Implement support for resumption with a HelloRetryRequest (aff9929b) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

ssl/statem/extensions.c

+120 −14

Original line number	Original line	Diff line number	Diff line
	@@ -968,29 +968,103 @@ static int final_key_share(SSL s, unsigned int context, int sent, int al)

	/*		/*
	* If		* If
			* we are a client
			* AND
	* we have no key_share		* we have no key_share
	* AND		* AND
	* (we are not resuming		* (we are not resuming
	* OR the kex_mode doesn't allow non key_share resumes)		* OR the kex_mode doesn't allow non key_share resumes)
	* THEN		* THEN
	* fail		* fail;
	*/		*/
	if (((s->server && s->s3->peer_tmp == NULL) \|\| (!s->server && !sent))		if (!s->server
			&& !sent
	&& (!s->hit		&& (!s->hit
	\|\| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {		\|\| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
			/* Nothing left we can do - just fail */
			*al = SSL_AD_HANDSHAKE_FAILURE;
			SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
			return 0;
			}
			/*
			* If
			* we are a server
			* AND
			* we have no key_share
			* THEN
			* If
			* we didn't already send a HelloRetryRequest
			* AND
			* the client sent a key_share extension
			* AND
			* (we are not resuming
			* OR the kex_mode allows key_share resumes)
			* AND
			* a shared group exists
			* THEN
			* send a HelloRetryRequest
			* ELSE If
			* we are not resuming
			* OR
			* the kex_mode doesn't allow non key_share resumes
			* THEN
			* fail;
			*/
			if (s->server && s->s3->peer_tmp == NULL) {
	/* No suitable share */		/* No suitable share */
	if (s->server && s->hello_retry_request == 0 && sent) {		if (s->hello_retry_request == 0 && sent
			&& (!s->hit
			\|\| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
			!= 0)) {
			const unsigned char pcurves, pcurvestmp, *clntcurves;
			size_t num_curves, clnt_num_curves, i;
			unsigned int group_id;

			/* Check a shared group exists */

			/* Get the clients list of supported groups. */
			if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
			*al = SSL_AD_INTERNAL_ERROR;
			SSLerr(SSL_F_FINAL_KEY_SHARE, ERR_R_INTERNAL_ERROR);
			return 0;
			}

			/* Get our list of available groups */
			if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
			*al = SSL_AD_INTERNAL_ERROR;
			SSLerr(SSL_F_FINAL_KEY_SHARE, ERR_R_INTERNAL_ERROR);
			return 0;
			}

			/* Find the first group we allow that is also in client's list */
			for (i = 0, pcurvestmp = pcurves; i < num_curves;
			i++, pcurvestmp += 2) {
			group_id = pcurvestmp[0] << 8 \| pcurvestmp[1];

			if (check_in_list(s, group_id, clntcurves, clnt_num_curves, 1))
			break;
			}

			if (i < num_curves) {
			/* A shared group exists so send a HelloRetryRequest */
			s->s3->group_id = group_id;
	s->hello_retry_request = 1;		s->hello_retry_request = 1;
	return 1;		return 1;
	}		}
			}
			if (!s->hit
			\|\| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
	/* Nothing left we can do - just fail */		/* Nothing left we can do - just fail */
	*al = SSL_AD_HANDSHAKE_FAILURE;		*al = SSL_AD_HANDSHAKE_FAILURE;
	SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);		SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
	return 0;		return 0;
	}		}
			}

			/* We have a key_share so don't send any more HelloRetryRequest messages */
			if (s->server)
	s->hello_retry_request = 0;		s->hello_retry_request = 0;

	/*		/*
	* For a client side resumption with no key_share we need to generate		* For a client side resumption with no key_share we need to generate
	* the handshake secret (otherwise this is done during key_share		* the handshake secret (otherwise this is done during key_share
	@@ -1059,13 +1133,45 @@ int tls_psk_do_binder(SSL s, const EVP_MD md, const unsigned char *msgstart,
	goto err;		goto err;
	}		}

			if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
			SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
			goto err;
			}

	/*		/*
	* Get a hash of the ClientHello up to the start of the binders.		* Get a hash of the ClientHello up to the start of the binders. If we are
	* TODO(TLS1.3): This will need to be tweaked when we implement		* following a HelloRetryRequest then this includes the hash of the first
	* HelloRetryRequest to include the digest of the previous messages here.		* ClientHello and the HelloRetryRequest itself.
	*/		*/
	if (EVP_DigestInit_ex(mctx, md, NULL) <= 0		if (s->hello_retry_request) {
	\|\| EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0		size_t hdatalen;
			void *hdata;

			hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
			if (hdatalen <= 0) {
			SSLerr(SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_HANDSHAKE_LENGTH);
			goto err;
			}

			/*
			* For servers the handshake buffer data will include the second
			* ClientHello - which we don't want - so we need to take that bit off.
			*/
			if (s->server) {
			if (hdatalen < s->init_num + SSL3_HM_HEADER_LENGTH) {
			SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
			goto err;
			}
			hdatalen -= s->init_num + SSL3_HM_HEADER_LENGTH;
			}

			if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
			SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
			goto err;
			}
			}

			if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
	\|\| EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {		\|\| EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
	SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);		SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
	goto err;		goto err;

ssl/statem/extensions_srvr.c

+3 −78

Original line number	Original line	Diff line number	Diff line
	@@ -456,37 +456,6 @@ int tls_parse_ctos_etm(SSL s, PACKET pkt, unsigned int context, X509 *x,
	return 1;		return 1;
	}		}

	/*
	* Checks a list of \|groups\| to determine if the \|group_id\| is in it. If it is
	* and \|checkallow\| is 1 then additionally check if the group is allowed to be
	* used. Returns 1 if the group is in the list (and allowed if \|checkallow\| is
	* 1) or 0 otherwise.
	*/
	#ifndef OPENSSL_NO_TLS1_3
	static int check_in_list(SSL *s, unsigned int group_id,
	const unsigned char *groups, size_t num_groups,
	int checkallow)
	{
	size_t i;

	if (groups == NULL \|\| num_groups == 0)
	return 0;

	for (i = 0; i < num_groups; i++, groups += 2) {
	unsigned int share_id = (groups[0] << 8) \| (groups[1]);

	if (group_id == share_id
	&& (!checkallow
	\|\| tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
	break;
	}
	}

	/* If i == num_groups then not in the list */
	return i < num_groups;
	}
	#endif

	/*		/*
	* Process a psk_kex_modes extension received in the ClientHello. \|pkt\| contains		* Process a psk_kex_modes extension received in the ClientHello. \|pkt\| contains
	* the raw PACKET data for the extension. Returns 1 on success or 0 on failure.		* the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
	@@ -1034,54 +1003,10 @@ int tls_construct_stoc_key_share(SSL s, WPACKET pkt, unsigned int context,
	if (ckey == NULL) {		if (ckey == NULL) {
	/* No key_share received from client */		/* No key_share received from client */
	if (s->hello_retry_request) {		if (s->hello_retry_request) {
	const unsigned char pcurves, pcurvestmp, *clntcurves;
	size_t num_curves, clnt_num_curves, i;

	/* Get the clients list of supported groups. */
	if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
	*al = SSL_AD_INTERNAL_ERROR;
	SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
	ERR_R_INTERNAL_ERROR);
	return 0;
	}

	/* Get our list of available groups */
	if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
	SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
	ERR_R_INTERNAL_ERROR);
	return 0;
	}

	if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)		if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
	\|\| !WPACKET_start_sub_packet_u16(pkt)) {		\|\| !WPACKET_start_sub_packet_u16(pkt)
	SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,		\|\| !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
	ERR_R_INTERNAL_ERROR);		\|\| !WPACKET_close(pkt)) {
	return 0;
	}

	/* Find first group we allow that is also in client's list */
	for (i = 0, pcurvestmp = pcurves; i < num_curves;
	i++, pcurvestmp += 2) {
	unsigned int group_id = pcurvestmp[0] << 8 \| pcurvestmp[1];

	if (check_in_list(s, group_id, clntcurves, clnt_num_curves,
	1)) {
	if (!WPACKET_put_bytes_u16(pkt, group_id)) {
	SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
	ERR_R_INTERNAL_ERROR);
	return 0;
	}
	break;
	}
	}
	if (i == num_curves) {
	/* No common groups */
	*al = SSL_AD_HANDSHAKE_FAILURE;
	SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
	SSL_R_NO_SHARED_GROUPS);
	return 0;
	}
	if (!WPACKET_close(pkt)) {
	SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,		SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
	ERR_R_INTERNAL_ERROR);		ERR_R_INTERNAL_ERROR);
	return 0;		return 0;

ssl/statem/statem_lib.c

+28 −0

Original line number	Original line	Diff line number	Diff line
	@@ -1738,3 +1738,31 @@ int ssl_set_client_hello_version(SSL *s)
	s->client_version = ver_max;		s->client_version = ver_max;
	return 0;		return 0;
	}		}

			/*
			* Checks a list of \|groups\| to determine if the \|group_id\| is in it. If it is
			* and \|checkallow\| is 1 then additionally check if the group is allowed to be
			* used. Returns 1 if the group is in the list (and allowed if \|checkallow\| is
			* 1) or 0 otherwise.
			*/
			int check_in_list(SSL s, unsigned int group_id, const unsigned char groups,
			size_t num_groups, int checkallow)
			{
			size_t i;

			if (groups == NULL \|\| num_groups == 0)
			return 0;

			for (i = 0; i < num_groups; i++, groups += 2) {
			unsigned int share_id = (groups[0] << 8) \| (groups[1]);

			if (group_id == share_id
			&& (!checkallow
			\|\| tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
			break;
			}
			}

			/* If i == num_groups then not in the list */
			return i < num_groups;
			}

ssl/statem/statem_locl.h

+3 −0

Original line number	Original line	Diff line number	Diff line
	@@ -69,6 +69,9 @@ int statem_flush(SSL *s);

	typedef int (confunc_f) (SSL s, WPACKET *pkt);		typedef int (confunc_f) (SSL s, WPACKET *pkt);

			int check_in_list(SSL s, unsigned int group_id, const unsigned char groups,
			size_t num_groups, int checkallow);

	/*		/*
	* TLS/DTLS client state machine functions		* TLS/DTLS client state machine functions
	*/		*/

ssl/statem/statem_srvr.c

+6 −7

Original line number	Original line	Diff line number	Diff line
	@@ -1842,13 +1842,6 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
	s->s3->tmp.new_cipher = s->session->cipher;		s->s3->tmp.new_cipher = s->session->cipher;
	}		}

	if (!(s->verify_mode & SSL_VERIFY_PEER)) {
	if (!ssl3_digest_cached_records(s, 0)) {
	al = SSL_AD_INTERNAL_ERROR;
	goto f_err;
	}
	}

	/*-		/*-
	* we now have the following setup.		* we now have the following setup.
	* client_random		* client_random
	@@ -1975,6 +1968,12 @@ int tls_construct_server_hello(SSL s, WPACKET pkt)
	goto err;		goto err;
	}		}

			if (!(s->verify_mode & SSL_VERIFY_PEER)
			&& !ssl3_digest_cached_records(s, 0)) {
			al = SSL_AD_INTERNAL_ERROR;
			goto err;
			}

	return 1;		return 1;
	err:		err:
	ssl3_send_alert(s, SSL3_AL_FATAL, al);		ssl3_send_alert(s, SSL3_AL_FATAL, al);

Admin message