X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Frecord%2Fssl3_record.c;h=ae510b2ec9a56e34e2584bf57eda0386c8a0acf5;hb=66fab92316c913c781b2a274900d9d1e6a206ed0;hp=213f00104d488e8f6e1de7d6f48064532299c3ab;hpb=921d84a0ad2e70ad91b6e1b06573e97162387f8a;p=oweals%2Fopenssl.git diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 213f00104d..ae510b2ec9 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -270,13 +270,14 @@ int ssl3_get_record(SSL *s) thisrr->rec_version = version; /* - * Lets check version. In TLSv1.3 we ignore this field. For the + * Lets check version. In TLSv1.3 we only check this field + * when encryption is occurring (see later check). For the * ServerHello after an HRR we haven't actually selected TLSv1.3 * yet, but we still treat it as TLSv1.3, so we must check for * that explicitly */ if (!s->first_packet && !SSL_IS_TLS13(s) - && !s->hello_retry_request + && s->hello_retry_request != SSL_HRR_PENDING && version != (unsigned int)s->version) { if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash) { @@ -333,11 +334,19 @@ int ssl3_get_record(SSL *s) } } - if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL - && thisrr->type != SSL3_RT_APPLICATION_DATA) { - SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, - SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); - return -1; + if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) { + if (thisrr->type != SSL3_RT_APPLICATION_DATA + && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC + || !SSL_IS_FIRST_HANDSHAKE(s))) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); + return -1; + } + if (thisrr->rec_version != TLS1_2_VERSION) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; + } } if (thisrr->length > @@ -444,6 +453,36 @@ int ssl3_get_record(SSL *s) & EVP_CIPH_FLAG_PIPELINE) && ssl3_record_app_data_waiting(s)); + if (num_recs == 1 + && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC + && (SSL_IS_TLS13(s) || s->hello_retry_request != SSL_HRR_NONE) + && SSL_IS_FIRST_HANDSHAKE(s)) { + /* + * CCS messages must be exactly 1 byte long, containing the value 0x01 + */ + if (thisrr->length != 1 || thisrr->data[0] != 0x01) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL3_GET_RECORD, + SSL_R_INVALID_CCS_MESSAGE); + return -1; + } + /* + * CCS messages are ignored in TLSv1.3. We treat it like an empty + * handshake record + */ + thisrr->type = SSL3_RT_HANDSHAKE; + RECORD_LAYER_inc_empty_record_count(&s->rlayer); + if (RECORD_LAYER_get_empty_record_count(&s->rlayer) + > MAX_EMPTY_RECORDS) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_UNEXPECTED_CCS_MESSAGE); + return -1; + } + thisrr->read = 1; + RECORD_LAYER_set_numrpipes(&s->rlayer, 1); + + return 1; + } + /* * If in encrypt-then-mac mode calculate mac from encrypted record. All * the details below are public so no timing details can leak. @@ -517,7 +556,7 @@ int ssl3_get_record(SSL *s) return -1; } #ifdef SSL_DEBUG - printf("dec %"OSSLzu"\n", rr[0].length); + printf("dec %lu\n", (unsigned long)rr[0].length); { size_t z; for (z = 0; z < rr[0].length; z++) @@ -933,7 +972,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); return -1; - } else if (ssl_randbytes(s, recs[ctr].input, ivlen) <= 0) { + } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); return -1; @@ -1217,7 +1256,7 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0 || EVP_DigestUpdate(md_ctx, md, md_size) <= 0 || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) { - EVP_MD_CTX_reset(md_ctx); + EVP_MD_CTX_free(md_ctx); return 0; } @@ -1258,8 +1297,10 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) mac_ctx = hash; } else { hmac = EVP_MD_CTX_new(); - if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash)) + if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash)) { + EVP_MD_CTX_free(hmac); return 0; + } mac_ctx = hmac; } @@ -1841,12 +1882,17 @@ int dtls1_get_record(SSL *s) p += 6; n2s(p, rr->length); + rr->read = 0; - /* Lets check version */ - if (!s->first_packet) { + /* + * Lets check the version. We tolerate alerts that don't have the exact + * version number (e.g. because of protocol version errors) + */ + if (!s->first_packet && rr->type != SSL3_RT_ALERT) { if (version != s->version) { /* unexpected version, silently discard */ rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1855,6 +1901,7 @@ int dtls1_get_record(SSL *s) if ((version & 0xff00) != (s->version & 0xff00)) { /* wrong version, silently discard record */ rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1862,6 +1909,7 @@ int dtls1_get_record(SSL *s) if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { /* record too long, silently discard it */ rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1871,6 +1919,7 @@ int dtls1_get_record(SSL *s) && rr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { /* record too long, silently discard it */ rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1892,6 +1941,7 @@ int dtls1_get_record(SSL *s) return -1; } rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1922,6 +1972,7 @@ int dtls1_get_record(SSL *s) */ if (!dtls1_record_replay_check(s, bitmap)) { rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } @@ -1930,8 +1981,10 @@ int dtls1_get_record(SSL *s) #endif /* just read a 0 length packet */ - if (rr->length == 0) + if (rr->length == 0) { + rr->read = 1; goto again; + } /* * If this record is from the next epoch (either HM or ALERT), and a @@ -1948,6 +2001,7 @@ int dtls1_get_record(SSL *s) } } rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1958,6 +2012,7 @@ int dtls1_get_record(SSL *s) return -1; } rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ }