diff options
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/d1_pkt.c | 5 | ||||
-rw-r--r-- | ssl/d1_srvr.c | 16 | ||||
-rw-r--r-- | ssl/s23_srvr.c | 6 | ||||
-rw-r--r-- | ssl/s3_clnt.c | 22 | ||||
-rw-r--r-- | ssl/s3_pkt.c | 2 | ||||
-rw-r--r-- | ssl/s3_srvr.c | 18 | ||||
-rw-r--r-- | ssl/ssl.h | 14 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 1 |
8 files changed, 43 insertions, 41 deletions
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index d12604e6573eb..bc478c240cc3f 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -595,8 +595,6 @@ again: /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ i=rr->length; n=ssl3_read_n(s,i,i,1); - if (n <= 0) return(n); /* error or non-blocking io */ - /* this packet contained a partial record, dump it */ if ( n != i) { @@ -626,7 +624,8 @@ again: * would be dropped unnecessarily. */ if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && - *p == SSL3_MT_CLIENT_HELLO) && + s->packet_length > DTLS1_RT_HEADER_LENGTH && + s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) && ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num))) { rr->length = 0; diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index 0e6bf46c028b7..0e9bb204add7b 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -371,23 +371,11 @@ int dtls1_accept(SSL *s) /* clear this, it may get reset by * send_server_key_exchange */ - if ((s->options & SSL_OP_EPHEMERAL_RSA) -#ifndef OPENSSL_NO_KRB5 - && !(l & SSL_KRB5) -#endif /* OPENSSL_NO_KRB5 */ - ) - /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key - * even when forbidden by protocol specs - * (handshake may fail as clients are not required to - * be able to handle this) */ - s->s3->tmp.use_rsa_tmp=1; - else - s->s3->tmp.use_rsa_tmp=0; + s->s3->tmp.use_rsa_tmp=0; /* only send if a DH key exchange, fortezza or * RSA but we have a sign only certificate */ - if (s->s3->tmp.use_rsa_tmp - || (l & (SSL_DH|SSL_kFZA)) + if ((l & (SSL_DH|SSL_kFZA)) || ((l & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 3d0069baf3e2a..5486a3621dcbb 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -559,12 +559,14 @@ int ssl23_get_client_hello(SSL *s) if ((type == 2) || (type == 3)) { /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */ - s->method = ssl23_get_server_method(s->version); - if (s->method == NULL) + SSL_METHOD *new_method; + new_method = ssl23_get_server_method(s->version); + if (new_method == NULL) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); goto err; } + s->method = new_method; if (!ssl_init_wbio_buffer(s,1)) goto err; diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 4828937566939..3352e2d19a165 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1123,8 +1123,21 @@ int ssl3_get_key_exchange(SSL *s) if (!ok) return((int)n); + alg=s->s3->tmp.new_cipher->algorithms; + EVP_MD_CTX_init(&md_ctx); + if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { + /* + * Can't skip server key exchange if this is an ephemeral + * ciphersuite. + */ + if (alg & (SSL_kEDH|SSL_kECDHE)) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE); + al = SSL_AD_UNEXPECTED_MESSAGE; + goto f_err; + } s->s3->tmp.reuse_message=1; return(1); } @@ -1162,13 +1175,18 @@ int ssl3_get_key_exchange(SSL *s) /* Total length of the parameters including the length prefix */ param_len=0; - alg=s->s3->tmp.new_cipher->algorithms; - EVP_MD_CTX_init(&md_ctx); al=SSL_AD_DECODE_ERROR; #ifndef OPENSSL_NO_RSA if (alg & SSL_kRSA) { + /* Temporary RSA keys only allowed in export ciphersuites */ + if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) + { + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); + goto f_err; + } if ((rsa=RSA_new()) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index a3b45fba9dc1a..1adc30191138c 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -147,6 +147,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) * at once (as long as it fits into the buffer). */ if (SSL_version(s) == DTLS1_VERSION) { + if (s->s3->rbuf.left == 0 && extend) + return 0; if ( s->s3->rbuf.left > 0 && n > s->s3->rbuf.left) n = s->s3->rbuf.left; } diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index ca3e77aef668e..496ae80a250fd 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -355,18 +355,7 @@ int ssl3_accept(SSL *s) /* clear this, it may get reset by * send_server_key_exchange */ - if ((s->options & SSL_OP_EPHEMERAL_RSA) -#ifndef OPENSSL_NO_KRB5 - && !(l & SSL_KRB5) -#endif /* OPENSSL_NO_KRB5 */ - ) - /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key - * even when forbidden by protocol specs - * (handshake may fail as clients are not required to - * be able to handle this) */ - s->s3->tmp.use_rsa_tmp=1; - else - s->s3->tmp.use_rsa_tmp=0; + s->s3->tmp.use_rsa_tmp=0; /* only send if a DH key exchange, fortezza or @@ -378,8 +367,7 @@ int ssl3_accept(SSL *s) * server certificate contains the server's * public key for key exchange. */ - if (s->s3->tmp.use_rsa_tmp - || (l & SSL_kECDHE) + if ((l & SSL_kECDHE) || (l & (SSL_DH|SSL_kFZA)) || ((l & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL @@ -2412,7 +2400,7 @@ int ssl3_get_cert_verify(SSL *s) if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { s->s3->tmp.reuse_message=1; - if ((peer != NULL) && (type | EVP_PKT_SIGN)) + if (peer != NULL) { al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); diff --git a/ssl/ssl.h b/ssl/ssl.h index 6435c5966dbf5..8420100cf01a6 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -526,9 +526,8 @@ typedef struct ssl_session_st #define SSL_OP_SINGLE_ECDH_USE 0x00080000L /* If set, always create a new key when using tmp_dh parameters */ #define SSL_OP_SINGLE_DH_USE 0x00100000L -/* Set to always use the tmp_rsa key when doing RSA operations, - * even when this violates protocol specs */ -#define SSL_OP_EPHEMERAL_RSA 0x00200000L +/* Does nothing: retained for compatibiity */ +#define SSL_OP_EPHEMERAL_RSA 0x0 /* Set on servers to choose the cipher according to the server's * preferences */ #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L @@ -564,8 +563,13 @@ typedef struct ssl_session_st /* Don't attempt to automatically build certificate chain */ #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L /* Send TLS_FALLBACK_SCSV in the ClientHello. - * To be set by applications that reconnect with a downgraded protocol - * version; see draft-ietf-tls-downgrade-scsv-00 for details. */ + * To be set only by applications that reconnect with a downgraded protocol + * version; see draft-ietf-tls-downgrade-scsv-00 for details. + * + * DO NOT ENABLE THIS if your application attempts a normal handshake. + * Only use this in explicit fallback retries, following the guidance + * in draft-ietf-tls-downgrade-scsv-00. + */ #define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 5db0b5276e3f1..542ab5a558499 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1401,6 +1401,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK); goto err; } + p += n; continue; } |