Allow use of RSA-PSS certificates in TLS 1.2
[openssl.git] / ssl / ssl_lib.c
index 74767f6..cc110bc 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -20,6 +20,9 @@
 #include <openssl/engine.h>
 #include <openssl/async.h>
 #include <openssl/ct.h>
+#include "internal/cryptlib.h"
+#include "internal/rand.h"
+#include "internal/refcount.h"
 
 const char SSL_version_str[] = OPENSSL_VERSION_TEXT;
 
@@ -531,6 +534,9 @@ int SSL_clear(SSL *s)
     }
     SSL_SESSION_free(s->psksession);
     s->psksession = NULL;
+    OPENSSL_free(s->psksession_id);
+    s->psksession_id = NULL;
+    s->psksession_id_len = 0;
 
     s->error = 0;
     s->hit = 0;
@@ -618,10 +624,21 @@ SSL *SSL_new(SSL_CTX *ctx)
         goto err;
 
     s->lock = CRYPTO_THREAD_lock_new();
-    if (s->lock == NULL) {
-        SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
-        OPENSSL_free(s);
-        return NULL;
+    if (s->lock == NULL)
+        goto err;
+
+    /*
+     * If not using the standard RAND (say for fuzzing), then don't use a
+     * chained DRBG.
+     */
+    if (RAND_get_rand_method() == RAND_OpenSSL()) {
+        s->drbg = RAND_DRBG_new(NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF,
+                                RAND_DRBG_get0_global());
+        if (s->drbg == NULL
+            || RAND_DRBG_instantiate(s->drbg, NULL, 0) == 0) {
+            CRYPTO_THREAD_lock_free(s->lock);
+            goto err;
+        }
     }
 
     RECORD_LAYER_init(&s->rlayer, s);
@@ -1083,6 +1100,7 @@ void SSL_free(SSL *s)
         SSL_SESSION_free(s->session);
     }
     SSL_SESSION_free(s->psksession);
+    OPENSSL_free(s->psksession_id);
 
     clear_ciphers(s);
 
@@ -1129,6 +1147,7 @@ void SSL_free(SSL *s)
     sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
 #endif
 
+    RAND_DRBG_free(s->drbg);
     CRYPTO_THREAD_lock_free(s->lock);
 
     OPENSSL_free(s);
@@ -1895,8 +1914,8 @@ int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written)
     case SSL_EARLY_DATA_NONE:
         if (s->server
                 || !SSL_in_before(s)
-                || s->session == NULL
-                || s->session->ext.max_early_data == 0) {
+                || ((s->session == NULL || s->session->ext.max_early_data == 0)
+                     && (s->psk_use_session_cb == NULL))) {
             SSLerr(SSL_F_SSL_WRITE_EARLY_DATA,
                    ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
             return 0;
@@ -2121,10 +2140,14 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
         return ssl_check_allowed_versions(larg, s->max_proto_version)
                && ssl_set_version_bound(s->ctx->method->version, (int)larg,
                                         &s->min_proto_version);
+    case SSL_CTRL_GET_MIN_PROTO_VERSION:
+        return s->min_proto_version;
     case SSL_CTRL_SET_MAX_PROTO_VERSION:
         return ssl_check_allowed_versions(s->min_proto_version, larg)
                && ssl_set_version_bound(s->ctx->method->version, (int)larg,
                                         &s->max_proto_version);
+    case SSL_CTRL_GET_MAX_PROTO_VERSION:
+        return s->max_proto_version;
     default:
         return (s->method->ssl_ctrl(s, cmd, larg, parg));
     }
@@ -2257,10 +2280,14 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
         return ssl_check_allowed_versions(larg, ctx->max_proto_version)
                && ssl_set_version_bound(ctx->method->version, (int)larg,
                                         &ctx->min_proto_version);
+    case SSL_CTRL_GET_MIN_PROTO_VERSION:
+        return ctx->min_proto_version;
     case SSL_CTRL_SET_MAX_PROTO_VERSION:
         return ssl_check_allowed_versions(ctx->min_proto_version, larg)
                && ssl_set_version_bound(ctx->method->version, (int)larg,
                                         &ctx->max_proto_version);
+    case SSL_CTRL_GET_MAX_PROTO_VERSION:
+        return ctx->max_proto_version;
     default:
         return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg));
     }
@@ -2452,7 +2479,7 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
             *p = '\0';
             return buf;
         }
-        memcpy(p, c->name, n + 1);
+        strcpy(p, c->name);
         p += n;
         *(p++) = ':';
         len -= n + 1;
@@ -3063,9 +3090,15 @@ void ssl_set_masks(SSL *s)
     if (dh_tmp)
         mask_k |= SSL_kDHE;
 
-    if (rsa_enc || rsa_sign) {
+    /*
+     * If we only have an RSA-PSS certificate allow RSA authentication
+     * if TLS 1.2 and peer supports it.
+     */
+
+    if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN)
+                && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN
+                && TLS1_get_version(s) == TLS1_2_VERSION))
         mask_a |= SSL_aRSA;
-    }
 
     if (dsa_sign) {
         mask_a |= SSL_aDSS;
@@ -3156,10 +3189,11 @@ void ssl_update_cache(SSL *s, int mode)
         return;
 
     i = s->session_ctx->session_cache_mode;
-    if ((i & mode) && (!s->hit)
-        && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
+    if ((i & mode) != 0
+        && (!s->hit || SSL_IS_TLS13(s))
+        && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) != 0
             || SSL_CTX_add_session(s->session_ctx, s->session))
-        && (s->session_ctx->new_session_cb != NULL)) {
+        && s->session_ctx->new_session_cb != NULL) {
         SSL_SESSION_up_ref(s->session);
         if (!s->session_ctx->new_session_cb(s, s->session))
             SSL_SESSION_free(s->session);
@@ -3281,8 +3315,8 @@ int SSL_get_error(const SSL *s, int i)
         return SSL_ERROR_WANT_ASYNC;
     if (SSL_want_async_job(s))
         return SSL_ERROR_WANT_ASYNC_JOB;
-    if (SSL_want_early(s))
-        return SSL_ERROR_WANT_EARLY;
+    if (SSL_want_client_hello_cb(s))
+        return SSL_ERROR_WANT_CLIENT_HELLO_CB;
 
     if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
         (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
@@ -3315,6 +3349,12 @@ int SSL_do_handshake(SSL *s)
 
     s->method->ssl_renegotiate_check(s, 0);
 
+    if (SSL_is_server(s)) {
+        /* clear SNI settings at server-side */
+        OPENSSL_free(s->ext.hostname);
+        s->ext.hostname = NULL;
+    }
+
     if (SSL_in_init(s) || SSL_in_before(s)) {
         if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
             struct ssl_async_args args;
@@ -3593,6 +3633,11 @@ const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
     return (NULL);
 }
 
+const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s)
+{
+    return s->s3->tmp.new_cipher;
+}
+
 const COMP_METHOD *SSL_get_current_compression(SSL *s)
 {
 #ifndef OPENSSL_NO_COMP
@@ -4669,27 +4714,28 @@ const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx)
 
 #endif  /* OPENSSL_NO_CT */
 
-void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn cb, void *arg)
+void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
+                                 void *arg)
 {
-    c->early_cb = cb;
-    c->early_cb_arg = arg;
+    c->client_hello_cb = cb;
+    c->client_hello_cb_arg = arg;
 }
 
-int SSL_early_isv2(SSL *s)
+int SSL_client_hello_isv2(SSL *s)
 {
     if (s->clienthello == NULL)
         return 0;
     return s->clienthello->isv2;
 }
 
-unsigned int SSL_early_get0_legacy_version(SSL *s)
+unsigned int SSL_client_hello_get0_legacy_version(SSL *s)
 {
     if (s->clienthello == NULL)
         return 0;
     return s->clienthello->legacy_version;
 }
 
-size_t SSL_early_get0_random(SSL *s, const unsigned char **out)
+size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out)
 {
     if (s->clienthello == NULL)
         return 0;
@@ -4698,7 +4744,7 @@ size_t SSL_early_get0_random(SSL *s, const unsigned char **out)
     return SSL3_RANDOM_SIZE;
 }
 
-size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out)
+size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out)
 {
     if (s->clienthello == NULL)
         return 0;
@@ -4707,7 +4753,7 @@ size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out)
     return s->clienthello->session_id_len;
 }
 
-size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out)
+size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out)
 {
     if (s->clienthello == NULL)
         return 0;
@@ -4716,7 +4762,7 @@ size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out)
     return PACKET_remaining(&s->clienthello->ciphersuites);
 }
 
-size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out)
+size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out)
 {
     if (s->clienthello == NULL)
         return 0;
@@ -4725,7 +4771,7 @@ size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out)
     return s->clienthello->compressions_len;
 }
 
-int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen)
+int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen)
 {
     RAW_EXTENSION *ext;
     int *present;
@@ -4757,7 +4803,7 @@ int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen)
     return 0;
 }
 
-int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
+int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
                        size_t *outlen)
 {
     size_t i;
@@ -5073,3 +5119,10 @@ uint32_t SSL_get_max_early_data(const SSL *s)
 {
     return s->max_early_data;
 }
+
+int ssl_randbytes(SSL *s, unsigned char *rnd, size_t size)
+{
+    if (s->drbg != NULL)
+        return RAND_DRBG_generate(s->drbg, rnd, size, 0, NULL, 0);
+    return RAND_bytes(rnd, (int)size);
+}