X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_srvr.c;h=26c37c73d029345c80302694cc8bcbef5e0c3e6e;hp=6aa897bfd56792eb3bac80dd8398401fcbabf6f1;hb=03f44b974b1c85804b54af7c3ffb5241d5ffd952;hpb=348240c676a1b2beaebb865e8be0b62f88c10b7d diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 6aa897bfd5..26c37c73d0 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -61,31 +61,113 @@ #include #include -static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, - PACKET *cipher_suites, - STACK_OF(SSL_CIPHER) - **skp, int sslv2format, - int *al); +static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt); +static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt); /* - * server_read_transition() encapsulates the logic for the allowed handshake - * state transitions when the server is reading messages from the client. The - * message type that the client has sent is provided in |mt|. The current state - * is in |s->statem.hand_state|. + * ossl_statem_server13_read_transition() encapsulates the logic for the allowed + * handshake state transitions when a TLSv1.3 server is reading messages from + * the client. The message type that the client has sent is provided in |mt|. + * The current state is in |s->statem.hand_state|. * - * Valid return values are: - * 1: Success (transition allowed) - * 0: Error (transition not allowed) + * Return values are 1 for success (transition allowed) and 0 on error + * (transition not allowed) + */ +static int ossl_statem_server13_read_transition(SSL *s, int mt) +{ + OSSL_STATEM *st = &s->statem; + + /* + * Note: There is no case for TLS_ST_BEFORE because at that stage we have + * not negotiated TLSv1.3 yet, so that case is handled by + * ossl_statem_server_read_transition() + */ + switch (st->hand_state) { + default: + break; + + case TLS_ST_SW_HELLO_RETRY_REQUEST: + if (mt == SSL3_MT_CLIENT_HELLO) { + st->hand_state = TLS_ST_SR_CLNT_HELLO; + return 1; + } + break; + + case TLS_ST_SW_FINISHED: + if (s->s3->tmp.cert_request) { + if (mt == SSL3_MT_CERTIFICATE) { + st->hand_state = TLS_ST_SR_CERT; + return 1; + } + } else { + if (mt == SSL3_MT_FINISHED) { + st->hand_state = TLS_ST_SR_FINISHED; + return 1; + } + } + break; + + case TLS_ST_SR_CERT: + if (s->session->peer == NULL) { + if (mt == SSL3_MT_FINISHED) { + st->hand_state = TLS_ST_SR_FINISHED; + return 1; + } + } else { + if (mt == SSL3_MT_CERTIFICATE_VERIFY) { + st->hand_state = TLS_ST_SR_CERT_VRFY; + return 1; + } + } + break; + + case TLS_ST_SR_CERT_VRFY: + if (mt == SSL3_MT_FINISHED) { + st->hand_state = TLS_ST_SR_FINISHED; + return 1; + } + break; + + case TLS_ST_OK: + if (mt == SSL3_MT_KEY_UPDATE) { + st->hand_state = TLS_ST_SR_KEY_UPDATE; + return 1; + } + break; + } + + /* No valid transition found */ + ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); + SSLerr(SSL_F_OSSL_STATEM_SERVER13_READ_TRANSITION, + SSL_R_UNEXPECTED_MESSAGE); + return 0; +} + +/* + * ossl_statem_server_read_transition() encapsulates the logic for the allowed + * handshake state transitions when the server is reading messages from the + * client. The message type that the client has sent is provided in |mt|. The + * current state is in |s->statem.hand_state|. + * + * Return values are 1 for success (transition allowed) and 0 on error + * (transition not allowed) */ int ossl_statem_server_read_transition(SSL *s, int mt) { OSSL_STATEM *st = &s->statem; + if (SSL_IS_TLS13(s)) { + if (!ossl_statem_server13_read_transition(s, mt)) + goto err; + return 1; + } + switch (st->hand_state) { default: break; case TLS_ST_BEFORE: + case TLS_ST_OK: case DTLS_ST_SW_HELLO_VERIFY_REQUEST: if (mt == SSL3_MT_CLIENT_HELLO) { st->hand_state = TLS_ST_SR_CLNT_HELLO; @@ -179,7 +261,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt) case TLS_ST_SR_CHANGE: #ifndef OPENSSL_NO_NEXTPROTONEG - if (s->s3->next_proto_neg_seen) { + if (s->s3->npn_seen) { if (mt == SSL3_MT_NEXT_PROTO) { st->hand_state = TLS_ST_SR_NEXT_PROTO; return 1; @@ -212,6 +294,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt) break; } + err: /* No valid transition found */ ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); @@ -276,7 +359,7 @@ static int send_certificate_request(SSL *s) * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert * during re-negotiation: */ - && ((s->session->peer == NULL) || + && (s->s3->tmp.finish_md_len == 0 || !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) /* * never request cert in anonymous ciphersuites (see @@ -304,27 +387,137 @@ static int send_certificate_request(SSL *s) } /* - * server_write_transition() works out what handshake state to move to next - * when the server is writing messages to be sent to the client. + * ossl_statem_server13_write_transition() works out what handshake state to + * move to next when a TLSv1.3 server is writing messages to be sent to the + * client. + */ +static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) +{ + OSSL_STATEM *st = &s->statem; + + /* + * No case for TLS_ST_BEFORE, because at that stage we have not negotiated + * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition() + */ + + switch (st->hand_state) { + default: + /* Shouldn't happen */ + return WRITE_TRAN_ERROR; + + case TLS_ST_OK: + if (s->key_update != SSL_KEY_UPDATE_NONE) { + st->hand_state = TLS_ST_SW_KEY_UPDATE; + return WRITE_TRAN_CONTINUE; + } + /* Try to read from the client instead */ + return WRITE_TRAN_FINISHED; + + case TLS_ST_SR_CLNT_HELLO: + if (s->hello_retry_request) + st->hand_state = TLS_ST_SW_HELLO_RETRY_REQUEST; + else + st->hand_state = TLS_ST_SW_SRVR_HELLO; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_HELLO_RETRY_REQUEST: + return WRITE_TRAN_FINISHED; + + case TLS_ST_SW_SRVR_HELLO: + st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_ENCRYPTED_EXTENSIONS: + if (s->hit) + st->hand_state = TLS_ST_SW_FINISHED; + else if (send_certificate_request(s)) + st->hand_state = TLS_ST_SW_CERT_REQ; + else + st->hand_state = TLS_ST_SW_CERT; + + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_CERT_REQ: + st->hand_state = TLS_ST_SW_CERT; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_CERT: + st->hand_state = TLS_ST_SW_CERT_VRFY; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_CERT_VRFY: + st->hand_state = TLS_ST_SW_FINISHED; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_FINISHED: + return WRITE_TRAN_FINISHED; + + case TLS_ST_SR_FINISHED: + /* + * Technically we have finished the handshake at this point, but we're + * going to remain "in_init" for now and write out the session ticket + * immediately. + * TODO(TLS1.3): Perhaps we need to be able to control this behaviour + * and give the application the opportunity to delay sending the + * session ticket? + */ + st->hand_state = TLS_ST_SW_SESSION_TICKET; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SR_KEY_UPDATE: + if (s->key_update != SSL_KEY_UPDATE_NONE) { + st->hand_state = TLS_ST_SW_KEY_UPDATE; + return WRITE_TRAN_CONTINUE; + } + /* Fall through */ + + case TLS_ST_SW_KEY_UPDATE: + case TLS_ST_SW_SESSION_TICKET: + st->hand_state = TLS_ST_OK; + ossl_statem_set_in_init(s, 0); + return WRITE_TRAN_CONTINUE; + } +} + +/* + * ossl_statem_server_write_transition() works out what handshake state to move + * to next when the server is writing messages to be sent to the client. */ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) { OSSL_STATEM *st = &s->statem; + /* + * Note that before the ClientHello we don't know what version we are going + * to negotiate yet, so we don't take this branch until later + */ + + if (SSL_IS_TLS13(s)) + return ossl_statem_server13_write_transition(s); + switch (st->hand_state) { default: /* Shouldn't happen */ return WRITE_TRAN_ERROR; + case TLS_ST_OK: + if (st->request_state == TLS_ST_SW_HELLO_REQ) { + /* We must be trying to renegotiate */ + st->hand_state = TLS_ST_SW_HELLO_REQ; + st->request_state = TLS_ST_BEFORE; + return WRITE_TRAN_CONTINUE; + } + /* Must be an incoming ClientHello */ + if (!tls_setup_handshake(s)) { + ossl_statem_set_error(s); + return WRITE_TRAN_ERROR; + } + /* Fall through */ + case TLS_ST_BEFORE: /* Just go straight to trying to read from the client */ return WRITE_TRAN_FINISHED; - case TLS_ST_OK: - /* We must be trying to renegotiate */ - st->hand_state = TLS_ST_SW_HELLO_REQ; - return WRITE_TRAN_CONTINUE; - case TLS_ST_SW_HELLO_REQ: st->hand_state = TLS_ST_OK; ossl_statem_set_in_init(s, 0); @@ -343,7 +536,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) case TLS_ST_SW_SRVR_HELLO: if (s->hit) { - if (s->tlsext_ticket_expected) + if (s->ext.ticket_expected) st->hand_state = TLS_ST_SW_SESSION_TICKET; else st->hand_state = TLS_ST_SW_CHANGE; @@ -364,7 +557,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; case TLS_ST_SW_CERT: - if (s->tlsext_status_expected) { + if (s->ext.status_expected) { st->hand_state = TLS_ST_SW_CERT_STATUS; return WRITE_TRAN_CONTINUE; } @@ -396,7 +589,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) st->hand_state = TLS_ST_OK; ossl_statem_set_in_init(s, 0); return WRITE_TRAN_CONTINUE; - } else if (s->tlsext_ticket_expected) { + } else if (s->ext.ticket_expected) { st->hand_state = TLS_ST_SW_SESSION_TICKET; } else { st->hand_state = TLS_ST_SW_CHANGE; @@ -467,7 +660,14 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) return WORK_FINISHED_CONTINUE; case TLS_ST_SW_SESSION_TICKET: - if (SSL_IS_DTLS(s)) { + if (SSL_IS_TLS13(s)) { + /* + * Actually this is the end of the handshake, but we're going + * straight into writing the session ticket out. So we finish off + * the handshake, but keep the various buffers active. + */ + return tls_finish_handshake(s, wst, 0); + } if (SSL_IS_DTLS(s)) { /* * We're into the last flight. We don't retransmit the last flight * unless we need to, so we don't use the timer @@ -494,7 +694,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) return WORK_FINISHED_CONTINUE; case TLS_ST_OK: - return tls_finish_handshake(s, wst); + return tls_finish_handshake(s, wst, 1); } return WORK_FINISHED_CONTINUE; @@ -515,6 +715,11 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) /* No post work to be done */ break; + case TLS_ST_SW_HELLO_RETRY_REQUEST: + if (statem_flush(s) != 1) + return WORK_MORE_A; + break; + case TLS_ST_SW_HELLO_REQ: if (statem_flush(s) != 1) return WORK_MORE_A; @@ -564,6 +769,20 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) sizeof(sctpauthkey), sctpauthkey); } #endif + /* + * TODO(TLS1.3): This actually causes a problem. We don't yet know + * whether the next record we are going to receive is an unencrypted + * alert, or an encrypted handshake message. We're going to need + * something clever in the record layer for this. + */ + if (SSL_IS_TLS13(s)) { + if (!s->method->ssl3_enc->setup_key_block(s) + || !s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE) + || !s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) + return WORK_ERROR; + } break; case TLS_ST_SW_CHANGE: @@ -606,6 +825,26 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) 0, NULL); } #endif + if (SSL_IS_TLS13(s)) { + if (!s->method->ssl3_enc->generate_master_secret(s, + s->master_secret, s->handshake_secret, 0, + &s->session->master_key_length) + || !s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE)) + return WORK_ERROR; + } + break; + + case TLS_ST_SW_KEY_UPDATE: + if (statem_flush(s) != 1) + return WORK_MORE_A; + if (!tls13_update_key(s, 1)) + return WORK_ERROR; + break; + + case TLS_ST_SW_SESSION_TICKET: + if (SSL_IS_TLS13(s) && statem_flush(s) != 1) + return WORK_MORE_A; break; } @@ -659,6 +898,12 @@ int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, *mt = SSL3_MT_CERTIFICATE; break; + case TLS_ST_SW_CERT_VRFY: + *confunc = tls_construct_cert_verify; + *mt = SSL3_MT_CERTIFICATE_VERIFY; + break; + + case TLS_ST_SW_KEY_EXCH: *confunc = tls_construct_server_key_exchange; *mt = SSL3_MT_SERVER_KEY_EXCHANGE; @@ -688,6 +933,21 @@ int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, *confunc = tls_construct_finished; *mt = SSL3_MT_FINISHED; break; + + case TLS_ST_SW_ENCRYPTED_EXTENSIONS: + *confunc = tls_construct_encrypted_extensions; + *mt = SSL3_MT_ENCRYPTED_EXTENSIONS; + break; + + case TLS_ST_SW_HELLO_RETRY_REQUEST: + *confunc = tls_construct_hello_retry_request; + *mt = SSL3_MT_HELLO_RETRY_REQUEST; + break; + + case TLS_ST_SW_KEY_UPDATE: + *confunc = tls_construct_key_update; + *mt = SSL3_MT_KEY_UPDATE; + break; } return 1; @@ -748,6 +1008,9 @@ size_t ossl_statem_server_max_message_size(SSL *s) case TLS_ST_SR_FINISHED: return FINISHED_MAX_LENGTH; + + case TLS_ST_SR_KEY_UPDATE: + return KEY_UPDATE_MAX_LENGTH; } } @@ -785,6 +1048,10 @@ MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) case TLS_ST_SR_FINISHED: return tls_process_finished(s, pkt); + + case TLS_ST_SR_KEY_UPDATE: + return tls_process_key_update(s, pkt); + } } @@ -825,7 +1092,7 @@ WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) #endif return WORK_FINISHED_CONTINUE; } - + return WORK_FINISHED_CONTINUE; } #ifndef OPENSSL_NO_SRP @@ -885,30 +1152,106 @@ int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) return 1; } +#ifndef OPENSSL_NO_EC +/*- + * ssl_check_for_safari attempts to fingerprint Safari using OS X + * SecureTransport using the TLS extension block in |hello|. + * Safari, since 10.6, sends exactly these extensions, in this order: + * SNI, + * elliptic_curves + * ec_point_formats + * + * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, + * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. + * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from + * 10.8..10.8.3 (which don't work). + */ +static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) +{ + static const unsigned char kSafariExtensionsBlock[] = { + 0x00, 0x0a, /* elliptic_curves extension */ + 0x00, 0x08, /* 8 bytes */ + 0x00, 0x06, /* 6 bytes of curve ids */ + 0x00, 0x17, /* P-256 */ + 0x00, 0x18, /* P-384 */ + 0x00, 0x19, /* P-521 */ + + 0x00, 0x0b, /* ec_point_formats */ + 0x00, 0x02, /* 2 bytes */ + 0x01, /* 1 point format */ + 0x00, /* uncompressed */ + /* The following is only present in TLS 1.2 */ + 0x00, 0x0d, /* signature_algorithms */ + 0x00, 0x0c, /* 12 bytes */ + 0x00, 0x0a, /* 10 bytes */ + 0x05, 0x01, /* SHA-384/RSA */ + 0x04, 0x01, /* SHA-256/RSA */ + 0x02, 0x01, /* SHA-1/RSA */ + 0x04, 0x03, /* SHA-256/ECDSA */ + 0x02, 0x03, /* SHA-1/ECDSA */ + }; + /* Length of the common prefix (first two extensions). */ + static const size_t kSafariCommonExtensionsLength = 18; + unsigned int type; + PACKET sni, tmppkt; + size_t ext_len; + + tmppkt = hello->extensions; + + if (!PACKET_forward(&tmppkt, 2) + || !PACKET_get_net_2(&tmppkt, &type) + || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) { + return; + } + + if (type != TLSEXT_TYPE_server_name) + return; + + ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ? + sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength; + + s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock, + ext_len); +} +#endif /* !OPENSSL_NO_EC */ + MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) { - int i, al = SSL_AD_INTERNAL_ERROR; - unsigned int j; - size_t loop, complen = 0; - unsigned long id; - const SSL_CIPHER *c; -#ifndef OPENSSL_NO_COMP - SSL_COMP *comp = NULL; -#endif - STACK_OF(SSL_CIPHER) *ciphers = NULL; - int protverr; + int al = SSL_AD_INTERNAL_ERROR; /* |cookie| will only be initialized for DTLS. */ - PACKET session_id, cipher_suites, compression, extensions, cookie; - int is_v2_record; + PACKET session_id, compression, extensions, cookie; static const unsigned char null_compression = 0; + CLIENTHELLO_MSG *clienthello; - is_v2_record = RECORD_LAYER_is_sslv2_record(&s->rlayer); + clienthello = OPENSSL_zalloc(sizeof(*clienthello)); + if (clienthello == NULL) { + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + goto err; + } + /* Check if this is actually an unexpected renegotiation ClientHello */ + if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { + s->renegotiate = 1; + s->new_session = 1; + } + /* This is a real handshake so make sure we clean it up at the end */ + s->statem.cleanuphand = 1; + + /* + * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure. + */ + clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer); PACKET_null_init(&cookie); - /* First lets get s->client_version set correctly */ - if (is_v2_record) { - unsigned int version; + + if (clienthello->isv2) { unsigned int mt; + + if (!SSL_IS_FIRST_HANDSHAKE(s) || s->hello_retry_request) { + al = SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE); + goto f_err; + } + /*- * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 * header is sent directly on the wire, not wrapped as a TLS @@ -934,73 +1277,25 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); goto err; } - - if (!PACKET_get_net_2(pkt, &version)) { - /* No protocol version supplied! */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); - goto err; - } - if (version == 0x0002) { - /* This is real SSLv2. We don't support it. */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); - goto err; - } else if ((version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) { - /* SSLv3/TLS */ - s->client_version = version; - } else { - /* No idea what protocol this is */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); - goto err; - } - } else { - /* - * use version from inside client hello, not from record header (may - * differ: see RFC 2246, Appendix E, second paragraph) - */ - if (!PACKET_get_net_2(pkt, (unsigned int *)&s->client_version)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - } - - /* - * Do SSL/TLS version negotiation if applicable. For DTLS we just check - * versions are potentially compatible. Version negotiation comes later. - */ - if (!SSL_IS_DTLS(s)) { - protverr = ssl_choose_server_version(s); - } else if (s->method->version != DTLS_ANY_VERSION && - DTLS_VERSION_LT(s->client_version, s->version)) { - protverr = SSL_R_VERSION_TOO_LOW; - } else { - protverr = 0; } - if (protverr) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr); - if ((!s->enc_write_ctx && !s->write_hash)) { - /* - * similar to ssl3_get_record, send alert using remote version - * number - */ - s->version = s->client_version; - } - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto err; } /* Parse the message and load client random. */ - if (is_v2_record) { + if (clienthello->isv2) { /* * Handle an SSLv2 backwards compatible ClientHello * Note, this is only for SSLv3+ using the backward compatible format. - * Real SSLv2 is not supported, and is rejected above. + * Real SSLv2 is not supported, and is rejected below. */ - unsigned int cipher_len, session_id_len, challenge_len; + unsigned int ciphersuite_len, session_id_len, challenge_len; PACKET challenge; - if (!PACKET_get_net_2(pkt, &cipher_len) + if (!PACKET_get_net_2(pkt, &ciphersuite_len) || !PACKET_get_net_2(pkt, &session_id_len) || !PACKET_get_net_2(pkt, &challenge_len)) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, @@ -1015,8 +1310,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) goto f_err; } - if (!PACKET_get_sub_packet(pkt, &cipher_suites, cipher_len) - || !PACKET_get_sub_packet(pkt, &session_id, session_id_len) + if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites, + ciphersuite_len) + || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len) || !PACKET_get_sub_packet(pkt, &challenge, challenge_len) /* No extensions. */ || PACKET_remaining(pkt) != 0) { @@ -1025,13 +1321,18 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) al = SSL_AD_DECODE_ERROR; goto f_err; } + clienthello->session_id_len = session_id_len; - /* Load the client random and compression list. */ - challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE : - challenge_len; - memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE); + /* Load the client random and compression list. We use SSL3_RANDOM_SIZE + * here rather than sizeof(clienthello->random) because that is the limit + * for SSLv3 and it is fixed. It won't change even if + * sizeof(clienthello->random) does. + */ + challenge_len = challenge_len > SSL3_RANDOM_SIZE + ? SSL3_RANDOM_SIZE : challenge_len; + memset(clienthello->random, 0, SSL3_RANDOM_SIZE); if (!PACKET_copy_bytes(&challenge, - s->s3->client_random + SSL3_RANDOM_SIZE - + clienthello->random + SSL3_RANDOM_SIZE - challenge_len, challenge_len) /* Advertise only null compression. */ || !PACKET_buf_init(&compression, &null_compression, 1)) { @@ -1040,17 +1341,14 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) goto f_err; } - PACKET_null_init(&extensions); + PACKET_null_init(&clienthello->extensions); } else { /* Regular ClientHello. */ - if (!PACKET_copy_bytes(pkt, s->s3->client_random, SSL3_RANDOM_SIZE) - || !PACKET_get_length_prefixed_1(pkt, &session_id)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; - } - - if (PACKET_remaining(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) { + if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE) + || !PACKET_get_length_prefixed_1(pkt, &session_id) + || !PACKET_copy_all(&session_id, clienthello->session_id, + SSL_MAX_SSL_SESSION_ID_LENGTH, + &clienthello->session_id_len)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; @@ -1062,60 +1360,193 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; } + if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie, + DTLS1_COOKIE_LENGTH, + &clienthello->dtls_cookie_len)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } /* * If we require cookies and this ClientHello doesn't contain one, * just return since we do not want to allocate any memory yet. * So check cookie length... */ if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { - if (PACKET_remaining(&cookie) == 0) + if (clienthello->dtls_cookie_len == 0) return 1; } } - if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites) - || !PACKET_get_length_prefixed_1(pkt, &compression)) { + if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + + if (!PACKET_get_length_prefixed_1(pkt, &compression)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; } + /* Could be empty. */ - extensions = *pkt; + if (PACKET_remaining(pkt) == 0) { + PACKET_null_init(&clienthello->extensions); + } else { + if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + } + } + + if (!PACKET_copy_all(&compression, clienthello->compressions, + MAX_COMPRESSIONS_SIZE, + &clienthello->compressions_len)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + + /* Preserve the raw extensions PACKET for later use */ + extensions = clienthello->extensions; + if (!tls_collect_extensions(s, &extensions, EXT_CLIENT_HELLO, + &clienthello->pre_proc_exts, &al, + &clienthello->pre_proc_exts_len)) { + /* SSLerr already been called */ + goto f_err; + } + s->clienthello = clienthello; + + return MSG_PROCESS_CONTINUE_PROCESSING; + f_err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + err: + ossl_statem_set_error(s); + + OPENSSL_free(clienthello->pre_proc_exts); + OPENSSL_free(clienthello); + + return MSG_PROCESS_ERROR; +} + +static int tls_early_post_process_client_hello(SSL *s, int *al) +{ + unsigned int j; + int i; + int protverr; + size_t loop; + unsigned long id; +#ifndef OPENSSL_NO_COMP + SSL_COMP *comp = NULL; +#endif + const SSL_CIPHER *c; + STACK_OF(SSL_CIPHER) *ciphers = NULL; + STACK_OF(SSL_CIPHER) *scsvs = NULL; + CLIENTHELLO_MSG *clienthello = s->clienthello; + + *al = SSL_AD_INTERNAL_ERROR; + /* Finished parsing the ClientHello, now we can start processing it */ + /* Give the early callback a crack at things */ + if (s->ctx->early_cb != NULL) { + int code; + /* A failure in the early callback terminates the connection. */ + code = s->ctx->early_cb(s, al, s->ctx->early_cb_arg); + if (code == 0) + goto err; + if (code < 0) { + s->rwstate = SSL_EARLY_WORK; + return code; + } + } + + /* Set up the client_random */ + memcpy(s->s3->client_random, clienthello->random, SSL3_RANDOM_SIZE); + + /* Choose the version */ + + if (clienthello->isv2) { + if (clienthello->legacy_version == SSL2_VERSION + || (clienthello->legacy_version & 0xff00) + != (SSL3_VERSION_MAJOR << 8)) { + /* + * This is real SSLv2 or something complete unknown. We don't + * support it. + */ + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); + goto err; + } + /* SSLv3/TLS */ + s->client_version = clienthello->legacy_version; + } + /* + * Do SSL/TLS version negotiation if applicable. For DTLS we just check + * versions are potentially compatible. Version negotiation comes later. + */ + if (!SSL_IS_DTLS(s)) { + protverr = ssl_choose_server_version(s, clienthello); + } else if (s->method->version != DTLS_ANY_VERSION && + DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) { + protverr = SSL_R_VERSION_TOO_LOW; + } else { + protverr = 0; + } + + if (protverr) { + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr); + if (SSL_IS_FIRST_HANDSHAKE(s)) { + /* like ssl3_get_record, send alert using remote version number */ + s->version = s->client_version = clienthello->legacy_version; + } + *al = SSL_AD_PROTOCOL_VERSION; + goto err; } if (SSL_IS_DTLS(s)) { /* Empty cookie was already handled above by returning early. */ if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { if (s->ctx->app_verify_cookie_cb != NULL) { - if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie), - (unsigned int)PACKET_remaining(&cookie)) == 0) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, + if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie, + clienthello->dtls_cookie_len) == 0) { + *al = SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); - goto f_err; + goto err; /* else cookie verification succeeded */ } /* default verification */ - } else if (!PACKET_equal(&cookie, s->d1->cookie, s->d1->cookie_len)) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); - goto f_err; + } else if (s->d1->cookie_len != clienthello->dtls_cookie_len + || memcmp(clienthello->dtls_cookie, s->d1->cookie, + s->d1->cookie_len) != 0) { + *al = SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); + goto err; } s->d1->cookie_verified = 1; } if (s->method->version == DTLS_ANY_VERSION) { - protverr = ssl_choose_server_version(s); + protverr = ssl_choose_server_version(s, clienthello); if (protverr != 0) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr); + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr); s->version = s->client_version; - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + *al = SSL_AD_PROTOCOL_VERSION; + goto err; } } } s->hit = 0; + /* We need to do this before getting the session */ + if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret, + EXT_CLIENT_HELLO, + clienthello->pre_proc_exts, NULL, 0, al)) { + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); + goto err; + } + /* * We don't allow resumption in a backwards compatible ClientHello. * TODO(openssl-team): in TLS1.1+, session_id MUST be empty. @@ -1132,23 +1563,14 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be * ignored. */ - if (is_v2_record || + if (clienthello->isv2 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { if (!ssl_get_new_session(s, 1)) goto err; } else { - i = ssl_get_prev_session(s, &extensions, &session_id); - /* - * Only resume if the session's version matches the negotiated - * version. - * RFC 5246 does not provide much useful advice on resumption - * with a different protocol version. It doesn't forbid it but - * the sanity of such behaviour would be questionable. - * In practice, clients do not accept a version mismatch and - * will abort the handshake with an error. - */ - if (i == 1 && s->version == s->session->ssl_version) { + i = ssl_get_prev_session(s, clienthello, al); + if (i == 1) { /* previous session */ s->hit = 1; } else if (i == -1) { @@ -1160,9 +1582,42 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } } - if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers), - is_v2_record, &al) == NULL) { - goto f_err; + if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites, + clienthello->isv2, al) || + !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs, + clienthello->isv2, al)) { + goto err; + } + + s->s3->send_connection_binding = 0; + /* Check what signalling cipher-suite values were received. */ + if (scsvs != NULL) { + for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) { + c = sk_SSL_CIPHER_value(scsvs, i); + if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) { + if (s->renegotiate) { + /* SCSV is fatal if renegotiating */ + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); + *al = SSL_AD_HANDSHAKE_FAILURE; + goto err; + } + s->s3->send_connection_binding = 1; + } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV && + !ssl_check_version_downgrade(s)) { + /* + * This SCSV indicates that the client previously tried + * a higher version. We should fail if the current version + * is an unexpected downgrade, as that indicates that the first + * connection may have been tampered with in order to trigger + * an insecure downgrade. + */ + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_INAPPROPRIATE_FALLBACK); + *al = SSL_AD_INAPPROPRIATE_FALLBACK; + goto err; + } + } } /* If it is a hit, check that the cipher is in the list */ @@ -1189,32 +1644,35 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * we need to have the cipher in the cipher list if we are asked * to reuse it */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, + *al = SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_REQUIRED_CIPHER_MISSING); - goto f_err; + goto err; } } - complen = PACKET_remaining(&compression); - for (loop = 0; loop < complen; loop++) { - if (PACKET_data(&compression)[loop] == 0) + for (loop = 0; loop < clienthello->compressions_len; loop++) { + if (clienthello->compressions[loop] == 0) break; } - if (loop >= complen) { + if (loop >= clienthello->compressions_len) { /* no compress */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); - goto f_err; + *al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); + goto err; } +#ifndef OPENSSL_NO_EC + if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) + ssl_check_for_safari(s, clienthello); +#endif /* !OPENSSL_NO_EC */ + /* TLS extensions */ - if (s->version >= SSL3_VERSION) { - if (!ssl_parse_clienthello_tlsext(s, &extensions)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); - goto err; - } + if (!tls_parse_all_extensions(s, EXT_CLIENT_HELLO, + clienthello->pre_proc_exts, NULL, 0, al)) { + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); + goto err; } /* @@ -1227,11 +1685,11 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) unsigned char *pos; pos = s->s3->server_random; if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) { - goto f_err; + goto err; } } - if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) { + if (!s->hit && s->version >= TLS1_VERSION && s->ext.session_secret_cb) { const SSL_CIPHER *pref_cipher = NULL; /* * s->session->master_key_length is a size_t, but this is an int for @@ -1240,10 +1698,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) int master_key_length; master_key_length = sizeof(s->session->master_key); - if (s->tls_session_secret_cb(s, s->session->master_key, + if (s->ext.session_secret_cb(s, s->session->master_key, &master_key_length, ciphers, &pref_cipher, - s->tls_session_secret_cb_arg) + s->ext.session_secret_cb_arg) && master_key_length > 0) { s->session->master_key_length = master_key_length; s->hit = 1; @@ -1253,16 +1711,13 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ciphers = NULL; /* check if some cipher was preferred by call back */ - pref_cipher = - pref_cipher ? pref_cipher : ssl3_choose_cipher(s, - s-> - session->ciphers, - SSL_get_ciphers - (s)); + if (pref_cipher == NULL) + pref_cipher = ssl3_choose_cipher(s, s->session->ciphers, + SSL_get_ciphers(s)); if (pref_cipher == NULL) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); - goto f_err; + *al = SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); + goto err; } s->session->cipher = pref_cipher; @@ -1287,9 +1742,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) /* Perform sanity checks on resumed compression algorithm */ /* Can't disable compression */ if (!ssl_allow_compression(s)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION); - goto f_err; + goto err; } /* Look for resumed compression method */ for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) { @@ -1300,20 +1755,20 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } } if (s->s3->tmp.new_compression == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_INVALID_COMPRESSION_ALGORITHM); - goto f_err; + goto err; } /* Look for resumed method in compression list */ - for (k = 0; k < complen; k++) { - if (PACKET_data(&compression)[k] == comp_id) + for (k = 0; k < clienthello->compressions_len; k++) { + if (clienthello->compressions[k] == comp_id) break; } - if (k >= complen) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, + if (k >= clienthello->compressions_len) { + *al = SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); - goto f_err; + goto err; } } else if (s->hit) comp = NULL; @@ -1326,8 +1781,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) for (m = 0; m < nn; m++) { comp = sk_SSL_COMP_value(s->ctx->comp_methods, m); v = comp->id; - for (o = 0; o < complen; o++) { - if (v == PACKET_data(&compression)[o]) { + for (o = 0; o < clienthello->compressions_len; o++) { + if (v == clienthello->compressions[o]) { done = 1; break; } @@ -1346,8 +1801,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * using compression. */ if (s->session->compress_meth != 0) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION); - goto f_err; + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION); + goto err; } #endif @@ -1364,27 +1819,81 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) sk_SSL_CIPHER_free(s->session->ciphers); s->session->ciphers = ciphers; if (ciphers == NULL) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - goto f_err; + *al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + goto err; } ciphers = NULL; if (!tls1_set_server_sigalgs(s)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); goto err; } } - sk_SSL_CIPHER_free(ciphers); - return MSG_PROCESS_CONTINUE_PROCESSING; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - err: - ossl_statem_set_error(s); - - sk_SSL_CIPHER_free(ciphers); - return MSG_PROCESS_ERROR; - + sk_SSL_CIPHER_free(ciphers); + sk_SSL_CIPHER_free(scsvs); + OPENSSL_free(clienthello->pre_proc_exts); + OPENSSL_free(s->clienthello); + s->clienthello = NULL; + return 1; + err: + ossl_statem_set_error(s); + + sk_SSL_CIPHER_free(ciphers); + sk_SSL_CIPHER_free(scsvs); + OPENSSL_free(clienthello->pre_proc_exts); + OPENSSL_free(s->clienthello); + s->clienthello = NULL; + + return 0; +} + +/* + * Call the status request callback if needed. Upon success, returns 1. + * Upon failure, returns 0 and sets |*al| to the appropriate fatal alert. + */ +static int tls_handle_status_request(SSL *s, int *al) +{ + s->ext.status_expected = 0; + + /* + * If status request then ask callback what to do. Note: this must be + * called after servername callbacks in case the certificate has changed, + * and must be called after the cipher has been chosen because this may + * influence which certificate is sent + */ + if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL + && s->ctx->ext.status_cb != NULL) { + int ret; + + /* If no certificate can't return certificate status */ + if (s->s3->tmp.cert != NULL) { + /* + * Set current certificate to one we will use so SSL_get_certificate + * et al can pick it up. + */ + s->cert->key = s->s3->tmp.cert; + ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); + switch (ret) { + /* We don't want to send a status request response */ + case SSL_TLSEXT_ERR_NOACK: + s->ext.status_expected = 0; + break; + /* status request response should be sent */ + case SSL_TLSEXT_ERR_OK: + if (s->ext.ocsp.resp) + s->ext.status_expected = 1; + break; + /* something bad happened */ + case SSL_TLSEXT_ERR_ALERT_FATAL: + default: + *al = SSL_AD_INTERNAL_ERROR; + return 0; + } + } + } + + return 1; } WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) @@ -1393,6 +1902,16 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) const SSL_CIPHER *cipher; if (wst == WORK_MORE_A) { + int rv = tls_early_post_process_client_hello(s, &al); + if (rv == 0) { + /* SSLErr() was already called */ + goto f_err; + } + if (rv < 0) + return WORK_MORE_A; + wst = WORK_MORE_B; + } + if (wst == WORK_MORE_B) { if (!s->hit) { /* Let cert callback update server certificates if required */ if (s->cert->cert_cb) { @@ -1405,7 +1924,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) } if (rv < 0) { s->rwstate = SSL_X509_LOOKUP; - return WORK_MORE_A; + return WORK_MORE_B; } s->rwstate = SSL_NOTHING; } @@ -1418,25 +1937,22 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) goto f_err; } s->s3->tmp.new_cipher = cipher; + if (!tls_choose_sigalg(s, &al)) + goto f_err; /* check whether we should disable session resumption */ if (s->not_resumable_session_cb != NULL) - s->session->not_resumable = s->not_resumable_session_cb(s, - ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0)); + s->session->not_resumable = + s->not_resumable_session_cb(s, ((cipher->algorithm_mkey + & (SSL_kDHE | SSL_kECDHE)) + != 0)); if (s->session->not_resumable) /* do not send a session ticket */ - s->tlsext_ticket_expected = 0; + s->ext.ticket_expected = 0; } else { /* Session-id reuse */ s->s3->tmp.new_cipher = s->session->cipher; } - if (!