case TLS_ST_SW_SRVR_HELLO:
if (SSL_IS_DTLS(s)) {
/*
- * Messages we write from now on should be bufferred and
+ * Messages we write from now on should be buffered and
* retransmitted if necessary, so we need to use the timer now
*/
st->use_timer = 1;
case TLS_ST_SR_KEY_EXCH:
return tls_post_process_client_key_exchange(s, wst);
-
- case TLS_ST_SR_CERT_VRFY:
-#ifndef OPENSSL_NO_SCTP
- if ( /* Is this SCTP? */
- BIO_dgram_is_sctp(SSL_get_wbio(s))
- /* Are we renegotiating? */
- && s->renegotiate && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
- s->s3->in_read_app_data = 2;
- s->rwstate = SSL_READING;
- BIO_clear_retry_flags(SSL_get_rbio(s));
- BIO_set_retry_read(SSL_get_rbio(s));
- ossl_statem_set_sctp_read_sock(s, 1);
- return WORK_MORE_A;
- } else {
- ossl_statem_set_sctp_read_sock(s, 0);
- }
-#endif
- return WORK_FINISHED_CONTINUE;
}
return WORK_FINISHED_CONTINUE;
}
* SNI,
* elliptic_curves
* ec_point_formats
+ * signature_algorithms (for TLSv1.2 only)
*
* We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
* but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
/* Preserve the raw extensions PACKET for later use */
extensions = clienthello->extensions;
- if (!tls_collect_extensions(s, &extensions, EXT_CLIENT_HELLO,
+ if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
&clienthello->pre_proc_exts, &al,
- &clienthello->pre_proc_exts_len)) {
+ &clienthello->pre_proc_exts_len, 1)) {
/* SSLerr already been called */
goto f_err;
}
return MSG_PROCESS_ERROR;
}
-static int tls_early_post_process_client_hello(SSL *s, int *al)
+static int tls_early_post_process_client_hello(SSL *s, int *pal)
{
unsigned int j;
- int i;
+ int i, al = SSL_AD_INTERNAL_ERROR;
int protverr;
size_t loop;
unsigned long id;
STACK_OF(SSL_CIPHER) *ciphers = NULL;
STACK_OF(SSL_CIPHER) *scsvs = NULL;
CLIENTHELLO_MSG *clienthello = s->clienthello;
+ DOWNGRADE dgrd = DOWNGRADE_NONE;
- *al = SSL_AD_INTERNAL_ERROR;
/* Finished parsing the ClientHello, now we can start processing it */
/* Give the early callback a crack at things */
if (s->ctx->early_cb != NULL) {
int code;
/* A failure in the early callback terminates the connection. */
- code = s->ctx->early_cb(s, al, s->ctx->early_cb_arg);
+ code = s->ctx->early_cb(s, &al, s->ctx->early_cb_arg);
if (code == 0)
goto err;
if (code < 0) {
* versions are potentially compatible. Version negotiation comes later.
*/
if (!SSL_IS_DTLS(s)) {
- protverr = ssl_choose_server_version(s, clienthello);
+ protverr = ssl_choose_server_version(s, clienthello, &dgrd);
} else if (s->method->version != DTLS_ANY_VERSION &&
DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
protverr = SSL_R_VERSION_TOO_LOW;
/* like ssl3_get_record, send alert using remote version number */
s->version = s->client_version = clienthello->legacy_version;
}
- *al = SSL_AD_PROTOCOL_VERSION;
+ al = SSL_AD_PROTOCOL_VERSION;
+ goto err;
+ }
+
+ /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
+ if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
+ SSL_R_NOT_ON_RECORD_BOUNDARY);
goto err;
}
if (s->ctx->app_verify_cookie_cb != NULL) {
if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie,
clienthello->dtls_cookie_len) == 0) {
- *al = SSL_AD_HANDSHAKE_FAILURE;
+ al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_COOKIE_MISMATCH);
goto err;
} else if (s->d1->cookie_len != clienthello->dtls_cookie_len
|| memcmp(clienthello->dtls_cookie, s->d1->cookie,
s->d1->cookie_len) != 0) {
- *al = SSL_AD_HANDSHAKE_FAILURE;
+ al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
goto err;
}
s->d1->cookie_verified = 1;
}
if (s->method->version == DTLS_ANY_VERSION) {
- protverr = ssl_choose_server_version(s, clienthello);
+ protverr = ssl_choose_server_version(s, clienthello, &dgrd);
if (protverr != 0) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
s->version = s->client_version;
- *al = SSL_AD_PROTOCOL_VERSION;
+ al = SSL_AD_PROTOCOL_VERSION;
goto err;
}
}
/* We need to do this before getting the session */
if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
- EXT_CLIENT_HELLO,
- clienthello->pre_proc_exts, NULL, 0, al)) {
+ SSL_EXT_CLIENT_HELLO,
+ clienthello->pre_proc_exts, NULL, 0, &al)) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
goto err;
}
if (!ssl_get_new_session(s, 1))
goto err;
} else {
- i = ssl_get_prev_session(s, clienthello, al);
+ i = ssl_get_prev_session(s, clienthello, &al);
if (i == 1) {
/* previous session */
s->hit = 1;
}
if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
- clienthello->isv2, al) ||
+ clienthello->isv2, &al) ||
!bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs,
- clienthello->isv2, al)) {
+ clienthello->isv2, &al)) {
goto err;
}
/* SCSV is fatal if renegotiating */
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
- *al = SSL_AD_HANDSHAKE_FAILURE;
+ al = SSL_AD_HANDSHAKE_FAILURE;
goto err;
}
s->s3->send_connection_binding = 1;
*/
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_INAPPROPRIATE_FALLBACK);
- *al = SSL_AD_INAPPROPRIATE_FALLBACK;
+ al = SSL_AD_INAPPROPRIATE_FALLBACK;
goto err;
}
}
* we need to have the cipher in the cipher list if we are asked
* to reuse it
*/
- *al = SSL_AD_ILLEGAL_PARAMETER;
+ al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_REQUIRED_CIPHER_MISSING);
goto err;
if (loop >= clienthello->compressions_len) {
/* no compress */
- *al = SSL_AD_DECODE_ERROR;
+ al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
goto err;
}
#endif /* !OPENSSL_NO_EC */
/* TLS extensions */
- if (!tls_parse_all_extensions(s, EXT_CLIENT_HELLO,
- clienthello->pre_proc_exts, NULL, 0, al)) {
+ if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
+ clienthello->pre_proc_exts, NULL, 0, &al, 1)) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
goto err;
}
{
unsigned char *pos;
pos = s->s3->server_random;
- if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
+ if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
goto err;
}
}
pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
SSL_get_ciphers(s));
if (pref_cipher == NULL) {
- *al = SSL_AD_HANDSHAKE_FAILURE;
+ al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
goto err;
}
break;
}
if (k >= clienthello->compressions_len) {
- *al = SSL_AD_ILLEGAL_PARAMETER;
+ al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
goto err;
* Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
*/
- if (!s->hit) {
-#ifdef OPENSSL_NO_COMP
- s->session->compress_meth = 0;
-#else
- s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
-#endif
+ if (!s->hit || s->hello_retry_request) {
sk_SSL_CIPHER_free(s->session->ciphers);
s->session->ciphers = ciphers;
if (ciphers == NULL) {
- *al = SSL_AD_INTERNAL_ERROR;
+ al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
ciphers = NULL;
+ }
+
+ if (!s->hit) {
+#ifdef OPENSSL_NO_COMP
+ s->session->compress_meth = 0;
+#else
+ s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
+#endif
if (!tls1_set_server_sigalgs(s)) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
goto err;
return 1;
err:
ossl_statem_set_error(s);
+ *pal = al;
sk_SSL_CIPHER_free(ciphers);
sk_SSL_CIPHER_free(scsvs);
wst = WORK_MORE_B;
}
if (wst == WORK_MORE_B) {
- if (!s->hit) {
+ if (!s->hit || s->hello_retry_request) {
/* Let cert callback update server certificates if required */
if (s->cert->cert_cb) {
int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
SSL_R_NO_SHARED_CIPHER);
goto f_err;
}
- s->s3->tmp.new_cipher = cipher;
- if (!tls_choose_sigalg(s, &al))
+ if (SSL_IS_TLS13(s) && s->s3->tmp.new_cipher != NULL
+ && s->s3->tmp.new_cipher->id != cipher->id) {
+ /*
+ * A previous HRR picked a different ciphersuite to the one we
+ * just selected. Something must have changed.
