X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_locl.h;h=23e6a6747089c9c73a90a4a1934ae2df70181044;hp=a59683bdff9272ca267b7624f9b9a1e7e9874f99;hb=4020c0b33b25f829ca68976970d44227d115eb9e;hpb=534a43ffeaec03e50768ccf84d431f96f11256e3 diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index a59683bdff..23e6a67470 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -229,6 +229,9 @@ # define SSL_PSK (SSL_kPSK | SSL_kRSAPSK | SSL_kECDHEPSK | SSL_kDHEPSK) +/* Any appropriate key exchange algorithm (for TLS 1.3 ciphersuites) */ +# define SSL_kANY 0x00000000U + /* Bits for algorithm_auth (server authentication) */ /* RSA auth */ # define SSL_aRSA 0x00000001U @@ -246,6 +249,8 @@ # define SSL_aSRP 0x00000040U /* GOST R 34.10-2012 signature auth */ # define SSL_aGOST12 0x00000080U +/* Any appropriate signature auth (for TLS 1.3 ciphersuites) */ +# define SSL_aANY 0x00000000U /* Bits for algorithm_enc (symmetric encryption) */ # define SSL_DES 0x00000001U @@ -348,6 +353,9 @@ /* we have used 0000003f - 26 bits left to go */ +/* Flag used on OpenSSL ciphersuite ids to indicate they are for SSLv3+ */ +# define SSL3_CK_CIPHERSUITE_FLAG 0x03000000 + /* Check if an SSL structure is using DTLS */ # define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) @@ -390,20 +398,25 @@ # define SSL_USE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) /* Mostly for SSLv3 */ -# define SSL_PKEY_RSA_ENC 0 -# define SSL_PKEY_RSA_SIGN 1 -# define SSL_PKEY_DSA_SIGN 2 -# define SSL_PKEY_ECC 3 -# define SSL_PKEY_GOST01 4 -# define SSL_PKEY_GOST12_256 5 -# define SSL_PKEY_GOST12_512 6 -# define SSL_PKEY_NUM 7 +# define SSL_PKEY_RSA 0 +# define SSL_PKEY_DSA_SIGN 1 +# define SSL_PKEY_ECC 2 +# define SSL_PKEY_GOST01 3 +# define SSL_PKEY_GOST12_256 4 +# define SSL_PKEY_GOST12_512 5 +# define SSL_PKEY_NUM 6 /* * Pseudo-constant. GOST cipher suites can use different certs for 1 * SSL_CIPHER. So let's see which one we have in fact. */ # define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1 +/* + * TODO(TLS1.3) for now use SSL_PKEY_RSA keys for PSS + */ + +#define SSL_PKEY_RSA_PSS_SIGN SSL_PKEY_RSA + /*- * SSL_kRSA <- RSA_ENC * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN) @@ -515,7 +528,7 @@ struct ssl_session_st { * For <=TLS1.2 this is the master_key. For TLS1.3 this is the resumption * master secret */ - unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; + unsigned char master_key[TLS13_MAX_RESUMPTION_MASTER_LENGTH]; /* session_id - valid? */ size_t session_id_length; unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; @@ -992,6 +1005,9 @@ struct ssl_st { unsigned char cert_verify_hash[EVP_MAX_MD_SIZE]; size_t cert_verify_hash_len; + /* Flag to indicate whether we should send a HelloRetryRequest or not */ + int hello_retry_request; + /* * the session_id_context is used to ensure sessions are only reused in * the appropriate context @@ -1141,10 +1157,7 @@ struct ssl_st { /* Have we attempted to find/parse SCTs yet? */ int scts_parsed; # endif - SSL_CTX *initial_ctx; /* initial ctx, used to store sessions */ -# ifndef OPENSSL_NO_NEXTPROTONEG -# endif -# define session_ctx initial_ctx + SSL_CTX *session_ctx; /* initial ctx, used to store sessions */ /* What we'll do */ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What's been chosen */ @@ -1177,6 +1190,29 @@ struct ssl_st { CRYPTO_RWLOCK *lock; }; +/* + * Structure containing table entry of values associated with the signature + * algorithms (signature scheme) extension +*/ +typedef struct sigalg_lookup_st { + /* TLS 1.3 signature scheme name */ + const char *name; + /* Raw value used in extension */ + uint16_t sigalg; + /* NID of hash algorithm */ + int hash; + /* Index of hash algorithm */ + int hash_idx; + /* NID of signature algorithm */ + int sig; + /* Index of signature algorithm */ + int sig_idx; + /* Combined hash and signature NID, if any */ + int sigandhash; + /* Required public key curve (ECDSA only) */ + int curve; +} SIGALG_LOOKUP; + typedef struct ssl3_state_st { long flags; size_t read_mac_secret_size; @@ -1258,16 +1294,20 @@ typedef struct ssl3_state_st { unsigned char *psk; size_t psklen; # endif + /* Signature algorithm we actually use */ + const SIGALG_LOOKUP *sigalg; + /* Index of certificate we use */ + int cert_idx; /* * signature algorithms peer reports: e.g. supported signature * algorithms extension for server or as part of a certificate * request for client. */ - unsigned int *peer_sigalgs; + uint16_t *peer_sigalgs; /* Size of above array */ size_t peer_sigalgslen; - /* Digest peer uses for signing */ - const EVP_MD *peer_md; + /* Sigalg peer actualy uses */ + const SIGALG_LOOKUP *peer_sigalg; /* Array of digests used for signing */ const EVP_MD *md[SSL_PKEY_NUM]; /* @@ -1532,7 +1572,7 @@ typedef struct cert_st { * the client hello as the supported signature algorithms extension. For * servers it represents the signature algorithms we are willing to use. */ - unsigned int *conf_sigalgs; + uint16_t *conf_sigalgs; /* Size of above array */ size_t conf_sigalgslen; /* @@ -1542,14 +1582,14 @@ typedef struct cert_st { * represents the signature algorithms we are willing to use for client * authentication. */ - unsigned int *client_sigalgs; + uint16_t *client_sigalgs; /* Size of above array */ size_t client_sigalgslen; /* * Signature algorithms shared by client and server: cached because these * are used most often. */ - TLS_SIGALGS *shared_sigalgs; + const SIGALG_LOOKUP **shared_sigalgs; size_t shared_sigalgslen; /* * Certificate setup callback: if set is called whenever a certificate @@ -1583,18 +1623,6 @@ typedef struct cert_st { CRYPTO_RWLOCK *lock; } CERT; -/* Structure containing decoded values of signature algorithms extension */ -struct tls_sigalgs_st { - /* NID of hash algorithm */ - int hash_nid; - /* NID of signature algorithm */ - int sign_nid; - /* Combined hash and signature NID */ - int signandhash_nid; - /* Raw value used in extension */ - unsigned int rsigalg; -}; - # define FP_ICC (int (*)(const void *,const void *)) /* @@ -1738,10 +1766,8 @@ typedef enum tlsext_index_en { /* An invalid index into the TLSv1.3 PSK identities */ #define TLSEXT_PSK_BAD_IDENTITY -1 -#define SIGID_IS_PSS(sigid) ((sigid) == TLSEXT_SIGALG_rsa_pss_sha256 \ - || (sigid) == TLSEXT_SIGALG_rsa_pss_sha384 \ - || (sigid) == TLSEXT_SIGALG_rsa_pss_sha512) - +#define SSL_USE_PSS(s) (s->s3->tmp.peer_sigalg != NULL && \ + s->s3->tmp.peer_sigalg->sig == EVP_PKEY_RSA_PSS) /* A dummy signature value not valid for TLSv1.2 signature algs */ #define TLSEXT_signature_rsa_pss 0x0101 @@ -1924,6 +1950,15 @@ struct openssl_ssl_test_functions { const char *ssl_protocol_to_string(int version); +/* Returns true if certificate and private key for 'idx' are present */ +static ossl_inline int ssl_has_cert(const SSL *s, int idx) +{ + if (idx < 0 || idx >= SSL_PKEY_NUM) + return 0; + return s->cert->pkeys[idx].x509 != NULL + && s->cert->pkeys[idx].privatekey != NULL; +} + # ifndef OPENSSL_UNIT_TEST void ssl_clear_cipher_ctx(SSL *s); @@ -1933,7 +1968,7 @@ __owur CERT *ssl_cert_dup(CERT *cert); void ssl_cert_clear_certs(CERT *c); void ssl_cert_free(CERT *c); __owur int ssl_get_new_session(SSL *s, int session); -__owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello); +__owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al); __owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket); __owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b); DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); @@ -2168,6 +2203,9 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); # define TLS_CURVE_PRIME 0x0 # define TLS_CURVE_CHAR2 0x1 # define TLS_CURVE_CUSTOM 0x2 + +#define bytestogroup(bytes) ((unsigned int)(bytes[0] << 8 | bytes[1])) + __owur int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags); __owur int tls1_ec_nid2curve_id(int nid); __owur int tls1_check_curve(SSL *s, const