X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Ft1_lib.c;h=d56456e14dfdd26c057c81d1f37a2c330eb585c3;hb=7ecd974f5f1bb38de6c47c188c8709b86b809245;hp=05eb2477b51d3830dbbdb2d3ee1b8b8cc99f9698;hpb=725745d1056d616f7aeeee15b84d383bf16c1d58;p=oweals%2Fopenssl.git diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 05eb2477b5..d56456e14d 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -174,9 +174,10 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha ret+=size_str; } - - /* Add the renegotiation option: TODOEKR switch */ - { + + /* Add RI if renegotiating */ + if (s->new_session) + { int el; if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) @@ -350,32 +351,17 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in unsigned short len; unsigned char *data = *p; int renegotiate_seen = 0; - int need_ri; s->servername_done = 0; s->tlsext_status_type = -1; - /* Need RI if renegotiating unless legacy renegotiation allowed */ - if (s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION - || !s->new_session) - need_ri = 0; - else - need_ri = 1; if (data >= (d+n-2)) - { - if (!need_ri) - return 1; - /* We need to see at least one extension: RI */ - /* FIXME: Spec currently doesn't give alert to use */ - *al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, - SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } + goto ri_check; + n2s(data,len); if (data > (d+n-len)) - return 1; + goto ri_check; while (data <= (d+n-4)) { @@ -383,7 +369,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in n2s(data,size); if (data+size > (d+n)) - return 1; + goto ri_check; if (s->tlsext_debug_cb) s->tlsext_debug_cb(s, 0, type, data, size, @@ -446,14 +432,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in switch (servname_type) { case TLSEXT_NAMETYPE_host_name: - if (s->session->tlsext_hostname == NULL) + if (!s->hit) { - if (len > TLSEXT_MAXLEN_host_name || - ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) + if(s->session->tlsext_hostname) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + if (len > TLSEXT_MAXLEN_host_name) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } + if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { @@ -466,7 +461,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } else - s->servername_done = strlen(s->session->tlsext_hostname) == len + s->servername_done = s->session->tlsext_hostname + && strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break; @@ -525,6 +521,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } n2s(data, idsize); dsize -= 2 + idsize; + size -= 2 + idsize; if (dsize < 0) { *al = SSL_AD_DECODE_ERROR; @@ -563,9 +560,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } /* Read in request_extensions */ + if (size < 2) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } n2s(data,dsize); size -= 2; - if (dsize > size) + if (dsize != size) { *al = SSL_AD_DECODE_ERROR; return 0; @@ -573,6 +575,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in sdata = data; if (dsize > 0) { + if (s->tlsext_ocsp_exts) + { + sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, + X509_EXTENSION_free); + } + s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, &sdata, dsize); @@ -595,63 +603,50 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in data+=size; } + *p = data; + + ri_check: + + /* Need RI if renegotiating */ - if (need_ri && !renegotiate_seen) + if (!renegotiate_seen && s->new_session && + !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { - /* FIXME: Spec currently doesn't give alert to use */ - *al = SSL_AD_ILLEGAL_PARAMETER; + *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); return 0; } - *p = data; return 1; } int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) { + unsigned short length; unsigned short type; unsigned short size; - unsigned short len; unsigned char *data = *p; int tlsext_servername = 0; int renegotiate_seen = 0; - int need_ri; - /* Determine if we need to see RI. Strictly speaking if we want to - * avoid an attack we should *always* see RI even on initial server - * hello because the client doesn't see any renegotiation during an - * attack. However this would mean we could not connect to any server - * which doesn't support RI so for the immediate future tolerate RI - * absence on initial connect only. - */ - if (s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION || - !s->new_session) - need_ri = 0; - else - need_ri = 1; if (data >= (d+n-2)) + goto ri_check; + + n2s(data,length); + if (data+length != d+n) { - if (!need_ri) - return 1; - /* We need to see at least one extension: RI */ - /* FIXME: Spec currently doesn't give alert to use */ - *al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, - SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + *al = SSL_AD_DECODE_ERROR; return 0; } - n2s(data,len); - while(data <= (d+n-4)) { n2s(data,type); n2s(data,size); if (data+size > (d+n)) - return 1; + goto ri_check; if (s->tlsext_debug_cb) s->tlsext_debug_cb(s, 1, type, data, size, @@ -705,15 +700,6 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in return 0; } - if (!renegotiate_seen && need_ri) - { - /* FIXME: Spec currently doesn't give alert to use */ - *al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, - SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); - return 0; - } - if (!s->hit && tlsext_servername == 1) { if (s->tlsext_hostname) @@ -736,10 +722,30 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } *p = data; + + ri_check: + + /* Determine if we need to see RI. Strictly speaking if we want to + * avoid an attack we should *always* see RI even on initial server + * hello because the client doesn't see any renegotiation during an + * attack. However this would mean we could not connect to any server + * which doesn't support RI so for the immediate future tolerate RI + * absence on initial connect only. + */ + if (!renegotiate_seen + && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) + && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + { + *al = SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + return 0; + } + return 1; } -int ssl_check_clienthello_tlsext(SSL *s) +int ssl_check_clienthello_tlsext_early(SSL *s) { int ret=SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; @@ -749,13 +755,49 @@ int ssl_check_clienthello_tlsext(SSL *s) else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); + switch (ret) + { + case SSL_TLSEXT_ERR_ALERT_FATAL: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return -1; + + case SSL_TLSEXT_ERR_ALERT_WARNING: + ssl3_send_alert(s, SSL3_AL_WARNING, al); + return 1; + + case SSL_TLSEXT_ERR_NOACK: + s->servername_done = 0; + + default: + return 1; + } + } + +int ssl_check_clienthello_tlsext_late(SSL *s) + { + int ret = SSL_TLSEXT_ERR_OK; + int al; + /* If status request then ask callback what to do. * Note: this must be called after servername callbacks in case - * the certificate has changed. + * the certificate has changed, and must be called after the cipher + * has been chosen because this may influence which certificate is sent */ - if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb) + if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb) { int r; + CERT_PKEY *certpkey; + certpkey = ssl_get_server_send_pkey(s); + /* If no certificate can't return certificate status */ + if (certpkey == NULL) + { + s->tlsext_status_expected = 0; + return 1; + } + /* Set current certificate to one we will use so + * SSL_get_certificate et al can pick it up. + */ + s->cert->key = certpkey; r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); switch (r) { @@ -779,7 +821,8 @@ int ssl_check_clienthello_tlsext(SSL *s) } else s->tlsext_status_expected = 0; - err: + + err: switch (ret) { case SSL_TLSEXT_ERR_ALERT_FATAL: @@ -789,11 +832,9 @@ int ssl_check_clienthello_tlsext(SSL *s) case SSL_TLSEXT_ERR_ALERT_WARNING: ssl3_send_alert(s,SSL3_AL_WARNING,al); return 1; - - case SSL_TLSEXT_ERR_NOACK: - s->servername_done=0; - default: - return 1; + + default: + return 1; } } @@ -971,7 +1012,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, HMAC_Update(&hctx, etick, eticklen); HMAC_Final(&hctx, tick_hmac, NULL); HMAC_CTX_cleanup(&hctx); - if (memcmp(tick_hmac, etick + eticklen, mlen)) + if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) goto tickerr; /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */