X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=ssl%2Ft1_lib.c;h=b604741827275783ae5e9f98d8a619ce2e175e0e;hb=2fa2d15ac87645959be4cf736d2169fa5be12c9e;hp=6a9dc5db28343315c2edd059bbaeeacc9690a5c2;hpb=6977e8ee4a718a76351ba5275a9f0be4e530eab5;p=openssl.git diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 6a9dc5db28..b604741827 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1,4 +1,3 @@ -/* ssl/t1_lib.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -208,7 +207,10 @@ void tls1_free(SSL *s) void tls1_clear(SSL *s) { ssl3_clear(s); - s->version = s->method->version; + if (s->method->version == TLS_ANY_VERSION) + s->version = TLS_MAX_VERSION; + else + s->version = s->method->version; } #ifndef OPENSSL_NO_EC @@ -222,6 +224,12 @@ typedef struct { # define TLS_CURVE_CHAR2 0x1 # define TLS_CURVE_PRIME 0x0 +/* + * Table of curve information. + * NB: do not delete entries or reorder this array. It is used as a lookup + * table: the index of each entry is one less than the TLS curve id. + */ + static const tls_curve_info nid_list[] = { {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */ {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */ @@ -259,8 +267,8 @@ static const unsigned char ecformats_default[] = { TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 }; -/* The client's default curves / the server's 'auto' curves. */ -static const unsigned char eccurves_auto[] = { +/* The default curves */ +static const unsigned char eccurves_default[] = { /* Prefer P-256 which has the fastest and most secure implementations. */ 0, 23, /* secp256r1 (23) */ /* Other >= 256-bit prime curves. */ @@ -333,67 +341,12 @@ int tls1_ec_curve_id2nid(int curve_id) int tls1_ec_nid2curve_id(int nid) { - /* ECC curves from RFC 4492 and RFC 7027 */ - switch (nid) { - case NID_sect163k1: /* sect163k1 (1) */ - return 1; - case NID_sect163r1: /* sect163r1 (2) */ - return 2; - case NID_sect163r2: /* sect163r2 (3) */ - return 3; - case NID_sect193r1: /* sect193r1 (4) */ - return 4; - case NID_sect193r2: /* sect193r2 (5) */ - return 5; - case NID_sect233k1: /* sect233k1 (6) */ - return 6; - case NID_sect233r1: /* sect233r1 (7) */ - return 7; - case NID_sect239k1: /* sect239k1 (8) */ - return 8; - case NID_sect283k1: /* sect283k1 (9) */ - return 9; - case NID_sect283r1: /* sect283r1 (10) */ - return 10; - case NID_sect409k1: /* sect409k1 (11) */ - return 11; - case NID_sect409r1: /* sect409r1 (12) */ - return 12; - case NID_sect571k1: /* sect571k1 (13) */ - return 13; - case NID_sect571r1: /* sect571r1 (14) */ - return 14; - case NID_secp160k1: /* secp160k1 (15) */ - return 15; - case NID_secp160r1: /* secp160r1 (16) */ - return 16; - case NID_secp160r2: /* secp160r2 (17) */ - return 17; - case NID_secp192k1: /* secp192k1 (18) */ - return 18; - case NID_X9_62_prime192v1: /* secp192r1 (19) */ - return 19; - case NID_secp224k1: /* secp224k1 (20) */ - return 20; - case NID_secp224r1: /* secp224r1 (21) */ - return 21; - case NID_secp256k1: /* secp256k1 (22) */ - return 22; - case NID_X9_62_prime256v1: /* secp256r1 (23) */ - return 23; - case NID_secp384r1: /* secp384r1 (24) */ - return 24; - case NID_secp521r1: /* secp521r1 (25) */ - return 25; - case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ - return 26; - case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ - return 27; - case NID_brainpoolP512r1: /* brainpool512r1 (28) */ - return 28; - default: - return 0; + size_t i; + for (i = 0; i < OSSL_NELEM(nid_list); i++) { + if (nid_list[i].nid == nid) + return i + 1; } + return 0; } /* @@ -438,13 +391,8 @@ static int tls1_get_curvelist(SSL *s, int sess, pcurveslen = s->tlsext_ellipticcurvelist_length; } if (!