diff options
Diffstat (limited to 'deps/openssl/openssl/ssl')
53 files changed, 25742 insertions, 12159 deletions
diff --git a/deps/openssl/openssl/ssl/bio_ssl.c b/deps/openssl/openssl/ssl/bio_ssl.c index 97540e6c7c..d1876d8b8c 100644 --- a/deps/openssl/openssl/ssl/bio_ssl.c +++ b/deps/openssl/openssl/ssl/bio_ssl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,8 +16,8 @@ #include <openssl/err.h> #include "ssl_locl.h" -static int ssl_write(BIO *h, const char *buf, int num); -static int ssl_read(BIO *h, char *buf, int size); +static int ssl_write(BIO *h, const char *buf, size_t size, size_t *written); +static int ssl_read(BIO *b, char *buf, size_t size, size_t *readbytes); static int ssl_puts(BIO *h, const char *str); static long ssl_ctrl(BIO *h, int cmd, long arg1, void *arg2); static int ssl_new(BIO *h); @@ -28,7 +28,7 @@ typedef struct bio_ssl_st { /* re-negotiate every time the total number of bytes is this size */ int num_renegotiates; unsigned long renegotiate_count; - unsigned long byte_count; + size_t byte_count; unsigned long renegotiate_timeout; unsigned long last_time; } BIO_SSL; @@ -37,7 +37,9 @@ static const BIO_METHOD methods_sslp = { BIO_TYPE_SSL, "ssl", ssl_write, + NULL, /* ssl_write_old, */ ssl_read, + NULL, /* ssl_read_old, */ ssl_puts, NULL, /* ssl_gets, */ ssl_ctrl, @@ -48,7 +50,7 @@ static const BIO_METHOD methods_sslp = { const BIO_METHOD *BIO_f_ssl(void) { - return (&methods_sslp); + return &methods_sslp; } static int ssl_new(BIO *bi) @@ -57,7 +59,7 @@ static int ssl_new(BIO *bi) if (bs == NULL) { BIOerr(BIO_F_SSL_NEW, ERR_R_MALLOC_FAILURE); - return (0); + return 0; } BIO_set_init(bi, 0); BIO_set_data(bi, bs); @@ -72,7 +74,7 @@ static int ssl_free(BIO *a) BIO_SSL *bs; if (a == NULL) - return (0); + return 0; bs = BIO_get_data(a); if (bs->ssl != NULL) SSL_shutdown(bs->ssl); @@ -87,7 +89,7 @@ static int ssl_free(BIO *a) return 1; } -static int ssl_read(BIO *b, char *out, int outl) +static int ssl_read(BIO *b, char *buf, size_t size, size_t *readbytes) { int ret = 1; BIO_SSL *sb; @@ -95,21 +97,19 @@ static int ssl_read(BIO *b, char *out, int outl) int retry_reason = 0; int r = 0; - if (out == NULL) - return (0); + if (buf == NULL) + return 0; sb = BIO_get_data(b); ssl = sb->ssl; BIO_clear_retry_flags(b); - ret = SSL_read(ssl, out, outl); + ret = ssl_read_internal(ssl, buf, size, readbytes); switch (SSL_get_error(ssl, ret)) { case SSL_ERROR_NONE: - if (ret <= 0) - break; if (sb->renegotiate_count > 0) { - sb->byte_count += ret; + sb->byte_count += *readbytes; if (sb->byte_count > sb->renegotiate_count) { sb->byte_count = 0; sb->num_renegotiates++; @@ -155,34 +155,30 @@ static int ssl_read(BIO *b, char *out, int outl) } BIO_set_retry_reason(b, retry_reason); - return (ret); + + return ret; } -static int ssl_write(BIO *b, const char *out, int outl) +static int ssl_write(BIO *b, const char *buf, size_t size, size_t *written) { int ret, r = 0; int retry_reason = 0; SSL *ssl; BIO_SSL *bs; - if (out == NULL) - return (0); + if (buf == NULL) + return 0; bs = BIO_get_data(b); ssl = bs->ssl; BIO_clear_retry_flags(b); - /* - * ret=SSL_do_handshake(ssl); if (ret > 0) - */ - ret = SSL_write(ssl, out, outl); + ret = ssl_write_internal(ssl, buf, size, written); switch (SSL_get_error(ssl, ret)) { case SSL_ERROR_NONE: - if (ret <= 0) - break; if (bs->renegotiate_count > 0) { - bs->byte_count += ret; + bs->byte_count += *written; if (bs->byte_count > bs->renegotiate_count) { bs->byte_count = 0; bs->num_renegotiates++; @@ -221,6 +217,7 @@ static int ssl_write(BIO *b, const char *out, int outl) } BIO_set_retry_reason(b, retry_reason); + return ret; } @@ -236,7 +233,7 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr) next = BIO_next(b); ssl = bs->ssl; if ((ssl == NULL) && (cmd != BIO_C_SET_SSL)) - return (0); + return 0; switch (cmd) { case BIO_CTRL_RESET: SSL_shutdown(ssl); @@ -384,21 +381,13 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr) ret = BIO_ctrl(ssl->rbio, cmd, num, ptr); break; case BIO_CTRL_SET_CALLBACK: - { -#if 0 /* FIXME: Should this be used? -- Richard - * Levitte */ - SSLerr(SSL_F_SSL_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - ret = -1; -#else - ret = 0; -#endif - } + ret = 0; /* use callback ctrl */ break; default: ret = BIO_ctrl(ssl->rbio, cmd, num, ptr); break; } - return (ret); + return ret; } static long ssl_callback_ctrl(BIO *b, int cmd, BIO_info_cb *fp) @@ -417,7 +406,7 @@ static long ssl_callback_ctrl(BIO *b, int cmd, BIO_info_cb *fp) ret = 0; break; } - return (ret); + return ret; } static int ssl_puts(BIO *bp, const char *str) @@ -426,7 +415,7 @@ static int ssl_puts(BIO *bp, const char *str) n = strlen(str); ret = BIO_write(bp, str, n); - return (ret); + return ret; } BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx) @@ -435,17 +424,17 @@ BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx) BIO *ret = NULL, *buf = NULL, *ssl = NULL; if ((buf = BIO_new(BIO_f_buffer())) == NULL) - return (NULL); + return NULL; if ((ssl = BIO_new_ssl_connect(ctx)) == NULL) goto err; if ((ret = BIO_push(buf, ssl)) == NULL) goto err; - return (ret); + return ret; err: BIO_free(buf); BIO_free(ssl); #endif - return (NULL); + return NULL; } BIO *BIO_new_ssl_connect(SSL_CTX *ctx) @@ -454,16 +443,16 @@ BIO *BIO_new_ssl_connect(SSL_CTX *ctx) BIO *ret = NULL, *con = NULL, *ssl = NULL; if ((con = BIO_new(BIO_s_connect())) == NULL) - return (NULL); + return NULL; if ((ssl = BIO_new_ssl(ctx, 1)) == NULL) goto err; if ((ret = BIO_push(ssl, con)) == NULL) goto err; - return (ret); + return ret; err: BIO_free(con); #endif - return (NULL); + return NULL; } BIO *BIO_new_ssl(SSL_CTX *ctx, int client) @@ -472,10 +461,10 @@ BIO *BIO_new_ssl(SSL_CTX *ctx, int client) SSL *ssl; if ((ret = BIO_new(BIO_f_ssl())) == NULL) - return (NULL); + return NULL; if ((ssl = SSL_new(ctx)) == NULL) { BIO_free(ret); - return (NULL); + return NULL; } if (client) SSL_set_connect_state(ssl); @@ -483,7 +472,7 @@ BIO *BIO_new_ssl(SSL_CTX *ctx, int client) SSL_set_accept_state(ssl); BIO_set_ssl(ret, ssl, BIO_CLOSE); - return (ret); + return ret; } int BIO_ssl_copy_session_id(BIO *t, BIO *f) @@ -496,10 +485,10 @@ int BIO_ssl_copy_session_id(BIO *t, BIO *f) tdata = BIO_get_data(t); fdata = BIO_get_data(f); if ((tdata->ssl == NULL) || (fdata->ssl == NULL)) - return (0); + return 0; if (!SSL_copy_session_id(tdata->ssl, (fdata->ssl))) return 0; - return (1); + return 1; } void BIO_ssl_shutdown(BIO *b) diff --git a/deps/openssl/openssl/ssl/build.info b/deps/openssl/openssl/ssl/build.info index 69772465d9..bb2f1deb53 100644 --- a/deps/openssl/openssl/ssl/build.info +++ b/deps/openssl/openssl/ssl/build.info @@ -1,14 +1,15 @@ LIBS=../libssl SOURCE[../libssl]=\ - pqueue.c \ + pqueue.c packet.c \ statem/statem_srvr.c statem/statem_clnt.c s3_lib.c s3_enc.c record/rec_layer_s3.c \ - statem/statem_lib.c s3_cbc.c s3_msg.c \ - methods.c t1_lib.c t1_enc.c t1_ext.c \ + statem/statem_lib.c statem/extensions.c statem/extensions_srvr.c \ + statem/extensions_clnt.c statem/extensions_cust.c s3_cbc.c s3_msg.c \ + methods.c t1_lib.c t1_enc.c tls13_enc.c \ d1_lib.c record/rec_layer_d1.c d1_msg.c \ statem/statem_dtls.c d1_srtp.c \ ssl_lib.c ssl_cert.c ssl_sess.c \ ssl_ciph.c ssl_stat.c ssl_rsa.c \ ssl_asn1.c ssl_txt.c ssl_init.c ssl_conf.c ssl_mcnf.c \ - bio_ssl.c ssl_err.c t1_reneg.c tls_srp.c t1_trce.c ssl_utst.c \ + bio_ssl.c ssl_err.c tls_srp.c t1_trce.c ssl_utst.c \ record/ssl3_buffer.c record/ssl3_record.c record/dtls1_bitmap.c \ - statem/statem.c + statem/statem.c record/ssl3_record_tls13.c diff --git a/deps/openssl/openssl/ssl/d1_lib.c b/deps/openssl/openssl/ssl/d1_lib.c index 55a81c34ba..fcda327547 100644 --- a/deps/openssl/openssl/ssl/d1_lib.c +++ b/deps/openssl/openssl/ssl/d1_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,27 +7,18 @@ * https://www.openssl.org/source/license.html */ +#include "e_os.h" #include <stdio.h> -#define USE_SOCKETS #include <openssl/objects.h> #include <openssl/rand.h> #include "ssl_locl.h" -#if defined(OPENSSL_SYS_VMS) -# include <sys/timeb.h> -#elif defined(OPENSSL_SYS_VXWORKS) -# include <sys/times.h> -#elif !defined(OPENSSL_SYS_WIN32) -# include <sys/time.h> -#endif - static void get_current_time(struct timeval *t); -static int dtls1_set_handshake_header(SSL *s, int type, unsigned long len); static int dtls1_handshake_write(SSL *s); -static unsigned int dtls1_link_min_mtu(void); +static size_t dtls1_link_min_mtu(void); /* XDTLS: figure out the right values */ -static const unsigned int g_probable_mtu[] = { 1500, 512, 256 }; +static const size_t g_probable_mtu[] = { 1500, 512, 256 }; const SSL3_ENC_METHOD DTLSv1_enc_data = { tls1_enc, @@ -36,14 +27,13 @@ const SSL3_ENC_METHOD DTLSv1_enc_data = { tls1_generate_master_secret, tls1_change_cipher_state, tls1_final_finish_mac, - TLS1_FINISH_MAC_LENGTH, TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, tls1_alert_code, tls1_export_keying_material, SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV, - DTLS1_HM_HEADER_LENGTH, dtls1_set_handshake_header, + dtls1_close_construct_packet, dtls1_handshake_write }; @@ -54,15 +44,14 @@ const SSL3_ENC_METHOD DTLSv1_2_enc_data = { tls1_generate_master_secret, tls1_change_cipher_state, tls1_final_finish_mac, - TLS1_FINISH_MAC_LENGTH, TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, tls1_alert_code, tls1_export_keying_material, SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS, - DTLS1_HM_HEADER_LENGTH, dtls1_set_handshake_header, + dtls1_close_construct_packet, dtls1_handshake_write }; @@ -84,10 +73,10 @@ int dtls1_new(SSL *s) } if (!ssl3_new(s)) - return (0); + return 0; if ((d1 = OPENSSL_zalloc(sizeof(*d1))) == NULL) { ssl3_free(s); - return (0); + return 0; } d1->buffered_messages = pqueue_new(); @@ -105,12 +94,15 @@ int dtls1_new(SSL *s) pqueue_free(d1->sent_messages); OPENSSL_free(d1); ssl3_free(s); - return (0); + return 0; } s->d1 = d1; - s->method->ssl_clear(s); - return (1); + + if (!s->method->ssl_clear(s)) + return 0; + + return 1; } static void dtls1_clear_queues(SSL *s) @@ -159,16 +151,18 @@ void dtls1_free(SSL *s) s->d1 = NULL; } -void dtls1_clear(SSL *s) +int dtls1_clear(SSL *s) { pqueue *buffered_messages; pqueue *sent_messages; - unsigned int mtu; - unsigned int link_mtu; + size_t mtu; + size_t link_mtu; DTLS_RECORD_LAYER_clear(&s->rlayer); if (s->d1) { + DTLS_timer_cb timer_cb = s->d1->timer_cb; + buffered_messages = s->d1->buffered_messages; sent_messages = s->d1->sent_messages; mtu = s->d1->mtu; @@ -178,6 +172,9 @@ void dtls1_clear(SSL *s) memset(s->d1, 0, sizeof(*s->d1)); + /* Restore the timer callback from previous state */ + s->d1->timer_cb = timer_cb; + if (s->server) { s->d1->cookie_len = sizeof(s->d1->cookie); } @@ -191,7 +188,8 @@ void dtls1_clear(SSL *s) s->d1->sent_messages = sent_messages; } - ssl3_clear(s); + if (!ssl3_clear(s)) + return 0; if (s->method->version == DTLS_ANY_VERSION) s->version = DTLS_MAX_VERSION; @@ -201,6 +199,8 @@ void dtls1_clear(SSL *s) #endif else s->version = s->method->version; + + return 1; } long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) @@ -236,11 +236,13 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) ret = ssl3_ctrl(s, cmd, larg, parg); break; } - return (ret); + return ret; } void dtls1_start_timer(SSL *s) { + unsigned int sec, usec; + #ifndef OPENSSL_NO_SCTP /* Disable timer for SCTP */ if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { @@ -249,16 +251,34 @@ void dtls1_start_timer(SSL *s) } #endif - /* If timer is not set, initialize duration with 1 second */ + /* + * If timer is not set, initialize duration with 1 second or + * a user-specified value if the timer callback is installed. + */ if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) { - s->d1->timeout_duration = 1; + + if (s->d1->timer_cb != NULL) + s->d1->timeout_duration_us = s->d1->timer_cb(s, 0); + else + s->d1->timeout_duration_us = 1000000; } /* Set timeout to current time */ get_current_time(&(s->d1->next_timeout)); /* Add duration to current time */ - s->d1->next_timeout.tv_sec += s->d1->timeout_duration; + + sec = s->d1->timeout_duration_us / 1000000; + usec = s->d1->timeout_duration_us - (sec * 1000000); + + s->d1->next_timeout.tv_sec += sec; + s->d1->next_timeout.tv_usec += usec; + + if (s->d1->next_timeout.tv_usec >= 1000000) { + s->d1->next_timeout.tv_sec++; + s->d1->next_timeout.tv_usec -= 1000000; + } + BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout)); } @@ -323,9 +343,9 @@ int dtls1_is_timer_expired(SSL *s) void dtls1_double_timeout(SSL *s) { - s->d1->timeout_duration *= 2; - if (s->d1->timeout_duration > 60) - s->d1->timeout_duration = 60; + s->d1->timeout_duration_us *= 2; + if (s->d1->timeout_duration_us > 60000000) + s->d1->timeout_duration_us = 60000000; dtls1_start_timer(s); } @@ -334,7 +354,7 @@ void dtls1_stop_timer(SSL *s) /* Reset everything */ memset(&s->d1->timeout, 0, sizeof(s->d1->timeout)); memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout)); - s->d1->timeout_duration = 1; + s->d1->timeout_duration_us = 1000000; BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout)); /* Clear retransmission buffer */ @@ -343,7 +363,7 @@ void dtls1_stop_timer(SSL *s) int dtls1_check_timeout_num(SSL *s) { - unsigned int mtu; + size_t mtu; s->d1->timeout.num_alerts++; @@ -358,7 +378,8 @@ int dtls1_check_timeout_num(SSL *s) if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) { /* fail the connection, enough alerts have been sent */ - SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM, SSL_R_READ_TIMEOUT_EXPIRED); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS1_CHECK_TIMEOUT_NUM, + SSL_R_READ_TIMEOUT_EXPIRED); return -1; } @@ -372,23 +393,23 @@ int dtls1_handle_timeout(SSL *s) return 0; } - dtls1_double_timeout(s); + if (s->d1->timer_cb != NULL) + s->d1->timeout_duration_us = s->d1->timer_cb(s, s->d1->timeout_duration_us); + else + dtls1_double_timeout(s); - if (dtls1_check_timeout_num(s) < 0) + if (dtls1_check_timeout_num(s) < 0) { + /* SSLfatal() already called */ return -1; + } s->d1->timeout.read_timeouts++; if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) { s->d1->timeout.read_timeouts = 1; } -#ifndef OPENSSL_NO_HEARTBEATS - if (s->tlsext_hb_pending) { - s->tlsext_hb_pending = 0; - return dtls1_heartbeat(s); - } -#endif dtls1_start_timer(s); + /* Calls SSLfatal() if required */ return dtls1_retransmit_buffered_messages(s); } @@ -413,11 +434,6 @@ static void get_current_time(struct timeval *t) # endif t->tv_sec = (long)(now.ul / 10000000); t->tv_usec = ((int)(now.ul % 10000000)) / 10; -#elif defined(OPENSSL_SYS_VMS) - struct timeb tb; - ftime(&tb); - t->tv_sec = (long)tb.time; - t->tv_usec = (long)tb.millitm * 1000; #else gettimeofday(t, NULL); #endif @@ -429,15 +445,14 @@ static void get_current_time(struct timeval *t) #ifndef OPENSSL_NO_SOCK int DTLSv1_listen(SSL *s, BIO_ADDR *client) { - int next, n, ret = 0, clearpkt = 0; + int next, n, ret = 0; unsigned char cookie[DTLS1_COOKIE_LENGTH]; unsigned char seq[SEQ_NUM_SIZE]; const unsigned char *data; - unsigned char *p, *buf; - unsigned long reclen, fragoff, fraglen, msglen; + unsigned char *buf, *wbuf; + size_t fragoff, fraglen, msglen, reclen, align = 0; unsigned int rectype, versmajor, msgseq, msgtype, clientvers, cookielen; BIO *rbio, *wbio; - BUF_MEM *bufm; BIO_ADDR *tmpclient = NULL; PACKET pkt, msgpkt, msgpayload, session, cookiepkt; @@ -461,13 +476,6 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) } /* - * We only peek at incoming ClientHello's until we're sure we are going to - * to respond with a HelloVerifyRequest. If its a ClientHello with a valid - * cookie then we leave it in the BIO for accept to handle. - */ - BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_PEEK_MODE, 1, NULL); - - /* * Note: This check deliberately excludes DTLS1_BAD_VER because that version * requires the MAC to be calculated *including* the first ClientHello * (without the cookie). Since DTLSv1_listen is stateless that cannot be @@ -479,35 +487,32 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) return -1; } - if (s->init_buf == NULL) { - if ((bufm = BUF_MEM_new()) == NULL) { - SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_MALLOC_FAILURE); - return -1; - } - - if (!BUF_MEM_grow(bufm, SSL3_RT_MAX_PLAIN_LENGTH)) { - BUF_MEM_free(bufm); - SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_MALLOC_FAILURE); - return -1; - } - s->init_buf = bufm; + if (!ssl3_setup_buffers(s)) { + /* SSLerr already called */ + return -1; } - buf = (unsigned char *)s->init_buf->data; + buf = RECORD_LAYER_get_rbuf(&s->rlayer)->buf; + wbuf = RECORD_LAYER_get_wbuf(&s->rlayer)[0].buf; +#if defined(SSL3_ALIGN_PAYLOAD) +# if SSL3_ALIGN_PAYLOAD != 0 + /* + * Using SSL3_RT_HEADER_LENGTH here instead of DTLS1_RT_HEADER_LENGTH for + * consistency with ssl3_read_n. In practice it should make no difference + * for sensible values of SSL3_ALIGN_PAYLOAD because the difference between + * SSL3_RT_HEADER_LENGTH and DTLS1_RT_HEADER_LENGTH is exactly 8 + */ + align = (size_t)buf + SSL3_RT_HEADER_LENGTH; + align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD); +# endif +#endif + buf += align; do { /* Get a packet */ clear_sys_error(); - /* - * Technically a ClientHello could be SSL3_RT_MAX_PLAIN_LENGTH - * + DTLS1_RT_HEADER_LENGTH bytes long. Normally init_buf does not store - * the record header as well, but we do here. We've set up init_buf to - * be the standard size for simplicity. In practice we shouldn't ever - * receive a ClientHello as long as this. If we do it will get dropped - * in the record length check below. - */ - n = BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH); - + n = BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH + + DTLS1_RT_HEADER_LENGTH); if (n <= 0) { if (BIO_should_retry(rbio)) { /* Non-blocking IO */ @@ -516,9 +521,6 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) return -1; } - /* If we hit any problems we need to clear this packet from the BIO */ - clearpkt = 1; - if (!PACKET_buf_init(&pkt, buf, n)) { SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_INTERNAL_ERROR); return -1; @@ -571,6 +573,7 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_LENGTH_MISMATCH); goto end; } + reclen = PACKET_remaining(&msgpkt); /* * We allow data remaining at the end of the packet because there could * be a second record (but we ignore it) @@ -587,10 +590,10 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) /* Finished processing the record header, now process the message */ if (!PACKET_get_1(&msgpkt, &msgtype) - || !PACKET_get_net_3(&msgpkt, &msglen) + || !PACKET_get_net_3_len(&msgpkt, &msglen) || !PACKET_get_net_2(&msgpkt, &msgseq) - || !PACKET_get_net_3(&msgpkt, &fragoff) - || !PACKET_get_net_3(&msgpkt, &fraglen) + || !PACKET_get_net_3_len(&msgpkt, &fragoff) + || !PACKET_get_net_3_len(&msgpkt, &fraglen) || !PACKET_get_sub_packet(&msgpkt, &msgpayload, fraglen) || PACKET_remaining(&msgpkt) != 0) { SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_LENGTH_MISMATCH); @@ -667,8 +670,7 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) return -1; } if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookiepkt), - PACKET_remaining(&cookiepkt)) == - 0) { + (unsigned int)PACKET_remaining(&cookiepkt)) == 0) { /* * We treat invalid cookies in the same was as no cookie as * per RFC6347 @@ -681,20 +683,16 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) } if (next == LISTEN_SEND_VERIFY_REQUEST) { + WPACKET wpkt; + unsigned int version; + size_t wreclen; + /* * There was no cookie in the ClientHello so we need to send a * HelloVerifyRequest. If this fails we do not worry about trying * to resend, we just drop it. */ - /* - * Dump the read packet, we don't need it any more. Ignore return - * value - */ - BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_PEEK_MODE, 0, NULL); - BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH); - BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_PEEK_MODE, 1, NULL); - /* Generate the cookie */ if (s->ctx->app_gen_cookie_cb == NULL || s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0 || @@ -704,60 +702,80 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) return -1; } - p = &buf[DTLS1_RT_HEADER_LENGTH]; - msglen = dtls_raw_hello_verify_request(p + DTLS1_HM_HEADER_LENGTH, - cookie, cookielen); - - *p++ = DTLS1_MT_HELLO_VERIFY_REQUEST; - - /* Message length */ - l2n3(msglen, p); - - /* Message sequence number is always 0 for a HelloVerifyRequest */ - s2n(0, p); - - /* - * We never fragment a HelloVerifyRequest, so fragment offset is 0 - * and fragment length is message length - */ - l2n3(0, p); - l2n3(msglen, p); - - /* Set reclen equal to length of whole handshake message */ - reclen = msglen + DTLS1_HM_HEADER_LENGTH; - - /* Add the record header */ - p = buf; - - *(p++) = SSL3_RT_HANDSHAKE; /* * Special case: for hello verify request, client version 1.0 and we * haven't decided which version to use yet send back using version * 1.0 header: otherwise some clients will ignore it. */ - if (s->method->version == DTLS_ANY_VERSION) { - *(p++) = DTLS1_VERSION >> 8; - *(p++) = DTLS1_VERSION & 0xff; - } else { - *(p++) = s->version >> 8; - *(p++) = s->version & 0xff; + version = (s->method->version == DTLS_ANY_VERSION) ? DTLS1_VERSION + : s->version; + + /* Construct the record and message headers */ + if (!WPACKET_init_static_len(&wpkt, + wbuf, + ssl_get_max_send_fragment(s) + + DTLS1_RT_HEADER_LENGTH, + 0) + || !WPACKET_put_bytes_u8(&wpkt, SSL3_RT_HANDSHAKE) + || !WPACKET_put_bytes_u16(&wpkt, version) + /* + * Record sequence number is always the same as in the + * received ClientHello + */ + || !WPACKET_memcpy(&wpkt, seq, SEQ_NUM_SIZE) + /* End of record, start sub packet for message */ + || !WPACKET_start_sub_packet_u16(&wpkt) + /* Message type */ + || !WPACKET_put_bytes_u8(&wpkt, + DTLS1_MT_HELLO_VERIFY_REQUEST) + /* + * Message length - doesn't follow normal TLS convention: + * the length isn't the last thing in the message header. + * We'll need to fill this in later when we know the + * length. Set it to zero for now + */ + || !WPACKET_put_bytes_u24(&wpkt, 0) + /* + * Message sequence number is always 0 for a + * HelloVerifyRequest + */ + || !WPACKET_put_bytes_u16(&wpkt, 0) + /* + * We never fragment a HelloVerifyRequest, so fragment + * offset is 0 + */ + || !WPACKET_put_bytes_u24(&wpkt, 0) + /* + * Fragment length is the same as message length, but + * this *is* the last thing in the message header so we + * can just start a sub-packet. No need to come back + * later for this one. + */ + || !WPACKET_start_sub_packet_u24(&wpkt) + /* Create the actual HelloVerifyRequest body */ + || !dtls_raw_hello_verify_request(&wpkt, cookie, cookielen) + /* Close message body */ + || !WPACKET_close(&wpkt) + /* Close record body */ + || !WPACKET_close(&wpkt) + || !WPACKET_get_total_written(&wpkt, &wreclen) + || !WPACKET_finish(&wpkt)) { + SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_INTERNAL_ERROR); + WPACKET_cleanup(&wpkt); + /* This is fatal */ + return -1; } /* - * Record sequence number is always the same as in the received - * ClientHello + * Fix up the message len in the message header. Its the same as the + * fragment len which has been filled in by WPACKET, so just copy + * that. Destination for the message len is after the record header + * plus one byte for the message content type. The source is the + * last 3 bytes of the message header */ - memcpy(p, seq, SEQ_NUM_SIZE); - p += SEQ_NUM_SIZE; - - /* Length */ - s2n(reclen, p); - - /* - * Set reclen equal to length of whole record including record - * header - */ - reclen += DTLS1_RT_HEADER_LENGTH; + memcpy(&wbuf[DTLS1_RT_HEADER_LENGTH + 1], + &wbuf[DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH - 3], + 3); if (s->msg_callback) s->msg_callback(1, 0, SSL3_RT_HEADER, buf, @@ -779,7 +797,8 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) BIO_ADDR_free(tmpclient); tmpclient = NULL; - if (BIO_write(wbio, buf, reclen) < (int)reclen) { + /* TODO(size_t): convert this call */ + if (BIO_write(wbio, wbuf, wreclen) < (int)wreclen) { if (BIO_should_retry(wbio)) { /* * Non-blocking IO...but we're stateless, so we're just @@ -829,197 +848,22 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) if (BIO_dgram_get_peer(rbio, client) <= 0) BIO_ADDR_clear(client); + /* Buffer the record in the processed_rcds queue */ + if (!dtls_buffer_listen_record(s, reclen, seq, align)) + return -1; + ret = 1; - clearpkt = 0; end: BIO_ADDR_free(tmpclient); - BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_PEEK_MODE, 0, NULL); - if (clearpkt) { - /* Dump this packet. Ignore return value */ - BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH); - } return ret; } #endif -static int dtls1_set_handshake_header(SSL *s, int htype, unsigned long len) -{ - dtls1_set_message_header(s, htype, len, 0, len); - s->init_num = (int)len + DTLS1_HM_HEADER_LENGTH; - s->init_off = 0; - /* Buffer the message to handle re-xmits */ - - if (!dtls1_buffer_message(s, 0)) - return 0; - - return 1; -} - static int dtls1_handshake_write(SSL *s) { return dtls1_do_write(s, SSL3_RT_HANDSHAKE); } -#ifndef OPENSSL_NO_HEARTBEATS - -# define HEARTBEAT_SIZE(payload, padding) ( \ - 1 /* heartbeat type */ + \ - 2 /* heartbeat length */ + \ - (payload) + (padding)) - -# define HEARTBEAT_SIZE_STD(payload) HEARTBEAT_SIZE(payload, 16) - -int dtls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length) -{ - unsigned char *pl; - unsigned short hbtype; - unsigned int payload; - unsigned int padding = 16; /* Use minimum padding */ - - if (s->msg_callback) - s->msg_callback(0, s->version, DTLS1_RT_HEARTBEAT, - p, length, s, s->msg_callback_arg); - - /* Read type and payload length */ - if (HEARTBEAT_SIZE_STD(0) > length) - return 0; /* silently discard */ - if (length > SSL3_RT_MAX_PLAIN_LENGTH) - return 0; /* silently discard per RFC 6520 sec. 4 */ - - hbtype = *p++; - n2s(p, payload); - if (HEARTBEAT_SIZE_STD(payload) > length) - return 0; /* silently discard per RFC 6520 sec. 4 */ - pl = p; - - if (hbtype == TLS1_HB_REQUEST) { - unsigned char *buffer, *bp; - unsigned int write_length = HEARTBEAT_SIZE(payload, padding); - int r; - - if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) - return 0; - - /* Allocate memory for the response. */ - buffer = OPENSSL_malloc(write_length); - if (buffer == NULL) - return -1; - bp = buffer; - - /* Enter response type, length and copy payload */ - *bp++ = TLS1_HB_RESPONSE; - s2n(payload, bp); - memcpy(bp, pl, payload); - bp += payload; - /* Random padding */ - if (RAND_bytes(bp, padding) <= 0) { - OPENSSL_free(buffer); - return -1; - } - - r = dtls1_write_bytes(s, DTLS1_RT_HEARTBEAT, buffer, write_length); - - if (r >= 0 && s->msg_callback) - s->msg_callback(1, s->version, DTLS1_RT_HEARTBEAT, - buffer, write_length, s, s->msg_callback_arg); - - OPENSSL_free(buffer); - - if (r < 0) - return r; - } else if (hbtype == TLS1_HB_RESPONSE) { - unsigned int seq; - - /* - * We only send sequence numbers (2 bytes unsigned int), and 16 - * random bytes, so we just try to read the sequence number - */ - n2s(pl, seq); - - if (payload == 18 && seq == s->tlsext_hb_seq) { - dtls1_stop_timer(s); - s->tlsext_hb_seq++; - s->tlsext_hb_pending = 0; - } - } - - return 0; -} - -int dtls1_heartbeat(SSL *s) -{ - unsigned char *buf, *p; - int ret = -1; - unsigned int payload = 18; /* Sequence number + random bytes */ - unsigned int padding = 16; /* Use minimum padding */ - unsigned int size; - - /* Only send if peer supports and accepts HB requests... */ - if (!(s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED) || - s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_SEND_REQUESTS) { - SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); - return -1; - } - - /* ...and there is none in flight yet... */ - if (s->tlsext_hb_pending) { - SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING); - return -1; - } - - /* ...and no handshake in progress. */ - if (SSL_in_init(s) || ossl_statem_get_in_handshake(s)) { - SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE); - return -1; - } - - /*- - * Create HeartBeat message, we just use a sequence number - * as payload to distinguish different messages and add - * some random stuff. - */ - size = HEARTBEAT_SIZE(payload, padding); - buf = OPENSSL_malloc(size); - if (buf == NULL) { - SSLerr(SSL_F_DTLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE); - return -1; - } - p = buf; - /* Message Type */ - *p++ = TLS1_HB_REQUEST; - /* Payload length (18 bytes here) */ - s2n(payload, p); - /* Sequence number */ - s2n(s->tlsext_hb_seq, p); - /* 16 random bytes */ - if (RAND_bytes(p, 16) <= 0) { - SSLerr(SSL_F_DTLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); - goto err; - } - p += 16; - /* Random padding */ - if (RAND_bytes(p, padding) <= 0) { - SSLerr(SSL_F_DTLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); - goto err; - } - - ret = dtls1_write_bytes(s, DTLS1_RT_HEARTBEAT, buf, size); - if (ret >= 0) { - if (s->msg_callback) - s->msg_callback(1, s->version, DTLS1_RT_HEARTBEAT, - buf, size, s, s->msg_callback_arg); - - dtls1_start_timer(s); - s->tlsext_hb_pending = 1; - } - - err: - OPENSSL_free(buf); - - return ret; -} -#endif - int dtls1_shutdown(SSL *s) { int ret; @@ -1067,7 +911,7 @@ int dtls1_query_mtu(SSL *s) /* Set to min mtu */ s->d1->mtu = dtls1_min_mtu(s); BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, - s->d1->mtu, NULL); + (long)s->d1->mtu, NULL); } } else return 0; @@ -1075,13 +919,54 @@ int dtls1_query_mtu(SSL *s) return 1; } -static unsigned int dtls1_link_min_mtu(void) +static size_t dtls1_link_min_mtu(void) { return (g_probable_mtu[(sizeof(g_probable_mtu) / sizeof(g_probable_mtu[0])) - 1]); } -unsigned int dtls1_min_mtu(SSL *s) +size_t dtls1_min_mtu(SSL *s) { return dtls1_link_min_mtu() - BIO_dgram_get_mtu_overhead(SSL_get_wbio(s)); } + +size_t DTLS_get_data_mtu(const SSL *s) +{ + size_t mac_overhead, int_overhead, blocksize, ext_overhead; + const SSL_CIPHER *ciph = SSL_get_current_cipher(s); + size_t mtu = s->d1->mtu; + + if (ciph == NULL) + return 0; + + if (!ssl_cipher_get_overhead(ciph, &mac_overhead, &int_overhead, + &blocksize, &ext_overhead)) + return 0; + + if (SSL_READ_ETM(s)) + ext_overhead += mac_overhead; + else + int_overhead += mac_overhead; + + /* Subtract external overhead (e.g. IV/nonce, separate MAC) */ + if (ext_overhead + DTLS1_RT_HEADER_LENGTH >= mtu) + return 0; + mtu -= ext_overhead + DTLS1_RT_HEADER_LENGTH; + + /* Round encrypted payload down to cipher block size (for CBC etc.) + * No check for overflow since 'mtu % blocksize' cannot exceed mtu. */ + if (blocksize) + mtu -= (mtu % blocksize); + + /* Subtract internal overhead (e.g. CBC padding len byte) */ + if (int_overhead >= mtu) + return 0; + mtu -= int_overhead; + + return mtu; +} + +void DTLS_set_timer_cb(SSL *s, DTLS_timer_cb cb) +{ + s->d1->timer_cb = cb; +} diff --git a/deps/openssl/openssl/ssl/d1_msg.c b/deps/openssl/openssl/ssl/d1_msg.c index 7471fd3e98..5906e88ca6 100644 --- a/deps/openssl/openssl/ssl/d1_msg.c +++ b/deps/openssl/openssl/ssl/d1_msg.c @@ -7,17 +7,17 @@ * https://www.openssl.org/source/license.html */ -#define USE_SOCKETS #include "ssl_locl.h" -int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) +int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, size_t len, + size_t *written) { int i; if (SSL_in_init(s) && !ossl_statem_get_in_handshake(s)) { i = s->handshake_func(s); if (i < 0) - return (i); + return i; if (i == 0) { SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); @@ -30,8 +30,7 @@ int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) return -1; } - i = dtls1_write_bytes(s, type, buf_, len); - return i; + return dtls1_write_bytes(s, type, buf_, len, written); } int dtls1_dispatch_alert(SSL *s) @@ -40,6 +39,7 @@ int dtls1_dispatch_alert(SSL *s) void (*cb) (const SSL *ssl, int type, int val) = NULL; unsigned char buf[DTLS1_AL_HEADER_LENGTH]; unsigned char *ptr = &buf[0]; + size_t written; s->s3->alert_dispatch = 0; @@ -47,23 +47,12 @@ int dtls1_dispatch_alert(SSL *s) *ptr++ = s->s3->send_alert[0]; *ptr++ = s->s3->send_alert[1]; -#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE - if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { - s2n(s->d1->handshake_read_seq, ptr); - l2n3(s->d1->r_msg_hdr.frag_off, ptr); - } -#endif - - i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0); + i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0, &written); if (i <= 0) { s->s3->alert_dispatch = 1; /* fprintf( stderr, "not done with alert\n" ); */ } else { - if (s->s3->send_alert[0] == SSL3_AL_FATAL -#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE - || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE -#endif - ) + if (s->s3->send_alert[0] == SSL3_AL_FATAL) (void)BIO_flush(s->wbio); if (s->msg_callback) @@ -80,5 +69,5 @@ int dtls1_dispatch_alert(SSL *s) cb(s, SSL_CB_WRITE_ALERT, j); } } - return (i); + return i; } diff --git a/deps/openssl/openssl/ssl/d1_srtp.c b/deps/openssl/openssl/ssl/d1_srtp.c index 7e88f17754..ff8f0c5712 100644 --- a/deps/openssl/openssl/ssl/d1_srtp.c +++ b/deps/openssl/openssl/ssl/d1_srtp.c @@ -40,7 +40,7 @@ static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = { }; static int find_profile_by_name(char *profile_name, - SRTP_PROTECTION_PROFILE **pptr, unsigned len) + SRTP_PROTECTION_PROFILE **pptr, size_t len) { SRTP_PROTECTION_PROFILE *p; @@ -76,7 +76,8 @@ static int ssl_ctx_make_profiles(const char *profiles_string, do { col = strchr(ptr, ':'); - if (!find_profile_by_name(ptr, &p, col ? col - ptr : (int)strlen(ptr))) { + if (!find_profile_by_name(ptr, &p, col ? (size_t)(col - ptr) + : strlen(ptr))) { if (sk_SRTP_PROTECTION_PROFILE_find(profiles, p) >= 0) { SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); @@ -135,195 +136,4 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s) { return s->srtp_profile; } - -/* - * Note: this function returns 0 length if there are no profiles specified - */ -int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, - int maxlen) -{ - int ct = 0; - int i; - STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = 0; - SRTP_PROTECTION_PROFILE *prof; - - clnt = SSL_get_srtp_profiles(s); - ct = sk_SRTP_PROTECTION_PROFILE_num(clnt); /* -1 if clnt == 0 */ - - if (p) { - if (ct == 0) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT, - SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST); - return 1; - } - - if ((2 + ct * 2 + 1) > maxlen) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT, - SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG); - return 1; - } - - /* Add the length */ - s2n(ct * 2, p); - for (i = 0; i < ct; i++) { - prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); - s2n(prof->id, p); - } - - /* Add an empty use_mki value */ - *p++ = 0; - } - - *len = 2 + ct * 2 + 1; - - return 0; -} - -int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET *pkt, int *al) -{ - SRTP_PROTECTION_PROFILE *sprof; - STACK_OF(SRTP_PROTECTION_PROFILE) *srvr; - unsigned int ct, mki_len, id; - int i, srtp_pref; - PACKET subpkt; - - /* Pull off the length of the cipher suite list and check it is even */ - if (!PACKET_get_net_2(pkt, &ct) - || (ct & 1) != 0 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - *al = SSL_AD_DECODE_ERROR; - return 1; - } - - srvr = SSL_get_srtp_profiles(s); - s->srtp_profile = NULL; - /* Search all profiles for a match initially */ - srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr); - - while (PACKET_remaining(&subpkt)) { - if (!PACKET_get_net_2(&subpkt, &id)) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - *al = SSL_AD_DECODE_ERROR; - return 1; - } - - /* - * Only look for match in profiles of higher preference than - * current match. - * If no profiles have been have been configured then this - * does nothing. - */ - for (i = 0; i < srtp_pref; i++) { - sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i); - if (sprof->id == id) { - s->srtp_profile = sprof; - srtp_pref = i; - break; - } - } - } - - /* - * Now extract the MKI value as a sanity check, but discard it for now - */ - if (!PACKET_get_1(pkt, &mki_len)) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - *al = SSL_AD_DECODE_ERROR; - return 1; - } - - if (!PACKET_forward(pkt, mki_len) - || PACKET_remaining(pkt)) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_MKI_VALUE); - *al = SSL_AD_DECODE_ERROR; - return 1; - } - - return 0; -} - -int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, - int maxlen) -{ - if (p) { - if (maxlen < 5) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT, - SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG); - return 1; - } - - if (s->srtp_profile == 0) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT, - SSL_R_USE_SRTP_NOT_NEGOTIATED); - return 1; - } - s2n(2, p); - s2n(s->srtp_profile->id, p); - *p++ = 0; - } - *len = 5; - - return 0; -} - -int ssl_parse_serverhello_use_srtp_ext(SSL *s, PACKET *pkt, int *al) -{ - unsigned int id, ct, mki; - int i; - - STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; - SRTP_PROTECTION_PROFILE *prof; - - if (!PACKET_get_net_2(pkt, &ct) - || ct != 2 || !PACKET_get_net_2(pkt, &id) - || !PACKET_get_1(pkt, &mki) - || PACKET_remaining(pkt) != 0) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - *al = SSL_AD_DECODE_ERROR; - return 1; - } - - if (mki != 0) { - /* Must be no MKI, since we never offer one */ - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_MKI_VALUE); - *al = SSL_AD_ILLEGAL_PARAMETER; - return 1; - } - - clnt = SSL_get_srtp_profiles(s); - - /* Throw an error if the server gave us an unsolicited extension */ - if (clnt == NULL) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, - SSL_R_NO_SRTP_PROFILES); - *al = SSL_AD_DECODE_ERROR; - return 1; - } - - /* - * Check to see if the server gave us something we support (and - * presumably offered) - */ - for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { - prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); - - if (prof->id == id) { - s->srtp_profile = prof; - *al = 0; - return 0; - } - } - - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - *al = SSL_AD_DECODE_ERROR; - return 1; -} - #endif diff --git a/deps/openssl/openssl/ssl/methods.c b/deps/openssl/openssl/ssl/methods.c index c846143277..348efe467d 100644 --- a/deps/openssl/openssl/ssl/methods.c +++ b/deps/openssl/openssl/ssl/methods.c @@ -19,6 +19,10 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0, TLS_method, ossl_statem_accept, ossl_statem_connect, TLSv1_2_enc_data) +IMPLEMENT_tls_meth_func(TLS1_3_VERSION, 0, SSL_OP_NO_TLSv1_3, + tlsv1_3_method, + ossl_statem_accept, + ossl_statem_connect, TLSv1_3_enc_data) #ifndef OPENSSL_NO_TLS1_2_METHOD IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2, tlsv1_2_method, @@ -46,6 +50,10 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0, TLS_server_method, ossl_statem_accept, ssl_undefined_function, TLSv1_2_enc_data) +IMPLEMENT_tls_meth_func(TLS1_3_VERSION, 0, SSL_OP_NO_TLSv1_3, + tlsv1_3_server_method, + ossl_statem_accept, + ssl_undefined_function, TLSv1_3_enc_data) #ifndef OPENSSL_NO_TLS1_2_METHOD IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2, tlsv1_2_server_method, @@ -75,6 +83,10 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0, TLS_client_method, ssl_undefined_function, ossl_statem_connect, TLSv1_2_enc_data) +IMPLEMENT_tls_meth_func(TLS1_3_VERSION, 0, SSL_OP_NO_TLSv1_3, + tlsv1_3_client_method, + ssl_undefined_function, + ossl_statem_connect, TLSv1_3_enc_data) #ifndef OPENSSL_NO_TLS1_2_METHOD IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2, tlsv1_2_client_method, diff --git a/deps/openssl/openssl/ssl/packet.c b/deps/openssl/openssl/ssl/packet.c new file mode 100644 index 0000000000..95031430ed --- /dev/null +++ b/deps/openssl/openssl/ssl/packet.c @@ -0,0 +1,424 @@ +/* + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "internal/cryptlib.h" +#include "packet_locl.h" +#include <openssl/sslerr.h> + +#define DEFAULT_BUF_SIZE 256 + +int WPACKET_allocate_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes) +{ + if (!WPACKET_reserve_bytes(pkt, len, allocbytes)) + return 0; + + pkt->written += len; + pkt->curr += len; + return 1; +} + +int WPACKET_sub_allocate_bytes__(WPACKET *pkt, size_t len, + unsigned char **allocbytes, size_t lenbytes) +{ + if (!WPACKET_start_sub_packet_len__(pkt, lenbytes) + || !WPACKET_allocate_bytes(pkt, len, allocbytes) + || !WPACKET_close(pkt)) + return 0; + + return 1; +} + +#define GETBUF(p) (((p)->staticbuf != NULL) \ + ? (p)->staticbuf : (unsigned char *)(p)->buf->data) + +int WPACKET_reserve_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes) +{ + /* Internal API, so should not fail */ + if (!ossl_assert(pkt->subs != NULL && len != 0)) + return 0; + + if (pkt->maxsize - pkt->written < len) + return 0; + + if (pkt->staticbuf == NULL && (pkt->buf->length - pkt->written < len)) { + size_t newlen; + size_t reflen; + + reflen = (len > pkt->buf->length) ? len : pkt->buf->length; + + if (reflen > SIZE_MAX / 2) { + newlen = SIZE_MAX; + } else { + newlen = reflen * 2; + if (newlen < DEFAULT_BUF_SIZE) + newlen = DEFAULT_BUF_SIZE; + } + if (BUF_MEM_grow(pkt->buf, newlen) == 0) + return 0; + } + if (allocbytes != NULL) + *allocbytes = WPACKET_get_curr(pkt); + + return 1; +} + +int WPACKET_sub_reserve_bytes__(WPACKET *pkt, size_t len, + unsigned char **allocbytes, size_t lenbytes) +{ + if (!WPACKET_reserve_bytes(pkt, lenbytes + len, allocbytes)) + return 0; + + *allocbytes += lenbytes; + + return 1; +} + +static size_t maxmaxsize(size_t lenbytes) +{ + if (lenbytes >= sizeof(size_t) || lenbytes == 0) + return SIZE_MAX; + + return ((size_t)1 << (lenbytes * 8)) - 1 + lenbytes; +} + +static int wpacket_intern_init_len(WPACKET *pkt, size_t lenbytes) +{ + unsigned char *lenchars; + + pkt->curr = 0; + pkt->written = 0; + + if ((pkt->subs = OPENSSL_zalloc(sizeof(*pkt->subs))) == NULL) { + SSLerr(SSL_F_WPACKET_INTERN_INIT_LEN, ERR_R_MALLOC_FAILURE); + return 0; + } + + if (lenbytes == 0) + return 1; + + pkt->subs->pwritten = lenbytes; + pkt->subs->lenbytes = lenbytes; + + if (!WPACKET_allocate_bytes(pkt, lenbytes, &lenchars)) { + OPENSSL_free(pkt->subs); + pkt->subs = NULL; + return 0; + } + pkt->subs->packet_len = lenchars - GETBUF(pkt); + + return 1; +} + +int WPACKET_init_static_len(WPACKET *pkt, unsigned char *buf, size_t len, + size_t lenbytes) +{ + size_t max = maxmaxsize(lenbytes); + + /* Internal API, so should not fail */ + if (!ossl_assert(buf != NULL && len > 0)) + return 0; + + pkt->staticbuf = buf; + pkt->buf = NULL; + pkt->maxsize = (max < len) ? max : len; + + return wpacket_intern_init_len(pkt, lenbytes); +} + +int WPACKET_init_len(WPACKET *pkt, BUF_MEM *buf, size_t lenbytes) +{ + /* Internal API, so should not fail */ + if (!ossl_assert(buf != NULL)) + return 0; + + pkt->staticbuf = NULL; + pkt->buf = buf; + pkt->maxsize = maxmaxsize(lenbytes); + + return wpacket_intern_init_len(pkt, lenbytes); +} + +int WPACKET_init(WPACKET *pkt, BUF_MEM *buf) +{ + return WPACKET_init_len(pkt, buf, 0); +} + +int WPACKET_set_flags(WPACKET *pkt, unsigned int flags) +{ + /* Internal API, so should not fail */ + if (!ossl_assert(pkt->subs != NULL)) + return 0; + + pkt->subs->flags = flags; + + return 1; +} + +/* Store the |value| of length |len| at location |data| */ +static int put_value(unsigned char *data, size_t value, size_t len) +{ + for (data += len - 1; len > 0; len--) { + *data = (unsigned char)(value & 0xff); + data--; + value >>= 8; + } + + /* Check whether we could fit the value in the assigned number of bytes */ + if (value > 0) + return 0; + + return 1; +} + + +/* + * Internal helper function used by WPACKET_close(), WPACKET_finish() and + * WPACKET_fill_lengths() to close a sub-packet and write out its length if + * necessary. If |doclose| is 0 then it goes through the motions of closing + * (i.e. it fills in all the lengths), but doesn't actually close anything. + */ +static int wpacket_intern_close(WPACKET *pkt, WPACKET_SUB *sub, int doclose) +{ + size_t packlen = pkt->written - sub->pwritten; + + if (packlen == 0 + && (sub->flags & WPACKET_FLAGS_NON_ZERO_LENGTH) != 0) + return 0; + + if (packlen == 0 + && sub->flags & WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH) { + /* We can't handle this case. Return an error */ + if (!doclose) + return 0; + + /* Deallocate any bytes allocated for the length of the WPACKET */ + if ((pkt->curr - sub->lenbytes) == sub->packet_len) { + pkt->written -= sub->lenbytes; + pkt->curr -= sub->lenbytes; + } + + /* Don't write out the packet length */ + sub->packet_len = 0; + sub->lenbytes = 0; + } + + /* Write out the WPACKET length if needed */ + if (sub->lenbytes > 0 + && !put_value(&GETBUF(pkt)[sub->packet_len], packlen, + sub->lenbytes)) + return 0; + + if (doclose) { + pkt->subs = sub->parent; + OPENSSL_free(sub); + } + + return 1; +} + +int WPACKET_fill_lengths(WPACKET *pkt) +{ + WPACKET_SUB *sub; + + if (!ossl_assert(pkt->subs != NULL)) + return 0; + + for (sub = pkt->subs; sub != NULL; sub = sub->parent) { + if (!wpacket_intern_close(pkt, sub, 0)) + return 0; + } + + return 1; +} + +int WPACKET_close(WPACKET *pkt) +{ + /* + * Internal API, so should not fail - but we do negative testing of this + * so no assert (otherwise the tests fail) + */ + if (pkt->subs == NULL || pkt->subs->parent == NULL) + return 0; + + return wpacket_intern_close(pkt, pkt->subs, 1); +} + +int WPACKET_finish(WPACKET *pkt) +{ + int ret; + + /* + * Internal API, so should not fail - but we do negative testing of this + * so no assert (otherwise the tests fail) + */ + if (pkt->subs == NULL || pkt->subs->parent != NULL) + return 0; + + ret = wpacket_intern_close(pkt, pkt->subs, 1); + if (ret) { + OPENSSL_free(pkt->subs); + pkt->subs = NULL; + } + + return ret; +} + +int WPACKET_start_sub_packet_len__(WPACKET *pkt, size_t lenbytes) +{ + WPACKET_SUB *sub; + unsigned char *lenchars; + + /* Internal API, so should not fail */ + if (!ossl_assert(pkt->subs != NULL)) + return 0; + + if ((sub = OPENSSL_zalloc(sizeof(*sub))) == NULL) { + SSLerr(SSL_F_WPACKET_START_SUB_PACKET_LEN__, ERR_R_MALLOC_FAILURE); + return 0; + } + + sub->parent = pkt->subs; + pkt->subs = sub; + sub->pwritten = pkt->written + lenbytes; + sub->lenbytes = lenbytes; + + if (lenbytes == 0) { + sub->packet_len = 0; + return 1; + } + + if (!WPACKET_allocate_bytes(pkt, lenbytes, &lenchars)) + return 0; + /* Convert to an offset in case the underlying BUF_MEM gets realloc'd */ + sub->packet_len = lenchars - GETBUF(pkt); + + return 1; +} + +int WPACKET_start_sub_packet(WPACKET *pkt) +{ + return WPACKET_start_sub_packet_len__(pkt, 0); +} + +int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t size) +{ + unsigned char *data; + + /* Internal API, so should not fail */ + if (!ossl_assert(size <= sizeof(unsigned int)) + || !WPACKET_allocate_bytes(pkt, size, &data) + || !put_value(data, val, size)) + return 0; + + return 1; +} + +int WPACKET_set_max_size(WPACKET *pkt, size_t maxsize) +{ + WPACKET_SUB *sub; + size_t lenbytes; + + /* Internal API, so should not fail */ + if (!ossl_assert(pkt->subs != NULL)) + return 0; + + /* Find the WPACKET_SUB for the top level */ + for (sub = pkt->subs; sub->parent != NULL; sub = sub->parent) + continue; + + lenbytes = sub->lenbytes; + if (lenbytes == 0) + lenbytes = sizeof(pkt->maxsize); + + if (maxmaxsize(lenbytes) < maxsize || maxsize < pkt->written) + return 0; + + pkt->maxsize = maxsize; + + return 1; +} + +int WPACKET_memset(WPACKET *pkt, int ch, size_t len) +{ + unsigned char *dest; + + if (len == 0) + return 1; + + if (!WPACKET_allocate_bytes(pkt, len, &dest)) + return 0; + + memset(dest, ch, len); + + return 1; +} + +int WPACKET_memcpy(WPACKET *pkt, const void *src, size_t len) +{ + unsigned char *dest; + + if (len == 0) + return 1; + + if (!WPACKET_allocate_bytes(pkt, len, &dest)) + return 0; + + memcpy(dest, src, len); + + return 1; +} + +int WPACKET_sub_memcpy__(WPACKET *pkt, const void *src, size_t len, + size_t lenbytes) +{ + if (!WPACKET_start_sub_packet_len__(pkt, lenbytes) + || !WPACKET_memcpy(pkt, src, len) + || !WPACKET_close(pkt)) + return 0; + + return 1; +} + +int WPACKET_get_total_written(WPACKET *pkt, size_t *written) +{ + /* Internal API, so should not fail */ + if (!ossl_assert(written != NULL)) + return 0; + + *written = pkt->written; + + return 1; +} + +int WPACKET_get_length(WPACKET *pkt, size_t *len) +{ + /* Internal API, so should not fail */ + if (!ossl_assert(pkt->subs != NULL && len != NULL)) + return 0; + + *len = pkt->written - pkt->subs->pwritten; + + return 1; +} + +unsigned char *WPACKET_get_curr(WPACKET *pkt) +{ + return GETBUF(pkt) + pkt->curr; +} + +void WPACKET_cleanup(WPACKET *pkt) +{ + WPACKET_SUB *sub, *parent; + + for (sub = pkt->subs; sub != NULL; sub = parent) { + parent = sub->parent; + OPENSSL_free(sub); + } + pkt->subs = NULL; +} diff --git a/deps/openssl/openssl/ssl/packet_locl.h b/deps/openssl/openssl/ssl/packet_locl.h index d34034dedb..860360b8b2 100644 --- a/deps/openssl/openssl/ssl/packet_locl.h +++ b/deps/openssl/openssl/ssl/packet_locl.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -18,10 +18,6 @@ # include "internal/numbers.h" -# ifdef __cplusplus -extern "C" { -# endif - typedef struct { /* Pointer to where we are currently reading from */ const unsigned char *curr; @@ -160,6 +156,18 @@ __owur static ossl_inline int PACKET_get_net_2(PACKET *pkt, unsigned int *data) return 1; } +/* Same as PACKET_get_net_2() but for a size_t */ +__owur static ossl_inline int PACKET_get_net_2_len(PACKET *pkt, size_t *data) +{ + unsigned int i; + int ret = PACKET_get_net_2(pkt, &i); + + if (ret) + *data = (size_t)i; + + return ret; +} + /* * Peek ahead at 3 bytes in network order from |pkt| and store the value in * |*data| @@ -189,6 +197,18 @@ __owur static ossl_inline int PACKET_get_net_3(PACKET *pkt, unsigned long *data) return 1; } +/* Same as PACKET_get_net_3() but for a size_t */ +__owur static ossl_inline int PACKET_get_net_3_len(PACKET *pkt, size_t *data) +{ + unsigned long i; + int ret = PACKET_get_net_3(pkt, &i); + + if (ret) + *data = (size_t)i; + + return ret; +} + /* * Peek ahead at 4 bytes in network order from |pkt| and store the value in * |*data| @@ -219,6 +239,18 @@ __owur static ossl_inline int PACKET_get_net_4(PACKET *pkt, unsigned long *data) return 1; } +/* Same as PACKET_get_net_4() but for a size_t */ +__owur static ossl_inline int PACKET_get_net_4_len(PACKET *pkt, size_t *data) +{ + unsigned long i; + int ret = PACKET_get_net_4(pkt, &i); + + if (ret) + *data = (size_t)i; + + return ret; +} + /* Peek ahead at 1 byte from |pkt| and store the value in |*data| */ __owur static ossl_inline int PACKET_peek_1(const PACKET *pkt, unsigned int *data) @@ -242,6 +274,18 @@ __owur static ossl_inline int PACKET_get_1(PACKET *pkt, unsigned int *data) return 1; } +/* Same as PACKET_get_1() but for a size_t */ +__owur static ossl_inline int PACKET_get_1_len(PACKET *pkt, size_t *data) +{ + unsigned int i; + int ret = PACKET_get_1(pkt, &i); + + if (ret) + *data = (size_t)i; + + return ret; +} + /* * Peek ahead at 4 bytes in reverse network order from |pkt| and store the value * in |*data| @@ -548,8 +592,283 @@ __owur static ossl_inline int PACKET_get_length_prefixed_3(PACKET *pkt, return 1; } -# ifdef __cplusplus -} -# endif + +/* Writeable packets */ + +typedef struct wpacket_sub WPACKET_SUB; +struct wpacket_sub { + /* The parent WPACKET_SUB if we have one or NULL otherwise */ + WPACKET_SUB *parent; + + /* + * Offset into the buffer where the length of this WPACKET goes. We use an + * offset in case the buffer grows and gets reallocated. + */ + size_t packet_len; + + /* Number of bytes in the packet_len or 0 if we don't write the length */ + size_t lenbytes; + + /* Number of bytes written to the buf prior to this packet starting */ + size_t pwritten; + + /* Flags for this sub-packet */ + unsigned int flags; +}; + +typedef struct wpacket_st WPACKET; +struct wpacket_st { + /* The buffer where we store the output data */ + BUF_MEM *buf; + + /* Fixed sized buffer which can be used as an alternative to buf */ + unsigned char *staticbuf; + + /* + * Offset into the buffer where we are currently writing. We use an offset + * in case the buffer grows and gets reallocated. + */ + size_t curr; + + /* Number of bytes written so far */ + size_t written; + + /* Maximum number of bytes we will allow to be written to this WPACKET */ + size_t maxsize; + + /* Our sub-packets (always at least one if not finished) */ + WPACKET_SUB *subs; +}; + +/* Flags */ + +/* Default */ +#define WPACKET_FLAGS_NONE 0 + +/* Error on WPACKET_close() if no data written to the WPACKET */ +#define WPACKET_FLAGS_NON_ZERO_LENGTH 1 + +/* + * Abandon all changes on WPACKET_close() if no data written to the WPACKET, + * i.e. this does not write out a zero packet length + */ +#define WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH 2 + + +/* + * Initialise a WPACKET with the buffer in |buf|. The buffer must exist + * for the whole time that the WPACKET is being used. Additionally |lenbytes| of + * data is preallocated at the start of the buffer to store the length of the + * WPACKET once we know it. + */ +int WPACKET_init_len(WPACKET *pkt, BUF_MEM *buf, size_t lenbytes); + +/* + * Same as WPACKET_init_len except there is no preallocation of the WPACKET + * length. + */ +int WPACKET_init(WPACKET *pkt, BUF_MEM *buf); + +/* + * Same as WPACKET_init_len except we do not use a growable BUF_MEM structure. + * A fixed buffer of memory |buf| of size |len| is used instead. A failure will + * occur if you attempt to write beyond the end of the buffer + */ +int WPACKET_init_static_len(WPACKET *pkt, unsigned char *buf, size_t len, + size_t lenbytes); +/* + * Set the flags to be applied to the current sub-packet + */ +int WPACKET_set_flags(WPACKET *pkt, unsigned int flags); + +/* + * Closes the most recent sub-packet. It also writes out the length of the + * packet to the required location (normally the start of the WPACKET) if + * appropriate. The top level WPACKET should be closed using WPACKET_finish() + * instead of this function. + */ +int WPACKET_close(WPACKET *pkt); + +/* + * The same as WPACKET_close() but only for the top most WPACKET. Additionally + * frees memory resources for this WPACKET. + */ +int WPACKET_finish(WPACKET *pkt); + +/* + * Iterate through all the sub-packets and write out their lengths as if they + * were being closed. The lengths will be overwritten with the final lengths + * when the sub-packets are eventually closed (which may be different if more + * data is added to the WPACKET). This function fails if a sub-packet is of 0 + * length and WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH is set. + */ +int WPACKET_fill_lengths(WPACKET *pkt); + +/* + * Initialise a new sub-packet. Additionally |lenbytes| of data is preallocated + * at the start of the sub-packet to store its length once we know it. Don't + * call this directly. Use the convenience macros below instead. + */ +int WPACKET_start_sub_packet_len__(WPACKET *pkt, size_t lenbytes); + +/* + * Convenience macros for calling WPACKET_start_sub_packet_len with different + * lengths + */ +#define WPACKET_start_sub_packet_u8(pkt) \ + WPACKET_start_sub_packet_len__((pkt), 1) +#define WPACKET_start_sub_packet_u16(pkt) \ + WPACKET_start_sub_packet_len__((pkt), 2) +#define WPACKET_start_sub_packet_u24(pkt) \ + WPACKET_start_sub_packet_len__((pkt), 3) +#define WPACKET_start_sub_packet_u32(pkt) \ + WPACKET_start_sub_packet_len__((pkt), 4) + +/* + * Same as WPACKET_start_sub_packet_len__() except no bytes are pre-allocated + * for the sub-packet length. + */ +int WPACKET_start_sub_packet(WPACKET *pkt); + +/* + * Allocate bytes in the WPACKET for the output. This reserves the bytes + * and counts them as "written", but doesn't actually do the writing. A pointer + * to the allocated bytes is stored in |*allocbytes|. |allocbytes| may be NULL. + * WARNING: the allocated bytes must be filled in immediately, without further + * WPACKET_* calls. If not then the underlying buffer may be realloc'd and + * change its location. + */ +int WPACKET_allocate_bytes(WPACKET *pkt, size_t len, + unsigned char **allocbytes); + +/* + * The same as WPACKET_allocate_bytes() except additionally a new sub-packet is + * started for the allocated bytes, and then closed immediately afterwards. The + * number of length bytes for the sub-packet is in |lenbytes|. Don't call this + * directly. Use the convenience macros below instead. + */ +int WPACKET_sub_allocate_bytes__(WPACKET *pkt, size_t len, + unsigned char **allocbytes, size_t lenbytes); + +/* + * Convenience macros for calling WPACKET_sub_allocate_bytes with different + * lengths + */ +#define WPACKET_sub_allocate_bytes_u8(pkt, len, bytes) \ + WPACKET_sub_allocate_bytes__((pkt), (len), (bytes), 1) +#define WPACKET_sub_allocate_bytes_u16(pkt, len, bytes) \ + WPACKET_sub_allocate_bytes__((pkt), (len), (bytes), 2) +#define WPACKET_sub_allocate_bytes_u24(pkt, len, bytes) \ + WPACKET_sub_allocate_bytes__((pkt), (len), (bytes), 3) +#define WPACKET_sub_allocate_bytes_u32(pkt, len, bytes) \ + WPACKET_sub_allocate_bytes__((pkt), (len), (bytes), 4) + +/* + * The same as WPACKET_allocate_bytes() except the reserved bytes are not + * actually counted as written. Typically this will be for when we don't know + * how big arbitrary data is going to be up front, but we do know what the + * maximum size will be. If this function is used, then it should be immediately + * followed by a WPACKET_allocate_bytes() call before any other WPACKET + * functions are called (unless the write to the allocated bytes is abandoned). + * + * For example: If we are generating a signature, then the size of that + * signature may not be known in advance. We can use WPACKET_reserve_bytes() to + * handle this: + * + * if (!WPACKET_sub_reserve_bytes_u16(&pkt, EVP_PKEY_size(pkey), &sigbytes1) + * || EVP_SignFinal(md_ctx, sigbytes1, &siglen, pkey) <= 0 + * || !WPACKET_sub_allocate_bytes_u16(&pkt, siglen, &sigbytes2) + * || sigbytes1 != sigbytes2) + * goto err; + */ +int WPACKET_reserve_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes); + +/* + * The "reserve_bytes" equivalent of WPACKET_sub_allocate_bytes__() + */ +int WPACKET_sub_reserve_bytes__(WPACKET *pkt, size_t len, + unsigned char **allocbytes, size_t lenbytes); + +/* + * Convenience macros for WPACKET_sub_reserve_bytes with different lengths + */ +#define WPACKET_sub_reserve_bytes_u8(pkt, len, bytes) \ + WPACKET_reserve_bytes__((pkt), (len), (bytes), 1) +#define WPACKET_sub_reserve_bytes_u16(pkt, len, bytes) \ + WPACKET_sub_reserve_bytes__((pkt), (len), (bytes), 2) +#define WPACKET_sub_reserve_bytes_u24(pkt, len, bytes) \ + WPACKET_sub_reserve_bytes__((pkt), (len), (bytes), 3) +#define WPACKET_sub_reserve_bytes_u32(pkt, len, bytes) \ + WPACKET_sub_reserve_bytes__((pkt), (len), (bytes), 4) + +/* + * Write the value stored in |val| into the WPACKET. The value will consume + * |bytes| amount of storage. An error will occur if |val| cannot be + * accommodated in |bytes| storage, e.g. attempting to write the value 256 into + * 1 byte will fail. Don't call this directly. Use the convenience macros below + * instead. + */ +int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t bytes); + +/* + * Convenience macros for calling WPACKET_put_bytes with different + * lengths + */ +#define WPACKET_put_bytes_u8(pkt, val) \ + WPACKET_put_bytes__((pkt), (val), 1) +#define WPACKET_put_bytes_u16(pkt, val) \ + WPACKET_put_bytes__((pkt), (val), 2) +#define WPACKET_put_bytes_u24(pkt, val) \ + WPACKET_put_bytes__((pkt), (val), 3) +#define WPACKET_put_bytes_u32(pkt, val) \ + WPACKET_put_bytes__((pkt), (val), 4) + +/* Set a maximum size that we will not allow the WPACKET to grow beyond */ +int WPACKET_set_max_size(WPACKET *pkt, size_t maxsize); + +/* Copy |len| bytes of data from |*src| into the WPACKET. */ +int WPACKET_memcpy(WPACKET *pkt, const void *src, size_t len); + +/* Set |len| bytes of data to |ch| into the WPACKET. */ +int WPACKET_memset(WPACKET *pkt, int ch, size_t len); + +/* + * Copy |len| bytes of data from |*src| into the WPACKET and prefix with its + * length (consuming |lenbytes| of data for the length). Don't call this + * directly. Use the convenience macros below instead. + */ +int WPACKET_sub_memcpy__(WPACKET *pkt, const void *src, size_t len, + size_t lenbytes); + +/* Convenience macros for calling WPACKET_sub_memcpy with different lengths */ +#define WPACKET_sub_memcpy_u8(pkt, src, len) \ + WPACKET_sub_memcpy__((pkt), (src), (len), 1) +#define WPACKET_sub_memcpy_u16(pkt, src, len) \ + WPACKET_sub_memcpy__((pkt), (src), (len), 2) +#define WPACKET_sub_memcpy_u24(pkt, src, len) \ + WPACKET_sub_memcpy__((pkt), (src), (len), 3) +#define WPACKET_sub_memcpy_u32(pkt, src, len) \ + WPACKET_sub_memcpy__((pkt), (src), (len), 4) + +/* + * Return the total number of bytes written so far to the underlying buffer + * including any storage allocated for length bytes + */ +int WPACKET_get_total_written(WPACKET *pkt, size_t *written); + +/* + * Returns the length of the current sub-packet. This excludes any bytes + * allocated for the length itself. + */ +int WPACKET_get_length(WPACKET *pkt, size_t *len); + +/* + * Returns a pointer to the current write location, but does not allocate any + * bytes. + */ +unsigned char *WPACKET_get_curr(WPACKET *pkt); + +/* Release resources in a WPACKET if a failure has occurred. */ +void WPACKET_cleanup(WPACKET *pkt); #endif /* HEADER_PACKET_LOCL_H */ diff --git a/deps/openssl/openssl/ssl/pqueue.c b/deps/openssl/openssl/ssl/pqueue.c index b447e1dceb..548a7a443d 100644 --- a/deps/openssl/openssl/ssl/pqueue.c +++ b/deps/openssl/openssl/ssl/pqueue.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -18,14 +18,15 @@ struct pqueue_st { pitem *pitem_new(unsigned char *prio64be, void *data) { pitem *item = OPENSSL_malloc(sizeof(*item)); - if (item == NULL) + + if (item == NULL) { + SSLerr(SSL_F_PITEM_NEW, ERR_R_MALLOC_FAILURE); return NULL; + } memcpy(item->priority, prio64be, sizeof(item->priority)); - item->data = data; item->next = NULL; - return item; } @@ -34,10 +35,13 @@ void pitem_free(pitem *item) OPENSSL_free(item); } -pqueue *pqueue_new() +pqueue *pqueue_new(void) { pqueue *pq = OPENSSL_zalloc(sizeof(*pq)); + if (pq == NULL) + SSLerr(SSL_F_PQUEUE_NEW, ERR_R_MALLOC_FAILURE); + return pq; } @@ -127,7 +131,7 @@ pitem *pqueue_iterator(pqueue *pq) return pqueue_peek(pq); } -pitem *pqueue_next(pitem **item) +pitem *pqueue_next(piterator *item) { pitem *ret; @@ -141,10 +145,10 @@ pitem *pqueue_next(pitem **item) return ret; } -int pqueue_size(pqueue *pq) +size_t pqueue_size(pqueue *pq) { pitem *item = pq->items; - int count = 0; + size_t count = 0; while (item != NULL) { count++; diff --git a/deps/openssl/openssl/ssl/record/rec_layer_d1.c b/deps/openssl/openssl/ssl/record/rec_layer_d1.c index 6111a2e191..1f9b31969d 100644 --- a/deps/openssl/openssl/ssl/record/rec_layer_d1.c +++ b/deps/openssl/openssl/ssl/record/rec_layer_d1.c @@ -9,18 +9,21 @@ #include <stdio.h> #include <errno.h> -#define USE_SOCKETS #include "../ssl_locl.h" #include <openssl/evp.h> #include <openssl/buffer.h> #include "record_locl.h" +#include "../packet_locl.h" +#include "internal/cryptlib.h" int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl) { DTLS_RECORD_LAYER *d; - if ((d = OPENSSL_malloc(sizeof(*d))) == NULL) - return (0); + if ((d = OPENSSL_malloc(sizeof(*d))) == NULL) { + SSLerr(SSL_F_DTLS_RECORD_LAYER_NEW, ERR_R_MALLOC_FAILURE); + return 0; + } rl->d = d; @@ -35,7 +38,7 @@ int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl) pqueue_free(d->buffered_app_data.q); OPENSSL_free(d); rl->d = NULL; - return (0); + return 0; } return 1; @@ -108,19 +111,11 @@ void DTLS_RECORD_LAYER_set_saved_w_epoch(RECORD_LAYER *rl, unsigned short e) rl->d->w_epoch = e; } -void DTLS_RECORD_LAYER_resync_write(RECORD_LAYER *rl) -{ - memcpy(rl->write_sequence, rl->read_sequence, sizeof(rl->write_sequence)); -} - void DTLS_RECORD_LAYER_set_write_sequence(RECORD_LAYER *rl, unsigned char *seq) { memcpy(rl->write_sequence, seq, SEQ_NUM_SIZE); } -static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, - int len); - /* copy buffered record into SSL structure */ static int dtls1_copy_record(SSL *s, pitem *item) { @@ -138,7 +133,7 @@ static int dtls1_copy_record(SSL *s, pitem *item) /* Set proper sequence number for mac calculation */ memcpy(&(s->rlayer.read_sequence[2]), &(rdata->packet[5]), 6); - return (1); + return 1; } int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) @@ -155,7 +150,8 @@ int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) if (rdata == NULL || item == NULL) { OPENSSL_free(rdata); pitem_free(item); - SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_BUFFER_RECORD, + ERR_R_INTERNAL_ERROR); return -1; } @@ -182,23 +178,21 @@ int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) memset(&s->rlayer.rrec, 0, sizeof(s->rlayer.rrec)); if (!ssl3_setup_buffers(s)) { - SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ OPENSSL_free(rdata->rbuf.buf); OPENSSL_free(rdata); pitem_free(item); - return (-1); + return -1; } - /* insert should not fail, since duplicates are dropped */ if (pqueue_insert(queue->q, item) == NULL) { - SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); + /* Must be a duplicate so ignore it */ OPENSSL_free(rdata->rbuf.buf); OPENSSL_free(rdata); pitem_free(item); - return (-1); } - return (1); + return 1; } int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) @@ -212,10 +206,10 @@ int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) OPENSSL_free(item->data); pitem_free(item); - return (1); + return 1; } - return (0); + return 0; } /* @@ -265,8 +259,9 @@ int dtls1_process_buffered_records(SSL *s) * current record is from a different epoch. But that cannot * be the case because we already checked the epoch above */ - SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS, - ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS, + ERR_R_INTERNAL_ERROR); return 0; } #ifndef OPENSSL_NO_SCTP @@ -284,6 +279,10 @@ int dtls1_process_buffered_records(SSL *s) } if (!replayok || !dtls1_process_record(s, bitmap)) { + if (ossl_statem_in_error(s)) { + /* dtls1_process_record called SSLfatal() */ + return -1; + } /* dump this record */ rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); @@ -291,8 +290,10 @@ int dtls1_process_buffered_records(SSL *s) } if (dtls1_buffer_record(s, &(s->rlayer.d->processed_rcds), - SSL3_RECORD_get_seq_num(s->rlayer.rrec)) < 0) + SSL3_RECORD_get_seq_num(s->rlayer.rrec)) < 0) { + /* SSLfatal() already called */ return 0; + } } } @@ -336,49 +337,37 @@ int dtls1_process_buffered_records(SSL *s) * none of our business */ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, - int len, int peek) + size_t len, int peek, size_t *readbytes) { - int al, i, j, ret; - unsigned int n; + int i, j, iret; + size_t n; SSL3_RECORD *rr; void (*cb) (const SSL *ssl, int type2, int val) = NULL; if (!SSL3_BUFFER_is_initialised(&s->rlayer.rbuf)) { /* Not initialized yet */ - if (!ssl3_setup_buffers(s)) - return (-1); + if (!ssl3_setup_buffers(s)) { + /* SSLfatal() already called */ + return -1; + } } if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE)) || (peek && (type != SSL3_RT_APPLICATION_DATA))) { - SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_READ_BYTES, + ERR_R_INTERNAL_ERROR); return -1; } - /* - * check whether there's a handshake message (client hello?) waiting - */ - if ((ret = have_handshake_fragment(s, type, buf, len))) { - *recvd_type = SSL3_RT_HANDSHAKE; - return ret; - } - - /* - * Now s->rlayer.d->handshake_fragment_len == 0 if - * type == SSL3_RT_HANDSHAKE. - */ - - if (!ossl_statem_get_in_handshake(s) && SSL_in_init(s)) - { + if (!ossl_statem_get_in_handshake(s) && SSL_in_init(s)) { /* type == SSL3_RT_APPLICATION_DATA */ i = s->handshake_func(s); + /* SSLfatal() already called if appropriate */ if (i < 0) - return (i); - if (i == 0) { - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } + return i; + if (i == 0) + return -1; } start: @@ -417,19 +406,26 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, } /* Check for timeout */ - if (dtls1_handle_timeout(s) > 0) + if (dtls1_handle_timeout(s) > 0) { goto start; + } else if (ossl_statem_in_error(s)) { + /* dtls1_handle_timeout() has failed with a fatal error */ + return -1; + } /* get new packet if necessary */ if ((SSL3_RECORD_get_length(rr) == 0) || (s->rlayer.rstate == SSL_ST_READ_BODY)) { RECORD_LAYER_set_numrpipes(&s->rlayer, 0); - ret = dtls1_get_record(s); - if (ret <= 0) { - ret = dtls1_read_failed(s, ret); - /* anything other than a timeout is an error */ - if (ret <= 0) - return (ret); + iret = dtls1_get_record(s); + if (iret <= 0) { + iret = dtls1_read_failed(s, iret); + /* + * Anything other than a timeout is an error. SSLfatal() already + * called if appropriate. + */ + if (iret <= 0) + return iret; else goto start; } @@ -469,7 +465,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, */ if (dtls1_buffer_record(s, &(s->rlayer.d->buffered_app_data), SSL3_RECORD_get_seq_num(rr)) < 0) { - SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ return -1; } SSL3_RECORD_set_length(rr, 0); @@ -502,15 +498,15 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, */ if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && (s->enc_read_ctx == NULL)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, + SSL_R_APP_DATA_IN_HANDSHAKE); + return -1; } if (recvd_type != NULL) *recvd_type = SSL3_RECORD_get_type(rr); - if (len <= 0) { + if (len == 0) { /* * Mark a zero length record as read. This ensures multiple calls to * SSL_read() with a zero length buffer will eventually cause @@ -518,13 +514,13 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, */ if (SSL3_RECORD_get_length(rr) == 0) SSL3_RECORD_set_read(rr); - return len; + return 0; } - if ((unsigned int)len > SSL3_RECORD_get_length(rr)) + if (len > SSL3_RECORD_get_length(rr)) n = SSL3_RECORD_get_length(rr); else - n = (unsigned int)len; + n = len; memcpy(buf, &(SSL3_RECORD_get_data(rr)[SSL3_RECORD_get_off(rr)]), n); if (peek) { @@ -549,10 +545,11 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, s->d1->shutdown_received && !BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) { s->shutdown |= SSL_RECEIVED_SHUTDOWN; - return (0); + return 0; } #endif - return (n); + *readbytes = n; + return 1; } /* @@ -560,199 +557,23 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * then it was unexpected (Hello Request or Client Hello). */ - /* - * In case of record types for which we have 'fragment' storage, fill - * that so that we can process the data at a fixed place. - */ - { - unsigned int k, dest_maxlen = 0; - unsigned char *dest = NULL; - unsigned int *dest_len = NULL; - - if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) { - dest_maxlen = sizeof(s->rlayer.d->handshake_fragment); - dest = s->rlayer.d->handshake_fragment; - dest_len = &s->rlayer.d->handshake_fragment_len; - } else if (SSL3_RECORD_get_type(rr) == SSL3_RT_ALERT) { - dest_maxlen = sizeof(s->rlayer.d->alert_fragment); - dest = s->rlayer.d->alert_fragment; - dest_len = &s->rlayer.d->alert_fragment_len; - } -#ifndef OPENSSL_NO_HEARTBEATS - else if (SSL3_RECORD_get_type(rr) == DTLS1_RT_HEARTBEAT) { - /* We allow a 0 return */ - if (dtls1_process_heartbeat(s, SSL3_RECORD_get_data(rr), - SSL3_RECORD_get_length(rr)) < 0) { - return -1; - } - /* Exit and notify application to read again */ - SSL3_RECORD_set_length(rr, 0); - SSL3_RECORD_set_read(rr); - s->rwstate = SSL_READING; - BIO_clear_retry_flags(SSL_get_rbio(s)); - BIO_set_retry_read(SSL_get_rbio(s)); - return (-1); - } -#endif - /* else it's a CCS message, or application data or wrong */ - else if (SSL3_RECORD_get_type(rr) != SSL3_RT_CHANGE_CIPHER_SPEC) { - /* - * Application data while renegotiating is allowed. Try again - * reading. - */ - if (SSL3_RECORD_get_type(rr) == SSL3_RT_APPLICATION_DATA) { - BIO *bio; - s->s3->in_read_app_data = 2; - bio = SSL_get_rbio(s); - s->rwstate = SSL_READING; - BIO_clear_retry_flags(bio); - BIO_set_retry_read(bio); - return (-1); - } - - /* Not certain if this is the right error handling */ - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; - } - - if (dest_maxlen > 0) { - /* - * XDTLS: In a pathological case, the Client Hello may be - * fragmented--don't always expect dest_maxlen bytes - */ - if (SSL3_RECORD_get_length(rr) < dest_maxlen) { -#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE - /* - * for normal alerts rr->length is 2, while - * dest_maxlen is 7 if we were to handle this - * non-existing alert... - */ - FIX ME; -#endif - s->rlayer.rstate = SSL_ST_READ_HEADER; - SSL3_RECORD_set_length(rr, 0); - SSL3_RECORD_set_read(rr); - goto start; - } - - /* now move 'n' bytes: */ - for (k = 0; k < dest_maxlen; k++) { - dest[k] = SSL3_RECORD_get_data(rr)[SSL3_RECORD_get_off(rr)]; - SSL3_RECORD_add_off(rr, 1); - SSL3_RECORD_add_length(rr, -1); - } - if (SSL3_RECORD_get_length(rr) == 0) - SSL3_RECORD_set_read(rr); - *dest_len = dest_maxlen; - } - } - - /*- - * s->rlayer.d->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE; - * s->rlayer.d->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT. - * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) - */ - - /* If we are a client, check for an incoming 'Hello Request': */ - if ((!s->server) && - (s->rlayer.d->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && - (s->rlayer.d->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && - (s->session != NULL) && (s->session->cipher != NULL)) { - s->rlayer.d->handshake_fragment_len = 0; - - if ((s->rlayer.d->handshake_fragment[1] != 0) || - (s->rlayer.d->handshake_fragment[2] != 0) || - (s->rlayer.d->handshake_fragment[3] != 0)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_HELLO_REQUEST); - goto f_err; - } - - /* - * no need to check sequence number on HELLO REQUEST messages - */ - - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, - s->rlayer.d->handshake_fragment, 4, s, - s->msg_callback_arg); - - if (SSL_is_init_finished(s) && - (s->options & SSL_OP_NO_RENEGOTIATION) == 0 && - !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && - !s->s3->renegotiate) { - s->d1->handshake_read_seq++; - s->new_session = 1; - ssl3_renegotiate(s); - if (ssl3_renegotiate_check(s)) { - i = s->handshake_func(s); - if (i < 0) - return (i); - if (i == 0) { - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } - - if (!(s->mode & SSL_MODE_AUTO_RETRY)) { - if (SSL3_BUFFER_get_left(&s->rlayer.rbuf) == 0) { - /* no read-ahead left? */ - BIO *bio; - /* - * In the case where we try to read application data, - * but we trigger an SSL handshake, we return -1 with - * the retry option set. Otherwise renegotiation may - * cause nasty problems in the blocking world - */ - s->rwstate = SSL_READING; - bio = SSL_get_rbio(s); - BIO_clear_retry_flags(bio); - BIO_set_retry_read(bio); - return (-1); - } - } - } - } else { - SSL3_RECORD_set_length(rr, 0); - SSL3_RECORD_set_read(rr); - ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); + if (SSL3_RECORD_get_type(rr) == SSL3_RT_ALERT) { + unsigned int alert_level, alert_descr; + unsigned char *alert_bytes = SSL3_RECORD_get_data(rr) + + SSL3_RECORD_get_off(rr); + PACKET alert; + + if (!PACKET_buf_init(&alert, alert_bytes, SSL3_RECORD_get_length(rr)) + || !PACKET_get_1(&alert, &alert_level) + || !PACKET_get_1(&alert, &alert_descr) + || PACKET_remaining(&alert) != 0) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, + SSL_R_INVALID_ALERT); + return -1; } - /* - * we either finished a handshake or ignored the request, now try - * again to obtain the (application) data we were asked for - */ - goto start; - } - - /* - * If we are a server and get a client hello when renegotiation isn't - * allowed send back a no renegotiation alert and carry on. - */ - if (s->server - && SSL_is_init_finished(s) - && s->rlayer.d->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH - && s->rlayer.d->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO - && s->s3->previous_client_finished_len != 0 - && ((!s->s3->send_connection_binding - && (s->options - & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0) - || (s->options & SSL_OP_NO_RENEGOTIATION) != 0)) { - s->rlayer.d->handshake_fragment_len = 0; - SSL3_RECORD_set_length(rr, 0); - SSL3_RECORD_set_read(rr); - ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); - goto start; - } - - if (s->rlayer.d->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) { - int alert_level = s->rlayer.d->alert_fragment[0]; - int alert_descr = s->rlayer.d->alert_fragment[1]; - - s->rlayer.d->alert_fragment_len = 0; if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_ALERT, - s->rlayer.d->alert_fragment, 2, s, + s->msg_callback(0, s->version, SSL3_RT_ALERT, alert_bytes, 2, s, s->msg_callback_arg); if (s->info_callback != NULL) @@ -771,9 +592,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, s->rlayer.alert_count++; if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, + SSL_R_TOO_MANY_WARN_ALERTS); + return -1; } if (alert_descr == SSL_AD_CLOSE_NOTIFY) { @@ -793,52 +614,25 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, } #endif s->shutdown |= SSL_RECEIVED_SHUTDOWN; - return (0); - } -#if 0 - /* XXX: this is a possible improvement in the future */ - /* now check if it's a missing record */ - if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { - unsigned short seq; - unsigned int frag_off; - unsigned char *p = &(s->rlayer.d->alert_fragment[2]); - - n2s(p, seq); - n2l3(p, frag_off); - - dtls1_retransmit_message(s, - dtls1_get_queue_priority - (frag->msg_header.seq, 0), frag_off, - &found); - if (!found && SSL_in_init(s)) { - /* - * fprintf( stderr,"in init = %d\n", SSL_in_init(s)); - */ - /* - * requested a message not yet sent, send an alert - * ourselves - */ - ssl3_send_alert(s, SSL3_AL_WARNING, - DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); - } + return 0; } -#endif } else if (alert_level == SSL3_AL_FATAL) { char tmp[16]; s->rwstate = SSL_NOTHING; s->s3->fatal_alert = alert_descr; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); - BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS1_READ_BYTES, + SSL_AD_REASON_OFFSET + alert_descr); + BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr); ERR_add_error_data(2, "SSL alert number ", tmp); s->shutdown |= SSL_RECEIVED_SHUTDOWN; SSL3_RECORD_set_read(rr); SSL_CTX_remove_session(s->session_ctx, s->session); - return (0); + return 0; } else { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS1_READ_BYTES, + SSL_R_UNKNOWN_ALERT_TYPE); + return -1; } goto start; @@ -865,27 +659,38 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, /* * Unexpected handshake message (Client Hello, or protocol violation) */ - if ((s->rlayer.d->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && - !ossl_statem_get_in_handshake(s)) { + if ((SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) && + !ossl_statem_get_in_handshake(s)) { struct hm_header_st msg_hdr; - /* this may just be a stale retransmit */ - dtls1_get_message_header(rr->data, &msg_hdr); - if (SSL3_RECORD_get_epoch(rr) != s->rlayer.d->r_epoch) { + /* + * This may just be a stale retransmit. Also sanity check that we have + * at least enough record bytes for a message header + */ + if (SSL3_RECORD_get_epoch(rr) != s->rlayer.d->r_epoch + || SSL3_RECORD_get_length(rr) < DTLS1_HM_HEADER_LENGTH) { SSL3_RECORD_set_length(rr, 0); SSL3_RECORD_set_read(rr); goto start; } + dtls1_get_message_header(rr->data, &msg_hdr); + /* * If we are server, we may have a repeated FINISHED of the client * here, then retransmit our CCS and FINISHED. */ if (msg_hdr.type == SSL3_MT_FINISHED) { - if (dtls1_check_timeout_num(s) < 0) + if (dtls1_check_timeout_num(s) < 0) { + /* SSLfatal) already called */ return -1; + } - dtls1_retransmit_buffered_messages(s); + if (dtls1_retransmit_buffered_messages(s) <= 0) { + /* Fail if we encountered a fatal error */ + if (ossl_statem_in_error(s)) + return -1; + } SSL3_RECORD_set_length(rr, 0); SSL3_RECORD_set_read(rr); if (!(s->mode & SSL_MODE_AUTO_RETRY)) { @@ -903,19 +708,27 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, goto start; } - if (SSL_is_init_finished(s) && - !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { - ossl_statem_set_in_init(s, 1); - s->renegotiate = 1; - s->new_session = 1; + /* + * To get here we must be trying to read app data but found handshake + * data. But if we're trying to read app data, and we're not in init + * (which is tested for at the top of this function) then init must be + * finished + */ + if (!ossl_assert(SSL_is_init_finished(s))) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_READ_BYTES, + ERR_R_INTERNAL_ERROR); + return -1; } + + /* We found handshake data, so we're going back into init */ + ossl_statem_set_in_init(s, 1); + i = s->handshake_func(s); + /* SSLfatal() called if appropriate */ if (i < 0) - return (i); - if (i == 0) { - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } + return i; + if (i == 0) + return -1; if (!(s->mode & SSL_MODE_AUTO_RETRY)) { if (SSL3_BUFFER_get_left(&s->rlayer.rbuf) == 0) { @@ -931,7 +744,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, bio = SSL_get_rbio(s); BIO_clear_retry_flags(bio); BIO_set_retry_read(bio); - return (-1); + return -1; } } goto start; @@ -939,15 +752,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, switch (SSL3_RECORD_get_type(rr)) { default: - /* TLS just ignores unknown message types */ - if (s->version == TLS1_VERSION) { - SSL3_RECORD_set_length(rr, 0); - SSL3_RECORD_set_read(rr); - goto start; - } - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, + SSL_R_UNEXPECTED_RECORD); + return -1; case SSL3_RT_CHANGE_CIPHER_SPEC: case SSL3_RT_ALERT: case SSL3_RT_HANDSHAKE: @@ -956,9 +763,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but * that should not happen when type != rr->type */ - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, + ERR_R_INTERNAL_ERROR); + return -1; case SSL3_RT_APPLICATION_DATA: /* * At this point, we were expecting handshake data, but have @@ -971,73 +778,41 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, (s->s3->total_renegotiations != 0) && ossl_statem_app_data_allowed(s)) { s->s3->in_read_app_data = 2; - return (-1); + return -1; } else { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, + SSL_R_UNEXPECTED_RECORD); + return -1; } } /* not reached */ - - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return (-1); -} - - /* - * this only happens when a client hello is received and a handshake - * is started. - */ -static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, - int len) -{ - - if ((type == SSL3_RT_HANDSHAKE) - && (s->rlayer.d->handshake_fragment_len > 0)) - /* (partially) satisfy request from storage */ - { - unsigned char *src = s->rlayer.d->handshake_fragment; - unsigned char *dst = buf; - unsigned int k, n; - - /* peek == 0 */ - n = 0; - while ((len > 0) && (s->rlayer.d->handshake_fragment_len > 0)) { - *dst++ = *src++; - len--; - s->rlayer.d->handshake_fragment_len--; - n++; - } - /* move any remaining fragment bytes: */ - for (k = 0; k < s->rlayer.d->handshake_fragment_len; k++) - s->rlayer.d->handshake_fragment[k] = *src++; - return n; - } - - return 0; } /* * Call this to write data in records of type 'type' It will return <= 0 if * not all data has been sent or non-blocking IO. */ -int dtls1_write_bytes(SSL *s, int type, const void *buf, int len) +int dtls1_write_bytes(SSL *s, int type, const void *buf, size_t len, + size_t *written) { int i; - OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH); + if (!ossl_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_WRITE_BYTES, + ERR_R_INTERNAL_ERROR); + return -1; + } s->rwstate = SSL_NOTHING; - i = do_dtls1_write(s, type, buf, len, 0); + i = do_dtls1_write(s, type, buf, len, 0, written); return i; } int do_dtls1_write(SSL *s, int type, const unsigned char *buf, - unsigned int len, int create_empty_fragment) + size_t len, int create_empty_fragment, size_t *written) { unsigned char *p, *pseq; int i, mac_size, clear = 0; - int prefix_len = 0; + size_t prefix_len = 0; int eivlen; SSL3_RECORD wr; SSL3_BUFFER *wb; @@ -1049,24 +824,26 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, * first check if there is a SSL3_BUFFER still being written out. This * will happen with non blocking IO */ - if (SSL3_BUFFER_get_left(wb) != 0) { - OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ - return (ssl3_write_pending(s, type, buf, len)); + if (!ossl_assert(SSL3_BUFFER_get_left(wb) == 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + ERR_R_INTERNAL_ERROR); + return 0; } /* If we have an alert to send, lets send it */ if (s->s3->alert_dispatch) { i = s->method->ssl_dispatch_alert(s); if (i <= 0) - return (i); + return i; /* if it went, fall through and send more stuff */ } if (len == 0 && !create_empty_fragment) return 0; - if (len > s->max_send_fragment) { - SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE); + if (len > ssl_get_max_send_fragment(s)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE); return 0; } @@ -1080,8 +857,11 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, mac_size = 0; else { mac_size = EVP_MD_CTX_size(s->write_hash); - if (mac_size < 0) - goto err; + if (mac_size < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE); + return -1; + } } p = SSL3_BUFFER_get_buf(wb) + prefix_len; @@ -1128,7 +908,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, /* lets setup the record stuff. */ SSL3_RECORD_set_data(&wr, p + eivlen); /* make room for IV in case of CBC */ - SSL3_RECORD_set_length(&wr, (int)len); + SSL3_RECORD_set_length(&wr, len); SSL3_RECORD_set_input(&wr, (unsigned char *)buf); /* @@ -1138,8 +918,9 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, /* first we compress */ if (s->compress != NULL) { if (!ssl3_do_compress(s, &wr)) { - SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_COMPRESSION_FAILURE); - goto err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + SSL_R_COMPRESSION_FAILURE); + return -1; } } else { memcpy(SSL3_RECORD_get_data(&wr), SSL3_RECORD_get_input(&wr), @@ -1153,11 +934,14 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, * wb->buf */ - if (mac_size != 0) { - if (s->method->ssl3_enc->mac(s, &wr, - &(p[SSL3_RECORD_get_length(&wr) + eivlen]), - 1) < 0) - goto err; + if (!SSL_WRITE_ETM(s) && mac_size != 0) { + if (!s->method->ssl3_enc->mac(s, &wr, + &(p[SSL3_RECORD_get_length(&wr) + eivlen]), + 1)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + ERR_R_INTERNAL_ERROR); + return -1; + } SSL3_RECORD_add_length(&wr, mac_size); } @@ -1168,24 +952,30 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, if (eivlen) SSL3_RECORD_add_length(&wr, eivlen); - if (s->method->ssl3_enc->enc(s, &wr, 1, 1) < 1) - goto err; + if (s->method->ssl3_enc->enc(s, &wr, 1, 1) < 1) { + if (!ossl_statem_in_error(s)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + ERR_R_INTERNAL_ERROR); + } + return -1; + } + + if (SSL_WRITE_ETM(s) && mac_size != 0) { + if (!s->method->ssl3_enc->mac(s, &wr, + &(p[SSL3_RECORD_get_length(&wr)]), 1)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + ERR_R_INTERNAL_ERROR); + return -1; + } + SSL3_RECORD_add_length(&wr, mac_size); + } /* record length after mac and block padding */ - /* - * if (type == SSL3_RT_APPLICATION_DATA || (type == SSL3_RT_ALERT && ! - * SSL_in_init(s))) - */ /* there's only one epoch between handshake and app data */ s2n(s->rlayer.d->w_epoch, pseq); - /* XDTLS: ?? */ - /* - * else s2n(s->d1->handshake_epoch, pseq); - */ - memcpy(pseq, &(s->rlayer.write_sequence[2]), 6); pseq += 6; s2n(SSL3_RECORD_get_length(&wr), pseq); @@ -1208,7 +998,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, * we are in a recursive call; just return the length, don't write * out anything here */ - return wr.length; + *written = wr.length; + return 1; } /* now let's set up wb */ @@ -1224,10 +1015,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, s->rlayer.wpend_type = type; s->rlayer.wpend_ret = len; - /* we now just need to write the buffer */ - return ssl3_write_pending(s, type, buf, len); - err: - return -1; + /* we now just need to write the buffer. Calls SSLfatal() as required. */ + return ssl3_write_pending(s, type, buf, len, written); } DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, diff --git a/deps/openssl/openssl/ssl/record/rec_layer_s3.c b/deps/openssl/openssl/ssl/record/rec_layer_s3.c index 1ffc1205d9..6d495715b2 100644 --- a/deps/openssl/openssl/ssl/record/rec_layer_s3.c +++ b/deps/openssl/openssl/ssl/record/rec_layer_s3.c @@ -10,12 +10,12 @@ #include <stdio.h> #include <limits.h> #include <errno.h> -#define USE_SOCKETS #include "../ssl_locl.h" #include <openssl/evp.h> #include <openssl/buffer.h> #include <openssl/rand.h> #include "record_locl.h" +#include "../packet_locl.h" #if defined(OPENSSL_SMALL_FOOTPRINT) || \ !( defined(AES_ASM) && ( \ @@ -46,8 +46,6 @@ void RECORD_LAYER_clear(RECORD_LAYER *rl) rl->packet = NULL; rl->packet_length = 0; rl->wnum = 0; - memset(rl->alert_fragment, 0, sizeof(rl->alert_fragment)); - rl->alert_fragment_len = 0; memset(rl->handshake_fragment, 0, sizeof(rl->handshake_fragment)); rl->handshake_fragment_len = 0; rl->wpend_tot = 0; @@ -100,22 +98,6 @@ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl) && SSL3_BUFFER_get_left(&rl->wbuf[rl->numwpipes - 1]) != 0; } -int RECORD_LAYER_set_data(RECORD_LAYER *rl, const unsigned char *buf, int len) -{ - rl->packet_length = len; - if (len != 0) { - rl->rstate = SSL_ST_READ_HEADER; - if (!SSL3_BUFFER_is_initialised(&rl->rbuf)) - if (!ssl3_setup_read_buffer(rl->s)) - return 0; - } - - rl->packet = SSL3_BUFFER_get_buf(&rl->rbuf); - SSL3_BUFFER_set_data(&rl->rbuf, buf, len); - - return 1; -} - void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl) { memset(rl->read_sequence, 0, sizeof(rl->read_sequence)); @@ -126,10 +108,9 @@ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl) memset(rl->write_sequence, 0, sizeof(rl->write_sequence)); } -int ssl3_pending(const SSL *s) +size_t ssl3_pending(const SSL *s) { - unsigned int i; - int num = 0; + size_t i, num = 0; if (s->rlayer.rstate == SSL_ST_READ_BODY) return 0; @@ -185,7 +166,8 @@ const char *SSL_rstate_string(const SSL *s) /* * Return values are as per SSL_read() */ -int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold) +int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, + size_t *readbytes) { /* * If extend == 0, obtain new n-byte packet; if extend == 1, increase @@ -196,18 +178,19 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold) * if clearold == 1, move the packet to the start of the buffer; if * clearold == 0 then leave any old packets where they were */ - int i, len, left; - size_t align = 0; + size_t len, left, align = 0; unsigned char *pkt; SSL3_BUFFER *rb; - if (n <= 0) - return n; + if (n == 0) + return 0; rb = &s->rlayer.rbuf; if (rb->buf == NULL) - if (!ssl3_setup_read_buffer(s)) + if (!ssl3_setup_read_buffer(s)) { + /* SSLfatal() already called */ return -1; + } left = rb->left; #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 @@ -272,13 +255,16 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold) s->rlayer.packet_length += n; rb->left = left - n; rb->offset += n; - return (n); + *readbytes = n; + return 1; } /* else we need to read more data */ - if (n > (int)(rb->len - rb->offset)) { /* does not happen */ - SSLerr(SSL_F_SSL3_READ_N, ERR_R_INTERNAL_ERROR); + if (n > rb->len - rb->offset) { + /* does not happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, + ERR_R_INTERNAL_ERROR); return -1; } @@ -289,11 +275,14 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold) else { if (max < n) max = n; - if (max > (int)(rb->len - rb->offset)) + if (max > rb->len - rb->offset) max = rb->len - rb->offset; } while (left < n) { + size_t bioread = 0; + int ret; + /* * Now we have len+left bytes at the front of s->s3->rbuf.buf and * need to read in more until we have len+n (up to len+max if @@ -303,20 +292,24 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold) clear_sys_error(); if (s->rbio != NULL) { s->rwstate = SSL_READING; - i = BIO_read(s->rbio, pkt + len + left, max - left); + /* TODO(size_t): Convert this function */ + ret = BIO_read(s->rbio, pkt + len + left, max - left); + if (ret >= 0) + bioread = ret; } else { - SSLerr(SSL_F_SSL3_READ_N, SSL_R_READ_BIO_NOT_SET); - i = -1; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, + SSL_R_READ_BIO_NOT_SET); + ret = -1; } - if (i <= 0) { + if (ret <= 0) { rb->left = left; if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s)) if (len + left == 0) ssl3_release_read_buffer(s); - return i; + return ret; } - left += i; + left += bioread; /* * reads should *never* span multiple packets for DTLS because the * underlying transport protocol is message oriented as opposed to @@ -333,55 +326,65 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold) rb->left = left - n; s->rlayer.packet_length += n; s->rwstate = SSL_NOTHING; - return (n); + *readbytes = n; + return 1; } /* * Call this to write data in records of type 'type' It will return <= 0 if * not all data has been sent or non-blocking IO. */ -int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) +int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, + size_t *written) { const unsigned char *buf = buf_; - int tot; - unsigned int n, split_send_fragment, maxpipes; + size_t tot; + size_t n, max_send_fragment, split_send_fragment, maxpipes; #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK - unsigned int max_send_fragment, nw; - unsigned int u_len = (unsigned int)len; + size_t nw; #endif SSL3_BUFFER *wb = &s->rlayer.wbuf[0]; int i; - - if (len < 0) { - SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_SSL_NEGATIVE_LENGTH); - return -1; - } + size_t tmpwrit; s->rwstate = SSL_NOTHING; tot = s->rlayer.wnum; /* * ensure that if we end up with a smaller value of data to write out - * than the the original len from a write which didn't complete for + * than the original len from a write which didn't complete for * non-blocking I/O and also somehow ended up avoiding the check for * this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be * possible to end up with (len-tot) as a large number that will then * promptly send beyond the end of the users buffer ... so we trap and * report the error in a way the user will notice */ - if (((unsigned int)len < s->rlayer.wnum) - || ((wb->left != 0) && ((unsigned int)len < (s->rlayer.wnum + s->rlayer.wpend_tot)))) { - SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH); + if ((len < s->rlayer.wnum) + || ((wb->left != 0) && (len < (s->rlayer.wnum + s->rlayer.wpend_tot)))) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES, + SSL_R_BAD_LENGTH); + return -1; + } + + if (s->early_data_state == SSL_EARLY_DATA_WRITING + && !early_data_count_ok(s, len, 0, 1)) { + /* SSLfatal() already called */ return -1; } s->rlayer.wnum = 0; - if (SSL_in_init(s) && !ossl_statem_get_in_handshake(s)) { + /* + * When writing early data on the server side we could be "in_init" in + * between receiving the EoED and the CF - but we don't want to handle those + * messages yet. + */ + if (SSL_in_init(s) && !ossl_statem_get_in_handshake(s) + && s->early_data_state != SSL_EARLY_DATA_UNAUTH_WRITING) { i = s->handshake_func(s); + /* SSLfatal() already called */ if (i < 0) - return (i); + return i; if (i == 0) { - SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); return -1; } } @@ -391,13 +394,15 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) * will happen with non blocking IO */ if (wb->left != 0) { - i = ssl3_write_pending(s, type, &buf[tot], s->rlayer.wpend_tot); + /* SSLfatal() already called if appropriate */ + i = ssl3_write_pending(s, type, &buf[tot], s->rlayer.wpend_tot, + &tmpwrit); if (i <= 0) { /* XXX should we ssl3_release_write_buffer if i<0? */ s->rlayer.wnum = tot; return i; } - tot += i; /* this might be last fragment */ + tot += tmpwrit; /* this might be last fragment */ } #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK /* @@ -407,14 +412,15 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) * compromise is considered worthy. */ if (type == SSL3_RT_APPLICATION_DATA && - u_len >= 4 * (max_send_fragment = s->max_send_fragment) && + len >= 4 * (max_send_fragment = ssl_get_max_send_fragment(s)) && s->compress == NULL && s->msg_callback == NULL && !SSL_WRITE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) { unsigned char aad[13]; EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; - int packlen; + size_t packlen; + int packleni; /* minimize address aliasing conflicts */ if ((max_send_fragment & 0xfff) == 0) @@ -425,21 +431,22 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE, - max_send_fragment, NULL); + (int)max_send_fragment, NULL); - if (u_len >= 8 * max_send_fragment) + if (len >= 8 * max_send_fragment) packlen *= 8; else packlen *= 4; if (!ssl3_setup_write_buffer(s, 1, packlen)) { - SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_MALLOC_FAILURE); + /* SSLfatal() already called */ return -1; } } else if (tot == len) { /* done? */ /* free jumbo buffer */ ssl3_release_write_buffer(s); - return tot; + *written = tot; + return 1; } n = (len - tot); @@ -453,6 +460,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) if (s->s3->alert_dispatch) { i = s->method->ssl_dispatch_alert(s); if (i <= 0) { + /* SSLfatal() already called if appropriate */ s->rlayer.wnum = tot; return i; } @@ -473,11 +481,11 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) mb_param.inp = aad; mb_param.len = nw; - packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, + packleni = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_TLS1_1_MULTIBLOCK_AAD, sizeof(mb_param), &mb_param); - - if (packlen <= 0 || packlen > (int)wb->len) { /* never happens */ + packlen = (size_t)packleni; + if (packleni <= 0 || packlen > wb->len) { /* never happens */ /* free jumbo buffer */ ssl3_release_write_buffer(s); break; @@ -506,8 +514,9 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) s->rlayer.wpend_type = type; s->rlayer.wpend_ret = nw; - i = ssl3_write_pending(s, type, &buf[tot], nw); + i = ssl3_write_pending(s, type, &buf[tot], nw, &tmpwrit); if (i <= 0) { + /* SSLfatal() already called if appropriate */ if (i < 0 && (!s->wbio || !BIO_should_retry(s->wbio))) { /* free jumbo buffer */ ssl3_release_write_buffer(s); @@ -515,26 +524,29 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) s->rlayer.wnum = tot; return i; } - if (i == (int)n) { + if (tmpwrit == n) { /* free jumbo buffer */ ssl3_release_write_buffer(s); - return tot + i; + *written = tot + tmpwrit; + return 1; } - n -= i; - tot += i; + n -= tmpwrit; + tot += tmpwrit; } } else -#endif +#endif /* !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK */ if (tot == len) { /* done? */ if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s)) ssl3_release_write_buffer(s); - return tot; + *written = tot; + return 1; } n = (len - tot); - split_send_fragment = s->split_send_fragment; + max_send_fragment = ssl_get_max_send_fragment(s); + split_send_fragment = ssl_get_split_send_fragment(s); /* * If max_pipelines is 0 then this means "undefined" and we default to * 1 pipeline. Similarly if the cipher does not support pipelined @@ -547,7 +559,8 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) * We should have prevented this when we set max_pipelines so we * shouldn't get here */ - SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES, + ERR_R_INTERNAL_ERROR); return -1; } if (maxpipes == 0 @@ -556,19 +569,20 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) & EVP_CIPH_FLAG_PIPELINE) || !SSL_USE_EXPLICIT_IV(s)) maxpipes = 1; - if (s->max_send_fragment == 0 || split_send_fragment > s->max_send_fragment - || split_send_fragment == 0) { + if (max_send_fragment == 0 || split_send_fragment == 0 + || split_send_fragment > max_send_fragment) { /* - * We should have prevented this when we set the split and max send + * We should have prevented this when we set/get the split and max send * fragments so we shouldn't get here */ - SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES, + ERR_R_INTERNAL_ERROR); return -1; } for (;;) { - unsigned int pipelens[SSL_MAX_PIPELINES], tmppipelen, remain; - unsigned int numpipes, j; + size_t pipelens[SSL_MAX_PIPELINES], tmppipelen, remain; + size_t numpipes, j; if (n == 0) numpipes = 1; @@ -577,13 +591,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) if (numpipes > maxpipes) numpipes = maxpipes; - if (n / numpipes >= s->max_send_fragment) { + if (n / numpipes >= max_send_fragment) { /* * We have enough data to completely fill all available * pipelines */ for (j = 0; j < numpipes; j++) { - pipelens[j] = s->max_send_fragment; + pipelens[j] = max_send_fragment; } } else { /* We can partially fill all available pipelines */ @@ -596,14 +610,16 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) } } - i = do_ssl3_write(s, type, &(buf[tot]), pipelens, numpipes, 0); + i = do_ssl3_write(s, type, &(buf[tot]), pipelens, numpipes, 0, + &tmpwrit); if (i <= 0) { + /* SSLfatal() already called if appropriate */ /* XXX should we ssl3_release_write_buffer if i<0? */ s->rlayer.wnum = tot; return i; } - if ((i == (int)n) || + if (tmpwrit == n || (type == SSL3_RT_APPLICATION_DATA && (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) { /* @@ -616,28 +632,32 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) !SSL_IS_DTLS(s)) ssl3_release_write_buffer(s); - return tot + i; + *written = tot + tmpwrit; + return 1; } - n -= i; - tot += i; + n -= tmpwrit; + tot += tmpwrit; } } int do_ssl3_write(SSL *s, int type, const unsigned char *buf, - unsigned int *pipelens, unsigned int numpipes, - int create_empty_fragment) + size_t *pipelens, size_t numpipes, + int create_empty_fragment, size_t *written) { - unsigned char *outbuf[SSL_MAX_PIPELINES], *plen[SSL_MAX_PIPELINES]; + WPACKET pkt[SSL_MAX_PIPELINES]; SSL3_RECORD wr[SSL_MAX_PIPELINES]; + WPACKET *thispkt; + SSL3_RECORD *thiswr; + unsigned char *recordstart; int i, mac_size, clear = 0; - int prefix_len = 0; - int eivlen; + size_t prefix_len = 0; + int eivlen = 0; size_t align = 0; SSL3_BUFFER *wb; SSL_SESSION *sess; - unsigned int totlen = 0; - unsigned int j; + size_t totlen = 0, len, wpinited = 0; + size_t j; for (j = 0; j < numpipes; j++) totlen += pipelens[j]; @@ -645,20 +665,27 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, * first check if there is a SSL3_BUFFER still being written out. This * will happen with non blocking IO */ - if (RECORD_LAYER_write_pending(&s->rlayer)) - return (ssl3_write_pending(s, type, buf, totlen)); + if (RECORD_LAYER_write_pending(&s->rlayer)) { + /* Calls SSLfatal() as required */ + return ssl3_write_pending(s, type, buf, totlen, written); + } /* If we have an alert to send, lets send it */ if (s->s3->alert_dispatch) { i = s->method->ssl_dispatch_alert(s); - if (i <= 0) - return (i); + if (i <= 0) { + /* SSLfatal() already called if appropriate */ + return i; + } /* if it went, fall through and send more stuff */ } - if (s->rlayer.numwpipes < numpipes) - if (!ssl3_setup_write_buffer(s, numpipes, 0)) + if (s->rlayer.numwpipes < numpipes) { + if (!ssl3_setup_write_buffer(s, numpipes, 0)) { + /* SSLfatal() already called */ return -1; + } + } if (totlen == 0 && !create_empty_fragment) return 0; @@ -670,9 +697,13 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, clear = s->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */ mac_size = 0; } else { + /* TODO(siz_t): Convert me */ mac_size = EVP_MD_CTX_size(s->write_hash); - if (mac_size < 0) + if (mac_size < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; + } } /* @@ -691,16 +722,20 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, * 'prefix_len' bytes are sent out later together with the actual * payload) */ - unsigned int tmppipelen = 0; + size_t tmppipelen = 0; + int ret; - prefix_len = do_ssl3_write(s, type, buf, &tmppipelen, 1, 1); - if (prefix_len <= 0) + ret = do_ssl3_write(s, type, buf, &tmppipelen, 1, 1, &prefix_len); + if (ret <= 0) { + /* SSLfatal() already called if appropriate */ goto err; + } if (prefix_len > (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) { /* insufficient space */ - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } } @@ -719,136 +754,325 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, align = (size_t)SSL3_BUFFER_get_buf(wb) + 2 * SSL3_RT_HEADER_LENGTH; align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD); #endif - outbuf[0] = SSL3_BUFFER_get_buf(wb) + align; SSL3_BUFFER_set_offset(wb, align); + if (!WPACKET_init_static_len(&pkt[0], SSL3_BUFFER_get_buf(wb), + SSL3_BUFFER_get_len(wb), 0) + || !WPACKET_allocate_bytes(&pkt[0], align, NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + goto err; + } + wpinited = 1; } else if (prefix_len) { wb = &s->rlayer.wbuf[0]; - outbuf[0] = SSL3_BUFFER_get_buf(wb) + SSL3_BUFFER_get_offset(wb) - + prefix_len; + if (!WPACKET_init_static_len(&pkt[0], + SSL3_BUFFER_get_buf(wb), + SSL3_BUFFER_get_len(wb), 0) + || !WPACKET_allocate_bytes(&pkt[0], SSL3_BUFFER_get_offset(wb) + + prefix_len, NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + goto err; + } + wpinited = 1; } else { for (j = 0; j < numpipes; j++) { + thispkt = &pkt[j]; + wb = &s->rlayer.wbuf[j]; -#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 +#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD != 0 align = (size_t)SSL3_BUFFER_get_buf(wb) + SSL3_RT_HEADER_LENGTH; align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD); #endif - outbuf[j] = SSL3_BUFFER_get_buf(wb) + align; SSL3_BUFFER_set_offset(wb, align); + if (!WPACKET_init_static_len(thispkt, SSL3_BUFFER_get_buf(wb), + SSL3_BUFFER_get_len(wb), 0) + || !WPACKET_allocate_bytes(thispkt, align, NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + goto err; + } + wpinited++; } } /* Explicit IV length, block ciphers appropriate version flag */ - if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s)) { + if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s) && !SSL_TREAT_AS_TLS13(s)) { int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx); if (mode == EVP_CIPH_CBC_MODE) { + /* TODO(size_t): Convert me */ eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx); if (eivlen <= 1) eivlen = 0; - } - /* Need explicit part of IV for GCM mode */ - else if (mode == EVP_CIPH_GCM_MODE) + } else if (mode == EVP_CIPH_GCM_MODE) { + /* Need explicit part of IV for GCM mode */ eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN; - else if (mode == EVP_CIPH_CCM_MODE) + } else if (mode == EVP_CIPH_CCM_MODE) { eivlen = EVP_CCM_TLS_EXPLICIT_IV_LEN; - else - eivlen = 0; - } else - eivlen = 0; + } + } totlen = 0; /* Clear our SSL3_RECORD structures */ memset(wr, 0, sizeof(wr)); for (j = 0; j < numpipes; j++) { - /* write the header */ - *(outbuf[j]++) = type & 0xff; - SSL3_RECORD_set_type(&wr[j], type); + unsigned int version = (s->version == TLS1_3_VERSION) ? TLS1_2_VERSION + : s->version; + unsigned char *compressdata = NULL; + size_t maxcomplen; + unsigned int rectype; + + thispkt = &pkt[j]; + thiswr = &wr[j]; + + /* + * In TLSv1.3, once encrypting, we always use application data for the + * record type + */ + if (SSL_TREAT_AS_TLS13(s) + && s->enc_write_ctx != NULL + && (s->statem.enc_write_state != ENC_WRITE_STATE_WRITE_PLAIN_ALERTS + || type != SSL3_RT_ALERT)) + rectype = SSL3_RT_APPLICATION_DATA; + else + rectype = type; + SSL3_RECORD_set_type(thiswr, rectype); - *(outbuf[j]++) = (s->version >> 8); /* * Some servers hang if initial client hello is larger than 256 bytes * and record version number > TLS 1.0 */ if (SSL_get_state(s) == TLS_ST_CW_CLNT_HELLO - && !s->renegotiate && TLS1_get_version(s) > TLS1_VERSION) - *(outbuf[j]++) = 0x1; - else - *(outbuf[j]++) = s->version & 0xff; + && !s->renegotiate + && TLS1_get_version(s) > TLS1_VERSION + && s->hello_retry_request == SSL_HRR_NONE) + version = TLS1_VERSION; + SSL3_RECORD_set_rec_version(thiswr, version); + + maxcomplen = pipelens[j]; + if (s->compress != NULL) + maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD; - /* field where we are to write out packet length */ - plen[j] = outbuf[j]; - outbuf[j] += 2; + /* write the header */ + if (!WPACKET_put_bytes_u8(thispkt, rectype) + || !WPACKET_put_bytes_u16(thispkt, version) + || !WPACKET_start_sub_packet_u16(thispkt) + || (eivlen > 0 + && !WPACKET_allocate_bytes(thispkt, eivlen, NULL)) + || (maxcomplen > 0 + && !WPACKET_reserve_bytes(thispkt, maxcomplen, + &compressdata))) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + goto err; + } /* lets setup the record stuff. */ - SSL3_RECORD_set_data(&wr[j], outbuf[j] + eivlen); - SSL3_RECORD_set_length(&wr[j], (int)pipelens[j]); - SSL3_RECORD_set_input(&wr[j], (unsigned char *)&buf[totlen]); + SSL3_RECORD_set_data(thiswr, compressdata); + SSL3_RECORD_set_length(thiswr, pipelens[j]); + SSL3_RECORD_set_input(thiswr, (unsigned char *)&buf[totlen]); totlen += pipelens[j]; /* - * we now 'read' from wr->input, wr->length bytes into wr->data + * we now 'read' from thiswr->input, thiswr->length bytes into + * thiswr->data */ /* first we compress */ if (s->compress != NULL) { - if (!ssl3_do_compress(s, &wr[j])) { - SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_COMPRESSION_FAILURE); + if (!ssl3_do_compress(s, thiswr) + || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + SSL_R_COMPRESSION_FAILURE); goto err; } } else { - memcpy(wr[j].data, wr[j].input, wr[j].length); + if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + goto err; + } SSL3_RECORD_reset_input(&wr[j]); } + if (SSL_TREAT_AS_TLS13(s) + && s->enc_write_ctx != NULL + && (s->statem.enc_write_state != ENC_WRITE_STATE_WRITE_PLAIN_ALERTS + || type != SSL3_RT_ALERT)) { + size_t rlen, max_send_fragment; + + if (!WPACKET_put_bytes_u8(thispkt, type)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + goto err; + } + SSL3_RECORD_add_length(thiswr, 1); + + /* Add TLS1.3 padding */ + max_send_fragment = ssl_get_max_send_fragment(s); + rlen = SSL3_RECORD_get_length(thiswr); + if (rlen < max_send_fragment) { + size_t padding = 0; + size_t max_padding = max_send_fragment - rlen; + if (s->record_padding_cb != NULL) { + padding = s->record_padding_cb(s, type, rlen, s->record_padding_arg); + } else if (s->block_padding > 0) { + size_t mask = s->block_padding - 1; + size_t remainder; + + /* optimize for power of 2 */ + if ((s->block_padding & mask) == 0) + remainder = rlen & mask; + else + remainder = rlen % s->block_padding; + /* don't want to add a block of padding if we don't have to */ + if (remainder == 0) + padding = 0; + else + padding = s->block_padding - remainder; + } + if (padding > 0) { + /* do not allow the record to exceed max plaintext length */ + if (padding > max_padding) + padding = max_padding; + if (!WPACKET_memset(thispkt, 0, padding)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + goto err; + } + SSL3_RECORD_add_length(thiswr, padding); + } + } + } + /* - * we should still have the output to wr->data and the input from - * wr->input. Length should be wr->length. wr->data still points in the - * wb->buf + * we should still have the output to thiswr->data and the input from + * wr->input. Length should be thiswr->length. thiswr->data still points + * in the wb->buf */ if (!SSL_WRITE_ETM(s) && mac_size != 0) { - if (s->method->ssl3_enc->mac(s, &wr[j], - &(outbuf[j][wr[j].length + eivlen]), - 1) < 0) + unsigned char *mac; + + if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) + || !s->method->ssl3_enc->mac(s, thiswr, mac, 1)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; - SSL3_RECORD_add_length(&wr[j], mac_size); + } } - SSL3_RECORD_set_data(&wr[j], outbuf[j]); - SSL3_RECORD_reset_input(&wr[j]); - - if (eivlen) { - /* - * if (RAND_pseudo_bytes(p, eivlen) <= 0) goto err; - */ - SSL3_RECORD_add_length(&wr[j], eivlen); + /* + * Reserve some bytes for any growth that may occur during encryption. + * This will be at most one cipher block or the tag length if using + * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case. + */ + if (!WPACKET_reserve_bytes(thispkt, SSL_RT_MAX_CIPHER_BLOCK_SIZE, + NULL) + /* + * We also need next the amount of bytes written to this + * sub-packet + */ + || !WPACKET_get_length(thispkt, &len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + goto err; } + + /* Get a pointer to the start of this record excluding header */ + recordstart = WPACKET_get_curr(thispkt) - len; + + SSL3_RECORD_set_data(thiswr, recordstart); + SSL3_RECORD_reset_input(thiswr); + SSL3_RECORD_set_length(thiswr, len); } - if (s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1) - goto err; + if (s->statem.enc_write_state == ENC_WRITE_STATE_WRITE_PLAIN_ALERTS) { + /* + * We haven't actually negotiated the version yet, but we're trying to + * send early data - so we need to use the tls13enc function. + */ + if (tls13_enc(s, wr, numpipes, 1) < 1) { + if (!ossl_statem_in_error(s)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + } + goto err; + } + } else { + if (s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1) { + if (!ossl_statem_in_error(s)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + } + goto err; + } + } for (j = 0; j < numpipes; j++) { + size_t origlen; + + thispkt = &pkt[j]; + thiswr = &wr[j]; + + /* Allocate bytes for the encryption overhead */ + if (!WPACKET_get_length(thispkt, &origlen) + /* Encryption should never shrink the data! */ + || origlen > thiswr->length + || (thiswr->length > origlen + && !WPACKET_allocate_bytes(thispkt, + thiswr->length - origlen, NULL))) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + goto err; + } if (SSL_WRITE_ETM(s) && mac_size != 0) { - if (s->method->ssl3_enc->mac(s, &wr[j], - outbuf[j] + wr[j].length, 1) < 0) + unsigned char *mac; + + if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) + || !s->method->ssl3_enc->mac(s, thiswr, mac, 1)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; - SSL3_RECORD_add_length(&wr[j], mac_size); + } + SSL3_RECORD_add_length(thiswr, mac_size); } - /* record length after mac and block padding */ - s2n(SSL3_RECORD_get_length(&wr[j]), plen[j]); + if (!WPACKET_get_length(thispkt, &len) + || !WPACKET_close(thispkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + goto err; + } - if (s->msg_callback) - s->msg_callback(1, 0, SSL3_RT_HEADER, plen[j] - 5, 5, s, + if (s->msg_callback) { + recordstart = WPACKET_get_curr(thispkt) - len + - SSL3_RT_HEADER_LENGTH; + s->msg_callback(1, 0, SSL3_RT_HEADER, recordstart, + SSL3_RT_HEADER_LENGTH, s, s->msg_callback_arg); + if (SSL_TREAT_AS_TLS13(s) && s->enc_write_ctx != NULL) { + unsigned char ctype = type; + + s->msg_callback(1, s->version, SSL3_RT_INNER_CONTENT_TYPE, + &ctype, 1, s, s->msg_callback_arg); + } + } + + if (!WPACKET_finish(thispkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + goto err; + } + /* - * we should now have wr->data pointing to the encrypted data, which is - * wr->length long + * we should now have thiswr->data pointing to the encrypted data, which + * is thiswr->length long */ - SSL3_RECORD_set_type(&wr[j], type); /* not needed but helps for + SSL3_RECORD_set_type(thiswr, type); /* not needed but helps for * debugging */ - SSL3_RECORD_add_length(&wr[j], SSL3_RT_HEADER_LENGTH); + SSL3_RECORD_add_length(thiswr, SSL3_RT_HEADER_LENGTH); if (create_empty_fragment) { /* @@ -857,15 +1081,17 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, */ if (j > 0) { /* We should never be pipelining an empty fragment!! */ - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } - return SSL3_RECORD_get_length(wr); + *written = SSL3_RECORD_get_length(thiswr); + return 1; } /* now let's set up wb */ SSL3_BUFFER_set_left(&s->rlayer.wbuf[j], - prefix_len + SSL3_RECORD_get_length(&wr[j])); + prefix_len + SSL3_RECORD_get_length(thiswr)); } /* @@ -878,8 +1104,10 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, s->rlayer.wpend_ret = totlen; /* we now just need to write the buffer */ - return ssl3_write_pending(s, type, buf, totlen); + return ssl3_write_pending(s, type, buf, totlen, written); err: + for (j = 0; j < wpinited; j++) + WPACKET_cleanup(&pkt[j]); return -1; } @@ -887,19 +1115,21 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, * * Return values are as per SSL_write() */ -int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, - unsigned int len) +int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, + size_t *written) { int i; SSL3_BUFFER *wb = s->rlayer.wbuf; - unsigned int currbuf = 0; + size_t currbuf = 0; + size_t tmpwrit = 0; - if ((s->rlayer.wpend_tot > (int)len) + if ((s->rlayer.wpend_tot > len) || (!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER) && (s->rlayer.wpend_buf != buf)) || (s->rlayer.wpend_type != type)) { - SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY); - return (-1); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_PENDING, + SSL_R_BAD_WRITE_RETRY); + return -1; } for (;;) { @@ -912,21 +1142,26 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, clear_sys_error(); if (s->wbio != NULL) { s->rwstate = SSL_WRITING; + /* TODO(size_t): Convert this call */ i = BIO_write(s->wbio, (char *) &(SSL3_BUFFER_get_buf(&wb[currbuf]) [SSL3_BUFFER_get_offset(&wb[currbuf])]), (unsigned int)SSL3_BUFFER_get_left(&wb[currbuf])); + if (i >= 0) + tmpwrit = i; } else { - SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BIO_NOT_SET); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_PENDING, + SSL_R_BIO_NOT_SET); i = -1; } - if (i == SSL3_BUFFER_get_left(&wb[currbuf])) { + if (i > 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) { SSL3_BUFFER_set_left(&wb[currbuf], 0); - SSL3_BUFFER_add_offset(&wb[currbuf], i); + SSL3_BUFFER_add_offset(&wb[currbuf], tmpwrit); if (currbuf + 1 < s->rlayer.numwpipes) continue; s->rwstate = SSL_NOTHING; - return (s->rlayer.wpend_ret); + *written = s->rlayer.wpend_ret; + return 1; } else if (i <= 0) { if (SSL_IS_DTLS(s)) { /* @@ -937,8 +1172,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, } return i; } - SSL3_BUFFER_add_offset(&wb[currbuf], i); - SSL3_BUFFER_add_left(&wb[currbuf], -i); + SSL3_BUFFER_add_offset(&wb[currbuf], tmpwrit); + SSL3_BUFFER_sub_left(&wb[currbuf], tmpwrit); } } @@ -972,27 +1207,31 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, * none of our business */ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, - int len, int peek) + size_t len, int peek, size_t *readbytes) { - int al, i, j, ret; - unsigned int n, curr_rec, num_recs, read_bytes; + int i, j, ret; + size_t n, curr_rec, num_recs, totalbytes; SSL3_RECORD *rr; SSL3_BUFFER *rbuf; void (*cb) (const SSL *ssl, int type2, int val) = NULL; + int is_tls13 = SSL_IS_TLS13(s); rbuf = &s->rlayer.rbuf; if (!SSL3_BUFFER_is_initialised(rbuf)) { /* Not initialized yet */ - if (!ssl3_setup_read_buffer(s)) - return (-1); + if (!ssl3_setup_read_buffer(s)) { + /* SSLfatal() already called */ + return -1; + } } if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE)) || (peek && (type != SSL3_RT_APPLICATION_DATA))) { - SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_BYTES, + ERR_R_INTERNAL_ERROR); return -1; } @@ -1018,7 +1257,8 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (recvd_type != NULL) *recvd_type = SSL3_RT_HANDSHAKE; - return n; + *readbytes = n; + return 1; } /* @@ -1028,12 +1268,11 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (!ossl_statem_get_in_handshake(s) && SSL_in_init(s)) { /* type == SSL3_RT_APPLICATION_DATA */ i = s->handshake_func(s); + /* SSLfatal() already called */ if (i < 0) - return (i); - if (i == 0) { - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } + return i; + if (i == 0) + return -1; } start: s->rwstate = SSL_NOTHING; @@ -1052,14 +1291,16 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, /* get new records if necessary */ if (num_recs == 0) { ret = ssl3_get_record(s); - if (ret <= 0) - return (ret); + if (ret <= 0) { + /* SSLfatal() already called if appropriate */ + return ret; + } num_recs = RECORD_LAYER_get_numrpipes(&s->rlayer); if (num_recs == 0) { /* Shouldn't happen */ - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_BYTES, + ERR_R_INTERNAL_ERROR); + return -1; } } /* Skip over any records we have already read */ @@ -1087,9 +1328,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, * reset by ssl3_get_finished */ && (SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); + return -1; } /* @@ -1099,12 +1340,13 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { SSL3_RECORD_set_length(rr, 0); s->rwstate = SSL_NOTHING; - return (0); + return 0; } if (type == SSL3_RECORD_get_type(rr) || (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC - && type == SSL3_RT_HANDSHAKE && recvd_type != NULL)) { + && type == SSL3_RT_HANDSHAKE && recvd_type != NULL + && !is_tls13)) { /* * SSL3_RT_APPLICATION_DATA or * SSL3_RT_HANDSHAKE or @@ -1116,23 +1358,23 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, */ if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && (s->enc_read_ctx == NULL)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_APP_DATA_IN_HANDSHAKE); + return -1; } if (type == SSL3_RT_HANDSHAKE && SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC && s->rlayer.handshake_fragment_len > 0) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_CCS_RECEIVED_EARLY); + return -1; } if (recvd_type != NULL) *recvd_type = SSL3_RECORD_get_type(rr); - if (len <= 0) { + if (len == 0) { /* * Mark a zero length record as read. This ensures multiple calls to * SSL_read() with a zero length buffer will eventually cause @@ -1140,15 +1382,15 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, */ if (SSL3_RECORD_get_length(rr) == 0) SSL3_RECORD_set_read(rr); - return len; + return 0; } - read_bytes = 0; + totalbytes = 0; do { - if ((unsigned int)len - read_bytes > SSL3_RECORD_get_length(rr)) + if (len - totalbytes > SSL3_RECORD_get_length(rr)) n = SSL3_RECORD_get_length(rr); else - n = (unsigned int)len - read_bytes; + n = len - totalbytes; memcpy(buf, &(rr->data[rr->off]), n); buf += n; @@ -1170,10 +1412,10 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, curr_rec++; rr++; } - read_bytes += n; + totalbytes += n; } while (type == SSL3_RT_APPLICATION_DATA && curr_rec < num_recs - && read_bytes < (unsigned int)len); - if (read_bytes == 0) { + && totalbytes < len); + if (totalbytes == 0) { /* We must have read empty records. Get more data */ goto start; } @@ -1181,7 +1423,8 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, && (s->mode & SSL_MODE_RELEASE_BUFFERS) && SSL3_BUFFER_get_left(rbuf) == 0) ssl3_release_read_buffer(s); - return read_bytes; + *readbytes = totalbytes; + return 1; } /* @@ -1200,9 +1443,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * initial ClientHello. Therefore |type| should always be equal to * |rr->type|. If not then something has gone horribly wrong */ - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_BYTES, + ERR_R_INTERNAL_ERROR); + return -1; } if (s->method->version == TLS_ANY_VERSION @@ -1214,147 +1457,33 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * other than a ClientHello if we are a server. */ s->version = rr->rec_version; - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; - } - - /* - * In case of record types for which we have 'fragment' storage, fill - * that so that we can process the data at a fixed place. - */ - { - unsigned int dest_maxlen = 0; - unsigned char *dest = NULL; - unsigned int *dest_len = NULL; - - if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) { - dest_maxlen = sizeof(s->rlayer.handshake_fragment); - dest = s->rlayer.handshake_fragment; - dest_len = &s->rlayer.handshake_fragment_len; - } else if (SSL3_RECORD_get_type(rr) == SSL3_RT_ALERT) { - dest_maxlen = sizeof(s->rlayer.alert_fragment); - dest = s->rlayer.alert_fragment; - dest_len = &s->rlayer.alert_fragment_len; - } - - if (dest_maxlen > 0) { - n = dest_maxlen - *dest_len; /* available space in 'dest' */ - if (SSL3_RECORD_get_length(rr) < n) - n = SSL3_RECORD_get_length(rr); /* available bytes */ - - /* now move 'n' bytes: */ - while (n-- > 0) { - dest[(*dest_len)++] = - SSL3_RECORD_get_data(rr)[SSL3_RECORD_get_off(rr)]; - SSL3_RECORD_add_off(rr, 1); - SSL3_RECORD_add_length(rr, -1); - } - - if (*dest_len < dest_maxlen) { - SSL3_RECORD_set_read(rr); - goto start; /* fragment was too small */ - } - } + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_UNEXPECTED_MESSAGE); + return -1; } /*- * s->rlayer.handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE; - * s->rlayer.alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT. * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ - /* If we are a client, check for an incoming 'Hello Request': */ - if ((!s->server) && - (s->rlayer.handshake_fragment_len >= 4) && - (s->rlayer.handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && - (s->session != NULL) && (s->session->cipher != NULL)) { - s->rlayer.handshake_fragment_len = 0; - - if ((s->rlayer.handshake_fragment[1] != 0) || - (s->rlayer.handshake_fragment[2] != 0) || - (s->rlayer.handshake_fragment[3] != 0)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_BAD_HELLO_REQUEST); - goto f_err; - } - - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, - s->rlayer.handshake_fragment, 4, s, - s->msg_callback_arg); - if (SSL_is_init_finished(s) && - (s->options & SSL_OP_NO_RENEGOTIATION) == 0 && - !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && - !s->s3->renegotiate) { - ssl3_renegotiate(s); - if (ssl3_renegotiate_check(s)) { - i = s->handshake_func(s); - if (i < 0) - return (i); - if (i == 0) { - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); - } - - if (!(s->mode & SSL_MODE_AUTO_RETRY)) { - if (SSL3_BUFFER_get_left(rbuf) == 0) { - /* no read-ahead left? */ - BIO *bio; - /* - * In the case where we try to read application data, - * but we trigger an SSL handshake, we return -1 with - * the retry option set. Otherwise renegotiation may - * cause nasty problems in the blocking world - */ - s->rwstate = SSL_READING; - bio = SSL_get_rbio(s); - BIO_clear_retry_flags(bio); - BIO_set_retry_read(bio); - return (-1); - } - } - } else { - SSL3_RECORD_set_read(rr); - } - } else { - ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); - SSL3_RECORD_set_read(rr); + if (SSL3_RECORD_get_type(rr) == SSL3_RT_ALERT) { + unsigned int alert_level, alert_descr; + unsigned char *alert_bytes = SSL3_RECORD_get_data(rr) + + SSL3_RECORD_get_off(rr); + PACKET alert; + + if (!PACKET_buf_init(&alert, alert_bytes, SSL3_RECORD_get_length(rr)) + || !PACKET_get_1(&alert, &alert_level) + || !PACKET_get_1(&alert, &alert_descr) + || PACKET_remaining(&alert) != 0) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_INVALID_ALERT); + return -1; } - /* - * we either finished a handshake or ignored the request, now try - * again to obtain the (application) data we were asked for - */ - goto start; - } - /* - * If we are a server and get a client hello when renegotiation isn't - * allowed send back a no renegotiation alert and carry on. - */ - if (s->server - && SSL_is_init_finished(s) - && s->version > SSL3_VERSION - && s->rlayer.handshake_fragment_len >= SSL3_HM_HEADER_LENGTH - && s->rlayer.handshake_fragment[0] == SSL3_MT_CLIENT_HELLO - && s->s3->previous_client_finished_len != 0 - && ((!s->s3->send_connection_binding - && (s->options - & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0) - || (s->options & SSL_OP_NO_RENEGOTIATION) != 0)) { - SSL3_RECORD_set_length(rr, 0); - SSL3_RECORD_set_read(rr); - ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); - goto start; - } - if (s->rlayer.alert_fragment_len >= 2) { - int alert_level = s->rlayer.alert_fragment[0]; - int alert_descr = s->rlayer.alert_fragment[1]; - - s->rlayer.alert_fragment_len = 0; if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_ALERT, - s->rlayer.alert_fragment, 2, s, + s->msg_callback(0, s->version, SSL3_RT_ALERT, alert_bytes, 2, s, s->msg_callback_arg); if (s->info_callback != NULL) @@ -1367,21 +1496,43 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, cb(s, SSL_CB_READ_ALERT, j); } - if (alert_level == SSL3_AL_WARNING) { + if (alert_level == SSL3_AL_WARNING + || (is_tls13 && alert_descr == SSL_AD_USER_CANCELLED)) { s->s3->warn_alert = alert_descr; SSL3_RECORD_set_read(rr); s->rlayer.alert_count++; if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_TOO_MANY_WARN_ALERTS); + return -1; } + } - if (alert_descr == SSL_AD_CLOSE_NOTIFY) { - s->shutdown |= SSL_RECEIVED_SHUTDOWN; - return (0); - } + /* + * Apart from close_notify the only other warning alert in TLSv1.3 + * is user_cancelled - which we just ignore. + */ + if (is_tls13 && alert_descr == SSL_AD_USER_CANCELLED) { + goto start; + } else if (alert_descr == SSL_AD_CLOSE_NOTIFY + && (is_tls13 || alert_level == SSL3_AL_WARNING)) { + s->shutdown |= SSL_RECEIVED_SHUTDOWN; + return 0; + } else if (alert_level == SSL3_AL_FATAL || is_tls13) { + char tmp[16]; + + s->rwstate = SSL_NOTHING; + s->s3->fatal_alert = alert_descr; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_READ_BYTES, + SSL_AD_REASON_OFFSET + alert_descr); + BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr); + ERR_add_error_data(2, "SSL alert number ", tmp); + s->shutdown |= SSL_RECEIVED_SHUTDOWN; + SSL3_RECORD_set_read(rr); + SSL_CTX_remove_session(s->session_ctx, s->session); + return 0; + } else if (alert_descr == SSL_AD_NO_RENEGOTIATION) { /* * This is a warning but we receive it if we requested * renegotiation and the peer denied it. Terminate with a fatal @@ -1390,69 +1541,120 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * future we might have a renegotiation where we don't care if * the peer refused it where we carry on. */ - else if (alert_descr == SSL_AD_NO_RENEGOTIATION) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_NO_RENEGOTIATION); - goto f_err; - } -#ifdef SSL_AD_MISSING_SRP_USERNAME - else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME) - return (0); -#endif - } else if (alert_level == SSL3_AL_FATAL) { - char tmp[16]; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL3_READ_BYTES, + SSL_R_NO_RENEGOTIATION); + return -1; + } else if (alert_level == SSL3_AL_WARNING) { + /* We ignore any other warning alert in TLSv1.2 and below */ + goto start; + } - s->rwstate = SSL_NOTHING; - s->s3->fatal_alert = alert_descr; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); - BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr); - ERR_add_error_data(2, "SSL alert number ", tmp); - s->shutdown |= SSL_RECEIVED_SHUTDOWN; - SSL3_RECORD_set_read(rr); - SSL_CTX_remove_session(s->session_ctx, s->session); - return (0); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL3_READ_BYTES, + SSL_R_UNKNOWN_ALERT_TYPE); + return -1; + } + + if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { + if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) { + BIO *rbio; + + /* + * We ignore any handshake messages sent to us unless they are + * TLSv1.3 in which case we want to process them. For all other + * handshake messages we can't do anything reasonable with them + * because we are unable to write any response due to having already + * sent close_notify. + */ + if (!SSL_IS_TLS13(s)) { + SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); + + if ((s->mode & SSL_MODE_AUTO_RETRY) != 0) + goto start; + + s->rwstate = SSL_READING; + rbio = SSL_get_rbio(s); + BIO_clear_retry_flags(rbio); + BIO_set_retry_read(rbio); + return -1; + } } else { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE); - goto f_err; + /* + * The peer is continuing to send application data, but we have + * already sent close_notify. If this was expected we should have + * been called via SSL_read() and this would have been handled + * above. + * No alert sent because we already sent close_notify + */ + SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_READ_BYTES, + SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY); + return -1; } - - goto start; } - if (s->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a - * shutdown */ - s->rwstate = SSL_NOTHING; - SSL3_RECORD_set_length(rr, 0); - SSL3_RECORD_set_read(rr); - return (0); + /* + * For handshake data we have 'fragment' storage, so fill that so that we + * can process the header at a fixed place. This is done after the + * "SHUTDOWN" code above to avoid filling the fragment storage with data + * that we're just going to discard. + */ + if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) { + size_t dest_maxlen = sizeof(s->rlayer.handshake_fragment); + unsigned char *dest = s->rlayer.handshake_fragment; + size_t *dest_len = &s->rlayer.handshake_fragment_len; + + n = dest_maxlen - *dest_len; /* available space in 'dest' */ + if (SSL3_RECORD_get_length(rr) < n) + n = SSL3_RECORD_get_length(rr); /* available bytes */ + + /* now move 'n' bytes: */ + memcpy(dest + *dest_len, + SSL3_RECORD_get_data(rr) + SSL3_RECORD_get_off(rr), n); + SSL3_RECORD_add_off(rr, n); + SSL3_RECORD_sub_length(rr, n); + *dest_len += n; + if (SSL3_RECORD_get_length(rr) == 0) + SSL3_RECORD_set_read(rr); + + if (*dest_len < dest_maxlen) + goto start; /* fragment was too small */ } if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_CCS_RECEIVED_EARLY); + return -1; } /* - * Unexpected handshake message (Client Hello, or protocol violation) + * Unexpected handshake message (ClientHello, NewSessionTicket (TLS1.3) or + * protocol violation) */ if ((s->rlayer.handshake_fragment_len >= 4) - && !ossl_statem_get_in_handshake(s)) { - if (SSL_is_init_finished(s) && - !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { - ossl_statem_set_in_init(s, 1); - s->renegotiate = 1; - s->new_session = 1; - } + && !ossl_statem_get_in_handshake(s)) { + int ined = (s->early_data_state == SSL_EARLY_DATA_READING); + + /* We found handshake data, so we're going back into init */ + ossl_statem_set_in_init(s, 1); + i = s->handshake_func(s); + /* SSLfatal() already called if appropriate */ if (i < 0) - return (i); + return i; if (i == 0) { - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); - return (-1); + return -1; } + /* + * If we were actually trying to read early data and we found a + * handshake message, then we don't want to continue to try and read + * the application data any more. It won't be "early" now. + */ + if (ined) + return -1; + if (!(s->mode & SSL_MODE_AUTO_RETRY)) { if (SSL3_BUFFER_get_left(rbuf) == 0) { /* no read-ahead left? */ @@ -1467,7 +1669,7 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, bio = SSL_get_rbio(s); BIO_clear_retry_flags(bio); BIO_set_retry_read(bio); - return (-1); + return -1; } } goto start; @@ -1482,9 +1684,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * no progress is being made and the peer continually sends unrecognised * record types, using up resources processing them. */ - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_UNEXPECTED_RECORD); + return -1; case SSL3_RT_CHANGE_CIPHER_SPEC: case SSL3_RT_ALERT: case SSL3_RT_HANDSHAKE: @@ -1493,9 +1695,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but * that should not happen when type != rr->type */ - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + ERR_R_INTERNAL_ERROR); + return -1; case SSL3_RT_APPLICATION_DATA: /* * At this point, we were expecting handshake data, but have @@ -1506,18 +1708,30 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, */ if (ossl_statem_app_data_allowed(s)) { s->s3->in_read_app_data = 2; - return (-1); + return -1; + } else if (ossl_statem_skip_early_data(s)) { + /* + * This can happen after a client sends a CH followed by early_data, + * but the server responds with a HelloRetryRequest. The server + * reads the next record from the client expecting to find a + * plaintext ClientHello but gets a record which appears to be + * application data. The trial decrypt "works" because null + * decryption was applied. We just skip it and move on to the next + * record. + */ + if (!early_data_count_ok(s, rr->length, + EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { + /* SSLfatal() already called */ + return -1; + } + SSL3_RECORD_set_read(rr); + goto start; } else { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_UNEXPECTED_RECORD); + return -1; } } - /* not reached */ - - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return (-1); } void ssl3_record_sequence_update(unsigned char *seq) @@ -1543,7 +1757,7 @@ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl) /* * Returns the length in bytes of the current rrec */ -unsigned int RECORD_LAYER_get_rrec_length(RECORD_LAYER *rl) +size_t RECORD_LAYER_get_rrec_length(RECORD_LAYER *rl) { return SSL3_RECORD_get_length(&rl->rrec[0]); } diff --git a/deps/openssl/openssl/ssl/record/record.h b/deps/openssl/openssl/ssl/record/record.h index 9bb24311be..af56206e07 100644 --- a/deps/openssl/openssl/ssl/record/record.h +++ b/deps/openssl/openssl/ssl/record/record.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -22,9 +22,9 @@ typedef struct ssl3_buffer_st { /* buffer size */ size_t len; /* where to 'copy from' */ - int offset; + size_t offset; /* how many bytes left */ - int left; + size_t left; } SSL3_BUFFER; #define SEQ_NUM_SIZE 8 @@ -38,16 +38,16 @@ typedef struct ssl3_record_st { int type; /* How many bytes available */ /* rw */ - unsigned int length; + size_t length; /* * How many bytes were available before padding was removed? This is used * to implement the MAC check in constant time for CBC records. */ /* rw */ - unsigned int orig_len; + size_t orig_len; /* read/write offset into 'buf' */ /* r */ - unsigned int off; + size_t off; /* pointer to the record data */ /* rw */ unsigned char *data; @@ -82,7 +82,7 @@ typedef struct record_pqueue_st { typedef struct dtls1_record_data_st { unsigned char *packet; - unsigned int packet_length; + size_t packet_length; SSL3_BUFFER rbuf; SSL3_RECORD rrec; #ifndef OPENSSL_NO_SCTP @@ -111,14 +111,6 @@ typedef struct dtls_record_layer_st { * loss. */ record_pqueue buffered_app_data; - /* - * storage for Alert/Handshake protocol data received but not yet - * processed by ssl3_read_bytes: - */ - unsigned char alert_fragment[DTLS1_AL_HEADER_LENGTH]; - unsigned int alert_fragment_len; - unsigned char handshake_fragment[DTLS1_HM_HEADER_LENGTH]; - unsigned int handshake_fragment_len; /* save last and current sequence numbers for retransmissions */ unsigned char last_write_sequence[8]; unsigned char curr_write_sequence[8]; @@ -143,9 +135,9 @@ typedef struct record_layer_st { /* where we are when reading */ int rstate; /* How many pipelines can be used to read data */ - unsigned int numrpipes; + size_t numrpipes; /* How many pipelines can be used to write data */ - unsigned int numwpipes; + size_t numwpipes; /* read IO goes into here */ SSL3_BUFFER rbuf; /* write IO goes into here */ @@ -154,25 +146,19 @@ typedef struct record_layer_st { SSL3_RECORD rrec[SSL_MAX_PIPELINES]; /* used internally to point at a raw packet */ unsigned char *packet; - unsigned int packet_length; + size_t packet_length; /* number of bytes sent so far */ - unsigned int wnum; - /* - * storage for Alert/Handshake protocol data received but not yet - * processed by ssl3_read_bytes: - */ - unsigned char alert_fragment[2]; - unsigned int alert_fragment_len; + size_t wnum; unsigned char handshake_fragment[4]; - unsigned int handshake_fragment_len; + size_t handshake_fragment_len; /* The number of consecutive empty records we have received */ - unsigned int empty_record_count; + size_t empty_record_count; /* partial write - check the numbers match */ /* number bytes written */ - int wpend_tot; + size_t wpend_tot; int wpend_type; /* number of bytes submitted */ - int wpend_ret; + size_t wpend_ret; const unsigned char *wpend_buf; unsigned char read_sequence[SEQ_NUM_SIZE]; unsigned char write_sequence[SEQ_NUM_SIZE]; @@ -202,6 +188,8 @@ typedef struct record_layer_st { ((rl)->d->processed_rcds) #define DTLS_RECORD_LAYER_get_unprocessed_rcds(rl) \ ((rl)->d->unprocessed_rcds) +#define RECORD_LAYER_get_rbuf(rl) (&(rl)->rbuf) +#define RECORD_LAYER_get_wbuf(rl) ((rl)->wbuf) void RECORD_LAYER_init(RECORD_LAYER *rl, SSL *s); void RECORD_LAYER_clear(RECORD_LAYER *rl); @@ -209,35 +197,40 @@ void RECORD_LAYER_release(RECORD_LAYER *rl); int RECORD_LAYER_read_pending(const RECORD_LAYER *rl); int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl); int RECORD_LAYER_write_pending(const RECORD_LAYER *rl); -int RECORD_LAYER_set_data(RECORD_LAYER *rl, const unsigned char *buf, int len); void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl); void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl); int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl); -unsigned int RECORD_LAYER_get_rrec_length(RECORD_LAYER *rl); -__owur int ssl3_pending(const SSL *s); -__owur int ssl3_write_bytes(SSL *s, int type, const void *buf, int len); -__owur int do_ssl3_write(SSL *s, int type, const unsigned char *buf, - unsigned int *pipelens, unsigned int numpipes, - int create_empty_fragment); +size_t RECORD_LAYER_get_rrec_length(RECORD_LAYER *rl); +__owur size_t ssl3_pending(const SSL *s); +__owur int ssl3_write_bytes(SSL *s, int type, const void *buf, size_t len, + size_t *written); +int do_ssl3_write(SSL *s, int type, const unsigned char *buf, + size_t *pipelens, size_t numpipes, + int create_empty_fragment, size_t *written); __owur int ssl3_read_bytes(SSL *s, int type, int *recvd_type, - unsigned char *buf, int len, int peek); + unsigned char *buf, size_t len, int peek, + size_t *readbytes); __owur int ssl3_setup_buffers(SSL *s); -__owur int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, unsigned int n_recs, int send); +__owur int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int send); __owur int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send); -__owur int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, - unsigned int len); -__owur int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send); +__owur int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, + size_t *written); +__owur int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send); __owur int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send); +__owur int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send); int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl); void DTLS_RECORD_LAYER_free(RECORD_LAYER *rl); void DTLS_RECORD_LAYER_clear(RECORD_LAYER *rl); void DTLS_RECORD_LAYER_set_saved_w_epoch(RECORD_LAYER *rl, unsigned short e); void DTLS_RECORD_LAYER_clear(RECORD_LAYER *rl); -void DTLS_RECORD_LAYER_resync_write(RECORD_LAYER *rl); void DTLS_RECORD_LAYER_set_write_sequence(RECORD_LAYER *rl, unsigned char *seq); __owur int dtls1_read_bytes(SSL *s, int type, int *recvd_type, - unsigned char *buf, int len, int peek); -__owur int dtls1_write_bytes(SSL *s, int type, const void *buf, int len); -__owur int do_dtls1_write(SSL *s, int type, const unsigned char *buf, - unsigned int len, int create_empty_fragement); + unsigned char *buf, size_t len, int peek, + size_t *readbytes); +__owur int dtls1_write_bytes(SSL *s, int type, const void *buf, size_t len, + size_t *written); +int do_dtls1_write(SSL *s, int type, const unsigned char *buf, + size_t len, int create_empty_fragment, size_t *written); void dtls1_reset_seq_numbers(SSL *s, int rw); +int dtls_buffer_listen_record(SSL *s, size_t len, unsigned char *seq, + size_t off); diff --git a/deps/openssl/openssl/ssl/record/record_locl.h b/deps/openssl/openssl/ssl/record/record_locl.h index b69afd8002..5e8dd7f704 100644 --- a/deps/openssl/openssl/ssl/record/record_locl.h +++ b/deps/openssl/openssl/ssl/record/record_locl.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -18,8 +18,6 @@ /* Functions/macros provided by the RECORD_LAYER component */ -#define RECORD_LAYER_get_rbuf(rl) (&(rl)->rbuf) -#define RECORD_LAYER_get_wbuf(rl) ((rl)->wbuf) #define RECORD_LAYER_get_rrec(rl) ((rl)->rrec) #define RECORD_LAYER_set_packet(rl, p) ((rl)->packet = (p)) #define RECORD_LAYER_reset_packet_length(rl) ((rl)->packet_length = 0) @@ -38,9 +36,9 @@ #define RECORD_LAYER_clear_first_record(rl) ((rl)->is_first_record = 0) #define DTLS_RECORD_LAYER_get_r_epoch(rl) ((rl)->d->r_epoch) -__owur int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold); +__owur int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, + size_t *readbytes); -void RECORD_LAYER_set_write_sequence(RECORD_LAYER *rl, const unsigned char *ws); DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch); int dtls1_process_buffered_records(SSL *s); @@ -61,7 +59,7 @@ void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); #define SSL3_BUFFER_set_len(b, l) ((b)->len = (l)) #define SSL3_BUFFER_get_left(b) ((b)->left) #define SSL3_BUFFER_set_left(b, l) ((b)->left = (l)) -#define SSL3_BUFFER_add_left(b, l) ((b)->left += (l)) +#define SSL3_BUFFER_sub_left(b, l) ((b)->left -= (l)) #define SSL3_BUFFER_get_offset(b) ((b)->offset) #define SSL3_BUFFER_set_offset(b, o) ((b)->offset = (o)) #define SSL3_BUFFER_add_offset(b, o) ((b)->offset += (o)) @@ -69,10 +67,10 @@ void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); #define SSL3_BUFFER_set_default_len(b, l) ((b)->default_len = (l)) void SSL3_BUFFER_clear(SSL3_BUFFER *b); -void SSL3_BUFFER_set_data(SSL3_BUFFER *b, const unsigned char *d, int n); +void SSL3_BUFFER_set_data(SSL3_BUFFER *b, const unsigned char *d, size_t n); void SSL3_BUFFER_release(SSL3_BUFFER *b); __owur int ssl3_setup_read_buffer(SSL *s); -__owur int ssl3_setup_write_buffer(SSL *s, unsigned int numwpipes, size_t len); +__owur int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len); int ssl3_release_read_buffer(SSL *s); int ssl3_release_write_buffer(SSL *s); @@ -80,6 +78,7 @@ int ssl3_release_write_buffer(SSL *s); #define SSL3_RECORD_get_type(r) ((r)->type) #define SSL3_RECORD_set_type(r, t) ((r)->type = (t)) +#define SSL3_RECORD_set_rec_version(r, v) ((r)->rec_version = (v)) #define SSL3_RECORD_get_length(r) ((r)->length) #define SSL3_RECORD_set_length(r, l) ((r)->length = (l)) #define SSL3_RECORD_add_length(r, l) ((r)->length += (l)) @@ -99,18 +98,19 @@ int ssl3_release_write_buffer(SSL *s); #define SSL3_RECORD_is_read(r) ((r)->read) #define SSL3_RECORD_set_read(r) ((r)->read = 1) -void SSL3_RECORD_clear(SSL3_RECORD *r, unsigned int num_recs); -void SSL3_RECORD_release(SSL3_RECORD *r, unsigned int num_recs); +void SSL3_RECORD_clear(SSL3_RECORD *r, size_t); +void SSL3_RECORD_release(SSL3_RECORD *r, size_t num_recs); void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num); int ssl3_get_record(SSL *s); __owur int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr); __owur int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr); -void ssl3_cbc_copy_mac(unsigned char *out, - const SSL3_RECORD *rec, unsigned md_size); +int ssl3_cbc_copy_mac(unsigned char *out, + const SSL3_RECORD *rec, size_t md_size); __owur int ssl3_cbc_remove_padding(SSL3_RECORD *rec, - unsigned block_size, unsigned mac_size); + size_t block_size, size_t mac_size); __owur int tls1_cbc_remove_padding(const SSL *s, SSL3_RECORD *rec, - unsigned block_size, unsigned mac_size); + size_t block_size, size_t mac_size); int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap); __owur int dtls1_get_record(SSL *s); +int early_data_count_ok(SSL *s, size_t length, size_t overhead, int send); diff --git a/deps/openssl/openssl/ssl/record/ssl3_buffer.c b/deps/openssl/openssl/ssl/record/ssl3_buffer.c index b6ed771ca9..53bd4cb190 100644 --- a/deps/openssl/openssl/ssl/record/ssl3_buffer.c +++ b/deps/openssl/openssl/ssl/record/ssl3_buffer.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -10,7 +10,7 @@ #include "../ssl_locl.h" #include "record_locl.h" -void SSL3_BUFFER_set_data(SSL3_BUFFER *b, const unsigned char *d, int n) +void SSL3_BUFFER_set_data(SSL3_BUFFER *b, const unsigned char *d, size_t n) { if (d != NULL) memcpy(b->buf, d, n); @@ -60,26 +60,30 @@ int ssl3_setup_read_buffer(SSL *s) #endif if (b->default_len > len) len = b->default_len; - if ((p = OPENSSL_malloc(len)) == NULL) - goto err; + if ((p = OPENSSL_malloc(len)) == NULL) { + /* + * We've got a malloc failure, and we're still initialising buffers. + * We assume we're so doomed that we won't even be able to send an + * alert. + */ + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_SETUP_READ_BUFFER, + ERR_R_MALLOC_FAILURE); + return 0; + } b->buf = p; b->len = len; } RECORD_LAYER_set_packet(&s->rlayer, &(b->buf[0])); return 1; - - err: - SSLerr(SSL_F_SSL3_SETUP_READ_BUFFER, ERR_R_MALLOC_FAILURE); - return 0; } -int ssl3_setup_write_buffer(SSL *s, unsigned int numwpipes, size_t len) +int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len) { unsigned char *p; size_t align = 0, headerlen; SSL3_BUFFER *wb; - unsigned int currpipe; + size_t currpipe; s->rlayer.numwpipes = numwpipes; @@ -93,7 +97,7 @@ int ssl3_setup_write_buffer(SSL *s, unsigned int numwpipes, size_t len) align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); #endif - len = s->max_send_fragment + len = ssl_get_max_send_fragment(s) + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; #ifndef OPENSSL_NO_COMP if (ssl_allow_compression(s)) @@ -107,11 +111,23 @@ int ssl3_setup_write_buffer(SSL *s, unsigned int numwpipes, size_t len) for (currpipe = 0; currpipe < numwpipes; currpipe++) { SSL3_BUFFER *thiswb = &wb[currpipe]; + if (thiswb->buf != NULL && thiswb->len != len) { + OPENSSL_free(thiswb->buf); + thiswb->buf = NULL; /* force reallocation */ + } + if (thiswb->buf == NULL) { p = OPENSSL_malloc(len); if (p == NULL) { s->rlayer.numwpipes = currpipe; - goto err; + /* + * We've got a malloc failure, and we're still initialising + * buffers. We assume we're so doomed that we won't even be able + * to send an alert. + */ + SSLfatal(s, SSL_AD_NO_ALERT, + SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE); + return 0; } memset(thiswb, 0, sizeof(SSL3_BUFFER)); thiswb->buf = p; @@ -120,25 +136,25 @@ int ssl3_setup_write_buffer(SSL *s, unsigned int numwpipes, size_t len) } return 1; - - err: - SSLerr(SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE); - return 0; } int ssl3_setup_buffers(SSL *s) { - if (!ssl3_setup_read_buffer(s)) + if (!ssl3_setup_read_buffer(s)) { + /* SSLfatal() already called */ return 0; - if (!ssl3_setup_write_buffer(s, 1, 0)) + } + if (!ssl3_setup_write_buffer(s, 1, 0)) { + /* SSLfatal() already called */ return 0; + } return 1; } int ssl3_release_write_buffer(SSL *s) { SSL3_BUFFER *wb; - unsigned int pipes; + size_t pipes; pipes = s->rlayer.numwpipes; while (pipes > 0) { diff --git a/deps/openssl/openssl/ssl/record/ssl3_record.c b/deps/openssl/openssl/ssl/record/ssl3_record.c index c80add37f9..e59ac5a676 100644 --- a/deps/openssl/openssl/ssl/record/ssl3_record.c +++ b/deps/openssl/openssl/ssl/record/ssl3_record.c @@ -7,11 +7,11 @@ * https://www.openssl.org/source/license.html */ -#include <assert.h> #include "../ssl_locl.h" #include "internal/constant_time_locl.h" #include <openssl/rand.h> #include "record_locl.h" +#include "internal/cryptlib.h" static const unsigned char ssl3_pad_1[48] = { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, @@ -34,10 +34,10 @@ static const unsigned char ssl3_pad_2[48] = { /* * Clear the contents of an SSL3_RECORD but retain any memory allocated */ -void SSL3_RECORD_clear(SSL3_RECORD *r, unsigned int num_recs) +void SSL3_RECORD_clear(SSL3_RECORD *r, size_t num_recs) { unsigned char *comp; - unsigned int i; + size_t i; for (i = 0; i < num_recs; i++) { comp = r[i].comp; @@ -47,9 +47,9 @@ void SSL3_RECORD_clear(SSL3_RECORD *r, unsigned int num_recs) } } -void SSL3_RECORD_release(SSL3_RECORD *r, unsigned int num_recs) +void SSL3_RECORD_release(SSL3_RECORD *r, size_t num_recs) { - unsigned int i; + size_t i; for (i = 0; i < num_recs; i++) { OPENSSL_free(r[i].comp); @@ -69,7 +69,7 @@ void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num) static int ssl3_record_app_data_waiting(SSL *s) { SSL3_BUFFER *rbuf; - int left, len; + size_t left, len; unsigned char *p; rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); @@ -101,6 +101,53 @@ static int ssl3_record_app_data_waiting(SSL *s) return 1; } +int early_data_count_ok(SSL *s, size_t length, size_t overhead, int send) +{ + uint32_t max_early_data; + SSL_SESSION *sess = s->session; + + /* + * If we are a client then we always use the max_early_data from the + * session/psksession. Otherwise we go with the lowest out of the max early + * data set in the session and the configured max_early_data. + */ + if (!s->server && sess->ext.max_early_data == 0) { + if (!ossl_assert(s->psksession != NULL + && s->psksession->ext.max_early_data > 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_EARLY_DATA_COUNT_OK, + ERR_R_INTERNAL_ERROR); + return 0; + } + sess = s->psksession; + } + + if (!s->server) + max_early_data = sess->ext.max_early_data; + else if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED) + max_early_data = s->recv_max_early_data; + else + max_early_data = s->recv_max_early_data < sess->ext.max_early_data + ? s->recv_max_early_data : sess->ext.max_early_data; + + if (max_early_data == 0) { + SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); + return 0; + } + + /* If we are dealing with ciphertext we need to allow for the overhead */ + max_early_data += overhead; + + if (s->early_data_count + length > max_early_data) { + SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); + return 0; + } + s->early_data_count += length; + + return 1; +} + /* * MAX_EMPTY_RECORDS defines the number of consecutive, empty records that * will be processed per call to ssl3_get_record. Without this limit an @@ -125,19 +172,20 @@ static int ssl3_record_app_data_waiting(SSL *s) /* used only by ssl3_read_bytes */ int ssl3_get_record(SSL *s) { - int ssl_major, ssl_minor, al; - int enc_err, n, i, ret = -1; - SSL3_RECORD *rr; + int enc_err, rret; + int i; + size_t more, n; + SSL3_RECORD *rr, *thisrr; SSL3_BUFFER *rbuf; SSL_SESSION *sess; unsigned char *p; unsigned char md[EVP_MAX_MD_SIZE]; - short version; - unsigned mac_size; + unsigned int version; + size_t mac_size; int imac_size; - unsigned int num_recs = 0; - unsigned int max_recs; - unsigned int j; + size_t num_recs = 0, max_recs, j; + PACKET pkt, sslv2pkt; + size_t first_rec_len; rr = RECORD_LAYER_get_rrec(&s->rlayer); rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); @@ -147,24 +195,42 @@ int ssl3_get_record(SSL *s) sess = s->session; do { + thisrr = &rr[num_recs]; + /* check if we have the header */ if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) || (RECORD_LAYER_get_packet_length(&s->rlayer) < SSL3_RT_HEADER_LENGTH)) { - n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, - SSL3_BUFFER_get_len(rbuf), 0, - num_recs == 0 ? 1 : 0); - if (n <= 0) - return (n); /* error or non-blocking */ + size_t sslv2len; + unsigned int type; + + rret = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, + SSL3_BUFFER_get_len(rbuf), 0, + num_recs == 0 ? 1 : 0, &n); + if (rret <= 0) + return rret; /* error or non-blocking */ RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY); p = RECORD_LAYER_get_packet(&s->rlayer); - + if (!PACKET_buf_init(&pkt, RECORD_LAYER_get_packet(&s->rlayer), + RECORD_LAYER_get_packet_length(&s->rlayer))) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; + } + sslv2pkt = pkt; + if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len) + || !PACKET_get_1(&sslv2pkt, &type)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; + } /* * The first record received by the server may be a V2ClientHello. */ if (s->server && RECORD_LAYER_is_first_record(&s->rlayer) - && (p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) { + && (sslv2len & 0x8000) != 0 + && (type == SSL2_MT_CLIENT_HELLO)) { /* * SSLv2 style record * @@ -174,22 +240,22 @@ int ssl3_get_record(SSL *s) * because it is an SSLv2ClientHello. We keep it using * |num_recs| for the sake of consistency */ - rr[num_recs].type = SSL3_RT_HANDSHAKE; - rr[num_recs].rec_version = SSL2_VERSION; + thisrr->type = SSL3_RT_HANDSHAKE; + thisrr->rec_version = SSL2_VERSION; - rr[num_recs].length = ((p[0] & 0x7f) << 8) | p[1]; + thisrr->length = sslv2len & 0x7fff; - if (rr[num_recs].length > SSL3_BUFFER_get_len(rbuf) + if (thisrr->length > SSL3_BUFFER_get_len(rbuf) - SSL2_RT_HEADER_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_PACKET_LENGTH_TOO_LONG); + return -1; } - if (rr[num_recs].length < MIN_SSL2_RECORD_LEN) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + if (thisrr->length < MIN_SSL2_RECORD_LEN) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return -1; } } else { /* SSLv3+ style record */ @@ -198,19 +264,29 @@ int ssl3_get_record(SSL *s) s->msg_callback_arg); /* Pull apart the header into the SSL3_RECORD */ - rr[num_recs].type = *(p++); - ssl_major = *(p++); - ssl_minor = *(p++); - version = (ssl_major << 8) | ssl_minor; - rr[num_recs].rec_version = version; - n2s(p, rr[num_recs].length); - - /* Lets check version */ - if (!s->first_packet && version != s->version) { - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER); + if (!PACKET_get_1(&pkt, &type) + || !PACKET_get_net_2(&pkt, &version) + || !PACKET_get_net_2_len(&pkt, &thisrr->length)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; + } + thisrr->type = type; + thisrr->rec_version = version; + + /* + * Lets check version. In TLSv1.3 we only check this field + * when encryption is occurring (see later check). For the + * ServerHello after an HRR we haven't actually selected TLSv1.3 + * yet, but we still treat it as TLSv1.3, so we must check for + * that explicitly + */ + if (!s->first_packet && !SSL_IS_TLS13(s) + && s->hello_retry_request != SSL_HRR_PENDING + && version != (unsigned int)s->version) { if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash) { - if (rr->type == SSL3_RT_ALERT) { + if (thisrr->type == SSL3_RT_ALERT) { /* * The record is using an incorrect version number, * but what we've got appears to be an alert. We @@ -219,15 +295,18 @@ int ssl3_get_record(SSL *s) * shouldn't send a fatal alert back. We'll just * end. */ - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } /* * Send back error using their minor version number :-) */ s->version = (unsigned short)version; } - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } if ((version >> 8) != SSL3_VERSION_MAJOR) { @@ -239,97 +318,135 @@ int ssl3_get_record(SSL *s) strncmp((char *)p, "POST ", 5) == 0 || strncmp((char *)p, "HEAD ", 5) == 0 || strncmp((char *)p, "PUT ", 4) == 0) { - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST); - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_HTTP_REQUEST); + return -1; } else if (strncmp((char *)p, "CONNE", 5) == 0) { - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_HTTPS_PROXY_REQUEST); - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_HTTPS_PROXY_REQUEST); + return -1; } /* Doesn't look like TLS - don't send an alert */ - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_WRONG_VERSION_NUMBER); - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } else { - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_WRONG_VERSION_NUMBER); - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; + } + } + + if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) { + if (thisrr->type != SSL3_RT_APPLICATION_DATA + && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC + || !SSL_IS_FIRST_HANDSHAKE(s)) + && (thisrr->type != SSL3_RT_ALERT + || s->statem.enc_read_state + != ENC_READ_STATE_ALLOW_PLAIN_ALERTS)) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); + return -1; + } + if (thisrr->rec_version != TLS1_2_VERSION) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } } - if (rr[num_recs].length > + if (thisrr->length > SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_PACKET_LENGTH_TOO_LONG); + return -1; } } /* now s->rlayer.rstate == SSL_ST_READ_BODY */ } + if (SSL_IS_TLS13(s)) { + if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return -1; + } + } else { + size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH; + +#ifndef OPENSSL_NO_COMP + /* + * If OPENSSL_NO_COMP is defined then SSL3_RT_MAX_ENCRYPTED_LENGTH + * does not include the compression overhead anyway. + */ + if (s->expand == NULL) + len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD; +#endif + + if (thisrr->length > len) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return -1; + } + } + /* * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data. * Calculate how much more data we need to read for the rest of the * record */ - if (rr[num_recs].rec_version == SSL2_VERSION) { - i = rr[num_recs].length + SSL2_RT_HEADER_LENGTH + if (thisrr->rec_version == SSL2_VERSION) { + more = thisrr->length + SSL2_RT_HEADER_LENGTH - SSL3_RT_HEADER_LENGTH; } else { - i = rr[num_recs].length; + more = thisrr->length; } - if (i > 0) { + if (more > 0) { /* now s->packet_length == SSL3_RT_HEADER_LENGTH */ - n = ssl3_read_n(s, i, i, 1, 0); - if (n <= 0) - return (n); /* error or non-blocking io */ + rret = ssl3_read_n(s, more, more, 1, 0, &n); + if (rret <= 0) + return rret; /* error or non-blocking io */ } /* set state for later operations */ RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER); /* - * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length, - * or s->packet_length == SSL2_RT_HEADER_LENGTH + rr->length - * and we have that many bytes in s->packet + * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH + * + thisrr->length, or s->packet_length == SSL2_RT_HEADER_LENGTH + * + thisrr->length and we have that many bytes in s->packet */ - if (rr[num_recs].rec_version == SSL2_VERSION) { - rr[num_recs].input = + if (thisrr->rec_version == SSL2_VERSION) { + thisrr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[SSL2_RT_HEADER_LENGTH]); } else { - rr[num_recs].input = + thisrr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]); } /* - * ok, we can now read from 's->packet' data into 'rr' rr->input points - * at rr->length bytes, which need to be copied into rr->data by either - * the decryption or by the decompression When the data is 'copied' into - * the rr->data buffer, rr->input will be pointed at the new buffer + * ok, we can now read from 's->packet' data into 'thisrr' thisrr->input + * points at thisrr->length bytes, which need to be copied into + * thisrr->data by either the decryption or by the decompression When + * the data is 'copied' into the thisrr->data buffer, thisrr->input will + * be pointed at the new buffer */ /* - * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length - * bytes of encrypted compressed stuff. + * We now have - encrypted [ MAC [ compressed [ plain ] ] ] + * thisrr->length bytes of encrypted compressed stuff. */ - /* check is not needed I believe */ - if (rr[num_recs].length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; - } - - /* decrypt in place in 'rr->input' */ - rr[num_recs].data = rr[num_recs].input; - rr[num_recs].orig_len = rr[num_recs].length; + /* decrypt in place in 'thisrr->input' */ + thisrr->data = thisrr->input; + thisrr->orig_len = thisrr->length; /* Mark this record as not read by upper layers yet */ - rr[num_recs].read = 0; + thisrr->read = 0; num_recs++; @@ -337,65 +454,121 @@ int ssl3_get_record(SSL *s) RECORD_LAYER_reset_packet_length(&s->rlayer); RECORD_LAYER_clear_first_record(&s->rlayer); } while (num_recs < max_recs - && rr[num_recs - 1].type == SSL3_RT_APPLICATION_DATA + && thisrr->type == SSL3_RT_APPLICATION_DATA && SSL_USE_EXPLICIT_IV(s) && s->enc_read_ctx != NULL && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) & EVP_CIPH_FLAG_PIPELINE) && ssl3_record_app_data_waiting(s)); + if (num_recs == 1 + && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC + && (SSL_IS_TLS13(s) || s->hello_retry_request != SSL_HRR_NONE) + && SSL_IS_FIRST_HANDSHAKE(s)) { + /* + * CCS messages must be exactly 1 byte long, containing the value 0x01 + */ + if (thisrr->length != 1 || thisrr->data[0] != 0x01) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL3_GET_RECORD, + SSL_R_INVALID_CCS_MESSAGE); + return -1; + } + /* + * CCS messages are ignored in TLSv1.3. We treat it like an empty + * handshake record + */ + thisrr->type = SSL3_RT_HANDSHAKE; + RECORD_LAYER_inc_empty_record_count(&s->rlayer); + if (RECORD_LAYER_get_empty_record_count(&s->rlayer) + > MAX_EMPTY_RECORDS) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_UNEXPECTED_CCS_MESSAGE); + return -1; + } + thisrr->read = 1; + RECORD_LAYER_set_numrpipes(&s->rlayer, 1); + + return 1; + } + /* * If in encrypt-then-mac mode calculate mac from encrypted record. All * the details below are public so no timing details can leak. */ if (SSL_READ_ETM(s) && s->read_hash) { unsigned char *mac; - + /* TODO(size_t): convert this to do size_t properly */ imac_size = EVP_MD_CTX_size(s->read_hash); - assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE); - if (imac_size < 0 || imac_size > EVP_MAX_MD_SIZE) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_LIB_EVP); - goto f_err; + if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_LIB_EVP); + return -1; } - mac_size = (unsigned)imac_size; - + mac_size = (size_t)imac_size; for (j = 0; j < num_recs; j++) { - if (rr[j].length < mac_size) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + thisrr = &rr[j]; + + if (thisrr->length < mac_size) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return -1; } - rr[j].length -= mac_size; - mac = rr[j].data + rr[j].length; - i = s->method->ssl3_enc->mac(s, &rr[j], md, 0 /* not send */ ); - if (i < 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { - al = SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD, + thisrr->length -= mac_size; + mac = thisrr->data + thisrr->length; + i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ ); + if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) { + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; + return -1; } } } + first_rec_len = rr[0].length; + enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0); + /*- * enc_err is: - * 0: (in non-constant time) if the record is publically invalid. + * 0: (in non-constant time) if the record is publicly invalid. * 1: if the padding is valid * -1: if the padding is invalid */ if (enc_err == 0) { - al = SSL_AD_DECRYPTION_FAILED; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); - goto f_err; + if (ossl_statem_in_error(s)) { + /* SSLfatal() already got called */ + return -1; + } + if (num_recs == 1 && ossl_statem_skip_early_data(s)) { + /* + * Valid early_data that we cannot decrypt might fail here as + * publicly invalid. We treat it like an empty record. + */ + + thisrr = &rr[0]; + + if (!early_data_count_ok(s, thisrr->length, + EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { + /* SSLfatal() already called */ + return -1; + } + + thisrr->length = 0; + thisrr->read = 1; + RECORD_LAYER_set_numrpipes(&s->rlayer, 1); + RECORD_LAYER_reset_read_sequence(&s->rlayer); + return 1; + } + SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD, + SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); + return -1; } #ifdef SSL_DEBUG - printf("dec %d\n", rr->length); + printf("dec %lu\n", (unsigned long)rr[0].length); { - unsigned int z; - for (z = 0; z < rr->length; z++) - printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n'); + size_t z; + for (z = 0; z < rr[0].length; z++) + printf("%02X%c", rr[0].data[z], ((z + 1) % 16) ? ' ' : '\n'); } printf("\n"); #endif @@ -409,22 +582,27 @@ int ssl3_get_record(SSL *s) unsigned char mac_tmp[EVP_MAX_MD_SIZE]; mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); + if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; + } for (j = 0; j < num_recs; j++) { + thisrr = &rr[j]; /* * orig_len is the length of the record before any padding was * removed. This is public information, as is the MAC in use, * therefore we can safely process the record in a different amount * of time if it's too short to possibly contain a MAC. */ - if (rr[j].orig_len < mac_size || + if (thisrr->orig_len < mac_size || /* CBC records must have a padding length byte too. */ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && - rr[j].orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + thisrr->orig_len < mac_size + 1)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return -1; } if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { @@ -435,28 +613,59 @@ int ssl3_get_record(SSL *s) * contents of the padding bytes. */ mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, &rr[j], mac_size); - rr[j].length -= mac_size; + if (!ssl3_cbc_copy_mac(mac_tmp, thisrr, mac_size)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; + } + thisrr->length -= mac_size; } else { /* * In this case there's no padding, so |rec->orig_len| equals * |rec->length| and we checked that there's enough bytes for * |mac_size| above. */ - rr[j].length -= mac_size; - mac = &rr[j].data[rr[j].length]; + thisrr->length -= mac_size; + mac = &thisrr->data[thisrr->length]; } - i = s->method->ssl3_enc->mac(s, &rr[j], md, 0 /* not send */ ); - if (i < 0 || mac == NULL + i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ ); + if (i == 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) enc_err = -1; - if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) + if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) enc_err = -1; } } if (enc_err < 0) { + if (ossl_statem_in_error(s)) { + /* We already called SSLfatal() */ + return -1; + } + if (num_recs == 1 && ossl_statem_skip_early_data(s)) { + /* + * We assume this is unreadable early_data - we treat it like an + * empty record + */ + + /* + * The record length may have been modified by the mac check above + * so we use the previously saved value + */ + if (!early_data_count_ok(s, first_rec_len, + EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { + /* SSLfatal() already called */ + return -1; + } + + thisrr = &rr[0]; + thisrr->length = 0; + thisrr->read = 1; + RECORD_LAYER_set_numrpipes(&s->rlayer, 1); + RECORD_LAYER_reset_read_sequence(&s->rlayer); + return 1; + } /* * A separate 'decryption_failed' alert was introduced with TLS 1.0, * SSL 3.0 only has 'bad_record_mac'. But unless a decryption @@ -464,63 +673,120 @@ int ssl3_get_record(SSL *s) * not reveal which kind of error occurred -- this might become * visible to an attacker (e.g. via a logfile) */ - al = SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD, + SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); + return -1; } for (j = 0; j < num_recs; j++) { - /* rr[j].length is now just compressed */ + thisrr = &rr[j]; + + /* thisrr->length is now just compressed */ if (s->expand != NULL) { - if (rr[j].length > SSL3_RT_MAX_COMPRESSED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG); - goto f_err; + if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_COMPRESSED_LENGTH_TOO_LONG); + return -1; } - if (!ssl3_do_uncompress(s, &rr[j])) { - al = SSL_AD_DECOMPRESSION_FAILURE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION); - goto f_err; + if (!ssl3_do_uncompress(s, thisrr)) { + SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_DECOMPRESSION); + return -1; } } - if (rr[j].length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; + if (SSL_IS_TLS13(s) + && s->enc_read_ctx != NULL + && thisrr->type != SSL3_RT_ALERT) { + size_t end; + + if (thisrr->length == 0 + || thisrr->type != SSL3_RT_APPLICATION_DATA) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_RECORD_TYPE); + return -1; + } + + /* Strip trailing padding */ + for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0; + end--) + continue; + + thisrr->length = end; + thisrr->type = thisrr->data[end]; + if (thisrr->type != SSL3_RT_APPLICATION_DATA + && thisrr->type != SSL3_RT_ALERT + && thisrr->type != SSL3_RT_HANDSHAKE) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_RECORD_TYPE); + return -1; + } + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE, + &thisrr->data[end], 1, s, s->msg_callback_arg); } - rr[j].off = 0; + /* + * TLSv1.3 alert and handshake records are required to be non-zero in + * length. + */ + if (SSL_IS_TLS13(s) + && (thisrr->type == SSL3_RT_HANDSHAKE + || thisrr->type == SSL3_RT_ALERT) + && thisrr->length == 0) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_LENGTH); + return -1; + } + + if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_DATA_LENGTH_TOO_LONG); + return -1; + } + + /* If received packet overflows current Max Fragment Length setting */ + if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) + && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_DATA_LENGTH_TOO_LONG); + return -1; + } + + thisrr->off = 0; /*- * So at this point the following is true - * rr[j].type is the type of record - * rr[j].length == number of bytes in record - * rr[j].off == offset to first valid byte - * rr[j].data == where to take bytes from, increment after use :-). + * thisrr->type is the type of record + * thisrr->length == number of bytes in record + * thisrr->off == offset to first valid byte + * thisrr->data == where to take bytes from, increment after use :-). */ /* just read a 0 length packet */ - if (rr[j].length == 0) { + if (thisrr->length == 0) { RECORD_LAYER_inc_empty_record_count(&s->rlayer); if (RECORD_LAYER_get_empty_record_count(&s->rlayer) > MAX_EMPTY_RECORDS) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_RECORD_TOO_SMALL); + return -1; } } else { RECORD_LAYER_reset_empty_record_count(&s->rlayer); } } + if (s->early_data_state == SSL_EARLY_DATA_READING) { + thisrr = &rr[0]; + if (thisrr->type == SSL3_RT_APPLICATION_DATA + && !early_data_count_ok(s, thisrr->length, 0, 0)) { + /* SSLfatal already called */ + return -1; + } + } + RECORD_LAYER_set_numrpipes(&s->rlayer, num_recs); return 1; - - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - err: - return ret; } int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr) @@ -535,6 +801,7 @@ int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr) if (rr->comp == NULL) return 0; + /* TODO(size_t): Convert this call */ i = COMP_expand_block(ssl->expand, rr->comp, SSL3_RT_MAX_PLAIN_LENGTH, rr->data, (int)rr->length); if (i < 0) @@ -551,21 +818,23 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr) #ifndef OPENSSL_NO_COMP int i; + /* TODO(size_t): Convert this call */ i = COMP_compress_block(ssl->compress, wr->data, - SSL3_RT_MAX_COMPRESSED_LENGTH, + (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD), wr->input, (int)wr->length); if (i < 0) - return (0); + return 0; else wr->length = i; wr->input = wr->data; #endif - return (1); + return 1; } /*- - * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs| + * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|. Will call + * SSLfatal() for internal errors, but not otherwise. * * Returns: * 0: (in non-constant time) if the record is publically invalid (i.e. too @@ -574,12 +843,13 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr) * -1: if the record's padding is invalid or, if sending, an internal error * occurred. */ -int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, unsigned int n_recs, int sending) +int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending) { SSL3_RECORD *rec; EVP_CIPHER_CTX *ds; - unsigned long l; - int bs, i, mac_size = 0; + size_t l, i; + size_t bs, mac_size = 0; + int imac_size; const EVP_CIPHER *enc; rec = inrecs; @@ -607,12 +877,13 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, unsigned int n_recs, int sending) rec->input = rec->data; } else { l = rec->length; + /* TODO(size_t): Convert this call */ bs = EVP_CIPHER_CTX_block_size(ds); /* COMPRESS */ if ((bs != 1) && sending) { - i = bs - ((int)l % bs); + i = bs - (l % bs); /* we need to add 'i-1' padding bytes */ l += i; @@ -622,7 +893,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, unsigned int n_recs, int sending) */ memset(&rec->input[rec->length], 0, i); rec->length += i; - rec->input[l - 1] = (i - 1); + rec->input[l - 1] = (unsigned char)(i - 1); } if (!sending) { @@ -631,19 +902,30 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, unsigned int n_recs, int sending) /* otherwise, rec->length >= bs */ } - if (EVP_Cipher(ds, rec->data, rec->input, l) < 1) + /* TODO(size_t): Convert this call */ + if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) return -1; - if (EVP_MD_CTX_md(s->read_hash) != NULL) - mac_size = EVP_MD_CTX_size(s->read_hash); + if (EVP_MD_CTX_md(s->read_hash) != NULL) { + /* TODO(size_t): convert me */ + imac_size = EVP_MD_CTX_size(s->read_hash); + if (imac_size < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } + mac_size = (size_t)imac_size; + } if ((bs != 1) && !sending) return ssl3_cbc_remove_padding(rec, bs, mac_size); } - return (1); + return 1; } +#define MAX_PADDING 256 /*- - * tls1_enc encrypts/decrypts |n_recs| in |recs|. + * tls1_enc encrypts/decrypts |n_recs| in |recs|. Will call SSLfatal() for + * internal errors, but not otherwise. * * Returns: * 0: (in non-constant time) if the record is publically invalid (i.e. too @@ -652,22 +934,31 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, unsigned int n_recs, int sending) * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, * an internal error occurred. */ -int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int sending) +int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) { EVP_CIPHER_CTX *ds; size_t reclen[SSL_MAX_PIPELINES]; unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN]; - int bs, i, j, k, pad = 0, ret, mac_size = 0; + int i, pad = 0, ret, tmpr; + size_t bs, mac_size = 0, ctr, padnum, loop; + unsigned char padval; + int imac_size; const EVP_CIPHER *enc; - unsigned int ctr; - if (n_recs == 0) + if (n_recs == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return 0; + } if (sending) { if (EVP_MD_CTX_md(s->write_hash)) { int n = EVP_MD_CTX_size(s->write_hash); - OPENSSL_assert(n >= 0); + if (!ossl_assert(n >= 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } } ds = s->enc_write_ctx; if (s->enc_write_ctx == NULL) @@ -688,10 +979,12 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int sending) * we can't write into the input stream: Can this ever * happen?? (steve) */ - SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) { - SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; } } @@ -700,7 +993,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int sending) } else { if (EVP_MD_CTX_md(s->read_hash)) { int n = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(n >= 0); + if (!ossl_assert(n >= 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } } ds = s->enc_read_ctx; if (s->enc_read_ctx == NULL) @@ -725,7 +1022,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int sending) * We shouldn't have been called with pipeline data if the * cipher doesn't support pipelining */ - SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + SSL_R_PIPELINE_FAILURE); return -1; } } @@ -759,12 +1057,15 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int sending) buf[ctr][8] = recs[ctr].type; buf[ctr][9] = (unsigned char)(s->version >> 8); buf[ctr][10] = (unsigned char)(s->version); - buf[ctr][11] = recs[ctr].length >> 8; - buf[ctr][12] = recs[ctr].length & 0xff; + buf[ctr][11] = (unsigned char)(recs[ctr].length >> 8); + buf[ctr][12] = (unsigned char)(recs[ctr].length & 0xff); pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, EVP_AEAD_TLS1_AAD_LEN, buf[ctr]); - if (pad <= 0) + if (pad <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } if (sending) { reclen[ctr] += pad; @@ -772,16 +1073,21 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int sending) } } else if ((bs != 1) && sending) { - i = bs - ((int)reclen[ctr] % bs); + padnum = bs - (reclen[ctr] % bs); /* Add weird padding of upto 256 bytes */ - /* we need to add 'i' padding bytes of value j */ - j = i - 1; - for (k = (int)reclen[ctr]; k < (int)(reclen[ctr] + i); k++) - recs[ctr].input[k] = j; - reclen[ctr] += i; - recs[ctr].length += i; + if (padnum > MAX_PADDING) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } + /* we need to add 'padnum' padding bytes of value padval */ + padval = (unsigned char)(padnum - 1); + for (loop = reclen[ctr]; loop < reclen[ctr] + padnum; loop++) + recs[ctr].input[loop] = padval; + reclen[ctr] += padnum; + recs[ctr].length += padnum; } if (!sending) { @@ -797,28 +1103,34 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int sending) data[ctr] = recs[ctr].data; } if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS, - n_recs, data) <= 0) { - SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE); + (int)n_recs, data) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + SSL_R_PIPELINE_FAILURE); + return -1; } /* Set the input buffers */ for (ctr = 0; ctr < n_recs; ctr++) { data[ctr] = recs[ctr].input; } if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS, - n_recs, data) <= 0 + (int)n_recs, data) <= 0 || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS, - n_recs, reclen) <= 0) { - SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE); + (int)n_recs, reclen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + SSL_R_PIPELINE_FAILURE); return -1; } } - i = EVP_Cipher(ds, recs[0].data, recs[0].input, reclen[0]); + /* TODO(size_t): Convert this call */ + tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input, + (unsigned int)reclen[0]); if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds)) & EVP_CIPH_FLAG_CUSTOM_CIPHER) - ? (i < 0) - : (i == 0)) + ? (tmpr < 0) + : (tmpr == 0)) return -1; /* AEAD can fail to verify MAC */ + if (sending == 0) { if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) { for (ctr = 0; ctr < n_recs; ctr++) { @@ -836,8 +1148,15 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int sending) } ret = 1; - if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) - mac_size = EVP_MD_CTX_size(s->read_hash); + if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) { + imac_size = EVP_MD_CTX_size(s->read_hash); + if (imac_size < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } + mac_size = (size_t)imac_size; + } if ((bs != 1) && !sending) { int tmpret; for (ctr = 0; ctr < n_recs; ctr++) { @@ -868,7 +1187,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) const EVP_MD_CTX *hash; unsigned char *p, rec_char; size_t md_size; - int npad; + size_t npad; int t; if (sending) { @@ -883,7 +1202,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) t = EVP_MD_CTX_size(hash); if (t < 0) - return -1; + return 0; md_size = t; npad = (48 / md_size) * md_size; @@ -905,7 +1224,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) * total size. */ unsigned char header[75]; - unsigned j = 0; + size_t j = 0; memcpy(header + j, mac_sec, md_size); j += md_size; memcpy(header + j, ssl3_pad_1, npad); @@ -913,8 +1232,8 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) memcpy(header + j, seq, 8); j += 8; header[j++] = rec->type; - header[j++] = rec->length >> 8; - header[j++] = rec->length & 0xff; + header[j++] = (unsigned char)(rec->length >> 8); + header[j++] = (unsigned char)(rec->length & 0xff); /* Final param == is SSLv3 */ if (ssl3_cbc_digest_record(hash, @@ -922,14 +1241,14 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) header, rec->input, rec->length + md_size, rec->orig_len, mac_sec, md_size, 1) <= 0) - return -1; + return 0; } else { unsigned int md_size_u; /* Chop the digest off the end :-) */ EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); if (md_ctx == NULL) - return -1; + return 0; rec_char = rec->type; p = md; @@ -948,15 +1267,14 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) || EVP_DigestUpdate(md_ctx, md, md_size) <= 0 || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) { EVP_MD_CTX_free(md_ctx); - return -1; + return 0; } - md_size = md_size_u; EVP_MD_CTX_free(md_ctx); } ssl3_record_sequence_update(seq); - return (md_size); + return 1; } int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) @@ -980,7 +1298,8 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) } t = EVP_MD_CTX_size(hash); - OPENSSL_assert(t >= 0); + if (!ossl_assert(t >= 0)) + return 0; md_size = t; /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ @@ -990,7 +1309,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) hmac = EVP_MD_CTX_new(); if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash)) { EVP_MD_CTX_free(hmac); - return -1; + return 0; } mac_ctx = hmac; } @@ -1009,8 +1328,8 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) header[8] = rec->type; header[9] = (unsigned char)(ssl->version >> 8); header[10] = (unsigned char)(ssl->version); - header[11] = (rec->length) >> 8; - header[12] = (rec->length) & 0xff; + header[11] = (unsigned char)(rec->length >> 8); + header[12] = (unsigned char)(rec->length & 0xff); if (!sending && !SSL_READ_ETM(ssl) && EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && @@ -1028,22 +1347,16 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) ssl->s3->read_mac_secret, ssl->s3->read_mac_secret_size, 0) <= 0) { EVP_MD_CTX_free(hmac); - return -1; + return 0; } } else { + /* TODO(size_t): Convert these calls */ if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0 || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0 || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) { EVP_MD_CTX_free(hmac); - return -1; + return 0; } - if (!sending && !SSL_READ_ETM(ssl) && FIPS_mode()) - if (!tls_fips_digest_extra(ssl->enc_read_ctx, - mac_ctx, rec->input, - rec->length, rec->orig_len)) { - EVP_MD_CTX_free(hmac); - return -1; - } } EVP_MD_CTX_free(hmac); @@ -1058,7 +1371,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) } fprintf(stderr, "rec="); { - unsigned int z; + size_t z; for (z = 0; z < rec->length; z++) fprintf(stderr, "%02X ", rec->data[z]); fprintf(stderr, "\n"); @@ -1080,7 +1393,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) fprintf(stderr, "\n"); } #endif - return (md_size); + return 1; } /*- @@ -1094,10 +1407,11 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) * -1: otherwise. */ int ssl3_cbc_remove_padding(SSL3_RECORD *rec, - unsigned block_size, unsigned mac_size) + size_t block_size, size_t mac_size) { - unsigned padding_length, good; - const unsigned overhead = 1 /* padding length byte */ + mac_size; + size_t padding_length; + size_t good; + const size_t overhead = 1 /* padding length byte */ + mac_size; /* * These lengths are all public so we can test them in non-constant time. @@ -1106,11 +1420,11 @@ int ssl3_cbc_remove_padding(SSL3_RECORD *rec, return 0; padding_length = rec->data[rec->length - 1]; - good = constant_time_ge(rec->length, padding_length + overhead); + good = constant_time_ge_s(rec->length, padding_length + overhead); /* SSLv3 requires that the padding is minimal. */ - good &= constant_time_ge(block_size, padding_length + 1); + good &= constant_time_ge_s(block_size, padding_length + 1); rec->length -= good & (padding_length + 1); - return constant_time_select_int(good, 1, -1); + return constant_time_select_int_s(good, 1, -1); } /*- @@ -1128,10 +1442,11 @@ int ssl3_cbc_remove_padding(SSL3_RECORD *rec, */ int tls1_cbc_remove_padding(const SSL *s, SSL3_RECORD *rec, - unsigned block_size, unsigned mac_size) + size_t block_size, size_t mac_size) { - unsigned padding_length, good, to_check, i; - const unsigned overhead = 1 /* padding length byte */ + mac_size; + size_t good; + size_t padding_length, to_check, i; + const size_t overhead = 1 /* padding length byte */ + mac_size; /* Check if version requires explicit IV */ if (SSL_USE_EXPLICIT_IV(s)) { /* @@ -1157,7 +1472,7 @@ int tls1_cbc_remove_padding(const SSL *s, return 1; } - good = constant_time_ge(rec->length, overhead + padding_length); + good = constant_time_ge_s(rec->length, overhead + padding_length); /* * The padding consists of a length byte at the end of the record and * then that many bytes of padding, all with the same value as the length @@ -1172,7 +1487,7 @@ int tls1_cbc_remove_padding(const SSL *s, to_check = rec->length; for (i = 0; i < to_check; i++) { - unsigned char mask = constant_time_ge_8(padding_length, i); + unsigned char mask = constant_time_ge_8_s(padding_length, i); unsigned char b = rec->data[rec->length - 1 - i]; /* * The final |padding_length+1| bytes should all have the value @@ -1185,10 +1500,10 @@ int tls1_cbc_remove_padding(const SSL *s, * If any of the final |padding_length+1| bytes had the wrong value, one * or more of the lower eight bits of |good| will be cleared. */ - good = constant_time_eq(0xff, good & 0xff); + good = constant_time_eq_s(0xff, good & 0xff); rec->length -= good & (padding_length + 1); - return constant_time_select_int(good, 1, -1); + return constant_time_select_int_s(good, 1, -1); } /*- @@ -1211,8 +1526,8 @@ int tls1_cbc_remove_padding(const SSL *s, */ #define CBC_MAC_ROTATE_IN_PLACE -void ssl3_cbc_copy_mac(unsigned char *out, - const SSL3_RECORD *rec, unsigned md_size) +int ssl3_cbc_copy_mac(unsigned char *out, + const SSL3_RECORD *rec, size_t md_size) { #if defined(CBC_MAC_ROTATE_IN_PLACE) unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE]; @@ -1224,19 +1539,20 @@ void ssl3_cbc_copy_mac(unsigned char *out, /* * mac_end is the index of |rec->data| just after the end of the MAC. */ - unsigned mac_end = rec->length; - unsigned mac_start = mac_end - md_size; - unsigned in_mac; + size_t mac_end = rec->length; + size_t mac_start = mac_end - md_size; + size_t in_mac; /* * scan_start contains the number of bytes that we can ignore because the * MAC's position can only vary by 255 bytes. */ - unsigned scan_start = 0; - unsigned i, j; - unsigned rotate_offset; + size_t scan_start = 0; + size_t i, j; + size_t rotate_offset; - OPENSSL_assert(rec->orig_len >= md_size); - OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); + if (!ossl_assert(rec->orig_len >= md_size + && md_size <= EVP_MAX_MD_SIZE)) + return 0; #if defined(CBC_MAC_ROTATE_IN_PLACE) rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63); @@ -1250,15 +1566,15 @@ void ssl3_cbc_copy_mac(unsigned char *out, rotate_offset = 0; memset(rotated_mac, 0, md_size); for (i = scan_start, j = 0; i < rec->orig_len; i++) { - unsigned mac_started = constant_time_eq(i, mac_start); - unsigned mac_ended = constant_time_lt(i, mac_end); + size_t mac_started = constant_time_eq_s(i, mac_start); + size_t mac_ended = constant_time_lt_s(i, mac_end); unsigned char b = rec->data[i]; in_mac |= mac_started; in_mac &= mac_ended; rotate_offset |= j & mac_started; rotated_mac[j++] |= b & in_mac; - j &= constant_time_lt(j, md_size); + j &= constant_time_lt_s(j, md_size); } /* Now rotate the MAC */ @@ -1268,28 +1584,31 @@ void ssl3_cbc_copy_mac(unsigned char *out, /* in case cache-line is 32 bytes, touch second line */ ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32]; out[j++] = rotated_mac[rotate_offset++]; - rotate_offset &= constant_time_lt(rotate_offset, md_size); + rotate_offset &= constant_time_lt_s(rotate_offset, md_size); } #else memset(out, 0, md_size); rotate_offset = md_size - rotate_offset; - rotate_offset &= constant_time_lt(rotate_offset, md_size); + rotate_offset &= constant_time_lt_s(rotate_offset, md_size); for (i = 0; i < md_size; i++) { for (j = 0; j < md_size; j++) - out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset); + out[j] |= rotated_mac[i] & constant_time_eq_8_s(j, rotate_offset); rotate_offset++; - rotate_offset &= constant_time_lt(rotate_offset, md_size); + rotate_offset &= constant_time_lt_s(rotate_offset, md_size); } #endif + + return 1; } int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) { - int i, al; + int i; int enc_err; SSL_SESSION *sess; SSL3_RECORD *rr; - unsigned int mac_size; + int imac_size; + size_t mac_size; unsigned char md[EVP_MAX_MD_SIZE]; rr = RECORD_LAYER_get_rrec(&s->rlayer); @@ -1315,15 +1634,38 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* check is not needed I believe */ if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return 0; } /* decrypt in place in 'rr->input' */ rr->data = rr->input; rr->orig_len = rr->length; + if (SSL_READ_ETM(s) && s->read_hash) { + unsigned char *mac; + mac_size = EVP_MD_CTX_size(s->read_hash); + if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_R_INTERNAL_ERROR); + return 0; + } + if (rr->orig_len < mac_size) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return 0; + } + rr->length -= mac_size; + mac = rr->data + rr->length; + i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); + if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); + return 0; + } + } + enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0); /*- * enc_err is: @@ -1332,15 +1674,19 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) * -1: if the padding is invalid */ if (enc_err == 0) { + if (ossl_statem_in_error(s)) { + /* SSLfatal() got called */ + return 0; + } /* For DTLS we simply ignore bad packets. */ rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); - goto err; + return 0; } #ifdef SSL_DEBUG - printf("dec %d\n", rr->length); + printf("dec %ld\n", rr->length); { - unsigned int z; + size_t z; for (z = 0; z < rr->length; z++) printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n'); } @@ -1348,13 +1694,25 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) #endif /* r->length is now the compressed data plus mac */ - if ((sess != NULL) && + if ((sess != NULL) && !SSL_READ_ETM(s) && (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) { /* s->read_hash != NULL => mac_size != -1 */ unsigned char *mac = NULL; unsigned char mac_tmp[EVP_MAX_MD_SIZE]; - mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); + + /* TODO(size_t): Convert this to do size_t properly */ + imac_size = EVP_MD_CTX_size(s->read_hash); + if (imac_size < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_LIB_EVP); + return 0; + } + mac_size = (size_t)imac_size; + if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_R_INTERNAL_ERROR); + return 0; + } /* * orig_len is the length of the record before any padding was @@ -1366,9 +1724,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* CBC records must have a padding length byte too. */ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && rr->orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return 0; } if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { @@ -1379,7 +1737,11 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) * contents of the padding bytes. */ mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, rr, mac_size); + if (!ssl3_cbc_copy_mac(mac_tmp, rr, mac_size)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_R_INTERNAL_ERROR); + return 0; + } rr->length -= mac_size; } else { /* @@ -1392,8 +1754,8 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) } i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); - if (i < 0 || mac == NULL - || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) + if (i == 0 || mac == NULL + || CRYPTO_memcmp(md, mac, mac_size) != 0) enc_err = -1; if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) enc_err = -1; @@ -1403,28 +1765,27 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* decryption failed, silently discard message */ rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); - goto err; + return 0; } /* r->length is now just compressed */ if (s->expand != NULL) { if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, - SSL_R_COMPRESSED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_COMPRESSED_LENGTH_TOO_LONG); + return 0; } if (!ssl3_do_uncompress(s, rr)) { - al = SSL_AD_DECOMPRESSION_FAILURE; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); - goto f_err; + SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, + SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); + return 0; } } if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_DATA_LENGTH_TOO_LONG); + return 0; } rr->off = 0; @@ -1443,12 +1804,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* Mark receipt of record. */ dtls1_record_bitmap_update(s, bitmap); - return (1); - - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - err: - return (0); + return 1; } /* @@ -1471,7 +1827,8 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) int dtls1_get_record(SSL *s) { int ssl_major, ssl_minor; - int i, n; + int rret; + size_t more, n; SSL3_RECORD *rr; unsigned char *p = NULL; unsigned short version; @@ -1485,8 +1842,10 @@ int dtls1_get_record(SSL *s) * The epoch may have changed. If so, process all the pending records. * This is a non-blocking operation. */ - if (!dtls1_process_buffered_records(s)) + if (!dtls1_process_buffered_records(s)) { + /* SSLfatal() already called */ return -1; + } /* if we're renegotiating, then there may be buffered records */ if (dtls1_get_processed_record(s)) @@ -1497,11 +1856,13 @@ int dtls1_get_record(SSL *s) /* check if we have the header */ if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) || (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) { - n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, - SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1); + rret = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, + SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1, &n); /* read timeout is handled by dtls1_read_bytes */ - if (n <= 0) - return (n); /* error or non-blocking */ + if (rret <= 0) { + /* SSLfatal() already called if appropriate */ + return rret; /* error or non-blocking */ + } /* this packet contained a partial record, dump it */ if (RECORD_LAYER_get_packet_length(&s->rlayer) != @@ -1562,6 +1923,17 @@ int dtls1_get_record(SSL *s) RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } + + /* If received packet overflows own-client Max Fragment Length setting */ + if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) + && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { + /* record too long, silently discard it */ + rr->length = 0; + rr->read = 1; + RECORD_LAYER_reset_packet_length(&s->rlayer); + goto again; + } + /* now s->rlayer.rstate == SSL_ST_READ_BODY */ } @@ -1570,10 +1942,14 @@ int dtls1_get_record(SSL *s) if (rr->length > RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) { /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ - i = rr->length; - n = ssl3_read_n(s, i, i, 1, 1); + more = rr->length; + rret = ssl3_read_n(s, more, more, 1, 1, &n); /* this packet contained a partial record, dump it */ - if (n != i) { + if (rret <= 0 || n != more) { + if (ossl_statem_in_error(s)) { + /* ssl3_read_n() called SSLfatal() */ + return -1; + } rr->length = 0; rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); @@ -1592,7 +1968,6 @@ int dtls1_get_record(SSL *s) bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); if (bitmap == NULL) { rr->length = 0; - rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } @@ -1628,10 +2003,12 @@ int dtls1_get_record(SSL *s) */ if (is_next_epoch) { if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) { - if (dtls1_buffer_record - (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)), - rr->seq_num) < 0) + if (dtls1_buffer_record (s, + &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)), + rr->seq_num) < 0) { + /* SSLfatal() already called */ return -1; + } } rr->length = 0; rr->read = 1; @@ -1640,12 +2017,41 @@ int dtls1_get_record(SSL *s) } if (!dtls1_process_record(s, bitmap)) { + if (ossl_statem_in_error(s)) { + /* dtls1_process_record() called SSLfatal */ + return -1; + } rr->length = 0; rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } - return (1); + return 1; + +} + +int dtls_buffer_listen_record(SSL *s, size_t len, unsigned char *seq, size_t off) +{ + SSL3_RECORD *rr; + rr = RECORD_LAYER_get_rrec(&s->rlayer); + memset(rr, 0, sizeof(SSL3_RECORD)); + + rr->length = len; + rr->type = SSL3_RT_HANDSHAKE; + memcpy(rr->seq_num, seq, sizeof(rr->seq_num)); + rr->off = off; + + s->rlayer.packet = RECORD_LAYER_get_rbuf(&s->rlayer)->buf; + s->rlayer.packet_length = DTLS1_RT_HEADER_LENGTH + len; + rr->data = s->rlayer.packet + DTLS1_RT_HEADER_LENGTH; + + if (dtls1_buffer_record(s, &(s->rlayer.d->processed_rcds), + SSL3_RECORD_get_seq_num(s->rlayer.rrec)) <= 0) { + /* SSLfatal() already called */ + return 0; + } + + return 1; } diff --git a/deps/openssl/openssl/ssl/record/ssl3_record_tls13.c b/deps/openssl/openssl/ssl/record/ssl3_record_tls13.c new file mode 100644 index 0000000000..a11ed483e6 --- /dev/null +++ b/deps/openssl/openssl/ssl/record/ssl3_record_tls13.c @@ -0,0 +1,196 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "../ssl_locl.h" +#include "record_locl.h" +#include "internal/cryptlib.h" + +/*- + * tls13_enc encrypts/decrypts |n_recs| in |recs|. Will call SSLfatal() for + * internal errors, but not otherwise. + * + * Returns: + * 0: (in non-constant time) if the record is publically invalid (i.e. too + * short etc). + * 1: if the record encryption was successful. + * -1: if the record's AEAD-authenticator is invalid or, if sending, + * an internal error occurred. + */ +int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) +{ + EVP_CIPHER_CTX *ctx; + unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH]; + size_t ivlen, taglen, offset, loop, hdrlen; + unsigned char *staticiv; + unsigned char *seq; + int lenu, lenf; + SSL3_RECORD *rec = &recs[0]; + uint32_t alg_enc; + WPACKET wpkt; + + if (n_recs != 1) { + /* Should not happen */ + /* TODO(TLS1.3): Support pipelining */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } + + if (sending) { + ctx = s->enc_write_ctx; + staticiv = s->write_iv; + seq = RECORD_LAYER_get_write_sequence(&s->rlayer); + } else { + ctx = s->enc_read_ctx; + staticiv = s->read_iv; + seq = RECORD_LAYER_get_read_sequence(&s->rlayer); + } + + /* + * If we're sending an alert and ctx != NULL then we must be forcing + * plaintext alerts. If we're reading and ctx != NULL then we allow + * plaintext alerts at certain points in the handshake. If we've got this + * far then we have already validated that a plaintext alert is ok here. + */ + if (ctx == NULL || rec->type == SSL3_RT_ALERT) { + memmove(rec->data, rec->input, rec->length); + rec->input = rec->data; + return 1; + } + + ivlen = EVP_CIPHER_CTX_iv_length(ctx); + + if (s->early_data_state == SSL_EARLY_DATA_WRITING + || s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) { + if (s->session != NULL && s->session->ext.max_early_data > 0) { + alg_enc = s->session->cipher->algorithm_enc; + } else { + if (!ossl_assert(s->psksession != NULL + && s->psksession->ext.max_early_data > 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } + alg_enc = s->psksession->cipher->algorithm_enc; + } + } else { + /* + * To get here we must have selected a ciphersuite - otherwise ctx would + * be NULL + */ + if (!ossl_assert(s->s3->tmp.new_cipher != NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } + alg_enc = s->s3->tmp.new_cipher->algorithm_enc; + } + + if (alg_enc & SSL_AESCCM) { + if (alg_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) + taglen = EVP_CCM8_TLS_TAG_LEN; + else + taglen = EVP_CCM_TLS_TAG_LEN; + if (sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, + NULL) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } + } else if (alg_enc & SSL_AESGCM) { + taglen = EVP_GCM_TLS_TAG_LEN; + } else if (alg_enc & SSL_CHACHA20) { + taglen = EVP_CHACHAPOLY_TLS_TAG_LEN; + } else { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } + + if (!sending) { + /* + * Take off tag. There must be at least one byte of content type as + * well as the tag + */ + if (rec->length < taglen + 1) + return 0; + rec->length -= taglen; + } + + /* Set up IV */ + if (ivlen < SEQ_NUM_SIZE) { + /* Should not happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } + offset = ivlen - SEQ_NUM_SIZE; + memcpy(iv, staticiv, offset); + for (loop = 0; loop < SEQ_NUM_SIZE; loop++) + iv[offset + loop] = staticiv[offset + loop] ^ seq[loop]; + + /* Increment the sequence counter */ + for (loop = SEQ_NUM_SIZE; loop > 0; loop--) { + ++seq[loop - 1]; + if (seq[loop - 1] != 0) + break; + } + if (loop == 0) { + /* Sequence has wrapped */ + return -1; + } + + /* TODO(size_t): lenu/lenf should be a size_t but EVP doesn't support it */ + if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0 + || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, + taglen, + rec->data + rec->length) <= 0)) { + return -1; + } + + /* Set up the AAD */ + if (!WPACKET_init_static_len(&wpkt, recheader, sizeof(recheader), 0) + || !WPACKET_put_bytes_u8(&wpkt, rec->type) + || !WPACKET_put_bytes_u16(&wpkt, rec->rec_version) + || !WPACKET_put_bytes_u16(&wpkt, rec->length + taglen) + || !WPACKET_get_total_written(&wpkt, &hdrlen) + || hdrlen != SSL3_RT_HEADER_LENGTH + || !WPACKET_finish(&wpkt)) { + WPACKET_cleanup(&wpkt); + return -1; + } + + /* + * For CCM we must explicitly set the total plaintext length before we add + * any AAD. + */ + if (((alg_enc & SSL_AESCCM) != 0 + && EVP_CipherUpdate(ctx, NULL, &lenu, NULL, + (unsigned int)rec->length) <= 0) + || EVP_CipherUpdate(ctx, NULL, &lenu, recheader, + sizeof(recheader)) <= 0 + || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input, + (unsigned int)rec->length) <= 0 + || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0 + || (size_t)(lenu + lenf) != rec->length) { + return -1; + } + if (sending) { + /* Add the tag */ + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, + rec->data + rec->length) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); + return -1; + } + rec->length += taglen; + } + + return 1; +} diff --git a/deps/openssl/openssl/ssl/s3_cbc.c b/deps/openssl/openssl/ssl/s3_cbc.c index 9a228f7de2..8377d7fe13 100644 --- a/deps/openssl/openssl/ssl/s3_cbc.c +++ b/deps/openssl/openssl/ssl/s3_cbc.c @@ -1,5 +1,5 @@ /* - * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -9,6 +9,7 @@ #include "internal/constant_time_locl.h" #include "ssl_locl.h" +#include "internal/cryptlib.h" #include <openssl/md5.h> #include <openssl/sha.h> @@ -89,8 +90,6 @@ static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out) */ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) { - if (FIPS_mode()) - return 0; switch (EVP_MD_CTX_type(ctx)) { case NID_md5: case NID_sha1: @@ -134,7 +133,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, size_t data_plus_mac_size, size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret, - unsigned mac_secret_length, char is_sslv3) + size_t mac_secret_length, char is_sslv3) { union { double align; @@ -142,23 +141,24 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, } md_state; void (*md_final_raw) (void *ctx, unsigned char *md_out); void (*md_transform) (void *ctx, const unsigned char *block); - unsigned md_size, md_block_size = 64; - unsigned sslv3_pad_length = 40, header_length, variance_blocks, + size_t md_size, md_block_size = 64; + size_t sslv3_pad_length = 40, header_length, variance_blocks, len, max_mac_bytes, num_blocks, num_starting_blocks, k, mac_end_offset, c, index_a, index_b; - unsigned int bits; /* at most 18 bits */ + size_t bits; /* at most 18 bits */ unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES]; /* hmac_pad is the masked HMAC key. */ unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE]; unsigned char first_block[MAX_HASH_BLOCK_SIZE]; unsigned char mac_out[EVP_MAX_MD_SIZE]; - unsigned i, j, md_out_size_u; + size_t i, j; + unsigned md_out_size_u; EVP_MD_CTX *md_ctx = NULL; /* * mdLengthSize is the number of bytes in the length field that * terminates * the hash. */ - unsigned md_length_size = 8; + size_t md_length_size = 8; char length_is_big_endian = 1; int ret; @@ -166,7 +166,8 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, * This is a, hopefully redundant, check that allows us to forget about * many possible overflows later in this function. */ - OPENSSL_assert(data_plus_mac_plus_padding_size < 1024 * 1024); + if (!ossl_assert(data_plus_mac_plus_padding_size < 1024 * 1024)) + return 0; switch (EVP_MD_CTX_type(ctx)) { case NID_md5: @@ -228,15 +229,15 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, * ssl3_cbc_record_digest_supported should have been called first to * check that the hash function is supported. */ - OPENSSL_assert(0); - if (md_out_size) + if (md_out_size != NULL) *md_out_size = 0; - return 0; + return ossl_assert(0); } - OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES); - OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE); - OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); + if (!ossl_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES) + || !ossl_assert(md_block_size <= MAX_HASH_BLOCK_SIZE) + || !ossl_assert(md_size <= EVP_MAX_MD_SIZE)) + return 0; header_length = 13; if (is_sslv3) { @@ -255,12 +256,13 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, * of hash termination (0x80 + 64-bit length) don't fit in the final * block, we say that the final two blocks can vary based on the padding. * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not - * required to be minimal. Therefore we say that the final six blocks can + * required to be minimal. Therefore we say that the final |variance_blocks| + * blocks can * vary based on the padding. Later in the function, if the message is * short and there obviously cannot be this many blocks then * variance_blocks can be reduced. */ - variance_blocks = is_sslv3 ? 