udpate Supported Point Formats Extension code
authorBodo Möller <bodo@openssl.org>
Mon, 13 Mar 2006 01:24:38 +0000 (01:24 +0000)
committerBodo Möller <bodo@openssl.org>
Mon, 13 Mar 2006 01:24:38 +0000 (01:24 +0000)
Submitted by: Douglas Stebila

ssl/s3_lib.c
ssl/ssl.h
ssl/ssl_sess.c
ssl/t1_lib.c
ssl/tls1.h

index 0537a16743cff7527a8e67c1ba1c418cabbc0123..aecf6d62a8b40a3512758e03c2339cc72b153203 100644 (file)
@@ -1754,30 +1754,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                        }
                s->options |= SSL_OP_NO_SSLv2; /* can't use extension w/ SSL 2.0 format */
                break;
-#ifndef OPENSSL_NO_EC
-       case SSL_CTRL_SET_TLSEXT_ECPOINTFORMATLIST:
-               if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(larg)) == NULL)
-                       {
-                       SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
-                       return 0;
-                       }
-               {
-               int i;
-               unsigned char *sparg = (unsigned char *) parg;
-               for (i = 0; i < larg; i++, sparg++)
-                       {
-                       if (TLSEXT_ECPOINTFORMAT_last < *sparg)
-                               {
-                               SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT);
-                               return(0);
-                               }
-                       }
-               }
-               s->tlsext_ecpointformatlist_length = larg;
-               memcpy(s->tlsext_ecpointformatlist, parg, larg);
-               s->options |= SSL_OP_NO_SSLv2; /* can't use extension w/ SSL 2.0 format */
-               break;
-#endif /* OPENSSL_NO_EC */
 #endif /* !OPENSSL_NO_TLSEXT */
        default:
                break;
index 70d8b4d0d62c117d1841da2f60013b6debad2106..5557f4cb7b4b372ba79b52685c383a75885262ea 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1289,7 +1289,6 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB      53
 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG     54
 #define SSL_CTRL_SET_TLSEXT_HOSTNAME           55
-#define SSL_CTRL_SET_TLSEXT_ECPOINTFORMATLIST  56
 #endif
 
 #define SSL_session_reused(ssl) \
index 9372a4ed870faa45c5442113de215de9a20800ea..b5db2090ab476e7f9ac575dd2a7a324600d84daa 100644 (file)
@@ -359,6 +359,7 @@ int ssl_get_new_session(SSL *s, int session)
 #ifndef OPENSSL_NO_EC
                if (s->tlsext_ecpointformatlist)
                        {
+                       if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
                        if ((ss->tlsext_ecpointformatlist = OPENSSL_malloc(s->tlsext_ecpointformatlist_length)) == NULL)
                                {
                                SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
index 7f42cee22ab8c3be0e9df08f226f2c6a00894276..07149ebcb9a48e0f733bf44483250148d3065b4e 100644 (file)
@@ -359,6 +359,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                return 0;
                                }
                        s->session->tlsext_ecpointformatlist_length = 0;
+                       if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
                        if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
                                {
                                *al = TLS1_AD_INTERNAL_ERROR;
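Review bot: The free-then-reallocate added on `s->session->tlsext_ecpointformatlist` here, and again in the first ssl_parse_serverhello_tlsext hunk that follows, modifies the session object rather than per-connection state. If that session can be shared between connections, for example a resumed session used by several SSL objects in a multithreaded program (not visible from this hunk), one thread may free the buffer while another is still reading or filling it. Consider leaving the stored list untouched on a resumed handshake, e.g. guarding the block with `if (!s->hit)` after confirming `s->hit` is already set at this point, or serialising access to the session. Both functions start and end outside the hunks.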
@@ -430,6 +431,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                return 0;
                                }
                        s->session->tlsext_ecpointformatlist_length = 0;
+                       if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
                        if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
                                {
                                *al = TLS1_AD_INTERNAL_ERROR;
@@ -485,6 +487,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        if (s->session->tlsext_ecpointformatlist == NULL)
                                {
                                s->session->tlsext_ecpointformatlist_length = s->tlsext_ecpointformatlist_length;
+                               if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
                                if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(s->tlsext_ecpointformatlist_length)) == NULL)
                                        {
                                        *al = TLS1_AD_INTERNAL_ERROR;
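Review bot: The `OPENSSL_free` added after the length assignment can never run, because the enclosing `if (s->session->tlsext_ecpointformatlist == NULL)` has just established that the pointer is NULL, so the `!= NULL` test is always false. Drop the added line, or, if the intent was to refresh the stored list unconditionally, restructure so the free sits outside the NULL check. As written it suggests a cleanup that does not happen. The enclosing block of ssl_parse_serverhello_tlsext continues past the end of the hunk.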
@@ -509,7 +512,7 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
        {
 #ifndef OPENSSL_NO_EC
        /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats we 
-        * support (namely, only uncompressed points).
+        * support.
         */
        int using_ecc = 0;
        int i;
@@ -528,13 +531,16 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
        using_ecc = using_ecc && (s->version == TLS1_VERSION);
        if (using_ecc)
                {
-               if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(1)) == NULL)
+               if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
+               if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
                        {
                        SSLerr(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
                        return -1;
                        }
-               s->tlsext_ecpointformatlist_length = 1;
-               *s->tlsext_ecpointformatlist = TLSEXT_ECPOINTFORMAT_uncompressed;
+               s->tlsext_ecpointformatlist_length = 3;
+               s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
+               s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
+               s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
                }
 #endif /* OPENSSL_NO_EC */
        return 1;
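Review bot: If `OPENSSL_malloc(3)` fails after the new `OPENSSL_free`, `s->tlsext_ecpointformatlist` is NULL while `s->tlsext_ecpointformatlist_length` keeps whatever value it held before, since the length is only assigned once the allocation has succeeded. The parse functions earlier in this file zero the length before replacing the buffer; doing the same here with `s->tlsext_ecpointformatlist_length = 0;` ahead of the free keeps pointer and length consistent on the `return -1` path. The same applies to the matching hunk in ssl_prepare_serverhello_tlsext. The literal 3 also appears in both the allocation and the length assignment, so deriving both from one named constant would stop them drifting apart when a format is added or removed.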
@@ -543,8 +549,8 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
 int ssl_prepare_serverhello_tlsext(SSL *s)
        {
 #ifndef OPENSSL_NO_EC
-       /* If we are server and using an ECC cipher suite, send the point formats we support (namely, only
-        * uncompressed points) if the client sent us an ECPointsFormat extension.
+       /* If we are server and using an ECC cipher suite, send the point formats we support 
+        * if the client sent us an ECPointsFormat extension.
         */
        int i;
        int algs = s->s3->tmp.new_cipher->algorithms;
@@ -553,13 +559,16 @@ int ssl_prepare_serverhello_tlsext(SSL *s)
 
        if (using_ecc)
                {
-               if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(1)) == NULL)
+               if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
+               if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
                        {
                        SSLerr(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
                        return -1;
                        }
-               s->tlsext_ecpointformatlist_length = 1;
-               *s->tlsext_ecpointformatlist = TLSEXT_ECPOINTFORMAT_uncompressed;
+               s->tlsext_ecpointformatlist_length = 3;
+               s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
+               s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
+               s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
                }
 #endif /* OPENSSL_NO_EC */
        return 1;
index d839e9bdda28ff63b91050fb0395c0b328027d0b..fbe80e998cbd18ee6c45be5cd030a9030a3589b9 100644 (file)
@@ -223,11 +223,6 @@ SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb)
 
 #define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg)
-
-#ifndef OPENSSL_NO_EC
-#define SSL_set_tlsext_ecpointformat(s,length,list) \
-SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_ECPOINTFORMATLIST,length,(unsigned char *)list)
-#endif /* OPENSSL_NO_EC */
 #endif
 
 /* PSK ciphersuites from 4279 */