diff options
| author | Jung-uk Kim <jkim@FreeBSD.org> | 2014-10-15 17:35:39 +0000 |
|---|---|---|
| committer | Jung-uk Kim <jkim@FreeBSD.org> | 2014-10-15 17:35:39 +0000 |
| commit | f62b4332f57a140c7a64082fb139c06b1a71584c (patch) | |
| tree | 8df07ff17fed10701bf6420470d0c11581fdf345 /ssl | |
| parent | 2af9154f28669943cf601ecc3c9bbbe372587787 (diff) | |
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/Makefile | 89 | ||||
| -rw-r--r-- | ssl/d1_lib.c | 10 | ||||
| -rw-r--r-- | ssl/dtls1.h | 3 | ||||
| -rw-r--r-- | ssl/s23_clnt.c | 12 | ||||
| -rw-r--r-- | ssl/s23_srvr.c | 18 | ||||
| -rw-r--r-- | ssl/s2_lib.c | 4 | ||||
| -rw-r--r-- | ssl/s3_cbc.c | 65 | ||||
| -rw-r--r-- | ssl/s3_clnt.c | 114 | ||||
| -rw-r--r-- | ssl/s3_enc.c | 2 | ||||
| -rw-r--r-- | ssl/s3_lib.c | 24 | ||||
| -rw-r--r-- | ssl/s3_pkt.c | 19 | ||||
| -rw-r--r-- | ssl/s3_srvr.c | 102 | ||||
| -rw-r--r-- | ssl/ssl.h | 9 | ||||
| -rw-r--r-- | ssl/ssl3.h | 7 | ||||
| -rw-r--r-- | ssl/ssl_err.c | 2 | ||||
| -rw-r--r-- | ssl/ssl_lib.c | 60 | ||||
| -rw-r--r-- | ssl/t1_enc.c | 2 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 3 | ||||
| -rw-r--r-- | ssl/tls1.h | 23 |
19 files changed, 362 insertions, 206 deletions
diff --git a/ssl/Makefile b/ssl/Makefile index 90b9b9d44bd0..c0a627e90ab8 100644 --- a/ssl/Makefile +++ b/ssl/Makefile @@ -545,27 +545,28 @@ s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h s3_both.o: ../include/openssl/x509_vfy.h s3_both.c ssl_locl.h -s3_cbc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s3_cbc.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s3_cbc.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_cbc.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h -s3_cbc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -s3_cbc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -s3_cbc.o: ../include/openssl/err.h ../include/openssl/evp.h -s3_cbc.o: ../include/openssl/fips.h ../include/openssl/hmac.h -s3_cbc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s3_cbc.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h -s3_cbc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s3_cbc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s3_cbc.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s3_cbc.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h -s3_cbc.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h -s3_cbc.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s3_cbc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s3_cbc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s3_cbc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s3_cbc.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s3_cbc.o: ../include/openssl/x509_vfy.h s3_cbc.c ssl_locl.h +s3_cbc.o: ../crypto/constant_time_locl.h ../e_os.h ../include/openssl/asn1.h +s3_cbc.o: ../include/openssl/bio.h ../include/openssl/bn.h +s3_cbc.o: ../include/openssl/buffer.h ../include/openssl/comp.h +s3_cbc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h +s3_cbc.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +s3_cbc.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +s3_cbc.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +s3_cbc.o: ../include/openssl/evp.h ../include/openssl/fips.h +s3_cbc.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +s3_cbc.o: ../include/openssl/lhash.h ../include/openssl/md5.h +s3_cbc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s3_cbc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s3_cbc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s3_cbc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +s3_cbc.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h +s3_cbc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s3_cbc.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s3_cbc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s3_cbc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s3_cbc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s3_cbc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_cbc.c +s3_cbc.o: ssl_locl.h s3_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h @@ -674,29 +675,29 @@ s3_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s3_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s3_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_pkt.c s3_pkt.o: ssl_locl.h -s3_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s3_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s3_srvr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h -s3_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -s3_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -s3_srvr.o: ../include/openssl/evp.h ../include/openssl/fips.h -s3_srvr.o: ../include/openssl/hmac.h ../include/openssl/krb5_asn.h -s3_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s3_srvr.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h -s3_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s3_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s3_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s3_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h -s3_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -s3_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s3_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s3_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s3_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s3_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h -s3_srvr.o: s3_srvr.c ssl_locl.h +s3_srvr.o: ../crypto/constant_time_locl.h ../e_os.h ../include/openssl/asn1.h +s3_srvr.o: ../include/openssl/bio.h ../include/openssl/bn.h +s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h +s3_srvr.o: ../include/openssl/crypto.h ../include/openssl/dh.h +s3_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h +s3_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s3_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +s3_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h +s3_srvr.o: ../include/openssl/fips.h ../include/openssl/hmac.h +s3_srvr.o: ../include/openssl/krb5_asn.h ../include/openssl/kssl.h +s3_srvr.o: ../include/openssl/lhash.h ../include/openssl/md5.h +s3_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s3_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s3_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s3_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +s3_srvr.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h +s3_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h +s3_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s3_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s3_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s3_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s3_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h +s3_srvr.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_srvr.c ssl_locl.h ssl_algs.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_algs.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_algs.o: ../include/openssl/comp.h ../include/openssl/crypto.h diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index c872cb659451..8427798bbfaf 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -305,6 +305,16 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) case DTLS_CTRL_LISTEN: ret = dtls1_listen(s, parg); break; + case SSL_CTRL_CHECK_PROTO_VERSION: + /* For library-internal use; checks that the current protocol + * is the highest enabled version (according to s->ctx->method, + * as version negotiation may have changed s->method). */ +#if DTLS_MAX_VERSION != DTLS1_VERSION +# error Code needs update for DTLS_method() support beyond DTLS1_VERSION. +#endif + /* Just one protocol version is supported so far; + * fail closed if the version is not as expected. */ + return s->version == DTLS_MAX_VERSION; default: ret = ssl3_ctrl(s, cmd, larg, parg); diff --git a/ssl/dtls1.h b/ssl/dtls1.h index 697ff6e31593..a1b188487d68 100644 --- a/ssl/dtls1.h +++ b/ssl/dtls1.h @@ -80,6 +80,8 @@ extern "C" { #endif #define DTLS1_VERSION 0xFEFF +#define DTLS_MAX_VERSION DTLS1_VERSION + #define DTLS1_BAD_VER 0x0100 #if 0 @@ -262,4 +264,3 @@ typedef struct dtls1_record_data_st } #endif #endif - diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 830eff0f511a..123120868a4f 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -72,9 +72,11 @@ static SSL_METHOD *ssl23_get_client_method(int ver) if (ver == SSL2_VERSION) return(SSLv2_client_method()); #endif +#ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return(SSLv3_client_method()); - else if (ver == TLS1_VERSION) +#endif + if (ver == TLS1_VERSION) return(TLSv1_client_method()); else return(NULL); @@ -533,6 +535,7 @@ static int ssl23_get_server_hello(SSL *s) { /* we have sslv3 or tls1 (server hello or alert) */ +#ifndef OPENSSL_NO_SSL3 if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) { @@ -547,7 +550,9 @@ static int ssl23_get_server_hello(SSL *s) s->version=SSL3_VERSION; s->method=SSLv3_client_method(); } - else if ((p[2] == TLS1_VERSION_MINOR) && + else +#endif + if ((p[2] == TLS1_VERSION_MINOR) && !(s->options & SSL_OP_NO_TLSv1)) { s->version=TLS1_VERSION; @@ -559,6 +564,9 @@ static int ssl23_get_server_hello(SSL *s) goto err; } + /* ensure that TLS_MAX_VERSION is up-to-date */ + OPENSSL_assert(s->version <= TLS_MAX_VERSION); + if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) { /* fatal alert */ diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index e544853ae430..3d0069baf3e2 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -124,9 +124,11 @@ static SSL_METHOD *ssl23_get_server_method(int ver) if (ver == SSL2_VERSION) return(SSLv2_server_method()); #endif +#ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return(SSLv3_server_method()); - else if (ver == TLS1_VERSION) +#endif + if (ver == TLS1_VERSION) return(TLSv1_server_method()); else return(NULL); @@ -398,6 +400,9 @@ int ssl23_get_client_hello(SSL *s) } #endif + /* ensure that TLS_MAX_VERSION is up-to-date */ + OPENSSL_assert(s->version <= TLS_MAX_VERSION); + if (s->state == SSL23_ST_SR_CLNT_HELLO_B) { /* we have SSLv3/TLSv1 in an SSLv2 header @@ -554,6 +559,12 @@ int ssl23_get_client_hello(SSL *s) if ((type == 2) || (type == 3)) { /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */ + s->method = ssl23_get_server_method(s->version); + if (s->method == NULL) + { + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); + goto err; + } if (!ssl_init_wbio_buffer(s,1)) goto err; @@ -577,11 +588,6 @@ int ssl23_get_client_hello(SSL *s) s->s3->rbuf.left=0; s->s3->rbuf.offset=0; } - - if (s->version == TLS1_VERSION) - s->method = TLSv1_server_method(); - else - s->method = SSLv3_server_method(); #if 0 /* ssl3_get_client_hello does this */ s->client_version=(v[0]<<8)|v[1]; #endif diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c index 10751b22baf8..359498c8e5d6 100644 --- a/ssl/s2_lib.c +++ b/ssl/s2_lib.c @@ -314,6 +314,8 @@ long ssl2_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_SESSION_REUSED: ret=s->hit; break; + case SSL_CTRL_CHECK_PROTO_VERSION: + return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg); default: break; } @@ -362,7 +364,7 @@ int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) if (p != NULL) { l=c->id; - if ((l & 0xff000000) != 0x02000000) return(0); + if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0); p[0]=((unsigned char)(l>>16L))&0xFF; p[1]=((unsigned char)(l>> 8L))&0xFF; p[2]=((unsigned char)(l ))&0xFF; diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 9f57fc9a622f..320330ffd964 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -53,6 +53,7 @@ * */ +#include "../crypto/constant_time_locl.h" #include "ssl_locl.h" #include <openssl/md5.h> @@ -67,37 +68,6 @@ * supported by TLS.) */ #define MAX_HASH_BLOCK_SIZE 128 -/* Some utility functions are needed: - * - * These macros return the given value with the MSB copied to all the other - * bits. They use the fact that arithmetic shift shifts-in the sign bit. - * However, this is not ensured by the C standard so you may need to replace - * them with something else on odd CPUs. */ -#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) ) -#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x))) - -/* constant_time_lt returns 0xff if a<b and 0x00 otherwise. */ -static unsigned constant_time_lt(unsigned a, unsigned b) - { - a -= b; - return DUPLICATE_MSB_TO_ALL(a); - } - -/* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */ -static unsigned constant_time_ge(unsigned a, unsigned b) - { - a -= b; - return DUPLICATE_MSB_TO_ALL(~a); - } - -/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */ -static unsigned char constant_time_eq_8(unsigned a, unsigned b) - { - unsigned c = a ^ b; - c--; - return DUPLICATE_MSB_TO_ALL_8(c); - } - /* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC * record in |rec| by updating |rec->length| in constant time. * @@ -126,8 +96,8 @@ int ssl3_cbc_remove_padding(const SSL* s, padding_length = good & (padding_length+1); rec->length -= padding_length; rec->type |= padding_length<<8; /* kludge: pass padding length */ - return (int)((good & 1) | (~good & -1)); -} + return constant_time_select_int(good, 1, -1); + } /* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC * record in |rec| in constant time and returns 1 if the padding is valid and @@ -201,7 +171,7 @@ int tls1_cbc_remove_padding(const SSL* s, for (i = 0; i < to_check; i++) { - unsigned char mask = constant_time_ge(padding_length, i); + unsigned char mask = constant_time_ge_8(padding_length, i); unsigned char b = rec->data[rec->length-1-i]; /* The final |padding_length+1| bytes should all have the value * |padding_length|. Therefore the XOR should be zero. */ @@ -209,20 +179,14 @@ int tls1_cbc_remove_padding(const SSL* s, } /* If any of the final |padding_length+1| bytes had the wrong value, - * one or more of the lower eight bits of |good| will be cleared. We - * AND the bottom 8 bits together and duplicate the result to all the - * bits. */ - good &= good >> 4; - good &= good >> 2; - good &= good >> 1; - good <<= sizeof(good)*8-1; - good = DUPLICATE_MSB_TO_ALL(good); - + * one or more of the lower eight bits of |good| will be cleared. + */ + good = constant_time_eq(0xff, good & 0xff); padding_length = good & (padding_length+1); rec->length -= padding_length; rec->type |= padding_length<<8; /* kludge: pass padding length */ - return (int)((good & 1) | (~good & -1)); + return constant_time_select_int(good, 1, -1); } /* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in @@ -289,8 +253,8 @@ void ssl3_cbc_copy_mac(unsigned char* out, memset(rotated_mac, 0, md_size); for (i = scan_start, j = 0; i < orig_len; i++) { - unsigned char mac_started = constant_time_ge(i, mac_start); - unsigned char mac_ended = constant_time_ge(i, mac_end); + unsigned char mac_started = constant_time_ge_8(i, mac_start); + unsigned char mac_ended = constant_time_ge_8(i, mac_end); unsigned char b = rec->data[i]; rotated_mac[j++] |= b & mac_started & ~mac_ended; j &= constant_time_lt(j,md_size); @@ -676,12 +640,12 @@ void ssl3_cbc_digest_record( b = data[k-header_length]; k++; - is_past_c = is_block_a & constant_time_ge(j, c); - is_past_cp1 = is_block_a & constant_time_ge(j, c+1); + is_past_c = is_block_a & constant_time_ge_8(j, c); + is_past_cp1 = is_block_a & constant_time_ge_8(j, c+1); /* If this is the block containing the end of the * application data, and we are at the offset for the * 0x80 value, then overwrite b with 0x80. */ - b = (b&~is_past_c) | (0x80&is_past_c); + b = constant_time_select_8(is_past_c, 0x80, b); /* If this the the block containing the end of the * application data and we're past the 0x80 value then * just write zero. */ @@ -697,7 +661,8 @@ void ssl3_cbc_digest_record( if (j >= md_block_size - md_length_size) { /* If this is index_b, write a length byte. */ - b = (b&~is_block_b) | (is_block_b&length_bytes[j-(md_block_size-md_length_size)]); + b = constant_time_select_8( + is_block_b, length_bytes[j-(md_block_size-md_length_size)], b); } block[j] = b; } diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index c11048edaa68..482893756693 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1095,8 +1095,8 @@ int ssl3_get_key_exchange(SSL *s) #endif EVP_MD_CTX md_ctx; unsigned char *param,*p; - int al,i,j,param_len,ok; - long n,alg; + int al,j,ok; + long i,param_len,n,alg; EVP_PKEY *pkey=NULL; #ifndef OPENSSL_NO_RSA RSA *rsa=NULL; @@ -1160,10 +1160,12 @@ int ssl3_get_key_exchange(SSL *s) s->session->sess_cert=ssl_sess_cert_new(); } + /* Total length of the parameters including the length prefix */ param_len=0; alg=s->s3->tmp.new_cipher->algorithms; EVP_MD_CTX_init(&md_ctx); + al=SSL_AD_DECODE_ERROR; #ifndef OPENSSL_NO_RSA if (alg & SSL_kRSA) { @@ -1172,14 +1174,23 @@ int ssl3_get_key_exchange(SSL *s) SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); goto err; } - n2s(p,i); - param_len=i+2; + + param_len = 2; if (param_len > n) { - al=SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, + SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + n2s(p,i); + + if (i > n - param_len) + { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH); goto f_err; } + param_len += i; + if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); @@ -1187,14 +1198,23 @@ int ssl3_get_key_exchange(SSL *s) } p+=i; + if (2 > n - param_len) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, + SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + param_len += 2; + n2s(p,i); - param_len+=i+2; - if (param_len > n) + + if (i > n - param_len) { - al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH); goto f_err; } + param_len += i; + if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); @@ -1226,14 +1246,23 @@ int ssl3_get_key_exchange(SSL *s) SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB); goto err; } - n2s(p,i); - param_len=i+2; + + param_len = 2; if (param_len > n) { - al=SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, + SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + n2s(p,i); + + if (i > n - param_len) + { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH); goto f_err; } + param_len += i; + if (!(dh->p=BN_bin2bn(p,i,NULL))) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); @@ -1241,14 +1270,23 @@ int ssl3_get_key_exchange(SSL *s) } p+=i; + if (2 > n - param_len) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, + SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + param_len += 2; + n2s(p,i); - param_len+=i+2; - if (param_len > n) + + if (i > n - param_len) { - al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH); goto f_err; } + param_len += i; + if (!(dh->g=BN_bin2bn(p,i,NULL))) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); @@ -1256,14 +1294,23 @@ int ssl3_get_key_exchange(SSL *s) } p+=i; + if (2 > n - param_len) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, + SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + param_len += 2; + n2s(p,i); - param_len+=i+2; - if (param_len > n) + + if (i > n - param_len) { - al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH); goto f_err; } + param_len += i; + if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); @@ -1315,12 +1362,19 @@ int ssl3_get_key_exchange(SSL *s) */ /* XXX: For now we only support named (not generic) curves - * and the ECParameters in this case is just three bytes. + * and the ECParameters in this case is just three bytes. We + * also need one byte for the length of the encoded point */ - param_len=3; - if ((param_len > n) || - (*p != NAMED_CURVE_TYPE) || - ((curve_nid = curve_id2nid(*(p + 2))) == 0)) + param_len=4; + if (param_len > n) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, + SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + + if ((*p != NAMED_CURVE_TYPE) || + ((curve_nid = curve_id2nid(*(p + 2))) == 0)) { al=SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); @@ -1362,15 +1416,15 @@ int ssl3_get_key_exchange(SSL *s) encoded_pt_len = *p; /* length of encoded point */ p+=1; - param_len += (1 + encoded_pt_len); - if ((param_len > n) || + + if ((encoded_pt_len > n - param_len) || (EC_POINT_oct2point(group, srvr_ecpoint, p, encoded_pt_len, bn_ctx) == 0)) { - al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT); goto f_err; } + param_len += encoded_pt_len; n-=param_len; p+=encoded_pt_len; @@ -1421,10 +1475,10 @@ int ssl3_get_key_exchange(SSL *s) n-=2; j=EVP_PKEY_size(pkey); + /* Check signature length. If n is 0 then signature is empty */ if ((i != n) || (n > j) || (n <= 0)) { /* wrong packet length */ - al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); goto f_err; } @@ -1433,6 +1487,7 @@ int ssl3_get_key_exchange(SSL *s) if (pkey->type == EVP_PKEY_RSA) { int num; + unsigned int size; j=0; q=md_buf; @@ -1445,9 +1500,9 @@ int ssl3_get_key_exchange(SSL *s) EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,param,param_len); - EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); - q+=i; - j+=i; + EVP_DigestFinal_ex(&md_ctx,q,&size); + q+=size; + j+=size; } i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, pkey->pkey.rsa); @@ -1518,7 +1573,6 @@ int ssl3_get_key_exchange(SSL *s) } if (n != 0) { - al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE); goto f_err; } diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 736bfacc6943..f4391ec39471 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -764,7 +764,7 @@ int ssl3_alert_code(int code) case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); + case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK); default: return(-1); } } - diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index fc723a00a975..fcdbe4779bf3 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1986,6 +1986,29 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; #endif /* !OPENSSL_NO_TLSEXT */ + + case SSL_CTRL_CHECK_PROTO_VERSION: + /* For library-internal use; checks that the current protocol + * is the highest enabled version (according to s->ctx->method, + * as version negotiation may have changed s->method). */ + if (s->version == s->ctx->method->version) + return 1; + /* Apparently we're using a version-flexible SSL_METHOD + * (not at its highest protocol version). */ + if (s->ctx->method->version == SSLv23_method()->version) + { +#if TLS_MAX_VERSION != TLS1_VERSION +# error Code needs update for SSLv23_method() support beyond TLS1_VERSION. +#endif + if (!(s->options & SSL_OP_NO_TLSv1)) + return s->version == TLS1_VERSION; + if (!(s->options & SSL_OP_NO_SSLv3)) + return s->version == SSL3_VERSION; + if (!(s->options & SSL_OP_NO_SSLv2)) + return s->version == SSL2_VERSION; + } + return 0; /* Unexpected state; fail closed. */ + default: break; } @@ -2274,6 +2297,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) break; #endif + default: return(0); } diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index dbbee635c934..a3b45fba9dc1 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -229,6 +229,12 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) return(n); } +/* MAX_EMPTY_RECORDS defines the number of consecutive, empty records that will + * be processed per call to ssl3_get_record. Without this limit an attacker + * could send empty records at a faster rate than we can process and cause + * ssl3_get_record to loop forever. */ +#define MAX_EMPTY_RECORDS 32 + /* Call this to get a new input record. * It will return <= 0 if more data is needed, normally due to an error * or non-blocking IO. @@ -249,6 +255,7 @@ static int ssl3_get_record(SSL *s) short version; unsigned mac_size, orig_len; size_t extra; + unsigned empty_record_count = 0; rr= &(s->s3->rrec); sess=s->session; @@ -476,7 +483,17 @@ printf("\n"); s->packet_length=0; /* just read a 0 length packet */ - if (rr->length == 0) goto again; + if (rr->length == 0) + { + empty_record_count++; + if (empty_record_count > MAX_EMPTY_RECORDS) + { + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_RECORD_TOO_SMALL); + goto f_err; + } + goto again; + } return(1); diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 4ec759574c84..ca3e77aef668 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -128,6 +128,7 @@ #include <stdio.h> #include "ssl_locl.h" #include "kssl_lcl.h" +#include "../crypto/constant_time_locl.h" #include <openssl/buffer.h> #include <openssl/rand.h> #include <openssl/objects.h> @@ -1828,6 +1829,10 @@ int ssl3_get_client_key_exchange(SSL *s) #ifndef OPENSSL_NO_RSA if (l & SSL_kRSA) { + unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; + int decrypt_len; + unsigned char decrypt_good, version_good; + /* FIX THIS UP EAY EAY EAY EAY */ if (s->s3->tmp.use_rsa_tmp) { @@ -1876,54 +1881,61 @@ int ssl3_get_client_key_exchange(SSL *s) n=i; } - i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); - - al = -1; - - if (i != SSL_MAX_MASTER_KEY_LENGTH) - { - al=SSL_AD_DECODE_ERROR; - /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ - } + /* We must not leak whether a decryption failure occurs because + * of Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see + * RFC 2246, section 7.4.7.1). The code follows that advice of + * the TLS RFC and generates a random premaster secret for the + * case that the decrypt fails. See + * https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */ - if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) - { - /* The premaster secret must contain the same version number as the - * ClientHello to detect version rollback attacks (strangely, the - * protocol does not offer such protection for DH ciphersuites). - * However, buggy clients exist that send the negotiated protocol - * version instead if the server does not support the requested - * protocol version. - * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ - if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && - (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) - { - al=SSL_AD_DECODE_ERROR; - /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ - - /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack - * (http://eprint.iacr.org/2003/052/) exploits the version - * number check as a "bad version oracle" -- an alert would - * reveal that the plaintext corresponding to some ciphertext - * made up by the adversary is properly formatted except - * that the version number is wrong. To avoid such attacks, - * we should treat this just like any other decryption error. */ - } + /* should be RAND_bytes, but we cannot work around a failure. */ + if (RAND_pseudo_bytes(rand_premaster_secret, + sizeof(rand_premaster_secret)) <= 0) + goto err; + decrypt_len = RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); + ERR_clear_error(); + + /* decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. + * decrypt_good will be 0xff if so and zero otherwise. */ + decrypt_good = constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH); + + /* If the version in the decrypted pre-master secret is correct + * then version_good will be 0xff, otherwise it'll be zero. + * The Klima-Pokorny-Rosa extension of Bleichenbacher's attack + * (http://eprint.iacr.org/2003/052/) exploits the version + * number check as a "bad version oracle". Thus version checks + * are done in constant time and are treated like any other + * decryption error. */ + version_good = constant_time_eq_8(p[0], (unsigned)(s->client_version>>8)); + version_good &= constant_time_eq_8(p[1], (unsigned)(s->client_version&0xff)); + + /* The premaster secret must contain the same version number as + * the ClientHello to detect version rollback attacks + * (strangely, the protocol does not offer such protection for + * DH ciphersuites). However, buggy clients exist that send the + * negotiated protocol version instead if the server does not + * support the requested protocol version. If + * SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ + if (s->options & SSL_OP_TLS_ROLLBACK_BUG) + { + unsigned char workaround_good; + workaround_good = constant_time_eq_8(p[0], (unsigned)(s->version>>8)); + workaround_good &= constant_time_eq_8(p[1], (unsigned)(s->version&0xff)); + version_good |= workaround_good; + } + + /* Both decryption and version must be good for decrypt_good + * to remain non-zero (0xff). */ + decrypt_good &= version_good; + + /* Now copy rand_premaster_secret over p using + * decrypt_good_mask. */ + for (i = 0; i < (int) sizeof(rand_premaster_secret); i++) + { + p[i] = constant_time_select_8(decrypt_good, p[i], + rand_premaster_secret[i]); } - if (al != -1) - { - /* Some decryption failure -- use random value instead as countermeasure - * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding - * (see RFC 2246, section 7.4.7.1). */ - ERR_clear_error(); - i = SSL_MAX_MASTER_KEY_LENGTH; - p[0] = s->client_version >> 8; - p[1] = s->client_version & 0xff; - if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ - goto err; - } - s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, diff --git a/ssl/ssl.h b/ssl/ssl.h index 5f2a04e83dbd..6435c5966dbf 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -563,6 +563,10 @@ typedef struct ssl_session_st #define SSL_MODE_AUTO_RETRY 0x00000004L /* Don't attempt to automatically build certificate chain */ #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L +/* Send TLS_FALLBACK_SCSV in the ClientHello. + * To be set by applications that reconnect with a downgraded protocol + * version; see draft-ietf-tls-downgrade-scsv-00 for details. */ +#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, @@ -1209,6 +1213,7 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ +#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */ #define SSL_ERROR_NONE 0 #define SSL_ERROR_SSL 1 @@ -1298,6 +1303,8 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); #define SSL_CTRL_CLEAR_OPTIONS 77 #define SSL_CTRL_CLEAR_MODE 78 +#define SSL_CTRL_CHECK_PROTO_VERSION 119 + #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) #define DTLSv1_handle_timeout(ssl) \ @@ -1945,6 +1952,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_HTTPS_PROXY_REQUEST 155 #define SSL_R_HTTP_REQUEST 156 #define SSL_R_ILLEGAL_PADDING 283 +#define SSL_R_INAPPROPRIATE_FALLBACK 373 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 #define SSL_R_INVALID_COMMAND 280 #define SSL_R_INVALID_PURPOSE 278 @@ -2072,6 +2080,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 +#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 diff --git a/ssl/ssl3.h b/ssl/ssl3.h index de5e559a59df..76f922e356dc 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -129,9 +129,14 @@ extern "C" { #endif -/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */ +/* Signalling cipher suite value from RFC 5746 + * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */ #define SSL3_CK_SCSV 0x030000FF +/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00 + * (TLS_FALLBACK_SCSV) */ +#define SSL3_CK_FALLBACK_SCSV 0x03005600 + #define SSL3_CK_RSA_NULL_MD5 0x03000001 #define SSL3_CK_RSA_NULL_SHA 0x03000002 #define SSL3_CK_RSA_RC4_40_MD5 0x03000003 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 9e28dfddf103..2896f58cb3b9 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -341,6 +341,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"}, {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"}, {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"}, +{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"}, {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"}, {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"}, {ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"}, @@ -468,6 +469,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"}, {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"}, {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"}, {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"}, {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"}, {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 47a0c7c4eaa8..5db0b5276e3f 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1296,6 +1296,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, if (sk == NULL) return(0); q=p; + if (put_cb == NULL) + put_cb = s->method->put_cipher_by_char; for (i=0; i<sk_SSL_CIPHER_num(sk); i++) { @@ -1305,24 +1307,36 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, continue; #endif /* OPENSSL_NO_KRB5 */ - j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); + j = put_cb(c,p); p+=j; } - /* If p == q, no ciphers and caller indicates an error. Otherwise - * add SCSV if not renegotiating. - */ - if (p != q && !s->new_session) + /* If p == q, no ciphers; caller indicates an error. + * Otherwise, add applicable SCSVs. */ + if (p != q) { - static SSL_CIPHER scsv = + if (!s->new_session) { - 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, - }; - j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p); - p+=j; + static SSL_CIPHER scsv = + { + 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, + }; + j = put_cb(&scsv,p); + p+=j; #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "SCSV sent by client\n"); + fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n"); #endif - } + } + + if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) + { + static SSL_CIPHER scsv = + { + 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, + }; + j = put_cb(&scsv,p); + p+=j; + } + } return(p-q); } @@ -1333,11 +1347,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk; int i,n; + if (s->s3) s->s3->send_connection_binding = 0; n=ssl_put_cipher_by_char(s,NULL,NULL); - if ((num%n) != 0) + if (n == 0 || (num%n) != 0) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); return(NULL); @@ -1352,7 +1367,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, for (i=0; i<num; i+=n) { - /* Check for SCSV */ + /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */ if (s->s3 && (n != 3 || !p[0]) && (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && (p[n-1] == (SSL3_CK_SCSV & 0xff))) @@ -1372,6 +1387,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, continue; } + /* Check for TLS_FALLBACK_SCSV */ + if ((n != 3 || !p[0]) && + (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) && + (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) + { + /* The SCSV indicates that the client previously tried a higher version. + * Fail if the current version is an unexpected downgrade. */ + if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) + { + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK); + if (s->s3) + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK); + goto err; + } + continue; + } + c=ssl_get_cipher_by_char(s,p); p+=n; if (c != NULL) diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index eb4acef8b8aa..4b9383adfaf0 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -855,6 +855,7 @@ int tls1_alert_code(int code) case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); + case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK); #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); @@ -862,4 +863,3 @@ int tls1_alert_code(int code) default: return(-1); } } - diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 8638eb9a41ec..68c527dfdf5f 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1101,7 +1101,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, HMAC_Final(&hctx, tick_hmac, NULL); HMAC_CTX_cleanup(&hctx); if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) + { + EVP_CIPHER_CTX_cleanup(&ctx); goto tickerr; + } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); diff --git a/ssl/tls1.h b/ssl/tls1.h index 47f25afb1d04..d6f5aeee2c6a 100644 --- a/ssl/tls1.h +++ b/ssl/tls1.h @@ -80,17 +80,24 @@ extern "C" { #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 +#define TLS1_VERSION 0x0301 +#define TLS1_1_VERSION 0x0302 #define TLS1_2_VERSION 0x0303 -#define TLS1_2_VERSION_MAJOR 0x03 -#define TLS1_2_VERSION_MINOR 0x03 +/* TLS 1.1 and 1.2 are not supported by this version of OpenSSL, so + * TLS_MAX_VERSION indicates TLS 1.0 regardless of the above + * definitions. (s23_clnt.c and s23_srvr.c have an OPENSSL_assert() + * check that would catch the error if TLS_MAX_VERSION was too low.) + */ +#define TLS_MAX_VERSION TLS1_VERSION + +#define TLS1_VERSION_MAJOR 0x03 +#define TLS1_VERSION_MINOR 0x01 -#define TLS1_1_VERSION 0x0302 #define TLS1_1_VERSION_MAJOR 0x03 #define TLS1_1_VERSION_MINOR 0x02 -#define TLS1_VERSION 0x0301 -#define TLS1_VERSION_MAJOR 0x03 -#define TLS1_VERSION_MINOR 0x01 +#define TLS1_2_VERSION_MAJOR 0x03 +#define TLS1_2_VERSION_MINOR 0x03 #define TLS1_get_version(s) \ ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0) @@ -108,6 +115,7 @@ extern "C" { #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */ #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */ #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */ +#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */ #define TLS1_AD_USER_CANCELLED 90 #define TLS1_AD_NO_RENEGOTIATION 100 /* codes 110-114 are from RFC3546 */ @@ -419,6 +427,3 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) } #endif #endif - - - |