Fix for CVE-2014-0224
[openssl.git] / ssl / s3_srvr.c
index 6dba5c1..fcc97f3 100644 (file)
@@ -166,7 +166,6 @@ int ssl3_accept(SSL *s)
        BUF_MEM *buf;
        unsigned long l,Time=(unsigned long)time(NULL);
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
-       long num1;
        int ret= -1;
        int new_state,state,skip=0;
 
@@ -236,6 +235,7 @@ int ssl3_accept(SSL *s)
                                }
 
                        s->init_num=0;
+                       s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
 
                        if (s->state != SSL_ST_RENEGOTIATE)
                                {
@@ -248,6 +248,18 @@ int ssl3_accept(SSL *s)
                                s->state=SSL3_ST_SR_CLNT_HELLO_A;
                                s->ctx->stats.sess_accept++;
                                }
+                       else if (!s->s3->send_connection_binding &&
+                               !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+                               {
+                               /* Server attempting to renegotiate with
+                                * client that doesn't support secure
+                                * renegotiation.
+                                */
+                               SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+                               ret = -1;
+                               goto end;
+                               }
                        else
                                {
                                /* s->state == SSL_ST_RENEGOTIATE,
@@ -290,9 +302,18 @@ int ssl3_accept(SSL *s)
                case SSL3_ST_SW_SRVR_HELLO_B:
                        ret=ssl3_send_server_hello(s);
                        if (ret <= 0) goto end;
-
+#ifndef OPENSSL_NO_TLSEXT
                        if (s->hit)
-                               s->state=SSL3_ST_SW_CHANGE_A;
+                               {
+                               if (s->tlsext_ticket_expected)
+                                       s->state=SSL3_ST_SW_SESSION_TICKET_A;
+                               else
+                                       s->state=SSL3_ST_SW_CHANGE_A;
+                               }
+#else
+                       if (s->hit)
+                                       s->state=SSL3_ST_SW_CHANGE_A;
+#endif
                        else
                                s->state=SSL3_ST_SW_CERT_A;
                        s->init_num=0;
@@ -306,10 +327,24 @@ int ssl3_accept(SSL *s)
                                {
                                ret=ssl3_send_server_certificate(s);
                                if (ret <= 0) goto end;
+#ifndef OPENSSL_NO_TLSEXT
+                               if (s->tlsext_status_expected)
+                                       s->state=SSL3_ST_SW_CERT_STATUS_A;
+                               else
+                                       s->state=SSL3_ST_SW_KEY_EXCH_A;
+                               }
+                       else
+                               {
+                               skip = 1;
+                               s->state=SSL3_ST_SW_KEY_EXCH_A;
+                               }
+#else
                                }
                        else
                                skip=1;
+
                        s->state=SSL3_ST_SW_KEY_EXCH_A;
+#endif
                        s->init_num=0;
                        break;
 
@@ -412,15 +447,24 @@ int ssl3_accept(SSL *s)
                        break;
                
                case SSL3_ST_SW_FLUSH:
-                       /* number of bytes to be flushed */
-                       num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
-                       if (num1 > 0)
+
+                       /* This code originally checked to see if
+                        * any data was pending using BIO_CTRL_INFO
+                        * and then flushed. This caused problems
+                        * as documented in PR#1939. The proposed
+                        * fix doesn't completely resolve this issue
+                        * as buggy implementations of BIO_CTRL_PENDING
+                        * still exist. So instead we just flush
+                        * unconditionally.
+                        */
+
+                       s->rwstate=SSL_WRITING;
+                       if (BIO_flush(s->wbio) <= 0)
                                {
-                               s->rwstate=SSL_WRITING;
-                               num1=BIO_flush(s->wbio);
-                               if (num1 <= 0) { ret= -1; goto end; }
-                               s->rwstate=SSL_NOTHING;
+                               ret= -1;
+                               goto end;
                                }
+                       s->rwstate=SSL_NOTHING;
 
