X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=a7f1e4d83ab174ecefd3e23a93a3f05819d62a56;hp=1a5c3f76b817d2dab3851079507c70b57ae2b6f8;hb=260009d877bfd6fe75aef08ecf4c366127f1f78e;hpb=677963e5a428739062ab5d46d5baed5eadd0195d diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 1a5c3f76b8..a7f1e4d83a 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1,9 +1,9 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html @@ -12,13 +12,19 @@ #include #include #include "internal/nelem.h" -#include "ssl_locl.h" -#include "e_os.h" +#include "ssl_local.h" #include #include #include +#include +#include #include "internal/cryptlib.h" +DEFINE_STACK_OF(X509_NAME) +DEFINE_STACK_OF(X509) +DEFINE_STACK_OF_CONST(SSL_CIPHER) + +#define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers) #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) #define SSL3_NUM_SCSVS OSSL_NELEM(ssl3_scsvs) @@ -30,6 +36,90 @@ const unsigned char tls12downgrade[] = { 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01 }; +/* The list of available TLSv1.3 ciphers */ +static SSL_CIPHER tls13_ciphers[] = { + { + 1, + TLS1_3_RFC_AES_128_GCM_SHA256, + TLS1_3_RFC_AES_128_GCM_SHA256, + TLS1_3_CK_AES_128_GCM_SHA256, + SSL_kANY, + SSL_aANY, + SSL_AES128GCM, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, + }, { + 1, + TLS1_3_RFC_AES_256_GCM_SHA384, + TLS1_3_RFC_AES_256_GCM_SHA384, + TLS1_3_CK_AES_256_GCM_SHA384, + SSL_kANY, + SSL_aANY, + SSL_AES256GCM, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384, + 256, + 256, + }, +#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) + { + 1, + TLS1_3_RFC_CHACHA20_POLY1305_SHA256, + TLS1_3_RFC_CHACHA20_POLY1305_SHA256, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + SSL_kANY, + SSL_aANY, + SSL_CHACHA20POLY1305, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 256, + 256, + }, +#endif + { + 1, + TLS1_3_RFC_AES_128_CCM_SHA256, + TLS1_3_RFC_AES_128_CCM_SHA256, + TLS1_3_CK_AES_128_CCM_SHA256, + SSL_kANY, + SSL_aANY, + SSL_AES128CCM, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, + }, { + 1, + TLS1_3_RFC_AES_128_CCM_8_SHA256, + TLS1_3_RFC_AES_128_CCM_8_SHA256, + TLS1_3_CK_AES_128_CCM_8_SHA256, + SSL_kANY, + SSL_aANY, + SSL_AES128CCM8, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, + } +}; + /* * The list of available ciphers, mostly organized into the following * groups: @@ -859,90 +949,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, - { - 1, - TLS1_3_TXT_AES_128_GCM_SHA256, - TLS1_3_RFC_AES_128_GCM_SHA256, - TLS1_3_CK_AES_128_GCM_SHA256, - 0, 0, - SSL_AES128GCM, - SSL_AEAD, - TLS1_3_VERSION, TLS1_3_VERSION, - SSL_kANY, - SSL_aANY, - SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256, - 128, - 128, - }, - { - 1, - TLS1_3_TXT_AES_256_GCM_SHA384, - TLS1_3_RFC_AES_256_GCM_SHA384, - TLS1_3_CK_AES_256_GCM_SHA384, - SSL_kANY, - SSL_aANY, - SSL_AES256GCM, - SSL_AEAD, - TLS1_3_VERSION, TLS1_3_VERSION, - 0, 0, - SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA384, - 256, - 256, - }, -#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) - { - 1, - TLS1_3_TXT_CHACHA20_POLY1305_SHA256, - TLS1_3_RFC_CHACHA20_POLY1305_SHA256, - TLS1_3_CK_CHACHA20_POLY1305_SHA256, - SSL_kANY, - SSL_aANY, - SSL_CHACHA20POLY1305, - SSL_AEAD, - TLS1_3_VERSION, TLS1_3_VERSION, - 0, 0, - SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256, - 256, - 256, - }, -#endif - { - 1, - TLS1_3_TXT_AES_128_CCM_SHA256, - TLS1_3_RFC_AES_128_CCM_SHA256, - TLS1_3_CK_AES_128_CCM_SHA256, - SSL_kANY, - SSL_aANY, - SSL_AES128CCM, - SSL_AEAD, - TLS1_3_VERSION, TLS1_3_VERSION, - 0, 0, - SSL_NOT_DEFAULT | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256, - 128, - 128, - }, - { - 1, - TLS1_3_TXT_AES_128_CCM_8_SHA256, - TLS1_3_RFC_AES_128_CCM_8_SHA256, - TLS1_3_CK_AES_128_CCM_8_SHA256, - SSL_kANY, - SSL_aANY, - SSL_AES128CCM8, - SSL_AEAD, - TLS1_3_VERSION, TLS1_3_VERSION, - 0, 0, - SSL_NOT_DEFAULT | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256, - 128, - 128, - }, - -#ifndef OPENSSL_NO_EC { 1, TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, @@ -1269,9 +1275,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -#endif /* OPENSSL_NO_EC */ - -#ifndef OPENSSL_NO_PSK { 1, TLS1_TXT_PSK_WITH_NULL_SHA, @@ -1758,7 +1761,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, -# ifndef OPENSSL_NO_EC # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, @@ -1889,10 +1891,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, -# endif /* OPENSSL_NO_EC */ -#endif /* OPENSSL_NO_PSK */ -#ifndef OPENSSL_NO_SRP # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, @@ -2039,10 +2038,8 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -#endif /* OPENSSL_NO_SRP */ #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) -# ifndef OPENSSL_NO_RSA { 1, TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, @@ -2059,9 +2056,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -# endif /* OPENSSL_NO_RSA */ - -# ifndef OPENSSL_NO_EC { 1, TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, @@ -2094,9 +2088,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -# endif /* OPENSSL_NO_EC */ - -# ifndef OPENSSL_NO_PSK { 1, TLS1_TXT_PSK_WITH_CHACHA20_POLY1305, @@ -2161,7 +2152,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -# endif /* OPENSSL_NO_PSK */ #endif /* !defined(OPENSSL_NO_CHACHA) && * !defined(OPENSSL_NO_POLY1305) */ @@ -2422,8 +2412,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, - -# ifndef OPENSSL_NO_EC { 1, TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, @@ -2488,9 +2476,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -# endif /* OPENSSL_NO_EC */ - -# ifndef OPENSSL_NO_PSK { 1, TLS1_TXT_PSK_WITH_CAMELLIA_128_CBC_SHA256, @@ -2619,8 +2604,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -# endif /* OPENSSL_NO_PSK */ - #endif /* OPENSSL_NO_CAMELLIA */ #ifndef OPENSSL_NO_GOST @@ -2658,7 +2641,23 @@ static SSL_CIPHER ssl3_ciphers[] = { }, { 1, - "GOST2012-GOST8912-GOST8912", + "IANA-GOST2012-GOST8912-GOST8912", + NULL, + 0x0300c102, + SSL_kGOST, + SSL_aGOST12 | SSL_aGOST01, + SSL_eGOST2814789CNT12, + SSL_GOST89MAC12, + TLS1_VERSION, TLS1_2_VERSION, + 0, 0, + SSL_HIGH, + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC, + 256, + 256, + }, + { + 1, + "LEGACY-GOST2012-GOST8912-GOST8912", NULL, 0x0300ff85, SSL_kGOST, @@ -2688,6 +2687,38 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, + { + 1, + "GOST2012-KUZNYECHIK-KUZNYECHIKOMAC", + NULL, + 0x0300C100, + SSL_kGOST18, + SSL_aGOST12, + SSL_KUZNYECHIK, + SSL_KUZNYECHIKOMAC, + TLS1_2_VERSION, TLS1_2_VERSION, + 0, 0, + SSL_HIGH, + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_TLSTREE, + 256, + 256, + }, + { + 1, + "GOST2012-MAGMA-MAGMAOMAC", + NULL, + 0x0300C101, + SSL_kGOST18, + SSL_aGOST12, + SSL_MAGMA, + SSL_MAGMAOMAC, + TLS1_2_VERSION, TLS1_2_VERSION, + 0, 0, + SSL_HIGH, + SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_TLSTREE, + 256, + 256, + }, #endif /* OPENSSL_NO_GOST */ #ifndef OPENSSL_NO_IDEA @@ -2825,8 +2856,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, - -# ifndef OPENSSL_NO_EC { 1, TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA, @@ -2891,9 +2920,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, -# endif /* OPENSSL_NO_EC */ - -# ifndef OPENSSL_NO_PSK { 1, TLS1_TXT_PSK_WITH_RC4_128_SHA, @@ -2942,10 +2968,266 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, -# endif /* OPENSSL_NO_PSK */ - #endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */ +#ifndef OPENSSL_NO_ARIA + { + 1, + TLS1_TXT_RSA_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_RSA_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_RSA_WITH_ARIA_128_GCM_SHA256, + SSL_kRSA, + SSL_aRSA, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_RSA_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_RSA_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_RSA_WITH_ARIA_256_GCM_SHA384, + SSL_kRSA, + SSL_aRSA, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_DHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_DHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_DHE_RSA_WITH_ARIA_128_GCM_SHA256, + SSL_kDHE, + SSL_aRSA, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_DHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_DHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_DHE_RSA_WITH_ARIA_256_GCM_SHA384, + SSL_kDHE, + SSL_aRSA, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_DHE_DSS_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_DHE_DSS_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_DHE_DSS_WITH_ARIA_128_GCM_SHA256, + SSL_kDHE, + SSL_aDSS, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_DHE_DSS_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_DHE_DSS_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_DHE_DSS_WITH_ARIA_256_GCM_SHA384, + SSL_kDHE, + SSL_aDSS, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, + SSL_kECDHE, + SSL_aECDSA, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, + SSL_kECDHE, + SSL_aECDSA, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, + SSL_kECDHE, + SSL_aRSA, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, + SSL_kECDHE, + SSL_aRSA, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_PSK_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_PSK_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_PSK_WITH_ARIA_128_GCM_SHA256, + SSL_kPSK, + SSL_aPSK, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_PSK_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_PSK_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_PSK_WITH_ARIA_256_GCM_SHA384, + SSL_kPSK, + SSL_aPSK, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_DHE_PSK_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_DHE_PSK_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_DHE_PSK_WITH_ARIA_128_GCM_SHA256, + SSL_kDHEPSK, + SSL_aPSK, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_DHE_PSK_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_DHE_PSK_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_DHE_PSK_WITH_ARIA_256_GCM_SHA384, + SSL_kDHEPSK, + SSL_aPSK, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_RSA_PSK_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_RSA_PSK_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_RSA_PSK_WITH_ARIA_128_GCM_SHA256, + SSL_kRSAPSK, + SSL_aRSA, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_RSA_PSK_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_RSA_PSK_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_RSA_PSK_WITH_ARIA_256_GCM_SHA384, + SSL_kRSAPSK, + SSL_aRSA, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, +#endif /* OPENSSL_NO_ARIA */ }; /* @@ -2982,9 +3264,25 @@ static int cipher_compare(const void *a, const void *b) void ssl_sort_cipher_list(void) { - qsort(ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof ssl3_ciphers[0], + qsort(tls13_ciphers, TLS13_NUM_CIPHERS, sizeof(tls13_ciphers[0]), cipher_compare); - qsort(ssl3_scsvs, SSL3_NUM_SCSVS, sizeof ssl3_scsvs[0], cipher_compare); + qsort(ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof(ssl3_ciphers[0]), + cipher_compare); + qsort(ssl3_scsvs, SSL3_NUM_SCSVS, sizeof(ssl3_scsvs[0]), cipher_compare); +} + +static int ssl_undefined_function_1(SSL *ssl, unsigned