udpate Supported Point Formats Extension code
Submitted by: Douglas Stebila
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 0537a16..aecf6d6 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1754,30 +1754,6 @@
}
s->options |= SSL_OP_NO_SSLv2; /* can't use extension w/ SSL 2.0 format */
break;
-#ifndef OPENSSL_NO_EC
- case SSL_CTRL_SET_TLSEXT_ECPOINTFORMATLIST:
- if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(larg)) == NULL)
- {
- SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
- return 0;
- }
- {
- int i;
- unsigned char *sparg = (unsigned char *) parg;
- for (i = 0; i < larg; i++, sparg++)
- {
- if (TLSEXT_ECPOINTFORMAT_last < *sparg)
- {
- SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT);
- return(0);
- }
- }
- }
- s->tlsext_ecpointformatlist_length = larg;
- memcpy(s->tlsext_ecpointformatlist, parg, larg);
- s->options |= SSL_OP_NO_SSLv2; /* can't use extension w/ SSL 2.0 format */
- break;
-#endif /* OPENSSL_NO_EC */
#endif /* !OPENSSL_NO_TLSEXT */
default:
break;
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 70d8b4d..5557f4c 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1289,7 +1289,6 @@
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
-#define SSL_CTRL_SET_TLSEXT_ECPOINTFORMATLIST 56
#endif
#define SSL_session_reused(ssl) \
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 9372a4e..b5db209 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -359,6 +359,7 @@
#ifndef OPENSSL_NO_EC
if (s->tlsext_ecpointformatlist)
{
+ if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
if ((ss->tlsext_ecpointformatlist = OPENSSL_malloc(s->tlsext_ecpointformatlist_length)) == NULL)
{
SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_MALLOC_FAILURE);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 7f42cee..07149eb 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -359,6 +359,7 @@
return 0;
}
s->session->tlsext_ecpointformatlist_length = 0;
+ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
{
*al = TLS1_AD_INTERNAL_ERROR;
@@ -430,6 +431,7 @@
return 0;
}
s->session->tlsext_ecpointformatlist_length = 0;
+ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
{
*al = TLS1_AD_INTERNAL_ERROR;
@@ -485,6 +487,7 @@
if (s->session->tlsext_ecpointformatlist == NULL)
{
s->session->tlsext_ecpointformatlist_length = s->tlsext_ecpointformatlist_length;
+ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(s->tlsext_ecpointformatlist_length)) == NULL)
{
*al = TLS1_AD_INTERNAL_ERROR;
@@ -509,7 +512,7 @@
{
#ifndef OPENSSL_NO_EC
/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats we
- * support (namely, only uncompressed points).
+ * support.
*/
int using_ecc = 0;
int i;
@@ -528,13 +531,16 @@
using_ecc = using_ecc && (s->version == TLS1_VERSION);
if (using_ecc)
{
- if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(1)) == NULL)
+ if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
+ if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
{
SSLerr(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
return -1;
}
- s->tlsext_ecpointformatlist_length = 1;
- *s->tlsext_ecpointformatlist = TLSEXT_ECPOINTFORMAT_uncompressed;
+ s->tlsext_ecpointformatlist_length = 3;
+ s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
+ s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
+ s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
}
#endif /* OPENSSL_NO_EC */
return 1;
@@ -543,8 +549,8 @@
int ssl_prepare_serverhello_tlsext(SSL *s)
{
#ifndef OPENSSL_NO_EC
- /* If we are server and using an ECC cipher suite, send the point formats we support (namely, only
- * uncompressed points) if the client sent us an ECPointsFormat extension.
+ /* If we are server and using an ECC cipher suite, send the point formats we support
+ * if the client sent us an ECPointsFormat extension.
*/
int i;
int algs = s->s3->tmp.new_cipher->algorithms;
@@ -553,13 +559,16 @@
if (using_ecc)
{
- if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(1)) == NULL)
+ if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
+ if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
{
SSLerr(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
return -1;
}
- s->tlsext_ecpointformatlist_length = 1;
- *s->tlsext_ecpointformatlist = TLSEXT_ECPOINTFORMAT_uncompressed;
+ s->tlsext_ecpointformatlist_length = 3;
+ s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
+ s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
+ s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
}
#endif /* OPENSSL_NO_EC */
return 1;
diff --git a/ssl/tls1.h b/ssl/tls1.h
index d839e9b..fbe80e9 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -223,11 +223,6 @@
#define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg)
-
-#ifndef OPENSSL_NO_EC
-#define SSL_set_tlsext_ecpointformat(s,length,list) \
-SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_ECPOINTFORMATLIST,length,(unsigned char *)list)
-#endif /* OPENSSL_NO_EC */
#endif
/* PSK ciphersuites from 4279 */