2 : 6; + variance_blocks = is_sslv3 ? 2 : ( ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1); /* * From now on we're dealing with the MAC, which conceptually has 13 * bytes of `header' before the start of the data (TLS) or 71/75 bytes @@ -332,7 +334,8 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, */ bits += 8 * md_block_size; memset(hmac_pad, 0, md_block_size); - OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad)); + if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad))) + return 0; memcpy(hmac_pad, mac_secret, mac_secret_length); for (i = 0; i < md_block_size; i++) hmac_pad[i] ^= 0x36; @@ -356,7 +359,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, if (k > 0) { if (is_sslv3) { - unsigned overhang; + size_t overhang; /* * The SSLv3 header is larger than a single block. overhang is @@ -399,8 +402,8 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks; i++) { unsigned char block[MAX_HASH_BLOCK_SIZE]; - unsigned char is_block_a = constant_time_eq_8(i, index_a); - unsigned char is_block_b = constant_time_eq_8(i, index_b); + unsigned char is_block_a = constant_time_eq_8_s(i, index_a); + unsigned char is_block_b = constant_time_eq_8_s(i, index_b); for (j = 0; j < md_block_size; j++) { unsigned char b = 0, is_past_c, is_past_cp1; if (k < header_length) @@ -409,8 +412,8 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, b = data[k - header_length]; k++; - is_past_c = is_block_a & constant_time_ge_8(j, c); - is_past_cp1 = is_block_a & constant_time_ge_8(j, c + 1); + is_past_c = is_block_a & constant_time_ge_8_s(j, c); + is_past_cp1 = is_block_a & constant_time_ge_8_s(j, c + 1); /* * If this is the block containing the end of the application * data, and we are at the offset for the 0x80 value, then @@ -418,8 +421,8 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, */ b = constant_time_select_8(is_past_c, 0x80, b); /* - * If this the the block containing the end of the application - * data and we're past the 0x80 value then just write zero. + * If this block contains the end of the application data + * and we're past the 0x80 value then just write zero. */ b = b & ~is_past_cp1; /* @@ -471,6 +474,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0) goto err; } + /* TODO(size_t): Convert me */ ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u); if (ret && md_out_size) *md_out_size = md_out_size_u; @@ -481,49 +485,3 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, EVP_MD_CTX_free(md_ctx); return 0; } - -/* - * Due to the need to use EVP in FIPS mode we can't reimplement digests but - * we can ensure the number of blocks processed is equal for all cases by - * digesting additional data. - */ - -int tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx, - EVP_MD_CTX *mac_ctx, const unsigned char *data, - size_t data_len, size_t orig_len) -{ - size_t block_size, digest_pad, blocks_data, blocks_orig; - if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE) - return 1; - block_size = EVP_MD_CTX_block_size(mac_ctx); - /*- - * We are in FIPS mode if we get this far so we know we have only SHA* - * digests and TLS to deal with. - * Minimum digest padding length is 17 for SHA384/SHA512 and 9 - * otherwise. - * Additional header is 13 bytes. To get the number of digest blocks - * processed round up the amount of data plus padding to the nearest - * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise. - * So we have: - * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size - * equivalently: - * blocks = (payload_len + digest_pad + 12)/block_size + 1 - * HMAC adds a constant overhead. - * We're ultimately only interested in differences so this becomes - * blocks = (payload_len + 29)/128 - * for SHA384/SHA512 and - * blocks = (payload_len + 21)/64 - * otherwise. - */ - digest_pad = block_size == 64 ? 21 : 29; - blocks_orig = (orig_len + digest_pad) / block_size; - blocks_data = (data_len + digest_pad) / block_size; - /* - * MAC enough blocks to make up the difference between the original and - * actual lengths plus one extra block to ensure this is never a no op. - * The "data" pointer should always have enough space to perform this - * operation as it is large enough for a maximum length TLS buffer. - */ - return EVP_DigestSignUpdate(mac_ctx, data, - (blocks_orig - blocks_data + 1) * block_size); -} diff --git a/deps/openssl/openssl/ssl/s3_enc.c b/deps/openssl/openssl/ssl/s3_enc.c index 65fe913141..fca84ef99a 100644 --- a/deps/openssl/openssl/ssl/s3_enc.c +++ b/deps/openssl/openssl/ssl/s3_enc.c @@ -1,5 +1,6 @@ /* * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,37 +8,11 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include <stdio.h> #include "ssl_locl.h" #include <openssl/evp.h> #include <openssl/md5.h> +#include "internal/cryptlib.h" static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) { @@ -55,7 +30,8 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) m5 = EVP_MD_CTX_new(); s1 = EVP_MD_CTX_new(); if (m5 == NULL || s1 == NULL) { - SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, + ERR_R_MALLOC_FAILURE); goto err; } EVP_MD_CTX_set_flags(m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); @@ -63,7 +39,8 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) k++; if (k > sizeof(buf)) { /* bug: 'buf' is too small for this ciphersuite */ - SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, + ERR_R_INTERNAL_ERROR); goto err; } @@ -80,15 +57,24 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) || !EVP_DigestInit_ex(m5, EVP_md5(), NULL) || !EVP_DigestUpdate(m5, s->session->master_key, s->session->master_key_length) - || !EVP_DigestUpdate(m5, smd, SHA_DIGEST_LENGTH)) + || !EVP_DigestUpdate(m5, smd, SHA_DIGEST_LENGTH)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, + ERR_R_INTERNAL_ERROR); goto err; + } if ((int)(i + MD5_DIGEST_LENGTH) > num) { - if (!EVP_DigestFinal_ex(m5, smd, NULL)) + if (!EVP_DigestFinal_ex(m5, smd, NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); goto err; + } memcpy(km, smd, (num - i)); } else { - if (!EVP_DigestFinal_ex(m5, km, NULL)) + if (!EVP_DigestFinal_ex(m5, km, NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); goto err; + } } km += MD5_DIGEST_LENGTH; @@ -113,13 +99,18 @@ int ssl3_change_cipher_state(SSL *s, int which) COMP_METHOD *comp; #endif const EVP_MD *m; - int n, i, j, k, cl; + int mdi; + size_t n, i, j, k, cl; int reuse_dd = 0; c = s->s3->tmp.new_sym_enc; m = s->s3->tmp.new_hash; /* m == NULL will lead to a crash later */ - OPENSSL_assert(m); + if (!ossl_assert(m != NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; + } #ifndef OPENSSL_NO_COMP if (s->s3->tmp.new_compression == NULL) comp = NULL; @@ -128,20 +119,24 @@ int ssl3_change_cipher_state(SSL *s, int which) #endif if (which & SSL3_CC_READ) { - if (s->enc_read_ctx != NULL) + if (s->enc_read_ctx != NULL) { reuse_dd = 1; - else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) + } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_MALLOC_FAILURE); goto err; - else + } else { /* * make sure it's initialised in case we exit later with an error */ EVP_CIPHER_CTX_reset(s->enc_read_ctx); + } dd = s->enc_read_ctx; if (ssl_replace_hash(&s->read_hash, m) == NULL) { - SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); - goto err2; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; } #ifndef OPENSSL_NO_COMP /* COMPRESS */ @@ -150,28 +145,34 @@ int ssl3_change_cipher_state(SSL *s, int which) if (comp != NULL) { s->expand = COMP_CTX_new(comp); if (s->expand == NULL) { - SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, - SSL_R_COMPRESSION_LIBRARY_ERROR); - goto err2; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL3_CHANGE_CIPHER_STATE, + SSL_R_COMPRESSION_LIBRARY_ERROR); + goto err; } } #endif RECORD_LAYER_reset_read_sequence(&s->rlayer); mac_secret = &(s->s3->read_mac_secret[0]); } else { - if (s->enc_write_ctx != NULL) + s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; + if (s->enc_write_ctx != NULL) { reuse_dd = 1; - else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) + } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_MALLOC_FAILURE); goto err; - else + } else { /* * make sure it's initialised in case we exit later with an error */ EVP_CIPHER_CTX_reset(s->enc_write_ctx); + } dd = s->enc_write_ctx; if (ssl_replace_hash(&s->write_hash, m) == NULL) { - SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); - goto err2; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_MALLOC_FAILURE); + goto err; } #ifndef OPENSSL_NO_COMP /* COMPRESS */ @@ -180,9 +181,10 @@ int ssl3_change_cipher_state(SSL *s, int which) if (comp != NULL) { s->compress = COMP_CTX_new(comp); if (s->compress == NULL) { - SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, - SSL_R_COMPRESSION_LIBRARY_ERROR); - goto err2; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL3_CHANGE_CIPHER_STATE, + SSL_R_COMPRESSION_LIBRARY_ERROR); + goto err; } } #endif @@ -194,9 +196,13 @@ int ssl3_change_cipher_state(SSL *s, int which) EVP_CIPHER_CTX_reset(dd); p = s->s3->tmp.key_block; - i = EVP_MD_size(m); - if (i < 0) - goto err2; + mdi = EVP_MD_size(m); + if (mdi < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; + } + i = mdi; cl = EVP_CIPHER_key_length(c); j = cl; k = EVP_CIPHER_iv_length(c); @@ -219,24 +225,27 @@ int ssl3_change_cipher_state(SSL *s, int which) } if (n > s->s3->tmp.key_block_length) { - SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); - goto err2; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; } memcpy(mac_secret, ms, i); - if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) - goto err2; + if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; + } + s->statem.enc_write_state = ENC_WRITE_STATE_VALID; OPENSSL_cleanse(exp_key, sizeof(exp_key)); OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); - return (1); + return 1; err: - SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); - err2: OPENSSL_cleanse(exp_key, sizeof(exp_key)); OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); - return (0); + return 0; } int ssl3_setup_key_block(SSL *s) @@ -249,11 +258,12 @@ int ssl3_setup_key_block(SSL *s) SSL_COMP *comp; if (s->s3->tmp.key_block_length != 0) - return (1); + return 1; if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp, 0)) { - SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); - return (0); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_SETUP_KEY_BLOCK, + SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + return 0; } s->s3->tmp.new_sym_enc = c; @@ -273,12 +283,16 @@ int ssl3_setup_key_block(SSL *s) ssl3_cleanup_key_block(s); - if ((p = OPENSSL_malloc(num)) == NULL) - goto err; + if ((p = OPENSSL_malloc(num)) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_SETUP_KEY_BLOCK, + ERR_R_MALLOC_FAILURE); + return 0; + } s->s3->tmp.key_block_length = num; s->s3->tmp.key_block = p; + /* Calls SSLfatal() as required */ ret = ssl3_generate_key_block(s, p, num); if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { @@ -300,10 +314,6 @@ int ssl3_setup_key_block(SSL *s) } return ret; - - err: - SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); - return (0); } void ssl3_cleanup_key_block(SSL *s) @@ -318,7 +328,8 @@ int ssl3_init_finished_mac(SSL *s) BIO *buf = BIO_new(BIO_s_mem()); if (buf == NULL) { - SSLerr(SSL_F_SSL3_INIT_FINISHED_MAC, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_INIT_FINISHED_MAC, + ERR_R_MALLOC_FAILURE); return 0; } ssl3_free_digest_list(s); @@ -340,13 +351,32 @@ void ssl3_free_digest_list(SSL *s) s->s3->handshake_dgst = NULL; } -int ssl3_finish_mac(SSL *s, const unsigned char *buf, int len) +int ssl3_finish_mac(SSL *s, const unsigned char *buf, size_t len) { - if (s->s3->handshake_dgst == NULL) + int ret; + + if (s->s3->handshake_dgst == NULL) { /* Note: this writes to a memory BIO so a failure is a fatal error */ - return BIO_write(s->s3->handshake_buffer, (void *)buf, len) == len; - else - return EVP_DigestUpdate(s->s3->handshake_dgst, buf, len); + if (len > INT_MAX) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, + SSL_R_OVERFLOW_ERROR); + return 0; + } + ret = BIO_write(s->s3->handshake_buffer, (void *)buf, (int)len); + if (ret <= 0 || ret != (int)len) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, + ERR_R_INTERNAL_ERROR); + return 0; + } + } else { + ret = EVP_DigestUpdate(s->s3->handshake_dgst, buf, len); + if (!ret) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + return 1; } int ssl3_digest_cached_records(SSL *s, int keep) @@ -358,21 +388,23 @@ int ssl3_digest_cached_records(SSL *s, int keep) if (s->s3->handshake_dgst == NULL) { hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); if (hdatalen <= 0) { - SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, - SSL_R_BAD_HANDSHAKE_LENGTH); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, + SSL_R_BAD_HANDSHAKE_LENGTH); return 0; } s->s3->handshake_dgst = EVP_MD_CTX_new(); if (s->s3->handshake_dgst == NULL) { - SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, + ERR_R_MALLOC_FAILURE); return 0; } md = ssl_handshake_md(s); if (md == NULL || !EVP_DigestInit_ex(s->s3->handshake_dgst, md, NULL) || !EVP_DigestUpdate(s->s3->handshake_dgst, hdata, hdatalen)) { - SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, + ERR_R_INTERNAL_ERROR); return 0; } } @@ -384,42 +416,51 @@ int ssl3_digest_cached_records(SSL *s, int keep) return 1; } -int ssl3_final_finish_mac(SSL *s, const char *sender, int len, unsigned char *p) +size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len, + unsigned char *p) { int ret; EVP_MD_CTX *ctx = NULL; - if (!ssl3_digest_cached_records(s, 0)) + if (!ssl3_digest_cached_records(s, 0)) { + /* SSLfatal() already called */ return 0; + } if (EVP_MD_CTX_type(s->s3->handshake_dgst) != NID_md5_sha1) { - SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, SSL_R_NO_REQUIRED_DIGEST); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, + SSL_R_NO_REQUIRED_DIGEST); return 0; } ctx = EVP_MD_CTX_new(); if (ctx == NULL) { - SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, + ERR_R_MALLOC_FAILURE); return 0; } if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) { - SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, + ERR_R_INTERNAL_ERROR); ret = 0; goto err; } ret = EVP_MD_CTX_size(ctx); if (ret < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, + ERR_R_INTERNAL_ERROR); ret = 0; goto err; } if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0) || EVP_MD_CTX_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET, - s->session->master_key_length, + (int)s->session->master_key_length, s->session->master_key) <= 0 || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) { - SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, + ERR_R_INTERNAL_ERROR); ret = 0; } @@ -430,7 +471,7 @@ int ssl3_final_finish_mac(SSL *s, const char *sender, int len, unsigned char *p) } int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, - int len) + size_t len, size_t *secret_size) { static const unsigned char *salt[3] = { #ifndef CHARSET_EBCDIC @@ -445,11 +486,13 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, }; unsigned char buf[EVP_MAX_MD_SIZE]; EVP_MD_CTX *ctx = EVP_MD_CTX_new(); - int i, ret = 0; + int i, ret = 1; unsigned int n; + size_t ret_secret_size = 0; if (ctx == NULL) { - SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_MASTER_SECRET, + ERR_R_MALLOC_FAILURE); return 0; } for (i = 0; i < 3; i++) { @@ -461,92 +504,98 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, SSL3_RANDOM_SIZE) <= 0 || EVP_DigestUpdate(ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE) <= 0 + /* TODO(size_t) : convert me */ || EVP_DigestFinal_ex(ctx, buf, &n) <= 0 || EVP_DigestInit_ex(ctx, s->ctx->md5, NULL) <= 0 || EVP_DigestUpdate(ctx, p, len) <= 0 || EVP_DigestUpdate(ctx, buf, n) <= 0 || EVP_DigestFinal_ex(ctx, out, &n) <= 0) { - SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR); ret = 0; break; } out += n; - ret += n; + ret_secret_size += n; } EVP_MD_CTX_free(ctx); OPENSSL_cleanse(buf, sizeof(buf)); - return (ret); + if (ret) + *secret_size = ret_secret_size; + return ret; } int ssl3_alert_code(int code) { switch (code) { case SSL_AD_CLOSE_NOTIFY: - return (SSL3_AD_CLOSE_NOTIFY); + return SSL3_AD_CLOSE_NOTIFY; case SSL_AD_UNEXPECTED_MESSAGE: - return (SSL3_AD_UNEXPECTED_MESSAGE); + return SSL3_AD_UNEXPECTED_MESSAGE; case SSL_AD_BAD_RECORD_MAC: - return (SSL3_AD_BAD_RECORD_MAC); + return SSL3_AD_BAD_RECORD_MAC; case SSL_AD_DECRYPTION_FAILED: - return (SSL3_AD_BAD_RECORD_MAC); + return SSL3_AD_BAD_RECORD_MAC; case SSL_AD_RECORD_OVERFLOW: - return (SSL3_AD_BAD_RECORD_MAC); + return SSL3_AD_BAD_RECORD_MAC; case SSL_AD_DECOMPRESSION_FAILURE: - return (SSL3_AD_DECOMPRESSION_FAILURE); + return SSL3_AD_DECOMPRESSION_FAILURE; case SSL_AD_HANDSHAKE_FAILURE: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_NO_CERTIFICATE: - return (SSL3_AD_NO_CERTIFICATE); + return SSL3_AD_NO_CERTIFICATE; case SSL_AD_BAD_CERTIFICATE: - return (SSL3_AD_BAD_CERTIFICATE); + return SSL3_AD_BAD_CERTIFICATE; case SSL_AD_UNSUPPORTED_CERTIFICATE: - return (SSL3_AD_UNSUPPORTED_CERTIFICATE); + return SSL3_AD_UNSUPPORTED_CERTIFICATE; case SSL_AD_CERTIFICATE_REVOKED: - return (SSL3_AD_CERTIFICATE_REVOKED); + return SSL3_AD_CERTIFICATE_REVOKED; case SSL_AD_CERTIFICATE_EXPIRED: - return (SSL3_AD_CERTIFICATE_EXPIRED); + return SSL3_AD_CERTIFICATE_EXPIRED; case SSL_AD_CERTIFICATE_UNKNOWN: - return (SSL3_AD_CERTIFICATE_UNKNOWN); + return SSL3_AD_CERTIFICATE_UNKNOWN; case SSL_AD_ILLEGAL_PARAMETER: - return (SSL3_AD_ILLEGAL_PARAMETER); + return SSL3_AD_ILLEGAL_PARAMETER; case SSL_AD_UNKNOWN_CA: - return (SSL3_AD_BAD_CERTIFICATE); + return SSL3_AD_BAD_CERTIFICATE; case SSL_AD_ACCESS_DENIED: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_DECODE_ERROR: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_DECRYPT_ERROR: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_EXPORT_RESTRICTION: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_PROTOCOL_VERSION: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_INSUFFICIENT_SECURITY: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_INTERNAL_ERROR: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_USER_CANCELLED: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_NO_RENEGOTIATION: - return (-1); /* Don't send it :-) */ + return -1; /* Don't send it :-) */ case SSL_AD_UNSUPPORTED_EXTENSION: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_CERTIFICATE_UNOBTAINABLE: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_UNRECOGNIZED_NAME: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_UNKNOWN_PSK_IDENTITY: - return (TLS1_AD_UNKNOWN_PSK_IDENTITY); + return TLS1_AD_UNKNOWN_PSK_IDENTITY; case SSL_AD_INAPPROPRIATE_FALLBACK: - return (TLS1_AD_INAPPROPRIATE_FALLBACK); + return TLS1_AD_INAPPROPRIATE_FALLBACK; case SSL_AD_NO_APPLICATION_PROTOCOL: - return (TLS1_AD_NO_APPLICATION_PROTOCOL); + return TLS1_AD_NO_APPLICATION_PROTOCOL; + case SSL_AD_CERTIFICATE_REQUIRED: + return SSL_AD_HANDSHAKE_FAILURE; default: - return (-1); + return -1; } } diff --git a/deps/openssl/openssl/ssl/s3_lib.c b/deps/openssl/openssl/ssl/s3_lib.c index ad7532bd0c..866ca4dfa9 100644 --- a/deps/openssl/openssl/ssl/s3_lib.c +++ b/deps/openssl/openssl/ssl/s3_lib.c @@ -1,5 +1,7 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,54 +9,110 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * ECC cipher suite support in OpenSSL originally written by - * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. - * - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include <stdio.h> #include <openssl/objects.h> +#include "internal/nelem.h" #include "ssl_locl.h" #include <openssl/md5.h> #include <openssl/dh.h> #include <openssl/rand.h> +#include "internal/cryptlib.h" +#define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers) #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) +#define SSL3_NUM_SCSVS OSSL_NELEM(ssl3_scsvs) + +/* TLSv1.3 downgrade protection sentinel values */ +const unsigned char tls11downgrade[] = { + 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00 +}; +const unsigned char tls12downgrade[] = { + 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01 +}; + +/* The list of available TLSv1.3 ciphers */ +static SSL_CIPHER tls13_ciphers[] = { + { + 1, + TLS1_3_RFC_AES_128_GCM_SHA256, + TLS1_3_RFC_AES_128_GCM_SHA256, + TLS1_3_CK_AES_128_GCM_SHA256, + SSL_kANY, + SSL_aANY, + SSL_AES128GCM, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, + }, { + 1, + TLS1_3_RFC_AES_256_GCM_SHA384, + TLS1_3_RFC_AES_256_GCM_SHA384, + TLS1_3_CK_AES_256_GCM_SHA384, + SSL_kANY, + SSL_aANY, + SSL_AES256GCM, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384, + 256, + 256, + }, +#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) + { + 1, + TLS1_3_RFC_CHACHA20_POLY1305_SHA256, + TLS1_3_RFC_CHACHA20_POLY1305_SHA256, + TLS1_3_CK_CHACHA20_POLY1305_SHA256, + SSL_kANY, + SSL_aANY, + SSL_CHACHA20POLY1305, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 256, + 256, + }, +#endif + { + 1, + TLS1_3_RFC_AES_128_CCM_SHA256, + TLS1_3_RFC_AES_128_CCM_SHA256, + TLS1_3_CK_AES_128_CCM_SHA256, + SSL_kANY, + SSL_aANY, + SSL_AES128CCM, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, + }, { + 1, + TLS1_3_RFC_AES_128_CCM_8_SHA256, + TLS1_3_RFC_AES_128_CCM_8_SHA256, + TLS1_3_CK_AES_128_CCM_8_SHA256, + SSL_kANY, + SSL_aANY, + SSL_AES128CCM8, + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, + } +}; /* * The list of available ciphers, mostly organized into the following @@ -63,13 +121,14 @@ * EC * PSK * SRP (within that: RSA EC PSK) - * Cipher families: Chacha/poly, Camellila, Gost, IDEA, SEED + * Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED * Weak ciphers */ static SSL_CIPHER ssl3_ciphers[] = { { 1, SSL3_TXT_RSA_NULL_MD5, + SSL3_RFC_RSA_NULL_MD5, SSL3_CK_RSA_NULL_MD5, SSL_kRSA, SSL_aRSA, @@ -85,6 +144,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, SSL3_TXT_RSA_NULL_SHA, + SSL3_RFC_RSA_NULL_SHA, SSL3_CK_RSA_NULL_SHA, SSL_kRSA, SSL_aRSA, @@ -101,6 +161,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, SSL3_TXT_RSA_DES_192_CBC3_SHA, + SSL3_RFC_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, SSL_kRSA, SSL_aRSA, @@ -116,6 +177,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, SSL3_TXT_DHE_DSS_DES_192_CBC3_SHA, + SSL3_RFC_DHE_DSS_DES_192_CBC3_SHA, SSL3_CK_DHE_DSS_DES_192_CBC3_SHA, SSL_kDHE, SSL_aDSS, @@ -131,6 +193,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, SSL3_TXT_DHE_RSA_DES_192_CBC3_SHA, + SSL3_RFC_DHE_RSA_DES_192_CBC3_SHA, SSL3_CK_DHE_RSA_DES_192_CBC3_SHA, SSL_kDHE, SSL_aRSA, @@ -146,6 +209,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, SSL3_TXT_ADH_DES_192_CBC_SHA, + SSL3_RFC_ADH_DES_192_CBC_SHA, SSL3_CK_ADH_DES_192_CBC_SHA, SSL_kDHE, SSL_aNULL, @@ -162,6 +226,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_AES_128_SHA, + TLS1_RFC_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA, SSL_aRSA, @@ -177,6 +242,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, + TLS1_RFC_DHE_DSS_WITH_AES_128_SHA, TLS1_CK_DHE_DSS_WITH_AES_128_SHA, SSL_kDHE, SSL_aDSS, @@ -192,6 +258,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, + TLS1_RFC_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA, SSL_kDHE, SSL_aRSA, @@ -207,6 +274,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ADH_WITH_AES_128_SHA, + TLS1_RFC_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, SSL_kDHE, SSL_aNULL, @@ -222,6 +290,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_AES_256_SHA, + TLS1_RFC_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA, SSL_aRSA, @@ -237,6 +306,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, + TLS1_RFC_DHE_DSS_WITH_AES_256_SHA, TLS1_CK_DHE_DSS_WITH_AES_256_SHA, SSL_kDHE, SSL_aDSS, @@ -252,6 +322,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, + TLS1_RFC_DHE_RSA_WITH_AES_256_SHA, TLS1_CK_DHE_RSA_WITH_AES_256_SHA, SSL_kDHE, SSL_aRSA, @@ -267,6 +338,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ADH_WITH_AES_256_SHA, + TLS1_RFC_ADH_WITH_AES_256_SHA, TLS1_CK_ADH_WITH_AES_256_SHA, SSL_kDHE, SSL_aNULL, @@ -282,6 +354,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_NULL_SHA256, + TLS1_RFC_RSA_WITH_NULL_SHA256, TLS1_CK_RSA_WITH_NULL_SHA256, SSL_kRSA, SSL_aRSA, @@ -297,6 +370,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_AES_128_SHA256, + TLS1_RFC_RSA_WITH_AES_128_SHA256, TLS1_CK_RSA_WITH_AES_128_SHA256, SSL_kRSA, SSL_aRSA, @@ -312,6 +386,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_AES_256_SHA256, + TLS1_RFC_RSA_WITH_AES_256_SHA256, TLS1_CK_RSA_WITH_AES_256_SHA256, SSL_kRSA, SSL_aRSA, @@ -327,6 +402,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256, + TLS1_RFC_DHE_DSS_WITH_AES_128_SHA256, TLS1_CK_DHE_DSS_WITH_AES_128_SHA256, SSL_kDHE, SSL_aDSS, @@ -342,6 +418,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, + TLS1_RFC_DHE_RSA_WITH_AES_128_SHA256, TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, SSL_kDHE, SSL_aRSA, @@ -357,6 +434,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256, + TLS1_RFC_DHE_DSS_WITH_AES_256_SHA256, TLS1_CK_DHE_DSS_WITH_AES_256_SHA256, SSL_kDHE, SSL_aDSS, @@ -372,6 +450,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, + TLS1_RFC_DHE_RSA_WITH_AES_256_SHA256, TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, SSL_kDHE, SSL_aRSA, @@ -387,6 +466,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ADH_WITH_AES_128_SHA256, + TLS1_RFC_ADH_WITH_AES_128_SHA256, TLS1_CK_ADH_WITH_AES_128_SHA256, SSL_kDHE, SSL_aNULL, @@ -402,6 +482,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ADH_WITH_AES_256_SHA256, + TLS1_RFC_ADH_WITH_AES_256_SHA256, TLS1_CK_ADH_WITH_AES_256_SHA256, SSL_kDHE, SSL_aNULL, @@ -417,6 +498,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, + TLS1_RFC_RSA_WITH_AES_128_GCM_SHA256, TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA, SSL_aRSA, @@ -432,6 +514,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, + TLS1_RFC_RSA_WITH_AES_256_GCM_SHA384, TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, SSL_kRSA, SSL_aRSA, @@ -447,6 +530,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_RFC_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kDHE, SSL_aRSA, @@ -462,6 +546,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_RFC_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kDHE, SSL_aRSA, @@ -477,6 +562,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256, + TLS1_RFC_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kDHE, SSL_aDSS, @@ -492,6 +578,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384, + TLS1_RFC_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_kDHE, SSL_aDSS, @@ -507,6 +594,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, + TLS1_RFC_ADH_WITH_AES_128_GCM_SHA256, TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, SSL_kDHE, SSL_aNULL, @@ -522,6 +610,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, + TLS1_RFC_ADH_WITH_AES_256_GCM_SHA384, TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, SSL_kDHE, SSL_aNULL, @@ -537,6 +626,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_AES_128_CCM, + TLS1_RFC_RSA_WITH_AES_128_CCM, TLS1_CK_RSA_WITH_AES_128_CCM, SSL_kRSA, SSL_aRSA, @@ -552,6 +642,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_AES_256_CCM, + TLS1_RFC_RSA_WITH_AES_256_CCM, TLS1_CK_RSA_WITH_AES_256_CCM, SSL_kRSA, SSL_aRSA, @@ -567,6 +658,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_AES_128_CCM, + TLS1_RFC_DHE_RSA_WITH_AES_128_CCM, TLS1_CK_DHE_RSA_WITH_AES_128_CCM, SSL_kDHE, SSL_aRSA, @@ -582,6 +674,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_AES_256_CCM, + TLS1_RFC_DHE_RSA_WITH_AES_256_CCM, TLS1_CK_DHE_RSA_WITH_AES_256_CCM, SSL_kDHE, SSL_aRSA, @@ -597,6 +690,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_AES_128_CCM_8, + TLS1_RFC_RSA_WITH_AES_128_CCM_8, TLS1_CK_RSA_WITH_AES_128_CCM_8, SSL_kRSA, SSL_aRSA, @@ -612,6 +706,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_AES_256_CCM_8, + TLS1_RFC_RSA_WITH_AES_256_CCM_8, TLS1_CK_RSA_WITH_AES_256_CCM_8, SSL_kRSA, SSL_aRSA, @@ -627,6 +722,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_AES_128_CCM_8, + TLS1_RFC_DHE_RSA_WITH_AES_128_CCM_8, TLS1_CK_DHE_RSA_WITH_AES_128_CCM_8, SSL_kDHE, SSL_aRSA, @@ -642,6 +738,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_AES_256_CCM_8, + TLS1_RFC_DHE_RSA_WITH_AES_256_CCM_8, TLS1_CK_DHE_RSA_WITH_AES_256_CCM_8, SSL_kDHE, SSL_aRSA, @@ -657,6 +754,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_AES_128_CCM, + TLS1_RFC_PSK_WITH_AES_128_CCM, TLS1_CK_PSK_WITH_AES_128_CCM, SSL_kPSK, SSL_aPSK, @@ -672,6 +770,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_AES_256_CCM, + TLS1_RFC_PSK_WITH_AES_256_CCM, TLS1_CK_PSK_WITH_AES_256_CCM, SSL_kPSK, SSL_aPSK, @@ -687,6 +786,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_AES_128_CCM, + TLS1_RFC_DHE_PSK_WITH_AES_128_CCM, TLS1_CK_DHE_PSK_WITH_AES_128_CCM, SSL_kDHEPSK, SSL_aPSK, @@ -702,6 +802,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_AES_256_CCM, + TLS1_RFC_DHE_PSK_WITH_AES_256_CCM, TLS1_CK_DHE_PSK_WITH_AES_256_CCM, SSL_kDHEPSK, SSL_aPSK, @@ -717,6 +818,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_AES_128_CCM_8, + TLS1_RFC_PSK_WITH_AES_128_CCM_8, TLS1_CK_PSK_WITH_AES_128_CCM_8, SSL_kPSK, SSL_aPSK, @@ -732,6 +834,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_AES_256_CCM_8, + TLS1_RFC_PSK_WITH_AES_256_CCM_8, TLS1_CK_PSK_WITH_AES_256_CCM_8, SSL_kPSK, SSL_aPSK, @@ -747,6 +850,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_AES_128_CCM_8, + TLS1_RFC_DHE_PSK_WITH_AES_128_CCM_8, TLS1_CK_DHE_PSK_WITH_AES_128_CCM_8, SSL_kDHEPSK, SSL_aPSK, @@ -762,6 +866,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_AES_256_CCM_8, + TLS1_RFC_DHE_PSK_WITH_AES_256_CCM_8, TLS1_CK_DHE_PSK_WITH_AES_256_CCM_8, SSL_kDHEPSK, SSL_aPSK, @@ -777,6 +882,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM, + TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_CCM, TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM, SSL_kECDHE, SSL_aECDSA, @@ -792,6 +898,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM, + TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_CCM, TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM, SSL_kECDHE, SSL_aECDSA, @@ -807,6 +914,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM_8, + TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM_8, SSL_kECDHE, SSL_aECDSA, @@ -822,6 +930,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM_8, + TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM_8, SSL_kECDHE, SSL_aECDSA, @@ -834,11 +943,10 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, - -#ifndef OPENSSL_NO_EC { 1, TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, + TLS1_RFC_ECDHE_ECDSA_WITH_NULL_SHA, TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE, SSL_aECDSA, @@ -855,6 +963,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, + TLS1_RFC_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, SSL_kECDHE, SSL_aECDSA, @@ -871,6 +980,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aECDSA, @@ -886,6 +996,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aECDSA, @@ -901,6 +1012,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, + TLS1_RFC_ECDHE_RSA_WITH_NULL_SHA, TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE, SSL_aRSA, @@ -917,6 +1029,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, + TLS1_RFC_ECDHE_RSA_WITH_DES_192_CBC3_SHA, TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, SSL_kECDHE, SSL_aRSA, @@ -933,6 +1046,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS1_RFC_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aRSA, @@ -948,6 +1062,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS1_RFC_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aRSA, @@ -963,6 +1078,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDH_anon_WITH_NULL_SHA, + TLS1_RFC_ECDH_anon_WITH_NULL_SHA, TLS1_CK_ECDH_anon_WITH_NULL_SHA, SSL_kECDHE, SSL_aNULL, @@ -979,6 +1095,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, + TLS1_RFC_ECDH_anon_WITH_DES_192_CBC3_SHA, TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, SSL_kECDHE, SSL_aNULL, @@ -995,6 +1112,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, + TLS1_RFC_ECDH_anon_WITH_AES_128_CBC_SHA, TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aNULL, @@ -1010,6 +1128,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, + TLS1_RFC_ECDH_anon_WITH_AES_256_CBC_SHA, TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aNULL, @@ -1025,6 +1144,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, + TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_SHA256, TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, SSL_kECDHE, SSL_aECDSA, @@ -1040,6 +1160,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, + TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_SHA384, TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, SSL_kECDHE, SSL_aECDSA, @@ -1055,6 +1176,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, + TLS1_RFC_ECDHE_RSA_WITH_AES_128_SHA256, TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, SSL_kECDHE, SSL_aRSA, @@ -1070,6 +1192,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, + TLS1_RFC_ECDHE_RSA_WITH_AES_256_SHA384, TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, SSL_kECDHE, SSL_aRSA, @@ -1085,6 +1208,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE, SSL_aECDSA, @@ -1100,6 +1224,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE, SSL_aECDSA, @@ -1115,6 +1240,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS1_RFC_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE, SSL_aRSA, @@ -1130,6 +1256,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS1_RFC_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE, SSL_aRSA, @@ -1142,12 +1269,10 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -#endif /* OPENSSL_NO_EC */ - -#ifndef OPENSSL_NO_PSK { 1, TLS1_TXT_PSK_WITH_NULL_SHA, + TLS1_RFC_PSK_WITH_NULL_SHA, TLS1_CK_PSK_WITH_NULL_SHA, SSL_kPSK, SSL_aPSK, @@ -1163,6 +1288,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_NULL_SHA, + TLS1_RFC_DHE_PSK_WITH_NULL_SHA, TLS1_CK_DHE_PSK_WITH_NULL_SHA, SSL_kDHEPSK, SSL_aPSK, @@ -1178,6 +1304,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_NULL_SHA, + TLS1_RFC_RSA_PSK_WITH_NULL_SHA, TLS1_CK_RSA_PSK_WITH_NULL_SHA, SSL_kRSAPSK, SSL_aRSA, @@ -1194,6 +1321,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA, + TLS1_RFC_PSK_WITH_3DES_EDE_CBC_SHA, TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA, SSL_kPSK, SSL_aPSK, @@ -1210,6 +1338,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, + TLS1_RFC_PSK_WITH_AES_128_CBC_SHA, TLS1_CK_PSK_WITH_AES_128_CBC_SHA, SSL_kPSK, SSL_aPSK, @@ -1225,6 +1354,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, + TLS1_RFC_PSK_WITH_AES_256_CBC_SHA, TLS1_CK_PSK_WITH_AES_256_CBC_SHA, SSL_kPSK, SSL_aPSK, @@ -1241,6 +1371,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_3DES_EDE_CBC_SHA, + TLS1_RFC_DHE_PSK_WITH_3DES_EDE_CBC_SHA, TLS1_CK_DHE_PSK_WITH_3DES_EDE_CBC_SHA, SSL_kDHEPSK, SSL_aPSK, @@ -1257,6 +1388,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_AES_128_CBC_SHA, + TLS1_RFC_DHE_PSK_WITH_AES_128_CBC_SHA, TLS1_CK_DHE_PSK_WITH_AES_128_CBC_SHA, SSL_kDHEPSK, SSL_aPSK, @@ -1272,6 +1404,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_AES_256_CBC_SHA, + TLS1_RFC_DHE_PSK_WITH_AES_256_CBC_SHA, TLS1_CK_DHE_PSK_WITH_AES_256_CBC_SHA, SSL_kDHEPSK, SSL_aPSK, @@ -1288,6 +1421,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_3DES_EDE_CBC_SHA, + TLS1_RFC_RSA_PSK_WITH_3DES_EDE_CBC_SHA, TLS1_CK_RSA_PSK_WITH_3DES_EDE_CBC_SHA, SSL_kRSAPSK, SSL_aRSA, @@ -1304,6 +1438,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_AES_128_CBC_SHA, + TLS1_RFC_RSA_PSK_WITH_AES_128_CBC_SHA, TLS1_CK_RSA_PSK_WITH_AES_128_CBC_SHA, SSL_kRSAPSK, SSL_aRSA, @@ -1319,6 +1454,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_AES_256_CBC_SHA, + TLS1_RFC_RSA_PSK_WITH_AES_256_CBC_SHA, TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA, SSL_kRSAPSK, SSL_aRSA, @@ -1334,6 +1470,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_AES_128_GCM_SHA256, + TLS1_RFC_PSK_WITH_AES_128_GCM_SHA256, TLS1_CK_PSK_WITH_AES_128_GCM_SHA256, SSL_kPSK, SSL_aPSK, @@ -1349,6 +1486,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_AES_256_GCM_SHA384, + TLS1_RFC_PSK_WITH_AES_256_GCM_SHA384, TLS1_CK_PSK_WITH_AES_256_GCM_SHA384, SSL_kPSK, SSL_aPSK, @@ -1364,6 +1502,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_AES_128_GCM_SHA256, + TLS1_RFC_DHE_PSK_WITH_AES_128_GCM_SHA256, TLS1_CK_DHE_PSK_WITH_AES_128_GCM_SHA256, SSL_kDHEPSK, SSL_aPSK, @@ -1379,6 +1518,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_AES_256_GCM_SHA384, + TLS1_RFC_DHE_PSK_WITH_AES_256_GCM_SHA384, TLS1_CK_DHE_PSK_WITH_AES_256_GCM_SHA384, SSL_kDHEPSK, SSL_aPSK, @@ -1394,6 +1534,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_AES_128_GCM_SHA256, + TLS1_RFC_RSA_PSK_WITH_AES_128_GCM_SHA256, TLS1_CK_RSA_PSK_WITH_AES_128_GCM_SHA256, SSL_kRSAPSK, SSL_aRSA, @@ -1409,6 +1550,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_AES_256_GCM_SHA384, + TLS1_RFC_RSA_PSK_WITH_AES_256_GCM_SHA384, TLS1_CK_RSA_PSK_WITH_AES_256_GCM_SHA384, SSL_kRSAPSK, SSL_aRSA, @@ -1424,6 +1566,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_AES_128_CBC_SHA256, + TLS1_RFC_PSK_WITH_AES_128_CBC_SHA256, TLS1_CK_PSK_WITH_AES_128_CBC_SHA256, SSL_kPSK, SSL_aPSK, @@ -1439,6 +1582,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_AES_256_CBC_SHA384, + TLS1_RFC_PSK_WITH_AES_256_CBC_SHA384, TLS1_CK_PSK_WITH_AES_256_CBC_SHA384, SSL_kPSK, SSL_aPSK, @@ -1454,6 +1598,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_NULL_SHA256, + TLS1_RFC_PSK_WITH_NULL_SHA256, TLS1_CK_PSK_WITH_NULL_SHA256, SSL_kPSK, SSL_aPSK, @@ -1469,6 +1614,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_NULL_SHA384, + TLS1_RFC_PSK_WITH_NULL_SHA384, TLS1_CK_PSK_WITH_NULL_SHA384, SSL_kPSK, SSL_aPSK, @@ -1484,6 +1630,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_AES_128_CBC_SHA256, + TLS1_RFC_DHE_PSK_WITH_AES_128_CBC_SHA256, TLS1_CK_DHE_PSK_WITH_AES_128_CBC_SHA256, SSL_kDHEPSK, SSL_aPSK, @@ -1499,6 +1646,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_AES_256_CBC_SHA384, + TLS1_RFC_DHE_PSK_WITH_AES_256_CBC_SHA384, TLS1_CK_DHE_PSK_WITH_AES_256_CBC_SHA384, SSL_kDHEPSK, SSL_aPSK, @@ -1514,6 +1662,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_NULL_SHA256, + TLS1_RFC_DHE_PSK_WITH_NULL_SHA256, TLS1_CK_DHE_PSK_WITH_NULL_SHA256, SSL_kDHEPSK, SSL_aPSK, @@ -1529,6 +1678,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_NULL_SHA384, + TLS1_RFC_DHE_PSK_WITH_NULL_SHA384, TLS1_CK_DHE_PSK_WITH_NULL_SHA384, SSL_kDHEPSK, SSL_aPSK, @@ -1544,6 +1694,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_AES_128_CBC_SHA256, + TLS1_RFC_RSA_PSK_WITH_AES_128_CBC_SHA256, TLS1_CK_RSA_PSK_WITH_AES_128_CBC_SHA256, SSL_kRSAPSK, SSL_aRSA, @@ -1559,6 +1710,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_AES_256_CBC_SHA384, + TLS1_RFC_RSA_PSK_WITH_AES_256_CBC_SHA384, TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA384, SSL_kRSAPSK, SSL_aRSA, @@ -1574,6 +1726,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_NULL_SHA256, + TLS1_RFC_RSA_PSK_WITH_NULL_SHA256, TLS1_CK_RSA_PSK_WITH_NULL_SHA256, SSL_kRSAPSK, SSL_aRSA, @@ -1589,6 +1742,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_NULL_SHA384, + TLS1_RFC_RSA_PSK_WITH_NULL_SHA384, TLS1_CK_RSA_PSK_WITH_NULL_SHA384, SSL_kRSAPSK, SSL_aRSA, @@ -1601,11 +1755,11 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, -# ifndef OPENSSL_NO_EC # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, + TLS1_RFC_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, TLS1_CK_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, SSL_kECDHEPSK, SSL_aPSK, @@ -1622,6 +1776,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA, + TLS1_RFC_ECDHE_PSK_WITH_AES_128_CBC_SHA, TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA, SSL_kECDHEPSK, SSL_aPSK, @@ -1637,6 +1792,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA, + TLS1_RFC_ECDHE_PSK_WITH_AES_256_CBC_SHA, TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA, SSL_kECDHEPSK, SSL_aPSK, @@ -1652,6 +1808,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA256, + TLS1_RFC_ECDHE_PSK_WITH_AES_128_CBC_SHA256, TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA256, SSL_kECDHEPSK, SSL_aPSK, @@ -1667,6 +1824,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA384, + TLS1_RFC_ECDHE_PSK_WITH_AES_256_CBC_SHA384, TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA384, SSL_kECDHEPSK, SSL_aPSK, @@ -1682,6 +1840,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA, + TLS1_RFC_ECDHE_PSK_WITH_NULL_SHA, TLS1_CK_ECDHE_PSK_WITH_NULL_SHA, SSL_kECDHEPSK, SSL_aPSK, @@ -1697,6 +1856,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA256, + TLS1_RFC_ECDHE_PSK_WITH_NULL_SHA256, TLS1_CK_ECDHE_PSK_WITH_NULL_SHA256, SSL_kECDHEPSK, SSL_aPSK, @@ -1712,6 +1872,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA384, + TLS1_RFC_ECDHE_PSK_WITH_NULL_SHA384, TLS1_CK_ECDHE_PSK_WITH_NULL_SHA384, SSL_kECDHEPSK, SSL_aPSK, @@ -1724,14 +1885,12 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, -# endif /* OPENSSL_NO_EC */ -#endif /* OPENSSL_NO_PSK */ -#ifndef OPENSSL_NO_SRP # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA, + TLS1_RFC_SRP_SHA_WITH_3DES_EDE_CBC_SHA, TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA, SSL_kSRP, SSL_aSRP, @@ -1747,6 +1906,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA, + TLS1_RFC_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA, TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kSRP, SSL_aRSA, @@ -1762,6 +1922,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA, + TLS1_RFC_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA, TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kSRP, SSL_aDSS, @@ -1778,6 +1939,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA, + TLS1_RFC_SRP_SHA_WITH_AES_128_CBC_SHA, TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA, SSL_kSRP, SSL_aSRP, @@ -1793,6 +1955,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA, + TLS1_RFC_SRP_SHA_RSA_WITH_AES_128_CBC_SHA, TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA, SSL_kSRP, SSL_aRSA, @@ -1808,6 +1971,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA, + TLS1_RFC_SRP_SHA_DSS_WITH_AES_128_CBC_SHA, TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA, SSL_kSRP, SSL_aDSS, @@ -1823,6 +1987,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA, + TLS1_RFC_SRP_SHA_WITH_AES_256_CBC_SHA, TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA, SSL_kSRP, SSL_aSRP, @@ -1838,6 +2003,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA, + TLS1_RFC_SRP_SHA_RSA_WITH_AES_256_CBC_SHA, TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA, SSL_kSRP, SSL_aRSA, @@ -1853,6 +2019,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA, + TLS1_RFC_SRP_SHA_DSS_WITH_AES_256_CBC_SHA, TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA, SSL_kSRP, SSL_aDSS, @@ -1865,13 +2032,12 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -#endif /* OPENSSL_NO_SRP */ #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) -# ifndef OPENSSL_NO_RSA { 1, TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, + TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305, TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305, SSL_kDHE, SSL_aRSA, @@ -1884,12 +2050,10 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -# endif /* OPENSSL_NO_RSA */ - -# ifndef OPENSSL_NO_EC { 1, TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, + TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_kECDHE, SSL_aRSA, @@ -1905,6 +2069,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_kECDHE, SSL_aECDSA, @@ -1917,12 +2082,10 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -# endif /* OPENSSL_NO_EC */ - -# ifndef OPENSSL_NO_PSK { 1, TLS1_TXT_PSK_WITH_CHACHA20_POLY1305, + TLS1_RFC_PSK_WITH_CHACHA20_POLY1305, TLS1_CK_PSK_WITH_CHACHA20_POLY1305, SSL_kPSK, SSL_aPSK, @@ -1938,6 +2101,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305, + TLS1_RFC_ECDHE_PSK_WITH_CHACHA20_POLY1305, TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305, SSL_kECDHEPSK, SSL_aPSK, @@ -1953,6 +2117,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_CHACHA20_POLY1305, + TLS1_RFC_DHE_PSK_WITH_CHACHA20_POLY1305, TLS1_CK_DHE_PSK_WITH_CHACHA20_POLY1305, SSL_kDHEPSK, SSL_aPSK, @@ -1968,6 +2133,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_CHACHA20_POLY1305, + TLS1_RFC_RSA_PSK_WITH_CHACHA20_POLY1305, TLS1_CK_RSA_PSK_WITH_CHACHA20_POLY1305, SSL_kRSAPSK, SSL_aRSA, @@ -1980,7 +2146,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -# endif /* OPENSSL_NO_PSK */ #endif /* !defined(OPENSSL_NO_CHACHA) && * !defined(OPENSSL_NO_POLY1305) */ @@ -1988,6 +2153,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_RFC_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, SSL_kRSA, SSL_aRSA, @@ -2003,6 +2169,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_RFC_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, SSL_kEDH, SSL_aDSS, @@ -2018,6 +2185,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_RFC_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, SSL_kEDH, SSL_aRSA, @@ -2033,6 +2201,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_RFC_ADH_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, SSL_kEDH, SSL_aNULL, @@ -2048,6 +2217,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_RFC_RSA_WITH_CAMELLIA_256_CBC_SHA256, TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, SSL_kRSA, SSL_aRSA, @@ -2063,6 +2233,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_RFC_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, SSL_kEDH, SSL_aDSS, @@ -2078,6 +2249,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_RFC_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, SSL_kEDH, SSL_aRSA, @@ -2093,6 +2265,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_RFC_ADH_WITH_CAMELLIA_256_CBC_SHA256, TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, SSL_kEDH, SSL_aNULL, @@ -2108,6 +2281,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS1_RFC_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA, SSL_aRSA, @@ -2123,6 +2297,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + TLS1_RFC_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kDHE, SSL_aDSS, @@ -2138,6 +2313,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS1_RFC_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kDHE, SSL_aRSA, @@ -2153,6 +2329,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, + TLS1_RFC_ADH_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, SSL_kDHE, SSL_aNULL, @@ -2168,6 +2345,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS1_RFC_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA, SSL_aRSA, @@ -2183,6 +2361,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, + TLS1_RFC_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kDHE, SSL_aDSS, @@ -2198,6 +2377,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS1_RFC_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kDHE, SSL_aRSA, @@ -2213,6 +2393,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, + TLS1_RFC_ADH_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, SSL_kDHE, SSL_aNULL, @@ -2225,11 +2406,10 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, - -# ifndef OPENSSL_NO_EC { 1, TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_RFC_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, SSL_kECDHE, SSL_aECDSA, @@ -2245,6 +2425,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS1_RFC_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, SSL_kECDHE, SSL_aECDSA, @@ -2260,6 +2441,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_RFC_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, SSL_kECDHE, SSL_aRSA, @@ -2275,6 +2457,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS1_RFC_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, SSL_kECDHE, SSL_aRSA, @@ -2287,12 +2470,10 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -# endif /* OPENSSL_NO_EC */ - -# ifndef OPENSSL_NO_PSK { 1, TLS1_TXT_PSK_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_RFC_PSK_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_PSK_WITH_CAMELLIA_128_CBC_SHA256, SSL_kPSK, SSL_aPSK, @@ -2308,6 +2489,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS1_RFC_PSK_WITH_CAMELLIA_256_CBC_SHA384, TLS1_CK_PSK_WITH_CAMELLIA_256_CBC_SHA384, SSL_kPSK, SSL_aPSK, @@ -2323,6 +2505,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_RFC_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, SSL_kDHEPSK, SSL_aPSK, @@ -2338,6 +2521,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS1_RFC_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, TLS1_CK_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, SSL_kDHEPSK, SSL_aPSK, @@ -2353,6 +2537,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_RFC_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, SSL_kRSAPSK, SSL_aRSA, @@ -2368,6 +2553,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS1_RFC_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, TLS1_CK_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, SSL_kRSAPSK, SSL_aRSA, @@ -2383,6 +2569,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_RFC_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, SSL_kECDHEPSK, SSL_aPSK, @@ -2398,6 +2585,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS1_RFC_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, SSL_kECDHEPSK, SSL_aPSK, @@ -2410,14 +2598,13 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -# endif /* OPENSSL_NO_PSK */ - #endif /* OPENSSL_NO_CAMELLIA */ #ifndef OPENSSL_NO_GOST { 1, "GOST2001-GOST89-GOST89", + "TLS_GOSTR341001_WITH_28147_CNT_IMIT", 0x3000081, SSL_kGOST, SSL_aGOST01, @@ -2433,6 +2620,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, "GOST2001-NULL-GOST94", + "TLS_GOSTR341001_WITH_NULL_GOSTR3411", 0x3000083, SSL_kGOST, SSL_aGOST01, @@ -2448,6 +2636,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, "GOST2012-GOST8912-GOST8912", + NULL, 0x0300ff85, SSL_kGOST, SSL_aGOST12 | SSL_aGOST01, @@ -2463,6 +2652,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, "GOST2012-NULL-GOST12", + NULL, 0x0300ff87, SSL_kGOST, SSL_aGOST12 | SSL_aGOST01, @@ -2481,6 +2671,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, SSL3_TXT_RSA_IDEA_128_SHA, + SSL3_RFC_RSA_IDEA_128_SHA, SSL3_CK_RSA_IDEA_128_SHA, SSL_kRSA, SSL_aRSA, @@ -2499,6 +2690,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_WITH_SEED_SHA, + TLS1_RFC_RSA_WITH_SEED_SHA, TLS1_CK_RSA_WITH_SEED_SHA, SSL_kRSA, SSL_aRSA, @@ -2514,6 +2706,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_DSS_WITH_SEED_SHA, + TLS1_RFC_DHE_DSS_WITH_SEED_SHA, TLS1_CK_DHE_DSS_WITH_SEED_SHA, SSL_kDHE, SSL_aDSS, @@ -2529,6 +2722,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_RSA_WITH_SEED_SHA, + TLS1_RFC_DHE_RSA_WITH_SEED_SHA, TLS1_CK_DHE_RSA_WITH_SEED_SHA, SSL_kDHE, SSL_aRSA, @@ -2544,6 +2738,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ADH_WITH_SEED_SHA, + TLS1_RFC_ADH_WITH_SEED_SHA, TLS1_CK_ADH_WITH_SEED_SHA, SSL_kDHE, SSL_aNULL, @@ -2562,6 +2757,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, SSL3_TXT_RSA_RC4_128_MD5, + SSL3_RFC_RSA_RC4_128_MD5, SSL3_CK_RSA_RC4_128_MD5, SSL_kRSA, SSL_aRSA, @@ -2577,6 +2773,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, SSL3_TXT_RSA_RC4_128_SHA, + SSL3_RFC_RSA_RC4_128_SHA, SSL3_CK_RSA_RC4_128_SHA, SSL_kRSA, SSL_aRSA, @@ -2592,6 +2789,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, SSL3_TXT_ADH_RC4_128_MD5, + SSL3_RFC_ADH_RC4_128_MD5, SSL3_CK_ADH_RC4_128_MD5, SSL_kDHE, SSL_aNULL, @@ -2604,11 +2802,10 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, - -# ifndef OPENSSL_NO_EC { 1, TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA, + TLS1_RFC_ECDHE_PSK_WITH_RC4_128_SHA, TLS1_CK_ECDHE_PSK_WITH_RC4_128_SHA, SSL_kECDHEPSK, SSL_aPSK, @@ -2624,6 +2821,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, + TLS1_RFC_ECDH_anon_WITH_RC4_128_SHA, TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, SSL_kECDHE, SSL_aNULL, @@ -2639,6 +2837,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS1_RFC_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE, SSL_aECDSA, @@ -2654,6 +2853,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, + TLS1_RFC_ECDHE_RSA_WITH_RC4_128_SHA, TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE, SSL_aRSA, @@ -2666,12 +2866,10 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, -# endif /* OPENSSL_NO_EC */ - -# ifndef OPENSSL_NO_PSK { 1, TLS1_TXT_PSK_WITH_RC4_128_SHA, + TLS1_RFC_PSK_WITH_RC4_128_SHA, TLS1_CK_PSK_WITH_RC4_128_SHA, SSL_kPSK, SSL_aPSK, @@ -2687,6 +2885,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA, + TLS1_RFC_RSA_PSK_WITH_RC4_128_SHA, TLS1_CK_RSA_PSK_WITH_RC4_128_SHA, SSL_kRSAPSK, SSL_aRSA, @@ -2702,6 +2901,7 @@ static SSL_CIPHER ssl3_ciphers[] = { { 1, TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA, + TLS1_RFC_DHE_PSK_WITH_RC4_128_SHA, TLS1_CK_DHE_PSK_WITH_RC4_128_SHA, SSL_kDHEPSK, SSL_aPSK, @@ -2714,10 +2914,288 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, -# endif /* OPENSSL_NO_PSK */ - #endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */ +#ifndef OPENSSL_NO_ARIA + { + 1, + TLS1_TXT_RSA_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_RSA_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_RSA_WITH_ARIA_128_GCM_SHA256, + SSL_kRSA, + SSL_aRSA, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_RSA_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_RSA_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_RSA_WITH_ARIA_256_GCM_SHA384, + SSL_kRSA, + SSL_aRSA, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_DHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_DHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_DHE_RSA_WITH_ARIA_128_GCM_SHA256, + SSL_kDHE, + SSL_aRSA, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_DHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_DHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_DHE_RSA_WITH_ARIA_256_GCM_SHA384, + SSL_kDHE, + SSL_aRSA, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_DHE_DSS_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_DHE_DSS_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_DHE_DSS_WITH_ARIA_128_GCM_SHA256, + SSL_kDHE, + SSL_aDSS, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_DHE_DSS_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_DHE_DSS_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_DHE_DSS_WITH_ARIA_256_GCM_SHA384, + SSL_kDHE, + SSL_aDSS, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, + SSL_kECDHE, + SSL_aECDSA, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, + SSL_kECDHE, + SSL_aECDSA, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, + SSL_kECDHE, + SSL_aRSA, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, + SSL_kECDHE, + SSL_aRSA, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_PSK_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_PSK_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_PSK_WITH_ARIA_128_GCM_SHA256, + SSL_kPSK, + SSL_aPSK, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_PSK_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_PSK_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_PSK_WITH_ARIA_256_GCM_SHA384, + SSL_kPSK, + SSL_aPSK, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_DHE_PSK_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_DHE_PSK_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_DHE_PSK_WITH_ARIA_128_GCM_SHA256, + SSL_kDHEPSK, + SSL_aPSK, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_DHE_PSK_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_DHE_PSK_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_DHE_PSK_WITH_ARIA_256_GCM_SHA384, + SSL_kDHEPSK, + SSL_aPSK, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, + { + 1, + TLS1_TXT_RSA_PSK_WITH_ARIA_128_GCM_SHA256, + TLS1_RFC_RSA_PSK_WITH_ARIA_128_GCM_SHA256, + TLS1_CK_RSA_PSK_WITH_ARIA_128_GCM_SHA256, + SSL_kRSAPSK, + SSL_aRSA, + SSL_ARIA128GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, + }, + { + 1, + TLS1_TXT_RSA_PSK_WITH_ARIA_256_GCM_SHA384, + TLS1_RFC_RSA_PSK_WITH_ARIA_256_GCM_SHA384, + TLS1_CK_RSA_PSK_WITH_ARIA_256_GCM_SHA384, + SSL_kRSAPSK, + SSL_aRSA, + SSL_ARIA256GCM, + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, + SSL_NOT_DEFAULT | SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, + 256, + 256, + }, +#endif /* OPENSSL_NO_ARIA */ +}; + +/* + * The list of known Signalling Cipher-Suite Value "ciphers", non-valid + * values stuffed into the ciphers field of the wire protocol for signalling + * purposes. + */ +static SSL_CIPHER ssl3_scsvs[] = { + { + 0, + "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", + "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", + SSL3_CK_SCSV, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + }, + { + 0, + "TLS_FALLBACK_SCSV", + "TLS_FALLBACK_SCSV", + SSL3_CK_FALLBACK_SCSV, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + }, }; static int cipher_compare(const void *a, const void *b) @@ -2732,8 +3210,11 @@ static int cipher_compare(const void *a, const void *b) void ssl_sort_cipher_list(void) { - qsort(ssl3_ciphers, OSSL_NELEM(ssl3_ciphers), sizeof(ssl3_ciphers[0]), + qsort(tls13_ciphers, TLS13_NUM_CIPHERS, sizeof(tls13_ciphers[0]), cipher_compare); + qsort(ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof(ssl3_ciphers[0]), + cipher_compare); + qsort(ssl3_scsvs, SSL3_NUM_SCSVS, sizeof(ssl3_scsvs[0]), cipher_compare); } static int ssl_undefined_function_1(SSL *ssl, unsigned char *r, size_t s, @@ -2757,14 +3238,13 @@ const SSL3_ENC_METHOD SSLv3_enc_data = { ssl3_generate_master_secret, ssl3_change_cipher_state, ssl3_final_finish_mac, - MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, SSL3_MD_CLIENT_FINISHED_CONST, 4, SSL3_MD_SERVER_FINISHED_CONST, 4, ssl3_alert_code, ssl_undefined_function_1, 0, - SSL3_HM_HEADER_LENGTH, ssl3_set_handshake_header, + tls_close_construct_packet, ssl3_handshake_write }; @@ -2779,24 +3259,27 @@ long ssl3_default_timeout(void) int ssl3_num_ciphers(void) { - return (SSL3_NUM_CIPHERS); + return SSL3_NUM_CIPHERS; } const SSL_CIPHER *ssl3_get_cipher(unsigned int u) { if (u < SSL3_NUM_CIPHERS) - return (&(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u])); + return &(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]); else - return (NULL); + return NULL; } -int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len) +int ssl3_set_handshake_header(SSL *s, WPACKET *pkt, int htype) { - unsigned char *p = (unsigned char *)s->init_buf->data; - *(p++) = htype; - l2n3(len, p); - s->init_num = (int)len + SSL3_HM_HEADER_LENGTH; - s->init_off = 0; + /* No header in the event of a CCS */ + if (htype == SSL3_MT_CHANGE_CIPHER_SPEC) + return 1; + + /* Set the content type and 3 bytes for the message len */ + if (!WPACKET_put_bytes_u8(pkt, htype) + || !WPACKET_start_sub_packet_u24(pkt)) + return 0; return 1; } @@ -2818,10 +3301,13 @@ int ssl3_new(SSL *s) if (!SSL_SRP_CTX_init(s)) goto err; #endif - s->method->ssl_clear(s); - return (1); + + if (!s->method->ssl_clear(s)) + return 0; + + return 1; err: - return (0); + return 0; } void ssl3_free(SSL *s) @@ -2838,10 +3324,12 @@ void ssl3_free(SSL *s) s->s3->tmp.pkey = NULL; #endif - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); + OPENSSL_free(s->s3->tmp.ctype); + sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); OPENSSL_free(s->s3->tmp.ciphers_raw); OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); OPENSSL_free(s->s3->tmp.peer_sigalgs); + OPENSSL_free(s->s3->tmp.peer_cert_sigalgs); ssl3_free_digest_list(s); OPENSSL_free(s->s3->alpn_selected); OPENSSL_free(s->s3->alpn_proposed); @@ -2853,13 +3341,15 @@ void ssl3_free(SSL *s) s->s3 = NULL; } -void ssl3_clear(SSL *s) +int ssl3_clear(SSL *s) { ssl3_cleanup_key_block(s); - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); + OPENSSL_free(s->s3->tmp.ctype); + sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); OPENSSL_free(s->s3->tmp.ciphers_raw); OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); OPENSSL_free(s->s3->tmp.peer_sigalgs); + OPENSSL_free(s->s3->tmp.peer_cert_sigalgs); #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3->tmp.pkey); @@ -2874,15 +3364,18 @@ void ssl3_clear(SSL *s) /* NULL/zero-out everything in the s3 struct */ memset(s->s3, 0, sizeof(*s->s3)); - ssl_free_wbio_buffer(s); + if (!ssl_free_wbio_buffer(s)) + return 0; s->version = SSL3_VERSION; #if !defined(OPENSSL_NO_NEXTPROTONEG) - OPENSSL_free(s->next_proto_negotiated); - s->next_proto_negotiated = NULL; - s->next_proto_negotiated_len = 0; + OPENSSL_free(s->ext.npn); + s->ext.npn = NULL; + s->ext.npn_len = 0; #endif + + return 1; } #ifndef OPENSSL_NO_SRP @@ -2921,7 +3414,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EVP_PKEY *pkdh = NULL; if (dh == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); - return (ret); + return ret; } pkdh = ssl_dh_to_pkey(dh); if (pkdh == NULL) { @@ -2942,7 +3435,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_TMP_DH_CB: { SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (ret); + return ret; } case SSL_CTRL_SET_DH_AUTO: s->cert->dh_tmp_auto = larg; @@ -2966,18 +3459,27 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) nid = EC_GROUP_get_curve_name(group); if (nid == NID_undef) return 0; - return tls1_set_curves(&s->tlsext_ellipticcurvelist, - &s->tlsext_ellipticcurvelist_length, + return tls1_set_groups(&s->ext.supportedgroups, + &s->ext.supportedgroups_len, &nid, 1); } break; #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: + /* + * TODO(OpenSSL1.2) + * This API is only used for a client to set what SNI it will request + * from the server, but we currently allow it to be used on servers + * as well, which is a programming error. Currently we just clear + * the field in SSL_do_handshake() for server SSLs, but when we can + * make ABI-breaking changes, we may want to make use of this API + * an error on server SSLs. + */ if (larg == TLSEXT_NAMETYPE_host_name) { size_t len; - OPENSSL_free(s->tlsext_hostname); - s->tlsext_hostname = NULL; + OPENSSL_free(s->ext.hostname); + s->ext.hostname = NULL; ret = 1; if (parg == NULL) @@ -2987,7 +3489,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); return 0; } - if ((s->tlsext_hostname = OPENSSL_strdup((char *)parg)) == NULL) { + if ((s->ext.hostname = OPENSSL_strdup((char *)parg)) == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR); return 0; } @@ -2997,69 +3499,57 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } break; case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: - s->tlsext_debug_arg = parg; + s->ext.debug_arg = parg; ret = 1; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: - ret = s->tlsext_status_type; + ret = s->ext.status_type; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: - s->tlsext_status_type = larg; + s->ext.status_type = larg; ret = 1; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: - *(STACK_OF(X509_EXTENSION) **)parg = s->tlsext_ocsp_exts; + *(STACK_OF(X509_EXTENSION) **)parg = s->ext.ocsp.exts; ret = 1; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: - s->tlsext_ocsp_exts = parg; + s->ext.ocsp.exts = parg; ret = 1; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: - *(STACK_OF(OCSP_RESPID) **)parg = s->tlsext_ocsp_ids; + *(STACK_OF(OCSP_RESPID) **)parg = s->ext.ocsp.ids; ret = 1; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: - s->tlsext_ocsp_ids = parg; + s->ext.ocsp.ids = parg; ret = 1; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: - *(unsigned char **)parg = s->tlsext_ocsp_resp; - return s->tlsext_ocsp_resplen; + *(unsigned char **)parg = s->ext.ocsp.resp; + if (s->ext.ocsp.resp_len == 0 + || s->ext.ocsp.resp_len > LONG_MAX) + return -1; + return (long)s->ext.ocsp.resp_len; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: - OPENSSL_free(s->tlsext_ocsp_resp); - s->tlsext_ocsp_resp = parg; - s->tlsext_ocsp_resplen = larg; + OPENSSL_free(s->ext.ocsp.resp); + s->ext.ocsp.resp = parg; + s->ext.ocsp.resp_len = larg; ret = 1; break; #ifndef OPENSSL_NO_HEARTBEATS case SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT: - if (SSL_IS_DTLS(s)) - ret = dtls1_heartbeat(s); - break; - case SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING: - if (SSL_IS_DTLS(s)) - ret = s->tlsext_hb_pending; - break; - case SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS: - if (SSL_IS_DTLS(s)) { - if (larg) - s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_RECV_REQUESTS; - else - s->tlsext_heartbeat &= ~SSL_DTLSEXT_HB_DONT_RECV_REQUESTS; - ret = 1; - } break; #endif @@ -3084,12 +3574,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_CURRENT_CERT: if (larg == SSL_CERT_SET_SERVER) { - CERT_PKEY *cpk; const SSL_CIPHER *cipher; if (!s->server) return 0; cipher = s->s3->tmp.new_cipher; - if (!cipher) + if (cipher == NULL) return 0; /* * No certificate for unauthenticated ciphersuites or using SRP @@ -3097,50 +3586,58 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) */ if (cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) return 2; - cpk = ssl_get_server_send_pkey(s); - if (!cpk) + if (s->s3->tmp.cert == NULL) return 0; - s->cert->key = cpk; + s->cert->key = s->s3->tmp.cert; return 1; } return ssl_cert_set_current(s->cert, larg); #ifndef OPENSSL_NO_EC - case SSL_CTRL_GET_CURVES: + case SSL_CTRL_GET_GROUPS: { - unsigned char *clist; + uint16_t *clist; size_t clistlen; + if (!s->session) return 0; - clist = s->session->tlsext_ellipticcurvelist; - clistlen = s->session->tlsext_ellipticcurvelist_length / 2; + clist = s->session->ext.supportedgroups; + clistlen = s->session->ext.supportedgroups_len; if (parg) { size_t i; int *cptr = parg; - unsigned int cid, nid; + for (i = 0; i < clistlen; i++) { - n2s(clist, cid); - nid = tls1_ec_curve_id2nid(cid, NULL); - if (nid != 0) - cptr[i] = nid; + const TLS_GROUP_INFO *cinf = tls1_group_id_lookup(clist[i]); + + if (cinf != NULL) + cptr[i] = cinf->nid; else - cptr[i] = TLSEXT_nid_unknown | cid; + cptr[i] = TLSEXT_nid_unknown | clist[i]; } } return (int)clistlen; } - case SSL_CTRL_SET_CURVES: - return tls1_set_curves(&s->tlsext_ellipticcurvelist, - &s->tlsext_ellipticcurvelist_length, parg, larg); + case SSL_CTRL_SET_GROUPS: + return tls1_set_groups(&s->ext.supportedgroups, + &s->ext.supportedgroups_len, parg, larg); + + case SSL_CTRL_SET_GROUPS_LIST: + return tls1_set_groups_list(&s->ext.supportedgroups, + &s->ext.supportedgroups_len, parg); - case SSL_CTRL_SET_CURVES_LIST: - return tls1_set_curves_list(&s->tlsext_ellipticcurvelist, - &s->tlsext_ellipticcurvelist_length, parg); + case SSL_CTRL_GET_SHARED_GROUP: + { + uint16_t id = tls1_shared_group(s, larg); - case SSL_CTRL_GET_SHARED_CURVE: - return tls1_shared_curve(s, larg); + if (larg != -1) { + const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); + return ginf == NULL ? 0 : ginf->nid; + } + return id; + } #endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0); @@ -3159,14 +3656,9 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) const unsigned char **pctype = parg; if (s->server || !s->s3->tmp.cert_req) return 0; - if (s->cert->ctypes) { - if (pctype) - *pctype = s->cert->ctypes; - return (int)s->cert->ctype_num; - } if (pctype) - *pctype = (unsigned char *)s->s3->tmp.ctype; - return s->s3->tmp.ctype_num; + *pctype = s->s3->tmp.ctype; + return s->s3->tmp.ctype_len; } case SSL_CTRL_SET_CLIENT_CERT_TYPES: @@ -3184,24 +3676,20 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return ssl_cert_set_cert_store(s->cert, parg, 1, larg); case SSL_CTRL_GET_PEER_SIGNATURE_NID: - if (SSL_USE_SIGALGS(s)) { - if (s->session) { - const EVP_MD *sig; - sig = s->s3->tmp.peer_md; - if (sig) { - *(int *)parg = EVP_MD_type(sig); - return 1; - } - } + if (s->s3->tmp.peer_sigalg == NULL) return 0; - } - /* Might want to do something here for other versions */ - else + *(int *)parg = s->s3->tmp.peer_sigalg->hash; + return 1; + + case SSL_CTRL_GET_SIGNATURE_NID: + if (s->s3->tmp.sigalg == NULL) return 0; + *(int *)parg = s->s3->tmp.sigalg->hash; + return 1; - case SSL_CTRL_GET_SERVER_TMP_KEY: + case SSL_CTRL_GET_PEER_TMP_KEY: #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) - if (s->server || s->session == NULL || s->s3->peer_tmp == NULL) { + if (s->session == NULL || s->s3->peer_tmp == NULL) { return 0; } else { EVP_PKEY_up_ref(s->s3->peer_tmp); @@ -3211,22 +3699,37 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #else return 0; #endif + + case SSL_CTRL_GET_TMP_KEY: +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) + if (s->session == NULL || s->s3->tmp.pkey == NULL) { + return 0; + } else { + EVP_PKEY_up_ref(s->s3->tmp.pkey); + *(EVP_PKEY **)parg = s->s3->tmp.pkey; + return 1; + } +#else + return 0; +#endif + #ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: { SSL_SESSION *sess = s->session; const unsigned char **pformat = parg; - if (!sess || !sess->tlsext_ecpointformatlist) + + if (sess == NULL || sess->ext.ecpointformats == NULL) return 0; - *pformat = sess->tlsext_ecpointformatlist; - return (int)sess->tlsext_ecpointformatlist_length; + *pformat = sess->ext.ecpointformats; + return (int)sess->ext.ecpointformats_len; } #endif default: break; } - return (ret); + return ret; } long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) @@ -3242,8 +3745,8 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) break; #endif case SSL_CTRL_SET_TLSEXT_DEBUG_CB: - s->tlsext_debug_cb = (void (*)(SSL *, int, int, - const unsigned char *, int, void *))fp; + s->ext.debug_cb = (void (*)(SSL *, int, int, + const unsigned char *, int, void *))fp; break; case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB: @@ -3254,7 +3757,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) default: break; } - return (ret); + return ret; } long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) @@ -3284,13 +3787,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) ctx->cert->dh_tmp = pkdh; return 1; } - /* - * break; - */ case SSL_CTRL_SET_TMP_DH_CB: { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); + return 0; } case SSL_CTRL_SET_DH_AUTO: ctx->cert->dh_tmp_auto = larg; @@ -3314,69 +3814,68 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) nid = EC_GROUP_get_curve_name(group); if (nid == NID_undef) return 0; - return tls1_set_curves(&ctx->tlsext_ellipticcurvelist, - &ctx->tlsext_ellipticcurvelist_length, + return tls1_set_groups(&ctx->ext.supportedgroups, + &ctx->ext.supportedgroups_len, &nid, 1); } - /* break; */ #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: - ctx->tlsext_servername_arg = parg; + ctx->ext.servername_arg = parg; break; case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: { unsigned char *keys = parg; - long tlsext_tick_keylen = (sizeof(ctx->tlsext_tick_key_name) + - sizeof(ctx->tlsext_tick_hmac_key) + - sizeof(ctx->tlsext_tick_aes_key)); + long tick_keylen = (sizeof(ctx->ext.tick_key_name) + + sizeof(ctx->ext.secure->tick_hmac_key) + + sizeof(ctx->ext.secure->tick_aes_key)); if (keys == NULL) - return tlsext_tick_keylen; - if (larg != tlsext_tick_keylen) { + return tick_keylen; + if (larg != tick_keylen) { SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH); return 0; } if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { - memcpy(ctx->tlsext_tick_key_name, keys, - sizeof(ctx->tlsext_tick_key_name)); - memcpy(ctx->tlsext_tick_hmac_key, - keys + sizeof(ctx->tlsext_tick_key_name), - sizeof(ctx->tlsext_tick_hmac_key)); - memcpy(ctx->tlsext_tick_aes_key, - keys + sizeof(ctx->tlsext_tick_key_name) + - sizeof(ctx->tlsext_tick_hmac_key), - sizeof(ctx->tlsext_tick_aes_key)); + memcpy(ctx->ext.tick_key_name, keys, + sizeof(ctx->ext.tick_key_name)); + memcpy(ctx->ext.secure->tick_hmac_key, + keys + sizeof(ctx->ext.tick_key_name), + sizeof(ctx->ext.secure->tick_hmac_key)); + memcpy(ctx->ext.secure->tick_aes_key, + keys + sizeof(ctx->ext.tick_key_name) + + sizeof(ctx->ext.secure->tick_hmac_key), + sizeof(ctx->ext.secure->tick_aes_key)); } else { - memcpy(keys, ctx->tlsext_tick_key_name, - sizeof(ctx->tlsext_tick_key_name)); - memcpy(keys + sizeof(ctx->tlsext_tick_key_name), - ctx->tlsext_tick_hmac_key, - sizeof(ctx->tlsext_tick_hmac_key)); - memcpy(keys + sizeof(ctx->tlsext_tick_key_name) + - sizeof(ctx->tlsext_tick_hmac_key), - ctx->tlsext_tick_aes_key, - sizeof(ctx->tlsext_tick_aes_key)); + memcpy(keys, ctx->ext.tick_key_name, + sizeof(ctx->ext.tick_key_name)); + memcpy(keys + sizeof(ctx->ext.tick_key_name), + ctx->ext.secure->tick_hmac_key, + sizeof(ctx->ext.secure->tick_hmac_key)); + memcpy(keys + sizeof(ctx->ext.tick_key_name) + + sizeof(ctx->ext.secure->tick_hmac_key), + ctx->ext.secure->tick_aes_key, + sizeof(ctx->ext.secure->tick_aes_key)); } return 1; } case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE: - return ctx->tlsext_status_type; + return ctx->ext.status_type; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: - ctx->tlsext_status_type = larg; + ctx->ext.status_type = larg; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: - ctx->tlsext_status_arg = parg; + ctx->ext.status_arg = parg; return 1; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG: - *(void**)parg = ctx->tlsext_status_arg; + *(void**)parg = ctx->ext.status_arg; break; case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB: - *(int (**)(SSL*, void*))parg = ctx->tlsext_status_cb; + *(int (**)(SSL*, void*))parg = ctx->ext.status_cb; break; #ifndef OPENSSL_NO_SRP @@ -3416,14 +3915,14 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) #endif #ifndef OPENSSL_NO_EC - case SSL_CTRL_SET_CURVES: - return tls1_set_curves(&ctx->tlsext_ellipticcurvelist, - &ctx->tlsext_ellipticcurvelist_length, + case SSL_CTRL_SET_GROUPS: + return tls1_set_groups(&ctx->ext.supportedgroups, + &ctx->ext.supportedgroups_len, parg, larg); - case SSL_CTRL_SET_CURVES_LIST: - return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist, - &ctx->tlsext_ellipticcurvelist_length, + case SSL_CTRL_SET_GROUPS_LIST: + return tls1_set_groups_list(&ctx->ext.supportedgroups, + &ctx->ext.supportedgroups_len, parg); #endif case SSL_CTRL_SET_SIGALGS: @@ -3499,9 +3998,9 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return ssl_cert_set_current(ctx->cert, larg); default: - return (0); + return 0; } - return (1); + return 1; } long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) @@ -3515,15 +4014,15 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) break; #endif case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: - ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp; + ctx->ext.servername_cb = (int (*)(SSL *, int *, void *))fp; break; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: - ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp; + ctx->ext.status_cb = (int (*)(SSL *, void *))fp; break; case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: - ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *, + ctx->ext.ticket_key_cb = (int (*)(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; @@ -3551,39 +4050,78 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) } break; default: - return (0); + return 0; } - return (1); + return 1; } -/* - * This function needs to check if the ciphers required are actually - * available - */ -const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) +const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id) { SSL_CIPHER c; const SSL_CIPHER *cp; - uint32_t id; - id = 0x03000000 | ((uint32_t)p[0] << 8L) | (uint32_t)p[1]; c.id = id; + cp = OBJ_bsearch_ssl_cipher_id(&c, tls13_ciphers, TLS13_NUM_CIPHERS); + if (cp != NULL) + return cp; cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); - return cp; + if (cp != NULL) + return cp; + return OBJ_bsearch_ssl_cipher_id(&c, ssl3_scsvs, SSL3_NUM_SCSVS); } -int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) +const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname) { - long l; - - if (p != NULL) { - l = c->id; - if ((l & 0xff000000) != 0x03000000) - return (0); - p[0] = ((unsigned char)(l >> 8L)) & 0xFF; - p[1] = ((unsigned char)(l)) & 0xFF; + SSL_CIPHER *c = NULL, *tbl; + SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers}; + size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS}; + + /* this is not efficient, necessary to optimize this? */ + for (j = 0; j < OSSL_NELEM(alltabs); j++) { + for (i = 0, tbl = alltabs[j]; i < tblsize[j]; i++, tbl++) { + if (tbl->stdname == NULL) + continue; + if (strcmp(stdname, tbl->stdname) == 0) { + c = tbl; + break; + } + } } - return (2); + if (c == NULL) { + tbl = ssl3_scsvs; + for (i = 0; i < SSL3_NUM_SCSVS; i++, tbl++) { + if (strcmp(stdname, tbl->stdname) == 0) { + c = tbl; + break; + } + } + } + return c; +} + +/* + * This function needs to check if the ciphers required are actually + * available + */ +const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) +{ + return ssl3_get_cipher_by_id(SSL3_CK_CIPHERSUITE_FLAG + | ((uint32_t)p[0] << 8L) + | (uint32_t)p[1]); +} + +int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len) +{ + if ((c->id & 0xff000000) != SSL3_CK_CIPHERSUITE_FLAG) { + *len = 0; + return 1; + } + + if (!WPACKET_put_bytes_u16(pkt, c->id & 0xffff)) + return 0; + + *len = 2; + return 1; } /* @@ -3599,21 +4137,21 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, { const SSL_CIPHER *c, *ret = NULL; STACK_OF(SSL_CIPHER) *prio, *allow; - int i, ii, ok; - unsigned long alg_k, alg_a, mask_k, mask_a; + int i, ii, ok, prefer_sha256 = 0; + unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0; + const EVP_MD *mdsha256 = EVP_sha256(); +#ifndef OPENSSL_NO_CHACHA + STACK_OF(SSL_CIPHER) *prio_chacha = NULL; +#endif /* Let's see which ciphers we can support */ -#if 0 /* * Do not set the compare functions, because this may lead to a * reordering by "id". We want to keep the original ordering. We may pay * a price in performance during sk_SSL_CIPHER_find(), but would have to * pay with the price of sk_SSL_CIPHER_dup(). */ - sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp); - sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp); -#endif #ifdef CIPHER_DEBUG fprintf(stderr, "Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), @@ -3630,16 +4168,81 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, } #endif - if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) { + /* SUITE-B takes precedence over server preference and ChaCha priortiy */ + if (tls1_suiteb(s)) { + prio = srvr; + allow = clnt; + } else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { prio = srvr; allow = clnt; +#ifndef OPENSSL_NO_CHACHA + /* If ChaCha20 is at the top of the client preference list, + and there are ChaCha20 ciphers in the server list, then + temporarily prioritize all ChaCha20 ciphers in the servers list. */ + if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) { + c = sk_SSL_CIPHER_value(clnt, 0); + if (c->algorithm_enc == SSL_CHACHA20POLY1305) { + /* ChaCha20 is client preferred, check server... */ + int num = sk_SSL_CIPHER_num(srvr); + int found = 0; + for (i = 0; i < num; i++) { + c = sk_SSL_CIPHER_value(srvr, i); + if (c->algorithm_enc == SSL_CHACHA20POLY1305) { + found = 1; + break; + } + } + if (found) { + prio_chacha = sk_SSL_CIPHER_new_reserve(NULL, num); + /* if reserve fails, then there's likely a memory issue */ + if (prio_chacha != NULL) { + /* Put all ChaCha20 at the top, starting with the one we just found */ + sk_SSL_CIPHER_push(prio_chacha, c); + for (i++; i < num; i++) { + c = sk_SSL_CIPHER_value(srvr, i); + if (c->algorithm_enc == SSL_CHACHA20POLY1305) + sk_SSL_CIPHER_push(prio_chacha, c); + } + /* Pull in the rest */ + for (i = 0; i < num; i++) { + c = sk_SSL_CIPHER_value(srvr, i); + if (c->algorithm_enc != SSL_CHACHA20POLY1305) + sk_SSL_CIPHER_push(prio_chacha, c); + } + prio = prio_chacha; + } + } + } + } +# endif } else { prio = clnt; allow = srvr; } - tls1_set_cert_validity(s); - ssl_set_masks(s); + if (SSL_IS_TLS13(s)) { +#ifndef OPENSSL_NO_PSK + int j; + + /* + * If we allow "old" style PSK callbacks, and we have no certificate (so + * we're not going to succeed without a PSK anyway), and we're in + * TLSv1.3 then the default hash for a PSK is SHA-256 (as per the + * TLSv1.3 spec). Therefore we should prioritise ciphersuites using + * that. + */ + if (s->psk_server_callback != NULL) { + for (j = 0; j < SSL_PKEY_NUM && !ssl_has_cert(s, j); j++); + if (j == SSL_PKEY_NUM) { + /* There are no certificates */ + prefer_sha256 = 1; + } + } +#endif + } else { + tls1_set_cert_validity(s); + ssl_set_masks(s); + } for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) { c = sk_SSL_CIPHER_value(prio, i); @@ -3653,41 +4256,47 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, DTLS_VERSION_GT(s->version, c->max_dtls))) continue; - mask_k = s->s3->tmp.mask_k; - mask_a = s->s3->tmp.mask_a; + /* + * Since TLS 1.3 ciphersuites can be used with any auth or + * key exchange scheme skip tests. + */ + if (!SSL_IS_TLS13(s)) { + mask_k = s->s3->tmp.mask_k; + mask_a = s->s3->tmp.mask_a; #ifndef OPENSSL_NO_SRP - if (s->srp_ctx.srp_Mask & SSL_kSRP) { - mask_k |= SSL_kSRP; - mask_a |= SSL_aSRP; - } + if (s->srp_ctx.srp_Mask & SSL_kSRP) { + mask_k |= SSL_kSRP; + mask_a |= SSL_aSRP; + } #endif - alg_k = c->algorithm_mkey; - alg_a = c->algorithm_auth; + alg_k = c->algorithm_mkey; + alg_a = c->algorithm_auth; #ifndef OPENSSL_NO_PSK - /* with PSK there must be server callback set */ - if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL) - continue; + /* with PSK there must be server callback set */ + if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL) + continue; #endif /* OPENSSL_NO_PSK */ - ok = (alg_k & mask_k) && (alg_a & mask_a); + ok = (alg_k & mask_k) && (alg_a & mask_a); #ifdef CIPHER_DEBUG - fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k, - alg_a, mask_k, mask_a, (void *)c, c->name); + fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k, + alg_a, mask_k, mask_a, (void *)c, c->name); #endif #ifndef OPENSSL_NO_EC - /* - * if we are considering an ECC cipher suite that uses an ephemeral - * EC key check it - */ - if (alg_k & SSL_kECDHE) - ok = ok && tls1_check_ec_tmp_key(s, c->id); + /* + * if we are considering an ECC cipher suite that uses an ephemeral + * EC key check it + */ + if (alg_k & SSL_kECDHE) + ok = ok && tls1_check_ec_tmp_key(s, c->id); #endif /* OPENSSL_NO_EC */ - if (!ok) - continue; + if (!ok) + continue; + } ii = sk_SSL_CIPHER_find(allow, c); if (ii >= 0) { /* Check security callback permits this cipher */ @@ -3702,83 +4311,92 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, continue; } #endif + if (prefer_sha256) { + const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii); + + if (ssl_md(tmp->algorithm2) == mdsha256) { + ret = tmp; + break; + } + if (ret == NULL) + ret = tmp; + continue; + } ret = sk_SSL_CIPHER_value(allow, ii); break; } } - return (ret); +#ifndef OPENSSL_NO_CHACHA + sk_SSL_CIPHER_free(prio_chacha); +#endif + return ret; } -int ssl3_get_req_cert_type(SSL *s, unsigned char *p) +int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt) { - int ret = 0; uint32_t alg_k, alg_a = 0; /* If we have custom certificate types set, use them */ - if (s->cert->ctypes) { - memcpy(p, s->cert->ctypes, s->cert->ctype_num); - return (int)s->cert->ctype_num; - } + if (s->cert->ctype) + return WPACKET_memcpy(pkt, s->cert->ctype, s->cert->ctype_len); /* Get mask of algorithms disabled by signature list */ ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK); alg_k = s->s3->tmp.new_cipher->algorithm_mkey; #ifndef OPENSSL_NO_GOST - if (s->version >= TLS1_VERSION) { - if (alg_k & SSL_kGOST) { - p[ret++] = TLS_CT_GOST01_SIGN; - p[ret++] = TLS_CT_GOST12_SIGN; - p[ret++] = TLS_CT_GOST12_512_SIGN; - return (ret); - } - } + if (s->version >= TLS1_VERSION && (alg_k & SSL_kGOST)) + return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST01_SIGN) + && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN) + && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN); #endif if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) { #ifndef OPENSSL_NO_DH # ifndef OPENSSL_NO_RSA - p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; + if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_EPHEMERAL_DH)) + return 0; # endif # ifndef OPENSSL_NO_DSA - p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; + if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_EPHEMERAL_DH)) + return 0; # endif #endif /* !OPENSSL_NO_DH */ } #ifndef OPENSSL_NO_RSA - if (!(alg_a & SSL_aRSA)) - p[ret++] = SSL3_CT_RSA_SIGN; + if (!(alg_a & SSL_aRSA) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_SIGN)) + return 0; #endif #ifndef OPENSSL_NO_DSA - if (!(alg_a & SSL_aDSS)) - p[ret++] = SSL3_CT_DSS_SIGN; + if (!(alg_a & SSL_aDSS) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_SIGN)) + return 0; #endif #ifndef OPENSSL_NO_EC /* * ECDSA certs can be used with RSA cipher suites too so we don't * need to check for SSL_kECDH or SSL_kECDHE */ - if (s->version >= TLS1_VERSION) { - if (!(alg_a & SSL_aECDSA)) - p[ret++] = TLS_CT_ECDSA_SIGN; - } + if (s->version >= TLS1_VERSION + && !(alg_a & SSL_aECDSA) + && !WPACKET_put_bytes_u8(pkt, TLS_CT_ECDSA_SIGN)) + return 0; #endif - return (ret); + return 1; } static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len) { - OPENSSL_free(c->ctypes); - c->ctypes = NULL; - if (!p || !len) + OPENSSL_free(c->ctype); + c->ctype = NULL; + c->ctype_len = 0; + if (p == NULL || len == 0) return 1; if (len > 0xff) return 0; - c->ctypes = OPENSSL_malloc(len); - if (c->ctypes == NULL) + c->ctype = OPENSSL_memdup(p, len); + if (c->ctype == NULL) return 0; - memcpy(c->ctypes, p, len); - c->ctype_num = len; + c->ctype_len = len; return 1; } @@ -3792,7 +4410,7 @@ int ssl3_shutdown(SSL *s) */ if (s->quiet_shutdown || SSL_in_before(s)) { s->shutdown = (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); - return (1); + return 1; } if (!(s->shutdown & SSL_SENT_SHUTDOWN)) { @@ -3803,7 +4421,7 @@ int ssl3_shutdown(SSL *s) * written, s->s3->alert_dispatch will be true */ if (s->s3->alert_dispatch) - return (-1); /* return WANT_WRITE */ + return -1; /* return WANT_WRITE */ } else if (s->s3->alert_dispatch) { /* resend it if not sent */ ret = s->method->ssl_dispatch_alert(s); @@ -3813,45 +4431,48 @@ int ssl3_shutdown(SSL *s) * have already signalled return 0 upon a previous invocation, * return WANT_WRITE */ - return (ret); + return ret; } } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { + size_t readbytes; /* * If we are waiting for a close from our peer, we are closed */ - s->method->ssl_read_bytes(s, 0, NULL, NULL, 0, 0); + s->method->ssl_read_bytes(s, 0, NULL, NULL, 0, 0, &readbytes); if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { - return (-1); /* return WANT_READ */ + return -1; /* return WANT_READ */ } } if ((s->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN)) && !s->s3->alert_dispatch) - return (1); + return 1; else - return (0); + return 0; } -int ssl3_write(SSL *s, const void *buf, int len) +int ssl3_write(SSL *s, const void *buf, size_t len, size_t *written) { clear_sys_error(); if (s->s3->renegotiate) - ssl3_renegotiate_check(s); + ssl3_renegotiate_check(s, 0); - return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len); + return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, + written); } -static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) +static int ssl3_read_internal(SSL *s, void *buf, size_t len, int peek, + size_t *readbytes) { int ret; clear_sys_error(); if (s->s3->renegotiate) - ssl3_renegotiate_check(s); + ssl3_renegotiate_check(s, 0); s->s3->in_read_app_data = 1; ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, NULL, buf, len, - peek); + peek, readbytes); if ((ret == -1) && (s->s3->in_read_app_data == 2)) { /* * ssl3_read_bytes decided to call s->handshake_func, which called @@ -3863,44 +4484,49 @@ static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) ossl_statem_set_in_handshake(s, 1); ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, NULL, buf, - len, peek); + len, peek, readbytes); ossl_statem_set_in_handshake(s, 0); } else s->s3->in_read_app_data = 0; - return (ret); + return ret; } -int ssl3_read(SSL *s, void *buf, int len) +int ssl3_read(SSL *s, void *buf, size_t len, size_t *readbytes) { - return ssl3_read_internal(s, buf, len, 0); + return ssl3_read_internal(s, buf, len, 0, readbytes); } -int ssl3_peek(SSL *s, void *buf, int len) +int ssl3_peek(SSL *s, void *buf, size_t len, size_t *readbytes) { - return ssl3_read_internal(s, buf, len, 1); + return ssl3_read_internal(s, buf, len, 1, readbytes); } int ssl3_renegotiate(SSL *s) { if (s->handshake_func == NULL) - return (1); - - if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) - return (0); + return 1; s->s3->renegotiate = 1; - return (1); + return 1; } -int ssl3_renegotiate_check(SSL *s) +/* + * Check if we are waiting to do a renegotiation and if so whether now is a + * good time to do it. If |initok| is true then we are being called from inside + * the state machine so ignore the result of SSL_in_init(s). Otherwise we + * should not do a renegotiation if SSL_in_init(s) is true. Returns 1 if we + * should do a renegotiation now and sets up the state machine for it. Otherwise + * returns 0. + */ +int ssl3_renegotiate_check(SSL *s, int initok) { int ret = 0; if (s->s3->renegotiate) { if (!RECORD_LAYER_read_pending(&s->rlayer) && !RECORD_LAYER_write_pending(&s->rlayer) - && !SSL_in_init(s)) { + && (initok || !SSL_in_init(s))) { /* * if we are the server, and we have sent a 'RENEGOTIATE' * message, we need to set the state machine into the renegotiate @@ -3913,7 +4539,7 @@ int ssl3_renegotiate_check(SSL *s) ret = 1; } } - return (ret); + return ret; } /* @@ -3942,9 +4568,10 @@ long ssl_get_algorithm2(SSL *s) * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 on * failure, 1 on success. */ -int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) +int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, + DOWNGRADE dgrd) { - int send_time = 0; + int send_time = 0, ret; if (len < 4) return 0; @@ -3955,16 +4582,34 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) if (send_time) { unsigned long Time = (unsigned long)time(NULL); unsigned char *p = result; + l2n(Time, p); - return RAND_bytes(p, len - 4); - } else - return RAND_bytes(result, len); + ret = RAND_bytes(p, len - 4); + } else { + ret = RAND_bytes(result, len); + } + + if (ret > 0) { + if (!ossl_assert(sizeof(tls11downgrade) < len) + || !ossl_assert(sizeof(tls12downgrade) < len)) + return 0; + if (dgrd == DOWNGRADE_TO_1_2) + memcpy(result + len - sizeof(tls12downgrade), tls12downgrade, + sizeof(tls12downgrade)); + else if (dgrd == DOWNGRADE_TO_1_1) + memcpy(result + len - sizeof(tls11downgrade), tls11downgrade, + sizeof(tls11downgrade)); + } + + return ret; } int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, int free_pms) { unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; + int ret = 0; + if (alg_k & SSL_PSK) { #ifndef OPENSSL_NO_PSK unsigned char *pskpms, *t; @@ -3979,10 +4624,8 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, pskpmslen = 4 + pmslen + psklen; pskpms = OPENSSL_malloc(pskpmslen); - if (pskpms == NULL) { - s->session->master_key_length = 0; + if (pskpms == NULL) goto err; - } t = pskpms; s2n(pmslen, t); if (alg_k & SSL_kPSK) @@ -3995,23 +4638,28 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, OPENSSL_clear_free(s->s3->tmp.psk, psklen); s->s3->tmp.psk = NULL; - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, - pskpms, pskpmslen); + if (!s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key,pskpms, pskpmslen, + &s->session->master_key_length)) { + OPENSSL_clear_free(pskpms, pskpmslen); + /* SSLfatal() already called */ + goto err; + } OPENSSL_clear_free(pskpms, pskpmslen); #else /* Should never happen */ - s->session->master_key_length = 0; goto err; #endif } else { - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, - pms, pmslen); + if (!s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key, pms, pmslen, + &s->session->master_key_length)) { + /* SSLfatal() already called */ + goto err; + } } + ret = 1; err: if (pms) { if (free_pms) @@ -4021,7 +4669,7 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, } if (s->server == 0) s->s3->tmp.pms = NULL; - return s->session->master_key_length >= 0; + return ret; } /* Generate a private key from parameters */ @@ -4047,29 +4695,80 @@ EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm) return pkey; } #ifndef OPENSSL_NO_EC -/* Generate a private key a curve ID */ -EVP_PKEY *ssl_generate_pkey_curve(int id) +/* Generate a private key from a group ID */ +EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) { EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; - unsigned int curve_flags; - int nid = tls1_ec_curve_id2nid(id, &curve_flags); + const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); + uint16_t gtype; - if (nid == 0) + if (ginf == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_INTERNAL_ERROR); goto err; - if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) { - pctx = EVP_PKEY_CTX_new_id(nid, NULL); - nid = 0; - } else { + } + gtype = ginf->flags & TLS_CURVE_TYPE; + if (gtype == TLS_CURVE_CUSTOM) + pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL); + else pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); + if (pctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_MALLOC_FAILURE); + goto err; + } + if (EVP_PKEY_keygen_init(pctx) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); + goto err; + } + if (gtype != TLS_CURVE_CUSTOM + && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); + goto err; } + if (EVP_PKEY_keygen(pctx, &pkey) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, + ERR_R_EVP_LIB); + EVP_PKEY_free(pkey); + pkey = NULL; + } + + err: + EVP_PKEY_CTX_free(pctx); + return pkey; +} + +/* + * Generate parameters from a group ID + */ +EVP_PKEY *ssl_generate_param_group(uint16_t id) +{ + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY *pkey = NULL; + const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); + + if (ginf == NULL) + goto err; + + if ((ginf->flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) { + pkey = EVP_PKEY_new(); + if (pkey != NULL && EVP_PKEY_set_type(pkey, ginf->nid)) + return pkey; + EVP_PKEY_free(pkey); + return NULL; + } + + pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); if (pctx == NULL) goto err; - if (EVP_PKEY_keygen_init(pctx) <= 0) + if (EVP_PKEY_paramgen_init(pctx) <= 0) goto err; - if (nid != 0 && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, nid) <= 0) + if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) goto err; - if (EVP_PKEY_keygen(pctx, &pkey) <= 0) { + if (EVP_PKEY_paramgen(pctx, &pkey) <= 0) { EVP_PKEY_free(pkey); pkey = NULL; } @@ -4080,38 +4779,63 @@ EVP_PKEY *ssl_generate_pkey_curve(int id) } #endif -/* Derive premaster or master secret for ECDH/DH */ -int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey) +/* Derive secrets for ECDH/DH */ +int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) { int rv = 0; unsigned char *pms = NULL; size_t pmslen = 0; EVP_PKEY_CTX *pctx; - if (privkey == NULL || pubkey == NULL) + if (privkey == NULL || pubkey == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE, + ERR_R_INTERNAL_ERROR); return 0; + } pctx = EVP_PKEY_CTX_new(privkey, NULL); if (EVP_PKEY_derive_init(pctx) <= 0 || EVP_PKEY_derive_set_peer(pctx, pubkey) <= 0 || EVP_PKEY_derive(pctx, NULL, &pmslen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE, + ERR_R_INTERNAL_ERROR); goto err; } pms = OPENSSL_malloc(pmslen); - if (pms == NULL) + if (pms == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE, + ERR_R_MALLOC_FAILURE); goto err; + } - if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0) + if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE, + ERR_R_INTERNAL_ERROR); goto err; + } - if (s->server) { - /* For server generate master secret and discard premaster */ - rv = ssl_generate_master_secret(s, pms, pmslen, 1); - pms = NULL; + if (gensecret) { + /* SSLfatal() called as appropriate in the below functions */ + if (SSL_IS_TLS13(s)) { + /* + * If we are resuming then we already generated the early secret + * when we created the ClientHello, so don't recreate it. + */ + if (!s->hit) + rv = tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, + 0, + (unsigned char *)&s->early_secret); + else + rv = 1; + + rv = rv && tls13_generate_handshake_secret(s, pms, pmslen); + } else { + rv = ssl_generate_master_secret(s, pms, pmslen, 0); + } } else { - /* For client just save premaster secret */ + /* Save premaster secret */ s->s3->tmp.pms = pms; s->s3->tmp.pmslen = pmslen; pms = NULL; diff --git a/deps/openssl/openssl/ssl/s3_msg.c b/deps/openssl/openssl/ssl/s3_msg.c index 4961cc88da..42382547fb 100644 --- a/deps/openssl/openssl/ssl/s3_msg.c +++ b/deps/openssl/openssl/ssl/s3_msg.c @@ -7,7 +7,6 @@ * https://www.openssl.org/source/license.html */ -#define USE_SOCKETS #include "ssl_locl.h" int ssl3_do_change_cipher_spec(SSL *s) @@ -23,16 +22,16 @@ int ssl3_do_change_cipher_spec(SSL *s) if (s->session == NULL || s->session->master_key_length == 0) { /* might happen if dtls1_read_bytes() calls this */ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY); - return (0); + return 0; } s->session->cipher = s->s3->tmp.new_cipher; if (!s->method->ssl3_enc->setup_key_block(s)) - return (0); + return 0; } if (!s->method->ssl3_enc->change_cipher_state(s, i)) - return (0); + return 0; return 1; } @@ -40,7 +39,10 @@ int ssl3_do_change_cipher_spec(SSL *s) int ssl3_send_alert(SSL *s, int level, int desc) { /* Map tls/ssl alert value to correct one */ - desc = s->method->ssl3_enc->alert_value(desc); + if (SSL_TREAT_AS_TLS13(s)) + desc = tls13_alert_code(desc); + else + desc = s->method->ssl3_enc->alert_value(desc); if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION) desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have * protocol_version alerts */ @@ -67,22 +69,22 @@ int ssl3_send_alert(SSL *s, int level, int desc) int ssl3_dispatch_alert(SSL *s) { int i, j; - unsigned int alertlen; + size_t alertlen; void (*cb) (const SSL *ssl, int type, int val) = NULL; + size_t written; s->s3->alert_dispatch = 0; alertlen = 2; - i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], &alertlen, 1, 0); + i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], &alertlen, 1, 0, + &written); if (i <= 0) { s->s3->alert_dispatch = 1; } else { /* - * Alert sent to BIO. If it is important, flush it now. If the - * message does not get sent due to non-blocking IO, we will not - * worry too much. + * Alert sent to BIO - now flush. If the message does not get sent due + * to non-blocking IO, we will not worry too much. */ - if (s->s3->send_alert[0] == SSL3_AL_FATAL) - (void)BIO_flush(s->wbio); + (void)BIO_flush(s->wbio); if (s->msg_callback) s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, @@ -98,5 +100,5 @@ int ssl3_dispatch_alert(SSL *s) cb(s, SSL_CB_WRITE_ALERT, j); } } - return (i); + return i; } diff --git a/deps/openssl/openssl/ssl/ssl_asn1.c b/deps/openssl/openssl/ssl/ssl_asn1.c index 3e9c1c4f2a..b56c5e96c5 100644 --- a/deps/openssl/openssl/ssl/ssl_asn1.c +++ b/deps/openssl/openssl/ssl/ssl_asn1.c @@ -1,5 +1,6 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,37 +8,10 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include <stdio.h> #include <stdlib.h> #include "ssl_locl.h" -#include "internal/asn1t.h" +#include <openssl/asn1t.h> #include <openssl/x509.h> typedef struct { @@ -54,7 +28,8 @@ typedef struct { ASN1_OCTET_STRING *session_id_context; int32_t verify_result; ASN1_OCTET_STRING *tlsext_hostname; - int64_t tlsext_tick_lifetime_hint; + uint64_t tlsext_tick_lifetime_hint; + uint32_t tlsext_tick_age_add; ASN1_OCTET_STRING *tlsext_tick; #ifndef OPENSSL_NO_PSK ASN1_OCTET_STRING *psk_identity_hint; @@ -64,6 +39,10 @@ typedef struct { ASN1_OCTET_STRING *srp_username; #endif uint64_t flags; + uint32_t max_early_data; + ASN1_OCTET_STRING *alpn_selected; + uint32_t tlsext_max_fragment_len_mode; + ASN1_OCTET_STRING *ticket_appdata; } SSL_SESSION_ASN1; ASN1_SEQUENCE(SSL_SESSION_ASN1) = { @@ -89,7 +68,12 @@ ASN1_SEQUENCE(SSL_SESSION_ASN1) = { #ifndef OPENSSL_NO_SRP ASN1_EXP_OPT(SSL_SESSION_ASN1, srp_username, ASN1_OCTET_STRING, 12), #endif - ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, flags, ZUINT64, 13) + ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, flags, ZUINT64, 13), + ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, tlsext_tick_age_add, ZUINT32, 14), + ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, max_early_data, ZUINT32, 15), + ASN1_EXP_OPT(SSL_SESSION_ASN1, alpn_selected, ASN1_OCTET_STRING, 16), + ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, tlsext_max_fragment_len_mode, ZUINT32, 17), + ASN1_EXP_OPT(SSL_SESSION_ASN1, ticket_appdata, ASN1_OCTET_STRING, 18) } static_ASN1_SEQUENCE_END(SSL_SESSION_ASN1) IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(SSL_SESSION_ASN1) @@ -102,7 +86,7 @@ static void ssl_session_oinit(ASN1_OCTET_STRING **dest, ASN1_OCTET_STRING *os, unsigned char *data, size_t len) { os->data = data; - os->length = len; + os->length = (int)len; os->flags = 0; *dest = os; } @@ -130,16 +114,15 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) ASN1_OCTET_STRING comp_id; unsigned char comp_id_data; #endif - ASN1_OCTET_STRING tlsext_hostname, tlsext_tick; - #ifndef OPENSSL_NO_SRP ASN1_OCTET_STRING srp_username; #endif - #ifndef OPENSSL_NO_PSK ASN1_OCTET_STRING psk_identity, psk_identity_hint; #endif + ASN1_OCTET_STRING alpn_selected; + ASN1_OCTET_STRING ticket_appdata; long l; @@ -183,13 +166,14 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) as.peer = in->peer; ssl_session_sinit(&as.tlsext_hostname, &tlsext_hostname, - in->tlsext_hostname); - if (in->tlsext_tick) { + in->ext.hostname); + if (in->ext.tick) { ssl_session_oinit(&as.tlsext_tick, &tlsext_tick, - in->tlsext_tick, in->tlsext_ticklen); + in->ext.tick, in->ext.ticklen); } - if (in->tlsext_tick_lifetime_hint > 0) - as.tlsext_tick_lifetime_hint = in->tlsext_tick_lifetime_hint; + if (in->ext.tick_lifetime_hint > 0) + as.tlsext_tick_lifetime_hint = in->ext.tick_lifetime_hint; + as.tlsext_tick_age_add = in->ext.tick_age_add; #ifndef OPENSSL_NO_PSK ssl_session_sinit(&as.psk_identity_hint, &psk_identity_hint, in->psk_identity_hint); @@ -200,6 +184,21 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) #endif /* OPENSSL_NO_SRP */ as.flags = in->flags; + as.max_early_data = in->ext.max_early_data; + + if (in->ext.alpn_selected == NULL) + as.alpn_selected = NULL; + else + ssl_session_oinit(&as.alpn_selected, &alpn_selected, + in->ext.alpn_selected, in->ext.alpn_selected_len); + + as.tlsext_max_fragment_len_mode = in->ext.max_fragment_len_mode; + + if (in->ticket_appdata == NULL) + as.ticket_appdata = NULL; + else + ssl_session_oinit(&as.ticket_appdata, &ticket_appdata, + in->ticket_appdata, in->ticket_appdata_len); return i2d_SSL_SESSION_ASN1(&as, pp); @@ -223,14 +222,14 @@ static int ssl_session_strndup(char **pdst, ASN1_OCTET_STRING *src) /* Copy an OCTET STRING, return error if it exceeds maximum length */ -static int ssl_session_memcpy(unsigned char *dst, unsigned int *pdstlen, - ASN1_OCTET_STRING *src, int maxlen) +static int ssl_session_memcpy(unsigned char *dst, size_t *pdstlen, + ASN1_OCTET_STRING *src, size_t maxlen) { if (src == NULL) { *pdstlen = 0; return 1; } - if (src->length > maxlen) + if (src->length < 0 || src->length > (int)maxlen) return 0; memcpy(dst, src->data, src->length); *pdstlen = src->length; @@ -241,7 +240,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) { long id; - unsigned int tmpl; + size_t tmpl; const unsigned char *p = *pp; SSL_SESSION_ASN1 *as = NULL; SSL_SESSION *ret = NULL; @@ -281,26 +280,28 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, id = 0x03000000L | ((unsigned long)as->cipher->data[0] << 8L) | (unsigned long)as->cipher->data[1]; - ret->cipher = NULL; ret->cipher_id = id; + ret->cipher = ssl3_get_cipher_by_id(id); + if (ret->cipher == NULL) + goto err; if (!ssl_session_memcpy(ret->session_id, &ret->session_id_length, as->session_id, SSL3_MAX_SSL_SESSION_ID_LENGTH)) goto err; if (!ssl_session_memcpy(ret->master_key, &tmpl, - as->master_key, SSL_MAX_MASTER_KEY_LENGTH)) + as->master_key, TLS13_MAX_RESUMPTION_PSK_LENGTH)) goto err; ret->master_key_length = tmpl; if (as->time != 0) - ret->time = as->time; + ret->time = (long)as->time; else - ret->time = (unsigned long)time(NULL); + ret->time = (long)time(NULL); if (as->timeout != 0) - ret->timeout = as->timeout; + ret->timeout = (long)as->timeout; else ret->timeout = 3; @@ -315,7 +316,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, /* NB: this defaults to zero which is X509_V_OK */ ret->verify_result = as->verify_result; - if (!ssl_session_strndup(&ret->tlsext_hostname, as->tlsext_hostname)) + if (!ssl_session_strndup(&ret->ext.hostname, as->tlsext_hostname)) goto err; #ifndef OPENSSL_NO_PSK @@ -325,13 +326,15 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, goto err; #endif - ret->tlsext_tick_lifetime_hint = as->tlsext_tick_lifetime_hint; - if (as->tlsext_tick) { - ret->tlsext_tick = as->tlsext_tick->data; - ret->tlsext_ticklen = as->tlsext_tick->length; + ret->ext.tick_lifetime_hint = (unsigned long)as->tlsext_tick_lifetime_hint; + ret->ext.tick_age_add = as->tlsext_tick_age_add; + OPENSSL_free(ret->ext.tick); + if (as->tlsext_tick != NULL) { + ret->ext.tick = as->tlsext_tick->data; + ret->ext.ticklen = as->tlsext_tick->length; as->tlsext_tick->data = NULL; } else { - ret->tlsext_tick = NULL; + ret->ext.tick = NULL; } #ifndef OPENSSL_NO_COMP if (as->comp_id) { @@ -350,7 +353,30 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, goto err; #endif /* OPENSSL_NO_SRP */ /* Flags defaults to zero which is fine */ - ret->flags = as->flags; + ret->flags = (int32_t)as->flags; + ret->ext.max_early_data = as->max_early_data; + + OPENSSL_free(ret->ext.alpn_selected); + if (as->alpn_selected != NULL) { + ret->ext.alpn_selected = as->alpn_selected->data; + ret->ext.alpn_selected_len = as->alpn_selected->length; + as->alpn_selected->data = NULL; + } else { + ret->ext.alpn_selected = NULL; + ret->ext.alpn_selected_len = 0; + } + + ret->ext.max_fragment_len_mode = as->tlsext_max_fragment_len_mode; + + OPENSSL_free(ret->ticket_appdata); + if (as->ticket_appdata != NULL) { + ret->ticket_appdata = as->ticket_appdata->data; + ret->ticket_appdata_len = as->ticket_appdata->length; + as->ticket_appdata->data = NULL; + } else { + ret->ticket_appdata = NULL; + ret->ticket_appdata_len = 0; + } M_ASN1_free_of(as, SSL_SESSION_ASN1); diff --git a/deps/openssl/openssl/ssl/ssl_cert.c b/deps/openssl/openssl/ssl/ssl_cert.c index deaaeb0936..3314507896 100644 --- a/deps/openssl/openssl/ssl/ssl_cert.c +++ b/deps/openssl/openssl/ssl/ssl_cert.c @@ -1,5 +1,6 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,25 +8,20 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ - #include <stdio.h> #include <sys/types.h> -#include "e_os.h" +#include "internal/nelem.h" #include "internal/o_dir.h" -#include <openssl/lhash.h> #include <openssl/bio.h> #include <openssl/pem.h> #include <openssl/x509v3.h> #include <openssl/dh.h> #include <openssl/bn.h> #include <openssl/crypto.h> +#include "internal/refcount.h" #include "ssl_locl.h" +#include "ssl_cert_table.h" #include "internal/thread_once.h" static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, @@ -60,7 +56,7 @@ CERT *ssl_cert_new(void) return NULL; } - ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]); + ret->key = &(ret->pkeys[SSL_PKEY_RSA]); ret->references = 1; ret->sec_cb = ssl_security_default_callback; ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL; @@ -138,32 +134,34 @@ CERT *ssl_cert_dup(CERT *cert) /* Configured sigalgs copied across */ if (cert->conf_sigalgs) { - ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen); + ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen + * sizeof(*cert->conf_sigalgs)); if (ret->conf_sigalgs == NULL) goto err; - memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen); + memcpy(ret->conf_sigalgs, cert->conf_sigalgs, + cert->conf_sigalgslen * sizeof(*cert->conf_sigalgs)); ret->conf_sigalgslen = cert->conf_sigalgslen; } else ret->conf_sigalgs = NULL; if (cert->client_sigalgs) { - ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen); + ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen + * sizeof(*cert->client_sigalgs)); if (ret->client_sigalgs == NULL) goto err; memcpy(ret->client_sigalgs, cert->client_sigalgs, - cert->client_sigalgslen); + cert->client_sigalgslen * sizeof(*cert->client_sigalgs)); ret->client_sigalgslen = cert->client_sigalgslen; } else ret->client_sigalgs = NULL; /* Shared sigalgs also NULL */ ret->shared_sigalgs = NULL; /* Copy any custom client certificate types */ - if (cert->ctypes) { - ret->ctypes = OPENSSL_malloc(cert->ctype_num); - if (ret->ctypes == NULL) + if (cert->ctype) { + ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len); + if (ret->ctype == NULL) goto err; - memcpy(ret->ctypes, cert->ctypes, cert->ctype_num); - ret->ctype_num = cert->ctype_num; + ret->ctype_len = cert->ctype_len; } ret->cert_flags = cert->cert_flags; @@ -185,9 +183,7 @@ CERT *ssl_cert_dup(CERT *cert) ret->sec_level = cert->sec_level; ret->sec_ex = cert->sec_ex; - if (!custom_exts_copy(&ret->cli_ext, &cert->cli_ext)) - goto err; - if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext)) + if (!custom_exts_copy(&ret->custext, &cert->custext)) goto err; #ifndef OPENSSL_NO_PSK if (cert->psk_identity_hint) { @@ -231,8 +227,7 @@ void ssl_cert_free(CERT *c) if (c == NULL) return; - - CRYPTO_atomic_add(&c->references, -1, &i, c->lock); + CRYPTO_DOWN_REF(&c->references, &i, c->lock); REF_PRINT_COUNT("CERT", c); if (i > 0) return; @@ -246,11 +241,10 @@ void ssl_cert_free(CERT *c) OPENSSL_free(c->conf_sigalgs); OPENSSL_free(c->client_sigalgs); OPENSSL_free(c->shared_sigalgs); - OPENSSL_free(c->ctypes); + OPENSSL_free(c->ctype); X509_STORE_free(c->verify_store); X509_STORE_free(c->chain_store); - custom_exts_free(&c->cli_ext); - custom_exts_free(&c->srv_ext); + custom_exts_free(&c->custext); #ifndef OPENSSL_NO_PSK OPENSSL_free(c->psk_identity_hint); #endif @@ -454,102 +448,155 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) return i; } -static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list, - STACK_OF(X509_NAME) *name_list) +static void set0_CA_list(STACK_OF(X509_NAME) **ca_list, + STACK_OF(X509_NAME) *name_list) { sk_X509_NAME_pop_free(*ca_list, X509_NAME_free); *ca_list = name_list; } -STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) +STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk) { int i; + const int num = sk_X509_NAME_num(sk); STACK_OF(X509_NAME) *ret; X509_NAME *name; - ret = sk_X509_NAME_new_null(); + ret = sk_X509_NAME_new_reserve(NULL, num); if (ret == NULL) { SSLerr(SSL_F_SSL_DUP_CA_LIST, ERR_R_MALLOC_FAILURE); return NULL; } - for (i = 0; i < sk_X509_NAME_num(sk); i++) { + for (i = 0; i < num; i++) { name = X509_NAME_dup(sk_X509_NAME_value(sk, i)); - if (name == NULL || !sk_X509_NAME_push(ret, name)) { + if (name == NULL) { + SSLerr(SSL_F_SSL_DUP_CA_LIST, ERR_R_MALLOC_FAILURE); sk_X509_NAME_pop_free(ret, X509_NAME_free); - X509_NAME_free(name); return NULL; } + sk_X509_NAME_push(ret, name); /* Cannot fail after reserve call */ } - return (ret); + return ret; } -void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) +void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) +{ + set0_CA_list(&s->ca_names, name_list); +} + +void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) +{ + set0_CA_list(&ctx->ca_names, name_list); +} + +const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx) { - set_client_CA_list(&(s->client_CA), name_list); + return ctx->ca_names; +} + +const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s) +{ + return s->ca_names != NULL ? s->ca_names : s->ctx->ca_names; } void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) { - set_client_CA_list(&(ctx->client_CA), name_list); + set0_CA_list(&ctx->client_ca_names, name_list); } STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) { - return (ctx->client_CA); + return ctx->client_ca_names; +} + +void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) +{ + set0_CA_list(&s->client_ca_names, name_list); +} + +const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s) +{ + return s->s3 != NULL ? s->s3->tmp.peer_ca_names : NULL; } STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s) { - if (!s->server) { /* we are in the client */ - if (((s->version >> 8) == SSL3_VERSION_MAJOR) && (s->s3 != NULL)) - return (s->s3->tmp.ca_names); - else - return (NULL); - } else { - if (s->client_CA != NULL) - return (s->client_CA); - else - return (s->ctx->client_CA); - } + if (!s->server) + return s->s3 != NULL ? s->s3->tmp.peer_ca_names : NULL; + return s->client_ca_names != NULL ? s->client_ca_names + : s->ctx->client_ca_names; } -static int add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x) +static int add_ca_name(STACK_OF(X509_NAME) **sk, const X509 *x) { X509_NAME *name; if (x == NULL) - return (0); - if ((*sk == NULL) && ((*sk = sk_X509_NAME_new_null()) == NULL)) - return (0); + return 0; + if (*sk == NULL && ((*sk = sk_X509_NAME_new_null()) == NULL)) + return 0; if ((name = X509_NAME_dup(X509_get_subject_name(x))) == NULL) - return (0); + return 0; if (!sk_X509_NAME_push(*sk, name)) { X509_NAME_free(name); - return (0); + return 0; } - return (1); + return 1; +} + +int SSL_add1_to_CA_list(SSL *ssl, const X509 *x) +{ + return add_ca_name(&ssl->ca_names, x); +} + +int SSL_CTX_add1_to_CA_list(SSL_CTX *ctx, const X509 *x) +{ + return add_ca_name(&ctx->ca_names, x); } +/* + * The following two are older names are to be replaced with + * SSL(_CTX)_add1_to_CA_list + */ int SSL_add_client_CA(SSL *ssl, X509 *x) { - return (add_client_CA(&(ssl->client_CA), x)); + return add_ca_name(&ssl->client_ca_names, x); } int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) { - return (add_client_CA(&(ctx->client_CA), x)); + return add_ca_name(&ctx->client_ca_names, x); } -static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b) +static int xname_cmp(const X509_NAME *a, const X509_NAME *b) { - return (X509_NAME_cmp(*a, *b)); + unsigned char *abuf = NULL, *bbuf = NULL; + int alen, blen, ret; + + /* X509_NAME_cmp() itself casts away constness in this way, so + * assume it's safe: + */ + alen = i2d_X509_NAME((X509_NAME *)a, &abuf); + blen = i2d_X509_NAME((X509_NAME *)b, &bbuf); + + if (alen < 0 || blen < 0) + ret = -2; + else if (alen != blen) + ret = alen - blen; + else /* alen == blen */ + ret = memcmp(abuf, bbuf, alen); + + OPENSSL_free(abuf); + OPENSSL_free(bbuf); + + return ret; } -static int xname_cmp(const X509_NAME *a, const X509_NAME *b) +static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b) { - return X509_NAME_cmp(a, b); + return xname_cmp(*a, *b); } static unsigned long xname_hash(const X509_NAME *a) @@ -619,7 +666,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) lh_X509_NAME_free(name_hash); if (ret != NULL) ERR_clear_error(); - return (ret); + return ret; } /** @@ -737,128 +784,6 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, return ret; } -/* Add a certificate to a BUF_MEM structure */ - -static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) -{ - int n; - unsigned char *p; - - n = i2d_X509(x, NULL); - if (n < 0 || !BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) { - SSLerr(SSL_F_SSL_ADD_CERT_TO_BUF, ERR_R_BUF_LIB); - return 0; - } - p = (unsigned char *)&(buf->data[*l]); - l2n3(n, p); - n = i2d_X509(x, &p); - if (n < 0) { - /* Shouldn't happen */ - SSLerr(SSL_F_SSL_ADD_CERT_TO_BUF, ERR_R_BUF_LIB); - return 0; - } - *l += n + 3; - - return 1; -} - -/* Add certificate chain to internal SSL BUF_MEM structure */ -int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l) -{ - BUF_MEM *buf = s->init_buf; - int i, chain_count; - X509 *x; - STACK_OF(X509) *extra_certs; - STACK_OF(X509) *chain = NULL; - X509_STORE *chain_store; - - /* TLSv1 sends a chain with nothing in it, instead of an alert */ - if (!BUF_MEM_grow_clean(buf, 10)) { - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_BUF_LIB); - return 0; - } - - if (!cpk || !cpk->x509) - return 1; - - x = cpk->x509; - - /* - * If we have a certificate specific chain use it, else use parent ctx. - */ - if (cpk->chain) - extra_certs = cpk->chain; - else - extra_certs = s->ctx->extra_certs; - - if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs) - chain_store = NULL; - else if (s->cert->chain_store) - chain_store = s->cert->chain_store; - else - chain_store = s->ctx->cert_store; - - if (chain_store) { - X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new(); - - if (xs_ctx == NULL) { - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_MALLOC_FAILURE); - return (0); - } - if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) { - X509_STORE_CTX_free(xs_ctx); - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB); - return (0); - } - /* - * It is valid for the chain not to be complete (because normally we - * don't include the root cert in the chain). Therefore we deliberately - * ignore the error return from this call. We're not actually verifying - * the cert - we're just building as much of the chain as we can - */ - (void)X509_verify_cert(xs_ctx); - /* Don't leave errors in the queue */ - ERR_clear_error(); - chain = X509_STORE_CTX_get0_chain(xs_ctx); - i = ssl_security_cert_chain(s, chain, NULL, 0); - if (i != 1) { -#if 0 - /* Dummy error calls so mkerr generates them */ - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL); - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL); - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK); -#endif - X509_STORE_CTX_free(xs_ctx); - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, i); - return 0; - } - chain_count = sk_X509_num(chain); - for (i = 0; i < chain_count; i++) { - x = sk_X509_value(chain, i); - - if (!ssl_add_cert_to_buf(buf, l, x)) { - X509_STORE_CTX_free(xs_ctx); - return 0; - } - } - X509_STORE_CTX_free(xs_ctx); - } else { - i = ssl_security_cert_chain(s, extra_certs, x, 0); - if (i != 1) { - SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, i); - return 0; - } - if (!ssl_add_cert_to_buf(buf, l, x)) - return 0; - for (i = 0; i < sk_X509_num(extra_certs); i++) { - x = sk_X509_value(extra_certs, i); - if (!ssl_add_cert_to_buf(buf, l, x)) - return 0; - } - } - return 1; -} - /* Build a certificate chain for current certificate */ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags) { @@ -869,7 +794,6 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags) STACK_OF(X509) *chain = NULL, *untrusted = NULL; X509 *x; int i, rv = 0; - unsigned long error; if (!cpk->x509) { SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, SSL_R_NO_CERTIFICATE_SET); @@ -882,22 +806,12 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags) goto err; for (i = 0; i < sk_X509_num(cpk->chain); i++) { x = sk_X509_value(cpk->chain, i); - if (!X509_STORE_add_cert(chain_store, x)) { - error = ERR_peek_last_error(); - if (ERR_GET_LIB(error) != ERR_LIB_X509 || - ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) - goto err; - ERR_clear_error(); - } - } - /* Add EE cert too: it might be self signed */ - if (!X509_STORE_add_cert(chain_store, cpk->x509)) { - error = ERR_peek_last_error(); - if (ERR_GET_LIB(error) != ERR_LIB_X509 || - ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) + if (!X509_STORE_add_cert(chain_store, x)) goto err; - ERR_clear_error(); } + /* Add EE cert too: it might be self signed */ + if (!X509_STORE_add_cert(chain_store, cpk->x509)) + goto err; } else { if (c->chain_store) chain_store = c->chain_store; @@ -1038,7 +952,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, if (level >= 2 && c->algorithm_enc == SSL_RC4) return 0; /* Level 3: forward secure ciphersuites only */ - if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))) + if (level >= 3 && c->min_tls != TLS1_3_VERSION && + !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))) return 0; break; } @@ -1085,3 +1000,41 @@ int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other) return ctx->cert->sec_cb(NULL, ctx, op, bits, nid, other, ctx->cert->sec_ex); } + +int ssl_cert_lookup_by_nid(int nid, size_t *pidx) +{ + size_t i; + + for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) { + if (ssl_cert_info[i].nid == nid) { + *pidx = i; + return 1; + } + } + + return 0; +} + +const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx) +{ + int nid = EVP_PKEY_id(pk); + size_t tmpidx; + + if (nid == NID_undef) + return NULL; + + if (!ssl_cert_lookup_by_nid(nid, &tmpidx)) + return NULL; + + if (pidx != NULL) + *pidx = tmpidx; + + return &ssl_cert_info[tmpidx]; +} + +const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx) +{ + if (idx >= OSSL_NELEM(ssl_cert_info)) + return NULL; + return &ssl_cert_info[idx]; +} diff --git a/deps/openssl/openssl/ssl/ssl_cert_table.h b/deps/openssl/openssl/ssl/ssl_cert_table.h new file mode 100644 index 0000000000..0c47241c02 --- /dev/null +++ b/deps/openssl/openssl/ssl/ssl_cert_table.h @@ -0,0 +1,23 @@ +/* + * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Certificate table information. NB: table entries must match SSL_PKEY indices + */ +static const SSL_CERT_LOOKUP ssl_cert_info [] = { + {EVP_PKEY_RSA, SSL_aRSA}, /* SSL_PKEY_RSA */ + {EVP_PKEY_RSA_PSS, SSL_aRSA}, /* SSL_PKEY_RSA_PSS_SIGN */ + {EVP_PKEY_DSA, SSL_aDSS}, /* SSL_PKEY_DSA_SIGN */ + {EVP_PKEY_EC, SSL_aECDSA}, /* SSL_PKEY_ECC */ + {NID_id_GostR3410_2001, SSL_aGOST01}, /* SSL_PKEY_GOST01 */ + {NID_id_GostR3410_2012_256, SSL_aGOST12}, /* SSL_PKEY_GOST12_256 */ + {NID_id_GostR3410_2012_512, SSL_aGOST12}, /* SSL_PKEY_GOST12_512 */ + {EVP_PKEY_ED25519, SSL_aECDSA}, /* SSL_PKEY_ED25519 */ + {EVP_PKEY_ED448, SSL_aECDSA} /* SSL_PKEY_ED448 */ +}; diff --git a/deps/openssl/openssl/ssl/ssl_ciph.c b/deps/openssl/openssl/ssl/ssl_ciph.c index b8da982105..14066d0ea4 100644 --- a/deps/openssl/openssl/ssl/ssl_ciph.c +++ b/deps/openssl/openssl/ssl/ssl_ciph.c @@ -1,5 +1,7 @@ /* * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,46 +9,17 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include <stdio.h> #include <ctype.h> #include <openssl/objects.h> #include <openssl/comp.h> #include <openssl/engine.h> #include <openssl/crypto.h> +#include <openssl/conf.h> +#include "internal/nelem.h" #include "ssl_locl.h" #include "internal/thread_once.h" +#include "internal/cryptlib.h" #define SSL_ENC_DES_IDX 0 #define SSL_ENC_3DES_IDX 1 @@ -68,7 +41,9 @@ #define SSL_ENC_AES256CCM8_IDX 17 #define SSL_ENC_GOST8912_IDX 18 #define SSL_ENC_CHACHA_IDX 19 -#define SSL_ENC_NUM_IDX 20 +#define SSL_ENC_ARIA128GCM_IDX 20 +#define SSL_ENC_ARIA256GCM_IDX 21 +#define SSL_ENC_NUM_IDX 22 /* NB: make sure indices in these tables match values above */ @@ -97,8 +72,10 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = { {SSL_AES256CCM, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM_IDX 15 */ {SSL_AES128CCM8, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM8_IDX 16 */ {SSL_AES256CCM8, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM8_IDX 17 */ - {SSL_eGOST2814789CNT12, NID_gost89_cnt_12}, /* SSL_ENC_GOST8912_IDX */ - {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, + {SSL_eGOST2814789CNT12, NID_gost89_cnt_12}, /* SSL_ENC_GOST8912_IDX 18 */ + {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */ + {SSL_ARIA128GCM, NID_aria_128_gcm}, /* SSL_ENC_ARIA128GCM_IDX 20 */ + {SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */ }; static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]; @@ -150,7 +127,8 @@ static const ssl_cipher_table ssl_cipher_table_kx[] = { {SSL_kRSAPSK, NID_kx_rsa_psk}, {SSL_kPSK, NID_kx_psk}, {SSL_kSRP, NID_kx_srp}, - {SSL_kGOST, NID_kx_gost} + {SSL_kGOST, NID_kx_gost}, + {SSL_kANY, NID_kx_any} }; static const ssl_cipher_table ssl_cipher_table_auth[] = { @@ -161,7 +139,8 @@ static const ssl_cipher_table ssl_cipher_table_auth[] = { {SSL_aGOST01, NID_auth_gost01}, {SSL_aGOST12, NID_auth_gost12}, {SSL_aSRP, NID_auth_srp}, - {SSL_aNULL, NID_auth_null} + {SSL_aNULL, NID_auth_null}, + {SSL_aANY, NID_auth_any} }; /* *INDENT-ON* */ @@ -172,7 +151,7 @@ static int ssl_cipher_info_find(const ssl_cipher_table * table, size_t i; for (i = 0; i < table_cnt; i++, table++) { if (table->mask == mask) - return i; + return (int)i; } return -1; } @@ -194,7 +173,7 @@ static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = { EVP_PKEY_HMAC, }; -static int ssl_mac_secret_size[SSL_MD_NUM_IDX]; +static size_t ssl_mac_secret_size[SSL_MD_NUM_IDX]; #define CIPHER_ADD 1 #define CIPHER_KILL 2 @@ -216,112 +195,117 @@ typedef struct cipher_order_st { static const SSL_CIPHER cipher_aliases[] = { /* "ALL" doesn't include eNULL (must be specifically enabled) */ - {0, SSL_TXT_ALL, 0, 0, 0, ~SSL_eNULL}, + {0, SSL_TXT_ALL, NULL, 0, 0, 0, ~SSL_eNULL}, /* "COMPLEMENTOFALL" */ - {0, SSL_TXT_CMPALL, 0, 0, 0, SSL_eNULL}, + {0, SSL_TXT_CMPALL, NULL, 0, 0, 0, SSL_eNULL}, /* * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in * ALL!) */ - {0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT}, + {0, SSL_TXT_CMPDEF, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT}, /* * key exchange aliases (some of those using only a single bit here * combine multiple key exchange algs according to the RFCs, e.g. kDHE * combines DHE_DSS and DHE_RSA) */ - {0, SSL_TXT_kRSA, 0, SSL_kRSA}, + {0, SSL_TXT_kRSA, NULL, 0, SSL_kRSA}, - {0, SSL_TXT_kEDH, 0, SSL_kDHE}, - {0, SSL_TXT_kDHE, 0, SSL_kDHE}, - {0, SSL_TXT_DH, 0, SSL_kDHE}, + {0, SSL_TXT_kEDH, NULL, 0, SSL_kDHE}, + {0, SSL_TXT_kDHE, NULL, 0, SSL_kDHE}, + {0, SSL_TXT_DH, NULL, 0, SSL_kDHE}, - {0, SSL_TXT_kEECDH, 0, SSL_kECDHE}, - {0, SSL_TXT_kECDHE, 0, SSL_kECDHE}, - {0, SSL_TXT_ECDH, 0, SSL_kECDHE}, + {0, SSL_TXT_kEECDH, NULL, 0, SSL_kECDHE}, + {0, SSL_TXT_kECDHE, NULL, 0, SSL_kECDHE}, + {0, SSL_TXT_ECDH, NULL, 0, SSL_kECDHE}, - {0, SSL_TXT_kPSK, 0, SSL_kPSK}, - {0, SSL_TXT_kRSAPSK, 0, SSL_kRSAPSK}, - {0, SSL_TXT_kECDHEPSK, 0, SSL_kECDHEPSK}, - {0, SSL_TXT_kDHEPSK, 0, SSL_kDHEPSK}, - {0, SSL_TXT_kSRP, 0, SSL_kSRP}, - {0, SSL_TXT_kGOST, 0, SSL_kGOST}, + {0, SSL_TXT_kPSK, NULL, 0, SSL_kPSK}, + {0, SSL_TXT_kRSAPSK, NULL, 0, SSL_kRSAPSK}, + {0, SSL_TXT_kECDHEPSK, NULL, 0, SSL_kECDHEPSK}, + {0, SSL_TXT_kDHEPSK, NULL, 0, SSL_kDHEPSK}, + {0, SSL_TXT_kSRP, NULL, 0, SSL_kSRP}, + {0, SSL_TXT_kGOST, NULL, 0, SSL_kGOST}, /* server authentication aliases */ - {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA}, - {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS}, - {0, SSL_TXT_DSS, 0, 0, SSL_aDSS}, - {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL}, - {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA}, - {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA}, - {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK}, - {0, SSL_TXT_aGOST01, 0, 0, SSL_aGOST01}, - {0, SSL_TXT_aGOST12, 0, 0, SSL_aGOST12}, - {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST01 | SSL_aGOST12}, - {0, SSL_TXT_aSRP, 0, 0, SSL_aSRP}, + {0, SSL_TXT_aRSA, NULL, 0, 0, SSL_aRSA}, + {0, SSL_TXT_aDSS, NULL, 0, 0, SSL_aDSS}, + {0, SSL_TXT_DSS, NULL, 0, 0, SSL_aDSS}, + {0, SSL_TXT_aNULL, NULL, 0, 0, SSL_aNULL}, + {0, SSL_TXT_aECDSA, NULL, 0, 0, SSL_aECDSA}, + {0, SSL_TXT_ECDSA, NULL, 0, 0, SSL_aECDSA}, + {0, SSL_TXT_aPSK, NULL, 0, 0, SSL_aPSK}, + {0, SSL_TXT_aGOST01, NULL, 0, 0, SSL_aGOST01}, + {0, SSL_TXT_aGOST12, NULL, 0, 0, SSL_aGOST12}, + {0, SSL_TXT_aGOST, NULL, 0, 0, SSL_aGOST01 | SSL_aGOST12}, + {0, SSL_TXT_aSRP, NULL, 0, 0, SSL_aSRP}, /* aliases combining key exchange and server authentication */ - {0, SSL_TXT_EDH, 0, SSL_kDHE, ~SSL_aNULL}, - {0, SSL_TXT_DHE, 0, SSL_kDHE, ~SSL_aNULL}, - {0, SSL_TXT_EECDH, 0, SSL_kECDHE, ~SSL_aNULL}, - {0, SSL_TXT_ECDHE, 0, SSL_kECDHE, ~SSL_aNULL}, - {0, SSL_TXT_NULL, 0, 0, 0, SSL_eNULL}, - {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA}, - {0, SSL_TXT_ADH, 0, SSL_kDHE, SSL_aNULL}, - {0, SSL_TXT_AECDH, 0, SSL_kECDHE, SSL_aNULL}, - {0, SSL_TXT_PSK, 0, SSL_PSK}, - {0, SSL_TXT_SRP, 0, SSL_kSRP}, + {0, SSL_TXT_EDH, NULL, 0, SSL_kDHE, ~SSL_aNULL}, + {0, SSL_TXT_DHE, NULL, 0, SSL_kDHE, ~SSL_aNULL}, + {0, SSL_TXT_EECDH, NULL, 0, SSL_kECDHE, ~SSL_aNULL}, + {0, SSL_TXT_ECDHE, NULL, 0, SSL_kECDHE, ~SSL_aNULL}, + {0, SSL_TXT_NULL, NULL, 0, 0, 0, SSL_eNULL}, + {0, SSL_TXT_RSA, NULL, 0, SSL_kRSA, SSL_aRSA}, + {0, SSL_TXT_ADH, NULL, 0, SSL_kDHE, SSL_aNULL}, + {0, SSL_TXT_AECDH, NULL, 0, SSL_kECDHE, SSL_aNULL}, + {0, SSL_TXT_PSK, NULL, 0, SSL_PSK}, + {0, SSL_TXT_SRP, NULL, 0, SSL_kSRP}, /* symmetric encryption aliases */ - {0, SSL_TXT_3DES, 0, 0, 0, SSL_3DES}, - {0, SSL_TXT_RC4, 0, 0, 0, SSL_RC4}, - {0, SSL_TXT_RC2, 0, 0, 0, SSL_RC2}, - {0, SSL_TXT_IDEA, 0, 0, 0, SSL_IDEA}, - {0, SSL_TXT_SEED, 0, 0, 0, SSL_SEED}, - {0, SSL_TXT_eNULL, 0, 0, 0, SSL_eNULL}, - {0, SSL_TXT_GOST, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12}, - {0, SSL_TXT_AES128, 0, 0, 0, + {0, SSL_TXT_3DES, NULL, 0, 0, 0, SSL_3DES}, + {0, SSL_TXT_RC4, NULL, 0, 0, 0, SSL_RC4}, + {0, SSL_TXT_RC2, NULL, 0, 0, 0, SSL_RC2}, + {0, SSL_TXT_IDEA, NULL, 0, 0, 0, SSL_IDEA}, + {0, SSL_TXT_SEED, NULL, 0, 0, 0, SSL_SEED}, + {0, SSL_TXT_eNULL, NULL, 0, 0, 0, SSL_eNULL}, + {0, SSL_TXT_GOST, NULL, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12}, + {0, SSL_TXT_AES128, NULL, 0, 0, 0, SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8}, - {0, SSL_TXT_AES256, 0, 0, 0, + {0, SSL_TXT_AES256, NULL, 0, 0, 0, SSL_AES256 | SSL_AES256GCM | SSL_AES256CCM | SSL_AES256CCM8}, - {0, SSL_TXT_AES, 0, 0, 0, SSL_AES}, - {0, SSL_TXT_AES_GCM, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM}, - {0, SSL_TXT_AES_CCM, 0, 0, 0, + {0, SSL_TXT_AES, NULL, 0, 0, 0, SSL_AES}, + {0, SSL_TXT_AES_GCM, NULL, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM}, + {0, SSL_TXT_AES_CCM, NULL, 0, 0, 0, SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8}, - {0, SSL_TXT_AES_CCM_8, 0, 0, 0, SSL_AES128CCM8 | SSL_AES256CCM8}, - {0, SSL_TXT_CAMELLIA128, 0, 0, 0, SSL_CAMELLIA128}, - {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256}, - {0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA}, - {0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20}, + {0, SSL_TXT_AES_CCM_8, NULL, 0, 0, 0, SSL_AES128CCM8 | SSL_AES256CCM8}, + {0, SSL_TXT_CAMELLIA128, NULL, 0, 0, 0, SSL_CAMELLIA128}, + {0, SSL_TXT_CAMELLIA256, NULL, 0, 0, 0, SSL_CAMELLIA256}, + {0, SSL_TXT_CAMELLIA, NULL, 0, 0, 0, SSL_CAMELLIA}, + {0, SSL_TXT_CHACHA20, NULL, 0, 0, 0, SSL_CHACHA20}, + + {0, SSL_TXT_ARIA, NULL, 0, 0, 0, SSL_ARIA}, + {0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM | SSL_ARIA256GCM}, + {0, SSL_TXT_ARIA128, NULL, 0, 0, 0, SSL_ARIA128GCM}, + {0, SSL_TXT_ARIA256, NULL, 0, 0, 0, SSL_ARIA256GCM}, /* MAC aliases */ - {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5}, - {0, SSL_TXT_SHA1, 0, 0, 0, 0, SSL_SHA1}, - {0, SSL_TXT_SHA, 0, 0, 0, 0, SSL_SHA1}, - {0, SSL_TXT_GOST94, 0, 0, 0, 0, SSL_GOST94}, - {0, SSL_TXT_GOST89MAC, 0, 0, 0, 0, SSL_GOST89MAC | SSL_GOST89MAC12}, - {0, SSL_TXT_SHA256, 0, 0, 0, 0, SSL_SHA256}, - {0, SSL_TXT_SHA384, 0, 0, 0, 0, SSL_SHA384}, - {0, SSL_TXT_GOST12, 0, 0, 0, 0, SSL_GOST12_256}, + {0, SSL_TXT_MD5, NULL, 0, 0, 0, 0, SSL_MD5}, + {0, SSL_TXT_SHA1, NULL, 0, 0, 0, 0, SSL_SHA1}, + {0, SSL_TXT_SHA, NULL, 0, 0, 0, 0, SSL_SHA1}, + {0, SSL_TXT_GOST94, NULL, 0, 0, 0, 0, SSL_GOST94}, + {0, SSL_TXT_GOST89MAC, NULL, 0, 0, 0, 0, SSL_GOST89MAC | SSL_GOST89MAC12}, + {0, SSL_TXT_SHA256, NULL, 0, 0, 0, 0, SSL_SHA256}, + {0, SSL_TXT_SHA384, NULL, 0, 0, 0, 0, SSL_SHA384}, + {0, SSL_TXT_GOST12, NULL, 0, 0, 0, 0, SSL_GOST12_256}, /* protocol version aliases */ - {0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL3_VERSION}, - {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, TLS1_VERSION}, - {0, "TLSv1.0", 0, 0, 0, 0, 0, TLS1_VERSION}, - {0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, TLS1_2_VERSION}, + {0, SSL_TXT_SSLV3, NULL, 0, 0, 0, 0, 0, SSL3_VERSION}, + {0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION}, + {0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION}, + {0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION}, /* strength classes */ - {0, SSL_TXT_LOW, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW}, - {0, SSL_TXT_MEDIUM, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_MEDIUM}, - {0, SSL_TXT_HIGH, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_HIGH}, + {0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW}, + {0, SSL_TXT_MEDIUM, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_MEDIUM}, + {0, SSL_TXT_HIGH, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_HIGH}, /* FIPS 140-2 approved ciphersuite */ - {0, SSL_TXT_FIPS, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, SSL_FIPS}, + {0, SSL_TXT_FIPS, NULL, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, SSL_FIPS}, /* "EDH-" aliases to "DHE-" labels (for backward compatibility) */ - {0, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, 0, + {0, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, NULL, 0, SSL_kDHE, SSL_aDSS, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS}, - {0, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 0, + {0, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, NULL, 0, SSL_kDHE, SSL_aRSA, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS}, }; @@ -338,9 +322,8 @@ static int get_optional_pkey_id(const char *pkey_name) int pkey_id = 0; ameth = EVP_PKEY_asn1_find_str(NULL, pkey_name, -1); if (ameth && EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, - ameth) > 0) { + ameth) > 0) return pkey_id; - } return 0; } @@ -369,7 +352,7 @@ static uint32_t disabled_mac_mask; static uint32_t disabled_mkey_mask; static uint32_t disabled_auth_mask; -void ssl_load_ciphers(void) +int ssl_load_ciphers(void) { size_t i; const ssl_cipher_table *t; @@ -386,9 +369,6 @@ void ssl_load_ciphers(void) disabled_enc_mask |= t->mask; } } -#ifdef SSL_FORBID_ENULL - disabled_enc_mask |= SSL_eNULL; -#endif disabled_mac_mask = 0; for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) { const EVP_MD *md = EVP_get_digestbynid(t->nid); @@ -396,13 +376,17 @@ void ssl_load_ciphers(void) if (md == NULL) { disabled_mac_mask |= t->mask; } else { - ssl_mac_secret_size[i] = EVP_MD_size(md); - OPENSSL_assert(ssl_mac_secret_size[i] >= 0); + int tmpsize = EVP_MD_size(md); + if (!ossl_assert(tmpsize >= 0)) + return 0; + ssl_mac_secret_size[i] = tmpsize; } } /* Make sure we can access MD5 and SHA1 */ - OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL); - OPENSSL_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL); + if (!ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL)) + return 0; + if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL)) + return 0; disabled_mkey_mask = 0; disabled_auth_mask = 0; @@ -418,7 +402,7 @@ void ssl_load_ciphers(void) disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK; #endif #ifdef OPENSSL_NO_EC - disabled_mkey_mask |= SSL_kECDHEPSK; + disabled_mkey_mask |= SSL_kECDHE | SSL_kECDHEPSK; disabled_auth_mask |= SSL_aECDSA; #endif #ifdef OPENSSL_NO_PSK @@ -434,19 +418,17 @@ void ssl_load_ciphers(void) * present, disable appropriate auth and key exchange */ ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac"); - if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) { + if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32; - } else { + else disabled_mac_mask |= SSL_GOST89MAC; - } ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] = get_optional_pkey_id("gost-mac-12"); - if (ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX]) { + if (ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX]) ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32; - } else { + else disabled_mac_mask |= SSL_GOST89MAC12; - } if (!get_optional_pkey_id("gost2001")) disabled_auth_mask |= SSL_aGOST01 | SSL_aGOST12; @@ -460,6 +442,8 @@ void ssl_load_ciphers(void) if ((disabled_auth_mask & (SSL_aGOST01 | SSL_aGOST12)) == (SSL_aGOST01 | SSL_aGOST12)) disabled_mkey_mask |= SSL_kGOST; + + return 1; } #ifndef OPENSSL_NO_COMP @@ -499,14 +483,14 @@ static int load_builtin_compressions(void) int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, const EVP_MD **md, int *mac_pkey_type, - int *mac_secret_size, SSL_COMP **comp, int use_etm) + size_t *mac_secret_size, SSL_COMP **comp, int use_etm) { int i; const SSL_CIPHER *c; c = s->cipher; if (c == NULL) - return (0); + return 0; if (comp != NULL) { SSL_COMP ctmp; #ifndef OPENSSL_NO_COMP @@ -521,10 +505,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, ctmp.id = s->compress_meth; if (ssl_comp_methods != NULL) { i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp); - if (i >= 0) - *comp = sk_SSL_COMP_value(ssl_comp_methods, i); - else - *comp = NULL; + *comp = sk_SSL_COMP_value(ssl_comp_methods, i); } /* If were only interested in comp then return success */ if ((enc == NULL) && (md == NULL)) @@ -536,9 +517,9 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc); - if (i == -1) + if (i == -1) { *enc = NULL; - else { + } else { if (i == SSL_ENC_NULL_IDX) *enc = EVP_enc_null(); else @@ -574,9 +555,6 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, s->ssl_version < TLS1_VERSION) return 1; - if (FIPS_mode()) - return 1; - if (c->algorithm_enc == SSL_RC4 && c->algorithm_mac == SSL_MD5 && (evp = EVP_get_cipherbyname("RC4-HMAC-MD5"))) @@ -597,9 +575,10 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, c->algorithm_mac == SSL_SHA256 && (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA256"))) *enc = evp, *md = NULL; - return (1); - } else - return (0); + return 1; + } else { + return 0; + } } const EVP_MD *ssl_md(int idx) @@ -684,8 +663,6 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, /* drop those that use any of that is not available */ if (c == NULL || !c->valid) continue; - if (FIPS_mode() && (c->algo_strength & SSL_FIPS)) - continue; if ((c->algorithm_mkey & disabled_mkey) || (c->algorithm_auth & disabled_auth) || (c->algorithm_enc & disabled_enc) || @@ -703,9 +680,6 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, co_list[co_list_num].prev = NULL; co_list[co_list_num].active = 0; co_list_num++; - /* - * if (!sk_push(ca_list,(char *)c)) goto err; - */ } /* @@ -856,6 +830,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, cp->algorithm_enc, cp->algorithm_mac, cp->min_tls, cp->algo_strength); #endif + if (cipher_id != 0 && (cipher_id != cp->id)) + continue; if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) continue; if (alg_auth && !(alg_auth & cp->algorithm_auth)) @@ -951,7 +927,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, number_uses = OPENSSL_zalloc(sizeof(int) * (max_strength_bits + 1)); if (number_uses == NULL) { SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT, ERR_R_MALLOC_FAILURE); - return (0); + return 0; } /* @@ -973,7 +949,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, tail_p); OPENSSL_free(number_uses); - return (1); + return 1; } static int ssl_cipher_process_rulestr(const char *rule_str, @@ -990,7 +966,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, retval = 1; l = rule_str; - for (;;) { + for ( ; ; ) { ch = *l; if (ch == '\0') @@ -1062,8 +1038,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str, if (ch == '+') { multi = 1; l++; - } else + } else { multi = 0; + } /* * Now search for the cipher alias in the ca_list. Be careful @@ -1097,8 +1074,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str, found = 0; break; } - } else + } else { alg_mkey = ca_list[j]->algorithm_mkey; + } } if (ca_list[j]->algorithm_auth) { @@ -1108,8 +1086,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str, found = 0; break; } - } else + } else { alg_auth = ca_list[j]->algorithm_auth; + } } if (ca_list[j]->algorithm_enc) { @@ -1119,8 +1098,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str, found = 0; break; } - } else + } else { alg_enc = ca_list[j]->algorithm_enc; + } } if (ca_list[j]->algorithm_mac) { @@ -1130,8 +1110,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str, found = 0; break; } - } else + } else { alg_mac = ca_list[j]->algorithm_mac; + } } if (ca_list[j]->algo_strength & SSL_STRONG_MASK) { @@ -1143,8 +1124,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str, found = 0; break; } - } else + } else { algo_strength = ca_list[j]->algo_strength & SSL_STRONG_MASK; + } } if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) { @@ -1156,9 +1138,10 @@ static int ssl_cipher_process_rulestr(const char *rule_str, found = 0; break; } - } else + } else { algo_strength |= ca_list[j]->algo_strength & SSL_DEFAULT_MASK; + } } if (ca_list[j]->valid) { @@ -1193,9 +1176,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str, */ if (rule == CIPHER_SPECIAL) { /* special command */ ok = 0; - if ((buflen == 8) && strncmp(buf, "STRENGTH", 8) == 0) + if ((buflen == 8) && strncmp(buf, "STRENGTH", 8) == 0) { ok = ssl_cipher_strength_sort(head_p, tail_p); - else if (buflen == 10 && strncmp(buf, "SECLEVEL=", 9) == 0) { + } else if (buflen == 10 && strncmp(buf, "SECLEVEL=", 9) == 0) { int level = buf[9] - '0'; if (level < 0 || level > 5) { SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, @@ -1204,8 +1187,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str, c->sec_level = level; ok = 1; } - } else + } else { SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND); + } if (ok == 0) retval = 0; /* @@ -1229,7 +1213,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, break; /* done */ } - return (retval); + return retval; } #ifndef OPENSSL_NO_EC @@ -1251,8 +1235,9 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, if (suiteb_flags) { c->cert_flags &= ~SSL_CERT_FLAG_SUITEB_128_LOS; c->cert_flags |= suiteb_flags; - } else + } else { suiteb_flags = c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS; + } if (!suiteb_flags) return 1; @@ -1287,14 +1272,141 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, } #endif -STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) - **cipher_list, STACK_OF(SSL_CIPHER) - **cipher_list_by_id, - const char *rule_str, CERT *c) +static int ciphersuite_cb(const char *elem, int len, void *arg) +{ + STACK_OF(SSL_CIPHER) *ciphersuites = (STACK_OF(SSL_CIPHER) *)arg; + const SSL_CIPHER *cipher; + /* Arbitrary sized temp buffer for the cipher name. Should be big enough */ + char name[80]; + + if (len > (int)(sizeof(name) - 1)) { + SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH); + return 0; + } + + memcpy(name, elem, len); + name[len] = '\0'; + + cipher = ssl3_get_cipher_by_std_name(name); + if (cipher == NULL) { + SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH); + return 0; + } + + if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) { + SSLerr(SSL_F_CIPHERSUITE_CB, ERR_R_INTERNAL_ERROR); + return 0; + } + + return 1; +} + +static __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str) +{ + STACK_OF(SSL_CIPHER) *newciphers = sk_SSL_CIPHER_new_null(); + + if (newciphers == NULL) + return 0; + + /* Parse the list. We explicitly allow an empty list */ + if (*str != '\0' + && !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) { + sk_SSL_CIPHER_free(newciphers); + return 0; + } + sk_SSL_CIPHER_free(*currciphers); + *currciphers = newciphers; + + return 1; +} + +static int update_cipher_list_by_id(STACK_OF(SSL_CIPHER) **cipher_list_by_id, + STACK_OF(SSL_CIPHER) *cipherstack) +{ + STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); + + if (tmp_cipher_list == NULL) { + return 0; + } + + sk_SSL_CIPHER_free(*cipher_list_by_id); + *cipher_list_by_id = tmp_cipher_list; + + (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp); + sk_SSL_CIPHER_sort(*cipher_list_by_id); + + return 1; +} + +static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list, + STACK_OF(SSL_CIPHER) **cipher_list_by_id, + STACK_OF(SSL_CIPHER) *tls13_ciphersuites) +{ + int i; + STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(*cipher_list); + + if (tmp_cipher_list == NULL) + return 0; + + /* + * Delete any existing TLSv1.3 ciphersuites. These are always first in the + * list. + */ + while (sk_SSL_CIPHER_num(tmp_cipher_list) > 0 + && sk_SSL_CIPHER_value(tmp_cipher_list, 0)->min_tls + == TLS1_3_VERSION) + sk_SSL_CIPHER_delete(tmp_cipher_list, 0); + + /* Insert the new TLSv1.3 ciphersuites */ + for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) + sk_SSL_CIPHER_insert(tmp_cipher_list, + sk_SSL_CIPHER_value(tls13_ciphersuites, i), i); + + if (!update_cipher_list_by_id(cipher_list_by_id, tmp_cipher_list)) + return 0; + + sk_SSL_CIPHER_free(*cipher_list); + *cipher_list = tmp_cipher_list; + + return 1; +} + +int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) +{ + int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str); + + if (ret && ctx->cipher_list != NULL) { + /* We already have a cipher_list, so we need to update it */ + return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id, + ctx->tls13_ciphersuites); + } + + return ret; +} + +int SSL_set_ciphersuites(SSL *s, const char *str) { - int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; + int ret = set_ciphersuites(&(s->tls13_ciphersuites), str); + + if (ret && s->cipher_list != NULL) { + /* We already have a cipher_list, so we need to update it */ + return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id, + s->tls13_ciphersuites); + } + + return ret; +} + +STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, + STACK_OF(SSL_CIPHER) *tls13_ciphersuites, + STACK_OF(SSL_CIPHER) **cipher_list, + STACK_OF(SSL_CIPHER) **cipher_list_by_id, + const char *rule_str, + CERT *c) +{ + int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i; uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac; - STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; + STACK_OF(SSL_CIPHER) *cipherstack; const char *rule_p; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; @@ -1329,7 +1441,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); if (co_list == NULL) { SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - return (NULL); /* Failure */ + return NULL; /* Failure */ } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, @@ -1386,7 +1498,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); - /* RC4 is sort-of broken -- move the the end */ + /* RC4 is sort-of broken -- move to the end */ ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); @@ -1443,7 +1555,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK if (ca_list == NULL) { OPENSSL_free(co_list); SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - return (NULL); /* Failure */ + return NULL; /* Failure */ } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, disabled_auth, disabled_enc, @@ -1470,7 +1582,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK if (!ok) { /* Rule processing failure */ OPENSSL_free(co_list); - return (NULL); + return NULL; } /* @@ -1479,7 +1591,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { OPENSSL_free(co_list); - return (NULL); + return NULL; + } + + /* Add TLSv1.3 ciphers first - we always prefer those if possible */ + for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { + if (!sk_SSL_CIPHER_push(cipherstack, + sk_SSL_CIPHER_value(tls13_ciphersuites, i))) { + sk_SSL_CIPHER_free(cipherstack); + return NULL; + } } /* @@ -1487,8 +1608,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK * to the resulting precedence to the STACK_OF(SSL_CIPHER). */ for (curr = head; curr != NULL; curr = curr->next) { - if (curr->active - && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) { + if (curr->active) { if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { OPENSSL_free(co_list); sk_SSL_CIPHER_free(cipherstack); @@ -1501,20 +1621,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK } OPENSSL_free(co_list); /* Not needed any longer */ - tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); - if (tmp_cipher_list == NULL) { + if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) { sk_SSL_CIPHER_free(cipherstack); return NULL; } sk_SSL_CIPHER_free(*cipher_list); *cipher_list = cipherstack; - if (*cipher_list_by_id != NULL) - sk_SSL_CIPHER_free(*cipher_list_by_id); - *cipher_list_by_id = tmp_cipher_list; - (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp); - sk_SSL_CIPHER_sort(*cipher_list_by_id); - return (cipherstack); + return cipherstack; } char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) @@ -1526,11 +1640,13 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) if (buf == NULL) { len = 128; - buf = OPENSSL_malloc(len); - if (buf == NULL) + if ((buf = OPENSSL_malloc(len)) == NULL) { + SSLerr(SSL_F_SSL_CIPHER_DESCRIPTION, ERR_R_MALLOC_FAILURE); return NULL; - } else if (len < 128) + } + } else if (len < 128) { return NULL; + } alg_mkey = cipher->algorithm_mkey; alg_auth = cipher->algorithm_auth; @@ -1567,6 +1683,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kGOST: kx = "GOST"; break; + case SSL_kANY: + kx = "any"; + break; default: kx = "unknown"; } @@ -1593,10 +1712,13 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_aGOST01: au = "GOST01"; break; - /* New GOST ciphersuites have both SSL_aGOST12 and SSL_aGOST01 bits */ + /* New GOST ciphersuites have both SSL_aGOST12 and SSL_aGOST01 bits */ case (SSL_aGOST12 | SSL_aGOST01): au = "GOST12"; break; + case SSL_aANY: + au = "any"; + break; default: au = "unknown"; break; @@ -1651,6 +1773,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_CAMELLIA256: enc = "Camellia(256)"; break; + case SSL_ARIA128GCM: + enc = "ARIAGCM(128)"; + break; + case SSL_ARIA256GCM: + enc = "ARIAGCM(256)"; + break; case SSL_SEED: enc = "SEED(128)"; break; @@ -1700,7 +1828,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac); - return (buf); + return buf; } const char *SSL_CIPHER_get_version(const SSL_CIPHER *c) @@ -1721,8 +1849,27 @@ const char *SSL_CIPHER_get_version(const SSL_CIPHER *c) const char *SSL_CIPHER_get_name(const SSL_CIPHER *c) { if (c != NULL) - return (c->name); - return ("(NONE)"); + return c->name; + return "(NONE)"; +} + +/* return the actual cipher being used in RFC standard name */ +const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c) +{ + if (c != NULL) + return c->stdname; + return "(NONE)"; +} + +/* return the OpenSSL name based on given RFC standard name */ +const char *OPENSSL_cipher_name(const char *stdname) +{ + const SSL_CIPHER *c; + + if (stdname == NULL) + return "(NONE)"; + c = ssl3_get_cipher_by_std_name(stdname); + return SSL_CIPHER_get_name(c); } /* number of bits for symmetric cipher */ @@ -1743,20 +1890,25 @@ uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c) return c->id; } +uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c) +{ + return c->id & 0xFFFF; +} + SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) { SSL_COMP *ctmp; int i, nn; if ((n == 0) || (sk == NULL)) - return (NULL); + return NULL; nn = sk_SSL_COMP_num(sk); for (i = 0; i < nn; i++) { ctmp = sk_SSL_COMP_value(sk, i); if (ctmp->id == n) - return (ctmp); + return ctmp; } - return (NULL); + return NULL; } #ifdef OPENSSL_NO_COMP @@ -1780,7 +1932,7 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { load_builtin_compressions(); - return (ssl_comp_methods); + return ssl_comp_methods; } STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP) @@ -1829,7 +1981,7 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) if (comp == NULL) { CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE); SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE); - return (1); + return 1; } comp->id = id; @@ -1840,16 +1992,16 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE); SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, SSL_R_DUPLICATE_COMPRESSION_ID); - return (1); + return 1; } if (ssl_comp_methods == NULL || !sk_SSL_COMP_push(ssl_comp_methods, comp)) { OPENSSL_free(comp); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE); SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE); - return (1); + return 1; } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE); - return (0); + return 0; } #endif @@ -1880,32 +2032,12 @@ int SSL_COMP_get_id(const SSL_COMP *comp) #endif } -/* For a cipher return the index corresponding to the certificate type */ -int ssl_cipher_get_cert_index(const SSL_CIPHER *c) -{ - uint32_t alg_a; - - alg_a = c->algorithm_auth; - - if (alg_a & SSL_aECDSA) - return SSL_PKEY_ECC; - else if (alg_a & SSL_aDSS) - return SSL_PKEY_DSA_SIGN; - else if (alg_a & SSL_aRSA) - return SSL_PKEY_RSA_ENC; - else if (alg_a & SSL_aGOST12) - return SSL_PKEY_GOST_EC; - else if (alg_a & SSL_aGOST01) - return SSL_PKEY_GOST01; - - return -1; -} - -const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr) +const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr, + int all) { const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr); - if (c == NULL || c->valid == 0) + if (c == NULL || (!all && c->valid == 0)) return NULL; return c; } @@ -1953,7 +2085,77 @@ int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c) return ssl_cipher_table_auth[i].nid; } +const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c) +{ + int idx = c->algorithm2 & SSL_HANDSHAKE_MAC_MASK; + + if (idx < 0 || idx >= SSL_MD_NUM_IDX) + return NULL; + return ssl_digest_methods[idx]; +} + int SSL_CIPHER_is_aead(const SSL_CIPHER *c) { return (c->algorithm_mac & SSL_AEAD) ? 1 : 0; } + +int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead, + size_t *int_overhead, size_t *blocksize, + size_t *ext_overhead) +{ + size_t mac = 0, in = 0, blk = 0, out = 0; + + /* Some hard-coded numbers for the CCM/Poly1305 MAC overhead + * because there are no handy #defines for those. */ + if (c->algorithm_enc & (SSL_AESGCM | SSL_ARIAGCM)) { + out = EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; + } else if (c->algorithm_enc & (SSL_AES128CCM | SSL_AES256CCM)) { + out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 16; + } else if (c->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) { + out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 8; + } else if (c->algorithm_enc & SSL_CHACHA20POLY1305) { + out = 16; + } else if (c->algorithm_mac & SSL_AEAD) { + /* We're supposed to have handled all the AEAD modes above */ + return 0; + } else { + /* Non-AEAD modes. Calculate MAC/cipher overhead separately */ + int digest_nid = SSL_CIPHER_get_digest_nid(c); + const EVP_MD *e_md = EVP_get_digestbynid(digest_nid); + + if (e_md == NULL) + return 0; + + mac = EVP_MD_size(e_md); + if (c->algorithm_enc != SSL_eNULL) { + int cipher_nid = SSL_CIPHER_get_cipher_nid(c); + const EVP_CIPHER *e_ciph = EVP_get_cipherbynid(cipher_nid); + + /* If it wasn't AEAD or SSL_eNULL, we expect it to be a + known CBC cipher. */ + if (e_ciph == NULL || + EVP_CIPHER_mode(e_ciph) != EVP_CIPH_CBC_MODE) + return 0; + + in = 1; /* padding length byte */ + out = EVP_CIPHER_iv_length(e_ciph); + blk = EVP_CIPHER_block_size(e_ciph); + } + } + + *mac_overhead = mac; + *int_overhead = in; + *blocksize = blk; + *ext_overhead = out; + + return 1; +} + +int ssl_cert_is_disabled(size_t idx) +{ + const SSL_CERT_LOOKUP *cl = ssl_cert_lookup_by_idx(idx); + + if (cl == NULL || (cl->amask & disabled_auth_mask) != 0) + return 1; + return 0; +} diff --git a/deps/openssl/openssl/ssl/ssl_conf.c b/deps/openssl/openssl/ssl/ssl_conf.c index 9d9309ac15..9c202708d7 100644 --- a/deps/openssl/openssl/ssl/ssl_conf.c +++ b/deps/openssl/openssl/ssl/ssl_conf.c @@ -12,6 +12,7 @@ #include <openssl/conf.h> #include <openssl/objects.h> #include <openssl/dh.h> +#include "internal/nelem.h" /* * structure holding name tables. This is used for permitted elements in lists @@ -202,17 +203,23 @@ static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) return rv > 0; } -static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) +static int cmd_Groups(SSL_CONF_CTX *cctx, const char *value) { int rv; if (cctx->ssl) - rv = SSL_set1_curves_list(cctx->ssl, value); + rv = SSL_set1_groups_list(cctx->ssl, value); /* NB: ctx == NULL performs syntax checking only */ else - rv = SSL_CTX_set1_curves_list(cctx->ctx, value); + rv = SSL_CTX_set1_groups_list(cctx->ctx, value); return rv > 0; } +/* This is the old name for cmd_Groups - retained for backwards compatibility */ +static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) +{ + return cmd_Groups(cctx, value); +} + #ifndef OPENSSL_NO_EC /* ECDH temporary parameters */ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) @@ -250,6 +257,7 @@ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) { int rv = 1; + if (cctx->ctx) rv = SSL_CTX_set_cipher_list(cctx->ctx, value); if (cctx->ssl) @@ -257,6 +265,17 @@ static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) return rv > 0; } +static int cmd_Ciphersuites(SSL_CONF_CTX *cctx, const char *value) +{ + int rv = 1; + + if (cctx->ctx) + rv = SSL_CTX_set_ciphersuites(cctx->ctx, value); + if (cctx->ssl) + rv = SSL_set_ciphersuites(cctx->ssl, value); + return rv > 0; +} + static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) { static const ssl_flag_tbl ssl_protocol_list[] = { @@ -266,6 +285,7 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1), SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1), SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2), + SSL_FLAG_TBL_INV("TLSv1.3", SSL_OP_NO_TLSv1_3), SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1), SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2) }; @@ -291,6 +311,7 @@ static int protocol_from_string(const char *value) {"TLSv1", TLS1_VERSION}, {"TLSv1.1", TLS1_1_VERSION}, {"TLSv1.2", TLS1_2_VERSION}, + {"TLSv1.3", TLS1_3_VERSION}, {"DTLSv1", DTLS1_VERSION}, {"DTLSv1.2", DTLS1_2_VERSION} }; @@ -360,6 +381,10 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), + SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), + SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), + SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT), + SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY) }; if (value == NULL) return -3; @@ -375,7 +400,12 @@ static int cmd_VerifyMode(SSL_CONF_CTX *cctx, const char *value) SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER), SSL_FLAG_VFY_SRV("Require", SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), - SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE) + SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE), + SSL_FLAG_VFY_SRV("RequestPostHandshake", + SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE), + SSL_FLAG_VFY_SRV("RequirePostHandshake", + SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE | + SSL_VERIFY_FAIL_IF_NO_PEER_CERT), }; if (value == NULL) return -3; @@ -467,7 +497,7 @@ static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value) return do_store(cctx, value, NULL, 1); } -static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value) +static int cmd_RequestCAFile(SSL_CONF_CTX *cctx, const char *value) { if (cctx->canames == NULL) cctx->canames = sk_X509_NAME_new_null(); @@ -476,7 +506,12 @@ static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value) return SSL_add_file_cert_subjects_to_stack(cctx->canames, value); } -static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value) +static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value) +{ + return cmd_RequestCAFile(cctx, value); +} + +static int cmd_RequestCAPath(SSL_CONF_CTX *cctx, const char *value) { if (cctx->canames == NULL) cctx->canames = sk_X509_NAME_new_null(); @@ -485,6 +520,11 @@ static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value) return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value); } +static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value) +{ + return cmd_RequestCAPath(cctx, value); +} + #ifndef OPENSSL_NO_DH static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) { @@ -512,6 +552,40 @@ static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) return rv > 0; } #endif + +static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value) +{ + int rv = 0; + int block_size = atoi(value); + + /* + * All we care about is a non-negative value, + * the setters check the range + */ + if (block_size >= 0) { + if (cctx->ctx) + rv = SSL_CTX_set_block_padding(cctx->ctx, block_size); + if (cctx->ssl) + rv = SSL_set_block_padding(cctx->ssl, block_size); + } + return rv; +} + + +static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value) +{ + int rv = 0; + int num_tickets = atoi(value); + + if (num_tickets >= 0) { + if (cctx->ctx) + rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets); + if (cctx->ssl) + rv = SSL_set_num_tickets(cctx->ssl, num_tickets); + } + return rv; +} + typedef struct { int (*cmd) (SSL_CONF_CTX *cctx, const char *value); const char *str_file; @@ -537,6 +611,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_SWITCH("no_tls1", 0), SSL_CONF_CMD_SWITCH("no_tls1_1", 0), SSL_CONF_CMD_SWITCH("no_tls1_2", 0), + SSL_CONF_CMD_SWITCH("no_tls1_3", 0), SSL_CONF_CMD_SWITCH("bugs", 0), SSL_CONF_CMD_SWITCH("no_comp", 0), SSL_CONF_CMD_SWITCH("comp", 0), @@ -548,14 +623,21 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_SWITCH("no_renegotiation", 0), SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER), + SSL_CONF_CMD_SWITCH("allow_no_dhe_kex", 0), + SSL_CONF_CMD_SWITCH("prioritize_chacha", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("strict", 0), + SSL_CONF_CMD_SWITCH("no_middlebox", 0), + SSL_CONF_CMD_SWITCH("anti_replay", SSL_CONF_FLAG_SERVER), + SSL_CONF_CMD_SWITCH("no_anti_replay", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0), SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), SSL_CONF_CMD_STRING(Curves, "curves", 0), + SSL_CONF_CMD_STRING(Groups, "groups", 0), #ifndef OPENSSL_NO_EC SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER), #endif SSL_CONF_CMD_STRING(CipherString, "cipher", 0), + SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites", 0), SSL_CONF_CMD_STRING(Protocol, NULL, 0), SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0), SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0), @@ -576,17 +658,23 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_TYPE_DIR), SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE, SSL_CONF_TYPE_FILE), + SSL_CONF_CMD(RequestCAFile, "requestCAFile", SSL_CONF_FLAG_CERTIFICATE, + SSL_CONF_TYPE_FILE), SSL_CONF_CMD(ClientCAFile, NULL, SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, SSL_CONF_TYPE_FILE), + SSL_CONF_CMD(RequestCAPath, NULL, SSL_CONF_FLAG_CERTIFICATE, + SSL_CONF_TYPE_DIR), SSL_CONF_CMD(ClientCAPath, NULL, SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, SSL_CONF_TYPE_DIR), #ifndef OPENSSL_NO_DH SSL_CONF_CMD(DHParameters, "dhparam", SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, - SSL_CONF_TYPE_FILE) + SSL_CONF_TYPE_FILE), #endif + SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0), + SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER), }; /* Supported switches: must match order of switches in ssl_conf_cmds */ @@ -595,6 +683,7 @@ static const ssl_switch_tbl ssl_cmd_switches[] = { {SSL_OP_NO_TLSv1, 0}, /* no_tls1 */ {SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */ {SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */ + {SSL_OP_NO_TLSv1_3, 0}, /* no_tls1_3 */ {SSL_OP_ALL, 0}, /* bugs */ {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */ {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */ @@ -611,7 +700,17 @@ static const ssl_switch_tbl ssl_cmd_switches[] = { {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0}, /* no_legacy_server_connect */ {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV}, + /* allow_no_dhe_kex */ + {SSL_OP_ALLOW_NO_DHE_KEX, 0}, + /* chacha reprioritization */ + {SSL_OP_PRIORITIZE_CHACHA, 0}, {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */ + /* no_middlebox */ + {SSL_OP_ENABLE_MIDDLEBOX_COMPAT, SSL_TFLAG_INV}, + /* anti_replay */ + {SSL_OP_NO_ANTI_REPLAY, SSL_TFLAG_INV}, + /* no_anti_replay */ + {SSL_OP_NO_ANTI_REPLAY, 0}, }; static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) @@ -804,9 +903,9 @@ int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx) } if (cctx->canames) { if (cctx->ssl) - SSL_set_client_CA_list(cctx->ssl, cctx->canames); + SSL_set0_CA_list(cctx->ssl, cctx->canames); else if (cctx->ctx) - SSL_CTX_set_client_CA_list(cctx->ctx, cctx->canames); + SSL_CTX_set0_CA_list(cctx->ctx, cctx->canames); else sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); cctx->canames = NULL; diff --git a/deps/openssl/openssl/ssl/ssl_err.c b/deps/openssl/openssl/ssl/ssl_err.c index 580861eaed..11331ce41f 100644 --- a/deps/openssl/openssl/ssl/ssl_err.c +++ b/deps/openssl/openssl/ssl/ssl_err.c @@ -8,669 +8,1256 @@ * https://www.openssl.org/source/license.html */ -#include <stdio.h> #include <openssl/err.h> -#include <openssl/ssl.h> +#include <openssl/sslerr.h> -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR -# define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0) -# define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason) - -static ERR_STRING_DATA SSL_str_functs[] = { - {ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST), "check_suiteb_cipher_list"}, - {ERR_FUNC(SSL_F_CT_MOVE_SCTS), "ct_move_scts"}, - {ERR_FUNC(SSL_F_CT_STRICT), "ct_strict"}, - {ERR_FUNC(SSL_F_D2I_SSL_SESSION), "d2i_SSL_SESSION"}, - {ERR_FUNC(SSL_F_DANE_CTX_ENABLE), "dane_ctx_enable"}, - {ERR_FUNC(SSL_F_DANE_MTYPE_SET), "dane_mtype_set"}, - {ERR_FUNC(SSL_F_DANE_TLSA_ADD), "dane_tlsa_add"}, - {ERR_FUNC(SSL_F_DO_DTLS1_WRITE), "do_dtls1_write"}, - {ERR_FUNC(SSL_F_DO_SSL3_WRITE), "do_ssl3_write"}, - {ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD), "dtls1_buffer_record"}, - {ERR_FUNC(SSL_F_DTLS1_CHECK_TIMEOUT_NUM), "dtls1_check_timeout_num"}, - {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "dtls1_heartbeat"}, - {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "dtls1_preprocess_fragment"}, - {ERR_FUNC(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS), +static const ERR_STRING_DATA SSL_str_functs[] = { + {ERR_PACK(ERR_LIB_SSL, SSL_F_ADD_CLIENT_KEY_SHARE_EXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_ADD_KEY_SHARE, 0), "add_key_share"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_BYTES_TO_CIPHER_LIST, 0), + "bytes_to_cipher_list"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_CHECK_SUITEB_CIPHER_LIST, 0), + "check_suiteb_cipher_list"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_CIPHERSUITE_CB, 0), "ciphersuite_cb"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_CONSTRUCT_CA_NAMES, 0), "construct_ca_names"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS, 0), + "construct_key_exchange_tbs"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_CONSTRUCT_STATEFUL_TICKET, 0), + "construct_stateful_ticket"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_CONSTRUCT_STATELESS_TICKET, 0), + "construct_stateless_ticket"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH, 0), + "create_synthetic_message_hash"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_CREATE_TICKET_PREQUEL, 0), + "create_ticket_prequel"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_CT_MOVE_SCTS, 0), "ct_move_scts"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_CT_STRICT, 0), "ct_strict"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_CUSTOM_EXT_ADD, 0), "custom_ext_add"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_CUSTOM_EXT_PARSE, 0), "custom_ext_parse"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_D2I_SSL_SESSION, 0), "d2i_SSL_SESSION"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DANE_CTX_ENABLE, 0), "dane_ctx_enable"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DANE_MTYPE_SET, 0), "dane_mtype_set"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DANE_TLSA_ADD, 0), "dane_tlsa_add"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DERIVE_SECRET_KEY_AND_IV, 0), + "derive_secret_key_and_iv"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DO_DTLS1_WRITE, 0), "do_dtls1_write"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DO_SSL3_WRITE, 0), "do_ssl3_write"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_BUFFER_RECORD, 0), + "dtls1_buffer_record"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_CHECK_TIMEOUT_NUM, 0), + "dtls1_check_timeout_num"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_HEARTBEAT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_HM_FRAGMENT_NEW, 0), + "dtls1_hm_fragment_new"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_PREPROCESS_FRAGMENT, 0), + "dtls1_preprocess_fragment"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS, 0), "dtls1_process_buffered_records"}, - {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "dtls1_process_record"}, - {ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "dtls1_read_bytes"}, - {ERR_FUNC(SSL_F_DTLS1_READ_FAILED), "dtls1_read_failed"}, - {ERR_FUNC(SSL_F_DTLS1_RETRANSMIT_MESSAGE), "dtls1_retransmit_message"}, - {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_PROCESS_RECORD, 0), + "dtls1_process_record"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_READ_BYTES, 0), "dtls1_read_bytes"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_READ_FAILED, 0), "dtls1_read_failed"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_RETRANSMIT_MESSAGE, 0), + "dtls1_retransmit_message"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_WRITE_APP_DATA_BYTES, 0), "dtls1_write_app_data_bytes"}, - {ERR_FUNC(SSL_F_DTLSV1_LISTEN), "DTLSv1_listen"}, - {ERR_FUNC(SSL_F_DTLS_CONSTRUCT_CHANGE_CIPHER_SPEC), + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_WRITE_BYTES, 0), "dtls1_write_bytes"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLSV1_LISTEN, 0), "DTLSv1_listen"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS_CONSTRUCT_CHANGE_CIPHER_SPEC, 0), "dtls_construct_change_cipher_spec"}, - {ERR_FUNC(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST), + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, 0), "dtls_construct_hello_verify_request"}, - {ERR_FUNC(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, 0), "dtls_get_reassembled_message"}, - {ERR_FUNC(SSL_F_DTLS_PROCESS_HELLO_VERIFY), "dtls_process_hello_verify"}, - {ERR_FUNC(SSL_F_DTLS_WAIT_FOR_DRY), "dtls_wait_for_dry"}, - {ERR_FUNC(SSL_F_OPENSSL_INIT_SSL), "OPENSSL_init_ssl"}, - {ERR_FUNC(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION), + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS_PROCESS_HELLO_VERIFY, 0), + "dtls_process_hello_verify"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS_RECORD_LAYER_NEW, 0), + "DTLS_RECORD_LAYER_new"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS_WAIT_FOR_DRY, 0), "dtls_wait_for_dry"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_EARLY_DATA_COUNT_OK, 0), + "early_data_count_ok"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_EARLY_DATA, 0), "final_early_data"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_EC_PT_FORMATS, 0), + "final_ec_pt_formats"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_EMS, 0), "final_ems"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_KEY_SHARE, 0), "final_key_share"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_MAXFRAGMENTLEN, 0), + "final_maxfragmentlen"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_RENEGOTIATE, 0), "final_renegotiate"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_SERVER_NAME, 0), "final_server_name"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_SIG_ALGS, 0), "final_sig_algs"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_GET_CERT_VERIFY_TBS_DATA, 0), + "get_cert_verify_tbs_data"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_NSS_KEYLOG_INT, 0), "nss_keylog_int"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OPENSSL_INIT_SSL, 0), "OPENSSL_init_ssl"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_CLIENT13_READ_TRANSITION, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION, 0), + "ossl_statem_client13_write_transition"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_CLIENT_POST_PROCESS_MESSAGE, 0), + "ossl_statem_client_post_process_message"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_CLIENT_PROCESS_MESSAGE, 0), + "ossl_statem_client_process_message"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, 0), "ossl_statem_client_read_transition"}, - {ERR_FUNC(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION), + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_CLIENT_WRITE_TRANSITION, 0), + "ossl_statem_client_write_transition"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER13_READ_TRANSITION, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION, 0), + "ossl_statem_server13_write_transition"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE, 0), + "ossl_statem_server_post_process_message"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_POST_WORK, 0), + "ossl_statem_server_post_work"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE, 0), + "ossl_statem_server_process_message"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, 0), "ossl_statem_server_read_transition"}, - {ERR_FUNC(SSL_F_READ_STATE_MACHINE), "read_state_machine"}, - {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "ssl3_change_cipher_state"}, - {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), + {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION, 0), + "ossl_statem_server_write_transition"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_PARSE_CA_NAMES, 0), "parse_ca_names"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_PITEM_NEW, 0), "pitem_new"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_PQUEUE_NEW, 0), "pqueue_new"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_PROCESS_KEY_SHARE_EXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_READ_STATE_MACHINE, 0), "read_state_machine"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SET_CLIENT_CIPHERSUITE, 0), + "set_client_ciphersuite"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, 0), + "srp_generate_client_master_secret"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SRP_GENERATE_SERVER_MASTER_SECRET, 0), + "srp_generate_server_master_secret"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SRP_VERIFY_SERVER_PARAM, 0), + "srp_verify_server_param"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_CHANGE_CIPHER_STATE, 0), + "ssl3_change_cipher_state"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 0), "ssl3_check_cert_and_algorithm"}, - {ERR_FUNC(SSL_F_SSL3_CTRL), "ssl3_ctrl"}, - {ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "ssl3_ctx_ctrl"}, - {ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_CTRL, 0), "ssl3_ctrl"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_CTX_CTRL, 0), "ssl3_ctx_ctrl"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_DIGEST_CACHED_RECORDS, 0), "ssl3_digest_cached_records"}, - {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, 0), "ssl3_do_change_cipher_spec"}, - {ERR_FUNC(SSL_F_SSL3_FINAL_FINISH_MAC), "ssl3_final_finish_mac"}, - {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "ssl3_generate_key_block"}, - {ERR_FUNC(SSL_F_SSL3_GENERATE_MASTER_SECRET), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_ENC, 0), "ssl3_enc"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_FINAL_FINISH_MAC, 0), + "ssl3_final_finish_mac"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_FINISH_MAC, 0), "ssl3_finish_mac"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GENERATE_KEY_BLOCK, 0), + "ssl3_generate_key_block"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GENERATE_MASTER_SECRET, 0), "ssl3_generate_master_secret"}, - {ERR_FUNC(SSL_F_SSL3_GET_RECORD), "ssl3_get_record"}, - {ERR_FUNC(SSL_F_SSL3_INIT_FINISHED_MAC), "ssl3_init_finished_mac"}, - {ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN), "ssl3_output_cert_chain"}, - {ERR_FUNC(SSL_F_SSL3_READ_BYTES), "ssl3_read_bytes"}, - {ERR_FUNC(SSL_F_SSL3_READ_N), "ssl3_read_n"}, - {ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "ssl3_setup_key_block"}, - {ERR_FUNC(SSL_F_SSL3_SETUP_READ_BUFFER), "ssl3_setup_read_buffer"}, - {ERR_FUNC(SSL_F_SSL3_SETUP_WRITE_BUFFER), "ssl3_setup_write_buffer"}, - {ERR_FUNC(SSL_F_SSL3_TAKE_MAC), "ssl3_take_mac"}, - {ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "ssl3_write_bytes"}, - {ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "ssl3_write_pending"}, - {ERR_FUNC(SSL_F_SSL_ADD_CERT_CHAIN), "ssl_add_cert_chain"}, - {ERR_FUNC(SSL_F_SSL_ADD_CERT_TO_BUF), "ssl_add_cert_to_buf"}, - {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT), - "ssl_add_clienthello_renegotiate_ext"}, - {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), - "ssl_add_clienthello_tlsext"}, - {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT), - "ssl_add_clienthello_use_srtp_ext"}, - {ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, 0), "ssl3_get_record"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_INIT_FINISHED_MAC, 0), + "ssl3_init_finished_mac"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_OUTPUT_CERT_CHAIN, 0), + "ssl3_output_cert_chain"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_READ_BYTES, 0), "ssl3_read_bytes"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_READ_N, 0), "ssl3_read_n"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_SETUP_KEY_BLOCK, 0), + "ssl3_setup_key_block"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_SETUP_READ_BUFFER, 0), + "ssl3_setup_read_buffer"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_SETUP_WRITE_BUFFER, 0), + "ssl3_setup_write_buffer"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_WRITE_BYTES, 0), "ssl3_write_bytes"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_WRITE_PENDING, 0), "ssl3_write_pending"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_CERT_CHAIN, 0), "ssl_add_cert_chain"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_CERT_TO_BUF, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_CERT_TO_WPACKET, 0), + "ssl_add_cert_to_wpacket"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, 0), "SSL_add_dir_cert_subjects_to_stack"}, - {ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK, 0), "SSL_add_file_cert_subjects_to_stack"}, - {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT), - "ssl_add_serverhello_renegotiate_ext"}, - {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), - "ssl_add_serverhello_tlsext"}, - {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT), - "ssl_add_serverhello_use_srtp_ext"}, - {ERR_FUNC(SSL_F_SSL_BAD_METHOD), "ssl_bad_method"}, - {ERR_FUNC(SSL_F_SSL_BUILD_CERT_CHAIN), "ssl_build_cert_chain"}, - {ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "ssl_bytes_to_cipher_list"}, - {ERR_FUNC(SSL_F_SSL_CERT_ADD0_CHAIN_CERT), "ssl_cert_add0_chain_cert"}, - {ERR_FUNC(SSL_F_SSL_CERT_DUP), "ssl_cert_dup"}, - {ERR_FUNC(SSL_F_SSL_CERT_NEW), "ssl_cert_new"}, - {ERR_FUNC(SSL_F_SSL_CERT_SET0_CHAIN), "ssl_cert_set0_chain"}, - {ERR_FUNC(SSL_F_SSL_CHECK_PRIVATE_KEY), "SSL_check_private_key"}, - {ERR_FUNC(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT), - "ssl_check_serverhello_tlsext"}, - {ERR_FUNC(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_BAD_METHOD, 0), "ssl_bad_method"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_BUILD_CERT_CHAIN, 0), + "ssl_build_cert_chain"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_BYTES_TO_CIPHER_LIST, 0), + "SSL_bytes_to_cipher_list"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CACHE_CIPHERLIST, 0), + "ssl_cache_cipherlist"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CERT_ADD0_CHAIN_CERT, 0), + "ssl_cert_add0_chain_cert"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CERT_DUP, 0), "ssl_cert_dup"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CERT_NEW, 0), "ssl_cert_new"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CERT_SET0_CHAIN, 0), + "ssl_cert_set0_chain"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CHECK_PRIVATE_KEY, 0), + "SSL_check_private_key"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO, 0), + "ssl_check_srp_ext_ClientHello"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, 0), "ssl_check_srvr_ecc_cert_and_alg"}, - {ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CHOOSE_CLIENT_VERSION, 0), + "ssl_choose_client_version"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CIPHER_DESCRIPTION, 0), + "SSL_CIPHER_description"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CIPHER_LIST_TO_BYTES, 0), + "ssl_cipher_list_to_bytes"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CIPHER_PROCESS_RULESTR, 0), "ssl_cipher_process_rulestr"}, - {ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "ssl_cipher_strength_sort"}, - {ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"}, - {ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CIPHER_STRENGTH_SORT, 0), + "ssl_cipher_strength_sort"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CLEAR, 0), "SSL_clear"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT, 0), + "SSL_client_hello_get1_extensions_present"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, 0), "SSL_COMP_add_compression_method"}, - {ERR_FUNC(SSL_F_SSL_CONF_CMD), "SSL_CONF_cmd"}, - {ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST), "ssl_create_cipher_list"}, - {ERR_FUNC(SSL_F_SSL_CTRL), "SSL_ctrl"}, - {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"}, - {ERR_FUNC(SSL_F_SSL_CTX_ENABLE_CT), "SSL_CTX_enable_ct"}, - {ERR_FUNC(SSL_F_SSL_CTX_MAKE_PROFILES), "ssl_ctx_make_profiles"}, - {ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"}, - {ERR_FUNC(SSL_F_SSL_CTX_SET_ALPN_PROTOS), "SSL_CTX_set_alpn_protos"}, - {ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"}, - {ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CONF_CMD, 0), "SSL_CONF_cmd"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CREATE_CIPHER_LIST, 0), + "ssl_create_cipher_list"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTRL, 0), "SSL_ctrl"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, 0), + "SSL_CTX_check_private_key"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_ENABLE_CT, 0), "SSL_CTX_enable_ct"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_MAKE_PROFILES, 0), + "ssl_ctx_make_profiles"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_NEW, 0), "SSL_CTX_new"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_SET_ALPN_PROTOS, 0), + "SSL_CTX_set_alpn_protos"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_SET_CIPHER_LIST, 0), + "SSL_CTX_set_cipher_list"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, 0), "SSL_CTX_set_client_cert_engine"}, - {ERR_FUNC(SSL_F_SSL_CTX_SET_CT_VALIDATION_CALLBACK), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_SET_CT_VALIDATION_CALLBACK, 0), "SSL_CTX_set_ct_validation_callback"}, - {ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT, 0), "SSL_CTX_set_session_id_context"}, - {ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE), "SSL_CTX_use_certificate"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_SET_SSL_VERSION, 0), + "SSL_CTX_set_ssl_version"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH, 0), + "SSL_CTX_set_tlsext_max_fragment_length"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_CERTIFICATE, 0), + "SSL_CTX_use_certificate"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, 0), "SSL_CTX_use_certificate_ASN1"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, 0), "SSL_CTX_use_certificate_file"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY), "SSL_CTX_use_PrivateKey"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_PRIVATEKEY, 0), + "SSL_CTX_use_PrivateKey"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, 0), "SSL_CTX_use_PrivateKey_ASN1"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, 0), "SSL_CTX_use_PrivateKey_file"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, 0), "SSL_CTX_use_psk_identity_hint"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY), "SSL_CTX_use_RSAPrivateKey"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, 0), + "SSL_CTX_use_RSAPrivateKey"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, 0), "SSL_CTX_use_RSAPrivateKey_ASN1"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, 0), "SSL_CTX_use_RSAPrivateKey_file"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_SERVERINFO), "SSL_CTX_use_serverinfo"}, - {ERR_FUNC(SSL_F_SSL_CTX_USE_SERVERINFO_FILE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_SERVERINFO, 0), + "SSL_CTX_use_serverinfo"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_SERVERINFO_EX, 0), + "SSL_CTX_use_serverinfo_ex"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_USE_SERVERINFO_FILE, 0), "SSL_CTX_use_serverinfo_file"}, - {ERR_FUNC(SSL_F_SSL_DANE_DUP), "ssl_dane_dup"}, - {ERR_FUNC(SSL_F_SSL_DANE_ENABLE), "SSL_dane_enable"}, - {ERR_FUNC(SSL_F_SSL_DO_CONFIG), "ssl_do_config"}, - {ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE), "SSL_do_handshake"}, - {ERR_FUNC(SSL_F_SSL_DUP_CA_LIST), "SSL_dup_CA_list"}, - {ERR_FUNC(SSL_F_SSL_ENABLE_CT), "SSL_enable_ct"}, - {ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "ssl_get_new_session"}, - {ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "ssl_get_prev_session"}, - {ERR_FUNC(SSL_F_SSL_GET_SERVER_CERT_INDEX), "ssl_get_server_cert_index"}, - {ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "ssl_get_sign_pkey"}, - {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "ssl_init_wbio_buffer"}, - {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, - {ERR_FUNC(SSL_F_SSL_MODULE_INIT), "ssl_module_init"}, - {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"}, - {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), - "ssl_parse_clienthello_renegotiate_ext"}, - {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), - "ssl_parse_clienthello_tlsext"}, - {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT), - "ssl_parse_clienthello_use_srtp_ext"}, - {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), - "ssl_parse_serverhello_renegotiate_ext"}, - {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), - "ssl_parse_serverhello_tlsext"}, - {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT), - "ssl_parse_serverhello_use_srtp_ext"}, - {ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"}, - {ERR_FUNC(SSL_F_SSL_READ), "SSL_read"}, - {ERR_FUNC(SSL_F_SSL_RENEGOTIATE), "SSL_renegotiate"}, - {ERR_FUNC(SSL_F_SSL_RENEGOTIATE_ABBREVIATED), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DANE_DUP, 0), "ssl_dane_dup"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DANE_ENABLE, 0), "SSL_dane_enable"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DERIVE, 0), "ssl_derive"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DO_CONFIG, 0), "ssl_do_config"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DO_HANDSHAKE, 0), "SSL_do_handshake"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DUP_CA_LIST, 0), "SSL_dup_CA_list"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ENABLE_CT, 0), "SSL_enable_ct"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GENERATE_PKEY_GROUP, 0), + "ssl_generate_pkey_group"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GENERATE_SESSION_ID, 0), + "ssl_generate_session_id"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GET_NEW_SESSION, 0), + "ssl_get_new_session"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GET_PREV_SESSION, 0), + "ssl_get_prev_session"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GET_SERVER_CERT_INDEX, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GET_SIGN_PKEY, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_HANDSHAKE_HASH, 0), "ssl_handshake_hash"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_INIT_WBIO_BUFFER, 0), + "ssl_init_wbio_buffer"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_KEY_UPDATE, 0), "SSL_key_update"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_LOAD_CLIENT_CA_FILE, 0), + "SSL_load_client_CA_file"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_LOG_MASTER_SECRET, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE, 0), + "ssl_log_rsa_client_key_exchange"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_MODULE_INIT, 0), "ssl_module_init"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_NEW, 0), "SSL_new"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_NEXT_PROTO_VALIDATE, 0), + "ssl_next_proto_validate"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PEEK, 0), "SSL_peek"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PEEK_EX, 0), "SSL_peek_ex"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PEEK_INTERNAL, 0), "ssl_peek_internal"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_READ, 0), "SSL_read"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_READ_EARLY_DATA, 0), + "SSL_read_early_data"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_READ_EX, 0), "SSL_read_ex"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_READ_INTERNAL, 0), "ssl_read_internal"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_RENEGOTIATE, 0), "SSL_renegotiate"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_RENEGOTIATE_ABBREVIATED, 0), "SSL_renegotiate_abbreviated"}, - {ERR_FUNC(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT), - "ssl_scan_clienthello_tlsext"}, - {ERR_FUNC(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT), - "ssl_scan_serverhello_tlsext"}, - {ERR_FUNC(SSL_F_SSL_SESSION_DUP), "ssl_session_dup"}, - {ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"}, - {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"}, - {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID), "SSL_SESSION_set1_id"}, - {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_DUP, 0), "ssl_session_dup"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_NEW, 0), "SSL_SESSION_new"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_PRINT_FP, 0), + "SSL_SESSION_print_fp"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_SET1_ID, 0), + "SSL_SESSION_set1_id"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_SET1_ID_CONTEXT, 0), "SSL_SESSION_set1_id_context"}, - {ERR_FUNC(SSL_F_SSL_SET_ALPN_PROTOS), "SSL_set_alpn_protos"}, - {ERR_FUNC(SSL_F_SSL_SET_CERT), "ssl_set_cert"}, - {ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST), "SSL_set_cipher_list"}, - {ERR_FUNC(SSL_F_SSL_SET_CT_VALIDATION_CALLBACK), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_ALPN_PROTOS, 0), + "SSL_set_alpn_protos"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_CERT, 0), "ssl_set_cert"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_CERT_AND_KEY, 0), + "ssl_set_cert_and_key"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_CIPHER_LIST, 0), + "SSL_set_cipher_list"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_CT_VALIDATION_CALLBACK, 0), "SSL_set_ct_validation_callback"}, - {ERR_FUNC(SSL_F_SSL_SET_FD), "SSL_set_fd"}, - {ERR_FUNC(SSL_F_SSL_SET_PKEY), "ssl_set_pkey"}, - {ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"}, - {ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"}, - {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_FD, 0), "SSL_set_fd"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_PKEY, 0), "ssl_set_pkey"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_RFD, 0), "SSL_set_rfd"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_SESSION, 0), "SSL_set_session"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_SESSION_ID_CONTEXT, 0), "SSL_set_session_id_context"}, - {ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_SESSION_TICKET_EXT, 0), "SSL_set_session_ticket_ext"}, - {ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"}, - {ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"}, - {ERR_FUNC(SSL_F_SSL_SRP_CTX_INIT), "SSL_SRP_CTX_init"}, - {ERR_FUNC(SSL_F_SSL_START_ASYNC_JOB), "ssl_start_async_job"}, - {ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION), "ssl_undefined_function"}, - {ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH, 0), + "SSL_set_tlsext_max_fragment_length"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SET_WFD, 0), "SSL_set_wfd"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SHUTDOWN, 0), "SSL_shutdown"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SRP_CTX_INIT, 0), "SSL_SRP_CTX_init"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_START_ASYNC_JOB, 0), + "ssl_start_async_job"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_UNDEFINED_FUNCTION, 0), + "ssl_undefined_function"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_UNDEFINED_VOID_FUNCTION, 0), "ssl_undefined_void_function"}, - {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE), "SSL_use_certificate"}, - {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1), "SSL_use_certificate_ASN1"}, - {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE), "SSL_use_certificate_file"}, - {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY), "SSL_use_PrivateKey"}, - {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1), "SSL_use_PrivateKey_ASN1"}, - {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"}, - {ERR_FUNC(SSL_F_SSL_USE_PSK_IDENTITY_HINT), "SSL_use_psk_identity_hint"}, - {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"}, - {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_USE_CERTIFICATE, 0), + "SSL_use_certificate"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_USE_CERTIFICATE_ASN1, 0), + "SSL_use_certificate_ASN1"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_USE_CERTIFICATE_FILE, 0), + "SSL_use_certificate_file"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_USE_PRIVATEKEY, 0), "SSL_use_PrivateKey"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_USE_PRIVATEKEY_ASN1, 0), + "SSL_use_PrivateKey_ASN1"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_USE_PRIVATEKEY_FILE, 0), + "SSL_use_PrivateKey_file"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_USE_PSK_IDENTITY_HINT, 0), + "SSL_use_psk_identity_hint"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_USE_RSAPRIVATEKEY, 0), + "SSL_use_RSAPrivateKey"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, 0), "SSL_use_RSAPrivateKey_ASN1"}, - {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, 0), "SSL_use_RSAPrivateKey_file"}, - {ERR_FUNC(SSL_F_SSL_VALIDATE_CT), "ssl_validate_ct"}, - {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "ssl_verify_cert_chain"}, - {ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"}, - {ERR_FUNC(SSL_F_STATE_MACHINE), "state_machine"}, - {ERR_FUNC(SSL_F_TLS12_CHECK_PEER_SIGALG), "tls12_check_peer_sigalg"}, - {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "tls1_change_cipher_state"}, - {ERR_FUNC(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS), - "tls1_check_duplicate_extensions"}, - {ERR_FUNC(SSL_F_TLS1_ENC), "tls1_enc"}, - {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL), + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_VALIDATE_CT, 0), "ssl_validate_ct"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_VERIFY_CERT_CHAIN, 0), + "ssl_verify_cert_chain"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, 0), + "SSL_verify_client_post_handshake"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_WRITE, 0), "SSL_write"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_WRITE_EARLY_DATA, 0), + "SSL_write_early_data"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_WRITE_EARLY_FINISH, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_WRITE_EX, 0), "SSL_write_ex"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_WRITE_INTERNAL, 0), "ssl_write_internal"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_STATE_MACHINE, 0), "state_machine"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS12_CHECK_PEER_SIGALG, 0), + "tls12_check_peer_sigalg"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS12_COPY_SIGALGS, 0), "tls12_copy_sigalgs"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_CHANGE_CIPHER_STATE, 0), + "tls13_change_cipher_state"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_ENC, 0), "tls13_enc"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_FINAL_FINISH_MAC, 0), + "tls13_final_finish_mac"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_GENERATE_SECRET, 0), + "tls13_generate_secret"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_HKDF_EXPAND, 0), "tls13_hkdf_expand"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA, 0), + "tls13_restore_handshake_digest_for_pha"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA, 0), + "tls13_save_handshake_digest_for_pha"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_SETUP_KEY_BLOCK, 0), + "tls13_setup_key_block"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_CHANGE_CIPHER_STATE, 0), + "tls1_change_cipher_state"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_ENC, 0), "tls1_enc"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_EXPORT_KEYING_MATERIAL, 0), "tls1_export_keying_material"}, - {ERR_FUNC(SSL_F_TLS1_GET_CURVELIST), "tls1_get_curvelist"}, - {ERR_FUNC(SSL_F_TLS1_PRF), "tls1_PRF"}, - {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "tls1_setup_key_block"}, - {ERR_FUNC(SSL_F_TLS1_SET_SERVER_SIGALGS), "tls1_set_server_sigalgs"}, - {ERR_FUNC(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_GET_CURVELIST, 0), "tls1_get_curvelist"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_PRF, 0), "tls1_PRF"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_SAVE_U16, 0), "tls1_save_u16"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_SETUP_KEY_BLOCK, 0), + "tls1_setup_key_block"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_SET_GROUPS, 0), "tls1_set_groups"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_SET_RAW_SIGALGS, 0), + "tls1_set_raw_sigalgs"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_SET_SERVER_SIGALGS, 0), + "tls1_set_server_sigalgs"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_SET_SHARED_SIGALGS, 0), + "tls1_set_shared_sigalgs"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_SET_SIGALGS, 0), "tls1_set_sigalgs"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CHOOSE_SIGALG, 0), "tls_choose_sigalg"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, 0), "tls_client_key_exchange_post_work"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_COLLECT_EXTENSIONS, 0), + "tls_collect_extensions"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES, 0), + "tls_construct_certificate_authorities"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, 0), "tls_construct_certificate_request"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_DHE), "tls_construct_cke_dhe"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_ECDHE), "tls_construct_cke_ecdhe"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_GOST), "tls_construct_cke_gost"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CERT_STATUS, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY, 0), + "tls_construct_cert_status_body"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 0), + "tls_construct_cert_verify"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, 0), + "tls_construct_change_cipher_spec"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_DHE, 0), + "tls_construct_cke_dhe"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 0), + "tls_construct_cke_ecdhe"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_GOST, 0), + "tls_construct_cke_gost"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 0), "tls_construct_cke_psk_preamble"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_RSA), "tls_construct_cke_rsa"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_SRP), "tls_construct_cke_srp"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_RSA, 0), + "tls_construct_cke_rsa"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CKE_SRP, 0), + "tls_construct_cke_srp"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, 0), "tls_construct_client_certificate"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 0), "tls_construct_client_hello"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, 0), "tls_construct_client_key_exchange"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY), - "tls_construct_client_verify"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_FINISHED), "tls_construct_finished"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST), - "tls_construct_hello_request"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_ALPN, 0), + "tls_construct_ctos_alpn"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_CERTIFICATE, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_COOKIE, 0), + "tls_construct_ctos_cookie"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 0), + "tls_construct_ctos_early_data"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, 0), + "tls_construct_ctos_ec_pt_formats"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_EMS, 0), + "tls_construct_ctos_ems"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_ETM, 0), + "tls_construct_ctos_etm"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_HELLO, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_KEY_EXCHANGE, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, 0), + "tls_construct_ctos_key_share"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, 0), + "tls_construct_ctos_maxfragmentlen"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_NPN, 0), + "tls_construct_ctos_npn"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_PADDING, 0), + "tls_construct_ctos_padding"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH, 0), + "tls_construct_ctos_post_handshake_auth"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 0), + "tls_construct_ctos_psk"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, 0), + "tls_construct_ctos_psk_kex_modes"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE, 0), + "tls_construct_ctos_renegotiate"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_SCT, 0), + "tls_construct_ctos_sct"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, 0), + "tls_construct_ctos_server_name"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, 0), + "tls_construct_ctos_session_ticket"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS, 0), + "tls_construct_ctos_sig_algs"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_SRP, 0), + "tls_construct_ctos_srp"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, 0), + "tls_construct_ctos_status_request"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, 0), + "tls_construct_ctos_supported_groups"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, 0), + "tls_construct_ctos_supported_versions"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, 0), + "tls_construct_ctos_use_srtp"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_CTOS_VERIFY, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, 0), + "tls_construct_encrypted_extensions"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_END_OF_EARLY_DATA, 0), + "tls_construct_end_of_early_data"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_EXTENSIONS, 0), + "tls_construct_extensions"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_FINISHED, 0), + "tls_construct_finished"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, 0), + "tls_construct_hello_retry_request"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_KEY_UPDATE, 0), + "tls_construct_key_update"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, 0), "tls_construct_new_session_ticket"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_NEXT_PROTO, 0), + "tls_construct_next_proto"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, 0), "tls_construct_server_certificate"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_SERVER_DONE), "tls_construct_server_done"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_SERVER_HELLO), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_SERVER_HELLO, 0), "tls_construct_server_hello"}, - {ERR_FUNC(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 0), "tls_construct_server_key_exchange"}, - {ERR_FUNC(SSL_F_TLS_GET_MESSAGE_BODY), "tls_get_message_body"}, - {ERR_FUNC(SSL_F_TLS_GET_MESSAGE_HEADER), "tls_get_message_header"}, - {ERR_FUNC(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_ALPN, 0), + "tls_construct_stoc_alpn"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_CERTIFICATE, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, 0), + "tls_construct_stoc_cookie"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, 0), + "tls_construct_stoc_cryptopro_bug"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_DONE, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, 0), + "tls_construct_stoc_early_data"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA_INFO, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, 0), + "tls_construct_stoc_ec_pt_formats"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_EMS, 0), + "tls_construct_stoc_ems"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_ETM, 0), + "tls_construct_stoc_etm"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_HELLO, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_KEY_EXCHANGE, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, 0), + "tls_construct_stoc_key_share"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, 0), + "tls_construct_stoc_maxfragmentlen"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG, 0), + "tls_construct_stoc_next_proto_neg"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_PSK, 0), + "tls_construct_stoc_psk"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, 0), + "tls_construct_stoc_renegotiate"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, 0), + "tls_construct_stoc_server_name"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, 0), + "tls_construct_stoc_session_ticket"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, 0), + "tls_construct_stoc_status_request"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, 0), + "tls_construct_stoc_supported_groups"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS, 0), + "tls_construct_stoc_supported_versions"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, 0), + "tls_construct_stoc_use_srtp"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 0), + "tls_early_post_process_client_hello"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_FINISH_HANDSHAKE, 0), + "tls_finish_handshake"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_GET_MESSAGE_BODY, 0), + "tls_get_message_body"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_GET_MESSAGE_HEADER, 0), + "tls_get_message_header"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_HANDLE_ALPN, 0), "tls_handle_alpn"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_HANDLE_STATUS_REQUEST, 0), + "tls_handle_status_request"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, 0), + "tls_parse_certificate_authorities"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_ALPN, 0), + "tls_parse_ctos_alpn"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_COOKIE, 0), + "tls_parse_ctos_cookie"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_EARLY_DATA, 0), + "tls_parse_ctos_early_data"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, 0), + "tls_parse_ctos_ec_pt_formats"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_EMS, 0), "tls_parse_ctos_ems"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, 0), + "tls_parse_ctos_key_share"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN, 0), + "tls_parse_ctos_maxfragmentlen"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH, 0), + "tls_parse_ctos_post_handshake_auth"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_PSK, 0), "tls_parse_ctos_psk"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES, 0), + "tls_parse_ctos_psk_kex_modes"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE, 0), + "tls_parse_ctos_renegotiate"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_SERVER_NAME, 0), + "tls_parse_ctos_server_name"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, 0), + "tls_parse_ctos_session_ticket"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_SIG_ALGS, 0), + "tls_parse_ctos_sig_algs"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, 0), + "tls_parse_ctos_sig_algs_cert"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_SRP, 0), "tls_parse_ctos_srp"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, 0), + "tls_parse_ctos_status_request"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, 0), + "tls_parse_ctos_supported_groups"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_USE_SRTP, 0), + "tls_parse_ctos_use_srtp"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_ALPN, 0), + "tls_parse_stoc_alpn"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_COOKIE, 0), + "tls_parse_stoc_cookie"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_EARLY_DATA, 0), + "tls_parse_stoc_early_data"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_EARLY_DATA_INFO, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, 0), + "tls_parse_stoc_ec_pt_formats"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 0), + "tls_parse_stoc_key_share"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, 0), + "tls_parse_stoc_maxfragmentlen"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_NPN, 0), "tls_parse_stoc_npn"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_PSK, 0), "tls_parse_stoc_psk"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 0), + "tls_parse_stoc_renegotiate"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_SCT, 0), "tls_parse_stoc_sct"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 0), + "tls_parse_stoc_server_name"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_SESSION_TICKET, 0), + "tls_parse_stoc_session_ticket"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, 0), + "tls_parse_stoc_status_request"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS, 0), + "tls_parse_stoc_supported_versions"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_USE_SRTP, 0), + "tls_parse_stoc_use_srtp"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, 0), "tls_post_process_client_hello"}, - {ERR_FUNC(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE, 0), "tls_post_process_client_key_exchange"}, - {ERR_FUNC(SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE, 0), "tls_prepare_client_certificate"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_AS_HELLO_RETRY_REQUEST, 0), + "tls_process_as_hello_retry_request"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 0), "tls_process_certificate_request"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_CERT_STATUS), "tls_process_cert_status"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_CERT_VERIFY), "tls_process_cert_verify"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CERT_STATUS, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, 0), + "tls_process_cert_status_body"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CERT_VERIFY, 0), + "tls_process_cert_verify"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, 0), "tls_process_change_cipher_spec"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_CKE_DHE), "tls_process_cke_dhe"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_CKE_ECDHE), "tls_process_cke_ecdhe"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_CKE_GOST), "tls_process_cke_gost"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_DHE, 0), + "tls_process_cke_dhe"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_ECDHE, 0), + "tls_process_cke_ecdhe"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_GOST, 0), + "tls_process_cke_gost"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, 0), "tls_process_cke_psk_preamble"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_CKE_RSA), "tls_process_cke_rsa"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_CKE_SRP), "tls_process_cke_srp"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_RSA, 0), + "tls_process_cke_rsa"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CKE_SRP, 0), + "tls_process_cke_srp"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, 0), "tls_process_client_certificate"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_CLIENT_HELLO), "tls_process_client_hello"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CLIENT_HELLO, 0), + "tls_process_client_hello"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, 0), "tls_process_client_key_exchange"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_FINISHED), "tls_process_finished"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_KEY_EXCHANGE), "tls_process_key_exchange"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS, 0), + "tls_process_encrypted_extensions"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, 0), + "tls_process_end_of_early_data"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_FINISHED, 0), + "tls_process_finished"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_HELLO_REQ, 0), + "tls_process_hello_req"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, 0), + "tls_process_hello_retry_request"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT, 0), + "tls_process_initial_server_flight"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 0), + "tls_process_key_exchange"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_KEY_UPDATE, 0), + "tls_process_key_update"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 0), "tls_process_new_session_ticket"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_NEXT_PROTO), "tls_process_next_proto"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_NEXT_PROTO, 0), + "tls_process_next_proto"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 0), "tls_process_server_certificate"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_SERVER_DONE), "tls_process_server_done"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_SERVER_HELLO), "tls_process_server_hello"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_SKE_DHE), "tls_process_ske_dhe"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_SKE_ECDHE), "tls_process_ske_ecdhe"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_SERVER_DONE, 0), + "tls_process_server_done"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_SERVER_HELLO, 0), + "tls_process_server_hello"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_SKE_DHE, 0), + "tls_process_ske_dhe"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_SKE_ECDHE, 0), + "tls_process_ske_ecdhe"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, 0), "tls_process_ske_psk_preamble"}, - {ERR_FUNC(SSL_F_TLS_PROCESS_SKE_SRP), "tls_process_ske_srp"}, - {ERR_FUNC(SSL_F_USE_CERTIFICATE_CHAIN_FILE), + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PROCESS_SKE_SRP, 0), + "tls_process_ske_srp"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PSK_DO_BINDER, 0), "tls_psk_do_binder"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_SCAN_CLIENTHELLO_TLSEXT, 0), ""}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_SETUP_HANDSHAKE, 0), + "tls_setup_handshake"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_USE_CERTIFICATE_CHAIN_FILE, 0), "use_certificate_chain_file"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_WPACKET_INTERN_INIT_LEN, 0), + "wpacket_intern_init_len"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_WPACKET_START_SUB_PACKET_LEN__, 0), + "WPACKET_start_sub_packet_len__"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_WRITE_STATE_MACHINE, 0), + "write_state_machine"}, {0, NULL} }; -static ERR_STRING_DATA SSL_str_reasons[] = { - {ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE), "app data in handshake"}, - {ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT), - "attempt to reuse session in different context"}, - {ERR_REASON(SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE), - "at least TLS 1.0 needed in FIPS mode"}, - {ERR_REASON(SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE), - "at least (D)TLS 1.2 needed in Suite B mode"}, - {ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC), "bad change cipher spec"}, - {ERR_REASON(SSL_R_BAD_DATA), "bad data"}, - {ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK), - "bad data returned by callback"}, - {ERR_REASON(SSL_R_BAD_DECOMPRESSION), "bad decompression"}, - {ERR_REASON(SSL_R_BAD_DH_VALUE), "bad dh value"}, - {ERR_REASON(SSL_R_BAD_DIGEST_LENGTH), "bad digest length"}, - {ERR_REASON(SSL_R_BAD_ECC_CERT), "bad ecc cert"}, - {ERR_REASON(SSL_R_BAD_ECPOINT), "bad ecpoint"}, - {ERR_REASON(SSL_R_BAD_HANDSHAKE_LENGTH), "bad handshake length"}, - {ERR_REASON(SSL_R_BAD_HELLO_REQUEST), "bad hello request"}, - {ERR_REASON(SSL_R_BAD_LENGTH), "bad length"}, - {ERR_REASON(SSL_R_BAD_PACKET_LENGTH), "bad packet length"}, - {ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER), - "bad protocol version number"}, - {ERR_REASON(SSL_R_BAD_RSA_ENCRYPT), "bad rsa encrypt"}, - {ERR_REASON(SSL_R_BAD_SIGNATURE), "bad signature"}, - {ERR_REASON(SSL_R_BAD_SRP_A_LENGTH), "bad srp a length"}, - {ERR_REASON(SSL_R_BAD_SRP_PARAMETERS), "bad srp parameters"}, - {ERR_REASON(SSL_R_BAD_SRTP_MKI_VALUE), "bad srtp mki value"}, - {ERR_REASON(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST), - "bad srtp protection profile list"}, - {ERR_REASON(SSL_R_BAD_SSL_FILETYPE), "bad ssl filetype"}, - {ERR_REASON(SSL_R_BAD_VALUE), "bad value"}, - {ERR_REASON(SSL_R_BAD_WRITE_RETRY), "bad write retry"}, - {ERR_REASON(SSL_R_BIO_NOT_SET), "bio not set"}, - {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), - "block cipher pad is wrong"}, - {ERR_REASON(SSL_R_BN_LIB), "bn lib"}, - {ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH), "ca dn length mismatch"}, - {ERR_REASON(SSL_R_CA_KEY_TOO_SMALL), "ca key too small"}, - {ERR_REASON(SSL_R_CA_MD_TOO_WEAK), "ca md too weak"}, - {ERR_REASON(SSL_R_CCS_RECEIVED_EARLY), "ccs received early"}, - {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED), - "certificate verify failed"}, - {ERR_REASON(SSL_R_CERT_CB_ERROR), "cert cb error"}, - {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH), "cert length mismatch"}, - {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"}, - {ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE), - "cipher or hash unavailable"}, - {ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT), "clienthello tlsext"}, - {ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG), - "compressed length too long"}, - {ERR_REASON(SSL_R_COMPRESSION_DISABLED), "compression disabled"}, - {ERR_REASON(SSL_R_COMPRESSION_FAILURE), "compression failure"}, - {ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE), - "compression id not within private range"}, - {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR), - "compression library error"}, - {ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET), "connection type not set"}, - {ERR_REASON(SSL_R_CONTEXT_NOT_DANE_ENABLED), "context not dane enabled"}, - {ERR_REASON(SSL_R_COOKIE_GEN_CALLBACK_FAILURE), - "cookie gen callback failure"}, - {ERR_REASON(SSL_R_COOKIE_MISMATCH), "cookie mismatch"}, - {ERR_REASON(SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED), - "custom ext handler already installed"}, - {ERR_REASON(SSL_R_DANE_ALREADY_ENABLED), "dane already enabled"}, - {ERR_REASON(SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL), - "dane cannot override mtype full"}, - {ERR_REASON(SSL_R_DANE_NOT_ENABLED), "dane not enabled"}, - {ERR_REASON(SSL_R_DANE_TLSA_BAD_CERTIFICATE), - "dane tlsa bad certificate"}, - {ERR_REASON(SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE), - "dane tlsa bad certificate usage"}, - {ERR_REASON(SSL_R_DANE_TLSA_BAD_DATA_LENGTH), - "dane tlsa bad data length"}, - {ERR_REASON(SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH), - "dane tlsa bad digest length"}, - {ERR_REASON(SSL_R_DANE_TLSA_BAD_MATCHING_TYPE), - "dane tlsa bad matching type"}, - {ERR_REASON(SSL_R_DANE_TLSA_BAD_PUBLIC_KEY), "dane tlsa bad public key"}, - {ERR_REASON(SSL_R_DANE_TLSA_BAD_SELECTOR), "dane tlsa bad selector"}, - {ERR_REASON(SSL_R_DANE_TLSA_NULL_DATA), "dane tlsa null data"}, - {ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED), - "data between ccs and finished"}, - {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG), "data length too long"}, - {ERR_REASON(SSL_R_DECRYPTION_FAILED), "decryption failed"}, - {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC), - "decryption failed or bad record mac"}, - {ERR_REASON(SSL_R_DH_KEY_TOO_SMALL), "dh key too small"}, - {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG), - "dh public value length is wrong"}, - {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED), "digest check failed"}, - {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG), "dtls message too big"}, - {ERR_REASON(SSL_R_DUPLICATE_COMPRESSION_ID), "duplicate compression id"}, - {ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_SIGNING), "ecc cert not for signing"}, - {ERR_REASON(SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE), - "ecdh required for suiteb mode"}, - {ERR_REASON(SSL_R_EE_KEY_TOO_SMALL), "ee key too small"}, - {ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST), - "empty srtp protection profile list"}, - {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG), - "encrypted length too long"}, - {ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST), - "error in received cipher list"}, - {ERR_REASON(SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN), - "error setting tlsa base domain"}, - {ERR_REASON(SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE), - "exceeds max fragment size"}, - {ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE), "excessive message size"}, - {ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE), "extra data in message"}, - {ERR_REASON(SSL_R_FAILED_TO_INIT_ASYNC), "failed to init async"}, - {ERR_REASON(SSL_R_FRAGMENTED_CLIENT_HELLO), "fragmented client hello"}, - {ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS), "got a fin before a ccs"}, - {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST), "https proxy request"}, - {ERR_REASON(SSL_R_HTTP_REQUEST), "http request"}, - {ERR_REASON(SSL_R_ILLEGAL_SUITEB_DIGEST), "illegal Suite B digest"}, - {ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK), "inappropriate fallback"}, - {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION), "inconsistent compression"}, - {ERR_REASON(SSL_R_INCONSISTENT_EXTMS), "inconsistent extms"}, - {ERR_REASON(SSL_R_INVALID_COMMAND), "invalid command"}, - {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM), - "invalid compression algorithm"}, - {ERR_REASON(SSL_R_INVALID_CONFIGURATION_NAME), - "invalid configuration name"}, - {ERR_REASON(SSL_R_INVALID_CT_VALIDATION_TYPE), - "invalid ct validation type"}, - {ERR_REASON(SSL_R_INVALID_NULL_CMD_NAME), "invalid null cmd name"}, - {ERR_REASON(SSL_R_INVALID_SEQUENCE_NUMBER), "invalid sequence number"}, - {ERR_REASON(SSL_R_INVALID_SERVERINFO_DATA), "invalid serverinfo data"}, - {ERR_REASON(SSL_R_INVALID_SRP_USERNAME), "invalid srp username"}, - {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE), "invalid status response"}, - {ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH), - "invalid ticket keys length"}, - {ERR_REASON(SSL_R_LENGTH_MISMATCH), "length mismatch"}, - {ERR_REASON(SSL_R_LENGTH_TOO_LONG), "length too long"}, - {ERR_REASON(SSL_R_LENGTH_TOO_SHORT), "length too short"}, - {ERR_REASON(SSL_R_LIBRARY_BUG), "library bug"}, - {ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS), "library has no ciphers"}, - {ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT), "missing dsa signing cert"}, - {ERR_REASON(SSL_R_MISSING_ECDSA_SIGNING_CERT), - "missing ecdsa signing cert"}, - {ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE), "missing rsa certificate"}, - {ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT), - "missing rsa encrypting cert"}, - {ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT), "missing rsa signing cert"}, - {ERR_REASON(SSL_R_MISSING_SRP_PARAM), "can't find SRP server param"}, - {ERR_REASON(SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"}, - {ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY), "missing tmp ecdh key"}, - {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED), "no certificates returned"}, - {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED), "no certificate assigned"}, - {ERR_REASON(SSL_R_NO_CERTIFICATE_SET), "no certificate set"}, - {ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE), "no ciphers available"}, - {ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED), "no ciphers specified"}, - {ERR_REASON(SSL_R_NO_CIPHER_MATCH), "no cipher match"}, - {ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD), "no client cert method"}, - {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED), "no compression specified"}, - {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), - "Peer haven't sent GOST certificate, required for selected ciphersuite"}, - {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED), "no method specified"}, - {ERR_REASON(SSL_R_NO_PEM_EXTENSIONS), "no pem extensions"}, - {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED), "no private key assigned"}, - {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE), "no protocols available"}, - {ERR_REASON(SSL_R_NO_RENEGOTIATION), "no renegotiation"}, - {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST), "no required digest"}, - {ERR_REASON(SSL_R_NO_SHARED_CIPHER), "no shared cipher"}, - {ERR_REASON(SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS), - "no shared signature algorithms"}, - {ERR_REASON(SSL_R_NO_SRTP_PROFILES), "no srtp profiles"}, - {ERR_REASON(SSL_R_NO_VALID_SCTS), "no valid scts"}, - {ERR_REASON(SSL_R_NO_VERIFY_COOKIE_CALLBACK), - "no verify cookie callback"}, - {ERR_REASON(SSL_R_NULL_SSL_CTX), "null ssl ctx"}, - {ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED), "null ssl method passed"}, - {ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED), - "old session cipher not returned"}, - {ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED), - "old session compression algorithm not returned"}, - {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG), "packet length too long"}, - {ERR_REASON(SSL_R_PARSE_TLSEXT), "parse tlsext"}, - {ERR_REASON(SSL_R_PATH_TOO_LONG), "path too long"}, - {ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE), - "peer did not return a certificate"}, - {ERR_REASON(SSL_R_PEM_NAME_BAD_PREFIX), "pem name bad prefix"}, - {ERR_REASON(SSL_R_PEM_NAME_TOO_SHORT), "pem name too short"}, - {ERR_REASON(SSL_R_PIPELINE_FAILURE), "pipeline failure"}, - {ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN), "protocol is shutdown"}, - {ERR_REASON(SSL_R_PSK_IDENTITY_NOT_FOUND), "psk identity not found"}, - {ERR_REASON(SSL_R_PSK_NO_CLIENT_CB), "psk no client cb"}, - {ERR_REASON(SSL_R_PSK_NO_SERVER_CB), "psk no server cb"}, - {ERR_REASON(SSL_R_READ_BIO_NOT_SET), "read bio not set"}, - {ERR_REASON(SSL_R_READ_TIMEOUT_EXPIRED), "read timeout expired"}, - {ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH), "record length mismatch"}, - {ERR_REASON(SSL_R_RECORD_TOO_SMALL), "record too small"}, - {ERR_REASON(SSL_R_RENEGOTIATE_EXT_TOO_LONG), "renegotiate ext too long"}, - {ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR), - "renegotiation encoding err"}, - {ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH), "renegotiation mismatch"}, - {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING), "required cipher missing"}, - {ERR_REASON(SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING), - "required compression algorithm missing"}, - {ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING), - "scsv received when renegotiating"}, - {ERR_REASON(SSL_R_SCT_VERIFICATION_FAILED), "sct verification failed"}, - {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT), "serverhello tlsext"}, - {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED), - "session id context uninitialized"}, - {ERR_REASON(SSL_R_SHUTDOWN_WHILE_IN_INIT), "shutdown while in init"}, - {ERR_REASON(SSL_R_SIGNATURE_ALGORITHMS_ERROR), - "signature algorithms error"}, - {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE), - "signature for non signing certificate"}, - {ERR_REASON(SSL_R_SRP_A_CALC), "error with the srp params"}, - {ERR_REASON(SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES), - "srtp could not allocate profiles"}, - {ERR_REASON(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG), - "srtp protection profile list too long"}, - {ERR_REASON(SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE), - "srtp unknown protection profile"}, - {ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME), - "ssl3 ext invalid servername"}, - {ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE), - "ssl3 ext invalid servername type"}, - {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG), "ssl3 session id too long"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE), - "sslv3 alert bad certificate"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC), - "sslv3 alert bad record mac"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED), - "sslv3 alert certificate expired"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED), - "sslv3 alert certificate revoked"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN), - "sslv3 alert certificate unknown"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE), - "sslv3 alert decompression failure"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE), - "sslv3 alert handshake failure"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER), - "sslv3 alert illegal parameter"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE), - "sslv3 alert no certificate"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE), - "sslv3 alert unexpected message"}, - {ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE), - "sslv3 alert unsupported certificate"}, - {ERR_REASON(SSL_R_SSL_COMMAND_SECTION_EMPTY), - "ssl command section empty"}, - {ERR_REASON(SSL_R_SSL_COMMAND_SECTION_NOT_FOUND), - "ssl command section not found"}, - {ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION), - "ssl ctx has no default ssl version"}, - {ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE), "ssl handshake failure"}, - {ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS), - "ssl library has no ciphers"}, - {ERR_REASON(SSL_R_SSL_NEGATIVE_LENGTH), "ssl negative length"}, - {ERR_REASON(SSL_R_SSL_SECTION_EMPTY), "ssl section empty"}, - {ERR_REASON(SSL_R_SSL_SECTION_NOT_FOUND), "ssl section not found"}, - {ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED), - "ssl session id callback failed"}, - {ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT), "ssl session id conflict"}, - {ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG), - "ssl session id context too long"}, - {ERR_REASON(SSL_R_SSL_SESSION_ID_TOO_LONG), - "ssl session id too long"}, - {ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH), - "ssl session id has bad length"}, - {ERR_REASON(SSL_R_SSL_SESSION_VERSION_MISMATCH), - "ssl session version mismatch"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED), - "tlsv1 alert access denied"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR), "tlsv1 alert decode error"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), - "tlsv1 alert decryption failed"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), - "tlsv1 alert decrypt error"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION), - "tlsv1 alert export restriction"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), - "tlsv1 alert inappropriate fallback"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY), - "tlsv1 alert insufficient security"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR), - "tlsv1 alert internal error"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION), - "tlsv1 alert no renegotiation"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION), - "tlsv1 alert protocol version"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW), - "tlsv1 alert record overflow"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA), "tlsv1 alert unknown ca"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED), - "tlsv1 alert user cancelled"}, - {ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE), - "tlsv1 bad certificate hash value"}, - {ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE), - "tlsv1 bad certificate status response"}, - {ERR_REASON(SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE), - "tlsv1 certificate unobtainable"}, - {ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME), "tlsv1 unrecognized name"}, - {ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION), - "tlsv1 unsupported extension"}, - {ERR_REASON(SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT), - "peer does not accept heartbeats"}, - {ERR_REASON(SSL_R_TLS_HEARTBEAT_PENDING), - "heartbeat request already pending"}, - {ERR_REASON(SSL_R_TLS_ILLEGAL_EXPORTER_LABEL), - "tls illegal exporter label"}, - {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST), - "tls invalid ecpointformat list"}, - {ERR_REASON(SSL_R_TOO_MANY_WARN_ALERTS), "too many warn alerts"}, - {ERR_REASON(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS), - "unable to find ecdh parameters"}, - {ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS), - "unable to find public key parameters"}, - {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES), - "unable to load ssl3 md5 routines"}, - {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES), - "unable to load ssl3 sha1 routines"}, - {ERR_REASON(SSL_R_UNEXPECTED_MESSAGE), "unexpected message"}, - {ERR_REASON(SSL_R_UNEXPECTED_RECORD), "unexpected record"}, - {ERR_REASON(SSL_R_UNINITIALIZED), "uninitialized"}, - {ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"}, - {ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE), "unknown certificate type"}, - {ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED), "unknown cipher returned"}, - {ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE), "unknown cipher type"}, - {ERR_REASON(SSL_R_UNKNOWN_CMD_NAME), "unknown cmd name"}, - {ERR_REASON(SSL_R_UNKNOWN_COMMAND), "unknown command"}, - {ERR_REASON(SSL_R_UNKNOWN_DIGEST), "unknown digest"}, - {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE), - "unknown key exchange type"}, - {ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE), "unknown pkey type"}, - {ERR_REASON(SSL_R_UNKNOWN_PROTOCOL), "unknown protocol"}, - {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION), "unknown ssl version"}, - {ERR_REASON(SSL_R_UNKNOWN_STATE), "unknown state"}, - {ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED), - "unsafe legacy renegotiation disabled"}, - {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM), - "unsupported compression algorithm"}, - {ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE), - "unsupported elliptic curve"}, - {ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL), "unsupported protocol"}, - {ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION), "unsupported ssl version"}, - {ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE), "unsupported status type"}, - {ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED), "use srtp not negotiated"}, - {ERR_REASON(SSL_R_VERSION_TOO_HIGH), "version too high"}, - {ERR_REASON(SSL_R_VERSION_TOO_LOW), "version too low"}, - {ERR_REASON(SSL_R_WRONG_CERTIFICATE_TYPE), "wrong certificate type"}, - {ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED), "wrong cipher returned"}, - {ERR_REASON(SSL_R_WRONG_CURVE), "wrong curve"}, - {ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH), "wrong signature length"}, - {ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE), "wrong signature size"}, - {ERR_REASON(SSL_R_WRONG_SIGNATURE_TYPE), "wrong signature type"}, - {ERR_REASON(SSL_R_WRONG_SSL_VERSION), "wrong ssl version"}, - {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER), "wrong version number"}, - {ERR_REASON(SSL_R_X509_LIB), "x509 lib"}, - {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS), - "x509 verification setup problems"}, +static const ERR_STRING_DATA SSL_str_reasons[] = { + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY), + "application data after close notify"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE), + "app data in handshake"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT), + "attempt to reuse session in different context"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE), + "at least TLS 1.0 needed in FIPS mode"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE), + "at least (D)TLS 1.2 needed in Suite B mode"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CHANGE_CIPHER_SPEC), + "bad change cipher spec"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CIPHER), "bad cipher"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA), "bad data"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK), + "bad data returned by callback"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DECOMPRESSION), "bad decompression"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DH_VALUE), "bad dh value"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DIGEST_LENGTH), "bad digest length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_EARLY_DATA), "bad early data"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECC_CERT), "bad ecc cert"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECPOINT), "bad ecpoint"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_EXTENSION), "bad extension"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HANDSHAKE_LENGTH), + "bad handshake length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HANDSHAKE_STATE), + "bad handshake state"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HELLO_REQUEST), "bad hello request"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HRR_VERSION), "bad hrr version"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_KEY_SHARE), "bad key share"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_KEY_UPDATE), "bad key update"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_LEGACY_VERSION), "bad legacy version"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_LENGTH), "bad length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PACKET), "bad packet"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PACKET_LENGTH), "bad packet length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PROTOCOL_VERSION_NUMBER), + "bad protocol version number"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PSK), "bad psk"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PSK_IDENTITY), "bad psk identity"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RECORD_TYPE), "bad record type"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RSA_ENCRYPT), "bad rsa encrypt"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SIGNATURE), "bad signature"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_A_LENGTH), "bad srp a length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_PARAMETERS), "bad srp parameters"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRTP_MKI_VALUE), "bad srtp mki value"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST), + "bad srtp protection profile list"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SSL_FILETYPE), "bad ssl filetype"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_VALUE), "bad value"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_WRITE_RETRY), "bad write retry"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BINDER_DOES_NOT_VERIFY), + "binder does not verify"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BIO_NOT_SET), "bio not set"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), + "block cipher pad is wrong"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BN_LIB), "bn lib"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CALLBACK_FAILED), "callback failed"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CANNOT_CHANGE_CIPHER), + "cannot change cipher"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_DN_LENGTH_MISMATCH), + "ca dn length mismatch"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_KEY_TOO_SMALL), "ca key too small"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_MD_TOO_WEAK), "ca md too weak"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CCS_RECEIVED_EARLY), "ccs received early"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERTIFICATE_VERIFY_FAILED), + "certificate verify failed"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERT_CB_ERROR), "cert cb error"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERT_LENGTH_MISMATCH), + "cert length mismatch"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED), + "ciphersuite digest has changed"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_CODE_WRONG_LENGTH), + "cipher code wrong length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_OR_HASH_UNAVAILABLE), + "cipher or hash unavailable"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CLIENTHELLO_TLSEXT), "clienthello tlsext"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSED_LENGTH_TOO_LONG), + "compressed length too long"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_DISABLED), + "compression disabled"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_FAILURE), + "compression failure"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE), + "compression id not within private range"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_LIBRARY_ERROR), + "compression library error"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONNECTION_TYPE_NOT_SET), + "connection type not set"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONTEXT_NOT_DANE_ENABLED), + "context not dane enabled"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COOKIE_GEN_CALLBACK_FAILURE), + "cookie gen callback failure"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COOKIE_MISMATCH), "cookie mismatch"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED), + "custom ext handler already installed"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_ALREADY_ENABLED), + "dane already enabled"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL), + "dane cannot override mtype full"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_NOT_ENABLED), "dane not enabled"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_CERTIFICATE), + "dane tlsa bad certificate"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE), + "dane tlsa bad certificate usage"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_DATA_LENGTH), + "dane tlsa bad data length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH), + "dane tlsa bad digest length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_MATCHING_TYPE), + "dane tlsa bad matching type"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY), + "dane tlsa bad public key"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_SELECTOR), + "dane tlsa bad selector"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_NULL_DATA), + "dane tlsa null data"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED), + "data between ccs and finished"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DATA_LENGTH_TOO_LONG), + "data length too long"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DECRYPTION_FAILED), "decryption failed"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC), + "decryption failed or bad record mac"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DH_KEY_TOO_SMALL), "dh key too small"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG), + "dh public value length is wrong"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DIGEST_CHECK_FAILED), + "digest check failed"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DTLS_MESSAGE_TOO_BIG), + "dtls message too big"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DUPLICATE_COMPRESSION_ID), + "duplicate compression id"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECC_CERT_NOT_FOR_SIGNING), + "ecc cert not for signing"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE), + "ecdh required for suiteb mode"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EE_KEY_TOO_SMALL), "ee key too small"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST), + "empty srtp protection profile list"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ENCRYPTED_LENGTH_TOO_LONG), + "encrypted length too long"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST), + "error in received cipher list"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN), + "error setting tlsa base domain"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE), + "exceeds max fragment size"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXCESSIVE_MESSAGE_SIZE), + "excessive message size"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXTENSION_NOT_RECEIVED), + "extension not received"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXTRA_DATA_IN_MESSAGE), + "extra data in message"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXT_LENGTH_MISMATCH), + "ext length mismatch"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FAILED_TO_INIT_ASYNC), + "failed to init async"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FRAGMENTED_CLIENT_HELLO), + "fragmented client hello"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOT_A_FIN_BEFORE_A_CCS), + "got a fin before a ccs"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HTTPS_PROXY_REQUEST), + "https proxy request"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HTTP_REQUEST), "http request"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ILLEGAL_POINT_COMPRESSION), + "illegal point compression"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ILLEGAL_SUITEB_DIGEST), + "illegal Suite B digest"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INAPPROPRIATE_FALLBACK), + "inappropriate fallback"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_COMPRESSION), + "inconsistent compression"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_EARLY_DATA_ALPN), + "inconsistent early data alpn"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_EARLY_DATA_SNI), + "inconsistent early data sni"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_EXTMS), "inconsistent extms"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INSUFFICIENT_SECURITY), + "insufficient security"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_ALERT), "invalid alert"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CCS_MESSAGE), + "invalid ccs message"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CERTIFICATE_OR_ALG), + "invalid certificate or alg"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMMAND), "invalid command"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMPRESSION_ALGORITHM), + "invalid compression algorithm"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CONFIG), "invalid config"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CONFIGURATION_NAME), + "invalid configuration name"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CONTEXT), "invalid context"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CT_VALIDATION_TYPE), + "invalid ct validation type"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_KEY_UPDATE_TYPE), + "invalid key update type"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_MAX_EARLY_DATA), + "invalid max early data"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_NULL_CMD_NAME), + "invalid null cmd name"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SEQUENCE_NUMBER), + "invalid sequence number"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SERVERINFO_DATA), + "invalid serverinfo data"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SESSION_ID), "invalid session id"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SRP_USERNAME), + "invalid srp username"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_STATUS_RESPONSE), + "invalid status response"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_TICKET_KEYS_LENGTH), + "invalid ticket keys length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_MISMATCH), "length mismatch"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_LONG), "length too long"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_SHORT), "length too short"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LIBRARY_BUG), "library bug"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LIBRARY_HAS_NO_CIPHERS), + "library has no ciphers"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_DSA_SIGNING_CERT), + "missing dsa signing cert"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_ECDSA_SIGNING_CERT), + "missing ecdsa signing cert"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_FATAL), "missing fatal"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_PARAMETERS), "missing parameters"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_CERTIFICATE), + "missing rsa certificate"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_ENCRYPTING_CERT), + "missing rsa encrypting cert"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_SIGNING_CERT), + "missing rsa signing cert"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SIGALGS_EXTENSION), + "missing sigalgs extension"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SIGNING_CERT), + "missing signing cert"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SRP_PARAM), + "can't find SRP server param"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION), + "missing supported groups extension"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY), + "missing tmp ecdh key"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY), + "not on record boundary"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_REPLACING_CERTIFICATE), + "not replacing certificate"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_SERVER), "not server"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_APPLICATION_PROTOCOL), + "no application protocol"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATES_RETURNED), + "no certificates returned"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_ASSIGNED), + "no certificate assigned"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_SET), "no certificate set"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CHANGE_FOLLOWING_HRR), + "no change following hrr"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHERS_AVAILABLE), + "no ciphers available"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHERS_SPECIFIED), + "no ciphers specified"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHER_MATCH), "no cipher match"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CLIENT_CERT_METHOD), + "no client cert method"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_COMPRESSION_SPECIFIED), + "no compression specified"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_COOKIE_CALLBACK_SET), + "no cookie callback set"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), + "Peer haven't sent GOST certificate, required for selected ciphersuite"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_METHOD_SPECIFIED), + "no method specified"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PEM_EXTENSIONS), "no pem extensions"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PRIVATE_KEY_ASSIGNED), + "no private key assigned"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PROTOCOLS_AVAILABLE), + "no protocols available"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_RENEGOTIATION), "no renegotiation"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_REQUIRED_DIGEST), "no required digest"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SHARED_CIPHER), "no shared cipher"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SHARED_GROUPS), "no shared groups"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS), + "no shared signature algorithms"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SRTP_PROFILES), "no srtp profiles"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_KEY_SHARE), + "no suitable key share"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM), + "no suitable signature algorithm"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_VALID_SCTS), "no valid scts"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_VERIFY_COOKIE_CALLBACK), + "no verify cookie callback"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_CTX), "null ssl ctx"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_METHOD_PASSED), + "null ssl method passed"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED), + "old session cipher not returned"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED), + "old session compression algorithm not returned"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OVERFLOW_ERROR), "overflow error"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PACKET_LENGTH_TOO_LONG), + "packet length too long"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PARSE_TLSEXT), "parse tlsext"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PATH_TOO_LONG), "path too long"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE), + "peer did not return a certificate"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEM_NAME_BAD_PREFIX), + "pem name bad prefix"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEM_NAME_TOO_SHORT), "pem name too short"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PIPELINE_FAILURE), "pipeline failure"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR), + "post handshake auth encoding err"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PRIVATE_KEY_MISMATCH), + "private key mismatch"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PROTOCOL_IS_SHUTDOWN), + "protocol is shutdown"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_IDENTITY_NOT_FOUND), + "psk identity not found"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_NO_CLIENT_CB), "psk no client cb"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_NO_SERVER_CB), "psk no server cb"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_READ_BIO_NOT_SET), "read bio not set"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_READ_TIMEOUT_EXPIRED), + "read timeout expired"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_LENGTH_MISMATCH), + "record length mismatch"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_TOO_SMALL), "record too small"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATE_EXT_TOO_LONG), + "renegotiate ext too long"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATION_ENCODING_ERR), + "renegotiation encoding err"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATION_MISMATCH), + "renegotiation mismatch"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUEST_PENDING), "request pending"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUEST_SENT), "request sent"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUIRED_CIPHER_MISSING), + "required cipher missing"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING), + "required compression algorithm missing"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING), + "scsv received when renegotiating"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SCT_VERIFICATION_FAILED), + "sct verification failed"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SERVERHELLO_TLSEXT), "serverhello tlsext"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED), + "session id context uninitialized"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SHUTDOWN_WHILE_IN_INIT), + "shutdown while in init"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SIGNATURE_ALGORITHMS_ERROR), + "signature algorithms error"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE), + "signature for non signing certificate"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRP_A_CALC), "error with the srp params"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES), + "srtp could not allocate profiles"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG), + "srtp protection profile list too long"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE), + "srtp unknown protection profile"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH), + "ssl3 ext invalid max fragment length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_SERVERNAME), + "ssl3 ext invalid servername"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE), + "ssl3 ext invalid servername type"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_SESSION_ID_TOO_LONG), + "ssl3 session id too long"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE), + "sslv3 alert bad certificate"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_BAD_RECORD_MAC), + "sslv3 alert bad record mac"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED), + "sslv3 alert certificate expired"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED), + "sslv3 alert certificate revoked"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN), + "sslv3 alert certificate unknown"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE), + "sslv3 alert decompression failure"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE), + "sslv3 alert handshake failure"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER), + "sslv3 alert illegal parameter"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_NO_CERTIFICATE), + "sslv3 alert no certificate"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE), + "sslv3 alert unexpected message"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE), + "sslv3 alert unsupported certificate"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_COMMAND_SECTION_EMPTY), + "ssl command section empty"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_COMMAND_SECTION_NOT_FOUND), + "ssl command section not found"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION), + "ssl ctx has no default ssl version"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_HANDSHAKE_FAILURE), + "ssl handshake failure"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS), + "ssl library has no ciphers"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_NEGATIVE_LENGTH), + "ssl negative length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SECTION_EMPTY), "ssl section empty"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SECTION_NOT_FOUND), + "ssl section not found"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CALLBACK_FAILED), + "ssl session id callback failed"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CONFLICT), + "ssl session id conflict"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG), + "ssl session id context too long"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH), + "ssl session id has bad length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_TOO_LONG), + "ssl session id too long"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_VERSION_MISMATCH), + "ssl session version mismatch"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STILL_IN_INIT), "still in init"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED), + "tlsv13 alert certificate required"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_MISSING_EXTENSION), + "tlsv13 alert missing extension"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_ACCESS_DENIED), + "tlsv1 alert access denied"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECODE_ERROR), + "tlsv1 alert decode error"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), + "tlsv1 alert decryption failed"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECRYPT_ERROR), + "tlsv1 alert decrypt error"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION), + "tlsv1 alert export restriction"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), + "tlsv1 alert inappropriate fallback"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY), + "tlsv1 alert insufficient security"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INTERNAL_ERROR), + "tlsv1 alert internal error"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_NO_RENEGOTIATION), + "tlsv1 alert no renegotiation"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_PROTOCOL_VERSION), + "tlsv1 alert protocol version"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_RECORD_OVERFLOW), + "tlsv1 alert record overflow"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_UNKNOWN_CA), + "tlsv1 alert unknown ca"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_USER_CANCELLED), + "tlsv1 alert user cancelled"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE), + "tlsv1 bad certificate hash value"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE), + "tlsv1 bad certificate status response"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE), + "tlsv1 certificate unobtainable"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNRECOGNIZED_NAME), + "tlsv1 unrecognized name"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNSUPPORTED_EXTENSION), + "tlsv1 unsupported extension"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT), + "peer does not accept heartbeats"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_HEARTBEAT_PENDING), + "heartbeat request already pending"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL), + "tls illegal exporter label"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST), + "tls invalid ecpointformat list"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TOO_MANY_KEY_UPDATES), + "too many key updates"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TOO_MANY_WARN_ALERTS), + "too many warn alerts"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TOO_MUCH_EARLY_DATA), + "too much early data"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS), + "unable to find ecdh parameters"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS), + "unable to find public key parameters"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES), + "unable to load ssl3 md5 routines"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES), + "unable to load ssl3 sha1 routines"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_CCS_MESSAGE), + "unexpected ccs message"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA), + "unexpected end of early data"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CERTIFICATE_TYPE), + "unknown certificate type"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CIPHER_RETURNED), + "unknown cipher returned"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CIPHER_TYPE), + "unknown cipher type"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CMD_NAME), "unknown cmd name"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_COMMAND), "unknown command"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_DIGEST), "unknown digest"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE), + "unknown key exchange type"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_PKEY_TYPE), "unknown pkey type"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_PROTOCOL), "unknown protocol"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_SSL_VERSION), + "unknown ssl version"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_STATE), "unknown state"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED), + "unsafe legacy renegotiation disabled"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSOLICITED_EXTENSION), + "unsolicited extension"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM), + "unsupported compression algorithm"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE), + "unsupported elliptic curve"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_PROTOCOL), + "unsupported protocol"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_SSL_VERSION), + "unsupported ssl version"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_STATUS_TYPE), + "unsupported status type"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_USE_SRTP_NOT_NEGOTIATED), + "use srtp not negotiated"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_VERSION_TOO_HIGH), "version too high"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_VERSION_TOO_LOW), "version too low"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CERTIFICATE_TYPE), + "wrong certificate type"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CIPHER_RETURNED), + "wrong cipher returned"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CURVE), "wrong curve"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_LENGTH), + "wrong signature length"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_SIZE), + "wrong signature size"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_TYPE), + "wrong signature type"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SSL_VERSION), "wrong ssl version"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_VERSION_NUMBER), + "wrong version number"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_X509_LIB), "x509 lib"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS), + "x509 verification setup problems"}, {0, NULL} }; @@ -679,10 +1266,9 @@ static ERR_STRING_DATA SSL_str_reasons[] = { int ERR_load_SSL_strings(void) { #ifndef OPENSSL_NO_ERR - if (ERR_func_error_string(SSL_str_functs[0].error) == NULL) { - ERR_load_strings(0, SSL_str_functs); - ERR_load_strings(0, SSL_str_reasons); + ERR_load_strings_const(SSL_str_functs); + ERR_load_strings_const(SSL_str_reasons); } #endif return 1; diff --git a/deps/openssl/openssl/ssl/ssl_init.c b/deps/openssl/openssl/ssl/ssl_init.c index dc16e39bf3..c0ccb9304a 100644 --- a/deps/openssl/openssl/ssl/ssl_init.c +++ b/deps/openssl/openssl/ssl/ssl_init.c @@ -12,8 +12,6 @@ #include "internal/err.h" #include <openssl/crypto.h> #include <openssl/evp.h> -#include <openssl/conf.h> -#include <assert.h> #include "ssl_locl.h" #include "internal/thread_once.h" @@ -61,6 +59,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base) EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); EVP_add_cipher(EVP_aes_128_cbc_hmac_sha256()); EVP_add_cipher(EVP_aes_256_cbc_hmac_sha256()); +#ifndef OPENSSL_NO_ARIA + EVP_add_cipher(EVP_aria_128_gcm()); + EVP_add_cipher(EVP_aria_256_gcm()); +#endif #ifndef OPENSSL_NO_CAMELLIA EVP_add_cipher(EVP_camellia_128_cbc()); EVP_add_cipher(EVP_camellia_256_cbc()); @@ -97,13 +99,13 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base) SSL_COMP_get_compression_methods(); #endif /* initialize cipher/digest methods table */ - ssl_load_ciphers(); + if (!ssl_load_ciphers()) + return 0; #ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " "SSL_add_ssl_module()\n"); #endif - SSL_add_ssl_module(); /* * We ignore an error return here. Not much we can do - but not that bad * either. We can still safely continue. @@ -193,6 +195,9 @@ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS * settings) } if (!OPENSSL_init_crypto(opts +#ifndef OPENSSL_NO_AUTOLOAD_CONFIG + | OPENSSL_INIT_LOAD_CONFIG +#endif | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, settings)) diff --git a/deps/openssl/openssl/ssl/ssl_lib.c b/deps/openssl/openssl/ssl/ssl_lib.c index 2002c1712f..61a0ea2cc9 100644 --- a/deps/openssl/openssl/ssl/ssl_lib.c +++ b/deps/openssl/openssl/ssl/ssl_lib.c @@ -1,5 +1,7 @@ /* * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,55 +9,23 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - -#include <assert.h> #include <stdio.h> #include "ssl_locl.h" #include <openssl/objects.h> -#include <openssl/lhash.h> #include <openssl/x509v3.h> #include <openssl/rand.h> +#include <openssl/rand_drbg.h> #include <openssl/ocsp.h> #include <openssl/dh.h> #include <openssl/engine.h> #include <openssl/async.h> #include <openssl/ct.h> +#include "internal/cryptlib.h" +#include "internal/refcount.h" const char SSL_version_str[] = OPENSSL_VERSION_TEXT; -static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, unsigned int s, - int t) +static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, size_t s, int t) { (void)r; (void)s; @@ -73,11 +43,12 @@ static int ssl_undefined_function_2(SSL *ssl, SSL3_RECORD *r, unsigned char *s, } static int ssl_undefined_function_3(SSL *ssl, unsigned char *r, - unsigned char *s, int t) + unsigned char *s, size_t t, size_t *u) { (void)r; (void)s; (void)t; + (void)u; return ssl_undefined_function(ssl); } @@ -87,8 +58,8 @@ static int ssl_undefined_function_4(SSL *ssl, int r) return ssl_undefined_function(ssl); } -static int ssl_undefined_function_5(SSL *ssl, const char *r, int s, - unsigned char *t) +static size_t ssl_undefined_function_5(SSL *ssl, const char *r, size_t s, + unsigned char *t) { (void)r; (void)s; @@ -123,7 +94,6 @@ SSL3_ENC_METHOD ssl3_undef_enc_method = { ssl_undefined_function_3, ssl_undefined_function_4, ssl_undefined_function_5, - 0, /* finish_mac_length */ NULL, /* client_finished_label */ 0, /* client_finished_label_len */ NULL, /* server_finished_label */ @@ -135,11 +105,11 @@ SSL3_ENC_METHOD ssl3_undef_enc_method = { struct ssl_async_args { SSL *s; void *buf; - int num; + size_t num; enum { READFUNC, WRITEFUNC, OTHERFUNC } type; union { - int (*func_read) (SSL *, void *, int); - int (*func_write) (SSL *, const void *, int); + int (*func_read) (SSL *, void *, size_t, size_t *); + int (*func_write) (SSL *, const void *, size_t, size_t *); int (*func_other) (SSL *); } f; }; @@ -244,17 +214,17 @@ static int ssl_dane_dup(SSL *to, SSL *from) if (!DANETLS_ENABLED(&from->dane)) return 1; + num = sk_danetls_record_num(from->dane.trecs); dane_final(&to->dane); to->dane.flags = from->dane.flags; to->dane.dctx = &to->ctx->dane; - to->dane.trecs = sk_danetls_record_new_null(); + to->dane.trecs = sk_danetls_record_new_reserve(NULL, num); if (to->dane.trecs == NULL) { SSLerr(SSL_F_SSL_DANE_DUP, ERR_R_MALLOC_FAILURE); return 0; } - num = sk_danetls_record_num(from->dane.trecs); for (i = 0; i < num; ++i) { danetls_record *t = sk_danetls_record_value(from->dane.trecs, i); @@ -373,14 +343,14 @@ static int dane_tlsa_add(SSL_DANE *dane, t->usage = usage; t->selector = selector; t->mtype = mtype; - t->data = OPENSSL_malloc(ilen); + t->data = OPENSSL_malloc(dlen); if (t->data == NULL) { tlsa_free(t); SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE); return -1; } - memcpy(t->data, data, ilen); - t->dlen = ilen; + memcpy(t->data, data, dlen); + t->dlen = dlen; /* Validate and cache full certificate or public key */ if (mtype == DANETLS_MATCHING_FULL) { @@ -390,7 +360,7 @@ static int dane_tlsa_add(SSL_DANE *dane, switch (selector) { case DANETLS_SELECTOR_CERT: - if (!d2i_X509(&cert, &p, dlen) || p < data || + if (!d2i_X509(&cert, &p, ilen) || p < data || dlen != (size_t)(p - data)) { tlsa_free(t); SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE); @@ -425,7 +395,7 @@ static int dane_tlsa_add(SSL_DANE *dane, break; case DANETLS_SELECTOR_SPKI: - if (!d2i_PUBKEY(&pkey, &p, dlen) || p < data || + if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data || dlen != (size_t)(p - data)) { tlsa_free(t); SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY); @@ -523,8 +493,8 @@ static int ssl_check_allowed_versions(int min_version, int max_version) if (min_version == DTLS1_VERSION) min_version = DTLS1_2_VERSION; #endif - /* Done massaging versions; do the check. */ - if (0 + /* Done massaging versions; do the check. */ + if (0 #ifdef OPENSSL_NO_DTLS1 || (DTLS_VERSION_GE(min_version, DTLS1_VERSION) && DTLS_VERSION_GE(DTLS1_VERSION, max_version)) @@ -537,36 +507,44 @@ static int ssl_check_allowed_versions(int min_version, int max_version) return 0; } else { /* Regular TLS version checks. */ - if (min_version == 0) - min_version = SSL3_VERSION; - if (max_version == 0) - max_version = TLS1_2_VERSION; + if (min_version == 0) + min_version = SSL3_VERSION; + if (max_version == 0) + max_version = TLS1_3_VERSION; +#ifdef OPENSSL_NO_TLS1_3 + if (max_version == TLS1_3_VERSION) + max_version = TLS1_2_VERSION; +#endif #ifdef OPENSSL_NO_TLS1_2 - if (max_version == TLS1_2_VERSION) - max_version = TLS1_1_VERSION; + if (max_version == TLS1_2_VERSION) + max_version = TLS1_1_VERSION; #endif #ifdef OPENSSL_NO_TLS1_1 - if (max_version == TLS1_1_VERSION) - max_version = TLS1_VERSION; + if (max_version == TLS1_1_VERSION) + max_version = TLS1_VERSION; #endif #ifdef OPENSSL_NO_TLS1 - if (max_version == TLS1_VERSION) - max_version = SSL3_VERSION; + if (max_version == TLS1_VERSION) + max_version = SSL3_VERSION; #endif #ifdef OPENSSL_NO_SSL3 - if (min_version == SSL3_VERSION) - min_version = TLS1_VERSION; + if (min_version == SSL3_VERSION) + min_version = TLS1_VERSION; #endif #ifdef OPENSSL_NO_TLS1 - if (min_version == TLS1_VERSION) - min_version = TLS1_1_VERSION; + if (min_version == TLS1_VERSION) + min_version = TLS1_1_VERSION; #endif #ifdef OPENSSL_NO_TLS1_1 - if (min_version == TLS1_1_VERSION) - min_version = TLS1_2_VERSION; + if (min_version == TLS1_1_VERSION) + min_version = TLS1_2_VERSION; +#endif +#ifdef OPENSSL_NO_TLS1_2 + if (min_version == TLS1_2_VERSION) + min_version = TLS1_3_VERSION; #endif - /* Done massaging versions; do the check. */ - if (0 + /* Done massaging versions; do the check. */ + if (0 #ifdef OPENSSL_NO_SSL3 || (min_version <= SSL3_VERSION && SSL3_VERSION <= max_version) #endif @@ -579,6 +557,9 @@ static int ssl_check_allowed_versions(int min_version, int max_version) #ifdef OPENSSL_NO_TLS1_2 || (min_version <= TLS1_2_VERSION && TLS1_2_VERSION <= max_version) #endif +#ifdef OPENSSL_NO_TLS1_3 + || (min_version <= TLS1_3_VERSION && TLS1_3_VERSION <= max_version) +#endif ) return 0; } @@ -597,13 +578,20 @@ int SSL_clear(SSL *s) { if (s->method == NULL) { SSLerr(SSL_F_SSL_CLEAR, SSL_R_NO_METHOD_SPECIFIED); - return (0); + return 0; } if (ssl_clear_bad_session(s)) { SSL_SESSION_free(s->session); s->session = NULL; } + SSL_SESSION_free(s->psksession); + s->psksession = NULL; + OPENSSL_free(s->psksession_id); + s->psksession_id = NULL; + s->psksession_id_len = 0; + s->hello_retry_request = 0; + s->sent_tickets = 0; s->error = 0; s->hit = 0; @@ -625,6 +613,11 @@ int SSL_clear(SSL *s) clear_ciphers(s); s->first_packet = 0; + s->key_update = SSL_KEY_UPDATE_NONE; + + EVP_MD_CTX_free(s->pha_dgst); + s->pha_dgst = NULL; + /* Reset DANE verification result state */ s->dane.mdpth = -1; s->dane.pdpth = -1; @@ -637,20 +630,21 @@ int SSL_clear(SSL *s) /* * Check to see if we were changed into a different method, if so, revert - * back if we are not doing session-id reuse. + * back. */ - if (!ossl_statem_get_in_handshake(s) && (s->session == NULL) - && (s->method != s->ctx->method)) { + if (s->method != s->ctx->method) { s->method->ssl_free(s); s->method = s->ctx->method; if (!s->method->ssl_new(s)) - return (0); - } else - s->method->ssl_clear(s); + return 0; + } else { + if (!s->method->ssl_clear(s)) + return 0; + } RECORD_LAYER_clear(&s->rlayer); - return (1); + return 1; } /** Used to change an SSL_CTXs default SSL method type */ @@ -660,14 +654,20 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) ctx->method = meth; - sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list), + if (!SSL_CTX_set_ciphersuites(ctx, TLS_DEFAULT_CIPHERSUITES)) { + SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); + return 0; + } + sk = ssl_create_cipher_list(ctx->method, + ctx->tls13_ciphersuites, + &(ctx->cipher_list), &(ctx->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST, ctx->cert); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); - return (0); + return 0; } - return (1); + return 1; } SSL *SSL_new(SSL_CTX *ctx) @@ -676,22 +676,23 @@ SSL *SSL_new(SSL_CTX *ctx) if (ctx == NULL) { SSLerr(SSL_F_SSL_NEW, SSL_R_NULL_SSL_CTX); - return (NULL); + return NULL; } if (ctx->method == NULL) { SSLerr(SSL_F_SSL_NEW, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); - return (NULL); + return NULL; } s = OPENSSL_zalloc(sizeof(*s)); if (s == NULL) goto err; + s->references = 1; s->lock = CRYPTO_THREAD_lock_new(); if (s->lock == NULL) { - SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE); OPENSSL_free(s); - return NULL; + s = NULL; + goto err; } RECORD_LAYER_init(&s->rlayer, s); @@ -702,7 +703,15 @@ SSL *SSL_new(SSL_CTX *ctx) s->max_proto_version = ctx->max_proto_version; s->mode = ctx->mode; s->max_cert_list = ctx->max_cert_list; - s->references = 1; + s->max_early_data = ctx->max_early_data; + s->recv_max_early_data = ctx->recv_max_early_data; + s->num_tickets = ctx->num_tickets; + s->pha_enabled = ctx->pha_enabled; + + /* Shallow copy of the ciphersuites stack */ + s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites); + if (s->tls13_ciphersuites == NULL) + goto err; /* * Earlier library versions used to copy the pointer to the CERT, not @@ -722,8 +731,12 @@ SSL *SSL_new(SSL_CTX *ctx) s->msg_callback_arg = ctx->msg_callback_arg; s->verify_mode = ctx->verify_mode; s->not_resumable_session_cb = ctx->not_resumable_session_cb; + s->record_padding_cb = ctx->record_padding_cb; + s->record_padding_arg = ctx->record_padding_arg; + s->block_padding = ctx->block_padding; s->sid_ctx_length = ctx->sid_ctx_length; - OPENSSL_assert(s->sid_ctx_length <= sizeof(s->sid_ctx)); + if (!ossl_assert(s->sid_ctx_length <= sizeof(s->sid_ctx))) + goto err; memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); s->verify_callback = ctx->default_verify_callback; s->generate_session_id = ctx->generate_session_id; @@ -733,6 +746,8 @@ SSL *SSL_new(SSL_CTX *ctx) goto err; X509_VERIFY_PARAM_inherit(s->param, ctx->param); s->quiet_shutdown = ctx->quiet_shutdown; + + s->ext.max_fragment_len_mode = ctx->ext.max_fragment_len_mode; s->max_send_fragment = ctx->max_send_fragment; s->split_send_fragment = ctx->split_send_fragment; s->max_pipelines = ctx->max_pipelines; @@ -743,49 +758,47 @@ SSL *SSL_new(SSL_CTX *ctx) SSL_CTX_up_ref(ctx); s->ctx = ctx; - s->tlsext_debug_cb = 0; - s->tlsext_debug_arg = NULL; - s->tlsext_ticket_expected = 0; - s->tlsext_status_type = ctx->tlsext_status_type; - s->tlsext_status_expected = 0; - s->tlsext_ocsp_ids = NULL; - s->tlsext_ocsp_exts = NULL; - s->tlsext_ocsp_resp = NULL; - s->tlsext_ocsp_resplen = -1; + s->ext.debug_cb = 0; + s->ext.debug_arg = NULL; + s->ext.ticket_expected = 0; + s->ext.status_type = ctx->ext.status_type; + s->ext.status_expected = 0; + s->ext.ocsp.ids = NULL; + s->ext.ocsp.exts = NULL; + s->ext.ocsp.resp = NULL; + s->ext.ocsp.resp_len = 0; SSL_CTX_up_ref(ctx); s->session_ctx = ctx; #ifndef OPENSSL_NO_EC - if (ctx->tlsext_ecpointformatlist) { - s->tlsext_ecpointformatlist = - OPENSSL_memdup(ctx->tlsext_ecpointformatlist, - ctx->tlsext_ecpointformatlist_length); - if (!s->tlsext_ecpointformatlist) + if (ctx->ext.ecpointformats) { + s->ext.ecpointformats = + OPENSSL_memdup(ctx->ext.ecpointformats, + ctx->ext.ecpointformats_len); + if (!s->ext.ecpointformats) goto err; - s->tlsext_ecpointformatlist_length = - ctx->tlsext_ecpointformatlist_length; - } - if (ctx->tlsext_ellipticcurvelist) { - s->tlsext_ellipticcurvelist = - OPENSSL_memdup(ctx->tlsext_ellipticcurvelist, - ctx->tlsext_ellipticcurvelist_length); - if (!s->tlsext_ellipticcurvelist) + s->ext.ecpointformats_len = + ctx->ext.ecpointformats_len; + } + if (ctx->ext.supportedgroups) { + s->ext.supportedgroups = + OPENSSL_memdup(ctx->ext.supportedgroups, + ctx->ext.supportedgroups_len + * sizeof(*ctx->ext.supportedgroups)); + if (!s->ext.supportedgroups) goto err; - s->tlsext_ellipticcurvelist_length = - ctx->tlsext_ellipticcurvelist_length; + s->ext.supportedgroups_len = ctx->ext.supportedgroups_len; } #endif #ifndef OPENSSL_NO_NEXTPROTONEG - s->next_proto_negotiated = NULL; + s->ext.npn = NULL; #endif - if (s->ctx->alpn_client_proto_list) { - s->alpn_client_proto_list = - OPENSSL_malloc(s->ctx->alpn_client_proto_list_len); - if (s->alpn_client_proto_list == NULL) + if (s->ctx->ext.alpn) { + s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len); + if (s->ext.alpn == NULL) goto err; - memcpy(s->alpn_client_proto_list, s->ctx->alpn_client_proto_list, - s->ctx->alpn_client_proto_list_len); - s->alpn_client_proto_list_len = s->ctx->alpn_client_proto_list_len; + memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len); + s->ext.alpn_len = s->ctx->ext.alpn_len; } s->verified_chain = NULL; @@ -796,6 +809,11 @@ SSL *SSL_new(SSL_CTX *ctx) s->method = ctx->method; + s->key_update = SSL_KEY_UPDATE_NONE; + + s->allow_early_data_cb = ctx->allow_early_data_cb; + s->allow_early_data_cb_data = ctx->allow_early_data_cb_data; + if (!s->method->ssl_new(s)) goto err; @@ -811,6 +829,8 @@ SSL *SSL_new(SSL_CTX *ctx) s->psk_client_callback = ctx->psk_client_callback; s->psk_server_callback = ctx->psk_server_callback; #endif + s->psk_find_session_cb = ctx->psk_find_session_cb; + s->psk_use_session_cb = ctx->psk_use_session_cb; s->job = NULL; @@ -836,7 +856,7 @@ int SSL_up_ref(SSL *s) { int i; - if (CRYPTO_atomic_add(&s->references, 1, &i, s->lock) <= 0) + if (CRYPTO_UP_REF(&s->references, &i, s->lock) <= 0) return 0; REF_PRINT_COUNT("SSL", s); @@ -992,7 +1012,7 @@ int SSL_dane_enable(SSL *s, const char *basedomain) * accepts them and disables host name checks. To avoid side-effects with * invalid input, set the SNI name first. */ - if (s->tlsext_hostname == NULL) { + if (s->ext.hostname == NULL) { if (!SSL_set_tlsext_host_name(s, basedomain)) { SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN); return -1; @@ -1118,8 +1138,7 @@ void SSL_free(SSL *s) if (s == NULL) return; - - CRYPTO_atomic_add(&s->references, -1, &i, s->lock); + CRYPTO_DOWN_REF(&s->references, &i, s->lock); REF_PRINT_COUNT("SSL", s); if (i > 0) return; @@ -1129,6 +1148,7 @@ void SSL_free(SSL *s) dane_final(&s->dane); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); + /* Ignore return value */ ssl_free_wbio_buffer(s); BIO_free_all(s->wbio); @@ -1139,36 +1159,44 @@ void SSL_free(SSL *s) /* add extra stuff */ sk_SSL_CIPHER_free(s->cipher_list); sk_SSL_CIPHER_free(s->cipher_list_by_id); + sk_SSL_CIPHER_free(s->tls13_ciphersuites); /* Make the next call work :-) */ if (s->session != NULL) { ssl_clear_bad_session(s); SSL_SESSION_free(s->session); } + SSL_SESSION_free(s->psksession); + OPENSSL_free(s->psksession_id); clear_ciphers(s); ssl_cert_free(s->cert); /* Free up if allocated */ - OPENSSL_free(s->tlsext_hostname); + OPENSSL_free(s->ext.hostname); SSL_CTX_free(s->session_ctx); #ifndef OPENSSL_NO_EC - OPENSSL_free(s->tlsext_ecpointformatlist); - OPENSSL_free(s->tlsext_ellipticcurvelist); + OPENSSL_free(s->ext.ecpointformats); + OPENSSL_free(s->ext.supportedgroups); #endif /* OPENSSL_NO_EC */ - sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free); + sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free); #ifndef OPENSSL_NO_OCSP - sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); + sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free); #endif #ifndef OPENSSL_NO_CT SCT_LIST_free(s->scts); - OPENSSL_free(s->tlsext_scts); + OPENSSL_free(s->ext.scts); #endif - OPENSSL_free(s->tlsext_ocsp_resp); - OPENSSL_free(s->alpn_client_proto_list); + OPENSSL_free(s->ext.ocsp.resp); + OPENSSL_free(s->ext.alpn); + OPENSSL_free(s->ext.tls13_cookie); + OPENSSL_free(s->clienthello); + OPENSSL_free(s->pha_context); + EVP_MD_CTX_free(s->pha_dgst); - sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); + sk_X509_NAME_pop_free(s->ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(s->client_ca_names, X509_NAME_free); sk_X509_pop_free(s->verified_chain, X509_free); @@ -1182,7 +1210,7 @@ void SSL_free(SSL *s) ASYNC_WAIT_CTX_free(s->waitctx); #if !defined(OPENSSL_NO_NEXTPROTONEG) - OPENSSL_free(s->next_proto_negotiated); + OPENSSL_free(s->ext.npn); #endif #ifndef OPENSSL_NO_SRTP @@ -1287,7 +1315,7 @@ int SSL_get_rfd(const SSL *s) r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); if (r != NULL) BIO_get_fd(r, &ret); - return (ret); + return ret; } int SSL_get_wfd(const SSL *s) @@ -1299,7 +1327,7 @@ int SSL_get_wfd(const SSL *s) r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); if (r != NULL) BIO_get_fd(r, &ret); - return (ret); + return ret; } #ifndef OPENSSL_NO_SOCK @@ -1318,7 +1346,7 @@ int SSL_set_fd(SSL *s, int fd) SSL_set_bio(s, bio, bio); ret = 1; err: - return (ret); + return ret; } int SSL_set_wfd(SSL *s, int fd) @@ -1395,7 +1423,7 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count) int SSL_get_verify_mode(const SSL *s) { - return (s->verify_mode); + return s->verify_mode; } int SSL_get_verify_depth(const SSL *s) @@ -1404,12 +1432,12 @@ int SSL_get_verify_depth(const SSL *s) } int (*SSL_get_verify_callback(const SSL *s)) (int, X509_STORE_CTX *) { - return (s->verify_callback); + return s->verify_callback; } int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) { - return (ctx->verify_mode); + return ctx->verify_mode; } int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) @@ -1418,7 +1446,7 @@ int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) } int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx)) (int, X509_STORE_CTX *) { - return (ctx->default_verify_callback); + return ctx->default_verify_callback; } void SSL_set_verify(SSL *s, int mode, @@ -1446,14 +1474,19 @@ int SSL_get_read_ahead(const SSL *s) int SSL_pending(const SSL *s) { + size_t pending = s->method->ssl_pending(s); + /* * SSL_pending cannot work properly if read-ahead is enabled * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), and it is * impossible to fix since SSL_pending cannot report errors that may be * observed while scanning the new data. (Note that SSL_pending() is * often used as a boolean value, so we'd better not return -1.) + * + * SSL_pending also cannot work properly if the value >INT_MAX. In that case + * we just return INT_MAX. */ - return (s->method->ssl_pending(s)); + return pending < INT_MAX ? (int)pending : INT_MAX; } int SSL_has_pending(const SSL *s) @@ -1482,11 +1515,11 @@ X509 *SSL_get_peer_certificate(const SSL *s) r = s->session->peer; if (r == NULL) - return (r); + return r; X509_up_ref(r); - return (r); + return r; } STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) @@ -1503,7 +1536,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) * we are a server, it does not. */ - return (r); + return r; } /* @@ -1528,10 +1561,10 @@ int SSL_copy_session_id(SSL *t, const SSL *f) return 0; } - CRYPTO_atomic_add(&f->cert->references, 1, &i, f->cert->lock); + CRYPTO_UP_REF(&f->cert->references, &i, f->cert->lock); ssl_cert_free(t->cert); t->cert = f->cert; - if (!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) { + if (!SSL_set_session_id_context(t, f->sid_ctx, (int)f->sid_ctx_length)) { return 0; } @@ -1543,14 +1576,14 @@ int SSL_CTX_check_private_key(const SSL_CTX *ctx) { if ((ctx == NULL) || (ctx->cert->key->x509 == NULL)) { SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); - return (0); + return 0; } if (ctx->cert->key->privatekey == NULL) { SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED); - return (0); + return 0; } - return (X509_check_private_key - (ctx->cert->key->x509, ctx->cert->key->privatekey)); + return X509_check_private_key + (ctx->cert->key->x509, ctx->cert->key->privatekey); } /* Fix this function so that it takes an optional type parameter */ @@ -1558,18 +1591,18 @@ int SSL_check_private_key(const SSL *ssl) { if (ssl == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } if (ssl->cert->key->x509 == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); - return (0); + return 0; } if (ssl->cert->key->privatekey == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED); - return (0); + return 0; } - return (X509_check_private_key(ssl->cert->key->x509, - ssl->cert->key->privatekey)); + return X509_check_private_key(ssl->cert->key->x509, + ssl->cert->key->privatekey); } int SSL_waiting_for_async(SSL *s) @@ -1622,7 +1655,7 @@ int SSL_connect(SSL *s) long SSL_get_default_timeout(const SSL *s) { - return (s->method->get_timeout()); + return s->method->get_timeout(); } static int ssl_start_async_job(SSL *s, struct ssl_async_args *args, @@ -1662,7 +1695,7 @@ static int ssl_io_intern(void *vargs) struct ssl_async_args *args; SSL *s; void *buf; - int num; + size_t num; args = (struct ssl_async_args *)vargs; s = args->s; @@ -1670,29 +1703,41 @@ static int ssl_io_intern(void *vargs) num = args->num; switch (args->type) { case READFUNC: - return args->f.func_read(s, buf, num); + return args->f.func_read(s, buf, num, &s->asyncrw); case WRITEFUNC: - return args->f.func_write(s, buf, num); + return args->f.func_write(s, buf, num, &s->asyncrw); case OTHERFUNC: return args->f.func_other(s); } return -1; } -int SSL_read(SSL *s, void *buf, int num) +int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes) { if (s->handshake_func == NULL) { - SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); + SSLerr(SSL_F_SSL_READ_INTERNAL, SSL_R_UNINITIALIZED); return -1; } if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { s->rwstate = SSL_NOTHING; - return (0); + return 0; } + if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY + || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) { + SSLerr(SSL_F_SSL_READ_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + /* + * If we are a client and haven't received the ServerHello etc then we + * better do that + */ + ossl_statem_check_finish_init(s, 0); + if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { struct ssl_async_args args; + int ret; args.s = s; args.buf = buf; @@ -1700,24 +1745,118 @@ int SSL_read(SSL *s, void *buf, int num) args.type = READFUNC; args.f.func_read = s->method->ssl_read; - return ssl_start_async_job(s, &args, ssl_io_intern); + ret = ssl_start_async_job(s, &args, ssl_io_intern); + *readbytes = s->asyncrw; + return ret; } else { - return s->method->ssl_read(s, buf, num); + return s->method->ssl_read(s, buf, num, readbytes); } } -int SSL_peek(SSL *s, void *buf, int num) +int SSL_read(SSL *s, void *buf, int num) +{ + int ret; + size_t readbytes; + + if (num < 0) { + SSLerr(SSL_F_SSL_READ, SSL_R_BAD_LENGTH); + return -1; + } + + ret = ssl_read_internal(s, buf, (size_t)num, &readbytes); + + /* + * The cast is safe here because ret should be <= INT_MAX because num is + * <= INT_MAX + */ + if (ret > 0) + ret = (int)readbytes; + + return ret; +} + +int SSL_read_ex(SSL *s, void *buf, size_t num, size_t *readbytes) +{ + int ret = ssl_read_internal(s, buf, num, readbytes); + + if (ret < 0) + ret = 0; + return ret; +} + +int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes) +{ + int ret; + + if (!s->server) { + SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return SSL_READ_EARLY_DATA_ERROR; + } + + switch (s->early_data_state) { + case SSL_EARLY_DATA_NONE: + if (!SSL_in_before(s)) { + SSLerr(SSL_F_SSL_READ_EARLY_DATA, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return SSL_READ_EARLY_DATA_ERROR; + } + /* fall through */ + + case SSL_EARLY_DATA_ACCEPT_RETRY: + s->early_data_state = SSL_EARLY_DATA_ACCEPTING; + ret = SSL_accept(s); + if (ret <= 0) { + /* NBIO or error */ + s->early_data_state = SSL_EARLY_DATA_ACCEPT_RETRY; + return SSL_READ_EARLY_DATA_ERROR; + } + /* fall through */ + + case SSL_EARLY_DATA_READ_RETRY: + if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { + s->early_data_state = SSL_EARLY_DATA_READING; + ret = SSL_read_ex(s, buf, num, readbytes); + /* + * State machine will update early_data_state to + * SSL_EARLY_DATA_FINISHED_READING if we get an EndOfEarlyData + * message + */ + if (ret > 0 || (ret <= 0 && s->early_data_state + != SSL_EARLY_DATA_FINISHED_READING)) { + s->early_data_state = SSL_EARLY_DATA_READ_RETRY; + return ret > 0 ? SSL_READ_EARLY_DATA_SUCCESS + : SSL_READ_EARLY_DATA_ERROR; + } + } else { + s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; + } + *readbytes = 0; + return SSL_READ_EARLY_DATA_FINISH; + + default: + SSLerr(SSL_F_SSL_READ_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return SSL_READ_EARLY_DATA_ERROR; + } +} + +int SSL_get_early_data_status(const SSL *s) +{ + return s->ext.early_data; +} + +static int ssl_peek_internal(SSL *s, void *buf, size_t num, size_t *readbytes) { if (s->handshake_func == NULL) { - SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED); + SSLerr(SSL_F_SSL_PEEK_INTERNAL, SSL_R_UNINITIALIZED); return -1; } if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { - return (0); + return 0; } if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { struct ssl_async_args args; + int ret; args.s = s; args.buf = buf; @@ -1725,26 +1864,70 @@ int SSL_peek(SSL *s, void *buf, int num) args.type = READFUNC; args.f.func_read = s->method->ssl_peek; - return ssl_start_async_job(s, &args, ssl_io_intern); + ret = ssl_start_async_job(s, &args, ssl_io_intern); + *readbytes = s->asyncrw; + return ret; } else { - return s->method->ssl_peek(s, buf, num); + return s->method->ssl_peek(s, buf, num, readbytes); } } -int SSL_write(SSL *s, const void *buf, int num) +int SSL_peek(SSL *s, void *buf, int num) +{ + int ret; + size_t readbytes; + + if (num < 0) { + SSLerr(SSL_F_SSL_PEEK, SSL_R_BAD_LENGTH); + return -1; + } + + ret = ssl_peek_internal(s, buf, (size_t)num, &readbytes); + + /* + * The cast is safe here because ret should be <= INT_MAX because num is + * <= INT_MAX + */ + if (ret > 0) + ret = (int)readbytes; + + return ret; +} + + +int SSL_peek_ex(SSL *s, void *buf, size_t num, size_t *readbytes) +{ + int ret = ssl_peek_internal(s, buf, num, readbytes); + + if (ret < 0) + ret = 0; + return ret; +} + +int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written) { if (s->handshake_func == NULL) { - SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); + SSLerr(SSL_F_SSL_WRITE_INTERNAL, SSL_R_UNINITIALIZED); return -1; } if (s->shutdown & SSL_SENT_SHUTDOWN) { s->rwstate = SSL_NOTHING; - SSLerr(SSL_F_SSL_WRITE, SSL_R_PROTOCOL_IS_SHUTDOWN); - return (-1); + SSLerr(SSL_F_SSL_WRITE_INTERNAL, SSL_R_PROTOCOL_IS_SHUTDOWN); + return -1; + } + + if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY + || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY + || s->early_data_state == SSL_EARLY_DATA_READ_RETRY) { + SSLerr(SSL_F_SSL_WRITE_INTERNAL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; } + /* If we are a client and haven't sent the Finished we better do that */ + ossl_statem_check_finish_init(s, 1); if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { + int ret; struct ssl_async_args args; args.s = s; @@ -1753,9 +1936,114 @@ int SSL_write(SSL *s, const void *buf, int num) args.type = WRITEFUNC; args.f.func_write = s->method->ssl_write; - return ssl_start_async_job(s, &args, ssl_io_intern); + ret = ssl_start_async_job(s, &args, ssl_io_intern); + *written = s->asyncrw; + return ret; } else { - return s->method->ssl_write(s, buf, num); + return s->method->ssl_write(s, buf, num, written); + } +} + +int SSL_write(SSL *s, const void *buf, int num) +{ + int ret; + size_t written; + + if (num < 0) { + SSLerr(SSL_F_SSL_WRITE, SSL_R_BAD_LENGTH); + return -1; + } + + ret = ssl_write_internal(s, buf, (size_t)num, &written); + + /* + * The cast is safe here because ret should be <= INT_MAX because num is + * <= INT_MAX + */ + if (ret > 0) + ret = (int)written; + + return ret; +} + +int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written) +{ + int ret = ssl_write_internal(s, buf, num, written); + + if (ret < 0) + ret = 0; + return ret; +} + +int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written) +{ + int ret, early_data_state; + size_t writtmp; + uint32_t partialwrite; + + switch (s->early_data_state) { + case SSL_EARLY_DATA_NONE: + if (s->server + || !SSL_in_before(s) + || ((s->session == NULL || s->session->ext.max_early_data == 0) + && (s->psk_use_session_cb == NULL))) { + SSLerr(SSL_F_SSL_WRITE_EARLY_DATA, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + /* fall through */ + + case SSL_EARLY_DATA_CONNECT_RETRY: + s->early_data_state = SSL_EARLY_DATA_CONNECTING; + ret = SSL_connect(s); + if (ret <= 0) { + /* NBIO or error */ + s->early_data_state = SSL_EARLY_DATA_CONNECT_RETRY; + return 0; + } + /* fall through */ + + case SSL_EARLY_DATA_WRITE_RETRY: + s->early_data_state = SSL_EARLY_DATA_WRITING; + /* + * We disable partial write for early data because we don't keep track + * of how many bytes we've written between the SSL_write_ex() call and + * the flush if the flush needs to be retried) + */ + partialwrite = s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE; + s->mode &= ~SSL_MODE_ENABLE_PARTIAL_WRITE; + ret = SSL_write_ex(s, buf, num, &writtmp); + s->mode |= partialwrite; + if (!ret) { + s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; + return ret; + } + s->early_data_state = SSL_EARLY_DATA_WRITE_FLUSH; + /* fall through */ + + case SSL_EARLY_DATA_WRITE_FLUSH: + /* The buffering BIO is still in place so we need to flush it */ + if (statem_flush(s) != 1) + return 0; + *written = num; + s->early_data_state = SSL_EARLY_DATA_WRITE_RETRY; + return 1; + + case SSL_EARLY_DATA_FINISHED_READING: + case SSL_EARLY_DATA_READ_RETRY: + early_data_state = s->early_data_state; + /* We are a server writing to an unauthenticated client */ + s->early_data_state = SSL_EARLY_DATA_UNAUTH_WRITING; + ret = SSL_write_ex(s, buf, num, written); + /* The buffering BIO is still in place */ + if (ret) + (void)BIO_flush(s->wbio); + s->early_data_state = early_data_state; + return ret; + + default: + SSLerr(SSL_F_SSL_WRITE_EARLY_DATA, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; } } @@ -1791,34 +2079,73 @@ int SSL_shutdown(SSL *s) } } +int SSL_key_update(SSL *s, int updatetype) +{ + /* + * TODO(TLS1.3): How will applications know whether TLSv1.3 has been + * negotiated, and that it is appropriate to call SSL_key_update() instead + * of SSL_renegotiate(). + */ + if (!SSL_IS_TLS13(s)) { + SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_WRONG_SSL_VERSION); + return 0; + } + + if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED + && updatetype != SSL_KEY_UPDATE_REQUESTED) { + SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_INVALID_KEY_UPDATE_TYPE); + return 0; + } + + if (!SSL_is_init_finished(s)) { + SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_STILL_IN_INIT); + return 0; + } + + ossl_statem_set_in_init(s, 1); + s->key_update = updatetype; + return 1; +} + +int SSL_get_key_update_type(SSL *s) +{ + return s->key_update; +} + int SSL_renegotiate(SSL *s) { + if (SSL_IS_TLS13(s)) { + SSLerr(SSL_F_SSL_RENEGOTIATE, SSL_R_WRONG_SSL_VERSION); + return 0; + } + if ((s->options & SSL_OP_NO_RENEGOTIATION)) { SSLerr(SSL_F_SSL_RENEGOTIATE, SSL_R_NO_RENEGOTIATION); return 0; } - if (s->renegotiate == 0) - s->renegotiate = 1; - + s->renegotiate = 1; s->new_session = 1; - return (s->method->ssl_renegotiate(s)); + return s->method->ssl_renegotiate(s); } int SSL_renegotiate_abbreviated(SSL *s) { + if (SSL_IS_TLS13(s)) { + SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_WRONG_SSL_VERSION); + return 0; + } + if ((s->options & SSL_OP_NO_RENEGOTIATION)) { SSLerr(SSL_F_SSL_RENEGOTIATE_ABBREVIATED, SSL_R_NO_RENEGOTIATION); return 0; } - if (s->renegotiate == 0) - s->renegotiate = 1; - + s->renegotiate = 1; s->new_session = 0; - return (s->method->ssl_renegotiate(s)); + return s->method->ssl_renegotiate(s); } int SSL_renegotiate_pending(SSL *s) @@ -1836,11 +2163,11 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: - return (RECORD_LAYER_get_read_ahead(&s->rlayer)); + return RECORD_LAYER_get_read_ahead(&s->rlayer); case SSL_CTRL_SET_READ_AHEAD: l = RECORD_LAYER_get_read_ahead(&s->rlayer); RECORD_LAYER_set_read_ahead(&s->rlayer, larg); - return (l); + return l; case SSL_CTRL_SET_MSG_CALLBACK_ARG: s->msg_callback_arg = parg; @@ -1851,11 +2178,13 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_CLEAR_MODE: return (s->mode &= ~larg); case SSL_CTRL_GET_MAX_CERT_LIST: - return (s->max_cert_list); + return (long)s->max_cert_list; case SSL_CTRL_SET_MAX_CERT_LIST: - l = s->max_cert_list; - s->max_cert_list = larg; - return (l); + if (larg < 0) + return 0; + l = (long)s->max_cert_list; + s->max_cert_list = (size_t)larg; + return l; case SSL_CTRL_SET_MAX_SEND_FRAGMENT: if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) return 0; @@ -1864,7 +2193,7 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) s->split_send_fragment = s->max_send_fragment; return 1; case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT: - if ((unsigned int)larg > s->max_send_fragment || larg == 0) + if ((size_t)larg > s->max_send_fragment || larg == 0) return 0; s->split_send_fragment = larg; return 1; @@ -1914,7 +2243,7 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_MAX_PROTO_VERSION: return s->max_proto_version; default: - return (s->method->ssl_ctrl(s, cmd, larg, parg)); + return s->method->ssl_ctrl(s, cmd, larg, parg); } } @@ -1929,7 +2258,7 @@ long SSL_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) return 1; default: - return (s->method->ssl_callback_ctrl(s, cmd, fp)); + return s->method->ssl_callback_ctrl(s, cmd, fp); } } @@ -1945,8 +2274,8 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) if (ctx == NULL) { switch (cmd) { #ifndef OPENSSL_NO_EC - case SSL_CTRL_SET_CURVES_LIST: - return tls1_set_curves_list(NULL, NULL, parg); + case SSL_CTRL_SET_GROUPS_LIST: + return tls1_set_groups_list(NULL, NULL, parg); #endif case SSL_CTRL_SET_SIGALGS_LIST: case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: @@ -1958,60 +2287,64 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: - return (ctx->read_ahead); + return ctx->read_ahead; case SSL_CTRL_SET_READ_AHEAD: l = ctx->read_ahead; ctx->read_ahead = larg; - return (l); + return l; case SSL_CTRL_SET_MSG_CALLBACK_ARG: ctx->msg_callback_arg = parg; return 1; case SSL_CTRL_GET_MAX_CERT_LIST: - return (ctx->max_cert_list); + return (long)ctx->max_cert_list; case SSL_CTRL_SET_MAX_CERT_LIST: - l = ctx->max_cert_list; - ctx->max_cert_list = larg; - return (l); + if (larg < 0) + return 0; + l = (long)ctx->max_cert_list; + ctx->max_cert_list = (size_t)larg; + return l; case SSL_CTRL_SET_SESS_CACHE_SIZE: - l = ctx->session_cache_size; - ctx->session_cache_size = larg; - return (l); + if (larg < 0) + return 0; + l = (long)ctx->session_cache_size; + ctx->session_cache_size = (size_t)larg; + return l; case SSL_CTRL_GET_SESS_CACHE_SIZE: - return (ctx->session_cache_size); + return (long)ctx->session_cache_size; case SSL_CTRL_SET_SESS_CACHE_MODE: l = ctx->session_cache_mode; ctx->session_cache_mode = larg; - return (l); + return l; case SSL_CTRL_GET_SESS_CACHE_MODE: - return (ctx->session_cache_mode); + return ctx->session_cache_mode; case SSL_CTRL_SESS_NUMBER: - return (lh_SSL_SESSION_num_items(ctx->sessions)); + return lh_SSL_SESSION_num_items(ctx->sessions); case SSL_CTRL_SESS_CONNECT: - return (ctx->stats.sess_connect); + return tsan_load(&ctx->stats.sess_connect); case SSL_CTRL_SESS_CONNECT_GOOD: - return (ctx->stats.sess_connect_good); + return tsan_load(&ctx->stats.sess_connect_good); case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: - return (ctx->stats.sess_connect_renegotiate); + return tsan_load(&ctx->stats.sess_connect_renegotiate); case SSL_CTRL_SESS_ACCEPT: - return (ctx->stats.sess_accept); + return tsan_load(&ctx->stats.sess_accept); case SSL_CTRL_SESS_ACCEPT_GOOD: - return (ctx->stats.sess_accept_good); + return tsan_load(&ctx->stats.sess_accept_good); case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: - return (ctx->stats.sess_accept_renegotiate); + return tsan_load(&ctx->stats.sess_accept_renegotiate); case SSL_CTRL_SESS_HIT: - return (ctx->stats.sess_hit); + return tsan_load(&ctx->stats.sess_hit); case SSL_CTRL_SESS_CB_HIT: - return (ctx->stats.sess_cb_hit); + return tsan_load(&ctx->stats.sess_cb_hit); case SSL_CTRL_SESS_MISSES: - return (ctx->stats.sess_miss); + return tsan_load(&ctx->stats.sess_miss); case SSL_CTRL_SESS_TIMEOUTS: - return (ctx->stats.sess_timeout); + return tsan_load(&ctx->stats.sess_timeout); case SSL_CTRL_SESS_CACHE_FULL: - return (ctx->stats.sess_cache_full); + return tsan_load(&ctx->stats.sess_cache_full); case SSL_CTRL_MODE: return (ctx->mode |= larg); case SSL_CTRL_CLEAR_MODE: @@ -2024,7 +2357,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) ctx->split_send_fragment = ctx->max_send_fragment; return 1; case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT: - if ((unsigned int)larg > ctx->max_send_fragment || larg == 0) + if ((size_t)larg > ctx->max_send_fragment || larg == 0) return 0; ctx->split_send_fragment = larg; return 1; @@ -2050,7 +2383,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_GET_MAX_PROTO_VERSION: return ctx->max_proto_version; default: - return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg)); + return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg); } } @@ -2065,7 +2398,7 @@ long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) return 1; default: - return (ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp)); + return ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp); } } @@ -2094,12 +2427,12 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) { if (s != NULL) { if (s->cipher_list != NULL) { - return (s->cipher_list); + return s->cipher_list; } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) { - return (s->ctx->cipher_list); + return s->ctx->cipher_list; } } - return (NULL); + return NULL; } STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s) @@ -2113,10 +2446,12 @@ STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s) { STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers; int i; + ciphers = SSL_get_ciphers(s); if (!ciphers) return NULL; - ssl_set_client_disabled(s); + if (!ssl_set_client_disabled(s)) + return NULL; for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) { @@ -2139,12 +2474,12 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) { if (s != NULL) { if (s->cipher_list_by_id != NULL) { - return (s->cipher_list_by_id); + return s->cipher_list_by_id; } else if ((s->ctx != NULL) && (s->ctx->cipher_list_by_id != NULL)) { - return (s->ctx->cipher_list_by_id); + return s->ctx->cipher_list_by_id; } } - return (NULL); + return NULL; } /** The old interface to get the same thing as SSL_get_ciphers() */ @@ -2154,14 +2489,14 @@ const char *SSL_get_cipher_list(const SSL *s, int n) STACK_OF(SSL_CIPHER) *sk; if (s == NULL) - return (NULL); + return NULL; sk = SSL_get_ciphers(s); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) - return (NULL); + return NULL; c = sk_SSL_CIPHER_value(sk, n); if (c == NULL) - return (NULL); - return (c->name); + return NULL; + return c->name; } /** return a STACK of the ciphers available for the SSL_CTX and in order of @@ -2178,8 +2513,9 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) { STACK_OF(SSL_CIPHER) *sk; - sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, - &ctx->cipher_list_by_id, str, ctx->cert); + sk = ssl_create_cipher_list(ctx->method, ctx->tls13_ciphersuites, + &ctx->cipher_list, &ctx->cipher_list_by_id, str, + ctx->cert); /* * ssl_create_cipher_list may return an empty stack if it was unable to * find a cipher matching the given rule string (for example if the rule @@ -2201,8 +2537,9 @@ int SSL_set_cipher_list(SSL *s, const char *str) { STACK_OF(SSL_CIPHER) *sk; - sk = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, - &s->cipher_list_by_id, str, s->cert); + sk = ssl_create_cipher_list(s->ctx->method, s->tls13_ciphersuites, + &s->cipher_list, &s->cipher_list_by_id, str, + s->cert); /* see comment in SSL_CTX_set_cipher_list */ if (sk == NULL) return 0; @@ -2249,13 +2586,13 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) *p = '\0'; return buf; } - memcpy(p, c->name, n + 1); + strcpy(p, c->name); p += n; *(p++) = ':'; size -= n + 1; } p[-1] = '\0'; - return (buf); + return buf; } /** return a servername extension value if provided in Client Hello, or NULL. @@ -2267,15 +2604,22 @@ const char *SSL_get_servername(const SSL *s, const int type) if (type != TLSEXT_NAMETYPE_host_name) return NULL; - return s->session && !s->tlsext_hostname ? - s->session->tlsext_hostname : s->tlsext_hostname; + /* + * SNI is not negotiated in pre-TLS-1.3 resumption flows, so fake up an + * SNI value to return if we are resuming/resumed. N.B. that we still + * call the relevant callbacks for such resumption flows, and callbacks + * might error out if there is not a SNI value available. + */ + if (s->hit) + return s->session->ext.hostname; + return s->ext.hostname; } int SSL_get_servername_type(const SSL *s) { if (s->session - && (!s->tlsext_hostname ? s->session-> - tlsext_hostname : s->tlsext_hostname)) + && (!s->ext.hostname ? s->session-> + ext.hostname : s->ext.hostname)) return TLSEXT_NAMETYPE_host_name; return -1; } @@ -2350,16 +2694,16 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len) { - *data = s->next_proto_negotiated; + *data = s->ext.npn; if (!*data) { *len = 0; } else { - *len = s->next_proto_negotiated_len; + *len = (unsigned int)s->ext.npn_len; } } /* - * SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when + * SSL_CTX_set_npn_advertised_cb sets a callback that is called when * a TLS server needs a list of supported protocols for Next Protocol * Negotiation. The returned list must be in wire format. The list is * returned by setting |out| to point to it and |outlen| to its length. This @@ -2368,15 +2712,12 @@ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, * wishes to advertise. Otherwise, no such extension will be included in the * ServerHello. */ -void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, - int (*cb) (SSL *ssl, - const unsigned char - **out, - unsigned int *outlen, - void *arg), void *arg) +void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx, + SSL_CTX_npn_advertised_cb_func cb, + void *arg) { - ctx->next_protos_advertised_cb = cb; - ctx->next_protos_advertised_cb_arg = arg; + ctx->ext.npn_advertised_cb = cb; + ctx->ext.npn_advertised_cb_arg = arg; } /* @@ -2389,15 +2730,12 @@ void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, * select a protocol. It is fatal to the connection if this callback returns * a value other than SSL_TLSEXT_ERR_OK. */ -void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, - int (*cb) (SSL *s, unsigned char **out, - unsigned char *outlen, - const unsigned char *in, - unsigned int inlen, - void *arg), void *arg) +void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx, + SSL_CTX_npn_select_cb_func cb, + void *arg) { - ctx->next_proto_select_cb = cb; - ctx->next_proto_select_cb_arg = arg; + ctx->ext.npn_select_cb = cb; + ctx->ext.npn_select_cb_arg = arg; } #endif @@ -2409,13 +2747,13 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, unsigned int protos_len) { - OPENSSL_free(ctx->alpn_client_proto_list); - ctx->alpn_client_proto_list = OPENSSL_memdup(protos, protos_len); - if (ctx->alpn_client_proto_list == NULL) { + OPENSSL_free(ctx->ext.alpn); + ctx->ext.alpn = OPENSSL_memdup(protos, protos_len); + if (ctx->ext.alpn == NULL) { SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); return 1; } - ctx->alpn_client_proto_list_len = protos_len; + ctx->ext.alpn_len = protos_len; return 0; } @@ -2428,13 +2766,13 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, unsigned int protos_len) { - OPENSSL_free(ssl->alpn_client_proto_list); - ssl->alpn_client_proto_list = OPENSSL_memdup(protos, protos_len); - if (ssl->alpn_client_proto_list == NULL) { + OPENSSL_free(ssl->ext.alpn); + ssl->ext.alpn = OPENSSL_memdup(protos, protos_len); + if (ssl->ext.alpn == NULL) { SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); return 1; } - ssl->alpn_client_proto_list_len = protos_len; + ssl->ext.alpn_len = protos_len; return 0; } @@ -2445,15 +2783,11 @@ int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, * from the client's list of offered protocols. */ void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, - int (*cb) (SSL *ssl, - const unsigned char **out, - unsigned char *outlen, - const unsigned char *in, - unsigned int inlen, - void *arg), void *arg) + SSL_CTX_alpn_select_cb_func cb, + void *arg) { - ctx->alpn_select_cb = cb; - ctx->alpn_select_cb_arg = arg; + ctx->ext.alpn_select_cb = cb; + ctx->ext.alpn_select_cb_arg = arg; } /* @@ -2471,7 +2805,7 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, if (*data == NULL) *len = 0; else - *len = ssl->s3->alpn_selected_len; + *len = (unsigned int)ssl->s3->alpn_selected_len; } int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, @@ -2487,6 +2821,18 @@ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, contextlen, use_context); } +int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, + const char *label, size_t llen, + const unsigned char *context, + size_t contextlen) +{ + if (s->version != TLS1_3_VERSION) + return 0; + + return tls13_export_keying_material_early(s, out, olen, label, llen, + context, contextlen); +} + static unsigned long ssl_session_hash(const SSL_SESSION *a) { const unsigned char *session_id = a->session_id; @@ -2504,7 +2850,7 @@ static unsigned long ssl_session_hash(const SSL_SESSION *a) ((unsigned long)session_id[1] << 8L) | ((unsigned long)session_id[2] << 16L) | ((unsigned long)session_id[3] << 24L); - return (l); + return l; } /* @@ -2517,10 +2863,10 @@ static unsigned long ssl_session_hash(const SSL_SESSION *a) static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) { if (a->ssl_version != b->ssl_version) - return (1); + return 1; if (a->session_id_length != b->session_id_length) - return (1); - return (memcmp(a->session_id, b->session_id, a->session_id_length)); + return 1; + return memcmp(a->session_id, b->session_id, a->session_id_length); } /* @@ -2536,17 +2882,12 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) if (meth == NULL) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED); - return (NULL); + return NULL; } if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) return NULL; - if (FIPS_mode() && (meth->version < TLS1_VERSION)) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE); - return NULL; - } - if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; @@ -2558,6 +2899,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->method = meth; ret->min_proto_version = 0; ret->max_proto_version = 0; + ret->mode = SSL_MODE_AUTO_RETRY; ret->session_cache_mode = SSL_SESS_CACHE_SERVER; ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; /* We take the system default. */ @@ -2585,7 +2927,12 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) if (ret->ctlog_store == NULL) goto err; #endif + + if (!SSL_CTX_set_ciphersuites(ret, TLS_DEFAULT_CIPHERSUITES)) + goto err; + if (!ssl_create_cipher_list(ret->method, + ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST, ret->cert) || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { @@ -2606,12 +2953,18 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) goto err2; } - if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL) + if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) + goto err; + + if ((ret->client_ca_names = sk_X509_NAME_new_null()) == NULL) goto err; if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data)) goto err; + if ((ret->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->ext.secure))) == NULL) + goto err; + /* No compression for DTLS */ if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)) ret->comp_methods = SSL_COMP_get_compression_methods(); @@ -2620,14 +2973,18 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; /* Setup RFC5077 ticket keys */ - if ((RAND_bytes(ret->tlsext_tick_key_name, - sizeof(ret->tlsext_tick_key_name)) <= 0) - || (RAND_bytes(ret->tlsext_tick_hmac_key, - sizeof(ret->tlsext_tick_hmac_key)) <= 0) - || (RAND_bytes(ret->tlsext_tick_aes_key, - sizeof(ret->tlsext_tick_aes_key)) <= 0)) + if ((RAND_bytes(ret->ext.tick_key_name, + sizeof(ret->ext.tick_key_name)) <= 0) + || (RAND_priv_bytes(ret->ext.secure->tick_hmac_key, + sizeof(ret->ext.secure->tick_hmac_key)) <= 0) + || (RAND_priv_bytes(ret->ext.secure->tick_aes_key, + sizeof(ret->ext.secure->tick_aes_key)) <= 0)) ret->options |= SSL_OP_NO_TICKET; + if (RAND_priv_bytes(ret->ext.cookie_hmac_key, + sizeof(ret->ext.cookie_hmac_key)) <= 0) + goto err; + #ifndef OPENSSL_NO_SRP if (!SSL_CTX_SRP_CTX_init(ret)) goto err; @@ -2659,11 +3016,46 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) * Disable compression by default to prevent CRIME. Applications can * re-enable compression by configuring * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION); - * or by using the SSL_CONF library. + * or by using the SSL_CONF library. Similarly we also enable TLSv1.3 + * middlebox compatibility by default. This may be disabled by default in + * a later OpenSSL version. + */ + ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT; + + ret->ext.status_type = TLSEXT_STATUSTYPE_nothing; + + /* + * We cannot usefully set a default max_early_data here (which gets + * propagated in SSL_new(), for the following reason: setting the + * SSL field causes tls_construct_stoc_early_data() to tell the + * client that early data will be accepted when constructing a TLS 1.3 + * session ticket, and the client will accordingly send us early data + * when using that ticket (if the client has early data to send). + * However, in order for the early data to actually be consumed by + * the application, the application must also have calls to + * SSL_read_early_data(); otherwise we'll just skip past the early data + * and ignore it. So, since the application must add calls to + * SSL_read_early_data(), we also require them to add + * calls to SSL_CTX_set_max_early_data() in order to use early data, + * eliminating the bandwidth-wasting early data in the case described + * above. + */ + ret->max_early_data = 0; + + /* + * Default recv_max_early_data is a fully loaded single record. Could be + * split across multiple records in practice. We set this differently to + * max_early_data so that, in the default case, we do not advertise any + * support for early_data, but if a client were to send us some (e.g. + * because of an old, stale ticket) then we will tolerate it and skip over + * it. */ - ret->options |= SSL_OP_NO_COMPRESSION; + ret->recv_max_early_data = SSL3_RT_MAX_PLAIN_LENGTH; + + /* By default we send two session tickets automatically in TLSv1.3 */ + ret->num_tickets = 2; - ret->tlsext_status_type = -1; + ssl_ctx_system_config(ret); return ret; err: @@ -2677,7 +3069,7 @@ int SSL_CTX_up_ref(SSL_CTX *ctx) { int i; - if (CRYPTO_atomic_add(&ctx->references, 1, &i, ctx->lock) <= 0) + if (CRYPTO_UP_REF(&ctx->references, &i, ctx->lock) <= 0) return 0; REF_PRINT_COUNT("SSL_CTX", ctx); @@ -2692,7 +3084,7 @@ void SSL_CTX_free(SSL_CTX *a) if (a == NULL) return; - CRYPTO_atomic_add(&a->references, -1, &i, a->lock); + CRYPTO_DOWN_REF(&a->references, &i, a->lock); REF_PRINT_COUNT("SSL_CTX", a); if (i > 0) return; @@ -2721,8 +3113,10 @@ void SSL_CTX_free(SSL_CTX *a) #endif sk_SSL_CIPHER_free(a->cipher_list); sk_SSL_CIPHER_free(a->cipher_list_by_id); + sk_SSL_CIPHER_free(a->tls13_ciphersuites); ssl_cert_free(a->cert); - sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free); + sk_X509_NAME_pop_free(a->ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(a->client_ca_names, X509_NAME_free); sk_X509_pop_free(a->extra_certs, X509_free); a->comp_methods = NULL; #ifndef OPENSSL_NO_SRTP @@ -2736,10 +3130,11 @@ void SSL_CTX_free(SSL_CTX *a) #endif #ifndef OPENSSL_NO_EC - OPENSSL_free(a->tlsext_ecpointformatlist); - OPENSSL_free(a->tlsext_ellipticcurvelist); + OPENSSL_free(a->ext.ecpointformats); + OPENSSL_free(a->ext.supportedgroups); #endif - OPENSSL_free(a->alpn_client_proto_list); + OPENSSL_free(a->ext.alpn); + OPENSSL_secure_free(a->ext.secure); CRYPTO_THREAD_lock_free(a->lock); @@ -2818,16 +3213,12 @@ void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg) void ssl_set_masks(SSL *s) { -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_GOST) - CERT_PKEY *cpk; -#endif CERT *c = s->cert; uint32_t *pvalid = s->s3->tmp.valid_flags; int rsa_enc, rsa_sign, dh_tmp, dsa_sign; unsigned long mask_k, mask_a; #ifndef OPENSSL_NO_EC int have_ecc_cert, ecdsa_ok; - X509 *x = NULL; #endif if (c == NULL) return; @@ -2838,9 +3229,9 @@ void ssl_set_masks(SSL *s) dh_tmp = 0; #endif - rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID; - rsa_sign = pvalid[SSL_PKEY_RSA_SIGN] & CERT_PKEY_SIGN; - dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN; + rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; + rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; + dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_VALID; #ifndef OPENSSL_NO_EC have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID; #endif @@ -2853,18 +3244,15 @@ void ssl_set_masks(SSL *s) #endif #ifndef OPENSSL_NO_GOST - cpk = &(c->pkeys[SSL_PKEY_GOST12_512]); - if (cpk->x509 != NULL && cpk->privatekey != NULL) { + if (ssl_has_cert(s, SSL_PKEY_GOST12_512)) { mask_k |= SSL_kGOST; mask_a |= SSL_aGOST12; } - cpk = &(c->pkeys[SSL_PKEY_GOST12_256]); - if (cpk->x509 != NULL && cpk->privatekey != NULL) { + if (ssl_has_cert(s, SSL_PKEY_GOST12_256)) { mask_k |= SSL_kGOST; mask_a |= SSL_aGOST12; } - cpk = &(c->pkeys[SSL_PKEY_GOST01]); - if (cpk->x509 != NULL && cpk->privatekey != NULL) { + if (ssl_has_cert(s, SSL_PKEY_GOST01)) { mask_k |= SSL_kGOST; mask_a |= SSL_aGOST01; } @@ -2876,9 +3264,15 @@ void ssl_set_masks(SSL *s) if (dh_tmp) mask_k |= SSL_kDHE; - if (rsa_enc || rsa_sign) { + /* + * If we only have an RSA-PSS certificate allow RSA authentication + * if TLS 1.2 and peer supports it. + */ + + if (rsa_enc || rsa_sign || (ssl_has_cert(s, SSL_PKEY_RSA_PSS_SIGN) + && pvalid[SSL_PKEY_RSA_PSS_SIGN] & CERT_PKEY_EXPLICIT_SIGN + && TLS1_get_version(s) == TLS1_2_VERSION)) mask_a |= SSL_aRSA; - } if (dsa_sign) { mask_a |= SSL_aDSS; @@ -2893,15 +3287,24 @@ void ssl_set_masks(SSL *s) #ifndef OPENSSL_NO_EC if (have_ecc_cert) { uint32_t ex_kusage; - cpk = &c->pkeys[SSL_PKEY_ECC]; - x = cpk->x509; - ex_kusage = X509_get_key_usage(x); + ex_kusage = X509_get_key_usage(c->pkeys[SSL_PKEY_ECC].x509); ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE; if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN)) ecdsa_ok = 0; if (ecdsa_ok) mask_a |= SSL_aECDSA; } + /* Allow Ed25519 for TLS 1.2 if peer supports it */ + if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED25519) + && pvalid[SSL_PKEY_ED25519] & CERT_PKEY_EXPLICIT_SIGN + && TLS1_get_version(s) == TLS1_2_VERSION) + mask_a |= SSL_aECDSA; + + /* Allow Ed448 for TLS 1.2 if peer supports it */ + if (!(mask_a & SSL_aECDSA) && ssl_has_cert(s, SSL_PKEY_ED448) + && pvalid[SSL_PKEY_ED448] & CERT_PKEY_EXPLICIT_SIGN + && TLS1_get_version(s) == TLS1_2_VERSION) + mask_a |= SSL_aECDSA; #endif #ifndef OPENSSL_NO_EC @@ -2940,93 +3343,17 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) #endif -static int ssl_get_server_cert_index(const SSL *s) -{ - int idx; - idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher); - if (idx == SSL_PKEY_RSA_ENC && !s->cert->pkeys[SSL_PKEY_RSA_ENC].x509) - idx = SSL_PKEY_RSA_SIGN; - if (idx == SSL_PKEY_GOST_EC) { - if (s->cert->pkeys[SSL_PKEY_GOST12_512].x509) - idx = SSL_PKEY_GOST12_512; - else if (s->cert->pkeys[SSL_PKEY_GOST12_256].x509) - idx = SSL_PKEY_GOST12_256; - else if (s->cert->pkeys[SSL_PKEY_GOST01].x509) - idx = SSL_PKEY_GOST01; - else - idx = -1; - } - if (idx == -1) - SSLerr(SSL_F_SSL_GET_SERVER_CERT_INDEX, ERR_R_INTERNAL_ERROR); - return idx; -} - -CERT_PKEY *ssl_get_server_send_pkey(SSL *s) -{ - CERT *c; - int i; - - c = s->cert; - if (!s->s3 || !s->s3->tmp.new_cipher) - return NULL; - ssl_set_masks(s); - - i = ssl_get_server_cert_index(s); - - /* This may or may not be an error. */ - if (i < 0) - return NULL; - - /* May be NULL. */ - return &c->pkeys[i]; -} - -EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, - const EVP_MD **pmd) -{ - unsigned long alg_a; - CERT *c; - int idx = -1; - - alg_a = cipher->algorithm_auth; - c = s->cert; - - if ((alg_a & SSL_aDSS) && (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) - idx = SSL_PKEY_DSA_SIGN; - else if (alg_a & SSL_aRSA) { - if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) - idx = SSL_PKEY_RSA_SIGN; - else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) - idx = SSL_PKEY_RSA_ENC; - } else if ((alg_a & SSL_aECDSA) && - (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) - idx = SSL_PKEY_ECC; - if (idx == -1) { - SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR); - return (NULL); - } - if (pmd) - *pmd = s->s3->tmp.md[idx]; - return c->pkeys[idx].privatekey; -} - int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, size_t *serverinfo_length) { - CERT *c = NULL; - int i = 0; + CERT_PKEY *cpk = s->s3->tmp.cert; *serverinfo_length = 0; - c = s->cert; - i = ssl_get_server_cert_index(s); - - if (i == -1) - return 0; - if (c->pkeys[i].serverinfo == NULL) + if (cpk == NULL || cpk->serverinfo == NULL) return 0; - *serverinfo = c->pkeys[i].serverinfo; - *serverinfo_length = c->pkeys[i].serverinfo_length; + *serverinfo = cpk->serverinfo; + *serverinfo_length = cpk->serverinfo_length; return 1; } @@ -3055,22 +3382,49 @@ void ssl_update_cache(SSL *s, int mode) return; i = s->session_ctx->session_cache_mode; - if ((i & mode) && (!s->hit) - && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) - || SSL_CTX_add_session(s->session_ctx, s->session)) - && (s->session_ctx->new_session_cb != NULL)) { - SSL_SESSION_up_ref(s->session); - if (!s->session_ctx->new_session_cb(s, s->session)) - SSL_SESSION_free(s->session); + if ((i & mode) != 0 + && (!s->hit || SSL_IS_TLS13(s))) { + /* + * Add the session to the internal cache. In server side TLSv1.3 we + * normally don't do this because by default it's a full stateless ticket + * with only a dummy session id so there is no reason to cache it, + * unless: + * - we are doing early_data, in which case we cache so that we can + * detect replays + * - the application has set a remove_session_cb so needs to know about + * session timeout events + * - SSL_OP_NO_TICKET is set in which case it is a stateful ticket + */ + if ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0 + && (!SSL_IS_TLS13(s) + || !s->server + || (s->max_early_data > 0 + && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0) + || s->session_ctx->remove_session_cb != NULL + || (s->options & SSL_OP_NO_TICKET) != 0)) + SSL_CTX_add_session(s->session_ctx, s->session); + + /* + * Add the session to the external cache. We do this even in server side + * TLSv1.3 without early data because some applications just want to + * know about the creation of a session and aren't doing a full cache. + */ + if (s->session_ctx->new_session_cb != NULL) { + SSL_SESSION_up_ref(s->session); + if (!s->session_ctx->new_session_cb(s, s->session)) + SSL_SESSION_free(s->session); + } } /* auto flush every 255 connections */ if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) { - if ((((mode & SSL_SESS_CACHE_CLIENT) - ? s->session_ctx->stats.sess_connect_good - : s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff) { + TSAN_QUALIFIER int *stat; + if (mode & SSL_SESS_CACHE_CLIENT) + stat = &s->session_ctx->stats.sess_connect_good; + else + stat = &s->session_ctx->stats.sess_accept_good; + if ((tsan_load(stat) & 0xff) == 0xff) SSL_CTX_flush_sessions(s->session_ctx, (unsigned long)time(NULL)); - } } } @@ -3081,7 +3435,7 @@ const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) const SSL_METHOD *SSL_get_ssl_method(SSL *s) { - return (s->method); + return s->method; } int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth) @@ -3105,7 +3459,7 @@ int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth) else if (hf == sm->ssl_accept) s->handshake_func = meth->ssl_accept; } - return (ret); + return ret; } int SSL_get_error(const SSL *s, int i) @@ -3115,7 +3469,7 @@ int SSL_get_error(const SSL *s, int i) BIO *bio; if (i > 0) - return (SSL_ERROR_NONE); + return SSL_ERROR_NONE; /* * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, @@ -3123,78 +3477,71 @@ int SSL_get_error(const SSL *s, int i) */ if ((l = ERR_peek_error()) != 0) { if (ERR_GET_LIB(l) == ERR_LIB_SYS) - return (SSL_ERROR_SYSCALL); + return SSL_ERROR_SYSCALL; else - return (SSL_ERROR_SSL); - } - - if (i < 0) { - if (SSL_want_read(s)) { - bio = SSL_get_rbio(s); - if (BIO_should_read(bio)) - return (SSL_ERROR_WANT_READ); - else if (BIO_should_write(bio)) - /* - * This one doesn't make too much sense ... We never try to write - * to the rbio, and an application program where rbio and wbio - * are separate couldn't even know what it should wait for. - * However if we ever set s->rwstate incorrectly (so that we have - * SSL_want_read(s) instead of SSL_want_write(s)) and rbio and - * wbio *are* the same, this test works around that bug; so it - * might be safer to keep it. - */ - return (SSL_ERROR_WANT_WRITE); - else if (BIO_should_io_special(bio)) { - reason = BIO_get_retry_reason(bio); - if (reason == BIO_RR_CONNECT) - return (SSL_ERROR_WANT_CONNECT); - else if (reason == BIO_RR_ACCEPT) - return (SSL_ERROR_WANT_ACCEPT); - else - return (SSL_ERROR_SYSCALL); /* unknown */ - } - } + return SSL_ERROR_SSL; + } - if (SSL_want_write(s)) { + if (SSL_want_read(s)) { + bio = SSL_get_rbio(s); + if (BIO_should_read(bio)) + return SSL_ERROR_WANT_READ; + else if (BIO_should_write(bio)) /* - * Access wbio directly - in order to use the buffered bio if - * present + * This one doesn't make too much sense ... We never try to write + * to the rbio, and an application program where rbio and wbio + * are separate couldn't even know what it should wait for. + * However if we ever set s->rwstate incorrectly (so that we have + * SSL_want_read(s) instead of SSL_want_write(s)) and rbio and + * wbio *are* the same, this test works around that bug; so it + * might be safer to keep it. */ - bio = s->wbio; - if (BIO_should_write(bio)) - return (SSL_ERROR_WANT_WRITE); - else if (BIO_should_read(bio)) - /* - * See above (SSL_want_read(s) with BIO_should_write(bio)) - */ - return (SSL_ERROR_WANT_READ); - else if (BIO_should_io_special(bio)) { - reason = BIO_get_retry_reason(bio); - if (reason == BIO_RR_CONNECT) - return (SSL_ERROR_WANT_CONNECT); - else if (reason == BIO_RR_ACCEPT) - return (SSL_ERROR_WANT_ACCEPT); - else - return (SSL_ERROR_SYSCALL); - } - } - if (SSL_want_x509_lookup(s)) { - return (SSL_ERROR_WANT_X509_LOOKUP); - } - if (SSL_want_async(s)) { - return SSL_ERROR_WANT_ASYNC; - } - if (SSL_want_async_job(s)) { - return SSL_ERROR_WANT_ASYNC_JOB; + return SSL_ERROR_WANT_WRITE; + else if (BIO_should_io_special(bio)) { + reason = BIO_get_retry_reason(bio); + if (reason == BIO_RR_CONNECT) + return SSL_ERROR_WANT_CONNECT; + else if (reason == BIO_RR_ACCEPT) + return SSL_ERROR_WANT_ACCEPT; + else + return SSL_ERROR_SYSCALL; /* unknown */ } } - if (i == 0) { - if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && - (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) - return (SSL_ERROR_ZERO_RETURN); + if (SSL_want_write(s)) { + /* Access wbio directly - in order to use the buffered bio if present */ + bio = s->wbio; + if (BIO_should_write(bio)) + return SSL_ERROR_WANT_WRITE; + else if (BIO_should_read(bio)) + /* + * See above (SSL_want_read(s) with BIO_should_write(bio)) + */ + return SSL_ERROR_WANT_READ; + else if (BIO_should_io_special(bio)) { + reason = BIO_get_retry_reason(bio); + if (reason == BIO_RR_CONNECT) + return SSL_ERROR_WANT_CONNECT; + else if (reason == BIO_RR_ACCEPT) + return SSL_ERROR_WANT_ACCEPT; + else + return SSL_ERROR_SYSCALL; + } } - return (SSL_ERROR_SYSCALL); + if (SSL_want_x509_lookup(s)) + return SSL_ERROR_WANT_X509_LOOKUP; + if (SSL_want_async(s)) + return SSL_ERROR_WANT_ASYNC; + if (SSL_want_async_job(s)) + return SSL_ERROR_WANT_ASYNC_JOB; + if (SSL_want_client_hello_cb(s)) + return SSL_ERROR_WANT_CLIENT_HELLO_CB; + + if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && + (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) + return SSL_ERROR_ZERO_RETURN; + + return SSL_ERROR_SYSCALL; } static int ssl_do_handshake_intern(void *vargs) @@ -3217,7 +3564,9 @@ int SSL_do_handshake(SSL *s) return -1; } - s->method->ssl_renegotiate_check(s); + ossl_statem_check_finish_init(s, -1); + + s->method->ssl_renegotiate_check(s, 0); if (SSL_in_init(s) || SSL_in_before(s)) { if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) { @@ -3254,45 +3603,58 @@ void SSL_set_connect_state(SSL *s) int ssl_undefined_function(SSL *s) { SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); + return 0; } int ssl_undefined_void_function(void) { SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (0); + return 0; } int ssl_undefined_const_function(const SSL *s) { - return (0); + return 0; } const SSL_METHOD *ssl_bad_method(int ver) { SSLerr(SSL_F_SSL_BAD_METHOD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return (NULL); + return NULL; } const char *ssl_protocol_to_string(int version) { - if (version == TLS1_2_VERSION) + switch(version) + { + case TLS1_3_VERSION: + return "TLSv1.3"; + + case TLS1_2_VERSION: return "TLSv1.2"; - else if (version == TLS1_1_VERSION) + + case TLS1_1_VERSION: return "TLSv1.1"; - else if (version == TLS1_VERSION) + + case TLS1_VERSION: return "TLSv1"; - else if (version == SSL3_VERSION) + + case SSL3_VERSION: return "SSLv3"; - else if (version == DTLS1_BAD_VER) + + case DTLS1_BAD_VER: return "DTLSv0.9"; - else if (version == DTLS1_VERSION) + + case DTLS1_VERSION: return "DTLSv1"; - else if (version == DTLS1_2_VERSION) + + case DTLS1_2_VERSION: return "DTLSv1.2"; - else - return ("unknown"); + + default: + return "unknown"; + } } const char *SSL_get_version(const SSL *s) @@ -3300,16 +3662,44 @@ const char *SSL_get_version(const SSL *s) return ssl_protocol_to_string(s->version); } -SSL *SSL_dup(SSL *s) +static int dup_ca_names(STACK_OF(X509_NAME) **dst, STACK_OF(X509_NAME) *src) { STACK_OF(X509_NAME) *sk; X509_NAME *xn; + int i; + + if (src == NULL) { + *dst = NULL; + return 1; + } + + if ((sk = sk_X509_NAME_new_null()) == NULL) + return 0; + for (i = 0; i < sk_X509_NAME_num(src); i++) { + xn = X509_NAME_dup(sk_X509_NAME_value(src, i)); + if (xn == NULL) { + sk_X509_NAME_pop_free(sk, X509_NAME_free); + return 0; + } + if (sk_X509_NAME_insert(sk, xn, i) == 0) { + X509_NAME_free(xn); + sk_X509_NAME_pop_free(sk, X509_NAME_free); + return 0; + } + } + *dst = sk; + + return 1; +} + +SSL *SSL_dup(SSL *s) +{ SSL *ret; int i; /* If we're not quiescent, just up_ref! */ if (!SSL_in_init(s) || !SSL_in_before(s)) { - CRYPTO_atomic_add(&s->references, 1, &i, s->lock); + CRYPTO_UP_REF(&s->references, &i, s->lock); return s; } @@ -3317,7 +3707,7 @@ SSL *SSL_dup(SSL *s) * Otherwise, copy configuration state, and session if set. */ if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL) - return (NULL); + return NULL; if (s->session != NULL) { /* @@ -3343,7 +3733,8 @@ SSL *SSL_dup(SSL *s) goto err; } - if (!SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length)) + if (!SSL_set_session_id_context(ret, s->sid_ctx, + (int)s->sid_ctx_length)) goto err; } @@ -3407,18 +3798,10 @@ SSL *SSL_dup(SSL *s) goto err; /* Dup the client_CA list */ - if (s->client_CA != NULL) { - if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL) - goto err; - ret->client_CA = sk; - for (i = 0; i < sk_X509_NAME_num(sk); i++) { - xn = sk_X509_NAME_value(sk, i); - if (sk_X509_NAME_set(sk, i, X509_NAME_dup(xn)) == NULL) { - X509_NAME_free(xn); - goto err; - } - } - } + if (!dup_ca_names(&ret->ca_names, s->ca_names) + || !dup_ca_names(&ret->client_ca_names, s->client_ca_names)) + goto err; + return ret; err: @@ -3447,17 +3830,17 @@ void ssl_clear_cipher_ctx(SSL *s) X509 *SSL_get_certificate(const SSL *s) { if (s->cert != NULL) - return (s->cert->key->x509); + return s->cert->key->x509; else - return (NULL); + return NULL; } EVP_PKEY *SSL_get_privatekey(const SSL *s) { if (s->cert != NULL) - return (s->cert->key->privatekey); + return s->cert->key->privatekey; else - return (NULL); + return NULL; } X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) @@ -3479,8 +3862,13 @@ EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) const SSL_CIPHER *SSL_get_current_cipher(const SSL *s) { if ((s->session != NULL) && (s->session->cipher != NULL)) - return (s->session->cipher); - return (NULL); + return s->session->cipher; + return NULL; +} + +const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s) +{ + return s->s3->tmp.new_cipher; } const COMP_METHOD *SSL_get_current_compression(SSL *s) @@ -3522,15 +3910,17 @@ int ssl_init_wbio_buffer(SSL *s) return 1; } -void ssl_free_wbio_buffer(SSL *s) +int ssl_free_wbio_buffer(SSL *s) { /* callers ensure s is never null */ if (s->bbio == NULL) - return; + return 1; s->wbio = BIO_pop(s->wbio); BIO_free(s->bbio); s->bbio = NULL; + + return 1; } void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) @@ -3540,7 +3930,7 @@ void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) { - return (ctx->quiet_shutdown); + return ctx->quiet_shutdown; } void SSL_set_quiet_shutdown(SSL *s, int mode) @@ -3550,7 +3940,7 @@ void SSL_set_quiet_shutdown(SSL *s, int mode) int SSL_get_quiet_shutdown(const SSL *s) { - return (s->quiet_shutdown); + return s->quiet_shutdown; } void SSL_set_shutdown(SSL *s, int mode) @@ -3590,7 +3980,7 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) return NULL; } - if (!custom_exts_copy_flags(&new_cert->srv_ext, &ssl->cert->srv_ext)) { + if (!custom_exts_copy_flags(&new_cert->custext, &ssl->cert->custext)) { ssl_cert_free(new_cert); return NULL; } @@ -3602,7 +3992,8 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) * Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH), * so setter APIs must prevent invalid lengths from entering the system. */ - OPENSSL_assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx)); + if (!ossl_assert(ssl->sid_ctx_length <= sizeof(ssl->sid_ctx))) + return NULL; /* * If the session ID context matches that of the parent SSL_CTX, @@ -3626,7 +4017,7 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) { - return (X509_STORE_set_default_paths(ctx->cert_store)); + return X509_STORE_set_default_paths(ctx->cert_store); } int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx) @@ -3663,7 +4054,7 @@ int SSL_CTX_set_default_verify_file(SSL_CTX *ctx) int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath) { - return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath)); + return X509_STORE_load_locations(ctx->cert_store, CAfile, CApath); } void SSL_set_info_callback(SSL *ssl, @@ -3689,7 +4080,7 @@ void SSL_set_verify_result(SSL *ssl, long arg) long SSL_get_verify_result(const SSL *ssl) { - return (ssl->verify_result); + return ssl->verify_result; } size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen) @@ -3715,46 +4106,49 @@ size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen) size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, unsigned char *out, size_t outlen) { - if (session->master_key_length < 0) { - /* Should never happen */ - return 0; - } if (outlen == 0) return session->master_key_length; - if (outlen > (size_t)session->master_key_length) + if (outlen > session->master_key_length) outlen = session->master_key_length; memcpy(out, session->master_key, outlen); return outlen; } +int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in, + size_t len) +{ + if (len > sizeof(sess->master_key)) + return 0; + + memcpy(sess->master_key, in, len); + sess->master_key_length = len; + return 1; +} + + int SSL_set_ex_data(SSL *s, int idx, void *arg) { - return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); + return CRYPTO_set_ex_data(&s->ex_data, idx, arg); } void *SSL_get_ex_data(const SSL *s, int idx) { - return (CRYPTO_get_ex_data(&s->ex_data, idx)); + return CRYPTO_get_ex_data(&s->ex_data, idx); } int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) { - return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); + return CRYPTO_set_ex_data(&s->ex_data, idx, arg); } void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx) { - return (CRYPTO_get_ex_data(&s->ex_data, idx)); -} - -int ssl_ok(SSL *s) -{ - return (1); + return CRYPTO_get_ex_data(&s->ex_data, idx); } X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) { - return (ctx->cert_store); + return ctx->cert_store; } void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) @@ -3763,9 +4157,16 @@ void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) ctx->cert_store = store; } +void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) +{ + if (store != NULL) + X509_STORE_up_ref(store); + SSL_CTX_set_cert_store(ctx, store); +} + int SSL_want(const SSL *s) { - return (s->rwstate); + return s->rwstate; } /** @@ -3829,61 +4230,59 @@ const char *SSL_get_psk_identity_hint(const SSL *s) { if (s == NULL || s->session == NULL) return NULL; - return (s->session->psk_identity_hint); + return s->session->psk_identity_hint; } const char *SSL_get_psk_identity(const SSL *s) { if (s == NULL || s->session == NULL) return NULL; - return (s->session->psk_identity); + return s->session->psk_identity; } -void SSL_set_psk_client_callback(SSL *s, - unsigned int (*cb) (SSL *ssl, - const char *hint, - char *identity, - unsigned int - max_identity_len, - unsigned char *psk, - unsigned int max_psk_len)) +void SSL_set_psk_client_callback(SSL *s, SSL_psk_client_cb_func cb) { s->psk_client_callback = cb; } -void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, - unsigned int (*cb) (SSL *ssl, - const char *hint, - char *identity, - unsigned int - max_identity_len, - unsigned char *psk, - unsigned int - max_psk_len)) +void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb) { ctx->psk_client_callback = cb; } -void SSL_set_psk_server_callback(SSL *s, - unsigned int (*cb) (SSL *ssl, - const char *identity, - unsigned char *psk, - unsigned int max_psk_len)) +void SSL_set_psk_server_callback(SSL *s, SSL_psk_server_cb_func cb) { s->psk_server_callback = cb; } -void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, - unsigned int (*cb) (SSL *ssl, - const char *identity, - unsigned char *psk, - unsigned int - max_psk_len)) +void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb) { ctx->psk_server_callback = cb; } #endif +void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb) +{ + s->psk_find_session_cb = cb; +} + +void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx, + SSL_psk_find_session_cb_func cb) +{ + ctx->psk_find_session_cb = cb; +} + +void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb) +{ + s->psk_use_session_cb = cb; +} + +void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx, + SSL_psk_use_session_cb_func cb) +{ + ctx->psk_use_session_cb = cb; +} + void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb) (int write_p, int version, int content_type, const void *buf, @@ -3917,6 +4316,88 @@ void SSL_set_not_resumable_session_callback(SSL *ssl, (void (*)(void))cb); } +void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx, + size_t (*cb) (SSL *ssl, int type, + size_t len, void *arg)) +{ + ctx->record_padding_cb = cb; +} + +void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg) +{ + ctx->record_padding_arg = arg; +} + +void *SSL_CTX_get_record_padding_callback_arg(SSL_CTX *ctx) +{ + return ctx->record_padding_arg; +} + +int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size) +{ + /* block size of 0 or 1 is basically no padding */ + if (block_size == 1) + ctx->block_padding = 0; + else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH) + ctx->block_padding = block_size; + else + return 0; + return 1; +} + +void SSL_set_record_padding_callback(SSL *ssl, + size_t (*cb) (SSL *ssl, int type, + size_t len, void *arg)) +{ + ssl->record_padding_cb = cb; +} + +void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg) +{ + ssl->record_padding_arg = arg; +} + +void *SSL_get_record_padding_callback_arg(SSL *ssl) +{ + return ssl->record_padding_arg; +} + +int SSL_set_block_padding(SSL *ssl, size_t block_size) +{ + /* block size of 0 or 1 is basically no padding */ + if (block_size == 1) + ssl->block_padding = 0; + else if (block_size <= SSL3_RT_MAX_PLAIN_LENGTH) + ssl->block_padding = block_size; + else + return 0; + return 1; +} + +int SSL_set_num_tickets(SSL *s, size_t num_tickets) +{ + s->num_tickets = num_tickets; + + return 1; +} + +size_t SSL_get_num_tickets(SSL *s) +{ + return s->num_tickets; +} + +int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) +{ + ctx->num_tickets = num_tickets; + + return 1; +} + +size_t SSL_CTX_get_num_tickets(SSL_CTX *ctx) +{ + return ctx->num_tickets; +} + /* * Allocates new EVP_MD_CTX and sets pointer to it into given pointer * variable, freeing EVP_MD_CTX previously stored in that variable, if any. @@ -3939,29 +4420,39 @@ EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md) void ssl_clear_hash_ctx(EVP_MD_CTX **hash) { - if (*hash) - EVP_MD_CTX_free(*hash); + EVP_MD_CTX_free(*hash); *hash = NULL; } /* Retrieve handshake hashes */ -int ssl_handshake_hash(SSL *s, unsigned char *out, int outlen) +int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen, + size_t *hashlen) { EVP_MD_CTX *ctx = NULL; EVP_MD_CTX *hdgst = s->s3->handshake_dgst; - int ret = EVP_MD_CTX_size(hdgst); - if (ret < 0 || ret > outlen) { - ret = 0; + int hashleni = EVP_MD_CTX_size(hdgst); + int ret = 0; + + if (hashleni < 0 || (size_t)hashleni > outlen) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH, + ERR_R_INTERNAL_ERROR); goto err; } + ctx = EVP_MD_CTX_new(); - if (ctx == NULL) { - ret = 0; + if (ctx == NULL) goto err; - } + if (!EVP_MD_CTX_copy_ex(ctx, hdgst) - || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) - ret = 0; + || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH, + ERR_R_INTERNAL_ERROR); + goto err; + } + + *hashlen = hashleni; + + ret = 1; err: EVP_MD_CTX_free(ctx); return ret; @@ -4147,9 +4638,9 @@ static int ct_extract_tls_extension_scts(SSL *s) { int scts_extracted = 0; - if (s->tlsext_scts != NULL) { - const unsigned char *p = s->tlsext_scts; - STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->tlsext_scts_len); + if (s->ext.scts != NULL) { + const unsigned char *p = s->ext.scts; + STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->ext.scts_len); scts_extracted = ct_move_scts(&s->scts, scts, SCT_SOURCE_TLS_EXTENSION); @@ -4177,11 +4668,11 @@ static int ct_extract_ocsp_response_scts(SSL *s) STACK_OF(SCT) *scts = NULL; int i; - if (s->tlsext_ocsp_resp == NULL || s->tlsext_ocsp_resplen == 0) + if (s->ext.ocsp.resp == NULL || s->ext.ocsp.resp_len == 0) goto err; - p = s->tlsext_ocsp_resp; - rsp = d2i_OCSP_RESPONSE(NULL, &p, s->tlsext_ocsp_resplen); + p = s->ext.ocsp.resp; + rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->ext.ocsp.resp_len); if (rsp == NULL) goto err; @@ -4377,7 +4868,8 @@ int ssl_validate_ct(SSL *s) ctx = CT_POLICY_EVAL_CTX_new(); if (ctx == NULL) { - SSLerr(SSL_F_SSL_VALIDATE_CT, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_VALIDATE_CT, + ERR_R_MALLOC_FAILURE); goto end; } @@ -4405,13 +4897,17 @@ int ssl_validate_ct(SSL *s) * ought to correspond to an inability to carry out its duties. */ if (SCT_LIST_validate(scts, ctx) < 0) { - SSLerr(SSL_F_SSL_VALIDATE_CT, SSL_R_SCT_VERIFICATION_FAILED); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL_VALIDATE_CT, + SSL_R_SCT_VERIFICATION_FAILED); goto end; } ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg); if (ret < 0) ret = 0; /* This function returns 0 on failure */ + if (!ret) + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL_VALIDATE_CT, + SSL_R_CALLBACK_FAILED); end: CT_POLICY_EVAL_CTX_free(ctx); @@ -4482,4 +4978,584 @@ const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx) return ctx->ctlog_store; } -#endif +#endif /* OPENSSL_NO_CT */ + +void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb, + void *arg) +{ + c->client_hello_cb = cb; + c->client_hello_cb_arg = arg; +} + +int SSL_client_hello_isv2(SSL *s) +{ + if (s->clienthello == NULL) + return 0; + return s->clienthello->isv2; +} + +unsigned int SSL_client_hello_get0_legacy_version(SSL *s) +{ + if (s->clienthello == NULL) + return 0; + return s->clienthello->legacy_version; +} + +size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out) +{ + if (s->clienthello == NULL) + return 0; + if (out != NULL) + *out = s->clienthello->random; + return SSL3_RANDOM_SIZE; +} + +size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out) +{ + if (s->clienthello == NULL) + return 0; + if (out != NULL) + *out = s->clienthello->session_id; + return s->clienthello->session_id_len; +} + +size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out) +{ + if (s->clienthello == NULL) + return 0; + if (out != NULL) + *out = PACKET_data(&s->clienthello->ciphersuites); + return PACKET_remaining(&s->clienthello->ciphersuites); +} + +size_t SSL_client_hello_get0_compression_methods(SSL *s, const unsigned char **out) +{ + if (s->clienthello == NULL) + return 0; + if (out != NULL) + *out = s->clienthello->compressions; + return s->clienthello->compressions_len; +} + +int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen) +{ + RAW_EXTENSION *ext; + int *present; + size_t num = 0, i; + + if (s->clienthello == NULL || out == NULL || outlen == NULL) + return 0; + for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) { + ext = s->clienthello->pre_proc_exts + i; + if (ext->present) + num++; + } + if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) { + SSLerr(SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT, + ERR_R_MALLOC_FAILURE); + return 0; + } + for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) { + ext = s->clienthello->pre_proc_exts + i; + if (ext->present) { + if (ext->received_order >= num) + goto err; + present[ext->received_order] = ext->type; + } + } + *out = present; + *outlen = num; + return 1; + err: + OPENSSL_free(present); + return 0; +} + +int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out, + size_t *outlen) +{ + size_t i; + RAW_EXTENSION *r; + + if (s->clienthello == NULL) + return 0; + for (i = 0; i < s->clienthello->pre_proc_exts_len; ++i) { + r = s->clienthello->pre_proc_exts + i; + if (r->present && r->type == type) { + if (out != NULL) + *out = PACKET_data(&r->data); + if (outlen != NULL) + *outlen = PACKET_remaining(&r->data); + return 1; + } + } + return 0; +} + +int SSL_free_buffers(SSL *ssl) +{ + RECORD_LAYER *rl = &ssl->rlayer; + + if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) + return 0; + + RECORD_LAYER_release(rl); + return 1; +} + +int SSL_alloc_buffers(SSL *ssl) +{ + return ssl3_setup_buffers(ssl); +} + +void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb) +{ + ctx->keylog_callback = cb; +} + +SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx) +{ + return ctx->keylog_callback; +} + +static int nss_keylog_int(const char *prefix, + SSL *ssl, + const uint8_t *parameter_1, + size_t parameter_1_len, + const uint8_t *parameter_2, + size_t parameter_2_len) +{ + char *out = NULL; + char *cursor = NULL; + size_t out_len = 0; + size_t i; + size_t prefix_len; + + if (ssl->ctx->keylog_callback == NULL) + return 1; + + /* + * Our output buffer will contain the following strings, rendered with + * space characters in between, terminated by a NULL character: first the + * prefix, then the first parameter, then the second parameter. The + * meaning of each parameter depends on the specific key material being + * logged. Note that the first and second parameters are encoded in + * hexadecimal, so we need a buffer that is twice their lengths. + */ + prefix_len = strlen(prefix); + out_len = prefix_len + (2 * parameter_1_len) + (2 * parameter_2_len) + 3; + if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) { + SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, SSL_F_NSS_KEYLOG_INT, + ERR_R_MALLOC_FAILURE); + return 0; + } + + strcpy(cursor, prefix); + cursor += prefix_len; + *cursor++ = ' '; + + for (i = 0; i < parameter_1_len; i++) { + sprintf(cursor, "%02x", parameter_1[i]); + cursor += 2; + } + *cursor++ = ' '; + + for (i = 0; i < parameter_2_len; i++) { + sprintf(cursor, "%02x", parameter_2[i]); + cursor += 2; + } + *cursor = '\0'; + + ssl->ctx->keylog_callback(ssl, (const char *)out); + OPENSSL_clear_free(out, out_len); + return 1; + +} + +int ssl_log_rsa_client_key_exchange(SSL *ssl, + const uint8_t *encrypted_premaster, + size_t encrypted_premaster_len, + const uint8_t *premaster, + size_t premaster_len) +{ + if (encrypted_premaster_len < 8) { + SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + return 0; + } + + /* We only want the first 8 bytes of the encrypted premaster as a tag. */ + return nss_keylog_int("RSA", + ssl, + encrypted_premaster, + 8, + premaster, + premaster_len); +} + +int ssl_log_secret(SSL *ssl, + const char *label, + const uint8_t *secret, + size_t secret_len) +{ + return nss_keylog_int(label, + ssl, + ssl->s3->client_random, + SSL3_RANDOM_SIZE, + secret, + secret_len); +} + +#define SSLV2_CIPHER_LEN 3 + +int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format) +{ + int n; + + n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; + + if (PACKET_remaining(cipher_suites) == 0) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL_CACHE_CIPHERLIST, + SSL_R_NO_CIPHERS_SPECIFIED); + return 0; + } + + if (PACKET_remaining(cipher_suites) % n != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, + SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); + return 0; + } + + OPENSSL_free(s->s3->tmp.ciphers_raw); + s->s3->tmp.ciphers_raw = NULL; + s->s3->tmp.ciphers_rawlen = 0; + + if (sslv2format) { + size_t numciphers = PACKET_remaining(cipher_suites) / n; + PACKET sslv2ciphers = *cipher_suites; + unsigned int leadbyte; + unsigned char *raw; + + /* + * We store the raw ciphers list in SSLv3+ format so we need to do some + * preprocessing to convert the list first. If there are any SSLv2 only + * ciphersuites with a non-zero leading byte then we are going to + * slightly over allocate because we won't store those. But that isn't a + * problem. + */ + raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN); + s->s3->tmp.ciphers_raw = raw; + if (raw == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, + ERR_R_MALLOC_FAILURE); + return 0; + } + for (s->s3->tmp.ciphers_rawlen = 0; + PACKET_remaining(&sslv2ciphers) > 0; + raw += TLS_CIPHER_LEN) { + if (!PACKET_get_1(&sslv2ciphers, &leadbyte) + || (leadbyte == 0 + && !PACKET_copy_bytes(&sslv2ciphers, raw, + TLS_CIPHER_LEN)) + || (leadbyte != 0 + && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, + SSL_R_BAD_PACKET); + OPENSSL_free(s->s3->tmp.ciphers_raw); + s->s3->tmp.ciphers_raw = NULL; + s->s3->tmp.ciphers_rawlen = 0; + return 0; + } + if (leadbyte == 0) + s->s3->tmp.ciphers_rawlen += TLS_CIPHER_LEN; + } + } else if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw, + &s->s3->tmp.ciphers_rawlen)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST, + ERR_R_INTERNAL_ERROR); + return 0; + } + return 1; +} + +int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len, + int isv2format, STACK_OF(SSL_CIPHER) **sk, + STACK_OF(SSL_CIPHER) **scsvs) +{ + PACKET pkt; + + if (!PACKET_buf_init(&pkt, bytes, len)) + return 0; + return bytes_to_cipher_list(s, &pkt, sk, scsvs, isv2format, 0); +} + +int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, + STACK_OF(SSL_CIPHER) **skp, + STACK_OF(SSL_CIPHER) **scsvs_out, + int sslv2format, int fatal) +{ + const SSL_CIPHER *c; + STACK_OF(SSL_CIPHER) *sk = NULL; + STACK_OF(SSL_CIPHER) *scsvs = NULL; + int n; + /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */ + unsigned char cipher[SSLV2_CIPHER_LEN]; + + n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; + + if (PACKET_remaining(cipher_suites) == 0) { + if (fatal) + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_BYTES_TO_CIPHER_LIST, + SSL_R_NO_CIPHERS_SPECIFIED); + else + SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED); + return 0; + } + + if (PACKET_remaining(cipher_suites) % n != 0) { + if (fatal) + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_BYTES_TO_CIPHER_LIST, + SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); + else + SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, + SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); + return 0; + } + + sk = sk_SSL_CIPHER_new_null(); + scsvs = sk_SSL_CIPHER_new_null(); + if (sk == NULL || scsvs == NULL) { + if (fatal) + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_BYTES_TO_CIPHER_LIST, + ERR_R_MALLOC_FAILURE); + else + SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); + goto err; + } + + while (PACKET_copy_bytes(cipher_suites, cipher, n)) { + /* + * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the + * first byte set to zero, while true SSLv2 ciphers have a non-zero + * first byte. We don't support any true SSLv2 ciphers, so skip them. + */ + if (sslv2format && cipher[0] != '\0') + continue; + + /* For SSLv2-compat, ignore leading 0-byte. */ + c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher, 1); + if (c != NULL) { + if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) || + (!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) { + if (fatal) + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); + else + SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); + goto err; + } + } + } + if (PACKET_remaining(cipher_suites) > 0) { + if (fatal) + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_BYTES_TO_CIPHER_LIST, + SSL_R_BAD_LENGTH); + else + SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_BAD_LENGTH); + goto err; + } + + if (skp != NULL) + *skp = sk; + else + sk_SSL_CIPHER_free(sk); + if (scsvs_out != NULL) + *scsvs_out = scsvs; + else + sk_SSL_CIPHER_free(scsvs); + return 1; + err: + sk_SSL_CIPHER_free(sk); + sk_SSL_CIPHER_free(scsvs); + return 0; +} + +int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data) +{ + ctx->max_early_data = max_early_data; + + return 1; +} + +uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx) +{ + return ctx->max_early_data; +} + +int SSL_set_max_early_data(SSL *s, uint32_t max_early_data) +{ + s->max_early_data = max_early_data; + + return 1; +} + +uint32_t SSL_get_max_early_data(const SSL *s) +{ + return s->max_early_data; +} + +int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data) +{ + ctx->recv_max_early_data = recv_max_early_data; + + return 1; +} + +uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx) +{ + return ctx->recv_max_early_data; +} + +int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data) +{ + s->recv_max_early_data = recv_max_early_data; + + return 1; +} + +uint32_t SSL_get_recv_max_early_data(const SSL *s) +{ + return s->recv_max_early_data; +} + +__owur unsigned int ssl_get_max_send_fragment(const SSL *ssl) +{ + /* Return any active Max Fragment Len extension */ + if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session)) + return GET_MAX_FRAGMENT_LENGTH(ssl->session); + + /* return current SSL connection setting */ + return ssl->max_send_fragment; +} + +__owur unsigned int ssl_get_split_send_fragment(const SSL *ssl) +{ + /* Return a value regarding an active Max Fragment Len extension */ + if (ssl->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session) + && ssl->split_send_fragment > GET_MAX_FRAGMENT_LENGTH(ssl->session)) + return GET_MAX_FRAGMENT_LENGTH(ssl->session); + + /* else limit |split_send_fragment| to current |max_send_fragment| */ + if (ssl->split_send_fragment > ssl->max_send_fragment) + return ssl->max_send_fragment; + + /* return current SSL connection setting */ + return ssl->split_send_fragment; +} + +int SSL_stateless(SSL *s) +{ + int ret; + + /* Ensure there is no state left over from a previous invocation */ + if (!SSL_clear(s)) + return 0; + + ERR_clear_error(); + + s->s3->flags |= TLS1_FLAGS_STATELESS; + ret = SSL_accept(s); + s->s3->flags &= ~TLS1_FLAGS_STATELESS; + + if (ret > 0 && s->ext.cookieok) + return 1; + + if (s->hello_retry_request == SSL_HRR_PENDING && !ossl_statem_in_error(s)) + return 0; + + return -1; +} + +void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val) +{ + ctx->pha_enabled = val; +} + +void SSL_set_post_handshake_auth(SSL *ssl, int val) +{ + ssl->pha_enabled = val; +} + +int SSL_verify_client_post_handshake(SSL *ssl) +{ + if (!SSL_IS_TLS13(ssl)) { + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_WRONG_SSL_VERSION); + return 0; + } + if (!ssl->server) { + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_NOT_SERVER); + return 0; + } + + if (!SSL_is_init_finished(ssl)) { + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_STILL_IN_INIT); + return 0; + } + + switch (ssl->post_handshake_auth) { + case SSL_PHA_NONE: + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_EXTENSION_NOT_RECEIVED); + return 0; + default: + case SSL_PHA_EXT_SENT: + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, ERR_R_INTERNAL_ERROR); + return 0; + case SSL_PHA_EXT_RECEIVED: + break; + case SSL_PHA_REQUEST_PENDING: + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_REQUEST_PENDING); + return 0; + case SSL_PHA_REQUESTED: + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_REQUEST_SENT); + return 0; + } + + ssl->post_handshake_auth = SSL_PHA_REQUEST_PENDING; + + /* checks verify_mode and algorithm_auth */ + if (!send_certificate_request(ssl)) { + ssl->post_handshake_auth = SSL_PHA_EXT_RECEIVED; /* restore on error */ + SSLerr(SSL_F_SSL_VERIFY_CLIENT_POST_HANDSHAKE, SSL_R_INVALID_CONFIG); + return 0; + } + + ossl_statem_set_in_init(ssl, 1); + return 1; +} + +int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx, + SSL_CTX_generate_session_ticket_fn gen_cb, + SSL_CTX_decrypt_session_ticket_fn dec_cb, + void *arg) +{ + ctx->generate_ticket_cb = gen_cb; + ctx->decrypt_ticket_cb = dec_cb; + ctx->ticket_cb_data = arg; + return 1; +} + +void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx, + SSL_allow_early_data_cb_fn cb, + void *arg) +{ + ctx->allow_early_data_cb = cb; + ctx->allow_early_data_cb_data = arg; +} + +void SSL_set_allow_early_data_cb(SSL *s, + SSL_allow_early_data_cb_fn cb, + void *arg) +{ + s->allow_early_data_cb = cb; + s->allow_early_data_cb_data = arg; +} diff --git a/deps/openssl/openssl/ssl/ssl_locl.h b/deps/openssl/openssl/ssl/ssl_locl.h index 3c7c1a8e64..70e5a1740f 100644 --- a/deps/openssl/openssl/ssl/ssl_locl.h +++ b/deps/openssl/openssl/ssl/ssl_locl.h @@ -1,5 +1,7 @@ /* * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,54 +9,18 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #ifndef HEADER_SSL_LOCL_H # define HEADER_SSL_LOCL_H + +# include "e_os.h" /* struct timeval for DTLS */ # include <stdlib.h> # include <time.h> # include <string.h> # include <errno.h> -# include "e_os.h" -# if defined(__unix) || defined(__unix__) -# include <sys/time.h> /* struct timeval for DTLS */ -# endif - # include <openssl/buffer.h> # include <openssl/comp.h> # include <openssl/bio.h> -# include <openssl/stack.h> # include <openssl/rsa.h> # include <openssl/dsa.h> # include <openssl/err.h> @@ -66,14 +32,14 @@ # include "statem/statem.h" # include "packet_locl.h" # include "internal/dane.h" +# include "internal/refcount.h" +# include "internal/tsan_assist.h" # ifdef OPENSSL_BUILD_SHLIBSSL # undef OPENSSL_EXTERN # define OPENSSL_EXTERN OPENSSL_EXPORT # endif -# undef PKCS1_CHECK - # define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \ l|=(((unsigned long)(*((c)++)))<< 8), \ l|=(((unsigned long)(*((c)++)))<<16), \ @@ -164,8 +130,6 @@ (c)[1]=(unsigned char)(((l)>> 8)&0xff), \ (c)[2]=(unsigned char)(((l) )&0xff)),(c)+=3) -# define SSL_MAX_2_BYTE_LEN (0xffff) - /* * DTLS version numbers are strange because they're inverted. Except for * DTLS1_BAD_VER, which should be considered "lower" than the rest. @@ -176,19 +140,6 @@ # define DTLS_VERSION_LT(v1, v2) (dtls_ver_ordinal(v1) > dtls_ver_ordinal(v2)) # define DTLS_VERSION_LE(v1, v2) (dtls_ver_ordinal(v1) >= dtls_ver_ordinal(v2)) -/* LOCAL STUFF */ - -# define SSL_DECRYPT 0 -# define SSL_ENCRYPT 1 - -# define TWO_BYTE_BIT 0x80 -# define SEC_ESC_BIT 0x40 -# define TWO_BYTE_MASK 0x7fff -# define THREE_BYTE_MASK 0x3fff - -# define INC32(a) ((a)=((a)+1)&0xffffffffL) -# define DEC32(a) ((a)=((a)-1)&0xffffffffL) -# define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */ /* * Define the Bitmasks for SSL_CIPHER.algorithms. @@ -230,6 +181,9 @@ # define SSL_PSK (SSL_kPSK | SSL_kRSAPSK | SSL_kECDHEPSK | SSL_kDHEPSK) +/* Any appropriate key exchange algorithm (for TLS 1.3 ciphersuites) */ +# define SSL_kANY 0x00000000U + /* Bits for algorithm_auth (server authentication) */ /* RSA auth */ # define SSL_aRSA 0x00000001U @@ -247,6 +201,11 @@ # define SSL_aSRP 0x00000040U /* GOST R 34.10-2012 signature auth */ # define SSL_aGOST12 0x00000080U +/* Any appropriate signature auth (for TLS 1.3 ciphersuites) */ +# define SSL_aANY 0x00000000U +/* All bits requiring a certificate */ +#define SSL_aCERT \ + (SSL_aRSA | SSL_aDSS | SSL_aECDSA | SSL_aGOST01 | SSL_aGOST12) /* Bits for algorithm_enc (symmetric encryption) */ # define SSL_DES 0x00000001U @@ -269,12 +228,16 @@ # define SSL_AES256CCM8 0x00020000U # define SSL_eGOST2814789CNT12 0x00040000U # define SSL_CHACHA20POLY1305 0x00080000U +# define SSL_ARIA128GCM 0x00100000U +# define SSL_ARIA256GCM 0x00200000U # define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM) # define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8) # define SSL_AES (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM) # define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) # define SSL_CHACHA20 (SSL_CHACHA20POLY1305) +# define SSL_ARIAGCM (SSL_ARIA128GCM | SSL_ARIA256GCM) +# define SSL_ARIA (SSL_ARIAGCM) /* Bits for algorithm_mac (symmetric authentication) */ @@ -349,11 +312,27 @@ /* we have used 0000003f - 26 bits left to go */ -# define SSL_IS_FIRST_HANDSHAKE(S) ((s)->s3->tmp.finish_md_len == 0 \ - || (s)->s3->tmp.peer_finish_md_len == 0) +/* Flag used on OpenSSL ciphersuite ids to indicate they are for SSLv3+ */ +# define SSL3_CK_CIPHERSUITE_FLAG 0x03000000 /* Check if an SSL structure is using DTLS */ # define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) + +/* Check if we are using TLSv1.3 */ +# define SSL_IS_TLS13(s) (!SSL_IS_DTLS(s) \ + && (s)->method->version >= TLS1_3_VERSION \ + && (s)->method->version != TLS_ANY_VERSION) + +# define SSL_TREAT_AS_TLS13(s) \ + (SSL_IS_TLS13(s) || (s)->early_data_state == SSL_EARLY_DATA_CONNECTING \ + || (s)->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY \ + || (s)->early_data_state == SSL_EARLY_DATA_WRITING \ + || (s)->early_data_state == SSL_EARLY_DATA_WRITE_RETRY \ + || (s)->hello_retry_request == SSL_HRR_PENDING) + +# define SSL_IS_FIRST_HANDSHAKE(S) ((s)->s3->tmp.finish_md_len == 0 \ + || (s)->s3->tmp.peer_finish_md_len == 0) + /* See if we need explicit IV */ # define SSL_USE_EXPLICIT_IV(s) \ (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV) @@ -383,23 +362,28 @@ # define SSL_CLIENT_USE_SIGALGS(s) \ SSL_CLIENT_USE_TLS1_2_CIPHERS(s) +# define IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value) \ + (((value) >= TLSEXT_max_fragment_length_512) && \ + ((value) <= TLSEXT_max_fragment_length_4096)) +# define USE_MAX_FRAGMENT_LENGTH_EXT(session) \ + IS_MAX_FRAGMENT_LENGTH_EXT_VALID(session->ext.max_fragment_len_mode) +# define GET_MAX_FRAGMENT_LENGTH(session) \ + (512U << (session->ext.max_fragment_len_mode - 1)) + # define SSL_READ_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_READ) # define SSL_WRITE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE) /* Mostly for SSLv3 */ -# define SSL_PKEY_RSA_ENC 0 -# define SSL_PKEY_RSA_SIGN 1 +# define SSL_PKEY_RSA 0 +# define SSL_PKEY_RSA_PSS_SIGN 1 # define SSL_PKEY_DSA_SIGN 2 # define SSL_PKEY_ECC 3 # define SSL_PKEY_GOST01 4 # define SSL_PKEY_GOST12_256 5 # define SSL_PKEY_GOST12_512 6 -# define SSL_PKEY_NUM 7 -/* - * Pseudo-constant. GOST cipher suites can use different certs for 1 - * SSL_CIPHER. So let's see which one we have in fact. - */ -# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1 +# define SSL_PKEY_ED25519 7 +# define SSL_PKEY_ED448 8 +# define SSL_PKEY_NUM 9 /*- * SSL_kRSA <- RSA_ENC @@ -415,12 +399,22 @@ #define CERT_PRIVATE_KEY 2 */ +/* Post-Handshake Authentication state */ +typedef enum { + SSL_PHA_NONE = 0, + SSL_PHA_EXT_SENT, /* client-side only: extension sent */ + SSL_PHA_EXT_RECEIVED, /* server-side only: extension received */ + SSL_PHA_REQUEST_PENDING, /* server-side only: request pending */ + SSL_PHA_REQUESTED /* request received by client, or sent by server */ +} SSL_PHA_STATE; + /* CipherSuite length. SSLv3 and all TLS versions. */ # define TLS_CIPHER_LEN 2 /* used to hold info on the particular ciphers used */ struct ssl_cipher_st { uint32_t valid; const char *name; /* text name */ + const char *stdname; /* RFC name */ uint32_t id; /* id, 4 bytes, first is version */ /* * changed in 1.0.0: these four used to be portions of a single value @@ -446,25 +440,28 @@ struct ssl_method_st { unsigned flags; unsigned long mask; int (*ssl_new) (SSL *s); - void (*ssl_clear) (SSL *s); + int (*ssl_clear) (SSL *s); void (*ssl_free) (SSL *s); int (*ssl_accept) (SSL *s); int (*ssl_connect) (SSL *s); - int (*ssl_read) (SSL *s, void *buf, int len); - int (*ssl_peek) (SSL *s, void *buf, int len); - int (*ssl_write) (SSL *s, const void *buf, int len); + int (*ssl_read) (SSL *s, void *buf, size_t len, size_t *readbytes); + int (*ssl_peek) (SSL *s, void *buf, size_t len, size_t *readbytes); + int (*ssl_write) (SSL *s, const void *buf, size_t len, size_t *written); int (*ssl_shutdown) (SSL *s); int (*ssl_renegotiate) (SSL *s); - int (*ssl_renegotiate_check) (SSL *s); + int (*ssl_renegotiate_check) (SSL *s, int); int (*ssl_read_bytes) (SSL *s, int type, int *recvd_type, - unsigned char *buf, int len, int peek); - int (*ssl_write_bytes) (SSL *s, int type, const void *buf_, int len); + unsigned char *buf, size_t len, int peek, + size_t *readbytes); + int (*ssl_write_bytes) (SSL *s, int type, const void *buf_, size_t len, + size_t *written); int (*ssl_dispatch_alert) (SSL *s); long (*ssl_ctrl) (SSL *s, int cmd, long larg, void *parg); long (*ssl_ctx_ctrl) (SSL_CTX *ctx, int cmd, long larg, void *parg); const SSL_CIPHER *(*get_cipher_by_char) (const unsigned char *ptr); - int (*put_cipher_by_char) (const SSL_CIPHER *cipher, unsigned char *ptr); - int (*ssl_pending) (const SSL *s); + int (*put_cipher_by_char) (const SSL_CIPHER *cipher, WPACKET *pkt, + size_t *len); + size_t (*ssl_pending) (const SSL *s); int (*num_ciphers) (void); const SSL_CIPHER *(*get_cipher) (unsigned ncipher); long (*get_timeout) (void); @@ -474,6 +471,12 @@ struct ssl_method_st { long (*ssl_ctx_callback_ctrl) (SSL_CTX *s, int cb_id, void (*fp) (void)); }; +/* + * Matches the length of PSK_MAX_PSK_LEN. We keep it the same value for + * consistency, even in the event of OPENSSL_NO_PSK being defined. + */ +# define TLS13_MAX_RESUMPTION_PSK_LENGTH 256 + /*- * Lets make this into an ASN.1 type structure as follows * SSL_SESSION_ID ::= SEQUENCE { @@ -503,17 +506,24 @@ struct ssl_method_st { struct ssl_session_st { int ssl_version; /* what ssl version session info is being kept * in here? */ - int master_key_length; - unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; + size_t master_key_length; + + /* TLSv1.3 early_secret used for external PSKs */ + unsigned char early_secret[EVP_MAX_MD_SIZE]; + /* + * For <=TLS1.2 this is the master_key. For TLS1.3 this is the resumption + * PSK + */ + unsigned char master_key[TLS13_MAX_RESUMPTION_PSK_LENGTH]; /* session_id - valid? */ - unsigned int session_id_length; + size_t session_id_length; unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; /* * this is used to determine whether the session is being reused in the * appropriate context. It is up to the application to set this, via * SSL_new */ - unsigned int sid_ctx_length; + size_t sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; # ifndef OPENSSL_NO_PSK char *psk_identity_hint; @@ -528,14 +538,14 @@ struct ssl_session_st { /* This is the cert and type for the other end. */ X509 *peer; int peer_type; - /* Certificate chain peer sent */ + /* Certificate chain peer sent. */ STACK_OF(X509) *peer_chain; /* * when app_verify_callback accepts a session where the peer's * certificate is not ok, we must remember the error for session reuse: */ long verify_result; /* only for servers */ - int references; + CRYPTO_REF_COUNT references; long timeout; long time; unsigned int compress_meth; /* Need to lookup the method */ @@ -549,21 +559,40 @@ struct ssl_session_st { * implement a maximum cache size. */ struct ssl_session_st *prev, *next; - char *tlsext_hostname; + + struct { + char *hostname; # ifndef OPENSSL_NO_EC - size_t tlsext_ecpointformatlist_length; - unsigned char *tlsext_ecpointformatlist; /* peer's list */ - size_t tlsext_ellipticcurvelist_length; - unsigned char *tlsext_ellipticcurvelist; /* peer's list */ + size_t ecpointformats_len; + unsigned char *ecpointformats; /* peer's list */ # endif /* OPENSSL_NO_EC */ + size_t supportedgroups_len; + uint16_t *supportedgroups; /* peer's list */ /* RFC4507 info */ - unsigned char *tlsext_tick; /* Session ticket */ - size_t tlsext_ticklen; /* Session ticket length */ - unsigned long tlsext_tick_lifetime_hint; /* Session lifetime hint in - * seconds */ + unsigned char *tick; /* Session ticket */ + size_t ticklen; /* Session ticket length */ + /* Session lifetime hint in seconds */ + unsigned long tick_lifetime_hint; + uint32_t tick_age_add; + int tick_identity; + /* Max number of bytes that can be sent as early data */ + uint32_t max_early_data; + /* The ALPN protocol selected for this session */ + unsigned char *alpn_selected; + size_t alpn_selected_len; + /* + * Maximum Fragment Length as per RFC 4366. + * If this value does not contain RFC 4366 allowed values (1-4) then + * either the Maximum Fragment Length Negotiation failed or was not + * performed at all. + */ + uint8_t max_fragment_len_mode; + } ext; # ifndef OPENSSL_NO_SRP char *srp_username; # endif + unsigned char *ticket_appdata; + size_t ticket_appdata_len; uint32_t flags; CRYPTO_RWLOCK *lock; }; @@ -592,30 +621,140 @@ typedef struct srp_ctx_st { # endif +typedef enum { + SSL_EARLY_DATA_NONE = 0, + SSL_EARLY_DATA_CONNECT_RETRY, + SSL_EARLY_DATA_CONNECTING, + SSL_EARLY_DATA_WRITE_RETRY, + SSL_EARLY_DATA_WRITING, + SSL_EARLY_DATA_WRITE_FLUSH, + SSL_EARLY_DATA_UNAUTH_WRITING, + SSL_EARLY_DATA_FINISHED_WRITING, + SSL_EARLY_DATA_ACCEPT_RETRY, + SSL_EARLY_DATA_ACCEPTING, + SSL_EARLY_DATA_READ_RETRY, + SSL_EARLY_DATA_READING, + SSL_EARLY_DATA_FINISHED_READING +} SSL_EARLY_DATA_STATE; + +/* + * We check that the amount of unreadable early data doesn't exceed + * max_early_data. max_early_data is given in plaintext bytes. However if it is + * unreadable then we only know the number of ciphertext bytes. We also don't + * know how much the overhead should be because it depends on the ciphersuite. + * We make a small allowance. We assume 5 records of actual data plus the end + * of early data alert record. Each record has a tag and a content type byte. + * The longest tag length we know of is EVP_GCM_TLS_TAG_LEN. We don't count the + * content of the alert record either which is 2 bytes. + */ +# define EARLY_DATA_CIPHERTEXT_OVERHEAD ((6 * (EVP_GCM_TLS_TAG_LEN + 1)) + 2) + +/* + * The allowance we have between the client's calculated ticket age and our own. + * We allow for 10 seconds (units are in ms). If a ticket is presented and the + * client's age calculation is different by more than this than our own then we + * do not allow that ticket for early_data. + */ +# define TICKET_AGE_ALLOWANCE (10 * 1000) + +#define MAX_COMPRESSIONS_SIZE 255 + struct ssl_comp_st { int id; const char *name; COMP_METHOD *method; }; +typedef struct raw_extension_st { + /* Raw packet data for the extension */ + PACKET data; + /* Set to 1 if the extension is present or 0 otherwise */ + int present; + /* Set to 1 if we have already parsed the extension or 0 otherwise */ + int parsed; + /* The type of this extension, i.e. a TLSEXT_TYPE_* value */ + unsigned int type; + /* Track what order extensions are received in (0-based). */ + size_t received_order; +} RAW_EXTENSION; + +typedef struct { + unsigned int isv2; + unsigned int legacy_version; + unsigned char random[SSL3_RANDOM_SIZE]; + size_t session_id_len; + unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; + size_t dtls_cookie_len; + unsigned char dtls_cookie[DTLS1_COOKIE_LENGTH]; + PACKET ciphersuites; + size_t compressions_len; + unsigned char compressions[MAX_COMPRESSIONS_SIZE]; + PACKET extensions; + size_t pre_proc_exts_len; + RAW_EXTENSION *pre_proc_exts; +} CLIENTHELLO_MSG; + +/* + * Extension index values NOTE: Any updates to these defines should be mirrored + * with equivalent updates to ext_defs in extensions.c + */ +typedef enum tlsext_index_en { + TLSEXT_IDX_renegotiate, + TLSEXT_IDX_server_name, + TLSEXT_IDX_max_fragment_length, + TLSEXT_IDX_srp, + TLSEXT_IDX_ec_point_formats, + TLSEXT_IDX_supported_groups, + TLSEXT_IDX_session_ticket, + TLSEXT_IDX_status_request, + TLSEXT_IDX_next_proto_neg, + TLSEXT_IDX_application_layer_protocol_negotiation, + TLSEXT_IDX_use_srtp, + TLSEXT_IDX_encrypt_then_mac, + TLSEXT_IDX_signed_certificate_timestamp, + TLSEXT_IDX_extended_master_secret, + TLSEXT_IDX_signature_algorithms_cert, + TLSEXT_IDX_post_handshake_auth, + TLSEXT_IDX_signature_algorithms, + TLSEXT_IDX_supported_versions, + TLSEXT_IDX_psk_kex_modes, + TLSEXT_IDX_key_share, + TLSEXT_IDX_cookie, + TLSEXT_IDX_cryptopro_bug, + TLSEXT_IDX_early_data, + TLSEXT_IDX_certificate_authorities, + TLSEXT_IDX_padding, + TLSEXT_IDX_psk, + /* Dummy index - must always be the last entry */ + TLSEXT_IDX_num_builtins +} TLSEXT_INDEX; + DEFINE_LHASH_OF(SSL_SESSION); /* Needed in ssl_cert.c */ DEFINE_LHASH_OF(X509_NAME); -# define TLSEXT_KEYNAME_LENGTH 16 +# define TLSEXT_KEYNAME_LENGTH 16 +# define TLSEXT_TICK_KEY_LENGTH 32 + +typedef struct ssl_ctx_ext_secure_st { + unsigned char tick_hmac_key[TLSEXT_TICK_KEY_LENGTH]; + unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH]; +} SSL_CTX_EXT_SECURE; struct ssl_ctx_st { const SSL_METHOD *method; STACK_OF(SSL_CIPHER) *cipher_list; /* same as above but sorted for lookup */ STACK_OF(SSL_CIPHER) *cipher_list_by_id; + /* TLSv1.3 specific ciphersuites */ + STACK_OF(SSL_CIPHER) *tls13_ciphersuites; struct x509_store_st /* X509_STORE */ *cert_store; LHASH_OF(SSL_SESSION) *sessions; /* * Most session-ids that will be cached, default is * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */ - unsigned long session_cache_size; + size_t session_cache_size; struct ssl_session_st *session_cache_head; struct ssl_session_st *session_cache_tail; /* @@ -645,24 +784,26 @@ struct ssl_ctx_st { const unsigned char *data, int len, int *copy); struct { - int sess_connect; /* SSL new conn - started */ - int sess_connect_renegotiate; /* SSL reneg - requested */ - int sess_connect_good; /* SSL new conne/reneg - finished */ - int sess_accept; /* SSL new accept - started */ - int sess_accept_renegotiate; /* SSL reneg - requested */ - int sess_accept_good; /* SSL accept/reneg - finished */ - int sess_miss; /* session lookup misses */ - int sess_timeout; /* reuse attempt on timeouted session */ - int sess_cache_full; /* session removed due to full cache */ - int sess_hit; /* session reuse actually done */ - int sess_cb_hit; /* session-id that was not in the cache was - * passed back via the callback. This - * indicates that the application is supplying - * session-id's from other processes - spooky - * :-) */ + TSAN_QUALIFIER int sess_connect; /* SSL new conn - started */ + TSAN_QUALIFIER int sess_connect_renegotiate; /* SSL reneg - requested */ + TSAN_QUALIFIER int sess_connect_good; /* SSL new conne/reneg - finished */ + TSAN_QUALIFIER int sess_accept; /* SSL new accept - started */ + TSAN_QUALIFIER int sess_accept_renegotiate; /* SSL reneg - requested */ + TSAN_QUALIFIER int sess_accept_good; /* SSL accept/reneg - finished */ + TSAN_QUALIFIER int sess_miss; /* session lookup misses */ + TSAN_QUALIFIER int sess_timeout; /* reuse attempt on timeouted session */ + TSAN_QUALIFIER int sess_cache_full; /* session removed due to full cache */ + TSAN_QUALIFIER int sess_hit; /* session reuse actually done */ + TSAN_QUALIFIER int sess_cb_hit; /* session-id that was not in + * the cache was passed back via + * the callback. This indicates + * that the application is + * supplying session-id's from + * other processes - spooky + * :-) */ } stats; - int references; + CRYPTO_REF_COUNT references; /* if defined, these override the X509_verify_cert() calls */ int (*app_verify_callback) (X509_STORE_CTX *, void *); @@ -689,6 +830,14 @@ struct ssl_ctx_st { int (*app_verify_cookie_cb) (SSL *ssl, const unsigned char *cookie, unsigned int cookie_len); + /* TLS1.3 app-controlled cookie generate callback */ + int (*gen_stateless_cookie_cb) (SSL *ssl, unsigned char *cookie, + size_t *cookie_len); + + /* TLS1.3 verify app-controlled cookie callback */ + int (*verify_stateless_cookie_cb) (SSL *ssl, const unsigned char *cookie, + size_t cookie_len); + CRYPTO_EX_DATA ex_data; const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ @@ -702,8 +851,14 @@ struct ssl_ctx_st { /* used if SSL's info_callback is NULL */ void (*info_callback) (const SSL *ssl, int type, int val); - /* what we put in client cert requests */ - STACK_OF(X509_NAME) *client_CA; + /* + * What we put in certificate_authorities extension for TLS 1.3 + * (ClientHello and CertificateRequest) or just client cert requests for + * earlier versions. If client_ca_names is populated then it is only used + * for client cert requests, and in preference to ca_names. + */ + STACK_OF(X509_NAME) *ca_names; + STACK_OF(X509_NAME) *client_ca_names; /* * Default values to use in SSL structures follow (these are copied by @@ -714,7 +869,7 @@ struct ssl_ctx_st { uint32_t mode; int min_proto_version; int max_proto_version; - long max_cert_list; + size_t max_cert_list; struct cert_st /* CERT */ *cert; int read_ahead; @@ -725,7 +880,7 @@ struct ssl_ctx_st { void *msg_callback_arg; uint32_t verify_mode; - unsigned int sid_ctx_length; + size_t sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; /* called 'verify_callback' in the SSL */ int (*default_verify_callback) (int ok, X509_STORE_CTX *ctx); @@ -751,15 +906,15 @@ struct ssl_ctx_st { * If we're using more than one pipeline how should we divide the data * up between the pipes? */ - unsigned int split_send_fragment; + size_t split_send_fragment; /* * Maximum amount of data to send in one fragment. actual record size can * be more than this due to padding and MAC overheads. */ - unsigned int max_send_fragment; + size_t max_send_fragment; /* Up to how many pipelines should we use? If 0 then 1 is assumed */ - unsigned int max_pipelines; + size_t max_pipelines; /* The default read buffer length to use (0 means not set) */ size_t default_read_buf_len; @@ -771,63 +926,44 @@ struct ssl_ctx_st { ENGINE *client_cert_engine; # endif - /* TLS extensions servername callback */ - int (*tlsext_servername_callback) (SSL *, int *, void *); - void *tlsext_servername_arg; - /* RFC 4507 session ticket keys */ - unsigned char tlsext_tick_key_name[TLSEXT_KEYNAME_LENGTH]; - unsigned char tlsext_tick_hmac_key[32]; - unsigned char tlsext_tick_aes_key[32]; - /* Callback to support customisation of ticket key setting */ - int (*tlsext_ticket_key_cb) (SSL *ssl, - unsigned char *name, unsigned char *iv, - EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc); - - /* certificate status request info */ - /* Callback for status request */ - int (*tlsext_status_cb) (SSL *ssl, void *arg); - void *tlsext_status_arg; - -# ifndef OPENSSL_NO_PSK - unsigned int (*psk_client_callback) (SSL *ssl, const char *hint, - char *identity, - unsigned int max_identity_len, - unsigned char *psk, - unsigned int max_psk_len); - unsigned int (*psk_server_callback) (SSL *ssl, const char *identity, - unsigned char *psk, - unsigned int max_psk_len); -# endif - -# ifndef OPENSSL_NO_SRP - SRP_CTX srp_ctx; /* ctx for SRP authentication */ -# endif + /* ClientHello callback. Mostly for extensions, but not entirely. */ + SSL_client_hello_cb_fn client_hello_cb; + void *client_hello_cb_arg; -# ifndef OPENSSL_NO_NEXTPROTONEG - /* Next protocol negotiation information */ + /* TLS extensions. */ + struct { + /* TLS extensions servername callback */ + int (*servername_cb) (SSL *, int *, void *); + void *servername_arg; + /* RFC 4507 session ticket keys */ + unsigned char tick_key_name[TLSEXT_KEYNAME_LENGTH]; + SSL_CTX_EXT_SECURE *secure; + /* Callback to support customisation of ticket key setting */ + int (*ticket_key_cb) (SSL *ssl, + unsigned char *name, unsigned char *iv, + EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc); + + /* certificate status request info */ + /* Callback for status request */ + int (*status_cb) (SSL *ssl, void *arg); + void *status_arg; + /* ext status type used for CSR extension (OCSP Stapling) */ + int status_type; + /* RFC 4366 Maximum Fragment Length Negotiation */ + uint8_t max_fragment_len_mode; - /* - * For a server, this contains a callback function by which the set of - * advertised protocols can be provided. - */ - int (*next_protos_advertised_cb) (SSL *s, const unsigned char **buf, - unsigned int *len, void *arg); - void *next_protos_advertised_cb_arg; - /* - * For a client, this contains a callback function that selects the next - * protocol from the list provided by the server. - */ - int (*next_proto_select_cb) (SSL *s, unsigned char **out, - unsigned char *outlen, - const unsigned char *in, - unsigned int inlen, void *arg); - void *next_proto_select_cb_arg; -# endif +# ifndef OPENSSL_NO_EC + /* EC extension values inherited by SSL structure */ + size_t ecpointformats_len; + unsigned char *ecpointformats; + size_t supportedgroups_len; + uint16_t *supportedgroups; +# endif /* OPENSSL_NO_EC */ - /* - * ALPN information (we are in the process of transitioning from NPN to - * ALPN.) - */ + /* + * ALPN information (we are in the process of transitioning from NPN to + * ALPN.) + */ /*- * For a server, this contains a callback function that allows the @@ -839,42 +975,103 @@ struct ssl_ctx_st { * wire-format. * inlen: the length of |in|. */ - int (*alpn_select_cb) (SSL *s, - const unsigned char **out, - unsigned char *outlen, - const unsigned char *in, - unsigned int inlen, void *arg); - void *alpn_select_cb_arg; + int (*alpn_select_cb) (SSL *s, + const unsigned char **out, + unsigned char *outlen, + const unsigned char *in, + unsigned int inlen, void *arg); + void *alpn_select_cb_arg; - /* - * For a client, this contains the list of supported protocols in wire - * format. - */ - unsigned char *alpn_client_proto_list; - unsigned alpn_client_proto_list_len; + /* + * For a client, this contains the list of supported protocols in wire + * format. + */ + unsigned char *alpn; + size_t alpn_len; + +# ifndef OPENSSL_NO_NEXTPROTONEG + /* Next protocol negotiation information */ + + /* + * For a server, this contains a callback function by which the set of + * advertised protocols can be provided. + */ + SSL_CTX_npn_advertised_cb_func npn_advertised_cb; + void *npn_advertised_cb_arg; + /* + * For a client, this contains a callback function that selects the next + * protocol from the list provided by the server. + */ + SSL_CTX_npn_select_cb_func npn_select_cb; + void *npn_select_cb_arg; +# endif + + unsigned char cookie_hmac_key[SHA256_DIGEST_LENGTH]; + } ext; + +# ifndef OPENSSL_NO_PSK + SSL_psk_client_cb_func psk_client_callback; + SSL_psk_server_cb_func psk_server_callback; +# endif + SSL_psk_find_session_cb_func psk_find_session_cb; + SSL_psk_use_session_cb_func psk_use_session_cb; + +# ifndef OPENSSL_NO_SRP + SRP_CTX srp_ctx; /* ctx for SRP authentication */ +# endif /* Shared DANE context */ struct dane_ctx_st dane; +# ifndef OPENSSL_NO_SRTP /* SRTP profiles we are willing to do from RFC 5764 */ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; +# endif /* * Callback for disabling session caching and ticket support on a session * basis, depending on the chosen cipher. */ int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure); -# ifndef OPENSSL_NO_EC - /* EC extension values inherited by SSL structure */ - size_t tlsext_ecpointformatlist_length; - unsigned char *tlsext_ecpointformatlist; - size_t tlsext_ellipticcurvelist_length; - unsigned char *tlsext_ellipticcurvelist; -# endif /* OPENSSL_NO_EC */ - - /* ext status type used for CSR extension (OCSP Stapling) */ - int tlsext_status_type; CRYPTO_RWLOCK *lock; + + /* + * Callback for logging key material for use with debugging tools like + * Wireshark. The callback should log `line` followed by a newline. + */ + SSL_CTX_keylog_cb_func keylog_callback; + + /* + * The maximum number of bytes advertised in session tickets that can be + * sent as early data. + */ + uint32_t max_early_data; + + /* + * The maximum number of bytes of early data that a server will tolerate + * (which should be at least as much as max_early_data). + */ + uint32_t recv_max_early_data; + + /* TLS1.3 padding callback */ + size_t (*record_padding_cb)(SSL *s, int type, size_t len, void *arg); + void *record_padding_arg; + size_t block_padding; + + /* Session ticket appdata */ + SSL_CTX_generate_session_ticket_fn generate_ticket_cb; + SSL_CTX_decrypt_session_ticket_fn decrypt_ticket_cb; + void *ticket_cb_data; + + /* The number of TLS1.3 tickets to automatically send */ + size_t num_tickets; + + /* Callback to determine if early_data is acceptable or not */ + SSL_allow_early_data_cb_fn allow_early_data_cb; + void *allow_early_data_cb_data; + + /* Do we advertise Post-handshake auth support? */ + int pha_enabled; }; struct ssl_st { @@ -924,11 +1121,12 @@ struct ssl_st { int shutdown; /* where we are */ OSSL_STATEM statem; + SSL_EARLY_DATA_STATE early_data_state; BUF_MEM *init_buf; /* buffer used during init */ void *init_msg; /* pointer to handshake message body, set by * ssl3_get_message() */ - int init_num; /* amount read/written */ - int init_off; /* amount read/written */ + size_t init_num; /* amount read/written */ + size_t init_off; /* amount read/written */ struct ssl3_state_st *s3; /* SSLv3 variables */ struct dtls1_state_st *d1; /* DTLSv1 variables */ /* callback that allows applications to peek at protocol messages */ @@ -942,31 +1140,74 @@ struct ssl_st { /* crypto */ STACK_OF(SSL_CIPHER) *cipher_list; STACK_OF(SSL_CIPHER) *cipher_list_by_id; + /* TLSv1.3 specific ciphersuites */ + STACK_OF(SSL_CIPHER) *tls13_ciphersuites; /* * These are the ones being used, the ones in SSL_SESSION are the ones to * be 'copied' into these ones */ uint32_t mac_flags; + /* + * The TLS1.3 secrets. + */ + unsigned char early_secret[EVP_MAX_MD_SIZE]; + unsigned char handshake_secret[EVP_MAX_MD_SIZE]; + unsigned char master_secret[EVP_MAX_MD_SIZE]; + unsigned char resumption_master_secret[EVP_MAX_MD_SIZE]; + unsigned char client_finished_secret[EVP_MAX_MD_SIZE]; + unsigned char server_finished_secret[EVP_MAX_MD_SIZE]; + unsigned char server_finished_hash[EVP_MAX_MD_SIZE]; + unsigned char handshake_traffic_hash[EVP_MAX_MD_SIZE]; + unsigned char client_app_traffic_secret[EVP_MAX_MD_SIZE]; + unsigned char server_app_traffic_secret[EVP_MAX_MD_SIZE]; + unsigned char exporter_master_secret[EVP_MAX_MD_SIZE]; + unsigned char early_exporter_master_secret[EVP_MAX_MD_SIZE]; EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */ + unsigned char read_iv[EVP_MAX_IV_LENGTH]; /* TLSv1.3 static read IV */ EVP_MD_CTX *read_hash; /* used for mac generation */ COMP_CTX *compress; /* compression */ COMP_CTX *expand; /* uncompress */ EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ + unsigned char write_iv[EVP_MAX_IV_LENGTH]; /* TLSv1.3 static write IV */ EVP_MD_CTX *write_hash; /* used for mac generation */ + /* Count of how many KeyUpdate messages we have received */ + unsigned int key_update_count; /* session info */ /* client cert? */ /* This is used to hold the server certificate used */ struct cert_st /* CERT */ *cert; + + /* + * The hash of all messages prior to the CertificateVerify, and the length + * of that hash. + */ + unsigned char cert_verify_hash[EVP_MAX_MD_SIZE]; + size_t cert_verify_hash_len; + + /* Flag to indicate whether we should send a HelloRetryRequest or not */ + enum {SSL_HRR_NONE = 0, SSL_HRR_PENDING, SSL_HRR_COMPLETE} + hello_retry_request; + /* * the session_id_context is used to ensure sessions are only reused in * the appropriate context */ - unsigned int sid_ctx_length; + size_t sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; /* This can also be in the session once a session is established */ SSL_SESSION *session; + /* TLSv1.3 PSK session */ + SSL_SESSION *psksession; + unsigned char *psksession_id; + size_t psksession_id_len; /* Default generate session ID callback. */ GEN_SESSION_CB generate_session_id; + /* + * The temporary TLSv1.3 session id. This isn't really a session id at all + * but is a random value sent in the legacy session id field. + */ + unsigned char tmp_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; + size_t tmp_session_id_len; /* Used in SSL3 */ /* * 0 don't care about verify failure. @@ -982,51 +1223,149 @@ struct ssl_st { /* actual code */ int error_code; # ifndef OPENSSL_NO_PSK - unsigned int (*psk_client_callback) (SSL *ssl, const char *hint, - char *identity, - unsigned int max_identity_len, - unsigned char *psk, - unsigned int max_psk_len); - unsigned int (*psk_server_callback) (SSL *ssl, const char *identity, - unsigned char *psk, - unsigned int max_psk_len); + SSL_psk_client_cb_func psk_client_callback; + SSL_psk_server_cb_func psk_server_callback; # endif + SSL_psk_find_session_cb_func psk_find_session_cb; + SSL_psk_use_session_cb_func psk_use_session_cb; + SSL_CTX *ctx; /* Verified chain of peer */ STACK_OF(X509) *verified_chain; long verify_result; /* extra application data */ CRYPTO_EX_DATA ex_data; - /* for server side, keep the list of CA_dn we can use */ - STACK_OF(X509_NAME) *client_CA; - int references; + /* + * What we put in certificate_authorities extension for TLS 1.3 + * (ClientHello and CertificateRequest) or just client cert requests for + * earlier versions. If client_ca_names is populated then it is only used + * for client cert requests, and in preference to ca_names. + */ + STACK_OF(X509_NAME) *ca_names; + STACK_OF(X509_NAME) *client_ca_names; + CRYPTO_REF_COUNT references; /* protocol behaviour */ uint32_t options; /* API behaviour */ uint32_t mode; int min_proto_version; int max_proto_version; - long max_cert_list; + size_t max_cert_list; int first_packet; - /* what was passed, used for SSLv3/TLS rollback check */ + /* + * What was passed in ClientHello.legacy_version. Used for RSA pre-master + * secret and SSLv3/TLS (<=1.2) rollback check + */ int client_version; /* * If we're using more than one pipeline how should we divide the data * up between the pipes? */ - unsigned int split_send_fragment; + size_t split_send_fragment; /* * Maximum amount of data to send in one fragment. actual record size can * be more than this due to padding and MAC overheads. */ - unsigned int max_send_fragment; + size_t max_send_fragment; /* Up to how many pipelines should we use? If 0 then 1 is assumed */ - unsigned int max_pipelines; - /* TLS extension debug callback */ - void (*tlsext_debug_cb) (SSL *s, int client_server, int type, - const unsigned char *data, int len, void *arg); - void *tlsext_debug_arg; - char *tlsext_hostname; + size_t max_pipelines; + + struct { + /* Built-in extension flags */ + uint8_t extflags[TLSEXT_IDX_num_builtins]; + /* TLS extension debug callback */ + void (*debug_cb)(SSL *s, int client_server, int type, + const unsigned char *data, int len, void *arg); + void *debug_arg; + char *hostname; + /* certificate status request info */ + /* Status type or -1 if no status type */ + int status_type; + /* Raw extension data, if seen */ + unsigned char *scts; + /* Length of raw extension data, if seen */ + uint16_t scts_len; + /* Expect OCSP CertificateStatus message */ + int status_expected; + + struct { + /* OCSP status request only */ + STACK_OF(OCSP_RESPID) *ids; + X509_EXTENSIONS *exts; + /* OCSP response received or to be sent */ + unsigned char *resp; + size_t resp_len; + } ocsp; + + /* RFC4507 session ticket expected to be received or sent */ + int ticket_expected; +# ifndef OPENSSL_NO_EC + size_t ecpointformats_len; + /* our list */ + unsigned char *ecpointformats; +# endif /* OPENSSL_NO_EC */ + size_t supportedgroups_len; + /* our list */ + uint16_t *supportedgroups; + /* TLS Session Ticket extension override */ + TLS_SESSION_TICKET_EXT *session_ticket; + /* TLS Session Ticket extension callback */ + tls_session_ticket_ext_cb_fn session_ticket_cb; + void *session_ticket_cb_arg; + /* TLS pre-shared secret session resumption */ + tls_session_secret_cb_fn session_secret_cb; + void *session_secret_cb_arg; + /* + * For a client, this contains the list of supported protocols in wire + * format. + */ + unsigned char *alpn; + size_t alpn_len; + /* + * Next protocol negotiation. For the client, this is the protocol that + * we sent in NextProtocol and is set when handling ServerHello + * extensions. For a server, this is the client's selected_protocol from + * NextProtocol and is set when handling the NextProtocol message, before + * the Finished message. + */ + unsigned char *npn; + size_t npn_len; + + /* The available PSK key exchange modes */ + int psk_kex_mode; + + /* Set to one if we have negotiated ETM */ + int use_etm; + + /* Are we expecting to receive early data? */ + int early_data; + /* Is the session suitable for early data? */ + int early_data_ok; + + /* May be sent by a server in HRR. Must be echoed back in ClientHello */ + unsigned char *tls13_cookie; + size_t tls13_cookie_len; + /* Have we received a cookie from the client? */ + int cookieok; + + /* + * Maximum Fragment Length as per RFC 4366. + * If this member contains one of the allowed values (1-4) + * then we should include Maximum Fragment Length Negotiation + * extension in Client Hello. + * Please note that value of this member does not have direct + * effect. The actual (binding) value is stored in SSL_SESSION, + * as this extension is optional on server side. + */ + uint8_t max_fragment_len_mode; + } ext; + + /* + * Parsed form of the ClientHello, kept around across client_hello_cb + * calls. + */ + CLIENTHELLO_MSG *clienthello; + /*- * no further mod of servername * 0 : call the servername extension callback. @@ -1034,98 +1373,45 @@ struct ssl_st { * 2 : don't call servername callback, no ack in server hello */ int servername_done; - /* certificate status request info */ - /* Status type or -1 if no status type */ - int tlsext_status_type; # ifndef OPENSSL_NO_CT /* * Validates that the SCTs (Signed Certificate Timestamps) are sufficient. * If they are not, the connection should be aborted. */ ssl_ct_validation_cb ct_validation_callback; - /* User-supplied argument tha tis passed to the ct_validation_callback */ + /* User-supplied argument that is passed to the ct_validation_callback */ void *ct_validation_callback_arg; /* * Consolidated stack of SCTs from all sources. * Lazily populated by CT_get_peer_scts(SSL*) */ STACK_OF(SCT) *scts; - /* Raw extension data, if seen */ - unsigned char *tlsext_scts; - /* Length of raw extension data, if seen */ - uint16_t tlsext_scts_len; /* Have we attempted to find/parse SCTs yet? */ int scts_parsed; # endif - /* Expect OCSP CertificateStatus message */ - int tlsext_status_expected; - /* OCSP status request only */ - STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids; - X509_EXTENSIONS *tlsext_ocsp_exts; - /* OCSP response received or to be sent */ - unsigned char *tlsext_ocsp_resp; - int tlsext_ocsp_resplen; - /* RFC4507 session ticket expected to be received or sent */ - int tlsext_ticket_expected; -# ifndef OPENSSL_NO_EC - size_t tlsext_ecpointformatlist_length; - /* our list */ - unsigned char *tlsext_ecpointformatlist; - size_t tlsext_ellipticcurvelist_length; - /* our list */ - unsigned char *tlsext_ellipticcurvelist; -# endif /* OPENSSL_NO_EC */ - /* TLS Session Ticket extension override */ - TLS_SESSION_TICKET_EXT *tlsext_session_ticket; - /* TLS Session Ticket extension callback */ - tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb; - void *tls_session_ticket_ext_cb_arg; - /* TLS pre-shared secret session resumption */ - tls_session_secret_cb_fn tls_session_secret_cb; - void *tls_session_secret_cb_arg; SSL_CTX *session_ctx; /* initial ctx, used to store sessions */ -# ifndef OPENSSL_NO_NEXTPROTONEG - /* - * Next protocol negotiation. For the client, this is the protocol that - * we sent in NextProtocol and is set when handling ServerHello - * extensions. For a server, this is the client's selected_protocol from - * NextProtocol and is set when handling the NextProtocol message, before - * the Finished message. - */ - unsigned char *next_proto_negotiated; - unsigned char next_proto_negotiated_len; -# endif +# ifndef OPENSSL_NO_SRTP /* What we'll do */ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What's been chosen */ SRTP_PROTECTION_PROFILE *srtp_profile; - /*- - * Is use of the Heartbeat extension negotiated? - * 0: disabled - * 1: enabled - * 2: enabled, but not allowed to send Requests - */ - unsigned int tlsext_heartbeat; - /* Indicates if a HeartbeatRequest is in flight */ - unsigned int tlsext_hb_pending; - /* HeartbeatRequest sequence number */ - unsigned int tlsext_hb_seq; - /* - * For a client, this contains the list of supported protocols in wire - * format. - */ - unsigned char *alpn_client_proto_list; - unsigned alpn_client_proto_list_len; - - /* Set to one if we have negotiated ETM */ - int tlsext_use_etm; - +# endif /*- * 1 if we are renegotiating. * 2 if we are a server and are inside a handshake * (i.e. not just sending a HelloRequest) */ int renegotiate; + /* If sending a KeyUpdate is pending */ + int key_update; + /* Post-handshake authentication state */ + SSL_PHA_STATE post_handshake_auth; + int pha_enabled; + uint8_t* pha_context; + size_t pha_context_len; + int certreqs_sent; + EVP_MD_CTX *pha_dgst; /* this is just the digest through ClientFinished */ + # ifndef OPENSSL_NO_SRP /* ctx for SRP authentication */ SRP_CTX srp_ctx; @@ -1143,14 +1429,97 @@ struct ssl_st { /* Async Job info */ ASYNC_JOB *job; ASYNC_WAIT_CTX *waitctx; + size_t asyncrw; + + /* + * The maximum number of bytes advertised in session tickets that can be + * sent as early data. + */ + uint32_t max_early_data; + /* + * The maximum number of bytes of early data that a server will tolerate + * (which should be at least as much as max_early_data). + */ + uint32_t recv_max_early_data; + + /* + * The number of bytes of early data received so far. If we accepted early + * data then this is a count of the plaintext bytes. If we rejected it then + * this is a count of the ciphertext bytes. + */ + uint32_t early_data_count; + + /* TLS1.3 padding callback */ + size_t (*record_padding_cb)(SSL *s, int type, size_t len, void *arg); + void *record_padding_arg; + size_t block_padding; + CRYPTO_RWLOCK *lock; + RAND_DRBG *drbg; + + /* The number of TLS1.3 tickets to automatically send */ + size_t num_tickets; + /* The number of TLS1.3 tickets actually sent so far */ + size_t sent_tickets; + /* The next nonce value to use when we send a ticket on this connection */ + uint64_t next_ticket_nonce; + + /* Callback to determine if early_data is acceptable or not */ + SSL_allow_early_data_cb_fn allow_early_data_cb; + void *allow_early_data_cb_data; }; +/* + * Structure containing table entry of values associated with the signature + * algorithms (signature scheme) extension +*/ +typedef struct sigalg_lookup_st { + /* TLS 1.3 signature scheme name */ + const char *name; + /* Raw value used in extension */ + uint16_t sigalg; + /* NID of hash algorithm or NID_undef if no hash */ + int hash; + /* Index of hash algorithm or -1 if no hash algorithm */ + int hash_idx; + /* NID of signature algorithm */ + int sig; + /* Index of signature algorithm */ + int sig_idx; + /* Combined hash and signature NID, if any */ + int sigandhash; + /* Required public key curve (ECDSA only) */ + int curve; +} SIGALG_LOOKUP; + +typedef struct tls_group_info_st { + int nid; /* Curve NID */ + int secbits; /* Bits of security (from SP800-57) */ + uint16_t flags; /* Flags: currently just group type */ +} TLS_GROUP_INFO; + +/* flags values */ +# define TLS_CURVE_TYPE 0x3 /* Mask for group type */ +# define TLS_CURVE_PRIME 0x0 +# define TLS_CURVE_CHAR2 0x1 +# define TLS_CURVE_CUSTOM 0x2 + +typedef struct cert_pkey_st CERT_PKEY; + +/* + * Structure containing table entry of certificate info corresponding to + * CERT_PKEY entries + */ +typedef struct { + int nid; /* NID of pubic key algorithm */ + uint32_t amask; /* authmask corresponding to key type */ +} SSL_CERT_LOOKUP; + typedef struct ssl3_state_st { long flags; - int read_mac_secret_size; + size_t read_mac_secret_size; unsigned char read_mac_secret[EVP_MAX_MD_SIZE]; - int write_mac_secret_size; + size_t write_mac_secret_size; unsigned char write_mac_secret[EVP_MAX_MD_SIZE]; unsigned char server_random[SSL3_RANDOM_SIZE]; unsigned char client_random[SSL3_RANDOM_SIZE]; @@ -1189,10 +1558,10 @@ typedef struct ssl3_state_st { struct { /* actually only need to be 16+20 for SSLv3 and 12 for TLS */ unsigned char finish_md[EVP_MAX_MD_SIZE * 2]; - int finish_md_len; + size_t finish_md_len; unsigned char peer_finish_md[EVP_MAX_MD_SIZE * 2]; - int peer_finish_md_len; - unsigned long message_size; + size_t peer_finish_md_len; + size_t message_size; int message_type; /* used to hold the new cipher we are going to use */ const SSL_CIPHER *new_cipher; @@ -1201,15 +1570,17 @@ typedef struct ssl3_state_st { # endif /* used for certificate requests */ int cert_req; - int ctype_num; - char ctype[SSL3_CT_NUMBER]; - STACK_OF(X509_NAME) *ca_names; - int key_block_length; + /* Certificate types in certificate request message. */ + uint8_t *ctype; + size_t ctype_len; + /* Certificate authorities list peer sent */ + STACK_OF(X509_NAME) *peer_ca_names; + size_t key_block_length; unsigned char *key_block; const EVP_CIPHER *new_sym_enc; const EVP_MD *new_hash; int new_mac_pkey_type; - int new_mac_secret_size; + size_t new_mac_secret_size; # ifndef OPENSSL_NO_COMP const SSL_COMP *new_compression; # else @@ -1227,18 +1598,23 @@ typedef struct ssl3_state_st { unsigned char *psk; size_t psklen; # endif + /* Signature algorithm we actually use */ + const SIGALG_LOOKUP *sigalg; + /* Pointer to certificate we use */ + CERT_PKEY *cert; /* * signature algorithms peer reports: e.g. supported signature * algorithms extension for server or as part of a certificate * request for client. + * Keep track of the algorithms for TLS and X.509 usage separately. */ - unsigned char *peer_sigalgs; - /* Size of above array */ + uint16_t *peer_sigalgs; + uint16_t *peer_cert_sigalgs; + /* Size of above arrays */ size_t peer_sigalgslen; - /* Digest peer uses for signing */ - const EVP_MD *peer_md; - /* Array of digests used for signing */ - const EVP_MD *md[SSL_PKEY_NUM]; + size_t peer_cert_sigalgslen; + /* Sigalg peer actually uses */ + const SIGALG_LOOKUP *peer_sigalg; /* * Set if corresponding CERT_PKEY can be used with current * SSL session: e.g. appropriate curve, signature algorithms etc. @@ -1263,16 +1639,16 @@ typedef struct ssl3_state_st { /* Connection binding to prevent renegotiation attacks */ unsigned char previous_client_finished[EVP_MAX_MD_SIZE]; - unsigned char previous_client_finished_len; + size_t previous_client_finished_len; unsigned char previous_server_finished[EVP_MAX_MD_SIZE]; - unsigned char previous_server_finished_len; + size_t previous_server_finished_len; int send_connection_binding; /* TODOEKR */ # ifndef OPENSSL_NO_NEXTPROTONEG /* * Set if we saw the Next Protocol Negotiation extension from our peer. */ - int next_proto_neg_seen; + int npn_seen; # endif /* @@ -1304,6 +1680,8 @@ typedef struct ssl3_state_st { /* For clients: peer temporary key */ # if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) + /* The group_id for the DH/ECDH key */ + uint16_t group_id; EVP_PKEY *peer_tmp; # endif @@ -1320,7 +1698,7 @@ typedef struct ssl3_state_st { /* * Flag used in message reuse to indicate the buffer contains the record - * header as well as the the handshake message header. + * header as well as the handshake message header. */ # define DTLS1_SKIP_RECORD_HEADER 2 @@ -1334,10 +1712,10 @@ struct dtls1_retransmit_state { struct hm_header_st { unsigned char type; - unsigned long msg_len; + size_t msg_len; unsigned short seq; - unsigned long frag_off; - unsigned long frag_len; + size_t frag_off; + size_t frag_len; unsigned int is_ccs; struct dtls1_retransmit_state saved_retransmit_state; }; @@ -1378,11 +1756,11 @@ pitem *pqueue_pop(pqueue *pq); pitem *pqueue_find(pqueue *pq, unsigned char *prio64be); pitem *pqueue_iterator(pqueue *pq); pitem *pqueue_next(piterator *iter); -int pqueue_size(pqueue *pq); +size_t pqueue_size(pqueue *pq); typedef struct dtls1_state_st { unsigned char cookie[DTLS1_COOKIE_LENGTH]; - unsigned int cookie_len; + size_t cookie_len; unsigned int cookie_verified; /* handshake message numbers */ unsigned short handshake_write_seq; @@ -1392,21 +1770,25 @@ typedef struct dtls1_state_st { pqueue *buffered_messages; /* Buffered (sent) handshake records */ pqueue *sent_messages; - unsigned int link_mtu; /* max on-the-wire DTLS packet size */ - unsigned int mtu; /* max DTLS packet size */ + size_t link_mtu; /* max on-the-wire DTLS packet size */ + size_t mtu; /* max DTLS packet size */ struct hm_header_st w_msg_hdr; struct hm_header_st r_msg_hdr; struct dtls1_timeout_st timeout; /* - * Indicates when the last handshake msg or heartbeat sent will timeout + * Indicates when the last handshake msg sent will timeout */ struct timeval next_timeout; /* Timeout duration */ - unsigned short timeout_duration; + unsigned int timeout_duration_us; + unsigned int retransmitting; # ifndef OPENSSL_NO_SCTP int shutdown_received; # endif + + DTLS_timer_cb timer_cb; + } DTLS1_STATE; # ifndef OPENSSL_NO_EC @@ -1418,7 +1800,7 @@ typedef struct dtls1_state_st { # define NAMED_CURVE_TYPE 3 # endif /* OPENSSL_NO_EC */ -typedef struct cert_pkey_st { +struct cert_pkey_st { X509 *x509; EVP_PKEY *privatekey; /* Chain for this certificate */ @@ -1432,24 +1814,34 @@ typedef struct cert_pkey_st { */ unsigned char *serverinfo; size_t serverinfo_length; -} CERT_PKEY; +}; /* Retrieve Suite B flags */ # define tls1_suiteb(s) (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS) /* Uses to check strict mode: suite B modes are always strict */ # define SSL_CERT_FLAGS_CHECK_TLS_STRICT \ (SSL_CERT_FLAG_SUITEB_128_LOS|SSL_CERT_FLAG_TLS_STRICT) +typedef enum { + ENDPOINT_CLIENT = 0, + ENDPOINT_SERVER, + ENDPOINT_BOTH +} ENDPOINT; + + typedef struct { unsigned short ext_type; + ENDPOINT role; + /* The context which this extension applies to */ + unsigned int context; /* * Per-connection flags relating to this extension type: not used if * part of an SSL_CTX structure. */ uint32_t ext_flags; - custom_ext_add_cb add_cb; - custom_ext_free_cb free_cb; + SSL_custom_ext_add_cb_ex add_cb; + SSL_custom_ext_free_cb_ex free_cb; void *add_arg; - custom_ext_parse_cb parse_cb; + SSL_custom_ext_parse_cb_ex parse_cb; void *parse_arg; } custom_ext_method; @@ -1487,36 +1879,32 @@ typedef struct cert_st { /* Flags related to certificates */ uint32_t cert_flags; CERT_PKEY pkeys[SSL_PKEY_NUM]; - /* - * Certificate types (received or sent) in certificate request message. - * On receive this is only set if number of certificate types exceeds - * SSL3_CT_NUMBER. - */ - unsigned char *ctypes; - size_t ctype_num; + /* Custom certificate types sent in certificate request message. */ + uint8_t *ctype; + size_t ctype_len; /* * supported signature algorithms. When set on a client this is sent in * the client hello as the supported signature algorithms extension. For * servers it represents the signature algorithms we are willing to use. */ - unsigned char *conf_sigalgs; + uint16_t *conf_sigalgs; /* Size of above array */ size_t conf_sigalgslen; /* * Client authentication signature algorithms, if not set then uses * conf_sigalgs. On servers these will be the signature algorithms sent - * to the client in a cerificate request for TLS 1.2. On a client this - * represents the signature algortithms we are willing to use for client + * to the client in a certificate request for TLS 1.2. On a client this + * represents the signature algorithms we are willing to use for client * authentication. */ - unsigned char *client_sigalgs; + uint16_t *client_sigalgs; /* Size of above array */ size_t client_sigalgslen; /* * Signature algorithms shared by client and server: cached because these * are used most often. */ - TLS_SIGALGS *shared_sigalgs; + const SIGALG_LOOKUP **shared_sigalgs; size_t shared_sigalgslen; /* * Certificate setup callback: if set is called whenever a certificate @@ -1533,9 +1921,8 @@ typedef struct cert_st { */ X509_STORE *chain_store; X509_STORE *verify_store; - /* Custom extension methods for server and client */ - custom_ext_methods cli_ext; - custom_ext_methods srv_ext; + /* Custom extensions */ + custom_ext_methods custext; /* Security callback */ int (*sec_cb) (const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex); @@ -1546,23 +1933,10 @@ typedef struct cert_st { /* If not NULL psk identity hint to use for servers */ char *psk_identity_hint; # endif - int references; /* >1 only if SSL_copy_session_id is used */ + CRYPTO_REF_COUNT references; /* >1 only if SSL_copy_session_id is used */ CRYPTO_RWLOCK *lock; } CERT; -/* Structure containing decoded values of signature algorithms extension */ -struct tls_sigalgs_st { - /* NID of hash algorithm */ - int hash_nid; - /* NID of signature algorithm */ - int sign_nid; - /* Combined hash and signature NID */ - int signandhash_nid; - /* Raw values used in extension */ - unsigned char rsign; - unsigned char rhash; -}; - # define FP_ICC (int (*)(const void *,const void *)) /* @@ -1570,18 +1944,17 @@ struct tls_sigalgs_st { * of a mess of functions, but hell, think of it as an opaque structure :-) */ typedef struct ssl3_enc_method { - int (*enc) (SSL *, SSL3_RECORD *, unsigned int, int); + int (*enc) (SSL *, SSL3_RECORD *, size_t, int); int (*mac) (SSL *, SSL3_RECORD *, unsigned char *, int); int (*setup_key_block) (SSL *); int (*generate_master_secret) (SSL *, unsigned char *, unsigned char *, - int); + size_t, size_t *); int (*change_cipher_state) (SSL *, int); - int (*final_finish_mac) (SSL *, const char *, int, unsigned char *); - int finish_mac_length; + size_t (*final_finish_mac) (SSL *, const char *, size_t, unsigned char *); const char *client_finished_label; - int client_finished_label_len; + size_t client_finished_label_len; const char *server_finished_label; - int server_finished_label_len; + size_t server_finished_label_len; int (*alert_value) (int); int (*export_keying_material) (SSL *, unsigned char *, size_t, const char *, size_t, @@ -1589,19 +1962,18 @@ typedef struct ssl3_enc_method { int use_context); /* Various flags indicating protocol version requirements */ uint32_t enc_flags; - /* Handshake header length */ - unsigned int hhlen; /* Set the handshake header */ - int (*set_handshake_header) (SSL *s, int type, unsigned long len); + int (*set_handshake_header) (SSL *s, WPACKET *pkt, int type); + /* Close construction of the handshake message */ + int (*close_construct_packet) (SSL *s, WPACKET *pkt, int htype); /* Write out handshake message */ int (*do_write) (SSL *s); } SSL3_ENC_METHOD; -# define SSL_HM_HEADER_LENGTH(s) s->method->ssl3_enc->hhlen -# define ssl_handshake_start(s) \ - (((unsigned char *)s->init_buf->data) + s->method->ssl3_enc->hhlen) -# define ssl_set_handshake_header(s, htype, len) \ - s->method->ssl3_enc->set_handshake_header(s, htype, len) +# define ssl_set_handshake_header(s, pkt, htype) \ + s->method->ssl3_enc->set_handshake_header((s), (pkt), (htype)) +# define ssl_close_construct_packet(s, pkt, htype) \ + s->method->ssl3_enc->close_construct_packet((s), (pkt), (htype)) # define ssl_do_write(s) s->method->ssl3_enc->do_write(s) /* Values for enc_flags */ @@ -1630,6 +2002,71 @@ typedef struct ssl3_comp_st { } SSL3_COMP; # endif +typedef enum downgrade_en { + DOWNGRADE_NONE, + DOWNGRADE_TO_1_2, + DOWNGRADE_TO_1_1 +} DOWNGRADE; + +/* + * Dummy status type for the status_type extension. Indicates no status type + * set + */ +#define TLSEXT_STATUSTYPE_nothing -1 + +/* Sigalgs values */ +#define TLSEXT_SIGALG_ecdsa_secp256r1_sha256 0x0403 +#define TLSEXT_SIGALG_ecdsa_secp384r1_sha384 0x0503 +#define TLSEXT_SIGALG_ecdsa_secp521r1_sha512 0x0603 +#define TLSEXT_SIGALG_ecdsa_sha224 0x0303 +#define TLSEXT_SIGALG_ecdsa_sha1 0x0203 +#define TLSEXT_SIGALG_rsa_pss_rsae_sha256 0x0804 +#define TLSEXT_SIGALG_rsa_pss_rsae_sha384 0x0805 +#define TLSEXT_SIGALG_rsa_pss_rsae_sha512 0x0806 +#define TLSEXT_SIGALG_rsa_pss_pss_sha256 0x0809 +#define TLSEXT_SIGALG_rsa_pss_pss_sha384 0x080a +#define TLSEXT_SIGALG_rsa_pss_pss_sha512 0x080b +#define TLSEXT_SIGALG_rsa_pkcs1_sha256 0x0401 +#define TLSEXT_SIGALG_rsa_pkcs1_sha384 0x0501 +#define TLSEXT_SIGALG_rsa_pkcs1_sha512 0x0601 +#define TLSEXT_SIGALG_rsa_pkcs1_sha224 0x0301 +#define TLSEXT_SIGALG_rsa_pkcs1_sha1 0x0201 +#define TLSEXT_SIGALG_dsa_sha256 0x0402 +#define TLSEXT_SIGALG_dsa_sha384 0x0502 +#define TLSEXT_SIGALG_dsa_sha512 0x0602 +#define TLSEXT_SIGALG_dsa_sha224 0x0302 +#define TLSEXT_SIGALG_dsa_sha1 0x0202 +#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 0xeeee +#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 0xefef +#define TLSEXT_SIGALG_gostr34102001_gostr3411 0xeded + +#define TLSEXT_SIGALG_ed25519 0x0807 +#define TLSEXT_SIGALG_ed448 0x0808 + +/* Known PSK key exchange modes */ +#define TLSEXT_KEX_MODE_KE 0x00 +#define TLSEXT_KEX_MODE_KE_DHE 0x01 + +/* + * Internal representations of key exchange modes + */ +#define TLSEXT_KEX_MODE_FLAG_NONE 0 +#define TLSEXT_KEX_MODE_FLAG_KE 1 +#define TLSEXT_KEX_MODE_FLAG_KE_DHE 2 + +/* An invalid index into the TLSv1.3 PSK identities */ +#define TLSEXT_PSK_BAD_IDENTITY -1 + +#define SSL_USE_PSS(s) (s->s3->tmp.peer_sigalg != NULL && \ + s->s3->tmp.peer_sigalg->sig == EVP_PKEY_RSA_PSS) + +/* A dummy signature value not valid for TLSv1.2 signature algs */ +#define TLSEXT_signature_rsa_pss 0x0101 + +/* TLSv1.3 downgrade protection sentinel values */ +extern const unsigned char tls11downgrade[8]; +extern const unsigned char tls12downgrade[8]; + extern SSL3_ENC_METHOD ssl3_undef_enc_method; __owur const SSL_METHOD *ssl_bad_method(int ver); @@ -1645,6 +2082,9 @@ __owur const SSL_METHOD *tlsv1_1_client_method(void); __owur const SSL_METHOD *tlsv1_2_method(void); __owur const SSL_METHOD *tlsv1_2_server_method(void); __owur const SSL_METHOD *tlsv1_2_client_method(void); +__owur const SSL_METHOD *tlsv1_3_method(void); +__owur const SSL_METHOD *tlsv1_3_server_method(void); +__owur const SSL_METHOD *tlsv1_3_client_method(void); __owur const SSL_METHOD *dtlsv1_method(void); __owur const SSL_METHOD *dtlsv1_server_method(void); __owur const SSL_METHOD *dtlsv1_client_method(void); @@ -1656,6 +2096,7 @@ __owur const SSL_METHOD *dtlsv1_2_client_method(void); extern const SSL3_ENC_METHOD TLSv1_enc_data; extern const SSL3_ENC_METHOD TLSv1_1_enc_data; extern const SSL3_ENC_METHOD TLSv1_2_enc_data; +extern const SSL3_ENC_METHOD TLSv1_3_enc_data; extern const SSL3_ENC_METHOD SSLv3_enc_data; extern const SSL3_ENC_METHOD DTLSv1_enc_data; extern const SSL3_ENC_METHOD DTLSv1_2_enc_data; @@ -1782,55 +2223,78 @@ const SSL_METHOD *func_name(void) \ struct openssl_ssl_test_functions { int (*p_ssl_init_wbio_buffer) (SSL *s); int (*p_ssl3_setup_buffers) (SSL *s); -# ifndef OPENSSL_NO_HEARTBEATS - int (*p_dtls1_process_heartbeat) (SSL *s, - unsigned char *p, unsigned int length); -# endif }; const char *ssl_protocol_to_string(int version); +/* Returns true if certificate and private key for 'idx' are present */ +static ossl_inline int ssl_has_cert(const SSL *s, int idx) +{ + if (idx < 0 || idx >= SSL_PKEY_NUM) + return 0; + return s->cert->pkeys[idx].x509 != NULL + && s->cert->pkeys[idx].privatekey != NULL; +} + +static ossl_inline void tls1_get_peer_groups(SSL *s, const uint16_t **pgroups, + size_t *pgroupslen) +{ + *pgroups = s->session->ext.supportedgroups; + *pgroupslen = s->session->ext.supportedgroups_len; +} + # ifndef OPENSSL_UNIT_TEST +__owur int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes); +__owur int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written); void ssl_clear_cipher_ctx(SSL *s); int ssl_clear_bad_session(SSL *s); __owur CERT *ssl_cert_new(void); __owur CERT *ssl_cert_dup(CERT *cert); void ssl_cert_clear_certs(CERT *c); void ssl_cert_free(CERT *c); +__owur int ssl_generate_session_id(SSL *s, SSL_SESSION *ss); __owur int ssl_get_new_session(SSL *s, int session); -__owur int ssl_get_prev_session(SSL *s, const PACKET *ext, - const PACKET *session_id); +__owur SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id, + size_t sess_id_len); +__owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello); __owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket); __owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b); DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap, const SSL_CIPHER *const *bp); -__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth, - STACK_OF(SSL_CIPHER) **pref, - STACK_OF(SSL_CIPHER) - **sorted, +__owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, + STACK_OF(SSL_CIPHER) *tls13_ciphersuites, + STACK_OF(SSL_CIPHER) **cipher_list, + STACK_OF(SSL_CIPHER) **cipher_list_by_id, const char *rule_str, CERT *c); +__owur int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format); +__owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, + STACK_OF(SSL_CIPHER) **skp, + STACK_OF(SSL_CIPHER) **scsvs, int sslv2format, + int fatal); void ssl_update_cache(SSL *s, int mode); __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, const EVP_MD **md, int *mac_pkey_type, - int *mac_secret_size, SSL_COMP **comp, + size_t *mac_secret_size, SSL_COMP **comp, int use_etm); -__owur int ssl_cipher_get_cert_index(const SSL_CIPHER *c); +__owur int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead, + size_t *int_overhead, size_t *blocksize, + size_t *ext_overhead); +__owur int ssl_cert_is_disabled(size_t idx); __owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, - const unsigned char *ptr); + const unsigned char *ptr, + int all); __owur int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain); __owur int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain); __owur int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x); __owur int ssl_cert_add1_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x); __owur int ssl_cert_select_current(CERT *c, X509 *x); __owur int ssl_cert_set_current(CERT *c, long arg); -__owur X509 *ssl_cert_get0_next_certificate(CERT *c, int first); void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg); __owur int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk); -__owur int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l); __owur int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags); __owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref); @@ -1839,31 +2303,38 @@ __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other); __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other); +__owur int ssl_cert_lookup_by_nid(int nid, size_t *pidx); +__owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, + size_t *pidx); +__owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx); + int ssl_undefined_function(SSL *s); __owur int ssl_undefined_void_function(void); __owur int ssl_undefined_const_function(const SSL *s); -__owur CERT_PKEY *ssl_get_server_send_pkey(SSL *s); __owur int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, size_t *serverinfo_length); -__owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, - const EVP_MD **pmd); -__owur int ssl_cert_type(const X509 *x, const EVP_PKEY *pkey); void ssl_set_masks(SSL *s); __owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); -__owur int ssl_verify_alarm_type(long type); +__owur int ssl_x509err2alert(int type); void ssl_sort_cipher_list(void); -void ssl_load_ciphers(void); +int ssl_load_ciphers(void); __owur int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, - int len); + size_t len, DOWNGRADE dgrd); __owur int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, int free_pms); __owur EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm); -__owur int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey); +__owur int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, + int genmaster); __owur EVP_PKEY *ssl_dh_to_pkey(DH *dh); +__owur unsigned int ssl_get_max_send_fragment(const SSL *ssl); +__owur unsigned int ssl_get_split_send_fragment(const SSL *ssl); +__owur const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id); +__owur const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname); __owur const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); -__owur int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); +__owur int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, + size_t *len); int ssl3_init_finished_mac(SSL *s); __owur int ssl3_setup_key_block(SSL *s); __owur int ssl3_change_cipher_state(SSL *s, int which); @@ -1871,29 +2342,31 @@ void ssl3_cleanup_key_block(SSL *s); __owur int ssl3_do_write(SSL *s, int type); int ssl3_send_alert(SSL *s, int level, int desc); __owur int ssl3_generate_master_secret(SSL *s, unsigned char *out, - unsigned char *p, int len); -__owur int ssl3_get_req_cert_type(SSL *s, unsigned char *p); + unsigned char *p, size_t len, + size_t *secret_size); +__owur int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt); __owur int ssl3_num_ciphers(void); __owur const SSL_CIPHER *ssl3_get_cipher(unsigned int u); int ssl3_renegotiate(SSL *ssl); -int ssl3_renegotiate_check(SSL *ssl); +int ssl3_renegotiate_check(SSL *ssl, int initok); __owur int ssl3_dispatch_alert(SSL *s); -__owur int ssl3_final_finish_mac(SSL *s, const char *sender, int slen, - unsigned char *p); -__owur int ssl3_finish_mac(SSL *s, const unsigned char *buf, int len); +__owur size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t slen, + unsigned char *p); +__owur int ssl3_finish_mac(SSL *s, const unsigned char *buf, size_t len); void ssl3_free_digest_list(SSL *s); -__owur unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk); +__owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, + CERT_PKEY *cpk); __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl, STACK_OF(SSL_CIPHER) *clnt, STACK_OF(SSL_CIPHER) *srvr); __owur int ssl3_digest_cached_records(SSL *s, int keep); __owur int ssl3_new(SSL *s); void ssl3_free(SSL *s); -__owur int ssl3_read(SSL *s, void *buf, int len); -__owur int ssl3_peek(SSL *s, void *buf, int len); -__owur int ssl3_write(SSL *s, const void *buf, int len); +__owur int ssl3_read(SSL *s, void *buf, size_t len, size_t *readbytes); +__owur int ssl3_peek(SSL *s, void *buf, size_t len, size_t *readbytes); +__owur int ssl3_write(SSL *s, const void *buf, size_t len, size_t *written); __owur int ssl3_shutdown(SSL *s); -void ssl3_clear(SSL *s); +int ssl3_clear(SSL *s); __owur long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg); __owur long ssl3_ctx_ctrl(SSL_CTX *s, int cmd, long larg, void *parg); __owur long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)); @@ -1902,30 +2375,37 @@ __owur long ssl3_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp) (void)); __owur int ssl3_do_change_cipher_spec(SSL *ssl); __owur long ssl3_default_timeout(void); -__owur int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len); +__owur int ssl3_set_handshake_header(SSL *s, WPACKET *pkt, int htype); +__owur int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype); +__owur int tls_setup_handshake(SSL *s); +__owur int dtls1_set_handshake_header(SSL *s, WPACKET *pkt, int htype); +__owur int dtls1_close_construct_packet(SSL *s, WPACKET *pkt, int htype); __owur int ssl3_handshake_write(SSL *s); __owur int ssl_allow_compression(SSL *s); -__owur int ssl_version_supported(const SSL *s, int version); +__owur int ssl_version_supported(const SSL *s, int version, + const SSL_METHOD **meth); __owur int ssl_set_client_hello_version(SSL *s); __owur int ssl_check_version_downgrade(SSL *s); __owur int ssl_set_version_bound(int method_version, int version, int *bound); -__owur int ssl_choose_server_version(SSL *s); -__owur int ssl_choose_client_version(SSL *s, int version); -int ssl_get_client_min_max_version(const SSL *s, int *min_version, - int *max_version); +__owur int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, + DOWNGRADE *dgrd); +__owur int ssl_choose_client_version(SSL *s, int version, + RAW_EXTENSION *extensions); +__owur int ssl_get_min_max_version(const SSL *s, int *min_version, + int *max_version, int *real_max); __owur long tls1_default_timeout(void); __owur int dtls1_do_write(SSL *s, int type); void dtls1_set_message_header(SSL *s, unsigned char mt, - unsigned long len, - unsigned long frag_off, unsigned long frag_len); + size_t len, + size_t frag_off, size_t frag_len); -__owur int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, - int len); +int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, size_t len, + size_t *written); __owur int dtls1_read_failed(SSL *s, int code); __owur int dtls1_buffer_message(SSL *s, int ccs); @@ -1944,44 +2424,80 @@ void dtls1_start_timer(SSL *s); void dtls1_stop_timer(SSL *s); __owur int dtls1_is_timer_expired(SSL *s); void dtls1_double_timeout(SSL *s); -__owur unsigned int dtls_raw_hello_verify_request(unsigned char *buf, - unsigned char *cookie, - unsigned char cookie_len); -__owur int dtls1_send_newsession_ticket(SSL *s); -__owur unsigned int dtls1_min_mtu(SSL *s); +__owur int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, + size_t cookie_len); +__owur size_t dtls1_min_mtu(SSL *s); void dtls1_hm_fragment_free(hm_fragment *frag); __owur int dtls1_query_mtu(SSL *s); __owur int tls1_new(SSL *s); void tls1_free(SSL *s); -void tls1_clear(SSL *s); -long tls1_ctrl(SSL *s, int cmd, long larg, void *parg); -long tls1_callback_ctrl(SSL *s, int cmd, void (*fp) (void)); +int tls1_clear(SSL *s); __owur int dtls1_new(SSL *s); void dtls1_free(SSL *s); -void dtls1_clear(SSL *s); +int dtls1_clear(SSL *s); long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg); __owur int dtls1_shutdown(SSL *s); __owur int dtls1_dispatch_alert(SSL *s); __owur int ssl_init_wbio_buffer(SSL *s); -void ssl_free_wbio_buffer(SSL *s); +int ssl_free_wbio_buffer(SSL *s); __owur int tls1_change_cipher_state(SSL *s, int which); __owur int tls1_setup_key_block(SSL *s); -__owur int tls1_final_finish_mac(SSL *s, - const char *str, int slen, unsigned char *p); +__owur size_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen, + unsigned char *p); __owur int tls1_generate_master_secret(SSL *s, unsigned char *out, - unsigned char *p, int len); + unsigned char *p, size_t len, + size_t *secret_size); +__owur int tls13_setup_key_block(SSL *s); +__owur size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, + unsigned char *p); +__owur int tls13_change_cipher_state(SSL *s, int which); +__owur int tls13_update_key(SSL *s, int send); +__owur int tls13_hkdf_expand(SSL *s, const EVP_MD *md, + const unsigned char *secret, + const unsigned char *label, size_t labellen, + const unsigned char *data, size_t datalen, + unsigned char *out, size_t outlen); +__owur int tls13_derive_key(SSL *s, const EVP_MD *md, + const unsigned char *secret, unsigned char *key, + size_t keylen); +__owur int tls13_derive_iv(SSL *s, const EVP_MD *md, + const unsigned char *secret, unsigned char *iv, + size_t ivlen); +__owur int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, + const unsigned char *secret, + unsigned char *fin, size_t finlen); +int tls13_generate_secret(SSL *s, const EVP_MD *md, + const unsigned char *prevsecret, + const unsigned char *insecret, + size_t insecretlen, + unsigned char *outsecret); +__owur int tls13_generate_handshake_secret(SSL *s, + const unsigned char *insecret, + size_t insecretlen); +__owur int tls13_generate_master_secret(SSL *s, unsigned char *out, + unsigned char *prev, size_t prevlen, + size_t *secret_size); __owur int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, const char *label, size_t llen, const unsigned char *p, size_t plen, int use_context); +__owur int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, + const char *label, size_t llen, + const unsigned char *context, + size_t contextlen, int use_context); +__owur int tls13_export_keying_material_early(SSL *s, unsigned char *out, + size_t olen, const char *label, + size_t llen, + const unsigned char *context, + size_t contextlen); __owur int tls1_alert_code(int code); +__owur int tls13_alert_code(int code); __owur int ssl3_alert_code(int code); -__owur int ssl_ok(SSL *s); # ifndef OPENSSL_NO_EC __owur int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); @@ -1990,56 +2506,41 @@ __owur int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); # ifndef OPENSSL_NO_EC -/* Flags values from tls1_ec_curve_id2nid() */ -/* Mask for curve type */ -# define TLS_CURVE_TYPE 0x3 -# define TLS_CURVE_PRIME 0x0 -# define TLS_CURVE_CHAR2 0x1 -# define TLS_CURVE_CUSTOM 0x2 -__owur int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags); -__owur int tls1_ec_nid2curve_id(int nid); -__owur int tls1_check_curve(SSL *s, const unsigned char *p, size_t len); -__owur int tls1_shared_curve(SSL *s, int nmatch); -__owur int tls1_set_curves(unsigned char **pext, size_t *pextlen, + +__owur const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t curve_id); +__owur int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_curves); +__owur uint16_t tls1_shared_group(SSL *s, int nmatch); +__owur int tls1_set_groups(uint16_t **pext, size_t *pextlen, int *curves, size_t ncurves); -__owur int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, +__owur int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str); +void tls1_get_formatlist(SSL *s, const unsigned char **pformats, + size_t *num_formats); __owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id); -__owur EVP_PKEY *ssl_generate_pkey_curve(int id); +__owur EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id); +__owur EVP_PKEY *ssl_generate_param_group(uint16_t id); # endif /* OPENSSL_NO_EC */ -__owur int tls1_shared_list(SSL *s, - const unsigned char *l1, size_t l1len, - const unsigned char *l2, size_t l2len, int nmatch); -__owur unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, - unsigned char *limit, int *al); -__owur unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, - unsigned char *limit, int *al); -__owur int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt); -void ssl_set_default_md(SSL *s); +__owur int tls_curve_allowed(SSL *s, uint16_t curve, int op); +void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, + size_t *pgroupslen); + __owur int tls1_set_server_sigalgs(SSL *s); -__owur int ssl_check_clienthello_tlsext_late(SSL *s, int *al); -__owur int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt); -__owur int ssl_prepare_clienthello_tlsext(SSL *s); -__owur int ssl_prepare_serverhello_tlsext(SSL *s); - -# ifndef OPENSSL_NO_HEARTBEATS -__owur int dtls1_heartbeat(SSL *s); -__owur int dtls1_process_heartbeat(SSL *s, unsigned char *p, - unsigned int length); -# endif -__owur int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext, - const PACKET *session_id, - SSL_SESSION **ret); +__owur SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello, + SSL_SESSION **ret); +__owur SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, + size_t eticklen, + const unsigned char *sess_id, + size_t sesslen, SSL_SESSION **psess); + +__owur int tls_use_ticket(SSL *s); -__owur int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, - const EVP_MD *md); -__owur int tls12_get_sigid(const EVP_PKEY *pk); -__owur const EVP_MD *tls12_get_hash(unsigned char hash_alg); void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op); __owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client); +__owur int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, + int client); __owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen, int client); int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, @@ -2058,37 +2559,61 @@ __owur int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee); __owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex, int vfy); +int tls_choose_sigalg(SSL *s, int fatalerrs); + __owur EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md); void ssl_clear_hash_ctx(EVP_MD_CTX **hash); -__owur int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, - int *len, int maxlen); -__owur int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al); -__owur int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, - int *len, int maxlen); -__owur int ssl_parse_clienthello_renegotiate_ext(SSL *s, PACKET *pkt, int *al); __owur long ssl_get_algorithm2(SSL *s); -__owur size_t tls12_copy_sigalgs(SSL *s, unsigned char *out, - const unsigned char *psig, size_t psiglen); -__owur int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize); +__owur int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, + const uint16_t *psig, size_t psiglen); +__owur int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen); +__owur int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert); __owur int tls1_process_sigalgs(SSL *s); -__owur size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs); -__owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, - const unsigned char *sig, EVP_PKEY *pkey); -void ssl_set_client_disabled(SSL *s); +__owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey); +__owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd); +__owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs); +# ifndef OPENSSL_NO_EC +__owur int tls_check_sigalg_curve(const SSL *s, int curve); +# endif +__owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey); +__owur int ssl_set_client_disabled(SSL *s); __owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde); -__owur int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, - int maxlen); -__owur int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET *pkt, int *al); -__owur int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, - int maxlen); -__owur int ssl_parse_serverhello_use_srtp_ext(SSL *s, PACKET *pkt, int *al); - -__owur int ssl_handshake_hash(SSL *s, unsigned char *out, int outlen); +__owur int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen, + size_t *hashlen); __owur const EVP_MD *ssl_md(int idx); __owur const EVP_MD *ssl_handshake_md(SSL *s); __owur const EVP_MD *ssl_prf_md(SSL *s); +/* + * ssl_log_rsa_client_key_exchange logs |premaster| to the SSL_CTX associated + * with |ssl|, if logging is enabled. It returns one on success and zero on + * failure. The entry is identified by the first 8 bytes of + * |encrypted_premaster|. + */ +__owur int ssl_log_rsa_client_key_exchange(SSL *ssl, + const uint8_t *encrypted_premaster, + size_t encrypted_premaster_len, + const uint8_t *premaster, + size_t premaster_len); + +/* + * ssl_log_secret logs |secret| to the SSL_CTX associated with |ssl|, if + * logging is available. It returns one on success and zero on failure. It tags + * the entry with |label|. + */ +__owur int ssl_log_secret(SSL *ssl, const char *label, + const uint8_t *secret, size_t secret_len); + +#define MASTER_SECRET_LABEL "CLIENT_RANDOM" +#define CLIENT_EARLY_LABEL "CLIENT_EARLY_TRAFFIC_SECRET" +#define CLIENT_HANDSHAKE_LABEL "CLIENT_HANDSHAKE_TRAFFIC_SECRET" +#define SERVER_HANDSHAKE_LABEL "SERVER_HANDSHAKE_TRAFFIC_SECRET" +#define CLIENT_APPLICATION_LABEL "CLIENT_TRAFFIC_SECRET_0" +#define SERVER_APPLICATION_LABEL "SERVER_TRAFFIC_SECRET_0" +#define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET" +#define EXPORTER_SECRET_LABEL "EXPORTER_SECRET" + /* s3_cbc.c */ __owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); __owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, @@ -2099,26 +2624,29 @@ __owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, size_t data_plus_mac_size, size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret, - unsigned mac_secret_length, char is_sslv3); - -__owur int tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx, - EVP_MD_CTX *mac_ctx, const unsigned char *data, - size_t data_len, size_t orig_len); + size_t mac_secret_length, char is_sslv3); __owur int srp_generate_server_master_secret(SSL *s); __owur int srp_generate_client_master_secret(SSL *s); -__owur int srp_verify_server_param(SSL *s, int *al); +__owur int srp_verify_server_param(SSL *s); + +/* statem/statem_srvr.c */ + +__owur int send_certificate_request(SSL *s); -/* t1_ext.c */ +/* statem/extensions_cust.c */ + +custom_ext_method *custom_ext_find(const custom_ext_methods *exts, + ENDPOINT role, unsigned int ext_type, + size_t *idx); void custom_ext_init(custom_ext_methods *meths); -__owur int custom_ext_parse(SSL *s, int server, - unsigned int ext_type, +__owur int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type, const unsigned char *ext_data, size_t ext_size, - int *al); -__owur int custom_ext_add(SSL *s, int server, unsigned char **pret, - unsigned char *limit, int *al); + X509 *x, size_t chainidx); +__owur int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, + size_t chainidx, int maxversion); __owur int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src); @@ -2128,11 +2656,13 @@ void custom_exts_free(custom_ext_methods *exts); void ssl_comp_free_compression_methods_int(void); -# else +/* ssl_mcnf.c */ +void ssl_ctx_system_config(SSL_CTX *ctx); + +# else /* OPENSSL_UNIT_TEST */ # define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer # define ssl3_setup_buffers SSL_test_functions()->p_ssl3_setup_buffers -# define dtls1_process_heartbeat SSL_test_functions()->p_dtls1_process_heartbeat # endif #endif diff --git a/deps/openssl/openssl/ssl/ssl_mcnf.c b/deps/openssl/openssl/ssl/ssl_mcnf.c index 24742660e4..a0e2657714 100644 --- a/deps/openssl/openssl/ssl/ssl_mcnf.c +++ b/deps/openssl/openssl/ssl/ssl_mcnf.c @@ -17,11 +17,10 @@ void SSL_add_ssl_module(void) { - /* Just load all of the crypto builtin modules. This includes the SSL one */ - OPENSSL_load_builtin_modules(); + /* Do nothing. This will be added automatically by libcrypto */ } -static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name) +static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system) { SSL_CONF_CTX *cctx = NULL; size_t i, idx, cmd_count; @@ -34,9 +33,14 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name) SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER); goto err; } + + if (name == NULL && system) + name = "system_default"; if (!conf_ssl_name_find(name, &idx)) { - SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME); - ERR_add_error_data(2, "name=", name); + if (!system) { + SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME); + ERR_add_error_data(2, "name=", name); + } goto err; } cmds = conf_ssl_get(idx, &name, &cmd_count); @@ -44,7 +48,8 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name) if (cctx == NULL) goto err; flags = SSL_CONF_FLAG_FILE; - flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE; + if (!system) + flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE; if (s != NULL) { meth = s->method; SSL_CONF_CTX_set_ssl(cctx, s); @@ -80,10 +85,15 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name) int SSL_config(SSL *s, const char *name) { - return ssl_do_config(s, NULL, name); + return ssl_do_config(s, NULL, name, 0); } int SSL_CTX_config(SSL_CTX *ctx, const char *name) { - return ssl_do_config(NULL, ctx, name); + return ssl_do_config(NULL, ctx, name, 0); +} + +void ssl_ctx_system_config(SSL_CTX *ctx) +{ + ssl_do_config(NULL, ctx, NULL, 1); } diff --git a/deps/openssl/openssl/ssl/ssl_rsa.c b/deps/openssl/openssl/ssl/ssl_rsa.c index a94fb13b89..172e15f920 100644 --- a/deps/openssl/openssl/ssl/ssl_rsa.c +++ b/deps/openssl/openssl/ssl/ssl_rsa.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -9,6 +9,7 @@ #include <stdio.h> #include "ssl_locl.h" +#include "packet_locl.h" #include <openssl/bio.h> #include <openssl/objects.h> #include <openssl/evp.h> @@ -17,12 +18,18 @@ static int ssl_set_cert(CERT *c, X509 *x509); static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); + +#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \ + | SSL_EXT_CLIENT_HELLO \ + | SSL_EXT_TLS1_2_SERVER_HELLO \ + | SSL_EXT_IGNORE_ON_RESUMPTION) + int SSL_use_certificate(SSL *ssl, X509 *x) { int rv; if (x == NULL) { SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } rv = ssl_security_cert(ssl, NULL, x, 0, 1); if (rv != 1) { @@ -30,7 +37,7 @@ int SSL_use_certificate(SSL *ssl, X509 *x) return 0; } - return (ssl_set_cert(ssl->cert, x)); + return ssl_set_cert(ssl->cert, x); } int SSL_use_certificate_file(SSL *ssl, const char *file, int type) @@ -71,7 +78,7 @@ int SSL_use_certificate_file(SSL *ssl, const char *file, int type) end: X509_free(x); BIO_free(in); - return (ret); + return ret; } int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) @@ -82,12 +89,12 @@ int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) x = d2i_X509(NULL, &d, (long)len); if (x == NULL) { SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); - return (0); + return 0; } ret = SSL_use_certificate(ssl, x); X509_free(x); - return (ret); + return ret; } #ifndef OPENSSL_NO_RSA @@ -98,11 +105,11 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) if (rsa == NULL) { SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } if ((pkey = EVP_PKEY_new()) == NULL) { SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); - return (0); + return 0; } RSA_up_ref(rsa); @@ -114,17 +121,17 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) ret = ssl_set_pkey(ssl->cert, pkey); EVP_PKEY_free(pkey); - return (ret); + return ret; } #endif static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) { - int i; - i = ssl_cert_type(NULL, pkey); - if (i < 0) { + size_t i; + + if (ssl_cert_lookup_by_pkey(pkey, &i) == NULL) { SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); - return (0); + return 0; } if (c->pkeys[i].x509 != NULL) { @@ -160,8 +167,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) EVP_PKEY_free(c->pkeys[i].privatekey); EVP_PKEY_up_ref(pkey); c->pkeys[i].privatekey = pkey; - c->key = &(c->pkeys[i]); - return (1); + c->key = &c->pkeys[i]; + return 1; } #ifndef OPENSSL_NO_RSA @@ -201,7 +208,7 @@ int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) RSA_free(rsa); end: BIO_free(in); - return (ret); + return ret; } int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len) @@ -213,12 +220,12 @@ int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len) p = d; if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) { SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); - return (0); + return 0; } ret = SSL_use_RSAPrivateKey(ssl, rsa); RSA_free(rsa); - return (ret); + return ret; } #endif /* !OPENSSL_NO_RSA */ @@ -228,10 +235,10 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) if (pkey == NULL) { SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } ret = ssl_set_pkey(ssl->cert, pkey); - return (ret); + return ret; } int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) @@ -270,7 +277,7 @@ int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) EVP_PKEY_free(pkey); end: BIO_free(in); - return (ret); + return ret; } int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, @@ -283,12 +290,12 @@ int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, p = d; if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) { SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); - return (0); + return 0; } ret = SSL_use_PrivateKey(ssl, pkey); EVP_PKEY_free(pkey); - return (ret); + return ret; } int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) @@ -296,29 +303,28 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) int rv; if (x == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } rv = ssl_security_cert(NULL, ctx, x, 0, 1); if (rv != 1) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv); return 0; } - return (ssl_set_cert(ctx->cert, x)); + return ssl_set_cert(ctx->cert, x); } static int ssl_set_cert(CERT *c, X509 *x) { EVP_PKEY *pkey; - int i; + size_t i; pkey = X509_get0_pubkey(x); if (pkey == NULL) { SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB); - return (0); + return 0; } - i = ssl_cert_type(x, pkey); - if (i < 0) { + if (ssl_cert_lookup_by_pkey(pkey, &i) == NULL) { SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE); return 0; } @@ -405,7 +411,7 @@ int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) end: X509_free(x); BIO_free(in); - return (ret); + return ret; } int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d) @@ -416,12 +422,12 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d) x = d2i_X509(NULL, &d, (long)len); if (x == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); - return (0); + return 0; } ret = SSL_CTX_use_certificate(ctx, x); X509_free(x); - return (ret); + return ret; } #ifndef OPENSSL_NO_RSA @@ -432,11 +438,11 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) if (rsa == NULL) { SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } if ((pkey = EVP_PKEY_new()) == NULL) { SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); - return (0); + return 0; } RSA_up_ref(rsa); @@ -448,7 +454,7 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) ret = ssl_set_pkey(ctx->cert, pkey); EVP_PKEY_free(pkey); - return (ret); + return ret; } int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) @@ -487,7 +493,7 @@ int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) RSA_free(rsa); end: BIO_free(in); - return (ret); + return ret; } int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, @@ -500,12 +506,12 @@ int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, p = d; if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) { SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); - return (0); + return 0; } ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); RSA_free(rsa); - return (ret); + return ret; } #endif /* !OPENSSL_NO_RSA */ @@ -513,9 +519,9 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) { if (pkey == NULL) { SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); - return (0); + return 0; } - return (ssl_set_pkey(ctx->cert, pkey)); + return ssl_set_pkey(ctx->cert, pkey); } int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) @@ -554,7 +560,7 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) EVP_PKEY_free(pkey); end: BIO_free(in); - return (ret); + return ret; } int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, @@ -567,12 +573,12 @@ int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, p = d; if ((pkey = d2i_PrivateKey(type, NULL, &p, (long)len)) == NULL) { SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); - return (0); + return 0; } ret = SSL_CTX_use_PrivateKey(ctx, pkey); EVP_PKEY_free(pkey); - return (ret); + return ret; } /* @@ -674,7 +680,7 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file) end: X509_free(x); BIO_free(in); - return (ret); + return ret; } int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) @@ -693,50 +699,43 @@ static int serverinfo_find_extension(const unsigned char *serverinfo, const unsigned char **extension_data, size_t *extension_length) { + PACKET pkt, data; + *extension_data = NULL; *extension_length = 0; if (serverinfo == NULL || serverinfo_length == 0) return -1; + + if (!PACKET_buf_init(&pkt, serverinfo, serverinfo_length)) + return -1; + for (;;) { unsigned int type = 0; - size_t len = 0; + unsigned long context = 0; /* end of serverinfo */ - if (serverinfo_length == 0) + if (PACKET_remaining(&pkt) == 0) return 0; /* Extension not found */ - /* read 2-byte type field */ - if (serverinfo_length < 2) - return -1; /* Error */ - type = (serverinfo[0] << 8) + serverinfo[1]; - serverinfo += 2; - serverinfo_length -= 2; - - /* read 2-byte len field */ - if (serverinfo_length < 2) - return -1; /* Error */ - len = (serverinfo[0] << 8) + serverinfo[1]; - serverinfo += 2; - serverinfo_length -= 2; - - if (len > serverinfo_length) - return -1; /* Error */ + if (!PACKET_get_net_4(&pkt, &context) + || !PACKET_get_net_2(&pkt, &type) + || !PACKET_get_length_prefixed_2(&pkt, &data)) + return -1; if (type == extension_type) { - *extension_data = serverinfo; - *extension_length = len; + *extension_data = PACKET_data(&data); + *extension_length = PACKET_remaining(&data);; return 1; /* Success */ } - - serverinfo += len; - serverinfo_length -= len; } /* Unreachable */ } -static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type, - const unsigned char *in, - size_t inlen, int *al, void *arg) +static int serverinfoex_srv_parse_cb(SSL *s, unsigned int ext_type, + unsigned int context, + const unsigned char *in, + size_t inlen, X509 *x, size_t chainidx, + int *al, void *arg) { if (inlen != 0) { @@ -747,13 +746,27 @@ static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type, return 1; } -static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type, - const unsigned char **out, size_t *outlen, - int *al, void *arg) +static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type, + const unsigned char *in, + size_t inlen, int *al, void *arg) +{ + return serverinfoex_srv_parse_cb(s, ext_type, 0, in, inlen, NULL, 0, al, + arg); +} + +static int serverinfoex_srv_add_cb(SSL *s, unsigned int ext_type, + unsigned int context, + const unsigned char **out, + size_t *outlen, X509 *x, size_t chainidx, + int *al, void *arg) { const unsigned char *serverinfo = NULL; size_t serverinfo_length = 0; + /* We only support extensions for the first Certificate */ + if ((context & SSL_EXT_TLS1_3_CERTIFICATE) != 0 && chainidx > 0) + return 0; + /* Is there serverinfo data for the chosen server cert? */ if ((ssl_get_server_cert_serverinfo(s, &serverinfo, &serverinfo_length)) != 0) { @@ -761,7 +774,7 @@ static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type, int retval = serverinfo_find_extension(serverinfo, serverinfo_length, ext_type, out, outlen); if (retval == -1) { - *al = SSL_AD_DECODE_ERROR; + *al = SSL_AD_INTERNAL_ERROR; return -1; /* Error */ } if (retval == 0) @@ -772,91 +785,101 @@ static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type, * extension */ } +static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type, + const unsigned char **out, size_t *outlen, + int *al, void *arg) +{ + return serverinfoex_srv_add_cb(s, ext_type, 0, out, outlen, NULL, 0, al, + arg); +} + /* * With a NULL context, this function just checks that the serverinfo data * parses correctly. With a non-NULL context, it registers callbacks for * the included extensions. */ -static int serverinfo_process_buffer(const unsigned char *serverinfo, +static int serverinfo_process_buffer(unsigned int version, + const unsigned char *serverinfo, size_t serverinfo_length, SSL_CTX *ctx) { + PACKET pkt; + if (serverinfo == NULL || serverinfo_length == 0) return 0; - for (;;) { - unsigned int ext_type = 0; - size_t len = 0; - - /* end of serverinfo */ - if (serverinfo_length == 0) - return 1; - /* read 2-byte type field */ - if (serverinfo_length < 2) - return 0; - /* FIXME: check for types we understand explicitly? */ - - /* Register callbacks for extensions */ - ext_type = (serverinfo[0] << 8) + serverinfo[1]; - if (ctx) { - int have_ext_cbs = 0; - size_t i; - custom_ext_methods *exts = &ctx->cert->srv_ext; - custom_ext_method *meth = exts->meths; - - for (i = 0; i < exts->meths_count; i++, meth++) { - if (ext_type == meth->ext_type) { - have_ext_cbs = 1; - break; - } - } + if (version != SSL_SERVERINFOV1 && version != SSL_SERVERINFOV2) + return 0; - if (!have_ext_cbs && !SSL_CTX_add_server_custom_ext(ctx, ext_type, - serverinfo_srv_add_cb, - NULL, NULL, - serverinfo_srv_parse_cb, - NULL)) - return 0; - } + if (!PACKET_buf_init(&pkt, serverinfo, serverinfo_length)) + return 0; - serverinfo += 2; - serverinfo_length -= 2; + while (PACKET_remaining(&pkt)) { + unsigned long context = 0; + unsigned int ext_type = 0; + PACKET data; - /* read 2-byte len field */ - if (serverinfo_length < 2) + if ((version == SSL_SERVERINFOV2 && !PACKET_get_net_4(&pkt, &context)) + || !PACKET_get_net_2(&pkt, &ext_type) + || !PACKET_get_length_prefixed_2(&pkt, &data)) return 0; - len = (serverinfo[0] << 8) + serverinfo[1]; - serverinfo += 2; - serverinfo_length -= 2; - if (len > serverinfo_length) - return 0; + if (ctx == NULL) + continue; - serverinfo += len; - serverinfo_length -= len; + /* + * The old style custom extensions API could be set separately for + * server/client, i.e. you could set one custom extension for a client, + * and *for the same extension in the same SSL_CTX* you could set a + * custom extension for the server as well. It seems quite weird to be + * setting a custom extension for both client and server in a single + * SSL_CTX - but theoretically possible. This isn't possible in the + * new API. Therefore, if we have V1 serverinfo we use the old API. We + * also use the old API even if we have V2 serverinfo but the context + * looks like an old style <= TLSv1.2 extension. + */ + if (version == SSL_SERVERINFOV1 || context == SYNTHV1CONTEXT) { + if (!SSL_CTX_add_server_custom_ext(ctx, ext_type, + serverinfo_srv_add_cb, + NULL, NULL, + serverinfo_srv_parse_cb, + NULL)) + return 0; + } else { + if (!SSL_CTX_add_custom_ext(ctx, ext_type, context, + serverinfoex_srv_add_cb, + NULL, NULL, + serverinfoex_srv_parse_cb, + NULL)) + return 0; + } } + + return 1; } -int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, - size_t serverinfo_length) +int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version, + const unsigned char *serverinfo, + size_t serverinfo_length) { unsigned char *new_serverinfo; if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_PASSED_NULL_PARAMETER); + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_PASSED_NULL_PARAMETER); return 0; } - if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL)) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA); + if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length, + NULL)) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA); return 0; } if (ctx->cert->key == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_INTERNAL_ERROR); return 0; } new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo, serverinfo_length); if (new_serverinfo == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE); + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_MALLOC_FAILURE); return 0; } ctx->cert->key->serverinfo = new_serverinfo; @@ -867,13 +890,21 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, * Now that the serverinfo is validated and stored, go ahead and * register callbacks. */ - if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx)) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA); + if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length, + ctx)) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA); return 0; } return 1; } +int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, + size_t serverinfo_length) +{ + return SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV1, serverinfo, + serverinfo_length); +} + int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) { unsigned char *serverinfo = NULL; @@ -883,10 +914,11 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) long extension_length = 0; char *name = NULL; char *header = NULL; - char namePrefix[] = "SERVERINFO FOR "; + char namePrefix1[] = "SERVERINFO FOR "; + char namePrefix2[] = "SERVERINFOV2 FOR "; int ret = 0; BIO *bin = NULL; - size_t num_extensions = 0; + size_t num_extensions = 0, contextoff = 0; if (ctx == NULL || file == NULL) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PASSED_NULL_PARAMETER); @@ -904,6 +936,8 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) } for (num_extensions = 0;; num_extensions++) { + unsigned int version; + if (PEM_read_bio(bin, &name, &header, &extension, &extension_length) == 0) { /* @@ -917,32 +951,70 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) break; } /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */ - if (strlen(name) < strlen(namePrefix)) { + if (strlen(name) < strlen(namePrefix1)) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_TOO_SHORT); goto end; } - if (strncmp(name, namePrefix, strlen(namePrefix)) != 0) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, - SSL_R_PEM_NAME_BAD_PREFIX); - goto end; + if (strncmp(name, namePrefix1, strlen(namePrefix1)) == 0) { + version = SSL_SERVERINFOV1; + } else { + if (strlen(name) < strlen(namePrefix2)) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, + SSL_R_PEM_NAME_TOO_SHORT); + goto end; + } + if (strncmp(name, namePrefix2, strlen(namePrefix2)) != 0) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, + SSL_R_PEM_NAME_BAD_PREFIX); + goto end; + } + version = SSL_SERVERINFOV2; } /* * Check that the decoded PEM data is plausible (valid length field) */ - if (extension_length < 4 - || (extension[2] << 8) + extension[3] != extension_length - 4) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); - goto end; + if (version == SSL_SERVERINFOV1) { + /* 4 byte header: 2 bytes type, 2 bytes len */ + if (extension_length < 4 + || (extension[2] << 8) + extension[3] + != extension_length - 4) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); + goto end; + } + /* + * File does not have a context value so we must take account of + * this later. + */ + contextoff = 4; + } else { + /* 8 byte header: 4 bytes context, 2 bytes type, 2 bytes len */ + if (extension_length < 8 + || (extension[6] << 8) + extension[7] + != extension_length - 8) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); + goto end; + } } /* Append the decoded extension to the serverinfo buffer */ - tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length); + tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length + + contextoff); if (tmp == NULL) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE); goto end; } serverinfo = tmp; - memcpy(serverinfo + serverinfo_length, extension, extension_length); - serverinfo_length += extension_length; + if (contextoff > 0) { + unsigned char *sinfo = serverinfo + serverinfo_length; + + /* We know this only uses the last 2 bytes */ + sinfo[0] = 0; + sinfo[1] = 0; + sinfo[2] = (SYNTHV1CONTEXT >> 8) & 0xff; + sinfo[3] = SYNTHV1CONTEXT & 0xff; + } + memcpy(serverinfo + serverinfo_length + contextoff, + extension, extension_length); + serverinfo_length += extension_length + contextoff; OPENSSL_free(name); name = NULL; @@ -952,7 +1024,8 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) extension = NULL; } - ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length); + ret = SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV2, serverinfo, + serverinfo_length); end: /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */ OPENSSL_free(name); @@ -962,3 +1035,114 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) BIO_free(bin); return ret; } + +static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey, + STACK_OF(X509) *chain, int override) +{ + int ret = 0; + size_t i; + int j; + int rv; + CERT *c = ssl != NULL ? ssl->cert : ctx->cert; + STACK_OF(X509) *dup_chain = NULL; + EVP_PKEY *pubkey = NULL; + + /* Do all security checks before anything else */ + rv = ssl_security_cert(ssl, ctx, x509, 0, 1); + if (rv != 1) { + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, rv); + goto out; + } + for (j = 0; j < sk_X509_num(chain); j++) { + rv = ssl_security_cert(ssl, ctx, sk_X509_value(chain, j), 0, 0); + if (rv != 1) { + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, rv); + goto out; + } + } + + pubkey = X509_get_pubkey(x509); /* bumps reference */ + if (pubkey == NULL) + goto out; + if (privatekey == NULL) { + privatekey = pubkey; + } else { + /* For RSA, which has no parameters, missing returns 0 */ + if (EVP_PKEY_missing_parameters(privatekey)) { + if (EVP_PKEY_missing_parameters(pubkey)) { + /* nobody has parameters? - error */ + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_MISSING_PARAMETERS); + goto out; + } else { + /* copy to privatekey from pubkey */ + EVP_PKEY_copy_parameters(privatekey, pubkey); + } + } else if (EVP_PKEY_missing_parameters(pubkey)) { + /* copy to pubkey from privatekey */ + EVP_PKEY_copy_parameters(pubkey, privatekey); + } /* else both have parameters */ + + /* Copied from ssl_set_cert/pkey */ +#ifndef OPENSSL_NO_RSA + if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) && + ((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) & RSA_METHOD_FLAG_NO_CHECK))) + /* no-op */ ; + else +#endif + /* check that key <-> cert match */ + if (EVP_PKEY_cmp(pubkey, privatekey) != 1) { + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH); + goto out; + } + } + if (ssl_cert_lookup_by_pkey(pubkey, &i) == NULL) { + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); + goto out; + } + + if (!override && (c->pkeys[i].x509 != NULL + || c->pkeys[i].privatekey != NULL + || c->pkeys[i].chain != NULL)) { + /* No override, and something already there */ + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_NOT_REPLACING_CERTIFICATE); + goto out; + } + + if (chain != NULL) { + dup_chain = X509_chain_up_ref(chain); + if (dup_chain == NULL) { + SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, ERR_R_MALLOC_FAILURE); + goto out; + } + } + + sk_X509_pop_free(c->pkeys[i].chain, X509_free); + c->pkeys[i].chain = dup_chain; + + X509_free(c->pkeys[i].x509); + X509_up_ref(x509); + c->pkeys[i].x509 = x509; + + EVP_PKEY_free(c->pkeys[i].privatekey); + EVP_PKEY_up_ref(privatekey); + c->pkeys[i].privatekey = privatekey; + + c->key = &(c->pkeys[i]); + + ret = 1; + out: + EVP_PKEY_free(pubkey); + return ret; +} + +int SSL_use_cert_and_key(SSL *ssl, X509 *x509, EVP_PKEY *privatekey, + STACK_OF(X509) *chain, int override) +{ + return ssl_set_cert_and_key(ssl, NULL, x509, privatekey, chain, override); +} + +int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey, + STACK_OF(X509) *chain, int override) +{ + return ssl_set_cert_and_key(NULL, ctx, x509, privatekey, chain, override); +} diff --git a/deps/openssl/openssl/ssl/ssl_sess.c b/deps/openssl/openssl/ssl/ssl_sess.c index 926b55c7ba..5ad2792a1b 100644 --- a/deps/openssl/openssl/ssl/ssl_sess.c +++ b/deps/openssl/openssl/ssl/ssl_sess.c @@ -1,5 +1,6 @@ /* * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,47 +8,31 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include <stdio.h> -#include <openssl/lhash.h> #include <openssl/rand.h> #include <openssl/engine.h> +#include "internal/refcount.h" +#include "internal/cryptlib.h" #include "ssl_locl.h" +#include "statem/statem_locl.h" static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s); static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck); +/* + * SSL_get_session() and SSL_get1_session() are problematic in TLS1.3 because, + * unlike in earlier protocol versions, the session ticket may not have been + * sent yet even though a handshake has finished. The session ticket data could + * come in sometime later...or even change if multiple session ticket messages + * are sent from the server. The preferred way for applications to obtain + * a resumable session is to use SSL_CTX_sess_set_new_cb(). + */ + SSL_SESSION *SSL_get_session(const SSL *ssl) /* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */ { - return (ssl->session); + return ssl->session; } SSL_SESSION *SSL_get1_session(SSL *ssl) @@ -69,18 +54,21 @@ SSL_SESSION *SSL_get1_session(SSL *ssl) int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg) { - return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); + return CRYPTO_set_ex_data(&s->ex_data, idx, arg); } void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx) { - return (CRYPTO_get_ex_data(&s->ex_data, idx)); + return CRYPTO_get_ex_data(&s->ex_data, idx); } SSL_SESSION *SSL_SESSION_new(void) { SSL_SESSION *ss; + if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) + return NULL; + ss = OPENSSL_zalloc(sizeof(*ss)); if (ss == NULL) { SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); @@ -106,6 +94,11 @@ SSL_SESSION *SSL_SESSION_new(void) return ss; } +SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src) +{ + return ssl_session_dup(src, 1); +} + /* * Create a new SSL_SESSION and duplicate the contents of |src| into it. If * ticket == 0 then no ticket information is duplicated, otherwise it is. @@ -129,17 +122,19 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) dest->psk_identity = NULL; #endif dest->ciphers = NULL; - dest->tlsext_hostname = NULL; + dest->ext.hostname = NULL; #ifndef OPENSSL_NO_EC - dest->tlsext_ecpointformatlist = NULL; - dest->tlsext_ellipticcurvelist = NULL; + dest->ext.ecpointformats = NULL; + dest->ext.supportedgroups = NULL; #endif - dest->tlsext_tick = NULL; + dest->ext.tick = NULL; + dest->ext.alpn_selected = NULL; #ifndef OPENSSL_NO_SRP dest->srp_username = NULL; #endif dest->peer_chain = NULL; dest->peer = NULL; + dest->ticket_appdata = NULL; memset(&dest->ex_data, 0, sizeof(dest->ex_data)); /* We deliberately don't copy the prev and next pointers */ @@ -192,37 +187,45 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) goto err; } - if (src->tlsext_hostname) { - dest->tlsext_hostname = OPENSSL_strdup(src->tlsext_hostname); - if (dest->tlsext_hostname == NULL) { + if (src->ext.hostname) { + dest->ext.hostname = OPENSSL_strdup(src->ext.hostname); + if (dest->ext.hostname == NULL) { goto err; } } #ifndef OPENSSL_NO_EC - if (src->tlsext_ecpointformatlist) { - dest->tlsext_ecpointformatlist = - OPENSSL_memdup(src->tlsext_ecpointformatlist, - src->tlsext_ecpointformatlist_length); - if (dest->tlsext_ecpointformatlist == NULL) + if (src->ext.ecpointformats) { + dest->ext.ecpointformats = + OPENSSL_memdup(src->ext.ecpointformats, + src->ext.ecpointformats_len); + if (dest->ext.ecpointformats == NULL) goto err; } - if (src->tlsext_ellipticcurvelist) { - dest->tlsext_ellipticcurvelist = - OPENSSL_memdup(src->tlsext_ellipticcurvelist, - src->tlsext_ellipticcurvelist_length); - if (dest->tlsext_ellipticcurvelist == NULL) + if (src->ext.supportedgroups) { + dest->ext.supportedgroups = + OPENSSL_memdup(src->ext.supportedgroups, + src->ext.supportedgroups_len + * sizeof(*src->ext.supportedgroups)); + if (dest->ext.supportedgroups == NULL) goto err; } #endif - if (ticket != 0 && src->tlsext_tick != NULL) { - dest->tlsext_tick = - OPENSSL_memdup(src->tlsext_tick, src->tlsext_ticklen); - if (dest->tlsext_tick == NULL) + if (ticket != 0 && src->ext.tick != NULL) { + dest->ext.tick = + OPENSSL_memdup(src->ext.tick, src->ext.ticklen); + if (dest->ext.tick == NULL) goto err; } else { - dest->tlsext_tick_lifetime_hint = 0; - dest->tlsext_ticklen = 0; + dest->ext.tick_lifetime_hint = 0; + dest->ext.ticklen = 0; + } + + if (src->ext.alpn_selected != NULL) { + dest->ext.alpn_selected = OPENSSL_memdup(src->ext.alpn_selected, + src->ext.alpn_selected_len); + if (dest->ext.alpn_selected == NULL) + goto err; } #ifndef OPENSSL_NO_SRP @@ -234,6 +237,13 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) } #endif + if (src->ticket_appdata != NULL) { + dest->ticket_appdata = + OPENSSL_memdup(src->ticket_appdata, src->ticket_appdata_len); + if (dest->ticket_appdata == NULL) + goto err; + } + return dest; err: SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE); @@ -244,14 +254,14 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) { if (len) - *len = s->session_id_length; + *len = (unsigned int)s->session_id_length; return s->session_id; } const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s, unsigned int *len) { if (len != NULL) - *len = s->sid_ctx_length; + *len = (unsigned int)s->sid_ctx_length; return s->sid_ctx; } @@ -272,7 +282,7 @@ unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s) */ #define MAX_SESS_ID_ATTEMPTS 10 -static int def_generate_session_id(const SSL *ssl, unsigned char *id, +static int def_generate_session_id(SSL *ssl, unsigned char *id, unsigned int *id_len) { unsigned int retry = 0; @@ -295,16 +305,99 @@ static int def_generate_session_id(const SSL *ssl, unsigned char *id, return 0; } +int ssl_generate_session_id(SSL *s, SSL_SESSION *ss) +{ + unsigned int tmp; + GEN_SESSION_CB cb = def_generate_session_id; + + switch (s->version) { + case SSL3_VERSION: + case TLS1_VERSION: + case TLS1_1_VERSION: + case TLS1_2_VERSION: + case TLS1_3_VERSION: + case DTLS1_BAD_VER: + case DTLS1_VERSION: + case DTLS1_2_VERSION: + ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; + break; + default: + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID, + SSL_R_UNSUPPORTED_SSL_VERSION); + return 0; + } + + /*- + * If RFC5077 ticket, use empty session ID (as server). + * Note that: + * (a) ssl_get_prev_session() does lookahead into the + * ClientHello extensions to find the session ticket. + * When ssl_get_prev_session() fails, statem_srvr.c calls + * ssl_get_new_session() in tls_process_client_hello(). + * At that point, it has not yet parsed the extensions, + * however, because of the lookahead, it already knows + * whether a ticket is expected or not. + * + * (b) statem_clnt.c calls ssl_get_new_session() before parsing + * ServerHello extensions, and before recording the session + * ID received from the server, so this block is a noop. + */ + if (s->ext.ticket_expected) { + ss->session_id_length = 0; + return 1; + } + + /* Choose which callback will set the session ID */ + CRYPTO_THREAD_read_lock(s->lock); + CRYPTO_THREAD_read_lock(s->session_ctx->lock); + if (s->generate_session_id) + cb = s->generate_session_id; + else if (s->session_ctx->generate_session_id) + cb = s->session_ctx->generate_session_id; + CRYPTO_THREAD_unlock(s->session_ctx->lock); + CRYPTO_THREAD_unlock(s->lock); + /* Choose a session ID */ + memset(ss->session_id, 0, ss->session_id_length); + tmp = (int)ss->session_id_length; + if (!cb(s, ss->session_id, &tmp)) { + /* The callback failed */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID, + SSL_R_SSL_SESSION_ID_CALLBACK_FAILED); + return 0; + } + /* + * Don't allow the callback to set the session length to zero. nor + * set it higher than it was. + */ + if (tmp == 0 || tmp > ss->session_id_length) { + /* The callback set an illegal length */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID, + SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH); + return 0; + } + ss->session_id_length = tmp; + /* Finally, check for a conflict */ + if (SSL_has_matching_session_id(s, ss->session_id, + (unsigned int)ss->session_id_length)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID, + SSL_R_SSL_SESSION_ID_CONFLICT); + return 0; + } + + return 1; +} + int ssl_get_new_session(SSL *s, int session) { /* This gets used by clients and servers. */ - unsigned int tmp; SSL_SESSION *ss = NULL; - GEN_SESSION_CB cb = def_generate_session_id; - if ((ss = SSL_SESSION_new()) == NULL) - return (0); + if ((ss = SSL_SESSION_new()) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_NEW_SESSION, + ERR_R_MALLOC_FAILURE); + return 0; + } /* If the context has a default timeout, use it */ if (s->session_ctx->session_timeout == 0) @@ -316,107 +409,25 @@ int ssl_get_new_session(SSL *s, int session) s->session = NULL; if (session) { - if (s->version == SSL3_VERSION) { - ss->ssl_version = SSL3_VERSION; - ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; - } else if (s->version == TLS1_VERSION) { - ss->ssl_version = TLS1_VERSION; - ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; - } else if (s->version == TLS1_1_VERSION) { - ss->ssl_version = TLS1_1_VERSION; - ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; - } else if (s->version == TLS1_2_VERSION) { - ss->ssl_version = TLS1_2_VERSION; - ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; - } else if (s->version == DTLS1_BAD_VER) { - ss->ssl_version = DTLS1_BAD_VER; - ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; - } else if (s->version == DTLS1_VERSION) { - ss->ssl_version = DTLS1_VERSION; - ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; - } else if (s->version == DTLS1_2_VERSION) { - ss->ssl_version = DTLS1_2_VERSION; - ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; - } else { - SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_UNSUPPORTED_SSL_VERSION); - SSL_SESSION_free(ss); - return (0); - } - - /*- - * If RFC5077 ticket, use empty session ID (as server). - * Note that: - * (a) ssl_get_prev_session() does lookahead into the - * ClientHello extensions to find the session ticket. - * When ssl_get_prev_session() fails, statem_srvr.c calls - * ssl_get_new_session() in tls_process_client_hello(). - * At that point, it has not yet parsed the extensions, - * however, because of the lookahead, it already knows - * whether a ticket is expected or not. - * - * (b) statem_clnt.c calls ssl_get_new_session() before parsing - * ServerHello extensions, and before recording the session - * ID received from the server, so this block is a noop. - */ - if (s->tlsext_ticket_expected) { + if (SSL_IS_TLS13(s)) { + /* + * We generate the session id while constructing the + * NewSessionTicket in TLSv1.3. + */ ss->session_id_length = 0; - goto sess_id_done; - } - - /* Choose which callback will set the session ID */ - CRYPTO_THREAD_read_lock(s->lock); - CRYPTO_THREAD_read_lock(s->session_ctx->lock); - if (s->generate_session_id) - cb = s->generate_session_id; - else if (s->session_ctx->generate_session_id) - cb = s->session_ctx->generate_session_id; - CRYPTO_THREAD_unlock(s->session_ctx->lock); - CRYPTO_THREAD_unlock(s->lock); - /* Choose a session ID */ - memset(ss->session_id, 0, ss->session_id_length); - tmp = ss->session_id_length; - if (!cb(s, ss->session_id, &tmp)) { - /* The callback failed */ - SSLerr(SSL_F_SSL_GET_NEW_SESSION, - SSL_R_SSL_SESSION_ID_CALLBACK_FAILED); + } else if (!ssl_generate_session_id(s, ss)) { + /* SSLfatal() already called */ SSL_SESSION_free(ss); - return (0); - } - /* - * Don't allow the callback to set the session length to zero. nor - * set it higher than it was. - */ - if (tmp == 0 || tmp > ss->session_id_length) { - /* The callback set an illegal length */ - SSLerr(SSL_F_SSL_GET_NEW_SESSION, - SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH); - SSL_SESSION_free(ss); - return (0); - } - ss->session_id_length = tmp; - /* Finally, check for a conflict */ - if (SSL_has_matching_session_id(s, ss->session_id, - ss->session_id_length)) { - SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_SSL_SESSION_ID_CONFLICT); - SSL_SESSION_free(ss); - return (0); + return 0; } - sess_id_done: - if (s->tlsext_hostname) { - ss->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname); - if (ss->tlsext_hostname == NULL) { - SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR); - SSL_SESSION_free(ss); - return 0; - } - } } else { ss->session_id_length = 0; } if (s->sid_ctx_length > sizeof(ss->sid_ctx)) { - SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_NEW_SESSION, + ERR_R_INTERNAL_ERROR); SSL_SESSION_free(ss); return 0; } @@ -430,68 +441,25 @@ int ssl_get_new_session(SSL *s, int session) if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) ss->flags |= SSL_SESS_FLAG_EXTMS; - return (1); + return 1; } -/*- - * ssl_get_prev attempts to find an SSL_SESSION to be used to resume this - * connection. It is only called by servers. - * - * ext: ClientHello extensions (including length prefix) - * session_id: ClientHello session ID. - * - * Returns: - * -1: error - * 0: a session may have been found. - * - * Side effects: - * - If a session is found then s->session is pointed at it (after freeing an - * existing session if need be) and s->verify_result is set from the session. - * - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1 - * if the server should issue a new session ticket (to 0 otherwise). - */ -int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) +SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id, + size_t sess_id_len) { - /* This is used only by servers. */ - SSL_SESSION *ret = NULL; - int fatal = 0; - int try_session_cache = 1; - int r; - if (PACKET_remaining(session_id) == 0) - try_session_cache = 0; - - /* sets s->tlsext_ticket_expected and extended master secret flag */ - r = tls_check_serverhello_tlsext_early(s, ext, session_id, &ret); - switch (r) { - case -1: /* Error during processing */ - fatal = 1; - goto err; - case 0: /* No ticket found */ - case 1: /* Zero length ticket found */ - break; /* Ok to carry on processing session id. */ - case 2: /* Ticket found but not decrypted. */ - case 3: /* Ticket decrypted, *ret has been set. */ - try_session_cache = 0; - break; - default: - abort(); - } - - if (try_session_cache && - ret == NULL && - !(s->session_ctx->session_cache_mode & - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) { + if ((s->session_ctx->session_cache_mode + & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP) == 0) { SSL_SESSION data; - size_t local_len; + data.ssl_version = s->version; - memset(data.session_id, 0, sizeof(data.session_id)); - if (!PACKET_copy_all(session_id, data.session_id, - sizeof(data.session_id), &local_len)) { - goto err; - } - data.session_id_length = local_len; + if (!ossl_assert(sess_id_len <= SSL_MAX_SSL_SESSION_ID_LENGTH)) + return NULL; + + memcpy(data.session_id, sess_id, sess_id_len); + data.session_id_length = sess_id_len; + CRYPTO_THREAD_read_lock(s->session_ctx->lock); ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data); if (ret != NULL) { @@ -500,18 +468,16 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) } CRYPTO_THREAD_unlock(s->session_ctx->lock); if (ret == NULL) - s->session_ctx->stats.sess_miss++; + tsan_counter(&s->session_ctx->stats.sess_miss); } - if (try_session_cache && - ret == NULL && s->session_ctx->get_session_cb != NULL) { + if (ret == NULL && s->session_ctx->get_session_cb != NULL) { int copy = 1; - ret = s->session_ctx->get_session_cb(s, PACKET_data(session_id), - PACKET_remaining(session_id), - ©); + + ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, ©); if (ret != NULL) { - s->session_ctx->stats.sess_cb_hit++; + tsan_counter(&s->session_ctx->stats.sess_cb_hit); /* * Increment reference count now if the session callback asks us @@ -527,16 +493,83 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) * Add the externally cached session to the internal cache as * well if and only if we are supposed to. */ - if (! - (s->session_ctx->session_cache_mode & - SSL_SESS_CACHE_NO_INTERNAL_STORE)) { + if ((s->session_ctx->session_cache_mode & + SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0) { /* * Either return value of SSL_CTX_add_session should not * interrupt the session resumption process. The return * value is intentionally ignored. */ - SSL_CTX_add_session(s->session_ctx, ret); + (void)SSL_CTX_add_session(s->session_ctx, ret); + } + } + } + + return ret; +} + +/*- + * ssl_get_prev attempts to find an SSL_SESSION to be used to resume this + * connection. It is only called by servers. + * + * hello: The parsed ClientHello data + * + * Returns: + * -1: fatal error + * 0: no session found + * 1: a session may have been found. + * + * Side effects: + * - If a session is found then s->session is pointed at it (after freeing an + * existing session if need be) and s->verify_result is set from the session. + * - Both for new and resumed sessions, s->ext.ticket_expected is set to 1 + * if the server should issue a new session ticket (to 0 otherwise). + */ +int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello) +{ + /* This is used only by servers. */ + + SSL_SESSION *ret = NULL; + int fatal = 0; + int try_session_cache = 0; + SSL_TICKET_STATUS r; + + if (SSL_IS_TLS13(s)) { + /* + * By default we will send a new ticket. This can be overridden in the + * ticket processing. + */ + s->ext.ticket_expected = 1; + if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes, + SSL_EXT_CLIENT_HELLO, hello->pre_proc_exts, + NULL, 0) + || !tls_parse_extension(s, TLSEXT_IDX_psk, SSL_EXT_CLIENT_HELLO, + hello->pre_proc_exts, NULL, 0)) + return -1; + + ret = s->session; + } else { + /* sets s->ext.ticket_expected */ + r = tls_get_ticket_from_client(s, hello, &ret); + switch (r) { + case SSL_TICKET_FATAL_ERR_MALLOC: + case SSL_TICKET_FATAL_ERR_OTHER: + fatal = 1; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_PREV_SESSION, + ERR_R_INTERNAL_ERROR); + goto err; + case SSL_TICKET_NONE: + case SSL_TICKET_EMPTY: + if (hello->session_id_len > 0) { + try_session_cache = 1; + ret = lookup_sess_in_cache(s, hello->session_id, + hello->session_id_len); } + break; + case SSL_TICKET_NO_DECRYPT: + case SSL_TICKET_SUCCESS: + case SSL_TICKET_SUCCESS_RENEW: + break; } } @@ -545,6 +578,10 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) /* Now ret is non-NULL and we own one of its reference counts. */ + /* Check TLS version consistency */ + if (ret->ssl_version != s->version) + goto err; + if (ret->sid_ctx_length != s->sid_ctx_length || memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length)) { /* @@ -565,29 +602,14 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) * noticing). */ - SSLerr(SSL_F_SSL_GET_PREV_SESSION, - SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_PREV_SESSION, + SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED); fatal = 1; goto err; } - if (ret->cipher == NULL) { - unsigned char buf[5], *p; - unsigned long l; - - p = buf; - l = ret->cipher_id; - l2n(l, p); - if ((ret->ssl_version >> 8) >= SSL3_VERSION_MAJOR) - ret->cipher = ssl_get_cipher_by_char(s, &(buf[2])); - else - ret->cipher = ssl_get_cipher_by_char(s, &(buf[1])); - if (ret->cipher == NULL) - goto err; - } - if (ret->timeout < (long)(time(NULL) - ret->time)) { /* timeout */ - s->session_ctx->stats.sess_timeout++; + tsan_counter(&s->session_ctx->stats.sess_timeout); if (try_session_cache) { /* session was from the cache, so remove it */ SSL_CTX_remove_session(s->session_ctx, ret); @@ -599,8 +621,8 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) if (ret->flags & SSL_SESS_FLAG_EXTMS) { /* If old session includes extms, but new does not: abort handshake */ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)) { - SSLerr(SSL_F_SSL_GET_PREV_SESSION, SSL_R_INCONSISTENT_EXTMS); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL_GET_PREV_SESSION, + SSL_R_INCONSISTENT_EXTMS); fatal = 1; goto err; } @@ -609,29 +631,35 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) goto err; } - s->session_ctx->stats.sess_hit++; + if (!SSL_IS_TLS13(s)) { + /* We already did this for TLS1.3 */ + SSL_SESSION_free(s->session); + s->session = ret; + } - SSL_SESSION_free(s->session); - s->session = ret; + tsan_counter(&s->session_ctx->stats.sess_hit); s->verify_result = s->session->verify_result; return 1; err: if (ret != NULL) { SSL_SESSION_free(ret); + /* In TLSv1.3 s->session was already set to ret, so we NULL it out */ + if (SSL_IS_TLS13(s)) + s->session = NULL; if (!try_session_cache) { /* * The session was from a ticket, so we should issue a ticket for * the new session */ - s->tlsext_ticket_expected = 1; + s->ext.ticket_expected = 1; } } if (fatal) return -1; - else - return 0; + + return 0; } int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) @@ -703,7 +731,7 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) if (!remove_session_lock(ctx, ctx->session_cache_tail, 0)) break; else - ctx->stats.sess_cache_full++; + tsan_counter(&ctx->stats.sess_cache_full); } } } @@ -724,10 +752,10 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) if ((c != NULL) && (c->session_id_length != 0)) { if (lck) CRYPTO_THREAD_write_lock(ctx->lock); - if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) == c) { + if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) != NULL) { ret = 1; - r = lh_SSL_SESSION_delete(ctx->sessions, c); - SSL_SESSION_list_remove(ctx, c); + r = lh_SSL_SESSION_delete(ctx->sessions, r); + SSL_SESSION_list_remove(ctx, r); } c->not_resumable = 1; @@ -741,7 +769,7 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) SSL_SESSION_free(r); } else ret = 0; - return (ret); + return ret; } void SSL_SESSION_free(SSL_SESSION *ss) @@ -750,8 +778,7 @@ void SSL_SESSION_free(SSL_SESSION *ss) if (ss == NULL) return; - - CRYPTO_atomic_add(&ss->references, -1, &i, ss->lock); + CRYPTO_DOWN_REF(&ss->references, &i, ss->lock); REF_PRINT_COUNT("SSL_SESSION", ss); if (i > 0) return; @@ -764,13 +791,15 @@ void SSL_SESSION_free(SSL_SESSION *ss) X509_free(ss->peer); sk_X509_pop_free(ss->peer_chain, X509_free); sk_SSL_CIPHER_free(ss->ciphers); - OPENSSL_free(ss->tlsext_hostname); - OPENSSL_free(ss->tlsext_tick); + OPENSSL_free(ss->ext.hostname); + OPENSSL_free(ss->ext.tick); #ifndef OPENSSL_NO_EC - ss->tlsext_ecpointformatlist_length = 0; - OPENSSL_free(ss->tlsext_ecpointformatlist); - ss->tlsext_ellipticcurvelist_length = 0; - OPENSSL_free(ss->tlsext_ellipticcurvelist); + OPENSSL_free(ss->ext.ecpointformats); + ss->ext.ecpointformats = NULL; + ss->ext.ecpointformats_len = 0; + OPENSSL_free(ss->ext.supportedgroups); + ss->ext.supportedgroups = NULL; + ss->ext.supportedgroups_len = 0; #endif /* OPENSSL_NO_EC */ #ifndef OPENSSL_NO_PSK OPENSSL_free(ss->psk_identity_hint); @@ -779,6 +808,8 @@ void SSL_SESSION_free(SSL_SESSION *ss) #ifndef OPENSSL_NO_SRP OPENSSL_free(ss->srp_username); #endif + OPENSSL_free(ss->ext.alpn_selected); + OPENSSL_free(ss->ticket_appdata); CRYPTO_THREAD_lock_free(ss->lock); OPENSSL_clear_free(ss, sizeof(*ss)); } @@ -787,7 +818,7 @@ int SSL_SESSION_up_ref(SSL_SESSION *ss) { int i; - if (CRYPTO_atomic_add(&ss->references, 1, &i, ss->lock) <= 0) + if (CRYPTO_UP_REF(&ss->references, &i, ss->lock) <= 0) return 0; REF_PRINT_COUNT("SSL_SESSION", ss); @@ -830,31 +861,31 @@ int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid, long SSL_SESSION_set_timeout(SSL_SESSION *s, long t) { if (s == NULL) - return (0); + return 0; s->timeout = t; - return (1); + return 1; } long SSL_SESSION_get_timeout(const SSL_SESSION *s) { if (s == NULL) - return (0); - return (s->timeout); + return 0; + return s->timeout; } long SSL_SESSION_get_time(const SSL_SESSION *s) { if (s == NULL) - return (0); - return (s->time); + return 0; + return s->time; } long SSL_SESSION_set_time(SSL_SESSION *s, long t) { if (s == NULL) - return (0); + return 0; s->time = t; - return (t); + return t; } int SSL_SESSION_get_protocol_version(const SSL_SESSION *s) @@ -862,32 +893,95 @@ int SSL_SESSION_get_protocol_version(const SSL_SESSION *s) return s->ssl_version; } +int SSL_SESSION_set_protocol_version(SSL_SESSION *s, int version) +{ + s->ssl_version = version; + return 1; +} + const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *s) { return s->cipher; } +int SSL_SESSION_set_cipher(SSL_SESSION *s, const SSL_CIPHER *cipher) +{ + s->cipher = cipher; + return 1; +} + const char *SSL_SESSION_get0_hostname(const SSL_SESSION *s) { - return s->tlsext_hostname; + return s->ext.hostname; +} + +int SSL_SESSION_set1_hostname(SSL_SESSION *s, const char *hostname) +{ + OPENSSL_free(s->ext.hostname); + if (hostname == NULL) { + s->ext.hostname = NULL; + return 1; + } + s->ext.hostname = OPENSSL_strdup(hostname); + + return s->ext.hostname != NULL; } int SSL_SESSION_has_ticket(const SSL_SESSION *s) { - return (s->tlsext_ticklen > 0) ? 1 : 0; + return (s->ext.ticklen > 0) ? 1 : 0; } unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s) { - return s->tlsext_tick_lifetime_hint; + return s->ext.tick_lifetime_hint; } void SSL_SESSION_get0_ticket(const SSL_SESSION *s, const unsigned char **tick, size_t *len) { - *len = s->tlsext_ticklen; + *len = s->ext.ticklen; if (tick != NULL) - *tick = s->tlsext_tick; + *tick = s->ext.tick; +} + +uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *s) +{ + return s->ext.max_early_data; +} + +int SSL_SESSION_set_max_early_data(SSL_SESSION *s, uint32_t max_early_data) +{ + s->ext.max_early_data = max_early_data; + + return 1; +} + +void SSL_SESSION_get0_alpn_selected(const SSL_SESSION *s, + const unsigned char **alpn, + size_t *len) +{ + *alpn = s->ext.alpn_selected; + *len = s->ext.alpn_selected_len; +} + +int SSL_SESSION_set1_alpn_selected(SSL_SESSION *s, const unsigned char *alpn, + size_t len) +{ + OPENSSL_free(s->ext.alpn_selected); + if (alpn == NULL || len == 0) { + s->ext.alpn_selected = NULL; + s->ext.alpn_selected_len = 0; + return 1; + } + s->ext.alpn_selected = OPENSSL_memdup(alpn, len); + if (s->ext.alpn_selected == NULL) { + s->ext.alpn_selected_len = 0; + return 0; + } + s->ext.alpn_selected_len = len; + + return 1; } X509 *SSL_SESSION_get0_peer(SSL_SESSION *s) @@ -910,70 +1004,73 @@ int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, return 1; } +int SSL_SESSION_is_resumable(const SSL_SESSION *s) +{ + /* + * In the case of EAP-FAST, we can have a pre-shared "ticket" without a + * session ID. + */ + return !s->not_resumable + && (s->session_id_length > 0 || s->ext.ticklen > 0); +} + long SSL_CTX_set_timeout(SSL_CTX *s, long t) { long l; if (s == NULL) - return (0); + return 0; l = s->session_timeout; s->session_timeout = t; - return (l); + return l; } long SSL_CTX_get_timeout(const SSL_CTX *s) { if (s == NULL) - return (0); - return (s->session_timeout); + return 0; + return s->session_timeout; } int SSL_set_session_secret_cb(SSL *s, - int (*tls_session_secret_cb) (SSL *s, - void *secret, - int *secret_len, - STACK_OF(SSL_CIPHER) - *peer_ciphers, - const SSL_CIPHER - **cipher, - void *arg), + tls_session_secret_cb_fn tls_session_secret_cb, void *arg) { if (s == NULL) - return (0); - s->tls_session_secret_cb = tls_session_secret_cb; - s->tls_session_secret_cb_arg = arg; - return (1); + return 0; + s->ext.session_secret_cb = tls_session_secret_cb; + s->ext.session_secret_cb_arg = arg; + return 1; } int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, void *arg) { if (s == NULL) - return (0); - s->tls_session_ticket_ext_cb = cb; - s->tls_session_ticket_ext_cb_arg = arg; - return (1); + return 0; + s->ext.session_ticket_cb = cb; + s->ext.session_ticket_cb_arg = arg; + return 1; } int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) { if (s->version >= TLS1_VERSION) { - OPENSSL_free(s->tlsext_session_ticket); - s->tlsext_session_ticket = NULL; - s->tlsext_session_ticket = + OPENSSL_free(s->ext.session_ticket); + s->ext.session_ticket = NULL; + s->ext.session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len); - if (s->tlsext_session_ticket == NULL) { + if (s->ext.session_ticket == NULL) { SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE); return 0; } - if (ext_data) { - s->tlsext_session_ticket->length = ext_len; - s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1; - memcpy(s->tlsext_session_ticket->data, ext_data, ext_len); + if (ext_data != NULL) { + s->ext.session_ticket->length = ext_len; + s->ext.session_ticket->data = s->ext.session_ticket + 1; + memcpy(s->ext.session_ticket->data, ext_data, ext_len); } else { - s->tlsext_session_ticket->length = 0; - s->tlsext_session_ticket->data = NULL; + s->ext.session_ticket->length = 0; + s->ext.session_ticket->data = NULL; } return 1; @@ -1030,9 +1127,9 @@ int ssl_clear_bad_session(SSL *s) !(s->shutdown & SSL_SENT_SHUTDOWN) && !(SSL_in_init(s) || SSL_in_before(s))) { SSL_CTX_remove_session(s->session_ctx, s->session); - return (1); + return 1; } else - return (0); + return 0; } /* locked by SSL_CTX in the calling function */ @@ -1176,4 +1273,45 @@ void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, ctx->app_verify_cookie_cb = cb; } +int SSL_SESSION_set1_ticket_appdata(SSL_SESSION *ss, const void *data, size_t len) +{ + OPENSSL_free(ss->ticket_appdata); + ss->ticket_appdata_len = 0; + if (data == NULL || len == 0) { + ss->ticket_appdata = NULL; + return 1; + } + ss->ticket_appdata = OPENSSL_memdup(data, len); + if (ss->ticket_appdata != NULL) { + ss->ticket_appdata_len = len; + return 1; + } + return 0; +} + +int SSL_SESSION_get0_ticket_appdata(SSL_SESSION *ss, void **data, size_t *len) +{ + *data = ss->ticket_appdata; + *len = ss->ticket_appdata_len; + return 1; +} + +void SSL_CTX_set_stateless_cookie_generate_cb( + SSL_CTX *ctx, + int (*cb) (SSL *ssl, + unsigned char *cookie, + size_t *cookie_len)) +{ + ctx->gen_stateless_cookie_cb = cb; +} + +void SSL_CTX_set_stateless_cookie_verify_cb( + SSL_CTX *ctx, + int (*cb) (SSL *ssl, + const unsigned char *cookie, + size_t cookie_len)) +{ + ctx->verify_stateless_cookie_cb = cb; +} + IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION) diff --git a/deps/openssl/openssl/ssl/ssl_stat.c b/deps/openssl/openssl/ssl/ssl_stat.c index ad7a019b25..179513b1a3 100644 --- a/deps/openssl/openssl/ssl/ssl_stat.c +++ b/deps/openssl/openssl/ssl/ssl_stat.c @@ -1,5 +1,6 @@ /* * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,33 +8,6 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include <stdio.h> #include "ssl_locl.h" @@ -113,6 +87,32 @@ const char *SSL_state_string_long(const SSL *s) return "DTLS1 read hello verify request"; case DTLS_ST_SW_HELLO_VERIFY_REQUEST: return "DTLS1 write hello verify request"; + case TLS_ST_SW_ENCRYPTED_EXTENSIONS: + return "TLSv1.3 write encrypted extensions"; + case TLS_ST_CR_ENCRYPTED_EXTENSIONS: + return "TLSv1.3 read encrypted extensions"; + case TLS_ST_CR_CERT_VRFY: + return "TLSv1.3 read server certificate verify"; + case TLS_ST_SW_CERT_VRFY: + return "TLSv1.3 write server certificate verify"; + case TLS_ST_CR_HELLO_REQ: + return "SSLv3/TLS read hello request"; + case TLS_ST_SW_KEY_UPDATE: + return "TLSv1.3 write server key update"; + case TLS_ST_CW_KEY_UPDATE: + return "TLSv1.3 write client key update"; + case TLS_ST_SR_KEY_UPDATE: + return "TLSv1.3 read client key update"; + case TLS_ST_CR_KEY_UPDATE: + return "TLSv1.3 read server key update"; + case TLS_ST_EARLY_DATA: + return "TLSv1.3 early data"; + case TLS_ST_PENDING_EARLY_DATA_END: + return "TLSv1.3 pending early data end"; + case TLS_ST_CW_END_OF_EARLY_DATA: + return "TLSv1.3 write end of early data"; + case TLS_ST_SR_END_OF_EARLY_DATA: + return "TLSv1.3 read end of early data"; default: return "unknown state"; } @@ -194,6 +194,32 @@ const char *SSL_state_string(const SSL *s) return "DRCHV"; case DTLS_ST_SW_HELLO_VERIFY_REQUEST: return "DWCHV"; + case TLS_ST_SW_ENCRYPTED_EXTENSIONS: + return "TWEE"; + case TLS_ST_CR_ENCRYPTED_EXTENSIONS: + return "TREE"; + case TLS_ST_CR_CERT_VRFY: + return "TRSCV"; + case TLS_ST_SW_CERT_VRFY: + return "TRSCV"; + case TLS_ST_CR_HELLO_REQ: + return "TRHR"; + case TLS_ST_SW_KEY_UPDATE: + return "TWSKU"; + case TLS_ST_CW_KEY_UPDATE: + return "TWCKU"; + case TLS_ST_SR_KEY_UPDATE: + return "TRCKU"; + case TLS_ST_CR_KEY_UPDATE: + return "TRSKU"; + case TLS_ST_EARLY_DATA: + return "TED"; + case TLS_ST_PENDING_EARLY_DATA_END: + return "TPEDE"; + case TLS_ST_CW_END_OF_EARLY_DATA: + return "TWEOED"; + case TLS_ST_SR_END_OF_EARLY_DATA: + return "TWEOED"; default: return "UNKWN "; } diff --git a/deps/openssl/openssl/ssl/ssl_txt.c b/deps/openssl/openssl/ssl/ssl_txt.c index f149a3ad09..cf6e4c3c05 100644 --- a/deps/openssl/openssl/ssl/ssl_txt.c +++ b/deps/openssl/openssl/ssl/ssl_txt.c @@ -1,5 +1,6 @@ /* * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,33 +8,6 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include <stdio.h> #include <openssl/buffer.h> #include "ssl_locl.h" @@ -46,22 +20,24 @@ int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x) if ((b = BIO_new(BIO_s_file())) == NULL) { SSLerr(SSL_F_SSL_SESSION_PRINT_FP, ERR_R_BUF_LIB); - return (0); + return 0; } BIO_set_fp(b, fp, BIO_NOCLOSE); ret = SSL_SESSION_print(b, x); BIO_free(b); - return (ret); + return ret; } #endif int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) { - unsigned int i; + size_t i; const char *s; + int istls13; if (x == NULL) goto err; + istls13 = (x->ssl_version == TLS1_3_VERSION); if (BIO_puts(bp, "SSL-Session:\n") <= 0) goto err; s = ssl_protocol_to_string(x->ssl_version); @@ -96,9 +72,12 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_printf(bp, "%02X", x->sid_ctx[i]) <= 0) goto err; } - if (BIO_puts(bp, "\n Master-Key: ") <= 0) + if (istls13) { + if (BIO_puts(bp, "\n Resumption PSK: ") <= 0) + goto err; + } else if (BIO_puts(bp, "\n Master-Key: ") <= 0) goto err; - for (i = 0; i < (unsigned int)x->master_key_length; i++) { + for (i = 0; i < x->master_key_length; i++) { if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0) goto err; } @@ -119,17 +98,18 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_printf(bp, "%s", x->srp_username ? x->srp_username : "None") <= 0) goto err; #endif - if (x->tlsext_tick_lifetime_hint) { + if (x->ext.tick_lifetime_hint) { if (BIO_printf(bp, "\n TLS session ticket lifetime hint: %ld (seconds)", - x->tlsext_tick_lifetime_hint) <= 0) + x->ext.tick_lifetime_hint) <= 0) goto err; } - if (x->tlsext_tick) { + if (x->ext.tick) { if (BIO_puts(bp, "\n TLS session ticket:\n") <= 0) goto err; + /* TODO(size_t): Convert this call */ if (BIO_dump_indent - (bp, (const char *)x->tlsext_tick, x->tlsext_ticklen, 4) + (bp, (const char *)x->ext.tick, (int)x->ext.ticklen, 4) <= 0) goto err; } @@ -170,9 +150,15 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) x->flags & SSL_SESS_FLAG_EXTMS ? "yes" : "no") <= 0) goto err; - return (1); + if (istls13) { + if (BIO_printf(bp, " Max Early Data: %u\n", + x->ext.max_early_data) <= 0) + goto err; + } + + return 1; err: - return (0); + return 0; } /* @@ -181,7 +167,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) */ int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x) { - unsigned int i; + size_t i; if (x == NULL) goto err; @@ -204,14 +190,14 @@ int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x) } if (BIO_puts(bp, " Master-Key:") <= 0) goto err; - for (i = 0; i < (unsigned int)x->master_key_length; i++) { + for (i = 0; i < x->master_key_length; i++) { if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0) goto err; } if (BIO_puts(bp, "\n") <= 0) goto err; - return (1); + return 1; err: - return (0); + return 0; } diff --git a/deps/openssl/openssl/ssl/ssl_utst.c b/deps/openssl/openssl/ssl/ssl_utst.c index 09e76d14a7..cea1bc2707 100644 --- a/deps/openssl/openssl/ssl/ssl_utst.c +++ b/deps/openssl/openssl/ssl/ssl_utst.c @@ -14,10 +14,6 @@ static const struct openssl_ssl_test_functions ssl_test_functions = { ssl_init_wbio_buffer, ssl3_setup_buffers, -# ifndef OPENSSL_NO_HEARTBEATS -# undef dtls1_process_heartbeat - dtls1_process_heartbeat -# endif }; const struct openssl_ssl_test_functions *SSL_test_functions(void) diff --git a/deps/openssl/openssl/ssl/statem/extensions.c b/deps/openssl/openssl/ssl/statem/extensions.c new file mode 100644 index 0000000000..63e61c6184 --- /dev/null +++ b/deps/openssl/openssl/ssl/statem/extensions.c @@ -0,0 +1,1693 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <string.h> +#include "internal/nelem.h" +#include "internal/cryptlib.h" +#include "../ssl_locl.h" +#include "statem_locl.h" +#include "internal/cryptlib.h" + +static int final_renegotiate(SSL *s, unsigned int context, int sent); +static int init_server_name(SSL *s, unsigned int context); +static int final_server_name(SSL *s, unsigned int context, int sent); +#ifndef OPENSSL_NO_EC +static int final_ec_pt_formats(SSL *s, unsigned int context, int sent); +#endif +static int init_session_ticket(SSL *s, unsigned int context); +#ifndef OPENSSL_NO_OCSP +static int init_status_request(SSL *s, unsigned int context); +#endif +#ifndef OPENSSL_NO_NEXTPROTONEG +static int init_npn(SSL *s, unsigned int context); +#endif +static int init_alpn(SSL *s, unsigned int context); +static int final_alpn(SSL *s, unsigned int context, int sent); +static int init_sig_algs_cert(SSL *s, unsigned int context); +static int init_sig_algs(SSL *s, unsigned int context); +static int init_certificate_authorities(SSL *s, unsigned int context); +static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, + unsigned int context, + X509 *x, + size_t chainidx); +static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +#ifndef OPENSSL_NO_SRP +static int init_srp(SSL *s, unsigned int context); +#endif +static int init_etm(SSL *s, unsigned int context); +static int init_ems(SSL *s, unsigned int context); +static int final_ems(SSL *s, unsigned int context, int sent); +static int init_psk_kex_modes(SSL *s, unsigned int context); +#ifndef OPENSSL_NO_EC +static int final_key_share(SSL *s, unsigned int context, int sent); +#endif +#ifndef OPENSSL_NO_SRTP +static int init_srtp(SSL *s, unsigned int context); +#endif +static int final_sig_algs(SSL *s, unsigned int context, int sent); +static int final_early_data(SSL *s, unsigned int context, int sent); +static int final_maxfragmentlen(SSL *s, unsigned int context, int sent); +static int init_post_handshake_auth(SSL *s, unsigned int context); + +/* Structure to define a built-in extension */ +typedef struct extensions_definition_st { + /* The defined type for the extension */ + unsigned int type; + /* + * The context that this extension applies to, e.g. what messages and + * protocol versions + */ + unsigned int context; + /* + * Initialise extension before parsing. Always called for relevant contexts + * even if extension not present + */ + int (*init)(SSL *s, unsigned int context); + /* Parse extension sent from client to server */ + int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); + /* Parse extension send from server to client */ + int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); + /* Construct extension sent from server to client */ + EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); + /* Construct extension sent from client to server */ + EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); + /* + * Finalise extension after parsing. Always called where an extensions was + * initialised even if the extension was not present. |sent| is set to 1 if + * the extension was seen, or 0 otherwise. + */ + int (*final)(SSL *s, unsigned int context, int sent); +} EXTENSION_DEFINITION; + +/* + * Definitions of all built-in extensions. NOTE: Changes in the number or order + * of these extensions should be mirrored with equivalent changes to the + * indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h. + * Each extension has an initialiser, a client and + * server side parser and a finaliser. The initialiser is called (if the + * extension is relevant to the given context) even if we did not see the + * extension in the message that we received. The parser functions are only + * called if we see the extension in the message. The finalisers are always + * called if the initialiser was called. + * There are also server and client side constructor functions which are always + * called during message construction if the extension is relevant for the + * given context. + * The initialisation, parsing, finalisation and construction functions are + * always called in the order defined in this list. Some extensions may depend + * on others having been processed first, so the order of this list is + * significant. + * The extension context is defined by a series of flags which specify which + * messages the extension is relevant to. These flags also specify whether the + * extension is relevant to a particular protocol or protocol version. + * + * TODO(TLS1.3): Make sure we have a test to check the consistency of these + * + * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at + * the end, keep these extensions before signature_algorithm. + */ +#define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL } +static const EXTENSION_DEFINITION ext_defs[] = { + { + TLSEXT_TYPE_renegotiate, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY, + NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate, + tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate, + final_renegotiate + }, + { + TLSEXT_TYPE_server_name, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, + init_server_name, + tls_parse_ctos_server_name, tls_parse_stoc_server_name, + tls_construct_stoc_server_name, tls_construct_ctos_server_name, + final_server_name + }, + { + TLSEXT_TYPE_max_fragment_length, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, + NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen, + tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen, + final_maxfragmentlen + }, +#ifndef OPENSSL_NO_SRP + { + TLSEXT_TYPE_srp, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY, + init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL + }, +#else + INVALID_EXTENSION, +#endif +#ifndef OPENSSL_NO_EC + { + TLSEXT_TYPE_ec_point_formats, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_2_AND_BELOW_ONLY, + NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats, + tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, + final_ec_pt_formats + }, + { + /* + * "supported_groups" is spread across several specifications. + * It was originally specified as "elliptic_curves" in RFC 4492, + * and broadened to include named FFDH groups by RFC 7919. + * Both RFCs 4492 and 7919 do not include a provision for the server + * to indicate to the client the complete list of groups supported + * by the server, with the server instead just indicating the + * selected group for this connection in the ServerKeyExchange + * message. TLS 1.3 adds a scheme for the server to indicate + * to the client its list of supported groups in the + * EncryptedExtensions message, but none of the relevant + * specifications permit sending supported_groups in the ServerHello. + * Nonetheless (possibly due to the close proximity to the + * "ec_point_formats" extension, which is allowed in the ServerHello), + * there are several servers that send this extension in the + * ServerHello anyway. Up to and including the 1.1.0 release, + * we did not check for the presence of nonpermitted extensions, + * so to avoid a regression, we must permit this extension in the + * TLS 1.2 ServerHello as well. + * + * Note that there is no tls_parse_stoc_supported_groups function, + * so we do not perform any additional parsing, validation, or + * processing on the server's group list -- this is just a minimal + * change to preserve compatibility with these misbehaving servers. + */ + TLSEXT_TYPE_supported_groups, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS + | SSL_EXT_TLS1_2_SERVER_HELLO, + NULL, tls_parse_ctos_supported_groups, NULL, + tls_construct_stoc_supported_groups, + tls_construct_ctos_supported_groups, NULL + }, +#else + INVALID_EXTENSION, + INVALID_EXTENSION, +#endif + { + TLSEXT_TYPE_session_ticket, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_2_AND_BELOW_ONLY, + init_session_ticket, tls_parse_ctos_session_ticket, + tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket, + tls_construct_ctos_session_ticket, NULL + }, +#ifndef OPENSSL_NO_OCSP + { + TLSEXT_TYPE_status_request, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, + init_status_request, tls_parse_ctos_status_request, + tls_parse_stoc_status_request, tls_construct_stoc_status_request, + tls_construct_ctos_status_request, NULL + }, +#else + INVALID_EXTENSION, +#endif +#ifndef OPENSSL_NO_NEXTPROTONEG + { + TLSEXT_TYPE_next_proto_neg, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_2_AND_BELOW_ONLY, + init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn, + tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL + }, +#else + INVALID_EXTENSION, +#endif + { + /* + * Must appear in this list after server_name so that finalisation + * happens after server_name callbacks + */ + TLSEXT_TYPE_application_layer_protocol_negotiation, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, + init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn, + tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn + }, +#ifndef OPENSSL_NO_SRTP + { + TLSEXT_TYPE_use_srtp, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY, + init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp, + tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL + }, +#else + INVALID_EXTENSION, +#endif + { + TLSEXT_TYPE_encrypt_then_mac, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_2_AND_BELOW_ONLY, + init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm, + tls_construct_stoc_etm, tls_construct_ctos_etm, NULL + }, +#ifndef OPENSSL_NO_CT + { + TLSEXT_TYPE_signed_certificate_timestamp, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, + NULL, + /* + * No server side support for this, but can be provided by a custom + * extension. This is an exception to the rule that custom extensions + * cannot override built in ones. + */ + NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL + }, +#else + INVALID_EXTENSION, +#endif + { + TLSEXT_TYPE_extended_master_secret, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_2_AND_BELOW_ONLY, + init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems, + tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems + }, + { + TLSEXT_TYPE_signature_algorithms_cert, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, + init_sig_algs_cert, tls_parse_ctos_sig_algs_cert, + tls_parse_ctos_sig_algs_cert, + /* We do not generate signature_algorithms_cert at present. */ + NULL, NULL, NULL + }, + { + TLSEXT_TYPE_post_handshake_auth, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ONLY, + init_post_handshake_auth, + tls_parse_ctos_post_handshake_auth, NULL, + NULL, tls_construct_ctos_post_handshake_auth, + NULL, + }, + { + TLSEXT_TYPE_signature_algorithms, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, + init_sig_algs, tls_parse_ctos_sig_algs, + tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs, + tls_construct_ctos_sig_algs, final_sig_algs + }, + { + TLSEXT_TYPE_supported_versions, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO + | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY, + NULL, + /* Processed inline as part of version selection */ + NULL, tls_parse_stoc_supported_versions, + tls_construct_stoc_supported_versions, + tls_construct_ctos_supported_versions, NULL + }, + { + TLSEXT_TYPE_psk_kex_modes, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY + | SSL_EXT_TLS1_3_ONLY, + init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL, + tls_construct_ctos_psk_kex_modes, NULL + }, +#ifndef OPENSSL_NO_EC + { + /* + * Must be in this list after supported_groups. We need that to have + * been parsed before we do this one. + */ + TLSEXT_TYPE_key_share, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO + | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY + | SSL_EXT_TLS1_3_ONLY, + NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share, + tls_construct_stoc_key_share, tls_construct_ctos_key_share, + final_key_share + }, +#endif + { + /* Must be after key_share */ + TLSEXT_TYPE_cookie, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST + | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, + NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie, + tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL + }, + { + /* + * Special unsolicited ServerHello extension only used when + * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set + */ + TLSEXT_TYPE_cryptopro_bug, + SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY, + NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL + }, + { + TLSEXT_TYPE_early_data, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS + | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY, + NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data, + tls_construct_stoc_early_data, tls_construct_ctos_early_data, + final_early_data + }, + { + TLSEXT_TYPE_certificate_authorities, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST + | SSL_EXT_TLS1_3_ONLY, + init_certificate_authorities, + tls_parse_certificate_authorities, tls_parse_certificate_authorities, + tls_construct_certificate_authorities, + tls_construct_certificate_authorities, NULL, + }, + { + /* Must be immediately before pre_shared_key */ + TLSEXT_TYPE_padding, + SSL_EXT_CLIENT_HELLO, + NULL, + /* We send this, but don't read it */ + NULL, NULL, NULL, tls_construct_ctos_padding, NULL + }, + { + /* Required by the TLSv1.3 spec to always be the last extension */ + TLSEXT_TYPE_psk, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO + | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, + NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk, + tls_construct_ctos_psk, NULL + } +}; + +/* Check whether an extension's context matches the current context */ +static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx) +{ + /* Check we're allowed to use this extension in this context */ + if ((thisctx & extctx) == 0) + return 0; + + if (SSL_IS_DTLS(s)) { + if ((extctx & SSL_EXT_TLS_ONLY) != 0) + return 0; + } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) { + return 0; + } + + return 1; +} + +int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts) +{ + size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset; + RAW_EXTENSION *thisext; + unsigned int context; + ENDPOINT role = ENDPOINT_BOTH; + + if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0) + role = ENDPOINT_SERVER; + else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) + role = ENDPOINT_CLIENT; + + /* Calculate the number of extensions in the extensions list */ + num_exts = builtin_num + s->cert->custext.meths_count; + + for (thisext = exts, i = 0; i < num_exts; i++, thisext++) { + if (!thisext->present) + continue; + + if (i < builtin_num) { + context = ext_defs[i].context; + } else { + custom_ext_method *meth = NULL; + + meth = custom_ext_find(&s->cert->custext, role, thisext->type, + &offset); + if (!ossl_assert(meth != NULL)) + return 0; + context = meth->context; + } + + if (!validate_context(s, context, thisctx)) + return 0; + } + + return 1; +} + +/* + * Verify whether we are allowed to use the extension |type| in the current + * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to + * indicate the extension is not allowed. If returning 1 then |*found| is set to + * the definition for the extension we found. + */ +static int verify_extension(SSL *s, unsigned int context, unsigned int type, + custom_ext_methods *meths, RAW_EXTENSION *rawexlist, + RAW_EXTENSION **found) +{ + size_t i; + size_t builtin_num = OSSL_NELEM(ext_defs); + const EXTENSION_DEFINITION *thisext; + + for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) { + if (type == thisext->type) { + if (!validate_context(s, thisext->context, context)) + return 0; + + *found = &rawexlist[i]; + return 1; + } + } + + /* Check the custom extensions */ + if (meths != NULL) { + size_t offset = 0; + ENDPOINT role = ENDPOINT_BOTH; + custom_ext_method *meth = NULL; + + if ((context & SSL_EXT_CLIENT_HELLO) != 0) + role = ENDPOINT_SERVER; + else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) + role = ENDPOINT_CLIENT; + + meth = custom_ext_find(meths, role, type, &offset); + if (meth != NULL) { + if (!validate_context(s, meth->context, context)) + return 0; + *found = &rawexlist[offset + builtin_num]; + return 1; + } + } + + /* Unknown extension. We allow it */ + *found = NULL; + return 1; +} + +/* + * Check whether the context defined for an extension |extctx| means whether + * the extension is relevant for the current context |thisctx| or not. Returns + * 1 if the extension is relevant for this context, and 0 otherwise + */ +int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx) +{ + int is_tls13; + + /* + * For HRR we haven't selected the version yet but we know it will be + * TLSv1.3 + */ + if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) + is_tls13 = 1; + else + is_tls13 = SSL_IS_TLS13(s); + + if ((SSL_IS_DTLS(s) + && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0) + || (s->version == SSL3_VERSION + && (extctx & SSL_EXT_SSL3_ALLOWED) == 0) + /* + * Note that SSL_IS_TLS13() means "TLS 1.3 has been negotiated", + * which is never true when generating the ClientHello. + * However, version negotiation *has* occurred by the time the + * ClientHello extensions are being parsed. + * Be careful to allow TLS 1.3-only extensions when generating + * the ClientHello. + */ + || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0) + || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0 + && (thisctx & SSL_EXT_CLIENT_HELLO) == 0) + || (s->server && !is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0) + || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0)) + return 0; + return 1; +} + +/* + * Gather a list of all the extensions from the data in |packet]. |context| + * tells us which message this extension is for. The raw extension data is + * stored in |*res| on success. We don't actually process the content of the + * extensions yet, except to check their types. This function also runs the + * initialiser functions for all known extensions if |init| is nonzero (whether + * we have collected them or not). If successful the caller is responsible for + * freeing the contents of |*res|. + * + * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be + * more than one extension of the same type in a ClientHello or ServerHello. + * This function returns 1 if all extensions are unique and we have parsed their + * types, and 0 if the extensions contain duplicates, could not be successfully + * found, or an internal error occurred. We only check duplicates for + * extensions that we know about. We ignore others. + */ +int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, + RAW_EXTENSION **res, size_t *len, int init) +{ + PACKET extensions = *packet; + size_t i = 0; + size_t num_exts; + custom_ext_methods *exts = &s->cert->custext; + RAW_EXTENSION *raw_extensions = NULL; + const EXTENSION_DEFINITION *thisexd; + + *res = NULL; + + /* + * Initialise server side custom extensions. Client side is done during + * construction of extensions for the ClientHello. + */ + if ((context & SSL_EXT_CLIENT_HELLO) != 0) + custom_ext_init(&s->cert->custext); + + num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0); + raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions)); + if (raw_extensions == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS, + ERR_R_MALLOC_FAILURE); + return 0; + } + + i = 0; + while (PACKET_remaining(&extensions) > 0) { + unsigned int type, idx; + PACKET extension; + RAW_EXTENSION *thisex; + + if (!PACKET_get_net_2(&extensions, &type) || + !PACKET_get_length_prefixed_2(&extensions, &extension)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS, + SSL_R_BAD_EXTENSION); + goto err; + } + /* + * Verify this extension is allowed. We only check duplicates for + * extensions that we recognise. We also have a special case for the + * PSK extension, which must be the last one in the ClientHello. + */ + if (!verify_extension(s, context, type, exts, raw_extensions, &thisex) + || (thisex != NULL && thisex->present == 1) + || (type == TLSEXT_TYPE_psk + && (context & SSL_EXT_CLIENT_HELLO) != 0 + && PACKET_remaining(&extensions) != 0)) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_COLLECT_EXTENSIONS, + SSL_R_BAD_EXTENSION); + goto err; + } + idx = thisex - raw_extensions; + /*- + * Check that we requested this extension (if appropriate). Requests can + * be sent in the ClientHello and CertificateRequest. Unsolicited + * extensions can be sent in the NewSessionTicket. We only do this for + * the built-in extensions. Custom extensions have a different but + * similar check elsewhere. + * Special cases: + * - The HRR cookie extension is unsolicited + * - The renegotiate extension is unsolicited (the client signals + * support via an SCSV) + * - The signed_certificate_timestamp extension can be provided by a + * custom extension or by the built-in version. We let the extension + * itself handle unsolicited response checks. + */ + if (idx < OSSL_NELEM(ext_defs) + && (context & (SSL_EXT_CLIENT_HELLO + | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST + | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0 + && type != TLSEXT_TYPE_cookie + && type != TLSEXT_TYPE_renegotiate + && type != TLSEXT_TYPE_signed_certificate_timestamp + && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0) { + SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, + SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION); + goto err; + } + if (thisex != NULL) { + thisex->data = extension; + thisex->present = 1; + thisex->type = type; + thisex->received_order = i++; + if (s->ext.debug_cb) + s->ext.debug_cb(s, !s->server, thisex->type, + PACKET_data(&thisex->data), + PACKET_remaining(&thisex->data), + s->ext.debug_arg); + } + } + + if (init) { + /* + * Initialise all known extensions relevant to this context, + * whether we have found them or not + */ + for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs); + i++, thisexd++) { + if (thisexd->init != NULL && (thisexd->context & context) != 0 + && extension_is_relevant(s, thisexd->context, context) + && !thisexd->init(s, context)) { + /* SSLfatal() already called */ + goto err; + } + } + } + + *res = raw_extensions; + if (len != NULL) + *len = num_exts; + return 1; + + err: + OPENSSL_free(raw_extensions); + return 0; +} + +/* + * Runs the parser for a given extension with index |idx|. |exts| contains the + * list of all parsed extensions previously collected by + * tls_collect_extensions(). The parser is only run if it is applicable for the + * given |context| and the parser has not already been run. If this is for a + * Certificate message, then we also provide the parser with the relevant + * Certificate |x| and its position in the |chainidx| with 0 being the first + * Certificate. Returns 1 on success or 0 on failure. If an extension is not + * present this counted as success. + */ +int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, + RAW_EXTENSION *exts, X509 *x, size_t chainidx) +{ + RAW_EXTENSION *currext = &exts[idx]; + int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) = NULL; + + /* Skip if the extension is not present */ + if (!currext->present) + return 1; + + /* Skip if we've already parsed this extension */ + if (currext->parsed) + return 1; + + currext->parsed = 1; + + if (idx < OSSL_NELEM(ext_defs)) { + /* We are handling a built-in extension */ + const EXTENSION_DEFINITION *extdef = &ext_defs[idx]; + + /* Check if extension is defined for our protocol. If not, skip */ + if (!extension_is_relevant(s, extdef->context, context)) + return 1; + + parser = s->server ? extdef->parse_ctos : extdef->parse_stoc; + + if (parser != NULL) + return parser(s, &currext->data, context, x, chainidx); + + /* + * If the parser is NULL we fall through to the custom extension + * processing + */ + } + + /* Parse custom extensions */ + return custom_ext_parse(s, context, currext->type, + PACKET_data(&currext->data), + PACKET_remaining(&currext->data), + x, chainidx); +} + +/* + * Parse all remaining extensions that have not yet been parsed. Also calls the + * finalisation for all extensions at the end if |fin| is nonzero, whether we + * collected them or not. Returns 1 for success or 0 for failure. If we are + * working on a Certificate message then we also pass the Certificate |x| and + * its position in the |chainidx|, with 0 being the first certificate. + */ +int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, + size_t chainidx, int fin) +{ + size_t i, numexts = OSSL_NELEM(ext_defs); + const EXTENSION_DEFINITION *thisexd; + + /* Calculate the number of extensions in the extensions list */ + numexts += s->cert->custext.meths_count; + + /* Parse each extension in turn */ + for (i = 0; i < numexts; i++) { + if (!tls_parse_extension(s, i, context, exts, x, chainidx)) { + /* SSLfatal() already called */ + return 0; + } + } + + if (fin) { + /* + * Finalise all known extensions relevant to this context, + * whether we have found them or not + */ + for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); + i++, thisexd++) { + if (thisexd->final != NULL && (thisexd->context & context) != 0 + && !thisexd->final(s, context, exts[i].present)) { + /* SSLfatal() already called */ + return 0; + } + } + } + + return 1; +} + +int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx, + int max_version) +{ + /* Skip if not relevant for our context */ + if ((extctx & thisctx) == 0) + return 0; + + /* Check if this extension is defined for our protocol. If not, skip */ + if (!extension_is_relevant(s, extctx, thisctx) + || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0 + && (thisctx & SSL_EXT_CLIENT_HELLO) != 0 + && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))) + return 0; + + return 1; +} + +/* + * Construct all the extensions relevant to the current |context| and write + * them to |pkt|. If this is an extension for a Certificate in a Certificate + * message, then |x| will be set to the Certificate we are handling, and + * |chainidx| will indicate the position in the chainidx we are processing (with + * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a + * failure construction stops at the first extension to fail to construct. + */ +int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + size_t i; + int min_version, max_version = 0, reason; + const EXTENSION_DEFINITION *thisexd; + + if (!WPACKET_start_sub_packet_u16(pkt) + /* + * If extensions are of zero length then we don't even add the + * extensions length bytes to a ClientHello/ServerHello + * (for non-TLSv1.3). + */ + || ((context & + (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0 + && !WPACKET_set_flags(pkt, + WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS, + ERR_R_INTERNAL_ERROR); + return 0; + } + + if ((context & SSL_EXT_CLIENT_HELLO) != 0) { + reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); + if (reason != 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS, + reason); + return 0; + } + } + + /* Add custom extensions first */ + if ((context & SSL_EXT_CLIENT_HELLO) != 0) { + /* On the server side with initialise during ClientHello parsing */ + custom_ext_init(&s->cert->custext); + } + if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) { + /* SSLfatal() already called */ + return 0; + } + + for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { + EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); + EXT_RETURN ret; + + /* Skip if not relevant for our context */ + if (!should_add_extension(s, thisexd->context, context, max_version)) + continue; + + construct = s->server ? thisexd->construct_stoc + : thisexd->construct_ctos; + + if (construct == NULL) + continue; + + ret = construct(s, pkt, context, x, chainidx); + if (ret == EXT_RETURN_FAIL) { + /* SSLfatal() already called */ + return 0; + } + if (ret == EXT_RETURN_SENT + && (context & (SSL_EXT_CLIENT_HELLO + | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST + | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0) + s->ext.extflags[i] |= SSL_EXT_FLAG_SENT; + } + + if (!WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS, + ERR_R_INTERNAL_ERROR); + return 0; + } + + return 1; +} + +/* + * Built in extension finalisation and initialisation functions. All initialise + * or finalise the associated extension type for the given |context|. For + * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0 + * otherwise. These functions return 1 on success or 0 on failure. + */ + +static int final_renegotiate(SSL *s, unsigned int context, int sent) +{ + if (!s->server) { + /* + * Check if we can connect to a server that doesn't support safe + * renegotiation + */ + if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT) + && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) + && !sent) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE, + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + return 0; + } + + return 1; + } + + /* Need RI if renegotiating */ + if (s->renegotiate + && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) + && !sent) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE, + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + return 0; + } + + + return 1; +} + +static int init_server_name(SSL *s, unsigned int context) +{ + if (s->server) { + s->servername_done = 0; + + OPENSSL_free(s->ext.hostname); + s->ext.hostname = NULL; + } + + return 1; +} + +static int final_server_name(SSL *s, unsigned int context, int sent) +{ + int ret = SSL_TLSEXT_ERR_NOACK; + int altmp = SSL_AD_UNRECOGNIZED_NAME; + int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0; + + if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, + ERR_R_INTERNAL_ERROR); + return 0; + } + + if (s->ctx->ext.servername_cb != NULL) + ret = s->ctx->ext.servername_cb(s, &altmp, + s->ctx->ext.servername_arg); + else if (s->session_ctx->ext.servername_cb != NULL) + ret = s->session_ctx->ext.servername_cb(s, &altmp, + s->session_ctx->ext.servername_arg); + + /* + * For servers, propagate the SNI hostname from the temporary + * storage in the SSL to the persistent SSL_SESSION, now that we + * know we accepted it. + * Clients make this copy when parsing the server's response to + * the extension, which is when they find out that the negotiation + * was successful. + */ + if (s->server) { + /* TODO(OpenSSL1.2) revisit !sent case */ + if (sent && ret == SSL_TLSEXT_ERR_OK && (!s->hit || SSL_IS_TLS13(s))) { + /* Only store the hostname in the session if we accepted it. */ + OPENSSL_free(s->session->ext.hostname); + s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); + if (s->session->ext.hostname == NULL && s->ext.hostname != NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, + ERR_R_INTERNAL_ERROR); + } + } + } + + /* + * If we switched contexts (whether here or in the client_hello callback), + * move the sess_accept increment from the session_ctx to the new + * context, to avoid the confusing situation of having sess_accept_good + * exceed sess_accept (zero) for the new context. + */ + if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) { + tsan_counter(&s->ctx->stats.sess_accept); + tsan_decr(&s->session_ctx->stats.sess_accept); + } + + /* + * If we're expecting to send a ticket, and tickets were previously enabled, + * and now tickets are disabled, then turn off expected ticket. + * Also, if this is not a resumption, create a new session ID + */ + if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected + && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) { + s->ext.ticket_expected = 0; + if (!s->hit) { + SSL_SESSION* ss = SSL_get_session(s); + + if (ss != NULL) { + OPENSSL_free(ss->ext.tick); + ss->ext.tick = NULL; + ss->ext.ticklen = 0; + ss->ext.tick_lifetime_hint = 0; + ss->ext.tick_age_add = 0; + ss->ext.tick_identity = 0; + if (!ssl_generate_session_id(s, ss)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, + ERR_R_INTERNAL_ERROR); + return 0; + } + } else { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + } + + switch (ret) { + case SSL_TLSEXT_ERR_ALERT_FATAL: + SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED); + return 0; + + case SSL_TLSEXT_ERR_ALERT_WARNING: + /* TLSv1.3 doesn't have warning alerts so we suppress this */ + if (!SSL_IS_TLS13(s)) + ssl3_send_alert(s, SSL3_AL_WARNING, altmp); + return 1; + + case SSL_TLSEXT_ERR_NOACK: + s->servername_done = 0; + return 1; + + default: + return 1; + } +} + +#ifndef OPENSSL_NO_EC +static int final_ec_pt_formats(SSL *s, unsigned int context, int sent) +{ + unsigned long alg_k, alg_a; + + if (s->server) + return 1; + + alg_k = s->s3->tmp.new_cipher->algorithm_mkey; + alg_a = s->s3->tmp.new_cipher->algorithm_auth; + + /* + * If we are client and using an elliptic curve cryptography cipher + * suite, then if server returns an EC point formats lists extension it + * must contain uncompressed. + */ + if (s->ext.ecpointformats != NULL + && s->ext.ecpointformats_len > 0 + && s->session->ext.ecpointformats != NULL + && s->session->ext.ecpointformats_len > 0 + && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { + /* we are using an ECC cipher */ + size_t i; + unsigned char *list = s->session->ext.ecpointformats; + + for (i = 0; i < s->session->ext.ecpointformats_len; i++) { + if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed) + break; + } + if (i == s->session->ext.ecpointformats_len) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS, + SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); + return 0; + } + } + + return 1; +} +#endif + +static int init_session_ticket(SSL *s, unsigned int context) +{ + if (!s->server) + s->ext.ticket_expected = 0; + + return 1; +} + +#ifndef OPENSSL_NO_OCSP +static int init_status_request(SSL *s, unsigned int context) +{ + if (s->server) { + s->ext.status_type = TLSEXT_STATUSTYPE_nothing; + } else { + /* + * Ensure we get sensible values passed to tlsext_status_cb in the event + * that we don't receive a status message + */ + OPENSSL_free(s->ext.ocsp.resp); + s->ext.ocsp.resp = NULL; + s->ext.ocsp.resp_len = 0; + } + + return 1; +} +#endif + +#ifndef OPENSSL_NO_NEXTPROTONEG +static int init_npn(SSL *s, unsigned int context) +{ + s->s3->npn_seen = 0; + + return 1; +} +#endif + +static int init_alpn(SSL *s, unsigned int context) +{ + OPENSSL_free(s->s3->alpn_selected); + s->s3->alpn_selected = NULL; + s->s3->alpn_selected_len = 0; + if (s->server) { + OPENSSL_free(s->s3->alpn_proposed); + s->s3->alpn_proposed = NULL; + s->s3->alpn_proposed_len = 0; + } + return 1; +} + +static int final_alpn(SSL *s, unsigned int context, int sent) +{ + if (!s->server && !sent && s->session->ext.alpn_selected != NULL) + s->ext.early_data_ok = 0; + + if (!s->server || !SSL_IS_TLS13(s)) + return 1; + + /* + * Call alpn_select callback if needed. Has to be done after SNI and + * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3 + * we also have to do this before we decide whether to accept early_data. + * In TLSv1.3 we've already negotiated our cipher so we do this call now. + * For < TLSv1.3 we defer it until after cipher negotiation. + * + * On failure SSLfatal() already called. + */ + return tls_handle_alpn(s); +} + +static int init_sig_algs(SSL *s, unsigned int context) +{ + /* Clear any signature algorithms extension received */ + OPENSSL_free(s->s3->tmp.peer_sigalgs); + s->s3->tmp.peer_sigalgs = NULL; + + return 1; +} + +static int init_sig_algs_cert(SSL *s, unsigned int context) +{ + /* Clear any signature algorithms extension received */ + OPENSSL_free(s->s3->tmp.peer_cert_sigalgs); + s->s3->tmp.peer_cert_sigalgs = NULL; + + return 1; +} + +#ifndef OPENSSL_NO_SRP +static int init_srp(SSL *s, unsigned int context) +{ + OPENSSL_free(s->srp_ctx.login); + s->srp_ctx.login = NULL; + + return 1; +} +#endif + +static int init_etm(SSL *s, unsigned int context) +{ + s->ext.use_etm = 0; + + return 1; +} + +static int init_ems(SSL *s, unsigned int context) +{ + if (!s->server) + s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; + + return 1; +} + +static int final_ems(SSL *s, unsigned int context, int sent) +{ + if (!s->server && s->hit) { + /* + * Check extended master secret extension is consistent with + * original session. + */ + if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) != + !(s->session->flags & SSL_SESS_FLAG_EXTMS)) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS, + SSL_R_INCONSISTENT_EXTMS); + return 0; + } + } + + return 1; +} + +static int init_certificate_authorities(SSL *s, unsigned int context) +{ + sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); + s->s3->tmp.peer_ca_names = NULL; + return 1; +} + +static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, + unsigned int context, + X509 *x, + size_t chainidx) +{ + const STACK_OF(X509_NAME) *ca_sk = get_ca_names(s); + + if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities) + || !WPACKET_start_sub_packet_u16(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + if (!construct_ca_names(s, ca_sk, pkt)) { + /* SSLfatal() already called */ + return EXT_RETURN_FAIL; + } + + if (!WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + if (!parse_ca_names(s, pkt)) + return 0; + if (PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION); + return 0; + } + return 1; +} + +#ifndef OPENSSL_NO_SRTP +static int init_srtp(SSL *s, unsigned int context) +{ + if (s->server) + s->srtp_profile = NULL; + + return 1; +} +#endif + +static int final_sig_algs(SSL *s, unsigned int context, int sent) +{ + if (!sent && SSL_IS_TLS13(s) && !s->hit) { + SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS, + SSL_R_MISSING_SIGALGS_EXTENSION); + return 0; + } + + return 1; +} + +#ifndef OPENSSL_NO_EC +static int final_key_share(SSL *s, unsigned int context, int sent) +{ + if (!SSL_IS_TLS13(s)) + return 1; + + /* Nothing to do for key_share in an HRR */ + if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) + return 1; + + /* + * If + * we are a client + * AND + * we have no key_share + * AND + * (we are not resuming + * OR the kex_mode doesn't allow non key_share resumes) + * THEN + * fail; + */ + if (!s->server + && !sent + && (!s->hit + || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) { + /* Nothing left we can do - just fail */ + SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE, + SSL_R_NO_SUITABLE_KEY_SHARE); + return 0; + } + /* + * IF + * we are a server + * THEN + * IF + * we have a suitable key_share + * THEN + * IF + * we are stateless AND we have no cookie + * THEN + * send a HelloRetryRequest + * ELSE + * IF + * we didn't already send a HelloRetryRequest + * AND + * the client sent a key_share extension + * AND + * (we are not resuming + * OR the kex_mode allows key_share resumes) + * AND + * a shared group exists + * THEN + * send a HelloRetryRequest + * ELSE IF + * we are not resuming + * OR + * the kex_mode doesn't allow non key_share resumes + * THEN + * fail + * ELSE IF + * we are stateless AND we have no cookie + * THEN + * send a HelloRetryRequest + */ + if (s->server) { + if (s->s3->peer_tmp != NULL) { + /* We have a suitable key_share */ + if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0 + && !s->ext.cookieok) { + if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) { + /* + * If we are stateless then we wouldn't know about any + * previously sent HRR - so how can this be anything other + * than 0? + */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE, + ERR_R_INTERNAL_ERROR); + return 0; + } + s->hello_retry_request = SSL_HRR_PENDING; + return 1; + } + } else { + /* No suitable key_share */ + if (s->hello_retry_request == SSL_HRR_NONE && sent + && (!s->hit + || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) + != 0)) { + const uint16_t *pgroups, *clntgroups; + size_t num_groups, clnt_num_groups, i; + unsigned int group_id = 0; + + /* Check if a shared group exists */ + + /* Get the clients list of supported groups. */ + tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups); + tls1_get_supported_groups(s, &pgroups, &num_groups); + + /* + * Find the first group we allow that is also in client's list + */ + for (i = 0; i < num_groups; i++) { + group_id = pgroups[i]; + + if (check_in_list(s, group_id, clntgroups, clnt_num_groups, + 1)) + break; + } + + if (i < num_groups) { + /* A shared group exists so send a HelloRetryRequest */ + s->s3->group_id = group_id; + s->hello_retry_request = SSL_HRR_PENDING; + return 1; + } + } + if (!s->hit + || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) { + /* Nothing left we can do - just fail */ + SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE + : SSL_AD_MISSING_EXTENSION, + SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE); + return 0; + } + + if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0 + && !s->ext.cookieok) { + if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) { + /* + * If we are stateless then we wouldn't know about any + * previously sent HRR - so how can this be anything other + * than 0? + */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE, + ERR_R_INTERNAL_ERROR); + return 0; + } + s->hello_retry_request = SSL_HRR_PENDING; + return 1; + } + } + + /* + * We have a key_share so don't send any more HelloRetryRequest + * messages + */ + if (s->hello_retry_request == SSL_HRR_PENDING) + s->hello_retry_request = SSL_HRR_COMPLETE; + } else { + /* + * For a client side resumption with no key_share we need to generate + * the handshake secret (otherwise this is done during key_share + * processing). + */ + if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + + return 1; +} +#endif + +static int init_psk_kex_modes(SSL *s, unsigned int context) +{ + s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE; + return 1; +} + +int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, + size_t binderoffset, const unsigned char *binderin, + unsigned char *binderout, SSL_SESSION *sess, int sign, + int external) +{ + EVP_PKEY *mackey = NULL; + EVP_MD_CTX *mctx = NULL; + unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE]; + unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE]; + unsigned char *early_secret; + static const unsigned char resumption_label[] = "res binder"; + static const unsigned char external_label[] = "ext binder"; + const unsigned char *label; + size_t bindersize, labelsize, hashsize; + int hashsizei = EVP_MD_size(md); + int ret = -1; + int usepskfored = 0; + + /* Ensure cast to size_t is safe */ + if (!ossl_assert(hashsizei >= 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, + ERR_R_INTERNAL_ERROR); + goto err; + } + hashsize = (size_t)hashsizei; + + if (external + && s->early_data_state == SSL_EARLY_DATA_CONNECTING + && s->session->ext.max_early_data == 0 + && sess->ext.max_early_data > 0) + usepskfored = 1; + + if (external) { + label = external_label; + labelsize = sizeof(external_label) - 1; + } else { + label = resumption_label; + labelsize = sizeof(resumption_label) - 1; + } + + /* + * Generate the early_secret. On the server side we've selected a PSK to + * resume with (internal or external) so we always do this. On the client + * side we do this for a non-external (i.e. resumption) PSK or external PSK + * that will be used for early_data so that it is in place for sending early + * data. For client side external PSK not being used for early_data we + * generate it but store it away for later use. + */ + if (s->server || !external || usepskfored) + early_secret = (unsigned char *)s->early_secret; + else + early_secret = (unsigned char *)sess->early_secret; + + if (!tls13_generate_secret(s, md, NULL, sess->master_key, + sess->master_key_length, early_secret)) { + /* SSLfatal() already called */ + goto err; + } + + /* + * Create the handshake hash for the binder key...the messages so far are + * empty! + */ + mctx = EVP_MD_CTX_new(); + if (mctx == NULL + || EVP_DigestInit_ex(mctx, md, NULL) <= 0 + || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, + ERR_R_INTERNAL_ERROR); + goto err; + } + + /* Generate the binder key */ + if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash, + hashsize, binderkey, hashsize)) { + /* SSLfatal() already called */ + goto err; + } + + /* Generate the finished key */ + if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) { + /* SSLfatal() already called */ + goto err; + } + + if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, + ERR_R_INTERNAL_ERROR); + goto err; + } + + /* + * Get a hash of the ClientHello up to the start of the binders. If we are + * following a HelloRetryRequest then this includes the hash of the first + * ClientHello and the HelloRetryRequest itself. + */ + if (s->hello_retry_request == SSL_HRR_PENDING) { + size_t hdatalen; + long hdatalen_l; + void *hdata; + + hdatalen = hdatalen_l = + BIO_get_mem_data(s->s3->handshake_buffer, &hdata); + if (hdatalen_l <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, + SSL_R_BAD_HANDSHAKE_LENGTH); + goto err; + } + + /* + * For servers the handshake buffer data will include the second + * ClientHello - which we don't want - so we need to take that bit off. + */ + if (s->server) { + PACKET hashprefix, msg; + + /* Find how many bytes are left after the first two messages */ + if (!PACKET_buf_init(&hashprefix, hdata, hdatalen) + || !PACKET_forward(&hashprefix, 1) + || !PACKET_get_length_prefixed_3(&hashprefix, &msg) + || !PACKET_forward(&hashprefix, 1) + || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, + ERR_R_INTERNAL_ERROR); + goto err; + } + hdatalen -= PACKET_remaining(&hashprefix); + } + + if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, + ERR_R_INTERNAL_ERROR); + goto err; + } + } + + if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0 + || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, + ERR_R_INTERNAL_ERROR); + goto err; + } + + mackey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finishedkey, + hashsize); + if (mackey == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, + ERR_R_INTERNAL_ERROR); + goto err; + } + + if (!sign) + binderout = tmpbinder; + + bindersize = hashsize; + if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0 + || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0 + || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0 + || bindersize != hashsize) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, + ERR_R_INTERNAL_ERROR); + goto err; + } + + if (sign) { + ret = 1; + } else { + /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */ + ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0); + if (!ret) + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PSK_DO_BINDER, + SSL_R_BINDER_DOES_NOT_VERIFY); + } + + err: + OPENSSL_cleanse(binderkey, sizeof(binderkey)); + OPENSSL_cleanse(finishedkey, sizeof(finishedkey)); + EVP_PKEY_free(mackey); + EVP_MD_CTX_free(mctx); + + return ret; +} + +static int final_early_data(SSL *s, unsigned int context, int sent) +{ + if (!sent) + return 1; + + if (!s->server) { + if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS + && sent + && !s->ext.early_data_ok) { + /* + * If we get here then the server accepted our early_data but we + * later realised that it shouldn't have done (e.g. inconsistent + * ALPN) + */ + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA, + SSL_R_BAD_EARLY_DATA); + return 0; + } + + return 1; + } + + if (s->max_early_data == 0 + || !s->hit + || s->session->ext.tick_identity != 0 + || s->early_data_state != SSL_EARLY_DATA_ACCEPTING + || !s->ext.early_data_ok + || s->hello_retry_request != SSL_HRR_NONE + || (s->ctx->allow_early_data_cb != NULL + && !s->ctx->allow_early_data_cb(s, + s->ctx->allow_early_data_cb_data))) { + s->ext.early_data = SSL_EARLY_DATA_REJECTED; + } else { + s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; + + if (!tls13_change_cipher_state(s, + SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) { + /* SSLfatal() already called */ + return 0; + } + } + + return 1; +} + +static int final_maxfragmentlen(SSL *s, unsigned int context, int sent) +{ + /* + * Session resumption on server-side with MFL extension active + * BUT MFL extension packet was not resent (i.e. sent == 0) + */ + if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) + && !sent ) { + SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN, + SSL_R_BAD_EXTENSION); + return 0; + } + + /* Current SSL buffer is lower than requested MFL */ + if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) + && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session)) + /* trigger a larger buffer reallocation */ + if (!ssl3_setup_buffers(s)) { + /* SSLfatal() already called */ + return 0; + } + + return 1; +} + +static int init_post_handshake_auth(SSL *s, unsigned int context) +{ + s->post_handshake_auth = SSL_PHA_NONE; + + return 1; +} diff --git a/deps/openssl/openssl/ssl/statem/extensions_clnt.c b/deps/openssl/openssl/ssl/statem/extensions_clnt.c new file mode 100644 index 0000000000..ab4dbf6713 --- /dev/null +++ b/deps/openssl/openssl/ssl/statem/extensions_clnt.c @@ -0,0 +1,1991 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/ocsp.h> +#include "../ssl_locl.h" +#include "internal/cryptlib.h" +#include "statem_locl.h" + +EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + /* Add RI if renegotiating */ + if (!s->renegotiate) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished, + s->s3->previous_client_finished_len) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + if (s->ext.hostname == NULL) + return EXT_RETURN_NOT_SENT; + + /* Add TLS extension servername to the Client Hello message */ + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) + /* Sub-packet for server_name extension */ + || !WPACKET_start_sub_packet_u16(pkt) + /* Sub-packet for servername list (always 1 hostname)*/ + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name) + || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname, + strlen(s->ext.hostname)) + || !WPACKET_close(pkt) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +/* Push a Max Fragment Len extension into ClientHello */ +EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED) + return EXT_RETURN_NOT_SENT; + + /* Add Max Fragment Length extension if client enabled it. */ + /*- + * 4 bytes for this extension type and extension length + * 1 byte for the Max Fragment Length code value. + */ + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) + /* Sub-packet for Max Fragment Length extension (1 byte) */ + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +#ifndef OPENSSL_NO_SRP +EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + /* Add SRP username if there is one */ + if (s->srp_ctx.login == NULL) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp) + /* Sub-packet for SRP extension */ + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_start_sub_packet_u8(pkt) + /* login must not be zero...internal error if so */ + || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) + || !WPACKET_memcpy(pkt, s->srp_ctx.login, + strlen(s->srp_ctx.login)) + || !WPACKET_close(pkt) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SRP, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} +#endif + +#ifndef OPENSSL_NO_EC +static int use_ecc(SSL *s) +{ + int i, end, ret = 0; + unsigned long alg_k, alg_a; + STACK_OF(SSL_CIPHER) *cipher_stack = NULL; + + /* See if we support any ECC ciphersuites */ + if (s->version == SSL3_VERSION) + return 0; + + cipher_stack = SSL_get1_supported_ciphers(s); + end = sk_SSL_CIPHER_num(cipher_stack); + for (i = 0; i < end; i++) { + const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); + + alg_k = c->algorithm_mkey; + alg_a = c->algorithm_auth; + if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) + || (alg_a & SSL_aECDSA) + || c->min_tls >= TLS1_3_VERSION) { + ret = 1; + break; + } + } + + sk_SSL_CIPHER_free(cipher_stack); + return ret; +} + +EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + const unsigned char *pformats; + size_t num_formats; + + if (!use_ecc(s)) + return EXT_RETURN_NOT_SENT; + + /* Add TLS extension ECPointFormats to the ClientHello message */ + tls1_get_formatlist(s, &pformats, &num_formats); + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats) + /* Sub-packet for formats extension */ + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + const uint16_t *pgroups = NULL; + size_t num_groups = 0, i; + + if (!use_ecc(s)) + return EXT_RETURN_NOT_SENT; + + /* + * Add TLS extension supported_groups to the ClientHello message + */ + /* TODO(TLS1.3): Add support for DHE groups */ + tls1_get_supported_groups(s, &pgroups, &num_groups); + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) + /* Sub-packet for supported_groups extension */ + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_start_sub_packet_u16(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + /* Copy curve ID if supported */ + for (i = 0; i < num_groups; i++) { + uint16_t ctmp = pgroups[i]; + + if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { + if (!WPACKET_put_bytes_u16(pkt, ctmp)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + } + } + if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} +#endif + +EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + size_t ticklen; + + if (!tls_use_ticket(s)) + return EXT_RETURN_NOT_SENT; + + if (!s->new_session && s->session != NULL + && s->session->ext.tick != NULL + && s->session->ssl_version != TLS1_3_VERSION) { + ticklen = s->session->ext.ticklen; + } else if (s->session && s->ext.session_ticket != NULL + && s->ext.session_ticket->data != NULL) { + ticklen = s->ext.session_ticket->length; + s->session->ext.tick = OPENSSL_malloc(ticklen); + if (s->session->ext.tick == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + memcpy(s->session->ext.tick, + s->ext.session_ticket->data, ticklen); + s->session->ext.ticklen = ticklen; + } else { + ticklen = 0; + } + + if (ticklen == 0 && s->ext.session_ticket != NULL && + s->ext.session_ticket->data == NULL) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) + || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + size_t salglen; + const uint16_t *salg; + + if (!SSL_CLIENT_USE_SIGALGS(s)) + return EXT_RETURN_NOT_SENT; + + salglen = tls12_get_psigalgs(s, 1, &salg); + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms) + /* Sub-packet for sig-algs extension */ + || !WPACKET_start_sub_packet_u16(pkt) + /* Sub-packet for the actual list */ + || !WPACKET_start_sub_packet_u16(pkt) + || !tls12_copy_sigalgs(s, pkt, salg, salglen) + || !WPACKET_close(pkt) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +#ifndef OPENSSL_NO_OCSP +EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + int i; + + /* This extension isn't defined for client Certificates */ + if (x != NULL) + return EXT_RETURN_NOT_SENT; + + if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) + /* Sub-packet for status request extension */ + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp) + /* Sub-packet for the ids */ + || !WPACKET_start_sub_packet_u16(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) { + unsigned char *idbytes; + OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i); + int idlen = i2d_OCSP_RESPID(id, NULL); + + if (idlen <= 0 + /* Sub-packet for an individual id */ + || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes) + || i2d_OCSP_RESPID(id, &idbytes) != idlen) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + } + if (!WPACKET_close(pkt) + || !WPACKET_start_sub_packet_u16(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + if (s->ext.ocsp.exts) { + unsigned char *extbytes; + int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL); + + if (extlen < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes) + || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes) + != extlen) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + } + if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} +#endif + +#ifndef OPENSSL_NO_NEXTPROTONEG +EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) + return EXT_RETURN_NOT_SENT; + + /* + * The client advertises an empty extension to indicate its support + * for Next Protocol Negotiation + */ + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) + || !WPACKET_put_bytes_u16(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_NPN, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} +#endif + +EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + s->s3->alpn_sent = 0; + + if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, + TLSEXT_TYPE_application_layer_protocol_negotiation) + /* Sub-packet ALPN extension */ + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ALPN, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + s->s3->alpn_sent = 1; + + return EXT_RETURN_SENT; +} + + +#ifndef OPENSSL_NO_SRTP +EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s); + int i, end; + + if (clnt == NULL) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp) + /* Sub-packet for SRTP extension */ + || !WPACKET_start_sub_packet_u16(pkt) + /* Sub-packet for the protection profile list */ + || !WPACKET_start_sub_packet_u16(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + end = sk_SRTP_PROTECTION_PROFILE_num(clnt); + for (i = 0; i < end; i++) { + const SRTP_PROTECTION_PROFILE *prof = + sk_SRTP_PROTECTION_PROFILE_value(clnt, i); + + if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + } + if (!WPACKET_close(pkt) + /* Add an empty use_mki value */ + || !WPACKET_put_bytes_u8(pkt, 0) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} +#endif + +EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) + || !WPACKET_put_bytes_u16(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ETM, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +#ifndef OPENSSL_NO_CT +EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (s->ct_validation_callback == NULL) + return EXT_RETURN_NOT_SENT; + + /* Not defined for client Certificates */ + if (x != NULL) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp) + || !WPACKET_put_bytes_u16(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SCT, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} +#endif + +EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) + || !WPACKET_put_bytes_u16(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EMS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + int currv, min_version, max_version, reason; + + reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); + if (reason != 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason); + return EXT_RETURN_FAIL; + } + + /* + * Don't include this if we can't negotiate TLSv1.3. We can do a straight + * comparison here because we will never be called in DTLS. + */ + if (max_version < TLS1_3_VERSION) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_start_sub_packet_u8(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + for (currv = max_version; currv >= min_version; currv--) { + if (!WPACKET_put_bytes_u16(pkt, currv)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + } + if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +/* + * Construct a psk_kex_modes extension. + */ +EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ +#ifndef OPENSSL_NO_TLS1_3 + int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_start_sub_packet_u8(pkt) + || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE) + || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE)) + || !WPACKET_close(pkt) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE; + if (nodhe) + s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE; +#endif + + return EXT_RETURN_SENT; +} + +#ifndef OPENSSL_NO_TLS1_3 +static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id) +{ + unsigned char *encoded_point = NULL; + EVP_PKEY *key_share_key = NULL; + size_t encodedlen; + + if (s->s3->tmp.pkey != NULL) { + if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, + ERR_R_INTERNAL_ERROR); + return 0; + } + /* + * Could happen if we got an HRR that wasn't requesting a new key_share + */ + key_share_key = s->s3->tmp.pkey; + } else { + key_share_key = ssl_generate_pkey_group(s, curve_id); + if (key_share_key == NULL) { + /* SSLfatal() already called */ + return 0; + } + } + + /* Encode the public key. */ + encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key, + &encoded_point); + if (encodedlen == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB); + goto err; + } + + /* Create KeyShareEntry */ + if (!WPACKET_put_bytes_u16(pkt, curve_id) + || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, + ERR_R_INTERNAL_ERROR); + goto err; + } + + /* + * TODO(TLS1.3): When changing to send more than one key_share we're + * going to need to be able to save more than one EVP_PKEY. For now + * we reuse the existing tmp.pkey + */ + s->s3->tmp.pkey = key_share_key; + s->s3->group_id = curve_id; + OPENSSL_free(encoded_point); + + return 1; + err: + if (s->s3->tmp.pkey == NULL) + EVP_PKEY_free(key_share_key); + OPENSSL_free(encoded_point); + return 0; +} +#endif + +EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ +#ifndef OPENSSL_NO_TLS1_3 + size_t i, num_groups = 0; + const uint16_t *pgroups = NULL; + uint16_t curve_id = 0; + + /* key_share extension */ + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) + /* Extension data sub-packet */ + || !WPACKET_start_sub_packet_u16(pkt) + /* KeyShare list sub-packet */ + || !WPACKET_start_sub_packet_u16(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + tls1_get_supported_groups(s, &pgroups, &num_groups); + + /* + * TODO(TLS1.3): Make the number of key_shares sent configurable. For + * now, just send one + */ + if (s->s3->group_id != 0) { + curve_id = s->s3->group_id; + } else { + for (i = 0; i < num_groups; i++) { + + if (!tls_curve_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) + continue; + + curve_id = pgroups[i]; + break; + } + } + + if (curve_id == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, + SSL_R_NO_SUITABLE_KEY_SHARE); + return EXT_RETURN_FAIL; + } + + if (!add_key_share(s, pkt, curve_id)) { + /* SSLfatal() already called */ + return EXT_RETURN_FAIL; + } + + if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + return EXT_RETURN_SENT; +#else + return EXT_RETURN_NOT_SENT; +#endif +} + +EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + EXT_RETURN ret = EXT_RETURN_FAIL; + + /* Should only be set if we've had an HRR */ + if (s->ext.tls13_cookie_len == 0) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie) + /* Extension data sub-packet */ + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie, + s->ext.tls13_cookie_len) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_COOKIE, + ERR_R_INTERNAL_ERROR); + goto end; + } + + ret = EXT_RETURN_SENT; + end: + OPENSSL_free(s->ext.tls13_cookie); + s->ext.tls13_cookie = NULL; + s->ext.tls13_cookie_len = 0; + + return ret; +} + +EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ +#ifndef OPENSSL_NO_PSK + char identity[PSK_MAX_IDENTITY_LEN + 1]; +#endif /* OPENSSL_NO_PSK */ + const unsigned char *id = NULL; + size_t idlen = 0; + SSL_SESSION *psksess = NULL; + SSL_SESSION *edsess = NULL; + const EVP_MD *handmd = NULL; + + if (s->hello_retry_request == SSL_HRR_PENDING) + handmd = ssl_handshake_md(s); + + if (s->psk_use_session_cb != NULL + && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess) + || (psksess != NULL + && psksess->ssl_version != TLS1_3_VERSION))) { + SSL_SESSION_free(psksess); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, + SSL_R_BAD_PSK); + return EXT_RETURN_FAIL; + } + +#ifndef OPENSSL_NO_PSK + if (psksess == NULL && s->psk_client_callback != NULL) { + unsigned char psk[PSK_MAX_PSK_LEN]; + size_t psklen = 0; + + memset(identity, 0, sizeof(identity)); + psklen = s->psk_client_callback(s, NULL, identity, sizeof(identity) - 1, + psk, sizeof(psk)); + + if (psklen > PSK_MAX_PSK_LEN) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } else if (psklen > 0) { + const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; + const SSL_CIPHER *cipher; + + idlen = strlen(identity); + if (idlen > PSK_MAX_IDENTITY_LEN) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + id = (unsigned char *)identity; + + /* + * We found a PSK using an old style callback. We don't know + * the digest so we default to SHA256 as per the TLSv1.3 spec + */ + cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id); + if (cipher == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + psksess = SSL_SESSION_new(); + if (psksess == NULL + || !SSL_SESSION_set1_master_key(psksess, psk, psklen) + || !SSL_SESSION_set_cipher(psksess, cipher) + || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, + ERR_R_INTERNAL_ERROR); + OPENSSL_cleanse(psk, psklen); + return EXT_RETURN_FAIL; + } + OPENSSL_cleanse(psk, psklen); + } + } +#endif /* OPENSSL_NO_PSK */ + + SSL_SESSION_free(s->psksession); + s->psksession = psksess; + if (psksess != NULL) { + OPENSSL_free(s->psksession_id); + s->psksession_id = OPENSSL_memdup(id, idlen); + if (s->psksession_id == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + s->psksession_id_len = idlen; + } + + if (s->early_data_state != SSL_EARLY_DATA_CONNECTING + || (s->session->ext.max_early_data == 0 + && (psksess == NULL || psksess->ext.max_early_data == 0))) { + s->max_early_data = 0; + return EXT_RETURN_NOT_SENT; + } + edsess = s->session->ext.max_early_data != 0 ? s->session : psksess; + s->max_early_data = edsess->ext.max_early_data; + + if (edsess->ext.hostname != NULL) { + if (s->ext.hostname == NULL + || (s->ext.hostname != NULL + && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, + SSL_R_INCONSISTENT_EARLY_DATA_SNI); + return EXT_RETURN_FAIL; + } + } + + if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, + SSL_R_INCONSISTENT_EARLY_DATA_ALPN); + return EXT_RETURN_FAIL; + } + + /* + * Verify that we are offering an ALPN protocol consistent with the early + * data. + */ + if (edsess->ext.alpn_selected != NULL) { + PACKET prots, alpnpkt; + int found = 0; + + if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) { + if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected, + edsess->ext.alpn_selected_len)) { + found = 1; + break; + } + } + if (!found) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, + SSL_R_INCONSISTENT_EARLY_DATA_ALPN); + return EXT_RETURN_FAIL; + } + } + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + /* + * We set this to rejected here. Later, if the server acknowledges the + * extension, we set it to accepted. + */ + s->ext.early_data = SSL_EARLY_DATA_REJECTED; + s->ext.early_data_ok = 1; + + return EXT_RETURN_SENT; +} + +#define F5_WORKAROUND_MIN_MSG_LEN 0xff +#define F5_WORKAROUND_MAX_MSG_LEN 0x200 + +/* + * PSK pre binder overhead = + * 2 bytes for TLSEXT_TYPE_psk + * 2 bytes for extension length + * 2 bytes for identities list length + * 2 bytes for identity length + * 4 bytes for obfuscated_ticket_age + * 2 bytes for binder list length + * 1 byte for binder length + * The above excludes the number of bytes for the identity itself and the + * subsequent binder bytes + */ +#define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1) + +EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + unsigned char *padbytes; + size_t hlen; + + if ((s->options & SSL_OP_TLSEXT_PADDING) == 0) + return EXT_RETURN_NOT_SENT; + + /* + * Add padding to workaround bugs in F5 terminators. See RFC7685. + * This code calculates the length of all extensions added so far but + * excludes the PSK extension (because that MUST be written last). Therefore + * this extension MUST always appear second to last. + */ + if (!WPACKET_get_total_written(pkt, &hlen)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + /* + * If we're going to send a PSK then that will be written out after this + * extension, so we need to calculate how long it is going to be. + */ + if (s->session->ssl_version == TLS1_3_VERSION + && s->session->ext.ticklen != 0 + && s->session->cipher != NULL) { + const EVP_MD *md = ssl_md(s->session->cipher->algorithm2); + + if (md != NULL) { + /* + * Add the fixed PSK overhead, the identity length and the binder + * length. + */ + hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen + + EVP_MD_size(md); + } + } + + if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) { + /* Calculate the amount of padding we need to add */ + hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen; + + /* + * Take off the size of extension header itself (2 bytes for type and + * 2 bytes for length bytes), but ensure that the extension is at least + * 1 byte long so as not to have an empty extension last (WebSphere 7.x, + * 8.x are intolerant of that condition) + */ + if (hlen > 4) + hlen -= 4; + else + hlen = 1; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding) + || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + memset(padbytes, 0, hlen); + } + + return EXT_RETURN_SENT; +} + +/* + * Construct the pre_shared_key extension + */ +EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ +#ifndef OPENSSL_NO_TLS1_3 + uint32_t now, agesec, agems = 0; + size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen; + unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL; + const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; + int dores = 0; + + s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY; + + /* + * Note: At this stage of the code we only support adding a single + * resumption PSK. If we add support for multiple PSKs then the length + * calculations in the padding extension will need to be adjusted. + */ + + /* + * If this is an incompatible or new session then we have nothing to resume + * so don't add this extension. + */ + if (s->session->ssl_version != TLS1_3_VERSION + || (s->session->ext.ticklen == 0 && s->psksession == NULL)) + return EXT_RETURN_NOT_SENT; + + if (s->hello_retry_request == SSL_HRR_PENDING) + handmd = ssl_handshake_md(s); + + if (s->session->ext.ticklen != 0) { + /* Get the digest associated with the ciphersuite in the session */ + if (s->session->cipher == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + mdres = ssl_md(s->session->cipher->algorithm2); + if (mdres == NULL) { + /* + * Don't recognize this cipher so we can't use the session. + * Ignore it + */ + goto dopsksess; + } + + if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) { + /* + * Selected ciphersuite hash does not match the hash for the session + * so we can't use it. + */ + goto dopsksess; + } + + /* + * Technically the C standard just says time() returns a time_t and says + * nothing about the encoding of that type. In practice most + * implementations follow POSIX which holds it as an integral type in + * seconds since epoch. We've already made the assumption that we can do + * this in multiple places in the code, so portability shouldn't be an + * issue. + */ + now = (uint32_t)time(NULL); + agesec = now - (uint32_t)s->session->time; + /* + * We calculate the age in seconds but the server may work in ms. Due to + * rounding errors we could overestimate the age by up to 1s. It is + * better to underestimate it. Otherwise, if the RTT is very short, when + * the server calculates the age reported by the client it could be + * bigger than the age calculated on the server - which should never + * happen. + */ + if (agesec > 0) + agesec--; + + if (s->session->ext.tick_lifetime_hint < agesec) { + /* Ticket is too old. Ignore it. */ + goto dopsksess; + } + + /* + * Calculate age in ms. We're just doing it to nearest second. Should be + * good enough. + */ + agems = agesec * (uint32_t)1000; + + if (agesec != 0 && agems / (uint32_t)1000 != agesec) { + /* + * Overflow. Shouldn't happen unless this is a *really* old session. + * If so we just ignore it. + */ + goto dopsksess; + } + + /* + * Obfuscate the age. Overflow here is fine, this addition is supposed + * to be mod 2^32. + */ + agems += s->session->ext.tick_age_add; + + reshashsize = EVP_MD_size(mdres); + dores = 1; + } + + dopsksess: + if (!dores && s->psksession == NULL) + return EXT_RETURN_NOT_SENT; + + if (s->psksession != NULL) { + mdpsk = ssl_md(s->psksession->cipher->algorithm2); + if (mdpsk == NULL) { + /* + * Don't recognize this cipher so we can't use the session. + * If this happens it's an application bug. + */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, + SSL_R_BAD_PSK); + return EXT_RETURN_FAIL; + } + + if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) { + /* + * Selected ciphersuite hash does not match the hash for the PSK + * session. This is an application bug. + */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, + SSL_R_BAD_PSK); + return EXT_RETURN_FAIL; + } + + pskhashsize = EVP_MD_size(mdpsk); + } + + /* Create the extension, but skip over the binder for now */ + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_start_sub_packet_u16(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + if (dores) { + if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, + s->session->ext.ticklen) + || !WPACKET_put_bytes_u32(pkt, agems)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + } + + if (s->psksession != NULL) { + if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id, + s->psksession_id_len) + || !WPACKET_put_bytes_u32(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + } + + if (!WPACKET_close(pkt) + || !WPACKET_get_total_written(pkt, &binderoffset) + || !WPACKET_start_sub_packet_u16(pkt) + || (dores + && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder)) + || (s->psksession != NULL + && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder)) + || !WPACKET_close(pkt) + || !WPACKET_close(pkt) + || !WPACKET_get_total_written(pkt, &msglen) + /* + * We need to fill in all the sub-packet lengths now so we can + * calculate the HMAC of the message up to the binders + */ + || !WPACKET_fill_lengths(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + msgstart = WPACKET_get_curr(pkt) - msglen; + + if (dores + && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, + resbinder, s->session, 1, 0) != 1) { + /* SSLfatal() already called */ + return EXT_RETURN_FAIL; + } + + if (s->psksession != NULL + && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL, + pskbinder, s->psksession, 1, 1) != 1) { + /* SSLfatal() already called */ + return EXT_RETURN_FAIL; + } + + if (dores) + s->session->ext.tick_identity = 0; + if (s->psksession != NULL) + s->psksession->ext.tick_identity = (dores ? 1 : 0); + + return EXT_RETURN_SENT; +#else + return EXT_RETURN_NOT_SENT; +#endif +} + +EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt, + unsigned int context, + X509 *x, size_t chainidx) +{ +#ifndef OPENSSL_NO_TLS1_3 + if (!s->pha_enabled) + return EXT_RETURN_NOT_SENT; + + /* construct extension - 0 length, no contents */ + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + s->post_handshake_auth = SSL_PHA_EXT_SENT; + + return EXT_RETURN_SENT; +#else + return EXT_RETURN_NOT_SENT; +#endif +} + + +/* + * Parse the server's renegotiation binding and abort if it's not right + */ +int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + size_t expected_len = s->s3->previous_client_finished_len + + s->s3->previous_server_finished_len; + size_t ilen; + const unsigned char *data; + + /* Check for logic errors */ + if (!ossl_assert(expected_len == 0 + || s->s3->previous_client_finished_len != 0) + || !ossl_assert(expected_len == 0 + || s->s3->previous_server_finished_len != 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, + ERR_R_INTERNAL_ERROR); + return 0; + } + + /* Parse the length byte */ + if (!PACKET_get_1_len(pkt, &ilen)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, + SSL_R_RENEGOTIATION_ENCODING_ERR); + return 0; + } + + /* Consistency check */ + if (PACKET_remaining(pkt) != ilen) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, + SSL_R_RENEGOTIATION_ENCODING_ERR); + return 0; + } + + /* Check that the extension matches */ + if (ilen != expected_len) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, + SSL_R_RENEGOTIATION_MISMATCH); + return 0; + } + + if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len) + || memcmp(data, s->s3->previous_client_finished, + s->s3->previous_client_finished_len) != 0) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, + SSL_R_RENEGOTIATION_MISMATCH); + return 0; + } + + if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len) + || memcmp(data, s->s3->previous_server_finished, + s->s3->previous_server_finished_len) != 0) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, + SSL_R_RENEGOTIATION_MISMATCH); + return 0; + } + s->s3->send_connection_binding = 1; + + return 1; +} + +/* Parse the server's max fragment len extension packet */ +int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + unsigned int value; + + if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, + SSL_R_BAD_EXTENSION); + return 0; + } + + /* |value| should contains a valid max-fragment-length code. */ + if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, + SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); + return 0; + } + + /* Must be the same value as client-configured one who was sent to server */ + /*- + * RFC 6066: if a client receives a maximum fragment length negotiation + * response that differs from the length it requested, ... + * It must abort with SSL_AD_ILLEGAL_PARAMETER alert + */ + if (value != s->ext.max_fragment_len_mode) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, + SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); + return 0; + } + + /* + * Maximum Fragment Length Negotiation succeeded. + * The negotiated Maximum Fragment Length is binding now. + */ + s->session->ext.max_fragment_len_mode = value; + + return 1; +} + +int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (s->ext.hostname == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, + ERR_R_INTERNAL_ERROR); + return 0; + } + + if (PACKET_remaining(pkt) > 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, + SSL_R_BAD_EXTENSION); + return 0; + } + + if (!s->hit) { + if (s->session->ext.hostname != NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, + ERR_R_INTERNAL_ERROR); + return 0; + } + s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); + if (s->session->ext.hostname == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + + return 1; +} + +#ifndef OPENSSL_NO_EC +int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + size_t ecpointformats_len; + PACKET ecptformatlist; + + if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, + SSL_R_BAD_EXTENSION); + return 0; + } + if (!s->hit) { + ecpointformats_len = PACKET_remaining(&ecptformatlist); + if (ecpointformats_len == 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, SSL_R_BAD_LENGTH); + return 0; + } + + s->session->ext.ecpointformats_len = 0; + OPENSSL_free(s->session->ext.ecpointformats); + s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len); + if (s->session->ext.ecpointformats == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); + return 0; + } + + s->session->ext.ecpointformats_len = ecpointformats_len; + + if (!PACKET_copy_bytes(&ecptformatlist, + s->session->ext.ecpointformats, + ecpointformats_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); + return 0; + } + } + + return 1; +} +#endif + +int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (s->ext.session_ticket_cb != NULL && + !s->ext.session_ticket_cb(s, PACKET_data(pkt), + PACKET_remaining(pkt), + s->ext.session_ticket_cb_arg)) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION); + return 0; + } + + if (!tls_use_ticket(s)) { + SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, + SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION); + return 0; + } + if (PACKET_remaining(pkt) > 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION); + return 0; + } + + s->ext.ticket_expected = 1; + + return 1; +} + +#ifndef OPENSSL_NO_OCSP +int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { + /* We ignore this if the server sends a CertificateRequest */ + /* TODO(TLS1.3): Add support for this */ + return 1; + } + + /* + * MUST only be sent if we've requested a status + * request message. In TLS <= 1.2 it must also be empty. + */ + if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { + SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, + SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION); + return 0; + } + if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION); + return 0; + } + + if (SSL_IS_TLS13(s)) { + /* We only know how to handle this if it's for the first Certificate in + * the chain. We ignore any other responses. + */ + if (chainidx != 0) + return 1; + + /* SSLfatal() already called */ + return tls_process_cert_status_body(s, pkt); + } + + /* Set flag to expect CertificateStatus message */ + s->ext.status_expected = 1; + + return 1; +} +#endif + + +#ifndef OPENSSL_NO_CT +int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { + /* We ignore this if the server sends it in a CertificateRequest */ + /* TODO(TLS1.3): Add support for this */ + return 1; + } + + /* + * Only take it if we asked for it - i.e if there is no CT validation + * callback set, then a custom extension MAY be processing it, so we + * need to let control continue to flow to that. + */ + if (s->ct_validation_callback != NULL) { + size_t size = PACKET_remaining(pkt); + + /* Simply copy it off for later processing */ + OPENSSL_free(s->ext.scts); + s->ext.scts = NULL; + + s->ext.scts_len = (uint16_t)size; + if (size > 0) { + s->ext.scts = OPENSSL_malloc(size); + if (s->ext.scts == NULL + || !PACKET_copy_bytes(pkt, s->ext.scts, size)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + } else { + ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0 + ? ENDPOINT_CLIENT : ENDPOINT_BOTH; + + /* + * If we didn't ask for it then there must be a custom extension, + * otherwise this is unsolicited. + */ + if (custom_ext_find(&s->cert->custext, role, + TLSEXT_TYPE_signed_certificate_timestamp, + NULL) == NULL) { + SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_SCT, + SSL_R_BAD_EXTENSION); + return 0; + } + + if (!custom_ext_parse(s, context, + TLSEXT_TYPE_signed_certificate_timestamp, + PACKET_data(pkt), PACKET_remaining(pkt), + x, chainidx)) { + /* SSLfatal already called */ + return 0; + } + } + + return 1; +} +#endif + + +#ifndef OPENSSL_NO_NEXTPROTONEG +/* + * ssl_next_proto_validate validates a Next Protocol Negotiation block. No + * elements of zero length are allowed and the set of elements must exactly + * fill the length of the block. Returns 1 on success or 0 on failure. + */ +static int ssl_next_proto_validate(SSL *s, PACKET *pkt) +{ + PACKET tmp_protocol; + + while (PACKET_remaining(pkt)) { + if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol) + || PACKET_remaining(&tmp_protocol) == 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_NEXT_PROTO_VALIDATE, + SSL_R_BAD_EXTENSION); + return 0; + } + } + + return 1; +} + +int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + unsigned char *selected; + unsigned char selected_len; + PACKET tmppkt; + + /* Check if we are in a renegotiation. If so ignore this extension */ + if (!SSL_IS_FIRST_HANDSHAKE(s)) + return 1; + + /* We must have requested it. */ + if (s->ctx->ext.npn_select_cb == NULL) { + SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_NPN, + SSL_R_BAD_EXTENSION); + return 0; + } + + /* The data must be valid */ + tmppkt = *pkt; + if (!ssl_next_proto_validate(s, &tmppkt)) { + /* SSLfatal() already called */ + return 0; + } + if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len, + PACKET_data(pkt), + PACKET_remaining(pkt), + s->ctx->ext.npn_select_cb_arg) != + SSL_TLSEXT_ERR_OK) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN, + SSL_R_BAD_EXTENSION); + return 0; + } + + /* + * Could be non-NULL if server has sent multiple NPN extensions in + * a single Serverhello + */ + OPENSSL_free(s->ext.npn); + s->ext.npn = OPENSSL_malloc(selected_len); + if (s->ext.npn == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN, + ERR_R_INTERNAL_ERROR); + return 0; + } + + memcpy(s->ext.npn, selected, selected_len); + s->ext.npn_len = selected_len; + s->s3->npn_seen = 1; + + return 1; +} +#endif + +int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + size_t len; + + /* We must have requested it. */ + if (!s->s3->alpn_sent) { + SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_ALPN, + SSL_R_BAD_EXTENSION); + return 0; + } + /*- + * The extension data consists of: + * uint16 list_length + * uint8 proto_length; + * uint8 proto[proto_length]; + */ + if (!PACKET_get_net_2_len(pkt, &len) + || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len) + || PACKET_remaining(pkt) != len) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, + SSL_R_BAD_EXTENSION); + return 0; + } + OPENSSL_free(s->s3->alpn_selected); + s->s3->alpn_selected = OPENSSL_malloc(len); + if (s->s3->alpn_selected == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, + ERR_R_INTERNAL_ERROR); + return 0; + } + if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, + SSL_R_BAD_EXTENSION); + return 0; + } + s->s3->alpn_selected_len = len; + + if (s->session->ext.alpn_selected == NULL + || s->session->ext.alpn_selected_len != len + || memcmp(s->session->ext.alpn_selected, s->s3->alpn_selected, len) + != 0) { + /* ALPN not consistent with the old session so cannot use early_data */ + s->ext.early_data_ok = 0; + } + if (!s->hit) { + /* + * This is a new session and so alpn_selected should have been + * initialised to NULL. We should update it with the selected ALPN. + */ + if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, + ERR_R_INTERNAL_ERROR); + return 0; + } + s->session->ext.alpn_selected = + OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len); + if (s->session->ext.alpn_selected == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, + ERR_R_INTERNAL_ERROR); + return 0; + } + s->session->ext.alpn_selected_len = s->s3->alpn_selected_len; + } + + return 1; +} + +#ifndef OPENSSL_NO_SRTP +int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + unsigned int id, ct, mki; + int i; + STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; + SRTP_PROTECTION_PROFILE *prof; + + if (!PACKET_get_net_2(pkt, &ct) || ct != 2 + || !PACKET_get_net_2(pkt, &id) + || !PACKET_get_1(pkt, &mki) + || PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP, + SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); + return 0; + } + + if (mki != 0) { + /* Must be no MKI, since we never offer one */ + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_USE_SRTP, + SSL_R_BAD_SRTP_MKI_VALUE); + return 0; + } + + /* Throw an error if the server gave us an unsolicited extension */ + clnt = SSL_get_srtp_profiles(s); + if (clnt == NULL) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP, + SSL_R_NO_SRTP_PROFILES); + return 0; + } + + /* + * Check to see if the server gave us something we support (and + * presumably offered) + */ + for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { + prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); + + if (prof->id == id) { + s->srtp_profile = prof; + return 1; + } + } + + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP, + SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); + return 0; +} +#endif + +int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + /* Ignore if inappropriate ciphersuite */ + if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) + && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD + && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4) + s->ext.use_etm = 1; + + return 1; +} + +int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; + if (!s->hit) + s->session->flags |= SSL_SESS_FLAG_EXTMS; + + return 1; +} + +int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + unsigned int version; + + if (!PACKET_get_net_2(pkt, &version) + || PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS, + SSL_R_LENGTH_MISMATCH); + return 0; + } + + /* + * The only protocol version we support which is valid in this extension in + * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else. + */ + if (version != TLS1_3_VERSION) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS, + SSL_R_BAD_PROTOCOL_VERSION_NUMBER); + return 0; + } + + /* We ignore this extension for HRRs except to sanity check it */ + if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) + return 1; + + /* We just set it here. We validate it in ssl_choose_client_version */ + s->version = version; + + return 1; +} + +int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ +#ifndef OPENSSL_NO_TLS1_3 + unsigned int group_id; + PACKET encoded_pt; + EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL; + + /* Sanity check */ + if (ckey == NULL || s->s3->peer_tmp != NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, + ERR_R_INTERNAL_ERROR); + return 0; + } + + if (!PACKET_get_net_2(pkt, &group_id)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, + SSL_R_LENGTH_MISMATCH); + return 0; + } + + if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) { + const uint16_t *pgroups = NULL; + size_t i, num_groups; + + if (PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, + SSL_R_LENGTH_MISMATCH); + return 0; + } + + /* + * It is an error if the HelloRetryRequest wants a key_share that we + * already sent in the first ClientHello + */ + if (group_id == s->s3->group_id) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE); + return 0; + } + + /* Validate the selected group is one we support */ + tls1_get_supported_groups(s, &pgroups, &num_groups); + for (i = 0; i < num_groups; i++) { + if (group_id == pgroups[i]) + break; + } + if (i >= num_groups + || !tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE); + return 0; + } + + s->s3->group_id = group_id; + EVP_PKEY_free(s->s3->tmp.pkey); + s->s3->tmp.pkey = NULL; + return 1; + } + + if (group_id != s->s3->group_id) { + /* + * This isn't for the group that we sent in the original + * key_share! + */ + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE, + SSL_R_BAD_KEY_SHARE); + return 0; + } + + if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt) + || PACKET_remaining(&encoded_pt) == 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, + SSL_R_LENGTH_MISMATCH); + return 0; + } + + skey = ssl_generate_pkey(ckey); + if (skey == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, + ERR_R_MALLOC_FAILURE); + return 0; + } + if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt), + PACKET_remaining(&encoded_pt))) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE, + SSL_R_BAD_ECPOINT); + EVP_PKEY_free(skey); + return 0; + } + + if (ssl_derive(s, ckey, skey, 1) == 0) { + /* SSLfatal() already called */ + EVP_PKEY_free(skey); + return 0; + } + s->s3->peer_tmp = skey; +#endif + + return 1; +} + +int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + PACKET cookie; + + if (!PACKET_as_length_prefixed_2(pkt, &cookie) + || !PACKET_memdup(&cookie, &s->ext.tls13_cookie, + &s->ext.tls13_cookie_len)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_COOKIE, + SSL_R_LENGTH_MISMATCH); + return 0; + } + + return 1; +} + +int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { + unsigned long max_early_data; + + if (!PACKET_get_net_4(pkt, &max_early_data) + || PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA, + SSL_R_INVALID_MAX_EARLY_DATA); + return 0; + } + + s->session->ext.max_early_data = max_early_data; + + return 1; + } + + if (PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA, + SSL_R_BAD_EXTENSION); + return 0; + } + + if (!s->ext.early_data_ok + || !s->hit + || s->session->ext.tick_identity != 0) { + /* + * If we get here then we didn't send early data, or we didn't resume + * using the first identity, or the SNI/ALPN is not consistent so the + * server should not be accepting it. + */ + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_EARLY_DATA, + SSL_R_BAD_EXTENSION); + return 0; + } + + s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; + + return 1; +} + +int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ +#ifndef OPENSSL_NO_TLS1_3 + unsigned int identity; + + if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_PSK, + SSL_R_LENGTH_MISMATCH); + return 0; + } + + if (s->session->ext.tick_identity == (int)identity) { + s->hit = 1; + SSL_SESSION_free(s->psksession); + s->psksession = NULL; + return 1; + } + + if (s->psksession == NULL + || s->psksession->ext.tick_identity != (int)identity) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK, + SSL_R_BAD_PSK_IDENTITY); + return 0; + } + + /* + * If we used the external PSK for sending early_data then s->early_secret + * is already set up, so don't overwrite it. Otherwise we copy the + * early_secret across that we generated earlier. + */ + if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY + && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) + || s->session->ext.max_early_data > 0 + || s->psksession->ext.max_early_data == 0) + memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE); + + SSL_SESSION_free(s->session); + s->session = s->psksession; + s->psksession = NULL; + s->hit = 1; +#endif + + return 1; +} diff --git a/deps/openssl/openssl/ssl/statem/extensions_cust.c b/deps/openssl/openssl/ssl/statem/extensions_cust.c new file mode 100644 index 0000000000..a4cdc81d68 --- /dev/null +++ b/deps/openssl/openssl/ssl/statem/extensions_cust.c @@ -0,0 +1,533 @@ +/* + * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* Custom extension utility functions */ + +#include <openssl/ct.h> +#include "../ssl_locl.h" +#include "internal/cryptlib.h" +#include "statem_locl.h" + +typedef struct { + void *add_arg; + custom_ext_add_cb add_cb; + custom_ext_free_cb free_cb; +} custom_ext_add_cb_wrap; + +typedef struct { + void *parse_arg; + custom_ext_parse_cb parse_cb; +} custom_ext_parse_cb_wrap; + +/* + * Provide thin wrapper callbacks which convert new style arguments to old style + */ +static int custom_ext_add_old_cb_wrap(SSL *s, unsigned int ext_type, + unsigned int context, + const unsigned char **out, + size_t *outlen, X509 *x, size_t chainidx, + int *al, void *add_arg) +{ + custom_ext_add_cb_wrap *add_cb_wrap = (custom_ext_add_cb_wrap *)add_arg; + + if (add_cb_wrap->add_cb == NULL) + return 1; + + return add_cb_wrap->add_cb(s, ext_type, out, outlen, al, + add_cb_wrap->add_arg); +} + +static void custom_ext_free_old_cb_wrap(SSL *s, unsigned int ext_type, + unsigned int context, + const unsigned char *out, void *add_arg) +{ + custom_ext_add_cb_wrap *add_cb_wrap = (custom_ext_add_cb_wrap *)add_arg; + + if (add_cb_wrap->free_cb == NULL) + return; + + add_cb_wrap->free_cb(s, ext_type, out, add_cb_wrap->add_arg); +} + +static int custom_ext_parse_old_cb_wrap(SSL *s, unsigned int ext_type, + unsigned int context, + const unsigned char *in, + size_t inlen, X509 *x, size_t chainidx, + int *al, void *parse_arg) +{ + custom_ext_parse_cb_wrap *parse_cb_wrap = + (custom_ext_parse_cb_wrap *)parse_arg; + + if (parse_cb_wrap->parse_cb == NULL) + return 1; + + return parse_cb_wrap->parse_cb(s, ext_type, in, inlen, al, + parse_cb_wrap->parse_arg); +} + +/* + * Find a custom extension from the list. The |role| param is there to + * support the legacy API where custom extensions for client and server could + * be set independently on the same SSL_CTX. It is set to ENDPOINT_SERVER if we + * are trying to find a method relevant to the server, ENDPOINT_CLIENT for the + * client, or ENDPOINT_BOTH for either + */ +custom_ext_method *custom_ext_find(const custom_ext_methods *exts, + ENDPOINT role, unsigned int ext_type, + size_t *idx) +{ + size_t i; + custom_ext_method *meth = exts->meths; + + for (i = 0; i < exts->meths_count; i++, meth++) { + if (ext_type == meth->ext_type + && (role == ENDPOINT_BOTH || role == meth->role + || meth->role == ENDPOINT_BOTH)) { + if (idx != NULL) + *idx = i; + return meth; + } + } + return NULL; +} + +/* + * Initialise custom extensions flags to indicate neither sent nor received. + */ +void custom_ext_init(custom_ext_methods *exts) +{ + size_t i; + custom_ext_method *meth = exts->meths; + + for (i = 0; i < exts->meths_count; i++, meth++) + meth->ext_flags = 0; +} + +/* Pass received custom extension data to the application for parsing. */ +int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type, + const unsigned char *ext_data, size_t ext_size, X509 *x, + size_t chainidx) +{ + int al; + custom_ext_methods *exts = &s->cert->custext; + custom_ext_method *meth; + ENDPOINT role = ENDPOINT_BOTH; + + if ((context & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0) + role = s->server ? ENDPOINT_SERVER : ENDPOINT_CLIENT; + + meth = custom_ext_find(exts, role, ext_type, NULL); + /* If not found return success */ + if (!meth) + return 1; + + /* Check if extension is defined for our protocol. If not, skip */ + if (!extension_is_relevant(s, meth->context, context)) + return 1; + + if ((context & (SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_3_SERVER_HELLO + | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS)) != 0) { + /* + * If it's ServerHello or EncryptedExtensions we can't have any + * extensions not sent in ClientHello. + */ + if ((meth->ext_flags & SSL_EXT_FLAG_SENT) == 0) { + SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_F_CUSTOM_EXT_PARSE, + SSL_R_BAD_EXTENSION); + return 0; + } + } + + /* + * Extensions received in the ClientHello are marked with the + * SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent + * extensions in the ServerHello/EncryptedExtensions message + */ + if ((context & SSL_EXT_CLIENT_HELLO) != 0) + meth->ext_flags |= SSL_EXT_FLAG_RECEIVED; + + /* If no parse function set return success */ + if (!meth->parse_cb) + return 1; + + if (meth->parse_cb(s, ext_type, context, ext_data, ext_size, x, chainidx, + &al, meth->parse_arg) <= 0) { + SSLfatal(s, al, SSL_F_CUSTOM_EXT_PARSE, SSL_R_BAD_EXTENSION); + return 0; + } + + return 1; +} + +/* + * Request custom extension data from the application and add to the return + * buffer. + */ +int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx, + int maxversion) +{ + custom_ext_methods *exts = &s->cert->custext; + custom_ext_method *meth; + size_t i; + int al; + + for (i = 0; i < exts->meths_count; i++) { + const unsigned char *out = NULL; + size_t outlen = 0; + + meth = exts->meths + i; + + if (!should_add_extension(s, meth->context, context, maxversion)) + continue; + + if ((context & (SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_3_SERVER_HELLO + | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS + | SSL_EXT_TLS1_3_CERTIFICATE + | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)) != 0) { + /* Only send extensions present in ClientHello. */ + if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED)) + continue; + } + /* + * We skip it if the callback is absent - except for a ClientHello where + * we add an empty extension. + */ + if ((context & SSL_EXT_CLIENT_HELLO) == 0 && meth->add_cb == NULL) + continue; + + if (meth->add_cb != NULL) { + int cb_retval = meth->add_cb(s, meth->ext_type, context, &out, + &outlen, x, chainidx, &al, + meth->add_arg); + + if (cb_retval < 0) { + SSLfatal(s, al, SSL_F_CUSTOM_EXT_ADD, SSL_R_CALLBACK_FAILED); + return 0; /* error */ + } + if (cb_retval == 0) + continue; /* skip this extension */ + } + + if (!WPACKET_put_bytes_u16(pkt, meth->ext_type) + || !WPACKET_start_sub_packet_u16(pkt) + || (outlen > 0 && !WPACKET_memcpy(pkt, out, outlen)) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CUSTOM_EXT_ADD, + ERR_R_INTERNAL_ERROR); + return 0; + } + if ((context & SSL_EXT_CLIENT_HELLO) != 0) { + /* + * We can't send duplicates: code logic should prevent this. + */ + if (!ossl_assert((meth->ext_flags & SSL_EXT_FLAG_SENT) == 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CUSTOM_EXT_ADD, + ERR_R_INTERNAL_ERROR); + return 0; + } + /* + * Indicate extension has been sent: this is both a sanity check to + * ensure we don't send duplicate extensions and indicates that it + * is not an error if the extension is present in ServerHello. + */ + meth->ext_flags |= SSL_EXT_FLAG_SENT; + } + if (meth->free_cb != NULL) + meth->free_cb(s, meth->ext_type, context, out, meth->add_arg); + } + return 1; +} + +/* Copy the flags from src to dst for any extensions that exist in both */ +int custom_exts_copy_flags(custom_ext_methods *dst, + const custom_ext_methods *src) +{ + size_t i; + custom_ext_method *methsrc = src->meths; + + for (i = 0; i < src->meths_count; i++, methsrc++) { + custom_ext_method *methdst = custom_ext_find(dst, methsrc->role, + methsrc->ext_type, NULL); + + if (methdst == NULL) + continue; + + methdst->ext_flags = methsrc->ext_flags; + } + + return 1; +} + +/* Copy table of custom extensions */ +int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src) +{ + size_t i; + int err = 0; + + if (src->meths_count > 0) { + dst->meths = + OPENSSL_memdup(src->meths, + sizeof(*src->meths) * src->meths_count); + if (dst->meths == NULL) + return 0; + dst->meths_count = src->meths_count; + + for (i = 0; i < src->meths_count; i++) { + custom_ext_method *methsrc = src->meths + i; + custom_ext_method *methdst = dst->meths + i; + + if (methsrc->add_cb != custom_ext_add_old_cb_wrap) + continue; + + /* + * We have found an old style API wrapper. We need to copy the + * arguments too. + */ + + if (err) { + methdst->add_arg = NULL; + methdst->parse_arg = NULL; + continue; + } + + methdst->add_arg = OPENSSL_memdup(methsrc->add_arg, + sizeof(custom_ext_add_cb_wrap)); + methdst->parse_arg = OPENSSL_memdup(methsrc->parse_arg, + sizeof(custom_ext_parse_cb_wrap)); + + if (methdst->add_arg == NULL || methdst->parse_arg == NULL) + err = 1; + } + } + + if (err) { + custom_exts_free(dst); + return 0; + } + + return 1; +} + +void custom_exts_free(custom_ext_methods *exts) +{ + size_t i; + custom_ext_method *meth; + + for (i = 0, meth = exts->meths; i < exts->meths_count; i++, meth++) { + if (meth->add_cb != custom_ext_add_old_cb_wrap) + continue; + + /* Old style API wrapper. Need to free the arguments too */ + OPENSSL_free(meth->add_arg); + OPENSSL_free(meth->parse_arg); + } + OPENSSL_free(exts->meths); +} + +/* Return true if a client custom extension exists, false otherwise */ +int SSL_CTX_has_client_custom_ext(const SSL_CTX *ctx, unsigned int ext_type) +{ + return custom_ext_find(&ctx->cert->custext, ENDPOINT_CLIENT, ext_type, + NULL) != NULL; +} + +static int add_custom_ext_intern(SSL_CTX *ctx, ENDPOINT role, + unsigned int ext_type, + unsigned int context, + SSL_custom_ext_add_cb_ex add_cb, + SSL_custom_ext_free_cb_ex free_cb, + void *add_arg, + SSL_custom_ext_parse_cb_ex parse_cb, + void *parse_arg) +{ + custom_ext_methods *exts = &ctx->cert->custext; + custom_ext_method *meth, *tmp; + + /* + * Check application error: if add_cb is not set free_cb will never be + * called. + */ + if (add_cb == NULL && free_cb != NULL) + return 0; + +#ifndef OPENSSL_NO_CT + /* + * We don't want applications registering callbacks for SCT extensions + * whilst simultaneously using the built-in SCT validation features, as + * these two things may not play well together. + */ + if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp + && (context & SSL_EXT_CLIENT_HELLO) != 0 + && SSL_CTX_ct_is_enabled(ctx)) + return 0; +#endif + + /* + * Don't add if extension supported internally, but make exception + * for extension types that previously were not supported, but now are. + */ + if (SSL_extension_supported(ext_type) + && ext_type != TLSEXT_TYPE_signed_certificate_timestamp) + return 0; + + /* Extension type must fit in 16 bits */ + if (ext_type > 0xffff) + return 0; + /* Search for duplicate */ + if (custom_ext_find(exts, role, ext_type, NULL)) + return 0; + tmp = OPENSSL_realloc(exts->meths, + (exts->meths_count + 1) * sizeof(custom_ext_method)); + if (tmp == NULL) + return 0; + + exts->meths = tmp; + meth = exts->meths + exts->meths_count; + memset(meth, 0, sizeof(*meth)); + meth->role = role; + meth->context = context; + meth->parse_cb = parse_cb; + meth->add_cb = add_cb; + meth->free_cb = free_cb; + meth->ext_type = ext_type; + meth->add_arg = add_arg; + meth->parse_arg = parse_arg; + exts->meths_count++; + return 1; +} + +static int add_old_custom_ext(SSL_CTX *ctx, ENDPOINT role, + unsigned int ext_type, + unsigned int context, + custom_ext_add_cb add_cb, + custom_ext_free_cb free_cb, + void *add_arg, + custom_ext_parse_cb parse_cb, void *parse_arg) +{ + custom_ext_add_cb_wrap *add_cb_wrap + = OPENSSL_malloc(sizeof(*add_cb_wrap)); + custom_ext_parse_cb_wrap *parse_cb_wrap + = OPENSSL_malloc(sizeof(*parse_cb_wrap)); + int ret; + + if (add_cb_wrap == NULL || parse_cb_wrap == NULL) { + OPENSSL_free(add_cb_wrap); + OPENSSL_free(parse_cb_wrap); + return 0; + } + + add_cb_wrap->add_arg = add_arg; + add_cb_wrap->add_cb = add_cb; + add_cb_wrap->free_cb = free_cb; + parse_cb_wrap->parse_arg = parse_arg; + parse_cb_wrap->parse_cb = parse_cb; + + ret = add_custom_ext_intern(ctx, role, ext_type, + context, + custom_ext_add_old_cb_wrap, + custom_ext_free_old_cb_wrap, + add_cb_wrap, + custom_ext_parse_old_cb_wrap, + parse_cb_wrap); + + if (!ret) { + OPENSSL_free(add_cb_wrap); + OPENSSL_free(parse_cb_wrap); + } + + return ret; +} + +/* Application level functions to add the old custom extension callbacks */ +int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type, + custom_ext_add_cb add_cb, + custom_ext_free_cb free_cb, + void *add_arg, + custom_ext_parse_cb parse_cb, void *parse_arg) +{ + return add_old_custom_ext(ctx, ENDPOINT_CLIENT, ext_type, + SSL_EXT_TLS1_2_AND_BELOW_ONLY + | SSL_EXT_CLIENT_HELLO + | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_IGNORE_ON_RESUMPTION, + add_cb, free_cb, add_arg, parse_cb, parse_arg); +} + +int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type, + custom_ext_add_cb add_cb, + custom_ext_free_cb free_cb, + void *add_arg, + custom_ext_parse_cb parse_cb, void *parse_arg) +{ + return add_old_custom_ext(ctx, ENDPOINT_SERVER, ext_type, + SSL_EXT_TLS1_2_AND_BELOW_ONLY + | SSL_EXT_CLIENT_HELLO + | SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_IGNORE_ON_RESUMPTION, + add_cb, free_cb, add_arg, parse_cb, parse_arg); +} + +int SSL_CTX_add_custom_ext(SSL_CTX *ctx, unsigned int ext_type, + unsigned int context, + SSL_custom_ext_add_cb_ex add_cb, + SSL_custom_ext_free_cb_ex free_cb, + void *add_arg, + SSL_custom_ext_parse_cb_ex parse_cb, void *parse_arg) +{ + return add_custom_ext_intern(ctx, ENDPOINT_BOTH, ext_type, context, add_cb, + free_cb, add_arg, parse_cb, parse_arg); +} + +int SSL_extension_supported(unsigned int ext_type) +{ + switch (ext_type) { + /* Internally supported extensions. */ + case TLSEXT_TYPE_application_layer_protocol_negotiation: +#ifndef OPENSSL_NO_EC + case TLSEXT_TYPE_ec_point_formats: + case TLSEXT_TYPE_supported_groups: + case TLSEXT_TYPE_key_share: +#endif +#ifndef OPENSSL_NO_NEXTPROTONEG + case TLSEXT_TYPE_next_proto_neg: +#endif + case TLSEXT_TYPE_padding: + case TLSEXT_TYPE_renegotiate: + case TLSEXT_TYPE_max_fragment_length: + case TLSEXT_TYPE_server_name: + case TLSEXT_TYPE_session_ticket: + case TLSEXT_TYPE_signature_algorithms: +#ifndef OPENSSL_NO_SRP + case TLSEXT_TYPE_srp: +#endif +#ifndef OPENSSL_NO_OCSP + case TLSEXT_TYPE_status_request: +#endif +#ifndef OPENSSL_NO_CT + case TLSEXT_TYPE_signed_certificate_timestamp: +#endif +#ifndef OPENSSL_NO_SRTP + case TLSEXT_TYPE_use_srtp: +#endif + case TLSEXT_TYPE_encrypt_then_mac: + case TLSEXT_TYPE_supported_versions: + case TLSEXT_TYPE_extended_master_secret: + case TLSEXT_TYPE_psk_kex_modes: + case TLSEXT_TYPE_cookie: + case TLSEXT_TYPE_early_data: + case TLSEXT_TYPE_certificate_authorities: + case TLSEXT_TYPE_psk: + case TLSEXT_TYPE_post_handshake_auth: + return 1; + default: + return 0; + } +} diff --git a/deps/openssl/openssl/ssl/statem/extensions_srvr.c b/deps/openssl/openssl/ssl/statem/extensions_srvr.c new file mode 100644 index 0000000000..0f2b22392b --- /dev/null +++ b/deps/openssl/openssl/ssl/statem/extensions_srvr.c @@ -0,0 +1,1959 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/ocsp.h> +#include "../ssl_locl.h" +#include "statem_locl.h" +#include "internal/cryptlib.h" + +#define COOKIE_STATE_FORMAT_VERSION 0 + +/* + * 2 bytes for packet length, 2 bytes for format version, 2 bytes for + * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for + * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen, + * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie + * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing. + */ +#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \ + + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH) + +/* + * Message header + 2 bytes for protocol version + number of random bytes + + * + 1 byte for legacy session id length + number of bytes in legacy session id + * + 2 bytes for ciphersuite + 1 byte for legacy compression + * + 2 bytes for extension block length + 6 bytes for key_share extension + * + 4 bytes for cookie extension header + the number of bytes in the cookie + */ +#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \ + + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \ + + MAX_COOKIE_SIZE) + +/* + * Parse the client's renegotiation binding and abort if it's not right + */ +int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + unsigned int ilen; + const unsigned char *data; + + /* Parse the length byte */ + if (!PACKET_get_1(pkt, &ilen) + || !PACKET_get_bytes(pkt, &data, ilen)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE, + SSL_R_RENEGOTIATION_ENCODING_ERR); + return 0; + } + + /* Check that the extension matches */ + if (ilen != s->s3->previous_client_finished_len) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE, + SSL_R_RENEGOTIATION_MISMATCH); + return 0; + } + + if (memcmp(data, s->s3->previous_client_finished, + s->s3->previous_client_finished_len)) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE, + SSL_R_RENEGOTIATION_MISMATCH); + return 0; + } + + s->s3->send_connection_binding = 1; + + return 1; +} + +/*- + * The servername extension is treated as follows: + * + * - Only the hostname type is supported with a maximum length of 255. + * - The servername is rejected if too long or if it contains zeros, + * in which case an fatal alert is generated. + * - The servername field is maintained together with the session cache. + * - When a session is resumed, the servername call back invoked in order + * to allow the application to position itself to the right context. + * - The servername is acknowledged if it is new for a session or when + * it is identical to a previously used for the same session. + * Applications can control the behaviour. They can at any time + * set a 'desirable' servername for a new SSL object. This can be the + * case for example with HTTPS when a Host: header field is received and + * a renegotiation is requested. In this case, a possible servername + * presented in the new client hello is only acknowledged if it matches + * the value of the Host: field. + * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + * if they provide for changing an explicit servername context for the + * session, i.e. when the session has been established with a servername + * extension. + * - On session reconnect, the servername extension may be absent. + */ +int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + unsigned int servname_type; + PACKET sni, hostname; + + if (!PACKET_as_length_prefixed_2(pkt, &sni) + /* ServerNameList must be at least 1 byte long. */ + || PACKET_remaining(&sni) == 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME, + SSL_R_BAD_EXTENSION); + return 0; + } + + /* + * Although the intent was for server_name to be extensible, RFC 4366 + * was not clear about it; and so OpenSSL among other implementations, + * always and only allows a 'host_name' name types. + * RFC 6066 corrected the mistake but adding new name types + * is nevertheless no longer feasible, so act as if no other + * SNI types can exist, to simplify parsing. + * + * Also note that the RFC permits only one SNI value per type, + * i.e., we can only have a single hostname. + */ + if (!PACKET_get_1(&sni, &servname_type) + || servname_type != TLSEXT_NAMETYPE_host_name + || !PACKET_as_length_prefixed_2(&sni, &hostname)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME, + SSL_R_BAD_EXTENSION); + return 0; + } + + if (!s->hit || SSL_IS_TLS13(s)) { + if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) { + SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, + SSL_F_TLS_PARSE_CTOS_SERVER_NAME, + SSL_R_BAD_EXTENSION); + return 0; + } + + if (PACKET_contains_zero_byte(&hostname)) { + SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, + SSL_F_TLS_PARSE_CTOS_SERVER_NAME, + SSL_R_BAD_EXTENSION); + return 0; + } + + /* + * Store the requested SNI in the SSL as temporary storage. + * If we accept it, it will get stored in the SSL_SESSION as well. + */ + OPENSSL_free(s->ext.hostname); + s->ext.hostname = NULL; + if (!PACKET_strndup(&hostname, &s->ext.hostname)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME, + ERR_R_INTERNAL_ERROR); + return 0; + } + + s->servername_done = 1; + } + if (s->hit) { + /* + * TODO(openssl-team): if the SNI doesn't match, we MUST + * fall back to a full handshake. + */ + s->servername_done = (s->session->ext.hostname != NULL) + && PACKET_equal(&hostname, s->session->ext.hostname, + strlen(s->session->ext.hostname)); + + if (!s->servername_done && s->session->ext.hostname != NULL) + s->ext.early_data_ok = 0; + } + + return 1; +} + +int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + unsigned int value; + + if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN, + SSL_R_BAD_EXTENSION); + return 0; + } + + /* Received |value| should be a valid max-fragment-length code. */ + if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN, + SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); + return 0; + } + + /* + * RFC 6066: The negotiated length applies for the duration of the session + * including session resumptions. + * We should receive the same code as in resumed session ! + */ + if (s->hit && s->session->ext.max_fragment_len_mode != value) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN, + SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); + return 0; + } + + /* + * Store it in session, so it'll become binding for us + * and we'll include it in a next Server Hello. + */ + s->session->ext.max_fragment_len_mode = value; + return 1; +} + +#ifndef OPENSSL_NO_SRP +int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + PACKET srp_I; + + if (!PACKET_as_length_prefixed_1(pkt, &srp_I) + || PACKET_contains_zero_byte(&srp_I)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_SRP, + SSL_R_BAD_EXTENSION); + return 0; + } + + /* + * TODO(openssl-team): currently, we re-authenticate the user + * upon resumption. Instead, we MUST ignore the login. + */ + if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP, + ERR_R_INTERNAL_ERROR); + return 0; + } + + return 1; +} +#endif + +#ifndef OPENSSL_NO_EC +int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + PACKET ec_point_format_list; + + if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list) + || PACKET_remaining(&ec_point_format_list) == 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, + SSL_R_BAD_EXTENSION); + return 0; + } + + if (!s->hit) { + if (!PACKET_memdup(&ec_point_format_list, + &s->session->ext.ecpointformats, + &s->session->ext.ecpointformats_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); + return 0; + } + } + + return 1; +} +#endif /* OPENSSL_NO_EC */ + +int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (s->ext.session_ticket_cb && + !s->ext.session_ticket_cb(s, PACKET_data(pkt), + PACKET_remaining(pkt), + s->ext.session_ticket_cb_arg)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR); + return 0; + } + + return 1; +} + +int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + PACKET supported_sig_algs; + + if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs) + || PACKET_remaining(&supported_sig_algs) == 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION); + return 0; + } + + if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION); + return 0; + } + + return 1; +} + +int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + PACKET supported_sig_algs; + + if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs) + || PACKET_remaining(&supported_sig_algs) == 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION); + return 0; + } + + if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION); + return 0; + } + + return 1; +} + +#ifndef OPENSSL_NO_OCSP +int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + PACKET responder_id_list, exts; + + /* We ignore this in a resumption handshake */ + if (s->hit) + return 1; + + /* Not defined if we get one of these in a client Certificate */ + if (x != NULL) + return 1; + + if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); + return 0; + } + + if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { + /* + * We don't know what to do with any other type so ignore it. + */ + s->ext.status_type = TLSEXT_STATUSTYPE_nothing; + return 1; + } + + if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); + return 0; + } + + /* + * We remove any OCSP_RESPIDs from a previous handshake + * to prevent unbounded memory growth - CVE-2016-6304 + */ + sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free); + if (PACKET_remaining(&responder_id_list) > 0) { + s->ext.ocsp.ids = sk_OCSP_RESPID_new_null(); + if (s->ext.ocsp.ids == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE); + return 0; + } + } else { + s->ext.ocsp.ids = NULL; + } + + while (PACKET_remaining(&responder_id_list) > 0) { + OCSP_RESPID *id; + PACKET responder_id; + const unsigned char *id_data; + + if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id) + || PACKET_remaining(&responder_id) == 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); + return 0; + } + + id_data = PACKET_data(&responder_id); + /* TODO(size_t): Convert d2i_* to size_t */ + id = d2i_OCSP_RESPID(NULL, &id_data, + (int)PACKET_remaining(&responder_id)); + if (id == NULL) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); + return 0; + } + + if (id_data != PACKET_end(&responder_id)) { + OCSP_RESPID_free(id); + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); + + return 0; + } + + if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) { + OCSP_RESPID_free(id); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); + + return 0; + } + } + + /* Read in request_extensions */ + if (!PACKET_as_length_prefixed_2(pkt, &exts)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); + return 0; + } + + if (PACKET_remaining(&exts) > 0) { + const unsigned char *ext_data = PACKET_data(&exts); + + sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, + X509_EXTENSION_free); + s->ext.ocsp.exts = + d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts)); + if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION); + return 0; + } + } + + return 1; +} +#endif + +#ifndef OPENSSL_NO_NEXTPROTONEG +int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + /* + * We shouldn't accept this extension on a + * renegotiation. + */ + if (SSL_IS_FIRST_HANDSHAKE(s)) + s->s3->npn_seen = 1; + + return 1; +} +#endif + +/* + * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN + * extension, not including type and length. Returns: 1 on success, 0 on error. + */ +int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + PACKET protocol_list, save_protocol_list, protocol; + + if (!SSL_IS_FIRST_HANDSHAKE(s)) + return 1; + + if (!PACKET_as_length_prefixed_2(pkt, &protocol_list) + || PACKET_remaining(&protocol_list) < 2) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN, + SSL_R_BAD_EXTENSION); + return 0; + } + + save_protocol_list = protocol_list; + do { + /* Protocol names can't be empty. */ + if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol) + || PACKET_remaining(&protocol) == 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN, + SSL_R_BAD_EXTENSION); + return 0; + } + } while (PACKET_remaining(&protocol_list) != 0); + + OPENSSL_free(s->s3->alpn_proposed); + s->s3->alpn_proposed = NULL; + s->s3->alpn_proposed_len = 0; + if (!PACKET_memdup(&save_protocol_list, + &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN, + ERR_R_INTERNAL_ERROR); + return 0; + } + + return 1; +} + +#ifndef OPENSSL_NO_SRTP +int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + STACK_OF(SRTP_PROTECTION_PROFILE) *srvr; + unsigned int ct, mki_len, id; + int i, srtp_pref; + PACKET subpkt; + + /* Ignore this if we have no SRTP profiles */ + if (SSL_get_srtp_profiles(s) == NULL) + return 1; + + /* Pull off the length of the cipher suite list and check it is even */ + if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0 + || !PACKET_get_sub_packet(pkt, &subpkt, ct)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP, + SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); + return 0; + } + + srvr = SSL_get_srtp_profiles(s); + s->srtp_profile = NULL; + /* Search all profiles for a match initially */ + srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr); + + while (PACKET_remaining(&subpkt)) { + if (!PACKET_get_net_2(&subpkt, &id)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP, + SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); + return 0; + } + + /* + * Only look for match in profiles of higher preference than + * current match. + * If no profiles have been have been configured then this + * does nothing. + */ + for (i = 0; i < srtp_pref; i++) { + SRTP_PROTECTION_PROFILE *sprof = + sk_SRTP_PROTECTION_PROFILE_value(srvr, i); + + if (sprof->id == id) { + s->srtp_profile = sprof; + srtp_pref = i; + break; + } + } + } + + /* Now extract the MKI value as a sanity check, but discard it for now */ + if (!PACKET_get_1(pkt, &mki_len)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP, + SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); + return 0; + } + + if (!PACKET_forward(pkt, mki_len) + || PACKET_remaining(pkt)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP, + SSL_R_BAD_SRTP_MKI_VALUE); + return 0; + } + + return 1; +} +#endif + +int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) + s->ext.use_etm = 1; + + return 1; +} + +/* + * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains + * the raw PACKET data for the extension. Returns 1 on success or 0 on failure. + */ +int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ +#ifndef OPENSSL_NO_TLS1_3 + PACKET psk_kex_modes; + unsigned int mode; + + if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes) + || PACKET_remaining(&psk_kex_modes) == 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES, + SSL_R_BAD_EXTENSION); + return 0; + } + + while (PACKET_get_1(&psk_kex_modes, &mode)) { + if (mode == TLSEXT_KEX_MODE_KE_DHE) + s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE; + else if (mode == TLSEXT_KEX_MODE_KE + && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0) + s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE; + } +#endif + + return 1; +} + +/* + * Process a key_share extension received in the ClientHello. |pkt| contains + * the raw PACKET data for the extension. Returns 1 on success or 0 on failure. + */ +int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ +#ifndef OPENSSL_NO_TLS1_3 + unsigned int group_id; + PACKET key_share_list, encoded_pt; + const uint16_t *clntgroups, *srvrgroups; + size_t clnt_num_groups, srvr_num_groups; + int found = 0; + + if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) + return 1; + + /* Sanity check */ + if (s->s3->peer_tmp != NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, + ERR_R_INTERNAL_ERROR); + return 0; + } + + if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, + SSL_R_LENGTH_MISMATCH); + return 0; + } + + /* Get our list of supported groups */ + tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups); + /* Get the clients list of supported groups. */ + tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups); + if (clnt_num_groups == 0) { + /* + * This can only happen if the supported_groups extension was not sent, + * because we verify that the length is non-zero when we process that + * extension. + */ + SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, + SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION); + return 0; + } + + if (s->s3->group_id != 0 && PACKET_remaining(&key_share_list) == 0) { + /* + * If we set a group_id already, then we must have sent an HRR + * requesting a new key_share. If we haven't got one then that is an + * error + */ + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, + SSL_R_BAD_KEY_SHARE); + return 0; + } + + while (PACKET_remaining(&key_share_list) > 0) { + if (!PACKET_get_net_2(&key_share_list, &group_id) + || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt) + || PACKET_remaining(&encoded_pt) == 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, + SSL_R_LENGTH_MISMATCH); + return 0; + } + + /* + * If we already found a suitable key_share we loop through the + * rest to verify the structure, but don't process them. + */ + if (found) + continue; + + /* + * If we sent an HRR then the key_share sent back MUST be for the group + * we requested, and must be the only key_share sent. + */ + if (s->s3->group_id != 0 + && (group_id != s->s3->group_id + || PACKET_remaining(&key_share_list) != 0)) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE); + return 0; + } + + /* Check if this share is in supported_groups sent from client */ + if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE); + return 0; + } + + /* Check if this share is for a group we can use */ + if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) { + /* Share not suitable */ + continue; + } + + if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, + SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); + return 0; + } + + s->s3->group_id = group_id; + + if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp, + PACKET_data(&encoded_pt), + PACKET_remaining(&encoded_pt))) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT); + return 0; + } + + found = 1; + } +#endif + + return 1; +} + +int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ +#ifndef OPENSSL_NO_TLS1_3 + unsigned int format, version, key_share, group_id; + EVP_MD_CTX *hctx; + EVP_PKEY *pkey; + PACKET cookie, raw, chhash, appcookie; + WPACKET hrrpkt; + const unsigned char *data, *mdin, *ciphdata; + unsigned char hmac[SHA256_DIGEST_LENGTH]; + unsigned char hrr[MAX_HRR_SIZE]; + size_t rawlen, hmaclen, hrrlen, ciphlen; + unsigned long tm, now; + + /* Ignore any cookie if we're not set up to verify it */ + if (s->ctx->verify_stateless_cookie_cb == NULL + || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0) + return 1; + + if (!PACKET_as_length_prefixed_2(pkt, &cookie)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + SSL_R_LENGTH_MISMATCH); + return 0; + } + + raw = cookie; + data = PACKET_data(&raw); + rawlen = PACKET_remaining(&raw); + if (rawlen < SHA256_DIGEST_LENGTH + || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + SSL_R_LENGTH_MISMATCH); + return 0; + } + mdin = PACKET_data(&raw); + + /* Verify the HMAC of the cookie */ + hctx = EVP_MD_CTX_create(); + pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, + s->session_ctx->ext.cookie_hmac_key, + sizeof(s->session_ctx->ext + .cookie_hmac_key)); + if (hctx == NULL || pkey == NULL) { + EVP_MD_CTX_free(hctx); + EVP_PKEY_free(pkey); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + ERR_R_MALLOC_FAILURE); + return 0; + } + + hmaclen = SHA256_DIGEST_LENGTH; + if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0 + || EVP_DigestSign(hctx, hmac, &hmaclen, data, + rawlen - SHA256_DIGEST_LENGTH) <= 0 + || hmaclen != SHA256_DIGEST_LENGTH) { + EVP_MD_CTX_free(hctx); + EVP_PKEY_free(pkey); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + ERR_R_INTERNAL_ERROR); + return 0; + } + + EVP_MD_CTX_free(hctx); + EVP_PKEY_free(pkey); + + if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE, + SSL_R_COOKIE_MISMATCH); + return 0; + } + + if (!PACKET_get_net_2(&cookie, &format)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + SSL_R_LENGTH_MISMATCH); + return 0; + } + /* Check the cookie format is something we recognise. Ignore it if not */ + if (format != COOKIE_STATE_FORMAT_VERSION) + return 1; + + /* + * The rest of these checks really shouldn't fail since we have verified the + * HMAC above. + */ + + /* Check the version number is sane */ + if (!PACKET_get_net_2(&cookie, &version)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + SSL_R_LENGTH_MISMATCH); + return 0; + } + if (version != TLS1_3_VERSION) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE, + SSL_R_BAD_PROTOCOL_VERSION_NUMBER); + return 0; + } + + if (!PACKET_get_net_2(&cookie, &group_id)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + SSL_R_LENGTH_MISMATCH); + return 0; + } + + ciphdata = PACKET_data(&cookie); + if (!PACKET_forward(&cookie, 2)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + SSL_R_LENGTH_MISMATCH); + return 0; + } + if (group_id != s->s3->group_id + || s->s3->tmp.new_cipher + != ssl_get_cipher_by_char(s, ciphdata, 0)) { + /* + * We chose a different cipher or group id this time around to what is + * in the cookie. Something must have changed. + */ + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE, + SSL_R_BAD_CIPHER); + return 0; + } + + if (!PACKET_get_1(&cookie, &key_share) + || !PACKET_get_net_4(&cookie, &tm) + || !PACKET_get_length_prefixed_2(&cookie, &chhash) + || !PACKET_get_length_prefixed_1(&cookie, &appcookie) + || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + SSL_R_LENGTH_MISMATCH); + return 0; + } + + /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */ + now = (unsigned long)time(NULL); + if (tm > now || (now - tm) > 600) { + /* Cookie is stale. Ignore it */ + return 1; + } + + /* Verify the app cookie */ + if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie), + PACKET_remaining(&appcookie)) == 0) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE, + SSL_R_COOKIE_MISMATCH); + return 0; + } + + /* + * Reconstruct the HRR that we would have sent in response to the original + * ClientHello so we can add it to the transcript hash. + * Note: This won't work with custom HRR extensions + */ + if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + ERR_R_INTERNAL_ERROR); + return 0; + } + if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO) + || !WPACKET_start_sub_packet_u24(&hrrpkt) + || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION) + || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE) + || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id, + s->tmp_session_id_len) + || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &hrrpkt, + &ciphlen) + || !WPACKET_put_bytes_u8(&hrrpkt, 0) + || !WPACKET_start_sub_packet_u16(&hrrpkt)) { + WPACKET_cleanup(&hrrpkt); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + ERR_R_INTERNAL_ERROR); + return 0; + } + if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions) + || !WPACKET_start_sub_packet_u16(&hrrpkt) + || !WPACKET_put_bytes_u16(&hrrpkt, s->version) + || !WPACKET_close(&hrrpkt)) { + WPACKET_cleanup(&hrrpkt); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + ERR_R_INTERNAL_ERROR); + return 0; + } + if (key_share) { + if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share) + || !WPACKET_start_sub_packet_u16(&hrrpkt) + || !WPACKET_put_bytes_u16(&hrrpkt, s->s3->group_id) + || !WPACKET_close(&hrrpkt)) { + WPACKET_cleanup(&hrrpkt); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie) + || !WPACKET_start_sub_packet_u16(&hrrpkt) + || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen) + || !WPACKET_close(&hrrpkt) /* cookie extension */ + || !WPACKET_close(&hrrpkt) /* extension block */ + || !WPACKET_close(&hrrpkt) /* message */ + || !WPACKET_get_total_written(&hrrpkt, &hrrlen) + || !WPACKET_finish(&hrrpkt)) { + WPACKET_cleanup(&hrrpkt); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE, + ERR_R_INTERNAL_ERROR); + return 0; + } + + /* Reconstruct the transcript hash */ + if (!create_synthetic_message_hash(s, PACKET_data(&chhash), + PACKET_remaining(&chhash), hrr, + hrrlen)) { + /* SSLfatal() already called */ + return 0; + } + + /* Act as if this ClientHello came after a HelloRetryRequest */ + s->hello_retry_request = 1; + + s->ext.cookieok = 1; +#endif + + return 1; +} + +#ifndef OPENSSL_NO_EC +int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + PACKET supported_groups_list; + + /* Each group is 2 bytes and we must have at least 1. */ + if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list) + || PACKET_remaining(&supported_groups_list) == 0 + || (PACKET_remaining(&supported_groups_list) % 2) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION); + return 0; + } + + if (!s->hit || SSL_IS_TLS13(s)) { + OPENSSL_free(s->session->ext.supportedgroups); + s->session->ext.supportedgroups = NULL; + s->session->ext.supportedgroups_len = 0; + if (!tls1_save_u16(&supported_groups_list, + &s->session->ext.supportedgroups, + &s->session->ext.supportedgroups_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + + return 1; +} +#endif + +int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + /* The extension must always be empty */ + if (PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION); + return 0; + } + + s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; + + return 1; +} + + +int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION); + return 0; + } + + if (s->hello_retry_request != SSL_HRR_NONE) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION); + return 0; + } + + return 1; +} + +static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick, + SSL_SESSION **sess) +{ + SSL_SESSION *tmpsess = NULL; + + s->ext.ticket_expected = 1; + + switch (PACKET_remaining(tick)) { + case 0: + return SSL_TICKET_EMPTY; + + case SSL_MAX_SSL_SESSION_ID_LENGTH: + break; + + default: + return SSL_TICKET_NO_DECRYPT; + } + + tmpsess = lookup_sess_in_cache(s, PACKET_data(tick), + SSL_MAX_SSL_SESSION_ID_LENGTH); + + if (tmpsess == NULL) + return SSL_TICKET_NO_DECRYPT; + + *sess = tmpsess; + return SSL_TICKET_SUCCESS; +} + +int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) +{ + PACKET identities, binders, binder; + size_t binderoffset, hashsize; + SSL_SESSION *sess = NULL; + unsigned int id, i, ext = 0; + const EVP_MD *md = NULL; + + /* + * If we have no PSK kex mode that we recognise then we can't resume so + * ignore this extension + */ + if ((s->ext.psk_kex_mode + & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0) + return 1; + + if (!PACKET_get_length_prefixed_2(pkt, &identities)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION); + return 0; + } + + s->ext.ticket_expected = 0; + for (id = 0; PACKET_remaining(&identities) != 0; id++) { + PACKET identity; + unsigned long ticket_agel; + size_t idlen; + + if (!PACKET_get_length_prefixed_2(&identities, &identity) + || !PACKET_get_net_4(&identities, &ticket_agel)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION); + return 0; + } + + idlen = PACKET_remaining(&identity); + if (s->psk_find_session_cb != NULL + && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen, + &sess)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION); + return 0; + } + +#ifndef OPENSSL_NO_PSK + if(sess == NULL + && s->psk_server_callback != NULL + && idlen <= PSK_MAX_IDENTITY_LEN) { + char *pskid = NULL; + unsigned char pskdata[PSK_MAX_PSK_LEN]; + unsigned int pskdatalen; + + if (!PACKET_strndup(&identity, &pskid)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK, + ERR_R_INTERNAL_ERROR); + return 0; + } + pskdatalen = s->psk_server_callback(s, pskid, pskdata, + sizeof(pskdata)); + OPENSSL_free(pskid); + if (pskdatalen > PSK_MAX_PSK_LEN) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK, + ERR_R_INTERNAL_ERROR); + return 0; + } else if (pskdatalen > 0) { + const SSL_CIPHER *cipher; + const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; + + /* + * We found a PSK using an old style callback. We don't know + * the digest so we default to SHA256 as per the TLSv1.3 spec + */ + cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id); + if (cipher == NULL) { + OPENSSL_cleanse(pskdata, pskdatalen); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK, + ERR_R_INTERNAL_ERROR); + return 0; + } + + sess = SSL_SESSION_new(); + if (sess == NULL + || !SSL_SESSION_set1_master_key(sess, pskdata, + pskdatalen) + || !SSL_SESSION_set_cipher(sess, cipher) + || !SSL_SESSION_set_protocol_version(sess, + TLS1_3_VERSION)) { + OPENSSL_cleanse(pskdata, pskdatalen); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK, + ERR_R_INTERNAL_ERROR); + goto err; + } + OPENSSL_cleanse(pskdata, pskdatalen); + } + } +#endif /* OPENSSL_NO_PSK */ + + if (sess != NULL) { + /* We found a PSK */ + SSL_SESSION *sesstmp = ssl_session_dup(sess, 0); + + if (sesstmp == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR); + return 0; + } + SSL_SESSION_free(sess); + sess = sesstmp; + + /* + * We've just been told to use this session for this context so + * make sure the sid_ctx matches up. + */ + memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length); + sess->sid_ctx_length = s->sid_ctx_length; + ext = 1; + if (id == 0) + s->ext.early_data_ok = 1; + s->ext.ticket_expected = 1; + } else { + uint32_t ticket_age = 0, now, agesec, agems; + int ret; + + /* + * If we are using anti-replay protection then we behave as if + * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there + * is no point in using full stateless tickets. + */ + if ((s->options & SSL_OP_NO_TICKET) != 0 + || (s->max_early_data > 0 + && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0)) + ret = tls_get_stateful_ticket(s, &identity, &sess); + else + ret = tls_decrypt_ticket(s, PACKET_data(&identity), + PACKET_remaining(&identity), NULL, 0, + &sess); + + if (ret == SSL_TICKET_EMPTY) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK, + SSL_R_BAD_EXTENSION); + return 0; + } + + if (ret == SSL_TICKET_FATAL_ERR_MALLOC + || ret == SSL_TICKET_FATAL_ERR_OTHER) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR); + return 0; + } + if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT) + continue; + + /* Check for replay */ + if (s->max_early_data > 0 + && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0 + && !SSL_CTX_remove_session(s->session_ctx, sess)) { + SSL_SESSION_free(sess); + sess = NULL; + continue; + } + + ticket_age = (uint32_t)ticket_agel; + now = (uint32_t)time(NULL); + agesec = now - (uint32_t)sess->time; + agems = agesec * (uint32_t)1000; + ticket_age -= sess->ext.tick_age_add; + + /* + * For simplicity we do our age calculations in seconds. If the + * client does it in ms then it could appear that their ticket age + * is longer than ours (our ticket age calculation should always be + * slightly longer than the client's due to the network latency). + * Therefore we add 1000ms to our age calculation to adjust for + * rounding errors. + */ + if (id == 0 + && sess->timeout >= (long)agesec + && agems / (uint32_t)1000 == agesec + && ticket_age <= agems + 1000 + && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) { + /* + * Ticket age is within tolerance and not expired. We allow it + * for early data + */ + s->ext.early_data_ok = 1; + } + } + + md = ssl_md(sess->cipher->algorithm2); + if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) { + /* The ciphersuite is not compatible with this session. */ + SSL_SESSION_free(sess); + sess = NULL; + s->ext.early_data_ok = 0; + s->ext.ticket_expected = 0; + continue; + } + break; + } + + if (sess == NULL) + return 1; + + binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data; + hashsize = EVP_MD_size(md); + + if (!PACKET_get_length_prefixed_2(pkt, &binders)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK, + SSL_R_BAD_EXTENSION); + goto err; + } + + for (i = 0; i <= id; i++) { + if (!PACKET_get_length_prefixed_1(&binders, &binder)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK, + SSL_R_BAD_EXTENSION); + goto err; + } + } + + if (PACKET_remaining(&binder) != hashsize) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK, + SSL_R_BAD_EXTENSION); + goto err; + } + if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data, + binderoffset, PACKET_data(&binder), NULL, sess, 0, + ext) != 1) { + /* SSLfatal() already called */ + goto err; + } + + sess->ext.tick_identity = id; + + SSL_SESSION_free(s->session); + s->session = sess; + return 1; +err: + SSL_SESSION_free(sess); + return 0; +} + +int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH, + SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR); + return 0; + } + + s->post_handshake_auth = SSL_PHA_EXT_RECEIVED; + + return 1; +} + +/* + * Add the server's renegotiation binding + */ +EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + if (!s->s3->send_connection_binding) + return EXT_RETURN_NOT_SENT; + + /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */ + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_start_sub_packet_u8(pkt) + || !WPACKET_memcpy(pkt, s->s3->previous_client_finished, + s->s3->previous_client_finished_len) + || !WPACKET_memcpy(pkt, s->s3->previous_server_finished, + s->s3->previous_server_finished_len) + || !WPACKET_close(pkt) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + if (s->hit || s->servername_done != 1 + || s->ext.hostname == NULL) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) + || !WPACKET_put_bytes_u16(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +/* Add/include the server's max fragment len extension into ServerHello */ +EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) + return EXT_RETURN_NOT_SENT; + + /*- + * 4 bytes for this extension type and extension length + * 1 byte for the Max Fragment Length code value. + */ + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +#ifndef OPENSSL_NO_EC +EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; + unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; + int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) + && (s->session->ext.ecpointformats != NULL); + const unsigned char *plist; + size_t plistlen; + + if (!using_ecc) + return EXT_RETURN_NOT_SENT; + + tls1_get_formatlist(s, &plist, &plistlen); + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} +#endif + +#ifndef OPENSSL_NO_EC +EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + const uint16_t *groups; + size_t numgroups, i, first = 1; + + /* s->s3->group_id is non zero if we accepted a key_share */ + if (s->s3->group_id == 0) + return EXT_RETURN_NOT_SENT; + + /* Get our list of supported groups */ + tls1_get_supported_groups(s, &groups, &numgroups); + if (numgroups == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + /* Copy group ID if supported */ + for (i = 0; i < numgroups; i++) { + uint16_t group = groups[i]; + + if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) { + if (first) { + /* + * Check if the client is already using our preferred group. If + * so we don't need to add this extension + */ + if (s->s3->group_id == group) + return EXT_RETURN_NOT_SENT; + + /* Add extension header */ + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) + /* Sub-packet for supported_groups extension */ + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_start_sub_packet_u16(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + first = 0; + } + if (!WPACKET_put_bytes_u16(pkt, group)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + } + } + + if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} +#endif + +EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + if (!s->ext.ticket_expected || !tls_use_ticket(s)) { + s->ext.ticket_expected = 0; + return EXT_RETURN_NOT_SENT; + } + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) + || !WPACKET_put_bytes_u16(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +#ifndef OPENSSL_NO_OCSP +EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + if (!s->ext.status_expected) + return EXT_RETURN_NOT_SENT; + + if (SSL_IS_TLS13(s) && chainidx != 0) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) + || !WPACKET_start_sub_packet_u16(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + /* + * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we + * send back an empty extension, with the certificate status appearing as a + * separate message + */ + if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) { + /* SSLfatal() already called */ + return EXT_RETURN_FAIL; + } + if (!WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} +#endif + +#ifndef OPENSSL_NO_NEXTPROTONEG +EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + const unsigned char *npa; + unsigned int npalen; + int ret; + int npn_seen = s->s3->npn_seen; + + s->s3->npn_seen = 0; + if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL) + return EXT_RETURN_NOT_SENT; + + ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen, + s->ctx->ext.npn_advertised_cb_arg); + if (ret == SSL_TLSEXT_ERR_OK) { + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) + || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + s->s3->npn_seen = 1; + } + + return EXT_RETURN_SENT; +} +#endif + +EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (s->s3->alpn_selected == NULL) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, + TLSEXT_TYPE_application_layer_protocol_negotiation) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected, + s->s3->alpn_selected_len) + || !WPACKET_close(pkt) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +#ifndef OPENSSL_NO_SRTP +EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + if (s->srtp_profile == NULL) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_put_bytes_u16(pkt, 2) + || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id) + || !WPACKET_put_bytes_u8(pkt, 0) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} +#endif + +EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (!s->ext.use_etm) + return EXT_RETURN_NOT_SENT; + + /* + * Don't use encrypt_then_mac if AEAD or RC4 might want to disable + * for other cases too. + */ + if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD + || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4 + || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT + || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) { + s->ext.use_etm = 0; + return EXT_RETURN_NOT_SENT; + } + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) + || !WPACKET_put_bytes_u16(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) + || !WPACKET_put_bytes_u16(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + if (!ossl_assert(SSL_IS_TLS13(s))) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_put_bytes_u16(pkt, s->version) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ +#ifndef OPENSSL_NO_TLS1_3 + unsigned char *encodedPoint; + size_t encoded_pt_len = 0; + EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL; + + if (s->hello_retry_request == SSL_HRR_PENDING) { + if (ckey != NULL) { + /* Original key_share was acceptable so don't ask for another one */ + return EXT_RETURN_NOT_SENT; + } + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_put_bytes_u16(pkt, s->s3->group_id) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; + } + + if (ckey == NULL) { + /* No key_share received from client - must be resuming */ + if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + return EXT_RETURN_NOT_SENT; + } + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + skey = ssl_generate_pkey(ckey); + if (skey == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, + ERR_R_MALLOC_FAILURE); + return EXT_RETURN_FAIL; + } + + /* Generate encoding of server key */ + encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint); + if (encoded_pt_len == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, + ERR_R_EC_LIB); + EVP_PKEY_free(skey); + return EXT_RETURN_FAIL; + } + + if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, + ERR_R_INTERNAL_ERROR); + EVP_PKEY_free(skey); + OPENSSL_free(encodedPoint); + return EXT_RETURN_FAIL; + } + OPENSSL_free(encodedPoint); + + /* This causes the crypto state to be updated based on the derived keys */ + s->s3->tmp.pkey = skey; + if (ssl_derive(s, skey, ckey, 1) == 0) { + /* SSLfatal() already called */ + return EXT_RETURN_FAIL; + } + return EXT_RETURN_SENT; +#else + return EXT_RETURN_FAIL; +#endif +} + +EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ +#ifndef OPENSSL_NO_TLS1_3 + unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie; + unsigned char *hmac, *hmac2; + size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen; + EVP_MD_CTX *hctx; + EVP_PKEY *pkey; + int ret = EXT_RETURN_FAIL; + + if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0) + return EXT_RETURN_NOT_SENT; + + if (s->ctx->gen_stateless_cookie_cb == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, + SSL_R_NO_COOKIE_CALLBACK_SET); + return EXT_RETURN_FAIL; + } + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_get_total_written(pkt, &startlen) + || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie) + || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION) + || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION) + || !WPACKET_put_bytes_u16(pkt, s->s3->group_id) + || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, + &ciphlen) + /* Is there a key_share extension present in this HRR? */ + || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL) + || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL)) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + /* + * Get the hash of the initial ClientHello. ssl_handshake_hash() operates + * on raw buffers, so we first reserve sufficient bytes (above) and then + * subsequently allocate them (below) + */ + if (!ssl3_digest_cached_records(s, 0) + || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) { + /* SSLfatal() already called */ + return EXT_RETURN_FAIL; + } + + if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2) + || !ossl_assert(hashval1 == hashval2) + || !WPACKET_close(pkt) + || !WPACKET_start_sub_packet_u8(pkt) + || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + /* Generate the application cookie */ + if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, + SSL_R_COOKIE_GEN_CALLBACK_FAILURE); + return EXT_RETURN_FAIL; + } + + if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2) + || !ossl_assert(appcookie1 == appcookie2) + || !WPACKET_close(pkt) + || !WPACKET_get_total_written(pkt, &totcookielen) + || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + hmaclen = SHA256_DIGEST_LENGTH; + + totcookielen -= startlen; + if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + /* HMAC the cookie */ + hctx = EVP_MD_CTX_create(); + pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, + s->session_ctx->ext.cookie_hmac_key, + sizeof(s->session_ctx->ext + .cookie_hmac_key)); + if (hctx == NULL || pkey == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, + ERR_R_MALLOC_FAILURE); + goto err; + } + + if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0 + || EVP_DigestSign(hctx, hmac, &hmaclen, cookie, + totcookielen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, + ERR_R_INTERNAL_ERROR); + goto err; + } + + if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, + ERR_R_INTERNAL_ERROR); + goto err; + } + + if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2) + || !ossl_assert(hmac == hmac2) + || !ossl_assert(cookie == hmac - totcookielen) + || !WPACKET_close(pkt) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE, + ERR_R_INTERNAL_ERROR); + goto err; + } + + ret = EXT_RETURN_SENT; + + err: + EVP_MD_CTX_free(hctx); + EVP_PKEY_free(pkey); + return ret; +#else + return EXT_RETURN_FAIL; +#endif +} + +EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + const unsigned char cryptopro_ext[36] = { + 0xfd, 0xe8, /* 65000 */ + 0x00, 0x20, /* 32 bytes length */ + 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, + 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, + 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, + 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 + }; + + if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80 + && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81) + || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx) +{ + if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { + if (s->max_early_data == 0) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_put_bytes_u32(pkt, s->max_early_data) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; + } + + if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, + ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} + +EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ + if (!s->hit) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + + return EXT_RETURN_SENT; +} diff --git a/deps/openssl/openssl/ssl/statem/statem.c b/deps/openssl/openssl/ssl/statem/statem.c index 69bb40f00e..f76c0e4803 100644 --- a/deps/openssl/openssl/ssl/statem/statem.c +++ b/deps/openssl/openssl/ssl/statem/statem.c @@ -7,9 +7,11 @@ * https://www.openssl.org/source/license.html */ +#include "internal/cryptlib.h" #include <openssl/rand.h> #include "../ssl_locl.h" #include "statem_locl.h" +#include <assert.h> /* * This file implements the SSL/TLS/DTLS state machines. @@ -66,17 +68,17 @@ OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl) return ssl->statem.hand_state; } -int SSL_in_init(SSL *s) +int SSL_in_init(const SSL *s) { return s->statem.in_init; } -int SSL_is_init_finished(SSL *s) +int SSL_is_init_finished(const SSL *s) { return !(s->statem.in_init) && (s->statem.hand_state == TLS_ST_OK); } -int SSL_in_before(SSL *s) +int SSL_in_before(const SSL *s) { /* * Historically being "in before" meant before anything had happened. In the @@ -105,20 +107,42 @@ void ossl_statem_clear(SSL *s) */ void ossl_statem_set_renegotiate(SSL *s) { - s->statem.state = MSG_FLOW_RENEGOTIATE; s->statem.in_init = 1; + s->statem.request_state = TLS_ST_SW_HELLO_REQ; } /* - * Put the state machine into an error state. This is a permanent error for - * the current connection. + * Put the state machine into an error state and send an alert if appropriate. + * This is a permanent error for the current connection. */ -void ossl_statem_set_error(SSL *s) +void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file, + int line) { + ERR_put_error(ERR_LIB_SSL, func, reason, file, line); + /* We shouldn't call SSLfatal() twice. Once is enough */ + if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR) + return; + s->statem.in_init = 1; s->statem.state = MSG_FLOW_ERROR; + if (al != SSL_AD_NO_ALERT + && s->statem.enc_write_state != ENC_WRITE_STATE_INVALID) + ssl3_send_alert(s, SSL3_AL_FATAL, al); } /* + * This macro should only be called if we are already expecting to be in + * a fatal error state. We verify that we are, and set it if not (this would + * indicate a bug). + */ +#define check_fatal(s, f) \ + do { \ + if (!ossl_assert((s)->statem.in_init \ + && (s)->statem.state == MSG_FLOW_ERROR)) \ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, (f), \ + SSL_R_MISSING_FATAL); \ + } while (0) + +/* * Discover whether the current connection is in the error state. * * Valid return values are: @@ -151,6 +175,62 @@ void ossl_statem_set_in_handshake(SSL *s, int inhand) s->statem.in_handshake--; } +/* Are we in a sensible state to skip over unreadable early data? */ +int ossl_statem_skip_early_data(SSL *s) +{ + if (s->ext.early_data != SSL_EARLY_DATA_REJECTED) + return 0; + + if (!s->server + || s->statem.hand_state != TLS_ST_EARLY_DATA + || s->hello_retry_request == SSL_HRR_COMPLETE) + return 0; + + return 1; +} + +/* + * Called when we are in SSL_read*(), SSL_write*(), or SSL_accept() + * /SSL_connect()/SSL_do_handshake(). Used to test whether we are in an early + * data state and whether we should attempt to move the handshake on if so. + * |sending| is 1 if we are attempting to send data (SSL_write*()), 0 if we are + * attempting to read data (SSL_read*()), or -1 if we are in SSL_do_handshake() + * or similar. + */ +void ossl_statem_check_finish_init(SSL *s, int sending) +{ + if (sending == -1) { + if (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END + || s->statem.hand_state == TLS_ST_EARLY_DATA) { + ossl_statem_set_in_init(s, 1); + if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) { + /* + * SSL_connect() or SSL_do_handshake() has been called directly. + * We don't allow any more writing of early data. + */ + s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; + } + } + } else if (!s->server) { + if ((sending && (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END + || s->statem.hand_state == TLS_ST_EARLY_DATA) + && s->early_data_state != SSL_EARLY_DATA_WRITING) + || (!sending && s->statem.hand_state == TLS_ST_EARLY_DATA)) { + ossl_statem_set_in_init(s, 1); + /* + * SSL_write() has been called directly. We don't allow any more + * writing of early data. + */ + if (sending && s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) + s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; + } + } else { + if (s->early_data_state == SSL_EARLY_DATA_FINISHED_READING + && s->statem.hand_state == TLS_ST_EARLY_DATA) + ossl_statem_set_in_init(s, 1); + } +} + void ossl_statem_set_hello_verify_done(SSL *s) { s->statem.state = MSG_FLOW_UNINITED; @@ -189,10 +269,10 @@ static info_cb get_callback(SSL *s) /* * The main message flow state machine. We start in the MSG_FLOW_UNINITED or - * MSG_FLOW_RENEGOTIATE state and finish in MSG_FLOW_FINISHED. Valid states and + * MSG_FLOW_FINISHED state and finish in MSG_FLOW_FINISHED. Valid states and * transitions are as follows: * - * MSG_FLOW_UNINITED MSG_FLOW_RENEGOTIATE + * MSG_FLOW_UNINITED MSG_FLOW_FINISHED * | | * +-----------------------+ * v @@ -218,7 +298,6 @@ static info_cb get_callback(SSL *s) static int state_machine(SSL *s, int server) { BUF_MEM *buf = NULL; - unsigned long Time = (unsigned long)time(NULL); void (*cb) (const SSL *ssl, int type, int val) = NULL; OSSL_STATEM *st = &s->statem; int ret = -1; @@ -229,7 +308,6 @@ static int state_machine(SSL *s, int server) return -1; } - RAND_add(&Time, sizeof(Time), 0); ERR_clear_error(); clear_sys_error(); @@ -237,7 +315,11 @@ static int state_machine(SSL *s, int server) st->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) { - if (!SSL_clear(s)) + /* + * If we are stateless then we already called SSL_clear() - don't do + * it again and clear the STATELESS flag itself. + */ + if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear(s)) return -1; } #ifndef OPENSSL_NO_SCTP @@ -251,60 +333,54 @@ static int state_machine(SSL *s, int server) } #endif -#ifndef OPENSSL_NO_HEARTBEATS - /* - * If we're awaiting a HeartbeatResponse, pretend we already got and - * don't await it anymore, because Heartbeats don't make sense during - * handshakes anyway. - */ - if (s->tlsext_hb_pending) { - if (SSL_IS_DTLS(s)) - dtls1_stop_timer(s); - s->tlsext_hb_pending = 0; - s->tlsext_hb_seq++; - } -#endif - /* Initialise state machine */ - - if (st->state == MSG_FLOW_RENEGOTIATE) { - s->renegotiate = 1; - if (!server) - s->ctx->stats.sess_connect_renegotiate++; - } - - if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE) { + if (st->state == MSG_FLOW_UNINITED + || st->state == MSG_FLOW_FINISHED) { if (st->state == MSG_FLOW_UNINITED) { st->hand_state = TLS_ST_BEFORE; + st->request_state = TLS_ST_BEFORE; } s->server = server; if (cb != NULL) cb(s, SSL_CB_HANDSHAKE_START, 1); + /* + * Fatal errors in this block don't send an alert because we have + * failed to even initialise properly. Sending an alert is probably + * doomed to failure. + */ + if (SSL_IS_DTLS(s)) { if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) && (server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) { - SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } } else { if ((s->version >> 8) != SSL3_VERSION_MAJOR) { - SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } } if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) { - SSLerr(SSL_F_STATE_MACHINE, SSL_R_VERSION_TOO_LOW); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } if (s->init_buf == NULL) { if ((buf = BUF_MEM_new()) == NULL) { + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } s->init_buf = buf; @@ -312,6 +388,8 @@ static int state_machine(SSL *s, int server) } if (!ssl3_setup_buffers(s)) { + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } s->init_num = 0; @@ -329,65 +407,24 @@ static int state_machine(SSL *s, int server) if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s))) #endif if (!ssl_init_wbio_buffer(s)) { + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } - if (!server || st->state != MSG_FLOW_RENEGOTIATE) { - if (!ssl3_init_finished_mac(s)) { - ossl_statem_set_error(s); - goto end; - } - } - - if (server) { - if (st->state != MSG_FLOW_RENEGOTIATE) { - s->ctx->stats.sess_accept++; - } else if ((s->options & SSL_OP_NO_RENEGOTIATION)) { - /* - * Shouldn't happen? The record layer should have prevented this - */ - SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - ossl_statem_set_error(s); + if ((SSL_in_before(s)) + || s->renegotiate) { + if (!tls_setup_handshake(s)) { + /* SSLfatal() already called */ goto end; - } else if (!s->s3->send_connection_binding && - !(s->options & - SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { - /* - * Server attempting to renegotiate with client that doesn't - * support secure renegotiation. - */ - SSLerr(SSL_F_STATE_MACHINE, - SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - ossl_statem_set_error(s); - goto end; - } else { - /* - * st->state == MSG_FLOW_RENEGOTIATE, we will just send a - * HelloRequest - */ - s->ctx->stats.sess_accept_renegotiate++; } - s->s3->tmp.cert_request = 0; - } else { - s->ctx->stats.sess_connect++; - - /* mark client_random uninitialized */ - memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); - s->hit = 0; - - s->s3->tmp.cert_req = 0; - - if (SSL_IS_DTLS(s)) { - st->use_timer = 1; - } + if (SSL_IS_FIRST_HANDSHAKE(s)) + st->read_state_first_init = 1; } st->state = MSG_FLOW_WRITING; init_write_state_machine(s); - st->read_state_first_init = 1; } while (st->state != MSG_FLOW_FINISHED) { @@ -413,12 +450,12 @@ static int state_machine(SSL *s, int server) } } else { /* Error */ - ossl_statem_set_error(s); + check_fatal(s, SSL_F_STATE_MACHINE); + SSLerr(SSL_F_STATE_MACHINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); goto end; } } - st->state = MSG_FLOW_UNINITED; ret = 1; end: @@ -500,12 +537,12 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) { OSSL_STATEM *st = &s->statem; int ret, mt; - unsigned long len = 0; + size_t len = 0; int (*transition) (SSL *s, int mt); PACKET pkt; MSG_PROCESS_RETURN(*process_message) (SSL *s, PACKET *pkt); WORK_STATE(*post_process_message) (SSL *s, WORK_STATE wst); - unsigned long (*max_message_size) (SSL *s); + size_t (*max_message_size) (SSL *s); void (*cb) (const SSL *ssl, int type, int val) = NULL; cb = get_callback(s); @@ -560,8 +597,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) return SUB_STATE_ERROR; if (s->s3->tmp.message_size > max_message_size(s)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); - SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_EXCESSIVE_MESSAGE_SIZE); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_READ_STATE_MACHINE, + SSL_R_EXCESSIVE_MESSAGE_SIZE); return SUB_STATE_ERROR; } @@ -570,8 +607,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) && s->s3->tmp.message_size > 0 && !grow_init_buf(s, s->s3->tmp.message_size + SSL3_HM_HEADER_LENGTH)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_BUF_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE, + ERR_R_BUF_LIB); return SUB_STATE_ERROR; } @@ -590,8 +627,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) s->first_packet = 0; if (!PACKET_buf_init(&pkt, s->init_msg, len)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); return SUB_STATE_ERROR; } ret = process_message(s, &pkt); @@ -601,6 +638,7 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) switch (ret) { case MSG_PROCESS_ERROR: + check_fatal(s, SSL_F_READ_STATE_MACHINE); return SUB_STATE_ERROR; case MSG_PROCESS_FINISHED_READING: @@ -623,7 +661,12 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) case READ_STATE_POST_PROCESS: st->read_state_work = post_process_message(s, st->read_state_work); switch (st->read_state_work) { - default: + case WORK_ERROR: + check_fatal(s, SSL_F_READ_STATE_MACHINE); + /* Fall through */ + case WORK_MORE_A: + case WORK_MORE_B: + case WORK_MORE_C: return SUB_STATE_ERROR; case WORK_FINISHED_CONTINUE: @@ -640,9 +683,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) default: /* Shouldn't happen */ - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); return SUB_STATE_ERROR; } } @@ -714,8 +756,13 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) WRITE_TRAN(*transition) (SSL *s); WORK_STATE(*pre_work) (SSL *s, WORK_STATE wst); WORK_STATE(*post_work) (SSL *s, WORK_STATE wst); - int (*construct_message) (SSL *s); + int (*get_construct_message_f) (SSL *s, WPACKET *pkt, + int (**confunc) (SSL *s, WPACKET *pkt), + int *mt); void (*cb) (const SSL *ssl, int type, int val) = NULL; + int (*confunc) (SSL *s, WPACKET *pkt); + int mt; + WPACKET pkt; cb = get_callback(s); @@ -723,12 +770,12 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) transition = ossl_statem_server_write_transition; pre_work = ossl_statem_server_pre_work; post_work = ossl_statem_server_post_work; - construct_message = ossl_statem_server_construct_message; + get_construct_message_f = ossl_statem_server_construct_message; } else { transition = ossl_statem_client_write_transition; pre_work = ossl_statem_client_pre_work; post_work = ossl_statem_client_post_work; - construct_message = ossl_statem_client_construct_message; + get_construct_message_f = ossl_statem_client_construct_message; } while (1) { @@ -751,14 +798,20 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) return SUB_STATE_FINISHED; break; - default: + case WRITE_TRAN_ERROR: + check_fatal(s, SSL_F_WRITE_STATE_MACHINE); return SUB_STATE_ERROR; } break; case WRITE_STATE_PRE_WORK: switch (st->write_state_work = pre_work(s, st->write_state_work)) { - default: + case WORK_ERROR: + check_fatal(s, SSL_F_WRITE_STATE_MACHINE); + /* Fall through */ + case WORK_MORE_A: + case WORK_MORE_B: + case WORK_MORE_C: return SUB_STATE_ERROR; case WORK_FINISHED_CONTINUE: @@ -768,8 +821,35 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) case WORK_FINISHED_STOP: return SUB_STATE_END_HANDSHAKE; } - if (construct_message(s) == 0) + if (!get_construct_message_f(s, &pkt, &confunc, &mt)) { + /* SSLfatal() already called */ + return SUB_STATE_ERROR; + } + if (mt == SSL3_MT_DUMMY) { + /* Skip construction and sending. This isn't a "real" state */ + st->write_state = WRITE_STATE_POST_WORK; + st->write_state_work = WORK_MORE_A; + break; + } + if (!WPACKET_init(&pkt, s->init_buf) + || !ssl_set_handshake_header(s, &pkt, mt)) { + WPACKET_cleanup(&pkt); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); return SUB_STATE_ERROR; + } + if (confunc != NULL && !confunc(s, &pkt)) { + WPACKET_cleanup(&pkt); + check_fatal(s, SSL_F_WRITE_STATE_MACHINE); + return SUB_STATE_ERROR; + } + if (!ssl_close_construct_packet(s, &pkt, mt) + || !WPACKET_finish(&pkt)) { + WPACKET_cleanup(&pkt); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); + return SUB_STATE_ERROR; + } /* Fall through */ @@ -787,7 +867,12 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) case WRITE_STATE_POST_WORK: switch (st->write_state_work = post_work(s, st->write_state_work)) { - default: + case WORK_ERROR: + check_fatal(s, SSL_F_WRITE_STATE_MACHINE); + /* Fall through */ + case WORK_MORE_A: + case WORK_MORE_B: + case WORK_MORE_C: return SUB_STATE_ERROR; case WORK_FINISHED_CONTINUE: @@ -800,6 +885,8 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) break; default: + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); return SUB_STATE_ERROR; } } @@ -821,7 +908,7 @@ int statem_flush(SSL *s) /* * Called by the record layer to determine whether application data is - * allowed to be sent in the current handshake state or not. + * allowed to be received in the current handshake state or not. * * Return values are: * 1: Yes (application data allowed) @@ -831,7 +918,7 @@ int ossl_statem_app_data_allowed(SSL *s) { OSSL_STATEM *st = &s->statem; - if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE) + if (st->state == MSG_FLOW_UNINITED) return 0; if (!s->s3->in_read_app_data || (s->s3->total_renegotiations == 0)) @@ -856,3 +943,28 @@ int ossl_statem_app_data_allowed(SSL *s) return 0; } + +/* + * This function returns 1 if TLS exporter is ready to export keying + * material, or 0 if otherwise. + */ +int ossl_statem_export_allowed(SSL *s) +{ + return s->s3->previous_server_finished_len != 0 + && s->statem.hand_state != TLS_ST_SW_FINISHED; +} + +/* + * Return 1 if early TLS exporter is ready to export keying material, + * or 0 if otherwise. + */ +int ossl_statem_export_early_allowed(SSL *s) +{ + /* + * The early exporter secret is only present on the server if we + * have accepted early_data. It is present on the client as long + * as we have sent early_data. + */ + return s->ext.early_data == SSL_EARLY_DATA_ACCEPTED + || (!s->server && s->ext.early_data != SSL_EARLY_DATA_NOT_SENT); +} diff --git a/deps/openssl/openssl/ssl/statem/statem.h b/deps/openssl/openssl/ssl/statem/statem.h index c669ee9e78..144d930fc7 100644 --- a/deps/openssl/openssl/ssl/statem/statem.h +++ b/deps/openssl/openssl/ssl/statem/statem.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -27,7 +27,9 @@ typedef enum { /* We're working on phase A */ WORK_MORE_A, /* We're working on phase B */ - WORK_MORE_B + WORK_MORE_B, + /* We're working on phase C */ + WORK_MORE_C } WORK_STATE; /* Write transition return codes */ @@ -46,8 +48,6 @@ typedef enum { MSG_FLOW_UNINITED, /* A permanent error with this connection */ MSG_FLOW_ERROR, - /* We are about to renegotiate */ - MSG_FLOW_RENEGOTIATE, /* We are reading messages */ MSG_FLOW_READING, /* We are writing messages */ @@ -71,6 +71,22 @@ typedef enum { WRITE_STATE_POST_WORK } WRITE_STATE; +typedef enum { + /* The enc_write_ctx can be used normally */ + ENC_WRITE_STATE_VALID, + /* The enc_write_ctx cannot be used */ + ENC_WRITE_STATE_INVALID, + /* Write alerts in plaintext, but otherwise use the enc_write_ctx */ + ENC_WRITE_STATE_WRITE_PLAIN_ALERTS +} ENC_WRITE_STATES; + +typedef enum { + /* The enc_read_ctx can be used normally */ + ENC_READ_STATE_VALID, + /* We may receive encrypted or plaintext alerts */ + ENC_READ_STATE_ALLOW_PLAIN_ALERTS +} ENC_READ_STATES; + /***************************************************************************** * * * This structure should be considered "opaque" to anything outside of the * @@ -86,13 +102,22 @@ struct ossl_statem_st { READ_STATE read_state; WORK_STATE read_state_work; OSSL_HANDSHAKE_STATE hand_state; + /* The handshake state requested by an API call (e.g. HelloRequest) */ + OSSL_HANDSHAKE_STATE request_state; int in_init; int read_state_first_init; /* true when we are actually in SSL_accept() or SSL_connect() */ int in_handshake; + /* + * True when are processing a "real" handshake that needs cleaning up (not + * just a HelloRequest or similar). + */ + int cleanuphand; /* Should we skip the CertificateVerify message? */ unsigned int no_cert_verify; int use_timer; + ENC_WRITE_STATES enc_write_state; + ENC_READ_STATES enc_read_state; }; typedef struct ossl_statem_st OSSL_STATEM; @@ -107,10 +132,26 @@ __owur int ossl_statem_accept(SSL *s); __owur int ossl_statem_connect(SSL *s); void ossl_statem_clear(SSL *s); void ossl_statem_set_renegotiate(SSL *s); -void ossl_statem_set_error(SSL *s); +void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file, + int line); +# define SSL_AD_NO_ALERT -1 +# ifndef OPENSSL_NO_ERR +# define SSLfatal(s, al, f, r) ossl_statem_fatal((s), (al), (f), (r), \ + OPENSSL_FILE, OPENSSL_LINE) +# else +# define SSLfatal(s, al, f, r) ossl_statem_fatal((s), (al), (f), (r), NULL, 0) +# endif + int ossl_statem_in_error(const SSL *s); void ossl_statem_set_in_init(SSL *s, int init); int ossl_statem_get_in_handshake(SSL *s); void ossl_statem_set_in_handshake(SSL *s, int inhand); +__owur int ossl_statem_skip_early_data(SSL *s); +void ossl_statem_check_finish_init(SSL *s, int send); void ossl_statem_set_hello_verify_done(SSL *s); __owur int ossl_statem_app_data_allowed(SSL *s); +__owur int ossl_statem_export_allowed(SSL *s); +__owur int ossl_statem_export_early_allowed(SSL *s); + +/* Flush the write BIO */ +int statem_flush(SSL *s); diff --git a/deps/openssl/openssl/ssl/statem/statem_clnt.c b/deps/openssl/openssl/ssl/statem/statem_clnt.c index ed993553c5..0a11b88183 100644 --- a/deps/openssl/openssl/ssl/statem/statem_clnt.c +++ b/deps/openssl/openssl/ssl/statem/statem_clnt.c @@ -1,5 +1,7 @@ /* * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,47 +9,9 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * ECC cipher suite support in OpenSSL originally written by - * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. - * - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include <stdio.h> +#include <time.h> +#include <assert.h> #include "../ssl_locl.h" #include "statem_locl.h" #include <openssl/buffer.h> @@ -58,12 +22,15 @@ #include <openssl/dh.h> #include <openssl/bn.h> #include <openssl/engine.h> +#include <internal/cryptlib.h> + +static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt); +static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt); static ossl_inline int cert_req_allowed(SSL *s); static int key_exchange_expected(SSL *s); -static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b); static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, - unsigned char *p); + WPACKET *pkt); /* * Is a CertificateRequest message allowed at the moment or not? @@ -108,20 +75,148 @@ static int key_exchange_expected(SSL *s) /* * ossl_statem_client_read_transition() encapsulates the logic for the allowed + * handshake state transitions when a TLS1.3 client is reading messages from the + * server. The message type that the server has sent is provided in |mt|. The + * current state is in |s->statem.hand_state|. + * + * Return values are 1 for success (transition allowed) and 0 on error + * (transition not allowed) + */ +static int ossl_statem_client13_read_transition(SSL *s, int mt) +{ + OSSL_STATEM *st = &s->statem; + + /* + * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't + * yet negotiated TLSv1.3 at that point so that is handled by + * ossl_statem_client_read_transition() + */ + + switch (st->hand_state) { + default: + break; + + case TLS_ST_CW_CLNT_HELLO: + /* + * This must a ClientHello following a HelloRetryRequest, so the only + * thing we can get now is a ServerHello. + */ + if (mt == SSL3_MT_SERVER_HELLO) { + st->hand_state = TLS_ST_CR_SRVR_HELLO; + return 1; + } + break; + + case TLS_ST_CR_SRVR_HELLO: + if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) { + st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS; + return 1; + } + break; + + case TLS_ST_CR_ENCRYPTED_EXTENSIONS: + if (s->hit) { + if (mt == SSL3_MT_FINISHED) { + st->hand_state = TLS_ST_CR_FINISHED; + return 1; + } + } else { + if (mt == SSL3_MT_CERTIFICATE_REQUEST) { + st->hand_state = TLS_ST_CR_CERT_REQ; + return 1; + } + if (mt == SSL3_MT_CERTIFICATE) { + st->hand_state = TLS_ST_CR_CERT; + return 1; + } + } + break; + + case TLS_ST_CR_CERT_REQ: + if (mt == SSL3_MT_CERTIFICATE) { + st->hand_state = TLS_ST_CR_CERT; + return 1; + } + break; + + case TLS_ST_CR_CERT: + if (mt == SSL3_MT_CERTIFICATE_VERIFY) { + st->hand_state = TLS_ST_CR_CERT_VRFY; + return 1; + } + break; + + case TLS_ST_CR_CERT_VRFY: + if (mt == SSL3_MT_FINISHED) { + st->hand_state = TLS_ST_CR_FINISHED; + return 1; + } + break; + + case TLS_ST_OK: + if (mt == SSL3_MT_NEWSESSION_TICKET) { + st->hand_state = TLS_ST_CR_SESSION_TICKET; + return 1; + } + if (mt == SSL3_MT_KEY_UPDATE) { + st->hand_state = TLS_ST_CR_KEY_UPDATE; + return 1; + } + if (mt == SSL3_MT_CERTIFICATE_REQUEST) { +#if DTLS_MAX_VERSION != DTLS1_2_VERSION +# error TODO(DTLS1.3): Restore digest for PHA before adding message. +#endif + if (!SSL_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) { + s->post_handshake_auth = SSL_PHA_REQUESTED; + /* + * In TLS, this is called before the message is added to the + * digest. In DTLS, this is expected to be called after adding + * to the digest. Either move the digest restore, or add the + * message here after the swap, or do it after the clientFinished? + */ + if (!tls13_restore_handshake_digest_for_pha(s)) { + /* SSLfatal() already called */ + return 0; + } + st->hand_state = TLS_ST_CR_CERT_REQ; + return 1; + } + } + break; + } + + /* No valid transition found */ + return 0; +} + +/* + * ossl_statem_client_read_transition() encapsulates the logic for the allowed * handshake state transitions when the client is reading messages from the * server. The message type that the server has sent is provided in |mt|. The * current state is in |s->statem.hand_state|. * - * Return values are: - * 1: Success (transition allowed) - * 0: Error (transition not allowed) + * Return values are 1 for success (transition allowed) and 0 on error + * (transition not allowed) */ int ossl_statem_client_read_transition(SSL *s, int mt) { OSSL_STATEM *st = &s->statem; int ske_expected; + /* + * Note that after writing the first ClientHello we don't know what version + * we are going to negotiate yet, so we don't take this branch until later. + */ + if (SSL_IS_TLS13(s)) { + if (!ossl_statem_client13_read_transition(s, mt)) + goto err; + return 1; + } + switch (st->hand_state) { + default: + break; + case TLS_ST_CW_CLNT_HELLO: if (mt == SSL3_MT_SERVER_HELLO) { st->hand_state = TLS_ST_CR_SRVR_HELLO; @@ -136,9 +231,21 @@ int ossl_statem_client_read_transition(SSL *s, int mt) } break; + case TLS_ST_EARLY_DATA: + /* + * We've not actually selected TLSv1.3 yet, but we have sent early + * data. The only thing allowed now is a ServerHello or a + * HelloRetryRequest. + */ + if (mt == SSL3_MT_SERVER_HELLO) { + st->hand_state = TLS_ST_CR_SRVR_HELLO; + return 1; + } + break; + case TLS_ST_CR_SRVR_HELLO: if (s->hit) { - if (s->tlsext_ticket_expected) { + if (s->ext.ticket_expected) { if (mt == SSL3_MT_NEWSESSION_TICKET) { st->hand_state = TLS_ST_CR_SESSION_TICKET; return 1; @@ -152,8 +259,8 @@ int ossl_statem_client_read_transition(SSL *s, int mt) st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; return 1; } else if (s->version >= TLS1_VERSION - && s->tls_session_secret_cb != NULL - && s->session->tlsext_tick != NULL + && s->ext.session_secret_cb != NULL + && s->session->ext.tick != NULL && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { /* * Normally, we can tell if the server is resuming the session @@ -195,9 +302,9 @@ int ossl_statem_client_read_transition(SSL *s, int mt) case TLS_ST_CR_CERT: /* * The CertificateStatus message is optional even if - * |tlsext_status_expected| is set + * |ext.status_expected| is set */ - if (s->tlsext_status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) { + if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) { st->hand_state = TLS_ST_CR_CERT_STATUS; return 1; } @@ -234,7 +341,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt) break; case TLS_ST_CW_FINISHED: - if (s->tlsext_ticket_expected) { + if (s->ext.ticket_expected) { if (mt == SSL3_MT_NEWSESSION_TICKET) { st->hand_state = TLS_ST_CR_SESSION_TICKET; return 1; @@ -259,7 +366,11 @@ int ossl_statem_client_read_transition(SSL *s, int mt) } break; - default: + case TLS_ST_OK: + if (mt == SSL3_MT_HELLO_REQUEST) { + st->hand_state = TLS_ST_CR_HELLO_REQ; + return 1; + } break; } @@ -279,34 +390,184 @@ int ossl_statem_client_read_transition(SSL *s, int mt) BIO_set_retry_read(rbio); return 0; } - ossl_statem_set_error(s); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); - SSLerr(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); + SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, + SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, + SSL_R_UNEXPECTED_MESSAGE); return 0; } /* - * client_write_transition() works out what handshake state to move to next - * when the client is writing messages to be sent to the server. + * ossl_statem_client13_write_transition() works out what handshake state to + * move to next when the TLSv1.3 client is writing messages to be sent to the + * server. + */ +static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s) +{ + OSSL_STATEM *st = &s->statem; + + /* + * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated + * TLSv1.3 yet at that point. They are handled by + * ossl_statem_client_write_transition(). + */ + switch (st->hand_state) { + default: + /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION, + ERR_R_INTERNAL_ERROR); + return WRITE_TRAN_ERROR; + + case TLS_ST_CR_CERT_REQ: + if (s->post_handshake_auth == SSL_PHA_REQUESTED) { + st->hand_state = TLS_ST_CW_CERT; + return WRITE_TRAN_CONTINUE; + } + /* + * We should only get here if we received a CertificateRequest after + * we already sent close_notify + */ + if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) { + /* Shouldn't happen - same as default case */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION, + ERR_R_INTERNAL_ERROR); + return WRITE_TRAN_ERROR; + } + st->hand_state = TLS_ST_OK; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_CR_FINISHED: + if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY + || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING) + st->hand_state = TLS_ST_PENDING_EARLY_DATA_END; + else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 + && s->hello_retry_request == SSL_HRR_NONE) + st->hand_state = TLS_ST_CW_CHANGE; + else + st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT + : TLS_ST_CW_FINISHED; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_PENDING_EARLY_DATA_END: + if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { + st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA; + return WRITE_TRAN_CONTINUE; + } + /* Fall through */ + + case TLS_ST_CW_END_OF_EARLY_DATA: + case TLS_ST_CW_CHANGE: + st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT + : TLS_ST_CW_FINISHED; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_CW_CERT: + /* If a non-empty Certificate we also send CertificateVerify */ + st->hand_state = (s->s3->tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY + : TLS_ST_CW_FINISHED; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_CW_CERT_VRFY: + st->hand_state = TLS_ST_CW_FINISHED; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_CR_KEY_UPDATE: + if (s->key_update != SSL_KEY_UPDATE_NONE) { + st->hand_state = TLS_ST_CW_KEY_UPDATE; + return WRITE_TRAN_CONTINUE; + } + /* Fall through */ + + case TLS_ST_CW_KEY_UPDATE: + case TLS_ST_CR_SESSION_TICKET: + case TLS_ST_CW_FINISHED: + st->hand_state = TLS_ST_OK; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_OK: + if (s->key_update != SSL_KEY_UPDATE_NONE) { + st->hand_state = TLS_ST_CW_KEY_UPDATE; + return WRITE_TRAN_CONTINUE; + } + + /* Try to read from the server instead */ + return WRITE_TRAN_FINISHED; + } +} + +/* + * ossl_statem_client_write_transition() works out what handshake state to + * move to next when the client is writing messages to be sent to the server. */ WRITE_TRAN ossl_statem_client_write_transition(SSL *s) { OSSL_STATEM *st = &s->statem; + /* + * Note that immediately before/after a ClientHello we don't know what + * version we are going to negotiate yet, so we don't take this branch until + * later + */ + if (SSL_IS_TLS13(s)) + return ossl_statem_client13_write_transition(s); + switch (st->hand_state) { + default: + /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_CLIENT_WRITE_TRANSITION, + ERR_R_INTERNAL_ERROR); + return WRITE_TRAN_ERROR; + case TLS_ST_OK: - /* Renegotiation - fall through */ + if (!s->renegotiate) { + /* + * We haven't requested a renegotiation ourselves so we must have + * received a message from the server. Better read it. + */ + return WRITE_TRAN_FINISHED; + } + /* Renegotiation */ + /* fall thru */ case TLS_ST_BEFORE: st->hand_state = TLS_ST_CW_CLNT_HELLO; return WRITE_TRAN_CONTINUE; case TLS_ST_CW_CLNT_HELLO: + if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { + /* + * We are assuming this is a TLSv1.3 connection, although we haven't + * actually selected a version yet. + */ + if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) + st->hand_state = TLS_ST_CW_CHANGE; + else + st->hand_state = TLS_ST_EARLY_DATA; + return WRITE_TRAN_CONTINUE; + } /* * No transition at the end of writing because we don't know what * we will be sent */ return WRITE_TRAN_FINISHED; + case TLS_ST_CR_SRVR_HELLO: + /* + * We only get here in TLSv1.3. We just received an HRR, so issue a + * CCS unless middlebox compat mode is off, or we already issued one + * because we did early data. + */ + if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 + && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) + st->hand_state = TLS_ST_CW_CHANGE; + else + st->hand_state = TLS_ST_CW_CLNT_HELLO; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_EARLY_DATA: + return WRITE_TRAN_FINISHED; + case DTLS_ST_CR_HELLO_VERIFY_REQUEST: st->hand_state = TLS_ST_CW_CLNT_HELLO; return WRITE_TRAN_CONTINUE; @@ -348,14 +609,20 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; case TLS_ST_CW_CHANGE: + if (s->hello_retry_request == SSL_HRR_PENDING) { + st->hand_state = TLS_ST_CW_CLNT_HELLO; + } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { + st->hand_state = TLS_ST_EARLY_DATA; + } else { #if defined(OPENSSL_NO_NEXTPROTONEG) - st->hand_state = TLS_ST_CW_FINISHED; -#else - if (!SSL_IS_DTLS(s) && s->s3->next_proto_neg_seen) - st->hand_state = TLS_ST_CW_NEXT_PROTO; - else st->hand_state = TLS_ST_CW_FINISHED; +#else + if (!SSL_IS_DTLS(s) && s->s3->npn_seen) + st->hand_state = TLS_ST_CW_NEXT_PROTO; + else + st->hand_state = TLS_ST_CW_FINISHED; #endif + } return WRITE_TRAN_CONTINUE; #if !defined(OPENSSL_NO_NEXTPROTONEG) @@ -367,7 +634,6 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s) case TLS_ST_CW_FINISHED: if (s->hit) { st->hand_state = TLS_ST_OK; - ossl_statem_set_in_init(s, 0); return WRITE_TRAN_CONTINUE; } else { return WRITE_TRAN_FINISHED; @@ -379,13 +645,24 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; } else { st->hand_state = TLS_ST_OK; - ossl_statem_set_in_init(s, 0); return WRITE_TRAN_CONTINUE; } - default: - /* Shouldn't happen */ - return WRITE_TRAN_ERROR; + case TLS_ST_CR_HELLO_REQ: + /* + * If we can renegotiate now then do so, otherwise wait for a more + * convenient time. + */ + if (ssl3_renegotiate_check(s, 1)) { + if (!tls_setup_handshake(s)) { + /* SSLfatal() already called */ + return WRITE_TRAN_ERROR; + } + st->hand_state = TLS_ST_CW_CLNT_HELLO; + return WRITE_TRAN_CONTINUE; + } + st->hand_state = TLS_ST_OK; + return WRITE_TRAN_CONTINUE; } } @@ -398,12 +675,16 @@ WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst) OSSL_STATEM *st = &s->statem; switch (st->hand_state) { + default: + /* No pre work to be done */ + break; + case TLS_ST_CW_CLNT_HELLO: s->shutdown = 0; if (SSL_IS_DTLS(s)) { /* every DTLS ClientHello resets Finished MAC */ if (!ssl3_init_finished_mac(s)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } } @@ -419,18 +700,31 @@ WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst) st->use_timer = 0; } #ifndef OPENSSL_NO_SCTP - if (BIO_dgram_is_sctp(SSL_get_wbio(s))) + if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { + /* Calls SSLfatal() as required */ return dtls_wait_for_dry(s); + } #endif } - return WORK_FINISHED_CONTINUE; + break; - case TLS_ST_OK: - return tls_finish_handshake(s, wst); + case TLS_ST_PENDING_EARLY_DATA_END: + /* + * If we've been called by SSL_do_handshake()/SSL_write(), or we did not + * attempt to write early data before calling SSL_read() then we press + * on with the handshake. Otherwise we pause here. + */ + if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING + || s->early_data_state == SSL_EARLY_DATA_NONE) + return WORK_FINISHED_CONTINUE; + /* Fall through */ - default: - /* No pre work to be done */ - break; + case TLS_ST_EARLY_DATA: + return tls_finish_handshake(s, wst, 0, 1); + + case TLS_ST_OK: + /* Calls SSLfatal() as required */ + return tls_finish_handshake(s, wst, 1, 1); } return WORK_FINISHED_CONTINUE; @@ -447,9 +741,29 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) s->init_num = 0; switch (st->hand_state) { + default: + /* No post work to be done */ + break; + case TLS_ST_CW_CLNT_HELLO: - if (wst == WORK_MORE_A && statem_flush(s) != 1) + if (s->early_data_state == SSL_EARLY_DATA_CONNECTING + && s->max_early_data > 0) { + /* + * We haven't selected TLSv1.3 yet so we don't call the change + * cipher state function associated with the SSL_METHOD. Instead + * we call tls13_change_cipher_state() directly. + */ + if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { + if (!tls13_change_cipher_state(s, + SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { + /* SSLfatal() already called */ + return WORK_ERROR; + } + } + /* else we're in compat mode so we delay flushing until after CCS */ + } else if (!statem_flush(s)) { return WORK_MORE_A; + } if (SSL_IS_DTLS(s)) { /* Treat the next message as the first packet */ @@ -457,12 +771,37 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) } break; + case TLS_ST_CW_END_OF_EARLY_DATA: + /* + * We set the enc_write_ctx back to NULL because we may end up writing + * in cleartext again if we get a HelloRetryRequest from the server. + */ + EVP_CIPHER_CTX_free(s->enc_write_ctx); + s->enc_write_ctx = NULL; + break; + case TLS_ST_CW_KEY_EXCH: - if (tls_client_key_exchange_post_work(s) == 0) + if (tls_client_key_exchange_post_work(s) == 0) { + /* SSLfatal() already called */ return WORK_ERROR; + } break; case TLS_ST_CW_CHANGE: + if (SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING) + break; + if (s->early_data_state == SSL_EARLY_DATA_CONNECTING + && s->max_early_data > 0) { + /* + * We haven't selected TLSv1.3 yet so we don't call the change + * cipher state function associated with the SSL_METHOD. Instead + * we call tls13_change_cipher_state() directly. + */ + if (!tls13_change_cipher_state(s, + SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) + return WORK_ERROR; + break; + } s->session->cipher = s->s3->tmp.new_cipher; #ifdef OPENSSL_NO_COMP s->session->compress_meth = 0; @@ -472,12 +811,16 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) else s->session->compress_meth = s->s3->tmp.new_compression->id; #endif - if (!s->method->ssl3_enc->setup_key_block(s)) + if (!s->method->ssl3_enc->setup_key_block(s)) { + /* SSLfatal() already called */ return WORK_ERROR; + } if (!s->method->ssl3_enc->change_cipher_state(s, - SSL3_CHANGE_CIPHER_CLIENT_WRITE)) + SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { + /* SSLfatal() already called */ return WORK_ERROR; + } if (SSL_IS_DTLS(s)) { #ifndef OPENSSL_NO_SCTP @@ -508,10 +851,29 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) #endif if (statem_flush(s) != 1) return WORK_MORE_B; + + if (SSL_IS_TLS13(s)) { + if (!tls13_save_handshake_digest_for_pha(s)) { + /* SSLfatal() already called */ + return WORK_ERROR; + } + if (s->post_handshake_auth != SSL_PHA_REQUESTED) { + if (!s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { + /* SSLfatal() already called */ + return WORK_ERROR; + } + } + } break; - default: - /* No post work to be done */ + case TLS_ST_CW_KEY_UPDATE: + if (statem_flush(s) != 1) + return WORK_MORE_A; + if (!tls13_update_key(s, 1)) { + /* SSLfatal() already called */ + return WORK_ERROR; + } break; } @@ -519,63 +881,97 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) } /* - * Construct a message to be sent from the client to the server. + * Get the message construction function and message type for sending from the + * client * * Valid return values are: * 1: Success * 0: Error */ -int ossl_statem_client_construct_message(SSL *s) +int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt, + confunc_f *confunc, int *mt) { OSSL_STATEM *st = &s->statem; switch (st->hand_state) { + default: + /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE, + SSL_R_BAD_HANDSHAKE_STATE); + return 0; + + case TLS_ST_CW_CHANGE: + if (SSL_IS_DTLS(s)) + *confunc = dtls_construct_change_cipher_spec; + else + *confunc = tls_construct_change_cipher_spec; + *mt = SSL3_MT_CHANGE_CIPHER_SPEC; + break; + case TLS_ST_CW_CLNT_HELLO: - return tls_construct_client_hello(s); + *confunc = tls_construct_client_hello; + *mt = SSL3_MT_CLIENT_HELLO; + break; + + case TLS_ST_CW_END_OF_EARLY_DATA: + *confunc = tls_construct_end_of_early_data; + *mt = SSL3_MT_END_OF_EARLY_DATA; + break; + + case TLS_ST_PENDING_EARLY_DATA_END: + *confunc = NULL; + *mt = SSL3_MT_DUMMY; + break; case TLS_ST_CW_CERT: - return tls_construct_client_certificate(s); + *confunc = tls_construct_client_certificate; + *mt = SSL3_MT_CERTIFICATE; + break; case TLS_ST_CW_KEY_EXCH: - return tls_construct_client_key_exchange(s); + *confunc = tls_construct_client_key_exchange; + *mt = SSL3_MT_CLIENT_KEY_EXCHANGE; + break; case TLS_ST_CW_CERT_VRFY: - return tls_construct_client_verify(s); - - case TLS_ST_CW_CHANGE: - if (SSL_IS_DTLS(s)) - return dtls_construct_change_cipher_spec(s); - else - return tls_construct_change_cipher_spec(s); + *confunc = tls_construct_cert_verify; + *mt = SSL3_MT_CERTIFICATE_VERIFY; + break; #if !defined(OPENSSL_NO_NEXTPROTONEG) case TLS_ST_CW_NEXT_PROTO: - return tls_construct_next_proto(s); + *confunc = tls_construct_next_proto; + *mt = SSL3_MT_NEXT_PROTO; + break; #endif case TLS_ST_CW_FINISHED: - return tls_construct_finished(s, - s->method-> - ssl3_enc->client_finished_label, - s->method-> - ssl3_enc->client_finished_label_len); + *confunc = tls_construct_finished; + *mt = SSL3_MT_FINISHED; + break; - default: - /* Shouldn't happen */ + case TLS_ST_CW_KEY_UPDATE: + *confunc = tls_construct_key_update; + *mt = SSL3_MT_KEY_UPDATE; break; } - return 0; + return 1; } /* * Returns the maximum allowed length for the current message that we are * reading. Excludes the message header. */ -unsigned long ossl_statem_client_max_message_size(SSL *s) +size_t ossl_statem_client_max_message_size(SSL *s) { OSSL_STATEM *st = &s->statem; switch (st->hand_state) { + default: + /* Shouldn't happen */ + return 0; + case TLS_ST_CR_SRVR_HELLO: return SERVER_HELLO_MAX_LENGTH; @@ -585,6 +981,9 @@ unsigned long ossl_statem_client_max_message_size(SSL *s) case TLS_ST_CR_CERT: return s->max_cert_list; + case TLS_ST_CR_CERT_VRFY: + return SSL3_RT_MAX_PLAIN_LENGTH; + case TLS_ST_CR_CERT_STATUS: return SSL3_RT_MAX_PLAIN_LENGTH; @@ -613,12 +1012,12 @@ unsigned long ossl_statem_client_max_message_size(SSL *s) case TLS_ST_CR_FINISHED: return FINISHED_MAX_LENGTH; - default: - /* Shouldn't happen */ - break; - } + case TLS_ST_CR_ENCRYPTED_EXTENSIONS: + return ENCRYPTED_EXTENSIONS_MAX_LENGTH; - return 0; + case TLS_ST_CR_KEY_UPDATE: + return KEY_UPDATE_MAX_LENGTH; + } } /* @@ -629,6 +1028,13 @@ MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt) OSSL_STATEM *st = &s->statem; switch (st->hand_state) { + default: + /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_CLIENT_PROCESS_MESSAGE, + ERR_R_INTERNAL_ERROR); + return MSG_PROCESS_ERROR; + case TLS_ST_CR_SRVR_HELLO: return tls_process_server_hello(s, pkt); @@ -638,6 +1044,9 @@ MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt) case TLS_ST_CR_CERT: return tls_process_server_certificate(s, pkt); + case TLS_ST_CR_CERT_VRFY: + return tls_process_cert_verify(s, pkt); + case TLS_ST_CR_CERT_STATUS: return tls_process_cert_status(s, pkt); @@ -659,12 +1068,15 @@ MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt) case TLS_ST_CR_FINISHED: return tls_process_finished(s, pkt); - default: - /* Shouldn't happen */ - break; - } + case TLS_ST_CR_HELLO_REQ: + return tls_process_hello_req(s, pkt); - return MSG_PROCESS_ERROR; + case TLS_ST_CR_ENCRYPTED_EXTENSIONS: + return tls_process_encrypted_extensions(s, pkt); + + case TLS_ST_CR_KEY_UPDATE: + return tls_process_key_update(s, pkt); + } } /* @@ -676,49 +1088,53 @@ WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst) OSSL_STATEM *st = &s->statem; switch (st->hand_state) { + default: + /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_CLIENT_POST_PROCESS_MESSAGE, + ERR_R_INTERNAL_ERROR); + return WORK_ERROR; + + case TLS_ST_CR_CERT_VRFY: case TLS_ST_CR_CERT_REQ: return tls_prepare_client_certificate(s, wst); - - default: - break; } - - /* Shouldn't happen */ - return WORK_ERROR; } -int tls_construct_client_hello(SSL *s) +int tls_construct_client_hello(SSL *s, WPACKET *pkt) { - unsigned char *buf; - unsigned char *p, *d; - int i; - int protverr; - unsigned long l; - int al = 0; + unsigned char *p; + size_t sess_id_len; + int i, protverr; #ifndef OPENSSL_NO_COMP - int j; SSL_COMP *comp; #endif SSL_SESSION *sess = s->session; + unsigned char *session_id; - buf = (unsigned char *)s->init_buf->data; + if (!WPACKET_set_max_size(pkt, SSL3_RT_MAX_PLAIN_LENGTH)) { + /* Should not happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + return 0; + } /* Work out what SSL/TLS/DTLS version to use */ protverr = ssl_set_client_hello_version(s); if (protverr != 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, protverr); - goto err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + protverr); + return 0; } - if ((sess == NULL) || !ssl_version_supported(s, sess->ssl_version) || - /* - * In the case of EAP-FAST, we can have a pre-shared - * "ticket" without a session ID. - */ - (!sess->session_id_length && !sess->tlsext_tick) || - (sess->not_resumable)) { - if (!ssl_get_new_session(s, 0)) - goto err; + if (sess == NULL + || !ssl_version_supported(s, sess->ssl_version, NULL) + || !SSL_SESSION_is_resumable(sess)) { + if (s->hello_retry_request == SSL_HRR_NONE + && !ssl_get_new_session(s, 0)) { + /* SSLfatal() already called */ + return 0; + } } /* else use the pre-loaded session */ @@ -737,14 +1153,16 @@ int tls_construct_client_hello(SSL *s) break; } } - } else - i = 1; - - if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)) <= 0) - goto err; + } else { + i = (s->hello_retry_request == SSL_HRR_NONE); + } - /* Do the message type and length last */ - d = p = ssl_handshake_start(s); + if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random), + DOWNGRADE_NONE) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; + } /*- * version indicates the negotiated version: for example from @@ -775,273 +1193,465 @@ int tls_construct_client_hello(SSL *s) * TLS 1.0 and renegotiating with TLS 1.2. We do this by using * client_version in client hello and not resetting it to * the negotiated version. + * + * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the + * supported_versions extension for the real supported versions. */ - *(p++) = s->client_version >> 8; - *(p++) = s->client_version & 0xff; - - /* Random stuff */ - memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); - p += SSL3_RANDOM_SIZE; + if (!WPACKET_put_bytes_u16(pkt, s->client_version) + || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; + } /* Session ID */ - if (s->new_session) - i = 0; - else - i = s->session->session_id_length; - *(p++) = i; - if (i != 0) { - if (i > (int)sizeof(s->session->session_id)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - goto err; + session_id = s->session->session_id; + if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) { + if (s->version == TLS1_3_VERSION + && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { + sess_id_len = sizeof(s->tmp_session_id); + s->tmp_session_id_len = sess_id_len; + session_id = s->tmp_session_id; + if (s->hello_retry_request == SSL_HRR_NONE + && RAND_bytes(s->tmp_session_id, sess_id_len) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; + } + } else { + sess_id_len = 0; } - memcpy(p, s->session->session_id, i); - p += i; + } else { + assert(s->session->session_id_length <= sizeof(s->session->session_id)); + sess_id_len = s->session->session_id_length; + if (s->version == TLS1_3_VERSION) { + s->tmp_session_id_len = sess_id_len; + memcpy(s->tmp_session_id, s->session->session_id, sess_id_len); + } + } + if (!WPACKET_start_sub_packet_u8(pkt) + || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id, + sess_id_len)) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; } /* cookie stuff for DTLS */ if (SSL_IS_DTLS(s)) { - if (s->d1->cookie_len > sizeof(s->d1->cookie)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - goto err; + if (s->d1->cookie_len > sizeof(s->d1->cookie) + || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, + s->d1->cookie_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; } - *(p++) = s->d1->cookie_len; - memcpy(p, s->d1->cookie, s->d1->cookie_len); - p += s->d1->cookie_len; } /* Ciphers supported */ - i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2])); - if (i == 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE); - goto err; + if (!WPACKET_start_sub_packet_u16(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; } -#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH - /* - * Some servers hang if client hello > 256 bytes as hack workaround - * chop number of supported ciphers to keep it well below this if we - * use TLS v1.2 - */ - if (TLS1_get_version(s) >= TLS1_2_VERSION - && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) - i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; -#endif - s2n(i, p); - p += i; - /* COMPRESSION */ -#ifdef OPENSSL_NO_COMP - *(p++) = 1; -#else - - if (!ssl_allow_compression(s) || !s->ctx->comp_methods) - j = 0; - else - j = sk_SSL_COMP_num(s->ctx->comp_methods); - *(p++) = 1 + j; - for (i = 0; i < j; i++) { - comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); - *(p++) = comp->id; + if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) { + /* SSLfatal() already called */ + return 0; + } + if (!WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; } -#endif - *(p++) = 0; /* Add the NULL method */ - /* TLS extensions */ - if (ssl_prepare_clienthello_tlsext(s) <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); - goto err; + /* COMPRESSION */ + if (!WPACKET_start_sub_packet_u8(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; } - if ((p = - ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH, - &al)) == NULL) { - ssl3_send_alert(s, SSL3_AL_FATAL, al); - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - goto err; +#ifndef OPENSSL_NO_COMP + if (ssl_allow_compression(s) + && s->ctx->comp_methods + && (SSL_IS_DTLS(s) || s->s3->tmp.max_ver < TLS1_3_VERSION)) { + int compnum = sk_SSL_COMP_num(s->ctx->comp_methods); + for (i = 0; i < compnum; i++) { + comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); + if (!WPACKET_put_bytes_u8(pkt, comp->id)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + } +#endif + /* Add the NULL method */ + if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; } - l = p - d; - if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - goto err; + /* TLS extensions */ + if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) { + /* SSLfatal() already called */ + return 0; } return 1; - err: - ossl_statem_set_error(s); - return 0; } MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt) { - int al; - unsigned int cookie_len; + size_t cookie_len; PACKET cookiepkt; if (!PACKET_forward(pkt, 2) || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY, + SSL_R_LENGTH_MISMATCH); + return MSG_PROCESS_ERROR; } cookie_len = PACKET_remaining(&cookiepkt); if (cookie_len > sizeof(s->d1->cookie)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS_PROCESS_HELLO_VERIFY, + SSL_R_LENGTH_TOO_LONG); + return MSG_PROCESS_ERROR; } if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY, + SSL_R_LENGTH_MISMATCH); + return MSG_PROCESS_ERROR; } s->d1->cookie_len = cookie_len; return MSG_PROCESS_FINISHED_READING; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); - return MSG_PROCESS_ERROR; } -MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) +static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) { STACK_OF(SSL_CIPHER) *sk; const SSL_CIPHER *c; - PACKET session_id; + int i; + + c = ssl_get_cipher_by_char(s, cipherchars, 0); + if (c == NULL) { + /* unknown cipher */ + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, + SSL_R_UNKNOWN_CIPHER_RETURNED); + return 0; + } + /* + * If it is a disabled cipher we either didn't send it in client hello, + * or it's not allowed for the selected protocol. So we return an error. + */ + if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, + SSL_R_WRONG_CIPHER_RETURNED); + return 0; + } + + sk = ssl_get_ciphers_by_id(s); + i = sk_SSL_CIPHER_find(sk, c); + if (i < 0) { + /* we did not say we would use this cipher */ + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, + SSL_R_WRONG_CIPHER_RETURNED); + return 0; + } + + if (SSL_IS_TLS13(s) && s->s3->tmp.new_cipher != NULL + && s->s3->tmp.new_cipher->id != c->id) { + /* ServerHello selected a different ciphersuite to that in the HRR */ + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, + SSL_R_WRONG_CIPHER_RETURNED); + return 0; + } + + /* + * Depending on the session caching (internal/external), the cipher + * and/or cipher_id values may not be set. Make sure that cipher_id is + * set and use it for comparison. + */ + if (s->session->cipher != NULL) + s->session->cipher_id = s->session->cipher->id; + if (s->hit && (s->session->cipher_id != c->id)) { + if (SSL_IS_TLS13(s)) { + /* + * In TLSv1.3 it is valid for the server to select a different + * ciphersuite as long as the hash is the same. + */ + if (ssl_md(c->algorithm2) + != ssl_md(s->session->cipher->algorithm2)) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_SET_CLIENT_CIPHERSUITE, + SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED); + return 0; + } + } else { + /* + * Prior to TLSv1.3 resuming a session always meant using the same + * ciphersuite. + */ + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, + SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); + return 0; + } + } + s->s3->tmp.new_cipher = c; + + return 1; +} + +MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) +{ + PACKET session_id, extpkt; size_t session_id_len; const unsigned char *cipherchars; - int i, al = SSL_AD_INTERNAL_ERROR; + int hrr = 0; unsigned int compression; unsigned int sversion; - int protverr; + unsigned int context; + RAW_EXTENSION *extensions = NULL; #ifndef OPENSSL_NO_COMP SSL_COMP *comp; #endif if (!PACKET_get_net_2(pkt, &sversion)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; - } - - protverr = ssl_choose_client_version(s, sversion); - if (protverr != 0) { - al = SSL_AD_PROTOCOL_VERSION; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, protverr); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } - /* load the server hello data */ /* load the server random */ - if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + if (s->version == TLS1_3_VERSION + && sversion == TLS1_2_VERSION + && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE + && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) { + s->hello_retry_request = SSL_HRR_PENDING; + hrr = 1; + if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; + } + } else { + if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; + } } - s->hit = 0; - /* Get the session-id. */ if (!PACKET_get_length_prefixed_1(pkt, &session_id)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } session_id_len = PACKET_remaining(&session_id); if (session_id_len > sizeof(s->session->session_id) || session_id_len > SSL3_SESSION_ID_SIZE) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_SSL3_SESSION_ID_TOO_LONG); + goto err; } if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; + } + + if (!PACKET_get_1(pkt, &compression)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; + } + + /* TLS extensions */ + if (PACKET_remaining(pkt) == 0 && !hrr) { + PACKET_null_init(&extpkt); + } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt) + || PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_BAD_LENGTH); + goto err; + } + + if (!hrr) { + if (!tls_collect_extensions(s, &extpkt, + SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_3_SERVER_HELLO, + &extensions, NULL, 1)) { + /* SSLfatal() already called */ + goto err; + } + + if (!ssl_choose_client_version(s, sversion, extensions)) { + /* SSLfatal() already called */ + goto err; + } + } + + if (SSL_IS_TLS13(s) || hrr) { + if (compression != 0) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_INVALID_COMPRESSION_ALGORITHM); + goto err; + } + + if (session_id_len != s->tmp_session_id_len + || memcmp(PACKET_data(&session_id), s->tmp_session_id, + session_id_len) != 0) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INVALID_SESSION_ID); + goto err; + } + } + + if (hrr) { + if (!set_client_ciphersuite(s, cipherchars)) { + /* SSLfatal() already called */ + goto err; + } + + return tls_process_as_hello_retry_request(s, &extpkt); } /* - * Check if we can resume the session based on external pre-shared secret. - * EAP-FAST (RFC 4851) supports two types of session resumption. - * Resumption based on server-side state works with session IDs. - * Resumption based on pre-shared Protected Access Credentials (PACs) - * works by overriding the SessionTicket extension at the application - * layer, and does not send a session ID. (We do not know whether EAP-FAST - * servers would honour the session ID.) Therefore, the session ID alone - * is not a reliable indicator of session resumption, so we first check if - * we can resume, and later peek at the next handshake message to see if the - * server wants to resume. + * Now we have chosen the version we need to check again that the extensions + * are appropriate for this version. */ - if (s->version >= TLS1_VERSION && s->tls_session_secret_cb && - s->session->tlsext_tick) { - const SSL_CIPHER *pref_cipher = NULL; - s->session->master_key_length = sizeof(s->session->master_key); - if (s->tls_session_secret_cb(s, s->session->master_key, - &s->session->master_key_length, - NULL, &pref_cipher, - s->tls_session_secret_cb_arg)) { - s->session->cipher = pref_cipher ? - pref_cipher : ssl_get_cipher_by_char(s, cipherchars); - } else { - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; + context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO + : SSL_EXT_TLS1_2_SERVER_HELLO; + if (!tls_validate_all_contexts(s, context, extensions)) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_BAD_EXTENSION); + goto err; + } + + s->hit = 0; + + if (SSL_IS_TLS13(s)) { + /* + * In TLSv1.3 a ServerHello message signals a key change so the end of + * the message must be on a record boundary. + */ + if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_NOT_ON_RECORD_BOUNDARY); + goto err; + } + + /* This will set s->hit if we are resuming */ + if (!tls_parse_extension(s, TLSEXT_IDX_psk, + SSL_EXT_TLS1_3_SERVER_HELLO, + extensions, NULL, 0)) { + /* SSLfatal() already called */ + goto err; + } + } else { + /* + * Check if we can resume the session based on external pre-shared + * secret. EAP-FAST (RFC 4851) supports two types of session resumption. + * Resumption based on server-side state works with session IDs. + * Resumption based on pre-shared Protected Access Credentials (PACs) + * works by overriding the SessionTicket extension at the application + * layer, and does not send a session ID. (We do not know whether + * EAP-FAST servers would honour the session ID.) Therefore, the session + * ID alone is not a reliable indicator of session resumption, so we + * first check if we can resume, and later peek at the next handshake + * message to see if the server wants to resume. + */ + if (s->version >= TLS1_VERSION + && s->ext.session_secret_cb != NULL && s->session->ext.tick) { + const SSL_CIPHER *pref_cipher = NULL; + /* + * s->session->master_key_length is a size_t, but this is an int for + * backwards compat reasons + */ + int master_key_length; + master_key_length = sizeof(s->session->master_key); + if (s->ext.session_secret_cb(s, s->session->master_key, + &master_key_length, + NULL, &pref_cipher, + s->ext.session_secret_cb_arg) + && master_key_length > 0) { + s->session->master_key_length = master_key_length; + s->session->cipher = pref_cipher ? + pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0); + } else { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR); + goto err; + } } + + if (session_id_len != 0 + && session_id_len == s->session->session_id_length + && memcmp(PACKET_data(&session_id), s->session->session_id, + session_id_len) == 0) + s->hit = 1; } - if (session_id_len != 0 && session_id_len == s->session->session_id_length - && memcmp(PACKET_data(&session_id), s->session->session_id, - session_id_len) == 0) { + if (s->hit) { if (s->sid_ctx_length != s->session->sid_ctx_length - || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { + || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { /* actually a client application bug */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); + goto err; } - s->hit = 1; } else { /* * If we were trying for session-id reuse but the server - * didn't echo the ID, make a new SSL_SESSION. + * didn't resume, make a new SSL_SESSION. * In the case of EAP-FAST and PAC, we do not send a session ID, * so the PAC-based session secret is always preserved. It'll be * overwritten if the server refuses resumption. */ - if (s->session->session_id_length > 0) { - s->ctx->stats.sess_miss++; + if (s->session->session_id_length > 0 + || (SSL_IS_TLS13(s) + && s->session->ext.tick_identity + != TLSEXT_PSK_BAD_IDENTITY)) { + tsan_counter(&s->session_ctx->stats.sess_miss); if (!ssl_get_new_session(s, 0)) { - goto f_err; + /* SSLfatal() already called */ + goto err; } } s->session->ssl_version = s->version; - s->session->session_id_length = session_id_len; - /* session_id_len could be 0 */ - if (session_id_len > 0) - memcpy(s->session->session_id, PACKET_data(&session_id), - session_id_len); + /* + * In TLSv1.2 and below we save the session id we were sent so we can + * resume it later. In TLSv1.3 the session id we were sent is just an + * echo of what we originally sent in the ClientHello and should not be + * used for resumption. + */ + if (!SSL_IS_TLS13(s)) { + s->session->session_id_length = session_id_len; + /* session_id_len could be 0 */ + if (session_id_len > 0) + memcpy(s->session->session_id, PACKET_data(&session_id), + session_id_len); + } } /* Session version and negotiated protocol version should match */ if (s->version != s->session->ssl_version) { - al = SSL_AD_PROTOCOL_VERSION; - - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_SSL_SESSION_VERSION_MISMATCH); - goto f_err; - } - - c = ssl_get_cipher_by_char(s, cipherchars); - if (c == NULL) { - /* unknown cipher */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED); - goto f_err; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_SSL_SESSION_VERSION_MISMATCH); + goto err; } /* * Now that we know the version, update the check to see if it's an allowed @@ -1049,100 +1659,57 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) */ s->s3->tmp.min_ver = s->version; s->s3->tmp.max_ver = s->version; - /* - * If it is a disabled cipher we either didn't send it in client hello, - * or it's not allowed for the selected protocol. So we return an error. - */ - if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED); - goto f_err; - } - sk = ssl_get_ciphers_by_id(s); - i = sk_SSL_CIPHER_find(sk, c); - if (i < 0) { - /* we did not say we would use this cipher */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED); - goto f_err; + if (!set_client_ciphersuite(s, cipherchars)) { + /* SSLfatal() already called */ + goto err; } - /* - * Depending on the session caching (internal/external), the cipher - * and/or cipher_id values may not be set. Make sure that cipher_id is - * set and use it for comparison. - */ - if (s->session->cipher) - s->session->cipher_id = s->session->cipher->id; - if (s->hit && (s->session->cipher_id != c->id)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); - goto f_err; - } - s->s3->tmp.new_cipher = c; - /* lets get the compression algorithm */ - /* COMPRESSION */ - if (!PACKET_get_1(pkt, &compression)) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } #ifdef OPENSSL_NO_COMP if (compression != 0) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); + goto err; } /* * If compression is disabled we'd better not try to resume a session * using compression. */ if (s->session->compress_meth != 0) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INCONSISTENT_COMPRESSION); - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_INCONSISTENT_COMPRESSION); + goto err; } #else if (s->hit && compression != s->session->compress_meth) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); + goto err; } if (compression == 0) comp = NULL; else if (!ssl_allow_compression(s)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_COMPRESSION_DISABLED); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_COMPRESSION_DISABLED); + goto err; } else { comp = ssl3_comp_find(s->ctx->comp_methods, compression); } if (compression != 0 && comp == NULL) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); + goto err; } else { s->s3->tmp.new_compression = comp; } #endif - /* TLS extensions */ - if (!ssl_parse_serverhello_tlsext(s, pkt)) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_PARSE_TLSEXT); + if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) { + /* SSLfatal() already called */ goto err; } - if (PACKET_remaining(pkt) != 0) { - /* wrong packet length */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH); - goto f_err; - } #ifndef OPENSSL_NO_SCTP if (SSL_IS_DTLS(s) && s->hit) { unsigned char sctpauthkey[64]; @@ -1158,8 +1725,11 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) if (SSL_export_keying_material(s, sctpauthkey, sizeof(sctpauthkey), labelbuffer, - sizeof(labelbuffer), NULL, 0, 0) <= 0) + sizeof(labelbuffer), NULL, 0, 0) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + ERR_R_INTERNAL_ERROR); goto err; + } BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, @@ -1167,58 +1737,168 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) } #endif + /* + * In TLSv1.3 we have some post-processing to change cipher state, otherwise + * we're done with this message + */ + if (SSL_IS_TLS13(s) + && (!s->method->ssl3_enc->setup_key_block(s) + || !s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) { + /* SSLfatal() already called */ + goto err; + } + + OPENSSL_free(extensions); return MSG_PROCESS_CONTINUE_READING; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); err: - ossl_statem_set_error(s); + OPENSSL_free(extensions); + return MSG_PROCESS_ERROR; +} + +static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, + PACKET *extpkt) +{ + RAW_EXTENSION *extensions = NULL; + + /* + * If we were sending early_data then the enc_write_ctx is now invalid and + * should not be used. + */ + EVP_CIPHER_CTX_free(s->enc_write_ctx); + s->enc_write_ctx = NULL; + + if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, + &extensions, NULL, 1) + || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, + extensions, NULL, 0, 1)) { + /* SSLfatal() already called */ + goto err; + } + + OPENSSL_free(extensions); + extensions = NULL; + + if (s->ext.tls13_cookie_len == 0 +#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) + && s->s3->tmp.pkey != NULL +#endif + ) { + /* + * We didn't receive a cookie or a new key_share so the next + * ClientHello will not change + */ + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_AS_HELLO_RETRY_REQUEST, + SSL_R_NO_CHANGE_FOLLOWING_HRR); + goto err; + } + + /* + * Re-initialise the Transcript Hash. We're going to prepopulate it with + * a synthetic message_hash in place of ClientHello1. + */ + if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { + /* SSLfatal() already called */ + goto err; + } + + /* + * Add this message to the Transcript Hash. Normally this is done + * automatically prior to the message processing stage. However due to the + * need to create the synthetic message hash, we defer that step until now + * for HRR messages. + */ + if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, + s->init_num + SSL3_HM_HEADER_LENGTH)) { + /* SSLfatal() already called */ + goto err; + } + + return MSG_PROCESS_FINISHED_READING; + err: + OPENSSL_free(extensions); return MSG_PROCESS_ERROR; } MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) { - int al, i, ret = MSG_PROCESS_ERROR, exp_idx; + int i; + MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; unsigned long cert_list_len, cert_len; X509 *x = NULL; const unsigned char *certstart, *certbytes; STACK_OF(X509) *sk = NULL; EVP_PKEY *pkey = NULL; + size_t chainidx, certidx; + unsigned int context = 0; + const SSL_CERT_LOOKUP *clu; if ((sk = sk_X509_new_null()) == NULL) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + ERR_R_MALLOC_FAILURE); goto err; } - if (!PACKET_get_net_3(pkt, &cert_list_len) - || PACKET_remaining(pkt) != cert_list_len) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH); - goto f_err; + if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) + || context != 0 + || !PACKET_get_net_3(pkt, &cert_list_len) + || PACKET_remaining(pkt) != cert_list_len + || PACKET_remaining(pkt) == 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_LENGTH_MISMATCH); + goto err; } - while (PACKET_remaining(pkt)) { + for (chainidx = 0; PACKET_remaining(pkt); chainidx++) { if (!PACKET_get_net_3(pkt, &cert_len) || !PACKET_get_bytes(pkt, &certbytes, cert_len)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, - SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_CERT_LENGTH_MISMATCH); + goto err; } certstart = certbytes; x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len); if (x == NULL) { - al = SSL_AD_BAD_CERTIFICATE; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB); - goto f_err; + SSLfatal(s, SSL_AD_BAD_CERTIFICATE, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB); + goto err; } if (certbytes != (certstart + cert_len)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, - SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_CERT_LENGTH_MISMATCH); + goto err; } + + if (SSL_IS_TLS13(s)) { + RAW_EXTENSION *rawexts = NULL; + PACKET extensions; + + if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_BAD_LENGTH); + goto err; + } + if (!tls_collect_extensions(s, &extensions, + SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, + NULL, chainidx == 0) + || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, + rawexts, x, chainidx, + PACKET_remaining(pkt) == 0)) { + OPENSSL_free(rawexts); + /* SSLfatal already called */ + goto err; + } + OPENSSL_free(rawexts); + } + if (!sk_X509_push(sk, x)) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + ERR_R_MALLOC_FAILURE); goto err; } x = NULL; @@ -1240,16 +1920,16 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) * set. The *documented* interface remains the same. */ if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { - al = ssl_verify_alarm_type(s->verify_result); - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, - SSL_R_CERTIFICATE_VERIFY_FAILED); - goto f_err; + SSLfatal(s, ssl_x509err2alert(s->verify_result), + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_CERTIFICATE_VERIFY_FAILED); + goto err; } ERR_clear_error(); /* but we keep s->verify_result */ if (i > 1) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i); - al = SSL_AD_HANDSHAKE_FAILURE; - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i); + goto err; } s->session->peer_chain = sk; @@ -1264,54 +1944,58 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) { x = NULL; - al = SSL3_AL_FATAL; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, - SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); + goto err; } - i = ssl_cert_type(x, pkey); - if (i < 0) { + if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) { x = NULL; - al = SSL3_AL_FATAL; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, - SSL_R_UNKNOWN_CERTIFICATE_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_UNKNOWN_CERTIFICATE_TYPE); + goto err; } - - exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher); - if (exp_idx >= 0 && i != exp_idx - && (exp_idx != SSL_PKEY_GOST_EC || - (i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256 - && i != SSL_PKEY_GOST01))) { - x = NULL; - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, - SSL_R_WRONG_CERTIFICATE_TYPE); - goto f_err; + /* + * Check certificate type is consistent with ciphersuite. For TLS 1.3 + * skip check since TLS 1.3 ciphersuites can be used with any certificate + * type. + */ + if (!SSL_IS_TLS13(s)) { + if ((clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0) { + x = NULL; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_WRONG_CERTIFICATE_TYPE); + goto err; + } } - s->session->peer_type = i; + s->session->peer_type = certidx; X509_free(s->session->peer); X509_up_ref(x); s->session->peer = x; s->session->verify_result = s->verify_result; - x = NULL; + + /* Save the current hash state for when we receive the CertificateVerify */ + if (SSL_IS_TLS13(s) + && !ssl_handshake_hash(s, s->cert_verify_hash, + sizeof(s->cert_verify_hash), + &s->cert_verify_hash_len)) { + /* SSLfatal() already called */; + goto err; + } + ret = MSG_PROCESS_CONTINUE_READING; - goto done; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); err: - ossl_statem_set_error(s); - done: X509_free(x); sk_X509_pop_free(sk, X509_free); return ret; } -static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt, int *al) +static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt) { #ifndef OPENSSL_NO_PSK PACKET psk_identity_hint; @@ -1319,8 +2003,8 @@ static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt, int *al) /* PSK ciphersuites are preceded by an identity hint */ if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, SSL_R_LENGTH_MISMATCH); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, + SSL_R_LENGTH_MISMATCH); return 0; } @@ -1331,8 +2015,9 @@ static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt, int *al) * identity. */ if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, SSL_R_DATA_LENGTH_TOO_LONG); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, + SSL_R_DATA_LENGTH_TOO_LONG); return 0; } @@ -1341,19 +2026,20 @@ static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt, int *al) s->session->psk_identity_hint = NULL; } else if (!PACKET_strndup(&psk_identity_hint, &s->session->psk_identity_hint)) { - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, + ERR_R_INTERNAL_ERROR); return 0; } return 1; #else - SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) +static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey) { #ifndef OPENSSL_NO_SRP PACKET prime, generator, salt, server_pub; @@ -1362,31 +2048,31 @@ static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) || !PACKET_get_length_prefixed_2(pkt, &generator) || !PACKET_get_length_prefixed_1(pkt, &salt) || !PACKET_get_length_prefixed_2(pkt, &server_pub)) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, SSL_R_LENGTH_MISMATCH); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_SRP, + SSL_R_LENGTH_MISMATCH); return 0; } + /* TODO(size_t): Convert BN_bin2bn() calls */ if ((s->srp_ctx.N = BN_bin2bn(PACKET_data(&prime), - PACKET_remaining(&prime), NULL)) == NULL + (int)PACKET_remaining(&prime), NULL)) == NULL || (s->srp_ctx.g = BN_bin2bn(PACKET_data(&generator), - PACKET_remaining(&generator), NULL)) == NULL + (int)PACKET_remaining(&generator), NULL)) == NULL || (s->srp_ctx.s = BN_bin2bn(PACKET_data(&salt), - PACKET_remaining(&salt), NULL)) == NULL + (int)PACKET_remaining(&salt), NULL)) == NULL || (s->srp_ctx.B = BN_bin2bn(PACKET_data(&server_pub), - PACKET_remaining(&server_pub), NULL)) == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, ERR_R_BN_LIB); + (int)PACKET_remaining(&server_pub), NULL)) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_SRP, + ERR_R_BN_LIB); return 0; } - if (!srp_verify_server_param(s, al)) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, SSL_R_BAD_SRP_PARAMETERS); + if (!srp_verify_server_param(s)) { + /* SSLfatal() already called */ return 0; } @@ -1396,13 +2082,13 @@ static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) return 1; #else - SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, ERR_R_INTERNAL_ERROR); - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_SRP, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) +static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) { #ifndef OPENSSL_NO_DH PACKET prime, generator, pub_key; @@ -1416,8 +2102,8 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) if (!PACKET_get_length_prefixed_2(pkt, &prime) || !PACKET_get_length_prefixed_2(pkt, &generator) || !PACKET_get_length_prefixed_2(pkt, &pub_key)) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_LENGTH_MISMATCH); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, + SSL_R_LENGTH_MISMATCH); return 0; } @@ -1425,57 +2111,59 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) dh = DH_new(); if (peer_tmp == NULL || dh == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, + ERR_R_MALLOC_FAILURE); goto err; } - p = BN_bin2bn(PACKET_data(&prime), PACKET_remaining(&prime), NULL); - g = BN_bin2bn(PACKET_data(&generator), PACKET_remaining(&generator), NULL); - bnpub_key = BN_bin2bn(PACKET_data(&pub_key), PACKET_remaining(&pub_key), - NULL); + /* TODO(size_t): Convert these calls */ + p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL); + g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator), + NULL); + bnpub_key = BN_bin2bn(PACKET_data(&pub_key), + (int)PACKET_remaining(&pub_key), NULL); if (p == NULL || g == NULL || bnpub_key == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, + ERR_R_BN_LIB); goto err; } /* test non-zero pubkey */ if (BN_is_zero(bnpub_key)) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_BAD_DH_VALUE); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_DHE, + SSL_R_BAD_DH_VALUE); goto err; } if (!DH_set0_pqg(dh, p, NULL, g)) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, + ERR_R_BN_LIB); goto err; } p = g = NULL; if (DH_check_params(dh, &check_bits) == 0 || check_bits != 0) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_BAD_DH_VALUE); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_DHE, + SSL_R_BAD_DH_VALUE); goto err; } if (!DH_set0_key(dh, bnpub_key, NULL)) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, + ERR_R_BN_LIB); goto err; } bnpub_key = NULL; if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_DH_KEY_TOO_SMALL); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE, + SSL_R_DH_KEY_TOO_SMALL); goto err; } if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_EVP_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, + ERR_R_EVP_LIB); goto err; } @@ -1500,87 +2188,56 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) return 0; #else - SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_INTERNAL_ERROR); - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) +static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) { #ifndef OPENSSL_NO_EC PACKET encoded_pt; - const unsigned char *ecparams; - int curve_nid; - unsigned int curve_flags; - EVP_PKEY_CTX *pctx = NULL; + unsigned int curve_type, curve_id; /* * Extract elliptic curve parameters and the server's ephemeral ECDH - * public key. For now we only support named (not generic) curves and + * public key. We only support named (not generic) curves and * ECParameters in this case is just three bytes. */ - if (!PACKET_get_bytes(pkt, &ecparams, 3)) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_LENGTH_TOO_SHORT); + if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, + SSL_R_LENGTH_TOO_SHORT); return 0; } /* - * Check curve is one of our preferences, if not server has sent an - * invalid curve. ECParameters is 3 bytes. + * Check curve is named curve type and one of our preferences, if not + * server has sent an invalid curve. */ - if (!tls1_check_curve(s, ecparams, 3)) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_WRONG_CURVE); + if (curve_type != NAMED_CURVE_TYPE + || !tls1_check_group_id(s, curve_id, 1)) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE, + SSL_R_WRONG_CURVE); return 0; } - curve_nid = tls1_ec_curve_id2nid(*(ecparams + 2), &curve_flags); - - if (curve_nid == 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, - SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); + if ((s->s3->peer_tmp = ssl_generate_param_group(curve_id)) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, + SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); return 0; } - if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) { - EVP_PKEY *key = EVP_PKEY_new(); - - if (key == NULL || !EVP_PKEY_set_type(key, curve_nid)) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, ERR_R_EVP_LIB); - EVP_PKEY_free(key); - return 0; - } - s->s3->peer_tmp = key; - } else { - /* Set up EVP_PKEY with named curve as parameters */ - pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); - if (pctx == NULL - || EVP_PKEY_paramgen_init(pctx) <= 0 - || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, curve_nid) <= 0 - || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, ERR_R_EVP_LIB); - EVP_PKEY_CTX_free(pctx); - return 0; - } - EVP_PKEY_CTX_free(pctx); - pctx = NULL; - } - if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_LENGTH_MISMATCH); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, + SSL_R_LENGTH_MISMATCH); return 0; } if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp, PACKET_data(&encoded_pt), PACKET_remaining(&encoded_pt))) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_BAD_ECPOINT); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE, + SSL_R_BAD_ECPOINT); return 0; } @@ -1597,17 +2254,18 @@ static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) return 1; #else - SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, ERR_R_INTERNAL_ERROR); - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, + ERR_R_INTERNAL_ERROR); return 0; #endif } MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) { - int al = -1; long alg_k; EVP_PKEY *pkey = NULL; + EVP_MD_CTX *md_ctx = NULL; + EVP_PKEY_CTX *pctx = NULL; PACKET save_param_start, signature; alg_k = s->s3->tmp.new_cipher->algorithm_mkey; @@ -1620,24 +2278,32 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) #endif if (alg_k & SSL_PSK) { - if (!tls_process_ske_psk_preamble(s, pkt, &al)) + if (!tls_process_ske_psk_preamble(s, pkt)) { + /* SSLfatal() already called */ goto err; + } } /* Nothing else to do for plain PSK or RSAPSK */ if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) { } else if (alg_k & SSL_kSRP) { - if (!tls_process_ske_srp(s, pkt, &pkey, &al)) + if (!tls_process_ske_srp(s, pkt, &pkey)) { + /* SSLfatal() already called */ goto err; + } } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { - if (!tls_process_ske_dhe(s, pkt, &pkey, &al)) + if (!tls_process_ske_dhe(s, pkt, &pkey)) { + /* SSLfatal() already called */ goto err; + } } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { - if (!tls_process_ske_ecdhe(s, pkt, &pkey, &al)) + if (!tls_process_ske_ecdhe(s, pkt, &pkey)) { + /* SSLfatal() already called */ goto err; + } } else if (alg_k) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE); + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_EXCHANGE, + SSL_R_UNEXPECTED_MESSAGE); goto err; } @@ -1646,7 +2312,9 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) PACKET params; int maxsig; const EVP_MD *md = NULL; - EVP_MD_CTX *md_ctx; + unsigned char *tbs; + size_t tbslen; + int rv; /* * |pkt| now points to the beginning of the signature, so the difference @@ -1655,46 +2323,49 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) if (!PACKET_get_sub_packet(&save_param_start, ¶ms, PACKET_remaining(&save_param_start) - PACKET_remaining(pkt))) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); goto err; } if (SSL_USE_SIGALGS(s)) { - const unsigned char *sigalgs; - int rv; - if (!PACKET_get_bytes(pkt, &sigalgs, 2)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); + unsigned int sigalg; + + if (!PACKET_get_net_2(pkt, &sigalg)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, + SSL_R_LENGTH_TOO_SHORT); goto err; } - rv = tls12_check_peer_sigalg(&md, s, sigalgs, pkey); - if (rv == -1) { - al = SSL_AD_INTERNAL_ERROR; - goto err; - } else if (rv == 0) { - al = SSL_AD_DECODE_ERROR; + if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) { + /* SSLfatal() already called */ goto err; } + } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } + + if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef SSL_DEBUG + if (SSL_USE_SIGALGS(s)) fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); #endif - } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) { - md = EVP_md5_sha1(); - } else { - md = EVP_sha1(); - } if (!PACKET_get_length_prefixed_2(pkt, &signature) || PACKET_remaining(pkt) != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, + SSL_R_LENGTH_MISMATCH); goto err; } maxsig = EVP_PKEY_size(pkey); if (maxsig < 0) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); goto err; } @@ -1703,255 +2374,324 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) */ if (PACKET_remaining(&signature) > (size_t)maxsig) { /* wrong packet length */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_LENGTH); goto err; } md_ctx = EVP_MD_CTX_new(); if (md_ctx == NULL) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, + ERR_R_MALLOC_FAILURE); goto err; } - if (EVP_VerifyInit_ex(md_ctx, md, NULL) <= 0 - || EVP_VerifyUpdate(md_ctx, &(s->s3->client_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_VerifyUpdate(md_ctx, &(s->s3->server_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_VerifyUpdate(md_ctx, PACKET_data(¶ms), - PACKET_remaining(¶ms)) <= 0) { - EVP_MD_CTX_free(md_ctx); - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB); + if (EVP_DigestVerifyInit(md_ctx, &pctx, md, NULL, pkey) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, + ERR_R_EVP_LIB); + goto err; + } + if (SSL_USE_PSS(s)) { + if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 + || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, + RSA_PSS_SALTLEN_DIGEST) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB); + goto err; + } + } + tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(¶ms), + PACKET_remaining(¶ms)); + if (tbslen == 0) { + /* SSLfatal() already called */ goto err; } - if (EVP_VerifyFinal(md_ctx, PACKET_data(&signature), - PACKET_remaining(&signature), pkey) <= 0) { - /* bad signature */ - EVP_MD_CTX_free(md_ctx); - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE); + + rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature), + PACKET_remaining(&signature), tbs, tbslen); + OPENSSL_free(tbs); + if (rv <= 0) { + SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, + SSL_R_BAD_SIGNATURE); goto err; } EVP_MD_CTX_free(md_ctx); + md_ctx = NULL; } else { /* aNULL, aSRP or PSK do not need public keys */ if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) && !(alg_k & SSL_PSK)) { /* Might be wrong key type, check it */ if (ssl3_check_cert_and_algorithm(s)) { - /* Otherwise this shouldn't happen */ - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); - } else { - al = SSL_AD_DECODE_ERROR; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, + SSL_R_BAD_DATA); } + /* else this shouldn't happen, SSLfatal() already called */ goto err; } /* still data left over */ if (PACKET_remaining(pkt) != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_EXTRA_DATA_IN_MESSAGE); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, + SSL_R_EXTRA_DATA_IN_MESSAGE); goto err; } } return MSG_PROCESS_CONTINUE_READING; err: - if (al != -1) - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); + EVP_MD_CTX_free(md_ctx); return MSG_PROCESS_ERROR; } MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) { - int ret = MSG_PROCESS_ERROR; - unsigned int list_len, ctype_num, i, name_len; - X509_NAME *xn = NULL; - const unsigned char *data; - const unsigned char *namestart, *namebytes; - STACK_OF(X509_NAME) *ca_sk = NULL; + size_t i; - if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); - goto err; - } + /* Clear certificate validity flags */ + for (i = 0; i < SSL_PKEY_NUM; i++) + s->s3->tmp.valid_flags[i] = 0; - /* get the certificate types */ - if (!PACKET_get_1(pkt, &ctype_num) - || !PACKET_get_bytes(pkt, &data, ctype_num)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH); - goto err; - } - OPENSSL_free(s->cert->ctypes); - s->cert->ctypes = NULL; - if (ctype_num > SSL3_CT_NUMBER) { - /* If we exceed static buffer copy all to cert structure */ - s->cert->ctypes = OPENSSL_malloc(ctype_num); - if (s->cert->ctypes == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); - goto err; + if (SSL_IS_TLS13(s)) { + PACKET reqctx, extensions; + RAW_EXTENSION *rawexts = NULL; + + if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { + /* + * We already sent close_notify. This can only happen in TLSv1.3 + * post-handshake messages. We can't reasonably respond to this, so + * we just ignore it + */ + return MSG_PROCESS_FINISHED_READING; } - memcpy(s->cert->ctypes, data, ctype_num); - s->cert->ctype_num = (size_t)ctype_num; - ctype_num = SSL3_CT_NUMBER; - } - for (i = 0; i < ctype_num; i++) - s->s3->tmp.ctype[i] = data[i]; - if (SSL_USE_SIGALGS(s)) { - if (!PACKET_get_net_2(pkt, &list_len) - || !PACKET_get_bytes(pkt, &data, list_len)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, - SSL_R_LENGTH_MISMATCH); - goto err; + /* Free and zero certificate types: it is not present in TLS 1.3 */ + OPENSSL_free(s->s3->tmp.ctype); + s->s3->tmp.ctype = NULL; + s->s3->tmp.ctype_len = 0; + OPENSSL_free(s->pha_context); + s->pha_context = NULL; + + if (!PACKET_get_length_prefixed_1(pkt, &reqctx) || + !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, + SSL_R_LENGTH_MISMATCH); + return MSG_PROCESS_ERROR; } - /* Clear certificate digests and validity flags */ - for (i = 0; i < SSL_PKEY_NUM; i++) { - s->s3->tmp.md[i] = NULL; - s->s3->tmp.valid_flags[i] = 0; + if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, + SSL_R_BAD_LENGTH); + return MSG_PROCESS_ERROR; } - if ((list_len & 1) || !tls1_save_sigalgs(s, data, list_len)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, - SSL_R_SIGNATURE_ALGORITHMS_ERROR); - goto err; + if (!tls_collect_extensions(s, &extensions, + SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, + &rawexts, NULL, 1) + || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, + rawexts, NULL, 0, 1)) { + /* SSLfatal() already called */ + OPENSSL_free(rawexts); + return MSG_PROCESS_ERROR; } + OPENSSL_free(rawexts); if (!tls1_process_sigalgs(s)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); - goto err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, + SSL_R_BAD_LENGTH); + return MSG_PROCESS_ERROR; } } else { - ssl_set_default_md(s); - } + PACKET ctypes; - /* get the CA RDNs */ - if (!PACKET_get_net_2(pkt, &list_len) - || PACKET_remaining(pkt) != list_len) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH); - goto err; - } + /* get the certificate types */ + if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, + SSL_R_LENGTH_MISMATCH); + return MSG_PROCESS_ERROR; + } - while (PACKET_remaining(pkt)) { - if (!PACKET_get_net_2(pkt, &name_len) - || !PACKET_get_bytes(pkt, &namebytes, name_len)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, - SSL_R_LENGTH_MISMATCH); - goto err; + if (!PACKET_memdup(&ctypes, &s->s3->tmp.ctype, &s->s3->tmp.ctype_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); + return MSG_PROCESS_ERROR; } - namestart = namebytes; + if (SSL_USE_SIGALGS(s)) { + PACKET sigalgs; - if ((xn = d2i_X509_NAME(NULL, (const unsigned char **)&namebytes, - name_len)) == NULL) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB); - goto err; - } + if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, + SSL_R_LENGTH_MISMATCH); + return MSG_PROCESS_ERROR; + } - if (namebytes != (namestart + name_len)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, - SSL_R_CA_DN_LENGTH_MISMATCH); - goto err; + /* + * Despite this being for certificates, preserve compatibility + * with pre-TLS 1.3 and use the regular sigalgs field. + */ + if (!tls1_save_sigalgs(s, &sigalgs, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, + SSL_R_SIGNATURE_ALGORITHMS_ERROR); + return MSG_PROCESS_ERROR; + } + if (!tls1_process_sigalgs(s)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, + ERR_R_MALLOC_FAILURE); + return MSG_PROCESS_ERROR; + } } - if (!sk_X509_NAME_push(ca_sk, xn)) { - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); - goto err; + + /* get the CA RDNs */ + if (!parse_ca_names(s, pkt)) { + /* SSLfatal() already called */ + return MSG_PROCESS_ERROR; } - xn = NULL; + } + + if (PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, + SSL_R_LENGTH_MISMATCH); + return MSG_PROCESS_ERROR; } /* we should setup a certificate to return.... */ s->s3->tmp.cert_req = 1; - s->s3->tmp.ctype_num = ctype_num; - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); - s->s3->tmp.ca_names = ca_sk; - ca_sk = NULL; - ret = MSG_PROCESS_CONTINUE_PROCESSING; - goto done; - err: - ossl_statem_set_error(s); - done: - X509_NAME_free(xn); - sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); - return ret; -} + /* + * In TLSv1.3 we don't prepare the client certificate yet. We wait until + * after the CertificateVerify message has been received. This is because + * in TLSv1.3 the CertificateRequest arrives before the Certificate message + * but in TLSv1.2 it is the other way around. We want to make sure that + * SSL_get_peer_certificate() returns something sensible in + * client_cert_cb. + */ + if (SSL_IS_TLS13(s) && s->post_handshake_auth != SSL_PHA_REQUESTED) + return MSG_PROCESS_CONTINUE_READING; -static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b) -{ - return (X509_NAME_cmp(*a, *b)); + return MSG_PROCESS_CONTINUE_PROCESSING; } MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) { - int al; unsigned int ticklen; - unsigned long ticket_lifetime_hint; + unsigned long ticket_lifetime_hint, age_add = 0; + unsigned int sess_len; + RAW_EXTENSION *exts = NULL; + PACKET nonce; + + PACKET_null_init(&nonce); if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint) + || (SSL_IS_TLS13(s) + && (!PACKET_get_net_4(pkt, &age_add) + || !PACKET_get_length_prefixed_1(pkt, &nonce))) || !PACKET_get_net_2(pkt, &ticklen) - || PACKET_remaining(pkt) != ticklen) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH); - goto f_err; + || (SSL_IS_TLS13(s) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen) + : PACKET_remaining(pkt) != ticklen)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, + SSL_R_LENGTH_MISMATCH); + goto err; } - /* Server is allowed to change its mind and send an empty ticket. */ + /* + * Server is allowed to change its mind (in <=TLSv1.2) and send an empty + * ticket. We already checked this TLSv1.3 case above, so it should never + * be 0 here in that instance + */ if (ticklen == 0) return MSG_PROCESS_CONTINUE_READING; - if (s->session->session_id_length > 0) { - int i = s->session_ctx->session_cache_mode; + /* + * Sessions must be immutable once they go into the session cache. Otherwise + * we can get multi-thread problems. Therefore we don't "update" sessions, + * we replace them with a duplicate. In TLSv1.3 we need to do this every + * time a NewSessionTicket arrives because those messages arrive + * post-handshake and the session may have already gone into the session + * cache. + */ + if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) { SSL_SESSION *new_sess; + /* * We reused an existing session, so we need to replace it with a new * one */ - if (i & SSL_SESS_CACHE_CLIENT) { + if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, + ERR_R_MALLOC_FAILURE); + goto err; + } + + if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 + && !SSL_IS_TLS13(s)) { /* - * Remove the old session from the cache. We carry on if this fails + * In TLSv1.2 and below the arrival of a new tickets signals that + * any old ticket we were using is now out of date, so we remove the + * old session from the cache. We carry on if this fails */ SSL_CTX_remove_session(s->session_ctx, s->session); } - if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); - goto f_err; - } - SSL_SESSION_free(s->session); s->session = new_sess; } - OPENSSL_free(s->session->tlsext_tick); - s->session->tlsext_ticklen = 0; + /* + * Technically the cast to long here is not guaranteed by the C standard - + * but we use it elsewhere, so this should be ok. + */ + s->session->time = (long)time(NULL); + + OPENSSL_free(s->session->ext.tick); + s->session->ext.tick = NULL; + s->session->ext.ticklen = 0; - s->session->tlsext_tick = OPENSSL_malloc(ticklen); - if (s->session->tlsext_tick == NULL) { - SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); + s->session->ext.tick = OPENSSL_malloc(ticklen); + if (s->session->ext.tick == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, + ERR_R_MALLOC_FAILURE); goto err; } - if (!PACKET_copy_bytes(pkt, s->session->tlsext_tick, ticklen)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH); - goto f_err; + if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, + SSL_R_LENGTH_MISMATCH); + goto err; + } + + s->session->ext.tick_lifetime_hint = ticket_lifetime_hint; + s->session->ext.tick_age_add = age_add; + s->session->ext.ticklen = ticklen; + + if (SSL_IS_TLS13(s)) { + PACKET extpkt; + + if (!PACKET_as_length_prefixed_2(pkt, &extpkt) + || PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, + SSL_R_LENGTH_MISMATCH); + goto err; + } + + if (!tls_collect_extensions(s, &extpkt, + SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts, + NULL, 1) + || !tls_parse_all_extensions(s, + SSL_EXT_TLS1_3_NEW_SESSION_TICKET, + exts, NULL, 0, 1)) { + /* SSLfatal() already called */ + goto err; + } } - s->session->tlsext_tick_lifetime_hint = ticket_lifetime_hint; - s->session->tlsext_ticklen = ticklen; /* * There are two ways to detect a resumed ticket session. One is to set * an appropriate session ID and then the server must return a match in @@ -1963,123 +2703,186 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is * SHA256 is disabled) hash of the ticket. */ - if (!EVP_Digest(s->session->tlsext_tick, ticklen, - s->session->session_id, &s->session->session_id_length, + /* + * TODO(size_t): we use sess_len here because EVP_Digest expects an int + * but s->session->session_id_length is a size_t + */ + if (!EVP_Digest(s->session->ext.tick, ticklen, + s->session->session_id, &sess_len, EVP_sha256(), NULL)) { - SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_EVP_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, + ERR_R_EVP_LIB); goto err; } + s->session->session_id_length = sess_len; + s->session->not_resumable = 0; + + /* This is a standalone message in TLSv1.3, so there is no more to read */ + if (SSL_IS_TLS13(s)) { + const EVP_MD *md = ssl_handshake_md(s); + int hashleni = EVP_MD_size(md); + size_t hashlen; + static const unsigned char nonce_label[] = "resumption"; + + /* Ensure cast to size_t is safe */ + if (!ossl_assert(hashleni >= 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, + ERR_R_INTERNAL_ERROR); + goto err; + } + hashlen = (size_t)hashleni; + + if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, + nonce_label, + sizeof(nonce_label) - 1, + PACKET_data(&nonce), + PACKET_remaining(&nonce), + s->session->master_key, + hashlen)) { + /* SSLfatal() already called */ + goto err; + } + s->session->master_key_length = hashlen; + + OPENSSL_free(exts); + ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); + return MSG_PROCESS_FINISHED_READING; + } + return MSG_PROCESS_CONTINUE_READING; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); err: - ossl_statem_set_error(s); + OPENSSL_free(exts); return MSG_PROCESS_ERROR; } -MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt) +/* + * In TLSv1.3 this is called from the extensions code, otherwise it is used to + * parse a separate message. Returns 1 on success or 0 on failure + */ +int tls_process_cert_status_body(SSL *s, PACKET *pkt) { - int al; - unsigned long resplen; + size_t resplen; unsigned int type; if (!PACKET_get_1(pkt, &type) || type != TLSEXT_STATUSTYPE_ocsp) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, + SSL_R_UNSUPPORTED_STATUS_TYPE); + return 0; } - if (!PACKET_get_net_3(pkt, &resplen) + if (!PACKET_get_net_3_len(pkt, &resplen) || PACKET_remaining(pkt) != resplen) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_LENGTH_MISMATCH); - goto f_err; - } - s->tlsext_ocsp_resp = OPENSSL_malloc(resplen); - if (s->tlsext_ocsp_resp == NULL) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, ERR_R_MALLOC_FAILURE); - goto f_err; - } - if (!PACKET_copy_bytes(pkt, s->tlsext_ocsp_resp, resplen)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_LENGTH_MISMATCH); - goto f_err; - } - s->tlsext_ocsp_resplen = resplen; - return MSG_PROCESS_CONTINUE_READING; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); - return MSG_PROCESS_ERROR; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, + SSL_R_LENGTH_MISMATCH); + return 0; + } + s->ext.ocsp.resp = OPENSSL_malloc(resplen); + if (s->ext.ocsp.resp == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, + ERR_R_MALLOC_FAILURE); + return 0; + } + if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, + SSL_R_LENGTH_MISMATCH); + return 0; + } + s->ext.ocsp.resp_len = resplen; + + return 1; } -MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt) + +MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt) { - if (PACKET_remaining(pkt) > 0) { - /* should contain no data */ - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_LENGTH_MISMATCH); - ossl_statem_set_error(s); + if (!tls_process_cert_status_body(s, pkt)) { + /* SSLfatal() already called */ return MSG_PROCESS_ERROR; } -#ifndef OPENSSL_NO_SRP - if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) { - if (SRP_Calc_A_param(s) <= 0) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_SRP_A_CALC); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - ossl_statem_set_error(s); - return MSG_PROCESS_ERROR; - } - } -#endif + return MSG_PROCESS_CONTINUE_READING; +} + +/* + * Perform miscellaneous checks and processing after we have received the + * server's initial flight. In TLS1.3 this is after the Server Finished message. + * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0 + * on failure. + */ +int tls_process_initial_server_flight(SSL *s) +{ /* * at this point we check that we have the required stuff from * the server */ if (!ssl3_check_cert_and_algorithm(s)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - ossl_statem_set_error(s); - return MSG_PROCESS_ERROR; + /* SSLfatal() already called */ + return 0; } /* - * Call the ocsp status callback if needed. The |tlsext_ocsp_resp| and - * |tlsext_ocsp_resplen| values will be set if we actually received a status + * Call the ocsp status callback if needed. The |ext.ocsp.resp| and + * |ext.ocsp.resp_len| values will be set if we actually received a status * message, or NULL and -1 otherwise */ - if (s->tlsext_status_type != -1 && s->ctx->tlsext_status_cb != NULL) { - int ret; - ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); + if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing + && s->ctx->ext.status_cb != NULL) { + int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); + if (ret == 0) { - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE); - SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, - SSL_R_INVALID_STATUS_RESPONSE); - return MSG_PROCESS_ERROR; + SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE, + SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT, + SSL_R_INVALID_STATUS_RESPONSE); + return 0; } if (ret < 0) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, ERR_R_MALLOC_FAILURE); - return MSG_PROCESS_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT, + ERR_R_MALLOC_FAILURE); + return 0; } } #ifndef OPENSSL_NO_CT if (s->ct_validation_callback != NULL) { /* Note we validate the SCTs whether or not we abort on error */ if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + /* SSLfatal() already called */ + return 0; + } + } +#endif + + return 1; +} + +MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt) +{ + if (PACKET_remaining(pkt) > 0) { + /* should contain no data */ + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE, + SSL_R_LENGTH_MISMATCH); + return MSG_PROCESS_ERROR; + } +#ifndef OPENSSL_NO_SRP + if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) { + if (SRP_Calc_A_param(s) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE, + SSL_R_SRP_A_CALC); return MSG_PROCESS_ERROR; } } #endif + if (!tls_process_initial_server_flight(s)) { + /* SSLfatal() already called */ + return MSG_PROCESS_ERROR; + } + return MSG_PROCESS_FINISHED_READING; } -static int tls_construct_cke_psk_preamble(SSL *s, unsigned char **p, - size_t *pskhdrlen, int *al) +static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt) { #ifndef OPENSSL_NO_PSK int ret = 0; @@ -2096,8 +2899,8 @@ static int tls_construct_cke_psk_preamble(SSL *s, unsigned char **p, size_t psklen = 0; if (s->psk_client_callback == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_CLIENT_CB); - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, + SSL_R_PSK_NO_CLIENT_CB); goto err; } @@ -2108,28 +2911,28 @@ static int tls_construct_cke_psk_preamble(SSL *s, unsigned char **p, psk, sizeof(psk)); if (psklen > PSK_MAX_PSK_LEN) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); - *al = SSL_AD_HANDSHAKE_FAILURE; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); goto err; } else if (psklen == 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, - SSL_R_PSK_IDENTITY_NOT_FOUND); - *al = SSL_AD_HANDSHAKE_FAILURE; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, + SSL_R_PSK_IDENTITY_NOT_FOUND); goto err; } identitylen = strlen(identity); if (identitylen > PSK_MAX_IDENTITY_LEN) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); - *al = SSL_AD_HANDSHAKE_FAILURE; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, + ERR_R_INTERNAL_ERROR); goto err; } tmppsk = OPENSSL_memdup(psk, psklen); tmpidentity = OPENSSL_strdup(identity); if (tmppsk == NULL || tmpidentity == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE); - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, + ERR_R_MALLOC_FAILURE); goto err; } @@ -2140,10 +2943,12 @@ static int tls_construct_cke_psk_preamble(SSL *s, unsigned char **p, OPENSSL_free(s->session->psk_identity); s->session->psk_identity = tmpidentity; tmpidentity = NULL; - s2n(identitylen, *p); - memcpy(*p, identity, identitylen); - *pskhdrlen = 2 + identitylen; - *p += identitylen; + + if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, + ERR_R_INTERNAL_ERROR); + goto err; + } ret = 1; @@ -2155,16 +2960,16 @@ static int tls_construct_cke_psk_preamble(SSL *s, unsigned char **p, return ret; #else - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_construct_cke_rsa(SSL *s, unsigned char **p, int *len, int *al) +static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt) { #ifndef OPENSSL_NO_RSA - unsigned char *q; + unsigned char *encdata = NULL; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *pctx = NULL; size_t enclen; @@ -2175,58 +2980,68 @@ static int tls_construct_cke_rsa(SSL *s, unsigned char **p, int *len, int *al) /* * We should always have a server certificate with SSL_kRSA. */ - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, + ERR_R_INTERNAL_ERROR); return 0; } pkey = X509_get0_pubkey(s->session->peer); if (EVP_PKEY_get0_RSA(pkey) == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, + ERR_R_INTERNAL_ERROR); return 0; } pmslen = SSL_MAX_MASTER_KEY_LENGTH; pms = OPENSSL_malloc(pmslen); if (pms == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_MALLOC_FAILURE); - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, + ERR_R_MALLOC_FAILURE); return 0; } pms[0] = s->client_version >> 8; pms[1] = s->client_version & 0xff; - if (RAND_bytes(pms + 2, pmslen - 2) <= 0) { + /* TODO(size_t): Convert this function */ + if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, + ERR_R_MALLOC_FAILURE); goto err; } - q = *p; /* Fix buf for TLS and beyond */ - if (s->version > SSL3_VERSION) - *p += 2; + if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, + ERR_R_INTERNAL_ERROR); + goto err; + } pctx = EVP_PKEY_CTX_new(pkey, NULL); if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0 || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_EVP_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, + ERR_R_EVP_LIB); goto err; } - if (EVP_PKEY_encrypt(pctx, *p, &enclen, pms, pmslen) <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, SSL_R_BAD_RSA_ENCRYPT); + if (!WPACKET_allocate_bytes(pkt, enclen, &encdata) + || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, + SSL_R_BAD_RSA_ENCRYPT); goto err; } - *len = enclen; EVP_PKEY_CTX_free(pctx); pctx = NULL; -# ifdef PKCS1_CHECK - if (s->options & SSL_OP_PKCS1_CHECK_1) - (*p)[1]++; - if (s->options & SSL_OP_PKCS1_CHECK_2) - tmp_buf[0] = 0x70; -# endif /* Fix buf for TLS and beyond */ - if (s->version > SSL3_VERSION) { - s2n(*len, q); - *len += 2; + if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, + ERR_R_INTERNAL_ERROR); + goto err; + } + + /* Log the premaster secret, if logging is enabled. */ + if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) { + /* SSLfatal() already called */ + goto err; } s->s3->tmp.pms = pms; @@ -2239,75 +3054,94 @@ static int tls_construct_cke_rsa(SSL *s, unsigned char **p, int *len, int *al) return 0; #else - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR); - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_construct_cke_dhe(SSL *s, unsigned char **p, int *len, int *al) +static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) { #ifndef OPENSSL_NO_DH DH *dh_clnt = NULL; const BIGNUM *pub_key; EVP_PKEY *ckey = NULL, *skey = NULL; + unsigned char *keybytes = NULL; skey = s->s3->peer_tmp; if (skey == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR); - return 0; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, + ERR_R_INTERNAL_ERROR); + goto err; } + ckey = ssl_generate_pkey(skey); if (ckey == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR); - return 0; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, + ERR_R_INTERNAL_ERROR); + goto err; } dh_clnt = EVP_PKEY_get0_DH(ckey); - if (dh_clnt == NULL || ssl_derive(s, ckey, skey) == 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR); - EVP_PKEY_free(ckey); - return 0; + if (dh_clnt == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, + ERR_R_INTERNAL_ERROR); + goto err; + } + + if (ssl_derive(s, ckey, skey, 0) == 0) { + /* SSLfatal() already called */ + goto err; } /* send off the data */ DH_get0_key(dh_clnt, &pub_key, NULL); - *len = BN_num_bytes(pub_key); - s2n(*len, *p); - BN_bn2bin(pub_key, *p); - *len += 2; + if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key), + &keybytes)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, + ERR_R_INTERNAL_ERROR); + goto err; + } + + BN_bn2bin(pub_key, keybytes); EVP_PKEY_free(ckey); return 1; + err: + EVP_PKEY_free(ckey); + return 0; #else - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR); - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_construct_cke_ecdhe(SSL *s, unsigned char **p, int *len, int *al) +static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt) { #ifndef OPENSSL_NO_EC unsigned char *encodedPoint = NULL; - int encoded_pt_len = 0; + size_t encoded_pt_len = 0; EVP_PKEY *ckey = NULL, *skey = NULL; + int ret = 0; skey = s->s3->peer_tmp; if (skey == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, + ERR_R_INTERNAL_ERROR); return 0; } ckey = ssl_generate_pkey(skey); if (ckey == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, + ERR_R_MALLOC_FAILURE); goto err; } - if (ssl_derive(s, ckey, skey) == 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EVP_LIB); + if (ssl_derive(s, ckey, skey, 0) == 0) { + /* SSLfatal() already called */ goto err; } @@ -2315,37 +3149,30 @@ static int tls_construct_cke_ecdhe(SSL *s, unsigned char **p, int *len, int *al) encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(ckey, &encodedPoint); if (encoded_pt_len == 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EC_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, + ERR_R_EC_LIB); goto err; } - EVP_PKEY_free(ckey); - ckey = NULL; - - *len = encoded_pt_len; - - /* length of encoded point */ - **p = *len; - *p += 1; - /* copy the point */ - memcpy(*p, encodedPoint, *len); - /* increment len to account for length field */ - *len += 1; - - OPENSSL_free(encodedPoint); + if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, + ERR_R_INTERNAL_ERROR); + goto err; + } - return 1; + ret = 1; err: + OPENSSL_free(encodedPoint); EVP_PKEY_free(ckey); - return 0; + return ret; #else - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR); - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al) +static int tls_construct_cke_gost(SSL *s, WPACKET *pkt) { #ifndef OPENSSL_NO_GOST /* GOST key exchange message creation */ @@ -2367,16 +3194,15 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al) */ peer_cert = s->session->peer; if (!peer_cert) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CONSTRUCT_CKE_GOST, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); return 0; } pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL); if (pkey_ctx == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, + ERR_R_MALLOC_FAILURE); return 0; } /* @@ -2389,16 +3215,18 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al) pmslen = 32; pms = OPENSSL_malloc(pmslen); if (pms == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, + ERR_R_MALLOC_FAILURE); goto err; } if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 - /* Generate session key */ - || RAND_bytes(pms, pmslen) <= 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR); + /* Generate session key + * TODO(size_t): Convert this function + */ + || RAND_bytes(pms, (int)pmslen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, + ERR_R_INTERNAL_ERROR); goto err; }; /* @@ -2413,38 +3241,36 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al) || EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE) <= 0 || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, + ERR_R_INTERNAL_ERROR); goto err; } EVP_MD_CTX_free(ukm_hash); ukm_hash = NULL; if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, SSL_R_LIBRARY_BUG); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, + SSL_R_LIBRARY_BUG); goto err; } /* Make GOST keytransport blob message */ /* * Encapsulate it into sequence */ - *((*p)++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED; msglen = 255; if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, SSL_R_LIBRARY_BUG); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, + SSL_R_LIBRARY_BUG); goto err; } - if (msglen >= 0x80) { - *((*p)++) = 0x81; - *((*p)++) = msglen & 0xff; - *len = msglen + 3; - } else { - *((*p)++) = msglen & 0xff; - *len = msglen + 2; + + if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED) + || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81)) + || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, + ERR_R_INTERNAL_ERROR); + goto err; } - memcpy(*p, tmp, msglen); EVP_PKEY_CTX_free(pkey_ctx); s->s3->tmp.pms = pms; @@ -2457,98 +3283,85 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al) EVP_MD_CTX_free(ukm_hash); return 0; #else - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR); - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_construct_cke_srp(SSL *s, unsigned char **p, int *len, int *al) +static int tls_construct_cke_srp(SSL *s, WPACKET *pkt) { #ifndef OPENSSL_NO_SRP - if (s->srp_ctx.A != NULL) { - /* send off the data */ - *len = BN_num_bytes(s->srp_ctx.A); - s2n(*len, *p); - BN_bn2bin(s->srp_ctx.A, *p); - *len += 2; - } else { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_INTERNAL_ERROR); + unsigned char *abytes = NULL; + + if (s->srp_ctx.A == NULL + || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A), + &abytes)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP, + ERR_R_INTERNAL_ERROR); return 0; } + BN_bn2bin(s->srp_ctx.A, abytes); + OPENSSL_free(s->session->srp_username); s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); if (s->session->srp_username == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP, + ERR_R_MALLOC_FAILURE); return 0; } return 1; #else - SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_INTERNAL_ERROR); - *al = SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP, + ERR_R_INTERNAL_ERROR); return 0; #endif } -int tls_construct_client_key_exchange(SSL *s) +int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt) { - unsigned char *p; - int len; - size_t pskhdrlen = 0; unsigned long alg_k; - int al = -1; alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - p = ssl_handshake_start(s); - + /* + * All of the construct functions below call SSLfatal() if necessary so + * no need to do so here. + */ if ((alg_k & SSL_PSK) - && !tls_construct_cke_psk_preamble(s, &p, &pskhdrlen, &al)) + && !tls_construct_cke_psk_preamble(s, pkt)) goto err; - if (alg_k & SSL_kPSK) { - len = 0; - } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) { - if (!tls_construct_cke_rsa(s, &p, &len, &al)) + if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) { + if (!tls_construct_cke_rsa(s, pkt)) goto err; } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { - if (!tls_construct_cke_dhe(s, &p, &len, &al)) + if (!tls_construct_cke_dhe(s, pkt)) goto err; } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { - if (!tls_construct_cke_ecdhe(s, &p, &len, &al)) + if (!tls_construct_cke_ecdhe(s, pkt)) goto err; } else if (alg_k & SSL_kGOST) { - if (!tls_construct_cke_gost(s, &p, &len, &al)) + if (!tls_construct_cke_gost(s, pkt)) goto err; } else if (alg_k & SSL_kSRP) { - if (!tls_construct_cke_srp(s, &p, &len, &al)) + if (!tls_construct_cke_srp(s, pkt)) goto err; - } else { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); - goto err; - } - - len += pskhdrlen; - - if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, len)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + } else if (!(alg_k & SSL_kPSK)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; } return 1; err: - if (al != -1) - ssl3_send_alert(s, SSL3_AL_FATAL, al); OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); s->s3->tmp.pms = NULL; #ifndef OPENSSL_NO_PSK OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen); s->s3->tmp.psk = NULL; #endif - ossl_statem_set_error(s); return 0; } @@ -2564,8 +3377,7 @@ int tls_client_key_exchange_post_work(SSL *s) /* Check for SRP */ if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) { if (!srp_generate_client_master_secret(s)) { - SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, - ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ goto err; } return 1; @@ -2573,13 +3385,12 @@ int tls_client_key_exchange_post_work(SSL *s) #endif if (pms == NULL && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_MALLOC_FAILURE); goto err; } if (!ssl_generate_master_secret(s, pms, pmslen, 1)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ /* ssl_generate_master_secret frees the pms even on error */ pms = NULL; pmslen = 0; @@ -2602,8 +3413,12 @@ int tls_client_key_exchange_post_work(SSL *s) if (SSL_export_keying_material(s, sctpauthkey, sizeof(sctpauthkey), labelbuffer, - sizeof(labelbuffer), NULL, 0, 0) <= 0) + sizeof(labelbuffer), NULL, 0, 0) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, + ERR_R_INTERNAL_ERROR); goto err; + } BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, sizeof(sctpauthkey), sctpauthkey); @@ -2617,79 +3432,6 @@ int tls_client_key_exchange_post_work(SSL *s) return 0; } -int tls_construct_client_verify(SSL *s) -{ - unsigned char *p; - EVP_PKEY *pkey; - const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys]; - EVP_MD_CTX *mctx; - unsigned u = 0; - unsigned long n = 0; - long hdatalen = 0; - void *hdata; - - mctx = EVP_MD_CTX_new(); - if (mctx == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_MALLOC_FAILURE); - goto err; - } - - p = ssl_handshake_start(s); - pkey = s->cert->key->privatekey; - - hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); - if (hdatalen <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); - goto err; - } - if (SSL_USE_SIGALGS(s)) { - if (!tls12_get_sigandhash(p, pkey, md)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); - goto err; - } - p += 2; - n = 2; - } -#ifdef SSL_DEBUG - fprintf(stderr, "Using client alg %s\n", EVP_MD_name(md)); -#endif - if (!EVP_SignInit_ex(mctx, md, NULL) - || !EVP_SignUpdate(mctx, hdata, hdatalen) - || (s->version == SSL3_VERSION - && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - s->session->master_key_length, - s->session->master_key)) - || !EVP_SignFinal(mctx, p + 2, &u, pkey)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_EVP_LIB); - goto err; - } -#ifndef OPENSSL_NO_GOST - { - int pktype = EVP_PKEY_id(pkey); - if (pktype == NID_id_GostR3410_2001 - || pktype == NID_id_GostR3410_2012_256 - || pktype == NID_id_GostR3410_2012_512) - BUF_reverse(p + 2, NULL, u); - } -#endif - - s2n(u, p); - n += u + 2; - /* Digest cached records and discard handshake buffer */ - if (!ssl3_digest_cached_records(s, 0)) - goto err; - if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); - goto err; - } - - EVP_MD_CTX_free(mctx); - return 1; - err: - EVP_MD_CTX_free(mctx); - return 0; -} - /* * Check a certificate can be used for client authentication. Currently check * cert exists, if we have a suitable digest for TLS 1.2 if static DH client @@ -2697,10 +3439,8 @@ int tls_construct_client_verify(SSL *s) */ static int ssl3_check_client_certificate(SSL *s) { - if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey) - return 0; /* If no suitable signature algorithm can't use certificate */ - if (SSL_USE_SIGALGS(s) && !s->s3->tmp.md[s->cert->key - s->cert->pkeys]) + if (!tls_choose_sigalg(s, 0) || s->s3->tmp.sigalg == NULL) return 0; /* * If strict mode check suitability of chain before using it. This also @@ -2727,14 +3467,19 @@ WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst) return WORK_MORE_A; } if (i == 0) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - ossl_statem_set_error(s); - return 0; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE, + SSL_R_CALLBACK_FAILED); + return WORK_ERROR; } s->rwstate = SSL_NOTHING; } - if (ssl3_check_client_certificate(s)) + if (ssl3_check_client_certificate(s)) { + if (s->post_handshake_auth == SSL_PHA_REQUESTED) { + return WORK_FINISHED_STOP; + } return WORK_FINISHED_CONTINUE; + } /* Fall through to WORK_MORE_B */ wst = WORK_MORE_B; @@ -2773,131 +3518,194 @@ WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst) } else { s->s3->tmp.cert_req = 2; if (!ssl3_digest_cached_records(s, 0)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - ossl_statem_set_error(s); - return 0; + /* SSLfatal() already called */ + return WORK_ERROR; } } } + if (s->post_handshake_auth == SSL_PHA_REQUESTED) + return WORK_FINISHED_STOP; return WORK_FINISHED_CONTINUE; } /* Shouldn't ever get here */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE, + ERR_R_INTERNAL_ERROR); return WORK_ERROR; } -int tls_construct_client_certificate(SSL *s) +int tls_construct_client_certificate(SSL *s, WPACKET *pkt) { - if (!ssl3_output_cert_chain(s, - (s->s3->tmp.cert_req == - 2) ? NULL : s->cert->key)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - ossl_statem_set_error(s); + if (SSL_IS_TLS13(s)) { + if (s->pha_context == NULL) { + /* no context available, add 0-length context */ + if (!WPACKET_put_bytes_u8(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); + return 0; + } + } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); + return 0; + } + } + if (!ssl3_output_cert_chain(s, pkt, + (s->s3->tmp.cert_req == 2) ? NULL + : s->cert->key)) { + /* SSLfatal() already called */ + return 0; + } + + if (SSL_IS_TLS13(s) + && SSL_IS_FIRST_HANDSHAKE(s) + && (!s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { + /* + * This is a fatal error, which leaves enc_write_ctx in an inconsistent + * state and thus ssl3_send_alert may crash. + */ + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, + SSL_R_CANNOT_CHANGE_CIPHER); return 0; } return 1; } -#define has_bits(i,m) (((i)&(m)) == (m)) - int ssl3_check_cert_and_algorithm(SSL *s) { - int i; -#ifndef OPENSSL_NO_EC - int idx; -#endif + const SSL_CERT_LOOKUP *clu; + size_t idx; long alg_k, alg_a; - EVP_PKEY *pkey = NULL; - int al = SSL_AD_HANDSHAKE_FAILURE; alg_k = s->s3->tmp.new_cipher->algorithm_mkey; alg_a = s->s3->tmp.new_cipher->algorithm_auth; /* we don't have a certificate */ - if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK)) - return (1); + if (!(alg_a & SSL_aCERT)) + return 1; /* This is the passed certificate */ + clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx); -#ifndef OPENSSL_NO_EC - idx = s->session->peer_type; - if (idx == SSL_PKEY_ECC) { - if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s) == 0) { - /* check failed */ - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT); - goto f_err; - } else { - return 1; - } - } else if (alg_a & SSL_aECDSA) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_ECDSA_SIGNING_CERT); - goto f_err; + /* Check certificate is recognised and suitable for cipher */ + if (clu == NULL || (alg_a & clu->amask) == 0) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, + SSL_R_MISSING_SIGNING_CERT); + return 0; } -#endif - pkey = X509_get0_pubkey(s->session->peer); - i = X509_certificate_type(s->session->peer, pkey); - /* Check that we have a certificate if we require one */ - if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_SIGN)) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_RSA_SIGNING_CERT); - goto f_err; - } -#ifndef OPENSSL_NO_DSA - else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA | EVP_PKT_SIGN)) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_DSA_SIGNING_CERT); - goto f_err; +#ifndef OPENSSL_NO_EC + if (clu->amask & SSL_aECDSA) { + if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) + return 1; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT); + return 0; } #endif #ifndef OPENSSL_NO_RSA - if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && - !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_RSA_ENCRYPTING_CERT); - goto f_err; + if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, + SSL_R_MISSING_RSA_ENCRYPTING_CERT); + return 0; } #endif #ifndef OPENSSL_NO_DH if ((alg_k & SSL_kDHE) && (s->s3->peer_tmp == NULL)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, + ERR_R_INTERNAL_ERROR); + return 0; } #endif - return (1); - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return (0); + return 1; } #ifndef OPENSSL_NO_NEXTPROTONEG -int tls_construct_next_proto(SSL *s) +int tls_construct_next_proto(SSL *s, WPACKET *pkt) { - unsigned int len, padding_len; - unsigned char *d; + size_t len, padding_len; + unsigned char *padding = NULL; - len = s->next_proto_negotiated_len; + len = s->ext.npn_len; padding_len = 32 - ((len + 2) % 32); - d = (unsigned char *)s->init_buf->data; - d[4] = len; - memcpy(d + 5, s->next_proto_negotiated, len); - d[5 + len] = padding_len; - memset(d + 6 + len, 0, padding_len); - *(d++) = SSL3_MT_NEXT_PROTO; - l2n3(2 + len + padding_len, d); - s->init_num = 4 + 2 + len + padding_len; - s->init_off = 0; + + if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len) + || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_NEXT_PROTO, + ERR_R_INTERNAL_ERROR); + return 0; + } + + memset(padding, 0, padding_len); return 1; } #endif +MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt) +{ + if (PACKET_remaining(pkt) > 0) { + /* should contain no data */ + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_REQ, + SSL_R_LENGTH_MISMATCH); + return MSG_PROCESS_ERROR; + } + + if ((s->options & SSL_OP_NO_RENEGOTIATION)) { + ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); + return MSG_PROCESS_FINISHED_READING; + } + + /* + * This is a historical discrepancy (not in the RFC) maintained for + * compatibility reasons. If a TLS client receives a HelloRequest it will + * attempt an abbreviated handshake. However if a DTLS client receives a + * HelloRequest it will do a full handshake. Either behaviour is reasonable + * but doing one for TLS and another for DTLS is odd. + */ + if (SSL_IS_DTLS(s)) + SSL_renegotiate(s); + else + SSL_renegotiate_abbreviated(s); + + return MSG_PROCESS_FINISHED_READING; +} + +static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt) +{ + PACKET extensions; + RAW_EXTENSION *rawexts = NULL; + + if (!PACKET_as_length_prefixed_2(pkt, &extensions) + || PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS, + SSL_R_LENGTH_MISMATCH); + goto err; + } + + if (!tls_collect_extensions(s, &extensions, + SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts, + NULL, 1) + || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, + rawexts, NULL, 0, 1)) { + /* SSLfatal() already called */ + goto err; + } + + OPENSSL_free(rawexts); + return MSG_PROCESS_CONTINUE_READING; + + err: + OPENSSL_free(rawexts); + return MSG_PROCESS_ERROR; +} + int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) { int i = 0; @@ -2915,47 +3723,123 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) return i; } -int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p) +int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) { - int i, j = 0; - const SSL_CIPHER *c; - unsigned char *q; + int i; + size_t totlen = 0, len, maxlen, maxverok = 0; int empty_reneg_info_scsv = !s->renegotiate; + /* Set disabled masks for this session */ - ssl_set_client_disabled(s); + if (!ssl_set_client_disabled(s)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, + SSL_R_NO_PROTOCOLS_AVAILABLE); + return 0; + } + + if (sk == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, + ERR_R_INTERNAL_ERROR); + return 0; + } - if (sk == NULL) - return (0); - q = p; +#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH +# if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6 +# error Max cipher length too short +# endif + /* + * Some servers hang if client hello > 256 bytes as hack workaround + * chop number of supported ciphers to keep it well below this if we + * use TLS v1.2 + */ + if (TLS1_get_version(s) >= TLS1_2_VERSION) + maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; + else +#endif + /* Maximum length that can be stored in 2 bytes. Length must be even */ + maxlen = 0xfffe; + + if (empty_reneg_info_scsv) + maxlen -= 2; + if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) + maxlen -= 2; + + for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) { + const SSL_CIPHER *c; - for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { c = sk_SSL_CIPHER_value(sk, i); /* Skip disabled ciphers */ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) continue; - j = s->method->put_cipher_by_char(c, p); - p += j; + + if (!s->method->put_cipher_by_char(c, pkt, &len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, + ERR_R_INTERNAL_ERROR); + return 0; + } + + /* Sanity check that the maximum version we offer has ciphers enabled */ + if (!maxverok) { + if (SSL_IS_DTLS(s)) { + if (DTLS_VERSION_GE(c->max_dtls, s->s3->tmp.max_ver) + && DTLS_VERSION_LE(c->min_dtls, s->s3->tmp.max_ver)) + maxverok = 1; + } else { + if (c->max_tls >= s->s3->tmp.max_ver + && c->min_tls <= s->s3->tmp.max_ver) + maxverok = 1; + } + } + + totlen += len; } - /* - * If p == q, no ciphers; caller indicates an error. Otherwise, add - * applicable SCSVs. - */ - if (p != q) { + + if (totlen == 0 || !maxverok) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, + SSL_R_NO_CIPHERS_AVAILABLE); + + if (!maxverok) + ERR_add_error_data(1, "No ciphers enabled for max supported " + "SSL/TLS version"); + + return 0; + } + + if (totlen != 0) { if (empty_reneg_info_scsv) { static SSL_CIPHER scsv = { - 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 + 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; - j = s->method->put_cipher_by_char(&scsv, p); - p += j; + if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR); + return 0; + } } if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { static SSL_CIPHER scsv = { - 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 + 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; - j = s->method->put_cipher_by_char(&scsv, p); - p += j; + if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR); + return 0; + } } } - return (p - q); + return 1; +} + +int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt) +{ + if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY + && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_END_OF_EARLY_DATA, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + + s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; + return 1; } diff --git a/deps/openssl/openssl/ssl/statem/statem_dtls.c b/deps/openssl/openssl/ssl/statem/statem_dtls.c index 5b34425445..b016fa7cff 100644 --- a/deps/openssl/openssl/ssl/statem/statem_dtls.c +++ b/deps/openssl/openssl/ssl/statem/statem_dtls.c @@ -12,6 +12,7 @@ #include <stdio.h> #include "../ssl_locl.h" #include "statem_locl.h" +#include "internal/cryptlib.h" #include <openssl/buffer.h> #include <openssl/objects.h> #include <openssl/evp.h> @@ -32,7 +33,6 @@ #define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \ long ii; \ - OPENSSL_assert((msg_len) > 0); \ is_complete = 1; \ if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \ if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \ @@ -43,30 +43,30 @@ static unsigned char bitmask_start_values[] = static unsigned char bitmask_end_values[] = { 0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f }; -static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, - unsigned long frag_len); +static void dtls1_fix_message_header(SSL *s, size_t frag_off, + size_t frag_len); static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p); static void dtls1_set_message_header_int(SSL *s, unsigned char mt, - unsigned long len, + size_t len, unsigned short seq_num, - unsigned long frag_off, - unsigned long frag_len); -static int dtls_get_reassembled_message(SSL *s, long *len); + size_t frag_off, + size_t frag_len); +static int dtls_get_reassembled_message(SSL *s, int *errtype, size_t *len); -static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len, - int reassembly) +static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly) { hm_fragment *frag = NULL; unsigned char *buf = NULL; unsigned char *bitmask = NULL; - frag = OPENSSL_malloc(sizeof(*frag)); - if (frag == NULL) + if ((frag = OPENSSL_malloc(sizeof(*frag))) == NULL) { + SSLerr(SSL_F_DTLS1_HM_FRAGMENT_NEW, ERR_R_MALLOC_FAILURE); return NULL; + } if (frag_len) { - buf = OPENSSL_malloc(frag_len); - if (buf == NULL) { + if ((buf = OPENSSL_malloc(frag_len)) == NULL) { + SSLerr(SSL_F_DTLS1_HM_FRAGMENT_NEW, ERR_R_MALLOC_FAILURE); OPENSSL_free(frag); return NULL; } @@ -79,6 +79,7 @@ static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len, if (reassembly) { bitmask = OPENSSL_zalloc(RSMBLY_BITMASK_SIZE(frag_len)); if (bitmask == NULL) { + SSLerr(SSL_F_DTLS1_HM_FRAGMENT_NEW, ERR_R_MALLOC_FAILURE); OPENSSL_free(buf); OPENSSL_free(frag); return NULL; @@ -111,9 +112,10 @@ void dtls1_hm_fragment_free(hm_fragment *frag) int dtls1_do_write(SSL *s, int type) { int ret; - unsigned int curr_mtu; + size_t written; + size_t curr_mtu; int retry = 1; - unsigned int len, frag_off, mac_size, blocksize, used_len; + size_t len, frag_off, mac_size, blocksize, used_len; if (!dtls1_query_mtu(s)) return -1; @@ -122,9 +124,11 @@ int dtls1_do_write(SSL *s, int type) /* should have something reasonable now */ return -1; - if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE) - OPENSSL_assert(s->init_num == - (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH); + if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE) { + if (!ossl_assert(s->init_num == + s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH)) + return -1; + } if (s->write_hash) { if (s->enc_write_ctx @@ -235,7 +239,8 @@ int dtls1_do_write(SSL *s, int type) data[s->init_off]); } - ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len); + ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len, + &written); if (ret < 0) { /* * might need to update MTU here, but we don't know which @@ -253,7 +258,7 @@ int dtls1_do_write(SSL *s, int type) } else return -1; } else { - return (-1); + return -1; } } else { @@ -261,7 +266,8 @@ int dtls1_do_write(SSL *s, int type) * bad if this assert fails, only part of the handshake message * got sent. but why would this happen? */ - OPENSSL_assert(len == (unsigned int)ret); + if (!ossl_assert(len == written)) + return -1; if (type == SSL3_RT_HANDSHAKE && !s->d1->retransmitting) { /* @@ -271,7 +277,7 @@ int dtls1_do_write(SSL *s, int type) unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off]; const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; - int xlen; + size_t xlen; if (frag_off == 0 && s->version != DTLS1_BAD_VER) { /* @@ -284,17 +290,17 @@ int dtls1_do_write(SSL *s, int type) l2n3(0, p); l2n3(msg_hdr->msg_len, p); p -= DTLS1_HM_HEADER_LENGTH; - xlen = ret; + xlen = written; } else { p += DTLS1_HM_HEADER_LENGTH; - xlen = ret - DTLS1_HM_HEADER_LENGTH; + xlen = written - DTLS1_HM_HEADER_LENGTH; } if (!ssl3_finish_mac(s, p, xlen)) return -1; } - if (ret == s->init_num) { + if (written == s->init_num) { if (s->msg_callback) s->msg_callback(1, s->version, type, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, @@ -303,12 +309,12 @@ int dtls1_do_write(SSL *s, int type) s->init_off = 0; /* done writing this message */ s->init_num = 0; - return (1); + return 1; } - s->init_off += ret; - s->init_num -= ret; - ret -= DTLS1_HM_HEADER_LENGTH; - frag_off += ret; + s->init_off += written; + s->init_num -= written; + written -= DTLS1_HM_HEADER_LENGTH; + frag_off += written; /* * We save the fragment offset for the next fragment so we have it @@ -319,32 +325,34 @@ int dtls1_do_write(SSL *s, int type) dtls1_fix_message_header(s, frag_off, 0); } } - return (0); + return 0; } -int dtls_get_message(SSL *s, int *mt, unsigned long *len) +int dtls_get_message(SSL *s, int *mt, size_t *len) { struct hm_header_st *msg_hdr; unsigned char *p; - unsigned long msg_len; - int ok; - long tmplen; + size_t msg_len; + size_t tmplen; + int errtype; msg_hdr = &s->d1->r_msg_hdr; memset(msg_hdr, 0, sizeof(*msg_hdr)); again: - ok = dtls_get_reassembled_message(s, &tmplen); - if (tmplen == DTLS1_HM_BAD_FRAGMENT || tmplen == DTLS1_HM_FRAGMENT_RETRY) { - /* bad fragment received */ - goto again; - } else if (tmplen <= 0 && !ok) { + if (!dtls_get_reassembled_message(s, &errtype, &tmplen)) { + if (errtype == DTLS1_HM_BAD_FRAGMENT + || errtype == DTLS1_HM_FRAGMENT_RETRY) { + /* bad fragment received */ + goto again; + } return 0; } *mt = s->s3->tmp.message_type; p = (unsigned char *)s->init_buf->data; + *len = s->init_num; if (*mt == SSL3_MT_CHANGE_CIPHER_SPEC) { if (s->msg_callback) { @@ -354,7 +362,6 @@ int dtls_get_message(SSL *s, int *mt, unsigned long *len) /* * This isn't a real handshake message so skip the processing below. */ - *len = (unsigned long)tmplen; return 1; } @@ -391,7 +398,6 @@ int dtls_get_message(SSL *s, int *mt, unsigned long *len) s->d1->handshake_read_seq++; s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; - *len = s->init_num; return 1; } @@ -401,11 +407,10 @@ int dtls_get_message(SSL *s, int *mt, unsigned long *len) * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but * may be greater if the maximum certificate list size requires it. */ -static unsigned long dtls1_max_handshake_message_len(const SSL *s) +static size_t dtls1_max_handshake_message_len(const SSL *s) { - unsigned long max_len = - DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; - if (max_len < (unsigned long)s->max_cert_list) + size_t max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; + if (max_len < s->max_cert_list) return s->max_cert_list; return max_len; } @@ -421,8 +426,9 @@ static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr) /* sanity checking */ if ((frag_off + frag_len) > msg_len || msg_len > dtls1_max_handshake_message_len(s)) { - SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE); - return SSL_AD_ILLEGAL_PARAMETER; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS1_PREPROCESS_FRAGMENT, + SSL_R_EXCESSIVE_MESSAGE_SIZE); + return 0; } if (s->d1->r_msg_hdr.frag_off == 0) { /* first fragment */ @@ -431,8 +437,9 @@ static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr) * dtls_max_handshake_message_len(s) above */ if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) { - SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB); - return SSL_AD_INTERNAL_ERROR; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PREPROCESS_FRAGMENT, + ERR_R_BUF_LIB); + return 0; } s->s3->tmp.message_size = msg_len; @@ -445,14 +452,19 @@ static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr) * They must be playing with us! BTW, failure to enforce upper limit * would open possibility for buffer overrun. */ - SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE); - return SSL_AD_ILLEGAL_PARAMETER; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS1_PREPROCESS_FRAGMENT, + SSL_R_EXCESSIVE_MESSAGE_SIZE); + return 0; } - return 0; /* no error */ + return 1; } -static int dtls1_retrieve_buffered_fragment(SSL *s, int *ok) +/* + * Returns 1 if there is a buffered fragment available, 0 if not, or -1 on a + * fatal error. + */ +static int dtls1_retrieve_buffered_fragment(SSL *s, size_t *len) { /*- * (0) check whether the desired fragment is available @@ -462,9 +474,7 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, int *ok) */ pitem *item; hm_fragment *frag; - int al; - - *ok = 0; + int ret; do { item = pqueue_peek(s->d1->buffered_messages); @@ -488,13 +498,13 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, int *ok) return 0; if (s->d1->handshake_read_seq == frag->msg_header.seq) { - unsigned long frag_len = frag->msg_header.frag_len; + size_t frag_len = frag->msg_header.frag_len; pqueue_pop(s->d1->buffered_messages); - al = dtls1_preprocess_fragment(s, &frag->msg_header); + /* Calls SSLfatal() as required */ + ret = dtls1_preprocess_fragment(s, &frag->msg_header); - /* al will be 0 if no alert */ - if (al == 0 && frag->msg_header.frag_len > 0) { + if (ret && frag->msg_header.frag_len > 0) { unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; memcpy(&p[frag->msg_header.frag_off], frag->fragment, @@ -504,34 +514,36 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, int *ok) dtls1_hm_fragment_free(frag); pitem_free(item); - if (al == 0) { - *ok = 1; - return frag_len; + if (ret) { + *len = frag_len; + return 1; } - ssl3_send_alert(s, SSL3_AL_FATAL, al); + /* Fatal error */ s->init_num = 0; - *ok = 0; return -1; - } else + } else { return 0; + } } static int -dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr, int *ok) +dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr) { hm_fragment *frag = NULL; pitem *item = NULL; int i = -1, is_complete; unsigned char seq64be[8]; - unsigned long frag_len = msg_hdr->frag_len; + size_t frag_len = msg_hdr->frag_len; + size_t readbytes; if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len || msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) goto err; - if (frag_len == 0) + if (frag_len == 0) { return DTLS1_HM_FRAGMENT_RETRY; + } /* Try to find item in queue */ memset(seq64be, 0, sizeof(seq64be)); @@ -568,10 +580,10 @@ dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr, int *ok) devnull, frag_len > sizeof(devnull) ? sizeof(devnull) : - frag_len, 0); + frag_len, 0, &readbytes); if (i <= 0) goto err; - frag_len -= i; + frag_len -= readbytes; } return DTLS1_HM_FRAGMENT_RETRY; } @@ -579,8 +591,8 @@ dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr, int *ok) /* read the body of the fragment (header has already been read */ i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, frag->fragment + msg_hdr->frag_off, - frag_len, 0); - if ((unsigned long)i != frag_len) + frag_len, 0, &readbytes); + if (i <= 0 || readbytes != frag_len) i = -1; if (i <= 0) goto err; @@ -588,6 +600,8 @@ dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr, int *ok) RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off, (long)(msg_hdr->frag_off + frag_len)); + if (!ossl_assert(msg_hdr->msg_len > 0)) + goto err; RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len, is_complete); @@ -610,7 +624,8 @@ dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr, int *ok) * would have returned it and control would never have reached this * branch. */ - OPENSSL_assert(item != NULL); + if (!ossl_assert(item != NULL)) + goto err; } return DTLS1_HM_FRAGMENT_RETRY; @@ -618,19 +633,18 @@ dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr, int *ok) err: if (item == NULL) dtls1_hm_fragment_free(frag); - *ok = 0; - return i; + return -1; } static int -dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr, - int *ok) +dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr) { int i = -1; hm_fragment *frag = NULL; pitem *item = NULL; unsigned char seq64be[8]; - unsigned long frag_len = msg_hdr->frag_len; + size_t frag_len = msg_hdr->frag_len; + size_t readbytes; if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len) goto err; @@ -663,14 +677,15 @@ dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr, devnull, frag_len > sizeof(devnull) ? sizeof(devnull) : - frag_len, 0); + frag_len, 0, &readbytes); if (i <= 0) goto err; - frag_len -= i; + frag_len -= readbytes; } } else { - if (frag_len != msg_hdr->msg_len) - return dtls1_reassemble_fragment(s, msg_hdr, ok); + if (frag_len != msg_hdr->msg_len) { + return dtls1_reassemble_fragment(s, msg_hdr); + } if (frag_len > dtls1_max_handshake_message_len(s)) goto err; @@ -686,8 +701,9 @@ dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr, * read the body of the fragment (header has already been read */ i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, - frag->fragment, frag_len, 0); - if ((unsigned long)i != frag_len) + frag->fragment, frag_len, 0, + &readbytes); + if (i<=0 || readbytes != frag_len) i = -1; if (i <= 0) goto err; @@ -706,7 +722,8 @@ dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr, * have been processed with |dtls1_reassemble_fragment|, above, or * the record will have been discarded. */ - OPENSSL_assert(item != NULL); + if (!ossl_assert(item != NULL)) + goto err; } return DTLS1_HM_FRAGMENT_RETRY; @@ -714,56 +731,61 @@ dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr, err: if (item == NULL) dtls1_hm_fragment_free(frag); - *ok = 0; - return i; + return 0; } -static int dtls_get_reassembled_message(SSL *s, long *len) +static int dtls_get_reassembled_message(SSL *s, int *errtype, size_t *len) { unsigned char wire[DTLS1_HM_HEADER_LENGTH]; - unsigned long mlen, frag_off, frag_len; - int i, al, recvd_type; + size_t mlen, frag_off, frag_len; + int i, ret, recvd_type; struct hm_header_st msg_hdr; - int ok; + size_t readbytes; + + *errtype = 0; redo: /* see if we have the required fragment already */ - if ((frag_len = dtls1_retrieve_buffered_fragment(s, &ok)) || ok) { - if (ok) - s->init_num = frag_len; + ret = dtls1_retrieve_buffered_fragment(s, &frag_len); + if (ret < 0) { + /* SSLfatal() already called */ + return 0; + } + if (ret > 0) { + s->init_num = frag_len; *len = frag_len; - return ok; + return 1; } /* read handshake message header */ i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, wire, - DTLS1_HM_HEADER_LENGTH, 0); + DTLS1_HM_HEADER_LENGTH, 0, &readbytes); if (i <= 0) { /* nbio, or an error */ s->rwstate = SSL_READING; - *len = i; + *len = 0; return 0; } if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) { if (wire[0] != SSL3_MT_CCS) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, - SSL_R_BAD_CHANGE_CIPHER_SPEC); + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, + SSL_R_BAD_CHANGE_CIPHER_SPEC); goto f_err; } - memcpy(s->init_buf->data, wire, i); - s->init_num = i - 1; + memcpy(s->init_buf->data, wire, readbytes); + s->init_num = readbytes - 1; s->init_msg = s->init_buf->data + 1; s->s3->tmp.message_type = SSL3_MT_CHANGE_CIPHER_SPEC; - s->s3->tmp.message_size = i - 1; - *len = i - 1; + s->s3->tmp.message_size = readbytes - 1; + *len = readbytes - 1; return 1; } /* Handshake fails if message header is incomplete */ - if (i != DTLS1_HM_HEADER_LENGTH) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); + if (readbytes != DTLS1_HM_HEADER_LENGTH) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); goto f_err; } @@ -779,8 +801,8 @@ static int dtls_get_reassembled_message(SSL *s, long *len) * Fragments must not span records. */ if (frag_len > RECORD_LAYER_get_rrec_length(&s->rlayer)) { - al = SSL3_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_BAD_LENGTH); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_BAD_LENGTH); goto f_err; } @@ -791,17 +813,19 @@ static int dtls_get_reassembled_message(SSL *s, long *len) * although we're still expecting seq 0 (ClientHello) */ if (msg_hdr.seq != s->d1->handshake_read_seq) { - *len = dtls1_process_out_of_seq_message(s, &msg_hdr, &ok); - return ok; + *errtype = dtls1_process_out_of_seq_message(s, &msg_hdr); + return 0; } if (frag_len && frag_len < mlen) { - *len = dtls1_reassemble_fragment(s, &msg_hdr, &ok); - return ok; + *errtype = dtls1_reassemble_fragment(s, &msg_hdr); + return 0; } - if (!s->server && s->d1->r_msg_hdr.frag_off == 0 && - wire[0] == SSL3_MT_HELLO_REQUEST) { + if (!s->server + && s->d1->r_msg_hdr.frag_off == 0 + && s->statem.hand_state != TLS_ST_OK + && wire[0] == SSL3_MT_HELLO_REQUEST) { /* * The server may always send 'Hello Request' messages -- we are * doing a handshake anyway now, so ignore them if their format is @@ -817,22 +841,24 @@ static int dtls_get_reassembled_message(SSL *s, long *len) goto redo; } else { /* Incorrectly formatted Hello request */ - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, - SSL_R_UNEXPECTED_MESSAGE); + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, + SSL_R_UNEXPECTED_MESSAGE); goto f_err; } } - if ((al = dtls1_preprocess_fragment(s, &msg_hdr))) + if (!dtls1_preprocess_fragment(s, &msg_hdr)) { + /* SSLfatal() already called */ goto f_err; + } if (frag_len > 0) { unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, - &p[frag_off], frag_len, 0); + &p[frag_off], frag_len, 0, &readbytes); /* * This shouldn't ever fail due to NBIO because we already checked @@ -840,19 +866,20 @@ static int dtls_get_reassembled_message(SSL *s, long *len) */ if (i <= 0) { s->rwstate = SSL_READING; - *len = i; + *len = 0; return 0; } - } else - i = 0; + } else { + readbytes = 0; + } /* * XDTLS: an incorrectly formatted fragment should cause the handshake * to fail */ - if (i != (int)frag_len) { - al = SSL3_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL3_AD_ILLEGAL_PARAMETER); + if (readbytes != frag_len) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_BAD_LENGTH); goto f_err; } @@ -866,9 +893,8 @@ static int dtls_get_reassembled_message(SSL *s, long *len) return 1; f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); s->init_num = 0; - *len = -1; + *len = 0; return 0; } @@ -881,30 +907,17 @@ static int dtls_get_reassembled_message(SSL *s, long *len) * ssl->session->read_compression assign * ssl->session->read_hash assign */ -int dtls_construct_change_cipher_spec(SSL *s) +int dtls_construct_change_cipher_spec(SSL *s, WPACKET *pkt) { - unsigned char *p; - - p = (unsigned char *)s->init_buf->data; - *p++ = SSL3_MT_CCS; - s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; - s->init_num = DTLS1_CCS_HEADER_LENGTH; - if (s->version == DTLS1_BAD_VER) { s->d1->next_handshake_write_seq++; - s2n(s->d1->handshake_write_seq, p); - s->init_num += 2; - } - s->init_off = 0; - - dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, - s->d1->handshake_write_seq, 0, 0); - - /* buffer the message to handle re-xmits */ - if (!dtls1_buffer_message(s, 1)) { - SSLerr(SSL_F_DTLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); - return 0; + if (!WPACKET_put_bytes_u16(pkt, s->d1->handshake_write_seq)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_DTLS_CONSTRUCT_CHANGE_CIPHER_SPEC, + ERR_R_INTERNAL_ERROR); + return 0; + } } return 1; @@ -913,17 +926,20 @@ int dtls_construct_change_cipher_spec(SSL *s) #ifndef OPENSSL_NO_SCTP /* * Wait for a dry event. Should only be called at a point in the handshake - * where we are not expecting any data from the peer (except possibly an alert). + * where we are not expecting any data from the peer except an alert. */ WORK_STATE dtls_wait_for_dry(SSL *s) { - int ret; - long len; + int ret, errtype; + size_t len; /* read app data until dry event */ ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s)); - if (ret < 0) + if (ret < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS_WAIT_FOR_DRY, + ERR_R_INTERNAL_ERROR); return WORK_ERROR; + } if (ret == 0) { /* @@ -932,11 +948,10 @@ WORK_STATE dtls_wait_for_dry(SSL *s) * return successfully. Therefore we attempt to read a message. This * should never succeed but will process any waiting alerts. */ - if (dtls_get_reassembled_message(s, &len)) { + if (dtls_get_reassembled_message(s, &errtype, &len)) { /* The call succeeded! This should never happen */ - SSLerr(SSL_F_DTLS_WAIT_FOR_DRY, SSL_R_UNEXPECTED_MESSAGE); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); - ossl_statem_set_error(s); + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS_WAIT_FOR_DRY, + SSL_R_UNEXPECTED_MESSAGE); return WORK_ERROR; } @@ -953,24 +968,20 @@ WORK_STATE dtls_wait_for_dry(SSL *s) int dtls1_read_failed(SSL *s, int code) { if (code > 0) { - SSLerr(SSL_F_DTLS1_READ_FAILED, ERR_R_INTERNAL_ERROR); - return 1; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_DTLS1_READ_FAILED, ERR_R_INTERNAL_ERROR); + return 0; } - if (!dtls1_is_timer_expired(s)) { + if (!dtls1_is_timer_expired(s) || ossl_statem_in_error(s)) { /* * not a timeout, none of our business, let higher layers handle * this. in fact it's probably an error */ return code; } -#ifndef OPENSSL_NO_HEARTBEATS - /* done, no need to send a retransmit */ - if (!SSL_in_init(s) && !s->tlsext_hb_pending) -#else /* done, no need to send a retransmit */ if (!SSL_in_init(s)) -#endif { BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); return code; @@ -1026,7 +1037,8 @@ int dtls1_buffer_message(SSL *s, int is_ccs) * this function is called immediately after a message has been * serialized */ - OPENSSL_assert(s->init_off == 0); + if (!ossl_assert(s->init_off == 0)) + return 0; frag = dtls1_hm_fragment_new(s->init_num, 0); if (frag == NULL) @@ -1036,13 +1048,15 @@ int dtls1_buffer_message(SSL *s, int is_ccs) if (is_ccs) { /* For DTLS1_BAD_VER the header length is non-standard */ - OPENSSL_assert(s->d1->w_msg_hdr.msg_len + - ((s->version == - DTLS1_BAD_VER) ? 3 : DTLS1_CCS_HEADER_LENGTH) - == (unsigned int)s->init_num); + if (!ossl_assert(s->d1->w_msg_hdr.msg_len + + ((s->version == + DTLS1_BAD_VER) ? 3 : DTLS1_CCS_HEADER_LENGTH) + == (unsigned int)s->init_num)) + return 0; } else { - OPENSSL_assert(s->d1->w_msg_hdr.msg_len + - DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num); + if (!ossl_assert(s->d1->w_msg_hdr.msg_len + + DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num)) + return 0; } frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len; @@ -1090,11 +1104,6 @@ int dtls1_retransmit_message(SSL *s, unsigned short seq, int *found) unsigned char seq64be[8]; struct dtls1_retransmit_state saved_state; - /*- - OPENSSL_assert(s->init_num == 0); - OPENSSL_assert(s->init_off == 0); - */ - /* XDTLS: the requested message ought to be found, otherwise error */ memset(seq64be, 0, sizeof(seq64be)); seq64be[6] = (unsigned char)(seq >> 8); @@ -1102,7 +1111,8 @@ int dtls1_retransmit_message(SSL *s, unsigned short seq, int *found) item = pqueue_find(s->d1->sent_messages, seq64be); if (item == NULL) { - SSLerr(SSL_F_DTLS1_RETRANSMIT_MESSAGE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_RETRANSMIT_MESSAGE, + ERR_R_INTERNAL_ERROR); *found = 0; return 0; } @@ -1159,8 +1169,8 @@ int dtls1_retransmit_message(SSL *s, unsigned short seq, int *found) } void dtls1_set_message_header(SSL *s, - unsigned char mt, unsigned long len, - unsigned long frag_off, unsigned long frag_len) + unsigned char mt, size_t len, + size_t frag_off, size_t frag_len) { if (frag_off == 0) { s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; @@ -1174,8 +1184,8 @@ void dtls1_set_message_header(SSL *s, /* don't actually do the writing, wait till the MTU has been retrieved */ static void dtls1_set_message_header_int(SSL *s, unsigned char mt, - unsigned long len, unsigned short seq_num, - unsigned long frag_off, unsigned long frag_len) + size_t len, unsigned short seq_num, + size_t frag_off, size_t frag_len) { struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; @@ -1187,7 +1197,7 @@ dtls1_set_message_header_int(SSL *s, unsigned char mt, } static void -dtls1_fix_message_header(SSL *s, unsigned long frag_off, unsigned long frag_len) +dtls1_fix_message_header(SSL *s, size_t frag_off, size_t frag_len) { struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; @@ -1219,3 +1229,53 @@ void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr) n2l3(data, msg_hdr->frag_off); n2l3(data, msg_hdr->frag_len); } + +int dtls1_set_handshake_header(SSL *s, WPACKET *pkt, int htype) +{ + unsigned char *header; + + if (htype == SSL3_MT_CHANGE_CIPHER_SPEC) { + s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; + dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, + s->d1->handshake_write_seq, 0, 0); + if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) + return 0; + } else { + dtls1_set_message_header(s, htype, 0, 0, 0); + /* + * We allocate space at the start for the message header. This gets + * filled in later + */ + if (!WPACKET_allocate_bytes(pkt, DTLS1_HM_HEADER_LENGTH, &header) + || !WPACKET_start_sub_packet(pkt)) + return 0; + } + + return 1; +} + +int dtls1_close_construct_packet(SSL *s, WPACKET *pkt, int htype) +{ + size_t msglen; + + if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt)) + || !WPACKET_get_length(pkt, &msglen) + || msglen > INT_MAX) + return 0; + + if (htype != SSL3_MT_CHANGE_CIPHER_SPEC) { + s->d1->w_msg_hdr.msg_len = msglen - DTLS1_HM_HEADER_LENGTH; + s->d1->w_msg_hdr.frag_len = msglen - DTLS1_HM_HEADER_LENGTH; + } + s->init_num = (int)msglen; + s->init_off = 0; + + if (htype != DTLS1_MT_HELLO_VERIFY_REQUEST) { + /* Buffer the message to handle re-xmits */ + if (!dtls1_buffer_message(s, htype == SSL3_MT_CHANGE_CIPHER_SPEC + ? 1 : 0)) + return 0; + } + + return 1; +} diff --git a/deps/openssl/openssl/ssl/statem/statem_lib.c b/deps/openssl/openssl/ssl/statem/statem_lib.c index eba4c6fb40..4324896f50 100644 --- a/deps/openssl/openssl/ssl/statem/statem_lib.c +++ b/deps/openssl/openssl/ssl/statem/statem_lib.c @@ -1,5 +1,6 @@ /* * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,94 +8,664 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ - #include <limits.h> #include <string.h> #include <stdio.h> #include "../ssl_locl.h" #include "statem_locl.h" +#include "internal/cryptlib.h" #include <openssl/buffer.h> #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/x509.h> /* + * Map error codes to TLS/SSL alart types. + */ +typedef struct x509err2alert_st { + int x509err; + int alert; +} X509ERR2ALERT; + +/* Fixed value used in the ServerHello random field to identify an HRR */ +const unsigned char hrrrandom[] = { + 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, + 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, + 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c +}; + +/* * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or * SSL3_RT_CHANGE_CIPHER_SPEC) */ int ssl3_do_write(SSL *s, int type) { int ret; + size_t written = 0; ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off], - s->init_num); + s->init_num, &written); if (ret < 0) - return (-1); + return -1; if (type == SSL3_RT_HANDSHAKE) /* * should not be done for 'Hello Request's, but in that case we'll * ignore the result anyway + * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added */ - if (!ssl3_finish_mac(s, - (unsigned char *)&s->init_buf->data[s->init_off], - ret)) - return -1; - - if (ret == s->init_num) { + if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET + && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE + && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE)) + if (!ssl3_finish_mac(s, + (unsigned char *)&s->init_buf->data[s->init_off], + written)) + return -1; + if (written == s->init_num) { if (s->msg_callback) s->msg_callback(1, s->version, type, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, s->msg_callback_arg); - return (1); + return 1; } - s->init_off += ret; - s->init_num -= ret; - return (0); + s->init_off += written; + s->init_num -= written; + return 0; } -int tls_construct_finished(SSL *s, const char *sender, int slen) +int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype) { - unsigned char *p; - int i; - unsigned long l; + size_t msglen; - p = ssl_handshake_start(s); + if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt)) + || !WPACKET_get_length(pkt, &msglen) + || msglen > INT_MAX) + return 0; + s->init_num = (int)msglen; + s->init_off = 0; - i = s->method->ssl3_enc->final_finish_mac(s, - sender, slen, - s->s3->tmp.finish_md); - if (i <= 0) + return 1; +} + +int tls_setup_handshake(SSL *s) +{ + if (!ssl3_init_finished_mac(s)) { + /* SSLfatal() already called */ return 0; - s->s3->tmp.finish_md_len = i; - memcpy(p, s->s3->tmp.finish_md, i); - l = i; + } + + /* Reset any extension flags */ + memset(s->ext.extflags, 0, sizeof(s->ext.extflags)); + + if (s->server) { + STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s); + int i, ver_min, ver_max, ok = 0; + + /* + * Sanity check that the maximum version we accept has ciphers + * enabled. For clients we do this check during construction of the + * ClientHello. + */ + if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE, + ERR_R_INTERNAL_ERROR); + return 0; + } + for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { + const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); + + if (SSL_IS_DTLS(s)) { + if (DTLS_VERSION_GE(ver_max, c->min_dtls) && + DTLS_VERSION_LE(ver_max, c->max_dtls)) + ok = 1; + } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) { + ok = 1; + } + if (ok) + break; + } + if (!ok) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE, + SSL_R_NO_CIPHERS_AVAILABLE); + ERR_add_error_data(1, "No ciphers enabled for max supported " + "SSL/TLS version"); + return 0; + } + if (SSL_IS_FIRST_HANDSHAKE(s)) { + /* N.B. s->session_ctx == s->ctx here */ + tsan_counter(&s->session_ctx->stats.sess_accept); + } else { + /* N.B. s->ctx may not equal s->session_ctx */ + tsan_counter(&s->ctx->stats.sess_accept_renegotiate); + + s->s3->tmp.cert_request = 0; + } + } else { + if (SSL_IS_FIRST_HANDSHAKE(s)) + tsan_counter(&s->session_ctx->stats.sess_connect); + else + tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate); + + /* mark client_random uninitialized */ + memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); + s->hit = 0; + + s->s3->tmp.cert_req = 0; + + if (SSL_IS_DTLS(s)) + s->statem.use_timer = 1; + } + + return 1; +} + +/* + * Size of the to-be-signed TLS13 data, without the hash size itself: + * 64 bytes of value 32, 33 context bytes, 1 byte separator + */ +#define TLS13_TBS_START_SIZE 64 +#define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1) + +static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, + void **hdata, size_t *hdatalen) +{ + static const char *servercontext = "TLS 1.3, server CertificateVerify"; + static const char *clientcontext = "TLS 1.3, client CertificateVerify"; + + if (SSL_IS_TLS13(s)) { + size_t hashlen; + + /* Set the first 64 bytes of to-be-signed data to octet 32 */ + memset(tls13tbs, 32, TLS13_TBS_START_SIZE); + /* This copies the 33 bytes of context plus the 0 separator byte */ + if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY + || s->statem.hand_state == TLS_ST_SW_CERT_VRFY) + strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext); + else + strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext); + + /* + * If we're currently reading then we need to use the saved handshake + * hash value. We can't use the current handshake hash state because + * that includes the CertVerify itself. + */ + if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY + || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) { + memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash, + s->cert_verify_hash_len); + hashlen = s->cert_verify_hash_len; + } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE, + EVP_MAX_MD_SIZE, &hashlen)) { + /* SSLfatal() already called */ + return 0; + } + + *hdata = tls13tbs; + *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen; + } else { + size_t retlen; + long retlen_l; + + retlen = retlen_l = BIO_get_mem_data(s->s3->handshake_buffer, hdata); + if (retlen_l <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA, + ERR_R_INTERNAL_ERROR); + return 0; + } + *hdatalen = retlen; + } + + return 1; +} + +int tls_construct_cert_verify(SSL *s, WPACKET *pkt) +{ + EVP_PKEY *pkey = NULL; + const EVP_MD *md = NULL; + EVP_MD_CTX *mctx = NULL; + EVP_PKEY_CTX *pctx = NULL; + size_t hdatalen = 0, siglen = 0; + void *hdata; + unsigned char *sig = NULL; + unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; + const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg; + + if (lu == NULL || s->s3->tmp.cert == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, + ERR_R_INTERNAL_ERROR); + goto err; + } + pkey = s->s3->tmp.cert->privatekey; + + if (pkey == NULL || !tls1_lookup_md(lu, &md)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, + ERR_R_INTERNAL_ERROR); + goto err; + } + + mctx = EVP_MD_CTX_new(); + if (mctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, + ERR_R_MALLOC_FAILURE); + goto err; + } + + /* Get the data to be signed */ + if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { + /* SSLfatal() already called */ + goto err; + } + + if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, + ERR_R_INTERNAL_ERROR); + goto err; + } + siglen = EVP_PKEY_size(pkey); + sig = OPENSSL_malloc(siglen); + if (sig == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, + ERR_R_MALLOC_FAILURE); + goto err; + } + + if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, + ERR_R_EVP_LIB); + goto err; + } + + if (lu->sig == EVP_PKEY_RSA_PSS) { + if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 + || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, + RSA_PSS_SALTLEN_DIGEST) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, + ERR_R_EVP_LIB); + goto err; + } + } + if (s->version == SSL3_VERSION) { + if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0 + || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, + (int)s->session->master_key_length, + s->session->master_key) + || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) { + + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, + ERR_R_EVP_LIB); + goto err; + } + } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, + ERR_R_EVP_LIB); + goto err; + } + +#ifndef OPENSSL_NO_GOST + { + int pktype = lu->sig; + + if (pktype == NID_id_GostR3410_2001 + || pktype == NID_id_GostR3410_2012_256 + || pktype == NID_id_GostR3410_2012_512) + BUF_reverse(sig, NULL, siglen); + } +#endif + + if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, + ERR_R_INTERNAL_ERROR); + goto err; + } + + /* Digest cached records and discard handshake buffer */ + if (!ssl3_digest_cached_records(s, 0)) { + /* SSLfatal() already called */ + goto err; + } + + OPENSSL_free(sig); + EVP_MD_CTX_free(mctx); + return 1; + err: + OPENSSL_free(sig); + EVP_MD_CTX_free(mctx); + return 0; +} + +MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) +{ + EVP_PKEY *pkey = NULL; + const unsigned char *data; +#ifndef OPENSSL_NO_GOST + unsigned char *gost_data = NULL; +#endif + MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; + int j; + unsigned int len; + X509 *peer; + const EVP_MD *md = NULL; + size_t hdatalen = 0; + void *hdata; + unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; + EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + EVP_PKEY_CTX *pctx = NULL; + + if (mctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, + ERR_R_MALLOC_FAILURE); + goto err; + } + + peer = s->session->peer; + pkey = X509_get0_pubkey(peer); + if (pkey == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, + ERR_R_INTERNAL_ERROR); + goto err; + } + + if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY, + SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); + goto err; + } + + if (SSL_USE_SIGALGS(s)) { + unsigned int sigalg; + + if (!PACKET_get_net_2(pkt, &sigalg)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, + SSL_R_BAD_PACKET); + goto err; + } + if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) { + /* SSLfatal() already called */ + goto err; + } + } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, + ERR_R_INTERNAL_ERROR); + goto err; + } + + if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, + ERR_R_INTERNAL_ERROR); + goto err; + } + +#ifdef SSL_DEBUG + if (SSL_USE_SIGALGS(s)) + fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); +#endif + + /* Check for broken implementations of GOST ciphersuites */ + /* + * If key is GOST and len is exactly 64 or 128, it is signature without + * length field (CryptoPro implementations at least till TLS 1.2) + */ +#ifndef OPENSSL_NO_GOST + if (!SSL_USE_SIGALGS(s) + && ((PACKET_remaining(pkt) == 64 + && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001 + || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256)) + || (PACKET_remaining(pkt) == 128 + && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) { + len = PACKET_remaining(pkt); + } else +#endif + if (!PACKET_get_net_2(pkt, &len)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, + SSL_R_LENGTH_MISMATCH); + goto err; + } + + j = EVP_PKEY_size(pkey); + if (((int)len > j) || ((int)PACKET_remaining(pkt) > j) + || (PACKET_remaining(pkt) == 0)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, + SSL_R_WRONG_SIGNATURE_SIZE); + goto err; + } + if (!PACKET_get_bytes(pkt, &data, len)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, + SSL_R_LENGTH_MISMATCH); + goto err; + } + + if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { + /* SSLfatal() already called */ + goto err; + } + +#ifdef SSL_DEBUG + fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md)); +#endif + if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, + ERR_R_EVP_LIB); + goto err; + } +#ifndef OPENSSL_NO_GOST + { + int pktype = EVP_PKEY_id(pkey); + if (pktype == NID_id_GostR3410_2001 + || pktype == NID_id_GostR3410_2012_256 + || pktype == NID_id_GostR3410_2012_512) { + if ((gost_data = OPENSSL_malloc(len)) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } + BUF_reverse(gost_data, data, len); + data = gost_data; + } + } +#endif + + if (SSL_USE_PSS(s)) { + if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 + || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, + RSA_PSS_SALTLEN_DIGEST) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, + ERR_R_EVP_LIB); + goto err; + } + } + if (s->version == SSL3_VERSION) { + if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0 + || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, + (int)s->session->master_key_length, + s->session->master_key)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, + ERR_R_EVP_LIB); + goto err; + } + if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) { + SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, + SSL_R_BAD_SIGNATURE); + goto err; + } + } else { + j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen); + if (j <= 0) { + SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, + SSL_R_BAD_SIGNATURE); + goto err; + } + } + + /* + * In TLSv1.3 on the client side we make sure we prepare the client + * certificate after the CertVerify instead of when we get the + * CertificateRequest. This is because in TLSv1.3 the CertificateRequest + * comes *before* the Certificate message. In TLSv1.2 it comes after. We + * want to make sure that SSL_get_peer_certificate() will return the actual + * server certificate from the client_cert_cb callback. + */ + if (!s->server && SSL_IS_TLS13(s) && s->s3->tmp.cert_req == 1) + ret = MSG_PROCESS_CONTINUE_PROCESSING; + else + ret = MSG_PROCESS_CONTINUE_READING; + err: + BIO_free(s->s3->handshake_buffer); + s->s3->handshake_buffer = NULL; + EVP_MD_CTX_free(mctx); +#ifndef OPENSSL_NO_GOST + OPENSSL_free(gost_data); +#endif + return ret; +} + +int tls_construct_finished(SSL *s, WPACKET *pkt) +{ + size_t finish_md_len; + const char *sender; + size_t slen; + + /* This is a real handshake so make sure we clean it up at the end */ + if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED) + s->statem.cleanuphand = 1; + + /* + * We only change the keys if we didn't already do this when we sent the + * client certificate + */ + if (SSL_IS_TLS13(s) + && !s->server + && s->s3->tmp.cert_req == 0 + && (!s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {; + /* SSLfatal() already called */ + return 0; + } + + if (s->server) { + sender = s->method->ssl3_enc->server_finished_label; + slen = s->method->ssl3_enc->server_finished_label_len; + } else { + sender = s->method->ssl3_enc->client_finished_label; + slen = s->method->ssl3_enc->client_finished_label_len; + } + + finish_md_len = s->method->ssl3_enc->final_finish_mac(s, + sender, slen, + s->s3->tmp.finish_md); + if (finish_md_len == 0) { + /* SSLfatal() already called */ + return 0; + } + + s->s3->tmp.finish_md_len = finish_md_len; + + if (!WPACKET_memcpy(pkt, s->s3->tmp.finish_md, finish_md_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED, + ERR_R_INTERNAL_ERROR); + return 0; + } + + /* + * Log the master secret, if logging is enabled. We don't log it for + * TLSv1.3: there's a different key schedule for that. + */ + if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL, + s->session->master_key, + s->session->master_key_length)) { + /* SSLfatal() already called */ + return 0; + } /* * Copy the finished so we can use it for renegotiation checks */ + if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED, + ERR_R_INTERNAL_ERROR); + return 0; + } if (!s->server) { - OPENSSL_assert(i <= EVP_MAX_MD_SIZE); - memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md, i); - s->s3->previous_client_finished_len = i; + memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md, + finish_md_len); + s->s3->previous_client_finished_len = finish_md_len; } else { - OPENSSL_assert(i <= EVP_MAX_MD_SIZE); - memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md, i); - s->s3->previous_server_finished_len = i; + memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md, + finish_md_len); + s->s3->previous_server_finished_len = finish_md_len; } - if (!ssl_set_handshake_header(s, SSL3_MT_FINISHED, l)) { - SSLerr(SSL_F_TLS_CONSTRUCT_FINISHED, ERR_R_INTERNAL_ERROR); + return 1; +} + +int tls_construct_key_update(SSL *s, WPACKET *pkt) +{ + if (!WPACKET_put_bytes_u8(pkt, s->key_update)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE, + ERR_R_INTERNAL_ERROR); return 0; } + s->key_update = SSL_KEY_UPDATE_NONE; return 1; } +MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) +{ + unsigned int updatetype; + + s->key_update_count++; + if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE, + SSL_R_TOO_MANY_KEY_UPDATES); + return MSG_PROCESS_ERROR; + } + + /* + * A KeyUpdate message signals a key change so the end of the message must + * be on a record boundary. + */ + if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE, + SSL_R_NOT_ON_RECORD_BOUNDARY); + return MSG_PROCESS_ERROR; + } + + if (!PACKET_get_1(pkt, &updatetype) + || PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE, + SSL_R_BAD_KEY_UPDATE); + return MSG_PROCESS_ERROR; + } + + /* + * There are only two defined key update types. Fail if we get a value we + * didn't recognise. + */ + if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED + && updatetype != SSL_KEY_UPDATE_REQUESTED) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE, + SSL_R_BAD_KEY_UPDATE); + return MSG_PROCESS_ERROR; + } + + /* + * If we get a request for us to update our sending keys too then, we need + * to additionally send a KeyUpdate message. However that message should + * not also request an update (otherwise we get into an infinite loop). We + * ignore a request for us to update our sending keys too if we already + * sent close_notify. + */ + if (updatetype == SSL_KEY_UPDATE_REQUESTED + && (s->shutdown & SSL_SENT_SHUTDOWN) == 0) + s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; + + if (!tls13_update_key(s, 0)) { + /* SSLfatal() already called */ + return MSG_PROCESS_ERROR; + } + + return MSG_PROCESS_FINISHED_READING; +} + /* * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen * to far. @@ -102,7 +673,7 @@ int tls_construct_finished(SSL *s, const char *sender, int slen) int ssl3_take_mac(SSL *s) { const char *sender; - int slen; + size_t slen; if (!s->server) { sender = s->method->ssl3_enc->server_finished_label; @@ -117,7 +688,7 @@ int ssl3_take_mac(SSL *s) s->s3->tmp.peer_finish_md); if (s->s3->tmp.peer_finish_md_len == 0) { - SSLerr(SSL_F_SSL3_TAKE_MAC, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ return 0; } @@ -126,8 +697,7 @@ int ssl3_take_mac(SSL *s) MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) { - int al; - long remain; + size_t remain; remain = PACKET_remaining(pkt); /* @@ -140,32 +710,32 @@ MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) && remain != DTLS1_CCS_HEADER_LENGTH + 1) || (s->version != DTLS1_BAD_VER && remain != DTLS1_CCS_HEADER_LENGTH - 1)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, - SSL_R_BAD_CHANGE_CIPHER_SPEC); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, + SSL_R_BAD_CHANGE_CIPHER_SPEC); + return MSG_PROCESS_ERROR; } } else { if (remain != 0) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, - SSL_R_BAD_CHANGE_CIPHER_SPEC); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, + SSL_R_BAD_CHANGE_CIPHER_SPEC); + return MSG_PROCESS_ERROR; } } /* Check we have a cipher to change to */ if (s->s3->tmp.new_cipher == NULL) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY); + return MSG_PROCESS_ERROR; } s->s3->change_cipher_spec = 1; if (!ssl3_do_change_cipher_spec(s)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, + ERR_R_INTERNAL_ERROR); + return MSG_PROCESS_ERROR; } if (SSL_IS_DTLS(s)) { @@ -185,119 +755,324 @@ MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) } return MSG_PROCESS_CONTINUE_READING; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); - return MSG_PROCESS_ERROR; } MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) { - int al, i; + size_t md_len; + + + /* This is a real handshake so make sure we clean it up at the end */ + if (s->server) { + /* + * To get this far we must have read encrypted data from the client. We + * no longer tolerate unencrypted alerts. This value is ignored if less + * than TLSv1.3 + */ + s->statem.enc_read_state = ENC_READ_STATE_VALID; + if (s->post_handshake_auth != SSL_PHA_REQUESTED) + s->statem.cleanuphand = 1; + if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) { + /* SSLfatal() already called */ + return MSG_PROCESS_ERROR; + } + } + + /* + * In TLSv1.3 a Finished message signals a key change so the end of the + * message must be on a record boundary. + */ + if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED, + SSL_R_NOT_ON_RECORD_BOUNDARY); + return MSG_PROCESS_ERROR; + } /* If this occurs, we have missed a message */ - if (!s->s3->change_cipher_spec) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS); - goto f_err; + if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED, + SSL_R_GOT_A_FIN_BEFORE_A_CCS); + return MSG_PROCESS_ERROR; } s->s3->change_cipher_spec = 0; - i = s->s3->tmp.peer_finish_md_len; + md_len = s->s3->tmp.peer_finish_md_len; - if ((unsigned long)i != PACKET_remaining(pkt)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_BAD_DIGEST_LENGTH); - goto f_err; + if (md_len != PACKET_remaining(pkt)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED, + SSL_R_BAD_DIGEST_LENGTH); + return MSG_PROCESS_ERROR; } - if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md, i) != 0) { - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_DIGEST_CHECK_FAILED); - goto f_err; + if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md, + md_len) != 0) { + SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED, + SSL_R_DIGEST_CHECK_FAILED); + return MSG_PROCESS_ERROR; } /* * Copy the finished so we can use it for renegotiation checks */ + if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED, + ERR_R_INTERNAL_ERROR); + return MSG_PROCESS_ERROR; + } if (s->server) { - OPENSSL_assert(i <= EVP_MAX_MD_SIZE); - memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, i); - s->s3->previous_client_finished_len = i; + memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, + md_len); + s->s3->previous_client_finished_len = md_len; } else { - OPENSSL_assert(i <= EVP_MAX_MD_SIZE); - memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, i); - s->s3->previous_server_finished_len = i; + memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, + md_len); + s->s3->previous_server_finished_len = md_len; + } + + /* + * In TLS1.3 we also have to change cipher state and do any final processing + * of the initial server flight (if we are a client) + */ + if (SSL_IS_TLS13(s)) { + if (s->server) { + if (s->post_handshake_auth != SSL_PHA_REQUESTED && + !s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) { + /* SSLfatal() already called */ + return MSG_PROCESS_ERROR; + } + } else { + if (!s->method->ssl3_enc->generate_master_secret(s, + s->master_secret, s->handshake_secret, 0, + &s->session->master_key_length)) { + /* SSLfatal() already called */ + return MSG_PROCESS_ERROR; + } + if (!s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) { + /* SSLfatal() already called */ + return MSG_PROCESS_ERROR; + } + if (!tls_process_initial_server_flight(s)) { + /* SSLfatal() already called */ + return MSG_PROCESS_ERROR; + } + } } return MSG_PROCESS_FINISHED_READING; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); - return MSG_PROCESS_ERROR; } -int tls_construct_change_cipher_spec(SSL *s) +int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt) { - unsigned char *p; - - p = (unsigned char *)s->init_buf->data; - *p = SSL3_MT_CCS; - s->init_num = 1; - s->init_off = 0; + if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); + return 0; + } return 1; } -unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk) +/* Add a certificate to the WPACKET */ +static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain) { - unsigned char *p; - unsigned long l = 3 + SSL_HM_HEADER_LENGTH(s); + int len; + unsigned char *outbytes; - if (!ssl_add_cert_chain(s, cpk, &l)) + len = i2d_X509(x, NULL); + if (len < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET, + ERR_R_BUF_LIB); return 0; + } + if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes) + || i2d_X509(x, &outbytes) != len) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET, + ERR_R_INTERNAL_ERROR); + return 0; + } - l -= 3 + SSL_HM_HEADER_LENGTH(s); - p = ssl_handshake_start(s); - l2n3(l, p); - l += 3; - - if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE, l)) { - SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_INTERNAL_ERROR); + if (SSL_IS_TLS13(s) + && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x, + chain)) { + /* SSLfatal() already called */ return 0; } - return l + SSL_HM_HEADER_LENGTH(s); + + return 1; } -WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst) +/* Add certificate chain to provided WPACKET */ +static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) { - void (*cb) (const SSL *ssl, int type, int val) = NULL; + int i, chain_count; + X509 *x; + STACK_OF(X509) *extra_certs; + STACK_OF(X509) *chain = NULL; + X509_STORE *chain_store; - /* clean a few things up */ - ssl3_cleanup_key_block(s); + if (cpk == NULL || cpk->x509 == NULL) + return 1; + + x = cpk->x509; - if (!SSL_IS_DTLS(s)) { + /* + * If we have a certificate specific chain use it, else use parent ctx. + */ + if (cpk->chain != NULL) + extra_certs = cpk->chain; + else + extra_certs = s->ctx->extra_certs; + + if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs) + chain_store = NULL; + else if (s->cert->chain_store) + chain_store = s->cert->chain_store; + else + chain_store = s->ctx->cert_store; + + if (chain_store != NULL) { + X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new(); + + if (xs_ctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, + ERR_R_MALLOC_FAILURE); + return 0; + } + if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) { + X509_STORE_CTX_free(xs_ctx); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, + ERR_R_X509_LIB); + return 0; + } /* - * We don't do this in DTLS because we may still need the init_buf - * in case there are any unexpected retransmits + * It is valid for the chain not to be complete (because normally we + * don't include the root cert in the chain). Therefore we deliberately + * ignore the error return from this call. We're not actually verifying + * the cert - we're just building as much of the chain as we can */ - BUF_MEM_free(s->init_buf); - s->init_buf = NULL; + (void)X509_verify_cert(xs_ctx); + /* Don't leave errors in the queue */ + ERR_clear_error(); + chain = X509_STORE_CTX_get0_chain(xs_ctx); + i = ssl_security_cert_chain(s, chain, NULL, 0); + if (i != 1) { +#if 0 + /* Dummy error calls so mkerr generates them */ + SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL); + SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL); + SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK); +#endif + X509_STORE_CTX_free(xs_ctx); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i); + return 0; + } + chain_count = sk_X509_num(chain); + for (i = 0; i < chain_count; i++) { + x = sk_X509_value(chain, i); + + if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) { + /* SSLfatal() already called */ + X509_STORE_CTX_free(xs_ctx); + return 0; + } + } + X509_STORE_CTX_free(xs_ctx); + } else { + i = ssl_security_cert_chain(s, extra_certs, x, 0); + if (i != 1) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i); + return 0; + } + if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) { + /* SSLfatal() already called */ + return 0; + } + for (i = 0; i < sk_X509_num(extra_certs); i++) { + x = sk_X509_value(extra_certs, i); + if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) { + /* SSLfatal() already called */ + return 0; + } + } + } + return 1; +} + +unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) +{ + if (!WPACKET_start_sub_packet_u24(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN, + ERR_R_INTERNAL_ERROR); + return 0; + } + + if (!ssl_add_cert_chain(s, pkt, cpk)) + return 0; + + if (!WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN, + ERR_R_INTERNAL_ERROR); + return 0; } - ssl_free_wbio_buffer(s); + return 1; +} - s->init_num = 0; +/* + * Tidy up after the end of a handshake. In the case of SCTP this may result + * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is + * freed up as well. + */ +WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) +{ + void (*cb) (const SSL *ssl, int type, int val) = NULL; - if (!s->server || s->renegotiate == 2) { + if (clearbufs) { + if (!SSL_IS_DTLS(s)) { + /* + * We don't do this in DTLS because we may still need the init_buf + * in case there are any unexpected retransmits + */ + BUF_MEM_free(s->init_buf); + s->init_buf = NULL; + } + if (!ssl_free_wbio_buffer(s)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE, + ERR_R_INTERNAL_ERROR); + return WORK_ERROR; + } + s->init_num = 0; + } + + if (SSL_IS_TLS13(s) && !s->server + && s->post_handshake_auth == SSL_PHA_REQUESTED) + s->post_handshake_auth = SSL_PHA_EXT_SENT; + + /* + * Only set if there was a Finished message and this isn't after a TLSv1.3 + * post handshake exchange + */ + if (s->statem.cleanuphand) { /* skipped if we just sent a HelloRequest */ s->renegotiate = 0; s->new_session = 0; + s->statem.cleanuphand = 0; + s->ext.ticket_expected = 0; - if (s->server) { - ssl_update_cache(s, SSL_SESS_CACHE_SERVER); + ssl3_cleanup_key_block(s); - s->ctx->stats.sess_accept_good++; + if (s->server) { + /* + * In TLSv1.3 we update the cache as part of constructing the + * NewSessionTicket + */ + if (!SSL_IS_TLS13(s)) + ssl_update_cache(s, SSL_SESS_CACHE_SERVER); + + /* N.B. s->ctx may not equal s->session_ctx */ + tsan_counter(&s->ctx->stats.sess_accept_good); s->handshake_func = ossl_statem_accept; if (SSL_IS_DTLS(s) && !s->hit) { @@ -309,12 +1084,26 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst) dtls1_start_timer(s); } } else { - ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); + if (SSL_IS_TLS13(s)) { + /* + * We encourage applications to only use TLSv1.3 tickets once, + * so we remove this one from the cache. + */ + if ((s->session_ctx->session_cache_mode + & SSL_SESS_CACHE_CLIENT) != 0) + SSL_CTX_remove_session(s->session_ctx, s->session); + } else { + /* + * In TLSv1.3 we update the cache as part of processing the + * NewSessionTicket + */ + ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); + } if (s->hit) - s->ctx->stats.sess_hit++; + tsan_counter(&s->session_ctx->stats.sess_hit); s->handshake_func = ossl_statem_connect; - s->ctx->stats.sess_connect_good++; + tsan_counter(&s->session_ctx->stats.sess_connect_good); if (SSL_IS_DTLS(s) && s->hit) { /* @@ -326,14 +1115,6 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst) } } - if (s->info_callback != NULL) - cb = s->info_callback; - else if (s->ctx->info_callback != NULL) - cb = s->ctx->info_callback; - - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_DONE, 1); - if (SSL_IS_DTLS(s)) { /* done with handshaking */ s->d1->handshake_read_seq = 0; @@ -343,15 +1124,32 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst) } } + if (s->info_callback != NULL) + cb = s->info_callback; + else if (s->ctx->info_callback != NULL) + cb = s->ctx->info_callback; + + /* The callback may expect us to not be in init at handshake done */ + ossl_statem_set_in_init(s, 0); + + if (cb != NULL) + cb(s, SSL_CB_HANDSHAKE_DONE, 1); + + if (!stop) { + /* If we've got more work to do we go back into init */ + ossl_statem_set_in_init(s, 1); + return WORK_FINISHED_CONTINUE; + } + return WORK_FINISHED_STOP; } int tls_get_message_header(SSL *s, int *mt) { /* s->init_num < SSL3_HM_HEADER_LENGTH */ - int skip_message, i, recvd_type, al; + int skip_message, i, recvd_type; unsigned char *p; - unsigned long l; + size_t l, readbytes; p = (unsigned char *)s->init_buf->data; @@ -360,7 +1158,7 @@ int tls_get_message_header(SSL *s, int *mt) i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, &p[s->init_num], SSL3_HM_HEADER_LENGTH - s->init_num, - 0); + 0, &readbytes); if (i <= 0) { s->rwstate = SSL_READING; return 0; @@ -370,28 +1168,41 @@ int tls_get_message_header(SSL *s, int *mt) * A ChangeCipherSpec must be a single byte and may not occur * in the middle of a handshake message. */ - if (s->init_num != 0 || i != 1 || p[0] != SSL3_MT_CCS) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, - SSL_R_BAD_CHANGE_CIPHER_SPEC); - goto f_err; + if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_TLS_GET_MESSAGE_HEADER, + SSL_R_BAD_CHANGE_CIPHER_SPEC); + return 0; + } + if (s->statem.hand_state == TLS_ST_BEFORE + && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) { + /* + * We are stateless and we received a CCS. Probably this is + * from a client between the first and second ClientHellos. + * We should ignore this, but return an error because we do + * not return success until we see the second ClientHello + * with a valid cookie. + */ + return 0; } s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; - s->init_num = i - 1; + s->init_num = readbytes - 1; s->init_msg = s->init_buf->data; - s->s3->tmp.message_size = i; + s->s3->tmp.message_size = readbytes; return 1; } else if (recvd_type != SSL3_RT_HANDSHAKE) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, SSL_R_CCS_RECEIVED_EARLY); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_TLS_GET_MESSAGE_HEADER, + SSL_R_CCS_RECEIVED_EARLY); + return 0; } - s->init_num += i; + s->init_num += readbytes; } skip_message = 0; if (!s->server) - if (p[0] == SSL3_MT_HELLO_REQUEST) + if (s->statem.hand_state != TLS_ST_OK + && p[0] == SSL3_MT_HELLO_REQUEST) /* * The server may always send 'Hello Request' messages -- * we are doing a handshake anyway now, so ignore them if @@ -431,9 +1242,9 @@ int tls_get_message_header(SSL *s, int *mt) n2l3(p, l); /* BUF_MEM_grow takes an 'int' parameter */ if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, SSL_R_EXCESSIVE_MESSAGE_SIZE); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER, + SSL_R_EXCESSIVE_MESSAGE_SIZE); + return 0; } s->s3->tmp.message_size = l; @@ -442,14 +1253,11 @@ int tls_get_message_header(SSL *s, int *mt) } return 1; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return 0; } -int tls_get_message_body(SSL *s, unsigned long *len) +int tls_get_message_body(SSL *s, size_t *len) { - long n; + size_t n, readbytes; unsigned char *p; int i; @@ -463,14 +1271,14 @@ int tls_get_message_body(SSL *s, unsigned long *len) n = s->s3->tmp.message_size - s->init_num; while (n > 0) { i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, - &p[s->init_num], n, 0); + &p[s->init_num], n, 0, &readbytes); if (i <= 0) { s->rwstate = SSL_READING; *len = 0; return 0; } - s->init_num += i; - n -= i; + s->init_num += readbytes; + n -= readbytes; } /* @@ -487,8 +1295,7 @@ int tls_get_message_body(SSL *s, unsigned long *len) if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num)) { - SSLerr(SSL_F_TLS_GET_MESSAGE_BODY, ERR_R_EVP_LIB); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + /* SSLfatal() already called */ *len = 0; return 0; } @@ -496,12 +1303,28 @@ int tls_get_message_body(SSL *s, unsigned long *len) s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data, (size_t)s->init_num, s, s->msg_callback_arg); } else { - if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, - s->init_num + SSL3_HM_HEADER_LENGTH)) { - SSLerr(SSL_F_TLS_GET_MESSAGE_BODY, ERR_R_EVP_LIB); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - *len = 0; - return 0; + /* + * We defer feeding in the HRR until later. We'll do it as part of + * processing the message + * The TLsv1.3 handshake transcript stops at the ClientFinished + * message. + */ +#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2) + /* KeyUpdate and NewSessionTicket do not need to be added */ + if (!SSL_IS_TLS13(s) || (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET + && s->s3->tmp.message_type != SSL3_MT_KEY_UPDATE)) { + if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO + || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE + || memcmp(hrrrandom, + s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET, + SSL3_RANDOM_SIZE) != 0) { + if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, + s->init_num + SSL3_HM_HEADER_LENGTH)) { + /* SSLfatal() already called */ + *len = 0; + return 0; + } + } } if (s->msg_callback) s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, @@ -509,114 +1332,63 @@ int tls_get_message_body(SSL *s, unsigned long *len) s->msg_callback_arg); } - /* - * init_num should never be negative...should probably be declared - * unsigned - */ - if (s->init_num < 0) { - SSLerr(SSL_F_TLS_GET_MESSAGE_BODY, ERR_R_INTERNAL_ERROR); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - *len = 0; - return 0; - } - *len = (unsigned long)s->init_num; + *len = s->init_num; return 1; } -int ssl_cert_type(const X509 *x, const EVP_PKEY *pk) -{ - if (pk == NULL && (pk = X509_get0_pubkey(x)) == NULL) - return -1; - - switch (EVP_PKEY_id(pk)) { - default: - return -1; - case EVP_PKEY_RSA: - return SSL_PKEY_RSA_ENC; - case EVP_PKEY_DSA: - return SSL_PKEY_DSA_SIGN; -#ifndef OPENSSL_NO_EC - case EVP_PKEY_EC: - return SSL_PKEY_ECC; -#endif -#ifndef OPENSSL_NO_GOST - case NID_id_GostR3410_2001: - return SSL_PKEY_GOST01; - case NID_id_GostR3410_2012_256: - return SSL_PKEY_GOST12_256; - case NID_id_GostR3410_2012_512: - return SSL_PKEY_GOST12_512; -#endif - } -} +static const X509ERR2ALERT x509table[] = { + {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE}, + {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA}, + {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED}, + {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED}, + {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR}, + {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED}, + {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR}, + {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA}, + {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA}, + {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR}, + {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE}, + {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR}, + {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA}, + {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA}, + {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR}, + {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE}, + {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA}, + {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA}, + {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA}, + {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA}, + {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA}, + {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR}, + + /* Last entry; return this if we don't find the value above. */ + {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN} +}; -int ssl_verify_alarm_type(long type) +int ssl_x509err2alert(int x509err) { - int al; + const X509ERR2ALERT *tp; - switch (type) { - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - case X509_V_ERR_UNABLE_TO_GET_CRL: - case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: - al = SSL_AD_UNKNOWN_CA; - break; - case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: - case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: - case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: - case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: - case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: - case X509_V_ERR_CERT_NOT_YET_VALID: - case X509_V_ERR_CRL_NOT_YET_VALID: - case X509_V_ERR_CERT_UNTRUSTED: - case X509_V_ERR_CERT_REJECTED: - case X509_V_ERR_HOSTNAME_MISMATCH: - case X509_V_ERR_EMAIL_MISMATCH: - case X509_V_ERR_IP_ADDRESS_MISMATCH: - case X509_V_ERR_DANE_NO_MATCH: - case X509_V_ERR_EE_KEY_TOO_SMALL: - case X509_V_ERR_CA_KEY_TOO_SMALL: - case X509_V_ERR_CA_MD_TOO_WEAK: - al = SSL_AD_BAD_CERTIFICATE; - break; - case X509_V_ERR_CERT_SIGNATURE_FAILURE: - case X509_V_ERR_CRL_SIGNATURE_FAILURE: - al = SSL_AD_DECRYPT_ERROR; - break; - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_CRL_HAS_EXPIRED: - al = SSL_AD_CERTIFICATE_EXPIRED; - break; - case X509_V_ERR_CERT_REVOKED: - al = SSL_AD_CERTIFICATE_REVOKED; - break; - case X509_V_ERR_UNSPECIFIED: - case X509_V_ERR_OUT_OF_MEM: - case X509_V_ERR_INVALID_CALL: - case X509_V_ERR_STORE_LOOKUP: - al = SSL_AD_INTERNAL_ERROR; - break; - case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: - case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: - case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: - case X509_V_ERR_CERT_CHAIN_TOO_LONG: - case X509_V_ERR_PATH_LENGTH_EXCEEDED: - case X509_V_ERR_INVALID_CA: - al = SSL_AD_UNKNOWN_CA; - break; - case X509_V_ERR_APPLICATION_VERIFICATION: - al = SSL_AD_HANDSHAKE_FAILURE; - break; - case X509_V_ERR_INVALID_PURPOSE: - al = SSL_AD_UNSUPPORTED_CERTIFICATE; - break; - default: - al = SSL_AD_CERTIFICATE_UNKNOWN; - break; - } - return (al); + for (tp = x509table; tp->x509err != X509_V_OK; ++tp) + if (tp->x509err == x509err) + break; + return tp->alert; } int ssl_allow_compression(SSL *s) @@ -643,11 +1415,17 @@ typedef struct { const SSL_METHOD *(*smeth) (void); } version_info; -#if TLS_MAX_VERSION != TLS1_2_VERSION -# error Code needs update for TLS_method() support beyond TLS1_2_VERSION. +#if TLS_MAX_VERSION != TLS1_3_VERSION +# error Code needs update for TLS_method() support beyond TLS1_3_VERSION. #endif +/* Must be in order high to low */ static const version_info tls_version_table[] = { +#ifndef OPENSSL_NO_TLS1_3 + {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method}, +#else + {TLS1_3_VERSION, NULL, NULL}, +#endif #ifndef OPENSSL_NO_TLS1_2 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method}, #else @@ -675,6 +1453,7 @@ static const version_info tls_version_table[] = { # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION. #endif +/* Must be in order high to low */ static const version_info dtls_version_table[] = { #ifndef OPENSSL_NO_DTLS1_2 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method}, @@ -716,8 +1495,62 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method) return SSL_R_UNSUPPORTED_PROTOCOL; if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s)) return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE; - else if ((method->flags & SSL_METHOD_NO_FIPS) != 0 && FIPS_mode()) - return SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE; + + return 0; +} + +/* + * Only called by servers. Returns 1 if the server has a TLSv1.3 capable + * certificate type, or has PSK or a certificate callback configured. Otherwise + * returns 0. + */ +static int is_tls13_capable(const SSL *s) +{ + int i; +#ifndef OPENSSL_NO_EC + int curve; + EC_KEY *eckey; +#endif + +#ifndef OPENSSL_NO_PSK + if (s->psk_server_callback != NULL) + return 1; +#endif + + if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL) + return 1; + + for (i = 0; i < SSL_PKEY_NUM; i++) { + /* Skip over certs disallowed for TLSv1.3 */ + switch (i) { + case SSL_PKEY_DSA_SIGN: + case SSL_PKEY_GOST01: + case SSL_PKEY_GOST12_256: + case SSL_PKEY_GOST12_512: + continue; + default: + break; + } + if (!ssl_has_cert(s, i)) + continue; +#ifndef OPENSSL_NO_EC + if (i != SSL_PKEY_ECC) + return 1; + /* + * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is + * more restrictive so check that our sig algs are consistent with this + * EC cert. See section 4.2.3 of RFC8446. + */ + eckey = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey); + if (eckey == NULL) + continue; + curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)); + if (tls_check_sigalg_curve(s, curve)) + return 1; +#else + return 1; +#endif + } return 0; } @@ -731,7 +1564,7 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method) * * Returns 1 when supported, otherwise 0 */ -int ssl_version_supported(const SSL *s, int version) +int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth) { const version_info *vent; const version_info *table; @@ -751,9 +1584,14 @@ int ssl_version_supported(const SSL *s, int version) for (vent = table; vent->version != 0 && version_cmp(s, version, vent->version) <= 0; ++vent) { - if (vent->cmeth != NULL && - version_cmp(s, version, vent->version) == 0 && - ssl_method_error(s, vent->cmeth()) == 0) { + if (vent->cmeth != NULL + && version_cmp(s, version, vent->version) == 0 + && ssl_method_error(s, vent->cmeth()) == 0 + && (!s->server + || version != TLS1_3_VERSION + || is_tls13_capable(s))) { + if (meth != NULL) + *meth = vent->cmeth(); return 1; } } @@ -859,6 +1697,27 @@ int ssl_set_version_bound(int method_version, int version, int *bound) return 1; } +static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd) +{ + if (vers == TLS1_2_VERSION + && ssl_version_supported(s, TLS1_3_VERSION, NULL)) { + *dgrd = DOWNGRADE_TO_1_2; + } else if (!SSL_IS_DTLS(s) + && vers < TLS1_2_VERSION + /* + * We need to ensure that a server that disables TLSv1.2 + * (creating a hole between TLSv1.3 and TLSv1.1) can still + * complete handshakes with clients that support TLSv1.2 and + * below. Therefore we do not enable the sentinel if TLSv1.3 is + * enabled and TLSv1.2 is not. + */ + && ssl_version_supported(s, TLS1_2_VERSION, NULL)) { + *dgrd = DOWNGRADE_TO_1_1; + } else { + *dgrd = DOWNGRADE_NONE; + } +} + /* * ssl_choose_server_version - Choose server (D)TLS version. Called when the * client HELLO is received to select the final server protocol version and @@ -868,7 +1727,7 @@ int ssl_set_version_bound(int method_version, int version, int *bound) * * Returns 0 on success or an SSL error reason number on failure. */ -int ssl_choose_server_version(SSL *s) +int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) { /*- * With version-flexible methods we have an initial state with: @@ -880,23 +1739,34 @@ int ssl_choose_server_version(SSL *s) * handle version. */ int server_version = s->method->version; - int client_version = s->client_version; + int client_version = hello->legacy_version; const version_info *vent; const version_info *table; int disabled = 0; + RAW_EXTENSION *suppversions; + + s->client_version = client_version; switch (server_version) { default: - if (version_cmp(s, client_version, s->version) < 0) - return SSL_R_WRONG_SSL_VERSION; + if (!SSL_IS_TLS13(s)) { + if (version_cmp(s, client_version, s->version) < 0) + return SSL_R_WRONG_SSL_VERSION; + *dgrd = DOWNGRADE_NONE; + /* + * If this SSL handle is not from a version flexible method we don't + * (and never did) check min/max FIPS or Suite B constraints. Hope + * that's OK. It is up to the caller to not choose fixed protocol + * versions they don't want. If not, then easy to fix, just return + * ssl_method_error(s, s->method) + */ + return 0; + } /* - * If this SSL handle is not from a version flexible method we don't - * (and never did) check min/max FIPS or Suite B constraints. Hope - * that's OK. It is up to the caller to not choose fixed protocol - * versions they don't want. If not, then easy to fix, just return - * ssl_method_error(s, s->method) + * Fall through if we are TLSv1.3 already (this means we must be after + * a HelloRetryRequest */ - return 0; + /* fall thru */ case TLS_ANY_VERSION: table = tls_version_table; break; @@ -905,6 +1775,77 @@ int ssl_choose_server_version(SSL *s) break; } + suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions]; + + /* If we did an HRR then supported versions is mandatory */ + if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE) + return SSL_R_UNSUPPORTED_PROTOCOL; + + if (suppversions->present && !SSL_IS_DTLS(s)) { + unsigned int candidate_vers = 0; + unsigned int best_vers = 0; + const SSL_METHOD *best_method = NULL; + PACKET versionslist; + + suppversions->parsed = 1; + + if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) { + /* Trailing or invalid data? */ + return SSL_R_LENGTH_MISMATCH; + } + + /* + * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION. + * The spec only requires servers to check that it isn't SSLv3: + * "Any endpoint receiving a Hello message with + * ClientHello.legacy_version or ServerHello.legacy_version set to + * 0x0300 MUST abort the handshake with a "protocol_version" alert." + * We are slightly stricter and require that it isn't SSLv3 or lower. + * We tolerate TLSv1 and TLSv1.1. + */ + if (client_version <= SSL3_VERSION) + return SSL_R_BAD_LEGACY_VERSION; + + while (PACKET_get_net_2(&versionslist, &candidate_vers)) { + if (version_cmp(s, candidate_vers, best_vers) <= 0) + continue; + if (ssl_version_supported(s, candidate_vers, &best_method)) + best_vers = candidate_vers; + } + if (PACKET_remaining(&versionslist) != 0) { + /* Trailing data? */ + return SSL_R_LENGTH_MISMATCH; + } + + if (best_vers > 0) { + if (s->hello_retry_request != SSL_HRR_NONE) { + /* + * This is after a HelloRetryRequest so we better check that we + * negotiated TLSv1.3 + */ + if (best_vers != TLS1_3_VERSION) + return SSL_R_UNSUPPORTED_PROTOCOL; + return 0; + } + check_for_downgrade(s, best_vers, dgrd); + s->version = best_vers; + s->method = best_method; + return 0; + } + return SSL_R_UNSUPPORTED_PROTOCOL; + } + + /* + * If the supported versions extension isn't present, then the highest + * version we can negotiate is TLSv1.2 + */ + if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0) + client_version = TLS1_2_VERSION; + + /* + * No supported versions extension, so we just use the version supplied in + * the ClientHello. + */ for (vent = table; vent->version != 0; ++vent) { const SSL_METHOD *method; @@ -913,6 +1854,7 @@ int ssl_choose_server_version(SSL *s) continue; method = vent->smeth(); if (ssl_method_error(s, method) == 0) { + check_for_downgrade(s, vent->version, dgrd); s->version = vent->version; s->method = method; return 0; @@ -929,18 +1871,45 @@ int ssl_choose_server_version(SSL *s) * * @s: client SSL handle. * @version: The proposed version from the server's HELLO. + * @extensions: The extensions received * - * Returns 0 on success or an SSL error reason number on failure. + * Returns 1 on success or 0 on error. */ -int ssl_choose_client_version(SSL *s, int version) +int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions) { const version_info *vent; const version_info *table; + int ret, ver_min, ver_max, real_max, origv; + + origv = s->version; + s->version = version; + + /* This will overwrite s->version if the extension is present */ + if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions, + SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_3_SERVER_HELLO, extensions, + NULL, 0)) { + s->version = origv; + return 0; + } + + if (s->hello_retry_request != SSL_HRR_NONE + && s->version != TLS1_3_VERSION) { + s->version = origv; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION, + SSL_R_WRONG_SSL_VERSION); + return 0; + } switch (s->method->version) { default: - if (version != s->version) - return SSL_R_WRONG_SSL_VERSION; + if (s->version != s->method->version) { + s->version = origv; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_SSL_CHOOSE_CLIENT_VERSION, + SSL_R_WRONG_SSL_VERSION); + return 0; + } /* * If this SSL handle is not from a version flexible method we don't * (and never did) check min/max, FIPS or Suite B constraints. Hope @@ -948,7 +1917,7 @@ int ssl_choose_client_version(SSL *s, int version) * versions they don't want. If not, then easy to fix, just return * ssl_method_error(s, s->method) */ - return 0; + return 1; case TLS_ANY_VERSION: table = tls_version_table; break; @@ -957,36 +1926,84 @@ int ssl_choose_client_version(SSL *s, int version) break; } - for (vent = table; vent->version != 0; ++vent) { - const SSL_METHOD *method; - int err; + ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max); + if (ret != 0) { + s->version = origv; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret); + return 0; + } + if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min) + : s->version < ver_min) { + s->version = origv; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); + return 0; + } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max) + : s->version > ver_max) { + s->version = origv; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); + return 0; + } - if (version != vent->version) + if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0) + real_max = ver_max; + + /* Check for downgrades */ + if (s->version == TLS1_2_VERSION && real_max > s->version) { + if (memcmp(tls12downgrade, + s->s3->server_random + SSL3_RANDOM_SIZE + - sizeof(tls12downgrade), + sizeof(tls12downgrade)) == 0) { + s->version = origv; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_SSL_CHOOSE_CLIENT_VERSION, + SSL_R_INAPPROPRIATE_FALLBACK); + return 0; + } + } else if (!SSL_IS_DTLS(s) + && s->version < TLS1_2_VERSION + && real_max > s->version) { + if (memcmp(tls11downgrade, + s->s3->server_random + SSL3_RANDOM_SIZE + - sizeof(tls11downgrade), + sizeof(tls11downgrade)) == 0) { + s->version = origv; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_SSL_CHOOSE_CLIENT_VERSION, + SSL_R_INAPPROPRIATE_FALLBACK); + return 0; + } + } + + for (vent = table; vent->version != 0; ++vent) { + if (vent->cmeth == NULL || s->version != vent->version) continue; - if (vent->cmeth == NULL) - break; - method = vent->cmeth(); - err = ssl_method_error(s, method); - if (err != 0) - return err; - s->method = method; - s->version = version; - return 0; + + s->method = vent->cmeth(); + return 1; } - return SSL_R_UNSUPPORTED_PROTOCOL; + s->version = origv; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION, + SSL_R_UNSUPPORTED_PROTOCOL); + return 0; } /* - * ssl_get_client_min_max_version - get minimum and maximum client version + * ssl_get_min_max_version - get minimum and maximum protocol version * @s: The SSL connection * @min_version: The minimum supported version * @max_version: The maximum supported version + * @real_max: The highest version below the lowest compile time version hole + * where that hole lies above at least one run-time enabled + * protocol. * * Work out what version we should be using for the initial ClientHello if the * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx * options, the MinProtocol and MaxProtocol configuration commands, any Suite B - * or FIPS_mode() constraints and any floor imposed by the security level here, + * constraints and any floor imposed by the security level here, * so we don't advertise the wrong protocol version to only reject the outcome later. * * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled, @@ -996,10 +2013,10 @@ int ssl_choose_client_version(SSL *s, int version) * Returns 0 on success or an SSL error reason number on failure. On failure * min_version and max_version will also be set to 0. */ -int ssl_get_client_min_max_version(const SSL *s, int *min_version, - int *max_version) +int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version, + int *real_max) { - int version; + int version, tmp_real_max; int hole; const SSL_METHOD *single = NULL; const SSL_METHOD *method; @@ -1016,6 +2033,12 @@ int ssl_get_client_min_max_version(const SSL *s, int *min_version, * ssl_method_error(s, s->method) */ *min_version = *max_version = s->version; + /* + * Providing a real_max only makes sense where we're using a version + * flexible method. + */ + if (!ossl_assert(real_max == NULL)) + return ERR_R_INTERNAL_ERROR; return 0; case TLS_ANY_VERSION: table = tls_version_table; @@ -1048,6 +2071,9 @@ int ssl_get_client_min_max_version(const SSL *s, int *min_version, */ *min_version = version = 0; hole = 1; + if (real_max != NULL) + *real_max = 0; + tmp_real_max = 0; for (vent = table; vent->version != 0; ++vent) { /* * A table entry with a NULL client method is still a hole in the @@ -1055,15 +2081,22 @@ int ssl_get_client_min_max_version(const SSL *s, int *min_version, */ if (vent->cmeth == NULL) { hole = 1; + tmp_real_max = 0; continue; } method = vent->cmeth(); + + if (hole == 1 && tmp_real_max == 0) + tmp_real_max = vent->version; + if (ssl_method_error(s, method) != 0) { hole = 1; } else if (!hole) { single = NULL; *min_version = method->version; } else { + if (real_max != NULL && tmp_real_max != 0) + *real_max = tmp_real_max; version = (single = method)->version; *min_version = version; hole = 0; @@ -1081,7 +2114,7 @@ int ssl_get_client_min_max_version(const SSL *s, int *min_version, /* * ssl_set_client_hello_version - Work out what version we should be using for - * the initial ClientHello. + * the initial ClientHello.legacy_version field. * * @s: client SSL handle. * @@ -1098,11 +2131,291 @@ int ssl_set_client_hello_version(SSL *s) if (!SSL_IS_FIRST_HANDSHAKE(s)) return 0; - ret = ssl_get_client_min_max_version(s, &ver_min, &ver_max); + ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL); if (ret != 0) return ret; - s->client_version = s->version = ver_max; + s->version = ver_max; + + /* TLS1.3 always uses TLS1.2 in the legacy_version field */ + if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION) + ver_max = TLS1_2_VERSION; + + s->client_version = ver_max; + return 0; +} + +/* + * Checks a list of |groups| to determine if the |group_id| is in it. If it is + * and |checkallow| is 1 then additionally check if the group is allowed to be + * used. Returns 1 if the group is in the list (and allowed if |checkallow| is + * 1) or 0 otherwise. + */ +#ifndef OPENSSL_NO_EC +int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups, + size_t num_groups, int checkallow) +{ + size_t i; + + if (groups == NULL || num_groups == 0) + return 0; + + for (i = 0; i < num_groups; i++) { + uint16_t group = groups[i]; + + if (group_id == group + && (!checkallow + || tls_curve_allowed(s, group, SSL_SECOP_CURVE_CHECK))) { + return 1; + } + } + + return 0; +} +#endif + +/* Replace ClientHello1 in the transcript hash with a synthetic message */ +int create_synthetic_message_hash(SSL *s, const unsigned char *hashval, + size_t hashlen, const unsigned char *hrr, + size_t hrrlen) +{ + unsigned char hashvaltmp[EVP_MAX_MD_SIZE]; + unsigned char msghdr[SSL3_HM_HEADER_LENGTH]; + + memset(msghdr, 0, sizeof(msghdr)); + + if (hashval == NULL) { + hashval = hashvaltmp; + hashlen = 0; + /* Get the hash of the initial ClientHello */ + if (!ssl3_digest_cached_records(s, 0) + || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp), + &hashlen)) { + /* SSLfatal() already called */ + return 0; + } + } + + /* Reinitialise the transcript hash */ + if (!ssl3_init_finished_mac(s)) { + /* SSLfatal() already called */ + return 0; + } + + /* Inject the synthetic message_hash message */ + msghdr[0] = SSL3_MT_MESSAGE_HASH; + msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen; + if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH) + || !ssl3_finish_mac(s, hashval, hashlen)) { + /* SSLfatal() already called */ + return 0; + } + + /* + * Now re-inject the HRR and current message if appropriate (we just deleted + * it when we reinitialised the transcript hash above). Only necessary after + * receiving a ClientHello2 with a cookie. + */ + if (hrr != NULL + && (!ssl3_finish_mac(s, hrr, hrrlen) + || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, + s->s3->tmp.message_size + + SSL3_HM_HEADER_LENGTH))) { + /* SSLfatal() already called */ + return 0; + } + + return 1; +} + +static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b) +{ + return X509_NAME_cmp(*a, *b); +} + +int parse_ca_names(SSL *s, PACKET *pkt) +{ + STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp); + X509_NAME *xn = NULL; + PACKET cadns; + + if (ca_sk == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES, + ERR_R_MALLOC_FAILURE); + goto err; + } + /* get the CA RDNs */ + if (!PACKET_get_length_prefixed_2(pkt, &cadns)) { + SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES, + SSL_R_LENGTH_MISMATCH); + goto err; + } + + while (PACKET_remaining(&cadns)) { + const unsigned char *namestart, *namebytes; + unsigned int name_len; + + if (!PACKET_get_net_2(&cadns, &name_len) + || !PACKET_get_bytes(&cadns, &namebytes, name_len)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES, + SSL_R_LENGTH_MISMATCH); + goto err; + } + + namestart = namebytes; + if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES, + ERR_R_ASN1_LIB); + goto err; + } + if (namebytes != (namestart + name_len)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES, + SSL_R_CA_DN_LENGTH_MISMATCH); + goto err; + } + + if (!sk_X509_NAME_push(ca_sk, xn)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES, + ERR_R_MALLOC_FAILURE); + goto err; + } + xn = NULL; + } + + sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); + s->s3->tmp.peer_ca_names = ca_sk; + + return 1; + + err: + sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); + X509_NAME_free(xn); return 0; } + +const STACK_OF(X509_NAME) *get_ca_names(SSL *s) +{ + const STACK_OF(X509_NAME) *ca_sk = NULL;; + + if (s->server) { + ca_sk = SSL_get_client_CA_list(s); + if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0) + ca_sk = NULL; + } + + if (ca_sk == NULL) + ca_sk = SSL_get0_CA_list(s); + + return ca_sk; +} + +int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt) +{ + /* Start sub-packet for client CA list */ + if (!WPACKET_start_sub_packet_u16(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES, + ERR_R_INTERNAL_ERROR); + return 0; + } + + if (ca_sk != NULL) { + int i; + + for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) { + unsigned char *namebytes; + X509_NAME *name = sk_X509_NAME_value(ca_sk, i); + int namelen; + + if (name == NULL + || (namelen = i2d_X509_NAME(name, NULL)) < 0 + || !WPACKET_sub_allocate_bytes_u16(pkt, namelen, + &namebytes) + || i2d_X509_NAME(name, &namebytes) != namelen) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + } + + if (!WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES, + ERR_R_INTERNAL_ERROR); + return 0; + } + + return 1; +} + +/* Create a buffer containing data to be signed for server key exchange */ +size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs, + const void *param, size_t paramlen) +{ + size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen; + unsigned char *tbs = OPENSSL_malloc(tbslen); + + if (tbs == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS, + ERR_R_MALLOC_FAILURE); + return 0; + } + memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE); + memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE); + + memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen); + + *ptbs = tbs; + return tbslen; +} + +/* + * Saves the current handshake digest for Post-Handshake Auth, + * Done after ClientFinished is processed, done exactly once + */ +int tls13_save_handshake_digest_for_pha(SSL *s) +{ + if (s->pha_dgst == NULL) { + if (!ssl3_digest_cached_records(s, 1)) + /* SSLfatal() already called */ + return 0; + + s->pha_dgst = EVP_MD_CTX_new(); + if (s->pha_dgst == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA, + ERR_R_INTERNAL_ERROR); + return 0; + } + if (!EVP_MD_CTX_copy_ex(s->pha_dgst, + s->s3->handshake_dgst)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + return 1; +} + +/* + * Restores the Post-Handshake Auth handshake digest + * Done just before sending/processing the Cert Request + */ +int tls13_restore_handshake_digest_for_pha(SSL *s) +{ + if (s->pha_dgst == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA, + ERR_R_INTERNAL_ERROR); + return 0; + } + if (!EVP_MD_CTX_copy_ex(s->s3->handshake_dgst, + s->pha_dgst)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA, + ERR_R_INTERNAL_ERROR); + return 0; + } + return 1; +} diff --git a/deps/openssl/openssl/ssl/statem/statem_locl.h b/deps/openssl/openssl/ssl/statem/statem_locl.h index 5dbc62b67f..6b8cf37faa 100644 --- a/deps/openssl/openssl/ssl/statem/statem_locl.h +++ b/deps/openssl/openssl/ssl/statem/statem_locl.h @@ -18,13 +18,25 @@ /* The spec allows for a longer length than this, but we limit it */ #define HELLO_VERIFY_REQUEST_MAX_LENGTH 258 +#define END_OF_EARLY_DATA_MAX_LENGTH 0 #define SERVER_HELLO_MAX_LENGTH 20000 +#define HELLO_RETRY_REQUEST_MAX_LENGTH 20000 +#define ENCRYPTED_EXTENSIONS_MAX_LENGTH 20000 #define SERVER_KEY_EXCH_MAX_LENGTH 102400 #define SERVER_HELLO_DONE_MAX_LENGTH 0 +#define KEY_UPDATE_MAX_LENGTH 1 #define CCS_MAX_LENGTH 1 /* Max should actually be 36 but we are generous */ #define FINISHED_MAX_LENGTH 64 +/* The maximum number of incoming KeyUpdate messages we will accept */ +#define MAX_KEY_UPDATE_MESSAGES 32 + +/* Dummy message type */ +#define SSL3_MT_DUMMY -1 + +extern const unsigned char hrrrandom[]; + /* Message processing return codes */ typedef enum { /* Something bad happened */ @@ -40,9 +52,19 @@ typedef enum { MSG_PROCESS_CONTINUE_READING } MSG_PROCESS_RETURN; -/* Flush the write BIO */ -int statem_flush(SSL *s); +typedef int (*confunc_f) (SSL *s, WPACKET *pkt); + int ssl3_take_mac(SSL *s); +int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups, + size_t num_groups, int checkallow); +int create_synthetic_message_hash(SSL *s, const unsigned char *hashval, + size_t hashlen, const unsigned char *hrr, + size_t hrrlen); +int parse_ca_names(SSL *s, PACKET *pkt); +const STACK_OF(X509_NAME) *get_ca_names(SSL *s); +int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt); +size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs, + const void *param, size_t paramlen); /* * TLS/DTLS client state machine functions @@ -51,8 +73,9 @@ int ossl_statem_client_read_transition(SSL *s, int mt); WRITE_TRAN ossl_statem_client_write_transition(SSL *s); WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst); WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst); -int ossl_statem_client_construct_message(SSL *s); -unsigned long ossl_statem_client_max_message_size(SSL *s); +int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt, + confunc_f *confunc, int *mt); +size_t ossl_statem_client_max_message_size(SSL *s); MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt); WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst); @@ -63,58 +86,66 @@ int ossl_statem_server_read_transition(SSL *s, int mt); WRITE_TRAN ossl_statem_server_write_transition(SSL *s); WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst); WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst); -int ossl_statem_server_construct_message(SSL *s); -unsigned long ossl_statem_server_max_message_size(SSL *s); +int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, + confunc_f *confunc,int *mt); +size_t ossl_statem_server_max_message_size(SSL *s); MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt); WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst); /* Functions for getting new message data */ __owur int tls_get_message_header(SSL *s, int *mt); -__owur int tls_get_message_body(SSL *s, unsigned long *len); -__owur int dtls_get_message(SSL *s, int *mt, unsigned long *len); +__owur int tls_get_message_body(SSL *s, size_t *len); +__owur int dtls_get_message(SSL *s, int *mt, size_t *len); /* Message construction and processing functions */ +__owur int tls_process_initial_server_flight(SSL *s); __owur MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt); -__owur int tls_construct_change_cipher_spec(SSL *s); -__owur int dtls_construct_change_cipher_spec(SSL *s); +__owur int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt); +__owur int dtls_construct_change_cipher_spec(SSL *s, WPACKET *pkt); -__owur int tls_construct_finished(SSL *s, const char *sender, int slen); -__owur WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst); +__owur int tls_construct_finished(SSL *s, WPACKET *pkt); +__owur int tls_construct_key_update(SSL *s, WPACKET *pkt); +__owur MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt); +__owur WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, + int stop); __owur WORK_STATE dtls_wait_for_dry(SSL *s); /* some client-only functions */ -__owur int tls_construct_client_hello(SSL *s); +__owur int tls_construct_client_hello(SSL *s, WPACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt); +__owur int tls_process_cert_status_body(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt); -__owur int tls_construct_client_verify(SSL *s); +__owur int tls_construct_cert_verify(SSL *s, WPACKET *pkt); __owur WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst); -__owur int tls_construct_client_certificate(SSL *s); +__owur int tls_construct_client_certificate(SSL *s, WPACKET *pkt); __owur int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey); -__owur int tls_construct_client_key_exchange(SSL *s); +__owur int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt); __owur int tls_client_key_exchange_post_work(SSL *s); -__owur int tls_construct_cert_status(SSL *s); +__owur int tls_construct_cert_status_body(SSL *s, WPACKET *pkt); +__owur int tls_construct_cert_status(SSL *s, WPACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt); __owur int ssl3_check_cert_and_algorithm(SSL *s); #ifndef OPENSSL_NO_NEXTPROTONEG -__owur int tls_construct_next_proto(SSL *s); +__owur int tls_construct_next_proto(SSL *s, WPACKET *pkt); #endif +__owur MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt); +__owur int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt); /* some server-only functions */ __owur MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt); __owur WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst); -__owur int tls_construct_server_hello(SSL *s); -__owur int tls_construct_hello_request(SSL *s); -__owur int dtls_construct_hello_verify_request(SSL *s); -__owur int tls_construct_server_certificate(SSL *s); -__owur int tls_construct_server_key_exchange(SSL *s); -__owur int tls_construct_certificate_request(SSL *s); -__owur int tls_construct_server_done(SSL *s); +__owur int tls_construct_server_hello(SSL *s, WPACKET *pkt); +__owur int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt); +__owur int tls_construct_server_certificate(SSL *s, WPACKET *pkt); +__owur int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt); +__owur int tls_construct_certificate_request(SSL *s, WPACKET *pkt); +__owur int tls_construct_server_done(SSL *s, WPACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt); __owur WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst); @@ -122,4 +153,271 @@ __owur MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt); #ifndef OPENSSL_NO_NEXTPROTONEG __owur MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt); #endif -__owur int tls_construct_new_session_ticket(SSL *s); +__owur int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt); +MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt); + + +/* Extension processing */ + +typedef enum ext_return_en { + EXT_RETURN_FAIL, + EXT_RETURN_SENT, + EXT_RETURN_NOT_SENT +} EXT_RETURN; + +__owur int tls_validate_all_contexts(SSL *s, unsigned int thisctx, + RAW_EXTENSION *exts); +__owur int extension_is_relevant(SSL *s, unsigned int extctx, + unsigned int thisctx); +__owur int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, + RAW_EXTENSION **res, size_t *len, int init); +__owur int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, + RAW_EXTENSION *exts, X509 *x, size_t chainidx); +__owur int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, + X509 *x, size_t chainidx, int fin); +__owur int should_add_extension(SSL *s, unsigned int extctx, + unsigned int thisctx, int max_version); +__owur int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); + +__owur int tls_psk_do_binder(SSL *s, const EVP_MD *md, + const unsigned char *msgstart, + size_t binderoffset, const unsigned char *binderin, + unsigned char *binderout, + SSL_SESSION *sess, int sign, int external); + +/* Server Extension processing */ +int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#ifndef OPENSSL_NO_SRP +int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +#endif +int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#ifndef OPENSSL_NO_EC +int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidxl); +#endif +int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +#ifndef OPENSSL_NO_OCSP +int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#endif +#ifndef OPENSSL_NO_NEXTPROTONEG +int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +#endif +int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +#ifndef OPENSSL_NO_SRTP +int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +#endif +int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +int tls_parse_ctos_post_handshake_auth(SSL *, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); + +EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +#ifndef OPENSSL_NO_EC +EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +#endif +EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +#ifndef OPENSSL_NO_OCSP +EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +#endif +#ifndef OPENSSL_NO_NEXTPROTONEG +EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +#endif +EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#ifndef OPENSSL_NO_SRTP +EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#endif +EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +/* + * Not in public headers as this is not an official extension. Only used when + * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. + */ +#define TLSEXT_TYPE_cryptopro_bug 0xfde8 +EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); + +/* Client Extension processing */ +EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#ifndef OPENSSL_NO_SRP +EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +#endif +#ifndef OPENSSL_NO_EC +EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +#endif +EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +#ifndef OPENSSL_NO_OCSP +EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +#endif +#ifndef OPENSSL_NO_NEXTPROTONEG +EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#endif +EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#ifndef OPENSSL_NO_SRTP +EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#endif +EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#ifndef OPENSSL_NO_CT +EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#endif +EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx); +EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); + +int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#ifndef OPENSSL_NO_EC +int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#endif +int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#ifndef OPENSSL_NO_OCSP +int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +#endif +#ifndef OPENSSL_NO_CT +int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +#endif +#ifndef OPENSSL_NO_NEXTPROTONEG +int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +#endif +int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +#ifndef OPENSSL_NO_SRTP +int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +#endif +int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); +int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); +int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx); + +int tls_handle_alpn(SSL *s); + +int tls13_save_handshake_digest_for_pha(SSL *s); +int tls13_restore_handshake_digest_for_pha(SSL *s); diff --git a/deps/openssl/openssl/ssl/statem/statem_srvr.c b/deps/openssl/openssl/ssl/statem/statem_srvr.c index f81fa5e199..e7c11c4bea 100644 --- a/deps/openssl/openssl/ssl/statem/statem_srvr.c +++ b/deps/openssl/openssl/ssl/statem/statem_srvr.c @@ -1,5 +1,7 @@ /* * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,50 +9,11 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * ECC cipher suite support in OpenSSL originally written by - * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. - * - */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include <stdio.h> #include "../ssl_locl.h" #include "statem_locl.h" #include "internal/constant_time_locl.h" +#include "internal/cryptlib.h" #include <openssl/buffer.h> #include <openssl/rand.h> #include <openssl/objects.h> @@ -61,28 +24,134 @@ #include <openssl/bn.h> #include <openssl/md5.h> -static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, - PACKET *cipher_suites, - STACK_OF(SSL_CIPHER) - **skp, int sslv2format, - int *al); +#define TICKET_NONCE_SIZE 8 + +static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt); + +/* + * ossl_statem_server13_read_transition() encapsulates the logic for the allowed + * handshake state transitions when a TLSv1.3 server is reading messages from + * the client. The message type that the client has sent is provided in |mt|. + * The current state is in |s->statem.hand_state|. + * + * Return values are 1 for success (transition allowed) and 0 on error + * (transition not allowed) + */ +static int ossl_statem_server13_read_transition(SSL *s, int mt) +{ + OSSL_STATEM *st = &s->statem; + + /* + * Note: There is no case for TLS_ST_BEFORE because at that stage we have + * not negotiated TLSv1.3 yet, so that case is handled by + * ossl_statem_server_read_transition() + */ + switch (st->hand_state) { + default: + break; + + case TLS_ST_EARLY_DATA: + if (s->hello_retry_request == SSL_HRR_PENDING) { + if (mt == SSL3_MT_CLIENT_HELLO) { + st->hand_state = TLS_ST_SR_CLNT_HELLO; + return 1; + } + break; + } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { + if (mt == SSL3_MT_END_OF_EARLY_DATA) { + st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA; + return 1; + } + break; + } + /* Fall through */ + + case TLS_ST_SR_END_OF_EARLY_DATA: + case TLS_ST_SW_FINISHED: + if (s->s3->tmp.cert_request) { + if (mt == SSL3_MT_CERTIFICATE) { + st->hand_state = TLS_ST_SR_CERT; + return 1; + } + } else { + if (mt == SSL3_MT_FINISHED) { + st->hand_state = TLS_ST_SR_FINISHED; + return 1; + } + } + break; + + case TLS_ST_SR_CERT: + if (s->session->peer == NULL) { + if (mt == SSL3_MT_FINISHED) { + st->hand_state = TLS_ST_SR_FINISHED; + return 1; + } + } else { + if (mt == SSL3_MT_CERTIFICATE_VERIFY) { + st->hand_state = TLS_ST_SR_CERT_VRFY; + return 1; + } + } + break; + + case TLS_ST_SR_CERT_VRFY: + if (mt == SSL3_MT_FINISHED) { + st->hand_state = TLS_ST_SR_FINISHED; + return 1; + } + break; + + case TLS_ST_OK: + /* + * Its never ok to start processing handshake messages in the middle of + * early data (i.e. before we've received the end of early data alert) + */ + if (s->early_data_state == SSL_EARLY_DATA_READING) + break; + + if (mt == SSL3_MT_CERTIFICATE + && s->post_handshake_auth == SSL_PHA_REQUESTED) { + st->hand_state = TLS_ST_SR_CERT; + return 1; + } + + if (mt == SSL3_MT_KEY_UPDATE) { + st->hand_state = TLS_ST_SR_KEY_UPDATE; + return 1; + } + break; + } + + /* No valid transition found */ + return 0; +} /* - * server_read_transition() encapsulates the logic for the allowed handshake - * state transitions when the server is reading messages from the client. The - * message type that the client has sent is provided in |mt|. The current state - * is in |s->statem.hand_state|. + * ossl_statem_server_read_transition() encapsulates the logic for the allowed + * handshake state transitions when the server is reading messages from the + * client. The message type that the client has sent is provided in |mt|. The + * current state is in |s->statem.hand_state|. * - * Valid return values are: - * 1: Success (transition allowed) - * 0: Error (transition not allowed) + * Return values are 1 for success (transition allowed) and 0 on error + * (transition not allowed) */ int ossl_statem_server_read_transition(SSL *s, int mt) { OSSL_STATEM *st = &s->statem; + if (SSL_IS_TLS13(s)) { + if (!ossl_statem_server13_read_transition(s, mt)) + goto err; + return 1; + } + switch (st->hand_state) { + default: + break; + case TLS_ST_BEFORE: + case TLS_ST_OK: case DTLS_ST_SW_HELLO_VERIFY_REQUEST: if (mt == SSL3_MT_CLIENT_HELLO) { st->hand_state = TLS_ST_SR_CLNT_HELLO; @@ -111,10 +180,9 @@ int ossl_statem_server_read_transition(SSL *s, int mt) * not going to accept it because we require a client * cert. */ - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL3_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, - SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, + SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); return 0; } st->hand_state = TLS_ST_SR_KEY_EXCH; @@ -176,7 +244,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt) case TLS_ST_SR_CHANGE: #ifndef OPENSSL_NO_NEXTPROTONEG - if (s->s3->next_proto_neg_seen) { + if (s->s3->npn_seen) { if (mt == SSL3_MT_NEXT_PROTO) { st->hand_state = TLS_ST_SR_NEXT_PROTO; return 1; @@ -207,11 +275,9 @@ int ossl_statem_server_read_transition(SSL *s, int mt) return 1; } break; - - default: - break; } + err: /* No valid transition found */ if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { BIO *rbio; @@ -227,9 +293,9 @@ int ossl_statem_server_read_transition(SSL *s, int mt) BIO_set_retry_read(rbio); return 0; } - ossl_statem_set_error(s); - ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); - SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); + SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, + SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, + SSL_R_UNEXPECTED_MESSAGE); return 0; } @@ -282,16 +348,22 @@ static int send_server_key_exchange(SSL *s) * 1: Yes * 0: No */ -static int send_certificate_request(SSL *s) +int send_certificate_request(SSL *s) { if ( /* don't request cert unless asked for it: */ s->verify_mode & SSL_VERIFY_PEER /* + * don't request if post-handshake-only unless doing + * post-handshake in TLSv1.3: + */ + && (!SSL_IS_TLS13(s) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE) + || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) + /* * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert - * during re-negotiation: + * a second time: */ - && (s->s3->tmp.finish_md_len == 0 || + && (s->certreqs_sent < 1 || !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) /* * never request cert in anonymous ciphersuites (see @@ -319,34 +391,197 @@ static int send_certificate_request(SSL *s) } /* - * server_write_transition() works out what handshake state to move to next - * when the server is writing messages to be sent to the client. + * ossl_statem_server13_write_transition() works out what handshake state to + * move to next when a TLSv1.3 server is writing messages to be sent to the + * client. + */ +static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) +{ + OSSL_STATEM *st = &s->statem; + + /* + * No case for TLS_ST_BEFORE, because at that stage we have not negotiated + * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition() + */ + + switch (st->hand_state) { + default: + /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION, + ERR_R_INTERNAL_ERROR); + return WRITE_TRAN_ERROR; + + case TLS_ST_OK: + if (s->key_update != SSL_KEY_UPDATE_NONE) { + st->hand_state = TLS_ST_SW_KEY_UPDATE; + return WRITE_TRAN_CONTINUE; + } + if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { + st->hand_state = TLS_ST_SW_CERT_REQ; + return WRITE_TRAN_CONTINUE; + } + /* Try to read from the client instead */ + return WRITE_TRAN_FINISHED; + + case TLS_ST_SR_CLNT_HELLO: + st->hand_state = TLS_ST_SW_SRVR_HELLO; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_SRVR_HELLO: + if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 + && s->hello_retry_request != SSL_HRR_COMPLETE) + st->hand_state = TLS_ST_SW_CHANGE; + else if (s->hello_retry_request == SSL_HRR_PENDING) + st->hand_state = TLS_ST_EARLY_DATA; + else + st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_CHANGE: + if (s->hello_retry_request == SSL_HRR_PENDING) + st->hand_state = TLS_ST_EARLY_DATA; + else + st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_ENCRYPTED_EXTENSIONS: + if (s->hit) + st->hand_state = TLS_ST_SW_FINISHED; + else if (send_certificate_request(s)) + st->hand_state = TLS_ST_SW_CERT_REQ; + else + st->hand_state = TLS_ST_SW_CERT; + + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_CERT_REQ: + if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { + s->post_handshake_auth = SSL_PHA_REQUESTED; + st->hand_state = TLS_ST_OK; + } else { + st->hand_state = TLS_ST_SW_CERT; + } + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_CERT: + st->hand_state = TLS_ST_SW_CERT_VRFY; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_CERT_VRFY: + st->hand_state = TLS_ST_SW_FINISHED; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_FINISHED: + st->hand_state = TLS_ST_EARLY_DATA; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_EARLY_DATA: + return WRITE_TRAN_FINISHED; + + case TLS_ST_SR_FINISHED: + /* + * Technically we have finished the handshake at this point, but we're + * going to remain "in_init" for now and write out any session tickets + * immediately. + */ + if (s->post_handshake_auth == SSL_PHA_REQUESTED) { + s->post_handshake_auth = SSL_PHA_EXT_RECEIVED; + } else if (!s->ext.ticket_expected) { + /* + * If we're not going to renew the ticket then we just finish the + * handshake at this point. + */ + st->hand_state = TLS_ST_OK; + return WRITE_TRAN_CONTINUE; + } + if (s->num_tickets > s->sent_tickets) + st->hand_state = TLS_ST_SW_SESSION_TICKET; + else + st->hand_state = TLS_ST_OK; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SR_KEY_UPDATE: + if (s->key_update != SSL_KEY_UPDATE_NONE) { + st->hand_state = TLS_ST_SW_KEY_UPDATE; + return WRITE_TRAN_CONTINUE; + } + /* Fall through */ + + case TLS_ST_SW_KEY_UPDATE: + st->hand_state = TLS_ST_OK; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_SESSION_TICKET: + /* In a resumption we only ever send a maximum of one new ticket. + * Following an initial handshake we send the number of tickets we have + * been configured for. + */ + if (s->hit || s->num_tickets <= s->sent_tickets) { + /* We've written enough tickets out. */ + st->hand_state = TLS_ST_OK; + } + return WRITE_TRAN_CONTINUE; + } +} + +/* + * ossl_statem_server_write_transition() works out what handshake state to move + * to next when the server is writing messages to be sent to the client. */ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) { OSSL_STATEM *st = &s->statem; + /* + * Note that before the ClientHello we don't know what version we are going + * to negotiate yet, so we don't take this branch until later + */ + + if (SSL_IS_TLS13(s)) + return ossl_statem_server13_write_transition(s); + switch (st->hand_state) { + default: + /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION, + ERR_R_INTERNAL_ERROR); + return WRITE_TRAN_ERROR; + + case TLS_ST_OK: + if (st->request_state == TLS_ST_SW_HELLO_REQ) { + /* We must be trying to renegotiate */ + st->hand_state = TLS_ST_SW_HELLO_REQ; + st->request_state = TLS_ST_BEFORE; + return WRITE_TRAN_CONTINUE; + } + /* Must be an incoming ClientHello */ + if (!tls_setup_handshake(s)) { + /* SSLfatal() already called */ + return WRITE_TRAN_ERROR; + } + /* Fall through */ + case TLS_ST_BEFORE: /* Just go straight to trying to read from the client */ return WRITE_TRAN_FINISHED; - case TLS_ST_OK: - /* We must be trying to renegotiate */ - st->hand_state = TLS_ST_SW_HELLO_REQ; - return WRITE_TRAN_CONTINUE; - case TLS_ST_SW_HELLO_REQ: st->hand_state = TLS_ST_OK; - ossl_statem_set_in_init(s, 0); return WRITE_TRAN_CONTINUE; case TLS_ST_SR_CLNT_HELLO: if (SSL_IS_DTLS(s) && !s->d1->cookie_verified - && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) + && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) { st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST; - else + } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { + /* We must have rejected the renegotiation */ + st->hand_state = TLS_ST_OK; + return WRITE_TRAN_CONTINUE; + } else { st->hand_state = TLS_ST_SW_SRVR_HELLO; + } return WRITE_TRAN_CONTINUE; case DTLS_ST_SW_HELLO_VERIFY_REQUEST: @@ -354,7 +589,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) case TLS_ST_SW_SRVR_HELLO: if (s->hit) { - if (s->tlsext_ticket_expected) + if (s->ext.ticket_expected) st->hand_state = TLS_ST_SW_SESSION_TICKET; else st->hand_state = TLS_ST_SW_CHANGE; @@ -375,7 +610,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; case TLS_ST_SW_CERT: - if (s->tlsext_status_expected) { + if (s->ext.status_expected) { st->hand_state = TLS_ST_SW_CERT_STATUS; return WRITE_TRAN_CONTINUE; } @@ -405,9 +640,8 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) case TLS_ST_SR_FINISHED: if (s->hit) { st->hand_state = TLS_ST_OK; - ossl_statem_set_in_init(s, 0); return WRITE_TRAN_CONTINUE; - } else if (s->tlsext_ticket_expected) { + } else if (s->ext.ticket_expected) { st->hand_state = TLS_ST_SW_SESSION_TICKET; } else { st->hand_state = TLS_ST_SW_CHANGE; @@ -427,12 +661,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) return WRITE_TRAN_FINISHED; } st->hand_state = TLS_ST_OK; - ossl_statem_set_in_init(s, 0); return WRITE_TRAN_CONTINUE; - - default: - /* Shouldn't happen */ - return WRITE_TRAN_ERROR; } } @@ -445,6 +674,10 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) OSSL_STATEM *st = &s->statem; switch (st->hand_state) { + default: + /* No pre work to be done */ + break; + case TLS_ST_SW_HELLO_REQ: s->shutdown = 0; if (SSL_IS_DTLS(s)) @@ -472,13 +705,24 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) case TLS_ST_SW_SRVR_DONE: #ifndef OPENSSL_NO_SCTP - if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) + if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) { + /* Calls SSLfatal() as required */ return dtls_wait_for_dry(s); + } #endif return WORK_FINISHED_CONTINUE; case TLS_ST_SW_SESSION_TICKET: - if (SSL_IS_DTLS(s)) { + if (SSL_IS_TLS13(s) && s->sent_tickets == 0) { + /* + * Actually this is the end of the handshake, but we're going + * straight into writing the session ticket out. So we finish off + * the handshake, but keep the various buffers active. + * + * Calls SSLfatal as required. + */ + return tls_finish_handshake(s, wst, 0, 0); + } if (SSL_IS_DTLS(s)) { /* * We're into the last flight. We don't retransmit the last flight * unless we need to, so we don't use the timer @@ -488,9 +732,11 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) break; case TLS_ST_SW_CHANGE: + if (SSL_IS_TLS13(s)) + break; s->session->cipher = s->s3->tmp.new_cipher; if (!s->method->ssl3_enc->setup_key_block(s)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } if (SSL_IS_DTLS(s)) { @@ -504,17 +750,36 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) } return WORK_FINISHED_CONTINUE; - case TLS_ST_OK: - return tls_finish_handshake(s, wst); + case TLS_ST_EARLY_DATA: + if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING + && (s->s3->flags & TLS1_FLAGS_STATELESS) == 0) + return WORK_FINISHED_CONTINUE; + /* Fall through */ - default: - /* No pre work to be done */ - break; + case TLS_ST_OK: + /* Calls SSLfatal() as required */ + return tls_finish_handshake(s, wst, 1, 1); } return WORK_FINISHED_CONTINUE; } +static ossl_inline int conn_is_closed(void) +{ + switch (get_last_sys_error()) { +#if defined(EPIPE) + case EPIPE: + return 1; +#endif +#if defined(ECONNRESET) + case ECONNRESET: + return 1; +#endif + default: + return 0; + } +} + /* * Perform any work that needs to be done after sending a message from the * server to the client. @@ -526,11 +791,15 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) s->init_num = 0; switch (st->hand_state) { + default: + /* No post work to be done */ + break; + case TLS_ST_SW_HELLO_REQ: if (statem_flush(s) != 1) return WORK_MORE_A; if (!ssl3_init_finished_mac(s)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } break; @@ -540,7 +809,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) return WORK_MORE_A; /* HelloVerifyRequest resets Finished MAC */ if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } /* @@ -551,6 +820,12 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) break; case TLS_ST_SW_SRVR_HELLO: + if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) { + if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0 + && statem_flush(s) != 1) + return WORK_MORE_A; + break; + } #ifndef OPENSSL_NO_SCTP if (SSL_IS_DTLS(s) && s->hit) { unsigned char sctpauthkey[64]; @@ -567,7 +842,9 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) sizeof(sctpauthkey), labelbuffer, sizeof(labelbuffer), NULL, 0, 0) <= 0) { - ossl_statem_set_error(s); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_SERVER_POST_WORK, + ERR_R_INTERNAL_ERROR); return WORK_ERROR; } @@ -575,9 +852,42 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) sizeof(sctpauthkey), sctpauthkey); } #endif - break; + if (!SSL_IS_TLS13(s) + || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 + && s->hello_retry_request != SSL_HRR_COMPLETE)) + break; + /* Fall through */ case TLS_ST_SW_CHANGE: + if (s->hello_retry_request == SSL_HRR_PENDING) { + if (!statem_flush(s)) + return WORK_MORE_A; + break; + } + + if (SSL_IS_TLS13(s)) { + if (!s->method->ssl3_enc->setup_key_block(s) + || !s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) { + /* SSLfatal() already called */ + return WORK_ERROR; + } + + if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED + && !s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) { + /* SSLfatal() already called */ + return WORK_ERROR; + } + /* + * We don't yet know whether the next record we are going to receive + * is an unencrypted alert, an encrypted alert, or an encrypted + * handshake message. We temporarily tolerate unencrypted alerts. + */ + s->statem.enc_read_state = ENC_READ_STATE_ALLOW_PLAIN_ALERTS; + break; + } + #ifndef OPENSSL_NO_SCTP if (SSL_IS_DTLS(s) && !s->hit) { /* @@ -591,7 +901,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) if (!s->method->ssl3_enc->change_cipher_state(s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } @@ -617,10 +927,51 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) 0, NULL); } #endif + if (SSL_IS_TLS13(s)) { + if (!s->method->ssl3_enc->generate_master_secret(s, + s->master_secret, s->handshake_secret, 0, + &s->session->master_key_length) + || !s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE)) + /* SSLfatal() already called */ + return WORK_ERROR; + } break; - default: - /* No post work to be done */ + case TLS_ST_SW_CERT_REQ: + if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { + if (statem_flush(s) != 1) + return WORK_MORE_A; + } + break; + + case TLS_ST_SW_KEY_UPDATE: + if (statem_flush(s) != 1) + return WORK_MORE_A; + if (!tls13_update_key(s, 1)) { + /* SSLfatal() already called */ + return WORK_ERROR; + } + break; + + case TLS_ST_SW_SESSION_TICKET: + clear_sys_error(); + if (SSL_IS_TLS13(s) && statem_flush(s) != 1) { + if (SSL_get_error(s, 0) == SSL_ERROR_SYSCALL + && conn_is_closed()) { + /* + * We ignore connection closed errors in TLSv1.3 when sending a + * NewSessionTicket and behave as if we were successful. This is + * so that we are still able to read data sent to us by a client + * that closes soon after the end of the handshake without + * waiting to read our post-handshake NewSessionTickets. + */ + s->rwstate = SSL_NOTHING; + break; + } + + return WORK_MORE_A; + } break; } @@ -628,63 +979,108 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) } /* - * Construct a message to be sent from the server to the client. + * Get the message construction function and message type for sending from the + * server * * Valid return values are: * 1: Success * 0: Error */ -int ossl_statem_server_construct_message(SSL *s) +int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, + confunc_f *confunc, int *mt) { OSSL_STATEM *st = &s->statem; switch (st->hand_state) { + default: + /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE, + SSL_R_BAD_HANDSHAKE_STATE); + return 0; + + case TLS_ST_SW_CHANGE: + if (SSL_IS_DTLS(s)) + *confunc = dtls_construct_change_cipher_spec; + else + *confunc = tls_construct_change_cipher_spec; + *mt = SSL3_MT_CHANGE_CIPHER_SPEC; + break; + case DTLS_ST_SW_HELLO_VERIFY_REQUEST: - return dtls_construct_hello_verify_request(s); + *confunc = dtls_construct_hello_verify_request; + *mt = DTLS1_MT_HELLO_VERIFY_REQUEST; + break; case TLS_ST_SW_HELLO_REQ: - return tls_construct_hello_request(s); + /* No construction function needed */ + *confunc = NULL; + *mt = SSL3_MT_HELLO_REQUEST; + break; case TLS_ST_SW_SRVR_HELLO: - return tls_construct_server_hello(s); + *confunc = tls_construct_server_hello; + *mt = SSL3_MT_SERVER_HELLO; + break; case TLS_ST_SW_CERT: - return tls_construct_server_certificate(s); + *confunc = tls_construct_server_certificate; + *mt = SSL3_MT_CERTIFICATE; + break; + + case TLS_ST_SW_CERT_VRFY: + *confunc = tls_construct_cert_verify; + *mt = SSL3_MT_CERTIFICATE_VERIFY; + break; + case TLS_ST_SW_KEY_EXCH: - return tls_construct_server_key_exchange(s); + *confunc = tls_construct_server_key_exchange; + *mt = SSL3_MT_SERVER_KEY_EXCHANGE; + break; case TLS_ST_SW_CERT_REQ: - return tls_construct_certificate_request(s); + *confunc = tls_construct_certificate_request; + *mt = SSL3_MT_CERTIFICATE_REQUEST; + break; case TLS_ST_SW_SRVR_DONE: - return tls_construct_server_done(s); + *confunc = tls_construct_server_done; + *mt = SSL3_MT_SERVER_DONE; + break; case TLS_ST_SW_SESSION_TICKET: - return tls_construct_new_session_ticket(s); + *confunc = tls_construct_new_session_ticket; + *mt = SSL3_MT_NEWSESSION_TICKET; + break; case TLS_ST_SW_CERT_STATUS: - return tls_construct_cert_status(s); - - case TLS_ST_SW_CHANGE: - if (SSL_IS_DTLS(s)) - return dtls_construct_change_cipher_spec(s); - else - return tls_construct_change_cipher_spec(s); + *confunc = tls_construct_cert_status; + *mt = SSL3_MT_CERTIFICATE_STATUS; + break; case TLS_ST_SW_FINISHED: - return tls_construct_finished(s, - s->method-> - ssl3_enc->server_finished_label, - s->method-> - ssl3_enc->server_finished_label_len); + *confunc = tls_construct_finished; + *mt = SSL3_MT_FINISHED; + break; - default: - /* Shouldn't happen */ + case TLS_ST_EARLY_DATA: + *confunc = NULL; + *mt = SSL3_MT_DUMMY; + break; + + case TLS_ST_SW_ENCRYPTED_EXTENSIONS: + *confunc = tls_construct_encrypted_extensions; + *mt = SSL3_MT_ENCRYPTED_EXTENSIONS; + break; + + case TLS_ST_SW_KEY_UPDATE: + *confunc = tls_construct_key_update; + *mt = SSL3_MT_KEY_UPDATE; break; } - return 0; + return 1; } /* @@ -711,14 +1107,21 @@ int ossl_statem_server_construct_message(SSL *s) * Returns the maximum allowed length for the current message that we are * reading. Excludes the message header. */ -unsigned long ossl_statem_server_max_message_size(SSL *s) +size_t ossl_statem_server_max_message_size(SSL *s) { OSSL_STATEM *st = &s->statem; switch (st->hand_state) { + default: + /* Shouldn't happen */ + return 0; + case TLS_ST_SR_CLNT_HELLO: return CLIENT_HELLO_MAX_LENGTH; + case TLS_ST_SR_END_OF_EARLY_DATA: + return END_OF_EARLY_DATA_MAX_LENGTH; + case TLS_ST_SR_CERT: return s->max_cert_list; @@ -739,12 +1142,9 @@ unsigned long ossl_statem_server_max_message_size(SSL *s) case TLS_ST_SR_FINISHED: return FINISHED_MAX_LENGTH; - default: - /* Shouldn't happen */ - break; + case TLS_ST_SR_KEY_UPDATE: + return KEY_UPDATE_MAX_LENGTH; } - - return 0; } /* @@ -755,9 +1155,19 @@ MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) OSSL_STATEM *st = &s->statem; switch (st->hand_state) { + default: + /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE, + ERR_R_INTERNAL_ERROR); + return MSG_PROCESS_ERROR; + case TLS_ST_SR_CLNT_HELLO: return tls_process_client_hello(s, pkt); + case TLS_ST_SR_END_OF_EARLY_DATA: + return tls_process_end_of_early_data(s, pkt); + case TLS_ST_SR_CERT: return tls_process_client_certificate(s, pkt); @@ -778,12 +1188,10 @@ MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) case TLS_ST_SR_FINISHED: return tls_process_finished(s, pkt); - default: - /* Shouldn't happen */ - break; - } + case TLS_ST_SR_KEY_UPDATE: + return tls_process_key_update(s, pkt); - return MSG_PROCESS_ERROR; + } } /* @@ -795,26 +1203,27 @@ WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) OSSL_STATEM *st = &s->statem; switch (st->hand_state) { + default: + /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE, + ERR_R_INTERNAL_ERROR); + return WORK_ERROR; + case TLS_ST_SR_CLNT_HELLO: return tls_post_process_client_hello(s, wst); case TLS_ST_SR_KEY_EXCH: return tls_post_process_client_key_exchange(s, wst); - - default: - break; } - - /* Shouldn't happen */ - return WORK_ERROR; } #ifndef OPENSSL_NO_SRP -static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) +/* Returns 1 on success, 0 for retryable error, -1 for fatal error */ +static int ssl_check_srp_ext_ClientHello(SSL *s) { - int ret = SSL_ERROR_NONE; - - *al = SSL_AD_UNRECOGNIZED_NAME; + int ret; + int al = SSL_AD_UNRECOGNIZED_NAME; if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) && (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) { @@ -823,100 +1232,173 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) * RFC 5054 says SHOULD reject, we do so if There is no srp * login name */ - ret = SSL3_AL_FATAL; - *al = SSL_AD_UNKNOWN_PSK_IDENTITY; + SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, + SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO, + SSL_R_PSK_IDENTITY_NOT_FOUND); + return -1; } else { - ret = SSL_srp_server_param_with_username(s, al); + ret = SSL_srp_server_param_with_username(s, &al); + if (ret < 0) + return 0; + if (ret == SSL3_AL_FATAL) { + SSLfatal(s, al, SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO, + al == SSL_AD_UNKNOWN_PSK_IDENTITY + ? SSL_R_PSK_IDENTITY_NOT_FOUND + : SSL_R_CLIENTHELLO_TLSEXT); + return -1; + } } } - return ret; + return 1; } #endif -int tls_construct_hello_request(SSL *s) +int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, + size_t cookie_len) { - if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) { - SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); + /* Always use DTLS 1.0 version: see RFC 6347 */ + if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION) + || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len)) return 0; - } return 1; } -unsigned int dtls_raw_hello_verify_request(unsigned char *buf, - unsigned char *cookie, - unsigned char cookie_len) +int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) { - unsigned int msg_len; - unsigned char *p; - - p = buf; - /* Always use DTLS 1.0 version: see RFC 6347 */ - *(p++) = DTLS1_VERSION >> 8; - *(p++) = DTLS1_VERSION & 0xFF; + unsigned int cookie_leni; + if (s->ctx->app_gen_cookie_cb == NULL || + s->ctx->app_gen_cookie_cb(s, s->d1->cookie, + &cookie_leni) == 0 || + cookie_leni > 255) { + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, + SSL_R_COOKIE_GEN_CALLBACK_FAILURE); + return 0; + } + s->d1->cookie_len = cookie_leni; - *(p++) = (unsigned char)cookie_len; - memcpy(p, cookie, cookie_len); - p += cookie_len; - msg_len = p - buf; + if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie, + s->d1->cookie_len)) { + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, + ERR_R_INTERNAL_ERROR); + return 0; + } - return msg_len; + return 1; } -int dtls_construct_hello_verify_request(SSL *s) +#ifndef OPENSSL_NO_EC +/*- + * ssl_check_for_safari attempts to fingerprint Safari using OS X + * SecureTransport using the TLS extension block in |hello|. + * Safari, since 10.6, sends exactly these extensions, in this order: + * SNI, + * elliptic_curves + * ec_point_formats + * signature_algorithms (for TLSv1.2 only) + * + * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, + * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. + * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from + * 10.8..10.8.3 (which don't work). + */ +static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) { - unsigned int len; - unsigned char *buf; - - buf = (unsigned char *)s->init_buf->data; - - if (s->ctx->app_gen_cookie_cb == NULL || - s->ctx->app_gen_cookie_cb(s, s->d1->cookie, - &(s->d1->cookie_len)) == 0 || - s->d1->cookie_len > 255) { - SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, - SSL_R_COOKIE_GEN_CALLBACK_FAILURE); - ossl_statem_set_error(s); - return 0; + static const unsigned char kSafariExtensionsBlock[] = { + 0x00, 0x0a, /* elliptic_curves extension */ + 0x00, 0x08, /* 8 bytes */ + 0x00, 0x06, /* 6 bytes of curve ids */ + 0x00, 0x17, /* P-256 */ + 0x00, 0x18, /* P-384 */ + 0x00, 0x19, /* P-521 */ + + 0x00, 0x0b, /* ec_point_formats */ + 0x00, 0x02, /* 2 bytes */ + 0x01, /* 1 point format */ + 0x00, /* uncompressed */ + /* The following is only present in TLS 1.2 */ + 0x00, 0x0d, /* signature_algorithms */ + 0x00, 0x0c, /* 12 bytes */ + 0x00, 0x0a, /* 10 bytes */ + 0x05, 0x01, /* SHA-384/RSA */ + 0x04, 0x01, /* SHA-256/RSA */ + 0x02, 0x01, /* SHA-1/RSA */ + 0x04, 0x03, /* SHA-256/ECDSA */ + 0x02, 0x03, /* SHA-1/ECDSA */ + }; + /* Length of the common prefix (first two extensions). */ + static const size_t kSafariCommonExtensionsLength = 18; + unsigned int type; + PACKET sni, tmppkt; + size_t ext_len; + + tmppkt = hello->extensions; + + if (!PACKET_forward(&tmppkt, 2) + || !PACKET_get_net_2(&tmppkt, &type) + || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) { + return; } - len = dtls_raw_hello_verify_request(&buf[DTLS1_HM_HEADER_LENGTH], - s->d1->cookie, s->d1->cookie_len); - - dtls1_set_message_header(s, DTLS1_MT_HELLO_VERIFY_REQUEST, len, 0, len); - len += DTLS1_HM_HEADER_LENGTH; + if (type != TLSEXT_TYPE_server_name) + return; - /* number of bytes to write */ - s->init_num = len; - s->init_off = 0; + ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ? + sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength; - return 1; + s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock, + ext_len); } +#endif /* !OPENSSL_NO_EC */ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) { - int i, al = SSL_AD_INTERNAL_ERROR; - unsigned int j, complen = 0; - unsigned long id; - const SSL_CIPHER *c; -#ifndef OPENSSL_NO_COMP - SSL_COMP *comp = NULL; -#endif - STACK_OF(SSL_CIPHER) *ciphers = NULL; - int protverr; /* |cookie| will only be initialized for DTLS. */ - PACKET session_id, cipher_suites, compression, extensions, cookie; - int is_v2_record; + PACKET session_id, compression, extensions, cookie; static const unsigned char null_compression = 0; + CLIENTHELLO_MSG *clienthello = NULL; - is_v2_record = RECORD_LAYER_is_sslv2_record(&s->rlayer); + /* Check if this is actually an unexpected renegotiation ClientHello */ + if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { + if (!ossl_assert(!SSL_IS_TLS13(s))) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + goto err; + } + if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0 + || (!s->s3->send_connection_binding + && (s->options + & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) { + ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); + return MSG_PROCESS_FINISHED_READING; + } + s->renegotiate = 1; + s->new_session = 1; + } + clienthello = OPENSSL_zalloc(sizeof(*clienthello)); + if (clienthello == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + goto err; + } + + /* + * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure. + */ + clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer); PACKET_null_init(&cookie); - /* First lets get s->client_version set correctly */ - if (is_v2_record) { - unsigned int version; + + if (clienthello->isv2) { unsigned int mt; + + if (!SSL_IS_FIRST_HANDSHAKE(s) + || s->hello_retry_request != SSL_HRR_NONE) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE); + goto err; + } + /*- * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 * header is sent directly on the wire, not wrapped as a TLS @@ -939,136 +1421,97 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * layer in order to have determined that this is a SSLv2 record * in the first place */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - goto err; - } - - if (!PACKET_get_net_2(pkt, &version)) { - /* No protocol version supplied! */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); goto err; } - if (version == 0x0002) { - /* This is real SSLv2. We don't support it. */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); - goto err; - } else if ((version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) { - /* SSLv3/TLS */ - s->client_version = version; - } else { - /* No idea what protocol this is */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); - goto err; - } - } else { - /* - * use version from inside client hello, not from record header (may - * differ: see RFC 2246, Appendix E, second paragraph) - */ - if (!PACKET_get_net_2(pkt, (unsigned int *)&s->client_version)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } } - /* - * Do SSL/TLS version negotiation if applicable. For DTLS we just check - * versions are potentially compatible. Version negotiation comes later. - */ - if (!SSL_IS_DTLS(s)) { - protverr = ssl_choose_server_version(s); - } else if (s->method->version != DTLS_ANY_VERSION && - DTLS_VERSION_LT(s->client_version, s->version)) { - protverr = SSL_R_VERSION_TOO_LOW; - } else { - protverr = 0; - } - - if (protverr) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr); - if ((!s->enc_write_ctx && !s->write_hash)) { - /* - * similar to ssl3_get_record, send alert using remote version - * number - */ - s->version = s->client_version; - } - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_LENGTH_TOO_SHORT); + goto err; } /* Parse the message and load client random. */ - if (is_v2_record) { + if (clienthello->isv2) { /* * Handle an SSLv2 backwards compatible ClientHello * Note, this is only for SSLv3+ using the backward compatible format. - * Real SSLv2 is not supported, and is rejected above. + * Real SSLv2 is not supported, and is rejected below. */ - unsigned int cipher_len, session_id_len, challenge_len; + unsigned int ciphersuite_len, session_id_len, challenge_len; PACKET challenge; - if (!PACKET_get_net_2(pkt, &cipher_len) + if (!PACKET_get_net_2(pkt, &ciphersuite_len) || !PACKET_get_net_2(pkt, &session_id_len) || !PACKET_get_net_2(pkt, &challenge_len)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, - SSL_R_RECORD_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_RECORD_LENGTH_MISMATCH); + goto err; } if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + goto err; } - if (!PACKET_get_sub_packet(pkt, &cipher_suites, cipher_len) - || !PACKET_get_sub_packet(pkt, &session_id, session_id_len) + if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites, + ciphersuite_len) + || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len) || !PACKET_get_sub_packet(pkt, &challenge, challenge_len) /* No extensions. */ || PACKET_remaining(pkt) != 0) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, - SSL_R_RECORD_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_RECORD_LENGTH_MISMATCH); + goto err; } + clienthello->session_id_len = session_id_len; - /* Load the client random and compression list. */ - challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE : - challenge_len; - memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE); + /* Load the client random and compression list. We use SSL3_RANDOM_SIZE + * here rather than sizeof(clienthello->random) because that is the limit + * for SSLv3 and it is fixed. It won't change even if + * sizeof(clienthello->random) does. + */ + challenge_len = challenge_len > SSL3_RANDOM_SIZE + ? SSL3_RANDOM_SIZE : challenge_len; + memset(clienthello->random, 0, SSL3_RANDOM_SIZE); if (!PACKET_copy_bytes(&challenge, - s->s3->client_random + SSL3_RANDOM_SIZE - + clienthello->random + SSL3_RANDOM_SIZE - challenge_len, challenge_len) /* Advertise only null compression. */ || !PACKET_buf_init(&compression, &null_compression, 1)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + goto err; } - PACKET_null_init(&extensions); + PACKET_null_init(&clienthello->extensions); } else { /* Regular ClientHello. */ - if (!PACKET_copy_bytes(pkt, s->s3->client_random, SSL3_RANDOM_SIZE) - || !PACKET_get_length_prefixed_1(pkt, &session_id)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; - } - - if (PACKET_remaining(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE) + || !PACKET_get_length_prefixed_1(pkt, &session_id) + || !PACKET_copy_all(&session_id, clienthello->session_id, + SSL_MAX_SSL_SESSION_ID_LENGTH, + &clienthello->session_id_len)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } if (SSL_IS_DTLS(s)) { if (!PACKET_get_length_prefixed_1(pkt, &cookie)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; + } + if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie, + DTLS1_COOKIE_LENGTH, + &clienthello->dtls_cookie_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + goto err; } /* * If we require cookies and this ClientHello doesn't contain one, @@ -1076,55 +1519,262 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * So check cookie length... */ if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { - if (PACKET_remaining(&cookie) == 0) - return 1; + if (clienthello->dtls_cookie_len == 0) { + OPENSSL_free(clienthello); + return MSG_PROCESS_FINISHED_READING; + } } } - if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites) - || !PACKET_get_length_prefixed_1(pkt, &compression)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; + } + + if (!PACKET_get_length_prefixed_1(pkt, &compression)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } + /* Could be empty. */ - extensions = *pkt; + if (PACKET_remaining(pkt) == 0) { + PACKET_null_init(&clienthello->extensions); + } else { + if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions) + || PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; + } + } + } + + if (!PACKET_copy_all(&compression, clienthello->compressions, + MAX_COMPRESSIONS_SIZE, + &clienthello->compressions_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + goto err; + } + + /* Preserve the raw extensions PACKET for later use */ + extensions = clienthello->extensions; + if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO, + &clienthello->pre_proc_exts, + &clienthello->pre_proc_exts_len, 1)) { + /* SSLfatal already been called */ + goto err; + } + s->clienthello = clienthello; + + return MSG_PROCESS_CONTINUE_PROCESSING; + + err: + if (clienthello != NULL) + OPENSSL_free(clienthello->pre_proc_exts); + OPENSSL_free(clienthello); + + return MSG_PROCESS_ERROR; +} + +static int tls_early_post_process_client_hello(SSL *s) +{ + unsigned int j; + int i, al = SSL_AD_INTERNAL_ERROR; + int protverr; + size_t loop; + unsigned long id; +#ifndef OPENSSL_NO_COMP + SSL_COMP *comp = NULL; +#endif + const SSL_CIPHER *c; + STACK_OF(SSL_CIPHER) *ciphers = NULL; + STACK_OF(SSL_CIPHER) *scsvs = NULL; + CLIENTHELLO_MSG *clienthello = s->clienthello; + DOWNGRADE dgrd = DOWNGRADE_NONE; + + /* Finished parsing the ClientHello, now we can start processing it */ + /* Give the ClientHello callback a crack at things */ + if (s->ctx->client_hello_cb != NULL) { + /* A failure in the ClientHello callback terminates the connection. */ + switch (s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg)) { + case SSL_CLIENT_HELLO_SUCCESS: + break; + case SSL_CLIENT_HELLO_RETRY: + s->rwstate = SSL_CLIENT_HELLO_CB; + return -1; + case SSL_CLIENT_HELLO_ERROR: + default: + SSLfatal(s, al, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_CALLBACK_FAILED); + goto err; + } + } + + /* Set up the client_random */ + memcpy(s->s3->client_random, clienthello->random, SSL3_RANDOM_SIZE); + + /* Choose the version */ + + if (clienthello->isv2) { + if (clienthello->legacy_version == SSL2_VERSION + || (clienthello->legacy_version & 0xff00) + != (SSL3_VERSION_MAJOR << 8)) { + /* + * This is real SSLv2 or something completely unknown. We don't + * support it. + */ + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_UNKNOWN_PROTOCOL); + goto err; + } + /* SSLv3/TLS */ + s->client_version = clienthello->legacy_version; + } + /* + * Do SSL/TLS version negotiation if applicable. For DTLS we just check + * versions are potentially compatible. Version negotiation comes later. + */ + if (!SSL_IS_DTLS(s)) { + protverr = ssl_choose_server_version(s, clienthello, &dgrd); + } else if (s->method->version != DTLS_ANY_VERSION && + DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) { + protverr = SSL_R_VERSION_TOO_LOW; + } else { + protverr = 0; + } + + if (protverr) { + if (SSL_IS_FIRST_HANDSHAKE(s)) { + /* like ssl3_get_record, send alert using remote version number */ + s->version = s->client_version = clienthello->legacy_version; + } + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr); + goto err; + } + + /* TLSv1.3 specifies that a ClientHello must end on a record boundary */ + if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_NOT_ON_RECORD_BOUNDARY); + goto err; } if (SSL_IS_DTLS(s)) { /* Empty cookie was already handled above by returning early. */ if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { if (s->ctx->app_verify_cookie_cb != NULL) { - if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie), - PACKET_remaining(&cookie)) == - 0) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, - SSL_R_COOKIE_MISMATCH); - goto f_err; + if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie, + clienthello->dtls_cookie_len) == 0) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_COOKIE_MISMATCH); + goto err; /* else cookie verification succeeded */ } /* default verification */ - } else if (!PACKET_equal(&cookie, s->d1->cookie, s->d1->cookie_len)) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); - goto f_err; + } else if (s->d1->cookie_len != clienthello->dtls_cookie_len + || memcmp(clienthello->dtls_cookie, s->d1->cookie, + s->d1->cookie_len) != 0) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_COOKIE_MISMATCH); + goto err; } s->d1->cookie_verified = 1; } if (s->method->version == DTLS_ANY_VERSION) { - protverr = ssl_choose_server_version(s); + protverr = ssl_choose_server_version(s, clienthello, &dgrd); if (protverr != 0) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr); s->version = s->client_version; - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr); + goto err; } } } s->hit = 0; + if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites, + clienthello->isv2) || + !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs, + clienthello->isv2, 1)) { + /* SSLfatal() already called */ + goto err; + } + + s->s3->send_connection_binding = 0; + /* Check what signalling cipher-suite values were received. */ + if (scsvs != NULL) { + for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) { + c = sk_SSL_CIPHER_value(scsvs, i); + if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) { + if (s->renegotiate) { + /* SCSV is fatal if renegotiating */ + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); + goto err; + } + s->s3->send_connection_binding = 1; + } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV && + !ssl_check_version_downgrade(s)) { + /* + * This SCSV indicates that the client previously tried + * a higher version. We should fail if the current version + * is an unexpected downgrade, as that indicates that the first + * connection may have been tampered with in order to trigger + * an insecure downgrade. + */ + SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_INAPPROPRIATE_FALLBACK); + goto err; + } + } + } + + /* For TLSv1.3 we must select the ciphersuite *before* session resumption */ + if (SSL_IS_TLS13(s)) { + const SSL_CIPHER *cipher = + ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); + + if (cipher == NULL) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_NO_SHARED_CIPHER); + goto err; + } + if (s->hello_retry_request == SSL_HRR_PENDING + && (s->s3->tmp.new_cipher == NULL + || s->s3->tmp.new_cipher->id != cipher->id)) { + /* + * A previous HRR picked a different ciphersuite to the one we + * just selected. Something must have changed. + */ + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_BAD_CIPHER); + goto err; + } + s->s3->tmp.new_cipher = cipher; + } + + /* We need to do this before getting the session */ + if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret, + SSL_EXT_CLIENT_HELLO, + clienthello->pre_proc_exts, NULL, 0)) { + /* SSLfatal() already called */ + goto err; + } + /* * We don't allow resumption in a backwards compatible ClientHello. * TODO(openssl-team): in TLS1.1+, session_id MUST be empty. @@ -1141,41 +1791,41 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be * ignored. */ - if (is_v2_record || + if (clienthello->isv2 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { - if (!ssl_get_new_session(s, 1)) + if (!ssl_get_new_session(s, 1)) { + /* SSLfatal() already called */ goto err; + } } else { - i = ssl_get_prev_session(s, &extensions, &session_id); - /* - * Only resume if the session's version matches the negotiated - * version. - * RFC 5246 does not provide much useful advice on resumption - * with a different protocol version. It doesn't forbid it but - * the sanity of such behaviour would be questionable. - * In practice, clients do not accept a version mismatch and - * will abort the handshake with an error. - */ - if (i == 1 && s->version == s->session->ssl_version) { + i = ssl_get_prev_session(s, clienthello); + if (i == 1) { /* previous session */ s->hit = 1; } else if (i == -1) { + /* SSLfatal() already called */ goto err; } else { /* i == 0 */ - if (!ssl_get_new_session(s, 1)) + if (!ssl_get_new_session(s, 1)) { + /* SSLfatal() already called */ goto err; + } } } - if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers), - is_v2_record, &al) == NULL) { - goto f_err; + if (SSL_IS_TLS13(s)) { + memcpy(s->tmp_session_id, s->clienthello->session_id, + s->clienthello->session_id_len); + s->tmp_session_id_len = s->clienthello->session_id_len; } - /* If it is a hit, check that the cipher is in the list */ - if (s->hit) { + /* + * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check + * ciphersuite compatibility with the session as part of resumption. + */ + if (!SSL_IS_TLS13(s) && s->hit) { j = 0; id = s->session->cipher->id; @@ -1198,32 +1848,36 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * we need to have the cipher in the cipher list if we are asked * to reuse it */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, - SSL_R_REQUIRED_CIPHER_MISSING); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_REQUIRED_CIPHER_MISSING); + goto err; } } - complen = PACKET_remaining(&compression); - for (j = 0; j < complen; j++) { - if (PACKET_data(&compression)[j] == 0) + for (loop = 0; loop < clienthello->compressions_len; loop++) { + if (clienthello->compressions[loop] == 0) break; } - if (j >= complen) { + if (loop >= clienthello->compressions_len) { /* no compress */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_NO_COMPRESSION_SPECIFIED); + goto err; } +#ifndef OPENSSL_NO_EC + if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) + ssl_check_for_safari(s, clienthello); +#endif /* !OPENSSL_NO_EC */ + /* TLS extensions */ - if (s->version >= SSL3_VERSION) { - if (!ssl_parse_clienthello_tlsext(s, &extensions)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); - goto err; - } + if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO, + clienthello->pre_proc_exts, NULL, 0, 1)) { + /* SSLfatal() already called */ + goto err; } /* @@ -1235,19 +1889,33 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) { unsigned char *pos; pos = s->s3->server_random; - if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) { - goto f_err; + if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + goto err; } } - if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) { + if (!s->hit + && s->version >= TLS1_VERSION + && !SSL_IS_TLS13(s) + && !SSL_IS_DTLS(s) + && s->ext.session_secret_cb) { const SSL_CIPHER *pref_cipher = NULL; + /* + * s->session->master_key_length is a size_t, but this is an int for + * backwards compat reasons + */ + int master_key_length; - s->session->master_key_length = sizeof(s->session->master_key); - if (s->tls_session_secret_cb(s, s->session->master_key, - &s->session->master_key_length, ciphers, + master_key_length = sizeof(s->session->master_key); + if (s->ext.session_secret_cb(s, s->session->master_key, + &master_key_length, ciphers, &pref_cipher, - s->tls_session_secret_cb_arg)) { + s->ext.session_secret_cb_arg) + && master_key_length > 0) { + s->session->master_key_length = master_key_length; s->hit = 1; s->session->ciphers = ciphers; s->session->verify_result = X509_V_OK; @@ -1255,16 +1923,14 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ciphers = NULL; /* check if some cipher was preferred by call back */ - pref_cipher = - pref_cipher ? pref_cipher : ssl3_choose_cipher(s, - s-> - session->ciphers, - SSL_get_ciphers - (s)); + if (pref_cipher == NULL) + pref_cipher = ssl3_choose_cipher(s, s->session->ciphers, + SSL_get_ciphers(s)); if (pref_cipher == NULL) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_NO_SHARED_CIPHER); + goto err; } s->session->cipher = pref_cipher; @@ -1281,17 +1947,31 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * algorithms from the client, starting at q. */ s->s3->tmp.new_compression = NULL; + if (SSL_IS_TLS13(s)) { + /* + * We already checked above that the NULL compression method appears in + * the list. Now we check there aren't any others (which is illegal in + * a TLSv1.3 ClientHello. + */ + if (clienthello->compressions_len != 1) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_INVALID_COMPRESSION_ALGORITHM); + goto err; + } + } #ifndef OPENSSL_NO_COMP /* This only happens if we have a cache hit */ - if (s->session->compress_meth != 0) { + else if (s->session->compress_meth != 0) { int m, comp_id = s->session->compress_meth; unsigned int k; /* Perform sanity checks on resumed compression algorithm */ /* Can't disable compression */ if (!ssl_allow_compression(s)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, - SSL_R_INCONSISTENT_COMPRESSION); - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_INCONSISTENT_COMPRESSION); + goto err; } /* Look for resumed compression method */ for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) { @@ -1302,24 +1982,25 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } } if (s->s3->tmp.new_compression == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, - SSL_R_INVALID_COMPRESSION_ALGORITHM); - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_INVALID_COMPRESSION_ALGORITHM); + goto err; } /* Look for resumed method in compression list */ - for (k = 0; k < complen; k++) { - if (PACKET_data(&compression)[k] == comp_id) + for (k = 0; k < clienthello->compressions_len; k++) { + if (clienthello->compressions[k] == comp_id) break; } - if (k >= complen) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, - SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); - goto f_err; + if (k >= clienthello->compressions_len) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); + goto err; } - } else if (s->hit) + } else if (s->hit) { comp = NULL; - else if (ssl_allow_compression(s) && s->ctx->comp_methods) { + } else if (ssl_allow_compression(s) && s->ctx->comp_methods) { /* See if we have a match */ int m, nn, v, done = 0; unsigned int o; @@ -1328,8 +2009,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) for (m = 0; m < nn; m++) { comp = sk_SSL_COMP_value(s->ctx->comp_methods, m); v = comp->id; - for (o = 0; o < complen; o++) { - if (v == PACKET_data(&compression)[o]) { + for (o = 0; o < clienthello->compressions_len; o++) { + if (v == clienthello->compressions[o]) { done = 1; break; } @@ -1348,8 +2029,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * using compression. */ if (s->session->compress_meth != 0) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION); - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + SSL_R_INCONSISTENT_COMPRESSION); + goto err; } #endif @@ -1357,88 +2040,245 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher */ + if (!s->hit || SSL_IS_TLS13(s)) { + sk_SSL_CIPHER_free(s->session->ciphers); + s->session->ciphers = ciphers; + if (ciphers == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); + goto err; + } + ciphers = NULL; + } + if (!s->hit) { #ifdef OPENSSL_NO_COMP s->session->compress_meth = 0; #else s->session->compress_meth = (comp == NULL) ? 0 : comp->id; #endif - sk_SSL_CIPHER_free(s->session->ciphers); - s->session->ciphers = ciphers; - if (ciphers == NULL) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - goto f_err; - } - ciphers = NULL; - if (!tls1_set_server_sigalgs(s)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); - goto err; - } } sk_SSL_CIPHER_free(ciphers); - return MSG_PROCESS_CONTINUE_PROCESSING; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); + sk_SSL_CIPHER_free(scsvs); + OPENSSL_free(clienthello->pre_proc_exts); + OPENSSL_free(s->clienthello); + s->clienthello = NULL; + return 1; err: - ossl_statem_set_error(s); - sk_SSL_CIPHER_free(ciphers); - return MSG_PROCESS_ERROR; + sk_SSL_CIPHER_free(scsvs); + OPENSSL_free(clienthello->pre_proc_exts); + OPENSSL_free(s->clienthello); + s->clienthello = NULL; + + return 0; +} + +/* + * Call the status request callback if needed. Upon success, returns 1. + * Upon failure, returns 0. + */ +static int tls_handle_status_request(SSL *s) +{ + s->ext.status_expected = 0; + + /* + * If status request then ask callback what to do. Note: this must be + * called after servername callbacks in case the certificate has changed, + * and must be called after the cipher has been chosen because this may + * influence which certificate is sent + */ + if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL + && s->ctx->ext.status_cb != NULL) { + int ret; + + /* If no certificate can't return certificate status */ + if (s->s3->tmp.cert != NULL) { + /* + * Set current certificate to one we will use so SSL_get_certificate + * et al can pick it up. + */ + s->cert->key = s->s3->tmp.cert; + ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); + switch (ret) { + /* We don't want to send a status request response */ + case SSL_TLSEXT_ERR_NOACK: + s->ext.status_expected = 0; + break; + /* status request response should be sent */ + case SSL_TLSEXT_ERR_OK: + if (s->ext.ocsp.resp) + s->ext.status_expected = 1; + break; + /* something bad happened */ + case SSL_TLSEXT_ERR_ALERT_FATAL: + default: + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_HANDLE_STATUS_REQUEST, + SSL_R_CLIENTHELLO_TLSEXT); + return 0; + } + } + } + + return 1; +} + +/* + * Call the alpn_select callback if needed. Upon success, returns 1. + * Upon failure, returns 0. + */ +int tls_handle_alpn(SSL *s) +{ + const unsigned char *selected = NULL; + unsigned char selected_len = 0; + + if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) { + int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len, + s->s3->alpn_proposed, + (unsigned int)s->s3->alpn_proposed_len, + s->ctx->ext.alpn_select_cb_arg); + + if (r == SSL_TLSEXT_ERR_OK) { + OPENSSL_free(s->s3->alpn_selected); + s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len); + if (s->s3->alpn_selected == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN, + ERR_R_INTERNAL_ERROR); + return 0; + } + s->s3->alpn_selected_len = selected_len; +#ifndef OPENSSL_NO_NEXTPROTONEG + /* ALPN takes precedence over NPN. */ + s->s3->npn_seen = 0; +#endif + + /* Check ALPN is consistent with session */ + if (s->session->ext.alpn_selected == NULL + || selected_len != s->session->ext.alpn_selected_len + || memcmp(selected, s->session->ext.alpn_selected, + selected_len) != 0) { + /* Not consistent so can't be used for early_data */ + s->ext.early_data_ok = 0; + + if (!s->hit) { + /* + * This is a new session and so alpn_selected should have + * been initialised to NULL. We should update it with the + * selected ALPN. + */ + if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_HANDLE_ALPN, + ERR_R_INTERNAL_ERROR); + return 0; + } + s->session->ext.alpn_selected = OPENSSL_memdup(selected, + selected_len); + if (s->session->ext.alpn_selected == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_HANDLE_ALPN, + ERR_R_INTERNAL_ERROR); + return 0; + } + s->session->ext.alpn_selected_len = selected_len; + } + } + + return 1; + } else if (r != SSL_TLSEXT_ERR_NOACK) { + SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, SSL_F_TLS_HANDLE_ALPN, + SSL_R_NO_APPLICATION_PROTOCOL); + return 0; + } + /* + * If r == SSL_TLSEXT_ERR_NOACK then behave as if no callback was + * present. + */ + } + + /* Check ALPN is consistent with session */ + if (s->session->ext.alpn_selected != NULL) { + /* Not consistent so can't be used for early_data */ + s->ext.early_data_ok = 0; + } + return 1; } WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) { - int al = SSL_AD_HANDSHAKE_FAILURE; const SSL_CIPHER *cipher; if (wst == WORK_MORE_A) { - if (!s->hit) { + int rv = tls_early_post_process_client_hello(s); + if (rv == 0) { + /* SSLfatal() was already called */ + goto err; + } + if (rv < 0) + return WORK_MORE_A; + wst = WORK_MORE_B; + } + if (wst == WORK_MORE_B) { + if (!s->hit || SSL_IS_TLS13(s)) { /* Let cert callback update server certificates if required */ - if (s->cert->cert_cb) { - int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg); - if (rv == 0) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_CERT_CB_ERROR); - goto f_err; + if (!s->hit) { + if (s->cert->cert_cb != NULL) { + int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg); + if (rv == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, + SSL_R_CERT_CB_ERROR); + goto err; + } + if (rv < 0) { + s->rwstate = SSL_X509_LOOKUP; + return WORK_MORE_B; + } + s->rwstate = SSL_NOTHING; } - if (rv < 0) { - s->rwstate = SSL_X509_LOOKUP; - return WORK_MORE_A; + if (!tls1_set_server_sigalgs(s)) { + /* SSLfatal already called */ + goto err; } - s->rwstate = SSL_NOTHING; } - cipher = - ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); - if (cipher == NULL) { - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_NO_SHARED_CIPHER); - goto f_err; + /* In TLSv1.3 we selected the ciphersuite before resumption */ + if (!SSL_IS_TLS13(s)) { + cipher = + ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); + + if (cipher == NULL) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, + SSL_R_NO_SHARED_CIPHER); + goto err; + } + s->s3->tmp.new_cipher = cipher; + } + if (!s->hit) { + if (!tls_choose_sigalg(s, 1)) { + /* SSLfatal already called */ + goto err; + } + /* check whether we should disable session resumption */ + if (s->not_resumable_session_cb != NULL) + s->session->not_resumable = + s->not_resumable_session_cb(s, + ((s->s3->tmp.new_cipher->algorithm_mkey + & (SSL_kDHE | SSL_kECDHE)) != 0)); + if (s->session->not_resumable) + /* do not send a session ticket */ + s->ext.ticket_expected = 0; } - s->s3->tmp.new_cipher = cipher; - /* check whether we should disable session resumption */ - if (s->not_resumable_session_cb != NULL) - s->session->not_resumable = s->not_resumable_session_cb(s, - ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0)); - if (s->session->not_resumable) - /* do not send a session ticket */ - s->tlsext_ticket_expected = 0; } else { /* Session-id reuse */ s->s3->tmp.new_cipher = s->session->cipher; } - if (!(s->verify_mode & SSL_VERIFY_PEER)) { - if (!ssl3_digest_cached_records(s, 0)) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - } - /*- * we now have the following setup. * client_random @@ -1451,73 +2291,71 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) * s->s3->tmp.new_cipher- the new cipher to use. */ - /* Handles TLS extensions that we couldn't check earlier */ - if (s->version >= SSL3_VERSION) { - if (!ssl_check_clienthello_tlsext_late(s, &al)) { - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_CLIENTHELLO_TLSEXT); - goto f_err; - } + /* + * Call status_request callback if needed. Has to be done after the + * certificate callbacks etc above. + */ + if (!tls_handle_status_request(s)) { + /* SSLfatal() already called */ + goto err; + } + /* + * Call alpn_select callback if needed. Has to be done after SNI and + * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3 + * we already did this because cipher negotiation happens earlier, and + * we must handle ALPN before we decide whether to accept early_data. + */ + if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) { + /* SSLfatal() already called */ + goto err; } - wst = WORK_MORE_B; + wst = WORK_MORE_C; } #ifndef OPENSSL_NO_SRP - if (wst == WORK_MORE_B) { + if (wst == WORK_MORE_C) { int ret; - if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) { + if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) { /* * callback indicates further work to be done */ s->rwstate = SSL_X509_LOOKUP; - return WORK_MORE_B; + return WORK_MORE_C; } - if (ret != SSL_ERROR_NONE) { - /* - * This is not really an error but the only means to for - * a client to detect whether srp is supported. - */ - if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_CLIENTHELLO_TLSEXT); - else - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_PSK_IDENTITY_NOT_FOUND); - goto f_err; + if (ret < 0) { + /* SSLfatal() already called */ + goto err; } } #endif - s->renegotiate = 2; return WORK_FINISHED_STOP; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); + err: return WORK_ERROR; } -int tls_construct_server_hello(SSL *s) +int tls_construct_server_hello(SSL *s, WPACKET *pkt) { - unsigned char *buf; - unsigned char *p, *d; - int i, sl; - int al = 0; - unsigned long l; - - buf = (unsigned char *)s->init_buf->data; - - /* Do the message type and length last */ - d = p = ssl_handshake_start(s); - - *(p++) = s->version >> 8; - *(p++) = s->version & 0xff; - - /* - * Random stuff. Filling of the server_random takes place in - * tls_process_client_hello() - */ - memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); - p += SSL3_RANDOM_SIZE; + int compm; + size_t sl, len; + int version; + unsigned char *session_id; + int usetls13 = SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING; + + version = usetls13 ? TLS1_2_VERSION : s->version; + if (!WPACKET_put_bytes_u16(pkt, version) + /* + * Random stuff. Filling of the server_random takes place in + * tls_process_client_hello() + */ + || !WPACKET_memcpy(pkt, + s->hello_retry_request == SSL_HRR_PENDING + ? hrrrandom : s->s3->server_random, + SSL3_RANDOM_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; + } /*- * There are several cases for the session ID to send @@ -1531,6 +2369,8 @@ int tls_construct_server_hello(SSL *s) * session ID. * - However, if we want the new session to be single-use, * we send back a 0-length session ID. + * - In TLSv1.3 we echo back the session id sent to us by the client + * regardless * s->hit is non-zero in either case of session reuse, * so the following won't overwrite an ID that we're supposed * to send back. @@ -1540,115 +2380,117 @@ int tls_construct_server_hello(SSL *s) && !s->hit)) s->session->session_id_length = 0; - sl = s->session->session_id_length; - if (sl > (int)sizeof(s->session->session_id)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); - return 0; + if (usetls13) { + sl = s->tmp_session_id_len; + session_id = s->tmp_session_id; + } else { + sl = s->session->session_id_length; + session_id = s->session->session_id; } - *(p++) = sl; - memcpy(p, s->session->session_id, sl); - p += sl; - /* put the cipher */ - i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p); - p += i; + if (sl > sizeof(s->session->session_id)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO, + ERR_R_INTERNAL_ERROR); + return 0; + } - /* put the compression method */ + /* set up the compression method */ #ifdef OPENSSL_NO_COMP - *(p++) = 0; + compm = 0; #else - if (s->s3->tmp.new_compression == NULL) - *(p++) = 0; + if (usetls13 || s->s3->tmp.new_compression == NULL) + compm = 0; else - *(p++) = s->s3->tmp.new_compression->id; + compm = s->s3->tmp.new_compression->id; #endif - if (ssl_prepare_serverhello_tlsext(s) <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT); - ossl_statem_set_error(s); + if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl) + || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len) + || !WPACKET_put_bytes_u8(pkt, compm)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO, + ERR_R_INTERNAL_ERROR); return 0; } - if ((p = - ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH, - &al)) == NULL) { - ssl3_send_alert(s, SSL3_AL_FATAL, al); - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); + + if (!tls_construct_extensions(s, pkt, + s->hello_retry_request == SSL_HRR_PENDING + ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST + : (SSL_IS_TLS13(s) + ? SSL_EXT_TLS1_3_SERVER_HELLO + : SSL_EXT_TLS1_2_SERVER_HELLO), + NULL, 0)) { + /* SSLfatal() already called */ return 0; } - /* do the header */ - l = (p - d); - if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); + if (s->hello_retry_request == SSL_HRR_PENDING) { + /* Ditch the session. We'll create a new one next time around */ + SSL_SESSION_free(s->session); + s->session = NULL; + s->hit = 0; + + /* + * Re-initialise the Transcript Hash. We're going to prepopulate it with + * a synthetic message_hash in place of ClientHello1. + */ + if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { + /* SSLfatal() already called */ + return 0; + } + } else if (!(s->verify_mode & SSL_VERIFY_PEER) + && !ssl3_digest_cached_records(s, 0)) { + /* SSLfatal() already called */; return 0; } return 1; } -int tls_construct_server_done(SSL *s) +int tls_construct_server_done(SSL *s, WPACKET *pkt) { - if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); - return 0; - } - if (!s->s3->tmp.cert_request) { if (!ssl3_digest_cached_records(s, 0)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ + return 0; } } - return 1; } -int tls_construct_server_key_exchange(SSL *s) +int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) { #ifndef OPENSSL_NO_DH EVP_PKEY *pkdh = NULL; - int j; #endif #ifndef OPENSSL_NO_EC unsigned char *encodedPoint = NULL; - int encodedlen = 0; + size_t encodedlen = 0; int curve_id = 0; #endif - EVP_PKEY *pkey; - const EVP_MD *md = NULL; - unsigned char *p, *d; - int al, i; + const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg; + int i; unsigned long type; - int n; const BIGNUM *r[4]; - int nr[4], kn; - BUF_MEM *buf; EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); + EVP_PKEY_CTX *pctx = NULL; + size_t paramlen, paramoffset; + + if (!WPACKET_get_total_written(pkt, ¶moffset)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto err; + } if (md_ctx == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); + goto err; } type = s->s3->tmp.new_cipher->algorithm_mkey; - buf = s->init_buf; - r[0] = r[1] = r[2] = r[3] = NULL; - n = 0; #ifndef OPENSSL_NO_PSK - if (type & SSL_PSK) { - /* - * reserve size for record length and PSK identity hint - */ - n += 2; - if (s->cert->psk_identity_hint) - n += strlen(s->cert->psk_identity_hint); - } /* Plain PSK or RSAPSK nothing to do */ if (type & (SSL_kPSK | SSL_kRSAPSK)) { } else @@ -1665,10 +2507,10 @@ int tls_construct_server_key_exchange(SSL *s) pkdh = EVP_PKEY_new(); if (pkdh == NULL || dhp == NULL) { DH_free(dhp); - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } EVP_PKEY_assign_DH(pkdh, dhp); pkdhp = pkdh; @@ -1679,44 +2521,44 @@ int tls_construct_server_key_exchange(SSL *s) DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024); pkdh = ssl_dh_to_pkey(dhp); if (pkdh == NULL) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } pkdhp = pkdh; } if (pkdhp == NULL) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - SSL_R_MISSING_TMP_DH_KEY); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + SSL_R_MISSING_TMP_DH_KEY); + goto err; } if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - SSL_R_DH_KEY_TOO_SMALL); - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + SSL_R_DH_KEY_TOO_SMALL); + goto err; } if (s->s3->tmp.pkey != NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); goto err; } s->s3->tmp.pkey = ssl_generate_pkey(pkdhp); - if (s->s3->tmp.pkey == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB); + /* SSLfatal() already called */ goto err; } dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey); if (dh == NULL) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); goto err; } @@ -1729,46 +2571,39 @@ int tls_construct_server_key_exchange(SSL *s) #endif #ifndef OPENSSL_NO_EC if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { - int nid; if (s->s3->tmp.pkey != NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); goto err; } /* Get NID of appropriate shared curve */ - nid = tls1_shared_curve(s, -2); - curve_id = tls1_ec_nid2curve_id(nid); + curve_id = tls1_shared_group(s, -2); if (curve_id == 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); goto err; } - s->s3->tmp.pkey = ssl_generate_pkey_curve(curve_id); + s->s3->tmp.pkey = ssl_generate_pkey_group(s, curve_id); /* Generate a new key for this curve */ if (s->s3->tmp.pkey == NULL) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB); - goto f_err; + /* SSLfatal() already called */ + goto err; } /* Encode the public key. */ encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey, &encodedPoint); if (encodedlen == 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB); goto err; } /* - * We only support named (not generic) curves in ECDH ephemeral key - * exchanges. In this situation, we need four additional bytes to - * encode the entire ServerECDHParams structure. - */ - n += 4 + encodedlen; - - /* * We'll generate the serverKeyExchange message explicitly so we * can set these to NULLs */ @@ -1783,8 +2618,9 @@ int tls_construct_server_key_exchange(SSL *s) if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) || (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - SSL_R_MISSING_SRP_PARAM); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + SSL_R_MISSING_SRP_PARAM); goto err; } r[0] = s->srp_ctx.N; @@ -1794,85 +2630,59 @@ int tls_construct_server_key_exchange(SSL *s) } else #endif { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); - goto f_err; - } - for (i = 0; i < 4 && r[i] != NULL; i++) { - nr[i] = BN_num_bytes(r[i]); -#ifndef OPENSSL_NO_SRP - if ((i == 2) && (type & SSL_kSRP)) - n += 1 + nr[i]; - else -#endif -#ifndef OPENSSL_NO_DH - /*- - * for interoperability with some versions of the Microsoft TLS - * stack, we need to zero pad the DHE pub key to the same length - * as the prime, so use the length of the prime here - */ - if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) - n += 2 + nr[0]; - else -#endif - n += 2 + nr[i]; - } - - if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) - && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) { - if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md)) - == NULL) { - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - kn = EVP_PKEY_size(pkey); - /* Allow space for signature algorithm */ - if (SSL_USE_SIGALGS(s)) - kn += 2; - /* Allow space for signature length */ - kn += 2; - } else { - pkey = NULL; - kn = 0; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); + goto err; } - if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + kn)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_BUF); + if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0) + || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) { + lu = NULL; + } else if (lu == NULL) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; } - d = p = ssl_handshake_start(s); #ifndef OPENSSL_NO_PSK if (type & SSL_PSK) { - /* copy PSK identity hint */ - if (s->cert->psk_identity_hint) { - size_t len = strlen(s->cert->psk_identity_hint); - if (len > PSK_MAX_IDENTITY_LEN) { - /* - * Should not happen - we already checked this when we set - * the identity hint - */ - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - s2n(len, p); - memcpy(p, s->cert->psk_identity_hint, len); - p += len; - } else { - s2n(0, p); + size_t len = (s->cert->psk_identity_hint == NULL) + ? 0 : strlen(s->cert->psk_identity_hint); + + /* + * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already + * checked this when we set the identity hint - but just in case + */ + if (len > PSK_MAX_IDENTITY_LEN + || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint, + len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; } } #endif for (i = 0; i < 4 && r[i] != NULL; i++) { + unsigned char *binval; + int res; + #ifndef OPENSSL_NO_SRP if ((i == 2) && (type & SSL_kSRP)) { - *p = nr[i]; - p++; + res = WPACKET_start_sub_packet_u8(pkt); } else #endif + res = WPACKET_start_sub_packet_u16(pkt); + + if (!res) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } + #ifndef OPENSSL_NO_DH /*- * for interoperability with some versions of the Microsoft TLS @@ -1880,97 +2690,124 @@ int tls_construct_server_key_exchange(SSL *s) * as the prime */ if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) { - s2n(nr[0], p); - for (j = 0; j < (nr[0] - nr[2]); ++j) { - *p = 0; - ++p; + size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]); + + if (len > 0) { + if (!WPACKET_allocate_bytes(pkt, len, &binval)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } + memset(binval, 0, len); } - } else + } #endif - s2n(nr[i], p); - BN_bn2bin(r[i], p); - p += nr[i]; + if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } + + BN_bn2bin(r[i], binval); } #ifndef OPENSSL_NO_EC if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { /* - * XXX: For now, we only support named (not generic) curves. In - * this situation, the serverKeyExchange message has: [1 byte - * CurveType], [2 byte CurveName] [1 byte length of encoded - * point], followed by the actual encoded point itself + * We only support named (not generic) curves. In this situation, the + * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName] + * [1 byte length of encoded point], followed by the actual encoded + * point itself */ - *p = NAMED_CURVE_TYPE; - p += 1; - *p = 0; - p += 1; - *p = curve_id; - p += 1; - *p = encodedlen; - p += 1; - memcpy(p, encodedPoint, encodedlen); + if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE) + || !WPACKET_put_bytes_u8(pkt, 0) + || !WPACKET_put_bytes_u8(pkt, curve_id) + || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } OPENSSL_free(encodedPoint); encodedPoint = NULL; - p += encodedlen; } #endif /* not anonymous */ - if (pkey != NULL) { + if (lu != NULL) { + EVP_PKEY *pkey = s->s3->tmp.cert->privatekey; + const EVP_MD *md; + unsigned char *sigbytes1, *sigbytes2, *tbs; + size_t siglen, tbslen; + int rv; + + if (pkey == NULL || !tls1_lookup_md(lu, &md)) { + /* Should never happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } + /* Get length of the parameters we have written above */ + if (!WPACKET_get_length(pkt, ¶mlen)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } + /* send signature algorithm */ + if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } /* - * n is the length of the params, they start at &(d[4]) and p - * points to the space at the end. + * Create the signature. We don't know the actual length of the sig + * until after we've created it, so we reserve enough bytes for it + * up front, and then properly allocate them in the WPACKET + * afterwards. */ - if (md) { - /* send signature algorithm */ - if (SSL_USE_SIGALGS(s)) { - if (!tls12_get_sigandhash(p, pkey, md)) { - /* Should never happen */ - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto f_err; - } - p += 2; - } -#ifdef SSL_DEBUG - fprintf(stderr, "Using hash %s\n", EVP_MD_name(md)); -#endif - if (EVP_SignInit_ex(md_ctx, md, NULL) <= 0 - || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_SignUpdate(md_ctx, d, n) <= 0 - || EVP_SignFinal(md_ctx, &(p[2]), - (unsigned int *)&i, pkey) <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_EVP); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; + siglen = EVP_PKEY_size(pkey); + if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1) + || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } + if (lu->sig == EVP_PKEY_RSA_PSS) { + if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 + || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_EVP_LIB); + goto err; } - s2n(i, p); - n += i + 2; - if (SSL_USE_SIGALGS(s)) - n += 2; - } else { - /* Is this error check actually needed? */ - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - SSL_R_UNKNOWN_PKEY_TYPE); - goto f_err; } - } - - if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); - goto f_err; + tbslen = construct_key_exchange_tbs(s, &tbs, + s->init_buf->data + paramoffset, + paramlen); + if (tbslen == 0) { + /* SSLfatal() already called */ + goto err; + } + rv = EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen); + OPENSSL_free(tbs); + if (rv <= 0 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2) + || sigbytes1 != sigbytes2) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } } EVP_MD_CTX_free(md_ctx); return 1; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); err: #ifndef OPENSSL_NO_DH EVP_PKEY_free(pkdh); @@ -1979,96 +2816,82 @@ int tls_construct_server_key_exchange(SSL *s) OPENSSL_free(encodedPoint); #endif EVP_MD_CTX_free(md_ctx); - ossl_statem_set_error(s); return 0; } -int tls_construct_certificate_request(SSL *s) +int tls_construct_certificate_request(SSL *s, WPACKET *pkt) { - unsigned char *p, *d; - int i, j, nl, off, n; - STACK_OF(X509_NAME) *sk = NULL; - X509_NAME *name; - BUF_MEM *buf; - - buf = s->init_buf; + if (SSL_IS_TLS13(s)) { + /* Send random context when doing post-handshake auth */ + if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { + OPENSSL_free(s->pha_context); + s->pha_context_len = 32; + if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL + || RAND_bytes(s->pha_context, s->pha_context_len) <= 0 + || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); + return 0; + } + /* reset the handshake hash back to just after the ClientFinished */ + if (!tls13_restore_handshake_digest_for_pha(s)) { + /* SSLfatal() already called */ + return 0; + } + } else { + if (!WPACKET_put_bytes_u8(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); + return 0; + } + } - d = p = ssl_handshake_start(s); + if (!tls_construct_extensions(s, pkt, + SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL, + 0)) { + /* SSLfatal() already called */ + return 0; + } + goto done; + } /* get the list of acceptable cert types */ - p++; - n = ssl3_get_req_cert_type(s, p); - d[0] = n; - p += n; - n++; + if (!WPACKET_start_sub_packet_u8(pkt) + || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); + return 0; + } if (SSL_USE_SIGALGS(s)) { - const unsigned char *psigs; - unsigned char *etmp = p; - nl = tls12_get_psigalgs(s, 1, &psigs); - if (nl > SSL_MAX_2_BYTE_LEN) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, - SSL_R_LENGTH_TOO_LONG); - goto err; - } - /* Skip over length for now */ - p += 2; - nl = tls12_copy_sigalgs(s, p, psigs, nl); - /* Now fill in length */ - s2n(nl, etmp); - p += nl; - n += nl + 2; - } - - off = n; - p += 2; - n += 2; - - sk = SSL_get_client_CA_list(s); - nl = 0; - if (sk != NULL) { - for (i = 0; i < sk_X509_NAME_num(sk); i++) { - name = sk_X509_NAME_value(sk, i); - j = i2d_X509_NAME(name, NULL); - if (j > SSL_MAX_2_BYTE_LEN) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, - SSL_R_LENGTH_TOO_LONG); - goto err; - } - if (!BUF_MEM_grow_clean(buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_BUF_LIB); - goto err; - } - p = ssl_handshake_start(s) + n; - s2n(j, p); - i2d_X509_NAME(name, &p); - n += 2 + j; - nl += 2 + j; - if (nl > SSL_MAX_2_BYTE_LEN) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, - SSL_R_LENGTH_TOO_LONG); - goto err; - } + const uint16_t *psigs; + size_t nl = tls12_get_psigalgs(s, 1, &psigs); + + if (!WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) + || !tls12_copy_sigalgs(s, pkt, psigs, nl) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); + return 0; } } - /* else no CA names */ - p = ssl_handshake_start(s) + off; - s2n(nl, p); - if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); - goto err; + if (!construct_ca_names(s, get_ca_names(s), pkt)) { + /* SSLfatal() already called */ + return 0; } + done: + s->certreqs_sent++; s->s3->tmp.cert_request = 1; - return 1; - err: - ossl_statem_set_error(s); - return 0; } -static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) +static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt) { #ifndef OPENSSL_NO_PSK unsigned char psk[PSK_MAX_PSK_LEN]; @@ -2076,24 +2899,24 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) PACKET psk_identity; if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_LENGTH_MISMATCH); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + SSL_R_LENGTH_MISMATCH); return 0; } if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_DATA_LENGTH_TOO_LONG); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + SSL_R_DATA_LENGTH_TOO_LONG); return 0; } if (s->psk_server_callback == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_SERVER_CB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + SSL_R_PSK_NO_SERVER_CB); return 0; } if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + ERR_R_INTERNAL_ERROR); return 0; } @@ -2101,16 +2924,16 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) psk, sizeof(psk)); if (psklen > PSK_MAX_PSK_LEN) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + ERR_R_INTERNAL_ERROR); return 0; } else if (psklen == 0) { /* * PSK related to the given identity not found */ - *al = SSL_AD_UNKNOWN_PSK_IDENTITY; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, - SSL_R_PSK_IDENTITY_NOT_FOUND); + SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, + SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + SSL_R_PSK_IDENTITY_NOT_FOUND); return 0; } @@ -2119,8 +2942,8 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) OPENSSL_cleanse(psk, psklen); if (s->s3->tmp.psk == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE); return 0; } @@ -2129,13 +2952,13 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) return 1; #else /* Should never happen */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) +static int tls_process_cke_rsa(SSL *s, PACKET *pkt) { #ifndef OPENSSL_NO_RSA unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; @@ -2147,10 +2970,10 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) unsigned char *rsa_decrypt = NULL; int ret = 0; - rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey); + rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey); if (rsa == NULL) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_MISSING_RSA_CERTIFICATE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + SSL_R_MISSING_RSA_CERTIFICATE); return 0; } @@ -2160,8 +2983,8 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) } else { if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster) || PACKET_remaining(pkt) != 0) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_LENGTH_MISMATCH); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + SSL_R_LENGTH_MISMATCH); return 0; } } @@ -2173,15 +2996,15 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) * their ciphertext cannot accommodate a premaster secret anyway. */ if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, RSA_R_KEY_SIZE_TOO_SMALL); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + RSA_R_KEY_SIZE_TOO_SMALL); return 0; } rsa_decrypt = OPENSSL_malloc(RSA_size(rsa)); if (rsa_decrypt == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + ERR_R_MALLOC_FAILURE); return 0; } @@ -2193,18 +3016,26 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */ - if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0) + if (RAND_priv_bytes(rand_premaster_secret, + sizeof(rand_premaster_secret)) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + ERR_R_INTERNAL_ERROR); goto err; + } /* * Decrypt with no padding. PKCS#1 padding will be removed as part of * the timing-sensitive code below. */ - decrypt_len = RSA_private_decrypt(PACKET_remaining(&enc_premaster), - PACKET_data(&enc_premaster), - rsa_decrypt, rsa, RSA_NO_PADDING); - if (decrypt_len < 0) + /* TODO(size_t): Convert this function */ + decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster), + PACKET_data(&enc_premaster), + rsa_decrypt, rsa, RSA_NO_PADDING); + if (decrypt_len < 0) { + SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + ERR_R_INTERNAL_ERROR); goto err; + } /* Check the padding. See RFC 3447, section 7.2.2. */ @@ -2214,8 +3045,8 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) * PS is at least 8 bytes. */ if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) { - *al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_DECRYPTION_FAILED); + SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + SSL_R_DECRYPTION_FAILED); goto err; } @@ -2282,8 +3113,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len, sizeof(rand_premaster_secret), 0)) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ goto err; } @@ -2293,13 +3123,13 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) return ret; #else /* Should never happen */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) +static int tls_process_cke_dhe(SSL *s, PACKET *pkt) { #ifndef OPENSSL_NO_DH EVP_PKEY *skey = NULL; @@ -2311,46 +3141,46 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) int ret = 0; if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); goto err; } skey = s->s3->tmp.pkey; if (skey == NULL) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, + SSL_R_MISSING_TMP_DH_KEY); goto err; } if (PACKET_remaining(pkt) == 0L) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, + SSL_R_MISSING_TMP_DH_KEY); goto err; } if (!PACKET_get_bytes(pkt, &data, i)) { /* We already checked we have enough data */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, + ERR_R_INTERNAL_ERROR); goto err; } ckey = EVP_PKEY_new(); if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) { - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_BN_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, + SSL_R_BN_LIB); goto err; } cdh = EVP_PKEY_get0_DH(ckey); pub_key = BN_bin2bn(data, i, NULL); if (pub_key == NULL || cdh == NULL || !DH_set0_key(cdh, pub_key, NULL)) { - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, + ERR_R_INTERNAL_ERROR); BN_free(pub_key); goto err; } - if (ssl_derive(s, skey, ckey) == 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); + if (ssl_derive(s, skey, ckey, 1) == 0) { + /* SSLfatal() already called */ goto err; } @@ -2362,13 +3192,13 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) return ret; #else /* Should never happen */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) +static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt) { #ifndef OPENSSL_NO_EC EVP_PKEY *skey = s->s3->tmp.pkey; @@ -2377,8 +3207,8 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) if (PACKET_remaining(pkt) == 0L) { /* We don't support ECDH client auth */ - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_MISSING_TMP_ECDH_KEY); + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_CKE_ECDHE, + SSL_R_MISSING_TMP_ECDH_KEY); goto err; } else { unsigned int i; @@ -2392,25 +3222,31 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) /* Get encoded point length */ if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i) || PACKET_remaining(pkt) != 0) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_LENGTH_MISMATCH); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE, + SSL_R_LENGTH_MISMATCH); + goto err; + } + if (skey == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE, + SSL_R_MISSING_TMP_ECDH_KEY); goto err; } + ckey = EVP_PKEY_new(); if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) { - SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EVP_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE, + ERR_R_EVP_LIB); goto err; } if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EC_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE, + ERR_R_EC_LIB); goto err; } } - if (ssl_derive(s, skey, ckey) == 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR); + if (ssl_derive(s, skey, ckey, 1) == 0) { + /* SSLfatal() already called */ goto err; } @@ -2423,13 +3259,13 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) return ret; #else /* Should never happen */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al) +static int tls_process_cke_srp(SSL *s, PACKET *pkt) { #ifndef OPENSSL_NO_SRP unsigned int i; @@ -2437,41 +3273,43 @@ static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al) if (!PACKET_get_net_2(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_A_LENGTH); + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_SRP, + SSL_R_BAD_SRP_A_LENGTH); return 0; } if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_BN_LIB); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP, + ERR_R_BN_LIB); return 0; } if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) { - *al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_PARAMETERS); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CKE_SRP, + SSL_R_BAD_SRP_PARAMETERS); return 0; } OPENSSL_free(s->session->srp_username); s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); if (s->session->srp_username == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP, + ERR_R_MALLOC_FAILURE); return 0; } if (!srp_generate_server_master_secret(s)) { - SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ return 0; } return 1; #else /* Should never happen */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP, + ERR_R_INTERNAL_ERROR); return 0; #endif } -static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) +static int tls_process_cke_gost(SSL *s, PACKET *pkt) { #ifndef OPENSSL_NO_GOST EVP_PKEY_CTX *pkey_ctx; @@ -2480,11 +3318,9 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) const unsigned char *start; size_t outlen = 32, inlen; unsigned long alg_a; - int Ttag, Tclass; - long Tlen; - long sess_key_len; - const unsigned char *data; + unsigned int asn1id, asn1len; int ret = 0; + PACKET encdata; /* Get our certificate private key */ alg_a = s->s3->tmp.new_cipher->algorithm_auth; @@ -2505,13 +3341,13 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) pkey_ctx = EVP_PKEY_CTX_new(pk, NULL); if (pkey_ctx == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + ERR_R_MALLOC_FAILURE); return 0; } if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + ERR_R_INTERNAL_ERROR); return 0; } /* @@ -2526,37 +3362,57 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) ERR_clear_error(); } /* Decrypt session key */ - sess_key_len = PACKET_remaining(pkt); - if (!PACKET_get_bytes(pkt, &data, sess_key_len)) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); + if (!PACKET_get_1(pkt, &asn1id) + || asn1id != (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED) + || !PACKET_peek_1(pkt, &asn1len)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + SSL_R_DECRYPTION_FAILED); goto err; } - if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag, - &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED - || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED); + if (asn1len == 0x81) { + /* + * Long form length. Should only be one byte of length. Anything else + * isn't supported. + * We did a successful peek before so this shouldn't fail + */ + if (!PACKET_forward(pkt, 1)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + SSL_R_DECRYPTION_FAILED); + goto err; + } + } else if (asn1len >= 0x80) { + /* + * Indefinite length, or more than one long form length bytes. We don't + * support it + */ + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + SSL_R_DECRYPTION_FAILED); + goto err; + } /* else short form length */ + + if (!PACKET_as_length_prefixed_1(pkt, &encdata)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + SSL_R_DECRYPTION_FAILED); goto err; } - start = data; - inlen = Tlen; - if (EVP_PKEY_decrypt - (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) { - *al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED); + inlen = PACKET_remaining(&encdata); + start = PACKET_data(&encdata); + + if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, + inlen) <= 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + SSL_R_DECRYPTION_FAILED); goto err; } /* Generate master secret */ if (!ssl_generate_master_secret(s, premaster_secret, sizeof(premaster_secret), 0)) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ goto err; } /* Check if pubkey from client certificate was used */ - if (EVP_PKEY_CTX_ctrl - (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) + if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, + NULL) > 0) s->statem.no_cert_verify = 1; ret = 1; @@ -2565,68 +3421,75 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) return ret; #else /* Should never happen */ - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + ERR_R_INTERNAL_ERROR); return 0; #endif } MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) { - int al = -1; unsigned long alg_k; alg_k = s->s3->tmp.new_cipher->algorithm_mkey; /* For PSK parse and retrieve identity, obtain PSK key */ - if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt, &al)) + if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) { + /* SSLfatal() already called */ goto err; + } if (alg_k & SSL_kPSK) { /* Identity extracted earlier: should be nothing left */ if (PACKET_remaining(pkt) != 0) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, - SSL_R_LENGTH_MISMATCH); + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, + SSL_R_LENGTH_MISMATCH); goto err; } /* PSK handled by ssl_generate_master_secret */ if (!ssl_generate_master_secret(s, NULL, 0, 0)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ goto err; } } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) { - if (!tls_process_cke_rsa(s, pkt, &al)) + if (!tls_process_cke_rsa(s, pkt)) { + /* SSLfatal() already called */ goto err; + } } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { - if (!tls_process_cke_dhe(s, pkt, &al)) + if (!tls_process_cke_dhe(s, pkt)) { + /* SSLfatal() already called */ goto err; + } } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { - if (!tls_process_cke_ecdhe(s, pkt, &al)) + if (!tls_process_cke_ecdhe(s, pkt)) { + /* SSLfatal() already called */ goto err; + } } else if (alg_k & SSL_kSRP) { - if (!tls_process_cke_srp(s, pkt, &al)) + if (!tls_process_cke_srp(s, pkt)) { + /* SSLfatal() already called */ goto err; + } } else if (alg_k & SSL_kGOST) { - if (!tls_process_cke_gost(s, pkt, &al)) + if (!tls_process_cke_gost(s, pkt)) { + /* SSLfatal() already called */ goto err; + } } else { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, - SSL_R_UNKNOWN_CIPHER_TYPE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, + SSL_R_UNKNOWN_CIPHER_TYPE); goto err; } return MSG_PROCESS_CONTINUE_PROCESSING; err: - if (al != -1) - ssl3_send_alert(s, SSL3_AL_FATAL, al); #ifndef OPENSSL_NO_PSK OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen); s->s3->tmp.psk = NULL; #endif - ossl_statem_set_error(s); return MSG_PROCESS_ERROR; } @@ -2648,8 +3511,10 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) sizeof(sctpauthkey), labelbuffer, sizeof(labelbuffer), NULL, 0, 0) <= 0) { - ossl_statem_set_error(s); - return WORK_ERROR;; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + return WORK_ERROR; } BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, @@ -2664,15 +3529,15 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) * the handshake_buffer */ if (!ssl3_digest_cached_records(s, 0)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } return WORK_FINISHED_CONTINUE; } else { if (!s->s3->handshake_buffer) { - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); return WORK_ERROR; } /* @@ -2680,7 +3545,7 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) * extms we've done this already so this is a no-op */ if (!ssl3_digest_cached_records(s, 1)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } } @@ -2688,216 +3553,97 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) return WORK_FINISHED_CONTINUE; } -MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) -{ - EVP_PKEY *pkey = NULL; - const unsigned char *sig, *data; -#ifndef OPENSSL_NO_GOST - unsigned char *gost_data = NULL; -#endif - int al, ret = MSG_PROCESS_ERROR; - int type = 0, j; - unsigned int len; - X509 *peer; - const EVP_MD *md = NULL; - long hdatalen = 0; - void *hdata; - - EVP_MD_CTX *mctx = EVP_MD_CTX_new(); - - if (mctx == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - - peer = s->session->peer; - pkey = X509_get0_pubkey(peer); - if (pkey == NULL) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - - type = X509_certificate_type(peer, pkey); - - if (!(type & EVP_PKT_SIGN)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, - SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); - al = SSL_AD_ILLEGAL_PARAMETER; - goto f_err; - } - - if (SSL_USE_SIGALGS(s)) { - int rv; - - if (!PACKET_get_bytes(pkt, &sig, 2)) { - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - rv = tls12_check_peer_sigalg(&md, s, sig, pkey); - if (rv == -1) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } else if (rv == 0) { - al = SSL_AD_DECODE_ERROR; - goto f_err; - } -#ifdef SSL_DEBUG - fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); -#endif - } else { - /* Use default digest for this key type */ - int idx = ssl_cert_type(NULL, pkey); - if (idx >= 0) - md = s->s3->tmp.md[idx]; - if (md == NULL) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - } - - /* Check for broken implementations of GOST ciphersuites */ - /* - * If key is GOST and len is exactly 64 or 128, it is signature without - * length field (CryptoPro implementations at least till TLS 1.2) - */ -#ifndef OPENSSL_NO_GOST - if (!SSL_USE_SIGALGS(s) - && ((PACKET_remaining(pkt) == 64 - && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001 - || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256)) - || (PACKET_remaining(pkt) == 128 - && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) { - len = PACKET_remaining(pkt); - } else -#endif - if (!PACKET_get_net_2(pkt, &len)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - - j = EVP_PKEY_size(pkey); - if (((int)len > j) || ((int)PACKET_remaining(pkt) > j) - || (PACKET_remaining(pkt) == 0)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - if (!PACKET_get_bytes(pkt, &data, len)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - - hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); - if (hdatalen <= 0) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } -#ifdef SSL_DEBUG - fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md)); -#endif - if (!EVP_VerifyInit_ex(mctx, md, NULL) - || !EVP_VerifyUpdate(mctx, hdata, hdatalen)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } -#ifndef OPENSSL_NO_GOST - { - int pktype = EVP_PKEY_id(pkey); - if (pktype == NID_id_GostR3410_2001 - || pktype == NID_id_GostR3410_2012_256 - || pktype == NID_id_GostR3410_2012_512) { - if ((gost_data = OPENSSL_malloc(len)) == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - BUF_reverse(gost_data, data, len); - data = gost_data; - } - } -#endif - - if (s->version == SSL3_VERSION - && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - s->session->master_key_length, - s->session->master_key)) { - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - - if (EVP_VerifyFinal(mctx, data, len, pkey) <= 0) { - al = SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE); - goto f_err; - } - - ret = MSG_PROCESS_CONTINUE_READING; - if (0) { - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); - } - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; - EVP_MD_CTX_free(mctx); -#ifndef OPENSSL_NO_GOST - OPENSSL_free(gost_data); -#endif - return ret; -} - MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) { - int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR; + int i; + MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; X509 *x = NULL; - unsigned long l, llen; + unsigned long l; const unsigned char *certstart, *certbytes; STACK_OF(X509) *sk = NULL; - PACKET spkt; + PACKET spkt, context; + size_t chainidx; + SSL_SESSION *new_sess = NULL; + + /* + * To get this far we must have read encrypted data from the client. We no + * longer tolerate unencrypted alerts. This value is ignored if less than + * TLSv1.3 + */ + s->statem.enc_read_state = ENC_READ_STATE_VALID; if ((sk = sk_X509_new_null()) == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + ERR_R_MALLOC_FAILURE); + goto err; + } + + if (SSL_IS_TLS13(s) && (!PACKET_get_length_prefixed_1(pkt, &context) + || (s->pha_context == NULL && PACKET_remaining(&context) != 0) + || (s->pha_context != NULL && + !PACKET_equal(&context, s->pha_context, s->pha_context_len)))) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_INVALID_CONTEXT); + goto err; } - if (!PACKET_get_net_3(pkt, &llen) - || !PACKET_get_sub_packet(pkt, &spkt, llen) - || PACKET_remaining(pkt) != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH); - goto f_err; + if (!PACKET_get_length_prefixed_3(pkt, &spkt) + || PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_LENGTH_MISMATCH); + goto err; } - while (PACKET_remaining(&spkt) > 0) { + for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) { if (!PACKET_get_net_3(&spkt, &l) || !PACKET_get_bytes(&spkt, &certbytes, l)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, - SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_CERT_LENGTH_MISMATCH); + goto err; } certstart = certbytes; x = d2i_X509(NULL, (const unsigned char **)&certbytes, l); if (x == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB); + goto err; } if (certbytes != (certstart + l)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, - SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_CERT_LENGTH_MISMATCH); + goto err; } + + if (SSL_IS_TLS13(s)) { + RAW_EXTENSION *rawexts = NULL; + PACKET extensions; + + if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_BAD_LENGTH); + goto err; + } + if (!tls_collect_extensions(s, &extensions, + SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, + NULL, chainidx == 0) + || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, + rawexts, x, chainidx, + PACKET_remaining(&spkt) == 0)) { + OPENSSL_free(rawexts); + goto err; + } + OPENSSL_free(rawexts); + } + if (!sk_X509_push(sk, x)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + ERR_R_MALLOC_FAILURE); + goto err; } x = NULL; } @@ -2905,103 +3651,189 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) if (sk_X509_num(sk) <= 0) { /* TLS does not mind 0 certs returned */ if (s->version == SSL3_VERSION) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, - SSL_R_NO_CERTIFICATES_RETURNED); - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_NO_CERTIFICATES_RETURNED); + goto err; } /* Fail for TLS only if we required a certificate */ else if ((s->verify_mode & SSL_VERIFY_PEER) && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, - SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); - al = SSL_AD_HANDSHAKE_FAILURE; - goto f_err; + SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); + goto err; } /* No client certificate so digest cached records */ if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) { - goto f_err; + /* SSLfatal() already called */ + goto err; } } else { EVP_PKEY *pkey; i = ssl_verify_cert_chain(s, sk); if (i <= 0) { - al = ssl_verify_alarm_type(s->verify_result); - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, - SSL_R_CERTIFICATE_VERIFY_FAILED); - goto f_err; + SSLfatal(s, ssl_x509err2alert(s->verify_result), + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_CERTIFICATE_VERIFY_FAILED); + goto err; } if (i > 1) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i); - al = SSL_AD_HANDSHAKE_FAILURE; - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i); + goto err; } pkey = X509_get0_pubkey(sk_X509_value(sk, 0)); if (pkey == NULL) { - al = SSL3_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, - SSL_R_UNKNOWN_CERTIFICATE_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + SSL_R_UNKNOWN_CERTIFICATE_TYPE); + goto err; } } + /* + * Sessions must be immutable once they go into the session cache. Otherwise + * we can get multi-thread problems. Therefore we don't "update" sessions, + * we replace them with a duplicate. Here, we need to do this every time + * a new certificate is received via post-handshake authentication, as the + * session may have already gone into the session cache. + */ + + if (s->post_handshake_auth == SSL_PHA_REQUESTED) { + if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, + ERR_R_MALLOC_FAILURE); + goto err; + } + + SSL_SESSION_free(s->session); + s->session = new_sess; + } + X509_free(s->session->peer); s->session->peer = sk_X509_shift(sk); s->session->verify_result = s->verify_result; sk_X509_pop_free(s->session->peer_chain, X509_free); s->session->peer_chain = sk; + + /* + * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE + * message + */ + if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) { + /* SSLfatal() already called */ + goto err; + } + /* * Inconsistency alert: cert_chain does *not* include the peer's own * certificate, while we do include it in statem_clnt.c */ sk = NULL; + + /* Save the current hash state for when we receive the CertificateVerify */ + if (SSL_IS_TLS13(s)) { + if (!ssl_handshake_hash(s, s->cert_verify_hash, + sizeof(s->cert_verify_hash), + &s->cert_verify_hash_len)) { + /* SSLfatal() already called */ + goto err; + } + + /* Resend session tickets */ + s->sent_tickets = 0; + } + ret = MSG_PROCESS_CONTINUE_READING; - goto done; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); - done: + err: X509_free(x); sk_X509_pop_free(sk, X509_free); return ret; } -int tls_construct_server_certificate(SSL *s) +int tls_construct_server_certificate(SSL *s, WPACKET *pkt) { - CERT_PKEY *cpk; + CERT_PKEY *cpk = s->s3->tmp.cert; - cpk = ssl_get_server_send_pkey(s); if (cpk == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); + return 0; + } + + /* + * In TLSv1.3 the certificate chain is always preceded by a 0 length context + * for the server Certificate message + */ + if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); + return 0; + } + if (!ssl3_output_cert_chain(s, pkt, cpk)) { + /* SSLfatal() already called */ + return 0; + } + + return 1; +} + +static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add, + unsigned char *tick_nonce) +{ + /* + * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this + * unspecified for resumed session (for simplicity). + * In TLSv1.3 we reset the "time" field above, and always specify the + * timeout. + */ + if (!WPACKET_put_bytes_u32(pkt, + (s->hit && !SSL_IS_TLS13(s)) + ? 0 : s->session->timeout)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL, + ERR_R_INTERNAL_ERROR); return 0; } - if (!ssl3_output_cert_chain(s, cpk)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); + if (SSL_IS_TLS13(s)) { + if (!WPACKET_put_bytes_u32(pkt, age_add) + || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + + /* Start the sub-packet for the actual ticket data */ + if (!WPACKET_start_sub_packet_u16(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL, + ERR_R_INTERNAL_ERROR); return 0; } return 1; } -int tls_construct_new_session_ticket(SSL *s) +static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, + unsigned char *tick_nonce) { unsigned char *senc = NULL; EVP_CIPHER_CTX *ctx = NULL; HMAC_CTX *hctx = NULL; - unsigned char *p, *macstart; + unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2; const unsigned char *const_p; - int len, slen_full, slen; + int len, slen_full, slen, lenfinal; SSL_SESSION *sess; unsigned int hlen; SSL_CTX *tctx = s->session_ctx; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char key_name[TLSEXT_KEYNAME_LENGTH]; - int iv_len; + int iv_len, ok = 0; + size_t macoffset, macendoffset; /* get session encoding length */ slen_full = i2d_SSL_SESSION(s->session, NULL); @@ -3010,190 +3842,357 @@ int tls_construct_new_session_ticket(SSL *s) * long */ if (slen_full == 0 || slen_full > 0xFF00) { - ossl_statem_set_error(s); - return 0; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, + ERR_R_INTERNAL_ERROR); + goto err; } senc = OPENSSL_malloc(slen_full); if (senc == NULL) { - ossl_statem_set_error(s); - return 0; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_MALLOC_FAILURE); + goto err; } ctx = EVP_CIPHER_CTX_new(); hctx = HMAC_CTX_new(); if (ctx == NULL || hctx == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, + ERR_R_MALLOC_FAILURE); goto err; } p = senc; - if (!i2d_SSL_SESSION(s->session, &p)) + if (!i2d_SSL_SESSION(s->session, &p)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, + ERR_R_INTERNAL_ERROR); goto err; + } /* * create a fresh copy (not shared with other threads) to clean up */ const_p = senc; sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); - if (sess == NULL) + if (sess == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, + ERR_R_INTERNAL_ERROR); goto err; - sess->session_id_length = 0; /* ID is irrelevant for the ticket */ + } slen = i2d_SSL_SESSION(sess, NULL); - if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */ + if (slen == 0 || slen > slen_full) { + /* shouldn't ever happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, + ERR_R_INTERNAL_ERROR); SSL_SESSION_free(sess); goto err; } p = senc; if (!i2d_SSL_SESSION(sess, &p)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, + ERR_R_INTERNAL_ERROR); SSL_SESSION_free(sess); goto err; } SSL_SESSION_free(sess); - /*- - * Grow buffer if need be: the length calculation is as - * follows handshake_header_length + - * 4 (ticket lifetime hint) + 2 (ticket length) + - * sizeof(keyname) + max_iv_len (iv length) + - * max_enc_block_size (max encrypted session * length) + - * max_md_size (HMAC) + session_length. - */ - if (!BUF_MEM_grow(s->init_buf, - SSL_HM_HEADER_LENGTH(s) + 6 + sizeof(key_name) + - EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + - EVP_MAX_MD_SIZE + slen)) - goto err; - - p = ssl_handshake_start(s); /* * Initialize HMAC and cipher contexts. If callback present it does * all the work otherwise use generated values from parent ctx. */ - if (tctx->tlsext_ticket_key_cb) { + if (tctx->ext.ticket_key_cb) { /* if 0 is returned, write an empty ticket */ - int ret = tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx, + int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx, hctx, 1); if (ret == 0) { - l2n(0, p); /* timeout */ - s2n(0, p); /* length */ - if (!ssl_set_handshake_header - (s, SSL3_MT_NEWSESSION_TICKET, p - ssl_handshake_start(s))) + + /* Put timeout and length */ + if (!WPACKET_put_bytes_u32(pkt, 0) + || !WPACKET_put_bytes_u16(pkt, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_CONSTRUCT_STATELESS_TICKET, + ERR_R_INTERNAL_ERROR); goto err; + } OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); return 1; } - if (ret < 0) + if (ret < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, + SSL_R_CALLBACK_FAILED); goto err; + } iv_len = EVP_CIPHER_CTX_iv_length(ctx); } else { const EVP_CIPHER *cipher = EVP_aes_256_cbc(); iv_len = EVP_CIPHER_iv_length(cipher); - if (RAND_bytes(iv, iv_len) <= 0) - goto err; - if (!EVP_EncryptInit_ex(ctx, cipher, NULL, - tctx->tlsext_tick_aes_key, iv)) - goto err; - if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, - sizeof(tctx->tlsext_tick_hmac_key), - EVP_sha256(), NULL)) + if (RAND_bytes(iv, iv_len) <= 0 + || !EVP_EncryptInit_ex(ctx, cipher, NULL, + tctx->ext.secure->tick_aes_key, iv) + || !HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key, + sizeof(tctx->ext.secure->tick_hmac_key), + EVP_sha256(), NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, + ERR_R_INTERNAL_ERROR); goto err; - memcpy(key_name, tctx->tlsext_tick_key_name, - sizeof(tctx->tlsext_tick_key_name)); + } + memcpy(key_name, tctx->ext.tick_key_name, + sizeof(tctx->ext.tick_key_name)); } - /* - * Ticket lifetime hint (advisory only): We leave this unspecified - * for resumed session (for simplicity), and guess that tickets for - * new sessions will live as long as their sessions. - */ - l2n(s->hit ? 0 : s->session->timeout, p); - - /* Skip ticket length for now */ - p += 2; - /* Output key name */ - macstart = p; - memcpy(p, key_name, sizeof(key_name)); - p += sizeof(key_name); - /* output IV */ - memcpy(p, iv, iv_len); - p += iv_len; - /* Encrypt session data */ - if (!EVP_EncryptUpdate(ctx, p, &len, senc, slen)) - goto err; - p += len; - if (!EVP_EncryptFinal(ctx, p, &len)) + if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) { + /* SSLfatal() already called */ goto err; - p += len; + } - if (!HMAC_Update(hctx, macstart, p - macstart)) - goto err; - if (!HMAC_Final(hctx, p, &hlen)) + if (!WPACKET_get_total_written(pkt, &macoffset) + /* Output key name */ + || !WPACKET_memcpy(pkt, key_name, sizeof(key_name)) + /* output IV */ + || !WPACKET_memcpy(pkt, iv, iv_len) + || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH, + &encdata1) + /* Encrypt session data */ + || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen) + || !WPACKET_allocate_bytes(pkt, len, &encdata2) + || encdata1 != encdata2 + || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal) + || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2) + || encdata1 + len != encdata2 + || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH + || !WPACKET_get_total_written(pkt, &macendoffset) + || !HMAC_Update(hctx, + (unsigned char *)s->init_buf->data + macoffset, + macendoffset - macoffset) + || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1) + || !HMAC_Final(hctx, macdata1, &hlen) + || hlen > EVP_MAX_MD_SIZE + || !WPACKET_allocate_bytes(pkt, hlen, &macdata2) + || macdata1 != macdata2) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_INTERNAL_ERROR); goto err; + } - EVP_CIPHER_CTX_free(ctx); - HMAC_CTX_free(hctx); - ctx = NULL; - hctx = NULL; - - p += hlen; - /* Now write out lengths: p points to end of data written */ - /* Total length */ - len = p - ssl_handshake_start(s); - /* Skip ticket lifetime hint */ - p = ssl_handshake_start(s) + 4; - s2n(len - 6, p); - if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) + /* Close the sub-packet created by create_ticket_prequel() */ + if (!WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, + ERR_R_INTERNAL_ERROR); goto err; - OPENSSL_free(senc); + } - return 1; + ok = 1; err: OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); - ossl_statem_set_error(s); - return 0; + return ok; } -int tls_construct_cert_status(SSL *s) +static int construct_stateful_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, + unsigned char *tick_nonce) { - unsigned char *p; - size_t msglen; + if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) { + /* SSLfatal() already called */ + return 0; + } - /*- - * Grow buffer if need be: the length calculation is as - * follows handshake_header_length + - * 1 (ocsp response type) + 3 (ocsp response length) - * + (ocsp response) - */ - msglen = 4 + s->tlsext_ocsp_resplen; - if (!BUF_MEM_grow(s->init_buf, SSL_HM_HEADER_LENGTH(s) + msglen)) - goto err; + if (!WPACKET_memcpy(pkt, s->session->session_id, + s->session->session_id_length) + || !WPACKET_close(pkt)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATEFUL_TICKET, + ERR_R_INTERNAL_ERROR); + return 0; + } + + return 1; +} + +int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) +{ + SSL_CTX *tctx = s->session_ctx; + unsigned char tick_nonce[TICKET_NONCE_SIZE]; + union { + unsigned char age_add_c[sizeof(uint32_t)]; + uint32_t age_add; + } age_add_u; + + age_add_u.age_add = 0; + + if (SSL_IS_TLS13(s)) { + size_t i, hashlen; + uint64_t nonce; + static const unsigned char nonce_label[] = "resumption"; + const EVP_MD *md = ssl_handshake_md(s); + void (*cb) (const SSL *ssl, int type, int val) = NULL; + int hashleni = EVP_MD_size(md); + + /* Ensure cast to size_t is safe */ + if (!ossl_assert(hashleni >= 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_INTERNAL_ERROR); + goto err; + } + hashlen = (size_t)hashleni; - p = ssl_handshake_start(s); + if (s->info_callback != NULL) + cb = s->info_callback; + else if (s->ctx->info_callback != NULL) + cb = s->ctx->info_callback; - /* status type */ - *(p++) = s->tlsext_status_type; - /* length of OCSP response */ - l2n3(s->tlsext_ocsp_resplen, p); - /* actual response */ - memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); + if (cb != NULL) { + /* + * We don't start and stop the handshake in between each ticket when + * sending more than one - but it should appear that way to the info + * callback. + */ + if (s->sent_tickets != 0) { + ossl_statem_set_in_init(s, 0); + cb(s, SSL_CB_HANDSHAKE_DONE, 1); + ossl_statem_set_in_init(s, 1); + } + cb(s, SSL_CB_HANDSHAKE_START, 1); + } + /* + * If we already sent one NewSessionTicket, or we resumed then + * s->session may already be in a cache and so we must not modify it. + * Instead we need to take a copy of it and modify that. + */ + if (s->sent_tickets != 0 || s->hit) { + SSL_SESSION *new_sess = ssl_session_dup(s->session, 0); + + if (new_sess == NULL) { + /* SSLfatal already called */ + goto err; + } - if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_STATUS, msglen)) + SSL_SESSION_free(s->session); + s->session = new_sess; + } + + if (!ssl_generate_session_id(s, s->session)) { + /* SSLfatal() already called */ + goto err; + } + if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_INTERNAL_ERROR); + goto err; + } + s->session->ext.tick_age_add = age_add_u.age_add; + + nonce = s->next_ticket_nonce; + for (i = TICKET_NONCE_SIZE; i > 0; i--) { + tick_nonce[i - 1] = (unsigned char)(nonce & 0xff); + nonce >>= 8; + } + + if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, + nonce_label, + sizeof(nonce_label) - 1, + tick_nonce, + TICKET_NONCE_SIZE, + s->session->master_key, + hashlen)) { + /* SSLfatal() already called */ + goto err; + } + s->session->master_key_length = hashlen; + + s->session->time = (long)time(NULL); + if (s->s3->alpn_selected != NULL) { + OPENSSL_free(s->session->ext.alpn_selected); + s->session->ext.alpn_selected = + OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len); + if (s->session->ext.alpn_selected == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_MALLOC_FAILURE); + goto err; + } + s->session->ext.alpn_selected_len = s->s3->alpn_selected_len; + } + s->session->ext.max_early_data = s->max_early_data; + } + + if (tctx->generate_ticket_cb != NULL && + tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) goto err; - return 1; + /* + * If we are using anti-replay protection then we behave as if + * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there + * is no point in using full stateless tickets. + */ + if (SSL_IS_TLS13(s) + && ((s->options & SSL_OP_NO_TICKET) != 0 + || (s->max_early_data > 0 + && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) { + if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) { + /* SSLfatal() already called */ + goto err; + } + } else if (!construct_stateless_ticket(s, pkt, age_add_u.age_add, + tick_nonce)) { + /* SSLfatal() already called */ + goto err; + } + if (SSL_IS_TLS13(s)) { + if (!tls_construct_extensions(s, pkt, + SSL_EXT_TLS1_3_NEW_SESSION_TICKET, + NULL, 0)) { + /* SSLfatal() already called */ + goto err; + } + /* + * Increment both |sent_tickets| and |next_ticket_nonce|. |sent_tickets| + * gets reset to 0 if we send more tickets following a post-handshake + * auth, but |next_ticket_nonce| does not. + */ + s->sent_tickets++; + s->next_ticket_nonce++; + ssl_update_cache(s, SSL_SESS_CACHE_SERVER); + } + + return 1; err: - ossl_statem_set_error(s); return 0; } +/* + * In TLSv1.3 this is called from the extensions code, otherwise it is used to + * create a separate message. Returns 1 on success or 0 on failure. + */ +int tls_construct_cert_status_body(SSL *s, WPACKET *pkt) +{ + if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type) + || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp, + s->ext.ocsp.resp_len)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY, + ERR_R_INTERNAL_ERROR); + return 0; + } + + return 1; +} + +int tls_construct_cert_status(SSL *s, WPACKET *pkt) +{ + if (!tls_construct_cert_status_body(s, pkt)) { + /* SSLfatal() already called */ + return 0; + } + + return 1; +} + #ifndef OPENSSL_NO_NEXTPROTONEG /* * tls_process_next_proto reads a Next Protocol Negotiation handshake message. @@ -3214,163 +4213,67 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) if (!PACKET_get_length_prefixed_1(pkt, &next_proto) || !PACKET_get_length_prefixed_1(pkt, &padding) || PACKET_remaining(pkt) > 0) { - SSLerr(SSL_F_TLS_PROCESS_NEXT_PROTO, SSL_R_LENGTH_MISMATCH); - goto err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO, + SSL_R_LENGTH_MISMATCH); + return MSG_PROCESS_ERROR; } - if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated, &next_proto_len)) { - s->next_proto_negotiated_len = 0; - goto err; + if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) { + s->ext.npn_len = 0; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO, + ERR_R_INTERNAL_ERROR); + return MSG_PROCESS_ERROR; } - s->next_proto_negotiated_len = (unsigned char)next_proto_len; + s->ext.npn_len = (unsigned char)next_proto_len; return MSG_PROCESS_CONTINUE_READING; - err: - ossl_statem_set_error(s); - return MSG_PROCESS_ERROR; } #endif -#define SSLV2_CIPHER_LEN 3 - -STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, - PACKET *cipher_suites, - STACK_OF(SSL_CIPHER) **skp, - int sslv2format, int *al) +static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt) { - const SSL_CIPHER *c; - STACK_OF(SSL_CIPHER) *sk; - int n; - /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */ - unsigned char cipher[SSLV2_CIPHER_LEN]; - - s->s3->send_connection_binding = 0; - - n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; - - if (PACKET_remaining(cipher_suites) == 0) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED); - *al = SSL_AD_ILLEGAL_PARAMETER; - return NULL; + if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, + NULL, 0)) { + /* SSLfatal() already called */ + return 0; } - if (PACKET_remaining(cipher_suites) % n != 0) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); - *al = SSL_AD_DECODE_ERROR; - return NULL; - } + return 1; +} - sk = sk_SSL_CIPHER_new_null(); - if (sk == NULL) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - *al = SSL_AD_INTERNAL_ERROR; - return NULL; +MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt) +{ + if (PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, + SSL_R_LENGTH_MISMATCH); + return MSG_PROCESS_ERROR; } - if (sslv2format) { - size_t numciphers = PACKET_remaining(cipher_suites) / n; - PACKET sslv2ciphers = *cipher_suites; - unsigned int leadbyte; - unsigned char *raw; - - /* - * We store the raw ciphers list in SSLv3+ format so we need to do some - * preprocessing to convert the list first. If there are any SSLv2 only - * ciphersuites with a non-zero leading byte then we are going to - * slightly over allocate because we won't store those. But that isn't a - * problem. - */ - raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN); - s->s3->tmp.ciphers_raw = raw; - if (raw == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - goto err; - } - for (s->s3->tmp.ciphers_rawlen = 0; - PACKET_remaining(&sslv2ciphers) > 0; - raw += TLS_CIPHER_LEN) { - if (!PACKET_get_1(&sslv2ciphers, &leadbyte) - || (leadbyte == 0 - && !PACKET_copy_bytes(&sslv2ciphers, raw, - TLS_CIPHER_LEN)) - || (leadbyte != 0 - && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) { - *al = SSL_AD_INTERNAL_ERROR; - OPENSSL_free(s->s3->tmp.ciphers_raw); - s->s3->tmp.ciphers_raw = NULL; - s->s3->tmp.ciphers_rawlen = 0; - goto err; - } - if (leadbyte == 0) - s->s3->tmp.ciphers_rawlen += TLS_CIPHER_LEN; - } - } else if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw, - &s->s3->tmp.ciphers_rawlen)) { - *al = SSL_AD_INTERNAL_ERROR; - goto err; + if (s->early_data_state != SSL_EARLY_DATA_READING + && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, + ERR_R_INTERNAL_ERROR); + return MSG_PROCESS_ERROR; } - while (PACKET_copy_bytes(cipher_suites, cipher, n)) { - /* - * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the - * first byte set to zero, while true SSLv2 ciphers have a non-zero - * first byte. We don't support any true SSLv2 ciphers, so skip them. - */ - if (sslv2format && cipher[0] != '\0') - continue; - - /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */ - if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && - (cipher[n - 1] == (SSL3_CK_SCSV & 0xff))) { - /* SCSV fatal if renegotiating */ - if (s->renegotiate) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); - *al = SSL_AD_HANDSHAKE_FAILURE; - goto err; - } - s->s3->send_connection_binding = 1; - continue; - } - - /* Check for TLS_FALLBACK_SCSV */ - if ((cipher[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) && - (cipher[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) { - /* - * The SCSV indicates that the client previously tried a higher - * version. Fail if the current version is an unexpected - * downgrade. - */ - if (!ssl_check_version_downgrade(s)) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, - SSL_R_INAPPROPRIATE_FALLBACK); - *al = SSL_AD_INAPPROPRIATE_FALLBACK; - goto err; - } - continue; - } - - /* For SSLv2-compat, ignore leading 0-byte. */ - c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher); - if (c != NULL) { - if (!sk_SSL_CIPHER_push(sk, c)) { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - *al = SSL_AD_INTERNAL_ERROR; - goto err; - } - } + /* + * EndOfEarlyData signals a key change so the end of the message must be on + * a record boundary. + */ + if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, + SSL_R_NOT_ON_RECORD_BOUNDARY); + return MSG_PROCESS_ERROR; } - if (PACKET_remaining(cipher_suites) > 0) { - *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR); - goto err; + + s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; + if (!s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) { + /* SSLfatal() already called */ + return MSG_PROCESS_ERROR; } - *skp = sk; - return sk; - err: - sk_SSL_CIPHER_free(sk); - return NULL; + return MSG_PROCESS_CONTINUE_READING; } diff --git a/deps/openssl/openssl/ssl/t1_enc.c b/deps/openssl/openssl/ssl/t1_enc.c index 235c5e4bc8..2db913fb06 100644 --- a/deps/openssl/openssl/ssl/t1_enc.c +++ b/deps/openssl/openssl/ssl/t1_enc.c @@ -1,5 +1,6 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,33 +8,6 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2005 Nokia. All rights reserved. - * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. - */ - #include <stdio.h> #include "ssl_locl.h" #include <openssl/comp.h> @@ -43,44 +17,45 @@ /* seed1 through seed5 are concatenated */ static int tls1_PRF(SSL *s, - const void *seed1, int seed1_len, - const void *seed2, int seed2_len, - const void *seed3, int seed3_len, - const void *seed4, int seed4_len, - const void *seed5, int seed5_len, - const unsigned char *sec, int slen, - unsigned char *out, int olen) + const void *seed1, size_t seed1_len, + const void *seed2, size_t seed2_len, + const void *seed3, size_t seed3_len, + const void *seed4, size_t seed4_len, + const void *seed5, size_t seed5_len, + const unsigned char *sec, size_t slen, + unsigned char *out, size_t olen, int fatal) { const EVP_MD *md = ssl_prf_md(s); EVP_PKEY_CTX *pctx = NULL; - int ret = 0; - size_t outlen = olen; if (md == NULL) { /* Should never happen */ - SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR); + if (fatal) + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_PRF, + ERR_R_INTERNAL_ERROR); + else + SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR); return 0; } pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0 || EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) <= 0 - || EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, slen) <= 0) - goto err; - - if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len) <= 0) - goto err; - if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len) <= 0) - goto err; - if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len) <= 0) - goto err; - if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, seed4_len) <= 0) - goto err; - if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, seed5_len) <= 0) + || EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, (int)slen) <= 0 + || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, (int)seed1_len) <= 0 + || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, (int)seed2_len) <= 0 + || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, (int)seed3_len) <= 0 + || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, (int)seed4_len) <= 0 + || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, (int)seed5_len) <= 0 + || EVP_PKEY_derive(pctx, out, &olen) <= 0) { + if (fatal) + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_PRF, + ERR_R_INTERNAL_ERROR); + else + SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR); goto err; + } - if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) - goto err; ret = 1; err: @@ -88,15 +63,17 @@ static int tls1_PRF(SSL *s, return ret; } -static int tls1_generate_key_block(SSL *s, unsigned char *km, int num) +static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num) { int ret; + + /* Calls SSLfatal() as required */ ret = tls1_PRF(s, TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE, s->s3->client_random, SSL3_RANDOM_SIZE, NULL, 0, NULL, 0, s->session->master_key, - s->session->master_key_length, km, num); + s->session->master_key_length, km, num, 1); return ret; } @@ -116,10 +93,10 @@ int tls1_change_cipher_state(SSL *s, int which) #endif const EVP_MD *m; int mac_type; - int *mac_secret_size; + size_t *mac_secret_size; EVP_MD_CTX *mac_ctx; EVP_PKEY *mac_key; - int n, i, j, k, cl; + size_t n, i, j, k, cl; int reuse_dd = 0; c = s->s3->tmp.new_sym_enc; @@ -130,7 +107,7 @@ int tls1_change_cipher_state(SSL *s, int which) #endif if (which & SSL3_CC_READ) { - if (s->tlsext_use_etm) + if (s->ext.use_etm) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; else s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; @@ -140,15 +117,18 @@ int tls1_change_cipher_state(SSL *s, int which) else s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; - if (s->enc_read_ctx != NULL) + if (s->enc_read_ctx != NULL) { reuse_dd = 1; - else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) + } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, + ERR_R_MALLOC_FAILURE); goto err; - else + } else { /* * make sure it's initialised in case we exit later with an error */ EVP_CIPHER_CTX_reset(s->enc_read_ctx); + } dd = s->enc_read_ctx; mac_ctx = ssl_replace_hash(&s->read_hash, NULL); if (mac_ctx == NULL) @@ -159,9 +139,10 @@ int tls1_change_cipher_state(SSL *s, int which) if (comp != NULL) { s->expand = COMP_CTX_new(comp->method); if (s->expand == NULL) { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, - SSL_R_COMPRESSION_LIBRARY_ERROR); - goto err2; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS1_CHANGE_CIPHER_STATE, + SSL_R_COMPRESSION_LIBRARY_ERROR); + goto err; } } #endif @@ -173,7 +154,8 @@ int tls1_change_cipher_state(SSL *s, int which) mac_secret = &(s->s3->read_mac_secret[0]); mac_secret_size = &(s->s3->read_mac_secret_size); } else { - if (s->tlsext_use_etm) + s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; + if (s->ext.use_etm) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; else s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; @@ -182,20 +164,31 @@ int tls1_change_cipher_state(SSL *s, int which) s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; else s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; - if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) + if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) { reuse_dd = 1; - else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) + } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, + ERR_R_MALLOC_FAILURE); goto err; + } dd = s->enc_write_ctx; if (SSL_IS_DTLS(s)) { mac_ctx = EVP_MD_CTX_new(); - if (mac_ctx == NULL) + if (mac_ctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS1_CHANGE_CIPHER_STATE, + ERR_R_MALLOC_FAILURE); goto err; + } s->write_hash = mac_ctx; } else { mac_ctx = ssl_replace_hash(&s->write_hash, NULL); - if (mac_ctx == NULL) + if (mac_ctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS1_CHANGE_CIPHER_STATE, + ERR_R_MALLOC_FAILURE); goto err; + } } #ifndef OPENSSL_NO_COMP COMP_CTX_free(s->compress); @@ -203,9 +196,10 @@ int tls1_change_cipher_state(SSL *s, int which) if (comp != NULL) { s->compress = COMP_CTX_new(comp->method); if (s->compress == NULL) { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, - SSL_R_COMPRESSION_LIBRARY_ERROR); - goto err2; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS1_CHANGE_CIPHER_STATE, + SSL_R_COMPRESSION_LIBRARY_ERROR); + goto err; } } #endif @@ -224,6 +218,7 @@ int tls1_change_cipher_state(SSL *s, int which) p = s->s3->tmp.key_block; i = *mac_secret_size = s->s3->tmp.new_mac_secret_size; + /* TODO(size_t): convert me */ cl = EVP_CIPHER_key_length(c); j = cl; /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ @@ -253,27 +248,30 @@ int tls1_change_cipher_state(SSL *s, int which) } if (n > s->s3->tmp.key_block_length) { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); - goto err2; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; } memcpy(mac_secret, ms, i); if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { - mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, - mac_secret, *mac_secret_size); + /* TODO(size_t): Convert this function */ + mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, + (int)*mac_secret_size); if (mac_key == NULL || EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) { EVP_PKEY_free(mac_key); - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); - goto err2; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; } EVP_PKEY_free(mac_key); } #ifdef SSL_DEBUG printf("which = %04X\nmac key=", which); { - int z; + size_t z; for (z = 0; z < i; z++) printf("%02X%c", ms[z], ((z + 1) % 16) ? ' ' : '\n'); } @@ -281,38 +279,44 @@ int tls1_change_cipher_state(SSL *s, int which) if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE)) - || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv)) { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); - goto err2; + || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, (int)k, + iv)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; } } else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) { int taglen; if (s->s3->tmp. new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) - taglen = 8; + taglen = EVP_CCM8_TLS_TAG_LEN; else - taglen = 16; + taglen = EVP_CCM_TLS_TAG_LEN; if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE)) || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL) || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL) - || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, k, iv) + || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, (int)k, iv) || !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); - goto err2; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; } } else { if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); - goto err2; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; } } /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size && !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, - *mac_secret_size, mac_secret)) { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); - goto err2; + (int)*mac_secret_size, mac_secret)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; } + s->statem.enc_write_state = ENC_WRITE_STATE_VALID; #ifdef SSL_DEBUG printf("which = %04X\nkey=", which); @@ -323,7 +327,7 @@ int tls1_change_cipher_state(SSL *s, int which) } printf("\niv="); { - int z; + size_t z; for (z = 0; z < k; z++) printf("%02X%c", iv[z], ((z + 1) % 16) ? ' ' : '\n'); } @@ -334,15 +338,13 @@ int tls1_change_cipher_state(SSL *s, int which) OPENSSL_cleanse(tmp2, sizeof(tmp1)); OPENSSL_cleanse(iv1, sizeof(iv1)); OPENSSL_cleanse(iv2, sizeof(iv2)); - return (1); + return 1; err: - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); - err2: OPENSSL_cleanse(tmp1, sizeof(tmp1)); OPENSSL_cleanse(tmp2, sizeof(tmp1)); OPENSSL_cleanse(iv1, sizeof(iv1)); OPENSSL_cleanse(iv2, sizeof(iv2)); - return (0); + return 0; } int tls1_setup_key_block(SSL *s) @@ -350,18 +352,19 @@ int tls1_setup_key_block(SSL *s) unsigned char *p; const EVP_CIPHER *c; const EVP_MD *hash; - int num; SSL_COMP *comp; - int mac_type = NID_undef, mac_secret_size = 0; + int mac_type = NID_undef; + size_t num, mac_secret_size = 0; int ret = 0; if (s->s3->tmp.key_block_length != 0) - return (1); + return 1; if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, - &comp, s->tlsext_use_etm)) { - SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); - return (0); + &comp, s->ext.use_etm)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_SETUP_KEY_BLOCK, + SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + return 0; } s->s3->tmp.new_sym_enc = c; @@ -374,7 +377,8 @@ int tls1_setup_key_block(SSL *s) ssl3_cleanup_key_block(s); if ((p = OPENSSL_malloc(num)) == NULL) { - SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_SETUP_KEY_BLOCK, + ERR_R_MALLOC_FAILURE); goto err; } @@ -398,18 +402,20 @@ int tls1_setup_key_block(SSL *s) } printf("master key\n"); { - int z; + size_t z; for (z = 0; z < s->session->master_key_length; z++) printf("%02X%c", s->session->master_key[z], ((z + 1) % 16) ? ' ' : '\n'); } #endif - if (!tls1_generate_key_block(s, p, num)) + if (!tls1_generate_key_block(s, p, num)) { + /* SSLfatal() already called */ goto err; + } #ifdef SSL_DEBUG printf("\nkey block\n"); { - int z; + size_t z; for (z = 0; z < num; z++) printf("%02X%c", p[z], ((z + 1) % 16) ? ' ' : '\n'); } @@ -436,66 +442,79 @@ int tls1_setup_key_block(SSL *s) ret = 1; err: - return (ret); + return ret; } -int tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out) +size_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen, + unsigned char *out) { - int hashlen; + size_t hashlen; unsigned char hash[EVP_MAX_MD_SIZE]; - if (!ssl3_digest_cached_records(s, 0)) + if (!ssl3_digest_cached_records(s, 0)) { + /* SSLfatal() already called */ return 0; + } - hashlen = ssl_handshake_hash(s, hash, sizeof(hash)); - - if (hashlen == 0) + if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { + /* SSLfatal() already called */ return 0; + } if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0, s->session->master_key, s->session->master_key_length, - out, TLS1_FINISH_MAC_LENGTH)) + out, TLS1_FINISH_MAC_LENGTH, 1)) { + /* SSLfatal() already called */ return 0; + } OPENSSL_cleanse(hash, hashlen); return TLS1_FINISH_MAC_LENGTH; } int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, - int len) + size_t len, size_t *secret_size) { if (s->session->flags & SSL_SESS_FLAG_EXTMS) { unsigned char hash[EVP_MAX_MD_SIZE * 2]; - int hashlen; + size_t hashlen; /* * Digest cached records keeping record buffer (if present): this wont * affect client auth because we're freezing the buffer at the same * point (after client key exchange and before certificate verify) */ - if (!ssl3_digest_cached_records(s, 1)) - return -1; - hashlen = ssl_handshake_hash(s, hash, sizeof(hash)); + if (!ssl3_digest_cached_records(s, 1) + || !ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { + /* SSLfatal() already called */ + return 0; + } #ifdef SSL_DEBUG fprintf(stderr, "Handshake hashes:\n"); BIO_dump_fp(stderr, (char *)hash, hashlen); #endif - tls1_PRF(s, - TLS_MD_EXTENDED_MASTER_SECRET_CONST, - TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE, - hash, hashlen, - NULL, 0, - NULL, 0, - NULL, 0, p, len, s->session->master_key, - SSL3_MASTER_SECRET_SIZE); + if (!tls1_PRF(s, + TLS_MD_EXTENDED_MASTER_SECRET_CONST, + TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE, + hash, hashlen, + NULL, 0, + NULL, 0, + NULL, 0, p, len, out, + SSL3_MASTER_SECRET_SIZE, 1)) { + /* SSLfatal() already called */ + return 0; + } OPENSSL_cleanse(hash, hashlen); } else { - tls1_PRF(s, - TLS_MD_MASTER_SECRET_CONST, - TLS_MD_MASTER_SECRET_CONST_SIZE, - s->s3->client_random, SSL3_RANDOM_SIZE, - NULL, 0, - s->s3->server_random, SSL3_RANDOM_SIZE, - NULL, 0, p, len, s->session->master_key, - SSL3_MASTER_SECRET_SIZE); + if (!tls1_PRF(s, + TLS_MD_MASTER_SECRET_CONST, + TLS_MD_MASTER_SECRET_CONST_SIZE, + s->s3->client_random, SSL3_RANDOM_SIZE, + NULL, 0, + s->s3->server_random, SSL3_RANDOM_SIZE, + NULL, 0, p, len, out, + SSL3_MASTER_SECRET_SIZE, 1)) { + /* SSLfatal() already called */ + return 0; + } } #ifdef SSL_DEBUG fprintf(stderr, "Premaster Secret:\n"); @@ -509,7 +528,8 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, SSL3_MASTER_SECRET_SIZE); #endif - return (SSL3_MASTER_SECRET_SIZE); + *secret_size = SSL3_MASTER_SECRET_SIZE; + return 1; } int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, @@ -580,7 +600,7 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, NULL, 0, NULL, 0, s->session->master_key, s->session->master_key_length, - out, olen); + out, olen, 0); goto ret; err1: @@ -592,77 +612,79 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, rv = 0; ret: OPENSSL_clear_free(val, vallen); - return (rv); + return rv; } int tls1_alert_code(int code) { switch (code) { case SSL_AD_CLOSE_NOTIFY: - return (SSL3_AD_CLOSE_NOTIFY); + return SSL3_AD_CLOSE_NOTIFY; case SSL_AD_UNEXPECTED_MESSAGE: - return (SSL3_AD_UNEXPECTED_MESSAGE); + return SSL3_AD_UNEXPECTED_MESSAGE; case SSL_AD_BAD_RECORD_MAC: - return (SSL3_AD_BAD_RECORD_MAC); + return SSL3_AD_BAD_RECORD_MAC; case SSL_AD_DECRYPTION_FAILED: - return (TLS1_AD_DECRYPTION_FAILED); + return TLS1_AD_DECRYPTION_FAILED; case SSL_AD_RECORD_OVERFLOW: - return (TLS1_AD_RECORD_OVERFLOW); + return TLS1_AD_RECORD_OVERFLOW; case SSL_AD_DECOMPRESSION_FAILURE: - return (SSL3_AD_DECOMPRESSION_FAILURE); + return SSL3_AD_DECOMPRESSION_FAILURE; case SSL_AD_HANDSHAKE_FAILURE: - return (SSL3_AD_HANDSHAKE_FAILURE); + return SSL3_AD_HANDSHAKE_FAILURE; case SSL_AD_NO_CERTIFICATE: - return (-1); + return -1; case SSL_AD_BAD_CERTIFICATE: - return (SSL3_AD_BAD_CERTIFICATE); + return SSL3_AD_BAD_CERTIFICATE; case SSL_AD_UNSUPPORTED_CERTIFICATE: - return (SSL3_AD_UNSUPPORTED_CERTIFICATE); + return SSL3_AD_UNSUPPORTED_CERTIFICATE; case SSL_AD_CERTIFICATE_REVOKED: - return (SSL3_AD_CERTIFICATE_REVOKED); + return SSL3_AD_CERTIFICATE_REVOKED; case SSL_AD_CERTIFICATE_EXPIRED: - return (SSL3_AD_CERTIFICATE_EXPIRED); + return SSL3_AD_CERTIFICATE_EXPIRED; case SSL_AD_CERTIFICATE_UNKNOWN: - return (SSL3_AD_CERTIFICATE_UNKNOWN); + return SSL3_AD_CERTIFICATE_UNKNOWN; case SSL_AD_ILLEGAL_PARAMETER: - return (SSL3_AD_ILLEGAL_PARAMETER); + return SSL3_AD_ILLEGAL_PARAMETER; case SSL_AD_UNKNOWN_CA: - return (TLS1_AD_UNKNOWN_CA); + return TLS1_AD_UNKNOWN_CA; case SSL_AD_ACCESS_DENIED: - return (TLS1_AD_ACCESS_DENIED); + return TLS1_AD_ACCESS_DENIED; case SSL_AD_DECODE_ERROR: - return (TLS1_AD_DECODE_ERROR); + return TLS1_AD_DECODE_ERROR; case SSL_AD_DECRYPT_ERROR: - return (TLS1_AD_DECRYPT_ERROR); + return TLS1_AD_DECRYPT_ERROR; case SSL_AD_EXPORT_RESTRICTION: - return (TLS1_AD_EXPORT_RESTRICTION); + return TLS1_AD_EXPORT_RESTRICTION; case SSL_AD_PROTOCOL_VERSION: - return (TLS1_AD_PROTOCOL_VERSION); + return TLS1_AD_PROTOCOL_VERSION; case SSL_AD_INSUFFICIENT_SECURITY: - return (TLS1_AD_INSUFFICIENT_SECURITY); + return TLS1_AD_INSUFFICIENT_SECURITY; case SSL_AD_INTERNAL_ERROR: - return (TLS1_AD_INTERNAL_ERROR); + return TLS1_AD_INTERNAL_ERROR; case SSL_AD_USER_CANCELLED: - return (TLS1_AD_USER_CANCELLED); + return TLS1_AD_USER_CANCELLED; case SSL_AD_NO_RENEGOTIATION: - return (TLS1_AD_NO_RENEGOTIATION); + return TLS1_AD_NO_RENEGOTIATION; case SSL_AD_UNSUPPORTED_EXTENSION: - return (TLS1_AD_UNSUPPORTED_EXTENSION); + return TLS1_AD_UNSUPPORTED_EXTENSION; case SSL_AD_CERTIFICATE_UNOBTAINABLE: - return (TLS1_AD_CERTIFICATE_UNOBTAINABLE); + return TLS1_AD_CERTIFICATE_UNOBTAINABLE; case SSL_AD_UNRECOGNIZED_NAME: - return (TLS1_AD_UNRECOGNIZED_NAME); + return TLS1_AD_UNRECOGNIZED_NAME; case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: - return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); + return TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE; case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: - return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); + return TLS1_AD_BAD_CERTIFICATE_HASH_VALUE; case SSL_AD_UNKNOWN_PSK_IDENTITY: - return (TLS1_AD_UNKNOWN_PSK_IDENTITY); + return TLS1_AD_UNKNOWN_PSK_IDENTITY; case SSL_AD_INAPPROPRIATE_FALLBACK: - return (TLS1_AD_INAPPROPRIATE_FALLBACK); + return TLS1_AD_INAPPROPRIATE_FALLBACK; case SSL_AD_NO_APPLICATION_PROTOCOL: - return (TLS1_AD_NO_APPLICATION_PROTOCOL); + return TLS1_AD_NO_APPLICATION_PROTOCOL; + case SSL_AD_CERTIFICATE_REQUIRED: + return SSL_AD_HANDSHAKE_FAILURE; default: - return (-1); + return -1; } } diff --git a/deps/openssl/openssl/ssl/t1_ext.c b/deps/openssl/openssl/ssl/t1_ext.c deleted file mode 100644 index a996a20dec..0000000000 --- a/deps/openssl/openssl/ssl/t1_ext.c +++ /dev/null @@ -1,283 +0,0 @@ -/* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* Custom extension utility functions */ - -#include <openssl/ct.h> -#include "ssl_locl.h" - -/* Find a custom extension from the list. */ -static custom_ext_method *custom_ext_find(const custom_ext_methods *exts, - unsigned int ext_type) -{ - size_t i; - custom_ext_method *meth = exts->meths; - for (i = 0; i < exts->meths_count; i++, meth++) { - if (ext_type == meth->ext_type) - return meth; - } - return NULL; -} - -/* - * Initialise custom extensions flags to indicate neither sent nor received. - */ -void custom_ext_init(custom_ext_methods *exts) -{ - size_t i; - custom_ext_method *meth = exts->meths; - for (i = 0; i < exts->meths_count; i++, meth++) - meth->ext_flags = 0; -} - -/* Pass received custom extension data to the application for parsing. */ -int custom_ext_parse(SSL *s, int server, - unsigned int ext_type, - const unsigned char *ext_data, size_t ext_size, int *al) -{ - custom_ext_methods *exts = server ? &s->cert->srv_ext : &s->cert->cli_ext; - custom_ext_method *meth; - meth = custom_ext_find(exts, ext_type); - /* If not found return success */ - if (!meth) - return 1; - if (!server) { - /* - * If it's ServerHello we can't have any extensions not sent in - * ClientHello. - */ - if (!(meth->ext_flags & SSL_EXT_FLAG_SENT)) { - *al = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; - } - } - /* If already present it's a duplicate */ - if (meth->ext_flags & SSL_EXT_FLAG_RECEIVED) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - meth->ext_flags |= SSL_EXT_FLAG_RECEIVED; - /* If no parse function set return success */ - if (!meth->parse_cb) - return 1; - - return meth->parse_cb(s, ext_type, ext_data, ext_size, al, meth->parse_arg); -} - -/* - * Request custom extension data from the application and add to the return - * buffer. - */ -int custom_ext_add(SSL *s, int server, - unsigned char **pret, unsigned char *limit, int *al) -{ - custom_ext_methods *exts = server ? &s->cert->srv_ext : &s->cert->cli_ext; - custom_ext_method *meth; - unsigned char *ret = *pret; - size_t i; - - for (i = 0; i < exts->meths_count; i++) { - const unsigned char *out = NULL; - size_t outlen = 0; - meth = exts->meths + i; - - if (server) { - /* - * For ServerHello only send extensions present in ClientHello. - */ - if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED)) - continue; - /* If callback absent for server skip it */ - if (!meth->add_cb) - continue; - } - if (meth->add_cb) { - int cb_retval = 0; - cb_retval = meth->add_cb(s, meth->ext_type, - &out, &outlen, al, meth->add_arg); - if (cb_retval < 0) - return 0; /* error */ - if (cb_retval == 0) - continue; /* skip this extension */ - } - if (4 > limit - ret || outlen > (size_t)(limit - ret - 4)) - return 0; - s2n(meth->ext_type, ret); - s2n(outlen, ret); - if (outlen) { - memcpy(ret, out, outlen); - ret += outlen; - } - /* - * We can't send duplicates: code logic should prevent this. - */ - OPENSSL_assert(!(meth->ext_flags & SSL_EXT_FLAG_SENT)); - /* - * Indicate extension has been sent: this is both a sanity check to - * ensure we don't send duplicate extensions and indicates that it is - * not an error if the extension is present in ServerHello. - */ - meth->ext_flags |= SSL_EXT_FLAG_SENT; - if (meth->free_cb) - meth->free_cb(s, meth->ext_type, out, meth->add_arg); - } - *pret = ret; - return 1; -} - -/* Copy the flags from src to dst for any extensions that exist in both */ -int custom_exts_copy_flags(custom_ext_methods *dst, - const custom_ext_methods *src) -{ - size_t i; - custom_ext_method *methsrc = src->meths; - - for (i = 0; i < src->meths_count; i++, methsrc++) { - custom_ext_method *methdst = custom_ext_find(dst, methsrc->ext_type); - - if (methdst == NULL) - continue; - - methdst->ext_flags = methsrc->ext_flags; - } - - return 1; -} - -/* Copy table of custom extensions */ -int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src) -{ - if (src->meths_count) { - dst->meths = - OPENSSL_memdup(src->meths, - sizeof(custom_ext_method) * src->meths_count); - if (dst->meths == NULL) - return 0; - dst->meths_count = src->meths_count; - } - return 1; -} - -void custom_exts_free(custom_ext_methods *exts) -{ - OPENSSL_free(exts->meths); -} - -/* Set callbacks for a custom extension. */ -static int custom_ext_meth_add(custom_ext_methods *exts, - unsigned int ext_type, - custom_ext_add_cb add_cb, - custom_ext_free_cb free_cb, - void *add_arg, - custom_ext_parse_cb parse_cb, void *parse_arg) -{ - custom_ext_method *meth, *tmp; - /* - * Check application error: if add_cb is not set free_cb will never be - * called. - */ - if (!add_cb && free_cb) - return 0; - /* - * Don't add if extension supported internally, but make exception - * for extension types that previously were not supported, but now are. - */ - if (SSL_extension_supported(ext_type) && - ext_type != TLSEXT_TYPE_signed_certificate_timestamp) - return 0; - /* Extension type must fit in 16 bits */ - if (ext_type > 0xffff) - return 0; - /* Search for duplicate */ - if (custom_ext_find(exts, ext_type)) - return 0; - tmp = OPENSSL_realloc(exts->meths, - (exts->meths_count + 1) * sizeof(custom_ext_method)); - - if (tmp == NULL) - return 0; - - exts->meths = tmp; - meth = exts->meths + exts->meths_count; - memset(meth, 0, sizeof(*meth)); - meth->parse_cb = parse_cb; - meth->add_cb = add_cb; - meth->free_cb = free_cb; - meth->ext_type = ext_type; - meth->add_arg = add_arg; - meth->parse_arg = parse_arg; - exts->meths_count++; - return 1; -} - -/* Return true if a client custom extension exists, false otherwise */ -int SSL_CTX_has_client_custom_ext(const SSL_CTX *ctx, unsigned int ext_type) -{ - return custom_ext_find(&ctx->cert->cli_ext, ext_type) != NULL; -} - -/* Application level functions to add custom extension callbacks */ -int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type, - custom_ext_add_cb add_cb, - custom_ext_free_cb free_cb, - void *add_arg, - custom_ext_parse_cb parse_cb, void *parse_arg) -{ -#ifndef OPENSSL_NO_CT - /* - * We don't want applications registering callbacks for SCT extensions - * whilst simultaneously using the built-in SCT validation features, as - * these two things may not play well together. - */ - if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp && - SSL_CTX_ct_is_enabled(ctx)) - return 0; -#endif - return custom_ext_meth_add(&ctx->cert->cli_ext, ext_type, add_cb, - free_cb, add_arg, parse_cb, parse_arg); -} - -int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type, - custom_ext_add_cb add_cb, - custom_ext_free_cb free_cb, - void *add_arg, - custom_ext_parse_cb parse_cb, void *parse_arg) -{ - return custom_ext_meth_add(&ctx->cert->srv_ext, ext_type, - add_cb, free_cb, add_arg, parse_cb, parse_arg); -} - -int SSL_extension_supported(unsigned int ext_type) -{ - switch (ext_type) { - /* Internally supported extensions. */ - case TLSEXT_TYPE_application_layer_protocol_negotiation: - case TLSEXT_TYPE_ec_point_formats: - case TLSEXT_TYPE_elliptic_curves: - case TLSEXT_TYPE_heartbeat: -#ifndef OPENSSL_NO_NEXTPROTONEG - case TLSEXT_TYPE_next_proto_neg: -#endif - case TLSEXT_TYPE_padding: - case TLSEXT_TYPE_renegotiate: - case TLSEXT_TYPE_server_name: - case TLSEXT_TYPE_session_ticket: - case TLSEXT_TYPE_signature_algorithms: - case TLSEXT_TYPE_srp: - case TLSEXT_TYPE_status_request: - case TLSEXT_TYPE_signed_certificate_timestamp: - case TLSEXT_TYPE_use_srtp: -#ifdef TLSEXT_TYPE_encrypt_then_mac - case TLSEXT_TYPE_encrypt_then_mac: -#endif - return 1; - default: - return 0; - } -} diff --git a/deps/openssl/openssl/ssl/t1_lib.c b/deps/openssl/openssl/ssl/t1_lib.c index 95711fb6df..fc41ed90e7 100644 --- a/deps/openssl/openssl/ssl/t1_lib.c +++ b/deps/openssl/openssl/ssl/t1_lib.c @@ -17,19 +17,10 @@ #include <openssl/x509v3.h> #include <openssl/dh.h> #include <openssl/bn.h> +#include "internal/nelem.h" #include "ssl_locl.h" #include <openssl/ct.h> - -#define CHECKLEN(curr, val, limit) \ - (((curr) >= (limit)) || (size_t)((limit) - (curr)) < (size_t)(val)) - -static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, - const unsigned char *sess_id, int sesslen, - SSL_SESSION **psess); -static int ssl_check_clienthello_tlsext_early(SSL *s); -static int ssl_check_serverhello_tlsext(SSL *s); - SSL3_ENC_METHOD const TLSv1_enc_data = { tls1_enc, tls1_mac, @@ -37,14 +28,13 @@ SSL3_ENC_METHOD const TLSv1_enc_data = { tls1_generate_master_secret, tls1_change_cipher_state, tls1_final_finish_mac, - TLS1_FINISH_MAC_LENGTH, TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, tls1_alert_code, tls1_export_keying_material, 0, - SSL3_HM_HEADER_LENGTH, ssl3_set_handshake_header, + tls_close_construct_packet, ssl3_handshake_write }; @@ -55,14 +45,13 @@ SSL3_ENC_METHOD const TLSv1_1_enc_data = { tls1_generate_master_secret, tls1_change_cipher_state, tls1_final_finish_mac, - TLS1_FINISH_MAC_LENGTH, TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, tls1_alert_code, tls1_export_keying_material, SSL_ENC_FLAG_EXPLICIT_IV, - SSL3_HM_HEADER_LENGTH, ssl3_set_handshake_header, + tls_close_construct_packet, ssl3_handshake_write }; @@ -73,15 +62,31 @@ SSL3_ENC_METHOD const TLSv1_2_enc_data = { tls1_generate_master_secret, tls1_change_cipher_state, tls1_final_finish_mac, - TLS1_FINISH_MAC_LENGTH, TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, tls1_alert_code, tls1_export_keying_material, SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS, - SSL3_HM_HEADER_LENGTH, ssl3_set_handshake_header, + tls_close_construct_packet, + ssl3_handshake_write +}; + +SSL3_ENC_METHOD const TLSv1_3_enc_data = { + tls13_enc, + tls1_mac, + tls13_setup_key_block, + tls13_generate_master_secret, + tls13_change_cipher_state, + tls13_final_finish_mac, + TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, + TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, + tls13_alert_code, + tls13_export_keying_material, + SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF, + ssl3_set_handshake_header, + tls_close_construct_packet, ssl3_handshake_write }; @@ -97,40 +102,40 @@ long tls1_default_timeout(void) int tls1_new(SSL *s) { if (!ssl3_new(s)) - return (0); - s->method->ssl_clear(s); - return (1); + return 0; + if (!s->method->ssl_clear(s)) + return 0; + + return 1; } void tls1_free(SSL *s) { - OPENSSL_free(s->tlsext_session_ticket); + OPENSSL_free(s->ext.session_ticket); ssl3_free(s); } -void tls1_clear(SSL *s) +int tls1_clear(SSL *s) { - ssl3_clear(s); + if (!ssl3_clear(s)) + return 0; + if (s->method->version == TLS_ANY_VERSION) s->version = TLS_MAX_VERSION; else s->version = s->method->version; + + return 1; } #ifndef OPENSSL_NO_EC -typedef struct { - int nid; /* Curve NID */ - int secbits; /* Bits of security (from SP800-57) */ - unsigned int flags; /* Flags: currently just field type */ -} tls_curve_info; - /* * Table of curve information. * Do not delete entries or reorder this array! It is used as a lookup * table: the index of each entry is one less than the TLS curve id. */ -static const tls_curve_info nid_list[] = { +static const TLS_GROUP_INFO nid_list[] = { {NID_sect163k1, 80, TLS_CURVE_CHAR2}, /* sect163k1 (1) */ {NID_sect163r1, 80, TLS_CURVE_CHAR2}, /* sect163r1 (2) */ {NID_sect163r2, 80, TLS_CURVE_CHAR2}, /* sect163r2 (3) */ @@ -159,7 +164,8 @@ static const tls_curve_info nid_list[] = { {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */ - {NID_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */ + {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */ + {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */ }; static const unsigned char ecformats_default[] = { @@ -169,160 +175,117 @@ static const unsigned char ecformats_default[] = { }; /* The default curves */ -static const unsigned char eccurves_default[] = { - 0, 29, /* X25519 (29) */ - 0, 23, /* secp256r1 (23) */ - 0, 25, /* secp521r1 (25) */ - 0, 24, /* secp384r1 (24) */ +static const uint16_t eccurves_default[] = { + 29, /* X25519 (29) */ + 23, /* secp256r1 (23) */ + 30, /* X448 (30) */ + 25, /* secp521r1 (25) */ + 24, /* secp384r1 (24) */ }; -static const unsigned char suiteb_curves[] = { - 0, TLSEXT_curve_P_256, - 0, TLSEXT_curve_P_384 +static const uint16_t suiteb_curves[] = { + TLSEXT_curve_P_256, + TLSEXT_curve_P_384 }; -int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags) +const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id) { - const tls_curve_info *cinfo; /* ECC curves from RFC 4492 and RFC 7027 */ - if ((curve_id < 1) || ((unsigned int)curve_id > OSSL_NELEM(nid_list))) - return 0; - cinfo = nid_list + curve_id - 1; - if (pflags) - *pflags = cinfo->flags; - return cinfo->nid; + if (group_id < 1 || group_id > OSSL_NELEM(nid_list)) + return NULL; + return &nid_list[group_id - 1]; } -int tls1_ec_nid2curve_id(int nid) +static uint16_t tls1_nid2group_id(int nid) { size_t i; for (i = 0; i < OSSL_NELEM(nid_list); i++) { if (nid_list[i].nid == nid) - return i + 1; + return (uint16_t)(i + 1); } return 0; } /* - * Get curves list, if "sess" is set return client curves otherwise - * preferred list. - * Sets |num_curves| to the number of curves in the list, i.e., - * the length of |pcurves| is 2 * num_curves. - * Returns 1 on success and 0 if the client curves list has invalid format. - * The latter indicates an internal error: we should not be accepting such - * lists in the first place. - * TODO(emilia): we should really be storing the curves list in explicitly - * parsed form instead. (However, this would affect binary compatibility - * so cannot happen in the 1.0.x series.) + * Set *pgroups to the supported groups list and *pgroupslen to + * the number of groups supported. */ -static int tls1_get_curvelist(SSL *s, int sess, - const unsigned char **pcurves, size_t *num_curves) +void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, + size_t *pgroupslen) { - size_t pcurveslen = 0; - if (sess) { - *pcurves = s->session->tlsext_ellipticcurvelist; - pcurveslen = s->session->tlsext_ellipticcurvelist_length; - } else { - /* For Suite B mode only include P-256, P-384 */ - switch (tls1_suiteb(s)) { - case SSL_CERT_FLAG_SUITEB_128_LOS: - *pcurves = suiteb_curves; - pcurveslen = sizeof(suiteb_curves); - break; + /* For Suite B mode only include P-256, P-384 */ + switch (tls1_suiteb(s)) { + case SSL_CERT_FLAG_SUITEB_128_LOS: + *pgroups = suiteb_curves; + *pgroupslen = OSSL_NELEM(suiteb_curves); + break; - case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: - *pcurves = suiteb_curves; - pcurveslen = 2; - break; + case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: + *pgroups = suiteb_curves; + *pgroupslen = 1; + break; - case SSL_CERT_FLAG_SUITEB_192_LOS: - *pcurves = suiteb_curves + 2; - pcurveslen = 2; - break; - default: - *pcurves = s->tlsext_ellipticcurvelist; - pcurveslen = s->tlsext_ellipticcurvelist_length; - } - if (!*pcurves) { - *pcurves = eccurves_default; - pcurveslen = sizeof(eccurves_default); - } - } + case SSL_CERT_FLAG_SUITEB_192_LOS: + *pgroups = suiteb_curves + 1; + *pgroupslen = 1; + break; - /* We do not allow odd length arrays to enter the system. */ - if (pcurveslen & 1) { - SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR); - *num_curves = 0; - return 0; + default: + if (s->ext.supportedgroups == NULL) { + *pgroups = eccurves_default; + *pgroupslen = OSSL_NELEM(eccurves_default); + } else { + *pgroups = s->ext.supportedgroups; + *pgroupslen = s->ext.supportedgroups_len; + } + break; } - *num_curves = pcurveslen / 2; - return 1; } /* See if curve is allowed by security callback */ -static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op) +int tls_curve_allowed(SSL *s, uint16_t curve, int op) { - const tls_curve_info *cinfo; - if (curve[0]) - return 1; - if ((curve[1] < 1) || ((size_t)curve[1] > OSSL_NELEM(nid_list))) + const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve); + unsigned char ctmp[2]; + + if (cinfo == NULL) return 0; - cinfo = &nid_list[curve[1] - 1]; # ifdef OPENSSL_NO_EC2M if (cinfo->flags & TLS_CURVE_CHAR2) return 0; # endif - return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve); + ctmp[0] = curve >> 8; + ctmp[1] = curve & 0xff; + return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp); } -/* Check a curve is one of our preferences */ -int tls1_check_curve(SSL *s, const unsigned char *p, size_t len) +/* Return 1 if "id" is in "list" */ +static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen) { - const unsigned char *curves; - size_t num_curves, i; - unsigned int suiteb_flags = tls1_suiteb(s); - if (len != 3 || p[0] != NAMED_CURVE_TYPE) - return 0; - /* Check curve matches Suite B preferences */ - if (suiteb_flags) { - unsigned long cid = s->s3->tmp.new_cipher->id; - if (p[1]) - return 0; - if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) { - if (p[2] != TLSEXT_curve_P_256) - return 0; - } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) { - if (p[2] != TLSEXT_curve_P_384) - return 0; - } else /* Should never happen */ - return 0; - } - if (!tls1_get_curvelist(s, 0, &curves, &num_curves)) - return 0; - for (i = 0; i < num_curves; i++, curves += 2) { - if (p[1] == curves[0] && p[2] == curves[1]) - return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK); - } + size_t i; + for (i = 0; i < listlen; i++) + if (list[i] == id) + return 1; return 0; } /*- - * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef + * For nmatch >= 0, return the id of the |nmatch|th shared group or 0 * if there is no match. * For nmatch == -1, return number of matches - * For nmatch == -2, return the NID of the curve to use for - * an EC tmp key, or NID_undef if there is no match. + * For nmatch == -2, return the id of the group to use for + * a tmp key, or 0 if there is no match. */ -int tls1_shared_curve(SSL *s, int nmatch) +uint16_t tls1_shared_group(SSL *s, int nmatch) { - const unsigned char *pref, *supp; - size_t num_pref, num_supp, i, j; + const uint16_t *pref, *supp; + size_t num_pref, num_supp, i; int k; /* Can't do anything on client side */ if (s->server == 0) - return -1; + return 0; if (nmatch == -2) { if (tls1_suiteb(s)) { /* @@ -332,79 +295,78 @@ int tls1_shared_curve(SSL *s, int nmatch) unsigned long cid = s->s3->tmp.new_cipher->id; if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) - return NID_X9_62_prime256v1; /* P-256 */ + return TLSEXT_curve_P_256; if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) - return NID_secp384r1; /* P-384 */ + return TLSEXT_curve_P_384; /* Should never happen */ - return NID_undef; + return 0; } /* If not Suite B just return first preference shared curve */ nmatch = 0; } /* - * Avoid truncation. tls1_get_curvelist takes an int - * but s->options is a long... + * If server preference set, our groups are the preference order + * otherwise peer decides. */ - if (!tls1_get_curvelist(s, - (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, - &supp, &num_supp)) - /* In practice, NID_undef == 0 but let's be precise. */ - return nmatch == -1 ? 0 : NID_undef; - if (!tls1_get_curvelist(s, - (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0, - &pref, &num_pref)) - return nmatch == -1 ? 0 : NID_undef; - - for (k = 0, i = 0; i < num_pref; i++, pref += 2) { - const unsigned char *tsupp = supp; - - for (j = 0; j < num_supp; j++, tsupp += 2) { - if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) { - if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED)) - continue; - if (nmatch == k) { - int id = (pref[0] << 8) | pref[1]; + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { + tls1_get_supported_groups(s, &pref, &num_pref); + tls1_get_peer_groups(s, &supp, &num_supp); + } else { + tls1_get_peer_groups(s, &pref, &num_pref); + tls1_get_supported_groups(s, &supp, &num_supp); + } - return tls1_ec_curve_id2nid(id, NULL); - } - k++; - } - } + for (k = 0, i = 0; i < num_pref; i++) { + uint16_t id = pref[i]; + + if (!tls1_in_list(id, supp, num_supp) + || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED)) + continue; + if (nmatch == k) + return id; + k++; } if (nmatch == -1) return k; /* Out of range (nmatch > k). */ - return NID_undef; + return 0; } -int tls1_set_curves(unsigned char **pext, size_t *pextlen, - int *curves, size_t ncurves) +int tls1_set_groups(uint16_t **pext, size_t *pextlen, + int *groups, size_t ngroups) { - unsigned char *clist, *p; + uint16_t *glist; size_t i; /* - * Bitmap of curves included to detect duplicates: only works while curve + * Bitmap of groups included to detect duplicates: only works while group * ids < 32 */ unsigned long dup_list = 0; - clist = OPENSSL_malloc(ncurves * 2); - if (clist == NULL) + + if (ngroups == 0) { + SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH); + return 0; + } + if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) { + SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE); return 0; - for (i = 0, p = clist; i < ncurves; i++) { + } + for (i = 0; i < ngroups; i++) { unsigned long idmask; - int id; - id = tls1_ec_nid2curve_id(curves[i]); + uint16_t id; + /* TODO(TLS1.3): Convert for DH groups */ + id = tls1_nid2group_id(groups[i]); idmask = 1L << id; if (!id || (dup_list & idmask)) { - OPENSSL_free(clist); + OPENSSL_free(glist); return 0; } dup_list |= idmask; - s2n(id, p); + glist[i] = id; } OPENSSL_free(*pext); - *pext = clist; - *pextlen = ncurves * 2; + *pext = glist; + *pextlen = ngroups; return 1; } @@ -443,8 +405,8 @@ static int nid_cb(const char *elem, int len, void *arg) return 1; } -/* Set curves based on a colon separate list */ -int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str) +/* Set groups based on a colon separate list */ +int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str) { nid_cb_st ncb; ncb.nidcnt = 0; @@ -452,110 +414,129 @@ int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str) return 0; if (pext == NULL) return 1; - return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt); + return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt); } - -/* For an EC key set TLS id and required compression based on parameters */ -static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id, - EC_KEY *ec) +/* Return group id of a key */ +static uint16_t tls1_get_group_id(EVP_PKEY *pkey) { - int id; + EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); const EC_GROUP *grp; - if (!ec) + + if (ec == NULL) return 0; - /* Determine if it is a prime field */ grp = EC_KEY_get0_group(ec); - if (!grp) - return 0; - /* Determine curve ID */ - id = EC_GROUP_get_curve_name(grp); - id = tls1_ec_nid2curve_id(id); - /* If no id return error: we don't support arbitrary explicit curves */ - if (id == 0) - return 0; - curve_id[0] = 0; - curve_id[1] = (unsigned char)id; - if (comp_id) { - if (EC_KEY_get0_public_key(ec) == NULL) - return 0; - if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) { - *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; - } else { - if ((nid_list[id - 1].flags & TLS_CURVE_TYPE) == TLS_CURVE_PRIME) - *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; - else - *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; - } - } - return 1; + return tls1_nid2group_id(EC_GROUP_get_curve_name(grp)); } -# define DONT_CHECK_OWN_GROUPS 0 -# define CHECK_OWN_GROUPS 1 -/* Check an EC key is compatible with extensions */ -static int tls1_check_ec_key(SSL *s, unsigned char *curve_id, - unsigned char *comp_id, int check_own_groups) +/* Check a key is compatible with compression extension */ +static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) { - const unsigned char *pformats, *pcurves; - size_t num_formats, num_curves, i; - int j; + const EC_KEY *ec; + const EC_GROUP *grp; + unsigned char comp_id; + size_t i; + /* If not an EC key nothing to check */ + if (EVP_PKEY_id(pkey) != EVP_PKEY_EC) + return 1; + ec = EVP_PKEY_get0_EC_KEY(pkey); + grp = EC_KEY_get0_group(ec); + + /* Get required compression id */ + if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) { + comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; + } else if (SSL_IS_TLS13(s)) { + /* + * ec_point_formats extension is not used in TLSv1.3 so we ignore + * this check. + */ + return 1; + } else { + int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp)); + + if (field_type == NID_X9_62_prime_field) + comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; + else if (field_type == NID_X9_62_characteristic_two_field) + comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; + else + return 0; + } /* * If point formats extension present check it, otherwise everything is * supported (see RFC4492). */ - if (comp_id && s->session->tlsext_ecpointformatlist) { - pformats = s->session->tlsext_ecpointformatlist; - num_formats = s->session->tlsext_ecpointformatlist_length; - for (i = 0; i < num_formats; i++, pformats++) { - if (*comp_id == *pformats) - break; - } - if (i == num_formats) - return 0; - } - if (!curve_id) + if (s->session->ext.ecpointformats == NULL) return 1; - if (!s->server && !check_own_groups) - return 1; + for (i = 0; i < s->session->ext.ecpointformats_len; i++) { + if (s->session->ext.ecpointformats[i] == comp_id) + return 1; + } + return 0; +} + +/* Check a group id matches preferences */ +int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) + { + const uint16_t *groups; + size_t groups_len; - /* Check curve is consistent with client and server preferences */ - for (j = check_own_groups ? 