diff options
-rw-r--r-- | doc/man3/SSL_CTX_set_early_cb.pod | 110 | ||||
-rw-r--r-- | doc/man3/SSL_get_error.pod | 10 | ||||
-rw-r--r-- | doc/man3/SSL_want.pod | 22 | ||||
-rw-r--r-- | include/openssl/ssl.h | 18 | ||||
-rw-r--r-- | ssl/ssl_err.c | 2 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 91 | ||||
-rw-r--r-- | ssl/ssl_locl.h | 7 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 303 | ||||
-rw-r--r-- | util/libssl.num | 8 |
9 files changed, 431 insertions, 140 deletions
diff --git a/doc/man3/SSL_CTX_set_early_cb.pod b/doc/man3/SSL_CTX_set_early_cb.pod new file mode 100644 index 0000000000..b007292fdb --- /dev/null +++ b/doc/man3/SSL_CTX_set_early_cb.pod @@ -0,0 +1,110 @@ +=pod + +=head1 NAME + +SSL_CTX_set_early_cb, SSL_early_cb_fn, SSL_early_isv2, SSL_early_get0_legacy_version, SSL_early_get0_random, SSL_early_get0_session_id, SSL_early_get0_ciphers, SSL_early_get0_compression_methods, SSL_early_get0_ext - callback functions for early server-side ClientHello processing + +=head1 SYNOPSIS + + typedef int (*SSL_early_cb_fn)(SSL *s, int *al, void *arg); + void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn *f, void *arg); + int SSL_early_isv2(SSL *s); + unsigned int SSL_early_get0_legacy_version(SSL *s); + size_t SSL_early_get0_random(SSL *s, const unsigned char **out); + size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out); + size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out); + size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out); + int SSL_early_get0_ext(SSL *s, int type, const unsigned char **out, + size_t *outlen); + +=head1 DESCRIPTION + +SSL_CTX_set_early_cb() sets the callback function, which is automatically +called during the early stages of ClientHello processing on the server. +The argument supplied when setting the callback is passed back to the +callback at runtime. A callback that returns failure (0) will cause the +connection to terminate, and callbacks returning failure should indicate +what alert value is to be sent in the B<al> parameter. A callback may +also return a negative value to suspend the handshake, and the handshake +function will return immediately. L<SSL_get_error(3)> will return +SSL_ERROR_WANT_EARLY to indicate that the handshake was suspended. +It is the job of the early callback to store information about the state +of the last call if needed to continue. On the next call into the handshake +function, the early callback will be called again, and, if it returns +success, normal handshake processing will continue from that point. + +SSL_early_isv2() indicates whether the ClientHello was carried in a +SSLv2 record and is in the SSLv2 format. The SSLv2 format has substantial +differences from the normal SSLv3 format, including using three bytes per +cipher suite, and not allowing extensions. Additionally, the SSLv2 format +'challenge' field is exposed via SSL_early_get0_random(), padded to +SSL3_RANDOM_SIZE bytes with zeros if needed. For SSLv2 format ClientHellos, +SSL_early_get0_compression_methods() returns a dummy list that only includes +the null compression method, since the SSLv2 format does not include a +mechanism by which to negotiate compression. + +SSL_early_get0_random(), SSL_early_get0_session_id(), SSL_early_get0_ciphers(), +and SSL_early_get0_compression_methods() provide access to the corresponding +ClientHello fields, returning the field length and optionally setting an +out pointer to the octets of that field. + +Similarly, SSL_early_get0_ext() provides access to individual extensions +from the ClientHello on a per-extension basis. For the provided wire +protocol extension type value, the extension value and length are returned +in the output parameters (if present). + +=head1 NOTES + +The early callback provides a vast window of possibilities for application +code to affect the TLS handshake. A primary use of the callback is to +allow the server to examine the server name indication extension provided +by the client in order to select an appropriate certificate to present, +and make other configuration adjustments relevant to that server name +and its configuration. Such configuration changes can include swapping out +the associated SSL_CTX pointer, modifying the server's list of permitted TLS +versions, changing the server's cipher list, etc. + +It is also recommended that applications utilize an early callback and +not use a servername callback, in order to avoid unexpected behavior that +occurs due to the relative order of processing between things like session +resumption and the historical servername callback. + +The SSL_early_* family of functions may only be called from code executing +within an early callback. + +=head1 RETURN VALUES + +The application's supplied early callback returns 1 on success, 0 on failure, +and a negative value to suspend processing. + +SSL_early_isv2() returns 1 for SSLv2-format ClientHellos and 0 otherwise. + +SSL_early_get0_random(), SSL_early_get0_session_id(), SSL_early_get0_ciphers(), +and SSL_early_get0_compression_methods() return the length of the corresponding +ClientHello fields. If zero is returned, the ouput pointer should not be +assumed to be valid. + +SSL_early_get0_ext() returns 1 if the extension of type 'type' is present, and +0 otherwise. + +=head1 SEE ALSO + +L<ssl(7)>, L<SSL_CTX_set_tlsext_servername_callback(3)> + +=head1 HISTORY + +The SSL early callback, SSL_early_isv2(), SSL_early_get0_random(), +SSL_early_get0_session_id(), SSL_early_get0_ciphers(), +SSL_early_get0_compression_methods(), and SSL_early_get0_ext() were +added in OpenSSL 1.1.1. + +=head1 COPYRIGHT + +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod index db8f85c90a..e318de84b6 100644 --- a/doc/man3/SSL_get_error.pod +++ b/doc/man3/SSL_get_error.pod @@ -110,6 +110,13 @@ through a call to L<ASYNC_init_thread(3)>. The application should retry the operation after a currently executing asynchronous operation for the current thread has completed. +=item SSL_ERROR_WANT_EARLY + +The operation did not complete because an application callback set by +SSL_CTX_set_early_cb() has asked to be called again. +The TLS/SSL I/O function should be called again later. +Details depend on the application. + =item SSL_ERROR_SYSCALL Some non-recoverable I/O error occurred. @@ -130,10 +137,11 @@ L<ssl(7)>, L<err(7)> =head1 HISTORY SSL_ERROR_WANT_ASYNC was added in OpenSSL 1.1.0. +SSL_ERROR_WANT_EARLY was added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_want.pod b/doc/man3/SSL_want.pod index c86344eece..8efe50bcca 100644 --- a/doc/man3/SSL_want.pod +++ b/doc/man3/SSL_want.pod @@ -3,8 +3,8 @@ =head1 NAME SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, SSL_want_x509_lookup, -SSL_want_async, SSL_want_async_job - obtain state information TLS/SSL I/O -operation +SSL_want_async, SSL_want_async_job, SSL_want_early - obtain state information +TLS/SSL I/O operation =head1 SYNOPSIS @@ -17,6 +17,7 @@ operation int SSL_want_x509_lookup(const SSL *ssl); int SSL_want_async(const SSL *ssl); int SSL_want_async_job(const SSL *ssl); + int SSL_want_early(const SSL *ssl); =head1 DESCRIPTION @@ -81,19 +82,30 @@ The asynchronous job could not be started because there were no async jobs available in the pool (see ASYNC_init_thread(3)). A call to L<SSL_get_error(3)> should return SSL_ERROR_WANT_ASYNC_JOB. +=item SSL_EARLY_WORK + +The operation did not complete because an application callback set by +SSL_CTX_set_early_cb() has asked to be called again. +A call to L<SSL_get_error(3)> should return +SSL_ERROR_WANT_EARLY. + =back SSL_want_nothing(), SSL_want_read(), SSL_want_write(), SSL_want_x509_lookup(), -SSL_want_async() and SSL_want_async_job() return 1, when the corresponding -condition is true or 0 otherwise. +SSL_want_async(), SSL_want_async_job(), and SSL_want_early() return 1, when +the corresponding condition is true or 0 otherwise. =head1 SEE ALSO L<ssl(7)>, L<err(7)>, L<SSL_get_error(3)> +=head1 HISTORY + +SSL_want_early() and SSL_EARLY_WORK were added in OpenSSL 1.1.1. + =head1 COPYRIGHT -Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index cb4dbff327..d1614d3a73 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -764,6 +764,7 @@ __owur int SSL_extension_supported(unsigned int ext_type); # define SSL_X509_LOOKUP 4 # define SSL_ASYNC_PAUSED 5 # define SSL_ASYNC_NO_JOBS 6 +# define SSL_EARLY_WORK 7 /* These will only be used when doing non-blocking IO */ # define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING) @@ -772,6 +773,7 @@ __owur int SSL_extension_supported(unsigned int ext_type); # define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) # define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED) # define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS) +# define SSL_want_early(s) (SSL_want(s) == SSL_EARLY_WORK) # define SSL_MAC_FLAG_READ_MAC_STREAM 1 # define SSL_MAC_FLAG_WRITE_MAC_STREAM 2 @@ -1041,6 +1043,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_ERROR_WANT_ACCEPT 8 # define SSL_ERROR_WANT_ASYNC 9 # define SSL_ERROR_WANT_ASYNC_JOB 10 +# define SSL_ERROR_WANT_EARLY 11 # define SSL_CTRL_SET_TMP_DH 3 # define SSL_CTRL_SET_TMP_ECDH 4 # define SSL_CTRL_SET_TMP_DH_CB 6 @@ -1572,6 +1575,20 @@ __owur char *SSL_get_srp_username(SSL *s); __owur char *SSL_get_srp_userinfo(SSL *s); # endif +/* + * Early callback and helpers. + */ +typedef int (*SSL_early_cb_fn) (SSL *s, int *al, void *arg); +void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn cb, void *arg); +int SSL_early_isv2(SSL *s); +unsigned int SSL_early_get0_legacy_version(SSL *s); +size_t SSL_early_get0_random(SSL *s, const unsigned char **out); +size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out); +size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out); +size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out); +int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out, + size_t *outlen); + void SSL_certs_clear(SSL *s); void SSL_free(SSL *ssl); # ifdef OSSL_ASYNC_FD @@ -2348,6 +2365,7 @@ int ERR_load_SSL_strings(void); # define SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET 460 # define SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST 461 # define SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP 462 +# define SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO 521 # define SSL_F_TLS_GET_MESSAGE_BODY 351 # define SSL_F_TLS_GET_MESSAGE_HEADER 387 # define SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT 449 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index d937ba2c6e..bcb9ddb4f7 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -376,6 +376,8 @@ static ERR_STRING_DATA SSL_str_functs[] = { "tls_construct_stoc_status_request"}, {ERR_FUNC(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP), "tls_construct_stoc_use_srtp"}, + {ERR_FUNC(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO), + "tls_early_post_process_client_hello"}, {ERR_FUNC(SSL_F_TLS_GET_MESSAGE_BODY), "tls_get_message_body"}, {ERR_FUNC(SSL_F_TLS_GET_MESSAGE_HEADER), "tls_get_message_header"}, {ERR_FUNC(SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT), diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index ff99c0f707..8304c732ae 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1014,6 +1014,7 @@ void SSL_free(SSL *s) #endif OPENSSL_free(s->ext.ocsp.resp); OPENSSL_free(s->ext.alpn); + OPENSSL_free(s->clienthello); sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); @@ -3012,15 +3013,14 @@ int SSL_get_error(const SSL *s, int i) return (SSL_ERROR_SYSCALL); } } - if (SSL_want_x509_lookup(s)) { + if (SSL_want_x509_lookup(s)) return (SSL_ERROR_WANT_X509_LOOKUP); - } - if (SSL_want_async(s)) { + if (SSL_want_async(s)) return SSL_ERROR_WANT_ASYNC; - } - if (SSL_want_async_job(s)) { + if (SSL_want_async_job(s)) return SSL_ERROR_WANT_ASYNC_JOB; - } + if (SSL_want_early(s)) + return SSL_ERROR_WANT_EARLY; if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) @@ -4305,7 +4305,84 @@ const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx) return ctx->ctlog_store; } -#endif +#endif /* OPENSSL_NO_CT */ + +void SSL_CTX_set_early_cb(SSL_CTX *c, SSL_early_cb_fn cb, void *arg) +{ + c->early_cb = cb; + c->early_cb_arg = arg; +} + +int SSL_early_isv2(SSL *s) +{ + if (s->clienthello == NULL) + return 0; + return s->clienthello->isv2; +} + +unsigned int SSL_early_get0_legacy_version(SSL *s) +{ + if (s->clienthello == NULL) + return 0; + return s->clienthello->legacy_version; +} + +size_t SSL_early_get0_random(SSL *s, const unsigned char **out) +{ + if (s->clienthello == NULL) + return 0; + if (out != NULL) + *out = s->clienthello->random; + return SSL3_RANDOM_SIZE; +} + +size_t SSL_early_get0_session_id(SSL *s, const unsigned char **out) +{ + if (s->clienthello == NULL) + return 0; + if (out != NULL) + *out = s->clienthello->session_id; + return s->clienthello->session_id_len; +} + +size_t SSL_early_get0_ciphers(SSL *s, const unsigned char **out) +{ + if (s->clienthello == NULL) + return 0; + if (out != NULL) + *out = PACKET_data(&s->clienthello->ciphersuites); + return PACKET_remaining(&s->clienthello->ciphersuites); +} + +size_t SSL_early_get0_compression_methods(SSL *s, const unsigned char **out) +{ + if (s->clienthello == NULL) + return 0; + if (out != NULL) + *out = s->clienthello->compressions; + return s->clienthello->compressions_len; +} + +int SSL_early_get0_ext(SSL *s, unsigned int type, const unsigned char **out, + size_t *outlen) +{ + size_t i; + RAW_EXTENSION *r; + + if (s->clienthello == NULL) + return 0; + for (i = 0; i < s->clienthello->pre_proc_exts_len; ++i) { + r = s->clienthello->pre_proc_exts + i; + if (r->present && r->type == type) { + if (out != NULL) + *out = PACKET_data(&r->data); + if (outlen != NULL) + *outlen = PACKET_remaining(&r->data); + return 1; + } + } + return 0; +} void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb) { diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 40bcdd26f2..89eeb45353 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -830,6 +830,10 @@ struct ssl_ctx_st { ENGINE *client_cert_engine; # endif + /* Early callback. Mostly for extensions, but not entirely. */ + SSL_early_cb_fn early_cb; + void *early_cb_arg; + /* TLS extensions. */ struct { /* TLS extensions servername callback */ @@ -1171,6 +1175,9 @@ struct ssl_st { int use_etm; } ext; + /* Parsed form of the ClientHello, kept around across early_cb calls. */ + CLIENTHELLO_MSG *clienthello; + /*- * no further mod of servername * 0 : call the servername extension callback. diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 880996b126..9c422e4752 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1217,22 +1217,17 @@ static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) { - int i, al = SSL_AD_INTERNAL_ERROR; - unsigned int j; - size_t loop; - unsigned long id; - const SSL_CIPHER *c; -#ifndef OPENSSL_NO_COMP - SSL_COMP *comp = NULL; -#endif - STACK_OF(SSL_CIPHER) *ciphers = NULL; - STACK_OF(SSL_CIPHER) *scsvs = NULL; - int protverr; + int al = SSL_AD_INTERNAL_ERROR; /* |cookie| will only be initialized for DTLS. */ PACKET session_id, compression, extensions, cookie; static const unsigned char null_compression = 0; - CLIENTHELLO_MSG clienthello; + CLIENTHELLO_MSG *clienthello; + clienthello = OPENSSL_zalloc(sizeof(*clienthello)); + if (clienthello == NULL) { + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + goto err; + } /* Check if this is actually an unexpected renegotiation ClientHello */ if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { s->renegotiate = 1; @@ -1245,11 +1240,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) /* * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure. */ - memset(&clienthello, 0, sizeof(clienthello)); - clienthello.isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer); + clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer); PACKET_null_init(&cookie); - if (clienthello.isv2) { + if (clienthello->isv2) { unsigned int mt; if (!SSL_IS_FIRST_HANDSHAKE(s) || s->hello_retry_request) { @@ -1285,14 +1279,14 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } } - if (!PACKET_get_net_2(pkt, &clienthello.legacy_version)) { + if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); goto err; } /* Parse the message and load client random. */ - if (clienthello.isv2) { + if (clienthello->isv2) { /* * Handle an SSLv2 backwards compatible ClientHello * Note, this is only for SSLv3+ using the backward compatible format. @@ -1316,9 +1310,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) goto f_err; } - if (!PACKET_get_sub_packet(pkt, &clienthello.ciphersuites, + if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites, ciphersuite_len) - || !PACKET_copy_bytes(pkt, clienthello.session_id, session_id_len) + || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len) || !PACKET_get_sub_packet(pkt, &challenge, challenge_len) /* No extensions. */ || PACKET_remaining(pkt) != 0) { @@ -1327,18 +1321,18 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) al = SSL_AD_DECODE_ERROR; goto f_err; } - clienthello.session_id_len = session_id_len; + clienthello->session_id_len = session_id_len; /* Load the client random and compression list. We use SSL3_RANDOM_SIZE - * here rather than sizeof(clienthello.random) because that is the limit + * here rather than sizeof(clienthello->random) because that is the limit * for SSLv3 and it is fixed. It won't change even if - * sizeof(clienthello.random) does. + * sizeof(clienthello->random) does. */ challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE : challenge_len; - memset(clienthello.random, 0, SSL3_RANDOM_SIZE); + memset(clienthello->random, 0, SSL3_RANDOM_SIZE); if (!PACKET_copy_bytes(&challenge, - clienthello.random + SSL3_RANDOM_SIZE - + clienthello->random + SSL3_RANDOM_SIZE - challenge_len, challenge_len) /* Advertise only null compression. */ || !PACKET_buf_init(&compression, &null_compression, 1)) { @@ -1347,14 +1341,14 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) goto f_err; } - PACKET_null_init(&clienthello.extensions); + PACKET_null_init(&clienthello->extensions); } else { /* Regular ClientHello. */ - if (!PACKET_copy_bytes(pkt, clienthello.random, SSL3_RANDOM_SIZE) + if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE) || !PACKET_get_length_prefixed_1(pkt, &session_id) - || !PACKET_copy_all(&session_id, clienthello.session_id, + || !PACKET_copy_all(&session_id, clienthello->session_id, SSL_MAX_SSL_SESSION_ID_LENGTH, - &clienthello.session_id_len)) { + &clienthello->session_id_len)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; @@ -1366,9 +1360,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; } - if (!PACKET_copy_all(&cookie, clienthello.dtls_cookie, + if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie, DTLS1_COOKIE_LENGTH, - &clienthello.dtls_cookie_len)) { + &clienthello->dtls_cookie_len)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; @@ -1379,12 +1373,12 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * So check cookie length... */ if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { - if (clienthello.dtls_cookie_len == 0) + if (clienthello->dtls_cookie_len == 0) return 1; } } - if (!PACKET_get_length_prefixed_2(pkt, &clienthello.ciphersuites)) { + if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; @@ -1398,9 +1392,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) /* Could be empty. */ if (PACKET_remaining(pkt) == 0) { - PACKET_null_init(&clienthello.extensions); + PACKET_null_init(&clienthello->extensions); } else { - if (!PACKET_get_length_prefixed_2(pkt, &clienthello.extensions)) { + if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; @@ -1408,96 +1402,137 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } } - if (!PACKET_copy_all(&compression, clienthello.compressions, + if (!PACKET_copy_all(&compression, clienthello->compressions, MAX_COMPRESSIONS_SIZE, - &clienthello.compressions_len)) { + &clienthello->compressions_len)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; } /* Preserve the raw extensions PACKET for later use */ - extensions = clienthello.extensions; + extensions = clienthello->extensions; if (!tls_collect_extensions(s, &extensions, EXT_CLIENT_HELLO, - &clienthello.pre_proc_exts, &al, - &clienthello.pre_proc_exts_len)) { + &clienthello->pre_proc_exts, &al, + &clienthello->pre_proc_exts_len)) { /* SSLerr already been called */ goto f_err; } + s->clienthello = clienthello; + return MSG_PROCESS_CONTINUE_PROCESSING; + f_err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + err: + ossl_statem_set_error(s); + + OPENSSL_free(clienthello->pre_proc_exts); + OPENSSL_free(clienthello); + + return MSG_PROCESS_ERROR; +} + +static int tls_early_post_process_client_hello(SSL *s, int *al) +{ + unsigned int j; + int i; + int protverr; + size_t loop; + unsigned long id; +#ifndef OPENSSL_NO_COMP + SSL_COMP *comp = NULL; +#endif + const SSL_CIPHER *c; + STACK_OF(SSL_CIPHER) *ciphers = NULL; + STACK_OF(SSL_CIPHER) *scsvs = NULL; + CLIENTHELLO_MSG *clienthello = s->clienthello; + + *al = SSL_AD_INTERNAL_ERROR; /* Finished parsing the ClientHello, now we can start processing it */ + /* Give the early callback a crack at things */ + if (s->ctx->early_cb != NULL) { + int code; + /* A failure in the early callback terminates the connection. */ + code = s->ctx->early_cb(s, al, s->ctx->early_cb_arg); + if (code == 0) + goto err; + if (code < 0) { + s->rwstate = SSL_EARLY_WORK; + return code; + } + } /* Set up the client_random */ - memcpy(s->s3->client_random, clienthello.random, SSL3_RANDOM_SIZE); + memcpy(s->s3->client_random, clienthello->random, SSL3_RANDOM_SIZE); /* Choose the version */ - if (clienthello.isv2) { - if (clienthello.legacy_version == SSL2_VERSION - || (clienthello.legacy_version & 0xff00) + if (clienthello->isv2) { + if (clienthello->legacy_version == SSL2_VERSION + || (clienthello->legacy_version & 0xff00) != (SSL3_VERSION_MAJOR << 8)) { /* * This is real SSLv2 or something complete unknown. We don't * support it. */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); goto err; } /* SSLv3/TLS */ - s->client_version = clienthello.legacy_version; + s->client_version = clienthello->legacy_version; } /* * Do SSL/TLS version negotiation if applicable. For DTLS we just check * versions are potentially compatible. Version negotiation comes later. */ if (!SSL_IS_DTLS(s)) { - protverr = ssl_choose_server_version(s, &clienthello); + protverr = ssl_choose_server_version(s, clienthello); } else if (s->method->version != DTLS_ANY_VERSION && - DTLS_VERSION_LT((int)clienthello.legacy_version, s->version)) { + DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) { protverr = SSL_R_VERSION_TOO_LOW; } else { protverr = 0; } if (protverr) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr); + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr); if (SSL_IS_FIRST_HANDSHAKE(s)) { /* like ssl3_get_record, send alert using remote version number */ - s->version = s->client_version = clienthello.legacy_version; + s->version = s->client_version = clienthello->legacy_version; } - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + *al = SSL_AD_PROTOCOL_VERSION; + goto err; } if (SSL_IS_DTLS(s)) { /* Empty cookie was already handled above by returning early. */ if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { if (s->ctx->app_verify_cookie_cb != NULL) { - if (s->ctx->app_verify_cookie_cb(s, clienthello.dtls_cookie, - clienthello.dtls_cookie_len) == 0) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, + if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie, + clienthello->dtls_cookie_len) == 0) { + *al = SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); - goto f_err; + goto err; /* else cookie verification succeeded */ } /* default verification */ - } else if (s->d1->cookie_len != clienthello.dtls_cookie_len - || memcmp(clienthello.dtls_cookie, s->d1->cookie, + } else if (s->d1->cookie_len != clienthello->dtls_cookie_len + || memcmp(clienthello->dtls_cookie, s->d1->cookie, s->d1->cookie_len) != 0) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); - goto f_err; + *al = SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); + goto err; } s->d1->cookie_verified = 1; } if (s->method->version == DTLS_ANY_VERSION) { - protverr = ssl_choose_server_version(s, &clienthello); + protverr = ssl_choose_server_version(s, clienthello); if (protverr != 0) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr); + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr); s->version = s->client_version; - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + *al = SSL_AD_PROTOCOL_VERSION; + goto err; } } } @@ -1507,9 +1542,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) /* We need to do this before getting the session */ if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret, EXT_CLIENT_HELLO, - clienthello.pre_proc_exts, NULL, 0, &al)) { - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); - goto f_err; + clienthello->pre_proc_exts, NULL, 0, al)) { + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); + goto err; } /* @@ -1528,18 +1563,18 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be * ignored. */ - if (clienthello.isv2 || + if (clienthello->isv2 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { if (!ssl_get_new_session(s, 1)) goto err; } else { - i = ssl_get_prev_session(s, &clienthello, &al); + i = ssl_get_prev_session(s, clienthello, al); if (i == 1) { /* previous session */ s->hit = 1; } else if (i == -1) { - goto f_err; + goto err; } else { /* i == 0 */ if (!ssl_get_new_session(s, 1)) @@ -1547,11 +1582,11 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } } - if (!ssl_cache_cipherlist(s, &clienthello.ciphersuites, - clienthello.isv2, &al) || - !bytes_to_cipher_list(s, &clienthello.ciphersuites, &ciphers, &scsvs, - clienthello.isv2, &al)) { - goto f_err; + if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites, + clienthello->isv2, al) || + !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs, + clienthello->isv2, al)) { + goto err; } s->s3->send_connection_binding = 0; @@ -1562,10 +1597,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) { if (s->renegotiate) { /* SCSV is fatal if renegotiating */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); - al = SSL_AD_HANDSHAKE_FAILURE; - goto f_err; + *al = SSL_AD_HANDSHAKE_FAILURE; + goto err; } s->s3->send_connection_binding = 1; } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV && @@ -1577,10 +1612,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * connection may have been tampered with in order to trigger * an insecure downgrade. */ - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_INAPPROPRIATE_FALLBACK); - al = SSL_AD_INAPPROPRIATE_FALLBACK; - goto f_err; + *al = SSL_AD_INAPPROPRIATE_FALLBACK; + goto err; } } } @@ -1609,35 +1644,35 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * we need to have the cipher in the cipher list if we are asked * to reuse it */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, + *al = SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_REQUIRED_CIPHER_MISSING); - goto f_err; + goto err; } } - for (loop = 0; loop < clienthello.compressions_len; loop++) { - if (clienthello.compressions[loop] == 0) + for (loop = 0; loop < clienthello->compressions_len; loop++) { + if (clienthello->compressions[loop] == 0) break; } - if (loop >= clienthello.compressions_len) { + if (loop >= clienthello->compressions_len) { /* no compress */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); - goto f_err; + *al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_T |