X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=9d4c4d48998066e41cd866d610a70071ba30af32;hp=85425a1887368a080a57d1e3993e2fe649021d7c;hb=e6e9170d6e28038768895e1af18e3aad8093bf4b;hpb=e431363f8c241abd0dfe9b83dfc1cec1bdfe13ab diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 85425a1887..9d4c4d4899 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -12,41 +12,94 @@ #include #include "ssl_locl.h" #include -#include #include #include +#include #include #include #include #include #include #include "internal/cryptlib.h" -#include "internal/rand.h" #include "internal/refcount.h" const char SSL_version_str[] = OPENSSL_VERSION_TEXT; +static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, size_t s, int t) +{ + (void)r; + (void)s; + (void)t; + return ssl_undefined_function(ssl); +} + +static int ssl_undefined_function_2(SSL *ssl, SSL3_RECORD *r, unsigned char *s, + int t) +{ + (void)r; + (void)s; + (void)t; + return ssl_undefined_function(ssl); +} + +static int ssl_undefined_function_3(SSL *ssl, unsigned char *r, + unsigned char *s, size_t t, size_t *u) +{ + (void)r; + (void)s; + (void)t; + (void)u; + return ssl_undefined_function(ssl); +} + +static int ssl_undefined_function_4(SSL *ssl, int r) +{ + (void)r; + return ssl_undefined_function(ssl); +} + +static size_t ssl_undefined_function_5(SSL *ssl, const char *r, size_t s, + unsigned char *t) +{ + (void)r; + (void)s; + (void)t; + return ssl_undefined_function(ssl); +} + +static int ssl_undefined_function_6(int r) +{ + (void)r; + return ssl_undefined_function(NULL); +} + +static int ssl_undefined_function_7(SSL *ssl, unsigned char *r, size_t s, + const char *t, size_t u, + const unsigned char *v, size_t w, int x) +{ + (void)r; + (void)s; + (void)t; + (void)u; + (void)v; + (void)w; + (void)x; + return ssl_undefined_function(ssl); +} + SSL3_ENC_METHOD ssl3_undef_enc_method = { - /* - * evil casts, but these functions are only called if there's a library - * bug - */ - (int (*)(SSL *, SSL3_RECORD *, size_t, int))ssl_undefined_function, - (int (*)(SSL *, SSL3_RECORD *, unsigned char *, int))ssl_undefined_function, + ssl_undefined_function_1, + ssl_undefined_function_2, ssl_undefined_function, - (int (*)(SSL *, unsigned char *, unsigned char *, size_t, size_t *)) - ssl_undefined_function, - (int (*)(SSL *, int))ssl_undefined_function, - (size_t (*)(SSL *, const char *, size_t, unsigned char *)) - ssl_undefined_function, + ssl_undefined_function_3, + ssl_undefined_function_4, + ssl_undefined_function_5, NULL, /* client_finished_label */ 0, /* client_finished_label_len */ NULL, /* server_finished_label */ 0, /* server_finished_label_len */ - (int (*)(int))ssl_undefined_function, - (int (*)(SSL *, unsigned char *, size_t, const char *, - size_t, const unsigned char *, size_t, - int use_context))ssl_undefined_function, + ssl_undefined_function_6, + ssl_undefined_function_7, }; struct ssl_async_args { @@ -165,14 +218,12 @@ static int ssl_dane_dup(SSL *to, SSL *from) dane_final(&to->dane); to->dane.flags = from->dane.flags; to->dane.dctx = &to->ctx->dane; - to->dane.trecs = sk_danetls_record_new_null(); + to->dane.trecs = sk_danetls_record_new_reserve(NULL, num); if (to->dane.trecs == NULL) { SSLerr(SSL_F_SSL_DANE_DUP, ERR_R_MALLOC_FAILURE); return 0; } - if (!sk_danetls_record_reserve(to->dane.trecs, num)) - return 0; for (i = 0; i < num; ++i) { danetls_record *t = sk_danetls_record_value(from->dane.trecs, i); @@ -239,7 +290,7 @@ static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype) static int dane_tlsa_add(SSL_DANE *dane, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned char *data, size_t dlen) + uint8_t mtype, unsigned const char *data, size_t dlen) { danetls_record *t; const EVP_MD *md = NULL; @@ -539,6 +590,7 @@ int SSL_clear(SSL *s) OPENSSL_free(s->psksession_id); s->psksession_id = NULL; s->psksession_id_len = 0; + s->hello_retry_request = 0; s->error = 0; s->hit = 0; @@ -562,6 +614,9 @@ int SSL_clear(SSL *s) s->key_update = SSL_KEY_UPDATE_NONE; + EVP_MD_CTX_free(s->pha_dgst); + s->pha_dgst = NULL; + /* Reset DANE verification result state */ s->dane.mdpth = -1; s->dane.pdpth = -1; @@ -598,14 +653,16 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) ctx->method = meth; - sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list), + sk = ssl_create_cipher_list(ctx->method, + ctx->tls13_ciphersuites, + &(ctx->cipher_list), &(ctx->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST, ctx->cert); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); - return (0); + return 0; } - return (1); + return 1; } SSL *SSL_new(SSL_CTX *ctx) @@ -614,33 +671,23 @@ SSL *SSL_new(SSL_CTX *ctx) if (ctx == NULL) { SSLerr(SSL_F_SSL_NEW, SSL_R_NULL_SSL_CTX); - return (NULL); + return NULL; } if (ctx->method == NULL) { SSLerr(SSL_F_SSL_NEW, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); - return (NULL); + return NULL; } s = OPENSSL_zalloc(sizeof(*s)); if (s == NULL) goto err; + s->references = 1; s->lock = CRYPTO_THREAD_lock_new(); - if (s->lock == NULL) + if (s->lock == NULL) { + OPENSSL_free(s); + s = NULL; goto err; - - /* - * If not using the standard RAND (say for fuzzing), then don't use a - * chained DRBG. - */ - if (RAND_get_rand_method() == RAND_OpenSSL()) { - s->drbg = RAND_DRBG_new(NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF, - RAND_DRBG_get0_global()); - if (s->drbg == NULL - || RAND_DRBG_instantiate(s->drbg, NULL, 0) == 0) { - CRYPTO_THREAD_lock_free(s->lock); - goto err; - } } RECORD_LAYER_init(&s->rlayer, s); @@ -651,9 +698,13 @@ SSL *SSL_new(SSL_CTX *ctx) s->max_proto_version = ctx->max_proto_version; s->mode = ctx->mode; s->max_cert_list = ctx->max_cert_list; - s->references = 1; s->max_early_data = ctx->max_early_data; + /* Shallow copy of the ciphersuites stack */ + s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites); + if (s->tls13_ciphersuites == NULL) + goto err; + /* * Earlier library versions used to copy the pointer to the CERT, not * its contents; only when setting new parameters for the per-SSL @@ -676,7 +727,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->record_padding_arg = ctx->record_padding_arg; s->block_padding = ctx->block_padding; s->sid_ctx_length = ctx->sid_ctx_length; - if (!ossl_assert(s->sid_ctx_length <= sizeof s->sid_ctx)) + if (!ossl_assert(s->sid_ctx_length <= sizeof(s->sid_ctx))) goto err; memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); s->verify_callback = ctx->default_verify_callback; @@ -687,6 +738,8 @@ SSL *SSL_new(SSL_CTX *ctx) goto err; X509_VERIFY_PARAM_inherit(s->param, ctx->param); s->quiet_shutdown = ctx->quiet_shutdown; + + s->ext.max_fragment_len_mode = ctx->ext.max_fragment_len_mode; s->max_send_fragment = ctx->max_send_fragment; s->split_send_fragment = ctx->split_send_fragment; s->max_pipelines = ctx->max_pipelines; @@ -803,7 +856,7 @@ int SSL_up_ref(SSL *s) int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len) { - if (sid_ctx_len > sizeof ctx->sid_ctx) { + if (sid_ctx_len > sizeof(ctx->sid_ctx)) { SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); return 0; @@ -856,7 +909,7 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, */ SSL_SESSION r, *p; - if (id_len > sizeof r.session_id) + if (id_len > sizeof(r.session_id)) return 0; r.ssl_version = ssl->version; @@ -1032,7 +1085,7 @@ SSL_DANE *SSL_get0_dane(SSL *s) } int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned char *data, size_t dlen) + uint8_t mtype, unsigned const char *data, size_t dlen) { return dane_tlsa_add(&s->dane, usage, selector, mtype, data, dlen); } @@ -1074,7 +1127,6 @@ void SSL_free(SSL *s) if (s == NULL) return; - CRYPTO_DOWN_REF(&s->references, &i, s->lock); REF_PRINT_COUNT("SSL", s); if (i > 0) @@ -1096,6 +1148,7 @@ void SSL_free(SSL *s) /* add extra stuff */ sk_SSL_CIPHER_free(s->cipher_list); sk_SSL_CIPHER_free(s->cipher_list_by_id); + sk_SSL_CIPHER_free(s->tls13_ciphersuites); /* Make the next call work :-) */ if (s->session != NULL) { @@ -1128,6 +1181,8 @@ void SSL_free(SSL *s) OPENSSL_free(s->ext.alpn); OPENSSL_free(s->ext.tls13_cookie); OPENSSL_free(s->clienthello); + OPENSSL_free(s->pha_context); + EVP_MD_CTX_free(s->pha_dgst); sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free); @@ -1150,7 +1205,6 @@ void SSL_free(SSL *s) sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); #endif - RAND_DRBG_free(s->drbg); CRYPTO_THREAD_lock_free(s->lock); OPENSSL_free(s); @@ -1249,7 +1303,7 @@ int SSL_get_rfd(const SSL *s) r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); if (r != NULL) BIO_get_fd(r, &ret); - return (ret); + return ret; } int SSL_get_wfd(const SSL *s) @@ -1261,7 +1315,7 @@ int SSL_get_wfd(const SSL *s) r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); if (r != NULL) BIO_get_fd(r, &ret); - return (ret); + return ret; } #ifndef OPENSSL_NO_SOCK @@ -1280,7 +1334,7 @@ int SSL_set_fd(SSL *s, int fd) SSL_set_bio(s, bio, bio); ret = 1; err: - return (ret); + return ret; } int SSL_set_wfd(SSL *s, int fd) @@ -1357,7 +1411,7 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count) int SSL_get_verify_mode(const SSL *s) { - return (s->verify_mode); + return s->verify_mode; } int SSL_get_verify_depth(const SSL *s) @@ -1366,12 +1420,12 @@ int SSL_get_verify_depth(const SSL *s) } int (*SSL_get_verify_callback(const SSL *s)) (int, X509_STORE_CTX *) { - return (s->verify_callback); + return s->verify_callback; } int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) { - return (ctx->verify_mode); + return ctx->verify_mode; } int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) @@ -1380,7 +1434,7 @@ int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) } int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx)) (int, X509_STORE_CTX *) { - return (ctx->default_verify_callback); + return ctx->default_verify_callback; } void SSL_set_verify(SSL *s, int mode, @@ -1449,11 +1503,11 @@ X509 *SSL_get_peer_certificate(const SSL *s) r = s->session->peer; if (r == NULL) - return (r); + return r; X509_up_ref(r); - return (r); + return r; } STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) @@ -1470,7 +1524,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) * we are a server, it does not. */ - return (r); + return r; } /* @@ -1510,14 +1564,14 @@ int SSL_CTX_check_private_key(const SSL_CTX *ctx) { if ((ctx == NULL) || (ctx->cert->key->x509 == NULL)) { SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); - return (0); + return 0; } if (ctx->cert->key->privatekey == NULL) { SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED); - return (0); + return 0; } - return (X509_check_private_key - (ctx->cert->key->x509, ctx->cert->key->privatekey)); + return X509_check_private_key + (ctx->cert->key->x509, ctx->cert->key->privatekey); } /* Fix this function so that it takes an optional type parameter */ @@ -1525,18 +1579,18 @@ int SSL_check_private_key(const SSL *ssl) { if (ssl == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } if (ssl->cert->key->x509 == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); - return (0); + return 0; } if (ssl->cert->key->privatekey == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED); - return (0); + return 0; } - return (X509_check_private_key(ssl->cert->key->x509, - ssl->cert->key->privatekey)); + return X509_check_private_key(ssl->cert->key->x509, + ssl->cert->key->privatekey); } int SSL_waiting_for_async(SSL *s) @@ -1589,7 +1643,7 @@ int SSL_connect(SSL *s) long SSL_get_default_timeout(const SSL *s) { - return (s->method->get_timeout()); + return s->method->get_timeout(); } static int ssl_start_async_job(SSL *s, struct ssl_async_args *args, @@ -1912,6 +1966,8 @@ int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written) int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written) { int ret, early_data_state; + size_t writtmp; + uint32_t partialwrite; switch (s->early_data_state) { case SSL_EARLY_DATA_NONE: @@ -1937,9 +1993,29 @@ int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written) case SSL_EARLY_DATA_WRITE_RETRY: s->early_data_state = SSL_EARLY_DATA_WRITING; - ret = SSL_write_ex(s, buf, num, written); + /* + * We disable partial write for early data because we don't keep track + * of how many bytes we've written between the SSL_write_ex() call and + * the flush if the flush needs to be retried) + */ + partialwrite = s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE; + s->mode &= ~SSL_MODE_ENABLE_PARTIAL_WRITE; + ret = SSL_write_ex(s, buf, num, &writtmp); + s->mode |= partialwrite; + if (!ret) { + s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; + return ret; + } + s->early_data_state = SSL_EARLY_DATA_WRITE_FLUSH; + /* fall through */ + + case SSL_EARLY_DATA_WRITE_FLUSH: + /* The buffering BIO is still in place so we need to flush it */ + if (statem_flush(s) != 1) + return 0; + *written = num; s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; - return ret; + return 1; case SSL_EARLY_DATA_FINISHED_READING: case SSL_EARLY_DATA_READ_RETRY: @@ -2036,7 +2112,7 @@ int SSL_renegotiate(SSL *s) s->renegotiate = 1; s->new_session = 1; - return (s->method->ssl_renegotiate(s)); + return s->method->ssl_renegotiate(s); } int SSL_renegotiate_abbreviated(SSL *s) @@ -2054,7 +2130,7 @@ int SSL_renegotiate_abbreviated(SSL *s) s->renegotiate = 1; s->new_session = 0; - return (s->method->ssl_renegotiate(s)); + return s->method->ssl_renegotiate(s); } int SSL_renegotiate_pending(SSL *s) @@ -2072,11 +2148,11 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: - return (RECORD_LAYER_get_read_ahead(&s->rlayer)); + return RECORD_LAYER_get_read_ahead(&s->rlayer); case SSL_CTRL_SET_READ_AHEAD: l = RECORD_LAYER_get_read_ahead(&s->rlayer); RECORD_LAYER_set_read_ahead(&s->rlayer, larg); - return (l); + return l; case SSL_CTRL_SET_MSG_CALLBACK_ARG: s->msg_callback_arg = parg; @@ -2087,7 +2163,7 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_CLEAR_MODE: return (s->mode &= ~larg); case SSL_CTRL_GET_MAX_CERT_LIST: - return (long)(s->max_cert_list); + return (long)s->max_cert_list; case SSL_CTRL_SET_MAX_CERT_LIST: if (larg < 0) return 0; @@ -2152,7 +2228,7 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_MAX_PROTO_VERSION: return s->max_proto_version; default: - return (s->method->ssl_ctrl(s, cmd, larg, parg)); + return s->method->ssl_ctrl(s, cmd, larg, parg); } } @@ -2167,7 +2243,7 @@ long SSL_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) return 1; default: - return (s->method->ssl_callback_ctrl(s, cmd, fp)); + return s->method->ssl_callback_ctrl(s, cmd, fp); } } @@ -2179,6 +2255,7 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { long l; + int i; /* For some cases with ctx == NULL perform syntax checks */ if (ctx == NULL) { switch (cmd) { @@ -2196,18 +2273,18 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: - return (ctx->read_ahead); + return ctx->read_ahead; case SSL_CTRL_SET_READ_AHEAD: l = ctx->read_ahead; ctx->read_ahead = larg; - return (l); + return l; case SSL_CTRL_SET_MSG_CALLBACK_ARG: ctx->msg_callback_arg = parg; return 1; case SSL_CTRL_GET_MAX_CERT_LIST: - return (long)(ctx->max_cert_list); + return (long)ctx->max_cert_list; case SSL_CTRL_SET_MAX_CERT_LIST: if (larg < 0) return 0; @@ -2222,38 +2299,51 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) ctx->session_cache_size = (size_t)larg; return l; case SSL_CTRL_GET_SESS_CACHE_SIZE: - return (long)(ctx->session_cache_size); + return (long)ctx->session_cache_size; case SSL_CTRL_SET_SESS_CACHE_MODE: l = ctx->session_cache_mode; ctx->session_cache_mode = larg; - return (l); + return l; case SSL_CTRL_GET_SESS_CACHE_MODE: - return (ctx->session_cache_mode); + return ctx->session_cache_mode; case SSL_CTRL_SESS_NUMBER: - return (lh_SSL_SESSION_num_items(ctx->sessions)); + return lh_SSL_SESSION_num_items(ctx->sessions); case SSL_CTRL_SESS_CONNECT: - return (ctx->stats.sess_connect); + return CRYPTO_atomic_read(&ctx->stats.sess_connect, &i, ctx->lock) + ? i : 0; case SSL_CTRL_SESS_CONNECT_GOOD: - return (ctx->stats.sess_connect_good); + return CRYPTO_atomic_read(&ctx->stats.sess_connect_good, &i, ctx->lock) + ? i : 0; case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: - return (ctx->stats.sess_connect_renegotiate); + return CRYPTO_atomic_read(&ctx->stats.sess_connect_renegotiate, &i, + ctx->lock) + ? i : 0; case SSL_CTRL_SESS_ACCEPT: - return (ctx->stats.sess_accept); + return CRYPTO_atomic_read(&ctx->stats.sess_accept, &i, ctx->lock) + ? i : 0; case SSL_CTRL_SESS_ACCEPT_GOOD: - return (ctx->stats.sess_accept_good); + return CRYPTO_atomic_read(&ctx->stats.sess_accept_good, &i, ctx->lock) + ? i : 0; case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: - return (ctx->stats.sess_accept_renegotiate); + return CRYPTO_atomic_read(&ctx->stats.sess_accept_renegotiate, &i, + ctx->lock) + ? i : 0; case SSL_CTRL_SESS_HIT: - return (ctx->stats.sess_hit); + return CRYPTO_atomic_read(&ctx->stats.sess_hit, &i, ctx->lock) + ? i : 0; case SSL_CTRL_SESS_CB_HIT: - return (ctx->stats.sess_cb_hit); + return CRYPTO_atomic_read(&ctx->stats.sess_cb_hit, &i, ctx->lock) + ? i : 0; case SSL_CTRL_SESS_MISSES: - return (ctx->stats.sess_miss); + return CRYPTO_atomic_read(&ctx->stats.sess_miss, &i, ctx->lock) + ? i : 0; case SSL_CTRL_SESS_TIMEOUTS: - return (ctx->stats.sess_timeout); + return CRYPTO_atomic_read(&ctx->stats.sess_timeout, &i, ctx->lock) + ? i : 0; case SSL_CTRL_SESS_CACHE_FULL: - return (ctx->stats.sess_cache_full); + return CRYPTO_atomic_read(&ctx->stats.sess_cache_full, &i, ctx->lock) + ? i : 0; case SSL_CTRL_MODE: return (ctx->mode |= larg); case SSL_CTRL_CLEAR_MODE: @@ -2292,7 +2382,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_GET_MAX_PROTO_VERSION: return ctx->max_proto_version; default: - return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg)); + return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg); } } @@ -2307,7 +2397,7 @@ long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) return 1; default: - return (ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp)); + return ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp); } } @@ -2336,12 +2426,12 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) { if (s != NULL) { if (s->cipher_list != NULL) { - return (s->cipher_list); + return s->cipher_list; } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) { - return (s->ctx->cipher_list); + return s->ctx->cipher_list; } } - return (NULL); + return NULL; } STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s) @@ -2355,10 +2445,12 @@ STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s) { STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers; int i; + ciphers = SSL_get_ciphers(s); if (!ciphers) return NULL; - ssl_set_client_disabled(s); + if (!ssl_set_client_disabled(s)) + return NULL; for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) { @@ -2381,12 +2473,12 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) { if (s != NULL) { if (s->cipher_list_by_id != NULL) { - return (s->cipher_list_by_id); + return s->cipher_list_by_id; } else if ((s->ctx != NULL) && (s->ctx->cipher_list_by_id != NULL)) { - return (s->ctx->cipher_list_by_id); + return s->ctx->cipher_list_by_id; } } - return (NULL); + return NULL; } /** The old interface to get the same thing as SSL_get_ciphers() */ @@ -2396,14 +2488,14 @@ const char *SSL_get_cipher_list(const SSL *s, int n) STACK_OF(SSL_CIPHER) *sk; if (s == NULL) - return (NULL); + return NULL; sk = SSL_get_ciphers(s); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) - return (NULL); + return NULL; c = sk_SSL_CIPHER_value(sk, n); if (c == NULL) - return (NULL); - return (c->name); + return NULL; + return c->name; } /** return a STACK of the ciphers available for the SSL_CTX and in order of @@ -2420,8 +2512,9 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) { STACK_OF(SSL_CIPHER) *sk; - sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, - &ctx->cipher_list_by_id, str, ctx->cert); + sk = ssl_create_cipher_list(ctx->method, ctx->tls13_ciphersuites, + &ctx->cipher_list, &ctx->cipher_list_by_id, str, + ctx->cert); /* * ssl_create_cipher_list may return an empty stack if it was unable to * find a cipher matching the given rule string (for example if the rule @@ -2443,8 +2536,9 @@ int SSL_set_cipher_list(SSL *s, const char *str) { STACK_OF(SSL_CIPHER) *sk; - sk = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, - &s->cipher_list_by_id, str, s->cert); + sk = ssl_create_cipher_list(s->ctx->method, s->tls13_ciphersuites, + &s->cipher_list, &s->cipher_list_by_id, str, + s->cert); /* see comment in SSL_CTX_set_cipher_list */ if (sk == NULL) return 0; @@ -2455,6 +2549,99 @@ int SSL_set_cipher_list(SSL *s, const char *str) return 1; } +static int ciphersuite_cb(const char *elem, int len, void *arg) +{ + STACK_OF(SSL_CIPHER) *ciphersuites = (STACK_OF(SSL_CIPHER) *)arg; + const SSL_CIPHER *cipher; + /* Arbitrary sized temp buffer for the cipher name. Should be big enough */ + char name[80]; + + if (len > (int)(sizeof(name) - 1)) { + SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH); + return 0; + } + + memcpy(name, elem, len); + name[len] = '\0'; + + cipher = ssl3_get_cipher_by_std_name(name); + if (cipher == NULL) { + SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH); + return 0; + } + + if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) { + SSLerr(SSL_F_CIPHERSUITE_CB, ERR_R_INTERNAL_ERROR); + return 0; + } + + return 1; +} + +static int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str) +{ + STACK_OF(SSL_CIPHER) *newciphers = sk_SSL_CIPHER_new_null(); + + if (newciphers == NULL) + return 0; + + /* Parse the list. We explicitly allow an empty list */ + if (*str != '\0' + && !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) { + sk_SSL_CIPHER_free(newciphers); + return 0; + } + sk_SSL_CIPHER_free(*currciphers); + *currciphers = newciphers; + + return 1; +} + +static int update_cipher_list(STACK_OF(SSL_CIPHER) *cipher_list, + STACK_OF(SSL_CIPHER) *tls13_ciphersuites) +{ + int i; + + /* + * Delete any existing TLSv1.3 ciphersuites. These are always first in the + * list. + */ + while (sk_SSL_CIPHER_num(cipher_list) > 0 + && sk_SSL_CIPHER_value(cipher_list, 0)->min_tls == TLS1_3_VERSION) + sk_SSL_CIPHER_delete(cipher_list, 0); + + /* Insert the new TLSv1.3 ciphersuites */ + for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) + sk_SSL_CIPHER_insert(cipher_list, + sk_SSL_CIPHER_value(tls13_ciphersuites, i), i); + + return 1; +} + +int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) +{ + int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str); + + if (ret && ctx->cipher_list != NULL) { + /* We already have a cipher_list, so we need to update it */ + return update_cipher_list(ctx->cipher_list, ctx->tls13_ciphersuites); + } + + return ret; +} + +int SSL_set_ciphersuites(SSL *s, const char *str) +{ + int ret = set_ciphersuites(&(s->tls13_ciphersuites), str); + + if (ret && s->cipher_list != NULL) { + /* We already have a cipher_list, so we need to update it */ + return update_cipher_list(s->cipher_list, s->tls13_ciphersuites); + } + + return ret; +} + char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) { char *p; @@ -2463,7 +2650,7 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) int i; if ((s->session == NULL) || (s->session->ciphers == NULL) || (len < 2)) - return (NULL); + return NULL; p = buf; sk = s->session->ciphers; @@ -2488,7 +2675,7 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) len -= n + 1; } p[-1] = '\0'; - return (buf); + return buf; } /** return a servername extension value if provided in Client Hello, or NULL. @@ -2710,6 +2897,18 @@ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, contextlen, use_context); } +int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, + const char *label, size_t llen, + const unsigned char *context, + size_t