X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=a5b3dbbfd51562cf4b2f7ba79552357cd08afae2;hb=4746f25ac62e5bbdc07eedcec9c9a27547577141;hp=9d8bd8b041cc91b0e2007fda11347149029f9684;hpb=8175af50cc208c09f92b30358d30dd86c798b60e;p=openssl.git diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 9d8bd8b041..a5b3dbbfd5 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1,9 +1,9 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html @@ -18,6 +18,7 @@ #include #include "internal/cryptlib.h" +#define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers) #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) #define SSL3_NUM_SCSVS OSSL_NELEM(ssl3_scsvs) @@ -29,6 +30,90 @@ const unsigned char tls12downgrade[] = { 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01 }; +/* The list of available TLSv1.3 ciphers */ +static SSL_CIPHER tls13_ciphers[] = { + { + 1, + TLS1_3_RFC_AES_128_GCM_SHA256, + TLS1_3_RFC_AES_128_GCM_SHA256, + TLS1_3_CK_AES_128_GCM_SHA256, + SSL_kANY, + SSL_aANY, + SSL_AES128GCM, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, + }, { + 1, + TLS1_3_RFC_AES_256_GCM_SHA384, + TLS1_3_RFC_AES_256_GCM_SHA384, + TLS1_3_CK_AES_256_GCM_SHA384, + SSL_kANY, + SSL_aANY, + SSL_AES256GCM, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384, + 256, + 256, + }, +#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) + { + 1, + TLS1_3_RFC_CHACHA20_POLY1305_SHA256, + TLS1_3_RFC_CHACHA20_POLY1305_SHA256, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + SSL_kANY, + SSL_aANY, + SSL_CHACHA20POLY1305, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 256, + 256, + }, +#endif + { + 1, + TLS1_3_RFC_AES_128_CCM_SHA256, + TLS1_3_RFC_AES_128_CCM_SHA256, + TLS1_3_CK_AES_128_CCM_SHA256, + SSL_kANY, + SSL_aANY, + SSL_AES128CCM, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, + }, { + 1, + TLS1_3_RFC_AES_128_CCM_8_SHA256, + TLS1_3_RFC_AES_128_CCM_8_SHA256, + TLS1_3_CK_AES_128_CCM_8_SHA256, + SSL_kANY, + SSL_aANY, + SSL_AES128CCM8, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, + } +}; + /* * The list of available ciphers, mostly organized into the following * groups: @@ -858,88 +943,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, - { - 1, - TLS1_3_TXT_AES_128_GCM_SHA256, - TLS1_3_RFC_AES_128_GCM_SHA256, - TLS1_3_CK_AES_128_GCM_SHA256, - 0, 0, - SSL_AES128GCM, - SSL_AEAD, - TLS1_3_VERSION, TLS1_3_VERSION, - SSL_kANY, - SSL_aANY, - SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256, - 128, - 128, - }, - { - 1, - TLS1_3_TXT_AES_256_GCM_SHA384, - TLS1_3_RFC_AES_256_GCM_SHA384, - TLS1_3_CK_AES_256_GCM_SHA384, - SSL_kANY, - SSL_aANY, - SSL_AES256GCM, - SSL_AEAD, - TLS1_3_VERSION, TLS1_3_VERSION, - 0, 0, - SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA384, - 256, - 256, - }, -#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) - { - 1, - TLS1_3_TXT_CHACHA20_POLY1305_SHA256, - TLS1_3_RFC_CHACHA20_POLY1305_SHA256, - TLS1_3_CK_CHACHA20_POLY1305_SHA256, - SSL_kANY, - SSL_aANY, - SSL_CHACHA20POLY1305, - SSL_AEAD, - TLS1_3_VERSION, TLS1_3_VERSION, - 0, 0, - SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256, - 256, - 256, - }, -#endif - { - 1, - TLS1_3_TXT_AES_128_CCM_SHA256, - TLS1_3_RFC_AES_128_CCM_SHA256, - TLS1_3_CK_AES_128_CCM_SHA256, - SSL_kANY, - SSL_aANY, - SSL_AES128CCM, - SSL_AEAD, - TLS1_3_VERSION, TLS1_3_VERSION, - 0, 0, - SSL_NOT_DEFAULT | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256, - 128, - 128, - }, - { - 1, - TLS1_3_TXT_AES_128_CCM_8_SHA256, - TLS1_3_RFC_AES_128_CCM_8_SHA256, - TLS1_3_CK_AES_128_CCM_8_SHA256, - SSL_kANY, - SSL_aANY, - SSL_AES128CCM8, - SSL_AEAD, - TLS1_3_VERSION, TLS1_3_VERSION, - 0, 0, - SSL_NOT_DEFAULT | SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256, - 128, - 128, - }, { 1, TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, @@ -3207,6 +3210,8 @@ static int cipher_compare(const void *a, const void *b) void ssl_sort_cipher_list(void) { + qsort(tls13_ciphers, TLS13_NUM_CIPHERS, sizeof(tls13_ciphers[0]), + cipher_compare); qsort(ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof(ssl3_ciphers[0]), cipher_compare); qsort(ssl3_scsvs, SSL3_NUM_SCSVS, sizeof(ssl3_scsvs[0]), cipher_compare); @@ -3324,6 +3329,7 @@ void ssl3_free(SSL *s) OPENSSL_free(s->s3->tmp.ciphers_raw); OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); OPENSSL_free(s->s3->tmp.peer_sigalgs); + OPENSSL_free(s->s3->tmp.peer_cert_sigalgs); ssl3_free_digest_list(s); OPENSSL_free(s->s3->alpn_selected); OPENSSL_free(s->s3->alpn_proposed); @@ -3343,6 +3349,7 @@ int ssl3_clear(SSL *s) OPENSSL_free(s->s3->tmp.ciphers_raw); OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); OPENSSL_free(s->s3->tmp.peer_sigalgs); + OPENSSL_free(s->s3->tmp.peer_cert_sigalgs); #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3->tmp.pkey); @@ -3407,7 +3414,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EVP_PKEY *pkdh = NULL; if (dh == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); - return ret; + return 0; } pkdh = ssl_dh_to_pkey(dh); if (pkdh == NULL) { @@ -3418,11 +3425,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EVP_PKEY_security_bits(pkdh), 0, pkdh)) { SSLerr(SSL_F_SSL3_CTRL, SSL_R_DH_KEY_TOO_SMALL); EVP_PKEY_free(pkdh); - return ret; + return 0; } EVP_PKEY_free(s->cert->dh_tmp); s->cert->dh_tmp = pkdh; - ret = 1; + return 1; } break; case SSL_CTRL_SET_TMP_DH_CB: @@ -3459,6 +3466,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: + /* + * TODO(OpenSSL1.2) + * This API is only used for a client to set what SNI it will request + * from the server, but we currently allow it to be used on servers + * as well, which is a programming error. Currently we just clear + * the field in SSL_do_handshake() for server SSLs, but when we can + * make ABI-breaking changes, we may want to make use of this API + * an error on server SSLs. + */ if (larg == TLSEXT_NAMETYPE_host_name) { size_t len; @@ -3665,9 +3681,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *(int *)parg = s->s3->tmp.peer_sigalg->hash; return 1; - case SSL_CTRL_GET_SERVER_TMP_KEY: + case SSL_CTRL_GET_SIGNATURE_NID: + if (s->s3->tmp.sigalg == NULL) + return 0; + *(int *)parg = s->s3->tmp.sigalg->hash; + return 1; + + case SSL_CTRL_GET_PEER_TMP_KEY: #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) - if (s->server || s->session == NULL || s->s3->peer_tmp == NULL) { + if (s->session == NULL || s->s3->peer_tmp == NULL) { return 0; } else { EVP_PKEY_up_ref(s->s3->peer_tmp); @@ -3677,6 +3699,20 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #else return 0; #endif + + case SSL_CTRL_GET_TMP_KEY: +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) + if (s->session == NULL || s->s3->tmp.pkey == NULL) { + return 0; + } else { + EVP_PKEY_up_ref(s->s3->tmp.pkey); + *(EVP_PKEY **)parg = s->s3->tmp.pkey; + return 1; + } +#else + return 0; +#endif + #ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: { @@ -3745,7 +3781,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) EVP_PKEY_security_bits(pkdh), 0, pkdh)) { SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL); EVP_PKEY_free(pkdh); - return 1; + return 0; } EVP_PKEY_free(ctx->cert->dh_tmp); ctx->cert->dh_tmp = pkdh; @@ -3791,8 +3827,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { unsigned char *keys = parg; long tick_keylen = (sizeof(ctx->ext.tick_key_name) + - sizeof(ctx->ext.tick_hmac_key) + - sizeof(ctx->ext.tick_aes_key)); + sizeof(ctx->ext.secure->tick_hmac_key) + + sizeof(ctx->ext.secure->tick_aes_key)); if (keys == NULL) return tick_keylen; if (larg != tick_keylen) { @@ -3802,23 +3838,23 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { memcpy(ctx->ext.tick_key_name, keys, sizeof(ctx->ext.tick_key_name)); - memcpy(ctx->ext.tick_hmac_key, + memcpy(ctx->ext.secure->tick_hmac_key, keys + sizeof(ctx->ext.tick_key_name), - sizeof(ctx->ext.tick_hmac_key)); - memcpy(ctx->ext.tick_aes_key, + sizeof(ctx->ext.secure->tick_hmac_key)); + memcpy(ctx->ext.secure->tick_aes_key, keys + sizeof(ctx->ext.tick_key_name) + - sizeof(ctx->ext.tick_hmac_key), - sizeof(ctx->ext.tick_aes_key)); + sizeof(ctx->ext.secure->tick_hmac_key), + sizeof(ctx->ext.secure->tick_aes_key)); } else { memcpy(keys, ctx->ext.tick_key_name, sizeof(ctx->ext.tick_key_name)); memcpy(keys + sizeof(ctx->ext.tick_key_name), - ctx->ext.tick_hmac_key, - sizeof(ctx->ext.tick_hmac_key)); + ctx->ext.secure->tick_hmac_key, + sizeof(ctx->ext.secure->tick_hmac_key)); memcpy(keys + sizeof(ctx->ext.tick_key_name) + - sizeof(ctx->ext.tick_hmac_key), - ctx->ext.tick_aes_key, - sizeof(ctx->ext.tick_aes_key)); + sizeof(ctx->ext.secure->tick_hmac_key), + ctx->ext.secure->tick_aes_key, + sizeof(ctx->ext.secure->tick_aes_key)); } return 1; } @@ -4025,6 +4061,9 @@ const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id) const SSL_CIPHER *cp; c.id = id; + cp = OBJ_bsearch_ssl_cipher_id(&c, tls13_ciphers, TLS13_NUM_CIPHERS); + if (cp != NULL) + return cp; cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); if (cp != NULL) return cp; @@ -4033,17 +4072,19 @@ const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id) const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname) { - SSL_CIPHER *c = NULL; - SSL_CIPHER *tbl = ssl3_ciphers; - size_t i; + SSL_CIPHER *c = NULL, *tbl; + SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers}; + size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS}; /* this is not efficient, necessary to optimize this? */ - for (i = 0; i < SSL3_NUM_CIPHERS; i++, tbl++) { - if (tbl->stdname == NULL) - continue; - if (strcmp(stdname, tbl->stdname) == 0) { - c = tbl; - break; + for (j = 0; j < OSSL_NELEM(alltabs); j++) { + for (i = 0, tbl = alltabs[j]; i < tblsize[j]; i++, tbl++) { + if (tbl->stdname == NULL) + continue; + if (strcmp(stdname, tbl->stdname) == 0) { + c = tbl; + break; + } } } if (c == NULL) { @@ -4096,8 +4137,9 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, { const SSL_CIPHER *c, *ret = NULL; STACK_OF(SSL_CIPHER) *prio, *allow; - int i, ii, ok; + int i, ii, ok, prefer_sha256 = 0; unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0; + const EVP_MD *mdsha256 = EVP_sha256(); #ifndef OPENSSL_NO_CHACHA STACK_OF(SSL_CIPHER) *prio_chacha = NULL; #endif @@ -4178,7 +4220,26 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, allow = srvr; } - if (!SSL_IS_TLS13(s)) { + if (SSL_IS_TLS13(s)) { +#ifndef OPENSSL_NO_PSK + int j; + + /* + * If we allow "old" style PSK callbacks, and we have no certificate (so + * we're not going to succeed without a PSK anyway), and we're in + * TLSv1.3 then the default hash for a PSK is SHA-256 (as per the + * TLSv1.3 spec). Therefore we should prioritise ciphersuites using + * that. + */ + if (s->psk_server_callback != NULL) { + for (j = 0; j < SSL_PKEY_NUM && !ssl_has_cert(s, j); j++); + if (j == SSL_PKEY_NUM) { + /* There are no certificates */ + prefer_sha256 = 1; + } + } +#endif + } else { tls1_set_cert_validity(s); ssl_set_masks(s); } @@ -4250,6 +4311,17 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, continue; } #endif + if (prefer_sha256) { + const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii); + + if (ssl_md(tmp->algorithm2) == mdsha256) { + ret = tmp; + break; + } + if (ret == NULL) + ret = tmp; + continue; + } ret = sk_SSL_CIPHER_value(allow, ii); break; } @@ -4512,12 +4584,12 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, unsigned char *p = result; l2n(Time, p); - ret = ssl_randbytes(s, p, len - 4); + ret = RAND_bytes(p, len - 4); } else { - ret = ssl_randbytes(s, result, len); + ret = RAND_bytes(result, len); } -#ifndef OPENSSL_NO_TLS13DOWNGRADE - if (ret) { + + if (ret > 0) { if (!ossl_assert(sizeof(tls11downgrade) < len) || !ossl_assert(sizeof(tls12downgrade) < len)) return 0; @@ -4528,7 +4600,7 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, memcpy(result + len - sizeof(tls11downgrade), tls11downgrade, sizeof(tls11downgrade)); } -#endif + return ret; } @@ -4569,6 +4641,7 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, if (!s->method->ssl3_enc->generate_master_secret(s, s->session->master_key,pskpms, pskpmslen, &s->session->master_key_length)) { + OPENSSL_clear_free(pskpms, pskpmslen); /* SSLfatal() already called */ goto err; }