diff options
author | Android Chromium Automerger <chromium-automerger@android> | 2014-05-02 18:43:26 +0000 |
---|---|---|
committer | Android Chromium Automerger <chromium-automerger@android> | 2014-05-02 18:43:26 +0000 |
commit | f0723355079c051efa3f32f9a2982acf807b0894 (patch) | |
tree | b0ee45de62fa6962edfdc353f941d1dcdc243bc1 | |
parent | b841681be7cb664ab8dd571aa7cc57036dc5817a (diff) | |
parent | 55b9eb8eb546355b3d55945cf09a45a434cd796f (diff) | |
download | openssl-f0723355079c051efa3f32f9a2982acf807b0894.tar.gz |
Merge third_party/openssl from https://chromium.googlesource.com/chromium/deps/openssl.git at 55b9eb8eb546355b3d55945cf09a45a434cd796f
This commit was generated by merge_from_chromium.py.
Change-Id: I960f74e6f58953cc7946e4da153494517d9aea1a
-rw-r--r-- | README.chromium | 15 | ||||
-rw-r--r-- | openssl.gyp | 3 | ||||
-rw-r--r-- | openssl/ssl/d1_clnt.c | 2 | ||||
-rw-r--r-- | openssl/ssl/s23_clnt.c | 11 | ||||
-rw-r--r-- | openssl/ssl/s3_clnt.c | 4 | ||||
-rw-r--r-- | openssl/ssl/ssl_locl.h | 4 | ||||
-rw-r--r-- | openssl/ssl/t1_lib.c | 176 | ||||
-rw-r--r-- | patches.chromium/0011-fix_limit_checks.patch | 121 | ||||
-rw-r--r-- | patches.chromium/0012-paddingext2.patch | 137 | ||||
-rw-r--r-- | patches.chromium/0013-reorder_extensions.patch | 136 |
10 files changed, 516 insertions, 93 deletions
diff --git a/README.chromium b/README.chromium index d994e1b..443a75d 100644 --- a/README.chromium +++ b/README.chromium @@ -192,13 +192,26 @@ located in patches.chromium/. Currently this consists of: chacha.patch Add support for ChaCha20+Poly1305 cipher suites. + paddingext.patch + paddingext2.patch + Add ClientHello padding to workaround bug in F5 terminators. + stricter_cutthrough.patch Requires NPN and a PFS cipher suite to enable cut-through (false start) on the client. mac_osx32_assembly.patch Add support for 32 bit OS X with assembly optimization. - + + fix_limit_checks.patch + Fix limit checks in writing extensions. BUF_MEM_grow allocates 4/3 the size + requested, so it doesn't overflow the actual allocation. + + reorder_extensions.patch + Move the ECC extensions to the end of the ClientHello to work around a + server bug. Some servers are intolerant to the last extension being empty. + See https://crbug.com/363583 + ************************************************************************** Adding new Chromium patches: diff --git a/openssl.gyp b/openssl.gyp index 1eb08d5..4406155 100644 --- a/openssl.gyp +++ b/openssl.gyp @@ -92,6 +92,9 @@ }, }], ['component == "shared_library"', { + 'xcode_settings': { + 'GCC_SYMBOLS_PRIVATE_EXTERN': 'NO', # no -fvisibility=hidden + }, 'cflags!': ['-fvisibility=hidden'], }], ['clang==1', { diff --git a/openssl/ssl/d1_clnt.c b/openssl/ssl/d1_clnt.c index 7e8077e..735e544 100644 --- a/openssl/ssl/d1_clnt.c +++ b/openssl/ssl/d1_clnt.c @@ -874,7 +874,7 @@ int dtls1_client_hello(SSL *s) *(p++)=0; /* Add the NULL method */ #ifndef OPENSSL_NO_TLSEXT - if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, 0)) == NULL) { SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); goto err; diff --git a/openssl/ssl/s23_clnt.c b/openssl/ssl/s23_clnt.c index 08ee86d..750d208 100644 --- a/openssl/ssl/s23_clnt.c +++ b/openssl/ssl/s23_clnt.c @@ -467,9 +467,9 @@ static int ssl23_client_hello(SSL *s) /* create Client Hello in SSL 3.0/TLS 1.0 format */ /* do the record header (5 bytes) and handshake message - * header (4 bytes) last. Note: the code to add the - * padding extension in t1_lib.c depends on the size of - * this prefix. */ + * header (4 bytes) last. Note: the final argument to + * ssl_add_clienthello_tlsext below depends on the size + * of this prefix. */ d = p = &(buf[9]); *(p++) = version_major; @@ -526,7 +526,10 @@ static int ssl23_client_hello(SSL *s) SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); return -1; } - if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) + /* The buffer includes the 5 byte record header, so + * subtract it to compute hlen for + * ssl_add_clienthello_tlsext. */ + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, p-buf-5)) == NULL) { SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); return -1; diff --git a/openssl/ssl/s3_clnt.c b/openssl/ssl/s3_clnt.c index d1b3224..640df80 100644 --- a/openssl/ssl/s3_clnt.c +++ b/openssl/ssl/s3_clnt.c @@ -759,7 +759,7 @@ int ssl3_client_hello(SSL *s) goto err; /* Do the message type and length last. - * Note: the code to add the padding extension in t1_lib.c + * Note: the final argument to ssl_add_clienthello_tlsext below * depends on the size of this prefix. */ d=p= &(buf[4]); @@ -867,7 +867,7 @@ int ssl3_client_hello(SSL *s) SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } - if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, p-buf)) == NULL) { SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); goto err; diff --git a/openssl/ssl/ssl_locl.h b/openssl/ssl/ssl_locl.h index 3732825..531a291 100644 --- a/openssl/ssl/ssl_locl.h +++ b/openssl/ssl/ssl_locl.h @@ -1127,8 +1127,8 @@ int tls1_ec_nid2curve_id(int nid); #endif /* OPENSSL_NO_EC */ #ifndef OPENSSL_NO_TLSEXT -unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); -unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, size_t header_len); +unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit); int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); int ssl_prepare_clienthello_tlsext(SSL *s); diff --git a/openssl/ssl/t1_lib.c b/openssl/ssl/t1_lib.c index 7a507f9..ea7fefa 100644 --- a/openssl/ssl/t1_lib.c +++ b/openssl/ssl/t1_lib.c @@ -341,15 +341,19 @@ int tls12_get_req_sig_algs(SSL *s, unsigned char *p) return (int)slen; } -unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) +/* header_len is the length of the ClientHello header written so far, used to + * compute padding. It does not include the record header. Pass 0 if no padding + * is to be done. */ +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, size_t header_len) { int extdatalen=0; - unsigned char *ret = p; + unsigned char *orig = buf; + unsigned char *ret = buf; /* don't add extensions for SSLv3 unless doing secure renegotiation */ if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding) - return p; + return orig; ret+=2; @@ -398,7 +402,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha return NULL; } - if((limit - p - 4 - el) < 0) return NULL; + if((limit - ret - 4 - el) < 0) return NULL; s2n(TLSEXT_TYPE_renegotiate,ret); s2n(el,ret); @@ -440,55 +444,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha } #endif -#ifndef OPENSSL_NO_EC - if (s->tlsext_ecpointformatlist != NULL && - s->version != DTLS1_VERSION) - { - /* Add TLS extension ECPointFormats to the ClientHello message */ - long lenmax; - - if ((lenmax = limit - ret - 5) < 0) return NULL; - if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; - if (s->tlsext_ecpointformatlist_length > 255) - { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - s2n(TLSEXT_TYPE_ec_point_formats,ret); - s2n(s->tlsext_ecpointformatlist_length + 1,ret); - *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; - memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); - ret+=s->tlsext_ecpointformatlist_length; - } - if (s->tlsext_ellipticcurvelist != NULL && - s->version != DTLS1_VERSION) - { - /* Add TLS extension EllipticCurves to the ClientHello message */ - long lenmax; - - if ((lenmax = limit - ret - 6) < 0) return NULL; - if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; - if (s->tlsext_ellipticcurvelist_length > 65532) - { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - s2n(TLSEXT_TYPE_elliptic_curves,ret); - s2n(s->tlsext_ellipticcurvelist_length + 2, ret); - - /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for - * elliptic_curve_list, but the examples use two bytes. - * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html - * resolves this to two bytes. - */ - s2n(s->tlsext_ellipticcurvelist_length, ret); - memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); - ret+=s->tlsext_ellipticcurvelist_length; - } -#endif /* OPENSSL_NO_EC */ - if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { int ticklen; @@ -647,7 +602,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); - if((limit - p - 4 - el) < 0) return NULL; + if((limit - ret - 4 - el) < 0) return NULL; s2n(TLSEXT_TYPE_use_srtp,ret); s2n(el,ret); @@ -661,49 +616,104 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha } #endif +#ifndef OPENSSL_NO_EC + /* WebSphere Application Server 7.0 is intolerant to the last extension + * being zero-length. ECC extensions are non-empty and not dropped until + * fallback to SSL3, at which point all extensions are gone. */ + if (s->tlsext_ecpointformatlist != NULL && + s->version != DTLS1_VERSION) + { + /* Add TLS extension ECPointFormats to the ClientHello message */ + long lenmax; + + if ((lenmax = limit - ret - 5) < 0) return NULL; + if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; + if (s->tlsext_ecpointformatlist_length > 255) + { + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; + } + + s2n(TLSEXT_TYPE_ec_point_formats,ret); + s2n(s->tlsext_ecpointformatlist_length + 1,ret); + *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; + memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); + ret+=s->tlsext_ecpointformatlist_length; + } + if (s->tlsext_ellipticcurvelist != NULL && + s->version != DTLS1_VERSION) + { + /* Add TLS extension EllipticCurves to the ClientHello message */ + long lenmax; + + if ((lenmax = limit - ret - 6) < 0) return NULL; + if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; + if (s->tlsext_ellipticcurvelist_length > 65532) + { + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; + } + + s2n(TLSEXT_TYPE_elliptic_curves,ret); + s2n(s->tlsext_ellipticcurvelist_length + 2, ret); + + /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for + * elliptic_curve_list, but the examples use two bytes. + * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html + * resolves this to two bytes. + */ + s2n(s->tlsext_ellipticcurvelist_length, ret); + memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); + ret+=s->tlsext_ellipticcurvelist_length; + } +#endif /* OPENSSL_NO_EC */ + /* Add padding to workaround bugs in F5 terminators. * See https://tools.ietf.org/html/draft-agl-tls-padding-02 */ - { - int hlen = ret - (unsigned char *)s->init_buf->data; - /* The code in s23_clnt.c to build ClientHello messages includes the - * 5-byte record header in the buffer, while the code in s3_clnt.c does - * not. */ - if (s->state == SSL23_ST_CW_CLNT_HELLO_A) - hlen -= 5; - if (hlen > 0xff && hlen < 0x200) + if (header_len > 0) { - hlen = 0x200 - hlen; - if (hlen >= 4) - hlen -= 4; - else - hlen = 0; + header_len += ret - orig; + if (header_len > 0xff && header_len < 0x200) + { + size_t padding_len = 0x200 - header_len; + /* Extensions take at least four bytes to encode. Always + * include least one byte of data if including the + * extension. WebSphere Application Server 7.0 is + * intolerant to the last extension being zero-length. */ + if (padding_len >= 4 + 1) + padding_len -= 4; + else + padding_len = 1; + if (limit - ret - 4 - (long)padding_len < 0) + return NULL; - s2n(TLSEXT_TYPE_padding, ret); - s2n(hlen, ret); - memset(ret, 0, hlen); - ret += hlen; + s2n(TLSEXT_TYPE_padding, ret); + s2n(padding_len, ret); + memset(ret, 0, padding_len); + ret += padding_len; + } } - } - if ((extdatalen = ret-p-2)== 0) - return p; + if ((extdatalen = ret-orig-2)== 0) + return orig; - s2n(extdatalen,p); + s2n(extdatalen, orig); return ret; } -unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) +unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit) { int extdatalen=0; - unsigned char *ret = p; + unsigned char *orig = buf; + unsigned char *ret = buf; #ifndef OPENSSL_NO_NEXTPROTONEG int next_proto_neg_seen; #endif /* don't add extensions for SSLv3, unless doing secure renegotiation */ if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) - return p; + return orig; ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */ @@ -726,7 +736,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha return NULL; } - if((limit - p - 4 - el) < 0) return NULL; + if((limit - ret - 4 - el) < 0) return NULL; s2n(TLSEXT_TYPE_renegotiate,ret); s2n(el,ret); @@ -806,7 +816,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); - if((limit - p - 4 - el) < 0) return NULL; + if((limit - ret - 4 - el) < 0) return NULL; s2n(TLSEXT_TYPE_use_srtp,ret); s2n(el,ret); @@ -885,10 +895,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha s2n(0,ret); } - if ((extdatalen = ret-p-2)== 0) - return p; + if ((extdatalen = ret-orig-2)== 0) + return orig; - s2n(extdatalen,p); + s2n(extdatalen, orig); return ret; } diff --git a/patches.chromium/0011-fix_limit_checks.patch b/patches.chromium/0011-fix_limit_checks.patch new file mode 100644 index 0000000..b4ab8a3 --- /dev/null +++ b/patches.chromium/0011-fix_limit_checks.patch @@ -0,0 +1,121 @@ +diff --git android-openssl.orig/ssl/ssl_locl.h android-openssl/ssl/ssl_locl.h +index 3732825..4e27d9e 100644 +--- android-openssl.orig/ssl/ssl_locl.h ++++ android-openssl/ssl/ssl_locl.h +@@ -1127,8 +1127,8 @@ int tls1_ec_nid2curve_id(int nid); + #endif /* OPENSSL_NO_EC */ + + #ifndef OPENSSL_NO_TLSEXT +-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); +-unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); ++unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit); ++unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit); + int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); + int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); + int ssl_prepare_clienthello_tlsext(SSL *s); +diff --git android-openssl.orig/ssl/t1_lib.c android-openssl/ssl/t1_lib.c +index 7a507f9..a53d56b 100644 +--- android-openssl.orig/ssl/t1_lib.c ++++ android-openssl/ssl/t1_lib.c +@@ -341,15 +341,16 @@ int tls12_get_req_sig_algs(SSL *s, unsigned char *p) + return (int)slen; + } + +-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) ++unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit) + { + int extdatalen=0; +- unsigned char *ret = p; ++ unsigned char *orig = buf; ++ unsigned char *ret = buf; + + /* don't add extensions for SSLv3 unless doing secure renegotiation */ + if (s->client_version == SSL3_VERSION + && !s->s3->send_connection_binding) +- return p; ++ return orig; + + ret+=2; + +@@ -398,7 +399,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha + return NULL; + } + +- if((limit - p - 4 - el) < 0) return NULL; ++ if((limit - ret - 4 - el) < 0) return NULL; + + s2n(TLSEXT_TYPE_renegotiate,ret); + s2n(el,ret); +@@ -647,7 +648,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha + + ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); + +- if((limit - p - 4 - el) < 0) return NULL; ++ if((limit - ret - 4 - el) < 0) return NULL; + + s2n(TLSEXT_TYPE_use_srtp,ret); + s2n(el,ret); +@@ -686,24 +687,25 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha + } + + +- if ((extdatalen = ret-p-2)== 0) +- return p; ++ if ((extdatalen = ret-orig-2)== 0) ++ return orig; + +- s2n(extdatalen,p); ++ s2n(extdatalen, orig); + return