#include <openssl/md5.h>
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
+static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt);
static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
PACKET *cipher_suites,
STACK_OF(SSL_CIPHER)
{
OSSL_STATEM *st = &s->statem;
- /*
- * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time
- * we will update this to look more like real TLSv1.3
- */
-
/*
* Note: There is no case for TLS_ST_BEFORE because at that stage we have
* not negotiated TLSv1.3 yet, so that case is handled by
default:
break;
+ case TLS_ST_SW_HELLO_RETRY_REQUEST:
+ if (mt == SSL3_MT_CLIENT_HELLO) {
+ st->hand_state = TLS_ST_SR_CLNT_HELLO;
+ return 1;
+ }
+ break;
+
case TLS_ST_SW_FINISHED:
if (s->s3->tmp.cert_request) {
if (mt == SSL3_MT_CERTIFICATE) {
return 1;
}
break;
+
+ case TLS_ST_OK:
+ if (mt == SSL3_MT_KEY_UPDATE) {
+ st->hand_state = TLS_ST_SR_KEY_UPDATE;
+ return 1;
+ }
+ break;
}
/* No valid transition found */
{
OSSL_STATEM *st = &s->statem;
- /*
- * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time
- * we will update this to look more like real TLSv1.3
- */
-
/*
* No case for TLS_ST_BEFORE, because at that stage we have not negotiated
* TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
/* Shouldn't happen */
return WRITE_TRAN_ERROR;
+ case TLS_ST_OK:
+ if (s->key_update != SSL_KEY_UPDATE_NONE) {
+ st->hand_state = TLS_ST_SW_KEY_UPDATE;
+ return WRITE_TRAN_CONTINUE;
+ }
+ /* Try to read from the client instead */
+ return WRITE_TRAN_FINISHED;
+
case TLS_ST_SR_CLNT_HELLO:
- st->hand_state = TLS_ST_SW_SRVR_HELLO;
+ if (s->hello_retry_request)
+ st->hand_state = TLS_ST_SW_HELLO_RETRY_REQUEST;
+ else
+ st->hand_state = TLS_ST_SW_SRVR_HELLO;
return WRITE_TRAN_CONTINUE;
+ case TLS_ST_SW_HELLO_RETRY_REQUEST:
+ return WRITE_TRAN_FINISHED;
+
case TLS_ST_SW_SRVR_HELLO:
st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
return WRITE_TRAN_CONTINUE;
st->hand_state = TLS_ST_SW_SESSION_TICKET;
return WRITE_TRAN_CONTINUE;
+ case TLS_ST_SR_KEY_UPDATE:
+ if (s->key_update != SSL_KEY_UPDATE_NONE) {
+ st->hand_state = TLS_ST_SW_KEY_UPDATE;
+ return WRITE_TRAN_CONTINUE;
+ }
+ /* Fall through */
+
+ case TLS_ST_SW_KEY_UPDATE:
case TLS_ST_SW_SESSION_TICKET:
st->hand_state = TLS_ST_OK;
ossl_statem_set_in_init(s, 0);
/* No post work to be done */
break;
+ case TLS_ST_SW_HELLO_RETRY_REQUEST:
+ if (statem_flush(s) != 1)
+ return WORK_MORE_A;
+ break;
+
case TLS_ST_SW_HELLO_REQ:
if (statem_flush(s) != 1)
return WORK_MORE_A;
}
break;
+ case TLS_ST_SW_KEY_UPDATE:
+ if (statem_flush(s) != 1)
+ return WORK_MORE_A;
+ if (!tls13_update_key(s, 1))
+ return WORK_ERROR;
+ break;
+
case TLS_ST_SW_SESSION_TICKET:
if (SSL_IS_TLS13(s) && statem_flush(s) != 1)
return WORK_MORE_A;
*confunc = tls_construct_encrypted_extensions;
*mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
break;
+
+ case TLS_ST_SW_HELLO_RETRY_REQUEST:
+ *confunc = tls_construct_hello_retry_request;
+ *mt = SSL3_MT_HELLO_RETRY_REQUEST;
+ break;
+
+ case TLS_ST_SW_KEY_UPDATE:
+ *confunc = tls_construct_key_update;
