]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/statem_lib.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Enable brainpool curves for TLS1.3
[thirdparty/openssl.git] / ssl / statem / statem_lib.c
1 /*
2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include <limits.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/objects.h>
19 #include <openssl/evp.h>
20 #include <openssl/rsa.h>
21 #include <openssl/x509.h>
22 #include <openssl/trace.h>
23
24 /*
25 * Map error codes to TLS/SSL alart types.
26 */
27 typedef struct x509err2alert_st {
28 int x509err;
29 int alert;
30 } X509ERR2ALERT;
31
32 /* Fixed value used in the ServerHello random field to identify an HRR */
33 const unsigned char hrrrandom[] = {
34 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37 };
38
39 /*
40 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41 * SSL3_RT_CHANGE_CIPHER_SPEC)
42 */
43 int ssl3_do_write(SSL *s, int type)
44 {
45 int ret;
46 size_t written = 0;
47
48 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
49 s->init_num, &written);
50 if (ret < 0)
51 return -1;
52 if (type == SSL3_RT_HANDSHAKE)
53 /*
54 * should not be done for 'Hello Request's, but in that case we'll
55 * ignore the result anyway
56 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
57 */
58 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
59 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
60 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
61 if (!ssl3_finish_mac(s,
62 (unsigned char *)&s->init_buf->data[s->init_off],
63 written))
64 return -1;
65 if (written == s->init_num) {
66 if (s->msg_callback)
67 s->msg_callback(1, s->version, type, s->init_buf->data,
68 (size_t)(s->init_off + s->init_num), s,
69 s->msg_callback_arg);
70 return 1;
71 }
72 s->init_off += written;
73 s->init_num -= written;
74 return 0;
75 }
76
77 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
78 {
79 size_t msglen;
80
81 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
82 || !WPACKET_get_length(pkt, &msglen)
83 || msglen > INT_MAX)
84 return 0;
85 s->init_num = (int)msglen;
86 s->init_off = 0;
87
88 return 1;
89 }
90
91 int tls_setup_handshake(SSL *s)
92 {
93 int ver_min, ver_max, ok;
94
95 if (!ssl3_init_finished_mac(s)) {
96 /* SSLfatal() already called */
97 return 0;
98 }
99
100 /* Reset any extension flags */
101 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
102
103 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
104 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
105 return 0;
106 }
107
108 /* Sanity check that we have MD5-SHA1 if we need it */
109 if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
110 int md5sha1_needed = 0;
111
112 /* We don't have MD5-SHA1 - do we need it? */
113 if (SSL_IS_DTLS(s)) {
114 if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
115 md5sha1_needed = 1;
116 } else {
117 if (ver_max <= TLS1_1_VERSION)
118 md5sha1_needed = 1;
119 }
120 if (md5sha1_needed) {
121 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
122 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
123 "The max supported SSL/TLS version needs the"
124 " MD5-SHA1 digest but it is not available"
125 " in the loaded providers. Use (D)TLSv1.2 or"
126 " above, or load different providers");
127 return 0;
128 }
129
130 ok = 1;
131 /* Don't allow TLSv1.1 or below to be negotiated */
132 if (SSL_IS_DTLS(s)) {
133 if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
134 ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION);
135 } else {
136 if (ver_min < TLS1_2_VERSION)
137 ok = SSL_set_min_proto_version(s, TLS1_2_VERSION);
138 }
139 if (!ok) {
140 /* Shouldn't happen */
141 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
142 return 0;
143 }
144 }
145
146 ok = 0;
147 if (s->server) {
148 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
149 int i;
150
151 /*
152 * Sanity check that the maximum version we accept has ciphers
153 * enabled. For clients we do this check during construction of the
154 * ClientHello.
155 */
156 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
157 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
158
159 if (SSL_IS_DTLS(s)) {
160 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
161 DTLS_VERSION_LE(ver_max, c->max_dtls))
162 ok = 1;
163 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
164 ok = 1;
165 }
166 if (ok)
167 break;
168 }
169 if (!ok) {
170 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
171 SSL_R_NO_CIPHERS_AVAILABLE,
172 "No ciphers enabled for max supported "
173 "SSL/TLS version");
174 return 0;
175 }
176 if (SSL_IS_FIRST_HANDSHAKE(s)) {
177 /* N.B. s->session_ctx == s->ctx here */
178 tsan_counter(&s->session_ctx->stats.sess_accept);
179 } else {
180 /* N.B. s->ctx may not equal s->session_ctx */
181 tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
182
183 s->s3.tmp.cert_request = 0;
184 }
185 } else {
186 if (SSL_IS_FIRST_HANDSHAKE(s))
187 tsan_counter(&s->session_ctx->stats.sess_connect);
188 else
189 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
190
191 /* mark client_random uninitialized */
192 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
193 s->hit = 0;
194
195 s->s3.tmp.cert_req = 0;
196
197 if (SSL_IS_DTLS(s))
198 s->statem.use_timer = 1;
199 }
200
201 return 1;
202 }
203
204 /*
205 * Size of the to-be-signed TLS13 data, without the hash size itself:
206 * 64 bytes of value 32, 33 context bytes, 1 byte separator
207 */
208 #define TLS13_TBS_START_SIZE 64
209 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
210
211 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
212 void **hdata, size_t *hdatalen)
213 {
214 #ifdef CHARSET_EBCDIC
215 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
216 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
217 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
218 0x69, 0x66, 0x79, 0x00 };
219 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
220 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
221 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
222 0x69, 0x66, 0x79, 0x00 };
223 #else
224 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
225 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
226 #endif
227 if (SSL_IS_TLS13(s)) {
228 size_t hashlen;
229
230 /* Set the first 64 bytes of to-be-signed data to octet 32 */
231 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
232 /* This copies the 33 bytes of context plus the 0 separator byte */
233 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
234 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
235 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
236 else
237 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
238
239 /*
240 * If we're currently reading then we need to use the saved handshake
241 * hash value. We can't use the current handshake hash state because
242 * that includes the CertVerify itself.
