diff --git a/apps/apps.h b/apps/apps.h index de50de5..3c1da48 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -213,9 +213,9 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \ OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \ OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \ - OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \ - OPT_S_DHPARAM, OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \ - OPT_S__LAST + OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, OPT_S_CURVES, OPT_S_NAMEDCURVE, \ + OPT_S_CIPHER, OPT_S_DHPARAM, OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, \ + OPT_S_COMP, OPT_S__LAST # define OPT_S_OPTIONS \ {"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \ @@ -244,8 +244,10 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \ "Signature algorithms to support for client certificate" \ " authentication (colon-separated list)" }, \ + {"groups", OPT_S_GROUPS, 's', \ + "Groups to advertise (colon-separated list)" }, \ {"curves", OPT_S_CURVES, 's', \ - "Elliptic curves to advertise (colon-separated list)" }, \ + "Groups to advertise (colon-separated list)" }, \ {"named_curve", OPT_S_NAMEDCURVE, 's', \ "Elliptic curve used for ECDHE (server-side only)" }, \ {"cipher", OPT_S_CIPHER, 's', "Specify cipher list to be used"}, \ @@ -276,6 +278,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, case OPT_S_STRICT: \ case OPT_S_SIGALGS: \ case OPT_S_CLIENTSIGALGS: \ + case OPT_S_GROUPS: \ case OPT_S_CURVES: \ case OPT_S_NAMEDCURVE: \ case OPT_S_CIPHER: \ diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf index 0092a65..a3ca393 100644 --- a/apps/openssl-vms.cnf +++ b/apps/openssl-vms.cnf 
@@ -344,3 +344,5 @@ tsa_name = yes # Must the TSA name be included in the reply? # (optional, default: no) ess_cert_id_chain = no # Must the ESS cert id chain be included? # (optional, default: no) +ess_cert_id_alg = sha1 # algorithm to compute certificate + # identifier (optional, default: sha1) diff --git a/apps/openssl.cnf b/apps/openssl.cnf index b3e7444..32ee9e9 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -344,3 +344,5 @@ tsa_name = yes # Must the TSA name be included in the reply? # (optional, default: no) ess_cert_id_chain = no # Must the ESS cert id chain be included? # (optional, default: no) +ess_cert_id_alg = sha1 # algorithm to compute certificate + # identifier (optional, default: sha1) diff --git a/apps/ts.c b/apps/ts.c index 0db6b50..e816c32 100644 --- a/apps/ts.c +++ b/apps/ts.c @@ -709,6 +709,8 @@ static TS_RESP *create_response(CONF *conf, const char *section, const char *eng goto end; } + if (!TS_CONF_set_ess_cert_id_digest(conf, section, resp_ctx)) + goto end; if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx)) goto end; if (!TS_CONF_set_policies(conf, section, resp_ctx)) diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 93843e1..d1942c0 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -10,7 +10,7 @@ */ /* Serialized OID's */ -static const unsigned char so[6900] = { +static const unsigned char so[6911] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ 
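Review bot: The sample value `ess_cert_id_alg = sha1` added to the TSA section keeps the shipped configuration on the legacy SHA-1 SigningCertificate attribute, even though the point of this commit is to make the stronger SigningCertificateV2 identifier available. I would ship the sample as `sha256` and make the comment say what the value actually controls, e.g. `ess_cert_id_alg = sha256 # digest for the ESS cert id; sha1 selects the legacy SigningCertificate attribute (optional, default: sha1)`. The same applies to the openssl-vms.cnf hunk above it.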
@@ -976,9 +976,10 @@ static const unsigned char so[6900] = { 0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x0D, /* [ 6872] OBJ_aria_256_cfb128 */ 0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x0E, /* [ 6881] OBJ_aria_256_ofb128 */ 0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x0F, /* [ 6890] OBJ_aria_256_ctr */ + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1E, /* [ 6899] OBJ_id_smime_aa_signingCertificateV2 */ }; -#define NUM_NID 1086 +#define NUM_NID 1087 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, @@ -2066,9 +2067,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { {"ARIA-128-CFB8", "aria-128-cfb8", NID_aria_128_cfb8}, {"ARIA-192-CFB8", "aria-192-cfb8", NID_aria_192_cfb8}, {"ARIA-256-CFB8", "aria-256-cfb8", NID_aria_256_cfb8}, + {"id-smime-aa-signingCertificateV2", "id-smime-aa-signingCertificateV2", NID_id_smime_aa_signingCertificateV2, 11, &so[6899]}, }; -#define NUM_SN 1077 +#define NUM_SN 1078 static const unsigned int sn_objs[NUM_SN] = { 364, /* "AD_DVCS" */ 419, /* "AES-128-CBC" */ @@ -2712,6 +2714,7 @@ static const unsigned int sn_objs[NUM_SN] = { 213, /* "id-smime-aa-securityLabel" */ 239, /* "id-smime-aa-signatureType" */ 223, /* "id-smime-aa-signingCertificate" */ + 1086, /* "id-smime-aa-signingCertificateV2" */ 224, /* "id-smime-aa-smimeEncryptCerts" */ 225, /* "id-smime-aa-timeStampToken" */ 192, /* "id-smime-alg" */ @@ -3149,7 +3152,7 @@ static const unsigned int sn_objs[NUM_SN] = { 160, /* "x509Crl" */ }; -#define NUM_LN 1077 +#define NUM_LN 1078 static const unsigned int ln_objs[NUM_LN] = { 363, /* "AD Time Stamping" */ 405, /* "ANSI X9.62" */ 
@@ -3786,6 +3789,7 @@ static const unsigned int ln_objs[NUM_LN] = { 213, /* "id-smime-aa-securityLabel" */ 239, /* "id-smime-aa-signatureType" */ 223, /* "id-smime-aa-signingCertificate" */ + 1086, /* "id-smime-aa-signingCertificateV2" */ 224, /* "id-smime-aa-smimeEncryptCerts" */ 225, /* "id-smime-aa-timeStampToken" */ 192, /* "id-smime-alg" */ @@ -4230,7 +4234,7 @@ static const unsigned int ln_objs[NUM_LN] = { 125, /* "zlib compression" */ }; -#define NUM_OBJ 971 +#define NUM_OBJ 972 static const unsigned int obj_objs[NUM_OBJ] = { 0, /* OBJ_undef 0 */ 181, /* OBJ_iso 1 */ @@ -5173,6 +5177,7 @@ static const unsigned int obj_objs[NUM_OBJ] = { 238, /* OBJ_id_smime_aa_ets_archiveTimeStamp 1 2 840 113549 1 9 16 2 27 */ 239, /* OBJ_id_smime_aa_signatureType 1 2 840 113549 1 9 16 2 28 */ 240, /* OBJ_id_smime_aa_dvcs_dvc 1 2 840 113549 1 9 16 2 29 */ + 1086, /* OBJ_id_smime_aa_signingCertificateV2 1 2 840 113549 1 9 16 2 30 */ 241, /* OBJ_id_smime_alg_ESDHwith3DES 1 2 840 113549 1 9 16 3 1 */ 242, /* OBJ_id_smime_alg_ESDHwithRC2 1 2 840 113549 1 9 16 3 2 */ 243, /* OBJ_id_smime_alg_3DESwrap 1 2 840 113549 1 9 16 3 3 */ diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index 270e7e5..ca8dcdb 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -1083,3 +1083,4 @@ aria_256_cfb1 1082 aria_128_cfb8 1083 aria_192_cfb8 1084 aria_256_cfb8 1085 +id_smime_aa_signingCertificateV2 1086 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 442b39c..f19c5ce 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -294,6 +294,7 @@ id-smime-aa 26 : id-smime-aa-ets-certCRLTimestamp id-smime-aa 27 : id-smime-aa-ets-archiveTimeStamp id-smime-aa 28 : id-smime-aa-signatureType id-smime-aa 29 : id-smime-aa-dvcs-dvc +id-smime-aa 30 : id-smime-aa-signingCertificateV2 # S/MIME Algorithm Identifiers # obsolete diff --git a/crypto/ts/ts_asn1.c b/crypto/ts/ts_asn1.c index e60675a..8707207 100644 
--- a/crypto/ts/ts_asn1.c +++ b/crypto/ts/ts_asn1.c @@ -225,6 +225,23 @@ ASN1_SEQUENCE(ESS_SIGNING_CERT) = { IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT) +ASN1_SEQUENCE(ESS_CERT_ID_V2) = { + ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR), + ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING), + ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL) +} static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2) + +IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2) +IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2) + +ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = { + ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2), + ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO) +} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2) + +IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2) +IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) + /* Getting encapsulated TS_TST_INFO object from PKCS7. */ TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token) { diff --git a/crypto/ts/ts_conf.c b/crypto/ts/ts_conf.c index f5f3934..625089a 100644 --- a/crypto/ts/ts_conf.c +++ b/crypto/ts/ts_conf.c @@ -37,6 +37,7 @@ #define ENV_CLOCK_PRECISION_DIGITS "clock_precision_digits" #define ENV_VALUE_YES "yes" #define ENV_VALUE_NO "no" +#define ENV_ESS_CERT_ID_ALG "ess_cert_id_alg" /* Function definitions for certificate and key loading. */ 
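Review bot: The `ESS_CERT_ID_V2` template models `hashAlgorithm` as `ASN1_OPT`, so on decode an absent field leaves `hash_alg` NULL and every consumer has to remember that NULL means the ASN.1 DEFAULT id-sha256; nothing near the template records that contract. I'd add a comment above the sequence such as `/* hashAlgorithm is DEFAULT id-sha256 (RFC 5035): NULL hash_alg means SHA-256, and the encoder must omit it for SHA-256 to stay DER-conformant */`. It is worth noting that a DER encoder elsewhere that emits an explicit sha256 AlgorithmIdentifier would still be accepted by this template, which is probably the intended leniency.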
@@ -466,3 +467,27 @@ int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section, return ts_CONF_add_flag(conf, section, ENV_ESS_CERT_ID_CHAIN, TS_ESS_CERT_ID_CHAIN, ctx); } + +int TS_CONF_set_ess_cert_id_digest(CONF *conf, const char *section, + TS_RESP_CTX *ctx) +{ + int ret = 0; + const EVP_MD *cert_md = NULL; + const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG); + + if (md == NULL) + md = "sha1"; + + cert_md = EVP_get_digestbyname(md); + if (cert_md == NULL) { + ts_CONF_invalid(section, ENV_ESS_CERT_ID_ALG); + goto err; + } + + if (!TS_RESP_CTX_set_ess_cert_id_digest(ctx, cert_md)) + goto err; + + ret = 1; +err: + return ret; +} diff --git a/crypto/ts/ts_err.c b/crypto/ts/ts_err.c index a6d73a1..5aed046 100644 --- a/crypto/ts/ts_err.c +++ b/crypto/ts/ts_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -22,8 +22,12 @@ static ERR_STRING_DATA TS_str_functs[] = { {ERR_FUNC(TS_F_DEF_SERIAL_CB), "def_serial_cb"}, {ERR_FUNC(TS_F_DEF_TIME_CB), "def_time_cb"}, {ERR_FUNC(TS_F_ESS_ADD_SIGNING_CERT), "ESS_add_signing_cert"}, + {ERR_FUNC(TS_F_ESS_ADD_SIGNING_CERT_V2), "ess_add_signing_cert_v2"}, {ERR_FUNC(TS_F_ESS_CERT_ID_NEW_INIT), "ess_CERT_ID_new_init"}, + {ERR_FUNC(TS_F_ESS_CERT_ID_V2_NEW_INIT), "ess_cert_id_new_init"}, {ERR_FUNC(TS_F_ESS_SIGNING_CERT_NEW_INIT), "ess_SIGNING_CERT_new_init"}, + {ERR_FUNC(TS_F_ESS_SIGNING_CERT_V2_NEW_INIT), + "ess_signing_cert_V2_new_init"}, {ERR_FUNC(TS_F_INT_TS_RESP_VERIFY_TOKEN), "int_ts_RESP_verify_token"}, {ERR_FUNC(TS_F_PKCS7_TO_TS_TST_INFO), "PKCS7_to_TS_TST_INFO"}, {ERR_FUNC(TS_F_TS_ACCURACY_SET_MICROS), "TS_ACCURACY_set_micros"}, 
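Review bot: `TS_CONF_set_ess_cert_id_digest` silently falls back to `"sha1"` when the option is absent, and nothing explains that this string is special: the signing code picks the legacy SigningCertificate attribute for SHA-1 and SigningCertificateV2 for anything else. A comment on the fallback would save the next reader a trip through ts_rsp_sign.c, e.g. `/* "sha1" keeps the RFC 2634 SigningCertificate attribute for old clients; any other digest produces SigningCertificateV2 (RFC 5035) */`. The function also accepts any digest `EVP_get_digestbyname` knows, including md5, without complaint; if that is not intended, a minimum-size check before `TS_RESP_CTX_set_ess_cert_id_digest` would be the place to reject it.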
@@ -92,6 +96,8 @@ static ERR_STRING_DATA TS_str_reasons[] = { {ERR_REASON(TS_R_DETACHED_CONTENT), "detached content"}, {ERR_REASON(TS_R_ESS_ADD_SIGNING_CERT_ERROR), "ess add signing cert error"}, + {ERR_REASON(TS_R_ESS_ADD_SIGNING_CERT_V2_ERROR), + "ess add signing cert v2 error"}, {ERR_REASON(TS_R_ESS_SIGNING_CERTIFICATE_ERROR), "ess signing certificate error"}, {ERR_REASON(TS_R_INVALID_NULL_POINTER), "invalid null pointer"}, diff --git a/crypto/ts/ts_lcl.h b/crypto/ts/ts_lcl.h index d0c3cf8..771784f 100644 --- a/crypto/ts/ts_lcl.h +++ b/crypto/ts/ts_lcl.h @@ -131,11 +131,39 @@ struct ESS_signing_cert { STACK_OF(POLICYINFO) *policy_info; }; +/*- + * ESSCertIDv2 ::= SEQUENCE { + * hashAlgorithm AlgorithmIdentifier + * DEFAULT {algorithm id-sha256}, + * certHash Hash, + * issuerSerial IssuerSerial OPTIONAL + * } + */ + +struct ESS_cert_id_v2_st { + X509_ALGOR *hash_alg; /* Default: SHA-256 */ + ASN1_OCTET_STRING *hash; + ESS_ISSUER_SERIAL *issuer_serial; +}; + +/*- + * SigningCertificateV2 ::= SEQUENCE { + * certs SEQUENCE OF ESSCertIDv2, + * policies SEQUENCE OF PolicyInformation OPTIONAL + * } + */ + +struct ESS_signing_cert_v2_st { + STACK_OF(ESS_CERT_ID_V2) *cert_ids; + STACK_OF(POLICYINFO) *policy_info; +}; + struct TS_resp_ctx { X509 *signer_cert; EVP_PKEY *signer_key; const EVP_MD *signer_md; + const EVP_MD *ess_cert_id_digest; STACK_OF(X509) *certs; /* Certs to include in signed data. */ STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */ ASN1_OBJECT *default_policy; /* It may appear in policies, too. */ diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index aea7b92..76011ad 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c 
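Review bot: The new `ess_cert_id_digest` member of `struct TS_resp_ctx` is the only undocumented field in the hunk, and its semantics are not obvious from the name: per ts_rsp_sign.c in this same commit, SHA-1 selects the legacy SigningCertificate attribute and any other digest selects SigningCertificateV2. I'd annotate it `/* Digest for the ESS cert id; SHA-1 yields SigningCertificate, others SigningCertificateV2 */`. In `struct ESS_cert_id_v2_st` the `/* Default: SHA-256 */` note would be clearer as `/* NULL means the ASN.1 DEFAULT id-sha256 */`, since that is how both the encoder and verifier treat a NULL `hash_alg`.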
@@ -35,7 +35,16 @@ static ESS_SIGNING_CERT *ess_SIGNING_CERT_new_init(X509 *signcert, STACK_OF(X509) *certs); static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed); static int ts_TST_INFO_content_new(PKCS7 *p7); -static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc); +static int ess_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc); + +static ESS_SIGNING_CERT_V2 *ess_signing_cert_v2_new_init(const EVP_MD *hash_alg, + X509 *signcert, + STACK_OF(X509) + *certs); +static ESS_CERT_ID_V2 *ess_cert_id_v2_new_init(const EVP_MD *hash_alg, + X509 *cert, int issuer_needed); +static int ess_add_signing_cert_v2(PKCS7_SIGNER_INFO *si, + ESS_SIGNING_CERT_V2 *sc); static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *, long, long, @@ -628,6 +637,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) PKCS7 *p7 = NULL; PKCS7_SIGNER_INFO *si; STACK_OF(X509) *certs; /* Certificates to include in sc. */ + ESS_SIGNING_CERT_V2 *sc2 = NULL; ESS_SIGNING_CERT *sc = NULL; ASN1_OBJECT *oid; BIO *p7bio = NULL; @@ -671,11 +681,24 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) } certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL; - if ((sc = ess_SIGNING_CERT_new_init(ctx->signer_cert, certs)) == NULL) - goto err; - if (!ESS_add_signing_cert(si, sc)) { - TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_ERROR); - goto err; + if (ctx->ess_cert_id_digest == EVP_sha1()) { + if ((sc = ess_SIGNING_CERT_new_init(ctx->signer_cert, certs)) == NULL) + goto err; + + if (!ess_add_signing_cert(si, sc)) { + TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_ERROR); + goto err; + } + } else { + sc2 = ess_signing_cert_v2_new_init(ctx->ess_cert_id_digest, + ctx->signer_cert, certs); + if (sc2 == NULL) + goto err; + + if (!ess_add_signing_cert_v2(si, sc2)) { + TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_V2_ERROR); + goto err; + } } if (!ts_TST_INFO_content_new(p7)) 
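Review bot: The test `ctx->ess_cert_id_digest == EVP_sha1()` in ts_RESP_sign routes every other value, NULL included, into the V2 path, and nothing in this diff initialises the field for callers that build the context through the API instead of `TS_CONF_set_ess_cert_id_digest`; if `TS_RESP_CTX_new` leaves it zeroed (not visible here), `ess_cert_id_v2_new_init` ends up calling `X509_ALGOR_set_md(alg, NULL)`. Comparing `EVP_MD` pointers is also fragile, since a SHA-1 implementation supplied by an ENGINE is a different object. I would compare by NID and give NULL the documented default: `if (ctx->ess_cert_id_digest == NULL || EVP_MD_type(ctx->ess_cert_id_digest) == NID_sha1) {`. ts_RESP_sign starts and ends outside this hunk.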
@@ -703,6 +726,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) "Error during signature " "generation."); BIO_free_all(p7bio); + ESS_SIGNING_CERT_V2_free(sc2); ESS_SIGNING_CERT_free(sc); PKCS7_free(p7); return ret; @@ -806,7 +830,7 @@ static int ts_TST_INFO_content_new(PKCS7 *p7) return 0; } -static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) +static int ess_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) { ASN1_STRING *seq = NULL; unsigned char *p, *pp = NULL; 
@@ -835,9 +859,133 @@ static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) return 0; } -static ASN1_GENERALIZEDTIME -*TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time, - long sec, long usec, unsigned precision) +static ESS_SIGNING_CERT_V2 *ess_signing_cert_v2_new_init(const EVP_MD *hash_alg, + X509 *signcert, + STACK_OF(X509) *certs) +{ + ESS_CERT_ID_V2 *cid = NULL; + ESS_SIGNING_CERT_V2 *sc = NULL; + int i; + + if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL) + goto err; + if ((cid = ess_cert_id_v2_new_init(hash_alg, signcert, 0)) == NULL) + goto err; + if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid)) + goto err; + cid = NULL; + + for (i = 0; i < sk_X509_num(certs); ++i) { + X509 *cert = sk_X509_value(certs, i); + + if ((cid = ess_cert_id_v2_new_init(hash_alg, cert, 1)) == NULL) + goto err; + if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid)) + goto err; + cid = NULL; + } + + return sc; + err: + ESS_SIGNING_CERT_V2_free(sc); + ESS_CERT_ID_V2_free(cid); + TSerr(TS_F_ESS_SIGNING_CERT_V2_NEW_INIT, ERR_R_MALLOC_FAILURE); + return NULL; +} + +static ESS_CERT_ID_V2 *ess_cert_id_v2_new_init(const EVP_MD *hash_alg, + X509 *cert, int issuer_needed) +{ + ESS_CERT_ID_V2 *cid = NULL; + GENERAL_NAME *name = NULL; + unsigned char hash[EVP_MAX_MD_SIZE]; + unsigned int hash_len = sizeof(hash); + X509_ALGOR *alg = NULL; + + memset(hash, 0, sizeof(hash)); + + if ((cid = ESS_CERT_ID_V2_new()) == NULL) + goto err; + + if (hash_alg != EVP_sha256()) { + alg = X509_ALGOR_new(); + if (alg == NULL) + goto err; + X509_ALGOR_set_md(alg, hash_alg); + if (alg->algorithm == NULL) + goto err; + cid->hash_alg = alg; + alg = NULL; + } else { + cid->hash_alg = NULL; + } + + if (!X509_digest(cert, hash_alg, hash, &hash_len)) + goto err; + + if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len)) + goto err; + + if (issuer_needed) { + if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL) + goto err; + if ((name = GENERAL_NAME_new()) == NULL) + goto err; + 
name->type = GEN_DIRNAME; + if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL) + goto err; + if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name)) + goto err; + name = NULL; /* Ownership is lost. */ + ASN1_INTEGER_free(cid->issuer_serial->serial); + cid->issuer_serial->serial = + ASN1_INTEGER_dup(X509_get_serialNumber(cert)); + if (cid->issuer_serial->serial == NULL) + goto err; + } + + return cid; + err: + X509_ALGOR_free(alg); + GENERAL_NAME_free(name); + ESS_CERT_ID_V2_free(cid); + TSerr(TS_F_ESS_CERT_ID_V2_NEW_INIT, ERR_R_MALLOC_FAILURE); + return NULL; +} + +static int ess_add_signing_cert_v2(PKCS7_SIGNER_INFO *si, + ESS_SIGNING_CERT_V2 *sc) +{ + ASN1_STRING *seq = NULL; + unsigned char *p, *pp = NULL; + int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL); + + if ((pp = OPENSSL_malloc(len)) == NULL) { + TSerr(TS_F_ESS_ADD_SIGNING_CERT_V2, ERR_R_MALLOC_FAILURE); + goto err; + } + + p = pp; + i2d_ESS_SIGNING_CERT_V2(sc, &p); + if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) { + TSerr(TS_F_ESS_ADD_SIGNING_CERT_V2, ERR_R_MALLOC_FAILURE); + goto err; + } + + OPENSSL_free(pp); + pp = NULL; + return PKCS7_add_signed_attribute(si, + NID_id_smime_aa_signingCertificateV2, + V_ASN1_SEQUENCE, seq); + err: + ASN1_STRING_free(seq); + OPENSSL_free(pp); + return 0; +} + +static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision( + ASN1_GENERALIZEDTIME *asn1_time, long sec, long usec, + unsigned precision) { time_t time_sec = (time_t)sec; struct tm *tm = NULL; @@ -902,3 +1050,9 @@ static ASN1_GENERALIZEDTIME TSerr(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION, TS_R_COULD_NOT_SET_TIME); return NULL; } + +int TS_RESP_CTX_set_ess_cert_id_digest(TS_RESP_CTX *ctx, const EVP_MD *md) +{ + ctx->ess_cert_id_digest = md; + return 1; +} diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 66f5be6..9deda81 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c 
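Review bot: In `ess_add_signing_cert_v2` the return of `i2d_ESS_SIGNING_CERT_V2(sc, NULL)` is used as the `OPENSSL_malloc` size and the `ASN1_STRING_set` length with no check that it is positive; a failed encode returns a negative `int`, which becomes an enormous `size_t` for the allocation. A guard before the malloc closes this: `if (len <= 0) { TSerr(TS_F_ESS_ADD_SIGNING_CERT_V2, ERR_R_INTERNAL_ERROR); goto err; }`. Separately, `ess_cert_id_v2_new_init` reports every failure, including a failed `X509_digest`, as `ERR_R_MALLOC_FAILURE`, which will mislead whoever debugs a TSA configured with an unusable digest.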
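Review bot: `TS_RESP_CTX_set_ess_cert_id_digest` stores any pointer it is handed, NULL included, and unconditionally returns 1, so its return value carries no information while ts_RESP_sign later dereferences the field through `ess_cert_id_v2_new_init`. I'd reject NULL here: `if (md == NULL) return 0;`. As this is a new public setter it also deserves a header comment, e.g. `/* Digest used for the ESS certificate identifier: SHA-1 emits SigningCertificate, anything else SigningCertificateV2 */`.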
@@ -37,6 +37,8 @@ static int ts_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info); static int ts_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer); static int ts_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name); +static int ts_find_cert_v2(STACK_OF(ESS_CERT_ID_V2) *cert_ids, X509 *cert); +static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si); /* * This must be large enough to hold all values in ts_status_text (with 
@@ -201,34 +203,57 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, { ESS_SIGNING_CERT *ss = ess_get_signing_cert(si); STACK_OF(ESS_CERT_ID) *cert_ids = NULL; + ESS_SIGNING_CERT_V2 *ssv2 = ess_get_signing_cert_v2(si); + STACK_OF(ESS_CERT_ID_V2) *cert_ids_v2 = NULL; X509 *cert; int i = 0; int ret = 0; - if (!ss) - goto err; - cert_ids = ss->cert_ids; - cert = sk_X509_value(chain, 0); - if (ts_find_cert(cert_ids, cert) != 0) - goto err; + if (ss != NULL) { + cert_ids = ss->cert_ids; + cert = sk_X509_value(chain, 0); + if (ts_find_cert(cert_ids, cert) != 0) + goto err; - /* - * Check the other certificates of the chain if there are more than one - * certificate ids in cert_ids. - */ - if (sk_ESS_CERT_ID_num(cert_ids) > 1) { - for (i = 1; i < sk_X509_num(chain); ++i) { - cert = sk_X509_value(chain, i); - if (ts_find_cert(cert_ids, cert) < 0) - goto err; + /* + * Check the other certificates of the chain if there are more than one + * certificate ids in cert_ids. + */ + if (sk_ESS_CERT_ID_num(cert_ids) > 1) { + for (i = 1; i < sk_X509_num(chain); ++i) { + cert = sk_X509_value(chain, i); + if (ts_find_cert(cert_ids, cert) < 0) + goto err; + } } + } else if (ssv2 != NULL) { + cert_ids_v2 = ssv2->cert_ids; + cert = sk_X509_value(chain, 0); + if (ts_find_cert_v2(cert_ids_v2, cert) != 0) + goto err; + + /* + * Check the other certificates of the chain if there are more than one + * certificate ids in cert_ids. + */ + if (sk_ESS_CERT_ID_V2_num(cert_ids_v2) > 1) { + for (i = 1; i < sk_X509_num(chain); ++i) { + cert = sk_X509_value(chain, i); + if (ts_find_cert_v2(cert_ids_v2, cert) < 0) + goto err; + } + } + } else { + goto err; } + ret = 1; err: if (!ret) TSerr(TS_F_TS_CHECK_SIGNING_CERTS, TS_R_ESS_SIGNING_CERTIFICATE_ERROR); ESS_SIGNING_CERT_free(ss); + ESS_SIGNING_CERT_V2_free(ssv2); return ret; } 
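Review bot: The `else if (ssv2 != NULL)` in ts_check_signing_certs means that when a token carries both SigningCertificate and SigningCertificateV2 only the SHA-1 based v1 attribute is checked and the v2 one is ignored entirely, so a v2 identifier that does not match the chain is never noticed. I believe the ESS RFCs require both attributes to identify the same certificate when both are present; at minimum the v2 check should run whenever `ssv2` is non-NULL rather than only in the absence of `ss`, i.e. two independent `if` blocks instead of `if`/`else if`. Preferring the v1 path also means the weaker SHA-1 binding wins whenever it is available, which is the opposite of what a verifier wants once v2 is offered.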
@@ -243,6 +268,18 @@ static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si) return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length); } +static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si) +{ + ASN1_TYPE *attr; + const unsigned char *p; + + attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2); + if (attr == NULL) + return NULL; + p = attr->value.sequence->data; + return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length); +} + /* Returns < 0 if certificate is not found, certificate index otherwise. */ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) { @@ -272,6 +309,38 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) return -1; } +/* Returns < 0 if certificate is not found, certificate index otherwise. */ +static int ts_find_cert_v2(STACK_OF(ESS_CERT_ID_V2) *cert_ids, X509 *cert) +{ + int i; + unsigned char cert_digest[EVP_MAX_MD_SIZE]; + unsigned int len; + + /* Look for cert in the cert_ids vector. */ + for (i = 0; i < sk_ESS_CERT_ID_V2_num(cert_ids); ++i) { + ESS_CERT_ID_V2 *cid = sk_ESS_CERT_ID_V2_value(cert_ids, i); + const EVP_MD *md; + + if (cid->hash_alg != NULL) + md = EVP_get_digestbyobj(cid->hash_alg->algorithm); + else + md = EVP_sha256(); + + X509_digest(cert, md, cert_digest, &len); + if (cid->hash->length != (int)len) + return -1; + + if (memcmp(cid->hash->data, cert_digest, cid->hash->length) == 0) { + ESS_ISSUER_SERIAL *is = cid->issuer_serial; + + if (is == NULL || !ts_issuer_serial_cmp(is, cert)) + return i; + } + } + + return -1; +} + static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert) { GENERAL_NAME *issuer; diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod index 2ec9837..d469b23 100644 --- a/doc/man1/ts.pod +++ b/doc/man1/ts.pod 
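Review bot: `ess_get_signing_cert_v2` dereferences `attr->value.sequence` without checking `attr->type`; `value` is a union, so an attribute of type BOOLEAN or NULL with this OID makes `sequence` a bogus pointer and the read crashes the verifier. Since this runs on the peer's token during response verification — and, if I recall the order in TS_RESP_verify_signature correctly, before the PKCS#7 signature is verified — the input should be treated as hostile: `if (attr == NULL || attr->type != V_ASN1_SEQUENCE) return NULL;`. The v1 `ess_get_signing_cert` above has the same shape, but that is pre-existing code.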
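Review bot: In `ts_find_cert_v2` the digest comes from the token's own `hash_alg` OID, so `EVP_get_digestbyobj` can return NULL for an unknown or unsupported algorithm, and that NULL is passed straight to `X509_digest`; the return value of `X509_digest` is also ignored, after which `len` is uninitialised and compared against `cid->hash->length`. Both need handling before the memcmp, and the failure should fall through to "not found" rather than undefined behaviour. Note that the `return -1` on a length mismatch aborts the whole search on the first ESSCertIDv2 rather than trying the rest; that matches the strictness of the v1 code, but a `continue` would be more forgiving of mixed-digest lists.

```c
        if (md == NULL)
            return -1;
        if (!X509_digest(cert, md, cert_digest, &len))
            return -1;
        /* … unchanged: length check and memcmp … */
```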
@@ -503,6 +503,11 @@ be included in the SigningCertificate signed attribute. If this variable is set to no, only the signing certificate identifier is included. Default is no. (Optional) +=item B + +This option specifies the hash function to be used to calculate the TSA's +public key certificate identifier. Default is sha1. (Optional) + =back =head1 EXAMPLES @@ -605,9 +610,6 @@ You could also look at the 'test' directory for more examples. =for comment foreign manuals: procmail(1), perl(1) -If you find any bugs or you have suggestions please write to -Zoltan Glozik . Known issues: - =over 2 =item * diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index efd766d..6731cf7 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -73,6 +73,26 @@ The B argument is a colon separated list of curves. The curve can be either the B name (e.g. B) or an OpenSSL OID name (e.g B). Curve names are case sensitive. +=item B<-groups> + +This sets the supported groups. For clients, the groups are +sent using the supported groups extension. For servers, it is used +to determine which group to use. This setting affects groups used for both +signatures and key exchange, if applicable. It also affects the preferred +key_share sent by a client in a TLSv1.3 compatible connection. + +The B argument is a colon separated list of groups. The group can be +either the B name (e.g. B), some other commonly used name where +applicable (e.g. B) or an OpenSSL OID name (e.g B). Group +names are case sensitive. The list should be in order of preference with the +most preferred group first. The first listed group will be the one used for a +key_share by a TLSv1.3 client. + +=item B<-curves> + +This is a synonym for the "-groups" command. + + =item B<-named_curve> This sets the temporary curve used for ephemeral ECDH modes. Only used by 
@@ -273,16 +293,24 @@ used to determine which signature algorithm to with the client certificate. The syntax of B is identical to B. If not set then the value set for B will be used instead. -=item B +=item B -This sets the supported elliptic curves. For clients the curves are -sent using the supported curves extension. For servers it is used -to determine which curve to use. This setting affects curves used for both -signatures and key exchange, if applicable. +This sets the supported groups. For clients, the groups are +sent using the supported groups extension. For servers, it is used +to determine which group to use. This setting affects groups used for both +signatures and key exchange, if applicable. It also affects the preferred +key_share sent by a client in a TLSv1.3 compatible connection. -The B argument is a colon separated list of curves. The curve can be -either the B name (e.g. B) or an OpenSSL OID name (e.g -B). Curve names are case sensitive. +The B argument is a colon separated list of groups. The group can be +either the B name (e.g. B), some other commonly used name where +applicable (e.g. B) or an OpenSSL OID name (e.g B). Group +names are case sensitive. The list should be in order of preference with the +most preferred group first. The first listed group will be the one used for a +key_share by a TLSv1.3 client. + +=item B + +This is a synonym for the "Groups" command. =item B diff --git a/doc/man3/SSL_CTX_use_serverinfo.pod b/doc/man3/SSL_CTX_use_serverinfo.pod index bd496ff..d35a196 100644 --- a/doc/man3/SSL_CTX_use_serverinfo.pod +++ b/doc/man3/SSL_CTX_use_serverinfo.pod 
@@ -2,12 +2,19 @@ =head1 NAME -SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file - use serverinfo extension +SSL_CTX_use_serverinfo_ex, +SSL_CTX_use_serverinfo, +SSL_CTX_use_serverinfo_file +- use serverinfo extension =head1 SYNOPSIS #include + int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version, + const unsigned char *serverinfo, + size_t serverinfo_length); + int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, size_t serverinfo_length); 
@@ -15,20 +22,40 @@ SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file - use serverinfo extension =head1 DESCRIPTION -These functions load "serverinfo" TLS ServerHello Extensions into the SSL_CTX. -A "serverinfo" extension is returned in response to an empty ClientHello +These functions load "serverinfo" TLS extensions into the SSL_CTX. A +"serverinfo" extension is returned in response to an empty ClientHello Extension. -SSL_CTX_use_serverinfo() loads one or more serverinfo extensions from -a byte array into B. The extensions must be concatenated into a -sequence of bytes. Each extension must consist of a 2-byte Extension Type, -a 2-byte length, and then length bytes of extension_data. +SSL_CTX_use_serverinfo_ex() loads one or more serverinfo extensions from +a byte array into B. The B parameter specifies the format of the +byte array provided in B<*serverinfo> which is of length B. + +If B is B then the extensions in the array must +consist of a 4-byte context, a 2-byte Extension Type, a 2-byte length, and then +length bytes of extension_data. The context and type values have the same +meaning as for L. If serverinfo is being loaded for +extensions to be added to a Certificate message, then the extension will only +be added for the first certificate in the message (which is always the +end-entity certificate). + +If B is B then the extensions in the array must +consist of a 2-byte Extension Type, a 2-byte length, and then length bytes of +extension_data. The type value has the same meaning as for +L. The following default context value will be used +in this case: + + SSL_EXT_TLS1_2_AND_BELOW_ONLY | SSL_EXT_CLIENT_HELLO + | SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_IGNORE_ON_RESUMPTION + +SSL_CTX_use_serverinfo() does the same thing as SSL_CTX_use_serverinfo_ex() +except that there is no B parameter so a default version of +SSL_SERVERINFOV1 is used instead. SSL_CTX_use_serverinfo_file() loads one or more serverinfo extensions from B into B. 
The extensions must be in PEM format. Each extension -must consist of a 2-byte Extension Type, a 2-byte length, and then length -bytes of extension_data. Each PEM extension name must begin with the phrase -"BEGIN SERVERINFO FOR ". +must be in a format as described above for SSL_CTX_use_serverinfo_ex(). Each +PEM extension name must begin with the phrase "BEGIN SERVERINFOV2 FOR " for +SSL_SERVERINFOV2 data or "BEGIN SERVERINFO FOR " for SSL_SERVERINFOV1 data. If more than one certificate (RSA/DSA) is installed using SSL_CTX_use_certificate(), the serverinfo extension will be loaded into the @@ -36,7 +63,7 @@ last certificate installed. If e.g. the last item was a RSA certificate, the loaded serverinfo extension data will be loaded for that certificate. To use the serverinfo extension for multiple certificates, SSL_CTX_use_serverinfo() needs to be called multiple times, once B -each time a certificate is loaded. +each time a certificate is loaded via a call to SSL_CTX_use_certificate(). =head1 RETURN VALUES @@ -46,7 +73,7 @@ the reason. =head1 COPYRIGHT -Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index d9c45de..3762e51 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -932,6 +932,10 @@ #define NID_id_smime_aa_dvcs_dvc 240 #define OBJ_id_smime_aa_dvcs_dvc OBJ_id_smime_aa,29L +#define SN_id_smime_aa_signingCertificateV2 "id-smime-aa-signingCertificateV2" +#define NID_id_smime_aa_signingCertificateV2 1086 +#define OBJ_id_smime_aa_signingCertificateV2 OBJ_id_smime_aa,30L + #define SN_id_smime_alg_ESDHwith3DES "id-smime-alg-ESDHwith3DES" #define NID_id_smime_alg_ESDHwith3DES 241 #define OBJ_id_smime_alg_ESDHwith3DES OBJ_id_smime_alg,1L 
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index b1da6c5..764ecea 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1451,9 +1451,17 @@ __owur int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d, __owur int SSL_use_certificate(SSL *ssl, X509 *x); __owur int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); + +/* serverinfo file format versions */ +# define SSL_SERVERINFOV1 1 +# define SSL_SERVERINFOV2 2 + /* Set serverinfo data for the current active cert. */ __owur int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, size_t serverinfo_length); +__owur int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version, + const unsigned char *serverinfo, + size_t serverinfo_length); __owur int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file); #ifndef OPENSSL_NO_RSA @@ -2328,6 +2336,7 @@ int ERR_load_SSL_strings(void); # define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178 # define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179 # define SSL_F_SSL_CTX_USE_SERVERINFO 336 +# define SSL_F_SSL_CTX_USE_SERVERINFO_EX 543 # define SSL_F_SSL_CTX_USE_SERVERINFO_FILE 337 # define SSL_F_SSL_DANE_DUP 403 # define SSL_F_SSL_DANE_ENABLE 395 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 07e735c..aef65cd 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -68,9 +68,9 @@ extern "C" { # define TLS1_3_VERSION 0x0304 # define TLS_MAX_VERSION TLS1_3_VERSION -/* TODO(TLS1.3) REMOVE ME: Version indicator for draft -19 */ -# define TLS1_3_VERSION_DRAFT 0x7f13 -# define TLS1_3_VERSION_DRAFT_TXT "TLS 1.3 (draft 19)" +/* TODO(TLS1.3) REMOVE ME: Version indicator for draft -20 */ +# define TLS1_3_VERSION_DRAFT 0x7f14 +# define TLS1_3_VERSION_DRAFT_TXT "TLS 1.3 (draft 20)" /* Special value for method supporting multiple versions */ # define TLS_ANY_VERSION 0x10000 diff --git a/include/openssl/ts.h b/include/openssl/ts.h index a565982..ce83410 100644 
--- a/include/openssl/ts.h +++ b/include/openssl/ts.h @@ -61,6 +61,11 @@ typedef struct ESS_signing_cert ESS_SIGNING_CERT; DEFINE_STACK_OF(ESS_CERT_ID) +typedef struct ESS_cert_id_v2_st ESS_CERT_ID_V2; +typedef struct ESS_signing_cert_v2_st ESS_SIGNING_CERT_V2; + +DEFINE_STACK_OF(ESS_CERT_ID_V2) + typedef struct TS_resp_st TS_RESP; TS_REQ *TS_REQ_new(void); @@ -156,6 +161,21 @@ ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a, const unsigned char **pp, long length); ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a); +ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new(void); +void ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a); +int i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **pp); +ESS_CERT_ID_V2 *d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, + const unsigned char **pp, long length); +ESS_CERT_ID_V2 *ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *a); + +ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new(void); +void ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a); +int i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a, unsigned char **pp); +ESS_SIGNING_CERT_V2 *d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a, + const unsigned char **pp, + long length); +ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *a); + int TS_REQ_set_version(TS_REQ *a, long version); long TS_REQ_get_version(const TS_REQ *a); @@ -316,6 +336,7 @@ int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key); int TS_RESP_CTX_set_signer_digest(TS_RESP_CTX *ctx, const EVP_MD *signer_digest); +int TS_RESP_CTX_set_ess_cert_id_digest(TS_RESP_CTX *ctx, const EVP_MD *md); /* This parameter must be set. */ int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *def_policy); 
@@ -528,6 +549,8 @@ int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx); int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx); int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section, TS_RESP_CTX *ctx); +int TS_CONF_set_ess_cert_id_digest(CONF *conf, const char *section, + TS_RESP_CTX *ctx); /* -------------------------------------------------- */ /* BEGIN ERROR CODES */ @@ -544,8 +567,11 @@ int ERR_load_TS_strings(void); # define TS_F_DEF_SERIAL_CB 110 # define TS_F_DEF_TIME_CB 111 # define TS_F_ESS_ADD_SIGNING_CERT 112 +# define TS_F_ESS_ADD_SIGNING_CERT_V2 147 # define TS_F_ESS_CERT_ID_NEW_INIT 113 +# define TS_F_ESS_CERT_ID_V2_NEW_INIT 156 # define TS_F_ESS_SIGNING_CERT_NEW_INIT 114 +# define TS_F_ESS_SIGNING_CERT_V2_NEW_INIT 157 # define TS_F_INT_TS_RESP_VERIFY_TOKEN 149 # define TS_F_PKCS7_TO_TS_TST_INFO 148 # define TS_F_TS_ACCURACY_SET_MICROS 115 @@ -606,6 +632,7 @@ int ERR_load_TS_strings(void); # define TS_R_COULD_NOT_SET_TIME 115 # define TS_R_DETACHED_CONTENT 134 # define TS_R_ESS_ADD_SIGNING_CERT_ERROR 116 +# define TS_R_ESS_ADD_SIGNING_CERT_V2_ERROR 139 # define TS_R_ESS_SIGNING_CERTIFICATE_ERROR 101 # define TS_R_INVALID_NULL_POINTER 102 # define TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE 117 diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 43c4a94..bff93eb 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -860,7 +860,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, } if (SSL_TREAT_AS_TLS13(s) && s->enc_write_ctx != NULL) { - size_t padding = 0; + size_t rlen; if (!WPACKET_put_bytes_u8(thispkt, type)) { SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); 
@@ -869,34 +869,37 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, SSL3_RECORD_add_length(thiswr, 1); /* Add TLS1.3 padding */ - if (s->record_padding_cb != NULL) { - size_t rlen = SSL3_RECORD_get_length(thiswr); - - padding = s->record_padding_cb(s, type, rlen, s->record_padding_arg); - /* do not allow the record to exceed max plaintext length */ - if (padding > (SSL3_RT_MAX_PLAIN_LENGTH - rlen)) - padding = SSL3_RT_MAX_PLAIN_LENGTH - rlen; - } else if (s->block_padding > 0) { - size_t mask = s->block_padding - 1; - size_t remainder; - - /* optimize for power of 2 */ - if ((s->block_padding & mask) == 0) - remainder = SSL3_RECORD_get_length(thiswr) & mask; - else - remainder = SSL3_RECORD_get_length(thiswr) % s->block_padding; - /* don't want to add a block of padding if we don't have to */ - if (remainder == 0) - padding = 0; - else - padding = s->block_padding - remainder; - } - if (padding > 0) { - if (!WPACKET_memset(thispkt, 0, padding)) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); - goto err; + rlen = SSL3_RECORD_get_length(thiswr); + if (rlen < SSL3_RT_MAX_PLAIN_LENGTH) { + size_t padding = 0; + size_t max_padding = SSL3_RT_MAX_PLAIN_LENGTH - rlen; + if (s->record_padding_cb != NULL) { + padding = s->record_padding_cb(s, type, rlen, s->record_padding_arg); + } else if (s->block_padding > 0) { + size_t mask = s->block_padding - 1; + size_t remainder; + + /* optimize for power of 2 */ + if ((s->block_padding & mask) == 0) + remainder = rlen & mask; + else + remainder = rlen % s->block_padding; + /* don't want to add a block of padding if we don't have to */ + if (remainder == 0) + padding = 0; + else + padding = s->block_padding - remainder; + } + if (padding > 0) { + /* do not allow the record to exceed max plaintext length */ + if (padding > max_padding) + padding = max_padding; + if (!WPACKET_memset(thispkt, 0, padding)) { + SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + goto err; + } + SSL3_RECORD_add_length(thiswr, 
padding); } - SSL3_RECORD_add_length(thiswr, padding); } } diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 296ce0d..a845dae 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -174,6 +174,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE), "SSL_CTX_use_RSAPrivateKey_file"}, {ERR_FUNC(SSL_F_SSL_CTX_USE_SERVERINFO), "SSL_CTX_use_serverinfo"}, + {ERR_FUNC(SSL_F_SSL_CTX_USE_SERVERINFO_EX), "SSL_CTX_use_serverinfo_ex"}, {ERR_FUNC(SSL_F_SSL_CTX_USE_SERVERINFO_FILE), "SSL_CTX_use_serverinfo_file"}, {ERR_FUNC(SSL_F_SSL_DANE_DUP), "ssl_dane_dup"}, diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 87be646..f0a058e 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -9,6 +9,7 @@ #include #include "ssl_locl.h" +#include "packet_locl.h" #include #include #include 
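Review bot: The clamp `if (padding > max_padding) padding = max_padding;` silently drops the block-alignment property for records within one block of SSL3_RT_MAX_PLAIN_LENGTH, so for those records the record length reveals the plaintext length more precisely than the configured block padding suggests; that trade-off deserves a comment next to the clamp, e.g. `/* Truncated here, so the record may not be block aligned */`. The new outer guard `if (rlen < SSL3_RT_MAX_PLAIN_LENGTH)` is also what keeps `SSL3_RT_MAX_PLAIN_LENGTH - rlen` from wrapping if rlen ever exceeded the maximum, which the old subtraction did not guard; a short comment saying so protects it from being simplified away later. do_ssl3_write starts and ends outside the hunk.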
@@ -693,50 +694,43 @@ static int serverinfo_find_extension(const unsigned char *serverinfo, const unsigned char **extension_data, size_t *extension_length) { + PACKET pkt, data; + *extension_data = NULL; *extension_length = 0; if (serverinfo == NULL || serverinfo_length == 0) return -1; + + if (!PACKET_buf_init(&pkt, serverinfo, serverinfo_length)) + return -1; + for (;;) { unsigned int type = 0; - size_t len = 0; + unsigned long context = 0; /* end of serverinfo */ - if (serverinfo_length == 0) + if (PACKET_remaining(&pkt) == 0) return 0; /* Extension not found */ - /* read 2-byte type field */ - if (serverinfo_length < 2) - return -1; /* Error */ - type = (serverinfo[0] << 8) + serverinfo[1]; - serverinfo += 2; - serverinfo_length -= 2; - - /* read 2-byte len field */ - if (serverinfo_length < 2) - return -1; /* Error */ - len = (serverinfo[0] << 8) + serverinfo[1]; - serverinfo += 2; - serverinfo_length -= 2; - - if (len > serverinfo_length) - return -1; /* Error */ + if (!PACKET_get_net_4(&pkt, &context) + || !PACKET_get_net_2(&pkt, &type) + || !PACKET_get_length_prefixed_2(&pkt, &data)) + return -1; if (type == extension_type) { - *extension_data = serverinfo; - *extension_length = len; + *extension_data = PACKET_data(&data); + *extension_length = PACKET_remaining(&data);; return 1; /* Success */ } - - serverinfo += len; - serverinfo_length -= len; } /* Unreachable */ } -static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type, - const unsigned char *in, - size_t inlen, int *al, void *arg) +static int serverinfoex_srv_parse_cb(SSL *s, unsigned int ext_type, + unsigned int context, + const unsigned char *in, + size_t inlen, X509 *x, size_t chainidx, + int *al, void *arg) { if (inlen != 0) { 
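Review bot: `*extension_length = PACKET_remaining(&data);;` has a stray second semicolon; drop it. The rewritten loop now reads a 4-byte context before every type/length pair, so it is only correct if every stored serverinfo buffer is in the 8-byte-header layout whichever entry point loaded it; a comment stating that invariant, e.g. `/* Stored serverinfo always carries a 4-byte context before each extension */`, makes the assumption visible to whoever touches the storing side. The signature line of serverinfo_find_extension is outside the hunk.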
@@ -747,13 +741,27 @@ static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type, return 1; } -static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type, - const unsigned char **out, size_t *outlen, - int *al, void *arg) +static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type, + const unsigned char *in, + size_t inlen, int *al, void *arg) +{ + return serverinfoex_srv_parse_cb(s, ext_type, 0, in, inlen, NULL, 0, al, + arg); +} + +static int serverinfoex_srv_add_cb(SSL *s, unsigned int ext_type, + unsigned int context, + const unsigned char **out, + size_t *outlen, X509 *x, size_t chainidx, + int *al, void *arg) { const unsigned char *serverinfo = NULL; size_t serverinfo_length = 0; + /* We only support extensions for the first Certificate */ + if ((context & SSL_EXT_TLS1_3_CERTIFICATE) != 0 && chainidx > 0) + return 0; + /* Is there serverinfo data for the chosen server cert? */ if ((ssl_get_server_cert_serverinfo(s, &serverinfo, &serverinfo_length)) != 0) { 
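Review bot: The `return 0` in the new `chainidx > 0` branch of serverinfoex_srv_add_cb means the extension is omitted rather than reported as an error, and the comment above it says neither that nor why only the first certificate is covered. Expanding it to `/* serverinfo is bound to the end-entity cert, so omit (0, not -1) for chain certs */` would keep the next reader from "fixing" it to an error; that the binding to the end-entity cert is the actual reason is inferred from the ssl_get_server_cert_serverinfo call and should be confirmed. The function continues past the hunk.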
@@ -772,81 +780,90 @@ static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type, * extension */ } +static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type, + const unsigned char **out, size_t *outlen, + int *al, void *arg) +{ + return serverinfoex_srv_add_cb(s, ext_type, 0, out, outlen, NULL, 0, al, + arg); +} + /* * With a NULL context, this function just checks that the serverinfo data * parses correctly. With a non-NULL context, it registers callbacks for * the included extensions. */ -static int serverinfo_process_buffer(const unsigned char *serverinfo, +static int serverinfo_process_buffer(unsigned int version, + const unsigned char *serverinfo, size_t serverinfo_length, SSL_CTX *ctx) { + PACKET pkt; + if (serverinfo == NULL || serverinfo_length == 0) return 0; - for (;;) { - unsigned int ext_type = 0; - size_t len = 0; - /* end of serverinfo */ - if (serverinfo_length == 0) - return 1; - - /* read 2-byte type field */ - if (serverinfo_length < 2) - return 0; - /* FIXME: check for types we understand explicitly? 
*/ - - /* Register callbacks for extensions */ - ext_type = (serverinfo[0] << 8) + serverinfo[1]; - if (ctx != NULL - && custom_ext_find(&ctx->cert->custext, ENDPOINT_SERVER, - ext_type, NULL) - == NULL - && !SSL_CTX_add_server_custom_ext(ctx, ext_type, - serverinfo_srv_add_cb, - NULL, NULL, - serverinfo_srv_parse_cb, - NULL)) - return 0; + if (version != SSL_SERVERINFOV1 && version != SSL_SERVERINFOV2) + return 0; - serverinfo += 2; - serverinfo_length -= 2; + if (!PACKET_buf_init(&pkt, serverinfo, serverinfo_length)) + return 0; - /* read 2-byte len field */ - if (serverinfo_length < 2) - return 0; - len = (serverinfo[0] << 8) + serverinfo[1]; - serverinfo += 2; - serverinfo_length -= 2; + while (PACKET_remaining(&pkt)) { + unsigned long context = 0; + unsigned int ext_type = 0; + PACKET data; - if (len > serverinfo_length) + if (!PACKET_get_net_4(&pkt, &context) + || !PACKET_get_net_2(&pkt, &ext_type) + || !PACKET_get_length_prefixed_2(&pkt, &data)) return 0; - serverinfo += len; - serverinfo_length -= len; + if (ctx == NULL) + continue; + + if (version == SSL_SERVERINFOV1) { + if (!SSL_CTX_add_server_custom_ext(ctx, ext_type, + serverinfo_srv_add_cb, + NULL, NULL, + serverinfo_srv_parse_cb, + NULL)) + return 0; + } else { + if (!SSL_CTX_add_custom_ext(ctx, ext_type, context, + serverinfoex_srv_add_cb, + NULL, NULL, + serverinfoex_srv_parse_cb, + NULL)) + return 0; + } } + + return 1; } -int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, - size_t serverinfo_length) +int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version, + const unsigned char *serverinfo, + size_t serverinfo_length) { unsigned char *new_serverinfo; if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_PASSED_NULL_PARAMETER); + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_PASSED_NULL_PARAMETER); return 0; } - if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL)) { - 
SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA); + if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length, + NULL)) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA); return 0; } if (ctx->cert->key == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_INTERNAL_ERROR); return 0; } new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo, serverinfo_length); if (new_serverinfo == NULL) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE); + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, ERR_R_MALLOC_FAILURE); return 0; } ctx->cert->key->serverinfo = new_serverinfo; @@ -857,13 +874,21 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, * Now that the serverinfo is validated and stored, go ahead and * register callbacks. */ - if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx)) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA); + if (!serverinfo_process_buffer(version, serverinfo, serverinfo_length, + ctx)) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_EX, SSL_R_INVALID_SERVERINFO_DATA); return 0; } return 1; } +int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, + size_t serverinfo_length) +{ + return SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV1, serverinfo, + serverinfo_length); +} + int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) { unsigned char *serverinfo = NULL; 
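Review bot: serverinfo_process_buffer now reads a 4-byte context with `PACKET_get_net_4` for both versions, but the version-1 layout (2-byte type, 2-byte length, as the loader in this file checks) has no context, so a caller-supplied V1 buffer passed through the retained `SSL_CTX_use_serverinfo` — which forwards to `SSL_CTX_use_serverinfo_ex(ctx, SSL_SERVERINFOV1, ...)` — has its first type/length pair consumed as the context and is then validated and stored in that misread form, unless something outside the hunk rewrites it first (the visible part of _ex only reallocates). The file loader escapes this only because it prepends a synthesized context to V1 blocks before calling _ex with version V1, which gives "V1" two different meanings. One consistent fix is to read the context only for V2, `if ((version == SSL_SERVERINFOV2 && !PACKET_get_net_4(&pkt, &context)) || !PACKET_get_net_2(&pkt, &ext_type) || !PACKET_get_length_prefixed_2(&pkt, &data))`, and have _ex convert V1 input to the 8-byte-header layout before storing it, since serverinfo_find_extension always expects a context; the alternative is for the file loader to pass SSL_SERVERINFOV2 once it has synthesized the context. A regression test that hands a raw V1 buffer to SSL_CTX_use_serverinfo would catch either approach going wrong.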
@@ -873,10 +898,12 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) long extension_length = 0; char *name = NULL; char *header = NULL; - char namePrefix[] = "SERVERINFO FOR "; + char namePrefix1[] = "SERVERINFO FOR "; + char namePrefix2[] = "SERVERINFOV2 FOR "; int ret = 0; BIO *bin = NULL; - size_t num_extensions = 0; + size_t num_extensions = 0, contextoff = 0; + unsigned int version; if (ctx == NULL || file == NULL) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PASSED_NULL_PARAMETER); 
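Review bot: `unsigned int version;` is declared without an initializer and is only assigned inside the PEM-reading loop, yet it is later handed to `SSL_CTX_use_serverinfo_ex` in a following hunk; if no block is read the call receives an indeterminate value. A `num_extensions == 0` check outside the visible lines may make that path unreachable, but initializing is cheaper than relying on it: `unsigned int version = SSL_SERVERINFOV1;`. SSL_CTX_use_serverinfo_file continues past the hunk.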
@@ -907,32 +934,72 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) break; } /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */ - if (strlen(name) < strlen(namePrefix)) { + if (strlen(name) < strlen(namePrefix1)) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_TOO_SHORT); goto end; } - if (strncmp(name, namePrefix, strlen(namePrefix)) != 0) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, - SSL_R_PEM_NAME_BAD_PREFIX); - goto end; + if (strncmp(name, namePrefix1, strlen(namePrefix1)) == 0) { + version = SSL_SERVERINFOV1; + } else { + if (strlen(name) < strlen(namePrefix2)) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, + SSL_R_PEM_NAME_TOO_SHORT); + goto end; + } + if (strncmp(name, namePrefix2, strlen(namePrefix2)) != 0) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, + SSL_R_PEM_NAME_BAD_PREFIX); + goto end; + } + version = SSL_SERVERINFOV2; } /* * Check that the decoded PEM data is plausible (valid length field) */ - if (extension_length < 4 - || (extension[2] << 8) + extension[3] != extension_length - 4) { - SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); - goto end; + if (version == SSL_SERVERINFOV1) { + /* 4 byte header: 2 bytes type, 2 bytes len */ + if (extension_length < 4 + || (extension[2] << 8) + extension[3] + != extension_length - 4) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); + goto end; + } + /* + * File does not have a context value so we must take account of + * this later. 
+ */ + contextoff = 4; + } else { + /* 8 byte header: 4 bytes context, 2 bytes type, 2 bytes len */ + if (extension_length < 8 + || (extension[6] << 8) + extension[7] + != extension_length - 8) { + SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_BAD_DATA); + goto end; + } } /* Append the decoded extension to the serverinfo buffer */ - tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length); + tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length + + contextoff); if (tmp == NULL) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE); goto end; } serverinfo = tmp; - memcpy(serverinfo + serverinfo_length, extension, extension_length); - serverinfo_length += extension_length; + if (contextoff > 0) { + unsigned int synthcontext = SSL_EXT_CLIENT_HELLO + | SSL_EXT_TLS1_2_SERVER_HELLO; + unsigned char *sinfo = serverinfo + serverinfo_length; + + /* We know this only uses the last 2 bytes */ + sinfo[0] = 0; + sinfo[1] = 0; + sinfo[2] = (synthcontext >> 8) & 0xff; + sinfo[3] = synthcontext & 0xff; + } + memcpy(serverinfo + serverinfo_length + contextoff, + extension, extension_length); + serverinfo_length += extension_length + contextoff; OPENSSL_free(name); name = NULL; @@ -942,7 +1009,8 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) extension = NULL; } - ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length); + ret = SSL_CTX_use_serverinfo_ex(ctx, version, serverinfo, + serverinfo_length); end: /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */ OPENSSL_free(name); diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index f892675..847ff13 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c 
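Review bot: `contextoff` is declared once for the whole function and set to 4 in the V1 branch but never cleared in the V2 `else` branch, so a file holding a V1 block followed by a V2 block would, unless it is reset somewhere outside the visible lines, get a synthesized context prepended to an extension that already carries one and corrupt the combined buffer; a `contextoff = 0;` at the top of each loop iteration fixes it. Separately, the synthesized context writes `sinfo[0] = 0; sinfo[1] = 0;` on the strength of the comment "We know this only uses the last 2 bytes"; writing `sinfo[0] = (synthcontext >> 24) & 0xff;` and `sinfo[1] = (synthcontext >> 16) & 0xff;` costs nothing and removes the assumption. Note also that `version` ends up as that of the last block read, which is harmless only because every stored block now carries a context either way.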
@@ -1187,7 +1187,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, EVP_MD_CTX *mctx = NULL; unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE]; unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE]; - const char resumption_label[] = "resumption psk binder key"; + const char resumption_label[] = "res binder"; size_t bindersize, hashsize = EVP_MD_size(md); int ret = -1; diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c index 6de59e2..2a21ec4 100644 --- a/ssl/statem/extensions_cust.c +++ b/ssl/statem/extensions_cust.c @@ -181,11 +181,10 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx, if ((context & (SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO - | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS)) != 0) { - /* - * For ServerHello/EncryptedExtensions only send extensions present - * in ClientHello. - */ + | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS + | SSL_EXT_TLS1_3_CERTIFICATE + | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)) != 0) { + /* Only send extensions present in ClientHello. */ if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED)) continue; } diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 9030d1a..255bc96 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -28,7 +28,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, const unsigned char *hash, unsigned char *out, size_t outlen) { - const unsigned char label_prefix[] = "TLS 1.3, "; + const unsigned char label_prefix[] = "tls13 "; EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); int ret; size_t hkdflabellen; @@ -124,7 +124,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, size_t mdlen, prevsecretlen; int ret; EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); - static const char derived_secret_label[] = "derived secret"; + static const char derived_secret_label[] = "derived"; unsigned char preextractsec[EVP_MAX_MD_SIZE]; if (pctx == NULL) 
@@ -343,18 +343,12 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, int tls13_change_cipher_state(SSL *s, int which) { - static const unsigned char client_early_traffic[] = - "client early traffic secret"; - static const unsigned char client_handshake_traffic[] = - "client handshake traffic secret"; - static const unsigned char client_application_traffic[] = - "client application traffic secret"; - static const unsigned char server_handshake_traffic[] = - "server handshake traffic secret"; - static const unsigned char server_application_traffic[] = - "server application traffic secret"; - static const unsigned char resumption_master_secret[] = - "resumption master secret"; + static const unsigned char client_early_traffic[] = "c e traffic"; + static const unsigned char client_handshake_traffic[] = "c hs traffic"; + static const unsigned char client_application_traffic[] = "c ap traffic"; + static const unsigned char server_handshake_traffic[] = "s hs traffic"; + static const unsigned char server_application_traffic[] = "s ap traffic"; + static const unsigned char resumption_master_secret[] = "res master"; unsigned char *iv; unsigned char secret[EVP_MAX_MD_SIZE]; unsigned char hashval[EVP_MAX_MD_SIZE]; @@ -559,8 +553,7 @@ int tls13_change_cipher_state(SSL *s, int which) int tls13_update_key(SSL *s, int sending) { - static const unsigned char application_traffic[] = - "application traffic secret"; + static const unsigned char application_traffic[] = "traffic upd"; const EVP_MD *md = ssl_handshake_md(s); size_t hashlen = EVP_MD_size(md); unsigned char *insecret, *iv; diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf index ab2f84a..d164287 100644 --- a/test/CAtsa.cnf +++ b/test/CAtsa.cnf 
@@ -144,6 +144,8 @@ tsa_name = yes # Must the TSA name be included in the reply? # (optional, default: no) ess_cert_id_chain = yes # Must the ESS cert id chain be included? # (optional, default: no) +ess_cert_id_alg = sha256 # algorithm to compute certificate + # identifier (optional, default: sha1) [ tsa_config2 ] diff --git a/test/build.info b/test/build.info index d86acd1..b533db3 100644 --- a/test/build.info +++ b/test/build.info @@ -171,7 +171,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN SOURCE[igetest]=igetest.c INCLUDE[igetest]=.. ../include - DEPEND[igetest]=../libcrypto + DEPEND[igetest]=../libcrypto libtestutil.a SOURCE[v3nametest]=v3nametest.c INCLUDE[v3nametest]=.. ../include diff --git a/test/igetest.c b/test/igetest.c index 1245860..fc80275 100644 --- a/test/igetest.c +++ b/test/igetest.c @@ -12,12 +12,21 @@ #include #include #include -#include #include "e_os.h" +#include "testutil.h" #define TEST_SIZE 128 #define BIG_TEST_SIZE 10240 +#if BIG_TEST_SIZE < TEST_SIZE +#error BIG_TEST_SIZE is smaller than TEST_SIZE +#endif + +static unsigned char rkey[16]; +static unsigned char rkey2[16]; +static unsigned char plaintext[BIG_TEST_SIZE]; +static unsigned char saved_iv[AES_BLOCK_SIZE * 4]; + static void hexdump(FILE *f, const char *title, const unsigned char *s, int l) { int n = 0; 
@@ -145,114 +154,88 @@ static struct bi_ige_test const bi_ige_test_vectors[] = { }; -static int run_test_vectors(void) +static int test_ige_vectors(int n) { - unsigned int n; - int errs = 0; - - for (n = 0; n < OSSL_NELEM(ige_test_vectors); ++n) { - const struct ige_test *const v = &ige_test_vectors[n]; - AES_KEY key; - unsigned char buf[MAX_VECTOR_SIZE]; - unsigned char iv[AES_BLOCK_SIZE * 2]; - - assert(v->length <= MAX_VECTOR_SIZE); - - if (v->encrypt == AES_ENCRYPT) - AES_set_encrypt_key(v->key, 8 * sizeof v->key, &key); - else - AES_set_decrypt_key(v->key, 8 * sizeof v->key, &key); - memcpy(iv, v->iv, sizeof iv); - AES_ige_encrypt(v->in, buf, v->length, &key, iv, v->encrypt); - - if (memcmp(v->out, buf, v->length)) { - printf("IGE test vector %d failed\n", n); - hexdump(stdout, "key", v->key, sizeof v->key); - hexdump(stdout, "iv", v->iv, sizeof v->iv); - hexdump(stdout, "in", v->in, v->length); - hexdump(stdout, "expected", v->out, v->length); - hexdump(stdout, "got", buf, v->length); - - ++errs; - } - - /* try with in == out */ - memcpy(iv, v->iv, sizeof iv); - memcpy(buf, v->in, v->length); - AES_ige_encrypt(buf, buf, v->length, &key, iv, v->encrypt); - - if (memcmp(v->out, buf, v->length)) { - printf("IGE test vector %d failed (with in == out)\n", n); - hexdump(stdout, "key", v->key, sizeof v->key); - hexdump(stdout, "iv", v->iv, sizeof v->iv); - hexdump(stdout, "in", v->in, v->length); - hexdump(stdout, "expected", v->out, v->length); - hexdump(stdout, "got", buf, v->length); - - ++errs; - } + const struct ige_test *const v = &ige_test_vectors[n]; + AES_KEY key; + unsigned char buf[MAX_VECTOR_SIZE]; + unsigned char iv[AES_BLOCK_SIZE * 2]; + int testresult = 1; + + if (!TEST_int_le(v->length, MAX_VECTOR_SIZE)) + return 0; + + if (v->encrypt == AES_ENCRYPT) + AES_set_encrypt_key(v->key, 8 * sizeof v->key, &key); + else + AES_set_decrypt_key(v->key, 8 * sizeof v->key, &key); + memcpy(iv, v->iv, sizeof iv); + AES_ige_encrypt(v->in, buf, v->length, &key, iv, 
v->encrypt); + + if (!TEST_mem_eq(v->out, v->length, buf, v->length)) { + TEST_info("IGE test vector %d failed", n); + hexdump(stderr, "key", v->key, sizeof v->key); + hexdump(stderr, "iv", v->iv, sizeof v->iv); + hexdump(stderr, "in", v->in, v->length); + testresult = 0; } - for (n = 0; n < OSSL_NELEM(bi_ige_test_vectors); ++n) { - const struct bi_ige_test *const v = &bi_ige_test_vectors[n]; - AES_KEY key1; - AES_KEY key2; - unsigned char buf[MAX_VECTOR_SIZE]; - - assert(v->length <= MAX_VECTOR_SIZE); - - if (v->encrypt == AES_ENCRYPT) { - AES_set_encrypt_key(v->key1, 8 * v->keysize, &key1); - AES_set_encrypt_key(v->key2, 8 * v->keysize, &key2); - } else { - AES_set_decrypt_key(v->key1, 8 * v->keysize, &key1); - AES_set_decrypt_key(v->key2, 8 * v->keysize, &key2); - } - - AES_bi_ige_encrypt(v->in, buf, v->length, &key1, &key2, v->iv, - v->encrypt); - - if (memcmp(v->out, buf, v->length)) { - printf("Bidirectional IGE test vector %d failed\n", n); - hexdump(stdout, "key 1", v->key1, sizeof v->key1); - hexdump(stdout, "key 2", v->key2, sizeof v->key2); - hexdump(stdout, "iv", v->iv, sizeof v->iv); - hexdump(stdout, "in", v->in, v->length); - hexdump(stdout, "expected", v->out, v->length); - hexdump(stdout, "got", buf, v->length); - - ++errs; - } + /* try with in == out */ + memcpy(iv, v->iv, sizeof iv); + memcpy(buf, v->in, v->length); + AES_ige_encrypt(buf, buf, v->length, &key, iv, v->encrypt); + + if (!TEST_mem_eq(v->out, v->length, buf, v->length)) { + TEST_info("IGE test vector %d failed (with in == out)", n); + hexdump(stderr, "key", v->key, sizeof v->key); + hexdump(stderr, "iv", v->iv, sizeof v->iv); + hexdump(stderr, "in", v->in, v->length); + testresult = 0; } - return errs; + return testresult; } -int main(int argc, char **argv) +static int test_bi_ige_vectors(int n) { - unsigned char rkey[16]; - unsigned char rkey2[16]; - AES_KEY key; + const struct bi_ige_test *const v = &bi_ige_test_vectors[n]; + AES_KEY key1; AES_KEY key2; - unsigned char 
plaintext[BIG_TEST_SIZE]; - unsigned char ciphertext[BIG_TEST_SIZE]; - unsigned char checktext[BIG_TEST_SIZE]; - unsigned char iv[AES_BLOCK_SIZE * 4]; - unsigned char saved_iv[AES_BLOCK_SIZE * 4]; - int err = 0; - unsigned int n; - unsigned matches; + unsigned char buf[MAX_VECTOR_SIZE]; - assert(BIG_TEST_SIZE >= TEST_SIZE); + if (!TEST_int_le(v->length, MAX_VECTOR_SIZE)) + return 0; - RAND_bytes(rkey, sizeof rkey); - RAND_bytes(plaintext, sizeof plaintext); - RAND_bytes(iv, sizeof iv); - memcpy(saved_iv, iv, sizeof saved_iv); + if (v->encrypt == AES_ENCRYPT) { + AES_set_encrypt_key(v->key1, 8 * v->keysize, &key1); + AES_set_encrypt_key(v->key2, 8 * v->keysize, &key2); + } else { + AES_set_decrypt_key(v->key1, 8 * v->keysize, &key1); + AES_set_decrypt_key(v->key2, 8 * v->keysize, &key2); + } - /* Forward IGE only... */ + AES_bi_ige_encrypt(v->in, buf, v->length, &key1, &key2, v->iv, + v->encrypt); - /* Straight encrypt/decrypt */ + if (!TEST_mem_eq(v->out, v->length, buf, v->length)) { + hexdump(stderr, "key 1", v->key1, sizeof v->key1); + hexdump(stderr, "key 2", v->key2, sizeof v->key2); + hexdump(stderr, "iv", v->iv, sizeof v->iv); + hexdump(stderr, "in", v->in, v->length); + return 0; + } + + return 1; +} + +static int test_ige_enc_dec(void) +{ + AES_KEY key; + unsigned char iv[AES_BLOCK_SIZE * 4]; + unsigned char ciphertext[BIG_TEST_SIZE]; + unsigned char checktext[BIG_TEST_SIZE]; + + memcpy(iv, saved_iv, sizeof iv); AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key); AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE, &key, iv, AES_ENCRYPT); 
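Review bot: The failure branch of the new `test_bi_ige_vectors` no longer reports which vector failed; its IGE counterpart calls `TEST_info("IGE test vector %d failed", n)` and the removed code printed the index for the bidirectional case too. Add `TEST_info("Bidirectional IGE test vector %d failed", n);` before the hexdumps so the output can be attributed. Dropping the "expected"/"got" dumps in favour of TEST_mem_eq's own reporting looks intentional and is fine.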
@@ -260,14 +243,16 @@ int main(int argc, char **argv) memcpy(iv, saved_iv, sizeof iv); AES_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, iv, AES_DECRYPT); - if (memcmp(checktext, plaintext, TEST_SIZE)) { - printf("Encrypt+decrypt doesn't match\n"); - hexdump(stdout, "Plaintext", plaintext, TEST_SIZE); - hexdump(stdout, "Checktext", checktext, TEST_SIZE); - ++err; - } + return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE); +} + +static int test_ige_enc_chaining(void) +{ + AES_KEY key; + unsigned char iv[AES_BLOCK_SIZE * 4]; + unsigned char ciphertext[BIG_TEST_SIZE]; + unsigned char checktext[BIG_TEST_SIZE]; - /* Now check encrypt chaining works */ AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key); memcpy(iv, saved_iv, sizeof iv); AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE / 2, &key, iv, @@ -280,14 +265,16 @@ int main(int argc, char **argv) memcpy(iv, saved_iv, sizeof iv); AES_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, iv, AES_DECRYPT); - if (memcmp(checktext, plaintext, TEST_SIZE)) { - printf("Chained encrypt+decrypt doesn't match\n"); - hexdump(stdout, "Plaintext", plaintext, TEST_SIZE); - hexdump(stdout, "Checktext", checktext, TEST_SIZE); - ++err; - } + return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE); +} + +static int test_ige_dec_chaining(void) +{ + AES_KEY key; + unsigned char iv[AES_BLOCK_SIZE * 4]; + unsigned char ciphertext[BIG_TEST_SIZE]; + unsigned char checktext[BIG_TEST_SIZE]; - /* And check decrypt chaining */ AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key); memcpy(iv, saved_iv, sizeof iv); AES_ige_encrypt(plaintext, ciphertext, TEST_SIZE / 2, &key, iv, 
@@ -304,14 +291,20 @@ int main(int argc, char **argv) checktext + TEST_SIZE / 2, TEST_SIZE / 2, &key, iv, AES_DECRYPT); - if (memcmp(checktext, plaintext, TEST_SIZE)) { - printf("Chained encrypt+chained decrypt doesn't match\n"); - hexdump(stdout, "Plaintext", plaintext, TEST_SIZE); - hexdump(stdout, "Checktext", checktext, TEST_SIZE); - ++err; - } + return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE); +} + +static int test_ige_garble_forwards(void) +{ + AES_KEY key; + unsigned char iv[AES_BLOCK_SIZE * 4]; + unsigned char ciphertext[BIG_TEST_SIZE]; + unsigned char checktext[BIG_TEST_SIZE]; + unsigned int n; + int testresult = 1; + const size_t ctsize = sizeof(checktext); + size_t matches; - /* make sure garble extends forwards only */ AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key); memcpy(iv, saved_iv, sizeof iv); AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv, 
@@ -329,26 +322,24 @@ int main(int argc, char **argv) if (checktext[n] == plaintext[n]) ++matches; - if (matches > sizeof checktext / 2 + sizeof checktext / 100) { - printf("More than 51%% matches after garbling\n"); - ++err; - } - - if (matches < sizeof checktext / 2) { - printf("Garble extends backwards!\n"); - ++err; - } - - /* Bi-directional IGE */ + /* Fail if there is more than 51% matching bytes */ + if (!TEST_size_t_le(matches, ctsize / 2 + ctsize / 100)) + testresult = 0; - /* - * Note that we don't have to recover the IV, because chaining isn't - */ - /* possible with biIGE, so the IV is not updated. */ + /* Fail if the garble goes backwards */ + if (!TEST_size_t_gt(matches, ctsize / 2)) + testresult = 0; + return testresult; +} - RAND_bytes(rkey2, sizeof rkey2); +static int test_bi_ige_enc_dec(void) +{ + AES_KEY key, key2; + unsigned char iv[AES_BLOCK_SIZE * 4]; + unsigned char ciphertext[BIG_TEST_SIZE]; + unsigned char checktext[BIG_TEST_SIZE]; - /* Straight encrypt/decrypt */ + memcpy(iv, saved_iv, sizeof iv); AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key); AES_set_encrypt_key(rkey2, 8 * sizeof rkey2, &key2); AES_bi_ige_encrypt(plaintext, ciphertext, TEST_SIZE, &key, &key2, iv, 
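Review bot: `if (!TEST_size_t_gt(matches, ctsize / 2))` tightens the original condition: the removed code only failed when `matches < sizeof checktext / 2`, so exactly half matching passed, whereas the new assertion rejects it. If that is not intended, `TEST_size_t_ge` preserves the old boundary; if it is, the comment `/* Fail if the garble goes backwards */` should say the threshold is strict. The start of test_ige_garble_forwards is outside this hunk.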
@@ -359,14 +350,18 @@ int main(int argc, char **argv) AES_bi_ige_encrypt(ciphertext, checktext, TEST_SIZE, &key, &key2, iv, AES_DECRYPT); - if (memcmp(checktext, plaintext, TEST_SIZE)) { - printf("Encrypt+decrypt doesn't match\n"); - hexdump(stdout, "Plaintext", plaintext, TEST_SIZE); - hexdump(stdout, "Checktext", checktext, TEST_SIZE); - ++err; - } + return TEST_mem_eq(checktext, TEST_SIZE, plaintext, TEST_SIZE); +} + +static int test_bi_ige_garble1(void) +{ + AES_KEY key, key2; + unsigned char iv[AES_BLOCK_SIZE * 4]; + unsigned char ciphertext[BIG_TEST_SIZE]; + unsigned char checktext[BIG_TEST_SIZE]; + unsigned int n; + size_t matches; - /* make sure garble extends both ways */ AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key); AES_set_encrypt_key(rkey2, 8 * sizeof rkey2, &key2); AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv, @@ -384,12 +379,19 @@ int main(int argc, char **argv) if (checktext[n] == plaintext[n]) ++matches; - if (matches > sizeof checktext / 100) { - printf("More than 1%% matches after bidirectional garbling\n"); - ++err; - } + /* Fail if there is more than 1% matching bytes */ + return TEST_size_t_le(matches, sizeof checktext / 100); +} + +static int test_bi_ige_garble2(void) +{ + AES_KEY key, key2; + unsigned char iv[AES_BLOCK_SIZE * 4]; + unsigned char ciphertext[BIG_TEST_SIZE]; + unsigned char checktext[BIG_TEST_SIZE]; + unsigned int n; + size_t matches; - /* make sure garble extends both ways (2) */ AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key); AES_set_encrypt_key(rkey2, 8 * sizeof rkey2, &key2); AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv, 
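Review bot: In the new `test_bi_ige_garble1` the `iv` array is declared and then passed to `AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv, ...)` without ever being initialized, so the test encrypts with indeterminate bytes; `test_bi_ige_garble2` in the next hunk and `test_bi_ige_garble3` in the hunk after it have the same gap. In the removed monolithic main the iv had been written by earlier steps, which is what these functions lost when they became independent. Add `memcpy(iv, saved_iv, sizeof iv);` before the first use in each, as `test_bi_ige_enc_dec` already does. Each of these functions ends outside its hunk.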
@@ -407,12 +409,19 @@ int main(int argc, char **argv) if (checktext[n] == plaintext[n]) ++matches; - if (matches > sizeof checktext / 100) { - printf("More than 1%% matches after bidirectional garbling (2)\n"); - ++err; - } + /* Fail if there is more than 1% matching bytes */ + return TEST_size_t_le(matches, sizeof checktext / 100); +} + +static int test_bi_ige_garble3(void) +{ + AES_KEY key, key2; + unsigned char iv[AES_BLOCK_SIZE * 4]; + unsigned char ciphertext[BIG_TEST_SIZE]; + unsigned char checktext[BIG_TEST_SIZE]; + unsigned int n; + size_t matches; - /* make sure garble extends both ways (3) */ AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key); AES_set_encrypt_key(rkey2, 8 * sizeof rkey2, &key2); AES_ige_encrypt(plaintext, ciphertext, sizeof plaintext, &key, iv, @@ -430,12 +439,25 @@ int main(int argc, char **argv) if (checktext[n] == plaintext[n]) ++matches; - if (matches > sizeof checktext / 100) { - printf("More than 1%% matches after bidirectional garbling (3)\n"); - ++err; - } - - err += run_test_vectors(); + /* Fail if there is more than 1% matching bytes */ + return TEST_size_t_le(matches, sizeof checktext / 100); +} - return err; +void register_tests(void) +{ + RAND_bytes(rkey, sizeof rkey); + RAND_bytes(rkey2, sizeof rkey2); + RAND_bytes(plaintext, sizeof plaintext); + RAND_bytes(saved_iv, sizeof saved_iv); + + ADD_TEST(test_ige_enc_dec); + ADD_TEST(test_ige_enc_chaining); + ADD_TEST(test_ige_dec_chaining); + ADD_TEST(test_ige_garble_forwards); + ADD_TEST(test_bi_ige_enc_dec); + ADD_TEST(test_bi_ige_garble1); + ADD_TEST(test_bi_ige_garble2); + ADD_TEST(test_bi_ige_garble3); + ADD_ALL_TESTS(test_ige_vectors, OSSL_NELEM(ige_test_vectors)); + ADD_ALL_TESTS(test_bi_ige_vectors, OSSL_NELEM(bi_ige_test_vectors)); } diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t index c4e20b7..c9603de 100644 --- a/test/recipes/70-test_tls13messages.t +++ b/test/recipes/70-test_tls13messages.t 
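Review bot: The four `RAND_bytes` calls in the new register_tests ignore their return value, so a DRBG failure would leave rkey, rkey2, plaintext and saved_iv zero-filled and the garble tests would then measure something other than what they claim. Wrapping each as `if (!TEST_int_eq(RAND_bytes(rkey, sizeof rkey), 1)) return;` at least records the failure; whether the harness treats an empty registration as a failure I cannot tell from here, so a dedicated first test that does the seeding and asserts on it may be the cleaner option. register_tests is fully inside the hunk.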
@@ -126,6 +126,8 @@ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST, checkhandshake::STATUS_REQUEST_SRV_EXTENSION], + [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT, + checkhandshake::SCT_SRV_EXTENSION], [0,0,0] ); 
@@ -257,25 +259,29 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, | checkhandshake::ALPN_SRV_EXTENSION, "ALPN handshake test"); -#Test 13: SCT handshake (client request only) -#TODO(TLS1.3): This only checks that the client side extension appears. The -#SCT extension is unusual in that we have no built-in server side implementation -#The server side implementation can nomrally be added using the custom -#extensions framework (e.g. by using the "-serverinfo" s_server option). However -#currently we only support <= TLS1.2 for custom extensions because the existing -#framework and API has no knowledge of the TLS1.3 messages -$proxy->clear(); -#Note: -ct also sends status_request -$proxy->clientflags("-ct"); -$proxy->serverflags("-status_file " - .srctop_file("test", "recipes", "ocsp-response.der")); -$proxy->start(); -checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, - checkhandshake::DEFAULT_EXTENSIONS - | checkhandshake::SCT_CLI_EXTENSION - | checkhandshake::STATUS_REQUEST_CLI_EXTENSION - | checkhandshake::STATUS_REQUEST_SRV_EXTENSION, - "SCT handshake test"); +SKIP: { + skip "No CT, EC or OCSP support in this OpenSSL build", 1 + if disabled("ct") || disabled("ec") || disabled("ocsp"); + + #Test 13: SCT handshake (client request only) + $proxy->clear(); + #Note: -ct also sends status_request + $proxy->clientflags("-ct"); + $proxy->serverflags("-status_file " + .srctop_file("test", "recipes", "ocsp-response.der") + ." -serverinfo ".srctop_file("test", "serverinfo2.pem")); + $proxy->start(); + checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS + | checkhandshake::SCT_CLI_EXTENSION + | checkhandshake::SCT_SRV_EXTENSION + | checkhandshake::STATUS_REQUEST_CLI_EXTENSION + | checkhandshake::STATUS_REQUEST_SRV_EXTENSION, + "SCT handshake test"); +} + + + #Test 14: HRR Handshake $proxy->clear(); diff --git a/test/serverinfo2.pem b/test/serverinfo2.pem new file mode 100644 index 0000000..792d5c0 --- /dev/null 
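Review bot: The comment `#Test 13: SCT handshake (client request only)` is now stale: the server is started with `-serverinfo ... serverinfo2.pem` and the expected extensions include `checkhandshake::SCT_SRV_EXTENSION`, so the test covers the server's SCT reply as well. Suggest `#Test 13: SCT handshake (client request and server response via -serverinfo)`. The removed TODO explained why the server side was not exercised before; a one-line note that the server-side SCTs come from a static serverinfo file rather than a built-in implementation would preserve that context. The three blank lines added after the closing `}` can be collapsed to one.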
+++ b/test/serverinfo2.pem @@ -0,0 +1,8 @@ +-----BEGIN SERVERINFOV2 FOR CT----- +AAARgAASAPIA8AB2AO5Lvbd1zmC64UJpH6vhnmajD35fsHLYgwDEe4l6qP3LAAAB +Wxp+yVkAAAQDAEcwRQIhAMhZ7Se2olZ35Mqze2NlDsW35ttyIrRuHyi6F0KlzsSp +AiBDT8YLjNCUByVrD9jhoRbUy+t38fx9WbOWgRVxZ5xk2wB2AN3rHSt6DU+mIIuB +rYFocH4ujp0B1VyIjT0RxM227L7MAAABWxp+x80AAAQDAEcwRQIgEz/5SC+JA5Ko +0ivxGYf5XBCqjfcIrp2BpCVxyYA2ys0CIQC1kcCeihwwbiVFTjR8UecLaCd1l1ix +nopZ9ljhG018+g== +-----END SERVERINFOV2 FOR CT----- diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c index 2904ba9..daccd7c 100644 --- a/test/tls13secretstest.c +++ b/test/tls13secretstest.c @@ -34,7 +34,7 @@ * those, e.g. see * https://www.ietf.org/id/draft-thomson-tls-tls13-vectors-00.txt, however at * the time of writing these are not suitable because they are based on - * draft -16, which works differently to the draft -19 vectors below. + * draft -16, which works differently to the draft -20 vectors below. */ static unsigned char hs_start_hash[] = { 
@@ -62,83 +62,83 @@ static unsigned char ecdhe_secret[] = { }; static unsigned char handshake_secret[] = { -0xa4, 0xc6, 0x2e, 0x1c, 0x3c, 0xb8, 0x0a, 0xae, 0x34, 0x34, 0x0d, 0xb8, 0xfb, -0x0d, 0xd5, 0x0d, 0x2d, 0x2f, 0x08, 0xa4, 0x54, 0x6b, 0xbb, 0x2e, 0x60, 0xc6, -0x53, 0xac, 0xb3, 0xca, 0xf2, 0x87 +0xf5, 0x51, 0xd0, 0xbd, 0x9e, 0x6a, 0xc0, 0x95, 0x5f, 0x8e, 0xae, 0xb6, 0x28, +0x2e, 0x8d, 0x9e, 0xf3, 0xd4, 0x08, 0x57, 0x81, 0xbc, 0x9d, 0x80, 0x91, 0x8a, +0x81, 0x33, 0x86, 0x58, 0x7f, 0x46 }; -static const char *client_hts_label = "client handshake traffic secret"; +static const char *client_hts_label = "c hs traffic"; static unsigned char client_hts[] = { -0xd7, 0x58, 0x9f, 0x10, 0xa8, 0x30, 0xf3, 0x85, 0x63, 0x6f, 0xd9, 0xb0, 0x61, -0xd5, 0x20, 0x19, 0xb1, 0x45, 0x96, 0x82, 0x24, 0x8e, 0x36, 0x45, 0xf7, 0x5a, -0xd7, 0x2f, 0x31, 0xec, 0x57, 0xf7 +0x61, 0x7b, 0x35, 0x07, 0x6b, 0x9d, 0x0e, 0x08, 0xcf, 0x73, 0x1d, 0x94, 0xa8, +0x66, 0x14, 0x78, 0x41, 0x09, 0xef, 0x25, 0x55, 0x51, 0x92, 0x1d, 0xd4, 0x6e, +0x04, 0x01, 0x35, 0xcf, 0x46, 0xab }; static unsigned char client_hts_key[] = { -0xcc, 0x8b, 0xda, 0xbf, 0x83, 0x74, 0x2d, 0xf4, 0x53, 0x44, 0xff, 0xbc, 0xa4, -0x43, 0xc8, 0x2a +0x62, 0xd0, 0xdd, 0x00, 0xf6, 0x96, 0x19, 0xd3, 0xb8, 0x19, 0x3a, 0xb4, 0xa0, +0x95, 0x85, 0xa7 }; static unsigned char client_hts_iv[] = { -0xa4, 0x83, 0x46, 0x11, 0xc2, 0x78, 0xea, 0x0f, 0x94, 0x52, 0x1d, 0xca +0xff, 0xf7, 0x5d, 0xf5, 0xad, 0x35, 0xd5, 0xcb, 0x3c, 0x53, 0xf3, 0xa9 }; -static const char *server_hts_label = "server handshake traffic secret"; +static const char *server_hts_label = "s hs traffic"; static unsigned char server_hts[] = { -0xba, 0x7c, 0x3b, 0x74, 0x0d, 0x1e, 0x84, 0x82, 0xd6, 0x6f, 0x3e, 0x5e, 0x1d, -0x6e, 0x25, 0xdc, 0x87, 0x1f, 0x48, 0x74, 0x2f, 0x65, 0xa4, 0x40, 0x39, 0xda, -0xdc, 0x02, 0x2a, 0x16, 0x19, 0x5c +0xfc, 0xf7, 0xdf, 0xe6, 0x4f, 0xa2, 0xc0, 0x4f, 0x62, 0x35, 0x38, 0x7f, 0x43, +0x4e, 0x01, 0x42, 0x23, 0x36, 0xd9, 0xc0, 0x39, 0xde, 0x68, 0x47, 0xa0, 
0xb9, +0xdd, 0xcf, 0x29, 0xa8, 0x87, 0x59 }; static unsigned char server_hts_key[] = { -0x7d, 0x22, 0x2a, 0x3f, 0x72, 0x37, 0x92, 0xd9, 0x95, 0x9a, 0xe1, 0x66, 0x32, -0x6f, 0x0d, 0xc9 +0x04, 0x67, 0xf3, 0x16, 0xa8, 0x05, 0xb8, 0xc4, 0x97, 0xee, 0x67, 0x04, 0x7b, +0xbc, 0xbc, 0x54 }; static unsigned char server_hts_iv[] = { -0xa2, 0x73, 0xcd, 0x4e, 0x20, 0xe7, 0xe1, 0xe3, 0xcb, 0x0e, 0x18, 0x9e +0xde, 0x83, 0xa7, 0x3e, 0x9d, 0x81, 0x4b, 0x04, 0xc4, 0x8b, 0x78, 0x09 }; static unsigned char master_secret[] = { -0x9a, 0x2f, 0x36, 0xdc, 0x68, 0xab, 0x8f, 0x07, 0xef, 0x41, 0xea, 0x63, 0x39, -0xfc, 0x46, 0x6b, 0x11, 0x24, 0xd6, 0xba, 0x6b, 0x8a, 0x92, 0x74, 0x61, 0xd3, -0x64, 0x82, 0xc1, 0xc9, 0xc7, 0x0e +0x34, 0x83, 0x83, 0x84, 0x67, 0x12, 0xe7, 0xff, 0x24, 0xe8, 0x6e, 0x70, 0x56, +0x95, 0x16, 0x71, 0x43, 0x7f, 0x19, 0xd7, 0x85, 0x06, 0x9d, 0x75, 0x70, 0x49, +0x6e, 0x6c, 0xa4, 0x81, 0xf0, 0xb8 }; -static const char *client_ats_label = "client application traffic secret"; +static const char *client_ats_label = "c ap traffic"; static unsigned char client_ats[] = { -0xc3, 0x60, 0x5f, 0xb3, 0xc4, 0x4b, 0xc2, 0x25, 0xd2, 0xaf, 0x36, 0xad, 0x99, -0xa1, 0xcd, 0xcf, 0x71, 0xc4, 0xb9, 0xa2, 0x3d, 0xd2, 0x3e, 0xe6, 0xff, 0xca, -0x2c, 0x71, 0x86, 0x3d, 0x1f, 0x85 +0xc1, 0x4a, 0x6d, 0x79, 0x76, 0xd8, 0x10, 0x2b, 0x5a, 0x0c, 0x99, 0x51, 0x49, +0x3f, 0xee, 0x87, 0xdc, 0xaf, 0xf8, 0x2c, 0x24, 0xca, 0xb2, 0x14, 0xe8, 0xbe, +0x71, 0xa8, 0x20, 0x6d, 0xbd, 0xa5 }; static unsigned char client_ats_key[] = { -0x3a, 0x25, 0x23, 0x12, 0xde, 0x0f, 0x53, 0xc7, 0xa0, 0xb2, 0xcf, 0x71, 0xb7, -0x1a, 0x0d, 0xc7 +0xcc, 0x9f, 0x5f, 0x98, 0x0b, 0x5f, 0x10, 0x30, 0x6c, 0xba, 0xd7, 0xbe, 0x98, +0xd7, 0x57, 0x2e }; static unsigned char client_ats_iv[] = { -0xbd, 0x0d, 0x3c, 0x26, 0x9d, 0x2d, 0xa6, 0x52, 0x1b, 0x8d, 0x45, 0xef +0xb8, 0x09, 0x29, 0xe8, 0xd0, 0x2c, 0x70, 0xf6, 0x11, 0x62, 0xed, 0x6b }; -static const char *server_ats_label = "server application traffic secret"; +static const char 
*server_ats_label = "s ap traffic"; static unsigned char server_ats[] = { -0x27, 0x8d, 0x96, 0x76, 0x95, 0x9e, 0x3e, 0x39, 0xa4, 0xa9, 0xfc, 0x46, 0x9c, -0x32, 0x9f, 0xe0, 0x29, 0x50, 0x22, 0x45, 0x39, 0x82, 0xdd, 0x1c, 0xc5, 0xfb, -0xa9, 0x0a, 0x68, 0x29, 0x4e, 0x80 +0x2c, 0x90, 0x77, 0x38, 0xd3, 0xf8, 0x37, 0x02, 0xd1, 0xe4, 0x59, 0x8f, 0x48, +0x48, 0x53, 0x1d, 0x9f, 0x93, 0x65, 0x49, 0x1b, 0x9f, 0x7f, 0x52, 0xc8, 0x22, +0x29, 0x0d, 0x4c, 0x23, 0x21, 0x92 }; static unsigned char server_ats_key[] = { -0x78, 0xbd, 0xd7, 0xc6, 0xb0, 0xf1, 0x50, 0x5e, 0xae, 0x54, 0xff, 0xa5, 0xf2, -0xed, 0x0b, 0x77 +0x0c, 0xb2, 0x95, 0x62, 0xd8, 0xd8, 0x8f, 0x48, 0xb0, 0x2c, 0xbf, 0xbe, 0xd7, +0xe6, 0x2b, 0xb3 }; static unsigned char server_ats_iv[] = { -0xb1, 0x7b, 0x1c, 0xa2, 0xca, 0xbe, 0xe4, 0xac, 0xb5, 0xf3, 0x91, 0x7e +0x0d, 0xb2, 0x8f, 0x98, 0x85, 0x86, 0xa1, 0xb7, 0xe4, 0xd5, 0xc6, 0x9c }; /* Mocked out implementations of various functions */ diff --git a/util/TLSProxy/Record.pm b/util/TLSProxy/Record.pm index 5925119..8c6e901 100644 --- a/util/TLSProxy/Record.pm +++ b/util/TLSProxy/Record.pm @@ -36,7 +36,7 @@ my %record_type = ( use constant { VERS_TLS_1_4 => 0x0305, - VERS_TLS_1_3_DRAFT => 0x7f13, + VERS_TLS_1_3_DRAFT => 0x7f14, VERS_TLS_1_3 => 0x0304, VERS_TLS_1_2 => 0x0303, VERS_TLS_1_1 => 0x0302, diff --git a/util/indent.pro b/util/indent.pro index 81590e1..c147f97 100644 --- a/util/indent.pro +++ b/util/indent.pro @@ -223,8 +223,10 @@ -T ERR_STATE -T ERR_STRING_DATA -T ESS_CERT_ID +-T ESS_CERT_ID_V2 -T ESS_ISSUER_SERIAL -T ESS_SIGNING_CERT +-T ESS_SIGNING_CERT_V2 -T EVP_AES_HMAC_SHA1 -T EVP_AES_HMAC_SHA256 -T EVP_CIPHER @@ -525,6 +527,7 @@ -T STACK_OF_ENGINE_ -T STACK_OF_ENGINE_CLEANUP_ITEM_ -T STACK_OF_ESS_CERT_ID_ +-T STACK_OF_ESS_CERT_ID_V2_ -T STACK_OF_EVP_PBE_CTL_ -T STACK_OF_EVP_PKEY_ASN1_METHOD_ -T STACK_OF_EVP_PKEY_METHOD_ diff --git a/util/libcrypto.num b/util/libcrypto.num index b136a73..2e82042 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
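Review bot: The replaced `handshake_secret`, traffic secrets, keys and IVs have no stated provenance; the header comment a few lines above only says the IETF vectors are draft -16 and not suitable, which implies these draft -20 values were generated by this implementation itself. In that case the test checks that key derivation stays consistent with the shortened labels (`c hs traffic`, `s hs traffic`, `c ap traffic`, `s ap traffic`), not conformance against an independent source, and a reader cannot tell the difference. A comment above `handshake_secret` such as `/* Derived by this implementation using the draft -20 labels; replace with independently published vectors when available */` would make that explicit.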
@@ -4276,3 +4276,15 @@ X509_CRL_print_ex 4218 1_1_1 EXIST::FUNCTION:
 X509_SIG_INFO_get 4219 1_1_1 EXIST::FUNCTION:
 X509_get_signature_info 4220 1_1_1 EXIST::FUNCTION:
 X509_SIG_INFO_set 4221 1_1_1 EXIST::FUNCTION:
+ESS_CERT_ID_V2_free 4222 1_1_1 EXIST::FUNCTION:TS
+ESS_SIGNING_CERT_V2_new 4223 1_1_1 EXIST::FUNCTION:TS
+d2i_ESS_SIGNING_CERT_V2 4224 1_1_1 EXIST::FUNCTION:TS
+i2d_ESS_CERT_ID_V2 4225 1_1_1 EXIST::FUNCTION:TS
+ESS_CERT_ID_V2_dup 4226 1_1_1 EXIST::FUNCTION:TS
+TS_RESP_CTX_set_ess_cert_id_digest 4227 1_1_1 EXIST::FUNCTION:TS
+d2i_ESS_CERT_ID_V2 4228 1_1_1 EXIST::FUNCTION:TS
+i2d_ESS_SIGNING_CERT_V2 4229 1_1_1 EXIST::FUNCTION:TS
+TS_CONF_set_ess_cert_id_digest 4230 1_1_1 EXIST::FUNCTION:TS
+ESS_SIGNING_CERT_V2_free 4231 1_1_1 EXIST::FUNCTION:TS
+ESS_SIGNING_CERT_V2_dup 4232 1_1_1 EXIST::FUNCTION:TS
+ESS_CERT_ID_V2_new 4233 1_1_1 EXIST::FUNCTION:TS
diff --git a/util/libssl.num b/util/libssl.num
index a17ebbc..b4acb5d 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -449,3 +449,4 @@ SSL_get_record_padding_callback_arg 449 1_1_1 EXIST::FUNCTION:
 SSL_set_block_padding 450 1_1_1 EXIST::FUNCTION:
 SSL_set_record_padding_callback_arg 451 1_1_1 EXIST::FUNCTION:
 SSL_CTX_set_record_padding_callback_arg 452 1_1_1 EXIST::FUNCTION:
+SSL_CTX_use_serverinfo_ex 453 1_1_1 EXIST::FUNCTION: