-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+/*
+ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
+
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
-#ifndef OPENSSL_NO_DH
-# include <openssl/dh.h>
-#endif
+#include <openssl/dh.h>
#include <openssl/bn.h>
-#ifndef OPENSSL_NO_ENGINE
-# include <openssl/engine.h>
-#endif
+#include <openssl/engine.h>
static ossl_inline int cert_req_allowed(SSL *s);
static int key_exchange_expected(SSL *s);
break;
case TLS_ST_CW_FINISHED:
- if (mt == SSL3_MT_NEWSESSION_TICKET && s->tlsext_ticket_expected) {
- st->hand_state = TLS_ST_CR_SESSION_TICKET;
- return 1;
+ if (s->tlsext_ticket_expected) {
+ if (mt == SSL3_MT_NEWSESSION_TICKET) {
+ st->hand_state = TLS_ST_CR_SESSION_TICKET;
+ return 1;
+ }
} else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
st->hand_state = TLS_ST_CR_CHANGE;
return 1;
s->shutdown = 0;
if (SSL_IS_DTLS(s)) {
/* every DTLS ClientHello resets Finished MAC */
- ssl3_init_finished_mac(s);
+ if (!ssl3_init_finished_mac(s)) {
+ ossl_statem_set_error(s);
+ return WORK_ERROR;
+ }
}
break;
switch(st->hand_state) {
case TLS_ST_CW_CLNT_HELLO:
- if (SSL_IS_DTLS(s) && s->d1->cookie_len > 0 && statem_flush(s) != 1)
+ if (wst == WORK_MORE_A && statem_flush(s) != 1)
return WORK_MORE_A;
-#ifndef OPENSSL_NO_SCTP
- /* Disable buffering for SCTP */
- if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s))) {
-#endif
- /*
- * turn on buffering for the next lot of output
- */
- if (s->bbio != s->wbio)
- s->wbio = BIO_push(s->bbio, s->wbio);
-#ifndef OPENSSL_NO_SCTP
- }
-#endif
+
if (SSL_IS_DTLS(s)) {
/* Treat the next message as the first packet */
s->first_packet = 1;
goto err;
}
- if ((sess == NULL) || (sess->ssl_version != s->version) ||
+ if ((sess == NULL) ||
+ !ssl_version_supported(s, sess->ssl_version) ||
/*
* In the case of EAP-FAST, we can have a pre-shared
* "ticket" without a session ID.
* 1. Client hello indicates TLS 1.2
* 2. Server hello says TLS 1.0
* 3. RSA encrypted premaster secret uses 1.2.
- * 4. Handhaked proceeds using TLS 1.0.
+ * 4. Handshake proceeds using TLS 1.0.
* 5. Server sends hello request to renegotiate.
* 6. Client hello indicates TLS v1.0 as we now
* know that is maximum server supports.
const SSL_CIPHER *c;
PACKET session_id;
size_t session_id_len;
- unsigned char *cipherchars;
+ const unsigned char *cipherchars;
int i, al = SSL_AD_INTERNAL_ERROR;
unsigned int compression;
unsigned int sversion;
* overwritten if the server refuses resumption.
*/
if (s->session->session_id_length > 0) {
+ s->ctx->stats.sess_miss++;
if (!ssl_get_new_session(s, 0)) {
goto f_err;
}
}
+ s->session->ssl_version = s->version;
s->session->session_id_length = session_id_len;
/* session_id_len could be 0 */
memcpy(s->session->session_id, PACKET_data(&session_id),
session_id_len);
}
+ /* Session version and negotiated protocol version should match */
+ if (s->version != s->session->ssl_version) {
+ al = SSL_AD_PROTOCOL_VERSION;
+
+ SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
+ SSL_R_SSL_SESSION_VERSION_MISMATCH);
+ goto f_err;
+ }
+
c = ssl_get_cipher_by_char(s, cipherchars);
if (c == NULL) {
/* unknown cipher */
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
goto f_err;
}
- /* Set version disabled mask now we know version */
- if (!SSL_USE_TLS1_2_CIPHERS(s))
- s->s3->tmp.mask_ssl = SSL_TLSV1_2;
- else
- s->s3->tmp.mask_ssl = 0;
- /* Skip TLS v1.0 ciphersuites if SSLv3 */
- if ((c->algorithm_ssl & SSL_TLSV1) && s->version == SSL3_VERSION)
- s->s3->tmp.mask_ssl |= SSL_TLSV1;
/*
- * If it is a disabled cipher we didn't send it in client hello, so
- * return an error.