243 */
244 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
245 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
246 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
247 s->cert_verify_hash_len);
248 hashlen = s->cert_verify_hash_len;
249 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
250 EVP_MAX_MD_SIZE, &hashlen)) {
251 /* SSLfatal() already called */
252 return 0;
253 }
254
255 *hdata = tls13tbs;
256 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
257 } else {
258 size_t retlen;
259 long retlen_l;
260
261 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
262 if (retlen_l <= 0) {
263 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
264 return 0;
265 }
266 *hdatalen = retlen;
267 }
268
269 return 1;
270 }
271
272 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
273 {
274 EVP_PKEY *pkey = NULL;
275 const EVP_MD *md = NULL;
276 EVP_MD_CTX *mctx = NULL;
277 EVP_PKEY_CTX *pctx = NULL;
278 size_t hdatalen = 0, siglen = 0;
279 void *hdata;
280 unsigned char *sig = NULL;
281 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
282 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
283
284 if (lu == NULL || s->s3.tmp.cert == NULL) {
285 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
286 goto err;
287 }
288 pkey = s->s3.tmp.cert->privatekey;
289
290 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
291 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
292 goto err;
293 }
294
295 mctx = EVP_MD_CTX_new();
296 if (mctx == NULL) {
297 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
298 goto err;
299 }
300
301 /* Get the data to be signed */
302 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
303 /* SSLfatal() already called */
304 goto err;
305 }
306
307 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
308 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
309 goto err;
310 }
311
312 if (EVP_DigestSignInit_ex(mctx, &pctx,
313 md == NULL ? NULL : EVP_MD_get0_name(md),
314 s->ctx->libctx, s->ctx->propq, pkey,
315 NULL) <= 0) {
316 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
317 goto err;
318 }
319
320 if (lu->sig == EVP_PKEY_RSA_PSS) {
321 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
322 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
323 RSA_PSS_SALTLEN_DIGEST) <= 0) {
324 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
325 goto err;
326 }
327 }
328 if (s->version == SSL3_VERSION) {
329 /*
330 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
331 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
332 */
333 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
334 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
335 (int)s->session->master_key_length,
336 s->session->master_key) <= 0
337 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
338
339 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
340 goto err;
341 }
342 sig = OPENSSL_malloc(siglen);
343 if (sig == NULL
344 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
346 goto err;
347 }
348 } else {
349 /*
350 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
351 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
352 */
353 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
355 goto err;
356 }
357 sig = OPENSSL_malloc(siglen);
358 if (sig == NULL
359 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
360 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
361 goto err;
362 }
363 }
364
365 #ifndef OPENSSL_NO_GOST
366 {
367 int pktype = lu->sig;
368
369 if (pktype == NID_id_GostR3410_2001
370 || pktype == NID_id_GostR3410_2012_256
371 || pktype == NID_id_GostR3410_2012_512)
372 BUF_reverse(sig, NULL, siglen);
373 }
374 #endif
375
376 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
377 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
378 goto err;
379 }
380
381 /* Digest cached records and discard handshake buffer */
382 if (!ssl3_digest_cached_records(s, 0)) {
383 /* SSLfatal() already called */
384 goto err;
385 }
386
387 OPENSSL_free(sig);
388 EVP_MD_CTX_free(mctx);
389 return 1;
390 err:
391 OPENSSL_free(sig);
392 EVP_MD_CTX_free(mctx);
393 return 0;
394 }
395
396 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
397 {
398 EVP_PKEY *pkey = NULL;
399 const unsigned char *data;
400 #ifndef OPENSSL_NO_GOST
401 unsigned char *gost_data = NULL;
402 #endif
403 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
404 int j;
405 unsigned int len;
406 X509 *peer;
407 const EVP_MD *md = NULL;
408 size_t hdatalen = 0;
409 void *hdata;
410 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
411 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
412 EVP_PKEY_CTX *pctx = NULL;
413
414 if (mctx == NULL) {
415 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
416 goto err;
417 }
418
419 peer = s->session->peer;
420 pkey = X509_get0_pubkey(peer);
421 if (pkey == NULL) {
422 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
423 goto err;
424 }
425
426 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
427 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
428 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
429 goto err;
430 }
431
432 if (SSL_USE_SIGALGS(s)) {
433 unsigned int sigalg;
434
435 if (!PACKET_get_net_2(pkt, &sigalg)) {
436 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
437 goto err;
438 }
439 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
440 /* SSLfatal() already called */
441 goto err;
442 }
443 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
444 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
445 goto err;
446 }
447
448 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
449 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
450 goto err;
451 }
452
453 if (SSL_USE_SIGALGS(s))
454 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
455 md == NULL ? "n/a" : EVP_MD_get0_name(md));
456
457 /* Check for broken implementations of GOST ciphersuites */
458 /*
459 * If key is GOST and len is exactly 64 or 128, it is signature without
460 * length field (CryptoPro implementations at least till TLS 1.2)
461 */
462 #ifndef OPENSSL_NO_GOST
463 if (!SSL_USE_SIGALGS(s)
464 && ((PACKET_remaining(pkt) == 64
465 && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
466 || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
467 || (PACKET_remaining(pkt) == 128
468 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
469 len = PACKET_remaining(pkt);
470 } else
471 #endif
472 if (!PACKET_get_net_2(pkt, &len)) {
473 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
474 goto err;
475 }
476
477 if (!PACKET_get_bytes(pkt, &data, len)) {
478 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
479 goto err;
480 }
481
482 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
483 /* SSLfatal() already called */
484 goto err;
485 }
486
487 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
488 md == NULL ? "n/a" : EVP_MD_get0_name(md));
489
490 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
491 md == NULL ? NULL : EVP_MD_get0_name(md),
492 s->ctx->libctx, s->ctx->propq, pkey,
493 NULL) <= 0) {
494 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
495 goto err;
496 }
497 #ifndef OPENSSL_NO_GOST
498 {
499 int pktype = EVP_PKEY_get_id(pkey);
500 if (pktype == NID_id_GostR3410_2001
501 || pktype == NID_id_GostR3410_2012_256
502 || pktype == NID_id_GostR3410_2012_512) {
503 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
504 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
505 goto err;
506 }
507 BUF_reverse(gost_data, data, len);
508 data = gost_data;
509 }
510 }
511 #endif
512
513 if (SSL_USE_PSS(s)) {
514 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
515 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
516 RSA_PSS_SALTLEN_DIGEST) <= 0) {
517 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
518 goto err;
519 }
520 }
521 if (s->version == SSL3_VERSION) {
522 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
523 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
524 (int)s->session->master_key_length,
525 s->session->master_key) <= 0) {
526 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
527 goto err;
528 }
529 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
530 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
531 goto err;
532 }
533 } else {
534 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
535 if (j <= 0) {
536 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
537 goto err;
538 }
539 }
540
541 /*
542 * In TLSv1.3 on the client side we make sure we prepare the client
543 * certificate after the CertVerify instead of when we get the
544 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
545 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
546 * want to make sure that SSL_get1_peer_certificate() will return the actual
547 * server certificate from the client_cert_cb callback.
548 */
549 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
550 ret = MSG_PROCESS_CONTINUE_PROCESSING;
551 else
552 ret = MSG_PROCESS_CONTINUE_READING;
553 err:
554 BIO_free(s->s3.handshake_buffer);
555 s->s3.handshake_buffer = NULL;
556 EVP_MD_CTX_free(mctx);
557 #ifndef OPENSSL_NO_GOST
558 OPENSSL_free(gost_data);
559 #endif
560 return ret;
561 }
562
563 int tls_construct_finished(SSL *s, WPACKET *pkt)
564 {
565 size_t finish_md_len;
566 const char *sender;
567 size_t slen;
568
569 /* This is a real handshake so make sure we clean it up at the end */
570 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
571 s->statem.cleanuphand = 1;
572
573 /*
574 * We only change the keys if we didn't already do this when we sent the
575 * client certificate
576 */
577 if (SSL_IS_TLS13(s)
578 && !s->server
579 && s->s3.tmp.cert_req == 0
580 && (!s->method->ssl3_enc->change_cipher_state(s,
581 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
582 /* SSLfatal() already called */
583 return 0;
584 }
585
586 if (s->server) {
587 sender = s->method->ssl3_enc->server_finished_label;
588 slen = s->method->ssl3_enc->server_finished_label_len;
589 } else {
590 sender = s->method->ssl3_enc->client_finished_label;
591 slen = s->method->ssl3_enc->client_finished_label_len;
592 }
593
594 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
595 sender, slen,
596 s->s3.tmp.finish_md);
597 if (finish_md_len == 0) {
598 /* SSLfatal() already called */
599 return 0;
600 }
601
602 s->s3.tmp.finish_md_len = finish_md_len;
603
604 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
605 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
606 return 0;
607 }
608
609 /*
610 * Log the master secret, if logging is enabled. We don't log it for
611 * TLSv1.3: there's a different key schedule for that.
612 */
613 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
614 s->session->master_key,
615 s->session->master_key_length)) {
616 /* SSLfatal() already called */
617 return 0;
618 }
619
620 /*
621 * Copy the finished so we can use it for renegotiation checks
622 */
623 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
624 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
625 return 0;
626 }
627 if (!s->server) {
628 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
629 finish_md_len);
630 s->s3.previous_client_finished_len = finish_md_len;
631 } else {
632 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
633 finish_md_len);
634 s->s3.previous_server_finished_len = finish_md_len;
635 }
636
637 return 1;
638 }
639
640 int tls_construct_key_update(SSL *s, WPACKET *pkt)
641 {
642 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
643 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
644 return 0;
645 }
646
647 s->key_update = SSL_KEY_UPDATE_NONE;
648 return 1;
649 }
650
651 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
652 {
653 unsigned int updatetype;
654
655 /*
656 * A KeyUpdate message signals a key change so the end of the message must
657 * be on a record boundary.
658 */
659 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
660 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
661 return MSG_PROCESS_ERROR;
662 }
663
664 if (!PACKET_get_1(pkt, &updatetype)
665 || PACKET_remaining(pkt) != 0) {
666 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
667 return MSG_PROCESS_ERROR;
668 }
669
670 /*
671 * There are only two defined key update types. Fail if we get a value we
672 * didn't recognise.
