X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=048669c45134ef4dd3109a5582edf8ea21ac26bd;hp=e3e7853d602997103ff1365d4ee8b8c38ef406f9;hb=67dc995eaf538ea309c6292a1a5073465201f55b;hpb=d781d247d1ef9331983f456d616659108c857d0d diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e3e7853d60..048669c451 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1,5 +1,7 @@ /* * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,39 +9,6 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#include #include #include "ssl_locl.h" #include @@ -51,6 +20,7 @@ #include #include #include +#include "internal/cryptlib.h" const char SSL_version_str[] = OPENSSL_VERSION_TEXT; @@ -431,6 +401,116 @@ static int dane_tlsa_add(SSL_DANE *dane, return 1; } +/* + * Return 0 if there is only one version configured and it was disabled + * at configure time. Return 1 otherwise. + */ +static int ssl_check_allowed_versions(int min_version, int max_version) +{ + int minisdtls = 0, maxisdtls = 0; + + /* Figure out if we're doing DTLS versions or TLS versions */ + if (min_version == DTLS1_BAD_VER + || min_version >> 8 == DTLS1_VERSION_MAJOR) + minisdtls = 1; + if (max_version == DTLS1_BAD_VER + || max_version >> 8 == DTLS1_VERSION_MAJOR) + maxisdtls = 1; + /* A wildcard version of 0 could be DTLS or TLS. */ + if ((minisdtls && !maxisdtls && max_version != 0) + || (maxisdtls && !minisdtls && min_version != 0)) { + /* Mixing DTLS and TLS versions will lead to sadness; deny it. */ + return 0; + } + + if (minisdtls || maxisdtls) { + /* Do DTLS version checks. */ + if (min_version == 0) + /* Ignore DTLS1_BAD_VER */ + min_version = DTLS1_VERSION; + if (max_version == 0) + max_version = DTLS1_2_VERSION; +#ifdef OPENSSL_NO_DTLS1_2 + if (max_version == DTLS1_2_VERSION) + max_version = DTLS1_VERSION; +#endif +#ifdef OPENSSL_NO_DTLS1 + if (min_version == DTLS1_VERSION) + min_version = DTLS1_2_VERSION; +#endif + /* Done massaging versions; do the check. */ + if (0 +#ifdef OPENSSL_NO_DTLS1 + || (DTLS_VERSION_GE(min_version, DTLS1_VERSION) + && DTLS_VERSION_GE(DTLS1_VERSION, max_version)) +#endif +#ifdef OPENSSL_NO_DTLS1_2 + || (DTLS_VERSION_GE(min_version, DTLS1_2_VERSION) + && DTLS_VERSION_GE(DTLS1_2_VERSION, max_version)) +#endif + ) + return 0; + } else { + /* Regular TLS version checks. */ + if (min_version == 0) + min_version = SSL3_VERSION; + if (max_version == 0) + max_version = TLS1_3_VERSION; +#ifdef OPENSSL_NO_TLS1_3 + if (max_version == TLS1_3_VERSION) + max_version = TLS1_2_VERSION; +#endif +#ifdef OPENSSL_NO_TLS1_2 + if (max_version == TLS1_2_VERSION) + max_version = TLS1_1_VERSION; +#endif +#ifdef OPENSSL_NO_TLS1_1 + if (max_version == TLS1_1_VERSION) + max_version = TLS1_VERSION; +#endif +#ifdef OPENSSL_NO_TLS1 + if (max_version == TLS1_VERSION) + max_version = SSL3_VERSION; +#endif +#ifdef OPENSSL_NO_SSL3 + if (min_version == SSL3_VERSION) + min_version = TLS1_VERSION; +#endif +#ifdef OPENSSL_NO_TLS1 + if (min_version == TLS1_VERSION) + min_version = TLS1_1_VERSION; +#endif +#ifdef OPENSSL_NO_TLS1_1 + if (min_version == TLS1_1_VERSION) + min_version = TLS1_2_VERSION; +#endif +#ifdef OPENSSL_NO_TLS1_2 + if (min_version == TLS1_2_VERSION) + min_version = TLS1_3_VERSION; +#endif + /* Done massaging versions; do the check. */ + if (0 +#ifdef OPENSSL_NO_SSL3 + || (min_version <= SSL3_VERSION && SSL3_VERSION <= max_version) +#endif +#ifdef OPENSSL_NO_TLS1 + || (min_version <= TLS1_VERSION && TLS1_VERSION <= max_version) +#endif +#ifdef OPENSSL_NO_TLS1_1 + || (min_version <= TLS1_1_VERSION && TLS1_1_VERSION <= max_version) +#endif +#ifdef OPENSSL_NO_TLS1_2 + || (min_version <= TLS1_2_VERSION && TLS1_2_VERSION <= max_version) +#endif +#ifdef OPENSSL_NO_TLS1_3 + || (min_version <= TLS1_3_VERSION && TLS1_3_VERSION <= max_version) +#endif + ) + return 0; + } + return 1; +} + static void clear_ciphers(SSL *s) { /* clear the current cipher */ @@ -443,13 +523,15 @@ int SSL_clear(SSL *s) { if (s->method == NULL) { SSLerr(SSL_F_SSL_CLEAR, SSL_R_NO_METHOD_SPECIFIED); - return (0); + return 0; } if (ssl_clear_bad_session(s)) { SSL_SESSION_free(s->session); s->session = NULL; } + SSL_SESSION_free(s->psksession); + s->psksession = NULL; s->error = 0; s->hit = 0; @@ -485,20 +567,21 @@ int SSL_clear(SSL *s) /* * Check to see if we were changed into a different method, if so, revert - * back if we are not doing session-id reuse. + * back. */ - if (!ossl_statem_get_in_handshake(s) && (s->session == NULL) - && (s->method != s->ctx->method)) { + if (s->method != s->ctx->method) { s->method->ssl_free(s); s->method = s->ctx->method; if (!s->method->ssl_new(s)) - return (0); - } else - s->method->ssl_clear(s); + return 0; + } else { + if (!s->method->ssl_clear(s)) + return 0; + } RECORD_LAYER_clear(&s->rlayer); - return (1); + return 1; } /** Used to change an SSL_CTXs default SSL method type */ @@ -571,8 +654,12 @@ SSL *SSL_new(SSL_CTX *ctx) s->msg_callback_arg = ctx->msg_callback_arg; s->verify_mode = ctx->verify_mode; s->not_resumable_session_cb = ctx->not_resumable_session_cb; + s->record_padding_cb = ctx->record_padding_cb; + s->record_padding_arg = ctx->record_padding_arg; + s->block_padding = ctx->block_padding; s->sid_ctx_length = ctx->sid_ctx_length; - OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); + if (!ossl_assert(s->sid_ctx_length <= sizeof s->sid_ctx)) + goto err; memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); s->verify_callback = ctx->default_verify_callback; s->generate_session_id = ctx->generate_session_id; @@ -659,6 +746,8 @@ SSL *SSL_new(SSL_CTX *ctx) s->psk_client_callback = ctx->psk_client_callback; s->psk_server_callback = ctx->psk_server_callback; #endif + s->psk_find_session_cb = ctx->psk_find_session_cb; + s->psk_use_session_cb = ctx->psk_use_session_cb; s->job = NULL; @@ -741,7 +830,7 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, { /* * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how - * we can "construct" a session to give us the desired check - ie. to + * we can "construct" a session to give us the desired check - i.e. to * find if there's a session in the hash table that would conflict with * any new session built out of this id/id_len and the ssl_version in use * by this SSL. @@ -977,6 +1066,7 @@ void SSL_free(SSL *s) dane_final(&s->dane); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); + /* Ignore return value */ ssl_free_wbio_buffer(s); BIO_free_all(s->wbio); @@ -993,6 +1083,7 @@ void SSL_free(SSL *s) ssl_clear_bad_session(s); SSL_SESSION_free(s->session); } + SSL_SESSION_free(s->psksession); clear_ciphers(s); @@ -1015,9 +1106,10 @@ void SSL_free(SSL *s) #endif OPENSSL_free(s->ext.ocsp.resp); OPENSSL_free(s->ext.alpn); + OPENSSL_free(s->ext.tls13_cookie); OPENSSL_free(s->clienthello); - sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); + sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free); sk_X509_pop_free(s->verified_chain, X509_free); @@ -1320,7 +1412,7 @@ int SSL_has_pending(const SSL *s) * data. That data may not result in any application data, or we may fail * to parse the records for some reason. */ - if (SSL_pending(s)) + if (RECORD_LAYER_processed_read_pending(&s->rlayer)) return 1; return RECORD_LAYER_read_pending(&s->rlayer); @@ -1545,6 +1637,17 @@ int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes) return 0; } + if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY + || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) { + SSLerr(SSL_F_SSL_READ_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + /* + * If we are a client and haven't received the ServerHello etc then we + * better do that + */ + ossl_statem_check_finish_init(s, 0); + if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { struct ssl_async_args args; int ret; @@ -1594,25 +1697,21 @@ int SSL_read_ex(SSL *s, void *buf, size_t num, size_t *readbytes) return ret; } -int SSL_read_early(SSL *s, void *buf, size_t num, size_t *readbytes) +int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes) { int ret; if (!s->server) { - SSLerr(SSL_F_SSL_READ_EARLY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return SSL_READ_EARLY_ERROR; + SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return SSL_READ_EARLY_DATA_ERROR; } - /* - * TODO(TLS1.3): Somehow we need to check that we're not receiving too much - * data - */ - switch (s->early_data_state) { case SSL_EARLY_DATA_NONE: if (!SSL_in_before(s)) { - SSLerr(SSL_F_SSL_READ_EARLY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return SSL_READ_EARLY_ERROR; + SSLerr(SSL_F_SSL_READ_EARLY_DATA, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return SSL_READ_EARLY_DATA_ERROR; } /* fall through */ @@ -1622,7 +1721,7 @@ int SSL_read_early(SSL *s, void *buf, size_t num, size_t *readbytes) if (ret <= 0) { /* NBIO or error */ s->early_data_state = SSL_EARLY_DATA_ACCEPT_RETRY; - return SSL_READ_EARLY_ERROR; + return SSL_READ_EARLY_DATA_ERROR; } /* fall through */ @@ -1631,36 +1730,31 @@ int SSL_read_early(SSL *s, void *buf, size_t num, size_t *readbytes) s->early_data_state = SSL_EARLY_DATA_READING; ret = SSL_read_ex(s, buf, num, readbytes); /* - * Record layer will call ssl_end_of_early_data_seen() if we see - * that alert - which updates the early_data_state to - * SSL_EARLY_DATA_FINISHED_READING + * State machine will update early_data_state to + * SSL_EARLY_DATA_FINISHED_READING if we get an EndOfEarlyData + * message */ if (ret > 0 || (ret <= 0 && s->early_data_state != SSL_EARLY_DATA_FINISHED_READING)) { s->early_data_state = SSL_EARLY_DATA_READ_RETRY; - return ret > 0 ? SSL_READ_EARLY_SUCCESS : SSL_READ_EARLY_ERROR; + return ret > 0 ? SSL_READ_EARLY_DATA_SUCCESS + : SSL_READ_EARLY_DATA_ERROR; } } else { s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; } *readbytes = 0; - ossl_statem_set_in_init(s, 1); - return SSL_READ_EARLY_FINISH; + return SSL_READ_EARLY_DATA_FINISH; default: - SSLerr(SSL_F_SSL_READ_EARLY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return SSL_READ_EARLY_ERROR; + SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return SSL_READ_EARLY_DATA_ERROR; } } -int ssl_end_of_early_data_seen(SSL *s) +int SSL_get_early_data_status(const SSL *s) { - if (s->early_data_state == SSL_EARLY_DATA_READING) { - s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; - return 1; - } - - return 0; + return s->ext.early_data; } static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes) @@ -1736,9 +1830,14 @@ int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written) return -1; } - if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY - || s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY) + if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY + || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY + || s->early_data_state == SSL_EARLY_DATA_READ_RETRY) { + SSLerr(SSL_F_SSL_WRITE_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; + } + /* If we are a client and haven't sent the Finished we better do that */ + ossl_statem_check_finish_init(s, 1); if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { int ret; @@ -1789,24 +1888,18 @@ int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written) return ret; } -int SSL_write_early(SSL *s, const void *buf, size_t num, size_t *written) +int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written) { - int ret; - - if (s->server) { - SSLerr(SSL_F_SSL_WRITE_EARLY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } - - /* - * TODO(TLS1.3): Somehow we need to check that we're not sending too much - * data - */ + int ret, early_data_state; switch (s->early_data_state) { case SSL_EARLY_DATA_NONE: - if (!SSL_in_before(s)) { - SSLerr(SSL_F_SSL_WRITE_EARLY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + if (s->server + || !SSL_in_before(s) + || s->session == NULL + || s->session->ext.max_early_data == 0) { + SSLerr(SSL_F_SSL_WRITE_EARLY_DATA, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } /* fall through */ @@ -1827,36 +1920,19 @@ int SSL_write_early(SSL *s, const void *buf, size_t num, size_t *written) s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; return ret; - default: - SSLerr(SSL_F_SSL_WRITE_EARLY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } -} - -int SSL_write_early_finish(SSL *s) -{ - int ret; - - if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY) { - SSLerr(SSL_F_SSL_WRITE_EARLY_FINISH, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } + case SSL_EARLY_DATA_FINISHED_READING: + case SSL_EARLY_DATA_READ_RETRY: + early_data_state = s->early_data_state; + /* We are a server writing to an unauthenticated client */ + s->early_data_state = SSL_EARLY_DATA_UNAUTH_WRITING; + ret = SSL_write_ex(s, buf, num, written); + s->early_data_state = early_data_state; + return ret; - s->early_data_state = SSL_EARLY_DATA_WRITING; - ret = ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_END_OF_EARLY_DATA); - if (ret <= 0) { - s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; + default: + SSLerr(SSL_F_SSL_WRITE_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; - /* - * We set the enc_write_ctx back to NULL because we may end up writing - * in cleartext again if we get a HelloRetryRequest from the server. - */ - EVP_CIPHER_CTX_free(s->enc_write_ctx); - s->enc_write_ctx = NULL; - ossl_statem_set_in_init(s, 1); - return 1; } int SSL_shutdown(SSL *s) @@ -1931,9 +2007,12 @@ int SSL_renegotiate(SSL *s) return 0; } - if (s->renegotiate == 0) - s->renegotiate = 1; + if ((s->options & SSL_OP_NO_RENEGOTIATION)) { + SSLerr(SSL_F_SSL_RENEGOTIATE, SSL_R_NO_RENEGOTIATION); + return 0; + } + s->renegotiate = 1; s->new_session = 1; return (s->method->ssl_renegotiate(s)); @@ -1941,12 +2020,17 @@ int SSL_renegotiate(SSL *s) int SSL_renegotiate_abbreviated(SSL *s) { - if (SSL_IS_TLS13(s)) + if (SSL_IS_TLS13(s)) { + SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_WRONG_SSL_VERSION); return 0; + } - if (s->renegotiate == 0) - s->renegotiate = 1; + if ((s->options & SSL_OP_NO_RENEGOTIATION)) { + SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_NO_RENEGOTIATION); + return 0; + } + s->renegotiate = 1; s->new_session = 0; return (s->method->ssl_renegotiate(s)); @@ -2035,11 +2119,13 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) else return 0; case SSL_CTRL_SET_MIN_PROTO_VERSION: - return ssl_set_version_bound(s->ctx->method->version, (int)larg, - &s->min_proto_version); + return ssl_check_allowed_versions(larg, s->max_proto_version) + && ssl_set_version_bound(s->ctx->method->version, (int)larg, + &s->min_proto_version); case SSL_CTRL_SET_MAX_PROTO_VERSION: - return ssl_set_version_bound(s->ctx->method->version, (int)larg, - &s->max_proto_version); + return ssl_check_allowed_versions(s->min_proto_version, larg) + && ssl_set_version_bound(s->ctx->method->version, (int)larg, + &s->max_proto_version); default: return (s->method->ssl_ctrl(s, cmd, larg, parg)); } @@ -2169,11 +2255,13 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_CLEAR_CERT_FLAGS: return (ctx->cert->cert_flags &= ~larg); case SSL_CTRL_SET_MIN_PROTO_VERSION: - return ssl_set_version_bound(ctx->method->version, (int)larg, - &ctx->min_proto_version); + return ssl_check_allowed_versions(larg, ctx->max_proto_version) + && ssl_set_version_bound(ctx->method->version, (int)larg, + &ctx->min_proto_version); case SSL_CTRL_SET_MAX_PROTO_VERSION: - return ssl_set_version_bound(ctx->method->version, (int)larg, - &ctx->max_proto_version); + return ssl_check_allowed_versions(ctx->min_proto_version, larg) + && ssl_set_version_bound(ctx->method->version, (int)larg, + &ctx->max_proto_version); default: return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg)); } @@ -2244,7 +2332,7 @@ STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s) ssl_set_client_disabled(s); for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); - if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED)) { + if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) { if (!sk) sk = sk_SSL_CIPHER_new_null(); if (!sk) @@ -2563,8 +2651,8 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, } /* - * SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from - * |ssl|. On return it sets |*data| to point to |*len| bytes of protocol name + * SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|. + * On return it sets |*data| to point to |*len| bytes of protocol name * (not including the leading length-prefix byte). If the server didn't * respond with a negotiated protocol then |*len| will be zero. */ @@ -2582,15 +2670,15 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, const char *label, size_t llen, - const unsigned char *p, size_t plen, + const unsigned char *context, size_t contextlen, int use_context) { if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER) return -1; return s->method->ssl3_enc->export_keying_material(s, out, olen, label, - llen, p, plen, - use_context); + llen, context, + contextlen, use_context); } static unsigned long ssl_session_hash(const SSL_SESSION *a) @@ -2707,7 +2795,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) goto err2; } - if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL) + if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) goto err; if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data)) @@ -2766,6 +2854,12 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->ext.status_type = TLSEXT_STATUSTYPE_nothing; + /* + * Default max early data is a fully loaded single record. Could be split + * across multiple records in practice + */ + ret->max_early_data = SSL3_RT_MAX_PLAIN_LENGTH; + return ret; err: SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); @@ -2823,7 +2917,7 @@ void SSL_CTX_free(SSL_CTX *a) sk_SSL_CIPHER_free(a->cipher_list); sk_SSL_CIPHER_free(a->cipher_list_by_id); ssl_cert_free(a->cert); - sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free); + sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free); sk_X509_pop_free(a->extra_certs, X509_free); a->comp_methods = NULL; #ifndef OPENSSL_NO_SRTP @@ -2994,6 +3088,11 @@ void ssl_set_masks(SSL *s) if (ecdsa_ok) mask_a |= SSL_aECDSA; } + /* Allow Ed25519 for TLS 1.2 if peer supports it */ + if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519) + && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN + && TLS1_get_version(s) == TLS1_2_VERSION) + mask_a |= SSL_aECDSA; #endif #ifndef OPENSSL_NO_EC @@ -3058,10 +3157,11 @@ void ssl_update_cache(SSL *s, int mode) return; i = s->session_ctx->session_cache_mode; - if ((i & mode) && (!s->hit) - && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) + if ((i & mode) != 0 + && (!s->hit || SSL_IS_TLS13(s)) + && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) != 0 || SSL_CTX_add_session(s->session_ctx, s->session)) - && (s->session_ctx->new_session_cb != NULL)) { + && s->session_ctx->new_session_cb != NULL) { SSL_SESSION_up_ref(s->session); if (!s->session_ctx->new_session_cb(s, s->session)) SSL_SESSION_free(s->session); @@ -3158,10 +3258,7 @@ int SSL_get_error(const SSL *s, int i) } if (SSL_want_write(s)) { - /* - * Access wbio directly - in order to use the buffered bio if - * present - */ + /* Access wbio directly - in order to use the buffered bio if present */ bio = s->wbio; if (BIO_should_write(bio)) return (SSL_ERROR_WANT_WRITE); @@ -3216,12 +3313,16 @@ int SSL_do_handshake(SSL *s) return -1; } - if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY - || s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY) - return -1; + ossl_statem_check_finish_init(s, -1); s->method->ssl_renegotiate_check(s, 0); + if (SSL_is_server(s)) { + /* clear SNI settings at server-side */ + OPENSSL_free(s->ext.hostname); + s->ext.hostname = NULL; + } + if (SSL_in_init(s) || SSL_in_before(s)) { if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { struct ssl_async_args args; @@ -3424,10 +3525,10 @@ SSL *SSL_dup(SSL *s) goto err; /* Dup the client_CA list */ - if (s->client_CA != NULL) { - if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL) + if (s->ca_names != NULL) { + if ((sk = sk_X509_NAME_dup(s->ca_names)) == NULL) goto err; - ret->client_CA = sk; + ret->ca_names = sk; for (i = 0; i < sk_X509_NAME_num(sk); i++) { xn = sk_X509_NAME_value(sk, i); if (sk_X509_NAME_set(sk, i, X509_NAME_dup(xn)) == NULL) { @@ -3539,16 +3640,19 @@ int ssl_init_wbio_buffer(SSL *s) return 1; } -void ssl_free_wbio_buffer(SSL *s) +int ssl_free_wbio_buffer(SSL *s) { /* callers ensure s is never null */ if (s->bbio == NULL) - return; + return 1; s->wbio = BIO_pop(s->wbio); - assert(s->wbio != NULL); + if (!ossl_assert(s->wbio != NULL)) + return 0; BIO_free(s->bbio); s->bbio = NULL; + + return 1; } void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) @@ -3607,6 +3711,12 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) if (new_cert == NULL) { return NULL; } + + if (!custom_exts_copy_flags(&new_cert->custext, &ssl->cert->custext)) { + ssl_cert_free(new_cert); + return NULL; + } + ssl_cert_free(ssl->cert); ssl->cert = new_cert; @@ -3614,7 +3724,8 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH), * so setter APIs must prevent invalid lengths from entering the system. */ - OPENSSL_assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx)); + if (!ossl_assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx))) + return NULL; /* * If the session ID context matches that of the parent SSL_CTX, @@ -3735,6 +3846,18 @@ size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, return outlen; } +int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in, + size_t len) +{ + if (len > sizeof(sess->master_key)) + return 0; + + memcpy(sess->master_key, in, len); + sess->master_key_length = len; + return 1; +} + + int SSL_set_ex_data(SSL *s, int idx, void *arg) { return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); @@ -3870,6 +3993,28 @@ void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb) } #endif +void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb) +{ + s->psk_find_session_cb = cb; +} + +void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx, + SSL_psk_find_session_cb_func cb) +{ + ctx->psk_find_session_cb = cb; +} + +void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb) +{ + s->psk_use_session_cb = cb; +} + +void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx, + SSL_psk_use_session_cb_func cb) +{ + ctx->psk_use_session_cb = cb; +} + void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb) (int write_p, int version, int content_type, const void *buf, @@ -3903,10 +4048,68 @@ void SSL_set_not_resumable_session_callback(SSL *ssl, (void (*)(void))cb); } +void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx, + size_t (*cb) (SSL *ssl, int type, + size_t len, void *arg)) +{ + ctx->record_padding_cb = cb; +} + +void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg) +{ + ctx->record_padding_arg = arg; +} + +void *SSL_CTX_get_record_padding_callback_arg(SSL_CTX *ctx) +{ + return ctx->record_padding_arg; +} + +int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size) +{ + /* block size of 0 or 1 is basically no padding */ + if (block_size == 1) + ctx->block_padding = 0; + else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH) + ctx->block_padding = block_size; + else + return 0; + return 1; +} + +void SSL_set_record_padding_callback(SSL *ssl, + size_t (*cb) (SSL *ssl, int type, + size_t len, void *arg)) +{ + ssl->record_padding_cb = cb; +} + +void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg) +{ + ssl->record_padding_arg = arg; +} + +void *SSL_get_record_padding_callback_arg(SSL *ssl) +{ + return ssl->record_padding_arg; +} + +int SSL_set_block_padding(SSL *ssl, size_t block_size) +{ + /* block size of 0 or 1 is basically no padding */ + if (block_size == 1) + ssl->block_padding = 0; + else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH) + ssl->block_padding = block_size; + else + return 0; + return 1; +} + /* * Allocates new EVP_MD_CTX and sets pointer to it into given pointer * variable, freeing EVP_MD_CTX previously stored in that variable, if any. - * If EVP_MD pointer is passed, initializes ctx with this md. + * If EVP_MD pointer is passed, initializes ctx with this |md|. * Returns the newly allocated ctx; */ @@ -3962,7 +4165,7 @@ int SSL_session_reused(SSL *s) return s->hit; } -int SSL_is_server(SSL *s) +int SSL_is_server(const SSL *s) { return s->server; } @@ -4375,7 +4578,8 @@ int ssl_validate_ct(SSL *s) CT_POLICY_EVAL_CTX_set1_cert(ctx, cert); CT_POLICY_EVAL_CTX_set1_issuer(ctx, issuer); CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx, s->ctx->ctlog_store); - CT_POLICY_EVAL_CTX_set_time(ctx, SSL_SESSION_get_time(SSL_get0_session(s))); + CT_POLICY_EVAL_CTX_set_time( + ctx, (uint64_t)SSL_SESSION_get_time(SSL_get0_session(s)) * 1000); scts = SSL_get0_peer_scts(s); @@ -4529,6 +4733,38 @@ size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out) return s->clienthello->compressions_len; } +int SSL_early_get1_extensions_present(SSL *s, int **out, size_t *outlen) +{ + RAW_EXTENSION *ext; + int *present; + size_t num = 0, i; + + if (s->clienthello == NULL || out == NULL || outlen == NULL) + return 0; + for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) { + ext = s->clienthello->pre_proc_exts + i; + if (ext->present) + num++; + } + present = OPENSSL_malloc(sizeof(*present) * num); + if (present == NULL) + return 0; + for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) { + ext = s->clienthello->pre_proc_exts + i; + if (ext->present) { + if (ext->received_order >= num) + goto err; + present[ext->received_order] = ext->type; + } + } + *out = present; + *outlen = num; + return 1; + err: + OPENSSL_free(present); + return 0; +} + int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out, size_t *outlen) { @@ -4550,6 +4786,22 @@ int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out, return 0; } +int SSL_free_buffers(SSL *ssl) +{ + RECORD_LAYER *rl = &ssl->rlayer; + + if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) + return 0; + + RECORD_LAYER_release(rl); + return 1; +} + +int SSL_alloc_buffers(SSL *ssl) +{ + return ssl3_setup_buffers(ssl); +} + void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb) { ctx->keylog_callback = cb; @@ -4699,7 +4951,7 @@ int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format, TLS_CIPHER_LEN)) || (leadbyte != 0 && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) { - *al = SSL_AD_INTERNAL_ERROR; + *al = SSL_AD_DECODE_ERROR; OPENSSL_free(s->s3->tmp.ciphers_raw); s->s3->tmp.ciphers_raw = NULL; s->s3->tmp.ciphers_rawlen = 0; @@ -4786,8 +5038,8 @@ int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, } } if (PACKET_remaining(cipher_suites) > 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR); + *al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_BAD_LENGTH); goto err; } @@ -4813,7 +5065,7 @@ int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data) return 1; } -uint32_t SSL_CTX_get_max_early_data(SSL_CTX *ctx) +uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx) { return ctx->max_early_data; } @@ -4825,7 +5077,7 @@ int SSL_set_max_early_data(SSL *s, uint32_t max_early_data) return 1; } -uint32_t SSL_get_max_early_data(SSL_CTX *s) +uint32_t SSL_get_max_early_data(const SSL *s) { return s->max_early_data; }