-/* ssl/statem/statem_srvr.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/x509.h>
-#ifndef OPENSSL_NO_DH
-# include <openssl/dh.h>
-#endif
+#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/md5.h>
if (mt == SSL3_MT_CERTIFICATE) {
st->hand_state = TLS_ST_SR_CERT;
return 1;
- }
+ }
}
break;
len = dtls_raw_hello_verify_request(&buf[DTLS1_HM_HEADER_LENGTH],
s->d1->cookie, s->d1->cookie_len);
- dtls1_set_message_header(s, buf, DTLS1_MT_HELLO_VERIFY_REQUEST, len, 0,
+ dtls1_set_message_header(s, DTLS1_MT_HELLO_VERIFY_REQUEST, len, 0,
len);
len += DTLS1_HM_HEADER_LENGTH;
int i, al = SSL_AD_INTERNAL_ERROR;
unsigned int j, complen = 0;
unsigned long id;
- SSL_CIPHER *c;
+ const SSL_CIPHER *c;
#ifndef OPENSSL_NO_COMP
SSL_COMP *comp = NULL;
#endif
STACK_OF(SSL_CIPHER) *ciphers = NULL;
- int protverr = 1;
+ int protverr;
/* |cookie| will only be initialized for DTLS. */
PACKET session_id, cipher_suites, compression, extensions, cookie;
int is_v2_record;
}
}
- /* Do SSL/TLS version negotiation if applicable */
+ /*
+ * Do SSL/TLS version negotiation if applicable. For DTLS we just check
+ * versions are potentially compatible. Version negotiation comes later.
+ */
if (!SSL_IS_DTLS(s)) {
- if (s->version != TLS_ANY_VERSION) {
- if (s->client_version >= s->version) {
- protverr = 0;
- }
- } else if (s->client_version >= SSL3_VERSION) {
- int max_version = TLS_MAX_VERSION;
-
- if (s->max_proto_version != 0)
- max_version = s->max_proto_version;
-
- switch(s->client_version) {
- default:
- case TLS1_2_VERSION:
- if(!(s->options & SSL_OP_NO_TLSv1_2) &&
- (max_version >= TLS1_2_VERSION) &&
- (s->min_proto_version <= TLS1_2_VERSION)) {
- s->version = TLS1_2_VERSION;
- s->method = TLSv1_2_server_method();
- protverr = 0;
- break;
- }
- /* Deliberately fall through */
- case TLS1_1_VERSION:
- if(!(s->options & SSL_OP_NO_TLSv1_1) &&
- (max_version >= TLS1_1_VERSION) &&
- (s->min_proto_version <= TLS1_1_VERSION)) {
- s->version = TLS1_1_VERSION;
- s->method = TLSv1_1_server_method();
- protverr = 0;
- break;
- }
- /* Deliberately fall through */
- case TLS1_VERSION:
- if(!(s->options & SSL_OP_NO_TLSv1) &&
- (max_version >= TLS1_VERSION) &&
- (s->min_proto_version <= TLS1_VERSION)) {
- s->version = TLS1_VERSION;
- s->method = TLSv1_server_method();
- protverr = 0;
- break;
- }
- /* Deliberately fall through */
- case SSL3_VERSION:
-#ifndef OPENSSL_NO_SSL3
- if(!(s->options & SSL_OP_NO_SSLv3) &&
- (max_version >= SSL3_VERSION) &&
- (s->min_proto_version <= SSL3_VERSION)) {
- s->version = SSL3_VERSION;
- s->method = SSLv3_server_method();
- protverr = 0;
- break;
- }
-#else
- break;
-#endif
- }
- }
- } else if (s->client_version <= s->version
- || s->method->version == DTLS_ANY_VERSION) {
- /*
- * For DTLS we just check versions are potentially compatible. Version
- * negotiation comes later.
- */
+ protverr = ssl_choose_server_version(s);
+ } else if (s->method->version != DTLS_ANY_VERSION &&
+ DTLS_VERSION_LT(s->client_version, s->version)) {
+ protverr = SSL_R_VERSION_TOO_LOW;
+ } else {
protverr = 0;
}
if (protverr) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
if ((!s->enc_write_ctx && !s->write_hash)) {
/*
* similar to ssl3_get_record, send alert using remote version
goto f_err;
}
+ if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+
if (!PACKET_get_sub_packet(pkt, &cipher_suites, cipher_len)
|| !PACKET_get_sub_packet(pkt, &session_id, session_id_len)
|| !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
goto f_err;
}
+ if (PACKET_remaining(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+
if (SSL_IS_DTLS(s)) {
if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
al = SSL_AD_DECODE_ERROR;
extensions = *pkt;
}
+ if (SSL_IS_DTLS(s)) {
+ /* Empty cookie was already handled above by returning early. */
+ if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
+ if (s->ctx->app_verify_cookie_cb != NULL) {
+ if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
+ PACKET_remaining(&cookie)) == 0) {
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
+ SSL_R_COOKIE_MISMATCH);
+ goto f_err;
+ /* else cookie verification succeeded */
+ }
+ /* default verification */
+ } else if (!PACKET_equal(&cookie, s->d1->cookie,
+ s->d1->cookie_len)) {
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
+ goto f_err;
+ }
+ s->d1->cookie_verified = 1;
+ }
+ if (s->method->version == DTLS_ANY_VERSION) {
+ protverr = ssl_choose_server_version(s);
+ if (protverr != 0) {
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
+ s->version = s->client_version;
+ al = SSL_AD_PROTOCOL_VERSION;
+ goto f_err;
+ }
+ }
+ }
+
s->hit = 0;
/*
}
}
- if (SSL_IS_DTLS(s)) {
- /* Empty cookie was already handled above by returning early. */
- if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
- if (s->ctx->app_verify_cookie_cb != NULL) {
- if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
- PACKET_remaining(&cookie)) == 0) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
- SSL_R_COOKIE_MISMATCH);
- goto f_err;
- /* else cookie verification succeeded */
- }
- /* default verification */
- } else if (!PACKET_equal(&cookie, s->d1->cookie,
- s->d1->cookie_len)) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
- goto f_err;
- }
- s->d1->cookie_verified = 1;
- }
- if (s->method->version == DTLS_ANY_VERSION) {
- /* Select version to use */
- int max_version = DTLS_MAX_VERSION;
- int min_version = DTLS_MIN_VERSION;
-
- if (s->max_proto_version != 0)
- max_version = s->max_proto_version;
- if (s->min_proto_version != 0)
- min_version = s->min_proto_version;
-
- if (DTLS_VERSION_GE(s->client_version, DTLS1_2_VERSION) &&
- !(s->options & SSL_OP_NO_DTLSv1_2) &&
- DTLS_VERSION_GE(max_version, DTLS1_2_VERSION) &&
- DTLS_VERSION_LE(min_version, DTLS1_2_VERSION)) {
- s->version = DTLS1_2_VERSION;
- s->method = DTLSv1_2_server_method();
- } else if (tls1_suiteb(s)) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
- SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
- s->version = s->client_version;
- al = SSL_AD_PROTOCOL_VERSION;
- goto f_err;
- } else if (DTLS_VERSION_GE(s->client_version, DTLS1_VERSION) &&
- !(s->options & SSL_OP_NO_DTLSv1) &&
- DTLS_VERSION_GE(max_version, DTLS1_VERSION) &&
- DTLS_VERSION_LE(min_version, DTLS1_VERSION)) {
- s->version = DTLS1_VERSION;
- s->method = DTLSv1_server_method();
- } else {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
- SSL_R_WRONG_VERSION_NUMBER);
- s->version = s->client_version;
- al = SSL_AD_PROTOCOL_VERSION;
- goto f_err;
- }
- s->session->ssl_version = s->version;
- }
- }
-
if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers),
is_v2_record, &al) == NULL) {
goto f_err;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
