The branch master has been updated via 26a556e778f167070037fee243d7e6b9800fdb7f (commit) via 5032abdfa817f86a722f9342cf57eee346c4f313 (commit) via 26212351b624376bebac447fc3b8434d335c579f (commit) via 52434847b10858548f32be086d2855b4beb94a78 (commit) via b9d71999b06cff481c40f87a6e512dbf6e5daa01 (commit) via f1dae5f08ad5e62c871cf5d8152f2c180c042227 (commit) via 6e7c55399ccd81de3b1215ba8b1cf0694fd36c9b (commit) via 395f7c4217be456ae10e414466bf277fc09b944c (commit) from 57d0d048a85d641181ac5aec2792109e15630f96 (commit)
- Log ----------------------------------------------------------------- commit 26a556e778f167070037fee243d7e6b9800fdb7f Author: Dr. Stephen Henson <st...@openssl.org> Date: Sun Feb 26 16:04:31 2017 +0000 Add missing blank lines and cosmetic improvements Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2747) commit 5032abdfa817f86a722f9342cf57eee346c4f313 Author: Dr. Stephen Henson <st...@openssl.org> Date: Sun Feb 26 13:40:03 2017 +0000 TLS 1.3 support for ssl_print_ticket() Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2747) commit 26212351b624376bebac447fc3b8434d335c579f Author: Dr. Stephen Henson <st...@openssl.org> Date: Sun Feb 26 03:14:53 2017 +0000 print out alpn extension Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2747) commit 52434847b10858548f32be086d2855b4beb94a78 Author: Dr. Stephen Henson <st...@openssl.org> Date: Sun Feb 26 01:16:30 2017 +0000 Add ffdhe groups to trace output Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2747) commit b9d71999b06cff481c40f87a6e512dbf6e5daa01 Author: Dr. Stephen Henson <st...@openssl.org> Date: Wed Feb 22 17:25:17 2017 +0000 Print numerical value of named roups Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2747) commit f1dae5f08ad5e62c871cf5d8152f2c180c042227 Author: Dr. Stephen Henson <st...@openssl.org> Date: Wed Feb 22 17:24:42 2017 +0000 Add entry for PSK extension Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2747) commit 6e7c55399ccd81de3b1215ba8b1cf0694fd36c9b Author: Dr. Stephen Henson <st...@openssl.org> Date: Wed Feb 22 17:24:18 2017 +0000 Add trace entries for remaining TLS 1.3 ciphersuites Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2747) commit 395f7c4217be456ae10e414466bf277fc09b944c Author: Dr. Stephen Henson <st...@openssl.org> Date: Tue Feb 21 18:43:46 2017 +0000 Print signature type to out, not bio_err Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2747) ----------------------------------------------------------------------- Summary of changes: apps/s_cb.c | 2 +- ssl/t1_trce.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 68 insertions(+), 11 deletions(-) diff --git a/apps/s_cb.c b/apps/s_cb.c index 89033d5..080fc59 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -292,7 +292,7 @@ int ssl_print_sigalgs(BIO *out, SSL *s) if (SSL_get_peer_signature_nid(s, &nid)) BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(nid)); if (SSL_get_peer_signature_type_nid(s, &nid)) - BIO_printf(bio_err, "Peer signature type: %s\n", get_sigtype(nid)); + BIO_printf(out, "Peer signature type: %s\n", get_sigtype(nid)); return 1; } diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 6f340c9..7340fd1 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -28,6 +28,7 @@ typedef struct { static const char *do_ssl_trace_str(int val, ssl_trace_tbl *tbl, size_t ntbl) { size_t i; + for (i = 0; i < ntbl; i++, tbl++) { if (tbl->num == val) return tbl->name; @@ -40,6 +41,7 @@ static int do_ssl_trace_list(BIO *bio, int indent, size_t vlen, ssl_trace_tbl *tbl, size_t ntbl) { int val; + if (msglen % vlen) return 0; while (msglen) { @@ -428,6 +430,10 @@ static ssl_trace_tbl ssl_ciphers_tbl[] = { {0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305"}, {0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305"}, {0x1301, "TLS_AES_128_GCM_SHA256"}, + {0x1302, "TLS_AES_256_GCM_SHA384"}, + {0x1303, "TLS_CHACHA20_POLY1305_SHA256"}, + {0x1304, "TLS_AES_128_CCM_SHA256"}, + {0x1305, "TLS_AES_128_CCM_8_SHA256"}, {0xFEFE, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, {0xFEFF, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"}, }; @@ -451,6 +457,7 @@ static ssl_trace_tbl ssl_exts_tbl[] = { {TLSEXT_TYPE_server_authz, "server_authz"}, {TLSEXT_TYPE_cert_type, "cert_type"}, {TLSEXT_TYPE_key_share, "key_share"}, + {TLSEXT_TYPE_psk, "psk"}, {TLSEXT_TYPE_psk_kex_modes, "psk_key_exchange_modes"}, {TLSEXT_TYPE_supported_groups, "supported_groups"}, {TLSEXT_TYPE_ec_point_formats, "ec_point_formats"}, @@ -463,6 +470,8 @@ static ssl_trace_tbl ssl_exts_tbl[] = { # ifndef OPENSSL_NO_NEXTPROTONEG {TLSEXT_TYPE_next_proto_neg, "next_proto_neg"}, # endif + {TLSEXT_TYPE_application_layer_protocol_negotiation, + "application_layer_protocol_negotiation"}, {TLSEXT_TYPE_signed_certificate_timestamp, "signed_certificate_timestamps"}, {TLSEXT_TYPE_padding, "padding"}, {TLSEXT_TYPE_encrypt_then_mac, "encrypt_then_mac"}, @@ -499,6 +508,11 @@ static ssl_trace_tbl ssl_groups_tbl[] = { {27, "brainpoolP384r1"}, {28, "brainpoolP512r1"}, {29, "ecdh_x25519"}, + {256, "ffdhe2048"}, + {257, "ffdhe3072"}, + {258, "ffdhe4096"}, + {259, "ffdhe6144"}, + {260, "ffdhe8192"}, {0xFF01, "arbitrary_explicit_prime_curves"}, {0xFF02, "arbitrary_explicit_char2_curves"} }; @@ -572,6 +586,7 @@ static void ssl_print_hex(BIO *bio, int indent, const char *name, const unsigned char *msg, size_t msglen) { size_t i; + BIO_indent(bio, indent, 80); BIO_printf(bio, "%s (len=%d): ", name, (int)msglen); for (i = 0; i < msglen; i++) @@ -585,6 +600,7 @@ static int ssl_print_hexbuf(BIO *bio, int indent, { size_t blen; const unsigned char *p = *pmsg; + if (*pmsglen < nlen) return 0; blen = p[0]; @@ -625,6 +641,7 @@ static int ssl_print_random(BIO *bio, int indent, { unsigned int tm; const unsigned char *p = *pmsg; + if (*pmsglen < 32) return 0; tm = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; @@ -683,6 +700,25 @@ static int ssl_print_extension(BIO *bio, int indent, int server, if (extlen != xlen + 2) return 0; return ssl_trace_list(bio, indent + 2, ext + 2, xlen, 2, ssl_groups_tbl); + case TLSEXT_TYPE_application_layer_protocol_negotiation: + if (extlen < 2) + return 0; + xlen = (ext[0] << 8) | ext[1]; + if (extlen != xlen + 2) + return 0; + ext += 2; + while (xlen > 0) { + size_t plen = *ext++; + + if (plen > xlen + 1) + return 0; + BIO_indent(bio, indent + 2, 80); + BIO_write(bio, ext, plen); + BIO_puts(bio, "\n"); + ext += plen; + xlen -= plen + 1; + } + return 1; case TLSEXT_TYPE_signature_algorithms: @@ -744,8 +780,8 @@ static int ssl_print_extension(BIO *bio, int indent, int server, return 0; group_id = (ext[0] << 8) | ext[1]; BIO_indent(bio, indent + 4, 80); - BIO_printf(bio, "NamedGroup: %s\n", - ssl_trace_str(group_id, ssl_groups_tbl)); + BIO_printf(bio, "NamedGroup: %s (%d)\n", + ssl_trace_str(group_id, ssl_groups_tbl), group_id); break; } if (extlen < 2) @@ -770,8 +806,8 @@ static int ssl_print_extension(BIO *bio, int indent, int server, if (xlen < share_len) return 0; BIO_indent(bio, indent + 4, 80); - BIO_printf(bio, "NamedGroup: %s\n", - ssl_trace_str(group_id, ssl_groups_tbl)); + BIO_printf(bio, "NamedGroup: %s (%d)\n", + ssl_trace_str(group_id, ssl_groups_tbl), group_id); ssl_print_hex(bio, indent + 4, "key_exchange: ", ext, share_len); } break; @@ -845,6 +881,7 @@ static int ssl_print_client_hello(BIO *bio, SSL *ssl, int indent, { size_t len; unsigned int cs; + if (!ssl_print_version(bio, indent, "client_version", &msg, &msglen, NULL)) return 0; if (!ssl_print_random(bio, indent, &msg, &msglen)) @@ -945,6 +982,7 @@ static int ssl_print_server_hello(BIO *bio, int indent, static int ssl_get_keyex(const char **pname, SSL *ssl) { unsigned long alg_k = ssl->s3->tmp.new_cipher->algorithm_mkey; + if (alg_k & SSL_kRSA) { *pname = "rsa"; return SSL_kRSA; @@ -989,8 +1027,8 @@ static int ssl_print_client_keyex(BIO *bio, int indent, SSL *ssl, const unsigned char *msg, size_t msglen) { const char *algname; - int id; - id = ssl_get_keyex(&algname, ssl); + int id = ssl_get_keyex(&algname, ssl); + BIO_indent(bio, indent, 80); BIO_printf(bio, "KeyExchangeAlgorithm=%s\n", algname); if (id & SSL_PSK) { @@ -1033,8 +1071,8 @@ static int ssl_print_server_keyex(BIO *bio, int indent, SSL *ssl, const unsigned char *msg, size_t msglen) { const char *algname; - int id; - id = ssl_get_keyex(&algname, ssl); + int id = ssl_get_keyex(&algname, ssl); + BIO_indent(bio, indent, 80); BIO_printf(bio, "KeyExchangeAlgorithm=%s\n", algname); if (id & SSL_PSK) { @@ -1106,6 +1144,7 @@ static int ssl_print_certificate(BIO *bio, int indent, size_t clen; X509 *x; const unsigned char *p = *pmsg, *q; + if (msglen < 3) return 0; clen = (p[0] << 16) | (p[1] << 8) | p[2]; @@ -1235,10 +1274,11 @@ static int ssl_print_cert_request(BIO *bio, int indent, SSL *s, return 1; } -static int ssl_print_ticket(BIO *bio, int indent, +static int ssl_print_ticket(BIO *bio, int indent, SSL *s, const unsigned char *msg, size_t msglen) { unsigned int tick_life; + if (msglen == 0) { BIO_indent(bio, indent + 2, 80); BIO_puts(bio, "No Ticket\n"); @@ -1251,8 +1291,24 @@ static int ssl_print_ticket(BIO *bio, int indent, msg += 4; BIO_indent(bio, indent + 2, 80); BIO_printf(bio, "ticket_lifetime_hint=%u\n", tick_life); + if (SSL_IS_TLS13(s)) { + unsigned int ticket_age_add; + + if (msglen < 4) + return 0; + ticket_age_add = (msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) + | msg[3]; + msglen -= 4; + msg += 4; + BIO_indent(bio, indent + 2, 80); + BIO_printf(bio, "ticket_age_add=%u\n", ticket_age_add); + } if (!ssl_print_hexbuf(bio, indent + 2, "ticket", 2, &msg, &msglen)) return 0; + if (SSL_IS_TLS13(s) && !ssl_print_extensions(bio, indent + 2, 0, + SSL3_MT_NEWSESSION_TICKET, + &msg, &msglen)) + return 0; if (msglen) return 0; return 1; @@ -1264,6 +1320,7 @@ static int ssl_print_handshake(BIO *bio, SSL *ssl, int server, { size_t hlen; unsigned char htype; + if (msglen < 4) return 0; htype = msg[0]; @@ -1338,7 +1395,7 @@ static int ssl_print_handshake(BIO *bio, SSL *ssl, int server, break; case SSL3_MT_NEWSESSION_TICKET: - if (!ssl_print_ticket(bio, indent + 2, msg, msglen)) + if (!ssl_print_ticket(bio, indent + 2, ssl, msg, msglen)) return 0; break; _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits