X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_srvr.c;h=bfbf951f72cc8d6691e9ded771f60717129b7f3f;hp=4b1931a71fe1e0f016bf6087e4c4fb564819db11;hb=332737217a9b8eb07d53634ae72b0e2e9ec9b8c6;hpb=9dd84053419aa220b5e66a5f9fcf809dbd6d9369 diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 4b1931a71f..bfbf951f72 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -121,6 +121,32 @@ * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. * */ +/* ==================================================================== + * Copyright 2005 Nokia. All rights reserved. + * + * The portions of the attached software ("Contribution") is developed by + * Nokia Corporation and is licensed pursuant to the OpenSSL open source + * license. + * + * The Contribution, originally written by Mika Kousa and Pasi Eronen of + * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites + * support (see RFC 4279) to OpenSSL. + * + * No patent licenses or other rights except those expressly stated in + * the OpenSSL open source license shall be deemed granted or received + * expressly, by implication, estoppel, or otherwise. + * + * No assurances are provided by Nokia that the Contribution does not + * infringe the patent or other intellectual property rights of any third + * party or that the license provides you with all the necessary rights + * to make use of the Contribution. + * + * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN + * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA + * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY + * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR + * OTHERWISE. + */ #define REUSE_CIPHER_BUG #define NETSCAPE_HANG_BUG @@ -133,20 +159,18 @@ #include #include #include +#ifndef OPENSSL_NO_DH #include +#endif #include #ifndef OPENSSL_NO_KRB5 #include #endif #include -static SSL_METHOD *ssl3_get_server_method(int ver); - -#ifndef OPENSSL_NO_ECDH -static int nid2curve_id(int nid); -#endif +static const SSL_METHOD *ssl3_get_server_method(int ver); -static SSL_METHOD *ssl3_get_server_method(int ver) +static const SSL_METHOD *ssl3_get_server_method(int ver) { if (ver == SSL3_VERSION) return(SSLv3_server_method()); @@ -154,33 +178,15 @@ static SSL_METHOD *ssl3_get_server_method(int ver) return(NULL); } -SSL_METHOD *SSLv3_server_method(void) - { - static int init=1; - static SSL_METHOD SSLv3_server_data; - - if (init) - { - CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); - - if (init) - { - memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(), - sizeof(SSL_METHOD)); - SSLv3_server_data.ssl_accept=ssl3_accept; - SSLv3_server_data.get_ssl_method=ssl3_get_server_method; - init=0; - } - - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); - } - return(&SSLv3_server_data); - } +IMPLEMENT_ssl3_meth_func(SSLv3_server_method, + ssl3_accept, + ssl_undefined_function, + ssl3_get_server_method) int ssl3_accept(SSL *s) { BUF_MEM *buf; - unsigned long l,Time=time(NULL); + unsigned long l,Time=(unsigned long)time(NULL); void (*cb)(const SSL *ssl,int type,int val)=NULL; long num1; int ret= -1; @@ -297,6 +303,7 @@ int ssl3_accept(SSL *s) s->shutdown=0; ret=ssl3_get_client_hello(s); if (ret <= 0) goto end; + s->new_session = 2; s->state=SSL3_ST_SW_SRVR_HELLO_A; s->init_num=0; @@ -317,7 +324,9 @@ int ssl3_accept(SSL *s) case SSL3_ST_SW_CERT_A: case SSL3_ST_SW_CERT_B: /* Check if it is anon DH or anon ECDH */ - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) + /* or normal PSK */ + if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) + && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK)) { ret=ssl3_send_server_certificate(s); if (ret <= 0) goto end; @@ -351,6 +360,8 @@ int ssl3_accept(SSL *s) /* only send if a DH key exchange, fortezza or * RSA but we have a sign only certificate * + * PSK: may send PSK identity hints + * * For ECC ciphersuites, we send a serverKeyExchange * message only if the cipher suite is either * ECDH-anon or ECDHE. In other cases, the @@ -358,6 +369,11 @@ int ssl3_accept(SSL *s) * public key for key exchange. */ if (s->s3->tmp.use_rsa_tmp + /* PSK: send ServerKeyExchange if PSK identity + * hint if provided */ +#ifndef OPENSSL_NO_PSK + || ((l & SSL_kPSK) && s->ctx->psk_identity_hint) +#endif || (l & SSL_kECDHE) || (l & (SSL_DH|SSL_kFZA)) || ((l & SSL_kRSA) @@ -395,7 +411,10 @@ int ssl3_accept(SSL *s) * (against the specs, but s3_clnt.c accepts this for SSL 3) */ !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || /* never request cert in Kerberos ciphersuites */ - (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) + (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5) + /* With normal PSK Certificates and + * Certificate Requests are omitted */ + || (s->s3->tmp.new_cipher->algorithms & SSL_kPSK)) { /* no cert request */ skip=1; @@ -682,7 +701,9 @@ int ssl3_get_client_hello(SSL *s) unsigned long id; unsigned char *p,*d,*q; SSL_CIPHER *c; +#ifndef OPENSSL_NO_COMP SSL_COMP *comp=NULL; +#endif STACK_OF(SSL_CIPHER) *ciphers=NULL; /* We do this so that we will respond with our native type. @@ -909,11 +930,29 @@ int ssl3_get_client_hello(SSL *s) goto f_err; } +#ifndef OPENSSL_NO_TLSEXT + /* TLS extensions*/ + if (s->version > SSL3_VERSION) + { + if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al)) + { + /* 'al' set by ssl_parse_clienthello_tlsext */ + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); + goto f_err; + } + } + if (ssl_check_clienthello_tlsext(s) <= 0) { + SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT); + goto err; + } +#endif + /* Worst case, we will use the NULL compression, but if we have other * options, we will now look for them. We have i-1 compression * algorithms from the client, starting at q. */ s->s3->tmp.new_compression=NULL; - if (s->ctx->comp_methods != NULL) +#ifndef OPENSSL_NO_COMP + if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods) { /* See if we have a match */ int m,nn,o,v,done=0; @@ -937,22 +976,6 @@ int ssl3_get_client_hello(SSL *s) else comp=NULL; } - - /* TLS does not mind if there is extra stuff */ -#if 0 /* SSL 3.0 does not mind either, so we should disable this test - * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, - * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ - if (s->version == SSL3_VERSION) - { - if (p < (d+n)) - { - /* wrong number of bytes, - * there could be more to follow */ - al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); - goto f_err; - } - } #endif /* Given s->session->ciphers and SSL_get_ciphers, we must @@ -960,7 +983,11 @@ int ssl3_get_client_hello(SSL *s) if (!s->hit) { +#ifdef OPENSSL_NO_COMP + s->session->compress_meth=0; +#else s->session->compress_meth=(comp == NULL)?0:comp->id; +#endif if (s->session->ciphers != NULL) sk_SSL_CIPHER_free(s->session->ciphers); s->session->ciphers=ciphers; @@ -1046,7 +1073,7 @@ int ssl3_send_server_hello(SSL *s) { buf=(unsigned char *)s->init_buf->data; p=s->s3->server_random; - Time=time(NULL); /* Time */ + Time=(unsigned long)time(NULL); /* Time */ l2n(Time,p); if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) return -1; @@ -1086,10 +1113,26 @@ int ssl3_send_server_hello(SSL *s) p+=i; /* put the compression method */ +#ifdef OPENSSL_NO_COMP + *(p++)=0; +#else if (s->s3->tmp.new_compression == NULL) *(p++)=0; else *(p++)=s->s3->tmp.new_compression->id; +#endif +#ifndef OPENSSL_NO_TLSEXT + if (ssl_prepare_serverhello_tlsext(s) <= 0) + { + SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT); + return -1; + } + if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) + { + SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); + return -1; + } +#endif /* do the header */ l=(p-d); @@ -1329,7 +1372,7 @@ int ssl3_send_server_key_exchange(SSL *s) * supported named curves, curve_id is non-zero. */ if ((curve_id = - nid2curve_id(EC_GROUP_get_curve_name(group))) + tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group))) == 0) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); @@ -1370,11 +1413,11 @@ int ssl3_send_server_key_exchange(SSL *s) /* XXX: For now, we only support named (not * generic) curves in ECDH ephemeral key exchanges. - * In this situation, we need three additional bytes + * In this situation, we need four additional bytes * to encode the entire ServerECDHParams * structure. */ - n = 3 + encodedlen; + n = 4 + encodedlen; /* We'll generate the serverKeyExchange message * explicitly so we can set these to NULLs @@ -1382,9 +1425,18 @@ int ssl3_send_server_key_exchange(SSL *s) r[0]=NULL; r[1]=NULL; r[2]=NULL; + r[3]=NULL; } else #endif /* !OPENSSL_NO_ECDH */ +#ifndef OPENSSL_NO_PSK + if (type & SSL_kPSK) + { + /* reserve size for record length and PSK identity hint*/ + n+=2+strlen(s->ctx->psk_identity_hint); + } + else +#endif /* !OPENSSL_NO_PSK */ { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); @@ -1396,7 +1448,8 @@ int ssl3_send_server_key_exchange(SSL *s) n+=2+nr[i]; } - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) + if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) + && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK)) { if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) == NULL) @@ -1432,12 +1485,14 @@ int ssl3_send_server_key_exchange(SSL *s) { /* XXX: For now, we only support named (not generic) curves. * In this situation, the serverKeyExchange message has: - * [1 byte CurveType], [1 byte CurveName] + * [1 byte CurveType], [2 byte CurveName] * [1 byte length of encoded point], followed by * the actual encoded point itself */ *p = NAMED_CURVE_TYPE; p += 1; + *p = 0; + p += 1; *p = curve_id; p += 1; *p = encodedlen; @@ -1450,6 +1505,16 @@ int ssl3_send_server_key_exchange(SSL *s) } #endif +#ifndef OPENSSL_NO_PSK + if (type & SSL_kPSK) + { + /* copy PSK identity hint */ + s2n(strlen(s->ctx->psk_identity_hint), p); + strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint)); + p+=strlen(s->ctx->psk_identity_hint); + } +#endif + /* not anonymous */ if (pkey != NULL) { @@ -1641,21 +1706,6 @@ err: return(-1); } - -static const int KDF1_SHA1_len = 20; -static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen) - { -#ifndef OPENSSL_NO_SHA - if (*outlen < SHA_DIGEST_LENGTH) - return NULL; - else - *outlen = SHA_DIGEST_LENGTH; - return SHA1(in, inlen, out); -#else - return NULL; -#endif - } - int ssl3_get_client_key_exchange(SSL *s) { int i,al,ok; @@ -2118,8 +2168,13 @@ int ssl3_get_client_key_exchange(SSL *s) goto f_err; } - EC_POINT_copy(clnt_ecpoint, - EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)); + if (EC_POINT_copy(clnt_ecpoint, + EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + ERR_R_EC_LIB); + goto err; + } ret = 2; /* Skip certificate verify processing */ } else @@ -2158,14 +2213,7 @@ int ssl3_get_client_key_exchange(SSL *s) ERR_R_ECDH_LIB); goto err; } - /* If field size is not more than 24 octets, then use SHA-1 hash of result; - * otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt; - * this is new with this version of the Internet Draft). - */ - if (field_size <= 24 * 8) - i = ECDH_compute_key(p, KDF1_SHA1_len, clnt_ecpoint, srvr_ecdh, KDF1_SHA1); - else - i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); + i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); if (i <= 0) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, @@ -2187,6 +2235,101 @@ int ssl3_get_client_key_exchange(SSL *s) return (ret); } else +#endif +#ifndef OPENSSL_NO_PSK + if (l & SSL_kPSK) + { + unsigned char *t = NULL; + unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; + unsigned int pre_ms_len = 0, psk_len = 0; + int psk_err = 1; + char tmp_id[PSK_MAX_IDENTITY_LEN+1]; + + al=SSL_AD_HANDSHAKE_FAILURE; + + n2s(p,i); + if (n != i+2) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_LENGTH_MISMATCH); + goto psk_err; + } + if (i > PSK_MAX_IDENTITY_LEN) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto psk_err; + } + if (s->psk_server_callback == NULL) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_PSK_NO_SERVER_CB); + goto psk_err; + } + + /* Create guaranteed NULL-terminated identity + * string for the callback */ + memcpy(tmp_id, p, i); + memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i); + psk_len = s->psk_server_callback(s, tmp_id, + psk_or_pre_ms, sizeof(psk_or_pre_ms)); + OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1); + + if (psk_len > PSK_MAX_PSK_LEN) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto psk_err; + } + else if (psk_len == 0) + { + /* PSK related to the given identity not found */ + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_PSK_IDENTITY_NOT_FOUND); + al=SSL_AD_UNKNOWN_PSK_IDENTITY; + goto psk_err; + } + + /* create PSK pre_master_secret */ + pre_ms_len=2+psk_len+2+psk_len; + t = psk_or_pre_ms; + memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); + s2n(psk_len, t); + memset(t, 0, psk_len); + t+=psk_len; + s2n(psk_len, t); + + if (s->session->psk_identity != NULL) + OPENSSL_free(s->session->psk_identity); + s->session->psk_identity = BUF_strdup((char *)p); + if (s->session->psk_identity == NULL) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + ERR_R_MALLOC_FAILURE); + goto psk_err; + } + + if (s->session->psk_identity_hint != NULL) + OPENSSL_free(s->session->psk_identity_hint); + s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); + if (s->ctx->psk_identity_hint != NULL && + s->session->psk_identity_hint == NULL) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + ERR_R_MALLOC_FAILURE); + goto psk_err; + } + + s->session->master_key_length= + s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key, psk_or_pre_ms, pre_ms_len); + psk_err = 0; + psk_err: + OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); + if (psk_err != 0) + goto f_err; + } + else #endif { al=SSL_AD_HANDSHAKE_FAILURE; @@ -2549,67 +2692,3 @@ int ssl3_send_server_certificate(SSL *s) /* SSL3_ST_SW_CERT_B */ return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } - - -#ifndef OPENSSL_NO_ECDH -/* This is the complement of curve_id2nid in s3_clnt.c. */ -static int nid2curve_id(int nid) -{ - /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) - * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */ - switch (nid) { - case NID_sect163k1: /* sect163k1 (1) */ - return 1; - case NID_sect163r1: /* sect163r1 (2) */ - return 2; - case NID_sect163r2: /* sect163r2 (3) */ - return 3; - case NID_sect193r1: /* sect193r1 (4) */ - return 4; - case NID_sect193r2: /* sect193r2 (5) */ - return 5; - case NID_sect233k1: /* sect233k1 (6) */ - return 6; - case NID_sect233r1: /* sect233r1 (7) */ - return 7; - case NID_sect239k1: /* sect239k1 (8) */ - return 8; - case NID_sect283k1: /* sect283k1 (9) */ - return 9; - case NID_sect283r1: /* sect283r1 (10) */ - return 10; - case NID_sect409k1: /* sect409k1 (11) */ - return 11; - case NID_sect409r1: /* sect409r1 (12) */ - return 12; - case NID_sect571k1: /* sect571k1 (13) */ - return 13; - case NID_sect571r1: /* sect571r1 (14) */ - return 14; - case NID_secp160k1: /* secp160k1 (15) */ - return 15; - case NID_secp160r1: /* secp160r1 (16) */ - return 16; - case NID_secp160r2: /* secp160r2 (17) */ - return 17; - case NID_secp192k1: /* secp192k1 (18) */ - return 18; - case NID_X9_62_prime192v1: /* secp192r1 (19) */ - return 19; - case NID_secp224k1: /* secp224k1 (20) */ - return 20; - case NID_secp224r1: /* secp224r1 (21) */ - return 21; - case NID_secp256k1: /* secp256k1 (22) */ - return 22; - case NID_X9_62_prime256v1: /* secp256r1 (23) */ - return 23; - case NID_secp384r1: /* secp384r1 (24) */ - return 24; - case NID_secp521r1: /* secp521r1 (25) */ - return 25; - default: - return 0; - } -} -#endif