1 From 1d43b892d27915843e5714d96de269672b5b35db Mon Sep 17 00:00:00 2001 2 From: Adam Langley <agl (a] chromium.org> 3 Date: Thu, 14 Nov 2013 16:12:01 -0500 4 Subject: Implement ECDHE-PSK-WITH-AES. 5 6 Add support for TLS-ECDHE-PSK cipher suites: 7 * TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256, and 8 * TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384. 9 --- 10 ssl/s3_clnt.c | 360 ++++++++++++++++++++++---------------- 11 ssl/s3_enc.c | 2 +- 12 ssl/s3_lib.c | 38 +++++- 13 ssl/s3_srvr.c | 541 ++++++++++++++++++++++++++++++++-------------------------- 14 ssl/ssl_lib.c | 2 +- 15 ssl/tls1.h | 8 + 16 6 files changed, 555 insertions(+), 396 deletions(-) 17 18 diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c 19 index 8f3740f..3672cce 100644 20 --- a/ssl/s3_clnt.c 21 +++ b/ssl/s3_clnt.c 22 @@ -333,9 +333,10 @@ int ssl3_connect(SSL *s) 23 } 24 #endif 25 /* Check if it is anon DH/ECDH, SRP auth */ 26 - /* or PSK */ 27 + /* or non-RSA PSK */ 28 if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) && 29 - !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 30 + !((s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK) && 31 + !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA))) 32 { 33 ret=ssl3_get_server_certificate(s); 34 if (ret <= 0) goto end; 35 @@ -1368,7 +1369,7 @@ int ssl3_get_key_exchange(SSL *s) 36 omitted if no identity hint is sent. Set 37 session->sess_cert anyway to avoid problems 38 later.*/ 39 - if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 40 + if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK) 41 { 42 s->session->sess_cert=ssl_sess_cert_new(); 43 if (s->ctx->psk_identity_hint) 44 @@ -1416,61 +1417,65 @@ int ssl3_get_key_exchange(SSL *s) 45 EVP_MD_CTX_init(&md_ctx); 46 47 #ifndef OPENSSL_NO_PSK 48 - if (alg_k & SSL_kPSK) 49 + if (alg_a & SSL_aPSK) 50 { 51 char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; 52 53 param_len = 2; 54 if (param_len > n) 55 { 56 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 57 SSL_R_LENGTH_TOO_SHORT); 58 goto f_err; 59 } 60 n2s(p,i); 61 62 - /* Store PSK identity hint for later use, hint is used 63 - * in ssl3_send_client_key_exchange. Assume that the 64 - * maximum length of a PSK identity hint can be as 65 - * long as the maximum length of a PSK identity. */ 66 - if (i > PSK_MAX_IDENTITY_LEN) 67 - { 68 - al=SSL_AD_HANDSHAKE_FAILURE; 69 - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 70 - SSL_R_DATA_LENGTH_TOO_LONG); 71 - goto f_err; 72 - } 73 - if (i > n - param_len) 74 + s->ctx->psk_identity_hint = NULL; 75 + if (i != 0) 76 { 77 - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 78 - SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); 79 - goto f_err; 80 + /* Store PSK identity hint for later use, hint is used 81 + * in ssl3_send_client_key_exchange. Assume that the 82 + * maximum length of a PSK identity hint can be as 83 + * long as the maximum length of a PSK identity. */ 84 + if (i > PSK_MAX_IDENTITY_LEN) 85 + { 86 + al=SSL_AD_HANDSHAKE_FAILURE; 87 + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 88 + SSL_R_DATA_LENGTH_TOO_LONG); 89 + goto f_err; 90 + } 91 + if (i > n - param_len) 92 + { 93 + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 94 + SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); 95 + goto f_err; 96 + } 97 + param_len += i; 98 + 99 + /* If received PSK identity hint contains NULL 100 + * characters, the hint is truncated from the first 101 + * NULL. p may not be ending with NULL, so create a 102 + * NULL-terminated string. */ 103 + memcpy(tmp_id_hint, p, i); 104 + memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 105 + if (s->ctx->psk_identity_hint != NULL) 106 + OPENSSL_free(s->ctx->psk_identity_hint); 107 + s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); 108 + if (s->ctx->psk_identity_hint == NULL) 109 + { 110 + al=SSL_AD_HANDSHAKE_FAILURE; 111 + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 112 + goto f_err; 113 + } 114 } 115 - param_len += i; 116 - 117 - /* If received PSK identity hint contains NULL 118 - * characters, the hint is truncated from the first 119 - * NULL. p may not be ending with NULL, so create a 120 - * NULL-terminated string. */ 121 - memcpy(tmp_id_hint, p, i); 122 - memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 123 - if (s->ctx->psk_identity_hint != NULL) 124 - OPENSSL_free(s->ctx->psk_identity_hint); 125 - s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); 126 - if (s->ctx->psk_identity_hint == NULL) 127 - { 128 - al=SSL_AD_HANDSHAKE_FAILURE; 129 - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 130 - goto f_err; 131 - } 132 - 133 p+=i; 134 n-=param_len; 135 } 136 - else 137 #endif /* !OPENSSL_NO_PSK */ 138 + 139 + if (0) {} 140 #ifndef OPENSSL_NO_SRP 141 - if (alg_k & SSL_kSRP) 142 + else if (alg_k & SSL_kSRP) 143 { 144 n2s(p,i); 145 param_len=i+2; 146 @@ -1538,10 +1543,9 @@ int ssl3_get_key_exchange(SSL *s) 147 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 148 #endif 149 } 150 - else 151 #endif /* !OPENSSL_NO_SRP */ 152 #ifndef OPENSSL_NO_RSA 153 - if (alg_k & SSL_kRSA) 154 + else if (alg_k & SSL_kRSA) 155 { 156 if ((rsa=RSA_new()) == NULL) 157 { 158 @@ -1590,9 +1594,6 @@ int ssl3_get_key_exchange(SSL *s) 159 s->session->sess_cert->peer_rsa_tmp=rsa; 160 rsa=NULL; 161 } 162 -#else /* OPENSSL_NO_RSA */ 163 - if (0) 164 - ; 165 #endif 166 #ifndef OPENSSL_NO_DH 167 else if (alg_k & SSL_kEDH) 168 @@ -1773,14 +1774,14 @@ int ssl3_get_key_exchange(SSL *s) 169 EC_POINT_free(srvr_ecpoint); 170 srvr_ecpoint = NULL; 171 } 172 - else if (alg_k) 173 +#endif /* !OPENSSL_NO_ECDH */ 174 + 175 + else if (!(alg_k & SSL_kPSK)) 176 { 177 al=SSL_AD_UNEXPECTED_MESSAGE; 178 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 179 goto f_err; 180 } 181 -#endif /* !OPENSSL_NO_ECDH */ 182 - 183 184 /* p points to the next byte, there are 'n' bytes left */ 185 186 @@ -1885,8 +1886,9 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 187 } 188 else 189 { 190 - /* aNULL, aSRP or kPSK do not need public keys */ 191 - if (!(alg_a & (SSL_aNULL|SSL_aSRP)) && !(alg_k & SSL_kPSK)) 192 + if (!(alg_a & (SSL_aNULL|SSL_aSRP)) && 193 + /* Among PSK ciphers only RSA_PSK needs a public key */ 194 + !((alg_a & SSL_aPSK) && !(alg_k & SSL_kRSA))) 195 { 196 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 197 goto err; 198 @@ -2286,8 +2288,9 @@ int ssl3_get_server_done(SSL *s) 199 int ssl3_send_client_key_exchange(SSL *s) 200 { 201 unsigned char *p,*d; 202 - int n; 203 + int n = 0; 204 unsigned long alg_k; 205 + unsigned long alg_a; 206 #ifndef OPENSSL_NO_RSA 207 unsigned char *q; 208 EVP_PKEY *pkey=NULL; 209 @@ -2302,7 +2305,11 @@ int ssl3_send_client_key_exchange(SSL *s) 210 unsigned char *encodedPoint = NULL; 211 int encoded_pt_len = 0; 212 BN_CTX * bn_ctx = NULL; 213 -#endif 214 +#ifndef OPENSSL_NO_PSK 215 + unsigned int psk_len = 0; 216 + unsigned char psk[PSK_MAX_PSK_LEN]; 217 +#endif /* OPENSSL_NO_PSK */ 218 +#endif /* OPENSSL_NO_ECDH */ 219 220 if (s->state == SSL3_ST_CW_KEY_EXCH_A) 221 { 222 @@ -2310,7 +2317,106 @@ int ssl3_send_client_key_exchange(SSL *s) 223 p= &(d[4]); 224 225 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 226 + alg_a=s->s3->tmp.new_cipher->algorithm_auth; 227 + 228 +#ifndef OPENSSL_NO_PSK 229 + if (alg_a & SSL_aPSK) 230 + { 231 + /* The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes 232 + * to return a \0-terminated identity. The last byte 233 + * is for us for simulating strnlen. */ 234 + char identity[PSK_MAX_IDENTITY_LEN + 2]; 235 + size_t identity_len; 236 + unsigned char *t = NULL; 237 + unsigned char pre_ms[PSK_MAX_PSK_LEN*2+4]; 238 + unsigned int pre_ms_len = 0; 239 + int psk_err = 1; 240 + 241 + n = 0; 242 + if (s->psk_client_callback == NULL) 243 + { 244 + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 245 + SSL_R_PSK_NO_CLIENT_CB); 246 + goto err; 247 + } 248 249 + psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 250 + identity, sizeof(identity) - 1, psk, sizeof(psk)); 251 + if (psk_len > PSK_MAX_PSK_LEN) 252 + { 253 + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 254 + ERR_R_INTERNAL_ERROR); 255 + goto psk_err; 256 + } 257 + else if (psk_len == 0) 258 + { 259 + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 260 + SSL_R_PSK_IDENTITY_NOT_FOUND); 261 + goto psk_err; 262 + } 263 + identity[PSK_MAX_IDENTITY_LEN + 1] = '\0'; 264 + identity_len = strlen(identity); 265 + if (identity_len > PSK_MAX_IDENTITY_LEN) 266 + { 267 + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 268 + ERR_R_INTERNAL_ERROR); 269 + goto psk_err; 270 + } 271 + if (!(alg_k & SSL_kEECDH)) 272 + { 273 + /* Create the shared secret now if we're not using ECDHE-PSK.*/ 274 + pre_ms_len = 2+psk_len+2+psk_len; 275 + t = pre_ms; 276 + s2n(psk_len, t); 277 + memset(t, 0, psk_len); 278 + t+=psk_len; 279 + s2n(psk_len, t); 280 + memcpy(t, psk, psk_len); 281 + 282 + s->session->master_key_length = 283 + s->method->ssl3_enc->generate_master_secret(s, 284 + s->session->master_key, 285 + pre_ms, pre_ms_len); 286 + s2n(identity_len, p); 287 + memcpy(p, identity, identity_len); 288 + n = 2 + identity_len; 289 + } 290 + 291 + if (s->session->psk_identity_hint != NULL) 292 + OPENSSL_free(s->session->psk_identity_hint); 293 + s->session->psk_identity_hint = NULL; 294 + if (s->ctx->psk_identity_hint) 295 + { 296 + s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 297 + if (s->ctx->psk_identity_hint != NULL && 298 + s->session->psk_identity_hint == NULL) 299 + { 300 + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 301 + ERR_R_MALLOC_FAILURE); 302 + goto psk_err; 303 + } 304 + } 305 + 306 + if (s->session->psk_identity != NULL) 307 + OPENSSL_free(s->session->psk_identity); 308 + s->session->psk_identity = BUF_strdup(identity); 309 + if (s->session->psk_identity == NULL) 310 + { 311 + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 312 + ERR_R_MALLOC_FAILURE); 313 + goto psk_err; 314 + } 315 + psk_err = 0; 316 + psk_err: 317 + OPENSSL_cleanse(identity, sizeof(identity)); 318 + OPENSSL_cleanse(pre_ms, sizeof(pre_ms)); 319 + if (psk_err != 0) 320 + { 321 + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 322 + goto err; 323 + } 324 + } 325 +#endif 326 /* Fool emacs indentation */ 327 if (0) {} 328 #ifndef OPENSSL_NO_RSA 329 @@ -2571,14 +2667,19 @@ int ssl3_send_client_key_exchange(SSL *s) 330 /* perhaps clean things up a bit EAY EAY EAY EAY*/ 331 } 332 #endif 333 - 334 -#ifndef OPENSSL_NO_ECDH 335 +#ifndef OPENSSL_NO_ECDH 336 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 337 { 338 const EC_GROUP *srvr_group = NULL; 339 EC_KEY *tkey; 340 int ecdh_clnt_cert = 0; 341 int field_size = 0; 342 +#ifndef OPENSSL_NO_PSK 343 + unsigned char *pre_ms; 344 + unsigned char *t; 345 + unsigned int pre_ms_len; 346 + unsigned int i; 347 +#endif 348 349 if (s->session->sess_cert == NULL) 350 { 351 @@ -2706,15 +2807,41 @@ int ssl3_send_client_key_exchange(SSL *s) 352 goto err; 353 } 354 355 - /* generate master key from the result */ 356 - s->session->master_key_length = s->method->ssl3_enc \ 357 - -> generate_master_secret(s, 358 - s->session->master_key, 359 - p, n); 360 - 361 +#ifndef OPENSSL_NO_PSK 362 + /* ECDHE PSK ciphersuites from RFC 5489 */ 363 + if ((alg_a & SSL_aPSK) && psk_len != 0) 364 + { 365 + pre_ms_len = 2+n+2+psk_len; 366 + pre_ms = OPENSSL_malloc(pre_ms_len); 367 + if (pre_ms == NULL) 368 + { 369 + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 370 + ERR_R_MALLOC_FAILURE); 371 + goto err; 372 + } 373 + memset(pre_ms, 0, pre_ms_len); 374 + t = pre_ms; 375 + s2n(n, t); 376 + memcpy(t, p, n); 377 + t += n; 378 + s2n(psk_len, t); 379 + memcpy(t, psk, psk_len); 380 + s->session->master_key_length = s->method->ssl3_enc \ 381 + -> generate_master_secret(s, 382 + s->session->master_key, pre_ms, pre_ms_len); 383 + OPENSSL_cleanse(pre_ms, pre_ms_len); 384 + OPENSSL_free(pre_ms); 385 + } 386 +#endif /* OPENSSL_NO_PSK */ 387 + if (!(alg_a & SSL_aPSK)) 388 + { 389 + /* generate master key from the result */ 390 + s->session->master_key_length = s->method->ssl3_enc \ 391 + -> generate_master_secret(s, 392 + s->session->master_key, p, n); 393 + } 394 memset(p, 0, n); /* clean up */ 395 - 396 - if (ecdh_clnt_cert) 397 + if (ecdh_clnt_cert) 398 { 399 /* Send empty client key exch message */ 400 n = 0; 401 @@ -2742,29 +2869,42 @@ int ssl3_send_client_key_exchange(SSL *s) 402 } 403 404 /* Encode the public key */ 405 - n = EC_POINT_point2oct(srvr_group, 406 - EC_KEY_get0_public_key(clnt_ecdh), 407 - POINT_CONVERSION_UNCOMPRESSED, 408 + encoded_pt_len = EC_POINT_point2oct(srvr_group, 409 + EC_KEY_get0_public_key(clnt_ecdh), 410 + POINT_CONVERSION_UNCOMPRESSED, 411 encodedPoint, encoded_pt_len, bn_ctx); 412 + 413 + n = 0; 414 +#ifndef OPENSSL_NO_PSK 415 + if ((alg_a & SSL_aPSK) && psk_len != 0) 416 + { 417 + i = strlen(s->session->psk_identity); 418 + s2n(i, p); 419 + memcpy(p, s->session->psk_identity, i); 420 + p += i; 421 + n = i + 2; 422 + } 423 +#endif 424 425 - *p = n; /* length of encoded point */ 426 + *p = encoded_pt_len; /* length of encoded point */ 427 /* Encoded point will be copied here */ 428 - p += 1; 429 + p += 1; 430 + n += 1; 431 /* copy the point */ 432 - memcpy((unsigned char *)p, encodedPoint, n); 433 + memcpy((unsigned char *)p, encodedPoint, encoded_pt_len); 434 /* increment n to account for length field */ 435 - n += 1; 436 + n += encoded_pt_len; 437 } 438 439 /* Free allocated memory */ 440 BN_CTX_free(bn_ctx); 441 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 442 - if (clnt_ecdh != NULL) 443 + if (clnt_ecdh != NULL) 444 EC_KEY_free(clnt_ecdh); 445 EVP_PKEY_free(srvr_pub_pkey); 446 } 447 #endif /* !OPENSSL_NO_ECDH */ 448 - else if (alg_k & SSL_kGOST) 449 + else if (alg_k & SSL_kGOST) 450 { 451 /* GOST key exchange message creation */ 452 EVP_PKEY_CTX *pkey_ctx; 453 @@ -2887,100 +3027,7 @@ int ssl3_send_client_key_exchange(SSL *s) 454 } 455 } 456 #endif 457 -#ifndef OPENSSL_NO_PSK 458 - else if (alg_k & SSL_kPSK) 459 - { 460 - /* The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes 461 - * to return a \0-terminated identity. The last byte 462 - * is for us for simulating strnlen. */ 463 - char identity[PSK_MAX_IDENTITY_LEN + 2]; 464 - size_t identity_len; 465 - unsigned char *t = NULL; 466 - unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 467 - unsigned int pre_ms_len = 0, psk_len = 0; 468 - int psk_err = 1; 469 - 470 - n = 0; 471 - if (s->psk_client_callback == NULL) 472 - { 473 - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 474 - SSL_R_PSK_NO_CLIENT_CB); 475 - goto err; 476 - } 477 - 478 - memset(identity, 0, sizeof(identity)); 479 - psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 480 - identity, sizeof(identity) - 1, 481 - psk_or_pre_ms, sizeof(psk_or_pre_ms)); 482 - if (psk_len > PSK_MAX_PSK_LEN) 483 - { 484 - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 485 - ERR_R_INTERNAL_ERROR); 486 - goto psk_err; 487 - } 488 - else if (psk_len == 0) 489 - { 490 - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 491 - SSL_R_PSK_IDENTITY_NOT_FOUND); 492 - goto psk_err; 493 - } 494 - identity[PSK_MAX_IDENTITY_LEN + 1] = '\0'; 495 - identity_len = strlen(identity); 496 - if (identity_len > PSK_MAX_IDENTITY_LEN) 497 - { 498 - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 499 - ERR_R_INTERNAL_ERROR); 500 - goto psk_err; 501 - } 502 - /* create PSK pre_master_secret */ 503 - pre_ms_len = 2+psk_len+2+psk_len; 504 - t = psk_or_pre_ms; 505 - memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 506 - s2n(psk_len, t); 507 - memset(t, 0, psk_len); 508 - t+=psk_len; 509 - s2n(psk_len, t); 510 - 511 - if (s->session->psk_identity_hint != NULL) 512 - OPENSSL_free(s->session->psk_identity_hint); 513 - s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 514 - if (s->ctx->psk_identity_hint != NULL && 515 - s->session->psk_identity_hint == NULL) 516 - { 517 - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 518 - ERR_R_MALLOC_FAILURE); 519 - goto psk_err; 520 - } 521 - 522 - if (s->session->psk_identity != NULL) 523 - OPENSSL_free(s->session->psk_identity); 524 - s->session->psk_identity = BUF_strdup(identity); 525 - if (s->session->psk_identity == NULL) 526 - { 527 - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 528 - ERR_R_MALLOC_FAILURE); 529 - goto psk_err; 530 - } 531 - 532 - s->session->master_key_length = 533 - s->method->ssl3_enc->generate_master_secret(s, 534 - s->session->master_key, 535 - psk_or_pre_ms, pre_ms_len); 536 - s2n(identity_len, p); 537 - memcpy(p, identity, identity_len); 538 - n = 2 + identity_len; 539 - psk_err = 0; 540 - psk_err: 541 - OPENSSL_cleanse(identity, sizeof(identity)); 542 - OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 543 - if (psk_err != 0) 544 - { 545 - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 546 - goto err; 547 - } 548 - } 549 -#endif 550 - else 551 + else if (!(alg_k & SSL_kPSK) || ((alg_k & SSL_kPSK) && !(alg_a & SSL_aPSK))) 552 { 553 ssl3_send_alert(s, SSL3_AL_FATAL, 554 SSL_AD_HANDSHAKE_FAILURE); 555 diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c 556 index 6358e1b..0dac7e7 100644 557 --- a/ssl/s3_enc.c 558 +++ b/ssl/s3_enc.c 559 @@ -734,7 +734,7 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send) 560 } 561 562 t=EVP_MD_CTX_size(hash); 563 - if (t < 0) 564 + if (t < 0 || t > 20) 565 return -1; 566 md_size=t; 567 npad=(48/md_size)*md_size; 568 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c 569 index 1d87ac5..77244d3 100644 570 --- a/ssl/s3_lib.c 571 +++ b/ssl/s3_lib.c 572 @@ -2827,6 +2827,42 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 573 256, 574 }, 575 576 +#ifndef OPENSSL_NO_PSK 577 + /* ECDH PSK ciphersuites from RFC 5489 */ 578 + 579 + /* Cipher C037 */ 580 + { 581 + 1, 582 + TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA256, 583 + TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA256, 584 + SSL_kEECDH, 585 + SSL_aPSK, 586 + SSL_AES128, 587 + SSL_SHA256, 588 + SSL_TLSV1, 589 + SSL_NOT_EXP|SSL_HIGH, 590 + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF_SHA256, 591 + 128, 592 + 128, 593 + }, 594 + 595 + /* Cipher C038 */ 596 + { 597 + 1, 598 + TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA384, 599 + TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA384, 600 + SSL_kEECDH, 601 + SSL_aPSK, 602 + SSL_AES256, 603 + SSL_SHA384, 604 + SSL_TLSV1, 605 + SSL_NOT_EXP|SSL_HIGH, 606 + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF_SHA384, 607 + 256, 608 + 256, 609 + }, 610 +#endif /* OPENSSL_NO_PSK */ 611 + 612 #endif /* OPENSSL_NO_ECDH */ 613 614 615 @@ -3979,7 +3999,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 616 #endif /* OPENSSL_NO_KRB5 */ 617 #ifndef OPENSSL_NO_PSK 618 /* with PSK there must be server callback set */ 619 - if ((alg_k & SSL_kPSK) && s->psk_server_callback == NULL) 620 + if ((alg_a & SSL_aPSK) && s->psk_server_callback == NULL) 621 continue; 622 #endif /* OPENSSL_NO_PSK */ 623 624 diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c 625 index 9335eda..fe70124 100644 626 --- a/ssl/s3_srvr.c 627 +++ b/ssl/s3_srvr.c 628 @@ -217,6 +217,7 @@ int ssl3_accept(SSL *s) 629 { 630 BUF_MEM *buf; 631 unsigned long alg_k,Time=(unsigned long)time(NULL); 632 + unsigned long alg_a; 633 void (*cb)(const SSL *ssl,int type,int val)=NULL; 634 int ret= -1; 635 int new_state,state,skip=0; 636 @@ -418,8 +419,10 @@ int ssl3_accept(SSL *s) 637 case SSL3_ST_SW_CERT_A: 638 case SSL3_ST_SW_CERT_B: 639 /* Check if it is anon DH or anon ECDH, */ 640 - /* normal PSK or KRB5 or SRP */ 641 + /* non-RSA PSK or KRB5 or SRP */ 642 if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aKRB5|SSL_aSRP)) 643 - && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 644 + /* Among PSK ciphersuites only RSA_PSK uses server certificate */ 645 + && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK && 646 + !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA))) 647 { 648 ret=ssl3_send_server_certificate(s); 649 @@ -449,6 +452,7 @@ int ssl3_accept(SSL *s) 650 case SSL3_ST_SW_KEY_EXCH_A: 651 case SSL3_ST_SW_KEY_EXCH_B: 652 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 653 + alg_a = s->s3->tmp.new_cipher->algorithm_auth; 654 655 /* clear this, it may get reset by 656 * send_server_key_exchange */ 657 @@ -478,10 +482,12 @@ int ssl3_accept(SSL *s) 658 * public key for key exchange. 659 */ 660 if (s->s3->tmp.use_rsa_tmp 661 - /* PSK: send ServerKeyExchange if PSK identity 662 - * hint if provided */ 663 + /* PSK: send ServerKeyExchange if either: 664 + * - PSK identity hint is provided, or 665 + * - the key exchange is kEECDH. 666 + */ 667 #ifndef OPENSSL_NO_PSK 668 - || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) 669 + || ((alg_a & SSL_aPSK) && ((alg_k & SSL_kEECDH) || s->ctx->psk_identity_hint)) 670 #endif 671 #ifndef OPENSSL_NO_SRP 672 /* SRP: send ServerKeyExchange */ 673 @@ -1658,7 +1664,8 @@ int ssl3_send_server_key_exchange(SSL *s) 674 const EVP_MD *md = NULL; 675 unsigned char *p,*d; 676 int al,i; 677 - unsigned long type; 678 + unsigned long alg_k; 679 + unsigned long alg_a; 680 int n; 681 CERT *cert; 682 BIGNUM *r[4]; 683 @@ -1669,15 +1676,25 @@ int ssl3_send_server_key_exchange(SSL *s) 684 EVP_MD_CTX_init(&md_ctx); 685 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 686 { 687 - type=s->s3->tmp.new_cipher->algorithm_mkey; 688 + alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 689 + alg_a=s->s3->tmp.new_cipher->algorithm_auth; 690 cert=s->cert; 691 692 buf=s->init_buf; 693 694 r[0]=r[1]=r[2]=r[3]=NULL; 695 n=0; 696 +#ifndef OPENSSL_NO_PSK 697 + if (alg_a & SSL_aPSK) 698 + { 699 + /* size for PSK identity hint */ 700 + n+=2; 701 + if (s->ctx->psk_identity_hint) 702 + n+=strlen(s->ctx->psk_identity_hint); 703 + } 704 +#endif /* !OPENSSL_NO_PSK */ 705 #ifndef OPENSSL_NO_RSA 706 - if (type & SSL_kRSA) 707 + if (alg_k & SSL_kRSA) 708 { 709 rsa=cert->rsa_tmp; 710 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) 711 @@ -1704,10 +1721,9 @@ int ssl3_send_server_key_exchange(SSL *s) 712 r[1]=rsa->e; 713 s->s3->tmp.use_rsa_tmp=1; 714 } 715 - else 716 #endif 717 #ifndef OPENSSL_NO_DH 718 - if (type & SSL_kEDH) 719 + else if (alg_k & SSL_kEDH) 720 { 721 dhp=cert->dh_tmp; 722 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 723 @@ -1760,10 +1776,9 @@ int ssl3_send_server_key_exchange(SSL *s) 724 r[1]=dh->g; 725 r[2]=dh->pub_key; 726 } 727 - else 728 #endif 729 #ifndef OPENSSL_NO_ECDH 730 - if (type & SSL_kEECDH) 731 + else if (alg_k & SSL_kEECDH) 732 { 733 const EC_GROUP *group; 734 735 @@ -1876,7 +1891,7 @@ int ssl3_send_server_key_exchange(SSL *s) 736 * to encode the entire ServerECDHParams 737 * structure. 738 */ 739 - n = 4 + encodedlen; 740 + n += 4 + encodedlen; 741 742 /* We'll generate the serverKeyExchange message 743 * explicitly so we can set these to NULLs 744 @@ -1886,18 +1901,9 @@ int ssl3_send_server_key_exchange(SSL *s) 745 r[2]=NULL; 746 r[3]=NULL; 747 } 748 - else 749 #endif /* !OPENSSL_NO_ECDH */ 750 -#ifndef OPENSSL_NO_PSK 751 - if (type & SSL_kPSK) 752 - { 753 - /* reserve size for record length and PSK identity hint*/ 754 - n+=2+strlen(s->ctx->psk_identity_hint); 755 - } 756 - else 757 -#endif /* !OPENSSL_NO_PSK */ 758 #ifndef OPENSSL_NO_SRP 759 - if (type & SSL_kSRP) 760 + else if (alg_k & SSL_kSRP) 761 { 762 if ((s->srp_ctx.N == NULL) || 763 (s->srp_ctx.g == NULL) || 764 @@ -1912,8 +1918,8 @@ int ssl3_send_server_key_exchange(SSL *s) 765 r[2]=s->srp_ctx.s; 766 r[3]=s->srp_ctx.B; 767 } 768 - else 769 #endif 770 + else if (!(alg_k & SSL_kPSK)) 771 { 772 al=SSL_AD_HANDSHAKE_FAILURE; 773 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 774 @@ -1923,15 +1929,16 @@ int ssl3_send_server_key_exchange(SSL *s) 775 { 776 nr[i]=BN_num_bytes(r[i]); 777 #ifndef OPENSSL_NO_SRP 778 - if ((i == 2) && (type & SSL_kSRP)) 779 + if ((i == 2) && (alg_k & SSL_kSRP)) 780 n+=1+nr[i]; 781 else 782 #endif 783 n+=2+nr[i]; 784 } 785 786 - if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) 787 - && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 788 + if (!(alg_a & (SSL_aNULL|SSL_aSRP)) 789 + /* Among PSK ciphersuites only RSA uses a certificate */ 790 + && !((alg_a & SSL_aPSK) && !(alg_k & SSL_kRSA))) 791 { 792 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher,&md)) 793 == NULL) 794 @@ -1958,7 +1965,7 @@ int ssl3_send_server_key_exchange(SSL *s) 795 for (i=0; i < 4 && r[i] != NULL; i++) 796 { 797 #ifndef OPENSSL_NO_SRP 798 - if ((i == 2) && (type & SSL_kSRP)) 799 + if ((i == 2) && (alg_k & SSL_kSRP)) 800 { 801 *p = nr[i]; 802 p++; 803 @@ -1970,8 +1977,32 @@ int ssl3_send_server_key_exchange(SSL *s) 804 p+=nr[i]; 805 } 806 807 +/* Note: ECDHE PSK ciphersuites use SSL_kEECDH and SSL_aPSK. 808 + * When one of them is used, the server key exchange record needs to have both 809 + * the psk_identity_hint and the ServerECDHParams. */ 810 +#ifndef OPENSSL_NO_PSK 811 + if (alg_a & SSL_aPSK) 812 + { 813 + if (s->ctx->psk_identity_hint) 814 + { 815 + /* copy PSK identity hint */ 816 + s2n(strlen(s->ctx->psk_identity_hint), p); 817 + strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint)); 818 + p+=strlen(s->ctx->psk_identity_hint); 819 + } 820 + else 821 + { 822 + /* No identity hint is provided. */ 823 + *p = 0; 824 + p += 1; 825 + *p = 0; 826 + p += 1; 827 + } 828 + } 829 +#endif /* OPENSSL_NO_PSK */ 830 + 831 #ifndef OPENSSL_NO_ECDH 832 - if (type & SSL_kEECDH) 833 + if (alg_k & SSL_kEECDH) 834 { 835 /* XXX: For now, we only support named (not generic) curves. 836 * In this situation, the serverKeyExchange message has: 837 @@ -1994,17 +2025,7 @@ int ssl3_send_server_key_exchange(SSL *s) 838 encodedPoint = NULL; 839 p += encodedlen; 840 } 841 -#endif 842 - 843 -#ifndef OPENSSL_NO_PSK 844 - if (type & SSL_kPSK) 845 - { 846 - /* copy PSK identity hint */ 847 - s2n(strlen(s->ctx->psk_identity_hint), p); 848 - strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint)); 849 - p+=strlen(s->ctx->psk_identity_hint); 850 - } 851 -#endif 852 +#endif /* OPENSSL_NO_ECDH */ 853 854 /* not anonymous */ 855 if (pkey != NULL) 856 @@ -2041,7 +2062,7 @@ int ssl3_send_server_key_exchange(SSL *s) 857 n+=u+2; 858 } 859 else 860 -#endif 861 +#endif /* OPENSSL_NO_RSA */ 862 if (md) 863 { 864 /* For TLS1.2 and later send signature 865 @@ -2215,6 +2236,7 @@ int ssl3_get_client_key_exchange(SSL *s) 866 int i,al,ok; 867 long n; 868 unsigned long alg_k; 869 + unsigned long alg_a; 870 unsigned char *p; 871 #ifndef OPENSSL_NO_RSA 872 RSA *rsa=NULL; 873 @@ -2232,7 +2254,11 @@ int ssl3_get_client_key_exchange(SSL *s) 874 EC_KEY *srvr_ecdh = NULL; 875 EVP_PKEY *clnt_pub_pkey = NULL; 876 EC_POINT *clnt_ecpoint = NULL; 877 - BN_CTX *bn_ctx = NULL; 878 + BN_CTX *bn_ctx = NULL; 879 +#ifndef OPENSSL_NO_PSK 880 + unsigned int psk_len = 0; 881 + unsigned char psk[PSK_MAX_PSK_LEN]; 882 +#endif /* OPENSSL_NO_PSK */ 883 #endif 884 885 n=s->method->ssl_get_message(s, 886 @@ -2246,7 +2272,106 @@ int ssl3_get_client_key_exchange(SSL *s) 887 p=(unsigned char *)s->init_msg; 888 889 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 890 + alg_a=s->s3->tmp.new_cipher->algorithm_auth; 891 + 892 +#ifndef OPENSSL_NO_PSK 893 + if (alg_a & SSL_aPSK) 894 + { 895 + unsigned char *t = NULL; 896 + unsigned char pre_ms[PSK_MAX_PSK_LEN*2+4]; 897 + unsigned int pre_ms_len = 0; 898 + int psk_err = 1; 899 + char tmp_id[PSK_MAX_IDENTITY_LEN+1]; 900 + 901 + al=SSL_AD_HANDSHAKE_FAILURE; 902 + 903 + n2s(p, i); 904 + if (n != i+2 && !(alg_k & SSL_kEECDH)) 905 + { 906 + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 907 + SSL_R_LENGTH_MISMATCH); 908 + goto psk_err; 909 + } 910 + if (i > PSK_MAX_IDENTITY_LEN) 911 + { 912 + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 913 + SSL_R_DATA_LENGTH_TOO_LONG); 914 + goto psk_err; 915 + } 916 + if (s->psk_server_callback == NULL) 917 + { 918 + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 919 + SSL_R_PSK_NO_SERVER_CB); 920 + goto psk_err; 921 + } 922 + 923 + /* Create guaranteed NUL-terminated identity 924 + * string for the callback */ 925 + memcpy(tmp_id, p, i); 926 + memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 927 + psk_len = s->psk_server_callback(s, tmp_id, psk, sizeof(psk)); 928 929 + if (psk_len > PSK_MAX_PSK_LEN) 930 + { 931 + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 932 + ERR_R_INTERNAL_ERROR); 933 + goto psk_err; 934 + } 935 + else if (psk_len == 0) 936 + { 937 + /* PSK related to the given identity not found */ 938 + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 939 + SSL_R_PSK_IDENTITY_NOT_FOUND); 940 + al=SSL_AD_UNKNOWN_PSK_IDENTITY; 941 + goto psk_err; 942 + } 943 + if (!(alg_k & SSL_kEECDH)) 944 + { 945 + /* Create the shared secret now if we're not using ECDHE-PSK.*/ 946 + pre_ms_len=2+psk_len+2+psk_len; 947 + t = pre_ms; 948 + s2n(psk_len, t); 949 + memset(t, 0, psk_len); 950 + t+=psk_len; 951 + s2n(psk_len, t); 952 + memcpy(t, psk, psk_len); 953 + 954 + s->session->master_key_length= 955 + s->method->ssl3_enc->generate_master_secret(s, 956 + s->session->master_key, pre_ms, pre_ms_len); 957 + } 958 + if (s->session->psk_identity != NULL) 959 + OPENSSL_free(s->session->psk_identity); 960 + s->session->psk_identity = BUF_strdup(tmp_id); 961 + OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1); 962 + if (s->session->psk_identity == NULL) 963 + { 964 + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 965 + ERR_R_MALLOC_FAILURE); 966 + goto psk_err; 967 + } 968 + 969 + if (s->session->psk_identity_hint != NULL) 970 + OPENSSL_free(s->session->psk_identity_hint); 971 + s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 972 + if (s->ctx->psk_identity_hint != NULL && 973 + s->session->psk_identity_hint == NULL) 974 + { 975 + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 976 + ERR_R_MALLOC_FAILURE); 977 + goto psk_err; 978 + } 979 + 980 + p += i; 981 + n -= (i + 2); 982 + psk_err = 0; 983 + psk_err: 984 + OPENSSL_cleanse(pre_ms, sizeof(pre_ms)); 985 + if (psk_err != 0) 986 + goto f_err; 987 + } 988 +#endif /* OPENSSL_NO_PSK */ 989 + if (0) {} 990 #ifndef OPENSSL_NO_RSA 991 if (alg_k & SSL_kRSA) 992 { 993 @@ -2410,10 +2535,9 @@ int ssl3_get_client_key_exchange(SSL *s) 994 p,sizeof(rand_premaster_secret)); 995 OPENSSL_cleanse(p,sizeof(rand_premaster_secret)); 996 } 997 - else 998 #endif 999 #ifndef OPENSSL_NO_DH 1000 - if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 1001 + else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 1002 { 1003 n2s(p,i); 1004 if (n != i+2) 1005 @@ -2474,10 +2598,9 @@ int ssl3_get_client_key_exchange(SSL *s) 1006 s->session->master_key,p,i); 1007 OPENSSL_cleanse(p,i); 1008 } 1009 - else 1010 #endif 1011 #ifndef OPENSSL_NO_KRB5 1012 - if (alg_k & SSL_kKRB5) 1013 + else if (alg_k & SSL_kKRB5) 1014 { 1015 krb5_error_code krb5rc; 1016 krb5_data enc_ticket; 1017 @@ -2666,17 +2789,20 @@ int ssl3_get_client_key_exchange(SSL *s) 1018 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 1019 */ 1020 } 1021 - else 1022 #endif /* OPENSSL_NO_KRB5 */ 1023 - 1024 #ifndef OPENSSL_NO_ECDH 1025 - if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 1026 + else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 1027 { 1028 int ret = 1; 1029 int field_size = 0; 1030 const EC_KEY *tkey; 1031 const EC_GROUP *group; 1032 const BIGNUM *priv_key; 1033 +#ifndef OPENSSL_NO_PSK 1034 + unsigned char *pre_ms; 1035 + unsigned int pre_ms_len; 1036 + unsigned char *t; 1037 +#endif /* OPENSSL_NO_PSK */ 1038 1039 /* initialize structures for server's ECDH key pair */ 1040 if ((srvr_ecdh = EC_KEY_new()) == NULL) 1041 @@ -2772,7 +2898,7 @@ int ssl3_get_client_key_exchange(SSL *s) 1042 } 1043 1044 /* Get encoded point length */ 1045 - i = *p; 1046 + i = *p; 1047 p += 1; 1048 if (n != 1 + i) 1049 { 1050 @@ -2814,221 +2940,145 @@ int ssl3_get_client_key_exchange(SSL *s) 1051 EC_KEY_free(srvr_ecdh); 1052 BN_CTX_free(bn_ctx); 1053 EC_KEY_free(s->s3->tmp.ecdh); 1054 - s->s3->tmp.ecdh = NULL; 1055 + s->s3->tmp.ecdh = NULL; 1056 1057 - /* Compute the master secret */ 1058 - s->session->master_key_length = s->method->ssl3_enc-> \ 1059 - generate_master_secret(s, s->session->master_key, p, i); 1060 - 1061 - OPENSSL_cleanse(p, i); 1062 - return (ret); 1063 - } 1064 - else 1065 -#endif 1066 #ifndef OPENSSL_NO_PSK 1067 - if (alg_k & SSL_kPSK) 1068 + /* ECDHE PSK ciphersuites from RFC 5489 */ 1069 + if ((alg_a & SSL_aPSK) && psk_len != 0) 1070 { 1071 - unsigned char *t = NULL; 1072 - unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 1073 - unsigned int pre_ms_len = 0, psk_len = 0; 1074 - int psk_err = 1; 1075 - char tmp_id[PSK_MAX_IDENTITY_LEN+1]; 1076 - 1077 - al=SSL_AD_HANDSHAKE_FAILURE; 1078 - 1079 - n2s(p,i); 1080 - if (n != i+2) 1081 - { 1082 - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1083 - SSL_R_LENGTH_MISMATCH); 1084 - goto psk_err; 1085 - } 1086 - if (i > PSK_MAX_IDENTITY_LEN) 1087 - { 1088 - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1089 - SSL_R_DATA_LENGTH_TOO_LONG); 1090 - goto psk_err; 1091 - } 1092 - if (s->psk_server_callback == NULL) 1093 - { 1094 - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1095 - SSL_R_PSK_NO_SERVER_CB); 1096 - goto psk_err; 1097 - } 1098 - 1099 - /* Create guaranteed NULL-terminated identity 1100 - * string for the callback */ 1101 - memcpy(tmp_id, p, i); 1102 - memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 1103 - psk_len = s->psk_server_callback(s, tmp_id, 1104 - psk_or_pre_ms, sizeof(psk_or_pre_ms)); 1105 - OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1); 1106 - 1107 - if (psk_len > PSK_MAX_PSK_LEN) 1108 - { 1109 - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1110 - ERR_R_INTERNAL_ERROR); 1111 - goto psk_err; 1112 - } 1113 - else if (psk_len == 0) 1114 - { 1115 - /* PSK related to the given identity not found */ 1116 - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1117 - SSL_R_PSK_IDENTITY_NOT_FOUND); 1118 - al=SSL_AD_UNKNOWN_PSK_IDENTITY; 1119 - goto psk_err; 1120 - } 1121 - 1122 - /* create PSK pre_master_secret */ 1123 - pre_ms_len=2+psk_len+2+psk_len; 1124 - t = psk_or_pre_ms; 1125 - memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 1126 - s2n(psk_len, t); 1127 - memset(t, 0, psk_len); 1128 - t+=psk_len; 1129 - s2n(psk_len, t); 1130 - 1131 - if (s->session->psk_identity != NULL) 1132 - OPENSSL_free(s->session->psk_identity); 1133 - s->session->psk_identity = BUF_strdup((char *)p); 1134 - if (s->session->psk_identity == NULL) 1135 - { 1136 - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1137 - ERR_R_MALLOC_FAILURE); 1138 - goto psk_err; 1139 - } 1140 - 1141 - if (s->session->psk_identity_hint != NULL) 1142 - OPENSSL_free(s->session->psk_identity_hint); 1143 - s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 1144 - if (s->ctx->psk_identity_hint != NULL && 1145 - s->session->psk_identity_hint == NULL) 1146 + pre_ms_len = 2+i+2+psk_len; 1147 + pre_ms = OPENSSL_malloc(pre_ms_len); 1148 + if (pre_ms == NULL) 1149 { 1150 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1151 ERR_R_MALLOC_FAILURE); 1152 - goto psk_err; 1153 + goto err; 1154 } 1155 - 1156 - s->session->master_key_length= 1157 - s->method->ssl3_enc->generate_master_secret(s, 1158 - s->session->master_key, psk_or_pre_ms, pre_ms_len); 1159 - psk_err = 0; 1160 - psk_err: 1161 - OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 1162 - if (psk_err != 0) 1163 - goto f_err; 1164 + memset(pre_ms, 0, pre_ms_len); 1165 + t = pre_ms; 1166 + s2n(i, t); 1167 + memcpy(t, p, i); 1168 + t += i; 1169 + s2n(psk_len, t); 1170 + memcpy(t, psk, psk_len); 1171 + s->session->master_key_length = s->method->ssl3_enc \ 1172 + -> generate_master_secret(s, 1173 + s->session->master_key, pre_ms, pre_ms_len); 1174 + OPENSSL_cleanse(pre_ms, pre_ms_len); 1175 + OPENSSL_free(pre_ms); 1176 } 1177 - else 1178 -#endif 1179 -#ifndef OPENSSL_NO_SRP 1180 - if (alg_k & SSL_kSRP) 1181 +#endif /* OPENSSL_NO_PSK */ 1182 + if (!(alg_a & SSL_aPSK)) 1183 { 1184 - int param_len; 1185 - 1186 - n2s(p,i); 1187 - param_len=i+2; 1188 - if (param_len > n) 1189 - { 1190 - al=SSL_AD_DECODE_ERROR; 1191 - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_SRP_A_LENGTH); 1192 - goto f_err; 1193 - } 1194 - if (!(s->srp_ctx.A=BN_bin2bn(p,i,NULL))) 1195 - { 1196 - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_BN_LIB); 1197 - goto err; 1198 - } 1199 - if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 1200 - || BN_is_zero(s->srp_ctx.A)) 1201 - { 1202 - al=SSL_AD_ILLEGAL_PARAMETER; 1203 - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_SRP_PARAMETERS); 1204 - goto f_err; 1205 - } 1206 - if (s->session->srp_username != NULL) 1207 - OPENSSL_free(s->session->srp_username); 1208 - s->session->srp_username = BUF_strdup(s->srp_ctx.login); 1209 - if (s->session->srp_username == NULL) 1210 - { 1211 - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1212 - ERR_R_MALLOC_FAILURE); 1213 - goto err; 1214 - } 1215 + /* Compute the master secret */ 1216 + s->session->master_key_length = s->method->ssl3_enc \ 1217 + -> generate_master_secret(s, 1218 + s->session->master_key, p, i); 1219 + } 1220 1221 - if ((s->session->master_key_length = SRP_generate_server_master_secret(s,s->session->master_key))<0) 1222 - { 1223 - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1224 - goto err; 1225 - } 1226 + OPENSSL_cleanse(p, i); 1227 + } 1228 +#endif 1229 +#ifndef OPENSSL_NO_SRP 1230 + else if (alg_k & SSL_kSRP) 1231 + { 1232 + int param_len; 1233 1234 - p+=i; 1235 + n2s(p,i); 1236 + param_len=i+2; 1237 + if (param_len > n) 1238 + { 1239 + al=SSL_AD_DECODE_ERROR; 1240 + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_SRP_A_LENGTH); 1241 + goto f_err; 1242 + } 1243 + if (!(s->srp_ctx.A=BN_bin2bn(p,i,NULL))) 1244 + { 1245 + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_BN_LIB); 1246 + goto err; 1247 + } 1248 + if (s->session->srp_username != NULL) 1249 + OPENSSL_free(s->session->srp_username); 1250 + s->session->srp_username = BUF_strdup(s->srp_ctx.login); 1251 + if (s->session->srp_username == NULL) 1252 + { 1253 + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1254 + ERR_R_MALLOC_FAILURE); 1255 + goto err; 1256 } 1257 - else 1258 -#endif /* OPENSSL_NO_SRP */ 1259 - if (alg_k & SSL_kGOST) 1260 - { 1261 - int ret = 0; 1262 - EVP_PKEY_CTX *pkey_ctx; 1263 - EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; 1264 - unsigned char premaster_secret[32], *start; 1265 - size_t outlen=32, inlen; 1266 - unsigned long alg_a; 1267 - int Ttag, Tclass; 1268 - long Tlen; 1269 - 1270 - /* Get our certificate private key*/ 1271 - alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1272 - if (alg_a & SSL_aGOST94) 1273 - pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; 1274 - else if (alg_a & SSL_aGOST01) 1275 - pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; 1276 1277 - pkey_ctx = EVP_PKEY_CTX_new(pk,NULL); 1278 - EVP_PKEY_decrypt_init(pkey_ctx); 1279 - /* If client certificate is present and is of the same type, maybe 1280 - * use it for key exchange. Don't mind errors from 1281 - * EVP_PKEY_derive_set_peer, because it is completely valid to use 1282 - * a client certificate for authorization only. */ 1283 - client_pub_pkey = X509_get_pubkey(s->session->peer); 1284 - if (client_pub_pkey) 1285 - { 1286 - if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) 1287 - ERR_clear_error(); 1288 - } 1289 - /* Decrypt session key */ 1290 - if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag, &Tclass, n) != V_ASN1_CONSTRUCTED || 1291 - Ttag != V_ASN1_SEQUENCE || 1292 - Tclass != V_ASN1_UNIVERSAL) 1293 - { 1294 - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 1295 - goto gerr; 1296 - } 1297 - start = p; 1298 - inlen = Tlen; 1299 - if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0) 1300 + if ((s->session->master_key_length = SRP_generate_server_master_secret(s,s->session->master_key))<0) 1301 + { 1302 + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1303 + goto err; 1304 + } 1305 1306 - { 1307 - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 1308 - goto gerr; 1309 - } 1310 - /* Generate master secret */ 1311 - s->session->master_key_length= 1312 - s->method->ssl3_enc->generate_master_secret(s, 1313 - s->session->master_key,premaster_secret,32); 1314 - /* Check if pubkey from client certificate was used */ 1315 - if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 1316 - ret = 2; 1317 - else 1318 - ret = 1; 1319 - gerr: 1320 - EVP_PKEY_free(client_pub_pkey); 1321 - EVP_PKEY_CTX_free(pkey_ctx); 1322 - if (ret) 1323 - return ret; 1324 - else 1325 - goto err; 1326 + p+=i; 1327 + } 1328 +#endif /* OPENSSL_NO_SRP */ 1329 + else if (alg_k & SSL_kGOST) 1330 + { 1331 + int ret = 0; 1332 + EVP_PKEY_CTX *pkey_ctx; 1333 + EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; 1334 + unsigned char premaster_secret[32], *start; 1335 + size_t outlen=32, inlen; 1336 + unsigned long alg_a; 1337 + int Ttag, Tclass; 1338 + long Tlen; 1339 + 1340 + /* Get our certificate private key*/ 1341 + alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1342 + if (alg_a & SSL_aGOST94) 1343 + pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; 1344 + else if (alg_a & SSL_aGOST01) 1345 + pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; 1346 + 1347 + pkey_ctx = EVP_PKEY_CTX_new(pk,NULL); 1348 + EVP_PKEY_decrypt_init(pkey_ctx); 1349 + /* If client certificate is present and is of the same type, maybe 1350 + * use it for key exchange. Don't mind errors from 1351 + * EVP_PKEY_derive_set_peer, because it is completely valid to use 1352 + * a client certificate for authorization only. */ 1353 + client_pub_pkey = X509_get_pubkey(s->session->peer); 1354 + if (client_pub_pkey) 1355 + { 1356 + if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) 1357 + ERR_clear_error(); 1358 + } 1359 + /* Decrypt session key */ 1360 + if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag, &Tclass, n) != V_ASN1_CONSTRUCTED || 1361 + Ttag != V_ASN1_SEQUENCE || 1362 + Tclass != V_ASN1_UNIVERSAL) 1363 + { 1364 + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 1365 + goto gerr; 1366 + } 1367 + start = p; 1368 + inlen = Tlen; 1369 + if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0) 1370 + { 1371 + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 1372 + goto gerr; 1373 } 1374 + /* Generate master secret */ 1375 + s->session->master_key_length= 1376 + s->method->ssl3_enc->generate_master_secret(s, 1377 + s->session->master_key,premaster_secret,32); 1378 + /* Check if pubkey from client certificate was used */ 1379 + if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 1380 + ret = 2; 1381 + else 1382 + ret = 1; 1383 + gerr: 1384 + EVP_PKEY_free(client_pub_pkey); 1385 + EVP_PKEY_CTX_free(pkey_ctx); 1386 + if (ret) 1387 + return ret; 1388 else 1389 + goto err; 1390 + } 1391 + else if (!(alg_k & SSL_kPSK)) 1392 { 1393 al=SSL_AD_HANDSHAKE_FAILURE; 1394 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1395 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c 1396 index 0fda4ca..6c57d2a 100644 1397 --- a/ssl/ssl_lib.c 1398 +++ b/ssl/ssl_lib.c 1399 @@ -1424,7 +1424,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, 1400 #endif /* OPENSSL_NO_KRB5 */ 1401 #ifndef OPENSSL_NO_PSK 1402 /* with PSK there must be client callback set */ 1403 - if (((c->algorithm_mkey & SSL_kPSK) || (c->algorithm_auth & SSL_aPSK)) && 1404 + if ((c->algorithm_auth & SSL_aPSK) && 1405 s->psk_client_callback == NULL) 1406 continue; 1407 #endif /* OPENSSL_NO_PSK */ 1408 diff --git a/ssl/tls1.h b/ssl/tls1.h 1409 index 9e035fb..3e6b7c7 100644 1410 --- a/ssl/tls1.h 1411 +++ b/ssl/tls1.h 1412 @@ -536,6 +536,10 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) 1413 #define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305 0x0300CC14 1414 #define TLS1_CK_DHE_RSA_CHACHA20_POLY1305 0x0300CC15 1415 1416 +/* ECDHE PSK ciphersuites from RFC 5489 */ 1417 +#define TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0x0300C037 1418 +#define TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA384 0x0300C038 1419 + 1420 /* XXX 1421 * Inconsistency alert: 1422 * The OpenSSL names of ciphers with ephemeral DH here include the string 1423 @@ -691,6 +698,10 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) 1424 #define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305" 1425 #define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305" 1426 1427 +/* ECDHE PSK ciphersuites from RFC 5489 */ 1428 +#define TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA256 "ECDHE-PSK-WITH-AES-128-CBC-SHA256" 1429 +#define TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA384 "ECDHE-PSK-WITH-AES-256-CBC-SHA384" 1430 + 1431 #define TLS_CT_RSA_SIGN 1 1432 #define TLS_CT_DSS_SIGN 2 1433 #define TLS_CT_RSA_FIXED_DH 3 1434 2.0.0.526.g5318336 1435 1436
