X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=063c312080ce2ab9ef84b3da9e06d33c173c0838;hp=a774452a6112dac35d3729043504e41910b52719;hb=f32b0abe26285c6ba2ff258512c08e8f2fbcbdc9;hpb=1ea4d09a3c049cd3b0748410e0c53b98082980cb diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index a774452a61..063c312080 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1,5 +1,7 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -7,43 +9,9 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#include #include #include "ssl_locl.h" #include -#include #include #include #include @@ -51,6 +19,9 @@ #include #include #include +#include "internal/cryptlib.h" +#include "internal/rand.h" +#include "internal/refcount.h" const char SSL_version_str[] = OPENSSL_VERSION_TEXT; 
@@ -189,6 +160,7 @@ static int ssl_dane_dup(SSL *to, SSL *from) if (!DANETLS_ENABLED(&from->dane)) return 1; + num = sk_danetls_record_num(from->dane.trecs); dane_final(&to->dane); to->dane.flags = from->dane.flags; to->dane.dctx = &to->ctx->dane; @@ -198,8 +170,9 @@ static int ssl_dane_dup(SSL *to, SSL *from) SSLerr(SSL_F_SSL_DANE_DUP, ERR_R_MALLOC_FAILURE); return 0; } + if (!sk_danetls_record_reserve(to->dane.trecs, num)) + return 0; - num = sk_danetls_record_num(from->dane.trecs); for (i = 0; i < num; ++i) { danetls_record *t = sk_danetls_record_value(from->dane.trecs, i); 
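Review bot: The new `sk_danetls_record_reserve` failure path in ssl_dane_dup returns 0 without queuing an error, while the allocation failure immediately above it reports `SSLerr(SSL_F_SSL_DANE_DUP, ERR_R_MALLOC_FAILURE)`. A caller that inspects the error queue after a failed duplication finds nothing for this case. Suggest mirroring the neighbouring path by adding `SSLerr(SSL_F_SSL_DANE_DUP, ERR_R_MALLOC_FAILURE);` before the `return 0;`. The function body continues past the end of the hunk.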
@@ -431,6 +404,116 @@ static int dane_tlsa_add(SSL_DANE *dane, return 1; } +/* + * Return 0 if there is only one version configured and it was disabled + * at configure time. Return 1 otherwise. + */ +static int ssl_check_allowed_versions(int min_version, int max_version) +{ + int minisdtls = 0, maxisdtls = 0; + + /* Figure out if we're doing DTLS versions or TLS versions */ + if (min_version == DTLS1_BAD_VER + || min_version >> 8 == DTLS1_VERSION_MAJOR) + minisdtls = 1; + if (max_version == DTLS1_BAD_VER + || max_version >> 8 == DTLS1_VERSION_MAJOR) + maxisdtls = 1; + /* A wildcard version of 0 could be DTLS or TLS. */ + if ((minisdtls && !maxisdtls && max_version != 0) + || (maxisdtls && !minisdtls && min_version != 0)) { + /* Mixing DTLS and TLS versions will lead to sadness; deny it. */ + return 0; + } + + if (minisdtls || maxisdtls) { + /* Do DTLS version checks. */ + if (min_version == 0) + /* Ignore DTLS1_BAD_VER */ + min_version = DTLS1_VERSION; + if (max_version == 0) + max_version = DTLS1_2_VERSION; +#ifdef OPENSSL_NO_DTLS1_2 + if (max_version == DTLS1_2_VERSION) + max_version = DTLS1_VERSION; +#endif +#ifdef OPENSSL_NO_DTLS1 + if (min_version == DTLS1_VERSION) + min_version = DTLS1_2_VERSION; +#endif + /* Done massaging versions; do the check. */ + if (0 +#ifdef OPENSSL_NO_DTLS1 + || (DTLS_VERSION_GE(min_version, DTLS1_VERSION) + && DTLS_VERSION_GE(DTLS1_VERSION, max_version)) +#endif +#ifdef OPENSSL_NO_DTLS1_2 + || (DTLS_VERSION_GE(min_version, DTLS1_2_VERSION) + && DTLS_VERSION_GE(DTLS1_2_VERSION, max_version)) +#endif + ) + return 0; + } else { + /* Regular TLS version checks. 
*/ + if (min_version == 0) + min_version = SSL3_VERSION; + if (max_version == 0) + max_version = TLS1_3_VERSION; +#ifdef OPENSSL_NO_TLS1_3 + if (max_version == TLS1_3_VERSION) + max_version = TLS1_2_VERSION; +#endif +#ifdef OPENSSL_NO_TLS1_2 + if (max_version == TLS1_2_VERSION) + max_version = TLS1_1_VERSION; +#endif +#ifdef OPENSSL_NO_TLS1_1 + if (max_version == TLS1_1_VERSION) + max_version = TLS1_VERSION; +#endif +#ifdef OPENSSL_NO_TLS1 + if (max_version == TLS1_VERSION) + max_version = SSL3_VERSION; +#endif +#ifdef OPENSSL_NO_SSL3 + if (min_version == SSL3_VERSION) + min_version = TLS1_VERSION; +#endif +#ifdef OPENSSL_NO_TLS1 + if (min_version == TLS1_VERSION) + min_version = TLS1_1_VERSION; +#endif +#ifdef OPENSSL_NO_TLS1_1 + if (min_version == TLS1_1_VERSION) + min_version = TLS1_2_VERSION; +#endif +#ifdef OPENSSL_NO_TLS1_2 + if (min_version == TLS1_2_VERSION) + min_version = TLS1_3_VERSION; +#endif + /* Done massaging versions; do the check. */ + if (0 +#ifdef OPENSSL_NO_SSL3 + || (min_version <= SSL3_VERSION && SSL3_VERSION <= max_version) +#endif +#ifdef OPENSSL_NO_TLS1 + || (min_version <= TLS1_VERSION && TLS1_VERSION <= max_version) +#endif +#ifdef OPENSSL_NO_TLS1_1 + || (min_version <= TLS1_1_VERSION && TLS1_1_VERSION <= max_version) +#endif +#ifdef OPENSSL_NO_TLS1_2 + || (min_version <= TLS1_2_VERSION && TLS1_2_VERSION <= max_version) +#endif +#ifdef OPENSSL_NO_TLS1_3 + || (min_version <= TLS1_3_VERSION && TLS1_3_VERSION <= max_version) +#endif + ) + return 0; + } + return 1; +} + static void clear_ciphers(SSL *s) { /* clear the current cipher */ @@ -443,13 +526,18 @@ int SSL_clear(SSL *s) { if (s->method == NULL) { SSLerr(SSL_F_SSL_CLEAR, SSL_R_NO_METHOD_SPECIFIED); - return (0); + return 0; } if (ssl_clear_bad_session(s)) { SSL_SESSION_free(s->session); s->session = NULL; } + SSL_SESSION_free(s->psksession); + s->psksession = NULL; + OPENSSL_free(s->psksession_id); + s->psksession_id = NULL; + s->psksession_id_len = 0; s->error = 0; s->hit = 0; 
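Review bot: The TLS branch of ssl_check_allowed_versions rejects more than its header comment describes. The massaging steps move a bound only when it equals a disabled version, so in a build with only OPENSSL_NO_TLS1_1 a request for TLS1_VERSION..TLS1_2_VERSION still satisfies `min_version <= TLS1_1_VERSION && TLS1_1_VERSION <= max_version` and returns 0, although two enabled versions remain in range. The DTLS branch is written the other way round (`DTLS_VERSION_GE(min_version, DTLS1_VERSION) && DTLS_VERSION_GE(DTLS1_VERSION, max_version)`), which, assuming the macro orders DTLS versions by protocol age, fires only when both bounds sit on the disabled version. Either make the TLS test match that form, or update the comment to say that any range containing a compiled-out version, and any mix of TLS and DTLS bounds, is refused.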
@@ -485,20 +573,21 @@ int SSL_clear(SSL *s) /* * Check to see if we were changed into a different method, if so, revert - * back if we are not doing session-id reuse. + * back. */ - if (!ossl_statem_get_in_handshake(s) && (s->session == NULL) - && (s->method != s->ctx->method)) { + if (s->method != s->ctx->method) { s->method->ssl_free(s); s->method = s->ctx->method; if (!s->method->ssl_new(s)) - return (0); - } else - s->method->ssl_clear(s); + return 0; + } else { + if (!s->method->ssl_clear(s)) + return 0; + } RECORD_LAYER_clear(&s->rlayer); - return (1); + return 1; } /** Used to change an SSL_CTXs default SSL method type */ @@ -536,10 +625,21 @@ SSL *SSL_new(SSL_CTX *ctx) goto err; s->lock = CRYPTO_THREAD_lock_new(); - if (s->lock == NULL) { - SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE); - OPENSSL_free(s); - return NULL; + if (s->lock == NULL) + goto err; + + /* + * If not using the standard RAND (say for fuzzing), then don't use a + * chained DRBG. + */ + if (RAND_get_rand_method() == RAND_OpenSSL()) { + s->drbg = RAND_DRBG_new(NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF, + RAND_DRBG_get0_global()); + if (s->drbg == NULL + || RAND_DRBG_instantiate(s->drbg, NULL, 0) == 0) { + CRYPTO_THREAD_lock_free(s->lock); + goto err; + } } RECORD_LAYER_init(&s->rlayer, s); @@ -571,8 +671,12 @@ SSL *SSL_new(SSL_CTX *ctx) s->msg_callback_arg = ctx->msg_callback_arg; s->verify_mode = ctx->verify_mode; s->not_resumable_session_cb = ctx->not_resumable_session_cb; + s->record_padding_cb = ctx->record_padding_cb; + s->record_padding_arg = ctx->record_padding_arg; + s->block_padding = ctx->block_padding; s->sid_ctx_length = ctx->sid_ctx_length; - OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); + if (!ossl_assert(s->sid_ctx_length <= sizeof s->sid_ctx)) + goto err; memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); s->verify_callback = ctx->default_verify_callback; s->generate_session_id = ctx->generate_session_id; 
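Review bot: The DRBG failure path in SSL_new frees `s->lock` and then jumps to `err` without clearing the pointer, and it leaves a possibly half-built `s->drbg` for `err` to deal with. The `err` label is outside this hunk; if it tears the object down through SSL_free, whose tail in this same patch calls `RAND_DRBG_free(s->drbg)` and `CRYPTO_THREAD_lock_free(s->lock)`, the lock is released twice. Either drop the explicit free here or follow it with `s->lock = NULL;`. It is also worth confirming that `err` copes with a NULL lock now that the `s->lock == NULL` case jumps there instead of returning directly.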
@@ -616,7 +720,8 @@ SSL *SSL_new(SSL_CTX *ctx) if (ctx->ext.supportedgroups) { s->ext.supportedgroups = OPENSSL_memdup(ctx->ext.supportedgroups, - ctx->ext.supportedgroups_len); + ctx->ext.supportedgroups_len + * sizeof(*ctx->ext.supportedgroups)); if (!s->ext.supportedgroups) goto err; s->ext.supportedgroups_len = ctx->ext.supportedgroups_len; @@ -659,6 +764,8 @@ SSL *SSL_new(SSL_CTX *ctx) s->psk_client_callback = ctx->psk_client_callback; s->psk_server_callback = ctx->psk_server_callback; #endif + s->psk_find_session_cb = ctx->psk_find_session_cb; + s->psk_use_session_cb = ctx->psk_use_session_cb; s->job = NULL; @@ -741,7 +848,7 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, { /* * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how - * we can "construct" a session to give us the desired check - ie. to + * we can "construct" a session to give us the desired check - i.e. to * find if there's a session in the hash table that would conflict with * any new session built out of this id/id_len and the ssl_version in use * by this SSL. @@ -977,6 +1084,7 @@ void SSL_free(SSL *s) dane_final(&s->dane); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); + /* Ignore return value */ ssl_free_wbio_buffer(s); BIO_free_all(s->wbio); @@ -993,6 +1101,8 @@ void SSL_free(SSL *s) ssl_clear_bad_session(s); SSL_SESSION_free(s->session); } + SSL_SESSION_free(s->psksession); + OPENSSL_free(s->psksession_id); clear_ciphers(s); @@ -1015,9 +1125,10 @@ void SSL_free(SSL *s) #endif OPENSSL_free(s->ext.ocsp.resp); OPENSSL_free(s->ext.alpn); + OPENSSL_free(s->ext.tls13_cookie); OPENSSL_free(s->clienthello); - sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); + sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free); sk_X509_pop_free(s->verified_chain, X509_free); @@ -1038,6 +1149,7 @@ void SSL_free(SSL *s) sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); #endif + RAND_DRBG_free(s->drbg); CRYPTO_THREAD_lock_free(s->lock); OPENSSL_free(s); 
@@ -1320,7 +1432,7 @@ int SSL_has_pending(const SSL *s) * data. That data may not result in any application data, or we may fail * to parse the records for some reason. */ - if (SSL_pending(s)) + if (RECORD_LAYER_processed_read_pending(&s->rlayer)) return 1; return RECORD_LAYER_read_pending(&s->rlayer); @@ -1545,6 +1657,17 @@ int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes) return 0; } + if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY + || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) { + SSLerr(SSL_F_SSL_READ_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + /* + * If we are a client and haven't received the ServerHello etc then we + * better do that + */ + ossl_statem_check_finish_init(s, 0); + if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { struct ssl_async_args args; int ret; @@ -1594,25 +1717,21 @@ int SSL_read_ex(SSL *s, void *buf, size_t num, size_t *readbytes) return ret; } -int SSL_read_early(SSL *s, void *buf, size_t num, size_t *readbytes) +int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes) { int ret; if (!s->server) { - SSLerr(SSL_F_SSL_READ_EARLY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return SSL_READ_EARLY_ERROR; + SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return SSL_READ_EARLY_DATA_ERROR; } - /* - * TODO(TLS1.3): Somehow we need to check that we're not receiving too much - * data - */ - switch (s->early_data_state) { case SSL_EARLY_DATA_NONE: if (!SSL_in_before(s)) { - SSLerr(SSL_F_SSL_READ_EARLY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return SSL_READ_EARLY_ERROR; + SSLerr(SSL_F_SSL_READ_EARLY_DATA, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return SSL_READ_EARLY_DATA_ERROR; } /* fall through */ 
@@ -1622,7 +1741,7 @@ int SSL_read_early(SSL *s, void *buf, size_t num, size_t *readbytes) if (ret <= 0) { /* NBIO or error */ s->early_data_state = SSL_EARLY_DATA_ACCEPT_RETRY; - return SSL_READ_EARLY_ERROR; + return SSL_READ_EARLY_DATA_ERROR; } /* fall through */ @@ -1631,39 +1750,29 @@ int SSL_read_early(SSL *s, void *buf, size_t num, size_t *readbytes) s->early_data_state = SSL_EARLY_DATA_READING; ret = SSL_read_ex(s, buf, num, readbytes); /* - * Record layer will call ssl_end_of_early_data_seen() if we see - * that alert - which updates the early_data_state to - * SSL_EARLY_DATA_FINISHED_READING + * State machine will update early_data_state to + * SSL_EARLY_DATA_FINISHED_READING if we get an EndOfEarlyData + * message */ if (ret > 0 || (ret <= 0 && s->early_data_state != SSL_EARLY_DATA_FINISHED_READING)) { s->early_data_state = SSL_EARLY_DATA_READ_RETRY; - return ret > 0 ? SSL_READ_EARLY_SUCCESS : SSL_READ_EARLY_ERROR; + return ret > 0 ? SSL_READ_EARLY_DATA_SUCCESS + : SSL_READ_EARLY_DATA_ERROR; } } else { s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; } *readbytes = 0; - ossl_statem_set_in_init(s, 1); - return SSL_READ_EARLY_FINISH; + return SSL_READ_EARLY_DATA_FINISH; default: - SSLerr(SSL_F_SSL_READ_EARLY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return SSL_READ_EARLY_ERROR; + SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return SSL_READ_EARLY_DATA_ERROR; } } -int ssl_end_of_early_data_seen(SSL *s) -{ - if (s->early_data_state == SSL_EARLY_DATA_READING) { - s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; - return 1; - } - - return 0; -} - -int SSL_get_early_data_status(SSL *s) +int SSL_get_early_data_status(const SSL *s) { return s->ext.early_data; } 
@@ -1741,9 +1850,14 @@ int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written) return -1; } - if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY - || s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY) + if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY + || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY + || s->early_data_state == SSL_EARLY_DATA_READ_RETRY) { + SSLerr(SSL_F_SSL_WRITE_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; + } + /* If we are a client and haven't sent the Finished we better do that */ + ossl_statem_check_finish_init(s, 1); if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { int ret; @@ -1794,24 +1908,18 @@ int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written) return ret; } -int SSL_write_early(SSL *s, const void *buf, size_t num, size_t *written) +int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written) { - int ret; - - if (s->server) { - SSLerr(SSL_F_SSL_WRITE_EARLY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } - - /* - * TODO(TLS1.3): Somehow we need to check that we're not sending too much - * data - */ + int ret, early_data_state; switch (s->early_data_state) { case SSL_EARLY_DATA_NONE: - if (!SSL_in_before(s)) { - SSLerr(SSL_F_SSL_WRITE_EARLY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + if (s->server + || !SSL_in_before(s) + || ((s->session == NULL || s->session->ext.max_early_data == 0) + && (s->psk_use_session_cb == NULL))) { + SSLerr(SSL_F_SSL_WRITE_EARLY_DATA, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } /* fall through */ 
@@ -1832,36 +1940,19 @@ int SSL_write_early(SSL *s, const void *buf, size_t num, size_t *written) s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; return ret; - default: - SSLerr(SSL_F_SSL_WRITE_EARLY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } -} - -int SSL_write_early_finish(SSL *s) -{ - int ret; - - if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY) { - SSLerr(SSL_F_SSL_WRITE_EARLY_FINISH, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } + case SSL_EARLY_DATA_FINISHED_READING: + case SSL_EARLY_DATA_READ_RETRY: + early_data_state = s->early_data_state; + /* We are a server writing to an unauthenticated client */ + s->early_data_state = SSL_EARLY_DATA_UNAUTH_WRITING; + ret = SSL_write_ex(s, buf, num, written); + s->early_data_state = early_data_state; + return ret; - s->early_data_state = SSL_EARLY_DATA_WRITING; - ret = ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_END_OF_EARLY_DATA); - if (ret <= 0) { - s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; + default: + SSLerr(SSL_F_SSL_WRITE_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; - /* - * We set the enc_write_ctx back to NULL because we may end up writing - * in cleartext again if we get a HelloRetryRequest from the server. - */ - EVP_CIPHER_CTX_free(s->enc_write_ctx); - s->enc_write_ctx = NULL; - ossl_statem_set_in_init(s, 1); - return 1; } int SSL_shutdown(SSL *s) @@ -1936,9 +2027,12 @@ int SSL_renegotiate(SSL *s) return 0; } - if (s->renegotiate == 0) - s->renegotiate = 1; + if ((s->options & SSL_OP_NO_RENEGOTIATION)) { + SSLerr(SSL_F_SSL_RENEGOTIATE, SSL_R_NO_RENEGOTIATION); + return 0; + } + s->renegotiate = 1; s->new_session = 1; return (s->method->ssl_renegotiate(s)); 
@@ -1946,12 +2040,17 @@ int SSL_renegotiate(SSL *s) int SSL_renegotiate_abbreviated(SSL *s) { - if (SSL_IS_TLS13(s)) + if (SSL_IS_TLS13(s)) { + SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_WRONG_SSL_VERSION); return 0; + } - if (s->renegotiate == 0) - s->renegotiate = 1; + if ((s->options & SSL_OP_NO_RENEGOTIATION)) { + SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_NO_RENEGOTIATION); + return 0; + } + s->renegotiate = 1; s->new_session = 0; return (s->method->ssl_renegotiate(s)); @@ -2040,11 +2139,17 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) else return 0; case SSL_CTRL_SET_MIN_PROTO_VERSION: - return ssl_set_version_bound(s->ctx->method->version, (int)larg, - &s->min_proto_version); + return ssl_check_allowed_versions(larg, s->max_proto_version) + && ssl_set_version_bound(s->ctx->method->version, (int)larg, + &s->min_proto_version); + case SSL_CTRL_GET_MIN_PROTO_VERSION: + return s->min_proto_version; case SSL_CTRL_SET_MAX_PROTO_VERSION: - return ssl_set_version_bound(s->ctx->method->version, (int)larg, - &s->max_proto_version); + return ssl_check_allowed_versions(s->min_proto_version, larg) + && ssl_set_version_bound(s->ctx->method->version, (int)larg, + &s->max_proto_version); + case SSL_CTRL_GET_MAX_PROTO_VERSION: + return s->max_proto_version; default: return (s->method->ssl_ctrl(s, cmd, larg, parg)); } 
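Review bot: In the SSL_CTRL_SET_MIN_PROTO_VERSION and SSL_CTRL_SET_MAX_PROTO_VERSION cases of SSL_ctrl, `larg` is a `long` handed to the `int` parameters of ssl_check_allowed_versions with no cast, whereas the ssl_set_version_bound call on the next line writes `(int)larg`. Both calls end up seeing the same narrowed value, so a `larg` outside the range of `int` is never rejected as such and can alias a valid version number. Write `ssl_check_allowed_versions((int)larg, s->max_proto_version)` for consistency, and consider rejecting an out-of-range `larg` once before both calls. The same pattern appears in the SSL_CTX_ctrl hunk that follows.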
@@ -2174,11 +2279,17 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_CLEAR_CERT_FLAGS: return (ctx->cert->cert_flags &= ~larg); case SSL_CTRL_SET_MIN_PROTO_VERSION: - return ssl_set_version_bound(ctx->method->version, (int)larg, - &ctx->min_proto_version); + return ssl_check_allowed_versions(larg, ctx->max_proto_version) + && ssl_set_version_bound(ctx->method->version, (int)larg, + &ctx->min_proto_version); + case SSL_CTRL_GET_MIN_PROTO_VERSION: + return ctx->min_proto_version; case SSL_CTRL_SET_MAX_PROTO_VERSION: - return ssl_set_version_bound(ctx->method->version, (int)larg, - &ctx->max_proto_version); + return ssl_check_allowed_versions(ctx->min_proto_version, larg) + && ssl_set_version_bound(ctx->method->version, (int)larg, + &ctx->max_proto_version); + case SSL_CTRL_GET_MAX_PROTO_VERSION: + return ctx->max_proto_version; default: return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg)); } @@ -2249,7 +2360,7 @@ STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s) ssl_set_client_disabled(s); for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); - if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED)) { + if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) { if (!sk) sk = sk_SSL_CIPHER_new_null(); if (!sk) @@ -2370,7 +2481,7 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) *p = '\0'; return buf; } - memcpy(p, c->name, n + 1); + strcpy(p, c->name); p += n; *(p++) = ':'; len -= n + 1; 
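Review bot: Replacing `memcpy(p, c->name, n + 1)` with `strcpy(p, c->name)` in SSL_get_shared_ciphers drops the explicit length from the copy into the caller-supplied buffer. The write is now bounded only by the length check above the hunk (not visible here) staying in step with `strlen(c->name)`. Since `n` is already computed and used for `p += n` and `len -= n + 1`, the sized copy is the safer form: `memcpy(p, c->name, n);` would suffice, given that the next statement overwrites the terminator with ':'. If the switch was made to silence a compiler diagnostic, a comment saying so would keep the next reader from reverting it.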
@@ -2568,8 +2679,8 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, } /* - * SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from - * |ssl|. On return it sets |*data| to point to |*len| bytes of protocol name + * SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|. + * On return it sets |*data| to point to |*len| bytes of protocol name * (not including the leading length-prefix byte). If the server didn't * respond with a negotiated protocol then |*len| will be zero. */ @@ -2587,15 +2698,15 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, const char *label, size_t llen, - const unsigned char *p, size_t plen, + const unsigned char *context, size_t contextlen, int use_context) { if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER) return -1; return s->method->ssl3_enc->export_keying_material(s, out, olen, label, - llen, p, plen, - use_context); + llen, context, + contextlen, use_context); } static unsigned long ssl_session_hash(const SSL_SESSION *a) @@ -2712,7 +2823,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) goto err2; } - if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL) + if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) goto err; if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data)) @@ -2771,6 +2882,12 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->ext.status_type = TLSEXT_STATUSTYPE_nothing; + /* + * Default max early data is a fully loaded single record. Could be split + * across multiple records in practice + */ + ret->max_early_data = SSL3_RT_MAX_PLAIN_LENGTH; + return ret; err: SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); 
@@ -2828,7 +2945,7 @@ void SSL_CTX_free(SSL_CTX *a) sk_SSL_CIPHER_free(a->cipher_list); sk_SSL_CIPHER_free(a->cipher_list_by_id); ssl_cert_free(a->cert); - sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free); + sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free); sk_X509_pop_free(a->extra_certs, X509_free); a->comp_methods = NULL; #ifndef OPENSSL_NO_SRTP @@ -2975,9 +3092,15 @@ void ssl_set_masks(SSL *s) if (dh_tmp) mask_k |= SSL_kDHE; - if (rsa_enc || rsa_sign) { + /* + * If we only have an RSA-PSS certificate allow RSA authentication + * if TLS 1.2 and peer supports it. + */ + + if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN) + && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN + && TLS1_get_version(s) == TLS1_2_VERSION)) mask_a |= SSL_aRSA; - } if (dsa_sign) { mask_a |= SSL_aDSS; @@ -2999,6 +3122,11 @@ void ssl_set_masks(SSL *s) if (ecdsa_ok) mask_a |= SSL_aECDSA; } + /* Allow Ed25519 for TLS 1.2 if peer supports it */ + if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519) + && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN + && TLS1_get_version(s) == TLS1_2_VERSION) + mask_a |= SSL_aECDSA; #endif #ifndef OPENSSL_NO_EC @@ -3063,10 +3191,11 @@ void ssl_update_cache(SSL *s, int mode) return; i = s->session_ctx->session_cache_mode; - if ((i & mode) && (!s->hit) - && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) + if ((i & mode) != 0 + && (!s->hit || SSL_IS_TLS13(s)) + && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) != 0 || SSL_CTX_add_session(s->session_ctx, s->session)) - && (s->session_ctx->new_session_cb != NULL)) { + && s->session_ctx->new_session_cb != NULL) { SSL_SESSION_up_ref(s->session); if (!s->session_ctx->new_session_cb(s, s->session)) SSL_SESSION_free(s->session); 
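Review bot: The new RSA-PSS and Ed25519 conditions in ssl_set_masks place `pvalid[...] & CERT_PKEY_EXPLICIT_SIGN` bare between `&&` operands. Operator precedence makes it evaluate as intended, but the ssl_update_cache hunk in this same patch moves to the explicit `(i & mode) != 0` form, and the two should agree. Suggest `(pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN) != 0` and likewise for SSL_PKEY_ED25519. The Ed25519 comment could also say why an Ed25519 certificate sets `SSL_aECDSA`, since that is not obvious from the mask name.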
@@ -3163,10 +3292,7 @@ int SSL_get_error(const SSL *s, int i) } if (SSL_want_write(s)) { - /* - * Access wbio directly - in order to use the buffered bio if - * present - */ + /* Access wbio directly - in order to use the buffered bio if present */ bio = s->wbio; if (BIO_should_write(bio)) return (SSL_ERROR_WANT_WRITE); @@ -3191,8 +3317,8 @@ int SSL_get_error(const SSL *s, int i) return SSL_ERROR_WANT_ASYNC; if (SSL_want_async_job(s)) return SSL_ERROR_WANT_ASYNC_JOB; - if (SSL_want_early(s)) - return SSL_ERROR_WANT_EARLY; + if (SSL_want_client_hello_cb(s)) + return SSL_ERROR_WANT_CLIENT_HELLO_CB; if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) @@ -3221,12 +3347,16 @@ int SSL_do_handshake(SSL *s) return -1; } - if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY - || s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY) - return -1; + ossl_statem_check_finish_init(s, -1); s->method->ssl_renegotiate_check(s, 0); + if (SSL_is_server(s)) { + /* clear SNI settings at server-side */ + OPENSSL_free(s->ext.hostname); + s->ext.hostname = NULL; + } + if (SSL_in_init(s) || SSL_in_before(s)) { if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { struct ssl_async_args args; @@ -3429,10 +3559,10 @@ SSL *SSL_dup(SSL *s) goto err; /* Dup the client_CA list */ - if (s->client_CA != NULL) { - if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL) + if (s->ca_names != NULL) { + if ((sk = sk_X509_NAME_dup(s->ca_names)) == NULL) goto err; - ret->client_CA = sk; + ret->ca_names = sk; for (i = 0; i < sk_X509_NAME_num(sk); i++) { xn = sk_X509_NAME_value(sk, i); if (sk_X509_NAME_set(sk, i, X509_NAME_dup(xn)) == NULL) { @@ -3505,6 +3635,11 @@ const SSL_CIPHER *SSL_get_current_cipher(const SSL *s) return (NULL); } +const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s) +{ + return s->s3->tmp.new_cipher; +} + const COMP_METHOD *SSL_get_current_compression(SSL *s) { #ifndef OPENSSL_NO_COMP 
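Review bot: The server-side `OPENSSL_free(s->ext.hostname)` added to SSL_do_handshake sits before the `SSL_in_init(s) || SSL_in_before(s)` test, so it runs on every call, including one made after the handshake has already completed. Any code that reads the SNI name from `s->ext.hostname` afterwards would then see NULL; whether such readers exist is not visible in this hunk. If the intent is to reset state for a new handshake, move the block inside the `if (SSL_in_init(s) || SSL_in_before(s))` branch or restrict it to `SSL_in_before(s)`. The function body continues outside the hunk.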
@@ -3544,16 +3679,19 @@ int ssl_init_wbio_buffer(SSL *s) return 1; } -void ssl_free_wbio_buffer(SSL *s) +int ssl_free_wbio_buffer(SSL *s) { /* callers ensure s is never null */ if (s->bbio == NULL) - return; + return 1; s->wbio = BIO_pop(s->wbio); - assert(s->wbio != NULL); + if (!ossl_assert(s->wbio != NULL)) + return 0; BIO_free(s->bbio); s->bbio = NULL; + + return 1; } void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) @@ -3612,6 +3750,12 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) if (new_cert == NULL) { return NULL; } + + if (!custom_exts_copy_flags(&new_cert->custext, &ssl->cert->custext)) { + ssl_cert_free(new_cert); + return NULL; + } + ssl_cert_free(ssl->cert); ssl->cert = new_cert; @@ -3619,7 +3763,8 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH), * so setter APIs must prevent invalid lengths from entering the system. */ - OPENSSL_assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx)); + if (!ossl_assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx))) + return NULL; /* * If the session ID context matches that of the parent SSL_CTX, @@ -3740,6 +3885,18 @@ size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, return outlen; } +int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in, + size_t len) +{ + if (len > sizeof(sess->master_key)) + return 0; + + memcpy(sess->master_key, in, len); + sess->master_key_length = len; + return 1; +} + + int SSL_set_ex_data(SSL *s, int idx, void *arg) { return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); 
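Review bot: The `ossl_assert` failure return added to SSL_set_SSL_CTX comes after `ssl_cert_free(ssl->cert); ssl->cert = new_cert;` in the preceding hunk, so a NULL return leaves the SSL holding `new_cert` while it is still attached to its old SSL_CTX. A caller that reads NULL as "nothing changed" would carry on with a mixed configuration. Move the `sid_ctx_length` check above the certificate swap, or free `new_cert` and return before `ssl->cert` is replaced. The rest of the function lies outside the visible hunks, so the exact placement needs checking against the full body.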
@@ -3875,6 +4032,28 @@ void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb) } #endif +void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb) +{ + s->psk_find_session_cb = cb; +} + +void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx, + SSL_psk_find_session_cb_func cb) +{ + ctx->psk_find_session_cb = cb; +} + +void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb) +{ + s->psk_use_session_cb = cb; +} + +void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx, + SSL_psk_use_session_cb_func cb) +{ + ctx->psk_use_session_cb = cb; +} + void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb) (int write_p, int version, int content_type, const void *buf, 
@@ -3908,10 +4087,68 @@ void SSL_set_not_resumable_session_callback(SSL *ssl, (void (*)(void))cb); } +void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx, + size_t (*cb) (SSL *ssl, int type, + size_t len, void *arg)) +{ + ctx->record_padding_cb = cb; +} + +void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg) +{ + ctx->record_padding_arg = arg; +} + +void *SSL_CTX_get_record_padding_callback_arg(SSL_CTX *ctx) +{ + return ctx->record_padding_arg; +} + +int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size) +{ + /* block size of 0 or 1 is basically no padding */ + if (block_size == 1) + ctx->block_padding = 0; + else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH) + ctx->block_padding = block_size; + else + return 0; + return 1; +} + +void SSL_set_record_padding_callback(SSL *ssl, + size_t (*cb) (SSL *ssl, int type, + size_t len, void *arg)) +{ + ssl->record_padding_cb = cb; +} + +void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg) +{ + ssl->record_padding_arg = arg; +} + +void *SSL_get_record_padding_callback_arg(SSL *ssl) +{ + return ssl->record_padding_arg; +} + +int SSL_set_block_padding(SSL *ssl, size_t block_size) +{ + /* block size of 0 or 1 is basically no padding */ + if (block_size == 1) + ssl->block_padding = 0; + else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH) + ssl->block_padding = block_size; + else + return 0; + return 1; +} + /* * Allocates new EVP_MD_CTX and sets pointer to it into given pointer * variable, freeing EVP_MD_CTX previously stored in that variable, if any. - * If EVP_MD pointer is passed, initializes ctx with this md. + * If EVP_MD pointer is passed, initializes ctx with this |md|. * Returns the newly allocated ctx; */ @@ -3967,7 +4204,7 @@ int SSL_session_reused(SSL *s) return s->hit; } -int SSL_is_server(SSL *s) +int SSL_is_server(const SSL *s) { return s->server; } 
@@ -4380,7 +4617,8 @@ int ssl_validate_ct(SSL *s) CT_POLICY_EVAL_CTX_set1_cert(ctx, cert); CT_POLICY_EVAL_CTX_set1_issuer(ctx, issuer); CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx, s->ctx->ctlog_store); - CT_POLICY_EVAL_CTX_set_time(ctx, SSL_SESSION_get_time(SSL_get0_session(s))); + CT_POLICY_EVAL_CTX_set_time( + ctx, (uint64_t)SSL_SESSION_get_time(SSL_get0_session(s)) * 1000); scts = SSL_get0_peer_scts(s); @@ -4478,27 +4716,28 @@ const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx) #endif /* OPENSSL_NO_CT */ -void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn cb, void *arg) +void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb, + void *arg) { - c->early_cb = cb; - c->early_cb_arg = arg; + c->client_hello_cb = cb; + c->client_hello_cb_arg = arg; } -int SSL_early_isv2(SSL *s) +int SSL_client_hello_isv2(SSL *s) { if (s->clienthello == NULL) return 0; return s->clienthello->isv2; } -unsigned int SSL_early_get0_legacy_version(SSL *s) +unsigned int SSL_client_hello_get0_legacy_version(SSL *s) { if (s->clienthello == NULL) return 0; return s->clienthello->legacy_version; } -size_t SSL_early_get0_random(SSL *s, const unsigned char **out) +size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out) { if (s->clienthello == NULL) return 0; @@ -4507,7 +4746,7 @@ size_t SSL_early_get0_random(SSL *s, const unsigned char **out) return SSL3_RANDOM_SIZE; } -size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out) +size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out) { if (s->clienthello == NULL) return 0; @@ -4516,7 +4755,7 @@ size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out) return s->clienthello->session_id_len; } -size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out) +size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out) { if (s->clienthello == NULL) return 0; 
@@ -4525,7 +4764,7 @@ size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out) return PACKET_remaining(&s->clienthello->ciphersuites); } -size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out) +size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out) { if (s->clienthello == NULL) return 0; @@ -4534,7 +4773,39 @@ size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out) return s->clienthello->compressions_len; } -int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out, +int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen) +{ + RAW_EXTENSION *ext; + int *present; + size_t num = 0, i; + + if (s->clienthello == NULL || out == NULL || outlen == NULL) + return 0; + for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) { + ext = s->clienthello->pre_proc_exts + i; + if (ext->present) + num++; + } + present = OPENSSL_malloc(sizeof(*present) * num); + if (present == NULL) + return 0; + for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) { + ext = s->clienthello->pre_proc_exts + i; + if (ext->present) { + if (ext->received_order >= num) + goto err; + present[ext->received_order] = ext->type; + } + } + *out = present; + *outlen = num; + return 1; + err: + OPENSSL_free(present); + return 0; +} + +int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out, size_t *outlen) { size_t i; @@ -4555,6 +4826,22 @@ int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out, return 0; } +int SSL_free_buffers(SSL *ssl) +{ + RECORD_LAYER *rl = &ssl->rlayer; + + if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) + return 0; + + RECORD_LAYER_release(rl); + return 1; +} + +int SSL_alloc_buffers(SSL *ssl) +{ + return ssl3_setup_buffers(ssl); +} + void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb) { ctx->keylog_callback = cb; 
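Review bot: SSL_client_hello_get1_extensions_present calls `OPENSSL_malloc(sizeof(*present) * num)` even when no extension is marked present and `num` is 0. OpenSSL's allocator returns NULL for a zero-byte request, which the next line treats as an allocation failure, so a ClientHello without extensions is reported as an error rather than as an empty list. Handle the empty case before allocating with `if (num == 0) { *out = NULL; *outlen = 0; return 1; }`. Separately, if two entries ever shared a `received_order` value, one slot of `present` would be returned uninitialised; allocating with `OPENSSL_zalloc` would make that harmless.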
@@ -4704,7 +4991,7 @@ int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format, TLS_CIPHER_LEN)) || (leadbyte != 0 && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) { - *al = SSL_AD_INTERNAL_ERROR; + *al = SSL_AD_DECODE_ERROR; OPENSSL_free(s->s3->tmp.ciphers_raw); s->s3->tmp.ciphers_raw = NULL; s->s3->tmp.ciphers_rawlen = 0; @@ -4791,8 +5078,8 @@ int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, } } if (PACKET_remaining(cipher_suites) > 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR); + *al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_BAD_LENGTH); goto err; } @@ -4818,7 +5105,7 @@ int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data) return 1; } -uint32_t SSL_CTX_get_max_early_data(SSL_CTX *ctx) +uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx) { return ctx->max_early_data; } @@ -4830,7 +5117,14 @@ int SSL_set_max_early_data(SSL *s, uint32_t max_early_data) return 1; } -uint32_t SSL_get_max_early_data(SSL_CTX *s) +uint32_t SSL_get_max_early_data(const SSL *s) { return s->max_early_data; } + +int ssl_randbytes(SSL *s, unsigned char *rnd, size_t size) +{ + if (s->drbg != NULL) + return RAND_DRBG_generate(s->drbg, rnd, size, 0, NULL, 0); + return RAND_bytes(rnd, (int)size); +}
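Review bot: ssl_randbytes narrows `size` with `(int)size` on the RAND_bytes path, so a request above INT_MAX becomes a negative or truncated length while the caller believes the whole buffer was filled with random data. The two branches also differ in their failure values, since RAND_bytes can return -1 as well as 0, which matters if any caller tests the result with `!ssl_randbytes(...)`. Reject oversized requests first with `if (size > INT_MAX) return 0;`, and add a comment stating that callers must treat any value other than 1 as failure.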