]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/statem_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Don't write to the session when computing TLS 1.3 keys
[thirdparty/openssl.git] / ssl / statem / statem_lib.c
1 /*
2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include <limits.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/objects.h>
19 #include <openssl/evp.h>
20 #include <openssl/x509.h>
21 #include <openssl/trace.h>
22
23 /*
24 * Map error codes to TLS/SSL alart types.
25 */
26 typedef struct x509err2alert_st {
27 int x509err;
28 int alert;
29 } X509ERR2ALERT;
30
31 /* Fixed value used in the ServerHello random field to identify an HRR */
32 const unsigned char hrrrandom[] = {
33 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
34 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
35 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
36 };
37
38 /*
39 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
40 * SSL3_RT_CHANGE_CIPHER_SPEC)
41 */
42 int ssl3_do_write(SSL *s, int type)
43 {
44 int ret;
45 size_t written = 0;
46
47 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
48 s->init_num, &written);
49 if (ret < 0)
50 return -1;
51 if (type == SSL3_RT_HANDSHAKE)
52 /*
53 * should not be done for 'Hello Request's, but in that case we'll
54 * ignore the result anyway
55 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
56 */
57 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
58 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
59 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
60 if (!ssl3_finish_mac(s,
61 (unsigned char *)&s->init_buf->data[s->init_off],
62 written))
63 return -1;
64 if (written == s->init_num) {
65 if (s->msg_callback)
66 s->msg_callback(1, s->version, type, s->init_buf->data,
67 (size_t)(s->init_off + s->init_num), s,
68 s->msg_callback_arg);
69 return 1;
70 }
71 s->init_off += written;
72 s->init_num -= written;
73 return 0;
74 }
75
76 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
77 {
78 size_t msglen;
79
80 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
81 || !WPACKET_get_length(pkt, &msglen)
82 || msglen > INT_MAX)
83 return 0;
84 s->init_num = (int)msglen;
85 s->init_off = 0;
86
87 return 1;
88 }
89
90 int tls_setup_handshake(SSL *s)
91 {
92 if (!ssl3_init_finished_mac(s)) {
93 /* SSLfatal() already called */
94 return 0;
95 }
96
97 /* Reset any extension flags */
98 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
99
100 if (s->server) {
101 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
102 int i, ver_min, ver_max, ok = 0;
103
104 /*
105 * Sanity check that the maximum version we accept has ciphers
106 * enabled. For clients we do this check during construction of the
107 * ClientHello.
108 */
109 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
110 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
111 ERR_R_INTERNAL_ERROR);
112 return 0;
113 }
114 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
115 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
116
117 if (SSL_IS_DTLS(s)) {
118 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
119 DTLS_VERSION_LE(ver_max, c->max_dtls))
120 ok = 1;
121 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
122 ok = 1;
123 }
124 if (ok)
125 break;
126 }
127 if (!ok) {
128 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
129 SSL_R_NO_CIPHERS_AVAILABLE);
130 ERR_add_error_data(1, "No ciphers enabled for max supported "
131 "SSL/TLS version");
132 return 0;
133 }
134 if (SSL_IS_FIRST_HANDSHAKE(s)) {
135 /* N.B. s->session_ctx == s->ctx here */
136 tsan_counter(&s->session_ctx->stats.sess_accept);
137 } else {
138 /* N.B. s->ctx may not equal s->session_ctx */
139 tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
140
141 s->s3.tmp.cert_request = 0;
142 }
143 } else {
144 if (SSL_IS_FIRST_HANDSHAKE(s))
145 tsan_counter(&s->session_ctx->stats.sess_connect);
146 else
147 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
148
149 /* mark client_random uninitialized */
150 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
151 s->hit = 0;
152
153 s->s3.tmp.cert_req = 0;
154
155 if (SSL_IS_DTLS(s))
156 s->statem.use_timer = 1;
157 }
158
159 return 1;
160 }
161
162 /*
163 * Size of the to-be-signed TLS13 data, without the hash size itself:
164 * 64 bytes of value 32, 33 context bytes, 1 byte separator
165 */
166 #define TLS13_TBS_START_SIZE 64
167 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
168
169 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
170 void **hdata, size_t *hdatalen)
171 {
172 #ifdef CHARSET_EBCDIC
173 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
174 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
175 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
176 0x69, 0x66, 0x79, 0x00 };
177 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
178 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
179 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
180 0x69, 0x66, 0x79, 0x00 };
181 #else
182 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
183 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
184 #endif
185 if (SSL_IS_TLS13(s)) {
186 size_t hashlen;
187
188 /* Set the first 64 bytes of to-be-signed data to octet 32 */
189 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
190 /* This copies the 33 bytes of context plus the 0 separator byte */
191 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
192 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
193 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
194 else
195 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
196
197 /*
198 * If we're currently reading then we need to use the saved handshake
199 * hash value. We can't use the current handshake hash state because
200 * that includes the CertVerify itself.
201 */
202 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
203 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
204 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
205 s->cert_verify_hash_len);
206 hashlen = s->cert_verify_hash_len;
207 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
208 EVP_MAX_MD_SIZE, &hashlen)) {
209 /* SSLfatal() already called */
210 return 0;
211 }
212
213 *hdata = tls13tbs;
214 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
215 } else {
216 size_t retlen;
217 long retlen_l;
218
219 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
220 if (retlen_l <= 0) {
221 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
222 ERR_R_INTERNAL_ERROR);
223 return 0;
224 }
225 *hdatalen = retlen;
226 }
227
228 return 1;
229 }
230
231 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
232 {
233 EVP_PKEY *pkey = NULL;
234 const EVP_MD *md = NULL;
235 EVP_MD_CTX *mctx = NULL;
236 EVP_PKEY_CTX *pctx = NULL;
237 size_t hdatalen = 0, siglen = 0;
238 void *hdata;
239 unsigned char *sig = NULL;
240 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
241 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
242
243 if (lu == NULL || s->s3.tmp.cert == NULL) {
244 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
245 ERR_R_INTERNAL_ERROR);
246 goto err;
247 }
248 pkey = s->s3.tmp.cert->privatekey;
249
250 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
251 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
252 ERR_R_INTERNAL_ERROR);
253 goto err;
254 }
255
256 mctx = EVP_MD_CTX_new();
257 if (mctx == NULL) {
258 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
259 ERR_R_MALLOC_FAILURE);
260 goto err;
261 }
262
263 /* Get the data to be signed */
264 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
265 /* SSLfatal() already called */
266 goto err;
267 }
268
269 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
271 ERR_R_INTERNAL_ERROR);
272 goto err;
273 }
274
275 if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) {
276 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
277 ERR_R_EVP_LIB);
278 goto err;
279 }
280
281 if (lu->sig == EVP_PKEY_RSA_PSS) {
282 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
283 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
284 RSA_PSS_SALTLEN_DIGEST) <= 0) {
285 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
286 ERR_R_EVP_LIB);
287 goto err;
288 }
289 }
290 if (s->version == SSL3_VERSION) {
291 /*
292 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
293 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
294 */
295 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
296 /*
297 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
298 * with a call to ssl3_digest_master_key_set_params()
299 */
300 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
301 (int)s->session->master_key_length,
302 s->session->master_key) <= 0
303 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
304
305 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
306 ERR_R_EVP_LIB);
307 goto err;
308 }
309 sig = OPENSSL_malloc(siglen);
310 if (sig == NULL
311 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
312 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
313 ERR_R_EVP_LIB);
314 goto err;
315 }
316 } else {
317 /*
318 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
319 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
320 */
321 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
322 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
323 ERR_R_EVP_LIB);
324 goto err;
325 }
326 sig = OPENSSL_malloc(siglen);
327 if (sig == NULL
328 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
329 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
330 ERR_R_EVP_LIB);
331 goto err;
332 }
333 }
334
335 #ifndef OPENSSL_NO_GOST
336 {
337 int pktype = lu->sig;
338
339 if (pktype == NID_id_GostR3410_2001
340 || pktype == NID_id_GostR3410_2012_256
