X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_clnt.c;h=a3133adcef8ba323bff808b9d3bd9e757779f476;hp=ba873ee0a67602bdbaf1588c7540f48443787b3f;hb=d805a57be266ba68ae40f7177aeea69cba2dfe47;hpb=7acb8b64c32617788959aee2733ac14fd7b97e5f diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index ba873ee0a6..a3133adcef 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -59,6 +59,8 @@ #include #include +static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt); + static ossl_inline int cert_req_allowed(SSL *s); static int key_exchange_expected(SSL *s); static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b); @@ -135,6 +137,13 @@ static int ossl_statem_client13_read_transition(SSL *s, int mt) break; case TLS_ST_CR_SRVR_HELLO: + if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) { + st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS; + return 1; + } + break; + + case TLS_ST_CR_ENCRYPTED_EXTENSIONS: if (s->hit) { if (mt == SSL3_MT_FINISHED) { st->hand_state = TLS_ST_CR_FINISHED; @@ -160,17 +169,6 @@ static int ossl_statem_client13_read_transition(SSL *s, int mt) break; case TLS_ST_CR_CERT: - /* - * The CertificateStatus message is optional even if - * |tlsext_status_expected| is set - */ - if (s->tlsext_status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) { - st->hand_state = TLS_ST_CR_CERT_STATUS; - return 1; - } - /* Fall through */ - - case TLS_ST_CR_CERT_STATUS: if (mt == SSL3_MT_FINISHED) { st->hand_state = TLS_ST_CR_FINISHED; return 1; @@ -759,6 +757,9 @@ size_t ossl_statem_client_max_message_size(SSL *s) case TLS_ST_CR_FINISHED: return FINISHED_MAX_LENGTH; + + case TLS_ST_CR_ENCRYPTED_EXTENSIONS: + return ENCRYPTED_EXTENSIONS_MAX_LENGTH; } } @@ -803,6 +804,9 @@ MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt) case TLS_ST_CR_FINISHED: return tls_process_finished(s, pkt); + + case TLS_ST_CR_ENCRYPTED_EXTENSIONS: + return tls_process_encrypted_extensions(s, pkt); } } @@ -996,18 +1000,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) } /* TLS extensions */ - if (ssl_prepare_clienthello_tlsext(s) <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); - return 0; - } - if (!WPACKET_start_sub_packet_u16(pkt) - /* - * If extensions are of zero length then we don't even add the - * extensions length bytes - */ - || !WPACKET_set_flags(pkt, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH) - || !ssl_add_clienthello_tlsext(s, pkt, &al) - || !WPACKET_close(pkt)) { + if (!tls_construct_extensions(s, pkt, EXT_CLIENT_HELLO, NULL, 0, &al)) { ssl3_send_alert(s, SSL3_AL_FATAL, al); SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); return 0; @@ -1054,13 +1047,15 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) { STACK_OF(SSL_CIPHER) *sk; const SSL_CIPHER *c; - PACKET session_id; + PACKET session_id, extpkt; size_t session_id_len; const unsigned char *cipherchars; int i, al = SSL_AD_INTERNAL_ERROR; unsigned int compression; unsigned int sversion; + unsigned int context; int protverr; + RAW_EXTENSION *extensions = NULL; #ifndef OPENSSL_NO_COMP SSL_COMP *comp; #endif @@ -1089,17 +1084,23 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) s->hit = 0; /* Get the session-id. */ - if (!PACKET_get_length_prefixed_1(pkt, &session_id)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; - } - session_id_len = PACKET_remaining(&session_id); - if (session_id_len > sizeof s->session->session_id - || session_id_len > SSL3_SESSION_ID_SIZE) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG); - goto f_err; + if (!SSL_IS_TLS13(s)) { + if (!PACKET_get_length_prefixed_1(pkt, &session_id)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + session_id_len = PACKET_remaining(&session_id); + if (session_id_len > sizeof s->session->session_id + || session_id_len > SSL3_SESSION_ID_SIZE) { + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_SSL3_SESSION_ID_TOO_LONG); + goto f_err; + } + } else { + PACKET_null_init(&session_id); + session_id_len = 0; } if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { @@ -1120,8 +1121,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) * we can resume, and later peek at the next handshake message to see if the * server wants to resume. */ - if (s->version >= TLS1_VERSION && s->tls_session_secret_cb && - s->session->tlsext_tick) { + if (s->version >= TLS1_VERSION && !SSL_IS_TLS13(s) + && s->tls_session_secret_cb != NULL && s->session->tlsext_tick) { const SSL_CIPHER *pref_cipher = NULL; /* * s->session->master_key_length is a size_t, but this is an int for @@ -1174,8 +1175,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) s->session->ssl_version = s->version; s->session->session_id_length = session_id_len; /* session_id_len could be 0 */ - memcpy(s->session->session_id, PACKET_data(&session_id), - session_id_len); + if (session_id_len > 0) + memcpy(s->session->session_id, PACKET_data(&session_id), + session_id_len); } /* Session version and negotiated protocol version should match */ @@ -1235,11 +1237,16 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) s->s3->tmp.new_cipher = c; /* lets get the compression algorithm */ /* COMPRESSION */ - if (!PACKET_get_1(pkt, &compression)) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; + if (!SSL_IS_TLS13(s)) { + if (!PACKET_get_1(pkt, &compression)) { + SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); + al = SSL_AD_DECODE_ERROR; + goto f_err; + } + } else { + compression = 0; } + #ifdef OPENSSL_NO_COMP if (compression != 0) { al = SSL_AD_ILLEGAL_PARAMETER; @@ -1283,17 +1290,20 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) #endif /* TLS extensions */ - if (!ssl_parse_serverhello_tlsext(s, pkt)) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_PARSE_TLSEXT); - goto err; - } - - if (PACKET_remaining(pkt) != 0) { - /* wrong packet length */ + if (PACKET_remaining(pkt) == 0) { + PACKET_null_init(&extpkt); + } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)) { al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH); + SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_LENGTH); goto f_err; } + + context = SSL_IS_TLS13(s) ? EXT_TLS1_3_SERVER_HELLO + : EXT_TLS1_2_SERVER_HELLO; + if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al) + || !tls_parse_all_extensions(s, context, extensions, NULL, 0, &al)) + goto f_err; + #ifndef OPENSSL_NO_SCTP if (SSL_IS_DTLS(s) && s->hit) { unsigned char sctpauthkey[64]; @@ -1310,7 +1320,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) sizeof(sctpauthkey), labelbuffer, sizeof(labelbuffer), NULL, 0, 0) <= 0) - goto err; + goto f_err; BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, @@ -1333,11 +1343,12 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) goto f_err; } + OPENSSL_free(extensions); return MSG_PROCESS_CONTINUE_READING; f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); - err: ossl_statem_set_error(s); + OPENSSL_free(extensions); return MSG_PROCESS_ERROR; } @@ -1349,19 +1360,23 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) const unsigned char *certstart, *certbytes; STACK_OF(X509) *sk = NULL; EVP_PKEY *pkey = NULL; + size_t chainidx; + unsigned int context = 0; if ((sk = sk_X509_new_null()) == NULL) { SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); goto err; } - if (!PACKET_get_net_3(pkt, &cert_list_len) - || PACKET_remaining(pkt) != cert_list_len) { + if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) + || context != 0 + || !PACKET_get_net_3(pkt, &cert_list_len) + || PACKET_remaining(pkt) != cert_list_len) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH); goto f_err; } - while (PACKET_remaining(pkt)) { + for (chainidx = 0; PACKET_remaining(pkt); chainidx++) { if (!PACKET_get_net_3(pkt, &cert_len) || !PACKET_get_bytes(pkt, &certbytes, cert_len)) { al = SSL_AD_DECODE_ERROR; @@ -1383,6 +1398,23 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) SSL_R_CERT_LENGTH_MISMATCH); goto f_err; } + + if (SSL_IS_TLS13(s)) { + RAW_EXTENSION *rawexts = NULL; + PACKET extensions; + + if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_BAD_LENGTH); + goto f_err; + } + if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE, + &rawexts, &al) + || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE, + rawexts, x, chainidx, &al)) + goto f_err; + } + if (!sk_X509_push(sk, x)) { SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); goto err; @@ -2148,41 +2180,57 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) return MSG_PROCESS_ERROR; } -MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt) +/* + * In TLSv1.3 this is called from the extensions code, otherwise it is used to + * parse a separate message. Returns 1 on success or 0 on failure. On failure + * |*al| is populated with a suitable alert code. + */ +int tls_process_cert_status_body(SSL *s, PACKET *pkt, int *al) { - int al; size_t resplen; unsigned int type; if (!PACKET_get_1(pkt, &type) || type != TLSEXT_STATUSTYPE_ocsp) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE); - goto f_err; + *al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, + SSL_R_UNSUPPORTED_STATUS_TYPE); + return 0; } if (!PACKET_get_net_3_len(pkt, &resplen) || PACKET_remaining(pkt) != resplen) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_LENGTH_MISMATCH); - goto f_err; + *al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH); + return 0; } s->tlsext_ocsp_resp = OPENSSL_malloc(resplen); if (s->tlsext_ocsp_resp == NULL) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, ERR_R_MALLOC_FAILURE); - goto f_err; + *al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, ERR_R_MALLOC_FAILURE); + return 0; } if (!PACKET_copy_bytes(pkt, s->tlsext_ocsp_resp, resplen)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_LENGTH_MISMATCH); - goto f_err; + *al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH); + return 0; } s->tlsext_ocsp_resplen = resplen; + + return 1; +} + + +MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt) +{ + int al; + + if (!tls_process_cert_status_body(s, pkt, &al)) { + ssl3_send_alert(s, SSL3_AL_FATAL, al); + ossl_statem_set_error(s); + return MSG_PROCESS_ERROR; + } + return MSG_PROCESS_CONTINUE_READING; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); - return MSG_PROCESS_ERROR; } /* @@ -2207,7 +2255,8 @@ int tls_process_initial_server_flight(SSL *s, int *al) * |tlsext_ocsp_resplen| values will be set if we actually received a status * message, or NULL and -1 otherwise */ - if (s->tlsext_status_type != -1 && s->ctx->tlsext_status_cb != NULL) { + if (s->tlsext_status_type != TLSEXT_STATUSTYPE_nothing + && s->ctx->tlsext_status_cb != NULL) { int ret; ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); if (ret == 0) { @@ -2459,6 +2508,9 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt, int *al) goto err; ckey = ssl_generate_pkey(skey); + if (ckey == NULL) + goto err; + dh_clnt = EVP_PKEY_get0_DH(ckey); if (dh_clnt == NULL || ssl_derive(s, ckey, skey, 0) == 0) @@ -2496,6 +2548,10 @@ static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt, int *al) } ckey = ssl_generate_pkey(skey); + if (ckey == NULL) { + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_MALLOC_FAILURE); + goto err; + } if (ssl_derive(s, ckey, skey, 0) == 0) { SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EVP_LIB); @@ -2956,11 +3012,19 @@ WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst) int tls_construct_client_certificate(SSL *s, WPACKET *pkt) { - if (!ssl3_output_cert_chain(s, pkt, + int al = SSL_AD_INTERNAL_ERROR; + + /* + * TODO(TLS1.3): For now we must put an empty context. Needs to be filled in + * later + */ + if ((SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) + || !ssl3_output_cert_chain(s, pkt, (s->s3->tmp.cert_req == 2) ? NULL - : s->cert->key)) { + : s->cert->key, + &al)) { SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + ssl3_send_alert(s, SSL3_AL_FATAL, al); return 0; } @@ -3066,6 +3130,34 @@ int tls_construct_next_proto(SSL *s, WPACKET *pkt) } #endif +static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt) +{ + int al = SSL_AD_INTERNAL_ERROR; + PACKET extensions; + RAW_EXTENSION *rawexts = NULL; + + if (!PACKET_as_length_prefixed_2(pkt, &extensions)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS, SSL_R_LENGTH_MISMATCH); + goto err; + } + + if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_ENCRYPTED_EXTENSIONS, + &rawexts, &al) + || !tls_parse_all_extensions(s, EXT_TLS1_3_ENCRYPTED_EXTENSIONS, + rawexts, NULL, 0, &al)) + goto err; + + OPENSSL_free(rawexts); + return MSG_PROCESS_CONTINUE_READING; + + err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + ossl_statem_set_error(s); + OPENSSL_free(rawexts); + return MSG_PROCESS_ERROR; +} + int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) { int i = 0;