673 */
674 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
675 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
676 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
677 return MSG_PROCESS_ERROR;
678 }
679
680 /*
681 * If we get a request for us to update our sending keys too then, we need
682 * to additionally send a KeyUpdate message. However that message should
683 * not also request an update (otherwise we get into an infinite loop).
684 */
685 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
686 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
687
688 if (!tls13_update_key(s, 0)) {
689 /* SSLfatal() already called */
690 return MSG_PROCESS_ERROR;
691 }
692
693 return MSG_PROCESS_FINISHED_READING;
694 }
695
696 /*
697 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
698 * to far.
699 */
700 int ssl3_take_mac(SSL *s)
701 {
702 const char *sender;
703 size_t slen;
704
705 if (!s->server) {
706 sender = s->method->ssl3_enc->server_finished_label;
707 slen = s->method->ssl3_enc->server_finished_label_len;
708 } else {
709 sender = s->method->ssl3_enc->client_finished_label;
710 slen = s->method->ssl3_enc->client_finished_label_len;
711 }
712
713 s->s3.tmp.peer_finish_md_len =
714 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
715 s->s3.tmp.peer_finish_md);
716
717 if (s->s3.tmp.peer_finish_md_len == 0) {
718 /* SSLfatal() already called */
719 return 0;
720 }
721
722 return 1;
723 }
724
725 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
726 {
727 size_t remain;
728
729 remain = PACKET_remaining(pkt);
730 /*
731 * 'Change Cipher Spec' is just a single byte, which should already have
732 * been consumed by ssl_get_message() so there should be no bytes left,
733 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
734 */
735 if (SSL_IS_DTLS(s)) {
736 if ((s->version == DTLS1_BAD_VER
737 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
738 || (s->version != DTLS1_BAD_VER
739 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
740 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
741 return MSG_PROCESS_ERROR;
742 }
743 } else {
744 if (remain != 0) {
745 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
746 return MSG_PROCESS_ERROR;
747 }
748 }
749
750 /* Check we have a cipher to change to */
751 if (s->s3.tmp.new_cipher == NULL) {
752 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
753 return MSG_PROCESS_ERROR;
754 }
755
756 s->s3.change_cipher_spec = 1;
757 if (!ssl3_do_change_cipher_spec(s)) {
758 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
759 return MSG_PROCESS_ERROR;
760 }
761
762 if (SSL_IS_DTLS(s)) {
763 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
764
765 if (s->version == DTLS1_BAD_VER)
766 s->d1->handshake_read_seq++;
767
768 #ifndef OPENSSL_NO_SCTP
769 /*
770 * Remember that a CCS has been received, so that an old key of
771 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
772 * SCTP is used
773 */
774 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
775 #endif
776 }
777
778 return MSG_PROCESS_CONTINUE_READING;
779 }
780
781 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
782 {
783 size_t md_len;
784
785
786 /* This is a real handshake so make sure we clean it up at the end */
787 if (s->server) {
788 /*
789 * To get this far we must have read encrypted data from the client. We
790 * no longer tolerate unencrypted alerts. This value is ignored if less
791 * than TLSv1.3
792 */
793 s->statem.enc_read_state = ENC_READ_STATE_VALID;
794 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
795 s->statem.cleanuphand = 1;
796 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
797 /* SSLfatal() already called */
798 return MSG_PROCESS_ERROR;
799 }
800 }
801
802 /*
803 * In TLSv1.3 a Finished message signals a key change so the end of the
804 * message must be on a record boundary.
805 */
806 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
807 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
808 return MSG_PROCESS_ERROR;
809 }
810
811 /* If this occurs, we have missed a message */
812 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
813 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
814 return MSG_PROCESS_ERROR;
815 }
816 s->s3.change_cipher_spec = 0;
817
818 md_len = s->s3.tmp.peer_finish_md_len;
819
820 if (md_len != PACKET_remaining(pkt)) {
821 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
822 return MSG_PROCESS_ERROR;
823 }
824
825 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
826 md_len) != 0) {
827 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
828 return MSG_PROCESS_ERROR;
829 }
830
831 /*
832 * Copy the finished so we can use it for renegotiation checks
833 */
834 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
835 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
836 return MSG_PROCESS_ERROR;
837 }
838 if (s->server) {
839 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
840 md_len);
841 s->s3.previous_client_finished_len = md_len;
842 } else {
843 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
844 md_len);
845 s->s3.previous_server_finished_len = md_len;
846 }
847
848 /*
849 * In TLS1.3 we also have to change cipher state and do any final processing
850 * of the initial server flight (if we are a client)
851 */
852 if (SSL_IS_TLS13(s)) {
853 if (s->server) {
854 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
855 !s->method->ssl3_enc->change_cipher_state(s,
856 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
857 /* SSLfatal() already called */
858 return MSG_PROCESS_ERROR;
859 }
860 } else {
861 /* TLS 1.3 gets the secret size from the handshake md */
862 size_t dummy;
863 if (!s->method->ssl3_enc->generate_master_secret(s,
864 s->master_secret, s->handshake_secret, 0,
865 &dummy)) {
866 /* SSLfatal() already called */
867 return MSG_PROCESS_ERROR;
868 }
869 if (!s->method->ssl3_enc->change_cipher_state(s,
870 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
871 /* SSLfatal() already called */
872 return MSG_PROCESS_ERROR;
873 }
874 if (!tls_process_initial_server_flight(s)) {
875 /* SSLfatal() already called */
876 return MSG_PROCESS_ERROR;
877 }
878 }
879 }
880
881 return MSG_PROCESS_FINISHED_READING;
882 }
883
884 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
885 {
886 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
887 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
888 return 0;
889 }
890
891 return 1;
892 }
893
894 /* Add a certificate to the WPACKET */
895 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
896 {
897 int len;
898 unsigned char *outbytes;
899
900 len = i2d_X509(x, NULL);
901 if (len < 0) {
902 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
903 return 0;
904 }
905 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
906 || i2d_X509(x, &outbytes) != len) {
907 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
908 return 0;
909 }
910
911 if (SSL_IS_TLS13(s)
912 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
913 chain)) {
914 /* SSLfatal() already called */
915 return 0;
916 }
917
918 return 1;
919 }
920
921 /* Add certificate chain to provided WPACKET */
922 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
923 {
924 int i, chain_count;
925 X509 *x;
926 STACK_OF(X509) *extra_certs;
927 STACK_OF(X509) *chain = NULL;
928 X509_STORE *chain_store;
929
930 if (cpk == NULL || cpk->x509 == NULL)
931 return 1;
932
933 x = cpk->x509;
934
935 /*
936 * If we have a certificate specific chain use it, else use parent ctx.
937 */
938 if (cpk->chain != NULL)
939 extra_certs = cpk->chain;
940 else
941 extra_certs = s->ctx->extra_certs;
942
943 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
944 chain_store = NULL;
945 else if (s->cert->chain_store)
946 chain_store = s->cert->chain_store;
947 else
948 chain_store = s->ctx->cert_store;
949
950 if (chain_store != NULL) {
951 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx,
952 s->ctx->propq);
953
954 if (xs_ctx == NULL) {
955 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
956 return 0;
957 }
958 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
959 X509_STORE_CTX_free(xs_ctx);
960 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
961 return 0;
962 }
963 /*
964 * It is valid for the chain not to be complete (because normally we
965 * don't include the root cert in the chain). Therefore we deliberately
966 * ignore the error return from this call. We're not actually verifying
967 * the cert - we're just building as much of the chain as we can
968 */
969 (void)X509_verify_cert(xs_ctx);
970 /* Don't leave errors in the queue */
971 ERR_clear_error();
972 chain = X509_STORE_CTX_get0_chain(xs_ctx);
973 i = ssl_security_cert_chain(s, chain, NULL, 0);
974 if (i != 1) {
975 #if 0
976 /* Dummy error calls so mkerr generates them */
977 ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
978 ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
979 ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
980 #endif
981 X509_STORE_CTX_free(xs_ctx);
982 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
983 return 0;
984 }
985 chain_count = sk_X509_num(chain);
986 for (i = 0; i < chain_count; i++) {
987 x = sk_X509_value(chain, i);
988
989 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
990 /* SSLfatal() already called */
991 X509_STORE_CTX_free(xs_ctx);
992 return 0;
993 }
994 }
995 X509_STORE_CTX_free(xs_ctx);
996 } else {
997 i = ssl_security_cert_chain(s, extra_certs, x, 0);
998 if (i != 1) {
999 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
1000 return 0;
1001 }
1002 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1003 /* SSLfatal() already called */
1004 return 0;
1005 }
1006 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1007 x = sk_X509_value(extra_certs, i);
1008 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1009 /* SSLfatal() already called */
1010 return 0;
1011 }
1012 }
1013 }
1014 return 1;
1015 }
1016
1017 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1018 {
1019 if (!WPACKET_start_sub_packet_u24(pkt)) {
1020 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1021 return 0;
1022 }
1023
1024 if (!ssl_add_cert_chain(s, pkt, cpk))
1025 return 0;
1026
1027 if (!WPACKET_close(pkt)) {
1028 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1029 return 0;
1030 }
1031
1032 return 1;
1033 }
1034
1035 /*
1036 * Tidy up after the end of a handshake. In the case of SCTP this may result
1037 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1038 * freed up as well.
