X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=d7b8fb03bc660234a8ac21825cefc86cefa10739;hp=52f9214c3d8ef2193a6835cdf018fb00e8c40087;hb=03327c8bf2af2db937a7d39268ea70ab90819279;hpb=7ee8627f6eb7cf63b34d2701d76bb66f6db811e5 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 52f9214c3d..d7b8fb03bc 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1,5 +1,7 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -7,46 +9,6 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * ECC cipher suite support in OpenSSL originally written by - * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. - * - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include #include #include "ssl_locl.h" 
@@ -55,6 +17,15 @@ #include #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) +#define SSL3_NUM_SCSVS OSSL_NELEM(ssl3_scsvs) + +/* TLSv1.3 downgrade protection sentinel values */ +const unsigned char tls11downgrade[] = { + 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00 +}; +const unsigned char tls12downgrade[] = { + 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01 +}; /* * The list of available ciphers, mostly organized into the following @@ -63,7 +34,7 @@ * EC * PSK * SRP (within that: RSA EC PSK) - * Cipher families: Chacha/poly, Camellila, Gost, IDEA, SEED + * Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED * Weak ciphers */ static SSL_CIPHER ssl3_ciphers[] = { 
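Review bot: The comment above `tls11downgrade` and `tls12downgrade` does not say what the bytes spell or where they are used, which a reader of the bare hex arrays will want to know. I would extend it to something like `/* ASCII "DOWNGRD" followed by 0x00 (downgrade to TLS 1.1) or 0x01 (downgrade to TLS 1.2); written over the last bytes of the server random */`. The placement is what the `memcpy` calls added to `ssl_fill_hello_random` later in this diff do. Both arrays are non-static and carry no library prefix, so presumably they are declared in a shared internal header that is not part of this file's diff.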
@@ -838,14 +809,76 @@ static SSL_CIPHER ssl3_ciphers[] = { 1, TLS1_3_TXT_AES_128_GCM_SHA256, TLS1_3_CK_AES_128_GCM_SHA256, - SSL_kRSA, - SSL_aRSA, + 0, 0, SSL_AES128GCM, SSL_AEAD, TLS1_3_VERSION, TLS1_3_VERSION, + SSL_kANY, + SSL_aANY, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, + }, + { + 1, + TLS1_3_TXT_AES_256_GCM_SHA384, + TLS1_3_CK_AES_256_GCM_SHA384, + SSL_kANY, + SSL_aANY, + SSL_AES256GCM, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, 0, 0, SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + SSL_HANDSHAKE_MAC_SHA384, + 256, + 256, + }, +#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) + { + 1, + TLS1_3_TXT_CHACHA20_POLY1305_SHA256, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + SSL_kANY, + SSL_aANY, + SSL_CHACHA20POLY1305, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 256, + 256, + }, +#endif + { + 1, + TLS1_3_TXT_AES_128_CCM_SHA256, + TLS1_3_CK_AES_128_CCM_SHA256, + SSL_kANY, + SSL_aANY, + SSL_AES128CCM, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, + }, + { + 1, + TLS1_3_TXT_AES_128_CCM_8_SHA256, + TLS1_3_CK_AES_128_CCM_8_SHA256, + SSL_kANY, + SSL_aANY, + SSL_AES128CCM8, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, 128, 128, }, @@ -859,7 +892,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_eNULL, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -875,7 +908,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_3DES, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 
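Review bot: The first TLS 1.3 entry (`TLS1_3_CK_AES_128_GCM_SHA256`) ends up laid out differently from the four entries added below it. Here `0, 0,` sits in the key-exchange/authentication position right after the cipher id, and `SSL_kANY, SSL_aANY,` follow the `TLS1_3_VERSION` pair, which is where every other entry in the table has its DTLS minimum and maximum. The new entries put `SSL_kANY,` and `SSL_aANY,` after the id and `0, 0,` after the version pair. If both constants evaluate to 0 the initializer is equivalent, but the entry then reads as if DTLS bounds were set to algorithm masks; the first entry should be reordered to match the others.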
@@ -891,7 +924,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES128, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -906,7 +939,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_AES256, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -921,7 +954,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_eNULL, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -937,7 +970,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_3DES, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -953,7 +986,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES128, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -968,7 +1001,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_AES256, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -983,7 +1016,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_eNULL, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 
@@ -999,7 +1032,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_3DES, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1015,7 +1048,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES128, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1030,7 +1063,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_AES256, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1626,7 +1659,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_3DES, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1642,7 +1675,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES128, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1657,7 +1690,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_AES256, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -1702,7 +1735,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_eNULL, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, SSL_STRONG_NONE | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 
@@ -2629,7 +2662,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aPSK, SSL_RC4, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -2644,7 +2677,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aNULL, SSL_RC4, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -2659,7 +2692,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aECDSA, SSL_RC4, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -2674,7 +2707,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_aRSA, SSL_RC4, SSL_SHA1, - SSL3_VERSION, TLS1_2_VERSION, + TLS1_VERSION, TLS1_2_VERSION, 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, @@ -2735,6 +2768,26 @@ static SSL_CIPHER ssl3_ciphers[] = { }; +/* + * The list of known Signalling Cipher-Suite Value "ciphers", non-valid + * values stuffed into the ciphers field of the wire protocol for signalling + * purposes. + */ +static SSL_CIPHER ssl3_scsvs[] = { + { + 0, + "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", + SSL3_CK_SCSV, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + }, + { + 0, + "TLS_FALLBACK_SCSV", + SSL3_CK_FALLBACK_SCSV, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + }, +}; + static int cipher_compare(const void *a, const void *b) { const SSL_CIPHER *ap = (const SSL_CIPHER *)a; @@ -2745,8 +2798,9 @@ static int cipher_compare(const void *a, const void *b) void ssl_sort_cipher_list(void) { - qsort(ssl3_ciphers, OSSL_NELEM(ssl3_ciphers), sizeof ssl3_ciphers[0], + qsort(ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof ssl3_ciphers[0], cipher_compare); + qsort(ssl3_scsvs, SSL3_NUM_SCSVS, sizeof ssl3_scsvs[0], cipher_compare); } const SSL3_ENC_METHOD SSLv3_enc_data = { 
@@ -2756,7 +2810,6 @@ const SSL3_ENC_METHOD SSLv3_enc_data = { ssl3_generate_master_secret, ssl3_change_cipher_state, ssl3_final_finish_mac, - MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, SSL3_MD_CLIENT_FINISHED_CONST, 4, SSL3_MD_SERVER_FINISHED_CONST, 4, ssl3_alert_code, @@ -2764,7 +2817,6 @@ const SSL3_ENC_METHOD SSLv3_enc_data = { size_t, const unsigned char *, size_t, int use_context))ssl_undefined_function, 0, - SSL3_HM_HEADER_LENGTH, ssl3_set_handshake_header, tls_close_construct_packet, ssl3_handshake_write @@ -2823,10 +2875,13 @@ int ssl3_new(SSL *s) if (!SSL_SRP_CTX_init(s)) goto err; #endif - s->method->ssl_clear(s); - return (1); + + if (!s->method->ssl_clear(s)) + return 0; + + return 1; err: - return (0); + return 0; } void ssl3_free(SSL *s) @@ -2843,7 +2898,8 @@ void ssl3_free(SSL *s) s->s3->tmp.pkey = NULL; #endif - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); + OPENSSL_free(s->s3->tmp.ctype); + sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); OPENSSL_free(s->s3->tmp.ciphers_raw); OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); OPENSSL_free(s->s3->tmp.peer_sigalgs); @@ -2858,10 +2914,11 @@ void ssl3_free(SSL *s) s->s3 = NULL; } -void ssl3_clear(SSL *s) +int ssl3_clear(SSL *s) { ssl3_cleanup_key_block(s); - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); + OPENSSL_free(s->s3->tmp.ctype); + sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); OPENSSL_free(s->s3->tmp.ciphers_raw); OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); OPENSSL_free(s->s3->tmp.peer_sigalgs); 
@@ -2879,15 +2936,18 @@ void ssl3_clear(SSL *s) /* NULL/zero-out everything in the s3 struct */ memset(s->s3, 0, sizeof(*s->s3)); - ssl_free_wbio_buffer(s); + if (!ssl_free_wbio_buffer(s)) + return 0; s->version = SSL3_VERSION; #if !defined(OPENSSL_NO_NEXTPROTONEG) - OPENSSL_free(s->next_proto_negotiated); - s->next_proto_negotiated = NULL; - s->next_proto_negotiated_len = 0; + OPENSSL_free(s->ext.npn); + s->ext.npn = NULL; + s->ext.npn_len = 0; #endif + + return 1; } #ifndef OPENSSL_NO_SRP @@ -2971,8 +3031,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) nid = EC_GROUP_get_curve_name(group); if (nid == NID_undef) return 0; - return tls1_set_curves(&s->tlsext_ellipticcurvelist, - &s->tlsext_ellipticcurvelist_length, + return tls1_set_groups(&s->ext.supportedgroups, + &s->ext.supportedgroups_len, &nid, 1); } break; @@ -2981,8 +3041,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) if (larg == TLSEXT_NAMETYPE_host_name) { size_t len; - OPENSSL_free(s->tlsext_hostname); - s->tlsext_hostname = NULL; + OPENSSL_free(s->ext.hostname); + s->ext.hostname = NULL; ret = 1; if (parg == NULL) @@ -2992,7 +3052,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); return 0; } - if ((s->tlsext_hostname = OPENSSL_strdup((char *)parg)) == NULL) { + if ((s->ext.hostname = OPENSSL_strdup((char *)parg)) == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR); return 0; } 
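Review bot: The new `if (!ssl_free_wbio_buffer(s)) return 0;` in `ssl3_clear` returns before `s->version` is reset and before `s->ext.npn` is freed and zeroed, so a failed clear leaves those fields from the previous connection in place. Consider doing the unconditional cleanup first and testing the BIO buffer result last, or remembering the failure and returning it after the NPN block. Callers now have to check the `int` result, as `ssl3_new` does elsewhere in this diff; any that still ignore it are outside the hunk. The function body starts in the previous hunk.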
@@ -3002,69 +3062,57 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } break; case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: - s->tlsext_debug_arg = parg; + s->ext.debug_arg = parg; ret = 1; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: - ret = s->tlsext_status_type; + ret = s->ext.status_type; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: - s->tlsext_status_type = larg; + s->ext.status_type = larg; ret = 1; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: - *(STACK_OF(X509_EXTENSION) **)parg = s->tlsext_ocsp_exts; + *(STACK_OF(X509_EXTENSION) **)parg = s->ext.ocsp.exts; ret = 1; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: - s->tlsext_ocsp_exts = parg; + s->ext.ocsp.exts = parg; ret = 1; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: - *(STACK_OF(OCSP_RESPID) **)parg = s->tlsext_ocsp_ids; + *(STACK_OF(OCSP_RESPID) **)parg = s->ext.ocsp.ids; ret = 1; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: - s->tlsext_ocsp_ids = parg; + s->ext.ocsp.ids = parg; ret = 1; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: - *(unsigned char **)parg = s->tlsext_ocsp_resp; - return s->tlsext_ocsp_resplen; + *(unsigned char **)parg = s->ext.ocsp.resp; + if (s->ext.ocsp.resp_len == 0 + || s->ext.ocsp.resp_len > LONG_MAX) + return -1; + return (long)s->ext.ocsp.resp_len; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: - OPENSSL_free(s->tlsext_ocsp_resp); - s->tlsext_ocsp_resp = parg; - s->tlsext_ocsp_resplen = larg; + OPENSSL_free(s->ext.ocsp.resp); + s->ext.ocsp.resp = parg; + s->ext.ocsp.resp_len = larg; ret = 1; break; #ifndef OPENSSL_NO_HEARTBEATS case SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT: - if (SSL_IS_DTLS(s)) - ret = dtls1_heartbeat(s); - break; - case SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING: - if (SSL_IS_DTLS(s)) - ret = s->tlsext_hb_pending; - break; - case SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS: - if (SSL_IS_DTLS(s)) { - if (larg) - s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_RECV_REQUESTS; - else - s->tlsext_heartbeat &= ~SSL_DTLSEXT_HB_DONT_RECV_REQUESTS; - 
ret = 1; - } break; #endif @@ -3089,12 +3137,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_CURRENT_CERT: if (larg == SSL_CERT_SET_SERVER) { - CERT_PKEY *cpk; const SSL_CIPHER *cipher; if (!s->server) return 0; cipher = s->s3->tmp.new_cipher; - if (!cipher) + if (cipher == NULL) return 0; /* * No certificate for unauthenticated ciphersuites or using SRP @@ -3102,29 +3149,30 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) */ if (cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) return 2; - cpk = ssl_get_server_send_pkey(s); - if (!cpk) + if (s->s3->tmp.cert == NULL) return 0; - s->cert->key = cpk; + s->cert->key = s->s3->tmp.cert; return 1; } return ssl_cert_set_current(s->cert, larg); #ifndef OPENSSL_NO_EC - case SSL_CTRL_GET_CURVES: + case SSL_CTRL_GET_GROUPS: { unsigned char *clist; size_t clistlen; + if (!s->session) return 0; - clist = s->session->tlsext_ellipticcurvelist; - clistlen = s->session->tlsext_ellipticcurvelist_length / 2; + clist = s->session->ext.supportedgroups; + clistlen = s->session->ext.supportedgroups_len / 2; if (parg) { size_t i; int *cptr = parg; unsigned int cid, nid; for (i = 0; i < clistlen; i++) { n2s(clist, cid); + /* TODO(TLS1.3): Handle DH groups here */ nid = tls1_ec_curve_id2nid(cid, NULL); if (nid != 0) cptr[i] = nid; 
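Review bot: In the `SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP` case, `s->ext.ocsp.resp_len = larg;` stores a signed `long` into what the getter's `> LONG_MAX` test suggests is a `size_t`, so a negative `larg` would become a very large length. The getter added just above now refuses to report such a value, but any other reader of `resp_len` would still use it as a byte count. Rejecting it at the setter is the cheaper fix: `if (larg < 0) return 0;` before the `OPENSSL_free`. The getter also writes `*parg` before returning -1, which is worth stating in the ctrl's documentation. `ssl3_ctrl` begins and ends outside this hunk.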
@@ -3135,16 +3183,16 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return (int)clistlen; } - case SSL_CTRL_SET_CURVES: - return tls1_set_curves(&s->tlsext_ellipticcurvelist, - &s->tlsext_ellipticcurvelist_length, parg, larg); + case SSL_CTRL_SET_GROUPS: + return tls1_set_groups(&s->ext.supportedgroups, + &s->ext.supportedgroups_len, parg, larg); - case SSL_CTRL_SET_CURVES_LIST: - return tls1_set_curves_list(&s->tlsext_ellipticcurvelist, - &s->tlsext_ellipticcurvelist_length, parg); + case SSL_CTRL_SET_GROUPS_LIST: + return tls1_set_groups_list(&s->ext.supportedgroups, + &s->ext.supportedgroups_len, parg); - case SSL_CTRL_GET_SHARED_CURVE: - return tls1_shared_curve(s, larg); + case SSL_CTRL_GET_SHARED_GROUP: + return tls1_shared_group(s, larg); #endif case SSL_CTRL_SET_SIGALGS: @@ -3164,14 +3212,9 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) const unsigned char **pctype = parg; if (s->server || !s->s3->tmp.cert_req) return 0; - if (s->cert->ctypes) { - if (pctype) - *pctype = s->cert->ctypes; - return (int)s->cert->ctype_num; - } if (pctype) - *pctype = (unsigned char *)s->s3->tmp.ctype; - return s->s3->tmp.ctype_num; + *pctype = s->s3->tmp.ctype; + return s->s3->tmp.ctype_len; } case SSL_CTRL_SET_CLIENT_CERT_TYPES: @@ -3189,20 +3232,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return ssl_cert_set_cert_store(s->cert, parg, 1, larg); case SSL_CTRL_GET_PEER_SIGNATURE_NID: - if (SSL_USE_SIGALGS(s)) { - if (s->session) { - const EVP_MD *sig; - sig = s->s3->tmp.peer_md; - if (sig) { - *(int *)parg = EVP_MD_type(sig); - return 1; - } - } - return 0; - } - /* Might want to do something here for other versions */ - else + if (s->s3->tmp.peer_sigalg == NULL) return 0; + *(int *)parg = s->s3->tmp.peer_sigalg->hash; + return 1; case SSL_CTRL_GET_SERVER_TMP_KEY: #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) 
@@ -3221,10 +3254,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) { SSL_SESSION *sess = s->session; const unsigned char **pformat = parg; - if (!sess || !sess->tlsext_ecpointformatlist) + + if (sess == NULL || sess->ext.ecpointformats == NULL) return 0; - *pformat = sess->tlsext_ecpointformatlist; - return (int)sess->tlsext_ecpointformatlist_length; + *pformat = sess->ext.ecpointformats; + return (int)sess->ext.ecpointformats_len; } #endif @@ -3247,8 +3281,8 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) break; #endif case SSL_CTRL_SET_TLSEXT_DEBUG_CB: - s->tlsext_debug_cb = (void (*)(SSL *, int, int, - const unsigned char *, int, void *))fp; + s->ext.debug_cb = (void (*)(SSL *, int, int, + const unsigned char *, int, void *))fp; break; case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB: @@ -3289,9 +3323,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) ctx->cert->dh_tmp = pkdh; return 1; } - /* - * break; - */ case SSL_CTRL_SET_TMP_DH_CB: { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 
@@ -3319,69 +3350,68 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) nid = EC_GROUP_get_curve_name(group); if (nid == NID_undef) return 0; - return tls1_set_curves(&ctx->tlsext_ellipticcurvelist, - &ctx->tlsext_ellipticcurvelist_length, + return tls1_set_groups(&ctx->ext.supportedgroups, + &ctx->ext.supportedgroups_len, &nid, 1); } - /* break; */ #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: - ctx->tlsext_servername_arg = parg; + ctx->ext.servername_arg = parg; break; case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: { unsigned char *keys = parg; - long tlsext_tick_keylen = (sizeof(ctx->tlsext_tick_key_name) + - sizeof(ctx->tlsext_tick_hmac_key) + - sizeof(ctx->tlsext_tick_aes_key)); + long tick_keylen = (sizeof(ctx->ext.tick_key_name) + + sizeof(ctx->ext.tick_hmac_key) + + sizeof(ctx->ext.tick_aes_key)); if (keys == NULL) - return tlsext_tick_keylen; - if (larg != tlsext_tick_keylen) { + return tick_keylen; + if (larg != tick_keylen) { SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH); return 0; } if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { - memcpy(ctx->tlsext_tick_key_name, keys, - sizeof(ctx->tlsext_tick_key_name)); - memcpy(ctx->tlsext_tick_hmac_key, - keys + sizeof(ctx->tlsext_tick_key_name), - sizeof(ctx->tlsext_tick_hmac_key)); - memcpy(ctx->tlsext_tick_aes_key, - keys + sizeof(ctx->tlsext_tick_key_name) + - sizeof(ctx->tlsext_tick_hmac_key), - sizeof(ctx->tlsext_tick_aes_key)); + memcpy(ctx->ext.tick_key_name, keys, + sizeof(ctx->ext.tick_key_name)); + memcpy(ctx->ext.tick_hmac_key, + keys + sizeof(ctx->ext.tick_key_name), + sizeof(ctx->ext.tick_hmac_key)); + memcpy(ctx->ext.tick_aes_key, + keys + sizeof(ctx->ext.tick_key_name) + + sizeof(ctx->ext.tick_hmac_key), + sizeof(ctx->ext.tick_aes_key)); } else { - memcpy(keys, ctx->tlsext_tick_key_name, - sizeof(ctx->tlsext_tick_key_name)); - memcpy(keys + sizeof(ctx->tlsext_tick_key_name), - ctx->tlsext_tick_hmac_key, - 
sizeof(ctx->tlsext_tick_hmac_key)); - memcpy(keys + sizeof(ctx->tlsext_tick_key_name) + - sizeof(ctx->tlsext_tick_hmac_key), - ctx->tlsext_tick_aes_key, - sizeof(ctx->tlsext_tick_aes_key)); + memcpy(keys, ctx->ext.tick_key_name, + sizeof(ctx->ext.tick_key_name)); + memcpy(keys + sizeof(ctx->ext.tick_key_name), + ctx->ext.tick_hmac_key, + sizeof(ctx->ext.tick_hmac_key)); + memcpy(keys + sizeof(ctx->ext.tick_key_name) + + sizeof(ctx->ext.tick_hmac_key), + ctx->ext.tick_aes_key, + sizeof(ctx->ext.tick_aes_key)); } return 1; } case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: - return ctx->tlsext_status_type; + return ctx->ext.status_type; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: - ctx->tlsext_status_type = larg; + ctx->ext.status_type = larg; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: - ctx->tlsext_status_arg = parg; + ctx->ext.status_arg = parg; return 1; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: - *(void**)parg = ctx->tlsext_status_arg; + *(void**)parg = ctx->ext.status_arg; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: - *(int (**)(SSL*, void*))parg = ctx->tlsext_status_cb; + *(int (**)(SSL*, void*))parg = ctx->ext.status_cb; break; #ifndef OPENSSL_NO_SRP @@ -3403,7 +3433,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD: ctx->srp_ctx.SRP_give_srp_client_pwd_callback = srp_password_from_info_cb; - ctx->srp_ctx.info = parg; + if (ctx->srp_ctx.info != NULL) + OPENSSL_free(ctx->srp_ctx.info); + if ((ctx->srp_ctx.info = BUF_strdup((char *)parg)) == NULL) { + SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR); + return 0; + } break; case SSL_CTRL_SET_SRP_ARG: ctx->srp_ctx.srp_Mask |= SSL_kSRP; 
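Review bot: In the `SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD` case the context now owns a heap copy of the SRP password, and the previous copy is released with plain `OPENSSL_free`, which leaves the secret readable in freed memory. `OPENSSL_clear_free(ctx->srp_ctx.info, strlen(ctx->srp_ctx.info));` under the existing NULL check would wipe it first, the way this file already treats `tmp.pms`. A NULL `parg` now reaches `BUF_strdup`; if that returns NULL for NULL input, the call fails with `ERR_R_INTERNAL_ERROR` where it was previously accepted. The copy also needs a matching wipe-and-free wherever the context's SRP state is torn down, which is not visible in this hunk.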
@@ -3416,14 +3451,14 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) #endif #ifndef OPENSSL_NO_EC - case SSL_CTRL_SET_CURVES: - return tls1_set_curves(&ctx->tlsext_ellipticcurvelist, - &ctx->tlsext_ellipticcurvelist_length, + case SSL_CTRL_SET_GROUPS: + return tls1_set_groups(&ctx->ext.supportedgroups, + &ctx->ext.supportedgroups_len, parg, larg); - case SSL_CTRL_SET_CURVES_LIST: - return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist, - &ctx->tlsext_ellipticcurvelist_length, + case SSL_CTRL_SET_GROUPS_LIST: + return tls1_set_groups_list(&ctx->ext.supportedgroups, + &ctx->ext.supportedgroups_len, parg); #endif case SSL_CTRL_SET_SIGALGS: @@ -3515,15 +3550,15 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) break; #endif case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: - ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp; + ctx->ext.servername_cb = (int (*)(SSL *, int *, void *))fp; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: - ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp; + ctx->ext.status_cb = (int (*)(SSL *, void *))fp; break; case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: - ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, + ctx->ext.ticket_key_cb = (int (*)(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; 
@@ -3556,25 +3591,32 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) return (1); } -/* - * This function needs to check if the ciphers required are actually - * available - */ -const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) +const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id) { SSL_CIPHER c; const SSL_CIPHER *cp; - uint32_t id; - id = 0x03000000 | ((uint32_t)p[0] << 8L) | (uint32_t)p[1]; c.id = id; cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); - return cp; + if (cp != NULL) + return cp; + return OBJ_bsearch_ssl_cipher_id(&c, ssl3_scsvs, SSL3_NUM_SCSVS); +} + +/* + * This function needs to check if the ciphers required are actually + * available + */ +const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) +{ + return ssl3_get_cipher_by_id(SSL3_CK_CIPHERSUITE_FLAG + | ((uint32_t)p[0] << 8L) + | (uint32_t)p[1]); } int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len) { - if ((c->id & 0xff000000) != 0x03000000) { + if ((c->id & 0xff000000) != SSL3_CK_CIPHERSUITE_FLAG) { *len = 0; return 1; } @@ -3600,20 +3642,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, const SSL_CIPHER *c, *ret = NULL; STACK_OF(SSL_CIPHER) *prio, *allow; int i, ii, ok; - unsigned long alg_k, alg_a, mask_k, mask_a; + unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0; /* Let's see which ciphers we can support */ -#if 0 /* * Do not set the compare functions, because this may lead to a * reordering by "id". We want to keep the original ordering. We may pay * a price in performance during sk_SSL_CIPHER_find(), but would have to * pay with the price of sk_SSL_CIPHER_dup(). */ - sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp); - sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp); -#endif #ifdef CIPHER_DEBUG fprintf(stderr, "Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), 
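Review bot: `ssl3_get_cipher_by_id` is added without a comment, and it now falls back to `ssl3_scsvs`, which changes what `ssl3_get_cipher_by_char` can return. The SCSV entries are declared earlier in this diff with a leading `0` and every algorithm field zero, so a caller that treats any non-NULL result as a negotiable cipher has to test that first field (presumably `valid`); those callers are outside this hunk. A header comment such as `/* Look up |id| in ssl3_ciphers, then ssl3_scsvs. SCSV entries are signalling values, not usable ciphers. Both tables must already be sorted by ssl_sort_cipher_list(). */` would record the contract. The comment kept above `ssl3_get_cipher_by_char` about checking availability describes something the body does not do and could be reworded at the same time.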
@@ -3638,8 +3676,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, allow = srvr; } - tls1_set_cert_validity(s); - ssl_set_masks(s); + if (!SSL_IS_TLS13(s)) { + tls1_set_cert_validity(s); + ssl_set_masks(s); + } for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { c = sk_SSL_CIPHER_value(prio, i); 
@@ -3653,41 +3693,47 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, DTLS_VERSION_GT(s->version, c->max_dtls))) continue; - mask_k = s->s3->tmp.mask_k; - mask_a = s->s3->tmp.mask_a; + /* + * Since TLS 1.3 ciphersuites can be used with any auth or + * key exchange scheme skip tests. + */ + if (!SSL_IS_TLS13(s)) { + mask_k = s->s3->tmp.mask_k; + mask_a = s->s3->tmp.mask_a; #ifndef OPENSSL_NO_SRP - if (s->srp_ctx.srp_Mask & SSL_kSRP) { - mask_k |= SSL_kSRP; - mask_a |= SSL_aSRP; - } + if (s->srp_ctx.srp_Mask & SSL_kSRP) { + mask_k |= SSL_kSRP; + mask_a |= SSL_aSRP; + } #endif - alg_k = c->algorithm_mkey; - alg_a = c->algorithm_auth; + alg_k = c->algorithm_mkey; + alg_a = c->algorithm_auth; #ifndef OPENSSL_NO_PSK - /* with PSK there must be server callback set */ - if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL) - continue; + /* with PSK there must be server callback set */ + if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL) + continue; #endif /* OPENSSL_NO_PSK */ - ok = (alg_k & mask_k) && (alg_a & mask_a); + ok = (alg_k & mask_k) && (alg_a & mask_a); #ifdef CIPHER_DEBUG - fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k, - alg_a, mask_k, mask_a, (void *)c, c->name); + fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k, + alg_a, mask_k, mask_a, (void *)c, c->name); #endif #ifndef OPENSSL_NO_EC - /* - * if we are considering an ECC cipher suite that uses an ephemeral - * EC key check it - */ - if (alg_k & SSL_kECDHE) - ok = ok && tls1_check_ec_tmp_key(s, c->id); + /* + * if we are considering an ECC cipher suite that uses an ephemeral + * EC key check it + */ + if (alg_k & SSL_kECDHE) + ok = ok && tls1_check_ec_tmp_key(s, c->id); #endif /* OPENSSL_NO_EC */ - if (!ok) - continue; + if (!ok) + continue; + } ii = sk_SSL_CIPHER_find(allow, c); if (ii >= 0) { /* Check security callback permits this cipher */ 
@@ -3714,9 +3760,8 @@ int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt) uint32_t alg_k, alg_a = 0; /* If we have custom certificate types set, use them */ - if (s->cert->ctypes) { - return WPACKET_memcpy(pkt, s->cert->ctypes, s->cert->ctype_num); - } + if (s->cert->ctype) + return WPACKET_memcpy(pkt, s->cert->ctype, s->cert->ctype_len); /* Get mask of algorithms disabled by signature list */ ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK); @@ -3764,17 +3809,17 @@ int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt) static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len) { - OPENSSL_free(c->ctypes); - c->ctypes = NULL; - if (!p || !len) + OPENSSL_free(c->ctype); + c->ctype = NULL; + c->ctype_len = 0; + if (p == NULL || len == 0) return 1; if (len > 0xff) return 0; - c->ctypes = OPENSSL_malloc(len); - if (c->ctypes == NULL) + c->ctype = OPENSSL_memdup(p, len); + if (c->ctype == NULL) return 0; - memcpy(c->ctypes, p, len); - c->ctype_num = len; + c->ctype_len = len; return 1; } @@ -3812,11 +3857,11 @@ int ssl3_shutdown(SSL *s) return (ret); } } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { - size_t read; + size_t readbytes; /* * If we are waiting for a close from our peer, we are closed */ - s->method->ssl_read_bytes(s, 0, NULL, NULL, 0, 0, &read); + s->method->ssl_read_bytes(s, 0, NULL, NULL, 0, 0, &readbytes); if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { return -1; /* return WANT_READ */ } 
@@ -3833,24 +3878,24 @@ int ssl3_write(SSL *s, const void *buf, size_t len, size_t *written) { clear_sys_error(); if (s->s3->renegotiate) - ssl3_renegotiate_check(s); + ssl3_renegotiate_check(s, 0); return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, written); } static int ssl3_read_internal(SSL *s, void *buf, size_t len, int peek, - size_t *read) + size_t *readbytes) { int ret; clear_sys_error(); if (s->s3->renegotiate) - ssl3_renegotiate_check(s); + ssl3_renegotiate_check(s, 0); s->s3->in_read_app_data = 1; ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, NULL, buf, len, - peek, read); + peek, readbytes); if ((ret == -1) && (s->s3->in_read_app_data == 2)) { /* * ssl3_read_bytes decided to call s->handshake_func, which called @@ -3862,7 +3907,7 @@ static int ssl3_read_internal(SSL *s, void *buf, size_t len, int peek, ossl_statem_set_in_handshake(s, 1); ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, NULL, buf, - len, peek, read); + len, peek, readbytes); ossl_statem_set_in_handshake(s, 0); } else s->s3->in_read_app_data = 0; @@ -3870,14 +3915,14 @@ static int ssl3_read_internal(SSL *s, void *buf, size_t len, int peek, return ret; } -int ssl3_read(SSL *s, void *buf, size_t len, size_t *read) +int ssl3_read(SSL *s, void *buf, size_t len, size_t *readbytes) { - return ssl3_read_internal(s, buf, len, 0, read); + return ssl3_read_internal(s, buf, len, 0, readbytes); } -int ssl3_peek(SSL *s, void *buf, size_t len, size_t *read) +int ssl3_peek(SSL *s, void *buf, size_t len, size_t *readbytes) { - return ssl3_read_internal(s, buf, len, 1, read); + return ssl3_read_internal(s, buf, len, 1, readbytes); } int ssl3_renegotiate(SSL *s) 
@@ -3885,21 +3930,26 @@ int ssl3_renegotiate(SSL *s) if (s->handshake_func == NULL) return (1); - if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) - return (0); - s->s3->renegotiate = 1; return (1); } -int ssl3_renegotiate_check(SSL *s) +/* + * Check if we are waiting to do a renegotiation and if so whether now is a + * good time to do it. If |initok| is true then we are being called from inside + * the state machine so ignore the result of SSL_in_init(s). Otherwise we + * should not do a renegotiation if SSL_in_init(s) is true. Returns 1 if we + * should do a renegotiation now and sets up the state machine for it. Otherwise + * returns 0. + */ +int ssl3_renegotiate_check(SSL *s, int initok) { int ret = 0; if (s->s3->renegotiate) { if (!RECORD_LAYER_read_pending(&s->rlayer) && !RECORD_LAYER_write_pending(&s->rlayer) - && !SSL_in_init(s)) { + && (initok || !SSL_in_init(s))) { /* * if we are the server, and we have sent a 'RENEGOTIATE' * message, we need to set the state machine into the renegotiate @@ -3912,7 +3962,7 @@ int ssl3_renegotiate_check(SSL *s) ret = 1; } } - return (ret); + return ret; } /* @@ -3941,9 +3991,10 @@ long ssl_get_algorithm2(SSL *s) * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 on * failure, 1 on success. */ -int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) +int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, + DOWNGRADE dgrd) { - int send_time = 0; + int send_time = 0, ret; if (len < 4) return 0; 
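Review bot: The first hunk on this line removes the `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` test from ssl3_renegotiate, so the function now sets `s->s3->renegotiate` whenever a handshake function is present, and none of the visible hunks shows that restriction being applied anywhere else. If the flag can still be set by other code, a reader will expect it to have an effect. The removal should either be paired with the flag's retirement or be explained at this site, for example with `/* SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is intentionally no longer consulted here */`. The new `initok` parameter of ssl3_renegotiate_check is well covered by the added block comment.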
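Review bot: The header comment of ssl_fill_hello_random, in the last hunk on this line, still describes only `len` and the return value and says nothing about the new `dgrd` argument. I would add a sentence such as `If |dgrd| is DOWNGRADE_TO_1_2 or DOWNGRADE_TO_1_1 the tail of |result| is overwritten with the matching downgrade sentinel.`, which matches what the following hunk does. The function body continues outside this hunk.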
@@ -3955,15 +4006,33 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) unsigned long Time = (unsigned long)time(NULL); unsigned char *p = result; l2n(Time, p); - return RAND_bytes(p, len - 4); - } else - return RAND_bytes(result, len); + /* TODO(size_t): Convert this */ + ret = RAND_bytes(p, (int)(len - 4)); + } else { + ret = RAND_bytes(result, (int)len); + } +#ifndef OPENSSL_NO_TLS13DOWNGRADE + if (ret) { + if (!ossl_assert(sizeof(tls11downgrade) < len) + || !ossl_assert(sizeof(tls12downgrade) < len)) + return 0; + if (dgrd == DOWNGRADE_TO_1_2) + memcpy(result + len - sizeof(tls12downgrade), tls12downgrade, + sizeof(tls12downgrade)); + else if (dgrd == DOWNGRADE_TO_1_1) + memcpy(result + len - sizeof(tls11downgrade), tls11downgrade, + sizeof(tls11downgrade)); + } +#endif + return ret; } int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, int free_pms) { unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; + int ret = 0; + if (alg_k & SSL_PSK) { #ifndef OPENSSL_NO_PSK unsigned char *pskpms, *t; @@ -3978,10 +4047,8 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, pskpmslen = 4 + pmslen + psklen; pskpms = OPENSSL_malloc(pskpmslen); - if (pskpms == NULL) { - s->session->master_key_length = 0; + if (pskpms == NULL) goto err; - } t = pskpms; s2n(pmslen, t); if (alg_k & SSL_kPSK) 
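Review bot: In ssl_fill_hello_random the sentinel block is guarded by `if (ret)`, which is also true for a negative result from RAND_bytes, and the function's own header comment allows returns `<= 0` on failure. On such a failure the downgrade marker would be copied into a buffer whose random part was never filled, while the error value is still returned. `if (ret > 0) {` limits the block to the success case. The `(int)(len - 4)` and `(int)len` casts depend on callers passing a small length, which the visible code bounds only from below with `len < 4`. Until the TODO is resolved, an upper-bound check or assertion next to that guard would make the assumption explicit.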
@@ -3994,23 +4061,23 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, OPENSSL_clear_free(s->s3->tmp.psk, psklen); s->s3->tmp.psk = NULL; - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, - pskpms, pskpmslen); + if (!s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key,pskpms, pskpmslen, + &s->session->master_key_length)) + goto err; OPENSSL_clear_free(pskpms, pskpmslen); #else /* Should never happen */ - s->session->master_key_length = 0; goto err; #endif } else { - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, - pms, pmslen); + if (!s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key, pms, pmslen, + &s->session->master_key_length)) + goto err; } + ret = 1; err: if (pms) { if (free_pms) @@ -4020,7 +4087,7 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, } if (s->server == 0) s->s3->tmp.pms = NULL; - return s->session->master_key_length >= 0; + return ret; } /* Generate a private key from parameters */ @@ -4079,8 +4146,8 @@ EVP_PKEY *ssl_generate_pkey_curve(int id) } #endif -/* Derive premaster or master secret for ECDH/DH */ -int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey) +/* Derive secrets for ECDH/DH */ +int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) { int rv = 0; unsigned char *pms = NULL; 
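Review bot: In the PSK branch of ssl_generate_master_secret the new `goto err;` after a failed `generate_master_secret` call jumps past `OPENSSL_clear_free(pskpms, pskpmslen);`, so on that path the buffer holding the PSK pre-master secret is neither cleansed nor freed. `pskpms` is declared inside the branch (the declaration is visible in the preceding hunk), so the code after `err:` cannot release it. Bracing the failure path as `{ OPENSSL_clear_free(pskpms, pskpmslen); goto err; }` closes the leak and keeps the key material from lingering on the heap. The same call also lost a space in `s->session->master_key,pskpms`. Because the failure paths no longer reset `s->session->master_key_length`, callers must rely on the return value alone.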
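Review bot: The replacement comment `/* Derive secrets for ECDH/DH */` above ssl_derive, in the last hunk on this line, does not say what the new `gensecret` argument selects. Suggested wording, based on the branch in the next hunk: `/* Derive secrets for ECDH/DH. If |gensecret| is nonzero, generate the master secret (TLS 1.3: the handshake secret) from the result; otherwise save it as the premaster secret in s->s3->tmp. */`. The function body starts in this hunk and continues outside it.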
@@ -4105,12 +4172,25 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey) if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0) goto err; - if (s->server) { - /* For server generate master secret and discard premaster */ - rv = ssl_generate_master_secret(s, pms, pmslen, 1); - pms = NULL; + if (gensecret) { + if (SSL_IS_TLS13(s)) { + /* + * If we are resuming then we already generated the early secret + * when we created the ClientHello, so don't recreate it. + */ + if (!s->hit) + rv = tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, + 0, + (unsigned char *)&s->early_secret); + else + rv = 1; + + rv = rv && tls13_generate_handshake_secret(s, pms, pmslen); + } else { + rv = ssl_generate_master_secret(s, pms, pmslen, 0); + } } else { - /* For client just save premaster secret */ + /* Save premaster secret */ s->s3->tmp.pms = pms; s->s3->tmp.pmslen = pmslen; pms = NULL;
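Review bot: The `gensecret` branch of ssl_derive now calls `ssl_generate_master_secret(s, pms, pmslen, 0)` and no longer sets `pms = NULL;`, so unlike the removed server path the premaster buffer stays owned by ssl_derive, and the TLS 1.3 path never hands it off either. Releasing it therefore depends on the cleanup after `err:`, which lies outside this hunk. That cleanup needs to clear and free `pms` on the success path as well as on failure. A short comment at the top of the branch, `/* pms stays owned by this function; it is cleansed and freed at err: */`, would record the ownership change once the cleanup is confirmed to do that.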