X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_lib.c;h=13174abb1703ef0068d38c110bc9df7b3023254e;hb=7d061fced39d72bd664d04e254c1e3ba6cf99fbc;hp=ad1466f9a920b7ebf82f69c60996501b1c628e60;hpb=30f05b19d3bad0fb0b223f6b0c5c68bb667c3a5a;p=openssl.git
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index ad1466f9a9..13174abb17 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -72,7 +72,8 @@ int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
     return 1;
 }
 
-int tls_setup_handshake(SSL *s) {
+int tls_setup_handshake(SSL *s)
+{
     if (!ssl3_init_finished_mac(s))
         return 0;
 
@@ -107,9 +108,8 @@ int tls_setup_handshake(SSL *s) {
 
         s->s3->tmp.cert_req = 0;
 
-        if (SSL_IS_DTLS(s)) {
+        if (SSL_IS_DTLS(s))
             s->statem.use_timer = 1;
-        }
     }
 
     return 1;
@@ -171,8 +171,8 @@ static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
 
 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
 {
-    EVP_PKEY *pkey;
-    const EVP_MD *md;
+    EVP_PKEY *pkey = s->cert->key->privatekey;
+    const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
     EVP_MD_CTX *mctx = NULL;
     EVP_PKEY_CTX *pctx = NULL;
     size_t hdatalen = 0, siglen = 0;
@@ -181,20 +181,6 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
     unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
     int pktype, ispss = 0;
 
-    if (s->server) {
-        /* Only happens in TLSv1.3 */
-        /*
-         * TODO(TLS1.3): This needs to change. We should not get this from the
-         * cipher. However, for now, we have not done the work to separate the
-         * certificate type from the ciphersuite
-         */
-        pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md);
-        if (pkey == NULL)
-            goto err;
-    } else {
-        md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
-        pkey = s->cert->key->privatekey;
-    }
     pktype = EVP_PKEY_id(pkey);
 
     mctx = EVP_MD_CTX_new();
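Review bot: `pkey` is now read unconditionally from `s->cert->key->privatekey` in the initializer, and the `pkey == NULL` guard the server path used to have (removed in the following hunk, -181,20) is not carried over, so `pktype = EVP_PKEY_id(pkey)` runs on whatever the pointer holds. I cannot tell from the hunk whether the caller guarantees a selected signing key here; if a NULL `privatekey` can reach this function, add `if (pkey == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; }` before the `EVP_PKEY_id` call, matching the other `goto err` paths. Note that `s->cert->key` itself is dereferenced in both initializers, so any guard for that pointer would have to precede them. The body of tls_construct_cert_verify continues past both hunks.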
@@ -231,8 +217,8 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
 
     if (ispss) {
         if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
-            /* -1 here means set saltlen to the digest len */
-            || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) {
+            || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
+                                                RSA_PSS_SALTLEN_DIGEST) <= 0) {
             SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB);
             goto err;
         }
@@ -286,7 +272,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
     unsigned char *gost_data = NULL;
 #endif
     int al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
-    int type = 0, j, pktype, ispss = 0;
+    int type = 0, j, pktype;
     unsigned int len;
     X509 *peer;
     const EVP_MD *md = NULL;
@@ -303,6 +289,11 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
     peer = s->session->peer;
     pkey = X509_get0_pubkey(peer);
 
+    if (pkey == NULL) {
+        al = SSL_AD_INTERNAL_ERROR;
+        goto f_err;
+    }
+
     pktype = EVP_PKEY_id(pkey);
     type = X509_certificate_type(peer, pkey);
 
@@ -333,14 +324,14 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
             al = SSL_AD_DECODE_ERROR;
             goto f_err;
         }
-        rv = tls12_check_peer_sigalg(&md, s, sigalg, pkey);
+        rv = tls12_check_peer_sigalg(s, sigalg, pkey);
         if (rv == -1) {
             goto f_err;
         } else if (rv == 0) {
             al = SSL_AD_DECODE_ERROR;
             goto f_err;
         }
-        ispss = SIGID_IS_PSS(sigalg);
+        md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);
 #ifdef SSL_DEBUG
         fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
 #endif
@@ -402,10 +393,10 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
     }
 #endif
 
-    if (ispss) {
+    if (SSL_USE_PSS(s)) {
         if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
-            /* -1 here means set saltlen to the digest len */
-            || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) {
+            || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
+                                                RSA_PSS_SALTLEN_DIGEST) <= 0) {
             SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
             goto f_err;
         }
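Review bot: The new `pkey == NULL` check in the -303 hunk jumps to `f_err` without raising an error, unlike the neighbouring paths in tls_process_cert_verify that call `SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ...)` before `goto f_err` (the PSS padding failure in the -402 hunk, for example), so the peer gets the alert but the application's error queue stays empty. The `al = SSL_AD_INTERNAL_ERROR` assignment is also redundant, since `al` is initialised to that value at declaration (visible in the -286 hunk). I would write it as `if (pkey == NULL) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR); goto f_err; }`. tls_process_cert_verify starts and ends outside these hunks.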
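Review bot: In the -333 hunk, `md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);` relies on the preceding `tls12_check_peer_sigalg(s, sigalg, pkey)` having stored the accepted algorithm in `s->s3->tmp.peer_sigalg` whenever it returns 1, and the result is used unchecked (at least by the `EVP_MD_name(md)` debug print two lines down). Neither that setter nor whether `ssl_md()` can return NULL for a given `hash_idx` is visible here; if it can, add `if (md == NULL) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR); goto f_err; }` after the assignment. Either way a one-line comment such as `/* peer_sigalg was set by tls12_check_peer_sigalg() on success */` would make the coupling explicit. The enclosing function continues outside the hunk.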
@@ -470,10 +461,13 @@ int tls_construct_finished(SSL *s, WPACKET *pkt)
         goto err;
     }
 
-    /* Log the master secret, if logging is enabled. */
-    if (!ssl_log_master_secret(s, s->s3->client_random, SSL3_RANDOM_SIZE,
-                               s->session->master_key,
-                               s->session->master_key_length))
+    /*
+     * Log the master secret, if logging is enabled. We don't log it for
+     * TLSv1.3: there's a different key schedule for that.
+     */
+    if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
+                                            s->session->master_key,
+                                            s->session->master_key_length))
         return 0;
 
     /*
@@ -650,7 +644,7 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
         }
     } else {
         if (!s->method->ssl3_enc->generate_master_secret(s,
-                s->session->master_key, s->handshake_secret, 0,
+                s->master_secret, s->handshake_secret, 0,
                 &s->session->master_key_length)) {
             SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER);
             goto f_err;
@@ -1077,7 +1071,7 @@ int ssl_cert_type(const X509 *x, const EVP_PKEY *pk)
     default:
         return -1;
     case EVP_PKEY_RSA:
-        return SSL_PKEY_RSA_ENC;
+        return SSL_PKEY_RSA;
     case EVP_PKEY_DSA:
         return SSL_PKEY_DSA_SIGN;
 #ifndef OPENSSL_NO_EC
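Review bot: In the -650 hunk the output buffer of `generate_master_secret` changes to `s->master_secret`, but the length out-parameter on the next line is still `&s->session->master_key_length`, so the secret bytes and their recorded length now live on different objects. The enclosing `else` branch starts outside the hunk, so I cannot see which protocol path this is; if the split is intended, a comment naming where `s->master_secret` is consumed and why the length stays on the session would help, otherwise the length should follow the key. Whichever object ends up holding the secret also needs to be wiped when the SSL object is freed, which this hunk cannot show.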
@@ -1440,21 +1434,22 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello)
 
     switch (server_version) {
     default:
+        if (!SSL_IS_TLS13(s)) {
+            if (version_cmp(s, client_version, s->version) < 0)
+                return SSL_R_WRONG_SSL_VERSION;
+            /*
+             * If this SSL handle is not from a version flexible method we don't
+             * (and never did) check min/max FIPS or Suite B constraints. Hope
+             * that's OK. It is up to the caller to not choose fixed protocol
+             * versions they don't want. If not, then easy to fix, just return
+             * ssl_method_error(s, s->method)
+             */
+            return 0;
+        }
         /*
-         * TODO(TLS1.3): This check will fail if someone attempts to do
-         * renegotiation in TLS1.3 at the moment. We need to ensure we disable
-         * renegotiation for TLS1.3
-         */
-        if (version_cmp(s, client_version, s->version) < 0)
-            return SSL_R_WRONG_SSL_VERSION;
-        /*
-         * If this SSL handle is not from a version flexible method we don't
-         * (and never did) check min/max FIPS or Suite B constraints. Hope
-         * that's OK. It is up to the caller to not choose fixed protocol
-         * versions they don't want. If not, then easy to fix, just return
-         * ssl_method_error(s, s->method)
+         * Fall through if we are TLSv1.3 already (this means we must be after
+         * a HelloRetryRequest
          */
-        return 0;
     case TLS_ANY_VERSION:
         table = tls_version_table;
         break;
@@ -1509,6 +1504,15 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello)
     }
 
     if (best_vers > 0) {
+        if (SSL_IS_TLS13(s)) {
+            /*
+             * We get here if this is after a HelloRetryRequest. In this
+             * case we just check that we still negotiated TLSv1.3
+             */
+            if (best_vers != TLS1_3_VERSION)
+                return SSL_R_UNSUPPORTED_PROTOCOL;
+            return 0;
+        }
         s->version = best_vers;
         s->method = best_method;
         return 0;
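Review bot: The new `default:` arm in the -1440 hunk treats every `SSL_IS_TLS13(s)` handle as being after a HelloRetryRequest and falls through to `case TLS_ANY_VERSION:`, but the removed TODO pointed out that a renegotiation ClientHello on an established TLSv1.3 connection would also land here, and nothing in the hunk shows where renegotiation is rejected for TLSv1.3. If that rejection happens before ssl_choose_server_version is called, say so in the comment; if not, the fall-through re-runs full version selection on a renegotiation attempt. The fall-through comment is also missing its closing parenthesis: `* a HelloRetryRequest)`. The enclosing switch and function continue past this hunk.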