1039 */
1040 WORK_STATE tls_finish_handshake(SSL *s, ossl_unused WORK_STATE wst,
1041 int clearbufs, int stop)
1042 {
1043 void (*cb) (const SSL *ssl, int type, int val) = NULL;
1044 int cleanuphand = s->statem.cleanuphand;
1045
1046 if (clearbufs) {
1047 if (!SSL_IS_DTLS(s)
1048 #ifndef OPENSSL_NO_SCTP
1049 /*
1050 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1051 * messages that require it. Therefore, DTLS procedures for retransmissions
1052 * MUST NOT be used.
1053 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1054 */
1055 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1056 #endif
1057 ) {
1058 /*
1059 * We don't do this in DTLS over UDP because we may still need the init_buf
1060 * in case there are any unexpected retransmits
1061 */
1062 BUF_MEM_free(s->init_buf);
1063 s->init_buf = NULL;
1064 }
1065
1066 if (!ssl_free_wbio_buffer(s)) {
1067 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1068 return WORK_ERROR;
1069 }
1070 s->init_num = 0;
1071 }
1072
1073 if (SSL_IS_TLS13(s) && !s->server
1074 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1075 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1076
1077 /*
1078 * Only set if there was a Finished message and this isn't after a TLSv1.3
1079 * post handshake exchange
1080 */
1081 if (cleanuphand) {
1082 /* skipped if we just sent a HelloRequest */
1083 s->renegotiate = 0;
1084 s->new_session = 0;
1085 s->statem.cleanuphand = 0;
1086 s->ext.ticket_expected = 0;
1087
1088 ssl3_cleanup_key_block(s);
1089
1090 if (s->server) {
1091 /*
1092 * In TLSv1.3 we update the cache as part of constructing the
1093 * NewSessionTicket
1094 */
1095 if (!SSL_IS_TLS13(s))
1096 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1097
1098 /* N.B. s->ctx may not equal s->session_ctx */
1099 tsan_counter(&s->ctx->stats.sess_accept_good);
1100 s->handshake_func = ossl_statem_accept;
1101 } else {
1102 if (SSL_IS_TLS13(s)) {
1103 /*
1104 * We encourage applications to only use TLSv1.3 tickets once,
1105 * so we remove this one from the cache.
1106 */
1107 if ((s->session_ctx->session_cache_mode
1108 & SSL_SESS_CACHE_CLIENT) != 0)
1109 SSL_CTX_remove_session(s->session_ctx, s->session);
1110 } else {
1111 /*
1112 * In TLSv1.3 we update the cache as part of processing the
1113 * NewSessionTicket
1114 */
1115 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1116 }
1117 if (s->hit)
1118 tsan_counter(&s->session_ctx->stats.sess_hit);
1119
1120 s->handshake_func = ossl_statem_connect;
1121 tsan_counter(&s->session_ctx->stats.sess_connect_good);
1122 }
1123
1124 if (SSL_IS_DTLS(s)) {
1125 /* done with handshaking */
1126 s->d1->handshake_read_seq = 0;
1127 s->d1->handshake_write_seq = 0;
1128 s->d1->next_handshake_write_seq = 0;
1129 dtls1_clear_received_buffer(s);
1130 }
1131 }
1132
1133 if (s->info_callback != NULL)
1134 cb = s->info_callback;
1135 else if (s->ctx->info_callback != NULL)
1136 cb = s->ctx->info_callback;
1137
1138 /* The callback may expect us to not be in init at handshake done */
1139 ossl_statem_set_in_init(s, 0);
1140
1141 if (cb != NULL) {
1142 if (cleanuphand
1143 || !SSL_IS_TLS13(s)
1144 || SSL_IS_FIRST_HANDSHAKE(s))
1145 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1146 }
1147
1148 if (!stop) {
1149 /* If we've got more work to do we go back into init */
1150 ossl_statem_set_in_init(s, 1);
1151 return WORK_FINISHED_CONTINUE;
1152 }
1153
1154 return WORK_FINISHED_STOP;
1155 }
1156
1157 int tls_get_message_header(SSL *s, int *mt)
1158 {
1159 /* s->init_num < SSL3_HM_HEADER_LENGTH */
1160 int skip_message, i, recvd_type;
1161 unsigned char *p;
1162 size_t l, readbytes;
1163
1164 p = (unsigned char *)s->init_buf->data;
1165
1166 do {
1167 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1168 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1169 &p[s->init_num],
1170 SSL3_HM_HEADER_LENGTH - s->init_num,
1171 0, &readbytes);
1172 if (i <= 0) {
1173 s->rwstate = SSL_READING;
1174 return 0;
1175 }
1176 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1177 /*
1178 * A ChangeCipherSpec must be a single byte and may not occur
1179 * in the middle of a handshake message.
1180 */
1181 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1182 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1183 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1184 return 0;
1185 }
1186 if (s->statem.hand_state == TLS_ST_BEFORE
1187 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1188 /*
1189 * We are stateless and we received a CCS. Probably this is
1190 * from a client between the first and second ClientHellos.
1191 * We should ignore this, but return an error because we do
1192 * not return success until we see the second ClientHello
1193 * with a valid cookie.
1194 */
1195 return 0;
1196 }
1197 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1198 s->init_num = readbytes - 1;
1199 s->init_msg = s->init_buf->data;
1200 s->s3.tmp.message_size = readbytes;
1201 return 1;
1202 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1203 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1204 SSL_R_CCS_RECEIVED_EARLY);
1205 return 0;
1206 }
1207 s->init_num += readbytes;
1208 }
1209
1210 skip_message = 0;
1211 if (!s->server)
1212 if (s->statem.hand_state != TLS_ST_OK
1213 && p[0] == SSL3_MT_HELLO_REQUEST)
1214 /*
1215 * The server may always send 'Hello Request' messages --
1216 * we are doing a handshake anyway now, so ignore them if
1217 * their format is correct. Does not count for 'Finished'
1218 * MAC.