+ * Now that we know the version, update the check to see if it's an allowed
+ * version.
+ */
+ s->s3->tmp.min_ver = s->version;
+ s->s3->tmp.max_ver = s->version;
+ /*
+ * If it is a disabled cipher we either didn't send it in client hello,
+ * or it's not allowed for the selected protocol. So we return an error.
*/
if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK)) {
al = SSL_AD_ILLEGAL_PARAMETER;
int al, i, ret = MSG_PROCESS_ERROR, exp_idx;
unsigned long cert_list_len, cert_len;
X509 *x = NULL;
- unsigned char *certstart, *certbytes;
+ const unsigned char *certstart, *certbytes;
STACK_OF(X509) *sk = NULL;
EVP_PKEY *pkey = NULL;
}
i = ssl_verify_cert_chain(s, sk);
- if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
+ if ((s->verify_mode & SSL_VERIFY_PEER) && i <= 0) {
al = ssl_verify_alarm_type(s->verify_result);
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSL_R_CERTIFICATE_VERIFY_FAILED);
s->session->peer_chain = sk;
/*
* Inconsistency alert: cert_chain does include the peer's certificate,
- * which we don't include in s3_srvr.c
+ * which we don't include in statem_srvr.c
*/
x = sk_X509_value(sk, 0);
sk = NULL;
#ifndef OPENSSL_NO_DH
else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
PACKET prime, generator, pub_key;
+ EVP_PKEY *peer_tmp = NULL;
- DH *dh;
+ DH *dh = NULL;
+ BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL;
if (!PACKET_get_length_prefixed_2(pkt, &prime)
|| !PACKET_get_length_prefixed_2(pkt, &generator)
goto f_err;
}
- s->s3->peer_tmp = EVP_PKEY_new();
+ peer_tmp = EVP_PKEY_new();
dh = DH_new();
- if (s->s3->peer_tmp == NULL || dh == NULL) {
+ if (peer_tmp == NULL || dh == NULL) {
+ al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
- DH_free(dh);
- goto err;
+ goto dherr;
}
- if (EVP_PKEY_assign_DH(s->s3->peer_tmp, dh) == 0) {
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
- DH_free(dh);
- goto err;
+ p = BN_bin2bn(PACKET_data(&prime), PACKET_remaining(&prime), NULL);
+ g = BN_bin2bn(PACKET_data(&generator), PACKET_remaining(&generator),
+ NULL);
+ bnpub_key = BN_bin2bn(PACKET_data(&pub_key), PACKET_remaining(&pub_key),
+ NULL);
+ if (p == NULL || g == NULL || bnpub_key == NULL) {
+ SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_BN_LIB);
+ goto dherr;
+ }
+
+ if (BN_is_zero(p) || BN_is_zero(g) || BN_is_zero(bnpub_key)) {
+ SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_DH_VALUE);
+ goto dherr;
}
- if ((dh->p = BN_bin2bn(PACKET_data(&prime),
- PACKET_remaining(&prime), NULL)) == NULL
- || (dh->g = BN_bin2bn(PACKET_data(&generator),
- PACKET_remaining(&generator), NULL)) == NULL
- || (dh->pub_key =
- BN_bin2bn(PACKET_data(&pub_key),
- PACKET_remaining(&pub_key), NULL)) == NULL) {
+ if (!DH_set0_pqg(dh, p, NULL, g)) {
+ al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_BN_LIB);
- goto err;
+ goto dherr;
}
- if (BN_is_zero(dh->p) || BN_is_zero(dh->g) || BN_is_zero(dh->pub_key)) {
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_DH_VALUE);
- goto f_err;
+ if (!DH_set0_key(dh, bnpub_key, NULL)) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_BN_LIB);
+ goto dherr;
}
if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_DH_KEY_TOO_SMALL);
- goto f_err;
+ goto dherr;
+ }
+
+ if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
+ goto dherr;
}
+
+ s->s3->peer_tmp = peer_tmp;
+
+ goto dhend;
+ dherr:
+ BN_free(p);
+ BN_free(g);
+ BN_free(bnpub_key);
+ DH_free(dh);
+ EVP_PKEY_free(peer_tmp);
+ goto f_err;
+ dhend:
+ /*
+ * FIXME: This makes assumptions about which ciphersuites come with
+ * public keys. We should have a less ad-hoc way of doing this
+ */
if (alg_a & (SSL_aRSA|SSL_aDSS))
pkey = X509_get0_pubkey(s->session->peer);
/* else anonymous DH, so no certificate or pkey. */