contextlen) +{ + if (s->version != TLS1_3_VERSION) + return 0; + + return tls13_export_keying_material_early(s, out, olen, label, llen, + context, contextlen); +} + static unsigned long ssl_session_hash(const SSL_SESSION *a) { const unsigned char *session_id = a->session_id; @@ -2727,7 +2926,7 @@ static unsigned long ssl_session_hash(const SSL_SESSION *a) ((unsigned long)session_id[1] << 8L) | ((unsigned long)session_id[2] << 16L) | ((unsigned long)session_id[3] << 24L); - return (l); + return l; } /* @@ -2740,10 +2939,10 @@ static unsigned long ssl_session_hash(const SSL_SESSION *a) static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) { if (a->ssl_version != b->ssl_version) - return (1); + return 1; if (a->session_id_length != b->session_id_length) - return (1); - return (memcmp(a->session_id, b->session_id, a->session_id_length)); + return 1; + return memcmp(a->session_id, b->session_id, a->session_id_length); } /* @@ -2759,7 +2958,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) if (meth == NULL) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED); - return (NULL); + return NULL; } if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) @@ -2803,7 +3002,12 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) if (ret->ctlog_store == NULL) goto err; #endif + + if (!SSL_CTX_set_ciphersuites(ret, TLS_DEFAULT_CIPHERSUITES)) + goto err; + if (!ssl_create_cipher_list(ret->method, + ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST, ret->cert) || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { @@ -2830,6 +3034,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data)) goto err; + if ((ret->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->ext.secure))) == NULL) + goto err; + /* No compression for DTLS */ if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)) ret->comp_methods = SSL_COMP_get_compression_methods(); @@ -2840,12 +3047,16 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) /* Setup RFC5077 ticket keys */ if ((RAND_bytes(ret->ext.tick_key_name, sizeof(ret->ext.tick_key_name)) <= 0) - || (RAND_bytes(ret->ext.tick_hmac_key, - sizeof(ret->ext.tick_hmac_key)) <= 0) - || (RAND_bytes(ret->ext.tick_aes_key, - sizeof(ret->ext.tick_aes_key)) <= 0)) + || (RAND_bytes(ret->ext.secure->tick_hmac_key, + sizeof(ret->ext.secure->tick_hmac_key)) <= 0) + || (RAND_bytes(ret->ext.secure->tick_aes_key, + sizeof(ret->ext.secure->tick_aes_key)) <= 0)) ret->options |= SSL_OP_NO_TICKET; + if (RAND_bytes(ret->ext.cookie_hmac_key, + sizeof(ret->ext.cookie_hmac_key)) <= 0) + goto err; + #ifndef OPENSSL_NO_SRP if (!SSL_CTX_SRP_CTX_init(ret)) goto err; @@ -2877,17 +3088,33 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) * Disable compression by default to prevent CRIME. Applications can * re-enable compression by configuring * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION); - * or by using the SSL_CONF library. + * or by using the SSL_CONF library. Similarly we also enable TLSv1.3 + * middlebox compatibility by default. This may be disabled by default in + * a later OpenSSL version. */ - ret->options |= SSL_OP_NO_COMPRESSION; + ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT; ret->ext.status_type = TLSEXT_STATUSTYPE_nothing; /* - * Default max early data is a fully loaded single record. Could be split - * across multiple records in practice + * We cannot usefully set a default max_early_data here (which gets + * propagated in SSL_new(), for the following reason: setting the + * SSL field causes tls_construct_stoc_early_data() to tell the + * client that early data will be accepted when constructing a TLS 1.3 + * session ticket, and the client will accordingly send us early data + * when using that ticket (if the client has early data to send). + * However, in order for the early data to actually be consumed by + * the application, the application must also have calls to + * SSL_read_early_data(); otherwise we'll just skip past the early data + * and ignore it. So, since the application must add calls to + * SSL_read_early_data(), we also require them to add + * calls to SSL_CTX_set_max_early_data() in order to use early data, + * eliminating the bandwidth-wasting early data in the case described + * above. */ - ret->max_early_data = SSL3_RT_MAX_PLAIN_LENGTH; + ret->max_early_data = 0; + + ssl_ctx_system_config(ret); return ret; err: @@ -2945,6 +3172,7 @@ void SSL_CTX_free(SSL_CTX *a) #endif sk_SSL_CIPHER_free(a->cipher_list); sk_SSL_CIPHER_free(a->cipher_list_by_id); + sk_SSL_CIPHER_free(a->tls13_ciphersuites); ssl_cert_free(a->cert); sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free); sk_X509_pop_free(a->extra_certs, X509_free); @@ -2964,6 +3192,7 @@ void SSL_CTX_free(SSL_CTX *a) OPENSSL_free(a->ext.supportedgroups); #endif OPENSSL_free(a->ext.alpn); + OPENSSL_secure_free(a->ext.secure); CRYPTO_THREAD_lock_free(a->lock); @@ -3128,6 +3357,12 @@ void ssl_set_masks(SSL *s) && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN && TLS1_get_version(s) == TLS1_2_VERSION) mask_a |= SSL_aECDSA; + + /* Allow Ed448 for TLS 1.2 if peer supports it */ + if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED448) + && pvalid[SSL_PKEY_ED448] & CERT_PKEY_EXPLICIT_SIGN + && TLS1_get_version(s) == TLS1_2_VERSION) + mask_a |= SSL_aECDSA; #endif #ifndef OPENSSL_NO_EC @@ -3191,6 +3426,18 @@ void ssl_update_cache(SSL *s, int mode) if (s->session->session_id_length == 0) return; + /* + * If sid_ctx_length is 0 there is no specific application context + * associated with this session, so when we try to resume it and + * SSL_VERIFY_PEER is requested, we have no indication that this is + * actually a session for the proper application context, and the + * *handshake* will fail, not just the resumption attempt. + * Do not cache these sessions that are not resumable. + */ + if (s->session->sid_ctx_length == 0 + && (s->verify_mode & SSL_VERIFY_PEER) != 0) + return; + i = s->session_ctx->session_cache_mode; if ((i & mode) != 0 && (!s->hit || SSL_IS_TLS13(s)) @@ -3204,11 +3451,14 @@ void ssl_update_cache(SSL *s, int mode) /* auto flush every 255 connections */ if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) { - if ((((mode & SSL_SESS_CACHE_CLIENT) - ? s->session_ctx->stats.sess_connect_good - : s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff) { + int *stat, val; + if (mode & SSL_SESS_CACHE_CLIENT) + stat = &s->session_ctx->stats.sess_connect_good; + else + stat = &s->session_ctx->stats.sess_accept_good; + if (CRYPTO_atomic_read(stat, &val, s->session_ctx->lock) + && (val & 0xff) == 0xff) SSL_CTX_flush_sessions(s->session_ctx, (unsigned long)time(NULL)); - } } } @@ -3219,7 +3469,7 @@ const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) const SSL_METHOD *SSL_get_ssl_method(SSL *s) { - return (s->method); + return s->method; } int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth) @@ -3243,7 +3493,7 @@ int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth) else if (hf == sm->ssl_accept) s->handshake_func = meth->ssl_accept; } - return (ret); + return ret; } int SSL_get_error(const SSL *s, int i) @@ -3253,7 +3503,7 @@ int SSL_get_error(const SSL *s, int i) BIO *bio; if (i > 0) - return (SSL_ERROR_NONE); + return SSL_ERROR_NONE; /* * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, @@ -3261,15 +3511,15 @@ int SSL_get_error(const SSL *s, int i) */ if ((l = ERR_peek_error()) != 0) { if (ERR_GET_LIB(l) == ERR_LIB_SYS) - return (SSL_ERROR_SYSCALL); + return SSL_ERROR_SYSCALL; else - return (SSL_ERROR_SSL); + return SSL_ERROR_SSL; } if (SSL_want_read(s)) { bio = SSL_get_rbio(s); if (BIO_should_read(bio)) - return (SSL_ERROR_WANT_READ); + return SSL_ERROR_WANT_READ; else if (BIO_should_write(bio)) /* * This one doesn't make too much sense ... We never try to write @@ -3280,15 +3530,15 @@ int SSL_get_error(const SSL *s, int i) * wbio *are* the same, this test works around that bug; so it * might be safer to keep it. */ - return (SSL_ERROR_WANT_WRITE); + return SSL_ERROR_WANT_WRITE; else if (BIO_should_io_special(bio)) { reason = BIO_get_retry_reason(bio); if (reason == BIO_RR_CONNECT) - return (SSL_ERROR_WANT_CONNECT); + return SSL_ERROR_WANT_CONNECT; else if (reason == BIO_RR_ACCEPT) - return (SSL_ERROR_WANT_ACCEPT); + return SSL_ERROR_WANT_ACCEPT; else - return (SSL_ERROR_SYSCALL); /* unknown */ + return SSL_ERROR_SYSCALL; /* unknown */ } } @@ -3296,24 +3546,24 @@ int SSL_get_error(const SSL *s, int i) /* Access wbio directly - in order to use the buffered bio if present */ bio = s->wbio; if (BIO_should_write(bio)) - return (SSL_ERROR_WANT_WRITE); + return SSL_ERROR_WANT_WRITE; else if (BIO_should_read(bio)) /* * See above (SSL_want_read(s) with BIO_should_write(bio)) */ - return (SSL_ERROR_WANT_READ); + return SSL_ERROR_WANT_READ; else if (BIO_should_io_special(bio)) { reason = BIO_get_retry_reason(bio); if (reason == BIO_RR_CONNECT) - return (SSL_ERROR_WANT_CONNECT); + return SSL_ERROR_WANT_CONNECT; else if (reason == BIO_RR_ACCEPT) - return (SSL_ERROR_WANT_ACCEPT); + return SSL_ERROR_WANT_ACCEPT; else - return (SSL_ERROR_SYSCALL); + return SSL_ERROR_SYSCALL; } } if (SSL_want_x509_lookup(s)) - return (SSL_ERROR_WANT_X509_LOOKUP); + return SSL_ERROR_WANT_X509_LOOKUP; if (SSL_want_async(s)) return SSL_ERROR_WANT_ASYNC; if (SSL_want_async_job(s)) @@ -3323,9 +3573,9 @@ int SSL_get_error(const SSL *s, int i) if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) - return (SSL_ERROR_ZERO_RETURN); + return SSL_ERROR_ZERO_RETURN; - return (SSL_ERROR_SYSCALL); + return SSL_ERROR_SYSCALL; } static int ssl_do_handshake_intern(void *vargs) @@ -3393,25 +3643,25 @@ void SSL_set_connect_state(SSL *s) int ssl_undefined_function(SSL *s) { SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); + return 0; } int ssl_undefined_void_function(void) { SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); + return 0; } int ssl_undefined_const_function(const SSL *s) { - return (0); + return 0; } const SSL_METHOD *ssl_bad_method(int ver) { SSLerr(SSL_F_SSL_BAD_METHOD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (NULL); + return NULL; } const char *ssl_protocol_to_string(int version) @@ -3469,7 +3719,7 @@ SSL *SSL_dup(SSL *s) * Otherwise, copy configuration state, and session if set. */ if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL) - return (NULL); + return NULL; if (s->session != NULL) { /* @@ -3600,17 +3850,17 @@ void ssl_clear_cipher_ctx(SSL *s) X509 *SSL_get_certificate(const SSL *s) { if (s->cert != NULL) - return (s->cert->key->x509); + return s->cert->key->x509; else - return (NULL); + return NULL; } EVP_PKEY *SSL_get_privatekey(const SSL *s) { if (s->cert != NULL) - return (s->cert->key->privatekey); + return s->cert->key->privatekey; else - return (NULL); + return NULL; } X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) @@ -3632,8 +3882,8 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) const SSL_CIPHER *SSL_get_current_cipher(const SSL *s) { if ((s->session != NULL) && (s->session->cipher != NULL)) - return (s->session->cipher); - return (NULL); + return s->session->cipher; + return NULL; } const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s) @@ -3702,7 +3952,7 @@ void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) { - return (ctx->quiet_shutdown); + return ctx->quiet_shutdown; } void SSL_set_quiet_shutdown(SSL *s, int mode) @@ -3712,7 +3962,7 @@ void SSL_set_quiet_shutdown(SSL *s, int mode) int SSL_get_quiet_shutdown(const SSL *s) { - return (s->quiet_shutdown); + return s->quiet_shutdown; } void SSL_set_shutdown(SSL *s, int mode) @@ -3789,7 +4039,7 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) { - return (X509_STORE_set_default_paths(ctx->cert_store)); + return X509_STORE_set_default_paths(ctx->cert_store); } int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx) @@ -3826,7 +4076,7 @@ int SSL_CTX_set_default_verify_file(SSL_CTX *ctx) int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath) { - return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath)); + return X509_STORE_load_locations(ctx->cert_store, CAfile, CApath); } void SSL_set_info_callback(SSL *ssl, @@ -3852,7 +4102,7 @@ void SSL_set_verify_result(SSL *ssl, long arg) long SSL_get_verify_result(const SSL *ssl) { - return (ssl->verify_result); + return ssl->verify_result; } size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen) @@ -3900,27 +4150,27 @@ int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in, int SSL_set_ex_data(SSL *s, int idx, void *arg) { - return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); + return CRYPTO_set_ex_data(&s->ex_data, idx, arg); } void *SSL_get_ex_data(const SSL *s, int idx) { - return (CRYPTO_get_ex_data(&s->ex_data, idx)); + return CRYPTO_get_ex_data(&s->ex_data, idx); } int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) { - return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); + return CRYPTO_set_ex_data(&s->ex_data, idx, arg); } void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx) { - return (CRYPTO_get_ex_data(&s->ex_data, idx)); + return CRYPTO_get_ex_data(&s->ex_data, idx); } X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) { - return (ctx->cert_store); + return ctx->cert_store; } void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) @@ -3938,7 +4188,7 @@ void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) int SSL_want(const SSL *s) { - return (s->rwstate); + return s->rwstate; } /** @@ -4002,14 +4252,14 @@ const char *SSL_get_psk_identity_hint(const SSL *s) { if (s == NULL || s->session == NULL) return NULL; - return (s->session->psk_identity_hint); + return s->session->psk_identity_hint; } const char *SSL_get_psk_identity(const SSL *s) { if (s == NULL || s->session == NULL) return NULL; - return (s->session->psk_identity); + return s->session->psk_identity; } void SSL_set_psk_client_callback(SSL *s, SSL_psk_client_cb_func cb) @@ -4181,16 +4431,22 @@ int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen, int hashleni = EVP_MD_CTX_size(hdgst); int ret = 0; - if (hashleni < 0 || (size_t)hashleni > outlen) + if (hashleni < 0 || (size_t)hashleni > outlen) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH, + ERR_R_INTERNAL_ERROR); goto err; + } ctx = EVP_MD_CTX_new(); if (ctx == NULL) goto err; if (!EVP_MD_CTX_copy_ex(ctx, hdgst) - || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) + || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH, + ERR_R_INTERNAL_ERROR); goto err; + } *hashlen = hashleni; @@ -4610,7 +4866,8 @@ int ssl_validate_ct(SSL *s) ctx = CT_POLICY_EVAL_CTX_new(); if (ctx == NULL) { - SSLerr(SSL_F_SSL_VALIDATE_CT, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_VALIDATE_CT, + ERR_R_MALLOC_FAILURE); goto end; } @@ -4638,13 +4895,17 @@ int ssl_validate_ct(SSL *s) * ought to correspond to an inability to carry out its duties. */ if (SCT_LIST_validate(scts, ctx) < 0) { - SSLerr(SSL_F_SSL_VALIDATE_CT, SSL_R_SCT_VERIFICATION_FAILED); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL_VALIDATE_CT, + SSL_R_SCT_VERIFICATION_FAILED); goto end; } ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg); if (ret < 0) ret = 0; /* This function returns 0 on failure */ + if (!ret) + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL_VALIDATE_CT, + SSL_R_CALLBACK_FAILED); end: CT_POLICY_EVAL_CTX_free(ctx); @@ -4879,7 +5140,8 @@ static int nss_keylog_int(const char *prefix, prefix_len = strlen(prefix); out_len = prefix_len + (2*parameter_1_len) + (2*parameter_2_len) + 3; if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) { - SSLerr(SSL_F_NSS_KEYLOG_INT, ERR_R_MALLOC_FAILURE); + SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, SSL_F_NSS_KEYLOG_INT, + ERR_R_MALLOC_FAILURE); return 0; } @@ -4912,7 +5174,8 @@ int ssl_log_rsa_client_key_exchange(SSL *ssl, size_t premaster_len) { if (encrypted_premaster_len < 8) { - SSLerr(SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); return 0; } @@ -4940,23 +5203,21 @@ int ssl_log_secret(SSL *ssl, #define SSLV2_CIPHER_LEN 3 -int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format, - int *al) +int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format) { int n; n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; if (PACKET_remaining(cipher_suites) == 0) { - SSLerr(SSL_F_SSL_CACHE_CIPHERLIST, SSL_R_NO_CIPHERS_SPECIFIED); - *al = SSL_AD_ILLEGAL_PARAMETER; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL_CACHE_CIPHERLIST, + SSL_R_NO_CIPHERS_SPECIFIED); return 0; } if (PACKET_remaining(cipher_suites) % n != 0) { - SSLerr(SSL_F_SSL_CACHE_CIPHERLIST, - SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); - *al = SSL_AD_DECODE_ERROR; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, + SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); return 0; } @@ -4980,8 +5241,9 @@ int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format, raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN); s->s3->tmp.ciphers_raw = raw; if (raw == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - goto err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, + ERR_R_MALLOC_FAILURE); + return 0; } for (s->s3->tmp.ciphers_rawlen = 0; PACKET_remaining(&sslv2ciphers) > 0; @@ -4992,41 +5254,40 @@ int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format, TLS_CIPHER_LEN)) || (leadbyte != 0 && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) { - *al = SSL_AD_DECODE_ERROR; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, + SSL_R_BAD_PACKET); OPENSSL_free(s->s3->tmp.ciphers_raw); s->s3->tmp.ciphers_raw = NULL; s->s3->tmp.ciphers_rawlen = 0; - goto err; + return 0; } if (leadbyte == 0) s->s3->tmp.ciphers_rawlen += TLS_CIPHER_LEN; } } else if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw, &s->s3->tmp.ciphers_rawlen)) { - *al = SSL_AD_INTERNAL_ERROR; - goto err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, + ERR_R_INTERNAL_ERROR); + return 0; } return 1; - err: - return 0; } int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len, int isv2format, STACK_OF(SSL_CIPHER) **sk, STACK_OF(SSL_CIPHER) **scsvs) { - int alert; PACKET pkt; if (!PACKET_buf_init(&pkt, bytes, len)) return 0; - return bytes_to_cipher_list(s, &pkt, sk, scsvs, isv2format, &alert); + return bytes_to_cipher_list(s, &pkt, sk, scsvs, isv2format, 0); } int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, STACK_OF(SSL_CIPHER) **skp, STACK_OF(SSL_CIPHER) **scsvs_out, - int sslv2format, int *al) + int sslv2format, int fatal) { const SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk = NULL; @@ -5038,23 +5299,32 @@ int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; if (PACKET_remaining(cipher_suites) == 0) { - SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED); - *al = SSL_AD_ILLEGAL_PARAMETER; + if (fatal) + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_BYTES_TO_CIPHER_LIST, + SSL_R_NO_CIPHERS_SPECIFIED); + else + SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED); return 0; } if (PACKET_remaining(cipher_suites) % n != 0) { - SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, - SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); - *al = SSL_AD_DECODE_ERROR; + if (fatal) + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_BYTES_TO_CIPHER_LIST, + SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); + else + SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, + SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); return 0; } sk = sk_SSL_CIPHER_new_null(); scsvs = sk_SSL_CIPHER_new_null(); if (sk == NULL || scsvs == NULL) { - SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - *al = SSL_AD_INTERNAL_ERROR; + if (fatal) + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_BYTES_TO_CIPHER_LIST, + ERR_R_MALLOC_FAILURE); + else + SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); goto err; } @@ -5072,15 +5342,21 @@ int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, if (c != NULL) { if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) || (!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) { - SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - *al = SSL_AD_INTERNAL_ERROR; + if (fatal) + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); + else + SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); goto err; } } } if (PACKET_remaining(cipher_suites) > 0) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_BAD_LENGTH); + if (fatal) + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_BYTES_TO_CIPHER_LIST, + SSL_R_BAD_LENGTH); + else + SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_BAD_LENGTH); goto err; } @@ -5123,9 +5399,113 @@ uint32_t SSL_get_max_early_data(const SSL *s) return s->max_early_data; } -int ssl_randbytes(SSL *s, unsigned char *rnd, size_t size) +__owur unsigned int ssl_get_max_send_fragment(const SSL *ssl) +{ + /* Return any active Max Fragment Len extension */ + if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session)) + return GET_MAX_FRAGMENT_LENGTH(ssl->session); + + /* return current SSL connection setting */ + return ssl->max_send_fragment; +} + +__owur unsigned int ssl_get_split_send_fragment(const SSL *ssl) +{ + /* Return a value regarding an active Max Fragment Len extension */ + if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session) + && ssl->split_send_fragment > GET_MAX_FRAGMENT_LENGTH(ssl->session)) + return GET_MAX_FRAGMENT_LENGTH(ssl->session); + + /* else limit |split_send_fragment| to current |max_send_fragment| */ + if (ssl->split_send_fragment > ssl->max_send_fragment) + return ssl->max_send_fragment; + + /* return current SSL connection setting */ + return ssl->split_send_fragment; +} + +int SSL_stateless(SSL *s) +{ + int ret; + + /* Ensure there is no state left over from a previous invocation */ + if (!SSL_clear(s)) + return 0; + + ERR_clear_error(); + + s->s3->flags |= TLS1_FLAGS_STATELESS; + ret = SSL_accept(s); + s->s3->flags &= ~TLS1_FLAGS_STATELESS; + + if (ret > 0 && s->ext.cookieok) + return 1; + + if (s->hello_retry_request == SSL_HRR_PENDING && !ossl_statem_in_error(s)) + return 0; + + return -1; +} + +void SSL_force_post_handshake_auth(SSL *ssl) { - if (s->drbg != NULL) - return RAND_DRBG_generate(s->drbg, rnd, size, 0, NULL, 0); - return RAND_bytes(rnd, (int)size); + ssl->pha_forced = 1; +} + +int SSL_verify_client_post_handshake(SSL *ssl) +{ + if (!SSL_IS_TLS13(ssl)) { + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_WRONG_SSL_VERSION); + return 0; + } + if (!ssl->server) { + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_NOT_SERVER); + return 0; + } + + if (!SSL_is_init_finished(ssl)) { + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_STILL_IN_INIT); + return 0; + } + + switch (ssl->post_handshake_auth) { + case SSL_PHA_NONE: + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_EXTENSION_NOT_RECEIVED); + return 0; + default: + case SSL_PHA_EXT_SENT: + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, ERR_R_INTERNAL_ERROR); + return 0; + case SSL_PHA_EXT_RECEIVED: + break; + case SSL_PHA_REQUEST_PENDING: + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_REQUEST_PENDING); + return 0; + case SSL_PHA_REQUESTED: + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_REQUEST_SENT); + return 0; + } + + ssl->post_handshake_auth = SSL_PHA_REQUEST_PENDING; + + /* checks verify_mode and algorithm_auth */ + if (!send_certificate_request(ssl)) { + ssl->post_handshake_auth = SSL_PHA_EXT_RECEIVED; /* restore on error */ + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_INVALID_CONFIG); + return 0; + } + + ossl_statem_set_in_init(ssl, 1); + return 1; +} + +int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx, + SSL_CTX_generate_session_ticket_fn gen_cb, + SSL_CTX_decrypt_session_ticket_fn dec_cb, + void *arg) +{ + ctx->generate_ticket_cb = gen_cb; + ctx->decrypt_ticket_cb = dec_cb; + ctx->ticket_cb_data = arg; + return 1; }