From 61ad8262a066aa0953df3cc84031390c0a903a28 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 14 Mar 2012 13:44:57 +0000 Subject: [PATCH] update FAQ, NEWS --- FAQ | 2 +- NEWS | 13 ++++++++ apps/s_client.c | 15 +++++++++ ssl/s3_lib.c | 88 +++++++++++++++++++++++++++++++++++++++++++++++++ ssl/ssl.h | 4 +++ ssl/t1_lib.c | 30 ++++++++++------- 6 files changed, 139 insertions(+), 13 deletions(-) diff --git a/FAQ b/FAQ index 3b07cd363d..b9243a6104 100644 --- a/FAQ +++ b/FAQ @@ -82,7 +82,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 1.0.0f was released on Jan 4th, 2012. +OpenSSL 1.0.1 was released on Mar 14th, 2012. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at tlsext_ellipticcurvelist) + OPENSSL_free(s->tlsext_ellipticcurvelist); + s->tlsext_ellipticcurvelist = clist; + s->tlsext_ellipticcurvelist_length = nid_listlen * 2; + return 1; + } + + case SSL_CTRL_SHARED_CURVES: + { + unsigned long mask = 0; + unsigned char *pmask, *pref; + size_t pmasklen, preflen, i; + int nmatch = 0; + /* Must be server */ + if (!s->server) + return 0; + /* No curves if client didn't sent supported curves extension */ + if (!s->session->tlsext_ellipticcurvelist) + return 0; + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) + { + pref = s->tlsext_ellipticcurvelist; + preflen = s->tlsext_ellipticcurvelist_length; + pmask = s->session->tlsext_ellipticcurvelist; + pmasklen = s->session->tlsext_ellipticcurvelist_length; + } + else + { + pref = s->session->tlsext_ellipticcurvelist; + preflen = s->session->tlsext_ellipticcurvelist_length; + pmask = s->tlsext_ellipticcurvelist; + pmasklen = s->tlsext_ellipticcurvelist_length; + } + /* Build a mask of supported curves */ + for (i = 0; i < pmasklen; i+=2, pmask+=2) + { + /* Skip any curves that wont fit in mask */ + if (pmask[0] || (pmask[1] > 31)) + continue; + mask |= 1L << pmask[1]; + } + /* Check preference order against mask */ + for (i = 0; i < preflen; i+=2, pref+=2) + { + if (pref[0] || (pref[1] > 30)) + continue; + /* Search for matching curves in preference order */ + if (mask & (1L << pref[1])) + { + int id = tls1_ec_curve_id2nid(pref[1]); + if (id && parg && nmatch == larg) + { + *((int *)parg) = id; + return 1; + } + nmatch++; + } + } + if (parg) + return 0; + return nmatch; + + } + default: break; } diff --git a/ssl/ssl.h b/ssl/ssl.h index 3e255fcfee..4215dda89e 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -1619,6 +1619,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_CTRL_CHAIN_CERT 89 #define SSL_CTRL_GET_CURVELIST 90 +#define SSL_CTRL_SET_CURVELIST 91 +#define SSL_CTRL_SHARED_CURVES 92 #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) @@ -1680,6 +1682,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)x509) #define SSL_get1_curvelist(ctx, s) \ SSL_ctrl(ctx,SSL_CTRL_GET_CURVELIST,0,(char *)s) +#define SSL_set1_curvelist(ctx, clist, clistlen) \ + SSL_ctrl(ctx,SSL_CTRL_SET_CURVELIST,clistlen,(char *)clist) #ifndef OPENSSL_NO_BIO diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index dfd397f9b7..33c0b654d6 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1678,20 +1678,26 @@ int ssl_prepare_clienthello_tlsext(SSL *s) s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ - if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); - s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2; - if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) + if (s->tlsext_ellipticcurvelist == NULL) { + unsigned char *clist; + size_t clistlen; s->tlsext_ellipticcurvelist_length = 0; - SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); - return -1; - } - for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < - sizeof(pref_list)/sizeof(pref_list[0]); i++) - { - int id = tls1_ec_nid2curve_id(pref_list[i]); - s2n(id,j); - } + clistlen = sizeof(pref_list)/sizeof(pref_list[0]) * 2; + clist = OPENSSL_malloc(clistlen); + if (!clist) + { + SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); + return -1; + } + for (i = 0, j = clist; i < (int)clistlen/2; i++) + { + int id = tls1_ec_nid2curve_id(pref_list[i]); + s2n(id,j); + } + s->tlsext_ellipticcurvelist = clist; + s->tlsext_ellipticcurvelist_length = clistlen; + } } #endif /* OPENSSL_NO_EC */ -- 2.40.0