#ifndef OPENSSL_NO_EC
else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
PACKET encoded_pt;
- unsigned char *ecparams;
+ const unsigned char *ecparams;
int curve_nid;
/*
}
if (SSL_USE_SIGALGS(s)) {
- unsigned char *sigalgs;
+ const unsigned char *sigalgs;
int rv;
if (!PACKET_get_bytes(pkt, &sigalgs, 2)) {
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
int ret = MSG_PROCESS_ERROR;
unsigned int list_len, ctype_num, i, name_len;
X509_NAME *xn = NULL;
- unsigned char *data;
- unsigned char *namestart, *namebytes;
+ const unsigned char *data;
+ const unsigned char *namestart, *namebytes;
STACK_OF(X509_NAME) *ca_sk = NULL;
if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
goto err;
}
+ xn = NULL;
}
/* we should setup a certificate to return.... */
err:
ossl_statem_set_error(s);
done:
+ X509_NAME_free(xn);
sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
return ret;
}
}
}
+#ifndef OPENSSL_NO_CT
+ if (s->ct_validation_callback != NULL) {
+ /* Note we validate the SCTs whether or not we abort on error */
+ if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+ return MSG_PROCESS_ERROR;
+ }
+ }
+#endif
+
#ifndef OPENSSL_NO_SCTP
/* Only applies to renegotiation */
if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))
#ifndef OPENSSL_NO_DH
else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
DH *dh_clnt = NULL;
+ const BIGNUM *pub_key;
skey = s->s3->peer_tmp;
if (skey == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
/* send off the data */
- n = BN_num_bytes(dh_clnt->pub_key);
+ DH_get0_key(dh_clnt, &pub_key, NULL);
+ n = BN_num_bytes(pub_key);
s2n(n, p);
- BN_bn2bin(dh_clnt->pub_key, p);
+ BN_bn2bin(pub_key, p);
n += 2;
EVP_PKEY_free(ckey);
ckey = NULL;
#endif
#ifndef OPENSSL_NO_EC
- else if (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)) {
+ else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
- if (s->s3->peer_tmp != NULL) {
- skey = s->s3->peer_tmp;
- } else {
- /* Get the Server Public Key from Cert */
- skey = X509_get0_pubkey(s->session->peer);
- if ((skey == NULL) || EVP_PKEY_get0_EC_KEY(skey) == NULL) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
+ skey = s->s3->peer_tmp;
+ if ((skey == NULL) || EVP_PKEY_get0_EC_KEY(skey) == NULL) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
- goto err;
+ goto err;
}
- }
ckey = ssl_generate_pkey(skey, NID_undef);
unsigned char *pms = NULL;
size_t pmslen = 0;
+ pms = s->s3->tmp.pms;
+ pmslen = s->s3->tmp.pmslen;
+
#ifndef OPENSSL_NO_SRP
/* Check for SRP */
if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
return 1;
}
#endif
- pms = s->s3->tmp.pms;
- pmslen = s->s3->tmp.pmslen;
if (pms == NULL && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_INTERNAL_ERROR);
+ /* ssl_generate_master_secret frees the pms even on error */
+ pms = NULL;
+ pmslen = 0;
goto err;
}
+ pms = NULL;
+ pmslen = 0;
#ifndef OPENSSL_NO_SCTP
if (SSL_IS_DTLS(s)) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_MISSING_ECDSA_SIGNING_CERT);
goto f_err;
- } else if (alg_k & (SSL_kECDHr | SSL_kECDHe)) {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_ECDH_CERT);
- goto f_err;
}
#endif
pkey = X509_get0_pubkey(s->session->peer);
/* Skip disabled ciphers */
if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
continue;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
- if (c->id == SSL3_CK_SCSV) {
- if (!empty_reneg_info_scsv)
- continue;
- else
- empty_reneg_info_scsv = 0;
- }
-#endif
j = s->method->put_cipher_by_char(c, p);
p += j;
}
};
j = s->method->put_cipher_by_char(&scsv, p);
p += j;
-#ifdef OPENSSL_RI_DEBUG
- fprintf(stderr,
- "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
-#endif
}
if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
static SSL_CIPHER scsv = {