X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_lib.c;h=e6e61f787686d188fc065a08dd6b62e78bfbe108;hp=6262a068c20ebab7c22e7fc39f735e9057388ed1;hb=60690b5b8396d7d5234cd067206190fb8aca78d2;hpb=d162340d367d7a74916106d8706c6b22adb727c2 diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 6262a068c2..e6e61f7876 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -105,7 +105,7 @@ int tls_setup_handshake(SSL *s) * enabled. For clients we do this check during construction of the * ClientHello. */ - if (ssl_get_min_max_version(s, &ver_min, &ver_max) != 0) { + if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE, ERR_R_INTERNAL_ERROR); return 0; @@ -132,23 +132,18 @@ int tls_setup_handshake(SSL *s) } if (SSL_IS_FIRST_HANDSHAKE(s)) { /* N.B. s->session_ctx == s->ctx here */ - CRYPTO_atomic_add(&s->session_ctx->stats.sess_accept, 1, &i, - s->session_ctx->lock); + tsan_counter(&s->session_ctx->stats.sess_accept); } else { /* N.B. s->ctx may not equal s->session_ctx */ - CRYPTO_atomic_add(&s->ctx->stats.sess_accept_renegotiate, 1, &i, - s->ctx->lock); + tsan_counter(&s->ctx->stats.sess_accept_renegotiate); s->s3->tmp.cert_request = 0; } } else { - int discard; if (SSL_IS_FIRST_HANDSHAKE(s)) - CRYPTO_atomic_add(&s->session_ctx->stats.sess_connect, 1, &discard, - s->session_ctx->lock); + tsan_counter(&s->session_ctx->stats.sess_connect); else - CRYPTO_atomic_add(&s->session_ctx->stats.sess_connect_renegotiate, - 1, &discard, s->session_ctx->lock); + tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate); /* mark client_random uninitialized */ memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); @@ -208,9 +203,10 @@ static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen; } else { size_t retlen; + long retlen_l; - retlen = BIO_get_mem_data(s->s3->handshake_buffer, hdata); - if (retlen <= 0) { + retlen = retlen_l = BIO_get_mem_data(s->s3->handshake_buffer, hdata); + if (retlen_l <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA, ERR_R_INTERNAL_ERROR); return 0; @@ -386,9 +382,6 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) /* SSLfatal() already called */ goto err; } -#ifdef SSL_DEBUG - fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); -#endif } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR); @@ -401,6 +394,11 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) goto err; } +#ifdef SSL_DEBUG + if (SSL_USE_SIGALGS(s)) + fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); +#endif + /* Check for broken implementations of GOST ciphersuites */ /* * If key is GOST and len is exactly 64 or 128, it is signature without @@ -641,9 +639,12 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) /* * If we get a request for us to update our sending keys too then, we need * to additionally send a KeyUpdate message. However that message should - * not also request an update (otherwise we get into an infinite loop). + * not also request an update (otherwise we get into an infinite loop). We + * ignore a request for us to update our sending keys too if we already + * sent close_notify. */ - if (updatetype == SSL_KEY_UPDATE_REQUESTED) + if (updatetype == SSL_KEY_UPDATE_REQUESTED + && (s->shutdown & SSL_SENT_SHUTDOWN) == 0) s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; if (!tls13_update_key(s, 0)) { @@ -752,6 +753,12 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) /* This is a real handshake so make sure we clean it up at the end */ if (s->server) { + /* + * To get this far we must have read encrypted data from the client. We + * no longer tolerate unencrypted alerts. This value is ignored if less + * than TLSv1.3 + */ + s->statem.enc_read_state = ENC_READ_STATE_VALID; if (s->post_handshake_auth != SSL_PHA_REQUESTED) s->statem.cleanuphand = 1; if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) { @@ -1009,7 +1016,6 @@ unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) */ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) { - int discard; void (*cb) (const SSL *ssl, int type, int val) = NULL; if (clearbufs) { @@ -1055,8 +1061,7 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) ssl_update_cache(s, SSL_SESS_CACHE_SERVER); /* N.B. s->ctx may not equal s->session_ctx */ - CRYPTO_atomic_add(&s->ctx->stats.sess_accept_good, 1, &discard, - s->ctx->lock); + tsan_counter(&s->ctx->stats.sess_accept_good); s->handshake_func = ossl_statem_accept; if (SSL_IS_DTLS(s) && !s->hit) { @@ -1084,12 +1089,10 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); } if (s->hit) - CRYPTO_atomic_add(&s->session_ctx->stats.sess_hit, 1, &discard, - s->session_ctx->lock); + tsan_counter(&s->session_ctx->stats.sess_hit); s->handshake_func = ossl_statem_connect; - CRYPTO_atomic_add(&s->session_ctx->stats.sess_connect_good, 1, - &discard, s->session_ctx->lock); + tsan_counter(&s->session_ctx->stats.sess_connect_good); if (SSL_IS_DTLS(s) && s->hit) { /* @@ -1487,7 +1490,8 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method) /* * Only called by servers. Returns 1 if the server has a TLSv1.3 capable - * certificate type, or has PSK configured. Otherwise returns 0. + * certificate type, or has PSK or a certificate callback configured. Otherwise + * returns 0. */ static int is_tls13_capable(const SSL *s) { @@ -1498,7 +1502,7 @@ static int is_tls13_capable(const SSL *s) return 1; #endif - if (s->psk_find_session_cb != NULL) + if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL) return 1; for (i = 0; i < SSL_PKEY_NUM; i++) { @@ -1666,9 +1670,16 @@ static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd) if (vers == TLS1_2_VERSION && ssl_version_supported(s, TLS1_3_VERSION, NULL)) { *dgrd = DOWNGRADE_TO_1_2; - } else if (!SSL_IS_DTLS(s) && vers < TLS1_2_VERSION - && (ssl_version_supported(s, TLS1_2_VERSION, NULL) - || ssl_version_supported(s, TLS1_3_VERSION, NULL))) { + } else if (!SSL_IS_DTLS(s) + && vers < TLS1_2_VERSION + /* + * We need to ensure that a server that disables TLSv1.2 + * (creating a hole between TLSv1.3 and TLSv1.1) can still + * complete handshakes with clients that support TLSv1.2 and + * below. Therefore we do not enable the sentinel if TLSv1.3 is + * enabled and TLSv1.2 is not. + */ + && ssl_version_supported(s, TLS1_2_VERSION, NULL)) { *dgrd = DOWNGRADE_TO_1_1; } else { *dgrd = DOWNGRADE_NONE; @@ -1743,8 +1754,6 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) unsigned int best_vers = 0; const SSL_METHOD *best_method = NULL; PACKET versionslist; - /* TODO(TLS1.3): Remove this before release */ - unsigned int orig_candidate = 0; suppversions->parsed = 1; @@ -1753,25 +1762,19 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) return SSL_R_LENGTH_MISMATCH; } + /* + * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION. + * The spec only requires servers to check that it isn't SSLv3: + * "Any endpoint receiving a Hello message with + * ClientHello.legacy_version or ServerHello.legacy_version set to + * 0x0300 MUST abort the handshake with a "protocol_version" alert." + * We are slightly stricter and require that it isn't SSLv3 or lower. + * We tolerate TLSv1 and TLSv1.1. + */ + if (client_version <= SSL3_VERSION) + return SSL_R_BAD_LEGACY_VERSION; + while (PACKET_get_net_2(&versionslist, &candidate_vers)) { - /* TODO(TLS1.3): Remove this before release */ - if (candidate_vers == TLS1_3_VERSION_DRAFT - || candidate_vers == TLS1_3_VERSION_DRAFT_27 - || candidate_vers == TLS1_3_VERSION_DRAFT_26) { - if (best_vers == TLS1_3_VERSION - && orig_candidate > candidate_vers) - continue; - orig_candidate = candidate_vers; - candidate_vers = TLS1_3_VERSION; - } else if (candidate_vers == TLS1_3_VERSION) { - /* Don't actually accept real TLSv1.3 */ - continue; - } - /* - * TODO(TLS1.3): There is some discussion on the TLS list about - * whether to ignore versions version = best_vers; - /* TODO(TLS1.3): Remove this before release */ - if (best_vers == TLS1_3_VERSION) - s->version_draft = orig_candidate; s->method = best_method; return 0; } @@ -1847,8 +1847,7 @@ int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions) { const version_info *vent; const version_info *table; - int highver = 0; - int origv; + int ret, ver_min, ver_max, real_max, origv; origv = s->version; s->version = version; @@ -1895,64 +1894,62 @@ int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions) break; } - for (vent = table; vent->version != 0; ++vent) { - const SSL_METHOD *method; - int err; - - if (vent->cmeth == NULL) - continue; - - if (highver != 0 && s->version != vent->version) - continue; + ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max); + if (ret != 0) { + s->version = origv; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret); + return 0; + } + if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min) + : s->version < ver_min) { + s->version = origv; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); + return 0; + } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max) + : s->version > ver_max) { + s->version = origv; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); + return 0; + } - method = vent->cmeth(); - err = ssl_method_error(s, method); - if (err != 0) { - if (s->version == vent->version) { - s->version = origv; - SSLfatal(s, SSL_AD_PROTOCOL_VERSION, - SSL_F_SSL_CHOOSE_CLIENT_VERSION, err); - return 0; - } + if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0) + real_max = ver_max; - continue; + /* Check for downgrades */ + if (s->version == TLS1_2_VERSION && real_max > s->version) { + if (memcmp(tls12downgrade, + s->s3->server_random + SSL3_RANDOM_SIZE + - sizeof(tls12downgrade), + sizeof(tls12downgrade)) == 0) { + s->version = origv; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_SSL_CHOOSE_CLIENT_VERSION, + SSL_R_INAPPROPRIATE_FALLBACK); + return 0; } - if (highver == 0) - highver = vent->version; + } else if (!SSL_IS_DTLS(s) + && s->version < TLS1_2_VERSION + && real_max > s->version) { + if (memcmp(tls11downgrade, + s->s3->server_random + SSL3_RANDOM_SIZE + - sizeof(tls11downgrade), + sizeof(tls11downgrade)) == 0) { + s->version = origv; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_SSL_CHOOSE_CLIENT_VERSION, + SSL_R_INAPPROPRIATE_FALLBACK); + return 0; + } + } - if (s->version != vent->version) + for (vent = table; vent->version != 0; ++vent) { + if (vent->cmeth == NULL || s->version != vent->version) continue; -#ifndef OPENSSL_NO_TLS13DOWNGRADE - /* Check for downgrades */ - if (s->version == TLS1_2_VERSION && highver > s->version) { - if (memcmp(tls12downgrade, - s->s3->server_random + SSL3_RANDOM_SIZE - - sizeof(tls12downgrade), - sizeof(tls12downgrade)) == 0) { - s->version = origv; - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, - SSL_F_SSL_CHOOSE_CLIENT_VERSION, - SSL_R_INAPPROPRIATE_FALLBACK); - return 0; - } - } else if (!SSL_IS_DTLS(s) - && s->version < TLS1_2_VERSION - && highver > s->version) { - if (memcmp(tls11downgrade, - s->s3->server_random + SSL3_RANDOM_SIZE - - sizeof(tls11downgrade), - sizeof(tls11downgrade)) == 0) { - s->version = origv; - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, - SSL_F_SSL_CHOOSE_CLIENT_VERSION, - SSL_R_INAPPROPRIATE_FALLBACK); - return 0; - } - } -#endif - - s->method = method; + s->method = vent->cmeth(); return 1; } @@ -1967,6 +1964,9 @@ int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions) * @s: The SSL connection * @min_version: The minimum supported version * @max_version: The maximum supported version + * @real_max: The highest version below the lowest compile time version hole + * where that hole lies above at least one run-time enabled + * protocol. * * Work out what version we should be using for the initial ClientHello if the * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx @@ -1981,9 +1981,10 @@ int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions) * Returns 0 on success or an SSL error reason number on failure. On failure * min_version and max_version will also be set to 0. */ -int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version) +int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version, + int *real_max) { - int version; + int version, tmp_real_max; int hole; const SSL_METHOD *single = NULL; const SSL_METHOD *method; @@ -2000,6 +2001,12 @@ int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version) * ssl_method_error(s, s->method) */ *min_version = *max_version = s->version; + /* + * Providing a real_max only makes sense where we're using a version + * flexible method. + */ + if (!ossl_assert(real_max == NULL)) + return ERR_R_INTERNAL_ERROR; return 0; case TLS_ANY_VERSION: table = tls_version_table; @@ -2032,6 +2039,9 @@ int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version) */ *min_version = version = 0; hole = 1; + if (real_max != NULL) + *real_max = 0; + tmp_real_max = 0; for (vent = table; vent->version != 0; ++vent) { /* * A table entry with a NULL client method is still a hole in the @@ -2039,15 +2049,22 @@ int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version) */ if (vent->cmeth == NULL) { hole = 1; + tmp_real_max = 0; continue; } method = vent->cmeth(); + + if (hole == 1 && tmp_real_max == 0) + tmp_real_max = vent->version; + if (ssl_method_error(s, method) != 0) { hole = 1; } else if (!hole) { single = NULL; *min_version = method->version; } else { + if (real_max != NULL && tmp_real_max != 0) + *real_max = tmp_real_max; version = (single = method)->version; *min_version = version; hole = 0; @@ -2082,7 +2099,7 @@ int ssl_set_client_hello_version(SSL *s) if (!SSL_IS_FIRST_HANDSHAKE(s)) return 0; - ret = ssl_get_min_max_version(s, &ver_min, &ver_max); + ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL); if (ret != 0) return ret;