projects / openssl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add Next Protocol Negotiation.
[openssl.git] / ssl / s3_srvr.c
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 77d7d878e381cf48dce1af3752ecbc3231d897f1..57e516f6de655307d3a9771232e2383b0918cb91 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -189,7 +189,6 @@ int ssl3_accept(SSL *s)
        BUF_MEM *buf;
        unsigned long alg_k,Time=(unsigned long)time(NULL);
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
        BUF_MEM *buf;
        unsigned long alg_k,Time=(unsigned long)time(NULL);
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
-       long num1;
        int ret= -1;
        int new_state,state,skip=0;
 
        int ret= -1;
        int new_state,state,skip=0;
 
@@ -271,6 +270,18 @@ int ssl3_accept(SSL *s)
                                s->state=SSL3_ST_SR_CLNT_HELLO_A;
                                s->ctx->stats.sess_accept++;
                                }
                                s->state=SSL3_ST_SR_CLNT_HELLO_A;
                                s->ctx->stats.sess_accept++;
                                }
+                       else if (!s->s3->send_connection_binding &&
+                               !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+                               {
+                               /* Server attempting to renegotiate with
+                                * client that doesn't support secure
+                                * renegotiation.
+                                */
+                               SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+                               ret = -1;
+                               goto end;
+                               }
                        else
                                {
                                /* s->state == SSL_ST_RENEGOTIATE,
                        else
                                {
                                /* s->state == SSL_ST_RENEGOTIATE,
@@ -471,15 +482,24 @@ int ssl3_accept(SSL *s)
                        break;
                
                case SSL3_ST_SW_FLUSH:
                        break;
                
                case SSL3_ST_SW_FLUSH:
-                       /* number of bytes to be flushed */
-                       num1=BIO_ctrl(s->wbio,BIO_CTRL_WPENDING,0,NULL);
-                       if (num1 > 0)
+
+                       /* This code originally checked to see if
+                        * any data was pending using BIO_CTRL_INFO
+                        * and then flushed. This caused problems
+                        * as documented in PR#1939. The proposed
+                        * fix doesn't completely resolve this issue
+                        * as buggy implementations of BIO_CTRL_PENDING
+                        * still exist. So instead we just flush
+                        * unconditionally.
+                        */
+
+                       s->rwstate=SSL_WRITING;
+                       if (BIO_flush(s->wbio) <= 0)
                                {
                                {
-                               s->rwstate=SSL_WRITING;
-                               num1=BIO_flush(s->wbio);
-                               if (num1 <= 0) { ret= -1; goto end; }
-                               s->rwstate=SSL_NOTHING;
+                               ret= -1;
+                               goto end;
                                }
                                }
+                       s->rwstate=SSL_NOTHING;
 
                        s->state=s->s3->tmp.next_state;
                        break;
 
                        s->state=s->s3->tmp.next_state;
                        break;
@@ -518,7 +538,14 @@ int ssl3_accept(SSL *s)
                                 * the client uses its key from the certificate
                                 * for key exchange.
                                 */
                                 * the client uses its key from the certificate
                                 * for key exchange.
                                 */
+#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NPN)
                                s->state=SSL3_ST_SR_FINISHED_A;
                                s->state=SSL3_ST_SR_FINISHED_A;
+#else
+                               if (s->s3->next_proto_neg_seen)
+                                       s->state=SSL3_ST_SR_NEXT_PROTO_A;
+                               else
+                                       s->state=SSL3_ST_SR_FINISHED_A;
+#endif
                                s->init_num = 0;
                                }
                        else
                                s->init_num = 0;
                                }
                        else
@@ -561,10 +588,27 @@ int ssl3_accept(SSL *s)
                        ret=ssl3_get_cert_verify(s);
                        if (ret <= 0) goto end;
 
                        ret=ssl3_get_cert_verify(s);
                        if (ret <= 0) goto end;
 
+#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NPN)
                        s->state=SSL3_ST_SR_FINISHED_A;
                        s->state=SSL3_ST_SR_FINISHED_A;
+#else
+                       if (s->s3->next_proto_neg_seen)
+                               s->state=SSL3_ST_SR_NEXT_PROTO_A;
+                       else
+                               s->state=SSL3_ST_SR_FINISHED_A;
+#endif
                        s->init_num=0;
                        break;
 
                        s->init_num=0;
                        break;
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+               case SSL3_ST_SR_NEXT_PROTO_A:
+               case SSL3_ST_SR_NEXT_PROTO_B:
+                       ret=ssl3_get_next_proto(s);
+                       if (ret <= 0) goto end;
+                       s->init_num = 0;
+                       s->state=SSL3_ST_SR_FINISHED_A;
+                       break;
+#endif
+
                case SSL3_ST_SR_FINISHED_A:
                case SSL3_ST_SR_FINISHED_B:
                        ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
                case SSL3_ST_SR_FINISHED_A:
                case SSL3_ST_SR_FINISHED_B:
                        ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
@@ -635,7 +679,16 @@ int ssl3_accept(SSL *s)
                        if (ret <= 0) goto end;
                        s->state=SSL3_ST_SW_FLUSH;
                        if (s->hit)
                        if (ret <= 0) goto end;
                        s->state=SSL3_ST_SW_FLUSH;
                        if (s->hit)
+                               {
+#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NPN)
                                s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
                                s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+#else
+                               if (s->s3->next_proto_neg_seen)
+                                       s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
+                               else
+                                       s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+#endif
+                               }
                        else
                                s->s3->tmp.next_state=SSL_ST_OK;
                        s->init_num=0;
                        else
                                s->s3->tmp.next_state=SSL_ST_OK;
                        s->init_num=0;
@@ -1015,7 +1068,7 @@ int ssl3_get_client_hello(SSL *s)
 
 #ifndef OPENSSL_NO_TLSEXT
        /* TLS extensions*/
 
 #ifndef OPENSSL_NO_TLSEXT
        /* TLS extensions*/
-       if (s->version > SSL3_VERSION)
+       if (s->version >= SSL3_VERSION)
                {
                if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
                        {
                {
                if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
                        {
@@ -1088,7 +1141,50 @@ int ssl3_get_client_hello(SSL *s)
         * algorithms from the client, starting at q. */
        s->s3->tmp.new_compression=NULL;
 #ifndef OPENSSL_NO_COMP
         * algorithms from the client, starting at q. */
        s->s3->tmp.new_compression=NULL;
 #ifndef OPENSSL_NO_COMP
-       if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
+       /* This only happens if we have a cache hit */
+       if (s->session->compress_meth != 0)
+               {
+               int m, comp_id = s->session->compress_meth;
+               /* Perform sanity checks on resumed compression algorithm */
+               /* Can't disable compression */
+               if (s->options & SSL_OP_NO_COMPRESSION)
+                       {
+                       al=SSL_AD_INTERNAL_ERROR;
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
+                       goto f_err;
+                       }
+               /* Look for resumed compression method */
+               for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++)
+                       {
+                       comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
+                       if (comp_id == comp->id)
+                               {
+                               s->s3->tmp.new_compression=comp;
+                               break;
+                               }
+                       }
+               if (s->s3->tmp.new_compression == NULL)
+                       {
+                       al=SSL_AD_INTERNAL_ERROR;
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM);
+                       goto f_err;
+                       }
+               /* Look for resumed method in compression list */
+               for (m = 0; m < i; m++)
+                       {
+                       if (q[m] == comp_id)
+                               break;
+                       }
+               if (m >= i)
+                       {
+                       al=SSL_AD_ILLEGAL_PARAMETER;
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
+                       goto f_err;
+                       }
+               }
+       else if (s->hit)
+               comp = NULL;
+       else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
                { /* See if we have a match */
                int m,nn,o,v,done=0;
 
                { /* See if we have a match */
                int m,nn,o,v,done=0;
 
@@ -1112,6 +1208,16 @@ int ssl3_get_client_hello(SSL *s)
                else
                        comp=NULL;
                }
                else
                        comp=NULL;
                }
+#else
+       /* If compression is disabled we'd better not try to resume a session
+        * using compression.
+        */
+       if (s->session->compress_meth != 0)
+               {
+               al=SSL_AD_INTERNAL_ERROR;
+               SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
+               goto f_err;
+               }
 #endif
 
        /* Given s->session->ciphers and SSL_get_ciphers, we must
 #endif
 
        /* Given s->session->ciphers and SSL_get_ciphers, we must
@@ -2213,7 +2319,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                                SSL_R_DATA_LENGTH_TOO_LONG);
                        goto err;
                        }
                                SSL_R_DATA_LENGTH_TOO_LONG);
                        goto err;
                        }
-               if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
+               if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff))))
                    {
                    /* The premaster secret must contain the same version number as the
                     * ClientHello to detect version rollback attacks (strangely, the
                    {
                    /* The premaster secret must contain the same version number as the
                     * ClientHello to detect version rollback attacks (strangely, the
@@ -2223,8 +2329,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                     * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 
                     * (Perhaps we should have a separate BUG value for the Kerberos cipher)
                     */
                     * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 
                     * (Perhaps we should have a separate BUG value for the Kerberos cipher)
                     */
-                   if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
-                          (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
+                   if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                               SSL_AD_DECODE_ERROR);
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                               SSL_AD_DECODE_ERROR);
@@ -3105,4 +3210,72 @@ int ssl3_send_cert_status(SSL *s)
        /* SSL3_ST_SW_CERT_STATUS_B */
        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
        }
        /* SSL3_ST_SW_CERT_STATUS_B */
        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
        }
+
+# ifndef OPENSSL_NO_NPN
+/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
+ * sets the next_proto member in s if found */
+int ssl3_get_next_proto(SSL *s)
+       {
+       int ok;
+       unsigned proto_len, padding_len;
+       long n;
+       const unsigned char *p;
+
+       /* Clients cannot send a NextProtocol message if we didn't see the
+        * extension in their ClientHello */
+       if (!s->s3->next_proto_neg_seen)
+               {
+               SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
+               return -1;
+               }
+
+       n=s->method->ssl_get_message(s,
+               SSL3_ST_SR_NEXT_PROTO_A,
+               SSL3_ST_SR_NEXT_PROTO_B,
+               SSL3_MT_NEXT_PROTO,
+               129,
+               &ok);
+
+       if (!ok)
+               return((int)n);
+
+       /* s->state doesn't reflect whether ChangeCipherSpec has been received
+        * in this handshake, but s->s3->change_cipher_spec does (will be reset
+        * by ssl3_get_finished). */
+       if (!s->s3->change_cipher_spec)
+               {
+               SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
+               return -1;
+               }
+
+       if (n < 2)
+               return 0;  /* The body must be > 1 bytes long */
+
+       p=(unsigned char *)s->init_msg;
+
+       /* The payload looks like:
+        *   uint8 proto_len;
+        *   uint8 proto[proto_len];
+        *   uint8 padding_len;
+        *   uint8 padding[padding_len];
+        */
+       proto_len = p[0];
+       if (proto_len + 2 > s->init_num)
+               return 0;
+       padding_len = p[proto_len + 1];
+       if (proto_len + padding_len + 2 != s->init_num)
+               return 0;
+
+       s->next_proto_negotiated = OPENSSL_malloc(proto_len);
+       if (!s->next_proto_negotiated)
+               {
+               SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE);
+               return 0;
+               }
+       memcpy(s->next_proto_negotiated, p + 1, proto_len);
+       s->next_proto_negotiated_len = proto_len;
+
+       return 1;
+       }
+# endif
 #endif
 #endif
Unnamed repository; edit this file 'description' to name the repository.