PR: 1833

[openssl.git] / ssl / s3_clnt.c

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 8f96120d2e963b5719b8b650dde16834fed9933b..99b2f492842c72bf22c5b1ed4920867f93ea4adc 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -166,9 +166,6 @@
 
 static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
-#ifndef OPENSSL_NO_TLSEXT
-static int ssl3_check_finished(SSL *s);
-#endif
 
 static const SSL_METHOD *ssl3_get_client_method(int ver)
        {
@@ -187,10 +184,9 @@ int ssl3_connect(SSL *s)
        {
        BUF_MEM *buf=NULL;
        unsigned long Time=(unsigned long)time(NULL);
-       long num1;
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
        int ret= -1;
-       int new_state,state,skip=0;;
+       int new_state,state,skip=0;
 
        RAND_add(&Time,sizeof(Time),0);
        ERR_clear_error();
@@ -211,7 +207,7 @@ int ssl3_connect(SSL *s)
                switch(s->state)
                        {
                case SSL_ST_RENEGOTIATE:
-                       s->new_session=1;
+                       s->renegotiate=1;
                        s->state=SSL_ST_CONNECT;
                        s->ctx->stats.sess_connect_renegotiate++;
                        /* break */
@@ -404,6 +400,11 @@ int ssl3_connect(SSL *s)
                                s->state=SSL3_ST_CW_CHANGE_A;
                                s->s3->change_cipher_spec=0;
                                }
+                       if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
+                               {
+                               s->state=SSL3_ST_CW_CHANGE_A;
+                               s->s3->change_cipher_spec=0;
+                               }
 
                        s->init_num=0;
                        break;
@@ -518,16 +519,13 @@ int ssl3_connect(SSL *s)
                        break;
 
                case SSL3_ST_CW_FLUSH:
-                       /* number of bytes to be flushed */
-                       num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
-                       if (num1 > 0)
+                       s->rwstate=SSL_WRITING;
+                       if (BIO_flush(s->wbio) <= 0)
                                {
-                               s->rwstate=SSL_WRITING;
-                               num1=BIO_flush(s->wbio);
-                               if (num1 <= 0) { ret= -1; goto end; }
-                               s->rwstate=SSL_NOTHING;
+                               ret= -1;
+                               goto end;
                                }
-
+                       s->rwstate=SSL_NOTHING;
                        s->state=s->s3->tmp.next_state;
                        break;
 
@@ -548,6 +546,7 @@ int ssl3_connect(SSL *s)
                        /* else do it later in ssl3_write */
 
                        s->init_num=0;
+                       s->renegotiate=0;
                        s->new_session=0;
 
                        ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
@@ -613,9 +612,15 @@ int ssl3_client_hello(SSL *s)
        buf=(unsigned char *)s->init_buf->data;
        if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
                {
-               if ((s->session == NULL) ||
-                       (s->session->ssl_version != s->version) ||
-                       (s->session->not_resumable))
+               SSL_SESSION *sess = s->session;
+               if ((sess == NULL) ||
+                       (sess->ssl_version != s->version) ||
+#ifdef OPENSSL_NO_TLSEXT
+                       !sess->session_id_length ||
+#else
+                       (!sess->session_id_length && !sess->tlsext_tick) ||
+#endif
+                       (sess->not_resumable))
                        {
                        if (!ssl_get_new_session(s,0))
                                goto err;
@@ -719,7 +724,7 @@ err:
 int ssl3_get_server_hello(SSL *s)
        {
        STACK_OF(SSL_CIPHER) *sk;
-       SSL_CIPHER *c;
+       const SSL_CIPHER *c;
        unsigned char *p,*d;
        int i,al,ok;
        unsigned int j;
@@ -737,7 +742,7 @@ int ssl3_get_server_hello(SSL *s)
 
        if (!ok) return((int)n);
 
-       if ( SSL_version(s) == DTLS1_VERSION)
+       if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
                {
                if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
                        {
@@ -788,6 +793,23 @@ int ssl3_get_server_hello(SSL *s)
                goto f_err;
                }
 
+#ifndef OPENSSL_NO_TLSEXT
+       /* check if we want to resume the session based on external pre-shared secret */
+       if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
+               {
+               SSL_CIPHER *pref_cipher=NULL;
+               s->session->master_key_length=sizeof(s->session->master_key);
+               if (s->tls_session_secret_cb(s, s->session->master_key,
+                                            &s->session->master_key_length,
+                                            NULL, &pref_cipher,
+                                            s->tls_session_secret_cb_arg))
+                       {
+                       s->session->cipher = pref_cipher ?
+                               pref_cipher : ssl_get_cipher_by_char(s, p+j);
+                       }
+               }
+#endif /* OPENSSL_NO_TLSEXT */
+
        if (j != 0 && j == s->session->session_id_length
            && memcmp(p,s->session->session_id,j) == 0)
            {
@@ -854,7 +876,8 @@ int ssl3_get_server_hello(SSL *s)
                        }
                }
        s->s3->tmp.new_cipher=c;
-       ssl3_digest_cached_records(s);
+       if (!ssl3_digest_cached_records(s))
+               goto f_err;
 