341 || pktype == NID_id_GostR3410_2012_512)
342 BUF_reverse(sig, NULL, siglen);
343 }
344 #endif
345
346 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
347 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
348 ERR_R_INTERNAL_ERROR);
349 goto err;
350 }
351
352 /* Digest cached records and discard handshake buffer */
353 if (!ssl3_digest_cached_records(s, 0)) {
354 /* SSLfatal() already called */
355 goto err;
356 }
357
358 OPENSSL_free(sig);
359 EVP_MD_CTX_free(mctx);
360 return 1;
361 err:
362 OPENSSL_free(sig);
363 EVP_MD_CTX_free(mctx);
364 return 0;
365 }
366
367 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
368 {
369 EVP_PKEY *pkey = NULL;
370 const unsigned char *data;
371 #ifndef OPENSSL_NO_GOST
372 unsigned char *gost_data = NULL;
373 #endif
374 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
375 int j;
376 unsigned int len;
377 X509 *peer;
378 const EVP_MD *md = NULL;
379 size_t hdatalen = 0;
380 void *hdata;
381 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
382 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
383 EVP_PKEY_CTX *pctx = NULL;
384
385 if (mctx == NULL) {
386 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
387 ERR_R_MALLOC_FAILURE);
388 goto err;
389 }
390
391 peer = s->session->peer;
392 pkey = X509_get0_pubkey(peer);
393 if (pkey == NULL) {
394 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
395 ERR_R_INTERNAL_ERROR);
396 goto err;
397 }
398
399 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
400 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
401 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
402 goto err;
403 }
404
405 if (SSL_USE_SIGALGS(s)) {
406 unsigned int sigalg;
407
408 if (!PACKET_get_net_2(pkt, &sigalg)) {
409 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
410 SSL_R_BAD_PACKET);
411 goto err;
412 }
413 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
414 /* SSLfatal() already called */
415 goto err;
416 }
417 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
418 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
419 ERR_R_INTERNAL_ERROR);
420 goto err;
421 }
422
423 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
424 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
425 ERR_R_INTERNAL_ERROR);
426 goto err;
427 }
428
429 if (SSL_USE_SIGALGS(s))
430 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
431 md == NULL ? "n/a" : EVP_MD_name(md));
432
433 /* Check for broken implementations of GOST ciphersuites */
434 /*
435 * If key is GOST and len is exactly 64 or 128, it is signature without
436 * length field (CryptoPro implementations at least till TLS 1.2)
437 */
438 #ifndef OPENSSL_NO_GOST
439 if (!SSL_USE_SIGALGS(s)
440 && ((PACKET_remaining(pkt) == 64
441 && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
442 || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
443 || (PACKET_remaining(pkt) == 128
444 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
445 len = PACKET_remaining(pkt);
446 } else
447 #endif
448 if (!PACKET_get_net_2(pkt, &len)) {
449 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
450 SSL_R_LENGTH_MISMATCH);
451 goto err;
452 }
453
454 if (!PACKET_get_bytes(pkt, &data, len)) {
455 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
456 SSL_R_LENGTH_MISMATCH);
457 goto err;
458 }
459
460 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
461 /* SSLfatal() already called */
462 goto err;
463 }
464
465 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
466 md == NULL ? "n/a" : EVP_MD_name(md));
467
468 if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
469 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
470 ERR_R_EVP_LIB);
471 goto err;
472 }
473 #ifndef OPENSSL_NO_GOST
474 {
475 int pktype = EVP_PKEY_id(pkey);
476 if (pktype == NID_id_GostR3410_2001
477 || pktype == NID_id_GostR3410_2012_256
478 || pktype == NID_id_GostR3410_2012_512) {
479 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
480 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
481 SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
482 goto err;
483 }
484 BUF_reverse(gost_data, data, len);
485 data = gost_data;
486 }
487 }
488 #endif
489
490 if (SSL_USE_PSS(s)) {
491 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
492 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
493 RSA_PSS_SALTLEN_DIGEST) <= 0) {
494 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
495 ERR_R_EVP_LIB);
496 goto err;
497 }
498 }
499 if (s->version == SSL3_VERSION) {
500 /*
501 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
502 * with a call to ssl3_digest_master_key_set_params()
503 */
504 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
505 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
506 (int)s->session->master_key_length,
507 s->session->master_key) <= 0) {
508 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
509 ERR_R_EVP_LIB);
510 goto err;
511 }
512 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
513 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
514 SSL_R_BAD_SIGNATURE);
515 goto err;
516 }
517 } else {
518 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
519 if (j <= 0) {
520 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
521 SSL_R_BAD_SIGNATURE);
522 goto err;
523 }
524 }
525
526 /*
527 * In TLSv1.3 on the client side we make sure we prepare the client
528 * certificate after the CertVerify instead of when we get the
529 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
530 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
531 * want to make sure that SSL_get_peer_certificate() will return the actual
532 * server certificate from the client_cert_cb callback.
533 */
534 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
535 ret = MSG_PROCESS_CONTINUE_PROCESSING;
536 else
537 ret = MSG_PROCESS_CONTINUE_READING;
538 err:
539 BIO_free(s->s3.handshake_buffer);
540 s->s3.handshake_buffer = NULL;
541 EVP_MD_CTX_free(mctx);
542 #ifndef OPENSSL_NO_GOST
543 OPENSSL_free(gost_data);
544 #endif
545 return ret;
546 }
547
548 int tls_construct_finished(SSL *s, WPACKET *pkt)
549 {
550 size_t finish_md_len;
551 const char *sender;
552 size_t slen;
553
554 /* This is a real handshake so make sure we clean it up at the end */
555 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
556 s->statem.cleanuphand = 1;
557
558 /*
559 * We only change the keys if we didn't already do this when we sent the
560 * client certificate
561 */
562 if (SSL_IS_TLS13(s)
563 && !s->server
564 && s->s3.tmp.cert_req == 0
565 && (!s->method->ssl3_enc->change_cipher_state(s,
566 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
567 /* SSLfatal() already called */
568 return 0;
569 }
570
571 if (s->server) {
572 sender = s->method->ssl3_enc->server_finished_label;
573 slen = s->method->ssl3_enc->server_finished_label_len;
574 } else {
575 sender = s->method->ssl3_enc->client_finished_label;
576 slen = s->method->ssl3_enc->client_finished_label_len;
577 }
578
579 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
580 sender, slen,
581 s->s3.tmp.finish_md);
582 if (finish_md_len == 0) {
583 /* SSLfatal() already called */
584 return 0;
585 }
586
587 s->s3.tmp.finish_md_len = finish_md_len;
588
589 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
590 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
591 ERR_R_INTERNAL_ERROR);
592 return 0;
593 }
594
595 /*
596 * Log the master secret, if logging is enabled. We don't log it for
597 * TLSv1.3: there's a different key schedule for that.
598 */
599 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
600 s->session->master_key,
601 s->session->master_key_length)) {
602 /* SSLfatal() already called */
603 return 0;
604 }
605
606 /*
607 * Copy the finished so we can use it for renegotiation checks
608 */
609 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
610 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
611 ERR_R_INTERNAL_ERROR);
612 return 0;
613 }
614 if (!s->server) {
615 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
616 finish_md_len);
617 s->s3.previous_client_finished_len = finish_md_len;
618 } else {
619 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
620 finish_md_len);
621 s->s3.previous_server_finished_len = finish_md_len;
622 }
623
624 return 1;
625 }
626
627 int tls_construct_key_update(SSL *s, WPACKET *pkt)
628 {
629 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
630 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
631 ERR_R_INTERNAL_ERROR);
632 return 0;
633 }
634
635 s->key_update = SSL_KEY_UPDATE_NONE;
636 return 1;
637 }
638
639 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
640 {
641 unsigned int updatetype;
642
643 /*
644 * A KeyUpdate message signals a key change so the end of the message must
645 * be on a record boundary.
646 */
647 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
648 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
649 SSL_R_NOT_ON_RECORD_BOUNDARY);
650 return MSG_PROCESS_ERROR;
651 }
652
653 if (!PACKET_get_1(pkt, &updatetype)
654 || PACKET_remaining(pkt) != 0) {
655 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
656 SSL_R_BAD_KEY_UPDATE);
657 return MSG_PROCESS_ERROR;
658 }
659
660 /*
661 * There are only two defined key update types. Fail if we get a value we
662 * didn't recognise.
663 */
664 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
665 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
666 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
667 SSL_R_BAD_KEY_UPDATE);
668 return MSG_PROCESS_ERROR;
669 }
670
671 /*
672 * If we get a request for us to update our sending keys too then, we need
673 * to additionally send a KeyUpdate message. However that message should
674 * not also request an update (otherwise we get into an infinite loop).