+ *mt = SSL3_MT_KEY_UPDATE;
+ break;
}
return 1;
case TLS_ST_SR_FINISHED:
return FINISHED_MAX_LENGTH;
+
+ case TLS_ST_SR_KEY_UPDATE:
+ return KEY_UPDATE_MAX_LENGTH;
}
}
case TLS_ST_SR_FINISHED:
return tls_process_finished(s, pkt);
+
+ case TLS_ST_SR_KEY_UPDATE:
+ return tls_process_key_update(s, pkt);
+
}
}
if (clienthello.isv2) {
unsigned int mt;
+ if (!SSL_IS_FIRST_HANDSHAKE(s) || s->hello_retry_request) {
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE);
+ goto f_err;
+ }
+
/*-
* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
* header is sent directly on the wire, not wrapped as a TLS
/* Preserve the raw extensions PACKET for later use */
extensions = clienthello.extensions;
if (!tls_collect_extensions(s, &extensions, EXT_CLIENT_HELLO,
- &clienthello.pre_proc_exts, &al)) {
+ &clienthello.pre_proc_exts, &al,
+ &clienthello.pre_proc_exts_len)) {
/* SSLerr already been called */
goto f_err;
}
if (protverr) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
- if ((!s->enc_write_ctx && !s->write_hash)) {
+ if (SSL_IS_FIRST_HANDSHAKE(s)) {
/* like ssl3_get_record, send alert using remote version number */
s->version = s->client_version = clienthello.legacy_version;
}
if (!ssl_get_new_session(s, 1))
goto err;
} else {
- i = ssl_get_prev_session(s, &clienthello);
- /*
- * Only resume if the session's version matches the negotiated
- * version.
- * RFC 5246 does not provide much useful advice on resumption
- * with a different protocol version. It doesn't forbid it but
- * the sanity of such behaviour would be questionable.
- * In practice, clients do not accept a version mismatch and
- * will abort the handshake with an error.
- */
- if (i == 1 && s->version == s->session->ssl_version) {
+ i = ssl_get_prev_session(s, &clienthello, &al);
+ if (i == 1) {
/* previous session */
s->hit = 1;
} else if (i == -1) {
- goto err;
+ goto f_err;
} else {
/* i == 0 */
if (!ssl_get_new_session(s, 1))
goto f_err;
}
- /* Check we've got a key_share for TLSv1.3 */
- if (SSL_IS_TLS13(s) && s->s3->peer_tmp == NULL && !s->hit) {
- /* No suitable share */
- /* TODO(TLS1.3): Send a HelloRetryRequest */
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SUITABLE_KEY_SHARE);
- goto f_err;
- }
-
/*
* Check if we want to use external pre-shared secret for this handshake
* for not reused session only. We need to generate server_random before
ciphers = NULL;
/* check if some cipher was preferred by call back */
- pref_cipher =
- pref_cipher ? pref_cipher : ssl3_choose_cipher(s,
- s->
- session->ciphers,
- SSL_get_ciphers
- (s));
+ if (pref_cipher == NULL)
+ pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
+ SSL_get_ciphers(s));
if (pref_cipher == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
&& s->ctx->ext.status_cb != NULL) {
int ret;
- CERT_PKEY *certpkey = ssl_get_server_send_pkey(s);
/* If no certificate can't return certificate status */
- if (certpkey != NULL) {
+ if (s->s3->tmp.cert != NULL) {
/*
* Set current certificate to one we will use so SSL_get_certificate
* et al can pick it up.
*/
- s->cert->key = certpkey;
+ s->cert->key = s->s3->tmp.cert;
ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
switch (ret) {
/* We don't want to send a status request response */
goto f_err;
}
s->s3->tmp.new_cipher = cipher;
+ if (!tls_choose_sigalg(s, &al))
+ goto f_err;
/* check whether we should disable session resumption */
if (s->not_resumable_session_cb != NULL)
s->session->not_resumable =
s->s3->tmp.new_cipher = s->session->cipher;
}
- if (!(s->verify_mode & SSL_VERIFY_PEER)) {
- if (!ssl3_digest_cached_records(s, 0)) {
- al = SSL_AD_INTERNAL_ERROR;
- goto f_err;
- }
- }
-
/*-
* we now have the following setup.
* client_random
goto err;
}
+ if (!(s->verify_mode & SSL_VERIFY_PEER)
+ && !ssl3_digest_cached_records(s, 0)) {
+ al = SSL_AD_INTERNAL_ERROR;
+ goto err;
+ }
+
return 1;
err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
size_t encodedlen = 0;
int curve_id = 0;
#endif
- EVP_PKEY *pkey;
- const EVP_MD *md = NULL;
+ const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
int al = SSL_AD_INTERNAL_ERROR, i;
unsigned long type;
const BIGNUM *r[4];
goto f_err;
}
- if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
- && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
- if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
- == NULL) {
- al = SSL_AD_DECODE_ERROR;
- goto f_err;
- }
- } else {
- pkey = NULL;
+ if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
+ || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
+ lu = NULL;
+ } else if (lu == NULL) {
+ al = SSL_AD_DECODE_ERROR;
+ goto f_err;
}
#ifndef OPENSSL_NO_PSK
#endif
/* not anonymous */
- if (pkey != NULL) {
+ if (lu != NULL) {
+ EVP_PKEY *pkey = s->s3->tmp.cert->privatekey;
+ const EVP_MD *md = ssl_md(lu->hash_idx);
+ unsigned char *sigbytes1, *sigbytes2;
+ size_t siglen;
+
+ if (pkey == NULL || md == NULL) {
+ /* Should never happen */
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
/*
* n is the length of the params, they start at &(d[4]) and p
* points to the space at the end.
*/
- if (md) {
- unsigned char *sigbytes1, *sigbytes2;
- size_t siglen;
- int ispss = 0;
- /* Get length of the parameters we have written above */
- if (!WPACKET_get_length(pkt, ¶mlen)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
- ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
- /* send signature algorithm */
- if (SSL_USE_SIGALGS(s)) {
- if (!tls12_get_sigandhash(s, pkt, pkey, md, &ispss)) {
- /* Should never happen */
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
- ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
- }
-#ifdef SSL_DEBUG
- fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
-#endif
- /*
- * Create the signature. We don't know the actual length of the sig
- * until after we've created it, so we reserve enough bytes for it
- * up front, and then properly allocate them in the WPACKET
- * afterwards.
- */
- siglen = EVP_PKEY_size(pkey);
- if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
- || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
- ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
- if (ispss) {
- if (EVP_PKEY_CTX_set_rsa_padding(pctx,
- RSA_PKCS1_PSS_PADDING) <= 0
- /* -1 here means set saltlen to the digest len */
- || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
- ERR_R_EVP_LIB);
- goto f_err;
- }
- }
- if (EVP_DigestSignUpdate(md_ctx, &(s->s3->client_random[0]),
- SSL3_RANDOM_SIZE) <= 0
- || EVP_DigestSignUpdate(md_ctx, &(s->s3->server_random[0]),
- SSL3_RANDOM_SIZE) <= 0
- || EVP_DigestSignUpdate(md_ctx,
- s->init_buf->data + paramoffset,
- paramlen) <= 0
- || EVP_DigestSignFinal(md_ctx, sigbytes1, &siglen) <= 0
- || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
- || sigbytes1 != sigbytes2) {
+ /* Get length of the parameters we have written above */
+ if (!WPACKET_get_length(pkt, ¶mlen)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
+ /* send signature algorithm */
+ if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg))
+ return 0;
+ /*
+ * Create the signature. We don't know the actual length of the sig
+ * until after we've created it, so we reserve enough bytes for it
+ * up front, and then properly allocate them in the WPACKET
+ * afterwards.
+ */
+ siglen = EVP_PKEY_size(pkey);
+ if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
+ || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
+ if (lu->sig == EVP_PKEY_RSA_PSS) {
+ if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
+ || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
- ERR_R_INTERNAL_ERROR);
+ ERR_R_EVP_LIB);
goto f_err;
}
- } else {
- /* Is this error check actually needed? */
- al = SSL_AD_HANDSHAKE_FAILURE;
+ }
+ if (EVP_DigestSignUpdate(md_ctx, &(s->s3->client_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_DigestSignUpdate(md_ctx, &(s->s3->server_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_DigestSignUpdate(md_ctx,
+ s->init_buf->data + paramoffset,
+ paramlen) <= 0
+ || EVP_DigestSignFinal(md_ctx, sigbytes1, &siglen) <= 0
+ || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
+ || sigbytes1 != sigbytes2) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
- SSL_R_UNKNOWN_PKEY_TYPE);
+ ERR_R_INTERNAL_ERROR);
goto f_err;
}
}
}
if (SSL_USE_SIGALGS(s)) {
- const unsigned int *psigs;
+ const uint16_t *psigs;
size_t nl = tls12_get_psigalgs(s, 1, &psigs);
if (!WPACKET_start_sub_packet_u16(pkt)
unsigned char *rsa_decrypt = NULL;
int ret = 0;
- rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey);
+ rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey);
if (rsa == NULL) {
*al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_MISSING_RSA_CERTIFICATE);
goto f_err;
}
if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE,
- &rawexts, &al)
+ &rawexts, &al, NULL)
|| !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE,
rawexts, x, chainidx, &al)) {
OPENSSL_free(rawexts);
int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
{
- CERT_PKEY *cpk;
+ CERT_PKEY *cpk = s->s3->tmp.cert;
int al = SSL_AD_INTERNAL_ERROR;
- cpk = ssl_get_server_send_pkey(s);
if (cpk == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
return 0;
int len, slen_full, slen, lenfinal;
SSL_SESSION *sess;
unsigned int hlen;
- SSL_CTX *tctx = s->initial_ctx;
+ SSL_CTX *tctx = s->session_ctx;
unsigned char iv[EVP_MAX_IV_LENGTH];
unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
int iv_len, al = SSL_AD_INTERNAL_ERROR;
uint32_t age_add;
} age_add_u;
+ if (SSL_IS_TLS13(s)) {
+ if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0)
+ goto err;
+ s->session->ext.tick_age_add = age_add_u.age_add;
+ }
+
/* get session encoding length */
slen_full = i2d_SSL_SESSION(s->session, NULL);
/*
sizeof(tctx->ext.tick_key_name));
}
- if (SSL_IS_TLS13(s) && RAND_bytes(age_add_u.age_add_c,
- sizeof(age_add_u)) <= 0)
- goto err;
-
/*
* Ticket lifetime hint (advisory only): We leave this unspecified
* for resumed session (for simplicity), and guess that tickets for
return NULL;
}
+ OPENSSL_free(s->s3->tmp.ciphers_raw);
+ s->s3->tmp.ciphers_raw = NULL;
+ s->s3->tmp.ciphers_rawlen = 0;
+
if (sslv2format) {
size_t numciphers = PACKET_remaining(cipher_suites) / n;
PACKET sslv2ciphers = *cipher_suites;
sk_SSL_CIPHER_free(sk);
return NULL;
}
+
+static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt)
+{
+ int al = SSL_AD_INTERNAL_ERROR;
+
+ /*
+ * TODO(TLS1.3): Remove the DRAFT version before release
+ * (should be s->version)
+ */
+ if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
+ || !tls_construct_extensions(s, pkt, EXT_TLS1_3_HELLO_RETRY_REQUEST,
+ NULL, 0, &al)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR);
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ return 0;
+ }
+
+ /* Ditch the session. We'll create a new one next time around */
+ SSL_SESSION_free(s->session);
+ s->session = NULL;
+ s->hit = 0;
+
+ return 1;
+}
projects / openssl.git / blobdiff