X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=527ec1f9469ca119d1e889b70b53b2dacd7898c7;hp=72c47d6473b417b85ec87634a9ff13db98208188;hb=12053a81c875473355e441d00ac81ed3c501dc9b;hpb=76106e60a827ddaefe1fee28a749018241d8f517 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 72c47d6473..527ec1f946 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -330,7 +330,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { /* The DH ciphers */ /* Cipher 0B */ { - 1, + 0, SSL3_TXT_DH_DSS_DES_40_CBC_SHA, SSL3_CK_DH_DSS_DES_40_CBC_SHA, SSL_kDHd, @@ -378,7 +378,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { /* Cipher 0E */ { - 1, + 0, SSL3_TXT_DH_RSA_DES_40_CBC_SHA, SSL3_CK_DH_RSA_DES_40_CBC_SHA, SSL_kDHr, @@ -1612,6 +1612,40 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#ifndef OPENSSL_NO_PSK + /* Cipher A8 */ + { + 1, + TLS1_TXT_PSK_WITH_AES_128_GCM_SHA256, + TLS1_CK_PSK_WITH_AES_128_GCM_SHA256, + SSL_kPSK, + SSL_aPSK, + SSL_AES128GCM, + SSL_AEAD, + SSL_TLSV1_2, + SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + + /* Cipher A9 */ + { + 1, + TLS1_TXT_PSK_WITH_AES_256_GCM_SHA384, + TLS1_CK_PSK_WITH_AES_256_GCM_SHA384, + SSL_kPSK, + SSL_aPSK, + SSL_AES256GCM, + SSL_AEAD, + SSL_TLSV1_2, + SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + +#endif #ifndef OPENSSL_NO_CAMELLIA /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ @@ -2894,23 +2928,25 @@ void ssl3_free(SSL *s) return; ssl3_cleanup_key_block(s); + +#ifndef OPENSSL_NO_RSA + RSA_free(s->s3->peer_rsa_tmp); +#endif #ifndef OPENSSL_NO_DH DH_free(s->s3->tmp.dh); + DH_free(s->s3->peer_dh_tmp); #endif #ifndef OPENSSL_NO_EC EC_KEY_free(s->s3->tmp.ecdh); + EC_KEY_free(s->s3->peer_ecdh_tmp); #endif sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); OPENSSL_free(s->s3->tmp.ciphers_raw); OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); OPENSSL_free(s->s3->tmp.peer_sigalgs); - BIO_free(s->s3->handshake_buffer); - if (s->s3->handshake_dgst) - ssl3_free_digest_list(s); -#ifndef OPENSSL_NO_TLSEXT + ssl3_free_digest_list(s); OPENSSL_free(s->s3->alpn_selected); -#endif #ifndef OPENSSL_NO_SRP SSL_SRP_CTX_free(s); @@ -2932,32 +2968,33 @@ void ssl3_clear(SSL *s) OPENSSL_free(s->s3->tmp.peer_sigalgs); s->s3->tmp.peer_sigalgs = NULL; +#ifndef OPENSSL_NO_RSA + RSA_free(s->s3->peer_rsa_tmp); + s->s3->peer_rsa_tmp = NULL; +#endif + #ifndef OPENSSL_NO_DH DH_free(s->s3->tmp.dh); s->s3->tmp.dh = NULL; + DH_free(s->s3->peer_dh_tmp); + s->s3->peer_dh_tmp = NULL; #endif #ifndef OPENSSL_NO_EC EC_KEY_free(s->s3->tmp.ecdh); s->s3->tmp.ecdh = NULL; -#endif -#ifndef OPENSSL_NO_TLSEXT -# ifndef OPENSSL_NO_EC + EC_KEY_free(s->s3->peer_ecdh_tmp); + s->s3->peer_ecdh_tmp = NULL; s->s3->is_probably_safari = 0; -# endif /* !OPENSSL_NO_EC */ -#endif /* !OPENSSL_NO_TLSEXT */ +#endif /* !OPENSSL_NO_EC */ init_extra = s->s3->init_extra; - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; - if (s->s3->handshake_dgst) { - ssl3_free_digest_list(s); - } -#if !defined(OPENSSL_NO_TLSEXT) + ssl3_free_digest_list(s); + if (s->s3->alpn_selected) { - free(s->s3->alpn_selected); + OPENSSL_free(s->s3->alpn_selected); s->s3->alpn_selected = NULL; } -#endif + memset(s->s3, 0, sizeof(*s->s3)); s->s3->init_extra = init_extra; @@ -2969,7 +3006,7 @@ void ssl3_clear(SSL *s) s->s3->in_read_app_data = 0; s->version = SSL3_VERSION; -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) OPENSSL_free(s->next_proto_negotiated); s->next_proto_negotiated = NULL; s->next_proto_negotiated_len = 0; @@ -3109,7 +3146,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return (ret); } #endif /* !OPENSSL_NO_EC */ -#ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_HOSTNAME: if (larg == TLSEXT_NAMETYPE_host_name) { OPENSSL_free(s->tlsext_hostname); @@ -3172,7 +3208,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ret = 1; break; -# ifndef OPENSSL_NO_HEARTBEATS +#ifndef OPENSSL_NO_HEARTBEATS case SSL_CTRL_TLS_EXT_SEND_HEARTBEAT: if (SSL_IS_DTLS(s)) ret = dtls1_heartbeat(s); @@ -3191,9 +3227,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) s->tlsext_heartbeat &= ~SSL_TLSEXT_HB_DONT_RECV_REQUESTS; ret = 1; break; -# endif - -#endif /* !OPENSSL_NO_TLSEXT */ +#endif case SSL_CTRL_CHAIN: if (larg) @@ -3324,9 +3358,9 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_PEER_SIGNATURE_NID: if (SSL_USE_SIGALGS(s)) { - if (s->session && s->session->sess_cert) { + if (s->session) { const EVP_MD *sig; - sig = s->session->sess_cert->peer_key->digest; + sig = s->s3->tmp.peer_md; if (sig) { *(int *)parg = EVP_MD_type(sig); return 1; @@ -3339,31 +3373,29 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return 0; case SSL_CTRL_GET_SERVER_TMP_KEY: - if (s->server || !s->session || !s->session->sess_cert) + if (s->server || !s->session) return 0; else { - SESS_CERT *sc; EVP_PKEY *ptmp; int rv = 0; - sc = s->session->sess_cert; #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) - if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp && !sc->peer_ecdh_tmp) + if (!s->s3->peer_rsa_tmp && !s->s3->peer_dh_tmp && !s->s3->peer_ecdh_tmp) return 0; #endif ptmp = EVP_PKEY_new(); if (!ptmp) return 0; #ifndef OPENSSL_NO_RSA - else if (sc->peer_rsa_tmp) - rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp); + else if (s->s3->peer_rsa_tmp) + rv = EVP_PKEY_set1_RSA(ptmp, s->s3->peer_rsa_tmp); #endif #ifndef OPENSSL_NO_DH - else if (sc->peer_dh_tmp) - rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp); + else if (s->s3->peer_dh_tmp) + rv = EVP_PKEY_set1_DH(ptmp, s->s3->peer_dh_tmp); #endif #ifndef OPENSSL_NO_EC - else if (sc->peer_ecdh_tmp) - rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp); + else if (s->s3->peer_ecdh_tmp) + rv = EVP_PKEY_set1_EC_KEY(ptmp, s->s3->peer_ecdh_tmp); #endif if (rv) { *(EVP_PKEY **)parg = ptmp; @@ -3443,12 +3475,11 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) } break; #endif -#ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_DEBUG_CB: s->tlsext_debug_cb = (void (*)(SSL *, int, int, unsigned char *, int, void *))fp; break; -#endif + case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB: { s->not_resumable_session_cb = (int (*)(SSL *, int))fp; @@ -3578,7 +3609,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return (0); } #endif /* !OPENSSL_NO_EC */ -#ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: ctx->tlsext_servername_arg = parg; break; @@ -3608,7 +3638,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) ctx->tlsext_status_arg = parg; return 1; -# ifndef OPENSSL_NO_SRP +#ifndef OPENSSL_NO_SRP case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME: ctx->srp_ctx.srp_Mask |= SSL_kSRP; OPENSSL_free(ctx->srp_ctx.login); @@ -3638,9 +3668,9 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH: ctx->srp_ctx.strength = larg; break; -# endif +#endif -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC case SSL_CTRL_SET_CURVES: return tls1_set_curves(&ctx->tlsext_ellipticcurvelist, &ctx->tlsext_ellipticcurvelist_length, @@ -3650,12 +3680,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist, &ctx->tlsext_ellipticcurvelist_length, parg); -# ifndef OPENSSL_NO_EC case SSL_CTRL_SET_ECDH_AUTO: ctx->cert->ecdh_tmp_auto = larg; return 1; -# endif -# endif +#endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); @@ -3680,8 +3708,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_CHAIN_CERT_STORE: return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg); -#endif /* !OPENSSL_NO_TLSEXT */ - /* A Thawte special :-) */ case SSL_CTRL_EXTRA_CHAIN_CERT: if (ctx->extra_certs == NULL) { @@ -3759,7 +3785,6 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) } break; #endif -#ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp; break; @@ -3775,7 +3800,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) HMAC_CTX *, int))fp; break; -# ifndef OPENSSL_NO_SRP +#ifndef OPENSSL_NO_SRP case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB: ctx->srp_ctx.srp_Mask |= SSL_kSRP; ctx->srp_ctx.SRP_verify_param_callback = (int (*)(SSL *, void *))fp; @@ -3790,7 +3815,6 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) ctx->srp_ctx.SRP_give_srp_client_pwd_callback = (char *(*)(SSL *, void *))fp; break; -# endif #endif case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB: { @@ -3843,11 +3867,9 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, SSL_CIPHER *c, *ret = NULL; STACK_OF(SSL_CIPHER) *prio, *allow; int i, ii, ok; - CERT *cert; unsigned long alg_k, alg_a, mask_k, mask_a, emask_k, emask_a; /* Let's see which ciphers we can support */ - cert = s->cert; #if 0 /* @@ -3892,11 +3914,11 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s)) continue; - ssl_set_cert_masks(cert, c); - mask_k = cert->mask_k; - mask_a = cert->mask_a; - emask_k = cert->export_mask_k; - emask_a = cert->export_mask_a; + ssl_set_masks(s, c); + mask_k = s->s3->tmp.mask_k; + mask_a = s->s3->tmp.mask_a; + emask_k = s->s3->tmp.export_mask_k; + emask_a = s->s3->tmp.export_mask_a; #ifndef OPENSSL_NO_SRP if (s->srp_ctx.srp_Mask & SSL_kSRP) { mask_k |= SSL_kSRP; @@ -3911,7 +3933,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, #ifndef OPENSSL_NO_PSK /* with PSK there must be server callback set */ - if ((alg_k & SSL_kPSK) && s->psk_server_callback == NULL) + if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL) continue; #endif /* OPENSSL_NO_PSK */ @@ -3929,7 +3951,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, #endif } -#ifndef OPENSSL_NO_TLSEXT # ifndef OPENSSL_NO_EC /* * if we are considering an ECC cipher suite that uses an ephemeral @@ -3938,7 +3959,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if (alg_k & SSL_kECDHE) ok = ok && tls1_check_ec_tmp_key(s, c->id); # endif /* OPENSSL_NO_EC */ -#endif /* OPENSSL_NO_TLSEXT */ if (!ok) continue; @@ -3948,7 +3968,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED, c->strength_bits, 0, c)) continue; -#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT) +#if !defined(OPENSSL_NO_EC) if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari) { if (!ret) @@ -4111,54 +4131,12 @@ int ssl3_shutdown(SSL *s) int ssl3_write(SSL *s, const void *buf, int len) { - int ret, n; - -#if 0 - if (s->shutdown & SSL_SEND_SHUTDOWN) { - s->rwstate = SSL_NOTHING; - return (0); - } -#endif clear_sys_error(); if (s->s3->renegotiate) ssl3_renegotiate_check(s); - /* - * This is an experimental flag that sends the last handshake message in - * the same packet as the first use data - used to see if it helps the - * TCP protocol during session-id reuse - */ - /* The second test is because the buffer may have been removed */ - if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) { - /* First time through, we write into the buffer */ - if (s->s3->delay_buf_pop_ret == 0) { - ret = ssl3_write_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len); - if (ret <= 0) - return (ret); - - s->s3->delay_buf_pop_ret = ret; - } - - s->rwstate = SSL_WRITING; - n = BIO_flush(s->wbio); - if (n <= 0) - return (n); - s->rwstate = SSL_NOTHING; - - /* We have flushed the buffer, so remove it */ - ssl_free_wbio_buffer(s); - s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER; - - ret = s->s3->delay_buf_pop_ret; - s->s3->delay_buf_pop_ret = 0; - } else { - ret = s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, + return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len); - if (ret <= 0) - return (ret); - } - - return (ret); } static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) @@ -4239,13 +4217,19 @@ int ssl3_renegotiate_check(SSL *s) /* * If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF and * handshake macs if required. + * + * If PSK and using SHA384 for TLS < 1.2 switch to default. */ long ssl_get_algorithm2(SSL *s) { long alg2 = s->s3->tmp.new_cipher->algorithm2; - if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF - && alg2 == (SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF)) - return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; + if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF) { + if (alg2 == (SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF)) + return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; + } else if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK) { + if (alg2 == (SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384)) + return SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF; + } return alg2; } @@ -4271,3 +4255,18 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) } else return RAND_bytes(result, len); } + +int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, + int free_pms) +{ + s->session->master_key_length = + s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, + pms, pmslen); + if (free_pms) + OPENSSL_clear_free(pms, pmslen); + else + OPENSSL_cleanse(pms, pmslen); + if (s->server == 0) + s->s3->tmp.pms = NULL; + return s->session->master_key_length >= 0; +}