diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 87cdc3b2447ecc1d4eaa5a4878d8a9279aaddc17..ea46c3989ec90026110a54a96b81de4ebcf59b9a 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -146,7 +146,7 @@ int tls1_cbc_remove_padding(const SSL* s, unsigned padding_length, good, to_check, i; const unsigned overhead = 1 /* padding length byte */ + mac_size; /* Check if version requires explicit IV */ - if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) + if (SSL_USE_EXPLICIT_IV(s)) { /* These lengths are all public so we can test them in * non-constant time. diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 1bbe99401fb644a115acae7e6714202f3dcea9c1..dbf790c3136806ea08ce6b5274cd8c52dcfe187a 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1030,10 +1030,10 @@ int ssl3_get_server_hello(SSL *s) } } s->s3->tmp.new_cipher=c; - /* Don't digest cached records if TLS v1.2: we may need them for + /* Don't digest cached records if no sigalgs: we may need them for * client authentication. */ - if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) + if (!SSL_USE_SIGALGS(s) && !ssl3_digest_cached_records(s)) goto f_err; /* lets get the compression algorithm */ /* COMPRESSION */ @@ -1785,7 +1785,7 @@ int ssl3_get_key_exchange(SSL *s) /* if it was signed, check the signature */ if (pkey != NULL) { - if (TLS1_get_version(s) >= TLS1_2_VERSION) + if (SSL_USE_SIGALGS(s)) { int rv = tls12_check_peer_sigalg(&md, s, p, pkey); if (rv == -1) @@ -1817,7 +1817,7 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); } #ifndef OPENSSL_NO_RSA - if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) + if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) { int num; @@ -1991,7 +1991,7 @@ int ssl3_get_certificate_request(SSL *s) for (i=0; is3->tmp.ctype[i]= p[i]; p+=p[-1]; - if (TLS1_get_version(s) >= TLS1_2_VERSION) + if (SSL_USE_SIGALGS(s)) { n2s(p, llen); /* Check we have enough room for signature algorithms and @@ -3051,7 +3051,7 @@ int ssl3_send_client_verify(SSL *s) EVP_PKEY_sign_init(pctx); if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) { - if (TLS1_get_version(s) < TLS1_2_VERSION) + if (!SSL_USE_SIGALGS(s)) s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, &(data[MD5_DIGEST_LENGTH])); @@ -3063,7 +3063,7 @@ int ssl3_send_client_verify(SSL *s) /* For TLS v1.2 send signature algorithm and signature * using agreed digest and cached handshake records. */ - if (TLS1_get_version(s) >= TLS1_2_VERSION) + if (SSL_USE_SIGALGS(s)) { long hdatalen = 0; void *hdata; @@ -3193,7 +3193,7 @@ static int ssl3_check_client_certificate(SSL *s) if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey) return 0; /* If no suitable signature algorithm can't use certificate */ - if (TLS1_get_version(s) >= TLS1_2_VERSION && !s->cert->key->digest) + if (SSL_USE_SIGALGS(s) && !s->cert->key->digest) return 0; /* If strict mode check suitability of chain before using it. * This also adjusts suite B digest if necessary. diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 2fe30d77a63c823a270a44d2def4ee4dacf98fa2..b92d879f3d70543c3b1fa1961a4d25e214499d82 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -4458,14 +4458,14 @@ need to go to SSL_ST_ACCEPT. } return(ret); } -/* If we are using TLS v1.2 or later and default SHA1+MD5 algorithms switch - * to new SHA256 PRF and handshake macs +/* If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF + * and handshake macs if required. */ long ssl_get_algorithm2(SSL *s) { long alg2 = s->s3->tmp.new_cipher->algorithm2; - if (TLS1_get_version(s) >= TLS1_2_VERSION && - alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) + if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF + && alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; return alg2; } diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index ffd9c19fab8656c75e22a8a2e061f1c6f30d23cb..80562914f0b49cbd66f5aee3ce74f96ff5e4a9f5 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -180,7 +180,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) /* For DTLS/UDP reads should not span multiple packets * because the read operation returns the whole packet * at once (as long as it fits into the buffer). */ - if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) + if (SSL_IS_DTLS(s)) { if (left > 0 && n > left) n = left; @@ -248,7 +248,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) { rb->left = left; if (s->mode & SSL_MODE_RELEASE_BUFFERS && - SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER) + !SSL_IS_DTLS(s)) if (len+left == 0) ssl3_release_read_buffer(s); return(i); @@ -257,7 +257,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) /* reads should *never* span multiple packets for DTLS because * the underlying transport protocol is message oriented as opposed * to byte oriented as in the TLS case. */ - if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) + if (SSL_IS_DTLS(s)) { if (n > left) n = left; /* makes the while condition false */ @@ -757,8 +757,8 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, /* field where we are to write out packet length */ plen=p; p+=2; - /* Explicit IV length, block ciphers and TLS version 1.1 or later */ - if (s->enc_write_ctx && s->version >= TLS1_1_VERSION) + /* Explicit IV length, block ciphers appropriate version flag */ + if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s)) { int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx); if (mode == EVP_CIPH_CBC_MODE) @@ -895,7 +895,7 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, wb->left=0; wb->offset+=i; if (s->mode & SSL_MODE_RELEASE_BUFFERS && - SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER) + !SSL_IS_DTLS(s)) ssl3_release_write_buffer(s); s->rwstate=SSL_NOTHING; return(s->s3->wpend_ret); diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 5d7ab1325e6085ee4f112772300d6e3cec79f079..0c322cb2b17ce6d133ee9b28b0054cfa5a273ce0 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -640,13 +640,13 @@ int ssl3_accept(SSL *s) #endif s->init_num = 0; } - else if (TLS1_get_version(s) >= TLS1_2_VERSION) + else if (SSL_USE_SIGALGS(s)) { s->state=SSL3_ST_SR_CERT_VRFY_A; s->init_num=0; if (!s->session->peer) break; - /* For TLS v1.2 freeze the handshake buffer + /* For sigalgs freeze the handshake buffer * at this point and digest cached records. */ if (!s->s3->handshake_buffer) @@ -1037,7 +1037,7 @@ int ssl3_get_client_hello(SSL *s) p+=j; - if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) + if (SSL_IS_DTLS(s)) { /* cookie stuff */ cookie_len = *(p++); @@ -1409,7 +1409,7 @@ int ssl3_get_client_hello(SSL *s) s->s3->tmp.new_cipher=s->session->cipher; } - if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) + if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) { if (!ssl3_digest_cached_records(s)) goto f_err; @@ -1941,8 +1941,7 @@ int ssl3_send_server_key_exchange(SSL *s) /* n is the length of the params, they start at &(d[4]) * and p points to the space at the end. */ #ifndef OPENSSL_NO_RSA - if (pkey->type == EVP_PKEY_RSA - && TLS1_get_version(s) < TLS1_2_VERSION) + if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) { q=md_buf; j=0; @@ -1973,9 +1972,8 @@ int ssl3_send_server_key_exchange(SSL *s) #endif if (md) { - /* For TLS1.2 and later send signature - * algorithm */ - if (TLS1_get_version(s) >= TLS1_2_VERSION) + /* send signature algorithm */ + if (SSL_USE_SIGALGS(s)) { if (!tls12_get_sigandhash(p, pkey, md)) { @@ -2002,7 +2000,7 @@ int ssl3_send_server_key_exchange(SSL *s) } s2n(i,p); n+=i+2; - if (TLS1_get_version(s) >= TLS1_2_VERSION) + if (SSL_USE_SIGALGS(s)) n+= 2; } else @@ -2052,7 +2050,7 @@ int ssl3_send_certificate_request(SSL *s) p+=n; n++; - if (TLS1_get_version(s) >= TLS1_2_VERSION) + if (SSL_USE_SIGALGS(s)) { const unsigned char *psigs; nl = tls12_get_psigalgs(s, &psigs); @@ -3024,7 +3022,7 @@ int ssl3_get_cert_verify(SSL *s) } else { - if (TLS1_get_version(s) >= TLS1_2_VERSION) + if (SSL_USE_SIGALGS(s)) { int rv = tls12_check_peer_sigalg(&md, s, p, pkey); if (rv == -1) @@ -3060,7 +3058,7 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); goto f_err; } - if (TLS1_get_version(s) >= TLS1_2_VERSION) + if (SSL_USE_SIGALGS(s)) { long hdatalen = 0; void *hdata; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 3fbb48953944d7f610aae5eadb032ab2e61fc8fe..1de2625c586f360d919256151cd1010c06665666 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1112,8 +1112,7 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) return 0; #endif - if (SSL_version(s) == DTLS1_VERSION || - SSL_version(s) == DTLS1_BAD_VER) + if (SSL_IS_DTLS(s)) { s->d1->mtu = larg; return larg; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index b4d84a0f0df0f72c88021e27d2b5ba25f27bb8fa..f9c5544b3f7f053812e6afc14742db3ddac19f85 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -440,7 +440,14 @@ /* Check if an SSL structure is using DTLS */ #define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) - +/* See if we need explicit IV */ +#define SSL_USE_EXPLICIT_IV(s) \ + (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV) +/* See if we use signature algorithms extension + * and signature algorithm before signatures. + */ +#define SSL_USE_SIGALGS(s) \ + (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SIGALGS) /* Mostly for SSLv3 */ #define SSL_PKEY_RSA_ENC 0 @@ -702,8 +709,10 @@ typedef struct ssl3_enc_method #define SSL_ENC_FLAG_EXPLICIT_IV 0x1 /* Uses signature algorithms extension */ #define SSL_ENC_FLAG_SIGALGS 0x2 +/* Uses SHA256 default PRF */ +#define SSL_ENC_FLAG_SHA256_PRF 0x4 /* Is DTLS */ -#define SSL_ENC_FLAG_DTLS 0x4 +#define SSL_ENC_FLAG_DTLS 0x8 #ifndef OPENSSL_NO_COMP /* Used for holding the relevant compression methods loaded into SSL_CTX */ diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index e313355fa2f2a8d9952ed532c35a0a36c25b2dbb..c6942ff881411db7a9f9be310f8341c99c7d6242 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -779,7 +779,7 @@ int tls1_enc(SSL *s, int send) seq = send?s->s3->write_sequence:s->s3->read_sequence; - if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) + if (SSL_IS_DTLS(s)) { unsigned char dtlsseq[9],*p=dtlsseq; @@ -1008,7 +1008,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) mac_ctx = &hmac; } - if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER) + if (SSL_IS_DTLS(ssl)) { unsigned char dtlsseq[8],*p=dtlsseq; @@ -1071,7 +1071,7 @@ printf("rec="); {unsigned int z; for (z=0; zlength; z++) printf("%02X ",buf[z]); printf("\n"); } #endif - if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER) + if (SSL_IS_DTLS(ssl)) { for (i=7; i>=0; i--) { diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 359edbc29883eb60a738098e8ca6473a72de31e6..99d452a49203952961cc7cab924be4da110c6b0a 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -178,7 +178,7 @@ SSL3_ENC_METHOD TLSv1_2_enc_data={ TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, tls1_alert_code, tls1_export_keying_material, - SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS, + SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF, SSL3_HM_HEADER_LENGTH, ssl3_set_handshake_header, ssl3_handshake_write @@ -1297,7 +1297,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha } skip_ext: - if (TLS1_get_client_version(s) >= TLS1_2_VERSION) + if (SSL_USE_SIGALGS(s)) { size_t salglen; const unsigned char *salg; @@ -3031,7 +3031,7 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, if (p >= limit) return -1; /* Skip past DTLS cookie */ - if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) + if (SSL_IS_DTLS(s)) { i = *(p++); p+= i; @@ -3458,8 +3458,8 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) const EVP_MD *md; CERT *c = s->cert; TLS_SIGALGS *sigptr; - /* Extension ignored for TLS versions below 1.2 */ - if (TLS1_get_version(s) < TLS1_2_VERSION) + /* Extension ignored for inappropriate versions */ + if (!SSL_USE_SIGALGS(s)) return 1; /* Should never happen */ if (!c) diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index e766095a631ccabea707468b7213e8f09c34ad7d..e471272b5dd3eaccdbe6915bfe77394cf451b6c3 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -531,7 +531,7 @@ static int ssl_print_signature(BIO *bio, int indent, SSL *s, { if (*pmsglen < 2) return 0; - if (TLS1_get_version(s) >= TLS1_2_VERSION) + if (SSL_USE_SIGALGS(s)) { const unsigned char *p = *pmsg; BIO_indent(bio, indent, 80); @@ -1046,7 +1046,7 @@ static int ssl_print_cert_request(BIO *bio, int indent, SSL *s, return 0; msg += xlen; msglen -= xlen + 1; - if (TLS1_get_version(s) < TLS1_2_VERSION) + if (!SSL_USE_SIGALGS(s)) goto skip_sig; if (msglen < 2) return 0;