X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_clnt.c;h=5f6c6b0382e6d1627ee3bc2bfd4dfe28237afb78;hp=671bc5c8a1e2b127604a837aec0accd0241df5ad;hb=5d61491c8816ebad172340aafce713e9654dea94;hpb=aa8f3d76fcf1502586435631be16faa1bef3cdf7 diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 671bc5c8a1..5f6c6b0382 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1,6 +1,7 @@ /* * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,33 +9,6 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include #include #include "../ssl_locl.h" @@ -1597,6 +1571,13 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) s->hello_retry_request = 1; + /* + * If we were sending early_data then the enc_write_ctx is now invalid and + * should not be used. + */ + EVP_CIPHER_CTX_free(s->enc_write_ctx); + s->enc_write_ctx = NULL; + /* This will fail if it doesn't choose TLSv1.3+ */ errorcode = ssl_choose_client_version(s, sversion, 0, &al); if (errorcode != 0) { @@ -1677,14 +1658,15 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) { - int al, i, ret = MSG_PROCESS_ERROR, exp_idx; + int al, i, ret = MSG_PROCESS_ERROR; unsigned long cert_list_len, cert_len; X509 *x = NULL; const unsigned char *certstart, *certbytes; STACK_OF(X509) *sk = NULL; EVP_PKEY *pkey = NULL; - size_t chainidx; + size_t chainidx, certidx; unsigned int context = 0; + const SSL_CERT_LOOKUP *clu; if ((sk = sk_X509_new_null()) == NULL) { SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); @@ -1800,8 +1782,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) goto f_err; } - i = ssl_cert_type(x, pkey); - if (i < 0) { + if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) { x = NULL; al = SSL3_AL_FATAL; SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, @@ -1814,11 +1795,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) * type. */ if (!SSL_IS_TLS13(s)) { - exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher); - if (exp_idx >= 0 && i != exp_idx - && (exp_idx != SSL_PKEY_GOST_EC || - (i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256 - && i != SSL_PKEY_GOST01))) { + if ((clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0) { x = NULL; al = SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, @@ -1826,7 +1803,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) goto f_err; } } - s->session->peer_type = i; + s->session->peer_type = certidx; X509_free(s->session->peer); X509_up_ref(x); @@ -2196,6 +2173,9 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) PACKET params; int maxsig; const EVP_MD *md = NULL; + unsigned char *tbs; + size_t tbslen; + int rv; /* * |pkt| now points to the beginning of the signature, so the difference @@ -2211,7 +2191,6 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) if (SSL_USE_SIGALGS(s)) { unsigned int sigalg; - int rv; if (!PACKET_get_net_2(pkt, &sigalg)) { al = SSL_AD_DECODE_ERROR; @@ -2234,7 +2213,10 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) goto err; } - md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx); + if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) { + al = SSL_AD_INTERNAL_ERROR; + goto err; + } if (!PACKET_get_length_prefixed_2(pkt, &signature) || PACKET_remaining(pkt) != 0) { @@ -2281,19 +2263,18 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) goto err; } } - if (EVP_DigestVerifyUpdate(md_ctx, &(s->s3->client_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_DigestVerifyUpdate(md_ctx, &(s->s3->server_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_DigestVerifyUpdate(md_ctx, PACKET_data(¶ms), - PACKET_remaining(¶ms)) <= 0) { + tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(¶ms), + PACKET_remaining(¶ms)); + if (tbslen == 0) { al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB); + SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); goto err; } - if (EVP_DigestVerifyFinal(md_ctx, PACKET_data(&signature), - PACKET_remaining(&signature)) <= 0) { - /* bad signature */ + + rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature), + PACKET_remaining(&signature), tbs, tbslen); + OPENSSL_free(tbs); + if (rv <= 0) { al = SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE); goto err; @@ -2442,9 +2423,14 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) unsigned long ticket_lifetime_hint, age_add = 0; unsigned int sess_len; RAW_EXTENSION *exts = NULL; + PACKET nonce; if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint) - || (SSL_IS_TLS13(s) && !PACKET_get_net_4(pkt, &age_add)) + || (SSL_IS_TLS13(s) + && (!PACKET_get_net_4(pkt, &age_add) + || !PACKET_get_length_prefixed_1(pkt, &nonce) + || !PACKET_memdup(&nonce, &s->session->ext.tick_nonce, + &s->session->ext.tick_nonce_len))) || !PACKET_get_net_2(pkt, &ticklen) || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) != ticklen) || (SSL_IS_TLS13(s) @@ -2476,6 +2462,12 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) * We reused an existing session, so we need to replace it with a new * one */ + if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); + goto f_err; + } + if (i & SSL_SESS_CACHE_CLIENT) { /* * Remove the old session from the cache. We carry on if this fails @@ -2483,12 +2475,6 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) SSL_CTX_remove_session(s->session_ctx, s->session); } - if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); - goto f_err; - } - SSL_SESSION_free(s->session); s->session = new_sess; } @@ -3341,7 +3327,12 @@ int tls_construct_client_certificate(SSL *s, WPACKET *pkt) SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, SSL_R_CANNOT_CHANGE_CIPHER); - goto err; + /* + * This is a fatal error, which leaves + * enc_write_ctx in an inconsistent state + * and thus ssl3_send_alert may crash. + */ + return 0; } return 1; @@ -3350,62 +3341,39 @@ int tls_construct_client_certificate(SSL *s, WPACKET *pkt) return 0; } -#define has_bits(i,m) (((i)&(m)) == (m)) - int ssl3_check_cert_and_algorithm(SSL *s) { - int i; -#ifndef OPENSSL_NO_EC - int idx; -#endif + const SSL_CERT_LOOKUP *clu; + size_t idx; long alg_k, alg_a; - EVP_PKEY *pkey = NULL; int al = SSL_AD_HANDSHAKE_FAILURE; alg_k = s->s3->tmp.new_cipher->algorithm_mkey; alg_a = s->s3->tmp.new_cipher->algorithm_auth; /* we don't have a certificate */ - if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK)) - return (1); + if (!(alg_a & SSL_aCERT)) + return 1; /* This is the passed certificate */ + clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx); -#ifndef OPENSSL_NO_EC - idx = s->session->peer_type; - if (idx == SSL_PKEY_ECC) { - if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s) == 0) { - /* check failed */ - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT); - goto f_err; - } else { - return 1; - } - } else if (alg_a & SSL_aECDSA) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_ECDSA_SIGNING_CERT); + /* Check certificate is recognised and suitable for cipher */ + if (clu == NULL || (alg_a & clu->amask) == 0) { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_SIGNING_CERT); goto f_err; } -#endif - pkey = X509_get0_pubkey(s->session->peer); - i = X509_certificate_type(s->session->peer, pkey); - /* Check that we have a certificate if we require one */ - if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_SIGN)) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_RSA_SIGNING_CERT); - goto f_err; - } -#ifndef OPENSSL_NO_DSA - else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA | EVP_PKT_SIGN)) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_DSA_SIGNING_CERT); +#ifndef OPENSSL_NO_EC + if (clu->amask & SSL_aECDSA) { + if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) + return 1; + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT); goto f_err; } #endif #ifndef OPENSSL_NO_RSA - if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && - !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) { + if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_ENCRYPTING_CERT); goto f_err; @@ -3419,10 +3387,10 @@ int ssl3_check_cert_and_algorithm(SSL *s) } #endif - return (1); + return 1; f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); - return (0); + return 0; } #ifndef OPENSSL_NO_NEXTPROTONEG @@ -3600,7 +3568,7 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) if (totlen != 0) { if (empty_reneg_info_scsv) { static SSL_CIPHER scsv = { - 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 + 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR); @@ -3609,7 +3577,7 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) } if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { static SSL_CIPHER scsv = { - 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 + 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);