1
0
Fork 0
mirror of https://github.com/ossrs/srs.git synced 2025-03-09 15:49:59 +00:00

AppleM1: Update openssl to v1.1.1l

This commit is contained in:
winlin 2022-08-14 19:05:01 +08:00
parent 1fe12b8e8c
commit b787656eea
990 changed files with 13406 additions and 18710 deletions

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -14,7 +14,7 @@
#include <openssl/crypto.h>
#include "internal/bio.h"
#include <openssl/err.h>
#include "ssl_locl.h"
#include "ssl_local.h"
static int ssl_write(BIO *h, const char *buf, size_t size, size_t *written);
static int ssl_read(BIO *b, char *buf, size_t size, size_t *readbytes);
@ -284,6 +284,7 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
ssl_free(b);
if (!ssl_new(b))
return 0;
bs = BIO_get_data(b);
}
BIO_set_shutdown(b, num);
ssl = (SSL *)ptr;
@ -450,6 +451,7 @@ BIO *BIO_new_ssl_connect(SSL_CTX *ctx)
goto err;
return ret;
err:
BIO_free(ssl);
BIO_free(con);
#endif
return NULL;

View file

@ -1,5 +1,5 @@
/*
* Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -11,7 +11,7 @@
#include <stdio.h>
#include <openssl/objects.h>
#include <openssl/rand.h>
#include "ssl_locl.h"
#include "ssl_local.h"
static void get_current_time(struct timeval *t);
static int dtls1_handshake_write(SSL *s);
@ -142,10 +142,11 @@ void dtls1_free(SSL *s)
ssl3_free(s);
dtls1_clear_queues(s);
pqueue_free(s->d1->buffered_messages);
pqueue_free(s->d1->sent_messages);
if (s->d1 != NULL) {
dtls1_clear_queues(s);
pqueue_free(s->d1->buffered_messages);
pqueue_free(s->d1->sent_messages);
}
OPENSSL_free(s->d1);
s->d1 = NULL;
@ -341,12 +342,11 @@ int dtls1_is_timer_expired(SSL *s)
return 1;
}
void dtls1_double_timeout(SSL *s)
static void dtls1_double_timeout(SSL *s)
{
s->d1->timeout_duration_us *= 2;
if (s->d1->timeout_duration_us > 60000000)
s->d1->timeout_duration_us = 60000000;
dtls1_start_timer(s);
}
void dtls1_stop_timer(SSL *s)

View file

@ -1,5 +1,5 @@
/*
* Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
#include "ssl_locl.h"
#include "ssl_local.h"
int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, size_t len,
size_t *written)
@ -52,8 +52,7 @@ int dtls1_dispatch_alert(SSL *s)
s->s3->alert_dispatch = 1;
/* fprintf( stderr, "not done with alert\n" ); */
} else {
if (s->s3->send_alert[0] == SSL3_AL_FATAL)
(void)BIO_flush(s->wbio);
(void)BIO_flush(s->wbio);
if (s->msg_callback)
s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert,

View file

@ -15,7 +15,7 @@
#include <stdio.h>
#include <openssl/objects.h>
#include "ssl_locl.h"
#include "ssl_local.h"
#ifndef OPENSSL_NO_SRTP

View file

@ -9,7 +9,7 @@
#include <stdio.h>
#include <openssl/objects.h>
#include "ssl_locl.h"
#include "ssl_local.h"
/*-
* TLS/SSLv3 methods

View file

@ -8,7 +8,7 @@
*/
#include "internal/cryptlib.h"
#include "packet_locl.h"
#include "packet_local.h"
#include <openssl/sslerr.h>
#define DEFAULT_BUF_SIZE 256

View file

@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_PACKET_LOCL_H
# define HEADER_PACKET_LOCL_H
#ifndef OSSL_SSL_PACKET_LOCAL_H
# define OSSL_SSL_PACKET_LOCAL_H
# include <string.h>
# include <openssl/bn.h>
@ -871,4 +871,4 @@ unsigned char *WPACKET_get_curr(WPACKET *pkt);
/* Release resources in a WPACKET if a failure has occurred. */
void WPACKET_cleanup(WPACKET *pkt);
#endif /* HEADER_PACKET_LOCL_H */
#endif /* OSSL_SSL_PACKET_LOCAL_H */

View file

@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
#include "ssl_locl.h"
#include "ssl_local.h"
#include <openssl/bn.h>
struct pqueue_st {

View file

@ -12,7 +12,7 @@ of these components is defined by:
3) A set of accessor macros
All struct definitions are in record.h. The functions and macros are either
defined in record.h or record_locl.h dependent on whether they are intended to
defined in record.h or record_local.h dependent on whether they are intended to
be private to the record layer, or whether they form part of the API to the rest
of libssl.
@ -55,7 +55,7 @@ Conceptually it looks like this:
|| rec_layer_d1.c ||
||____________________||
|______________________|
record_locl.h ^ ^ ^
record_local.h ^ ^ ^
_________________| | |_________________
| | |
_____V_________ ______V________ _______V________

View file

@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/
#include "../ssl_locl.h"
#include "record_locl.h"
#include "../ssl_local.h"
#include "record_local.h"
/* mod 128 saturating subtract of two 64-bit values in big-endian order */
static int satsub64be(const unsigned char *v1, const unsigned char *v2)

View file

@ -1,5 +1,5 @@
/*
* Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -9,11 +9,11 @@
#include <stdio.h>
#include <errno.h>
#include "../ssl_locl.h"
#include "../ssl_local.h"
#include <openssl/evp.h>
#include <openssl/buffer.h>
#include "record_locl.h"
#include "../packet_locl.h"
#include "record_local.h"
#include "../packet_local.h"
#include "internal/cryptlib.h"
int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl)
@ -46,6 +46,9 @@ int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl)
void DTLS_RECORD_LAYER_free(RECORD_LAYER *rl)
{
if (rl->d == NULL)
return;
DTLS_RECORD_LAYER_clear(rl);
pqueue_free(rl->d->unprocessed_rcds.q);
pqueue_free(rl->d->processed_rcds.q);
@ -808,8 +811,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
wb = &s->rlayer.wbuf[0];
/*
* first check if there is a SSL3_BUFFER still being written out. This
* will happen with non blocking IO
* DTLS writes whole datagrams, so there can't be anything left in
* the buffer.
*/
if (!ossl_assert(SSL3_BUFFER_get_left(wb) == 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE,

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -10,15 +10,15 @@
#include <stdio.h>
#include <limits.h>
#include <errno.h>
#include "../ssl_locl.h"
#include "../ssl_local.h"
#include <openssl/evp.h>
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include "record_locl.h"
#include "../packet_locl.h"
#include "record_local.h"
#include "../packet_local.h"
#if defined(OPENSSL_SMALL_FOOTPRINT) || \
!( defined(AES_ASM) && ( \
!( defined(AESNI_ASM) && ( \
defined(__x86_64) || defined(__x86_64__) || \
defined(_M_AMD64) || defined(_M_X64) ) \
)
@ -172,9 +172,9 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold,
/*
* If extend == 0, obtain new n-byte packet; if extend == 1, increase
* packet by another n bytes. The packet will be in the sub-array of
* s->s3->rbuf.buf specified by s->packet and s->packet_length. (If
* s->rlayer.read_ahead is set, 'max' bytes may be stored in rbuf [plus
* s->packet_length bytes if extend == 1].)
* s->rlayer.rbuf.buf specified by s->rlayer.packet and
* s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may
* be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].)
* if clearold == 1, move the packet to the start of the buffer; if
* clearold == 0 then leave any old packets where they were
*/
@ -373,6 +373,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
s->rlayer.wnum = 0;
/*
* If we are supposed to be sending a KeyUpdate then go into init unless we
* have writes pending - in which case we should finish doing that first.
*/
if (wb->left == 0 && s->key_update != SSL_KEY_UPDATE_NONE)
ossl_statem_set_in_init(s, 1);
/*
* When writing early data on the server side we could be "in_init" in
* between receiving the EoED and the CF - but we don't want to handle those
@ -628,8 +635,9 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
*/
s->s3->empty_fragment_done = 0;
if ((i == (int)n) && s->mode & SSL_MODE_RELEASE_BUFFERS &&
!SSL_IS_DTLS(s))
if (tmpwrit == n
&& (s->mode & SSL_MODE_RELEASE_BUFFERS) != 0
&& !SSL_IS_DTLS(s))
ssl3_release_write_buffer(s);
*written = tot + tmpwrit;

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/
#include "../ssl_locl.h"
#include "record_locl.h"
#include "../ssl_local.h"
#include "record_local.h"
void SSL3_BUFFER_set_data(SSL3_BUFFER *b, const unsigned char *d, size_t n)
{
@ -74,7 +74,6 @@ int ssl3_setup_read_buffer(SSL *s)
b->len = len;
}
RECORD_LAYER_set_packet(&s->rlayer, &(b->buf[0]));
return 1;
}
@ -94,7 +93,7 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len)
headerlen = SSL3_RT_HEADER_LENGTH;
#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
align = SSL3_ALIGN_PAYLOAD - 1;
#endif
len = ssl_get_max_send_fragment(s)

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -7,10 +7,10 @@
* https://www.openssl.org/source/license.html
*/
#include "../ssl_locl.h"
#include "internal/constant_time_locl.h"
#include "../ssl_local.h"
#include "internal/constant_time.h"
#include <openssl/rand.h>
#include "record_locl.h"
#include "record_local.h"
#include "internal/cryptlib.h"
static const unsigned char ssl3_pad_1[48] = {
@ -405,7 +405,7 @@ int ssl3_get_record(SSL *s)
more = thisrr->length;
}
if (more > 0) {
/* now s->packet_length == SSL3_RT_HEADER_LENGTH */
/* now s->rlayer.packet_length == SSL3_RT_HEADER_LENGTH */
rret = ssl3_read_n(s, more, more, 1, 0, &n);
if (rret <= 0)
@ -416,9 +416,9 @@ int ssl3_get_record(SSL *s)
RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
/*
* At this point, s->packet_length == SSL3_RT_HEADER_LENGTH
* + thisrr->length, or s->packet_length == SSL2_RT_HEADER_LENGTH
* + thisrr->length and we have that many bytes in s->packet
* At this point, s->rlayer.packet_length == SSL3_RT_HEADER_LENGTH
* + thisrr->length, or s->rlayer.packet_length == SSL2_RT_HEADER_LENGTH
* + thisrr->length and we have that many bytes in s->rlayer.packet
*/
if (thisrr->rec_version == SSL2_VERSION) {
thisrr->input =
@ -429,11 +429,11 @@ int ssl3_get_record(SSL *s)
}
/*
* ok, we can now read from 's->packet' data into 'thisrr' thisrr->input
* points at thisrr->length bytes, which need to be copied into
* thisrr->data by either the decryption or by the decompression When
* the data is 'copied' into the thisrr->data buffer, thisrr->input will
* be pointed at the new buffer
* ok, we can now read from 's->rlayer.packet' data into 'thisrr'.
* thisrr->input points at thisrr->length bytes, which need to be copied
* into thisrr->data by either the decryption or by the decompression.
* When the data is 'copied' into the thisrr->data buffer,
* thisrr->input will be updated to point at the new buffer
*/
/*
@ -559,7 +559,7 @@ int ssl3_get_record(SSL *s)
RECORD_LAYER_reset_read_sequence(&s->rlayer);
return 1;
}
SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD,
SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
return -1;
}
@ -837,7 +837,7 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr)
* SSLfatal() for internal errors, but not otherwise.
*
* Returns:
* 0: (in non-constant time) if the record is publically invalid (i.e. too
* 0: (in non-constant time) if the record is publicly invalid (i.e. too
* short etc).
* 1: if the record's padding is valid / the encryption was successful.
* -1: if the record's padding is invalid or, if sending, an internal error
@ -928,7 +928,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending)
* internal errors, but not otherwise.
*
* Returns:
* 0: (in non-constant time) if the record is publically invalid (i.e. too
* 0: (in non-constant time) if the record is publicly invalid (i.e. too
* short etc).
* 1: if the record's padding is valid / the encryption was successful.
* -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
@ -1075,7 +1075,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
} else if ((bs != 1) && sending) {
padnum = bs - (reclen[ctr] % bs);
/* Add weird padding of upto 256 bytes */
/* Add weird padding of up to 256 bytes */
if (padnum > MAX_PADDING) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
@ -1610,21 +1610,22 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
int imac_size;
size_t mac_size;
unsigned char md[EVP_MAX_MD_SIZE];
size_t max_plain_length = SSL3_RT_MAX_PLAIN_LENGTH;
rr = RECORD_LAYER_get_rrec(&s->rlayer);
sess = s->session;
/*
* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
* and we have that many bytes in s->packet
* At this point, s->rlayer.packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
* and we have that many bytes in s->rlayer.packet
*/
rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]);
/*
* ok, we can now read from 's->packet' data into 'rr' rr->input points
* at rr->length bytes, which need to be copied into rr->data by either
* the decryption or by the decompression When the data is 'copied' into
* the rr->data buffer, rr->input will be pointed at the new buffer
* ok, we can now read from 's->rlayer.packet' data into 'rr'. rr->input
* points at rr->length bytes, which need to be copied into rr->data by
* either the decryption or by the decompression. When the data is 'copied'
* into the rr->data buffer, rr->input will be pointed at the new buffer
*/
/*
@ -1669,7 +1670,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0);
/*-
* enc_err is:
* 0: (in non-constant time) if the record is publically invalid.
* 0: (in non-constant time) if the record is publicly invalid.
* 1: if the padding is valid
* -1: if the padding is invalid
*/
@ -1782,7 +1783,12 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
}
}
if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
/* use current Max Fragment Length setting if applicable */
if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
max_plain_length = GET_MAX_FRAGMENT_LENGTH(s->session);
/* send overflow if the plaintext is too long now it has passed MAC */
if (rr->length > max_plain_length) {
SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
SSL_R_DATA_LENGTH_TOO_LONG);
return 0;
@ -1926,7 +1932,7 @@ int dtls1_get_record(SSL *s)
/* If received packet overflows own-client Max Fragment Length setting */
if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
&& rr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) {
&& rr->length > GET_MAX_FRAGMENT_LENGTH(s->session) + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) {
/* record too long, silently discard it */
rr->length = 0;
rr->read = 1;
@ -1941,7 +1947,7 @@ int dtls1_get_record(SSL *s)
if (rr->length >
RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) {
/* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
/* now s->rlayer.packet_length == DTLS1_RT_HEADER_LENGTH */
more = rr->length;
rret = ssl3_read_n(s, more, more, 1, 1, &n);
/* this packet contained a partial record, dump it */
@ -1957,7 +1963,7 @@ int dtls1_get_record(SSL *s)
}
/*
* now n == rr->length, and s->packet_length ==
* now n == rr->length, and s->rlayer.packet_length ==
* DTLS1_RT_HEADER_LENGTH + rr->length
*/
}

View file

@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/
#include "../ssl_locl.h"
#include "record_locl.h"
#include "../ssl_local.h"
#include "record_local.h"
#include "internal/cryptlib.h"
/*-
@ -16,7 +16,7 @@
* internal errors, but not otherwise.
*
* Returns:
* 0: (in non-constant time) if the record is publically invalid (i.e. too
* 0: (in non-constant time) if the record is publicly invalid (i.e. too
* short etc).
* 1: if the record encryption was successful.
* -1: if the record's AEAD-authenticator is invalid or, if sending,

View file

@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/
#include "internal/constant_time_locl.h"
#include "ssl_locl.h"
#include "internal/constant_time.h"
#include "ssl_local.h"
#include "internal/cryptlib.h"
#include <openssl/md5.h>

View file

@ -9,7 +9,7 @@
*/
#include <stdio.h>
#include "ssl_locl.h"
#include "ssl_local.h"
#include <openssl/evp.h>
#include <openssl/md5.h>
#include "internal/cryptlib.h"

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@ -12,7 +12,7 @@
#include <stdio.h>
#include <openssl/objects.h>
#include "internal/nelem.h"
#include "ssl_locl.h"
#include "ssl_local.h"
#include <openssl/md5.h>
#include <openssl/dh.h>
#include <openssl/rand.h>
@ -3567,6 +3567,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_GET_CHAIN_CERTS:
*(STACK_OF(X509) **)parg = s->cert->key->chain;
ret = 1;
break;
case SSL_CTRL_SELECT_CURRENT_CERT:
@ -3601,8 +3602,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
if (!s->session)
return 0;
clist = s->session->ext.supportedgroups;
clistlen = s->session->ext.supportedgroups_len;
clist = s->ext.peer_supportedgroups;
clistlen = s->ext.peer_supportedgroups_len;
if (parg) {
size_t i;
int *cptr = parg;
@ -3716,13 +3717,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_EC_POINT_FORMATS:
{
SSL_SESSION *sess = s->session;
const unsigned char **pformat = parg;
if (sess == NULL || sess->ext.ecpointformats == NULL)
if (s->ext.peer_ecpointformats == NULL)
return 0;
*pformat = sess->ext.ecpointformats;
return (int)sess->ext.ecpointformats_len;
*pformat = s->ext.peer_ecpointformats;
return (int)s->ext.peer_ecpointformats_len;
}
#endif
@ -4072,9 +4072,10 @@ const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id)
const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname)
{
SSL_CIPHER *c = NULL, *tbl;
SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers};
size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS};
SSL_CIPHER *tbl;
SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers, ssl3_scsvs};
size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS,
SSL3_NUM_SCSVS};
/* this is not efficient, necessary to optimize this? */
for (j = 0; j < OSSL_NELEM(alltabs); j++) {
@ -4082,21 +4083,11 @@ const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname)
if (tbl->stdname == NULL)
continue;
if (strcmp(stdname, tbl->stdname) == 0) {
c = tbl;
break;
return tbl;
}
}
}
if (c == NULL) {
tbl = ssl3_scsvs;
for (i = 0; i < SSL3_NUM_SCSVS; i++, tbl++) {
if (strcmp(stdname, tbl->stdname) == 0) {
c = tbl;
break;
}
}
}
return c;
return NULL;
}
/*
@ -4638,8 +4629,9 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
OPENSSL_clear_free(s->s3->tmp.psk, psklen);
s->s3->tmp.psk = NULL;
s->s3->tmp.psklen = 0;
if (!s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,pskpms, pskpmslen,
s->session->master_key, pskpms, pskpmslen,
&s->session->master_key_length)) {
OPENSSL_clear_free(pskpms, pskpmslen);
/* SSLfatal() already called */
@ -4667,8 +4659,10 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
else
OPENSSL_cleanse(pms, pmslen);
}
if (s->server == 0)
if (s->server == 0) {
s->s3->tmp.pms = NULL;
s->s3->tmp.pmslen = 0;
}
return ret;
}

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
#include "ssl_locl.h"
#include "ssl_local.h"
int ssl3_do_change_cipher_spec(SSL *s)
{
@ -48,6 +48,8 @@ int ssl3_send_alert(SSL *s, int level, int desc)
* protocol_version alerts */
if (desc < 0)
return -1;
if (s->shutdown & SSL_SENT_SHUTDOWN && desc != SSL_AD_CLOSE_NOTIFY)
return -1;
/* If a fatal one, remove from cache */
if ((level == SSL3_AL_FATAL) && (s->session != NULL))
SSL_CTX_remove_session(s->session_ctx, s->session);

View file

@ -10,7 +10,7 @@
#include <stdio.h>
#include <stdlib.h>
#include "ssl_locl.h"
#include "ssl_local.h"
#include <openssl/asn1t.h>
#include <openssl/x509.h>

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@ -20,7 +20,7 @@
#include <openssl/bn.h>
#include <openssl/crypto.h>
#include "internal/refcount.h"
#include "ssl_locl.h"
#include "ssl_local.h"
#include "ssl_cert_table.h"
#include "internal/thread_once.h"
@ -154,8 +154,6 @@ CERT *ssl_cert_dup(CERT *cert)
ret->client_sigalgslen = cert->client_sigalgslen;
} else
ret->client_sigalgs = NULL;
/* Shared sigalgs also NULL */
ret->shared_sigalgs = NULL;
/* Copy any custom client certificate types */
if (cert->ctype) {
ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len);
@ -240,7 +238,6 @@ void ssl_cert_free(CERT *c)
ssl_cert_clear_certs(c);
OPENSSL_free(c->conf_sigalgs);
OPENSSL_free(c->client_sigalgs);
OPENSSL_free(c->shared_sigalgs);
OPENSSL_free(c->ctype);
X509_STORE_free(c->verify_store);
X509_STORE_free(c->chain_store);
@ -604,14 +601,6 @@ static unsigned long xname_hash(const X509_NAME *a)
return X509_NAME_hash((X509_NAME *)a);
}
/**
* Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
* it doesn't really have anything to do with clients (except that a common use
* for a stack of CAs is to send it to the client). Actually, it doesn't have
* much to do with CAs, either, since it will load any old cert.
* \param file the file containing one or more certs.
* \return a ::STACK containing the certs.
*/
STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
{
BIO *in = BIO_new(BIO_s_file());
@ -669,15 +658,6 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
return ret;
}
/**
* Add a file of certs to a stack.
* \param stack the stack to add to.
* \param file the file to add from. All certs in this file that are not
* already in the stack will be added.
* \return 1 for success, 0 for failure. Note that in the case of failure some
* certs may have been added to \c stack.
*/
int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *file)
{
@ -728,17 +708,6 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
return ret;
}
/**
* Add a directory of certs to a stack.
* \param stack the stack to append to.
* \param dir the directory to append from. All files in this directory will be
* examined as potential certs. Any that are acceptable to
* SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be
* included.
* \return 1 for success, 0 for failure. Note that in the case of failure some
* certs may have been added to \c stack.
*/
int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *dir)
{
@ -907,18 +876,36 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)
return 1;
}
int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp)
{
int level;
static const int minbits_table[5 + 1] = { 0, 80, 112, 128, 192, 256 };
if (ctx != NULL)
level = SSL_CTX_get_security_level(ctx);
else
level = SSL_get_security_level(s);
if (level > 5)
level = 5;
else if (level < 0)
level = 0;
if (levelp != NULL)
*levelp = level;
return minbits_table[level];
}
static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
int op, int bits, int nid, void *other,
void *ex)
{
int level, minbits;
static const int minbits_table[5] = { 80, 112, 128, 192, 256 };
if (ctx)
level = SSL_CTX_get_security_level(ctx);
else
level = SSL_get_security_level(s);
if (level <= 0) {
minbits = ssl_get_security_level_bits(s, ctx, &level);
if (level == 0) {
/*
* No EDH keys weaker than 1024-bits even at level 0, otherwise,
* anything goes.
@ -927,9 +914,6 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
return 0;
return 1;
}
if (level > 5)
level = 5;
minbits = minbits_table[level - 1];
switch (op) {
case SSL_SECOP_CIPHER_SUPPORTED:
case SSL_SECOP_CIPHER_SHARED:

View file

@ -17,7 +17,7 @@
#include <openssl/crypto.h>
#include <openssl/conf.h>
#include "internal/nelem.h"
#include "ssl_locl.h"
#include "ssl_local.h"
#include "internal/thread_once.h"
#include "internal/cryptlib.h"
@ -92,7 +92,7 @@ static CRYPTO_ONCE ssl_load_builtin_comp_once = CRYPTO_ONCE_STATIC_INIT;
/*
* Constant SSL_MAX_DIGEST equal to size of digests array should be defined
* in the ssl_locl.h
* in the ssl_local.h
*/
#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
@ -1377,24 +1377,25 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
{
int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
if (ret && ctx->cipher_list != NULL) {
/* We already have a cipher_list, so we need to update it */
if (ret && ctx->cipher_list != NULL)
return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
ctx->tls13_ciphersuites);
}
return ret;
}
int SSL_set_ciphersuites(SSL *s, const char *str)
{
STACK_OF(SSL_CIPHER) *cipher_list;
int ret = set_ciphersuites(&(s->tls13_ciphersuites), str);
if (ret && s->cipher_list != NULL) {
/* We already have a cipher_list, so we need to update it */
if (s->cipher_list == NULL) {
if ((cipher_list = SSL_get_ciphers(s)) != NULL)
s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
}
if (ret && s->cipher_list != NULL)
return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
s->tls13_ciphersuites);
}
return ret;
}

View file

@ -1,5 +1,5 @@
/*
* Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -8,7 +8,7 @@
*/
#include <stdio.h>
#include "ssl_locl.h"
#include "ssl_local.h"
#include <openssl/conf.h>
#include <openssl/objects.h>
#include <openssl/dh.h>
@ -305,6 +305,13 @@ static int protocol_from_string(const char *value)
const char *name;
int version;
};
/*
* Note: To avoid breaking previously valid configurations, we must retain
* legacy entries in this table even if the underlying protocol is no
* longer supported. This also means that the constants SSL3_VERSION, ...
* need to be retained indefinitely. This table can only grow, never
* shrink.
*/
static const struct protocol_versions versions[] = {
{"None", 0},
{"SSLv3", SSL3_VERSION},

View file

@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -85,6 +85,7 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_KEY_SHARE, 0), "final_key_share"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_MAXFRAGMENTLEN, 0),
"final_maxfragmentlen"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_PSK, 0), "final_psk"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_RENEGOTIATE, 0), "final_renegotiate"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_SERVER_NAME, 0), "final_server_name"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_SIG_ALGS, 0), "final_sig_algs"},
@ -948,6 +949,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
"missing ecdsa signing cert"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_FATAL), "missing fatal"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_PARAMETERS), "missing parameters"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_PSK_KEX_MODES_EXTENSION),
"missing psk kex modes extension"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_CERTIFICATE),
"missing rsa certificate"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_ENCRYPTING_CERT),
@ -1018,6 +1021,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_CTX), "null ssl ctx"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_METHOD_PASSED),
"null ssl method passed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OCSP_CALLBACK_FAILURE),
"ocsp callback failure"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),
"old session cipher not returned"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED),

View file

@ -12,7 +12,7 @@
#include "internal/err.h"
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include "ssl_locl.h"
#include "ssl_local.h"
#include "internal/thread_once.h"
static int stopped;

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@ -10,7 +10,7 @@
*/
#include <stdio.h>
#include "ssl_locl.h"
#include "ssl_local.h"
#include <openssl/objects.h>
#include <openssl/x509v3.h>
#include <openssl/rand.h>
@ -628,6 +628,11 @@ int SSL_clear(SSL *s)
/* Clear the verification result peername */
X509_VERIFY_PARAM_move_peername(s->param, NULL);
/* Clear any shared connection state */
OPENSSL_free(s->shared_sigalgs);
s->shared_sigalgs = NULL;
s->shared_sigalgslen = 0;
/*
* Check to see if we were changed into a different method, if so, revert
* back.
@ -774,8 +779,10 @@ SSL *SSL_new(SSL_CTX *ctx)
s->ext.ecpointformats =
OPENSSL_memdup(ctx->ext.ecpointformats,
ctx->ext.ecpointformats_len);
if (!s->ext.ecpointformats)
if (!s->ext.ecpointformats) {
s->ext.ecpointformats_len = 0;
goto err;
}
s->ext.ecpointformats_len =
ctx->ext.ecpointformats_len;
}
@ -784,8 +791,10 @@ SSL *SSL_new(SSL_CTX *ctx)
OPENSSL_memdup(ctx->ext.supportedgroups,
ctx->ext.supportedgroups_len
* sizeof(*ctx->ext.supportedgroups));
if (!s->ext.supportedgroups)
if (!s->ext.supportedgroups) {
s->ext.supportedgroups_len = 0;
goto err;
}
s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;
}
#endif
@ -795,8 +804,10 @@ SSL *SSL_new(SSL_CTX *ctx)
if (s->ctx->ext.alpn) {
s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len);
if (s->ext.alpn == NULL)
if (s->ext.alpn == NULL) {
s->ext.alpn_len = 0;
goto err;
}
memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len);
s->ext.alpn_len = s->ctx->ext.alpn_len;
}
@ -867,7 +878,7 @@ int SSL_up_ref(SSL *s)
int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
unsigned int sid_ctx_len)
{
if (sid_ctx_len > sizeof(ctx->sid_ctx)) {
if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,
SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
return 0;
@ -1160,6 +1171,7 @@ void SSL_free(SSL *s)
sk_SSL_CIPHER_free(s->cipher_list);
sk_SSL_CIPHER_free(s->cipher_list_by_id);
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
sk_SSL_CIPHER_free(s->peer_ciphers);
/* Make the next call work :-) */
if (s->session != NULL) {
@ -1172,13 +1184,16 @@ void SSL_free(SSL *s)
clear_ciphers(s);
ssl_cert_free(s->cert);
OPENSSL_free(s->shared_sigalgs);
/* Free up if allocated */
OPENSSL_free(s->ext.hostname);
SSL_CTX_free(s->session_ctx);
#ifndef OPENSSL_NO_EC
OPENSSL_free(s->ext.ecpointformats);
OPENSSL_free(s->ext.peer_ecpointformats);
OPENSSL_free(s->ext.supportedgroups);
OPENSSL_free(s->ext.peer_supportedgroups);
#endif /* OPENSSL_NO_EC */
sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free);
#ifndef OPENSSL_NO_OCSP
@ -1191,6 +1206,8 @@ void SSL_free(SSL *s)
OPENSSL_free(s->ext.ocsp.resp);
OPENSSL_free(s->ext.alpn);
OPENSSL_free(s->ext.tls13_cookie);
if (s->clienthello != NULL)
OPENSSL_free(s->clienthello->pre_proc_exts);
OPENSSL_free(s->clienthello);
OPENSSL_free(s->pha_context);
EVP_MD_CTX_free(s->pha_dgst);
@ -2102,6 +2119,11 @@ int SSL_key_update(SSL *s, int updatetype)
return 0;
}
if (RECORD_LAYER_write_pending(&s->rlayer)) {
SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_BAD_WRITE_RETRY);
return 0;
}
ossl_statem_set_in_init(s, 1);
s->key_update = updatetype;
return 1;
@ -2437,9 +2459,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s)
{
if ((s == NULL) || (s->session == NULL) || !s->server)
if ((s == NULL) || !s->server)
return NULL;
return s->session->ciphers;
return s->peer_ciphers;
}
STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
@ -2578,13 +2600,12 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
int i;
if (!s->server
|| s->session == NULL
|| s->session->ciphers == NULL
|| s->peer_ciphers == NULL
|| size < 2)
return NULL;
p = buf;
clntsk = s->session->ciphers;
clntsk = s->peer_ciphers;
srvrsk = SSL_get_ciphers(s);
if (clntsk == NULL || srvrsk == NULL)
return NULL;
@ -2615,31 +2636,85 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
return buf;
}
/** return a servername extension value if provided in Client Hello, or NULL.
* So far, only host_name types are defined (RFC 3546).
/**
* Return the requested servername (SNI) value. Note that the behaviour varies
* depending on:
* - whether this is called by the client or the server,
* - if we are before or during/after the handshake,
* - if a resumption or normal handshake is being attempted/has occurred
* - whether we have negotiated TLSv1.2 (or below) or TLSv1.3
*
* Note that only the host_name type is defined (RFC 3546).
*/
const char *SSL_get_servername(const SSL *s, const int type)
{
/*
* If we don't know if we are the client or the server yet then we assume
* client.
*/
int server = s->handshake_func == NULL ? 0 : s->server;
if (type != TLSEXT_NAMETYPE_host_name)
return NULL;
/*
* SNI is not negotiated in pre-TLS-1.3 resumption flows, so fake up an
* SNI value to return if we are resuming/resumed. N.B. that we still
* call the relevant callbacks for such resumption flows, and callbacks
* might error out if there is not a SNI value available.
*/
if (s->hit)
return s->session->ext.hostname;
if (server) {
/**
* Server side
* In TLSv1.3 on the server SNI is not associated with the session
* but in TLSv1.2 or below it is.
*
* Before the handshake:
* - return NULL
*
* During/after the handshake (TLSv1.2 or below resumption occurred):
* - If a servername was accepted by the server in the original
* handshake then it will return that servername, or NULL otherwise.
*
* During/after the handshake (TLSv1.2 or below resumption did not occur):
* - The function will return the servername requested by the client in
* this handshake or NULL if none was requested.
*/
if (s->hit && !SSL_IS_TLS13(s))
return s->session->ext.hostname;
} else {
/**
* Client side
*
* Before the handshake:
* - If a servername has been set via a call to
* SSL_set_tlsext_host_name() then it will return that servername
* - If one has not been set, but a TLSv1.2 resumption is being
* attempted and the session from the original handshake had a
* servername accepted by the server then it will return that
* servername
* - Otherwise it returns NULL
*
* During/after the handshake (TLSv1.2 or below resumption occurred):
* - If the session from the original handshake had a servername accepted
* by the server then it will return that servername.
* - Otherwise it returns the servername set via
* SSL_set_tlsext_host_name() (or NULL if it was not called).
*
* During/after the handshake (TLSv1.2 or below resumption did not occur):
* - It will return the servername set via SSL_set_tlsext_host_name()
* (or NULL if it was not called).
*/
if (SSL_in_before(s)) {
if (s->ext.hostname == NULL
&& s->session != NULL
&& s->session->ssl_version != TLS1_3_VERSION)
return s->session->ext.hostname;
} else {
if (!SSL_IS_TLS13(s) && s->hit && s->session->ext.hostname != NULL)
return s->session->ext.hostname;
}
}
return s->ext.hostname;
}
int SSL_get_servername_type(const SSL *s)
{
if (s->session
&& (!s->ext.hostname ? s->session->
ext.hostname : s->ext.hostname))
if (SSL_get_servername(s, TLSEXT_NAMETYPE_host_name) != NULL)
return TLSEXT_NAMETYPE_host_name;
return -1;
}
@ -2759,6 +2834,19 @@ void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx,
}
#endif
static int alpn_value_ok(const unsigned char *protos, unsigned int protos_len)
{
unsigned int idx;
if (protos_len < 2 || protos == NULL)
return 0;
for (idx = 0; idx < protos_len; idx += protos[idx] + 1) {
if (protos[idx] == 0)
return 0;
}
return idx == protos_len;
}
/*
* SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
* |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
@ -2767,12 +2855,25 @@ void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx,
int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
unsigned int protos_len)
{
OPENSSL_free(ctx->ext.alpn);
ctx->ext.alpn = OPENSSL_memdup(protos, protos_len);
if (ctx->ext.alpn == NULL) {
unsigned char *alpn;
if (protos_len == 0 || protos == NULL) {
OPENSSL_free(ctx->ext.alpn);
ctx->ext.alpn = NULL;
ctx->ext.alpn_len = 0;
return 0;
}
/* Not valid per RFC */
if (!alpn_value_ok(protos, protos_len))
return 1;
alpn = OPENSSL_memdup(protos, protos_len);
if (alpn == NULL) {
SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
return 1;
}
OPENSSL_free(ctx->ext.alpn);
ctx->ext.alpn = alpn;
ctx->ext.alpn_len = protos_len;
return 0;
@ -2786,12 +2887,25 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
unsigned int protos_len)
{
OPENSSL_free(ssl->ext.alpn);
ssl->ext.alpn = OPENSSL_memdup(protos, protos_len);
if (ssl->ext.alpn == NULL) {
unsigned char *alpn;
if (protos_len == 0 || protos == NULL) {
OPENSSL_free(ssl->ext.alpn);
ssl->ext.alpn = NULL;
ssl->ext.alpn_len = 0;
return 0;
}
/* Not valid per RFC */
if (!alpn_value_ok(protos, protos_len))
return 1;
alpn = OPENSSL_memdup(protos, protos_len);
if (alpn == NULL) {
SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
return 1;
}
OPENSSL_free(ssl->ext.alpn);
ssl->ext.alpn = alpn;
ssl->ext.alpn_len = protos_len;
return 0;
@ -2833,7 +2947,8 @@ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
const unsigned char *context, size_t contextlen,
int use_context)
{
if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
if (s->session == NULL
|| (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER))
return -1;
return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
@ -3762,6 +3877,8 @@ SSL *SSL_dup(SSL *s)
goto err;
ret->version = s->version;
ret->options = s->options;
ret->min_proto_version = s->min_proto_version;
ret->max_proto_version = s->max_proto_version;
ret->mode = s->mode;
SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
@ -3777,21 +3894,6 @@ SSL *SSL_dup(SSL *s)
if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
goto err;
/* setup rbio, and wbio */
if (s->rbio != NULL) {
if (!BIO_dup_state(s->rbio, (char *)&ret->rbio))
goto err;
}
if (s->wbio != NULL) {
if (s->wbio != s->rbio) {
if (!BIO_dup_state(s->wbio, (char *)&ret->wbio))
goto err;
} else {
BIO_up_ref(ret->rbio);
ret->wbio = ret->rbio;
}
}
ret->server = s->server;
if (s->handshake_func) {
if (s->server)
@ -4460,8 +4562,11 @@ int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
}
ctx = EVP_MD_CTX_new();
if (ctx == NULL)
if (ctx == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH,
ERR_R_INTERNAL_ERROR);
goto err;
}
if (!EVP_MD_CTX_copy_ex(ctx, hdgst)
|| EVP_DigestFinal_ex(ctx, out, NULL) <= 0) {
@ -4478,7 +4583,7 @@ int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
return ret;
}
int SSL_session_reused(SSL *s)
int SSL_session_reused(const SSL *s)
{
return s->hit;
}
@ -5070,6 +5175,11 @@ int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen)
if (ext->present)
num++;
}
if (num == 0) {
*out = NULL;
*outlen = 0;
return 1;
}
if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) {
SSLerr(SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT,
ERR_R_MALLOC_FAILURE);

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@ -9,8 +9,8 @@
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_SSL_LOCL_H
# define HEADER_SSL_LOCL_H
#ifndef OSSL_SSL_LOCAL_H
# define OSSL_SSL_LOCAL_H
# include "e_os.h" /* struct timeval for DTLS */
# include <stdlib.h>
@ -30,7 +30,7 @@
# include <openssl/ct.h>
# include "record/record.h"
# include "statem/statem.h"
# include "packet_locl.h"
# include "packet_local.h"
# include "internal/dane.h"
# include "internal/refcount.h"
# include "internal/tsan_assist.h"
@ -537,7 +537,6 @@ struct ssl_session_st {
int not_resumable;
/* This is the cert and type for the other end. */
X509 *peer;
int peer_type;
/* Certificate chain peer sent. */
STACK_OF(X509) *peer_chain;
/*
@ -552,7 +551,6 @@ struct ssl_session_st {
const SSL_CIPHER *cipher;
unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used to
* load the 'cipher' structure */
STACK_OF(SSL_CIPHER) *ciphers; /* ciphers offered by the client */
CRYPTO_EX_DATA ex_data; /* application specific data */
/*
* These are used to make removal of session-ids more efficient and to
@ -562,19 +560,12 @@ struct ssl_session_st {
struct {
char *hostname;
# ifndef OPENSSL_NO_EC
size_t ecpointformats_len;
unsigned char *ecpointformats; /* peer's list */
# endif /* OPENSSL_NO_EC */
size_t supportedgroups_len;
uint16_t *supportedgroups; /* peer's list */
/* RFC4507 info */
/* RFC4507 info */
unsigned char *tick; /* Session ticket */
size_t ticklen; /* Session ticket length */
/* Session lifetime hint in seconds */
unsigned long tick_lifetime_hint;
uint32_t tick_age_add;
int tick_identity;
/* Max number of bytes that can be sent as early data */
uint32_t max_early_data;
/* The ALPN protocol selected for this session */
@ -1138,6 +1129,7 @@ struct ssl_st {
/* Per connection DANE state */
SSL_DANE dane;
/* crypto */
STACK_OF(SSL_CIPHER) *peer_ciphers;
STACK_OF(SSL_CIPHER) *cipher_list;
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
@ -1301,10 +1293,19 @@ struct ssl_st {
size_t ecpointformats_len;
/* our list */
unsigned char *ecpointformats;
size_t peer_ecpointformats_len;
/* peer's list */
unsigned char *peer_ecpointformats;
# endif /* OPENSSL_NO_EC */
size_t supportedgroups_len;
/* our list */
uint16_t *supportedgroups;
size_t peer_supportedgroups_len;
/* peer's list */
uint16_t *peer_supportedgroups;
/* TLS Session Ticket extension override */
TLS_SESSION_TICKET_EXT *session_ticket;
/* TLS Session Ticket extension callback */
@ -1356,6 +1357,13 @@ struct ssl_st {
* as this extension is optional on server side.
*/
uint8_t max_fragment_len_mode;
/*
* On the client side the number of ticket identities we sent in the
* ClientHello. On the server side the identity of the ticket we
* selected.
*/
int tick_identity;
} ext;
/*
@ -1453,7 +1461,6 @@ struct ssl_st {
size_t block_padding;
CRYPTO_RWLOCK *lock;
RAND_DRBG *drbg;
/* The number of TLS1.3 tickets to automatically send */
size_t num_tickets;
@ -1465,6 +1472,13 @@ struct ssl_st {
/* Callback to determine if early_data is acceptable or not */
SSL_allow_early_data_cb_fn allow_early_data_cb;
void *allow_early_data_cb_data;
/*
* Signature algorithms shared by client and server: cached because these
* are used most often.
*/
const struct sigalg_lookup_st **shared_sigalgs;
size_t shared_sigalgslen;
};
/*
@ -1509,7 +1523,7 @@ typedef struct cert_pkey_st CERT_PKEY;
* CERT_PKEY entries
*/
typedef struct {
int nid; /* NID of pubic key algorithm */
int nid; /* NID of public key algorithm */
uint32_t amask; /* authmask corresponding to key type */
} SSL_CERT_LOOKUP;
@ -1898,12 +1912,6 @@ typedef struct cert_st {
uint16_t *client_sigalgs;
/* Size of above array */
size_t client_sigalgslen;
/*
* Signature algorithms shared by client and server: cached because these
* are used most often.
*/
const SIGALG_LOOKUP **shared_sigalgs;
size_t shared_sigalgslen;
/*
* Certificate setup callback: if set is called whenever a certificate
* may be required (client or server). the callback can then examine any
@ -2052,9 +2060,6 @@ typedef enum downgrade_en {
#define TLSEXT_KEX_MODE_FLAG_KE 1
#define TLSEXT_KEX_MODE_FLAG_KE_DHE 2
/* An invalid index into the TLSv1.3 PSK identities */
#define TLSEXT_PSK_BAD_IDENTITY -1
#define SSL_USE_PSS(s) (s->s3->tmp.peer_sigalg != NULL && \
s->s3->tmp.peer_sigalg->sig == EVP_PKEY_RSA_PSS)
@ -2237,8 +2242,8 @@ static ossl_inline int ssl_has_cert(const SSL *s, int idx)
static ossl_inline void tls1_get_peer_groups(SSL *s, const uint16_t **pgroups,
size_t *pgroupslen)
{
*pgroups = s->session->ext.supportedgroups;
*pgroupslen = s->session->ext.supportedgroups_len;
*pgroups = s->ext.peer_supportedgroups;
*pgroupslen = s->ext.peer_supportedgroups_len;
}
# ifndef OPENSSL_UNIT_TEST
@ -2300,6 +2305,7 @@ __owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain,
__owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other);
__owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
void *other);
int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp);
__owur int ssl_cert_lookup_by_nid(int nid, size_t *pidx);
__owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk,
@ -2421,7 +2427,6 @@ __owur int dtls1_handle_timeout(SSL *s);
void dtls1_start_timer(SSL *s);
void dtls1_stop_timer(SSL *s);
__owur int dtls1_is_timer_expired(SSL *s);
void dtls1_double_timeout(SSL *s);
__owur int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
size_t cookie_len);
__owur size_t dtls1_min_mtu(SSL *s);
@ -2575,7 +2580,7 @@ __owur int tls_check_sigalg_curve(const SSL *s, int curve);
# endif
__owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey);
__owur int ssl_set_client_disabled(SSL *s);
__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde);
__owur int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int echde);
__owur int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
size_t *hashlen);