+ */
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_BAD_CIPHER);
goto f_err;
- /* check whether we should disable session resumption */
- if (s->not_resumable_session_cb != NULL)
- s->session->not_resumable =
- s->not_resumable_session_cb(s, ((cipher->algorithm_mkey
- & (SSL_kDHE | SSL_kECDHE))
- != 0));
- if (s->session->not_resumable)
- /* do not send a session ticket */
- s->ext.ticket_expected = 0;
+ }
+ s->s3->tmp.new_cipher = cipher;
+ if (!s->hit) {
+ if (!tls_choose_sigalg(s, &al))
+ goto f_err;
+ /* check whether we should disable session resumption */
+ if (s->not_resumable_session_cb != NULL)
+ s->session->not_resumable =
+ s->not_resumable_session_cb(s, ((cipher->algorithm_mkey
+ & (SSL_kDHE | SSL_kECDHE))
+ != 0));
+ if (s->session->not_resumable)
+ /* do not send a session ticket */
+ s->ext.ticket_expected = 0;
+ }
} else {
/* Session-id reuse */
s->s3->tmp.new_cipher = s->session->cipher;
&& !WPACKET_put_bytes_u8(pkt, compm))
|| !tls_construct_extensions(s, pkt,
SSL_IS_TLS13(s)
- ? EXT_TLS1_3_SERVER_HELLO
- : EXT_TLS1_2_SERVER_HELLO,
+ ? SSL_EXT_TLS1_3_SERVER_HELLO
+ : SSL_EXT_TLS1_2_SERVER_HELLO,
NULL, 0, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
{
- int i;
- STACK_OF(X509_NAME) *sk = NULL;
+ int al = SSL_AD_INTERNAL_ERROR;
if (SSL_IS_TLS13(s)) {
/* TODO(TLS1.3) for now send empty request context */
ERR_R_INTERNAL_ERROR);
goto err;
}
- } else {
- /* get the list of acceptable cert types */
- if (!WPACKET_start_sub_packet_u8(pkt)
- || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
+
+ if (!tls_construct_extensions(s, pkt,
+ SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
+ 0, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
ERR_R_INTERNAL_ERROR);
goto err;
}
+ goto done;
+ }
+
+ /* get the list of acceptable cert types */
+ if (!WPACKET_start_sub_packet_u8(pkt)
+ || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
+ goto err;
}
if (SSL_USE_SIGALGS(s)) {
}
}
- /* Start sub-packet for client CA list */
- if (!WPACKET_start_sub_packet_u16(pkt)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
- sk = SSL_get_client_CA_list(s);
- if (sk != NULL) {
- for (i = 0; i < sk_X509_NAME_num(sk); i++) {
- unsigned char *namebytes;
- X509_NAME *name = sk_X509_NAME_value(sk, i);
- int namelen;
-
- if (name == NULL
- || (namelen = i2d_X509_NAME(name, NULL)) < 0
- || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
- &namebytes)
- || i2d_X509_NAME(name, &namebytes) != namelen) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
- ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
- }
- /* else no CA names */
- if (!WPACKET_close(pkt)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- /*
- * TODO(TLS1.3) implement configurable certificate_extensions
- * For now just send zero length extensions.
- */
- if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u16(pkt, 0)) {
+ if (!construct_ca_names(s, pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
goto err;
}
+ done:
s->s3->tmp.cert_request = 1;
-
return 1;
err:
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
return 0;
}
BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
sizeof(sctpauthkey), sctpauthkey);
}
- wst = WORK_MORE_B;
- }
-
- if ((wst == WORK_MORE_B)
- /* Is this SCTP? */
- && BIO_dgram_is_sctp(SSL_get_wbio(s))
- /* Are we renegotiating? */
- && s->renegotiate
- /* Are we going to skip the CertificateVerify? */
- && (s->session->peer == NULL || s->statem.no_cert_verify)
- && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
- s->s3->in_read_app_data = 2;
- s->rwstate = SSL_READING;
- BIO_clear_retry_flags(SSL_get_rbio(s));
- BIO_set_retry_read(SSL_get_rbio(s));
- ossl_statem_set_sctp_read_sock(s, 1);
- return WORK_MORE_B;
- } else {
- ossl_statem_set_sctp_read_sock(s, 0);
}
#endif
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_BAD_LENGTH);
goto f_err;
}
- if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE,
- &rawexts, &al, NULL)
- || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE,
- rawexts, x, chainidx, &al)) {
+ if (!tls_collect_extensions(s, &extensions,
+ SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
+ &al, NULL, chainidx == 0)
+ || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
+ rawexts, x, chainidx, &al,
+ PACKET_remaining(&spkt) == 0)) {
OPENSSL_free(rawexts);
goto f_err;
}
|| !WPACKET_close(pkt)
|| (SSL_IS_TLS13(s)
&& !tls_construct_extensions(s, pkt,
- EXT_TLS1_3_NEW_SESSION_TICKET,
+ SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
NULL, 0, &al))) {
SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
goto err;
{
int al;
- if (!tls_construct_extensions(s, pkt, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
+ if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
NULL, 0, &al)) {
ssl3_send_alert(s, SSL3_AL_FATAL, al);
SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR);
static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt)
{
int al = SSL_AD_INTERNAL_ERROR;
+ size_t len = 0;
/*
* TODO(TLS1.3): Remove the DRAFT version before release
* (should be s->version)
*/
if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
- || !tls_construct_extensions(s, pkt, EXT_TLS1_3_HELLO_RETRY_REQUEST,
+ || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
+ || !tls_construct_extensions(s, pkt,
+ SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
NULL, 0, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR);
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
- return 0;
+ goto err;
}
/* Ditch the session. We'll create a new one next time around */
s->session = NULL;
s->hit = 0;
+ /*
+ * Re-initialise the Transcript Hash. We're going to prepopulate it with
+ * a synthetic message_hash in place of ClientHello1.
+ */
+ if (!create_synthetic_message_hash(s))
+ goto err;
+
return 1;
+ err:
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ return 0;
}
MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
projects / openssl.git / blobdiff