*/
return WRITE_TRAN_FINISHED;
}
- /* Renegotiation - fall through */
+ /* Renegotiation */
+ /* fall thru */
case TLS_ST_BEFORE:
st->hand_state = TLS_ST_CW_CLNT_HELLO;
return WRITE_TRAN_CONTINUE;
case TLS_ST_CR_CERT_REQ:
return tls_prepare_client_certificate(s, wst);
-
-#ifndef OPENSSL_NO_SCTP
- case TLS_ST_CR_SRVR_DONE:
- /* We only get here if we are using SCTP and we are renegotiating */
- if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
- s->s3->in_read_app_data = 2;
- s->rwstate = SSL_READING;
- BIO_clear_retry_flags(SSL_get_rbio(s));
- BIO_set_retry_read(SSL_get_rbio(s));
- ossl_statem_set_sctp_read_sock(s, 1);
- return WORK_MORE_A;
- }
- ossl_statem_set_sctp_read_sock(s, 0);
- return WORK_FINISHED_STOP;
-#endif
}
}
return 0;
}
- if ((sess == NULL) || !ssl_version_supported(s, sess->ssl_version) ||
- /*
- * In the case of EAP-FAST, we can have a pre-shared
- * "ticket" without a session ID.
- */
- (!sess->session_id_length && !sess->ext.tick) ||
- (sess->not_resumable)) {
+ if (sess == NULL
+ || !ssl_version_supported(s, sess->ssl_version)
+ || !SSL_SESSION_is_resumable(sess)) {
if (!ssl_get_new_session(s, 0))
return 0;
}
}
/* TLS extensions */
- if (!tls_construct_extensions(s, pkt, EXT_CLIENT_HELLO, NULL, 0, &al)) {
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return 0;
}
* If it is a disabled cipher we either didn't send it in client hello,
* or it's not allowed for the selected protocol. So we return an error.
*/
- if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK)) {
+ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) {
SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_WRONG_CIPHER_RETURNED);
return 0;
}
if (s->session->cipher != NULL)
s->session->cipher_id = s->session->cipher->id;
if (s->hit && (s->session->cipher_id != c->id)) {
- SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE,
- SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
- return 0;
+ if (SSL_IS_TLS13(s)) {
+ /*
+ * In TLSv1.3 it is valid for the server to select a different
+ * ciphersuite as long as the hash is the same.
+ */
+ if (ssl_md(c->algorithm2)
+ != ssl_md(s->session->cipher->algorithm2)) {
+ SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE,
+ SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED);
+ return 0;
+ }
+ } else {
+ /*
+ * Prior to TLSv1.3 resuming a session always meant using the same
+ * ciphersuite.
+ */
+ SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE,
+ SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
+ return 0;
+ }
}
s->s3->tmp.new_cipher = c;
goto f_err;
}
- /* We do this immediately so we know what format the ServerHello is in */
- protverr = ssl_choose_client_version(s, sversion);
+ /* load the server random */
+ if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+
+ /*
+ * We do this immediately so we know what format the ServerHello is in.
+ * Must be done after reading the random data so we can check for the
+ * TLSv1.3 downgrade sentinels
+ */
+ protverr = ssl_choose_client_version(s, sversion, 1, &al);
if (protverr != 0) {
- al = SSL_AD_PROTOCOL_VERSION;
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, protverr);
goto f_err;
}
goto f_err;
}
- /* load the server hello data */
- /* load the server random */
- if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
- goto f_err;
- }
-
/* Get the session-id. */
if (!SSL_IS_TLS13(s)) {
if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
/* TLS extensions */
if (PACKET_remaining(pkt) == 0) {
PACKET_null_init(&extpkt);
- } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)) {
+ } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
+ || PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_LENGTH);
goto f_err;
}
- context = SSL_IS_TLS13(s) ? EXT_TLS1_3_SERVER_HELLO
- : EXT_TLS1_2_SERVER_HELLO;
- if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al, NULL))
+ context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO
+ : SSL_EXT_TLS1_2_SERVER_HELLO;
+ if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al, NULL, 1))
goto f_err;
s->hit = 0;
if (SSL_IS_TLS13(s)) {
/* This will set s->hit if we are resuming */
if (!tls_parse_extension(s, TLSEXT_IDX_psk,
- EXT_TLS1_3_SERVER_HELLO,
+ SSL_EXT_TLS1_3_SERVER_HELLO,
extensions, NULL, 0, &al))
goto f_err;
} else {
}
#endif
- if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, &al))
+ if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, &al, 1))
goto f_err;
#ifndef OPENSSL_NO_SCTP
s->hello_retry_request = 1;
/* This will fail if it doesn't choose TLSv1.3+ */
- errorcode = ssl_choose_client_version(s, sversion);
+ errorcode = ssl_choose_client_version(s, sversion, 0, &al);
if (errorcode != 0) {
- al = SSL_AD_PROTOCOL_VERSION;
SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, errorcode);
goto f_err;
}
goto f_err;
}
- if (!PACKET_as_length_prefixed_2(pkt, &extpkt)) {
+ if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
+ /* Must have a non-empty extensions block */
+ || PACKET_remaining(&extpkt) == 0
+ /* Must be no trailing data after extensions */
+ || PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_BAD_LENGTH);
goto f_err;
}
- if (!tls_collect_extensions(s, &extpkt, EXT_TLS1_3_HELLO_RETRY_REQUEST,
- &extensions, &al, NULL)
- || !tls_parse_all_extensions(s, EXT_TLS1_3_HELLO_RETRY_REQUEST,
- extensions, NULL, 0, &al))
+ if (!tls_collect_extensions(s, &extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
+ &extensions, &al, NULL, 1)
+ || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
+ extensions, NULL, 0, &al, 1))
goto f_err;
OPENSSL_free(extensions);
+ extensions = NULL;
+
+ if (s->ext.tls13_cookie_len == 0 && s->s3->tmp.pkey != NULL) {
+ /*
+ * We didn't receive a cookie or a new key_share so the next
+ * ClientHello will not change
+ */
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST,
+ SSL_R_NO_CHANGE_FOLLOWING_HRR);
+ goto f_err;
+ }
/*
* Re-initialise the Transcript Hash. We're going to prepopulate it with
if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context))
|| context != 0
|| !PACKET_get_net_3(pkt, &cert_list_len)
- || PACKET_remaining(pkt) != cert_list_len) {
+ || PACKET_remaining(pkt) != cert_list_len
+ || PACKET_remaining(pkt) == 0) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
goto f_err;
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_BAD_LENGTH);
goto f_err;
}
- if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE,
- &rawexts, &al, NULL)
- || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE,
- rawexts, x, chainidx, &al)) {
+ if (!tls_collect_extensions(s, &extensions,
+ SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
+ &al, NULL, chainidx == 0)
+ || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
+ rawexts, x, chainidx, &al,
+ PACKET_remaining(pkt) == 0)) {
OPENSSL_free(rawexts);
goto f_err;
}
if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
x = NULL;
- al = SSL3_AL_FATAL;
+ al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
goto f_err;
}
if (!srp_verify_server_param(s, al)) {
- *al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, SSL_R_BAD_SRP_PARAMETERS);
return 0;
}
goto err;
}
- /* test non-zero pupkey */
+ /* test non-zero pubkey */
if (BN_is_zero(bnpub_key)) {
- *al = SSL_AD_DECODE_ERROR;
+ *al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_BAD_DH_VALUE);
goto err;
}
p = g = NULL;
if (DH_check_params(dh, &check_bits) == 0 || check_bits != 0) {
- *al = SSL_AD_DECODE_ERROR;
+ *al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_BAD_DH_VALUE);
goto err;
}
* invalid curve. ECParameters is 3 bytes.
*/
if (!tls1_check_curve(s, ecparams, 3)) {
- *al = SSL_AD_DECODE_ERROR;
+ *al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_WRONG_CURVE);
return 0;
}
if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
PACKET_data(&encoded_pt),
PACKET_remaining(&encoded_pt))) {
- *al = SSL_AD_DECODE_ERROR;
+ *al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_BAD_ECPOINT);
return 0;
}
if (!PACKET_get_sub_packet(&save_param_start, ¶ms,
PACKET_remaining(&save_param_start) -
PACKET_remaining(pkt))) {
- al = SSL_AD_INTERNAL_ERROR;
+ al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto err;
}
goto err;
}
if (!tls_collect_extensions(s, &extensions,
- EXT_TLS1_3_CERTIFICATE_REQUEST,
- &rawexts, &al, NULL)
- || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE_REQUEST,
- rawexts, NULL, 0, &al)) {
+ SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
+ &rawexts, &al, NULL, 1)
+ || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
+ rawexts, NULL, 0, &al, 1)) {
OPENSSL_free(rawexts);
goto err;
}
if (ticklen == 0)
return MSG_PROCESS_CONTINUE_READING;
- /* TODO(TLS1.3): Is this a suitable test for TLS1.3? */
- if (s->session->session_id_length > 0) {
+ /*
+ * Sessions must be immutable once they go into the session cache. Otherwise
+ * we can get multi-thread problems. Therefore we don't "update" sessions,
+ * we replace them with a duplicate. In TLSv1.3 we need to do this every
+ * time a NewSessionTicket arrives because those messages arrive
+ * post-handshake and the session may have already gone into the session
+ * cache.
+ */
+ if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) {
int i = s->session_ctx->session_cache_mode;
SSL_SESSION *new_sess;
/*
PACKET extpkt;
if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
+ || PACKET_remaining(pkt) != 0
|| !tls_collect_extensions(s, &extpkt,
- EXT_TLS1_3_NEW_SESSION_TICKET,
- &exts, &al, NULL)
- || !tls_parse_all_extensions(s, EXT_TLS1_3_NEW_SESSION_TICKET,
- exts, NULL, 0, &al)) {
+ SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
+ &exts, &al, NULL, 1)
+ || !tls_parse_all_extensions(s,
+ SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
+ exts, NULL, 0, &al, 1)) {
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_BAD_EXTENSION);
goto f_err;
}
if (!tls_process_initial_server_flight(s, &al))
goto err;
-#ifndef OPENSSL_NO_SCTP
- /* Only applies to renegotiation */
- if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))
- && s->renegotiate != 0)
- return MSG_PROCESS_CONTINUE_PROCESSING;
- else
-#endif
- return MSG_PROCESS_FINISHED_READING;
+ return MSG_PROCESS_FINISHED_READING;
err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
identitylen = strlen(identity);
if (identitylen > PSK_MAX_IDENTITY_LEN) {
SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
- *al = SSL_AD_HANDSHAKE_FAILURE;
+ *al = SSL_AD_INTERNAL_ERROR;
goto err;
}
goto err;
}
- s->s3->tmp.pms = pms;
- s->s3->tmp.pmslen = pmslen;
-
/* Log the premaster secret, if logging is enabled. */
if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen))
goto err;
+ s->s3->tmp.pms = pms;
+ s->s3->tmp.pmslen = pmslen;
+
return 1;
err:
OPENSSL_clear_free(pms, pmslen);
dgst_nid = NID_id_GostR3411_2012_256;
/*
- * Get server sertificate PKEY and create ctx from it
+ * Get server certificate PKEY and create ctx from it
*/
peer_cert = s->session->peer;
if (!peer_cert) {
if (!tls_construct_cke_srp(s, pkt, &al))
goto err;
} else if (!(alg_k & SSL_kPSK)) {
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto err;
}
return MSG_PROCESS_ERROR;
}
+ if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
+ ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
+ return MSG_PROCESS_FINISHED_READING;
+ }
+
/*
* This is a historical discrepancy (not in the RFC) maintained for
* compatibility reasons. If a TLS client receives a HelloRequest it will
PACKET extensions;
RAW_EXTENSION *rawexts = NULL;
- if (!PACKET_as_length_prefixed_2(pkt, &extensions)) {
+ if (!PACKET_as_length_prefixed_2(pkt, &extensions)
+ || PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS, SSL_R_LENGTH_MISMATCH);
goto err;
}
- if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
- &rawexts, &al, NULL)
- || !tls_parse_all_extensions(s, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
- rawexts, NULL, 0, &al))
+ if (!tls_collect_extensions(s, &extensions,
+ SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts,
+ &al, NULL, 1)
+ || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
+ rawexts, NULL, 0, &al, 1))
goto err;
OPENSSL_free(rawexts);
int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
{
int i;
- size_t totlen = 0, len, maxlen;
+ size_t totlen = 0, len, maxlen, maxverok = 0;
int empty_reneg_info_scsv = !s->renegotiate;
/* Set disabled masks for this session */
ssl_set_client_disabled(s);
c = sk_SSL_CIPHER_value(sk, i);
/* Skip disabled ciphers */
- if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
+ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
continue;
if (!s->method->put_cipher_by_char(c, pkt, &len)) {
return 0;
}
+ /* Sanity check that the maximum version we offer has ciphers enabled */
+ if (!maxverok) {
+ if (SSL_IS_DTLS(s)) {
+ if (DTLS_VERSION_GE(c->max_dtls, s->s3->tmp.max_ver)
+ && DTLS_VERSION_LE(c->min_dtls, s->s3->tmp.max_ver))
+ maxverok = 1;
+ } else {
+ if (c->max_tls >= s->s3->tmp.max_ver
+ && c->min_tls <= s->s3->tmp.max_ver)
+ maxverok = 1;
+ }
+ }
+
totlen += len;
}
- if (totlen == 0) {
+ if (totlen == 0 || !maxverok) {
SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, SSL_R_NO_CIPHERS_AVAILABLE);
+
+ if (!maxverok)
+ ERR_add_error_data(1, "No ciphers enabled for max supported "
+ "SSL/TLS version");
+
return 0;
}
projects / openssl.git / blobdiff