1219 */
1220 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1221 s->init_num = 0;
1222 skip_message = 1;
1223
1224 if (s->msg_callback)
1225 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1226 p, SSL3_HM_HEADER_LENGTH, s,
1227 s->msg_callback_arg);
1228 }
1229 } while (skip_message);
1230 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1231
1232 *mt = *p;
1233 s->s3.tmp.message_type = *(p++);
1234
1235 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1236 /*
1237 * Only happens with SSLv3+ in an SSLv2 backward compatible
1238 * ClientHello
1239 *
1240 * Total message size is the remaining record bytes to read
1241 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1242 */
1243 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1244 + SSL3_HM_HEADER_LENGTH;
1245 s->s3.tmp.message_size = l;
1246
1247 s->init_msg = s->init_buf->data;
1248 s->init_num = SSL3_HM_HEADER_LENGTH;
1249 } else {
1250 n2l3(p, l);
1251 /* BUF_MEM_grow takes an 'int' parameter */
1252 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1253 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1254 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1255 return 0;
1256 }
1257 s->s3.tmp.message_size = l;
1258
1259 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1260 s->init_num = 0;
1261 }
1262
1263 return 1;
1264 }
1265
1266 int tls_get_message_body(SSL *s, size_t *len)
1267 {
1268 size_t n, readbytes;
1269 unsigned char *p;
1270 int i;
1271
1272 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1273 /* We've already read everything in */
1274 *len = (unsigned long)s->init_num;
1275 return 1;
1276 }
1277
1278 p = s->init_msg;
1279 n = s->s3.tmp.message_size - s->init_num;
1280 while (n > 0) {
1281 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1282 &p[s->init_num], n, 0, &readbytes);
1283 if (i <= 0) {
1284 s->rwstate = SSL_READING;
1285 *len = 0;
1286 return 0;
1287 }
1288 s->init_num += readbytes;
1289 n -= readbytes;
1290 }
1291
1292 /*
1293 * If receiving Finished, record MAC of prior handshake messages for
1294 * Finished verification.
1295 */
1296 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1297 /* SSLfatal() already called */
1298 *len = 0;
1299 return 0;
1300 }
1301
1302 /* Feed this message into MAC computation. */
1303 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1304 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1305 s->init_num)) {
1306 /* SSLfatal() already called */
1307 *len = 0;
1308 return 0;
1309 }
1310 if (s->msg_callback)
1311 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1312 (size_t)s->init_num, s, s->msg_callback_arg);
1313 } else {
1314 /*
1315 * We defer feeding in the HRR until later. We'll do it as part of
1316 * processing the message
1317 * The TLsv1.3 handshake transcript stops at the ClientFinished
1318 * message.
1319 */
1320 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1321 /* KeyUpdate and NewSessionTicket do not need to be added */
1322 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1323 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1324 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1325 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1326 || memcmp(hrrrandom,
1327 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1328 SSL3_RANDOM_SIZE) != 0) {
1329 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1330 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1331 /* SSLfatal() already called */
1332 *len = 0;
1333 return 0;
1334 }
1335 }
1336 }
1337 if (s->msg_callback)
1338 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1339 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1340 s->msg_callback_arg);
1341 }
1342
1343 *len = s->init_num;
1344 return 1;
1345 }
1346
1347 static const X509ERR2ALERT x509table[] = {
1348 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1349 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1350 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
1351 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1352 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1353 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1354 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1355 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1356 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1357 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1358 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1359 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1360 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1361 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1362 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1363 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1364 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1365 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1366 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1367 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1368 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1369 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1370 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1371 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1372 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1373 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1374 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1375 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1376 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1377 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1378 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1379 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1380 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1381 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1382 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1383 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1384 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1385 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1386 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1387 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1388
1389 /* Last entry; return this if we don't find the value above. */
1390 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1391 };
1392
1393 int ssl_x509err2alert(int x509err)
1394 {
1395 const X509ERR2ALERT *tp;
1396
1397 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1398 if (tp->x509err == x509err)
1399 break;
1400 return tp->alert;
1401 }
1402
1403 int ssl_allow_compression(SSL *s)
1404 {
1405 if (s->options & SSL_OP_NO_COMPRESSION)
1406 return 0;
1407 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1408 }
1409
1410 static int version_cmp(const SSL *s, int a, int b)
1411 {
1412 int dtls = SSL_IS_DTLS(s);
1413
1414 if (a == b)
1415 return 0;
1416 if (!dtls)
1417 return a < b ? -1 : 1;
1418 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1419 }
1420
1421 typedef struct {
1422 int version;
1423 const SSL_METHOD *(*cmeth) (void);
1424 const SSL_METHOD *(*smeth) (void);
1425 } version_info;
1426
1427 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1428 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1429 #endif
1430
1431 /* Must be in order high to low */
1432 static const version_info tls_version_table[] = {
1433 #ifndef OPENSSL_NO_TLS1_3
1434 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1435 #else
1436 {TLS1_3_VERSION, NULL, NULL},
1437 #endif
1438 #ifndef OPENSSL_NO_TLS1_2
1439 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1440 #else
1441 {TLS1_2_VERSION, NULL, NULL},
1442 #endif
1443 #ifndef OPENSSL_NO_TLS1_1
1444 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1445 #else
1446 {TLS1_1_VERSION, NULL, NULL},
1447 #endif
1448 #ifndef OPENSSL_NO_TLS1
1449 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1450 #else
1451 {TLS1_VERSION, NULL, NULL},
1452 #endif
1453 #ifndef OPENSSL_NO_SSL3
1454 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1455 #else
1456 {SSL3_VERSION, NULL, NULL},
1457 #endif
1458 {0, NULL, NULL},
1459 };
1460
1461 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1462 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1463 #endif
1464
1465 /* Must be in order high to low */
1466 static const version_info dtls_version_table[] = {
1467 #ifndef OPENSSL_NO_DTLS1_2
1468 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1469 #else
1470 {DTLS1_2_VERSION, NULL, NULL},
1471 #endif
1472 #ifndef OPENSSL_NO_DTLS1
1473 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1474 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1475 #else
1476 {DTLS1_VERSION, NULL, NULL},
1477 {DTLS1_BAD_VER, NULL, NULL},
1478 #endif
1479 {0, NULL, NULL},
1480 };
1481
1482 /*
1483 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1484 *
1485 * @s: The SSL handle for the candidate method
1486 * @method: the intended method.
1487 *
1488 * Returns 0 on success, or an SSL error reason on failure.
1489 */
1490 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1491 {
1492 int version = method->version;
1493
1494 if ((s->min_proto_version != 0 &&
1495 version_cmp(s, version, s->min_proto_version) < 0) ||
1496 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1497 return SSL_R_VERSION_TOO_LOW;
1498
1499 if (s->max_proto_version != 0 &&
1500 version_cmp(s, version, s->max_proto_version) > 0)
1501 return SSL_R_VERSION_TOO_HIGH;
1502
1503 if ((s->options & method->mask) != 0)
1504 return SSL_R_UNSUPPORTED_PROTOCOL;
1505 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1506 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1507
1508 return 0;
1509 }
1510
1511 /*
1512 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1513 * certificate type, or has PSK or a certificate callback configured, or has
1514 * a servername callback configure. Otherwise returns 0.
1515 */
1516 static int is_tls13_capable(const SSL *s)
1517 {
1518 int i;
1519 int curve;
1520
1521 if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
1522 return 0;
1523
1524 /*
1525 * A servername callback can change the available certs, so if a servername
1526 * cb is set then we just assume TLSv1.3 will be ok
1527 */
1528 if (s->ctx->ext.servername_cb != NULL
1529 || s->session_ctx->ext.servername_cb != NULL)
1530 return 1;
1531
1532 #ifndef OPENSSL_NO_PSK
1533 if (s->psk_server_callback != NULL)
1534 return 1;
1535 #endif
1536
1537 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1538 return 1;
1539
1540 for (i = 0; i < SSL_PKEY_NUM; i++) {
1541 /* Skip over certs disallowed for TLSv1.3 */
1542 switch (i) {
1543 case SSL_PKEY_DSA_SIGN:
1544 case SSL_PKEY_GOST01:
1545 case SSL_PKEY_GOST12_256:
1546 case SSL_PKEY_GOST12_512:
1547 continue;
1548 default:
1549 break;
1550 }
1551 if (!ssl_has_cert(s, i))
1552 continue;
1553 if (i != SSL_PKEY_ECC)
1554 return 1;
1555 /*
1556 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1557 * more restrictive so check that our sig algs are consistent with this
1558 * EC cert. See section 4.2.3 of RFC8446.
