X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_lib.c;h=595d7c13a75cf584328fe6efa3df21f280a9d843;hp=16c765fabf57c1f8a3e83f0607540b959b8cf36c;hb=4004ce5f6cd6540a07d6d1a4cef7138821d5e596;hpb=83b4049ab75e9da1815e9c854a9297bca3d4af6b diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 16c765fabf..595d7c13a7 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -171,17 +171,27 @@ static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, int tls_construct_cert_verify(SSL *s, WPACKET *pkt) { - EVP_PKEY *pkey = s->cert->key->privatekey; - const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys]; + EVP_PKEY *pkey = NULL; + const EVP_MD *md = NULL; EVP_MD_CTX *mctx = NULL; EVP_PKEY_CTX *pctx = NULL; size_t hdatalen = 0, siglen = 0; void *hdata; unsigned char *sig = NULL; unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; - int pktype, ispss = 0; + const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg; - pktype = EVP_PKEY_id(pkey); + if (lu == NULL || s->s3->tmp.cert == NULL) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } + pkey = s->s3->tmp.cert->privatekey; + md = ssl_md(lu->hash_idx); + + if (pkey == NULL || md == NULL) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } mctx = EVP_MD_CTX_new(); if (mctx == NULL) { @@ -195,13 +205,10 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) goto err; } - if (SSL_USE_SIGALGS(s) && !tls12_get_sigandhash(s, pkt, pkey, md, &ispss)) { + if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; } -#ifdef SSL_DEBUG - fprintf(stderr, "Using client alg %s\n", EVP_MD_name(md)); -#endif siglen = EVP_PKEY_size(pkey); sig = OPENSSL_malloc(siglen); if (sig == NULL) { @@ -215,7 +222,7 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) goto err; } - if (ispss) { + if (lu->sig == EVP_PKEY_RSA_PSS) { if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) { @@ -238,6 +245,8 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) #ifndef OPENSSL_NO_GOST { + int pktype = lu->sig; + if (pktype == NID_id_GostR3410_2001 || pktype == NID_id_GostR3410_2012_256 || pktype == NID_id_GostR3410_2012_512) @@ -331,21 +340,16 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) al = SSL_AD_DECODE_ERROR; goto f_err; } - md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx); #ifdef SSL_DEBUG fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); #endif - } else { - /* Use default digest for this key type */ - int idx = ssl_cert_type(NULL, pkey); - if (idx >= 0) - md = s->s3->tmp.md[idx]; - if (md == NULL) { + } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { al = SSL_AD_INTERNAL_ERROR; goto f_err; - } } + md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx); + if (!PACKET_get_net_2(pkt, &len)) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); al = SSL_AD_DECODE_ERROR; @@ -491,6 +495,63 @@ int tls_construct_finished(SSL *s, WPACKET *pkt) return 0; } +int tls_construct_key_update(SSL *s, WPACKET *pkt) +{ + if (!WPACKET_put_bytes_u8(pkt, s->key_update)) { + SSLerr(SSL_F_TLS_CONSTRUCT_KEY_UPDATE, ERR_R_INTERNAL_ERROR); + goto err; + } + + s->key_update = SSL_KEY_UPDATE_NONE; + return 1; + + err: + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + return 0; +} + +MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) +{ + int al; + unsigned int updatetype; + + s->key_update_count++; + if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) { + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_TOO_MANY_KEY_UPDATES); + goto err; + } + + if (!PACKET_get_1(pkt, &updatetype) + || PACKET_remaining(pkt) != 0 + || (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED + && updatetype != SSL_KEY_UPDATE_REQUESTED)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_BAD_KEY_UPDATE); + goto err; + } + + /* + * If we get a request for us to update our sending keys too then, we need + * to additionally send a KeyUpdate message. However that message should + * not also request an update (otherwise we get into an infinite loop). + */ + if (updatetype == SSL_KEY_UPDATE_REQUESTED) + s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; + + if (!tls13_update_key(s, 0)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, ERR_R_INTERNAL_ERROR); + goto err; + } + + return MSG_PROCESS_FINISHED_READING; + err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + ossl_statem_set_error(s); + return MSG_PROCESS_ERROR; +} + #ifndef OPENSSL_NO_NEXTPROTONEG /* * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen @@ -593,6 +654,10 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) int al = SSL_AD_INTERNAL_ERROR; size_t md_len; + + /* This is a real handshake so make sure we clean it up at the end */ + s->statem.cleanuphand = 1; + /* If this occurs, we have missed a message */ if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) { al = SSL_AD_UNEXPECTED_MESSAGE; @@ -883,6 +948,7 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs) s->d1->next_handshake_write_seq = 0; dtls1_clear_received_buffer(s); } + s->early_data_state = SSL_EARLY_DATA_NONE; } /* @@ -892,6 +958,7 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs) if (!clearbufs) return WORK_FINISHED_CONTINUE; + ossl_statem_set_in_init(s, 0); return WORK_FINISHED_STOP; } @@ -1071,7 +1138,7 @@ int ssl_cert_type(const X509 *x, const EVP_PKEY *pk) default: return -1; case EVP_PKEY_RSA: - return SSL_PKEY_RSA_ENC; + return SSL_PKEY_RSA; case EVP_PKEY_DSA: return SSL_PKEY_DSA_SIGN; #ifndef OPENSSL_NO_EC @@ -1260,8 +1327,6 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method) return SSL_R_UNSUPPORTED_PROTOCOL; if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s)) return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE; - else if ((method->flags & SSL_METHOD_NO_FIPS) != 0 && FIPS_mode()) - return SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE; return 0; } @@ -1434,21 +1499,22 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello) switch (server_version) { default: + if (!SSL_IS_TLS13(s)) { + if (version_cmp(s, client_version, s->version) < 0) + return SSL_R_WRONG_SSL_VERSION; + /* + * If this SSL handle is not from a version flexible method we don't + * (and never did) check min/max FIPS or Suite B constraints. Hope + * that's OK. It is up to the caller to not choose fixed protocol + * versions they don't want. If not, then easy to fix, just return + * ssl_method_error(s, s->method) + */ + return 0; + } /* - * TODO(TLS1.3): This check will fail if someone attempts to do - * renegotiation in TLS1.3 at the moment. We need to ensure we disable - * renegotiation for TLS1.3 - */ - if (version_cmp(s, client_version, s->version) < 0) - return SSL_R_WRONG_SSL_VERSION; - /* - * If this SSL handle is not from a version flexible method we don't - * (and never did) check min/max FIPS or Suite B constraints. Hope - * that's OK. It is up to the caller to not choose fixed protocol - * versions they don't want. If not, then easy to fix, just return - * ssl_method_error(s, s->method) + * Fall through if we are TLSv1.3 already (this means we must be after + * a HelloRetryRequest */ - return 0; case TLS_ANY_VERSION: table = tls_version_table; break; @@ -1503,6 +1569,15 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello) } if (best_vers > 0) { + if (SSL_IS_TLS13(s)) { + /* + * We get here if this is after a HelloRetryRequest. In this + * case we just check that we still negotiated TLSv1.3 + */ + if (best_vers != TLS1_3_VERSION) + return SSL_R_UNSUPPORTED_PROTOCOL; + return 0; + } s->version = best_vers; s->method = best_method; return 0; @@ -1585,6 +1660,9 @@ int ssl_choose_client_version(SSL *s, int version) continue; if (vent->cmeth == NULL) break; + if (s->hello_retry_request && version != TLS1_3_VERSION) + return SSL_R_WRONG_SSL_VERSION; + method = vent->cmeth(); err = ssl_method_error(s, method); if (err != 0) @@ -1606,7 +1684,7 @@ int ssl_choose_client_version(SSL *s, int version) * Work out what version we should be using for the initial ClientHello if the * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx * options, the MinProtocol and MaxProtocol configuration commands, any Suite B - * or FIPS_mode() constraints and any floor imposed by the security level here, + * constraints and any floor imposed by the security level here, * so we don't advertise the wrong protocol version to only reject the outcome later. * * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled, @@ -1725,3 +1803,33 @@ int ssl_set_client_hello_version(SSL *s) s->client_version = ver_max; return 0; } + +/* + * Checks a list of |groups| to determine if the |group_id| is in it. If it is + * and |checkallow| is 1 then additionally check if the group is allowed to be + * used. Returns 1 if the group is in the list (and allowed if |checkallow| is + * 1) or 0 otherwise. + */ +#ifndef OPENSSL_NO_EC +int check_in_list(SSL *s, unsigned int group_id, const unsigned char *groups, + size_t num_groups, int checkallow) +{ + size_t i; + + if (groups == NULL || num_groups == 0) + return 0; + + for (i = 0; i < num_groups; i++, groups += 2) { + unsigned int share_id = (groups[0] << 8) | (groups[1]); + + if (group_id == share_id + && (!checkallow + || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) { + break; + } + } + + /* If i == num_groups then not in the list */ + return i < num_groups; +} +#endif