summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_srvr.c
diff options
context:
space:
mode:
authordjm <>2012-10-13 21:25:14 +0000
committerdjm <>2012-10-13 21:25:14 +0000
commit942650cdef05a877200cb7aff3a075935a5fd0cd (patch)
tree281e0a29ae8f87a8c47fbd4deaa1f3d48b8cc5c1 /src/lib/libssl/s3_srvr.c
parent37f091539f73e1650c83acd0c78677ef48c209a6 (diff)
downloadopenbsd-942650cdef05a877200cb7aff3a075935a5fd0cd.tar.gz
openbsd-942650cdef05a877200cb7aff3a075935a5fd0cd.tar.bz2
openbsd-942650cdef05a877200cb7aff3a075935a5fd0cd.zip
resolve conflicts
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
-rw-r--r--src/lib/libssl/s3_srvr.c546
1 files changed, 460 insertions, 86 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index d734c359fb..118939fabb 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -179,6 +179,31 @@ static const SSL_METHOD *ssl3_get_server_method(int ver)
179 return(NULL); 179 return(NULL);
180 } 180 }
181 181
182#ifndef OPENSSL_NO_SRP
183static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
184 {
185 int ret = SSL_ERROR_NONE;
186
187 *al = SSL_AD_UNRECOGNIZED_NAME;
188
189 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
190 (s->srp_ctx.TLS_ext_srp_username_callback != NULL))
191 {
192 if(s->srp_ctx.login == NULL)
193 {
194 /* There isn't any srp login extension !!! */
195 ret = SSL3_AL_FATAL;
196 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
197 }
198 else
199 {
200 ret = SSL_srp_server_param_with_username(s,al);
201 }
202 }
203 return ret;
204 }
205#endif
206
182IMPLEMENT_ssl3_meth_func(SSLv3_server_method, 207IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
183 ssl3_accept, 208 ssl3_accept,
184 ssl_undefined_function, 209 ssl_undefined_function,
@@ -211,6 +236,18 @@ int ssl3_accept(SSL *s)
211 return(-1); 236 return(-1);
212 } 237 }
213 238
239#ifndef OPENSSL_NO_HEARTBEATS
240 /* If we're awaiting a HeartbeatResponse, pretend we
241 * already got and don't await it anymore, because
242 * Heartbeats don't make sense during handshakes anyway.
243 */
244 if (s->tlsext_hb_pending)
245 {
246 s->tlsext_hb_pending = 0;
247 s->tlsext_hb_seq++;
248 }
249#endif
250
214 for (;;) 251 for (;;)
215 { 252 {
216 state=s->state; 253 state=s->state;
@@ -218,7 +255,7 @@ int ssl3_accept(SSL *s)
218 switch (s->state) 255 switch (s->state)
219 { 256 {
220 case SSL_ST_RENEGOTIATE: 257 case SSL_ST_RENEGOTIATE:
221 s->new_session=1; 258 s->renegotiate=1;
222 /* s->state=SSL_ST_ACCEPT; */ 259 /* s->state=SSL_ST_ACCEPT; */
223 260
224 case SSL_ST_BEFORE: 261 case SSL_ST_BEFORE:
@@ -314,10 +351,34 @@ int ssl3_accept(SSL *s)
314 case SSL3_ST_SR_CLNT_HELLO_C: 351 case SSL3_ST_SR_CLNT_HELLO_C:
315 352
316 s->shutdown=0; 353 s->shutdown=0;
317 ret=ssl3_get_client_hello(s); 354 if (s->rwstate != SSL_X509_LOOKUP)
318 if (ret <= 0) goto end; 355 {
319 356 ret=ssl3_get_client_hello(s);
320 s->new_session = 2; 357 if (ret <= 0) goto end;
358 }
359#ifndef OPENSSL_NO_SRP
360 {
361 int al;
362 if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) < 0)
363 {
364 /* callback indicates firther work to be done */
365 s->rwstate=SSL_X509_LOOKUP;
366 goto end;
367 }
368 if (ret != SSL_ERROR_NONE)
369 {
370 ssl3_send_alert(s,SSL3_AL_FATAL,al);
371 /* This is not really an error but the only means to
372 for a client to detect whether srp is supported. */
373 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
374 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);
375 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
376 ret= -1;
377 goto end;
378 }
379 }
380#endif
381 s->renegotiate = 2;
321 s->state=SSL3_ST_SW_SRVR_HELLO_A; 382 s->state=SSL3_ST_SW_SRVR_HELLO_A;
322 s->init_num=0; 383 s->init_num=0;
323 break; 384 break;
@@ -346,7 +407,7 @@ int ssl3_accept(SSL *s)
346 case SSL3_ST_SW_CERT_A: 407 case SSL3_ST_SW_CERT_A:
347 case SSL3_ST_SW_CERT_B: 408 case SSL3_ST_SW_CERT_B:
348 /* Check if it is anon DH or anon ECDH, */ 409 /* Check if it is anon DH or anon ECDH, */
349 /* normal PSK or KRB5 */ 410 /* normal PSK or KRB5 or SRP */
350 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 411 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
351 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 412 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
352 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 413 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
@@ -411,6 +472,10 @@ int ssl3_accept(SSL *s)
411#ifndef OPENSSL_NO_PSK 472#ifndef OPENSSL_NO_PSK
412 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) 473 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
413#endif 474#endif
475#ifndef OPENSSL_NO_SRP
476 /* SRP: send ServerKeyExchange */
477 || (alg_k & SSL_kSRP)
478#endif
414 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) 479 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
415 || (alg_k & SSL_kEECDH) 480 || (alg_k & SSL_kEECDH)
416 || ((alg_k & SSL_kRSA) 481 || ((alg_k & SSL_kRSA)
@@ -457,6 +522,9 @@ int ssl3_accept(SSL *s)
457 skip=1; 522 skip=1;
458 s->s3->tmp.cert_request=0; 523 s->s3->tmp.cert_request=0;
459 s->state=SSL3_ST_SW_SRVR_DONE_A; 524 s->state=SSL3_ST_SW_SRVR_DONE_A;
525 if (s->s3->handshake_buffer)
526 if (!ssl3_digest_cached_records(s))
527 return -1;
460 } 528 }
461 else 529 else
462 { 530 {
@@ -539,9 +607,34 @@ int ssl3_accept(SSL *s)
539 * the client uses its key from the certificate 607 * the client uses its key from the certificate
540 * for key exchange. 608 * for key exchange.
541 */ 609 */
610#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
542 s->state=SSL3_ST_SR_FINISHED_A; 611 s->state=SSL3_ST_SR_FINISHED_A;
612#else
613 if (s->s3->next_proto_neg_seen)
614 s->state=SSL3_ST_SR_NEXT_PROTO_A;
615 else
616 s->state=SSL3_ST_SR_FINISHED_A;
617#endif
543 s->init_num = 0; 618 s->init_num = 0;
544 } 619 }
620 else if (TLS1_get_version(s) >= TLS1_2_VERSION)
621 {
622 s->state=SSL3_ST_SR_CERT_VRFY_A;
623 s->init_num=0;
624 if (!s->session->peer)
625 break;
626 /* For TLS v1.2 freeze the handshake buffer
627 * at this point and digest cached records.
628 */
629 if (!s->s3->handshake_buffer)
630 {
631 SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_INTERNAL_ERROR);
632 return -1;
633 }
634 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
635 if (!ssl3_digest_cached_records(s))
636 return -1;
637 }
545 else 638 else
546 { 639 {
547 int offset=0; 640 int offset=0;
@@ -582,23 +675,37 @@ int ssl3_accept(SSL *s)
582 ret=ssl3_get_cert_verify(s); 675 ret=ssl3_get_cert_verify(s);
583 if (ret <= 0) goto end; 676 if (ret <= 0) goto end;
584 677
678#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
585 s->state=SSL3_ST_SR_FINISHED_A; 679 s->state=SSL3_ST_SR_FINISHED_A;
680#else
681 if (s->s3->next_proto_neg_seen)
682 s->state=SSL3_ST_SR_NEXT_PROTO_A;
683 else
684 s->state=SSL3_ST_SR_FINISHED_A;
685#endif
586 s->init_num=0; 686 s->init_num=0;
587 break; 687 break;
588 688
689#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
690 case SSL3_ST_SR_NEXT_PROTO_A:
691 case SSL3_ST_SR_NEXT_PROTO_B:
692 ret=ssl3_get_next_proto(s);
693 if (ret <= 0) goto end;
694 s->init_num = 0;
695 s->state=SSL3_ST_SR_FINISHED_A;
696 break;
697#endif
698
589 case SSL3_ST_SR_FINISHED_A: 699 case SSL3_ST_SR_FINISHED_A:
590 case SSL3_ST_SR_FINISHED_B: 700 case SSL3_ST_SR_FINISHED_B:
591 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 701 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
592 SSL3_ST_SR_FINISHED_B); 702 SSL3_ST_SR_FINISHED_B);
593 if (ret <= 0) goto end; 703 if (ret <= 0) goto end;
594#ifndef OPENSSL_NO_TLSEXT
595 if (s->tlsext_ticket_expected)
596 s->state=SSL3_ST_SW_SESSION_TICKET_A;
597 else if (s->hit)
598 s->state=SSL_ST_OK;
599#else
600 if (s->hit) 704 if (s->hit)
601 s->state=SSL_ST_OK; 705 s->state=SSL_ST_OK;
706#ifndef OPENSSL_NO_TLSEXT
707 else if (s->tlsext_ticket_expected)
708 s->state=SSL3_ST_SW_SESSION_TICKET_A;
602#endif 709#endif
603 else 710 else
604 s->state=SSL3_ST_SW_CHANGE_A; 711 s->state=SSL3_ST_SW_CHANGE_A;
@@ -656,7 +763,16 @@ int ssl3_accept(SSL *s)
656 if (ret <= 0) goto end; 763 if (ret <= 0) goto end;
657 s->state=SSL3_ST_SW_FLUSH; 764 s->state=SSL3_ST_SW_FLUSH;
658 if (s->hit) 765 if (s->hit)
766 {
767#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
659 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 768 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
769#else
770 if (s->s3->next_proto_neg_seen)
771 s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
772 else
773 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
774#endif
775 }
660 else 776 else
661 s->s3->tmp.next_state=SSL_ST_OK; 777 s->s3->tmp.next_state=SSL_ST_OK;
662 s->init_num=0; 778 s->init_num=0;
@@ -674,11 +790,9 @@ int ssl3_accept(SSL *s)
674 790
675 s->init_num=0; 791 s->init_num=0;
676 792
677 if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ 793 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
678 { 794 {
679 /* actually not necessarily a 'new' session unless 795 s->renegotiate=0;
680 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
681
682 s->new_session=0; 796 s->new_session=0;
683 797
684 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 798 ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
@@ -756,14 +870,6 @@ int ssl3_check_client_hello(SSL *s)
756 int ok; 870 int ok;
757 long n; 871 long n;
758 872
759 /* We only allow the client to restart the handshake once per
760 * negotiation. */
761 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
762 {
763 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
764 return -1;
765 }
766
767 /* this function is called when we really expect a Certificate message, 873 /* this function is called when we really expect a Certificate message,
768 * so permit appropriate message length */ 874 * so permit appropriate message length */
769 n=s->method->ssl_get_message(s, 875 n=s->method->ssl_get_message(s,
@@ -776,6 +882,13 @@ int ssl3_check_client_hello(SSL *s)
776 s->s3->tmp.reuse_message = 1; 882 s->s3->tmp.reuse_message = 1;
777 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) 883 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
778 { 884 {
885 /* We only allow the client to restart the handshake once per
886 * negotiation. */
887 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
888 {
889 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
890 return -1;
891 }
779 /* Throw away what we have done so far in the current handshake, 892 /* Throw away what we have done so far in the current handshake,
780 * which will now be aborted. (A full SSL_clear would be too much.) */ 893 * which will now be aborted. (A full SSL_clear would be too much.) */
781#ifndef OPENSSL_NO_DH 894#ifndef OPENSSL_NO_DH
@@ -817,7 +930,8 @@ int ssl3_get_client_hello(SSL *s)
817 * If we are SSLv3, we will respond with SSLv3, even if prompted with 930 * If we are SSLv3, we will respond with SSLv3, even if prompted with
818 * TLSv1. 931 * TLSv1.
819 */ 932 */
820 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) 933 if (s->state == SSL3_ST_SR_CLNT_HELLO_A
934 )
821 { 935 {
822 s->state=SSL3_ST_SR_CLNT_HELLO_B; 936 s->state=SSL3_ST_SR_CLNT_HELLO_B;
823 } 937 }
@@ -874,13 +988,16 @@ int ssl3_get_client_hello(SSL *s)
874 j= *(p++); 988 j= *(p++);
875 989
876 s->hit=0; 990 s->hit=0;
877 /* Versions before 0.9.7 always allow session reuse during renegotiation 991 /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation.
878 * (i.e. when s->new_session is true), option 992 * 0.9.7 and later allow this by default, but optionally ignore resumption requests
879 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7. 993 * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
880 * Maybe this optional behaviour should always have been the default, 994 * than a change to default behavior so that applications relying on this for security
881 * but we cannot safely change the default behaviour (or new applications 995 * won't even compile against older library versions).
882 * might be written that become totally unsecure when compiled with 996 *
883 * an earlier library version) 997 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to request
998 * renegotiation but not a new session (s->new_session remains unset): for servers,
999 * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1000 * setting will be ignored.
884 */ 1001 */
885 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 1002 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
886 { 1003 {
@@ -1269,8 +1386,11 @@ int ssl3_get_client_hello(SSL *s)
1269 s->s3->tmp.new_cipher=s->session->cipher; 1386 s->s3->tmp.new_cipher=s->session->cipher;
1270 } 1387 }
1271 1388
1272 if (!ssl3_digest_cached_records(s)) 1389 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER))
1273 goto f_err; 1390 {
1391 if (!ssl3_digest_cached_records(s))
1392 goto f_err;
1393 }
1274 1394
1275 /* we now have the following setup. 1395 /* we now have the following setup.
1276 * client_random 1396 * client_random
@@ -1325,20 +1445,20 @@ int ssl3_send_server_hello(SSL *s)
1325 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 1445 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
1326 p+=SSL3_RANDOM_SIZE; 1446 p+=SSL3_RANDOM_SIZE;
1327 1447
1328 /* now in theory we have 3 options to sending back the 1448 /* There are several cases for the session ID to send
1329 * session id. If it is a re-use, we send back the 1449 * back in the server hello:
1330 * old session-id, if it is a new session, we send 1450 * - For session reuse from the session cache,
1331 * back the new session-id or we send back a 0 length 1451 * we send back the old session ID.
1332 * session-id if we want it to be single use. 1452 * - If stateless session reuse (using a session ticket)
1333 * Currently I will not implement the '0' length session-id 1453 * is successful, we send back the client's "session ID"
1334 * 12-Jan-98 - I'll now support the '0' length stuff. 1454 * (which doesn't actually identify the session).
1335 * 1455 * - If it is a new session, we send back the new
1336 * We also have an additional case where stateless session 1456 * session ID.
1337 * resumption is successful: we always send back the old 1457 * - However, if we want the new session to be single-use,
1338 * session id. In this case s->hit is non zero: this can 1458 * we send back a 0-length session ID.
1339 * only happen if stateless session resumption is succesful 1459 * s->hit is non-zero in either case of session reuse,
1340 * if session caching is disabled so existing functionality 1460 * so the following won't overwrite an ID that we're supposed
1341 * is unaffected. 1461 * to send back.
1342 */ 1462 */
1343 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1463 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
1344 && !s->hit) 1464 && !s->hit)
@@ -1439,6 +1559,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1439 BN_CTX *bn_ctx = NULL; 1559 BN_CTX *bn_ctx = NULL;
1440#endif 1560#endif
1441 EVP_PKEY *pkey; 1561 EVP_PKEY *pkey;
1562 const EVP_MD *md = NULL;
1442 unsigned char *p,*d; 1563 unsigned char *p,*d;
1443 int al,i; 1564 int al,i;
1444 unsigned long type; 1565 unsigned long type;
@@ -1679,21 +1800,44 @@ int ssl3_send_server_key_exchange(SSL *s)
1679 } 1800 }
1680 else 1801 else
1681#endif /* !OPENSSL_NO_PSK */ 1802#endif /* !OPENSSL_NO_PSK */
1803#ifndef OPENSSL_NO_SRP
1804 if (type & SSL_kSRP)
1805 {
1806 if ((s->srp_ctx.N == NULL) ||
1807 (s->srp_ctx.g == NULL) ||
1808 (s->srp_ctx.s == NULL) ||
1809 (s->srp_ctx.B == NULL))
1810 {
1811 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_SRP_PARAM);
1812 goto err;
1813 }
1814 r[0]=s->srp_ctx.N;
1815 r[1]=s->srp_ctx.g;
1816 r[2]=s->srp_ctx.s;
1817 r[3]=s->srp_ctx.B;
1818 }
1819 else
1820#endif
1682 { 1821 {
1683 al=SSL_AD_HANDSHAKE_FAILURE; 1822 al=SSL_AD_HANDSHAKE_FAILURE;
1684 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1823 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1685 goto f_err; 1824 goto f_err;
1686 } 1825 }
1687 for (i=0; r[i] != NULL; i++) 1826 for (i=0; r[i] != NULL && i<4; i++)
1688 { 1827 {
1689 nr[i]=BN_num_bytes(r[i]); 1828 nr[i]=BN_num_bytes(r[i]);
1829#ifndef OPENSSL_NO_SRP
1830 if ((i == 2) && (type & SSL_kSRP))
1831 n+=1+nr[i];
1832 else
1833#endif
1690 n+=2+nr[i]; 1834 n+=2+nr[i];
1691 } 1835 }
1692 1836
1693 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1837 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1694 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 1838 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
1695 { 1839 {
1696 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) 1840 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher,&md))
1697 == NULL) 1841 == NULL)
1698 { 1842 {
1699 al=SSL_AD_DECODE_ERROR; 1843 al=SSL_AD_DECODE_ERROR;
@@ -1715,8 +1859,16 @@ int ssl3_send_server_key_exchange(SSL *s)
1715 d=(unsigned char *)s->init_buf->data; 1859 d=(unsigned char *)s->init_buf->data;
1716 p= &(d[4]); 1860 p= &(d[4]);
1717 1861
1718 for (i=0; r[i] != NULL; i++) 1862 for (i=0; r[i] != NULL && i<4; i++)
1719 { 1863 {
1864#ifndef OPENSSL_NO_SRP
1865 if ((i == 2) && (type & SSL_kSRP))
1866 {
1867 *p = nr[i];
1868 p++;
1869 }
1870 else
1871#endif
1720 s2n(nr[i],p); 1872 s2n(nr[i],p);
1721 BN_bn2bin(r[i],p); 1873 BN_bn2bin(r[i],p);
1722 p+=nr[i]; 1874 p+=nr[i];
@@ -1764,12 +1916,15 @@ int ssl3_send_server_key_exchange(SSL *s)
1764 /* n is the length of the params, they start at &(d[4]) 1916 /* n is the length of the params, they start at &(d[4])
1765 * and p points to the space at the end. */ 1917 * and p points to the space at the end. */
1766#ifndef OPENSSL_NO_RSA 1918#ifndef OPENSSL_NO_RSA
1767 if (pkey->type == EVP_PKEY_RSA) 1919 if (pkey->type == EVP_PKEY_RSA
1920 && TLS1_get_version(s) < TLS1_2_VERSION)
1768 { 1921 {
1769 q=md_buf; 1922 q=md_buf;
1770 j=0; 1923 j=0;
1771 for (num=2; num > 0; num--) 1924 for (num=2; num > 0; num--)
1772 { 1925 {
1926 EVP_MD_CTX_set_flags(&md_ctx,
1927 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1773 EVP_DigestInit_ex(&md_ctx,(num == 2) 1928 EVP_DigestInit_ex(&md_ctx,(num == 2)
1774 ?s->ctx->md5:s->ctx->sha1, NULL); 1929 ?s->ctx->md5:s->ctx->sha1, NULL);
1775 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1930 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1791,44 +1946,41 @@ int ssl3_send_server_key_exchange(SSL *s)
1791 } 1946 }
1792 else 1947 else
1793#endif 1948#endif
1794#if !defined(OPENSSL_NO_DSA) 1949 if (md)
1795 if (pkey->type == EVP_PKEY_DSA)
1796 { 1950 {
1797 /* lets do DSS */ 1951 /* For TLS1.2 and later send signature
1798 EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL); 1952 * algorithm */
1799 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1953 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1800 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1801 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1802 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1803 (unsigned int *)&i,pkey))
1804 { 1954 {
1805 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA); 1955 if (!tls12_get_sigandhash(p, pkey, md))
1806 goto err; 1956 {
1957 /* Should never happen */
1958 al=SSL_AD_INTERNAL_ERROR;
1959 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1960 goto f_err;
1961 }
1962 p+=2;
1807 } 1963 }
1808 s2n(i,p); 1964#ifdef SSL_DEBUG
1809 n+=i+2; 1965 fprintf(stderr, "Using hash %s\n",
1810 } 1966 EVP_MD_name(md));
1811 else
1812#endif 1967#endif
1813#if !defined(OPENSSL_NO_ECDSA) 1968 EVP_SignInit_ex(&md_ctx, md, NULL);
1814 if (pkey->type == EVP_PKEY_EC)
1815 {
1816 /* let's do ECDSA */
1817 EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1818 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1969 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1819 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1970 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1820 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1971 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1821 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1972 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1822 (unsigned int *)&i,pkey)) 1973 (unsigned int *)&i,pkey))
1823 { 1974 {
1824 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA); 1975 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_EVP);
1825 goto err; 1976 goto err;
1826 } 1977 }
1827 s2n(i,p); 1978 s2n(i,p);
1828 n+=i+2; 1979 n+=i+2;
1980 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1981 n+= 2;
1829 } 1982 }
1830 else 1983 else
1831#endif
1832 { 1984 {
1833 /* Is this error check actually needed? */ 1985 /* Is this error check actually needed? */
1834 al=SSL_AD_HANDSHAKE_FAILURE; 1986 al=SSL_AD_HANDSHAKE_FAILURE;
@@ -1881,6 +2033,14 @@ int ssl3_send_certificate_request(SSL *s)
1881 p+=n; 2033 p+=n;
1882 n++; 2034 n++;
1883 2035
2036 if (TLS1_get_version(s) >= TLS1_2_VERSION)
2037 {
2038 nl = tls12_get_req_sig_algs(s, p + 2);
2039 s2n(nl, p);
2040 p += nl + 2;
2041 n += nl + 2;
2042 }
2043
1884 off=n; 2044 off=n;
1885 p+=2; 2045 p+=2;
1886 n+=2; 2046 n+=2;
@@ -2600,6 +2760,44 @@ int ssl3_get_client_key_exchange(SSL *s)
2600 } 2760 }
2601 else 2761 else
2602#endif 2762#endif
2763#ifndef OPENSSL_NO_SRP
2764 if (alg_k & SSL_kSRP)
2765 {
2766 int param_len;
2767
2768 n2s(p,i);
2769 param_len=i+2;
2770 if (param_len > n)
2771 {
2772 al=SSL_AD_DECODE_ERROR;
2773 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_SRP_A_LENGTH);
2774 goto f_err;
2775 }
2776 if (!(s->srp_ctx.A=BN_bin2bn(p,i,NULL)))
2777 {
2778 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_BN_LIB);
2779 goto err;
2780 }
2781 if (s->session->srp_username != NULL)
2782 OPENSSL_free(s->session->srp_username);
2783 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2784 if (s->session->srp_username == NULL)
2785 {
2786 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2787 ERR_R_MALLOC_FAILURE);
2788 goto err;
2789 }
2790
2791 if ((s->session->master_key_length = SRP_generate_server_master_secret(s,s->session->master_key))<0)
2792 {
2793 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2794 goto err;
2795 }
2796
2797 p+=i;
2798 }
2799 else
2800#endif /* OPENSSL_NO_SRP */
2603 if (alg_k & SSL_kGOST) 2801 if (alg_k & SSL_kGOST)
2604 { 2802 {
2605 int ret = 0; 2803 int ret = 0;
@@ -2683,7 +2881,7 @@ int ssl3_get_client_key_exchange(SSL *s)
2683 return(1); 2881 return(1);
2684f_err: 2882f_err:
2685 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2883 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2686#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) 2884#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
2687err: 2885err:
2688#endif 2886#endif
2689#ifndef OPENSSL_NO_ECDH 2887#ifndef OPENSSL_NO_ECDH
@@ -2704,12 +2902,15 @@ int ssl3_get_cert_verify(SSL *s)
2704 long n; 2902 long n;
2705 int type=0,i,j; 2903 int type=0,i,j;
2706 X509 *peer; 2904 X509 *peer;
2905 const EVP_MD *md = NULL;
2906 EVP_MD_CTX mctx;
2907 EVP_MD_CTX_init(&mctx);
2707 2908
2708 n=s->method->ssl_get_message(s, 2909 n=s->method->ssl_get_message(s,
2709 SSL3_ST_SR_CERT_VRFY_A, 2910 SSL3_ST_SR_CERT_VRFY_A,
2710 SSL3_ST_SR_CERT_VRFY_B, 2911 SSL3_ST_SR_CERT_VRFY_B,
2711 -1, 2912 -1,
2712 514, /* 514? */ 2913 516, /* Enough for 4096 bit RSA key with TLS v1.2 */
2713 &ok); 2914 &ok);
2714 2915
2715 if (!ok) return((int)n); 2916 if (!ok) return((int)n);
@@ -2729,7 +2930,7 @@ int ssl3_get_cert_verify(SSL *s)
2729 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) 2930 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
2730 { 2931 {
2731 s->s3->tmp.reuse_message=1; 2932 s->s3->tmp.reuse_message=1;
2732 if ((peer != NULL) && (type | EVP_PKT_SIGN)) 2933 if ((peer != NULL) && (type & EVP_PKT_SIGN))
2733 { 2934 {
2734 al=SSL_AD_UNEXPECTED_MESSAGE; 2935 al=SSL_AD_UNEXPECTED_MESSAGE;
2735 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); 2936 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
@@ -2772,6 +2973,36 @@ int ssl3_get_cert_verify(SSL *s)
2772 } 2973 }
2773 else 2974 else
2774 { 2975 {
2976 if (TLS1_get_version(s) >= TLS1_2_VERSION)
2977 {
2978 int sigalg = tls12_get_sigid(pkey);
2979 /* Should never happen */
2980 if (sigalg == -1)
2981 {
2982 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
2983 al=SSL_AD_INTERNAL_ERROR;
2984 goto f_err;
2985 }
2986 /* Check key type is consistent with signature */
2987 if (sigalg != (int)p[1])
2988 {
2989 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_TYPE);
2990 al=SSL_AD_DECODE_ERROR;
2991 goto f_err;
2992 }
2993 md = tls12_get_hash(p[0]);
2994 if (md == NULL)
2995 {
2996 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_UNKNOWN_DIGEST);
2997 al=SSL_AD_DECODE_ERROR;
2998 goto f_err;
2999 }
3000#ifdef SSL_DEBUG
3001fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
3002#endif
3003 p += 2;
3004 n -= 2;
3005 }
2775 n2s(p,i); 3006 n2s(p,i);
2776 n-=2; 3007 n-=2;
2777 if (i > n) 3008 if (i > n)
@@ -2789,6 +3020,37 @@ int ssl3_get_cert_verify(SSL *s)
2789 goto f_err; 3020 goto f_err;
2790 } 3021 }
2791 3022
3023 if (TLS1_get_version(s) >= TLS1_2_VERSION)
3024 {
3025 long hdatalen = 0;
3026 void *hdata;
3027 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
3028 if (hdatalen <= 0)
3029 {
3030 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
3031 al=SSL_AD_INTERNAL_ERROR;
3032 goto f_err;
3033 }
3034#ifdef SSL_DEBUG
3035 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n",
3036 EVP_MD_name(md));
3037#endif
3038 if (!EVP_VerifyInit_ex(&mctx, md, NULL)
3039 || !EVP_VerifyUpdate(&mctx, hdata, hdatalen))
3040 {
3041 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB);
3042 al=SSL_AD_INTERNAL_ERROR;
3043 goto f_err;
3044 }
3045
3046 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0)
3047 {
3048 al=SSL_AD_DECRYPT_ERROR;
3049 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_SIGNATURE);
3050 goto f_err;
3051 }
3052 }
3053 else
2792#ifndef OPENSSL_NO_RSA 3054#ifndef OPENSSL_NO_RSA
2793 if (pkey->type == EVP_PKEY_RSA) 3055 if (pkey->type == EVP_PKEY_RSA)
2794 { 3056 {
@@ -2879,6 +3141,13 @@ f_err:
2879 ssl3_send_alert(s,SSL3_AL_FATAL,al); 3141 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2880 } 3142 }
2881end: 3143end:
3144 if (s->s3->handshake_buffer)
3145 {
3146 BIO_free(s->s3->handshake_buffer);
3147 s->s3->handshake_buffer = NULL;
3148 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
3149 }
3150 EVP_MD_CTX_cleanup(&mctx);
2882 EVP_PKEY_free(pkey); 3151 EVP_PKEY_free(pkey);
2883 return(ret); 3152 return(ret);
2884 } 3153 }
@@ -2991,6 +3260,12 @@ int ssl3_get_client_certificate(SSL *s)
2991 al=SSL_AD_HANDSHAKE_FAILURE; 3260 al=SSL_AD_HANDSHAKE_FAILURE;
2992 goto f_err; 3261 goto f_err;
2993 } 3262 }
3263 /* No client certificate so digest cached records */
3264 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s))
3265 {
3266 al=SSL_AD_INTERNAL_ERROR;
3267 goto f_err;
3268 }
2994 } 3269 }
2995 else 3270 else
2996 { 3271 {
@@ -3067,13 +3342,17 @@ int ssl3_send_server_certificate(SSL *s)
3067 /* SSL3_ST_SW_CERT_B */ 3342 /* SSL3_ST_SW_CERT_B */
3068 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3343 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
3069 } 3344 }
3345
3070#ifndef OPENSSL_NO_TLSEXT 3346#ifndef OPENSSL_NO_TLSEXT
3347/* send a new session ticket (not necessarily for a new session) */
3071int ssl3_send_newsession_ticket(SSL *s) 3348int ssl3_send_newsession_ticket(SSL *s)
3072 { 3349 {
3073 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) 3350 if (s->state == SSL3_ST_SW_SESSION_TICKET_A)
3074 { 3351 {
3075 unsigned char *p, *senc, *macstart; 3352 unsigned char *p, *senc, *macstart;
3076 int len, slen; 3353 const unsigned char *const_p;
3354 int len, slen_full, slen;
3355 SSL_SESSION *sess;
3077 unsigned int hlen; 3356 unsigned int hlen;
3078 EVP_CIPHER_CTX ctx; 3357 EVP_CIPHER_CTX ctx;
3079 HMAC_CTX hctx; 3358 HMAC_CTX hctx;
@@ -3082,12 +3361,38 @@ int ssl3_send_newsession_ticket(SSL *s)
3082 unsigned char key_name[16]; 3361 unsigned char key_name[16];
3083 3362
3084 /* get session encoding length */ 3363 /* get session encoding length */
3085 slen = i2d_SSL_SESSION(s->session, NULL); 3364 slen_full = i2d_SSL_SESSION(s->session, NULL);
3086 /* Some length values are 16 bits, so forget it if session is 3365 /* Some length values are 16 bits, so forget it if session is
3087 * too long 3366 * too long
3088 */ 3367 */
3089 if (slen > 0xFF00) 3368 if (slen_full > 0xFF00)
3369 return -1;
3370 senc = OPENSSL_malloc(slen_full);
3371 if (!senc)
3372 return -1;
3373 p = senc;
3374 i2d_SSL_SESSION(s->session, &p);
3375
3376 /* create a fresh copy (not shared with other threads) to clean up */
3377 const_p = senc;
3378 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3379 if (sess == NULL)
3380 {
3381 OPENSSL_free(senc);
3090 return -1; 3382 return -1;
3383 }
3384 sess->session_id_length = 0; /* ID is irrelevant for the ticket */
3385
3386 slen = i2d_SSL_SESSION(sess, NULL);
3387 if (slen > slen_full) /* shouldn't ever happen */
3388 {
3389 OPENSSL_free(senc);
3390 return -1;
3391 }
3392 p = senc;
3393 i2d_SSL_SESSION(sess, &p);
3394 SSL_SESSION_free(sess);
3395
3091 /* Grow buffer if need be: the length calculation is as 3396 /* Grow buffer if need be: the length calculation is as
3092 * follows 1 (size of message name) + 3 (message length 3397 * follows 1 (size of message name) + 3 (message length
3093 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + 3398 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
@@ -3099,11 +3404,6 @@ int ssl3_send_newsession_ticket(SSL *s)
3099 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 3404 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
3100 EVP_MAX_MD_SIZE + slen)) 3405 EVP_MAX_MD_SIZE + slen))
3101 return -1; 3406 return -1;
3102 senc = OPENSSL_malloc(slen);
3103 if (!senc)
3104 return -1;
3105 p = senc;
3106 i2d_SSL_SESSION(s->session, &p);
3107 3407
3108 p=(unsigned char *)s->init_buf->data; 3408 p=(unsigned char *)s->init_buf->data;
3109 /* do the header */ 3409 /* do the header */
@@ -3134,7 +3434,13 @@ int ssl3_send_newsession_ticket(SSL *s)
3134 tlsext_tick_md(), NULL); 3434 tlsext_tick_md(), NULL);
3135 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 3435 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
3136 } 3436 }
3137 l2n(s->session->tlsext_tick_lifetime_hint, p); 3437
3438 /* Ticket lifetime hint (advisory only):
3439 * We leave this unspecified for resumed session (for simplicity),
3440 * and guess that tickets for new sessions will live as long
3441 * as their sessions. */
3442 l2n(s->hit ? 0 : s->session->timeout, p);
3443
3138 /* Skip ticket length for now */ 3444 /* Skip ticket length for now */
3139 p += 2; 3445 p += 2;
3140 /* Output key name */ 3446 /* Output key name */
@@ -3209,4 +3515,72 @@ int ssl3_send_cert_status(SSL *s)
3209 /* SSL3_ST_SW_CERT_STATUS_B */ 3515 /* SSL3_ST_SW_CERT_STATUS_B */
3210 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3516 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
3211 } 3517 }
3518
3519# ifndef OPENSSL_NO_NEXTPROTONEG
3520/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
3521 * sets the next_proto member in s if found */
3522int ssl3_get_next_proto(SSL *s)
3523 {
3524 int ok;
3525 int proto_len, padding_len;
3526 long n;
3527 const unsigned char *p;
3528
3529 /* Clients cannot send a NextProtocol message if we didn't see the
3530 * extension in their ClientHello */
3531 if (!s->s3->next_proto_neg_seen)
3532 {
3533 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3534 return -1;
3535 }
3536
3537 n=s->method->ssl_get_message(s,
3538 SSL3_ST_SR_NEXT_PROTO_A,
3539 SSL3_ST_SR_NEXT_PROTO_B,
3540 SSL3_MT_NEXT_PROTO,
3541 514, /* See the payload format below */
3542 &ok);
3543
3544 if (!ok)
3545 return((int)n);
3546
3547 /* s->state doesn't reflect whether ChangeCipherSpec has been received
3548 * in this handshake, but s->s3->change_cipher_spec does (will be reset
3549 * by ssl3_get_finished). */
3550 if (!s->s3->change_cipher_spec)
3551 {
3552 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3553 return -1;
3554 }
3555
3556 if (n < 2)
3557 return 0; /* The body must be > 1 bytes long */
3558
3559 p=(unsigned char *)s->init_msg;
3560
3561 /* The payload looks like:
3562 * uint8 proto_len;
3563 * uint8 proto[proto_len];
3564 * uint8 padding_len;
3565 * uint8 padding[padding_len];
3566 */
3567 proto_len = p[0];
3568 if (proto_len + 2 > s->init_num)
3569 return 0;
3570 padding_len = p[proto_len + 1];
3571 if (proto_len + padding_len + 2 != s->init_num)
3572 return 0;
3573
3574 s->next_proto_negotiated = OPENSSL_malloc(proto_len);
3575 if (!s->next_proto_negotiated)
3576 {
3577 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE);
3578 return 0;
3579 }
3580 memcpy(s->next_proto_negotiated, p + 1, proto_len);
3581 s->next_proto_negotiated_len = proto_len;
3582
3583 return 1;
3584 }
3585# endif
3212#endif 3586#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 13:13:48 +0000