1559 */
1560 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1561 if (tls_check_sigalg_curve(s, curve))
1562 return 1;
1563 }
1564
1565 return 0;
1566 }
1567
1568 /*
1569 * ssl_version_supported - Check that the specified `version` is supported by
1570 * `SSL *` instance
1571 *
1572 * @s: The SSL handle for the candidate method
1573 * @version: Protocol version to test against
1574 *
1575 * Returns 1 when supported, otherwise 0
1576 */
1577 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1578 {
1579 const version_info *vent;
1580 const version_info *table;
1581
1582 switch (s->method->version) {
1583 default:
1584 /* Version should match method version for non-ANY method */
1585 return version_cmp(s, version, s->version) == 0;
1586 case TLS_ANY_VERSION:
1587 table = tls_version_table;
1588 break;
1589 case DTLS_ANY_VERSION:
1590 table = dtls_version_table;
1591 break;
1592 }
1593
1594 for (vent = table;
1595 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1596 ++vent) {
1597 if (vent->cmeth != NULL
1598 && version_cmp(s, version, vent->version) == 0
1599 && ssl_method_error(s, vent->cmeth()) == 0
1600 && (!s->server
1601 || version != TLS1_3_VERSION
1602 || is_tls13_capable(s))) {
1603 if (meth != NULL)
1604 *meth = vent->cmeth();
1605 return 1;
1606 }
1607 }
1608 return 0;
1609 }
1610
1611 /*
1612 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1613 * fallback indication from a client check whether we're using the highest
1614 * supported protocol version.
1615 *
1616 * @s server SSL handle.
1617 *
1618 * Returns 1 when using the highest enabled version, 0 otherwise.
1619 */
1620 int ssl_check_version_downgrade(SSL *s)
1621 {
1622 const version_info *vent;
1623 const version_info *table;
1624
1625 /*
1626 * Check that the current protocol is the highest enabled version
1627 * (according to s->ctx->method, as version negotiation may have changed
1628 * s->method).
1629 */
1630 if (s->version == s->ctx->method->version)
1631 return 1;
1632
1633 /*
1634 * Apparently we're using a version-flexible SSL_METHOD (not at its
1635 * highest protocol version).
1636 */
1637 if (s->ctx->method->version == TLS_method()->version)
1638 table = tls_version_table;
1639 else if (s->ctx->method->version == DTLS_method()->version)
1640 table = dtls_version_table;
1641 else {
1642 /* Unexpected state; fail closed. */
1643 return 0;
1644 }
1645
1646 for (vent = table; vent->version != 0; ++vent) {
1647 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1648 return s->version == vent->version;
1649 }
1650 return 0;
1651 }
1652
1653 /*
1654 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1655 * protocols, provided the initial (D)TLS method is version-flexible. This
1656 * function sanity-checks the proposed value and makes sure the method is
1657 * version-flexible, then sets the limit if all is well.
1658 *
1659 * @method_version: The version of the current SSL_METHOD.
1660 * @version: the intended limit.
1661 * @bound: pointer to limit to be updated.
1662 *
1663 * Returns 1 on success, 0 on failure.
1664 */
1665 int ssl_set_version_bound(int method_version, int version, int *bound)
1666 {
1667 int valid_tls;
1668 int valid_dtls;
1669
1670 if (version == 0) {
1671 *bound = version;
1672 return 1;
1673 }
1674
1675 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1676 valid_dtls =
1677 DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1678 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1679
1680 if (!valid_tls && !valid_dtls)
1681 return 0;
1682
1683 /*-
1684 * Restrict TLS methods to TLS protocol versions.
1685 * Restrict DTLS methods to DTLS protocol versions.
1686 * Note, DTLS version numbers are decreasing, use comparison macros.
1687 *
1688 * Note that for both lower-bounds we use explicit versions, not
1689 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1690 * configurations. If the MIN (supported) version ever rises, the user's
1691 * "floor" remains valid even if no longer available. We don't expect the
1692 * MAX ceiling to ever get lower, so making that variable makes sense.
1693 *
1694 * We ignore attempts to set bounds on version-inflexible methods,
1695 * returning success.
1696 */
1697 switch (method_version) {
1698 default:
1699 break;
1700
1701 case TLS_ANY_VERSION:
1702 if (valid_tls)
1703 *bound = version;
1704 break;
1705
1706 case DTLS_ANY_VERSION:
1707 if (valid_dtls)
1708 *bound = version;
1709 break;
1710 }
1711 return 1;
1712 }
1713
1714 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1715 {
1716 if (vers == TLS1_2_VERSION
1717 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1718 *dgrd = DOWNGRADE_TO_1_2;
1719 } else if (!SSL_IS_DTLS(s)
1720 && vers < TLS1_2_VERSION
1721 /*
1722 * We need to ensure that a server that disables TLSv1.2
1723 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1724 * complete handshakes with clients that support TLSv1.2 and
1725 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1726 * enabled and TLSv1.2 is not.
1727 */
1728 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1729 *dgrd = DOWNGRADE_TO_1_1;
1730 } else {
1731 *dgrd = DOWNGRADE_NONE;
1732 }
1733 }
1734
1735 /*
1736 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1737 * client HELLO is received to select the final server protocol version and
1738 * the version specific method.
1739 *
1740 * @s: server SSL handle.
1741 *
1742 * Returns 0 on success or an SSL error reason number on failure.
1743 */
1744 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1745 {
1746 /*-
1747 * With version-flexible methods we have an initial state with:
1748 *
1749 * s->method->version == (D)TLS_ANY_VERSION,
1750 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
1751 *
1752 * So we detect version-flexible methods via the method version, not the
1753 * handle version.
1754 */
1755 int server_version = s->method->version;
1756 int client_version = hello->legacy_version;
1757 const version_info *vent;
1758 const version_info *table;
1759 int disabled = 0;
1760 RAW_EXTENSION *suppversions;
1761
1762 s->client_version = client_version;
1763
1764 switch (server_version) {
1765 default:
1766 if (!SSL_IS_TLS13(s)) {
1767 if (version_cmp(s, client_version, s->version) < 0)
1768 return SSL_R_WRONG_SSL_VERSION;
1769 *dgrd = DOWNGRADE_NONE;
1770 /*
1771 * If this SSL handle is not from a version flexible method we don't
1772 * (and never did) check min/max FIPS or Suite B constraints. Hope
1773 * that's OK. It is up to the caller to not choose fixed protocol
1774 * versions they don't want. If not, then easy to fix, just return
1775 * ssl_method_error(s, s->method)
1776 */
1777 return 0;
1778 }
1779 /*
1780 * Fall through if we are TLSv1.3 already (this means we must be after
1781 * a HelloRetryRequest
1782 */
1783 /* fall thru */
1784 case TLS_ANY_VERSION:
1785 table = tls_version_table;
1786 break;
1787 case DTLS_ANY_VERSION:
1788 table = dtls_version_table;
1789 break;
1790 }
1791
1792 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1793
1794 /* If we did an HRR then supported versions is mandatory */
1795 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1796 return SSL_R_UNSUPPORTED_PROTOCOL;
1797
1798 if (suppversions->present && !SSL_IS_DTLS(s)) {
1799 unsigned int candidate_vers = 0;
1800 unsigned int best_vers = 0;
1801 const SSL_METHOD *best_method = NULL;
1802 PACKET versionslist;
1803
1804 suppversions->parsed = 1;
1805
1806 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1807 /* Trailing or invalid data? */
1808 return SSL_R_LENGTH_MISMATCH;
1809 }
1810
1811 /*
1812 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1813 * The spec only requires servers to check that it isn't SSLv3:
1814 * "Any endpoint receiving a Hello message with
1815 * ClientHello.legacy_version or ServerHello.legacy_version set to
1816 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1817 * We are slightly stricter and require that it isn't SSLv3 or lower.
1818 * We tolerate TLSv1 and TLSv1.1.
