#include <openssl/bn.h>
#include <openssl/md5.h>
-#ifndef OPENSSL_NO_SSL3_METHOD
-static const SSL_METHOD *ssl3_get_server_method(int ver);
+static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p,
+ int num, STACK_OF(SSL_CIPHER) **skp, int sslv2format);
-static const SSL_METHOD *ssl3_get_server_method(int ver)
-{
- if (ver == SSL3_VERSION)
- return (SSLv3_server_method());
- else
- return (NULL);
-}
-IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
- ssl3_accept,
- ssl_undefined_function, ssl3_get_server_method)
-#endif
#ifndef OPENSSL_NO_SRP
static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
{
ret = ssl3_send_server_hello(s);
if (ret <= 0)
goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
if (s->hit) {
if (s->tlsext_ticket_expected)
s->state = SSL3_ST_SW_SESSION_TICKET_A;
else
s->state = SSL3_ST_SW_CHANGE_A;
- }
-#else
- if (s->hit)
- s->state = SSL3_ST_SW_CHANGE_A;
-#endif
- else
+ } else {
s->state = SSL3_ST_SW_CERT_A;
+ }
s->init_num = 0;
break;
ret = ssl3_send_server_certificate(s);
if (ret <= 0)
goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
if (s->tlsext_status_expected)
s->state = SSL3_ST_SW_CERT_STATUS_A;
else
skip = 1;
s->state = SSL3_ST_SW_KEY_EXCH_A;
}
-#else
- } else
- skip = 1;
-
- s->state = SSL3_ST_SW_KEY_EXCH_A;
-#endif
s->init_num = 0;
break;
skip = 1;
s->s3->tmp.cert_request = 0;
s->state = SSL3_ST_SW_SRVR_DONE_A;
- if (s->s3->handshake_buffer) {
- if (!ssl3_digest_cached_records(s)) {
- s->state = SSL_ST_ERR;
- return -1;
- }
+ if (!ssl3_digest_cached_records(s, 0)) {
+ s->state = SSL_ST_ERR;
+ return -1;
}
} else {
s->s3->tmp.cert_request = 1;
* not sent. Also for GOST ciphersuites when the client uses
* its key from the certificate for key exchange.
*/
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
+#if defined(OPENSSL_NO_NEXTPROTONEG)
s->state = SSL3_ST_SR_FINISHED_A;
#else
if (s->s3->next_proto_neg_seen)
}
/*
* For sigalgs freeze the handshake buffer. If we support
- * extms we've done this already.
+ * extms we've done this already so this is a no-op
*/
- if (!(s->s3->flags & SSL_SESS_FLAG_EXTMS)) {
- s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
- if (!ssl3_digest_cached_records(s)) {
- s->state = SSL_ST_ERR;
- return -1;
- }
+ if (!ssl3_digest_cached_records(s, 1)) {
+ s->state = SSL_ST_ERR;
+ return -1;
}
} else {
int offset = 0;
* CertificateVerify should be generalized. But it is next
* step
*/
- if (s->s3->handshake_buffer) {
- if (!ssl3_digest_cached_records(s)) {
- s->state = SSL_ST_ERR;
- return -1;
- }
+ if (!ssl3_digest_cached_records(s, 0)) {
+ s->state = SSL_ST_ERR;
+ return -1;
}
for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++)
if (s->s3->handshake_dgst[dgst_num]) {
if (ret <= 0)
goto end;
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
+#if defined(OPENSSL_NO_NEXTPROTONEG)
s->state = SSL3_ST_SR_FINISHED_A;
#else
if (s->s3->next_proto_neg_seen)
s->init_num = 0;
break;
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
case SSL3_ST_SR_NEXT_PROTO_A:
case SSL3_ST_SR_NEXT_PROTO_B:
/*
goto end;
if (s->hit)
s->state = SSL_ST_OK;
-#ifndef OPENSSL_NO_TLSEXT
else if (s->tlsext_ticket_expected)
s->state = SSL3_ST_SW_SESSION_TICKET_A;
-#endif
else
s->state = SSL3_ST_SW_CHANGE_A;
s->init_num = 0;
break;
-#ifndef OPENSSL_NO_TLSEXT
case SSL3_ST_SW_SESSION_TICKET_A:
case SSL3_ST_SW_SESSION_TICKET_B:
ret = ssl3_send_newsession_ticket(s);
s->init_num = 0;
break;
-#endif
-
case SSL3_ST_SW_CHANGE_A:
case SSL3_ST_SW_CHANGE_B:
goto end;
s->state = SSL3_ST_SW_FLUSH;
if (s->hit) {
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
+#if defined(OPENSSL_NO_NEXTPROTONEG)
s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
#else
if (s->s3->next_proto_neg_seen) {
int ssl3_get_client_hello(SSL *s)
{
- int i, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1;
+ int i, complen, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1;
unsigned int cookie_len;
long n;
unsigned long id;
unsigned char *p, *d;
SSL_CIPHER *c;
#ifndef OPENSSL_NO_COMP
- unsigned char *q;
+ unsigned char *q = NULL;
SSL_COMP *comp = NULL;
#endif
STACK_OF(SSL_CIPHER) *ciphers = NULL;
d = p = (unsigned char *)s->init_msg;
/* First lets get s->client_version set correctly */
- if (!s->read_hash && !s->enc_read_ctx
- && RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
- if (n < MIN_SSL2_RECORD_LEN) {
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
- al = SSL_AD_DECODE_ERROR;
- goto f_err;
- }
+ if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
/*-
* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
* header is sent directly on the wire, not wrapped as a TLS
* layer in order to have determined that this is a SSLv2 record
* in the first place
*/
- al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
- goto f_err;
+ goto err;
}
if ((p[1] == 0x00) && (p[2] == 0x02)) {
/* Do SSL/TLS version negotiation if applicable */
if (!SSL_IS_DTLS(s)) {
if (s->version != TLS_ANY_VERSION) {
- if (s->client_version >= s->version
- && (((s->client_version >> 8) & 0xff) == SSL3_VERSION_MAJOR)) {
+ if (s->client_version >= s->version) {
protverr = 0;
}
- } else {
- /*
- * We already know that this is an SSL3_VERSION_MAJOR protocol,
- * so we're just testing the minor versions here
- */
+ } else if (s->client_version >= SSL3_VERSION) {
switch(s->client_version) {
default:
case TLS1_2_VERSION:
}
/* Deliberately fall through */
case SSL3_VERSION:
+#ifndef OPENSSL_NO_SSL3
if(!(s->options & SSL_OP_NO_SSLv3)) {
s->version = SSL3_VERSION;
s->method = SSLv3_server_method();
protverr = 0;
break;
}
+#else
+ break;
+#endif
}
}
- } else if (((s->client_version >> 8) & 0xff) == DTLS1_VERSION_MAJOR &&
- (s->client_version <= s->version
- || s->method->version == DTLS_ANY_VERSION)) {
+ } else if (s->client_version <= s->version
+ || s->method->version == DTLS_ANY_VERSION) {
/*
* For DTLS we just check versions are potentially compatible. Version
* negotiation comes later.
/* Set p to end of packet to ensure we don't look for extensions */
p = d + n;
- /* No compression, so set i to 0 */
- i = 0;
+ /* No compression, so set complen to 0 */
+ complen = 0;
} else {
/* If we get here we've got SSLv3+ in an SSLv3+ record */
}
/* compression */
- i = *(p++);
- if ((p + i) > (d + n)) {
+ complen = *(p++);
+ if ((p + complen) > (d + n)) {
/* not enough data */
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
#ifndef OPENSSL_NO_COMP
q = p;
#endif
- for (j = 0; j < i; j++) {
+ for (j = 0; j < complen; j++) {
if (p[j] == 0)
break;
}
- p += i;
- if (j >= i) {
+ p += complen;
+ if (j >= complen) {
/* no compress */
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
}
}
-#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions */
if (s->version >= SSL3_VERSION) {
if (!ssl_parse_clienthello_tlsext(s, &p, d, n)) {
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
}
}
-#endif
/*
* Worst case, we will use the NULL compression, but if we have other
- * options, we will now look for them. We have i-1 compression
+ * options, we will now look for them. We have complen-1 compression
* algorithms from the client, starting at q.
*/
s->s3->tmp.new_compression = NULL;
goto f_err;
}
/* Look for resumed method in compression list */
- for (m = 0; m < i; m++) {
+ for (m = 0; m < complen; m++) {
if (q[m] == comp_id)
break;
}
- if (m >= i) {
+ if (m >= complen) {
al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
for (m = 0; m < nn; m++) {
comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
v = comp->id;
- for (o = 0; o < i; o++) {
+ for (o = 0; o < complen; o++) {
if (v == q[o]) {
done = 1;
break;
}
if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) {
- if (!ssl3_digest_cached_records(s))
+ if (!ssl3_digest_cached_records(s, 0))
goto f_err;
}
if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
buf = (unsigned char *)s->init_buf->data;
-#ifdef OPENSSL_NO_TLSEXT
+
p = s->s3->server_random;
if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) {
s->state = SSL_ST_ERR;
return -1;
}
-#endif
+
/* Do the message type and length last */
d = p = ssl_handshake_start(s);
else
*(p++) = s->s3->tmp.new_compression->id;
#endif
-#ifndef OPENSSL_NO_TLSEXT
+
if (ssl_prepare_serverhello_tlsext(s) <= 0) {
SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
s->state = SSL_ST_ERR;
s->state = SSL_ST_ERR;
return -1;
}
-#endif
+
/* do the header */
l = (p - d);
if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
BIGNUM *pub = NULL;
DH *dh_srvr, *dh_clnt = NULL;
#endif
-
#ifndef OPENSSL_NO_EC
EC_KEY *srvr_ecdh = NULL;
EVP_PKEY *clnt_pub_pkey = NULL;
psk_len = s->psk_server_callback(s, tmp_id,
psk_or_pre_ms,
sizeof(psk_or_pre_ms));
- OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1);
+ OPENSSL_cleanse(tmp_id, sizeof(tmp_id));
if (psk_len > PSK_MAX_PSK_LEN) {
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
s->
session->master_key,
premaster_secret, 32);
+ OPENSSL_cleanse(premaster_secret, sizeof(premaster_secret));
if (s->session->master_key_length < 0) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
end:
BIO_free(s->s3->handshake_buffer);
s->s3->handshake_buffer = NULL;
- s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
EVP_MD_CTX_cleanup(&mctx);
EVP_PKEY_free(pkey);
return (ret);
goto f_err;
}
/* No client certificate so digest cached records */
- if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) {
+ if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
s->session->peer = sk_X509_shift(sk);
s->session->verify_result = s->verify_result;
- /*
- * With the current implementation, sess_cert will always be NULL when we
- * arrive here.