char *r, size_t s, + const char * t, size_t u, + const unsigned char * v, size_t w, int x) +{ + (void)r; + (void)s; + (void)t; + (void)u; + (void)v; + (void)w; + (void)x; + return ssl_undefined_function(ssl); } const SSL3_ENC_METHOD SSLv3_enc_data = { @@ -2997,9 +3295,7 @@ const SSL3_ENC_METHOD SSLv3_enc_data = { SSL3_MD_CLIENT_FINISHED_CONST, 4, SSL3_MD_SERVER_FINISHED_CONST, 4, ssl3_alert_code, - (int (*)(SSL *, unsigned char *, size_t, const char *, - size_t, const unsigned char *, size_t, - int use_context))ssl_undefined_function, + ssl_undefined_function_1, 0, ssl3_set_handshake_header, tls_close_construct_packet, @@ -3017,15 +3313,15 @@ long ssl3_default_timeout(void) int ssl3_num_ciphers(void) { - return (SSL3_NUM_CIPHERS); + return SSL3_NUM_CIPHERS; } const SSL_CIPHER *ssl3_get_cipher(unsigned int u) { if (u < SSL3_NUM_CIPHERS) - return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u])); + return &(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]); else - return (NULL); + return NULL; } int ssl3_set_handshake_header(SSL *s, WPACKET *pkt, int htype) @@ -3049,76 +3345,72 @@ int ssl3_handshake_write(SSL *s) int ssl3_new(SSL *s) { - SSL3_STATE *s3; - - if ((s3 = OPENSSL_zalloc(sizeof(*s3))) == NULL) - goto err; - s->s3 = s3; - #ifndef OPENSSL_NO_SRP if (!SSL_SRP_CTX_init(s)) - goto err; + return 0; #endif if (!s->method->ssl_clear(s)) return 0; return 1; - err: - return 0; } void ssl3_free(SSL *s) { - if (s == NULL || s->s3 == NULL) + if (s == NULL) return; ssl3_cleanup_key_block(s); #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) - EVP_PKEY_free(s->s3->peer_tmp); - s->s3->peer_tmp = NULL; - EVP_PKEY_free(s->s3->tmp.pkey); - s->s3->tmp.pkey = NULL; + EVP_PKEY_free(s->s3.peer_tmp); + s->s3.peer_tmp = NULL; + EVP_PKEY_free(s->s3.tmp.pkey); + s->s3.tmp.pkey = NULL; #endif - OPENSSL_free(s->s3->tmp.ctype); - sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); - OPENSSL_free(s->s3->tmp.ciphers_raw); - OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); - OPENSSL_free(s->s3->tmp.peer_sigalgs); + ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); + ssl_evp_md_free(s->s3.tmp.new_hash); + + OPENSSL_free(s->s3.tmp.ctype); + sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free); + OPENSSL_free(s->s3.tmp.ciphers_raw); + OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen); + OPENSSL_free(s->s3.tmp.peer_sigalgs); + OPENSSL_free(s->s3.tmp.peer_cert_sigalgs); ssl3_free_digest_list(s); - OPENSSL_free(s->s3->alpn_selected); - OPENSSL_free(s->s3->alpn_proposed); + OPENSSL_free(s->s3.alpn_selected); + OPENSSL_free(s->s3.alpn_proposed); #ifndef OPENSSL_NO_SRP SSL_SRP_CTX_free(s); #endif - OPENSSL_clear_free(s->s3, sizeof(*s->s3)); - s->s3 = NULL; + memset(&s->s3, 0, sizeof(s->s3)); } int ssl3_clear(SSL *s) { ssl3_cleanup_key_block(s); - OPENSSL_free(s->s3->tmp.ctype); - sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); - OPENSSL_free(s->s3->tmp.ciphers_raw); - OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); - OPENSSL_free(s->s3->tmp.peer_sigalgs); + OPENSSL_free(s->s3.tmp.ctype); + sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free); + OPENSSL_free(s->s3.tmp.ciphers_raw); + OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen); + OPENSSL_free(s->s3.tmp.peer_sigalgs); + OPENSSL_free(s->s3.tmp.peer_cert_sigalgs); #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) - EVP_PKEY_free(s->s3->tmp.pkey); - EVP_PKEY_free(s->s3->peer_tmp); + EVP_PKEY_free(s->s3.tmp.pkey); + EVP_PKEY_free(s->s3.peer_tmp); #endif /* !OPENSSL_NO_EC */ ssl3_free_digest_list(s); - OPENSSL_free(s->s3->alpn_selected); - OPENSSL_free(s->s3->alpn_proposed); + OPENSSL_free(s->s3.alpn_selected); + OPENSSL_free(s->s3.alpn_proposed); /* NULL/zero-out everything in the s3 struct */ - memset(s->s3, 0, sizeof(*s->s3)); + memset(&s->s3, 0, sizeof(s->s3)); if (!ssl_free_wbio_buffer(s)) return 0; @@ -3151,17 +3443,17 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_CLIENT_CERT_REQUEST: break; case SSL_CTRL_GET_NUM_RENEGOTIATIONS: - ret = s->s3->num_renegotiations; + ret = s->s3.num_renegotiations; break; case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: - ret = s->s3->num_renegotiations; - s->s3->num_renegotiations = 0; + ret = s->s3.num_renegotiations; + s->s3.num_renegotiations = 0; break; case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: - ret = s->s3->total_renegotiations; + ret = s->s3.total_renegotiations; break; case SSL_CTRL_GET_FLAGS: - ret = (int)(s->s3->flags); + ret = (int)(s->s3.flags); break; #ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH: @@ -3170,7 +3462,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EVP_PKEY *pkdh = NULL; if (dh == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); - return (ret); + return 0; } pkdh = ssl_dh_to_pkey(dh); if (pkdh == NULL) { @@ -3181,17 +3473,17 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EVP_PKEY_security_bits(pkdh), 0, pkdh)) { SSLerr(SSL_F_SSL3_CTRL, SSL_R_DH_KEY_TOO_SMALL); EVP_PKEY_free(pkdh); - return ret; + return 0; } EVP_PKEY_free(s->cert->dh_tmp); s->cert->dh_tmp = pkdh; - ret = 1; + return 1; } break; case SSL_CTRL_SET_TMP_DH_CB: { SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (ret); + return ret; } case SSL_CTRL_SET_DH_AUTO: s->cert->dh_tmp_auto = larg; @@ -3222,6 +3514,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: + /* + * TODO(OpenSSL1.2) + * This API is only used for a client to set what SNI it will request + * from the server, but we currently allow it to be used on servers + * as well, which is a programming error. Currently we just clear + * the field in SSL_do_handshake() for server SSLs, but when we can + * make ABI-breaking changes, we may want to make use of this API + * an error on server SSLs. + */ if (larg == TLSEXT_NAMETYPE_host_name) { size_t len; @@ -3293,13 +3594,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ret = 1; break; -#ifndef OPENSSL_NO_HEARTBEATS - case SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT: - case SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING: - case SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS: - break; -#endif - case SSL_CTRL_CHAIN: if (larg) return ssl_cert_set1_chain(s, NULL, (STACK_OF(X509) *)parg); @@ -3314,6 +3608,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_CHAIN_CERTS: *(STACK_OF(X509) **)parg = s->cert->key->chain; + ret = 1; break; case SSL_CTRL_SELECT_CURRENT_CERT: @@ -3324,7 +3619,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) const SSL_CIPHER *cipher; if (!s->server) return 0; - cipher = s->s3->tmp.new_cipher; + cipher = s->s3.tmp.new_cipher; if (cipher == NULL) return 0; /* @@ -3333,35 +3628,35 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) */ if (cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) return 2; - if (s->s3->tmp.cert == NULL) + if (s->s3.tmp.cert == NULL) return 0; - s->cert->key = s->s3->tmp.cert; + s->cert->key = s->s3.tmp.cert; return 1; } return ssl_cert_set_current(s->cert, larg); -#ifndef OPENSSL_NO_EC +#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) case SSL_CTRL_GET_GROUPS: { - unsigned char *clist; + uint16_t *clist; size_t clistlen; if (!s->session) return 0; - clist = s->session->ext.supportedgroups; - clistlen = s->session->ext.supportedgroups_len / 2; + clist = s->ext.peer_supportedgroups; + clistlen = s->ext.peer_supportedgroups_len; if (parg) { size_t i; int *cptr = parg; - unsigned int cid, nid; + for (i = 0; i < clistlen; i++) { - n2s(clist, cid); - /* TODO(TLS1.3): Handle DH groups here */ - nid = tls1_ec_curve_id2nid(cid, NULL); - if (nid != 0) - cptr[i] = nid; + const TLS_GROUP_INFO *cinf + = tls1_group_id_lookup(s->ctx, clist[i]); + + if (cinf != NULL) + cptr[i] = tls1_group_id2nid(cinf->group_id, 1); else - cptr[i] = TLSEXT_nid_unknown | cid; + cptr[i] = TLSEXT_nid_unknown | clist[i]; } } return (int)clistlen; @@ -3372,13 +3667,22 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) &s->ext.supportedgroups_len, parg, larg); case SSL_CTRL_SET_GROUPS_LIST: - return tls1_set_groups_list(&s->ext.supportedgroups, + return tls1_set_groups_list(s->ctx, &s->ext.supportedgroups, &s->ext.supportedgroups_len, parg); case SSL_CTRL_GET_SHARED_GROUP: - return tls1_shared_group(s, larg); + { + uint16_t id = tls1_shared_group(s, larg); + + if (larg != -1) + return tls1_group_id2nid(id, 1); + return id; + } + case SSL_CTRL_GET_NEGOTIATED_GROUP: + ret = tls1_group_id2nid(s->s3.group_id, 1); + break; +#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ -#endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0); @@ -3394,11 +3698,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_CLIENT_CERT_TYPES: { const unsigned char **pctype = parg; - if (s->server || !s->s3->tmp.cert_req) + if (s->server || !s->s3.tmp.cert_req) return 0; if (pctype) - *pctype = s->s3->tmp.ctype; - return s->s3->tmp.ctype_len; + *pctype = s->s3.tmp.ctype; + return s->s3.tmp.ctype_len; } case SSL_CTRL_SET_CLIENT_CERT_TYPES: @@ -3416,40 +3720,59 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return ssl_cert_set_cert_store(s->cert, parg, 1, larg); case SSL_CTRL_GET_PEER_SIGNATURE_NID: - if (s->s3->tmp.peer_sigalg == NULL) + if (s->s3.tmp.peer_sigalg == NULL) + return 0; + *(int *)parg = s->s3.tmp.peer_sigalg->hash; + return 1; + + case SSL_CTRL_GET_SIGNATURE_NID: + if (s->s3.tmp.sigalg == NULL) return 0; - *(int *)parg = s->s3->tmp.peer_sigalg->hash; + *(int *)parg = s->s3.tmp.sigalg->hash; return 1; - case SSL_CTRL_GET_SERVER_TMP_KEY: + case SSL_CTRL_GET_PEER_TMP_KEY: +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) + if (s->session == NULL || s->s3.peer_tmp == NULL) { + return 0; + } else { + EVP_PKEY_up_ref(s->s3.peer_tmp); + *(EVP_PKEY **)parg = s->s3.peer_tmp; + return 1; + } +#else + return 0; +#endif + + case SSL_CTRL_GET_TMP_KEY: #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) - if (s->server || s->session == NULL || s->s3->peer_tmp == NULL) { + if (s->session == NULL || s->s3.tmp.pkey == NULL) { return 0; } else { - EVP_PKEY_up_ref(s->s3->peer_tmp); - *(EVP_PKEY **)parg = s->s3->peer_tmp; + EVP_PKEY_up_ref(s->s3.tmp.pkey); + *(EVP_PKEY **)parg = s->s3.tmp.pkey; return 1; } #else return 0; #endif + #ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: { - SSL_SESSION *sess = s->session; const unsigned char **pformat = parg; - if (sess == NULL || sess->ext.ecpointformats == NULL) + if (s->ext.peer_ecpointformats == NULL) return 0; - *pformat = sess->ext.ecpointformats; - return (int)sess->ext.ecpointformats_len; + *pformat = s->ext.peer_ecpointformats; + return (int)s->ext.peer_ecpointformats_len; } #endif default: break; } - return (ret); + return ret; } long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) @@ -3477,7 +3800,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) default: break; } - return (ret); + return ret; } long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) @@ -3501,7 +3824,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) EVP_PKEY_security_bits(pkdh), 0, pkdh)) { SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL); EVP_PKEY_free(pkdh); - return 1; + return 0; } EVP_PKEY_free(ctx->cert->dh_tmp); ctx->cert->dh_tmp = pkdh; @@ -3510,7 +3833,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_TMP_DH_CB: { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); + return 0; } case SSL_CTRL_SET_DH_AUTO: ctx->cert->dh_tmp_auto = larg; @@ -3547,8 +3870,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { unsigned char *keys = parg; long tick_keylen = (sizeof(ctx->ext.tick_key_name) + - sizeof(ctx->ext.tick_hmac_key) + - sizeof(ctx->ext.tick_aes_key)); + sizeof(ctx->ext.secure->tick_hmac_key) + + sizeof(ctx->ext.secure->tick_aes_key)); if (keys == NULL) return tick_keylen; if (larg != tick_keylen) { @@ -3558,23 +3881,23 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { memcpy(ctx->ext.tick_key_name, keys, sizeof(ctx->ext.tick_key_name)); - memcpy(ctx->ext.tick_hmac_key, + memcpy(ctx->ext.secure->tick_hmac_key, keys + sizeof(ctx->ext.tick_key_name), - sizeof(ctx->ext.tick_hmac_key)); - memcpy(ctx->ext.tick_aes_key, + sizeof(ctx->ext.secure->tick_hmac_key)); + memcpy(ctx->ext.secure->tick_aes_key, keys + sizeof(ctx->ext.tick_key_name) + - sizeof(ctx->ext.tick_hmac_key), - sizeof(ctx->ext.tick_aes_key)); + sizeof(ctx->ext.secure->tick_hmac_key), + sizeof(ctx->ext.secure->tick_aes_key)); } else { memcpy(keys, ctx->ext.tick_key_name, sizeof(ctx->ext.tick_key_name)); memcpy(keys + sizeof(ctx->ext.tick_key_name), - ctx->ext.tick_hmac_key, - sizeof(ctx->ext.tick_hmac_key)); + ctx->ext.secure->tick_hmac_key, + sizeof(ctx->ext.secure->tick_hmac_key)); memcpy(keys + sizeof(ctx->ext.tick_key_name) + - sizeof(ctx->ext.tick_hmac_key), - ctx->ext.tick_aes_key, - sizeof(ctx->ext.tick_aes_key)); + sizeof(ctx->ext.secure->tick_hmac_key), + ctx->ext.secure->tick_aes_key, + sizeof(ctx->ext.secure->tick_aes_key)); } return 1; } @@ -3619,7 +3942,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) srp_password_from_info_cb; if (ctx->srp_ctx.info != NULL) OPENSSL_free(ctx->srp_ctx.info); - if ((ctx->srp_ctx.info = BUF_strdup((char *)parg)) == NULL) { + if ((ctx->srp_ctx.info = OPENSSL_strdup((char *)parg)) == NULL) { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR); return 0; } @@ -3634,17 +3957,18 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) break; #endif -#ifndef OPENSSL_NO_EC +#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) case SSL_CTRL_SET_GROUPS: return tls1_set_groups(&ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, parg, larg); case SSL_CTRL_SET_GROUPS_LIST: - return tls1_set_groups_list(&ctx->ext.supportedgroups, + return tls1_set_groups_list(ctx, &ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, parg); -#endif +#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ + case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); @@ -3677,6 +4001,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return 0; } } + if (!X509v3_cache_extensions((X509 *)parg, ctx->libctx, ctx->propq)) { + SSLerr(0, ERR_LIB_X509); + return 0; + } if (!sk_X509_push(ctx->extra_certs, (X509 *)parg)) { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_MALLOC_FAILURE); return 0; @@ -3718,9 +4046,9 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return ssl_cert_set_current(ctx->cert, larg); default: - return (0); + return 0; } - return (1); + return 1; } long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) @@ -3741,12 +4069,14 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) ctx->ext.status_cb = (int (*)(SSL *, void *))fp; break; +# ifndef OPENSSL_NO_DEPRECATED_3_0 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: ctx->ext.ticket_key_cb = (int (*)(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; break; +#endif #ifndef OPENSSL_NO_SRP case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB: @@ -3770,9 +4100,17 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) } break; default: - return (0); + return 0; } - return (1); + return 1; +} + +int SSL_CTX_set_tlsext_ticket_key_evp_cb + (SSL_CTX *ctx, int (*fp)(SSL *, unsigned char *, unsigned char *, + EVP_CIPHER_CTX *, EVP_MAC_CTX *, int)) +{ + ctx->ext.ticket_key_evp_cb = fp; + return 1; } const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id) @@ -3781,6 +4119,9 @@ const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id) const SSL_CIPHER *cp; c.id = id; + cp = OBJ_bsearch_ssl_cipher_id(&c, tls13_ciphers, TLS13_NUM_CIPHERS); + if (cp != NULL) + return cp; cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); if (cp != NULL) return cp; @@ -3789,17 +4130,19 @@ const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id) const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname) { - SSL_CIPHER *c = NULL; - SSL_CIPHER *tbl = ssl3_ciphers; - size_t i; + SSL_CIPHER *c = NULL, *tbl; + SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers}; + size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS}; /* this is not efficient, necessary to optimize this? */ - for (i = 0; i < SSL3_NUM_CIPHERS; i++, tbl++) { - if (tbl->stdname == NULL) - continue; - if (strcmp(stdname, tbl->stdname) == 0) { - c = tbl; - break; + for (j = 0; j < OSSL_NELEM(alltabs); j++) { + for (i = 0, tbl = alltabs[j]; i < tblsize[j]; i++, tbl++) { + if (tbl->stdname == NULL) + continue; + if (strcmp(stdname, tbl->stdname) == 0) { + c = tbl; + break; + } } } if (c == NULL) { @@ -3852,8 +4195,11 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, { const SSL_CIPHER *c, *ret = NULL; STACK_OF(SSL_CIPHER) *prio, *allow; - int i, ii, ok; + int i, ii, ok, prefer_sha256 = 0; unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0; +#ifndef OPENSSL_NO_CHACHA + STACK_OF(SSL_CIPHER) *prio_chacha = NULL; +#endif /* Let's see which ciphers we can support */ @@ -3864,30 +4210,93 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, * pay with the price of sk_SSL_CIPHER_dup(). */ -#ifdef CIPHER_DEBUG - fprintf(stderr, "Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), - (void *)srvr); - for (i = 0; i < sk_SSL_CIPHER_num(srvr); ++i) { - c = sk_SSL_CIPHER_value(srvr, i); - fprintf(stderr, "%p:%s\n", (void *)c, c->name); - } - fprintf(stderr, "Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), - (void *)clnt); - for (i = 0; i < sk_SSL_CIPHER_num(clnt); ++i) { - c = sk_SSL_CIPHER_value(clnt, i); - fprintf(stderr, "%p:%s\n", (void *)c, c->name); - } -#endif + OSSL_TRACE_BEGIN(TLS_CIPHER) { + BIO_printf(trc_out, "Server has %d from %p:\n", + sk_SSL_CIPHER_num(srvr), (void *)srvr); + for (i = 0; i < sk_SSL_CIPHER_num(srvr); ++i) { + c = sk_SSL_CIPHER_value(srvr, i); + BIO_printf(trc_out, "%p:%s\n", (void *)c, c->name); + } + BIO_printf(trc_out, "Client sent %d from %p:\n", + sk_SSL_CIPHER_num(clnt), (void *)clnt); + for (i = 0; i < sk_SSL_CIPHER_num(clnt); ++i) { + c = sk_SSL_CIPHER_value(clnt, i); + BIO_printf(trc_out, "%p:%s\n", (void *)c, c->name); + } + } OSSL_TRACE_END(TLS_CIPHER); - if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) { + /* SUITE-B takes precedence over server preference and ChaCha priortiy */ + if (tls1_suiteb(s)) { prio = srvr; allow = clnt; + } else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { + prio = srvr; + allow = clnt; +#ifndef OPENSSL_NO_CHACHA + /* If ChaCha20 is at the top of the client preference list, + and there are ChaCha20 ciphers in the server list, then + temporarily prioritize all ChaCha20 ciphers in the servers list. */ + if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) { + c = sk_SSL_CIPHER_value(clnt, 0); + if (c->algorithm_enc == SSL_CHACHA20POLY1305) { + /* ChaCha20 is client preferred, check server... */ + int num = sk_SSL_CIPHER_num(srvr); + int found = 0; + for (i = 0; i < num; i++) { + c = sk_SSL_CIPHER_value(srvr, i); + if (c->algorithm_enc == SSL_CHACHA20POLY1305) { + found = 1; + break; + } + } + if (found) { + prio_chacha = sk_SSL_CIPHER_new_reserve(NULL, num); + /* if reserve fails, then there's likely a memory issue */ + if (prio_chacha != NULL) { + /* Put all ChaCha20 at the top, starting with the one we just found */ + sk_SSL_CIPHER_push(prio_chacha, c); + for (i++; i < num; i++) { + c = sk_SSL_CIPHER_value(srvr, i); + if (c->algorithm_enc == SSL_CHACHA20POLY1305) + sk_SSL_CIPHER_push(prio_chacha, c); + } + /* Pull in the rest */ + for (i = 0; i < num; i++) { + c = sk_SSL_CIPHER_value(srvr, i); + if (c->algorithm_enc != SSL_CHACHA20POLY1305) + sk_SSL_CIPHER_push(prio_chacha, c); + } + prio = prio_chacha; + } + } + } + } +# endif } else { prio = clnt; allow = srvr; } - if (!SSL_IS_TLS13(s)) { + if (SSL_IS_TLS13(s)) { +#ifndef OPENSSL_NO_PSK + int j; + + /* + * If we allow "old" style PSK callbacks, and we have no certificate (so + * we're not going to succeed without a PSK anyway), and we're in + * TLSv1.3 then the default hash for a PSK is SHA-256 (as per the + * TLSv1.3 spec). Therefore we should prioritise ciphersuites using + * that. + */ + if (s->psk_server_callback != NULL) { + for (j = 0; j < SSL_PKEY_NUM && !ssl_has_cert(s, j); j++); + if (j == SSL_PKEY_NUM) { + /* There are no certificates */ + prefer_sha256 = 1; + } + } +#endif + } else { tls1_set_cert_validity(s); ssl_set_masks(s); } @@ -3909,8 +4318,8 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, * key exchange scheme skip tests. */ if (!SSL_IS_TLS13(s)) { - mask_k = s->s3->tmp.mask_k; - mask_a = s->s3->tmp.mask_a; + mask_k = s->s3.tmp.mask_k; + mask_a = s->s3.tmp.mask_a; #ifndef OPENSSL_NO_SRP if (s->srp_ctx.srp_Mask & SSL_kSRP) { mask_k |= SSL_kSRP; @@ -3928,10 +4337,9 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, #endif /* OPENSSL_NO_PSK */ ok = (alg_k & mask_k) && (alg_a & mask_a); -#ifdef CIPHER_DEBUG - fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k, - alg_a, mask_k, mask_a, (void *)c, c->name); -#endif + OSSL_TRACE7(TLS_CIPHER, + "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", + ok, alg_k, alg_a, mask_k, mask_a, (void *)c, c->name); #ifndef OPENSSL_NO_EC /* @@ -3953,17 +4361,36 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, continue; #if !defined(OPENSSL_NO_EC) if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA) - && s->s3->is_probably_safari) { + && s->s3.is_probably_safari) { if (!ret) ret = sk_SSL_CIPHER_value(allow, ii); continue; } #endif + if (prefer_sha256) { + const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii); + + /* + * TODO: When there are no more legacy digests we can just use + * OSSL_DIGEST_NAME_SHA2_256 instead of calling OBJ_nid2sn + */ + if (EVP_MD_is_a(ssl_md(s->ctx, tmp->algorithm2), + OBJ_nid2sn(NID_sha256))) { + ret = tmp; + break; + } + if (ret == NULL) + ret = tmp; + continue; + } ret = sk_SSL_CIPHER_value(allow, ii); break; } } - return (ret); +#ifndef OPENSSL_NO_CHACHA + sk_SSL_CIPHER_free(prio_chacha); +#endif + return ret; } int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt) @@ -3976,13 +4403,21 @@ int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt) /* Get mask of algorithms disabled by signature list */ ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK); - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; + alg_k = s->s3.tmp.new_cipher->algorithm_mkey; #ifndef OPENSSL_NO_GOST if (s->version >= TLS1_VERSION && (alg_k & SSL_kGOST)) - return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST01_SIGN) - && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN) - && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN); + if (!WPACKET_put_bytes_u8(pkt, TLS_CT_GOST01_SIGN) + || !WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_IANA_SIGN) + || !WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_IANA_512_SIGN) + || !WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_LEGACY_SIGN) + || !WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_LEGACY_512_SIGN)) + return 0; + + if (s->version >= TLS1_2_VERSION && (alg_k & SSL_kGOST18)) + if (!WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_IANA_SIGN) + || !WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_IANA_512_SIGN)) + return 0; #endif if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) { @@ -4044,7 +4479,7 @@ int ssl3_shutdown(SSL *s) */ if (s->quiet_shutdown || SSL_in_before(s)) { s->shutdown = (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); - return (1); + return 1; } if (!(s->shutdown & SSL_SENT_SHUTDOWN)) { @@ -4052,11 +4487,11 @@ int ssl3_shutdown(SSL *s) ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); /* * our shutdown alert has been sent now, and if it still needs to be - * written, s->s3->alert_dispatch will be true + * written, s->s3.alert_dispatch will be true */ - if (s->s3->alert_dispatch) - return (-1); /* return WANT_WRITE */ - } else if (s->s3->alert_dispatch) { + if (s->s3.alert_dispatch) + return -1; /* return WANT_WRITE */ + } else if (s->s3.alert_dispatch) { /* resend it if not sent */ ret = s->method->ssl_dispatch_alert(s); if (ret == -1) { @@ -4065,7 +4500,7 @@ int ssl3_shutdown(SSL *s) * have already signalled return 0 upon a previous invocation, * return WANT_WRITE */ - return (ret); + return ret; } } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { size_t readbytes; @@ -4079,16 +4514,16 @@ int ssl3_shutdown(SSL *s) } if ((s->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN)) && - !s->s3->alert_dispatch) - return (1); + !s->s3.alert_dispatch) + return 1; else - return (0); + return 0; } int ssl3_write(SSL *s, const void *buf, size_t len, size_t *written) { clear_sys_error(); - if (s->s3->renegotiate) + if (s->s3.renegotiate) ssl3_renegotiate_check(s, 0); return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, @@ -4101,13 +4536,13 @@ static int ssl3_read_internal(SSL *s, void *buf, size_t len, int peek, int ret; clear_sys_error(); - if (s->s3->renegotiate) + if (s->s3.renegotiate) ssl3_renegotiate_check(s, 0); - s->s3->in_read_app_data = 1; + s->s3.in_read_app_data = 1; ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, NULL, buf, len, peek, readbytes); - if ((ret == -1) && (s->s3->in_read_app_data == 2)) { + if ((ret == -1) && (s->s3.in_read_app_data == 2)) { /* * ssl3_read_bytes decided to call s->handshake_func, which called * ssl3_read_bytes to read handshake data. However, ssl3_read_bytes @@ -4121,7 +4556,7 @@ static int ssl3_read_internal(SSL *s, void *buf, size_t len, int peek, len, peek, readbytes); ossl_statem_set_in_handshake(s, 0); } else - s->s3->in_read_app_data = 0; + s->s3.in_read_app_data = 0; return ret; } @@ -4139,10 +4574,10 @@ int ssl3_peek(SSL *s, void *buf, size_t len, size_t *readbytes) int ssl3_renegotiate(SSL *s) { if (s->handshake_func == NULL) - return (1); + return 1; - s->s3->renegotiate = 1; - return (1); + s->s3.renegotiate = 1; + return 1; } /* @@ -4157,7 +4592,7 @@ int ssl3_renegotiate_check(SSL *s, int initok) { int ret = 0; - if (s->s3->renegotiate) { + if (s->s3.renegotiate) { if (!RECORD_LAYER_read_pending(&s->rlayer) && !RECORD_LAYER_write_pending(&s->rlayer) && (initok || !SSL_in_init(s))) { @@ -4167,9 +4602,9 @@ int ssl3_renegotiate_check(SSL *s, int initok) * state. */ ossl_statem_set_renegotiate(s); - s->s3->renegotiate = 0; - s->s3->num_renegotiations++; - s->s3->total_renegotiations++; + s->s3.renegotiate = 0; + s->s3.num_renegotiations++; + s->s3.total_renegotiations++; ret = 1; } } @@ -4185,13 +4620,13 @@ int ssl3_renegotiate_check(SSL *s, int initok) long ssl_get_algorithm2(SSL *s) { long alg2; - if (s->s3 == NULL || s->s3->tmp.new_cipher == NULL) + if (s->s3.tmp.new_cipher == NULL) return -1; - alg2 = s->s3->tmp.new_cipher->algorithm2; + alg2 = s->s3.tmp.new_cipher->algorithm2; if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF) { if (alg2 == (SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF)) return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; - } else if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK) { + } else if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) { if (alg2 == (SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384)) return SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF; } @@ -4218,12 +4653,12 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, unsigned char *p = result; l2n(Time, p); - ret = ssl_randbytes(s, p, len - 4); + ret = RAND_bytes_ex(s->ctx->libctx, p, len - 4); } else { - ret = ssl_randbytes(s, result, len); + ret = RAND_bytes_ex(s->ctx->libctx, result, len); } -#ifndef OPENSSL_NO_TLS13DOWNGRADE - if (ret) { + + if (ret > 0) { if (!ossl_assert(sizeof(tls11downgrade) < len) || !ossl_assert(sizeof(tls12downgrade) < len)) return 0; @@ -4234,20 +4669,20 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, memcpy(result + len - sizeof(tls11downgrade), tls11downgrade, sizeof(tls11downgrade)); } -#endif + return ret; } int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, int free_pms) { - unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; + unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey; int ret = 0; if (alg_k & SSL_PSK) { #ifndef OPENSSL_NO_PSK unsigned char *pskpms, *t; - size_t psklen = s->s3->tmp.psklen; + size_t psklen = s->s3.tmp.psklen; size_t pskpmslen; /* create PSK premaster_secret */ @@ -4268,14 +4703,17 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, memcpy(t, pms, pmslen); t += pmslen; s2n(psklen, t); - memcpy(t, s->s3->tmp.psk, psklen); + memcpy(t, s->s3.tmp.psk, psklen); - OPENSSL_clear_free(s->s3->tmp.psk, psklen); - s->s3->tmp.psk = NULL; + OPENSSL_clear_free(s->s3.tmp.psk, psklen); + s->s3.tmp.psk = NULL; if (!s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key,pskpms, pskpmslen, - &s->session->master_key_length)) + s->session->master_key, pskpms, pskpmslen, + &s->session->master_key_length)) { + OPENSSL_clear_free(pskpms, pskpmslen); + /* SSLfatal() already called */ goto err; + } OPENSSL_clear_free(pskpms, pskpmslen); #else /* Should never happen */ @@ -4284,8 +4722,10 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, } else { if (!s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, pms, pmslen, - &s->session->master_key_length)) + &s->session->master_key_length)) { + /* SSLfatal() already called */ goto err; + } } ret = 1; @@ -4297,19 +4737,19 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, OPENSSL_cleanse(pms, pmslen); } if (s->server == 0) - s->s3->tmp.pms = NULL; + s->s3.tmp.pms = NULL; return ret; } /* Generate a private key from parameters */ -EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm) +EVP_PKEY *ssl_generate_pkey(SSL *s, EVP_PKEY *pm) { EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; if (pm == NULL) return NULL; - pctx = EVP_PKEY_CTX_new(pm, NULL); + pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pm, s->ctx->propq); if (pctx == NULL) goto err; if (EVP_PKEY_keygen_init(pctx) <= 0) @@ -4323,30 +4763,75 @@ EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm) EVP_PKEY_CTX_free(pctx); return pkey; } -#ifndef OPENSSL_NO_EC -/* Generate a private key a curve ID */ -EVP_PKEY *ssl_generate_pkey_curve(int id) + +/* Generate a private key from a group ID */ +EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) { + const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(s->ctx, id); EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; - unsigned int curve_flags; - int nid = tls1_ec_curve_id2nid(id, &curve_flags); - if (nid == 0) + if (ginf == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_INTERNAL_ERROR); goto err; - if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) { - pctx = EVP_PKEY_CTX_new_id(nid, NULL); - nid = 0; - } else { - pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); } - if (pctx == NULL) + + pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, ginf->algorithm, + s->ctx->propq); + + if (pctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_MALLOC_FAILURE); goto err; - if (EVP_PKEY_keygen_init(pctx) <= 0) + } + if (EVP_PKEY_keygen_init(pctx) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); goto err; - if (nid != 0 && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid) <= 0) + } + if (!EVP_PKEY_CTX_set_group_name(pctx, ginf->realname)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); goto err; + } if (EVP_PKEY_keygen(pctx, &pkey) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); + EVP_PKEY_free(pkey); + pkey = NULL; + } + + err: + EVP_PKEY_CTX_free(pctx); + return pkey; +} + +/* + * Generate parameters from a group ID + */ +EVP_PKEY *ssl_generate_param_group(SSL *s, uint16_t id) +{ + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY *pkey = NULL; + const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(s->ctx, id); + + if (ginf == NULL) + goto err; + + pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, ginf->algorithm, + s->ctx->propq); + + if (pctx == NULL) + goto err; + if (EVP_PKEY_paramgen_init(pctx) <= 0) + goto err; + if (!EVP_PKEY_CTX_set_group_name(pctx, ginf->realname)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); + goto err; + } + if (EVP_PKEY_paramgen(pctx, &pkey) <= 0) { EVP_PKEY_free(pkey); pkey = NULL; } @@ -4355,7 +4840,6 @@ EVP_PKEY *ssl_generate_pkey_curve(int id) EVP_PKEY_CTX_free(pctx); return pkey; } -#endif /* Derive secrets for ECDH/DH */ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) @@ -4365,25 +4849,42 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) size_t pmslen = 0; EVP_PKEY_CTX *pctx; - if (privkey == NULL || pubkey == NULL) + if (privkey == NULL || pubkey == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE, + ERR_R_INTERNAL_ERROR); return 0; + } - pctx = EVP_PKEY_CTX_new(privkey, NULL); + pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, privkey, s->ctx->propq); if (EVP_PKEY_derive_init(pctx) <= 0 || EVP_PKEY_derive_set_peer(pctx, pubkey) <= 0 || EVP_PKEY_derive(pctx, NULL, &pmslen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE, + ERR_R_INTERNAL_ERROR); goto err; } +#ifndef OPENSSL_NO_DH + if (SSL_IS_TLS13(s) && EVP_PKEY_id(privkey) == EVP_PKEY_DH) + EVP_PKEY_CTX_set_dh_pad(pctx, 1); +#endif + pms = OPENSSL_malloc(pmslen); - if (pms == NULL) + if (pms == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE, + ERR_R_MALLOC_FAILURE); goto err; + } - if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0) + if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE, + ERR_R_INTERNAL_ERROR); goto err; + } if (gensecret) { + /* SSLfatal() called as appropriate in the below functions */ if (SSL_IS_TLS13(s)) { /* * If we are resuming then we already generated the early secret @@ -4402,8 +4903,8 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) } } else { /* Save premaster secret */ - s->s3->tmp.pms = pms; - s->s3->tmp.pmslen = pmslen; + s->s3.tmp.pms = pms; + s->s3.tmp.pmslen = pmslen; pms = NULL; rv = 1; }