0 : 1; j <= 1; j++) { - if (!tls1_get_curvelist(s, j, &pcurves, &num_curves)) + if (group_id == 0) + return 0; + + /* Check for Suite B compliance */ + if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) { + unsigned long cid = s->s3->tmp.new_cipher->id; + + if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) { + if (group_id != TLSEXT_curve_P_256) + return 0; + } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) { + if (group_id != TLSEXT_curve_P_384) + return 0; + } else { + /* Should never happen */ return 0; - if (j == 1 && num_curves == 0) { - /* - * If we've not received any curves then skip this check. - * RFC 4492 does not require the supported elliptic curves extension - * so if it is not sent we can just choose any curve. - * It is invalid to send an empty list in the elliptic curves - * extension, so num_curves == 0 always means no extension. - */ - break; - } - for (i = 0; i < num_curves; i++, pcurves += 2) { - if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1]) - break; } - if (i == num_curves) + } + + if (check_own_groups) { + /* Check group is one of our preferences */ + tls1_get_supported_groups(s, &groups, &groups_len); + if (!tls1_in_list(group_id, groups, groups_len)) return 0; - /* For clients can only check sent curve list */ - if (!s->server) - break; } - return 1; + + if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) + return 0; + + /* For clients, nothing more to check */ + if (!s->server) + return 1; + + /* Check group is one of peers preferences */ + tls1_get_peer_groups(s, &groups, &groups_len); + + /* + * RFC 4492 does not require the supported elliptic curves extension + * so if it is not sent we can just choose any curve. + * It is invalid to send an empty list in the supported groups + * extension, so groups_len == 0 always means no extension. + */ + if (groups_len == 0) + return 1; + return tls1_in_list(group_id, groups, groups_len); } -static void tls1_get_formatlist(SSL *s, const unsigned char **pformats, - size_t *num_formats) +void tls1_get_formatlist(SSL *s, const unsigned char **pformats, + size_t *num_formats) { /* * If we have a custom point format list use it otherwise use default */ - if (s->tlsext_ecpointformatlist) { - *pformats = s->tlsext_ecpointformatlist; - *num_formats = s->tlsext_ecpointformatlist_length; + if (s->ext.ecpointformats) { + *pformats = s->ext.ecpointformats; + *num_formats = s->ext.ecpointformats_len; } else { *pformats = ecformats_default; /* For Suite B we don't support char2 fields */ @@ -570,63 +551,51 @@ static void tls1_get_formatlist(SSL *s, const unsigned char **pformats, * Check cert parameters compatible with extensions: currently just checks EC * certificates have compatible curves and compression. */ -static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) +static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md) { - unsigned char comp_id, curve_id[2]; + uint16_t group_id; EVP_PKEY *pkey; - int rv; pkey = X509_get0_pubkey(x); - if (!pkey) + if (pkey == NULL) return 0; /* If not EC nothing to do */ if (EVP_PKEY_id(pkey) != EVP_PKEY_EC) return 1; - rv = tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey)); - if (!rv) + /* Check compression */ + if (!tls1_check_pkey_comp(s, pkey)) return 0; + group_id = tls1_get_group_id(pkey); /* - * Can't check curve_id for client certs as we don't have a supported - * curves extension. For server certs we will tolerate certificates that - * aren't in our own list of curves. If we've been configured to use an EC - * cert then we should use it - therefore we use DONT_CHECK_OWN_GROUPS here. + * For a server we allow the certificate to not be in our list of supported + * groups. */ - rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id, - DONT_CHECK_OWN_GROUPS); - if (!rv) + if (!tls1_check_group_id(s, group_id, !s->server)) return 0; /* * Special case for suite B. We *MUST* sign using SHA256+P-256 or - * SHA384+P-384, adjust digest if necessary. + * SHA384+P-384. */ - if (set_ee_md && tls1_suiteb(s)) { + if (check_ee_md && tls1_suiteb(s)) { int check_md; size_t i; CERT *c = s->cert; - if (curve_id[0]) - return 0; + /* Check to see we have necessary signing algorithm */ - if (curve_id[1] == TLSEXT_curve_P_256) + if (group_id == TLSEXT_curve_P_256) check_md = NID_ecdsa_with_SHA256; - else if (curve_id[1] == TLSEXT_curve_P_384) + else if (group_id == TLSEXT_curve_P_384) check_md = NID_ecdsa_with_SHA384; else return 0; /* Should never happen */ - for (i = 0; i < c->shared_sigalgslen; i++) - if (check_md == c->shared_sigalgs[i].signandhash_nid) - break; - if (i == c->shared_sigalgslen) - return 0; - if (set_ee_md == 2) { - if (check_md == NID_ecdsa_with_SHA256) - s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha256(); - else - s->s3->tmp.md[SSL_PKEY_ECC] = EVP_sha384(); + for (i = 0; i < c->shared_sigalgslen; i++) { + if (check_md == c->shared_sigalgs[i]->sigandhash) + return 1;; } + return 0; } - return rv; + return 1; } -# ifndef OPENSSL_NO_EC /* * tls1_check_ec_tmp_key - Check EC temporary key compatibility * @s: SSL connection @@ -639,31 +608,20 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) */ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) { + /* If not Suite B just need a shared group */ + if (!tls1_suiteb(s)) + return tls1_shared_group(s, 0) != 0; /* * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other * curves permitted. */ - if (tls1_suiteb(s)) { - unsigned char curve_id[2]; - /* Curve to check determined by ciphersuite */ - if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) - curve_id[1] = TLSEXT_curve_P_256; - else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) - curve_id[1] = TLSEXT_curve_P_384; - else - return 0; - curve_id[0] = 0; - /* Check this curve is acceptable */ - if (!tls1_check_ec_key(s, curve_id, NULL, CHECK_OWN_GROUPS)) - return 0; - return 1; - } - /* Need a shared curve */ - if (tls1_shared_curve(s, 0)) - return 1; + if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) + return tls1_check_group_id(s, TLSEXT_curve_P_256, 1); + if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) + return tls1_check_group_id(s, TLSEXT_curve_P_384, 1); + return 0; } -# endif /* OPENSSL_NO_EC */ #else @@ -674,54 +632,286 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) #endif /* OPENSSL_NO_EC */ -/* - * List of supported signature algorithms and hashes. Should make this - * customisable at some point, for now include everything we support. - */ - -#ifdef OPENSSL_NO_RSA -# define tlsext_sigalg_rsa(md) /* */ -#else -# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, +/* Default sigalg schemes */ +static const uint16_t tls12_sigalgs[] = { +#ifndef OPENSSL_NO_EC + TLSEXT_SIGALG_ecdsa_secp256r1_sha256, + TLSEXT_SIGALG_ecdsa_secp384r1_sha384, + TLSEXT_SIGALG_ecdsa_secp521r1_sha512, + TLSEXT_SIGALG_ed25519, + TLSEXT_SIGALG_ed448, #endif -#ifdef OPENSSL_NO_DSA -# define tlsext_sigalg_dsa(md) /* */ -#else -# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, -#endif + TLSEXT_SIGALG_rsa_pss_pss_sha256, + TLSEXT_SIGALG_rsa_pss_pss_sha384, + TLSEXT_SIGALG_rsa_pss_pss_sha512, + TLSEXT_SIGALG_rsa_pss_rsae_sha256, + TLSEXT_SIGALG_rsa_pss_rsae_sha384, + TLSEXT_SIGALG_rsa_pss_rsae_sha512, -#ifdef OPENSSL_NO_EC -# define tlsext_sigalg_ecdsa(md)/* */ -#else -# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, + TLSEXT_SIGALG_rsa_pkcs1_sha256, + TLSEXT_SIGALG_rsa_pkcs1_sha384, + TLSEXT_SIGALG_rsa_pkcs1_sha512, + +#ifndef OPENSSL_NO_EC + TLSEXT_SIGALG_ecdsa_sha224, + TLSEXT_SIGALG_ecdsa_sha1, #endif + TLSEXT_SIGALG_rsa_pkcs1_sha224, + TLSEXT_SIGALG_rsa_pkcs1_sha1, +#ifndef OPENSSL_NO_DSA + TLSEXT_SIGALG_dsa_sha224, + TLSEXT_SIGALG_dsa_sha1, -#define tlsext_sigalg(md) \ - tlsext_sigalg_rsa(md) \ - tlsext_sigalg_dsa(md) \ - tlsext_sigalg_ecdsa(md) - -static const unsigned char tls12_sigalgs[] = { - tlsext_sigalg(TLSEXT_hash_sha512) - tlsext_sigalg(TLSEXT_hash_sha384) - tlsext_sigalg(TLSEXT_hash_sha256) - tlsext_sigalg(TLSEXT_hash_sha224) - tlsext_sigalg(TLSEXT_hash_sha1) + TLSEXT_SIGALG_dsa_sha256, + TLSEXT_SIGALG_dsa_sha384, + TLSEXT_SIGALG_dsa_sha512, +#endif #ifndef OPENSSL_NO_GOST - TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001, - TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256, - TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512 + TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, + TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, + TLSEXT_SIGALG_gostr34102001_gostr3411, #endif }; #ifndef OPENSSL_NO_EC -static const unsigned char suiteb_sigalgs[] = { - tlsext_sigalg_ecdsa(TLSEXT_hash_sha256) - tlsext_sigalg_ecdsa(TLSEXT_hash_sha384) +static const uint16_t suiteb_sigalgs[] = { + TLSEXT_SIGALG_ecdsa_secp256r1_sha256, + TLSEXT_SIGALG_ecdsa_secp384r1_sha384 }; #endif -size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs) + +static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { +#ifndef OPENSSL_NO_EC + {"ecdsa_secp256r1_sha256", TLSEXT_SIGALG_ecdsa_secp256r1_sha256, + NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, + NID_ecdsa_with_SHA256, NID_X9_62_prime256v1}, + {"ecdsa_secp384r1_sha384", TLSEXT_SIGALG_ecdsa_secp384r1_sha384, + NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, + NID_ecdsa_with_SHA384, NID_secp384r1}, + {"ecdsa_secp521r1_sha512", TLSEXT_SIGALG_ecdsa_secp521r1_sha512, + NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, + NID_ecdsa_with_SHA512, NID_secp521r1}, + {"ed25519", TLSEXT_SIGALG_ed25519, + NID_undef, -1, EVP_PKEY_ED25519, SSL_PKEY_ED25519, + NID_undef, NID_undef}, + {"ed448", TLSEXT_SIGALG_ed448, + NID_undef, -1, EVP_PKEY_ED448, SSL_PKEY_ED448, + NID_undef, NID_undef}, + {NULL, TLSEXT_SIGALG_ecdsa_sha224, + NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, + NID_ecdsa_with_SHA224, NID_undef}, + {NULL, TLSEXT_SIGALG_ecdsa_sha1, + NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC, + NID_ecdsa_with_SHA1, NID_undef}, +#endif + {"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256, + NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, + NID_undef, NID_undef}, + {"rsa_pss_rsae_sha384", TLSEXT_SIGALG_rsa_pss_rsae_sha384, + NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, + NID_undef, NID_undef}, + {"rsa_pss_rsae_sha512", TLSEXT_SIGALG_rsa_pss_rsae_sha512, + NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA, + NID_undef, NID_undef}, + {"rsa_pss_pss_sha256", TLSEXT_SIGALG_rsa_pss_pss_sha256, + NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, + NID_undef, NID_undef}, + {"rsa_pss_pss_sha384", TLSEXT_SIGALG_rsa_pss_pss_sha384, + NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, + NID_undef, NID_undef}, + {"rsa_pss_pss_sha512", TLSEXT_SIGALG_rsa_pss_pss_sha512, + NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA_PSS_SIGN, + NID_undef, NID_undef}, + {"rsa_pkcs1_sha256", TLSEXT_SIGALG_rsa_pkcs1_sha256, + NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, + NID_sha256WithRSAEncryption, NID_undef}, + {"rsa_pkcs1_sha384", TLSEXT_SIGALG_rsa_pkcs1_sha384, + NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, + NID_sha384WithRSAEncryption, NID_undef}, + {"rsa_pkcs1_sha512", TLSEXT_SIGALG_rsa_pkcs1_sha512, + NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, + NID_sha512WithRSAEncryption, NID_undef}, + {"rsa_pkcs1_sha224", TLSEXT_SIGALG_rsa_pkcs1_sha224, + NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, + NID_sha224WithRSAEncryption, NID_undef}, + {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1, + NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, + NID_sha1WithRSAEncryption, NID_undef}, +#ifndef OPENSSL_NO_DSA + {NULL, TLSEXT_SIGALG_dsa_sha256, + NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, + NID_dsa_with_SHA256, NID_undef}, + {NULL, TLSEXT_SIGALG_dsa_sha384, + NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, + NID_undef, NID_undef}, + {NULL, TLSEXT_SIGALG_dsa_sha512, + NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, + NID_undef, NID_undef}, + {NULL, TLSEXT_SIGALG_dsa_sha224, + NID_sha224, SSL_MD_SHA224_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, + NID_undef, NID_undef}, + {NULL, TLSEXT_SIGALG_dsa_sha1, + NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, + NID_dsaWithSHA1, NID_undef}, +#endif +#ifndef OPENSSL_NO_GOST + {NULL, TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, + NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX, + NID_id_GostR3410_2012_256, SSL_PKEY_GOST12_256, + NID_undef, NID_undef}, + {NULL, TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, + NID_id_GostR3411_2012_512, SSL_MD_GOST12_512_IDX, + NID_id_GostR3410_2012_512, SSL_PKEY_GOST12_512, + NID_undef, NID_undef}, + {NULL, TLSEXT_SIGALG_gostr34102001_gostr3411, + NID_id_GostR3411_94, SSL_MD_GOST94_IDX, + NID_id_GostR3410_2001, SSL_PKEY_GOST01, + NID_undef, NID_undef} +#endif +}; +/* Legacy sigalgs for TLS < 1.2 RSA TLS signatures */ +static const SIGALG_LOOKUP legacy_rsa_sigalg = { + "rsa_pkcs1_md5_sha1", 0, + NID_md5_sha1, SSL_MD_MD5_SHA1_IDX, + EVP_PKEY_RSA, SSL_PKEY_RSA, + NID_undef, NID_undef +}; + +/* + * Default signature algorithm values used if signature algorithms not present. + * From RFC5246. Note: order must match certificate index order. + */ +static const uint16_t tls_default_sigalg[] = { + TLSEXT_SIGALG_rsa_pkcs1_sha1, /* SSL_PKEY_RSA */ + 0, /* SSL_PKEY_RSA_PSS_SIGN */ + TLSEXT_SIGALG_dsa_sha1, /* SSL_PKEY_DSA_SIGN */ + TLSEXT_SIGALG_ecdsa_sha1, /* SSL_PKEY_ECC */ + TLSEXT_SIGALG_gostr34102001_gostr3411, /* SSL_PKEY_GOST01 */ + TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, /* SSL_PKEY_GOST12_256 */ + TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, /* SSL_PKEY_GOST12_512 */ + 0, /* SSL_PKEY_ED25519 */ + 0, /* SSL_PKEY_ED448 */ +}; + +/* Lookup TLS signature algorithm */ +static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg) +{ + size_t i; + const SIGALG_LOOKUP *s; + + for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); + i++, s++) { + if (s->sigalg == sigalg) + return s; + } + return NULL; +} +/* Lookup hash: return 0 if invalid or not enabled */ +int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd) +{ + const EVP_MD *md; + if (lu == NULL) + return 0; + /* lu->hash == NID_undef means no associated digest */ + if (lu->hash == NID_undef) { + md = NULL; + } else { + md = ssl_md(lu->hash_idx); + if (md == NULL) + return 0; + } + if (pmd) + *pmd = md; + return 1; +} + +/* + * Check if key is large enough to generate RSA-PSS signature. + * + * The key must greater than or equal to 2 * hash length + 2. + * SHA512 has a hash length of 64 bytes, which is incompatible + * with a 128 byte (1024 bit) key. + */ +#define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2) +static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu) +{ + const EVP_MD *md; + + if (rsa == NULL) + return 0; + if (!tls1_lookup_md(lu, &md) || md == NULL) + return 0; + if (RSA_size(rsa) < RSA_PSS_MINIMUM_KEY_SIZE(md)) + return 0; + return 1; +} + +/* + * Return a signature algorithm for TLS < 1.2 where the signature type + * is fixed by the certificate type. + */ +static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) +{ + if (idx == -1) { + if (s->server) { + size_t i; + + /* Work out index corresponding to ciphersuite */ + for (i = 0; i < SSL_PKEY_NUM; i++) { + const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(i); + + if (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) { + idx = i; + break; + } + } + + /* + * Some GOST ciphersuites allow more than one signature algorithms + * */ + if (idx == SSL_PKEY_GOST01 && s->s3->tmp.new_cipher->algorithm_auth != SSL_aGOST01) { + int real_idx; + + for (real_idx = SSL_PKEY_GOST12_512; real_idx >= SSL_PKEY_GOST01; + real_idx--) { + if (s->cert->pkeys[real_idx].privatekey != NULL) { + idx = real_idx; + break; + } + } + } + } else { + idx = s->cert->key - s->cert->pkeys; + } + } + if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg)) + return NULL; + if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { + const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]); + + if (!tls1_lookup_md(lu, NULL)) + return NULL; + return lu; + } + return &legacy_rsa_sigalg; +} +/* Set peer sigalg based key type */ +int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey) +{ + size_t idx; + const SIGALG_LOOKUP *lu; + + if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) + return 0; + lu = tls1_get_legacy_sigalg(s, idx); + if (lu == NULL) + return 0; + s->s3->tmp.peer_sigalg = lu; + return 1; +} + +size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs) { /* * If Suite B mode use Suite B sigalgs only, ignore any other @@ -731,19 +921,23 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs) switch (tls1_suiteb(s)) { case SSL_CERT_FLAG_SUITEB_128_LOS: *psigs = suiteb_sigalgs; - return sizeof(suiteb_sigalgs); + return OSSL_NELEM(suiteb_sigalgs); case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: *psigs = suiteb_sigalgs; - return 2; + return 1; case SSL_CERT_FLAG_SUITEB_192_LOS: - *psigs = suiteb_sigalgs + 2; - return 2; + *psigs = suiteb_sigalgs + 1; + return 1; } #endif - /* If server use client authentication sigalgs if not NULL */ - if (s->server == sent && s->cert->client_sigalgs) { + /* + * We use client_sigalgs (if not NULL) if we're a server + * and sending a certificate request or if we're a client and + * determining which shared algorithm to use. + */ + if ((s->server == sent) && s->cert->client_sigalgs != NULL) { *psigs = s->cert->client_sigalgs; return s->cert->client_sigalgslen; } else if (s->cert->conf_sigalgs) { @@ -751,91 +945,190 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs) return s->cert->conf_sigalgslen; } else { *psigs = tls12_sigalgs; - return sizeof(tls12_sigalgs); + return OSSL_NELEM(tls12_sigalgs); } } +#ifndef OPENSSL_NO_EC /* - * Check signature algorithm received from the peer with a signature is - * consistent with the sent supported signature algorithms and if so return - * relevant digest. + * Called by servers only. Checks that we have a sig alg that supports the + * specified EC curve. */ -int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, - const unsigned char *sig, EVP_PKEY *pkey) +int tls_check_sigalg_curve(const SSL *s, int curve) { - const unsigned char *sent_sigs; - size_t sent_sigslen, i; - int sigalg = tls12_get_sigid(pkey); + const uint16_t *sigs; + size_t siglen, i; + + if (s->cert->conf_sigalgs) { + sigs = s->cert->conf_sigalgs; + siglen = s->cert->conf_sigalgslen; + } else { + sigs = tls12_sigalgs; + siglen = OSSL_NELEM(tls12_sigalgs); + } + + for (i = 0; i < siglen; i++) { + const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(sigs[i]); + + if (lu == NULL) + continue; + if (lu->sig == EVP_PKEY_EC + && lu->curve != NID_undef + && curve == lu->curve) + return 1; + } + + return 0; +} +#endif + +/* + * Check signature algorithm is consistent with sent supported signature + * algorithms and if so set relevant digest and signature scheme in + * s. + */ +int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) +{ + const uint16_t *sent_sigs; + const EVP_MD *md = NULL; + char sigalgstr[2]; + size_t sent_sigslen, i, cidx; + int pkeyid = EVP_PKEY_id(pkey); + const SIGALG_LOOKUP *lu; + /* Should never happen */ - if (sigalg == -1) + if (pkeyid == -1) return -1; - /* Check key type is consistent with signature */ - if (sigalg != (int)sig[1]) { - SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); + if (SSL_IS_TLS13(s)) { + /* Disallow DSA for TLS 1.3 */ + if (pkeyid == EVP_PKEY_DSA) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_WRONG_SIGNATURE_TYPE); + return 0; + } + /* Only allow PSS for TLS 1.3 */ + if (pkeyid == EVP_PKEY_RSA) + pkeyid = EVP_PKEY_RSA_PSS; + } + lu = tls1_lookup_sigalg(sig); + /* + * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type + * is consistent with signature: RSA keys can be used for RSA-PSS + */ + if (lu == NULL + || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224)) + || (pkeyid != lu->sig + && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_WRONG_SIGNATURE_TYPE); + return 0; + } + /* Check the sigalg is consistent with the key OID */ + if (!ssl_cert_lookup_by_nid(EVP_PKEY_id(pkey), &cidx) + || lu->sig_idx != (int)cidx) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_WRONG_SIGNATURE_TYPE); return 0; } + #ifndef OPENSSL_NO_EC - if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { - unsigned char curve_id[2], comp_id; - /* Check compression and curve matches extensions */ - if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey))) - return 0; - if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id, - CHECK_OWN_GROUPS)) { - SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); + if (pkeyid == EVP_PKEY_EC) { + + /* Check point compression is permitted */ + if (!tls1_check_pkey_comp(s, pkey)) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_ILLEGAL_POINT_COMPRESSION); return 0; } - /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */ - if (tls1_suiteb(s)) { - if (curve_id[0]) + + /* For TLS 1.3 or Suite B check curve matches signature algorithm */ + if (SSL_IS_TLS13(s) || tls1_suiteb(s)) { + EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); + int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); + + if (lu->curve != NID_undef && curve != lu->curve) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); return 0; - if (curve_id[1] == TLSEXT_curve_P_256) { - if (sig[0] != TLSEXT_hash_sha256) { - SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, - SSL_R_ILLEGAL_SUITEB_DIGEST); - return 0; - } - } else if (curve_id[1] == TLSEXT_curve_P_384) { - if (sig[0] != TLSEXT_hash_sha384) { - SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, - SSL_R_ILLEGAL_SUITEB_DIGEST); + } + } + if (!SSL_IS_TLS13(s)) { + /* Check curve matches extensions */ + if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); + return 0; + } + if (tls1_suiteb(s)) { + /* Check sigalg matches a permissible Suite B value */ + if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256 + && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_WRONG_SIGNATURE_TYPE); return 0; } - } else - return 0; + } } - } else if (tls1_suiteb(s)) + } else if (tls1_suiteb(s)) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_WRONG_SIGNATURE_TYPE); return 0; + } #endif /* Check signature matches a type we sent */ sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); - for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) { - if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1]) + for (i = 0; i < sent_sigslen; i++, sent_sigs++) { + if (sig == *sent_sigs) break; } /* Allow fallback to SHA1 if not strict mode */ - if (i == sent_sigslen - && (sig[0] != TLSEXT_hash_sha1 - || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { - SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); + if (i == sent_sigslen && (lu->hash != NID_sha1 + || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_WRONG_SIGNATURE_TYPE); return 0; } - *pmd = tls12_get_hash(sig[0]); - if (*pmd == NULL) { - SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST); + if (!tls1_lookup_md(lu, &md)) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_UNKNOWN_DIGEST); return 0; } - /* Make sure security callback allows algorithm */ - if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK, - EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) { - SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); - return 0; + if (md != NULL) { + /* + * Make sure security callback allows algorithm. For historical + * reasons we have to pass the sigalg as a two byte char array. + */ + sigalgstr[0] = (sig >> 8) & 0xff; + sigalgstr[1] = sig & 0xff; + if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK, + EVP_MD_size(md) * 4, EVP_MD_type(md), + (void *)sigalgstr)) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_WRONG_SIGNATURE_TYPE); + return 0; + } } - /* - * Store the digest used so applications can retrieve it if they wish. - */ - s->s3->tmp.peer_md = *pmd; + /* Store the sigalg the peer uses */ + s->s3->tmp.peer_sigalg = lu; + return 1; +} + +int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid) +{ + if (s->s3->tmp.peer_sigalg == NULL) + return 0; + *pnid = s->s3->tmp.peer_sigalg->sig; + return 1; +} + +int SSL_get_signature_type_nid(const SSL *s, int *pnid) +{ + if (s->s3->tmp.sigalg == NULL) + return 0; + *pnid = s->s3->tmp.sigalg->sig; return 1; } @@ -849,12 +1142,14 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, * * Call ssl_cipher_disabled() to check that it's enabled or not. */ -void ssl_set_client_disabled(SSL *s) +int ssl_set_client_disabled(SSL *s) { s->s3->tmp.mask_a = 0; s->s3->tmp.mask_k = 0; ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK); - ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver); + if (ssl_get_min_max_version(s, &s->s3->tmp.min_ver, + &s->s3->tmp.max_ver, NULL) != 0) + return 0; #ifndef OPENSSL_NO_PSK /* with PSK there must be client callback set */ if (!s->psk_client_callback) { @@ -868,6 +1163,7 @@ void ssl_set_client_disabled(SSL *s) s->s3->tmp.mask_k |= SSL_kSRP; } #endif + return 1; } /* @@ -907,2316 +1203,251 @@ int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe) return !ssl_security(s, op, c->strength_bits, 0, (void *)c); } -static int tls_use_ticket(SSL *s) +int tls_use_ticket(SSL *s) { - if (s->options & SSL_OP_NO_TICKET) + if ((s->options & SSL_OP_NO_TICKET)) return 0; return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL); } -static int compare_uint(const void *p1, const void *p2) -{ - unsigned int u1 = *((const unsigned int *)p1); - unsigned int u2 = *((const unsigned int *)p2); - if (u1 < u2) - return -1; - else if (u1 > u2) - return 1; - else - return 0; -} - -/* - * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be - * more than one extension of the same type in a ClientHello or ServerHello. - * This function does an initial scan over the extensions block to filter those - * out. It returns 1 if all extensions are unique, and 0 if the extensions - * contain duplicates, could not be successfully parsed, or an internal error - * occurred. - */ -static int tls1_check_duplicate_extensions(const PACKET *packet) -{ - PACKET extensions = *packet; - size_t num_extensions = 0, i = 0; - unsigned int *extension_types = NULL; - int ret = 0; - - /* First pass: count the extensions. */ - while (PACKET_remaining(&extensions) > 0) { - unsigned int type; - PACKET extension; - if (!PACKET_get_net_2(&extensions, &type) || - !PACKET_get_length_prefixed_2(&extensions, &extension)) { - goto done; - } - num_extensions++; - } - - if (num_extensions <= 1) - return 1; - - extension_types = OPENSSL_malloc(sizeof(unsigned int) * num_extensions); - if (extension_types == NULL) { - SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_MALLOC_FAILURE); - goto done; - } - - /* Second pass: gather the extension types. */ - extensions = *packet; - for (i = 0; i < num_extensions; i++) { - PACKET extension; - if (!PACKET_get_net_2(&extensions, &extension_types[i]) || - !PACKET_get_length_prefixed_2(&extensions, &extension)) { - /* This should not happen. */ - SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR); - goto done; - } - } - - if (PACKET_remaining(&extensions) != 0) { - SSLerr(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS, ERR_R_INTERNAL_ERROR); - goto done; - } - /* Sort the extensions and make sure there are no duplicates. */ - qsort(extension_types, num_extensions, sizeof(unsigned int), compare_uint); - for (i = 1; i < num_extensions; i++) { - if (extension_types[i - 1] == extension_types[i]) - goto done; - } - ret = 1; - done: - OPENSSL_free(extension_types); - return ret; -} - -unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, - unsigned char *limit, int *al) -{ - int extdatalen = 0; - unsigned char *orig = buf; - unsigned char *ret = buf; -#ifndef OPENSSL_NO_EC - /* See if we support any ECC ciphersuites */ - int using_ecc = 0; - if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) { - int i; - unsigned long alg_k, alg_a; - STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); - - for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { - const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); - - alg_k = c->algorithm_mkey; - alg_a = c->algorithm_auth; - if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) - || (alg_a & SSL_aECDSA)) { - using_ecc = 1; - break; - } - } - } -#endif - - ret += 2; - - if (ret >= limit) - return NULL; /* this really never occurs, but ... */ - - /* Add RI if renegotiating */ - if (s->renegotiate) { - int el; - - if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - if (CHECKLEN(ret, 4 + el, limit)) - return NULL; - - s2n(TLSEXT_TYPE_renegotiate, ret); - s2n(el, ret); - - if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - ret += el; - } - /* Only add RI for SSLv3 */ - if (s->client_version == SSL3_VERSION) - goto done; - - if (s->tlsext_hostname != NULL) { - /* Add TLS extension servername to the Client Hello message */ - size_t size_str; - - /*- - * check for enough space. - * 4 for the servername type and extension length - * 2 for servernamelist length - * 1 for the hostname type - * 2 for hostname length - * + hostname length - */ - size_str = strlen(s->tlsext_hostname); - if (CHECKLEN(ret, 9 + size_str, limit)) - return NULL; - - /* extension type and length */ - s2n(TLSEXT_TYPE_server_name, ret); - s2n(size_str + 5, ret); - - /* length of servername list */ - s2n(size_str + 3, ret); - - /* hostname type, length and hostname */ - *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name; - s2n(size_str, ret); - memcpy(ret, s->tlsext_hostname, size_str); - ret += size_str; - } -#ifndef OPENSSL_NO_SRP - /* Add SRP username if there is one */ - if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the - * Client Hello message */ - - size_t login_len = strlen(s->srp_ctx.login); - if (login_len > 255 || login_len == 0) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - /*- - * check for enough space. - * 4 for the srp type type and extension length - * 1 for the srp user identity - * + srp user identity length - */ - if (CHECKLEN(ret, 5 + login_len, limit)) - return NULL; - - /* fill in the extension */ - s2n(TLSEXT_TYPE_srp, ret); - s2n(login_len + 1, ret); - (*ret++) = (unsigned char)login_len; - memcpy(ret, s->srp_ctx.login, login_len); - ret += login_len; - } -#endif - -#ifndef OPENSSL_NO_EC - if (using_ecc) { - /* - * Add TLS extension ECPointFormats to the ClientHello message - */ - const unsigned char *pcurves, *pformats; - size_t num_curves, num_formats, curves_list_len; - size_t i; - unsigned char *etmp; - - tls1_get_formatlist(s, &pformats, &num_formats); - - if (num_formats > 255) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - /*- - * check for enough space. - * 4 bytes for the ec point formats type and extension length - * 1 byte for the length of the formats - * + formats length - */ - if (CHECKLEN(ret, 5 + num_formats, limit)) - return NULL; - - s2n(TLSEXT_TYPE_ec_point_formats, ret); - /* The point format list has 1-byte length. */ - s2n(num_formats + 1, ret); - *(ret++) = (unsigned char)num_formats; - memcpy(ret, pformats, num_formats); - ret += num_formats; - - /* - * Add TLS extension EllipticCurves to the ClientHello message - */ - pcurves = s->tlsext_ellipticcurvelist; - if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) - return NULL; - - if (num_curves > 65532 / 2) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - /*- - * check for enough space. - * 4 bytes for the ec curves type and extension length - * 2 bytes for the curve list length - * + curve list length - */ - if (CHECKLEN(ret, 6 + (num_curves * 2), limit)) - return NULL; - - s2n(TLSEXT_TYPE_elliptic_curves, ret); - etmp = ret + 4; - /* Copy curve ID if supported */ - for (i = 0; i < num_curves; i++, pcurves += 2) { - if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) { - *etmp++ = pcurves[0]; - *etmp++ = pcurves[1]; - } - } - - curves_list_len = etmp - ret - 4; - - s2n(curves_list_len + 2, ret); - s2n(curves_list_len, ret); - ret += curves_list_len; - } -#endif /* OPENSSL_NO_EC */ - - if (tls_use_ticket(s)) { - size_t ticklen; - if (!s->new_session && s->session && s->session->tlsext_tick) - ticklen = s->session->tlsext_ticklen; - else if (s->session && s->tlsext_session_ticket && - s->tlsext_session_ticket->data) { - ticklen = s->tlsext_session_ticket->length; - s->session->tlsext_tick = OPENSSL_malloc(ticklen); - if (s->session->tlsext_tick == NULL) - return NULL; - memcpy(s->session->tlsext_tick, - s->tlsext_session_ticket->data, ticklen); - s->session->tlsext_ticklen = ticklen; - } else - ticklen = 0; - if (ticklen == 0 && s->tlsext_session_ticket && - s->tlsext_session_ticket->data == NULL) - goto skip_ext; - /* - * Check for enough room 2 for extension type, 2 for len rest for - * ticket - */ - if (CHECKLEN(ret, 4 + ticklen, limit)) - return NULL; - s2n(TLSEXT_TYPE_session_ticket, ret); - s2n(ticklen, ret); - if (ticklen > 0) { - memcpy(ret, s->session->tlsext_tick, ticklen); - ret += ticklen; - } - } - skip_ext: - -#ifndef OPENSSL_NO_OCSP - if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { - int i; - size_t extlen, idlen; - int lentmp; - OCSP_RESPID *id; - - idlen = 0; - for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { - id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); - lentmp = i2d_OCSP_RESPID(id, NULL); - if (lentmp <= 0) - return NULL; - idlen += (size_t)lentmp + 2; - } - - if (s->tlsext_ocsp_exts) { - lentmp = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); - if (lentmp < 0) - return NULL; - extlen = (size_t)lentmp; - } else - extlen = 0; - - if (extlen + idlen > 0xFFF0) - return NULL; - /* - * 2 bytes for status request type - * 2 bytes for status request len - * 1 byte for OCSP request type - * 2 bytes for length of ids - * 2 bytes for length of extensions - * + length of ids - * + length of extensions - */ - if (CHECKLEN(ret, 9 + idlen + extlen, limit)) - return NULL; - - s2n(TLSEXT_TYPE_status_request, ret); - s2n(extlen + idlen + 5, ret); - *(ret++) = TLSEXT_STATUSTYPE_ocsp; - s2n(idlen, ret); - for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { - /* save position of id len */ - unsigned char *q = ret; - id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); - /* skip over id len */ - ret += 2; - lentmp = i2d_OCSP_RESPID(id, &ret); - /* write id len */ - s2n(lentmp, q); - } - s2n(extlen, ret); - if (extlen > 0) - i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); - } -#endif -#ifndef OPENSSL_NO_HEARTBEATS - if (SSL_IS_DTLS(s)) { - /* Add Heartbeat extension */ - - /*- - * check for enough space. - * 4 bytes for the heartbeat ext type and extension length - * 1 byte for the mode - */ - if (CHECKLEN(ret, 5, limit)) - return NULL; - - s2n(TLSEXT_TYPE_heartbeat, ret); - s2n(1, ret); - /*- - * Set mode: - * 1: peer may send requests - * 2: peer not allowed to send requests - */ - if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS) - *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS; - else - *(ret++) = SSL_DTLSEXT_HB_ENABLED; - } -#endif - -#ifndef OPENSSL_NO_NEXTPROTONEG - if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { - /* - * The client advertises an empty extension to indicate its support - * for Next Protocol Negotiation - */ - - /*- - * check for enough space. - * 4 bytes for the NPN ext type and extension length - */ - if (CHECKLEN(ret, 4, limit)) - return NULL; - s2n(TLSEXT_TYPE_next_proto_neg, ret); - s2n(0, ret); - } -#endif - - /* - * finish_md_len is non-zero during a renegotiation, so - * this avoids sending ALPN during the renegotiation - * (see longer comment below) - */ - if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) { - /*- - * check for enough space. - * 4 bytes for the ALPN type and extension length - * 2 bytes for the ALPN protocol list length - * + ALPN protocol list length - */ - if (CHECKLEN(ret, 6 + s->alpn_client_proto_list_len, limit)) - return NULL; - s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); - s2n(2 + s->alpn_client_proto_list_len, ret); - s2n(s->alpn_client_proto_list_len, ret); - memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len); - ret += s->alpn_client_proto_list_len; - s->s3->alpn_sent = 1; - } -#ifndef OPENSSL_NO_SRTP - if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { - int el; - - /* Returns 0 on success!! */ - if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - /*- - * check for enough space. - * 4 bytes for the SRTP type and extension length - * + SRTP profiles length - */ - if (CHECKLEN(ret, 4 + el, limit)) - return NULL; - - s2n(TLSEXT_TYPE_use_srtp, ret); - s2n(el, ret); - - if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - ret += el; - } -#endif - custom_ext_init(&s->cert->cli_ext); - /* Add custom TLS Extensions to ClientHello */ - if (!custom_ext_add(s, 0, &ret, limit, al)) - return NULL; - /* - * In 1.1.0 before 1.1.0c we negotiated EtM with DTLS, then just - * silently failed to actually do it. It is fixed in 1.1.1 but to - * ease the transition especially from 1.1.0b to 1.1.0c, we just - * disable it in 1.1.0. - * Also skip if SSL_OP_NO_ENCRYPT_THEN_MAC is set. - */ - if (!SSL_IS_DTLS(s) && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) { - /*- - * check for enough space. - * 4 bytes for the ETM type and extension length - */ - if (CHECKLEN(ret, 4, limit)) - return NULL; - s2n(TLSEXT_TYPE_encrypt_then_mac, ret); - s2n(0, ret); - } - -#ifndef OPENSSL_NO_CT - if (s->ct_validation_callback != NULL) { - /*- - * check for enough space. - * 4 bytes for the SCT type and extension length - */ - if (CHECKLEN(ret, 4, limit)) - return NULL; - - s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret); - s2n(0, ret); - } -#endif - - /*- - * check for enough space. - * 4 bytes for the EMS type and extension length - */ - if (CHECKLEN(ret, 4, limit)) - return NULL; - s2n(TLSEXT_TYPE_extended_master_secret, ret); - s2n(0, ret); - - /* - * WebSphere application server can not handle having the - * last extension be 0-length (e.g. EMS, EtM), so keep those - * before SigAlgs - */ - if (SSL_CLIENT_USE_SIGALGS(s)) { - size_t salglen; - const unsigned char *salg; - unsigned char *etmp; - salglen = tls12_get_psigalgs(s, 1, &salg); - - /*- - * check for enough space. - * 4 bytes for the sigalgs type and extension length - * 2 bytes for the sigalg list length - * + sigalg list length - */ - if (CHECKLEN(ret, salglen + 6, limit)) - return NULL; - s2n(TLSEXT_TYPE_signature_algorithms, ret); - etmp = ret; - /* Skip over lengths for now */ - ret += 4; - salglen = tls12_copy_sigalgs(s, ret, salg, salglen); - /* Fill in lengths */ - s2n(salglen + 2, etmp); - s2n(salglen, etmp); - ret += salglen; - } - - /* - * Add padding to workaround bugs in F5 terminators. See - * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this - * code works out the length of all existing extensions it MUST always - * appear last. WebSphere 7.x/8.x is intolerant of empty extensions - * being last, so minimum length of 1. - */ - if (s->options & SSL_OP_TLSEXT_PADDING) { - int hlen = ret - (unsigned char *)s->init_buf->data; - - if (hlen > 0xff && hlen < 0x200) { - hlen = 0x200 - hlen; - if (hlen >= 4) - hlen -= 4; - else - hlen = 1; - - /*- - * check for enough space. Strictly speaking we know we've already - * got enough space because to get here the message size is < 0x200, - * but we know that we've allocated far more than that in the buffer - * - but for consistency and robustness we're going to check anyway. - * - * 4 bytes for the padding type and extension length - * + padding length - */ - if (CHECKLEN(ret, 4 + hlen, limit)) - return NULL; - s2n(TLSEXT_TYPE_padding, ret); - s2n(hlen, ret); - memset(ret, 0, hlen); - ret += hlen; - } - } - - done: - - if ((extdatalen = ret - orig - 2) == 0) - return orig; - - s2n(extdatalen, orig); - return ret; -} - -unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, - unsigned char *limit, int *al) -{ - int extdatalen = 0; - unsigned char *orig = buf; - unsigned char *ret = buf; -#ifndef OPENSSL_NO_NEXTPROTONEG - int next_proto_neg_seen; -#endif -#ifndef OPENSSL_NO_EC - unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; - int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA); - using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); -#endif - - ret += 2; - if (ret >= limit) - return NULL; /* this really never occurs, but ... */ - - if (s->s3->send_connection_binding) { - int el; - - /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */ - if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - /*- - * check for enough space. - * 4 bytes for the reneg type and extension length - * + reneg data length - */ - if (CHECKLEN(ret, 4 + el, limit)) - return NULL; - - s2n(TLSEXT_TYPE_renegotiate, ret); - s2n(el, ret); - - if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - ret += el; - } - - /* Only add RI for SSLv3 */ - if (s->version == SSL3_VERSION) - goto done; - - if (!s->hit && s->servername_done == 1 - && s->session->tlsext_hostname != NULL) { - /*- - * check for enough space. - * 4 bytes for the server name type and extension length - */ - if (CHECKLEN(ret, 4, limit)) - return NULL; - - s2n(TLSEXT_TYPE_server_name, ret); - s2n(0, ret); - } -#ifndef OPENSSL_NO_EC - if (using_ecc) { - const unsigned char *plist; - size_t plistlen; - /* - * Add TLS extension ECPointFormats to the ServerHello message - */ - - tls1_get_formatlist(s, &plist, &plistlen); - - if (plistlen > 255) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - /*- - * check for enough space. - * 4 bytes for the ec points format type and extension length - * 1 byte for the points format list length - * + length of points format list - */ - if (CHECKLEN(ret, 5 + plistlen, limit)) - return NULL; - - s2n(TLSEXT_TYPE_ec_point_formats, ret); - s2n(plistlen + 1, ret); - *(ret++) = (unsigned char)plistlen; - memcpy(ret, plist, plistlen); - ret += plistlen; - - } - /* - * Currently the server should not respond with a SupportedCurves - * extension - */ -#endif /* OPENSSL_NO_EC */ - - if (s->tlsext_ticket_expected && tls_use_ticket(s)) { - /*- - * check for enough space. - * 4 bytes for the Ticket type and extension length - */ - if (CHECKLEN(ret, 4, limit)) - return NULL; - s2n(TLSEXT_TYPE_session_ticket, ret); - s2n(0, ret); - } else { - /* - * if we don't add the above TLSEXT, we can't add a session ticket - * later - */ - s->tlsext_ticket_expected = 0; - } - - if (s->tlsext_status_expected) { - /*- - * check for enough space. - * 4 bytes for the Status request type and extension length - */ - if (CHECKLEN(ret, 4, limit)) - return NULL; - s2n(TLSEXT_TYPE_status_request, ret); - s2n(0, ret); - } -#ifndef OPENSSL_NO_SRTP - if (SSL_IS_DTLS(s) && s->srtp_profile) { - int el; - - /* Returns 0 on success!! */ - if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - /*- - * check for enough space. - * 4 bytes for the SRTP profiles type and extension length - * + length of the SRTP profiles list - */ - if (CHECKLEN(ret, 4 + el, limit)) - return NULL; - - s2n(TLSEXT_TYPE_use_srtp, ret); - s2n(el, ret); - - if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - ret += el; - } -#endif - - if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 - || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) - && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { - const unsigned char cryptopro_ext[36] = { - 0xfd, 0xe8, /* 65000 */ - 0x00, 0x20, /* 32 bytes length */ - 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, - 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, - 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, - 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 - }; - - /* check for enough space. */ - if (CHECKLEN(ret, sizeof(cryptopro_ext), limit)) - return NULL; - memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); - ret += sizeof(cryptopro_ext); - - } -#ifndef OPENSSL_NO_HEARTBEATS - /* Add Heartbeat extension if we've received one */ - if (SSL_IS_DTLS(s) && (s->tlsext_heartbeat & SSL_DTLSEXT_HB_ENABLED)) { - /*- - * check for enough space. - * 4 bytes for the Heartbeat type and extension length - * 1 byte for the mode - */ - if (CHECKLEN(ret, 5, limit)) - return NULL; - s2n(TLSEXT_TYPE_heartbeat, ret); - s2n(1, ret); - /*- - * Set mode: - * 1: peer may send requests - * 2: peer not allowed to send requests - */ - if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS) - *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS; - else - *(ret++) = SSL_DTLSEXT_HB_ENABLED; - - } -#endif - -#ifndef OPENSSL_NO_NEXTPROTONEG - next_proto_neg_seen = s->s3->next_proto_neg_seen; - s->s3->next_proto_neg_seen = 0; - if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { - const unsigned char *npa; - unsigned int npalen; - int r; - - r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, - s-> - ctx->next_protos_advertised_cb_arg); - if (r == SSL_TLSEXT_ERR_OK) { - /*- - * check for enough space. - * 4 bytes for the NPN type and extension length - * + length of protocols list - */ - if (CHECKLEN(ret, 4 + npalen, limit)) - return NULL; - s2n(TLSEXT_TYPE_next_proto_neg, ret); - s2n(npalen, ret); - memcpy(ret, npa, npalen); - ret += npalen; - s->s3->next_proto_neg_seen = 1; - } - } -#endif - if (!custom_ext_add(s, 1, &ret, limit, al)) - return NULL; - if (s->tlsext_use_etm) { - /* - * Don't use encrypt_then_mac if AEAD or RC4 might want to disable - * for other cases too. - */ - if (SSL_IS_DTLS(s) || s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD - || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4 - || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT - || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) - s->tlsext_use_etm = 0; - else { - /*- - * check for enough space. - * 4 bytes for the ETM type and extension length - */ - if (CHECKLEN(ret, 4, limit)) - return NULL; - s2n(TLSEXT_TYPE_encrypt_then_mac, ret); - s2n(0, ret); - } - } - if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) { - /*- - * check for enough space. - * 4 bytes for the EMS type and extension length - */ - if (CHECKLEN(ret, 4, limit)) - return NULL; - s2n(TLSEXT_TYPE_extended_master_secret, ret); - s2n(0, ret); - } - - if (s->s3->alpn_selected != NULL) { - const unsigned char *selected = s->s3->alpn_selected; - size_t len = s->s3->alpn_selected_len; - - /*- - * check for enough space. - * 4 bytes for the ALPN type and extension length - * 2 bytes for ALPN data length - * 1 byte for selected protocol length - * + length of the selected protocol - */ - if (CHECKLEN(ret, 7 + len, limit)) - return NULL; - s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret); - s2n(3 + len, ret); - s2n(1 + len, ret); - *ret++ = len; - memcpy(ret, selected, len); - ret += len; - } - - done: - - if ((extdatalen = ret - orig - 2) == 0) - return orig; - - s2n(extdatalen, orig); - return ret; -} - -/* - * Save the ALPN extension in a ClientHello. - * pkt: the contents of the ALPN extension, not including type and length. - * al: a pointer to the alert value to send in the event of a failure. - * returns: 1 on success, 0 on error. - */ -static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al) -{ - PACKET protocol_list, save_protocol_list, protocol; - - *al = SSL_AD_DECODE_ERROR; - - if (!PACKET_as_length_prefixed_2(pkt, &protocol_list) - || PACKET_remaining(&protocol_list) < 2) { - return 0; - } - - save_protocol_list = protocol_list; - do { - /* Protocol names can't be empty. */ - if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol) - || PACKET_remaining(&protocol) == 0) { - return 0; - } - } while (PACKET_remaining(&protocol_list) != 0); - - if (!PACKET_memdup(&save_protocol_list, - &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - - return 1; -} - -/* - * Process the ALPN extension in a ClientHello. - * al: a pointer to the alert value to send in the event of a failure. - * returns 1 on success, 0 on error. - */ -static int tls1_alpn_handle_client_hello_late(SSL *s, int *al) -{ - const unsigned char *selected = NULL; - unsigned char selected_len = 0; - - if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) { - int r = s->ctx->alpn_select_cb(s, &selected, &selected_len, - s->s3->alpn_proposed, - s->s3->alpn_proposed_len, - s->ctx->alpn_select_cb_arg); - - if (r == SSL_TLSEXT_ERR_OK) { - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len); - if (s->s3->alpn_selected == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - return 0; - } - s->s3->alpn_selected_len = selected_len; -#ifndef OPENSSL_NO_NEXTPROTONEG - /* ALPN takes precedence over NPN. */ - s->s3->next_proto_neg_seen = 0; -#endif - } else if (r == SSL_TLSEXT_ERR_NOACK) { - /* Behave as if no callback was present. */ - return 1; - } else { - *al = SSL_AD_NO_APPLICATION_PROTOCOL; - return 0; - } - } - - return 1; -} - -#ifndef OPENSSL_NO_EC -/*- - * ssl_check_for_safari attempts to fingerprint Safari using OS X - * SecureTransport using the TLS extension block in |pkt|. - * Safari, since 10.6, sends exactly these extensions, in this order: - * SNI, - * elliptic_curves - * ec_point_formats - * - * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, - * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. - * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from - * 10.8..10.8.3 (which don't work). - */ -static void ssl_check_for_safari(SSL *s, const PACKET *pkt) -{ - unsigned int type; - PACKET sni, tmppkt; - size_t ext_len; - - static const unsigned char kSafariExtensionsBlock[] = { - 0x00, 0x0a, /* elliptic_curves extension */ - 0x00, 0x08, /* 8 bytes */ - 0x00, 0x06, /* 6 bytes of curve ids */ - 0x00, 0x17, /* P-256 */ - 0x00, 0x18, /* P-384 */ - 0x00, 0x19, /* P-521 */ - - 0x00, 0x0b, /* ec_point_formats */ - 0x00, 0x02, /* 2 bytes */ - 0x01, /* 1 point format */ - 0x00, /* uncompressed */ - /* The following is only present in TLS 1.2 */ - 0x00, 0x0d, /* signature_algorithms */ - 0x00, 0x0c, /* 12 bytes */ - 0x00, 0x0a, /* 10 bytes */ - 0x05, 0x01, /* SHA-384/RSA */ - 0x04, 0x01, /* SHA-256/RSA */ - 0x02, 0x01, /* SHA-1/RSA */ - 0x04, 0x03, /* SHA-256/ECDSA */ - 0x02, 0x03, /* SHA-1/ECDSA */ - }; - - /* Length of the common prefix (first two extensions). */ - static const size_t kSafariCommonExtensionsLength = 18; - - tmppkt = *pkt; - - if (!PACKET_forward(&tmppkt, 2) - || !PACKET_get_net_2(&tmppkt, &type) - || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) { - return; - } - - if (type != TLSEXT_TYPE_server_name) - return; - - ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ? - sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength; - - s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock, - ext_len); -} -#endif /* !OPENSSL_NO_EC */ - -/* - * Parse ClientHello extensions and stash extension info in various parts of - * the SSL object. Verify that there are no duplicate extensions. - * - * Behaviour upon resumption is extension-specific. If the extension has no - * effect during resumption, it is parsed (to verify its format) but otherwise - * ignored. - * - * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure. - * Upon failure, sets |al| to the appropriate alert. - */ -static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) -{ - unsigned int type; - int renegotiate_seen = 0; - PACKET extensions; - - *al = SSL_AD_DECODE_ERROR; - s->servername_done = 0; - s->tlsext_status_type = -1; -#ifndef OPENSSL_NO_NEXTPROTONEG - s->s3->next_proto_neg_seen = 0; -#endif - - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = NULL; - s->s3->alpn_selected_len = 0; - OPENSSL_free(s->s3->alpn_proposed); - s->s3->alpn_proposed = NULL; - s->s3->alpn_proposed_len = 0; -#ifndef OPENSSL_NO_HEARTBEATS - s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED | - SSL_DTLSEXT_HB_DONT_SEND_REQUESTS); -#endif - -#ifndef OPENSSL_NO_EC - if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) - ssl_check_for_safari(s, pkt); -#endif /* !OPENSSL_NO_EC */ - - /* Clear any signature algorithms extension received */ - OPENSSL_free(s->s3->tmp.peer_sigalgs); - s->s3->tmp.peer_sigalgs = NULL; - s->tlsext_use_etm = 0; - -#ifndef OPENSSL_NO_SRP - OPENSSL_free(s->srp_ctx.login); - s->srp_ctx.login = NULL; -#endif - - s->srtp_profile = NULL; - - if (PACKET_remaining(pkt) == 0) - goto ri_check; - - if (!PACKET_as_length_prefixed_2(pkt, &extensions)) - return 0; - - if (!tls1_check_duplicate_extensions(&extensions)) - return 0; - - /* - * We parse all extensions to ensure the ClientHello is well-formed but, - * unless an extension specifies otherwise, we ignore extensions upon - * resumption. - */ - while (PACKET_get_net_2(&extensions, &type)) { - PACKET extension; - if (!PACKET_get_length_prefixed_2(&extensions, &extension)) - return 0; - - if (s->tlsext_debug_cb) - s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension), - PACKET_remaining(&extension), - s->tlsext_debug_arg); - - if (type == TLSEXT_TYPE_renegotiate) { - if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al)) - return 0; - renegotiate_seen = 1; - } else if (s->version == SSL3_VERSION) { - } -/*- - * The servername extension is treated as follows: - * - * - Only the hostname type is supported with a maximum length of 255. - * - The servername is rejected if too long or if it contains zeros, - * in which case an fatal alert is generated. - * - The servername field is maintained together with the session cache. - * - When a session is resumed, the servername call back invoked in order - * to allow the application to position itself to the right context. - * - The servername is acknowledged if it is new for a session or when - * it is identical to a previously used for the same session. - * Applications can control the behaviour. They can at any time - * set a 'desirable' servername for a new SSL object. This can be the - * case for example with HTTPS when a Host: header field is received and - * a renegotiation is requested. In this case, a possible servername - * presented in the new client hello is only acknowledged if it matches - * the value of the Host: field. - * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION - * if they provide for changing an explicit servername context for the - * session, i.e. when the session has been established with a servername - * extension. - * - On session reconnect, the servername extension may be absent. - * - */ - - else if (type == TLSEXT_TYPE_server_name) { - unsigned int servname_type; - PACKET sni, hostname; - - if (!PACKET_as_length_prefixed_2(&extension, &sni) - /* ServerNameList must be at least 1 byte long. */ - || PACKET_remaining(&sni) == 0) { - return 0; - } - - /* - * Although the server_name extension was intended to be - * extensible to new name types, RFC 4366 defined the - * syntax inextensibility and OpenSSL 1.0.x parses it as - * such. - * RFC 6066 corrected the mistake but adding new name types - * is nevertheless no longer feasible, so act as if no other - * SNI types can exist, to simplify parsing. - * - * Also note that the RFC permits only one SNI value per type, - * i.e., we can only have a single hostname. - */ - if (!PACKET_get_1(&sni, &servname_type) - || servname_type != TLSEXT_NAMETYPE_host_name - || !PACKET_as_length_prefixed_2(&sni, &hostname)) { - return 0; - } - - if (!s->hit) { - if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) { - *al = TLS1_AD_UNRECOGNIZED_NAME; - return 0; - } - - if (PACKET_contains_zero_byte(&hostname)) { - *al = TLS1_AD_UNRECOGNIZED_NAME; - return 0; - } - - if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - - s->servername_done = 1; - } else { - /* - * TODO(openssl-team): if the SNI doesn't match, we MUST - * fall back to a full handshake. - */ - s->servername_done = s->session->tlsext_hostname - && PACKET_equal(&hostname, s->session->tlsext_hostname, - strlen(s->session->tlsext_hostname)); - } - } -#ifndef OPENSSL_NO_SRP - else if (type == TLSEXT_TYPE_srp) { - PACKET srp_I; - - if (!PACKET_as_length_prefixed_1(&extension, &srp_I)) - return 0; - - if (PACKET_contains_zero_byte(&srp_I)) - return 0; - - /* - * TODO(openssl-team): currently, we re-authenticate the user - * upon resumption. Instead, we MUST ignore the login. - */ - if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - } -#endif - -#ifndef OPENSSL_NO_EC - else if (type == TLSEXT_TYPE_ec_point_formats) { - PACKET ec_point_format_list; - - if (!PACKET_as_length_prefixed_1(&extension, &ec_point_format_list) - || PACKET_remaining(&ec_point_format_list) == 0) { - return 0; - } - - if (!s->hit) { - if (!PACKET_memdup(&ec_point_format_list, - &s->session->tlsext_ecpointformatlist, - &s-> - session->tlsext_ecpointformatlist_length)) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - } - } else if (type == TLSEXT_TYPE_elliptic_curves) { - PACKET elliptic_curve_list; - - /* Each NamedCurve is 2 bytes and we must have at least 1. */ - if (!PACKET_as_length_prefixed_2(&extension, &elliptic_curve_list) - || PACKET_remaining(&elliptic_curve_list) == 0 - || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) { - return 0; - } - - if (!s->hit) { - if (!PACKET_memdup(&elliptic_curve_list, - &s->session->tlsext_ellipticcurvelist, - &s-> - session->tlsext_ellipticcurvelist_length)) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - } - } -#endif /* OPENSSL_NO_EC */ - else if (type == TLSEXT_TYPE_session_ticket) { - if (s->tls_session_ticket_ext_cb && - !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension), - PACKET_remaining(&extension), - s->tls_session_ticket_ext_cb_arg)) - { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - } else if (type == TLSEXT_TYPE_signature_algorithms) { - PACKET supported_sig_algs; - - if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs) - || (PACKET_remaining(&supported_sig_algs) % 2) != 0 - || PACKET_remaining(&supported_sig_algs) == 0) { - return 0; - } - - if (!s->hit) { - if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs), - PACKET_remaining(&supported_sig_algs))) { - return 0; - } - } - } else if (type == TLSEXT_TYPE_status_request) { - /* Ignore this if resuming */ - if (s->hit) - continue; - - if (!PACKET_get_1(&extension, - (unsigned int *)&s->tlsext_status_type)) { - return 0; - } -#ifndef OPENSSL_NO_OCSP - if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { - const unsigned char *ext_data; - PACKET responder_id_list, exts; - if (!PACKET_get_length_prefixed_2 - (&extension, &responder_id_list)) - return 0; - - /* - * We remove any OCSP_RESPIDs from a previous handshake - * to prevent unbounded memory growth - CVE-2016-6304 - */ - sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, - OCSP_RESPID_free); - if (PACKET_remaining(&responder_id_list) > 0) { - s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); - if (s->tlsext_ocsp_ids == NULL) { - *al = SSL_AD_INTERNAL_ERROR; - return 0; - } - } else { - s->tlsext_ocsp_ids = NULL; - } - - while (PACKET_remaining(&responder_id_list) > 0) { - OCSP_RESPID *id; - PACKET responder_id; - const unsigned char *id_data; - - if (!PACKET_get_length_prefixed_2(&responder_id_list, - &responder_id) - || PACKET_remaining(&responder_id) == 0) { - return 0; - } - - id_data = PACKET_data(&responder_id); - id = d2i_OCSP_RESPID(NULL, &id_data, - PACKET_remaining(&responder_id)); - if (id == NULL) - return 0; - - if (id_data != PACKET_end(&responder_id)) { - OCSP_RESPID_free(id); - return 0; - } - - if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { - OCSP_RESPID_free(id); - *al = SSL_AD_INTERNAL_ERROR; - return 0; - } - } - - /* Read in request_extensions */ - if (!PACKET_as_length_prefixed_2(&extension, &exts)) - return 0; - - if (PACKET_remaining(&exts) > 0) { - ext_data = PACKET_data(&exts); - sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, - X509_EXTENSION_free); - s->tlsext_ocsp_exts = - d2i_X509_EXTENSIONS(NULL, &ext_data, - PACKET_remaining(&exts)); - if (s->tlsext_ocsp_exts == NULL - || ext_data != PACKET_end(&exts)) { - return 0; - } - } - } else -#endif - { - /* - * We don't know what to do with any other type so ignore it. - */ - s->tlsext_status_type = -1; - } - } -#ifndef OPENSSL_NO_HEARTBEATS - else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) { - unsigned int hbtype; - - if (!PACKET_get_1(&extension, &hbtype) - || PACKET_remaining(&extension)) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - switch (hbtype) { - case 0x01: /* Client allows us to send HB requests */ - s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED; - break; - case 0x02: /* Client doesn't accept HB requests */ - s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED; - s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS; - break; - default: - *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - } -#endif -#ifndef OPENSSL_NO_NEXTPROTONEG - else if (type == TLSEXT_TYPE_next_proto_neg && - s->s3->tmp.finish_md_len == 0) { - /*- - * We shouldn't accept this extension on a - * renegotiation. - * - * s->new_session will be set on renegotiation, but we - * probably shouldn't rely that it couldn't be set on - * the initial renegotiation too in certain cases (when - * there's some other reason to disallow resuming an - * earlier session -- the current code won't be doing - * anything like that, but this might change). - * - * A valid sign that there's been a previous handshake - * in this connection is if s->s3->tmp.finish_md_len > - * 0. (We are talking about a check that will happen - * in the Hello protocol round, well before a new - * Finished message could have been computed.) - */ - s->s3->next_proto_neg_seen = 1; - } -#endif - - else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && - s->s3->tmp.finish_md_len == 0) { - if (!tls1_alpn_handle_client_hello(s, &extension, al)) - return 0; - } - - /* session ticket processed earlier */ -#ifndef OPENSSL_NO_SRTP - else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) - && type == TLSEXT_TYPE_use_srtp) { - if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al)) - return 0; - } -#endif - else if (type == TLSEXT_TYPE_encrypt_then_mac && - !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) - s->tlsext_use_etm = 1; - /* - * Note: extended master secret extension handled in - * tls_check_serverhello_tlsext_early() - */ - - /* - * If this ClientHello extension was unhandled and this is a - * nonresumed connection, check whether the extension is a custom - * TLS Extension (has a custom_srv_ext_record), and if so call the - * callback and record the extension number so that an appropriate - * ServerHello may be later returned. - */ - else if (!s->hit) { - if (custom_ext_parse(s, 1, type, PACKET_data(&extension), - PACKET_remaining(&extension), al) <= 0) - return 0; - } - } - - if (PACKET_remaining(pkt) != 0) { - /* - * tls1_check_duplicate_extensions should ensure this never happens. - */ - *al = SSL_AD_INTERNAL_ERROR; - return 0; - } - - ri_check: - - /* Need RI if renegotiating */ - - if (!renegotiate_seen && s->renegotiate && - !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, - SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } - - /* - * This function currently has no state to clean up, so it returns directly. - * If parsing fails at any point, the function returns early. - * The SSL object may be left with partial data from extensions, but it must - * then no longer be used, and clearing it up will free the leftovers. - */ - return 1; -} - -int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt) -{ - int al = -1; - custom_ext_init(&s->cert->srv_ext); - if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) { - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return 0; - } - if (ssl_check_clienthello_tlsext_early(s) <= 0) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT); - return 0; - } - return 1; -} - -#ifndef OPENSSL_NO_NEXTPROTONEG -/* - * ssl_next_proto_validate validates a Next Protocol Negotiation block. No - * elements of zero length are allowed and the set of elements must exactly - * fill the length of the block. - */ -static char ssl_next_proto_validate(PACKET *pkt) -{ - PACKET tmp_protocol; - - while (PACKET_remaining(pkt)) { - if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol) - || PACKET_remaining(&tmp_protocol) == 0) - return 0; - } - - return 1; -} -#endif - -static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al) -{ - unsigned int length, type, size; - int tlsext_servername = 0; - int renegotiate_seen = 0; - -#ifndef OPENSSL_NO_NEXTPROTONEG - s->s3->next_proto_neg_seen = 0; -#endif - s->tlsext_ticket_expected = 0; - - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = NULL; -#ifndef OPENSSL_NO_HEARTBEATS - s->tlsext_heartbeat &= ~(SSL_DTLSEXT_HB_ENABLED | - SSL_DTLSEXT_HB_DONT_SEND_REQUESTS); -#endif - - s->tlsext_use_etm = 0; - - s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; - - if (!PACKET_get_net_2(pkt, &length)) - goto ri_check; - - if (PACKET_remaining(pkt) != length) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - - if (!tls1_check_duplicate_extensions(pkt)) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - - while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) { - const unsigned char *data; - PACKET spkt; - - if (!PACKET_get_sub_packet(pkt, &spkt, size) - || !PACKET_peek_bytes(&spkt, &data, size)) - goto ri_check; - - if (s->tlsext_debug_cb) - s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg); - - if (type == TLSEXT_TYPE_renegotiate) { - if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al)) - return 0; - renegotiate_seen = 1; - } else if (s->version == SSL3_VERSION) { - } else if (type == TLSEXT_TYPE_server_name) { - if (s->tlsext_hostname == NULL || size > 0) { - *al = TLS1_AD_UNRECOGNIZED_NAME; - return 0; - } - tlsext_servername = 1; - } -#ifndef OPENSSL_NO_EC - else if (type == TLSEXT_TYPE_ec_point_formats) { - unsigned int ecpointformatlist_length; - if (!PACKET_get_1(&spkt, &ecpointformatlist_length) - || ecpointformatlist_length != size - 1) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - if (!s->hit) { - s->session->tlsext_ecpointformatlist_length = 0; - OPENSSL_free(s->session->tlsext_ecpointformatlist); - if ((s->session->tlsext_ecpointformatlist = - OPENSSL_malloc(ecpointformatlist_length)) == NULL) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - s->session->tlsext_ecpointformatlist_length = - ecpointformatlist_length; - if (!PACKET_copy_bytes(&spkt, - s->session->tlsext_ecpointformatlist, - ecpointformatlist_length)) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - - } - } -#endif /* OPENSSL_NO_EC */ - - else if (type == TLSEXT_TYPE_session_ticket) { - if (s->tls_session_ticket_ext_cb && - !s->tls_session_ticket_ext_cb(s, data, size, - s->tls_session_ticket_ext_cb_arg)) - { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - if (!tls_use_ticket(s) || (size > 0)) { - *al = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; - } - s->tlsext_ticket_expected = 1; - } else if (type == TLSEXT_TYPE_status_request) { - /* - * MUST be empty and only sent if we've requested a status - * request message. - */ - if ((s->tlsext_status_type == -1) || (size > 0)) { - *al = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; - } - /* Set flag to expect CertificateStatus message */ - s->tlsext_status_expected = 1; - } -#ifndef OPENSSL_NO_CT - /* - * Only take it if we asked for it - i.e if there is no CT validation - * callback set, then a custom extension MAY be processing it, so we - * need to let control continue to flow to that. - */ - else if (type == TLSEXT_TYPE_signed_certificate_timestamp && - s->ct_validation_callback != NULL) { - /* Simply copy it off for later processing */ - if (s->tlsext_scts != NULL) { - OPENSSL_free(s->tlsext_scts); - s->tlsext_scts = NULL; - } - s->tlsext_scts_len = size; - if (size > 0) { - s->tlsext_scts = OPENSSL_malloc(size); - if (s->tlsext_scts == NULL) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - memcpy(s->tlsext_scts, data, size); - } - } -#endif -#ifndef OPENSSL_NO_NEXTPROTONEG - else if (type == TLSEXT_TYPE_next_proto_neg && - s->s3->tmp.finish_md_len == 0) { - unsigned char *selected; - unsigned char selected_len; - /* We must have requested it. */ - if (s->ctx->next_proto_select_cb == NULL) { - *al = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; - } - /* The data must be valid */ - if (!ssl_next_proto_validate(&spkt)) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, - size, - s-> - ctx->next_proto_select_cb_arg) != - SSL_TLSEXT_ERR_OK) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - /* - * Could be non-NULL if server has sent multiple NPN extensions in - * a single Serverhello - */ - OPENSSL_free(s->next_proto_negotiated); - s->next_proto_negotiated = OPENSSL_malloc(selected_len); - if (s->next_proto_negotiated == NULL) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - memcpy(s->next_proto_negotiated, selected, selected_len); - s->next_proto_negotiated_len = selected_len; - s->s3->next_proto_neg_seen = 1; - } -#endif - - else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) { - unsigned len; - /* We must have requested it. */ - if (!s->s3->alpn_sent) { - *al = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; - } - /*- - * The extension data consists of: - * uint16 list_length - * uint8 proto_length; - * uint8 proto[proto_length]; - */ - if (!PACKET_get_net_2(&spkt, &len) - || PACKET_remaining(&spkt) != len || !PACKET_get_1(&spkt, &len) - || PACKET_remaining(&spkt) != len) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = OPENSSL_malloc(len); - if (s->s3->alpn_selected == NULL) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; - } - if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - s->s3->alpn_selected_len = len; - } -#ifndef OPENSSL_NO_HEARTBEATS - else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) { - unsigned int hbtype; - if (!PACKET_get_1(&spkt, &hbtype)) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - switch (hbtype) { - case 0x01: /* Server allows us to send HB requests */ - s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED; - break; - case 0x02: /* Server doesn't accept HB requests */ - s->tlsext_heartbeat |= SSL_DTLSEXT_HB_ENABLED; - s->tlsext_heartbeat |= SSL_DTLSEXT_HB_DONT_SEND_REQUESTS; - break; - default: - *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - } -#endif -#ifndef OPENSSL_NO_SRTP - else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { - if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al)) - return 0; - } -#endif - else if (type == TLSEXT_TYPE_encrypt_then_mac) { - /* Ignore if inappropriate ciphersuite */ - if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) && - s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD - && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4) - s->tlsext_use_etm = 1; - } else if (type == TLSEXT_TYPE_extended_master_secret) { - s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; - if (!s->hit) - s->session->flags |= SSL_SESS_FLAG_EXTMS; - } - /* - * If this extension type was not otherwise handled, but matches a - * custom_cli_ext_record, then send it to the c callback - */ - else if (custom_ext_parse(s, 0, type, data, size, al) <= 0) - return 0; - } - - if (PACKET_remaining(pkt) != 0) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - - if (!s->hit && tlsext_servername == 1) { - if (s->tlsext_hostname) { - if (s->session->tlsext_hostname == NULL) { - s->session->tlsext_hostname = - OPENSSL_strdup(s->tlsext_hostname); - if (!s->session->tlsext_hostname) { - *al = SSL_AD_UNRECOGNIZED_NAME; - return 0; - } - } else { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - } - } - - ri_check: - - /* - * Determine if we need to see RI. Strictly speaking if we want to avoid - * an attack we should *always* see RI even on initial server hello - * because the client doesn't see any renegotiation during an attack. - * However this would mean we could not connect to any server which - * doesn't support RI so for the immediate future tolerate RI absence - */ - if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) - && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, - SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } - - if (s->hit) { - /* - * Check extended master secret extension is consistent with - * original session. - */ - if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) != - !(s->session->flags & SSL_SESS_FLAG_EXTMS)) { - *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS); - return 0; - } - } - - return 1; -} - -int ssl_prepare_clienthello_tlsext(SSL *s) -{ - s->s3->alpn_sent = 0; - return 1; -} - -int ssl_prepare_serverhello_tlsext(SSL *s) -{ - return 1; -} - -static int ssl_check_clienthello_tlsext_early(SSL *s) -{ - int ret = SSL_TLSEXT_ERR_NOACK; - int al = SSL_AD_UNRECOGNIZED_NAME; - -#ifndef OPENSSL_NO_EC - /* - * The handling of the ECPointFormats extension is done elsewhere, namely - * in ssl3_choose_cipher in s3_lib.c. - */ - /* - * The handling of the EllipticCurves extension is done elsewhere, namely - * in ssl3_choose_cipher in s3_lib.c. - */ -#endif - - if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) - ret = - s->ctx->tlsext_servername_callback(s, &al, - s->ctx->tlsext_servername_arg); - else if (s->session_ctx != NULL - && s->session_ctx->tlsext_servername_callback != 0) - ret = - s->session_ctx->tlsext_servername_callback(s, &al, - s-> - session_ctx->tlsext_servername_arg); - - switch (ret) { - case SSL_TLSEXT_ERR_ALERT_FATAL: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return -1; - - case SSL_TLSEXT_ERR_ALERT_WARNING: - ssl3_send_alert(s, SSL3_AL_WARNING, al); - return 1; - - case SSL_TLSEXT_ERR_NOACK: - s->servername_done = 0; - /* fall thru */ - default: - return 1; - } -} - -/* Initialise digests to default values */ -void ssl_set_default_md(SSL *s) -{ - const EVP_MD **pmd = s->s3->tmp.md; -#ifndef OPENSSL_NO_DSA - pmd[SSL_PKEY_DSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX); -#endif -#ifndef OPENSSL_NO_RSA - if (SSL_USE_SIGALGS(s)) - pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_SHA1_IDX); - else - pmd[SSL_PKEY_RSA_SIGN] = ssl_md(SSL_MD_MD5_SHA1_IDX); - pmd[SSL_PKEY_RSA_ENC] = pmd[SSL_PKEY_RSA_SIGN]; -#endif -#ifndef OPENSSL_NO_EC - pmd[SSL_PKEY_ECC] = ssl_md(SSL_MD_SHA1_IDX); -#endif -#ifndef OPENSSL_NO_GOST - pmd[SSL_PKEY_GOST01] = ssl_md(SSL_MD_GOST94_IDX); - pmd[SSL_PKEY_GOST12_256] = ssl_md(SSL_MD_GOST12_256_IDX); - pmd[SSL_PKEY_GOST12_512] = ssl_md(SSL_MD_GOST12_512_IDX); -#endif -} - int tls1_set_server_sigalgs(SSL *s) { - int al; size_t i; /* Clear any shared signature algorithms */ OPENSSL_free(s->cert->shared_sigalgs); s->cert->shared_sigalgs = NULL; s->cert->shared_sigalgslen = 0; - /* Clear certificate digests and validity flags */ - for (i = 0; i < SSL_PKEY_NUM; i++) { - s->s3->tmp.md[i] = NULL; + /* Clear certificate validity flags */ + for (i = 0; i < SSL_PKEY_NUM; i++) s->s3->tmp.valid_flags[i] = 0; - } - - /* If sigalgs received process it. */ - if (s->s3->tmp.peer_sigalgs) { - if (!tls1_process_sigalgs(s)) { - SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE); - al = SSL_AD_INTERNAL_ERROR; - goto err; - } - /* Fatal error is no shared signature algorithms */ - if (!s->cert->shared_sigalgs) { - SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, - SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); - al = SSL_AD_HANDSHAKE_FAILURE; - goto err; - } - } else { - ssl_set_default_md(s); - } - return 1; - err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return 0; -} - -/* - * Upon success, returns 1. - * Upon failure, returns 0 and sets |al| to the appropriate fatal alert. - */ -int ssl_check_clienthello_tlsext_late(SSL *s, int *al) -{ - s->tlsext_status_expected = 0; - /* - * If status request then ask callback what to do. Note: this must be - * called after servername callbacks in case the certificate has changed, - * and must be called after the cipher has been chosen because this may - * influence which certificate is sent + * If peer sent no signature algorithms check to see if we support + * the default algorithm for each certificate type */ - if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) { - int ret; - CERT_PKEY *certpkey; - certpkey = ssl_get_server_send_pkey(s); - /* If no certificate can't return certificate status */ - if (certpkey != NULL) { - /* - * Set current certificate to one we will use so SSL_get_certificate - * et al can pick it up. - */ - s->cert->key = certpkey; - ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); - switch (ret) { - /* We don't want to send a status request response */ - case SSL_TLSEXT_ERR_NOACK: - s->tlsext_status_expected = 0; - break; - /* status request response should be sent */ - case SSL_TLSEXT_ERR_OK: - if (s->tlsext_ocsp_resp) - s->tlsext_status_expected = 1; - break; - /* something bad happened */ - case SSL_TLSEXT_ERR_ALERT_FATAL: - default: - *al = SSL_AD_INTERNAL_ERROR; - return 0; - } - } - } + if (s->s3->tmp.peer_cert_sigalgs == NULL + && s->s3->tmp.peer_sigalgs == NULL) { + const uint16_t *sent_sigs; + size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); - if (!tls1_alpn_handle_client_hello_late(s, al)) { - return 0; - } - - return 1; -} - -int ssl_check_serverhello_tlsext(SSL *s) -{ - int ret = SSL_TLSEXT_ERR_NOACK; - int al = SSL_AD_UNRECOGNIZED_NAME; + for (i = 0; i < SSL_PKEY_NUM; i++) { + const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i); + size_t j; -#ifndef OPENSSL_NO_EC - /* - * If we are client and using an elliptic curve cryptography cipher - * suite, then if server returns an EC point formats lists extension it - * must contain uncompressed. - */ - unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; - if ((s->tlsext_ecpointformatlist != NULL) - && (s->tlsext_ecpointformatlist_length > 0) - && (s->session->tlsext_ecpointformatlist != NULL) - && (s->session->tlsext_ecpointformatlist_length > 0) - && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { - /* we are using an ECC cipher */ - size_t i; - unsigned char *list; - int found_uncompressed = 0; - list = s->session->tlsext_ecpointformatlist; - for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { - if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { - found_uncompressed = 1; - break; + if (lu == NULL) + continue; + /* Check default matches a type we sent */ + for (j = 0; j < sent_sigslen; j++) { + if (lu->sigalg == sent_sigs[j]) { + s->s3->tmp.valid_flags[i] = CERT_PKEY_SIGN; + break; + } } } - if (!found_uncompressed) { - SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, - SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); - return -1; - } - } - ret = SSL_TLSEXT_ERR_OK; -#endif /* OPENSSL_NO_EC */ - - if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) - ret = - s->ctx->tlsext_servername_callback(s, &al, - s->ctx->tlsext_servername_arg); - else if (s->session_ctx != NULL - && s->session_ctx->tlsext_servername_callback != 0) - ret = - s->session_ctx->tlsext_servername_callback(s, &al, - s-> - session_ctx->tlsext_servername_arg); - - /* - * Ensure we get sensible values passed to tlsext_status_cb in the event - * that we don't receive a status message - */ - OPENSSL_free(s->tlsext_ocsp_resp); - s->tlsext_ocsp_resp = NULL; - s->tlsext_ocsp_resplen = -1; - - switch (ret) { - case SSL_TLSEXT_ERR_ALERT_FATAL: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return -1; - - case SSL_TLSEXT_ERR_ALERT_WARNING: - ssl3_send_alert(s, SSL3_AL_WARNING, al); - return 1; - - case SSL_TLSEXT_ERR_NOACK: - s->servername_done = 0; - /* fall thru */ - default: return 1; } -} -int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt) -{ - int al = -1; - if (s->version < SSL3_VERSION) - return 1; - if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) { - ssl3_send_alert(s, SSL3_AL_FATAL, al); + if (!tls1_process_sigalgs(s)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR); return 0; } + if (s->cert->shared_sigalgs != NULL) + return 1; - if (ssl_check_serverhello_tlsext(s) <= 0) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT); - return 0; - } - return 1; + /* Fatal error if no shared signature algorithms */ + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS, + SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); + return 0; } /*- - * Since the server cache lookup is done early on in the processing of the - * ClientHello and other operations depend on the result some extensions - * need to be handled at the same time. - * - * Two extensions are currently handled, session ticket and extended master - * secret. + * Gets the ticket information supplied by the client if any. * - * session_id: ClientHello session ID. - * ext: ClientHello extensions (including length prefix) + * hello: The parsed ClientHello data * ret: (output) on return, if a ticket was decrypted, then this is set to * point to the resulting session. - * - * If s->tls_session_secret_cb is set then we are expecting a pre-shared key - * ciphersuite, in which case we have no use for session tickets and one will - * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. - * - * Returns: - * -1: fatal error, either from parsing or decrypting the ticket. - * 0: no ticket was found (or was ignored, based on settings). - * 1: a zero length extension was found, indicating that the client supports - * session tickets but doesn't currently have one to offer. - * 2: either s->tls_session_secret_cb was set, or a ticket was offered but - * couldn't be decrypted because of a non-fatal error. - * 3: a ticket was successfully decrypted and *ret was set. - * - * Side effects: - * Sets s->tlsext_ticket_expected to 1 if the server will have to issue - * a new session ticket to the client because the client indicated support - * (and s->tls_session_secret_cb is NULL) but the client either doesn't have - * a session ticket or we couldn't use the one it gave us, or if - * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. - * Otherwise, s->tlsext_ticket_expected is set to 0. - * - * For extended master secret flag is set if the extension is present. - * */ -int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext, - const PACKET *session_id, - SSL_SESSION **ret) +SSL_TICKET_STATUS tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello, + SSL_SESSION **ret) { - unsigned int i; - PACKET local_ext = *ext; - int retv = -1; - - int have_ticket = 0; - int use_ticket = tls_use_ticket(s); + size_t size; + RAW_EXTENSION *ticketext; *ret = NULL; - s->tlsext_ticket_expected = 0; - s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; + s->ext.ticket_expected = 0; /* - * If tickets disabled behave as if no ticket present to permit stateful + * If tickets disabled or not supported by the protocol version + * (e.g. TLSv1.3) behave as if no ticket present to permit stateful * resumption. */ - if ((s->version <= SSL3_VERSION)) - return 0; + if (s->version <= SSL3_VERSION || !tls_use_ticket(s)) + return SSL_TICKET_NONE; - if (!PACKET_get_net_2(&local_ext, &i)) { - retv = 0; - goto end; - } - while (PACKET_remaining(&local_ext) >= 4) { - unsigned int type, size; + ticketext = &hello->pre_proc_exts[TLSEXT_IDX_session_ticket]; + if (!ticketext->present) + return SSL_TICKET_NONE; - if (!PACKET_get_net_2(&local_ext, &type) - || !PACKET_get_net_2(&local_ext, &size)) { - /* Shouldn't ever happen */ - retv = -1; - goto end; - } - if (PACKET_remaining(&local_ext) < size) { - retv = 0; - goto end; - } - if (type == TLSEXT_TYPE_session_ticket && use_ticket) { - int r; - const unsigned char *etick; - - /* Duplicate extension */ - if (have_ticket != 0) { - retv = -1; - goto end; - } - have_ticket = 1; + size = PACKET_remaining(&ticketext->data); - if (size == 0) { - /* - * The client will accept a ticket but doesn't currently have - * one. - */ - s->tlsext_ticket_expected = 1; - retv = 1; - continue; - } - if (s->tls_session_secret_cb) { - /* - * Indicate that the ticket couldn't be decrypted rather than - * generating the session from ticket now, trigger - * abbreviated handshake based on external mechanism to - * calculate the master secret later. - */ - retv = 2; - continue; - } - if (!PACKET_get_bytes(&local_ext, &etick, size)) { - /* Shouldn't ever happen */ - retv = -1; - goto end; - } - r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id), - PACKET_remaining(session_id), ret); - switch (r) { - case 2: /* ticket couldn't be decrypted */ - s->tlsext_ticket_expected = 1; - retv = 2; - break; - case 3: /* ticket was decrypted */ - retv = r; - break; - case 4: /* ticket decrypted but need to renew */ - s->tlsext_ticket_expected = 1; - retv = 3; - break; - default: /* fatal error */ - retv = -1; - break; - } - continue; - } else { - if (type == TLSEXT_TYPE_extended_master_secret) - s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; - if (!PACKET_forward(&local_ext, size)) { - retv = -1; - goto end; - } - } - } - if (have_ticket == 0) - retv = 0; - end: - return retv; + return tls_decrypt_ticket(s, PACKET_data(&ticketext->data), size, + hello->session_id, hello->session_id_len, ret); } /*- * tls_decrypt_ticket attempts to decrypt a session ticket. * + * If s->tls_session_secret_cb is set and we're not doing TLSv1.3 then we are + * expecting a pre-shared key ciphersuite, in which case we have no use for + * session tickets and one will never be decrypted, nor will + * s->ext.ticket_expected be set to 1. + * + * Side effects: + * Sets s->ext.ticket_expected to 1 if the server will have to issue + * a new session ticket to the client because the client indicated support + * (and s->tls_session_secret_cb is NULL) but the client either doesn't have + * a session ticket or we couldn't use the one it gave us, or if + * s->ctx->ext.ticket_key_cb asked to renew the client's ticket. + * Otherwise, s->ext.ticket_expected is set to 0. + * * etick: points to the body of the session ticket extension. * eticklen: the length of the session tickets extension. * sess_id: points at the session ID. * sesslen: the length of the session ID. * psess: (output) on return, if a ticket was decrypted, then this is set to * point to the resulting session. - * - * Returns: - * -2: fatal error, malloc failure. - * -1: fatal error, either from parsing or decrypting the ticket. - * 2: the ticket couldn't be decrypted. - * 3: a ticket was successfully decrypted and *psess was set. - * 4: same as 3, but the ticket needs to be renewed. */ -static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, - int eticklen, const unsigned char *sess_id, - int sesslen, SSL_SESSION **psess) +SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, + size_t eticklen, const unsigned char *sess_id, + size_t sesslen, SSL_SESSION **psess) { - SSL_SESSION *sess; + SSL_SESSION *sess = NULL; unsigned char *sdec; const unsigned char *p; - int slen, mlen, renew_ticket = 0, ret = -1; + int slen, renew_ticket = 0, declen; + SSL_TICKET_STATUS ret = SSL_TICKET_FATAL_ERR_OTHER; + size_t mlen; unsigned char tick_hmac[EVP_MAX_MD_SIZE]; HMAC_CTX *hctx = NULL; EVP_CIPHER_CTX *ctx = NULL; SSL_CTX *tctx = s->session_ctx; + if (eticklen == 0) { + /* + * The client will accept a ticket but doesn't currently have + * one (TLSv1.2 and below), or treated as a fatal error in TLSv1.3 + */ + ret = SSL_TICKET_EMPTY; + goto end; + } + if (!SSL_IS_TLS13(s) && s->ext.session_secret_cb) { + /* + * Indicate that the ticket couldn't be decrypted rather than + * generating the session from ticket now, trigger + * abbreviated handshake based on external mechanism to + * calculate the master secret later. + */ + ret = SSL_TICKET_NO_DECRYPT; + goto end; + } + /* Need at least keyname + iv */ if (eticklen < TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) { - ret = 2; - goto err; + ret = SSL_TICKET_NO_DECRYPT; + goto end; } /* Initialize session ticket encryption and HMAC contexts */ hctx = HMAC_CTX_new(); - if (hctx == NULL) - return -2; + if (hctx == NULL) { + ret = SSL_TICKET_FATAL_ERR_MALLOC; + goto end; + } ctx = EVP_CIPHER_CTX_new(); if (ctx == NULL) { - ret = -2; - goto err; + ret = SSL_TICKET_FATAL_ERR_MALLOC; + goto end; } - if (tctx->tlsext_ticket_key_cb) { + if (tctx->ext.ticket_key_cb) { unsigned char *nctick = (unsigned char *)etick; - int rv = tctx->tlsext_ticket_key_cb(s, nctick, - nctick + TLSEXT_KEYNAME_LENGTH, - ctx, hctx, 0); - if (rv < 0) - goto err; + int rv = tctx->ext.ticket_key_cb(s, nctick, + nctick + TLSEXT_KEYNAME_LENGTH, + ctx, hctx, 0); + if (rv < 0) { + ret = SSL_TICKET_FATAL_ERR_OTHER; + goto end; + } if (rv == 0) { - ret = 2; - goto err; + ret = SSL_TICKET_NO_DECRYPT; + goto end; } if (rv == 2) renew_ticket = 1; } else { /* Check key name matches */ - if (memcmp(etick, tctx->tlsext_tick_key_name, + if (memcmp(etick, tctx->ext.tick_key_name, TLSEXT_KEYNAME_LENGTH) != 0) { - ret = 2; - goto err; + ret = SSL_TICKET_NO_DECRYPT; + goto end; } - if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, - sizeof(tctx->tlsext_tick_hmac_key), + if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key, + sizeof(tctx->ext.secure->tick_hmac_key), EVP_sha256(), NULL) <= 0 || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, - tctx->tlsext_tick_aes_key, + tctx->ext.secure->tick_aes_key, etick + TLSEXT_KEYNAME_LENGTH) <= 0) { - goto err; + ret = SSL_TICKET_FATAL_ERR_OTHER; + goto end; } + if (SSL_IS_TLS13(s)) + renew_ticket = 1; } /* * Attempt to process session ticket, first conduct sanity and integrity * checks on ticket. */ mlen = HMAC_size(hctx); - if (mlen < 0) { - goto err; + if (mlen == 0) { + ret = SSL_TICKET_FATAL_ERR_OTHER; + goto end; } + /* Sanity check ticket length: must exceed keyname + IV + HMAC */ if (eticklen <= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) { - ret = 2; - goto err; + ret = SSL_TICKET_NO_DECRYPT; + goto end; } eticklen -= mlen; /* Check HMAC of encrypted ticket */ if (HMAC_Update(hctx, etick, eticklen) <= 0 || HMAC_Final(hctx, tick_hmac, NULL) <= 0) { - goto err; + ret = SSL_TICKET_FATAL_ERR_OTHER; + goto end; } - HMAC_CTX_free(hctx); + if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) { - EVP_CIPHER_CTX_free(ctx); - return 2; + ret = SSL_TICKET_NO_DECRYPT; + goto end; } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ p = etick + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx); eticklen -= TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx); sdec = OPENSSL_malloc(eticklen); - if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) { - EVP_CIPHER_CTX_free(ctx); + if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, + (int)eticklen) <= 0) { OPENSSL_free(sdec); - return -1; + ret = SSL_TICKET_FATAL_ERR_OTHER; + goto end; } - if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) { - EVP_CIPHER_CTX_free(ctx); + if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) { OPENSSL_free(sdec); - return 2; + ret = SSL_TICKET_NO_DECRYPT; + goto end; } - slen += mlen; - EVP_CIPHER_CTX_free(ctx); - ctx = NULL; + slen += declen; p = sdec; sess = d2i_SSL_SESSION(NULL, &p, slen); @@ -3224,9 +1455,11 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, OPENSSL_free(sdec); if (sess) { /* Some additional consistency checks */ - if (slen != 0 || sess->session_id_length != 0) { + if (slen != 0) { SSL_SESSION_free(sess); - return 2; + sess = NULL; + ret = SSL_TICKET_NO_DECRYPT; + goto end; } /* * The session ID, if non-empty, is used by some clients to detect @@ -3234,206 +1467,163 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, * structure. If it is empty set length to zero as required by * standard. */ - if (sesslen) + if (sesslen) { memcpy(sess->session_id, sess_id, sesslen); - sess->session_id_length = sesslen; - *psess = sess; + sess->session_id_length = sesslen; + } if (renew_ticket) - return 4; + ret = SSL_TICKET_SUCCESS_RENEW; else - return 3; + ret = SSL_TICKET_SUCCESS; + goto end; } ERR_clear_error(); /* * For session parse failure, indicate that we need to send a new ticket. */ - return 2; - err: + ret = SSL_TICKET_NO_DECRYPT; + + end: EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); - return ret; -} -/* Tables to translate from NIDs to TLS v1.2 ids */ + /* + * If set, the decrypt_ticket_cb() is called unless a fatal error was + * detected above. The callback is responsible for checking |ret| before it + * performs any action + */ + if (s->session_ctx->decrypt_ticket_cb != NULL + && (ret == SSL_TICKET_EMPTY + || ret == SSL_TICKET_NO_DECRYPT + || ret == SSL_TICKET_SUCCESS + || ret == SSL_TICKET_SUCCESS_RENEW)) { + size_t keyname_len = eticklen; + int retcb; + + if (keyname_len > TLSEXT_KEYNAME_LENGTH) + keyname_len = TLSEXT_KEYNAME_LENGTH; + retcb = s->session_ctx->decrypt_ticket_cb(s, sess, etick, keyname_len, + ret, + s->session_ctx->ticket_cb_data); + switch (retcb) { + case SSL_TICKET_RETURN_ABORT: + ret = SSL_TICKET_FATAL_ERR_OTHER; + break; -typedef struct { - int nid; - int id; -} tls12_lookup; - -static const tls12_lookup tls12_md[] = { - {NID_md5, TLSEXT_hash_md5}, - {NID_sha1, TLSEXT_hash_sha1}, - {NID_sha224, TLSEXT_hash_sha224}, - {NID_sha256, TLSEXT_hash_sha256}, - {NID_sha384, TLSEXT_hash_sha384}, - {NID_sha512, TLSEXT_hash_sha512}, - {NID_id_GostR3411_94, TLSEXT_hash_gostr3411}, - {NID_id_GostR3411_2012_256, TLSEXT_hash_gostr34112012_256}, - {NID_id_GostR3411_2012_512, TLSEXT_hash_gostr34112012_512}, -}; + case SSL_TICKET_RETURN_IGNORE: + ret = SSL_TICKET_NONE; + SSL_SESSION_free(sess); + sess = NULL; + break; -static const tls12_lookup tls12_sig[] = { - {EVP_PKEY_RSA, TLSEXT_signature_rsa}, - {EVP_PKEY_DSA, TLSEXT_signature_dsa}, - {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, - {NID_id_GostR3410_2001, TLSEXT_signature_gostr34102001}, - {NID_id_GostR3410_2012_256, TLSEXT_signature_gostr34102012_256}, - {NID_id_GostR3410_2012_512, TLSEXT_signature_gostr34102012_512} -}; + case SSL_TICKET_RETURN_IGNORE_RENEW: + if (ret != SSL_TICKET_EMPTY && ret != SSL_TICKET_NO_DECRYPT) + ret = SSL_TICKET_NO_DECRYPT; + /* else the value of |ret| will already do the right thing */ + SSL_SESSION_free(sess); + sess = NULL; + break; -static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen) -{ - size_t i; - for (i = 0; i < tlen; i++) { - if (table[i].nid == nid) - return table[i].id; + case SSL_TICKET_RETURN_USE: + case SSL_TICKET_RETURN_USE_RENEW: + if (ret != SSL_TICKET_SUCCESS + && ret != SSL_TICKET_SUCCESS_RENEW) + ret = SSL_TICKET_FATAL_ERR_OTHER; + else if (retcb == SSL_TICKET_RETURN_USE) + ret = SSL_TICKET_SUCCESS; + else + ret = SSL_TICKET_SUCCESS_RENEW; + break; + + default: + ret = SSL_TICKET_FATAL_ERR_OTHER; + } } - return -1; -} -static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen) -{ - size_t i; - for (i = 0; i < tlen; i++) { - if ((table[i].id) == id) - return table[i].nid; + if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) { + switch (ret) { + case SSL_TICKET_NO_DECRYPT: + case SSL_TICKET_SUCCESS_RENEW: + case SSL_TICKET_EMPTY: + s->ext.ticket_expected = 1; + } } - return NID_undef; -} -int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) -{ - int sig_id, md_id; - if (!md) - return 0; - md_id = tls12_find_id(EVP_MD_type(md), tls12_md, OSSL_NELEM(tls12_md)); - if (md_id == -1) - return 0; - sig_id = tls12_get_sigid(pk); - if (sig_id == -1) - return 0; - p[0] = (unsigned char)md_id; - p[1] = (unsigned char)sig_id; - return 1; -} + *psess = sess; -int tls12_get_sigid(const EVP_PKEY *pk) -{ - return tls12_find_id(EVP_PKEY_id(pk), tls12_sig, OSSL_NELEM(tls12_sig)); + return ret; } -typedef struct { - int nid; +/* Check to see if a signature algorithm is allowed */ +static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu) +{ + unsigned char sigalgstr[2]; int secbits; - int md_idx; - unsigned char tlsext_hash; -} tls12_hash_info; - -static const tls12_hash_info tls12_md_info[] = { - {NID_md5, 64, SSL_MD_MD5_IDX, TLSEXT_hash_md5}, - {NID_sha1, 80, SSL_MD_SHA1_IDX, TLSEXT_hash_sha1}, - {NID_sha224, 112, SSL_MD_SHA224_IDX, TLSEXT_hash_sha224}, - {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256}, - {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384}, - {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512}, - {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411}, - {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, - TLSEXT_hash_gostr34112012_256}, - {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, - TLSEXT_hash_gostr34112012_512}, -}; -static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg) -{ - unsigned int i; - if (hash_alg == 0) - return NULL; + /* See if sigalgs is recognised and if hash is enabled */ + if (!tls1_lookup_md(lu, NULL)) + return 0; + /* DSA is not allowed in TLS 1.3 */ + if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA) + return 0; + /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */ + if (!s->server && !SSL_IS_DTLS(s) && s->s3->tmp.min_ver >= TLS1_3_VERSION + && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX + || lu->hash_idx == SSL_MD_MD5_IDX + || lu->hash_idx == SSL_MD_SHA224_IDX)) + return 0; - for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) { - if (tls12_md_info[i].tlsext_hash == hash_alg) - return tls12_md_info + i; - } + /* See if public key algorithm allowed */ + if (ssl_cert_is_disabled(lu->sig_idx)) + return 0; - return NULL; -} + if (lu->sig == NID_id_GostR3410_2012_256 + || lu->sig == NID_id_GostR3410_2012_512 + || lu->sig == NID_id_GostR3410_2001) { + /* We never allow GOST sig algs on the server with TLSv1.3 */ + if (s->server && SSL_IS_TLS13(s)) + return 0; + if (!s->server + && s->method->version == TLS_ANY_VERSION + && s->s3->tmp.max_ver >= TLS1_3_VERSION) { + int i, num; + STACK_OF(SSL_CIPHER) *sk; -const EVP_MD *tls12_get_hash(unsigned char hash_alg) -{ - const tls12_hash_info *inf; - if (hash_alg == TLSEXT_hash_md5 && FIPS_mode()) - return NULL; - inf = tls12_get_hash_info(hash_alg); - if (!inf) - return NULL; - return ssl_md(inf->md_idx); -} + /* + * We're a client that could negotiate TLSv1.3. We only allow GOST + * sig algs if we could negotiate TLSv1.2 or below and we have GOST + * ciphersuites enabled. + */ -static int tls12_get_pkey_idx(unsigned char sig_alg) -{ - switch (sig_alg) { -#ifndef OPENSSL_NO_RSA - case TLSEXT_signature_rsa: - return SSL_PKEY_RSA_SIGN; -#endif -#ifndef OPENSSL_NO_DSA - case TLSEXT_signature_dsa: - return SSL_PKEY_DSA_SIGN; -#endif -#ifndef OPENSSL_NO_EC - case TLSEXT_signature_ecdsa: - return SSL_PKEY_ECC; -#endif -#ifndef OPENSSL_NO_GOST - case TLSEXT_signature_gostr34102001: - return SSL_PKEY_GOST01; + if (s->s3->tmp.min_ver >= TLS1_3_VERSION) + return 0; - case TLSEXT_signature_gostr34102012_256: - return SSL_PKEY_GOST12_256; + sk = SSL_get_ciphers(s); + num = sk != NULL ? sk_SSL_CIPHER_num(sk) : 0; + for (i = 0; i < num; i++) { + const SSL_CIPHER *c; - case TLSEXT_signature_gostr34102012_512: - return SSL_PKEY_GOST12_512; -#endif - } - return -1; -} + c = sk_SSL_CIPHER_value(sk, i); + /* Skip disabled ciphers */ + if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) + continue; -/* Convert TLS 1.2 signature algorithm extension values into NIDs */ -static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, - int *psignhash_nid, const unsigned char *data) -{ - int sign_nid = NID_undef, hash_nid = NID_undef; - if (!phash_nid && !psign_nid && !psignhash_nid) - return; - if (phash_nid || psignhash_nid) { - hash_nid = tls12_find_nid(data[0], tls12_md, OSSL_NELEM(tls12_md)); - if (phash_nid) - *phash_nid = hash_nid; - } - if (psign_nid || psignhash_nid) { - sign_nid = tls12_find_nid(data[1], tls12_sig, OSSL_NELEM(tls12_sig)); - if (psign_nid) - *psign_nid = sign_nid; - } - if (psignhash_nid) { - if (sign_nid == NID_undef || hash_nid == NID_undef - || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0) - *psignhash_nid = NID_undef; + if ((c->algorithm_mkey & SSL_kGOST) != 0) + break; + } + if (i == num) + return 0; + } } -} -/* Check to see if a signature algorithm is allowed */ -static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp) -{ - /* See if we have an entry in the hash table and it is enabled */ - const tls12_hash_info *hinf = tls12_get_hash_info(ptmp[0]); - if (hinf == NULL || ssl_md(hinf->md_idx) == NULL) - return 0; - /* See if public key algorithm allowed */ - if (tls12_get_pkey_idx(ptmp[1]) == -1) - return 0; + if (lu->hash == NID_undef) + return 1; + /* Security bits: half digest bits */ + secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4; /* Finally see if security callback allows it */ - return ssl_security(s, op, hinf->secbits, hinf->nid, (void *)ptmp); + sigalgstr[0] = (lu->sigalg >> 8) & 0xff; + sigalgstr[1] = lu->sigalg & 0xff; + return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr); } /* @@ -3444,81 +1634,79 @@ static int tls12_sigalg_allowed(SSL *s, int op, const unsigned char *ptmp) void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op) { - const unsigned char *sigalgs; + const uint16_t *sigalgs; size_t i, sigalgslen; - int have_rsa = 0, have_dsa = 0, have_ecdsa = 0; + uint32_t disabled_mask = SSL_aRSA | SSL_aDSS | SSL_aECDSA; /* - * Now go through all signature algorithms seeing if we support any for - * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep - * down calls to security callback only check if we have to. + * Go through all signature algorithms seeing if we support any + * in disabled_mask. */ sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs); - for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) { - switch (sigalgs[1]) { -#ifndef OPENSSL_NO_RSA - case TLSEXT_signature_rsa: - if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs)) - have_rsa = 1; - break; -#endif -#ifndef OPENSSL_NO_DSA - case TLSEXT_signature_dsa: - if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs)) - have_dsa = 1; - break; -#endif -#ifndef OPENSSL_NO_EC - case TLSEXT_signature_ecdsa: - if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs)) - have_ecdsa = 1; - break; -#endif - } + for (i = 0; i < sigalgslen; i++, sigalgs++) { + const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs); + const SSL_CERT_LOOKUP *clu; + + if (lu == NULL) + continue; + + clu = ssl_cert_lookup_by_idx(lu->sig_idx); + if (clu == NULL) + continue; + + /* If algorithm is disabled see if we can enable it */ + if ((clu->amask & disabled_mask) != 0 + && tls12_sigalg_allowed(s, op, lu)) + disabled_mask &= ~clu->amask; } - if (!have_rsa) - *pmask_a |= SSL_aRSA; - if (!have_dsa) - *pmask_a |= SSL_aDSS; - if (!have_ecdsa) - *pmask_a |= SSL_aECDSA; + *pmask_a |= disabled_mask; } -size_t tls12_copy_sigalgs(SSL *s, unsigned char *out, - const unsigned char *psig, size_t psiglen) +int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, + const uint16_t *psig, size_t psiglen) { - unsigned char *tmpout = out; size_t i; - for (i = 0; i < psiglen; i += 2, psig += 2) { - if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) { - *tmpout++ = psig[0]; - *tmpout++ = psig[1]; - } - } - return tmpout - out; + int rv = 0; + + for (i = 0; i < psiglen; i++, psig++) { + const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*psig); + + if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) + continue; + if (!WPACKET_put_bytes_u16(pkt, *psig)) + return 0; + /* + * If TLS 1.3 must have at least one valid TLS 1.3 message + * signing algorithm: i.e. neither RSA nor SHA1/SHA224 + */ + if (rv == 0 && (!SSL_IS_TLS13(s) + || (lu->sig != EVP_PKEY_RSA + && lu->hash != NID_sha1 + && lu->hash != NID_sha224))) + rv = 1; + } + if (rv == 0) + SSLerr(SSL_F_TLS12_COPY_SIGALGS, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); + return rv; } /* Given preference and allowed sigalgs set shared sigalgs */ -static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig, - const unsigned char *pref, size_t preflen, - const unsigned char *allow, size_t allowlen) +static size_t tls12_shared_sigalgs(SSL *s, const SIGALG_LOOKUP **shsig, + const uint16_t *pref, size_t preflen, + const uint16_t *allow, size_t allowlen) { - const unsigned char *ptmp, *atmp; + const uint16_t *ptmp, *atmp; size_t i, j, nmatch = 0; - for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) { + for (i = 0, ptmp = pref; i < preflen; i++, ptmp++) { + const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*ptmp); + /* Skip disabled hashes or signature algorithms */ - if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, ptmp)) + if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SHARED, lu)) continue; - for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) { - if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) { + for (j = 0, atmp = allow; j < allowlen; j++, atmp++) { + if (*ptmp == *atmp) { nmatch++; - if (shsig) { - shsig->rhash = ptmp[0]; - shsig->rsign = ptmp[1]; - tls1_lookup_sigalg(&shsig->hash_nid, - &shsig->sign_nid, - &shsig->signandhash_nid, ptmp); - shsig++; - } + if (shsig) + *shsig++ = lu; break; } } @@ -3529,10 +1717,10 @@ static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig, /* Set shared signature algorithms for SSL structures */ static int tls1_set_shared_sigalgs(SSL *s) { - const unsigned char *pref, *allow, *conf; + const uint16_t *pref, *allow, *conf; size_t preflen, allowlen, conflen; size_t nmatch; - TLS_SIGALGS *salgs = NULL; + const SIGALG_LOOKUP **salgs = NULL; CERT *c = s->cert; unsigned int is_suiteb = tls1_suiteb(s); @@ -3561,9 +1749,10 @@ static int tls1_set_shared_sigalgs(SSL *s) } nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen); if (nmatch) { - salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS)); - if (salgs == NULL) + if ((salgs = OPENSSL_malloc(nmatch * sizeof(*salgs))) == NULL) { + SSLerr(SSL_F_TLS1_SET_SHARED_SIGALGS, ERR_R_MALLOC_FAILURE); return 0; + } nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen); } else { salgs = NULL; @@ -3573,86 +1762,81 @@ static int tls1_set_shared_sigalgs(SSL *s) return 1; } -/* Set preferred digest for each key type */ +int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen) +{ + unsigned int stmp; + size_t size, i; + uint16_t *buf; + + size = PACKET_remaining(pkt); + + /* Invalid data length */ + if (size == 0 || (size & 1) != 0) + return 0; + + size >>= 1; + + if ((buf = OPENSSL_malloc(size * sizeof(*buf))) == NULL) { + SSLerr(SSL_F_TLS1_SAVE_U16, ERR_R_MALLOC_FAILURE); + return 0; + } + for (i = 0; i < size && PACKET_get_net_2(pkt, &stmp); i++) + buf[i] = stmp; + + if (i != size) { + OPENSSL_free(buf); + return 0; + } + + OPENSSL_free(*pdest); + *pdest = buf; + *pdestlen = size; + + return 1; +} -int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize) +int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert) { - CERT *c = s->cert; /* Extension ignored for inappropriate versions */ if (!SSL_USE_SIGALGS(s)) return 1; /* Should never happen */ - if (!c) + if (s->cert == NULL) return 0; - OPENSSL_free(s->s3->tmp.peer_sigalgs); - s->s3->tmp.peer_sigalgs = OPENSSL_malloc(dsize); - if (s->s3->tmp.peer_sigalgs == NULL) - return 0; - s->s3->tmp.peer_sigalgslen = dsize; - memcpy(s->s3->tmp.peer_sigalgs, data, dsize); - return 1; + if (cert) + return tls1_save_u16(pkt, &s->s3->tmp.peer_cert_sigalgs, + &s->s3->tmp.peer_cert_sigalgslen); + else + return tls1_save_u16(pkt, &s->s3->tmp.peer_sigalgs, + &s->s3->tmp.peer_sigalgslen); + } +/* Set preferred digest for each key type */ + int tls1_process_sigalgs(SSL *s) { - int idx; size_t i; - const EVP_MD *md; - const EVP_MD **pmd = s->s3->tmp.md; uint32_t *pvalid = s->s3->tmp.valid_flags; CERT *c = s->cert; - TLS_SIGALGS *sigptr; + if (!tls1_set_shared_sigalgs(s)) return 0; - for (i = 0, sigptr = c->shared_sigalgs; - i < c->shared_sigalgslen; i++, sigptr++) { - idx = tls12_get_pkey_idx(sigptr->rsign); - if (idx > 0 && pmd[idx] == NULL) { - md = tls12_get_hash(sigptr->rhash); - pmd[idx] = md; - pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN; - if (idx == SSL_PKEY_RSA_SIGN) { - pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN; - pmd[SSL_PKEY_RSA_ENC] = md; - } - } + for (i = 0; i < SSL_PKEY_NUM; i++) + pvalid[i] = 0; - } - /* - * In strict mode leave unset digests as NULL to indicate we can't use - * the certificate for signing. - */ - if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { - /* - * Set any remaining keys to default values. NOTE: if alg is not - * supported it stays as NULL. - */ -#ifndef OPENSSL_NO_DSA - if (pmd[SSL_PKEY_DSA_SIGN] == NULL) - pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1(); -#endif -#ifndef OPENSSL_NO_RSA - if (pmd[SSL_PKEY_RSA_SIGN] == NULL) { - pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1(); - pmd[SSL_PKEY_RSA_ENC] = EVP_sha1(); - } -#endif -#ifndef OPENSSL_NO_EC - if (pmd[SSL_PKEY_ECC] == NULL) - pmd[SSL_PKEY_ECC] = EVP_sha1(); -#endif -#ifndef OPENSSL_NO_GOST - if (pmd[SSL_PKEY_GOST01] == NULL) - pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94); - if (pmd[SSL_PKEY_GOST12_256] == NULL) - pmd[SSL_PKEY_GOST12_256] = - EVP_get_digestbynid(NID_id_GostR3411_2012_256); - if (pmd[SSL_PKEY_GOST12_512] == NULL) - pmd[SSL_PKEY_GOST12_512] = - EVP_get_digestbynid(NID_id_GostR3411_2012_512); -#endif + for (i = 0; i < c->shared_sigalgslen; i++) { + const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i]; + int idx = sigptr->sig_idx; + + /* Ignore PKCS1 based sig algs in TLSv1.3 */ + if (SSL_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) + continue; + /* If not disabled indicate we can explicitly sign */ + if (pvalid[idx] == 0 && !ssl_cert_is_disabled(idx)) + pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; } return 1; } @@ -3661,55 +1845,70 @@ int SSL_get_sigalgs(SSL *s, int idx, int *psign, int *phash, int *psignhash, unsigned char *rsig, unsigned char *rhash) { - const unsigned char *psig = s->s3->tmp.peer_sigalgs; - if (psig == NULL) + uint16_t *psig = s->s3->tmp.peer_sigalgs; + size_t numsigalgs = s->s3->tmp.peer_sigalgslen; + if (psig == NULL || numsigalgs > INT_MAX) return 0; if (idx >= 0) { - idx <<= 1; - if (idx >= (int)s->s3->tmp.peer_sigalgslen) + const SIGALG_LOOKUP *lu; + + if (idx >= (int)numsigalgs) return 0; psig += idx; - if (rhash) - *rhash = psig[0]; - if (rsig) - *rsig = psig[1]; - tls1_lookup_sigalg(phash, psign, psignhash, psig); + if (rhash != NULL) + *rhash = (unsigned char)((*psig >> 8) & 0xff); + if (rsig != NULL) + *rsig = (unsigned char)(*psig & 0xff); + lu = tls1_lookup_sigalg(*psig); + if (psign != NULL) + *psign = lu != NULL ? lu->sig : NID_undef; + if (phash != NULL) + *phash = lu != NULL ? lu->hash : NID_undef; + if (psignhash != NULL) + *psignhash = lu != NULL ? lu->sigandhash : NID_undef; } - return s->s3->tmp.peer_sigalgslen / 2; + return (int)numsigalgs; } int SSL_get_shared_sigalgs(SSL *s, int idx, int *psign, int *phash, int *psignhash, unsigned char *rsig, unsigned char *rhash) { - TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs; - if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen) + const SIGALG_LOOKUP *shsigalgs; + if (s->cert->shared_sigalgs == NULL + || idx < 0 + || idx >= (int)s->cert->shared_sigalgslen + || s->cert->shared_sigalgslen > INT_MAX) return 0; - shsigalgs += idx; - if (phash) - *phash = shsigalgs->hash_nid; - if (psign) - *psign = shsigalgs->sign_nid; - if (psignhash) - *psignhash = shsigalgs->signandhash_nid; - if (rsig) - *rsig = shsigalgs->rsign; - if (rhash) - *rhash = shsigalgs->rhash; - return s->cert->shared_sigalgslen; -} - -#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2) + shsigalgs = s->cert->shared_sigalgs[idx]; + if (phash != NULL) + *phash = shsigalgs->hash; + if (psign != NULL) + *psign = shsigalgs->sig; + if (psignhash != NULL) + *psignhash = shsigalgs->sigandhash; + if (rsig != NULL) + *rsig = (unsigned char)(shsigalgs->sigalg & 0xff); + if (rhash != NULL) + *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff); + return (int)s->cert->shared_sigalgslen; +} + +/* Maximum possible number of unique entries in sigalgs array */ +#define TLS_MAX_SIGALGCNT (OSSL_NELEM(sigalg_lookup_tbl) * 2) typedef struct { size_t sigalgcnt; - int sigalgs[MAX_SIGALGLEN]; + /* TLSEXT_SIGALG_XXX values */ + uint16_t sigalgs[TLS_MAX_SIGALGCNT]; } sig_cb_st; static void get_sigorhash(int *psig, int *phash, const char *str) { if (strcmp(str, "RSA") == 0) { *psig = EVP_PKEY_RSA; + } else if (strcmp(str, "RSA-PSS") == 0 || strcmp(str, "PSS") == 0) { + *psig = EVP_PKEY_RSA_PSS; } else if (strcmp(str, "DSA") == 0) { *psig = EVP_PKEY_DSA; } else if (strcmp(str, "ECDSA") == 0) { @@ -3720,41 +1919,71 @@ static void get_sigorhash(int *psig, int *phash, const char *str) *phash = OBJ_ln2nid(str); } } +/* Maximum length of a signature algorithm string component */ +#define TLS_MAX_SIGSTRING_LEN 40 static int sig_cb(const char *elem, int len, void *arg) { sig_cb_st *sarg = arg; size_t i; - char etmp[20], *p; + const SIGALG_LOOKUP *s; + char etmp[TLS_MAX_SIGSTRING_LEN], *p; int sig_alg = NID_undef, hash_alg = NID_undef; if (elem == NULL) return 0; - if (sarg->sigalgcnt == MAX_SIGALGLEN) + if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT) return 0; if (len > (int)(sizeof(etmp) - 1)) return 0; memcpy(etmp, elem, len); etmp[len] = 0; p = strchr(etmp, '+'); - if (!p) - return 0; - *p = 0; - p++; - if (!*p) - return 0; - - get_sigorhash(&sig_alg, &hash_alg, etmp); - get_sigorhash(&sig_alg, &hash_alg, p); - - if (sig_alg == NID_undef || hash_alg == NID_undef) - return 0; + /* + * We only allow SignatureSchemes listed in the sigalg_lookup_tbl; + * if there's no '+' in the provided name, look for the new-style combined + * name. If not, match both sig+hash to find the needed SIGALG_LOOKUP. + * Just sig+hash is not unique since TLS 1.3 adds rsa_pss_pss_* and + * rsa_pss_rsae_* that differ only by public key OID; in such cases + * we will pick the _rsae_ variant, by virtue of them appearing earlier + * in the table. + */ + if (p == NULL) { + for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); + i++, s++) { + if (s->name != NULL && strcmp(etmp, s->name) == 0) { + sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; + break; + } + } + if (i == OSSL_NELEM(sigalg_lookup_tbl)) + return 0; + } else { + *p = 0; + p++; + if (*p == 0) + return 0; + get_sigorhash(&sig_alg, &hash_alg, etmp); + get_sigorhash(&sig_alg, &hash_alg, p); + if (sig_alg == NID_undef || hash_alg == NID_undef) + return 0; + for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); + i++, s++) { + if (s->hash == hash_alg && s->sig == sig_alg) { + sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; + break; + } + } + if (i == OSSL_NELEM(sigalg_lookup_tbl)) + return 0; + } - for (i = 0; i < sarg->sigalgcnt; i += 2) { - if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg) + /* Reject duplicates */ + for (i = 0; i < sarg->sigalgcnt - 1; i++) { + if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) { + sarg->sigalgcnt--; return 0; + } } - sarg->sigalgs[sarg->sigalgcnt++] = hash_alg; - sarg->sigalgs[sarg->sigalgcnt++] = sig_alg; return 1; } @@ -3770,37 +1999,70 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client) return 0; if (c == NULL) return 1; - return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); + return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); +} + +int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, + int client) +{ + uint16_t *sigalgs; + + if ((sigalgs = OPENSSL_malloc(salglen * sizeof(*sigalgs))) == NULL) { + SSLerr(SSL_F_TLS1_SET_RAW_SIGALGS, ERR_R_MALLOC_FAILURE); + return 0; + } + memcpy(sigalgs, psigs, salglen * sizeof(*sigalgs)); + + if (client) { + OPENSSL_free(c->client_sigalgs); + c->client_sigalgs = sigalgs; + c->client_sigalgslen = salglen; + } else { + OPENSSL_free(c->conf_sigalgs); + c->conf_sigalgs = sigalgs; + c->conf_sigalgslen = salglen; + } + + return 1; } int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) { - unsigned char *sigalgs, *sptr; - int rhash, rsign; + uint16_t *sigalgs, *sptr; size_t i; + if (salglen & 1) return 0; - sigalgs = OPENSSL_malloc(salglen); - if (sigalgs == NULL) + if ((sigalgs = OPENSSL_malloc((salglen / 2) * sizeof(*sigalgs))) == NULL) { + SSLerr(SSL_F_TLS1_SET_SIGALGS, ERR_R_MALLOC_FAILURE); return 0; + } for (i = 0, sptr = sigalgs; i < salglen; i += 2) { - rhash = tls12_find_id(*psig_nids++, tls12_md, OSSL_NELEM(tls12_md)); - rsign = tls12_find_id(*psig_nids++, tls12_sig, OSSL_NELEM(tls12_sig)); + size_t j; + const SIGALG_LOOKUP *curr; + int md_id = *psig_nids++; + int sig_id = *psig_nids++; + + for (j = 0, curr = sigalg_lookup_tbl; j < OSSL_NELEM(sigalg_lookup_tbl); + j++, curr++) { + if (curr->hash == md_id && curr->sig == sig_id) { + *sptr++ = curr->sigalg; + break; + } + } - if (rhash == -1 || rsign == -1) + if (j == OSSL_NELEM(sigalg_lookup_tbl)) goto err; - *sptr++ = rhash; - *sptr++ = rsign; } if (client) { OPENSSL_free(c->client_sigalgs); c->client_sigalgs = sigalgs; - c->client_sigalgslen = salglen; + c->client_sigalgslen = salglen / 2; } else { OPENSSL_free(c->conf_sigalgs); c->conf_sigalgs = sigalgs; - c->conf_sigalgslen = salglen; + c->conf_sigalgslen = salglen / 2; } return 1; @@ -3820,7 +2082,7 @@ static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid) if (default_nid) return sig_nid == default_nid ? 1 : 0; for (i = 0; i < c->shared_sigalgslen; i++) - if (sig_nid == c->shared_sigalgs[i].signandhash_nid) + if (sig_nid == c->shared_sigalgs[i]->sigandhash) return 1; return 0; } @@ -3869,7 +2131,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, /* idx == -2 means checking client certificate chains */ if (idx == -2) { cpk = c->key; - idx = cpk - c->pkeys; + idx = (int)(cpk - c->pkeys); } else cpk = c->pkeys + idx; pvalid = s->s3->tmp.valid_flags + idx; @@ -3881,11 +2143,14 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, if (!x || !pk) goto end; } else { + size_t certidx; + if (!x || !pk) return 0; - idx = ssl_cert_type(x, pk); - if (idx == -1) + + if (ssl_cert_lookup_by_pkey(pk, &certidx) == NULL) return 0; + idx = certidx; pvalid = s->s3->tmp.valid_flags + idx; if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) @@ -3912,40 +2177,40 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, */ if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) { int default_nid; - unsigned char rsign = 0; - if (s->s3->tmp.peer_sigalgs) + int rsign = 0; + if (s->s3->tmp.peer_cert_sigalgs != NULL + || s->s3->tmp.peer_sigalgs != NULL) { default_nid = 0; /* If no sigalgs extension use defaults from RFC5246 */ - else { + } else { switch (idx) { - case SSL_PKEY_RSA_ENC: - case SSL_PKEY_RSA_SIGN: - rsign = TLSEXT_signature_rsa; + case SSL_PKEY_RSA: + rsign = EVP_PKEY_RSA; default_nid = NID_sha1WithRSAEncryption; break; case SSL_PKEY_DSA_SIGN: - rsign = TLSEXT_signature_dsa; + rsign = EVP_PKEY_DSA; default_nid = NID_dsaWithSHA1; break; case SSL_PKEY_ECC: - rsign = TLSEXT_signature_ecdsa; + rsign = EVP_PKEY_EC; default_nid = NID_ecdsa_with_SHA1; break; case SSL_PKEY_GOST01: - rsign = TLSEXT_signature_gostr34102001; + rsign = NID_id_GostR3410_2001; default_nid = NID_id_GostR3411_94_with_GostR3410_2001; break; case SSL_PKEY_GOST12_256: - rsign = TLSEXT_signature_gostr34102012_256; + rsign = NID_id_GostR3410_2012_256; default_nid = NID_id_tc26_signwithdigest_gost3410_2012_256; break; case SSL_PKEY_GOST12_512: - rsign = TLSEXT_signature_gostr34102012_512; + rsign = NID_id_GostR3410_2012_512; default_nid = NID_id_tc26_signwithdigest_gost3410_2012_512; break; @@ -3960,9 +2225,11 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, */ if (default_nid > 0 && c->conf_sigalgs) { size_t j; - const unsigned char *p = c->conf_sigalgs; - for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) { - if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign) + const uint16_t *p = c->conf_sigalgs; + for (j = 0; j < c->conf_sigalgslen; j++, p++) { + const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*p); + + if (lu != NULL && lu->hash == NID_sha1 && lu->sig == rsign) break; } if (j == c->conf_sigalgslen) { @@ -3994,7 +2261,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE; skip_sigs: /* Check cert parameters are consistent */ - if (tls1_check_cert_param(s, x, check_flags ? 1 : 2)) + if (tls1_check_cert_param(s, x, 1)) rv |= CERT_PKEY_EE_PARAM; else if (!check_flags) goto end; @@ -4029,27 +2296,22 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, break; } if (check_type) { - const unsigned char *ctypes; - int ctypelen; - if (c->ctypes) { - ctypes = c->ctypes; - ctypelen = (int)c->ctype_num; - } else { - ctypes = (unsigned char *)s->s3->tmp.ctype; - ctypelen = s->s3->tmp.ctype_num; - } - for (i = 0; i < ctypelen; i++) { - if (ctypes[i] == check_type) { + const uint8_t *ctypes = s->s3->tmp.ctype; + size_t j; + + for (j = 0; j < s->s3->tmp.ctype_len; j++, ctypes++) { + if (*ctypes == check_type) { rv |= CERT_PKEY_CERT_TYPE; break; } } if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags) goto end; - } else + } else { rv |= CERT_PKEY_CERT_TYPE; + } - ca_dn = s->s3->tmp.ca_names; + ca_dn = s->s3->tmp.peer_ca_names; if (!sk_X509_NAME_num(ca_dn)) rv |= CERT_PKEY_ISSUER_NAME; @@ -4077,12 +2339,9 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, end: - if (TLS1_get_version(s) >= TLS1_2_VERSION) { - if (*pvalid & CERT_PKEY_EXPLICIT_SIGN) - rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; - else if (s->s3->tmp.md[idx] != NULL) - rv |= CERT_PKEY_SIGN; - } else + if (TLS1_get_version(s) >= TLS1_2_VERSION) + rv |= *pvalid & (CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN); + else rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN; /* @@ -4090,11 +2349,11 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, * chain is invalid. */ if (!check_flags) { - if (rv & CERT_PKEY_VALID) + if (rv & CERT_PKEY_VALID) { *pvalid = rv; - else { - /* Preserve explicit sign flag, clear rest */ - *pvalid &= CERT_PKEY_EXPLICIT_SIGN; + } else { + /* Preserve sign and explicit sign flag, clear rest */ + *pvalid &= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN; return 0; } } @@ -4104,13 +2363,15 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, /* Set validity of certificates in an SSL structure */ void tls1_set_cert_validity(SSL *s) { - tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC); - tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_PSS_SIGN); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST01); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_256); tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_GOST12_512); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED25519); + tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ED448); } /* User level utility function to check a chain is suitable */ @@ -4131,8 +2392,9 @@ DH *ssl_get_auto_dh(SSL *s) else dh_secbits = 80; } else { - CERT_PKEY *cpk = ssl_get_server_send_pkey(s); - dh_secbits = EVP_PKEY_security_bits(cpk->privatekey); + if (s->s3->tmp.cert == NULL) + return NULL; + dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey); } if (dh_secbits >= 128) { @@ -4186,23 +2448,19 @@ static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) { /* Lookup signature algorithm digest */ - int secbits = -1, md_nid = NID_undef, sig_nid; + int secbits, nid, pknid; /* Don't check signature if self signed */ if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) return 1; - sig_nid = X509_get_signature_nid(x); - /* We are not able to look up the CA MD for RSA PSS in this version */ - if (sig_nid == NID_rsassaPss) - return 1; - if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) { - const EVP_MD *md; - if (md_nid && (md = EVP_get_digestbynid(md_nid))) - secbits = EVP_MD_size(md) * 4; - } + if (!X509_get_signature_info(x, &nid, &pknid, &secbits, NULL)) + secbits = -1; + /* If digest NID not defined use signature NID */ + if (nid == NID_undef) + nid = pknid; if (s) - return ssl_security(s, op, secbits, md_nid, x); + return ssl_security(s, op, secbits, nid, x); else - return ssl_ctx_security(ctx, op, secbits, md_nid, x); + return ssl_ctx_security(ctx, op, secbits, nid, x); } int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee) @@ -4248,3 +2506,272 @@ int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy) } return 1; } + +/* + * For TLS 1.2 servers check if we have a certificate which can be used + * with the signature algorithm "lu" and return index of certificate. + */ + +static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu) +{ + int sig_idx = lu->sig_idx; + const SSL_CERT_LOOKUP *clu = ssl_cert_lookup_by_idx(sig_idx); + + /* If not recognised or not supported by cipher mask it is not suitable */ + if (clu == NULL + || (clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0 + || (clu->nid == EVP_PKEY_RSA_PSS + && (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA) != 0)) + return -1; + + return s->s3->tmp.valid_flags[sig_idx] & CERT_PKEY_VALID ? sig_idx : -1; +} + +/* + * Returns true if |s| has a usable certificate configured for use + * with signature scheme |sig|. + * "Usable" includes a check for presence as well as applying + * the signature_algorithm_cert restrictions sent by the peer (if any). + * Returns false if no usable certificate is found. + */ +static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx) +{ + const SIGALG_LOOKUP *lu; + int mdnid, pknid; + size_t i; + + /* TLS 1.2 callers can override lu->sig_idx, but not TLS 1.3 callers. */ + if (idx == -1) + idx = sig->sig_idx; + if (!ssl_has_cert(s, idx)) + return 0; + if (s->s3->tmp.peer_cert_sigalgs != NULL) { + for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) { + lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]); + if (lu == NULL + || !X509_get_signature_info(s->cert->pkeys[idx].x509, &mdnid, + &pknid, NULL, NULL)) + continue; + /* + * TODO this does not differentiate between the + * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not + * have a chain here that lets us look at the key OID in the + * signing certificate. + */ + if (mdnid == lu->hash && pknid == lu->sig) + return 1; + } + return 0; + } + return 1; +} + +/* + * Choose an appropriate signature algorithm based on available certificates + * Sets chosen certificate and signature algorithm. + * + * For servers if we fail to find a required certificate it is a fatal error, + * an appropriate error code is set and a TLS alert is sent. + * + * For clients fatalerrs is set to 0. If a certificate is not suitable it is not + * a fatal error: we will either try another certificate or not present one + * to the server. In this case no error is set. + */ +int tls_choose_sigalg(SSL *s, int fatalerrs) +{ + const SIGALG_LOOKUP *lu = NULL; + int sig_idx = -1; + + s->s3->tmp.cert = NULL; + s->s3->tmp.sigalg = NULL; + + if (SSL_IS_TLS13(s)) { + size_t i; +#ifndef OPENSSL_NO_EC + int curve = -1; +#endif + + /* Look for a certificate matching shared sigalgs */ + for (i = 0; i < s->cert->shared_sigalgslen; i++) { + lu = s->cert->shared_sigalgs[i]; + sig_idx = -1; + + /* Skip SHA1, SHA224, DSA and RSA if not PSS */ + if (lu->hash == NID_sha1 + || lu->hash == NID_sha224 + || lu->sig == EVP_PKEY_DSA + || lu->sig == EVP_PKEY_RSA) + continue; + /* Check that we have a cert, and signature_algorithms_cert */ + if (!tls1_lookup_md(lu, NULL) || !has_usable_cert(s, lu, -1)) + continue; + if (lu->sig == EVP_PKEY_EC) { +#ifndef OPENSSL_NO_EC + if (curve == -1) { + EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey); + + curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); + } + if (lu->curve != NID_undef && curve != lu->curve) + continue; +#else + continue; +#endif + } else if (lu->sig == EVP_PKEY_RSA_PSS) { + /* validate that key is large enough for the signature algorithm */ + EVP_PKEY *pkey; + + pkey = s->cert->pkeys[lu->sig_idx].privatekey; + if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu)) + continue; + } + break; + } + if (i == s->cert->shared_sigalgslen) { + if (!fatalerrs) + return 1; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG, + SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); + return 0; + } + } else { + /* If ciphersuite doesn't require a cert nothing to do */ + if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aCERT)) + return 1; + if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys)) + return 1; + + if (SSL_USE_SIGALGS(s)) { + size_t i; + if (s->s3->tmp.peer_sigalgs != NULL) { +#ifndef OPENSSL_NO_EC + int curve; + + /* For Suite B need to match signature algorithm to curve */ + if (tls1_suiteb(s)) { + EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey); + curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); + } else { + curve = -1; + } +#endif + + /* + * Find highest preference signature algorithm matching + * cert type + */ + for (i = 0; i < s->cert->shared_sigalgslen; i++) { + lu = s->cert->shared_sigalgs[i]; + + if (s->server) { + if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1) + continue; + } else { + int cc_idx = s->cert->key - s->cert->pkeys; + + sig_idx = lu->sig_idx; + if (cc_idx != sig_idx) + continue; + } + /* Check that we have a cert, and sig_algs_cert */ + if (!has_usable_cert(s, lu, sig_idx)) + continue; + if (lu->sig == EVP_PKEY_RSA_PSS) { + /* validate that key is large enough for the signature algorithm */ + EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey; + + if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu)) + continue; + } +#ifndef OPENSSL_NO_EC + if (curve == -1 || lu->curve == curve) +#endif + break; + } + if (i == s->cert->shared_sigalgslen) { + if (!fatalerrs) + return 1; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_CHOOSE_SIGALG, + SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); + return 0; + } + } else { + /* + * If we have no sigalg use defaults + */ + const uint16_t *sent_sigs; + size_t sent_sigslen; + + if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { + if (!fatalerrs) + return 1; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG, + ERR_R_INTERNAL_ERROR); + return 0; + } + + /* Check signature matches a type we sent */ + sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); + for (i = 0; i < sent_sigslen; i++, sent_sigs++) { + if (lu->sigalg == *sent_sigs + && has_usable_cert(s, lu, lu->sig_idx)) + break; + } + if (i == sent_sigslen) { + if (!fatalerrs) + return 1; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_CHOOSE_SIGALG, + SSL_R_WRONG_SIGNATURE_TYPE); + return 0; + } + } + } else { + if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { + if (!fatalerrs) + return 1; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG, + ERR_R_INTERNAL_ERROR); + return 0; + } + } + } + if (sig_idx == -1) + sig_idx = lu->sig_idx; + s->s3->tmp.cert = &s->cert->pkeys[sig_idx]; + s->cert->key = s->s3->tmp.cert; + s->s3->tmp.sigalg = lu; + return 1; +} + +int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode) +{ + if (mode != TLSEXT_max_fragment_length_DISABLED + && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { + SSLerr(SSL_F_SSL_CTX_SET_TLSEXT_MAX_FRAGMENT_LENGTH, + SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); + return 0; + } + + ctx->ext.max_fragment_len_mode = mode; + return 1; +} + +int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode) +{ + if (mode != TLSEXT_max_fragment_length_DISABLED + && !IS_MAX_FRAGMENT_LENGTH_EXT_VALID(mode)) { + SSLerr(SSL_F_SSL_SET_TLSEXT_MAX_FRAGMENT_LENGTH, + SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); + return 0; + } + + ssl->ext.max_fragment_len_mode = mode; + return 1; +} + +uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session) +{ + return session->ext.max_fragment_len_mode; +} diff --git a/deps/openssl/openssl/ssl/t1_reneg.c b/deps/openssl/openssl/ssl/t1_reneg.c deleted file mode 100644 index 01dc403bdb..0000000000 --- a/deps/openssl/openssl/ssl/t1_reneg.c +++ /dev/null @@ -1,165 +0,0 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include <openssl/objects.h> -#include "ssl_locl.h" - -/* Add the client's renegotiation binding */ -int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, - int maxlen) -{ - if (p) { - if ((s->s3->previous_client_finished_len + 1) > maxlen) { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATE_EXT_TOO_LONG); - return 0; - } - - /* Length byte */ - *p = s->s3->previous_client_finished_len; - p++; - - memcpy(p, s->s3->previous_client_finished, - s->s3->previous_client_finished_len); - } - - *len = s->s3->previous_client_finished_len + 1; - - return 1; -} - -/* - * Parse the client's renegotiation binding and abort if it's not right - */ -int ssl_parse_clienthello_renegotiate_ext(SSL *s, PACKET *pkt, int *al) -{ - unsigned int ilen; - const unsigned char *d; - - /* Parse the length byte */ - if (!PACKET_get_1(pkt, &ilen) - || !PACKET_get_bytes(pkt, &d, ilen)) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_ENCODING_ERR); - *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - - /* Check that the extension matches */ - if (ilen != s->s3->previous_client_finished_len) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_MISMATCH); - *al = SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - - if (memcmp(d, s->s3->previous_client_finished, - s->s3->previous_client_finished_len)) { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_MISMATCH); - *al = SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - - s->s3->send_connection_binding = 1; - - return 1; -} - -/* Add the server's renegotiation binding */ -int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, - int maxlen) -{ - if (p) { - if ((s->s3->previous_client_finished_len + - s->s3->previous_server_finished_len + 1) > maxlen) { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATE_EXT_TOO_LONG); - return 0; - } - - /* Length byte */ - *p = s->s3->previous_client_finished_len + - s->s3->previous_server_finished_len; - p++; - - memcpy(p, s->s3->previous_client_finished, - s->s3->previous_client_finished_len); - p += s->s3->previous_client_finished_len; - - memcpy(p, s->s3->previous_server_finished, - s->s3->previous_server_finished_len); - } - - *len = s->s3->previous_client_finished_len - + s->s3->previous_server_finished_len + 1; - - return 1; -} - -/* - * Parse the server's renegotiation binding and abort if it's not right - */ -int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al) -{ - unsigned int expected_len = s->s3->previous_client_finished_len - + s->s3->previous_server_finished_len; - unsigned int ilen; - const unsigned char *data; - - /* Check for logic errors */ - OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len); - OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len); - - /* Parse the length byte */ - if (!PACKET_get_1(pkt, &ilen)) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_ENCODING_ERR); - *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - - /* Consistency check */ - if (PACKET_remaining(pkt) != ilen) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_ENCODING_ERR); - *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - - /* Check that the extension matches */ - if (ilen != expected_len) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_MISMATCH); - *al = SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - - if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len) - || memcmp(data, s->s3->previous_client_finished, - s->s3->previous_client_finished_len) != 0) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_MISMATCH); - *al = SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - - if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len) - || memcmp(data, s->s3->previous_server_finished, - s->s3->previous_server_finished_len) != 0) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, - SSL_R_RENEGOTIATION_MISMATCH); - *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - s->s3->send_connection_binding = 1; - - return 1; -} diff --git a/deps/openssl/openssl/ssl/t1_trce.c b/deps/openssl/openssl/ssl/t1_trce.c index 588cb8cc3d..be3039af38 100644 --- a/deps/openssl/openssl/ssl/t1_trce.c +++ b/deps/openssl/openssl/ssl/t1_trce.c @@ -19,15 +19,17 @@ typedef struct { } ssl_trace_tbl; # define ssl_trace_str(val, tbl) \ - do_ssl_trace_str(val, tbl, OSSL_NELEM(tbl)) + do_ssl_trace_str(val, tbl, OSSL_NELEM(tbl)) # define ssl_trace_list(bio, indent, msg, msglen, value, table) \ - do_ssl_trace_list(bio, indent, msg, msglen, value, \ - table, OSSL_NELEM(table)) + do_ssl_trace_list(bio, indent, msg, msglen, value, \ + table, OSSL_NELEM(table)) -static const char *do_ssl_trace_str(int val, ssl_trace_tbl *tbl, size_t ntbl) +static const char *do_ssl_trace_str(int val, const ssl_trace_tbl *tbl, + size_t ntbl) { size_t i; + for (i = 0; i < ntbl; i++, tbl++) { if (tbl->num == val) return tbl->name; @@ -37,9 +39,10 @@ static const char *do_ssl_trace_str(int val, ssl_trace_tbl *tbl, size_t ntbl) static int do_ssl_trace_list(BIO *bio, int indent, const unsigned char *msg, size_t msglen, - size_t vlen, ssl_trace_tbl *tbl, size_t ntbl) + size_t vlen, const ssl_trace_tbl *tbl, size_t ntbl) { int val; + if (msglen % vlen) return 0; while (msglen) { @@ -56,73 +59,80 @@ static int do_ssl_trace_list(BIO *bio, int indent, /* Version number */ -static ssl_trace_tbl ssl_version_tbl[] = { +static const ssl_trace_tbl ssl_version_tbl[] = { {SSL3_VERSION, "SSL 3.0"}, {TLS1_VERSION, "TLS 1.0"}, {TLS1_1_VERSION, "TLS 1.1"}, {TLS1_2_VERSION, "TLS 1.2"}, + {TLS1_3_VERSION, "TLS 1.3"}, {DTLS1_VERSION, "DTLS 1.0"}, {DTLS1_2_VERSION, "DTLS 1.2"}, {DTLS1_BAD_VER, "DTLS 1.0 (bad)"} }; -static ssl_trace_tbl ssl_content_tbl[] = { +static const ssl_trace_tbl ssl_content_tbl[] = { {SSL3_RT_CHANGE_CIPHER_SPEC, "ChangeCipherSpec"}, {SSL3_RT_ALERT, "Alert"}, {SSL3_RT_HANDSHAKE, "Handshake"}, {SSL3_RT_APPLICATION_DATA, "ApplicationData"}, - {DTLS1_RT_HEARTBEAT, "HeartBeat"} }; -/* Handshake types */ -static ssl_trace_tbl ssl_handshake_tbl[] = { +/* Handshake types, sorted by ascending id */ +static const ssl_trace_tbl ssl_handshake_tbl[] = { {SSL3_MT_HELLO_REQUEST, "HelloRequest"}, {SSL3_MT_CLIENT_HELLO, "ClientHello"}, {SSL3_MT_SERVER_HELLO, "ServerHello"}, {DTLS1_MT_HELLO_VERIFY_REQUEST, "HelloVerifyRequest"}, {SSL3_MT_NEWSESSION_TICKET, "NewSessionTicket"}, + {SSL3_MT_END_OF_EARLY_DATA, "EndOfEarlyData"}, + {SSL3_MT_ENCRYPTED_EXTENSIONS, "EncryptedExtensions"}, {SSL3_MT_CERTIFICATE, "Certificate"}, {SSL3_MT_SERVER_KEY_EXCHANGE, "ServerKeyExchange"}, {SSL3_MT_CERTIFICATE_REQUEST, "CertificateRequest"}, - {SSL3_MT_CLIENT_KEY_EXCHANGE, "ClientKeyExchange"}, - {SSL3_MT_CERTIFICATE_STATUS, "CertificateStatus"}, {SSL3_MT_SERVER_DONE, "ServerHelloDone"}, {SSL3_MT_CERTIFICATE_VERIFY, "CertificateVerify"}, {SSL3_MT_CLIENT_KEY_EXCHANGE, "ClientKeyExchange"}, {SSL3_MT_FINISHED, "Finished"}, - {SSL3_MT_CERTIFICATE_STATUS, "CertificateStatus"} + {SSL3_MT_CERTIFICATE_URL, "CertificateUrl"}, + {SSL3_MT_CERTIFICATE_STATUS, "CertificateStatus"}, + {SSL3_MT_SUPPLEMENTAL_DATA, "SupplementalData"}, + {SSL3_MT_KEY_UPDATE, "KeyUpdate"}, +# ifndef OPENSSL_NO_NEXTPROTONEG + {SSL3_MT_NEXT_PROTO, "NextProto"}, +# endif + {SSL3_MT_MESSAGE_HASH, "MessageHash"} }; /* Cipher suites */ -static ssl_trace_tbl ssl_ciphers_tbl[] = { - {0x0000, "SSL_NULL_WITH_NULL_NULL"}, - {0x0001, "SSL_RSA_WITH_NULL_MD5"}, - {0x0002, "SSL_RSA_WITH_NULL_SHA"}, - {0x0003, "SSL_RSA_EXPORT_WITH_RC4_40_MD5"}, - {0x0004, "SSL_RSA_WITH_RC4_128_MD5"}, - {0x0005, "SSL_RSA_WITH_RC4_128_SHA"}, - {0x0006, "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5"}, - {0x0007, "SSL_RSA_WITH_IDEA_CBC_SHA"}, - {0x0008, "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"}, - {0x0009, "SSL_RSA_WITH_DES_CBC_SHA"}, - {0x000A, "SSL_RSA_WITH_3DES_EDE_CBC_SHA"}, - {0x000B, "SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA"}, - {0x000C, "SSL_DH_DSS_WITH_DES_CBC_SHA"}, - {0x000D, "SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA"}, - {0x000E, "SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA"}, - {0x000F, "SSL_DH_RSA_WITH_DES_CBC_SHA"}, - {0x0010, "SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA"}, - {0x0011, "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"}, - {0x0012, "SSL_DHE_DSS_WITH_DES_CBC_SHA"}, - {0x0013, "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"}, - {0x0014, "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"}, - {0x0015, "SSL_DHE_RSA_WITH_DES_CBC_SHA"}, - {0x0016, "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"}, - {0x0017, "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5"}, - {0x0018, "SSL_DH_anon_WITH_RC4_128_MD5"}, - {0x0019, "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA"}, - {0x001A, "SSL_DH_anon_WITH_DES_CBC_SHA"}, - {0x001B, "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA"}, +static const ssl_trace_tbl ssl_ciphers_tbl[] = { + {0x0000, "TLS_NULL_WITH_NULL_NULL"}, + {0x0001, "TLS_RSA_WITH_NULL_MD5"}, + {0x0002, "TLS_RSA_WITH_NULL_SHA"}, + {0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5"}, + {0x0004, "TLS_RSA_WITH_RC4_128_MD5"}, + {0x0005, "TLS_RSA_WITH_RC4_128_SHA"}, + {0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5"}, + {0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA"}, + {0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}, + {0x0009, "TLS_RSA_WITH_DES_CBC_SHA"}, + {0x000A, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}, + {0x000B, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA"}, + {0x000C, "TLS_DH_DSS_WITH_DES_CBC_SHA"}, + {0x000D, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA"}, + {0x000E, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA"}, + {0x000F, "TLS_DH_RSA_WITH_DES_CBC_SHA"}, + {0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"}, + {0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"}, + {0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA"}, + {0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"}, + {0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"}, + {0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA"}, + {0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"}, + {0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5"}, + {0x0018, "TLS_DH_anon_WITH_RC4_128_MD5"}, + {0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA"}, + {0x001A, "TLS_DH_anon_WITH_DES_CBC_SHA"}, + {0x001B, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"}, {0x001D, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA"}, {0x001E, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA"}, {0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA"}, @@ -172,6 +182,8 @@ static ssl_trace_tbl ssl_ciphers_tbl[] = { {0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"}, {0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256"}, {0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256"}, + {0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT"}, + {0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411"}, {0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"}, {0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA"}, {0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA"}, @@ -422,18 +434,25 @@ static ssl_trace_tbl ssl_ciphers_tbl[] = { {0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"}, {0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"}, {0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256"}, + {0x1301, "TLS_AES_128_GCM_SHA256"}, + {0x1302, "TLS_AES_256_GCM_SHA384"}, + {0x1303, "TLS_CHACHA20_POLY1305_SHA256"}, + {0x1304, "TLS_AES_128_CCM_SHA256"}, + {0x1305, "TLS_AES_128_CCM_8_SHA256"}, {0xFEFE, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, {0xFEFF, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"}, + {0xFF85, "GOST2012-GOST8912-GOST8912"}, + {0xFF87, "GOST2012-NULL-GOST12"}, }; /* Compression methods */ -static ssl_trace_tbl ssl_comp_tbl[] = { +static const ssl_trace_tbl ssl_comp_tbl[] = { {0x0000, "No Compression"}, {0x0001, "Zlib Compression"} }; -/* Extensions */ -static ssl_trace_tbl ssl_exts_tbl[] = { +/* Extensions sorted by ascending id */ +static const ssl_trace_tbl ssl_exts_tbl[] = { {TLSEXT_TYPE_server_name, "server_name"}, {TLSEXT_TYPE_max_fragment_length, "max_fragment_length"}, {TLSEXT_TYPE_client_certificate_url, "client_certificate_url"}, @@ -444,24 +463,35 @@ static ssl_trace_tbl ssl_exts_tbl[] = { {TLSEXT_TYPE_client_authz, "client_authz"}, {TLSEXT_TYPE_server_authz, "server_authz"}, {TLSEXT_TYPE_cert_type, "cert_type"}, - {TLSEXT_TYPE_elliptic_curves, "elliptic_curves"}, + {TLSEXT_TYPE_supported_groups, "supported_groups"}, {TLSEXT_TYPE_ec_point_formats, "ec_point_formats"}, {TLSEXT_TYPE_srp, "srp"}, {TLSEXT_TYPE_signature_algorithms, "signature_algorithms"}, {TLSEXT_TYPE_use_srtp, "use_srtp"}, - {TLSEXT_TYPE_heartbeat, "heartbeat"}, + {TLSEXT_TYPE_heartbeat, "tls_heartbeat"}, + {TLSEXT_TYPE_application_layer_protocol_negotiation, + "application_layer_protocol_negotiation"}, + {TLSEXT_TYPE_signed_certificate_timestamp, "signed_certificate_timestamps"}, + {TLSEXT_TYPE_padding, "padding"}, + {TLSEXT_TYPE_encrypt_then_mac, "encrypt_then_mac"}, + {TLSEXT_TYPE_extended_master_secret, "extended_master_secret"}, {TLSEXT_TYPE_session_ticket, "session_ticket"}, + {TLSEXT_TYPE_psk, "psk"}, + {TLSEXT_TYPE_early_data, "early_data"}, + {TLSEXT_TYPE_supported_versions, "supported_versions"}, + {TLSEXT_TYPE_cookie, "cookie_ext"}, + {TLSEXT_TYPE_psk_kex_modes, "psk_key_exchange_modes"}, + {TLSEXT_TYPE_certificate_authorities, "certificate_authorities"}, + {TLSEXT_TYPE_post_handshake_auth, "post_handshake_auth"}, + {TLSEXT_TYPE_signature_algorithms_cert, "signature_algorithms_cert"}, + {TLSEXT_TYPE_key_share, "key_share"}, {TLSEXT_TYPE_renegotiate, "renegotiate"}, # ifndef OPENSSL_NO_NEXTPROTONEG {TLSEXT_TYPE_next_proto_neg, "next_proto_neg"}, # endif - {TLSEXT_TYPE_signed_certificate_timestamp, "signed_certificate_timestamps"}, - {TLSEXT_TYPE_padding, "padding"}, - {TLSEXT_TYPE_encrypt_then_mac, "encrypt_then_mac"}, - {TLSEXT_TYPE_extended_master_secret, "extended_master_secret"} }; -static ssl_trace_tbl ssl_curve_tbl[] = { +static const ssl_trace_tbl ssl_groups_tbl[] = { {1, "sect163k1 (K-163)"}, {2, "sect163r1"}, {3, "sect163r2 (B-163)"}, @@ -491,50 +521,60 @@ static ssl_trace_tbl ssl_curve_tbl[] = { {27, "brainpoolP384r1"}, {28, "brainpoolP512r1"}, {29, "ecdh_x25519"}, + {30, "ecdh_x448"}, + {256, "ffdhe2048"}, + {257, "ffdhe3072"}, + {258, "ffdhe4096"}, + {259, "ffdhe6144"}, + {260, "ffdhe8192"}, {0xFF01, "arbitrary_explicit_prime_curves"}, {0xFF02, "arbitrary_explicit_char2_curves"} }; -static ssl_trace_tbl ssl_point_tbl[] = { +static const ssl_trace_tbl ssl_point_tbl[] = { {0, "uncompressed"}, {1, "ansiX962_compressed_prime"}, {2, "ansiX962_compressed_char2"} }; -static ssl_trace_tbl ssl_md_tbl[] = { - {TLSEXT_hash_none, "none"}, - {TLSEXT_hash_md5, "md5"}, - {TLSEXT_hash_sha1, "sha1"}, - {TLSEXT_hash_sha224, "sha224"}, - {TLSEXT_hash_sha256, "sha256"}, - {TLSEXT_hash_sha384, "sha384"}, - {TLSEXT_hash_sha512, "sha512"}, - {TLSEXT_hash_gostr3411, "md_gost94"}, - {TLSEXT_hash_gostr34112012_256, "md_gost2012_256"}, - {TLSEXT_hash_gostr34112012_512, "md_gost2012_512"} +static const ssl_trace_tbl ssl_mfl_tbl[] = { + {0, "disabled"}, + {1, "max_fragment_length := 2^9 (512 bytes)"}, + {2, "max_fragment_length := 2^10 (1024 bytes)"}, + {3, "max_fragment_length := 2^11 (2048 bytes)"}, + {4, "max_fragment_length := 2^12 (4096 bytes)"} }; -static ssl_trace_tbl ssl_sig_tbl[] = { - {TLSEXT_signature_anonymous, "anonymous"}, - {TLSEXT_signature_rsa, "rsa"}, - {TLSEXT_signature_dsa, "dsa"}, - {TLSEXT_signature_ecdsa, "ecdsa"}, - {TLSEXT_signature_gostr34102001, "gost2001"}, - {TLSEXT_signature_gostr34102012_256, "gost2012_256"}, - {TLSEXT_signature_gostr34102012_512, "gost2012_512"} +static const ssl_trace_tbl ssl_sigalg_tbl[] = { + {TLSEXT_SIGALG_ecdsa_secp256r1_sha256, "ecdsa_secp256r1_sha256"}, + {TLSEXT_SIGALG_ecdsa_secp384r1_sha384, "ecdsa_secp384r1_sha384"}, + {TLSEXT_SIGALG_ecdsa_secp521r1_sha512, "ecdsa_secp521r1_sha512"}, + {TLSEXT_SIGALG_ecdsa_sha224, "ecdsa_sha224"}, + {TLSEXT_SIGALG_ed25519, "ed25519"}, + {TLSEXT_SIGALG_ed448, "ed448"}, + {TLSEXT_SIGALG_ecdsa_sha1, "ecdsa_sha1"}, + {TLSEXT_SIGALG_rsa_pss_rsae_sha256, "rsa_pss_rsae_sha256"}, + {TLSEXT_SIGALG_rsa_pss_rsae_sha384, "rsa_pss_rsae_sha384"}, + {TLSEXT_SIGALG_rsa_pss_rsae_sha512, "rsa_pss_rsae_sha512"}, + {TLSEXT_SIGALG_rsa_pss_pss_sha256, "rsa_pss_pss_sha256"}, + {TLSEXT_SIGALG_rsa_pss_pss_sha384, "rsa_pss_pss_sha384"}, + {TLSEXT_SIGALG_rsa_pss_pss_sha512, "rsa_pss_pss_sha512"}, + {TLSEXT_SIGALG_rsa_pkcs1_sha256, "rsa_pkcs1_sha256"}, + {TLSEXT_SIGALG_rsa_pkcs1_sha384, "rsa_pkcs1_sha384"}, + {TLSEXT_SIGALG_rsa_pkcs1_sha512, "rsa_pkcs1_sha512"}, + {TLSEXT_SIGALG_rsa_pkcs1_sha224, "rsa_pkcs1_sha224"}, + {TLSEXT_SIGALG_rsa_pkcs1_sha1, "rsa_pkcs1_sha1"}, + {TLSEXT_SIGALG_dsa_sha256, "dsa_sha256"}, + {TLSEXT_SIGALG_dsa_sha384, "dsa_sha384"}, + {TLSEXT_SIGALG_dsa_sha512, "dsa_sha512"}, + {TLSEXT_SIGALG_dsa_sha224, "dsa_sha224"}, + {TLSEXT_SIGALG_dsa_sha1, "dsa_sha1"}, + {TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, "gost2012_256"}, + {TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, "gost2012_512"}, + {TLSEXT_SIGALG_gostr34102001_gostr3411, "gost2001_gost94"}, }; -static ssl_trace_tbl ssl_hb_tbl[] = { - {1, "peer_allowed_to_send"}, - {2, "peer_not_allowed_to_send"} -}; - -static ssl_trace_tbl ssl_hb_type_tbl[] = { - {1, "heartbeat_request"}, - {2, "heartbeat_response"} -}; - -static ssl_trace_tbl ssl_ctype_tbl[] = { +static const ssl_trace_tbl ssl_ctype_tbl[] = { {1, "rsa_sign"}, {2, "dss_sign"}, {3, "rsa_fixed_dh"}, @@ -547,10 +587,21 @@ static ssl_trace_tbl ssl_ctype_tbl[] = { {66, "ecdsa_fixed_ecdh"} }; +static const ssl_trace_tbl ssl_psk_kex_modes_tbl[] = { + {TLSEXT_KEX_MODE_KE, "psk_ke"}, + {TLSEXT_KEX_MODE_KE_DHE, "psk_dhe_ke"} +}; + +static const ssl_trace_tbl ssl_key_update_tbl[] = { + {SSL_KEY_UPDATE_NOT_REQUESTED, "update_not_requested"}, + {SSL_KEY_UPDATE_REQUESTED, "update_requested"} +}; + static void ssl_print_hex(BIO *bio, int indent, const char *name, const unsigned char *msg, size_t msglen) { size_t i; + BIO_indent(bio, indent, 80); BIO_printf(bio, "%s (len=%d): ", name, (int)msglen); for (i = 0; i < msglen; i++) @@ -558,12 +609,12 @@ static void ssl_print_hex(BIO *bio, int indent, const char *name, BIO_puts(bio, "\n"); } -static int ssl_print_hexbuf(BIO *bio, int indent, - const char *name, size_t nlen, +static int ssl_print_hexbuf(BIO *bio, int indent, const char *name, size_t nlen, const unsigned char **pmsg, size_t *pmsglen) { size_t blen; const unsigned char *p = *pmsg; + if (*pmsglen < nlen) return 0; blen = p[0]; @@ -579,12 +630,16 @@ static int ssl_print_hexbuf(BIO *bio, int indent, } static int ssl_print_version(BIO *bio, int indent, const char *name, - const unsigned char **pmsg, size_t *pmsglen) + const unsigned char **pmsg, size_t *pmsglen, + unsigned int *version) { int vers; + if (*pmsglen < 2) return 0; vers = ((*pmsg)[0] << 8) | (*pmsg)[1]; + if (version != NULL) + *version = vers; BIO_indent(bio, indent, 80); BIO_printf(bio, "%s=0x%x (%s)\n", name, vers, ssl_trace_str(vers, ssl_version_tbl)); @@ -598,6 +653,7 @@ static int ssl_print_random(BIO *bio, int indent, { unsigned int tm; const unsigned char *p = *pmsg; + if (*pmsglen < 32) return 0; tm = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; @@ -612,31 +668,42 @@ static int ssl_print_random(BIO *bio, int indent, return 1; } -static int ssl_print_signature(BIO *bio, int indent, SSL *s, +static int ssl_print_signature(BIO *bio, int indent, const SSL *ssl, const unsigned char **pmsg, size_t *pmsglen) { if (*pmsglen < 2) return 0; - if (SSL_USE_SIGALGS(s)) { + if (SSL_USE_SIGALGS(ssl)) { const unsigned char *p = *pmsg; + unsigned int sigalg = (p[0] << 8) | p[1]; + BIO_indent(bio, indent, 80); - BIO_printf(bio, "Signature Algorithm %s+%s (%d+%d)\n", - ssl_trace_str(p[0], ssl_md_tbl), - ssl_trace_str(p[1], ssl_sig_tbl), p[0], p[1]); + BIO_printf(bio, "Signature Algorithm: %s (0x%04x)\n", + ssl_trace_str(sigalg, ssl_sigalg_tbl), sigalg); *pmsg += 2; *pmsglen -= 2; } return ssl_print_hexbuf(bio, indent, "Signature", 2, pmsg, pmsglen); } -static int ssl_print_extension(BIO *bio, int indent, int server, int extype, +static int ssl_print_extension(BIO *bio, int indent, int server, + unsigned char mt, int extype, const unsigned char *ext, size_t extlen) { - size_t xlen; + size_t xlen, share_len; + unsigned int sigalg; + uint32_t max_early_data; + BIO_indent(bio, indent, 80); BIO_printf(bio, "extension_type=%s(%d), length=%d\n", ssl_trace_str(extype, ssl_exts_tbl), extype, (int)extlen); switch (extype) { + case TLSEXT_TYPE_max_fragment_length: + if (extlen < 1) + return 0; + xlen = extlen; + return ssl_trace_list(bio, indent + 2, ext, xlen, 1, ssl_mfl_tbl); + case TLSEXT_TYPE_ec_point_formats: if (extlen < 1) return 0; @@ -645,13 +712,32 @@ static int ssl_print_extension(BIO *bio, int indent, int server, int extype, return 0; return ssl_trace_list(bio, indent + 2, ext + 1, xlen, 1, ssl_point_tbl); - case TLSEXT_TYPE_elliptic_curves: + case TLSEXT_TYPE_supported_groups: if (extlen < 2) return 0; xlen = (ext[0] << 8) | ext[1]; if (extlen != xlen + 2) return 0; - return ssl_trace_list(bio, indent + 2, ext + 2, xlen, 2, ssl_curve_tbl); + return ssl_trace_list(bio, indent + 2, ext + 2, xlen, 2, ssl_groups_tbl); + case TLSEXT_TYPE_application_layer_protocol_negotiation: + if (extlen < 2) + return 0; + xlen = (ext[0] << 8) | ext[1]; + if (extlen != xlen + 2) + return 0; + ext += 2; + while (xlen > 0) { + size_t plen = *ext++; + + if (plen + 1 > xlen) + return 0; + BIO_indent(bio, indent + 2, 80); + BIO_write(bio, ext, plen); + BIO_puts(bio, "\n"); + ext += plen; + xlen -= plen + 1; + } + return 1; case TLSEXT_TYPE_signature_algorithms: @@ -665,9 +751,9 @@ static int ssl_print_extension(BIO *bio, int indent, int server, int extype, ext += 2; while (xlen > 0) { BIO_indent(bio, indent + 2, 80); - BIO_printf(bio, "%s+%s (%d+%d)\n", - ssl_trace_str(ext[0], ssl_md_tbl), - ssl_trace_str(ext[1], ssl_sig_tbl), ext[0], ext[1]); + sigalg = (ext[0] << 8) | ext[1]; + BIO_printf(bio, "%s (0x%04x)\n", + ssl_trace_str(sigalg, ssl_sigalg_tbl), sigalg); xlen -= 2; ext += 2; } @@ -698,18 +784,92 @@ static int ssl_print_extension(BIO *bio, int indent, int server, int extype, break; case TLSEXT_TYPE_heartbeat: - if (extlen != 1) - return 0; - BIO_indent(bio, indent + 2, 80); - BIO_printf(bio, "HeartbeatMode: %s\n", - ssl_trace_str(ext[0], ssl_hb_tbl)); - break; + return 0; case TLSEXT_TYPE_session_ticket: if (extlen != 0) ssl_print_hex(bio, indent + 4, "ticket", ext, extlen); break; + case TLSEXT_TYPE_key_share: + if (server && extlen == 2) { + int group_id; + + /* We assume this is an HRR, otherwise this is an invalid key_share */ + group_id = (ext[0] << 8) | ext[1]; + BIO_indent(bio, indent + 4, 80); + BIO_printf(bio, "NamedGroup: %s (%d)\n", + ssl_trace_str(group_id, ssl_groups_tbl), group_id); + break; + } + if (extlen < 2) + return 0; + if (server) { + xlen = extlen; + } else { + xlen = (ext[0] << 8) | ext[1]; + if (extlen != xlen + 2) + return 0; + ext += 2; + } + for (; xlen > 0; ext += share_len, xlen -= share_len) { + int group_id; + + if (xlen < 4) + return 0; + group_id = (ext[0] << 8) | ext[1]; + share_len = (ext[2] << 8) | ext[3]; + ext += 4; + xlen -= 4; + if (xlen < share_len) + return 0; + BIO_indent(bio, indent + 4, 80); + BIO_printf(bio, "NamedGroup: %s (%d)\n", + ssl_trace_str(group_id, ssl_groups_tbl), group_id); + ssl_print_hex(bio, indent + 4, "key_exchange: ", ext, share_len); + } + break; + + case TLSEXT_TYPE_supported_versions: + if (server) { + int version; + + if (extlen != 2) + return 0; + version = (ext[0] << 8) | ext[1]; + BIO_indent(bio, indent + 4, 80); + BIO_printf(bio, "%s (%d)\n", + ssl_trace_str(version, ssl_version_tbl), version); + break; + } + if (extlen < 1) + return 0; + xlen = ext[0]; + if (extlen != xlen + 1) + return 0; + return ssl_trace_list(bio, indent + 2, ext + 1, xlen, 2, + ssl_version_tbl); + + case TLSEXT_TYPE_psk_kex_modes: + if (extlen < 1) + return 0; + xlen = ext[0]; + if (extlen != xlen + 1) + return 0; + return ssl_trace_list(bio, indent + 2, ext + 1, xlen, 1, + ssl_psk_kex_modes_tbl); + + case TLSEXT_TYPE_early_data: + if (mt != SSL3_MT_NEWSESSION_TICKET) + break; + if (extlen != 4) + return 0; + max_early_data = (ext[0] << 24) | (ext[1] << 16) | (ext[2] << 8) + | ext[3]; + BIO_indent(bio, indent + 2, 80); + BIO_printf(bio, "max_early_data=%u\n", max_early_data); + break; + default: BIO_dump_indent(bio, (const char *)ext, extlen, indent + 2); } @@ -717,46 +877,65 @@ static int ssl_print_extension(BIO *bio, int indent, int server, int extype, } static int ssl_print_extensions(BIO *bio, int indent, int server, - const unsigned char *msg, size_t msglen) + unsigned char mt, const unsigned char **msgin, + size_t *msginlen) { - size_t extslen; + size_t extslen, msglen = *msginlen; + const unsigned char *msg = *msgin; + BIO_indent(bio, indent, 80); if (msglen == 0) { - BIO_puts(bio, "No Extensions\n"); + BIO_puts(bio, "No extensions\n"); return 1; } if (msglen < 2) return 0; extslen = (msg[0] << 8) | msg[1]; - if (extslen != msglen - 2) - return 0; + msglen -= 2; msg += 2; - msglen = extslen; - BIO_printf(bio, "extensions, length = %d\n", (int)msglen); - while (msglen > 0) { + if (extslen == 0) { + BIO_puts(bio, "No extensions\n"); + *msgin = msg; + *msginlen = msglen; + return 1; + } + if (extslen > msglen) + return 0; + BIO_printf(bio, "extensions, length = %d\n", (int)extslen); + msglen -= extslen; + while (extslen > 0) { int extype; size_t extlen; - if (msglen < 4) + if (extslen < 4) return 0; extype = (msg[0] << 8) | msg[1]; extlen = (msg[2] << 8) | msg[3]; - if (msglen < extlen + 4) + if (extslen < extlen + 4) { + BIO_printf(bio, "extensions, extype = %d, extlen = %d\n", extype, + (int)extlen); + BIO_dump_indent(bio, (const char *)msg, extslen, indent + 2); return 0; + } msg += 4; - if (!ssl_print_extension(bio, indent + 2, server, extype, msg, extlen)) + if (!ssl_print_extension(bio, indent + 2, server, mt, extype, msg, + extlen)) return 0; msg += extlen; - msglen -= extlen + 4; + extslen -= extlen + 4; } + + *msgin = msg; + *msginlen = msglen; return 1; } -static int ssl_print_client_hello(BIO *bio, SSL *ssl, int indent, +static int ssl_print_client_hello(BIO *bio, const SSL *ssl, int indent, const unsigned char *msg, size_t msglen) { size_t len; unsigned int cs; - if (!ssl_print_version(bio, indent, "client_version", &msg, &msglen)) + + if (!ssl_print_version(bio, indent, "client_version", &msg, &msglen, NULL)) return 0; if (!ssl_print_random(bio, indent, &msg, &msglen)) return 0; @@ -801,7 +980,8 @@ static int ssl_print_client_hello(BIO *bio, SSL *ssl, int indent, msglen--; len--; } - if (!ssl_print_extensions(bio, indent, 0, msg, msglen)) + if (!ssl_print_extensions(bio, indent, 0, SSL3_MT_CLIENT_HELLO, &msg, + &msglen)) return 0; return 1; } @@ -809,7 +989,7 @@ static int ssl_print_client_hello(BIO *bio, SSL *ssl, int indent, static int dtls_print_hello_vfyrequest(BIO *bio, int indent, const unsigned char *msg, size_t msglen) { - if (!ssl_print_version(bio, indent, "server_version", &msg, &msglen)) + if (!ssl_print_version(bio, indent, "server_version", &msg, &msglen, NULL)) return 0; if (!ssl_print_hexbuf(bio, indent, "cookie", 1, &msg, &msglen)) return 0; @@ -820,11 +1000,14 @@ static int ssl_print_server_hello(BIO *bio, int indent, const unsigned char *msg, size_t msglen) { unsigned int cs; - if (!ssl_print_version(bio, indent, "server_version", &msg, &msglen)) + unsigned int vers; + + if (!ssl_print_version(bio, indent, "server_version", &msg, &msglen, &vers)) return 0; if (!ssl_print_random(bio, indent, &msg, &msglen)) return 0; - if (!ssl_print_hexbuf(bio, indent, "session_id", 1, &msg, &msglen)) + if (vers != TLS1_3_VERSION + && !ssl_print_hexbuf(bio, indent, "session_id", 1, &msg, &msglen)) return 0; if (msglen < 2) return 0; @@ -834,21 +1017,25 @@ static int ssl_print_server_hello(BIO *bio, int indent, msg[0], msg[1], ssl_trace_str(cs, ssl_ciphers_tbl)); msg += 2; msglen -= 2; - if (msglen < 1) - return 0; - BIO_indent(bio, indent, 80); - BIO_printf(bio, "compression_method: %s (0x%02X)\n", - ssl_trace_str(msg[0], ssl_comp_tbl), msg[0]); - msg++; - msglen--; - if (!ssl_print_extensions(bio, indent, 1, msg, msglen)) + if (vers != TLS1_3_VERSION) { + if (msglen < 1) + return 0; + BIO_indent(bio, indent, 80); + BIO_printf(bio, "compression_method: %s (0x%02X)\n", + ssl_trace_str(msg[0], ssl_comp_tbl), msg[0]); + msg++; + msglen--; + } + if (!ssl_print_extensions(bio, indent, 1, SSL3_MT_SERVER_HELLO, &msg, + &msglen)) return 0; return 1; } -static int ssl_get_keyex(const char **pname, SSL *ssl) +static int ssl_get_keyex(const char **pname, const SSL *ssl) { unsigned long alg_k = ssl->s3->tmp.new_cipher->algorithm_mkey; + if (alg_k & SSL_kRSA) { *pname = "rsa"; return SSL_kRSA; @@ -889,12 +1076,12 @@ static int ssl_get_keyex(const char **pname, SSL *ssl) return 0; } -static int ssl_print_client_keyex(BIO *bio, int indent, SSL *ssl, +static int ssl_print_client_keyex(BIO *bio, int indent, const SSL *ssl, const unsigned char *msg, size_t msglen) { const char *algname; - int id; - id = ssl_get_keyex(&algname, ssl); + int id = ssl_get_keyex(&algname, ssl); + BIO_indent(bio, indent, 80); BIO_printf(bio, "KeyExchangeAlgorithm=%s\n", algname); if (id & SSL_PSK) { @@ -908,10 +1095,10 @@ static int ssl_print_client_keyex(BIO *bio, int indent, SSL *ssl, case SSL_kRSAPSK: if (TLS1_get_version(ssl) == SSL3_VERSION) { ssl_print_hex(bio, indent + 2, - "EncyptedPreMasterSecret", msg, msglen); + "EncryptedPreMasterSecret", msg, msglen); } else { if (!ssl_print_hexbuf(bio, indent + 2, - "EncyptedPreMasterSecret", 2, &msg, &msglen)) + "EncryptedPreMasterSecret", 2, &msg, &msglen)) return 0; } break; @@ -933,12 +1120,12 @@ static int ssl_print_client_keyex(BIO *bio, int indent, SSL *ssl, return !msglen; } -static int ssl_print_server_keyex(BIO *bio, int indent, SSL *ssl, +static int ssl_print_server_keyex(BIO *bio, int indent, const SSL *ssl, const unsigned char *msg, size_t msglen) { const char *algname; - int id; - id = ssl_get_keyex(&algname, ssl); + int id = ssl_get_keyex(&algname, ssl); + BIO_indent(bio, indent, 80); BIO_printf(bio, "KeyExchangeAlgorithm=%s\n", algname); if (id & SSL_PSK) { @@ -982,7 +1169,7 @@ static int ssl_print_server_keyex(BIO *bio, int indent, SSL *ssl, return 0; curve = (msg[1] << 8) | msg[2]; BIO_printf(bio, "named_curve: %s (%d)\n", - ssl_trace_str(curve, ssl_curve_tbl), curve); + ssl_trace_str(curve, ssl_groups_tbl), curve); msg += 3; msglen -= 3; if (!ssl_print_hexbuf(bio, indent + 2, "point", 1, &msg, &msglen)) @@ -1010,6 +1197,7 @@ static int ssl_print_certificate(BIO *bio, int indent, size_t clen; X509 *x; const unsigned char *p = *pmsg, *q; + if (msglen < 3) return 0; clen = (p[0] << 16) | (p[1] << 8) | p[2]; @@ -1037,10 +1225,16 @@ static int ssl_print_certificate(BIO *bio, int indent, return 1; } -static int ssl_print_certificates(BIO *bio, int indent, - const unsigned char *msg, size_t msglen) +static int ssl_print_certificates(BIO *bio, const SSL *ssl, int server, + int indent, const unsigned char *msg, + size_t msglen) { size_t clen; + + if (SSL_IS_TLS13(ssl) + && !ssl_print_hexbuf(bio, indent, "context", 1, &msg, &msglen)) + return 0; + if (msglen < 3) return 0; clen = (msg[0] << 16) | (msg[1] << 8) | msg[2]; @@ -1052,48 +1246,62 @@ static int ssl_print_certificates(BIO *bio, int indent, while (clen > 0) { if (!ssl_print_certificate(bio, indent + 2, &msg, &clen)) return 0; + if (!ssl_print_extensions(bio, indent + 2, server, SSL3_MT_CERTIFICATE, + &msg, &clen)) + return 0; + } return 1; } -static int ssl_print_cert_request(BIO *bio, int indent, SSL *s, +static int ssl_print_cert_request(BIO *bio, int indent, const SSL *ssl, const unsigned char *msg, size_t msglen) { size_t xlen; - if (msglen < 1) - return 0; - xlen = msg[0]; - if (msglen < xlen + 1) - return 0; - msg++; - BIO_indent(bio, indent, 80); - BIO_printf(bio, "certificate_types (len=%d)\n", (int)xlen); - if (!ssl_trace_list(bio, indent + 2, msg, xlen, 1, ssl_ctype_tbl)) - return 0; - msg += xlen; - msglen -= xlen + 1; - if (!SSL_USE_SIGALGS(s)) - goto skip_sig; - if (msglen < 2) - return 0; - xlen = (msg[0] << 8) | msg[1]; - if (msglen < xlen + 2 || (xlen & 1)) - return 0; - msg += 2; - BIO_indent(bio, indent, 80); - BIO_printf(bio, "signature_algorithms (len=%d)\n", (int)xlen); - while (xlen > 0) { - BIO_indent(bio, indent + 2, 80); - BIO_printf(bio, "%s+%s (%d+%d)\n", - ssl_trace_str(msg[0], ssl_md_tbl), - ssl_trace_str(msg[1], ssl_sig_tbl), msg[0], msg[1]); - xlen -= 2; + unsigned int sigalg; + + if (SSL_IS_TLS13(ssl)) { + if (!ssl_print_hexbuf(bio, indent, "request_context", 1, &msg, &msglen)) + return 0; + if (!ssl_print_extensions(bio, indent, 1, + SSL3_MT_CERTIFICATE_REQUEST, &msg, &msglen)) + return 0; + return 1; + } else { + if (msglen < 1) + return 0; + xlen = msg[0]; + if (msglen < xlen + 1) + return 0; + msg++; + BIO_indent(bio, indent, 80); + BIO_printf(bio, "certificate_types (len=%d)\n", (int)xlen); + if (!ssl_trace_list(bio, indent + 2, msg, xlen, 1, ssl_ctype_tbl)) + return 0; + msg += xlen; + msglen -= xlen + 1; + } + if (SSL_USE_SIGALGS(ssl)) { + if (msglen < 2) + return 0; + xlen = (msg[0] << 8) | msg[1]; + if (msglen < xlen + 2 || (xlen & 1)) + return 0; msg += 2; + msglen -= xlen + 2; + BIO_indent(bio, indent, 80); + BIO_printf(bio, "signature_algorithms (len=%d)\n", (int)xlen); + while (xlen > 0) { + BIO_indent(bio, indent + 2, 80); + sigalg = (msg[0] << 8) | msg[1]; + BIO_printf(bio, "%s (0x%04x)\n", + ssl_trace_str(sigalg, ssl_sigalg_tbl), sigalg); + xlen -= 2; + msg += 2; + } + msg += xlen; } - msg += xlen; - msglen -= xlen + 2; - skip_sig: if (msglen < 2) return 0; xlen = (msg[0] << 8) | msg[1]; @@ -1101,7 +1309,7 @@ static int ssl_print_cert_request(BIO *bio, int indent, SSL *s, if (msglen < xlen + 2) return 0; msg += 2; - msglen -= 2; + msglen -= 2 + xlen; BIO_printf(bio, "certificate_authorities (len=%d)\n", (int)xlen); while (xlen > 0) { size_t dlen; @@ -1127,13 +1335,19 @@ static int ssl_print_cert_request(BIO *bio, int indent, SSL *s, xlen -= dlen + 2; msg += dlen; } - return 1; + if (SSL_IS_TLS13(ssl)) { + if (!ssl_print_hexbuf(bio, indent, "request_extensions", 2, + &msg, &msglen)) + return 0; + } + return msglen == 0; } -static int ssl_print_ticket(BIO *bio, int indent, +static int ssl_print_ticket(BIO *bio, int indent, const SSL *ssl, const unsigned char *msg, size_t msglen) { unsigned int tick_life; + if (msglen == 0) { BIO_indent(bio, indent + 2, 80); BIO_puts(bio, "No Ticket\n"); @@ -1146,19 +1360,39 @@ static int ssl_print_ticket(BIO *bio, int indent, msg += 4; BIO_indent(bio, indent + 2, 80); BIO_printf(bio, "ticket_lifetime_hint=%u\n", tick_life); + if (SSL_IS_TLS13(ssl)) { + unsigned int ticket_age_add; + + if (msglen < 4) + return 0; + ticket_age_add = + (msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) | msg[3]; + msglen -= 4; + msg += 4; + BIO_indent(bio, indent + 2, 80); + BIO_printf(bio, "ticket_age_add=%u\n", ticket_age_add); + if (!ssl_print_hexbuf(bio, indent + 2, "ticket_nonce", 1, &msg, + &msglen)) + return 0; + } if (!ssl_print_hexbuf(bio, indent + 2, "ticket", 2, &msg, &msglen)) return 0; + if (SSL_IS_TLS13(ssl) + && !ssl_print_extensions(bio, indent + 2, 0, + SSL3_MT_NEWSESSION_TICKET, &msg, &msglen)) + return 0; if (msglen) return 0; return 1; } -static int ssl_print_handshake(BIO *bio, SSL *ssl, +static int ssl_print_handshake(BIO *bio, const SSL *ssl, int server, const unsigned char *msg, size_t msglen, int indent) { size_t hlen; unsigned char htype; + if (msglen < 4) return 0; htype = msg[0]; @@ -1209,7 +1443,7 @@ static int ssl_print_handshake(BIO *bio, SSL *ssl, break; case SSL3_MT_CERTIFICATE: - if (!ssl_print_certificates(bio, indent + 2, msg, msglen)) + if (!ssl_print_certificates(bio, ssl, server, indent + 2, msg, msglen)) return 0; break; @@ -1233,7 +1467,23 @@ static int ssl_print_handshake(BIO *bio, SSL *ssl, break; case SSL3_MT_NEWSESSION_TICKET: - if (!ssl_print_ticket(bio, indent + 2, msg, msglen)) + if (!ssl_print_ticket(bio, indent + 2, ssl, msg, msglen)) + return 0; + break; + + case SSL3_MT_ENCRYPTED_EXTENSIONS: + if (!ssl_print_extensions(bio, indent + 2, 1, + SSL3_MT_ENCRYPTED_EXTENSIONS, &msg, &msglen)) + return 0; + break; + + case SSL3_MT_KEY_UPDATE: + if (msglen != 1) { + ssl_print_hex(bio, indent + 2, "unexpected value", msg, msglen); + return 0; + } + if (!ssl_trace_list(bio, indent + 2, msg, msglen, 1, + ssl_key_update_tbl)) return 0; break; @@ -1245,27 +1495,6 @@ static int ssl_print_handshake(BIO *bio, SSL *ssl, return 1; } -static int ssl_print_heartbeat(BIO *bio, int indent, - const unsigned char *msg, size_t msglen) -{ - if (msglen < 3) - return 0; - BIO_indent(bio, indent, 80); - BIO_printf(bio, "HeartBeatMessageType: %s\n", - ssl_trace_str(msg[0], ssl_hb_type_tbl)); - msg++; - msglen--; - if (!ssl_print_hexbuf(bio, indent, "payload", 2, &msg, &msglen)) - return 0; - ssl_print_hex(bio, indent, "padding", msg, msglen); - return 1; -} - -const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c) -{ - return ssl_trace_str(c->id & 0xFFFF, ssl_ciphers_tbl); -} - void SSL_trace(int write_p, int version, int content_type, const void *buf, size_t msglen, SSL *ssl, void *arg) { @@ -1279,7 +1508,7 @@ void SSL_trace(int write_p, int version, int content_type, /* avoid overlapping with length at the end of buffer */ if (msglen < (size_t)(SSL_IS_DTLS(ssl) ? - DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH)) { + DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH)) { BIO_puts(bio, write_p ? "Sent" : "Received"); ssl_print_hex(bio, 0, " too short message", msg, msglen); break; @@ -1301,8 +1530,15 @@ void SSL_trace(int write_p, int version, int content_type, msg[msglen - 2] << 8 | msg[msglen - 1]); } break; + + case SSL3_RT_INNER_CONTENT_TYPE: + BIO_printf(bio, " Inner Content Type = %s (%d)", + ssl_trace_str(msg[0], ssl_content_tbl), msg[0]); + break; + case SSL3_RT_HANDSHAKE: - if (!ssl_print_handshake(bio, ssl, msg, msglen, 4)) + if (!ssl_print_handshake(bio, ssl, ssl->server ? write_p : !write_p, + msg, msglen, 4)) BIO_printf(bio, "Message length parse error!\n"); break; @@ -1314,18 +1550,13 @@ void SSL_trace(int write_p, int version, int content_type, break; case SSL3_RT_ALERT: - if (msglen != 2) { + if (msglen != 2) BIO_puts(bio, " Illegal Alert Length\n"); - } else { + else { BIO_printf(bio, " Level=%s(%d), description=%s(%d)\n", SSL_alert_type_string_long(msg[0] << 8), msg[0], SSL_alert_desc_string_long(msg[1]), msg[1]); } - break; - - case DTLS1_RT_HEARTBEAT: - ssl_print_heartbeat(bio, 4, msg, msglen); - break; } diff --git a/deps/openssl/openssl/ssl/tls13_enc.c b/deps/openssl/openssl/ssl/tls13_enc.c new file mode 100644 index 0000000000..b6825d20c2 --- /dev/null +++ b/deps/openssl/openssl/ssl/tls13_enc.c @@ -0,0 +1,818 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdlib.h> +#include "ssl_locl.h" +#include "internal/cryptlib.h" +#include <openssl/evp.h> +#include <openssl/kdf.h> + +/* + * RFC 8446, 7.1 Key Schedule, says: + * Note: With common hash functions, any label longer than 12 characters + * requires an additional iteration of the hash function to compute. + * The labels in this specification have all been chosen to fit within + * this limit. + */ +#define TLS13_MAX_LABEL_LEN 12 + +/* Always filled with zeros */ +static const unsigned char default_zeros[EVP_MAX_MD_SIZE]; + +/* + * Given a |secret|; a |label| of length |labellen|; and |data| of length + * |datalen| (e.g. typically a hash of the handshake messages), derive a new + * secret |outlen| bytes long and store it in the location pointed to be |out|. + * The |data| value may be zero length. Returns 1 on success 0 on failure. + */ +int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, + const unsigned char *label, size_t labellen, + const unsigned char *data, size_t datalen, + unsigned char *out, size_t outlen) +{ + static const unsigned char label_prefix[] = "tls13 "; + EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); + int ret; + size_t hkdflabellen; + size_t hashlen; + /* + * 2 bytes for length of derived secret + 1 byte for length of combined + * prefix and label + bytes for the label itself + 1 byte length of hash + * + bytes for the hash itself + */ + unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) + + + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN + + EVP_MAX_MD_SIZE]; + WPACKET pkt; + + if (pctx == NULL) + return 0; + + hashlen = EVP_MD_size(md); + + if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0) + || !WPACKET_put_bytes_u16(&pkt, outlen) + || !WPACKET_start_sub_packet_u8(&pkt) + || !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1) + || !WPACKET_memcpy(&pkt, label, labellen) + || !WPACKET_close(&pkt) + || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen) + || !WPACKET_get_total_written(&pkt, &hkdflabellen) + || !WPACKET_finish(&pkt)) { + EVP_PKEY_CTX_free(pctx); + WPACKET_cleanup(&pkt); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, + ERR_R_INTERNAL_ERROR); + return 0; + } + + ret = EVP_PKEY_derive_init(pctx) <= 0 + || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) + <= 0 + || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0 + || EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, hashlen) <= 0 + || EVP_PKEY_CTX_add1_hkdf_info(pctx, hkdflabel, hkdflabellen) <= 0 + || EVP_PKEY_derive(pctx, out, &outlen) <= 0; + + EVP_PKEY_CTX_free(pctx); + + if (ret != 0) + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, + ERR_R_INTERNAL_ERROR); + + return ret == 0; +} + +/* + * Given a |secret| generate a |key| of length |keylen| bytes. Returns 1 on + * success 0 on failure. + */ +int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, + unsigned char *key, size_t keylen) +{ + static const unsigned char keylabel[] = "key"; + + return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, + NULL, 0, key, keylen); +} + +/* + * Given a |secret| generate an |iv| of length |ivlen| bytes. Returns 1 on + * success 0 on failure. + */ +int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, + unsigned char *iv, size_t ivlen) +{ + static const unsigned char ivlabel[] = "iv"; + + return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, + NULL, 0, iv, ivlen); +} + +int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, + const unsigned char *secret, + unsigned char *fin, size_t finlen) +{ + static const unsigned char finishedlabel[] = "finished"; + + return tls13_hkdf_expand(s, md, secret, finishedlabel, + sizeof(finishedlabel) - 1, NULL, 0, fin, finlen); +} + +/* + * Given the previous secret |prevsecret| and a new input secret |insecret| of + * length |insecretlen|, generate a new secret and store it in the location + * pointed to by |outsecret|. Returns 1 on success 0 on failure. + */ +int tls13_generate_secret(SSL *s, const EVP_MD *md, + const unsigned char *prevsecret, + const unsigned char *insecret, + size_t insecretlen, + unsigned char *outsecret) +{ + size_t mdlen, prevsecretlen; + int mdleni; + int ret; + EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); + static const char derived_secret_label[] = "derived"; + unsigned char preextractsec[EVP_MAX_MD_SIZE]; + + if (pctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, + ERR_R_INTERNAL_ERROR); + return 0; + } + + mdleni = EVP_MD_size(md); + /* Ensure cast to size_t is safe */ + if (!ossl_assert(mdleni >= 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, + ERR_R_INTERNAL_ERROR); + return 0; + } + mdlen = (size_t)mdleni; + + if (insecret == NULL) { + insecret = default_zeros; + insecretlen = mdlen; + } + if (prevsecret == NULL) { + prevsecret = default_zeros; + prevsecretlen = 0; + } else { + EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + unsigned char hash[EVP_MAX_MD_SIZE]; + + /* The pre-extract derive step uses a hash of no messages */ + if (mctx == NULL + || EVP_DigestInit_ex(mctx, md, NULL) <= 0 + || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, + ERR_R_INTERNAL_ERROR); + EVP_MD_CTX_free(mctx); + EVP_PKEY_CTX_free(pctx); + return 0; + } + EVP_MD_CTX_free(mctx); + + /* Generate the pre-extract secret */ + if (!tls13_hkdf_expand(s, md, prevsecret, + (unsigned char *)derived_secret_label, + sizeof(derived_secret_label) - 1, hash, mdlen, + preextractsec, mdlen)) { + /* SSLfatal() already called */ + EVP_PKEY_CTX_free(pctx); + return 0; + } + + prevsecret = preextractsec; + prevsecretlen = mdlen; + } + + ret = EVP_PKEY_derive_init(pctx) <= 0 + || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) + <= 0 + || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0 + || EVP_PKEY_CTX_set1_hkdf_key(pctx, insecret, insecretlen) <= 0 + || EVP_PKEY_CTX_set1_hkdf_salt(pctx, prevsecret, prevsecretlen) + <= 0 + || EVP_PKEY_derive(pctx, outsecret, &mdlen) + <= 0; + + if (ret != 0) + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, + ERR_R_INTERNAL_ERROR); + + EVP_PKEY_CTX_free(pctx); + if (prevsecret == preextractsec) + OPENSSL_cleanse(preextractsec, mdlen); + return ret == 0; +} + +/* + * Given an input secret |insecret| of length |insecretlen| generate the + * handshake secret. This requires the early secret to already have been + * generated. Returns 1 on success 0 on failure. + */ +int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret, + size_t insecretlen) +{ + /* Calls SSLfatal() if required */ + return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret, + insecret, insecretlen, + (unsigned char *)&s->handshake_secret); +} + +/* + * Given the handshake secret |prev| of length |prevlen| generate the master + * secret and store its length in |*secret_size|. Returns 1 on success 0 on + * failure. + */ +int tls13_generate_master_secret(SSL *s, unsigned char *out, + unsigned char *prev, size_t prevlen, + size_t *secret_size) +{ + const EVP_MD *md = ssl_handshake_md(s); + + *secret_size = EVP_MD_size(md); + /* Calls SSLfatal() if required */ + return tls13_generate_secret(s, md, prev, NULL, 0, out); +} + +/* + * Generates the mac for the Finished message. Returns the length of the MAC or + * 0 on error. + */ +size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, + unsigned char *out) +{ + const EVP_MD *md = ssl_handshake_md(s); + unsigned char hash[EVP_MAX_MD_SIZE]; + size_t hashlen, ret = 0; + EVP_PKEY *key = NULL; + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + + if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { + /* SSLfatal() already called */ + goto err; + } + + if (str == s->method->ssl3_enc->server_finished_label) { + key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, + s->server_finished_secret, hashlen); + } else if (SSL_IS_FIRST_HANDSHAKE(s)) { + key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, + s->client_finished_secret, hashlen); + } else { + unsigned char finsecret[EVP_MAX_MD_SIZE]; + + if (!tls13_derive_finishedkey(s, ssl_handshake_md(s), + s->client_app_traffic_secret, + finsecret, hashlen)) + goto err; + + key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret, + hashlen); + OPENSSL_cleanse(finsecret, sizeof(finsecret)); + } + + if (key == NULL + || ctx == NULL + || EVP_DigestSignInit(ctx, NULL, md, NULL, key) <= 0 + || EVP_DigestSignUpdate(ctx, hash, hashlen) <= 0 + || EVP_DigestSignFinal(ctx, out, &hashlen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_FINAL_FINISH_MAC, + ERR_R_INTERNAL_ERROR); + goto err; + } + + ret = hashlen; + err: + EVP_PKEY_free(key); + EVP_MD_CTX_free(ctx); + return ret; +} + +/* + * There isn't really a key block in TLSv1.3, but we still need this function + * for initialising the cipher and hash. Returns 1 on success or 0 on failure. + */ +int tls13_setup_key_block(SSL *s) +{ + const EVP_CIPHER *c; + const EVP_MD *hash; + int mac_type = NID_undef; + + s->session->cipher = s->s3->tmp.new_cipher; + if (!ssl_cipher_get_evp + (s->session, &c, &hash, &mac_type, NULL, NULL, 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK, + SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + return 0; + } + + s->s3->tmp.new_sym_enc = c; + s->s3->tmp.new_hash = hash; + + return 1; +} + +static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, + const EVP_CIPHER *ciph, + const unsigned char *insecret, + const unsigned char *hash, + const unsigned char *label, + size_t labellen, unsigned char *secret, + unsigned char *iv, EVP_CIPHER_CTX *ciph_ctx) +{ + unsigned char key[EVP_MAX_KEY_LENGTH]; + size_t ivlen, keylen, taglen; + int hashleni = EVP_MD_size(md); + size_t hashlen; + + /* Ensure cast to size_t is safe */ + if (!ossl_assert(hashleni >= 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, + ERR_R_EVP_LIB); + goto err; + } + hashlen = (size_t)hashleni; + + if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, + secret, hashlen)) { + /* SSLfatal() already called */ + goto err; + } + + /* TODO(size_t): convert me */ + keylen = EVP_CIPHER_key_length(ciph); + if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) { + uint32_t algenc; + + ivlen = EVP_CCM_TLS_IV_LEN; + if (s->s3->tmp.new_cipher == NULL) { + /* We've not selected a cipher yet - we must be doing early data */ + algenc = s->session->cipher->algorithm_enc; + } else { + algenc = s->s3->tmp.new_cipher->algorithm_enc; + } + if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) + taglen = EVP_CCM8_TLS_TAG_LEN; + else + taglen = EVP_CCM_TLS_TAG_LEN; + } else { + ivlen = EVP_CIPHER_iv_length(ciph); + taglen = 0; + } + + if (!tls13_derive_key(s, md, secret, key, keylen) + || !tls13_derive_iv(s, md, secret, iv, ivlen)) { + /* SSLfatal() already called */ + goto err; + } + + if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0 + || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) + || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, + taglen, NULL)) + || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, + ERR_R_EVP_LIB); + goto err; + } + + return 1; + err: + OPENSSL_cleanse(key, sizeof(key)); + return 0; +} + +int tls13_change_cipher_state(SSL *s, int which) +{ + static const unsigned char client_early_traffic[] = "c e traffic"; + static const unsigned char client_handshake_traffic[] = "c hs traffic"; + static const unsigned char client_application_traffic[] = "c ap traffic"; + static const unsigned char server_handshake_traffic[] = "s hs traffic"; + static const unsigned char server_application_traffic[] = "s ap traffic"; + static const unsigned char exporter_master_secret[] = "exp master"; + static const unsigned char resumption_master_secret[] = "res master"; + static const unsigned char early_exporter_master_secret[] = "e exp master"; + unsigned char *iv; + unsigned char secret[EVP_MAX_MD_SIZE]; + unsigned char hashval[EVP_MAX_MD_SIZE]; + unsigned char *hash = hashval; + unsigned char *insecret; + unsigned char *finsecret = NULL; + const char *log_label = NULL; + EVP_CIPHER_CTX *ciph_ctx; + size_t finsecretlen = 0; + const unsigned char *label; + size_t labellen, hashlen = 0; + int ret = 0; + const EVP_MD *md = NULL; + const EVP_CIPHER *cipher = NULL; + + if (which & SSL3_CC_READ) { + if (s->enc_read_ctx != NULL) { + EVP_CIPHER_CTX_reset(s->enc_read_ctx); + } else { + s->enc_read_ctx = EVP_CIPHER_CTX_new(); + if (s->enc_read_ctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); + goto err; + } + } + ciph_ctx = s->enc_read_ctx; + iv = s->read_iv; + + RECORD_LAYER_reset_read_sequence(&s->rlayer); + } else { + s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; + if (s->enc_write_ctx != NULL) { + EVP_CIPHER_CTX_reset(s->enc_write_ctx); + } else { + s->enc_write_ctx = EVP_CIPHER_CTX_new(); + if (s->enc_write_ctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); + goto err; + } + } + ciph_ctx = s->enc_write_ctx; + iv = s->write_iv; + + RECORD_LAYER_reset_write_sequence(&s->rlayer); + } + + if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE)) + || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) { + if (which & SSL3_CC_EARLY) { + EVP_MD_CTX *mdctx = NULL; + long handlen; + void *hdata; + unsigned int hashlenui; + const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session); + + insecret = s->early_secret; + label = client_early_traffic; + labellen = sizeof(client_early_traffic) - 1; + log_label = CLIENT_EARLY_LABEL; + + handlen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); + if (handlen <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS13_CHANGE_CIPHER_STATE, + SSL_R_BAD_HANDSHAKE_LENGTH); + goto err; + } + + if (s->early_data_state == SSL_EARLY_DATA_CONNECTING + && s->max_early_data > 0 + && s->session->ext.max_early_data == 0) { + /* + * If we are attempting to send early data, and we've decided to + * actually do it but max_early_data in s->session is 0 then we + * must be using an external PSK. + */ + if (!ossl_assert(s->psksession != NULL + && s->max_early_data == + s->psksession->ext.max_early_data)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS13_CHANGE_CIPHER_STATE, + ERR_R_INTERNAL_ERROR); + goto err; + } + sslcipher = SSL_SESSION_get0_cipher(s->psksession); + } + if (sslcipher == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS13_CHANGE_CIPHER_STATE, SSL_R_BAD_PSK); + goto err; + } + + /* + * We need to calculate the handshake digest using the digest from + * the session. We haven't yet selected our ciphersuite so we can't + * use ssl_handshake_md(). + */ + mdctx = EVP_MD_CTX_new(); + if (mdctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); + goto err; + } + cipher = EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(sslcipher)); + md = ssl_md(sslcipher->algorithm2); + if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL) + || !EVP_DigestUpdate(mdctx, hdata, handlen) + || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); + EVP_MD_CTX_free(mdctx); + goto err; + } + hashlen = hashlenui; + EVP_MD_CTX_free(mdctx); + + if (!tls13_hkdf_expand(s, md, insecret, + early_exporter_master_secret, + sizeof(early_exporter_master_secret) - 1, + hashval, hashlen, + s->early_exporter_master_secret, hashlen)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); + goto err; + } + + if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, + s->early_exporter_master_secret, hashlen)) { + /* SSLfatal() already called */ + goto err; + } + } else if (which & SSL3_CC_HANDSHAKE) { + insecret = s->handshake_secret; + finsecret = s->client_finished_secret; + finsecretlen = EVP_MD_size(ssl_handshake_md(s)); + label = client_handshake_traffic; + labellen = sizeof(client_handshake_traffic) - 1; + log_label = CLIENT_HANDSHAKE_LABEL; + /* + * The handshake hash used for the server read/client write handshake + * traffic secret is the same as the hash for the server + * write/client read handshake traffic secret. However, if we + * processed early data then we delay changing the server + * read/client write cipher state until later, and the handshake + * hashes have moved on. Therefore we use the value saved earlier + * when we did the server write/client read change cipher state. + */ + hash = s->handshake_traffic_hash; + } else { + insecret = s->master_secret; + label = client_application_traffic; + labellen = sizeof(client_application_traffic) - 1; + log_label = CLIENT_APPLICATION_LABEL; + /* + * For this we only use the handshake hashes up until the server + * Finished hash. We do not include the client's Finished, which is + * what ssl_handshake_hash() would give us. Instead we use the + * previously saved value. + */ + hash = s->server_finished_hash; + } + } else { + /* Early data never applies to client-read/server-write */ + if (which & SSL3_CC_HANDSHAKE) { + insecret = s->handshake_secret; + finsecret = s->server_finished_secret; + finsecretlen = EVP_MD_size(ssl_handshake_md(s)); + label = server_handshake_traffic; + labellen = sizeof(server_handshake_traffic) - 1; + log_label = SERVER_HANDSHAKE_LABEL; + } else { + insecret = s->master_secret; + label = server_application_traffic; + labellen = sizeof(server_application_traffic) - 1; + log_label = SERVER_APPLICATION_LABEL; + } + } + + if (!(which & SSL3_CC_EARLY)) { + md = ssl_handshake_md(s); + cipher = s->s3->tmp.new_sym_enc; + if (!ssl3_digest_cached_records(s, 1) + || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { + /* SSLfatal() already called */; + goto err; + } + } + + /* + * Save the hash of handshakes up to now for use when we calculate the + * client application traffic secret + */ + if (label == server_application_traffic) + memcpy(s->server_finished_hash, hashval, hashlen); + + if (label == server_handshake_traffic) + memcpy(s->handshake_traffic_hash, hashval, hashlen); + + if (label == client_application_traffic) { + /* + * We also create the resumption master secret, but this time use the + * hash for the whole handshake including the Client Finished + */ + if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, + resumption_master_secret, + sizeof(resumption_master_secret) - 1, + hashval, hashlen, s->resumption_master_secret, + hashlen)) { + /* SSLfatal() already called */ + goto err; + } + } + + if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher, + insecret, hash, label, labellen, secret, iv, + ciph_ctx)) { + /* SSLfatal() already called */ + goto err; + } + + if (label == server_application_traffic) { + memcpy(s->server_app_traffic_secret, secret, hashlen); + /* Now we create the exporter master secret */ + if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, + exporter_master_secret, + sizeof(exporter_master_secret) - 1, + hash, hashlen, s->exporter_master_secret, + hashlen)) { + /* SSLfatal() already called */ + goto err; + } + + if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret, + hashlen)) { + /* SSLfatal() already called */ + goto err; + } + } else if (label == client_application_traffic) + memcpy(s->client_app_traffic_secret, secret, hashlen); + + if (!ssl_log_secret(s, log_label, secret, hashlen)) { + /* SSLfatal() already called */ + goto err; + } + + if (finsecret != NULL + && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, + finsecret, finsecretlen)) { + /* SSLfatal() already called */ + goto err; + } + + if (!s->server && label == client_early_traffic) + s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS; + else + s->statem.enc_write_state = ENC_WRITE_STATE_VALID; + ret = 1; + err: + OPENSSL_cleanse(secret, sizeof(secret)); + return ret; +} + +int tls13_update_key(SSL *s, int sending) +{ + static const unsigned char application_traffic[] = "traffic upd"; + const EVP_MD *md = ssl_handshake_md(s); + size_t hashlen = EVP_MD_size(md); + unsigned char *insecret, *iv; + unsigned char secret[EVP_MAX_MD_SIZE]; + EVP_CIPHER_CTX *ciph_ctx; + int ret = 0; + + if (s->server == sending) + insecret = s->server_app_traffic_secret; + else + insecret = s->client_app_traffic_secret; + + if (sending) { + s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; + iv = s->write_iv; + ciph_ctx = s->enc_write_ctx; + RECORD_LAYER_reset_write_sequence(&s->rlayer); + } else { + iv = s->read_iv; + ciph_ctx = s->enc_read_ctx; + RECORD_LAYER_reset_read_sequence(&s->rlayer); + } + + if (!derive_secret_key_and_iv(s, sending, ssl_handshake_md(s), + s->s3->tmp.new_sym_enc, insecret, NULL, + application_traffic, + sizeof(application_traffic) - 1, secret, iv, + ciph_ctx)) { + /* SSLfatal() already called */ + goto err; + } + + memcpy(insecret, secret, hashlen); + + s->statem.enc_write_state = ENC_WRITE_STATE_VALID; + ret = 1; + err: + OPENSSL_cleanse(secret, sizeof(secret)); + return ret; +} + +int tls13_alert_code(int code) +{ + /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */ + if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED) + return code; + + return tls1_alert_code(code); +} + +int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, + const char *label, size_t llen, + const unsigned char *context, + size_t contextlen, int use_context) +{ + unsigned char exportsecret[EVP_MAX_MD_SIZE]; + static const unsigned char exporterlabel[] = "exporter"; + unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; + const EVP_MD *md = ssl_handshake_md(s); + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + unsigned int hashsize, datalen; + int ret = 0; + + if (ctx == NULL || !ossl_statem_export_allowed(s)) + goto err; + + if (!use_context) + contextlen = 0; + + if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 + || EVP_DigestUpdate(ctx, context, contextlen) <= 0 + || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 + || EVP_DigestInit_ex(ctx, md, NULL) <= 0 + || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 + || !tls13_hkdf_expand(s, md, s->exporter_master_secret, + (const unsigned char *)label, llen, + data, datalen, exportsecret, hashsize) + || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, + sizeof(exporterlabel) - 1, hash, hashsize, + out, olen)) + goto err; + + ret = 1; + err: + EVP_MD_CTX_free(ctx); + return ret; +} + +int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, + const char *label, size_t llen, + const unsigned char *context, + size_t contextlen) +{ + static const unsigned char exporterlabel[] = "exporter"; + unsigned char exportsecret[EVP_MAX_MD_SIZE]; + unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; + const EVP_MD *md; + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + unsigned int hashsize, datalen; + int ret = 0; + const SSL_CIPHER *sslcipher; + + if (ctx == NULL || !ossl_statem_export_early_allowed(s)) + goto err; + + if (!s->server && s->max_early_data > 0 + && s->session->ext.max_early_data == 0) + sslcipher = SSL_SESSION_get0_cipher(s->psksession); + else + sslcipher = SSL_SESSION_get0_cipher(s->session); + + md = ssl_md(sslcipher->algorithm2); + + /* + * Calculate the hash value and store it in |data|. The reason why + * the empty string is used is that the definition of TLS-Exporter + * is like so: + * + * TLS-Exporter(label, context_value, key_length) = + * HKDF-Expand-Label(Derive-Secret(Secret, label, ""), + * "exporter", Hash(context_value), key_length) + * + * Derive-Secret(Secret, Label, Messages) = + * HKDF-Expand-Label(Secret, Label, + * Transcript-Hash(Messages), Hash.length) + * + * Here Transcript-Hash is the cipher suite hash algorithm. + */ + if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 + || EVP_DigestUpdate(ctx, context, contextlen) <= 0 + || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 + || EVP_DigestInit_ex(ctx, md, NULL) <= 0 + || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 + || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret, + (const unsigned char *)label, llen, + data, datalen, exportsecret, hashsize) + || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, + sizeof(exporterlabel) - 1, hash, hashsize, + out, olen)) + goto err; + + ret = 1; + err: + EVP_MD_CTX_free(ctx); + return ret; +} diff --git a/deps/openssl/openssl/ssl/tls_srp.c b/deps/openssl/openssl/ssl/tls_srp.c index bfdbdf5874..f94e46b4e8 100644 --- a/deps/openssl/openssl/ssl/tls_srp.c +++ b/deps/openssl/openssl/ssl/tls_srp.c @@ -1,10 +1,14 @@ /* - * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2004, EdelKey Project. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html + * + * Originally written by Christophe Renou and Peter Sylvester, + * for the EdelKey project. */ #include <openssl/crypto.h> @@ -31,7 +35,7 @@ int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx) BN_free(ctx->srp_ctx.v); memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx)); ctx->srp_ctx.strength = SRP_MINIMAL_N; - return (1); + return 1; } int SSL_SRP_CTX_free(struct ssl_st *s) @@ -50,7 +54,7 @@ int SSL_SRP_CTX_free(struct ssl_st *s) BN_free(s->srp_ctx.v); memset(&s->srp_ctx, 0, sizeof(s->srp_ctx)); s->srp_ctx.strength = SRP_MINIMAL_N; - return (1); + return 1; } int SSL_SRP_CTX_init(struct ssl_st *s) @@ -106,7 +110,7 @@ int SSL_SRP_CTX_init(struct ssl_st *s) } s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask; - return (1); + return 1; err: OPENSSL_free(s->srp_ctx.login); OPENSSL_free(s->srp_ctx.info); @@ -119,7 +123,7 @@ int SSL_SRP_CTX_init(struct ssl_st *s) BN_free(s->srp_ctx.b); BN_free(s->srp_ctx.v); memset(&s->srp_ctx, 0, sizeof(s->srp_ctx)); - return (0); + return 0; } int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx) @@ -130,7 +134,7 @@ int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx) memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx)); ctx->srp_ctx.strength = SRP_MINIMAL_N; - return (1); + return 1; } /* server side */ @@ -153,7 +157,7 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad) (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL)) return SSL3_AL_FATAL; - if (RAND_bytes(b, sizeof(b)) <= 0) + if (RAND_priv_bytes(b, sizeof(b)) <= 0) return SSL3_AL_FATAL; s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL); OPENSSL_cleanse(b, sizeof(b)); @@ -257,9 +261,13 @@ int srp_generate_server_master_secret(SSL *s) goto err; tmp_len = BN_num_bytes(K); - if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) + if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SRP_GENERATE_SERVER_MASTER_SECRET, ERR_R_MALLOC_FAILURE); goto err; + } BN_bn2bin(K, tmp); + /* Calls SSLfatal() as required */ ret = ssl_generate_master_secret(s, tmp, tmp_len, 1); err: BN_clear_free(K); @@ -278,26 +286,39 @@ int srp_generate_client_master_secret(SSL *s) /* * Checks if b % n == 0 */ - if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0) - goto err; - if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL) - goto err; - if (s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) + if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0 + || (u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) + == NULL + || s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_INTERNAL_ERROR); goto err; - if (! - (passwd = - s->srp_ctx.SRP_give_srp_client_pwd_callback(s, s->srp_ctx.SRP_cb_arg))) - goto err; - if ((x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)) == NULL) + } + if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(s, + s->srp_ctx.SRP_cb_arg)) + == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, + SSL_R_CALLBACK_FAILED); goto err; - if ((K = SRP_Calc_client_key(s->srp_ctx.N, s->srp_ctx.B, s->srp_ctx.g, x, - s->srp_ctx.a, u)) == NULL) + } + if ((x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)) == NULL + || (K = SRP_Calc_client_key(s->srp_ctx.N, s->srp_ctx.B, + s->srp_ctx.g, x, + s->srp_ctx.a, u)) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_INTERNAL_ERROR); goto err; + } tmp_len = BN_num_bytes(K); - if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) + if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_MALLOC_FAILURE); goto err; + } BN_bn2bin(K, tmp); + /* Calls SSLfatal() as required */ ret = ssl_generate_master_secret(s, tmp, tmp_len, 1); err: BN_clear_free(K); @@ -308,7 +329,7 @@ int srp_generate_client_master_secret(SSL *s) return ret; } -int srp_verify_server_param(SSL *s, int *al) +int srp_verify_server_param(SSL *s) { SRP_CTX *srp = &s->srp_ctx; /* @@ -317,22 +338,27 @@ int srp_verify_server_param(SSL *s, int *al) */ if (BN_ucmp(srp->g, srp->N) >= 0 || BN_ucmp(srp->B, srp->N) >= 0 || BN_is_zero(srp->B)) { - *al = SSL3_AD_ILLEGAL_PARAMETER; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SRP_VERIFY_SERVER_PARAM, + SSL_R_BAD_DATA); return 0; } if (BN_num_bits(srp->N) < srp->strength) { - *al = TLS1_AD_INSUFFICIENT_SECURITY; + SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_F_SRP_VERIFY_SERVER_PARAM, + SSL_R_INSUFFICIENT_SECURITY); return 0; } if (srp->SRP_verify_param_callback) { if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) { - *al = TLS1_AD_INSUFFICIENT_SECURITY; + SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, + SSL_F_SRP_VERIFY_SERVER_PARAM, + SSL_R_CALLBACK_FAILED); return 0; } } else if (!SRP_check_known_gN_param(srp->g, srp->N)) { - *al = TLS1_AD_INSUFFICIENT_SECURITY; + SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_F_SRP_VERIFY_SERVER_PARAM, + SSL_R_INSUFFICIENT_SECURITY); return 0; } @@ -343,7 +369,7 @@ int SRP_Calc_A_param(SSL *s) { unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH]; - if (RAND_bytes(rnd, sizeof(rnd)) <= 0) + if (RAND_priv_bytes(rnd, sizeof(rnd)) <= 0) return 0; s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a); OPENSSL_cleanse(rnd, sizeof(rnd)); |