X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_lib.c;h=595d7c13a75cf584328fe6efa3df21f280a9d843;hp=3a6b672a0ffff82799cc30ecb02a32018c71954f;hb=4004ce5f6cd6540a07d6d1a4cef7138821d5e596;hpb=ec15acb6bc554b8f87a519c3519f5bf4d367ded9 diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 3a6b672a0f..595d7c13a7 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -72,7 +72,8 @@ int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype) return 1; } -int tls_setup_handshake(SSL *s) { +int tls_setup_handshake(SSL *s) +{ if (!ssl3_init_finished_mac(s)) return 0; @@ -107,9 +108,8 @@ int tls_setup_handshake(SSL *s) { s->s3->tmp.cert_req = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_IS_DTLS(s)) s->statem.use_timer = 1; - } } return 1; @@ -171,31 +171,27 @@ static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, int tls_construct_cert_verify(SSL *s, WPACKET *pkt) { - EVP_PKEY *pkey; - const EVP_MD *md; + EVP_PKEY *pkey = NULL; + const EVP_MD *md = NULL; EVP_MD_CTX *mctx = NULL; EVP_PKEY_CTX *pctx = NULL; size_t hdatalen = 0, siglen = 0; void *hdata; unsigned char *sig = NULL; unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; - int pktype, ispss = 0; + const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg; - if (s->server) { - /* Only happens in TLSv1.3 */ - /* - * TODO(TLS1.3): This needs to change. We should not get this from the - * cipher. However, for now, we have not done the work to separate the - * certificate type from the ciphersuite - */ - pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md); - if (pkey == NULL) - goto err; - } else { - md = s->s3->tmp.md[s->cert->key - s->cert->pkeys]; - pkey = s->cert->key->privatekey; + if (lu == NULL || s->s3->tmp.cert == NULL) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } + pkey = s->s3->tmp.cert->privatekey; + md = ssl_md(lu->hash_idx); + + if (pkey == NULL || md == NULL) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; } - pktype = EVP_PKEY_id(pkey); mctx = EVP_MD_CTX_new(); if (mctx == NULL) { @@ -209,13 +205,10 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) goto err; } - if (SSL_USE_SIGALGS(s) && !tls12_get_sigandhash(s, pkt, pkey, md, &ispss)) { + if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; } -#ifdef SSL_DEBUG - fprintf(stderr, "Using client alg %s\n", EVP_MD_name(md)); -#endif siglen = EVP_PKEY_size(pkey); sig = OPENSSL_malloc(siglen); if (sig == NULL) { @@ -229,10 +222,10 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) goto err; } - if (ispss) { + if (lu->sig == EVP_PKEY_RSA_PSS) { if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 - /* -1 here means set saltlen to the digest len */ - || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) { + || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, + RSA_PSS_SALTLEN_DIGEST) <= 0) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); goto err; } @@ -252,6 +245,8 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) #ifndef OPENSSL_NO_GOST { + int pktype = lu->sig; + if (pktype == NID_id_GostR3410_2001 || pktype == NID_id_GostR3410_2012_256 || pktype == NID_id_GostR3410_2012_512) @@ -286,7 +281,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) unsigned char *gost_data = NULL; #endif int al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR; - int type = 0, j, pktype, ispss = 0; + int type = 0, j, pktype; unsigned int len; X509 *peer; const EVP_MD *md = NULL; @@ -303,6 +298,11 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) peer = s->session->peer; pkey = X509_get0_pubkey(peer); + if (pkey == NULL) { + al = SSL_AD_INTERNAL_ERROR; + goto f_err; + } + pktype = EVP_PKEY_id(pkey); type = X509_certificate_type(peer, pkey); @@ -333,28 +333,23 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) al = SSL_AD_DECODE_ERROR; goto f_err; } - rv = tls12_check_peer_sigalg(&md, s, sigalg, pkey); + rv = tls12_check_peer_sigalg(s, sigalg, pkey); if (rv == -1) { goto f_err; } else if (rv == 0) { al = SSL_AD_DECODE_ERROR; goto f_err; } - ispss = SIGID_IS_PSS(sigalg); #ifdef SSL_DEBUG fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); #endif - } else { - /* Use default digest for this key type */ - int idx = ssl_cert_type(NULL, pkey); - if (idx >= 0) - md = s->s3->tmp.md[idx]; - if (md == NULL) { + } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { al = SSL_AD_INTERNAL_ERROR; goto f_err; - } } + md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx); + if (!PACKET_get_net_2(pkt, &len)) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); al = SSL_AD_DECODE_ERROR; @@ -402,10 +397,10 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) } #endif - if (ispss) { + if (SSL_USE_PSS(s)) { if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 - /* -1 here means set saltlen to the digest len */ - || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1) <= 0) { + || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, + RSA_PSS_SALTLEN_DIGEST) <= 0) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); goto f_err; } @@ -470,10 +465,13 @@ int tls_construct_finished(SSL *s, WPACKET *pkt) goto err; } - /* Log the master secret, if logging is enabled. */ - if (!ssl_log_master_secret(s, s->s3->client_random, SSL3_RANDOM_SIZE, - s->session->master_key, - s->session->master_key_length)) + /* + * Log the master secret, if logging is enabled. We don't log it for + * TLSv1.3: there's a different key schedule for that. + */ + if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL, + s->session->master_key, + s->session->master_key_length)) return 0; /* @@ -497,6 +495,63 @@ int tls_construct_finished(SSL *s, WPACKET *pkt) return 0; } +int tls_construct_key_update(SSL *s, WPACKET *pkt) +{ + if (!WPACKET_put_bytes_u8(pkt, s->key_update)) { + SSLerr(SSL_F_TLS_CONSTRUCT_KEY_UPDATE, ERR_R_INTERNAL_ERROR); + goto err; + } + + s->key_update = SSL_KEY_UPDATE_NONE; + return 1; + + err: + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + return 0; +} + +MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) +{ + int al; + unsigned int updatetype; + + s->key_update_count++; + if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) { + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_TOO_MANY_KEY_UPDATES); + goto err; + } + + if (!PACKET_get_1(pkt, &updatetype) + || PACKET_remaining(pkt) != 0 + || (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED + && updatetype != SSL_KEY_UPDATE_REQUESTED)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_BAD_KEY_UPDATE); + goto err; + } + + /* + * If we get a request for us to update our sending keys too then, we need + * to additionally send a KeyUpdate message. However that message should + * not also request an update (otherwise we get into an infinite loop). + */ + if (updatetype == SSL_KEY_UPDATE_REQUESTED) + s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; + + if (!tls13_update_key(s, 0)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, ERR_R_INTERNAL_ERROR); + goto err; + } + + return MSG_PROCESS_FINISHED_READING; + err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + ossl_statem_set_error(s); + return MSG_PROCESS_ERROR; +} + #ifndef OPENSSL_NO_NEXTPROTONEG /* * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen @@ -599,6 +654,10 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) int al = SSL_AD_INTERNAL_ERROR; size_t md_len; + + /* This is a real handshake so make sure we clean it up at the end */ + s->statem.cleanuphand = 1; + /* If this occurs, we have missed a message */ if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) { al = SSL_AD_UNEXPECTED_MESSAGE; @@ -889,6 +948,7 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs) s->d1->next_handshake_write_seq = 0; dtls1_clear_received_buffer(s); } + s->early_data_state = SSL_EARLY_DATA_NONE; } /* @@ -898,6 +958,7 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs) if (!clearbufs) return WORK_FINISHED_CONTINUE; + ossl_statem_set_in_init(s, 0); return WORK_FINISHED_STOP; } @@ -1077,7 +1138,7 @@ int ssl_cert_type(const X509 *x, const EVP_PKEY *pk) default: return -1; case EVP_PKEY_RSA: - return SSL_PKEY_RSA_ENC; + return SSL_PKEY_RSA; case EVP_PKEY_DSA: return SSL_PKEY_DSA_SIGN; #ifndef OPENSSL_NO_EC @@ -1266,8 +1327,6 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method) return SSL_R_UNSUPPORTED_PROTOCOL; if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s)) return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE; - else if ((method->flags & SSL_METHOD_NO_FIPS) != 0 && FIPS_mode()) - return SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE; return 0; } @@ -1440,21 +1499,22 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello) switch (server_version) { default: + if (!SSL_IS_TLS13(s)) { + if (version_cmp(s, client_version, s->version) < 0) + return SSL_R_WRONG_SSL_VERSION; + /* + * If this SSL handle is not from a version flexible method we don't + * (and never did) check min/max FIPS or Suite B constraints. Hope + * that's OK. It is up to the caller to not choose fixed protocol + * versions they don't want. If not, then easy to fix, just return + * ssl_method_error(s, s->method) + */ + return 0; + } /* - * TODO(TLS1.3): This check will fail if someone attempts to do - * renegotiation in TLS1.3 at the moment. We need to ensure we disable - * renegotiation for TLS1.3 - */ - if (version_cmp(s, client_version, s->version) < 0) - return SSL_R_WRONG_SSL_VERSION; - /* - * If this SSL handle is not from a version flexible method we don't - * (and never did) check min/max FIPS or Suite B constraints. Hope - * that's OK. It is up to the caller to not choose fixed protocol - * versions they don't want. If not, then easy to fix, just return - * ssl_method_error(s, s->method) + * Fall through if we are TLSv1.3 already (this means we must be after + * a HelloRetryRequest */ - return 0; case TLS_ANY_VERSION: table = tls_version_table; break; @@ -1509,6 +1569,15 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello) } if (best_vers > 0) { + if (SSL_IS_TLS13(s)) { + /* + * We get here if this is after a HelloRetryRequest. In this + * case we just check that we still negotiated TLSv1.3 + */ + if (best_vers != TLS1_3_VERSION) + return SSL_R_UNSUPPORTED_PROTOCOL; + return 0; + } s->version = best_vers; s->method = best_method; return 0; @@ -1591,6 +1660,9 @@ int ssl_choose_client_version(SSL *s, int version) continue; if (vent->cmeth == NULL) break; + if (s->hello_retry_request && version != TLS1_3_VERSION) + return SSL_R_WRONG_SSL_VERSION; + method = vent->cmeth(); err = ssl_method_error(s, method); if (err != 0) @@ -1612,7 +1684,7 @@ int ssl_choose_client_version(SSL *s, int version) * Work out what version we should be using for the initial ClientHello if the * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx * options, the MinProtocol and MaxProtocol configuration commands, any Suite B - * or FIPS_mode() constraints and any floor imposed by the security level here, + * constraints and any floor imposed by the security level here, * so we don't advertise the wrong protocol version to only reject the outcome later. * * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled, @@ -1731,3 +1803,33 @@ int ssl_set_client_hello_version(SSL *s) s->client_version = ver_max; return 0; } + +/* + * Checks a list of |groups| to determine if the |group_id| is in it. If it is + * and |checkallow| is 1 then additionally check if the group is allowed to be + * used. Returns 1 if the group is in the list (and allowed if |checkallow| is + * 1) or 0 otherwise. + */ +#ifndef OPENSSL_NO_EC +int check_in_list(SSL *s, unsigned int group_id, const unsigned char *groups, + size_t num_groups, int checkallow) +{ + size_t i; + + if (groups == NULL || num_groups == 0) + return 0; + + for (i = 0; i < num_groups; i++, groups += 2) { + unsigned int share_id = (groups[0] << 8) | (groups[1]); + + if (group_id == share_id + && (!checkallow + || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) { + break; + } + } + + /* If i == num_groups then not in the list */ + return i < num_groups; +} +#endif