X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Ft1_lib.c;h=8d5fd12903c2b83c151c88f2ad88e105742bcf41;hp=4374d6aadd3d5b0804d13d338b27408d8102e8b5;hb=288b4e4f8f97069db63fdca6f6dddcf56282b03d;hpb=22a10c89d7c3f951339c385d57cc8fd23c0a800b diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 4374d6aadd..8d5fd12903 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -232,7 +232,7 @@ typedef struct #define TLS_CURVE_CHAR2 0x1 #define TLS_CURVE_PRIME 0x0 -static tls_curve_info nid_list[] = +static const tls_curve_info nid_list[] = { {NID_sect163k1, 80, TLS_CURVE_CHAR2},/* sect163k1 (1) */ {NID_sect163r1, 80, TLS_CURVE_CHAR2},/* sect163r1 (2) */ @@ -312,7 +312,7 @@ static const unsigned char suiteb_curves[] = int tls1_ec_curve_id2nid(int curve_id) { - /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ + /* ECC curves from RFC 4492 and RFC 7027 */ if ((curve_id < 1) || ((unsigned int)curve_id > sizeof(nid_list)/sizeof(nid_list[0]))) return 0; @@ -321,7 +321,7 @@ int tls1_ec_curve_id2nid(int curve_id) int tls1_ec_nid2curve_id(int nid) { - /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ + /* ECC curves from RFC 4492 and RFC 7027 */ switch (nid) { case NID_sect163k1: /* sect163k1 (1) */ @@ -384,57 +384,86 @@ int tls1_ec_nid2curve_id(int nid) return 0; } } -/* Get curves list, if "sess" is set return client curves otherwise - * preferred list +/* + * Get curves list, if "sess" is set return client curves otherwise + * preferred list. + * Sets |num_curves| to the number of curves in the list, i.e., + * the length of |pcurves| is 2 * num_curves. + * Returns 1 on success and 0 if the client curves list has invalid format. + * The latter indicates an internal error: we should not be accepting such + * lists in the first place. + * TODO(emilia): we should really be storing the curves list in explicitly + * parsed form instead. (However, this would affect binary compatibility + * so cannot happen in the 1.0.x series.) */ -static void tls1_get_curvelist(SSL *s, int sess, +static int tls1_get_curvelist(SSL *s, int sess, const unsigned char **pcurves, - size_t *pcurveslen) + size_t *num_curves) { + size_t pcurveslen = 0; if (sess) { *pcurves = s->session->tlsext_ellipticcurvelist; - *pcurveslen = s->session->tlsext_ellipticcurvelist_length; - return; + pcurveslen = s->session->tlsext_ellipticcurvelist_length; } - /* For Suite B mode only include P-256, P-384 */ - switch (tls1_suiteb(s)) + else { - case SSL_CERT_FLAG_SUITEB_128_LOS: - *pcurves = suiteb_curves; - *pcurveslen = sizeof(suiteb_curves); - break; + /* For Suite B mode only include P-256, P-384 */ + switch (tls1_suiteb(s)) + { + case SSL_CERT_FLAG_SUITEB_128_LOS: + *pcurves = suiteb_curves; + pcurveslen = sizeof(suiteb_curves); + break; - case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: - *pcurves = suiteb_curves; - *pcurveslen = 2; - break; + case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: + *pcurves = suiteb_curves; + pcurveslen = 2; + break; - case SSL_CERT_FLAG_SUITEB_192_LOS: - *pcurves = suiteb_curves + 2; - *pcurveslen = 2; - break; - default: - *pcurves = s->tlsext_ellipticcurvelist; - *pcurveslen = s->tlsext_ellipticcurvelist_length; + case SSL_CERT_FLAG_SUITEB_192_LOS: + *pcurves = suiteb_curves + 2; + pcurveslen = 2; + break; + default: + *pcurves = s->tlsext_ellipticcurvelist; + pcurveslen = s->tlsext_ellipticcurvelist_length; + } + if (!*pcurves) + { + *pcurves = eccurves_default; + pcurveslen = sizeof(eccurves_default); + } + } + + /* We do not allow odd length arrays to enter the system. */ + if (pcurveslen & 1) + { + SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR); + *num_curves = 0; + return 0; } - if (!*pcurves) + else { - *pcurves = eccurves_default; - *pcurveslen = sizeof(eccurves_default); + *num_curves = pcurveslen / 2; + return 1; } } /* See if curve is allowed by security callback */ static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op) { - tls_curve_info *cinfo; + const tls_curve_info *cinfo; if (curve[0]) return 1; if ((curve[1] < 1) || ((size_t)curve[1] > sizeof(nid_list)/sizeof(nid_list[0]))) return 0; cinfo = &nid_list[curve[1]-1]; +#ifdef OPENSSL_NO_EC2M + if (cinfo->flags & TLS_CURVE_CHAR2) + return 0; +#endif return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve); } @@ -442,7 +471,7 @@ static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op) int tls1_check_curve(SSL *s, const unsigned char *p, size_t len) { const unsigned char *curves; - size_t curveslen, i; + size_t num_curves, i; unsigned int suiteb_flags = tls1_suiteb(s); if (len != 3 || p[0] != NAMED_CURVE_TYPE) return 0; @@ -465,8 +494,9 @@ int tls1_check_curve(SSL *s, const unsigned char *p, size_t len) else /* Should never happen */ return 0; } - tls1_get_curvelist(s, 0, &curves, &curveslen); - for (i = 0; i < curveslen; i += 2, curves += 2) + if (!tls1_get_curvelist(s, 0, &curves, &num_curves)) + return 0; + for (i = 0; i < num_curves; i++, curves += 2) { if (p[1] == curves[0] && p[2] == curves[1]) return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK); @@ -474,15 +504,16 @@ int tls1_check_curve(SSL *s, const unsigned char *p, size_t len) return 0; } -/* Return nth shared curve. If nmatch == -1 return number of - * matches. For nmatch == -2 return the NID of the curve to use for - * an EC tmp key. +/* + * Return |nmatch|th shared curve or NID_undef if there is no match. + * For nmatch == -1, return number of matches + * For nmatch == -2, return the NID of the curve to use for + * an EC tmp key, or NID_undef if there is no match. */ - int tls1_shared_curve(SSL *s, int nmatch) { const unsigned char *pref, *supp; - size_t preflen, supplen, i, j; + size_t num_pref, num_supp, i, j; int k; /* Can't do anything on client side */ if (s->server == 0) @@ -506,17 +537,22 @@ int tls1_shared_curve(SSL *s, int nmatch) /* If not Suite B just return first preference shared curve */ nmatch = 0; } - tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), - &supp, &supplen); - tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), - &pref, &preflen); - preflen /= 2; - supplen /= 2; + /* + * Avoid truncation. tls1_get_curvelist takes an int + * but s->options is a long... + */ + if (!tls1_get_curvelist(s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, + &supp, &num_supp)) + /* In practice, NID_undef == 0 but let's be precise. */ + return nmatch == -1 ? 0 : NID_undef; + if(!tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), + &pref, &num_pref)) + return nmatch == -1 ? 0 : NID_undef; k = 0; - for (i = 0; i < preflen; i++, pref+=2) + for (i = 0; i < num_pref; i++, pref+=2) { const unsigned char *tsupp = supp; - for (j = 0; j < supplen; j++, tsupp+=2) + for (j = 0; j < num_supp; j++, tsupp+=2) { if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) { @@ -533,7 +569,8 @@ int tls1_shared_curve(SSL *s, int nmatch) } if (nmatch == -1) return k; - return 0; + /* Out of range (nmatch > k). */ + return NID_undef; } int tls1_set_curves(unsigned char **pext, size_t *pextlen, @@ -671,22 +708,22 @@ static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id, static int tls1_check_ec_key(SSL *s, unsigned char *curve_id, unsigned char *comp_id) { - const unsigned char *p; - size_t plen, i; + const unsigned char *pformats, *pcurves; + size_t num_formats, num_curves, i; int j; /* If point formats extension present check it, otherwise everything * is supported (see RFC4492). */ if (comp_id && s->session->tlsext_ecpointformatlist) { - p = s->session->tlsext_ecpointformatlist; - plen = s->session->tlsext_ecpointformatlist_length; - for (i = 0; i < plen; i++, p++) + pformats = s->session->tlsext_ecpointformatlist; + num_formats = s->session->tlsext_ecpointformatlist_length; + for (i = 0; i < num_formats; i++, pformats++) { - if (*comp_id == *p) + if (*comp_id == *pformats) break; } - if (i == plen) + if (i == num_formats) return 0; } if (!curve_id) @@ -694,13 +731,15 @@ static int tls1_check_ec_key(SSL *s, /* Check curve is consistent with client and server preferences */ for (j = 0; j <= 1; j++) { - tls1_get_curvelist(s, j, &p, &plen); - for (i = 0; i < plen; i+=2, p+=2) + if (!tls1_get_curvelist(s, j, &pcurves, &num_curves)) + return 0; + for (i = 0; i < num_curves; i++, pcurves += 2) { - if (p[0] == curve_id[0] && p[1] == curve_id[1]) + if (pcurves[0] == curve_id[0] && + pcurves[1] == curve_id[1]) break; } - if (i == plen) + if (i == num_curves) return 0; /* For clients can only check sent curve list */ if (!s->server) @@ -710,23 +749,23 @@ static int tls1_check_ec_key(SSL *s, } static void tls1_get_formatlist(SSL *s, const unsigned char **pformats, - size_t *pformatslen) + size_t *num_formats) { /* If we have a custom point format list use it otherwise * use default */ if (s->tlsext_ecpointformatlist) { *pformats = s->tlsext_ecpointformatlist; - *pformatslen = s->tlsext_ecpointformatlist_length; + *num_formats = s->tlsext_ecpointformatlist_length; } else { *pformats = ecformats_default; /* For Suite B we don't support char2 fields */ if (tls1_suiteb(s)) - *pformatslen = sizeof(ecformats_default) - 1; + *num_formats = sizeof(ecformats_default) - 1; else - *pformatslen = sizeof(ecformats_default); + *num_formats = sizeof(ecformats_default); } } @@ -1088,6 +1127,13 @@ void ssl_set_client_disabled(SSL *s) c->mask_k |= SSL_kPSK; } #endif /* OPENSSL_NO_PSK */ +#ifndef OPENSSL_NO_SRP + if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) + { + c->mask_a |= SSL_aSRP; + c->mask_k |= SSL_kSRP; + } +#endif c->valid = 1; } @@ -1136,15 +1182,38 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c } #endif - /* don't add extensions for SSLv3 unless doing secure renegotiation */ - if (s->client_version == SSL3_VERSION - && !s->s3->send_connection_binding) - return orig; - ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */ + /* Add RI if renegotiating */ + if (s->renegotiate) + { + int el; + + if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) + { + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; + } + + if((limit - ret - 4 - el) < 0) return NULL; + + s2n(TLSEXT_TYPE_renegotiate,ret); + s2n(el,ret); + + if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) + { + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; + } + + ret += el; + } + /* Only add RI for SSLv3 */ + if (s->client_version == SSL3_VERSION) + goto done; + if (s->tlsext_hostname != NULL) { /* Add TLS extension servername to the Client Hello message */ @@ -1177,31 +1246,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c ret+=size_str; } - /* Add RI if renegotiating */ - if (s->renegotiate) - { - int el; - - if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) - { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - if((limit - ret - 4 - el) < 0) return NULL; - - s2n(TLSEXT_TYPE_renegotiate,ret); - s2n(el,ret); - - if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) - { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - ret += el; - } - #ifndef OPENSSL_NO_SRP /* Add SRP username if there is one */ if (s->srp_ctx.login != NULL) @@ -1235,34 +1279,36 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c { /* Add TLS extension ECPointFormats to the ClientHello message */ long lenmax; - const unsigned char *plist; - size_t plistlen; + const unsigned char *pcurves, *pformats; + size_t num_curves, num_formats, curves_list_len; size_t i; unsigned char *etmp; - tls1_get_formatlist(s, &plist, &plistlen); + tls1_get_formatlist(s, &pformats, &num_formats); if ((lenmax = limit - ret - 5) < 0) return NULL; - if (plistlen > (size_t)lenmax) return NULL; - if (plistlen > 255) + if (num_formats > (size_t)lenmax) return NULL; + if (num_formats > 255) { SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; } s2n(TLSEXT_TYPE_ec_point_formats,ret); - s2n(plistlen + 1,ret); - *(ret++) = (unsigned char)plistlen ; - memcpy(ret, plist, plistlen); - ret+=plistlen; + /* The point format list has 1-byte length. */ + s2n(num_formats + 1,ret); + *(ret++) = (unsigned char)num_formats ; + memcpy(ret, pformats, num_formats); + ret+=num_formats; /* Add TLS extension EllipticCurves to the ClientHello message */ - plist = s->tlsext_ellipticcurvelist; - tls1_get_curvelist(s, 0, &plist, &plistlen); + pcurves = s->tlsext_ellipticcurvelist; + if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) + return NULL; if ((lenmax = limit - ret - 6) < 0) return NULL; - if (plistlen > (size_t)lenmax) return NULL; - if (plistlen > 65532) + if (num_curves > (size_t)lenmax / 2) return NULL; + if (num_curves > 65532 / 2) { SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; @@ -1272,25 +1318,20 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c s2n(TLSEXT_TYPE_elliptic_curves,ret); etmp = ret + 4; /* Copy curve ID if supported */ - for (i = 0; i < plistlen; i += 2, plist += 2) + for (i = 0; i < num_curves; i++, pcurves += 2) { - if (tls_curve_allowed(s, plist, SSL_SECOP_CURVE_SUPPORTED)) + if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) { - *etmp++ = plist[0]; - *etmp++ = plist[1]; + *etmp++ = pcurves[0]; + *etmp++ = pcurves[1]; } } - plistlen = etmp - ret - 4; + curves_list_len = etmp - ret - 4; - /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for - * elliptic_curve_list, but the examples use two bytes. - * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html - * resolves this to two bytes. - */ - s2n(plistlen + 2, ret); - s2n(plistlen, ret); - ret+=plistlen; + s2n(curves_list_len + 2, ret); + s2n(curves_list_len, ret); + ret += curves_list_len; } #endif /* OPENSSL_NO_EC */ @@ -1455,7 +1496,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c ret += s->alpn_client_proto_list_len; } - if(SSL_get_srtp_profiles(s)) + if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { int el; @@ -1473,40 +1514,10 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c } ret += el; } - + custom_ext_init(&s->cert->cli_ext); /* Add custom TLS Extensions to ClientHello */ - if (s->ctx->custom_cli_ext_records_count) - { - size_t i; - custom_cli_ext_record* record; - - for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++) - { - const unsigned char* out = NULL; - unsigned short outlen = 0; - - record = &s->ctx->custom_cli_ext_records[i]; - /* NULL callback sends empty extension */ - /* -1 from callback omits extension */ - if (record->fn1) - { - int cb_retval = 0; - cb_retval = record->fn1(s, record->ext_type, - &out, &outlen, al, - record->arg); - if (cb_retval == 0) - return NULL; /* error */ - if (cb_retval == -1) - continue; /* skip this extension */ - } - if (limit < ret + 4 + outlen) - return NULL; - s2n(record->ext_type, ret); - s2n(outlen, ret); - memcpy(ret, out, outlen); - ret += outlen; - } - } + if (!custom_ext_add(s, 0, &ret, limit, al)) + return NULL; #ifdef TLSEXT_TYPE_encrypt_then_mac s2n(TLSEXT_TYPE_encrypt_then_mac,ret); s2n(0,ret); @@ -1542,6 +1553,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c } } + done: + if ((extdatalen = ret-orig-2)== 0) return orig; @@ -1554,8 +1567,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c int extdatalen=0; unsigned char *orig = buf; unsigned char *ret = buf; - size_t i; - custom_srv_ext_record *record; #ifndef OPENSSL_NO_NEXTPROTONEG int next_proto_neg_seen; #endif @@ -1565,21 +1576,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c int using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); #endif - /* don't add extensions for SSLv3, unless doing secure renegotiation */ - if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) - return orig; ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */ - if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) - { - if ((long)(limit - ret - 4) < 0) return NULL; - - s2n(TLSEXT_TYPE_server_name,ret); - s2n(0,ret); - } - if(s->s3->send_connection_binding) { int el; @@ -1604,6 +1604,18 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c ret += el; } + /* Only add RI for SSLv3 */ + if (s->version == SSL3_VERSION) + goto done; + + if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) + { + if ((long)(limit - ret - 4) < 0) return NULL; + + s2n(TLSEXT_TYPE_server_name,ret); + s2n(0,ret); + } + #ifndef OPENSSL_NO_EC if (using_ecc) { @@ -1664,7 +1676,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c } #endif - if(s->srtp_profile) + if(SSL_IS_DTLS(s) && s->srtp_profile) { int el; @@ -1739,39 +1751,16 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c } } #endif - - for (i = 0; i < s->ctx->custom_srv_ext_records_count; i++) - { - const unsigned char *out = NULL; - unsigned short outlen = 0; - int cb_retval = 0; - - record = &s->ctx->custom_srv_ext_records[i]; - - /* NULL callback or -1 omits extension */ - if (!record->fn2) - continue; - cb_retval = record->fn2(s, record->ext_type, - &out, &outlen, al, - record->arg); - if (cb_retval == 0) - return NULL; /* error */ - if (cb_retval == -1) - continue; /* skip this extension */ - if (limit < ret + 4 + outlen) - return NULL; - s2n(record->ext_type, ret); - s2n(outlen, ret); - memcpy(ret, out, outlen); - ret += outlen; - } + if (!custom_ext_add(s, 1, &ret, limit, al)) + return NULL; #ifdef TLSEXT_TYPE_encrypt_then_mac if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) { - /* Don't use encrypt_then_mac if AEAD: might want - * to disable for other ciphersuites too. + /* Don't use encrypt_then_mac if AEAD or RC4 + * might want to disable for other cases too. */ - if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD) + if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD + || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4) s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; else { @@ -1796,6 +1785,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c ret += len; } + done: + if ((extdatalen = ret-orig-2)== 0) return orig; @@ -1956,6 +1947,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsign } #endif /* !OPENSSL_NO_EC */ + static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) { unsigned short type; @@ -1963,7 +1955,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char unsigned short len; unsigned char *data = *p; int renegotiate_seen = 0; - size_t i; s->servername_done = 0; s->tlsext_status_type = -1; @@ -1977,14 +1968,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char s->s3->alpn_selected = NULL; } - /* Clear observed custom extensions */ - s->s3->serverinfo_client_tlsext_custom_types_count = 0; - if (s->s3->serverinfo_client_tlsext_custom_types != NULL) - { - OPENSSL_free(s->s3->serverinfo_client_tlsext_custom_types); - s->s3->serverinfo_client_tlsext_custom_types = NULL; - } - #ifndef OPENSSL_NO_HEARTBEATS s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | SSL_TLSEXT_HB_DONT_SEND_REQUESTS); @@ -2001,18 +1984,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char OPENSSL_free(s->cert->peer_sigalgs); s->cert->peer_sigalgs = NULL; } - /* Clear any shared sigtnature algorithms */ - if (s->cert->shared_sigalgs) - { - OPENSSL_free(s->cert->shared_sigalgs); - s->cert->shared_sigalgs = NULL; - } - /* Clear certificate digests and validity flags */ - for (i = 0; i < SSL_PKEY_NUM; i++) - { - s->cert->pkeys[i].digest = NULL; - s->cert->pkeys[i].valid_flags = 0; - } #ifdef TLSEXT_TYPE_encrypt_then_mac s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; @@ -2038,6 +2009,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char if (s->tlsext_debug_cb) s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg); + if (type == TLSEXT_TYPE_renegotiate) + { + if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) + return 0; + renegotiate_seen = 1; + } + else if (s->version == SSL3_VERSION) + {} /* The servername extension is treated as follows: - Only the hostname type is supported with a maximum length of 255. @@ -2061,7 +2040,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char */ - if (type == TLSEXT_TYPE_server_name) + else if (type == TLSEXT_TYPE_server_name) { unsigned char *sdata; int servname_type; @@ -2213,7 +2192,9 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char ellipticcurvelist_length += (*(sdata++)); if (ellipticcurvelist_length != size - 2 || - ellipticcurvelist_length < 1) + ellipticcurvelist_length < 1 || + /* Each NamedCurve is 2 bytes. */ + ellipticcurvelist_length & 1) { *al = TLS1_AD_DECODE_ERROR; return 0; @@ -2282,12 +2263,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char return 0; } } - else if (type == TLSEXT_TYPE_renegotiate) - { - if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) - return 0; - renegotiate_seen = 1; - } else if (type == TLSEXT_TYPE_signature_algorithms) { int dsize; @@ -2303,21 +2278,11 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *al = SSL_AD_DECODE_ERROR; return 0; } - if (!tls1_process_sigalgs(s, data, dsize)) + if (!tls1_save_sigalgs(s, data, dsize)) { *al = SSL_AD_DECODE_ERROR; return 0; } - /* If sigalgs received and no shared algorithms fatal - * error. - */ - if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs) - { - SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, - SSL_R_NO_SHARED_SIGATURE_ALGORITHMS); - *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } } else if (type == TLSEXT_TYPE_status_request) { @@ -2484,36 +2449,28 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char } /* session ticket processed earlier */ - else if (type == TLSEXT_TYPE_use_srtp) + else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) + && type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) return 0; } +#ifdef TLSEXT_TYPE_encrypt_then_mac + else if (type == TLSEXT_TYPE_encrypt_then_mac) + s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; +#endif /* If this ClientHello extension was unhandled and this is * a nonresumed connection, check whether the extension is a * custom TLS Extension (has a custom_srv_ext_record), and if * so call the callback and record the extension number so that * an appropriate ServerHello may be later returned. */ - else if (!s->hit && s->ctx->custom_srv_ext_records_count) + else if (!s->hit) { - custom_srv_ext_record *record; - - for (i=0; i < s->ctx->custom_srv_ext_records_count; i++) - { - record = &s->ctx->custom_srv_ext_records[i]; - if (type == record->ext_type) - { - if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg)) - return 0; - } - } + if (custom_ext_parse(s, 1, type, data, size, al) <= 0) + return 0; } -#ifdef TLSEXT_TYPE_encrypt_then_mac - else if (type == TLSEXT_TYPE_encrypt_then_mac) - s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; -#endif data+=size; } @@ -2532,9 +2489,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); return 0; } - /* If no signature algorithms extension set default values */ - if (!s->cert->peer_sigalgs) - ssl_cert_set_default_md(s->cert); return 1; } @@ -2542,6 +2496,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) { int al = -1; + custom_ext_init(&s->cert->srv_ext); if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) { ssl3_send_alert(s,SSL3_AL_FATAL,al); @@ -2588,6 +2543,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char #ifndef OPENSSL_NO_NEXTPROTONEG s->s3->next_proto_neg_seen = 0; #endif + s->tlsext_ticket_expected = 0; if (s->s3->alpn_selected) { @@ -2626,7 +2582,16 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg); - if (type == TLSEXT_TYPE_server_name) + + if (type == TLSEXT_TYPE_renegotiate) + { + if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) + return 0; + renegotiate_seen = 1; + } + else if (s->version == SSL3_VERSION) + {} + else if (type == TLSEXT_TYPE_server_name) { if (s->tlsext_hostname == NULL || size > 0) { @@ -2647,15 +2612,18 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *al = TLS1_AD_DECODE_ERROR; return 0; } - s->session->tlsext_ecpointformatlist_length = 0; - if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); - if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) + if (!s->hit) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; + s->session->tlsext_ecpointformatlist_length = 0; + if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); + if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } + s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; + memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); } - s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; - memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); sdata = s->session->tlsext_ecpointformatlist; @@ -2805,13 +2773,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char memcpy(s->s3->alpn_selected, data + 3, len); s->s3->alpn_selected_len = len; } - - else if (type == TLSEXT_TYPE_renegotiate) - { - if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) - return 0; - renegotiate_seen = 1; - } #ifndef OPENSSL_NO_HEARTBEATS else if (type == TLSEXT_TYPE_heartbeat) { @@ -2829,39 +2790,26 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char } } #endif - else if (type == TLSEXT_TYPE_use_srtp) + else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_serverhello_use_srtp_ext(s, data, size, al)) return 0; } - /* If this extension type was not otherwise handled, but - * matches a custom_cli_ext_record, then send it to the c - * callback */ - else if (s->ctx->custom_cli_ext_records_count) - { - size_t i; - custom_cli_ext_record* record; - - for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++) - { - record = &s->ctx->custom_cli_ext_records[i]; - if (record->ext_type == type) - { - if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg)) - return 