X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=d7b8fb03bc660234a8ac21825cefc86cefa10739;hp=16696526443d18973da5b3b308badadb72d86638;hb=c80149d9f09b3a5a5b1621fa705e900d455334d4;hpb=38f2837b1b1b3d1bd417cd1032a3dd3b264352ef diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 1669652644..d7b8fb03bc 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1,5 +1,7 @@ /* * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,46 +9,6 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * ECC cipher suite support in OpenSSL originally written by - * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. - * - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include #include #include "ssl_locl.h" @@ -57,6 +19,14 @@ #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) #define SSL3_NUM_SCSVS OSSL_NELEM(ssl3_scsvs) +/* TLSv1.3 downgrade protection sentinel values */ +const unsigned char tls11downgrade[] = { + 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00 +}; +const unsigned char tls12downgrade[] = { + 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01 +}; + /* * The list of available ciphers, mostly organized into the following * groups: @@ -922,7 +892,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_eNULL, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -938,7 +908,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_3DES, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -954,7 +924,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES128, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -969,7 +939,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES256, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -984,7 +954,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_eNULL, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1000,7 +970,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_3DES, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1016,7 +986,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1031,7 +1001,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1046,7 +1016,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_eNULL, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1062,7 +1032,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_3DES, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1078,7 +1048,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES128, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1093,7 +1063,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES256, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1689,7 +1659,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_3DES, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1705,7 +1675,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1720,7 +1690,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1765,7 +1735,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_eNULL, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -2692,7 +2662,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_RC4, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -2707,7 +2677,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_RC4, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -2722,7 +2692,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_RC4, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -2737,7 +2707,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_RC4, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -2905,10 +2875,13 @@ int ssl3_new(SSL *s) if (!SSL_SRP_CTX_init(s)) goto err; #endif - s->method->ssl_clear(s); - return (1); + + if (!s->method->ssl_clear(s)) + return 0; + + return 1; err: - return (0); + return 0; } void ssl3_free(SSL *s) @@ -2926,7 +2899,7 @@ void ssl3_free(SSL *s) #endif OPENSSL_free(s->s3->tmp.ctype); - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); OPENSSL_free(s->s3->tmp.ciphers_raw); OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); OPENSSL_free(s->s3->tmp.peer_sigalgs); @@ -2941,11 +2914,11 @@ void ssl3_free(SSL *s) s->s3 = NULL; } -void ssl3_clear(SSL *s) +int ssl3_clear(SSL *s) { ssl3_cleanup_key_block(s); OPENSSL_free(s->s3->tmp.ctype); - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); OPENSSL_free(s->s3->tmp.ciphers_raw); OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); OPENSSL_free(s->s3->tmp.peer_sigalgs); @@ -2963,7 +2936,8 @@ void ssl3_clear(SSL *s) /* NULL/zero-out everything in the s3 struct */ memset(s->s3, 0, sizeof(*s->s3)); - ssl_free_wbio_buffer(s); + if (!ssl_free_wbio_buffer(s)) + return 0; s->version = SSL3_VERSION; @@ -2972,6 +2946,8 @@ void ssl3_clear(SSL *s) s->ext.npn = NULL; s->ext.npn_len = 0; #endif + + return 1; } #ifndef OPENSSL_NO_SRP @@ -3457,7 +3433,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD: ctx->srp_ctx.SRP_give_srp_client_pwd_callback = srp_password_from_info_cb; - ctx->srp_ctx.info = parg; + if (ctx->srp_ctx.info != NULL) + OPENSSL_free(ctx->srp_ctx.info); + if ((ctx->srp_ctx.info = BUF_strdup((char *)parg)) == NULL) { + SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR); + return 0; + } break; case SSL_CTRL_SET_SRP_ARG: ctx->srp_ctx.srp_Mask |= SSL_kSRP; @@ -3661,7 +3642,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, const SSL_CIPHER *c, *ret = NULL; STACK_OF(SSL_CIPHER) *prio, *allow; int i, ii, ok; - unsigned long alg_k = 0, alg_a = 0, mask_k, mask_a; + unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0; /* Let's see which ciphers we can support */ @@ -3695,8 +3676,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, allow = srvr; } - tls1_set_cert_validity(s); - ssl_set_masks(s); + if (!SSL_IS_TLS13(s)) { + tls1_set_cert_validity(s); + ssl_set_masks(s); + } for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { c = sk_SSL_CIPHER_value(prio, i); @@ -3709,6 +3692,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, (DTLS_VERSION_LT(s->version, c->min_dtls) || DTLS_VERSION_GT(s->version, c->max_dtls))) continue; + /* * Since TLS 1.3 ciphersuites can be used with any auth or * key exchange scheme skip tests. @@ -4007,9 +3991,10 @@ long ssl_get_algorithm2(SSL *s) * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 on * failure, 1 on success. */ -int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len) +int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, + DOWNGRADE dgrd) { - int send_time = 0; + int send_time = 0, ret; if (len < 4) return 0; @@ -4022,9 +4007,24 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len) unsigned char *p = result; l2n(Time, p); /* TODO(size_t): Convert this */ - return RAND_bytes(p, (int)(len - 4)); - } else - return RAND_bytes(result, (int)len); + ret = RAND_bytes(p, (int)(len - 4)); + } else { + ret = RAND_bytes(result, (int)len); + } +#ifndef OPENSSL_NO_TLS13DOWNGRADE + if (ret) { + if (!ossl_assert(sizeof(tls11downgrade) < len) + || !ossl_assert(sizeof(tls12downgrade) < len)) + return 0; + if (dgrd == DOWNGRADE_TO_1_2) + memcpy(result + len - sizeof(tls12downgrade), tls12downgrade, + sizeof(tls12downgrade)); + else if (dgrd == DOWNGRADE_TO_1_1) + memcpy(result + len - sizeof(tls11downgrade), tls11downgrade, + sizeof(tls11downgrade)); + } +#endif + return ret; } int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,