diff options
| -rw-r--r-- | lib/libssl/d1_lib.c | 1 | ||||
| -rw-r--r-- | lib/libssl/s3_lib.c | 2 | ||||
| -rw-r--r-- | lib/libssl/ssl_lib.c | 1 | ||||
| -rw-r--r-- | lib/libssl/ssl_locl.h | 37 | ||||
| -rw-r--r-- | lib/libssl/t1_clnt.c | 4 | ||||
| -rw-r--r-- | lib/libssl/t1_lib.c | 38 | ||||
| -rw-r--r-- | lib/libssl/t1_meth.c | 4 | ||||
| -rw-r--r-- | lib/libssl/t1_srvr.c | 4 |
8 files changed, 82 insertions, 9 deletions
diff --git a/lib/libssl/d1_lib.c b/lib/libssl/d1_lib.c index 87bc9b68c6b..4ee3e361681 100644 --- a/lib/libssl/d1_lib.c +++ b/lib/libssl/d1_lib.c @@ -86,6 +86,7 @@ SSL3_ENC_METHOD DTLSv1_enc_data = { .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, .alert_value = tls1_alert_code, .export_keying_material = tls1_export_keying_material, + .enc_flags = SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV, }; long diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 2f4ab388631..e3770bd0aec 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -2270,6 +2270,7 @@ SSL3_ENC_METHOD SSLv3_enc_data = { .export_keying_material = (int (*)(SSL *, unsigned char *, size_t, const char *, size_t, const unsigned char *, size_t, int use_context))ssl_undefined_function, + .enc_flags = 0, }; long @@ -3062,7 +3063,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, emask_k = cert->export_mask_k; emask_a = cert->export_mask_a; - alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index f1c92ee2f62..6cc02c8d7a1 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -182,6 +182,7 @@ SSL3_ENC_METHOD ssl3_undef_enc_method = { .export_keying_material = (int (*)(SSL *, unsigned char *, size_t, const char *, size_t, const unsigned char *, size_t, int use_context))ssl_undefined_function, + .enc_flags = 0, }; int diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 464a4a88fea..11250ba4682 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -408,8 +408,20 @@ (c)->algo_strength) #define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength) +/* Check if an SSL structure is using DTLS. */ +#define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) +/* See if we need explicit IV. */ +#define SSL_USE_EXPLICIT_IV(s) \ + (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV) +/* See if we use signature algorithms extension. */ +#define SSL_USE_SIGALGS(s) \ + (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SIGALGS) + +/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ +#define SSL_USE_TLS1_2_CIPHERS(s) \ + (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) /* Mostly for SSLv3 */ #define SSL_PKEY_RSA_ENC 0 @@ -535,8 +547,29 @@ typedef struct ssl3_enc_method { int (*export_keying_material)(SSL *, unsigned char *, size_t, const char *, size_t, const unsigned char *, size_t, int use_context); + /* Flags indicating protocol version requirements. */ + unsigned int enc_flags; } SSL3_ENC_METHOD; +/* + * Flag values for enc_flags. + */ + +/* Uses explicit IV. */ +#define SSL_ENC_FLAG_EXPLICIT_IV (1 << 0) + +/* Uses signature algorithms extension. */ +#define SSL_ENC_FLAG_SIGALGS (1 << 1) + +/* Uses SHA256 default PRF. */ +#define SSL_ENC_FLAG_SHA256_PRF (1 << 2) + +/* Is DTLS. */ +#define SSL_ENC_FLAG_DTLS (1 << 3) + +/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ +#define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4) + #ifndef OPENSSL_NO_COMP /* Used for holding the relevant compression methods loaded into SSL_CTX */ typedef struct ssl3_comp_st { @@ -552,11 +585,11 @@ extern SSL_CIPHER ssl3_ciphers[]; SSL_METHOD *ssl_bad_method(int ver); extern SSL3_ENC_METHOD TLSv1_enc_data; +extern SSL3_ENC_METHOD TLSv1_1_enc_data; +extern SSL3_ENC_METHOD TLSv1_2_enc_data; extern SSL3_ENC_METHOD SSLv3_enc_data; extern SSL3_ENC_METHOD DTLSv1_enc_data; -#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) - void ssl_clear_cipher_ctx(SSL *s); int ssl_clear_bad_session(SSL *s); CERT *ssl_cert_new(void); diff --git a/lib/libssl/t1_clnt.c b/lib/libssl/t1_clnt.c index 2223422d93a..39b1d2a324a 100644 --- a/lib/libssl/t1_clnt.c +++ b/lib/libssl/t1_clnt.c @@ -123,7 +123,7 @@ const SSL_METHOD TLSv1_1_client_method_data = { .get_cipher = ssl3_get_cipher, .get_ssl_method = tls1_get_client_method, .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_enc_data, + .ssl3_enc = &TLSv1_1_enc_data, .ssl_version = ssl_undefined_void_function, .ssl_callback_ctrl = ssl3_callback_ctrl, .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, @@ -155,7 +155,7 @@ const SSL_METHOD TLSv1_2_client_method_data = { .get_cipher = ssl3_get_cipher, .get_ssl_method = tls1_get_client_method, .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_enc_data, + .ssl3_enc = &TLSv1_2_enc_data, .ssl_version = ssl_undefined_void_function, .ssl_callback_ctrl = ssl3_callback_ctrl, .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 205c2558fb5..1424eab6e66 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -140,6 +140,44 @@ SSL3_ENC_METHOD TLSv1_enc_data = { .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, .alert_value = tls1_alert_code, .export_keying_material = tls1_export_keying_material, + .enc_flags = 0, +}; + +SSL3_ENC_METHOD TLSv1_1_enc_data = { + .enc = tls1_enc, + .mac = tls1_mac, + .setup_key_block = tls1_setup_key_block, + .generate_master_secret = tls1_generate_master_secret, + .change_cipher_state = tls1_change_cipher_state, + .final_finish_mac = tls1_final_finish_mac, + .finish_mac_length = TLS1_FINISH_MAC_LENGTH, + .cert_verify_mac = tls1_cert_verify_mac, + .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, + .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, + .server_finished_label = TLS_MD_SERVER_FINISH_CONST, + .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, + .alert_value = tls1_alert_code, + .export_keying_material = tls1_export_keying_material, + .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, +}; + +SSL3_ENC_METHOD TLSv1_2_enc_data = { + .enc = tls1_enc, + .mac = tls1_mac, + .setup_key_block = tls1_setup_key_block, + .generate_master_secret = tls1_generate_master_secret, + .change_cipher_state = tls1_change_cipher_state, + .final_finish_mac = tls1_final_finish_mac, + .finish_mac_length = TLS1_FINISH_MAC_LENGTH, + .cert_verify_mac = tls1_cert_verify_mac, + .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, + .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, + .server_finished_label = TLS_MD_SERVER_FINISH_CONST, + .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, + .alert_value = tls1_alert_code, + .export_keying_material = tls1_export_keying_material, + .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| + SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, }; long diff --git a/lib/libssl/t1_meth.c b/lib/libssl/t1_meth.c index b39303b369f..6bdffd2332e 100644 --- a/lib/libssl/t1_meth.c +++ b/lib/libssl/t1_meth.c @@ -120,7 +120,7 @@ const SSL_METHOD TLSv1_1_method_data = { .get_cipher = ssl3_get_cipher, .get_ssl_method = tls1_get_method, .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_enc_data, + .ssl3_enc = &TLSv1_1_enc_data, .ssl_version = ssl_undefined_void_function, .ssl_callback_ctrl = ssl3_callback_ctrl, .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, @@ -152,7 +152,7 @@ const SSL_METHOD TLSv1_2_method_data = { .get_cipher = ssl3_get_cipher, .get_ssl_method = tls1_get_method, .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_enc_data, + .ssl3_enc = &TLSv1_2_enc_data, .ssl_version = ssl_undefined_void_function, .ssl_callback_ctrl = ssl3_callback_ctrl, .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, diff --git a/lib/libssl/t1_srvr.c b/lib/libssl/t1_srvr.c index d38afc5a21c..721b190a84f 100644 --- a/lib/libssl/t1_srvr.c +++ b/lib/libssl/t1_srvr.c @@ -124,7 +124,7 @@ const SSL_METHOD TLSv1_1_server_method_data = { .get_cipher = ssl3_get_cipher, .get_ssl_method = tls1_get_server_method, .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_enc_data, + .ssl3_enc = &TLSv1_1_enc_data, .ssl_version = ssl_undefined_void_function, .ssl_callback_ctrl = ssl3_callback_ctrl, .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, @@ -156,7 +156,7 @@ const SSL_METHOD TLSv1_2_server_method_data = { .get_cipher = ssl3_get_cipher, .get_ssl_method = tls1_get_server_method, .get_timeout = tls1_default_timeout, - .ssl3_enc = &TLSv1_enc_data, + .ssl3_enc = &TLSv1_2_enc_data, .ssl_version = ssl_undefined_void_function, .ssl_callback_ctrl = ssl3_callback_ctrl, .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, |