提交 1ab3836b 编写于 作者: M Matt Caswell

Refactor ClientHello processing so that extensions get parsed earlier

Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
上级 e3fb4d3d
...@@ -2256,6 +2256,7 @@ int ERR_load_SSL_strings(void); ...@@ -2256,6 +2256,7 @@ int ERR_load_SSL_strings(void);
# define SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE 377 # define SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE 377
# define SSL_F_TLS_GET_MESSAGE_BODY 351 # define SSL_F_TLS_GET_MESSAGE_BODY 351
# define SSL_F_TLS_GET_MESSAGE_HEADER 387 # define SSL_F_TLS_GET_MESSAGE_HEADER 387
# define SSL_F_TLS_PARSE_RAW_EXTENSIONS 432
# define SSL_F_TLS_POST_PROCESS_CLIENT_HELLO 378 # define SSL_F_TLS_POST_PROCESS_CLIENT_HELLO 378
# define SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE 384 # define SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE 384
# define SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE 360 # define SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE 360
......
...@@ -279,6 +279,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { ...@@ -279,6 +279,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
"tls_construct_server_key_exchange"}, "tls_construct_server_key_exchange"},
{ERR_FUNC(SSL_F_TLS_GET_MESSAGE_BODY), "tls_get_message_body"}, {ERR_FUNC(SSL_F_TLS_GET_MESSAGE_BODY), "tls_get_message_body"},
{ERR_FUNC(SSL_F_TLS_GET_MESSAGE_HEADER), "tls_get_message_header"}, {ERR_FUNC(SSL_F_TLS_GET_MESSAGE_HEADER), "tls_get_message_header"},
{ERR_FUNC(SSL_F_TLS_PARSE_RAW_EXTENSIONS), "tls_parse_raw_extensions"},
{ERR_FUNC(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO), {ERR_FUNC(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO),
"tls_post_process_client_hello"}, "tls_post_process_client_hello"},
{ERR_FUNC(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE), {ERR_FUNC(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE),
......
...@@ -1624,6 +1624,29 @@ typedef struct ssl3_comp_st { ...@@ -1624,6 +1624,29 @@ typedef struct ssl3_comp_st {
} SSL3_COMP; } SSL3_COMP;
# endif # endif
typedef struct {
unsigned int type;
PACKET data;
} RAW_EXTENSION;
#define MAX_COMPRESSIONS_SIZE 255
typedef struct {
unsigned int isv2;
unsigned int version;
unsigned char random[SSL3_RANDOM_SIZE];
size_t session_id_len;
unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
size_t dtls_cookie_len;
unsigned char dtls_cookie[DTLS1_COOKIE_LENGTH];
PACKET ciphersuites;
size_t compressions_len;
unsigned char compressions[MAX_COMPRESSIONS_SIZE];
PACKET extensions;
size_t num_extensions;
RAW_EXTENSION *pre_proc_exts;
} CLIENTHELLO_MSG;
extern SSL3_ENC_METHOD ssl3_undef_enc_method; extern SSL3_ENC_METHOD ssl3_undef_enc_method;
__owur const SSL_METHOD *ssl_bad_method(int ver); __owur const SSL_METHOD *ssl_bad_method(int ver);
...@@ -1797,8 +1820,7 @@ __owur CERT *ssl_cert_dup(CERT *cert); ...@@ -1797,8 +1820,7 @@ __owur CERT *ssl_cert_dup(CERT *cert);
void ssl_cert_clear_certs(CERT *c); void ssl_cert_clear_certs(CERT *c);
void ssl_cert_free(CERT *c); void ssl_cert_free(CERT *c);
__owur int ssl_get_new_session(SSL *s, int session); __owur int ssl_get_new_session(SSL *s, int session);
__owur int ssl_get_prev_session(SSL *s, const PACKET *ext, __owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello);
const PACKET *session_id);
__owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket); __owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
__owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b); __owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
...@@ -1919,7 +1941,7 @@ __owur int ssl_version_supported(const SSL *s, int version); ...@@ -1919,7 +1941,7 @@ __owur int ssl_version_supported(const SSL *s, int version);
__owur int ssl_set_client_hello_version(SSL *s); __owur int ssl_set_client_hello_version(SSL *s);
__owur int ssl_check_version_downgrade(SSL *s); __owur int ssl_check_version_downgrade(SSL *s);
__owur int ssl_set_version_bound(int method_version, int version, int *bound); __owur int ssl_set_version_bound(int method_version, int version, int *bound);
__owur int ssl_choose_server_version(SSL *s); __owur int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello);
__owur int ssl_choose_client_version(SSL *s, int version); __owur int ssl_choose_client_version(SSL *s, int version);
int ssl_get_client_min_max_version(const SSL *s, int *min_version, int ssl_get_client_min_max_version(const SSL *s, int *min_version,
int *max_version); int *max_version);
...@@ -2020,7 +2042,7 @@ __owur int tls1_shared_list(SSL *s, ...@@ -2020,7 +2042,7 @@ __owur int tls1_shared_list(SSL *s,
const unsigned char *l2, size_t l2len, int nmatch); const unsigned char *l2, size_t l2len, int nmatch);
__owur int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al); __owur int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al);
__owur int ssl_add_serverhello_tlsext(SSL *s, WPACKET *pkt, int *al); __owur int ssl_add_serverhello_tlsext(SSL *s, WPACKET *pkt, int *al);
__owur int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt); __owur int ssl_parse_clienthello_tlsext(SSL *s, CLIENTHELLO_MSG *hello);
void ssl_set_default_md(SSL *s); void ssl_set_default_md(SSL *s);
__owur int tls1_set_server_sigalgs(SSL *s); __owur int tls1_set_server_sigalgs(SSL *s);
__owur int ssl_check_clienthello_tlsext_late(SSL *s, int *al); __owur int ssl_check_clienthello_tlsext_late(SSL *s, int *al);
...@@ -2034,9 +2056,9 @@ __owur int dtls1_process_heartbeat(SSL *s, unsigned char *p, ...@@ -2034,9 +2056,9 @@ __owur int dtls1_process_heartbeat(SSL *s, unsigned char *p,
size_t length); size_t length);
# endif # endif
__owur int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext, __owur int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
const PACKET *session_id, SSL_SESSION **ret);
SSL_SESSION **ret); __owur int tls_check_client_ems_support(SSL *s, CLIENTHELLO_MSG *hello);
__owur int tls12_get_sigandhash(WPACKET *pkt, const EVP_PKEY *pk, __owur int tls12_get_sigandhash(WPACKET *pkt, const EVP_PKEY *pk,
const EVP_MD *md); const EVP_MD *md);
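Review bot: The new `RAW_EXTENSION` and `CLIENTHELLO_MSG` typedefs carry no comments, and the ownership of `pre_proc_exts` is the part a reader most needs spelled out. From `tls_parse_raw_extensions` elsewhere in this commit it is an `OPENSSL_malloc`'d array of `num_extensions` entries, so I would add `/* array of num_extensions entries from tls_parse_raw_extensions(); the CLIENTHELLO_MSG owner must OPENSSL_free() it */` above that field. A one-line comment on `RAW_EXTENSION.data` would also help, saying the PACKET presumably points into the handshake message buffer rather than owning a copy. That lifetime constraint matters once the struct is passed to `ssl_get_prev_session` and `ssl_parse_clienthello_tlsext`.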
......
...@@ -445,7 +445,7 @@ int ssl_get_new_session(SSL *s, int session) ...@@ -445,7 +445,7 @@ int ssl_get_new_session(SSL *s, int session)
* - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1 * - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1
* if the server should issue a new session ticket (to 0 otherwise). * if the server should issue a new session ticket (to 0 otherwise).
*/ */
int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
{ {
/* This is used only by servers. */ /* This is used only by servers. */
...@@ -454,11 +454,11 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) ...@@ -454,11 +454,11 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id)
int try_session_cache = 1; int try_session_cache = 1;
int r; int r;
if (PACKET_remaining(session_id) == 0) if (hello->session_id_len == 0)
try_session_cache = 0; try_session_cache = 0;
/* sets s->tlsext_ticket_expected and extended master secret flag */ /* sets s->tlsext_ticket_expected */
r = tls_check_serverhello_tlsext_early(s, ext, session_id, &ret); r = tls_get_ticket_from_client(s, hello, &ret);
switch (r) { switch (r) {
case -1: /* Error during processing */ case -1: /* Error during processing */
fatal = 1; fatal = 1;
...@@ -479,14 +479,12 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) ...@@ -479,14 +479,12 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id)
!(s->session_ctx->session_cache_mode & !(s->session_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) { SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
SSL_SESSION data; SSL_SESSION data;
size_t local_len;
data.ssl_version = s->version; data.ssl_version = s->version;
memset(data.session_id, 0, sizeof(data.session_id)); memset(data.session_id, 0, sizeof(data.session_id));
if (!PACKET_copy_all(session_id, data.session_id, memcpy(data.session_id, hello->session_id, hello->session_id_len);
sizeof(data.session_id), &local_len)) { data.session_id_length = hello->session_id_len;
goto err;
}
data.session_id_length = local_len;
CRYPTO_THREAD_read_lock(s->session_ctx->lock); CRYPTO_THREAD_read_lock(s->session_ctx->lock);
ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data); ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data);
if (ret != NULL) { if (ret != NULL) {
...@@ -501,8 +499,9 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) ...@@ -501,8 +499,9 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id)
if (try_session_cache && if (try_session_cache &&
ret == NULL && s->session_ctx->get_session_cb != NULL) { ret == NULL && s->session_ctx->get_session_cb != NULL) {
int copy = 1; int copy = 1;
ret = s->session_ctx->get_session_cb(s, PACKET_data(session_id),
(int)PACKET_remaining(session_id), ret = s->session_ctx->get_session_cb(s, hello->session_id,
hello->session_id_len,
&copy); &copy);
if (ret != NULL) { if (ret != NULL) {
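Review bot: The new `memcpy(data.session_id, hello->session_id, hello->session_id_len);` in ssl_get_prev_session drops the bounds check that `PACKET_copy_all(..., sizeof(data.session_id), &local_len)` used to perform. The copy is now safe only because the caller has already capped `session_id_len` when it filled the struct. Since the length originates from the peer, a local guard such as `if (hello->session_id_len > sizeof(data.session_id)) goto err;` before the copy keeps the function safe on its own. The `get_session_cb` call also passes the `size_t` length without the `(int)` cast the old code had, and I would restore it to make the narrowing explicit. The function body continues outside these hunks.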
......
...@@ -152,6 +152,94 @@ static void ssl3_take_mac(SSL *s) ...@@ -152,6 +152,94 @@ static void ssl3_take_mac(SSL *s)
} }
#endif #endif
static int compare_extensions(const void *p1, const void *p2)
{
const RAW_EXTENSION *e1 = (const RAW_EXTENSION *)p1;
const RAW_EXTENSION *e2 = (const RAW_EXTENSION *)p2;
if (e1->type < e2->type)
return -1;
else if (e1->type > e2->type)
return 1;
else
return 0;
}
/*
* Gather a list of all the extensions. We don't actually process the content
* of the extensions yet, except to check their types.
*
* Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
* more than one extension of the same type in a ClientHello or ServerHello.
* This function returns 1 if all extensions are unique and we have parsed their
* types, and 0 if the extensions contain duplicates, could not be successfully
* parsed, or an internal error occurred.
*/
int tls_parse_raw_extensions(PACKET *packet, RAW_EXTENSION **res,
size_t *numfound, int *ad)
{
PACKET extensions = *packet;
size_t num_extensions = 0, i = 0;
RAW_EXTENSION *raw_extensions = NULL;
/* First pass: count the extensions. */
while (PACKET_remaining(&extensions) > 0) {
unsigned int type;
PACKET extension;
if (!PACKET_get_net_2(&extensions, &type) ||
!PACKET_get_length_prefixed_2(&extensions, &extension)) {
*ad = SSL_AD_DECODE_ERROR;
goto done;
}
num_extensions++;
}
if (num_extensions > 0) {
raw_extensions = OPENSSL_malloc(sizeof(RAW_EXTENSION) * num_extensions);
if (raw_extensions == NULL) {
*ad = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PARSE_RAW_EXTENSIONS, ERR_R_MALLOC_FAILURE);
goto done;
}
/* Second pass: gather the extension types. */
for (i = 0; i < num_extensions; i++) {
if (!PACKET_get_net_2(packet, &raw_extensions[i].type) ||
!PACKET_get_length_prefixed_2(packet,
&raw_extensions[i].data)) {
/* This should not happen. */
*ad = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PARSE_RAW_EXTENSIONS, ERR_R_INTERNAL_ERROR);
goto done;
}
}
if (PACKET_remaining(packet) != 0) {
*ad = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PARSE_RAW_EXTENSIONS, SSL_R_LENGTH_MISMATCH);
goto done;
}
/* Sort the extensions and make sure there are no duplicates. */
qsort(raw_extensions, num_extensions, sizeof(RAW_EXTENSION),
compare_extensions);
for (i = 1; i < num_extensions; i++) {
if (raw_extensions[i - 1].type == raw_extensions[i].type) {
*ad = SSL_AD_DECODE_ERROR;
goto done;
}
}
}
*res = raw_extensions;
*numfound = num_extensions;
return 1;
done:
OPENSSL_free(raw_extensions);
return 0;
}
MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
{ {
int al; int al;
...@@ -875,7 +963,7 @@ int ssl_set_version_bound(int method_version, int version, int *bound) ...@@ -875,7 +963,7 @@ int ssl_set_version_bound(int method_version, int version, int *bound)
* *
* Returns 0 on success or an SSL error reason number on failure. * Returns 0 on success or an SSL error reason number on failure.
*/ */
int ssl_choose_server_version(SSL *s) int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello)
{ {
/*- /*-
* With version-flexible methods we have an initial state with: * With version-flexible methods we have an initial state with:
...@@ -887,11 +975,13 @@ int ssl_choose_server_version(SSL *s) ...@@ -887,11 +975,13 @@ int ssl_choose_server_version(SSL *s)
* handle version. * handle version.
*/ */
int server_version = s->method->version; int server_version = s->method->version;
int client_version = s->client_version; int client_version = hello->version;
const version_info *vent; const version_info *vent;
const version_info *table; const version_info *table;
int disabled = 0; int disabled = 0;
s->client_version = client_version;
switch (server_version) { switch (server_version) {
default: default:
if (version_cmp(s, client_version, s->version) < 0) if (version_cmp(s, client_version, s->version) < 0)
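Review bot: Two failure paths in `tls_parse_raw_extensions` set `*ad = SSL_AD_DECODE_ERROR` and jump to `done` without queuing an error: the first-pass parse failure and the duplicate-type check after `qsort`. The call site in tls_process_client_hello assumes otherwise (its comment reads "SSLerr already been called"), so a malformed or duplicated extension list would produce an alert with nothing on the error stack to diagnose it. Adding `SSLerr(SSL_F_TLS_PARSE_RAW_EXTENSIONS, SSL_R_LENGTH_MISMATCH);` on the first path, and an equivalent call with a suitable reason code on the duplicate path, makes the function match its caller. The header comment should also say that the returned array is sorted by type, so wire order is lost, and that `*res` and `*numfound` are left untouched on failure.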
......
...@@ -86,6 +86,9 @@ __owur int tls_construct_finished(SSL *s, WPACKET *pkt); ...@@ -86,6 +86,9 @@ __owur int tls_construct_finished(SSL *s, WPACKET *pkt);
__owur WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst); __owur WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst);
__owur WORK_STATE dtls_wait_for_dry(SSL *s); __owur WORK_STATE dtls_wait_for_dry(SSL *s);
int tls_parse_raw_extensions(PACKET *packet, RAW_EXTENSION **res,
size_t *numfound, int *ad);
/* some client-only functions */ /* some client-only functions */
__owur int tls_construct_client_hello(SSL *s, WPACKET *pkt); __owur int tls_construct_client_hello(SSL *s, WPACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt);
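Review bot: The new `tls_parse_raw_extensions` prototype is declared without `__owur`, unlike the neighbouring declarations in this header. It returns a success flag and hands back an allocated array through `res`, so an ignored return value would hide a parse failure. I would declare it as `__owur int tls_parse_raw_extensions(PACKET *packet, RAW_EXTENSION **res,` for consistency.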
......
...@@ -889,7 +889,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -889,7 +889,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
{ {
int i, al = SSL_AD_INTERNAL_ERROR; int i, al = SSL_AD_INTERNAL_ERROR;
unsigned int j; unsigned int j;
size_t loop, complen = 0; size_t loop;
unsigned long id; unsigned long id;
const SSL_CIPHER *c; const SSL_CIPHER *c;
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
...@@ -898,16 +898,20 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -898,16 +898,20 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
STACK_OF(SSL_CIPHER) *ciphers = NULL; STACK_OF(SSL_CIPHER) *ciphers = NULL;
int protverr; int protverr;
/* |cookie| will only be initialized for DTLS. */ /* |cookie| will only be initialized for DTLS. */
PACKET session_id, cipher_suites, compression, extensions, cookie; PACKET session_id, compression, extensions, cookie;
int is_v2_record;
static const unsigned char null_compression = 0; static const unsigned char null_compression = 0;
CLIENTHELLO_MSG clienthello;
is_v2_record = RECORD_LAYER_is_sslv2_record(&s->rlayer); /*
* First step is to parse the raw ClientHello data into the CLIENTHELLO_MSG
* structure.
*/
clienthello.isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
PACKET_null_init(&cookie); PACKET_null_init(&cookie);
/* First lets get s->client_version set correctly */
if (is_v2_record) { if (clienthello.isv2) {
unsigned int version;
unsigned int mt; unsigned int mt;
/*- /*-
* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
...@@ -934,73 +938,25 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -934,73 +938,25 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
if (!PACKET_get_net_2(pkt, &version)) {
/* No protocol version supplied! */
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
goto err;
}
if (version == 0x0002) {
/* This is real SSLv2. We don't support it. */
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
goto err;
} else if ((version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) {
/* SSLv3/TLS */
s->client_version = version;
} else {
/* No idea what protocol this is */
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
goto err;
}
} else {
/*
* use version from inside client hello, not from record header (may
* differ: see RFC 2246, Appendix E, second paragraph)
*/
if (!PACKET_get_net_2(pkt, (unsigned int *)&s->client_version)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
goto f_err;
}
} }
/* if (!PACKET_get_net_2(pkt, &clienthello.version)) {
* Do SSL/TLS version negotiation if applicable. For DTLS we just check al = SSL_AD_DECODE_ERROR;
* versions are potentially compatible. Version negotiation comes later. SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
*/ goto err;
if (!SSL_IS_DTLS(s)) {
protverr = ssl_choose_server_version(s);
} else if (s->method->version != DTLS_ANY_VERSION &&
DTLS_VERSION_LT(s->client_version, s->version)) {
protverr = SSL_R_VERSION_TOO_LOW;
} else {
protverr = 0;
}
if (protverr) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
if ((!s->enc_write_ctx && !s->write_hash)) {
/*
* similar to ssl3_get_record, send alert using remote version
* number
*/
s->version = s->client_version;
}
al = SSL_AD_PROTOCOL_VERSION;
goto f_err;
} }
/* Parse the message and load client random. */ /* Parse the message and load client random. */
if (is_v2_record) { if (clienthello.isv2) {
/* /*
* Handle an SSLv2 backwards compatible ClientHello * Handle an SSLv2 backwards compatible ClientHello
* Note, this is only for SSLv3+ using the backward compatible format. * Note, this is only for SSLv3+ using the backward compatible format.
* Real SSLv2 is not supported, and is rejected above. * Real SSLv2 is not supported, and is rejected above.
*/ */
unsigned int cipher_len, session_id_len, challenge_len; unsigned int ciphersuite_len, session_id_len, challenge_len;
PACKET challenge; PACKET challenge;
if (!PACKET_get_net_2(pkt, &cipher_len) if (!PACKET_get_net_2(pkt, &ciphersuite_len)
|| !PACKET_get_net_2(pkt, &session_id_len) || !PACKET_get_net_2(pkt, &session_id_len)
|| !PACKET_get_net_2(pkt, &challenge_len)) { || !PACKET_get_net_2(pkt, &challenge_len)) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
...@@ -1008,6 +964,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1008,6 +964,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
al = SSL_AD_DECODE_ERROR; al = SSL_AD_DECODE_ERROR;
goto f_err; goto f_err;
} }
clienthello.session_id_len = session_id_len;
if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) { if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
al = SSL_AD_DECODE_ERROR; al = SSL_AD_DECODE_ERROR;
...@@ -1015,8 +972,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1015,8 +972,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
goto f_err; goto f_err;
} }
if (!PACKET_get_sub_packet(pkt, &cipher_suites, cipher_len) if (!PACKET_get_sub_packet(pkt, &clienthello.ciphersuites,
|| !PACKET_get_sub_packet(pkt, &session_id, session_id_len) ciphersuite_len)
|| !PACKET_get_sub_packet(pkt, &session_id,
clienthello.session_id_len)
|| !PACKET_get_sub_packet(pkt, &challenge, challenge_len) || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
/* No extensions. */ /* No extensions. */
|| PACKET_remaining(pkt) != 0) { || PACKET_remaining(pkt) != 0) {
...@@ -1029,9 +988,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1029,9 +988,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
/* Load the client random and compression list. */ /* Load the client random and compression list. */
challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE : challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE :
challenge_len; challenge_len;
memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE); memset(clienthello.random, 0, SSL3_RANDOM_SIZE);
if (!PACKET_copy_bytes(&challenge, if (!PACKET_copy_bytes(&challenge,
s->s3->client_random + SSL3_RANDOM_SIZE - clienthello.random + SSL3_RANDOM_SIZE -
challenge_len, challenge_len) challenge_len, challenge_len)
/* Advertise only null compression. */ /* Advertise only null compression. */
|| !PACKET_buf_init(&compression, &null_compression, 1)) { || !PACKET_buf_init(&compression, &null_compression, 1)) {
...@@ -1040,55 +999,136 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1040,55 +999,136 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
goto f_err; goto f_err;
} }
PACKET_null_init(&extensions); PACKET_null_init(&clienthello.extensions);
} else { } else {
/* Regular ClientHello. */ /* Regular ClientHello. */
if (!PACKET_copy_bytes(pkt, s->s3->client_random, SSL3_RANDOM_SIZE) if (!PACKET_copy_bytes(pkt, clienthello.random, SSL3_RANDOM_SIZE)
|| !PACKET_get_length_prefixed_1(pkt, &session_id)) { || !PACKET_get_length_prefixed_1(pkt, &session_id)) {
al = SSL_AD_DECODE_ERROR; al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
goto f_err; goto f_err;
} }
if (PACKET_remaining(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
goto f_err;
}
if (SSL_IS_DTLS(s)) { if (SSL_IS_DTLS(s)) {
if (!PACKET_get_length_prefixed_1(pkt, &cookie)) { if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
al = SSL_AD_DECODE_ERROR; al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
goto f_err; goto f_err;
} }
if (!PACKET_copy_all(&cookie, clienthello.dtls_cookie,
DTLS1_COOKIE_LENGTH,
&clienthello.dtls_cookie_len)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
goto f_err;
}
/* /*
* If we require cookies and this ClientHello doesn't contain one, * If we require cookies and this ClientHello doesn't contain one,
* just return since we do not want to allocate any memory yet. * just return since we do not want to allocate any memory yet.
* So check cookie length... * So check cookie length...
*/ */
if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
if (PACKET_remaining(&cookie) == 0) if (clienthello.dtls_cookie_len == 0)
return 1; return 1;
} }
} }
if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites) if (!PACKET_get_length_prefixed_2(pkt, &clienthello.ciphersuites)) {
|| !PACKET_get_length_prefixed_1(pkt, &compression)) { al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
goto f_err;
}
if (!PACKET_get_length_prefixed_1(pkt, &compression)
|| !PACKET_copy_all(&compression, clienthello.compressions,
MAX_COMPRESSIONS_SIZE,
&clienthello.compressions_len)) {
al = SSL_AD_DECODE_ERROR; al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
goto f_err; goto f_err;
} }
/* Could be empty. */ /* Could be empty. */
extensions = *pkt; if (PACKET_remaining(pkt) == 0) {
PACKET_null_init(&clienthello.extensions);
} else {
if (!PACKET_get_length_prefixed_2(pkt, &clienthello.extensions)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
goto f_err;
}
}
}
if (!PACKET_copy_all(&session_id, clienthello.session_id,
SSL_MAX_SSL_SESSION_ID_LENGTH,
&clienthello.session_id_len)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
goto f_err;
}
/* We preserve the raw extensions PACKET for later use */
extensions = clienthello.extensions;
if (!tls_parse_raw_extensions(&extensions, &clienthello.pre_proc_exts,
&clienthello.num_extensions, &al)) {
/* SSLerr already been called */
goto f_err;
}
/* Finished parsing the ClientHello, now we can start processing it */
/* Set up the client_random */
memcpy(s->s3->client_random, clienthello.random, SSL3_RANDOM_SIZE);
/* Choose the version */
if (clienthello.isv2) {
if (clienthello.version == 0x0002) {
/* This is real SSLv2. We don't support it. */
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
goto err;
} else if ((clienthello.version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) {
/* SSLv3/TLS */
s->client_version = clienthello.version;
} else {
/* No idea what protocol this is */
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
goto err;
}
}
/*
* Do SSL/TLS version negotiation if applicable. For DTLS we just check
* versions are potentially compatible. Version negotiation comes later.
*/
if (!SSL_IS_DTLS(s)) {
protverr = ssl_choose_server_version(s, &clienthello);
} else if (s->method->version != DTLS_ANY_VERSION &&
DTLS_VERSION_LT((int)clienthello.version, s->version)) {
protverr = SSL_R_VERSION_TOO_LOW;
} else {
protverr = 0;
}
if (protverr) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
if ((!s->enc_write_ctx && !s->write_hash)) {
/*
* similar to ssl3_get_record, send alert using remote version
* number
*/
s->version = s->client_version = clienthello.version;
}
al = SSL_AD_PROTOCOL_VERSION;
goto f_err;
} }
if (SSL_IS_DTLS(s)) { if (SSL_IS_DTLS(s)) {
/* Empty cookie was already handled above by returning early. */ /* Empty cookie was already handled above by returning early. */
if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
if (s->ctx->app_verify_cookie_cb != NULL) { if (s->ctx->app_verify_cookie_cb != NULL) {
if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie), if (s->ctx->app_verify_cookie_cb(s, clienthello.dtls_cookie,
(unsigned int)PACKET_remaining(&cookie)) == 0) { clienthello.dtls_cookie_len) == 0) {
al = SSL_AD_HANDSHAKE_FAILURE; al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSL_R_COOKIE_MISMATCH); SSL_R_COOKIE_MISMATCH);
...@@ -1096,7 +1136,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1096,7 +1136,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
/* else cookie verification succeeded */ /* else cookie verification succeeded */
} }
/* default verification */ /* default verification */
} else if (!PACKET_equal(&cookie, s->d1->cookie, s->d1->cookie_len)) { } else if (s->d1->cookie_len != clienthello.dtls_cookie_len
|| memcmp(clienthello.dtls_cookie, s->d1->cookie,
s->d1->cookie_len) != 0) {
al = SSL_AD_HANDSHAKE_FAILURE; al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
goto f_err; goto f_err;
...@@ -1104,7 +1146,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1104,7 +1146,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
s->d1->cookie_verified = 1; s->d1->cookie_verified = 1;
} }
if (s->method->version == DTLS_ANY_VERSION) { if (s->method->version == DTLS_ANY_VERSION) {
protverr = ssl_choose_server_version(s); protverr = ssl_choose_server_version(s, &clienthello);
if (protverr != 0) { if (protverr != 0) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr); SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
s->version = s->client_version; s->version = s->client_version;
...@@ -1116,6 +1158,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1116,6 +1158,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
s->hit = 0; s->hit = 0;
/* We need to do this before getting the session */
if (!tls_check_client_ems_support(s, &clienthello))
{
/* Only fails if the extension is malformed */
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
goto f_err;
}
/* /*
* We don't allow resumption in a backwards compatible ClientHello. * We don't allow resumption in a backwards compatible ClientHello.
* TODO(openssl-team): in TLS1.1+, session_id MUST be empty. * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
...@@ -1132,13 +1183,13 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1132,13 +1183,13 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
* SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
* ignored. * ignored.
*/ */
if (is_v2_record || if (clienthello.isv2 ||
(s->new_session && (s->new_session &&
(s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
if (!ssl_get_new_session(s, 1)) if (!ssl_get_new_session(s, 1))
goto err; goto err;
} else { } else {
i = ssl_get_prev_session(s, &extensions, &session_id); i = ssl_get_prev_session(s, &clienthello);
/* /*
* Only resume if the session's version matches the negotiated * Only resume if the session's version matches the negotiated
* version. * version.
...@@ -1160,8 +1211,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1160,8 +1211,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
} }
} }
if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers), if (ssl_bytes_to_cipher_list(s, &clienthello.ciphersuites, &(ciphers),
is_v2_record, &al) == NULL) { clienthello.isv2, &al) == NULL) {
goto f_err; goto f_err;
} }
...@@ -1196,13 +1247,12 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1196,13 +1247,12 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
} }
} }
complen = PACKET_remaining(&compression); for (loop = 0; loop < clienthello.compressions_len; loop++) {
for (loop = 0; loop < complen; loop++) { if (clienthello.compressions[loop] == 0)
if (PACKET_data(&compression)[loop] == 0)
break; break;
} }
if (loop >= complen) { if (loop >= clienthello.compressions_len) {
/* no compress */ /* no compress */
al = SSL_AD_DECODE_ERROR; al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
...@@ -1210,11 +1260,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1210,11 +1260,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
} }
/* TLS extensions */ /* TLS extensions */
if (s->version >= SSL3_VERSION) { if (!ssl_parse_clienthello_tlsext(s, &clienthello)) {
if (!ssl_parse_clienthello_tlsext(s, &extensions)) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); goto err;
goto err;
}
} }
/* /*
...@@ -1305,11 +1353,11 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1305,11 +1353,11 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
goto f_err; goto f_err;
} }
/* Look for resumed method in compression list */ /* Look for resumed method in compression list */
for (k = 0; k < complen; k++) { for (k = 0; k < clienthello.compressions_len; k++) {
if (PACKET_data(&compression)[k] == comp_id) if (clienthello.compressions[k] == comp_id)
break; break;
} }
if (k >= complen) { if (k >= clienthello.compressions_len) {
al = SSL_AD_ILLEGAL_PARAMETER; al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
...@@ -1326,8 +1374,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1326,8 +1374,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
for (m = 0; m < nn; m++) { for (m = 0; m < nn; m++) {
comp = sk_SSL_COMP_value(s->ctx->comp_methods, m); comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
v = comp->id; v = comp->id;
for (o = 0; o < complen; o++) { for (o = 0; o < clienthello.compressions_len; o++) {
if (v == PACKET_data(&compression)[o]) { if (v == clienthello.compressions[o]) {
done = 1; done = 1;
break; break;
} }
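Review bot: In the SSLv2-compatible branch of tls_process_client_hello, `clienthello.compressions` and `clienthello.compressions_len` are never assigned: the `PACKET_copy_all(&compression, clienthello.compressions, ...)` call exists only in the regular-ClientHello branch, while the v2 branch still only points the local `compression` PACKET at `null_compression`. Because `clienthello` is an uninitialised stack variable, the later loops bounded by `clienthello.compressions_len` read an indeterminate length and can index past the 255-byte array. Setting `clienthello.compressions[0] = null_compression; clienthello.compressions_len = 1;` in the v2 branch, or moving the copy below the if/else next to the `session_id` copy, closes this. A `memset(&clienthello, 0, sizeof(clienthello));` at the top would also give `pre_proc_exts` a defined value on the early `goto err` paths, whose cleanup is outside the visible hunks. Separately, the default DTLS cookie check now uses `memcmp` where `PACKET_equal` was used; as far as I recall that helper compares via `CRYPTO_memcmp`, so calling `CRYPTO_memcmp` here would keep the comparison constant-time.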
......
此差异已折叠。