Merge HRR into ServerHello
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 37c198e..af9e1dc 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -22,7 +22,7 @@
#include <openssl/bn.h>
#include <openssl/engine.h>
-static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt);
+static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt);
static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
static ossl_inline int cert_req_allowed(SSL *s);
@@ -206,11 +206,6 @@
st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
return 1;
}
- } else {
- if (mt == SSL3_MT_HELLO_RETRY_REQUEST) {
- st->hand_state = TLS_ST_CR_HELLO_RETRY_REQUEST;
- return 1;
- }
}
break;
@@ -224,10 +219,6 @@
st->hand_state = TLS_ST_CR_SRVR_HELLO;
return 1;
}
- if (mt == SSL3_MT_HELLO_RETRY_REQUEST) {
- st->hand_state = TLS_ST_CR_HELLO_RETRY_REQUEST;
- return 1;
- }
break;
case TLS_ST_CR_SRVR_HELLO:
@@ -506,7 +497,8 @@
*/
return WRITE_TRAN_FINISHED;
- case TLS_ST_CR_HELLO_RETRY_REQUEST:
+ case TLS_ST_CR_SRVR_HELLO:
+ /* We only get here in TLSv1.3 */
st->hand_state = TLS_ST_CW_CLNT_HELLO;
return WRITE_TRAN_CONTINUE;
@@ -912,9 +904,6 @@
case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
return HELLO_VERIFY_REQUEST_MAX_LENGTH;
- case TLS_ST_CR_HELLO_RETRY_REQUEST:
- return HELLO_RETRY_REQUEST_MAX_LENGTH;
-
case TLS_ST_CR_CERT:
return s->max_cert_list;
@@ -978,9 +967,6 @@
case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
return dtls_process_hello_verify(s, pkt);
- case TLS_ST_CR_HELLO_RETRY_REQUEST:
- return tls_process_hello_retry_request(s, pkt);
-
case TLS_ST_CR_CERT:
return tls_process_server_certificate(s, pkt);
@@ -1353,6 +1339,7 @@
PACKET session_id, extpkt;
size_t session_id_len;
const unsigned char *cipherchars;
+ int hrr = 0;
unsigned int compression;
unsigned int sversion;
unsigned int context;
@@ -1369,10 +1356,22 @@
}
/* load the server random */
- if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
- SSL_R_LENGTH_MISMATCH);
- goto err;
+ if (s->version == TLS1_3_VERSION
+ && sversion == TLS1_2_VERSION
+ && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE
+ && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {
+ s->hello_retry_request = hrr = 1;
+ if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
+ SSL_R_LENGTH_MISMATCH);
+ goto err;
+ }
+ } else {
+ if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
+ SSL_R_LENGTH_MISMATCH);
+ goto err;
+ }
}
/* Get the session-id. */
@@ -1402,7 +1401,7 @@
}
/* TLS extensions */
- if (PACKET_remaining(pkt) == 0) {
+ if (PACKET_remaining(pkt) == 0 && !hrr) {
PACKET_null_init(&extpkt);
} else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
|| PACKET_remaining(pkt) != 0) {
@@ -1411,17 +1410,45 @@
goto err;
}
- if (!tls_collect_extensions(s, &extpkt,
- SSL_EXT_TLS1_2_SERVER_HELLO
- | SSL_EXT_TLS1_3_SERVER_HELLO,
- &extensions, NULL, 1)) {
- /* SSLfatal() already called */
- goto err;
+ if (!hrr) {
+ if (!tls_collect_extensions(s, &extpkt,
+ SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_3_SERVER_HELLO,
+ &extensions, NULL, 1)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+
+ if (!ssl_choose_client_version(s, sversion, extensions)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
}
- if (!ssl_choose_client_version(s, sversion, extensions)) {
- /* SSLfatal() already called */
- goto err;
+ if (SSL_IS_TLS13(s) || hrr) {
+ if (compression != 0) {
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
+ SSL_F_TLS_PROCESS_SERVER_HELLO,
+ SSL_R_INVALID_COMPRESSION_ALGORITHM);
+ goto err;
+ }
+
+ if (session_id_len != s->tmp_session_id_len
+ || memcmp(PACKET_data(&session_id), s->tmp_session_id,
+ session_id_len) != 0) {
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
+ SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INVALID_SESSION_ID);
+ goto err;
+ }
+ }
+
+ if (hrr) {
+ if (!set_client_ciphersuite(s, cipherchars)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+
+ return tls_process_as_hello_retry_request(s, &extpkt);
}
/*
@@ -1450,21 +1477,6 @@
goto err;
}
- if (compression != 0) {
- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
- SSL_F_TLS_PROCESS_SERVER_HELLO,
- SSL_R_INVALID_COMPRESSION_ALGORITHM);
- goto err;
- }
-
- if (session_id_len != s->tmp_session_id_len
- || memcmp(PACKET_data(&session_id), s->tmp_session_id,
- session_id_len) != 0) {
- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
- SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INVALID_SESSION_ID);
- goto err;
- }
-
/* This will set s->hit if we are resuming */
if (!tls_parse_extension(s, TLSEXT_IDX_psk,
SSL_EXT_TLS1_3_SERVER_HELLO,
@@ -1670,28 +1682,10 @@
return MSG_PROCESS_ERROR;
}
-static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt)
+static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s,
+ PACKET *extpkt)
{
- unsigned int sversion;
- const unsigned char *cipherchars;
RAW_EXTENSION *extensions = NULL;
- PACKET extpkt;
-
- if (!PACKET_get_net_2(pkt, &sversion)) {
- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST,
- SSL_R_LENGTH_MISMATCH);
- goto err;
- }
-
- /* TODO(TLS1.3): Remove the TLS1_3_VERSION_DRAFT clause before release */
- if (sversion != TLS1_3_VERSION && sversion != TLS1_3_VERSION_DRAFT) {
- SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
- SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST,
- SSL_R_WRONG_SSL_VERSION);
- goto err;
- }
-
- s->hello_retry_request = 1;
/*
* If we were sending early_data then the enc_write_ctx is now invalid and
@@ -1700,28 +1694,7 @@
EVP_CIPHER_CTX_free(s->enc_write_ctx);
s->enc_write_ctx = NULL;
- if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST,
- SSL_R_LENGTH_MISMATCH);
- goto err;
- }
-
- if (!set_client_ciphersuite(s, cipherchars)) {
- /* SSLfatal() already called */
- goto err;
- }
-
- if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
- /* Must have a non-empty extensions block */
- || PACKET_remaining(&extpkt) == 0
- /* Must be no trailing data after extensions */
- || PACKET_remaining(pkt) != 0) {
- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST,
- SSL_R_BAD_LENGTH);
- goto err;
- }
-
- if (!tls_collect_extensions(s, &extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
+ if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
&extensions, NULL, 1)
|| !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
extensions, NULL, 0, 1)) {
@@ -1742,8 +1715,8 @@
* ClientHello will not change
*/
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
- SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST,
- SSL_R_NO_CHANGE_FOLLOWING_HRR);
+ SSL_F_TLS_PROCESS_AS_HELLO_RETRY_REQUEST,
+ SSL_R_NO_CHANGE_FOLLOWING_HRR);
goto err;
}
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 7b18115..c38c133 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -19,6 +19,13 @@
#include <openssl/evp.h>
#include <openssl/x509.h>
+/* Fixed value used in the ServerHello random field to identify an HRR */
+const unsigned char hrrrandom[] = {
+ 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
+ 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
+ 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
+};
+
/*
* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
* SSL3_RT_CHANGE_CIPHER_SPEC)
@@ -1238,12 +1245,18 @@
* We defer feeding in the HRR until later. We'll do it as part of
* processing the message
*/
- if (s->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST
- && !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
- s->init_num + SSL3_HM_HEADER_LENGTH)) {
- /* SSLfatal() already called */
- *len = 0;
- return 0;
+#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
+ if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO
+ || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
+ || memcmp(hrrrandom,
+ s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
+ SSL3_RANDOM_SIZE) != 0) {
+ if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
+ s->init_num + SSL3_HM_HEADER_LENGTH)) {
+ /* SSLfatal() already called */
+ *len = 0;
+ return 0;
+ }
}
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_locl.h
index ad5b028..5e0ce7e 100644
--- a/ssl/statem/statem_locl.h
+++ b/ssl/statem/statem_locl.h
@@ -35,6 +35,8 @@
/* Dummy message type */
#define SSL3_MT_DUMMY -1
+extern const unsigned char hrrrandom[];
+
/* Message processing return codes */
typedef enum {
/* Something bad happened */
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 43ad4a4..3ebe765 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -24,7 +24,6 @@
#include <openssl/md5.h>
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
-static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt);
/*
* ossl_statem_server13_read_transition() encapsulates the logic for the allowed
@@ -392,18 +391,13 @@
return WRITE_TRAN_FINISHED;
case TLS_ST_SR_CLNT_HELLO:
- if (s->hello_retry_request)
- st->hand_state = TLS_ST_SW_HELLO_RETRY_REQUEST;
- else
- st->hand_state = TLS_ST_SW_SRVR_HELLO;
- return WRITE_TRAN_CONTINUE;
-
- case TLS_ST_SW_HELLO_RETRY_REQUEST:
- st->hand_state = TLS_ST_EARLY_DATA;
+ st->hand_state = TLS_ST_SW_SRVR_HELLO;
return WRITE_TRAN_CONTINUE;
case TLS_ST_SW_SRVR_HELLO:
- if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
+ if (s->hello_retry_request)
+ st->hand_state = TLS_ST_EARLY_DATA;
+ else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
st->hand_state = TLS_ST_SW_CHANGE;
else
st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
@@ -714,11 +708,6 @@
/* No post work to be done */
break;
- case TLS_ST_SW_HELLO_RETRY_REQUEST:
- if (statem_flush(s) != 1)
- return WORK_MORE_A;
- break;
-
case TLS_ST_SW_HELLO_REQ:
if (statem_flush(s) != 1)
return WORK_MORE_A;
@@ -744,6 +733,11 @@
break;
case TLS_ST_SW_SRVR_HELLO:
+ if (SSL_IS_TLS13(s) && s->hello_retry_request) {
+ if (statem_flush(s) != 1)
+ return WORK_MORE_A;
+ break;
+ }
#ifndef OPENSSL_NO_SCTP
if (SSL_IS_DTLS(s) && s->hit) {
unsigned char sctpauthkey[64];
@@ -963,11 +957,6 @@
*mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
break;
- case TLS_ST_SW_HELLO_RETRY_REQUEST:
- *confunc = tls_construct_hello_retry_request;
- *mt = SSL3_MT_HELLO_RETRY_REQUEST;
- break;
-
case TLS_ST_SW_KEY_UPDATE:
*confunc = tls_construct_key_update;
*mt = SSL3_MT_KEY_UPDATE;
@@ -2211,14 +2200,18 @@
size_t sl, len;
int version;
unsigned char *session_id;
+ int usetls13 = SSL_IS_TLS13(s) || s->hello_retry_request;
- version = SSL_IS_TLS13(s) ? TLS1_2_VERSION : s->version;
+ version = usetls13 ? TLS1_2_VERSION : s->version;
if (!WPACKET_put_bytes_u16(pkt, version)
/*
* Random stuff. Filling of the server_random takes place in
* tls_process_client_hello()
*/
- || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
+ || !WPACKET_memcpy(pkt,
+ s->hello_retry_request
+ ? hrrrandom : s->s3->server_random,
+ SSL3_RANDOM_SIZE)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
ERR_R_INTERNAL_ERROR);
return 0;
@@ -2247,7 +2240,7 @@
&& !s->hit))
s->session->session_id_length = 0;
- if (SSL_IS_TLS13(s)) {
+ if (usetls13) {
sl = s->tmp_session_id_len;
session_id = s->tmp_session_id;
} else {
@@ -2265,7 +2258,7 @@
#ifdef OPENSSL_NO_COMP
compm = 0;
#else
- if (SSL_IS_TLS13(s) || s->s3->tmp.new_compression == NULL)
+ if (usetls13 || s->s3->tmp.new_compression == NULL)
compm = 0;
else
compm = s->s3->tmp.new_compression->id;
@@ -2275,16 +2268,32 @@
|| !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
|| !WPACKET_put_bytes_u8(pkt, compm)
|| !tls_construct_extensions(s, pkt,
- SSL_IS_TLS13(s)
- ? SSL_EXT_TLS1_3_SERVER_HELLO
- : SSL_EXT_TLS1_2_SERVER_HELLO,
+ s->hello_retry_request
+ ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
+ : (SSL_IS_TLS13(s)
+ ? SSL_EXT_TLS1_3_SERVER_HELLO
+ : SSL_EXT_TLS1_2_SERVER_HELLO),
NULL, 0)) {
/* SSLfatal() already called */
return 0;
}
- if (!(s->verify_mode & SSL_VERIFY_PEER)
- && !ssl3_digest_cached_records(s, 0)) {
+ if (s->hello_retry_request) {
+ /* Ditch the session. We'll create a new one next time around */
+ SSL_SESSION_free(s->session);
+ s->session = NULL;
+ s->hit = 0;
+
+ /*
+ * Re-initialise the Transcript Hash. We're going to prepopulate it with
+ * a synthetic message_hash in place of ClientHello1.
+ */
+ if (!create_synthetic_message_hash(s)) {
+ /* SSLfatal() already called */
+ return 0;
+ }
+ } else if (!(s->verify_mode & SSL_VERIFY_PEER)
+ && !ssl3_digest_cached_records(s, 0)) {
/* SSLfatal() already called */;
return 0;
}
@@ -3856,45 +3865,6 @@
return 1;
}
-static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt)
-{
- size_t len = 0;
-
- /*
- * TODO(TLS1.3): Remove the DRAFT version before release
- * (should be s->version)
- */
- if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
- || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt,
- &len)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR);
- return 0;
- }
-
- if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
- NULL, 0)) {
- /* SSLfatal() already called */
- return 0;
- }
-
- /* Ditch the session. We'll create a new one next time around */
- SSL_SESSION_free(s->session);
- s->session = NULL;
- s->hit = 0;
-
- /*
- * Re-initialise the Transcript Hash. We're going to prepopulate it with
- * a synthetic message_hash in place of ClientHello1.
- */
- if (!create_synthetic_message_hash(s)) {
- /* SSLfatal() already called */
- return 0;
- }
-
- return 1;
-}
-
MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
{
if (PACKET_remaining(pkt) != 0) {
