X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_srvr.c;h=880996b126b3169e56860c09740d64063048259c;hp=bfdd4383f18be1001abef564d338a2bc71cdfc1d;hb=90134d9806f0191bc0eb0cde2750f0cd68667a6d;hpb=805a2e9e1388f21bd381a8c55e66bae2e6325667 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index bfdd4383f1..880996b126 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -62,11 +62,7 @@ #include static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt); -static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, - PACKET *cipher_suites, - STACK_OF(SSL_CIPHER) - **skp, int sslv2format, - int *al); +static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt); /* * ossl_statem_server13_read_transition() encapsulates the logic for the allowed @@ -81,11 +77,6 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt) { OSSL_STATEM *st = &s->statem; - /* - * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time - * we will update this to look more like real TLSv1.3 - */ - /* * Note: There is no case for TLS_ST_BEFORE because at that stage we have * not negotiated TLSv1.3 yet, so that case is handled by @@ -95,6 +86,13 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt) default: break; + case TLS_ST_SW_HELLO_RETRY_REQUEST: + if (mt == SSL3_MT_CLIENT_HELLO) { + st->hand_state = TLS_ST_SR_CLNT_HELLO; + return 1; + } + break; + case TLS_ST_SW_FINISHED: if (s->s3->tmp.cert_request) { if (mt == SSL3_MT_CERTIFICATE) { @@ -129,6 +127,13 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt) return 1; } break; + + case TLS_ST_OK: + if (mt == SSL3_MT_KEY_UPDATE) { + st->hand_state = TLS_ST_SR_KEY_UPDATE; + return 1; + } + break; } /* No valid transition found */ @@ -162,6 +167,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt) break; case TLS_ST_BEFORE: + case TLS_ST_OK: case DTLS_ST_SW_HELLO_VERIFY_REQUEST: if (mt == SSL3_MT_CLIENT_HELLO) { st->hand_state = TLS_ST_SR_CLNT_HELLO; @@ -255,7 +261,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt) case TLS_ST_SR_CHANGE: #ifndef OPENSSL_NO_NEXTPROTONEG - if (s->s3->next_proto_neg_seen) { + if (s->s3->npn_seen) { if (mt == SSL3_MT_NEXT_PROTO) { st->hand_state = TLS_ST_SR_NEXT_PROTO; return 1; @@ -353,7 +359,7 @@ static int send_certificate_request(SSL *s) * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert * during re-negotiation: */ - && ((s->session->peer == NULL) || + && (s->s3->tmp.finish_md_len == 0 || !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) /* * never request cert in anonymous ciphersuites (see @@ -389,11 +395,6 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) { OSSL_STATEM *st = &s->statem; - /* - * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time - * we will update this to look more like real TLSv1.3 - */ - /* * No case for TLS_ST_BEFORE, because at that stage we have not negotiated * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition() @@ -404,10 +405,24 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) /* Shouldn't happen */ return WRITE_TRAN_ERROR; + case TLS_ST_OK: + if (s->key_update != SSL_KEY_UPDATE_NONE) { + st->hand_state = TLS_ST_SW_KEY_UPDATE; + return WRITE_TRAN_CONTINUE; + } + /* Try to read from the client instead */ + return WRITE_TRAN_FINISHED; + case TLS_ST_SR_CLNT_HELLO: - st->hand_state = TLS_ST_SW_SRVR_HELLO; + if (s->hello_retry_request) + st->hand_state = TLS_ST_SW_HELLO_RETRY_REQUEST; + else + st->hand_state = TLS_ST_SW_SRVR_HELLO; return WRITE_TRAN_CONTINUE; + case TLS_ST_SW_HELLO_RETRY_REQUEST: + return WRITE_TRAN_FINISHED; + case TLS_ST_SW_SRVR_HELLO: st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; return WRITE_TRAN_CONTINUE; @@ -427,11 +442,10 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; case TLS_ST_SW_CERT: - st->hand_state = s->tlsext_status_expected ? TLS_ST_SW_CERT_STATUS - : TLS_ST_SW_FINISHED; + st->hand_state = TLS_ST_SW_CERT_VRFY; return WRITE_TRAN_CONTINUE; - case TLS_ST_SW_CERT_STATUS: + case TLS_ST_SW_CERT_VRFY: st->hand_state = TLS_ST_SW_FINISHED; return WRITE_TRAN_CONTINUE; @@ -439,6 +453,26 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) return WRITE_TRAN_FINISHED; case TLS_ST_SR_FINISHED: + /* + * Technically we have finished the handshake at this point, but we're + * going to remain "in_init" for now and write out the session ticket + * immediately. + * TODO(TLS1.3): Perhaps we need to be able to control this behaviour + * and give the application the opportunity to delay sending the + * session ticket? + */ + st->hand_state = TLS_ST_SW_SESSION_TICKET; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SR_KEY_UPDATE: + if (s->key_update != SSL_KEY_UPDATE_NONE) { + st->hand_state = TLS_ST_SW_KEY_UPDATE; + return WRITE_TRAN_CONTINUE; + } + /* Fall through */ + + case TLS_ST_SW_KEY_UPDATE: + case TLS_ST_SW_SESSION_TICKET: st->hand_state = TLS_ST_OK; ossl_statem_set_in_init(s, 0); return WRITE_TRAN_CONTINUE; @@ -466,15 +500,24 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) /* Shouldn't happen */ return WRITE_TRAN_ERROR; + case TLS_ST_OK: + if (st->request_state == TLS_ST_SW_HELLO_REQ) { + /* We must be trying to renegotiate */ + st->hand_state = TLS_ST_SW_HELLO_REQ; + st->request_state = TLS_ST_BEFORE; + return WRITE_TRAN_CONTINUE; + } + /* Must be an incoming ClientHello */ + if (!tls_setup_handshake(s)) { + ossl_statem_set_error(s); + return WRITE_TRAN_ERROR; + } + /* Fall through */ + case TLS_ST_BEFORE: /* Just go straight to trying to read from the client */ return WRITE_TRAN_FINISHED; - case TLS_ST_OK: - /* We must be trying to renegotiate */ - st->hand_state = TLS_ST_SW_HELLO_REQ; - return WRITE_TRAN_CONTINUE; - case TLS_ST_SW_HELLO_REQ: st->hand_state = TLS_ST_OK; ossl_statem_set_in_init(s, 0); @@ -493,7 +536,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) case TLS_ST_SW_SRVR_HELLO: if (s->hit) { - if (s->tlsext_ticket_expected) + if (s->ext.ticket_expected) st->hand_state = TLS_ST_SW_SESSION_TICKET; else st->hand_state = TLS_ST_SW_CHANGE; @@ -514,7 +557,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; case TLS_ST_SW_CERT: - if (s->tlsext_status_expected) { + if (s->ext.status_expected) { st->hand_state = TLS_ST_SW_CERT_STATUS; return WRITE_TRAN_CONTINUE; } @@ -546,7 +589,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) st->hand_state = TLS_ST_OK; ossl_statem_set_in_init(s, 0); return WRITE_TRAN_CONTINUE; - } else if (s->tlsext_ticket_expected) { + } else if (s->ext.ticket_expected) { st->hand_state = TLS_ST_SW_SESSION_TICKET; } else { st->hand_state = TLS_ST_SW_CHANGE; @@ -617,7 +660,14 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) return WORK_FINISHED_CONTINUE; case TLS_ST_SW_SESSION_TICKET: - if (SSL_IS_DTLS(s)) { + if (SSL_IS_TLS13(s)) { + /* + * Actually this is the end of the handshake, but we're going + * straight into writing the session ticket out. So we finish off + * the handshake, but keep the various buffers active. + */ + return tls_finish_handshake(s, wst, 0); + } if (SSL_IS_DTLS(s)) { /* * We're into the last flight. We don't retransmit the last flight * unless we need to, so we don't use the timer @@ -644,7 +694,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) return WORK_FINISHED_CONTINUE; case TLS_ST_OK: - return tls_finish_handshake(s, wst); + return tls_finish_handshake(s, wst, 1); } return WORK_FINISHED_CONTINUE; @@ -665,6 +715,11 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) /* No post work to be done */ break; + case TLS_ST_SW_HELLO_RETRY_REQUEST: + if (statem_flush(s) != 1) + return WORK_MORE_A; + break; + case TLS_ST_SW_HELLO_REQ: if (statem_flush(s) != 1) return WORK_MORE_A; @@ -772,13 +827,25 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) #endif if (SSL_IS_TLS13(s)) { if (!s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, s->handshake_secret, 0, + s->master_secret, s->handshake_secret, 0, &s->session->master_key_length) || !s->method->ssl3_enc->change_cipher_state(s, SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE)) return WORK_ERROR; } break; + + case TLS_ST_SW_KEY_UPDATE: + if (statem_flush(s) != 1) + return WORK_MORE_A; + if (!tls13_update_key(s, 1)) + return WORK_ERROR; + break; + + case TLS_ST_SW_SESSION_TICKET: + if (SSL_IS_TLS13(s) && statem_flush(s) != 1) + return WORK_MORE_A; + break; } return WORK_FINISHED_CONTINUE; @@ -831,6 +898,12 @@ int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, *mt = SSL3_MT_CERTIFICATE; break; + case TLS_ST_SW_CERT_VRFY: + *confunc = tls_construct_cert_verify; + *mt = SSL3_MT_CERTIFICATE_VERIFY; + break; + + case TLS_ST_SW_KEY_EXCH: *confunc = tls_construct_server_key_exchange; *mt = SSL3_MT_SERVER_KEY_EXCHANGE; @@ -865,6 +938,16 @@ int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, *confunc = tls_construct_encrypted_extensions; *mt = SSL3_MT_ENCRYPTED_EXTENSIONS; break; + + case TLS_ST_SW_HELLO_RETRY_REQUEST: + *confunc = tls_construct_hello_retry_request; + *mt = SSL3_MT_HELLO_RETRY_REQUEST; + break; + + case TLS_ST_SW_KEY_UPDATE: + *confunc = tls_construct_key_update; + *mt = SSL3_MT_KEY_UPDATE; + break; } return 1; @@ -925,6 +1008,9 @@ size_t ossl_statem_server_max_message_size(SSL *s) case TLS_ST_SR_FINISHED: return FINISHED_MAX_LENGTH; + + case TLS_ST_SR_KEY_UPDATE: + return KEY_UPDATE_MAX_LENGTH; } } @@ -962,6 +1048,10 @@ MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) case TLS_ST_SR_FINISHED: return tls_process_finished(s, pkt); + + case TLS_ST_SR_KEY_UPDATE: + return tls_process_key_update(s, pkt); + } } @@ -1062,24 +1152,6 @@ int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) return 1; } -/* - * Parse the extensions in the ClientHello that were collected earlier. Returns - * 1 for success or 0 for failure. - */ -static int tls_parse_clienthello_tlsext(SSL *s, CLIENTHELLO_MSG *hello) -{ - int al = -1; - - - - if (tls_scan_clienthello_tlsext(s, hello, &al) <= 0) { - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return 0; - } - - return 1; -} - #ifndef OPENSSL_NO_EC /*- * ssl_check_for_safari attempts to fingerprint Safari using OS X @@ -1096,10 +1168,6 @@ static int tls_parse_clienthello_tlsext(SSL *s, CLIENTHELLO_MSG *hello) */ static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) { - unsigned int type; - PACKET sni, tmppkt; - size_t ext_len; - static const unsigned char kSafariExtensionsBlock[] = { 0x00, 0x0a, /* elliptic_curves extension */ 0x00, 0x08, /* 8 bytes */ @@ -1122,9 +1190,11 @@ static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) 0x04, 0x03, /* SHA-256/ECDSA */ 0x02, 0x03, /* SHA-1/ECDSA */ }; - /* Length of the common prefix (first two extensions). */ static const size_t kSafariCommonExtensionsLength = 18; + unsigned int type; + PACKET sni, tmppkt; + size_t ext_len; tmppkt = hello->extensions; @@ -1156,12 +1226,22 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) SSL_COMP *comp = NULL; #endif STACK_OF(SSL_CIPHER) *ciphers = NULL; + STACK_OF(SSL_CIPHER) *scsvs = NULL; int protverr; /* |cookie| will only be initialized for DTLS. */ PACKET session_id, compression, extensions, cookie; static const unsigned char null_compression = 0; CLIENTHELLO_MSG clienthello; + /* Check if this is actually an unexpected renegotiation ClientHello */ + if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { + s->renegotiate = 1; + s->new_session = 1; + } + + /* This is a real handshake so make sure we clean it up at the end */ + s->statem.cleanuphand = 1; + /* * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure. */ @@ -1172,6 +1252,12 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (clienthello.isv2) { unsigned int mt; + if (!SSL_IS_FIRST_HANDSHAKE(s) || s->hello_retry_request) { + al = SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE); + goto f_err; + } + /*- * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 * header is sent directly on the wire, not wrapped as a TLS @@ -1333,8 +1419,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) /* Preserve the raw extensions PACKET for later use */ extensions = clienthello.extensions; if (!tls_collect_extensions(s, &extensions, EXT_CLIENT_HELLO, - &clienthello.pre_proc_exts, - &clienthello.num_extensions, &al)) { + &clienthello.pre_proc_exts, &al, + &clienthello.pre_proc_exts_len)) { /* SSLerr already been called */ goto f_err; } @@ -1375,7 +1461,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (protverr) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr); - if ((!s->enc_write_ctx && !s->write_hash)) { + if (SSL_IS_FIRST_HANDSHAKE(s)) { /* like ssl3_get_record, send alert using remote version number */ s->version = s->client_version = clienthello.legacy_version; } @@ -1419,10 +1505,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) s->hit = 0; /* We need to do this before getting the session */ - if (!tls_parse_extension(s, TLSEXT_TYPE_extended_master_secret, + if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret, EXT_CLIENT_HELLO, - clienthello.pre_proc_exts, - clienthello.num_extensions, &al)) { + clienthello.pre_proc_exts, NULL, 0, &al)) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); goto f_err; } @@ -1449,21 +1534,12 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (!ssl_get_new_session(s, 1)) goto err; } else { - i = ssl_get_prev_session(s, &clienthello); - /* - * Only resume if the session's version matches the negotiated - * version. - * RFC 5246 does not provide much useful advice on resumption - * with a different protocol version. It doesn't forbid it but - * the sanity of such behaviour would be questionable. - * In practice, clients do not accept a version mismatch and - * will abort the handshake with an error. - */ - if (i == 1 && s->version == s->session->ssl_version) { + i = ssl_get_prev_session(s, &clienthello, &al); + if (i == 1) { /* previous session */ s->hit = 1; } else if (i == -1) { - goto err; + goto f_err; } else { /* i == 0 */ if (!ssl_get_new_session(s, 1)) @@ -1471,11 +1547,44 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } } - if (ssl_bytes_to_cipher_list(s, &clienthello.ciphersuites, &ciphers, - clienthello.isv2, &al) == NULL) { + if (!ssl_cache_cipherlist(s, &clienthello.ciphersuites, + clienthello.isv2, &al) || + !bytes_to_cipher_list(s, &clienthello.ciphersuites, &ciphers, &scsvs, + clienthello.isv2, &al)) { goto f_err; } + s->s3->send_connection_binding = 0; + /* Check what signalling cipher-suite values were received. */ + if (scsvs != NULL) { + for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) { + c = sk_SSL_CIPHER_value(scsvs, i); + if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) { + if (s->renegotiate) { + /* SCSV is fatal if renegotiating */ + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); + al = SSL_AD_HANDSHAKE_FAILURE; + goto f_err; + } + s->s3->send_connection_binding = 1; + } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV && + !ssl_check_version_downgrade(s)) { + /* + * This SCSV indicates that the client previously tried + * a higher version. We should fail if the current version + * is an unexpected downgrade, as that indicates that the first + * connection may have been tampered with in order to trigger + * an insecure downgrade. + */ + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_INAPPROPRIATE_FALLBACK); + al = SSL_AD_INAPPROPRIATE_FALLBACK; + goto f_err; + } + } + } + /* If it is a hit, check that the cipher is in the list */ if (s->hit) { j = 0; @@ -1525,17 +1634,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) #endif /* !OPENSSL_NO_EC */ /* TLS extensions */ - if (!tls_parse_clienthello_tlsext(s, &clienthello)) { + if (!tls_parse_all_extensions(s, EXT_CLIENT_HELLO, + clienthello.pre_proc_exts, NULL, 0, &al)) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); - goto err; - } - - /* Check we've got a key_share for TLSv1.3 */ - if (SSL_IS_TLS13(s) && s->s3->peer_tmp == NULL && !s->hit) { - /* No suitable share */ - /* TODO(TLS1.3): Send a HelloRetryRequest */ - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SUITABLE_KEY_SHARE); goto f_err; } @@ -1553,7 +1654,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } } - if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) { + if (!s->hit && s->version >= TLS1_VERSION && s->ext.session_secret_cb) { const SSL_CIPHER *pref_cipher = NULL; /* * s->session->master_key_length is a size_t, but this is an int for @@ -1562,10 +1663,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) int master_key_length; master_key_length = sizeof(s->session->master_key); - if (s->tls_session_secret_cb(s, s->session->master_key, + if (s->ext.session_secret_cb(s, s->session->master_key, &master_key_length, ciphers, &pref_cipher, - s->tls_session_secret_cb_arg) + s->ext.session_secret_cb_arg) && master_key_length > 0) { s->session->master_key_length = master_key_length; s->hit = 1; @@ -1575,12 +1676,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ciphers = NULL; /* check if some cipher was preferred by call back */ - pref_cipher = - pref_cipher ? pref_cipher : ssl3_choose_cipher(s, - s-> - session->ciphers, - SSL_get_ciphers - (s)); + if (pref_cipher == NULL) + pref_cipher = ssl3_choose_cipher(s, s->session->ciphers, + SSL_get_ciphers(s)); if (pref_cipher == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); @@ -1711,6 +1809,54 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) return MSG_PROCESS_ERROR; } +/* + * Call the status request callback if needed. Upon success, returns 1. + * Upon failure, returns 0 and sets |*al| to the appropriate fatal alert. + */ +static int tls_handle_status_request(SSL *s, int *al) +{ + s->ext.status_expected = 0; + + /* + * If status request then ask callback what to do. Note: this must be + * called after servername callbacks in case the certificate has changed, + * and must be called after the cipher has been chosen because this may + * influence which certificate is sent + */ + if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL + && s->ctx->ext.status_cb != NULL) { + int ret; + + /* If no certificate can't return certificate status */ + if (s->s3->tmp.cert != NULL) { + /* + * Set current certificate to one we will use so SSL_get_certificate + * et al can pick it up. + */ + s->cert->key = s->s3->tmp.cert; + ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); + switch (ret) { + /* We don't want to send a status request response */ + case SSL_TLSEXT_ERR_NOACK: + s->ext.status_expected = 0; + break; + /* status request response should be sent */ + case SSL_TLSEXT_ERR_OK: + if (s->ext.ocsp.resp) + s->ext.status_expected = 1; + break; + /* something bad happened */ + case SSL_TLSEXT_ERR_ALERT_FATAL: + default: + *al = SSL_AD_INTERNAL_ERROR; + return 0; + } + } + } + + return 1; +} + WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) { int al = SSL_AD_HANDSHAKE_FAILURE; @@ -1742,25 +1888,22 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) goto f_err; } s->s3->tmp.new_cipher = cipher; + if (!tls_choose_sigalg(s, &al)) + goto f_err; /* check whether we should disable session resumption */ if (s->not_resumable_session_cb != NULL) - s->session->not_resumable = s->not_resumable_session_cb(s, - ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0)); + s->session->not_resumable = + s->not_resumable_session_cb(s, ((cipher->algorithm_mkey + & (SSL_kDHE | SSL_kECDHE)) + != 0)); if (s->session->not_resumable) /* do not send a session ticket */ - s->tlsext_ticket_expected = 0; + s->ext.ticket_expected = 0; } else { /* Session-id reuse */ s->s3->tmp.new_cipher = s->session->cipher; } - if (!(s->verify_mode & SSL_VERIFY_PEER)) { - if (!ssl3_digest_cached_records(s, 0)) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - } - /*- * we now have the following setup. * client_random @@ -1773,13 +1916,14 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) * s->s3->tmp.new_cipher- the new cipher to use. */ - /* Handles TLS extensions that we couldn't check earlier */ - if (s->version >= SSL3_VERSION) { - if (!ssl_check_clienthello_tlsext_late(s, &al)) { - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_CLIENTHELLO_TLSEXT); - goto f_err; - } + /* + * Call status_request callback if needed. Has to be done after the + * certificate callbacks etc above. + */ + if (!tls_handle_status_request(s, &al)) { + SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, + SSL_R_CLIENTHELLO_TLSEXT); + goto f_err; } wst = WORK_MORE_B; @@ -1809,7 +1953,6 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) } } #endif - s->renegotiate = 2; return WORK_FINISHED_STOP; f_err: @@ -1878,19 +2021,21 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len) || (!SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, compm)) - /* - * TODO(TLS1.3): For now we add all 1.2 and 1.3 extensions. Later - * we will do this based on the actual protocol - */ || !tls_construct_extensions(s, pkt, - EXT_TLS1_2_SERVER_HELLO - | EXT_TLS1_3_SERVER_HELLO - | EXT_TLS1_3_ENCRYPTED_EXTENSIONS - | EXT_TLS1_3_CERTIFICATE, &al)) { + SSL_IS_TLS13(s) + ? EXT_TLS1_3_SERVER_HELLO + : EXT_TLS1_2_SERVER_HELLO, + NULL, 0, &al)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); goto err; } + if (!(s->verify_mode & SSL_VERIFY_PEER) + && !ssl3_digest_cached_records(s, 0)) { + al = SSL_AD_INTERNAL_ERROR; + goto err; + } + return 1; err: ssl3_send_alert(s, SSL3_AL_FATAL, al); @@ -1918,12 +2063,12 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) size_t encodedlen = 0; int curve_id = 0; #endif - EVP_PKEY *pkey; - const EVP_MD *md = NULL; + const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg; int al = SSL_AD_INTERNAL_ERROR, i; unsigned long type; const BIGNUM *r[4]; EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); + EVP_PKEY_CTX *pctx = NULL; size_t paramlen, paramoffset; if (!WPACKET_get_total_written(pkt, ¶moffset)) { @@ -2075,15 +2220,12 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) goto f_err; } - if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) - && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) { - if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md)) - == NULL) { - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - } else { - pkey = NULL; + if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0) + || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) { + lu = NULL; + } else if (lu == NULL) { + al = SSL_AD_DECODE_ERROR; + goto f_err; } #ifndef OPENSSL_NO_PSK @@ -2173,60 +2315,66 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) #endif /* not anonymous */ - if (pkey != NULL) { + if (lu != NULL) { + EVP_PKEY *pkey = s->s3->tmp.cert->privatekey; + const EVP_MD *md = ssl_md(lu->hash_idx); + unsigned char *sigbytes1, *sigbytes2; + size_t siglen; + + if (pkey == NULL || md == NULL) { + /* Should never happen */ + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } /* * n is the length of the params, they start at &(d[4]) and p * points to the space at the end. */ - if (md) { - unsigned char *sigbytes1, *sigbytes2; - unsigned int siglen; - /* Get length of the parameters we have written above */ - if (!WPACKET_get_length(pkt, ¶mlen)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; - } - /* send signature algorithm */ - if (SSL_USE_SIGALGS(s)) { - if (!tls12_get_sigandhash(pkt, pkey, md)) { - /* Should never happen */ - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; - } - } -#ifdef SSL_DEBUG - fprintf(stderr, "Using hash %s\n", EVP_MD_name(md)); -#endif - /* - * Create the signature. We don't know the actual length of the sig - * until after we've created it, so we reserve enough bytes for it - * up front, and then properly allocate them in the WPACKET - * afterwards. - */ - if (!WPACKET_sub_reserve_bytes_u16(pkt, EVP_PKEY_size(pkey), - &sigbytes1) - || EVP_SignInit_ex(md_ctx, md, NULL) <= 0 - || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_SignUpdate(md_ctx, s->init_buf->data + paramoffset, - paramlen) <= 0 - || EVP_SignFinal(md_ctx, sigbytes1, &siglen, pkey) <= 0 - || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2) - || sigbytes1 != sigbytes2) { + /* Get length of the parameters we have written above */ + if (!WPACKET_get_length(pkt, ¶mlen)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } + /* send signature algorithm */ + if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) + return 0; + /* + * Create the signature. We don't know the actual length of the sig + * until after we've created it, so we reserve enough bytes for it + * up front, and then properly allocate them in the WPACKET + * afterwards. + */ + siglen = EVP_PKEY_size(pkey); + if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1) + || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } + if (lu->sig == EVP_PKEY_RSA_PSS) { + if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 + || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + ERR_R_EVP_LIB); goto f_err; } - } else { - /* Is this error check actually needed? */ - al = SSL_AD_HANDSHAKE_FAILURE; + } + if (EVP_DigestSignUpdate(md_ctx, &(s->s3->client_random[0]), + SSL3_RANDOM_SIZE) <= 0 + || EVP_DigestSignUpdate(md_ctx, &(s->s3->server_random[0]), + SSL3_RANDOM_SIZE) <= 0 + || EVP_DigestSignUpdate(md_ctx, + s->init_buf->data + paramoffset, + paramlen) <= 0 + || EVP_DigestSignFinal(md_ctx, sigbytes1, &siglen) <= 0 + || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2) + || sigbytes1 != sigbytes2) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - SSL_R_UNKNOWN_PKEY_TYPE); + ERR_R_INTERNAL_ERROR); goto f_err; } } @@ -2260,8 +2408,9 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) } if (SSL_USE_SIGALGS(s)) { - const unsigned char *psigs; - size_t nl = tls12_get_psigalgs(s, &psigs); + const uint16_t *psigs; + size_t nl = tls12_get_psigalgs(s, 1, &psigs); + if (!WPACKET_start_sub_packet_u16(pkt) || !tls12_copy_sigalgs(s, pkt, psigs, nl) || !WPACKET_close(pkt)) { @@ -2389,7 +2538,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) unsigned char *rsa_decrypt = NULL; int ret = 0; - rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey); + rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey); if (rsa == NULL) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_MISSING_RSA_CERTIFICATE); @@ -2894,7 +3043,7 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) sizeof(labelbuffer), NULL, 0, 0) <= 0) { ossl_statem_set_error(s); - return WORK_ERROR;; + return WORK_ERROR; } BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, @@ -2952,163 +3101,6 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) return WORK_FINISHED_CONTINUE; } -MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) -{ - EVP_PKEY *pkey = NULL; - const unsigned char *sig, *data; -#ifndef OPENSSL_NO_GOST - unsigned char *gost_data = NULL; -#endif - int al, ret = MSG_PROCESS_ERROR; - int type = 0, j; - unsigned int len; - X509 *peer; - const EVP_MD *md = NULL; - long hdatalen = 0; - void *hdata; - - EVP_MD_CTX *mctx = EVP_MD_CTX_new(); - - if (mctx == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - - peer = s->session->peer; - pkey = X509_get0_pubkey(peer); - type = X509_certificate_type(peer, pkey); - - if (!(type & EVP_PKT_SIGN)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, - SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); - al = SSL_AD_ILLEGAL_PARAMETER; - goto f_err; - } - - /* Check for broken implementations of GOST ciphersuites */ - /* - * If key is GOST and n is exactly 64, it is bare signature without - * length field (CryptoPro implementations at least till CSP 4.0) - */ -#ifndef OPENSSL_NO_GOST - if (PACKET_remaining(pkt) == 64 - && EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) { - len = 64; - } else -#endif - { - if (SSL_USE_SIGALGS(s)) { - int rv; - - if (!PACKET_get_bytes(pkt, &sig, 2)) { - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - rv = tls12_check_peer_sigalg(&md, s, sig, pkey); - if (rv == -1) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } else if (rv == 0) { - al = SSL_AD_DECODE_ERROR; - goto f_err; - } -#ifdef SSL_DEBUG - fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); -#endif - } else { - /* Use default digest for this key type */ - int idx = ssl_cert_type(NULL, pkey); - if (idx >= 0) - md = s->s3->tmp.md[idx]; - if (md == NULL) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - } - - if (!PACKET_get_net_2(pkt, &len)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - } - j = EVP_PKEY_size(pkey); - if (((int)len > j) || ((int)PACKET_remaining(pkt) > j) - || (PACKET_remaining(pkt) == 0)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - if (!PACKET_get_bytes(pkt, &data, len)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - - hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); - if (hdatalen <= 0) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - -#ifdef SSL_DEBUG - fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md)); -#endif - if (!EVP_VerifyInit_ex(mctx, md, NULL) - || !EVP_VerifyUpdate(mctx, hdata, hdatalen)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } -#ifndef OPENSSL_NO_GOST - { - int pktype = EVP_PKEY_id(pkey); - if (pktype == NID_id_GostR3410_2001 - || pktype == NID_id_GostR3410_2012_256 - || pktype == NID_id_GostR3410_2012_512) { - if ((gost_data = OPENSSL_malloc(len)) == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - BUF_reverse(gost_data, data, len); - data = gost_data; - } - } -#endif - - if (s->version == SSL3_VERSION - && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - (int)s->session->master_key_length, - s->session->master_key)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - - if (EVP_VerifyFinal(mctx, data, len, pkey) <= 0) { - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE); - goto f_err; - } - - ret = MSG_PROCESS_CONTINUE_PROCESSING; - if (0) { - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); - } - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; - EVP_MD_CTX_free(mctx); -#ifndef OPENSSL_NO_GOST - OPENSSL_free(gost_data); -#endif - return ret; -} - MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) { int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR; @@ -3116,22 +3108,25 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) unsigned long l, llen; const unsigned char *certstart, *certbytes; STACK_OF(X509) *sk = NULL; - PACKET spkt; + PACKET spkt, context; + size_t chainidx; if ((sk = sk_X509_new_null()) == NULL) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); goto f_err; } - if (!PACKET_get_net_3(pkt, &llen) - || !PACKET_get_sub_packet(pkt, &spkt, llen) - || PACKET_remaining(pkt) != 0) { + /* TODO(TLS1.3): For now we ignore the context. We need to verify this */ + if ((SSL_IS_TLS13(s) && !PACKET_get_length_prefixed_1(pkt, &context)) + || !PACKET_get_net_3(pkt, &llen) + || !PACKET_get_sub_packet(pkt, &spkt, llen) + || PACKET_remaining(pkt) != 0) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH); goto f_err; } - while (PACKET_remaining(&spkt) > 0) { + for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) { if (!PACKET_get_net_3(&spkt, &l) || !PACKET_get_bytes(&spkt, &certbytes, l)) { al = SSL_AD_DECODE_ERROR; @@ -3152,6 +3147,26 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) SSL_R_CERT_LENGTH_MISMATCH); goto f_err; } + + if (SSL_IS_TLS13(s)) { + RAW_EXTENSION *rawexts = NULL; + PACKET extensions; + + if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_BAD_LENGTH); + goto f_err; + } + if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE, + &rawexts, &al, NULL) + || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE, + rawexts, x, chainidx, &al)) { + OPENSSL_free(rawexts); + goto f_err; + } + OPENSSL_free(rawexts); + } + if (!sk_X509_push(sk, x)) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); goto f_err; @@ -3224,6 +3239,17 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) * certificate, while we do include it in statem_clnt.c */ sk = NULL; + + /* Save the current hash state for when we receive the CertificateVerify */ + if (SSL_IS_TLS13(s) + && !ssl_handshake_hash(s, s->cert_verify_hash, + sizeof(s->cert_verify_hash), + &s->cert_verify_hash_len)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); + goto f_err; + } + ret = MSG_PROCESS_CONTINUE_READING; goto done; @@ -3238,16 +3264,22 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) int tls_construct_server_certificate(SSL *s, WPACKET *pkt) { - CERT_PKEY *cpk; + CERT_PKEY *cpk = s->s3->tmp.cert; + int al = SSL_AD_INTERNAL_ERROR; - cpk = ssl_get_server_send_pkey(s); if (cpk == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); return 0; } - if (!ssl3_output_cert_chain(s, pkt, cpk)) { + /* + * In TLSv1.3 the certificate chain is always preceded by a 0 length context + * for the server Certificate message + */ + if ((SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) + || !ssl3_output_cert_chain(s, pkt, cpk, &al)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); + ssl3_send_alert(s, SSL3_AL_FATAL, al); return 0; } @@ -3264,11 +3296,21 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) int len, slen_full, slen, lenfinal; SSL_SESSION *sess; unsigned int hlen; - SSL_CTX *tctx = s->initial_ctx; + SSL_CTX *tctx = s->session_ctx; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char key_name[TLSEXT_KEYNAME_LENGTH]; - int iv_len; + int iv_len, al = SSL_AD_INTERNAL_ERROR; size_t macoffset, macendoffset; + union { + unsigned char age_add_c[sizeof(uint32_t)]; + uint32_t age_add; + } age_add_u; + + if (SSL_IS_TLS13(s)) { + if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) + goto err; + s->session->ext.tick_age_add = age_add_u.age_add; + } /* get session encoding length */ slen_full = i2d_SSL_SESSION(s->session, NULL); @@ -3322,9 +3364,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) * Initialize HMAC and cipher contexts. If callback present it does * all the work otherwise use generated values from parent ctx. */ - if (tctx->tlsext_ticket_key_cb) { + if (tctx->ext.ticket_key_cb) { /* if 0 is returned, write an empty ticket */ - int ret = tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx, + int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx, hctx, 1); if (ret == 0) { @@ -3351,14 +3393,14 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) if (RAND_bytes(iv, iv_len) <= 0) goto err; if (!EVP_EncryptInit_ex(ctx, cipher, NULL, - tctx->tlsext_tick_aes_key, iv)) + tctx->ext.tick_aes_key, iv)) goto err; - if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, - sizeof(tctx->tlsext_tick_hmac_key), + if (!HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key, + sizeof(tctx->ext.tick_hmac_key), EVP_sha256(), NULL)) goto err; - memcpy(key_name, tctx->tlsext_tick_key_name, - sizeof(tctx->tlsext_tick_key_name)); + memcpy(key_name, tctx->ext.tick_key_name, + sizeof(tctx->ext.tick_key_name)); } /* @@ -3367,6 +3409,8 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) * new sessions will live as long as their sessions. */ if (!WPACKET_put_bytes_u32(pkt, s->hit ? 0 : s->session->timeout) + || (SSL_IS_TLS13(s) + && !WPACKET_put_bytes_u32(pkt, age_add_u.age_add)) /* Now the actual ticket data */ || !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_get_total_written(pkt, &macoffset) @@ -3393,7 +3437,11 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) || hlen > EVP_MAX_MD_SIZE || !WPACKET_allocate_bytes(pkt, hlen, &macdata2) || macdata1 != macdata2 - || !WPACKET_close(pkt)) { + || !WPACKET_close(pkt) + || (SSL_IS_TLS13(s) + && !tls_construct_extensions(s, pkt, + EXT_TLS1_3_NEW_SESSION_TICKET, + NULL, 0, &al))) { SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); goto err; } @@ -3410,12 +3458,25 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) return 0; } +/* + * In TLSv1.3 this is called from the extensions code, otherwise it is used to + * create a separate message. Returns 1 on success or 0 on failure. + */ +int tls_construct_cert_status_body(SSL *s, WPACKET *pkt) +{ + if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type) + || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp, + s->ext.ocsp.resp_len)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY, ERR_R_INTERNAL_ERROR); + return 0; + } + + return 1; +} + int tls_construct_cert_status(SSL *s, WPACKET *pkt) { - if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type) - || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp, - s->tlsext_ocsp_resplen)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR); + if (!tls_construct_cert_status_body(s, pkt)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return 0; } @@ -3447,12 +3508,12 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) goto err; } - if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated, &next_proto_len)) { - s->next_proto_negotiated_len = 0; + if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) { + s->ext.npn_len = 0; goto err; } - s->next_proto_negotiated_len = (unsigned char)next_proto_len; + s->ext.npn_len = (unsigned char)next_proto_len; return MSG_PROCESS_CONTINUE_READING; err: @@ -3463,125 +3524,39 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt) { - /* TODO(TLS1.3): Zero length encrypted extensions message for now */ - if (!WPACKET_put_bytes_u16(pkt, 0)) { + int al; + + if (!tls_construct_extensions(s, pkt, EXT_TLS1_3_ENCRYPTED_EXTENSIONS, + NULL, 0, &al)) { + ssl3_send_alert(s, SSL3_AL_FATAL, al); SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + ssl3_send_alert(s, SSL3_AL_FATAL, al); return 0; } return 1; } -#define SSLV2_CIPHER_LEN 3 - -STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, - PACKET *cipher_suites, - STACK_OF(SSL_CIPHER) **skp, - int sslv2format, int *al) +static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt) { - const SSL_CIPHER *c; - STACK_OF(SSL_CIPHER) *sk; - int n; - /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */ - unsigned char cipher[SSLV2_CIPHER_LEN]; - - s->s3->send_connection_binding = 0; - - n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; - - if (PACKET_remaining(cipher_suites) == 0) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED); - *al = SSL_AD_ILLEGAL_PARAMETER; - return NULL; - } - - if (PACKET_remaining(cipher_suites) % n != 0) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); - *al = SSL_AD_DECODE_ERROR; - return NULL; - } - - if ((skp == NULL) || (*skp == NULL)) { - sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */ - if (sk == NULL) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - *al = SSL_AD_INTERNAL_ERROR; - return NULL; - } - } else { - sk = *skp; - sk_SSL_CIPHER_zero(sk); - } + int al = SSL_AD_INTERNAL_ERROR; - if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw, - &s->s3->tmp.ciphers_rawlen)) { - *al = SSL_AD_INTERNAL_ERROR; - goto err; + /* + * TODO(TLS1.3): Remove the DRAFT version before release + * (should be s->version) + */ + if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT) + || !tls_construct_extensions(s, pkt, EXT_TLS1_3_HELLO_RETRY_REQUEST, + NULL, 0, &al)) { + SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR); + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return 0; } - while (PACKET_copy_bytes(cipher_suites, cipher, n)) { - /* - * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the - * first byte set to zero, while true SSLv2 ciphers have a non-zero - * first byte. We don't support any true SSLv2 ciphers, so skip them. - */ - if (sslv2format && cipher[0] != '\0') - continue; - - /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */ - if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && - (cipher[n - 1] == (SSL3_CK_SCSV & 0xff))) { - /* SCSV fatal if renegotiating */ - if (s->renegotiate) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); - *al = SSL_AD_HANDSHAKE_FAILURE; - goto err; - } - s->s3->send_connection_binding = 1; - continue; - } - - /* Check for TLS_FALLBACK_SCSV */ - if ((cipher[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) && - (cipher[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) { - /* - * The SCSV indicates that the client previously tried a higher - * version. Fail if the current version is an unexpected - * downgrade. - */ - if (!ssl_check_version_downgrade(s)) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - SSL_R_INAPPROPRIATE_FALLBACK); - *al = SSL_AD_INAPPROPRIATE_FALLBACK; - goto err; - } - continue; - } - - /* For SSLv2-compat, ignore leading 0-byte. */ - c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher); - if (c != NULL) { - if (!sk_SSL_CIPHER_push(sk, c)) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - *al = SSL_AD_INTERNAL_ERROR; - goto err; - } - } - } - if (PACKET_remaining(cipher_suites) > 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR); - goto err; - } + /* Ditch the session. We'll create a new one next time around */ + SSL_SESSION_free(s->session); + s->session = NULL; + s->hit = 0; - if (skp != NULL) - *skp = sk; - return (sk); - err: - if ((skp == NULL) || (*skp == NULL)) - sk_SSL_CIPHER_free(sk); - return NULL; + return 1; }