mirror of
https://github.com/ossrs/srs.git
synced 2025-03-09 15:49:59 +00:00
AppleM1: Update openssl to v1.1.1l
This commit is contained in:
parent
1fe12b8e8c
commit
b787656eea
990 changed files with 13406 additions and 18710 deletions
|
@ -40,7 +40,7 @@ Conceptually the state machine component is designed as follows:
|
|||
| |
|
||||
| Core state machine code |
|
||||
|____________________________|
|
||||
statem_locl.h ^ ^
|
||||
statem_local.h ^ ^
|
||||
_________| |_______
|
||||
| |
|
||||
_____________|____________ _____________|____________
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -10,14 +10,15 @@
|
|||
#include <string.h>
|
||||
#include "internal/nelem.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include "../ssl_locl.h"
|
||||
#include "statem_locl.h"
|
||||
#include "../ssl_local.h"
|
||||
#include "statem_local.h"
|
||||
#include "internal/cryptlib.h"
|
||||
|
||||
static int final_renegotiate(SSL *s, unsigned int context, int sent);
|
||||
static int init_server_name(SSL *s, unsigned int context);
|
||||
static int final_server_name(SSL *s, unsigned int context, int sent);
|
||||
#ifndef OPENSSL_NO_EC
|
||||
static int init_ec_point_formats(SSL *s, unsigned int context);
|
||||
static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
|
||||
#endif
|
||||
static int init_session_ticket(SSL *s, unsigned int context);
|
||||
|
@ -56,6 +57,7 @@ static int final_sig_algs(SSL *s, unsigned int context, int sent);
|
|||
static int final_early_data(SSL *s, unsigned int context, int sent);
|
||||
static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
|
||||
static int init_post_handshake_auth(SSL *s, unsigned int context);
|
||||
static int final_psk(SSL *s, unsigned int context, int sent);
|
||||
|
||||
/* Structure to define a built-in extension */
|
||||
typedef struct extensions_definition_st {
|
||||
|
@ -94,7 +96,7 @@ typedef struct extensions_definition_st {
|
|||
/*
|
||||
* Definitions of all built-in extensions. NOTE: Changes in the number or order
|
||||
* of these extensions should be mirrored with equivalent changes to the
|
||||
* indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h.
|
||||
* indexes ( TLSEXT_IDX_* ) defined in ssl_local.h.
|
||||
* Each extension has an initialiser, a client and
|
||||
* server side parser and a finaliser. The initialiser is called (if the
|
||||
* extension is relevant to the given context) even if we did not see the
|
||||
|
@ -158,7 +160,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
|
|||
TLSEXT_TYPE_ec_point_formats,
|
||||
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
|
||||
| SSL_EXT_TLS1_2_AND_BELOW_ONLY,
|
||||
NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
|
||||
init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
|
||||
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
|
||||
final_ec_pt_formats
|
||||
},
|
||||
|
@ -336,6 +338,8 @@ static const EXTENSION_DEFINITION ext_defs[] = {
|
|||
tls_construct_stoc_key_share, tls_construct_ctos_key_share,
|
||||
final_key_share
|
||||
},
|
||||
#else
|
||||
INVALID_EXTENSION,
|
||||
#endif
|
||||
{
|
||||
/* Must be after key_share */
|
||||
|
@ -387,7 +391,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
|
|||
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
|
||||
| SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
|
||||
NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
|
||||
tls_construct_ctos_psk, NULL
|
||||
tls_construct_ctos_psk, final_psk
|
||||
}
|
||||
};
|
||||
|
||||
|
@ -949,8 +953,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
|
|||
* was successful.
|
||||
*/
|
||||
if (s->server) {
|
||||
/* TODO(OpenSSL1.2) revisit !sent case */
|
||||
if (sent && ret == SSL_TLSEXT_ERR_OK && (!s->hit || SSL_IS_TLS13(s))) {
|
||||
if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) {
|
||||
/* Only store the hostname in the session if we accepted it. */
|
||||
OPENSSL_free(s->session->ext.hostname);
|
||||
s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
|
||||
|
@ -967,7 +970,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
|
|||
* context, to avoid the confusing situation of having sess_accept_good
|
||||
* exceed sess_accept (zero) for the new context.
|
||||
*/
|
||||
if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
|
||||
if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx
|
||||
&& s->hello_retry_request == SSL_HRR_NONE) {
|
||||
tsan_counter(&s->ctx->stats.sess_accept);
|
||||
tsan_decr(&s->session_ctx->stats.sess_accept);
|
||||
}
|
||||
|
@ -989,7 +993,6 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
|
|||
ss->ext.ticklen = 0;
|
||||
ss->ext.tick_lifetime_hint = 0;
|
||||
ss->ext.tick_age_add = 0;
|
||||
ss->ext.tick_identity = 0;
|
||||
if (!ssl_generate_session_id(s, ss)) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
|
@ -1012,6 +1015,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
|
|||
/* TLSv1.3 doesn't have warning alerts so we suppress this */
|
||||
if (!SSL_IS_TLS13(s))
|
||||
ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
|
||||
s->servername_done = 0;
|
||||
return 1;
|
||||
|
||||
case SSL_TLSEXT_ERR_NOACK:
|
||||
|
@ -1024,6 +1028,15 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
|
|||
}
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
static int init_ec_point_formats(SSL *s, unsigned int context)
|
||||
{
|
||||
OPENSSL_free(s->ext.peer_ecpointformats);
|
||||
s->ext.peer_ecpointformats = NULL;
|
||||
s->ext.peer_ecpointformats_len = 0;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
|
||||
{
|
||||
unsigned long alg_k, alg_a;
|
||||
|
@ -1041,18 +1054,18 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
|
|||
*/
|
||||
if (s->ext.ecpointformats != NULL
|
||||
&& s->ext.ecpointformats_len > 0
|
||||
&& s->session->ext.ecpointformats != NULL
|
||||
&& s->session->ext.ecpointformats_len > 0
|
||||
&& s->ext.peer_ecpointformats != NULL
|
||||
&& s->ext.peer_ecpointformats_len > 0
|
||||
&& ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
|
||||
/* we are using an ECC cipher */
|
||||
size_t i;
|
||||
unsigned char *list = s->session->ext.ecpointformats;
|
||||
unsigned char *list = s->ext.peer_ecpointformats;
|
||||
|
||||
for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
|
||||
for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
|
||||
if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
|
||||
break;
|
||||
}
|
||||
if (i == s->session->ext.ecpointformats_len) {
|
||||
if (i == s->ext.peer_ecpointformats_len) {
|
||||
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
|
||||
SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
|
||||
return 0;
|
||||
|
@ -1137,6 +1150,7 @@ static int init_sig_algs(SSL *s, unsigned int context)
|
|||
/* Clear any signature algorithms extension received */
|
||||
OPENSSL_free(s->s3->tmp.peer_sigalgs);
|
||||
s->s3->tmp.peer_sigalgs = NULL;
|
||||
s->s3->tmp.peer_sigalgslen = 0;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
@ -1146,6 +1160,7 @@ static int init_sig_algs_cert(SSL *s, unsigned int context)
|
|||
/* Clear any signature algorithms extension received */
|
||||
OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
|
||||
s->s3->tmp.peer_cert_sigalgs = NULL;
|
||||
s->s3->tmp.peer_cert_sigalgslen = 0;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
@ -1169,14 +1184,26 @@ static int init_etm(SSL *s, unsigned int context)
|
|||
|
||||
static int init_ems(SSL *s, unsigned int context)
|
||||
{
|
||||
if (!s->server)
|
||||
if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
|
||||
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
|
||||
s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int final_ems(SSL *s, unsigned int context, int sent)
|
||||
{
|
||||
/*
|
||||
* Check extended master secret extension is not dropped on
|
||||
* renegotiation.
|
||||
*/
|
||||
if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
|
||||
&& (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
|
||||
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
|
||||
SSL_R_INCONSISTENT_EXTMS);
|
||||
return 0;
|
||||
}
|
||||
if (!s->server && s->hit) {
|
||||
/*
|
||||
* Check extended master secret extension is consistent with
|
||||
|
@ -1449,8 +1476,13 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
|
|||
unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
|
||||
unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
|
||||
unsigned char *early_secret;
|
||||
#ifdef CHARSET_EBCDIC
|
||||
static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
|
||||
static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
|
||||
#else
|
||||
static const unsigned char resumption_label[] = "res binder";
|
||||
static const unsigned char external_label[] = "ext binder";
|
||||
#endif
|
||||
const unsigned char *label;
|
||||
size_t bindersize, labelsize, hashsize;
|
||||
int hashsizei = EVP_MD_size(md);
|
||||
|
@ -1646,13 +1678,12 @@ static int final_early_data(SSL *s, unsigned int context, int sent)
|
|||
|
||||
if (s->max_early_data == 0
|
||||
|| !s->hit
|
||||
|| s->session->ext.tick_identity != 0
|
||||
|| s->early_data_state != SSL_EARLY_DATA_ACCEPTING
|
||||
|| !s->ext.early_data_ok
|
||||
|| s->hello_retry_request != SSL_HRR_NONE
|
||||
|| (s->ctx->allow_early_data_cb != NULL
|
||||
&& !s->ctx->allow_early_data_cb(s,
|
||||
s->ctx->allow_early_data_cb_data))) {
|
||||
|| (s->allow_early_data_cb != NULL
|
||||
&& !s->allow_early_data_cb(s,
|
||||
s->allow_early_data_cb_data))) {
|
||||
s->ext.early_data = SSL_EARLY_DATA_REJECTED;
|
||||
} else {
|
||||
s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
|
||||
|
@ -1698,3 +1729,19 @@ static int init_post_handshake_auth(SSL *s, unsigned int context)
|
|||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* If clients offer "pre_shared_key" without a "psk_key_exchange_modes"
|
||||
* extension, servers MUST abort the handshake.
|
||||
*/
|
||||
static int final_psk(SSL *s, unsigned int context, int sent)
|
||||
{
|
||||
if (s->server && sent && s->clienthello != NULL
|
||||
&& !s->clienthello->pre_proc_exts[TLSEXT_IDX_psk_kex_modes].present) {
|
||||
SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_PSK,
|
||||
SSL_R_MISSING_PSK_KEX_MODES_EXTENSION);
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -8,9 +8,9 @@
|
|||
*/
|
||||
|
||||
#include <openssl/ocsp.h>
|
||||
#include "../ssl_locl.h"
|
||||
#include "../ssl_local.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include "statem_locl.h"
|
||||
#include "statem_local.h"
|
||||
|
||||
EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
|
||||
unsigned int context, X509 *x,
|
||||
|
@ -816,6 +816,7 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
|
|||
OPENSSL_free(s->psksession_id);
|
||||
s->psksession_id = OPENSSL_memdup(id, idlen);
|
||||
if (s->psksession_id == NULL) {
|
||||
s->psksession_id_len = 0;
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
|
||||
return EXT_RETURN_FAIL;
|
||||
|
@ -993,7 +994,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
|
|||
const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
|
||||
int dores = 0;
|
||||
|
||||
s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
|
||||
s->ext.tick_identity = 0;
|
||||
|
||||
/*
|
||||
* Note: At this stage of the code we only support adding a single
|
||||
|
@ -1083,6 +1084,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
|
|||
agems += s->session->ext.tick_age_add;
|
||||
|
||||
reshashsize = EVP_MD_size(mdres);
|
||||
s->ext.tick_identity++;
|
||||
dores = 1;
|
||||
}
|
||||
|
||||
|
@ -1142,6 +1144,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
|
|||
ERR_R_INTERNAL_ERROR);
|
||||
return EXT_RETURN_FAIL;
|
||||
}
|
||||
s->ext.tick_identity++;
|
||||
}
|
||||
|
||||
if (!WPACKET_close(pkt)
|
||||
|
@ -1180,11 +1183,6 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
|
|||
return EXT_RETURN_FAIL;
|
||||
}
|
||||
|
||||
if (dores)
|
||||
s->session->ext.tick_identity = 0;
|
||||
if (s->psksession != NULL)
|
||||
s->psksession->ext.tick_identity = (dores ? 1 : 0);
|
||||
|
||||
return EXT_RETURN_SENT;
|
||||
#else
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
|
@ -1374,19 +1372,20 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
|
|||
return 0;
|
||||
}
|
||||
|
||||
s->session->ext.ecpointformats_len = 0;
|
||||
OPENSSL_free(s->session->ext.ecpointformats);
|
||||
s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len);
|
||||
if (s->session->ext.ecpointformats == NULL) {
|
||||
s->ext.peer_ecpointformats_len = 0;
|
||||
OPENSSL_free(s->ext.peer_ecpointformats);
|
||||
s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
|
||||
if (s->ext.peer_ecpointformats == NULL) {
|
||||
s->ext.peer_ecpointformats_len = 0;
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
s->session->ext.ecpointformats_len = ecpointformats_len;
|
||||
s->ext.peer_ecpointformats_len = ecpointformats_len;
|
||||
|
