X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Ft1_lib.c;h=0df324dbde0dcb084408c145e6afb763600d72db;hp=8296ea1f5c43cd270ab1dd5a2825e1bd801738eb;hb=76106e60a827ddaefe1fee28a749018241d8f517;hpb=10bf4fc2c3da332a54247da1f3c0dcb44944f7ff diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 8296ea1f5c..0df324dbde 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -209,9 +209,7 @@ int tls1_new(SSL *s) void tls1_free(SSL *s) { #ifndef OPENSSL_NO_TLSEXT - if (s->tlsext_session_ticket) { - OPENSSL_free(s->tlsext_session_ticket); - } + OPENSSL_free(s->tlsext_session_ticket); #endif /* OPENSSL_NO_TLSEXT */ ssl3_free(s); } @@ -309,8 +307,7 @@ static const unsigned char suiteb_curves[] = { int tls1_ec_curve_id2nid(int curve_id) { /* ECC curves from RFC 4492 and RFC 7027 */ - if ((curve_id < 1) || ((unsigned int)curve_id > - sizeof(nid_list) / sizeof(nid_list[0]))) + if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list))) return 0; return nid_list[curve_id - 1].nid; } @@ -444,8 +441,7 @@ static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op) const tls_curve_info *cinfo; if (curve[0]) return 1; - if ((curve[1] < 1) || ((size_t)curve[1] > - sizeof(nid_list) / sizeof(nid_list[0]))) + if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list))) return 0; cinfo = &nid_list[curve[1] - 1]; # ifdef OPENSSL_NO_EC2M @@ -576,8 +572,7 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen, dup_list |= idmask; s2n(id, p); } - if (*pext) - OPENSSL_free(*pext); + OPENSSL_free(*pext); *pext = clist; *pextlen = ncurves * 2; return 1; 
@@ -706,6 +701,16 @@ static int tls1_check_ec_key(SSL *s, for (j = 0; j <= 1; j++) { if (!tls1_get_curvelist(s, j, &pcurves, &num_curves)) return 0; + if (j == 1 && num_curves == 0) { + /* + * If we've not received any curves then skip this check. + * RFC 4492 does not require the supported elliptic curves extension + * so if it is not sent we can just choose any curve. + * It is invalid to send an empty list in the elliptic curves + * extension, so num_curves == 0 always means no extension. + */ + break; + } for (i = 0; i < num_curves; i++, pcurves += 2) { if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1]) break; @@ -1063,12 +1068,6 @@ void ssl_set_client_disabled(SSL *s) c->mask_k |= SSL_kDHd; if (c->mask_a & SSL_aECDSA) c->mask_k |= SSL_kECDHe; -# ifndef OPENSSL_NO_KRB5 - if (!kssl_tgt_is_available(s->kssl_ctx)) { - c->mask_a |= SSL_aKRB5; - c->mask_k |= SSL_kKRB5; - } -# endif # ifndef OPENSSL_NO_PSK /* with PSK there must be client callback set */ if (!s->psk_client_callback) { @@ -1421,7 +1420,11 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { int el; - ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); + /* Returns 0 on success!! */ + if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) { + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; + } if ((limit - ret - 4 - el) < 0) return NULL; @@ -1455,13 +1458,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, */ if (s->options & SSL_OP_TLSEXT_PADDING) { int hlen = ret - (unsigned char *)s->init_buf->data; - /* - * The code in s23_clnt.c to build ClientHello messages includes the - * 5-byte record header in the buffer, while the code in s3_clnt.c - * does not. - */ - if (s->state == SSL23_ST_CW_CLNT_HELLO_A) - hlen -= 5; + if (hlen > 0xff && hlen < 0x200) { hlen = 0x200 - hlen; if (hlen >= 4) 
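Review bot: In tls1_check_ec_key, the new `j == 1 && num_curves == 0` early exit treats an empty peer list as "extension not sent", and the comment's claim that an empty list can never reach this point rests on a check that is not in this hunk. If the extension parser ever stored a zero-length list instead of rejecting it, this branch would accept any curve for that peer without comparing it against anything. I would name the enforcing check in the comment, for example `* (an empty list is rejected when the extension is parsed, see ssl_scan_clienthello_tlsext)`, after confirming that this is where it happens. The loop body continues past the end of the hunk.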
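Review bot: In ssl_add_clienthello_tlsext, the new check `if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0))` uses a bare truthiness test on a helper where non-zero means failure, which is why it needs the `/* Returns 0 on success!! */` comment. Writing the comparison out, `if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0) != 0) {`, makes the failure branch readable on its own and harder to invert by accident in a later cleanup. The same applies to the `ssl_add_serverhello_use_srtp_ext` check added in ssl_add_serverhello_tlsext.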
@@ -1591,8 +1588,11 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, if (SSL_IS_DTLS(s) && s->srtp_profile) { int el; - ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); - + /* Returns 0 on success!! */ + if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) { + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; + } if ((limit - ret - 4 - el) < 0) return NULL; @@ -1762,8 +1762,7 @@ static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len, s->ctx->alpn_select_cb_arg); if (r == SSL_TLSEXT_ERR_OK) { - if (s->s3->alpn_selected) - OPENSSL_free(s->s3->alpn_selected); + OPENSSL_free(s->s3->alpn_selected); s->s3->alpn_selected = OPENSSL_malloc(selected_len); if (!s->s3->alpn_selected) { *al = SSL_AD_INTERNAL_ERROR; @@ -1877,10 +1876,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, s->s3->next_proto_neg_seen = 0; # endif - if (s->s3->alpn_selected) { - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = NULL; - } + OPENSSL_free(s->s3->alpn_selected); + s->s3->alpn_selected = NULL; # ifndef OPENSSL_NO_HEARTBEATS s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | SSL_TLSEXT_HB_DONT_SEND_REQUESTS); @@ -1892,19 +1889,15 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, # endif /* !OPENSSL_NO_EC */ /* Clear any signature algorithms extension received */ - if (s->cert->peer_sigalgs) { - OPENSSL_free(s->cert->peer_sigalgs); - s->cert->peer_sigalgs = NULL; - } + OPENSSL_free(s->s3->tmp.peer_sigalgs); + s->s3->tmp.peer_sigalgs = NULL; # ifdef TLSEXT_TYPE_encrypt_then_mac s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; # endif # ifndef OPENSSL_NO_SRP - if (s->srp_ctx.login != NULL) { - OPENSSL_free(s->srp_ctx.login); - s->srp_ctx.login = NULL; - } + OPENSSL_free(s->srp_ctx.login); + s->srp_ctx.login = NULL; # endif s->srtp_profile = NULL; 
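Review bot: In ssl_scan_clienthello_tlsext, the reset of the received signature algorithms frees `s->s3->tmp.peer_sigalgs` and sets it to NULL but leaves `s->s3->tmp.peer_sigalgslen` at its previous value, so pointer and length can disagree. The same commit pairs the shared list with its length (`s->cert->shared_sigalgslen = 0;` in tls1_set_server_sigalgs and tls1_set_shared_sigalgs), and I would do the same here with `s->s3->tmp.peer_sigalgslen = 0;` after the NULL assignment. tls1_save_sigalgs has the same gap on its allocation-failure path, where it returns 0 with the pointer NULL and the old length still stored. Most readers visible on this page test the pointer first, but tls1_set_shared_sigalgs passes pointer and length on together, so this is hardening rather than a demonstrated fault.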
@@ -2061,10 +2054,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, return 0; } if (!s->hit) { - if (s->session->tlsext_ecpointformatlist) { - OPENSSL_free(s->session->tlsext_ecpointformatlist); - s->session->tlsext_ecpointformatlist = NULL; - } + OPENSSL_free(s->session->tlsext_ecpointformatlist); + s->session->tlsext_ecpointformatlist = NULL; s->session->tlsext_ecpointformatlist_length = 0; if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { @@ -2116,7 +2107,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, } } else if (type == TLSEXT_TYPE_signature_algorithms) { int dsize; - if (s->cert->peer_sigalgs || size < 2) { + if (s->s3->tmp.peer_sigalgs || size < 2) { *al = SSL_AD_DECODE_ERROR; return 0; } @@ -2202,11 +2193,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, } sdata = data; if (dsize > 0) { - if (s->tlsext_ocsp_exts) { - sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, - X509_EXTENSION_free); - } - + sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, + X509_EXTENSION_free); s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, &sdata, dsize); if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) { @@ -2373,10 +2361,8 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, # endif s->tlsext_ticket_expected = 0; - if (s->s3->alpn_selected) { - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = NULL; - } + OPENSSL_free(s->s3->alpn_selected); + s->s3->alpn_selected = NULL; # ifndef OPENSSL_NO_HEARTBEATS s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 
@@ -2428,8 +2414,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, } if (!s->hit) { s->session->tlsext_ecpointformatlist_length = 0; - if (s->session->tlsext_ecpointformatlist != NULL) - OPENSSL_free(s->session->tlsext_ecpointformatlist); + OPENSSL_free(s->session->tlsext_ecpointformatlist); if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; @@ -2534,8 +2519,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, *al = TLS1_AD_DECODE_ERROR; return 0; } - if (s->s3->alpn_selected) - OPENSSL_free(s->s3->alpn_selected); + OPENSSL_free(s->s3->alpn_selected); s->s3->alpn_selected = OPENSSL_malloc(len); if (!s->s3->alpn_selected) { *al = TLS1_AD_INTERNAL_ERROR; @@ -2690,10 +2674,9 @@ int tls1_set_server_sigalgs(SSL *s) int al; size_t i; /* Clear any shared sigtnature algorithms */ - if (s->cert->shared_sigalgs) { - OPENSSL_free(s->cert->shared_sigalgs); - s->cert->shared_sigalgs = NULL; - } + OPENSSL_free(s->cert->shared_sigalgs); + s->cert->shared_sigalgs = NULL; + s->cert->shared_sigalgslen = 0; /* Clear certificate digests and validity flags */ for (i = 0; i < SSL_PKEY_NUM; i++) { s->cert->pkeys[i].digest = NULL; @@ -2701,7 +2684,7 @@ int tls1_set_server_sigalgs(SSL *s) } /* If sigalgs received process it. */ - if (s->cert->peer_sigalgs) { + if (s->s3->tmp.peer_sigalgs) { if (!tls1_process_sigalgs(s)) { SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE); al = SSL_AD_INTERNAL_ERROR; @@ -2725,7 +2708,7 @@ int tls1_set_server_sigalgs(SSL *s) int ssl_check_clienthello_tlsext_late(SSL *s) { int ret = SSL_TLSEXT_ERR_OK; - int al; + int al = SSL_AD_INTERNAL_ERROR; /* * If status request then ask callback what to do. Note: this must be 
@@ -2845,10 +2828,8 @@ int ssl_check_serverhello_tlsext(SSL *s) * Set resp to NULL, resplen to -1 so callback knows there is no * response. */ - if (s->tlsext_ocsp_resp) { - OPENSSL_free(s->tlsext_ocsp_resp); - s->tlsext_ocsp_resp = NULL; - } + OPENSSL_free(s->tlsext_ocsp_resp); + s->tlsext_ocsp_resp = NULL; s->tlsext_ocsp_resplen = -1; r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); if (r == 0) { @@ -3177,8 +3158,7 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, int sig_id, md_id; if (!md) return 0; - md_id = tls12_find_id(EVP_MD_type(md), tls12_md, - sizeof(tls12_md) / sizeof(tls12_lookup)); + md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md)); if (md_id == -1) return 0; sig_id = tls12_get_sigid(pk); @@ -3191,8 +3171,7 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, int tls12_get_sigid(const EVP_PKEY *pk) { - return tls12_find_id(pk->type, tls12_sig, - sizeof(tls12_sig) / sizeof(tls12_lookup)); + return tls12_find_id(pk->type, tls12_sig, OSSL_NELEM(tls12_sig)); } typedef struct { @@ -3218,7 +3197,7 @@ static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg) { if (hash_alg == 0) return NULL; - if (hash_alg > sizeof(tls12_md_info) / sizeof(tls12_md_info[0])) + if (hash_alg > OSSL_NELEM(tls12_md_info)) return NULL; return tls12_md_info + hash_alg - 1; } @@ -3261,14 +3240,12 @@ static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, if (!phash_nid && !psign_nid && !psignhash_nid) return; if (phash_nid || psignhash_nid) { - hash_nid = tls12_find_nid(data[0], tls12_md, - sizeof(tls12_md) / sizeof(tls12_lookup)); + hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md)); if (phash_nid) *phash_nid = hash_nid; } if (psign_nid || psignhash_nid) { - sign_nid = tls12_find_nid(data[1], tls12_sig, - sizeof(tls12_sig) / sizeof(tls12_lookup)); + sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig)); if (psign_nid) *psign_nid = sign_nid; } 
@@ -3393,10 +3370,10 @@ static int tls1_set_shared_sigalgs(SSL *s) TLS_SIGALGS *salgs = NULL; CERT *c = s->cert; unsigned int is_suiteb = tls1_suiteb(s); - if (c->shared_sigalgs) { - OPENSSL_free(c->shared_sigalgs); - c->shared_sigalgs = NULL; - } + + OPENSSL_free(c->shared_sigalgs); + c->shared_sigalgs = NULL; + c->shared_sigalgslen = 0; /* If client use client signature algorithms if not NULL */ if (!s->server && c->client_sigalgs && !is_suiteb) { conf = c->client_sigalgs; @@ -3409,21 +3386,23 @@ static int tls1_set_shared_sigalgs(SSL *s) if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) { pref = conf; preflen = conflen; - allow = c->peer_sigalgs; - allowlen = c->peer_sigalgslen; + allow = s->s3->tmp.peer_sigalgs; + allowlen = s->s3->tmp.peer_sigalgslen; } else { allow = conf; allowlen = conflen; - pref = c->peer_sigalgs; - preflen = c->peer_sigalgslen; + pref = s->s3->tmp.peer_sigalgs; + preflen = s->s3->tmp.peer_sigalgslen; } nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); - if (!nmatch) - return 1; - salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS)); - if (!salgs) - return 0; - nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); + if (nmatch) { + salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS)); + if (!salgs) + return 0; + nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); + } else { + salgs = NULL; + } c->shared_sigalgs = salgs; c->shared_sigalgslen = nmatch; return 1; 
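Review bot: In tls1_set_shared_sigalgs, the added `else { salgs = NULL; }` branch looks redundant, because `salgs` is initialised to NULL at its declaration in the previous hunk and is not assigned again in the lines shown before the `if (nmatch)` test. Dropping the branch leaves a single `if (nmatch) { ... }` and the same values stored in `c->shared_sigalgs` and `c->shared_sigalgslen`. Separately, `nmatch * sizeof(TLS_SIGALGS)` is passed to OPENSSL_malloc without a visible range check. nmatch is presumably bounded by the length of the peer's list, and a one-line comment such as `/* nmatch cannot exceed the number of peer sigalgs */` would help a reader auditing the allocation, once confirmed.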
@@ -3441,13 +3420,12 @@ int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize) if (!c) return 0; - if (c->peer_sigalgs) - OPENSSL_free(c->peer_sigalgs); - c->peer_sigalgs = OPENSSL_malloc(dsize); - if (!c->peer_sigalgs) + OPENSSL_free(s->s3->tmp.peer_sigalgs); + s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize); + if (s->s3->tmp.peer_sigalgs == NULL) return 0; - c->peer_sigalgslen = dsize; - memcpy(c->peer_sigalgs, data, dsize); + s->s3->tmp.peer_sigalgslen = dsize; + memcpy(s->s3->tmp.peer_sigalgs, data, dsize); return 1; } @@ -3532,12 +3510,12 @@ int SSL_get_sigalgs(SSL *s, int idx, int *psign, int *phash, int *psignhash, unsigned char *rsig, unsigned char *rhash) { - const unsigned char *psig = s->cert->peer_sigalgs; + const unsigned char *psig = s->s3->tmp.peer_sigalgs; if (psig == NULL) return 0; if (idx >= 0) { idx <<= 1; - if (idx >= (int)s->cert->peer_sigalgslen) + if (idx >= (int)s->s3->tmp.peer_sigalgslen) return 0; psig += idx; if (rhash) @@ -3546,7 +3524,7 @@ int SSL_get_sigalgs(SSL *s, int idx, *rsig = psig[1]; tls1_lookup_sigalg(phash, psign, psignhash, psig); } - return s->cert->peer_sigalgslen / 2; + return s->s3->tmp.peer_sigalgslen / 2; } int SSL_get_shared_sigalgs(SSL *s, int idx, 
@@ -3571,24 +3549,24 @@ int SSL_get_shared_sigalgs(SSL *s, int idx, } # ifndef OPENSSL_NO_HEARTBEATS -int tls1_process_heartbeat(SSL *s) +int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length) { - unsigned char *p = &s->s3->rrec.data[0], *pl; + unsigned char *pl; unsigned short hbtype; unsigned int payload; unsigned int padding = 16; /* Use minimum padding */ if (s->msg_callback) s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, - &s->s3->rrec.data[0], s->s3->rrec.length, + p, length, s, s->msg_callback_arg); /* Read type and payload length first */ - if (1 + 2 + 16 > s->s3->rrec.length) + if (1 + 2 + 16 > length) return 0; /* silently discard */ hbtype = *p++; n2s(p, payload); - if (1 + 2 + payload + 16 > s->s3->rrec.length) + if (1 + 2 + payload + 16 > length) return 0; /* silently discard per RFC 6520 sec. 4 */ pl = p; @@ -3613,7 +3591,10 @@ int tls1_process_heartbeat(SSL *s) memcpy(bp, pl, payload); bp += payload; /* Random padding */ - RAND_pseudo_bytes(bp, padding); + if (RAND_bytes(bp, padding) <= 0) { + OPENSSL_free(buffer); + return -1; + } r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); @@ -3648,7 +3629,7 @@ int tls1_process_heartbeat(SSL *s) int tls1_heartbeat(SSL *s) { unsigned char *buf, *p; - int ret; + int ret = -1; unsigned int payload = 18; /* Sequence number + random bytes */ unsigned int padding = 16; /* Use minimum padding */ @@ -3700,10 +3681,16 @@ int tls1_heartbeat(SSL *s) /* Sequence number */ s2n(s->tlsext_hb_seq, p); /* 16 random bytes */ - RAND_pseudo_bytes(p, 16); + if (RAND_bytes(p, 16) <= 0) { + SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); + goto err; + } p += 16; /* Random padding */ - RAND_pseudo_bytes(p, padding); + if (RAND_bytes(p, padding) <= 0) { + SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); + goto err; + } ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); if (ret >= 0) { 
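Review bot: tls1_process_heartbeat now takes `p` and `length` from its caller but carries no comment stating what they must be, and both bounds checks (`1 + 2 + 16 > length` and `1 + 2 + payload + 16 > length`) are only as good as the `length` that is passed in. I would add a header comment above the function saying that `p` points to the start of the received heartbeat message, that `length` is the number of valid bytes at `p`, and that a message whose declared payload does not fit in `length` is discarded. The call sites are outside this file section, so whether each one passes the record's real length cannot be checked from here. The function body continues between and beyond the hunks shown.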
@@ -3715,8 +3702,8 @@ int tls1_heartbeat(SSL *s) s->tlsext_hb_pending = 1; } + err: OPENSSL_free(buf); - return ret; } # endif @@ -3750,11 +3737,11 @@ static int sig_cb(const char *elem, int len, void *arg) if (!*p) return 0; - if (!strcmp(etmp, "RSA")) + if (strcmp(etmp, "RSA") == 0) sig_alg = EVP_PKEY_RSA; - else if (!strcmp(etmp, "DSA")) + else if (strcmp(etmp, "DSA") == 0) sig_alg = EVP_PKEY_DSA; - else if (!strcmp(etmp, "ECDSA")) + else if (strcmp(etmp, "ECDSA") == 0) sig_alg = EVP_PKEY_EC; else return 0; @@ -3801,10 +3788,8 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, if (sigalgs == NULL) return 0; for (i = 0, sptr = sigalgs; i < salglen; i += 2) { - rhash = tls12_find_id(*psig_nids++, tls12_md, - sizeof(tls12_md) / sizeof(tls12_lookup)); - rsign = tls12_find_id(*psig_nids++, tls12_sig, - sizeof(tls12_sig) / sizeof(tls12_lookup)); + rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md)); + rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig)); if (rhash == -1 || rsign == -1) goto err; @@ -3813,13 +3798,11 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, } if (client) { - if (c->client_sigalgs) - OPENSSL_free(c->client_sigalgs); + OPENSSL_free(c->client_sigalgs); c->client_sigalgs = sigalgs; c->client_sigalgslen = salglen; } else { - if (c->conf_sigalgs) - OPENSSL_free(c->conf_sigalgs); + OPENSSL_free(c->conf_sigalgs); c->conf_sigalgs = sigalgs; c->conf_sigalgslen = salglen; } @@ -3910,10 +3893,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, # endif } else { if (!x || !pk) - goto end; + return 0; idx = ssl_cert_type(x, pk); if (idx == -1) - goto end; + return 0; cpk = c->pkeys + idx; if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) check_flags = CERT_PKEY_STRICT_FLAGS; 
@@ -3940,7 +3923,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) { int default_nid; unsigned char rsign = 0; - if (c->peer_sigalgs) + if (s->s3->tmp.peer_sigalgs) default_nid = 0; /* If no sigalgs extension use defaults from RFC5246 */ else {