View file

@ -10,7 +10,7 @@
#include <stdio.h>
#include <openssl/conf.h>
#include <openssl/ssl.h>
#include "ssl_locl.h"
#include "ssl_local.h"
#include "internal/sslconf.h"
/* SSL library configuration module. */

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -8,8 +8,8 @@
*/
#include <stdio.h>
#include "ssl_locl.h"
#include "packet_locl.h"
#include "ssl_local.h"
#include "packet_local.h"
#include <openssl/bio.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
@ -148,15 +148,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
EVP_PKEY_copy_parameters(pktmp, pkey);
ERR_clear_error();
#ifndef OPENSSL_NO_RSA
/*
* Don't check the public/private key, this is mostly for smart
* cards.
*/
if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
&& RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ;
else
#endif
if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
X509_free(c->pkeys[i].x509);
c->pkeys[i].x509 = NULL;
@ -342,16 +333,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
ERR_clear_error();
#ifndef OPENSSL_NO_RSA
/*
* Don't check the public/private key, this is mostly for smart
* cards.
*/
if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
&& RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
RSA_METHOD_FLAG_NO_CHECK) ;
else
#endif /* OPENSSL_NO_RSA */
if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
/*
* don't fail for a cert/key mismatch, just free current private
@ -1082,13 +1063,6 @@ static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *pr
EVP_PKEY_copy_parameters(pubkey, privatekey);
} /* else both have parameters */
/* Copied from ssl_set_cert/pkey */
#ifndef OPENSSL_NO_RSA
if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) &&
((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) & RSA_METHOD_FLAG_NO_CHECK)))
/* no-op */ ;
else
#endif
/* check that key <-> cert match */
if (EVP_PKEY_cmp(pubkey, privatekey) != 1) {
SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH);

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@ -13,8 +13,8 @@
#include <openssl/engine.h>
#include "internal/refcount.h"
#include "internal/cryptlib.h"
#include "ssl_locl.h"
#include "statem/statem_locl.h"
#include "ssl_local.h"
#include "statem/statem_local.h"
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
@ -107,7 +107,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
{
SSL_SESSION *dest;
dest = OPENSSL_malloc(sizeof(*src));
dest = OPENSSL_malloc(sizeof(*dest));
if (dest == NULL) {
goto err;
}
@ -121,12 +121,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
dest->psk_identity_hint = NULL;
dest->psk_identity = NULL;
#endif
dest->ciphers = NULL;
dest->ext.hostname = NULL;
#ifndef OPENSSL_NO_EC
dest->ext.ecpointformats = NULL;
dest->ext.supportedgroups = NULL;
#endif
dest->ext.tick = NULL;
dest->ext.alpn_selected = NULL;
#ifndef OPENSSL_NO_SRP
@ -176,12 +171,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
}
#endif
if (src->ciphers != NULL) {
dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers);
if (dest->ciphers == NULL)
goto err;
}
if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
&dest->ex_data, &src->ex_data)) {
goto err;
@ -193,23 +182,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
goto err;
}
}
#ifndef OPENSSL_NO_EC
if (src->ext.ecpointformats) {
dest->ext.ecpointformats =
OPENSSL_memdup(src->ext.ecpointformats,
src->ext.ecpointformats_len);
if (dest->ext.ecpointformats == NULL)
goto err;
}
if (src->ext.supportedgroups) {
dest->ext.supportedgroups =
OPENSSL_memdup(src->ext.supportedgroups,
src->ext.supportedgroups_len
* sizeof(*src->ext.supportedgroups));
if (dest->ext.supportedgroups == NULL)
goto err;
}
#endif
if (ticket != 0 && src->ext.tick != NULL) {
dest->ext.tick =
@ -790,17 +762,8 @@ void SSL_SESSION_free(SSL_SESSION *ss)
OPENSSL_cleanse(ss->session_id, sizeof(ss->session_id));
X509_free(ss->peer);
sk_X509_pop_free(ss->peer_chain, X509_free);
sk_SSL_CIPHER_free(ss->ciphers);
OPENSSL_free(ss->ext.hostname);
OPENSSL_free(ss->ext.tick);
#ifndef OPENSSL_NO_EC
OPENSSL_free(ss->ext.ecpointformats);
ss->ext.ecpointformats = NULL;
ss->ext.ecpointformats_len = 0;
OPENSSL_free(ss->ext.supportedgroups);
ss->ext.supportedgroups = NULL;
ss->ext.supportedgroups_len = 0;
#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_PSK
OPENSSL_free(ss->psk_identity_hint);
OPENSSL_free(ss->psk_identity);

View file

@ -9,7 +9,7 @@
*/
#include <stdio.h>
#include "ssl_locl.h"
#include "ssl_local.h"
const char *SSL_state_string_long(const SSL *s)
{

View file

@ -10,7 +10,7 @@
#include <stdio.h>
#include <openssl/buffer.h>
#include "ssl_locl.h"
#include "ssl_local.h"
#ifndef OPENSSL_NO_STDIO
int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)

View file

@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
#include "ssl_locl.h"
#include "ssl_local.h"
#ifndef OPENSSL_NO_UNIT_TEST

View file

@ -40,7 +40,7 @@ Conceptually the state machine component is designed as follows:
| |
| Core state machine code |
|____________________________|
statem_locl.h ^ ^
statem_local.h ^ ^
_________| |_______
| |
_____________|____________ _____________|____________

View file

@ -1,5 +1,5 @@
/*
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -10,14 +10,15 @@
#include <string.h>
#include "internal/nelem.h"
#include "internal/cryptlib.h"
#include "../ssl_locl.h"
#include "statem_locl.h"
#include "../ssl_local.h"
#include "statem_local.h"
#include "internal/cryptlib.h"
static int final_renegotiate(SSL *s, unsigned int context, int sent);
static int init_server_name(SSL *s, unsigned int context);
static int final_server_name(SSL *s, unsigned int context, int sent);
#ifndef OPENSSL_NO_EC
static int init_ec_point_formats(SSL *s, unsigned int context);
static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
#endif
static int init_session_ticket(SSL *s, unsigned int context);
@ -56,6 +57,7 @@ static int final_sig_algs(SSL *s, unsigned int context, int sent);
static int final_early_data(SSL *s, unsigned int context, int sent);
static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
static int init_post_handshake_auth(SSL *s, unsigned int context);
static int final_psk(SSL *s, unsigned int context, int sent);
/* Structure to define a built-in extension */
typedef struct extensions_definition_st {
@ -94,7 +96,7 @@ typedef struct extensions_definition_st {
/*
* Definitions of all built-in extensions. NOTE: Changes in the number or order
* of these extensions should be mirrored with equivalent changes to the
* indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h.
* indexes ( TLSEXT_IDX_* ) defined in ssl_local.h.
* Each extension has an initialiser, a client and
* server side parser and a finaliser. The initialiser is called (if the
* extension is relevant to the given context) even if we did not see the
@ -158,7 +160,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
TLSEXT_TYPE_ec_point_formats,
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_2_AND_BELOW_ONLY,
NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
final_ec_pt_formats
},
@ -336,6 +338,8 @@ static const EXTENSION_DEFINITION ext_defs[] = {
tls_construct_stoc_key_share, tls_construct_ctos_key_share,
final_key_share
},
#else
INVALID_EXTENSION,
#endif
{
/* Must be after key_share */
@ -387,7 +391,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
| SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
tls_construct_ctos_psk, NULL
tls_construct_ctos_psk, final_psk
}
};
@ -949,8 +953,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
* was successful.
*/
if (s->server) {
/* TODO(OpenSSL1.2) revisit !sent case */
if (sent && ret == SSL_TLSEXT_ERR_OK && (!s->hit || SSL_IS_TLS13(s))) {
if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) {
/* Only store the hostname in the session if we accepted it. */
OPENSSL_free(s->session->ext.hostname);
s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
@ -967,7 +970,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
* context, to avoid the confusing situation of having sess_accept_good
* exceed sess_accept (zero) for the new context.
*/
if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx
&& s->hello_retry_request == SSL_HRR_NONE) {
tsan_counter(&s->ctx->stats.sess_accept);
tsan_decr(&s->session_ctx->stats.sess_accept);
}
@ -989,7 +993,6 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
ss->ext.ticklen = 0;
ss->ext.tick_lifetime_hint = 0;
ss->ext.tick_age_add = 0;
ss->ext.tick_identity = 0;
if (!ssl_generate_session_id(s, ss)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
ERR_R_INTERNAL_ERROR);
@ -1012,6 +1015,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
/* TLSv1.3 doesn't have warning alerts so we suppress this */
if (!SSL_IS_TLS13(s))
ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
s->servername_done = 0;
return 1;
case SSL_TLSEXT_ERR_NOACK:
@ -1024,6 +1028,15 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
}
#ifndef OPENSSL_NO_EC
static int init_ec_point_formats(SSL *s, unsigned int context)
{
OPENSSL_free(s->ext.peer_ecpointformats);
s->ext.peer_ecpointformats = NULL;
s->ext.peer_ecpointformats_len = 0;
return 1;
}
static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
{
unsigned long alg_k, alg_a;
@ -1041,18 +1054,18 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
*/
if (s->ext.ecpointformats != NULL
&& s->ext.ecpointformats_len > 0
&& s->session->ext.ecpointformats != NULL
&& s->session->ext.ecpointformats_len > 0
&& s->ext.peer_ecpointformats != NULL
&& s->ext.peer_ecpointformats_len > 0
&& ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
/* we are using an ECC cipher */
size_t i;
unsigned char *list = s->session->ext.ecpointformats;
unsigned char *list = s->ext.peer_ecpointformats;
for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
break;
}
if (i == s->session->ext.ecpointformats_len) {
if (i == s->ext.peer_ecpointformats_len) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
return 0;
@ -1137,6 +1150,7 @@ static int init_sig_algs(SSL *s, unsigned int context)
/* Clear any signature algorithms extension received */
OPENSSL_free(s->s3->tmp.peer_sigalgs);
s->s3->tmp.peer_sigalgs = NULL;
s->s3->tmp.peer_sigalgslen = 0;
return 1;
}
@ -1146,6 +1160,7 @@ static int init_sig_algs_cert(SSL *s, unsigned int context)
/* Clear any signature algorithms extension received */
OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
s->s3->tmp.peer_cert_sigalgs = NULL;
s->s3->tmp.peer_cert_sigalgslen = 0;
return 1;
}
@ -1169,14 +1184,26 @@ static int init_etm(SSL *s, unsigned int context)
static int init_ems(SSL *s, unsigned int context)
{
if (!s->server)
if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
}
return 1;
}
static int final_ems(SSL *s, unsigned int context, int sent)
{
/*
* Check extended master secret extension is not dropped on
* renegotiation.
*/
if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
&& (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
SSL_R_INCONSISTENT_EXTMS);
return 0;
}
if (!s->server && s->hit) {
/*
* Check extended master secret extension is consistent with
@ -1449,8 +1476,13 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
unsigned char *early_secret;
#ifdef CHARSET_EBCDIC
static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
#else
static const unsigned char resumption_label[] = "res binder";
static const unsigned char external_label[] = "ext binder";
#endif
const unsigned char *label;
size_t bindersize, labelsize, hashsize;
int hashsizei = EVP_MD_size(md);
@ -1646,13 +1678,12 @@ static int final_early_data(SSL *s, unsigned int context, int sent)
if (s->max_early_data == 0
|| !s->hit
|| s->session->ext.tick_identity != 0
|| s->early_data_state != SSL_EARLY_DATA_ACCEPTING
|| !s->ext.early_data_ok
|| s->hello_retry_request != SSL_HRR_NONE
|| (s->ctx->allow_early_data_cb != NULL
&& !s->ctx->allow_early_data_cb(s,
s->ctx->allow_early_data_cb_data))) {
|| (s->allow_early_data_cb != NULL
&& !s->allow_early_data_cb(s,
s->allow_early_data_cb_data))) {
s->ext.early_data = SSL_EARLY_DATA_REJECTED;
} else {
s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
@ -1698,3 +1729,19 @@ static int init_post_handshake_auth(SSL *s, unsigned int context)
return 1;
}
/*
* If clients offer "pre_shared_key" without a "psk_key_exchange_modes"
* extension, servers MUST abort the handshake.
*/
static int final_psk(SSL *s, unsigned int context, int sent)
{
if (s->server && sent && s->clienthello != NULL
&& !s->clienthello->pre_proc_exts[TLSEXT_IDX_psk_kex_modes].present) {
SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_PSK,
SSL_R_MISSING_PSK_KEX_MODES_EXTENSION);
return 0;
}
return 1;
}

View file

@ -1,5 +1,5 @@
/*
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -8,9 +8,9 @@
*/
#include <openssl/ocsp.h>
#include "../ssl_locl.h"
#include "../ssl_local.h"
#include "internal/cryptlib.h"
#include "statem_locl.h"
#include "statem_local.h"
EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
@ -816,6 +816,7 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
OPENSSL_free(s->psksession_id);
s->psksession_id = OPENSSL_memdup(id, idlen);
if (s->psksession_id == NULL) {
s->psksession_id_len = 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
@ -993,7 +994,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
int dores = 0;
s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
s->ext.tick_identity = 0;
/*
* Note: At this stage of the code we only support adding a single
@ -1083,6 +1084,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
agems += s->session->ext.tick_age_add;
reshashsize = EVP_MD_size(mdres);
s->ext.tick_identity++;
dores = 1;
}
@ -1142,6 +1144,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
}
s->ext.tick_identity++;
}
if (!WPACKET_close(pkt)
@ -1180,11 +1183,6 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
return EXT_RETURN_FAIL;
}
if (dores)
s->session->ext.tick_identity = 0;
if (s->psksession != NULL)
s->psksession->ext.tick_identity = (dores ? 1 : 0);
return EXT_RETURN_SENT;
#else
return EXT_RETURN_NOT_SENT;
@ -1374,19 +1372,20 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
return 0;
}
s->session->ext.ecpointformats_len = 0;
OPENSSL_free(s->session->ext.ecpointformats);
s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len);
if (s->session->ext.ecpointformats == NULL) {
s->ext.peer_ecpointformats_len = 0;
OPENSSL_free(s->ext.peer_ecpointformats);
s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
if (s->ext.peer_ecpointformats == NULL) {
s->ext.peer_ecpointformats_len = 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
return 0;
}
s->session->ext.ecpointformats_len = ecpointformats_len;
s->ext.peer_ecpointformats_len = ecpointformats_len;
if (!PACKET_copy_bytes(&ecptformatlist,
s->session->ext.ecpointformats,
s->ext.peer_ecpointformats,
ecpointformats_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
@ -1495,8 +1494,13 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
s->ext.scts_len = (uint16_t)size;
if (size > 0) {
s->ext.scts = OPENSSL_malloc(size);
if (s->ext.scts == NULL
|| !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
if (s->ext.scts == NULL) {
s->ext.scts_len = 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
ERR_R_MALLOC_FAILURE);
return 0;
}
if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
ERR_R_INTERNAL_ERROR);
return 0;
@ -1595,6 +1599,7 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
OPENSSL_free(s->ext.npn);
s->ext.npn = OPENSSL_malloc(selected_len);
if (s->ext.npn == NULL) {
s->ext.npn_len = 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN,
ERR_R_INTERNAL_ERROR);
return 0;
@ -1635,6 +1640,7 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
OPENSSL_free(s->s3->alpn_selected);
s->s3->alpn_selected = OPENSSL_malloc(len);
if (s->s3->alpn_selected == NULL) {
s->s3->alpn_selected_len = 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
ERR_R_INTERNAL_ERROR);
return 0;
@ -1666,6 +1672,7 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
s->session->ext.alpn_selected =
OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
if (s->session->ext.alpn_selected == NULL) {
s->session->ext.alpn_selected_len = 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
ERR_R_INTERNAL_ERROR);
return 0;
@ -1861,8 +1868,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
return 0;
}
skey = ssl_generate_pkey(ckey);
if (skey == NULL) {
skey = EVP_PKEY_new();
if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
ERR_R_MALLOC_FAILURE);
return 0;
@ -1927,8 +1934,7 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
}
if (!s->ext.early_data_ok
|| !s->hit
|| s->session->ext.tick_identity != 0) {
|| !s->hit) {
/*
* If we get here then we didn't send early data, or we didn't resume
* using the first identity, or the SNI/ALPN is not consistent so the
@ -1956,17 +1962,28 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
return 0;
}
if (s->session->ext.tick_identity == (int)identity) {
if (identity >= (unsigned int)s->ext.tick_identity) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
SSL_R_BAD_PSK_IDENTITY);
return 0;
}
/*
* Session resumption tickets are always sent before PSK tickets. If the
* ticket index is 0 then it must be for a session resumption ticket if we
* sent two tickets, or if we didn't send a PSK ticket.
*/
if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
s->hit = 1;
SSL_SESSION_free(s->psksession);
s->psksession = NULL;
return 1;
}
if (s->psksession == NULL
|| s->psksession->ext.tick_identity != (int)identity) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
SSL_R_BAD_PSK_IDENTITY);
if (s->psksession == NULL) {
/* Should never happen */
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
ERR_R_INTERNAL_ERROR);
return 0;
}
@ -1985,6 +2002,9 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
s->session = s->psksession;
s->psksession = NULL;
s->hit = 1;
/* Early data is only allowed if we used the first ticket */
if (identity != 0)
s->ext.early_data_ok = 0;
#endif
return 1;

View file

@ -10,9 +10,9 @@
/* Custom extension utility functions */
#include <openssl/ct.h>
#include "../ssl_locl.h"
#include "../ssl_local.h"
#include "internal/cryptlib.h"
#include "statem_locl.h"
#include "statem_local.h"
typedef struct {
void *add_arg;

View file

@ -1,5 +1,5 @@
/*
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -8,8 +8,8 @@
*/
#include <openssl/ocsp.h>
#include "../ssl_locl.h"
#include "statem_locl.h"
#include "../ssl_local.h"
#include "statem_local.h"
#include "internal/cryptlib.h"
#define COOKIE_STATE_FORMAT_VERSION 0
@ -127,6 +127,10 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
return 0;
}
/*
* In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
* we always use the SNI value from the handshake.
*/
if (!s->hit || SSL_IS_TLS13(s)) {
if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
@ -155,8 +159,12 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
}
s->servername_done = 1;
}
if (s->hit) {
} else {
/*
* In TLSv1.2 and below we should check if the SNI is consistent between
* the initial handshake and the resumption. In TLSv1.3 SNI is not
* associated with the session.
*/
/*
* TODO(openssl-team): if the SNI doesn't match, we MUST
* fall back to a full handshake.
@ -164,9 +172,6 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
s->servername_done = (s->session->ext.hostname != NULL)
&& PACKET_equal(&hostname, s->session->ext.hostname,
strlen(s->session->ext.hostname));
if (!s->servername_done && s->session->ext.hostname != NULL)
s->ext.early_data_ok = 0;
}
return 1;
@ -254,8 +259,8 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
if (!s->hit) {
if (!PACKET_memdup(&ec_point_format_list,
&s->session->ext.ecpointformats,
&s->session->ext.ecpointformats_len)) {
&s->ext.peer_ecpointformats,
&s->ext.peer_ecpointformats_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
return 0;
@ -962,12 +967,12 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
}
if (!s->hit || SSL_IS_TLS13(s)) {
OPENSSL_free(s->session->ext.supportedgroups);
s->session->ext.supportedgroups = NULL;
s->session->ext.supportedgroups_len = 0;
OPENSSL_free(s->ext.peer_supportedgroups);
s->ext.peer_supportedgroups = NULL;
s->ext.peer_supportedgroups_len = 0;
if (!tls1_save_u16(&supported_groups_list,
&s->session->ext.supportedgroups,
&s->session->ext.supportedgroups_len)) {
&s->ext.peer_supportedgroups,
&s->ext.peer_supportedgroups_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
ERR_R_INTERNAL_ERROR);
@ -1146,7 +1151,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (sesstmp == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
return 0;
goto err;
}
SSL_SESSION_free(sess);
sess = sesstmp;
@ -1274,7 +1279,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
goto err;
}
sess->ext.tick_identity = id;
s->ext.tick_identity = id;
SSL_SESSION_free(s->session);
s->session = sess;
@ -1330,8 +1335,14 @@ EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
{
if (s->hit || s->servername_done != 1
|| s->ext.hostname == NULL)
if (s->servername_done != 1)
return EXT_RETURN_NOT_SENT;
/*
* Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
* We just use the servername from the initial handshake.
*/
if (s->hit && !SSL_IS_TLS13(s))
return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
@ -1376,7 +1387,7 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
&& (s->session->ext.ecpointformats != NULL);
&& (s->ext.peer_ecpointformats != NULL);
const unsigned char *plist;
size_t plistlen;
@ -1487,6 +1498,10 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
{
/* We don't currently support this extension inside a CertificateRequest */
if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
return EXT_RETURN_NOT_SENT;
if (!s->ext.status_expected)
return EXT_RETURN_NOT_SENT;
@ -1699,6 +1714,13 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
}
return EXT_RETURN_NOT_SENT;
}
if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
/*
* PSK ('hit') and explicitly not doing DHE (if the client sent the
* DHE option we always take it); don't send key share.
*/
return EXT_RETURN_NOT_SENT;
}
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
|| !WPACKET_start_sub_packet_u16(pkt)
@ -1948,7 +1970,7 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
|| !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
|| !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
|| !WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);

View file

@ -9,8 +9,8 @@
#include "internal/cryptlib.h"
#include <openssl/rand.h>
#include "../ssl_locl.h"
#include "statem_locl.h"
#include "../ssl_local.h"
#include "statem_local.h"
#include <assert.h>
/*

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@ -12,8 +12,8 @@
#include <stdio.h>
#include <time.h>
#include <assert.h>
#include "../ssl_locl.h"
#include "statem_locl.h"
#include "../ssl_local.h"
#include "statem_local.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
@ -473,12 +473,6 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
return WRITE_TRAN_CONTINUE;
case TLS_ST_CR_KEY_UPDATE:
if (s->key_update != SSL_KEY_UPDATE_NONE) {
st->hand_state = TLS_ST_CW_KEY_UPDATE;
return WRITE_TRAN_CONTINUE;
}
/* Fall through */
case TLS_ST_CW_KEY_UPDATE:
case TLS_ST_CR_SESSION_TICKET:
case TLS_ST_CW_FINISHED:
@ -1007,7 +1001,8 @@ size_t ossl_statem_client_max_message_size(SSL *s)
return CCS_MAX_LENGTH;
case TLS_ST_CR_SESSION_TICKET:
return SSL3_RT_MAX_PLAIN_LENGTH;
return (SSL_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13
: SESSION_TICKET_MAX_LENGTH_TLS12;
case TLS_ST_CR_FINISHED:
return FINISHED_MAX_LENGTH;
@ -1613,10 +1608,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
* so the PAC-based session secret is always preserved. It'll be
* overwritten if the server refuses resumption.
*/
if (s->session->session_id_length > 0
|| (SSL_IS_TLS13(s)
&& s->session->ext.tick_identity
!= TLSEXT_PSK_BAD_IDENTITY)) {
if (s->session->session_id_length > 0) {
tsan_counter(&s->session_ctx->stats.sess_miss);
if (!ssl_get_new_session(s, 0)) {
/* SSLfatal() already called */
@ -1969,7 +1961,6 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
goto err;
}
}
s->session->peer_type = certidx;
X509_free(s->session->peer);
X509_up_ref(x);
@ -2154,17 +2145,19 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
}
bnpub_key = NULL;
if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE,
SSL_R_DH_KEY_TOO_SMALL);
goto err;
}
if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
ERR_R_EVP_LIB);
goto err;
}
dh = NULL;
if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp),
0, peer_tmp)) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE,
SSL_R_DH_KEY_TOO_SMALL);
goto err;
}
s->s3->peer_tmp = peer_tmp;
@ -2470,6 +2463,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
s->s3->tmp.ctype_len = 0;
OPENSSL_free(s->pha_context);
s->pha_context = NULL;
s->pha_context_len = 0;
if (!PACKET_get_length_prefixed_1(pkt, &reqctx) ||
!PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) {
@ -2779,16 +2773,17 @@ int tls_process_cert_status_body(SSL *s, PACKET *pkt)
}
s->ext.ocsp.resp = OPENSSL_malloc(resplen);
if (s->ext.ocsp.resp == NULL) {
s->ext.ocsp.resp_len = 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
ERR_R_MALLOC_FAILURE);
return 0;
}
s->ext.ocsp.resp_len = resplen;
if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
SSL_R_LENGTH_MISMATCH);
return 0;
}
s->ext.ocsp.resp_len = resplen;
return 1;
}
@ -2839,7 +2834,7 @@ int tls_process_initial_server_flight(SSL *s)
if (ret < 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
ERR_R_MALLOC_FAILURE);
SSL_R_OCSP_CALLBACK_FAILURE);
return 0;
}
}
@ -2913,6 +2908,7 @@ static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt)
if (psklen > PSK_MAX_PSK_LEN) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
psklen = PSK_MAX_PSK_LEN; /* Avoid overrunning the array on cleanse */
goto err;
} else if (psklen == 0) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
@ -3358,9 +3354,11 @@ int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
err:
OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
s->s3->tmp.pms = NULL;
s->s3->tmp.pmslen = 0;
#ifndef OPENSSL_NO_PSK
OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
s->s3->tmp.psk = NULL;
s->s3->tmp.psklen = 0;
#endif
return 0;
}
@ -3435,6 +3433,7 @@ int tls_client_key_exchange_post_work(SSL *s)
err:
OPENSSL_clear_free(pms, pmslen);
s->s3->tmp.pms = NULL;
s->s3->tmp.pmslen = 0;
return 0;
}

View file

@ -10,8 +10,8 @@
#include <limits.h>
#include <string.h>
#include <stdio.h>
#include "../ssl_locl.h"
#include "statem_locl.h"
#include "../ssl_local.h"
#include "statem_local.h"
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/objects.h>

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@ -11,8 +11,8 @@
#include <limits.h>
#include <string.h>
#include <stdio.h>
#include "../ssl_locl.h"
#include "statem_locl.h"
#include "../ssl_local.h"
#include "statem_local.h"
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/objects.h>
@ -168,9 +168,19 @@ int tls_setup_handshake(SSL *s)
static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
void **hdata, size_t *hdatalen)
{
static const char *servercontext = "TLS 1.3, server CertificateVerify";
static const char *clientcontext = "TLS 1.3, client CertificateVerify";
#ifdef CHARSET_EBCDIC
static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
0x69, 0x66, 0x79, 0x00 };
static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
0x69, 0x66, 0x79, 0x00 };
#else
static const char servercontext[] = "TLS 1.3, server CertificateVerify";
static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
#endif
if (SSL_IS_TLS13(s)) {
size_t hashlen;
@ -645,12 +655,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
/*
* If we get a request for us to update our sending keys too then, we need
* to additionally send a KeyUpdate message. However that message should
* not also request an update (otherwise we get into an infinite loop). We
* ignore a request for us to update our sending keys too if we already
* sent close_notify.
* not also request an update (otherwise we get into an infinite loop).
*/
if (updatetype == SSL_KEY_UPDATE_REQUESTED
&& (s->shutdown & SSL_SENT_SHUTDOWN) == 0)
if (updatetype == SSL_KEY_UPDATE_REQUESTED)
s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
if (!tls13_update_key(s, 0)) {
@ -837,9 +844,11 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
return MSG_PROCESS_ERROR;
}
} else {
/* TLS 1.3 gets the secret size from the handshake md */
size_t dummy;
if (!s->method->ssl3_enc->generate_master_secret(s,
s->master_secret, s->handshake_secret, 0,
&s->session->master_key_length)) {
&dummy)) {
/* SSLfatal() already called */
return MSG_PROCESS_ERROR;
}
@ -1026,14 +1035,25 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
int cleanuphand = s->statem.cleanuphand;
if (clearbufs) {
if (!SSL_IS_DTLS(s)) {
if (!SSL_IS_DTLS(s)
#ifndef OPENSSL_NO_SCTP
/*
* We don't do this in DTLS because we may still need the init_buf
* RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
* messages that require it. Therefore, DTLS procedures for retransmissions
* MUST NOT be used.
* Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
*/
|| BIO_dgram_is_sctp(SSL_get_wbio(s))
#endif
) {
/*
* We don't do this in DTLS over UDP because we may still need the init_buf
* in case there are any unexpected retransmits
*/
BUF_MEM_free(s->init_buf);
s->init_buf = NULL;
}
if (!ssl_free_wbio_buffer(s)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
ERR_R_INTERNAL_ERROR);
@ -1321,6 +1341,7 @@ int tls_get_message_body(SSL *s, size_t *len)
static const X509ERR2ALERT x509table[] = {
{X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
{X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
{X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
{X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
{X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
{X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
@ -1483,8 +1504,8 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
/*
* Only called by servers. Returns 1 if the server has a TLSv1.3 capable
* certificate type, or has PSK or a certificate callback configured. Otherwise
* returns 0.
* certificate type, or has PSK or a certificate callback configured, or has
* a servername callback configured. Otherwise returns 0.
*/
static int is_tls13_capable(const SSL *s)
{
@ -1494,6 +1515,17 @@ static int is_tls13_capable(const SSL *s)
EC_KEY *eckey;
#endif
if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
return 0;
/*
* A servername callback can change the available certs, so if a servername
* cb is set then we just assume TLSv1.3 will be ok
*/
if (s->ctx->ext.servername_cb != NULL
|| s->session_ctx->ext.servername_cb != NULL)
return 1;
#ifndef OPENSSL_NO_PSK
if (s->psk_server_callback != NULL)
return 1;
@ -1636,11 +1668,22 @@ int ssl_check_version_downgrade(SSL *s)
*/
int ssl_set_version_bound(int method_version, int version, int *bound)
{
int valid_tls;
int valid_dtls;
if (version == 0) {
*bound = version;
return 1;
}
valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION;
valid_dtls =
DTLS_VERSION_LE(version, DTLS_MAX_VERSION) &&
DTLS_VERSION_GE(version, DTLS1_BAD_VER);
if (!valid_tls && !valid_dtls)
return 0;
/*-
* Restrict TLS methods to TLS protocol versions.
* Restrict DTLS methods to DTLS protocol versions.
@ -1651,31 +1694,24 @@ int ssl_set_version_bound(int method_version, int version, int *bound)
* configurations. If the MIN (supported) version ever rises, the user's
* "floor" remains valid even if no longer available. We don't expect the
* MAX ceiling to ever get lower, so making that variable makes sense.
*
* We ignore attempts to set bounds on version-inflexible methods,
* returning success.
*/
switch (method_version) {
default:
/*
* XXX For fixed version methods, should we always fail and not set any
* bounds, always succeed and not set any bounds, or set the bounds and
* arrange to fail later if they are not met? At present fixed-version
* methods are not subject to controls that disable individual protocol
* versions.
*/
return 0;
break;
case TLS_ANY_VERSION:
if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
return 0;
if (valid_tls)
*bound = version;
break;
case DTLS_ANY_VERSION:
if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) ||
DTLS_VERSION_LT(version, DTLS1_BAD_VER))
return 0;
if (valid_dtls)
*bound = version;
break;
}
*bound = version;
return 1;
}

View file

@ -1,5 +1,5 @@
/*
* Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -22,6 +22,8 @@
#define SERVER_HELLO_MAX_LENGTH 20000
#define HELLO_RETRY_REQUEST_MAX_LENGTH 20000
#define ENCRYPTED_EXTENSIONS_MAX_LENGTH 20000
#define SESSION_TICKET_MAX_LENGTH_TLS13 131338
#define SESSION_TICKET_MAX_LENGTH_TLS12 65541
#define SERVER_KEY_EXCH_MAX_LENGTH 102400
#define SERVER_HELLO_DONE_MAX_LENGTH 0
#define KEY_UPDATE_MAX_LENGTH 1

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@ -10,9 +10,9 @@
*/
#include <stdio.h>
#include "../ssl_locl.h"
#include "statem_locl.h"
#include "internal/constant_time_locl.h"
#include "../ssl_local.h"
#include "statem_local.h"
#include "internal/constant_time.h"
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
@ -23,9 +23,24 @@
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/md5.h>
#include <openssl/asn1t.h>
#define TICKET_NONCE_SIZE 8
typedef struct {
ASN1_TYPE *kxBlob;
ASN1_TYPE *opaqueBlob;
} GOST_KX_MESSAGE;
DECLARE_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
ASN1_SEQUENCE(GOST_KX_MESSAGE) = {
ASN1_SIMPLE(GOST_KX_MESSAGE, kxBlob, ASN1_ANY),
ASN1_OPT(GOST_KX_MESSAGE, opaqueBlob, ASN1_ANY),
} ASN1_SEQUENCE_END(GOST_KX_MESSAGE)
IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
/*
@ -502,12 +517,6 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
return WRITE_TRAN_CONTINUE;
case TLS_ST_SR_KEY_UPDATE:
if (s->key_update != SSL_KEY_UPDATE_NONE) {
st->hand_state = TLS_ST_SW_KEY_UPDATE;
return WRITE_TRAN_CONTINUE;
}
/* Fall through */
case TLS_ST_SW_KEY_UPDATE:
st->hand_state = TLS_ST_OK;
return WRITE_TRAN_CONTINUE;
@ -734,7 +743,15 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
case TLS_ST_SW_CHANGE:
if (SSL_IS_TLS13(s))
break;
s->session->cipher = s->s3->tmp.new_cipher;
/* Writes to s->session are only safe for initial handshakes */
if (s->session->cipher == NULL) {
s->session->cipher = s->s3->tmp.new_cipher;
} else if (s->session->cipher != s->s3->tmp.new_cipher) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_OSSL_STATEM_SERVER_PRE_WORK,
ERR_R_INTERNAL_ERROR);
return WORK_ERROR;
}
if (!s->method->ssl3_enc->setup_key_block(s)) {
/* SSLfatal() already called */
return WORK_ERROR;
@ -774,6 +791,10 @@ static ossl_inline int conn_is_closed(void)
#if defined(ECONNRESET)
case ECONNRESET:
return 1;
#endif
#if defined(WSAECONNRESET)
case WSAECONNRESET:
return 1;
#endif
default:
return 0;
@ -934,9 +955,11 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
}
#endif
if (SSL_IS_TLS13(s)) {
/* TLS 1.3 gets the secret size from the handshake md */
size_t dummy;
if (!s->method->ssl3_enc->generate_master_secret(s,
s->master_secret, s->handshake_secret, 0,
&s->session->master_key_length)
&dummy)
|| !s->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
/* SSLfatal() already called */
@ -1923,14 +1946,14 @@ static int tls_early_post_process_client_hello(SSL *s)
&& master_key_length > 0) {
s->session->master_key_length = master_key_length;
s->hit = 1;
s->session->ciphers = ciphers;
s->peer_ciphers = ciphers;
s->session->verify_result = X509_V_OK;
ciphers = NULL;
/* check if some cipher was preferred by call back */
if (pref_cipher == NULL)
pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers,
SSL_get_ciphers(s));
if (pref_cipher == NULL) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
@ -1941,9 +1964,9 @@ static int tls_early_post_process_client_hello(SSL *s)
s->session->cipher = pref_cipher;
sk_SSL_CIPHER_free(s->cipher_list);
s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers);
sk_SSL_CIPHER_free(s->cipher_list_by_id);
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
}
}
@ -2043,12 +2066,12 @@ static int tls_early_post_process_client_hello(SSL *s)
#endif
/*
* Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
* Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher
*/
if (!s->hit || SSL_IS_TLS13(s)) {
sk_SSL_CIPHER_free(s->session->ciphers);
s->session->ciphers = ciphers;
sk_SSL_CIPHER_free(s->peer_ciphers);
s->peer_ciphers = ciphers;
if (ciphers == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
@ -2064,6 +2087,10 @@ static int tls_early_post_process_client_hello(SSL *s)
#else
s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
#endif
if (!tls1_set_server_sigalgs(s)) {
/* SSLfatal() already called */
goto err;
}
}
sk_SSL_CIPHER_free(ciphers);
@ -2151,6 +2178,7 @@ int tls_handle_alpn(SSL *s)
OPENSSL_free(s->s3->alpn_selected);
s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
if (s->s3->alpn_selected == NULL) {
s->s3->alpn_selected_len = 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN,
ERR_R_INTERNAL_ERROR);
return 0;
@ -2231,31 +2259,25 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
if (wst == WORK_MORE_B) {
if (!s->hit || SSL_IS_TLS13(s)) {
/* Let cert callback update server certificates if required */
if (!s->hit) {
if (s->cert->cert_cb != NULL) {
int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
if (rv == 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
SSL_R_CERT_CB_ERROR);
goto err;
}
if (rv < 0) {
s->rwstate = SSL_X509_LOOKUP;
return WORK_MORE_B;
}
s->rwstate = SSL_NOTHING;
}
if (!tls1_set_server_sigalgs(s)) {
/* SSLfatal already called */
if (!s->hit && s->cert->cert_cb != NULL) {
int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
if (rv == 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
SSL_R_CERT_CB_ERROR);
goto err;
}
if (rv < 0) {
s->rwstate = SSL_X509_LOOKUP;
return WORK_MORE_B;
}
s->rwstate = SSL_NOTHING;
}
/* In TLSv1.3 we selected the ciphersuite before resumption */
if (!SSL_IS_TLS13(s)) {
cipher =
ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(s));
if (cipher == NULL) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
@ -2556,7 +2578,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
if (s->s3->tmp.pkey == NULL) {
/* SSLfatal() already called */
SSLfatal(s, SSL_AD_INTERNAL_ERROR, 0, ERR_R_INTERNAL_ERROR);
goto err;
}
@ -2832,9 +2854,16 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
OPENSSL_free(s->pha_context);
s->pha_context_len = 32;
if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL
|| RAND_bytes(s->pha_context, s->pha_context_len) <= 0
|| !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) {
s->pha_context_len = 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
ERR_R_INTERNAL_ERROR);
return 0;
}
if (RAND_bytes(s->pha_context, s->pha_context_len) <= 0
|| !WPACKET_sub_memcpy_u8(pkt, s->pha_context,
s->pha_context_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
ERR_R_INTERNAL_ERROR);
@ -2948,6 +2977,7 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)
OPENSSL_cleanse(psk, psklen);
if (s->s3->tmp.psk == NULL) {
s->s3->tmp.psklen = 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
return 0;
@ -3324,9 +3354,9 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt)
const unsigned char *start;
size_t outlen = 32, inlen;
unsigned long alg_a;
unsigned int asn1id, asn1len;
GOST_KX_MESSAGE *pKX = NULL;
const unsigned char *ptr;
int ret = 0;
PACKET encdata;
/* Get our certificate private key */
alg_a = s->s3->tmp.new_cipher->algorithm_auth;
@ -3367,42 +3397,33 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt)
if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
ERR_clear_error();
}
/* Decrypt session key */
if (!PACKET_get_1(pkt, &asn1id)
|| asn1id != (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
|| !PACKET_peek_1(pkt, &asn1len)) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSL_R_DECRYPTION_FAILED);
goto err;
}
if (asn1len == 0x81) {
/*
* Long form length. Should only be one byte of length. Anything else
* isn't supported.
* We did a successful peek before so this shouldn't fail
*/
if (!PACKET_forward(pkt, 1)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSL_R_DECRYPTION_FAILED);
goto err;
}
} else if (asn1len >= 0x80) {
/*
* Indefinite length, or more than one long form length bytes. We don't
* support it
*/
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSL_R_DECRYPTION_FAILED);
goto err;
} /* else short form length */
if (!PACKET_as_length_prefixed_1(pkt, &encdata)) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
ptr = PACKET_data(pkt);
/* Some implementations provide extra data in the opaqueBlob
* We have nothing to do with this blob so we just skip it */
pKX = d2i_GOST_KX_MESSAGE(NULL, &ptr, PACKET_remaining(pkt));
if (pKX == NULL
|| pKX->kxBlob == NULL
|| ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSL_R_DECRYPTION_FAILED);
goto err;
}
if (!PACKET_forward(pkt, ptr - PACKET_data(pkt))) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSL_R_DECRYPTION_FAILED);
goto err;
}
inlen = PACKET_remaining(&encdata);
start = PACKET_data(&encdata);
if (PACKET_remaining(pkt) != 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSL_R_DECRYPTION_FAILED);
goto err;
}
inlen = pKX->kxBlob->value.sequence->length;
start = pKX->kxBlob->value.sequence->data;
if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
inlen) <= 0) {
@ -3424,6 +3445,7 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt)
ret = 1;
err:
EVP_PKEY_CTX_free(pkey_ctx);
GOST_KX_MESSAGE_free(pKX);
return ret;
#else
/* Should never happen */
@ -3495,6 +3517,7 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
#ifndef OPENSSL_NO_PSK
OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
s->s3->tmp.psk = NULL;
s->s3->tmp.psklen = 0;
#endif
return MSG_PROCESS_ERROR;
}
@ -3730,6 +3753,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
sk_X509_pop_free(s->session->peer_chain, X509_free);
s->session->peer_chain = sk;
sk = NULL;
/*
* Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
@ -3744,7 +3768,6 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
* Inconsistency alert: cert_chain does *not* include the peer's own
* certificate, while we do include it in statem_clnt.c
*/
sk = NULL;
/* Save the current hash state for when we receive the CertificateVerify */
if (SSL_IS_TLS13(s)) {
@ -4104,6 +4127,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
s->session->ext.alpn_selected =
OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
if (s->session->ext.alpn_selected == NULL) {
s->session->ext.alpn_selected_len = 0;
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
ERR_R_MALLOC_FAILURE);
@ -4115,9 +4139,12 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
}
if (tctx->generate_ticket_cb != NULL &&
tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0)
tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
ERR_R_INTERNAL_ERROR);
goto err;
}
/*
* If we are using anti-replay protection then we behave as if
* SSL_OP_NO_TICKET is set - we are caching tickets anyway so there

View file

@ -9,7 +9,7 @@
*/
#include <stdio.h>
#include "ssl_locl.h"
#include "ssl_local.h"
#include <openssl/comp.h>
#include <openssl/evp.h>
#include <openssl/kdf.h>
@ -466,7 +466,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
unsigned char hash[EVP_MAX_MD_SIZE * 2];
size_t hashlen;
/*
* Digest cached records keeping record buffer (if present): this wont
* Digest cached records keeping record buffer (if present): this won't
* affect client auth because we're freezing the buffer at the same
* point (after client key exchange and before certificate verify)
*/

View file

@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -18,9 +18,12 @@
#include <openssl/dh.h>
#include <openssl/bn.h>
#include "internal/nelem.h"
#include "ssl_locl.h"
#include "ssl_local.h"
#include <openssl/ct.h>
static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu);
SSL3_ENC_METHOD const TLSv1_enc_data = {
tls1_enc,
tls1_mac,
@ -465,11 +468,11 @@ static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
* If point formats extension present check it, otherwise everything is
* supported (see RFC4492).
*/
if (s->session->ext.ecpointformats == NULL)
if (s->ext.peer_ecpointformats == NULL)
return 1;
for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
if (s->session->ext.ecpointformats[i] == comp_id)
for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
if (s->ext.peer_ecpointformats[i] == comp_id)
return 1;
}
return 0;
@ -578,7 +581,6 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
if (check_ee_md && tls1_suiteb(s)) {
int check_md;
size_t i;
CERT *c = s->cert;
/* Check to see we have necessary signing algorithm */
if (group_id == TLSEXT_curve_P_256)
@ -587,8 +589,8 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
check_md = NID_ecdsa_with_SHA384;
else
return 0; /* Should never happen */
for (i = 0; i < c->shared_sigalgslen; i++) {
if (check_md == c->shared_sigalgs[i]->sigandhash)
for (i = 0; i < s->shared_sigalgslen; i++) {
if (check_md == s->shared_sigalgs[i]->sigandhash)
return 1;;
}
return 0;
@ -848,8 +850,11 @@ static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
}
/*
* Return a signature algorithm for TLS < 1.2 where the signature type
* is fixed by the certificate type.
* Returns a signature algorithm when the peer did not send a list of supported
* signature algorithms. The signature algorithm is fixed for the certificate
* type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the
* certificate type from |s| will be used.
* Returns the signature algorithm to use, or NULL on error.
*/
static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
{
@ -892,8 +897,12 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
if (!tls1_lookup_md(lu, NULL))
return NULL;
if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
return NULL;
return lu;
}
if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg))
return NULL;
return &legacy_rsa_sigalg;
}
/* Set peer sigalg based key type */
@ -982,6 +991,31 @@ int tls_check_sigalg_curve(const SSL *s, int curve)
}
#endif
/*
* Return the number of security bits for the signature algorithm, or 0 on
* error.
*/
static int sigalg_security_bits(const SIGALG_LOOKUP *lu)
{
const EVP_MD *md = NULL;
int secbits = 0;
if (!tls1_lookup_md(lu, &md))
return 0;
if (md != NULL)
{
/* Security bits: half digest bits */
secbits = EVP_MD_size(md) * 4;
} else {
/* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */
if (lu->sigalg == TLSEXT_SIGALG_ed25519)
secbits = 128;
else if (lu->sigalg == TLSEXT_SIGALG_ed448)
secbits = 224;
}
return secbits;
}
/*
* Check signature algorithm is consistent with sent supported signature
* algorithms and if so set relevant digest and signature scheme in
@ -995,6 +1029,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
size_t sent_sigslen, i, cidx;
int pkeyid = EVP_PKEY_id(pkey);
const SIGALG_LOOKUP *lu;
int secbits = 0;
/* Should never happen */
if (pkeyid == -1)
@ -1096,20 +1131,20 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
SSL_R_UNKNOWN_DIGEST);
return 0;
}
if (md != NULL) {
/*
* Make sure security callback allows algorithm. For historical
* reasons we have to pass the sigalg as a two byte char array.
*/
sigalgstr[0] = (sig >> 8) & 0xff;
sigalgstr[1] = sig & 0xff;
if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
EVP_MD_size(md) * 4, EVP_MD_type(md),
(void *)sigalgstr)) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
SSL_R_WRONG_SIGNATURE_TYPE);
return 0;
}
/*
* Make sure security callback allows algorithm. For historical
* reasons we have to pass the sigalg as a two byte char array.
*/
sigalgstr[0] = (sig >> 8) & 0xff;
sigalgstr[1] = sig & 0xff;
secbits = sigalg_security_bits(lu);
if (secbits == 0 ||
!ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
md != NULL ? EVP_MD_type(md) : NID_undef,
(void *)sigalgstr)) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
SSL_R_WRONG_SIGNATURE_TYPE);
return 0;
}
/* Store the sigalg the peer uses */
s->s3->tmp.peer_sigalg = lu;
@ -1175,7 +1210,7 @@ int ssl_set_client_disabled(SSL *s)
*
* Returns 1 when it's disabled, 0 when enabled.
*/
int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
{
if (c->algorithm_mkey & s->s3->tmp.mask_k
|| c->algorithm_auth & s->s3->tmp.mask_a)
@ -1215,9 +1250,9 @@ int tls1_set_server_sigalgs(SSL *s)
size_t i;
/* Clear any shared signature algorithms */
OPENSSL_free(s->cert->shared_sigalgs);
s->cert->shared_sigalgs = NULL;
s->cert->shared_sigalgslen = 0;
OPENSSL_free(s->shared_sigalgs);
s->shared_sigalgs = NULL;
s->shared_sigalgslen = 0;
/* Clear certificate validity flags */
for (i = 0; i < SSL_PKEY_NUM; i++)
s->s3->tmp.valid_flags[i] = 0;
@ -1252,7 +1287,7 @@ int tls1_set_server_sigalgs(SSL *s)
SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
return 0;
}
if (s->cert->shared_sigalgs != NULL)
if (s->shared_sigalgs != NULL)
return 1;
/* Fatal error if no shared signature algorithms */
@ -1555,7 +1590,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick,
}
/* Check to see if a signature algorithm is allowed */
static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
{
unsigned char sigalgstr[2];
int secbits;
@ -1616,11 +1651,8 @@ static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
}
}
if (lu->hash == NID_undef)
return 1;
/* Security bits: half digest bits */
secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4;
/* Finally see if security callback allows it */
secbits = sigalg_security_bits(lu);
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
sigalgstr[1] = lu->sigalg & 0xff;
return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
@ -1724,9 +1756,9 @@ static int tls1_set_shared_sigalgs(SSL *s)
CERT *c = s->cert;
unsigned int is_suiteb = tls1_suiteb(s);
OPENSSL_free(c->shared_sigalgs);
c->shared_sigalgs = NULL;
c->shared_sigalgslen = 0;
OPENSSL_free(s->shared_sigalgs);
s->shared_sigalgs = NULL;
s->shared_sigalgslen = 0;
/* If client use client signature algorithms if not NULL */
if (!s->server && c->client_sigalgs && !is_suiteb) {
conf = c->client_sigalgs;
@ -1757,8 +1789,8 @@ static int tls1_set_shared_sigalgs(SSL *s)
} else {
salgs = NULL;
}
c->shared_sigalgs = salgs;
c->shared_sigalgslen = nmatch;
s->shared_sigalgs = salgs;
s->shared_sigalgslen = nmatch;
return 1;
}
@ -1819,7 +1851,6 @@ int tls1_process_sigalgs(SSL *s)
{
size_t i;
uint32_t *pvalid = s->s3->tmp.valid_flags;
CERT *c = s->cert;
if (!tls1_set_shared_sigalgs(s))
return 0;
@ -1827,8 +1858,8 @@ int tls1_process_sigalgs(SSL *s)
for (i = 0; i < SSL_PKEY_NUM; i++)
pvalid[i] = 0;
for (i = 0; i < c->shared_sigalgslen; i++) {
const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i];
for (i = 0; i < s->shared_sigalgslen; i++) {
const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i];
int idx = sigptr->sig_idx;
/* Ignore PKCS1 based sig algs in TLSv1.3 */
@ -1875,12 +1906,12 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
unsigned char *rsig, unsigned char *rhash)
{
const SIGALG_LOOKUP *shsigalgs;
if (s->cert->shared_sigalgs == NULL
if (s->shared_sigalgs == NULL
|| idx < 0
|| idx >= (int)s->cert->shared_sigalgslen
|| s->cert->shared_sigalgslen > INT_MAX)
|| idx >= (int)s->shared_sigalgslen
|| s->shared_sigalgslen > INT_MAX)
return 0;
shsigalgs = s->cert->shared_sigalgs[idx];
shsigalgs = s->shared_sigalgs[idx];
if (phash != NULL)
*phash = shsigalgs->hash;
if (psign != NULL)
@ -1891,7 +1922,7 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
*rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
if (rhash != NULL)
*rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
return (int)s->cert->shared_sigalgslen;
return (int)s->shared_sigalgslen;
}
/* Maximum possible number of unique entries in sigalgs array */
@ -2072,18 +2103,36 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
return 0;
}
static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
{
int sig_nid;
int sig_nid, use_pc_sigalgs = 0;
size_t i;
const SIGALG_LOOKUP *sigalg;
size_t sigalgslen;
if (default_nid == -1)
return 1;
sig_nid = X509_get_signature_nid(x);
if (default_nid)
return sig_nid == default_nid ? 1 : 0;
for (i = 0; i < c->shared_sigalgslen; i++)
if (sig_nid == c->shared_sigalgs[i]->sigandhash)
if (SSL_IS_TLS13(s) && s->s3->tmp.peer_cert_sigalgs != NULL) {
/*
* If we're in TLSv1.3 then we only get here if we're checking the
* chain. If the peer has specified peer_cert_sigalgs then we use them
* otherwise we default to normal sigalgs.
*/
sigalgslen = s->s3->tmp.peer_cert_sigalgslen;
use_pc_sigalgs = 1;
} else {
sigalgslen = s->shared_sigalgslen;
}
for (i = 0; i < sigalgslen; i++) {
sigalg = use_pc_sigalgs
? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
: s->shared_sigalgs[i];
if (sigalg != NULL && sig_nid == sigalg->sigandhash)
return 1;
}
return 0;
}
@ -2240,14 +2289,21 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
}
}
/* Check signature algorithm of each cert in chain */
if (!tls1_check_sig_alg(c, x, default_nid)) {
if (SSL_IS_TLS13(s)) {
/*
* We only get here if the application has called SSL_check_chain(),
* so check_flags is always set.
*/
if (find_sig_alg(s, x, pk) != NULL)
rv |= CERT_PKEY_EE_SIGNATURE;
} else if (!tls1_check_sig_alg(s, x, default_nid)) {
if (!check_flags)
goto end;
} else
rv |= CERT_PKEY_EE_SIGNATURE;
rv |= CERT_PKEY_CA_SIGNATURE;
for (i = 0; i < sk_X509_num(chain); i++) {
if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
if (check_flags) {
rv &= ~CERT_PKEY_CA_SIGNATURE;
break;
@ -2383,46 +2439,55 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
#ifndef OPENSSL_NO_DH
DH *ssl_get_auto_dh(SSL *s)
{
int dh_secbits = 80;
if (s->cert->dh_tmp_auto == 2)
return DH_get_1024_160();
if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
if (s->s3->tmp.new_cipher->strength_bits == 256)
dh_secbits = 128;
else
dh_secbits = 80;
} else {
if (s->s3->tmp.cert == NULL)
return NULL;
dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
DH *dhp = NULL;
BIGNUM *p = NULL, *g = NULL;
int dh_secbits = 80, sec_level_bits;
if (s->cert->dh_tmp_auto != 2) {
if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
if (s->s3->tmp.new_cipher->strength_bits == 256)
dh_secbits = 128;
else
dh_secbits = 80;
} else {
if (s->s3->tmp.cert == NULL)
return NULL;
dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
}
}
if (dh_secbits >= 128) {
DH *dhp = DH_new();
BIGNUM *p, *g;
if (dhp == NULL)
return NULL;
g = BN_new();
if (g == NULL || !BN_set_word(g, 2)) {
DH_free(dhp);
BN_free(g);
return NULL;
}
if (dh_secbits >= 192)
p = BN_get_rfc3526_prime_8192(NULL);
else
p = BN_get_rfc3526_prime_3072(NULL);
if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
DH_free(dhp);
BN_free(p);
BN_free(g);
return NULL;
}
return dhp;
dhp = DH_new();
if (dhp == NULL)
return NULL;
g = BN_new();
if (g == NULL || !BN_set_word(g, 2)) {
DH_free(dhp);
BN_free(g);
return NULL;
}
if (dh_secbits >= 112)
return DH_get_2048_224();
return DH_get_1024_160();
/* Do not pick a prime that is too weak for the current security level */
sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL);
if (dh_secbits < sec_level_bits)
dh_secbits = sec_level_bits;
if (dh_secbits >= 192)
p = BN_get_rfc3526_prime_8192(NULL);
else if (dh_secbits >= 152)
p = BN_get_rfc3526_prime_4096(NULL);
else if (dh_secbits >= 128)
p = BN_get_rfc3526_prime_3072(NULL);
else if (dh_secbits >= 112)
p = BN_get_rfc3526_prime_2048(NULL);
else
p = BN_get_rfc2409_prime_1024(NULL);
if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
DH_free(dhp);
BN_free(p);
BN_free(g);
return NULL;
}
return dhp;
}
#endif
@ -2528,44 +2593,33 @@ static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
}
/*
* Returns true if |s| has a usable certificate configured for use
* with signature scheme |sig|.
* "Usable" includes a check for presence as well as applying
* the signature_algorithm_cert restrictions sent by the peer (if any).
* Returns false if no usable certificate is found.
* Checks the given cert against signature_algorithm_cert restrictions sent by
* the peer (if any) as well as whether the hash from the sigalg is usable with
* the key.
* Returns true if the cert is usable and false otherwise.
*/
static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
EVP_PKEY *pkey)
{
const SIGALG_LOOKUP *lu;
int mdnid, pknid, default_mdnid;
int mandatory_md = 0;
size_t i;
/* TLS 1.2 callers can override lu->sig_idx, but not TLS 1.3 callers. */
if (idx == -1)
idx = sig->sig_idx;
if (!ssl_has_cert(s, idx))
return 0;
/* If the EVP_PKEY reports a mandatory digest, allow nothing else. */
ERR_set_mark();
switch (EVP_PKEY_get_default_digest_nid(s->cert->pkeys[idx].privatekey,
&default_mdnid)) {
case 2:
mandatory_md = 1;
break;
case 1:
break;
default: /* If it didn't report a mandatory NID, for whatever reasons,
* just clear the error and allow all hashes to be used. */
ERR_pop_to_mark();
}
if (EVP_PKEY_get_default_digest_nid(pkey, &default_mdnid) == 2 &&
sig->hash != default_mdnid)
return 0;
/* If it didn't report a mandatory NID, for whatever reasons,
* just clear the error and allow all hashes to be used. */
ERR_pop_to_mark();
if (s->s3->tmp.peer_cert_sigalgs != NULL) {
for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
if (lu == NULL
|| !X509_get_signature_info(s->cert->pkeys[idx].x509, &mdnid,
&pknid, NULL, NULL)
|| (mandatory_md && mdnid != default_mdnid))
|| !X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
continue;
/*
* TODO this does not differentiate between the
@ -2578,7 +2632,104 @@ static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
}
return 0;
}
return !mandatory_md || sig->hash == default_mdnid;
return 1;
}
/*
* Returns true if |s| has a usable certificate configured for use
* with signature scheme |sig|.
* "Usable" includes a check for presence as well as applying
* the signature_algorithm_cert restrictions sent by the peer (if any).
* Returns false if no usable certificate is found.
*/
static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
{
/* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
if (idx == -1)
idx = sig->sig_idx;
if (!ssl_has_cert(s, idx))
return 0;
return check_cert_usable(s, sig, s->cert->pkeys[idx].x509,
s->cert->pkeys[idx].privatekey);
}
/*
* Returns true if the supplied cert |x| and key |pkey| is usable with the
* specified signature scheme |sig|, or false otherwise.
*/
static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
EVP_PKEY *pkey)
{
size_t idx;
if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
return 0;
/* Check the key is consistent with the sig alg */
if ((int)idx != sig->sig_idx)
return 0;
return check_cert_usable(s, sig, x, pkey);
}
/*
* Find a signature scheme that works with the supplied certificate |x| and key
* |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
* available certs/keys to find one that works.
*/
static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
{
const SIGALG_LOOKUP *lu = NULL;
size_t i;
#ifndef OPENSSL_NO_EC
int curve = -1;
#endif
EVP_PKEY *tmppkey;
/* Look for a shared sigalgs matching possible certificates */
for (i = 0; i < s->shared_sigalgslen; i++) {
lu = s->shared_sigalgs[i];
/* Skip SHA1, SHA224, DSA and RSA if not PSS */
if (lu->hash == NID_sha1
|| lu->hash == NID_sha224
|| lu->sig == EVP_PKEY_DSA
|| lu->sig == EVP_PKEY_RSA)
continue;
/* Check that we have a cert, and signature_algorithms_cert */
if (!tls1_lookup_md(lu, NULL))
continue;
if ((pkey == NULL && !has_usable_cert(s, lu, -1))
|| (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
continue;
tmppkey = (pkey != NULL) ? pkey
: s->cert->pkeys[lu->sig_idx].privatekey;
if (lu->sig == EVP_PKEY_EC) {
#ifndef OPENSSL_NO_EC
if (curve == -1) {
EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmppkey);
curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
}
if (lu->curve != NID_undef && curve != lu->curve)
continue;
#else
continue;
#endif
} else if (lu->sig == EVP_PKEY_RSA_PSS) {
/* validate that key is large enough for the signature algorithm */
if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(tmppkey), lu))
continue;
}
break;
}
if (i == s->shared_sigalgslen)
return NULL;
return lu;
}
/*
@ -2601,48 +2752,8 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
s->s3->tmp.sigalg = NULL;
if (SSL_IS_TLS13(s)) {
size_t i;
#ifndef OPENSSL_NO_EC
int curve = -1;
#endif
/* Look for a certificate matching shared sigalgs */
for (i = 0; i < s->cert->shared_sigalgslen; i++) {
lu = s->cert->shared_sigalgs[i];
sig_idx = -1;
/* Skip SHA1, SHA224, DSA and RSA if not PSS */
if (lu->hash == NID_sha1
|| lu->hash == NID_sha224
|| lu->sig == EVP_PKEY_DSA
|| lu->sig == EVP_PKEY_RSA)
continue;
/* Check that we have a cert, and signature_algorithms_cert */
if (!tls1_lookup_md(lu, NULL) || !has_usable_cert(s, lu, -1))
continue;
if (lu->sig == EVP_PKEY_EC) {
#ifndef OPENSSL_NO_EC
if (curve == -1) {
EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
}
if (lu->curve != NID_undef && curve != lu->curve)
continue;
#else
continue;
#endif
} else if (lu->sig == EVP_PKEY_RSA_PSS) {
/* validate that key is large enough for the signature algorithm */
EVP_PKEY *pkey;
pkey = s->cert->pkeys[lu->sig_idx].privatekey;
if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
continue;
}
break;
}
if (i == s->cert->shared_sigalgslen) {
lu = find_sig_alg(s, NULL, NULL);
if (lu == NULL) {
if (!fatalerrs)
return 1;
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
@ -2675,8 +2786,8 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
* Find highest preference signature algorithm matching
* cert type
*/
for (i = 0; i < s->cert->shared_sigalgslen; i++) {
lu = s->cert->shared_sigalgs[i];
for (i = 0; i < s->shared_sigalgslen; i++) {
lu = s->shared_sigalgs[i];
if (s->server) {
if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
@ -2703,7 +2814,27 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
#endif
break;
}
if (i == s->cert->shared_sigalgslen) {
#ifndef OPENSSL_NO_GOST
/*
* Some Windows-based implementations do not send GOST algorithms indication
* in supported_algorithms extension, so when we have GOST-based ciphersuite,
* we have to assume GOST support.
*/
if (i == s->shared_sigalgslen && s->s3->tmp.new_cipher->algorithm_auth & (SSL_aGOST01 | SSL_aGOST12)) {
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
if (!fatalerrs)
return 1;
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_TLS_CHOOSE_SIGALG,
SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
return 0;
} else {
i = 0;
sig_idx = lu->sig_idx;
}
}
#endif
if (i == s->shared_sigalgslen) {
if (!fatalerrs)
return 1;
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,

View file

@ -1,5 +1,5 @@
/*
* Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
#include "ssl_locl.h"
#include "ssl_local.h"
#ifndef OPENSSL_NO_SSL_TRACE
@ -656,7 +656,10 @@ static int ssl_print_random(BIO *bio, int indent,
if (*pmsglen < 32)
return 0;
tm = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
tm = ((unsigned int)p[0] << 24)
| ((unsigned int)p[1] << 16)
| ((unsigned int)p[2] << 8)
| (unsigned int)p[3];
p += 4;
BIO_indent(bio, indent, 80);
BIO_puts(bio, "Random:\n");
@ -864,8 +867,10 @@ static int ssl_print_extension(BIO *bio, int indent, int server,
break;
if (extlen != 4)
return 0;
max_early_data = (ext[0] << 24) | (ext[1] << 16) | (ext[2] << 8)
| ext[3];
max_early_data = ((unsigned int)ext[0] << 24)
| ((unsigned int)ext[1] << 16)
| ((unsigned int)ext[2] << 8)
| (unsigned int)ext[3];
BIO_indent(bio, indent + 2, 80);
BIO_printf(bio, "max_early_data=%u\n", max_early_data);
break;
@ -1246,8 +1251,9 @@ static int ssl_print_certificates(BIO *bio, const SSL *ssl, int server,
while (clen > 0) {
if (!ssl_print_certificate(bio, indent + 2, &msg, &clen))
return 0;
if (!ssl_print_extensions(bio, indent + 2, server, SSL3_MT_CERTIFICATE,
&msg, &clen))
if (SSL_IS_TLS13(ssl)
&& !ssl_print_extensions(bio, indent + 2, server,
SSL3_MT_CERTIFICATE, &msg, &clen))
return 0;
}
@ -1355,7 +1361,10 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL *ssl,
}
if (msglen < 4)
return 0;
tick_life = (msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) | msg[3];
tick_life = ((unsigned int)msg[0] << 24)
| ((unsigned int)msg[1] << 16)
| ((unsigned int)msg[2] << 8)
| (unsigned int)msg[3];
msglen -= 4;
msg += 4;
BIO_indent(bio, indent + 2, 80);
@ -1366,7 +1375,10 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL *ssl,
if (msglen < 4)
return 0;
ticket_age_add =
(msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) | msg[3];
((unsigned int)msg[0] << 24)
| ((unsigned int)msg[1] << 16)
| ((unsigned int)msg[2] << 8)
| (unsigned int)msg[3];
msglen -= 4;
msg += 4;
BIO_indent(bio, indent + 2, 80);

View file

@ -1,5 +1,5 @@
/*
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -8,7 +8,7 @@
*/
#include <stdlib.h>
#include "ssl_locl.h"
#include "ssl_local.h"
#include "internal/cryptlib.h"
#include <openssl/evp.h>
#include <openssl/kdf.h>
@ -30,7 +30,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
const unsigned char *data, size_t datalen,
unsigned char *out, size_t outlen, int fatal)
{
#ifdef CHARSET_EBCDIC
static const unsigned char label_prefix[] = { 0x74, 0x6C, 0x73, 0x31, 0x33, 0x20, 0x00 };
#else
static const unsigned char label_prefix[] = "tls13 ";
#endif
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
int ret;
size_t hkdflabellen;
@ -40,7 +44,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
* prefix and label + bytes for the label itself + 1 byte length of hash
* + bytes for the hash itself
*/
unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t)
+ (sizeof(label_prefix) - 1) + TLS13_MAX_LABEL_LEN
+ 1 + EVP_MAX_MD_SIZE];
WPACKET pkt;
@ -112,7 +116,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
unsigned char *key, size_t keylen)
{
static const unsigned char keylabel[] = "key";
#ifdef CHARSET_EBCDIC
static const unsigned char keylabel[] ={ 0x6B, 0x65, 0x79, 0x00 };
#else
static const unsigned char keylabel[] = "key";
#endif
return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
NULL, 0, key, keylen, 1);
@ -125,7 +133,11 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
unsigned char *iv, size_t ivlen)
{
static const unsigned char ivlabel[] = "iv";
#ifdef CHARSET_EBCDIC
static const unsigned char ivlabel[] = { 0x69, 0x76, 0x00 };
#else
static const unsigned char ivlabel[] = "iv";
#endif
return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
NULL, 0, iv, ivlen, 1);
@ -135,7 +147,11 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
const unsigned char *secret,
unsigned char *fin, size_t finlen)
{
static const unsigned char finishedlabel[] = "finished";
#ifdef CHARSET_EBCDIC
static const unsigned char finishedlabel[] = { 0x66, 0x69, 0x6E, 0x69, 0x73, 0x68, 0x65, 0x64, 0x00 };
#else
static const unsigned char finishedlabel[] = "finished";
#endif
return tls13_hkdf_expand(s, md, secret, finishedlabel,
sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1);
@ -156,7 +172,11 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
int mdleni;
int ret;
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
#ifdef CHARSET_EBCDIC
static const char derived_secret_label[] = { 0x64, 0x65, 0x72, 0x69, 0x76, 0x65, 0x64, 0x00 };
#else
static const char derived_secret_label[] = "derived";
#endif
unsigned char preextractsec[EVP_MAX_MD_SIZE];
if (pctx == NULL) {
@ -370,11 +390,18 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
uint32_t algenc;
ivlen = EVP_CCM_TLS_IV_LEN;
if (s->s3->tmp.new_cipher == NULL) {
if (s->s3->tmp.new_cipher != NULL) {
algenc = s->s3->tmp.new_cipher->algorithm_enc;
} else if (s->session->cipher != NULL) {
/* We've not selected a cipher yet - we must be doing early data */
algenc = s->session->cipher->algorithm_enc;
} else if (s->psksession != NULL && s->psksession->cipher != NULL) {
/* We must be doing early data with out-of-band PSK */
algenc = s->psksession->cipher->algorithm_enc;
} else {
algenc = s->s3->tmp.new_cipher->algorithm_enc;
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
ERR_R_EVP_LIB);
goto err;
}
if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8))
taglen = EVP_CCM8_TLS_TAG_LEN;
@ -409,6 +436,16 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
int tls13_change_cipher_state(SSL *s, int which)
{
#ifdef CHARSET_EBCDIC
static const unsigned char client_early_traffic[] = {0x63, 0x20, 0x65, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
static const unsigned char client_handshake_traffic[] = {0x63, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
static const unsigned char client_application_traffic[] = {0x63, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
static const unsigned char server_handshake_traffic[] = {0x73, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
static const unsigned char server_application_traffic[] = {0x73, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
static const unsigned char exporter_master_secret[] = {0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
static const unsigned char resumption_master_secret[] = {0x72, 0x65, 0x73, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
static const unsigned char early_exporter_master_secret[] = {0x65, 0x20, 0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
#else
static const unsigned char client_early_traffic[] = "c e traffic";
static const unsigned char client_handshake_traffic[] = "c hs traffic";
static const unsigned char client_application_traffic[] = "c ap traffic";
@ -417,6 +454,7 @@ int tls13_change_cipher_state(SSL *s, int which)
static const unsigned char exporter_master_secret[] = "exp master";
static const unsigned char resumption_master_secret[] = "res master";
static const unsigned char early_exporter_master_secret[] = "e exp master";
#endif
unsigned char *iv;
unsigned char secret[EVP_MAX_MD_SIZE];
unsigned char hashval[EVP_MAX_MD_SIZE];
@ -684,7 +722,11 @@ int tls13_change_cipher_state(SSL *s, int which)
int tls13_update_key(SSL *s, int sending)
{
static const unsigned char application_traffic[] = "traffic upd";
#ifdef CHARSET_EBCDIC
static const unsigned char application_traffic[] = { 0x74, 0x72 ,0x61 ,0x66 ,0x66 ,0x69 ,0x63 ,0x20 ,0x75 ,0x70 ,0x64, 0x00};
#else
static const unsigned char application_traffic[] = "traffic upd";
#endif
const EVP_MD *md = ssl_handshake_md(s);
size_t hashlen = EVP_MD_size(md);
unsigned char *insecret, *iv;
@ -741,7 +783,11 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
size_t contextlen, int use_context)
{
unsigned char exportsecret[EVP_MAX_MD_SIZE];
#ifdef CHARSET_EBCDIC
static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00};
#else
static const unsigned char exporterlabel[] = "exporter";
#endif
unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
const EVP_MD *md = ssl_handshake_md(s);
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
@ -778,7 +824,11 @@ int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
const unsigned char *context,
size_t contextlen)
{
static const unsigned char exporterlabel[] = "exporter";
#ifdef CHARSET_EBCDIC
static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00};
#else
static const unsigned char exporterlabel[] = "exporter";
#endif
unsigned char exportsecret[EVP_MAX_MD_SIZE];
unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
const EVP_MD *md;

View file

@ -14,7 +14,7 @@
#include <openssl/crypto.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#include "ssl_locl.h"
#include "ssl_local.h"
#ifndef OPENSSL_NO_SRP
# include <openssl/srp.h>