Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
2c7b4dbc
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
9 个月 前同步成功
通知
8
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
2c7b4dbc
编写于
8月 03, 2016
作者:
M
Matt Caswell
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Convert tls_construct_client_hello() to use PACKETW
Reviewed-by:
N
Rich Salz
<
rsalz@openssl.org
>
上级
b7273855
变更
13
展开全部
隐藏空白更改
内联
并排
Showing
13 changed file
with
585 addition
and
390 deletion
+585
-390
include/openssl/ssl.h
include/openssl/ssl.h
+2
-1
ssl/d1_lib.c
ssl/d1_lib.c
+4
-0
ssl/d1_srtp.c
ssl/d1_srtp.c
+0
-43
ssl/s3_lib.c
ssl/s3_lib.c
+39
-1
ssl/ssl_err.c
ssl/ssl_err.c
+2
-2
ssl/ssl_locl.h
ssl/ssl_locl.h
+28
-12
ssl/statem/statem_clnt.c
ssl/statem/statem_clnt.c
+118
-78
ssl/statem/statem_dtls.c
ssl/statem/statem_dtls.c
+43
-0
ssl/statem/statem_lib.c
ssl/statem/statem_lib.c
+14
-0
ssl/statem/statem_srvr.c
ssl/statem/statem_srvr.c
+2
-2
ssl/t1_ext.c
ssl/t1_ext.c
+67
-3
ssl/t1_lib.c
ssl/t1_lib.c
+266
-224
ssl/t1_reneg.c
ssl/t1_reneg.c
+0
-24
未找到文件。
include/openssl/ssl.h
浏览文件 @
2c7b4dbc
...
...
@@ -2120,6 +2120,7 @@ int ERR_load_SSL_strings(void);
# define SSL_F_SSL_CHECK_PRIVATE_KEY 163
# define SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT 280
# define SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG 279
# define SSL_F_SSL_CIPHER_LIST_TO_BYTES 425
# define SSL_F_SSL_CIPHER_PROCESS_RULESTR 230
# define SSL_F_SSL_CIPHER_STRENGTH_SORT 231
# define SSL_F_SSL_CLEAR 164
...
...
@@ -2456,9 +2457,9 @@ int ERR_load_SSL_strings(void);
# define SSL_R_SSL_SECTION_NOT_FOUND 136
# define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 301
# define SSL_R_SSL_SESSION_ID_CONFLICT 302
# define SSL_R_SSL_SESSION_ID_TOO_LONG 408
# define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
# define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303
# define SSL_R_SSL_SESSION_ID_TOO_LONG 408
# define SSL_R_SSL_SESSION_VERSION_MISMATCH 210
# define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
# define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
...
...
ssl/d1_lib.c
浏览文件 @
2c7b4dbc
...
...
@@ -44,6 +44,8 @@ const SSL3_ENC_METHOD DTLSv1_enc_data = {
SSL_ENC_FLAG_DTLS
|
SSL_ENC_FLAG_EXPLICIT_IV
,
DTLS1_HM_HEADER_LENGTH
,
dtls1_set_handshake_header
,
dtls1_set_handshake_header2
,
dtls1_close_construct_packet
,
dtls1_handshake_write
};
...
...
@@ -63,6 +65,8 @@ const SSL3_ENC_METHOD DTLSv1_2_enc_data = {
|
SSL_ENC_FLAG_SHA256_PRF
|
SSL_ENC_FLAG_TLS1_2_CIPHERS
,
DTLS1_HM_HEADER_LENGTH
,
dtls1_set_handshake_header
,
dtls1_set_handshake_header2
,
dtls1_close_construct_packet
,
dtls1_handshake_write
};
...
...
ssl/d1_srtp.c
浏览文件 @
2c7b4dbc
...
...
@@ -136,49 +136,6 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s)
return
s
->
srtp_profile
;
}
/*
* Note: this function returns 0 length if there are no profiles specified
*/
int
ssl_add_clienthello_use_srtp_ext
(
SSL
*
s
,
unsigned
char
*
p
,
int
*
len
,
int
maxlen
)
{
int
ct
=
0
;
int
i
;
STACK_OF
(
SRTP_PROTECTION_PROFILE
)
*
clnt
=
0
;
SRTP_PROTECTION_PROFILE
*
prof
;
clnt
=
SSL_get_srtp_profiles
(
s
);
ct
=
sk_SRTP_PROTECTION_PROFILE_num
(
clnt
);
/* -1 if clnt == 0 */
if
(
p
)
{
if
(
ct
==
0
)
{
SSLerr
(
SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT
,
SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST
);
return
1
;
}
if
((
2
+
ct
*
2
+
1
)
>
maxlen
)
{
SSLerr
(
SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT
,
SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG
);
return
1
;
}
/* Add the length */
s2n
(
ct
*
2
,
p
);
for
(
i
=
0
;
i
<
ct
;
i
++
)
{
prof
=
sk_SRTP_PROTECTION_PROFILE_value
(
clnt
,
i
);
s2n
(
prof
->
id
,
p
);
}
/* Add an empty use_mki value */
*
p
++
=
0
;
}
*
len
=
2
+
ct
*
2
+
1
;
return
0
;
}
int
ssl_parse_clienthello_use_srtp_ext
(
SSL
*
s
,
PACKET
*
pkt
,
int
*
al
)
{
SRTP_PROTECTION_PROFILE
*
sprof
;
...
...
ssl/s3_lib.c
浏览文件 @
2c7b4dbc
...
...
@@ -2751,6 +2751,8 @@ const SSL3_ENC_METHOD SSLv3_enc_data = {
0
,
SSL3_HM_HEADER_LENGTH
,
ssl3_set_handshake_header
,
ssl3_set_handshake_header2
,
tls_close_construct_packet
,
ssl3_handshake_write
};
...
...
@@ -2787,6 +2789,22 @@ int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len)
return
1
;
}
/*
* Temporary name. To be renamed ssl3_set_handshake_header() once all PACKETW
* conversion is complete. The old ssl3_set_handshake_heder() can be deleted
* at that point.
* TODO - RENAME ME
*/
int
ssl3_set_handshake_header2
(
SSL
*
s
,
PACKETW
*
pkt
,
PACKETW
*
body
,
int
htype
)
{
/* Set the content type and 3 bytes for the message len */
if
(
!
PACKETW_put_bytes
(
pkt
,
htype
,
1
)
||
!
PACKETW_get_sub_packet_len
(
pkt
,
body
,
3
))
return
0
;
return
1
;
}
int
ssl3_handshake_write
(
SSL
*
s
)
{
return
ssl3_do_write
(
s
,
SSL3_RT_HANDSHAKE
);
...
...
@@ -3553,7 +3571,13 @@ const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
return
cp
;
}
int
ssl3_put_cipher_by_char
(
const
SSL_CIPHER
*
c
,
unsigned
char
*
p
)
/*
* Old version of the ssl3_put_cipher_by_char function used by code that has not
* yet been converted to PACKETW yet. It will be deleted once PACKETW conversion
* is complete.
* TODO - DELETE ME
*/
int
ssl3_put_cipher_by_char_old
(
const
SSL_CIPHER
*
c
,
unsigned
char
*
p
)
{
long
l
;
...
...
@@ -3567,6 +3591,20 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
return
(
2
);
}
int
ssl3_put_cipher_by_char
(
const
SSL_CIPHER
*
c
,
PACKETW
*
pkt
,
size_t
*
len
)
{
if
((
c
->
id
&
0xff000000
)
!=
0x03000000
)
{
*
len
=
0
;
return
1
;
}
if
(
!
PACKETW_put_bytes
(
pkt
,
c
->
id
&
0xffff
,
2
))
return
0
;
*
len
=
2
;
return
1
;
}
/*
* ssl3_choose_cipher - choose a cipher from those offered by the client
* @s: SSL connection
...
...
ssl/ssl_err.c
浏览文件 @
2c7b4dbc
...
...
@@ -107,6 +107,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
"ssl_check_serverhello_tlsext"
},
{
ERR_FUNC
(
SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG
),
"ssl_check_srvr_ecc_cert_and_alg"
},
{
ERR_FUNC
(
SSL_F_SSL_CIPHER_LIST_TO_BYTES
),
"ssl_cipher_list_to_bytes"
},
{
ERR_FUNC
(
SSL_F_SSL_CIPHER_PROCESS_RULESTR
),
"ssl_cipher_process_rulestr"
},
{
ERR_FUNC
(
SSL_F_SSL_CIPHER_STRENGTH_SORT
),
"ssl_cipher_strength_sort"
},
...
...
@@ -567,10 +568,9 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{
ERR_REASON
(
SSL_R_SSL_SESSION_ID_CONFLICT
),
"ssl session id conflict"
},
{
ERR_REASON
(
SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG
),
"ssl session id context too long"
},
{
ERR_REASON
(
SSL_R_SSL_SESSION_ID_TOO_LONG
),
"ssl session id too long"
},
{
ERR_REASON
(
SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH
),
"ssl session id has bad length"
},
{
ERR_REASON
(
SSL_R_SSL_SESSION_ID_TOO_LONG
),
"ssl session id too long"
},
{
ERR_REASON
(
SSL_R_SSL_SESSION_VERSION_MISMATCH
),
"ssl session version mismatch"
},
{
ERR_REASON
(
SSL_R_TLSV1_ALERT_ACCESS_DENIED
),
...
...
ssl/ssl_locl.h
浏览文件 @
2c7b4dbc
...
...
@@ -457,7 +457,8 @@ struct ssl_method_st {
long
(
*
ssl_ctrl
)
(
SSL
*
s
,
int
cmd
,
long
larg
,
void
*
parg
);
long
(
*
ssl_ctx_ctrl
)
(
SSL_CTX
*
ctx
,
int
cmd
,
long
larg
,
void
*
parg
);
const
SSL_CIPHER
*
(
*
get_cipher_by_char
)
(
const
unsigned
char
*
ptr
);
int
(
*
put_cipher_by_char
)
(
const
SSL_CIPHER
*
cipher
,
unsigned
char
*
ptr
);
int
(
*
put_cipher_by_char
)
(
const
SSL_CIPHER
*
cipher
,
PACKETW
*
pkt
,
size_t
*
len
);
int
(
*
ssl_pending
)
(
const
SSL
*
s
);
int
(
*
num_ciphers
)
(
void
);
const
SSL_CIPHER
*
(
*
get_cipher
)
(
unsigned
ncipher
);
...
...
@@ -1584,6 +1585,11 @@ typedef struct ssl3_enc_method {
unsigned
int
hhlen
;
/* Set the handshake header */
int
(
*
set_handshake_header
)
(
SSL
*
s
,
int
type
,
unsigned
long
len
);
/* Set the handshake header */
int
(
*
set_handshake_header2
)
(
SSL
*
s
,
PACKETW
*
pkt
,
PACKETW
*
body
,
int
type
);
/* Close construction of the handshake message */
int
(
*
close_construct_packet
)
(
SSL
*
s
,
PACKETW
*
pkt
);
/* Write out handshake message */
int
(
*
do_write
)
(
SSL
*
s
);
}
SSL3_ENC_METHOD
;
...
...
@@ -1593,6 +1599,10 @@ typedef struct ssl3_enc_method {
(((unsigned char *)s->init_buf->data) + s->method->ssl3_enc->hhlen)
# define ssl_set_handshake_header(s, htype, len) \
s->method->ssl3_enc->set_handshake_header(s, htype, len)
# define ssl_set_handshake_header2(s, pkt, body, htype) \
s->method->ssl3_enc->set_handshake_header2((s), (pkt), (body), (htype))
# define ssl_close_construct_packet(s, pkt) \
s->method->ssl3_enc->close_construct_packet((s), (pkt))
# define ssl_do_write(s) s->method->ssl3_enc->do_write(s)
/* Values for enc_flags */
...
...
@@ -1854,7 +1864,9 @@ __owur int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey);
__owur
EVP_PKEY
*
ssl_dh_to_pkey
(
DH
*
dh
);
__owur
const
SSL_CIPHER
*
ssl3_get_cipher_by_char
(
const
unsigned
char
*
p
);
__owur
int
ssl3_put_cipher_by_char
(
const
SSL_CIPHER
*
c
,
unsigned
char
*
p
);
__owur
int
ssl3_put_cipher_by_char_old
(
const
SSL_CIPHER
*
c
,
unsigned
char
*
p
);
__owur
int
ssl3_put_cipher_by_char
(
const
SSL_CIPHER
*
c
,
PACKETW
*
pkt
,
size_t
*
len
);
int
ssl3_init_finished_mac
(
SSL
*
s
);
__owur
int
ssl3_setup_key_block
(
SSL
*
s
);
__owur
int
ssl3_change_cipher_state
(
SSL
*
s
,
int
which
);
...
...
@@ -1894,6 +1906,12 @@ __owur int ssl3_do_change_cipher_spec(SSL *ssl);
__owur
long
ssl3_default_timeout
(
void
);
__owur
int
ssl3_set_handshake_header
(
SSL
*
s
,
int
htype
,
unsigned
long
len
);
__owur
int
ssl3_set_handshake_header2
(
SSL
*
s
,
PACKETW
*
pkt
,
PACKETW
*
body
,
int
htype
);
__owur
int
tls_close_construct_packet
(
SSL
*
s
,
PACKETW
*
pkt
);
__owur
int
dtls1_set_handshake_header2
(
SSL
*
s
,
PACKETW
*
pkt
,
PACKETW
*
body
,
int
htype
);
__owur
int
dtls1_close_construct_packet
(
SSL
*
s
,
PACKETW
*
pkt
);
__owur
int
ssl3_handshake_write
(
SSL
*
s
);
__owur
int
ssl_allow_compression
(
SSL
*
s
);
...
...
@@ -2002,8 +2020,7 @@ __owur EVP_PKEY *ssl_generate_pkey_curve(int id);
__owur
int
tls1_shared_list
(
SSL
*
s
,
const
unsigned
char
*
l1
,
size_t
l1len
,
const
unsigned
char
*
l2
,
size_t
l2len
,
int
nmatch
);
__owur
unsigned
char
*
ssl_add_clienthello_tlsext
(
SSL
*
s
,
unsigned
char
*
buf
,
unsigned
char
*
limit
,
int
*
al
);
__owur
int
ssl_add_clienthello_tlsext
(
SSL
*
s
,
PACKETW
*
pkt
,
int
*
al
);
__owur
unsigned
char
*
ssl_add_serverhello_tlsext
(
SSL
*
s
,
unsigned
char
*
buf
,
unsigned
char
*
limit
,
int
*
al
);
__owur
int
ssl_parse_clienthello_tlsext
(
SSL
*
s
,
PACKET
*
pkt
);
...
...
@@ -2054,12 +2071,12 @@ void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
__owur
int
ssl_add_serverhello_renegotiate_ext
(
SSL
*
s
,
unsigned
char
*
p
,
int
*
len
,
int
maxlen
);
__owur
int
ssl_parse_serverhello_renegotiate_ext
(
SSL
*
s
,
PACKET
*
pkt
,
int
*
al
);
__owur
int
ssl_add_clienthello_renegotiate_ext
(
SSL
*
s
,
unsigned
char
*
p
,
int
*
len
,
int
maxlen
);
__owur
int
ssl_parse_clienthello_renegotiate_ext
(
SSL
*
s
,
PACKET
*
pkt
,
int
*
al
);
__owur
long
ssl_get_algorithm2
(
SSL
*
s
);
__owur
size_t
tls12_copy_sigalgs
(
SSL
*
s
,
unsigned
char
*
out
,
const
unsigned
char
*
psig
,
size_t
psiglen
);
__owur
size_t
tls12_copy_sigalgs_old
(
SSL
*
s
,
unsigned
char
*
out
,
const
unsigned
char
*
psig
,
size_t
psiglen
);
__owur
int
tls12_copy_sigalgs
(
SSL
*
s
,
PACKETW
*
pkt
,
const
unsigned
char
*
psig
,
size_t
psiglen
);
__owur
int
tls1_save_sigalgs
(
SSL
*
s
,
const
unsigned
char
*
data
,
int
dsize
);
__owur
int
tls1_process_sigalgs
(
SSL
*
s
);
__owur
size_t
tls12_get_psigalgs
(
SSL
*
s
,
const
unsigned
char
**
psigs
);
...
...
@@ -2068,8 +2085,6 @@ __owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
void
ssl_set_client_disabled
(
SSL
*
s
);
__owur
int
ssl_cipher_disabled
(
SSL
*
s
,
const
SSL_CIPHER
*
c
,
int
op
);
__owur
int
ssl_add_clienthello_use_srtp_ext
(
SSL
*
s
,
unsigned
char
*
p
,
int
*
len
,
int
maxlen
);
__owur
int
ssl_parse_clienthello_use_srtp_ext
(
SSL
*
s
,
PACKET
*
pkt
,
int
*
al
);
__owur
int
ssl_add_serverhello_use_srtp_ext
(
SSL
*
s
,
unsigned
char
*
p
,
int
*
len
,
int
maxlen
);
...
...
@@ -2108,8 +2123,9 @@ __owur int custom_ext_parse(SSL *s, int server,
unsigned
int
ext_type
,
const
unsigned
char
*
ext_data
,
size_t
ext_size
,
int
*
al
);
__owur
int
custom_ext_add
(
SSL
*
s
,
int
server
,
unsigned
char
**
pret
,
unsigned
char
*
limit
,
int
*
al
);
__owur
int
custom_ext_add_old
(
SSL
*
s
,
int
server
,
unsigned
char
**
pret
,
unsigned
char
*
limit
,
int
*
al
);
__owur
int
custom_ext_add
(
SSL
*
s
,
int
server
,
PACKETW
*
pkt
,
int
*
al
);
__owur
int
custom_exts_copy
(
custom_ext_methods
*
dst
,
const
custom_ext_methods
*
src
);
...
...
ssl/statem/statem_clnt.c
浏览文件 @
2c7b4dbc
...
...
@@ -63,7 +63,7 @@ static ossl_inline int cert_req_allowed(SSL *s);
static
int
key_exchange_expected
(
SSL
*
s
);
static
int
ca_dn_cmp
(
const
X509_NAME
*
const
*
a
,
const
X509_NAME
*
const
*
b
);
static
int
ssl_cipher_list_to_bytes
(
SSL
*
s
,
STACK_OF
(
SSL_CIPHER
)
*
sk
,
unsigned
char
*
p
);
PACKETW
*
pkt
);
/*
* Is a CertificateRequest message allowed at the moment or not?
...
...
@@ -689,19 +689,22 @@ WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
int
tls_construct_client_hello
(
SSL
*
s
)
{
unsigned
char
*
buf
;
unsigned
char
*
p
,
*
d
;
unsigned
char
*
p
;
int
i
;
int
protverr
;
unsigned
long
l
;
int
al
=
0
;
int
al
=
SSL_AD_HANDSHAKE_FAILURE
;
#ifndef OPENSSL_NO_COMP
int
j
;
SSL_COMP
*
comp
;
#endif
SSL_SESSION
*
sess
=
s
->
session
;
PACKETW
pkt
,
body
,
spkt
;
buf
=
(
unsigned
char
*
)
s
->
init_buf
->
data
;
if
(
!
PACKETW_init
(
&
pkt
,
s
->
init_buf
)
||
!
PACKETW_set_max_size
(
&
pkt
,
SSL3_RT_MAX_PLAIN_LENGTH
))
{
/* Should not happen */
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
/* Work out what SSL/TLS/DTLS version to use */
protverr
=
ssl_set_client_hello_version
(
s
);
...
...
@@ -743,8 +746,11 @@ int tls_construct_client_hello(SSL *s)
if
(
i
&&
ssl_fill_hello_random
(
s
,
0
,
p
,
sizeof
(
s
->
s3
->
client_random
))
<=
0
)
goto
err
;
/* Do the message type and length last */
d
=
p
=
ssl_handshake_start
(
s
);
if
(
!
ssl_set_handshake_header2
(
s
,
&
pkt
,
&
body
,
SSL3_MT_CLIENT_HELLO
))
{
ssl3_send_alert
(
s
,
SSL3_AL_FATAL
,
SSL_AD_HANDSHAKE_FAILURE
);
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
/*-
* version indicates the negotiated version: for example from
...
...
@@ -776,90 +782,92 @@ int tls_construct_client_hello(SSL *s)
* client_version in client hello and not resetting it to
* the negotiated version.
*/
*
(
p
++
)
=
s
->
client_version
>>
8
;
*
(
p
++
)
=
s
->
client_version
&
0xff
;
/* Random stuff */
memcpy
(
p
,
s
->
s3
->
client_random
,
SSL3_RANDOM_SIZE
);
p
+=
SSL3_RANDOM_SIZE
;
if
(
!
PACKETW_put_bytes
(
&
body
,
s
->
client_version
,
2
)
||
!
PACKETW_memcpy
(
&
body
,
s
->
s3
->
client_random
,
SSL3_RANDOM_SIZE
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
/* Session ID */
if
(
s
->
new_session
)
i
=
0
;
else
i
=
s
->
session
->
session_id_length
;
*
(
p
++
)
=
i
;
if
(
i
!=
0
)
{
if
(
i
>
(
int
)
sizeof
(
s
->
session
->
session_id
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
memcpy
(
p
,
s
->
session
->
session_id
,
i
);
p
+=
i
;
if
(
i
>
(
int
)
sizeof
(
s
->
session
->
session_id
)
||
!
PACKETW_get_sub_packet_len
(
&
body
,
&
spkt
,
1
)
||
(
i
!=
0
&&
!
PACKETW_memcpy
(
&
spkt
,
s
->
session
->
session_id
,
i
))
||
!
PACKETW_close
(
&
spkt
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
/* cookie stuff for DTLS */
if
(
SSL_IS_DTLS
(
s
))
{
if
(
s
->
d1
->
cookie_len
>
sizeof
(
s
->
d1
->
cookie
))
{
if
(
s
->
d1
->
cookie_len
>
sizeof
(
s
->
d1
->
cookie
)
||
!
PACKETW_get_sub_packet_len
(
&
body
,
&
spkt
,
1
)
||
!
PACKETW_memcpy
(
&
spkt
,
s
->
d1
->
cookie
,
s
->
d1
->
cookie_len
)
||
!
PACKETW_close
(
&
spkt
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
*
(
p
++
)
=
s
->
d1
->
cookie_len
;
memcpy
(
p
,
s
->
d1
->
cookie
,
s
->
d1
->
cookie_len
);
p
+=
s
->
d1
->
cookie_len
;
}
/* Ciphers supported */
i
=
ssl_cipher_list_to_bytes
(
s
,
SSL_get_ciphers
(
s
),
&
(
p
[
2
]));
if
(
i
==
0
)
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
SSL_R_NO_CIPHERS_AVAILABLE
);
if
(
!
PACKETW_get_sub_packet_len
(
&
body
,
&
spkt
,
2
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
/* ssl_cipher_list_to_bytes() raises SSLerr if appropriate */
if
(
!
ssl_cipher_list_to_bytes
(
s
,
SSL_get_ciphers
(
s
),
&
spkt
))
goto
err
;
if
(
!
PACKETW_close
(
&
spkt
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
/*
* Some servers hang if client hello > 256 bytes as hack workaround
* chop number of supported ciphers to keep it well below this if we
* use TLS v1.2
*/
if
(
TLS1_get_version
(
s
)
>=
TLS1_2_VERSION
&&
i
>
OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
)
i
=
OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
&
~
1
;
#endif
s2n
(
i
,
p
);
p
+=
i
;
/* COMPRESSION */
#ifdef OPENSSL_NO_COMP
*
(
p
++
)
=
1
;
#else
if
(
!
ssl_allow_compression
(
s
)
||
!
s
->
ctx
->
comp_methods
)
j
=
0
;
else
j
=
sk_SSL_COMP_num
(
s
->
ctx
->
comp_methods
);
*
(
p
++
)
=
1
+
j
;
for
(
i
=
0
;
i
<
j
;
i
++
)
{
comp
=
sk_SSL_COMP_value
(
s
->
ctx
->
comp_methods
,
i
);
*
(
p
++
)
=
comp
->
id
;
if
(
!
PACKETW_get_sub_packet_len
(
&
body
,
&
spkt
,
1
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
#ifndef OPENSSL_NO_COMP
if
(
ssl_allow_compression
(
s
)
&&
s
->
ctx
->
comp_methods
)
{
int
compnum
=
sk_SSL_COMP_num
(
s
->
ctx
->
comp_methods
);
for
(
i
=
0
;
i
<
compnum
;
i
++
)
{
comp
=
sk_SSL_COMP_value
(
s
->
ctx
->
comp_methods
,
i
);
if
(
!
PACKETW_put_bytes
(
&
spkt
,
comp
->
id
,
1
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
}
}
#endif
*
(
p
++
)
=
0
;
/* Add the NULL method */
/* Add the NULL method */
if
(
!
PACKETW_put_bytes
(
&
spkt
,
0
,
1
)
||
!
PACKETW_close
(
&
spkt
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
/* TLS extensions */
if
(
ssl_prepare_clienthello_tlsext
(
s
)
<=
0
)
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
SSL_R_CLIENTHELLO_TLSEXT
);
goto
err
;
}
if
((
p
=
ssl_add_clienthello_tlsext
(
s
,
p
,
buf
+
SSL3_RT_MAX_PLAIN_LENGTH
,
&
al
))
==
NULL
)
{
if
(
!
PACKETW_get_sub_packet_len
(
&
body
,
&
spkt
,
2
)
/*
* If extensions are of zero length then we don't even add the
* extensions length bytes
*/
||
!
PACKETW_set_flags
(
&
spkt
,
OPENSSL_PACKETW_FLAGS_ABANDON_ON_ZERO_LENGTH
)
||
!
ssl_add_clienthello_tlsext
(
s
,
&
spkt
,
&
al
)
||
!
PACKETW_close
(
&
spkt
))
{
ssl3_send_alert
(
s
,
SSL3_AL_FATAL
,
al
);
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
l
=
p
-
d
;
if
(
!
ssl_set_handshake_header
(
s
,
SSL3_MT_CLIENT_HELLO
,
l
))
{
if
(
!
PACKETW_close
(
&
body
)
||
!
ssl_close_construct_packet
(
s
,
&
pkt
))
{
ssl3_send_alert
(
s
,
SSL3_AL_FATAL
,
SSL_AD_HANDSHAKE_FAILURE
);
SSLerr
(
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
...
...
@@ -2909,47 +2917,79 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
return
i
;
}
int
ssl_cipher_list_to_bytes
(
SSL
*
s
,
STACK_OF
(
SSL_CIPHER
)
*
sk
,
unsigned
char
*
p
)
int
ssl_cipher_list_to_bytes
(
SSL
*
s
,
STACK_OF
(
SSL_CIPHER
)
*
sk
,
PACKETW
*
pkt
)
{
int
i
,
j
=
0
;
const
SSL_CIPHER
*
c
;
unsigned
char
*
q
;
int
i
;
size_t
totlen
=
0
,
len
,
maxlen
;
int
empty_reneg_info_scsv
=
!
s
->
renegotiate
;
/* Set disabled masks for this session */
ssl_set_client_disabled
(
s
);
if
(
sk
==
NULL
)
return
(
0
);
q
=
p
;
for
(
i
=
0
;
i
<
sk_SSL_CIPHER_num
(
sk
);
i
++
)
{
#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
# if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
# error Max cipher length too short
# endif
/*
* Some servers hang if client hello > 256 bytes as hack workaround
* chop number of supported ciphers to keep it well below this if we
* use TLS v1.2
*/
if
(
TLS1_get_version
(
s
)
>=
TLS1_2_VERSION
)
maxlen
=
OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
&
~
1
;
else
#endif
/* Maximum length that can be stored in 2 bytes. Length must be even */
maxlen
=
0xfffe
;
if
(
empty_reneg_info_scsv
)
maxlen
-=
2
;
if
(
s
->
mode
&
SSL_MODE_SEND_FALLBACK_SCSV
)
maxlen
-=
2
;
for
(
i
=
0
;
i
<
sk_SSL_CIPHER_num
(
sk
)
&&
totlen
<
maxlen
;
i
++
)
{
const
SSL_CIPHER
*
c
;
c
=
sk_SSL_CIPHER_value
(
sk
,
i
);
/* Skip disabled ciphers */
if
(
ssl_cipher_disabled
(
s
,
c
,
SSL_SECOP_CIPHER_SUPPORTED
))
continue
;
j
=
s
->
method
->
put_cipher_by_char
(
c
,
p
);
p
+=
j
;
if
(
!
s
->
method
->
put_cipher_by_char
(
c
,
pkt
,
&
len
))
{
SSLerr
(
SSL_F_SSL_CIPHER_LIST_TO_BYTES
,
ERR_R_INTERNAL_ERROR
);
return
0
;
}
totlen
+=
len
;
}
/*
* If p == q, no ciphers; caller indicates an error. Otherwise, add
* applicable SCSVs.
