X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_lib.c;h=29fb9dcf1fa11d35ee2976aac6cf86e11a87bab3;hb=db0f35dda18403accabe98e7780f3dfc516f49de;hp=33206c6ea96c9e7f2bf8e5e4fe56b5d91e3f9d32;hpb=6af87546375953d5937fb4bdaac6a887765af615;p=openssl.git diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 33206c6ea9..29fb9dcf1f 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -77,6 +77,9 @@ int tls_setup_handshake(SSL *s) if (!ssl3_init_finished_mac(s)) return 0; + /* Reset any extension flags */ + memset(s->ext.extflags, 0, sizeof(s->ext.extflags)); + if (s->server) { STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s); int i, ver_min, ver_max, ok = 0; @@ -113,6 +116,10 @@ int tls_setup_handshake(SSL *s) } if (SSL_IS_FIRST_HANDSHAKE(s)) { s->ctx->stats.sess_accept++; + } else if ((s->options & SSL_OP_NO_RENEGOTIATION)) { + /* Renegotiation is disabled */ + ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); + return 0; } else if (!s->s3->send_connection_binding && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { @@ -249,8 +256,7 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) goto err; } - if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0 - || EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0) { + if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); goto err; } @@ -262,16 +268,18 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); goto err; } - } else if (s->version == SSL3_VERSION) { - if (!EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - (int)s->session->master_key_length, - s->session->master_key)) { + } + if (s->version == SSL3_VERSION) { + if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0 + || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, + (int)s->session->master_key_length, + s->session->master_key) + || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); goto err; } - } - - if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) { + } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); goto err; } @@ -331,10 +339,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) peer = s->session->peer; pkey = X509_get0_pubkey(peer); - if (pkey == NULL) { - al = SSL_AD_INTERNAL_ERROR; + if (pkey == NULL) goto f_err; - } type = X509_certificate_type(peer, pkey); @@ -409,8 +415,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) #ifdef SSL_DEBUG fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md)); #endif - if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0 - || EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0) { + if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); goto f_err; } @@ -437,18 +442,30 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); goto f_err; } - } else if (s->version == SSL3_VERSION - && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - (int)s->session->master_key_length, - s->session->master_key)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); - goto f_err; } - - if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) { - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE); - goto f_err; + if (s->version == SSL3_VERSION) { + if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0 + || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, + (int)s->session->master_key_length, + s->session->master_key)) { + SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); + goto f_err; + } + if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) { + al = SSL_AD_DECRYPT_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE); + goto f_err; + } + } else { + j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen); + if (j < 0) { + SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); + goto f_err; + } else if (j == 0) { + al = SSL_AD_DECRYPT_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE); + goto f_err; + } } ret = MSG_PROCESS_CONTINUE_READING; @@ -518,19 +535,23 @@ int tls_construct_finished(SSL *s, WPACKET *pkt) */ if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key, - s->session->master_key_length)) - return 0; + s->session->master_key_length)) { + SSLerr(SSL_F_TLS_CONSTRUCT_FINISHED, ERR_R_INTERNAL_ERROR); + goto err; + } /* * Copy the finished so we can use it for renegotiation checks */ + if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) { + SSLerr(SSL_F_TLS_CONSTRUCT_FINISHED, ERR_R_INTERNAL_ERROR); + goto err; + } if (!s->server) { - OPENSSL_assert(finish_md_len <= EVP_MAX_MD_SIZE); memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md, finish_md_len); s->s3->previous_client_finished_len = finish_md_len; } else { - OPENSSL_assert(finish_md_len <= EVP_MAX_MD_SIZE); memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md, finish_md_len); s->s3->previous_server_finished_len = finish_md_len; @@ -580,14 +601,23 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) } if (!PACKET_get_1(pkt, &updatetype) - || PACKET_remaining(pkt) != 0 - || (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED - && updatetype != SSL_KEY_UPDATE_REQUESTED)) { + || PACKET_remaining(pkt) != 0) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_BAD_KEY_UPDATE); goto err; } + /* + * There are only two defined key update types. Fail if we get a value we + * didn't recognise. + */ + if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED + && updatetype != SSL_KEY_UPDATE_REQUESTED) { + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_BAD_KEY_UPDATE); + goto err; + } + /* * If we get a request for us to update our sending keys too then, we need * to additionally send a KeyUpdate message. However that message should @@ -655,14 +685,14 @@ MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) && remain != DTLS1_CCS_HEADER_LENGTH + 1) || (s->version != DTLS1_BAD_VER && remain != DTLS1_CCS_HEADER_LENGTH - 1)) { - al = SSL_AD_ILLEGAL_PARAMETER; + al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_BAD_CHANGE_CIPHER_SPEC); goto f_err; } } else { if (remain != 0) { - al = SSL_AD_ILLEGAL_PARAMETER; + al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_BAD_CHANGE_CIPHER_SPEC); goto f_err; @@ -752,13 +782,16 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) /* * Copy the finished so we can use it for renegotiation checks */ + if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_FINISHED, ERR_R_INTERNAL_ERROR); + goto f_err; + } if (s->server) { - OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, md_len); s->s3->previous_client_finished_len = md_len; } else { - OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, md_len); s->s3->previous_server_finished_len = md_len; @@ -975,7 +1008,8 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs) BUF_MEM_free(s->init_buf); s->init_buf = NULL; } - ssl_free_wbio_buffer(s); + if (!ssl_free_wbio_buffer(s)) + return WORK_ERROR; s->init_num = 0; } @@ -1604,6 +1638,7 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) * Fall through if we are TLSv1.3 already (this means we must be after * a HelloRetryRequest */ + /* fall thru */ case TLS_ANY_VERSION: table = tls_version_table; break;