(s->verify_mode & SSL_VERIFY_PEER)) { - if (!ssl3_digest_cached_records(s, 0)) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - } - /*- * we now have the following setup. * client_random @@ -1449,26 +1965,27 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) * s->s3->tmp.new_cipher- the new cipher to use. */ - /* Handles TLS extensions that we couldn't check earlier */ - if (s->version >= SSL3_VERSION) { - if (!ssl_check_clienthello_tlsext_late(s, &al)) { - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_CLIENTHELLO_TLSEXT); - goto f_err; - } + /* + * Call status_request callback if needed. Has to be done after the + * certificate callbacks etc above. + */ + if (!tls_handle_status_request(s, &al)) { + SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, + SSL_R_CLIENTHELLO_TLSEXT); + goto f_err; } - wst = WORK_MORE_B; + wst = WORK_MORE_C; } #ifndef OPENSSL_NO_SRP - if (wst == WORK_MORE_B) { + if (wst == WORK_MORE_C) { int ret; if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) { /* * callback indicates further work to be done */ s->rwstate = SSL_X509_LOOKUP; - return WORK_MORE_B; + return WORK_MORE_C; } if (ret != SSL_ERROR_NONE) { /* @@ -1478,11 +1995,13 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); + else + SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, + SSL_R_PSK_IDENTITY_NOT_FOUND); goto f_err; } } #endif - s->renegotiate = 2; return WORK_FINISHED_STOP; f_err: @@ -1495,8 +2014,11 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) { int compm, al = SSL_AD_INTERNAL_ERROR; size_t sl, len; + int version; - if (!WPACKET_put_bytes_u16(pkt, s->version) + /* TODO(TLS1.3): Remove the DRAFT conditional before release */ + version = SSL_IS_TLS13(s) ? TLS1_3_VERSION_DRAFT : s->version; + if (!WPACKET_put_bytes_u16(pkt, version) /* * Random stuff. Filling of the server_random takes place in * tls_process_client_hello() @@ -1543,18 +2065,29 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) compm = s->s3->tmp.new_compression->id; #endif - if (!WPACKET_sub_memcpy_u8(pkt, s->session->session_id, sl) + if ((!SSL_IS_TLS13(s) + && !WPACKET_sub_memcpy_u8(pkt, s->session->session_id, sl)) || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len) - || !WPACKET_put_bytes_u8(pkt, compm) - || !ssl_prepare_serverhello_tlsext(s) - || !ssl_add_serverhello_tlsext(s, pkt, &al)) { + || (!SSL_IS_TLS13(s) + && !WPACKET_put_bytes_u8(pkt, compm)) + || !tls_construct_extensions(s, pkt, + SSL_IS_TLS13(s) + ? EXT_TLS1_3_SERVER_HELLO + : EXT_TLS1_2_SERVER_HELLO, + NULL, 0, &al)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); goto err; } + if (!(s->verify_mode & SSL_VERIFY_PEER) + && !ssl3_digest_cached_records(s, 0)) { + al = SSL_AD_INTERNAL_ERROR; + goto err; + } + return 1; err: - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + ssl3_send_alert(s, SSL3_AL_FATAL, al); return 0; } @@ -1579,12 +2112,12 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) size_t encodedlen = 0; int curve_id = 0; #endif - EVP_PKEY *pkey; - const EVP_MD *md = NULL; + const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg; int al = SSL_AD_INTERNAL_ERROR, i; unsigned long type; const BIGNUM *r[4]; EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); + EVP_PKEY_CTX *pctx = NULL; size_t paramlen, paramoffset; if (!WPACKET_get_total_written(pkt, ¶moffset)) { @@ -1682,7 +2215,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } /* Get NID of appropriate shared curve */ - nid = tls1_shared_curve(s, -2); + nid = tls1_shared_group(s, -2); curve_id = tls1_ec_nid2curve_id(nid); if (curve_id == 0) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, @@ -1736,15 +2269,12 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) goto f_err; } - if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) - && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) { - if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md)) - == NULL) { - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - } else { - pkey = NULL; + if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0) + || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) { + lu = NULL; + } else if (lu == NULL) { + al = SSL_AD_DECODE_ERROR; + goto f_err; } #ifndef OPENSSL_NO_PSK @@ -1834,60 +2364,66 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) #endif /* not anonymous */ - if (pkey != NULL) { + if (lu != NULL) { + EVP_PKEY *pkey = s->s3->tmp.cert->privatekey; + const EVP_MD *md = ssl_md(lu->hash_idx); + unsigned char *sigbytes1, *sigbytes2; + size_t siglen; + + if (pkey == NULL || md == NULL) { + /* Should never happen */ + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } /* * n is the length of the params, they start at &(d[4]) and p * points to the space at the end. */ - if (md) { - unsigned char *sigbytes1, *sigbytes2; - unsigned int siglen; - /* Get length of the parameters we have written above */ - if (!WPACKET_get_length(pkt, ¶mlen)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; - } - /* send signature algorithm */ - if (SSL_USE_SIGALGS(s)) { - if (!tls12_get_sigandhash(pkt, pkey, md)) { - /* Should never happen */ - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; - } - } -#ifdef SSL_DEBUG - fprintf(stderr, "Using hash %s\n", EVP_MD_name(md)); -#endif - /* - * Create the signature. We don't know the actual length of the sig - * until after we've created it, so we reserve enough bytes for it - * up front, and then properly allocate them in the WPACKET - * afterwards. - */ - if (!WPACKET_sub_reserve_bytes_u16(pkt, EVP_PKEY_size(pkey), - &sigbytes1) - || EVP_SignInit_ex(md_ctx, md, NULL) <= 0 - || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_SignUpdate(md_ctx, s->init_buf->data + paramoffset, - paramlen) <= 0 - || EVP_SignFinal(md_ctx, sigbytes1, &siglen, pkey) <= 0 - || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2) - || sigbytes1 != sigbytes2) { + /* Get length of the parameters we have written above */ + if (!WPACKET_get_length(pkt, ¶mlen)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } + /* send signature algorithm */ + if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) + return 0; + /* + * Create the signature. We don't know the actual length of the sig + * until after we've created it, so we reserve enough bytes for it + * up front, and then properly allocate them in the WPACKET + * afterwards. + */ + siglen = EVP_PKEY_size(pkey); + if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1) + || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } + if (lu->sig == EVP_PKEY_RSA_PSS) { + if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 + || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + ERR_R_EVP_LIB); goto f_err; } - } else { - /* Is this error check actually needed? */ - al = SSL_AD_HANDSHAKE_FAILURE; + } + if (EVP_DigestSignUpdate(md_ctx, &(s->s3->client_random[0]), + SSL3_RANDOM_SIZE) <= 0 + || EVP_DigestSignUpdate(md_ctx, &(s->s3->server_random[0]), + SSL3_RANDOM_SIZE) <= 0 + || EVP_DigestSignUpdate(md_ctx, + s->init_buf->data + paramoffset, + paramlen) <= 0 + || EVP_DigestSignFinal(md_ctx, sigbytes1, &siglen) <= 0 + || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2) + || sigbytes1 != sigbytes2) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - SSL_R_UNKNOWN_PKEY_TYPE); + ERR_R_INTERNAL_ERROR); goto f_err; } } @@ -1912,17 +2448,27 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) int i; STACK_OF(X509_NAME) *sk = NULL; - /* get the list of acceptable cert types */ - if (!WPACKET_start_sub_packet_u8(pkt) - || !ssl3_get_req_cert_type(s, pkt) - || !WPACKET_close(pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); - goto err; + if (SSL_IS_TLS13(s)) { + /* TODO(TLS1.3) for now send empty request context */ + if (!WPACKET_put_bytes_u8(pkt, 0)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); + goto err; + } + } else { + /* get the list of acceptable cert types */ + if (!WPACKET_start_sub_packet_u8(pkt) + || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); + goto err; + } } if (SSL_USE_SIGALGS(s)) { - const unsigned char *psigs; - size_t nl = tls12_get_psigalgs(s, &psigs); + const uint16_t *psigs; + size_t nl = tls12_get_psigalgs(s, 1, &psigs); + if (!WPACKET_start_sub_packet_u16(pkt) || !tls12_copy_sigalgs(s, pkt, psigs, nl) || !WPACKET_close(pkt)) { @@ -1957,11 +2503,18 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) } } /* else no CA names */ - if (!WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); goto err; } + /* + * TODO(TLS1.3) implement configurable certificate_extensions + * For now just send zero length extensions. + */ + if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u16(pkt, 0)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); + goto err; + } s->s3->tmp.cert_request = 1; @@ -2050,7 +2603,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) unsigned char *rsa_decrypt = NULL; int ret = 0; - rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey); + rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey); if (rsa == NULL) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_MISSING_RSA_CERTIFICATE); @@ -2253,7 +2806,7 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) goto err; } - if (ssl_derive(s, skey, ckey) == 0) { + if (ssl_derive(s, skey, ckey, 1) == 0) { *al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); goto err; @@ -2313,7 +2866,7 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) } } - if (ssl_derive(s, skey, ckey) == 0) { + if (ssl_derive(s, skey, ckey, 1) == 0) { *al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR); goto err; @@ -2555,7 +3108,7 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) sizeof(labelbuffer), NULL, 0, 0) <= 0) { ossl_statem_set_error(s); - return WORK_ERROR;; + return WORK_ERROR; } BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, @@ -2613,162 +3166,6 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) return WORK_FINISHED_CONTINUE; } -MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) -{ - EVP_PKEY *pkey = NULL; - const unsigned char *sig, *data; -#ifndef OPENSSL_NO_GOST - unsigned char *gost_data = NULL; -#endif - int al, ret = MSG_PROCESS_ERROR; - int type = 0, j; - unsigned int len; - X509 *peer; - const EVP_MD *md = NULL; - long hdatalen = 0; - void *hdata; - - EVP_MD_CTX *mctx = EVP_MD_CTX_new(); - - if (mctx == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - - peer = s->session->peer; - pkey = X509_get0_pubkey(peer); - type = X509_certificate_type(peer, pkey); - - if (!(type & EVP_PKT_SIGN)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, - SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); - al = SSL_AD_ILLEGAL_PARAMETER; - goto f_err; - } - - /* Check for broken implementations of GOST ciphersuites */ - /* - * If key is GOST and n is exactly 64, it is bare signature without - * length field (CryptoPro implementations at least till CSP 4.0) - */ -#ifndef OPENSSL_NO_GOST - if (PACKET_remaining(pkt) == 64 - && EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) { - len = 64; - } else -#endif - { - if (SSL_USE_SIGALGS(s)) { - int rv; - - if (!PACKET_get_bytes(pkt, &sig, 2)) { - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - rv = tls12_check_peer_sigalg(&md, s, sig, pkey); - if (rv == -1) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } else if (rv == 0) { - al = SSL_AD_DECODE_ERROR; - goto f_err; - } -#ifdef SSL_DEBUG - fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); -#endif - } else { - /* Use default digest for this key type */ - int idx = ssl_cert_type(NULL, pkey); - if (idx >= 0) - md = s->s3->tmp.md[idx]; - if (md == NULL) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - } - - if (!PACKET_get_net_2(pkt, &len)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - } - j = EVP_PKEY_size(pkey); - if (((int)len > j) || ((int)PACKET_remaining(pkt) > j) - || (PACKET_remaining(pkt) == 0)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - if (!PACKET_get_bytes(pkt, &data, len)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - - hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); - if (hdatalen <= 0) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } -#ifdef SSL_DEBUG - fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md)); -#endif - if (!EVP_VerifyInit_ex(mctx, md, NULL) - || !EVP_VerifyUpdate(mctx, hdata, hdatalen)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } -#ifndef OPENSSL_NO_GOST - { - int pktype = EVP_PKEY_id(pkey); - if (pktype == NID_id_GostR3410_2001 - || pktype == NID_id_GostR3410_2012_256 - || pktype == NID_id_GostR3410_2012_512) { - if ((gost_data = OPENSSL_malloc(len)) == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - BUF_reverse(gost_data, data, len); - data = gost_data; - } - } -#endif - - if (s->version == SSL3_VERSION - && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - (int)s->session->master_key_length, - s->session->master_key)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - - if (EVP_VerifyFinal(mctx, data, len, pkey) <= 0) { - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE); - goto f_err; - } - - ret = MSG_PROCESS_CONTINUE_PROCESSING; - if (0) { - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); - } - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; - EVP_MD_CTX_free(mctx); -#ifndef OPENSSL_NO_GOST - OPENSSL_free(gost_data); -#endif - return ret; -} - MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) { int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR; @@ -2776,22 +3173,25 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) unsigned long l, llen; const unsigned char *certstart, *certbytes; STACK_OF(X509) *sk = NULL; - PACKET spkt; + PACKET spkt, context; + size_t chainidx; if ((sk = sk_X509_new_null()) == NULL) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); goto f_err; } - if (!PACKET_get_net_3(pkt, &llen) - || !PACKET_get_sub_packet(pkt, &spkt, llen) - || PACKET_remaining(pkt) != 0) { + /* TODO(TLS1.3): For now we ignore the context. We need to verify this */ + if ((SSL_IS_TLS13(s) && !PACKET_get_length_prefixed_1(pkt, &context)) + || !PACKET_get_net_3(pkt, &llen) + || !PACKET_get_sub_packet(pkt, &spkt, llen) + || PACKET_remaining(pkt) != 0) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH); goto f_err; } - while (PACKET_remaining(&spkt) > 0) { + for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) { if (!PACKET_get_net_3(&spkt, &l) || !PACKET_get_bytes(&spkt, &certbytes, l)) { al = SSL_AD_DECODE_ERROR; @@ -2812,6 +3212,26 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) SSL_R_CERT_LENGTH_MISMATCH); goto f_err; } + + if (SSL_IS_TLS13(s)) { + RAW_EXTENSION *rawexts = NULL; + PACKET extensions; + + if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_BAD_LENGTH); + goto f_err; + } + if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE, + &rawexts, &al, NULL) + || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE, + rawexts, x, chainidx, &al)) { + OPENSSL_free(rawexts); + goto f_err; + } + OPENSSL_free(rawexts); + } + if (!sk_X509_push(sk, x)) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); goto f_err; @@ -2868,11 +3288,33 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) sk_X509_pop_free(s->session->peer_chain, X509_free); s->session->peer_chain = sk; + + /* + * Freeze the handshake buffer. For cert_verify_hash, + sizeof(s->cert_verify_hash), + &s->cert_verify_hash_len)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); + goto f_err; + } + ret = MSG_PROCESS_CONTINUE_READING; goto done; @@ -2887,16 +3329,22 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) int tls_construct_server_certificate(SSL *s, WPACKET *pkt) { - CERT_PKEY *cpk; + CERT_PKEY *cpk = s->s3->tmp.cert; + int al = SSL_AD_INTERNAL_ERROR; - cpk = ssl_get_server_send_pkey(s); if (cpk == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); return 0; } - if (!ssl3_output_cert_chain(s, pkt, cpk)) { + /* + * In TLSv1.3 the certificate chain is always preceded by a 0 length context + * for the server Certificate message + */ + if ((SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) + || !ssl3_output_cert_chain(s, pkt, cpk, &al)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); + ssl3_send_alert(s, SSL3_AL_FATAL, al); return 0; } @@ -2913,11 +3361,21 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) int len, slen_full, slen, lenfinal; SSL_SESSION *sess; unsigned int hlen; - SSL_CTX *tctx = s->initial_ctx; + SSL_CTX *tctx = s->session_ctx; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char key_name[TLSEXT_KEYNAME_LENGTH]; - int iv_len; + int iv_len, al = SSL_AD_INTERNAL_ERROR; size_t macoffset, macendoffset; + union { + unsigned char age_add_c[sizeof(uint32_t)]; + uint32_t age_add; + } age_add_u; + + if (SSL_IS_TLS13(s)) { + if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) + goto err; + s->session->ext.tick_age_add = age_add_u.age_add; + } /* get session encoding length */ slen_full = i2d_SSL_SESSION(s->session, NULL); @@ -2971,9 +3429,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) * Initialize HMAC and cipher contexts. If callback present it does * all the work otherwise use generated values from parent ctx. */ - if (tctx->tlsext_ticket_key_cb) { + if (tctx->ext.ticket_key_cb) { /* if 0 is returned, write an empty ticket */ - int ret = tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx, + int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx, hctx, 1); if (ret == 0) { @@ -3000,14 +3458,14 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) if (RAND_bytes(iv, iv_len) <= 0) goto err; if (!EVP_EncryptInit_ex(ctx, cipher, NULL, - tctx->tlsext_tick_aes_key, iv)) + tctx->ext.tick_aes_key, iv)) goto err; - if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, - sizeof(tctx->tlsext_tick_hmac_key), + if (!HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key, + sizeof(tctx->ext.tick_hmac_key), EVP_sha256(), NULL)) goto err; - memcpy(key_name, tctx->tlsext_tick_key_name, - sizeof(tctx->tlsext_tick_key_name)); + memcpy(key_name, tctx->ext.tick_key_name, + sizeof(tctx->ext.tick_key_name)); } /* @@ -3016,6 +3474,8 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) * new sessions will live as long as their sessions. */ if (!WPACKET_put_bytes_u32(pkt, s->hit ? 0 : s->session->timeout) + || (SSL_IS_TLS13(s) + && !WPACKET_put_bytes_u32(pkt, age_add_u.age_add)) /* Now the actual ticket data */ || !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_get_total_written(pkt, &macoffset) @@ -3042,7 +3502,11 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) || hlen > EVP_MAX_MD_SIZE || !WPACKET_allocate_bytes(pkt, hlen, &macdata2) || macdata1 != macdata2 - || !WPACKET_close(pkt)) { + || !WPACKET_close(pkt) + || (SSL_IS_TLS13(s) + && !tls_construct_extensions(s, pkt, + EXT_TLS1_3_NEW_SESSION_TICKET, + NULL, 0, &al))) { SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); goto err; } @@ -3059,12 +3523,25 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) return 0; } +/* + * In TLSv1.3 this is called from the extensions code, otherwise it is used to + * create a separate message. Returns 1 on success or 0 on failure. + */ +int tls_construct_cert_status_body(SSL *s, WPACKET *pkt) +{ + if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type) + || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp, + s->ext.ocsp.resp_len)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY, ERR_R_INTERNAL_ERROR); + return 0; + } + + return 1; +} + int tls_construct_cert_status(SSL *s, WPACKET *pkt) { - if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type) - || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp, - s->tlsext_ocsp_resplen)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR); + if (!tls_construct_cert_status_body(s, pkt)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return 0; } @@ -3096,12 +3573,12 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) goto err; } - if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated, &next_proto_len)) { - s->next_proto_negotiated_len = 0; + if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) { + s->ext.npn_len = 0; goto err; } - s->next_proto_negotiated_len = (unsigned char)next_proto_len; + s->ext.npn_len = (unsigned char)next_proto_len; return MSG_PROCESS_CONTINUE_READING; err: @@ -3110,115 +3587,41 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) } #endif -#define SSLV2_CIPHER_LEN 3 - -STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, - PACKET *cipher_suites, - STACK_OF(SSL_CIPHER) **skp, - int sslv2format, int *al) +static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt) { - const SSL_CIPHER *c; - STACK_OF(SSL_CIPHER) *sk; - int n; - /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */ - unsigned char cipher[SSLV2_CIPHER_LEN]; + int al; - s->s3->send_connection_binding = 0; - - n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; - - if (PACKET_remaining(cipher_suites) == 0) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED); - *al = SSL_AD_ILLEGAL_PARAMETER; - return NULL; + if (!tls_construct_extensions(s, pkt, EXT_TLS1_3_ENCRYPTED_EXTENSIONS, + NULL, 0, &al)) { + ssl3_send_alert(s, SSL3_AL_FATAL, al); + SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR); + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return 0; } - if (PACKET_remaining(cipher_suites) % n != 0) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); - *al = SSL_AD_DECODE_ERROR; - return NULL; - } + return 1; +} - if ((skp == NULL) || (*skp == NULL)) { - sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */ - if (sk == NULL) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - *al = SSL_AD_INTERNAL_ERROR; - return NULL; - } - } else { - sk = *skp; - sk_SSL_CIPHER_zero(sk); - } +static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt) +{ + int al = SSL_AD_INTERNAL_ERROR; - if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw, - &s->s3->tmp.ciphers_rawlen)) { - *al = SSL_AD_INTERNAL_ERROR; - goto err; + /* + * TODO(TLS1.3): Remove the DRAFT version before release + * (should be s->version) + */ + if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT) + || !tls_construct_extensions(s, pkt, EXT_TLS1_3_HELLO_RETRY_REQUEST, + NULL, 0, &al)) { + SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR); + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return 0; } - while (PACKET_copy_bytes(cipher_suites, cipher, n)) { - /* - * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the - * first byte set to zero, while true SSLv2 ciphers have a non-zero - * first byte. We don't support any true SSLv2 ciphers, so skip them. - */ - if (sslv2format && cipher[0] != '\0') - continue; - - /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */ - if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && - (cipher[n - 1] == (SSL3_CK_SCSV & 0xff))) { - /* SCSV fatal if renegotiating */ - if (s->renegotiate) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); - *al = SSL_AD_HANDSHAKE_FAILURE; - goto err; - } - s->s3->send_connection_binding = 1; - continue; - } - - /* Check for TLS_FALLBACK_SCSV */ - if ((cipher[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) && - (cipher[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) { - /* - * The SCSV indicates that the client previously tried a higher - * version. Fail if the current version is an unexpected - * downgrade. - */ - if (!ssl_check_version_downgrade(s)) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - SSL_R_INAPPROPRIATE_FALLBACK); - *al = SSL_AD_INAPPROPRIATE_FALLBACK; - goto err; - } - continue; - } - - /* For SSLv2-compat, ignore leading 0-byte. */ - c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher); - if (c != NULL) { - if (!sk_SSL_CIPHER_push(sk, c)) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - *al = SSL_AD_INTERNAL_ERROR; - goto err; - } - } - } - if (PACKET_remaining(cipher_suites) > 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR); - goto err; - } + /* Ditch the session. We'll create a new one next time around */ + SSL_SESSION_free(s->session); + s->session = NULL; + s->hit = 0; - if (skp != NULL) - *skp = sk; - return (sk); - err: - if ((skp == NULL) || (*skp == NULL)) - sk_SSL_CIPHER_free(sk); - return NULL; + return 1; }