675 */
676 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
677 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
678
679 if (!tls13_update_key(s, 0)) {
680 /* SSLfatal() already called */
681 return MSG_PROCESS_ERROR;
682 }
683
684 return MSG_PROCESS_FINISHED_READING;
685 }
686
687 /*
688 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
689 * to far.
690 */
691 int ssl3_take_mac(SSL *s)
692 {
693 const char *sender;
694 size_t slen;
695
696 if (!s->server) {
697 sender = s->method->ssl3_enc->server_finished_label;
698 slen = s->method->ssl3_enc->server_finished_label_len;
699 } else {
700 sender = s->method->ssl3_enc->client_finished_label;
701 slen = s->method->ssl3_enc->client_finished_label_len;
702 }
703
704 s->s3.tmp.peer_finish_md_len =
705 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
706 s->s3.tmp.peer_finish_md);
707
708 if (s->s3.tmp.peer_finish_md_len == 0) {
709 /* SSLfatal() already called */
710 return 0;
711 }
712
713 return 1;
714 }
715
716 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
717 {
718 size_t remain;
719
720 remain = PACKET_remaining(pkt);
721 /*
722 * 'Change Cipher Spec' is just a single byte, which should already have
723 * been consumed by ssl_get_message() so there should be no bytes left,
724 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
725 */
726 if (SSL_IS_DTLS(s)) {
727 if ((s->version == DTLS1_BAD_VER
728 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
729 || (s->version != DTLS1_BAD_VER
730 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
731 SSLfatal(s, SSL_AD_DECODE_ERROR,
732 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
733 SSL_R_BAD_CHANGE_CIPHER_SPEC);
734 return MSG_PROCESS_ERROR;
735 }
736 } else {
737 if (remain != 0) {
738 SSLfatal(s, SSL_AD_DECODE_ERROR,
739 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
740 SSL_R_BAD_CHANGE_CIPHER_SPEC);
741 return MSG_PROCESS_ERROR;
742 }
743 }
744
745 /* Check we have a cipher to change to */
746 if (s->s3.tmp.new_cipher == NULL) {
747 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
748 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
749 return MSG_PROCESS_ERROR;
750 }
751
752 s->s3.change_cipher_spec = 1;
753 if (!ssl3_do_change_cipher_spec(s)) {
754 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
755 ERR_R_INTERNAL_ERROR);
756 return MSG_PROCESS_ERROR;
757 }
758
759 if (SSL_IS_DTLS(s)) {
760 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
761
762 if (s->version == DTLS1_BAD_VER)
763 s->d1->handshake_read_seq++;
764
765 #ifndef OPENSSL_NO_SCTP
766 /*
767 * Remember that a CCS has been received, so that an old key of
768 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
769 * SCTP is used
770 */
771 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
772 #endif
773 }
774
775 return MSG_PROCESS_CONTINUE_READING;
776 }
777
778 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
779 {
780 size_t md_len;
781
782
783 /* This is a real handshake so make sure we clean it up at the end */
784 if (s->server) {
785 /*
786 * To get this far we must have read encrypted data from the client. We
787 * no longer tolerate unencrypted alerts. This value is ignored if less
788 * than TLSv1.3
789 */
790 s->statem.enc_read_state = ENC_READ_STATE_VALID;
791 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
792 s->statem.cleanuphand = 1;
793 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
794 /* SSLfatal() already called */
795 return MSG_PROCESS_ERROR;
796 }
797 }
798
799 /*
800 * In TLSv1.3 a Finished message signals a key change so the end of the
801 * message must be on a record boundary.
802 */
803 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
804 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
805 SSL_R_NOT_ON_RECORD_BOUNDARY);
806 return MSG_PROCESS_ERROR;
807 }
808
809 /* If this occurs, we have missed a message */
810 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
811 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
812 SSL_R_GOT_A_FIN_BEFORE_A_CCS);
813 return MSG_PROCESS_ERROR;
814 }
815 s->s3.change_cipher_spec = 0;
816
817 md_len = s->s3.tmp.peer_finish_md_len;
818
819 if (md_len != PACKET_remaining(pkt)) {
820 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
821 SSL_R_BAD_DIGEST_LENGTH);
822 return MSG_PROCESS_ERROR;
823 }
824
825 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
826 md_len) != 0) {
827 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
828 SSL_R_DIGEST_CHECK_FAILED);
829 return MSG_PROCESS_ERROR;
830 }
831
832 /*
833 * Copy the finished so we can use it for renegotiation checks
834 */
835 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
836 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
837 ERR_R_INTERNAL_ERROR);
838 return MSG_PROCESS_ERROR;
839 }
840 if (s->server) {
841 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
842 md_len);
843 s->s3.previous_client_finished_len = md_len;
844 } else {
845 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
846 md_len);
847 s->s3.previous_server_finished_len = md_len;
848 }
849
850 /*
851 * In TLS1.3 we also have to change cipher state and do any final processing
852 * of the initial server flight (if we are a client)
853 */
854 if (SSL_IS_TLS13(s)) {
855 if (s->server) {
856 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
857 !s->method->ssl3_enc->change_cipher_state(s,
858 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
859 /* SSLfatal() already called */
860 return MSG_PROCESS_ERROR;
861 }
862 } else {
863 /* TLS 1.3 gets the secret size from the handshake md */
864 size_t dummy;
865 if (!s->method->ssl3_enc->generate_master_secret(s,
866 s->master_secret, s->handshake_secret, 0,
867 &dummy)) {
868 /* SSLfatal() already called */
869 return MSG_PROCESS_ERROR;
870 }
871 if (!s->method->ssl3_enc->change_cipher_state(s,
872 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
873 /* SSLfatal() already called */
874 return MSG_PROCESS_ERROR;
875 }
876 if (!tls_process_initial_server_flight(s)) {
877 /* SSLfatal() already called */
878 return MSG_PROCESS_ERROR;
879 }
880 }
881 }
882
883 return MSG_PROCESS_FINISHED_READING;
884 }
885
886 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
887 {
888 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
889 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
890 SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
891 return 0;
892 }
893
894 return 1;
895 }
896
897 /* Add a certificate to the WPACKET */
898 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
899 {
900 int len;
901 unsigned char *outbytes;
902
903 len = i2d_X509(x, NULL);
904 if (len < 0) {
905 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
906 ERR_R_BUF_LIB);
907 return 0;
908 }
909 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
910 || i2d_X509(x, &outbytes) != len) {
911 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
912 ERR_R_INTERNAL_ERROR);
913 return 0;
914 }
915
916 if (SSL_IS_TLS13(s)
917 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
918 chain)) {
919 /* SSLfatal() already called */
920 return 0;
921 }
922
923 return 1;
924 }
925
926 /* Add certificate chain to provided WPACKET */
927 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
928 {
929 int i, chain_count;
930 X509 *x;
931 STACK_OF(X509) *extra_certs;
932 STACK_OF(X509) *chain = NULL;
933 X509_STORE *chain_store;
934
935 if (cpk == NULL || cpk->x509 == NULL)
936 return 1;
937
938 x = cpk->x509;
939
940 /*
941 * If we have a certificate specific chain use it, else use parent ctx.
