]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/statem_lib.c
projects / thirdparty / openssl.git / blob
? search:


960b34526873d44b93bd695db4566b9970c91e16
[thirdparty/openssl.git] / ssl / statem / statem_lib.c
1 /*
2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include <limits.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/objects.h>
19 #include <openssl/evp.h>
20 #include <openssl/x509.h>
21 #include <openssl/trace.h>
22
23 /*
24 * Map error codes to TLS/SSL alart types.
25 */
26 typedef struct x509err2alert_st {
27 int x509err;
28 int alert;
29 } X509ERR2ALERT;
30
31 /* Fixed value used in the ServerHello random field to identify an HRR */
32 const unsigned char hrrrandom[] = {
33 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
34 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
35 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
36 };
37
38 /*
39 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
40 * SSL3_RT_CHANGE_CIPHER_SPEC)
41 */
42 int ssl3_do_write(SSL *s, int type)
43 {
44 int ret;
45 size_t written = 0;
46
47 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
48 s->init_num, &written);
49 if (ret < 0)
50 return -1;
51 if (type == SSL3_RT_HANDSHAKE)
52 /*
53 * should not be done for 'Hello Request's, but in that case we'll
54 * ignore the result anyway
55 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
56 */
57 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
58 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
59 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
60 if (!ssl3_finish_mac(s,
61 (unsigned char *)&s->init_buf->data[s->init_off],
62 written))
63 return -1;
64 if (written == s->init_num) {
65 if (s->msg_callback)
66 s->msg_callback(1, s->version, type, s->init_buf->data,
67 (size_t)(s->init_off + s->init_num), s,
68 s->msg_callback_arg);
69 return 1;
70 }
71 s->init_off += written;
72 s->init_num -= written;
73 return 0;
74 }
75
76 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
77 {
78 size_t msglen;
79
80 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
81 || !WPACKET_get_length(pkt, &msglen)
82 || msglen > INT_MAX)
83 return 0;
84 s->init_num = (int)msglen;
85 s->init_off = 0;
86
87 return 1;
88 }
89
90 int tls_setup_handshake(SSL *s)
91 {
92 if (!ssl3_init_finished_mac(s)) {
93 /* SSLfatal() already called */
94 return 0;
95 }
96
97 /* Reset any extension flags */
98 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
99
100 if (s->server) {
101 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
102 int i, ver_min, ver_max, ok = 0;
103
104 /*
105 * Sanity check that the maximum version we accept has ciphers
106 * enabled. For clients we do this check during construction of the
107 * ClientHello.
108 */
109 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
110 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
111 ERR_R_INTERNAL_ERROR);
112 return 0;
113 }
114 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
115 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
116
117 if (SSL_IS_DTLS(s)) {
118 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
119 DTLS_VERSION_LE(ver_max, c->max_dtls))
120 ok = 1;
121 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
122 ok = 1;
123 }
124 if (ok)
125 break;
126 }
127 if (!ok) {
128 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
129 SSL_R_NO_CIPHERS_AVAILABLE);
130 ERR_add_error_data(1, "No ciphers enabled for max supported "
131 "SSL/TLS version");
132 return 0;
133 }
134 if (SSL_IS_FIRST_HANDSHAKE(s)) {
135 /* N.B. s->session_ctx == s->ctx here */
136 tsan_counter(&s->session_ctx->stats.sess_accept);
137 } else {
138 /* N.B. s->ctx may not equal s->session_ctx */
139 tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
140
141 s->s3.tmp.cert_request = 0;
142 }
143 } else {
144 if (SSL_IS_FIRST_HANDSHAKE(s))
145 tsan_counter(&s->session_ctx->stats.sess_connect);
146 else
147 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
148
149 /* mark client_random uninitialized */
150 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
151 s->hit = 0;
152
153 s->s3.tmp.cert_req = 0;
154
155 if (SSL_IS_DTLS(s))
156 s->statem.use_timer = 1;
157 }
158
159 return 1;
160 }
161
162 /*
163 * Size of the to-be-signed TLS13 data, without the hash size itself:
164 * 64 bytes of value 32, 33 context bytes, 1 byte separator
165 */
166 #define TLS13_TBS_START_SIZE 64
167 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
168
169 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
170 void **hdata, size_t *hdatalen)
171 {
172 #ifdef CHARSET_EBCDIC
173 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
174 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
175 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
176 0x69, 0x66, 0x79, 0x00 };
177 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
178 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
179 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
180 0x69, 0x66, 0x79, 0x00 };
181 #else
182 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
183 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
184 #endif
185 if (SSL_IS_TLS13(s)) {
186 size_t hashlen;
187
188 /* Set the first 64 bytes of to-be-signed data to octet 32 */
189 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
190 /* This copies the 33 bytes of context plus the 0 separator byte */
191 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
192 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
193 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
194 else
195 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
196
197 /*
198 * If we're currently reading then we need to use the saved handshake
199 * hash value. We can't use the current handshake hash state because
200 * that includes the CertVerify itself.
201 */
202 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
203 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
204 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
205 s->cert_verify_hash_len);
206 hashlen = s->cert_verify_hash_len;
207 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
208 EVP_MAX_MD_SIZE, &hashlen)) {
209 /* SSLfatal() already called */
210 return 0;
211 }
212
213 *hdata = tls13tbs;
214 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
215 } else {
216 size_t retlen;
217 long retlen_l;
218
219 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
220 if (retlen_l <= 0) {
221 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
222 ERR_R_INTERNAL_ERROR);
223 return 0;
224 }
225 *hdatalen = retlen;
226 }
227
228 return 1;
229 }
230
231 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
232 {
233 EVP_PKEY *pkey = NULL;
234 const EVP_MD *md = NULL;
235 EVP_MD_CTX *mctx = NULL;
236 EVP_PKEY_CTX *pctx = NULL;
237 size_t hdatalen = 0, siglen = 0;
238 void *hdata;
239 unsigned char *sig = NULL;
240 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
241 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
242
243 if (lu == NULL || s->s3.tmp.cert == NULL) {
244 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
245 ERR_R_INTERNAL_ERROR);
246 goto err;
247 }
248 pkey = s->s3.tmp.cert->privatekey;
249
250 if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
251 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
252 ERR_R_INTERNAL_ERROR);
253 goto err;
254 }
255
256 mctx = EVP_MD_CTX_new();
257 if (mctx == NULL) {
258 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
259 ERR_R_MALLOC_FAILURE);
260 goto err;
261 }
262
263 /* Get the data to be signed */
264 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
265 /* SSLfatal() already called */
266 goto err;
267 }
268
269 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
271 ERR_R_INTERNAL_ERROR);
272 goto err;
273 }
274 siglen = EVP_PKEY_size(pkey);
275 sig = OPENSSL_malloc(siglen);
276 if (sig == NULL) {
277 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
278 ERR_R_MALLOC_FAILURE);
279 goto err;
280 }
281
282 if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) {
283 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
284 ERR_R_EVP_LIB);
285 goto err;
286 }
287
288 if (lu->sig == EVP_PKEY_RSA_PSS) {
289 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
290 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
291 RSA_PSS_SALTLEN_DIGEST) <= 0) {
292 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
293 ERR_R_EVP_LIB);
294 goto err;
295 }
296 }
297 if (s->version == SSL3_VERSION) {
298 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
299 /*
300 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
301 * with a call to ssl3_digest_master_key_set_params()
302 */
303 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
304 (int)s->session->master_key_length,
305 s->session->master_key) <= 0
306 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
307
308 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
309 ERR_R_EVP_LIB);
310 goto err;
311 }
312 } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
313 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
314 ERR_R_EVP_LIB);
315 goto err;
316 }
317
318 #ifndef OPENSSL_NO_GOST
319 {
320 int pktype = lu->sig;
321
322 if (pktype == NID_id_GostR3410_2001
323 || pktype == NID_id_GostR3410_2012_256
324 || pktype == NID_id_GostR3410_2012_512)
325 BUF_reverse(sig, NULL, siglen);
326 }
327 #endif
328
329 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
330 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
331 ERR_R_INTERNAL_ERROR);
332 goto err;
333 }
334
335 /* Digest cached records and discard handshake buffer */
336 if (!ssl3_digest_cached_records(s, 0)) {
337 /* SSLfatal() already called */
338 goto err;
339 }
340
341 OPENSSL_free(sig);
342 EVP_MD_CTX_free(mctx);
343 return 1;
344 err:
345 OPENSSL_free(sig);
346 EVP_MD_CTX_free(mctx);
347 return 0;
348 }
349
350 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
351 {
352 EVP_PKEY *pkey = NULL;
353 const unsigned char *data;
354 #ifndef OPENSSL_NO_GOST
355 unsigned char *gost_data = NULL;
356 #endif
357 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
358 int j;
359 unsigned int len;
360 X509 *peer;
361 const EVP_MD *md = NULL;
362 size_t hdatalen = 0;
363 void *hdata;
364 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
365 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
366 EVP_PKEY_CTX *pctx = NULL;
367
368 if (mctx == NULL) {
369 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
370 ERR_R_MALLOC_FAILURE);
371 goto err;
372 }
373
374 peer = s->session->peer;
375 pkey = X509_get0_pubkey(peer);
376 if (pkey == NULL) {
377 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
378 ERR_R_INTERNAL_ERROR);
379 goto err;
380 }
381
382 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
383 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
384 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
385 goto err;
386 }
387
388 if (SSL_USE_SIGALGS(s)) {
389 unsigned int sigalg;
390
391 if (!PACKET_get_net_2(pkt, &sigalg)) {
392 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
393 SSL_R_BAD_PACKET);
394 goto err;
395 }
396 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
397 /* SSLfatal() already called */
398 goto err;
399 }
400 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
402 ERR_R_INTERNAL_ERROR);
403 goto err;
404 }
405
406 if (!tls1_lookup_md(s->s3.tmp.peer_sigalg, &md)) {
407 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
408 ERR_R_INTERNAL_ERROR);
409 goto err;
410 }
411
412 if (SSL_USE_SIGALGS(s))
413 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
414 md == NULL ? "n/a" : EVP_MD_name(md));
415
416 /* Check for broken implementations of GOST ciphersuites */
417 /*
418 * If key is GOST and len is exactly 64 or 128, it is signature without
419 * length field (CryptoPro implementations at least till TLS 1.2)
420 */
421 #ifndef OPENSSL_NO_GOST
422 if (!SSL_USE_SIGALGS(s)
423 && ((PACKET_remaining(pkt) == 64
424 && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
425 || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
426 || (PACKET_remaining(pkt) == 128
427 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
428 len = PACKET_remaining(pkt);
429 } else
430 #endif
431 if (!PACKET_get_net_2(pkt, &len)) {
432 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
433 SSL_R_LENGTH_MISMATCH);
434 goto err;
435 }
436
437 j = EVP_PKEY_size(pkey);
438 if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
439 || (PACKET_remaining(pkt) == 0)) {
440 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
441 SSL_R_WRONG_SIGNATURE_SIZE);
442 goto err;
443 }
444 if (!PACKET_get_bytes(pkt, &data, len)) {
445 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
446 SSL_R_LENGTH_MISMATCH);
447 goto err;
448 }
449
450 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
451 /* SSLfatal() already called */
452 goto err;
453 }
454
455 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
456 md == NULL ? "n/a" : EVP_MD_name(md));
457
458 if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
459 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
460 ERR_R_EVP_LIB);
461 goto err;
462 }
463 #ifndef OPENSSL_NO_GOST
464 {
465 int pktype = EVP_PKEY_id(pkey);
466 if (pktype == NID_id_GostR3410_2001
467 || pktype == NID_id_GostR3410_2012_256
468 || pktype == NID_id_GostR3410_2012_512) {
469 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
470 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
471 SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
472 goto err;
473 }
474 BUF_reverse(gost_data, data, len);
475 data = gost_data;
476 }
477 }
478 #endif
479
480 if (SSL_USE_PSS(s)) {
481 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
482 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
483 RSA_PSS_SALTLEN_DIGEST) <= 0) {
484 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
485 ERR_R_EVP_LIB);
486 goto err;
487 }
488 }
489 if (s->version == SSL3_VERSION) {
490 /*
491 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
492 * with a call to ssl3_digest_master_key_set_params()
493 */
494 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
495 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
496 (int)s->session->master_key_length,
497 s->session->master_key) <= 0) {
498 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
499 ERR_R_EVP_LIB);
500 goto err;
501 }
502 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
503 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
504 SSL_R_BAD_SIGNATURE);
505 goto err;
506 }
507 } else {
508 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
509 if (j <= 0) {
510 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
511 SSL_R_BAD_SIGNATURE);
512 goto err;
513 }
514 }
515
516 /*
517 * In TLSv1.3 on the client side we make sure we prepare the client
518 * certificate after the CertVerify instead of when we get the
519 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
520 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
521 * want to make sure that SSL_get_peer_certificate() will return the actual
522 * server certificate from the client_cert_cb callback.
523 */
524 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
525 ret = MSG_PROCESS_CONTINUE_PROCESSING;
526 else
527 ret = MSG_PROCESS_CONTINUE_READING;
528 err:
529 BIO_free(s->s3.handshake_buffer);
530 s->s3.handshake_buffer = NULL;
531 EVP_MD_CTX_free(mctx);
532 #ifndef OPENSSL_NO_GOST
533 OPENSSL_free(gost_data);
534 #endif
535 return ret;
536 }
537
538 int tls_construct_finished(SSL *s, WPACKET *pkt)
539 {
540 size_t finish_md_len;
541 const char *sender;
542 size_t slen;
543
544 /* This is a real handshake so make sure we clean it up at the end */
545 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
546 s->statem.cleanuphand = 1;
547
548 /*
549 * We only change the keys if we didn't already do this when we sent the
550 * client certificate
551 */
552 if (SSL_IS_TLS13(s)
553 && !s->server
554 && s->s3.tmp.cert_req == 0
555 && (!s->method->ssl3_enc->change_cipher_state(s,
556 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
557 /* SSLfatal() already called */
558 return 0;
559 }
560
561 if (s->server) {
562 sender = s->method->ssl3_enc->server_finished_label;
563 slen = s->method->ssl3_enc->server_finished_label_len;
564 } else {
565 sender = s->method->ssl3_enc->client_finished_label;
566 slen = s->method->ssl3_enc->client_finished_label_len;
567 }
568
569 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
570 sender, slen,
571 s->s3.tmp.finish_md);
572 if (finish_md_len == 0) {
573 /* SSLfatal() already called */
574 return 0;
575 }
576
577 s->s3.tmp.finish_md_len = finish_md_len;
578
579 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
580 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
581 ERR_R_INTERNAL_ERROR);
582 return 0;
583 }
584
585 /*
586 * Log the master secret, if logging is enabled. We don't log it for
587 * TLSv1.3: there's a different key schedule for that.
