X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_lib.c;h=19b75a7ac70f9cfb91698419219f7ceb296a7547;hp=6ceb9ec39ead7278ddf2a8b0706d5977ae9bc458;hb=f5c7f5dfbaf0d2f7d946d0fe86f08e6bcb36ed0d;hpb=f3e235ed6faa82170d857fdec3287558eb906c58;ds=sidebyside diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 6ceb9ec39e..19b75a7ac7 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -19,7 +19,6 @@ #include "../ssl_locl.h" #include "statem_locl.h" #include -#include #include #include #include @@ -41,8 +40,10 @@ int ssl3_do_write(SSL *s, int type) * should not be done for 'Hello Request's, but in that case we'll * ignore the result anyway */ - ssl3_finish_mac(s, (unsigned char *)&s->init_buf->data[s->init_off], - ret); + if (!ssl3_finish_mac(s, + (unsigned char *)&s->init_buf->data[s->init_off], + ret)) + return -1; if (ret == s->init_num) { if (s->msg_callback) @@ -137,13 +138,13 @@ MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) */ if (SSL_IS_DTLS(s)) { if ((s->version == DTLS1_BAD_VER - && remain != DTLS1_CCS_HEADER_LENGTH + 1) - || (s->version != DTLS1_BAD_VER - && remain != DTLS1_CCS_HEADER_LENGTH - 1)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, - SSL_R_BAD_CHANGE_CIPHER_SPEC); - goto f_err; + && remain != DTLS1_CCS_HEADER_LENGTH + 1) + || (s->version != DTLS1_BAD_VER + && remain != DTLS1_CCS_HEADER_LENGTH - 1)) { + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, + SSL_R_BAD_CHANGE_CIPHER_SPEC); + goto f_err; } } else { if (remain != 0) { @@ -330,6 +331,7 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst) s->d1->handshake_read_seq = 0; s->d1->handshake_write_seq = 0; s->d1->next_handshake_write_seq = 0; + dtls1_clear_received_buffer(s); } } @@ -348,12 +350,24 @@ int tls_get_message_header(SSL *s, int *mt) do { while (s->init_num < SSL3_HM_HEADER_LENGTH) { i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, - &p[s->init_num], SSL3_HM_HEADER_LENGTH - s->init_num, 0); + &p[s->init_num], + SSL3_HM_HEADER_LENGTH - s->init_num, + 0); if (i <= 0) { s->rwstate = SSL_READING; return 0; } if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) { + /* + * A ChangeCipherSpec must be a single byte and may not occur + * in the middle of a handshake message. + */ + if (s->init_num != 0 || i != 1 || p[0] != SSL3_MT_CCS) { + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, + SSL_R_BAD_CHANGE_CIPHER_SPEC); + goto f_err; + } s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; s->init_num = i - 1; s->s3->tmp.message_size = i; @@ -390,15 +404,14 @@ int tls_get_message_header(SSL *s, int *mt) *mt = *p; s->s3->tmp.message_type = *(p++); - if(RECORD_LAYER_is_sslv2_record(&s->rlayer)) { + if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { /* * Only happens with SSLv3+ in an SSLv2 backward compatible * ClientHello + * + * Total message size is the remaining record bytes to read + * plus the SSL3_HM_HEADER_LENGTH bytes that we already read */ - /* - * Total message size is the remaining record bytes to read - * plus the SSL3_HM_HEADER_LENGTH bytes that we already read - */ l = RECORD_LAYER_get_rrec_length(&s->rlayer) + SSL3_HM_HEADER_LENGTH; if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l)) { @@ -418,7 +431,7 @@ int tls_get_message_header(SSL *s, int *mt) goto f_err; } if (l && !BUF_MEM_grow_clean(s->init_buf, - (int)l + SSL3_HM_HEADER_LENGTH)) { + (int)l + SSL3_HM_HEADER_LENGTH)) { SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, ERR_R_BUF_LIB); goto err; } @@ -471,14 +484,25 @@ int tls_get_message_body(SSL *s, unsigned long *len) #endif /* Feed this message into MAC computation. */ - if(RECORD_LAYER_is_sslv2_record(&s->rlayer)) { - ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num); + if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { + if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, + s->init_num)) { + SSLerr(SSL_F_TLS_GET_MESSAGE_BODY, ERR_R_EVP_LIB); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + *len = 0; + return 0; + } if (s->msg_callback) - s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data, + s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data, (size_t)s->init_num, s, s->msg_callback_arg); } else { - ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, - s->init_num + SSL3_HM_HEADER_LENGTH); + if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, + s->init_num + SSL3_HM_HEADER_LENGTH)) { + SSLerr(SSL_F_TLS_GET_MESSAGE_BODY, ERR_R_EVP_LIB); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + *len = 0; + return 0; + } if (s->msg_callback) s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s, @@ -499,10 +523,9 @@ int tls_get_message_body(SSL *s, unsigned long *len) return 1; } -int ssl_cert_type(X509 *x, EVP_PKEY *pk) +int ssl_cert_type(const X509 *x, const EVP_PKEY *pk) { - if (pk == NULL && - (pk = X509_get0_pubkey(x)) == NULL) + if (pk == NULL && (pk = X509_get0_pubkey(x)) == NULL) return -1; switch (EVP_PKEY_id(pk)) { @@ -616,8 +639,8 @@ static int version_cmp(const SSL *s, int a, int b) typedef struct { int version; - const SSL_METHOD *(*cmeth)(void); - const SSL_METHOD *(*smeth)(void); + const SSL_METHOD *(*cmeth) (void); + const SSL_METHOD *(*smeth) (void); } version_info; #if TLS_MAX_VERSION != TLS1_2_VERSION @@ -626,26 +649,26 @@ typedef struct { static const version_info tls_version_table[] = { #ifndef OPENSSL_NO_TLS1_2 - { TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method }, + {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method}, #else - { TLS1_2_VERSION, NULL, NULL }, + {TLS1_2_VERSION, NULL, NULL}, #endif #ifndef OPENSSL_NO_TLS1_1 - { TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method }, + {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method}, #else - { TLS1_1_VERSION, NULL, NULL }, + {TLS1_1_VERSION, NULL, NULL}, #endif #ifndef OPENSSL_NO_TLS1 - { TLS1_VERSION, tlsv1_client_method, tlsv1_server_method }, + {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method}, #else - { TLS1_VERSION, NULL, NULL }, + {TLS1_VERSION, NULL, NULL}, #endif #ifndef OPENSSL_NO_SSL3 - { SSL3_VERSION, sslv3_client_method, sslv3_server_method }, + {SSL3_VERSION, sslv3_client_method, sslv3_server_method}, #else - { SSL3_VERSION, NULL, NULL }, + {SSL3_VERSION, NULL, NULL}, #endif - { 0, NULL, NULL }, + {0, NULL, NULL}, }; #if DTLS_MAX_VERSION != DTLS1_2_VERSION @@ -654,16 +677,18 @@ static const version_info tls_version_table[] = { static const version_info dtls_version_table[] = { #ifndef OPENSSL_NO_DTLS1_2 - { DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method }, + {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method}, #else - { DTLS1_2_VERSION, NULL, NULL }, + {DTLS1_2_VERSION, NULL, NULL}, #endif #ifndef OPENSSL_NO_DTLS1 - { DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method }, + {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method}, + {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL}, #else - { DTLS1_VERSION, NULL, NULL }, + {DTLS1_VERSION, NULL, NULL}, + {DTLS1_BAD_VER, NULL, NULL}, #endif - { 0, NULL, NULL }, + {0, NULL, NULL}, }; /* @@ -684,7 +709,7 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method) return SSL_R_VERSION_TOO_LOW; if (s->max_proto_version != 0 && - version_cmp(s, version, s->max_proto_version) > 0) + version_cmp(s, version, s->max_proto_version) > 0) return SSL_R_VERSION_TOO_HIGH; if ((s->options & method->mask) != 0) @@ -771,8 +796,7 @@ int ssl_check_version_downgrade(SSL *s) } for (vent = table; vent->version != 0; ++vent) { - if (vent->smeth != NULL && - ssl_method_error(s, vent->smeth()) == 0) + if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0) return s->version == vent->version; } return 0; @@ -826,7 +850,7 @@ int ssl_set_version_bound(int method_version, int version, int *bound) case DTLS_ANY_VERSION: if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) || - DTLS_VERSION_LT(version, DTLS1_VERSION)) + DTLS_VERSION_LT(version, DTLS1_BAD_VER)) return 0; break; } @@ -965,14 +989,15 @@ int ssl_choose_client_version(SSL *s, int version) * or FIPS_mode() constraints and any floor imposed by the security level here, * so we don't advertise the wrong protocol version to only reject the outcome later. * - * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled, + * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled, * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1. * * Returns 0 on success or an SSL error reason number on failure. On failure * min_version and max_version will also be set to 0. */ -int ssl_get_client_min_max_version(const SSL *s, int *min_version, int *max_version) +int ssl_get_client_min_max_version(const SSL *s, int *min_version, + int *max_version) { int version; int hole;