                        s->state=s->s3->tmp.next_state;
                        break;
@@ -479,6 +523,7 @@ int ssl3_accept(SSL *s)
                case SSL3_ST_SR_CERT_VRFY_A:
                case SSL3_ST_SR_CERT_VRFY_B:
 
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
                        /* we should decide if we expected this one */
                        ret=ssl3_get_cert_verify(s);
                        if (ret <= 0) goto end;
@@ -489,6 +534,7 @@ int ssl3_accept(SSL *s)
 
                case SSL3_ST_SR_FINISHED_A:
                case SSL3_ST_SR_FINISHED_B:
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
                        ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
                                SSL3_ST_SR_FINISHED_B);
                        if (ret <= 0) goto end;
@@ -512,6 +558,14 @@ int ssl3_accept(SSL *s)
                        s->init_num=0;
                        break;
 
+               case SSL3_ST_SW_CERT_STATUS_A:
+               case SSL3_ST_SW_CERT_STATUS_B:
+                       ret=ssl3_send_cert_status(s);
+                       if (ret <= 0) goto end;
+                       s->state=SSL3_ST_SW_KEY_EXCH_A;
+                       s->init_num=0;
+                       break;
+
 #endif
 
                case SSL3_ST_SW_CHANGE_A:
@@ -658,10 +712,15 @@ int ssl3_check_client_hello(SSL *s)
        s->s3->tmp.reuse_message = 1;
        if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
                {
+               /* We only allow the client to restart the handshake once per
+                * negotiation. */
+               if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+                       {
+                       SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+                       return -1;
+                       }
                /* Throw away what we have done so far in the current handshake,
-                * which will now be aborted. (A full SSL_clear would be too much.)
-                * I hope that tmp.dh is the only thing that may need to be cleared
-                * when a handshake is not completed ... */
+                * which will now be aborted. (A full SSL_clear would be too much.) */
 #ifndef OPENSSL_NO_DH
                if (s->s3->tmp.dh != NULL)
                        {
@@ -669,6 +728,14 @@ int ssl3_check_client_hello(SSL *s)
                        s->s3->tmp.dh = NULL;
                        }
 #endif
+#ifndef OPENSSL_NO_ECDH
+               if (s->s3->tmp.ecdh != NULL)
+                       {
+                       EC_KEY_free(s->s3->tmp.ecdh);
+                       s->s3->tmp.ecdh = NULL;
+                       }
+#endif
+               s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
                return 2;
                }
        return 1;
@@ -727,6 +794,21 @@ int ssl3_get_client_hello(SSL *s)
                goto f_err;
                }
 
+       /* If we require cookies and this ClientHello doesn't
+        * contain one, just return since we do not want to
+        * allocate any memory yet. So check cookie length...
+        */
+       if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)
+               {
+               unsigned int session_length, cookie_length;
+               
+               session_length = *(p + SSL3_RANDOM_SIZE);
+               cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
+
+               if (cookie_length == 0)
+                       return 1;
+               }
+
        /* load the client random */
        memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
        p+=SSL3_RANDOM_SIZE;
@@ -766,23 +848,11 @@ int ssl3_get_client_hello(SSL *s)
 
        p+=j;
 
-       if (s->version == DTLS1_VERSION)
+       if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
                {
                /* cookie stuff */
                cookie_len = *(p++);
 
-               if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
-                       s->d1->send_cookie == 0)
-                       {
-                       /* HelloVerifyMessage has already been sent */
-                       if ( cookie_len != s->d1->cookie_len)
-                               {
-                               al = SSL_AD_HANDSHAKE_FAILURE;
-                               SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
-                               goto f_err;
-                               }
-                       }
-
                /* 
                 * The ClientHello may contain a cookie even if the
                 * HelloVerify message has not been sent--make sure that it
@@ -797,7 +867,7 @@ int ssl3_get_client_hello(SSL *s)
                        }
 
                /* verify the cookie if appropriate option is set. */
-               if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
+               if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
                        cookie_len > 0)
                        {
                        memcpy(s->d1->rcvd_cookie, p, cookie_len);
@@ -822,6 +892,8 @@ int ssl3_get_client_hello(SSL *s)
                                                SSL_R_COOKIE_MISMATCH);
                                        goto f_err;
                                }
+
+                       ret = 2;
                        }
 
                p += cookie_len;
@@ -871,22 +943,33 @@ int ssl3_get_client_hello(SSL *s)
                                break;
                                }
                        }
-               if (j == 0)
-                       {
-                       if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
-                               {
-                               /* Very bad for multi-threading.... */
-                               s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0);
-                               }
-                       else
+/* Disabled because it can be used in a ciphersuite downgrade
+ * attack: CVE-2010-4180.
+ */
+#if 0
+               if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
+                       {
+                       /* Special case as client bug workaround: the previously used cipher may
+                        * not be in the current list, the client instead might be trying to
+                        * continue using a cipher that before wasn't chosen due to server
+                        * preferences.  We'll have to reject the connection if the cipher is not
+                        * enabled, though. */
+                       c = sk_SSL_CIPHER_value(ciphers, 0);
+                       if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0)
                                {
-                               /* we need to have the cipher in the cipher
-                                * list if we are asked to reuse it */
-                               al=SSL_AD_ILLEGAL_PARAMETER;
-                               SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
-                               goto f_err;
+                               s->session->cipher = c;
+                               j = 1;
                                }
                        }
+#endif
+               if (j == 0)
+                       {
+                       /* we need to have the cipher in the cipher
+                        * list if we are asked to reuse it */
+                       al=SSL_AD_ILLEGAL_PARAMETER;
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
+                       goto f_err;
+                       }
                }
 
        /* compression */
@@ -915,7 +998,7 @@ int ssl3_get_client_hello(SSL *s)
 
 #ifndef OPENSSL_NO_TLSEXT
        /* TLS extensions*/
-       if (s->version > SSL3_VERSION)
+       if (s->version >= SSL3_VERSION)
                {
                if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
                        {
@@ -924,7 +1007,7 @@ int ssl3_get_client_hello(SSL *s)
                        goto f_err;
                        }
                }
-               if (ssl_check_clienthello_tlsext(s) <= 0) {
+               if (ssl_check_clienthello_tlsext_early(s) <= 0) {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
                        goto err;
                }
@@ -1050,7 +1133,19 @@ int ssl3_get_client_hello(SSL *s)
         * s->tmp.new_cipher    - the new cipher to use.
         */
 
-       ret=1;
+#ifndef OPENSSL_NO_TLSEXT
+       /* Handles TLS extensions that we couldn't check earlier */
+       if (s->version >= SSL3_VERSION)
+               {
+               if (ssl_check_clienthello_tlsext_late(s) <= 0)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
+                       goto err;
+                       }
+               }
+#endif
+
+       if (ret < 0) ret=1;
        if (0)
                {
 f_err:
@@ -1093,8 +1188,16 @@ int ssl3_send_server_hello(SSL *s)
                 * session-id if we want it to be single use.
                 * Currently I will not implement the '0' length session-id
                 * 12-Jan-98 - I'll now support the '0' length stuff.
+                *
+                * We also have an additional case where stateless session
+                * resumption is successful: we always send back the old
+                * session id. In this case s->hit is non zero: this can
+                * only happen if stateless session resumption is succesful
+                * if session caching is disabled so existing functionality
+                * is unaffected.
                 */
-               if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
+               if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+                       && !s->hit)
                        s->session->session_id_length=0;
 
                sl=s->session->session_id_length;
@@ -1133,13 +1236,13 @@ int ssl3_send_server_hello(SSL *s)
                *(d++)=SSL3_MT_SERVER_HELLO;
                l2n3(l,d);
 
-               s->state=SSL3_ST_CW_CLNT_HELLO_B;
+               s->state=SSL3_ST_SW_SRVR_HELLO_B;
                /* number of bytes to write */
                s->init_num=p-buf;
                s->init_off=0;
                }
 
-       /* SSL3_ST_CW_CLNT_HELLO_B */
+       /* SSL3_ST_SW_SRVR_HELLO_B */
        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
        }
 
@@ -1163,7 +1266,7 @@ int ssl3_send_server_done(SSL *s)
                s->init_off=0;
                }
 
-       /* SSL3_ST_CW_CLNT_HELLO_B */
+       /* SSL3_ST_SW_SRVR_DONE_B */
        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
        }
 
@@ -1254,7 +1357,6 @@ int ssl3_send_server_key_exchange(SSL *s)
 
                        if (s->s3->tmp.dh != NULL)
                                {
-                               DH_free(dh);
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
                                goto err;
                                }
@@ -1315,7 +1417,6 @@ int ssl3_send_server_key_exchange(SSL *s)
 
                        if (s->s3->tmp.ecdh != NULL)
                                {
-                               EC_KEY_free(s->s3->tmp.ecdh); 
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
                                goto err;
                                }
@@ -1326,12 +1427,11 @@ int ssl3_send_server_key_exchange(SSL *s)
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
                                goto err;
                                }
-                       if (!EC_KEY_up_ref(ecdhp))
+                       if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
                                {
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
                                goto err;
                                }
-                       ecdh = ecdhp;
 
                        s->s3->tmp.ecdh=ecdh;
                        if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
@@ -1485,6 +1585,7 @@ int ssl3_send_server_key_exchange(SSL *s)
                            (unsigned char *)encodedPoint, 
                            encodedlen);
                        OPENSSL_free(encodedPoint);
+                       encodedPoint = NULL;
                        p += encodedlen;
                        }
 #endif
@@ -1501,6 +1602,8 @@ int ssl3_send_server_key_exchange(SSL *s)
                                j=0;
                                for (num=2; num > 0; num--)
                                        {
+                                       EVP_MD_CTX_set_flags(&md_ctx,
+                                               EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                                        EVP_DigestInit_ex(&md_ctx,(num == 2)
                                                ?s->ctx->md5:s->ctx->sha1, NULL);
                                        EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1661,6 +1764,11 @@ int ssl3_send_certificate_request(SSL *s)
                s->init_num=n+4;
                s->init_off=0;
 #ifdef NETSCAPE_HANG_BUG
+               if (!BUF_MEM_grow_clean(buf, s->init_num + 4))
+                       {
+                       SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
+                       goto err;
+                       }
                p=(unsigned char *)s->init_buf->data + s->init_num;
 
                /* do the header */
@@ -1872,6 +1980,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                if (i <= 0)
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+                       BN_clear_free(pub);
                        goto err;
                        }
 
@@ -2185,6 +2294,12 @@ int ssl3_get_client_key_exchange(SSL *s)
                         /* Get encoded point length */
                         i = *p; 
                        p += 1;
+                       if (n != 1 + i)
+                               {
+                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                                   ERR_R_EC_LIB);
+                               goto err;
+                               }
                         if (EC_POINT_oct2point(group, 
                            clnt_ecpoint, p, i, bn_ctx) == 0)
                                {
@@ -2519,7 +2634,7 @@ int ssl3_get_client_certificate(SSL *s)
        else
                {
                i=ssl_verify_cert_chain(s,sk);
-               if (!i)
+               if (i <= 0)
                        {
                        al=ssl_verify_alarm_type(s->verify_result);
                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
@@ -2664,6 +2779,9 @@ int ssl3_send_newsession_ticket(SSL *s)
                unsigned int hlen;
                EVP_CIPHER_CTX ctx;
                HMAC_CTX hctx;
+               SSL_CTX *tctx = s->initial_ctx;
+               unsigned char iv[EVP_MAX_IV_LENGTH];
+               unsigned char key_name[16];
 
                /* get session encoding length */
                slen = i2d_SSL_SESSION(s->session, NULL);
@@ -2694,29 +2812,47 @@ int ssl3_send_newsession_ticket(SSL *s)
                *(p++)=SSL3_MT_NEWSESSION_TICKET;
                /* Skip message length for now */
                p += 3;
+               EVP_CIPHER_CTX_init(&ctx);
+               HMAC_CTX_init(&hctx);
+               /* Initialize HMAC and cipher contexts. If callback present
+                * it does all the work otherwise use generated values
+                * from parent ctx.
+                */
+               if (tctx->tlsext_ticket_key_cb)
+                       {
+                       if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
+                                                        &hctx, 1) < 0)
+                               {
+                               OPENSSL_free(senc);
+                               return -1;
+                               }
+                       }
+               else
+                       {
+                       RAND_pseudo_bytes(iv, 16);
+                       EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
+                                       tctx->tlsext_tick_aes_key, iv);
+                       HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
+                                       tlsext_tick_md(), NULL);
+                       memcpy(key_name, tctx->tlsext_tick_key_name, 16);
+                       }
                l2n(s->session->tlsext_tick_lifetime_hint, p);
                /* Skip ticket length for now */
                p += 2;
                /* Output key name */
                macstart = p;
-               memcpy(p, s->ctx->tlsext_tick_key_name, 16);
+               memcpy(p, key_name, 16);
                p += 16;
-               /* Generate and output IV */
-               RAND_pseudo_bytes(p, 16);
-               EVP_CIPHER_CTX_init(&ctx);
+               /* output IV */
+               memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
+               p += EVP_CIPHER_CTX_iv_length(&ctx);
                /* Encrypt session data */
-               EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
-                                       s->ctx->tlsext_tick_aes_key, p);
-               p += 16;
                EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
                p += len;
                EVP_EncryptFinal(&ctx, p, &len);
                p += len;
                EVP_CIPHER_CTX_cleanup(&ctx);
 
-               HMAC_CTX_init(&hctx);
-               HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
-                               tlsext_tick_md(), NULL);
                HMAC_Update(&hctx, macstart, p - macstart);
                HMAC_Final(&hctx, p, &hlen);
                HMAC_CTX_cleanup(&hctx);
@@ -2740,4 +2876,39 @@ int ssl3_send_newsession_ticket(SSL *s)
        /* SSL3_ST_SW_SESSION_TICKET_B */
        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
        }
+
+int ssl3_send_cert_status(SSL *s)
+       {
+       if (s->state == SSL3_ST_SW_CERT_STATUS_A)
+               {
+               unsigned char *p;
+               /* Grow buffer if need be: the length calculation is as
+                * follows 1 (message type) + 3 (message length) +
+                * 1 (ocsp response type) + 3 (ocsp response length)
+                * + (ocsp response)
+                */
+               if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
+                       return -1;
+
+               p=(unsigned char *)s->init_buf->data;
+
+               /* do the header */
+               *(p++)=SSL3_MT_CERTIFICATE_STATUS;
+               /* message length */
+               l2n3(s->tlsext_ocsp_resplen + 4, p);
+               /* status type */
+               *(p++)= s->tlsext_status_type;
+               /* length of OCSP response */
+               l2n3(s->tlsext_ocsp_resplen, p);
+               /* actual response */
+               memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
+               /* number of bytes to write */
+               s->init_num = 8 + s->tlsext_ocsp_resplen;
+               s->state=SSL3_ST_SW_CERT_STATUS_B;
+               s->init_off = 0;
+               }
+
+       /* SSL3_ST_SW_CERT_STATUS_B */
+       return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+       }
 #endif