aboutsummaryrefslogtreecommitdiff
path: root/ssl
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2020-03-17 21:27:57 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2020-03-17 21:27:57 +0000
commitaa144ced5d61b5c7fb74acaebb37d85bd08f0416 (patch)
tree2de6902cff4b007f4fae30a7d6c546b4dd3d1740 /ssl
parentfbc3ad1ae1976eb5f2bac351260f2c5ee255c27f (diff)
downloadsrc-aa144ced5d61b5c7fb74acaebb37d85bd08f0416.tar.gz
src-aa144ced5d61b5c7fb74acaebb37d85bd08f0416.zip
Import OpenSSL 1.1.1e.vendor/openssl/1.1.1e
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=359051 svn path=/vendor-crypto/openssl/1.1.1e/; revision=359052; tag=vendor/openssl/1.1.1e
Diffstat (limited to 'ssl')
-rw-r--r--ssl/bio_ssl.c2
-rw-r--r--ssl/d1_lib.c2
-rw-r--r--ssl/d1_msg.c2
-rw-r--r--ssl/d1_srtp.c2
-rw-r--r--ssl/methods.c2
-rw-r--r--ssl/packet.c2
-rw-r--r--ssl/packet_local.h (renamed from ssl/packet_locl.h)6
-rw-r--r--ssl/pqueue.c2
-rw-r--r--ssl/record/README4
-rw-r--r--ssl/record/dtls1_bitmap.c4
-rw-r--r--ssl/record/rec_layer_d1.c6
-rw-r--r--ssl/record/rec_layer_s3.c16
-rw-r--r--ssl/record/record_local.h (renamed from ssl/record/record_locl.h)0
-rw-r--r--ssl/record/ssl3_buffer.c4
-rw-r--r--ssl/record/ssl3_record.c28
-rw-r--r--ssl/record/ssl3_record_tls13.c6
-rw-r--r--ssl/s3_cbc.c4
-rw-r--r--ssl/s3_enc.c2
-rw-r--r--ssl/s3_lib.c6
-rw-r--r--ssl/s3_msg.c2
-rw-r--r--ssl/ssl_asn1.c2
-rw-r--r--ssl/ssl_cert.c30
-rw-r--r--ssl/ssl_ciph.c4
-rw-r--r--ssl/ssl_conf.c2
-rw-r--r--ssl/ssl_err.c4
-rw-r--r--ssl/ssl_init.c2
-rw-r--r--ssl/ssl_lib.c86
-rw-r--r--ssl/ssl_local.h (renamed from ssl/ssl_locl.h)10
-rw-r--r--ssl/ssl_mcnf.c2
-rw-r--r--ssl/ssl_rsa.c4
-rw-r--r--ssl/ssl_sess.c4
-rw-r--r--ssl/ssl_stat.c2
-rw-r--r--ssl/ssl_txt.c2
-rw-r--r--ssl/ssl_utst.c2
-rw-r--r--ssl/statem/README2
-rw-r--r--ssl/statem/extensions.c14
-rw-r--r--ssl/statem/extensions_clnt.c4
-rw-r--r--ssl/statem/extensions_cust.c4
-rw-r--r--ssl/statem/extensions_srvr.c31
-rw-r--r--ssl/statem/statem.c4
-rw-r--r--ssl/statem/statem_clnt.c4
-rw-r--r--ssl/statem/statem_dtls.c4
-rw-r--r--ssl/statem/statem_lib.c33
-rw-r--r--ssl/statem/statem_local.h (renamed from ssl/statem/statem_locl.h)0
-rw-r--r--ssl/statem/statem_srvr.c91
-rw-r--r--ssl/t1_enc.c4
-rw-r--r--ssl/t1_lib.c99
-rw-r--r--ssl/t1_trce.c7
-rw-r--r--ssl/tls13_enc.c6
-rw-r--r--ssl/tls_srp.c2
50 files changed, 350 insertions, 217 deletions
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index d1876d8b8c1f..ab9e6668cd57 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -14,7 +14,7 @@
#include <openssl/crypto.h>
#include "internal/bio.h"
#include <openssl/err.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
static int ssl_write(BIO *h, const char *buf, size_t size, size_t *written);
static int ssl_read(BIO *b, char *buf, size_t size, size_t *readbytes);
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index fcda32754735..2a15ee8ad965 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -11,7 +11,7 @@
#include <stdio.h>
#include <openssl/objects.h>
#include <openssl/rand.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
static void get_current_time(struct timeval *t);
static int dtls1_handshake_write(SSL *s);
diff --git a/ssl/d1_msg.c b/ssl/d1_msg.c
index 6365b365e7f6..8a31064ae13f 100644
--- a/ssl/d1_msg.c
+++ b/ssl/d1_msg.c
@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
-#include "ssl_locl.h"
+#include "ssl_local.h"
int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, size_t len,
size_t *written)
diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
index ff8f0c5712df..c05a77e34668 100644
--- a/ssl/d1_srtp.c
+++ b/ssl/d1_srtp.c
@@ -15,7 +15,7 @@
#include <stdio.h>
#include <openssl/objects.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
#ifndef OPENSSL_NO_SRTP
diff --git a/ssl/methods.c b/ssl/methods.c
index 348efe467dbb..c5e8898364cd 100644
--- a/ssl/methods.c
+++ b/ssl/methods.c
@@ -9,7 +9,7 @@
#include <stdio.h>
#include <openssl/objects.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
/*-
* TLS/SSLv3 methods
diff --git a/ssl/packet.c b/ssl/packet.c
index 95031430ed66..1ddde969f3b2 100644
--- a/ssl/packet.c
+++ b/ssl/packet.c
@@ -8,7 +8,7 @@
*/
#include "internal/cryptlib.h"
-#include "packet_locl.h"
+#include "packet_local.h"
#include <openssl/sslerr.h>
#define DEFAULT_BUF_SIZE 256
diff --git a/ssl/packet_locl.h b/ssl/packet_local.h
index 860360b8b231..1b6c2fb9bc3f 100644
--- a/ssl/packet_locl.h
+++ b/ssl/packet_local.h
@@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/
-#ifndef HEADER_PACKET_LOCL_H
-# define HEADER_PACKET_LOCL_H
+#ifndef OSSL_SSL_PACKET_LOCAL_H
+# define OSSL_SSL_PACKET_LOCAL_H
# include <string.h>
# include <openssl/bn.h>
@@ -871,4 +871,4 @@ unsigned char *WPACKET_get_curr(WPACKET *pkt);
