use TLS1_get_version macro to check version so TLS v1.2 changes don't interfere with DTLS
This commit is contained in:
Dr. Stephen Henson
parent
4dde470865
commit
277f8a34f4
@ -910,7 +910,7 @@ int ssl3_get_server_hello(SSL *s)
|
|||||||
/* Don't digest cached records if TLS v1.2: we may need them for
|
/* Don't digest cached records if TLS v1.2: we may need them for
|
||||||
* client authentication.
|
* client authentication.
|
||||||
*/
|
*/
|
||||||
if (s->version < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
|
if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
|
||||||
goto f_err;
|
goto f_err;
|
||||||
/* lets get the compression algorithm */
|
/* lets get the compression algorithm */
|
||||||
/* COMPRESSION */
|
/* COMPRESSION */
|
||||||
@ -1641,7 +1641,7 @@ int ssl3_get_key_exchange(SSL *s)
|
|||||||
/* if it was signed, check the signature */
|
/* if it was signed, check the signature */
|
||||||
if (pkey != NULL)
|
if (pkey != NULL)
|
||||||
{
|
{
|
||||||
if (s->version >= TLS1_2_VERSION)
|
if (TLS1_get_version(s) >= TLS1_2_VERSION)
|
||||||
{
|
{
|
||||||
int sigalg = tls12_get_sigid(pkey);
|
int sigalg = tls12_get_sigid(pkey);
|
||||||
/* Should never happen */
|
/* Should never happen */
|
||||||
@ -1686,7 +1686,7 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
|
|||||||
}
|
}
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_RSA
|
#ifndef OPENSSL_NO_RSA
|
||||||
if (pkey->type == EVP_PKEY_RSA && s->version < TLS1_2_VERSION)
|
if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION)
|
||||||
{
|
{
|
||||||
int num;
|
int num;
|
||||||
|
|
||||||
@ -1846,8 +1846,7 @@ int ssl3_get_certificate_request(SSL *s)
|
|||||||
for (i=0; i<ctype_num; i++)
|
for (i=0; i<ctype_num; i++)
|
||||||
s->s3->tmp.ctype[i]= p[i];
|
s->s3->tmp.ctype[i]= p[i];
|
||||||
p+=ctype_num;
|
p+=ctype_num;
|
||||||
/* HACK! For now just skip over signatature algorithms */
|
if (TLS1_get_version(s) >= TLS1_2_VERSION)
|
||||||
if (s->version >= TLS1_2_VERSION)
|
|
||||||
{
|
{
|
||||||
n2s(p, llen);
|
n2s(p, llen);
|
||||||
/* Check we have enough room for signature algorithms and
|
/* Check we have enough room for signature algorithms and
|
||||||
@ -2868,7 +2867,7 @@ int ssl3_send_client_verify(SSL *s)
|
|||||||
EVP_PKEY_sign_init(pctx);
|
EVP_PKEY_sign_init(pctx);
|
||||||
if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
|
if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
|
||||||
{
|
{
|
||||||
if (s->version < TLS1_2_VERSION)
|
if (TLS1_get_version(s) < TLS1_2_VERSION)
|
||||||
s->method->ssl3_enc->cert_verify_mac(s,
|
s->method->ssl3_enc->cert_verify_mac(s,
|
||||||
NID_sha1,
|
NID_sha1,
|
||||||
&(data[MD5_DIGEST_LENGTH]));
|
&(data[MD5_DIGEST_LENGTH]));
|
||||||
@ -2880,7 +2879,7 @@ int ssl3_send_client_verify(SSL *s)
|
|||||||
/* For TLS v1.2 send signature algorithm and signature
|
/* For TLS v1.2 send signature algorithm and signature
|
||||||
* using agreed digest and cached handshake records.
|
* using agreed digest and cached handshake records.
|
||||||
*/
|
*/
|
||||||
if (s->version >= TLS1_2_VERSION)
|
if (TLS1_get_version(s) >= TLS1_2_VERSION)
|
||||||
{
|
{
|
||||||
long hdatalen = 0;
|
long hdatalen = 0;
|
||||||
void *hdata;
|
void *hdata;
|
||||||
|
|||||||
@ -3761,7 +3761,7 @@ need to go to SSL_ST_ACCEPT.
