OLD | NEW |
| (Empty) |
1 diff --git android-openssl.orig/ssl/t1_lib.c android-openssl/ssl/t1_lib.c | |
2 index 3fe6612..ea7fefa 100644 | |
3 --- android-openssl.orig/ssl/t1_lib.c | |
4 +++ android-openssl/ssl/t1_lib.c | |
5 @@ -444,55 +444,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned
char *buf, unsigned c | |
6 } | |
7 #endif | |
8 | |
9 -#ifndef OPENSSL_NO_EC | |
10 - if (s->tlsext_ecpointformatlist != NULL && | |
11 - s->version != DTLS1_VERSION) | |
12 - { | |
13 - /* Add TLS extension ECPointFormats to the ClientHello message *
/ | |
14 - long lenmax; | |
15 - | |
16 - if ((lenmax = limit - ret - 5) < 0) return NULL; | |
17 - if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
return NULL; | |
18 - if (s->tlsext_ecpointformatlist_length > 255) | |
19 - { | |
20 - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_
ERROR); | |
21 - return NULL; | |
22 - } | |
23 - | |
24 - s2n(TLSEXT_TYPE_ec_point_formats,ret); | |
25 - s2n(s->tlsext_ecpointformatlist_length + 1,ret); | |
26 - *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; | |
27 - memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformat
list_length); | |
28 - ret+=s->tlsext_ecpointformatlist_length; | |
29 - } | |
30 - if (s->tlsext_ellipticcurvelist != NULL && | |
31 - s->version != DTLS1_VERSION) | |
32 - { | |
33 - /* Add TLS extension EllipticCurves to the ClientHello message *
/ | |
34 - long lenmax; | |
35 - | |
36 - if ((lenmax = limit - ret - 6) < 0) return NULL; | |
37 - if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax)
return NULL; | |
38 - if (s->tlsext_ellipticcurvelist_length > 65532) | |
39 - { | |
40 - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_
ERROR); | |
41 - return NULL; | |
42 - } | |
43 - | |
44 - s2n(TLSEXT_TYPE_elliptic_curves,ret); | |
45 - s2n(s->tlsext_ellipticcurvelist_length + 2, ret); | |
46 - | |
47 - /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for | |
48 - * elliptic_curve_list, but the examples use two bytes. | |
49 - * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.ht
ml | |
50 - * resolves this to two bytes. | |
51 - */ | |
52 - s2n(s->tlsext_ellipticcurvelist_length, ret); | |
53 - memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurve
list_length); | |
54 - ret+=s->tlsext_ellipticcurvelist_length; | |
55 - } | |
56 -#endif /* OPENSSL_NO_EC */ | |
57 - | |
58 if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) | |
59 { | |
60 int ticklen; | |
61 @@ -665,6 +616,58 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned
char *buf, unsigned c | |
62 } | |
63 #endif | |
64 | |
65 +#ifndef OPENSSL_NO_EC | |
66 + /* WebSphere Application Server 7.0 is intolerant to the last extension | |
67 + * being zero-length. ECC extensions are non-empty and not dropped until | |
68 + * fallback to SSL3, at which point all extensions are gone. */ | |
69 + if (s->tlsext_ecpointformatlist != NULL && | |
70 + s->version != DTLS1_VERSION) | |
71 + { | |
72 + /* Add TLS extension ECPointFormats to the ClientHello message *
/ | |
73 + long lenmax; | |
74 + | |
75 + if ((lenmax = limit - ret - 5) < 0) return NULL; | |
76 + if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
return NULL; | |
77 + if (s->tlsext_ecpointformatlist_length > 255) | |
78 + { | |
79 + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_
ERROR); | |
80 + return NULL; | |
81 + } | |
82 + | |
83 + s2n(TLSEXT_TYPE_ec_point_formats,ret); | |
84 + s2n(s->tlsext_ecpointformatlist_length + 1,ret); | |
85 + *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; | |
86 + memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformat
list_length); | |
87 + ret+=s->tlsext_ecpointformatlist_length; | |
88 + } | |
89 + if (s->tlsext_ellipticcurvelist != NULL && | |
90 + s->version != DTLS1_VERSION) | |
91 + { | |
92 + /* Add TLS extension EllipticCurves to the ClientHello message *
/ | |
93 + long lenmax; | |
94 + | |
95 + if ((lenmax = limit - ret - 6) < 0) return NULL; | |
96 + if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax)
return NULL; | |
97 + if (s->tlsext_ellipticcurvelist_length > 65532) | |
98 + { | |
99 + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_
ERROR); | |
100 + return NULL; | |
101 + } | |
102 + | |
103 + s2n(TLSEXT_TYPE_elliptic_curves,ret); | |
104 + s2n(s->tlsext_ellipticcurvelist_length + 2, ret); | |
105 + | |
106 + /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for | |
107 + * elliptic_curve_list, but the examples use two bytes. | |
108 + * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.ht
ml | |
109 + * resolves this to two bytes. | |
110 + */ | |
111 + s2n(s->tlsext_ellipticcurvelist_length, ret); | |
112 + memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurve
list_length); | |
113 + ret+=s->tlsext_ellipticcurvelist_length; | |
114 + } | |
115 +#endif /* OPENSSL_NO_EC */ | |
116 + | |
117 /* Add padding to workaround bugs in F5 terminators. | |
118 * See https://tools.ietf.org/html/draft-agl-tls-padding-02 */ | |
119 if (header_len > 0) | |
120 @@ -673,10 +676,14 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned
char *buf, unsigned c | |
121 if (header_len > 0xff && header_len < 0x200) | |
122 { | |
123 size_t padding_len = 0x200 - header_len; | |
124 - if (padding_len >= 4) | |
125 + /* Extensions take at least four bytes to encode. Always | |
126 + * include least one byte of data if including the | |
127 + * extension. WebSphere Application Server 7.0 is | |
128 + * intolerant to the last extension being zero-length. *
/ | |
129 + if (padding_len >= 4 + 1) | |
130 padding_len -= 4; | |
131 else | |
132 - padding_len = 0; | |
133 + padding_len = 1; | |
134 if (limit - ret - 4 - (long)padding_len < 0) | |
135 return NULL; | |
136 | |
OLD | NEW |