* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
#include <openssl/md5.h>
#include <openssl/dh.h>
#include <openssl/rand.h>
+#include <openssl/trace.h>
#include "internal/cryptlib.h"
#define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers)
TLS1_3_RFC_AES_128_GCM_SHA256,
TLS1_3_RFC_AES_128_GCM_SHA256,
TLS1_3_CK_AES_128_GCM_SHA256,
- 0, 0,
+ SSL_kANY,
+ SSL_aANY,
SSL_AES128GCM,
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
- SSL_kANY,
- SSL_aANY,
+ 0, 0,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256,
128,
int ssl3_new(SSL *s)
{
- SSL3_STATE *s3;
-
- if ((s3 = OPENSSL_zalloc(sizeof(*s3))) == NULL)
- goto err;
- s->s3 = s3;
-
#ifndef OPENSSL_NO_SRP
if (!SSL_SRP_CTX_init(s))
- goto err;
+ return 0;
#endif
if (!s->method->ssl_clear(s))
return 0;
return 1;
- err:
- return 0;
}
void ssl3_free(SSL *s)
{
- if (s == NULL || s->s3 == NULL)
+ if (s == NULL)
return;
ssl3_cleanup_key_block(s);
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
- EVP_PKEY_free(s->s3->peer_tmp);
- s->s3->peer_tmp = NULL;
- EVP_PKEY_free(s->s3->tmp.pkey);
- s->s3->tmp.pkey = NULL;
+ EVP_PKEY_free(s->s3.peer_tmp);
+ s->s3.peer_tmp = NULL;
+ EVP_PKEY_free(s->s3.tmp.pkey);
+ s->s3.tmp.pkey = NULL;
#endif
- OPENSSL_free(s->s3->tmp.ctype);
- sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
- OPENSSL_free(s->s3->tmp.ciphers_raw);
- OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
- OPENSSL_free(s->s3->tmp.peer_sigalgs);
- OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
+ OPENSSL_free(s->s3.tmp.ctype);
+ sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
+ OPENSSL_free(s->s3.tmp.ciphers_raw);
+ OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen);
+ OPENSSL_free(s->s3.tmp.peer_sigalgs);
+ OPENSSL_free(s->s3.tmp.peer_cert_sigalgs);
ssl3_free_digest_list(s);
- OPENSSL_free(s->s3->alpn_selected);
- OPENSSL_free(s->s3->alpn_proposed);
+ OPENSSL_free(s->s3.alpn_selected);
+ OPENSSL_free(s->s3.alpn_proposed);
#ifndef OPENSSL_NO_SRP
SSL_SRP_CTX_free(s);
#endif
- OPENSSL_clear_free(s->s3, sizeof(*s->s3));
- s->s3 = NULL;
+ memset(&s->s3, 0, sizeof(s->s3));
}
int ssl3_clear(SSL *s)
{
ssl3_cleanup_key_block(s);
- OPENSSL_free(s->s3->tmp.ctype);
- sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
- OPENSSL_free(s->s3->tmp.ciphers_raw);
- OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
- OPENSSL_free(s->s3->tmp.peer_sigalgs);
- OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
+ OPENSSL_free(s->s3.tmp.ctype);
+ sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
+ OPENSSL_free(s->s3.tmp.ciphers_raw);
+ OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen);
+ OPENSSL_free(s->s3.tmp.peer_sigalgs);
+ OPENSSL_free(s->s3.tmp.peer_cert_sigalgs);
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
- EVP_PKEY_free(s->s3->tmp.pkey);
- EVP_PKEY_free(s->s3->peer_tmp);
+ EVP_PKEY_free(s->s3.tmp.pkey);
+ EVP_PKEY_free(s->s3.peer_tmp);
#endif /* !OPENSSL_NO_EC */
ssl3_free_digest_list(s);
- OPENSSL_free(s->s3->alpn_selected);
- OPENSSL_free(s->s3->alpn_proposed);
+ OPENSSL_free(s->s3.alpn_selected);
+ OPENSSL_free(s->s3.alpn_proposed);
/* NULL/zero-out everything in the s3 struct */
- memset(s->s3, 0, sizeof(*s->s3));
+ memset(&s->s3, 0, sizeof(s->s3));
if (!ssl_free_wbio_buffer(s))
return 0;
case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
break;
case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
- ret = s->s3->num_renegotiations;
+ ret = s->s3.num_renegotiations;
break;
case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
- ret = s->s3->num_renegotiations;
- s->s3->num_renegotiations = 0;
+ ret = s->s3.num_renegotiations;
+ s->s3.num_renegotiations = 0;
break;
case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
- ret = s->s3->total_renegotiations;
+ ret = s->s3.total_renegotiations;
break;
case SSL_CTRL_GET_FLAGS:
- ret = (int)(s->s3->flags);
+ ret = (int)(s->s3.flags);
break;
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
EVP_PKEY *pkdh = NULL;
if (dh == NULL) {
SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
- return ret;
+ return 0;
}
pkdh = ssl_dh_to_pkey(dh);
if (pkdh == NULL) {
EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
SSLerr(SSL_F_SSL3_CTRL, SSL_R_DH_KEY_TOO_SMALL);
EVP_PKEY_free(pkdh);
- return ret;
+ return 0;
}
EVP_PKEY_free(s->cert->dh_tmp);
s->cert->dh_tmp = pkdh;
- ret = 1;
+ return 1;
}
break;
case SSL_CTRL_SET_TMP_DH_CB:
break;
#endif /* !OPENSSL_NO_EC */
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
+ /*
+ * TODO(OpenSSL1.2)
+ * This API is only used for a client to set what SNI it will request
+ * from the server, but we currently allow it to be used on servers
+ * as well, which is a programming error. Currently we just clear
+ * the field in SSL_do_handshake() for server SSLs, but when we can
+ * make ABI-breaking changes, we may want to make use of this API
+ * an error on server SSLs.
