X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=99ae48199c2d32eb91255a76e6b9b9cbc53c325c;hp=78a5a3a2e233e2b0956e8dc638a13ed2ff22e781;hb=cc4e37f1e4af060dc41a3c84041a183ecd7aa80e;hpb=320a81277e402f393289ae7229b2320324321fb1 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 78a5a3a2e2..99ae48199c 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -37,12 +37,12 @@ static SSL_CIPHER tls13_ciphers[] = { TLS1_3_RFC_AES_128_GCM_SHA256, TLS1_3_RFC_AES_128_GCM_SHA256, TLS1_3_CK_AES_128_GCM_SHA256, - 0, 0, + SSL_kANY, + SSL_aANY, SSL_AES128GCM, SSL_AEAD, TLS1_3_VERSION, TLS1_3_VERSION, - SSL_kANY, - SSL_aANY, + 0, 0, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256, 128, @@ -3312,7 +3312,7 @@ int ssl3_new(SSL *s) void ssl3_free(SSL *s) { - if (s->s3 == NULL) + if (s == NULL || s->s3 == NULL) return; ssl3_cleanup_key_block(s); @@ -3466,6 +3466,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: + /* + * TODO(OpenSSL1.2) + * This API is only used for a client to set what SNI it will request + * from the server, but we currently allow it to be used on servers + * as well, which is a programming error. Currently we just clear + * the field in SSL_do_handshake() for server SSLs, but when we can + * make ABI-breaking changes, we may want to make use of this API + * an error on server SSLs. + */ if (larg == TLSEXT_NAMETYPE_host_name) { size_t len; @@ -3672,9 +3681,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *(int *)parg = s->s3->tmp.peer_sigalg->hash; return 1; - case SSL_CTRL_GET_SERVER_TMP_KEY: + case SSL_CTRL_GET_SIGNATURE_NID: + if (s->s3->tmp.sigalg == NULL) + return 0; + *(int *)parg = s->s3->tmp.sigalg->hash; + return 1; + + case SSL_CTRL_GET_PEER_TMP_KEY: #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) - if (s->server || s->session == NULL || s->s3->peer_tmp == NULL) { + if (s->session == NULL || s->s3->peer_tmp == NULL) { return 0; } else { EVP_PKEY_up_ref(s->s3->peer_tmp); @@ -3684,6 +3699,20 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #else return 0; #endif + + case SSL_CTRL_GET_TMP_KEY: +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) + if (s->session == NULL || s->s3->tmp.pkey == NULL) { + return 0; + } else { + EVP_PKEY_up_ref(s->s3->tmp.pkey); + *(EVP_PKEY **)parg = s->s3->tmp.pkey; + return 1; + } +#else + return 0; +#endif + #ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: { @@ -3752,7 +3781,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) EVP_PKEY_security_bits(pkdh), 0, pkdh)) { SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL); EVP_PKEY_free(pkdh); - return 1; + return 0; } EVP_PKEY_free(ctx->cert->dh_tmp); ctx->cert->dh_tmp = pkdh; @@ -4108,8 +4137,9 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, { const SSL_CIPHER *c, *ret = NULL; STACK_OF(SSL_CIPHER) *prio, *allow; - int i, ii, ok; + int i, ii, ok, prefer_sha256 = 0; unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0; + const EVP_MD *mdsha256 = EVP_sha256(); #ifndef OPENSSL_NO_CHACHA STACK_OF(SSL_CIPHER) *prio_chacha = NULL; #endif @@ -4190,7 +4220,26 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, allow = srvr; } - if (!SSL_IS_TLS13(s)) { + if (SSL_IS_TLS13(s)) { +#ifndef OPENSSL_NO_PSK + int j; + + /* + * If we allow "old" style PSK callbacks, and we have no certificate (so + * we're not going to succeed without a PSK anyway), and we're in + * TLSv1.3 then the default hash for a PSK is SHA-256 (as per the + * TLSv1.3 spec). Therefore we should prioritise ciphersuites using + * that. + */ + if (s->psk_server_callback != NULL) { + for (j = 0; j < SSL_PKEY_NUM && !ssl_has_cert(s, j); j++); + if (j == SSL_PKEY_NUM) { + /* There are no certificates */ + prefer_sha256 = 1; + } + } +#endif + } else { tls1_set_cert_validity(s); ssl_set_masks(s); } @@ -4262,6 +4311,17 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, continue; } #endif + if (prefer_sha256) { + const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii); + + if (ssl_md(tmp->algorithm2) == mdsha256) { + ret = tmp; + break; + } + if (ret == NULL) + ret = tmp; + continue; + } ret = sk_SSL_CIPHER_value(allow, ii); break; } @@ -4528,7 +4588,7 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, } else { ret = RAND_bytes(result, len); } -#ifndef OPENSSL_NO_TLS13DOWNGRADE + if (ret > 0) { if (!ossl_assert(sizeof(tls11downgrade) < len) || !ossl_assert(sizeof(tls12downgrade) < len)) @@ -4540,7 +4600,7 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, memcpy(result + len - sizeof(tls11downgrade), tls11downgrade, sizeof(tls11downgrade)); } -#endif + return ret; } @@ -4581,6 +4641,7 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, if (!s->method->ssl3_enc->generate_master_secret(s, s->session->master_key,pskpms, pskpmslen, &s->session->master_key_length)) { + OPENSSL_clear_free(pskpms, pskpmslen); /* SSLfatal() already called */ goto err; }