X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_lib.c;h=4b64541cb950c75519b9f4b86cc3a526fcda81d2;hp=1ce14ee640056f6fe7700a86228a8a702b542caa;hb=d805a57be266ba68ae40f7177aeea69cba2dfe47;hpb=348240c676a1b2beaebb865e8be0b62f88c10b7d diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 1ce14ee640..4b64541cb9 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -221,11 +221,11 @@ MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) { - int al; + int al = SSL_AD_INTERNAL_ERROR; size_t md_len; /* If this occurs, we have missed a message */ - if (!s->s3->change_cipher_spec) { + if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS); goto f_err; @@ -262,6 +262,34 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) s->s3->previous_server_finished_len = md_len; } + /* + * In TLS1.3 we also have to change cipher state and do any final processing + * of the initial server flight (if we are a client) + */ + if (SSL_IS_TLS13(s)) { + if (s->server) { + if (!s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) { + SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER); + goto f_err; + } + } else { + if (!s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key, s->handshake_secret, 0, + &s->session->master_key_length)) { + SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER); + goto f_err; + } + if (!s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) { + SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER); + goto f_err; + } + if (!tls_process_initial_server_flight(s, &al)) + goto f_err; + } + } + return MSG_PROCESS_FINISHED_READING; f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); @@ -280,12 +308,139 @@ int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt) return 1; } -unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) +/* Add a certificate to the WPACKET */ +static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain, + int *al) +{ + int len; + unsigned char *outbytes; + + len = i2d_X509(x, NULL); + if (len < 0) { + SSLerr(SSL_F_SSL_ADD_CERT_TO_WPACKET, ERR_R_BUF_LIB); + *al = SSL_AD_INTERNAL_ERROR; + return 0; + } + if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes) + || i2d_X509(x, &outbytes) != len) { + SSLerr(SSL_F_SSL_ADD_CERT_TO_WPACKET, ERR_R_INTERNAL_ERROR); + *al = SSL_AD_INTERNAL_ERROR; + return 0; + } + + if (SSL_IS_TLS13(s) + && !tls_construct_extensions(s, pkt, EXT_TLS1_3_CERTIFICATE, x, + chain, al)) + return 0; + + return 1; +} + +/* Add certificate chain to provided WPACKET */ +static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk, int *al) { + int i, chain_count; + X509 *x; + STACK_OF(X509) *extra_certs; + STACK_OF(X509) *chain = NULL; + X509_STORE *chain_store; + int tmpal = SSL_AD_INTERNAL_ERROR; + + if (cpk == NULL || cpk->x509 == NULL) + return 1; + + x = cpk->x509; + + /* + * If we have a certificate specific chain use it, else use parent ctx. + */ + if (cpk->chain != NULL) + extra_certs = cpk->chain; + else + extra_certs = s->ctx->extra_certs; + + if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs) + chain_store = NULL; + else if (s->cert->chain_store) + chain_store = s->cert->chain_store; + else + chain_store = s->ctx->cert_store; + + if (chain_store != NULL) { + X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new(); + + if (xs_ctx == NULL) { + SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_MALLOC_FAILURE); + goto err; + } + if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) { + X509_STORE_CTX_free(xs_ctx); + SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB); + goto err; + } + /* + * It is valid for the chain not to be complete (because normally we + * don't include the root cert in the chain). Therefore we deliberately + * ignore the error return from this call. We're not actually verifying + * the cert - we're just building as much of the chain as we can + */ + (void)X509_verify_cert(xs_ctx); + /* Don't leave errors in the queue */ + ERR_clear_error(); + chain = X509_STORE_CTX_get0_chain(xs_ctx); + i = ssl_security_cert_chain(s, chain, NULL, 0); + if (i != 1) { +#if 0 + /* Dummy error calls so mkerr generates them */ + SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL); + SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL); + SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK); +#endif + X509_STORE_CTX_free(xs_ctx); + SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, i); + goto err; + } + chain_count = sk_X509_num(chain); + for (i = 0; i < chain_count; i++) { + x = sk_X509_value(chain, i); + + if (!ssl_add_cert_to_wpacket(s, pkt, x, i, &tmpal)) { + X509_STORE_CTX_free(xs_ctx); + goto err; + } + } + X509_STORE_CTX_free(xs_ctx); + } else { + i = ssl_security_cert_chain(s, extra_certs, x, 0); + if (i != 1) { + SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, i); + goto err; + } + if (!ssl_add_cert_to_wpacket(s, pkt, x, 0, &tmpal)) + goto err; + for (i = 0; i < sk_X509_num(extra_certs); i++) { + x = sk_X509_value(extra_certs, i); + if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1, &tmpal)) + goto err; + } + } + return 1; + + err: + *al = tmpal; + return 0; +} + +unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk, + int *al) +{ + int tmpal = SSL_AD_INTERNAL_ERROR; + if (!WPACKET_start_sub_packet_u24(pkt) - || !ssl_add_cert_chain(s, pkt, cpk) + || !ssl_add_cert_chain(s, pkt, cpk, &tmpal) || !WPACKET_close(pkt)) { SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_INTERNAL_ERROR); + *al = tmpal; return 0; } return 1; @@ -364,7 +519,7 @@ int tls_get_message_header(SSL *s, int *mt) /* s->init_num < SSL3_HM_HEADER_LENGTH */ int skip_message, i, recvd_type, al; unsigned char *p; - size_t l, read; + size_t l, readbytes; p = (unsigned char *)s->init_buf->data; @@ -373,7 +528,7 @@ int tls_get_message_header(SSL *s, int *mt) i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, &p[s->init_num], SSL3_HM_HEADER_LENGTH - s->init_num, - 0, &read); + 0, &readbytes); if (i <= 0) { s->rwstate = SSL_READING; return 0; @@ -383,22 +538,23 @@ int tls_get_message_header(SSL *s, int *mt) * A ChangeCipherSpec must be a single byte and may not occur * in the middle of a handshake message. */ - if (s->init_num != 0 || read != 1 || p[0] != SSL3_MT_CCS) { + if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, SSL_R_BAD_CHANGE_CIPHER_SPEC); goto f_err; } s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; - s->init_num = read - 1; - s->s3->tmp.message_size = read; + s->init_num = readbytes - 1; + s->init_msg = s->init_buf->data; + s->s3->tmp.message_size = readbytes; return 1; } else if (recvd_type != SSL3_RT_HANDSHAKE) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, SSL_R_CCS_RECEIVED_EARLY); goto f_err; } - s->init_num += read; + s->init_num += readbytes; } skip_message = 0; @@ -461,7 +617,7 @@ int tls_get_message_header(SSL *s, int *mt) int tls_get_message_body(SSL *s, size_t *len) { - size_t n, read; + size_t n, readbytes; unsigned char *p; int i; @@ -475,14 +631,14 @@ int tls_get_message_body(SSL *s, size_t *len) n = s->s3->tmp.message_size - s->init_num; while (n > 0) { i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, - &p[s->init_num], n, 0, &read); + &p[s->init_num], n, 0, &readbytes); if (i <= 0) { s->rwstate = SSL_READING; *len = 0; return 0; } - s->init_num += read; - n -= read; + s->init_num += readbytes; + n -= readbytes; } #ifndef OPENSSL_NO_NEXTPROTONEG @@ -874,7 +1030,7 @@ int ssl_set_version_bound(int method_version, int version, int *bound) * * Returns 0 on success or an SSL error reason number on failure. */ -int ssl_choose_server_version(SSL *s) +int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello) { /*- * With version-flexible methods we have an initial state with: @@ -886,13 +1042,21 @@ int ssl_choose_server_version(SSL *s) * handle version. */ int server_version = s->method->version; - int client_version = s->client_version; + int client_version = hello->legacy_version; const version_info *vent; const version_info *table; int disabled = 0; + RAW_EXTENSION *suppversions; + + s->client_version = client_version; switch (server_version) { default: + /* + * TODO(TLS1.3): This check will fail if someone attempts to do + * renegotiation in TLS1.3 at the moment. We need to ensure we disable + * renegotiation for TLS1.3 + */ if (version_cmp(s, client_version, s->version) < 0) return SSL_R_WRONG_SSL_VERSION; /* @@ -911,6 +1075,70 @@ int ssl_choose_server_version(SSL *s) break; } + suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions]; + + if (suppversions->present && !SSL_IS_DTLS(s)) { + unsigned int candidate_vers = 0; + unsigned int best_vers = 0; + const SSL_METHOD *best_method = NULL; + PACKET versionslist; + + suppversions->parsed = 1; + + if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) { + /* Trailing or invalid data? */ + return SSL_R_LENGTH_MISMATCH; + } + + while (PACKET_get_net_2(&versionslist, &candidate_vers)) { + /* TODO(TLS1.3): Remove this before release */ + if (candidate_vers == TLS1_3_VERSION_DRAFT) + candidate_vers = TLS1_3_VERSION; + /* + * TODO(TLS1.3): There is some discussion on the TLS list about + * wheter to ignore versions version != 0 && vent->version != (int)candidate_vers; + ++vent) + continue; + if (vent->version != 0 && vent->smeth != NULL) { + const SSL_METHOD *method; + + method = vent->smeth(); + if (ssl_method_error(s, method) == 0) { + best_vers = candidate_vers; + best_method = method; + } + } + } + if (PACKET_remaining(&versionslist) != 0) { + /* Trailing data? */ + return SSL_R_LENGTH_MISMATCH; + } + + if (best_vers > 0) { + s->version = best_vers; + s->method = best_method; + return 0; + } + return SSL_R_UNSUPPORTED_PROTOCOL; + } + + /* + * If the supported versions extension isn't present, then the highest + * version we can negotiate is TLSv1.2 + */ + if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0) + client_version = TLS1_2_VERSION; + + /* + * No supported versions extension, so we just use the version supplied in + * the ClientHello. + */ for (vent = table; vent->version != 0; ++vent) { const SSL_METHOD *method; @@ -943,6 +1171,10 @@ int ssl_choose_client_version(SSL *s, int version) const version_info *vent; const version_info *table; + /* TODO(TLS1.3): Remove this before release */ + if (version == TLS1_3_VERSION_DRAFT) + version = TLS1_3_VERSION; + switch (s->method->version) { default: if (version != s->version) @@ -1087,7 +1319,7 @@ int ssl_get_client_min_max_version(const SSL *s, int *min_version, /* * ssl_set_client_hello_version - Work out what version we should be using for - * the initial ClientHello. + * the initial ClientHello.legacy_version field. * * @s: client SSL handle. * @@ -1102,6 +1334,12 @@ int ssl_set_client_hello_version(SSL *s) if (ret != 0) return ret; - s->client_version = s->version = ver_max; + s->version = ver_max; + + /* TLS1.3 always uses TLS1.2 in the legacy_version field */ + if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION) + ver_max = TLS1_2_VERSION; + + s->client_version = ver_max; return 0; }