+ */
if (larg == TLSEXT_NAMETYPE_host_name) {
size_t len;
ret = 1;
break;
-#ifndef OPENSSL_NO_HEARTBEATS
- case SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT:
- case SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING:
- case SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS:
- break;
-#endif
-
case SSL_CTRL_CHAIN:
if (larg)
return ssl_cert_set1_chain(s, NULL, (STACK_OF(X509) *)parg);
const SSL_CIPHER *cipher;
if (!s->server)
return 0;
- cipher = s->s3->tmp.new_cipher;
+ cipher = s->s3.tmp.new_cipher;
if (cipher == NULL)
return 0;
/*
*/
if (cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
return 2;
- if (s->s3->tmp.cert == NULL)
+ if (s->s3.tmp.cert == NULL)
return 0;
- s->cert->key = s->s3->tmp.cert;
+ s->cert->key = s->s3.tmp.cert;
return 1;
}
return ssl_cert_set_current(s->cert, larg);
case SSL_CTRL_GET_CLIENT_CERT_TYPES:
{
const unsigned char **pctype = parg;
- if (s->server || !s->s3->tmp.cert_req)
+ if (s->server || !s->s3.tmp.cert_req)
return 0;
if (pctype)
- *pctype = s->s3->tmp.ctype;
- return s->s3->tmp.ctype_len;
+ *pctype = s->s3.tmp.ctype;
+ return s->s3.tmp.ctype_len;
}
case SSL_CTRL_SET_CLIENT_CERT_TYPES:
return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
case SSL_CTRL_GET_PEER_SIGNATURE_NID:
- if (s->s3->tmp.peer_sigalg == NULL)
+ if (s->s3.tmp.peer_sigalg == NULL)
return 0;
- *(int *)parg = s->s3->tmp.peer_sigalg->hash;
+ *(int *)parg = s->s3.tmp.peer_sigalg->hash;
return 1;
- case SSL_CTRL_GET_SERVER_TMP_KEY:
+ case SSL_CTRL_GET_SIGNATURE_NID:
+ if (s->s3.tmp.sigalg == NULL)
+ return 0;
+ *(int *)parg = s->s3.tmp.sigalg->hash;
+ return 1;
+
+ case SSL_CTRL_GET_PEER_TMP_KEY:
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
+ if (s->session == NULL || s->s3.peer_tmp == NULL) {
+ return 0;
+ } else {
+ EVP_PKEY_up_ref(s->s3.peer_tmp);
+ *(EVP_PKEY **)parg = s->s3.peer_tmp;
+ return 1;
+ }
+#else
+ return 0;
+#endif
+
+ case SSL_CTRL_GET_TMP_KEY:
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
- if (s->server || s->session == NULL || s->s3->peer_tmp == NULL) {
+ if (s->session == NULL || s->s3.tmp.pkey == NULL) {
return 0;
} else {
- EVP_PKEY_up_ref(s->s3->peer_tmp);
- *(EVP_PKEY **)parg = s->s3->peer_tmp;
+ EVP_PKEY_up_ref(s->s3.tmp.pkey);
+ *(EVP_PKEY **)parg = s->s3.tmp.pkey;
return 1;
}
#else
return 0;
#endif
+
#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_EC_POINT_FORMATS:
{
EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL);
EVP_PKEY_free(pkdh);
- return 1;
+ return 0;
}
EVP_PKEY_free(ctx->cert->dh_tmp);
ctx->cert->dh_tmp = pkdh;
{
const SSL_CIPHER *c, *ret = NULL;
STACK_OF(SSL_CIPHER) *prio, *allow;
- int i, ii, ok;
+ int i, ii, ok, prefer_sha256 = 0;
unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
+ const EVP_MD *mdsha256 = EVP_sha256();
#ifndef OPENSSL_NO_CHACHA
STACK_OF(SSL_CIPHER) *prio_chacha = NULL;
#endif
* pay with the price of sk_SSL_CIPHER_dup().