||||
if (!PACKET_copy_bytes(&ecptformatlist,
|
||||
s->session->ext.ecpointformats,
|
||||
s->ext.peer_ecpointformats,
|
||||
ecpointformats_len)) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
|
||||
|
@ -1495,8 +1494,13 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
|||
s->ext.scts_len = (uint16_t)size;
|
||||
if (size > 0) {
|
||||
s->ext.scts = OPENSSL_malloc(size);
|
||||
if (s->ext.scts == NULL
|
||||
|| !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
|
||||
if (s->ext.scts == NULL) {
|
||||
s->ext.scts_len = 0;
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
|
@ -1595,6 +1599,7 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
|||
OPENSSL_free(s->ext.npn);
|
||||
s->ext.npn = OPENSSL_malloc(selected_len);
|
||||
if (s->ext.npn == NULL) {
|
||||
s->ext.npn_len = 0;
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
|
@ -1635,6 +1640,7 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
|||
OPENSSL_free(s->s3->alpn_selected);
|
||||
s->s3->alpn_selected = OPENSSL_malloc(len);
|
||||
if (s->s3->alpn_selected == NULL) {
|
||||
s->s3->alpn_selected_len = 0;
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
|
@ -1666,6 +1672,7 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
|||
s->session->ext.alpn_selected =
|
||||
OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
|
||||
if (s->session->ext.alpn_selected == NULL) {
|
||||
s->session->ext.alpn_selected_len = 0;
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
|
@ -1861,8 +1868,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
|||
return 0;
|
||||
}
|
||||
|
||||
skey = ssl_generate_pkey(ckey);
|
||||
if (skey == NULL) {
|
||||
skey = EVP_PKEY_new();
|
||||
if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
|
@ -1927,8 +1934,7 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
|
|||
}
|
||||
|
||||
if (!s->ext.early_data_ok
|
||||
|| !s->hit
|
||||
|| s->session->ext.tick_identity != 0) {
|
||||
|| !s->hit) {
|
||||
/*
|
||||
* If we get here then we didn't send early data, or we didn't resume
|
||||
* using the first identity, or the SNI/ALPN is not consistent so the
|
||||
|
@ -1956,17 +1962,28 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
|||
return 0;
|
||||
}
|
||||
|
||||
if (s->session->ext.tick_identity == (int)identity) {
|
||||
if (identity >= (unsigned int)s->ext.tick_identity) {
|
||||
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
|
||||
SSL_R_BAD_PSK_IDENTITY);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Session resumption tickets are always sent before PSK tickets. If the
|
||||
* ticket index is 0 then it must be for a session resumption ticket if we
|
||||
* sent two tickets, or if we didn't send a PSK ticket.
|
||||
*/
|
||||
if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
|
||||
s->hit = 1;
|
||||
SSL_SESSION_free(s->psksession);
|
||||
s->psksession = NULL;
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (s->psksession == NULL
|
||||
|| s->psksession->ext.tick_identity != (int)identity) {
|
||||
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
|
||||
SSL_R_BAD_PSK_IDENTITY);
|
||||
if (s->psksession == NULL) {
|
||||
/* Should never happen */
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -1985,6 +2002,9 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
|||
s->session = s->psksession;
|
||||
s->psksession = NULL;
|
||||
s->hit = 1;
|
||||
/* Early data is only allowed if we used the first ticket */
|
||||
if (identity != 0)
|
||||
s->ext.early_data_ok = 0;
|
||||
#endif
|
||||
|
||||
return 1;
|
||||
|
|
|
@ -10,9 +10,9 @@
|
|||
/* Custom extension utility functions */
|
||||
|
||||
#include <openssl/ct.h>
|
||||
#include "../ssl_locl.h"
|
||||
#include "../ssl_local.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include "statem_locl.h"
|
||||
#include "statem_local.h"
|
||||
|
||||
typedef struct {
|
||||
void *add_arg;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -8,8 +8,8 @@
|
|||
*/
|
||||
|
||||
#include <openssl/ocsp.h>
|
||||
#include "../ssl_locl.h"
|
||||
#include "statem_locl.h"
|
||||
#include "../ssl_local.h"
|
||||
#include "statem_local.h"
|
||||
#include "internal/cryptlib.h"
|
||||
|
||||
#define COOKIE_STATE_FORMAT_VERSION 0
|
||||
|
@ -127,6 +127,10 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
|
|||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
|
||||
* we always use the SNI value from the handshake.
|
||||
*/
|
||||
if (!s->hit || SSL_IS_TLS13(s)) {
|
||||
if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
|
||||
SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
|
||||
|
@ -155,8 +159,12 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
|
|||
}
|
||||
|
||||
s->servername_done = 1;
|
||||
}
|
||||
if (s->hit) {
|
||||
} else {
|
||||
/*
|
||||
* In TLSv1.2 and below we should check if the SNI is consistent between
|
||||
* the initial handshake and the resumption. In TLSv1.3 SNI is not
|
||||
* associated with the session.
|
||||
*/
|
||||
/*
|
||||
* TODO(openssl-team): if the SNI doesn't match, we MUST
|
||||
* fall back to a full handshake.