942 */
943 if (cpk->chain != NULL)
944 extra_certs = cpk->chain;
945 else
946 extra_certs = s->ctx->extra_certs;
947
948 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
949 chain_store = NULL;
950 else if (s->cert->chain_store)
951 chain_store = s->cert->chain_store;
952 else
953 chain_store = s->ctx->cert_store;
954
955 if (chain_store != NULL) {
956 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();
957
958 if (xs_ctx == NULL) {
959 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
960 ERR_R_MALLOC_FAILURE);
961 return 0;
962 }
963 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
964 X509_STORE_CTX_free(xs_ctx);
965 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
966 ERR_R_X509_LIB);
967 return 0;
968 }
969 /*
970 * It is valid for the chain not to be complete (because normally we
971 * don't include the root cert in the chain). Therefore we deliberately
972 * ignore the error return from this call. We're not actually verifying
973 * the cert - we're just building as much of the chain as we can
974 */
975 (void)X509_verify_cert(xs_ctx);
976 /* Don't leave errors in the queue */
977 ERR_clear_error();
978 chain = X509_STORE_CTX_get0_chain(xs_ctx);
979 i = ssl_security_cert_chain(s, chain, NULL, 0);
980 if (i != 1) {
981 #if 0
982 /* Dummy error calls so mkerr generates them */
983 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
984 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
985 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
986 #endif
987 X509_STORE_CTX_free(xs_ctx);
988 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
989 return 0;
990 }
991 chain_count = sk_X509_num(chain);
992 for (i = 0; i < chain_count; i++) {
993 x = sk_X509_value(chain, i);
994
995 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
996 /* SSLfatal() already called */
997 X509_STORE_CTX_free(xs_ctx);
998 return 0;
999 }
1000 }
1001 X509_STORE_CTX_free(xs_ctx);
1002 } else {
1003 i = ssl_security_cert_chain(s, extra_certs, x, 0);
1004 if (i != 1) {
1005 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
1006 return 0;
1007 }
1008 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1009 /* SSLfatal() already called */
1010 return 0;
1011 }
1012 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1013 x = sk_X509_value(extra_certs, i);
1014 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1015 /* SSLfatal() already called */
1016 return 0;
1017 }
1018 }
1019 }
1020 return 1;
1021 }
1022
1023 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1024 {
1025 if (!WPACKET_start_sub_packet_u24(pkt)) {
1026 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1027 ERR_R_INTERNAL_ERROR);
1028 return 0;
1029 }
1030
1031 if (!ssl_add_cert_chain(s, pkt, cpk))
1032 return 0;
1033
1034 if (!WPACKET_close(pkt)) {
1035 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1036 ERR_R_INTERNAL_ERROR);
1037 return 0;
1038 }
1039
1040 return 1;
1041 }
1042
1043 /*
1044 * Tidy up after the end of a handshake. In the case of SCTP this may result
1045 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1046 * freed up as well.
1047 */
1048 WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
1049 {
1050 void (*cb) (const SSL *ssl, int type, int val) = NULL;
1051 int cleanuphand = s->statem.cleanuphand;
1052
1053 if (clearbufs) {
1054 if (!SSL_IS_DTLS(s)
1055 #ifndef OPENSSL_NO_SCTP
1056 /*
1057 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1058 * messages that require it. Therefore, DTLS procedures for retransmissions
1059 * MUST NOT be used.
1060 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1061 */
1062 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1063 #endif
1064 ) {
1065 /*
1066 * We don't do this in DTLS over UDP because we may still need the init_buf
1067 * in case there are any unexpected retransmits
1068 */
1069 BUF_MEM_free(s->init_buf);
1070 s->init_buf = NULL;
1071 }
1072
1073 if (!ssl_free_wbio_buffer(s)) {
1074 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
1075 ERR_R_INTERNAL_ERROR);
1076 return WORK_ERROR;
1077 }
1078 s->init_num = 0;
1079 }
1080
1081 if (SSL_IS_TLS13(s) && !s->server
1082 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1083 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1084
1085 /*
1086 * Only set if there was a Finished message and this isn't after a TLSv1.3
1087 * post handshake exchange
1088 */
1089 if (cleanuphand) {
1090 /* skipped if we just sent a HelloRequest */
1091 s->renegotiate = 0;
1092 s->new_session = 0;
1093 s->statem.cleanuphand = 0;
1094 s->ext.ticket_expected = 0;
1095
1096 ssl3_cleanup_key_block(s);
1097
1098 if (s->server) {
1099 /*
1100 * In TLSv1.3 we update the cache as part of constructing the
1101 * NewSessionTicket
1102 */
1103 if (!SSL_IS_TLS13(s))
1104 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1105
1106 /* N.B. s->ctx may not equal s->session_ctx */
1107 tsan_counter(&s->ctx->stats.sess_accept_good);
1108 s->handshake_func = ossl_statem_accept;
1109 } else {
1110 if (SSL_IS_TLS13(s)) {
1111 /*
1112 * We encourage applications to only use TLSv1.3 tickets once,
1113 * so we remove this one from the cache.
1114 */
1115 if ((s->session_ctx->session_cache_mode
1116 & SSL_SESS_CACHE_CLIENT) != 0)
1117 SSL_CTX_remove_session(s->session_ctx, s->session);
1118 } else {
1119 /*
1120 * In TLSv1.3 we update the cache as part of processing the
1121 * NewSessionTicket
1122 */
1123 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1124 }
1125 if (s->hit)
1126 tsan_counter(&s->session_ctx->stats.sess_hit);
1127
1128 s->handshake_func = ossl_statem_connect;
1129 tsan_counter(&s->session_ctx->stats.sess_connect_good);
1130 }
1131
1132 if (SSL_IS_DTLS(s)) {
1133 /* done with handshaking */
1134 s->d1->handshake_read_seq = 0;
1135 s->d1->handshake_write_seq = 0;
1136 s->d1->next_handshake_write_seq = 0;
1137 dtls1_clear_received_buffer(s);
1138 }
1139 }
1140
1141 if (s->info_callback != NULL)
1142 cb = s->info_callback;
1143 else if (s->ctx->info_callback != NULL)
1144 cb = s->ctx->info_callback;
1145
1146 /* The callback may expect us to not be in init at handshake done */
1147 ossl_statem_set_in_init(s, 0);
1148
1149 if (cb != NULL) {
1150 if (cleanuphand
1151 || !SSL_IS_TLS13(s)
1152 || SSL_IS_FIRST_HANDSHAKE(s))
1153 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1154 }
1155
1156 if (!stop) {
1157 /* If we've got more work to do we go back into init */
1158 ossl_statem_set_in_init(s, 1);
1159 return WORK_FINISHED_CONTINUE;
1160 }
1161
1162 return WORK_FINISHED_STOP;
1163 }
1164
1165 int tls_get_message_header(SSL *s, int *mt)
1166 {
1167 /* s->init_num < SSL3_HM_HEADER_LENGTH */
1168 int skip_message, i, recvd_type;
1169 unsigned char *p;
1170 size_t l, readbytes;
1171
1172 p = (unsigned char *)s->init_buf->data;
1173
1174 do {
1175 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1176 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1177 &p[s->init_num],
1178 SSL3_HM_HEADER_LENGTH - s->init_num,
1179 0, &readbytes);
1180 if (i <= 0) {
1181 s->rwstate = SSL_READING;
1182 return 0;
1183 }
1184 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1185 /*
1186 * A ChangeCipherSpec must be a single byte and may not occur
1187 * in the middle of a handshake message.
1188 */
1189 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1190 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1191 SSL_F_TLS_GET_MESSAGE_HEADER,
1192 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1193 return 0;
1194 }
1195 if (s->statem.hand_state == TLS_ST_BEFORE
1196 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1197 /*
1198 * We are stateless and we received a CCS. Probably this is
1199 * from a client between the first and second ClientHellos.
1200 * We should ignore this, but return an error because we do
1201 * not return success until we see the second ClientHello
1202 * with a valid cookie.
1203 */
1204 return 0;
1205 }
1206 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1207 s->init_num = readbytes - 1;
1208 s->init_msg = s->init_buf->data;
1209 s->s3.tmp.message_size = readbytes;
1210 return 1;
1211 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1212 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1213 SSL_F_TLS_GET_MESSAGE_HEADER,
1214 SSL_R_CCS_RECEIVED_EARLY);
1215 return 0;
1216 }
1217 s->init_num += readbytes;
1218 }
1219
1220 skip_message = 0;
1221 if (!s->server)
1222 if (s->statem.hand_state != TLS_ST_OK
1223 && p[0] == SSL3_MT_HELLO_REQUEST)
1224 /*
1225 * The server may always send 'Hello Request' messages --
1226 * we are doing a handshake anyway now, so ignore them if
1227 * their format is correct. Does not count for 'Finished'
1228 * MAC.
1229 */
1230 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1231 s->init_num = 0;
1232 skip_message = 1;
1233
1234 if (s->msg_callback)
1235 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1236 p, SSL3_HM_HEADER_LENGTH, s,
1237 s->msg_callback_arg);
1238 }
1239 } while (skip_message);
1240 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1241
1242 *mt = *p;
1243 s->s3.tmp.message_type = *(p++);
1244
1245 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1246 /*
1247 * Only happens with SSLv3+ in an SSLv2 backward compatible
1248 * ClientHello
1249 *
1250 * Total message size is the remaining record bytes to read
1251 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1252 */
1253 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1254 + SSL3_HM_HEADER_LENGTH;
1255 s->s3.tmp.message_size = l;
1256
1257 s->init_msg = s->init_buf->data;
1258 s->init_num = SSL3_HM_HEADER_LENGTH;
1259 } else {
1260 n2l3(p, l);
1261 /* BUF_MEM_grow takes an 'int' parameter */
1262 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1263 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
1264 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1265 return 0;
1266 }
1267 s->s3.tmp.message_size = l;
1268
1269 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1270 s->init_num = 0;
1271 }
1272
1273 return 1;
1274 }
1275
1276 int tls_get_message_body(SSL *s, size_t *len)
1277 {
1278 size_t n, readbytes;
1279 unsigned char *p;
1280 int i;
1281
1282 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1283 /* We've already read everything in */
1284 *len = (unsigned long)s->init_num;
1285 return 1;
1286 }
1287
1288 p = s->init_msg;
1289 n = s->s3.tmp.message_size - s->init_num;
1290 while (n > 0) {
1291 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1292 &p[s->init_num], n, 0, &readbytes);
1293 if (i <= 0) {
1294 s->rwstate = SSL_READING;
1295 *len = 0;
1296 return 0;
1297 }
1298 s->init_num += readbytes;
1299 n -= readbytes;
1300 }
1301
1302 /*
1303 * If receiving Finished, record MAC of prior handshake messages for
1304 * Finished verification.
1305 */
1306 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1307 /* SSLfatal() already called */
1308 *len = 0;
1309 return 0;
1310 }
1311
1312 /* Feed this message into MAC computation. */
1313 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1314 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1315 s->init_num)) {
1316 /* SSLfatal() already called */
1317 *len = 0;
1318 return 0;
1319 }
1320 if (s->msg_callback)
1321 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1322 (size_t)s->init_num, s, s->msg_callback_arg);
1323 } else {
1324 /*
1325 * We defer feeding in the HRR until later. We'll do it as part of
1326 * processing the message
1327 * The TLsv1.3 handshake transcript stops at the ClientFinished
1328 * message.
1329 */
1330 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1331 /* KeyUpdate and NewSessionTicket do not need to be added */
1332 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1333 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1334 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1335 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1336 || memcmp(hrrrandom,
1337 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1338 SSL3_RANDOM_SIZE) != 0) {
1339 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1340 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1341 /* SSLfatal() already called */
1342 *len = 0;
1343 return 0;
1344 }
1345 }
1346 }
1347 if (s->msg_callback)
1348 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1349 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1350 s->msg_callback_arg);
1351 }
1352
1353 *len = s->init_num;
1354 return 1;
1355 }
1356
1357 static const X509ERR2ALERT x509table[] = {
1358 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1359 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1360 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1361 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1362 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1363 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1364 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1365 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1366 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1367 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1368 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1369 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1370 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1371 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1372 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1373 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1374 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1375 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1376 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1377 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1378 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1379 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1380 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1381 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1382 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1383 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1384 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1385 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1386 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1387 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1388 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1389 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1390 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1391 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1392 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1393 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1394 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1395 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1396 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1397
1398 /* Last entry; return this if we don't find the value above. */
1399 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1400 };
1401
1402 int ssl_x509err2alert(int x509err)
1403 {
1404 const X509ERR2ALERT *tp;
1405
1406 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1407 if (tp->x509err == x509err)
1408 break;
1409 return tp->alert;
1410 }
1411
1412 int ssl_allow_compression(SSL *s)
1413 {
1414 if (s->options & SSL_OP_NO_COMPRESSION)
1415 return 0;
1416 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1417 }
1418
1419 static int version_cmp(const SSL *s, int a, int b)
1420 {
1421 int dtls = SSL_IS_DTLS(s);
1422
1423 if (a == b)
1424 return 0;
1425 if (!dtls)
1426 return a < b ? -1 : 1;
1427 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1428 }
1429
1430 typedef struct {
1431 int version;
1432 const SSL_METHOD *(*cmeth) (void);
1433 const SSL_METHOD *(*smeth) (void);
1434 } version_info;
1435
1436 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1437 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1438 #endif
1439
1440 /* Must be in order high to low */
1441 static const version_info tls_version_table[] = {
1442 #ifndef OPENSSL_NO_TLS1_3
1443 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1444 #else
1445 {TLS1_3_VERSION, NULL, NULL},
1446 #endif
1447 #ifndef OPENSSL_NO_TLS1_2
1448 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1449 #else
1450 {TLS1_2_VERSION, NULL, NULL},
1451 #endif
1452 #ifndef OPENSSL_NO_TLS1_1
1453 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1454 #else
1455 {TLS1_1_VERSION, NULL, NULL},
1456 #endif
1457 #ifndef OPENSSL_NO_TLS1
1458 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1459 #else
1460 {TLS1_VERSION, NULL, NULL},
1461 #endif
1462 #ifndef OPENSSL_NO_SSL3
1463 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1464 #else
1465 {SSL3_VERSION, NULL, NULL},
1466 #endif
1467 {0, NULL, NULL},
1468 };
1469
1470 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1471 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1472 #endif
1473
1474 /* Must be in order high to low */
1475 static const version_info dtls_version_table[] = {
1476 #ifndef OPENSSL_NO_DTLS1_2
1477 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1478 #else
1479 {DTLS1_2_VERSION, NULL, NULL},
1480 #endif
1481 #ifndef OPENSSL_NO_DTLS1
1482 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1483 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1484 #else
1485 {DTLS1_VERSION, NULL, NULL},
1486 {DTLS1_BAD_VER, NULL, NULL},
1487 #endif
1488 {0, NULL, NULL},
1489 };
1490
1491 /*
1492 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1493 *
1494 * @s: The SSL handle for the candidate method
1495 * @method: the intended method.
1496 *
1497 * Returns 0 on success, or an SSL error reason on failure.
1498 */
1499 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1500 {
1501 int version = method->version;
1502
1503 if ((s->min_proto_version != 0 &&
1504 version_cmp(s, version, s->min_proto_version) < 0) ||
1505 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1506 return SSL_R_VERSION_TOO_LOW;
1507
1508 if (s->max_proto_version != 0 &&
1509 version_cmp(s, version, s->max_proto_version) > 0)
1510 return SSL_R_VERSION_TOO_HIGH;
1511
1512 if ((s->options & method->mask) != 0)
1513 return SSL_R_UNSUPPORTED_PROTOCOL;
1514 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1515 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1516
1517 return 0;
1518 }
1519
1520 /*
1521 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1522 * certificate type, or has PSK or a certificate callback configured. Otherwise
1523 * returns 0.
1524 */
1525 static int is_tls13_capable(const SSL *s)
1526 {
1527 int i;
1528 #ifndef OPENSSL_NO_EC
1529 int curve;
1530 EC_KEY *eckey;
1531 #endif
1532
1533 #ifndef OPENSSL_NO_PSK
1534 if (s->psk_server_callback != NULL)
1535 return 1;
1536 #endif
1537
1538 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1539 return 1;
1540
1541 for (i = 0; i < SSL_PKEY_NUM; i++) {
1542 /* Skip over certs disallowed for TLSv1.3 */
1543 switch (i) {
1544 case SSL_PKEY_DSA_SIGN:
1545 case SSL_PKEY_GOST01:
1546 case SSL_PKEY_GOST12_256:
1547 case SSL_PKEY_GOST12_512:
1548 continue;
1549 default:
1550 break;
1551 }
1552 if (!ssl_has_cert(s, i))
1553 continue;
1554 #ifndef OPENSSL_NO_EC
1555 if (i != SSL_PKEY_ECC)
1556 return 1;
1557 /*
1558 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1559 * more restrictive so check that our sig algs are consistent with this
1560 * EC cert. See section 4.2.3 of RFC8446.
1561 */
1562 eckey = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1563 if (eckey == NULL)
1564 continue;
1565 curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
1566 if (tls_check_sigalg_curve(s, curve))
1567 return 1;
1568 #else
1569 return 1;
1570 #endif
1571 }
1572
1573 return 0;
1574 }
1575
1576 /*
1577 * ssl_version_supported - Check that the specified `version` is supported by
1578 * `SSL *` instance
1579 *
1580 * @s: The SSL handle for the candidate method
1581 * @version: Protocol version to test against
1582 *
1583 * Returns 1 when supported, otherwise 0
1584 */
1585 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1586 {
1587 const version_info *vent;
1588 const version_info *table;
1589
1590 switch (s->method->version) {
1591 default:
1592 /* Version should match method version for non-ANY method */
1593 return version_cmp(s, version, s->version) == 0;
1594 case TLS_ANY_VERSION:
1595 table = tls_version_table;
1596 break;
1597 case DTLS_ANY_VERSION:
1598 table = dtls_version_table;
1599 break;
1600 }
1601
1602 for (vent = table;
1603 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1604 ++vent) {
1605 if (vent->cmeth != NULL
1606 && version_cmp(s, version, vent->version) == 0
1607 && ssl_method_error(s, vent->cmeth()) == 0
1608 && (!s->server
1609 || version != TLS1_3_VERSION
1610 || is_tls13_capable(s))) {
1611 if (meth != NULL)
1612 *meth = vent->cmeth();
1613 return 1;
1614 }
1615 }
1616 return 0;
1617 }
1618
1619 /*
1620 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1621 * fallback indication from a client check whether we're using the highest
1622 * supported protocol version.
1623 *
1624 * @s server SSL handle.
1625 *
1626 * Returns 1 when using the highest enabled version, 0 otherwise.
1627 */
1628 int ssl_check_version_downgrade(SSL *s)
1629 {
1630 const version_info *vent;
1631 const version_info *table;
1632
1633 /*
1634 * Check that the current protocol is the highest enabled version
1635 * (according to s->ctx->method, as version negotiation may have changed
1636 * s->method).
1637 */
1638 if (s->version == s->ctx->method->version)
1639 return 1;
1640
1641 /*
1642 * Apparently we're using a version-flexible SSL_METHOD (not at its
1643 * highest protocol version).
1644 */
1645 if (s->ctx->method->version == TLS_method()->version)
1646 table = tls_version_table;
1647 else if (s->ctx->method->version == DTLS_method()->version)
1648 table = dtls_version_table;
1649 else {
1650 /* Unexpected state; fail closed. */
1651 return 0;
1652 }
1653
1654 for (vent = table; vent->version != 0; ++vent) {
1655 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1656 return s->version == vent->version;
1657 }
1658 return 0;
1659 }
1660
1661 /*
1662 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1663 * protocols, provided the initial (D)TLS method is version-flexible. This
1664 * function sanity-checks the proposed value and makes sure the method is
1665 * version-flexible, then sets the limit if all is well.
1666 *
1667 * @method_version: The version of the current SSL_METHOD.
1668 * @version: the intended limit.
1669 * @bound: pointer to limit to be updated.
1670 *
1671 * Returns 1 on success, 0 on failure.
1672 */
1673 int ssl_set_version_bound(int method_version, int version, int *bound)
1674 {
1675 if (version == 0) {
1676 *bound = version;
1677 return 1;
1678 }
1679
1680 /*-
1681 * Restrict TLS methods to TLS protocol versions.
1682 * Restrict DTLS methods to DTLS protocol versions.
1683 * Note, DTLS version numbers are decreasing, use comparison macros.
1684 *
1685 * Note that for both lower-bounds we use explicit versions, not
1686 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1687 * configurations. If the MIN (supported) version ever rises, the user's
1688 * "floor" remains valid even if no longer available. We don't expect the
1689 * MAX ceiling to ever get lower, so making that variable makes sense.
1690 */
1691 switch (method_version) {
1692 default:
1693 /*
1694 * XXX For fixed version methods, should we always fail and not set any
1695 * bounds, always succeed and not set any bounds, or set the bounds and
1696 * arrange to fail later if they are not met? At present fixed-version
1697 * methods are not subject to controls that disable individual protocol
1698 * versions.
1699 */
1700 return 0;
1701
1702 case TLS_ANY_VERSION:
1703 if (version < SSL3_VERSION || version > TLS_MAX_VERSION_INTERNAL)
1704 return 0;
1705 break;
1706
1707 case DTLS_ANY_VERSION:
1708 if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION_INTERNAL) ||
1709 DTLS_VERSION_LT(version, DTLS1_BAD_VER))
1710 return 0;
1711 break;
1712 }
1713
1714 *bound = version;
1715 return 1;
1716 }
1717
1718 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1719 {
1720 if (vers == TLS1_2_VERSION
1721 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1722 *dgrd = DOWNGRADE_TO_1_2;
1723 } else if (!SSL_IS_DTLS(s)
1724 && vers < TLS1_2_VERSION
1725 /*
1726 * We need to ensure that a server that disables TLSv1.2
1727 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1728 * complete handshakes with clients that support TLSv1.2 and
1729 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1730 * enabled and TLSv1.2 is not.
1731 */
1732 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1733 *dgrd = DOWNGRADE_TO_1_1;
1734 } else {
1735 *dgrd = DOWNGRADE_NONE;
1736 }
1737 }
1738
1739 /*
1740 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1741 * client HELLO is received to select the final server protocol version and
1742 * the version specific method.
1743 *
1744 * @s: server SSL handle.
1745 *
1746 * Returns 0 on success or an SSL error reason number on failure.
1747 */
1748 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1749 {
1750 /*-
1751 * With version-flexible methods we have an initial state with:
1752 *
1753 * s->method->version == (D)TLS_ANY_VERSION,
1754 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
1755 *
1756 * So we detect version-flexible methods via the method version, not the
1757 * handle version.
1758 */
1759 int server_version = s->method->version;
1760 int client_version = hello->legacy_version;
1761 const version_info *vent;
1762 const version_info *table;
1763 int disabled = 0;
1764 RAW_EXTENSION *suppversions;
1765
1766 s->client_version = client_version;
1767
1768 switch (server_version) {
1769 default:
1770 if (!SSL_IS_TLS13(s)) {
1771 if (version_cmp(s, client_version, s->version) < 0)
1772 return SSL_R_WRONG_SSL_VERSION;
1773 *dgrd = DOWNGRADE_NONE;
1774 /*
1775 * If this SSL handle is not from a version flexible method we don't
1776 * (and never did) check min/max FIPS or Suite B constraints. Hope
1777 * that's OK. It is up to the caller to not choose fixed protocol
1778 * versions they don't want. If not, then easy to fix, just return
1779 * ssl_method_error(s, s->method)
1780 */
1781 return 0;
1782 }
1783 /*
1784 * Fall through if we are TLSv1.3 already (this means we must be after
1785 * a HelloRetryRequest
1786 */
1787 /* fall thru */
1788 case TLS_ANY_VERSION:
1789 table = tls_version_table;
1790 break;
1791 case DTLS_ANY_VERSION:
1792 table = dtls_version_table;
1793 break;
1794 }
1795
1796 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1797
1798 /* If we did an HRR then supported versions is mandatory */
1799 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1800 return SSL_R_UNSUPPORTED_PROTOCOL;
1801
1802 if (suppversions->present && !SSL_IS_DTLS(s)) {
1803 unsigned int candidate_vers = 0;
1804 unsigned int best_vers = 0;
1805 const SSL_METHOD *best_method = NULL;
1806 PACKET versionslist;
1807
1808 suppversions->parsed = 1;
1809
1810 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1811 /* Trailing or invalid data? */
1812 return SSL_R_LENGTH_MISMATCH;
1813 }
1814
1815 /*
1816 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1817 * The spec only requires servers to check that it isn't SSLv3:
1818 * "Any endpoint receiving a Hello message with
1819 * ClientHello.legacy_version or ServerHello.legacy_version set to
1820 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1821 * We are slightly stricter and require that it isn't SSLv3 or lower.
1822 * We tolerate TLSv1 and TLSv1.1.
1823 */
1824 if (client_version <= SSL3_VERSION)
1825 return SSL_R_BAD_LEGACY_VERSION;
1826
1827 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1828 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1829 continue;
1830 if (ssl_version_supported(s, candidate_vers, &best_method))
1831 best_vers = candidate_vers;
1832 }
1833 if (PACKET_remaining(&versionslist) != 0) {
1834 /* Trailing data? */
1835 return SSL_R_LENGTH_MISMATCH;
1836 }
1837
1838 if (best_vers > 0) {
1839 if (s->hello_retry_request != SSL_HRR_NONE) {
1840 /*
1841 * This is after a HelloRetryRequest so we better check that we
1842 * negotiated TLSv1.3
1843 */
1844 if (best_vers != TLS1_3_VERSION)
1845 return SSL_R_UNSUPPORTED_PROTOCOL;
1846 return 0;
1847 }
1848 check_for_downgrade(s, best_vers, dgrd);
1849 s->version = best_vers;
1850 s->method = best_method;
1851 return 0;
1852 }
1853 return SSL_R_UNSUPPORTED_PROTOCOL;
1854 }
1855
1856 /*
1857 * If the supported versions extension isn't present, then the highest
1858 * version we can negotiate is TLSv1.2
1859 */
1860 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1861 client_version = TLS1_2_VERSION;
1862
1863 /*
1864 * No supported versions extension, so we just use the version supplied in
1865 * the ClientHello.
1866 */
1867 for (vent = table; vent->version != 0; ++vent) {
1868 const SSL_METHOD *method;
1869
1870 if (vent->smeth == NULL ||
1871 version_cmp(s, client_version, vent->version) < 0)
1872 continue;
1873 method = vent->smeth();
1874 if (ssl_method_error(s, method) == 0) {
1875 check_for_downgrade(s, vent->version, dgrd);
1876 s->version = vent->version;
1877 s->method = method;
1878 return 0;
1879 }
1880 disabled = 1;
1881 }
1882 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1883 }
1884
1885 /*
1886 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1887 * server HELLO is received to select the final client protocol version and
1888 * the version specific method.
1889 *
1890 * @s: client SSL handle.
1891 * @version: The proposed version from the server's HELLO.
1892 * @extensions: The extensions received
1893 *
1894 * Returns 1 on success or 0 on error.
1895 */
1896 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1897 {
1898 const version_info *vent;
1899 const version_info *table;
1900 int ret, ver_min, ver_max, real_max, origv;
1901
1902 origv = s->version;
1903 s->version = version;
1904
1905 /* This will overwrite s->version if the extension is present */
1906 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1907 SSL_EXT_TLS1_2_SERVER_HELLO
1908 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1909 NULL, 0)) {
1910 s->version = origv;
1911 return 0;
1912 }
1913
1914 if (s->hello_retry_request != SSL_HRR_NONE
1915 && s->version != TLS1_3_VERSION) {
1916 s->version = origv;
1917 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1918 SSL_R_WRONG_SSL_VERSION);
1919 return 0;
1920 }
1921
1922 switch (s->method->version) {
1923 default:
1924 if (s->version != s->method->version) {
1925 s->version = origv;
1926 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1927 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1928 SSL_R_WRONG_SSL_VERSION);
1929 return 0;
1930 }
1931 /*
1932 * If this SSL handle is not from a version flexible method we don't
1933 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1934 * that's OK. It is up to the caller to not choose fixed protocol
1935 * versions they don't want. If not, then easy to fix, just return
1936 * ssl_method_error(s, s->method)
1937 */
1938 return 1;
1939 case TLS_ANY_VERSION:
1940 table = tls_version_table;
1941 break;
1942 case DTLS_ANY_VERSION:
1943 table = dtls_version_table;
1944 break;
1945 }
1946
1947 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1948 if (ret != 0) {
1949 s->version = origv;
1950 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1951 SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
1952 return 0;
1953 }
1954 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1955 : s->version < ver_min) {
1956 s->version = origv;
1957 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1958 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1959 return 0;
1960 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1961 : s->version > ver_max) {
1962 s->version = origv;
1963 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1964 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1965 return 0;
1966 }
1967
1968 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1969 real_max = ver_max;
1970
1971 /* Check for downgrades */
1972 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1973 if (memcmp(tls12downgrade,
1974 s->s3.server_random + SSL3_RANDOM_SIZE
1975 - sizeof(tls12downgrade),
1976 sizeof(tls12downgrade)) == 0) {
1977 s->version = origv;
1978 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1979 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1980 SSL_R_INAPPROPRIATE_FALLBACK);
1981 return 0;
1982 }
1983 } else if (!SSL_IS_DTLS(s)
1984 && s->version < TLS1_2_VERSION
1985 && real_max > s->version) {
1986 if (memcmp(tls11downgrade,
1987 s->s3.server_random + SSL3_RANDOM_SIZE
1988 - sizeof(tls11downgrade),
1989 sizeof(tls11downgrade)) == 0) {
1990 s->version = origv;
1991 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1992 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1993 SSL_R_INAPPROPRIATE_FALLBACK);
1994 return 0;
1995 }
1996 }
1997
1998 for (vent = table; vent->version != 0; ++vent) {
1999 if (vent->cmeth == NULL || s->version != vent->version)
2000 continue;
2001
2002 s->method = vent->cmeth();
2003 return 1;
2004 }
2005
2006 s->version = origv;
2007 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2008 SSL_R_UNSUPPORTED_PROTOCOL);
2009 return 0;
2010 }
2011
2012 /*
2013 * ssl_get_min_max_version - get minimum and maximum protocol version
2014 * @s: The SSL connection
2015 * @min_version: The minimum supported version
2016 * @max_version: The maximum supported version
2017 * @real_max: The highest version below the lowest compile time version hole
2018 * where that hole lies above at least one run-time enabled
2019 * protocol.
2020 *
2021 * Work out what version we should be using for the initial ClientHello if the
2022 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2023 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2024 * constraints and any floor imposed by the security level here,
2025 * so we don't advertise the wrong protocol version to only reject the outcome later.
2026 *
2027 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2028 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2029 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2030 *
2031 * Returns 0 on success or an SSL error reason number on failure. On failure
2032 * min_version and max_version will also be set to 0.
2033 */
2034 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2035 int *real_max)
2036 {
2037 int version, tmp_real_max;
2038 int hole;
2039 const SSL_METHOD *single = NULL;
2040 const SSL_METHOD *method;
2041 const version_info *table;
2042 const version_info *vent;
2043
2044 switch (s->method->version) {
2045 default:
2046 /*
2047 * If this SSL handle is not from a version flexible method we don't
2048 * (and never did) check min/max FIPS or Suite B constraints. Hope
2049 * that's OK. It is up to the caller to not choose fixed protocol
2050 * versions they don't want. If not, then easy to fix, just return
2051 * ssl_method_error(s, s->method)
2052 */
2053 *min_version = *max_version = s->version;
2054 /*
2055 * Providing a real_max only makes sense where we're using a version
2056 * flexible method.
2057 */
2058 if (!ossl_assert(real_max == NULL))
2059 return ERR_R_INTERNAL_ERROR;
2060 return 0;
2061 case TLS_ANY_VERSION:
2062 table = tls_version_table;
2063 break;
2064 case DTLS_ANY_VERSION:
2065 table = dtls_version_table;
2066 break;
2067 }
2068
2069 /*
2070 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2071 * below X enabled. This is required in order to maintain the "version
2072 * capability" vector contiguous. Any versions with a NULL client method
2073 * (protocol version client is disabled at compile-time) is also a "hole".
2074 *
2075 * Our initial state is hole == 1, version == 0. That is, versions above
2076 * the first version in the method table are disabled (a "hole" above
2077 * the valid protocol entries) and we don't have a selected version yet.
2078 *
2079 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2080 * the selected version, and the method becomes a candidate "single"
2081 * method. We're no longer in a hole, so "hole" becomes 0.
2082 *
2083 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2084 * as we support a contiguous range of at least two methods. If we hit
2085 * a disabled method, then hole becomes true again, but nothing else
2086 * changes yet, because all the remaining methods may be disabled too.
2087 * If we again hit an enabled method after the new hole, it becomes
2088 * selected, as we start from scratch.
2089 */
2090 *min_version = version = 0;
2091 hole = 1;
2092 if (real_max != NULL)
2093 *real_max = 0;
2094 tmp_real_max = 0;
2095 for (vent = table; vent->version != 0; ++vent) {
2096 /*
2097 * A table entry with a NULL client method is still a hole in the
2098 * "version capability" vector.
2099 */
2100 if (vent->cmeth == NULL) {
2101 hole = 1;
2102 tmp_real_max = 0;
2103 continue;
2104 }
2105 method = vent->cmeth();
2106
2107 if (hole == 1 && tmp_real_max == 0)
2108 tmp_real_max = vent->version;
2109
2110 if (ssl_method_error(s, method) != 0) {
2111 hole = 1;
2112 } else if (!hole) {
2113 single = NULL;
2114 *min_version = method->version;
2115 } else {
2116 if (real_max != NULL && tmp_real_max != 0)
2117 *real_max = tmp_real_max;
2118 version = (single = method)->version;
2119 *min_version = version;
2120 hole = 0;
2121 }
2122 }
2123
2124 *max_version = version;
2125
2126 /* Fail if everything is disabled */
2127 if (version == 0)
2128 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2129
2130 return 0;
2131 }
2132
2133 /*
2134 * ssl_set_client_hello_version - Work out what version we should be using for
2135 * the initial ClientHello.legacy_version field.
2136 *
2137 * @s: client SSL handle.
2138 *
2139 * Returns 0 on success or an SSL error reason number on failure.
2140 */
2141 int ssl_set_client_hello_version(SSL *s)
2142 {
2143 int ver_min, ver_max, ret;
2144
2145 /*
2146 * In a renegotiation we always send the same client_version that we sent
2147 * last time, regardless of which version we eventually negotiated.
2148 */
2149 if (!SSL_IS_FIRST_HANDSHAKE(s))
2150 return 0;
2151
2152 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2153
2154 if (ret != 0)
2155 return ret;
2156
2157 s->version = ver_max;
2158
2159 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2160 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2161 ver_max = TLS1_2_VERSION;
2162
2163 s->client_version = ver_max;
2164 return 0;
2165 }
2166
2167 /*
2168 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2169 * and |checkallow| is 1 then additionally check if the group is allowed to be
2170 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2171 * 1) or 0 otherwise.
2172 */
2173 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2174 size_t num_groups, int checkallow)
2175 {
2176 size_t i;
2177
2178 if (groups == NULL || num_groups == 0)
2179 return 0;
2180
2181 for (i = 0; i < num_groups; i++) {
2182 uint16_t group = groups[i];
2183
2184 if (group_id == group
2185 && (!checkallow
2186 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2187 return 1;
2188 }
2189 }
2190
2191 return 0;
2192 }
2193
2194 /* Replace ClientHello1 in the transcript hash with a synthetic message */
2195 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2196 size_t hashlen, const unsigned char *hrr,
2197 size_t hrrlen)
2198 {
2199 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2200 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2201
2202 memset(msghdr, 0, sizeof(msghdr));
2203
2204 if (hashval == NULL) {
2205 hashval = hashvaltmp;
2206 hashlen = 0;
2207 /* Get the hash of the initial ClientHello */
2208 if (!ssl3_digest_cached_records(s, 0)
2209 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2210 &hashlen)) {
2211 /* SSLfatal() already called */
2212 return 0;
2213 }
2214 }
2215
2216 /* Reinitialise the transcript hash */
2217 if (!ssl3_init_finished_mac(s)) {
2218 /* SSLfatal() already called */
2219 return 0;
2220 }
2221
2222 /* Inject the synthetic message_hash message */
2223 msghdr[0] = SSL3_MT_MESSAGE_HASH;
2224 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2225 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2226 || !ssl3_finish_mac(s, hashval, hashlen)) {
2227 /* SSLfatal() already called */
2228 return 0;
2229 }
2230
2231 /*
2232 * Now re-inject the HRR and current message if appropriate (we just deleted
2233 * it when we reinitialised the transcript hash above). Only necessary after
2234 * receiving a ClientHello2 with a cookie.
2235 */
2236 if (hrr != NULL
2237 && (!ssl3_finish_mac(s, hrr, hrrlen)
2238 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2239 s->s3.tmp.message_size
2240 + SSL3_HM_HEADER_LENGTH))) {
2241 /* SSLfatal() already called */
2242 return 0;
2243 }
2244
2245 return 1;
2246 }
2247
2248 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2249 {
2250 return X509_NAME_cmp(*a, *b);
2251 }
2252
2253 int parse_ca_names(SSL *s, PACKET *pkt)
2254 {
2255 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2256 X509_NAME *xn = NULL;
2257 PACKET cadns;
2258
2259 if (ca_sk == NULL) {
2260 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2261 ERR_R_MALLOC_FAILURE);
2262 goto err;
2263 }
2264 /* get the CA RDNs */
2265 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2266 SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
2267 SSL_R_LENGTH_MISMATCH);
2268 goto err;
2269 }
2270
2271 while (PACKET_remaining(&cadns)) {
2272 const unsigned char *namestart, *namebytes;
2273 unsigned int name_len;
2274
2275 if (!PACKET_get_net_2(&cadns, &name_len)
2276 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2277 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2278 SSL_R_LENGTH_MISMATCH);
2279 goto err;
2280 }
2281
2282 namestart = namebytes;
2283 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2284 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2285 ERR_R_ASN1_LIB);
2286 goto err;
2287 }
2288 if (namebytes != (namestart + name_len)) {
2289 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2290 SSL_R_CA_DN_LENGTH_MISMATCH);
2291 goto err;
2292 }
2293
2294 if (!sk_X509_NAME_push(ca_sk, xn)) {
2295 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2296 ERR_R_MALLOC_FAILURE);
2297 goto err;
2298 }
2299 xn = NULL;
2300 }
2301
2302 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2303 s->s3.tmp.peer_ca_names = ca_sk;
2304
2305 return 1;
2306
2307 err:
2308 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2309 X509_NAME_free(xn);
2310 return 0;
2311 }
2312
2313 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2314 {
2315 const STACK_OF(X509_NAME) *ca_sk = NULL;;
2316
2317 if (s->server) {
2318 ca_sk = SSL_get_client_CA_list(s);
2319 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2320 ca_sk = NULL;
2321 }
2322
2323 if (ca_sk == NULL)
2324 ca_sk = SSL_get0_CA_list(s);
2325
2326 return ca_sk;
2327 }
2328
2329 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2330 {
2331 /* Start sub-packet for client CA list */
2332 if (!WPACKET_start_sub_packet_u16(pkt)) {
2333 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2334 ERR_R_INTERNAL_ERROR);
2335 return 0;
2336 }
2337
2338 if (ca_sk != NULL) {
2339 int i;
2340
2341 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2342 unsigned char *namebytes;
2343 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2344 int namelen;
2345
2346 if (name == NULL
2347 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2348 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2349 &namebytes)
2350 || i2d_X509_NAME(name, &namebytes) != namelen) {
2351 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2352 ERR_R_INTERNAL_ERROR);
2353 return 0;
2354 }
2355 }
2356 }
2357
2358 if (!WPACKET_close(pkt)) {
2359 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2360 ERR_R_INTERNAL_ERROR);
2361 return 0;
2362 }
2363
2364 return 1;
2365 }
2366
2367 /* Create a buffer containing data to be signed for server key exchange */
2368 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2369 const void *param, size_t paramlen)
2370 {
2371 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2372 unsigned char *tbs = OPENSSL_malloc(tbslen);
2373
2374 if (tbs == NULL) {
2375 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
2376 ERR_R_MALLOC_FAILURE);
2377 return 0;
2378 }
2379 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2380 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2381
2382 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2383
2384 *ptbs = tbs;
2385 return tbslen;
2386 }
2387
2388 /*
2389 * Saves the current handshake digest for Post-Handshake Auth,
2390 * Done after ClientFinished is processed, done exactly once
2391 */
2392 int tls13_save_handshake_digest_for_pha(SSL *s)
2393 {
2394 if (s->pha_dgst == NULL) {
2395 if (!ssl3_digest_cached_records(s, 1))
2396 /* SSLfatal() already called */
2397 return 0;
2398
2399 s->pha_dgst = EVP_MD_CTX_new();
2400 if (s->pha_dgst == NULL) {
2401 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2402 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2403 ERR_R_INTERNAL_ERROR);
2404 return 0;
2405 }
2406 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2407 s->s3.handshake_dgst)) {
2408 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2409 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2410 ERR_R_INTERNAL_ERROR);
2411 return 0;
2412 }
2413 }
2414 return 1;
2415 }
2416
2417 /*
2418 * Restores the Post-Handshake Auth handshake digest
2419 * Done just before sending/processing the Cert Request
2420 */
2421 int tls13_restore_handshake_digest_for_pha(SSL *s)
2422 {
2423 if (s->pha_dgst == NULL) {
2424 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2425 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2426 ERR_R_INTERNAL_ERROR);
2427 return 0;
2428 }
2429 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2430 s->pha_dgst)) {
2431 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2432 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2433 ERR_R_INTERNAL_ERROR);
2434 return 0;
2435 }
2436 return 1;
2437 }
A mirror of the official openssl repository