*/
-#ifdef CIPHER_DEBUG
- fprintf(stderr, "Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr),
- (void *)srvr);
- for (i = 0; i < sk_SSL_CIPHER_num(srvr); ++i) {
- c = sk_SSL_CIPHER_value(srvr, i);
- fprintf(stderr, "%p:%s\n", (void *)c, c->name);
- }
- fprintf(stderr, "Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt),
- (void *)clnt);
- for (i = 0; i < sk_SSL_CIPHER_num(clnt); ++i) {
- c = sk_SSL_CIPHER_value(clnt, i);
- fprintf(stderr, "%p:%s\n", (void *)c, c->name);
- }
-#endif
+ OSSL_TRACE_BEGIN(TLS_CIPHER) {
+ BIO_printf(trc_out, "Server has %d from %p:\n",
+ sk_SSL_CIPHER_num(srvr), (void *)srvr);
+ for (i = 0; i < sk_SSL_CIPHER_num(srvr); ++i) {
+ c = sk_SSL_CIPHER_value(srvr, i);
+ BIO_printf(trc_out, "%p:%s\n", (void *)c, c->name);
+ }
+ BIO_printf(trc_out, "Client sent %d from %p:\n",
+ sk_SSL_CIPHER_num(clnt), (void *)clnt);
+ for (i = 0; i < sk_SSL_CIPHER_num(clnt); ++i) {
+ c = sk_SSL_CIPHER_value(clnt, i);
+ BIO_printf(trc_out, "%p:%s\n", (void *)c, c->name);
+ }
+ } OSSL_TRACE_END(TLS_CIPHER);
/* SUITE-B takes precedence over server preference and ChaCha priortiy */
if (tls1_suiteb(s)) {
allow = srvr;
}
- if (!SSL_IS_TLS13(s)) {
+ if (SSL_IS_TLS13(s)) {
+#ifndef OPENSSL_NO_PSK
+ int j;
+
+ /*
+ * If we allow "old" style PSK callbacks, and we have no certificate (so
+ * we're not going to succeed without a PSK anyway), and we're in
+ * TLSv1.3 then the default hash for a PSK is SHA-256 (as per the
+ * TLSv1.3 spec). Therefore we should prioritise ciphersuites using
+ * that.
+ */
+ if (s->psk_server_callback != NULL) {
+ for (j = 0; j < SSL_PKEY_NUM && !ssl_has_cert(s, j); j++);
+ if (j == SSL_PKEY_NUM) {
+ /* There are no certificates */
+ prefer_sha256 = 1;
+ }
+ }
+#endif
+ } else {
tls1_set_cert_validity(s);
ssl_set_masks(s);
}
* key exchange scheme skip tests.
*/
if (!SSL_IS_TLS13(s)) {
- mask_k = s->s3->tmp.mask_k;
- mask_a = s->s3->tmp.mask_a;
+ mask_k = s->s3.tmp.mask_k;
+ mask_a = s->s3.tmp.mask_a;
#ifndef OPENSSL_NO_SRP
if (s->srp_ctx.srp_Mask & SSL_kSRP) {
mask_k |= SSL_kSRP;
#endif /* OPENSSL_NO_PSK */
ok = (alg_k & mask_k) && (alg_a & mask_a);
-#ifdef CIPHER_DEBUG
- fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
- alg_a, mask_k, mask_a, (void *)c, c->name);
-#endif
+ OSSL_TRACE7(TLS_CIPHER,
+ "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",
+ ok, alg_k, alg_a, mask_k, mask_a, (void *)c, c->name);
#ifndef OPENSSL_NO_EC
/*
continue;
#if !defined(OPENSSL_NO_EC)
if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
- && s->s3->is_probably_safari) {
+ && s->s3.is_probably_safari) {
if (!ret)
ret = sk_SSL_CIPHER_value(allow, ii);
continue;
}
#endif
+ if (prefer_sha256) {
+ const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
+
+ if (ssl_md(tmp->algorithm2) == mdsha256) {
+ ret = tmp;
+ break;
+ }
+ if (ret == NULL)
+ ret = tmp;
+ continue;
+ }
ret = sk_SSL_CIPHER_value(allow, ii);
break;
}
/* Get mask of algorithms disabled by signature list */
ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK);
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
#ifndef OPENSSL_NO_GOST
if (s->version >= TLS1_VERSION && (alg_k & SSL_kGOST))
ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
/*
* our shutdown alert has been sent now, and if it still needs to be
- * written, s->s3->alert_dispatch will be true
+ * written, s->s3.alert_dispatch will be true
*/
- if (s->s3->alert_dispatch)
+ if (s->s3.alert_dispatch)
return -1; /* return WANT_WRITE */
- } else if (s->s3->alert_dispatch) {
+ } else if (s->s3.alert_dispatch) {
/* resend it if not sent */
ret = s->method->ssl_dispatch_alert(s);
if (ret == -1) {
}