        /* lets get the compression algorithm */
        /* COMPRESSION */
@@ -865,10 +888,31 @@ int ssl3_get_server_hello(SSL *s)
                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
                goto f_err;
                }
+       /* If compression is disabled we'd better not try to resume a session
+        * using compression.
+        */
+       if (s->session->compress_meth != 0)
+               {
+               al=SSL_AD_INTERNAL_ERROR;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
+               goto f_err;
+               }
 #else
        j= *(p++);
-       if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION))
+       if (s->hit && j != s->session->compress_meth)
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
+               goto f_err;
+               }
+       if (j == 0)
                comp=NULL;
+       else if (s->options & SSL_OP_NO_COMPRESSION)
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED);
+               goto f_err;
+               }
        else
                comp=ssl3_comp_find(s->ctx->comp_methods,j);
        
@@ -886,7 +930,7 @@ int ssl3_get_server_hello(SSL *s)
 
 #ifndef OPENSSL_NO_TLSEXT
        /* TLS extensions*/
-       if (s->version > SSL3_VERSION)
+       if (s->version >= SSL3_VERSION)
                {
                if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
                        {
@@ -938,7 +982,9 @@ int ssl3_get_server_certificate(SSL *s)
 
        if (!ok) return((int)n);
 
-       if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
+       if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
+               ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) && 
+               (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
                {
                s->s3->tmp.reuse_message=1;
                return(1);
@@ -1000,7 +1046,7 @@ int ssl3_get_server_certificate(SSL *s)
                }
 
        i=ssl_verify_cert_chain(s,sk);
-       if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
+       if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
 #ifndef OPENSSL_NO_KRB5
            && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
                 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
@@ -1536,7 +1582,7 @@ int ssl3_get_key_exchange(SSL *s)
                        EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
                        EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
                        EVP_VerifyUpdate(&md_ctx,param,param_len);
-                       if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
+                       if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
                                {
                                /* bad signature */
                                al=SSL_AD_DECRYPT_ERROR;
@@ -1554,7 +1600,7 @@ int ssl3_get_key_exchange(SSL *s)
                        EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
                        EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
                        EVP_VerifyUpdate(&md_ctx,param,param_len);
-                       if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
+                       if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
                                {
                                /* bad signature */
                                al=SSL_AD_DECRYPT_ERROR;
@@ -1792,6 +1838,7 @@ int ssl3_get_new_session_ticket(SSL *s)
                SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
                goto f_err;
                }
+
        p=d=(unsigned char *)s->init_msg;
        n2l(p, s->session->tlsext_tick_lifetime_hint);
        n2s(p, ticklen);
@@ -1815,7 +1862,28 @@ int ssl3_get_new_session_ticket(SSL *s)
                }
        memcpy(s->session->tlsext_tick, p, ticklen);
        s->session->tlsext_ticklen = ticklen;
-       
+       /* There are two ways to detect a resumed ticket sesion.
+        * One is to set an appropriate session ID and then the server
+        * must return a match in ServerHello. This allows the normal
+        * client session ID matching to work and we know much 
+        * earlier that the ticket has been accepted.
+        * 
+        * The other way is to set zero length session ID when the
+        * ticket is presented and rely on the handshake to determine
+        * session resumption.
+        *
+        * We choose the former approach because this fits in with
+        * assumptions elsewhere in OpenSSL. The session ID is set
+        * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
+        * ticket.
+        */ 
+       EVP_Digest(p, ticklen,
+                       s->session->session_id, &s->session->session_id_length,
+#ifndef OPENSSL_NO_SHA256
+                                                       EVP_sha256(), NULL);
+#else
+                                                       EVP_sha1(), NULL);
+#endif
        ret=1;
        return(ret);
 f_err:
@@ -2016,7 +2084,7 @@ int ssl3_send_client_key_exchange(SSL *s)
                        krb5_data       *enc_ticket;
                        krb5_data       authenticator, *authp = NULL;
                        EVP_CIPHER_CTX  ciph_ctx;
-                       EVP_CIPHER      *enc = NULL;
+                       const EVP_CIPHER *enc = NULL;
                        unsigned char   iv[EVP_MAX_IV_LENGTH];
                        unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
                        unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH 
@@ -2119,7 +2187,7 @@ int ssl3_send_client_key_exchange(SSL *s)
                                sizeof tmp_buf);
                        EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
                        outl += padl;
-                       if (outl > sizeof epms)
+                       if (outl > (int)sizeof epms)
                                {
                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
                                goto err;
@@ -2398,7 +2466,7 @@ int ssl3_send_client_key_exchange(SSL *s)
                        size_t msglen;
                        unsigned int md_len;
                        int keytype;
-                       unsigned char premaster_secret[32],shared_ukm[32];
+                       unsigned char premaster_secret[32],shared_ukm[32], tmp[256];
                        EVP_MD_CTX *ukm_hash;
                        EVP_PKEY *pub_key;
 
@@ -2424,16 +2492,13 @@ int ssl3_send_client_key_exchange(SSL *s)
                          /* Generate session key */    
                    RAND_bytes(premaster_secret,32);
                        /* If we have client certificate, use its secret as peer key */
-                       if (s->cert->key->privatekey) {
-                               if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <0) {
+                       if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
+                               if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) {
                                        /* If there was an error - just ignore it. Ephemeral key
                                        * would be used
                                        */
                                        ERR_clear_error();
-                               } else {
-                                       /* Set flag "client cert key is used for key
-                                        * exchange"*/
-                               }       
+                               }
                        }                       
                        /* Compute shared IV and store it in algorithm-specific
                         * context data */
@@ -2452,15 +2517,30 @@ int ssl3_send_client_key_exchange(SSL *s)
                        /* Make GOST keytransport blob message */
                        /*Encapsulate it into sequence */
                        *(p++)=V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
-                       *(p++)=0x81;
-                       msglen=256;
-                       if (EVP_PKEY_encrypt(pkey_ctx,(unsigned char *)p+1,&msglen,premaster_secret,32)<0) {
+                       msglen=255;
+                       if (EVP_PKEY_encrypt(pkey_ctx,tmp,&msglen,premaster_secret,32)<0) {
                        SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
                                        SSL_R_LIBRARY_BUG);
                                goto err;
-                       }       
-                       *(p++)= msglen & 0xff;
-                       n=msglen+3;
+                       }
+                       if (msglen >= 0x80)
+                               {
+                               *(p++)=0x81;
+                               *(p++)= msglen & 0xff;
+                               n=msglen+3;
+                               }
+                       else
+                               {
+                               *(p++)= msglen & 0xff;
+                               n=msglen+2;
+                               }
+                       memcpy(p, tmp, msglen);
+                       /* Check if pubkey from client certificate was used */
+                       if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
+                               {
+                               /* Set flag "skip certificate verify" */
+                               s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
+                               }
                        EVP_PKEY_CTX_free(pkey_ctx);
                        s->session->master_key_length=
                                s->method->ssl3_enc->generate_master_secret(s,
@@ -2591,9 +2671,7 @@ int ssl3_send_client_verify(SSL *s)
        unsigned u=0;
 #endif
        unsigned long n;
-#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
        int j;
-#endif
 
        if (s->state == SSL3_ST_CW_CERT_VRFY_A)
                {
@@ -2672,7 +2750,7 @@ int ssl3_send_client_verify(SSL *s)
                s->method->ssl3_enc->cert_verify_mac(s,
                        NID_id_GostR3411_94,
                        data);
-               if (!EVP_PKEY_sign(pctx,signbuf,&sigsize,data,32)) {
+               if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
                        SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
                        ERR_R_INTERNAL_ERROR);
                        goto err;
@@ -2793,13 +2871,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
        DH *dh;
 #endif
 
-       sc=s->session->sess_cert;
-       if (sc == NULL)
-               {
-               SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
-               goto err;
-               }
-
        alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
        alg_a=s->s3->tmp.new_cipher->algorithm_auth;
 
@@ -2807,6 +2878,13 @@ int ssl3_check_cert_and_algorithm(SSL *s)
        if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
                return(1);
 
+       sc=s->session->sess_cert;
+       if (sc == NULL)
+               {
+               SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
+               goto err;
+               }
+
 #ifndef OPENSSL_NO_RSA
        rsa=s->session->sess_cert->peer_rsa_tmp;
 #endif
@@ -2923,15 +3001,12 @@ err:
  */
 
 #ifndef OPENSSL_NO_TLSEXT
-static int ssl3_check_finished(SSL *s)
+int ssl3_check_finished(SSL *s)
        {
        int ok;
        long n;
-       /* If we have no ticket or session ID is non-zero length (a match of
-        * a non-zero session length would never reach here) it cannot be a
-        * resumed session.
-        */
-       if (!s->session->tlsext_tick || s->session->session_id_length)
+       /* If we have no ticket it cannot be a resumed session. */
+       if (!s->session->tlsext_tick)
                return 1;
        /* this function is called when we really expect a Certificate
         * message, so permit appropriate message length */
@@ -2959,7 +3034,7 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
                {
                i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
                                                SSL_get_client_CA_list(s),
-                                               px509, ppkey, NULL, NULL);
+                                               px509, ppkey, NULL, NULL, NULL);
                if (i != 0)
                        return i;
                }