]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/statem_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Convert ssl3_get_record to tls_read_record
[thirdparty/openssl.git] / ssl / statem / statem_lib.c
1 /*
2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include <limits.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/objects.h>
19 #include <openssl/evp.h>
20 #include <openssl/rsa.h>
21 #include <openssl/x509.h>
22 #include <openssl/trace.h>
23
24 /*
25 * Map error codes to TLS/SSL alart types.
26 */
27 typedef struct x509err2alert_st {
28 int x509err;
29 int alert;
30 } X509ERR2ALERT;
31
32 /* Fixed value used in the ServerHello random field to identify an HRR */
33 const unsigned char hrrrandom[] = {
34 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37 };
38
39 /*
40 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41 * SSL3_RT_CHANGE_CIPHER_SPEC)
42 */
43 int ssl3_do_write(SSL_CONNECTION *s, int type)
44 {
45 int ret;
46 size_t written = 0;
47 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
48
49 ret = ssl3_write_bytes(ssl, type, &s->init_buf->data[s->init_off],
50 s->init_num, &written);
51 if (ret < 0)
52 return -1;
53 if (type == SSL3_RT_HANDSHAKE)
54 /*
55 * should not be done for 'Hello Request's, but in that case we'll
56 * ignore the result anyway
57 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
58 */
59 if (!SSL_CONNECTION_IS_TLS13(s)
60 || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
61 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
62 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
63 if (!ssl3_finish_mac(s,
64 (unsigned char *)&s->init_buf->data[s->init_off],
65 written))
66 return -1;
67 if (written == s->init_num) {
68 if (s->msg_callback)
69 s->msg_callback(1, s->version, type, s->init_buf->data,
70 (size_t)(s->init_off + s->init_num), ssl,
71 s->msg_callback_arg);
72 return 1;
73 }
74 s->init_off += written;
75 s->init_num -= written;
76 return 0;
77 }
78
79 int tls_close_construct_packet(SSL_CONNECTION *s, WPACKET *pkt, int htype)
80 {
81 size_t msglen;
82
83 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
84 || !WPACKET_get_length(pkt, &msglen)
85 || msglen > INT_MAX)
86 return 0;
87 s->init_num = (int)msglen;
88 s->init_off = 0;
89
90 return 1;
91 }
92
93 int tls_setup_handshake(SSL_CONNECTION *s)
94 {
95 int ver_min, ver_max, ok;
96 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
97 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
98
99 if (!ssl3_init_finished_mac(s)) {
100 /* SSLfatal() already called */
101 return 0;
102 }
103
104 /* Reset any extension flags */
105 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
106
107 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
108 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
109 return 0;
110 }
111
112 /* Sanity check that we have MD5-SHA1 if we need it */
113 if (sctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
114 int md5sha1_needed = 0;
115
116 /* We don't have MD5-SHA1 - do we need it? */
117 if (SSL_CONNECTION_IS_DTLS(s)) {
118 if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
119 md5sha1_needed = 1;
120 } else {
121 if (ver_max <= TLS1_1_VERSION)
122 md5sha1_needed = 1;
123 }
124 if (md5sha1_needed) {
125 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
126 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
127 "The max supported SSL/TLS version needs the"
128 " MD5-SHA1 digest but it is not available"
129 " in the loaded providers. Use (D)TLSv1.2 or"
130 " above, or load different providers");
131 return 0;
132 }
133
134 ok = 1;
135 /* Don't allow TLSv1.1 or below to be negotiated */
136 if (SSL_CONNECTION_IS_DTLS(s)) {
137 if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
138 ok = SSL_set_min_proto_version(ssl, DTLS1_2_VERSION);
139 } else {
140 if (ver_min < TLS1_2_VERSION)
141 ok = SSL_set_min_proto_version(ssl, TLS1_2_VERSION);
142 }
143 if (!ok) {
144 /* Shouldn't happen */
145 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
146 return 0;
147 }
148 }
149
150 ok = 0;
151 if (s->server) {
152 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl);
153 int i;
154
155 /*
156 * Sanity check that the maximum version we accept has ciphers
157 * enabled. For clients we do this check during construction of the
158 * ClientHello.
159 */
160 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
161 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
162
163 if (SSL_CONNECTION_IS_DTLS(s)) {
164 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
165 DTLS_VERSION_LE(ver_max, c->max_dtls))
166 ok = 1;
167 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
168 ok = 1;
169 }
170 if (ok)
171 break;
172 }
173 if (!ok) {
174 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
175 SSL_R_NO_CIPHERS_AVAILABLE,
176 "No ciphers enabled for max supported "
177 "SSL/TLS version");
178 return 0;
179 }
180 if (SSL_IS_FIRST_HANDSHAKE(s)) {
181 /* N.B. s->session_ctx == s->ctx here */
182 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
183 } else {
184 /* N.B. s->ctx may not equal s->session_ctx */
185 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_renegotiate);
186
187 s->s3.tmp.cert_request = 0;
188 }
189 } else {
190 if (SSL_IS_FIRST_HANDSHAKE(s))
191 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
192 else
193 ssl_tsan_counter(s->session_ctx,
194 &s->session_ctx->stats.sess_connect_renegotiate);
195
196 /* mark client_random uninitialized */
197 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
198 s->hit = 0;
199
200 s->s3.tmp.cert_req = 0;
201
202 if (SSL_CONNECTION_IS_DTLS(s))
203 s->statem.use_timer = 1;
204 }
205
206 return 1;
207 }
208
209 /*
210 * Size of the to-be-signed TLS13 data, without the hash size itself:
211 * 64 bytes of value 32, 33 context bytes, 1 byte separator
212 */
213 #define TLS13_TBS_START_SIZE 64
214 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
215
216 static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs,
217 void **hdata, size_t *hdatalen)
218 {
219 #ifdef CHARSET_EBCDIC
220 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
221 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
222 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
223 0x69, 0x66, 0x79, 0x00 };
224 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
225 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
226 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
227 0x69, 0x66, 0x79, 0x00 };
228 #else
229 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
230 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
231 #endif
232
233 if (SSL_CONNECTION_IS_TLS13(s)) {
234 size_t hashlen;
235
236 /* Set the first 64 bytes of to-be-signed data to octet 32 */
237 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
238 /* This copies the 33 bytes of context plus the 0 separator byte */
239 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
240 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
241 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
242 else
243 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
244
245 /*
246 * If we're currently reading then we need to use the saved handshake
247 * hash value. We can't use the current handshake hash state because
248 * that includes the CertVerify itself.
249 */
250 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
251 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
252 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
253 s->cert_verify_hash_len);
254 hashlen = s->cert_verify_hash_len;
255 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
256 EVP_MAX_MD_SIZE, &hashlen)) {
257 /* SSLfatal() already called */
258 return 0;
259 }
260
261 *hdata = tls13tbs;
262 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
263 } else {
264 size_t retlen;
265 long retlen_l;
266
267 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
268 if (retlen_l <= 0) {
269 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
270 return 0;
271 }
272 *hdatalen = retlen;
273 }
274
275 return 1;
276 }
277
278 int tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt)
279 {
280 EVP_PKEY *pkey = NULL;
281 const EVP_MD *md = NULL;
282 EVP_MD_CTX *mctx = NULL;
283 EVP_PKEY_CTX *pctx = NULL;
284 size_t hdatalen = 0, siglen = 0;
285 void *hdata;
286 unsigned char *sig = NULL;
287 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
288 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
289 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
290
291 if (lu == NULL || s->s3.tmp.cert == NULL) {
292 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
293 goto err;
294 }
295 pkey = s->s3.tmp.cert->privatekey;
296
297 if (pkey == NULL || !tls1_lookup_md(sctx, lu, &md)) {
298 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
299 goto err;
300 }
301
302 mctx = EVP_MD_CTX_new();
303 if (mctx == NULL) {
304 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
305 goto err;
306 }
307
308 /* Get the data to be signed */
309 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
310 /* SSLfatal() already called */
311 goto err;
312 }
313
314 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
315 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
316 goto err;
317 }
318
319 if (EVP_DigestSignInit_ex(mctx, &pctx,
320 md == NULL ? NULL : EVP_MD_get0_name(md),
321 sctx->libctx, sctx->propq, pkey,
322 NULL) <= 0) {
323 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
324 goto err;
325 }
326
327 if (lu->sig == EVP_PKEY_RSA_PSS) {
328 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
329 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
330 RSA_PSS_SALTLEN_DIGEST) <= 0) {
331 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
332 goto err;
333 }
334 }
335 if (s->version == SSL3_VERSION) {
336 /*
337 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
338 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
339 */
340 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
341 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
342 (int)s->session->master_key_length,
343 s->session->master_key) <= 0
344 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
345
346 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
347 goto err;
348 }
349 sig = OPENSSL_malloc(siglen);
350 if (sig == NULL
351 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
352 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
353 goto err;
354 }
355 } else {
356 /*
357 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
358 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
359 */
360 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
362 goto err;
363 }
364 sig = OPENSSL_malloc(siglen);
365 if (sig == NULL
366 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
367 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
368 goto err;
369 }
370 }
371
372 #ifndef OPENSSL_NO_GOST
373 {
374 int pktype = lu->sig;
375
376 if (pktype == NID_id_GostR3410_2001
377 || pktype == NID_id_GostR3410_2012_256
378 || pktype == NID_id_GostR3410_2012_512)
379 BUF_reverse(sig, NULL, siglen);
380 }
381 #endif
382
383 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
384 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
385 goto err;
386 }
387
388 /* Digest cached records and discard handshake buffer */
389 if (!ssl3_digest_cached_records(s, 0)) {
390 /* SSLfatal() already called */
391 goto err;
392 }
393
394 OPENSSL_free(sig);
395 EVP_MD_CTX_free(mctx);
396 return 1;
397 err:
398 OPENSSL_free(sig);
399 EVP_MD_CTX_free(mctx);
400 return 0;
401 }
402
403 MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt)
404 {
405 EVP_PKEY *pkey = NULL;
406 const unsigned char *data;
407 #ifndef OPENSSL_NO_GOST
408 unsigned char *gost_data = NULL;
409 #endif
410 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
411 int j;
412 unsigned int len;
413 X509 *peer;
414 const EVP_MD *md = NULL;
415 size_t hdatalen = 0;
416 void *hdata;
417 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
418 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
419 EVP_PKEY_CTX *pctx = NULL;
420 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
421
422 if (mctx == NULL) {
423 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
424 goto err;
425 }
426
427 peer = s->session->peer;
428 pkey = X509_get0_pubkey(peer);
429 if (pkey == NULL) {
430 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
431 goto err;
432 }
433
434 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
435 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
436 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
437 goto err;
438 }
439
440 if (SSL_USE_SIGALGS(s)) {
441 unsigned int sigalg;
442
443 if (!PACKET_get_net_2(pkt, &sigalg)) {
444 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
445 goto err;
446 }
447 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
448 /* SSLfatal() already called */
449 goto err;
450 }
451 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
453 goto err;
454 }
455
456 if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) {
457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
458 goto err;
459 }
460
461 if (SSL_USE_SIGALGS(s))
462 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
463 md == NULL ? "n/a" : EVP_MD_get0_name(md));
464
465 /* Check for broken implementations of GOST ciphersuites */
466 /*
467 * If key is GOST and len is exactly 64 or 128, it is signature without
468 * length field (CryptoPro implementations at least till TLS 1.2)
469 */
470 #ifndef OPENSSL_NO_GOST
471 if (!SSL_USE_SIGALGS(s)
472 && ((PACKET_remaining(pkt) == 64
473 && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
474 || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
475 || (PACKET_remaining(pkt) == 128
476 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
477 len = PACKET_remaining(pkt);
478 } else
479 #endif
480 if (!PACKET_get_net_2(pkt, &len)) {
481 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
482 goto err;
483 }
484
485 if (!PACKET_get_bytes(pkt, &data, len)) {
486 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
487 goto err;
488 }
489
490 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
491 /* SSLfatal() already called */
492 goto err;
493 }
494
495 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
496 md == NULL ? "n/a" : EVP_MD_get0_name(md));
497
498 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
499 md == NULL ? NULL : EVP_MD_get0_name(md),
500 sctx->libctx, sctx->propq, pkey,
501 NULL) <= 0) {
502 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
503 goto err;
504 }
505 #ifndef OPENSSL_NO_GOST
506 {
507 int pktype = EVP_PKEY_get_id(pkey);
508 if (pktype == NID_id_GostR3410_2001
509 || pktype == NID_id_GostR3410_2012_256
510 || pktype == NID_id_GostR3410_2012_512) {
511 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
512 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
513 goto err;
514 }
515 BUF_reverse(gost_data, data, len);
516 data = gost_data;
517 }
518 }
519 #endif
520
521 if (SSL_USE_PSS(s)) {
522 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
523 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
524 RSA_PSS_SALTLEN_DIGEST) <= 0) {
525 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
526 goto err;
527 }
528 }
529 if (s->version == SSL3_VERSION) {
530 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
531 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
532 (int)s->session->master_key_length,
533 s->session->master_key) <= 0) {
534 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
535 goto err;
536 }
537 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
538 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
539 goto err;
540 }
541 } else {
542 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
543 if (j <= 0) {
544 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
545 goto err;
546 }
547 }
548
549 /*
550 * In TLSv1.3 on the client side we make sure we prepare the client
551 * certificate after the CertVerify instead of when we get the
552 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
553 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
554 * want to make sure that SSL_get1_peer_certificate() will return the actual
555 * server certificate from the client_cert_cb callback.
556 */
557 if (!s->server && SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
558 ret = MSG_PROCESS_CONTINUE_PROCESSING;
559 else
560 ret = MSG_PROCESS_CONTINUE_READING;
561 err:
562 BIO_free(s->s3.handshake_buffer);
563 s->s3.handshake_buffer = NULL;
564 EVP_MD_CTX_free(mctx);
565 #ifndef OPENSSL_NO_GOST
566 OPENSSL_free(gost_data);
567 #endif
568 return ret;
569 }
570
571 int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
572 {
573 size_t finish_md_len;
574 const char *sender;
575 size_t slen;
576 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
577
578 /* This is a real handshake so make sure we clean it up at the end */
579 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
580 s->statem.cleanuphand = 1;
581
582 /*
583 * We only change the keys if we didn't already do this when we sent the
584 * client certificate
585 */
586 if (SSL_CONNECTION_IS_TLS13(s)
587 && !s->server
588 && s->s3.tmp.cert_req == 0
589 && (!ssl->method->ssl3_enc->change_cipher_state(s,
590 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
591 /* SSLfatal() already called */
592 return 0;
593 }
594
595 if (s->server) {
596 sender = ssl->method->ssl3_enc->server_finished_label;
597 slen = ssl->method->ssl3_enc->server_finished_label_len;
598 } else {
599 sender = ssl->method->ssl3_enc->client_finished_label;
600 slen = ssl->method->ssl3_enc->client_finished_label_len;
601 }
602
603 finish_md_len = ssl->method->ssl3_enc->final_finish_mac(s,
604 sender, slen,
605 s->s3.tmp.finish_md);
606 if (finish_md_len == 0) {
607 /* SSLfatal() already called */
608 return 0;
609 }
610
611 s->s3.tmp.finish_md_len = finish_md_len;
612
613 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
614 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
615 return 0;
616 }
617
618 /*
619 * Log the master secret, if logging is enabled. We don't log it for
620 * TLSv1.3: there's a different key schedule for that.
621 */
622 if (!SSL_CONNECTION_IS_TLS13(s)
623 && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key,
624 s->session->master_key_length)) {
625 /* SSLfatal() already called */
626 return 0;
627 }
628
629 /*
630 * Copy the finished so we can use it for renegotiation checks
631 */
632 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
633 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
634 return 0;
635 }
636 if (!s->server) {
637 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
638 finish_md_len);
639 s->s3.previous_client_finished_len = finish_md_len;
640 } else {
641 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
642 finish_md_len);
643 s->s3.previous_server_finished_len = finish_md_len;
644 }
645
646 return 1;
647 }
648
649 int tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt)
650 {
651 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
652 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
653 return 0;
654 }
655
656 s->key_update = SSL_KEY_UPDATE_NONE;
657 return 1;
658 }
659
660 MSG_PROCESS_RETURN tls_process_key_update(SSL_CONNECTION *s, PACKET *pkt)
661 {
662 unsigned int updatetype;
663
664 /*
665 * A KeyUpdate message signals a key change so the end of the message must
666 * be on a record boundary.
667 */
668 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
669 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
670 return MSG_PROCESS_ERROR;
671 }
672
673 if (!PACKET_get_1(pkt, &updatetype)
674 || PACKET_remaining(pkt) != 0) {
675 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
676 return MSG_PROCESS_ERROR;
677 }
678
679 /*
680 * There are only two defined key update types. Fail if we get a value we
681 * didn't recognise.
682 */
683 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
684 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
685 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
686 return MSG_PROCESS_ERROR;
687 }
688
689 /*
690 * If we get a request for us to update our sending keys too then, we need
691 * to additionally send a KeyUpdate message. However that message should
692 * not also request an update (otherwise we get into an infinite loop).
693 */
694 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
695 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
696
697 if (!tls13_update_key(s, 0)) {
698 /* SSLfatal() already called */
699 return MSG_PROCESS_ERROR;
700 }
701
702 return MSG_PROCESS_FINISHED_READING;
703 }
704
705 /*
706 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
707 * to far.
708 */
709 int ssl3_take_mac(SSL_CONNECTION *s)
710 {
711 const char *sender;
712 size_t slen;
713 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
714
715 if (!s->server) {
716 sender = ssl->method->ssl3_enc->server_finished_label;
717 slen = ssl->method->ssl3_enc->server_finished_label_len;
718 } else {
719 sender = ssl->method->ssl3_enc->client_finished_label;
720 slen = ssl->method->ssl3_enc->client_finished_label_len;
721 }
722
723 s->s3.tmp.peer_finish_md_len =
724 ssl->method->ssl3_enc->final_finish_mac(s, sender, slen,
725 s->s3.tmp.peer_finish_md);
726
727 if (s->s3.tmp.peer_finish_md_len == 0) {
728 /* SSLfatal() already called */
729 return 0;
730 }
731
732 return 1;
733 }
734
735 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL_CONNECTION *s,
736 PACKET *pkt)
737 {
738 size_t remain;
739
740 remain = PACKET_remaining(pkt);
741 /*
742 * 'Change Cipher Spec' is just a single byte, which should already have
743 * been consumed by ssl_get_message() so there should be no bytes left,
744 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
745 */
746 if (SSL_CONNECTION_IS_DTLS(s)) {
747 if ((s->version == DTLS1_BAD_VER
748 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
749 || (s->version != DTLS1_BAD_VER
750 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
751 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
752 return MSG_PROCESS_ERROR;
753 }
754 } else {
755 if (remain != 0) {
756 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
757 return MSG_PROCESS_ERROR;
758 }
759 }
760
761 /* Check we have a cipher to change to */
762 if (s->s3.tmp.new_cipher == NULL) {
763 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
764 return MSG_PROCESS_ERROR;
765 }
766
767 s->s3.change_cipher_spec = 1;
768 if (!ssl3_do_change_cipher_spec(s)) {
769 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
770 return MSG_PROCESS_ERROR;
771 }
772
773 if (SSL_CONNECTION_IS_DTLS(s)) {
774 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
775
776 if (s->version == DTLS1_BAD_VER)
777 s->d1->handshake_read_seq++;
778
779 #ifndef OPENSSL_NO_SCTP
780 /*
781 * Remember that a CCS has been received, so that an old key of
782 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
783 * SCTP is used
784 */
785 BIO_ctrl(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)),
786 BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
787 #endif
788 }
789
790 return MSG_PROCESS_CONTINUE_READING;
791 }
792
793 MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt)
794 {
795 size_t md_len;
796 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
797
798
799 /* This is a real handshake so make sure we clean it up at the end */
800 if (s->server) {
801 /*
802 * To get this far we must have read encrypted data from the client. We
803 * no longer tolerate unencrypted alerts. This value is ignored if less
804 * than TLSv1.3
805 */
806 s->statem.enc_read_state = ENC_READ_STATE_VALID;
807 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
808 s->statem.cleanuphand = 1;
809 if (SSL_CONNECTION_IS_TLS13(s)
810 && !tls13_save_handshake_digest_for_pha(s)) {
811 /* SSLfatal() already called */
812 return MSG_PROCESS_ERROR;
813 }
814 }
815
816 /*
817 * In TLSv1.3 a Finished message signals a key change so the end of the
818 * message must be on a record boundary.
819 */
820 if (SSL_CONNECTION_IS_TLS13(s)
821 && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
822 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
823 return MSG_PROCESS_ERROR;
824 }
825
826 /* If this occurs, we have missed a message */
827 if (!SSL_CONNECTION_IS_TLS13(s) && !s->s3.change_cipher_spec) {
828 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
829 return MSG_PROCESS_ERROR;
830 }
831 s->s3.change_cipher_spec = 0;
832
833 md_len = s->s3.tmp.peer_finish_md_len;
834
835 if (md_len != PACKET_remaining(pkt)) {
836 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
837 return MSG_PROCESS_ERROR;
838 }
839
840 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
841 md_len) != 0) {
842 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
843 return MSG_PROCESS_ERROR;
844 }
845
846 /*
847 * Copy the finished so we can use it for renegotiation checks
848 */
849 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
850 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
851 return MSG_PROCESS_ERROR;
852 }
853 if (s->server) {
854 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
855 md_len);
856 s->s3.previous_client_finished_len = md_len;
857 } else {
858 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
859 md_len);
860 s->s3.previous_server_finished_len = md_len;
861 }
862
863 /*
864 * In TLS1.3 we also have to change cipher state and do any final processing
865 * of the initial server flight (if we are a client)
866 */
867 if (SSL_CONNECTION_IS_TLS13(s)) {
868 if (s->server) {
869 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
870 !ssl->method->ssl3_enc->change_cipher_state(s,
871 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
872 /* SSLfatal() already called */
873 return MSG_PROCESS_ERROR;
874 }
875 } else {
876 /* TLS 1.3 gets the secret size from the handshake md */
877 size_t dummy;
878 if (!ssl->method->ssl3_enc->generate_master_secret(s,
879 s->master_secret, s->handshake_secret, 0,
880 &dummy)) {
881 /* SSLfatal() already called */
882 return MSG_PROCESS_ERROR;
883 }
884 if (!ssl->method->ssl3_enc->change_cipher_state(s,
885 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
886 /* SSLfatal() already called */
887 return MSG_PROCESS_ERROR;
888 }
889 if (!tls_process_initial_server_flight(s)) {
890 /* SSLfatal() already called */
891 return MSG_PROCESS_ERROR;
892 }
893 }
894 }
895
896 return MSG_PROCESS_FINISHED_READING;
897 }
898
899 int tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt)
900 {
901 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
902 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
903 return 0;
904 }
905
906 return 1;
907 }
908
909 /* Add a certificate to the WPACKET */
910 static int ssl_add_cert_to_wpacket(SSL_CONNECTION *s, WPACKET *pkt,
911 X509 *x, int chain)
912 {
913 int len;
914 unsigned char *outbytes;
915
916 len = i2d_X509(x, NULL);
917 if (len < 0) {
918 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
919 return 0;
920 }
921 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
922 || i2d_X509(x, &outbytes) != len) {
923 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
924 return 0;
925 }
926
927 if (SSL_CONNECTION_IS_TLS13(s)
928 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
929 chain)) {
930 /* SSLfatal() already called */
931 return 0;
932 }
933
934 return 1;
935 }
936
937 /* Add certificate chain to provided WPACKET */
938 static int ssl_add_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, CERT_PKEY *cpk)
939 {
940 int i, chain_count;
941 X509 *x;
942 STACK_OF(X509) *extra_certs;
943 STACK_OF(X509) *chain = NULL;
944 X509_STORE *chain_store;
945 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
946
947 if (cpk == NULL || cpk->x509 == NULL)
948 return 1;
949
950 x = cpk->x509;
951
952 /*
953 * If we have a certificate specific chain use it, else use parent ctx.
954 */
955 if (cpk->chain != NULL)
956 extra_certs = cpk->chain;
957 else
958 extra_certs = sctx->extra_certs;
959
960 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
961 chain_store = NULL;
962 else if (s->cert->chain_store)
963 chain_store = s->cert->chain_store;
964 else
965 chain_store = sctx->cert_store;
966
967 if (chain_store != NULL) {
968 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(sctx->libctx,
969 sctx->propq);
970
971 if (xs_ctx == NULL) {
972 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
973 return 0;
974 }
975 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
976 X509_STORE_CTX_free(xs_ctx);
977 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
978 return 0;
979 }
980 /*
981 * It is valid for the chain not to be complete (because normally we
982 * don't include the root cert in the chain). Therefore we deliberately
983 * ignore the error return from this call. We're not actually verifying
984 * the cert - we're just building as much of the chain as we can
985 */
986 (void)X509_verify_cert(xs_ctx);
987 /* Don't leave errors in the queue */
988 ERR_clear_error();
989 chain = X509_STORE_CTX_get0_chain(xs_ctx);
990 i = ssl_security_cert_chain(s, chain, NULL, 0);
991 if (i != 1) {
992 #if 0
993 /* Dummy error calls so mkerr generates them */
994 ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
995 ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
996 ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
997 #endif
998 X509_STORE_CTX_free(xs_ctx);
999 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
1000 return 0;
1001 }
1002 chain_count = sk_X509_num(chain);
1003 for (i = 0; i < chain_count; i++) {
1004 x = sk_X509_value(chain, i);
1005
1006 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
1007 /* SSLfatal() already called */
1008 X509_STORE_CTX_free(xs_ctx);
1009 return 0;
1010 }
1011 }
1012 X509_STORE_CTX_free(xs_ctx);
1013 } else {
1014 i = ssl_security_cert_chain(s, extra_certs, x, 0);
1015 if (i != 1) {
1016 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
1017 return 0;
1018 }
1019 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1020 /* SSLfatal() already called */
1021 return 0;
1022 }
1023 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1024 x = sk_X509_value(extra_certs, i);
1025 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1026 /* SSLfatal() already called */
1027 return 0;
1028 }
1029 }
1030 }
1031 return 1;
1032 }
1033
1034 unsigned long ssl3_output_cert_chain(SSL_CONNECTION *s, WPACKET *pkt,
1035 CERT_PKEY *cpk)
1036 {
1037 if (!WPACKET_start_sub_packet_u24(pkt)) {
1038 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1039 return 0;
1040 }
1041
1042 if (!ssl_add_cert_chain(s, pkt, cpk))
1043 return 0;
1044
1045 if (!WPACKET_close(pkt)) {
1046 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1047 return 0;
1048 }
1049
1050 return 1;
1051 }
1052
1053 /*
1054 * Tidy up after the end of a handshake. In the case of SCTP this may result
1055 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1056 * freed up as well.
1057 */
1058 WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst,
1059 int clearbufs, int stop)
1060 {
1061 void (*cb) (const SSL *ssl, int type, int val) = NULL;
1062 int cleanuphand = s->statem.cleanuphand;
1063 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1064 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1065
1066 if (clearbufs) {
1067 if (!SSL_CONNECTION_IS_DTLS(s)
1068 #ifndef OPENSSL_NO_SCTP
1069 /*
1070 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1071 * messages that require it. Therefore, DTLS procedures for retransmissions
1072 * MUST NOT be used.
1073 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1074 */
1075 || BIO_dgram_is_sctp(SSL_get_wbio(ssl))
1076 #endif
1077 ) {
1078 /*
1079 * We don't do this in DTLS over UDP because we may still need the init_buf
1080 * in case there are any unexpected retransmits
1081 */
1082 BUF_MEM_free(s->init_buf);
1083 s->init_buf = NULL;
1084 }
1085
1086 if (!ssl_free_wbio_buffer(s)) {
1087 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1088 return WORK_ERROR;
1089 }
1090 s->init_num = 0;
1091 }
1092
1093 if (SSL_CONNECTION_IS_TLS13(s) && !s->server
1094 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1095 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1096
1097 /*
1098 * Only set if there was a Finished message and this isn't after a TLSv1.3
1099 * post handshake exchange
1100 */
1101 if (cleanuphand) {
1102 /* skipped if we just sent a HelloRequest */
1103 s->renegotiate = 0;
1104 s->new_session = 0;
1105 s->statem.cleanuphand = 0;
1106 s->ext.ticket_expected = 0;
1107
1108 ssl3_cleanup_key_block(s);
1109
1110 if (s->server) {
1111 /*
1112 * In TLSv1.3 we update the cache as part of constructing the
1113 * NewSessionTicket
1114 */
1115 if (!SSL_CONNECTION_IS_TLS13(s))
1116 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1117
1118 /* N.B. s->ctx may not equal s->session_ctx */
1119 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good);
1120 s->handshake_func = ossl_statem_accept;
1121 } else {
1122 if (SSL_CONNECTION_IS_TLS13(s)) {
1123 /*
1124 * We encourage applications to only use TLSv1.3 tickets once,
1125 * so we remove this one from the cache.
1126 */
1127 if ((s->session_ctx->session_cache_mode
1128 & SSL_SESS_CACHE_CLIENT) != 0)
1129 SSL_CTX_remove_session(s->session_ctx, s->session);
1130 } else {
1131 /*
1132 * In TLSv1.3 we update the cache as part of processing the
1133 * NewSessionTicket
1134 */
1135 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1136 }
1137 if (s->hit)
1138 ssl_tsan_counter(s->session_ctx,
1139 &s->session_ctx->stats.sess_hit);
1140
1141 s->handshake_func = ossl_statem_connect;
1142 ssl_tsan_counter(s->session_ctx,
1143 &s->session_ctx->stats.sess_connect_good);
1144 }
1145
1146 if (SSL_CONNECTION_IS_DTLS(s)) {
1147 /* done with handshaking */
1148 s->d1->handshake_read_seq = 0;
1149 s->d1->handshake_write_seq = 0;
1150 s->d1->next_handshake_write_seq = 0;
1151 dtls1_clear_received_buffer(s);
1152 }
1153 }
1154
1155 if (s->info_callback != NULL)
1156 cb = s->info_callback;
1157 else if (sctx->info_callback != NULL)
1158 cb = sctx->info_callback;
1159
1160 /* The callback may expect us to not be in init at handshake done */
1161 ossl_statem_set_in_init(s, 0);
1162
1163 if (cb != NULL) {
1164 if (cleanuphand
1165 || !SSL_CONNECTION_IS_TLS13(s)
1166 || SSL_IS_FIRST_HANDSHAKE(s))
1167 cb(ssl, SSL_CB_HANDSHAKE_DONE, 1);
1168 }
1169
1170 if (!stop) {
1171 /* If we've got more work to do we go back into init */
1172 ossl_statem_set_in_init(s, 1);
1173 return WORK_FINISHED_CONTINUE;
1174 }
1175
1176 return WORK_FINISHED_STOP;
1177 }
1178
1179 int tls_get_message_header(SSL_CONNECTION *s, int *mt)
1180 {
1181 /* s->init_num < SSL3_HM_HEADER_LENGTH */
1182 int skip_message, i, recvd_type;
1183 unsigned char *p;
1184 size_t l, readbytes;
1185 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1186
1187 p = (unsigned char *)s->init_buf->data;
1188
1189 do {
1190 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1191 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, &recvd_type,
1192 &p[s->init_num],
1193 SSL3_HM_HEADER_LENGTH - s->init_num,
1194 0, &readbytes);
1195 if (i <= 0) {
1196 s->rwstate = SSL_READING;
1197 return 0;
1198 }
1199 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1200 /*
1201 * A ChangeCipherSpec must be a single byte and may not occur
1202 * in the middle of a handshake message.
1203 */
1204 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1205 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1206 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1207 return 0;
1208 }
1209 if (s->statem.hand_state == TLS_ST_BEFORE
1210 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1211 /*
1212 * We are stateless and we received a CCS. Probably this is
1213 * from a client between the first and second ClientHellos.
1214 * We should ignore this, but return an error because we do
1215 * not return success until we see the second ClientHello
1216 * with a valid cookie.
1217 */
1218 return 0;
1219 }
1220 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1221 s->init_num = readbytes - 1;
1222 s->init_msg = s->init_buf->data;
1223 s->s3.tmp.message_size = readbytes;
1224 return 1;
1225 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1226 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1227 SSL_R_CCS_RECEIVED_EARLY);
1228 return 0;
1229 }
1230 s->init_num += readbytes;
1231 }
1232
1233 skip_message = 0;
1234 if (!s->server)
1235 if (s->statem.hand_state != TLS_ST_OK
1236 && p[0] == SSL3_MT_HELLO_REQUEST)
1237 /*
1238 * The server may always send 'Hello Request' messages --
1239 * we are doing a handshake anyway now, so ignore them if
1240 * their format is correct. Does not count for 'Finished'
1241 * MAC.
1242 */
1243 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1244 s->init_num = 0;
1245 skip_message = 1;
1246
1247 if (s->msg_callback)
1248 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1249 p, SSL3_HM_HEADER_LENGTH, ssl,
1250 s->msg_callback_arg);
1251 }
1252 } while (skip_message);
1253 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1254
1255 *mt = *p;
1256 s->s3.tmp.message_type = *(p++);
1257
1258 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1259 /*
1260 * Only happens with SSLv3+ in an SSLv2 backward compatible
1261 * ClientHello
1262 *
1263 * Total message size is the remaining record bytes to read
1264 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1265 */
1266 l = s->rlayer.tlsrecs[0].length + SSL3_HM_HEADER_LENGTH;
1267 s->s3.tmp.message_size = l;
1268
1269 s->init_msg = s->init_buf->data;
1270 s->init_num = SSL3_HM_HEADER_LENGTH;
1271 } else {
1272 n2l3(p, l);
1273 /* BUF_MEM_grow takes an 'int' parameter */
1274 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1275 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1276 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1277 return 0;
1278 }
1279 s->s3.tmp.message_size = l;
1280
1281 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1282 s->init_num = 0;
1283 }
1284
1285 return 1;
1286 }
1287
1288 int tls_get_message_body(SSL_CONNECTION *s, size_t *len)
1289 {
1290 size_t n, readbytes;
1291 unsigned char *p;
1292 int i;
1293 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1294
1295 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1296 /* We've already read everything in */
1297 *len = (unsigned long)s->init_num;
1298 return 1;
1299 }
1300
1301 p = s->init_msg;
1302 n = s->s3.tmp.message_size - s->init_num;
1303 while (n > 0) {
1304 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL,
1305 &p[s->init_num], n, 0, &readbytes);
1306 if (i <= 0) {
1307 s->rwstate = SSL_READING;
1308 *len = 0;
1309 return 0;
1310 }
1311 s->init_num += readbytes;
1312 n -= readbytes;
1313 }
1314
1315 /*
1316 * If receiving Finished, record MAC of prior handshake messages for
1317 * Finished verification.
1318 */
1319 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1320 /* SSLfatal() already called */
1321 *len = 0;
1322 return 0;
1323 }
1324
1325 /* Feed this message into MAC computation. */
1326 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1327 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1328 s->init_num)) {
1329 /* SSLfatal() already called */
1330 *len = 0;
1331 return 0;
1332 }
1333 if (s->msg_callback)
1334 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1335 (size_t)s->init_num, ssl, s->msg_callback_arg);
1336 } else {
1337 /*
1338 * We defer feeding in the HRR until later. We'll do it as part of
1339 * processing the message
1340 * The TLsv1.3 handshake transcript stops at the ClientFinished
1341 * message.
1342 */
1343 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1344 /* KeyUpdate and NewSessionTicket do not need to be added */
1345 if (!SSL_CONNECTION_IS_TLS13(s)
1346 || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1347 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1348 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1349 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1350 || memcmp(hrrrandom,
1351 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1352 SSL3_RANDOM_SIZE) != 0) {
1353 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1354 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1355 /* SSLfatal() already called */
1356 *len = 0;
1357 return 0;
1358 }
1359 }
1360 }
1361 if (s->msg_callback)
1362 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1363 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, ssl,
1364 s->msg_callback_arg);
1365 }
1366
1367 *len = s->init_num;
1368 return 1;
1369 }
1370
1371 static const X509ERR2ALERT x509table[] = {
1372 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1373 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1374 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
1375 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1376 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1377 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1378 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1379 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1380 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1381 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1382 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1383 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1384 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1385 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1386 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1387 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1388 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1389 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1390 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1391 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1392 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1393 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1394 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1395 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1396 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1397 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1398 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1399 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1400 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1401 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1402 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1403 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1404 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1405 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1406 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1407 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1408 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1409 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1410 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1411 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1412
1413 /* Last entry; return this if we don't find the value above. */
1414 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1415 };
1416
1417 int ssl_x509err2alert(int x509err)
1418 {
1419 const X509ERR2ALERT *tp;
1420
1421 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1422 if (tp->x509err == x509err)
1423 break;
1424 return tp->alert;
1425 }
1426
1427 int ssl_allow_compression(SSL_CONNECTION *s)
1428 {
1429 if (s->options & SSL_OP_NO_COMPRESSION)
1430 return 0;
1431 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1432 }
1433
1434 static int version_cmp(const SSL_CONNECTION *s, int a, int b)
1435 {
1436 int dtls = SSL_CONNECTION_IS_DTLS(s);
1437
1438 if (a == b)
1439 return 0;
1440 if (!dtls)
1441 return a < b ? -1 : 1;
1442 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1443 }
1444
1445 typedef struct {
1446 int version;
1447 const SSL_METHOD *(*cmeth) (void);
1448 const SSL_METHOD *(*smeth) (void);
1449 } version_info;
1450
1451 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1452 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1453 #endif
1454
1455 /* Must be in order high to low */
1456 static const version_info tls_version_table[] = {
1457 #ifndef OPENSSL_NO_TLS1_3
1458 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1459 #else
1460 {TLS1_3_VERSION, NULL, NULL},
1461 #endif
1462 #ifndef OPENSSL_NO_TLS1_2
1463 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1464 #else
1465 {TLS1_2_VERSION, NULL, NULL},
1466 #endif
1467 #ifndef OPENSSL_NO_TLS1_1
1468 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1469 #else
1470 {TLS1_1_VERSION, NULL, NULL},
1471 #endif
1472 #ifndef OPENSSL_NO_TLS1
1473 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1474 #else
1475 {TLS1_VERSION, NULL, NULL},
1476 #endif
1477 #ifndef OPENSSL_NO_SSL3
1478 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1479 #else
1480 {SSL3_VERSION, NULL, NULL},
1481 #endif
1482 {0, NULL, NULL},
1483 };
1484
1485 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1486 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1487 #endif
1488
1489 /* Must be in order high to low */
1490 static const version_info dtls_version_table[] = {
1491 #ifndef OPENSSL_NO_DTLS1_2
1492 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1493 #else
1494 {DTLS1_2_VERSION, NULL, NULL},
1495 #endif
1496 #ifndef OPENSSL_NO_DTLS1
1497 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1498 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1499 #else
1500 {DTLS1_VERSION, NULL, NULL},
1501 {DTLS1_BAD_VER, NULL, NULL},
1502 #endif
1503 {0, NULL, NULL},
1504 };
1505
1506 /*
1507 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1508 *
1509 * @s: The SSL handle for the candidate method
1510 * @method: the intended method.
1511 *
1512 * Returns 0 on success, or an SSL error reason on failure.
1513 */
1514 static int ssl_method_error(const SSL_CONNECTION *s, const SSL_METHOD *method)
1515 {
1516 int version = method->version;
1517
1518 if ((s->min_proto_version != 0 &&
1519 version_cmp(s, version, s->min_proto_version) < 0) ||
1520 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1521 return SSL_R_VERSION_TOO_LOW;
1522
1523 if (s->max_proto_version != 0 &&
1524 version_cmp(s, version, s->max_proto_version) > 0)
1525 return SSL_R_VERSION_TOO_HIGH;
1526
1527 if ((s->options & method->mask) != 0)
1528 return SSL_R_UNSUPPORTED_PROTOCOL;
1529 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1530 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1531
1532 return 0;
1533 }
1534
1535 /*
1536 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1537 * certificate type, or has PSK or a certificate callback configured, or has
1538 * a servername callback configure. Otherwise returns 0.
1539 */
1540 static int is_tls13_capable(const SSL_CONNECTION *s)
1541 {
1542 int i;
1543 int curve;
1544 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1545
1546 if (!ossl_assert(sctx != NULL) || !ossl_assert(s->session_ctx != NULL))
1547 return 0;
1548
1549 /*
1550 * A servername callback can change the available certs, so if a servername
1551 * cb is set then we just assume TLSv1.3 will be ok
1552 */
1553 if (sctx->ext.servername_cb != NULL
1554 || s->session_ctx->ext.servername_cb != NULL)
1555 return 1;
1556
1557 #ifndef OPENSSL_NO_PSK
1558 if (s->psk_server_callback != NULL)
1559 return 1;
1560 #endif
1561
1562 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1563 return 1;
1564
1565 for (i = 0; i < SSL_PKEY_NUM; i++) {
1566 /* Skip over certs disallowed for TLSv1.3 */
1567 switch (i) {
1568 case SSL_PKEY_DSA_SIGN:
1569 case SSL_PKEY_GOST01:
1570 case SSL_PKEY_GOST12_256:
1571 case SSL_PKEY_GOST12_512:
1572 continue;
1573 default:
1574 break;
1575 }
1576 if (!ssl_has_cert(s, i))
1577 continue;
1578 if (i != SSL_PKEY_ECC)
1579 return 1;
1580 /*
1581 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1582 * more restrictive so check that our sig algs are consistent with this
1583 * EC cert. See section 4.2.3 of RFC8446.
1584 */
1585 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1586 if (tls_check_sigalg_curve(s, curve))
1587 return 1;
1588 }
1589
1590 return 0;
1591 }
1592
1593 /*
1594 * ssl_version_supported - Check that the specified `version` is supported by
1595 * `SSL *` instance
1596 *
1597 * @s: The SSL handle for the candidate method
1598 * @version: Protocol version to test against
1599 *
1600 * Returns 1 when supported, otherwise 0
1601 */
1602 int ssl_version_supported(const SSL_CONNECTION *s, int version,
1603 const SSL_METHOD **meth)
1604 {
1605 const version_info *vent;
1606 const version_info *table;
1607
1608 switch (SSL_CONNECTION_GET_SSL(s)->method->version) {
1609 default:
1610 /* Version should match method version for non-ANY method */
1611 return version_cmp(s, version, s->version) == 0;
1612 case TLS_ANY_VERSION:
1613 table = tls_version_table;
1614 break;
1615 case DTLS_ANY_VERSION:
1616 table = dtls_version_table;
1617 break;
1618 }
1619
1620 for (vent = table;
1621 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1622 ++vent) {
1623 if (vent->cmeth != NULL
1624 && version_cmp(s, version, vent->version) == 0
1625 && ssl_method_error(s, vent->cmeth()) == 0
1626 && (!s->server
1627 || version != TLS1_3_VERSION
1628 || is_tls13_capable(s))) {
1629 if (meth != NULL)
1630 *meth = vent->cmeth();
1631 return 1;
1632 }
1633 }
1634 return 0;
1635 }
1636
1637 /*
1638 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1639 * fallback indication from a client check whether we're using the highest
1640 * supported protocol version.
1641 *
1642 * @s server SSL handle.
1643 *
1644 * Returns 1 when using the highest enabled version, 0 otherwise.
1645 */
1646 int ssl_check_version_downgrade(SSL_CONNECTION *s)
1647 {
1648 const version_info *vent;
1649 const version_info *table;
1650 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1651
1652 /*
1653 * Check that the current protocol is the highest enabled version
1654 * (according to s->ctx->method, as version negotiation may have changed
1655 * s->method).
1656 */
1657 if (s->version == sctx->method->version)
1658 return 1;
1659
1660 /*
1661 * Apparently we're using a version-flexible SSL_METHOD (not at its
1662 * highest protocol version).
1663 */
1664 if (sctx->method->version == TLS_method()->version)
1665 table = tls_version_table;
1666 else if (sctx->method->version == DTLS_method()->version)
1667 table = dtls_version_table;
1668 else {
1669 /* Unexpected state; fail closed. */
1670 return 0;
1671 }
1672
1673 for (vent = table; vent->version != 0; ++vent) {
1674 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1675 return s->version == vent->version;
1676 }
1677 return 0;
1678 }
1679
1680 /*
1681 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1682 * protocols, provided the initial (D)TLS method is version-flexible. This
1683 * function sanity-checks the proposed value and makes sure the method is
1684 * version-flexible, then sets the limit if all is well.
1685 *
1686 * @method_version: The version of the current SSL_METHOD.
1687 * @version: the intended limit.
1688 * @bound: pointer to limit to be updated.
1689 *
1690 * Returns 1 on success, 0 on failure.
1691 */
1692 int ssl_set_version_bound(int method_version, int version, int *bound)
1693 {
1694 int valid_tls;
1695 int valid_dtls;
1696
1697 if (version == 0) {
1698 *bound = version;
1699 return 1;
1700 }
1701
1702 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1703 valid_dtls =
1704 DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1705 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1706
1707 if (!valid_tls && !valid_dtls)
1708 return 0;
1709
1710 /*-
1711 * Restrict TLS methods to TLS protocol versions.
1712 * Restrict DTLS methods to DTLS protocol versions.
1713 * Note, DTLS version numbers are decreasing, use comparison macros.
1714 *
1715 * Note that for both lower-bounds we use explicit versions, not
1716 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1717 * configurations. If the MIN (supported) version ever rises, the user's
1718 * "floor" remains valid even if no longer available. We don't expect the
1719 * MAX ceiling to ever get lower, so making that variable makes sense.
1720 *
1721 * We ignore attempts to set bounds on version-inflexible methods,
1722 * returning success.
1723 */
1724 switch (method_version) {
1725 default:
1726 break;
1727
1728 case TLS_ANY_VERSION:
1729 if (valid_tls)
1730 *bound = version;
1731 break;
1732
1733 case DTLS_ANY_VERSION:
1734 if (valid_dtls)
1735 *bound = version;
1736 break;
1737 }
1738 return 1;
1739 }
1740
1741 static void check_for_downgrade(SSL_CONNECTION *s, int vers, DOWNGRADE *dgrd)
1742 {
1743 if (vers == TLS1_2_VERSION
1744 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1745 *dgrd = DOWNGRADE_TO_1_2;
1746 } else if (!SSL_CONNECTION_IS_DTLS(s)
1747 && vers < TLS1_2_VERSION
1748 /*
1749 * We need to ensure that a server that disables TLSv1.2
1750 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1751 * complete handshakes with clients that support TLSv1.2 and
1752 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1753 * enabled and TLSv1.2 is not.
1754 */
1755 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1756 *dgrd = DOWNGRADE_TO_1_1;
1757 } else {
1758 *dgrd = DOWNGRADE_NONE;
1759 }
1760 }
1761
1762 /*
1763 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1764 * client HELLO is received to select the final server protocol version and
1765 * the version specific method.
1766 *
1767 * @s: server SSL handle.
1768 *
1769 * Returns 0 on success or an SSL error reason number on failure.
1770 */
1771 int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
1772 DOWNGRADE *dgrd)
1773 {
1774 /*-
1775 * With version-flexible methods we have an initial state with:
1776 *
1777 * s->method->version == (D)TLS_ANY_VERSION,
1778 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
1779 *
1780 * So we detect version-flexible methods via the method version, not the
1781 * handle version.
1782 */
1783 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1784 int server_version = ssl->method->version;
1785 int client_version = hello->legacy_version;
1786 const version_info *vent;
1787 const version_info *table;
1788 int disabled = 0;
1789 RAW_EXTENSION *suppversions;
1790
1791 s->client_version = client_version;
1792
1793 switch (server_version) {
1794 default:
1795 if (!SSL_CONNECTION_IS_TLS13(s)) {
1796 if (version_cmp(s, client_version, s->version) < 0)
1797 return SSL_R_WRONG_SSL_VERSION;
1798 *dgrd = DOWNGRADE_NONE;
1799 /*
1800 * If this SSL handle is not from a version flexible method we don't
1801 * (and never did) check min/max FIPS or Suite B constraints. Hope
1802 * that's OK. It is up to the caller to not choose fixed protocol
1803 * versions they don't want. If not, then easy to fix, just return
1804 * ssl_method_error(s, s->method)
1805 */
1806 return 0;
1807 }
1808 /*
1809 * Fall through if we are TLSv1.3 already (this means we must be after
1810 * a HelloRetryRequest
1811 */
1812 /* fall thru */
1813 case TLS_ANY_VERSION:
1814 table = tls_version_table;
1815 break;
1816 case DTLS_ANY_VERSION:
1817 table = dtls_version_table;
1818 break;
1819 }
1820
1821 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1822
1823 /* If we did an HRR then supported versions is mandatory */
1824 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1825 return SSL_R_UNSUPPORTED_PROTOCOL;
1826
1827 if (suppversions->present && !SSL_CONNECTION_IS_DTLS(s)) {
1828 unsigned int candidate_vers = 0;
1829 unsigned int best_vers = 0;
1830 const SSL_METHOD *best_method = NULL;
1831 PACKET versionslist;
1832
1833 suppversions->parsed = 1;
1834
1835 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1836 /* Trailing or invalid data? */
1837 return SSL_R_LENGTH_MISMATCH;
1838 }
1839
1840 /*
1841 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1842 * The spec only requires servers to check that it isn't SSLv3:
1843 * "Any endpoint receiving a Hello message with
1844 * ClientHello.legacy_version or ServerHello.legacy_version set to
1845 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1846 * We are slightly stricter and require that it isn't SSLv3 or lower.
1847 * We tolerate TLSv1 and TLSv1.1.
1848 */
1849 if (client_version <= SSL3_VERSION)
1850 return SSL_R_BAD_LEGACY_VERSION;
1851
1852 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1853 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1854 continue;
1855 if (ssl_version_supported(s, candidate_vers, &best_method))
1856 best_vers = candidate_vers;
1857 }
1858 if (PACKET_remaining(&versionslist) != 0) {
1859 /* Trailing data? */
1860 return SSL_R_LENGTH_MISMATCH;
1861 }
1862
1863 if (best_vers > 0) {
1864 if (s->hello_retry_request != SSL_HRR_NONE) {
1865 /*
1866 * This is after a HelloRetryRequest so we better check that we
1867 * negotiated TLSv1.3
1868 */
1869 if (best_vers != TLS1_3_VERSION)
1870 return SSL_R_UNSUPPORTED_PROTOCOL;
1871 return 0;
1872 }
1873 check_for_downgrade(s, best_vers, dgrd);
1874 s->version = best_vers;
1875 ssl->method = best_method;
1876 return 0;
1877 }
1878 return SSL_R_UNSUPPORTED_PROTOCOL;
1879 }
1880
1881 /*
1882 * If the supported versions extension isn't present, then the highest
1883 * version we can negotiate is TLSv1.2
1884 */
1885 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1886 client_version = TLS1_2_VERSION;
1887
1888 /*
1889 * No supported versions extension, so we just use the version supplied in
1890 * the ClientHello.
1891 */
1892 for (vent = table; vent->version != 0; ++vent) {
1893 const SSL_METHOD *method;
1894
1895 if (vent->smeth == NULL ||
1896 version_cmp(s, client_version, vent->version) < 0)
1897 continue;
1898 method = vent->smeth();
1899 if (ssl_method_error(s, method) == 0) {
1900 check_for_downgrade(s, vent->version, dgrd);
1901 s->version = vent->version;
1902 ssl->method = method;
1903 return 0;
1904 }
1905 disabled = 1;
1906 }
1907 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1908 }
1909
1910 /*
1911 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1912 * server HELLO is received to select the final client protocol version and
1913 * the version specific method.
1914 *
1915 * @s: client SSL handle.
1916 * @version: The proposed version from the server's HELLO.
1917 * @extensions: The extensions received
1918 *
1919 * Returns 1 on success or 0 on error.
1920 */
1921 int ssl_choose_client_version(SSL_CONNECTION *s, int version,
1922 RAW_EXTENSION *extensions)
1923 {
1924 const version_info *vent;
1925 const version_info *table;
1926 int ret, ver_min, ver_max, real_max, origv;
1927 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1928
1929 origv = s->version;
1930 s->version = version;
1931
1932 /* This will overwrite s->version if the extension is present */
1933 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1934 SSL_EXT_TLS1_2_SERVER_HELLO
1935 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1936 NULL, 0)) {
1937 s->version = origv;
1938 return 0;
1939 }
1940
1941 if (s->hello_retry_request != SSL_HRR_NONE
1942 && s->version != TLS1_3_VERSION) {
1943 s->version = origv;
1944 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1945 return 0;
1946 }
1947
1948 switch (ssl->method->version) {
1949 default:
1950 if (s->version != ssl->method->version) {
1951 s->version = origv;
1952 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1953 return 0;
1954 }
1955 /*
1956 * If this SSL handle is not from a version flexible method we don't
1957 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1958 * that's OK. It is up to the caller to not choose fixed protocol
1959 * versions they don't want. If not, then easy to fix, just return
1960 * ssl_method_error(s, s->method)
1961 */
1962 return 1;
1963 case TLS_ANY_VERSION:
1964 table = tls_version_table;
1965 break;
1966 case DTLS_ANY_VERSION:
1967 table = dtls_version_table;
1968 break;
1969 }
1970
1971 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1972 if (ret != 0) {
1973 s->version = origv;
1974 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
1975 return 0;
1976 }
1977 if (SSL_CONNECTION_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1978 : s->version < ver_min) {
1979 s->version = origv;
1980 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1981 return 0;
1982 } else if (SSL_CONNECTION_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1983 : s->version > ver_max) {
1984 s->version = origv;
1985 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1986 return 0;
1987 }
1988
1989 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1990 real_max = ver_max;
1991
1992 /* Check for downgrades */
1993 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1994 if (memcmp(tls12downgrade,
1995 s->s3.server_random + SSL3_RANDOM_SIZE
1996 - sizeof(tls12downgrade),
1997 sizeof(tls12downgrade)) == 0) {
1998 s->version = origv;
1999 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
2000 SSL_R_INAPPROPRIATE_FALLBACK);
2001 return 0;
2002 }
2003 } else if (!SSL_CONNECTION_IS_DTLS(s)
2004 && s->version < TLS1_2_VERSION
2005 && real_max > s->version) {
2006 if (memcmp(tls11downgrade,
2007 s->s3.server_random + SSL3_RANDOM_SIZE
2008 - sizeof(tls11downgrade),
2009 sizeof(tls11downgrade)) == 0) {
2010 s->version = origv;
2011 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
2012 SSL_R_INAPPROPRIATE_FALLBACK);
2013 return 0;
2014 }
2015 }
2016
2017 for (vent = table; vent->version != 0; ++vent) {
2018 if (vent->cmeth == NULL || s->version != vent->version)
2019 continue;
2020
2021 ssl->method = vent->cmeth();
2022 return 1;
2023 }
2024
2025 s->version = origv;
2026 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2027 return 0;
2028 }
2029
2030 /*
2031 * ssl_get_min_max_version - get minimum and maximum protocol version
2032 * @s: The SSL connection
2033 * @min_version: The minimum supported version
2034 * @max_version: The maximum supported version
2035 * @real_max: The highest version below the lowest compile time version hole
2036 * where that hole lies above at least one run-time enabled
2037 * protocol.
2038 *
2039 * Work out what version we should be using for the initial ClientHello if the
2040 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2041 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2042 * constraints and any floor imposed by the security level here,
2043 * so we don't advertise the wrong protocol version to only reject the outcome later.
2044 *
2045 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2046 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2047 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2048 *
2049 * Returns 0 on success or an SSL error reason number on failure. On failure
2050 * min_version and max_version will also be set to 0.
2051 */
2052 int ssl_get_min_max_version(const SSL_CONNECTION *s, int *min_version,
2053 int *max_version, int *real_max)
2054 {
2055 int version, tmp_real_max;
2056 int hole;
2057 const SSL_METHOD *single = NULL;
2058 const SSL_METHOD *method;
2059 const version_info *table;
2060 const version_info *vent;
2061 const SSL *ssl = SSL_CONNECTION_GET_SSL(s);
2062
2063 switch (ssl->method->version) {
2064 default:
2065 /*
2066 * If this SSL handle is not from a version flexible method we don't
2067 * (and never did) check min/max FIPS or Suite B constraints. Hope
2068 * that's OK. It is up to the caller to not choose fixed protocol
2069 * versions they don't want. If not, then easy to fix, just return
2070 * ssl_method_error(s, s->method)
2071 */
2072 *min_version = *max_version = s->version;
2073 /*
2074 * Providing a real_max only makes sense where we're using a version
2075 * flexible method.
2076 */
2077 if (!ossl_assert(real_max == NULL))
2078 return ERR_R_INTERNAL_ERROR;
2079 return 0;
2080 case TLS_ANY_VERSION:
2081 table = tls_version_table;
2082 break;
2083 case DTLS_ANY_VERSION:
2084 table = dtls_version_table;
2085 break;
2086 }
2087
2088 /*
2089 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2090 * below X enabled. This is required in order to maintain the "version
2091 * capability" vector contiguous. Any versions with a NULL client method
2092 * (protocol version client is disabled at compile-time) is also a "hole".
2093 *
2094 * Our initial state is hole == 1, version == 0. That is, versions above
2095 * the first version in the method table are disabled (a "hole" above
2096 * the valid protocol entries) and we don't have a selected version yet.
2097 *
2098 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2099 * the selected version, and the method becomes a candidate "single"
2100 * method. We're no longer in a hole, so "hole" becomes 0.
2101 *
2102 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2103 * as we support a contiguous range of at least two methods. If we hit
2104 * a disabled method, then hole becomes true again, but nothing else
2105 * changes yet, because all the remaining methods may be disabled too.
2106 * If we again hit an enabled method after the new hole, it becomes
2107 * selected, as we start from scratch.
2108 */
2109 *min_version = version = 0;
2110 hole = 1;
2111 if (real_max != NULL)
2112 *real_max = 0;
2113 tmp_real_max = 0;
2114 for (vent = table; vent->version != 0; ++vent) {
2115 /*
2116 * A table entry with a NULL client method is still a hole in the
2117 * "version capability" vector.
2118 */
2119 if (vent->cmeth == NULL) {
2120 hole = 1;
2121 tmp_real_max = 0;
2122 continue;
2123 }
2124 method = vent->cmeth();
2125
2126 if (hole == 1 && tmp_real_max == 0)
2127 tmp_real_max = vent->version;
2128
2129 if (ssl_method_error(s, method) != 0) {
2130 hole = 1;
2131 } else if (!hole) {
2132 single = NULL;
2133 *min_version = method->version;
2134 } else {
2135 if (real_max != NULL && tmp_real_max != 0)
2136 *real_max = tmp_real_max;
2137 version = (single = method)->version;
2138 *min_version = version;
2139 hole = 0;
2140 }
2141 }
2142
2143 *max_version = version;
2144
2145 /* Fail if everything is disabled */
2146 if (version == 0)
2147 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2148
2149 return 0;
2150 }
2151
2152 /*
2153 * ssl_set_client_hello_version - Work out what version we should be using for
2154 * the initial ClientHello.legacy_version field.
2155 *
2156 * @s: client SSL handle.
2157 *
2158 * Returns 0 on success or an SSL error reason number on failure.
2159 */
2160 int ssl_set_client_hello_version(SSL_CONNECTION *s)
2161 {
2162 int ver_min, ver_max, ret;
2163
2164 /*
2165 * In a renegotiation we always send the same client_version that we sent
2166 * last time, regardless of which version we eventually negotiated.
2167 */
2168 if (!SSL_IS_FIRST_HANDSHAKE(s))
2169 return 0;
2170
2171 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2172
2173 if (ret != 0)
2174 return ret;
2175
2176 s->version = ver_max;
2177
2178 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2179 if (!SSL_CONNECTION_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2180 ver_max = TLS1_2_VERSION;
2181
2182 s->client_version = ver_max;
2183 return 0;
2184 }
2185
2186 /*
2187 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2188 * and |checkallow| is 1 then additionally check if the group is allowed to be
2189 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2190 * 1) or 0 otherwise.
2191 */
2192 int check_in_list(SSL_CONNECTION *s, uint16_t group_id, const uint16_t *groups,
2193 size_t num_groups, int checkallow)
2194 {
2195 size_t i;
2196
2197 if (groups == NULL || num_groups == 0)
2198 return 0;
2199
2200 if (checkallow == 1)
2201 group_id = ssl_group_id_tls13_to_internal(group_id);
2202
2203 for (i = 0; i < num_groups; i++) {
2204 uint16_t group = groups[i];
2205
2206 if (checkallow == 2)
2207 group = ssl_group_id_tls13_to_internal(group);
2208
2209 if (group_id == group
2210 && (!checkallow
2211 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2212 return 1;
2213 }
2214 }
2215
2216 return 0;
2217 }
2218
2219 /* Replace ClientHello1 in the transcript hash with a synthetic message */
2220 int create_synthetic_message_hash(SSL_CONNECTION *s,
2221 const unsigned char *hashval,
2222 size_t hashlen, const unsigned char *hrr,
2223 size_t hrrlen)
2224 {
2225 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2226 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2227
2228 memset(msghdr, 0, sizeof(msghdr));
2229
2230 if (hashval == NULL) {
2231 hashval = hashvaltmp;
2232 hashlen = 0;
2233 /* Get the hash of the initial ClientHello */
2234 if (!ssl3_digest_cached_records(s, 0)
2235 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2236 &hashlen)) {
2237 /* SSLfatal() already called */
2238 return 0;
2239 }
2240 }
2241
2242 /* Reinitialise the transcript hash */
2243 if (!ssl3_init_finished_mac(s)) {
2244 /* SSLfatal() already called */
2245 return 0;
2246 }
2247
2248 /* Inject the synthetic message_hash message */
2249 msghdr[0] = SSL3_MT_MESSAGE_HASH;
2250 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2251 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2252 || !ssl3_finish_mac(s, hashval, hashlen)) {
2253 /* SSLfatal() already called */
2254 return 0;
2255 }
2256
2257 /*
2258 * Now re-inject the HRR and current message if appropriate (we just deleted
2259 * it when we reinitialised the transcript hash above). Only necessary after
2260 * receiving a ClientHello2 with a cookie.
2261 */
2262 if (hrr != NULL
2263 && (!ssl3_finish_mac(s, hrr, hrrlen)
2264 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2265 s->s3.tmp.message_size
2266 + SSL3_HM_HEADER_LENGTH))) {
2267 /* SSLfatal() already called */
2268 return 0;
2269 }
2270
2271 return 1;
2272 }
2273
2274 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2275 {
2276 return X509_NAME_cmp(*a, *b);
2277 }
2278
2279 int parse_ca_names(SSL_CONNECTION *s, PACKET *pkt)
2280 {
2281 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2282 X509_NAME *xn = NULL;
2283 PACKET cadns;
2284
2285 if (ca_sk == NULL) {
2286 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2287 goto err;
2288 }
2289 /* get the CA RDNs */
2290 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2291 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2292 goto err;
2293 }
2294
2295 while (PACKET_remaining(&cadns)) {
2296 const unsigned char *namestart, *namebytes;
2297 unsigned int name_len;
2298
2299 if (!PACKET_get_net_2(&cadns, &name_len)
2300 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2301 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2302 goto err;
2303 }
2304
2305 namestart = namebytes;
2306 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2307 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
2308 goto err;
2309 }
2310 if (namebytes != (namestart + name_len)) {
2311 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
2312 goto err;
2313 }
2314
2315 if (!sk_X509_NAME_push(ca_sk, xn)) {
2316 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2317 goto err;
2318 }
2319 xn = NULL;
2320 }
2321
2322 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2323 s->s3.tmp.peer_ca_names = ca_sk;
2324
2325 return 1;
2326
2327 err:
2328 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2329 X509_NAME_free(xn);
2330 return 0;
2331 }
2332
2333 const STACK_OF(X509_NAME) *get_ca_names(SSL_CONNECTION *s)
2334 {
2335 const STACK_OF(X509_NAME) *ca_sk = NULL;
2336 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
2337
2338 if (s->server) {
2339 ca_sk = SSL_get_client_CA_list(ssl);
2340 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2341 ca_sk = NULL;
2342 }
2343
2344 if (ca_sk == NULL)
2345 ca_sk = SSL_get0_CA_list(ssl);
2346
2347 return ca_sk;
2348 }
2349
2350 int construct_ca_names(SSL_CONNECTION *s, const STACK_OF(X509_NAME) *ca_sk,
2351 WPACKET *pkt)
2352 {
2353 /* Start sub-packet for client CA list */
2354 if (!WPACKET_start_sub_packet_u16(pkt)) {
2355 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2356 return 0;
2357 }
2358
2359 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
2360 int i;
2361
2362 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2363 unsigned char *namebytes;
2364 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2365 int namelen;
2366
2367 if (name == NULL
2368 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2369 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2370 &namebytes)
2371 || i2d_X509_NAME(name, &namebytes) != namelen) {
2372 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2373 return 0;
2374 }
2375 }
2376 }
2377
2378 if (!WPACKET_close(pkt)) {
2379 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2380 return 0;
2381 }
2382
2383 return 1;
2384 }
2385
2386 /* Create a buffer containing data to be signed for server key exchange */
2387 size_t construct_key_exchange_tbs(SSL_CONNECTION *s, unsigned char **ptbs,
2388 const void *param, size_t paramlen)
2389 {
2390 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2391 unsigned char *tbs = OPENSSL_malloc(tbslen);
2392
2393 if (tbs == NULL) {
2394 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2395 return 0;
2396 }
2397 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2398 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2399
2400 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2401
2402 *ptbs = tbs;
2403 return tbslen;
2404 }
2405
2406 /*
2407 * Saves the current handshake digest for Post-Handshake Auth,
2408 * Done after ClientFinished is processed, done exactly once
2409 */
2410 int tls13_save_handshake_digest_for_pha(SSL_CONNECTION *s)
2411 {
2412 if (s->pha_dgst == NULL) {
2413 if (!ssl3_digest_cached_records(s, 1))
2414 /* SSLfatal() already called */
2415 return 0;
2416
2417 s->pha_dgst = EVP_MD_CTX_new();
2418 if (s->pha_dgst == NULL) {
2419 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2420 return 0;
2421 }
2422 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2423 s->s3.handshake_dgst)) {
2424 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2425 EVP_MD_CTX_free(s->pha_dgst);
2426 s->pha_dgst = NULL;
2427 return 0;
2428 }
2429 }
2430 return 1;
2431 }
2432
2433 /*
2434 * Restores the Post-Handshake Auth handshake digest
2435 * Done just before sending/processing the Cert Request
2436 */
2437 int tls13_restore_handshake_digest_for_pha(SSL_CONNECTION *s)
2438 {
2439 if (s->pha_dgst == NULL) {
2440 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2441 return 0;
2442 }
2443 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2444 s->pha_dgst)) {
2445 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2446 return 0;
2447 }
2448 return 1;
2449 }
A mirror of the official openssl repository