|
|||||||
long ssl_get_algorithm2(SSL *s)
|
long ssl_get_algorithm2(SSL *s)
|
||||||
{
|
{
|
||||||
long alg2 = s->s3->tmp.new_cipher->algorithm2;
|
long alg2 = s->s3->tmp.new_cipher->algorithm2;
|
||||||
if (s->version >= TLS1_2_VERSION &&
|
if (TLS1_get_version(s) >= TLS1_2_VERSION &&
|
||||||
alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
|
alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
|
||||||
return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
|
return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
|
||||||
return alg2;
|
return alg2;
|
||||||
|
|||||||
@ -601,7 +601,7 @@ int ssl3_accept(SSL *s)
|
|||||||
s->state=SSL3_ST_SR_FINISHED_A;
|
s->state=SSL3_ST_SR_FINISHED_A;
|
||||||
s->init_num = 0;
|
s->init_num = 0;
|
||||||
}
|
}
|
||||||
else if (s->version >= TLS1_2_VERSION)
|
else if (TLS1_get_version(s) >= TLS1_2_VERSION)
|
||||||
{
|
{
|
||||||
s->state=SSL3_ST_SR_CERT_VRFY_A;
|
s->state=SSL3_ST_SR_CERT_VRFY_A;
|
||||||
s->init_num=0;
|
s->init_num=0;
|
||||||
@ -1337,7 +1337,7 @@ int ssl3_get_client_hello(SSL *s)
|
|||||||
s->s3->tmp.new_cipher=s->session->cipher;
|
s->s3->tmp.new_cipher=s->session->cipher;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (s->version < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER))
|
if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER))
|
||||||
{
|
{
|
||||||
if (!ssl3_digest_cached_records(s))
|
if (!ssl3_digest_cached_records(s))
|
||||||
goto f_err;
|
goto f_err;
|
||||||
@ -1871,7 +1871,7 @@ int ssl3_send_server_key_exchange(SSL *s)
|
|||||||
* and p points to the space at the end. */
|
* and p points to the space at the end. */
|
||||||
#ifndef OPENSSL_NO_RSA
|
#ifndef OPENSSL_NO_RSA
|
||||||
if (pkey->type == EVP_PKEY_RSA
|
if (pkey->type == EVP_PKEY_RSA
|
||||||
&& s->version < TLS1_2_VERSION)
|
&& TLS1_get_version(s) < TLS1_2_VERSION)
|
||||||
{
|
{
|
||||||
q=md_buf;
|
q=md_buf;
|
||||||
j=0;
|
j=0;
|
||||||
@ -1904,7 +1904,7 @@ int ssl3_send_server_key_exchange(SSL *s)
|
|||||||
{
|
{
|
||||||
/* For TLS1.2 and later send signature
|
/* For TLS1.2 and later send signature
|
||||||
* algorithm */
|
* algorithm */
|
||||||
if (s->version >= TLS1_2_VERSION)
|
if (TLS1_get_version(s) >= TLS1_2_VERSION)
|
||||||
{
|
{
|
||||||
if (!tls12_get_sigandhash(p, pkey, md))
|
if (!tls12_get_sigandhash(p, pkey, md))
|
||||||
{
|
{
|
||||||
@ -1931,7 +1931,7 @@ int ssl3_send_server_key_exchange(SSL *s)
|
|||||||
}
|
}
|
||||||
s2n(i,p);
|
s2n(i,p);
|
||||||
n+=i+2;
|
n+=i+2;
|
||||||
if (s->version >= TLS1_2_VERSION)
|
if (TLS1_get_version(s) >= TLS1_2_VERSION)
|
||||||
n+= 2;
|
n+= 2;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
@ -1987,7 +1987,7 @@ int ssl3_send_certificate_request(SSL *s)
|
|||||||
p+=n;
|
p+=n;
|
||||||
n++;
|
n++;
|
||||||
|
|
||||||
if (s->version >= TLS1_2_VERSION)
|
if (TLS1_get_version(s) >= TLS1_2_VERSION)
|
||||||
{
|
{
|
||||||
nl = tls12_get_req_sig_algs(s, p + 2);
|
nl = tls12_get_req_sig_algs(s, p + 2);
|
||||||
s2n(nl, p);
|
s2n(nl, p);
|
||||||
@ -2920,7 +2920,7 @@ int ssl3_get_cert_verify(SSL *s)
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
if (s->version >= TLS1_2_VERSION)
|
if (TLS1_get_version(s) >= TLS1_2_VERSION)
|
||||||
{
|
{
|
||||||
int sigalg = tls12_get_sigid(pkey);
|
int sigalg = tls12_get_sigid(pkey);
|
||||||
/* Should never happen */
|
/* Should never happen */
|
||||||
@ -2967,7 +2967,7 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
|
|||||||
goto f_err;
|
goto f_err;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (s->version >= TLS1_2_VERSION)
|
if (TLS1_get_version(s) >= TLS1_2_VERSION)
|
||||||
{
|
{
|
||||||
long hdatalen = 0;
|
long hdatalen = 0;
|
||||||
void *hdata;
|
void *hdata;
|
||||||
|
|||||||
@ -2094,7 +2094,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
|
|||||||
SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
|
SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if ((alg_k & SSL_kECDHe) && s->version < TLS1_2_VERSION)
|
if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION)
|
||||||
{
|
{
|
||||||
/* signature alg must be ECDSA */
|
/* signature alg must be ECDSA */
|
||||||
if (signature_nid != NID_ecdsa_with_SHA1)
|
if (signature_nid != NID_ecdsa_with_SHA1)
|
||||||
@ -2103,7 +2103,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if ((alg_k & SSL_kECDHr) && s->version < TLS1_2_VERSION)
|
if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION)
|
||||||
{
|
{
|
||||||
/* signature alg must be RSA */
|
/* signature alg must be RSA */
|
||||||
|
|
||||||
|
|||||||
@ -502,7 +502,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
|||||||
}
|
}
|
||||||
skip_ext:
|
skip_ext:
|
||||||
|
|
||||||
if (s->version >= TLS1_2_VERSION)
|
if (TLS1_get_version(s) >= TLS1_2_VERSION)
|
||||||
{
|
{
|
||||||
if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
|
if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -1988,7 +1988,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
|
|||||||
const EVP_MD *md;
|
const EVP_MD *md;
|
||||||
CERT *c = s->cert;
|
CERT *c = s->cert;
|
||||||
/* Extension ignored for TLS versions below 1.2 */
|
/* Extension ignored for TLS versions below 1.2 */
|
||||||
if (s->version < TLS1_2_VERSION)
|
if (TLS1_get_version(s) < TLS1_2_VERSION)
|
||||||
return 1;
|
return 1;
|
||||||
/* Should never happen */
|
/* Should never happen */
|
||||||
if (!c)
|
if (!c)
|
||||||
|
|||||||
@ -171,6 +171,9 @@ extern "C" {
|
|||||||
#define TLS1_VERSION_MAJOR 0x03
|
#define TLS1_VERSION_MAJOR 0x03
|
||||||
#define TLS1_VERSION_MINOR 0x01
|
#define TLS1_VERSION_MINOR 0x01
|
||||||
|
|
||||||
|
#define TLS1_get_version(s) \
|
||||||
|
((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
|
||||||
|
|
||||||
#define TLS1_AD_DECRYPTION_FAILED 21
|
#define TLS1_AD_DECRYPTION_FAILED 21
|
||||||
#define TLS1_AD_RECORD_OVERFLOW 22
|
#define TLS1_AD_RECORD_OVERFLOW 22
|
||||||
#define TLS1_AD_UNKNOWN_CA 48 /* fatal */
|
#define TLS1_AD_UNKNOWN_CA 48 /* fatal */
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user