diff options
author | Matt Caswell <matt@openssl.org> | 2017-12-05 10:14:35 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-12-14 15:06:37 +0000 |
commit | 597c51bc980ba6d7470dd8de747ac12a6c7a442b (patch) | |
tree | bfaa1fb62ac77032ed159170cf5df7ab7a31b717 /ssl/statem | |
parent | db37d32cb89160328b0ba48e3808f601a7b3ebe8 (diff) | |
download | openssl-597c51bc980ba6d7470dd8de747ac12a6c7a442b.tar.gz |
Merge HRR into ServerHello
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
Diffstat (limited to 'ssl/statem')
-rw-r--r-- | ssl/statem/statem_clnt.c | 153 | ||||
-rw-r--r-- | ssl/statem/statem_lib.c | 25 | ||||
-rw-r--r-- | ssl/statem/statem_locl.h | 2 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 106 |
4 files changed, 122 insertions, 164 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 37c198e713..af9e1dcd7d 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -22,7 +22,7 @@ #include <openssl/bn.h> #include <openssl/engine.h> -static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt); +static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt); static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt); static ossl_inline int cert_req_allowed(SSL *s); @@ -206,11 +206,6 @@ int ossl_statem_client_read_transition(SSL *s, int mt) st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; return 1; } - } else { - if (mt == SSL3_MT_HELLO_RETRY_REQUEST) { - st->hand_state = TLS_ST_CR_HELLO_RETRY_REQUEST; - return 1; - } } break; @@ -224,10 +219,6 @@ int ossl_statem_client_read_transition(SSL *s, int mt) st->hand_state = TLS_ST_CR_SRVR_HELLO; return 1; } - if (mt == SSL3_MT_HELLO_RETRY_REQUEST) { - st->hand_state = TLS_ST_CR_HELLO_RETRY_REQUEST; - return 1; - } break; case TLS_ST_CR_SRVR_HELLO: @@ -506,7 +497,8 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s) */ return WRITE_TRAN_FINISHED; - case TLS_ST_CR_HELLO_RETRY_REQUEST: + case TLS_ST_CR_SRVR_HELLO: + /* We only get here in TLSv1.3 */ st->hand_state = TLS_ST_CW_CLNT_HELLO; return WRITE_TRAN_CONTINUE; @@ -912,9 +904,6 @@ size_t ossl_statem_client_max_message_size(SSL *s) case DTLS_ST_CR_HELLO_VERIFY_REQUEST: return HELLO_VERIFY_REQUEST_MAX_LENGTH; - case TLS_ST_CR_HELLO_RETRY_REQUEST: - return HELLO_RETRY_REQUEST_MAX_LENGTH; - case TLS_ST_CR_CERT: return s->max_cert_list; @@ -978,9 +967,6 @@ MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt) case DTLS_ST_CR_HELLO_VERIFY_REQUEST: return dtls_process_hello_verify(s, pkt); - case TLS_ST_CR_HELLO_RETRY_REQUEST: - return tls_process_hello_retry_request(s, pkt); - case TLS_ST_CR_CERT: return tls_process_server_certificate(s, pkt); @@ -1353,6 +1339,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) PACKET session_id, extpkt; size_t session_id_len; const unsigned char *cipherchars; + int hrr = 0; unsigned int compression; unsigned int sversion; unsigned int context; @@ -1369,10 +1356,22 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) } /* load the server random */ - if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_LENGTH_MISMATCH); - goto err; + if (s->version == TLS1_3_VERSION + && sversion == TLS1_2_VERSION + && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE + && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) { + s->hello_retry_request = hrr = 1; + if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; + } + } else { + if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; + } } /* Get the session-id. */ @@ -1402,7 +1401,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) } /* TLS extensions */ - if (PACKET_remaining(pkt) == 0) { + if (PACKET_remaining(pkt) == 0 && !hrr) { PACKET_null_init(&extpkt); } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt) || PACKET_remaining(pkt) != 0) { @@ -1411,17 +1410,45 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) goto err; } - if (!tls_collect_extensions(s, &extpkt, - SSL_EXT_TLS1_2_SERVER_HELLO - | SSL_EXT_TLS1_3_SERVER_HELLO, - &extensions, NULL, 1)) { - /* SSLfatal() already called */ - goto err; + if (!hrr) { + if (!tls_collect_extensions(s, &extpkt, + SSL_EXT_TLS1_2_SERVER_HELLO + | SSL_EXT_TLS1_3_SERVER_HELLO, + &extensions, NULL, 1)) { + /* SSLfatal() already called */ + goto err; + } + + if (!ssl_choose_client_version(s, sversion, extensions)) { + /* SSLfatal() already called */ + goto err; + } } - if (!ssl_choose_client_version(s, sversion, extensions)) { - /* SSLfatal() already called */ - goto err; + if (SSL_IS_TLS13(s) || hrr) { + if (compression != 0) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_INVALID_COMPRESSION_ALGORITHM); + goto err; + } + + if (session_id_len != s->tmp_session_id_len + || memcmp(PACKET_data(&session_id), s->tmp_session_id, + session_id_len) != 0) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INVALID_SESSION_ID); + goto err; + } + } + + if (hrr) { + if (!set_client_ciphersuite(s, cipherchars)) { + /* SSLfatal() already called */ + goto err; + } + + return tls_process_as_hello_retry_request(s, &extpkt); } /* @@ -1450,21 +1477,6 