X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_lib.c;h=13174abb1703ef0068d38c110bc9df7b3023254e;hp=0395e9f002e813eb6e68b1da9f21fb83b14a89f8;hb=7d061fced39d72bd664d04e254c1e3ba6cf99fbc;hpb=d8bc139978ee86efe1039a1f783a30b63b89f665 diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 0395e9f002..13174abb17 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -72,62 +72,180 @@ int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype) return 1; } +int tls_setup_handshake(SSL *s) +{ + if (!ssl3_init_finished_mac(s)) + return 0; + + if (s->server) { + if (SSL_IS_FIRST_HANDSHAKE(s)) { + s->ctx->stats.sess_accept++; + } else if (!s->s3->send_connection_binding && + !(s->options & + SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + /* + * Server attempting to renegotiate with client that doesn't + * support secure renegotiation. + */ + SSLerr(SSL_F_TLS_SETUP_HANDSHAKE, + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + return 0; + } else { + s->ctx->stats.sess_accept_renegotiate++; + + s->s3->tmp.cert_request = 0; + } + } else { + if (SSL_IS_FIRST_HANDSHAKE(s)) + s->ctx->stats.sess_connect++; + else + s->ctx->stats.sess_connect_renegotiate++; + + /* mark client_random uninitialized */ + memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); + s->hit = 0; + + s->s3->tmp.cert_req = 0; + + if (SSL_IS_DTLS(s)) + s->statem.use_timer = 1; + } + + return 1; +} + +/* + * Size of the to-be-signed TLS13 data, without the hash size itself: + * 64 bytes of value 32, 33 context bytes, 1 byte separator + */ +#define TLS13_TBS_START_SIZE 64 +#define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1) + +static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, + void **hdata, size_t *hdatalen) +{ + static const char *servercontext = "TLS 1.3, server CertificateVerify"; + static const char *clientcontext = "TLS 1.3, client CertificateVerify"; + + if (SSL_IS_TLS13(s)) { + size_t hashlen; + + /* Set the first 64 bytes of to-be-signed data to octet 32 */ + memset(tls13tbs, 32, TLS13_TBS_START_SIZE); + /* This copies the 33 bytes of context plus the 0 separator byte */ + if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY + || s->statem.hand_state == TLS_ST_SW_CERT_VRFY) + strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext); + else + strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext); + + /* + * If we're currently reading then we need to use the saved handshake + * hash value. We can't use the current handshake hash state because + * that includes the CertVerify itself. + */ + if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY + || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) { + memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash, + s->cert_verify_hash_len); + hashlen = s->cert_verify_hash_len; + } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE, + EVP_MAX_MD_SIZE, &hashlen)) { + return 0; + } + + *hdata = tls13tbs; + *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen; + } else { + size_t retlen; + + retlen = BIO_get_mem_data(s->s3->handshake_buffer, hdata); + if (retlen <= 0) + return 0; + *hdatalen = retlen; + } + + return 1; +} + int tls_construct_cert_verify(SSL *s, WPACKET *pkt) { - EVP_PKEY *pkey; + EVP_PKEY *pkey = s->cert->key->privatekey; const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys]; EVP_MD_CTX *mctx = NULL; - unsigned u = 0; - long hdatalen = 0; + EVP_PKEY_CTX *pctx = NULL; + size_t hdatalen = 0, siglen = 0; void *hdata; unsigned char *sig = NULL; + unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; + int pktype, ispss = 0; + + pktype = EVP_PKEY_id(pkey); mctx = EVP_MD_CTX_new(); if (mctx == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_MALLOC_FAILURE); goto err; } - pkey = s->cert->key->privatekey; - hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); - if (hdatalen <= 0) { + /* Get the data to be signed */ + if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; } - if (SSL_USE_SIGALGS(s)&& !tls12_get_sigandhash(pkt, pkey, md)) { + if (SSL_USE_SIGALGS(s) && !tls12_get_sigandhash(s, pkt, pkey, md, &ispss)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; } #ifdef SSL_DEBUG fprintf(stderr, "Using client alg %s\n", EVP_MD_name(md)); #endif - sig = OPENSSL_malloc(EVP_PKEY_size(pkey)); + siglen = EVP_PKEY_size(pkey); + sig = OPENSSL_malloc(siglen); if (sig == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_MALLOC_FAILURE); goto err; } - if (!EVP_SignInit_ex(mctx, md, NULL) - || !EVP_SignUpdate(mctx, hdata, hdatalen) - || (s->version == SSL3_VERSION - && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - (int)s->session->master_key_length, - s->session->master_key)) - || !EVP_SignFinal(mctx, sig, &u, pkey)) { + + if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0 + || EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); + goto err; + } + + if (ispss) { + if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 + || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, + RSA_PSS_SALTLEN_DIGEST) <= 0) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); + goto err; + } + } else if (s->version == SSL3_VERSION) { + if (!EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, + (int)s->session->master_key_length, + s->session->master_key)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); + goto err; + } + } + + if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); goto err; } + #ifndef OPENSSL_NO_GOST { - int pktype = EVP_PKEY_id(pkey); if (pktype == NID_id_GostR3410_2001 || pktype == NID_id_GostR3410_2012_256 || pktype == NID_id_GostR3410_2012_512) - BUF_reverse(sig, NULL, u); + BUF_reverse(sig, NULL, siglen); } #endif - if (!WPACKET_sub_memcpy_u16(pkt, sig, u)) { + if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; } @@ -149,28 +267,34 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) { EVP_PKEY *pkey = NULL; - const unsigned char *sig, *data; + const unsigned char *data; #ifndef OPENSSL_NO_GOST unsigned char *gost_data = NULL; #endif - int al, ret = MSG_PROCESS_ERROR; - int type = 0, j; + int al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR; + int type = 0, j, pktype; unsigned int len; X509 *peer; const EVP_MD *md = NULL; - long hdatalen = 0; + size_t hdatalen = 0; void *hdata; - + unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + EVP_PKEY_CTX *pctx = NULL; if (mctx == NULL) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE); - al = SSL_AD_INTERNAL_ERROR; goto f_err; } peer = s->session->peer; pkey = X509_get0_pubkey(peer); + if (pkey == NULL) { + al = SSL_AD_INTERNAL_ERROR; + goto f_err; + } + + pktype = EVP_PKEY_id(pkey); type = X509_certificate_type(peer, pkey); if (!(type & EVP_PKT_SIGN)) { @@ -194,19 +318,20 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) { if (SSL_USE_SIGALGS(s)) { int rv; + unsigned int sigalg; - if (!PACKET_get_bytes(pkt, &sig, 2)) { + if (!PACKET_get_net_2(pkt, &sigalg)) { al = SSL_AD_DECODE_ERROR; goto f_err; } - rv = tls12_check_peer_sigalg(&md, s, sig, pkey); + rv = tls12_check_peer_sigalg(s, sigalg, pkey); if (rv == -1) { - al = SSL_AD_INTERNAL_ERROR; goto f_err; } else if (rv == 0) { al = SSL_AD_DECODE_ERROR; goto f_err; } + md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx); #ifdef SSL_DEBUG fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); #endif @@ -240,31 +365,26 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) goto f_err; } - hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); - if (hdatalen <= 0) { + if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR); - al = SSL_AD_INTERNAL_ERROR; goto f_err; } #ifdef SSL_DEBUG fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md)); #endif - if (!EVP_VerifyInit_ex(mctx, md, NULL) - || !EVP_VerifyUpdate(mctx, hdata, hdatalen)) { + if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0 + || EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); - al = SSL_AD_INTERNAL_ERROR; goto f_err; } #ifndef OPENSSL_NO_GOST { - int pktype = EVP_PKEY_id(pkey); if (pktype == NID_id_GostR3410_2001 || pktype == NID_id_GostR3410_2012_256 || pktype == NID_id_GostR3410_2012_512) { if ((gost_data = OPENSSL_malloc(len)) == NULL) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE); - al = SSL_AD_INTERNAL_ERROR; goto f_err; } BUF_reverse(gost_data, data, len); @@ -273,22 +393,31 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) } #endif - if (s->version == SSL3_VERSION + if (SSL_USE_PSS(s)) { + if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 + || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, + RSA_PSS_SALTLEN_DIGEST) <= 0) { + SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); + goto f_err; + } + } else if (s->version == SSL3_VERSION && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, (int)s->session->master_key_length, s->session->master_key)) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); - al = SSL_AD_INTERNAL_ERROR; goto f_err; } - if (EVP_VerifyFinal(mctx, data, len, pkey) <= 0) { + if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) { al = SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE); goto f_err; } - ret = MSG_PROCESS_CONTINUE_PROCESSING; + if (SSL_IS_TLS13(s)) + ret = MSG_PROCESS_CONTINUE_READING; + else + ret = MSG_PROCESS_CONTINUE_PROCESSING; if (0) { f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); @@ -332,6 +461,15 @@ int tls_construct_finished(SSL *s, WPACKET *pkt) goto err; } + /* + * Log the master secret, if logging is enabled. We don't log it for + * TLSv1.3: there's a different key schedule for that. + */ + if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL, + s->session->master_key, + s->session->master_key_length)) + return 0; + /* * Copy the finished so we can use it for renegotiation checks */ @@ -506,7 +644,7 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) } } else { if (!s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, s->handshake_secret, 0, + s->master_secret, s->handshake_secret, 0, &s->session->master_key_length)) { SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER); goto f_err; @@ -677,7 +815,12 @@ unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk, return 1; } -WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst) +/* + * Tidy up after the end of a handshake. In the case of SCTP this may result + * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is + * freed up as well. + */ +WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs) { void (*cb) (const SSL *ssl, int type, int val) = NULL; @@ -690,26 +833,26 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst) } #endif - /* clean a few things up */ - ssl3_cleanup_key_block(s); - - if (!SSL_IS_DTLS(s)) { - /* - * We don't do this in DTLS because we may still need the init_buf - * in case there are any unexpected retransmits - */ - BUF_MEM_free(s->init_buf); - s->init_buf = NULL; + if (clearbufs) { + if (!SSL_IS_DTLS(s)) { + /* + * We don't do this in DTLS because we may still need the init_buf + * in case there are any unexpected retransmits + */ + BUF_MEM_free(s->init_buf); + s->init_buf = NULL; + } + ssl_free_wbio_buffer(s); + s->init_num = 0; } - ssl_free_wbio_buffer(s); - - s->init_num = 0; - - if (!s->server || s->renegotiate == 2) { + if (s->statem.cleanuphand) { /* skipped if we just sent a HelloRequest */ s->renegotiate = 0; s->new_session = 0; + s->statem.cleanuphand = 0; + + ssl3_cleanup_key_block(s); if (s->server) { ssl_update_cache(s, SSL_SESS_CACHE_SERVER); @@ -742,6 +885,13 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst) } } + /* + * If we've not cleared the buffers its because we've got more work to do, + * so continue. + */ + if (!clearbufs) + return WORK_FINISHED_CONTINUE; + return WORK_FINISHED_STOP; } @@ -790,7 +940,8 @@ int tls_get_message_header(SSL *s, int *mt) skip_message = 0; if (!s->server) - if (p[0] == SSL3_MT_HELLO_REQUEST) + if (s->statem.hand_state != TLS_ST_OK + && p[0] == SSL3_MT_HELLO_REQUEST) /* * The server may always send 'Hello Request' messages -- * we are doing a handshake anyway now, so ignore them if @@ -920,7 +1071,7 @@ int ssl_cert_type(const X509 *x, const EVP_PKEY *pk) default: return -1; case EVP_PKEY_RSA: - return SSL_PKEY_RSA_ENC; + return SSL_PKEY_RSA; case EVP_PKEY_DSA: return SSL_PKEY_DSA_SIGN; #ifndef OPENSSL_NO_EC @@ -1283,21 +1434,22 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello) switch (server_version) { default: + if (!SSL_IS_TLS13(s)) { + if (version_cmp(s, client_version, s->version) < 0) + return SSL_R_WRONG_SSL_VERSION; + /* + * If this SSL handle is not from a version flexible method we don't + * (and never did) check min/max FIPS or Suite B constraints. Hope + * that's OK. It is up to the caller to not choose fixed protocol + * versions they don't want. If not, then easy to fix, just return + * ssl_method_error(s, s->method) + */ + return 0; + } /* - * TODO(TLS1.3): This check will fail if someone attempts to do - * renegotiation in TLS1.3 at the moment. We need to ensure we disable - * renegotiation for TLS1.3 - */ - if (version_cmp(s, client_version, s->version) < 0) - return SSL_R_WRONG_SSL_VERSION; - /* - * If this SSL handle is not from a version flexible method we don't - * (and never did) check min/max FIPS or Suite B constraints. Hope - * that's OK. It is up to the caller to not choose fixed protocol - * versions they don't want. If not, then easy to fix, just return - * ssl_method_error(s, s->method) + * Fall through if we are TLSv1.3 already (this means we must be after + * a HelloRetryRequest */ - return 0; case TLS_ANY_VERSION: table = tls_version_table; break; @@ -1352,6 +1504,15 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello) } if (best_vers > 0) { + if (SSL_IS_TLS13(s)) { + /* + * We get here if this is after a HelloRetryRequest. In this + * case we just check that we still negotiated TLSv1.3 + */ + if (best_vers != TLS1_3_VERSION) + return SSL_R_UNSUPPORTED_PROTOCOL; + return 0; + } s->version = best_vers; s->method = best_method; return 0;