projects / openssl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
[openssl.git] / ssl / t1_lib.c
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index e6ba33d85b1b847a6ba90670e8865b0fadc3c7e5..9ee7e7d71786f14b176ff7690d7b01500176e273 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -166,7 +166,7 @@ void tls1_free(SSL *s)
 void tls1_clear(SSL *s)
        {
        ssl3_clear(s);
-       s->version=TLS1_VERSION;
+       s->version = s->method->version;
        }
 
 #ifndef OPENSSL_NO_EC
@@ -275,6 +275,11 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
        int extdatalen=0;
        unsigned char *ret = p;
 
+       /* don't add extensions for SSLv3 unless doing secure renegotiation */
+       if (s->client_version == SSL3_VERSION
+                                       && !s->s3->send_connection_binding)
+               return p;
+
        ret+=2;
 
        if (ret>=limit) return NULL; /* this really never occurs, but ... */
@@ -311,8 +316,34 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                ret+=size_str;
                }
 
+        /* Add RI if renegotiating */
+        if (s->new_session)
+          {
+          int el;
+          
+          if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
+              {
+              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+              return NULL;
+              }
+
+          if((limit - p - 4 - el) < 0) return NULL;
+          
+          s2n(TLSEXT_TYPE_renegotiate,ret);
+          s2n(el,ret);
+
+          if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
+              {
+              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+              return NULL;
+              }
+
+          ret += el;
+        }
+
 #ifndef OPENSSL_NO_EC
-       if (s->tlsext_ecpointformatlist != NULL)
+       if (s->tlsext_ecpointformatlist != NULL &&
+           s->version != DTLS1_VERSION)
                {
                /* Add TLS extension ECPointFormats to the ClientHello message */
                long lenmax; 
@@ -331,7 +362,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
                ret+=s->tlsext_ecpointformatlist_length;
                }
-       if (s->tlsext_ellipticcurvelist != NULL)
+       if (s->tlsext_ellipticcurvelist != NULL &&
+           s->version != DTLS1_VERSION)
                {
                /* Add TLS extension EllipticCurves to the ClientHello message */
                long lenmax; 
@@ -361,7 +393,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
        if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
                {
                int ticklen;
-               if (s->session && s->session->tlsext_tick)
+               if (!s->new_session && s->session && s->session->tlsext_tick)
                        ticklen = s->session->tlsext_ticklen;
                else if (s->session && s->tlsext_session_ticket &&
                         s->tlsext_session_ticket->data)
@@ -395,7 +427,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                skip_ext:
 
 #ifdef TLSEXT_TYPE_opaque_prf_input
-       if (s->s3->client_opaque_prf_input != NULL)
+       if (s->s3->client_opaque_prf_input != NULL &&
+           s->version != DTLS1_VERSION)
                {
                size_t col = s->s3->client_opaque_prf_input_len;
                
@@ -412,7 +445,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                }
 #endif
 
-       if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
+       if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
+           s->version != DTLS1_VERSION)
                {
                int i;
                long extlen, idlen, itmp;
@@ -472,6 +506,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
        int extdatalen=0;
        unsigned char *ret = p;
 
+       /* don't add extensions for SSLv3, unless doing secure renegotiation */
+       if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
+               return p;
+       
        ret+=2;
        if (ret>=limit) return NULL; /* this really never occurs, but ... */
 
@@ -482,8 +520,34 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
                s2n(TLSEXT_TYPE_server_name,ret);
                s2n(0,ret);
                }
+
+       if(s->s3->send_connection_binding)
+        {
+          int el;
+          
+          if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
+              {
+              SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+              return NULL;
+              }
+
+          if((limit - p - 4 - el) < 0) return NULL;
+          
+          s2n(TLSEXT_TYPE_renegotiate,ret);
+          s2n(el,ret);
+
+          if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
+              {
+              SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+              return NULL;
+              }
+
+          ret += el;
+        }
+
 #ifndef OPENSSL_NO_EC
-       if (s->tlsext_ecpointformatlist != NULL)
+       if (s->tlsext_ecpointformatlist != NULL &&
+           s->version != DTLS1_VERSION)
                {
                /* Add TLS extension ECPointFormats to the ServerHello message */
                long lenmax; 
@@ -522,7 +586,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
                }
 
 #ifdef TLSEXT_TYPE_opaque_prf_input
-       if (s->s3->server_opaque_prf_input != NULL)
+       if (s->s3->server_opaque_prf_input != NULL &&
+           s->version != DTLS1_VERSION)
                {
                size_t sol = s->s3->server_opaque_prf_input_len;
                
@@ -566,15 +631,17 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
        unsigned short size;
        unsigned short len;
        unsigned char *data = *p;
+       int renegotiate_seen = 0;
+
        s->servername_done = 0;
        s->tlsext_status_type = -1;
 
        if (data >= (d+n-2))
-               return 1;
+               goto ri_check;
        n2s(data,len);
 
        if (data > (d+n-len)) 
-               return 1;
+               goto ri_check;
 
        while (data <= (d+n-4))
                {
@@ -582,7 +649,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                n2s(data,size);
 
                if (data+size > (d+n))
-                       return 1;
+                       goto ri_check;
 #if 0
                fprintf(stderr,"Received extension type %d size %d\n",type,size);
 #endif
@@ -687,7 +754,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        }
 
 #ifndef OPENSSL_NO_EC
-               else if (type == TLSEXT_TYPE_ec_point_formats)
+               else if (type == TLSEXT_TYPE_ec_point_formats &&
+                    s->version != DTLS1_VERSION)
                        {
                        unsigned char *sdata = data;
                        int ecpointformatlist_length = *(sdata++);
@@ -714,7 +782,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        fprintf(stderr,"\n");
 #endif
                        }
-               else if (type == TLSEXT_TYPE_elliptic_curves)
+               else if (type == TLSEXT_TYPE_elliptic_curves &&
+                    s->version != DTLS1_VERSION)
                        {
                        unsigned char *sdata = data;
                        int ellipticcurvelist_length = (*(sdata++) << 8);
@@ -744,7 +813,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        }
 #endif /* OPENSSL_NO_EC */
 #ifdef TLSEXT_TYPE_opaque_prf_input
-               else if (type == TLSEXT_TYPE_opaque_prf_input)
+               else if (type == TLSEXT_TYPE_opaque_prf_input &&
+                    s->version != DTLS1_VERSION)
                        {
                        unsigned char *sdata = data;
 
@@ -782,8 +852,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                return 0;
                                }
                        }
-               else if (type == TLSEXT_TYPE_status_request
-                                               && s->ctx->tlsext_status_cb)
+               else if (type == TLSEXT_TYPE_renegotiate)
+                       {
+                       if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
+                               return 0;
+                       renegotiate_seen = 1;
+                       }
+               else if (type == TLSEXT_TYPE_status_request &&
+                        s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
                        {
                
                        if (size < 5) 
@@ -888,6 +964,20 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                }
                                
        *p = data;
+
+       ri_check:
+
+       /* Need RI if renegotiating */
+
+       if (!renegotiate_seen && s->new_session &&
+               !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+               {
+               *al = SSL_AD_HANDSHAKE_FAILURE;
+               SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
+                               SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+               return 0;
+               }
+
        return 1;
        }
 
@@ -897,11 +987,11 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
        unsigned short size;
        unsigned short len;  
        unsigned char *data = *p;
-
        int tlsext_servername = 0;
+       int renegotiate_seen = 0;
 
        if (data >= (d+n-2))
-               return 1;
+               goto ri_check;
 
        n2s(data,len);
 
@@ -911,7 +1001,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                n2s(data,size);
 
                if (data+size > (d+n))
-                       return 1;
+                       goto ri_check;
 
                if (s->tlsext_debug_cb)
                        s->tlsext_debug_cb(s, 1, type, data, size,
@@ -928,7 +1018,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        }
 
 #ifndef OPENSSL_NO_EC
-               else if (type == TLSEXT_TYPE_ec_point_formats)
+               else if (type == TLSEXT_TYPE_ec_point_formats &&
+                    s->version != DTLS1_VERSION)
                        {
                        unsigned char *sdata = data;
                        int ecpointformatlist_length = *(sdata++);
@@ -974,7 +1065,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        s->tlsext_ticket_expected = 1;
                        }
 #ifdef TLSEXT_TYPE_opaque_prf_input
-               else if (type == TLSEXT_TYPE_opaque_prf_input)
+               else if (type == TLSEXT_TYPE_opaque_prf_input &&
+                    s->version != DTLS1_VERSION)
                        {
                        unsigned char *sdata = data;
 
@@ -1004,7 +1096,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                }
                        }
 #endif
-               else if (type == TLSEXT_TYPE_status_request)
+               else if (type == TLSEXT_TYPE_status_request &&
+                        s->version != DTLS1_VERSION)
                        {
                        /* MUST be empty and only sent if we've requested
                         * a status request message.
@@ -1017,7 +1110,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        /* Set flag to expect CertificateStatus message */
                        s->tlsext_status_expected = 1;
                        }
-
+               else if (type == TLSEXT_TYPE_renegotiate)
+                       {
+                       if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
+                               return 0;
+                       renegotiate_seen = 1;
+                       }
                data+=size;             
                }
 
@@ -1049,6 +1147,26 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                }
 
        *p = data;
+
+       ri_check:
+
+       /* Determine if we need to see RI. Strictly speaking if we want to
+        * avoid an attack we should *always* see RI even on initial server
+        * hello because the client doesn't see any renegotiation during an
+        * attack. However this would mean we could not connect to any server
+        * which doesn't support RI so for the immediate future tolerate RI
+        * absence on initial connect only.
+        */
+       if (!renegotiate_seen
+               && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
+               && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+               {
+               *al = SSL_AD_HANDSHAKE_FAILURE;
+               SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
+                               SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+               return 0;
+               }
+
        return 1;
        }
 
@@ -1197,7 +1315,7 @@ int ssl_check_clienthello_tlsext(SSL *s)
         * Note: this must be called after servername callbacks in case 
         * the certificate has changed.
         */
-       if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
+       if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
                {
                int r;
                r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
@@ -1372,7 +1490,7 @@ int ssl_check_serverhello_tlsext(SSL *s)
         * tell the callback
         */
        if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
-                       && s->ctx->tlsext_status_cb)
+                       && s->ctx && s->ctx->tlsext_status_cb)
                {
                int r;
                /* Set resp to NULL, resplen to -1 so callback knows
@@ -1436,6 +1554,14 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
                return 1;
        if (p >= limit)
                return -1;
+       /* Skip past DTLS cookie */
+       if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
+               {
+               i = *(p++);
+               p+= i;
+               if (p >= limit)
+                       return -1;
+               }
        /* Skip past cipher list */
        n2s(p, i);
        p+= i;
@@ -1500,16 +1626,17 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
        unsigned char tick_hmac[EVP_MAX_MD_SIZE];
        HMAC_CTX hctx;
        EVP_CIPHER_CTX ctx;
+       SSL_CTX *tctx = s->initial_ctx;
        /* Need at least keyname + iv + some encrypted data */
        if (eticklen < 48)
                goto tickerr;
        /* Initialize session ticket encryption and HMAC contexts */
        HMAC_CTX_init(&hctx);
        EVP_CIPHER_CTX_init(&ctx);
-       if (s->ctx->tlsext_ticket_key_cb)
+       if (tctx->tlsext_ticket_key_cb)
                {
                unsigned char *nctick = (unsigned char *)etick;
-               int rv = s->ctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
+               int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
                                                        &ctx, &hctx, 0);
                if (rv < 0)
                        return -1;
@@ -1521,17 +1648,22 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
        else
                {
                /* Check key name matches */
-               if (memcmp(etick, s->ctx->tlsext_tick_key_name, 16))
+               if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
                        goto tickerr;
-               HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
+               HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
                                        tlsext_tick_md(), NULL);
                EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
-                               s->ctx->tlsext_tick_aes_key, etick + 16);
+                               tctx->tlsext_tick_aes_key, etick + 16);
                }
        /* Attempt to process session ticket, first conduct sanity and
         * integrity checks on ticket.
         */
        mlen = HMAC_size(&hctx);
+       if (mlen < 0)
+               {
+               EVP_CIPHER_CTX_cleanup(&ctx);
+               return -1;
+               }
        eticklen -= mlen;
        /* Check HMAC of encrypted ticket */
        HMAC_Update(&hctx, etick, eticklen);
Unnamed repository; edit this file 'description' to name the repository.