goto f_err;
}
-
+
/* TLS extensions */
if (s->version >= SSL3_VERSION) {
if (!ssl_parse_clienthello_tlsext(s, &extensions)) {
}
if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
- SSL_CIPHER *pref_cipher = NULL;
+ const SSL_CIPHER *pref_cipher = NULL;
s->session->master_key_length = sizeof(s->session->master_key);
if (s->tls_session_secret_cb(s, s->session->master_key,
if (k >= complen) {
al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
- SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
+ SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
goto f_err;
}
} else if (s->hit)
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
{
int al = SSL_AD_HANDSHAKE_FAILURE;
- SSL_CIPHER *cipher;
+ const SSL_CIPHER *cipher;
if (wst == WORK_MORE_A) {
if (!s->hit) {
EVP_PKEY_free(pkdh);
pkdh = NULL;
- r[0] = dh->p;
- r[1] = dh->g;
- r[2] = dh->pub_key;
+ DH_get0_pqg(dh, &r[0], NULL, &r[1]);
+ DH_get0_key(dh, &r[2], NULL);
} else
#endif
#ifndef OPENSSL_NO_EC
MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
{
int al;
- unsigned int i;
unsigned long alg_k;
#ifndef OPENSSL_NO_RSA
RSA *rsa = NULL;
- EVP_PKEY *pkey = NULL;
#endif
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
EVP_PKEY *ckey = NULL;
#endif
PACKET enc_premaster;
- unsigned char *data, *rsa_decrypt = NULL;
+ unsigned char *rsa_decrypt = NULL;
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
size_t j;
/* FIX THIS UP EAY EAY EAY EAY */
- pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
- if ((pkey == NULL) ||
- (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
+ rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey);
+ if (rsa == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
SSL_R_MISSING_RSA_CERTIFICATE);
goto f_err;
}
- rsa = pkey->pkey.rsa;
/* SSLv3 and pre-standard DTLS omit the length bytes. */
if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
EVP_PKEY *skey = NULL;
DH *cdh;
+ unsigned int i;
+ BIGNUM *pub_key;
+ const unsigned char *data;
if (!PACKET_get_net_2(pkt, &i)) {
if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
goto err;
}
cdh = EVP_PKEY_get0_DH(ckey);
- cdh->pub_key = BN_bin2bn(data, i, NULL);
- if (cdh->pub_key == NULL) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
+ pub_key = BN_bin2bn(data, i, NULL);
+
+ if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ if (pub_key != NULL)
+ BN_free(pub_key);
goto err;
}
EVP_PKEY_free(ckey);
ckey = NULL;
+ EVP_PKEY_free(s->s3->tmp.pkey);
+ s->s3->tmp.pkey = NULL;
} else
#endif
#ifndef OPENSSL_NO_EC
- if (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)) {
- EVP_PKEY *skey = NULL;
-
- /* Let's get server private key and group information */
- if (alg_k & (SSL_kECDHr | SSL_kECDHe)) {
- /* use the certificate */
- skey = s->cert->pkeys[SSL_PKEY_ECC].privatekey;
- } else {
- /*
- * use the ephermeral values we saved when generating the
- * ServerKeyExchange msg.
- */
- skey = s->s3->tmp.pkey;
- }
+ if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
+ EVP_PKEY *skey = s->s3->tmp.pkey;
if (PACKET_remaining(pkt) == 0L) {
/* We don't support ECDH client auth */
SSL_R_MISSING_TMP_ECDH_KEY);
goto f_err;
} else {
+ unsigned int i;
+ const unsigned char *data;
+
/*
* Get client's public key from encoded point in the
* ClientKeyExchange message.
EVP_PKEY_free(ckey);
ckey = NULL;
+ EVP_PKEY_free(s->s3->tmp.pkey);
+ s->s3->tmp.pkey = NULL;
return MSG_PROCESS_CONTINUE_PROCESSING;
} else
#endif
#ifndef OPENSSL_NO_SRP
if (alg_k & SSL_kSRP) {
+ unsigned int i;
+ const unsigned char *data;
+
if (!PACKET_get_net_2(pkt, &i)
|| !PACKET_get_bytes(pkt, &data, i)) {
al = SSL_AD_DECODE_ERROR;
if (alg_k & SSL_kGOST) {
EVP_PKEY_CTX *pkey_ctx;
EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
- unsigned char premaster_secret[32], *start;
+ unsigned char premaster_secret[32];
+ const unsigned char *start;
size_t outlen = 32, inlen;