ret; + } + +-unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) ++unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit) + { + int extdatalen=0; +- unsigned char *ret = p; ++ unsigned char *orig = buf; ++ unsigned char *ret = buf; + #ifndef OPENSSL_NO_NEXTPROTONEG + int next_proto_neg_seen; + #endif + + /* don't add extensions for SSLv3, unless doing secure renegotiation */ + if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) +- return p; ++ return orig; + + ret+=2; + if (ret>=limit) return NULL; /* this really never occurs, but ... */ +@@ -726,7 +728,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha + return NULL; + } + +- if((limit - p - 4 - el) < 0) return NULL; ++ if((limit - ret - 4 - el) < 0) return NULL; + + s2n(TLSEXT_TYPE_renegotiate,ret); + s2n(el,ret); +@@ -806,7 +808,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha + + ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); + +- if((limit - p - 4 - el) < 0) return NULL; ++ if((limit - ret - 4 - el) < 0) return NULL; + + s2n(TLSEXT_TYPE_use_srtp,ret); + s2n(el,ret); +@@ -885,10 +887,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha + s2n(0,ret); + } + +- if ((extdatalen = ret-p-2)== 0) +- return p; ++ if ((extdatalen = ret-orig-2)== 0) ++ return orig; + +- s2n(extdatalen,p); ++ s2n(extdatalen, orig); + return ret; + } + diff --git a/patches.chromium/0012-paddingext2.patch b/patches.chromium/0012-paddingext2.patch new file mode 100644 index 0000000..cb7652a --- /dev/null +++ b/patches.chromium/0012-paddingext2.patch @@ -0,0 +1,137 @@ +diff --git android-openssl.orig/ssl/d1_clnt.c android-openssl/ssl/d1_clnt.c +index 7e8077e..735e544 100644 +--- android-openssl.orig/ssl/d1_clnt.c ++++ android-openssl/ssl/d1_clnt.c +@@ -874,7 +874,7 @@ int dtls1_client_hello(SSL *s) + *(p++)=0; /* Add the NULL method */ + + #ifndef OPENSSL_NO_TLSEXT +- if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) ++ if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, 0)) == NULL) + { + SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); + goto err; +diff --git android-openssl.orig/ssl/s23_clnt.c android-openssl/ssl/s23_clnt.c +index 08ee86d..750d208 100644 +--- android-openssl.orig/ssl/s23_clnt.c ++++ android-openssl/ssl/s23_clnt.c +@@ -467,9 +467,9 @@ static int ssl23_client_hello(SSL *s) + /* create Client Hello in SSL 3.0/TLS 1.0 format */ + + /* do the record header (5 bytes) and handshake message +- * header (4 bytes) last. Note: the code to add the +- * padding extension in t1_lib.c depends on the size of +- * this prefix. */ ++ * header (4 bytes) last. Note: the final argument to ++ * ssl_add_clienthello_tlsext below depends on the size ++ * of this prefix. */ + d = p = &(buf[9]); + + *(p++) = version_major; +@@ -526,7 +526,10 @@ static int ssl23_client_hello(SSL *s) + SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); + return -1; + } +- if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) ++ /* The buffer includes the 5 byte record header, so ++ * subtract it to compute hlen for ++ * ssl_add_clienthello_tlsext. */ ++ if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, p-buf-5)) == NULL) + { + SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); + return -1; +diff --git android-openssl.orig/ssl/s3_clnt.c android-openssl/ssl/s3_clnt.c +index d1b3224..640df80 100644 +--- android-openssl.orig/ssl/s3_clnt.c ++++ android-openssl/ssl/s3_clnt.c +@@ -759,7 +759,7 @@ int ssl3_client_hello(SSL *s) + goto err; + + /* Do the message type and length last. +- * Note: the code to add the padding extension in t1_lib.c ++ * Note: the final argument to ssl_add_clienthello_tlsext below + * depends on the size of this prefix. */ + d=p= &(buf[4]); + +@@ -867,7 +867,7 @@ int ssl3_client_hello(SSL *s) + SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); + goto err; + } +- if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) ++ if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, p-buf)) == NULL) + { + SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); + goto err; +diff --git android-openssl.orig/ssl/ssl_locl.h android-openssl/ssl/ssl_locl.h +index 4e27d9e..531a291 100644 +--- android-openssl.orig/ssl/ssl_locl.h ++++ android-openssl/ssl/ssl_locl.h +@@ -1127,7 +1127,7 @@ int tls1_ec_nid2curve_id(int nid); + #endif /* OPENSSL_NO_EC */ + + #ifndef OPENSSL_NO_TLSEXT +-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit); ++unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, size_t header_len); + unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit); + int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); + int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); +diff --git android-openssl.orig/ssl/t1_lib.c android-openssl/ssl/t1_lib.c +index a53d56b..3fe6612 100644 +--- android-openssl.orig/ssl/t1_lib.c ++++ android-openssl/ssl/t1_lib.c +@@ -341,7 +341,10 @@ int tls12_get_req_sig_algs(SSL *s, unsigned char *p) + return (int)slen; + } + +-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit) ++/* header_len is the length of the ClientHello header written so far, used to ++ * compute padding. It does not include the record header. Pass 0 if no padding ++ * is to be done. */ ++unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, size_t header_len) + { + int extdatalen=0; + unsigned char *orig = buf; +@@ -664,27 +667,25 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c + + /* Add padding to workaround bugs in F5 terminators. + * See https://tools.ietf.org/html/draft-agl-tls-padding-02 */ +- { +- int hlen = ret - (unsigned char *)s->init_buf->data; +- /* The code in s23_clnt.c to build ClientHello messages includes the +- * 5-byte record header in the buffer, while the code in s3_clnt.c does +- * not. */ +- if (s->state == SSL23_ST_CW_CLNT_HELLO_A) +- hlen -= 5; +- if (hlen > 0xff && hlen < 0x200) ++ if (header_len > 0) + { +- hlen = 0x200 - hlen; +- if (hlen >= 4) +- hlen -= 4; +- else +- hlen = 0; ++ header_len += ret - orig; ++ if (header_len > 0xff && header_len < 0x200) ++ { ++ size_t padding_len = 0x200 - header_len; ++ if (padding_len >= 4) ++ padding_len -= 4; ++ else ++ padding_len = 0; ++ if (limit - ret - 4 - (long)padding_len < 0) ++ return NULL; + +- s2n(TLSEXT_TYPE_padding, ret); +- s2n(hlen, ret); +- memset(ret, 0, hlen); +- ret += hlen; ++ s2n(TLSEXT_TYPE_padding, ret); ++ s2n(padding_len, ret); ++ memset(ret, 0, padding_len); ++ ret += padding_len; ++ } + } +- } + + + if ((extdatalen = ret-orig-2)== 0) diff --git a/patches.chromium/0013-reorder_extensions.patch b/patches.chromium/0013-reorder_extensions.patch new file mode 100644 index 0000000..11bb6a0 --- /dev/null +++ b/patches.chromium/0013-reorder_extensions.patch @@ -0,0 +1,136 @@ +diff --git android-openssl.orig/ssl/t1_lib.c android-openssl/ssl/t1_lib.c +index 3fe6612..ea7fefa 100644 +--- android-openssl.orig/ssl/t1_lib.c ++++ android-openssl/ssl/t1_lib.c +@@ -444,55 +444,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c + } + #endif + +-#ifndef OPENSSL_NO_EC +- if (s->tlsext_ecpointformatlist != NULL && +- s->version != DTLS1_VERSION) +- { +- /* Add TLS extension ECPointFormats to the ClientHello message */ +- long lenmax; +- +- if ((lenmax = limit - ret - 5) < 0) return NULL; +- if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; +- if (s->tlsext_ecpointformatlist_length > 255) +- { +- SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); +- return NULL; +- } +- +- s2n(TLSEXT_TYPE_ec_point_formats,ret); +- s2n(s->tlsext_ecpointformatlist_length + 