Export keying material using early exporter master secret
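--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -11,6 +11,7 @@
 #include <openssl/rand.h>
 #include "../ssl_locl.h"
 #include "statem_locl.h"
+#include <assert.h>
 
 /*
  * This file implements the SSL/TLS/DTLS state machines.
@@ -117,6 +118,8 @@ void ossl_statem_set_renegotiate(SSL *s)
 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
                        int line)
 {
+    /* We shouldn't call SSLfatal() twice. Once is enough */
+    assert(s->statem.state != MSG_FLOW_ERROR);
     s->statem.in_init = 1;
     s->statem.state = MSG_FLOW_ERROR;
     ERR_put_error(ERR_LIB_SSL, func, reason, file, line);
@@ -124,6 +127,19 @@ void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
         ssl3_send_alert(s, SSL3_AL_FATAL, al);
 }
 
+/*
+ * This macro should only be called if we are already expecting to be in
+ * a fatal error state. We verify that we are, and set it if not (this would
+ * indicate a bug).
+ */
+#define check_fatal(s, f) \
+    do { \
+        if (!ossl_assert((s)->statem.in_init \
+                         && (s)->statem.state == MSG_FLOW_ERROR)) \
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, (f), \
+                     SSL_R_MISSING_FATAL); \
+    } while (0)
+
 /*
  * Discover whether the current connection is in the error state.
  *
@@ -295,7 +311,11 @@ static int state_machine(SSL *s, int server)
 
     st->in_handshake++;
     if (!SSL_in_init(s) || SSL_in_before(s)) {
-        if (!SSL_clear(s))
+        /*
+         * If we are stateless then we already called SSL_clear() - don't do
+         * it again and clear the STATELESS flag itself.
+         */
+        if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear(s))
             return -1;
     }
 #ifndef OPENSSL_NO_SCTP
@@ -321,29 +341,42 @@ static int state_machine(SSL *s, int server)
         if (cb != NULL)
             cb(s, SSL_CB_HANDSHAKE_START, 1);
 
+        /*
+         * Fatal errors in this block don't send an alert because we have
+         * failed to even initialise properly. Sending an alert is probably
+         * doomed to failure.
+         */
+
         if (SSL_IS_DTLS(s)) {
             if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
                 (server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) {
-                SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
+                SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
+                         ERR_R_INTERNAL_ERROR);
                 goto end;
             }
         } else {
             if ((s->version >> 8) != SSL3_VERSION_MAJOR) {
-                SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
+                SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
+                         ERR_R_INTERNAL_ERROR);
                 goto end;
             }
         }
 
         if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
-            SSLerr(SSL_F_STATE_MACHINE, SSL_R_VERSION_TOO_LOW);
+            SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
+                     ERR_R_INTERNAL_ERROR);
             goto end;
         }
 
         if (s->init_buf == NULL) {
             if ((buf = BUF_MEM_new()) == NULL) {
+                SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
+                         ERR_R_INTERNAL_ERROR);
                 goto end;
             }
             if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
+                SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
+                         ERR_R_INTERNAL_ERROR);
                 goto end;
             }
             s->init_buf = buf;
@@ -351,6 +384,8 @@ static int state_machine(SSL *s, int server)
         }
 
         if (!ssl3_setup_buffers(s)) {
+            SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
+                     ERR_R_INTERNAL_ERROR);
             goto end;
         }
         s->init_num = 0;
@@ -368,13 +403,17 @@ static int state_machine(SSL *s, int server)
         if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s)))
 #endif
             if (!ssl_init_wbio_buffer(s)) {
+                SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
+                         ERR_R_INTERNAL_ERROR);
                 goto end;
             }
 
         if ((SSL_in_before(s))
                 || s->renegotiate) {
-            if (!tls_setup_handshake(s))
+            if (!tls_setup_handshake(s)) {
+                /* SSLfatal() already called */
                 goto end;
+            }
 
             if (SSL_IS_FIRST_HANDSHAKE(s))
                 st->read_state_first_init = 1;
@@ -407,8 +446,8 @@ static int state_machine(SSL *s, int server)
             }
         } else {
             /* Error */
-            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_STATE_MACHINE,
-                     ERR_R_INTERNAL_ERROR);
+            check_fatal(s, SSL_F_STATE_MACHINE);
+            SSLerr(SSL_F_STATE_MACHINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
             goto end;
         }
     }
@@ -551,6 +590,7 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
              * to that state if so
              */
             if (!transition(s, mt)) {
+                check_fatal(s, SSL_F_READ_STATE_MACHINE);
                 return SUB_STATE_ERROR;
             }
 
@@ -596,6 +636,7 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
 
             switch (ret) {
             case MSG_PROCESS_ERROR:
+                check_fatal(s, SSL_F_READ_STATE_MACHINE);
                 return SUB_STATE_ERROR;
 
             case MSG_PROCESS_FINISHED_READING:
@@ -619,6 +660,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
             st->read_state_work = post_process_message(s, st->read_state_work);
             switch (st->read_state_work) {
             case WORK_ERROR:
+                check_fatal(s, SSL_F_READ_STATE_MACHINE);
+                /* Fall through */
             case WORK_MORE_A:
             case WORK_MORE_B:
             case WORK_MORE_C:
@@ -754,6 +797,7 @@ static SUB_STATE_RETURN write_state_machine(SSL *s)
                 break;
 
             case WRITE_TRAN_ERROR:
+                check_fatal(s, SSL_F_WRITE_STATE_MACHINE);
                 return SUB_STATE_ERROR;
             }
             break;
@@ -761,6 +805,8 @@ static SUB_STATE_RETURN write_state_machine(SSL *s)
         case WRITE_STATE_PRE_WORK:
             switch (st->write_state_work = pre_work(s, st->write_state_work)) {
             case WORK_ERROR:
+                check_fatal(s, SSL_F_WRITE_STATE_MACHINE);
+                /* Fall through */
             case WORK_MORE_A:
             case WORK_MORE_B:
             case WORK_MORE_C:
@@ -792,7 +838,7 @@ static SUB_STATE_RETURN write_state_machine(SSL *s)
             }
             if (confunc != NULL && !confunc(s, &pkt)) {
                 WPACKET_cleanup(&pkt);
-                /* SSLfatal() already called */
+                check_fatal(s, SSL_F_WRITE_STATE_MACHINE);
                 return SUB_STATE_ERROR;
             }
             if (!ssl_close_construct_packet(s, &pkt, mt)
@@ -820,6 +866,8 @@ static SUB_STATE_RETURN write_state_machine(SSL *s)
         case WRITE_STATE_POST_WORK:
             switch (st->write_state_work = post_work(s, st->write_state_work)) {
             case WORK_ERROR:
+                check_fatal(s, SSL_F_WRITE_STATE_MACHINE);
+                /* Fall through */
             case WORK_MORE_A:
             case WORK_MORE_B:
             case WORK_MORE_C:
@@ -835,6 +883,8 @@ static SUB_STATE_RETURN write_state_machine(SSL *s)
             break;
 
         default:
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE,
+                     ERR_R_INTERNAL_ERROR);
             return SUB_STATE_ERROR;
         }
     }
@@ -891,3 +941,28 @@ int ossl_statem_app_data_allowed(SSL *s)
 
     return 0;
 }
+
+/*
+ * This function returns 1 if TLS exporter is ready to export keying
+ * material, or 0 if otherwise.
+ */
+int ossl_statem_export_allowed(SSL *s)
+{
+    return s->s3->previous_server_finished_len != 0
+           && s->statem.hand_state != TLS_ST_SW_FINISHED;
+}
+
+/*
+ * Return 1 if early TLS exporter is ready to export keying material,
+ * or 0 if otherwise.
+ */
+int ossl_statem_export_early_allowed(SSL *s)
+{
+    /*
+     * The early exporter secret is only present on the server if we
+     * have accepted early_data. It is present on the client as long
+     * as we have sent early_data.
+     */
+    return s->ext.early_data == SSL_EARLY_DATA_ACCEPTED
+           || (!s->server && s->ext.early_data != SSL_EARLY_DATA_NOT_SENT);
+}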