X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=7713f767b2d309035eb98167c35ba04ba429037a;hb=79c2c741303ed188214b9299a51c837635f7e9a8;hp=f230b5ff46a9c9c8817c465ce9f77e410842d95e;hpb=f865b08143b453962ad4afccd69e698d13c60f77;p=oweals%2Fopenssl.git diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index f230b5ff46..7713f767b2 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -37,12 +37,12 @@ static SSL_CIPHER tls13_ciphers[] = { TLS1_3_RFC_AES_128_GCM_SHA256, TLS1_3_RFC_AES_128_GCM_SHA256, TLS1_3_CK_AES_128_GCM_SHA256, - 0, 0, + SSL_kANY, + SSL_aANY, SSL_AES128GCM, SSL_AEAD, TLS1_3_VERSION, TLS1_3_VERSION, - SSL_kANY, - SSL_aANY, + 0, 0, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256, 128, @@ -3466,6 +3466,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: + /* + * TODO(OpenSSL1.2) + * This API is only used for a client to set what SNI it will request + * from the server, but we currently allow it to be used on servers + * as well, which is a programming error. Currently we just clear + * the field in SSL_do_handshake() for server SSLs, but when we can + * make ABI-breaking changes, we may want to make use of this API + * an error on server SSLs. + */ if (larg == TLSEXT_NAMETYPE_host_name) { size_t len; @@ -3798,8 +3807,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { unsigned char *keys = parg; long tick_keylen = (sizeof(ctx->ext.tick_key_name) + - sizeof(ctx->ext.tick_hmac_key) + - sizeof(ctx->ext.tick_aes_key)); + sizeof(ctx->ext.secure->tick_hmac_key) + + sizeof(ctx->ext.secure->tick_aes_key)); if (keys == NULL) return tick_keylen; if (larg != tick_keylen) { @@ -3809,23 +3818,23 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { memcpy(ctx->ext.tick_key_name, keys, sizeof(ctx->ext.tick_key_name)); - memcpy(ctx->ext.tick_hmac_key, + memcpy(ctx->ext.secure->tick_hmac_key, keys + sizeof(ctx->ext.tick_key_name), - sizeof(ctx->ext.tick_hmac_key)); - memcpy(ctx->ext.tick_aes_key, + sizeof(ctx->ext.secure->tick_hmac_key)); + memcpy(ctx->ext.secure->tick_aes_key, keys + sizeof(ctx->ext.tick_key_name) + - sizeof(ctx->ext.tick_hmac_key), - sizeof(ctx->ext.tick_aes_key)); + sizeof(ctx->ext.secure->tick_hmac_key), + sizeof(ctx->ext.secure->tick_aes_key)); } else { memcpy(keys, ctx->ext.tick_key_name, sizeof(ctx->ext.tick_key_name)); memcpy(keys + sizeof(ctx->ext.tick_key_name), - ctx->ext.tick_hmac_key, - sizeof(ctx->ext.tick_hmac_key)); + ctx->ext.secure->tick_hmac_key, + sizeof(ctx->ext.secure->tick_hmac_key)); memcpy(keys + sizeof(ctx->ext.tick_key_name) + - sizeof(ctx->ext.tick_hmac_key), - ctx->ext.tick_aes_key, - sizeof(ctx->ext.tick_aes_key)); + sizeof(ctx->ext.secure->tick_hmac_key), + ctx->ext.secure->tick_aes_key, + sizeof(ctx->ext.secure->tick_aes_key)); } return 1; } @@ -4108,8 +4117,9 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, { const SSL_CIPHER *c, *ret = NULL; STACK_OF(SSL_CIPHER) *prio, *allow; - int i, ii, ok; + int i, ii, ok, prefer_sha256 = 0; unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0; + const EVP_MD *mdsha256 = EVP_sha256(); #ifndef OPENSSL_NO_CHACHA STACK_OF(SSL_CIPHER) *prio_chacha = NULL; #endif @@ -4190,7 +4200,26 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, allow = srvr; } - if (!SSL_IS_TLS13(s)) { + if (SSL_IS_TLS13(s)) { +#ifndef OPENSSL_NO_PSK + int j; + + /* + * If we allow "old" style PSK callbacks, and we have no certificate (so + * we're not going to succeed without a PSK anyway), and we're in + * TLSv1.3 then the default hash for a PSK is SHA-256 (as per the + * TLSv1.3 spec). Therefore we should prioritise ciphersuites using + * that. + */ + if (s->psk_server_callback != NULL) { + for (j = 0; j < SSL_PKEY_NUM && !ssl_has_cert(s, j); j++); + if (j == SSL_PKEY_NUM) { + /* There are no certificates */ + prefer_sha256 = 1; + } + } +#endif + } else { tls1_set_cert_validity(s); ssl_set_masks(s); } @@ -4262,6 +4291,17 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, continue; } #endif + if (prefer_sha256) { + const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii); + + if (ssl_md(tmp->algorithm2) == mdsha256) { + ret = tmp; + break; + } + if (ret == NULL) + ret = tmp; + continue; + } ret = sk_SSL_CIPHER_value(allow, ii); break; } @@ -4524,12 +4564,12 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, unsigned char *p = result; l2n(Time, p); - ret = ssl_randbytes(s, p, len - 4); + ret = RAND_bytes(p, len - 4); } else { - ret = ssl_randbytes(s, result, len); + ret = RAND_bytes(result, len); } -#ifndef OPENSSL_NO_TLS13DOWNGRADE - if (ret) { + + if (ret > 0) { if (!ossl_assert(sizeof(tls11downgrade) < len) || !ossl_assert(sizeof(tls12downgrade) < len)) return 0; @@ -4540,7 +4580,7 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, memcpy(result + len - sizeof(tls11downgrade), tls11downgrade, sizeof(tls11downgrade)); } -#endif + return ret; } @@ -4581,6 +4621,7 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, if (!s->method->ssl3_enc->generate_master_secret(s, s->session->master_key,pskpms, pskpmslen, &s->session->master_key_length)) { + OPENSSL_clear_free(pskpms, pskpmslen); /* SSLfatal() already called */ goto err; }