0; - break; - } - } - } #ifdef TLSEXT_TYPE_encrypt_then_mac else if (type == TLSEXT_TYPE_encrypt_then_mac) { /* Ignore if inappropriate ciphersuite */ - if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD) + if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD + && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; } #endif + /* If this extension type was not otherwise handled, but + * matches a custom_cli_ext_record, then send it to the c + * callback */ + else if (custom_ext_parse(s, 0, type, data, size, al) <= 0) + return 0; data += size; } @@ -3058,6 +3006,50 @@ static int ssl_check_clienthello_tlsext_early(SSL *s) } } +int tls1_set_server_sigalgs(SSL *s) + { + int al; + size_t i; + /* Clear any shared sigtnature algorithms */ + if (s->cert->shared_sigalgs) + { + OPENSSL_free(s->cert->shared_sigalgs); + s->cert->shared_sigalgs = NULL; + } + /* Clear certificate digests and validity flags */ + for (i = 0; i < SSL_PKEY_NUM; i++) + { + s->cert->pkeys[i].digest = NULL; + s->cert->pkeys[i].valid_flags = 0; + } + + /* If sigalgs received process it. */ + if (s->cert->peer_sigalgs) + { + if (!tls1_process_sigalgs(s)) + { + SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, + ERR_R_MALLOC_FAILURE); + al = SSL_AD_INTERNAL_ERROR; + goto err; + } + /* Fatal error is no shared signature algorithms */ + if (!s->cert->shared_sigalgs) + { + SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, + SSL_R_NO_SHARED_SIGATURE_ALGORITHMS); + al = SSL_AD_ILLEGAL_PARAMETER; + goto err; + } + } + else + ssl_cert_set_default_md(s->cert); + return 1; + err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return 0; + } + int ssl_check_clienthello_tlsext_late(SSL *s) { int ret = SSL_TLSEXT_ERR_OK; @@ -3444,7 +3436,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, HMAC_Final(&hctx, tick_hmac, NULL); HMAC_CTX_cleanup(&hctx); if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) + { + EVP_CIPHER_CTX_cleanup(&ctx); return 2; + } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); @@ -3604,10 +3599,8 @@ static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg) const EVP_MD *tls12_get_hash(unsigned char hash_alg) { const tls12_hash_info *inf; -#ifndef OPENSSL_FIPS if (hash_alg == TLSEXT_hash_md5 && FIPS_mode()) return NULL; -#endif inf = tls12_get_hash_info(hash_alg); if (!inf || !inf->mfunc) return NULL; @@ -3832,13 +3825,9 @@ static int tls1_set_shared_sigalgs(SSL *s) /* Set preferred digest for each key type */ -int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) +int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize) { - int idx; - size_t i; - const EVP_MD *md; CERT *c = s->cert; - TLS_SIGALGS *sigptr; /* Extension ignored for inappropriate versions */ if (!SSL_USE_SIGALGS(s)) return 1; @@ -3853,8 +3842,18 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) return 0; c->peer_sigalgslen = dsize; memcpy(c->peer_sigalgs, data, dsize); + return 1; + } - tls1_set_shared_sigalgs(s); +int tls1_process_sigalgs(SSL *s) + { + int idx; + size_t i; + const EVP_MD *md; + CERT *c = s->cert; + TLS_SIGALGS *sigptr; + if (!tls1_set_shared_sigalgs(s)) + return 0; #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) @@ -4004,6 +4003,11 @@ tls1_process_heartbeat(SSL *s) * payload, plus padding */ buffer = OPENSSL_malloc(1 + 2 + payload + padding); + if (buffer == NULL) + { + SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT,ERR_R_MALLOC_FAILURE); + return -1; + } bp = buffer; /* Enter response type, length and copy payload */ @@ -4090,6 +4094,11 @@ tls1_heartbeat(SSL *s) * - Padding */ buf = OPENSSL_malloc(1 + 2 + payload + padding); + if (buf == NULL) + { + SSLerr(SSL_F_TLS1_HEARTBEAT,ERR_R_MALLOC_FAILURE); + return -1; + } p = buf; /* Message Type */ *p++ = TLS1_HB_REQUEST; @@ -4332,13 +4341,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, if (check_flags) check_flags |= CERT_PKEY_SUITEB; ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags); - if (ok != X509_V_OK) - { - if (check_flags) - rv |= CERT_PKEY_SUITEB; - else - goto end; - } + if (ok == X509_V_OK) + rv |= CERT_PKEY_SUITEB; + else if (!check_flags) + goto end; } /* Check all signature algorithms are consistent with