X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_srvr.c;h=773e7326427a021cee682875ea1f7487fc277bef;hp=eae0e3cadcfc3ebde6e29daaf9fe406829ed683a;hb=4b299b8e174cd58f762f0f184ceac7955e4227c4;hpb=83ae4661315d3d0ad52ddaa8fa5c8f1055c6c6f6 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index eae0e3cadc..773e732642 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -61,6 +61,7 @@ #include #include +static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt); static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, STACK_OF(SSL_CIPHER) @@ -68,19 +69,94 @@ static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, int *al); /* - * server_read_transition() encapsulates the logic for the allowed handshake - * state transitions when the server is reading messages from the client. The - * message type that the client has sent is provided in |mt|. The current state - * is in |s->statem.hand_state|. + * ossl_statem_server13_read_transition() encapsulates the logic for the allowed + * handshake state transitions when a TLSv1.3 server is reading messages from + * the client. The message type that the client has sent is provided in |mt|. + * The current state is in |s->statem.hand_state|. * - * Valid return values are: - * 1: Success (transition allowed) - * 0: Error (transition not allowed) + * Return values are 1 for success (transition allowed) and 0 on error + * (transition not allowed) + */ +static int ossl_statem_server13_read_transition(SSL *s, int mt) +{ + OSSL_STATEM *st = &s->statem; + + /* + * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time + * we will update this to look more like real TLSv1.3 + */ + + /* + * Note: There is no case for TLS_ST_BEFORE because at that stage we have + * not negotiated TLSv1.3 yet, so that case is handled by + * ossl_statem_server_read_transition() + */ + switch (st->hand_state) { + default: + break; + + case TLS_ST_SW_FINISHED: + if (s->s3->tmp.cert_request) { + if (mt == SSL3_MT_CERTIFICATE) { + st->hand_state = TLS_ST_SR_CERT; + return 1; + } + } else { + if (mt == SSL3_MT_FINISHED) { + st->hand_state = TLS_ST_SR_FINISHED; + return 1; + } + } + break; + + case TLS_ST_SR_CERT: + if (s->session->peer == NULL) { + if (mt == SSL3_MT_FINISHED) { + st->hand_state = TLS_ST_SR_FINISHED; + return 1; + } + } else { + if (mt == SSL3_MT_CERTIFICATE_VERIFY) { + st->hand_state = TLS_ST_SR_CERT_VRFY; + return 1; + } + } + break; + + case TLS_ST_SR_CERT_VRFY: + if (mt == SSL3_MT_FINISHED) { + st->hand_state = TLS_ST_SR_FINISHED; + return 1; + } + break; + } + + /* No valid transition found */ + ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); + SSLerr(SSL_F_OSSL_STATEM_SERVER13_READ_TRANSITION, + SSL_R_UNEXPECTED_MESSAGE); + return 0; +} + +/* + * ossl_statem_server_read_transition() encapsulates the logic for the allowed + * handshake state transitions when the server is reading messages from the + * client. The message type that the client has sent is provided in |mt|. The + * current state is in |s->statem.hand_state|. + * + * Return values are 1 for success (transition allowed) and 0 on error + * (transition not allowed) */ int ossl_statem_server_read_transition(SSL *s, int mt) { OSSL_STATEM *st = &s->statem; + if (SSL_IS_TLS13(s)) { + if (!ossl_statem_server13_read_transition(s, mt)) + goto err; + return 1; + } + switch (st->hand_state) { default: break; @@ -212,6 +288,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt) break; } + err: /* No valid transition found */ ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); @@ -304,13 +381,86 @@ static int send_certificate_request(SSL *s) } /* - * server_write_transition() works out what handshake state to move to next - * when the server is writing messages to be sent to the client. + * ossl_statem_server13_write_transition() works out what handshake state to + * move to next when a TLSv1.3 server is writing messages to be sent to the + * client. + */ +static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) +{ + OSSL_STATEM *st = &s->statem; + + /* + * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time + * we will update this to look more like real TLSv1.3 + */ + + /* + * No case for TLS_ST_BEFORE, because at that stage we have not negotiated + * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition() + */ + + switch (st->hand_state) { + default: + /* Shouldn't happen */ + return WRITE_TRAN_ERROR; + + case TLS_ST_SR_CLNT_HELLO: + st->hand_state = TLS_ST_SW_SRVR_HELLO; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_SRVR_HELLO: + st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_ENCRYPTED_EXTENSIONS: + if (s->hit) + st->hand_state = TLS_ST_SW_FINISHED; + else if (send_certificate_request(s)) + st->hand_state = TLS_ST_SW_CERT_REQ; + else + st->hand_state = TLS_ST_SW_CERT; + + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_CERT_REQ: + st->hand_state = TLS_ST_SW_CERT; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_CERT: + st->hand_state = s->tlsext_status_expected ? TLS_ST_SW_CERT_STATUS + : TLS_ST_SW_FINISHED; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_CERT_STATUS: + st->hand_state = TLS_ST_SW_FINISHED; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_FINISHED: + return WRITE_TRAN_FINISHED; + + case TLS_ST_SR_FINISHED: + st->hand_state = TLS_ST_OK; + ossl_statem_set_in_init(s, 0); + return WRITE_TRAN_CONTINUE; + } +} + +/* + * ossl_statem_server_write_transition() works out what handshake state to move + * to next when the server is writing messages to be sent to the client. */ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) { OSSL_STATEM *st = &s->statem; + /* + * Note that before the ClientHello we don't know what version we are going + * to negotiate yet, so we don't take this branch until later + */ + + if (SSL_IS_TLS13(s)) + return ossl_statem_server13_write_transition(s); + switch (st->hand_state) { default: /* Shouldn't happen */ @@ -564,6 +714,20 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) sizeof(sctpauthkey), sctpauthkey); } #endif + /* + * TODO(TLS1.3): This actually causes a problem. We don't yet know + * whether the next record we are going to receive is an unencrypted + * alert, or an encrypted handshake message. We're going to need + * something clever in the record layer for this. + */ + if (SSL_IS_TLS13(s)) { + if (!s->method->ssl3_enc->setup_key_block(s) + || !s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE) + || !s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) + return WORK_ERROR; + } break; case TLS_ST_SW_CHANGE: @@ -606,6 +770,14 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) 0, NULL); } #endif + if (SSL_IS_TLS13(s)) { + if (!s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key, s->handshake_secret, 0, + &s->session->master_key_length) + || !s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE)) + return WORK_ERROR; + } break; } @@ -613,13 +785,15 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) } /* - * Construct a message to be sent from the server to the client. + * Get the message construction function and message type for sending from the + * server * * Valid return values are: * 1: Success * 0: Error */ -int ossl_statem_server_construct_message(SSL *s) +int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, + confunc_f *confunc, int *mt) { OSSL_STATEM *st = &s->statem; @@ -628,46 +802,72 @@ int ossl_statem_server_construct_message(SSL *s) /* Shouldn't happen */ return 0; + case TLS_ST_SW_CHANGE: + if (SSL_IS_DTLS(s)) + *confunc = dtls_construct_change_cipher_spec; + else + *confunc = tls_construct_change_cipher_spec; + *mt = SSL3_MT_CHANGE_CIPHER_SPEC; + break; + case DTLS_ST_SW_HELLO_VERIFY_REQUEST: - return dtls_construct_hello_verify_request(s); + *confunc = dtls_construct_hello_verify_request; + *mt = DTLS1_MT_HELLO_VERIFY_REQUEST; + break; case TLS_ST_SW_HELLO_REQ: - return tls_construct_hello_request(s); + /* No construction function needed */ + *confunc = NULL; + *mt = SSL3_MT_HELLO_REQUEST; + break; case TLS_ST_SW_SRVR_HELLO: - return tls_construct_server_hello(s); + *confunc = tls_construct_server_hello; + *mt = SSL3_MT_SERVER_HELLO; + break; case TLS_ST_SW_CERT: - return tls_construct_server_certificate(s); + *confunc = tls_construct_server_certificate; + *mt = SSL3_MT_CERTIFICATE; + break; case TLS_ST_SW_KEY_EXCH: - return tls_construct_server_key_exchange(s); + *confunc = tls_construct_server_key_exchange; + *mt = SSL3_MT_SERVER_KEY_EXCHANGE; + break; case TLS_ST_SW_CERT_REQ: - return tls_construct_certificate_request(s); + *confunc = tls_construct_certificate_request; + *mt = SSL3_MT_CERTIFICATE_REQUEST; + break; case TLS_ST_SW_SRVR_DONE: - return tls_construct_server_done(s); + *confunc = tls_construct_server_done; + *mt = SSL3_MT_SERVER_DONE; + break; case TLS_ST_SW_SESSION_TICKET: - return tls_construct_new_session_ticket(s); + *confunc = tls_construct_new_session_ticket; + *mt = SSL3_MT_NEWSESSION_TICKET; + break; case TLS_ST_SW_CERT_STATUS: - return tls_construct_cert_status(s); - - case TLS_ST_SW_CHANGE: - if (SSL_IS_DTLS(s)) - return dtls_construct_change_cipher_spec(s); - else - return tls_construct_change_cipher_spec(s); + *confunc = tls_construct_cert_status; + *mt = SSL3_MT_CERTIFICATE_STATUS; + break; case TLS_ST_SW_FINISHED: - return tls_construct_finished(s, - s->method-> - ssl3_enc->server_finished_label, - s->method-> - ssl3_enc->server_finished_label_len); + *confunc = tls_construct_finished; + *mt = SSL3_MT_FINISHED; + break; + + case TLS_ST_SW_ENCRYPTED_EXTENSIONS: + *confunc = tls_construct_encrypted_extensions; + *mt = SSL3_MT_ENCRYPTED_EXTENSIONS; + break; } + + return 1; } /* @@ -694,7 +894,7 @@ int ossl_statem_server_construct_message(SSL *s) * Returns the maximum allowed length for the current message that we are * reading. Excludes the message header. */ -unsigned long ossl_statem_server_max_message_size(SSL *s) +size_t ossl_statem_server_max_message_size(SSL *s) { OSSL_STATEM *st = &s->statem; @@ -802,7 +1002,7 @@ WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) #endif return WORK_FINISHED_CONTINUE; } - + return WORK_FINISHED_CONTINUE; } #ifndef OPENSSL_NO_SRP @@ -829,24 +1029,8 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) } #endif -int tls_construct_hello_request(SSL *s) -{ - WPACKET pkt; - - if (!WPACKET_init(&pkt, s->init_buf) - || !ssl_set_handshake_header2(s, &pkt, SSL3_MT_HELLO_REQUEST) - || !ssl_close_construct_packet(s, &pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); - WPACKET_cleanup(&pkt); - return 0; - } - - return 1; -} - int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, - unsigned char cookie_len) + size_t cookie_len) { /* Always use DTLS 1.0 version: see RFC 6347 */ if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION) @@ -856,44 +1040,214 @@ int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, return 1; } -int dtls_construct_hello_verify_request(SSL *s) +int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) { - size_t msglen; - WPACKET pkt; - + unsigned int cookie_leni; if (s->ctx->app_gen_cookie_cb == NULL || s->ctx->app_gen_cookie_cb(s, s->d1->cookie, - &(s->d1->cookie_len)) == 0 || - s->d1->cookie_len > 255) { + &cookie_leni) == 0 || + cookie_leni > 255) { SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); - ossl_statem_set_error(s); return 0; } + s->d1->cookie_len = cookie_leni; - if (!WPACKET_init(&pkt, s->init_buf) - || !ssl_set_handshake_header2(s, &pkt, - DTLS1_MT_HELLO_VERIFY_REQUEST) - || !dtls_raw_hello_verify_request(&pkt, s->d1->cookie, - s->d1->cookie_len) - /* - * We don't call close_construct_packet() because we don't want - * to buffer this message - */ - || !WPACKET_close(&pkt) - || !WPACKET_get_length(&pkt, &msglen) - || !WPACKET_finish(&pkt)) { + if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie, + s->d1->cookie_len)) { SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR); - WPACKET_cleanup(&pkt); - ossl_statem_set_error(s); return 0; } - /* number of bytes to write */ - s->d1->w_msg_hdr.msg_len = msglen - DTLS1_HM_HEADER_LENGTH; - s->d1->w_msg_hdr.frag_len = msglen - DTLS1_HM_HEADER_LENGTH; - s->init_num = (int)msglen; - s->init_off = 0; + return 1; +} + +#ifndef OPENSSL_NO_EC +/*- + * ssl_check_for_safari attempts to fingerprint Safari using OS X + * SecureTransport using the TLS extension block in |hello|. + * Safari, since 10.6, sends exactly these extensions, in this order: + * SNI, + * elliptic_curves + * ec_point_formats + * + * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, + * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. + * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from + * 10.8..10.8.3 (which don't work). + */ +static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) +{ + unsigned int type; + PACKET sni, tmppkt; + size_t ext_len; + + static const unsigned char kSafariExtensionsBlock[] = { + 0x00, 0x0a, /* elliptic_curves extension */ + 0x00, 0x08, /* 8 bytes */ + 0x00, 0x06, /* 6 bytes of curve ids */ + 0x00, 0x17, /* P-256 */ + 0x00, 0x18, /* P-384 */ + 0x00, 0x19, /* P-521 */ + + 0x00, 0x0b, /* ec_point_formats */ + 0x00, 0x02, /* 2 bytes */ + 0x01, /* 1 point format */ + 0x00, /* uncompressed */ + /* The following is only present in TLS 1.2 */ + 0x00, 0x0d, /* signature_algorithms */ + 0x00, 0x0c, /* 12 bytes */ + 0x00, 0x0a, /* 10 bytes */ + 0x05, 0x01, /* SHA-384/RSA */ + 0x04, 0x01, /* SHA-256/RSA */ + 0x02, 0x01, /* SHA-1/RSA */ + 0x04, 0x03, /* SHA-256/ECDSA */ + 0x02, 0x03, /* SHA-1/ECDSA */ + }; + + /* Length of the common prefix (first two extensions). */ + static const size_t kSafariCommonExtensionsLength = 18; + + tmppkt = hello->extensions; + + if (!PACKET_forward(&tmppkt, 2) + || !PACKET_get_net_2(&tmppkt, &type) + || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) { + return; + } + + if (type != TLSEXT_TYPE_server_name) + return; + + ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ? + sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength; + + s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock, + ext_len); +} +#endif /* !OPENSSL_NO_EC */ + +/* + * Process all remaining ClientHello extensions that we collected earlier and + * haven't already processed. + * + * Behaviour upon resumption is extension-specific. If the extension has no + * effect during resumption, it is parsed (to verify its format) but otherwise + * ignored. Returns 1 on success and 0 on failure. Upon failure, sets |al| to + * the appropriate alert. + */ +static int tls_scan_clienthello_tlsext(SSL *s, CLIENTHELLO_MSG *hello, int *al) +{ + /* Reset various flags that might get set by extensions during parsing */ + s->servername_done = 0; + s->tlsext_status_type = -1; +#ifndef OPENSSL_NO_NEXTPROTONEG + s->s3->next_proto_neg_seen = 0; +#endif + + OPENSSL_free(s->s3->alpn_selected); + s->s3->alpn_selected = NULL; + s->s3->alpn_selected_len = 0; + OPENSSL_free(s->s3->alpn_proposed); + s->s3->alpn_proposed = NULL; + s->s3->alpn_proposed_len = 0; + +#ifndef OPENSSL_NO_EC + if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) + ssl_check_for_safari(s, hello); +#endif /* !OPENSSL_NO_EC */ + + /* Clear any signature algorithms extension received */ + OPENSSL_free(s->s3->tmp.peer_sigalgs); + s->s3->tmp.peer_sigalgs = NULL; + s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; + +#ifndef OPENSSL_NO_SRP + OPENSSL_free(s->srp_ctx.login); + s->srp_ctx.login = NULL; +#endif + + s->srtp_profile = NULL; + + /* + * We process the supported_groups extension first so that is done before + * we get to key_share which needs to use the information in it. + */ + if (!tls_parse_extension(s, TLSEXT_TYPE_supported_groups, EXT_CLIENT_HELLO, + hello->pre_proc_exts, hello->num_extensions, al)) { + return 0; + } + + /* Need RI if renegotiating */ + if (s->renegotiate + && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) + && tls_get_extension_by_type(hello->pre_proc_exts, + hello->num_extensions, + TLSEXT_TYPE_renegotiate) == NULL) { + *al = SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_TLS_SCAN_CLIENTHELLO_TLSEXT, + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + return 0; + } + + return tls_parse_all_extensions(s, EXT_CLIENT_HELLO, hello->pre_proc_exts, + hello->num_extensions, al); +} + +/* + * Check the results of extension parsing. Currently just calls the servername + * callback. Returns 1 for success or 0 for failure. + */ +static int tls_check_clienthello_tlsext(SSL *s) +{ + int ret = SSL_TLSEXT_ERR_NOACK; + int al = SSL_AD_UNRECOGNIZED_NAME; + + if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) + ret = s->ctx->tlsext_servername_callback(s, &al, + s->ctx->tlsext_servername_arg); + else if (s->initial_ctx != NULL + && s->initial_ctx->tlsext_servername_callback != 0) + ret = s->initial_ctx->tlsext_servername_callback(s, &al, + s->initial_ctx->tlsext_servername_arg); + + switch (ret) { + case SSL_TLSEXT_ERR_ALERT_FATAL: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return 0; + + case SSL_TLSEXT_ERR_ALERT_WARNING: + ssl3_send_alert(s, SSL3_AL_WARNING, al); + return 1; + + case SSL_TLSEXT_ERR_NOACK: + s->servername_done = 0; + return 1; + + default: + return 1; + } +} + +/* + * Parse the extensions in the ClientHello that were collected earlier. Returns + * 1 for success or 0 for failure. + */ +static int tls_parse_clienthello_tlsext(SSL *s, CLIENTHELLO_MSG *hello) +{ + int al = -1; + + custom_ext_init(&s->cert->srv_ext); + + if (tls_scan_clienthello_tlsext(s, hello, &al) <= 0) { + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return 0; + } + + if (!tls_check_clienthello_tlsext(s)) { + SSLerr(SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT); + return 0; + } return 1; } @@ -901,7 +1255,8 @@ int dtls_construct_hello_verify_request(SSL *s) MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) { int i, al = SSL_AD_INTERNAL_ERROR; - unsigned int j, complen = 0; + unsigned int j; + size_t loop; unsigned long id; const SSL_CIPHER *c; #ifndef OPENSSL_NO_COMP @@ -910,17 +1265,20 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) STACK_OF(SSL_CIPHER) *ciphers = NULL; int protverr; /* |cookie| will only be initialized for DTLS. */ - PACKET session_id, cipher_suites, compression, extensions, cookie; - int is_v2_record; + PACKET session_id, compression, extensions, cookie; static const unsigned char null_compression = 0; + CLIENTHELLO_MSG clienthello; - is_v2_record = RECORD_LAYER_is_sslv2_record(&s->rlayer); - + /* + * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure. + */ + memset(&clienthello, 0, sizeof(clienthello)); + clienthello.isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer); PACKET_null_init(&cookie); - /* First lets get s->client_version set correctly */ - if (is_v2_record) { - unsigned int version; + + if (clienthello.isv2) { unsigned int mt; + /*- * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 * header is sent directly on the wire, not wrapped as a TLS @@ -946,73 +1304,25 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); goto err; } - - if (!PACKET_get_net_2(pkt, &version)) { - /* No protocol version supplied! */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); - goto err; - } - if (version == 0x0002) { - /* This is real SSLv2. We don't support it. */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); - goto err; - } else if ((version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) { - /* SSLv3/TLS */ - s->client_version = version; - } else { - /* No idea what protocol this is */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); - goto err; - } - } else { - /* - * use version from inside client hello, not from record header (may - * differ: see RFC 2246, Appendix E, second paragraph) - */ - if (!PACKET_get_net_2(pkt, (unsigned int *)&s->client_version)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - } - - /* - * Do SSL/TLS version negotiation if applicable. For DTLS we just check - * versions are potentially compatible. Version negotiation comes later. - */ - if (!SSL_IS_DTLS(s)) { - protverr = ssl_choose_server_version(s); - } else if (s->method->version != DTLS_ANY_VERSION && - DTLS_VERSION_LT(s->client_version, s->version)) { - protverr = SSL_R_VERSION_TOO_LOW; - } else { - protverr = 0; } - if (protverr) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr); - if ((!s->enc_write_ctx && !s->write_hash)) { - /* - * similar to ssl3_get_record, send alert using remote version - * number - */ - s->version = s->client_version; - } - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + if (!PACKET_get_net_2(pkt, &clienthello.legacy_version)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto err; } /* Parse the message and load client random. */ - if (is_v2_record) { + if (clienthello.isv2) { /* * Handle an SSLv2 backwards compatible ClientHello * Note, this is only for SSLv3+ using the backward compatible format. - * Real SSLv2 is not supported, and is rejected above. + * Real SSLv2 is not supported, and is rejected below. */ - unsigned int cipher_len, session_id_len, challenge_len; + unsigned int ciphersuite_len, session_id_len, challenge_len; PACKET challenge; - if (!PACKET_get_net_2(pkt, &cipher_len) + if (!PACKET_get_net_2(pkt, &ciphersuite_len) || !PACKET_get_net_2(pkt, &session_id_len) || !PACKET_get_net_2(pkt, &challenge_len)) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, @@ -1027,8 +1337,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) goto f_err; } - if (!PACKET_get_sub_packet(pkt, &cipher_suites, cipher_len) - || !PACKET_get_sub_packet(pkt, &session_id, session_id_len) + if (!PACKET_get_sub_packet(pkt, &clienthello.ciphersuites, + ciphersuite_len) + || !PACKET_copy_bytes(pkt, clienthello.session_id, session_id_len) || !PACKET_get_sub_packet(pkt, &challenge, challenge_len) /* No extensions. */ || PACKET_remaining(pkt) != 0) { @@ -1037,13 +1348,18 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) al = SSL_AD_DECODE_ERROR; goto f_err; } + clienthello.session_id_len = session_id_len; - /* Load the client random and compression list. */ - challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE : - challenge_len; - memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE); + /* Load the client random and compression list. We use SSL3_RANDOM_SIZE + * here rather than sizeof(clienthello.random) because that is the limit + * for SSLv3 and it is fixed. It won't change even if + * sizeof(clienthello.random) does. + */ + challenge_len = challenge_len > SSL3_RANDOM_SIZE + ? SSL3_RANDOM_SIZE : challenge_len; + memset(clienthello.random, 0, SSL3_RANDOM_SIZE); if (!PACKET_copy_bytes(&challenge, - s->s3->client_random + SSL3_RANDOM_SIZE - + clienthello.random + SSL3_RANDOM_SIZE - challenge_len, challenge_len) /* Advertise only null compression. */ || !PACKET_buf_init(&compression, &null_compression, 1)) { @@ -1052,17 +1368,14 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) goto f_err; } - PACKET_null_init(&extensions); + PACKET_null_init(&clienthello.extensions); } else { /* Regular ClientHello. */ - if (!PACKET_copy_bytes(pkt, s->s3->client_random, SSL3_RANDOM_SIZE) - || !PACKET_get_length_prefixed_1(pkt, &session_id)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; - } - - if (PACKET_remaining(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) { + if (!PACKET_copy_bytes(pkt, clienthello.random, SSL3_RANDOM_SIZE) + || !PACKET_get_length_prefixed_1(pkt, &session_id) + || !PACKET_copy_all(&session_id, clienthello.session_id, + SSL_MAX_SSL_SESSION_ID_LENGTH, + &clienthello.session_id_len)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; @@ -1074,34 +1387,115 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; } + if (!PACKET_copy_all(&cookie, clienthello.dtls_cookie, + DTLS1_COOKIE_LENGTH, + &clienthello.dtls_cookie_len)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } /* * If we require cookies and this ClientHello doesn't contain one, * just return since we do not want to allocate any memory yet. * So check cookie length... */ if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { - if (PACKET_remaining(&cookie) == 0) + if (clienthello.dtls_cookie_len == 0) return 1; } } - if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites) - || !PACKET_get_length_prefixed_1(pkt, &compression)) { + if (!PACKET_get_length_prefixed_2(pkt, &clienthello.ciphersuites)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + + if (!PACKET_get_length_prefixed_1(pkt, &compression)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; } + /* Could be empty. */ - extensions = *pkt; + if (PACKET_remaining(pkt) == 0) { + PACKET_null_init(&clienthello.extensions); + } else { + if (!PACKET_get_length_prefixed_2(pkt, &clienthello.extensions)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + } + } + + if (!PACKET_copy_all(&compression, clienthello.compressions, + MAX_COMPRESSIONS_SIZE, + &clienthello.compressions_len)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + + /* Preserve the raw extensions PACKET for later use */ + extensions = clienthello.extensions; + if (!tls_collect_extensions(s, &extensions, EXT_CLIENT_HELLO, + &clienthello.pre_proc_exts, + &clienthello.num_extensions, &al)) { + /* SSLerr already been called */ + goto f_err; + } + + /* Finished parsing the ClientHello, now we can start processing it */ + + /* Set up the client_random */ + memcpy(s->s3->client_random, clienthello.random, SSL3_RANDOM_SIZE); + + /* Choose the version */ + + if (clienthello.isv2) { + if (clienthello.legacy_version == SSL2_VERSION + || (clienthello.legacy_version & 0xff00) + != (SSL3_VERSION_MAJOR << 8)) { + /* + * This is real SSLv2 or something complete unknown. We don't + * support it. + */ + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); + goto err; + } + /* SSLv3/TLS */ + s->client_version = clienthello.legacy_version; + } + /* + * Do SSL/TLS version negotiation if applicable. For DTLS we just check + * versions are potentially compatible. Version negotiation comes later. + */ + if (!SSL_IS_DTLS(s)) { + protverr = ssl_choose_server_version(s, &clienthello); + } else if (s->method->version != DTLS_ANY_VERSION && + DTLS_VERSION_LT((int)clienthello.legacy_version, s->version)) { + protverr = SSL_R_VERSION_TOO_LOW; + } else { + protverr = 0; + } + + if (protverr) { + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr); + if ((!s->enc_write_ctx && !s->write_hash)) { + /* like ssl3_get_record, send alert using remote version number */ + s->version = s->client_version = clienthello.legacy_version; + } + al = SSL_AD_PROTOCOL_VERSION; + goto f_err; } if (SSL_IS_DTLS(s)) { /* Empty cookie was already handled above by returning early. */ if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { if (s->ctx->app_verify_cookie_cb != NULL) { - if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie), - PACKET_remaining(&cookie)) == - 0) { + if (s->ctx->app_verify_cookie_cb(s, clienthello.dtls_cookie, + clienthello.dtls_cookie_len) == 0) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); @@ -1109,7 +1503,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) /* else cookie verification succeeded */ } /* default verification */ - } else if (!PACKET_equal(&cookie, s->d1->cookie, s->d1->cookie_len)) { + } else if (s->d1->cookie_len != clienthello.dtls_cookie_len + || memcmp(clienthello.dtls_cookie, s->d1->cookie, + s->d1->cookie_len) != 0) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); goto f_err; @@ -1117,7 +1513,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) s->d1->cookie_verified = 1; } if (s->method->version == DTLS_ANY_VERSION) { - protverr = ssl_choose_server_version(s); + protverr = ssl_choose_server_version(s, &clienthello); if (protverr != 0) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr); s->version = s->client_version; @@ -1129,6 +1525,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) s->hit = 0; + /* We need to do this before getting the session */ + if (!tls_parse_extension(s, TLSEXT_TYPE_extended_master_secret, + EXT_CLIENT_HELLO, + clienthello.pre_proc_exts, + clienthello.num_extensions, &al)) { + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); + goto f_err; + } + /* * We don't allow resumption in a backwards compatible ClientHello. * TODO(openssl-team): in TLS1.1+, session_id MUST be empty. @@ -1145,13 +1550,13 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be * ignored. */ - if (is_v2_record || + if (clienthello.isv2 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { if (!ssl_get_new_session(s, 1)) goto err; } else { - i = ssl_get_prev_session(s, &extensions, &session_id); + i = ssl_get_prev_session(s, &clienthello); /* * Only resume if the session's version matches the negotiated * version. @@ -1173,8 +1578,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } } - if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers), - is_v2_record, &al) == NULL) { + if (ssl_bytes_to_cipher_list(s, &clienthello.ciphersuites, &ciphers, + clienthello.isv2, &al) == NULL) { goto f_err; } @@ -1209,13 +1614,12 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } } - complen = PACKET_remaining(&compression); - for (j = 0; j < complen; j++) { - if (PACKET_data(&compression)[j] == 0) + for (loop = 0; loop < clienthello.compressions_len; loop++) { + if (clienthello.compressions[loop] == 0) break; } - if (j >= complen) { + if (loop >= clienthello.compressions_len) { /* no compress */ al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); @@ -1223,11 +1627,18 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } /* TLS extensions */ - if (s->version >= SSL3_VERSION) { - if (!ssl_parse_clienthello_tlsext(s, &extensions)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); - goto err; - } + if (!tls_parse_clienthello_tlsext(s, &clienthello)) { + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); + goto err; + } + + /* Check we've got a key_share for TLSv1.3 */ + if (SSL_IS_TLS13(s) && s->s3->peer_tmp == NULL && !s->hit) { + /* No suitable share */ + /* TODO(TLS1.3): Send a HelloRetryRequest */ + al = SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SUITABLE_KEY_SHARE); + goto f_err; } /* @@ -1246,12 +1657,19 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) { const SSL_CIPHER *pref_cipher = NULL; + /* + * s->session->master_key_length is a size_t, but this is an int for + * backwards compat reasons + */ + int master_key_length; - s->session->master_key_length = sizeof(s->session->master_key); + master_key_length = sizeof(s->session->master_key); if (s->tls_session_secret_cb(s, s->session->master_key, - &s->session->master_key_length, ciphers, + &master_key_length, ciphers, &pref_cipher, - s->tls_session_secret_cb_arg)) { + s->tls_session_secret_cb_arg) + && master_key_length > 0) { + s->session->master_key_length = master_key_length; s->hit = 1; s->session->ciphers = ciphers; s->session->verify_result = X509_V_OK; @@ -1311,11 +1729,11 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) goto f_err; } /* Look for resumed method in compression list */ - for (k = 0; k < complen; k++) { - if (PACKET_data(&compression)[k] == comp_id) + for (k = 0; k < clienthello.compressions_len; k++) { + if (clienthello.compressions[k] == comp_id) break; } - if (k >= complen) { + if (k >= clienthello.compressions_len) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); @@ -1332,8 +1750,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) for (m = 0; m < nn; m++) { comp = sk_SSL_COMP_value(s->ctx->comp_methods, m); v = comp->id; - for (o = 0; o < complen; o++) { - if (v == PACKET_data(&compression)[o]) { + for (o = 0; o < clienthello.compressions_len; o++) { + if (v == clienthello.compressions[o]) { done = 1; break; } @@ -1382,6 +1800,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } sk_SSL_CIPHER_free(ciphers); + OPENSSL_free(clienthello.pre_proc_exts); return MSG_PROCESS_CONTINUE_PROCESSING; f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); @@ -1389,8 +1808,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ossl_statem_set_error(s); sk_SSL_CIPHER_free(ciphers); - return MSG_PROCESS_ERROR; + OPENSSL_free(clienthello.pre_proc_exts); + return MSG_PROCESS_ERROR; } WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) @@ -1484,6 +1904,9 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); + else + SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, + SSL_R_PSK_IDENTITY_NOT_FOUND); goto f_err; } } @@ -1497,20 +1920,20 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) return WORK_ERROR; } -int tls_construct_server_hello(SSL *s) +int tls_construct_server_hello(SSL *s, WPACKET *pkt) { - int sl, compm, al = SSL_AD_INTERNAL_ERROR; - size_t len; - WPACKET pkt; + int compm, al = SSL_AD_INTERNAL_ERROR; + size_t sl, len; + int version; - if (!WPACKET_init(&pkt, s->init_buf) - || !ssl_set_handshake_header2(s, &pkt, SSL3_MT_SERVER_HELLO) - || !WPACKET_put_bytes_u16(&pkt, s->version) + /* TODO(TLS1.3): Remove the DRAFT conditional before release */ + version = SSL_IS_TLS13(s) ? TLS1_3_VERSION_DRAFT : s->version; + if (!WPACKET_put_bytes_u16(pkt, version) /* * Random stuff. Filling of the server_random takes place in * tls_process_client_hello() */ - || !WPACKET_memcpy(&pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { + || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); goto err; } @@ -1537,7 +1960,7 @@ int tls_construct_server_hello(SSL *s) s->session->session_id_length = 0; sl = s->session->session_id_length; - if (sl > (int)sizeof(s->session->session_id)) { + if (sl > sizeof(s->session->session_id)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); goto err; } @@ -1552,49 +1975,42 @@ int tls_construct_server_hello(SSL *s) compm = s->s3->tmp.new_compression->id; #endif - if (!WPACKET_sub_memcpy_u8(&pkt, s->session->session_id, sl) - || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &pkt, &len) - || !WPACKET_put_bytes_u8(&pkt, compm) + if ((!SSL_IS_TLS13(s) + && !WPACKET_sub_memcpy_u8(pkt, s->session->session_id, sl)) + || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len) + || (!SSL_IS_TLS13(s) + && !WPACKET_put_bytes_u8(pkt, compm)) || !ssl_prepare_serverhello_tlsext(s) - || !ssl_add_serverhello_tlsext(s, &pkt, &al) - || !ssl_close_construct_packet(s, &pkt)) { + || !ssl_add_serverhello_tlsext(s, pkt, &al)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); goto err; } return 1; err: - WPACKET_cleanup(&pkt); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - ossl_statem_set_error(s); return 0; } -int tls_construct_server_done(SSL *s) +int tls_construct_server_done(SSL *s, WPACKET *pkt) { - if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); - return 0; - } - if (!s->s3->tmp.cert_request) { if (!ssl3_digest_cached_records(s, 0)) { - ossl_statem_set_error(s); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + return 0; } } - return 1; } -int tls_construct_server_key_exchange(SSL *s) +int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) { #ifndef OPENSSL_NO_DH EVP_PKEY *pkdh = NULL; #endif #ifndef OPENSSL_NO_EC unsigned char *encodedPoint = NULL; - int encodedlen = 0; + size_t encodedlen = 0; int curve_id = 0; #endif EVP_PKEY *pkey; @@ -1603,13 +2019,9 @@ int tls_construct_server_key_exchange(SSL *s) unsigned long type; const BIGNUM *r[4]; EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); - WPACKET pkt; size_t paramlen, paramoffset; - if (!WPACKET_init(&pkt, s->init_buf) - || !ssl_set_handshake_header2(s, &pkt, - SSL3_MT_SERVER_KEY_EXCHANGE) - || !WPACKET_get_total_written(&pkt, ¶moffset)) { + if (!WPACKET_get_total_written(pkt, ¶moffset)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; } @@ -1704,7 +2116,7 @@ int tls_construct_server_key_exchange(SSL *s) } /* Get NID of appropriate shared curve */ - nid = tls1_shared_curve(s, -2); + nid = tls1_shared_group(s, -2); curve_id = tls1_ec_nid2curve_id(nid); if (curve_id == 0) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, @@ -1779,7 +2191,7 @@ int tls_construct_server_key_exchange(SSL *s) * checked this when we set the identity hint - but just in case */ if (len > PSK_MAX_IDENTITY_LEN - || !WPACKET_sub_memcpy_u16(&pkt, s->cert->psk_identity_hint, + || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint, len)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); @@ -1794,10 +2206,10 @@ int tls_construct_server_key_exchange(SSL *s) #ifndef OPENSSL_NO_SRP if ((i == 2) && (type & SSL_kSRP)) { - res = WPACKET_start_sub_packet_u8(&pkt); + res = WPACKET_start_sub_packet_u8(pkt); } else #endif - res = WPACKET_start_sub_packet_u16(&pkt); + res = WPACKET_start_sub_packet_u16(pkt); if (!res) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, @@ -1815,7 +2227,7 @@ int tls_construct_server_key_exchange(SSL *s) size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]); if (len > 0) { - if (!WPACKET_allocate_bytes(&pkt, len, &binval)) { + if (!WPACKET_allocate_bytes(pkt, len, &binval)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; @@ -1824,8 +2236,8 @@ int tls_construct_server_key_exchange(SSL *s) } } #endif - if (!WPACKET_allocate_bytes(&pkt, BN_num_bytes(r[i]), &binval) - || !WPACKET_close(&pkt)) { + if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval) + || !WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; @@ -1842,10 +2254,10 @@ int tls_construct_server_key_exchange(SSL *s) * [1 byte length of encoded point], followed by the actual encoded * point itself */ - if (!WPACKET_put_bytes_u8(&pkt, NAMED_CURVE_TYPE) - || !WPACKET_put_bytes_u8(&pkt, 0) - || !WPACKET_put_bytes_u8(&pkt, curve_id) - || !WPACKET_sub_memcpy_u8(&pkt, encodedPoint, encodedlen)) { + if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE) + || !WPACKET_put_bytes_u8(pkt, 0) + || !WPACKET_put_bytes_u8(pkt, curve_id) + || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; @@ -1866,14 +2278,14 @@ int tls_construct_server_key_exchange(SSL *s) unsigned int siglen; /* Get length of the parameters we have written above */ - if (!WPACKET_get_length(&pkt, ¶mlen)) { + if (!WPACKET_get_length(pkt, ¶mlen)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; } /* send signature algorithm */ if (SSL_USE_SIGALGS(s)) { - if (!tls12_get_sigandhash(&pkt, pkey, md)) { + if (!tls12_get_sigandhash(pkt, pkey, md)) { /* Should never happen */ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); @@ -1889,7 +2301,7 @@ int tls_construct_server_key_exchange(SSL *s) * up front, and then properly allocate them in the WPACKET * afterwards. */ - if (!WPACKET_sub_reserve_bytes_u16(&pkt, EVP_PKEY_size(pkey), + if (!WPACKET_sub_reserve_bytes_u16(pkt, EVP_PKEY_size(pkey), &sigbytes1) || EVP_SignInit_ex(md_ctx, md, NULL) <= 0 || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]), @@ -1899,7 +2311,7 @@ int tls_construct_server_key_exchange(SSL *s) || EVP_SignUpdate(md_ctx, s->init_buf->data + paramoffset, paramlen) <= 0 || EVP_SignFinal(md_ctx, sigbytes1, &siglen, pkey) <= 0 - || !WPACKET_sub_allocate_bytes_u16(&pkt, siglen, &sigbytes2) + || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2) || sigbytes1 != sigbytes2) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); @@ -1914,11 +2326,6 @@ int tls_construct_server_key_exchange(SSL *s) } } - if (!ssl_close_construct_packet(s, &pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); - goto f_err; - } - EVP_MD_CTX_free(md_ctx); return 1; f_err: @@ -1931,39 +2338,28 @@ int tls_construct_server_key_exchange(SSL *s) OPENSSL_free(encodedPoint); #endif EVP_MD_CTX_free(md_ctx); - ossl_statem_set_error(s); - WPACKET_cleanup(&pkt); return 0; } -int tls_construct_certificate_request(SSL *s) +int tls_construct_certificate_request(SSL *s, WPACKET *pkt) { - int i, nl; + int i; STACK_OF(X509_NAME) *sk = NULL; - WPACKET pkt; - - if (!WPACKET_init(&pkt, s->init_buf) - || !ssl_set_handshake_header2(s, &pkt, - SSL3_MT_CERTIFICATE_REQUEST)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); - goto err; - } - /* get the list of acceptable cert types */ - if (!WPACKET_start_sub_packet_u8(&pkt) - || !ssl3_get_req_cert_type(s, &pkt) - || !WPACKET_close(&pkt)) { + if (!WPACKET_start_sub_packet_u8(pkt) + || !ssl3_get_req_cert_type(s, pkt) + || !WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); goto err; } if (SSL_USE_SIGALGS(s)) { const unsigned char *psigs; - nl = tls12_get_psigalgs(s, &psigs); - if (!WPACKET_start_sub_packet_u16(&pkt) - || !tls12_copy_sigalgs(s, &pkt, psigs, nl) - || !WPACKET_close(&pkt)) { + size_t nl = tls12_get_psigalgs(s, &psigs); + if (!WPACKET_start_sub_packet_u16(pkt) + || !tls12_copy_sigalgs(s, pkt, psigs, nl) + || !WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); goto err; @@ -1971,7 +2367,7 @@ int tls_construct_certificate_request(SSL *s) } /* Start sub-packet for client CA list */ - if (!WPACKET_start_sub_packet_u16(&pkt)) { + if (!WPACKET_start_sub_packet_u16(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); goto err; } @@ -1985,7 +2381,7 @@ int tls_construct_certificate_request(SSL *s) if (name == NULL || (namelen = i2d_X509_NAME(name, NULL)) < 0 - || !WPACKET_sub_allocate_bytes_u16(&pkt, namelen, + || !WPACKET_sub_allocate_bytes_u16(pkt, namelen, &namebytes) || i2d_X509_NAME(name, &namebytes) != namelen) { SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, @@ -1996,8 +2392,7 @@ int tls_construct_certificate_request(SSL *s) } /* else no CA names */ - if (!WPACKET_close(&pkt) - || !ssl_close_construct_packet(s, &pkt)) { + if (!WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); goto err; } @@ -2006,9 +2401,7 @@ int tls_construct_certificate_request(SSL *s) return 1; err: - WPACKET_cleanup(&pkt); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - ossl_statem_set_error(s); return 0; } @@ -2144,9 +2537,10 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) * Decrypt with no padding. PKCS#1 padding will be removed as part of * the timing-sensitive code below. */ - decrypt_len = RSA_private_decrypt(PACKET_remaining(&enc_premaster), - PACKET_data(&enc_premaster), - rsa_decrypt, rsa, RSA_NO_PADDING); + /* TODO(size_t): Convert this function */ + decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster), + PACKET_data(&enc_premaster), + rsa_decrypt, rsa, RSA_NO_PADDING); if (decrypt_len < 0) goto err; @@ -2293,7 +2687,7 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) goto err; } - if (ssl_derive(s, skey, ckey) == 0) { + if (ssl_derive(s, skey, ckey, 1) == 0) { *al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); goto err; @@ -2353,7 +2747,7 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) } } - if (ssl_derive(s, skey, ckey) == 0) { + if (ssl_derive(s, skey, ckey, 1) == 0) { *al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR); goto err; @@ -2427,7 +2821,7 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) unsigned long alg_a; int Ttag, Tclass; long Tlen; - long sess_key_len; + size_t sess_key_len; const unsigned char *data; int ret = 0; @@ -2477,8 +2871,9 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); goto err; } + /* TODO(size_t): Convert this function */ if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag, - &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED + &Tclass, (long)sess_key_len) != V_ASN1_CONSTRUCTED || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) { *al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED); @@ -2752,6 +3147,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) al = SSL_AD_INTERNAL_ERROR; goto f_err; } + #ifdef SSL_DEBUG fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md)); #endif @@ -2780,7 +3176,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) if (s->version == SSL3_VERSION && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - s->session->master_key_length, + (int)s->session->master_key_length, s->session->master_key)) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; @@ -2907,6 +3303,17 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) sk_X509_pop_free(s->session->peer_chain, X509_free); s->session->peer_chain = sk; + + /* + * Freeze the handshake buffer. For initial_ctx; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char key_name[TLSEXT_KEYNAME_LENGTH]; int iv_len; + size_t macoffset, macendoffset; /* get session encoding length */ slen_full = i2d_SSL_SESSION(s->session, NULL); @@ -3007,21 +3413,6 @@ int tls_construct_new_session_ticket(SSL *s) } SSL_SESSION_free(sess); - /*- - * Grow buffer if need be: the length calculation is as - * follows handshake_header_length + - * 4 (ticket lifetime hint) + 2 (ticket length) + - * sizeof(keyname) + max_iv_len (iv length) + - * max_enc_block_size (max encrypted session * length) + - * max_md_size (HMAC) + session_length. - */ - if (!BUF_MEM_grow(s->init_buf, - SSL_HM_HEADER_LENGTH(s) + 6 + sizeof(key_name) + - EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + - EVP_MAX_MD_SIZE + slen)) - goto err; - - p = ssl_handshake_start(s); /* * Initialize HMAC and cipher contexts. If callback present it does * all the work otherwise use generated values from parent ctx. @@ -3032,11 +3423,14 @@ int tls_construct_new_session_ticket(SSL *s) hctx, 1); if (ret == 0) { - l2n(0, p); /* timeout */ - s2n(0, p); /* length */ - if (!ssl_set_handshake_header - (s, SSL3_MT_NEWSESSION_TICKET, p - ssl_handshake_start(s))) + + /* Put timeout and length */ + if (!WPACKET_put_bytes_u32(pkt, 0) + || !WPACKET_put_bytes_u16(pkt, 0)) { + SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_INTERNAL_ERROR); goto err; + } OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); @@ -3067,44 +3461,39 @@ int tls_construct_new_session_ticket(SSL *s) * for resumed session (for simplicity), and guess that tickets for * new sessions will live as long as their sessions. */ - l2n(s->hit ? 0 : s->session->timeout, p); - - /* Skip ticket length for now */ - p += 2; - /* Output key name */ - macstart = p; - memcpy(p, key_name, sizeof(key_name)); - p += sizeof(key_name); - /* output IV */ - memcpy(p, iv, iv_len); - p += iv_len; - /* Encrypt session data */ - if (!EVP_EncryptUpdate(ctx, p, &len, senc, slen)) - goto err; - p += len; - if (!EVP_EncryptFinal(ctx, p, &len)) - goto err; - p += len; - - if (!HMAC_Update(hctx, macstart, p - macstart)) - goto err; - if (!HMAC_Final(hctx, p, &hlen)) + if (!WPACKET_put_bytes_u32(pkt, s->hit ? 0 : s->session->timeout) + /* Now the actual ticket data */ + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_get_total_written(pkt, &macoffset) + /* Output key name */ + || !WPACKET_memcpy(pkt, key_name, sizeof(key_name)) + /* output IV */ + || !WPACKET_memcpy(pkt, iv, iv_len) + || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH, + &encdata1) + /* Encrypt session data */ + || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen) + || !WPACKET_allocate_bytes(pkt, len, &encdata2) + || encdata1 != encdata2 + || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal) + || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2) + || encdata1 + len != encdata2 + || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH + || !WPACKET_get_total_written(pkt, &macendoffset) + || !HMAC_Update(hctx, + (unsigned char *)s->init_buf->data + macoffset, + macendoffset - macoffset) + || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1) + || !HMAC_Final(hctx, macdata1, &hlen) + || hlen > EVP_MAX_MD_SIZE + || !WPACKET_allocate_bytes(pkt, hlen, &macdata2) + || macdata1 != macdata2 + || !WPACKET_close(pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); goto err; - + } EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); - ctx = NULL; - hctx = NULL; - - p += hlen; - /* Now write out lengths: p points to end of data written */ - /* Total length */ - len = p - ssl_handshake_start(s); - /* Skip ticket lifetime hint */ - p = ssl_handshake_start(s) + 4; - s2n(len - 6, p); - if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) - goto err; OPENSSL_free(senc); return 1; @@ -3112,42 +3501,21 @@ int tls_construct_new_session_ticket(SSL *s) OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); - ossl_statem_set_error(s); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return 0; } -int tls_construct_cert_status(SSL *s) +int tls_construct_cert_status(SSL *s, WPACKET *pkt) { - unsigned char *p; - size_t msglen; - - /*- - * Grow buffer if need be: the length calculation is as - * follows handshake_header_length + - * 1 (ocsp response type) + 3 (ocsp response length) - * + (ocsp response) - */ - msglen = 4 + s->tlsext_ocsp_resplen; - if (!BUF_MEM_grow(s->init_buf, SSL_HM_HEADER_LENGTH(s) + msglen)) - goto err; - - p = ssl_handshake_start(s); - - /* status type */ - *(p++) = s->tlsext_status_type; - /* length of OCSP response */ - l2n3(s->tlsext_ocsp_resplen, p); - /* actual response */ - memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); - - if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_STATUS, msglen)) - goto err; + if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type) + || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp, + s->tlsext_ocsp_resplen)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + return 0; + } return 1; - - err: - ossl_statem_set_error(s); - return 0; } #ifndef OPENSSL_NO_NEXTPROTONEG @@ -3188,6 +3556,18 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) } #endif +static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt) +{ + /* TODO(TLS1.3): Zero length encrypted extensions message for now */ + if (!WPACKET_put_bytes_u16(pkt, 0)) { + SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + return 0; + } + + return 1; +} + #define SSLV2_CIPHER_LEN 3 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,