X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_srvr.c;h=203e894f8e39eb83ee80a04121059fd5909c3a5b;hp=9835f50262ac90d418587ab1ddf3762719d66b95;hb=124037fdc0571b5bd9022412348e9979a1726a31;hpb=d45ba43dab962bdc84158efc0cdddd5f5a08cf5e diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 9835f50262..203e894f8e 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -167,21 +167,7 @@ static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, STACK_OF(SSL_CIPHER) **skp, int sslv2format); -#ifndef OPENSSL_NO_SSL3_METHOD -static const SSL_METHOD *ssl3_get_server_method(int ver); -static const SSL_METHOD *ssl3_get_server_method(int ver) -{ - if (ver == SSL3_VERSION) - return (SSLv3_server_method()); - else - return (NULL); -} - -IMPLEMENT_ssl3_meth_func(SSLv3_server_method, - ssl3_accept, - ssl_undefined_function, ssl3_get_server_method) -#endif #ifndef OPENSSL_NO_SRP static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) { @@ -401,19 +387,15 @@ int ssl3_accept(SSL *s) ret = ssl3_send_server_hello(s); if (ret <= 0) goto end; -#ifndef OPENSSL_NO_TLSEXT + if (s->hit) { if (s->tlsext_ticket_expected) s->state = SSL3_ST_SW_SESSION_TICKET_A; else s->state = SSL3_ST_SW_CHANGE_A; - } -#else - if (s->hit) - s->state = SSL3_ST_SW_CHANGE_A; -#endif - else + } else { s->state = SSL3_ST_SW_CERT_A; + } s->init_num = 0; break; @@ -428,7 +410,7 @@ int ssl3_accept(SSL *s) ret = ssl3_send_server_certificate(s); if (ret <= 0) goto end; -#ifndef OPENSSL_NO_TLSEXT + if (s->tlsext_status_expected) s->state = SSL3_ST_SW_CERT_STATUS_A; else @@ -437,12 +419,6 @@ int ssl3_accept(SSL *s) skip = 1; s->state = SSL3_ST_SW_KEY_EXCH_A; } -#else - } else - skip = 1; - - s->state = SSL3_ST_SW_KEY_EXCH_A; -#endif s->init_num = 0; break; @@ -531,11 +507,9 @@ int ssl3_accept(SSL *s) skip = 1; s->s3->tmp.cert_request = 0; s->state = SSL3_ST_SW_SRVR_DONE_A; - if (s->s3->handshake_buffer) { - if (!ssl3_digest_cached_records(s)) { - s->state = SSL_ST_ERR; - return -1; - } + if (!ssl3_digest_cached_records(s, 0)) { + s->state = SSL_ST_ERR; + return -1; } } else { s->s3->tmp.cert_request = 1; @@ -601,7 +575,7 @@ int ssl3_accept(SSL *s) * not sent. Also for GOST ciphersuites when the client uses * its key from the certificate for key exchange. */ -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) +#if defined(OPENSSL_NO_NEXTPROTONEG) s->state = SSL3_ST_SR_FINISHED_A; #else if (s->s3->next_proto_neg_seen) @@ -622,14 +596,11 @@ int ssl3_accept(SSL *s) } /* * For sigalgs freeze the handshake buffer. If we support - * extms we've done this already. + * extms we've done this already so this is a no-op */ - if (!(s->s3->flags & SSL_SESS_FLAG_EXTMS)) { - s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; - if (!ssl3_digest_cached_records(s)) { - s->state = SSL_ST_ERR; - return -1; - } + if (!ssl3_digest_cached_records(s, 1)) { + s->state = SSL_ST_ERR; + return -1; } } else { int offset = 0; @@ -644,11 +615,9 @@ int ssl3_accept(SSL *s) * CertificateVerify should be generalized. But it is next * step */ - if (s->s3->handshake_buffer) { - if (!ssl3_digest_cached_records(s)) { - s->state = SSL_ST_ERR; - return -1; - } + if (!ssl3_digest_cached_records(s, 0)) { + s->state = SSL_ST_ERR; + return -1; } for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++) if (s->s3->handshake_dgst[dgst_num]) { @@ -680,7 +649,7 @@ int ssl3_accept(SSL *s) if (ret <= 0) goto end; -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) +#if defined(OPENSSL_NO_NEXTPROTONEG) s->state = SSL3_ST_SR_FINISHED_A; #else if (s->s3->next_proto_neg_seen) @@ -691,7 +660,7 @@ int ssl3_accept(SSL *s) s->init_num = 0; break; -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) case SSL3_ST_SR_NEXT_PROTO_A: case SSL3_ST_SR_NEXT_PROTO_B: /* @@ -732,16 +701,13 @@ int ssl3_accept(SSL *s) goto end; if (s->hit) s->state = SSL_ST_OK; -#ifndef OPENSSL_NO_TLSEXT else if (s->tlsext_ticket_expected) s->state = SSL3_ST_SW_SESSION_TICKET_A; -#endif else s->state = SSL3_ST_SW_CHANGE_A; s->init_num = 0; break; -#ifndef OPENSSL_NO_TLSEXT case SSL3_ST_SW_SESSION_TICKET_A: case SSL3_ST_SW_SESSION_TICKET_B: ret = ssl3_send_newsession_ticket(s); @@ -760,8 +726,6 @@ int ssl3_accept(SSL *s) s->init_num = 0; break; -#endif - case SSL3_ST_SW_CHANGE_A: case SSL3_ST_SW_CHANGE_B: @@ -804,7 +768,7 @@ int