*pcurves) { - if (!s->server || s->cert->ecdh_tmp_auto) { - *pcurves = eccurves_auto; - pcurveslen = sizeof(eccurves_auto); - } else { - *pcurves = eccurves_all; - pcurveslen = sizeof(eccurves_all); - } + *pcurves = eccurves_default; + pcurveslen = sizeof(eccurves_default); } } @@ -791,16 +739,13 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) unsigned char comp_id, curve_id[2]; EVP_PKEY *pkey; int rv; - pkey = X509_get_pubkey(x); + pkey = X509_get0_pubkey(x); if (!pkey) return 0; /* If not EC nothing to do */ - if (pkey->type != EVP_PKEY_EC) { - EVP_PKEY_free(pkey); + if (EVP_PKEY_id(pkey) != EVP_PKEY_EC) return 1; - } - rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec); - EVP_PKEY_free(pkey); + rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)); if (!rv) return 0; /* @@ -877,19 +822,11 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) /* Check this curve is acceptable */ if (!tls1_check_ec_key(s, curve_id, NULL)) return 0; - /* If auto assume OK */ - if (s->cert->ecdh_tmp_auto) - return 1; - else - return 0; - } - if (s->cert->ecdh_tmp_auto) { - /* Need a shared curve */ - if (tls1_shared_curve(s, 0)) - return 1; - else - return 0; + return 1; } + /* Need a shared curve */ + if (tls1_shared_curve(s, 0)) + return 1; return 0; } # endif /* OPENSSL_NO_EC */ @@ -1003,10 +940,10 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, return 0; } #ifndef OPENSSL_NO_EC - if (pkey->type == EVP_PKEY_EC) { + if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { unsigned char curve_id[2], comp_id; /* Check compression and curve matches extensions */ - if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec)) + if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey))) return 0; if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) { SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); @@ -1086,16 +1023,6 @@ void ssl_set_client_disabled(SSL *s) if (s->client_version == SSL3_VERSION) s->s3->tmp.mask_ssl |= SSL_TLSV1; ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK); - /* - * Disable static DH if we don't include any appropriate signature - * algorithms. - */ - if (s->s3->tmp.mask_a & SSL_aRSA) - s->s3->tmp.mask_k |= SSL_kDHr | SSL_kECDHr; - if (s->s3->tmp.mask_a & SSL_aDSS) - s->s3->tmp.mask_k |= SSL_kDHd; - if (s->s3->tmp.mask_a & SSL_aECDSA) - s->s3->tmp.mask_k |= SSL_kECDHe; # ifndef OPENSSL_NO_PSK /* with PSK there must be client callback set */ if (!s->psk_client_callback) { @@ -1142,12 +1069,12 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { - SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); + const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; - if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK) - || (alg_a & SSL_aECDSA))) { + if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) + || (alg_a & SSL_aECDSA)) { using_ecc = 1; break; } @@ -1405,20 +1332,22 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); } #ifndef OPENSSL_NO_HEARTBEATS - /* Add Heartbeat extension */ - if ((limit - ret - 4 - 1) < 0) - return NULL; - s2n(TLSEXT_TYPE_heartbeat, ret); - s2n(1, ret); - /*- - * Set mode: - * 1: peer may send requests - * 2: peer not allowed to send requests - */ - if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) - *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; - else - *(ret++) = SSL_TLSEXT_HB_ENABLED; + if (SSL_IS_DTLS(s)) { + /* Add Heartbeat extension */ + if ((limit - ret - 4 - 1) < 0) + return NULL; + s2n(TLSEXT_TYPE_heartbeat, ret); + s2n(1, ret); + /*- + * Set mode: + * 1: peer may send requests + * 2: peer not allowed to send requests + */ + if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS) + *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS; + else + *(ret++) = SSL_DTLSEXT_HB_ENABLED; + } #endif #ifndef OPENSSL_NO_NEXTPROTONEG @@ -1521,8 +1450,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, #ifndef OPENSSL_NO_EC unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; - int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)) - || (alg_a & SSL_aECDSA); + int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA); using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); #endif @@ -1653,7 +1581,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, } #ifndef OPENSSL_NO_HEARTBEATS /* Add Heartbeat extension if we've received one */ - if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) { + if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) { if ((limit - ret - 4 - 1) < 0) return NULL; s2n(TLSEXT_TYPE_heartbeat, ret); @@ -1663,10 +1591,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, * 1: peer may send requests * 2: peer not allowed to send requests */ - if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) - *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; + if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS) + *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS; else - *(ret++) = SSL_TLSEXT_HB_ENABLED; + *(ret++) = SSL_DTLSEXT_HB_ENABLED; } #endif @@ -1712,7 +1640,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, } } #endif - if (!s->hit && s->session->flags & SSL_SESS_FLAG_EXTMS) { + if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) { s2n(TLSEXT_TYPE_extended_master_secret, ret); s2n(0, ret); } @@ -1752,7 +1680,7 @@ static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al) unsigned int data_len; unsigned int proto_len; const unsigned char *selected; - unsigned char *data; + const unsigned char *data; unsigned char selected_len; int r; @@ -1811,7 +1739,7 @@ static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al) static void ssl_check_for_safari(SSL *s, const PACKET *pkt) { unsigned int type, size; - unsigned char *eblock1, *eblock2; + const unsigned char *eblock1, *eblock2; PACKET tmppkt; static const unsigned char kSafariExtensionsBlock[] = { @@ -1882,7 +1810,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) unsigned int type; unsigned int size; unsigned int len; - unsigned char *data; + const unsigned char *data; int renegotiate_seen = 0; s->servername_done = 0; @@ -1894,8 +1822,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) OPENSSL_free(s->s3->alpn_selected); s->s3->alpn_selected = NULL; #ifndef OPENSSL_NO_HEARTBEATS - s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); + s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED | + SSL_DTLSEXT_HB_DONT_SEND_REQUESTS); #endif #ifndef OPENSSL_NO_EC @@ -1970,7 +1898,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) */ else if (type == TLSEXT_TYPE_server_name) { - unsigned char *sdata; + const unsigned char *sdata; unsigned int servname_type; unsigned int dsize; PACKET ssubpkt; @@ -2213,7 +2141,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) s->tlsext_status_type = -1; } #ifndef OPENSSL_NO_HEARTBEATS - else if (type == TLSEXT_TYPE_heartbeat) { + else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) { unsigned int hbtype; if (!PACKET_get_1(&subpkt, &hbtype) @@ -2223,11 +2151,11 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) } switch (hbtype) { case 0x01: /* Client allows us to send HB requests */ - s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; + s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED; break; case 0x02: /* Client doesn't accept HB requests */ - s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; - s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; + s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED; + s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS; break; default: *al = SSL_AD_ILLEGAL_PARAMETER; @@ -2282,10 +2210,11 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) else if (type == TLSEXT_TYPE_encrypt_then_mac) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; #endif - else if (type == TLSEXT_TYPE_extended_master_secret) { - if (!s->hit) - s->session->flags |= SSL_SESS_FLAG_EXTMS; - } + /* + * Note: extended master secret extension handled in + * tls_check_serverhello_tlsext_early() + */ + /* * If this ClientHello extension was unhandled and this is a * nonresumed connection, check whether the extension is a custom @@ -2371,14 +2300,16 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al) OPENSSL_free(s->s3->alpn_selected); s->s3->alpn_selected = NULL; #ifndef OPENSSL_NO_HEARTBEATS - s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); + s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED | + SSL_DTLSEXT_HB_DONT_SEND_REQUESTS); #endif #ifdef TLSEXT_TYPE_encrypt_then_mac s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; #endif + s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; + if (!PACKET_get_net_2(pkt, &length)) goto ri_check; @@ -2388,7 +2319,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al) } while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) { - unsigned char *data; + const unsigned char *data; PACKET spkt; if (!PACKET_get_sub_packet(pkt, &spkt, size) @@ -2532,7 +2463,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al) s->s3->alpn_selected_len = len; } #ifndef OPENSSL_NO_HEARTBEATS - else if (type == TLSEXT_TYPE_heartbeat) { + else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) { unsigned int hbtype; if (!PACKET_get_1(&spkt, &hbtype)) { *al = SSL_AD_DECODE_ERROR; @@ -2540,11 +2471,11 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al) } switch (hbtype) { case 0x01: /* Server allows us to send HB requests */ - s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; + s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED; break; case 0x02: /* Server doesn't accept HB requests */ - s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; - s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; + s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED; + s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS; break; default: *al = SSL_AD_ILLEGAL_PARAMETER; @@ -2567,6 +2498,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al) } #endif else if (type == TLSEXT_TYPE_extended_master_secret) { + s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; if (!s->hit) s->session->flags |= SSL_SESS_FLAG_EXTMS; } @@ -2586,7 +2518,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al) if (!s->hit && tlsext_servername == 1) { if (s->tlsext_hostname) { if (s->session->tlsext_hostname == NULL) { - s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); + s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname); if (!s->session->tlsext_hostname) { *al = SSL_AD_UNRECOGNIZED_NAME; return 0; @@ -2616,6 +2548,19 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al) return 0; } + if (s->hit) { + /* + * Check extended master secret extension is consistent with + * original session. + */ + if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) != + !(s->session->flags & SSL_SESS_FLAG_EXTMS)) { + *al = SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS); + return 0; + } + } + return 1; } @@ -2812,8 +2757,7 @@ int ssl_check_serverhello_tlsext(SSL *s) && (s->tlsext_ecpointformatlist_length > 0) && (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) - && ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)) - || (alg_a & SSL_aECDSA))) { + && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { /* we are using an ECC cipher */ size_t i; unsigned char *list; @@ -2846,29 +2790,12 @@ int ssl_check_serverhello_tlsext(SSL *s) initial_ctx->tlsext_servername_arg); /* - * If we've requested certificate status and we wont get one tell the - * callback + * Ensure we get sensible values passed to tlsext_status_cb in the event + * that we don't receive a status message */ - if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) - && s->ctx && s->ctx->tlsext_status_cb) { - int r; - /* - * Set resp to NULL, resplen to -1 so callback knows there is no - * response. - */ - OPENSSL_free(s->tlsext_ocsp_resp); - s->tlsext_ocsp_resp = NULL; - s->tlsext_ocsp_resplen = -1; - r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); - if (r == 0) { - al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; - ret = SSL_TLSEXT_ERR_ALERT_FATAL; - } - if (r < 0) { - al = SSL_AD_INTERNAL_ERROR; - ret = SSL_TLSEXT_ERR_ALERT_FATAL; - } - } + OPENSSL_free(s->tlsext_ocsp_resp); + s->tlsext_ocsp_resp = NULL; + s->tlsext_ocsp_resplen = -1; switch (ret) { case SSL_TLSEXT_ERR_ALERT_FATAL: @@ -2905,8 +2832,11 @@ int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt) /*- * Since the server cache lookup is done early on in the processing of the - * ClientHello, and other operations depend on the result, we need to handle - * any TLS session ticket extension at the same time. + * ClientHello and other operations depend on the result some extensions + * need to be handled at the same time. + * + * Two extensions are currently handled, session ticket and extended master + * secret. * * session_id: ClientHello session ID. * ext: ClientHello extensions (including length prefix) @@ -2933,23 +2863,29 @@ int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt) * a session ticket or we couldn't use the one it gave us, or if * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. * Otherwise, s->tlsext_ticket_expected is set to 0. + * + * For extended master secret flag is set if the extension is present. + * */ -int tls1_process_ticket(SSL *s, const PACKET *ext, const PACKET *session_id, - SSL_SESSION **ret) +int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext, + const PACKET *session_id, + SSL_SESSION **ret) { unsigned int i; PACKET local_ext = *ext; int retv = -1; + int have_ticket = 0; + int use_ticket = tls_use_ticket(s); + *ret = NULL; s->tlsext_ticket_expected = 0; + s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; /* * If tickets disabled behave as if no ticket present to permit stateful * resumption. */ - if (!tls_use_ticket(s)) - return 0; if ((s->version <= SSL3_VERSION)) return 0; @@ -2970,9 +2906,16 @@ int tls1_process_ticket(SSL *s, const PACKET *ext, const PACKET *session_id, retv = 0; goto end; } - if (type == TLSEXT_TYPE_session_ticket) { + if (type == TLSEXT_TYPE_session_ticket && use_ticket) { int r; - unsigned char *etick; + const unsigned char *etick; + + /* Duplicate extension */ + if (have_ticket != 0) { + retv = -1; + goto end; + } + have_ticket = 1; if (size == 0) { /* @@ -2981,7 +2924,7 @@ int tls1_process_ticket(SSL *s, const PACKET *ext, const PACKET *session_id, */ s->tlsext_ticket_expected = 1; retv = 1; - goto end; + continue; } if (s->tls_session_secret_cb) { /* @@ -2991,7 +2934,7 @@ int tls1_process_ticket(SSL *s, const PACKET *ext, const PACKET *session_id, * calculate the master secret later. */ retv = 2; - goto end; + continue; } if (!PACKET_get_bytes(&local_ext, &etick, size)) { /* Shouldn't ever happen */ @@ -3016,15 +2959,18 @@ int tls1_process_ticket(SSL *s, const PACKET *ext, const PACKET *session_id, retv = -1; break; } - goto end; + continue; } else { + if (type == TLSEXT_TYPE_extended_master_secret) + s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; if (!PACKET_forward(&local_ext, size)) { retv = -1; goto end; } } } - retv = 0; + if (have_ticket == 0) + retv = 0; end: return retv; } @@ -3040,6 +2986,7 @@ end: * point to the resulting session. * * Returns: + * -2: fatal error, malloc failure. * -1: fatal error, either from parsing or decrypting the ticket. * 2: the ticket couldn't be decrypted. * 3: a ticket was successfully decrypted and *psess was set. @@ -3054,19 +3001,21 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, const unsigned char *p; int slen, mlen, renew_ticket = 0; unsigned char tick_hmac[EVP_MAX_MD_SIZE]; - HMAC_CTX hctx; - EVP_CIPHER_CTX ctx; + HMAC_CTX *hctx = NULL; + EVP_CIPHER_CTX *ctx; SSL_CTX *tctx = s->initial_ctx; /* Need at least keyname + iv + some encrypted data */ if (eticklen < 48) return 2; /* Initialize session ticket encryption and HMAC contexts */ - HMAC_CTX_init(&hctx); - EVP_CIPHER_CTX_init(&ctx); + hctx = HMAC_CTX_new(); + if (hctx == NULL) + return -2; + ctx = EVP_CIPHER_CTX_new(); if (tctx->tlsext_ticket_key_cb) { unsigned char *nctick = (unsigned char *)etick; int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, - &ctx, &hctx, 0); + ctx, hctx, 0); if (rv < 0) return -1; if (rv == 0) @@ -3077,9 +3026,9 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, /* Check key name matches */ if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) return 2; - if (HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, + if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16, EVP_sha256(), NULL) <= 0 - || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, + || EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, tctx->tlsext_tick_aes_key, etick + 16) <= 0) { goto err; @@ -3089,38 +3038,39 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, * Attempt to process session ticket, first conduct sanity and integrity * checks on ticket. */ - mlen = HMAC_size(&hctx); + mlen = HMAC_size(hctx); if (mlen < 0) { goto err; } eticklen -= mlen; /* Check HMAC of encrypted ticket */ - if (HMAC_Update(&hctx, etick, eticklen) <= 0 - || HMAC_Final(&hctx, tick_hmac, NULL) <= 0) { + if (HMAC_Update(hctx, etick, eticklen) <= 0 + || HMAC_Final(hctx, tick_hmac, NULL) <= 0) { goto err; } - HMAC_CTX_cleanup(&hctx); + HMAC_CTX_free(hctx); if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); return 2; } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ - p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); - eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); + p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx); + eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx); sdec = OPENSSL_malloc(eticklen); if (sdec == NULL - || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) { - EVP_CIPHER_CTX_cleanup(&ctx); + || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) { + EVP_CIPHER_CTX_free(ctx); return -1; } - if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) { - EVP_CIPHER_CTX_cleanup(&ctx); + if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) { + EVP_CIPHER_CTX_free(ctx); OPENSSL_free(sdec); return 2; } slen += mlen; - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; p = sdec; sess = d2i_SSL_SESSION(NULL, &p, slen); @@ -3147,8 +3097,8 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, */ return 2; err: - EVP_CIPHER_CTX_cleanup(&ctx); - HMAC_CTX_cleanup(&hctx); + EVP_CIPHER_CTX_free(ctx); + HMAC_CTX_free(hctx); return -1; } @@ -3219,7 +3169,7 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, int tls12_get_sigid(const EVP_PKEY *pk) { - return tls12_find_id(pk->type, tls12_sig, OSSL_NELEM(tls12_sig)); + return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig)); } typedef struct { @@ -3300,7 +3250,7 @@ static int tls12_get_pkey_idx(unsigned char sig_alg) static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, int *psignhash_nid, const unsigned char *data) { - int sign_nid = 0, hash_nid = 0; + int sign_nid = NID_undef, hash_nid = NID_undef; if (!phash_nid && !psign_nid && !psignhash_nid) return; if (phash_nid || psignhash_nid) { @@ -3314,9 +3264,9 @@ static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, *psign_nid = sign_nid; } if (psignhash_nid) { - if (sign_nid && hash_nid) - OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid); - else + if (sign_nid == NID_undef || hash_nid == NID_undef + || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, + sign_nid) <= 0) *psignhash_nid = NID_undef; } } @@ -3620,160 +3570,6 @@ int SSL_get_shared_sigalgs(SSL *s, int idx, return s->cert->shared_sigalgslen; } -#ifndef OPENSSL_NO_HEARTBEATS -int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length) -{ - unsigned char *pl; - unsigned short hbtype; - unsigned int payload; - unsigned int padding = 16; /* Use minimum padding */ - - if (s->msg_callback) - s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, - p, length, - s, s->msg_callback_arg); - - /* Read type and payload length first */ - if (1 + 2 + 16 > length) - return 0; /* silently discard */ - hbtype = *p++; - n2s(p, payload); - if (1 + 2 + payload + 16 > length) - return 0; /* silently discard per RFC 6520 sec. 4 */ - pl = p; - - if (hbtype == TLS1_HB_REQUEST) { - unsigned char *buffer, *bp; - int r; - - /* - * Allocate memory for the response, size is 1 bytes message type, - * plus 2 bytes payload length, plus payload, plus padding - */ - buffer = OPENSSL_malloc(1 + 2 + payload + padding); - if (buffer == NULL) { - SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE); - return -1; - } - bp = buffer; - - /* Enter response type, length and copy payload */ - *bp++ = TLS1_HB_RESPONSE; - s2n(payload, bp); - memcpy(bp, pl, payload); - bp += payload; - /* Random padding */ - if (RAND_bytes(bp, padding) <= 0) { - OPENSSL_free(buffer); - return -1; - } - - r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, - 3 + payload + padding); - - if (r >= 0 && s->msg_callback) - s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, - buffer, 3 + payload + padding, - s, s->msg_callback_arg); - - OPENSSL_free(buffer); - - if (r < 0) - return r; - } else if (hbtype == TLS1_HB_RESPONSE) { - unsigned int seq; - - /* - * We only send sequence numbers (2 bytes unsigned int), and 16 - * random bytes, so we just try to read the sequence number - */ - n2s(pl, seq); - - if (payload == 18 && seq == s->tlsext_hb_seq) { - s->tlsext_hb_seq++; - s->tlsext_hb_pending = 0; - } - } - - return 0; -} - -int tls1_heartbeat(SSL *s) -{ - unsigned char *buf, *p; - int ret = -1; - unsigned int payload = 18; /* Sequence number + random bytes */ - unsigned int padding = 16; /* Use minimum padding */ - - /* Only send