unsigned char *p, size_t len); @@ -2191,24 +2229,36 @@ __owur int tls1_get_curvelist(SSL *s, int sess, const unsigned char **pcurves, void ssl_set_default_md(SSL *s); __owur int tls1_set_server_sigalgs(SSL *s); -__owur int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello, - SSL_SESSION **ret); - -/* Return codes for tls_decrypt_ticket */ -#define TICKET_FATAL_ERR_MALLOC -2 -#define TICKET_FATAL_ERR_OTHER -1 -#define TICKET_NO_DECRYPT 2 -#define TICKET_SUCCESS 3 -#define TICKET_SUCCESS_RENEW 4 -__owur int tls_decrypt_ticket(SSL *s, const unsigned char *etick, - size_t eticklen, const unsigned char *sess_id, - size_t sesslen, SSL_SESSION **psess); + +/* Return codes for tls_get_ticket_from_client() and tls_decrypt_ticket() */ +typedef enum ticket_en { + /* fatal error, malloc failure */ + TICKET_FATAL_ERR_MALLOC, + /* fatal error, either from parsing or decrypting the ticket */ + TICKET_FATAL_ERR_OTHER, + /* No ticket present */ + TICKET_NONE, + /* Empty ticket present */ + TICKET_EMPTY, + /* the ticket couldn't be decrypted */ + TICKET_NO_DECRYPT, + /* a ticket was successfully decrypted */ + TICKET_SUCCESS, + /* same as above but the ticket needs to be reneewed */ + TICKET_SUCCESS_RENEW +} TICKET_RETURN; + +__owur TICKET_RETURN tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello, + SSL_SESSION **ret); +__owur TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick, + size_t eticklen, + const unsigned char *sess_id, + size_t sesslen, SSL_SESSION **psess); __owur int tls_use_ticket(SSL *s); __owur int tls12_get_sigandhash(SSL *s, WPACKET *pkt, const EVP_PKEY *pk, const EVP_MD *md, int *ispss); -__owur const EVP_MD *tls12_get_hash(int hash_nid); void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op); __owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client); @@ -2230,16 +2280,17 @@ __owur int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee); __owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex, int vfy); +int tls_choose_sigalg(SSL *s); + __owur EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md); void ssl_clear_hash_ctx(EVP_MD_CTX **hash); __owur long ssl_get_algorithm2(SSL *s); __owur int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, - const unsigned int *psig, size_t psiglen); + const uint16_t *psig, size_t psiglen); __owur int tls1_save_sigalgs(SSL *s, PACKET *pkt); __owur int tls1_process_sigalgs(SSL *s); -__owur size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned int **psigs); -__owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, unsigned int sig, - EVP_PKEY *pkey); +__owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs); +__owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey); void ssl_set_client_disabled(SSL *s); __owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op); @@ -2261,13 +2312,19 @@ __owur int ssl_log_rsa_client_key_exchange(SSL *ssl, const uint8_t *premaster, size_t premaster_len); -/* ssl_log_master_secret logs |master| to the SSL_CTX associated with |ssl|, if - * logging is enabled. It returns one on success and zero on failure. The entry - * is identified by |client_random|. +/* + * ssl_log_secret logs |secret| to the SSL_CTX associated with |ssl|, if + * logging is available. It returns one on success and zero on failure. It tags + * the entry with |label|. */ -__owur int ssl_log_master_secret(SSL *ssl, const uint8_t *client_random, - size_t client_random_len, - const uint8_t *master, size_t master_len); +__owur int ssl_log_secret(SSL *ssl, const char *label, + const uint8_t *secret, size_t secret_len); + +#define MASTER_SECRET_LABEL "CLIENT_RANDOM" +#define CLIENT_HANDSHAKE_LABEL "CLIENT_HANDSHAKE_TRAFFIC_SECRET" +#define SERVER_HANDSHAKE_LABEL "SERVER_HANDSHAKE_TRAFFIC_SECRET" +#define CLIENT_APPLICATION_LABEL "CLIENT_TRAFFIC_SECRET_0" +#define SERVER_APPLICATION_LABEL "SERVER_TRAFFIC_SECRET_0" /* s3_cbc.c */ __owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);