- */
- if (s->session->sess_cert == NULL) {
- s->session->sess_cert = ssl_sess_cert_new();
- if (s->session->sess_cert == NULL) {
- SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
- goto done;
- }
- }
- sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
- s->session->sess_cert->cert_chain = sk;
+ sk_X509_pop_free(s->session->peer_chain, X509_free);
+ s->session->peer_chain = sk;
/*
* Inconsistency alert: cert_chain does *not* include the peer's own
* certificate, while we do include it in s3_clnt.c
return ssl_do_write(s);
}
-#ifndef OPENSSL_NO_TLSEXT
/* send a new session ticket (not necessarily for a new session) */
int ssl3_send_newsession_ticket(SSL *s)
{
return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
}
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
/*
* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
* It sets the next_proto member in s if found
return 1;
}
-# endif
+#endif
+
+#define SSLV2_CIPHER_LEN 3
+STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p,
+ int num,
+ STACK_OF(SSL_CIPHER) **skp,
+ int sslv2format)
+{
+ const SSL_CIPHER *c;
+ STACK_OF(SSL_CIPHER) *sk;
+ int i, n;
+
+ if (s->s3)
+ s->s3->send_connection_binding = 0;
+
+ if(sslv2format) {
+ n = SSLV2_CIPHER_LEN;
+ } else {
+ n = ssl_put_cipher_by_char(s, NULL, NULL);
+ }
+ if (n == 0 || (num % n) != 0) {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+ SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
+ return (NULL);
+ }
+ if ((skp == NULL) || (*skp == NULL)) {
+ sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */
+ if(sk == NULL) {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ } else {
+ sk = *skp;
+ sk_SSL_CIPHER_zero(sk);
+ }
+
+ OPENSSL_free(s->s3->tmp.ciphers_raw);
+ s->s3->tmp.ciphers_raw = BUF_memdup(p, num);
+ if (s->s3->tmp.ciphers_raw == NULL) {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ s->s3->tmp.ciphers_rawlen = (size_t)num;
+
+ for (i = 0; i < num; i += n) {
+ /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
+ if (s->s3 && (n != 3 || !p[0]) &&
+ (p[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
+ (p[n - 1] == (SSL3_CK_SCSV & 0xff))) {
+ /* SCSV fatal if renegotiating */
+ if (s->renegotiate) {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+ SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+ goto err;
+ }
+ s->s3->send_connection_binding = 1;
+ p += n;
+#ifdef OPENSSL_RI_DEBUG
+ fprintf(stderr, "SCSV received by server\n");
#endif
+ continue;
+ }
+
+ /* Check for TLS_FALLBACK_SCSV */
+ if ((n != 3 || !p[0]) &&
+ (p[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
+ (p[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) {
+ /*
+ * The SCSV indicates that the client previously tried a higher
+ * version. Fail if the current version is an unexpected
+ * downgrade.
+ */
+ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+ SSL_R_INAPPROPRIATE_FALLBACK);
+ if (s->s3)
+ ssl3_send_alert(s, SSL3_AL_FATAL,
+ SSL_AD_INAPPROPRIATE_FALLBACK);
+ goto err;
+ }
+ p += n;
+ continue;
+ }
+
+ if(sslv2format) {
+ /*
+ * We only support SSLv2 format ciphers in SSLv3+ using a
+ * SSLv2 backward compatible ClientHello. In this case the first
+ * byte is always 0 for SSLv3 compatible ciphers. Anything else
+ * is an SSLv2 cipher and we ignore it
+ */
+ if(p[0] == 0)
+ c = ssl_get_cipher_by_char(s, &p[1]);
+ else
+ c = NULL;
+ } else {
+ c = ssl_get_cipher_by_char(s, p);
+ }
+ p += n;
+ if (c != NULL) {
+ if (!sk_SSL_CIPHER_push(sk, c)) {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
+ }
+
+ if (skp != NULL)
+ *skp = sk;
+ return (sk);
+ err:
+ if ((skp == NULL) || (*skp == NULL))
+ sk_SSL_CIPHER_free(sk);
+ return (NULL);
+}