588 */
589 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
590 s->session->master_key,
591 s->session->master_key_length)) {
592 /* SSLfatal() already called */
593 return 0;
594 }
595
596 /*
597 * Copy the finished so we can use it for renegotiation checks
598 */
599 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
600 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
601 ERR_R_INTERNAL_ERROR);
602 return 0;
603 }
604 if (!s->server) {
605 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
606 finish_md_len);
607 s->s3.previous_client_finished_len = finish_md_len;
608 } else {
609 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
610 finish_md_len);
611 s->s3.previous_server_finished_len = finish_md_len;
612 }
613
614 return 1;
615 }
616
617 int tls_construct_key_update(SSL *s, WPACKET *pkt)
618 {
619 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
620 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
621 ERR_R_INTERNAL_ERROR);
622 return 0;
623 }
624
625 s->key_update = SSL_KEY_UPDATE_NONE;
626 return 1;
627 }
628
629 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
630 {
631 unsigned int updatetype;
632
633 /*
634 * A KeyUpdate message signals a key change so the end of the message must
635 * be on a record boundary.
636 */
637 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
638 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
639 SSL_R_NOT_ON_RECORD_BOUNDARY);
640 return MSG_PROCESS_ERROR;
641 }
642
643 if (!PACKET_get_1(pkt, &updatetype)
644 || PACKET_remaining(pkt) != 0) {
645 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
646 SSL_R_BAD_KEY_UPDATE);
647 return MSG_PROCESS_ERROR;
648 }
649
650 /*
651 * There are only two defined key update types. Fail if we get a value we
652 * didn't recognise.
653 */
654 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
655 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
656 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
657 SSL_R_BAD_KEY_UPDATE);
658 return MSG_PROCESS_ERROR;
659 }
660
661 /*
662 * If we get a request for us to update our sending keys too then, we need
663 * to additionally send a KeyUpdate message. However that message should
664 * not also request an update (otherwise we get into an infinite loop).
665 */
666 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
667 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
668
669 if (!tls13_update_key(s, 0)) {
670 /* SSLfatal() already called */
671 return MSG_PROCESS_ERROR;
672 }
673
674 return MSG_PROCESS_FINISHED_READING;
675 }
676
677 /*
678 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
679 * to far.
680 */
681 int ssl3_take_mac(SSL *s)
682 {
683 const char *sender;
684 size_t slen;
685
686 if (!s->server) {
687 sender = s->method->ssl3_enc->server_finished_label;
688 slen = s->method->ssl3_enc->server_finished_label_len;
689 } else {
690 sender = s->method->ssl3_enc->client_finished_label;
691 slen = s->method->ssl3_enc->client_finished_label_len;
692 }
693
694 s->s3.tmp.peer_finish_md_len =
695 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
696 s->s3.tmp.peer_finish_md);
697
698 if (s->s3.tmp.peer_finish_md_len == 0) {
699 /* SSLfatal() already called */
700 return 0;
701 }
702
703 return 1;
704 }
705
706 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
707 {
708 size_t remain;
709
710 remain = PACKET_remaining(pkt);
711 /*
712 * 'Change Cipher Spec' is just a single byte, which should already have
713 * been consumed by ssl_get_message() so there should be no bytes left,
714 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
715 */
716 if (SSL_IS_DTLS(s)) {
717 if ((s->version == DTLS1_BAD_VER
718 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
719 || (s->version != DTLS1_BAD_VER
720 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
721 SSLfatal(s, SSL_AD_DECODE_ERROR,
722 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
723 SSL_R_BAD_CHANGE_CIPHER_SPEC);
724 return MSG_PROCESS_ERROR;
725 }
726 } else {
727 if (remain != 0) {
728 SSLfatal(s, SSL_AD_DECODE_ERROR,
729 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
730 SSL_R_BAD_CHANGE_CIPHER_SPEC);
731 return MSG_PROCESS_ERROR;
732 }
733 }
734
735 /* Check we have a cipher to change to */
736 if (s->s3.tmp.new_cipher == NULL) {
737 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
738 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
739 return MSG_PROCESS_ERROR;
740 }
741
742 s->s3.change_cipher_spec = 1;
743 if (!ssl3_do_change_cipher_spec(s)) {
744 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
745 ERR_R_INTERNAL_ERROR);
746 return MSG_PROCESS_ERROR;
747 }
748
749 if (SSL_IS_DTLS(s)) {
750 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
751
752 if (s->version == DTLS1_BAD_VER)
753 s->d1->handshake_read_seq++;
754
755 #ifndef OPENSSL_NO_SCTP
756 /*
757 * Remember that a CCS has been received, so that an old key of
758 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
759 * SCTP is used
760 */
761 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
762 #endif
763 }
764
765 return MSG_PROCESS_CONTINUE_READING;
766 }
767
768 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
769 {
770 size_t md_len;
771
772
773 /* This is a real handshake so make sure we clean it up at the end */
774 if (s->server) {
775 /*
776 * To get this far we must have read encrypted data from the client. We
777 * no longer tolerate unencrypted alerts. This value is ignored if less
778 * than TLSv1.3
779 */
780 s->statem.enc_read_state = ENC_READ_STATE_VALID;
781 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
782 s->statem.cleanuphand = 1;
783 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
784 /* SSLfatal() already called */
785 return MSG_PROCESS_ERROR;
786 }
787 }
788
789 /*
790 * In TLSv1.3 a Finished message signals a key change so the end of the
791 * message must be on a record boundary.
792 */
793 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
794 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
795 SSL_R_NOT_ON_RECORD_BOUNDARY);
796 return MSG_PROCESS_ERROR;
797 }
798
799 /* If this occurs, we have missed a message */
800 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
801 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
802 SSL_R_GOT_A_FIN_BEFORE_A_CCS);
803 return MSG_PROCESS_ERROR;
804 }
805 s->s3.change_cipher_spec = 0;
806
807 md_len = s->s3.tmp.peer_finish_md_len;
808
809 if (md_len != PACKET_remaining(pkt)) {
810 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
811 SSL_R_BAD_DIGEST_LENGTH);
812 return MSG_PROCESS_ERROR;
813 }
814
815 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
816 md_len) != 0) {
817 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
818 SSL_R_DIGEST_CHECK_FAILED);
819 return MSG_PROCESS_ERROR;
820 }
821
822 /*
823 * Copy the finished so we can use it for renegotiation checks
824 */
825 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
826 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
827 ERR_R_INTERNAL_ERROR);
828 return MSG_PROCESS_ERROR;
829 }
830 if (s->server) {
831 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
832 md_len);
833 s->s3.previous_client_finished_len = md_len;
834 } else {
835 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
836 md_len);
837 s->s3.previous_server_finished_len = md_len;
838 }
839
840 /*
841 * In TLS1.3 we also have to change cipher state and do any final processing
842 * of the initial server flight (if we are a client)
843 */
844 if (SSL_IS_TLS13(s)) {
845 if (s->server) {
846 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
847 !s->method->ssl3_enc->change_cipher_state(s,
848 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
849 /* SSLfatal() already called */
850 return MSG_PROCESS_ERROR;
851 }
852 } else {
853 if (!s->method->ssl3_enc->generate_master_secret(s,
854 s->master_secret, s->handshake_secret, 0,
855 &s->session->master_key_length)) {
856 /* SSLfatal() already called */
857 return MSG_PROCESS_ERROR;
858 }
859 if (!s->method->ssl3_enc->change_cipher_state(s,
860 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
861 /* SSLfatal() already called */
862 return MSG_PROCESS_ERROR;
863 }
864 if (!tls_process_initial_server_flight(s)) {
865 /* SSLfatal() already called */
866 return MSG_PROCESS_ERROR;
867 }
868 }
869 }
870
871 return MSG_PROCESS_FINISHED_READING;
872 }
873
874 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
875 {
876 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
877 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
878 SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
879 return 0;
880 }
881
882 return 1;
883 }
884
885 /* Add a certificate to the WPACKET */
886 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
887 {
888 int len;
889 unsigned char *outbytes;
890
891 len = i2d_X509(x, NULL);
892 if (len < 0) {
893 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
894 ERR_R_BUF_LIB);
895 return 0;
896 }
897 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
898 || i2d_X509(x, &outbytes) != len) {
899 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
900 ERR_R_INTERNAL_ERROR);
901 return 0;
902 }
903
904 if (SSL_IS_TLS13(s)
905 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
906 chain)) {
907 /* SSLfatal() already called */
908 return 0;
909 }
910
911 return 1;
912 }
913
914 /* Add certificate chain to provided WPACKET */
915 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
916 {
917 int i, chain_count;
918 X509 *x;
919 STACK_OF(X509) *extra_certs;
920 STACK_OF(X509) *chain = NULL;
921 X509_STORE *chain_store;
922
923 if (cpk == NULL || cpk->x509 == NULL)
924 return 1;
925
926 x = cpk->x509;
927
928 /*
929 * If we have a certificate specific chain use it, else use parent ctx.
930 */
931 if (cpk->chain != NULL)
932 extra_certs = cpk->chain;
933 else
934 extra_certs = s->ctx->extra_certs;
935
936 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
937 chain_store = NULL;
938 else if (s->cert->chain_store)
939 chain_store = s->cert->chain_store;
940 else
941 chain_store = s->ctx->cert_store;
942
943 if (chain_store != NULL) {
944 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();
945
946 if (xs_ctx == NULL) {
947 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
948 ERR_R_MALLOC_FAILURE);
949 return 0;
950 }
951 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
952 X509_STORE_CTX_free(xs_ctx);
953 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
954 ERR_R_X509_LIB);
955 return 0;
956 }
957 /*
958 * It is valid for the chain not to be complete (because normally we
959 * don't include the root cert in the chain). Therefore we deliberately
960 * ignore the error return from this call. We're not actually verifying
961 * the cert - we're just building as much of the chain as we can
962 */
963 (void)X509_verify_cert(xs_ctx);
964 /* Don't leave errors in the queue */
965 ERR_clear_error();
966 chain = X509_STORE_CTX_get0_chain(xs_ctx);
967 i = ssl_security_cert_chain(s, chain, NULL, 0);
968 if (i != 1) {
969 #if 0
970 /* Dummy error calls so mkerr generates them */
971 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
972 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
973 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
974 #endif
975 X509_STORE_CTX_free(xs_ctx);
976 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
977 return 0;
978 }
979 chain_count = sk_X509_num(chain);
980 for (i = 0; i < chain_count; i++) {
981 x = sk_X509_value(chain, i);
982
983 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
984 /* SSLfatal() already called */
985 X509_STORE_CTX_free(xs_ctx);
986 return 0;
987 }
988 }
989 X509_STORE_CTX_free(xs_ctx);
990 } else {
991 i = ssl_security_cert_chain(s, extra_certs, x, 0);
992 if (i != 1) {
993 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
994 return 0;
995 }
996 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
997 /* SSLfatal() already called */
998 return 0;
999 }
1000 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1001 x = sk_X509_value(extra_certs, i);
1002 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1003 /* SSLfatal() already called */
1004 return 0;
1005 }
1006 }
1007 }
1008 return 1;
1009 }
1010
1011 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1012 {
1013 if (!WPACKET_start_sub_packet_u24(pkt)) {
1014 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1015 ERR_R_INTERNAL_ERROR);
1016 return 0;
1017 }
1018
1019 if (!ssl_add_cert_chain(s, pkt, cpk))
1020 return 0;
1021
1022 if (!WPACKET_close(pkt)) {
1023 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1024 ERR_R_INTERNAL_ERROR);
1025 return 0;
1026 }
1027
1028 return 1;
1029 }
1030
1031 /*
1032 * Tidy up after the end of a handshake. In the case of SCTP this may result
1033 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1034 * freed up as well.
1035 */
1036 WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
1037 {
1038 void (*cb) (const SSL *ssl, int type, int val) = NULL;
1039 int cleanuphand = s->statem.cleanuphand;
1040
1041 if (clearbufs) {
1042 if (!SSL_IS_DTLS(s)
1043 #ifndef OPENSSL_NO_SCTP
1044 /*
1045 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1046 * messages that require it. Therefore, DTLS procedures for retransmissions
1047 * MUST NOT be used.
1048 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1049 */
1050 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1051 #endif
1052 ) {
1053 /*
1054 * We don't do this in DTLS over UDP because we may still need the init_buf
1055 * in case there are any unexpected retransmits
1056 */
1057 BUF_MEM_free(s->init_buf);
1058 s->init_buf = NULL;
1059 }
1060
1061 if (!ssl_free_wbio_buffer(s)) {
1062 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
1063 ERR_R_INTERNAL_ERROR);
1064 return WORK_ERROR;
1065 }
1066 s->init_num = 0;
1067 }
1068
1069 if (SSL_IS_TLS13(s) && !s->server
1070 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1071 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1072
1073 /*
1074 * Only set if there was a Finished message and this isn't after a TLSv1.3
1075 * post handshake exchange
1076 */
1077 if (cleanuphand) {
1078 /* skipped if we just sent a HelloRequest */
1079 s->renegotiate = 0;
1080 s->new_session = 0;
1081 s->statem.cleanuphand = 0;
1082 s->ext.ticket_expected = 0;
1083
1084 ssl3_cleanup_key_block(s);
1085
1086 if (s->server) {
1087 /*
1088 * In TLSv1.3 we update the cache as part of constructing the
1089 * NewSessionTicket
1090 */
1091 if (!SSL_IS_TLS13(s))
1092 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1093
1094 /* N.B. s->ctx may not equal s->session_ctx */
1095 tsan_counter(&s->ctx->stats.sess_accept_good);
1096 s->handshake_func = ossl_statem_accept;
1097 } else {
1098 if (SSL_IS_TLS13(s)) {
1099 /*
1100 * We encourage applications to only use TLSv1.3 tickets once,
1101 * so we remove this one from the cache.
1102 */
1103 if ((s->session_ctx->session_cache_mode
1104 & SSL_SESS_CACHE_CLIENT) != 0)
1105 SSL_CTX_remove_session(s->session_ctx, s->session);
1106 } else {
1107 /*
1108 * In TLSv1.3 we update the cache as part of processing the
1109 * NewSessionTicket
1110 */
1111 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1112 }
1113 if (s->hit)
1114 tsan_counter(&s->session_ctx->stats.sess_hit);
1115
1116 s->handshake_func = ossl_statem_connect;
1117 tsan_counter(&s->session_ctx->stats.sess_connect_good);
1118 }
1119
1120 if (SSL_IS_DTLS(s)) {
1121 /* done with handshaking */
1122 s->d1->handshake_read_seq = 0;
1123 s->d1->handshake_write_seq = 0;
1124 s->d1->next_handshake_write_seq = 0;
1125 dtls1_clear_received_buffer(s);
1126 }
1127 }
1128
1129 if (s->info_callback != NULL)
1130 cb = s->info_callback;
1131 else if (s->ctx->info_callback != NULL)
1132 cb = s->ctx->info_callback;
1133
1134 /* The callback may expect us to not be in init at handshake done */
1135 ossl_statem_set_in_init(s, 0);
1136
1137 if (cb != NULL) {
1138 if (cleanuphand
1139 || !SSL_IS_TLS13(s)
1140 || SSL_IS_FIRST_HANDSHAKE(s))
1141 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1142 }
1143
1144 if (!stop) {
1145 /* If we've got more work to do we go back into init */
1146 ossl_statem_set_in_init(s, 1);
1147 return WORK_FINISHED_CONTINUE;
1148 }
1149
1150 return WORK_FINISHED_STOP;
1151 }
1152
1153 int tls_get_message_header(SSL *s, int *mt)
1154 {
1155 /* s->init_num < SSL3_HM_HEADER_LENGTH */
1156 int skip_message, i, recvd_type;
1157 unsigned char *p;
1158 size_t l, readbytes;
1159
1160 p = (unsigned char *)s->init_buf->data;
1161
1162 do {
1163 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1164 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1165 &p[s->init_num],
1166 SSL3_HM_HEADER_LENGTH - s->init_num,
1167 0, &readbytes);
1168 if (i <= 0) {
1169 s->rwstate = SSL_READING;
1170 return 0;
1171 }
1172 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1173 /*
1174 * A ChangeCipherSpec must be a single byte and may not occur
1175 * in the middle of a handshake message.
1176 */
1177 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1178 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1179 SSL_F_TLS_GET_MESSAGE_HEADER,
1180 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1181 return 0;
1182 }
1183 if (s->statem.hand_state == TLS_ST_BEFORE
1184 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1185 /*
1186 * We are stateless and we received a CCS. Probably this is
1187 * from a client between the first and second ClientHellos.
1188 * We should ignore this, but return an error because we do
1189 * not return success until we see the second ClientHello
1190 * with a valid cookie.
1191 */
1192 return 0;
1193 }
1194 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1195 s->init_num = readbytes - 1;
1196 s->init_msg = s->init_buf->data;
1197 s->s3.tmp.message_size = readbytes;
1198 return 1;
1199 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1200 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1201 SSL_F_TLS_GET_MESSAGE_HEADER,
1202 SSL_R_CCS_RECEIVED_EARLY);
1203 return 0;
1204 }
1205 s->init_num += readbytes;
1206 }
1207
1208 skip_message = 0;
1209 if (!s->server)
1210 if (s->statem.hand_state != TLS_ST_OK
1211 && p[0] == SSL3_MT_HELLO_REQUEST)
1212 /*
1213 * The server may always send 'Hello Request' messages --
1214 * we are doing a handshake anyway now, so ignore them if
1215 * their format is correct. Does not count for 'Finished'
1216 * MAC.
1217 */
1218 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1219 s->init_num = 0;
1220 skip_message = 1;
1221
1222 if (s->msg_callback)
1223 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1224 p, SSL3_HM_HEADER_LENGTH, s,
1225 s->msg_callback_arg);
1226 }
1227 } while (skip_message);
1228 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1229
1230 *mt = *p;
1231 s->s3.tmp.message_type = *(p++);
1232
1233 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1234 /*
1235 * Only happens with SSLv3+ in an SSLv2 backward compatible
1236 * ClientHello
1237 *
1238 * Total message size is the remaining record bytes to read
1239 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1240 */
1241 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1242 + SSL3_HM_HEADER_LENGTH;
1243 s->s3.tmp.message_size = l;
1244
1245 s->init_msg = s->init_buf->data;
1246 s->init_num = SSL3_HM_HEADER_LENGTH;
1247 } else {
1248 n2l3(p, l);
1249 /* BUF_MEM_grow takes an 'int' parameter */
1250 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1251 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
1252 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1253 return 0;
1254 }
1255 s->s3.tmp.message_size = l;
1256
1257 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1258 s->init_num = 0;
1259 }
1260
1261 return 1;
1262 }
1263
1264 int tls_get_message_body(SSL *s, size_t *len)
1265 {
1266 size_t n, readbytes;
1267 unsigned char *p;
1268 int i;
1269
1270 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1271 /* We've already read everything in */
1272 *len = (unsigned long)s->init_num;
1273 return 1;
1274 }
1275
1276 p = s->init_msg;
1277 n = s->s3.tmp.message_size - s->init_num;
1278 while (n > 0) {
1279 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1280 &p[s->init_num], n, 0, &readbytes);
1281 if (i <= 0) {
1282 s->rwstate = SSL_READING;
1283 *len = 0;
1284 return 0;
1285 }
1286 s->init_num += readbytes;
1287 n -= readbytes;
1288 }
1289
1290 /*
1291 * If receiving Finished, record MAC of prior handshake messages for
1292 * Finished verification.
1293 */
1294 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1295 /* SSLfatal() already called */
1296 *len = 0;
1297 return 0;
1298 }
1299
1300 /* Feed this message into MAC computation. */
1301 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1302 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1303 s->init_num)) {
1304 /* SSLfatal() already called */
1305 *len = 0;
1306 return 0;
1307 }
1308 if (s->msg_callback)
1309 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1310 (size_t)s->init_num, s, s->msg_callback_arg);
1311 } else {
1312 /*
1313 * We defer feeding in the HRR until later. We'll do it as part of
1314 * processing the message
1315 * The TLsv1.3 handshake transcript stops at the ClientFinished
1316 * message.
1317 */
1318 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1319 /* KeyUpdate and NewSessionTicket do not need to be added */
1320 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1321 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1322 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1323 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1324 || memcmp(hrrrandom,
1325 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1326 SSL3_RANDOM_SIZE) != 0) {
1327 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1328 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1329 /* SSLfatal() already called */
1330 *len = 0;
1331 return 0;
1332 }
1333 }
1334 }
1335 if (s->msg_callback)
1336 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1337 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1338 s->msg_callback_arg);
1339 }
1340
1341 *len = s->init_num;
1342 return 1;
1343 }
1344
1345 static const X509ERR2ALERT x509table[] = {
1346 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1347 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1348 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1349 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1350 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1351 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1352 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1353 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1354 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1355 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1356 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1357 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1358 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1359 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1360 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1361 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1362 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1363 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1364 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1365 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1366 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1367 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1368 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1369 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1370 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1371 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1372 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1373 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1374 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1375 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1376 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1377 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1378 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1379 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1380 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1381 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1382 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1383 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1384 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1385
1386 /* Last entry; return this if we don't find the value above. */
1387 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1388 };
1389
1390 int ssl_x509err2alert(int x509err)
1391 {
1392 const X509ERR2ALERT *tp;
1393
1394 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1395 if (tp->x509err == x509err)
1396 break;
1397 return tp->alert;
1398 }
1399
1400 int ssl_allow_compression(SSL *s)
1401 {
1402 if (s->options & SSL_OP_NO_COMPRESSION)
1403 return 0;
1404 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1405 }
1406
1407 static int version_cmp(const SSL *s, int a, int b)
1408 {
1409 int dtls = SSL_IS_DTLS(s);
1410
1411 if (a == b)
1412 return 0;
1413 if (!dtls)
1414 return a < b ? -1 : 1;
1415 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1416 }
1417
1418 typedef struct {
1419 int version;
1420 const SSL_METHOD *(*cmeth) (void);
1421 const SSL_METHOD *(*smeth) (void);
1422 } version_info;
1423
1424 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1425 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1426 #endif
1427
1428 /* Must be in order high to low */
1429 static const version_info tls_version_table[] = {
1430 #ifndef OPENSSL_NO_TLS1_3
1431 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1432 #else
1433 {TLS1_3_VERSION, NULL, NULL},
1434 #endif
1435 #ifndef OPENSSL_NO_TLS1_2
1436 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1437 #else
1438 {TLS1_2_VERSION, NULL, NULL},
1439 #endif
1440 #ifndef OPENSSL_NO_TLS1_1
1441 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1442 #else
1443 {TLS1_1_VERSION, NULL, NULL},
1444 #endif
1445 #ifndef OPENSSL_NO_TLS1
1446 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1447 #else
1448 {TLS1_VERSION, NULL, NULL},
1449 #endif
1450 #ifndef OPENSSL_NO_SSL3
1451 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1452 #else
1453 {SSL3_VERSION, NULL, NULL},
1454 #endif
1455 {0, NULL, NULL},
1456 };
1457
1458 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1459 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1460 #endif
1461
1462 /* Must be in order high to low */
1463 static const version_info dtls_version_table[] = {
1464 #ifndef OPENSSL_NO_DTLS1_2
1465 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1466 #else
1467 {DTLS1_2_VERSION, NULL, NULL},
1468 #endif
1469 #ifndef OPENSSL_NO_DTLS1
1470 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1471 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1472 #else
1473 {DTLS1_VERSION, NULL, NULL},
1474 {DTLS1_BAD_VER, NULL, NULL},
1475 #endif
1476 {0, NULL, NULL},
1477 };
1478
1479 /*
1480 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1481 *
1482 * @s: The SSL handle for the candidate method
1483 * @method: the intended method.