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) goto err; } - if (compression != 0) { - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, - SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_INVALID_COMPRESSION_ALGORITHM); - goto err; - } - - if (session_id_len != s->tmp_session_id_len - || memcmp(PACKET_data(&session_id), s->tmp_session_id, - session_id_len) != 0) { - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, - SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INVALID_SESSION_ID); - goto err; - } - /* This will set s->hit if we are resuming */ if (!tls_parse_extension(s, TLSEXT_IDX_psk, SSL_EXT_TLS1_3_SERVER_HELLO, @@ -1670,28 +1682,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) return MSG_PROCESS_ERROR; } -static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) +static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, + PACKET *extpkt) { - unsigned int sversion; - const unsigned char *cipherchars; RAW_EXTENSION *extensions = NULL; - PACKET extpkt; - - if (!PACKET_get_net_2(pkt, &sversion)) { - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, - SSL_R_LENGTH_MISMATCH); - goto err; - } - - /* TODO(TLS1.3): Remove the TLS1_3_VERSION_DRAFT clause before release */ - if (sversion != TLS1_3_VERSION && sversion != TLS1_3_VERSION_DRAFT) { - SSLfatal(s, SSL_AD_PROTOCOL_VERSION, - SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, - SSL_R_WRONG_SSL_VERSION); - goto err; - } - - s->hello_retry_request = 1; /* * If we were sending early_data then the enc_write_ctx is now invalid and @@ -1700,28 +1694,7 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) EVP_CIPHER_CTX_free(s->enc_write_ctx); s->enc_write_ctx = NULL; - if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, - SSL_R_LENGTH_MISMATCH); - goto err; - } - - if (!set_client_ciphersuite(s, cipherchars)) { - /* SSLfatal() already called */ - goto err; - } - - if (!PACKET_as_length_prefixed_2(pkt, &extpkt) - /* Must have a non-empty extensions block */ - || PACKET_remaining(&extpkt) == 0 - /* Must be no trailing data after extensions */ - || PACKET_remaining(pkt) != 0) { - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, - SSL_R_BAD_LENGTH); - goto err; - } - - if (!tls_collect_extensions(s, &extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, + if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, &extensions, NULL, 1) || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, extensions, NULL, 0, 1)) { @@ -1742,8 +1715,8 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) * ClientHello will not change */ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, - SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, - SSL_R_NO_CHANGE_FOLLOWING_HRR); + SSL_F_TLS_PROCESS_AS_HELLO_RETRY_REQUEST, + SSL_R_NO_CHANGE_FOLLOWING_HRR); goto err; } diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 7b1811543c..c38c1337b5 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -19,6 +19,13 @@ #include <openssl/evp.h> #include <openssl/x509.h> +/* Fixed value used in the ServerHello random field to identify an HRR */ +const unsigned char hrrrandom[] = { + 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, + 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, + 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c +}; + /* * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or * SSL3_RT_CHANGE_CIPHER_SPEC) @@ -1238,12 +1245,18 @@ int tls_get_message_body(SSL *s, size_t *len) * We defer feeding in the HRR until later. We'll do it as part of * processing the message */ - if (s->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST - && !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, - s->init_num + SSL3_HM_HEADER_LENGTH)) { - /* SSLfatal() already called */ - *len = 0; - return 0; +#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2) + if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO + || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE + || memcmp(hrrrandom, + s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET, + SSL3_RANDOM_SIZE) != 0) { + if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, + s->init_num + SSL3_HM_HEADER_LENGTH)) { + /* SSLfatal() already called */ + *len = 0; + return 0; + } } if (s->msg_callback) s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_locl.h index ad5b028da7..5e0ce7e997 100644 --- a/ssl/statem/statem_locl.h +++ b/ssl/statem/statem_locl.h @@ -35,6 +35,8 @@ /* Dummy message type */ #define SSL3_MT_DUMMY -1 +extern const unsigned char hrrrandom[]; + /* Message processing return codes */ typedef enum { /* Something bad happened */ diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 43ad4a4623..3ebe76530a 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -24,7 +24,6 @@ #include <openssl/md5.h> static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt); -static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt); /* * ossl_statem_server13_read_transition() encapsulates the logic for the allowed @@ -392,18 +391,13 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) return WRITE_TRAN_FINISHED; case TLS_ST_SR_CLNT_HELLO: - if (s->hello_retry_request) - st->hand_state = TLS_ST_SW_HELLO_RETRY_REQUEST; - else - st->hand_state = TLS_ST_SW_SRVR_HELLO; - return WRITE_TRAN_CONTINUE; - - case TLS_ST_SW_HELLO_RETRY_REQUEST: - st->hand_state = TLS_ST_EARLY_DATA; + st->hand_state = TLS_ST_SW_SRVR_HELLO; return WRITE_TRAN_CONTINUE; case TLS_ST_SW_SRVR_HELLO: - if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) + if (s->hello_retry_request) + st->hand_state = TLS_ST_EARLY_DATA; + else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) st->hand_state = TLS_ST_SW_CHANGE; else st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; @@ -714,11 +708,6 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) /* No post work to be done */ break; - case TLS_ST_SW_HELLO_RETRY_REQUEST: - if (statem_flush(s) != 1) - return WORK_MORE_A; - break; - case TLS_ST_SW_HELLO_REQ: if (statem_flush(s) != 1) return WORK_MORE_A; @@ -744,6 +733,11 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) break; case TLS_ST_SW_SRVR_HELLO: + if (SSL_IS_TLS13(s) && s->hello_retry_request) { + if (statem_flush(s) != 1) + return WORK_MORE_A; + break; + } #ifndef OPENSSL_NO_SCTP if (SSL_IS_DTLS(s) && s->hit) { unsigned char sctpauthkey[64]; @@ -963,11 +957,6 @@ int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, *mt = SSL3_MT_ENCRYPTED_EXTENSIONS; break; - case TLS_ST_SW_HELLO_RETRY_REQUEST: - *confunc = tls_construct_hello_retry_request; - *mt = SSL3_MT_HELLO_RETRY_REQUEST; - break; - case TLS_ST_SW_KEY_UPDATE: *confunc = tls_construct_key_update; *mt = SSL3_MT_KEY_UPDATE; @@ -2211,14 +2200,18 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) size_t sl, len; int version; unsigned char *session_id; + int usetls13 = SSL_IS_TLS13(s) || s->hello_retry_request; - version = SSL_IS_TLS13(s) ? TLS1_2_VERSION : s->version; + version = usetls13 ? TLS1_2_VERSION : s->version; if (!WPACKET_put_bytes_u16(pkt, version) /* * Random stuff. Filling of the server_random takes place in * tls_process_client_hello() */ - || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { + || !WPACKET_memcpy(pkt, + s->hello_retry_request + ? hrrrandom : s->s3->server_random, + SSL3_RANDOM_SIZE)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); return 0; @@ -2247,7 +2240,7 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) && !s->hit)) s->session->session_id_length = 0; - if (SSL_IS_TLS13(s)) { + if (usetls13) { sl = s->tmp_session_id_len; session_id = s->tmp_session_id; } else { @@ -2265,7 +2258,7 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) #ifdef OPENSSL_NO_COMP compm = 0; #else - if (SSL_IS_TLS13(s) || s->s3->tmp.new_compression == NULL) + if (usetls13 || s->s3->tmp.new_compression == NULL) compm = 0; else compm = s->s3->tmp.new_compression->id; @@ -2275,16 +2268,32 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len) || !WPACKET_put_bytes_u8(pkt, compm) || !tls_construct_extensions(s, pkt, - SSL_IS_TLS13(s) - ? SSL_EXT_TLS1_3_SERVER_HELLO - : SSL_EXT_TLS1_2_SERVER_HELLO, + s->hello_retry_request + ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST + : (SSL_IS_TLS13(s) + ? SSL_EXT_TLS1_3_SERVER_HELLO + : SSL_EXT_TLS1_2_SERVER_HELLO), NULL, 0)) { /* SSLfatal() already called */ return 0; } - if (!(s->verify_mode & SSL_VERIFY_PEER) - && !ssl3_digest_cached_records(s, 0)) { + if (s->hello_retry_request) { + /* Ditch the session. We'll create a new one next time around */ + SSL_SESSION_free(s->session); + s->session = NULL; + s->hit = 0; + + /* + * Re-initialise the Transcript Hash. We're going to prepopulate it with + * a synthetic message_hash in place of ClientHello1. + */ + if (!create_synthetic_message_hash(s)) { + /* SSLfatal() already called */ + return 0; + } + } else if (!(s->verify_mode & SSL_VERIFY_PEER) + && !ssl3_digest_cached_records(s, 0)) { /* SSLfatal() already called */; return 0; } @@ -3856,45 +3865,6 @@ static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt) return 1; } -static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt) -{ - size_t len = 0; - - /* - * TODO(TLS1.3): Remove the DRAFT version before release - * (should be s->version) - */ - if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT) - || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, - &len)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR); - return 0; - } - - if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, - NULL, 0)) { - /* SSLfatal() already called */ - return 0; - } - - /* Ditch the session. We'll create a new one next time around */ - SSL_SESSION_free(s->session); - s->session = NULL; - s->hit = 0; - - /* - * Re-initialise the Transcript Hash. We're going to prepopulate it with - * a synthetic message_hash in place of ClientHello1. - */ - if (!create_synthetic_message_hash(s)) { - /* SSLfatal() already called */ - return 0; - } - - return 1; -} - MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt) { if (PACKET_remaining(pkt) != 0) { |