Commit 7409d7ad authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Initial incomplete TLS v1.2 support. New ciphersuites added, new version

checking added, SHA256 PRF support added.

At present only RSA key exchange ciphersuites work with TLS v1.2 as the
new signature format is not yet implemented.
parent 08557cf2
+8 −0
@@ -4,6 +4,14 @@

 Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]

  *) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
     to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
     ciphersuites. At present only RSA key exchange ciphersuites work with
     TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
     SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
     and version checking.
     [Steve Henson]

  *) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
     with this defined it will not be affected by any changes to ssl internal
     structures. Add several utility functions to allow openssl application
+4 −0
@@ -676,6 +676,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
		extname = "renegotiate";
		break;

		case TLSEXT_TYPE_signature_algorithms:
		extname = "signature algorithms";
		break;

#ifdef TLSEXT_TYPE_opaque_prf_input
		case TLSEXT_TYPE_opaque_prf_input:
		extname = "opaque PRF input";
+6 −1
@@ -328,11 +328,12 @@ static void sc_usage(void)
#endif
	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
	BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
	BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
	BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
	BIO_printf(bio_err," -tls1         - just use TLSv1\n");
	BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
	BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
	BIO_printf(bio_err," -no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
	BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
	BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
	BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
@@ -790,6 +791,8 @@ int MAIN(int argc, char **argv)
			meth=SSLv3_client_method();
#endif
#ifndef OPENSSL_NO_TLS1
		else if	(strcmp(*argv,"-tls1_2") == 0)
			meth=TLSv1_2_client_method();
		else if	(strcmp(*argv,"-tls1_1") == 0)
			meth=TLSv1_1_client_method();
		else if	(strcmp(*argv,"-tls1") == 0)
@@ -840,6 +843,8 @@ int MAIN(int argc, char **argv)
			if (--argc < 1) goto bad;
			CAfile= *(++argv);
			}
		else if (strcmp(*argv,"-no_tls1_2") == 0)
			off|=SSL_OP_NO_TLSv1_2;
		else if (strcmp(*argv,"-no_tls1_1") == 0)
			off|=SSL_OP_NO_TLSv1_1;
		else if (strcmp(*argv,"-no_tls1") == 0)
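Review bot: The new `-tls1_2` help line in sc_usage says only "just use TLSv1.2" and does not mention the limitation stated in the commit description, that only RSA key exchange ciphersuites work with TLS v1.2 at this point. Anyone using the tool to test a server would, if that limitation holds, see handshake failures with other key exchanges and could misread them as a server fault. I would extend the usage text, for example `BIO_printf(bio_err," -tls1_2       - just use TLSv1.2 (RSA key exchange only for now)\n");`, and do the same for the matching `-tls1_2` line added to sv_usage in the server tool. Both usage functions and MAIN continue outside the hunks shown.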
+6 −0
@@ -503,6 +503,7 @@ static void sv_usage(void)
#endif
	BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
	BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
	BIO_printf(bio_err," -tls1_2       - Just talk TLSv1.2\n");
	BIO_printf(bio_err," -tls1_1       - Just talk TLSv1.1\n");
	BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
	BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
@@ -513,6 +514,7 @@ static void sv_usage(void)
	BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n");
	BIO_printf(bio_err," -no_tls1      - Just disable TLSv1\n");
	BIO_printf(bio_err," -no_tls1_1    - Just disable TLSv1.1\n");
	BIO_printf(bio_err," -no_tls1_2    - Just disable TLSv1.2\n");
#ifndef OPENSSL_NO_DH
	BIO_printf(bio_err," -no_dhe       - Disable ephemeral DH\n");
#endif
@@ -1226,6 +1228,8 @@ int MAIN(int argc, char *argv[])
			{ off|=SSL_OP_NO_SSLv2; }
		else if	(strcmp(*argv,"-no_ssl3") == 0)
			{ off|=SSL_OP_NO_SSLv3; }
		else if	(strcmp(*argv,"-no_tls1_2") == 0)
			{ off|=SSL_OP_NO_TLSv1_2; }
		else if	(strcmp(*argv,"-no_tls1_1") == 0)
			{ off|=SSL_OP_NO_TLSv1_1; }
		else if	(strcmp(*argv,"-no_tls1") == 0)
@@ -1245,6 +1249,8 @@ int MAIN(int argc, char *argv[])
			{ meth=SSLv3_server_method(); }
#endif
#ifndef OPENSSL_NO_TLS1
		else if	(strcmp(*argv,"-tls1_2") == 0)
			{ meth=TLSv1_2_server_method(); }
		else if	(strcmp(*argv,"-tls1_1") == 0)
			{ meth=TLSv1_1_server_method(); }
		else if	(strcmp(*argv,"-tls1") == 0)
+20 −3
@@ -131,6 +131,8 @@ static const SSL_METHOD *ssl23_get_client_method(int ver)
		return(TLSv1_client_method());
	else if (ver == TLS1_1_VERSION)
		return(TLSv1_1_client_method());
	else if (ver == TLS1_2_VERSION)
		return(TLSv1_2_client_method());
	else
		return(NULL);
	}
@@ -286,7 +288,11 @@ static int ssl23_client_hello(SSL *s)
	if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
		ssl2_compat = 0;

	if (!(s->options & SSL_OP_NO_TLSv1_1))
	if (!(s->options & SSL_OP_NO_TLSv1_2))
		{
		version = TLS1_2_VERSION;
		}
	else if (!(s->options & SSL_OP_NO_TLSv1_1))
		{
		version = TLS1_1_VERSION;
		}
@@ -335,7 +341,12 @@ static int ssl23_client_hello(SSL *s)
		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
			return -1;

		if (version == TLS1_1_VERSION)
		if (version == TLS1_2_VERSION)
			{
			version_major = TLS1_2_VERSION_MAJOR;
			version_minor = TLS1_2_VERSION_MINOR;
			}
		else if (version == TLS1_1_VERSION)
			{
			version_major = TLS1_1_VERSION_MAJOR;
			version_minor = TLS1_1_VERSION_MINOR;
@@ -619,7 +630,7 @@ static int ssl23_get_server_hello(SSL *s)
#endif
		}
	else if (p[1] == SSL3_VERSION_MAJOR &&
	         p[2] <= TLS1_1_VERSION_MINOR &&
	         p[2] <= TLS1_2_VERSION_MINOR &&
	         ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||
	          (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2)))
		{
@@ -643,6 +654,12 @@ static int ssl23_get_server_hello(SSL *s)
			s->version=TLS1_1_VERSION;
			s->method=TLSv1_1_client_method();
			}
		else if ((p[2] == TLS1_2_VERSION_MINOR) &&
			!(s->options & SSL_OP_NO_TLSv1_2))
			{
			s->version=TLS1_2_VERSION;
			s->method=TLSv1_2_client_method();
			}
		else
			{
			SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
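Review bot: In ssl23_client_hello the new first branch sets `version = TLS1_2_VERSION` whenever SSL_OP_NO_TLSv1_2 is clear, so every version-flexible client advertises TLS 1.2 by default, while the commit description says only RSA key exchange ciphersuites work with TLS v1.2 so far. If that description holds, a server that selects TLS 1.2 with a non-RSA key exchange would make the handshake fail instead of settling on a lower version, because ssl23_get_server_hello switches to TLSv1_2_client_method() as soon as the minor version matches and the option bit is unset. Until the new signature format is implemented I would keep TLS 1.2 opt-in for the version-flexible method, or at least mark the branch with a comment such as `/* TLS 1.2 is offered by default; only RSA key exchange is implemented so far */`. Both functions continue outside the hunks shown, so any handling elsewhere is not visible here.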