1819 */
1820 if (client_version <= SSL3_VERSION)
1821 return SSL_R_BAD_LEGACY_VERSION;
1822
1823 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1824 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1825 continue;
1826 if (ssl_version_supported(s, candidate_vers, &best_method))
1827 best_vers = candidate_vers;
1828 }
1829 if (PACKET_remaining(&versionslist) != 0) {
1830 /* Trailing data? */
1831 return SSL_R_LENGTH_MISMATCH;
1832 }
1833
1834 if (best_vers > 0) {
1835 if (s->hello_retry_request != SSL_HRR_NONE) {
1836 /*
1837 * This is after a HelloRetryRequest so we better check that we
1838 * negotiated TLSv1.3
1839 */
1840 if (best_vers != TLS1_3_VERSION)
1841 return SSL_R_UNSUPPORTED_PROTOCOL;
1842 return 0;
1843 }
1844 check_for_downgrade(s, best_vers, dgrd);
1845 s->version = best_vers;
1846 s->method = best_method;
1847 return 0;
1848 }
1849 return SSL_R_UNSUPPORTED_PROTOCOL;
1850 }
1851
1852 /*
1853 * If the supported versions extension isn't present, then the highest
1854 * version we can negotiate is TLSv1.2
1855 */
1856 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1857 client_version = TLS1_2_VERSION;
1858
1859 /*
1860 * No supported versions extension, so we just use the version supplied in
1861 * the ClientHello.
1862 */
1863 for (vent = table; vent->version != 0; ++vent) {
1864 const SSL_METHOD *method;
1865
1866 if (vent->smeth == NULL ||
1867 version_cmp(s, client_version, vent->version) < 0)
1868 continue;
1869 method = vent->smeth();
1870 if (ssl_method_error(s, method) == 0) {
1871 check_for_downgrade(s, vent->version, dgrd);
1872 s->version = vent->version;
1873 s->method = method;
1874 return 0;
1875 }
1876 disabled = 1;
1877 }
1878 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1879 }
1880
1881 /*
1882 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1883 * server HELLO is received to select the final client protocol version and
1884 * the version specific method.
1885 *
1886 * @s: client SSL handle.
1887 * @version: The proposed version from the server's HELLO.
1888 * @extensions: The extensions received
1889 *
1890 * Returns 1 on success or 0 on error.
1891 */
1892 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1893 {
1894 const version_info *vent;
1895 const version_info *table;
1896 int ret, ver_min, ver_max, real_max, origv;
1897
1898 origv = s->version;
1899 s->version = version;
1900
1901 /* This will overwrite s->version if the extension is present */
1902 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1903 SSL_EXT_TLS1_2_SERVER_HELLO
1904 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1905 NULL, 0)) {
1906 s->version = origv;
1907 return 0;
1908 }
1909
1910 if (s->hello_retry_request != SSL_HRR_NONE
1911 && s->version != TLS1_3_VERSION) {
1912 s->version = origv;
1913 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1914 return 0;
1915 }
1916
1917 switch (s->method->version) {
1918 default:
1919 if (s->version != s->method->version) {
1920 s->version = origv;
1921 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1922 return 0;
1923 }
1924 /*
1925 * If this SSL handle is not from a version flexible method we don't
1926 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1927 * that's OK. It is up to the caller to not choose fixed protocol
1928 * versions they don't want. If not, then easy to fix, just return
1929 * ssl_method_error(s, s->method)
1930 */
1931 return 1;
1932 case TLS_ANY_VERSION:
1933 table = tls_version_table;
1934 break;
1935 case DTLS_ANY_VERSION:
1936 table = dtls_version_table;
1937 break;
1938 }
1939
1940 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1941 if (ret != 0) {
1942 s->version = origv;
1943 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
1944 return 0;
1945 }
1946 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1947 : s->version < ver_min) {
1948 s->version = origv;
1949 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1950 return 0;
1951 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1952 : s->version > ver_max) {
1953 s->version = origv;
1954 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1955 return 0;
1956 }
1957
1958 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1959 real_max = ver_max;
1960
1961 /* Check for downgrades */
1962 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1963 if (memcmp(tls12downgrade,
1964 s->s3.server_random + SSL3_RANDOM_SIZE
1965 - sizeof(tls12downgrade),
1966 sizeof(tls12downgrade)) == 0) {
1967 s->version = origv;
1968 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1969 SSL_R_INAPPROPRIATE_FALLBACK);
1970 return 0;
1971 }
1972 } else if (!SSL_IS_DTLS(s)
1973 && s->version < TLS1_2_VERSION
1974 && real_max > s->version) {
1975 if (memcmp(tls11downgrade,
1976 s->s3.server_random + SSL3_RANDOM_SIZE
1977 - sizeof(tls11downgrade),
1978 sizeof(tls11downgrade)) == 0) {
1979 s->version = origv;
1980 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1981 SSL_R_INAPPROPRIATE_FALLBACK);
1982 return 0;
1983 }
1984 }
1985
1986 for (vent = table; vent->version != 0; ++vent) {
1987 if (vent->cmeth == NULL || s->version != vent->version)
1988 continue;
1989
1990 s->method = vent->cmeth();
1991 return 1;
1992 }
1993
1994 s->version = origv;
1995 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1996 return 0;
1997 }
1998
1999 /*
2000 * ssl_get_min_max_version - get minimum and maximum protocol version
2001 * @s: The SSL connection
2002 * @min_version: The minimum supported version
2003 * @max_version: The maximum supported version
2004 * @real_max: The highest version below the lowest compile time version hole
2005 * where that hole lies above at least one run-time enabled
2006 * protocol.
2007 *
2008 * Work out what version we should be using for the initial ClientHello if the
2009 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2010 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2011 * constraints and any floor imposed by the security level here,
2012 * so we don't advertise the wrong protocol version to only reject the outcome later.
2013 *
2014 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2015 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2016 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2017 *
2018 * Returns 0 on success or an SSL error reason number on failure. On failure
2019 * min_version and max_version will also be set to 0.
2020 */
2021 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2022 int *real_max)
2023 {
2024 int version, tmp_real_max;
2025 int hole;
2026 const SSL_METHOD *single = NULL;
2027 const SSL_METHOD *method;
2028 const version_info *table;
2029 const version_info *vent;
2030
2031 switch (s->method->version) {
2032 default:
2033 /*
2034 * If this SSL handle is not from a version flexible method we don't
2035 * (and never did) check min/max FIPS or Suite B constraints. Hope
2036 * that's OK. It is up to the caller to not choose fixed protocol
2037 * versions they don't want. If not, then easy to fix, just return
2038 * ssl_method_error(s, s->method)
2039 */
2040 *min_version = *max_version = s->version;
2041 /*
2042 * Providing a real_max only makes sense where we're using a version
2043 * flexible method.
2044 */
2045 if (!ossl_assert(real_max == NULL))
2046 return ERR_R_INTERNAL_ERROR;
2047 return 0;
2048 case TLS_ANY_VERSION:
2049 table = tls_version_table;
2050 break;
2051 case DTLS_ANY_VERSION:
2052 table = dtls_version_table;
2053 break;
2054 }
2055
2056 /*
2057 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2058 * below X enabled. This is required in order to maintain the "version
2059 * capability" vector contiguous. Any versions with a NULL client method
2060 * (protocol version client is disabled at compile-time) is also a "hole".
2061 *
2062 * Our initial state is hole == 1, version == 0. That is, versions above
2063 * the first version in the method table are disabled (a "hole" above
2064 * the valid protocol entries) and we don't have a selected version yet.
2065 *
2066 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2067 * the selected version, and the method becomes a candidate "single"
2068 * method. We're no longer in a hole, so "hole" becomes 0.
2069 *
2070 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2071 * as we support a contiguous range of at least two methods. If we hit
2072 * a disabled method, then hole becomes true again, but nothing else
2073 * changes yet, because all the remaining methods may be disabled too.
2074 * If we again hit an enabled method after the new hole, it becomes
2075 * selected, as we start from scratch.
2076 */
2077 *min_version = version = 0;
2078 hole = 1;
2079 if (real_max != NULL)
2080 *real_max = 0;
2081 tmp_real_max = 0;
2082 for (vent = table; vent->version != 0; ++vent) {
2083 /*
2084 * A table entry with a NULL client method is still a hole in the
2085 * "version capability" vector.