1,ret); +- *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; +- memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); +- ret+=s->tlsext_ecpointformatlist_length; +- } +- if (s->tlsext_ellipticcurvelist != NULL && +- s->version != DTLS1_VERSION) +- { +- /* Add TLS extension EllipticCurves to the ClientHello message */ +- long lenmax; +- +- if ((lenmax = limit - ret - 6) < 0) return NULL; +- if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; +- if (s->tlsext_ellipticcurvelist_length > 65532) +- { +- SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); +- return NULL; +- } +- +- s2n(TLSEXT_TYPE_elliptic_curves,ret); +- s2n(s->tlsext_ellipticcurvelist_length + 2, ret); +- +- /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for +- * elliptic_curve_list, but the examples use two bytes. +- * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html +- * resolves this to two bytes. +- */ +- s2n(s->tlsext_ellipticcurvelist_length, ret); +- memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); +- ret+=s->tlsext_ellipticcurvelist_length; +- } +-#endif /* OPENSSL_NO_EC */ +- + if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) + { + int ticklen; +@@ -665,6 +616,58 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c + } + #endif + ++#ifndef OPENSSL_NO_EC ++ /* WebSphere Application Server 7.0 is intolerant to the last extension ++ * being zero-length. ECC extensions are non-empty and not dropped until ++ * fallback to SSL3, at which point all extensions are gone. */ ++ if (s->tlsext_ecpointformatlist != NULL && ++ s->version != DTLS1_VERSION) ++ { ++ /* Add TLS extension ECPointFormats to the ClientHello message */ ++ long lenmax; ++ ++ if ((lenmax = limit - ret - 5) < 0) return NULL; ++ if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; ++ if (s->tlsext_ecpointformatlist_length > 255) ++ { ++ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); ++ return NULL; ++ } ++ ++ s2n(TLSEXT_TYPE_ec_point_formats,ret); ++ s2n(s->tlsext_ecpointformatlist_length + 1,ret); ++ *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; ++ memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); ++ ret+=s->tlsext_ecpointformatlist_length; ++ } ++ if (s->tlsext_ellipticcurvelist != NULL && ++ s->version != DTLS1_VERSION) ++ { ++ /* Add TLS extension EllipticCurves to the ClientHello message */ ++ long lenmax; ++ ++ if ((lenmax = limit - ret - 6) < 0) return NULL; ++ if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; ++ if (s->tlsext_ellipticcurvelist_length > 65532) ++ { ++ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); ++ return NULL; ++ } ++ ++ s2n(TLSEXT_TYPE_elliptic_curves,ret); ++ s2n(s->tlsext_ellipticcurvelist_length + 2, ret); ++ ++ /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for ++ * elliptic_curve_list, but the examples use two bytes. ++ * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html ++ * resolves this to two bytes. ++ */ ++ s2n(s->tlsext_ellipticcurvelist_length, ret); ++ memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); ++ ret+=s->tlsext_ellipticcurvelist_length; ++ } ++#endif /* OPENSSL_NO_EC */ ++ + /* Add padding to workaround bugs in F5 terminators. + * See https://tools.ietf.org/html/draft-agl-tls-padding-02 */ + if (header_len > 0) +@@ -673,10 +676,14 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c + if (header_len > 0xff && header_len < 0x200) + { + size_t padding_len = 0x200 - header_len; +- if (padding_len >= 4) ++ /* Extensions take at least four bytes to encode. Always ++ * include least one byte of data if including the ++ * extension. WebSphere Application Server 7.0 is ++ * intolerant to the last extension being zero-length. */ ++ if (padding_len >= 4 + 1) + padding_len -= 4; + else +- padding_len = 0; ++ padding_len = 1; + if (limit - ret - 4 - (long)padding_len < 0) + return NULL; + |