X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_srvr.c;h=0d68e4b1cf90961413fd39f4e8ce81bc31b97714;hb=b67cb09f8ddf258cf326f3e7b20be095fb53457c;hp=0f05ccbad9a99719a7b88e8acc75920de148bc18;hpb=0089cc7f9d42f6e39872161199fb8b6a99da2492;p=thirdparty%2Fopenssl.git diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 0f05ccbad9..0d68e4b1cf 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -26,6 +26,7 @@ #include #include #include +#include #define TICKET_NONCE_SIZE 8 @@ -43,7 +44,8 @@ ASN1_SEQUENCE(GOST_KX_MESSAGE) = { IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE) -static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt); +static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s, + WPACKET *pkt); /* * ossl_statem_server13_read_transition() encapsulates the logic for the allowed @@ -54,7 +56,7 @@ static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt); * Return values are 1 for success (transition allowed) and 0 on error * (transition not allowed) */ -static int ossl_statem_server13_read_transition(SSL *s, int mt) +static int ossl_statem_server13_read_transition(SSL_CONNECTION *s, int mt) { OSSL_STATEM *st = &s->statem; @@ -90,6 +92,13 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt) st->hand_state = TLS_ST_SR_CERT; return 1; } +#ifndef OPENSSL_NO_COMP_ALG + if (mt == SSL3_MT_COMPRESSED_CERTIFICATE + && s->ext.compress_certificate_sent) { + st->hand_state = TLS_ST_SR_COMP_CERT; + return 1; + } +#endif } else { if (mt == SSL3_MT_FINISHED) { st->hand_state = TLS_ST_SR_FINISHED; @@ -98,6 +107,7 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt) } break; + case TLS_ST_SR_COMP_CERT: case TLS_ST_SR_CERT: if (s->session->peer == NULL) { if (mt == SSL3_MT_FINISHED) { @@ -127,10 +137,18 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt) if (s->early_data_state == SSL_EARLY_DATA_READING) break; - if (mt == SSL3_MT_CERTIFICATE - && s->post_handshake_auth == SSL_PHA_REQUESTED) { - st->hand_state = TLS_ST_SR_CERT; - return 1; + if (s->post_handshake_auth == SSL_PHA_REQUESTED) { + if (mt == SSL3_MT_CERTIFICATE) { + st->hand_state = TLS_ST_SR_CERT; + return 1; + } +#ifndef OPENSSL_NO_COMP_ALG + if (mt == SSL3_MT_COMPRESSED_CERTIFICATE + && s->ext.compress_certificate_sent) { + st->hand_state = TLS_ST_SR_COMP_CERT; + return 1; + } +#endif } if (mt == SSL3_MT_KEY_UPDATE) { @@ -153,11 +171,11 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt) * Return values are 1 for success (transition allowed) and 0 on error * (transition not allowed) */ -int ossl_statem_server_read_transition(SSL *s, int mt) +int ossl_statem_server_read_transition(SSL_CONNECTION *s, int mt) { OSSL_STATEM *st = &s->statem; - if (SSL_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s)) { if (!ossl_statem_server13_read_transition(s, mt)) goto err; return 1; @@ -295,7 +313,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt) err: /* No valid transition found */ - if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { + if (SSL_CONNECTION_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { BIO *rbio; /* @@ -304,7 +322,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt) */ s->init_num = 0; s->rwstate = SSL_READING; - rbio = SSL_get_rbio(s); + rbio = SSL_get_rbio(SSL_CONNECTION_GET_SSL(s)); BIO_clear_retry_flags(rbio); BIO_set_retry_read(rbio); return 0; @@ -320,7 +338,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt) * 1: Yes * 0: No */ -static int send_server_key_exchange(SSL *s) +static int send_server_key_exchange(SSL_CONNECTION *s) { unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey; @@ -355,6 +373,27 @@ static int send_server_key_exchange(SSL *s) return 0; } +/* + * Used to determine if we shoud send a CompressedCertificate message + * + * Returns the algorithm to use, TLSEXT_comp_cert_none means no compression + */ +static int get_compressed_certificate_alg(SSL_CONNECTION *sc) +{ +#ifndef OPENSSL_NO_COMP_ALG + int *alg = sc->ext.compress_certificate_from_peer; + + if (sc->s3.tmp.cert == NULL) + return TLSEXT_comp_cert_none; + + for (; *alg != TLSEXT_comp_cert_none; alg++) { + if (sc->s3.tmp.cert->comp_cert[*alg] != NULL) + return *alg; + } +#endif + return TLSEXT_comp_cert_none; +} + /* * Should we send a CertificateRequest message? * @@ -362,7 +401,7 @@ static int send_server_key_exchange(SSL *s) * 1: Yes * 0: No */ -int send_certificate_request(SSL *s) +int send_certificate_request(SSL_CONNECTION *s) { if ( /* don't request cert unless asked for it: */ @@ -371,7 +410,8 @@ int send_certificate_request(SSL *s) * don't request if post-handshake-only unless doing * post-handshake in TLSv1.3: */ - && (!SSL_IS_TLS13(s) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE) + && (!SSL_CONNECTION_IS_TLS13(s) + || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE) || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) /* * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert @@ -409,7 +449,7 @@ int send_certificate_request(SSL *s) * move to next when a TLSv1.3 server is writing messages to be sent to the * client. */ -static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) +static WRITE_TRAN ossl_statem_server13_write_transition(SSL_CONNECTION *s) { OSSL_STATEM *st = &s->statem; @@ -466,6 +506,8 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) st->hand_state = TLS_ST_SW_FINISHED; else if (send_certificate_request(s)) st->hand_state = TLS_ST_SW_CERT_REQ; + else if (get_compressed_certificate_alg(s) != TLSEXT_comp_cert_none) + st->hand_state = TLS_ST_SW_COMP_CERT; else st->hand_state = TLS_ST_SW_CERT; @@ -475,11 +517,14 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { s->post_handshake_auth = SSL_PHA_REQUESTED; st->hand_state = TLS_ST_OK; + } else if (get_compressed_certificate_alg(s) != TLSEXT_comp_cert_none) { + st->hand_state = TLS_ST_SW_COMP_CERT; } else { st->hand_state = TLS_ST_SW_CERT; } return WRITE_TRAN_CONTINUE; + case TLS_ST_SW_COMP_CERT: case TLS_ST_SW_CERT: st->hand_state = TLS_ST_SW_CERT_VRFY; return WRITE_TRAN_CONTINUE; @@ -541,7 +586,7 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) * ossl_statem_server_write_transition() works out what handshake state to move * to next when the server is writing messages to be sent to the client. */ -WRITE_TRAN ossl_statem_server_write_transition(SSL *s) +WRITE_TRAN ossl_statem_server_write_transition(SSL_CONNECTION *s) { OSSL_STATEM *st = &s->statem; @@ -550,7 +595,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) * to negotiate yet, so we don't take this branch until later */ - if (SSL_IS_TLS13(s)) + if (SSL_CONNECTION_IS_TLS13(s)) return ossl_statem_server13_write_transition(s); switch (st->hand_state) { @@ -582,8 +627,8 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; case TLS_ST_SR_CLNT_HELLO: - if (SSL_IS_DTLS(s) && !s->d1->cookie_verified - && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) { + if (SSL_CONNECTION_IS_DTLS(s) && !s->d1->cookie_verified + && (SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_COOKIE_EXCHANGE)) { st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST; } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { /* We must have rejected the renegotiation */ @@ -679,9 +724,10 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) * Perform any pre work that needs to be done prior to sending a message from * the server to the client. */ -WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) +WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst) { OSSL_STATEM *st = &s->statem; + SSL *ssl = SSL_CONNECTION_GET_SSL(s); switch (st->hand_state) { default: @@ -690,13 +736,13 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) case TLS_ST_SW_HELLO_REQ: s->shutdown = 0; - if (SSL_IS_DTLS(s)) + if (SSL_CONNECTION_IS_DTLS(s)) dtls1_clear_sent_buffer(s); break; case DTLS_ST_SW_HELLO_VERIFY_REQUEST: s->shutdown = 0; - if (SSL_IS_DTLS(s)) { + if (SSL_CONNECTION_IS_DTLS(s)) { dtls1_clear_sent_buffer(s); /* We don't buffer this message so don't use the timer */ st->use_timer = 0; @@ -704,7 +750,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) break; case TLS_ST_SW_SRVR_HELLO: - if (SSL_IS_DTLS(s)) { + if (SSL_CONNECTION_IS_DTLS(s)) { /* * Messages we write from now on should be buffered and * retransmitted if necessary, so we need to use the timer now @@ -715,7 +761,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) case TLS_ST_SW_SRVR_DONE: #ifndef OPENSSL_NO_SCTP - if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) { + if (SSL_CONNECTION_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(ssl))) { /* Calls SSLfatal() as required */ return dtls_wait_for_dry(s); } @@ -723,7 +769,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) return WORK_FINISHED_CONTINUE; case TLS_ST_SW_SESSION_TICKET: - if (SSL_IS_TLS13(s) && s->sent_tickets == 0 + if (SSL_CONNECTION_IS_TLS13(s) && s->sent_tickets == 0 && s->ext.extra_tickets_expected == 0) { /* * Actually this is the end of the handshake, but we're going @@ -734,7 +780,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) */ return tls_finish_handshake(s, wst, 0, 0); } - if (SSL_IS_DTLS(s)) { + if (SSL_CONNECTION_IS_DTLS(s)) { /* * We're into the last flight. We don't retransmit the last flight * unless we need to, so we don't use the timer @@ -744,7 +790,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) break; case TLS_ST_SW_CHANGE: - if (SSL_IS_TLS13(s)) + if (SSL_CONNECTION_IS_TLS13(s)) break; /* Writes to s->session are only safe for initial handshakes */ if (s->session->cipher == NULL) { @@ -753,11 +799,11 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return WORK_ERROR; } - if (!s->method->ssl3_enc->setup_key_block(s)) { + if (!ssl->method->ssl3_enc->setup_key_block(s)) { /* SSLfatal() already called */ return WORK_ERROR; } - if (SSL_IS_DTLS(s)) { + if (SSL_CONNECTION_IS_DTLS(s)) { /* * We're into the last flight. We don't retransmit the last flight * unless we need to, so we don't use the timer. This might have @@ -806,9 +852,10 @@ static ossl_inline int conn_is_closed(void) * Perform any work that needs to be done after sending a message from the * server to the client. */ -WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) +WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) { OSSL_STATEM *st = &s->statem; + SSL *ssl = SSL_CONNECTION_GET_SSL(s); s->init_num = 0; @@ -842,14 +889,15 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) break; case TLS_ST_SW_SRVR_HELLO: - if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) { + if (SSL_CONNECTION_IS_TLS13(s) + && s->hello_retry_request == SSL_HRR_PENDING) { if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0 && statem_flush(s) != 1) return WORK_MORE_A; break; } #ifndef OPENSSL_NO_SCTP - if (SSL_IS_DTLS(s) && s->hit) { + if (SSL_CONNECTION_IS_DTLS(s) && s->hit) { unsigned char sctpauthkey[64]; char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; size_t labellen; @@ -866,7 +914,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) labellen += 1; - if (SSL_export_keying_material(s, sctpauthkey, + if (SSL_export_keying_material(ssl, sctpauthkey, sizeof(sctpauthkey), labelbuffer, labellen, NULL, 0, 0) <= 0) { @@ -874,11 +922,11 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) return WORK_ERROR; } - BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, + BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, sizeof(sctpauthkey), sctpauthkey); } #endif - if (!SSL_IS_TLS13(s) + if (!SSL_CONNECTION_IS_TLS13(s) || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 && s->hello_retry_request != SSL_HRR_COMPLETE)) break; @@ -891,16 +939,16 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) break; } - if (SSL_IS_TLS13(s)) { - if (!s->method->ssl3_enc->setup_key_block(s) - || !s->method->ssl3_enc->change_cipher_state(s, + if (SSL_CONNECTION_IS_TLS13(s)) { + if (!ssl->method->ssl3_enc->setup_key_block(s) + || !ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) { /* SSLfatal() already called */ return WORK_ERROR; } if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED - && !s->method->ssl3_enc->change_cipher_state(s, + && !ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) { /* SSLfatal() already called */ return WORK_ERROR; @@ -910,28 +958,28 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) * is an unencrypted alert, an encrypted alert, or an encrypted * handshake message. We temporarily tolerate unencrypted alerts. */ - s->statem.enc_read_state = ENC_READ_STATE_ALLOW_PLAIN_ALERTS; + if (s->rlayer.rrlmethod->set_plain_alerts != NULL) + s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 1); break; } #ifndef OPENSSL_NO_SCTP - if (SSL_IS_DTLS(s) && !s->hit) { + if (SSL_CONNECTION_IS_DTLS(s) && !s->hit) { /* * Change to new shared key of SCTP-Auth, will be ignored if * no SCTP used. */ - BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, + BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); } #endif - if (!s->method->ssl3_enc->change_cipher_state(s, - SSL3_CHANGE_CIPHER_SERVER_WRITE)) - { + if (!ssl->method->ssl3_enc->change_cipher_state(s, + SSL3_CHANGE_CIPHER_SERVER_WRITE)) { /* SSLfatal() already called */ return WORK_ERROR; } - if (SSL_IS_DTLS(s)) + if (SSL_CONNECTION_IS_DTLS(s)) dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); break; @@ -944,22 +992,22 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) if (statem_flush(s) != 1) return WORK_MORE_A; #ifndef OPENSSL_NO_SCTP - if (SSL_IS_DTLS(s) && s->hit) { + if (SSL_CONNECTION_IS_DTLS(s) && s->hit) { /* * Change to new shared key of SCTP-Auth, will be ignored if * no SCTP used. */ - BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, + BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); } #endif - if (SSL_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s)) { /* TLS 1.3 gets the secret size from the handshake md */ size_t dummy; - if (!s->method->ssl3_enc->generate_master_secret(s, + if (!ssl->method->ssl3_enc->generate_master_secret(s, s->master_secret, s->handshake_secret, 0, &dummy) - || !s->method->ssl3_enc->change_cipher_state(s, + || !ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE)) /* SSLfatal() already called */ return WORK_ERROR; @@ -970,6 +1018,18 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { if (statem_flush(s) != 1) return WORK_MORE_A; + } else { + if (!SSL_CONNECTION_IS_TLS13(s) + || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) + s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; + } + break; + + case TLS_ST_SW_ENCRYPTED_EXTENSIONS: + if (!s->hit && !send_certificate_request(s)) { + if (!SSL_CONNECTION_IS_TLS13(s) + || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) + s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; } break; @@ -984,8 +1044,8 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) case TLS_ST_SW_SESSION_TICKET: clear_sys_error(); - if (SSL_IS_TLS13(s) && statem_flush(s) != 1) { - if (SSL_get_error(s, 0) == SSL_ERROR_SYSCALL + if (SSL_CONNECTION_IS_TLS13(s) && statem_flush(s) != 1) { + if (SSL_get_error(ssl, 0) == SSL_ERROR_SYSCALL && conn_is_closed()) { /* * We ignore connection closed errors in TLSv1.3 when sending a @@ -1014,7 +1074,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) * 1: Success * 0: Error */ -int ossl_statem_server_construct_message(SSL *s, +int ossl_statem_server_construct_message(SSL_CONNECTION *s, confunc_f *confunc, int *mt) { OSSL_STATEM *st = &s->statem; @@ -1026,7 +1086,7 @@ int ossl_statem_server_construct_message(SSL *s, return 0; case TLS_ST_SW_CHANGE: - if (SSL_IS_DTLS(s)) + if (SSL_CONNECTION_IS_DTLS(s)) *confunc = dtls_construct_change_cipher_spec; else *confunc = tls_construct_change_cipher_spec; @@ -1054,6 +1114,13 @@ int ossl_statem_server_construct_message(SSL *s, *mt = SSL3_MT_CERTIFICATE; break; +#ifndef OPENSSL_NO_COMP_ALG + case TLS_ST_SW_COMP_CERT: + *confunc = tls_construct_server_compressed_certificate; + *mt = SSL3_MT_COMPRESSED_CERTIFICATE; + break; +#endif + case TLS_ST_SW_CERT_VRFY: *confunc = tls_construct_cert_verify; *mt = SSL3_MT_CERTIFICATE_VERIFY; @@ -1133,7 +1200,7 @@ int ossl_statem_server_construct_message(SSL *s, * Returns the maximum allowed length for the current message that we are * reading. Excludes the message header. */ -size_t ossl_statem_server_max_message_size(SSL *s) +size_t ossl_statem_server_max_message_size(SSL_CONNECTION *s) { OSSL_STATEM *st = &s->statem; @@ -1148,6 +1215,7 @@ size_t ossl_statem_server_max_message_size(SSL *s) case TLS_ST_SR_END_OF_EARLY_DATA: return END_OF_EARLY_DATA_MAX_LENGTH; + case TLS_ST_SR_COMP_CERT: case TLS_ST_SR_CERT: return s->max_cert_list; @@ -1176,7 +1244,8 @@ size_t ossl_statem_server_max_message_size(SSL *s) /* * Process a message that the server has received from the client. */ -MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) +MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL_CONNECTION *s, + PACKET *pkt) { OSSL_STATEM *st = &s->statem; @@ -1195,6 +1264,11 @@ MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) case TLS_ST_SR_CERT: return tls_process_client_certificate(s, pkt); +#ifndef OPENSSL_NO_COMP_ALG + case TLS_ST_SR_COMP_CERT: + return tls_process_client_compressed_certificate(s, pkt); +#endif + case TLS_ST_SR_KEY_EXCH: return tls_process_client_key_exchange(s, pkt); @@ -1222,7 +1296,8 @@ MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) * Perform any further processing required following the receipt of a message * from the client */ -WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) +WORK_STATE ossl_statem_server_post_process_message(SSL_CONNECTION *s, + WORK_STATE wst) { OSSL_STATEM *st = &s->statem; @@ -1242,7 +1317,7 @@ WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) #ifndef OPENSSL_NO_SRP /* Returns 1 on success, 0 for retryable error, -1 for fatal error */ -static int ssl_check_srp_ext_ClientHello(SSL *s) +static int ssl_check_srp_ext_ClientHello(SSL_CONNECTION *s) { int ret; int al = SSL_AD_UNRECOGNIZED_NAME; @@ -1285,25 +1360,28 @@ int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, return 1; } -int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) +CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s, + WPACKET *pkt) { unsigned int cookie_leni; - if (s->ctx->app_gen_cookie_cb == NULL || - s->ctx->app_gen_cookie_cb(s, s->d1->cookie, - &cookie_leni) == 0 || - cookie_leni > DTLS1_COOKIE_LENGTH) { + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); + + if (sctx->app_gen_cookie_cb == NULL + || sctx->app_gen_cookie_cb(SSL_CONNECTION_GET_SSL(s), s->d1->cookie, + &cookie_leni) == 0 + || cookie_leni > DTLS1_COOKIE_LENGTH) { SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); - return 0; + return CON_FUNC_ERROR; } s->d1->cookie_len = cookie_leni; if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie, - s->d1->cookie_len)) { + s->d1->cookie_len)) { SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } - return 1; + return CON_FUNC_SUCCESS; } /*- @@ -1320,7 +1398,8 @@ int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from * 10.8..10.8.3 (which don't work). */ -static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) +static void ssl_check_for_safari(SSL_CONNECTION *s, + const CLIENTHELLO_MSG *hello) { static const unsigned char kSafariExtensionsBlock[] = { 0x00, 0x0a, /* elliptic_curves extension */ @@ -1361,8 +1440,9 @@ static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) if (type != TLSEXT_TYPE_server_name) return; - ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ? - sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength; + ext_len = TLS1_get_client_version( + SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION ? + sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength; s->s3.is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock, ext_len); @@ -1372,7 +1452,7 @@ static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) ((options & SSL_OP_NO_RENEGOTIATION) == 0 \ && (options & SSL_OP_ALLOW_CLIENT_RENEGOTIATION) != 0) -MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) +MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) { /* |cookie| will only be initialized for DTLS. */ PACKET session_id, compression, extensions, cookie; @@ -1381,7 +1461,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) /* Check if this is actually an unexpected renegotiation ClientHello */ if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { - if (!ossl_assert(!SSL_IS_TLS13(s))) { + if (!ossl_assert(!SSL_CONNECTION_IS_TLS13(s))) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -1511,7 +1591,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) goto err; } - if (SSL_IS_DTLS(s)) { + if (SSL_CONNECTION_IS_DTLS(s)) { if (!PACKET_get_length_prefixed_1(pkt, &cookie)) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); goto err; @@ -1527,7 +1607,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * just return since we do not want to allocate any memory yet. * So check cookie length... */ - if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { + if (SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_COOKIE_EXCHANGE) { if (clienthello->dtls_cookie_len == 0) { OPENSSL_free(clienthello); return MSG_PROCESS_FINISHED_READING; @@ -1584,7 +1664,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) return MSG_PROCESS_ERROR; } -static int tls_early_post_process_client_hello(SSL *s) +static int tls_early_post_process_client_hello(SSL_CONNECTION *s) { unsigned int j; int i, al = SSL_AD_INTERNAL_ERROR; @@ -1599,12 +1679,14 @@ static int tls_early_post_process_client_hello(SSL *s) STACK_OF(SSL_CIPHER) *scsvs = NULL; CLIENTHELLO_MSG *clienthello = s->clienthello; DOWNGRADE dgrd = DOWNGRADE_NONE; + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); + SSL *ssl = SSL_CONNECTION_GET_SSL(s); /* Finished parsing the ClientHello, now we can start processing it */ /* Give the ClientHello callback a crack at things */ - if (s->ctx->client_hello_cb != NULL) { + if (sctx->client_hello_cb != NULL) { /* A failure in the ClientHello callback terminates the connection. */ - switch (s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg)) { + switch (sctx->client_hello_cb(ssl, &al, sctx->client_hello_cb_arg)) { case SSL_CLIENT_HELLO_SUCCESS: break; case SSL_CLIENT_HELLO_RETRY: @@ -1640,9 +1722,9 @@ static int tls_early_post_process_client_hello(SSL *s) * Do SSL/TLS version negotiation if applicable. For DTLS we just check * versions are potentially compatible. Version negotiation comes later. */ - if (!SSL_IS_DTLS(s)) { + if (!SSL_CONNECTION_IS_DTLS(s)) { protverr = ssl_choose_server_version(s, clienthello, &dgrd); - } else if (s->method->version != DTLS_ANY_VERSION && + } else if (ssl->method->version != DTLS_ANY_VERSION && DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) { protverr = SSL_R_VERSION_TOO_LOW; } else { @@ -1659,16 +1741,17 @@ static int tls_early_post_process_client_hello(SSL *s) } /* TLSv1.3 specifies that a ClientHello must end on a record boundary */ - if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { + if (SSL_CONNECTION_IS_TLS13(s) + && RECORD_LAYER_processed_read_pending(&s->rlayer)) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); goto err; } - if (SSL_IS_DTLS(s)) { + if (SSL_CONNECTION_IS_DTLS(s)) { /* Empty cookie was already handled above by returning early. */ - if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { - if (s->ctx->app_verify_cookie_cb != NULL) { - if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie, + if (SSL_get_options(ssl) & SSL_OP_COOKIE_EXCHANGE) { + if (sctx->app_verify_cookie_cb != NULL) { + if (sctx->app_verify_cookie_cb(ssl, clienthello->dtls_cookie, clienthello->dtls_cookie_len) == 0) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_COOKIE_MISMATCH); @@ -1684,7 +1767,7 @@ static int tls_early_post_process_client_hello(SSL *s) } s->d1->cookie_verified = 1; } - if (s->method->version == DTLS_ANY_VERSION) { + if (ssl->method->version == DTLS_ANY_VERSION) { protverr = ssl_choose_server_version(s, clienthello, &dgrd); if (protverr != 0) { s->version = s->client_version; @@ -1698,8 +1781,8 @@ static int tls_early_post_process_client_hello(SSL *s) if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites, clienthello->isv2) || - !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs, - clienthello->isv2, 1)) { + !ossl_bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, + &scsvs, clienthello->isv2, 1)) { /* SSLfatal() already called */ goto err; } @@ -1734,9 +1817,9 @@ static int tls_early_post_process_client_hello(SSL *s) } /* For TLSv1.3 we must select the ciphersuite *before* session resumption */ - if (SSL_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s)) { const SSL_CIPHER *cipher = - ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); + ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(ssl)); if (cipher == NULL) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER); @@ -1803,7 +1886,7 @@ static int tls_early_post_process_client_hello(SSL *s) } } - if (SSL_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s)) { memcpy(s->tmp_session_id, s->clienthello->session_id, s->clienthello->session_id_len); s->tmp_session_id_len = s->clienthello->session_id_len; @@ -1813,7 +1896,7 @@ static int tls_early_post_process_client_hello(SSL *s) * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check * ciphersuite compatibility with the session as part of resumption. */ - if (!SSL_IS_TLS13(s) && s->hit) { + if (!SSL_CONNECTION_IS_TLS13(s) && s->hit) { j = 0; id = s->session->cipher->id; @@ -1882,9 +1965,9 @@ static int tls_early_post_process_client_hello(SSL *s) if (!s->hit && s->version >= TLS1_VERSION - && !SSL_IS_TLS13(s) - && !SSL_IS_DTLS(s) - && s->ext.session_secret_cb) { + && !SSL_CONNECTION_IS_TLS13(s) + && !SSL_CONNECTION_IS_DTLS(s) + && s->ext.session_secret_cb != NULL) { const SSL_CIPHER *pref_cipher = NULL; /* * s->session->master_key_length is a size_t, but this is an int for @@ -1893,7 +1976,7 @@ static int tls_early_post_process_client_hello(SSL *s) int master_key_length; master_key_length = sizeof(s->session->master_key); - if (s->ext.session_secret_cb(s, s->session->master_key, + if (s->ext.session_secret_cb(ssl, s->session->master_key, &master_key_length, ciphers, &pref_cipher, s->ext.session_secret_cb_arg) @@ -1908,7 +1991,7 @@ static int tls_early_post_process_client_hello(SSL *s) /* check if some cipher was preferred by call back */ if (pref_cipher == NULL) pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers, - SSL_get_ciphers(s)); + SSL_get_ciphers(ssl)); if (pref_cipher == NULL) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER); goto err; @@ -1928,7 +2011,7 @@ static int tls_early_post_process_client_hello(SSL *s) * algorithms from the client, starting at q. */ s->s3.tmp.new_compression = NULL; - if (SSL_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s)) { /* * We already checked above that the NULL compression method appears in * the list. Now we check there aren't any others (which is illegal in @@ -1953,8 +2036,8 @@ static int tls_early_post_process_client_hello(SSL *s) goto err; } /* Look for resumed compression method */ - for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) { - comp = sk_SSL_COMP_value(s->ctx->comp_methods, m); + for (m = 0; m < sk_SSL_COMP_num(sctx->comp_methods); m++) { + comp = sk_SSL_COMP_value(sctx->comp_methods, m); if (comp_id == comp->id) { s->s3.tmp.new_compression = comp; break; @@ -1977,14 +2060,14 @@ static int tls_early_post_process_client_hello(SSL *s) } } else if (s->hit) { comp = NULL; - } else if (ssl_allow_compression(s) && s->ctx->comp_methods) { + } else if (ssl_allow_compression(s) && sctx->comp_methods) { /* See if we have a match */ int m, nn, v, done = 0; unsigned int o; - nn = sk_SSL_COMP_num(s->ctx->comp_methods); + nn = sk_SSL_COMP_num(sctx->comp_methods); for (m = 0; m < nn; m++) { - comp = sk_SSL_COMP_value(s->ctx->comp_methods, m); + comp = sk_SSL_COMP_value(sctx->comp_methods, m); v = comp->id; for (o = 0; o < clienthello->compressions_len; o++) { if (v == clienthello->compressions[o]) { @@ -2015,7 +2098,7 @@ static int tls_early_post_process_client_hello(SSL *s) * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher */ - if (!s->hit || SSL_IS_TLS13(s)) { + if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) { sk_SSL_CIPHER_free(s->peer_ciphers); s->peer_ciphers = ciphers; if (ciphers == NULL) { @@ -2057,8 +2140,10 @@ static int tls_early_post_process_client_hello(SSL *s) * Call the status request callback if needed. Upon success, returns 1. * Upon failure, returns 0. */ -static int tls_handle_status_request(SSL *s) +static int tls_handle_status_request(SSL_CONNECTION *s) { + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); + s->ext.status_expected = 0; /* @@ -2067,8 +2152,8 @@ static int tls_handle_status_request(SSL *s) * and must be called after the cipher has been chosen because this may * influence which certificate is sent */ - if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL - && s->ctx->ext.status_cb != NULL) { + if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && sctx != NULL + && sctx->ext.status_cb != NULL) { int ret; /* If no certificate can't return certificate status */ @@ -2078,7 +2163,8 @@ static int tls_handle_status_request(SSL *s) * et al can pick it up. */ s->cert->key = s->s3.tmp.cert; - ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); + ret = sctx->ext.status_cb(SSL_CONNECTION_GET_SSL(s), + sctx->ext.status_arg); switch (ret) { /* We don't want to send a status request response */ case SSL_TLSEXT_ERR_NOACK: @@ -2105,16 +2191,18 @@ static int tls_handle_status_request(SSL *s) * Call the alpn_select callback if needed. Upon success, returns 1. * Upon failure, returns 0. */ -int tls_handle_alpn(SSL *s) +int tls_handle_alpn(SSL_CONNECTION *s) { const unsigned char *selected = NULL; unsigned char selected_len = 0; + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); - if (s->ctx->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) { - int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len, - s->s3.alpn_proposed, - (unsigned int)s->s3.alpn_proposed_len, - s->ctx->ext.alpn_select_cb_arg); + if (sctx->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) { + int r = sctx->ext.alpn_select_cb(SSL_CONNECTION_GET_SSL(s), + &selected, &selected_len, + s->s3.alpn_proposed, + (unsigned int)s->s3.alpn_proposed_len, + sctx->ext.alpn_select_cb_arg); if (r == SSL_TLSEXT_ERR_OK) { OPENSSL_free(s->s3.alpn_selected); @@ -2181,9 +2269,10 @@ int tls_handle_alpn(SSL *s) return 1; } -WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) +WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) { const SSL_CIPHER *cipher; + SSL *ssl = SSL_CONNECTION_GET_SSL(s); if (wst == WORK_MORE_A) { int rv = tls_early_post_process_client_hello(s); @@ -2196,10 +2285,10 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) wst = WORK_MORE_B; } if (wst == WORK_MORE_B) { - if (!s->hit || SSL_IS_TLS13(s)) { + if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) { /* Let cert callback update server certificates if required */ if (!s->hit && s->cert->cert_cb != NULL) { - int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg); + int rv = s->cert->cert_cb(ssl, s->cert->cert_cb_arg); if (rv == 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CERT_CB_ERROR); goto err; @@ -2212,9 +2301,10 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) } /* In TLSv1.3 we selected the ciphersuite before resumption */ - if (!SSL_IS_TLS13(s)) { + if (!SSL_CONNECTION_IS_TLS13(s)) { cipher = - ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(s)); + ssl3_choose_cipher(s, s->peer_ciphers, + SSL_get_ciphers(ssl)); if (cipher == NULL) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, @@ -2231,7 +2321,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) /* check whether we should disable session resumption */ if (s->not_resumable_session_cb != NULL) s->session->not_resumable = - s->not_resumable_session_cb(s, + s->not_resumable_session_cb(ssl, ((s->s3.tmp.new_cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0)); if (s->session->not_resumable) @@ -2269,7 +2359,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) * we already did this because cipher negotiation happens earlier, and * we must handle ALPN before we decide whether to accept early_data. */ - if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) { + if (!SSL_CONNECTION_IS_TLS13(s) && !tls_handle_alpn(s)) { /* SSLfatal() already called */ goto err; } @@ -2298,13 +2388,14 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) return WORK_ERROR; } -int tls_construct_server_hello(SSL *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) { int compm; size_t sl, len; int version; unsigned char *session_id; - int usetls13 = SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING; + int usetls13 = SSL_CONNECTION_IS_TLS13(s) + || s->hello_retry_request == SSL_HRR_PENDING; version = usetls13 ? TLS1_2_VERSION : s->version; if (!WPACKET_put_bytes_u16(pkt, version) @@ -2317,7 +2408,7 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) ? hrrrandom : s->s3.server_random, SSL3_RANDOM_SIZE)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /*- @@ -2339,7 +2430,7 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) * to send back. */ if (s->session->not_resumable || - (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) + (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER) && !s->hit)) s->session->session_id_length = 0; @@ -2353,7 +2444,7 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) if (sl > sizeof(s->session->session_id)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /* set up the compression method */ @@ -2367,21 +2458,22 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) #endif if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl) - || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt, &len) + || !SSL_CONNECTION_GET_SSL(s)->method->put_cipher_by_char(s->s3.tmp.new_cipher, + pkt, &len) || !WPACKET_put_bytes_u8(pkt, compm)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } if (!tls_construct_extensions(s, pkt, s->hello_retry_request == SSL_HRR_PENDING ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST - : (SSL_IS_TLS13(s) + : (SSL_CONNECTION_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO : SSL_EXT_TLS1_2_SERVER_HELLO), NULL, 0)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } if (s->hello_retry_request == SSL_HRR_PENDING) { @@ -2396,29 +2488,30 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) */ if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } } else if (!(s->verify_mode & SSL_VERIFY_PEER) && !ssl3_digest_cached_records(s, 0)) { /* SSLfatal() already called */; - return 0; + return CON_FUNC_ERROR; } - return 1; + return CON_FUNC_SUCCESS; } -int tls_construct_server_done(SSL *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_server_done(SSL_CONNECTION *s, WPACKET *pkt) { if (!s->s3.tmp.cert_request) { if (!ssl3_digest_cached_records(s, 0)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } } - return 1; + return CON_FUNC_SUCCESS; } -int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, + WPACKET *pkt) { EVP_PKEY *pkdh = NULL; unsigned char *encodedPoint = NULL; @@ -2431,7 +2524,9 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); EVP_PKEY_CTX *pctx = NULL; size_t paramlen, paramoffset; - int freer = 0, ret = 0; + int freer = 0; + CON_FUNC_RETURN ret = CON_FUNC_ERROR; + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); if (!WPACKET_get_total_written(pkt, ¶moffset)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -2439,7 +2534,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } if (md_ctx == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); goto err; } @@ -2467,7 +2562,8 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } #if !defined(OPENSSL_NO_DEPRECATED_3_0) if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) { - pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024)); + pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(SSL_CONNECTION_GET_SSL(s), + 0, 1024)); if (pkdh == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; @@ -2661,7 +2757,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) unsigned char *sigbytes1, *sigbytes2, *tbs; size_t siglen = 0, tbslen; - if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) { + if (pkey == NULL || !tls1_lookup_md(sctx, lu, &md)) { /* Should never happen */ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; @@ -2679,7 +2775,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) if (EVP_DigestSignInit_ex(md_ctx, &pctx, md == NULL ? NULL : EVP_MD_get0_name(md), - s->ctx->libctx, s->ctx->propq, pkey, + sctx->libctx, sctx->propq, pkey, NULL) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; @@ -2711,7 +2807,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) OPENSSL_free(tbs); } - ret = 1; + ret = CON_FUNC_SUCCESS; err: EVP_PKEY_free(pkdh); OPENSSL_free(encodedPoint); @@ -2725,9 +2821,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) return ret; } -int tls_construct_certificate_request(SSL *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s, + WPACKET *pkt) { - if (SSL_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s)) { /* Send random context when doing post-handshake auth */ if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { OPENSSL_free(s->pha_context); @@ -2735,24 +2832,24 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) { s->pha_context_len = 0; SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } - if (RAND_bytes_ex(s->ctx->libctx, s->pha_context, - s->pha_context_len, 0) <= 0 + if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx, + s->pha_context, s->pha_context_len, 0) <= 0 || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /* reset the handshake hash back to just after the ClientFinished */ if (!tls13_restore_handshake_digest_for_pha(s)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } } else { if (!WPACKET_put_bytes_u8(pkt, 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } } @@ -2760,7 +2857,7 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL, 0)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } goto done; } @@ -2769,7 +2866,7 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) if (!WPACKET_start_sub_packet_u8(pkt) || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } if (SSL_USE_SIGALGS(s)) { @@ -2781,22 +2878,22 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) || !tls12_copy_sigalgs(s, pkt, psigs, nl) || !WPACKET_close(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } } if (!construct_ca_names(s, get_ca_names(s), pkt)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } done: s->certreqs_sent++; s->s3.tmp.cert_request = 1; - return 1; + return CON_FUNC_SUCCESS; } -static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt) +static int tls_process_cke_psk_preamble(SSL_CONNECTION *s, PACKET *pkt) { #ifndef OPENSSL_NO_PSK unsigned char psk[PSK_MAX_PSK_LEN]; @@ -2821,7 +2918,8 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt) return 0; } - psklen = s->psk_server_callback(s, s->session->psk_identity, + psklen = s->psk_server_callback(SSL_CONNECTION_GET_SSL(s), + s->session->psk_identity, psk, sizeof(psk)); if (psklen > PSK_MAX_PSK_LEN) { @@ -2841,7 +2939,7 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt) if (s->s3.tmp.psk == NULL) { s->s3.tmp.psklen = 0; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); return 0; } @@ -2855,7 +2953,7 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt) #endif } -static int tls_process_cke_rsa(SSL *s, PACKET *pkt) +static int tls_process_cke_rsa(SSL_CONNECTION *s, PACKET *pkt) { size_t outlen; PACKET enc_premaster; @@ -2864,6 +2962,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt) int ret = 0; EVP_PKEY_CTX *ctx = NULL; OSSL_PARAM params[3], *p = params; + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); rsa = s->cert->pkeys[SSL_PKEY_RSA].privatekey; if (rsa == NULL) { @@ -2885,13 +2984,13 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt) outlen = SSL_MAX_MASTER_KEY_LENGTH; rsa_decrypt = OPENSSL_malloc(outlen); if (rsa_decrypt == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); return 0; } - ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, rsa, s->ctx->propq); + ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, rsa, sctx->propq); if (ctx == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); goto err; } @@ -2952,7 +3051,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt) return ret; } -static int tls_process_cke_dhe(SSL *s, PACKET *pkt) +static int tls_process_cke_dhe(SSL_CONNECTION *s, PACKET *pkt) { EVP_PKEY *skey = NULL; unsigned int i; @@ -3003,7 +3102,7 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt) return ret; } -static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt) +static int tls_process_cke_ecdhe(SSL_CONNECTION *s, PACKET *pkt) { EVP_PKEY *skey = s->s3.tmp.pkey; EVP_PKEY *ckey = NULL; @@ -3059,7 +3158,7 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt) return ret; } -static int tls_process_cke_srp(SSL *s, PACKET *pkt) +static int tls_process_cke_srp(SSL_CONNECTION *s, PACKET *pkt) { #ifndef OPENSSL_NO_SRP unsigned int i; @@ -3081,7 +3180,7 @@ static int tls_process_cke_srp(SSL *s, PACKET *pkt) OPENSSL_free(s->session->srp_username); s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); if (s->session->srp_username == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); return 0; } @@ -3098,7 +3197,7 @@ static int tls_process_cke_srp(SSL *s, PACKET *pkt) #endif } -static int tls_process_cke_gost(SSL *s, PACKET *pkt) +static int tls_process_cke_gost(SSL_CONNECTION *s, PACKET *pkt) { #ifndef OPENSSL_NO_GOST EVP_PKEY_CTX *pkey_ctx; @@ -3110,6 +3209,7 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt) GOST_KX_MESSAGE *pKX = NULL; const unsigned char *ptr; int ret = 0; + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); /* Get our certificate private key */ alg_a = s->s3.tmp.new_cipher->algorithm_auth; @@ -3128,9 +3228,9 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt) pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; } - pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pk, s->ctx->propq); + pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pk, sctx->propq); if (pkey_ctx == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); return 0; } if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) { @@ -3201,7 +3301,7 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt) #endif } -static int tls_process_cke_gost18(SSL *s, PACKET *pkt) +static int tls_process_cke_gost18(SSL_CONNECTION *s, PACKET *pkt) { #ifndef OPENSSL_NO_GOST unsigned char rnd_dgst[32]; @@ -3212,6 +3312,7 @@ static int tls_process_cke_gost18(SSL *s, PACKET *pkt) size_t outlen = 32, inlen = 0; int ret = 0; int cipher_nid = ossl_gost18_cke_cipher_nid(s); + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); if (cipher_nid == NID_undef) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -3232,9 +3333,9 @@ static int tls_process_cke_gost18(SSL *s, PACKET *pkt) goto err; } - pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pk, s->ctx->propq); + pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pk, sctx->propq); if (pkey_ctx == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); goto err; } if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) { @@ -3279,7 +3380,8 @@ static int tls_process_cke_gost18(SSL *s, PACKET *pkt) #endif } -MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) +MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL_CONNECTION *s, + PACKET *pkt) { unsigned long alg_k; @@ -3347,11 +3449,12 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) return MSG_PROCESS_ERROR; } -WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) +WORK_STATE tls_post_process_client_key_exchange(SSL_CONNECTION *s, + WORK_STATE wst) { #ifndef OPENSSL_NO_SCTP if (wst == WORK_MORE_A) { - if (SSL_IS_DTLS(s)) { + if (SSL_CONNECTION_IS_DTLS(s)) { unsigned char sctpauthkey[64]; char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; size_t labellen; @@ -3367,7 +3470,8 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) labellen += 1; - if (SSL_export_keying_material(s, sctpauthkey, + if (SSL_export_keying_material(SSL_CONNECTION_GET_SSL(s), + sctpauthkey, sizeof(sctpauthkey), labelbuffer, labellen, NULL, 0, 0) <= 0) { @@ -3375,7 +3479,7 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) return WORK_ERROR; } - BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, + BIO_ctrl(s->wbio, BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, sizeof(sctpauthkey), sctpauthkey); } } @@ -3409,7 +3513,8 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) return WORK_FINISHED_CONTINUE; } -MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) +MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, + PACKET *pkt) { int i; MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; @@ -3420,23 +3525,26 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) PACKET spkt, context; size_t chainidx; SSL_SESSION *new_sess = NULL; + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); /* * To get this far we must have read encrypted data from the client. We no - * longer tolerate unencrypted alerts. This value is ignored if less than - * TLSv1.3 + * longer tolerate unencrypted alerts. This is ignored if less than TLSv1.3 */ - s->statem.enc_read_state = ENC_READ_STATE_VALID; + if (s->rlayer.rrlmethod->set_plain_alerts != NULL) + s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0); if ((sk = sk_X509_new_null()) == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); goto err; } - if (SSL_IS_TLS13(s) && (!PACKET_get_length_prefixed_1(pkt, &context) - || (s->pha_context == NULL && PACKET_remaining(&context) != 0) - || (s->pha_context != NULL && - !PACKET_equal(&context, s->pha_context, s->pha_context_len)))) { + if (SSL_CONNECTION_IS_TLS13(s) + && (!PACKET_get_length_prefixed_1(pkt, &context) + || (s->pha_context == NULL && PACKET_remaining(&context) != 0) + || (s->pha_context != NULL + && !PACKET_equal(&context, s->pha_context, + s->pha_context_len)))) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); goto err; } @@ -3455,9 +3563,9 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) } certstart = certbytes; - x = X509_new_ex(s->ctx->libctx, s->ctx->propq); + x = X509_new_ex(sctx->libctx, sctx->propq); if (x == NULL) { - SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_X509_LIB); goto err; } if (d2i_X509(&x, (const unsigned char **)&certbytes, l) == NULL) { @@ -3470,7 +3578,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) goto err; } - if (SSL_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s)) { RAW_EXTENSION *rawexts = NULL; PACKET extensions; @@ -3491,7 +3599,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) } if (!sk_X509_push(sk, x)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); goto err; } x = NULL; @@ -3542,7 +3650,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) if (s->post_handshake_auth == SSL_PHA_REQUESTED) { if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); goto err; } @@ -3551,7 +3659,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) } X509_free(s->session->peer); - s->session->peer = sk_X509_shift(sk); + s->session->peer = sk_X509_num(sk) == 0 ? NULL: sk_X509_shift(sk); s->session->verify_result = s->verify_result; OSSL_STACK_OF_X509_free(s->session->peer_chain); @@ -3562,7 +3670,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) * Freeze the handshake buffer. For cert_verify_hash, sizeof(s->cert_verify_hash), &s->cert_verify_hash_len)) { @@ -3593,35 +3701,76 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) return ret; } -int tls_construct_server_certificate(SSL *s, WPACKET *pkt) +#ifndef OPENSSL_NO_COMP_ALG +MSG_PROCESS_RETURN tls_process_client_compressed_certificate(SSL_CONNECTION *sc, PACKET *pkt) +{ + MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; + PACKET tmppkt; + BUF_MEM *buf = BUF_MEM_new(); + + if (tls13_process_compressed_certificate(sc, pkt, &tmppkt, buf) != MSG_PROCESS_ERROR) + ret = tls_process_client_certificate(sc, &tmppkt); + + BUF_MEM_free(buf); + return ret; +} +#endif + +CON_FUNC_RETURN tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt) { CERT_PKEY *cpk = s->s3.tmp.cert; if (cpk == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /* * In TLSv1.3 the certificate chain is always preceded by a 0 length context * for the server Certificate message */ - if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) { + if (SSL_CONNECTION_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } if (!ssl3_output_cert_chain(s, pkt, cpk)) { /* SSLfatal() already called */ + return CON_FUNC_ERROR; + } + + return CON_FUNC_SUCCESS; +} + +#ifndef OPENSSL_NO_COMP_ALG +CON_FUNC_RETURN tls_construct_server_compressed_certificate(SSL_CONNECTION *sc, WPACKET *pkt) +{ + int alg = get_compressed_certificate_alg(sc); + OSSL_COMP_CERT *cc = sc->s3.tmp.cert->comp_cert[alg]; + + if (!ossl_assert(cc != NULL)) { + SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } + /* + * Server can't compress on-demand + * Use pre-compressed certificate + */ + if (!WPACKET_put_bytes_u16(pkt, alg) + || !WPACKET_put_bytes_u24(pkt, cc->orig_len) + || !WPACKET_start_sub_packet_u24(pkt) + || !WPACKET_memcpy(pkt, cc->data, cc->len) + || !WPACKET_close(pkt)) + return 0; + sc->s3.tmp.cert->cert_comp_used++; return 1; } +#endif -static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add, - unsigned char *tick_nonce) +static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, + uint32_t age_add, unsigned char *tick_nonce) { - uint32_t timeout = (uint32_t)s->session->timeout; + uint32_t timeout = (uint32_t)ossl_time2seconds(s->session->timeout); /* * Ticket lifetime hint: @@ -3632,8 +3781,9 @@ static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add, */ #define ONE_WEEK_SEC (7 * 24 * 60 * 60) - if (SSL_IS_TLS13(s)) { - if (s->session->timeout > ONE_WEEK_SEC) + if (SSL_CONNECTION_IS_TLS13(s)) { + if (ossl_time_compare(s->session->timeout, + ossl_seconds2time(ONE_WEEK_SEC)) > 0) timeout = ONE_WEEK_SEC; } else if (s->hit) timeout = 0; @@ -3643,7 +3793,7 @@ static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add, return 0; } - if (SSL_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s)) { if (!WPACKET_put_bytes_u32(pkt, age_add) || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -3660,8 +3810,10 @@ static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add, return 1; } -static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, - unsigned char *tick_nonce) +static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, + WPACKET *pkt, + uint32_t age_add, + unsigned char *tick_nonce) { unsigned char *senc = NULL; EVP_CIPHER_CTX *ctx = NULL; @@ -3674,8 +3826,11 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, SSL_CTX *tctx = s->session_ctx; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char key_name[TLSEXT_KEYNAME_LENGTH]; - int iv_len, ok = 0; + int iv_len; + CON_FUNC_RETURN ok = CON_FUNC_ERROR; size_t macoffset, macendoffset; + SSL *ssl = SSL_CONNECTION_GET_SSL(s); + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); /* get session encoding length */ slen_full = i2d_SSL_SESSION(s->session, NULL); @@ -3689,14 +3844,18 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, } senc = OPENSSL_malloc(slen_full); if (senc == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); goto err; } ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); + goto err; + } hctx = ssl_hmac_new(tctx); - if (ctx == NULL || hctx == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + if (hctx == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); goto err; } @@ -3744,18 +3903,26 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, int ret = 0; if (tctx->ext.ticket_key_evp_cb != NULL) - ret = tctx->ext.ticket_key_evp_cb(s, key_name, iv, ctx, + ret = tctx->ext.ticket_key_evp_cb(ssl, key_name, iv, ctx, ssl_hmac_get0_EVP_MAC_CTX(hctx), 1); #ifndef OPENSSL_NO_DEPRECATED_3_0 else if (tctx->ext.ticket_key_cb != NULL) /* if 0 is returned, write an empty ticket */ - ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx, + ret = tctx->ext.ticket_key_cb(ssl, key_name, iv, ctx, ssl_hmac_get0_HMAC_CTX(hctx), 1); #endif if (ret == 0) { - + /* + * In TLSv1.2 we construct a 0 length ticket. In TLSv1.3 a 0 + * length ticket is not allowed so we abort construction of the + * ticket + */ + if (SSL_CONNECTION_IS_TLS13(s)) { + ok = CON_FUNC_DONT_SEND; + goto err; + } /* Put timeout and length */ if (!WPACKET_put_bytes_u32(pkt, 0) || !WPACKET_put_bytes_u16(pkt, 0)) { @@ -3765,16 +3932,20 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); ssl_hmac_free(hctx); - return 1; + return CON_FUNC_SUCCESS; } if (ret < 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); goto err; } iv_len = EVP_CIPHER_CTX_get_iv_length(ctx); + if (iv_len < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + goto err; + } } else { - EVP_CIPHER *cipher = EVP_CIPHER_fetch(s->ctx->libctx, "AES-256-CBC", - s->ctx->propq); + EVP_CIPHER *cipher = EVP_CIPHER_fetch(sctx->libctx, "AES-256-CBC", + sctx->propq); if (cipher == NULL) { /* Error is already recorded */ @@ -3784,7 +3955,7 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, iv_len = EVP_CIPHER_get_iv_length(cipher); if (iv_len < 0 - || RAND_bytes_ex(s->ctx->libctx, iv, iv_len, 0) <= 0 + || RAND_bytes_ex(sctx->libctx, iv, iv_len, 0) <= 0 || !EVP_EncryptInit_ex(ctx, cipher, NULL, tctx->ext.secure->tick_aes_key, iv) || !ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, @@ -3838,7 +4009,7 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, goto err; } - ok = 1; + ok = CON_FUNC_SUCCESS; err: OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); @@ -3846,7 +4017,8 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, return ok; } -static int construct_stateful_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, +static int construct_stateful_ticket(SSL_CONNECTION *s, WPACKET *pkt, + uint32_t age_add, unsigned char *tick_nonce) { if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) { @@ -3864,7 +4036,21 @@ static int construct_stateful_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, return 1; } -int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) +static void tls_update_ticket_counts(SSL_CONNECTION *s) +{ + /* + * Increment both |sent_tickets| and |next_ticket_nonce|. |sent_tickets| + * gets reset to 0 if we send more tickets following a post-handshake + * auth, but |next_ticket_nonce| does not. If we're sending extra + * tickets, decrement the count of pending extra tickets. + */ + s->sent_tickets++; + s->next_ticket_nonce++; + if (s->ext.extra_tickets_expected > 0) + s->ext.extra_tickets_expected--; +} + +CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt) { SSL_CTX *tctx = s->session_ctx; unsigned char tick_nonce[TICKET_NONCE_SIZE]; @@ -3872,10 +4058,11 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) unsigned char age_add_c[sizeof(uint32_t)]; uint32_t age_add; } age_add_u; + CON_FUNC_RETURN ret = CON_FUNC_ERROR; age_add_u.age_add = 0; - if (SSL_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s)) { size_t i, hashlen; uint64_t nonce; static const unsigned char nonce_label[] = "resumption"; @@ -3910,8 +4097,8 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) /* SSLfatal() already called */ goto err; } - if (RAND_bytes_ex(s->ctx->libctx, age_add_u.age_add_c, - sizeof(age_add_u), 0) <= 0) { + if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx, + age_add_u.age_add_c, sizeof(age_add_u), 0) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -3935,7 +4122,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) } s->session->master_key_length = hashlen; - s->session->time = time(NULL); + s->session->time = ossl_time_now(); ssl_session_calculate_timeout(s->session); if (s->s3.alpn_selected != NULL) { OPENSSL_free(s->session->ext.alpn_selected); @@ -3943,7 +4130,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len); if (s->session->ext.alpn_selected == NULL) { s->session->ext.alpn_selected_len = 0; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); goto err; } s->session->ext.alpn_selected_len = s->s3.alpn_selected_len; @@ -3952,7 +4139,8 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) } if (tctx->generate_ticket_cb != NULL && - tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) { + tctx->generate_ticket_cb(SSL_CONNECTION_GET_SSL(s), + tctx->ticket_cb_data) == 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -3961,7 +4149,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there * is no point in using full stateless tickets. */ - if (SSL_IS_TLS13(s) + if (SSL_CONNECTION_IS_TLS13(s) && ((s->options & SSL_OP_NO_TICKET) != 0 || (s->max_early_data > 0 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) { @@ -3969,42 +4157,44 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) /* SSLfatal() already called */ goto err; } - } else if (!construct_stateless_ticket(s, pkt, age_add_u.age_add, - tick_nonce)) { - /* SSLfatal() already called */ - goto err; + } else { + CON_FUNC_RETURN tmpret; + + tmpret = construct_stateless_ticket(s, pkt, age_add_u.age_add, + tick_nonce); + if (tmpret != CON_FUNC_SUCCESS) { + if (tmpret == CON_FUNC_DONT_SEND) { + /* Non-fatal. Abort construction but continue */ + ret = CON_FUNC_DONT_SEND; + /* We count this as a success so update the counts anwyay */ + tls_update_ticket_counts(s); + } + /* else SSLfatal() already called */ + goto err; + } } - if (SSL_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s)) { if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_NEW_SESSION_TICKET, NULL, 0)) { /* SSLfatal() already called */ goto err; } - /* - * Increment both |sent_tickets| and |next_ticket_nonce|. |sent_tickets| - * gets reset to 0 if we send more tickets following a post-handshake - * auth, but |next_ticket_nonce| does not. If we're sending extra - * tickets, decrement the count of pending extra tickets. - */ - s->sent_tickets++; - s->next_ticket_nonce++; - if (s->ext.extra_tickets_expected > 0) - s->ext.extra_tickets_expected--; + tls_update_ticket_counts(s); ssl_update_cache(s, SSL_SESS_CACHE_SERVER); } - return 1; + ret = CON_FUNC_SUCCESS; err: - return 0; + return ret; } /* * In TLSv1.3 this is called from the extensions code, otherwise it is used to * create a separate message. Returns 1 on success or 0 on failure. */ -int tls_construct_cert_status_body(SSL *s, WPACKET *pkt) +int tls_construct_cert_status_body(SSL_CONNECTION *s, WPACKET *pkt) { if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type) || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp, @@ -4016,14 +4206,14 @@ int tls_construct_cert_status_body(SSL *s, WPACKET *pkt) return 1; } -int tls_construct_cert_status(SSL *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_cert_status(SSL_CONNECTION *s, WPACKET *pkt) { if (!tls_construct_cert_status_body(s, pkt)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } - return 1; + return CON_FUNC_SUCCESS; } #ifndef OPENSSL_NO_NEXTPROTONEG @@ -4031,7 +4221,7 @@ int tls_construct_cert_status(SSL *s, WPACKET *pkt) * tls_process_next_proto reads a Next Protocol Negotiation handshake message. * It sets the next_proto member in s if found */ -MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) +MSG_PROCESS_RETURN tls_process_next_proto(SSL_CONNECTION *s, PACKET *pkt) { PACKET next_proto, padding; size_t next_proto_len; @@ -4062,18 +4252,19 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) } #endif -static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt) +static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s, + WPACKET *pkt) { if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, NULL, 0)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } - return 1; + return CON_FUNC_SUCCESS; } -MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt) +MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL_CONNECTION *s, PACKET *pkt) { if (PACKET_remaining(pkt) != 0) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); @@ -4096,7 +4287,7 @@ MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt) } s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; - if (!s->method->ssl3_enc->change_cipher_state(s, + if (!SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) { /* SSLfatal() already called */ return MSG_PROCESS_ERROR;