From 1e9053549fdf9244255c71d92ffdc6580eb465f3 Mon Sep 17 00:00:00 2001
From: tedu
Date: Fri, 18 Apr 2014 21:19:20 +0000
Subject: [PATCH] now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
---
 lib/libssl/src/ssl/t1_enc.c | 157 +++++++++++++++----------------
 lib/libssl/src/ssl/t1_lib.c | 182 ++++++++++++++++++------------------
 lib/libssl/t1_enc.c | 157 +++++++++++++++----------------
 lib/libssl/t1_lib.c | 182 ++++++++++++++++++------------------
 4 files changed, 332 insertions(+), 346 deletions(-)
diff --git a/lib/libssl/src/ssl/t1_enc.c b/lib/libssl/src/ssl/t1_enc.c
index fb471b2f14f..fc7a23fb4b5 100644
--- a/lib/libssl/src/ssl/t1_enc.c
+++ b/lib/libssl/src/ssl/t1_enc.c
@@ -219,9 +219,8 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len, /* calc the next A1 value */ if (!EVP_DigestSignFinal(&ctx_tmp, A1, &A1_len)) goto err; - } - else /* last one */ - { + } else { + /* last one */ if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) goto err; memcpy(out, A1, olen);
@@ -269,10 +268,10 @@ tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, goto err; } - if (!tls1_P_hash(md , S1, len + (slen&1), - seed1, seed1_len, seed2, seed2_len, seed3, seed3_len, seed4, seed4_len, seed5, seed5_len, - out2, olen)) - goto err; + if (!tls1_P_hash(md , S1, len + (slen&1), seed1, + seed1_len, seed2, seed2_len, seed3, seed3_len, + seed4, seed4_len, seed5, seed5_len, out2, olen)) + goto err; S1 += len; for (i = 0; i < olen; i++) { out1[i] ^= out2[i];
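Review bot: The re-flowed tls1_P_hash call in the tls1_PRF hunk keeps `md , S1` (space before the comma) and `(slen&1)` with the pre-cleanup spacing, which is at odds with a commit whose whole purpose is spacing normalisation; the first new line should read `if (!tls1_P_hash(md, S1, len + (slen & 1), seed1,`. The same line is reproduced unchanged in the duplicate hunk for lib/libssl/t1_enc.c later on this page. tls1_PRF's body starts and ends outside the hunk.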
@@ -288,13 +287,14 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num) { int ret; + ret = tls1_PRF(ssl_get_algorithm2(s), - TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, - s->s3->server_random, SSL3_RANDOM_SIZE, - s->s3->client_random, SSL3_RANDOM_SIZE, - NULL, 0, NULL, 0, - s->session->master_key, s->session->master_key_length, - km, tmp, num); + TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, + s->s3->server_random, SSL3_RANDOM_SIZE, + s->s3->client_random, SSL3_RANDOM_SIZE, + NULL, 0, NULL, 0, + s->session->master_key, s->session->master_key_length, + km, tmp, num); #ifdef KSSL_DEBUG printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", s->session->master_key_length); @@ -369,9 +369,10 @@ tls1_change_cipher_state(SSL *s, int which) reuse_dd = 1; else if ((s->enc_read_ctx = malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; - else + else { /* make sure it's intialized in case we exit later with an error */ - EVP_CIPHER_CTX_init(s->enc_read_ctx); + EVP_CIPHER_CTX_init(s->enc_read_ctx); + } dd = s->enc_read_ctx; mac_ctx = ssl_replace_hash(&s->read_hash, NULL); #ifndef OPENSSL_NO_COMP @@ -386,8 +387,7 @@ tls1_change_cipher_state(SSL *s, int which) goto err2; } if (s->s3->rrec.comp == NULL) - s->s3->rrec.comp = (unsigned char *) - malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); + s->s3->rrec.comp = malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); if (s->s3->rrec.comp == NULL) goto err; } 
@@ -438,11 +438,11 @@ tls1_change_cipher_state(SSL *s, int which) EVP_CIPHER_CTX_cleanup(dd); p = s->s3->tmp.key_block; - i=*mac_secret_size = s->s3->tmp.new_mac_secret_size; + i = *mac_secret_size = s->s3->tmp.new_mac_secret_size; cl = EVP_CIPHER_key_length(c); j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? - cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; + cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ /* If GCM mode only part of IV comes from PRF */ if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) @@ -480,7 +480,7 @@ tls1_change_cipher_state(SSL *s, int which) memcpy(mac_secret, ms, i); - if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) { + if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, *mac_secret_size); EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key); @@ -495,22 +495,22 @@ tls1_change_cipher_state(SSL *s, int which) * same value since only the correct one will be used :-). */ if (!tls1_PRF(ssl_get_algorithm2(s), - exp_label, exp_label_len, - s->s3->client_random, SSL3_RANDOM_SIZE, - s->s3->server_random, SSL3_RANDOM_SIZE, - NULL, 0, NULL, 0, - key, j, tmp1, tmp2, EVP_CIPHER_key_length(c))) - goto err2; + exp_label, exp_label_len, + s->s3->client_random, SSL3_RANDOM_SIZE, + s->s3->server_random, SSL3_RANDOM_SIZE, + NULL, 0, NULL, 0, + key, j, tmp1, tmp2, EVP_CIPHER_key_length(c))) + goto err2; key = tmp1; if (k > 0) { if (!tls1_PRF(ssl_get_algorithm2(s), - TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, - s->s3->client_random, SSL3_RANDOM_SIZE, - s->s3->server_random, SSL3_RANDOM_SIZE, - NULL, 0, NULL, 0, - empty, 0, iv1, iv2, k*2)) - goto err2; + TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, + s->s3->client_random, SSL3_RANDOM_SIZE, + s->s3->server_random, SSL3_RANDOM_SIZE, + NULL, 0, NULL, 0, + empty, 0, iv1, iv2, k*2)) + goto err2; if (client_write) iv = iv1; else 
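Review bot: The condition re-spaced to `if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) {` guards an `EVP_PKEY_new_mac_key(...)` call and an `EVP_DigestSignInit(...)` call whose results are still not checked, so a NULL key or a failed init would leave mac_ctx unkeyed and only surface when the first record MAC is computed; something like `if (mac_key == NULL || !EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key)) goto err2;` would fail the cipher-state change explicitly, with mac_key released the way the function's existing error path does (that path, and the rest of tls1_change_cipher_state, lie outside the hunk). The `EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, ...)` call whose continuation line is re-indented in the next hunk ignores its return value in the same way. Separately, the re-wrapped IV-block PRF call still passes `k*2` without the operator spacing the commit adds elsewhere. Both points apply equally to the duplicate hunks in lib/libssl/t1_enc.c.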
@@ -537,9 +537,9 @@ tls1_change_cipher_state(SSL *s, int which) EVP_CipherInit_ex(dd, c, NULL, key, iv,(which & SSL3_CC_WRITE)); /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ - if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size) + if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size) EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, - *mac_secret_size, mac_secret); + *mac_secret_size, mac_secret); #ifdef TLS_DEBUG printf("which = %04X\nkey=", which); @@ -588,7 +588,7 @@ tls1_setup_key_block(SSL *s) s->s3->tmp.new_mac_pkey_type = mac_type; s->s3->tmp.new_mac_secret_size = mac_secret_size; num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c); - num*=2; + num *= 2; ssl3_cleanup_key_block(s); @@ -620,8 +620,8 @@ tls1_setup_key_block(SSL *s) { int z; for (z = 0; zoptions & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) - && s->method->version <= TLS1_VERSION) { + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && + s->method->version <= TLS1_VERSION) { /* enable vulnerability countermeasure for CBC ciphers with * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ @@ -678,8 +678,8 @@ tls1_enc(SSL *s, int send) int ivlen; enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); /* For TLSv1.1 and later explicit IV */ - if (s->version >= TLS1_1_VERSION - && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) + if (s->version >= TLS1_1_VERSION && + EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) ivlen = EVP_CIPHER_iv_length(enc); else ivlen = 0; @@ -720,7 +720,7 @@ tls1_enc(SSL *s, int send) l = rec->length; bs = EVP_CIPHER_block_size(ds->cipher); - if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) { + if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { unsigned char buf[13], *seq; seq = send ? s->s3->write_sequence : s->s3->read_sequence; 
@@ -733,14 +733,10 @@ tls1_enc(SSL *s, int send) memcpy(buf, dtlsseq, 8); } else { memcpy(buf, seq, 8); - for (i = 7; - i >= 0; - i--) /* increment */ - { + for (i = 7; i >= 0; i--) { /* increment */ ++seq[i]; if (seq[i] != 0) break; - } } @@ -748,7 +744,7 @@ tls1_enc(SSL *s, int send) buf[9] = (unsigned char)(s->version >> 8); buf[10] = (unsigned char)(s->version); buf[11] = rec->length >> 8; - buf[12] = rec->length&0xff; + buf[12] = rec->length & 0xff; pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); if (send) { l += pad; @@ -795,10 +791,9 @@ tls1_enc(SSL *s, int send) } i = EVP_Cipher(ds, rec->data, rec->input, l); - if ((EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_CUSTOM_CIPHER) - ?(i < 0) - :(i == 0)) - return -1; /* AEAD can fail to verify MAC */ + if ((EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_CUSTOM_CIPHER) ? + (i < 0) : (i == 0)) + return -1; /* AEAD can fail to verify MAC */ if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) { rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN; rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN; @@ -837,7 +832,8 @@ tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) return 0; for (i = 0; i < SSL_MAX_DIGEST; i++) { - if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) { + if (s->s3->handshake_dgst[i] && + EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) { d = s->s3->handshake_dgst[i]; break; } 
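Review bot: The compacted loop `for (i = 7; i >= 0; i--) { /* increment */` still carries only the word "increment" for a step the commit message itself says the author is unsure about: the eight bytes of seq are treated as a big-endian counter, the loop adds one at byte 7 and carries leftward, and it stops at the first byte that does not wrap to zero. A comment that states this, e.g. `/* big-endian increment of the 8-byte record sequence number, with carry */`, would replace the bare `/* increment */`. The same loop shape is in tls1_mac (the `@@ -1001,7 +995,6 @@` hunk, where only the stray brace is removed) and in both corresponding hunks of the duplicate lib/libssl/t1_enc.c. Note that the counter wraps silently to zero after 2^64 records with no check in this loop; whether a wrap is prevented elsewhere is not visible here.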
@@ -879,24 +875,25 @@ tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out) if (mask & ssl_get_algorithm2(s)) { int hashsize = EVP_MD_size(md); EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; - if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q - buf))) { + if (!hdgst || hashsize < 0 || + hashsize > (int)(sizeof buf - (size_t)(q - buf))) { /* internal error: 'buf' is too small for this cipersuite! */ err = 1; } else { if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || - !EVP_DigestFinal_ex(&ctx, q, &i) || - (i != (unsigned int)hashsize)) - err = 1; + !EVP_DigestFinal_ex(&ctx, q, &i) || + (i != (unsigned int)hashsize)) + err = 1; q += hashsize; } } } - if (!tls1_PRF(ssl_get_algorithm2(s), - str, slen, buf,(int)(q - buf), NULL, 0, NULL, 0, NULL, 0, - s->session->master_key, s->session->master_key_length, - out, buf2, sizeof buf2)) - err = 1; + if (!tls1_PRF(ssl_get_algorithm2(s), str, slen, buf,(int)(q - buf), + NULL, 0, NULL, 0, NULL, 0, + s->session->master_key, s->session->master_key_length, + out, buf2, sizeof buf2)) + err = 1; EVP_MD_CTX_cleanup(&ctx); if (err) @@ -945,7 +942,7 @@ tls1_mac(SSL *ssl, unsigned char *md, int send) unsigned char dtlsseq[8], *p = dtlsseq; s2n(send ? ssl->d1->w_epoch : ssl->d1->r_epoch, p); - memcpy (p, &seq[2], 6); + memcpy(p, &seq[2], 6); memcpy(header, dtlsseq, 8); } else 
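Review bot: The re-flowed PRF call in tls1_final_finish_mac keeps `buf,(int)(q - buf)` with no space after the comma on its first new line; `if (!tls1_PRF(ssl_get_algorithm2(s), str, slen, buf, (int)(q - buf),` is what the rest of the commit's spacing implies. The same text recurs in the duplicate hunk for lib/libssl/t1_enc.c. tls1_final_finish_mac's body starts and ends outside the hunk.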
@@ -961,21 +958,18 @@ tls1_mac(SSL *ssl, unsigned char *md, int send) header[11] = (rec->length) >> 8; header[12] = (rec->length)&0xff; - if (!send && - EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && - ssl3_cbc_record_digest_supported(mac_ctx)) { + if (!send && EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && + ssl3_cbc_record_digest_supported(mac_ctx)) { /* This is a CBC-encrypted record. We must avoid leaking any * timing-side channel information about how many blocks of * data we are hashing because that gives an attacker a * timing-oracle. */ - ssl3_cbc_digest_record( - mac_ctx, - md, &md_size, - header, rec->input, - rec->length + md_size, orig_len, - ssl->s3->read_mac_secret, - ssl->s3->read_mac_secret_size, - 0 /* not SSLv3 */); + ssl3_cbc_digest_record(mac_ctx, + md, &md_size, header, rec->input, + rec->length + md_size, orig_len, + ssl->s3->read_mac_secret, + ssl->s3->read_mac_secret_size, + 0 /* not SSLv3 */); } else { EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)); EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length); @@ -1001,7 +995,6 @@ tls1_mac(SSL *ssl, unsigned char *md, int send) ++seq[i]; if (seq[i] != 0) break; - } } 
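Review bot: Several conditions joined onto one line by this commit now appear to exceed the 80-column KNF limit, starting with `if (!send && EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&` here, which is about 83 columns at one tab of indent (the collapsed rendering no longer shows the indentation, so treat the count as approximate); the old three-line form fitted. The same applies to `if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {` and `if (s->s3->server_opaque_prf_input != NULL && s->version != DTLS1_VERSION) {` in ssl_add_serverhello_tlsext, to the `!s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {` line and `if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {` in ssl_parse_serverhello_tlsext, and to the final `((alg_k & ...) || (alg_a & SSL_aECDSA))) {` line in ssl_check_serverhello_tlsext. Breaking each after the first `&&` keeps the intent of the cleanup without the overlong lines. tls1_mac's body starts and ends outside this hunk.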
@@ -1115,20 +1108,20 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, * comparisons won't have buffer overflow */ if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, - TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1; + TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) + goto err1; if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, - TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1; + TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) + goto err1; if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, - TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1; + TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) + goto err1; if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, - TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1; + TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) + goto err1; rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2, - val, vallen, - NULL, 0, - NULL, 0, - NULL, 0, - NULL, 0, + val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, s->session->master_key, s->session->master_key_length, out, buff, olen); diff --git a/lib/libssl/src/ssl/t1_lib.c b/lib/libssl/src/ssl/t1_lib.c index 6ee2289153f..f6cfb508f60 100644 --- a/lib/libssl/src/ssl/t1_lib.c +++ b/lib/libssl/src/ssl/t1_lib.c @@ -152,8 +152,9 @@ tls1_default_timeout(void) int tls1_new(SSL *s) { - if (!ssl3_new(s)) return (0); - s->method->ssl_clear(s); + if (!ssl3_new(s)) + return (0); + s->method->ssl_clear(s); return (1); } @@ -349,13 +350,14 @@ unsigned char unsigned char *ret = p; /* don't add extensions for SSLv3 unless doing secure renegotiation */ - if (s->client_version == SSL3_VERSION - && !s->s3->send_connection_binding) - return p; + if (s->client_version == SSL3_VERSION && + !s->s3->send_connection_binding) + return p; ret += 2; - if (ret>=limit) return NULL; /* this really never occurs, but ... */ + if (ret>=limit) + return NULL; /* this really never occurs, but ... */ if (s->tlsext_hostname != NULL) { /* Add TLS extension servername to the Client Hello message */ 
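Review bot: The new line `if (ret>=limit)` in ssl_add_clienthello_tlsext keeps the unspaced comparison operator while the lines around it are being normalised; `if (ret >= limit)` matches the rest of the commit. The identical line reappears in ssl_add_serverhello_tlsext (the `@@ -682,11 +685,12 @@` hunk) and presumably in the duplicate lib/libssl/t1_lib.c, which is listed in the diffstat but not shown on this page. The enclosing function starts and ends outside the hunk.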
@@ -371,9 +373,9 @@ unsigned char + hostname length */ - if ((lenmax = limit - ret - 9) < 0 - || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) - return NULL; + if ((lenmax = limit - ret - 9) < 0 || + (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) + return NULL; /* extension type and length */ s2n(TLSEXT_TYPE_server_name, ret); @@ -399,8 +401,8 @@ unsigned char return NULL; } - if ((limit - p - 4 - el) - < 0) return NULL; + if ((limit - p - 4 - el) < 0) + return NULL; s2n(TLSEXT_TYPE_renegotiate, ret); s2n(el, ret); @@ -415,8 +417,8 @@ unsigned char #ifndef OPENSSL_NO_SRP /* Add SRP username if there is one */ - if (s->srp_ctx.login != NULL) - { /* Add TLS extension SRP username to the Client Hello message */ + if (s->srp_ctx.login != NULL) { + /* Add TLS extension SRP username to the Client Hello message */ int login_len = strlen(s->srp_ctx.login); @@ -430,8 +432,8 @@ unsigned char 1 for the srp user identity + srp user identity length */ - if ((limit - ret - 5 - login_len) - < 0) return NULL; + if ((limit - ret - 5 - login_len) < 0) + return NULL; /* fill in the extension */ @@ -445,16 +447,16 @@ unsigned char #ifndef OPENSSL_NO_EC if (s->tlsext_ecpointformatlist != NULL && - s->version != DTLS1_VERSION) { + s->version != DTLS1_VERSION) { /* Add TLS extension ECPointFormats to the ClientHello message */ long lenmax; + if ((lenmax = limit - ret - 5) < 0) + return NULL; - if ((lenmax = limit - ret - 5) - < 0) return NULL; - - if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; - if (s->tlsext_ecpointformatlist_length > 255) { + if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) + return NULL; + if (s->tlsext_ecpointformatlist_length > 255) { SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; } 
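Review bot: In the SRP hunk the new room check `if ((limit - ret - 5 - login_len) < 0)` is the only length validation visible for the username, yet the context line `int login_len = strlen(s->srp_ctx.login);` narrows a size_t to int and the surrounding comment says the identity length occupies a single byte, so a login longer than 255 bytes could not be encoded correctly by whatever fills the extension (outside the hunk). Unless that bound is enforced where srp_ctx.login is set, an explicit `if (login_len > 255) return NULL;` next to the room check, mirroring the `> 255` test the ECPointFormats block below already performs, would make the limit local and visible. The enclosing function starts and ends outside the hunk.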
@@ -466,11 +468,10 @@ unsigned char ret += s->tlsext_ecpointformatlist_length; } if (s->tlsext_ellipticcurvelist != NULL && - s->version != DTLS1_VERSION) { + s->version != DTLS1_VERSION) { /* Add TLS extension EllipticCurves to the ClientHello message */ long lenmax; - if ((lenmax = limit - ret - 6) < 0) return NULL; @@ -499,7 +500,7 @@ unsigned char if (!s->new_session && s->session && s->session->tlsext_tick) ticklen = s->session->tlsext_ticklen; else if (s->session && s->tlsext_session_ticket && - s->tlsext_session_ticket->data) { + s->tlsext_session_ticket->data) { ticklen = s->tlsext_session_ticket->length; s->session->tlsext_tick = malloc(ticklen); if (!s->session->tlsext_tick) @@ -511,13 +512,14 @@ unsigned char } else ticklen = 0; if (ticklen == 0 && s->tlsext_session_ticket && - s->tlsext_session_ticket->data == NULL) - goto skip_ext; + s->tlsext_session_ticket->data == NULL) + goto skip_ext; /* Check for enough room 2 for extension type, 2 for len * rest for ticket */ - if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; - s2n(TLSEXT_TYPE_session_ticket, ret); + if ((long)(limit - ret - 4 - ticklen) < 0) + return NULL; + s2n(TLSEXT_TYPE_session_ticket, ret); s2n(ticklen, ret); if (ticklen) { @@ -525,7 +527,7 @@ unsigned char ret += ticklen; } } - skip_ext: +skip_ext: if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) @@ -558,7 +560,7 @@ unsigned char #endif if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && - s->version != DTLS1_VERSION) { + s->version != DTLS1_VERSION) { int i; long extlen, idlen, itmp; OCSP_RESPID *id; @@ -579,8 +581,9 @@ unsigned char } else extlen = 0; - if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; - s2n(TLSEXT_TYPE_status_request, ret); + if ((long)(limit - ret - 7 - extlen - idlen) < 0) + return NULL; + s2n(TLSEXT_TYPE_status_request, ret); if (extlen + idlen > 0xFFF0) return NULL; s2n(extlen + idlen + 5, ret); 
@@ -618,8 +621,8 @@ unsigned char ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); - if ((limit - p - 4 - el) - < 0) return NULL; + if ((limit - p - 4 - el) < 0) + return NULL; s2n(TLSEXT_TYPE_use_srtp, ret); s2n(el, ret); @@ -682,11 +685,12 @@ unsigned char return p; ret += 2; - if (ret>=limit) return NULL; /* this really never occurs, but ... */ + if (ret>=limit) + return NULL; /* this really never occurs, but ... */ if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) { - if ((long)(limit - ret - 4) < 0) return NULL; - + if ((long)(limit - ret - 4) < 0) + return NULL; s2n(TLSEXT_TYPE_server_name, ret); s2n(0, ret); @@ -724,8 +728,9 @@ unsigned char if ((lenmax = limit - ret - 5) < 0) return NULL; - if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; - if (s->tlsext_ecpointformatlist_length > 255) { + if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) + return NULL; + if (s->tlsext_ecpointformatlist_length > 255) { SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; } @@ -740,24 +745,24 @@ unsigned char /* Currently the server should not respond with a SupportedCurves extension */ #endif /* OPENSSL_NO_EC */ - if (s->tlsext_ticket_expected - && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { - if ((long)(limit - ret - 4) < 0) return NULL; + if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { + if ((long)(limit - ret - 4) < 0) + return NULL; s2n(TLSEXT_TYPE_session_ticket, ret); s2n(0, ret); } if (s->tlsext_status_expected) { - if ((long)(limit - ret - 4) < 0) return NULL; + if ((long)(limit - ret - 4) < 0) + return NULL; s2n(TLSEXT_TYPE_status_request, ret); s2n(0, ret); } #ifdef TLSEXT_TYPE_opaque_prf_input - if (s->s3->server_opaque_prf_input != NULL && - s->version != DTLS1_VERSION) { + if (s->s3->server_opaque_prf_input != NULL && s->version != DTLS1_VERSION) { size_t sol = s->s3->server_opaque_prf_input_len; if ((long)(limit - ret - 6 - sol) < 0) 
@@ -794,8 +799,9 @@ unsigned char } #endif - if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) - && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { + if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || + (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) && + (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { const unsigned char cryptopro_ext[36] = { 0xfd, 0xe8, /*65000*/ 0x00, 0x20, /*32 bytes length*/ @@ -820,8 +826,9 @@ unsigned char r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); if (r == SSL_TLSEXT_ERR_OK) { - if ((long)(limit - ret - 4 - npalen) < 0) return NULL; - s2n(TLSEXT_TYPE_next_proto_neg, ret); + if ((long)(limit - ret - 4 - npalen) < 0) + return NULL; + s2n(TLSEXT_TYPE_next_proto_neg, ret); s2n(npalen, ret); memcpy(ret, npa, npalen); ret += npalen; @@ -987,7 +994,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int servname_type; int dsize; - if (size < 2) { *al = SSL_AD_DECODE_ERROR; return 0; @@ -1013,7 +1019,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, } if (s->servername_done == 0) switch (servname_type) { - case TLSEXT_NAMETYPE_host_name: + case TLSEXT_NAMETYPE_host_name: if (!s->hit) { if (s->session->tlsext_hostname) { *al = SSL_AD_DECODE_ERROR; @@ -1038,14 +1044,14 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, s->servername_done = 1; - } else - s->servername_done = s->session->tlsext_hostname - && strlen(s->session->tlsext_hostname) == len - && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; - + } else { + s->servername_done = s->session->tlsext_hostname && + strlen(s->session->tlsext_hostname) == len && + strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; + } break; - default: + default: break; } 
@@ -1285,12 +1291,12 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, return 0; } } - } + } else { /* We don't know what to do with any other type * so ignore it. */ - else s->tlsext_status_type = -1; + } } #ifndef OPENSSL_NO_NEXTPROTONEG else if (type == TLSEXT_TYPE_next_proto_neg && @@ -1317,9 +1323,8 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, /* session ticket processed earlier */ #ifndef OPENSSL_NO_SRTP else if (type == TLSEXT_TYPE_use_srtp) { - if (ssl_parse_clienthello_use_srtp_ext(s, data, size, - al)) - return 0; + if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) + return 0; } #endif @@ -1404,7 +1409,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, tlsext_servername = 1; } - #ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats && s->version != DTLS1_VERSION) { @@ -1434,15 +1438,13 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, #endif } #endif /* OPENSSL_NO_EC */ - else if (type == TLSEXT_TYPE_session_ticket) { if (s->tls_session_ticket_ext_cb && - !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { + !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { *al = TLS1_AD_INTERNAL_ERROR; return 0; } - if ((SSL_get_options(s) & SSL_OP_NO_TICKET) - || (size > 0)) { + if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; } @@ -1450,7 +1452,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, } #ifdef TLSEXT_TYPE_opaque_prf_input else if (type == TLSEXT_TYPE_opaque_prf_input && - s->version != DTLS1_VERSION) { + s->version != DTLS1_VERSION) { unsigned char *sdata = data; if (size < 2) { 
@@ -1477,7 +1479,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, } #endif else if (type == TLSEXT_TYPE_status_request && - s->version != DTLS1_VERSION) { + s->version != DTLS1_VERSION) { /* MUST be empty and only sent if we've requested * a status request message. */ @@ -1490,7 +1492,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, } #ifndef OPENSSL_NO_NEXTPROTONEG else if (type == TLSEXT_TYPE_next_proto_neg && - s->s3->tmp.finish_md_len == 0) { + s->s3->tmp.finish_md_len == 0) { unsigned char *selected; unsigned char selected_len; @@ -1558,7 +1560,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, *p = data; - ri_check: +ri_check: /* Determine if we need to see RI. Strictly speaking if we want to * avoid an attack we should *always* see RI even on initial server @@ -1567,8 +1569,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, * which doesn't support RI so for the immediate future tolerate RI * absence on initial connect only. */ - if (!renegotiate_seen - && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { + if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); @@ -1578,7 +1579,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, return 1; } - int ssl_prepare_clienthello_tlsext(SSL *s) { @@ -1597,7 +1597,8 @@ ssl_prepare_clienthello_tlsext(SSL *s) alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; - if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) { + if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || + (alg_a & SSL_aECDSA))) { using_ecc = 1; break; } 
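Review bot: The re-flowed condition in ssl_prepare_clienthello_tlsext, `if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) {`, keeps a redundant outer pair of parentheses and the unspaced `|` operators; `if ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)) || (alg_a & SSL_aECDSA)) {` reads as intended, and behaviour is unchanged because `&` already binds tighter than `||`. The condition in ssl_check_serverhello_tlsext (the `@@ -1866,9 +1866,11 @@` hunk) carries the same `SSL_kEECDH|SSL_kECDHr|SSL_kECDHe`. ssl_prepare_clienthello_tlsext's body continues outside the hunk.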
@@ -1625,9 +1626,8 @@ ssl_prepare_clienthello_tlsext(SSL *s) return -1; } for (i = 0, j = s->tlsext_ellipticcurvelist; - (unsigned int)i < - sizeof(pref_list)/sizeof(pref_list[0]); - i++) { + (unsigned int)i < sizeof(pref_list)/sizeof(pref_list[0]); + i++) { int id = tls1_ec_nid2curve_id(pref_list[i]); s2n(id, j); } @@ -1659,9 +1659,11 @@ ssl_prepare_clienthello_tlsext(SSL *s) s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; } - if (r == 2) + if (r == 2) { /* at callback's request, insist on receiving an appropriate server opaque PRF input */ - s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; + s->s3->server_opaque_prf_input_len = + s->tlsext_opaque_prf_input_len; + } } #endif @@ -1743,7 +1745,7 @@ ssl_check_clienthello_tlsext_early(SSL *s) if (s->tlsext_opaque_prf_input != NULL) { if (s->s3->client_opaque_prf_input != NULL && - s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) { + s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) { /* can only use this extension if we have a server opaque PRF input * of the same length as the client opaque PRF input! */ @@ -1770,7 +1772,7 @@ ssl_check_clienthello_tlsext_early(SSL *s) } } - err: +err: #endif switch (ret) { case SSL_TLSEXT_ERR_ALERT_FATAL: @@ -1842,12 +1844,10 @@ err: ssl3_send_alert(s, SSL3_AL_FATAL, al); return -1; - case SSL_TLSEXT_ERR_ALERT_WARNING: ssl3_send_alert(s, SSL3_AL_WARNING, al); return 1; - default: return 1; } 
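Review bot: The re-wrapped loop header `(unsigned int)i < sizeof(pref_list)/sizeof(pref_list[0]);` keeps a cast that exists only because `i` is apparently a signed int compared against a size_t; its declaration is outside the hunk, but declaring the index as `size_t` would drop the cast, and `sizeof(pref_list) / sizeof(pref_list[0])` would match the operator spacing the commit applies elsewhere. If `i` is shared with other signed uses in the function, leave the type and only fix the spacing. The enclosing function starts and ends outside the hunk.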
@@ -1866,9 +1866,11 @@ ssl_check_serverhello_tlsext(SSL *s) */ unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; - if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && - (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && - ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { + if ((s->tlsext_ecpointformatlist != NULL) && + (s->tlsext_ecpointformatlist_length > 0) && + (s->session->tlsext_ecpointformatlist != NULL) && + (s->session->tlsext_ecpointformatlist_length > 0) && + ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { /* we are using an ECC cipher */ size_t i; unsigned char *list; @@ -1943,12 +1945,10 @@ ssl_check_serverhello_tlsext(SSL *s) ssl3_send_alert(s, SSL3_AL_FATAL, al); return -1; - case SSL_TLSEXT_ERR_ALERT_WARNING: ssl3_send_alert(s, SSL3_AL_WARNING, al); - return 1; - + return 1; case SSL_TLSEXT_ERR_NOACK: s->servername_done = 0; default: @@ -2279,6 +2279,7 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) int i, idx; const EVP_MD *md; CERT *c = s->cert; + /* Extension ignored for TLS versions below 1.2 */ if (TLS1_get_version(s) < TLS1_2_VERSION) return 1; @@ -2321,7 +2322,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) } - /* Set any remaining keys to default values. NOTE: if alg is not * supported it stays as NULL. */ diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c index fb471b2f14f..fc7a23fb4b5 100644 --- a/lib/libssl/t1_enc.c +++ b/lib/libssl/t1_enc.c @@ -219,9 +219,8 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len, /* calc the next A1 value */ if (!EVP_DigestSignFinal(&ctx_tmp, A1, &A1_len)) goto err; - } - else /* last one */ - { + } else { + /* last one */ if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) goto err; memcpy(out, A1, olen); 
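Review bot: In the ssl_check_serverhello_tlsext switch, `case SSL_TLSEXT_ERR_NOACK: s->servername_done = 0;` now sits directly after the re-indented `return 1;` and falls through into `default:` with no marker, so the cleaned-up block reads like a missing `return` rather than a deliberate fall-through. Since the commit is already reshaping this switch, a `/* FALLTHROUGH */` line after the assignment would document the intent (and keeps -Wimplicit-fallthrough quiet). The switch and the enclosing function extend beyond the hunk.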
@@ -269,10 +268,10 @@ tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, goto err; } - if (!tls1_P_hash(md , S1, len + (slen&1), - seed1, seed1_len, seed2, seed2_len, seed3, seed3_len, seed4, seed4_len, seed5, seed5_len, - out2, olen)) - goto err; + if (!tls1_P_hash(md , S1, len + (slen&1), seed1, + seed1_len, seed2, seed2_len, seed3, seed3_len, + seed4, seed4_len, seed5, seed5_len, out2, olen)) + goto err; S1 += len; for (i = 0; i < olen; i++) { out1[i] ^= out2[i]; @@ -288,13 +287,14 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num) { int ret; + ret = tls1_PRF(ssl_get_algorithm2(s), - TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, - s->s3->server_random, SSL3_RANDOM_SIZE, - s->s3->client_random, SSL3_RANDOM_SIZE, - NULL, 0, NULL, 0, - s->session->master_key, s->session->master_key_length, - km, tmp, num); + TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, + s->s3->server_random, SSL3_RANDOM_SIZE, + s->s3->client_random, SSL3_RANDOM_SIZE, + NULL, 0, NULL, 0, + s->session->master_key, s->session->master_key_length, + km, tmp, num); #ifdef KSSL_DEBUG printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", s->session->master_key_length); @@ -369,9 +369,10 @@ tls1_change_cipher_state(SSL *s, int which) reuse_dd = 1; else if ((s->enc_read_ctx = malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; - else + else { /* make sure it's intialized in case we exit later with an error */ - EVP_CIPHER_CTX_init(s->enc_read_ctx); + EVP_CIPHER_CTX_init(s->enc_read_ctx); + } dd = s->enc_read_ctx; mac_ctx = ssl_replace_hash(&s->read_hash, NULL); #ifndef OPENSSL_NO_COMP @@ -386,8 +387,7 @@ tls1_change_cipher_state(SSL *s, int which) goto err2; } if (s->s3->rrec.comp == NULL) - s->s3->rrec.comp = (unsigned char *) - malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); + s->s3->rrec.comp = malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); if (s->s3->rrec.comp == NULL) goto err; } 
@@ -438,11 +438,11 @@ tls1_change_cipher_state(SSL *s, int which) EVP_CIPHER_CTX_cleanup(dd); p = s->s3->tmp.key_block; - i=*mac_secret_size = s->s3->tmp.new_mac_secret_size; + i = *mac_secret_size = s->s3->tmp.new_mac_secret_size; cl = EVP_CIPHER_key_length(c); j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? - cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; + cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ /* If GCM mode only part of IV comes from PRF */ if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) @@ -480,7 +480,7 @@ tls1_change_cipher_state(SSL *s, int which) memcpy(mac_secret, ms, i); - if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) { + if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, *mac_secret_size); EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key); @@ -495,22 +495,22 @@ tls1_change_cipher_state(SSL *s, int which) * same value since only the correct one will be used :-). */ if (!tls1_PRF(ssl_get_algorithm2(s), - exp_label, exp_label_len, - s->s3->client_random, SSL3_RANDOM_SIZE, - s->s3->server_random, SSL3_RANDOM_SIZE, - NULL, 0, NULL, 0, - key, j, tmp1, tmp2, EVP_CIPHER_key_length(c))) - goto err2; + exp_label, exp_label_len, + s->s3->client_random, SSL3_RANDOM_SIZE, + s->s3->server_random, SSL3_RANDOM_SIZE, + NULL, 0, NULL, 0, + key, j, tmp1, tmp2, EVP_CIPHER_key_length(c))) + goto err2; key = tmp1; if (k > 0) { if (!tls1_PRF(ssl_get_algorithm2(s), - TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, - s->s3->client_random, SSL3_RANDOM_SIZE, - s->s3->server_random, SSL3_RANDOM_SIZE, - NULL, 0, NULL, 0, - empty, 0, iv1, iv2, k*2)) - goto err2; + TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, + s->s3->client_random, SSL3_RANDOM_SIZE, + s->s3->server_random, SSL3_RANDOM_SIZE, + NULL, 0, NULL, 0, + empty, 0, iv1, iv2, k*2)) + goto err2; if (client_write) iv = iv1; else 
@@ -537,9 +537,9 @@ tls1_change_cipher_state(SSL *s, int which) EVP_CipherInit_ex(dd, c, NULL, key, iv,(which & SSL3_CC_WRITE)); /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ - if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size) + if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size) EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, - *mac_secret_size, mac_secret); + *mac_secret_size, mac_secret); #ifdef TLS_DEBUG printf("which = %04X\nkey=", which); @@ -588,7 +588,7 @@ tls1_setup_key_block(SSL *s) s->s3->tmp.new_mac_pkey_type = mac_type; s->s3->tmp.new_mac_secret_size = mac_secret_size; num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c); - num*=2; + num *= 2; ssl3_cleanup_key_block(s); @@ -620,8 +620,8 @@ tls1_setup_key_block(SSL *s) { int z; for (z = 0; zoptions & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) - && s->method->version <= TLS1_VERSION) { + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && + s->method->version <= TLS1_VERSION) { /* enable vulnerability countermeasure for CBC ciphers with * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ @@ -678,8 +678,8 @@ tls1_enc(SSL *s, int send) int ivlen; enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); /* For TLSv1.1 and later explicit IV */ - if (s->version >= TLS1_1_VERSION - && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) + if (s->version >= TLS1_1_VERSION && + EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) ivlen = EVP_CIPHER_iv_length(enc); else ivlen = 0; @@ -720,7 +720,7 @@ tls1_enc(SSL *s, int send) l = rec->length; bs = EVP_CIPHER_block_size(ds->cipher); - if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) { + if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { unsigned char buf[13], *seq; seq = send ? s->s3->write_sequence : s->s3->read_sequence; 
@@ -733,14 +733,10 @@ tls1_enc(SSL *s, int send)
 memcpy(buf, dtlsseq, 8);
 } else {
 memcpy(buf, seq, 8);
- for (i = 7;
- i >= 0;
- i--) /* increment */
- {
+ for (i = 7; i >= 0; i--) { /* increment */
 ++seq[i];
 if (seq[i] != 0) break;
- }
 }
@@ -748,7 +744,7 @@ tls1_enc(SSL *s, int send)
 buf[9] = (unsigned char)(s->version >> 8);
 buf[10] = (unsigned char)(s->version);
 buf[11] = rec->length >> 8;
- buf[12] = rec->length&0xff;
+ buf[12] = rec->length & 0xff;
 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf);
 if (send) {
 l += pad;
@@ -795,10 +791,9 @@ tls1_enc(SSL *s, int send)
 }
 i = EVP_Cipher(ds, rec->data, rec->input, l);
- if ((EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_CUSTOM_CIPHER)
- ?(i < 0)
- :(i == 0))
- return -1; /* AEAD can fail to verify MAC */
+ if ((EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_CUSTOM_CIPHER) ?
+ (i < 0) : (i == 0))
+ return -1; /* AEAD can fail to verify MAC */
 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
@@ -837,7 +832,8 @@ tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
 return 0;
 for (i = 0; i < SSL_MAX_DIGEST; i++) {
- if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
+ if (s->s3->handshake_dgst[i] &&
+ EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
 d = s->s3->handshake_dgst[i];
 break;
 }
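Review bot: The `for (i = 7; i >= 0; i--)` loop in the @@ -733 hunk is a big-endian increment of the 8-byte record sequence number with carry, which is exactly the construct the commit message calls a mystery, and the new one-line form still carries only the `/* increment */` comment, so the intent stays opaque. The same loop body (`++seq[i]; if (seq[i] != 0) break;`) appears in tls1_mac at @@ -1001 (line 22), whose loop header lies outside that hunk. Factoring it into one documented static helper names the operation once and keeps the two copies from drifting; the helper below would replace the loop at both sites, called as `tls1_seq_increment(seq);` after the `memcpy(buf, seq, 8);` here. tls1_enc begins and ends outside the hunk.
```c
/*
 * Increment the 64-bit big-endian record sequence number in place,
 * carrying into the next more significant byte when a byte wraps.
 */
static void
tls1_seq_increment(unsigned char *seq)
{
	int i;

	for (i = 7; i >= 0; i--) {
		if (++seq[i] != 0)
			break;
	}
}

/* … unchanged: AAD construction in tls1_enc … */
		memcpy(buf, seq, 8);
		tls1_seq_increment(seq);
```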
@@ -879,24 +875,25 @@ tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out)
 if (mask & ssl_get_algorithm2(s)) {
 int hashsize = EVP_MD_size(md);
 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
- if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q - buf))) {
+ if (!hdgst || hashsize < 0 ||
+ hashsize > (int)(sizeof buf - (size_t)(q - buf))) {
 /* internal error: 'buf' is too small for this cipersuite! */
 err = 1;
 } else {
 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
- !EVP_DigestFinal_ex(&ctx, q, &i) ||
- (i != (unsigned int)hashsize))
- err = 1;
+ !EVP_DigestFinal_ex(&ctx, q, &i) ||
+ (i != (unsigned int)hashsize))
+ err = 1;
 q += hashsize;
 }
 }
 }
- if (!tls1_PRF(ssl_get_algorithm2(s),
- str, slen, buf,(int)(q - buf), NULL, 0, NULL, 0, NULL, 0,
- s->session->master_key, s->session->master_key_length,
- out, buf2, sizeof buf2))
- err = 1;
+ if (!tls1_PRF(ssl_get_algorithm2(s), str, slen, buf,(int)(q - buf),
+ NULL, 0, NULL, 0, NULL, 0,
+ s->session->master_key, s->session->master_key_length,
+ out, buf2, sizeof buf2))
+ err = 1;
 EVP_MD_CTX_cleanup(&ctx);
 if (err)
@@ -945,7 +942,7 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
 unsigned char dtlsseq[8], *p = dtlsseq;
 s2n(send ? ssl->d1->w_epoch : ssl->d1->r_epoch, p);
- memcpy (p, &seq[2], 6);
+ memcpy(p, &seq[2], 6);
 memcpy(header, dtlsseq, 8);
 } else
@@ -961,21 +958,18 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
 header[11] = (rec->length) >> 8;
 header[12] = (rec->length)&0xff;
- if (!send &&
- EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
- ssl3_cbc_record_digest_supported(mac_ctx)) {
+ if (!send && EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+ ssl3_cbc_record_digest_supported(mac_ctx)) {
 /* This is a CBC-encrypted record. We must avoid leaking any
 * timing-side channel information about how many blocks of
 * data we are hashing because that gives an attacker a
 * timing-oracle. */
- ssl3_cbc_digest_record(
- mac_ctx,
- md, &md_size,
- header, rec->input,
- rec->length + md_size, orig_len,
- ssl->s3->read_mac_secret,
- ssl->s3->read_mac_secret_size,
- 0 /* not SSLv3 */);
+ ssl3_cbc_digest_record(mac_ctx,
+ md, &md_size, header, rec->input,
+ rec->length + md_size, orig_len,
+ ssl->s3->read_mac_secret,
+ ssl->s3->read_mac_secret_size,
+ 0 /* not SSLv3 */);
 } else {
 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
@@ -1001,7 +995,6 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
 ++seq[i];
 if (seq[i] != 0) break;
- }
 }
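Review bot: In the else branch of the @@ -961 hunk both `EVP_DigestSignUpdate()` calls discard their return values, so a failed update is never noticed and the MAC is finalised over whatever state the context was left in; the CBC branch above it at least routes through `ssl3_cbc_digest_record()`. A guard such as `if (!EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) || !EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length)) return -1;` would surface it, using whichever failure value tls1_mac's callers expect. The finalisation and the return path lie outside the hunk, so that value cannot be confirmed from here.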
@@ -1115,20 +1108,20 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
 * comparisons won't have buffer overflow */
 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
- TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1;
+ TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
+ goto err1;
 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
- TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1;
+ TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
+ goto err1;
 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
- TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1;
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
+ goto err1;
 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
- TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1;
+ TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
+ goto err1;
 rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
- val, vallen,
- NULL, 0,
- NULL, 0,
- NULL, 0,
- NULL, 0,
+ val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0,
 s->session->master_key, s->session->master_key_length,
 out, buff, olen);
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 6ee2289153f..f6cfb508f60 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -152,8 +152,9 @@ tls1_default_timeout(void)
 int
 tls1_new(SSL *s)
 {
- if (!ssl3_new(s)) return (0);
- s->method->ssl_clear(s);
+ if (!ssl3_new(s))
+ return (0);
+ s->method->ssl_clear(s);
 return (1);
 }
@@ -349,13 +350,14 @@ unsigned char
 unsigned char *ret = p;
 /* don't add extensions for SSLv3 unless doing secure renegotiation */
- if (s->client_version == SSL3_VERSION
- && !s->s3->send_connection_binding)
- return p;
+ if (s->client_version == SSL3_VERSION &&
+ !s->s3->send_connection_binding)
+ return p;
 ret += 2;
- if (ret>=limit) return NULL; /* this really never occurs, but ... */
+ if (ret>=limit)
+ return NULL; /* this really never occurs, but ... */
 if (s->tlsext_hostname != NULL) {
 /* Add TLS extension servername to the Client Hello message */
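Review bot: `if (ret>=limit)` in the @@ -349 hunk is rewritten to put `return NULL;` on its own line but keeps the unspaced comparison, while the commit spaces out `num *= 2`, `& EVP_CIPH_FLAG_AEAD_CIPHER` and similar operators elsewhere; since the line is touched anyway, `if (ret >= limit)` would be consistent. The same line recurs in the ServerHello counterpart at @@ -682 (line 26). ssl_add_clienthello_tlsext starts before and ends after the hunk.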
@@ -371,9 +373,9 @@ unsigned char
 + hostname length
 */
- if ((lenmax = limit - ret - 9) < 0
- || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
- return NULL;
+ if ((lenmax = limit - ret - 9) < 0 ||
+ (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
+ return NULL;
 /* extension type and length */
 s2n(TLSEXT_TYPE_server_name, ret);
@@ -399,8 +401,8 @@ unsigned char
 return NULL;
 }
- if ((limit - p - 4 - el)
- < 0) return NULL;
+ if ((limit - p - 4 - el) < 0)
+ return NULL;
 s2n(TLSEXT_TYPE_renegotiate, ret);
 s2n(el, ret);
@@ -415,8 +417,8 @@ unsigned char
 #ifndef OPENSSL_NO_SRP
 /* Add SRP username if there is one */
- if (s->srp_ctx.login != NULL)
- { /* Add TLS extension SRP username to the Client Hello message */
+ if (s->srp_ctx.login != NULL) {
+ /* Add TLS extension SRP username to the Client Hello message */
 int login_len = strlen(s->srp_ctx.login);
@@ -430,8 +432,8 @@ unsigned char
 1 for the srp user identity
 + srp user identity length
 */
- if ((limit - ret - 5 - login_len)
- < 0) return NULL;
+ if ((limit - ret - 5 - login_len) < 0)
+ return NULL;
 /* fill in the extension */
@@ -445,16 +447,16 @@ unsigned char
 #ifndef OPENSSL_NO_EC
 if (s->tlsext_ecpointformatlist != NULL &&
- s->version != DTLS1_VERSION) {
+ s->version != DTLS1_VERSION) {
 /* Add TLS extension ECPointFormats to the ClientHello message */
 long lenmax;
+ if ((lenmax = limit - ret - 5) < 0)
+ return NULL;
- if ((lenmax = limit - ret - 5)
- < 0) return NULL;
-
- if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
- if (s->tlsext_ecpointformatlist_length > 255) {
+ if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
+ return NULL;
+ if (s->tlsext_ecpointformatlist_length > 255) {
 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 return NULL;
 }
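Review bot: The renegotiate-extension check in the @@ -399 hunk, `if ((limit - p - 4 - el) < 0)`, measures free space from `p`, the start of the extension block, whereas every other bound in the function measures from `ret`, the current write position (`limit - ret - 9` at @@ -371, `limit - ret - 5 - login_len` at @@ -430, `limit - ret - 5` at @@ -445). If that is not deliberate the check ignores whatever server_name and SRP data has already been written after `p`, so it can pass when fewer than `4 + el` bytes actually remain at `ret`; the use_srtp block at @@ -618 (line 26) uses the same `limit - p` form. Either `if ((limit - ret - 4 - el) < 0)` or a comment explaining why `p` is the right base here would settle it. ssl_add_clienthello_tlsext starts before and ends after these hunks.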
@@ -466,11 +468,10 @@ unsigned char
 ret += s->tlsext_ecpointformatlist_length;
 }
 if (s->tlsext_ellipticcurvelist != NULL &&
- s->version != DTLS1_VERSION) {
+ s->version != DTLS1_VERSION) {
 /* Add TLS extension EllipticCurves to the ClientHello message */
 long lenmax;
- if ((lenmax = limit - ret - 6) < 0) return NULL;
@@ -499,7 +500,7 @@ unsigned char
 if (!s->new_session && s->session && s->session->tlsext_tick)
 ticklen = s->session->tlsext_ticklen;
 else if (s->session && s->tlsext_session_ticket &&
- s->tlsext_session_ticket->data) {
+ s->tlsext_session_ticket->data) {
 ticklen = s->tlsext_session_ticket->length;
 s->session->tlsext_tick = malloc(ticklen);
 if (!s->session->tlsext_tick)
@@ -511,13 +512,14 @@ unsigned char
 } else
 ticklen = 0;
 if (ticklen == 0 && s->tlsext_session_ticket &&
- s->tlsext_session_ticket->data == NULL)
- goto skip_ext;
+ s->tlsext_session_ticket->data == NULL)
+ goto skip_ext;
 /* Check for enough room 2 for extension type, 2 for len
 * rest for ticket
 */
- if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
- s2n(TLSEXT_TYPE_session_ticket, ret);
+ if ((long)(limit - ret - 4 - ticklen) < 0)
+ return NULL;
+ s2n(TLSEXT_TYPE_session_ticket, ret);
 s2n(ticklen, ret);
 if (ticklen) {
@@ -525,7 +527,7 @@ unsigned char
 ret += ticklen;
 }
 }
- skip_ext:
+skip_ext:
 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
@@ -558,7 +560,7 @@ unsigned char
 #endif
 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
- s->version != DTLS1_VERSION) {
+ s->version != DTLS1_VERSION) {
 int i;
 long extlen, idlen, itmp;
 OCSP_RESPID *id;
@@ -579,8 +581,9 @@ unsigned char
 } else
 extlen = 0;
- if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
- s2n(TLSEXT_TYPE_status_request, ret);
+ if ((long)(limit - ret - 7 - extlen - idlen) < 0)
+ return NULL;
+ s2n(TLSEXT_TYPE_status_request, ret);
 if (extlen + idlen > 0xFFF0)
 return NULL;
 s2n(extlen + idlen + 5, ret);
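Review bot: The @@ -466 hunk ends on the removed line `if ((lenmax = limit - ret - 6) < 0) return NULL;` with no replacement visible, unlike the ECPointFormats block at @@ -445 (line 24) where the same check is removed and immediately re-added in two-line form. If this rendering merely lost the re-added lines that is fine, but if the EllipticCurves bound check is really gone, the `s2n()` writes for that extension would run without the space check every sibling block keeps; confirm that `if ((lenmax = limit - ret - 6) < 0)` / `return NULL;` survives in the new file. The rest of the block, and the function, lie outside the hunk.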
@@ -618,8 +621,8 @@ unsigned char
 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
- if ((limit - p - 4 - el)
- < 0) return NULL;
+ if ((limit - p - 4 - el) < 0)
+ return NULL;
 s2n(TLSEXT_TYPE_use_srtp, ret);
 s2n(el, ret);
@@ -682,11 +685,12 @@ unsigned char
 return p;
 ret += 2;
- if (ret>=limit) return NULL; /* this really never occurs, but ... */
+ if (ret>=limit)
+ return NULL; /* this really never occurs, but ... */
 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) {
- if ((long)(limit - ret - 4) < 0) return NULL;
-
+ if ((long)(limit - ret - 4) < 0)
+ return NULL;
 s2n(TLSEXT_TYPE_server_name, ret);
 s2n(0, ret);
@@ -724,8 +728,9 @@ unsigned char
 if ((lenmax = limit - ret - 5) < 0) return NULL;
- if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
- if (s->tlsext_ecpointformatlist_length > 255) {
+ if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
+ return NULL;
+ if (s->tlsext_ecpointformatlist_length > 255) {
 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 return NULL;
 }
@@ -740,24 +745,24 @@ unsigned char
 /* Currently the server should not respond with a SupportedCurves extension */
 #endif /* OPENSSL_NO_EC */
- if (s->tlsext_ticket_expected
- && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
- if ((long)(limit - ret - 4) < 0) return NULL;
+ if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
+ if ((long)(limit - ret - 4) < 0)
+ return NULL;
 s2n(TLSEXT_TYPE_session_ticket, ret);
 s2n(0, ret);
 }
 if (s->tlsext_status_expected) {
- if ((long)(limit - ret - 4) < 0) return NULL;
+ if ((long)(limit - ret - 4) < 0)
+ return NULL;
 s2n(TLSEXT_TYPE_status_request, ret);
 s2n(0, ret);
 }
 #ifdef TLSEXT_TYPE_opaque_prf_input
- if (s->s3->server_opaque_prf_input != NULL &&
- s->version != DTLS1_VERSION) {
+ if (s->s3->server_opaque_prf_input != NULL && s->version != DTLS1_VERSION) {
 size_t sol = s->s3->server_opaque_prf_input_len;
 if ((long)(limit - ret - 6 - sol) < 0)
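Review bot: The joined conditions in the @@ -740 hunk, `if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {` and `if (s->s3->server_opaque_prf_input != NULL && s->version != DTLS1_VERSION) {`, run past 80 columns once their indentation is counted, while the rest of this commit wraps at the `&&` to stay within it; keeping the two-line form those blocks had before would be consistent. The same applies to the session_ticket callback condition ending in `s->tls_session_ticket_ext_cb_arg)) {` at @@ -1434 (line 28), which is re-indented but not wrapped. ssl_add_serverhello_tlsext begins and ends outside the hunk.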
@@ -794,8 +799,9 @@ unsigned char
 }
 #endif
- if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
- && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
+ if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 ||
+ (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) &&
+ (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
 const unsigned char cryptopro_ext[36] = {
 0xfd, 0xe8, /*65000*/
 0x00, 0x20, /*32 bytes length*/
@@ -820,8 +826,9 @@ unsigned char
 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
 if (r == SSL_TLSEXT_ERR_OK) {
- if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
- s2n(TLSEXT_TYPE_next_proto_neg, ret);
+ if ((long)(limit - ret - 4 - npalen) < 0)
+ return NULL;
+ s2n(TLSEXT_TYPE_next_proto_neg, ret);
 s2n(npalen, ret);
 memcpy(ret, npa, npalen);
 ret += npalen;
@@ -987,7 +994,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 int servname_type;
 int dsize;
-
 if (size < 2) {
 *al = SSL_AD_DECODE_ERROR;
 return 0;
@@ -1013,7 +1019,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 }
 if (s->servername_done == 0)
 switch (servname_type) {
- case TLSEXT_NAMETYPE_host_name:
+ case TLSEXT_NAMETYPE_host_name:
 if (!s->hit) {
 if (s->session->tlsext_hostname) {
 *al = SSL_AD_DECODE_ERROR;
@@ -1038,14 +1044,14 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 s->servername_done = 1;
- } else
- s->servername_done = s->session->tlsext_hostname
- && strlen(s->session->tlsext_hostname) == len
- && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
-
+ } else {
+ s->servername_done = s->session->tlsext_hostname &&
+ strlen(s->session->tlsext_hostname) == len &&
+ strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
+ }
 break;
- default:
+ default:
 break;
 }
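Review bot: The condition rewrapped in the @@ -794 hunk still compares `s->s3->tmp.new_cipher->id & 0xFFFF` against the bare literals `0x80` and `0x81`, so a reader has to consult the cipher-suite registry to learn which two suites the CryptoPro workaround applies to; naming the two ids, or a comment on the `if` stating which suites they are, would fix that. The `cryptopro_ext[36]` table that follows is written out later in the function, beyond the hunk, so the `limit` check that should precede that write cannot be confirmed from here. ssl_add_serverhello_tlsext starts before and ends after the hunk.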
@@ -1285,12 +1291,12 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 return 0;
 }
 }
- }
+ } else {
 /* We don't know what to do with any other type
 * so ignore it.
 */
- else
 s->tlsext_status_type = -1;
+ }
 }
 #ifndef OPENSSL_NO_NEXTPROTONEG
 else if (type == TLSEXT_TYPE_next_proto_neg &&
@@ -1317,9 +1323,8 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 /* session ticket processed earlier */
 #ifndef OPENSSL_NO_SRTP
 else if (type == TLSEXT_TYPE_use_srtp) {
- if (ssl_parse_clienthello_use_srtp_ext(s, data, size,
- al))
- return 0;
+ if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
+ return 0;
 }
 #endif
@@ -1404,7 +1409,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
 tlsext_servername = 1;
 }
-
 #ifndef OPENSSL_NO_EC
 else if (type == TLSEXT_TYPE_ec_point_formats &&
 s->version != DTLS1_VERSION) {
@@ -1434,15 +1438,13 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
 #endif
 }
 #endif /* OPENSSL_NO_EC */
-
 else if (type == TLSEXT_TYPE_session_ticket) {
 if (s->tls_session_ticket_ext_cb &&
- !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
 *al = TLS1_AD_INTERNAL_ERROR;
 return 0;
 }
- if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
- || (size > 0)) {
+ if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) {
 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
 return 0;
 }
@@ -1450,7 +1452,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
 }
 #ifdef TLSEXT_TYPE_opaque_prf_input
 else if (type == TLSEXT_TYPE_opaque_prf_input &&
- s->version != DTLS1_VERSION) {
+ s->version != DTLS1_VERSION) {
 unsigned char *sdata = data;
 if (size < 2) {
@@ -1477,7 +1479,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
 }
 #endif
 else if (type == TLSEXT_TYPE_status_request &&
- s->version != DTLS1_VERSION) {
+ s->version != DTLS1_VERSION) {
 /* MUST be empty and only sent if we've requested
 * a status request message.
 */
@@ -1490,7 +1492,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
 }
 #ifndef OPENSSL_NO_NEXTPROTONEG
 else if (type == TLSEXT_TYPE_next_proto_neg &&
- s->s3->tmp.finish_md_len == 0) {
+ s->s3->tmp.finish_md_len == 0) {
 unsigned char *selected;
 unsigned char selected_len;
@@ -1558,7 +1560,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
 *p = data;
- ri_check:
+ri_check:
 /* Determine if we need to see RI. Strictly speaking if we want to
 * avoid an attack we should *always* see RI even on initial server
@@ -1567,8 +1569,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
 * which doesn't support RI so for the immediate future tolerate RI
 * absence on initial connect only.
 */
- if (!renegotiate_seen
- && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
+ if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
 *al = SSL_AD_HANDSHAKE_FAILURE;
 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
@@ -1578,7 +1579,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
 return 1;
 }
-
 int
 ssl_prepare_clienthello_tlsext(SSL *s)
 {
@@ -1597,7 +1597,8 @@ ssl_prepare_clienthello_tlsext(SSL *s)
 alg_k = c->algorithm_mkey;
 alg_a = c->algorithm_auth;
- if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) {
+ if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) ||
+ (alg_a & SSL_aECDSA))) {
 using_ecc = 1;
 break;
 }
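Review bot: `SSL_kEECDH|SSL_kECDHr|SSL_kECDHe` in the @@ -1597 hunk is rewrapped but keeps the unspaced `|`, while the same commit inserts spaces around `&`, `*=` and `&&` elsewhere; `(SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)` would match. The identical expression in ssl_check_serverhello_tlsext at @@ -1866 (line 31) has the same inconsistency on a line that is also rewritten there. Both functions begin and end outside their hunks.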
@@ -1625,9 +1626,8 @@ ssl_prepare_clienthello_tlsext(SSL *s)
 return -1;
 }
 for (i = 0, j = s->tlsext_ellipticcurvelist;
- (unsigned int)i <
- sizeof(pref_list)/sizeof(pref_list[0]);
- i++) {
+ (unsigned int)i < sizeof(pref_list)/sizeof(pref_list[0]);
+ i++) {
 int id = tls1_ec_nid2curve_id(pref_list[i]);
 s2n(id, j);
 }
@@ -1659,9 +1659,11 @@ ssl_prepare_clienthello_tlsext(SSL *s)
 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
 }
- if (r == 2)
+ if (r == 2) {
 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
- s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
+ s->s3->server_opaque_prf_input_len =
+ s->tlsext_opaque_prf_input_len;
+ }
 }
 #endif
@@ -1743,7 +1745,7 @@ ssl_check_clienthello_tlsext_early(SSL *s)
 if (s->tlsext_opaque_prf_input != NULL) {
 if (s->s3->client_opaque_prf_input != NULL &&
- s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) {
+ s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) {
 /* can only use this extension if we have a server opaque PRF input
 * of the same length as the client opaque PRF input! */
@@ -1770,7 +1772,7 @@ ssl_check_clienthello_tlsext_early(SSL *s)
 }
 }
- err:
+err:
 #endif
 switch (ret) {
 case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1842,12 +1844,10 @@ err:
 ssl3_send_alert(s, SSL3_AL_FATAL, al);
 return -1;
-
 case SSL_TLSEXT_ERR_ALERT_WARNING:
 ssl3_send_alert(s, SSL3_AL_WARNING, al);
 return 1;
-
 default:
 return 1;
 }
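Review bot: The loop header rewritten in the @@ -1625 hunk keeps the `(unsigned int)i < sizeof(pref_list)/sizeof(pref_list[0])` cast, which only exists because `i` is apparently a signed counter declared outside the hunk; declaring it `size_t` removes the cast and the signed/unsigned comparison it papers over, and `sizeof(pref_list) / sizeof(pref_list[0])` would match the spacing the commit applies to other binary operators. The declaration of `i` is outside the hunk, so this is a change to verify against it rather than a drop-in edit. ssl_prepare_clienthello_tlsext begins outside the hunk.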
@@ -1866,9 +1866,11 @@ ssl_check_serverhello_tlsext(SSL *s)
 */
 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
- if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
- (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
- ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
+ if ((s->tlsext_ecpointformatlist != NULL) &&
+ (s->tlsext_ecpointformatlist_length > 0) &&
+ (s->session->tlsext_ecpointformatlist != NULL) &&
+ (s->session->tlsext_ecpointformatlist_length > 0) &&
+ ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
 /* we are using an ECC cipher */
 size_t i;
 unsigned char *list;
@@ -1943,12 +1945,10 @@ ssl_check_serverhello_tlsext(SSL *s)
 ssl3_send_alert(s, SSL3_AL_FATAL, al);
 return -1;
-
 case SSL_TLSEXT_ERR_ALERT_WARNING:
 ssl3_send_alert(s, SSL3_AL_WARNING, al);
- return 1;
-
+ return 1;
 case SSL_TLSEXT_ERR_NOACK:
 s->servername_done = 0;
 default:
@@ -2279,6 +2279,7 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
 int i, idx;
 const EVP_MD *md;
 CERT *c = s->cert;
+
 /* Extension ignored for TLS versions below 1.2 */
 if (TLS1_get_version(s) < TLS1_2_VERSION)
 return 1;
@@ -2321,7 +2322,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
 }
-
 /* Set any remaining keys to default values. NOTE: if alg is not
 * supported it stays as NULL.
 */
-- 
2.20.1
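Review bot: In the @@ -1943 hunk `case SSL_TLSEXT_ERR_NOACK:` sets `s->servername_done = 0;` and then falls into `default:` with nothing marking that as intended, and the reflow around it makes the missing `return` easy to misread as an omission. A `/* FALLTHROUGH */` comment between `s->servername_done = 0;` and `default:` documents the intent and keeps compilers with fall-through diagnostics quiet. ssl_check_serverhello_tlsext begins and ends outside the hunk.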