X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_clnt.c;h=f81f1602377271ba5819cda84e9af346bda59c7f;hp=1e611c44bebf65d963d63c416d43b2702adaeceb;hb=6c26d0df8318983ff3f2a869d21871dcc1d6b7cc;hpb=10bf4fc2c3da332a54247da1f3c0dcb44944f7ff diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 1e611c44be..f81f160237 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -165,6 +165,9 @@ #endif static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b); +#ifndef OPENSSL_NO_TLSEXT +static int ssl3_check_finished(SSL *s); +#endif #ifndef OPENSSL_NO_SSL3_METHOD static const SSL_METHOD *ssl3_get_client_method(int ver) @@ -197,8 +200,10 @@ int ssl3_connect(SSL *s) cb = s->ctx->info_callback; s->in_handshake++; - if (!SSL_in_init(s) || SSL_in_before(s)) - SSL_clear(s); + if (!SSL_in_init(s) || SSL_in_before(s)) { + if (!SSL_clear(s)) + return -1; + } #ifndef OPENSSL_NO_HEARTBEATS /* @@ -319,6 +324,18 @@ int ssl3_connect(SSL *s) break; case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: +#ifndef OPENSSL_NO_TLSEXT + /* Noop (ret = 0) for everything but EAP-FAST. */ + ret = ssl3_check_finished(s); + if (ret < 0) + goto end; + if (ret == 1) { + s->hit = 1; + s->state = SSL3_ST_CR_FINISHED_A; + s->init_num = 0; + break; + } +#endif /* Check if it is anon DH/ECDH, SRP auth */ /* or PSK */ if (! @@ -555,7 +572,8 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; + if (!s->s3->change_cipher_spec) + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B); if (ret <= 0) @@ -581,11 +599,8 @@ int ssl3_connect(SSL *s) case SSL_ST_OK: /* clean a few things up */ ssl3_cleanup_key_block(s); - - if (s->init_buf != NULL) { - BUF_MEM_free(s->init_buf); - s->init_buf = NULL; - } + BUF_MEM_free(s->init_buf); + s->init_buf = NULL; /* * If we are not 'joining' the last two packets, remove the @@ -639,8 +654,7 @@ int ssl3_connect(SSL *s) } end: s->in_handshake--; - if (buf != NULL) - BUF_MEM_free(buf); + BUF_MEM_free(buf); if (cb != NULL) cb(s, SSL_CB_CONNECT_EXIT, ret); return (ret); @@ -661,9 +675,17 @@ int ssl3_client_hello(SSL *s) buf = (unsigned char *)s->init_buf->data; if (s->state == SSL3_ST_CW_CLNT_HELLO_A) { SSL_SESSION *sess = s->session; - if ((sess == NULL) || - (sess->ssl_version != s->version) || - !sess->session_id_length || (sess->not_resumable)) { + if ((sess == NULL) || (sess->ssl_version != s->version) || +#ifdef OPENSSL_NO_TLSEXT + !sess->session_id_length || +#else + /* + * In the case of EAP-FAST, we can have a pre-shared + * "ticket" without a session ID. + */ + (!sess->session_id_length && !sess->tlsext_tick) || +#endif + (sess->not_resumable)) { if (!ssl_get_new_session(s, 0)) goto err; } @@ -841,7 +863,11 @@ int ssl3_client_hello(SSL *s) #endif l = p - d; - ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l); + if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) { + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + goto err; + } s->state = SSL3_ST_CW_CLNT_HELLO_B; } @@ -947,10 +973,19 @@ int ssl3_get_server_hello(SSL *s) } #ifndef OPENSSL_NO_TLSEXT /* - * check if we want to resume the session based on external pre-shared - * secret + * Check if we can resume the session based on external pre-shared secret. + * EAP-FAST (RFC 4851) supports two types of session resumption. + * Resumption based on server-side state works with session IDs. + * Resumption based on pre-shared Protected Access Credentials (PACs) + * works by overriding the SessionTicket extension at the application + * layer, and does not send a session ID. (We do not know whether EAP-FAST + * servers would honour the session ID.) Therefore, the session ID alone + * is not a reliable indicator of session resumption, so we first check if + * we can resume, and later peek at the next handshake message to see if the + * server wants to resume. */ - if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) { + if (s->version >= TLS1_VERSION && s->tls_session_secret_cb && + s->session->tlsext_tick) { SSL_CIPHER *pref_cipher = NULL; s->session->master_key_length = sizeof(s->session->master_key); if (s->tls_session_secret_cb(s, s->session->master_key, @@ -959,12 +994,15 @@ int ssl3_get_server_hello(SSL *s) s->tls_session_secret_cb_arg)) { s->session->cipher = pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s, p + j); - s->hit = 1; + } else { + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); + al = SSL_AD_INTERNAL_ERROR; + goto f_err; } } #endif /* OPENSSL_NO_TLSEXT */ - if (!s->hit && j != 0 && j == s->session->session_id_length + if (j != 0 && j == s->session->session_id_length && memcmp(p, s->session->session_id, j) == 0) { if (s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { @@ -975,12 +1013,13 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } s->hit = 1; - } - /* a miss or crap from the other end */ - if (!s->hit) { + } else { /* - * If we were trying for session-id reuse, make a new SSL_SESSION so - * we don't stuff up other people + * If we were trying for session-id reuse but the server + * didn't echo the ID, make a new SSL_SESSION. + * In the case of EAP-FAST and PAC, we do not send a session ID, + * so the PAC-based session secret is always preserved. It'll be + * overwritten if the server refuses resumption. */ if (s->session->session_id_length > 0) { if (!ssl_get_new_session(s, 0)) { @@ -1146,7 +1185,7 @@ int ssl3_get_server_certificate(SSL *s) if ((sk = sk_X509_new_null()) == NULL) { SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); - goto err; + goto done; } n2l3(p, llen); @@ -1179,7 +1218,7 @@ int ssl3_get_server_certificate(SSL *s) } if (!sk_X509_push(sk, x)) { SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); - goto err; + goto done; } x = NULL; nc += l + 3; @@ -1207,10 +1246,9 @@ int ssl3_get_server_certificate(SSL *s) sc = ssl_sess_cert_new(); if (sc == NULL) - goto err; + goto done; - if (s->session->sess_cert) - ssl_sess_cert_free(s->session->sess_cert); + ssl_sess_cert_free(s->session->sess_cert); s->session->sess_cert = sc; sc->cert_chain = sk; @@ -1272,32 +1310,29 @@ int ssl3_get_server_certificate(SSL *s) * Why would the following ever happen? We just created sc a couple * of lines ago. */ - if (sc->peer_pkeys[i].x509 != NULL) - X509_free(sc->peer_pkeys[i].x509); + X509_free(sc->peer_pkeys[i].x509); sc->peer_pkeys[i].x509 = x; sc->peer_key = &(sc->peer_pkeys[i]); - if (s->session->peer != NULL) - X509_free(s->session->peer); + X509_free(s->session->peer); CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); s->session->peer = x; } else { sc->peer_cert_type = i; sc->peer_key = NULL; - if (s->session->peer != NULL) - X509_free(s->session->peer); + X509_free(s->session->peer); s->session->peer = NULL; } s->session->verify_result = s->verify_result; x = NULL; ret = 1; - if (0) { + goto done; + f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - } - err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + done: EVP_PKEY_free(pkey); X509_free(x); sk_X509_pop_free(sk, X509_free); @@ -1362,8 +1397,7 @@ int ssl3_get_key_exchange(SSL *s) */ if (alg_k & SSL_kPSK) { s->session->sess_cert = ssl_sess_cert_new(); - if (s->ctx->psk_identity_hint) - OPENSSL_free(s->ctx->psk_identity_hint); + OPENSSL_free(s->ctx->psk_identity_hint); s->ctx->psk_identity_hint = NULL; } #endif @@ -1374,22 +1408,16 @@ int ssl3_get_key_exchange(SSL *s) param = p = (unsigned char *)s->init_msg; if (s->session->sess_cert != NULL) { #ifndef OPENSSL_NO_RSA - if (s->session->sess_cert->peer_rsa_tmp != NULL) { - RSA_free(s->session->sess_cert->peer_rsa_tmp); - s->session->sess_cert->peer_rsa_tmp = NULL; - } + RSA_free(s->session->sess_cert->peer_rsa_tmp); + s->session->sess_cert->peer_rsa_tmp = NULL; #endif #ifndef OPENSSL_NO_DH - if (s->session->sess_cert->peer_dh_tmp) { - DH_free(s->session->sess_cert->peer_dh_tmp); - s->session->sess_cert->peer_dh_tmp = NULL; - } + DH_free(s->session->sess_cert->peer_dh_tmp); + s->session->sess_cert->peer_dh_tmp = NULL; #endif #ifndef OPENSSL_NO_EC - if (s->session->sess_cert->peer_ecdh_tmp) { - EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); - s->session->sess_cert->peer_ecdh_tmp = NULL; - } + EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); + s->session->sess_cert->peer_ecdh_tmp = NULL; #endif } else { s->session->sess_cert = ssl_sess_cert_new(); @@ -1438,8 +1466,7 @@ int ssl3_get_key_exchange(SSL *s) */ memcpy(tmp_id_hint, p, i); memset(tmp_id_hint + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i); - if (s->ctx->psk_identity_hint != NULL) - OPENSSL_free(s->ctx->psk_identity_hint); + OPENSSL_free(s->ctx->psk_identity_hint); s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); if (s->ctx->psk_identity_hint == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; @@ -1716,11 +1743,6 @@ int ssl3_get_key_exchange(SSL *s) s->session->sess_cert->peer_dh_tmp = dh; dh = NULL; - } else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); - goto f_err; } #endif /* !OPENSSL_NO_DH */ @@ -1954,18 +1976,15 @@ int ssl3_get_key_exchange(SSL *s) err: EVP_PKEY_free(pkey); #ifndef OPENSSL_NO_RSA - if (rsa != NULL) - RSA_free(rsa); + RSA_free(rsa); #endif #ifndef OPENSSL_NO_DH - if (dh != NULL) - DH_free(dh); + DH_free(dh); #endif #ifndef OPENSSL_NO_EC BN_CTX_free(bn_ctx); EC_POINT_free(srvr_ecpoint); - if (ecdh != NULL) - EC_KEY_free(ecdh); + EC_KEY_free(ecdh); #endif EVP_MD_CTX_cleanup(&md_ctx); return (-1); @@ -2029,10 +2048,8 @@ int ssl3_get_certificate_request(SSL *s) /* get the certificate types */ ctype_num = *(p++); - if (s->cert->ctypes) { - OPENSSL_free(s->cert->ctypes); - s->cert->ctypes = NULL; - } + OPENSSL_free(s->cert->ctypes); + s->cert->ctypes = NULL; if (ctype_num > SSL3_CT_NUMBER) { /* If we exceed static buffer copy all to cert structure */ s->cert->ctypes = OPENSSL_malloc(ctype_num); @@ -2121,15 +2138,13 @@ int ssl3_get_certificate_request(SSL *s) /* we should setup a certificate to return.... */ s->s3->tmp.cert_req = 1; s->s3->tmp.ctype_num = ctype_num; - if (s->s3->tmp.ca_names != NULL) - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); s->s3->tmp.ca_names = ca_sk; ca_sk = NULL; ret = 1; err: - if (ca_sk != NULL) - sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); + sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); return (ret); } @@ -2170,10 +2185,8 @@ int ssl3_get_new_session_ticket(SSL *s) SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH); goto f_err; } - if (s->session->tlsext_tick) { - OPENSSL_free(s->session->tlsext_tick); - s->session->tlsext_ticklen = 0; - } + OPENSSL_free(s->session->tlsext_tick); + s->session->tlsext_ticklen = 0; s->session->tlsext_tick = OPENSSL_malloc(ticklen); if (!s->session->tlsext_tick) { SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); @@ -2234,8 +2247,7 @@ int ssl3_get_cert_status(SSL *s) SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH); goto f_err; } - if (s->tlsext_ocsp_resp) - OPENSSL_free(s->tlsext_ocsp_resp); + OPENSSL_free(s->tlsext_ocsp_resp); s->tlsext_ocsp_resp = BUF_memdup(p, resplen); if (!s->tlsext_ocsp_resp) { al = SSL_AD_INTERNAL_ERROR; @@ -2580,6 +2592,7 @@ int ssl3_send_client_key_exchange(SSL *s) DH_free(dh_clnt); goto err; } + pmslen = n; if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) n = 0; @@ -2762,10 +2775,8 @@ int ssl3_send_client_key_exchange(SSL *s) /* Free allocated memory */ BN_CTX_free(bn_ctx); - if (encodedPoint != NULL) - OPENSSL_free(encodedPoint); - if (clnt_ecdh != NULL) - EC_KEY_free(clnt_ecdh); + OPENSSL_free(encodedPoint); + EC_KEY_free(clnt_ecdh); EVP_PKEY_free(srvr_pub_pkey); } #endif /* !OPENSSL_NO_EC */ @@ -2814,7 +2825,12 @@ int ssl3_send_client_key_exchange(SSL *s) EVP_PKEY_encrypt_init(pkey_ctx); /* Generate session key */ - RAND_bytes(pms, pmslen); + if (RAND_bytes(pms, pmslen) <= 0) { + EVP_PKEY_CTX_free(pkey_ctx); + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + }; /* * If we have client certificate, use its secret as peer key */ @@ -2891,8 +2907,7 @@ int ssl3_send_client_key_exchange(SSL *s) ERR_R_INTERNAL_ERROR); goto err; } - if (s->session->srp_username != NULL) - OPENSSL_free(s->session->srp_username); + OPENSSL_free(s->session->srp_username); s->session->srp_username = BUF_strdup(s->srp_ctx.login); if (s->session->srp_username == NULL) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, @@ -2957,8 +2972,7 @@ int ssl3_send_client_key_exchange(SSL *s) t += psk_len; s2n(psk_len, t); - if (s->session->psk_identity_hint != NULL) - OPENSSL_free(s->session->psk_identity_hint); + OPENSSL_free(s->session->psk_identity_hint); s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); if (s->ctx->psk_identity_hint != NULL @@ -2968,8 +2982,7 @@ int ssl3_send_client_key_exchange(SSL *s) goto psk_err; } - if (s->session->psk_identity != NULL) - OPENSSL_free(s->session->psk_identity); + OPENSSL_free(s->session->psk_identity); s->session->psk_identity = BUF_strdup(identity); if (s->session->psk_identity == NULL) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, @@ -2995,7 +3008,12 @@ int ssl3_send_client_key_exchange(SSL *s) goto err; } - ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n); + if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n)) { + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto err; + } + s->state = SSL3_ST_CW_KEY_EXCH_B; } @@ -3040,26 +3058,25 @@ int ssl3_send_client_key_exchange(SSL *s) s-> session->master_key, pms, pmslen); - OPENSSL_cleanse(pms, pmslen); - OPENSSL_free(pms); + OPENSSL_clear_free(pms, pmslen); s->cert->pms = NULL; + if (s->session->master_key_length < 0) { + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto err; + } } return n; memerr: ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); err: - if (pms) { - OPENSSL_cleanse(pms, pmslen); - OPENSSL_free(pms); - s->cert->pms = NULL; - } + OPENSSL_clear_free(pms, pmslen); + s->cert->pms = NULL; #ifndef OPENSSL_NO_EC BN_CTX_free(bn_ctx); - if (encodedPoint != NULL) - OPENSSL_free(encodedPoint); - if (clnt_ecdh != NULL) - EC_KEY_free(clnt_ecdh); + OPENSSL_free(encodedPoint); + EC_KEY_free(clnt_ecdh); EVP_PKEY_free(srvr_pub_pkey); #endif return (-1); @@ -3189,7 +3206,10 @@ int ssl3_send_client_verify(SSL *s) SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; } - ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n); + if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n)) { + SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } s->state = SSL3_ST_CW_CERT_VRFY_B; } EVP_MD_CTX_cleanup(&mctx); @@ -3294,10 +3314,8 @@ int ssl3_send_client_certificate(SSL *s) SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); } - if (x509 != NULL) - X509_free(x509); - if (pkey != NULL) - EVP_PKEY_free(pkey); + X509_free(x509); + EVP_PKEY_free(pkey); if (i && !ssl3_check_client_certificate(s)) i = 0; if (i == 0) { @@ -3465,13 +3483,56 @@ int ssl3_check_cert_and_algorithm(SSL *s) return (0); } +#ifndef OPENSSL_NO_TLSEXT /* - * Check to see if handshake is full or resumed. Usually this is just a case - * of checking to see if a cache hit has occurred. In the case of session - * tickets we have to check the next message to be sure. + * Normally, we can tell if the server is resuming the session from + * the session ID. EAP-FAST (RFC 4851), however, relies on the next server + * message after the ServerHello to determine if the server is resuming. + * Therefore, we allow EAP-FAST to peek ahead. + * ssl3_check_finished returns 1 if we are resuming from an external + * pre-shared secret, we have a "ticket" and the next server handshake message + * is Finished; and 0 otherwise. It returns -1 upon an error. */ +static int ssl3_check_finished(SSL *s) +{ + int ok = 0; + + if (s->version < TLS1_VERSION || !s->tls_session_secret_cb || + !s->session->tlsext_tick) + return 0; + + /* Need to permit this temporarily, in case the next message is Finished. */ + s->s3->flags |= SSL3_FLAGS_CCS_OK; + /* + * This function is called when we might get a Certificate message instead, + * so permit appropriate message length. + * We ignore the return value as we're only interested in the message type + * and not its length. + */ + s->method->ssl_get_message(s, + SSL3_ST_CR_CERT_A, + SSL3_ST_CR_CERT_B, + -1, s->max_cert_list, &ok); + s->s3->flags &= ~SSL3_FLAGS_CCS_OK; + + if (!ok) + return -1; + + s->s3->tmp.reuse_message = 1; + + if (s->s3->tmp.message_type == SSL3_MT_FINISHED) + return 1; + + /* If we're not done, then the CCS arrived early and we should bail. */ + if (s->s3->change_cipher_spec) { + SSLerr(SSL_F_SSL3_CHECK_FINISHED, SSL_R_CCS_RECEIVED_EARLY); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); + return -1; + } + + return 0; +} -#ifndef OPENSSL_NO_TLSEXT # ifndef OPENSSL_NO_NEXTPROTONEG int ssl3_send_next_proto(SSL *s) {