unsigned long alg_a;
int Ttag, Tclass;
long Tlen;
long sess_key_len;
+ const unsigned char *data;
/* Get our certificate private key */
alg_a = s->s3->tmp.new_cipher->algorithm_auth;
MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
{
EVP_PKEY *pkey = NULL;
- unsigned char *sig, *data;
+ const unsigned char *sig, *data;
+#ifndef OPENSSL_NO_GOST
+ unsigned char *gost_data = NULL;
+#endif
int al, ret = MSG_PROCESS_ERROR;
int type = 0, j;
unsigned int len;
* length field (CryptoPro implementations at least till CSP 4.0)
*/
#ifndef OPENSSL_NO_GOST
- if (PACKET_remaining(pkt) == 64 && pkey->type == NID_id_GostR3410_2001) {
+ if (PACKET_remaining(pkt) == 64
+ && EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
len = 64;
} else
#endif
}
#ifndef OPENSSL_NO_GOST
- if (pkey->type == NID_id_GostR3410_2001
- || pkey->type == NID_id_GostR3410_2012_256
- || pkey->type == NID_id_GostR3410_2012_512) {
- BUF_reverse(data, NULL, len);
+ {
+ int pktype = EVP_PKEY_id(pkey);
+ if (pktype == NID_id_GostR3410_2001
+ || pktype == NID_id_GostR3410_2012_256
+ || pktype == NID_id_GostR3410_2012_512) {
+ if ((gost_data = OPENSSL_malloc(len)) == NULL) {
+ SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
+ al = SSL_AD_INTERNAL_ERROR;
+ goto f_err;
+ }
+ BUF_reverse(gost_data, data, len);
+ data = gost_data;
+ }
}
#endif
BIO_free(s->s3->handshake_buffer);
s->s3->handshake_buffer = NULL;
EVP_MD_CTX_free(mctx);
+#ifndef OPENSSL_NO_GOST
+ OPENSSL_free(gost_data);
+#endif
return ret;
}
int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
X509 *x = NULL;
unsigned long l, llen;
- const unsigned char *certstart;
- unsigned char *certbytes;
+ const unsigned char *certstart, *certbytes;
STACK_OF(X509) *sk = NULL;
PACKET spkt;
int tls_construct_new_session_ticket(SSL *s)
{
unsigned char *senc = NULL;
- EVP_CIPHER_CTX ctx;
+ EVP_CIPHER_CTX *ctx;
HMAC_CTX *hctx = NULL;
unsigned char *p, *macstart;
const unsigned char *const_p;
return 0;
}
- EVP_CIPHER_CTX_init(&ctx);
+ ctx = EVP_CIPHER_CTX_new();
hctx = HMAC_CTX_new();
p = senc;
* all the work otherwise use generated values from parent ctx.
*/
if (tctx->tlsext_ticket_key_cb) {
- if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, hctx, 1) < 0)
+ if (tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx, hctx, 1) < 0)
goto err;
} else {
if (RAND_bytes(iv, 16) <= 0)
goto err;
- if (!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
+ if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
tctx->tlsext_tick_aes_key, iv))
goto err;
if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
memcpy(p, key_name, 16);
p += 16;
/* output IV */
- memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
- p += EVP_CIPHER_CTX_iv_length(&ctx);
+ memcpy(p, iv, EVP_CIPHER_CTX_iv_length(ctx));
+ p += EVP_CIPHER_CTX_iv_length(ctx);
/* Encrypt session data */
- if (!EVP_EncryptUpdate(&ctx, p, &len, senc, slen))
+ if (!EVP_EncryptUpdate(ctx, p, &len, senc, slen))
goto err;
p += len;
- if (!EVP_EncryptFinal(&ctx, p, &len))
+ if (!EVP_EncryptFinal(ctx, p, &len))
goto err;
p += len;
if (!HMAC_Final(hctx, p, &hlen))
goto err;
- EVP_CIPHER_CTX_cleanup(&ctx);
+ EVP_CIPHER_CTX_free(ctx);
HMAC_CTX_free(hctx);
+ ctx = NULL;
+ hctx = NULL;
p += hlen;
/* Now write out lengths: p points to end of data written */
return 1;
err:
OPENSSL_free(senc);
- EVP_CIPHER_CTX_cleanup(&ctx);
+ EVP_CIPHER_CTX_free(ctx);
HMAC_CTX_free(hctx);
ossl_statem_set_error(s);
return 0;
goto err;
}
s->s3->send_connection_binding = 1;
-#ifdef OPENSSL_RI_DEBUG
- fprintf(stderr, "SCSV received by server\n");
-#endif
continue;
}
* version. Fail if the current version is an unexpected
* downgrade.
*/
- if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) {
+ if (!ssl_check_version_downgrade(s)) {
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
SSL_R_INAPPROPRIATE_FALLBACK);
*al = SSL_AD_INAPPROPRIATE_FALLBACK;