/* Release resources in a WPACKET if a failure has occurred. */
void WPACKET_cleanup(WPACKET *pkt);
-#endif /* HEADER_PACKET_LOCL_H */
+#endif /* OSSL_SSL_PACKET_LOCAL_H */
diff --git a/ssl/pqueue.c b/ssl/pqueue.c
index 548a7a443d91..758440217d45 100644
--- a/ssl/pqueue.c
+++ b/ssl/pqueue.c
@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include <openssl/bn.h>
struct pqueue_st {
diff --git a/ssl/record/README b/ssl/record/README
index 987e9fd305d9..630fe8027af1 100644
--- a/ssl/record/README
+++ b/ssl/record/README
@@ -12,7 +12,7 @@ of these components is defined by:
3) A set of accessor macros
All struct definitions are in record.h. The functions and macros are either
-defined in record.h or record_locl.h dependent on whether they are intended to
+defined in record.h or record_local.h dependent on whether they are intended to
be private to the record layer, or whether they form part of the API to the rest
of libssl.
@@ -55,7 +55,7 @@ Conceptually it looks like this:
|| rec_layer_d1.c ||
||____________________||
|______________________|
- record_locl.h ^ ^ ^
+ record_local.h ^ ^ ^
_________________| | |_________________
| | |
_____V_________ ______V________ _______V________
diff --git a/ssl/record/dtls1_bitmap.c b/ssl/record/dtls1_bitmap.c
index 5923c53717c9..8167b4183404 100644
--- a/ssl/record/dtls1_bitmap.c
+++ b/ssl/record/dtls1_bitmap.c
@@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/
-#include "../ssl_locl.h"
-#include "record_locl.h"
+#include "../ssl_local.h"
+#include "record_local.h"
/* mod 128 saturating subtract of two 64-bit values in big-endian order */
static int satsub64be(const unsigned char *v1, const unsigned char *v2)
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index cb5d54ef5a8f..73ca8a6ee4b9 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -9,11 +9,11 @@
#include <stdio.h>
#include <errno.h>
-#include "../ssl_locl.h"
+#include "../ssl_local.h"
#include <openssl/evp.h>
#include <openssl/buffer.h>
-#include "record_locl.h"
-#include "../packet_locl.h"
+#include "record_local.h"
+#include "../packet_local.h"
#include "internal/cryptlib.h"
int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl)
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 982a06089c11..1c885a664f35 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -10,15 +10,15 @@
#include <stdio.h>
#include <limits.h>
#include <errno.h>
-#include "../ssl_locl.h"
+#include "../ssl_local.h"
#include <openssl/evp.h>
#include <openssl/buffer.h>
#include <openssl/rand.h>
-#include "record_locl.h"
-#include "../packet_locl.h"
+#include "record_local.h"
+#include "../packet_local.h"
#if defined(OPENSSL_SMALL_FOOTPRINT) || \
- !( defined(AES_ASM) && ( \
+ !( defined(AESNI_ASM) && ( \
defined(__x86_64) || defined(__x86_64__) || \
defined(_M_AMD64) || defined(_M_X64) ) \
)
@@ -296,6 +296,12 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold,
ret = BIO_read(s->rbio, pkt + len + left, max - left);
if (ret >= 0)
bioread = ret;
+ if (ret <= 0
+ && !BIO_should_retry(s->rbio)
+ && BIO_eof(s->rbio)) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N,
+ SSL_R_UNEXPECTED_EOF_WHILE_READING);
+ }
} else {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N,
SSL_R_READ_BIO_NOT_SET);
diff --git a/ssl/record/record_locl.h b/ssl/record/record_local.h
index 5e8dd7f70442..5e8dd7f70442 100644
--- a/ssl/record/record_locl.h
+++ b/ssl/record/record_local.h
diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c
index 53bd4cb190d0..605f8f9b75be 100644
--- a/ssl/record/ssl3_buffer.c
+++ b/ssl/record/ssl3_buffer.c
@@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/
-#include "../ssl_locl.h"
-#include "record_locl.h"
+#include "../ssl_local.h"
+#include "record_local.h"
void SSL3_BUFFER_set_data(SSL3_BUFFER *b, const unsigned char *d, size_t n)
{
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index e59ac5a67676..ab5d22aa10cb 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -7,10 +7,10 @@
* https://www.openssl.org/source/license.html
*/
-#include "../ssl_locl.h"
-#include "internal/constant_time_locl.h"
+#include "../ssl_local.h"
+#include "internal/constant_time.h"
#include <openssl/rand.h>
-#include "record_locl.h"
+#include "record_local.h"
#include "internal/cryptlib.h"
static const unsigned char ssl3_pad_1[48] = {
@@ -559,7 +559,7 @@ int ssl3_get_record(SSL *s)
RECORD_LAYER_reset_read_sequence(&s->rlayer);
return 1;
}
- SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD,
+ SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
return -1;
}
@@ -837,7 +837,7 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr)
* SSLfatal() for internal errors, but not otherwise.
*
* Returns:
- * 0: (in non-constant time) if the record is publically invalid (i.e. too
+ * 0: (in non-constant time) if the record is publicly invalid (i.e. too
* short etc).
* 1: if the record's padding is valid / the encryption was successful.
* -1: if the record's padding is invalid or, if sending, an internal error
@@ -928,7 +928,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending)
* internal errors, but not otherwise.
*
* Returns:
- * 0: (in non-constant time) if the record is publically invalid (i.e. too
+ * 0: (in non-constant time) if the record is publicly invalid (i.e. too
* short etc).
* 1: if the record's padding is valid / the encryption was successful.
* -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
@@ -1075,7 +1075,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
} else if ((bs != 1) && sending) {
padnum = bs - (reclen[ctr] % bs);
- /* Add weird padding of upto 256 bytes */
+ /* Add weird padding of up to 256 bytes */
if (padnum > MAX_PADDING) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC,
@@ -1610,6 +1610,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
int imac_size;
size_t mac_size;
unsigned char md[EVP_MAX_MD_SIZE];
+ size_t max_plain_length = SSL3_RT_MAX_PLAIN_LENGTH;
rr = RECORD_LAYER_get_rrec(&s->rlayer);
sess = s->session;
@@ -1669,7 +1670,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0);
/*-
* enc_err is:
- * 0: (in non-constant time) if the record is publically invalid.
+ * 0: (in non-constant time) if the record is publicly invalid.
* 1: if the padding is valid
* -1: if the padding is invalid
*/
@@ -1782,7 +1783,12 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
}
}
- if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
+ /* use current Max Fragment Length setting if applicable */
+ if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
+ max_plain_length = GET_MAX_FRAGMENT_LENGTH(s->session);
+
+ /* send overflow if the plaintext is too long now it has passed MAC */
+ if (rr->length > max_plain_length) {
SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD,
SSL_R_DATA_LENGTH_TOO_LONG);
return 0;
@@ -1926,7 +1932,7 @@ int dtls1_get_record(SSL *s)
/* If received packet overflows own-client Max Fragment Length setting */
if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
- && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) {
+ && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session) + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) {
/* record too long, silently discard it */
rr->length = 0;
rr->read = 1;
diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
index a11ed483e668..ab50e3762499 100644
--- a/ssl/record/ssl3_record_tls13.c
+++ b/ssl/record/ssl3_record_tls13.c
@@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/
-#include "../ssl_locl.h"
-#include "record_locl.h"
+#include "../ssl_local.h"
+#include "record_local.h"
#include "internal/cryptlib.h"
/*-
@@ -16,7 +16,7 @@
* internal errors, but not otherwise.
*
* Returns:
- * 0: (in non-constant time) if the record is publically invalid (i.e. too
+ * 0: (in non-constant time) if the record is publicly invalid (i.e. too
* short etc).
* 1: if the record encryption was successful.
* -1: if the record's AEAD-authenticator is invalid or, if sending,
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 8377d7fe13dc..aa7d63f84a9f 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/
-#include "internal/constant_time_locl.h"
-#include "ssl_locl.h"
+#include "internal/constant_time.h"
+#include "ssl_local.h"
#include "internal/cryptlib.h"
#include <openssl/md5.h>
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 2e185e9fba9a..8a89f512fe60 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -9,7 +9,7 @@
*/
#include <stdio.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include <openssl/evp.h>
#include <openssl/md5.h>
#include "internal/cryptlib.h"
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 066bf47221e2..a987604bcd0e 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -12,7 +12,7 @@
#include <stdio.h>
#include <openssl/objects.h>
#include "internal/nelem.h"
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include <openssl/md5.h>
#include <openssl/dh.h>
#include <openssl/rand.h>
@@ -4639,7 +4639,7 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
OPENSSL_clear_free(s->s3->tmp.psk, psklen);
s->s3->tmp.psk = NULL;
if (!s->method->ssl3_enc->generate_master_secret(s,
- s->session->master_key,pskpms, pskpmslen,
+ s->session->master_key, pskpms, pskpmslen,
&s->session->master_key_length)) {
OPENSSL_clear_free(pskpms, pskpmslen);
/* SSLfatal() already called */
diff --git a/ssl/s3_msg.c b/ssl/s3_msg.c
index 42382547fb2a..339fb2774a63 100644
--- a/ssl/s3_msg.c
+++ b/ssl/s3_msg.c
@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
-#include "ssl_locl.h"
+#include "ssl_local.h"
int ssl3_do_change_cipher_spec(SSL *s)
{
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index b56c5e96c530..799fee771ba5 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -10,7 +10,7 @@
#include <stdio.h>
#include <stdlib.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include <openssl/asn1t.h>
#include <openssl/x509.h>
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 9df9fb96778d..5d3e83f32897 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -20,7 +20,7 @@
#include <openssl/bn.h>
#include <openssl/crypto.h>
#include "internal/refcount.h"
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include "ssl_cert_table.h"
#include "internal/thread_once.h"
@@ -601,14 +601,6 @@ static unsigned long xname_hash(const X509_NAME *a)
return X509_NAME_hash((X509_NAME *)a);
}
-/**
- * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
- * it doesn't really have anything to do with clients (except that a common use
- * for a stack of CAs is to send it to the client). Actually, it doesn't have
- * much to do with CAs, either, since it will load any old cert.
- * \param file the file containing one or more certs.
- * \return a ::STACK containing the certs.
- */
STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
{
BIO *in = BIO_new(BIO_s_file());
@@ -666,15 +658,6 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
return ret;
}
-/**
- * Add a file of certs to a stack.
- * \param stack the stack to add to.
- * \param file the file to add from. All certs in this file that are not
- * already in the stack will be added.
- * \return 1 for success, 0 for failure. Note that in the case of failure some
- * certs may have been added to \c stack.
- */
-
int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *file)
{
@@ -725,17 +708,6 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
return ret;
}
-/**
- * Add a directory of certs to a stack.
- * \param stack the stack to append to.
- * \param dir the directory to append from. All files in this directory will be
- * examined as potential certs. Any that are acceptable to
- * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be
- * included.
- * \return 1 for success, 0 for failure. Note that in the case of failure some
- * certs may have been added to \c stack.
- */
-
int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *dir)
{
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 27a1b2ec68b3..735a483c6448 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -17,7 +17,7 @@
#include <openssl/crypto.h>
#include <openssl/conf.h>
#include "internal/nelem.h"
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include "internal/thread_once.h"
#include "internal/cryptlib.h"
@@ -92,7 +92,7 @@ static CRYPTO_ONCE ssl_load_builtin_comp_once = CRYPTO_ONCE_STATIC_INIT;
/*
* Constant SSL_MAX_DIGEST equal to size of digests array should be defined
- * in the ssl_locl.h
+ * in the ssl_local.h
*/
#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 9c202708d7d9..8ef29bb34535 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -8,7 +8,7 @@
*/
#include <stdio.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include <openssl/conf.h>
#include <openssl/objects.h>
#include <openssl/dh.h>
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 4b12ed1485d9..a0c7b79659d4 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1205,6 +1205,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
"unexpected ccs message"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
"unexpected end of early data"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING),
+ "unexpected eof while reading"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c
index f0969fa9b1af..d083d9597091 100644
--- a/ssl/ssl_init.c
+++ b/ssl/ssl_init.c
@@ -12,7 +12,7 @@
#include "internal/err.h"
#include <openssl/crypto.h>
#include <openssl/evp.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include "internal/thread_once.h"
static int stopped;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ac820cf9fe16..7c7e59789ccd 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -10,7 +10,7 @@
*/
#include <stdio.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include <openssl/objects.h>
#include <openssl/x509v3.h>
#include <openssl/rand.h>
@@ -2623,31 +2623,85 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
return buf;
}
-/** return a servername extension value if provided in Client Hello, or NULL.
- * So far, only host_name types are defined (RFC 3546).
+/**
+ * Return the requested servername (SNI) value. Note that the behaviour varies
+ * depending on:
+ * - whether this is called by the client or the server,
+ * - if we are before or during/after the handshake,
+ * - if a resumption or normal handshake is being attempted/has occurred
+ * - whether we have negotiated TLSv1.2 (or below) or TLSv1.3
+ *
+ * Note that only the host_name type is defined (RFC 3546).
*/
-
const char *SSL_get_servername(const SSL *s, const int type)
{
+ /*
+ * If we don't know if we are the client or the server yet then we assume
+ * client.
+ */
+ int server = s->handshake_func == NULL ? 0 : s->server;
if (type != TLSEXT_NAMETYPE_host_name)
return NULL;
- /*
- * SNI is not negotiated in pre-TLS-1.3 resumption flows, so fake up an
- * SNI value to return if we are resuming/resumed. N.B. that we still
- * call the relevant callbacks for such resumption flows, and callbacks
- * might error out if there is not a SNI value available.
- */
- if (s->hit)
- return s->session->ext.hostname;
+ if (server) {
+ /**
+ * Server side
+ * In TLSv1.3 on the server SNI is not associated with the session
+ * but in TLSv1.2 or below it is.
+ *
+ * Before the handshake:
+ * - return NULL
+ *
+ * During/after the handshake (TLSv1.2 or below resumption occurred):
+ * - If a servername was accepted by the server in the original
+ * handshake then it will return that servername, or NULL otherwise.
+ *
+ * During/after the handshake (TLSv1.2 or below resumption did not occur):
+ * - The function will return the servername requested by the client in
+ * this handshake or NULL if none was requested.
+ */
+ if (s->hit && !SSL_IS_TLS13(s))
+ return s->session->ext.hostname;
+ } else {
+ /**
+ * Client side
+ *
+ * Before the handshake:
+ * - If a servername has been set via a call to
+ * SSL_set_tlsext_host_name() then it will return that servername
+ * - If one has not been set, but a TLSv1.2 resumption is being
+ * attempted and the session from the original handshake had a
+ * servername accepted by the server then it will return that
+ * servername
+ * - Otherwise it returns NULL
+ *
+ * During/after the handshake (TLSv1.2 or below resumption occurred):
+ * - If the session from the orignal handshake had a servername accepted
+ * by the server then it will return that servername.
+ * - Otherwise it returns the servername set via
+ * SSL_set_tlsext_host_name() (or NULL if it was not called).
+ *
+ * During/after the handshake (TLSv1.2 or below resumption did not occur):
+ * - It will return the servername set via SSL_set_tlsext_host_name()
+ * (or NULL if it was not called).
+ */
+ if (SSL_in_before(s)) {
+ if (s->ext.hostname == NULL
+ && s->session != NULL
+ && s->session->ssl_version != TLS1_3_VERSION)
+ return s->session->ext.hostname;
+ } else {
+ if (!SSL_IS_TLS13(s) && s->hit && s->session->ext.hostname != NULL)
+ return s->session->ext.hostname;
+ }
+ }
+
return s->ext.hostname;
}
int SSL_get_servername_type(const SSL *s)
{
- if (s->session
- && (!s->ext.hostname ? s->session->
- ext.hostname : s->ext.hostname))
+ if (SSL_get_servername(s, TLSEXT_NAMETYPE_host_name) != NULL)
return TLSEXT_NAMETYPE_host_name;
return -1;
}
diff --git a/ssl/ssl_locl.h b/ssl/ssl_local.h
index 25875c9f6d46..8ddbde772965 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_local.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -9,8 +9,8 @@
* https://www.openssl.org/source/license.html
*/
-#ifndef HEADER_SSL_LOCL_H
-# define HEADER_SSL_LOCL_H
+#ifndef OSSL_SSL_LOCAL_H
+# define OSSL_SSL_LOCAL_H
# include "e_os.h" /* struct timeval for DTLS */
# include <stdlib.h>
@@ -30,7 +30,7 @@
# include <openssl/ct.h>
# include "record/record.h"
# include "statem/statem.h"
-# include "packet_locl.h"
+# include "packet_local.h"
# include "internal/dane.h"
# include "internal/refcount.h"
# include "internal/tsan_assist.h"
@@ -2581,7 +2581,7 @@ __owur int tls_check_sigalg_curve(const SSL *s, int curve);
# endif
__owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey);
__owur int ssl_set_client_disabled(SSL *s);
-__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde);
+__owur int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int echde);
__owur int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
size_t *hashlen);
diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
index a0e265771449..583df4166908 100644
--- a/ssl/ssl_mcnf.c
+++ b/ssl/ssl_mcnf.c
@@ -10,7 +10,7 @@
#include <stdio.h>
#include <openssl/conf.h>
#include <openssl/ssl.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include "internal/sslconf.h"
/* SSL library configuration module. */
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 172e15f92087..b9693527b3d2 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -8,8 +8,8 @@
*/
#include <stdio.h>
-#include "ssl_locl.h"
-#include "packet_locl.h"
+#include "ssl_local.h"
+#include "packet_local.h"
#include <openssl/bio.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 52cfa7ef6d7f..40c157bb42f8 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -13,8 +13,8 @@
#include <openssl/engine.h>
#include "internal/refcount.h"
#include "internal/cryptlib.h"
-#include "ssl_locl.h"
-#include "statem/statem_locl.h"
+#include "ssl_local.h"
+#include "statem/statem_local.h"
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c
index 179513b1a3d0..ca51c0331c22 100644
--- a/ssl/ssl_stat.c
+++ b/ssl/ssl_stat.c
@@ -9,7 +9,7 @@
*/
#include <stdio.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
const char *SSL_state_string_long(const SSL *s)
{
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index cf6e4c3c0579..457bc8b3c20a 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -10,7 +10,7 @@
#include <stdio.h>
#include <openssl/buffer.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
#ifndef OPENSSL_NO_STDIO
int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
diff --git a/ssl/ssl_utst.c b/ssl/ssl_utst.c
index cea1bc2707a8..487f56e53935 100644
--- a/ssl/ssl_utst.c
+++ b/ssl/ssl_utst.c
@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
-#include "ssl_locl.h"
+#include "ssl_local.h"
#ifndef OPENSSL_NO_UNIT_TEST
diff --git a/ssl/statem/README b/ssl/statem/README
index 145c69db8d54..86cc06637291 100644
--- a/ssl/statem/README
+++ b/ssl/statem/README
@@ -40,7 +40,7 @@ Conceptually the state machine component is designed as follows:
| |
| Core state machine code |
|____________________________|
- statem_locl.h ^ ^
+ statem_local.h ^ ^
_________| |_______
| |
_____________|____________ _____________|____________
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 24410991b299..4ef8b417b820 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -10,8 +10,8 @@
#include <string.h>
#include "internal/nelem.h"
#include "internal/cryptlib.h"
-#include "../ssl_locl.h"
-#include "statem_locl.h"
+#include "../ssl_local.h"
+#include "statem_local.h"
#include "internal/cryptlib.h"
static int final_renegotiate(SSL *s, unsigned int context, int sent);
@@ -94,7 +94,7 @@ typedef struct extensions_definition_st {
/*
* Definitions of all built-in extensions. NOTE: Changes in the number or order
* of these extensions should be mirrored with equivalent changes to the
- * indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h.
+ * indexes ( TLSEXT_IDX_* ) defined in ssl_local.h.
* Each extension has an initialiser, a client and
* server side parser and a finaliser. The initialiser is called (if the
* extension is relevant to the given context) even if we did not see the
@@ -949,8 +949,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
* was successful.
*/
if (s->server) {
- /* TODO(OpenSSL1.2) revisit !sent case */
- if (sent && ret == SSL_TLSEXT_ERR_OK && (!s->hit || SSL_IS_TLS13(s))) {
+ if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) {
/* Only store the hostname in the session if we accepted it. */
OPENSSL_free(s->session->ext.hostname);
s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
@@ -1011,6 +1010,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
/* TLSv1.3 doesn't have warning alerts so we suppress this */
if (!SSL_IS_TLS13(s))
ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
+ s->servername_done = 0;
return 1;
case SSL_TLSEXT_ERR_NOACK:
@@ -1449,7 +1449,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
unsigned char *early_secret;
#ifdef CHARSET_EBCDIC
- static const unsigned char resumption_label[] = { 0x72, 0x65, 0x64, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
+ static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
#else
static const unsigned char resumption_label[] = "res binder";
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index f0ae642fa098..bcce0f1d9534 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -8,9 +8,9 @@
*/
#include <openssl/ocsp.h>
-#include "../ssl_locl.h"
+#include "../ssl_local.h"
#include "internal/cryptlib.h"
-#include "statem_locl.h"
+#include "statem_local.h"
EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c
index a4cdc81d68b9..a0ba18efa704 100644
--- a/ssl/statem/extensions_cust.c
+++ b/ssl/statem/extensions_cust.c
@@ -10,9 +10,9 @@
/* Custom extension utility functions */
#include <openssl/ct.h>
-#include "../ssl_locl.h"
+#include "../ssl_local.h"
#include "internal/cryptlib.h"
-#include "statem_locl.h"
+#include "statem_local.h"
typedef struct {
void *add_arg;
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index ab5453f63ecc..3b07c6b940f4 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,8 +8,8 @@
*/
#include <openssl/ocsp.h>
-#include "../ssl_locl.h"
-#include "statem_locl.h"
+#include "../ssl_local.h"
+#include "statem_local.h"
#include "internal/cryptlib.h"
#define COOKIE_STATE_FORMAT_VERSION 0
@@ -127,6 +127,10 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
return 0;
}
+ /*
+ * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
+ * we always use the SNI value from the handshake.
+ */
if (!s->hit || SSL_IS_TLS13(s)) {
if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
@@ -155,8 +159,12 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
}
s->servername_done = 1;
- }
- if (s->hit) {
+ } else {
+ /*
+ * In TLSv1.2 and below we should check if the SNI is consistent between
+ * the initial handshake and the resumption. In TLSv1.3 SNI is not
+ * associated with the session.
+ */
/*
* TODO(openssl-team): if the SNI doesn't match, we MUST
* fall back to a full handshake.
@@ -164,9 +172,6 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
s->servername_done = (s->session->ext.hostname != NULL)
&& PACKET_equal(&hostname, s->session->ext.hostname,
strlen(s->session->ext.hostname));
-
- if (!s->servername_done && s->session->ext.hostname != NULL)
- s->ext.early_data_ok = 0;
}
return 1;
@@ -1330,8 +1335,14 @@ EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
{
- if (s->hit || s->servername_done != 1
- || s->ext.hostname == NULL)
+ if (s->servername_done != 1)
+ return EXT_RETURN_NOT_SENT;
+
+ /*
+ * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
+ * We just use the servername from the initial handshake.
+ */
+ if (s->hit && !SSL_IS_TLS13(s))
return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index e3c5ec003874..20f5bd584e6c 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -9,8 +9,8 @@
#include "internal/cryptlib.h"
#include <openssl/rand.h>
-#include "../ssl_locl.h"
-#include "statem_locl.h"
+#include "../ssl_local.h"
+#include "statem_local.h"
#include <assert.h>
/*
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 6410414fb64a..64e392cfbfc7 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -12,8 +12,8 @@
#include <stdio.h>
#include <time.h>
#include <assert.h>
-#include "../ssl_locl.h"
-#include "statem_locl.h"
+#include "../ssl_local.h"
+#include "statem_local.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index b016fa7cff74..8e3fb686ee27 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -10,8 +10,8 @@
#include <limits.h>
#include <string.h>
#include <stdio.h>
-#include "../ssl_locl.h"
-#include "statem_locl.h"
+#include "../ssl_local.h"
+#include "statem_local.h"
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/objects.h>
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 22e9f0490e2d..43d6fd5de941 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -11,8 +11,8 @@
#include <limits.h>
#include <string.h>
#include <stdio.h>
-#include "../ssl_locl.h"
-#include "statem_locl.h"
+#include "../ssl_local.h"
+#include "statem_local.h"
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/objects.h>
@@ -169,17 +169,17 @@ static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
void **hdata, size_t *hdatalen)
{
#ifdef CHARSET_EBCDIC
- static const char *servercontext = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
+ static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
0x69, 0x66, 0x79, 0x00 };
- static const char *clientcontext = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
+ static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
0x69, 0x66, 0x79, 0x00 };
#else
- static const char *servercontext = "TLS 1.3, server CertificateVerify";
- static const char *clientcontext = "TLS 1.3, client CertificateVerify";
+ static const char servercontext[] = "TLS 1.3, server CertificateVerify";
+ static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
#endif
if (SSL_IS_TLS13(s)) {
size_t hashlen;
@@ -844,9 +844,11 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
return MSG_PROCESS_ERROR;
}
} else {
+ /* TLS 1.3 gets the secret size from the handshake md */
+ size_t dummy;
if (!s->method->ssl3_enc->generate_master_secret(s,
s->master_secret, s->handshake_secret, 0,
- &s->session->master_key_length)) {
+ &dummy)) {
/* SSLfatal() already called */
return MSG_PROCESS_ERROR;
}
@@ -1033,14 +1035,25 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
int cleanuphand = s->statem.cleanuphand;
if (clearbufs) {
- if (!SSL_IS_DTLS(s)) {
+ if (!SSL_IS_DTLS(s)
+#ifndef OPENSSL_NO_SCTP
/*
- * We don't do this in DTLS because we may still need the init_buf
+ * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
+ * messages that require it. Therefore, DTLS procedures for retransmissions
+ * MUST NOT be used.
+ * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
+ */
+ || BIO_dgram_is_sctp(SSL_get_wbio(s))
+#endif
+ ) {
+ /*
+ * We don't do this in DTLS over UDP because we may still need the init_buf
* in case there are any unexpected retransmits
*/
BUF_MEM_free(s->init_buf);
s->init_buf = NULL;
}
+
if (!ssl_free_wbio_buffer(s)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
ERR_R_INTERNAL_ERROR);
diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_local.h
index e27c0c13a2bb..e27c0c13a2bb 100644
--- a/ssl/statem/statem_locl.h
+++ b/ssl/statem/statem_local.h
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 8cf9c40d15c0..14cb27e6db01 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -10,9 +10,9 @@
*/
#include <stdio.h>
-#include "../ssl_locl.h"
-#include "statem_locl.h"
-#include "internal/constant_time_locl.h"
+#include "../ssl_local.h"
+#include "statem_local.h"
+#include "internal/constant_time.h"
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
@@ -23,9 +23,24 @@
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/md5.h>
+#include <openssl/asn1t.h>
#define TICKET_NONCE_SIZE 8
+typedef struct {
+ ASN1_TYPE *kxBlob;
+ ASN1_TYPE *opaqueBlob;
+} GOST_KX_MESSAGE;
+
+DECLARE_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
+
+ASN1_SEQUENCE(GOST_KX_MESSAGE) = {
+ ASN1_SIMPLE(GOST_KX_MESSAGE, kxBlob, ASN1_ANY),
+ ASN1_OPT(GOST_KX_MESSAGE, opaqueBlob, ASN1_ANY),
+} ASN1_SEQUENCE_END(GOST_KX_MESSAGE)
+
+IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
+
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
/*
@@ -728,7 +743,15 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
case TLS_ST_SW_CHANGE:
if (SSL_IS_TLS13(s))
break;
- s->session->cipher = s->s3->tmp.new_cipher;
+ /* Writes to s->session are only safe for initial handshakes */
+ if (s->session->cipher == NULL) {
+ s->session->cipher = s->s3->tmp.new_cipher;
+ } else if (s->session->cipher != s->s3->tmp.new_cipher) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSL_F_OSSL_STATEM_SERVER_PRE_WORK,
+ ERR_R_INTERNAL_ERROR);
+ return WORK_ERROR;
+ }
if (!s->method->ssl3_enc->setup_key_block(s)) {
/* SSLfatal() already called */
return WORK_ERROR;
@@ -932,9 +955,11 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
}
#endif
if (SSL_IS_TLS13(s)) {
+ /* TLS 1.3 gets the secret size from the handshake md */
+ size_t dummy;
if (!s->method->ssl3_enc->generate_master_secret(s,
s->master_secret, s->handshake_secret, 0,
- &s->session->master_key_length)
+ &dummy)
|| !s->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
/* SSLfatal() already called */
@@ -3320,9 +3345,9 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt)
const unsigned char *start;
size_t outlen = 32, inlen;
unsigned long alg_a;
- unsigned int asn1id, asn1len;
+ GOST_KX_MESSAGE *pKX = NULL;
+ const unsigned char *ptr;
int ret = 0;
- PACKET encdata;
/* Get our certificate private key */
alg_a = s->s3->tmp.new_cipher->algorithm_auth;
@@ -3363,42 +3388,33 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt)
if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
ERR_clear_error();
}
- /* Decrypt session key */
- if (!PACKET_get_1(pkt, &asn1id)
- || asn1id != (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
- || !PACKET_peek_1(pkt, &asn1len)) {
- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
- SSL_R_DECRYPTION_FAILED);
- goto err;
+
+ ptr = PACKET_data(pkt);
+ /* Some implementations provide extra data in the opaqueBlob
+ * We have nothing to do with this blob so we just skip it */
+ pKX = d2i_GOST_KX_MESSAGE(NULL, &ptr, PACKET_remaining(pkt));
+ if (pKX == NULL
+ || pKX->kxBlob == NULL
+ || ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
+ SSL_R_DECRYPTION_FAILED);
+ goto err;
}
- if (asn1len == 0x81) {
- /*
- * Long form length. Should only be one byte of length. Anything else
- * isn't supported.
- * We did a successful peek before so this shouldn't fail
- */
- if (!PACKET_forward(pkt, 1)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
- SSL_R_DECRYPTION_FAILED);
- goto err;
- }
- } else if (asn1len >= 0x80) {
- /*
- * Indefinite length, or more than one long form length bytes. We don't
- * support it
- */
- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
+
+ if (!PACKET_forward(pkt, ptr - PACKET_data(pkt))) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSL_R_DECRYPTION_FAILED);
goto err;
- } /* else short form length */
+ }
- if (!PACKET_as_length_prefixed_1(pkt, &encdata)) {
- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
+ if (PACKET_remaining(pkt) != 0) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSL_R_DECRYPTION_FAILED);
goto err;
}
- inlen = PACKET_remaining(&encdata);
- start = PACKET_data(&encdata);
+
+ inlen = pKX->kxBlob->value.sequence->length;
+ start = pKX->kxBlob->value.sequence->data;
if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
inlen) <= 0) {
@@ -3420,6 +3436,7 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt)
ret = 1;
err:
EVP_PKEY_CTX_free(pkey_ctx);
+ GOST_KX_MESSAGE_free(pKX);
return ret;
#else
/* Should never happen */
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 57fb17a66031..c85c0b0310e1 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -9,7 +9,7 @@
*/
#include <stdio.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include <openssl/comp.h>
#include <openssl/evp.h>
#include <openssl/kdf.h>
@@ -466,7 +466,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
unsigned char hash[EVP_MAX_MD_SIZE * 2];
size_t hashlen;
/*
- * Digest cached records keeping record buffer (if present): this wont
+ * Digest cached records keeping record buffer (if present): this won't
* affect client auth because we're freezing the buffer at the same
* point (after client key exchange and before certificate verify)
*/
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b482019c4c17..a254fd5a0559 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -18,10 +18,11 @@
#include <openssl/dh.h>
#include <openssl/bn.h>
#include "internal/nelem.h"
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include <openssl/ct.h>
static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
+static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu);
SSL3_ENC_METHOD const TLSv1_enc_data = {
tls1_enc,
@@ -849,8 +850,11 @@ static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
}
/*
- * Return a signature algorithm for TLS < 1.2 where the signature type
- * is fixed by the certificate type.
+ * Returns a signature algorithm when the peer did not send a list of supported
+ * signature algorithms. The signature algorithm is fixed for the certificate
+ * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the
+ * certificate type from |s| will be used.
+ * Returns the signature algorithm to use, or NULL on error.
*/
static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
{
@@ -893,8 +897,12 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
if (!tls1_lookup_md(lu, NULL))
return NULL;
+ if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
+ return NULL;
return lu;
}
+ if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg))
+ return NULL;
return &legacy_rsa_sigalg;
}
/* Set peer sigalg based key type */
@@ -984,6 +992,31 @@ int tls_check_sigalg_curve(const SSL *s, int curve)
#endif
/*
+ * Return the number of security bits for the signature algorithm, or 0 on
+ * error.