*/
if
(
p
!=
q
)
{
if
(
totlen
==
0
)
{
SSLerr
(
SSL_F_SSL_CIPHER_LIST_TO_BYTES
,
SSL_R_NO_CIPHERS_AVAILABLE
);
return
0
;
}
if
(
totlen
!=
0
)
{
if
(
empty_reneg_info_scsv
)
{
static
SSL_CIPHER
scsv
=
{
0
,
NULL
,
SSL3_CK_SCSV
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
};
j
=
s
->
method
->
put_cipher_by_char
(
&
scsv
,
p
);
p
+=
j
;
if
(
!
s
->
method
->
put_cipher_by_char
(
&
scsv
,
pkt
,
&
len
))
{
SSLerr
(
SSL_F_SSL_CIPHER_LIST_TO_BYTES
,
ERR_R_INTERNAL_ERROR
);
return
0
;
}
}
if
(
s
->
mode
&
SSL_MODE_SEND_FALLBACK_SCSV
)
{
static
SSL_CIPHER
scsv
=
{
0
,
NULL
,
SSL3_CK_FALLBACK_SCSV
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
,
0
};
j
=
s
->
method
->
put_cipher_by_char
(
&
scsv
,
p
);
p
+=
j
;
if
(
!
s
->
method
->
put_cipher_by_char
(
&
scsv
,
pkt
,
&
len
))
{
SSLerr
(
SSL_F_SSL_CIPHER_LIST_TO_BYTES
,
ERR_R_INTERNAL_ERROR
);
return
0
;
}
}
}
return
(
p
-
q
)
;
return
1
;
}
ssl/statem/statem_dtls.c
浏览文件 @
2c7b4dbc
...
...
@@ -1190,3 +1190,46 @@ void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr)
n2l3
(
data
,
msg_hdr
->
frag_off
);
n2l3
(
data
,
msg_hdr
->
frag_len
);
}
/*
* Temporary name. To be renamed dtls1_set_handshake_header() once all PACKETW
* conversion is complete. The old dtls1_set_handshake_heder() can be deleted
* at that point.
* TODO - RENAME ME
*/
int
dtls1_set_handshake_header2
(
SSL
*
s
,
PACKETW
*
pkt
,
PACKETW
*
body
,
int
htype
)
{
unsigned
char
*
header
;
dtls1_set_message_header
(
s
,
htype
,
0
,
0
,
0
);
/*
* We allocate space at the start for the message header. This gets filled
* in later
*/
if
(
!
PACKETW_allocate_bytes
(
pkt
,
DTLS1_HM_HEADER_LENGTH
,
&
header
)
||
!
PACKETW_get_sub_packet
(
pkt
,
body
))
return
0
;
return
1
;
}
int
dtls1_close_construct_packet
(
SSL
*
s
,
PACKETW
*
pkt
)
{
size_t
msglen
;
if
(
!
PACKETW_get_length
(
pkt
,
&
msglen
)
||
msglen
>
INT_MAX
||
!
PACKETW_close
(
pkt
))
return
0
;
s
->
d1
->
w_msg_hdr
.
msg_len
=
msglen
-
DTLS1_HM_HEADER_LENGTH
;
s
->
d1
->
w_msg_hdr
.
frag_len
=
msglen
-
DTLS1_HM_HEADER_LENGTH
;
s
->
init_num
=
(
int
)
msglen
;
s
->
init_off
=
0
;
/* Buffer the message to handle re-xmits */
if
(
!
dtls1_buffer_message
(
s
,
0
))
return
0
;
return
1
;
}
ssl/statem/statem_lib.c
浏览文件 @
2c7b4dbc
...
...
@@ -57,6 +57,20 @@ int ssl3_do_write(SSL *s, int type)
return
(
0
);
}
int
tls_close_construct_packet
(
SSL
*
s
,
PACKETW
*
pkt
)
{
size_t
msglen
;
if
(
!
PACKETW_get_length
(
pkt
,
&
msglen
)
||
msglen
>
INT_MAX
||
!
PACKETW_close
(
pkt
))
return
0
;
s
->
init_num
=
(
int
)
msglen
;
s
->
init_off
=
0
;
return
1
;
}
int
tls_construct_finished
(
SSL
*
s
,
const
char
*
sender
,
int
slen
)
{
unsigned
char
*
p
;
...
...
ssl/statem/statem_srvr.c
浏览文件 @
2c7b4dbc
...
...
@@ -1551,7 +1551,7 @@ int tls_construct_server_hello(SSL *s)
p
+=
sl
;
/* put the cipher */
i
=
ssl3_put_cipher_by_char
(
s
->
s3
->
tmp
.
new_cipher
,
p
);
i
=
ssl3_put_cipher_by_char
_old
(
s
->
s3
->
tmp
.
new_cipher
,
p
);
p
+=
i
;
/* put the compression method */
...
...
@@ -2002,7 +2002,7 @@ int tls_construct_certificate_request(SSL *s)
nl
=
tls12_get_psigalgs
(
s
,
&
psigs
);
/* Skip over length for now */
p
+=
2
;
nl
=
tls12_copy_sigalgs
(
s
,
p
,
psigs
,
nl
);
nl
=
tls12_copy_sigalgs
_old
(
s
,
p
,
psigs
,
nl
);
/* Now fill in length */
s2n
(
nl
,
etmp
);
p
+=
nl
;
...