ssl3_accept(SSL *s) goto end; s->state = SSL3_ST_SW_FLUSH; if (s->hit) { -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) +#if defined(OPENSSL_NO_NEXTPROTONEG) s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A; #else if (s->s3->next_proto_neg_seen) { @@ -897,7 +861,7 @@ int ssl3_send_hello_request(SSL *s) int ssl3_get_client_hello(SSL *s) { - int i, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1; + int i, complen, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1; unsigned int cookie_len; long n; unsigned long id; @@ -935,13 +899,7 @@ int ssl3_get_client_hello(SSL *s) d = p = (unsigned char *)s->init_msg; /* First lets get s->client_version set correctly */ - if (!s->read_hash && !s->enc_read_ctx - && RECORD_LAYER_is_sslv2_record(&s->rlayer)) { - if (n < MIN_SSL2_RECORD_LEN) { - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } + if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { /*- * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 * header is sent directly on the wire, not wrapped as a TLS @@ -1000,11 +958,10 @@ int ssl3_get_client_hello(SSL *s) /* Do SSL/TLS version negotiation if applicable */ if (!SSL_IS_DTLS(s)) { if (s->version != TLS_ANY_VERSION) { - if (s->client_version >= s->version - && (((s->client_version >> 8) & 0xff) == SSL3_VERSION_MAJOR)) { + if (s->client_version >= s->version) { protverr = 0; } - } else if (((s->client_version >> 8) & 0xff) == SSL3_VERSION_MAJOR) { + } else if (s->client_version >= SSL3_VERSION) { switch(s->client_version) { default: case TLS1_2_VERSION: @@ -1032,17 +989,20 @@ int ssl3_get_client_hello(SSL *s) } /* Deliberately fall through */ case SSL3_VERSION: +#ifndef OPENSSL_NO_SSL3 if(!(s->options & SSL_OP_NO_SSLv3)) { s->version = SSL3_VERSION; s->method = SSLv3_server_method(); protverr = 0; break; } +#else + break; +#endif } } - } else if (((s->client_version >> 8) & 0xff) == DTLS1_VERSION_MAJOR && - (s->client_version <= s->version - || s->method->version == DTLS_ANY_VERSION)) { + } else if (s->client_version <= s->version + || s->method->version == DTLS_ANY_VERSION) { /* * For DTLS we just check versions are potentially compatible. Version * negotiation comes later. @@ -1110,8 +1070,8 @@ int ssl3_get_client_hello(SSL *s) /* Set p to end of packet to ensure we don't look for extensions */ p = d + n; - /* No compression, so set i to 0 */ - i = 0; + /* No compression, so set complen to 0 */ + complen = 0; } else { /* If we get here we've got SSLv3+ in an SSLv3+ record */ @@ -1355,8 +1315,8 @@ int ssl3_get_client_hello(SSL *s) } /* compression */ - i = *(p++); - if ((p + i) > (d + n)) { + complen = *(p++); + if ((p + complen) > (d + n)) { /* not enough data */ al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); @@ -1365,13 +1325,13 @@ int ssl3_get_client_hello(SSL *s) #ifndef OPENSSL_NO_COMP q = p; #endif - for (j = 0; j < i; j++) { + for (j = 0; j < complen; j++) { if (p[j] == 0) break; } - p += i; - if (j >= i) { + p += complen; + if (j >= complen) { /* no compress */ al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); @@ -1379,7 +1339,6 @@ int ssl3_get_client_hello(SSL *s) } } -#ifndef OPENSSL_NO_TLSEXT /* TLS extensions */ if (s->version >= SSL3_VERSION) { if (!ssl_parse_clienthello_tlsext(s, &p, d, n)) { @@ -1436,11 +1395,10 @@ int ssl3_get_client_hello(SSL *s) s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); } } -#endif /* * Worst case, we will use the NULL compression, but if we have other - * options, we will now look for them. We have i-1 compression + * options, we will now look for them. We have complen-1 compression * algorithms from the client, starting at q. */ s->s3->tmp.new_compression = NULL; @@ -1469,11 +1427,11 @@ int ssl3_get_client_hello(SSL *s) goto f_err; } /* Look for resumed method in compression list */ - for (m = 0; m < i; m++) { + for (m = 0; m < complen; m++) { if (q[m] == comp_id) break; } - if (m >= i) { + if (m >= complen) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING); @@ -1489,7 +1447,7 @@ int ssl3_get_client_hello(SSL *s) for (m = 0; m < nn; m++) { comp = sk_SSL_COMP_value(s->ctx->comp_methods, m); v = comp->id; - for (o = 0; o < i; o++) { + for (o = 0; o < complen; o++) { if (v == q[o]) { done = 1; break; @@ -1573,7 +1531,7 @@ int ssl3_get_client_hello(SSL *s) } if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) { - if (!ssl3_digest_cached_records(s)) + if (!ssl3_digest_cached_records(s, 0)) goto f_err; } @@ -1620,13 +1578,13 @@ int ssl3_send_server_hello(SSL *s) if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { buf = (unsigned char *)s->init_buf->data; -#ifdef OPENSSL_NO_TLSEXT + p = s->s3->server_random; if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) { s->state = SSL_ST_ERR; return -1; } -#endif + /* Do the message type and length last */ d = p = ssl_handshake_start(s); @@ -1681,7 +1639,7 @@ int ssl3_send_server_hello(SSL *s) else *(p++) = s->s3->tmp.new_compression->id; #endif -#ifndef OPENSSL_NO_TLSEXT + if (ssl_prepare_serverhello_tlsext(s) <= 0) { SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT); s->state = SSL_ST_ERR; @@ -1695,7 +1653,7 @@ int ssl3_send_server_hello(SSL *s) s->state = SSL_ST_ERR; return -1; } -#endif + /* do the header */ l = (p - d); if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) { @@ -2273,7 +2231,6 @@ int ssl3_get_client_key_exchange(SSL *s) BIGNUM *pub = NULL; DH *dh_srvr, *dh_clnt = NULL; #endif - #ifndef OPENSSL_NO_EC EC_KEY *srvr_ecdh = NULL; EVP_PKEY *clnt_pub_pkey = NULL; @@ -2711,7 +2668,7 @@ int ssl3_get_client_key_exchange(SSL *s) psk_len = s->psk_server_callback(s, tmp_id, psk_or_pre_ms, sizeof(psk_or_pre_ms)); - OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1); + OPENSSL_cleanse(tmp_id, sizeof(tmp_id)); if (psk_len > PSK_MAX_PSK_LEN) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); @@ -2861,6 +2818,7 @@ int ssl3_get_client_key_exchange(SSL *s) s-> session->master_key, premaster_secret, 32); + OPENSSL_cleanse(premaster_secret, sizeof(premaster_secret)); if (s->session->master_key_length < 0) { al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); @@ -3090,7 +3048,6 @@ int ssl3_get_cert_verify(SSL *s) end: BIO_free(s->s3->handshake_buffer); s->s3->handshake_buffer = NULL; - s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE; EVP_MD_CTX_cleanup(&mctx); EVP_PKEY_free(pkey); return (ret); @@ -3198,7 +3155,7 @@ int ssl3_get_client_certificate(SSL *s) goto f_err; } /* No client certificate so digest cached records */ - if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) { + if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) { al = SSL_AD_INTERNAL_ERROR; goto f_err; } @@ -3230,19 +3187,8 @@ int ssl3_get_client_certificate(SSL *s) s->session->peer = sk_X509_shift(sk); s->session->verify_result = s->verify_result; - /* - * With the current implementation, sess_cert will always be NULL when we - * arrive here. - */ - if (s->session->sess_cert == NULL) { - s->session->sess_cert = ssl_sess_cert_new(); - if (s->session->sess_cert == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); - goto done; - } - } - sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); - s->session->sess_cert->cert_chain = sk; + sk_X509_pop_free(s->session->peer_chain, X509_free); + s->session->peer_chain = sk; /* * Inconsistency alert: cert_chain does *not* include the peer's own * certificate, while we do include it in s3_clnt.c @@ -3284,7 +3230,6 @@ int ssl3_send_server_certificate(SSL *s) return ssl_do_write(s); } -#ifndef OPENSSL_NO_TLSEXT /* send a new session ticket (not necessarily for a new session) */ int ssl3_send_newsession_ticket(SSL *s) { @@ -3472,7 +3417,7 @@ int ssl3_send_cert_status(SSL *s) return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); } -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG /* * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. * It sets the next_proto member in s if found @@ -3551,8 +3496,6 @@ int ssl3_get_next_proto(SSL *s) return 1; } -# endif - #endif #define SSLV2_CIPHER_LEN 3 @@ -3590,13 +3533,13 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, sk_SSL_CIPHER_zero(sk); } - OPENSSL_free(s->cert->ciphers_raw); - s->cert->ciphers_raw = BUF_memdup(p, num); - if (s->cert->ciphers_raw == NULL) { + OPENSSL_free(s->s3->tmp.ciphers_raw); + s->s3->tmp.ciphers_raw = BUF_memdup(p, num); + if (s->s3->tmp.ciphers_raw == NULL) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); goto err; } - s->cert->ciphers_rawlen = (size_t)num; + s->s3->tmp.ciphers_rawlen = (size_t)num; for (i = 0; i < num; i += n) { /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */