Diffstat (limited to 'ssl')
50 files changed, 350 insertions, 217 deletions
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index d1876d8b8c1f..ab9e6668cd57 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -14,7 +14,7 @@ #include <openssl/crypto.h> #include "internal/bio.h" #include <openssl/err.h> -#include "ssl_locl.h" +#include "ssl_local.h" static int ssl_write(BIO *h, const char *buf, size_t size, size_t *written); static int ssl_read(BIO *b, char *buf, size_t size, size_t *readbytes); diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index fcda32754735..2a15ee8ad965 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -11,7 +11,7 @@ #include <stdio.h> #include <openssl/objects.h> #include <openssl/rand.h> -#include "ssl_locl.h" +#include "ssl_local.h" static void get_current_time(struct timeval *t); static int dtls1_handshake_write(SSL *s); diff --git a/ssl/d1_msg.c b/ssl/d1_msg.c index 6365b365e7f6..8a31064ae13f 100644 --- a/ssl/d1_msg.c +++ b/ssl/d1_msg.c @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "ssl_locl.h" +#include "ssl_local.h" int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, size_t len, size_t *written) diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c index ff8f0c5712df..c05a77e34668 100644 --- a/ssl/d1_srtp.c +++ b/ssl/d1_srtp.c @@ -15,7 +15,7 @@ #include <stdio.h> #include <openssl/objects.h> -#include "ssl_locl.h" +#include "ssl_local.h" #ifndef OPENSSL_NO_SRTP diff --git a/ssl/methods.c b/ssl/methods.c index 348efe467dbb..c5e8898364cd 100644 --- a/ssl/methods.c +++ b/ssl/methods.c @@ -9,7 +9,7 @@ #include <stdio.h> #include <openssl/objects.h> -#include "ssl_locl.h" +#include "ssl_local.h" /*- * TLS/SSLv3 methods diff --git a/ssl/packet.c b/ssl/packet.c index 95031430ed66..1ddde969f3b2 100644 --- a/ssl/packet.c +++ b/ssl/packet.c @@ -8,7 +8,7 @@ */ #include "internal/cryptlib.h" -#include "packet_locl.h" +#include "packet_local.h" #include <openssl/sslerr.h> #define DEFAULT_BUF_SIZE 256 diff --git a/ssl/packet_locl.h b/ssl/packet_local.h index 860360b8b231..1b6c2fb9bc3f 100644 
--- a/ssl/packet_locl.h +++ b/ssl/packet_local.h @@ -7,8 +7,8 @@ * https://www.openssl.org/source/license.html */ -#ifndef HEADER_PACKET_LOCL_H -# define HEADER_PACKET_LOCL_H +#ifndef OSSL_SSL_PACKET_LOCAL_H +# define OSSL_SSL_PACKET_LOCAL_H # include <string.h> # include <openssl/bn.h> @@ -871,4 +871,4 @@ unsigned char *WPACKET_get_curr(WPACKET *pkt); /* Release resources in a WPACKET if a failure has occurred. */ void WPACKET_cleanup(WPACKET *pkt); -#endif /* HEADER_PACKET_LOCL_H */ +#endif /* OSSL_SSL_PACKET_LOCAL_H */ diff --git a/ssl/pqueue.c b/ssl/pqueue.c index 548a7a443d91..758440217d45 100644 --- a/ssl/pqueue.c +++ b/ssl/pqueue.c @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "ssl_locl.h" +#include "ssl_local.h" #include <openssl/bn.h> struct pqueue_st { diff --git a/ssl/record/README b/ssl/record/README index 987e9fd305d9..630fe8027af1 100644 --- a/ssl/record/README +++ b/ssl/record/README @@ -12,7 +12,7 @@ of these components is defined by: 3) A set of accessor macros All struct definitions are in record.h. The functions and macros are either -defined in record.h or record_locl.h dependent on whether they are intended to +defined in record.h or record_local.h dependent on whether they are intended to be private to the record layer, or whether they form part of the API to the rest of libssl. @@ -55,7 +55,7 @@ Conceptually it looks like this: || rec_layer_d1.c || ||____________________|| |______________________| - record_locl.h ^ ^ ^ + record_local.h ^ ^ ^ _________________| | |_________________ | | | _____V_________ ______V________ _______V________ diff --git a/ssl/record/dtls1_bitmap.c b/ssl/record/dtls1_bitmap.c index 5923c53717c9..8167b4183404 100644 --- a/ssl/record/dtls1_bitmap.c +++ b/ssl/record/dtls1_bitmap.c 
@@ -7,8 +7,8 @@ * https://www.openssl.org/source/license.html */ -#include "../ssl_locl.h" -#include "record_locl.h" +#include "../ssl_local.h" +#include "record_local.h" /* mod 128 saturating subtract of two 64-bit values in big-endian order */ static int satsub64be(const unsigned char *v1, const unsigned char *v2) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index cb5d54ef5a8f..73ca8a6ee4b9 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -9,11 +9,11 @@ #include <stdio.h> #include <errno.h> -#include "../ssl_locl.h" +#include "../ssl_local.h" #include <openssl/evp.h> #include <openssl/buffer.h> -#include "record_locl.h" -#include "../packet_locl.h" +#include "record_local.h" +#include "../packet_local.h" #include "internal/cryptlib.h" int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl) diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 982a06089c11..1c885a664f35 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -10,15 +10,15 @@ #include <stdio.h> #include <limits.h> #include <errno.h> -#include "../ssl_locl.h" +#include "../ssl_local.h" #include <openssl/evp.h> #include <openssl/buffer.h> #include <openssl/rand.h> -#include "record_locl.h" -#include "../packet_locl.h" +#include "record_local.h" +#include "../packet_local.h" #if defined(OPENSSL_SMALL_FOOTPRINT) || \ - !( defined(AES_ASM) && ( \ + !( defined(AESNI_ASM) && ( \ defined(__x86_64) || defined(__x86_64__) || \ defined(_M_AMD64) || defined(_M_X64) ) \ ) 
@@ -296,6 +296,12 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, ret = BIO_read(s->rbio, pkt + len + left, max - left); if (ret >= 0) bioread = ret; + if (ret <= 0 + && !BIO_should_retry(s->rbio) + && BIO_eof(s->rbio)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N, + SSL_R_UNEXPECTED_EOF_WHILE_READING); + } } else { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, SSL_R_READ_BIO_NOT_SET); diff --git a/ssl/record/record_locl.h b/ssl/record/record_local.h index 5e8dd7f70442..5e8dd7f70442 100644 --- a/ssl/record/record_locl.h +++ b/ssl/record/record_local.h diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c index 53bd4cb190d0..605f8f9b75be 100644 --- a/ssl/record/ssl3_buffer.c +++ b/ssl/record/ssl3_buffer.c @@ -7,8 +7,8 @@ * https://www.openssl.org/source/license.html */ -#include "../ssl_locl.h" -#include "record_locl.h" +#include "../ssl_local.h" +#include "record_local.h" void SSL3_BUFFER_set_data(SSL3_BUFFER *b, const unsigned char *d, size_t n) { diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index e59ac5a67676..ab5d22aa10cb 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,10 +7,10 @@ * https://www.openssl.org/source/license.html */ -#include "../ssl_locl.h" -#include "internal/constant_time_locl.h" +#include "../ssl_local.h" +#include "internal/constant_time.h" #include <openssl/rand.h> -#include "record_locl.h" +#include "record_local.h" #include "internal/cryptlib.h" static const unsigned char ssl3_pad_1[48] = { 
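Review bot: The new EOF check in ssl3_read_n makes any BIO_eof() without a pending retry fatal with SSL_R_UNEXPECTED_EOF_WHILE_READING, including EOF while waiting for application data, where a peer that closes the transport without sending close_notify presumably surfaced as a non-error zero return before this change (the return propagation is outside the hunk). Treating a missing close_notify as a possible truncation attack is the safe default, but the hunk neither documents the behaviour change nor gives callers a way to opt out, so applications that tolerated such peers will now see the read fail with an error-queue entry. Suggest at least a comment above the new check, `/* EOF without close_notify is treated as a truncation attack and is fatal */`, plus an entry in CHANGES; a per-connection option to accept an unexpected EOF would be a larger follow-up. SSL_AD_DECODE_ERROR is harmless here since the transport is gone and no alert can be delivered. ssl3_read_n starts and ends outside the hunk.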
@@ -559,7 +559,7 @@ int ssl3_get_record(SSL *s) RECORD_LAYER_reset_read_sequence(&s->rlayer); return 1; } - SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD, + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); return -1; } @@ -837,7 +837,7 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr) * SSLfatal() for internal errors, but not otherwise. * * Returns: - * 0: (in non-constant time) if the record is publically invalid (i.e. too + * 0: (in non-constant time) if the record is publicly invalid (i.e. too * short etc). * 1: if the record's padding is valid / the encryption was successful. * -1: if the record's padding is invalid or, if sending, an internal error @@ -928,7 +928,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending) * internal errors, but not otherwise. * * Returns: - * 0: (in non-constant time) if the record is publically invalid (i.e. too + * 0: (in non-constant time) if the record is publicly invalid (i.e. too * short etc). * 1: if the record's padding is valid / the encryption was successful. * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, @@ -1075,7 +1075,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) } else if ((bs != 1) && sending) { padnum = bs - (reclen[ctr] % bs); - /* Add weird padding of upto 256 bytes */ + /* Add weird padding of up to 256 bytes */ if (padnum > MAX_PADDING) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, @@ -1610,6 +1610,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) int imac_size; size_t mac_size; unsigned char md[EVP_MAX_MD_SIZE]; + size_t max_plain_length = SSL3_RT_MAX_PLAIN_LENGTH; rr = RECORD_LAYER_get_rrec(&s->rlayer); sess = s->session; 
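Review bot: The alert change in ssl3_get_record deserves a one-line comment, because a later reader may "correct" SSL_AD_BAD_RECORD_MAC back to the more specific alert. Suggest above the SSLfatal call: `/* Report padding failures as bad_record_mac: decryption_failed is deprecated (RFC 5246 s7.2.2) and a distinct alert would expose a padding oracle */`. The error-queue reason SSL_R_BLOCK_CIPHER_PAD_IS_WRONG is local to this process and never goes on the wire, so keeping it does not weaken the fix. ssl3_get_record starts and ends outside the hunk.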
@@ -1669,7 +1670,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) enc_err = s->method->ssl3_enc->enc(s, rr, 1, 0); /*- * enc_err is: - * 0: (in non-constant time) if the record is publically invalid. + * 0: (in non-constant time) if the record is publicly invalid. * 1: if the padding is valid * -1: if the padding is invalid */ @@ -1782,7 +1783,12 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) } } - if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { + /* use current Max Fragment Length setting if applicable */ + if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) + max_plain_length = GET_MAX_FRAGMENT_LENGTH(s->session); + + /* send overflow if the plaintext is too long now it has passed MAC */ + if (rr->length > max_plain_length) { SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); return 0; @@ -1926,7 +1932,7 @@ int dtls1_get_record(SSL *s) /* If received packet overflows own-client Max Fragment Length setting */ if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) - && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { + && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session) + SSL3_RT_MAX_ENCRYPTED_OVERHEAD) { /* record too long, silently discard it */ rr->length = 0; rr->read = 1; diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c index a11ed483e668..ab50e3762499 100644 --- a/ssl/record/ssl3_record_tls13.c +++ b/ssl/record/ssl3_record_tls13.c @@ -7,8 +7,8 @@ * https://www.openssl.org/source/license.html */ -#include "../ssl_locl.h" -#include "record_locl.h" +#include "../ssl_local.h" +#include "record_local.h" #include "internal/cryptlib.h" /*- 
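Review bot: In the dtls1_process_record hunk the new max_plain_length lookup re-reads s->session even though the function already caches it in the local sess (the `sess = s->session;` line is visible in the earlier hunk), so `if (sess != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(sess)) max_plain_length = GET_MAX_FRAGMENT_LENGTH(sess);` would be consistent with the rest of the function, provided sess is not reassigned in the lines between the hunks. The initialisation `size_t max_plain_length = SSL3_RT_MAX_PLAIN_LENGTH;` in the earlier hunk is the right default, since the check only tightens when the extension was negotiated. dtls1_process_record starts and ends outside the hunks.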
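Review bot: The widened bound in dtls1_get_record compares rr->length, which at this point is still the ciphertext length, against the negotiated maximum plus SSL3_RT_MAX_ENCRYPTED_OVERHEAD, and the comment above it does not say so, so a reader will wonder why this limit differs from the one enforced in dtls1_process_record after decryption. Suggest extending the existing comment: `/* rr->length is still the ciphertext length here, so allow for the encryption overhead; the exact plaintext bound is enforced in dtls1_process_record */`. dtls1_get_record starts and ends outside the hunk.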
@@ -16,7 +16,7 @@ * internal errors, but not otherwise. * * Returns: - * 0: (in non-constant time) if the record is publically invalid (i.e. too + * 0: (in non-constant time) if the record is publicly invalid (i.e. too * short etc). * 1: if the record encryption was successful. * -1: if the record's AEAD-authenticator is invalid or, if sending, diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 8377d7fe13dc..aa7d63f84a9f 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -7,8 +7,8 @@ * https://www.openssl.org/source/license.html */ -#include "internal/constant_time_locl.h" -#include "ssl_locl.h" +#include "internal/constant_time.h" +#include "ssl_local.h" #include "internal/cryptlib.h" #include <openssl/md5.h> diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 2e185e9fba9a..8a89f512fe60 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -9,7 +9,7 @@ */ #include <stdio.h> -#include "ssl_locl.h" +#include "ssl_local.h" #include <openssl/evp.h> #include <openssl/md5.h> #include "internal/cryptlib.h" diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 066bf47221e2..a987604bcd0e 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -12,7 +12,7 @@ #include <stdio.h> #include <openssl/objects.h> #include "internal/nelem.h" -#include "ssl_locl.h" +#include "ssl_local.h" #include <openssl/md5.h> #include <openssl/dh.h> #include <openssl/rand.h> 
@@ -4639,7 +4639,7 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, OPENSSL_clear_free(s->s3->tmp.psk, psklen); s->s3->tmp.psk = NULL; if (!s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key,pskpms, pskpmslen, + s->session->master_key, pskpms, pskpmslen, &s->session->master_key_length)) { OPENSSL_clear_free(pskpms, pskpmslen); /* SSLfatal() already called */ diff --git a/ssl/s3_msg.c b/ssl/s3_msg.c index 42382547fb2a..339fb2774a63 100644 --- a/ssl/s3_msg.c +++ b/ssl/s3_msg.c @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "ssl_locl.h" +#include "ssl_local.h" int ssl3_do_change_cipher_spec(SSL *s) { diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index b56c5e96c530..799fee771ba5 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -10,7 +10,7 @@ #include <stdio.h> #include <stdlib.h> -#include "ssl_locl.h" +#include "ssl_local.h" #include <openssl/asn1t.h> #include <openssl/x509.h> diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 9df9fb96778d..5d3e83f32897 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -20,7 +20,7 @@ #include <openssl/bn.h> #include <openssl/crypto.h> #include "internal/refcount.h" -#include "ssl_locl.h" +#include "ssl_local.h" #include "ssl_cert_table.h" #include "internal/thread_once.h" @@ -601,14 +601,6 @@ static unsigned long xname_hash(const X509_NAME *a) return X509_NAME_hash((X509_NAME *)a); } -/** - * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed; - * it doesn't really have anything to do with clients (except that a common use - * for a stack of CAs is to send it to the client). Actually, it doesn't have - * much to do with CAs, either, since it will load any old cert. - * \param file the file containing one or more certs. - * \return a ::STACK containing the certs. - */ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) { BIO *in = BIO_new(BIO_s_file()); 
@@ -666,15 +658,6 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) return ret; } -/** - * Add a file of certs to a stack. - * \param stack the stack to add to. - * \param file the file to add from. All certs in this file that are not - * already in the stack will be added. - * \return 1 for success, 0 for failure. Note that in the case of failure some - * certs may have been added to \c stack. - */ - int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *file) { @@ -725,17 +708,6 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, return ret; } -/** - * Add a directory of certs to a stack. - * \param stack the stack to append to. - * \param dir the directory to append from. All files in this directory will be - * examined as potential certs. Any that are acceptable to - * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be - * included. - * \return 1 for success, 0 for failure. Note that in the case of failure some - * certs may have been added to \c stack. - */ - int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *dir) { diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 27a1b2ec68b3..735a483c6448 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -17,7 +17,7 @@ #include <openssl/crypto.h> #include <openssl/conf.h> #include "internal/nelem.h" -#include "ssl_locl.h" +#include "ssl_local.h" #include "internal/thread_once.h" #include "internal/cryptlib.h" @@ -92,7 +92,7 @@ static CRYPTO_ONCE ssl_load_builtin_comp_once = CRYPTO_ONCE_STATIC_INIT; /* * Constant SSL_MAX_DIGEST equal to size of digests array should be defined - * in the ssl_locl.h + * in the ssl_local.h */ #define SSL_MD_NUM_IDX SSL_MAX_DIGEST diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 9c202708d7d9..8ef29bb34535 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c 
@@ -8,7 +8,7 @@ */ #include <stdio.h> -#include "ssl_locl.h" +#include "ssl_local.h" #include <openssl/conf.h> #include <openssl/objects.h> #include <openssl/dh.h> diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 4b12ed1485d9..a0c7b79659d4 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1205,6 +1205,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { "unexpected ccs message"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA), "unexpected end of early data"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING), + "unexpected eof while reading"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"}, diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c index f0969fa9b1af..d083d9597091 100644 --- a/ssl/ssl_init.c +++ b/ssl/ssl_init.c @@ -12,7 +12,7 @@ #include "internal/err.h" #include <openssl/crypto.h> #include <openssl/evp.h> -#include "ssl_locl.h" +#include "ssl_local.h" #include "internal/thread_once.h" static int stopped; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index ac820cf9fe16..7c7e59789ccd 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * 
@@ -10,7 +10,7 @@ */ #include <stdio.h> -#include "ssl_locl.h" +#include "ssl_local.h" #include <openssl/objects.h> #include <openssl/x509v3.h> #include <openssl/rand.h> 
@@ -2623,31 +2623,85 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) return buf; } -/** return a servername extension value if provided in Client Hello, or NULL. - * So far, only host_name types are defined (RFC 3546). +/** + * Return the requested servername (SNI) value. Note that the behaviour varies + * depending on: + * - whether this is called by the client or the server, + * - if we are before or during/after the handshake, + * - if a resumption or normal handshake is being attempted/has occurred + * - whether we have negotiated TLSv1.2 (or below) or TLSv1.3 + * + * Note that only the host_name type is defined (RFC 3546). */ - const char *SSL_get_servername(const SSL *s, const int type) { + /* + * If we don't know if we are the client or the server yet then we assume + * client. + */ + int server = s->handshake_func == NULL ? 0 : s->server; if (type != TLSEXT_NAMETYPE_host_name) return NULL; - /* - * SNI is not negotiated in pre-TLS-1.3 resumption flows, so fake up an - * SNI value to return if we are resuming/resumed. N.B. that we still - * call the relevant callbacks for such resumption flows, and callbacks - * might error out if there is not a SNI value available. - */ - if (s->hit) - return s->session->ext.hostname; + if (server) { + /** + * Server side + * In TLSv1.3 on the server SNI is not associated with the session + * but in TLSv1.2 or below it is. + * + * Before the handshake: + * - return NULL + * + * During/after the handshake (TLSv1.2 or below resumption occurred): + * - If a servername was accepted by the server in the original + * handshake then it will return that servername, or NULL otherwise. + * + * During/after the handshake (TLSv1.2 or below resumption did not occur): + * - The function will return the servername requested by the client in + * this handshake or NULL if none was requested. 
+ */ + if (s->hit && !SSL_IS_TLS13(s)) + return s->session->ext.hostname; + } else { + /** + * Client side + * + * Before the handshake: + * - If a servername has been set via a call to + * SSL_set_tlsext_host_name() then it will return that servername + * - If one has not been set, but a TLSv1.2 resumption is being + * attempted and the session from the original handshake had a + * servername accepted by the server then it will return that + * servername + * - Otherwise it returns NULL + * + * During/after the handshake (TLSv1.2 or below resumption occurred): + * - If the session from the orignal handshake had a servername accepted + * by the server then it will return that servername. + * - Otherwise it returns the servername set via + * SSL_set_tlsext_host_name() (or NULL if it was not called). + * + * During/after the handshake (TLSv1.2 or below resumption did not occur): + * - It will return the servername set via SSL_set_tlsext_host_name() + * (or NULL if it was not called). + */ + if (SSL_in_before(s)) { + if (s->ext.hostname == NULL + && s->session != NULL + && s->session->ssl_version != TLS1_3_VERSION) + return s->session->ext.hostname; + } else { + if (!SSL_IS_TLS13(s) && s->hit && s->session->ext.hostname != NULL) + return s->session->ext.hostname; + } + } + return s->ext.hostname; } int SSL_get_servername_type(const SSL *s) { - if (s->session - && (!s->ext.hostname ? s->session-> - ext.hostname : s->ext.hostname)) + if (SSL_get_servername(s, TLSEXT_NAMETYPE_host_name) != NULL) return TLSEXT_NAMETYPE_host_name; return -1; } diff --git a/ssl/ssl_locl.h b/ssl/ssl_local.h index 25875c9f6d46..8ddbde772965 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * 
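Review bot: In SSL_get_servername the new server-side comment promises "Before the handshake: return NULL", but no code path enforces it: when server is set and SSL_in_before() holds, control falls through to `return s->ext.hostname;`, which is NULL only if nothing stored a hostname there. Either add `if (server && SSL_in_before(s)) return NULL;` at the top of the server branch or reword the comment to describe what the code actually returns. Also "orignal" in the client-side comment should be "original", and the `/**` openers inside the function body would read better as plain `/*`, given that this same commit removes the `/**` blocks in ssl_cert.c. SSL_get_servername_type now delegates to SSL_get_servername, so the two can no longer disagree, which is a welcome simplification.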
@@ -9,8 +9,8 @@ * https://www.openssl.org/source/license.html */ -#ifndef HEADER_SSL_LOCL_H -# define HEADER_SSL_LOCL_H +#ifndef OSSL_SSL_LOCAL_H +# define OSSL_SSL_LOCAL_H # include "e_os.h" /* struct timeval for DTLS */ # include <stdlib.h> @@ -30,7 +30,7 @@ # include <openssl/ct.h> # include "record/record.h" # include "statem/statem.h" -# include "packet_locl.h" +# include "packet_local.h" # include "internal/dane.h" # include "internal/refcount.h" # include "internal/tsan_assist.h" @@ -2581,7 +2581,7 @@ __owur int tls_check_sigalg_curve(const SSL *s, int curve); # endif __owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey); __owur int ssl_set_client_disabled(SSL *s); -__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde); +__owur int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int echde); __owur int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen, size_t *hashlen); diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c index a0e265771449..583df4166908 100644 --- a/ssl/ssl_mcnf.c +++ b/ssl/ssl_mcnf.c @@ -10,7 +10,7 @@ #include <stdio.h> #include <openssl/conf.h> #include <openssl/ssl.h> -#include "ssl_locl.h" +#include "ssl_local.h" #include "internal/sslconf.h" /* SSL library configuration module. */ diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 172e15f92087..b9693527b3d2 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -8,8 +8,8 @@ */ #include <stdio.h> -#include "ssl_locl.h" -#include "packet_locl.h" +#include "ssl_local.h" +#include "packet_local.h" #include <openssl/bio.h> #include <openssl/objects.h> #include <openssl/evp.h> diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 52cfa7ef6d7f..40c157bb42f8 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c 
@@ -13,8 +13,8 @@ #include <openssl/engine.h> #include "internal/refcount.h" #include "internal/cryptlib.h" -#include "ssl_locl.h" -#include "statem/statem_locl.h" +#include "ssl_local.h" +#include "statem/statem_local.h" static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s); diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c index 179513b1a3d0..ca51c0331c22 100644 --- a/ssl/ssl_stat.c +++ b/ssl/ssl_stat.c @@ -9,7 +9,7 @@ */ #include <stdio.h> -#include "ssl_locl.h" +#include "ssl_local.h" const char *SSL_state_string_long(const SSL *s) { diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index cf6e4c3c0579..457bc8b3c20a 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -10,7 +10,7 @@ #include <stdio.h> #include <openssl/buffer.h> -#include "ssl_locl.h" +#include "ssl_local.h" #ifndef OPENSSL_NO_STDIO int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x) diff --git a/ssl/ssl_utst.c b/ssl/ssl_utst.c index cea1bc2707a8..487f56e53935 100644 --- a/ssl/ssl_utst.c +++ b/ssl/ssl_utst.c @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "ssl_locl.h" +#include "ssl_local.h" #ifndef OPENSSL_NO_UNIT_TEST diff --git a/ssl/statem/README b/ssl/statem/README index 145c69db8d54..86cc06637291 100644 --- a/ssl/statem/README +++ b/ssl/statem/README @@ -40,7 +40,7 @@ Conceptually the state machine component is designed as follows: | | | Core state machine code | |____________________________| - statem_locl.h ^ ^ + statem_local.h ^ ^ _________| |_______ | | _____________|____________ _____________|____________ diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 24410991b299..4ef8b417b820 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -10,8 +10,8 @@ #include <string.h> #include "internal/nelem.h" #include "internal/cryptlib.h" -#include "../ssl_locl.h" -#include "statem_locl.h" +#include "../ssl_local.h" +#include "statem_local.h" #include "internal/cryptlib.h" static int final_renegotiate(SSL *s, unsigned int context, int sent); @@ -94,7 +94,7 @@ typedef struct extensions_definition_st { /* * Definitions of all built-in extensions. NOTE: Changes in the number or order * of these extensions should be mirrored with equivalent changes to the - * indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h. + * indexes ( TLSEXT_IDX_* ) defined in ssl_local.h. * Each extension has an initialiser, a client and * server side parser and a finaliser. The initialiser is called (if the * extension is relevant to the given context) even if we did not see the @@ -949,8 +949,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent) * was successful. */ if (s->server) { - /* TODO(OpenSSL1.2) revisit !sent case */ - if (sent && ret == SSL_TLSEXT_ERR_OK && (!s->hit || SSL_IS_TLS13(s))) { + if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) { /* Only store the hostname in the session if we accepted it. */ OPENSSL_free(s->session->ext.hostname); s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); @@ -1011,6 +1010,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent) /* TLSv1.3 doesn't have warning alerts so we suppress this */ if (!SSL_IS_TLS13(s)) ssl3_send_alert(s, SSL3_AL_WARNING, altmp); + s->servername_done = 0; return 1; case SSL_TLSEXT_ERR_NOACK: 
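Review bot: The new `s->servername_done = 0;` in the SSL_TLSEXT_ERR_ALERT_WARNING case of final_server_name has no comment, and its effect (the server no longer acknowledges the extension when the callback only warned) is visible only by reading tls_construct_stoc_server_name; suggest `/* A warning from the callback means we did not accept the name: do not ack it */`. Dropping `|| SSL_IS_TLS13(s)` from the store condition also means that after a TLSv1.3 resumption s->session->ext.hostname keeps the name from the original handshake even if this ClientHello carried a different one; if new tickets are derived from s->session (outside the hunk) they will carry the stale name, which is harmless for TLSv1.3 lookups since the handshake value is always used, but worth stating in the comment. final_server_name starts and ends outside the hunk.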
@@ -1449,7 +1449,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE]; unsigned char *early_secret; #ifdef CHARSET_EBCDIC - static const unsigned char resumption_label[] = { 0x72, 0x65, 0x64, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 }; + static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 }; static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 }; #else static const unsigned char resumption_label[] = "res binder"; diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index f0ae642fa098..bcce0f1d9534 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -8,9 +8,9 @@ */ #include <openssl/ocsp.h> -#include "../ssl_locl.h" +#include "../ssl_local.h" #include "internal/cryptlib.h" -#include "statem_locl.h" +#include "statem_local.h" EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c index a4cdc81d68b9..a0ba18efa704 100644 --- a/ssl/statem/extensions_cust.c +++ b/ssl/statem/extensions_cust.c @@ -10,9 +10,9 @@ /* Custom extension utility functions */ #include <openssl/ct.h> -#include "../ssl_locl.h" +#include "../ssl_local.h" #include "internal/cryptlib.h" -#include "statem_locl.h" +#include "statem_local.h" typedef struct { void *add_arg; diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index ab5453f63ecc..3b07c6b940f4 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c 
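Review bot: The corrected EBCDIC resumption_label in tls_psk_do_binder has nothing tying it to the ASCII literal in the #else branch, which is how the 0x64/0x73 ('d'/'s') slip went unnoticed; a wrong label makes every TLSv1.3 PSK binder fail against a conforming peer while looking like a generic handshake failure. Suggest a comment on the EBCDIC arrays, `/* "res binder" / "ext binder" as ASCII bytes (RFC 8446 s4.2.11.2); keep byte-identical to the #else literals */`, and, if a known-answer vector is available, a test that exercises the binder derivation on an EBCDIC build. tls_psk_do_binder starts and ends outside the hunk.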
@@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,8 +8,8 @@ */ #include <openssl/ocsp.h> -#include "../ssl_locl.h" -#include "statem_locl.h" +#include "../ssl_local.h" +#include "statem_local.h" #include "internal/cryptlib.h" #define COOKIE_STATE_FORMAT_VERSION 0 @@ -127,6 +127,10 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, return 0; } + /* + * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3 + * we always use the SNI value from the handshake. + */ if (!s->hit || SSL_IS_TLS13(s)) { if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) { SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, @@ -155,8 +159,12 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, } s->servername_done = 1; - } - if (s->hit) { + } else { + /* + * In TLSv1.2 and below we should check if the SNI is consistent between + * the initial handshake and the resumption. In TLSv1.3 SNI is not + * associated with the session. + */ /* * TODO(openssl-team): if the SNI doesn't match, we MUST * fall back to a full handshake. @@ -164,9 +172,6 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, s->servername_done = (s->session->ext.hostname != NULL) && PACKET_equal(&hostname, s->session->ext.hostname, strlen(s->session->ext.hostname)); - - if (!s->servername_done && s->session->ext.hostname != NULL) - s->ext.early_data_ok = 0; } return 1; 
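Review bot: The restructured tls_parse_ctos_server_name drops the `s->ext.early_data_ok = 0` line that previously disabled 0-RTT when a resumed ClientHello carried an SNI different from the one stored in the session, and the new comments do not say where that protection now lives. For TLSv1.3 the first branch is taken on resumption, so unless an equivalent check exists elsewhere in this commit (other files are outside this chunk) the server may now accept early data for a ticket issued under another server name; if that is intended because applications can refuse via the early-data callback, state it in the new comment. The else branch still carries the open TODO that an SNI mismatch on a TLSv1.2 resumption should force a full handshake rather than only clearing servername_done. tls_parse_ctos_server_name starts and ends outside the hunks.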
@@ -1330,8 +1335,14 @@ EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { - if (s->hit || s->servername_done != 1 - || s->ext.hostname == NULL) + if (s->servername_done != 1) + return EXT_RETURN_NOT_SENT; + + /* + * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming. + * We just use the servername from the initial handshake. + */ + if (s->hit && !SSL_IS_TLS13(s)) return EXT_RETURN_NOT_SENT; if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index e3c5ec003874..20f5bd584e6c 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -9,8 +9,8 @@ #include "internal/cryptlib.h" #include <openssl/rand.h> -#include "../ssl_locl.h" -#include "statem_locl.h" +#include "../ssl_local.h" +#include "statem_local.h" #include <assert.h> /* diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 6410414fb64a..64e392cfbfc7 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -12,8 +12,8 @@ #include <stdio.h> #include <time.h> #include <assert.h> -#include "../ssl_locl.h" -#include "statem_locl.h" +#include "../ssl_local.h" +#include "statem_local.h" #include <openssl/buffer.h> #include <openssl/rand.h> #include <openssl/objects.h> diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index b016fa7cff74..8e3fb686ee27 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -10,8 +10,8 @@ #include <limits.h> #include <string.h> #include <stdio.h> -#include "../ssl_locl.h" -#include "statem_locl.h" +#include "../ssl_local.h" +#include "statem_local.h" #include "internal/cryptlib.h" #include <openssl/buffer.h> #include <openssl/objects.h> diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 22e9f0490e2d..43d6fd5de941 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c 
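Review bot: The rewritten guard in tls_construct_stoc_server_name no longer checks `s->ext.hostname == NULL`, so it now relies on the invariant that servername_done == 1 is only set after a hostname was parsed and stored. That holds for the parse path visible in extensions_srvr.c, but it is worth recording next to the first check: `/* servername_done == 1 implies s->ext.hostname was accepted in tls_parse_ctos_server_name */`. The function's body continues outside the hunk.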
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -11,8 +11,8 @@ #include <limits.h> #include <string.h> #include <stdio.h> -#include "../ssl_locl.h" -#include "statem_locl.h" +#include "../ssl_local.h" +#include "statem_local.h" #include "internal/cryptlib.h" #include <openssl/buffer.h> #include <openssl/objects.h> @@ -169,17 +169,17 @@ static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, void **hdata, size_t *hdatalen) { #ifdef CHARSET_EBCDIC - static const char *servercontext = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, + static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x00 }; - static const char *clientcontext = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, + static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x00 }; #else - static const char *servercontext = "TLS 1.3, server CertificateVerify"; - static const char *clientcontext = "TLS 1.3, client CertificateVerify"; + static const char servercontext[] = "TLS 1.3, server CertificateVerify"; + static const char clientcontext[] = "TLS 1.3, client CertificateVerify"; #endif if (SSL_IS_TLS13(s)) { size_t hashlen; 
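Review bot: The EBCDIC arrays in get_cert_verify_tbs_data deserve a comment saying why they are spelled as hex bytes: the values are the ASCII codes of the literal used in the `#else` branch (0x54 0x4c 0x53 is "TLS"), so the CertificateVerify context string stays byte-identical on the wire whatever the host charset, and both forms are 34 bytes including the terminating NUL. Suggested comment above the `#ifdef CHARSET_EBCDIC` block: `/* ASCII bytes of the context strings, NUL-terminated: the value signed over must not be in the host charset */`. The rest of the function is outside the hunk.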
@@ -844,9 +844,11 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) return MSG_PROCESS_ERROR; } } else { + /* TLS 1.3 gets the secret size from the handshake md */ + size_t dummy; if (!s->method->ssl3_enc->generate_master_secret(s, s->master_secret, s->handshake_secret, 0, - &s->session->master_key_length)) { + &dummy)) { /* SSLfatal() already called */ return MSG_PROCESS_ERROR; } @@ -1033,14 +1035,25 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) int cleanuphand = s->statem.cleanuphand; if (clearbufs) { - if (!SSL_IS_DTLS(s)) { + if (!SSL_IS_DTLS(s) +#ifndef OPENSSL_NO_SCTP /* - * We don't do this in DTLS because we may still need the init_buf + * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS + * messages that require it. Therefore, DTLS procedures for retransmissions + * MUST NOT be used. + * Hence the init_buf can be cleared when DTLS over SCTP as transport is used. + */ + || BIO_dgram_is_sctp(SSL_get_wbio(s)) +#endif + ) { + /* + * We don't do this in DTLS over UDP because we may still need the init_buf * in case there are any unexpected retransmits */ BUF_MEM_free(s->init_buf); s->init_buf = NULL; } + if (!ssl_free_wbio_buffer(s)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE, ERR_R_INTERNAL_ERROR); diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_local.h index e27c0c13a2bb..e27c0c13a2bb 100644 --- a/ssl/statem/statem_locl.h +++ b/ssl/statem/statem_local.h diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 8cf9c40d15c0..14cb27e6db01 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * 
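Review bot: In tls_finish_handshake the `#ifndef OPENSSL_NO_SCTP` block is spliced into the middle of the `if (` condition, which leaves a dangling `||` under one configuration and a three-line condition with a comment inside it under the other; hoisting the decision into a local keeps the preprocessor out of the expression and lets the RFC6083 note sit next to the SCTP test it justifies. This assumes the write BIO is always set by the time the handshake finishes, since `BIO_dgram_is_sctp(SSL_get_wbio(s))` is called unconditionally. The enclosing `if (clearbufs)` and the function continue outside the hunk.
```c
    if (clearbufs) {
        int keep_init_buf = SSL_IS_DTLS(s);
#ifndef OPENSSL_NO_SCTP
        /*
         * RFC6083: SCTP provides a reliable and in-sequence transport, so
         * DTLS retransmission procedures MUST NOT be used and init_buf can
         * be released for DTLS over SCTP as well.
         */
        if (keep_init_buf && BIO_dgram_is_sctp(SSL_get_wbio(s)))
            keep_init_buf = 0;
#endif
        /* DTLS over UDP may still need init_buf for unexpected retransmits */
        if (!keep_init_buf) {
            BUF_MEM_free(s->init_buf);
            s->init_buf = NULL;
        }
        /* … unchanged: ssl_free_wbio_buffer() check and the rest of the cleanup … */
```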
@@ -10,9 +10,9 @@ */ #include <stdio.h> -#include "../ssl_locl.h" -#include "statem_locl.h" -#include "internal/constant_time_locl.h" +#include "../ssl_local.h" +#include "statem_local.h" +#include "internal/constant_time.h" #include "internal/cryptlib.h" #include <openssl/buffer.h> #include <openssl/rand.h> @@ -23,9 +23,24 @@ #include <openssl/dh.h> #include <openssl/bn.h> #include <openssl/md5.h> +#include <openssl/asn1t.h> #define TICKET_NONCE_SIZE 8 +typedef struct { + ASN1_TYPE *kxBlob; + ASN1_TYPE *opaqueBlob; +} GOST_KX_MESSAGE; + +DECLARE_ASN1_FUNCTIONS(GOST_KX_MESSAGE) + +ASN1_SEQUENCE(GOST_KX_MESSAGE) = { + ASN1_SIMPLE(GOST_KX_MESSAGE, kxBlob, ASN1_ANY), + ASN1_OPT(GOST_KX_MESSAGE, opaqueBlob, ASN1_ANY), +} ASN1_SEQUENCE_END(GOST_KX_MESSAGE) + +IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE) + static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt); /* @@ -728,7 +743,15 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) case TLS_ST_SW_CHANGE: if (SSL_IS_TLS13(s)) break; - s->session->cipher = s->s3->tmp.new_cipher; + /* Writes to s->session are only safe for initial handshakes */ + if (s->session->cipher == NULL) { + s->session->cipher = s->s3->tmp.new_cipher; + } else if (s->session->cipher != s->s3->tmp.new_cipher) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_SERVER_PRE_WORK, + ERR_R_INTERNAL_ERROR); + return WORK_ERROR; + } if (!s->method->ssl3_enc->setup_key_block(s)) { /* SSLfatal() already called */ return WORK_ERROR; @@ -932,9 +955,11 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) } #endif if (SSL_IS_TLS13(s)) { + /* TLS 1.3 gets the secret size from the handshake md */ + size_t dummy; if (!s->method->ssl3_enc->generate_master_secret(s, s->master_secret, s->handshake_secret, 0, - &s->session->master_key_length) + &dummy) || !s->method->ssl3_enc->change_cipher_state(s, SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE)) /* SSLfatal() already called */ 
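Review bot: `DECLARE_ASN1_FUNCTIONS(GOST_KX_MESSAGE)` and `IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE)` at file scope give `d2i_GOST_KX_MESSAGE`, `i2d_GOST_KX_MESSAGE`, `GOST_KX_MESSAGE_new` and `GOST_KX_MESSAGE_free` external linkage even though they are only used inside statem_srvr.c, unlike the `static` helpers declared right next to them. Whether they actually escape libssl depends on the build's symbol map, but if the asn1t.h in this tree offers static variants of the implement macros they would be the better fit; if external linkage is intended, say so in a comment. The type is also the only ASN.1 parser on this page that is fed peer bytes directly, so a line on the typedef such as `/* Decoded from the peer's ClientKeyExchange; kxBlob is validated in tls_process_cke_gost() */` would help readers of the struct.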
@@ -3320,9 +3345,9 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt) const unsigned char *start; size_t outlen = 32, inlen; unsigned long alg_a; - unsigned int asn1id, asn1len; + GOST_KX_MESSAGE *pKX = NULL; + const unsigned char *ptr; int ret = 0; - PACKET encdata; /* Get our certificate private key */ alg_a = s->s3->tmp.new_cipher->algorithm_auth; 
@@ -3363,42 +3388,33 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt) if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) ERR_clear_error(); } - /* Decrypt session key */ - if (!PACKET_get_1(pkt, &asn1id) - || asn1id != (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED) - || !PACKET_peek_1(pkt, &asn1len)) { - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, - SSL_R_DECRYPTION_FAILED); - goto err; + + ptr = PACKET_data(pkt); + /* Some implementations provide extra data in the opaqueBlob + * We have nothing to do with this blob so we just skip it */ + pKX = d2i_GOST_KX_MESSAGE(NULL, &ptr, PACKET_remaining(pkt)); + if (pKX == NULL + || pKX->kxBlob == NULL + || ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + SSL_R_DECRYPTION_FAILED); + goto err; } - if (asn1len == 0x81) { - /* - * Long form length. Should only be one byte of length. Anything else - * isn't supported. - * We did a successful peek before so this shouldn't fail - */ - if (!PACKET_forward(pkt, 1)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, - SSL_R_DECRYPTION_FAILED); - goto err; - } - } else if (asn1len >= 0x80) { - /* - * Indefinite length, or more than one long form length bytes. 
We don't - * support it - */ - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + + if (!PACKET_forward(pkt, ptr - PACKET_data(pkt))) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED); goto err; - } /* else short form length */ + } - if (!PACKET_as_length_prefixed_1(pkt, &encdata)) { - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, + if (PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED); goto err; } - inlen = PACKET_remaining(&encdata); - start = PACKET_data(&encdata); + + inlen = pKX->kxBlob->value.sequence->length; + start = pKX->kxBlob->value.sequence->data; if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) { @@ -3420,6 +3436,7 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt) ret = 1; err: EVP_PKEY_CTX_free(pkey_ctx); + GOST_KX_MESSAGE_free(pKX); return ret; #else /* Should never happen */ diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 57fb17a66031..c85c0b0310e1 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -9,7 +9,7 @@ */ #include <stdio.h> -#include "ssl_locl.h" +#include "ssl_local.h" #include <openssl/comp.h> #include <openssl/evp.h> #include <openssl/kdf.h> @@ -466,7 +466,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, unsigned char hash[EVP_MAX_MD_SIZE * 2]; size_t hashlen; /* - * Digest cached records keeping record buffer (if present): this wont + * Digest cached records keeping record buffer (if present): this won't * affect client auth because we're freezing the buffer at the same * point (after client key exchange and before certificate verify) */ diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index b482019c4c17..a254fd5a0559 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c 
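Review bot: The `PACKET_remaining(pkt) != 0` check in tls_process_cke_gost reports trailing bytes in the peer's ClientKeyExchange as `SSL_AD_INTERNAL_ERROR`, but that is a malformed peer message rather than a library fault; the decode failure a few lines above uses `SSL_AD_DECODE_ERROR` and this check should match it: `SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);`. The `PACKET_forward` failure right before it is reasonably internal, since `ptr` started at `PACKET_data(pkt)` and the decoder should not advance beyond the length it was given. A short comment that the `ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE` test is what makes the later `value.sequence->length`/`->data` accesses valid would also help, and the block comment above `d2i_GOST_KX_MESSAGE` puts text on its opening `/*` line unlike the file's other multi-line comments. The function's declarations are in the previous hunk and its body continues past this one.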
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -18,10 +18,11 @@ #include <openssl/dh.h> #include <openssl/bn.h> #include "internal/nelem.h" -#include "ssl_locl.h" +#include "ssl_local.h" #include <openssl/ct.h> static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey); +static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu); SSL3_ENC_METHOD const TLSv1_enc_data = { tls1_enc, @@ -849,8 +850,11 @@ static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu) } /* - * Return a signature algorithm for TLS < 1.2 where the signature type - * is fixed by the certificate type. + * Returns a signature algorithm when the peer did not send a list of supported + * signature algorithms. The signature algorithm is fixed for the certificate + * type. |idx| is a certificate type index (SSL_PKEY_*). When |idx| is -1 the + * certificate type from |s| will be used. + * Returns the signature algorithm to use, or NULL on error. */ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) { @@ -893,8 +897,12 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx) if (!tls1_lookup_md(lu, NULL)) return NULL; + if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu)) + return NULL; return lu; } + if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, &legacy_rsa_sigalg)) + return NULL; return &legacy_rsa_sigalg; } /* Set peer sigalg based key type */ 
@@ -984,6 +992,31 @@ int tls_check_sigalg_curve(const SSL *s, int curve) #endif /* + * Return the number of security bits for the signature algorithm, or 0 on + * error. + */ +static int sigalg_security_bits(const SIGALG_LOOKUP *lu) +{ + const EVP_MD *md = NULL; + int secbits = 0; + + if (!tls1_lookup_md(lu, &md)) + return 0; + if (md != NULL) + { + /* Security bits: half digest bits */ + secbits = EVP_MD_size(md) * 4; + } else { + /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */ + if (lu->sigalg == TLSEXT_SIGALG_ed25519) + secbits = 128; + else if (lu->sigalg == TLSEXT_SIGALG_ed448) + secbits = 224; + } + return secbits; +} + +/* * Check signature algorithm is consistent with sent supported signature * algorithms and if so set relevant digest and signature scheme in * s. @@ -996,6 +1029,7 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) size_t sent_sigslen, i, cidx; int pkeyid = EVP_PKEY_id(pkey); const SIGALG_LOOKUP *lu; + int secbits = 0; /* Should never happen */ if (pkeyid == -1) 
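Review bot: In sigalg_security_bits the opening brace after `if (md != NULL)` sits on its own line, which clashes with the K&R layout used two lines later (`} else {`) and throughout the file; write it as `if (md != NULL) {`. The header comment says 0 is returned "on error", but 0 is also the result for any hash-less sigalg that is neither ed25519 nor ed448, so callers cannot tell the two cases apart; a line such as `/* 0 is also returned for hash-less sigalgs without an entry here: callers treat it as unknown strength */` would make that explicit.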
@@ -1097,20 +1131,20 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) SSL_R_UNKNOWN_DIGEST); return 0; } - if (md != NULL) { - /* - * Make sure security callback allows algorithm. For historical - * reasons we have to pass the sigalg as a two byte char array. - */ - sigalgstr[0] = (sig >> 8) & 0xff; - sigalgstr[1] = sig & 0xff; - if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK, - EVP_MD_size(md) * 4, EVP_MD_type(md), - (void *)sigalgstr)) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, - SSL_R_WRONG_SIGNATURE_TYPE); - return 0; - } + /* + * Make sure security callback allows algorithm. For historical + * reasons we have to pass the sigalg as a two byte char array. + */ + sigalgstr[0] = (sig >> 8) & 0xff; + sigalgstr[1] = sig & 0xff; + secbits = sigalg_security_bits(lu); + if (secbits == 0 || + !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, + md != NULL ? EVP_MD_type(md) : NID_undef, + (void *)sigalgstr)) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG, + SSL_R_WRONG_SIGNATURE_TYPE); + return 0; } /* Store the sigalg the peer uses */ s->s3->tmp.peer_sigalg = lu; @@ -1176,7 +1210,7 @@ int ssl_set_client_disabled(SSL *s) * * Returns 1 when it's disabled, 0 when enabled. */ -int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int ecdhe) +int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ecdhe) { if (c->algorithm_mkey & s->s3->tmp.mask_k || c->algorithm_auth & s->s3->tmp.mask_a) @@ -1556,7 +1590,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick, } /* Check to see if a signature algorithm is allowed */ -static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu) +static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) { unsigned char sigalgstr[2]; int secbits; 
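Review bot: `if (secbits == 0 ||` in tls12_check_peer_sigalg leaves the operator at the end of the line, whereas the continuation lines elsewhere in this series (`|| !s->method->ssl3_enc->change_cipher_state` in statem_srvr.c) lead with it; `if (secbits == 0` / `|| !ssl_security(...)` would match. Behaviourally the hunk now runs the security callback for hash-less sigalgs as well, passing `NID_undef` as the digest, where the old code skipped it entirely; that is the intended hardening, but the comment only says "Make sure security callback allows algorithm", so extend it with `/* EdDSA sigalgs have no digest: their strength comes from sigalg_security_bits() and the md NID is NID_undef */`.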
@@ -1617,11 +1651,8 @@ static int tls12_sigalg_allowed(SSL *s, int op, const SIGALG_LOOKUP *lu) } } - if (lu->hash == NID_undef) - return 1; - /* Security bits: half digest bits */ - secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4; /* Finally see if security callback allows it */ + secbits = sigalg_security_bits(lu); sigalgstr[0] = (lu->sigalg >> 8) & 0xff; sigalgstr[1] = lu->sigalg & 0xff; return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr); @@ -2774,6 +2805,26 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) #endif break; } +#ifndef OPENSSL_NO_GOST + /* + * Some Windows-based implementations do not send GOST algorithms indication + * in supported_algorithms extension, so when we have GOST-based ciphersuite, + * we have to assume GOST support. + */ + if (i == s->shared_sigalgslen && s->s3->tmp.new_cipher->algorithm_auth & (SSL_aGOST01 | SSL_aGOST12)) { + if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { + if (!fatalerrs) + return 1; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_CHOOSE_SIGALG, + SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); + return 0; + } else { + i = 0; + sig_idx = lu->sig_idx; + } + } +#endif if (i == s->shared_sigalgslen) { if (!fatalerrs) return 1; diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index be3039af3822..5c84339314cd 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "ssl_locl.h" +#include "ssl_local.h" #ifndef OPENSSL_NO_SSL_TRACE @@ -1246,8 +1246,9 @@ static int ssl_print_certificates(BIO *bio, const SSL *ssl, int server, while (clen > 0) { if (!ssl_print_certificate(bio, indent + 2, &msg, &clen)) return 0; - if (!ssl_print_extensions(bio, indent + 2, server, SSL3_MT_CERTIFICATE, - &msg, &clen)) + if (SSL_IS_TLS13(ssl) + && !ssl_print_extensions(bio, indent + 2, server, + SSL3_MT_CERTIFICATE, &msg, &clen)) return 0; } diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index b5f57a02f747..86754dc9677c 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c 
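Review bot: tls12_sigalg_allowed passes `secbits = sigalg_security_bits(lu)` straight into `ssl_security` without treating 0 as an error, while tls12_check_peer_sigalg in the previous hunk of this file rejects `secbits == 0` before consulting the callback; at security level 0 a sigalg whose strength could not be determined would therefore be allowed here but rejected there. Unless leaving unknown-strength sigalgs to the callback is deliberate, add `if (secbits == 0)` / `return 0;` before the `ssl_security` call so both paths agree. The function's start is outside the hunk.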
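Review bot: The GOST fallback condition in tls_choose_sigalg mixes `&&` with an unparenthesised `&` on a line well over 80 columns; it parses as intended, but the file's style is to wrap and parenthesise: `if (i == s->shared_sigalgslen` / `&& (s->s3->tmp.new_cipher->algorithm_auth` / `& (SSL_aGOST01 | SSL_aGOST12)) != 0) {`, and the `else` after the `return 0` is unnecessary. Since tls1_get_legacy_sigalg now runs tls12_sigalg_allowed (earlier hunk of this file), assuming GOST support without a peer indication still honours the security level, which is worth stating: `/* tls1_get_legacy_sigalg() still applies the configured security level */`. The body of tls_choose_sigalg continues outside the hunk.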
@@ -1,5 +1,5 @@ /* - * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,7 +8,7 @@ */ #include <stdlib.h> -#include "ssl_locl.h" +#include "ssl_local.h" #include "internal/cryptlib.h" #include <openssl/evp.h> #include <openssl/kdf.h> @@ -44,7 +44,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, * prefix and label + bytes for the label itself + 1 byte length of hash * + bytes for the hash itself */ - unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) + + unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) + (sizeof(label_prefix) - 1) + TLS13_MAX_LABEL_LEN + 1 + EVP_MAX_MD_SIZE]; WPACKET pkt; diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c index f94e46b4e872..ede7427ff89d 100644 --- a/ssl/tls_srp.c +++ b/ssl/tls_srp.c @@ -14,7 +14,7 @@ #include <openssl/crypto.h> #include <openssl/rand.h> #include <openssl/err.h> -#include "ssl_locl.h" +#include "ssl_local.h" #ifndef OPENSSL_NO_SRP # include <openssl/srp.h> |