...
ssl/t1_ext.c
浏览文件 @
2c7b4dbc
...
...
@@ -72,10 +72,13 @@ int custom_ext_parse(SSL *s, int server,
/*
* Request custom extension data from the application and add to the return
* buffer.
* buffer. This is the old style function signature prior to PACKETW. This is
* here temporarily until the conversion to PACKETW is completed, i.e. it is
* used by code that hasn't been converted yet.
* TODO - REMOVE THIS FUNCTION
*/
int
custom_ext_add
(
SSL
*
s
,
int
server
,
unsigned
char
**
pret
,
unsigned
char
*
limit
,
int
*
al
)
int
custom_ext_add
_old
(
SSL
*
s
,
int
server
,
unsigned
char
**
pret
,
unsigned
char
*
limit
,
int
*
al
)
{
custom_ext_methods
*
exts
=
server
?
&
s
->
cert
->
srv_ext
:
&
s
->
cert
->
cli_ext
;
custom_ext_method
*
meth
;
...
...
@@ -131,6 +134,67 @@ int custom_ext_add(SSL *s, int server,
return
1
;
}
/*
* Request custom extension data from the application and add to the return
* buffer.
*/
int
custom_ext_add
(
SSL
*
s
,
int
server
,
PACKETW
*
pkt
,
int
*
al
)
{
custom_ext_methods
*
exts
=
server
?
&
s
->
cert
->
srv_ext
:
&
s
->
cert
->
cli_ext
;
custom_ext_method
*
meth
;
size_t
i
;
for
(
i
=
0
;
i
<
exts
->
meths_count
;
i
++
)
{
const
unsigned
char
*
out
=
NULL
;
size_t
outlen
=
0
;
PACKETW
spkt
;
meth
=
exts
->
meths
+
i
;
if
(
server
)
{
/*
* For ServerHello only send extensions present in ClientHello.
*/
if
(
!
(
meth
->
ext_flags
&
SSL_EXT_FLAG_RECEIVED
))
continue
;
/* If callback absent for server skip it */
if
(
!
meth
->
add_cb
)
continue
;
}
if
(
meth
->
add_cb
)
{
int
cb_retval
=
0
;
cb_retval
=
meth
->
add_cb
(
s
,
meth
->
ext_type
,
&
out
,
&
outlen
,
al
,
meth
->
add_arg
);
if
(
cb_retval
<
0
)
return
0
;
/* error */
if
(
cb_retval
==
0
)
continue
;
/* skip this extension */
}
if
(
!
PACKETW_put_bytes
(
pkt
,
meth
->
ext_type
,
2
)
||
!
PACKETW_get_sub_packet_len
(
pkt
,
&
spkt
,
2
)
||
(
outlen
>
0
&&
!
PACKETW_memcpy
(
&
spkt
,
out
,
outlen
))
||
!
PACKETW_close
(
&
spkt
))
{
*
al
=
SSL_AD_INTERNAL_ERROR
;
return
0
;
}
/*
* We can't send duplicates: code logic should prevent this.
*/
OPENSSL_assert
(
!
(
meth
->
ext_flags
&
SSL_EXT_FLAG_SENT
));
/*
* Indicate extension has been sent: this is both a sanity check to
* ensure we don't send duplicate extensions and indicates that it is
* not an error if the extension is present in ServerHello.
*/
meth
->
ext_flags
|=
SSL_EXT_FLAG_SENT
;
if
(
meth
->
free_cb
)
meth
->
free_cb
(
s
,
meth
->
ext_type
,
out
,
meth
->
add_arg
);
}
return
1
;
}
/* Copy table of custom extensions */
int
custom_exts_copy
(
custom_ext_methods
*
dst
,
const
custom_ext_methods
*
src
)
{
...
...
ssl/t1_lib.c
浏览文件 @
2c7b4dbc
此差异已折叠。
点击以展开。
ssl/t1_reneg.c
浏览文件 @
2c7b4dbc
...
...
@@ -11,30 +11,6 @@
#include <openssl/objects.h>
#include "ssl_locl.h"
/* Add the client's renegotiation binding */
int
ssl_add_clienthello_renegotiate_ext
(
SSL
*
s
,
unsigned
char
*
p
,
int
*
len
,
int
maxlen
)
{
if
(
p
)
{
if
((
s
->
s3
->
previous_client_finished_len
+
1
)
>
maxlen
)
{
SSLerr
(
SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT
,
SSL_R_RENEGOTIATE_EXT_TOO_LONG
);
return
0
;
}
/* Length byte */
*
p
=
s
->
s3
->
previous_client_finished_len
;
p
++
;
memcpy
(
p
,
s
->
s3
->
previous_client_finished
,
s
->
s3
->
previous_client_finished_len
);
}
*
len
=
s
->
s3
->
previous_client_finished_len
+
1
;
return
1
;
}
/*
* Parse the client's renegotiation binding and abort if it's not right
*/
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录