+ */
+static int sigalg_security_bits(const SIGALG_LOOKUP *lu)
+{
+ const EVP_MD *md = NULL;
+ int secbits = 0;
+
+ if (!tls1_lookup_md(lu, &md))
+ return 0;
+ if (md != NULL)
+ {
+ /* Security bits: half digest bits */
+ secbits = EVP_MD_size(md) * 4;
+ } else {
+ /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */
+ if (lu->sigalg == TLSEXT_SIGALG_ed25519)
+ secbits = 128;
+ else if (lu->sigalg == TLSEXT_SIGALG_ed448)
+ secbits = 224;
+ }
+ return secbits;
+}
+
+/*
* Check signature algorithm is consistent with sent supported signature
* algorithms and if so set relevant digest and signature scheme in
* s.
@@ -996,6 +1029,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
size_t sent_sigslen, i, cidx;
int pkeyid = EVP_PKEY_id(pkey);
const SIGALG_LOOKUP *lu;
+ int secbits = 0;
/* Should never happen */
if (pkeyid == -1)
@@ -1097,20 +1131,20 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
SSL_R_UNKNOWN_DIGEST);
return 0;
}
- if (md != NULL) {
- /*
- * Make sure security callback allows algorithm. For historical
- * reasons we have to pass the sigalg as a two byte char array.
- */
- sigalgstr[0] = (sig >> 8) & 0xff;
- sigalgstr[1] = sig & 0xff;
- if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
- EVP_MD_size(md) * 4, EVP_MD_type(md),
- (void *)sigalgstr)) {
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
- SSL_R_WRONG_SIGNATURE_TYPE);
- return 0;
- }
+ /*
+ * Make sure security callback allows algorithm. For historical
+ * reasons we have to pass the sigalg as a two byte char array.
+ */
+ sigalgstr[0] = (sig >> 8) & 0xff;
+ sigalgstr[1] = sig & 0xff;
+ secbits = sigalg_security_bits(lu);
+ if (secbits == 0 ||
+ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
+ md != NULL ? EVP_MD_type(md) : NID_undef,
+ (void *)sigalgstr)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
+ SSL_R_WRONG_SIGNATURE_TYPE);
+ return 0;
}
/* Store the sigalg the peer uses */
s->s3->tmp.peer_sigalg = lu;
@@ -1176,7 +1210,7 @@ int ssl_set_client_disabled(SSL *s)
*
* Returns 1 when it's disabled, 0 when enabled.
*/
-int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
+int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe)
{
if (c->algorithm_mkey & s->s3->tmp.mask_k
|| c->algorithm_auth & s->s3->tmp.mask_a)
@@ -1556,7 +1590,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick,
}
/* Check to see if a signature algorithm is allowed */
-static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
+static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
{
unsigned char sigalgstr[2];
int secbits;
@@ -1617,11 +1651,8 @@ static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu)
}
}
- if (lu->hash == NID_undef)
- return 1;
- /* Security bits: half digest bits */
- secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4;
/* Finally see if security callback allows it */
+ secbits = sigalg_security_bits(lu);
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
sigalgstr[1] = lu->sigalg & 0xff;
return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
@@ -2774,6 +2805,26 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
#endif
break;
}
+#ifndef OPENSSL_NO_GOST
+ /*
+ * Some Windows-based implementations do not send GOST algorithms indication
+ * in supported_algorithms extension, so when we have GOST-based ciphersuite,
+ * we have to assume GOST support.
+ */
+ if (i == s->shared_sigalgslen && s->s3->tmp.new_cipher->algorithm_auth & (SSL_aGOST01 | SSL_aGOST12)) {
+ if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
+ if (!fatalerrs)
+ return 1;
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
+ SSL_F_TLS_CHOOSE_SIGALG,
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
+ return 0;
+ } else {
+ i = 0;
+ sig_idx = lu->sig_idx;
+ }
+ }
+#endif
if (i == s->shared_sigalgslen) {
if (!fatalerrs)
return 1;
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index be3039af3822..5c84339314cd 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
-#include "ssl_locl.h"
+#include "ssl_local.h"
#ifndef OPENSSL_NO_SSL_TRACE
@@ -1246,8 +1246,9 @@ static int ssl_print_certificates(BIO *bio, const SSL *ssl, int server,
while (clen > 0) {
if (!ssl_print_certificate(bio, indent + 2, &msg, &clen))
return 0;
- if (!ssl_print_extensions(bio, indent + 2, server, SSL3_MT_CERTIFICATE,
- &msg, &clen))
+ if (SSL_IS_TLS13(ssl)
+ && !ssl_print_extensions(bio, indent + 2, server,
+ SSL3_MT_CERTIFICATE, &msg, &clen))
return 0;
}
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index b5f57a02f747..86754dc9677c 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,7 +8,7 @@
*/
#include <stdlib.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
#include "internal/cryptlib.h"
#include <openssl/evp.h>
#include <openssl/kdf.h>
@@ -44,7 +44,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
* prefix and label + bytes for the label itself + 1 byte length of hash
* + bytes for the hash itself
*/
- unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
+ unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t)
+ (sizeof(label_prefix) - 1) + TLS13_MAX_LABEL_LEN
+ 1 + EVP_MAX_MD_SIZE];
WPACKET pkt;
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index f94e46b4e872..ede7427ff89d 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -14,7 +14,7 @@
#include <openssl/crypto.h>
#include <openssl/rand.h>
#include <openssl/err.h>
-#include "ssl_locl.h"
+#include "ssl_local.h"
#ifndef OPENSSL_NO_SRP
# include <openssl/srp.h>