Update to OpenSSL 1.0.2.o

This commit is contained in:
Steve Dower
2018-04-13 17:29:45 +00:00
parent ccd3ab4aff
commit 4933cd8231
386 changed files with 5623 additions and 2984 deletions


@@ -15,7 +15,8 @@ KRB5_INCLUDES=
CFLAGS= $(INCLUDES) $(CFLAG)
GENERAL=Makefile README ssl-lib.com install.com
TEST=ssltest.c heartbeat_test.c clienthellotest.c sslv2conftest.c dtlstest.c bad_dtls_test.c
TEST=ssltest.c heartbeat_test.c clienthellotest.c sslv2conftest.c dtlstest.c \
bad_dtls_test.c fatalerrtest.c
APPS=
LIB=$(TOP)/libssl.a
@@ -268,7 +269,7 @@ d1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
d1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
d1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srvr.c
d1_srvr.o: ssl_locl.h
kssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
kssl.o: ../crypto/o_time.h ../include/openssl/asn1.h ../include/openssl/bio.h
kssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h
kssl.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
kssl.o: ../include/openssl/e_os2.h ../include/openssl/ec.h


@@ -19,7 +19,7 @@
* Note that unlike other SSL tests, we don't test against our own SSL
* server method. Firstly because we don't have one; we *only* support
* DTLS1_BAD_VER as a client. And secondly because even if that were
* fixed up it's the wrong thing to test against because if changes
* fixed up it's the wrong thing to test against - because if changes
* are made in generic DTLS code which don't take DTLS1_BAD_VER into
* account, there's plenty of scope for making those changes such that
* they break *both* the client and the server in the same way.
@@ -590,13 +590,13 @@ static int send_record(BIO *rbio, unsigned char type, unsigned long seqnr,
unsigned char *enc;
#ifdef SIXTY_FOUR_BIT_LONG
seq[0] = (seqnr >> 40) & 0xff;
seq[1] = (seqnr >> 32) & 0xff;
seq[0] = (unsigned char)(seqnr >> 40);
seq[1] = (unsigned char)(seqnr >> 32);
#endif
seq[2] = (seqnr >> 24) & 0xff;
seq[3] = (seqnr >> 16) & 0xff;
seq[4] = (seqnr >> 8) & 0xff;
seq[5] = seqnr & 0xff;
seq[2] = (unsigned char)(seqnr >> 24);
seq[3] = (unsigned char)(seqnr >> 16);
seq[4] = (unsigned char)(seqnr >> 8);
seq[5] = (unsigned char)(seqnr);
pad = 15 - ((len + SHA_DIGEST_LENGTH) % 16);
enc = OPENSSL_malloc(len + SHA_DIGEST_LENGTH + 1 + pad);
@@ -612,8 +612,8 @@ static int send_record(BIO *rbio, unsigned char type, unsigned long seqnr,
HMAC_Update(&ctx, seq, 6);
HMAC_Update(&ctx, &type, 1);
HMAC_Update(&ctx, ver, 2); /* Version */
lenbytes[0] = len >> 8;
lenbytes[1] = len & 0xff;
lenbytes[0] = (unsigned char)(len >> 8);
lenbytes[1] = (unsigned char)(len);
HMAC_Update(&ctx, lenbytes, 2); /* Length */
HMAC_Update(&ctx, enc, len); /* Finally the data itself */
HMAC_Final(&ctx, enc + len, NULL);
@@ -637,8 +637,8 @@ static int send_record(BIO *rbio, unsigned char type, unsigned long seqnr,
BIO_write(rbio, ver, 2);
BIO_write(rbio, epoch, 2);
BIO_write(rbio, seq, 6);
lenbytes[0] = (len + sizeof(iv)) >> 8;
lenbytes[1] = (len + sizeof(iv)) & 0xff;
lenbytes[0] = (unsigned char)((len + sizeof(iv)) >> 8);
lenbytes[1] = (unsigned char)(len + sizeof(iv));
BIO_write(rbio, lenbytes, 2);
BIO_write(rbio, iv, sizeof(iv));


@@ -517,6 +517,17 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
return i;
}
/*
* Don't change the *message* read sequence number while listening. For
* the *record* write sequence we reflect the ClientHello sequence number
* when listening.
*/
if (s->d1->listen)
memcpy(s->s3->write_sequence, s->s3->read_sequence,
sizeof(s->s3->write_sequence));
else
s->d1->handshake_read_seq++;
if (mt >= 0 && s->s3->tmp.message_type != mt) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_DTLS1_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
@@ -544,10 +555,6 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
/* Don't change sequence numbers while listening */
if (!s->d1->listen)
s->d1->handshake_read_seq++;
s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
return s->init_num;
@@ -1068,7 +1075,9 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
int dtls1_read_failed(SSL *s, int code)
{
if (code > 0) {
#ifdef TLS_DEBUG
fprintf(stderr, "invalid state reached %s:%d", __FILE__, __LINE__);
#endif
return 1;
}
@@ -1140,7 +1149,9 @@ int dtls1_retransmit_buffered_messages(SSL *s)
(frag->msg_header.seq,
frag->msg_header.is_ccs), 0,
&found) <= 0 && found) {
#ifdef TLS_DEBUG
fprintf(stderr, "dtls1_retransmit_message() failed\n");
#endif
return -1;
}
}
@@ -1240,7 +1251,9 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
item = pqueue_find(s->d1->sent_messages, seq64be);
if (item == NULL) {
#ifdef TLS_DEBUG
fprintf(stderr, "retransmit: message %d non-existant\n", seq);
#endif
*found = 0;
return 0;
}
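Review bot: The write_sequence reflection added at the top of dtls1_get_message (L91-L93) is now the only place it happens, because this same commit removes the equivalent memcpy from dtls1_accept, but the new comment does not say so and a reader of the server state machine will look for it there. Suggest extending the comment with `* This is the only place the reflection is done; dtls1_accept no longer does it.`. Note also that the copy now runs before the message-type check at L96, so a listening server reflects the sequence even for a message it then rejects as unexpected — presumably harmless, but worth confirming. dtls1_get_message's body continues outside the hunk.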


@@ -320,8 +320,13 @@ int dtls1_connect(SSL *s)
s->shutdown = 0;
/* every DTLS ClientHello resets Finished MAC */
ssl3_init_finished_mac(s);
if (!ssl3_init_finished_mac(s)) {
ret = -1;
s->state = SSL_ST_ERR;
goto end;
}
/* fall thru */
case SSL3_ST_CW_CLNT_HELLO_B:
dtls1_start_timer(s);
ret = ssl3_client_hello(s);


@@ -126,9 +126,9 @@ int dtls1_new(SSL *s)
if (!ssl3_new(s))
return (0);
if ((d1 = OPENSSL_malloc(sizeof *d1)) == NULL)
if ((d1 = OPENSSL_malloc(sizeof(*d1))) == NULL)
return (0);
memset(d1, 0, sizeof *d1);
memset(d1, 0, sizeof(*d1));
/* d1->handshake_epoch=0; */


@@ -4,7 +4,7 @@
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
*/
/* ====================================================================
* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -706,8 +706,11 @@ int dtls1_get_record(SSL *s)
n2s(p, rr->length);
/* Lets check version */
if (!s->first_packet) {
/*
* Lets check the version. We tolerate alerts that don't have the exact
* version number (e.g. because of protocol version errors)
*/
if (!s->first_packet && rr->type != SSL3_RT_ALERT) {
if (version != s->version) {
/* unexpected version, silently discard */
rr->length = 0;
@@ -1061,7 +1064,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
unsigned int *dest_len = NULL;
if (rr->type == SSL3_RT_HANDSHAKE) {
dest_maxlen = sizeof s->d1->handshake_fragment;
dest_maxlen = sizeof(s->d1->handshake_fragment);
dest = s->d1->handshake_fragment;
dest_len = &s->d1->handshake_fragment_len;
} else if (rr->type == SSL3_RT_ALERT) {
@@ -1202,6 +1205,24 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
goto start;
}
/*
* If we are a server and get a client hello when renegotiation isn't
* allowed send back a no renegotiation alert and carry on.
*/
if (s->server
&& SSL_is_init_finished(s)
&& !s->s3->send_connection_binding
&& s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH
&& s->d1->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO
&& s->s3->previous_client_finished_len != 0
&& (s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0) {
s->d1->handshake_fragment_len = 0;
rr->length = 0;
ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
goto start;
}
if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) {
int alert_level = s->d1->alert_fragment[0];
int alert_descr = s->d1->alert_fragment[1];
@@ -1286,7 +1307,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
s->s3->fatal_alert = alert_descr;
SSLerr(SSL_F_DTLS1_READ_BYTES,
SSL_AD_REASON_OFFSET + alert_descr);
BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr);
BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr);
ERR_add_error_data(2, "SSL alert number ", tmp);
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
SSL_CTX_remove_session(s->session_ctx, s->session);
@@ -1323,9 +1344,9 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
/* XDTLS: check that epoch is consistent */
if ((rr->length != ccs_hdr_len) ||
(rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) {
i = SSL_AD_ILLEGAL_PARAMETER;
al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_CHANGE_CIPHER_SPEC);
goto err;
goto f_err;
}
rr->length = 0;
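Review bot: The relaxed version check at L182 now lets alert records with a mismatched version through to the rest of record processing instead of silently discarding them, and the new comment says only that this is tolerated, not why it is safe. DTLS records arrive unauthenticated over UDP, so the reader should be told that a tolerated alert is still subject to the normal MAC/decryption check further down dtls1_get_record (outside this hunk) before it can affect the connection; if that holds, add `* Such alerts are still subject to the MAC check below before they are acted on.`. The change at L230/L233 (assigning al and jumping to f_err rather than err) is a genuine fix: the old code stored the alert value in i and never sent it.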


@@ -282,7 +282,12 @@ int dtls1_accept(SSL *s)
goto end;
}
ssl3_init_finished_mac(s);
if (!ssl3_init_finished_mac(s)) {
ret = -1;
s->state = SSL_ST_ERR;
goto end;
}
s->state = SSL3_ST_SR_CLNT_HELLO_A;
s->ctx->stats.sess_accept++;
} else if (!s->s3->send_connection_binding &&
@@ -322,7 +327,11 @@ int dtls1_accept(SSL *s)
s->state = SSL3_ST_SW_FLUSH;
s->init_num = 0;
ssl3_init_finished_mac(s);
if (!ssl3_init_finished_mac(s)) {
ret = -1;
s->state = SSL_ST_ERR;
goto end;
}
break;
case SSL3_ST_SW_HELLO_REQ_C:
@@ -346,15 +355,6 @@ int dtls1_accept(SSL *s)
s->init_num = 0;
/*
* Reflect ClientHello sequence to remain stateless while
* listening
*/
if (listen) {
memcpy(s->s3->write_sequence, s->s3->read_sequence,
sizeof(s->s3->write_sequence));
}
/* If we're just listening, stop here */
if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A) {
ret = 2;
@@ -381,7 +381,11 @@ int dtls1_accept(SSL *s)
/* HelloVerifyRequest resets Finished MAC */
if (s->version != DTLS1_BAD_VER)
ssl3_init_finished_mac(s);
if (!ssl3_init_finished_mac(s)) {
ret = -1;
s->state = SSL_ST_ERR;
goto end;
}
break;
#ifndef OPENSSL_NO_SCTP
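Review bot: The HelloVerifyRequest hunk at L277-L283 now nests a braced multi-line if inside the brace-less `if (s->version != DTLS1_BAD_VER)`, the dangling-else shape that is easy to mis-edit later. Suggest bracing the outer statement: `if (s->version != DTLS1_BAD_VER) {` around the check and a closing `}` after it. The other two ssl3_init_finished_mac checks in this file (L243-L247, L255-L259) follow the same shape as the d1_clnt/s3 callers in this commit, so only this one needs attention.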

109
ssl/fatalerrtest.c Normal file

@@ -0,0 +1,109 @@
/*
* Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <openssl/ssl.h>
#include <openssl/err.h>
#include "ssltestlib.h"
int main(int argc, char *argv[])
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *sssl = NULL, *cssl = NULL;
const char *msg = "Dummy";
BIO *err = NULL, *wbio = NULL;
int ret = 1, len;
char buf[80];
unsigned char dummyrec[] = {
0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y'
};
if (argc != 3) {
printf("Incorrect number of parameters\n");
return 1;
}
SSL_library_init();
SSL_load_error_strings();
err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
if (!create_ssl_ctx_pair(SSLv23_method(), SSLv23_method(), &sctx, &cctx,
argv[1], argv[2])) {
printf("Failed to create SSL_CTX pair\n");
goto err;
}
/*
* Deliberately set the cipher lists for client and server to be different
* to force a handshake failure.
*/
if (!SSL_CTX_set_cipher_list(sctx, "AES128-SHA")
|| !SSL_CTX_set_cipher_list(cctx, "AES256-SHA")) {
printf("Failed to set cipher lists\n");
goto err;
}
if (!create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL)) {
printf("Failed to create SSL objectx\n");
goto err;
}
wbio = SSL_get_wbio(cssl);
if (wbio == NULL) {
printf("Unexpected NULL bio received\n");
goto err;
}
if (create_ssl_connection(sssl, cssl)) {
printf("Unexpected success creating a connection\n");
goto err;
}
ERR_clear_error();
/* Inject a plaintext record from client to server */
if (BIO_write(wbio, dummyrec, sizeof(dummyrec)) <= 0) {
printf("Unexpected failure injecting dummy record\n");
goto err;
}
/* SSL_read()/SSL_write should fail because of a previous fatal error */
if ((len = SSL_read(sssl, buf, sizeof(buf) - 1)) > 0) {
buf[len] = '\0';
printf("Unexpected success reading data: %s\n", buf);
goto err;
}
if (SSL_write(sssl, msg, strlen(msg)) > 0) {
printf("Unexpected success writing data\n");
goto err;
}
ret = 0;
err:
SSL_free(sssl);
SSL_free(cssl);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
ERR_print_errors_fp(stderr);
if (ret) {
printf("Fatal err test: FAILED\n");
}
ERR_free_strings();
ERR_remove_thread_state(NULL);
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
CRYPTO_mem_leaks(err);
BIO_free(err);
return ret;
}
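Review bot: The new file calls printf and strlen (L315, L363) but includes only openssl/ssl.h, openssl/err.h and ssltestlib.h, so it relies on those headers pulling in the C library transitively; add `#include <stdio.h>` and `#include <string.h>` explicitly. The err BIO from BIO_new_fp at L320 is never checked, so CRYPTO_mem_leaks(err) at L381 runs with a NULL BIO if that allocation fails. `SSL_write(sssl, msg, strlen(msg))` passes a size_t where SSL_write takes an int; an explicit `(int)strlen(msg)` would match the rest of the ssl code. Minor: the message at L339 reads "SSL objectx".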


@@ -4,7 +4,7 @@
* 2000.
*/
/* ====================================================================
* Copyright (c) 2000 The OpenSSL Project. All rights reserved.
* Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -78,6 +78,7 @@
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/krb5_asn.h>
#include "o_time.h"
#include "kssl_lcl.h"
#ifndef OPENSSL_NO_KRB5
@@ -2026,6 +2027,8 @@ krb5_error_code kssl_check_authent(
int outl, unencbufsize;
struct tm tm_time, *tm_l, *tm_g;
time_t now, tl, tg, tr, tz_offset;
struct tm gmt_result = {0};
struct tm lt_result = {0};
EVP_CIPHER_CTX_init(&ciph_ctx);
*atimep = 0;
@@ -2082,7 +2085,7 @@ krb5_error_code kssl_check_authent(
}
# endif
enc = kssl_map_enc(enctype);
memset(iv, 0, sizeof iv); /* per RFC 1510 */
memset(iv, 0, sizeof(iv)); /* per RFC 1510 */
if (enc == NULL) {
/*
@@ -2140,9 +2143,17 @@ krb5_error_code kssl_check_authent(
if (k_gmtime(auth->ctime, &tm_time) &&
((tr = mktime(&tm_time)) != (time_t)(-1))) {
now = time(&now);
tm_g = OPENSSL_gmtime(&now, &gmt_result);
# if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && \
!defined(OPENSSL_SYS_OS2) && !defined(OPENSSL_SYS_SUNOS) && \
(!defined(OPENSSL_SYS_VMS) || defined(localtime_r))
tm_l = localtime_r(&now, &lt_result);
# else
tm_l = localtime(&now);
# endif
tl = mktime(tm_l);
tm_g = gmtime(&now);
tg = mktime(tm_g);
tz_offset = tg - tl;
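Review bot: Neither OPENSSL_gmtime at L424 nor localtime_r/localtime at L428/L430 has its result checked before tm_g and tm_l are handed to mktime at L432/L434, so a conversion failure (both return NULL on error) dereferences NULL. Suggest `if (tm_g == NULL || tm_l == NULL)` followed by the function's existing error return before the mktime calls; `now = time(&now)` at L423 is likewise unchecked for (time_t)-1. The gmt_result/lt_result buffers added at L408-L409 are the right replacement for the static buffer returned by the gmtime() call removed at L433. kssl_check_authent's body continues outside the hunk.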


@@ -204,7 +204,10 @@ int ssl23_connect(SSL *s)
goto end;
}
ssl3_init_finished_mac(s);
if (!ssl3_init_finished_mac(s)) {
ret = -1;
goto end;
}
s->state = SSL23_ST_CW_CLNT_HELLO_A;
s->ctx->stats.sess_connect++;
@@ -732,7 +735,37 @@ static int ssl23_get_server_hello(SSL *s)
s->version = TLS1_2_VERSION;
s->method = TLSv1_2_client_method();
} else {
/*
* Unrecognised version, we'll send a protocol version alert using
* our preferred version.
*/
switch(s->client_version) {
default:
/*
* Shouldn't happen
* Fall through
*/
case TLS1_2_VERSION:
s->version = TLS1_2_VERSION;
s->method = TLSv1_2_client_method();
break;
case TLS1_1_VERSION:
s->version = TLS1_1_VERSION;
s->method = TLSv1_1_client_method();
break;
case TLS1_VERSION:
s->version = TLS1_VERSION;
s->method = TLSv1_client_method();
break;
#ifndef OPENSSL_NO_SSL3
case SSL3_VERSION:
s->version = SSL3_VERSION;
s->method = SSLv3_client_method();
break;
#endif
}
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
goto err;
}
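Review bot: The new failure branch at L443-L446 sets ret = -1 and jumps to end but does not set `s->state = SSL_ST_ERR`, unlike the equivalent ssl3_init_finished_mac checks this commit adds in d1_clnt.c, d1_srvr.c, s3_clnt.c and s3_srvr.c; the ssl23_accept hunk at L493-L496 has the same shape. If the ssl23 state machine treats SSL_ST_ERR as the d1/s3 ones do, add `s->state = SSL_ST_ERR;` before the goto in both places; if it deliberately does not, a one-line comment saying so would stop the next reader from "fixing" it. In the new switch at L457-L481 the `default:` label placed first and falling into TLS1_2_VERSION is legal but fragile; giving default its own `s->version = TLS1_2_VERSION; s->method = TLSv1_2_client_method();` and placing it last would keep the intent independent of label order.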


@@ -195,7 +195,10 @@ int ssl23_accept(SSL *s)
s->init_buf = buf;
}
ssl3_init_finished_mac(s);
if (!ssl3_init_finished_mac(s)) {
ret = -1;
goto end;
}
s->state = SSL23_ST_SR_CLNT_HELLO_A;
s->ctx->stats.sess_accept++;
@@ -265,8 +268,8 @@ int ssl23_get_client_hello(SSL *s)
if (!ssl3_setup_buffers(s))
goto err;
n = ssl23_read_bytes(s, sizeof buf_space);
if (n != sizeof buf_space)
n = ssl23_read_bytes(s, sizeof(buf_space));
if (n != sizeof(buf_space))
return (n); /* n == -1 || n == 0 */
p = s->packet;


@@ -523,7 +523,7 @@ static int get_server_hello(SSL *s)
}
s->s2->conn_id_length = s->s2->tmp.conn_id_length;
if (s->s2->conn_id_length > sizeof s->s2->conn_id) {
if (s->s2->conn_id_length > sizeof(s->s2->conn_id)) {
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_SSL2_CONNECTION_ID_TOO_LONG);
return -1;
@@ -708,7 +708,7 @@ static int client_finished(SSL *s)
if (s->state == SSL2_ST_SEND_CLIENT_FINISHED_A) {
p = (unsigned char *)s->init_buf->data;
*(p++) = SSL2_MT_CLIENT_FINISHED;
if (s->s2->conn_id_length > sizeof s->s2->conn_id) {
if (s->s2->conn_id_length > sizeof(s->s2->conn_id)) {
SSLerr(SSL_F_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
return -1;
}
@@ -981,7 +981,7 @@ static int get_server_finished(SSL *s)
} else {
if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG)) {
if ((s->session->session_id_length >
sizeof s->session->session_id)
sizeof(s->session->session_id))
|| (0 !=
memcmp(buf + 1, s->session->session_id,
(unsigned int)s->session->session_id_length))) {


@@ -99,7 +99,7 @@ int ssl2_enc_init(SSL *s, int client)
num = c->key_len;
s->s2->key_material_length = num * 2;
OPENSSL_assert(s->s2->key_material_length <= sizeof s->s2->key_material);
OPENSSL_assert(s->s2->key_material_length <= sizeof(s->s2->key_material));
if (ssl2_generate_key_material(s) <= 0)
return 0;


@@ -326,9 +326,9 @@ int ssl2_new(SSL *s)
{
SSL2_STATE *s2;
if ((s2 = OPENSSL_malloc(sizeof *s2)) == NULL)
if ((s2 = OPENSSL_malloc(sizeof(*s2))) == NULL)
goto err;
memset(s2, 0, sizeof *s2);
memset(s2, 0, sizeof(*s2));
# if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2
# error "assertion failed"
@@ -371,7 +371,7 @@ void ssl2_free(SSL *s)
OPENSSL_free(s2->rbuf);
if (s2->wbuf != NULL)
OPENSSL_free(s2->wbuf);
OPENSSL_cleanse(s2, sizeof *s2);
OPENSSL_cleanse(s2, sizeof(*s2));
OPENSSL_free(s2);
s->s2 = NULL;
}
@@ -386,7 +386,7 @@ void ssl2_clear(SSL *s)
rbuf = s2->rbuf;
wbuf = s2->wbuf;
memset(s2, 0, sizeof *s2);
memset(s2, 0, sizeof(*s2));
s2->rbuf = rbuf;
s2->wbuf = wbuf;


@@ -724,7 +724,7 @@ static int get_client_hello(SSL *s)
p += s->s2->tmp.session_id_length;
/* challenge */
if (s->s2->challenge_length > sizeof s->s2->challenge) {
if (s->s2->challenge_length > sizeof(s->s2->challenge)) {
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return -1;
@@ -872,7 +872,7 @@ static int get_client_finished(SSL *s)
}
/* SSL2_ST_GET_CLIENT_FINISHED_B */
if (s->s2->conn_id_length > sizeof s->s2->conn_id) {
if (s->s2->conn_id_length > sizeof(s->s2->conn_id)) {
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
return -1;
@@ -903,7 +903,7 @@ static int server_verify(SSL *s)
if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A) {
p = (unsigned char *)s->init_buf->data;
*(p++) = SSL2_MT_SERVER_VERIFY;
if (s->s2->challenge_length > sizeof s->s2->challenge) {
if (s->s2->challenge_length > sizeof(s->s2->challenge)) {
SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR);
return -1;
}
@@ -925,7 +925,7 @@ static int server_finish(SSL *s)
p = (unsigned char *)s->init_buf->data;
*(p++) = SSL2_MT_SERVER_FINISHED;
if (s->session->session_id_length > sizeof s->session->session_id) {
if (s->session->session_id_length > sizeof(s->session->session_id)) {
SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR);
return -1;
}


@@ -263,6 +263,7 @@ int ssl3_connect(SSL *s)
if (!ssl3_setup_buffers(s)) {
ret = -1;
s->state = SSL_ST_ERR;
goto end;
}
@@ -275,7 +276,11 @@ int ssl3_connect(SSL *s)
/* don't push the buffering BIO quite yet */
ssl3_init_finished_mac(s);
if (!ssl3_init_finished_mac(s)) {
ret = -1;
s->state = SSL_ST_ERR;
goto end;
}
s->state = SSL3_ST_CW_CLNT_HELLO_A;
s->ctx->stats.sess_connect++;
@@ -979,7 +984,7 @@ int ssl3_get_server_hello(SSL *s)
/* get the session-id */
j = *(p++);
if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) {
if ((j > sizeof(s->session->session_id)) || (j > SSL3_SESSION_ID_SIZE)) {
al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG);
goto f_err;
@@ -1864,6 +1869,7 @@ int ssl3_get_key_exchange(SSL *s)
goto err;
}
if (EC_KEY_set_group(ecdh, ngroup) == 0) {
EC_GROUP_free(ngroup);
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
goto err;
}
@@ -2555,16 +2561,16 @@ int ssl3_send_client_key_exchange(SSL *s)
tmp_buf[0] = s->client_version >> 8;
tmp_buf[1] = s->client_version & 0xff;
if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
if (RAND_bytes(&(tmp_buf[2]), sizeof(tmp_buf) - 2) <= 0)
goto err;
s->session->master_key_length = sizeof tmp_buf;
s->session->master_key_length = sizeof(tmp_buf);
q = p;
/* Fix buf for TLS and beyond */
if (s->version > SSL3_VERSION)
p += 2;
n = RSA_public_encrypt(sizeof tmp_buf,
n = RSA_public_encrypt(sizeof(tmp_buf),
tmp_buf, p, rsa, RSA_PKCS1_PADDING);
# ifdef PKCS1_CHECK
if (s->options & SSL_OP_PKCS1_CHECK_1)
@@ -2589,8 +2595,8 @@ int ssl3_send_client_key_exchange(SSL *s)
s->
session->master_key,
tmp_buf,
sizeof tmp_buf);
OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
sizeof(tmp_buf));
OPENSSL_cleanse(tmp_buf, sizeof(tmp_buf));
}
#endif
#ifndef OPENSSL_NO_KRB5
@@ -2682,7 +2688,7 @@ int ssl3_send_client_key_exchange(SSL *s)
tmp_buf[0] = s->client_version >> 8;
tmp_buf[1] = s->client_version & 0xff;
if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
if (RAND_bytes(&(tmp_buf[2]), sizeof(tmp_buf) - 2) <= 0)
goto err;
/*-
@@ -2693,13 +2699,13 @@ int ssl3_send_client_key_exchange(SSL *s)
* EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
*/
memset(iv, 0, sizeof iv); /* per RFC 1510 */
memset(iv, 0, sizeof(iv)); /* per RFC 1510 */
EVP_EncryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv);
EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
sizeof tmp_buf);
sizeof(tmp_buf));
EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
outl += padl;
if (outl > (int)sizeof epms) {
if (outl > (int)sizeof(epms)) {
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto err;
@@ -2717,9 +2723,9 @@ int ssl3_send_client_key_exchange(SSL *s)
s->
session->master_key,
tmp_buf,
sizeof tmp_buf);
sizeof(tmp_buf));
OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
OPENSSL_cleanse(tmp_buf, sizeof(tmp_buf));
OPENSSL_cleanse(epms, outl);
}
#endif
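Review bot: In the Kerberos branch at L687-L691 the return values of EVP_EncryptInit_ex, EVP_EncryptUpdate and EVP_EncryptFinal_ex are still ignored (unchanged context lines), while the s3_enc.c hunks of this same commit convert every EVP_Digest* call to a checked `if (!... ) goto`; a failed call here leaves epms/outl holding whatever the previous step left and the key exchange proceeds on that. Suggest the same treatment, `if (!EVP_EncryptInit_ex(...) || !EVP_EncryptUpdate(...) || !EVP_EncryptFinal_ex(...)) goto err;`, after confirming the err path (outside this hunk) cleanses tmp_buf as the success path at L705 does. The EC_GROUP_free added at L643 closes a real leak on the EC_KEY_set_group failure path. ssl3_send_client_key_exchange's body continues outside the hunk.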


@@ -177,32 +177,34 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
EVP_MD_CTX_init(&s1);
for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
k++;
if (k > sizeof buf) {
if (k > sizeof(buf))
/* bug: 'buf' is too small for this ciphersuite */
SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
return 0;
}
goto err;
for (j = 0; j < k; j++)
buf[j] = c;
c++;
EVP_DigestInit_ex(&s1, EVP_sha1(), NULL);
EVP_DigestUpdate(&s1, buf, k);
EVP_DigestUpdate(&s1, s->session->master_key,
s->session->master_key_length);
EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE);
EVP_DigestFinal_ex(&s1, smd, NULL);
if (!EVP_DigestInit_ex(&s1, EVP_sha1(), NULL) ||
!EVP_DigestUpdate(&s1, buf, k) ||
!EVP_DigestUpdate(&s1, s->session->master_key,
s->session->master_key_length) ||
!EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE) ||
!EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE) ||
!EVP_DigestFinal_ex(&s1, smd, NULL))
goto err2;
EVP_DigestInit_ex(&m5, EVP_md5(), NULL);
EVP_DigestUpdate(&m5, s->session->master_key,
s->session->master_key_length);
EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH);
if (!EVP_DigestInit_ex(&m5, EVP_md5(), NULL) ||
!EVP_DigestUpdate(&m5, s->session->master_key,
s->session->master_key_length) ||
!EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH))
goto err2;
if ((int)(i + MD5_DIGEST_LENGTH) > num) {
EVP_DigestFinal_ex(&m5, smd, NULL);
if (!EVP_DigestFinal_ex(&m5, smd, NULL))
goto err2;
memcpy(km, smd, (num - i));
} else
EVP_DigestFinal_ex(&m5, km, NULL);
if (!EVP_DigestFinal_ex(&m5, km, NULL))
goto err2;
km += MD5_DIGEST_LENGTH;
}
@@ -210,6 +212,12 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
EVP_MD_CTX_cleanup(&m5);
EVP_MD_CTX_cleanup(&s1);
return 1;
err:
SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
err2:
EVP_MD_CTX_cleanup(&m5);
EVP_MD_CTX_cleanup(&s1);
return 0;
}
int ssl3_change_cipher_state(SSL *s, int which)
@@ -360,25 +368,33 @@ int ssl3_change_cipher_state(SSL *s, int which)
* In here I set both the read and write key/iv to the same value
* since only the correct one will be used :-).
*/
EVP_DigestInit_ex(&md, EVP_md5(), NULL);
EVP_DigestUpdate(&md, key, j);
EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
!EVP_DigestUpdate(&md, key, j) ||
!EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
!EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
!EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL)) {
EVP_MD_CTX_cleanup(&md);
goto err2;
}
key = &(exp_key[0]);
if (k > 0) {
EVP_DigestInit_ex(&md, EVP_md5(), NULL);
EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
!EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
!EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
!EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL)) {
EVP_MD_CTX_cleanup(&md);
goto err2;
}
iv = &(exp_iv[0]);
}
}
EVP_MD_CTX_cleanup(&md);
s->session->key_arg_length = 0;
EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)))
goto err2;
#ifdef OPENSSL_SSL_TRACE_CRYPTO
if (s->msg_callback) {
@@ -399,7 +415,6 @@ int ssl3_change_cipher_state(SSL *s, int which)
OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
EVP_MD_CTX_cleanup(&md);
return (1);
err:
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
@@ -555,17 +570,20 @@ int ssl3_enc(SSL *s, int send)
if ((bs != 1) && !send)
return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
}
return (1);
return 1;
}
void ssl3_init_finished_mac(SSL *s)
int ssl3_init_finished_mac(SSL *s)
{
if (s->s3->handshake_buffer)
BIO_free(s->s3->handshake_buffer);
if (s->s3->handshake_dgst)
ssl3_free_digest_list(s);
s->s3->handshake_buffer = BIO_new(BIO_s_mem());
if (s->s3->handshake_buffer == NULL)
return 0;
(void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
return 1;
}
void ssl3_free_digest_list(SSL *s)
@@ -622,6 +640,10 @@ int ssl3_digest_cached_records(SSL *s)
for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
if ((mask & ssl_get_algorithm2(s)) && md) {
s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
if (s->s3->handshake_dgst[i] == NULL) {
SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
return 0;
}
#ifdef OPENSSL_FIPS
if (EVP_MD_nid(md) == NID_md5) {
EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
@@ -903,7 +925,7 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
s, s->msg_callback_arg);
}
#endif
OPENSSL_cleanse(buf, sizeof buf);
OPENSSL_cleanse(buf, sizeof(buf));
return (ret);
}
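Review bot: The new err2 path in ssl3_generate_key_block (L767-L770) releases the two digest contexts but does not cleanse the scratch digest smd, and neither does the success path at L762-L764; smd holds intermediate key-block material derived from the master secret. Unless it is cleansed elsewhere in the function (outside the hunk), add `OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);` before both returns. Similarly, the new `goto err2` exits in ssl3_change_cipher_state at L788, L801 and L810 bypass the OPENSSL_cleanse of exp_key/exp_iv that the success path performs at L814-L815; the err2 label is outside the hunk, so confirm it cleanses them or move the cleanse there. Changing ssl3_init_finished_mac to return int (L828-L839) is the right fix, and every caller updated in this commit checks it.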


@@ -3018,9 +3018,9 @@ int ssl3_new(SSL *s)
{
SSL3_STATE *s3;
if ((s3 = OPENSSL_malloc(sizeof *s3)) == NULL)
if ((s3 = OPENSSL_malloc(sizeof(*s3))) == NULL)
goto err;
memset(s3, 0, sizeof *s3);
memset(s3, 0, sizeof(*s3));
memset(s3->rrec.seq_num, 0, sizeof(s3->rrec.seq_num));
memset(s3->wrec.seq_num, 0, sizeof(s3->wrec.seq_num));
@@ -3078,7 +3078,7 @@ void ssl3_free(SSL *s)
#ifndef OPENSSL_NO_SRP
SSL_SRP_CTX_free(s);
#endif
OPENSSL_cleanse(s->s3, sizeof *s->s3);
OPENSSL_cleanse(s->s3, sizeof(*s->s3));
OPENSSL_free(s->s3);
s->s3 = NULL;
}
@@ -3142,7 +3142,7 @@ void ssl3_clear(SSL *s)
s->s3->alpn_selected = NULL;
}
#endif
memset(s->s3, 0, sizeof *s->s3);
memset(s->s3, 0, sizeof(*s->s3));
s->s3->rbuf.buf = rp;
s->s3->wbuf.buf = wp;
s->s3->rbuf.len = rlen;
@@ -4237,7 +4237,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
return (int)s->cert->ctype_num;
}
/* get configured sigalgs */
siglen = tls12_get_psigalgs(s, &sig);
siglen = tls12_get_psigalgs(s, 1, &sig);
if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
nostrict = 0;
for (i = 0; i < siglen; i += 2, sig += 2) {
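Review bot: The call at L896 now passes a bare literal `1` as the new second argument of tls12_get_psigalgs, and the same literal appears at the ssl3_send_certificate_request call site in s3_srvr.c (L1071); nothing at either call site says what the flag selects, and the definition is not in this page. Suggest naming the flag where it is defined and using that name at both call sites, or at least a short `/* ... */` comment at each call stating which signature-algorithm list the 1 selects, so the boolean is not a magic number. ssl3_get_req_cert_type's body continues outside the hunk.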


@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -670,7 +670,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
* promptly send beyond the end of the users buffer ... so we trap and
* report the error in a way the user will notice
*/
if (len < tot) {
if ((len < tot) || ((wb->left != 0) && (len < (tot + s->s3->wpend_tot)))) {
SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH);
return (-1);
}
@@ -699,6 +699,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
len >= 4 * (int)(max_send_fragment = s->max_send_fragment) &&
s->compress == NULL && s->msg_callback == NULL &&
SSL_USE_EXPLICIT_IV(s) &&
s->enc_write_ctx != NULL &&
EVP_CIPHER_flags(s->enc_write_ctx->cipher) &
EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) {
unsigned char aad[13];
@@ -1095,10 +1096,9 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
int i;
SSL3_BUFFER *wb = &(s->s3->wbuf);
/* XXXX */
if ((s->s3->wpend_tot > (int)len)
|| ((s->s3->wpend_buf != buf) &&
!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))
|| (!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)
&& (s->s3->wpend_buf != buf))
|| (s->s3->wpend_type != type)) {
SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY);
return (-1);
@@ -1313,20 +1313,26 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
unsigned int *dest_len = NULL;
if (rr->type == SSL3_RT_HANDSHAKE) {
dest_maxlen = sizeof s->s3->handshake_fragment;
dest_maxlen = sizeof(s->s3->handshake_fragment);
dest = s->s3->handshake_fragment;
dest_len = &s->s3->handshake_fragment_len;
} else if (rr->type == SSL3_RT_ALERT) {
dest_maxlen = sizeof s->s3->alert_fragment;
dest_maxlen = sizeof(s->s3->alert_fragment);
dest = s->s3->alert_fragment;
dest_len = &s->s3->alert_fragment_len;
}
#ifndef OPENSSL_NO_HEARTBEATS
else if (rr->type == TLS1_RT_HEARTBEAT) {
tls1_process_heartbeat(s);
i = tls1_process_heartbeat(s);
if (i < 0)
return i;
rr->length = 0;
if (s->mode & SSL_MODE_AUTO_RETRY)
goto start;
/* Exit and notify application to read again */
rr->length = 0;
s->rwstate = SSL_READING;
BIO_clear_retry_flags(SSL_get_rbio(s));
BIO_set_retry_read(SSL_get_rbio(s));
@@ -1414,26 +1420,25 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
*/
goto start;
}
/*
* If we are a server and get a client hello when renegotiation isn't
* allowed send back a no renegotiation alert and carry on. WARNING:
* experimental code, needs reviewing (steve)
* allowed send back a no renegotiation alert and carry on.
*/
if (s->server &&
SSL_is_init_finished(s) &&
!s->s3->send_connection_binding &&
(s->version > SSL3_VERSION) &&
(s->s3->handshake_fragment_len >= 4) &&
(s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
(s->session != NULL) && (s->session->cipher != NULL) &&
!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
/*
* s->s3->handshake_fragment_len = 0;
*/
if (s->server
&& SSL_is_init_finished(s)
&& !s->s3->send_connection_binding
&& s->version > SSL3_VERSION
&& s->s3->handshake_fragment_len >= SSL3_HM_HEADER_LENGTH
&& s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO
&& s->s3->previous_client_finished_len != 0
&& (s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0) {
s->s3->handshake_fragment_len = 0;
rr->length = 0;
ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
goto start;
}
if (s->s3->alert_fragment_len >= 2) {
int alert_level = s->s3->alert_fragment[0];
int alert_descr = s->s3->alert_fragment[1];
@@ -1491,7 +1496,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
s->rwstate = SSL_NOTHING;
s->s3->fatal_alert = alert_descr;
SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr);
BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr);
ERR_add_error_data(2, "SSL alert number ", tmp);
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
SSL_CTX_remove_session(s->session_ctx, s->session);
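Review bot: The strengthened length check at L917 has no comment explaining its second clause, and the comment above it (L913-L915) only describes the original `len < tot` case, so the `wb->left != 0` test reads like dead code. Suggest `/* A retried write must still cover the record already queued in wb (tot + wpend_tot bytes). */` above the if. The heartbeat change at L957-L959 now propagates a negative return from tls1_process_heartbeat that was previously dropped, and the `s->enc_write_ctx != NULL` guard at L925 prevents dereferencing `->cipher` through a NULL context in the multiblock path — both good. ssl3_write_bytes and ssl3_read_bytes continue outside their hunks.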


@@ -311,7 +311,12 @@ int ssl3_accept(SSL *s)
goto end;
}
ssl3_init_finished_mac(s);
if (!ssl3_init_finished_mac(s)) {
ret = -1;
s->state = SSL_ST_ERR;
goto end;
}
s->state = SSL3_ST_SR_CLNT_HELLO_A;
s->ctx->stats.sess_accept++;
} else if (!s->s3->send_connection_binding &&
@@ -348,7 +353,11 @@ int ssl3_accept(SSL *s)
s->state = SSL3_ST_SW_FLUSH;
s->init_num = 0;
ssl3_init_finished_mac(s);
if (!ssl3_init_finished_mac(s)) {
ret = -1;
s->state = SSL_ST_ERR;
goto end;
}
break;
case SSL3_ST_SW_HELLO_REQ_C:
@@ -1704,6 +1713,12 @@ int ssl3_send_server_key_exchange(SSL *s)
if (type & SSL_kEECDH) {
const EC_GROUP *group;
if (s->s3->tmp.ecdh != NULL) {
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto err;
}
ecdhp = cert->ecdh_tmp;
if (s->cert->ecdh_tmp_auto) {
/* Get NID of appropriate shared curve */
@@ -1724,17 +1739,7 @@ int ssl3_send_server_key_exchange(SSL *s)
goto f_err;
}
if (s->s3->tmp.ecdh != NULL) {
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto err;
}
/* Duplicate the ECDH structure. */
if (ecdhp == NULL) {
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
goto err;
}
if (s->cert->ecdh_tmp_auto)
ecdh = ecdhp;
else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
@@ -2084,7 +2089,7 @@ int ssl3_send_certificate_request(SSL *s)
if (SSL_USE_SIGALGS(s)) {
const unsigned char *psigs;
nl = tls12_get_psigalgs(s, &psigs);
nl = tls12_get_psigalgs(s, 1, &psigs);
s2n(nl, p);
memcpy(p, psigs, nl);
p += nl;
@@ -2197,7 +2202,7 @@ int ssl3_get_client_key_exchange(SSL *s)
unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
int decrypt_len;
unsigned char decrypt_good, version_good;
size_t j;
size_t j, padding_len;
/* FIX THIS UP EAY EAY EAY EAY */
if (s->s3->tmp.use_rsa_tmp) {
@@ -2265,16 +2270,38 @@ int ssl3_get_client_key_exchange(SSL *s)
if (RAND_bytes(rand_premaster_secret,
sizeof(rand_premaster_secret)) <= 0)
goto err;
decrypt_len =
RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
ERR_clear_error();
/*
* decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. decrypt_good will
* be 0xff if so and zero otherwise.
* Decrypt with no padding. PKCS#1 padding will be removed as part of
* the timing-sensitive code below.
*/
decrypt_good =
constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);
decrypt_len =
RSA_private_decrypt((int)n, p, p, rsa, RSA_NO_PADDING);
if (decrypt_len < 0)
goto err;
/* Check the padding. See RFC 3447, section 7.2.2. */
/*
* The smallest padded premaster is 11 bytes of overhead. Small keys
* are publicly invalid, so this may return immediately. This ensures
* PS is at least 8 bytes.
*/
if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
al = SSL_AD_DECRYPT_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_R_DECRYPTION_FAILED);
goto f_err;
}
padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
decrypt_good = constant_time_eq_int_8(p[0], 0) &
constant_time_eq_int_8(p[1], 2);
for (j = 2; j < padding_len - 1; j++) {
decrypt_good &= ~constant_time_is_zero_8(p[j]);
}
decrypt_good &= constant_time_is_zero_8(p[padding_len - 1]);
p += padding_len;
/*
* If the version in the decrypted pre-master secret is correct then
@@ -2483,7 +2510,7 @@ int ssl3_get_client_key_exchange(SSL *s)
/*
* Note that the length is checked again below, ** after decryption
*/
if (enc_pms.length > sizeof pms) {
if (enc_pms.length > sizeof(pms)) {
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_R_DATA_LENGTH_TOO_LONG);
goto err;
@@ -2536,7 +2563,7 @@ int ssl3_get_client_key_exchange(SSL *s)
if (enc == NULL)
goto err;
memset(iv, 0, sizeof iv); /* per RFC 1510 */
memset(iv, 0, sizeof(iv)); /* per RFC 1510 */
if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv)) {
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -3018,6 +3045,11 @@ int ssl3_get_cert_verify(SSL *s)
peer = s->session->peer;
pkey = X509_get_pubkey(peer);
if (pkey == NULL) {
al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
type = X509_certificate_type(peer, pkey);
if (!(type & EVP_PKT_SIGN)) {
@@ -3154,7 +3186,9 @@ int ssl3_get_cert_verify(SSL *s)
goto f_err;
}
if (i != 64) {
#ifdef SSL_DEBUG
fprintf(stderr, "GOST signature length is %d", i);
#endif
}
for (idx = 0; idx < 64; idx++) {
signature[63 - idx] = p[idx];
@@ -3463,8 +3497,22 @@ int ssl3_send_newsession_ticket(SSL *s)
* all the work otherwise use generated values from parent ctx.
*/
if (tctx->tlsext_ticket_key_cb) {
if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
&hctx, 1) < 0)
/* if 0 is returned, write en empty ticket */
int ret = tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
&hctx, 1);
if (ret == 0) {
l2n(0, p); /* timeout */
s2n(0, p); /* length */
ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET,
p - ssl_handshake_start(s));
s->state = SSL3_ST_SW_SESSION_TICKET_B;
OPENSSL_free(senc);
EVP_CIPHER_CTX_cleanup(&ctx);
HMAC_CTX_cleanup(&hctx);
return ssl_do_write(s);
}
if (ret < 0)
goto err;
} else {
if (RAND_bytes(iv, 16) <= 0)
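Review bot: In the GOST branch of ssl3_get_cert_verify the `if (i != 64)` block is now empty outside SSL_DEBUG, so a signature whose length field (which `i` appears to hold; it is parsed earlier in the function, outside this hunk) disagrees with 64 is still processed — the loop that follows copies exactly 64 bytes from `p` regardless of `i`, so with `i < 64` it reads past the signature into whatever follows it in the handshake buffer. Silencing the stderr message is fine, but the mismatch should be a hard failure rather than a no-op: `if (i != 64) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); goto f_err; }`. The `al` variable and `f_err` label are the ones the earlier hunk of this function already uses for the NULL-pubkey case; the function body itself starts and ends outside the hunk.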


@@ -1727,7 +1727,7 @@ extern "C" {
# define SSL_ST_BEFORE 0x4000
# define SSL_ST_OK 0x03
# define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)
# define SSL_ST_ERR 0x05
# define SSL_ST_ERR (0x05|SSL_ST_INIT)
# define SSL_CB_LOOP 0x01
# define SSL_CB_EXIT 0x02
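Review bot: SSL_ST_ERR now carries SSL_ST_INIT, which is an observable API change: any state test that masks on SSL_ST_INIT (SSL_in_init() presumably does) will report a fatally-errored connection as "still in handshake", and a caller comparing SSL_get_state() against the literal 0x05 stops matching. That is very likely the intent — keep an errored connection from being treated as established — but nothing at the definition says so. A one-line comment would preserve the reasoning, e.g. `/* Includes SSL_ST_INIT so SSL_in_init() stays true after a fatal handshake error */`.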


@@ -412,6 +412,7 @@ CERT *ssl_cert_dup(CERT *cert)
#endif
ssl_cert_clear_certs(ret);
OPENSSL_free(ret);
return NULL;
}
@@ -635,13 +636,13 @@ SESS_CERT *ssl_sess_cert_new(void)
{
SESS_CERT *ret;
ret = OPENSSL_malloc(sizeof *ret);
ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
memset(ret, 0, sizeof *ret);
memset(ret, 0, sizeof(*ret));
ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
ret->references = 1;
@@ -1017,15 +1018,15 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
char buf[1024];
int r;
if (strlen(dir) + strlen(filename) + 2 > sizeof buf) {
if (strlen(dir) + strlen(filename) + 2 > sizeof(buf)) {
SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,
SSL_R_PATH_TOO_LONG);
goto err;
}
#ifdef OPENSSL_SYS_VMS
r = BIO_snprintf(buf, sizeof buf, "%s%s", dir, filename);
r = BIO_snprintf(buf, sizeof(buf), "%s%s", dir, filename);
#else
r = BIO_snprintf(buf, sizeof buf, "%s/%s", dir, filename);
r = BIO_snprintf(buf, sizeof(buf), "%s/%s", dir, filename);
#endif
if (r <= 0 || r >= (int)sizeof(buf))
goto err;


@@ -1205,7 +1205,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
((ch >= '0') && (ch <= '9')) ||
((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.'))
#else
while (isalnum(ch) || (ch == '-') || (ch == '.'))
while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.'))
#endif
{
ch = *(++l);
@@ -2001,7 +2001,7 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
if (id < 193 || id > 255) {
SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,
SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
return 0;
return 1;
}
MemCheck_off();
@@ -2013,6 +2013,7 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
}
comp->id = id;
comp->method = cm;
comp->name = cm->name;
load_builtin_compressions();
if (ssl_comp_methods && sk_SSL_COMP_find(ssl_comp_methods, comp) >= 0) {
OPENSSL_free(comp);
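Review bot: The rejected-id branch in SSL_COMP_add_compression_method now returns 1, and per this function's documented contract that is the failure value (it returns 0 on success, the reverse of most OpenSSL APIs) — so the old `return 0` reported success for an id it refused to register, and the new line is the fix. Because the polarity is unusual the branch should say so, e.g. `return 1; /* failure: this function returns 0 on success, 1 on error */`, or the next reader will "fix" it back. The `isalnum((unsigned char)ch)` change in ssl_cipher_process_rulestr is right: passing a plain, possibly negative `char` to a <ctype.h> function is undefined behaviour. Both enclosing functions start outside their hunks.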


@@ -343,7 +343,7 @@ SSL *SSL_new(SSL_CTX *ctx)
s->verify_depth = ctx->verify_depth;
#endif
s->sid_ctx_length = ctx->sid_ctx_length;
OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
OPENSSL_assert(s->sid_ctx_length <= sizeof(s->sid_ctx));
memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
s->verify_callback = ctx->default_verify_callback;
s->generate_session_id = ctx->generate_session_id;
@@ -437,7 +437,7 @@ SSL *SSL_new(SSL_CTX *ctx)
int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
unsigned int sid_ctx_len)
{
if (sid_ctx_len > sizeof ctx->sid_ctx) {
if (sid_ctx_len > sizeof(ctx->sid_ctx)) {
SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,
SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
return 0;
@@ -490,7 +490,7 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
*/
SSL_SESSION r, *p;
if (id_len > sizeof r.session_id)
if (id_len > sizeof(r.session_id))
return 0;
r.ssl_version = ssl->version;
@@ -1825,26 +1825,34 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
const char *label, size_t llen,
const unsigned char *p, size_t plen,
const unsigned char *context, size_t contextlen,
int use_context)
{
if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
return -1;
return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
llen, p, plen,
use_context);
llen, context,
contextlen, use_context);
}
static unsigned long ssl_session_hash(const SSL_SESSION *a)
{
const unsigned char *session_id = a->session_id;
unsigned long l;
unsigned char tmp_storage[4];
if (a->session_id_length < sizeof(tmp_storage)) {
memset(tmp_storage, 0, sizeof(tmp_storage));
memcpy(tmp_storage, a->session_id, a->session_id_length);
session_id = tmp_storage;
}
l = (unsigned long)
((unsigned int)a->session_id[0]) |
((unsigned int)a->session_id[1] << 8L) |
((unsigned long)a->session_id[2] << 16L) |
((unsigned long)a->session_id[3] << 24L);
((unsigned long)session_id[0]) |
((unsigned long)session_id[1] << 8L) |
((unsigned long)session_id[2] << 16L) |
((unsigned long)session_id[3] << 24L);
return (l);
}
@@ -3172,6 +3180,7 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
#endif
ssl->cert = ssl_cert_dup(ctx->cert);
if (ocert) {
int i;
/* Preserve any already negotiated parameters */
if (ssl->server) {
ssl->cert->peer_sigalgs = ocert->peer_sigalgs;
@@ -3181,11 +3190,17 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
ssl->cert->ciphers_rawlen = ocert->ciphers_rawlen;
ocert->ciphers_raw = NULL;
}
for (i = 0; i < SSL_PKEY_NUM; i++) {
ssl->cert->pkeys[i].digest = ocert->pkeys[i].digest;
}
#ifndef OPENSSL_NO_TLSEXT
ssl->cert->alpn_proposed = ocert->alpn_proposed;
ssl->cert->alpn_proposed_len = ocert->alpn_proposed_len;
ocert->alpn_proposed = NULL;
ssl->cert->alpn_sent = ocert->alpn_sent;
if (!custom_exts_copy_flags(&ssl->cert->srv_ext, &ocert->srv_ext))
return NULL;
#endif
ssl_cert_free(ocert);
}
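Review bot: In SSL_set_SSL_CTX the result of `ssl->cert = ssl_cert_dup(ctx->cert);` is dereferenced inside the `if (ocert)` block (`ssl->cert->peer_sigalgs = ...` and the new `pkeys[i].digest` loop) with no NULL check in between, so an allocation failure in the dup becomes a NULL dereference on a path a server reaches from its SNI/cert callback. Check it before touching the new cert and leave the old one in place: `if (ssl->cert == NULL) { ssl->cert = ocert; return NULL; }`. Separately, the new `if (!custom_exts_copy_flags(...)) return NULL;` returns with ocert still allocated; the t1_ext.c implementation in this commit never returns 0, so that path is dead today, but if it ever becomes live it leaks. The function continues past the hunk.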


@@ -1158,7 +1158,7 @@ long ssl2_default_timeout(void);
const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
void ssl3_init_finished_mac(SSL *s);
int ssl3_init_finished_mac(SSL *s);
int ssl3_send_server_certificate(SSL *s);
int ssl3_send_newsession_ticket(SSL *s);
int ssl3_send_cert_status(SSL *s);
@@ -1430,7 +1430,7 @@ int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
long ssl_get_algorithm2(SSL *s);
int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize);
int tls1_process_sigalgs(SSL *s);
size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs);
int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
const unsigned char *sig, EVP_PKEY *pkey);
void ssl_set_client_disabled(SSL *s);
@@ -1482,6 +1482,8 @@ int custom_ext_add(SSL *s, int server,
unsigned char **pret, unsigned char *limit, int *al);
int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src);
int custom_exts_copy_flags(custom_ext_methods *dst,
const custom_ext_methods *src);
void custom_exts_free(custom_ext_methods *exts);
# else
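Review bot: The new `sent` parameter of tls12_get_psigalgs is undocumented at its prototype and its meaning is not obvious from the name — in the t1_lib.c hunk the only test is `s->server == sent`, which reads as "return the list we advertise to the peer when sent is 1, the list we apply to our own signing when 0", but that is inferred from one use, not stated anywhere. A comment above the prototype such as `/* sent: 1 = sigalgs we send to the peer, 0 = sigalgs we use locally (tls1_set_shared_sigalgs) */` would stop the next caller from passing the wrong flag. The same goes for the now-int ssl3_init_finished_mac: `/* returns 1 on success, 0 on error */` matches how s3_srvr.c checks it.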


@@ -964,6 +964,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
int ret = 0;
BIO *bin = NULL;
size_t num_extensions = 0;
unsigned char *new_serverinfo;
if (ctx == NULL || file == NULL) {
SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
@@ -1014,12 +1015,13 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
goto end;
}
/* Append the decoded extension to the serverinfo buffer */
serverinfo =
new_serverinfo =
OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
if (serverinfo == NULL) {
if (new_serverinfo == NULL) {
SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);
goto end;
}
serverinfo = new_serverinfo;
memcpy(serverinfo + serverinfo_length, extension, extension_length);
serverinfo_length += extension_length;


@@ -261,7 +261,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
#ifndef OPENSSL_NO_SRP
dest->srp_username = NULL;
#endif
memset(&dest->ex_data, 0, sizeof(dest->ex_data));
/* We deliberately don't copy the prev and next pointers */
dest->prev = NULL;
@@ -275,6 +274,9 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
if (src->peer != NULL)
CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, dest, &dest->ex_data))
goto err;
#ifndef OPENSSL_NO_PSK
if (src->psk_identity_hint) {
dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint);
@@ -325,7 +327,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
}
# endif
if (ticket != 0) {
if (ticket != 0 && src->tlsext_tick != NULL) {
dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen);
if(dest->tlsext_tick == NULL)
goto err;
@@ -527,7 +529,7 @@ int ssl_get_new_session(SSL *s, int session)
ss->session_id_length = 0;
}
if (s->sid_ctx_length > sizeof ss->sid_ctx) {
if (s->sid_ctx_length > sizeof(ss->sid_ctx)) {
SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
SSL_SESSION_free(ss);
return 0;
@@ -868,9 +870,9 @@ void SSL_SESSION_free(SSL_SESSION *ss)
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
OPENSSL_cleanse(ss->key_arg, sizeof ss->key_arg);
OPENSSL_cleanse(ss->master_key, sizeof ss->master_key);
OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
OPENSSL_cleanse(ss->key_arg, sizeof(ss->key_arg));
OPENSSL_cleanse(ss->master_key, sizeof(ss->master_key));
OPENSSL_cleanse(ss->session_id, sizeof(ss->session_id));
if (ss->sess_cert != NULL)
ssl_sess_cert_free(ss->sess_cert);
if (ss->peer != NULL)
@@ -1006,7 +1008,8 @@ int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
return 0;
}
s->sid_ctx_length = sid_ctx_len;
memcpy(s->sid_ctx, sid_ctx, sid_ctx_len);
if (s->sid_ctx != sid_ctx)
memcpy(s->sid_ctx, sid_ctx, sid_ctx_len);
return 1;
}


@@ -311,6 +311,13 @@ static const char *sn_client;
static const char *sn_server1;
static const char *sn_server2;
static int sn_expect = 0;
static int s_ticket1 = 0;
static int s_ticket2 = 0;
static int c_ticket = 0;
static int ticket_expect = -1;
static int sni_in_cert_cb = 0;
static const char *client_sigalgs = NULL;
static const char *server_digest_expect = NULL;
static int servername_cb(SSL *s, int *ad, void *arg)
{
@@ -325,6 +332,9 @@ static int servername_cb(SSL *s, int *ad, void *arg)
!strcasecmp(servername, sn_server2)) {
BIO_printf(bio_stdout, "Switching server context.\n");
SSL_set_SSL_CTX(s, s_ctx2);
/* Copy over all the SSL_CTX options */
SSL_clear_options(s, 0xFFFFFFFFL);
SSL_set_options(s, SSL_CTX_get_options(s_ctx2));
}
}
return SSL_TLSEXT_ERR_OK;
@@ -348,6 +358,40 @@ static int verify_servername(SSL *client, SSL *server)
BIO_printf(bio_stdout, "Servername: context is unknown\n");
return -1;
}
static int cert_cb(SSL *ssl, void *arg)
{
int unused;
return servername_cb(ssl, &unused, NULL) != SSL_TLSEXT_ERR_ALERT_FATAL;
}
static int verify_ticket(SSL* ssl)
{
if (ticket_expect == -1)
return 0;
if (ticket_expect == 0 &&
(ssl->session->tlsext_tick == NULL ||
ssl->session->tlsext_ticklen == 0))
return 1;
if (ticket_expect == 1 &&
(ssl->session->tlsext_tick != NULL &&
ssl->session->tlsext_ticklen != 0))
return 1;
return -1;
}
static int verify_server_digest(SSL* ssl)
{
int nid = NID_undef;
if (server_digest_expect == NULL)
return 0;
SSL_get_peer_signature_nid(ssl, &nid);
if (strcmp(server_digest_expect, OBJ_nid2sn(nid)) == 0)
return 1;
BIO_printf(bio_stdout, "Expected server digest %s, got %s.\n",
server_digest_expect, OBJ_nid2sn(nid));
return -1;
}
/*-
* next_protos_parse parses a comma separated list of strings into a string
@@ -379,13 +423,13 @@ static unsigned char *next_protos_parse(unsigned short *outlen,
OPENSSL_free(out);
return NULL;
}
out[start] = i - start;
out[start] = (unsigned char)(i - start);
start = i + 1;
} else
out[i + 1] = in[i];
}
*outlen = len + 1;
*outlen = (unsigned char)(len + 1);
return out;
}
@@ -477,6 +521,43 @@ static int verify_alpn(SSL *client, SSL *server)
return -1;
}
#ifndef OPENSSL_NO_TLSEXT
static int cb_ticket0(SSL* s, unsigned char* key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
{
return 0;
}
static int cb_ticket1(SSL* s, unsigned char* key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
{
static unsigned char key[] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static char name[] = "ticket11ticket11";
if (SSL_get_options(s) & SSL_OP_NO_TICKET)
return 0;
if (enc) {
RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);
HMAC_Init_ex(hctx, key, sizeof(key), EVP_sha1(), NULL);
memcpy(key_name, name, 16);
return 1;
} else {
if (memcmp(key_name, name, 16) == 0) {
EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);
HMAC_Init_ex(hctx, key, sizeof(key), EVP_sha1(), NULL);
return 1;
}
}
return 0;
}
static int cb_ticket2(SSL* s, unsigned char* key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
{
fprintf(stderr, "ticket callback for SNI context should never be called\n");
EXIT(1);
return 0;
}
#endif
#define SCT_EXT_TYPE 18
/*
@@ -773,6 +854,7 @@ static void sv_usage(void)
#endif
#ifndef OPENSSL_NO_TLS1
fprintf(stderr, " -tls1 - use TLSv1\n");
fprintf(stderr, " -tls12 - use TLSv1.2\n");
#endif
#ifndef OPENSSL_NO_DTLS
fprintf(stderr, " -dtls1 - use DTLSv1\n");
@@ -820,6 +902,15 @@ static void sv_usage(void)
fprintf(stderr, " -sn_server2 <string> - have server context 2 respond to this servername\n");
fprintf(stderr, " -sn_expect1 - expected server 1\n");
fprintf(stderr, " -sn_expect2 - expected server 2\n");
#ifndef OPENSSL_NO_TLSEXT
fprintf(stderr, " -s_ticket1 <yes|no|broken> - enable/disable session tickets on context 1\n");
fprintf(stderr, " -s_ticket2 <yes|no> - enable/disable session tickets on context 2\n");
fprintf(stderr, " -c_ticket <yes|no> - enable/disable session tickets on the client\n");
fprintf(stderr, " -ticket_expect <yes|no> - indicate that the client should (or should not) have a ticket\n");
#endif
fprintf(stderr, " -sni_in_cert_cb - have the server handle SNI in the certificate callback\n");
fprintf(stderr, " -client_sigalgs arg - the signature algorithms to configure on the client\n");
fprintf(stderr, " -server_digest_expect arg - the expected server signing digest\n");
}
static void print_details(SSL *c_ssl, const char *prefix)
@@ -946,7 +1037,7 @@ int main(int argc, char *argv[])
int badop = 0;
int bio_pair = 0;
int force = 0;
int dtls1 = 0, dtls12 = 0, tls1 = 0, ssl2 = 0, ssl3 = 0, ret = 1;
int dtls1 = 0, dtls12 = 0, tls1 = 0, tls12 = 0, ssl2 = 0, ssl3 = 0, ret = 1;
int client_auth = 0;
int server_auth = 0, i;
struct app_verify_arg app_verify_arg =
@@ -1011,7 +1102,7 @@ int main(int argc, char *argv[])
}
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
RAND_seed(rnd_seed, sizeof rnd_seed);
RAND_seed(rnd_seed, sizeof(rnd_seed));
bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT);
@@ -1100,6 +1191,11 @@ int main(int argc, char *argv[])
no_protocol = 1;
#endif
tls1 = 1;
} else if (strcmp(*argv, "-tls12") == 0) {
#ifdef OPENSSL_NO_TLS1
no_protocol = 1;
#endif
tls12 = 1;
} else if (strcmp(*argv, "-ssl3") == 0) {
#ifdef OPENSSL_NO_SSL3_METHOD
no_protocol = 1;
@@ -1175,13 +1271,21 @@ int main(int argc, char *argv[])
} else if (strcmp(*argv, "-time") == 0) {
print_time = 1;
}
#ifndef OPENSSL_NO_COMP
else if (strcmp(*argv, "-zlib") == 0) {
#ifndef OPENSSL_NO_COMP
comp = COMP_ZLIB;
} else if (strcmp(*argv, "-rle") == 0) {
comp = COMP_RLE;
}
#else
fprintf(stderr,
"ignoring -zlib, since I'm compiled without COMP\n");
#endif
} else if (strcmp(*argv, "-rle") == 0) {
#ifndef OPENSSL_NO_COMP
comp = COMP_RLE;
#else
fprintf(stderr,
"ignoring -rle, since I'm compiled without COMP\n");
#endif
}
else if (strcmp(*argv, "-named_curve") == 0) {
if (--argc < 1)
goto bad;
@@ -1241,6 +1345,46 @@ int main(int argc, char *argv[])
sn_expect = 1;
} else if (strcmp(*argv, "-sn_expect2") == 0) {
sn_expect = 2;
#ifndef OPENSSL_NO_TLSEXT
} else if (strcmp(*argv, "-s_ticket1") == 0) {
if (--argc < 1)
goto bad;
argv++;
if (strcmp(*argv, "yes") == 0)
s_ticket1 = 1;
if (strcmp(*argv, "broken") == 0)
s_ticket1 = 2;
} else if (strcmp(*argv, "-s_ticket2") == 0) {
if (--argc < 1)
goto bad;
argv++;
if (strcmp(*argv, "yes") == 0)
s_ticket2 = 1;
} else if (strcmp(*argv, "-c_ticket") == 0) {
if (--argc < 1)
goto bad;
argv++;
if (strcmp(*argv, "yes") == 0)
c_ticket = 1;
} else if (strcmp(*argv, "-ticket_expect") == 0) {
if (--argc < 1)
goto bad;
argv++;
if (strcmp(*argv, "yes") == 0)
ticket_expect = 1;
else if (strcmp(*argv, "no") == 0)
ticket_expect = 0;
#endif
} else if (strcmp(*argv, "-sni_in_cert_cb") == 0) {
sni_in_cert_cb = 1;
} else if (strcmp(*argv, "-client_sigalgs") == 0) {
if (--argc < 1)
goto bad;
client_sigalgs = *(++argv);
} else if (strcmp(*argv, "-server_digest_expect") == 0) {
if (--argc < 1)
goto bad;
server_digest_expect = *(++argv);
} else {
fprintf(stderr, "unknown option %s\n", *argv);
badop = 1;
@@ -1271,9 +1415,9 @@ int main(int argc, char *argv[])
goto end;
}
if (ssl2 + ssl3 + tls1 + dtls1 + dtls12 > 1) {
fprintf(stderr, "At most one of -ssl2, -ssl3, -tls1, -dtls1 or -dtls12 should "
"be requested.\n");
if (ssl2 + ssl3 + tls1 + tls12 + dtls1 + dtls12 > 1) {
fprintf(stderr, "At most one of -ssl2, -ssl3, -tls1, -tls12, -dtls1 or "
"-dtls12 should be requested.\n");
EXIT(1);
}
@@ -1289,10 +1433,11 @@ int main(int argc, char *argv[])
goto end;
}
if (!ssl2 && !ssl3 && !tls1 && !dtls1 && !dtls12 && number > 1 && !reuse && !force) {
if (!ssl2 && !ssl3 && !tls1 && !tls12 && !dtls1 && !dtls12 && number > 1
&& !reuse && !force) {
fprintf(stderr, "This case cannot work. Use -f to perform "
"the test anyway (and\n-d to see what happens), "
"or add one of ssl2, -ssl3, -tls1, -dtls1, -dtls12, -reuse\n"
"or add one of ssl2, -ssl3, -tls1, -tls12, -dtls1, -dtls12, -reuse\n"
"to avoid protocol mismatch.\n");
EXIT(1);
}
@@ -1356,7 +1501,7 @@ int main(int argc, char *argv[])
#endif
/*
* At this point, ssl2/ssl3/tls1 is only set if the protocol is
* At this point, ssl2/ssl3/tls1/tls12 is only set if the protocol is
* available. (Otherwise we exit early.) However the compiler doesn't
* know this, so we ifdef.
*/
@@ -1380,6 +1525,8 @@ int main(int argc, char *argv[])
#ifndef OPENSSL_NO_TLS1
if (tls1)
meth = TLSv1_method();
else if (tls12)
meth = TLSv1_2_method();
else
#endif
meth = SSLv23_method();
@@ -1526,9 +1673,9 @@ int main(int argc, char *argv[])
{
int session_id_context = 0;
SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
sizeof session_id_context);
sizeof(session_id_context));
SSL_CTX_set_session_id_context(s_ctx2, (void *)&session_id_context,
sizeof session_id_context);
sizeof(session_id_context));
}
/* Use PSK only if PSK key is given */
@@ -1676,8 +1823,33 @@ int main(int argc, char *argv[])
OPENSSL_free(alpn);
}
if (sn_server1 || sn_server2)
SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb);
if (sn_server1 || sn_server2) {
if (sni_in_cert_cb)
SSL_CTX_set_cert_cb(s_ctx, cert_cb, NULL);
else
SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb);
}
#ifndef OPENSSL_NO_TLSEXT
if (s_ticket1 == 0)
SSL_CTX_set_options(s_ctx, SSL_OP_NO_TICKET);
/* always set the callback */
if (s_ticket1 == 2)
SSL_CTX_set_tlsext_ticket_key_cb(s_ctx, cb_ticket0);
else
SSL_CTX_set_tlsext_ticket_key_cb(s_ctx, cb_ticket1);
if (!s_ticket2)
SSL_CTX_set_options(s_ctx2, SSL_OP_NO_TICKET);
/* always set the callback - this should never be called */
SSL_CTX_set_tlsext_ticket_key_cb(s_ctx2, cb_ticket2);
if (!c_ticket)
SSL_CTX_set_options(c_ctx, SSL_OP_NO_TICKET);
#endif
if (client_sigalgs != NULL)
SSL_CTX_set1_sigalgs_list(c_ctx, client_sigalgs);
c_ssl = SSL_new(c_ctx);
s_ssl = SSL_new(s_ctx);
@@ -1689,9 +1861,9 @@ int main(int argc, char *argv[])
if (c_ssl && c_ssl->kssl_ctx) {
char localhost[MAXHOSTNAMELEN + 2];
if (gethostname(localhost, sizeof localhost - 1) == 0) {
localhost[sizeof localhost - 1] = '\0';
if (strlen(localhost) == sizeof localhost - 1) {
if (gethostname(localhost, sizeof(localhost) - 1) == 0) {
localhost[sizeof(localhost) - 1] = '\0';
if (strlen(localhost) == sizeof(localhost) - 1) {
BIO_printf(bio_err, "localhost name too long\n");
goto end;
}
@@ -1742,6 +1914,10 @@ int main(int argc, char *argv[])
ret = 1;
if (verify_servername(c_ssl, s_ssl) < 0)
ret = 1;
if (verify_ticket(c_ssl) < 0)
ret = 1;
if (verify_server_digest(c_ssl) < 0)
ret = 1;
SSL_free(s_ssl);
SSL_free(c_ssl);
@@ -1865,8 +2041,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
if (cw_num > 0) {
/* Write to server. */
if (cw_num > (long)sizeof cbuf)
i = sizeof cbuf;
if (cw_num > (long)sizeof(cbuf))
i = sizeof(cbuf);
else
i = (int)cw_num;
r = BIO_write(c_ssl_bio, cbuf, i);
@@ -1942,8 +2118,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
if (sw_num > 0) {
/* Write to client. */
if (sw_num > (long)sizeof sbuf)
i = sizeof sbuf;
if (sw_num > (long)sizeof(sbuf))
i = sizeof(sbuf);
else
i = (int)sw_num;
r = BIO_write(s_ssl_bio, sbuf, i);
@@ -2454,7 +2630,7 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
char *s, buf[256];
s = X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf,
sizeof buf);
sizeof(buf));
if (s != NULL) {
if (ok)
fprintf(stderr, "depth=%d %s\n", ctx->error_depth, buf);
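Review bot: In next_protos_parse the cast `*outlen = (unsigned char)(len + 1);` truncates the total length — `outlen` is declared `unsigned short *` in the signature at the top of the hunk, so a protocol list longer than 254 bytes would be reported with its high byte dropped while `out` still holds the full buffer. The per-protocol cast a few lines up, `out[start] = (unsigned char)(i - start);`, is correct since each entry's length byte is at most 255, but this one should be `*outlen = (unsigned short)(len + 1);`. How `len` is bounded is outside the hunk.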


@@ -972,7 +972,7 @@ int tls1_final_finish_mac(SSL *s,
int hashsize = EVP_MD_size(md);
EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
if (!hdgst || hashsize < 0
|| hashsize > (int)(sizeof buf - (size_t)(q - buf))) {
|| hashsize > (int)(sizeof(buf) - (size_t)(q - buf))) {
/*
* internal error: 'buf' is too small for this cipersuite!
*/
@@ -990,7 +990,7 @@ int tls1_final_finish_mac(SSL *s,
if (!tls1_PRF(ssl_get_algorithm2(s),
str, slen, buf, (int)(q - buf), NULL, 0, NULL, 0, NULL, 0,
s->session->master_key, s->session->master_key_length,
out, buf2, sizeof buf2))
out, buf2, sizeof(buf2)))
err = 1;
EVP_MD_CTX_cleanup(&ctx);
@@ -999,7 +999,7 @@ int tls1_final_finish_mac(SSL *s,
if (err)
return 0;
else
return sizeof buf2;
return sizeof(buf2);
}
int tls1_mac(SSL *ssl, unsigned char *md, int send)
@@ -1165,8 +1165,8 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
s->s3->client_random, SSL3_RANDOM_SIZE,
co, col,
s->s3->server_random, SSL3_RANDOM_SIZE,
so, sol, p, len, s->session->master_key, buff, sizeof buff);
OPENSSL_cleanse(buff, sizeof buff);
so, sol, p, len, s->session->master_key, buff, sizeof(buff));
OPENSSL_cleanse(buff, sizeof(buff));
#ifdef SSL_DEBUG
fprintf(stderr, "Premaster Secret:\n");
BIO_dump_fp(stderr, (char *)p, len);


@@ -179,6 +179,25 @@ int custom_ext_add(SSL *s, int server,
return 1;
}
/* Copy the flags from src to dst for any extensions that exist in both */
int custom_exts_copy_flags(custom_ext_methods *dst,
const custom_ext_methods *src)
{
size_t i;
custom_ext_method *methsrc = src->meths;
for (i = 0; i < src->meths_count; i++, methsrc++) {
custom_ext_method *methdst = custom_ext_find(dst, methsrc->ext_type);
if (methdst == NULL)
continue;
methdst->ext_flags = methsrc->ext_flags;
}
return 1;
}
/* Copy table of custom extensions */
int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src)
{
@@ -223,16 +242,14 @@ static int custom_ext_meth_add(custom_ext_methods *exts,
/* Search for duplicate */
if (custom_ext_find(exts, ext_type))
return 0;
exts->meths = OPENSSL_realloc(exts->meths,
(exts->meths_count +
1) * sizeof(custom_ext_method));
if (!exts->meths) {
exts->meths_count = 0;
meth = OPENSSL_realloc(exts->meths,
(exts->meths_count + 1)
* sizeof(custom_ext_method));
if (meth == NULL)
return 0;
}
meth = exts->meths + exts->meths_count;
exts->meths = meth;
meth += exts->meths_count;
memset(meth, 0, sizeof(custom_ext_method));
meth->parse_cb = parse_cb;
meth->add_cb = add_cb;
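Review bot: custom_exts_copy_flags has no failure path — its only exit is `return 1;` — yet it returns int and its caller in this commit (SSL_set_SSL_CTX) checks for 0 and returns NULL. Either document that the return is reserved, e.g. `/* Always returns 1; int for symmetry with custom_exts_copy() */`, or make it void so the caller's dead error path is obviously dead. The realloc fix in custom_ext_meth_add is right: on failure the old `exts->meths` array and `meths_count` are now preserved instead of being zeroed and leaked.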


@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -1035,7 +1035,7 @@ static unsigned char suiteb_sigalgs[] = {
tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
};
# endif
size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
{
/*
* If Suite B mode use Suite B sigalgs only, ignore any other
@@ -1057,7 +1057,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
}
# endif
/* If server use client authentication sigalgs if not NULL */
if (s->server && s->cert->client_sigalgs) {
if (s->server == sent && s->cert->client_sigalgs) {
*psigs = s->cert->client_sigalgs;
return s->cert->client_sigalgslen;
} else if (s->cert->conf_sigalgs) {
@@ -1121,7 +1121,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
# endif
/* Check signature matches a type we sent */
sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
break;
@@ -1169,7 +1169,7 @@ void ssl_set_client_disabled(SSL *s)
* Now go through all signature algorithms seeing if we support any for
* RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2.
*/
sigalgslen = tls12_get_psigalgs(s, &sigalgs);
sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
switch (sigalgs[1]) {
# ifndef OPENSSL_NO_RSA
@@ -1440,7 +1440,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
if (SSL_CLIENT_USE_SIGALGS(s)) {
size_t salglen;
const unsigned char *salg;
salglen = tls12_get_psigalgs(s, &salg);
salglen = tls12_get_psigalgs(s, 1, &salg);
/*-
* check for enough space.
@@ -1769,6 +1769,9 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
return NULL;
s2n(TLSEXT_TYPE_session_ticket, ret);
s2n(0, ret);
} else {
/* if we don't add the above TLSEXT, we can't add a session ticket later */
s->tlsext_ticket_expected = 0;
}
if (s->tlsext_status_expected) {
@@ -1913,7 +1916,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
s2n(3 + len, ret);
s2n(1 + len, ret);
*ret++ = len;
*ret++ = (unsigned char)len;
memcpy(ret, selected, len);
ret += len;
}
@@ -2281,8 +2284,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
# ifndef OPENSSL_NO_EC
else if (type == TLSEXT_TYPE_ec_point_formats) {
unsigned char *sdata = data;
int ecpointformatlist_length = *(sdata++);
int ecpointformatlist_length;
if (size == 0)
goto err;
ecpointformatlist_length = *(sdata++);
if (ecpointformatlist_length != size - 1 ||
ecpointformatlist_length < 1)
goto err;
@@ -2708,8 +2715,14 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
# ifndef OPENSSL_NO_EC
else if (type == TLSEXT_TYPE_ec_point_formats) {
unsigned char *sdata = data;
int ecpointformatlist_length = *(sdata++);
int ecpointformatlist_length;
if (size == 0) {
*al = TLS1_AD_DECODE_ERROR;
return 0;
}
ecpointformatlist_length = *(sdata++);
if (ecpointformatlist_length != size - 1) {
*al = TLS1_AD_DECODE_ERROR;
return 0;
@@ -3502,6 +3515,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
EVP_CIPHER_CTX ctx;
SSL_CTX *tctx = s->initial_ctx;
/* Need at least keyname + iv */
if (eticklen < 16 + EVP_MAX_IV_LENGTH)
return 2;
/* Initialize session ticket encryption and HMAC contexts */
HMAC_CTX_init(&hctx);
EVP_CIPHER_CTX_init(&ctx);
@@ -3510,9 +3527,12 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
&ctx, &hctx, 0);
if (rv < 0)
return -1;
if (rv == 0)
goto err;
if (rv == 0) {
HMAC_CTX_cleanup(&hctx);
EVP_CIPHER_CTX_cleanup(&ctx);
return 2;
}
if (rv == 2)
renew_ticket = 1;
} else {
@@ -3574,8 +3594,14 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
p = sdec;
sess = d2i_SSL_SESSION(NULL, &p, slen);
slen -= p - sdec;
OPENSSL_free(sdec);
if (sess) {
/* Some additional consistency checks */
if (slen != 0 || sess->session_id_length != 0) {
SSL_SESSION_free(sess);
return 2;
}
/*
* The session ID, if non-empty, is used by some clients to detect
* that the ticket has been accepted. So we copy it to the session
@@ -3803,7 +3829,7 @@ static int tls1_set_shared_sigalgs(SSL *s)
conf = c->conf_sigalgs;
conflen = c->conf_sigalgslen;
} else
conflen = tls12_get_psigalgs(s, &conf);
conflen = tls12_get_psigalgs(s, 0, &conf);
if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
pref = conf;
preflen = conflen;
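Review bot: In tls_decrypt_ticket the `if (rv < 0) return -1;` path still returns with `hctx` and `ctx` un-cleaned, while the `rv == 0` path added here does clean them up; a third-party callback that initialises either context and then reports an error would leak the cipher/HMAC state those init calls allocate. Make the two paths symmetric: `if (rv < 0) { HMAC_CTX_cleanup(&hctx); EVP_CIPHER_CTX_cleanup(&ctx); return -1; }`. The new early `return 2` on a short ticket needs no cleanup since it runs before HMAC_CTX_init/EVP_CIPHER_CTX_init. tls_decrypt_ticket starts and ends outside the hunk.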


@@ -1247,13 +1247,15 @@ void SSL_trace(int write_p, int version, int content_type,
break;
case SSL3_RT_ALERT:
if (msglen != 2)
if (msglen != 2) {
BIO_puts(bio, " Illegal Alert Length\n");
else {
} else {
BIO_printf(bio, " Level=%s(%d), description=%s(%d)\n",
SSL_alert_type_string_long(msg[0] << 8),
msg[0], SSL_alert_desc_string_long(msg[1]), msg[1]);
}
break;
case TLS1_RT_HEARTBEAT:
ssl_print_heartbeat(bio, 4, msg, msglen);
break;


@@ -317,7 +317,7 @@ int SSL_get_servername_type(const SSL *s);
*/
int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
const char *label, size_t llen,
const unsigned char *p, size_t plen,
const unsigned char *context, size_t contextlen,
int use_context);
int SSL_get_sigalgs(SSL *s, int idx,