|
||||
|
@ -164,9 +172,6 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
|
|||
s->servername_done = (s->session->ext.hostname != NULL)
|
||||
&& PACKET_equal(&hostname, s->session->ext.hostname,
|
||||
strlen(s->session->ext.hostname));
|
||||
|
||||
if (!s->servername_done && s->session->ext.hostname != NULL)
|
||||
s->ext.early_data_ok = 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
@ -254,8 +259,8 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
|
|||
|
||||
if (!s->hit) {
|
||||
if (!PACKET_memdup(&ec_point_format_list,
|
||||
&s->session->ext.ecpointformats,
|
||||
&s->session->ext.ecpointformats_len)) {
|
||||
&s->ext.peer_ecpointformats,
|
||||
&s->ext.peer_ecpointformats_len)) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
|
@ -962,12 +967,12 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
|
|||
}
|
||||
|
||||
if (!s->hit || SSL_IS_TLS13(s)) {
|
||||
OPENSSL_free(s->session->ext.supportedgroups);
|
||||
s->session->ext.supportedgroups = NULL;
|
||||
s->session->ext.supportedgroups_len = 0;
|
||||
OPENSSL_free(s->ext.peer_supportedgroups);
|
||||
s->ext.peer_supportedgroups = NULL;
|
||||
s->ext.peer_supportedgroups_len = 0;
|
||||
if (!tls1_save_u16(&supported_groups_list,
|
||||
&s->session->ext.supportedgroups,
|
||||
&s->session->ext.supportedgroups_len)) {
|
||||
&s->ext.peer_supportedgroups,
|
||||
&s->ext.peer_supportedgroups_len)) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
|
@ -1146,7 +1151,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
|||
if (sesstmp == NULL) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
goto err;
|
||||
}
|
||||
SSL_SESSION_free(sess);
|
||||
sess = sesstmp;
|
||||
|
@ -1274,7 +1279,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
|||
goto err;
|
||||
}
|
||||
|
||||
sess->ext.tick_identity = id;
|
||||
s->ext.tick_identity = id;
|
||||
|
||||
SSL_SESSION_free(s->session);
|
||||
s->session = sess;
|
||||
|
@ -1330,8 +1335,14 @@ EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
|
|||
unsigned int context, X509 *x,
|
||||
size_t chainidx)
|
||||
{
|
||||
if (s->hit || s->servername_done != 1
|
||||
|| s->ext.hostname == NULL)
|
||||
if (s->servername_done != 1)
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
|
||||
/*
|
||||
* Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
|
||||
* We just use the servername from the initial handshake.
|
||||
*/
|
||||
if (s->hit && !SSL_IS_TLS13(s))
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
|
||||
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
|
||||
|
@ -1376,7 +1387,7 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
|
|||
unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
|
||||
unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
|
||||
int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
|
||||
&& (s->session->ext.ecpointformats != NULL);
|
||||
&& (s->ext.peer_ecpointformats != NULL);
|
||||
const unsigned char *plist;
|
||||
size_t plistlen;
|
||||
|
||||
|
@ -1487,6 +1498,10 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
|
|||
unsigned int context, X509 *x,
|
||||
size_t chainidx)
|
||||
{
|
||||
/* We don't currently support this extension inside a CertificateRequest */
|
||||
if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
|
||||
if (!s->ext.status_expected)
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
|
||||
|
@ -1699,6 +1714,13 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
|
|||
}
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
}
|
||||
if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
|
||||
/*
|
||||
* PSK ('hit') and explicitly not doing DHE (if the client sent the
|
||||
* DHE option we always take it); don't send key share.
|
||||
*/
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
}
|
||||
|
||||
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
|
||||
|| !WPACKET_start_sub_packet_u16(pkt)
|
||||
|
@ -1948,7 +1970,7 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
|
|||
|
||||
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
|
||||
|| !WPACKET_start_sub_packet_u16(pkt)
|
||||
|| !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
|
||||
|| !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
|
||||
|| !WPACKET_close(pkt)) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
|
||||
|
|
|
@ -9,8 +9,8 @@
|
|||
|
||||
#include "internal/cryptlib.h"
|
||||
#include <openssl/rand.h>
|
||||
#include "../ssl_locl.h"
|
||||
#include "statem_locl.h"
|
||||
#include "../ssl_local.h"
|
||||
#include "statem_local.h"
|
||||
#include <assert.h>
|
||||
|
||||
/*
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
* Copyright 2005 Nokia. All rights reserved.
|
||||
*
|
||||
|
@ -12,8 +12,8 @@
|
|||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
#include <assert.h>
|
||||
#include "../ssl_locl.h"
|
||||
#include "statem_locl.h"
|
||||
#include "../ssl_local.h"
|
||||
#include "statem_local.h"
|
||||
#include <openssl/buffer.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/objects.h>
|
||||
|
@ -473,12 +473,6 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
|
|||
return WRITE_TRAN_CONTINUE;
|
||||
|
||||
case TLS_ST_CR_KEY_UPDATE:
|
||||
if (s->key_update != SSL_KEY_UPDATE_NONE) {
|
||||
st->hand_state = TLS_ST_CW_KEY_UPDATE;
|
||||
return WRITE_TRAN_CONTINUE;
|
||||
}
|
||||
/* Fall through */
|
||||
|
||||
case TLS_ST_CW_KEY_UPDATE:
|
||||
case TLS_ST_CR_SESSION_TICKET:
|
||||
case TLS_ST_CW_FINISHED:
|
||||
|
@ -1007,7 +1001,8 @@ size_t ossl_statem_client_max_message_size(SSL *s)
|
|||
return CCS_MAX_LENGTH;
|
||||
|
||||
case TLS_ST_CR_SESSION_TICKET:
|
||||
return SSL3_RT_MAX_PLAIN_LENGTH;
|
||||
return (SSL_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13
|
||||
: SESSION_TICKET_MAX_LENGTH_TLS12;
|
||||
|
||||
case TLS_ST_CR_FINISHED:
|
||||
return FINISHED_MAX_LENGTH;
|
||||
|
@ -1613,10 +1608,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
|
|||
* so the PAC-based session secret is always preserved. It'll be
|
||||
* overwritten if the server refuses resumption.
|
||||
*/
|
||||
if (s->session->session_id_length > 0
|
||||
|| (SSL_IS_TLS13(s)
|
||||
&& s->session->ext.tick_identity
|
||||
!= TLSEXT_PSK_BAD_IDENTITY)) {
|
||||
if (s->session->session_id_length > 0) {
|
||||
tsan_counter(&s->session_ctx->stats.sess_miss);
|
||||
if (!ssl_get_new_session(s, 0)) {
|
||||
/* SSLfatal() already called */
|
||||
|
@ -1969,7 +1961,6 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
|
|||
goto err;
|
||||
}
|
||||
}
|
||||
s->session->peer_type = certidx;
|
||||
|
||||
X509_free(s->session->peer);
|
||||
X509_up_ref(x);
|
||||
|
@ -2154,17 +2145,19 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
|
|||
}
|
||||
bnpub_key = NULL;
|
||||
|
||||
if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) {
|
||||
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE,
|
||||
SSL_R_DH_KEY_TOO_SMALL);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
|
||||
ERR_R_EVP_LIB);
|
||||
goto err;
|
||||
}
|
||||
dh = NULL;
|
||||
|
||||
if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp),
|
||||
0, peer_tmp)) {
|
||||
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE,
|
||||
SSL_R_DH_KEY_TOO_SMALL);
|
||||
goto err;
|
||||
}
|
||||
|
||||
s->s3->peer_tmp = peer_tmp;
|
||||
|
||||
|
@ -2470,6 +2463,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
|
|||
s->s3->tmp.ctype_len = 0;
|
||||
OPENSSL_free(s->pha_context);
|
||||
s->pha_context = NULL;
|
||||
s->pha_context_len = 0;
|
||||
|
||||
if (!PACKET_get_length_prefixed_1(pkt, &reqctx) ||
|
||||
!PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) {
|
||||
|
@ -2779,16 +2773,17 @@ int tls_process_cert_status_body(SSL *s, PACKET *pkt)
|
|||
}
|
||||
s->ext.ocsp.resp = OPENSSL_malloc(resplen);
|
||||
if (s->ext.ocsp.resp == NULL) {
|
||||
s->ext.ocsp.resp_len = 0;
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
s->ext.ocsp.resp_len = resplen;
|
||||
if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
|
||||
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
|
||||
SSL_R_LENGTH_MISMATCH);
|
||||
return 0;
|
||||
}
|
||||
s->ext.ocsp.resp_len = resplen;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
@ -2839,7 +2834,7 @@ int tls_process_initial_server_flight(SSL *s)
|
|||
if (ret < 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
SSL_R_OCSP_CALLBACK_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
@ -2913,6 +2908,7 @@ static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt)
|
|||
if (psklen > PSK_MAX_PSK_LEN) {
|
||||
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
||||
SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
|
||||
psklen = PSK_MAX_PSK_LEN; /* Avoid overrunning the array on cleanse */
|
||||
goto err;
|
||||
} else if (psklen == 0) {
|
||||
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
||||
|
@ -3358,9 +3354,11 @@ int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
|
|||
err:
|
||||
OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
|
||||
s->s3->tmp.pms = NULL;
|
||||
s->s3->tmp.pmslen = 0;
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
|
||||
s->s3->tmp.psk = NULL;
|
||||
s->s3->tmp.psklen = 0;
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
@ -3435,6 +3433,7 @@ int tls_client_key_exchange_post_work(SSL *s)
|
|||
err:
|
||||
OPENSSL_clear_free(pms, pmslen);
|
||||
s->s3->tmp.pms = NULL;
|
||||
s->s3->tmp.pmslen = 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
@ -10,8 +10,8 @@
|
|||
#include <limits.h>
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
#include "../ssl_locl.h"
|
||||
#include "statem_locl.h"
|
||||
#include "../ssl_local.h"
|
||||
#include "statem_local.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include <openssl/buffer.h>
|
||||
#include <openssl/objects.h>
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
|
@ -11,8 +11,8 @@
|
|||
#include <limits.h>
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
#include "../ssl_locl.h"
|
||||
#include "statem_locl.h"
|
||||
#include "../ssl_local.h"
|
||||
#include "statem_local.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include <openssl/buffer.h>
|
||||
#include <openssl/objects.h>
|
||||
|
@ -168,9 +168,19 @@ int tls_setup_handshake(SSL *s)
|
|||
static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
|
||||
void **hdata, size_t *hdatalen)
|
||||
{
|
||||
static const char *servercontext = "TLS 1.3, server CertificateVerify";
|
||||
static const char *clientcontext = "TLS 1.3, client CertificateVerify";
|
||||
|
||||
#ifdef CHARSET_EBCDIC
|
||||
static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
|
||||
0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
|
||||
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
|
||||
0x69, 0x66, 0x79, 0x00 };
|
||||
static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
|
||||
0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
|
||||
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
|
||||
0x69, 0x66, 0x79, 0x00 };
|
||||
#else
|
||||
static const char servercontext[] = "TLS 1.3, server CertificateVerify";
|
||||
static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
|
||||
#endif
|
||||
if (SSL_IS_TLS13(s)) {
|
||||
size_t hashlen;
|
||||
|
||||
|
@ -645,12 +655,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
|
|||
/*
|
||||
* If we get a request for us to update our sending keys too then, we need
|
||||
* to additionally send a KeyUpdate message. However that message should
|
||||
* not also request an update (otherwise we get into an infinite loop). We
|
||||
* ignore a request for us to update our sending keys too if we already
|
||||
* sent close_notify.
|
||||
* not also request an update (otherwise we get into an infinite loop).
|
||||
*/
|
||||
if (updatetype == SSL_KEY_UPDATE_REQUESTED
|
||||
&& (s->shutdown & SSL_SENT_SHUTDOWN) == 0)
|
||||
if (updatetype == SSL_KEY_UPDATE_REQUESTED)
|
||||
s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
|
||||
|
||||
if (!tls13_update_key(s, 0)) {
|
||||
|
@ -837,9 +844,11 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
|
|||
return MSG_PROCESS_ERROR;
|
||||
}
|
||||
} else {
|
||||
/* TLS 1.3 gets the secret size from the handshake md */
|
||||
size_t dummy;
|
||||
if (!s->method->ssl3_enc->generate_master_secret(s,
|
||||
s->master_secret, s->handshake_secret, 0,
|
||||
&s->session->master_key_length)) {
|
||||
&dummy)) {
|
||||
/* SSLfatal() already called */
|
||||
return MSG_PROCESS_ERROR;
|
||||
}
|
||||
|
@ -1026,14 +1035,25 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
|
|||
int cleanuphand = s->statem.cleanuphand;
|
||||
|
||||
if (clearbufs) {
|
||||
if (!SSL_IS_DTLS(s)) {
|
||||
if (!SSL_IS_DTLS(s)
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
/*
|
||||
* We don't do this in DTLS because we may still need the init_buf
|
||||
* RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
|
||||
* messages that require it. Therefore, DTLS procedures for retransmissions
|
||||
* MUST NOT be used.
|
||||
* Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
|
||||
*/
|
||||
|| BIO_dgram_is_sctp(SSL_get_wbio(s))
|
||||
#endif
|
||||
) {
|
||||
/*
|
||||
* We don't do this in DTLS over UDP because we may still need the init_buf
|
||||
* in case there are any unexpected retransmits
|
||||
*/
|
||||
BUF_MEM_free(s->init_buf);
|
||||
s->init_buf = NULL;
|
||||
}
|
||||
|
||||
if (!ssl_free_wbio_buffer(s)) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
|
@ -1321,6 +1341,7 @@ int tls_get_message_body(SSL *s, size_t *len)
|
|||
static const X509ERR2ALERT x509table[] = {
|
||||
{X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
|
||||
{X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
|
||||
{X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
|
||||
{X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
|
||||
{X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
|
||||
{X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
|
||||
|
@ -1483,8 +1504,8 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
|
|||
|
||||
/*
|
||||
* Only called by servers. Returns 1 if the server has a TLSv1.3 capable
|
||||
* certificate type, or has PSK or a certificate callback configured. Otherwise
|
||||
* returns 0.
|
||||
* certificate type, or has PSK or a certificate callback configured, or has
|
||||
* a servername callback configured. Otherwise returns 0.
|
||||
*/
|
||||
static int is_tls13_capable(const SSL *s)
|
||||
{
|
||||
|
@ -1494,6 +1515,17 @@ static int is_tls13_capable(const SSL *s)
|
|||
EC_KEY *eckey;
|
||||
#endif
|
||||
|
||||
if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
|
||||
return 0;
|
||||
|
||||
/*
|
||||
* A servername callback can change the available certs, so if a servername
|
||||
* cb is set then we just assume TLSv1.3 will be ok
|
||||
*/
|
||||
if (s->ctx->ext.servername_cb != NULL
|
||||
|| s->session_ctx->ext.servername_cb != NULL)
|
||||
return 1;
|
||||
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
if (s->psk_server_callback != NULL)
|
||||
return 1;
|
||||
|
@ -1636,11 +1668,22 @@ int ssl_check_version_downgrade(SSL *s)
|
|||
*/
|
||||
int ssl_set_version_bound(int method_version, int version, int *bound)
|
||||
{
|
||||
int valid_tls;
|
||||
int valid_dtls;
|
||||
|
||||
if (version == 0) {
|
||||
*bound = version;
|
||||
return 1;
|
||||
}
|
||||
|
||||
valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION;
|
||||
valid_dtls =
|
||||
DTLS_VERSION_LE(version, DTLS_MAX_VERSION) &&
|
||||
DTLS_VERSION_GE(version, DTLS1_BAD_VER);
|
||||
|
||||
if (!valid_tls && !valid_dtls)
|
||||
return 0;
|
||||
|
||||
/*-
|
||||
* Restrict TLS methods to TLS protocol versions.
|
||||
* Restrict DTLS methods to DTLS protocol versions.
|
||||
|
@ -1651,31 +1694,24 @@ int ssl_set_version_bound(int method_version, int version, int *bound)
|
|||
* configurations. If the MIN (supported) version ever rises, the user's
|
||||
* "floor" remains valid even if no longer available. We don't expect the
|
||||
* MAX ceiling to ever get lower, so making that variable makes sense.
|
||||
*
|
||||
* We ignore attempts to set bounds on version-inflexible methods,
|
||||
* returning success.
|
||||
*/
|
||||
switch (method_version) {
|
||||
default:
|
||||
/*
|
||||
* XXX For fixed version methods, should we always fail and not set any
|
||||
* bounds, always succeed and not set any bounds, or set the bounds and
|
||||
* arrange to fail later if they are not met? At present fixed-version
|
||||
* methods are not subject to controls that disable individual protocol
|
||||
* versions.
|
||||
*/
|
||||
return 0;
|
||||
break;
|
||||
|
||||
case TLS_ANY_VERSION:
|
||||
if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
|
||||
return 0;
|
||||
if (valid_tls)
|
||||
*bound = version;
|
||||
break;
|
||||
|
||||
case DTLS_ANY_VERSION:
|
||||
if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) ||
|
||||
DTLS_VERSION_LT(version, DTLS1_BAD_VER))
|
||||
return 0;
|
||||
if (valid_dtls)
|
||||
*bound = version;
|
||||
break;
|
||||
}
|
||||
|
||||
*bound = version;
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -22,6 +22,8 @@
|
|||
#define SERVER_HELLO_MAX_LENGTH 20000
|
||||
#define HELLO_RETRY_REQUEST_MAX_LENGTH 20000
|
||||
#define ENCRYPTED_EXTENSIONS_MAX_LENGTH 20000
|
||||
#define SESSION_TICKET_MAX_LENGTH_TLS13 131338
|
||||
#define SESSION_TICKET_MAX_LENGTH_TLS12 65541
|
||||
#define SERVER_KEY_EXCH_MAX_LENGTH 102400
|
||||
#define SERVER_HELLO_DONE_MAX_LENGTH 0
|
||||
#define KEY_UPDATE_MAX_LENGTH 1
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
* Copyright 2005 Nokia. All rights reserved.
|
||||
*
|
||||
|
@ -10,9 +10,9 @@
|
|||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include "../ssl_locl.h"
|
||||
#include "statem_locl.h"
|
||||
#include "internal/constant_time_locl.h"
|
||||
#include "../ssl_local.h"
|
||||
#include "statem_local.h"
|
||||
#include "internal/constant_time.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include <openssl/buffer.h>
|
||||
#include <openssl/rand.h>
|
||||
|
@ -23,9 +23,24 @@
|
|||
#include <openssl/dh.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/md5.h>
|
||||
#include <openssl/asn1t.h>
|
||||
|
||||
#define TICKET_NONCE_SIZE 8
|
||||
|
||||
typedef struct {
|
||||
ASN1_TYPE *kxBlob;
|
||||
ASN1_TYPE *opaqueBlob;
|
||||
} GOST_KX_MESSAGE;
|
||||
|
||||
DECLARE_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
|
||||
|
||||
ASN1_SEQUENCE(GOST_KX_MESSAGE) = {
|
||||
ASN1_SIMPLE(GOST_KX_MESSAGE, kxBlob, ASN1_ANY),
|
||||
ASN1_OPT(GOST_KX_MESSAGE, opaqueBlob, ASN1_ANY),
|
||||
} ASN1_SEQUENCE_END(GOST_KX_MESSAGE)
|
||||
|
||||
IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
|
||||
|
||||
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
|
||||
|
||||
/*
|
||||
|
@ -502,12 +517,6 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
|
|||
return WRITE_TRAN_CONTINUE;
|
||||
|
||||
case TLS_ST_SR_KEY_UPDATE:
|
||||
if (s->key_update != SSL_KEY_UPDATE_NONE) {
|
||||
st->hand_state = TLS_ST_SW_KEY_UPDATE;
|
||||
return WRITE_TRAN_CONTINUE;
|
||||
}
|
||||
/* Fall through */
|
||||
|
||||
case TLS_ST_SW_KEY_UPDATE:
|
||||
st->hand_state = TLS_ST_OK;
|
||||
return WRITE_TRAN_CONTINUE;
|
||||
|
@ -734,7 +743,15 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
|
|||
case TLS_ST_SW_CHANGE:
|
||||
if (SSL_IS_TLS13(s))
|
||||
break;
|
||||
s->session->cipher = s->s3->tmp.new_cipher;
|
||||
/* Writes to s->session are only safe for initial handshakes */
|
||||
if (s->session->cipher == NULL) {
|
||||
s->session->cipher = s->s3->tmp.new_cipher;
|
||||
} else if (s->session->cipher != s->s3->tmp.new_cipher) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_OSSL_STATEM_SERVER_PRE_WORK,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
return WORK_ERROR;
|
||||
}
|
||||
if (!s->method->ssl3_enc->setup_key_block(s)) {
|
||||
/* SSLfatal() already called */
|
||||
return WORK_ERROR;
|
||||
|
@ -774,6 +791,10 @@ static ossl_inline int conn_is_closed(void)
|
|||
#if defined(ECONNRESET)
|
||||
case ECONNRESET:
|
||||
return 1;
|
||||
#endif
|
||||
#if defined(WSAECONNRESET)
|
||||
case WSAECONNRESET:
|
||||
return 1;
|
||||
#endif
|
||||
default:
|
||||
return 0;
|
||||
|
@ -934,9 +955,11 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
|
|||
}
|
||||
#endif
|
||||
if (SSL_IS_TLS13(s)) {
|
||||
/* TLS 1.3 gets the secret size from the handshake md */
|
||||
size_t dummy;
|
||||
if (!s->method->ssl3_enc->generate_master_secret(s,
|
||||
s->master_secret, s->handshake_secret, 0,
|
||||
&s->session->master_key_length)
|
||||
&dummy)
|
||||
|| !s->method->ssl3_enc->change_cipher_state(s,
|
||||
SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
|
||||
/* SSLfatal() already called */
|
||||
|
@ -1923,14 +1946,14 @@ static int tls_early_post_process_client_hello(SSL *s)
|
|||
&& master_key_length > 0) {
|
||||
s->session->master_key_length = master_key_length;
|
||||
s->hit = 1;
|
||||
s->session->ciphers = ciphers;
|
||||
s->peer_ciphers = ciphers;
|
||||
s->session->verify_result = X509_V_OK;
|
||||
|
||||
ciphers = NULL;
|
||||
|
||||
/* check if some cipher was preferred by call back */
|
||||
if (pref_cipher == NULL)
|
||||
pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
|
||||
pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers,
|
||||
SSL_get_ciphers(s));
|
||||
if (pref_cipher == NULL) {
|
||||
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
||||
|
@ -1941,9 +1964,9 @@ static int tls_early_post_process_client_hello(SSL *s)
|
|||
|
||||
s->session->cipher = pref_cipher;
|
||||
sk_SSL_CIPHER_free(s->cipher_list);
|
||||
s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
|
||||
s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers);
|
||||
sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
||||
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
|
||||
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -2043,12 +2066,12 @@ static int tls_early_post_process_client_hello(SSL *s)
|
|||
#endif
|
||||
|
||||
/*
|
||||
* Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
|
||||
* Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher
|
||||
*/
|
||||
|
||||
if (!s->hit || SSL_IS_TLS13(s)) {
|
||||
sk_SSL_CIPHER_free(s->session->ciphers);
|
||||
s->session->ciphers = ciphers;
|
||||
sk_SSL_CIPHER_free(s->peer_ciphers);
|
||||
s->peer_ciphers = ciphers;
|
||||
if (ciphers == NULL) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
|
||||
|
@ -2064,6 +2087,10 @@ static int tls_early_post_process_client_hello(SSL *s)
|
|||
#else
|
||||
s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
|
||||
#endif
|
||||
if (!tls1_set_server_sigalgs(s)) {
|
||||
/* SSLfatal() already called */
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
sk_SSL_CIPHER_free(ciphers);
|
||||
|
@ -2151,6 +2178,7 @@ int tls_handle_alpn(SSL *s)
|
|||
OPENSSL_free(s->s3->alpn_selected);
|
||||
s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
|
||||
if (s->s3->alpn_selected == NULL) {
|
||||
s->s3->alpn_selected_len = 0;
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
|
@ -2231,31 +2259,25 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
|
|||
if (wst == WORK_MORE_B) {
|
||||
if (!s->hit || SSL_IS_TLS13(s)) {
|
||||
/* Let cert callback update server certificates if required */
|
||||
if (!s->hit) {
|
||||
if (s->cert->cert_cb != NULL) {
|
||||
int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
|
||||
if (rv == 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
|
||||
SSL_R_CERT_CB_ERROR);
|
||||
goto err;
|
||||
}
|
||||
if (rv < 0) {
|
||||
s->rwstate = SSL_X509_LOOKUP;
|
||||
return WORK_MORE_B;
|
||||
}
|
||||
s->rwstate = SSL_NOTHING;
|
||||
}
|
||||
if (!tls1_set_server_sigalgs(s)) {
|
||||
/* SSLfatal already called */
|
||||
if (!s->hit && s->cert->cert_cb != NULL) {
|
||||
int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
|
||||
if (rv == 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
|
||||
SSL_R_CERT_CB_ERROR);
|
||||
goto err;
|
||||
}
|
||||
if (rv < 0) {
|
||||
s->rwstate = SSL_X509_LOOKUP;
|
||||
return WORK_MORE_B;
|
||||
}
|
||||
s->rwstate = SSL_NOTHING;
|
||||
}
|
||||
|
||||
/* In TLSv1.3 we selected the ciphersuite before resumption */
|
||||
if (!SSL_IS_TLS13(s)) {
|
||||
cipher =
|
||||
ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
|
||||
ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(s));
|
||||
|
||||
if (cipher == NULL) {
|
||||
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
||||
|
@ -2556,7 +2578,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
|
|||
|
||||
s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
|
||||
if (s->s3->tmp.pkey == NULL) {
|
||||
/* SSLfatal() already called */
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, 0, ERR_R_INTERNAL_ERROR);
|
||||
goto err;
|
||||
}
|
||||
|
||||
|
@ -2832,9 +2854,16 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
|
|||
if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
|
||||
OPENSSL_free(s->pha_context);
|
||||
s->pha_context_len = 32;
|
||||
if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL
|
||||
|| RAND_bytes(s->pha_context, s->pha_context_len) <= 0
|
||||
|| !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
|
||||
if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) {
|
||||
s->pha_context_len = 0;
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
if (RAND_bytes(s->pha_context, s->pha_context_len) <= 0
|
||||
|| !WPACKET_sub_memcpy_u8(pkt, s->pha_context,
|
||||
s->pha_context_len)) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
|
@ -2948,6 +2977,7 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)
|
|||
OPENSSL_cleanse(psk, psklen);
|
||||
|
||||
if (s->s3->tmp.psk == NULL) {
|
||||
s->s3->tmp.psklen = 0;
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
|
@ -3324,9 +3354,9 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt)
|
|||
const unsigned char *start;
|
||||
size_t outlen = 32, inlen;
|
||||
unsigned long alg_a;
|
||||
unsigned int asn1id, asn1len;
|
||||
GOST_KX_MESSAGE *pKX = NULL;
|
||||
const unsigned char *ptr;
|
||||
int ret = 0;
|
||||
PACKET encdata;
|
||||
|
||||
/* Get our certificate private key */
|
||||
alg_a = s->s3->tmp.new_cipher->algorithm_auth;
|
||||
|
@ -3367,42 +3397,33 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt)
|
|||
if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
|
||||
ERR_clear_error();
|
||||
}
|
||||
/* Decrypt session key */
|
||||
if (!PACKET_get_1(pkt, &asn1id)
|
||||
|| asn1id != (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
|
||||
|| !PACKET_peek_1(pkt, &asn1len)) {
|
||||
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
|
||||
SSL_R_DECRYPTION_FAILED);
|
||||
goto err;
|
||||
}
|
||||
if (asn1len == 0x81) {
|
||||
/*
|
||||
* Long form length. Should only be one byte of length. Anything else
|
||||
* isn't supported.
|
||||
* We did a successful peek before so this shouldn't fail
|
||||
*/
|
||||
if (!PACKET_forward(pkt, 1)) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
|
||||
SSL_R_DECRYPTION_FAILED);
|
||||
goto err;
|
||||
}
|
||||
} else if (asn1len >= 0x80) {
|
||||
/*
|
||||
* Indefinite length, or more than one long form length bytes. We don't
|
||||
* support it
|
||||
*/
|
||||
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
|
||||
SSL_R_DECRYPTION_FAILED);
|
||||
goto err;
|
||||
} /* else short form length */
|
||||
|
||||
if (!PACKET_as_length_prefixed_1(pkt, &encdata)) {
|
||||
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
|
||||
ptr = PACKET_data(pkt);
|
||||
/* Some implementations provide extra data in the opaqueBlob
|
||||
* We have nothing to do with this blob so we just skip it */
|
||||
pKX = d2i_GOST_KX_MESSAGE(NULL, &ptr, PACKET_remaining(pkt));
|
||||
if (pKX == NULL
|
||||
|| pKX->kxBlob == NULL
|
||||
|| ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) {
|
||||
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
|
||||
SSL_R_DECRYPTION_FAILED);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (!PACKET_forward(pkt, ptr - PACKET_data(pkt))) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
|
||||
SSL_R_DECRYPTION_FAILED);
|
||||
goto err;
|
||||
}
|
||||
inlen = PACKET_remaining(&encdata);
|
||||
start = PACKET_data(&encdata);
|
||||
|
||||
if (PACKET_remaining(pkt) != 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
|
||||
SSL_R_DECRYPTION_FAILED);
|
||||
goto err;
|
||||
}
|
||||
|
||||
inlen = pKX->kxBlob->value.sequence->length;
|
||||
start = pKX->kxBlob->value.sequence->data;
|
||||
|
||||
if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
|
||||
inlen) <= 0) {
|
||||
|
@ -3424,6 +3445,7 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt)
|
|||
ret = 1;
|
||||
err:
|
||||
EVP_PKEY_CTX_free(pkey_ctx);
|
||||
GOST_KX_MESSAGE_free(pKX);
|
||||
return ret;
|
||||
#else
|
||||
/* Should never happen */
|
||||
|
@ -3495,6 +3517,7 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
|
|||
#ifndef OPENSSL_NO_PSK
|
||||
OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
|
||||
s->s3->tmp.psk = NULL;
|
||||
s->s3->tmp.psklen = 0;
|
||||
#endif
|
||||
return MSG_PROCESS_ERROR;
|
||||
}
|
||||
|
@ -3730,6 +3753,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
|
|||
|
||||
sk_X509_pop_free(s->session->peer_chain, X509_free);
|
||||
s->session->peer_chain = sk;
|
||||
sk = NULL;
|
||||
|
||||
/*
|
||||
* Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
|
||||
|
@ -3744,7 +3768,6 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
|
|||
* Inconsistency alert: cert_chain does *not* include the peer's own
|
||||
* certificate, while we do include it in statem_clnt.c
|
||||
*/
|
||||
sk = NULL;
|
||||
|
||||
/* Save the current hash state for when we receive the CertificateVerify */
|
||||
if (SSL_IS_TLS13(s)) {
|
||||
|
@ -4104,6 +4127,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
|
|||
s->session->ext.alpn_selected =
|
||||
OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
|
||||
if (s->session->ext.alpn_selected == NULL) {
|
||||
s->session->ext.alpn_selected_len = 0;
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
|
@ -4115,9 +4139,12 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
|
|||
}
|
||||
|
||||
if (tctx->generate_ticket_cb != NULL &&
|
||||
tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0)
|
||||
tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
goto err;
|
||||
|
||||
}
|
||||
/*
|
||||
* If we are using anti-replay protection then we behave as if
|
||||
* SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue