diff options
Diffstat (limited to 'src/lib/libssl/s3_clnt.c')
| -rw-r--r-- | src/lib/libssl/s3_clnt.c | 397 |
1 files changed, 359 insertions, 38 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 53223bd38d..b80d052e1f 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c | |||
| @@ -156,6 +156,9 @@ | |||
| 156 | #include <openssl/objects.h> | 156 | #include <openssl/objects.h> |
| 157 | #include <openssl/evp.h> | 157 | #include <openssl/evp.h> |
| 158 | #include <openssl/md5.h> | 158 | #include <openssl/md5.h> |
| 159 | #ifdef OPENSSL_FIPS | ||
| 160 | #include <openssl/fips.h> | ||
| 161 | #endif | ||
| 159 | #ifndef OPENSSL_NO_DH | 162 | #ifndef OPENSSL_NO_DH |
| 160 | #include <openssl/dh.h> | 163 | #include <openssl/dh.h> |
| 161 | #endif | 164 | #endif |
| @@ -200,6 +203,18 @@ int ssl3_connect(SSL *s) | |||
| 200 | s->in_handshake++; | 203 | s->in_handshake++; |
| 201 | if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); | 204 | if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); |
| 202 | 205 | ||
| 206 | #ifndef OPENSSL_NO_HEARTBEATS | ||
| 207 | /* If we're awaiting a HeartbeatResponse, pretend we | ||
| 208 | * already got and don't await it anymore, because | ||
| 209 | * Heartbeats don't make sense during handshakes anyway. | ||
| 210 | */ | ||
| 211 | if (s->tlsext_hb_pending) | ||
| 212 | { | ||
| 213 | s->tlsext_hb_pending = 0; | ||
| 214 | s->tlsext_hb_seq++; | ||
| 215 | } | ||
| 216 | #endif | ||
| 217 | |||
| 203 | for (;;) | 218 | for (;;) |
| 204 | { | 219 | { |
| 205 | state=s->state; | 220 | state=s->state; |
| @@ -207,7 +222,7 @@ int ssl3_connect(SSL *s) | |||
| 207 | switch(s->state) | 222 | switch(s->state) |
| 208 | { | 223 | { |
| 209 | case SSL_ST_RENEGOTIATE: | 224 | case SSL_ST_RENEGOTIATE: |
| 210 | s->new_session=1; | 225 | s->renegotiate=1; |
| 211 | s->state=SSL_ST_CONNECT; | 226 | s->state=SSL_ST_CONNECT; |
| 212 | s->ctx->stats.sess_connect_renegotiate++; | 227 | s->ctx->stats.sess_connect_renegotiate++; |
| 213 | /* break */ | 228 | /* break */ |
| @@ -280,7 +295,16 @@ int ssl3_connect(SSL *s) | |||
| 280 | if (ret <= 0) goto end; | 295 | if (ret <= 0) goto end; |
| 281 | 296 | ||
| 282 | if (s->hit) | 297 | if (s->hit) |
| 298 | { | ||
| 283 | s->state=SSL3_ST_CR_FINISHED_A; | 299 | s->state=SSL3_ST_CR_FINISHED_A; |
| 300 | #ifndef OPENSSL_NO_TLSEXT | ||
| 301 | if (s->tlsext_ticket_expected) | ||
| 302 | { | ||
| 303 | /* receive renewed session ticket */ | ||
| 304 | s->state=SSL3_ST_CR_SESSION_TICKET_A; | ||
| 305 | } | ||
| 306 | #endif | ||
| 307 | } | ||
| 284 | else | 308 | else |
| 285 | s->state=SSL3_ST_CR_CERT_A; | 309 | s->state=SSL3_ST_CR_CERT_A; |
| 286 | s->init_num=0; | 310 | s->init_num=0; |
| @@ -358,6 +382,17 @@ int ssl3_connect(SSL *s) | |||
| 358 | case SSL3_ST_CR_SRVR_DONE_B: | 382 | case SSL3_ST_CR_SRVR_DONE_B: |
| 359 | ret=ssl3_get_server_done(s); | 383 | ret=ssl3_get_server_done(s); |
| 360 | if (ret <= 0) goto end; | 384 | if (ret <= 0) goto end; |
| 385 | #ifndef OPENSSL_NO_SRP | ||
| 386 | if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) | ||
| 387 | { | ||
| 388 | if ((ret = SRP_Calc_A_param(s))<=0) | ||
| 389 | { | ||
| 390 | SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SRP_A_CALC); | ||
| 391 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR); | ||
| 392 | goto end; | ||
| 393 | } | ||
| 394 | } | ||
| 395 | #endif | ||
| 361 | if (s->s3->tmp.cert_req) | 396 | if (s->s3->tmp.cert_req) |
| 362 | s->state=SSL3_ST_CW_CERT_A; | 397 | s->state=SSL3_ST_CW_CERT_A; |
| 363 | else | 398 | else |
| @@ -423,7 +458,16 @@ int ssl3_connect(SSL *s) | |||
| 423 | ret=ssl3_send_change_cipher_spec(s, | 458 | ret=ssl3_send_change_cipher_spec(s, |
| 424 | SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); | 459 | SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); |
| 425 | if (ret <= 0) goto end; | 460 | if (ret <= 0) goto end; |
| 461 | |||
| 462 | |||
| 463 | #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) | ||
| 426 | s->state=SSL3_ST_CW_FINISHED_A; | 464 | s->state=SSL3_ST_CW_FINISHED_A; |
| 465 | #else | ||
| 466 | if (s->s3->next_proto_neg_seen) | ||
| 467 | s->state=SSL3_ST_CW_NEXT_PROTO_A; | ||
| 468 | else | ||
| 469 | s->state=SSL3_ST_CW_FINISHED_A; | ||
| 470 | #endif | ||
| 427 | s->init_num=0; | 471 | s->init_num=0; |
| 428 | 472 | ||
| 429 | s->session->cipher=s->s3->tmp.new_cipher; | 473 | s->session->cipher=s->s3->tmp.new_cipher; |
| @@ -451,6 +495,15 @@ int ssl3_connect(SSL *s) | |||
| 451 | 495 | ||
| 452 | break; | 496 | break; |
| 453 | 497 | ||
| 498 | #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) | ||
| 499 | case SSL3_ST_CW_NEXT_PROTO_A: | ||
| 500 | case SSL3_ST_CW_NEXT_PROTO_B: | ||
| 501 | ret=ssl3_send_next_proto(s); | ||
| 502 | if (ret <= 0) goto end; | ||
| 503 | s->state=SSL3_ST_CW_FINISHED_A; | ||
| 504 | break; | ||
| 505 | #endif | ||
| 506 | |||
| 454 | case SSL3_ST_CW_FINISHED_A: | 507 | case SSL3_ST_CW_FINISHED_A: |
| 455 | case SSL3_ST_CW_FINISHED_B: | 508 | case SSL3_ST_CW_FINISHED_B: |
| 456 | ret=ssl3_send_finished(s, | 509 | ret=ssl3_send_finished(s, |
| @@ -546,6 +599,7 @@ int ssl3_connect(SSL *s) | |||
| 546 | /* else do it later in ssl3_write */ | 599 | /* else do it later in ssl3_write */ |
| 547 | 600 | ||
| 548 | s->init_num=0; | 601 | s->init_num=0; |
| 602 | s->renegotiate=0; | ||
| 549 | s->new_session=0; | 603 | s->new_session=0; |
| 550 | 604 | ||
| 551 | ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); | 605 | ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); |
| @@ -635,9 +689,43 @@ int ssl3_client_hello(SSL *s) | |||
| 635 | /* Do the message type and length last */ | 689 | /* Do the message type and length last */ |
| 636 | d=p= &(buf[4]); | 690 | d=p= &(buf[4]); |
| 637 | 691 | ||
| 692 | /* version indicates the negotiated version: for example from | ||
| 693 | * an SSLv2/v3 compatible client hello). The client_version | ||
| 694 | * field is the maximum version we permit and it is also | ||
| 695 | * used in RSA encrypted premaster secrets. Some servers can | ||
| 696 | * choke if we initially report a higher version then | ||
| 697 | * renegotiate to a lower one in the premaster secret. This | ||
| 698 | * didn't happen with TLS 1.0 as most servers supported it | ||
| 699 | * but it can with TLS 1.1 or later if the server only supports | ||
| 700 | * 1.0. | ||
| 701 | * | ||
| 702 | * Possible scenario with previous logic: | ||
| 703 | * 1. Client hello indicates TLS 1.2 | ||
| 704 | * 2. Server hello says TLS 1.0 | ||
| 705 | * 3. RSA encrypted premaster secret uses 1.2. | ||
| 706 | * 4. Handhaked proceeds using TLS 1.0. | ||
| 707 | * 5. Server sends hello request to renegotiate. | ||
| 708 | * 6. Client hello indicates TLS v1.0 as we now | ||
| 709 | * know that is maximum server supports. | ||
| 710 | * 7. Server chokes on RSA encrypted premaster secret | ||
| 711 | * containing version 1.0. | ||
| 712 | * | ||
| 713 | * For interoperability it should be OK to always use the | ||
| 714 | * maximum version we support in client hello and then rely | ||
| 715 | * on the checking of version to ensure the servers isn't | ||
| 716 | * being inconsistent: for example initially negotiating with | ||
| 717 | * TLS 1.0 and renegotiating with TLS 1.2. We do this by using | ||
| 718 | * client_version in client hello and not resetting it to | ||
| 719 | * the negotiated version. | ||
| 720 | */ | ||
| 721 | #if 0 | ||
| 638 | *(p++)=s->version>>8; | 722 | *(p++)=s->version>>8; |
| 639 | *(p++)=s->version&0xff; | 723 | *(p++)=s->version&0xff; |
| 640 | s->client_version=s->version; | 724 | s->client_version=s->version; |
| 725 | #else | ||
| 726 | *(p++)=s->client_version>>8; | ||
| 727 | *(p++)=s->client_version&0xff; | ||
| 728 | #endif | ||
| 641 | 729 | ||
| 642 | /* Random stuff */ | 730 | /* Random stuff */ |
| 643 | memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); | 731 | memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); |
| @@ -667,6 +755,15 @@ int ssl3_client_hello(SSL *s) | |||
| 667 | SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); | 755 | SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); |
| 668 | goto err; | 756 | goto err; |
| 669 | } | 757 | } |
| 758 | #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH | ||
| 759 | /* Some servers hang if client hello > 256 bytes | ||
| 760 | * as hack workaround chop number of supported ciphers | ||
| 761 | * to keep it well below this if we use TLS v1.2 | ||
| 762 | */ | ||
| 763 | if (TLS1_get_version(s) >= TLS1_2_VERSION | ||
| 764 | && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) | ||
| 765 | i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; | ||
| 766 | #endif | ||
| 670 | s2n(i,p); | 767 | s2n(i,p); |
| 671 | p+=i; | 768 | p+=i; |
| 672 | 769 | ||
| @@ -847,6 +944,14 @@ int ssl3_get_server_hello(SSL *s) | |||
| 847 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); | 944 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); |
| 848 | goto f_err; | 945 | goto f_err; |
| 849 | } | 946 | } |
| 947 | /* TLS v1.2 only ciphersuites require v1.2 or later */ | ||
| 948 | if ((c->algorithm_ssl & SSL_TLSV1_2) && | ||
| 949 | (TLS1_get_version(s) < TLS1_2_VERSION)) | ||
| 950 | { | ||
| 951 | al=SSL_AD_ILLEGAL_PARAMETER; | ||
| 952 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); | ||
| 953 | goto f_err; | ||
| 954 | } | ||
| 850 | p+=ssl_put_cipher_by_char(s,NULL,NULL); | 955 | p+=ssl_put_cipher_by_char(s,NULL,NULL); |
| 851 | 956 | ||
| 852 | sk=ssl_get_ciphers_by_id(s); | 957 | sk=ssl_get_ciphers_by_id(s); |
| @@ -878,9 +983,11 @@ int ssl3_get_server_hello(SSL *s) | |||
| 878 | } | 983 | } |
| 879 | } | 984 | } |
| 880 | s->s3->tmp.new_cipher=c; | 985 | s->s3->tmp.new_cipher=c; |
| 881 | if (!ssl3_digest_cached_records(s)) | 986 | /* Don't digest cached records if TLS v1.2: we may need them for |
| 987 | * client authentication. | ||
| 988 | */ | ||
| 989 | if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) | ||
| 882 | goto f_err; | 990 | goto f_err; |
| 883 | |||
| 884 | /* lets get the compression algorithm */ | 991 | /* lets get the compression algorithm */ |
| 885 | /* COMPRESSION */ | 992 | /* COMPRESSION */ |
| 886 | #ifdef OPENSSL_NO_COMP | 993 | #ifdef OPENSSL_NO_COMP |
| @@ -1159,6 +1266,7 @@ int ssl3_get_key_exchange(SSL *s) | |||
| 1159 | int al,i,j,param_len,ok; | 1266 | int al,i,j,param_len,ok; |
| 1160 | long n,alg_k,alg_a; | 1267 | long n,alg_k,alg_a; |
| 1161 | EVP_PKEY *pkey=NULL; | 1268 | EVP_PKEY *pkey=NULL; |
| 1269 | const EVP_MD *md = NULL; | ||
| 1162 | #ifndef OPENSSL_NO_RSA | 1270 | #ifndef OPENSSL_NO_RSA |
| 1163 | RSA *rsa=NULL; | 1271 | RSA *rsa=NULL; |
| 1164 | #endif | 1272 | #endif |
| @@ -1282,6 +1390,86 @@ int ssl3_get_key_exchange(SSL *s) | |||
| 1282 | } | 1390 | } |
| 1283 | else | 1391 | else |
| 1284 | #endif /* !OPENSSL_NO_PSK */ | 1392 | #endif /* !OPENSSL_NO_PSK */ |
| 1393 | #ifndef OPENSSL_NO_SRP | ||
| 1394 | if (alg_k & SSL_kSRP) | ||
| 1395 | { | ||
| 1396 | n2s(p,i); | ||
| 1397 | param_len=i+2; | ||
| 1398 | if (param_len > n) | ||
| 1399 | { | ||
| 1400 | al=SSL_AD_DECODE_ERROR; | ||
| 1401 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH); | ||
| 1402 | goto f_err; | ||
| 1403 | } | ||
| 1404 | if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL))) | ||
| 1405 | { | ||
| 1406 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); | ||
| 1407 | goto err; | ||
| 1408 | } | ||
| 1409 | p+=i; | ||
| 1410 | |||
| 1411 | n2s(p,i); | ||
| 1412 | param_len+=i+2; | ||
| 1413 | if (param_len > n) | ||
| 1414 | { | ||
| 1415 | al=SSL_AD_DECODE_ERROR; | ||
| 1416 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH); | ||
| 1417 | goto f_err; | ||
| 1418 | } | ||
| 1419 | if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL))) | ||
| 1420 | { | ||
| 1421 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); | ||
| 1422 | goto err; | ||
| 1423 | } | ||
| 1424 | p+=i; | ||
| 1425 | |||
| 1426 | i = (unsigned int)(p[0]); | ||
| 1427 | p++; | ||
| 1428 | param_len+=i+1; | ||
| 1429 | if (param_len > n) | ||
| 1430 | { | ||
| 1431 | al=SSL_AD_DECODE_ERROR; | ||
| 1432 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH); | ||
| 1433 | goto f_err; | ||
| 1434 | } | ||
| 1435 | if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL))) | ||
| 1436 | { | ||
| 1437 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); | ||
| 1438 | goto err; | ||
| 1439 | } | ||
| 1440 | p+=i; | ||
| 1441 | |||
| 1442 | n2s(p,i); | ||
| 1443 | param_len+=i+2; | ||
| 1444 | if (param_len > n) | ||
| 1445 | { | ||
| 1446 | al=SSL_AD_DECODE_ERROR; | ||
| 1447 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH); | ||
| 1448 | goto f_err; | ||
| 1449 | } | ||
| 1450 | if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL))) | ||
| 1451 | { | ||
| 1452 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); | ||
| 1453 | goto err; | ||
| 1454 | } | ||
| 1455 | p+=i; | ||
| 1456 | n-=param_len; | ||
| 1457 | |||
| 1458 | /* We must check if there is a certificate */ | ||
| 1459 | #ifndef OPENSSL_NO_RSA | ||
| 1460 | if (alg_a & SSL_aRSA) | ||
| 1461 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); | ||
| 1462 | #else | ||
| 1463 | if (0) | ||
| 1464 | ; | ||
| 1465 | #endif | ||
| 1466 | #ifndef OPENSSL_NO_DSA | ||
| 1467 | else if (alg_a & SSL_aDSS) | ||
| 1468 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); | ||
| 1469 | #endif | ||
| 1470 | } | ||
| 1471 | else | ||
| 1472 | #endif /* !OPENSSL_NO_SRP */ | ||
| 1285 | #ifndef OPENSSL_NO_RSA | 1473 | #ifndef OPENSSL_NO_RSA |
| 1286 | if (alg_k & SSL_kRSA) | 1474 | if (alg_k & SSL_kRSA) |
| 1287 | { | 1475 | { |
| @@ -1529,6 +1717,38 @@ int ssl3_get_key_exchange(SSL *s) | |||
| 1529 | /* if it was signed, check the signature */ | 1717 | /* if it was signed, check the signature */ |
| 1530 | if (pkey != NULL) | 1718 | if (pkey != NULL) |
| 1531 | { | 1719 | { |
| 1720 | if (TLS1_get_version(s) >= TLS1_2_VERSION) | ||
| 1721 | { | ||
| 1722 | int sigalg = tls12_get_sigid(pkey); | ||
| 1723 | /* Should never happen */ | ||
| 1724 | if (sigalg == -1) | ||
| 1725 | { | ||
| 1726 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); | ||
| 1727 | goto err; | ||
| 1728 | } | ||
| 1729 | /* Check key type is consistent with signature */ | ||
| 1730 | if (sigalg != (int)p[1]) | ||
| 1731 | { | ||
| 1732 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_TYPE); | ||
| 1733 | al=SSL_AD_DECODE_ERROR; | ||
| 1734 | goto f_err; | ||
| 1735 | } | ||
| 1736 | md = tls12_get_hash(p[0]); | ||
| 1737 | if (md == NULL) | ||
| 1738 | { | ||
| 1739 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST); | ||
| 1740 | al=SSL_AD_DECODE_ERROR; | ||
| 1741 | goto f_err; | ||
| 1742 | } | ||
| 1743 | #ifdef SSL_DEBUG | ||
| 1744 | fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); | ||
| 1745 | #endif | ||
| 1746 | p += 2; | ||
| 1747 | n -= 2; | ||
| 1748 | } | ||
| 1749 | else | ||
| 1750 | md = EVP_sha1(); | ||
| 1751 | |||
| 1532 | n2s(p,i); | 1752 | n2s(p,i); |
| 1533 | n-=2; | 1753 | n-=2; |
| 1534 | j=EVP_PKEY_size(pkey); | 1754 | j=EVP_PKEY_size(pkey); |
| @@ -1542,7 +1762,7 @@ int ssl3_get_key_exchange(SSL *s) | |||
| 1542 | } | 1762 | } |
| 1543 | 1763 | ||
| 1544 | #ifndef OPENSSL_NO_RSA | 1764 | #ifndef OPENSSL_NO_RSA |
| 1545 | if (pkey->type == EVP_PKEY_RSA) | 1765 | if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) |
| 1546 | { | 1766 | { |
| 1547 | int num; | 1767 | int num; |
| 1548 | 1768 | ||
| @@ -1550,6 +1770,8 @@ int ssl3_get_key_exchange(SSL *s) | |||
| 1550 | q=md_buf; | 1770 | q=md_buf; |
| 1551 | for (num=2; num > 0; num--) | 1771 | for (num=2; num > 0; num--) |
| 1552 | { | 1772 | { |
| 1773 | EVP_MD_CTX_set_flags(&md_ctx, | ||
| 1774 | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | ||
| 1553 | EVP_DigestInit_ex(&md_ctx,(num == 2) | 1775 | EVP_DigestInit_ex(&md_ctx,(num == 2) |
| 1554 | ?s->ctx->md5:s->ctx->sha1, NULL); | 1776 | ?s->ctx->md5:s->ctx->sha1, NULL); |
| 1555 | EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | 1777 | EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); |
| @@ -1577,29 +1799,8 @@ int ssl3_get_key_exchange(SSL *s) | |||
| 1577 | } | 1799 | } |
| 1578 | else | 1800 | else |
| 1579 | #endif | 1801 | #endif |
| 1580 | #ifndef OPENSSL_NO_DSA | ||
| 1581 | if (pkey->type == EVP_PKEY_DSA) | ||
| 1582 | { | ||
| 1583 | /* lets do DSS */ | ||
| 1584 | EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL); | ||
| 1585 | EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | ||
| 1586 | EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); | ||
| 1587 | EVP_VerifyUpdate(&md_ctx,param,param_len); | ||
| 1588 | if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) | ||
| 1589 | { | ||
| 1590 | /* bad signature */ | ||
| 1591 | al=SSL_AD_DECRYPT_ERROR; | ||
| 1592 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); | ||
| 1593 | goto f_err; | ||
| 1594 | } | ||
| 1595 | } | ||
| 1596 | else | ||
| 1597 | #endif | ||
| 1598 | #ifndef OPENSSL_NO_ECDSA | ||
| 1599 | if (pkey->type == EVP_PKEY_EC) | ||
| 1600 | { | 1802 | { |
| 1601 | /* let's do ECDSA */ | 1803 | EVP_VerifyInit_ex(&md_ctx, md, NULL); |
| 1602 | EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL); | ||
| 1603 | EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | 1804 | EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); |
| 1604 | EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); | 1805 | EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); |
| 1605 | EVP_VerifyUpdate(&md_ctx,param,param_len); | 1806 | EVP_VerifyUpdate(&md_ctx,param,param_len); |
| @@ -1611,12 +1812,6 @@ int ssl3_get_key_exchange(SSL *s) | |||
| 1611 | goto f_err; | 1812 | goto f_err; |
| 1612 | } | 1813 | } |
| 1613 | } | 1814 | } |
| 1614 | else | ||
| 1615 | #endif | ||
| 1616 | { | ||
| 1617 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); | ||
| 1618 | goto err; | ||
| 1619 | } | ||
| 1620 | } | 1815 | } |
| 1621 | else | 1816 | else |
| 1622 | { | 1817 | { |
| @@ -1663,7 +1858,7 @@ int ssl3_get_certificate_request(SSL *s) | |||
| 1663 | { | 1858 | { |
| 1664 | int ok,ret=0; | 1859 | int ok,ret=0; |
| 1665 | unsigned long n,nc,l; | 1860 | unsigned long n,nc,l; |
| 1666 | unsigned int llen,ctype_num,i; | 1861 | unsigned int llen, ctype_num,i; |
| 1667 | X509_NAME *xn=NULL; | 1862 | X509_NAME *xn=NULL; |
| 1668 | const unsigned char *p,*q; | 1863 | const unsigned char *p,*q; |
| 1669 | unsigned char *d; | 1864 | unsigned char *d; |
| @@ -1683,6 +1878,14 @@ int ssl3_get_certificate_request(SSL *s) | |||
| 1683 | if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) | 1878 | if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) |
| 1684 | { | 1879 | { |
| 1685 | s->s3->tmp.reuse_message=1; | 1880 | s->s3->tmp.reuse_message=1; |
| 1881 | /* If we get here we don't need any cached handshake records | ||
| 1882 | * as we wont be doing client auth. | ||
| 1883 | */ | ||
| 1884 | if (s->s3->handshake_buffer) | ||
| 1885 | { | ||
| 1886 | if (!ssl3_digest_cached_records(s)) | ||
| 1887 | goto err; | ||
| 1888 | } | ||
| 1686 | return(1); | 1889 | return(1); |
| 1687 | } | 1890 | } |
| 1688 | 1891 | ||
| @@ -1719,6 +1922,26 @@ int ssl3_get_certificate_request(SSL *s) | |||
| 1719 | for (i=0; i<ctype_num; i++) | 1922 | for (i=0; i<ctype_num; i++) |
| 1720 | s->s3->tmp.ctype[i]= p[i]; | 1923 | s->s3->tmp.ctype[i]= p[i]; |
| 1721 | p+=ctype_num; | 1924 | p+=ctype_num; |
| 1925 | if (TLS1_get_version(s) >= TLS1_2_VERSION) | ||
| 1926 | { | ||
| 1927 | n2s(p, llen); | ||
| 1928 | /* Check we have enough room for signature algorithms and | ||
| 1929 | * following length value. | ||
| 1930 | */ | ||
| 1931 | if ((unsigned long)(p - d + llen + 2) > n) | ||
| 1932 | { | ||
| 1933 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); | ||
| 1934 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG); | ||
| 1935 | goto err; | ||
| 1936 | } | ||
| 1937 | if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) | ||
| 1938 | { | ||
| 1939 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); | ||
| 1940 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR); | ||
| 1941 | goto err; | ||
| 1942 | } | ||
| 1943 | p += llen; | ||
| 1944 | } | ||
| 1722 | 1945 | ||
| 1723 | /* get the CA RDNs */ | 1946 | /* get the CA RDNs */ |
| 1724 | n2s(p,llen); | 1947 | n2s(p,llen); |
| @@ -1731,7 +1954,7 @@ fclose(out); | |||
| 1731 | } | 1954 | } |
| 1732 | #endif | 1955 | #endif |
| 1733 | 1956 | ||
| 1734 | if ((llen+ctype_num+2+1) != n) | 1957 | if ((unsigned long)(p - d + llen) != n) |
| 1735 | { | 1958 | { |
| 1736 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); | 1959 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); |
| 1737 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); | 1960 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); |
| @@ -2553,6 +2776,39 @@ int ssl3_send_client_key_exchange(SSL *s) | |||
| 2553 | EVP_PKEY_free(pub_key); | 2776 | EVP_PKEY_free(pub_key); |
| 2554 | 2777 | ||
| 2555 | } | 2778 | } |
| 2779 | #ifndef OPENSSL_NO_SRP | ||
| 2780 | else if (alg_k & SSL_kSRP) | ||
| 2781 | { | ||
| 2782 | if (s->srp_ctx.A != NULL) | ||
| 2783 | { | ||
| 2784 | /* send off the data */ | ||
| 2785 | n=BN_num_bytes(s->srp_ctx.A); | ||
| 2786 | s2n(n,p); | ||
| 2787 | BN_bn2bin(s->srp_ctx.A,p); | ||
| 2788 | n+=2; | ||
| 2789 | } | ||
| 2790 | else | ||
| 2791 | { | ||
| 2792 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); | ||
| 2793 | goto err; | ||
| 2794 | } | ||
| 2795 | if (s->session->srp_username != NULL) | ||
| 2796 | OPENSSL_free(s->session->srp_username); | ||
| 2797 | s->session->srp_username = BUF_strdup(s->srp_ctx.login); | ||
| 2798 | if (s->session->srp_username == NULL) | ||
| 2799 | { | ||
| 2800 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||
| 2801 | ERR_R_MALLOC_FAILURE); | ||
| 2802 | goto err; | ||
| 2803 | } | ||
| 2804 | |||
| 2805 | if ((s->session->master_key_length = SRP_generate_client_master_secret(s,s->session->master_key))<0) | ||
| 2806 | { | ||
| 2807 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); | ||
| 2808 | goto err; | ||
| 2809 | } | ||
| 2810 | } | ||
| 2811 | #endif | ||
| 2556 | #ifndef OPENSSL_NO_PSK | 2812 | #ifndef OPENSSL_NO_PSK |
| 2557 | else if (alg_k & SSL_kPSK) | 2813 | else if (alg_k & SSL_kPSK) |
| 2558 | { | 2814 | { |
| @@ -2672,12 +2928,13 @@ int ssl3_send_client_verify(SSL *s) | |||
| 2672 | unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; | 2928 | unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; |
| 2673 | EVP_PKEY *pkey; | 2929 | EVP_PKEY *pkey; |
| 2674 | EVP_PKEY_CTX *pctx=NULL; | 2930 | EVP_PKEY_CTX *pctx=NULL; |
| 2675 | #ifndef OPENSSL_NO_RSA | 2931 | EVP_MD_CTX mctx; |
| 2676 | unsigned u=0; | 2932 | unsigned u=0; |
| 2677 | #endif | ||
| 2678 | unsigned long n; | 2933 | unsigned long n; |
| 2679 | int j; | 2934 | int j; |
| 2680 | 2935 | ||
| 2936 | EVP_MD_CTX_init(&mctx); | ||
| 2937 | |||
| 2681 | if (s->state == SSL3_ST_CW_CERT_VRFY_A) | 2938 | if (s->state == SSL3_ST_CW_CERT_VRFY_A) |
| 2682 | { | 2939 | { |
| 2683 | d=(unsigned char *)s->init_buf->data; | 2940 | d=(unsigned char *)s->init_buf->data; |
| @@ -2688,7 +2945,8 @@ int ssl3_send_client_verify(SSL *s) | |||
| 2688 | EVP_PKEY_sign_init(pctx); | 2945 | EVP_PKEY_sign_init(pctx); |
| 2689 | if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) | 2946 | if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) |
| 2690 | { | 2947 | { |
| 2691 | s->method->ssl3_enc->cert_verify_mac(s, | 2948 | if (TLS1_get_version(s) < TLS1_2_VERSION) |
| 2949 | s->method->ssl3_enc->cert_verify_mac(s, | ||
| 2692 | NID_sha1, | 2950 | NID_sha1, |
| 2693 | &(data[MD5_DIGEST_LENGTH])); | 2951 | &(data[MD5_DIGEST_LENGTH])); |
| 2694 | } | 2952 | } |
| @@ -2696,6 +2954,41 @@ int ssl3_send_client_verify(SSL *s) | |||
| 2696 | { | 2954 | { |
| 2697 | ERR_clear_error(); | 2955 | ERR_clear_error(); |
| 2698 | } | 2956 | } |
| 2957 | /* For TLS v1.2 send signature algorithm and signature | ||
| 2958 | * using agreed digest and cached handshake records. | ||
| 2959 | */ | ||
| 2960 | if (TLS1_get_version(s) >= TLS1_2_VERSION) | ||
| 2961 | { | ||
| 2962 | long hdatalen = 0; | ||
| 2963 | void *hdata; | ||
| 2964 | const EVP_MD *md = s->cert->key->digest; | ||
| 2965 | hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, | ||
| 2966 | &hdata); | ||
| 2967 | if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) | ||
| 2968 | { | ||
| 2969 | SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, | ||
| 2970 | ERR_R_INTERNAL_ERROR); | ||
| 2971 | goto err; | ||
| 2972 | } | ||
| 2973 | p += 2; | ||
| 2974 | #ifdef SSL_DEBUG | ||
| 2975 | fprintf(stderr, "Using TLS 1.2 with client alg %s\n", | ||
| 2976 | EVP_MD_name(md)); | ||
| 2977 | #endif | ||
| 2978 | if (!EVP_SignInit_ex(&mctx, md, NULL) | ||
| 2979 | || !EVP_SignUpdate(&mctx, hdata, hdatalen) | ||
| 2980 | || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) | ||
| 2981 | { | ||
| 2982 | SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, | ||
| 2983 | ERR_R_EVP_LIB); | ||
| 2984 | goto err; | ||
| 2985 | } | ||
| 2986 | s2n(u,p); | ||
| 2987 | n = u + 4; | ||
| 2988 | if (!ssl3_digest_cached_records(s)) | ||
| 2989 | goto err; | ||
| 2990 | } | ||
| 2991 | else | ||
| 2699 | #ifndef OPENSSL_NO_RSA | 2992 | #ifndef OPENSSL_NO_RSA |
| 2700 | if (pkey->type == EVP_PKEY_RSA) | 2993 | if (pkey->type == EVP_PKEY_RSA) |
| 2701 | { | 2994 | { |
| @@ -2778,9 +3071,11 @@ int ssl3_send_client_verify(SSL *s) | |||
| 2778 | s->init_num=(int)n+4; | 3071 | s->init_num=(int)n+4; |
| 2779 | s->init_off=0; | 3072 | s->init_off=0; |
| 2780 | } | 3073 | } |
| 3074 | EVP_MD_CTX_cleanup(&mctx); | ||
| 2781 | EVP_PKEY_CTX_free(pctx); | 3075 | EVP_PKEY_CTX_free(pctx); |
| 2782 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | 3076 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); |
| 2783 | err: | 3077 | err: |
| 3078 | EVP_MD_CTX_cleanup(&mctx); | ||
| 2784 | EVP_PKEY_CTX_free(pctx); | 3079 | EVP_PKEY_CTX_free(pctx); |
| 2785 | return(-1); | 3080 | return(-1); |
| 2786 | } | 3081 | } |
| @@ -2904,7 +3199,7 @@ int ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2904 | if (idx == SSL_PKEY_ECC) | 3199 | if (idx == SSL_PKEY_ECC) |
| 2905 | { | 3200 | { |
| 2906 | if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, | 3201 | if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, |
| 2907 | s->s3->tmp.new_cipher) == 0) | 3202 | s) == 0) |
| 2908 | { /* check failed */ | 3203 | { /* check failed */ |
| 2909 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); | 3204 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); |
| 2910 | goto f_err; | 3205 | goto f_err; |
| @@ -3000,6 +3295,32 @@ err: | |||
| 3000 | return(0); | 3295 | return(0); |
| 3001 | } | 3296 | } |
| 3002 | 3297 | ||
| 3298 | #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) | ||
| 3299 | int ssl3_send_next_proto(SSL *s) | ||
| 3300 | { | ||
| 3301 | unsigned int len, padding_len; | ||
| 3302 | unsigned char *d; | ||
| 3303 | |||
| 3304 | if (s->state == SSL3_ST_CW_NEXT_PROTO_A) | ||
| 3305 | { | ||
| 3306 | len = s->next_proto_negotiated_len; | ||
| 3307 | padding_len = 32 - ((len + 2) % 32); | ||
| 3308 | d = (unsigned char *)s->init_buf->data; | ||
| 3309 | d[4] = len; | ||
| 3310 | memcpy(d + 5, s->next_proto_negotiated, len); | ||
| 3311 | d[5 + len] = padding_len; | ||
| 3312 | memset(d + 6 + len, 0, padding_len); | ||
| 3313 | *(d++)=SSL3_MT_NEXT_PROTO; | ||
| 3314 | l2n3(2 + len + padding_len, d); | ||
| 3315 | s->state = SSL3_ST_CW_NEXT_PROTO_B; | ||
| 3316 | s->init_num = 4 + 2 + len + padding_len; | ||
| 3317 | s->init_off = 0; | ||
| 3318 | } | ||
| 3319 | |||
| 3320 | return ssl3_do_write(s, SSL3_RT_HANDSHAKE); | ||
| 3321 | } | ||
| 3322 | #endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ | ||
| 3323 | |||
| 3003 | /* Check to see if handshake is full or resumed. Usually this is just a | 3324 | /* Check to see if handshake is full or resumed. Usually this is just a |
| 3004 | * case of checking to see if a cache hit has occurred. In the case of | 3325 | * case of checking to see if a cache hit has occurred. In the case of |
| 3005 | * session tickets we have to check the next message to be sure. | 3326 | * session tickets we have to check the next message to be sure. |