if peer supports and accepts HB requests... */ - if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || - s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) { - SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); - return -1; - } - - /* ...and there is none in flight yet... */ - if (s->tlsext_hb_pending) { - SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING); - return -1; - } - - /* ...and no handshake in progress. */ - if (SSL_in_init(s) || ossl_statem_get_in_handshake(s)) { - SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE); - return -1; - } - - /*- - * Create HeartBeat message, we just use a sequence number - * as payload to distuingish different messages and add - * some random stuff. - * - Message Type, 1 byte - * - Payload Length, 2 bytes (unsigned int) - * - Payload, the sequence number (2 bytes uint) - * - Payload, random bytes (16 bytes uint) - * - Padding - */ - buf = OPENSSL_malloc(1 + 2 + payload + padding); - if (buf == NULL) { - SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE); - return -1; - } - p = buf; - /* Message Type */ - *p++ = TLS1_HB_REQUEST; - /* Payload length (18 bytes here) */ - s2n(payload, p); - /* Sequence number */ - s2n(s->tlsext_hb_seq, p); - /* 16 random bytes */ - if (RAND_bytes(p, 16) <= 0) { - SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); - goto err; - } - p += 16; - /* Random padding */ - if (RAND_bytes(p, padding) <= 0) { - SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); - goto err; - } - - ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); - if (ret >= 0) { - if (s->msg_callback) - s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, - buf, 3 + payload + padding, - s, s->msg_callback_arg); - - s->tlsext_hb_pending = 1; - } - - err: - OPENSSL_free(buf); - return ret; -} -#endif - #define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2) typedef struct { @@ -4005,13 +3801,11 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, switch (idx) { case SSL_PKEY_RSA_ENC: case SSL_PKEY_RSA_SIGN: - case SSL_PKEY_DH_RSA: rsign = TLSEXT_signature_rsa; default_nid = NID_sha1WithRSAEncryption; break; case SSL_PKEY_DSA_SIGN: - case SSL_PKEY_DH_DSA: rsign = TLSEXT_signature_dsa; default_nid = NID_dsaWithSHA1; break; @@ -4104,7 +3898,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, if (!s->server && strict_mode) { STACK_OF(X509_NAME) *ca_dn; int check_type = 0; - switch (pk->type) { + switch (EVP_PKEY_id(pk)) { case EVP_PKEY_RSA: check_type = TLS_CT_RSA_SIGN; break; @@ -4114,15 +3908,6 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, case EVP_PKEY_EC: check_type = TLS_CT_ECDSA_SIGN; break; - case EVP_PKEY_DH: - case EVP_PKEY_DHX: - { - int cert_type = X509_certificate_type(x, pk); - if (cert_type & EVP_PKS_RSA) - check_type = TLS_CT_RSA_FIXED_DH; - if (cert_type & EVP_PKS_DSA) - check_type = TLS_CT_DSS_FIXED_DH; - } } if (check_type) { const unsigned char *ctypes; @@ -4203,8 +3988,6 @@ void tls1_set_cert_validity(SSL *s) tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); - tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA); - tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256); @@ -4259,13 +4042,17 @@ DH *ssl_get_auto_dh(SSL *s) static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) { - int secbits; - EVP_PKEY *pkey = X509_get_pubkey(x); + int secbits = -1; + EVP_PKEY *pkey = X509_get0_pubkey(x); if (pkey) { + /* + * If no parameters this will return -1 and fail using the default + * security callback for any non-zero security level. This will + * reject keys which omit parameters but this only affects DSA and + * omission of parameters is never (?) done in practice. + */ secbits = EVP_PKEY_security_bits(pkey); - EVP_PKEY_free(pkey); - } else - secbits = -1; + } if (s) return ssl_security(s, op, secbits, 0, x); else @@ -4276,6 +4063,9 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) { /* Lookup signature algorithm digest */ int secbits = -1, md_nid = NID_undef, sig_nid; + /* Don't check signature if self signed */ + if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) + return 1; sig_nid = X509_get_signature_nid(x); if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) { const EVP_MD *md;