if ((s->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN)) &&
- !s->s3->alert_dispatch)
+ !s->s3.alert_dispatch)
return 1;
else
return 0;
int ssl3_write(SSL *s, const void *buf, size_t len, size_t *written)
{
clear_sys_error();
- if (s->s3->renegotiate)
+ if (s->s3.renegotiate)
ssl3_renegotiate_check(s, 0);
return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
int ret;
clear_sys_error();
- if (s->s3->renegotiate)
+ if (s->s3.renegotiate)
ssl3_renegotiate_check(s, 0);
- s->s3->in_read_app_data = 1;
+ s->s3.in_read_app_data = 1;
ret =
s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, NULL, buf, len,
peek, readbytes);
- if ((ret == -1) && (s->s3->in_read_app_data == 2)) {
+ if ((ret == -1) && (s->s3.in_read_app_data == 2)) {
/*
* ssl3_read_bytes decided to call s->handshake_func, which called
* ssl3_read_bytes to read handshake data. However, ssl3_read_bytes
len, peek, readbytes);
ossl_statem_set_in_handshake(s, 0);
} else
- s->s3->in_read_app_data = 0;
+ s->s3.in_read_app_data = 0;
return ret;
}
if (s->handshake_func == NULL)
return 1;
- s->s3->renegotiate = 1;
+ s->s3.renegotiate = 1;
return 1;
}
{
int ret = 0;
- if (s->s3->renegotiate) {
+ if (s->s3.renegotiate) {
if (!RECORD_LAYER_read_pending(&s->rlayer)
&& !RECORD_LAYER_write_pending(&s->rlayer)
&& (initok || !SSL_in_init(s))) {
* state.
*/
ossl_statem_set_renegotiate(s);
- s->s3->renegotiate = 0;
- s->s3->num_renegotiations++;
- s->s3->total_renegotiations++;
+ s->s3.renegotiate = 0;
+ s->s3.num_renegotiations++;
+ s->s3.total_renegotiations++;
ret = 1;
}
}
long ssl_get_algorithm2(SSL *s)
{
long alg2;
- if (s->s3 == NULL || s->s3->tmp.new_cipher == NULL)
+ if (s->s3.tmp.new_cipher == NULL)
return -1;
- alg2 = s->s3->tmp.new_cipher->algorithm2;
+ alg2 = s->s3.tmp.new_cipher->algorithm2;
if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF) {
if (alg2 == (SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF))
return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
- } else if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK) {
+ } else if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) {
if (alg2 == (SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384))
return SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF;
}
} else {
ret = RAND_bytes(result, len);
}
-#ifndef OPENSSL_NO_TLS13DOWNGRADE
+
if (ret > 0) {
if (!ossl_assert(sizeof(tls11downgrade) < len)
|| !ossl_assert(sizeof(tls12downgrade) < len))
memcpy(result + len - sizeof(tls11downgrade), tls11downgrade,
sizeof(tls11downgrade));
}
-#endif
+
return ret;
}
int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
int free_pms)
{
- unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
int ret = 0;
if (alg_k & SSL_PSK) {
#ifndef OPENSSL_NO_PSK
unsigned char *pskpms, *t;
- size_t psklen = s->s3->tmp.psklen;
+ size_t psklen = s->s3.tmp.psklen;
size_t pskpmslen;
/* create PSK premaster_secret */
memcpy(t, pms, pmslen);
t += pmslen;
s2n(psklen, t);
- memcpy(t, s->s3->tmp.psk, psklen);
+ memcpy(t, s->s3.tmp.psk, psklen);
- OPENSSL_clear_free(s->s3->tmp.psk, psklen);
- s->s3->tmp.psk = NULL;
+ OPENSSL_clear_free(s->s3.tmp.psk, psklen);
+ s->s3.tmp.psk = NULL;
if (!s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,pskpms, pskpmslen,
&s->session->master_key_length)) {
+ OPENSSL_clear_free(pskpms, pskpmslen);
/* SSLfatal() already called */
goto err;
}
OPENSSL_cleanse(pms, pmslen);
}
if (s->server == 0)
- s->s3->tmp.pms = NULL;
+ s->s3.tmp.pms = NULL;
return ret;
}
}
} else {
/* Save premaster secret */
- s->s3->tmp.pms = pms;
- s->s3->tmp.pmslen = pmslen;
+ s->s3.tmp.pms = pms;
+ s->s3.tmp.pmslen = pmslen;
pms = NULL;
rv = 1;
}