2086 */
2087 if (vent->cmeth == NULL) {
2088 hole = 1;
2089 tmp_real_max = 0;
2090 continue;
2091 }
2092 method = vent->cmeth();
2093
2094 if (hole == 1 && tmp_real_max == 0)
2095 tmp_real_max = vent->version;
2096
2097 if (ssl_method_error(s, method) != 0) {
2098 hole = 1;
2099 } else if (!hole) {
2100 single = NULL;
2101 *min_version = method->version;
2102 } else {
2103 if (real_max != NULL && tmp_real_max != 0)
2104 *real_max = tmp_real_max;
2105 version = (single = method)->version;
2106 *min_version = version;
2107 hole = 0;
2108 }
2109 }
2110
2111 *max_version = version;
2112
2113 /* Fail if everything is disabled */
2114 if (version == 0)
2115 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2116
2117 return 0;
2118 }
2119
2120 /*
2121 * ssl_set_client_hello_version - Work out what version we should be using for
2122 * the initial ClientHello.legacy_version field.
2123 *
2124 * @s: client SSL handle.
2125 *
2126 * Returns 0 on success or an SSL error reason number on failure.
2127 */
2128 int ssl_set_client_hello_version(SSL *s)
2129 {
2130 int ver_min, ver_max, ret;
2131
2132 /*
2133 * In a renegotiation we always send the same client_version that we sent
2134 * last time, regardless of which version we eventually negotiated.
2135 */
2136 if (!SSL_IS_FIRST_HANDSHAKE(s))
2137 return 0;
2138
2139 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2140
2141 if (ret != 0)
2142 return ret;
2143
2144 s->version = ver_max;
2145
2146 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2147 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2148 ver_max = TLS1_2_VERSION;
2149
2150 s->client_version = ver_max;
2151 return 0;
2152 }
2153
2154 /*
2155 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2156 * and |checkallow| is 1 then additionally check if the group is allowed to be
2157 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2158 * 1) or 0 otherwise.
2159 */
2160 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2161 size_t num_groups, int checkallow)
2162 {
2163 size_t i;
2164
2165 if (groups == NULL || num_groups == 0)
2166 return 0;
2167
2168 if (checkallow == 1)
2169 group_id = ssl_group_id_tls13_to_internal(group_id);
2170
2171 for (i = 0; i < num_groups; i++) {
2172 uint16_t group = groups[i];
2173
2174 if (checkallow == 2)
2175 group = ssl_group_id_tls13_to_internal(group);
2176
2177 if (group_id == group
2178 && (!checkallow
2179 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2180 return 1;
2181 }
2182 }
2183
2184 return 0;
2185 }
2186
2187 /* Replace ClientHello1 in the transcript hash with a synthetic message */
2188 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2189 size_t hashlen, const unsigned char *hrr,
2190 size_t hrrlen)
2191 {
2192 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2193 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2194
2195 memset(msghdr, 0, sizeof(msghdr));
2196
2197 if (hashval == NULL) {
2198 hashval = hashvaltmp;
2199 hashlen = 0;
2200 /* Get the hash of the initial ClientHello */
2201 if (!ssl3_digest_cached_records(s, 0)
2202 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2203 &hashlen)) {
2204 /* SSLfatal() already called */
2205 return 0;
2206 }
2207 }
2208
2209 /* Reinitialise the transcript hash */
2210 if (!ssl3_init_finished_mac(s)) {
2211 /* SSLfatal() already called */
2212 return 0;
2213 }
2214
2215 /* Inject the synthetic message_hash message */
2216 msghdr[0] = SSL3_MT_MESSAGE_HASH;
2217 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2218 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2219 || !ssl3_finish_mac(s, hashval, hashlen)) {
2220 /* SSLfatal() already called */
2221 return 0;
2222 }
2223
2224 /*
2225 * Now re-inject the HRR and current message if appropriate (we just deleted
2226 * it when we reinitialised the transcript hash above). Only necessary after
2227 * receiving a ClientHello2 with a cookie.
2228 */
2229 if (hrr != NULL
2230 && (!ssl3_finish_mac(s, hrr, hrrlen)
2231 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2232 s->s3.tmp.message_size
2233 + SSL3_HM_HEADER_LENGTH))) {
2234 /* SSLfatal() already called */
2235 return 0;
2236 }
2237
2238 return 1;
2239 }
2240
2241 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2242 {
2243 return X509_NAME_cmp(*a, *b);
2244 }
2245
2246 int parse_ca_names(SSL *s, PACKET *pkt)
2247 {
2248 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2249 X509_NAME *xn = NULL;
2250 PACKET cadns;
2251
2252 if (ca_sk == NULL) {
2253 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2254 goto err;
2255 }
2256 /* get the CA RDNs */
2257 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2258 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2259 goto err;
2260 }
2261
2262 while (PACKET_remaining(&cadns)) {
2263 const unsigned char *namestart, *namebytes;
2264 unsigned int name_len;
2265
2266 if (!PACKET_get_net_2(&cadns, &name_len)
2267 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2268 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2269 goto err;
2270 }
2271
2272 namestart = namebytes;
2273 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2274 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
2275 goto err;
2276 }
2277 if (namebytes != (namestart + name_len)) {
2278 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
2279 goto err;
2280 }
2281
2282 if (!sk_X509_NAME_push(ca_sk, xn)) {
2283 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2284 goto err;
2285 }
2286 xn = NULL;
2287 }
2288
2289 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2290 s->s3.tmp.peer_ca_names = ca_sk;
2291
2292 return 1;
2293
2294 err:
2295 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2296 X509_NAME_free(xn);
2297 return 0;
2298 }
2299
2300 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2301 {
2302 const STACK_OF(X509_NAME) *ca_sk = NULL;;
2303
2304 if (s->server) {
2305 ca_sk = SSL_get_client_CA_list(s);
2306 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2307 ca_sk = NULL;
2308 }
2309
2310 if (ca_sk == NULL)
2311 ca_sk = SSL_get0_CA_list(s);
2312
2313 return ca_sk;
2314 }
2315
2316 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2317 {
2318 /* Start sub-packet for client CA list */
2319 if (!WPACKET_start_sub_packet_u16(pkt)) {
2320 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2321 return 0;
2322 }
2323
2324 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
2325 int i;
2326
2327 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2328 unsigned char *namebytes;
2329 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2330 int namelen;
2331
2332 if (name == NULL
2333 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2334 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2335 &namebytes)
2336 || i2d_X509_NAME(name, &namebytes) != namelen) {
2337 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2338 return 0;
2339 }
2340 }
2341 }
2342
2343 if (!WPACKET_close(pkt)) {
2344 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2345 return 0;
2346 }
2347
2348 return 1;
2349 }
2350
2351 /* Create a buffer containing data to be signed for server key exchange */
2352 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2353 const void *param, size_t paramlen)
2354 {
2355 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2356 unsigned char *tbs = OPENSSL_malloc(tbslen);
2357
2358 if (tbs == NULL) {
2359 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2360 return 0;
2361 }
2362 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2363 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2364
2365 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2366
2367 *ptbs = tbs;
2368 return tbslen;
2369 }
2370
2371 /*
2372 * Saves the current handshake digest for Post-Handshake Auth,
2373 * Done after ClientFinished is processed, done exactly once
2374 */
2375 int tls13_save_handshake_digest_for_pha(SSL *s)
2376 {
2377 if (s->pha_dgst == NULL) {
2378 if (!ssl3_digest_cached_records(s, 1))
2379 /* SSLfatal() already called */
2380 return 0;
2381
2382 s->pha_dgst = EVP_MD_CTX_new();
2383 if (s->pha_dgst == NULL) {
2384 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2385 return 0;
2386 }
2387 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2388 s->s3.handshake_dgst)) {
2389 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2390 EVP_MD_CTX_free(s->pha_dgst);
2391 s->pha_dgst = NULL;
2392 return 0;
2393 }
2394 }
2395 return 1;
2396 }
2397
2398 /*
2399 * Restores the Post-Handshake Auth handshake digest
2400 * Done just before sending/processing the Cert Request
2401 */
2402 int tls13_restore_handshake_digest_for_pha(SSL *s)
2403 {
2404 if (s->pha_dgst == NULL) {
2405 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2406 return 0;
2407 }
2408 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2409 s->pha_dgst)) {
2410 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2411 return 0;
2412 }
2413 return 1;
2414 }
A mirror of the official openssl repository