diff options
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libssl/s3_clnt.c | 22 | ||||
-rw-r--r-- | lib/libssl/s3_lib.c | 24 | ||||
-rw-r--r-- | lib/libssl/ssl_lib.c | 19 | ||||
-rw-r--r-- | lib/libssl/ssl_locl.h | 5 |
4 files changed, 30 insertions, 40 deletions
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c index 848de8c268e..9ccc67acb94 100644 --- a/lib/libssl/s3_clnt.c +++ b/lib/libssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.87 2014/08/11 01:10:42 jsing Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.88 2014/08/23 14:52:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -775,9 +775,10 @@ ssl3_get_server_hello(SSL *s) { STACK_OF(SSL_CIPHER) *sk; const SSL_CIPHER *c; - unsigned char *p, *d; + unsigned char *p, *q, *d; int i, al, ok; - unsigned int j; + unsigned int j, cipher_id; + uint16_t cipher_value; long n; n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, @@ -830,7 +831,7 @@ ssl3_get_server_hello(SSL *s) p += SSL3_RANDOM_SIZE; /* get the session-id */ - j= *(p++); + j = *(p++); if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) { @@ -843,6 +844,11 @@ ssl3_get_server_hello(SSL *s) if (p + j + 2 - d > n) goto truncated; + /* Get the cipher value. */ + q = p + j; + n2s(q, cipher_value); + cipher_id = SSL3_CK_ID | cipher_value; + /* * Check if we want to resume the session based on external * pre-shared secret @@ -854,7 +860,7 @@ ssl3_get_server_hello(SSL *s) &s->session->master_key_length, NULL, &pref_cipher, s->tls_session_secret_cb_arg)) { s->session->cipher = pref_cipher ? - pref_cipher : ssl3_get_cipher_by_char(p + j); + pref_cipher : ssl3_get_cipher_by_id(cipher_id); s->s3->flags |= SSL3_FLAGS_CCS_OK; } } @@ -885,10 +891,11 @@ ssl3_get_server_hello(SSL *s) } } s->session->session_id_length = j; - memcpy(s->session->session_id,p,j); /* j could be 0 */ + memcpy(s->session->session_id, p, j); /* j could be 0 */ } p += j; - c = ssl3_get_cipher_by_char(p); + + c = ssl3_get_cipher_by_id(cipher_id); if (c == NULL) { /* unknown cipher */ al = SSL_AD_ILLEGAL_PARAMETER; @@ -896,6 +903,7 @@ ssl3_get_server_hello(SSL *s) SSL_R_UNKNOWN_CIPHER_RETURNED); goto f_err; } + /* TLS v1.2 only ciphersuites require v1.2 or later */ if ((c->algorithm_ssl & SSL_TLSV1_2) && (TLS1_get_version(s) < TLS1_2_VERSION)) { diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 1d84effeeab..1578f0388dc 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.76 2014/08/11 01:06:22 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.77 2014/08/23 14:52:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2452,28 +2452,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) return (1); } -/* This function needs to check if the ciphers required are actually - * available */ -const SSL_CIPHER * -ssl3_get_cipher_by_char(const unsigned char *p) -{ - SSL_CIPHER c; - const SSL_CIPHER *cp; - unsigned long id; - - id = 0x03000000L | ((unsigned long)p[0] << 8L) | (unsigned long)p[1]; - c.id = id; - cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); -#ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES - if (cp == NULL) - fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) | p[1]); -#endif - if (cp == NULL || cp->valid == 0) - return NULL; - else - return cp; -} - int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) { diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 55ab469df5b..e5dedf0ba4a 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.81 2014/08/11 10:46:19 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.82 2014/08/23 14:52:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1408,6 +1408,8 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, const SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk; int i; + unsigned int cipher_id; + uint16_t cipher_value; if (s->s3) s->s3->send_connection_binding = 0; @@ -1427,10 +1429,12 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, } for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) { + n2s(p, cipher_value); + cipher_id = SSL3_CK_ID | cipher_value; + /* Check for SCSV */ - if (s->s3 && (p[0] == ((SSL3_CK_SCSV >> 8) & 0xff)) && - (p[1] == (SSL3_CK_SCSV & 0xff))) { - /* SCSV fatal if renegotiating */ + if (s->s3 && cipher_id == SSL3_CK_SCSV) { + /* SCSV is fatal if renegotiating. */ if (s->renegotiate) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); @@ -1440,12 +1444,10 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, goto err; } s->s3->send_connection_binding = 1; - p += SSL3_CIPHER_VALUE_SIZE; continue; } - c = ssl3_get_cipher_by_char(p); - p += SSL3_CIPHER_VALUE_SIZE; + c = ssl3_get_cipher_by_id(cipher_id); if (c != NULL) { if (!sk_SSL_CIPHER_push(sk, c)) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, @@ -1458,8 +1460,9 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, if (skp != NULL) *skp = sk; return (sk); + err: - if ((skp == NULL) || (*skp == NULL)) + if (skp == NULL || *skp == NULL) sk_SSL_CIPHER_free(sk); return (NULL); } diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 87b27a1d996..1c823c046ae 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.65 2014/08/11 01:06:22 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.66 2014/08/23 14:52:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -325,6 +325,8 @@ * make sure to update this constant too */ #define SSL_MAX_DIGEST 6 +#define SSL3_CK_ID 0x03000000 + #define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT) #define TLS1_PRF_DGST_SHIFT 10 @@ -594,7 +596,6 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); int ssl_verify_alarm_type(long type); void ssl_load_ciphers(void); -const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); void ssl3_init_finished_mac(SSL *s); int ssl3_send_server_certificate(SSL *s); |