Use EVP_DigestSignInit_ex and EVP_DigestVerifyInit_ex in libssl
diff --git
a/ssl/statem/extensions_srvr.c
b/ssl/statem/extensions_srvr.c
index 68fb0863c3b22c45e5a4006d51306ed87d27c556..549a207430386e411eaf4f516507a01de16bf037 100644
--- a/
ssl/statem/extensions_srvr.c
+++ b/
ssl/statem/extensions_srvr.c
@@
-8,8
+8,8
@@
*/
#include <openssl/ocsp.h>
*/
#include <openssl/ocsp.h>
-#include "../ssl_locl.h"
-#include "statem_locl.h"
+#include "../ssl_loc
a
l.h"
+#include "statem_loc
a
l.h"
#include "internal/cryptlib.h"
#define COOKIE_STATE_FORMAT_VERSION 0
#include "internal/cryptlib.h"
#define COOKIE_STATE_FORMAT_VERSION 0
@@
-127,6
+127,10
@@
int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
return 0;
}
return 0;
}
+ /*
+ * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
+ * we always use the SNI value from the handshake.
+ */
if (!s->hit || SSL_IS_TLS13(s)) {
if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
if (!s->hit || SSL_IS_TLS13(s)) {
if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
@@
-155,8
+159,12
@@
int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
}
s->servername_done = 1;
}
s->servername_done = 1;
- }
- if (s->hit) {
+ } else {
+ /*
+ * In TLSv1.2 and below we should check if the SNI is consistent between
+ * the initial handshake and the resumption. In TLSv1.3 SNI is not
+ * associated with the session.
+ */
/*
* TODO(openssl-team): if the SNI doesn't match, we MUST
* fall back to a full handshake.
/*
* TODO(openssl-team): if the SNI doesn't match, we MUST
* fall back to a full handshake.
@@
-164,9
+172,6
@@
int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
s->servername_done = (s->session->ext.hostname != NULL)
&& PACKET_equal(&hostname, s->session->ext.hostname,
strlen(s->session->ext.hostname));
s->servername_done = (s->session->ext.hostname != NULL)
&& PACKET_equal(&hostname, s->session->ext.hostname,
strlen(s->session->ext.hostname));
-
- if (!s->servername_done && s->session->ext.hostname != NULL)
- s->ext.early_data_ok = 0;
}
return 1;
}
return 1;
@@
-254,8
+259,8
@@
int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
if (!s->hit) {
if (!PACKET_memdup(&ec_point_format_list,
if (!s->hit) {
if (!PACKET_memdup(&ec_point_format_list,
- &s->
session->ext.
ecpointformats,
- &s->
session->ext.
ecpointformats_len)) {
+ &s->
ext.peer_
ecpointformats,
+ &s->
ext.peer_
ecpointformats_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
return 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
return 0;
@@
-700,7
+705,7
@@
int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
continue;
}
continue;
}
- if ((s->s3.peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
+ if ((s->s3.peer_tmp = ssl_generate_param_group(
s,
group_id)) == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
return 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
return 0;
@@
-775,7
+780,8
@@
int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
}
hmaclen = SHA256_DIGEST_LENGTH;
}
hmaclen = SHA256_DIGEST_LENGTH;
- if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
+ if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->propq, pkey,
+ s->ctx->libctx) <= 0
|| EVP_DigestSign(hctx, hmac, &hmaclen, data,
rawlen - SHA256_DIGEST_LENGTH) <= 0
|| hmaclen != SHA256_DIGEST_LENGTH) {
|| EVP_DigestSign(hctx, hmac, &hmaclen, data,
rawlen - SHA256_DIGEST_LENGTH) <= 0
|| hmaclen != SHA256_DIGEST_LENGTH) {
@@
-1233,8
+1239,9
@@
int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
}
}
}
}
- md = ssl_md(sess->cipher->algorithm2);
- if (md != ssl_md(s->s3.tmp.new_cipher->algorithm2)) {
+ md = ssl_md(s->ctx, sess->cipher->algorithm2);
+ if (!EVP_MD_is_a(md,
+ EVP_MD_name(ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2)))) {
/* The ciphersuite is not compatible with this session. */
SSL_SESSION_free(sess);
sess = NULL;
/* The ciphersuite is not compatible with this session. */
SSL_SESSION_free(sess);
sess = NULL;
@@
-1333,8
+1340,14
@@
EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
{
unsigned int context, X509 *x,
size_t chainidx)
{
- if (s->hit || s->servername_done != 1
- || s->ext.hostname == NULL)
+ if (s->servername_done != 1)
+ return EXT_RETURN_NOT_SENT;
+
+ /*
+ * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
+ * We just use the servername from the initial handshake.
+ */
+ if (s->hit && !SSL_IS_TLS13(s))
return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
@@
-1379,7
+1392,7
@@
EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
- && (s->
session->ext.
ecpointformats != NULL);
+ && (s->
ext.peer_
ecpointformats != NULL);
const unsigned char *plist;
size_t plistlen;
const unsigned char *plist;
size_t plistlen;
@@
-1491,6
+1504,10
@@
EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
{
unsigned int context, X509 *x,
size_t chainidx)
{
+ /* We don't currently support this extension inside a CertificateRequest */
+ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
+ return EXT_RETURN_NOT_SENT;
+
if (!s->ext.status_expected)
return EXT_RETURN_NOT_SENT;
if (!s->ext.status_expected)
return EXT_RETURN_NOT_SENT;
@@
-1712,7
+1729,7
@@
EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
return EXT_RETURN_FAIL;
}
return EXT_RETURN_FAIL;
}
- skey = ssl_generate_pkey(ckey);
+ skey = ssl_generate_pkey(
s,
ckey);
if (skey == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
ERR_R_MALLOC_FAILURE);
if (skey == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
ERR_R_MALLOC_FAILURE);
@@
-1848,7
+1865,8
@@
EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
goto err;
}
goto err;
}
- if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
+ if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->propq, pkey,
+ s->ctx->libctx) <= 0
|| EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
totcookielen) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
|| EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
totcookielen) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,