diff options
Diffstat (limited to 'deps/openssl/openssl/ssl')
-rw-r--r-- | deps/openssl/openssl/ssl/s23_clnt.c | 28 | ||||
-rw-r--r-- | deps/openssl/openssl/ssl/s3_pkt.c | 2 | ||||
-rw-r--r-- | deps/openssl/openssl/ssl/s3_srvr.c | 36 | ||||
-rw-r--r-- | deps/openssl/openssl/ssl/ssl_ciph.c | 2 | ||||
-rw-r--r-- | deps/openssl/openssl/ssl/ssl_lib.c | 10 | ||||
-rw-r--r-- | deps/openssl/openssl/ssl/ssl_sess.c | 6 | ||||
-rw-r--r-- | deps/openssl/openssl/ssl/ssltest.c | 71 | ||||
-rw-r--r-- | deps/openssl/openssl/ssl/tls1.h | 2 |
8 files changed, 133 insertions, 24 deletions
diff --git a/deps/openssl/openssl/ssl/s23_clnt.c b/deps/openssl/openssl/ssl/s23_clnt.c index b80d1fd8ce..92f41dd549 100644 --- a/deps/openssl/openssl/ssl/s23_clnt.c +++ b/deps/openssl/openssl/ssl/s23_clnt.c @@ -735,7 +735,35 @@ static int ssl23_get_server_hello(SSL *s) s->version = TLS1_2_VERSION; s->method = TLSv1_2_client_method(); } else { + /* + * Unrecognised version, we'll send a protocol version alert using + * our preferred version. + */ + switch(s->client_version) { + default: + /* + * Shouldn't happen + * Fall through + */ + case TLS1_2_VERSION: + s->version = TLS1_2_VERSION; + s->method = TLSv1_2_client_method(); + break; + case TLS1_1_VERSION: + s->version = TLS1_1_VERSION; + s->method = TLSv1_1_client_method(); + break; + case TLS1_VERSION: + s->version = TLS1_VERSION; + s->method = TLSv1_client_method(); + break; + case SSL3_VERSION: + s->version = SSL3_VERSION; + s->method = SSLv3_client_method(); + break; + } SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION); goto err; } diff --git a/deps/openssl/openssl/ssl/s3_pkt.c b/deps/openssl/openssl/ssl/s3_pkt.c index 0290c991d8..04212c51e7 100644 --- a/deps/openssl/openssl/ssl/s3_pkt.c +++ b/deps/openssl/openssl/ssl/s3_pkt.c @@ -1427,7 +1427,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) (s->s3->handshake_fragment_len >= 4) && (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) && (s->session != NULL) && (s->session->cipher != NULL) && - !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { /* * s->s3->handshake_fragment_len = 0; */ diff --git a/deps/openssl/openssl/ssl/s3_srvr.c b/deps/openssl/openssl/ssl/s3_srvr.c index ba17f1b562..0fb4845d44 100644 --- a/deps/openssl/openssl/ssl/s3_srvr.c +++ b/deps/openssl/openssl/ssl/s3_srvr.c @@ -2202,7 +2202,7 @@ int ssl3_get_client_key_exchange(SSL *s) unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; int decrypt_len; unsigned char decrypt_good, version_good; - size_t j; + size_t j, padding_len; /* FIX THIS UP EAY EAY EAY EAY */ if (s->s3->tmp.use_rsa_tmp) { @@ -2270,16 +2270,38 @@ int ssl3_get_client_key_exchange(SSL *s) if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0) goto err; + + /* + * Decrypt with no padding. PKCS#1 padding will be removed as part of + * the timing-sensitive code below. + */ decrypt_len = - RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING); - ERR_clear_error(); + RSA_private_decrypt((int)n, p, p, rsa, RSA_NO_PADDING); + if (decrypt_len < 0) + goto err; + + /* Check the padding. See RFC 3447, section 7.2.2. */ /* - * decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. decrypt_good will - * be 0xff if so and zero otherwise. + * The smallest padded premaster is 11 bytes of overhead. Small keys + * are publicly invalid, so this may return immediately. This ensures + * PS is at least 8 bytes. */ - decrypt_good = - constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH); + if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) { + al = SSL_AD_DECRYPT_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DECRYPTION_FAILED); + goto f_err; + } + + padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH; + decrypt_good = constant_time_eq_int_8(p[0], 0) & + constant_time_eq_int_8(p[1], 2); + for (j = 2; j < padding_len - 1; j++) { + decrypt_good &= ~constant_time_is_zero_8(p[j]); + } + decrypt_good &= constant_time_is_zero_8(p[padding_len - 1]); + p += padding_len; /* * If the version in the decrypted pre-master secret is correct then diff --git a/deps/openssl/openssl/ssl/ssl_ciph.c b/deps/openssl/openssl/ssl/ssl_ciph.c index 40021329a9..ccdf00fa1b 100644 --- a/deps/openssl/openssl/ssl/ssl_ciph.c +++ b/deps/openssl/openssl/ssl/ssl_ciph.c @@ -1205,7 +1205,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, ((ch >= '0') && (ch <= '9')) || ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) #else - while (isalnum(ch) || (ch == '-') || (ch == '.')) + while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.')) #endif { ch = *(++l); diff --git a/deps/openssl/openssl/ssl/ssl_lib.c b/deps/openssl/openssl/ssl/ssl_lib.c index 24be376c9f..3539f4b8d2 100644 --- a/deps/openssl/openssl/ssl/ssl_lib.c +++ b/deps/openssl/openssl/ssl/ssl_lib.c @@ -1825,15 +1825,15 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, const char *label, size_t llen, - const unsigned char *p, size_t plen, + const unsigned char *context, size_t contextlen, int use_context) { if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER) return -1; return s->method->ssl3_enc->export_keying_material(s, out, olen, label, - llen, p, plen, - use_context); + llen, context, + contextlen, use_context); } static unsigned long ssl_session_hash(const SSL_SESSION *a) @@ -3180,6 +3180,7 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) #endif ssl->cert = ssl_cert_dup(ctx->cert); if (ocert) { + int i; /* Preserve any already negotiated parameters */ if (ssl->server) { ssl->cert->peer_sigalgs = ocert->peer_sigalgs; @@ -3189,6 +3190,9 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) ssl->cert->ciphers_rawlen = ocert->ciphers_rawlen; ocert->ciphers_raw = NULL; } + for (i = 0; i < SSL_PKEY_NUM; i++) { + ssl->cert->pkeys[i].digest = ocert->pkeys[i].digest; + } #ifndef OPENSSL_NO_TLSEXT ssl->cert->alpn_proposed = ocert->alpn_proposed; ssl->cert->alpn_proposed_len = ocert->alpn_proposed_len; diff --git a/deps/openssl/openssl/ssl/ssl_sess.c b/deps/openssl/openssl/ssl/ssl_sess.c index f50f514212..23dd3e7a01 100644 --- a/deps/openssl/openssl/ssl/ssl_sess.c +++ b/deps/openssl/openssl/ssl/ssl_sess.c @@ -261,7 +261,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) #ifndef OPENSSL_NO_SRP dest->srp_username = NULL; #endif - memset(&dest->ex_data, 0, sizeof(dest->ex_data)); /* We deliberately don't copy the prev and next pointers */ dest->prev = NULL; @@ -275,6 +274,9 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) if (src->peer != NULL) CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509); + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, dest, &dest->ex_data)) + goto err; + #ifndef OPENSSL_NO_PSK if (src->psk_identity_hint) { dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint); @@ -325,7 +327,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) } # endif - if (ticket != 0) { + if (ticket != 0 && src->tlsext_tick != NULL) { dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen); if(dest->tlsext_tick == NULL) goto err; diff --git a/deps/openssl/openssl/ssl/ssltest.c b/deps/openssl/openssl/ssl/ssltest.c index b75cac61fb..2d6141cd95 100644 --- a/deps/openssl/openssl/ssl/ssltest.c +++ b/deps/openssl/openssl/ssl/ssltest.c @@ -315,6 +315,9 @@ static int s_ticket1 = 0; static int s_ticket2 = 0; static int c_ticket = 0; static int ticket_expect = -1; +static int sni_in_cert_cb = 0; +static const char *client_sigalgs = NULL; +static const char *server_digest_expect = NULL; static int servername_cb(SSL *s, int *ad, void *arg) { @@ -355,6 +358,11 @@ static int verify_servername(SSL *client, SSL *server) BIO_printf(bio_stdout, "Servername: context is unknown\n"); return -1; } +static int cert_cb(SSL *ssl, void *arg) +{ + int unused; + return servername_cb(ssl, &unused, NULL) != SSL_TLSEXT_ERR_ALERT_FATAL; +} static int verify_ticket(SSL* ssl) { @@ -371,6 +379,20 @@ static int verify_ticket(SSL* ssl) return -1; } +static int verify_server_digest(SSL* ssl) +{ + int nid = NID_undef; + + if (server_digest_expect == NULL) + return 0; + SSL_get_peer_signature_nid(ssl, &nid); + if (strcmp(server_digest_expect, OBJ_nid2sn(nid)) == 0) + return 1; + BIO_printf(bio_stdout, "Expected server digest %s, got %s.\n", + server_digest_expect, OBJ_nid2sn(nid)); + return -1; +} + /*- * next_protos_parse parses a comma separated list of strings into a string * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. @@ -831,6 +853,7 @@ static void sv_usage(void) #endif #ifndef OPENSSL_NO_TLS1 fprintf(stderr, " -tls1 - use TLSv1\n"); + fprintf(stderr, " -tls12 - use TLSv1.2\n"); #endif #ifndef OPENSSL_NO_DTLS fprintf(stderr, " -dtls1 - use DTLSv1\n"); @@ -884,6 +907,9 @@ static void sv_usage(void) fprintf(stderr, " -c_ticket <yes|no> - enable/disable session tickets on the client\n"); fprintf(stderr, " -ticket_expect <yes|no> - indicate that the client should (or should not) have a ticket\n"); #endif + fprintf(stderr, " -sni_in_cert_cb - have the server handle SNI in the certificate callback\n"); + fprintf(stderr, " -client_sigalgs arg - the signature algorithms to configure on the client\n"); + fprintf(stderr, " -server_digest_expect arg - the expected server signing digest\n"); } static void print_details(SSL *c_ssl, const char *prefix) @@ -1010,7 +1036,7 @@ int main(int argc, char *argv[]) int badop = 0; int bio_pair = 0; int force = 0; - int dtls1 = 0, dtls12 = 0, tls1 = 0, ssl2 = 0, ssl3 = 0, ret = 1; + int dtls1 = 0, dtls12 = 0, tls1 = 0, tls12 = 0, ssl2 = 0, ssl3 = 0, ret = 1; int client_auth = 0; int server_auth = 0, i; struct app_verify_arg app_verify_arg = @@ -1164,6 +1190,11 @@ int main(int argc, char *argv[]) no_protocol = 1; #endif tls1 = 1; + } else if (strcmp(*argv, "-tls12") == 0) { +#ifdef OPENSSL_NO_TLS1 + no_protocol = 1; +#endif + tls12 = 1; } else if (strcmp(*argv, "-ssl3") == 0) { #ifdef OPENSSL_NO_SSL3_METHOD no_protocol = 1; @@ -1343,6 +1374,16 @@ int main(int argc, char *argv[]) else if (strcmp(*argv, "no") == 0) ticket_expect = 0; #endif + } else if (strcmp(*argv, "-sni_in_cert_cb") == 0) { + sni_in_cert_cb = 1; + } else if (strcmp(*argv, "-client_sigalgs") == 0) { + if (--argc < 1) + goto bad; + client_sigalgs = *(++argv); + } else if (strcmp(*argv, "-server_digest_expect") == 0) { + if (--argc < 1) + goto bad; + server_digest_expect = *(++argv); } else { fprintf(stderr, "unknown option %s\n", *argv); badop = 1; @@ -1373,9 +1414,9 @@ int main(int argc, char *argv[]) goto end; } - if (ssl2 + ssl3 + tls1 + dtls1 + dtls12 > 1) { - fprintf(stderr, "At most one of -ssl2, -ssl3, -tls1, -dtls1 or -dtls12 should " - "be requested.\n"); + if (ssl2 + ssl3 + tls1 + tls12 + dtls1 + dtls12 > 1) { + fprintf(stderr, "At most one of -ssl2, -ssl3, -tls1, -tls12, -dtls1 or " + "-dtls12 should be requested.\n"); EXIT(1); } @@ -1391,10 +1432,11 @@ int main(int argc, char *argv[]) goto end; } - if (!ssl2 && !ssl3 && !tls1 && !dtls1 && !dtls12 && number > 1 && !reuse && !force) { + if (!ssl2 && !ssl3 && !tls1 && !tls12 && !dtls1 && !dtls12 && number > 1 + && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " - "or add one of ssl2, -ssl3, -tls1, -dtls1, -dtls12, -reuse\n" + "or add one of ssl2, -ssl3, -tls1, -tls12, -dtls1, -dtls12, -reuse\n" "to avoid protocol mismatch.\n"); EXIT(1); } @@ -1458,7 +1500,7 @@ int main(int argc, char *argv[]) #endif /* - * At this point, ssl2/ssl3/tls1 is only set if the protocol is + * At this point, ssl2/ssl3/tls1/tls12 is only set if the protocol is * available. (Otherwise we exit early.) However the compiler doesn't * know this, so we ifdef. */ @@ -1482,6 +1524,8 @@ int main(int argc, char *argv[]) #ifndef OPENSSL_NO_TLS1 if (tls1) meth = TLSv1_method(); + else if (tls12) + meth = TLSv1_2_method(); else #endif meth = SSLv23_method(); @@ -1778,8 +1822,12 @@ int main(int argc, char *argv[]) OPENSSL_free(alpn); } - if (sn_server1 || sn_server2) - SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb); + if (sn_server1 || sn_server2) { + if (sni_in_cert_cb) + SSL_CTX_set_cert_cb(s_ctx, cert_cb, NULL); + else + SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb); + } #ifndef OPENSSL_NO_TLSEXT if (s_ticket1 == 0) @@ -1799,6 +1847,9 @@ int main(int argc, char *argv[]) SSL_CTX_set_options(c_ctx, SSL_OP_NO_TICKET); #endif + if (client_sigalgs != NULL) + SSL_CTX_set1_sigalgs_list(c_ctx, client_sigalgs); + c_ssl = SSL_new(c_ctx); s_ssl = SSL_new(s_ctx); @@ -1864,6 +1915,8 @@ int main(int argc, char *argv[]) ret = 1; if (verify_ticket(c_ssl) < 0) ret = 1; + if (verify_server_digest(c_ssl) < 0) + ret = 1; SSL_free(s_ssl); SSL_free(c_ssl); diff --git a/deps/openssl/openssl/ssl/tls1.h b/deps/openssl/openssl/ssl/tls1.h index 7e237d0631..dd1d8c109e 100644 --- a/deps/openssl/openssl/ssl/tls1.h +++ b/deps/openssl/openssl/ssl/tls1.h @@ -317,7 +317,7 @@ int SSL_get_servername_type(const SSL *s); */ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, const char *label, size_t llen, - const unsigned char *p, size_t plen, + const unsigned char *context, size_t contextlen, int use_context); int SSL_get_sigalgs(SSL *s, int idx, |