1484 *
1485 * Returns 0 on success, or an SSL error reason on failure.
1486 */
1487 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1488 {
1489 int version = method->version;
1490
1491 if ((s->min_proto_version != 0 &&
1492 version_cmp(s, version, s->min_proto_version) < 0) ||
1493 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1494 return SSL_R_VERSION_TOO_LOW;
1495
1496 if (s->max_proto_version != 0 &&
1497 version_cmp(s, version, s->max_proto_version) > 0)
1498 return SSL_R_VERSION_TOO_HIGH;
1499
1500 if ((s->options & method->mask) != 0)
1501 return SSL_R_UNSUPPORTED_PROTOCOL;
1502 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1503 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1504
1505 return 0;
1506 }
1507
1508 /*
1509 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1510 * certificate type, or has PSK or a certificate callback configured. Otherwise
1511 * returns 0.
1512 */
1513 static int is_tls13_capable(const SSL *s)
1514 {
1515 int i;
1516 #ifndef OPENSSL_NO_EC
1517 int curve;
1518 EC_KEY *eckey;
1519 #endif
1520
1521 #ifndef OPENSSL_NO_PSK
1522 if (s->psk_server_callback != NULL)
1523 return 1;
1524 #endif
1525
1526 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1527 return 1;
1528
1529 for (i = 0; i < SSL_PKEY_NUM; i++) {
1530 /* Skip over certs disallowed for TLSv1.3 */
1531 switch (i) {
1532 case SSL_PKEY_DSA_SIGN:
1533 case SSL_PKEY_GOST01:
1534 case SSL_PKEY_GOST12_256:
1535 case SSL_PKEY_GOST12_512:
1536 continue;
1537 default:
1538 break;
1539 }
1540 if (!ssl_has_cert(s, i))
1541 continue;
1542 #ifndef OPENSSL_NO_EC
1543 if (i != SSL_PKEY_ECC)
1544 return 1;
1545 /*
1546 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1547 * more restrictive so check that our sig algs are consistent with this
1548 * EC cert. See section 4.2.3 of RFC8446.
1549 */
1550 eckey = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1551 if (eckey == NULL)
1552 continue;
1553 curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
1554 if (tls_check_sigalg_curve(s, curve))
1555 return 1;
1556 #else
1557 return 1;
1558 #endif
1559 }
1560
1561 return 0;
1562 }
1563
1564 /*
1565 * ssl_version_supported - Check that the specified `version` is supported by
1566 * `SSL *` instance
1567 *
1568 * @s: The SSL handle for the candidate method
1569 * @version: Protocol version to test against
1570 *
1571 * Returns 1 when supported, otherwise 0
1572 */
1573 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1574 {
1575 const version_info *vent;
1576 const version_info *table;
1577
1578 switch (s->method->version) {
1579 default:
1580 /* Version should match method version for non-ANY method */
1581 return version_cmp(s, version, s->version) == 0;
1582 case TLS_ANY_VERSION:
1583 table = tls_version_table;
1584 break;
1585 case DTLS_ANY_VERSION:
1586 table = dtls_version_table;
1587 break;
1588 }
1589
1590 for (vent = table;
1591 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1592 ++vent) {
1593 if (vent->cmeth != NULL
1594 && version_cmp(s, version, vent->version) == 0
1595 && ssl_method_error(s, vent->cmeth()) == 0
1596 && (!s->server
1597 || version != TLS1_3_VERSION
1598 || is_tls13_capable(s))) {
1599 if (meth != NULL)
1600 *meth = vent->cmeth();
1601 return 1;
1602 }
1603 }
1604 return 0;
1605 }
1606
1607 /*
1608 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1609 * fallback indication from a client check whether we're using the highest
1610 * supported protocol version.
1611 *
1612 * @s server SSL handle.
1613 *
1614 * Returns 1 when using the highest enabled version, 0 otherwise.
1615 */
1616 int ssl_check_version_downgrade(SSL *s)
1617 {
1618 const version_info *vent;
1619 const version_info *table;
1620
1621 /*
1622 * Check that the current protocol is the highest enabled version
1623 * (according to s->ctx->method, as version negotiation may have changed
1624 * s->method).
1625 */
1626 if (s->version == s->ctx->method->version)
1627 return 1;
1628
1629 /*
1630 * Apparently we're using a version-flexible SSL_METHOD (not at its
1631 * highest protocol version).
1632 */
1633 if (s->ctx->method->version == TLS_method()->version)
1634 table = tls_version_table;
1635 else if (s->ctx->method->version == DTLS_method()->version)
1636 table = dtls_version_table;
1637 else {
1638 /* Unexpected state; fail closed. */
1639 return 0;
1640 }
1641
1642 for (vent = table; vent->version != 0; ++vent) {
1643 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1644 return s->version == vent->version;
1645 }
1646 return 0;
1647 }
1648
1649 /*
1650 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1651 * protocols, provided the initial (D)TLS method is version-flexible. This
1652 * function sanity-checks the proposed value and makes sure the method is
1653 * version-flexible, then sets the limit if all is well.
1654 *
1655 * @method_version: The version of the current SSL_METHOD.
1656 * @version: the intended limit.
1657 * @bound: pointer to limit to be updated.
1658 *
1659 * Returns 1 on success, 0 on failure.
1660 */
1661 int ssl_set_version_bound(int method_version, int version, int *bound)
1662 {
1663 if (version == 0) {
1664 *bound = version;
1665 return 1;
1666 }
1667
1668 /*-
1669 * Restrict TLS methods to TLS protocol versions.
1670 * Restrict DTLS methods to DTLS protocol versions.
1671 * Note, DTLS version numbers are decreasing, use comparison macros.
1672 *
1673 * Note that for both lower-bounds we use explicit versions, not
1674 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1675 * configurations. If the MIN (supported) version ever rises, the user's
1676 * "floor" remains valid even if no longer available. We don't expect the
1677 * MAX ceiling to ever get lower, so making that variable makes sense.
1678 */
1679 switch (method_version) {
1680 default:
1681 /*
1682 * XXX For fixed version methods, should we always fail and not set any
1683 * bounds, always succeed and not set any bounds, or set the bounds and
1684 * arrange to fail later if they are not met? At present fixed-version
1685 * methods are not subject to controls that disable individual protocol
1686 * versions.
1687 */
1688 return 0;
1689
1690 case TLS_ANY_VERSION:
1691 if (version < SSL3_VERSION || version > TLS_MAX_VERSION_INTERNAL)
1692 return 0;
1693 break;
1694
1695 case DTLS_ANY_VERSION:
1696 if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION_INTERNAL) ||
1697 DTLS_VERSION_LT(version, DTLS1_BAD_VER))
1698 return 0;
1699 break;
1700 }
1701
1702 *bound = version;
1703 return 1;
1704 }
1705
1706 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1707 {
1708 if (vers == TLS1_2_VERSION
1709 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1710 *dgrd = DOWNGRADE_TO_1_2;
1711 } else if (!SSL_IS_DTLS(s)
1712 && vers < TLS1_2_VERSION
1713 /*
1714 * We need to ensure that a server that disables TLSv1.2
1715 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1716 * complete handshakes with clients that support TLSv1.2 and
1717 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1718 * enabled and TLSv1.2 is not.
1719 */
1720 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1721 *dgrd = DOWNGRADE_TO_1_1;
1722 } else {
1723 *dgrd = DOWNGRADE_NONE;
1724 }
1725 }
1726
1727 /*
1728 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1729 * client HELLO is received to select the final server protocol version and
1730 * the version specific method.
1731 *
1732 * @s: server SSL handle.
1733 *
1734 * Returns 0 on success or an SSL error reason number on failure.
1735 */
1736 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1737 {
1738 /*-
1739 * With version-flexible methods we have an initial state with:
1740 *
1741 * s->method->version == (D)TLS_ANY_VERSION,
1742 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
1743 *
1744 * So we detect version-flexible methods via the method version, not the
1745 * handle version.
1746 */
1747 int server_version = s->method->version;
1748 int client_version = hello->legacy_version;
1749 const version_info *vent;
1750 const version_info *table;
1751 int disabled = 0;
1752 RAW_EXTENSION *suppversions;
1753
1754 s->client_version = client_version;
1755
1756 switch (server_version) {
1757 default:
1758 if (!SSL_IS_TLS13(s)) {
1759 if (version_cmp(s, client_version, s->version) < 0)
1760 return SSL_R_WRONG_SSL_VERSION;
1761 *dgrd = DOWNGRADE_NONE;
1762 /*
1763 * If this SSL handle is not from a version flexible method we don't
1764 * (and never did) check min/max FIPS or Suite B constraints. Hope
1765 * that's OK. It is up to the caller to not choose fixed protocol
1766 * versions they don't want. If not, then easy to fix, just return
1767 * ssl_method_error(s, s->method)
1768 */
1769 return 0;
1770 }
1771 /*
1772 * Fall through if we are TLSv1.3 already (this means we must be after
1773 * a HelloRetryRequest
1774 */
1775 /* fall thru */
1776 case TLS_ANY_VERSION:
1777 table = tls_version_table;
1778 break;
1779 case DTLS_ANY_VERSION:
1780 table = dtls_version_table;
1781 break;
1782 }
1783
1784 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1785
1786 /* If we did an HRR then supported versions is mandatory */
1787 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1788 return SSL_R_UNSUPPORTED_PROTOCOL;
1789
1790 if (suppversions->present && !SSL_IS_DTLS(s)) {
1791 unsigned int candidate_vers = 0;
1792 unsigned int best_vers = 0;
1793 const SSL_METHOD *best_method = NULL;
1794 PACKET versionslist;
1795
1796 suppversions->parsed = 1;
1797
1798 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1799 /* Trailing or invalid data? */
1800 return SSL_R_LENGTH_MISMATCH;
1801 }
1802
1803 /*
1804 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1805 * The spec only requires servers to check that it isn't SSLv3:
1806 * "Any endpoint receiving a Hello message with
1807 * ClientHello.legacy_version or ServerHello.legacy_version set to
1808 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1809 * We are slightly stricter and require that it isn't SSLv3 or lower.
1810 * We tolerate TLSv1 and TLSv1.1.
1811 */
1812 if (client_version <= SSL3_VERSION)
1813 return SSL_R_BAD_LEGACY_VERSION;
1814
1815 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1816 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1817 continue;
1818 if (ssl_version_supported(s, candidate_vers, &best_method))
1819 best_vers = candidate_vers;
1820 }
1821 if (PACKET_remaining(&versionslist) != 0) {
1822 /* Trailing data? */
1823 return SSL_R_LENGTH_MISMATCH;
1824 }
1825
1826 if (best_vers > 0) {
1827 if (s->hello_retry_request != SSL_HRR_NONE) {
1828 /*
1829 * This is after a HelloRetryRequest so we better check that we
1830 * negotiated TLSv1.3
1831 */
1832 if (best_vers != TLS1_3_VERSION)
1833 return SSL_R_UNSUPPORTED_PROTOCOL;
1834 return 0;
1835 }
1836 check_for_downgrade(s, best_vers, dgrd);
1837 s->version = best_vers;
1838 s->method = best_method;
1839 return 0;
1840 }
1841 return SSL_R_UNSUPPORTED_PROTOCOL;
1842 }
1843
1844 /*
1845 * If the supported versions extension isn't present, then the highest
1846 * version we can negotiate is TLSv1.2
1847 */
1848 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1849 client_version = TLS1_2_VERSION;
1850
1851 /*
1852 * No supported versions extension, so we just use the version supplied in
1853 * the ClientHello.
1854 */
1855 for (vent = table; vent->version != 0; ++vent) {
1856 const SSL_METHOD *method;
1857
1858 if (vent->smeth == NULL ||
1859 version_cmp(s, client_version, vent->version) < 0)
1860 continue;
1861 method = vent->smeth();
1862 if (ssl_method_error(s, method) == 0) {
1863 check_for_downgrade(s, vent->version, dgrd);
1864 s->version = vent->version;
1865 s->method = method;
1866 return 0;
1867 }
1868 disabled = 1;
1869 }
1870 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1871 }
1872
1873 /*
1874 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1875 * server HELLO is received to select the final client protocol version and
1876 * the version specific method.
1877 *
1878 * @s: client SSL handle.
1879 * @version: The proposed version from the server's HELLO.
1880 * @extensions: The extensions received
1881 *
1882 * Returns 1 on success or 0 on error.
1883 */
1884 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1885 {
1886 const version_info *vent;
1887 const version_info *table;
1888 int ret, ver_min, ver_max, real_max, origv;
1889
1890 origv = s->version;
1891 s->version = version;
1892
1893 /* This will overwrite s->version if the extension is present */
1894 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1895 SSL_EXT_TLS1_2_SERVER_HELLO
1896 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1897 NULL, 0)) {
1898 s->version = origv;
1899 return 0;
1900 }
1901
1902 if (s->hello_retry_request != SSL_HRR_NONE
1903 && s->version != TLS1_3_VERSION) {
1904 s->version = origv;
1905 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1906 SSL_R_WRONG_SSL_VERSION);
1907 return 0;
1908 }
1909
1910 switch (s->method->version) {
1911 default:
1912 if (s->version != s->method->version) {
1913 s->version = origv;
1914 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1915 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1916 SSL_R_WRONG_SSL_VERSION);
1917 return 0;
1918 }
1919 /*
1920 * If this SSL handle is not from a version flexible method we don't
1921 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1922 * that's OK. It is up to the caller to not choose fixed protocol
1923 * versions they don't want. If not, then easy to fix, just return
1924 * ssl_method_error(s, s->method)
1925 */
1926 return 1;
1927 case TLS_ANY_VERSION:
1928 table = tls_version_table;
1929 break;
1930 case DTLS_ANY_VERSION:
1931 table = dtls_version_table;
1932 break;
1933 }
1934
1935 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1936 if (ret != 0) {
1937 s->version = origv;
1938 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1939 SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
1940 return 0;
1941 }
1942 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1943 : s->version < ver_min) {
1944 s->version = origv;
1945 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1946 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1947 return 0;
1948 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1949 : s->version > ver_max) {
1950 s->version = origv;
1951 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1952 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1953 return 0;
1954 }
1955
1956 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1957 real_max = ver_max;
1958
1959 /* Check for downgrades */
1960 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1961 if (memcmp(tls12downgrade,
1962 s->s3.server_random + SSL3_RANDOM_SIZE
1963 - sizeof(tls12downgrade),
1964 sizeof(tls12downgrade)) == 0) {
1965 s->version = origv;
1966 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1967 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1968 SSL_R_INAPPROPRIATE_FALLBACK);
1969 return 0;
1970 }
1971 } else if (!SSL_IS_DTLS(s)
1972 && s->version < TLS1_2_VERSION
1973 && real_max > s->version) {
1974 if (memcmp(tls11downgrade,
1975 s->s3.server_random + SSL3_RANDOM_SIZE
1976 - sizeof(tls11downgrade),
1977 sizeof(tls11downgrade)) == 0) {
1978 s->version = origv;
1979 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1980 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1981 SSL_R_INAPPROPRIATE_FALLBACK);
1982 return 0;
1983 }
1984 }
1985
1986 for (vent = table; vent->version != 0; ++vent) {
1987 if (vent->cmeth == NULL || s->version != vent->version)
1988 continue;
1989
1990 s->method = vent->cmeth();
1991 return 1;
1992 }
1993
1994 s->version = origv;
1995 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1996 SSL_R_UNSUPPORTED_PROTOCOL);
1997 return 0;
1998 }
1999
2000 /*
2001 * ssl_get_min_max_version - get minimum and maximum protocol version
2002 * @s: The SSL connection
2003 * @min_version: The minimum supported version
2004 * @max_version: The maximum supported version
2005 * @real_max: The highest version below the lowest compile time version hole
2006 * where that hole lies above at least one run-time enabled
2007 * protocol.
2008 *
2009 * Work out what version we should be using for the initial ClientHello if the
2010 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2011 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2012 * constraints and any floor imposed by the security level here,
2013 * so we don't advertise the wrong protocol version to only reject the outcome later.
2014 *
2015 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2016 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2017 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2018 *
2019 * Returns 0 on success or an SSL error reason number on failure. On failure
2020 * min_version and max_version will also be set to 0.
2021 */
2022 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2023 int *real_max)
2024 {
2025 int version, tmp_real_max;
2026 int hole;
2027 const SSL_METHOD *single = NULL;
2028 const SSL_METHOD *method;
2029 const version_info *table;
2030 const version_info *vent;
2031
2032 switch (s->method->version) {
2033 default:
2034 /*
2035 * If this SSL handle is not from a version flexible method we don't
2036 * (and never did) check min/max FIPS or Suite B constraints. Hope
2037 * that's OK. It is up to the caller to not choose fixed protocol
2038 * versions they don't want. If not, then easy to fix, just return
2039 * ssl_method_error(s, s->method)
2040 */
2041 *min_version = *max_version = s->version;
2042 /*
2043 * Providing a real_max only makes sense where we're using a version
2044 * flexible method.
2045 */
2046 if (!ossl_assert(real_max == NULL))
2047 return ERR_R_INTERNAL_ERROR;
2048 return 0;
2049 case TLS_ANY_VERSION:
2050 table = tls_version_table;
2051 break;
2052 case DTLS_ANY_VERSION:
2053 table = dtls_version_table;
2054 break;
2055 }
2056
2057 /*
2058 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2059 * below X enabled. This is required in order to maintain the "version
2060 * capability" vector contiguous. Any versions with a NULL client method
2061 * (protocol version client is disabled at compile-time) is also a "hole".
2062 *
2063 * Our initial state is hole == 1, version == 0. That is, versions above
2064 * the first version in the method table are disabled (a "hole" above
2065 * the valid protocol entries) and we don't have a selected version yet.
2066 *
2067 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2068 * the selected version, and the method becomes a candidate "single"
2069 * method. We're no longer in a hole, so "hole" becomes 0.
2070 *
2071 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2072 * as we support a contiguous range of at least two methods. If we hit
2073 * a disabled method, then hole becomes true again, but nothing else
2074 * changes yet, because all the remaining methods may be disabled too.
2075 * If we again hit an enabled method after the new hole, it becomes
2076 * selected, as we start from scratch.
2077 */
2078 *min_version = version = 0;
2079 hole = 1;
2080 if (real_max != NULL)
2081 *real_max = 0;
2082 tmp_real_max = 0;
2083 for (vent = table; vent->version != 0; ++vent) {
2084 /*
2085 * A table entry with a NULL client method is still a hole in the
2086 * "version capability" vector.
2087 */
2088 if (vent->cmeth == NULL) {
2089 hole = 1;
2090 tmp_real_max = 0;
2091 continue;
2092 }
2093 method = vent->cmeth();
2094
2095 if (hole == 1 && tmp_real_max == 0)
2096 tmp_real_max = vent->version;
2097
2098 if (ssl_method_error(s, method) != 0) {
2099 hole = 1;
2100 } else if (!hole) {
2101 single = NULL;
2102 *min_version = method->version;
2103 } else {
2104 if (real_max != NULL && tmp_real_max != 0)
2105 *real_max = tmp_real_max;
2106 version = (single = method)->version;
2107 *min_version = version;
2108 hole = 0;
2109 }
2110 }
2111
2112 *max_version = version;
2113
2114 /* Fail if everything is disabled */
2115 if (version == 0)
2116 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2117
2118 return 0;
2119 }
2120
2121 /*
2122 * ssl_set_client_hello_version - Work out what version we should be using for
2123 * the initial ClientHello.legacy_version field.
2124 *
2125 * @s: client SSL handle.
2126 *
2127 * Returns 0 on success or an SSL error reason number on failure.
2128 */
2129 int ssl_set_client_hello_version(SSL *s)
2130 {
2131 int ver_min, ver_max, ret;
2132
2133 /*
2134 * In a renegotiation we always send the same client_version that we sent
2135 * last time, regardless of which version we eventually negotiated.
2136 */
2137 if (!SSL_IS_FIRST_HANDSHAKE(s))
2138 return 0;
2139
2140 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2141
2142 if (ret != 0)
2143 return ret;
2144
2145 s->version = ver_max;
2146
2147 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2148 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2149 ver_max = TLS1_2_VERSION;
2150
2151 s->client_version = ver_max;
2152 return 0;
2153 }
2154
2155 /*
2156 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2157 * and |checkallow| is 1 then additionally check if the group is allowed to be
2158 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2159 * 1) or 0 otherwise.
2160 */
2161 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2162 size_t num_groups, int checkallow)
2163 {
2164 size_t i;
2165
2166 if (groups == NULL || num_groups == 0)
2167 return 0;
2168
2169 for (i = 0; i < num_groups; i++) {
2170 uint16_t group = groups[i];
2171
2172 if (group_id == group
2173 && (!checkallow
2174 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2175 return 1;
2176 }
2177 }
2178
2179 return 0;
2180 }
2181
2182 /* Replace ClientHello1 in the transcript hash with a synthetic message */
2183 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2184 size_t hashlen, const unsigned char *hrr,
2185 size_t hrrlen)
2186 {
2187 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2188 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2189
2190 memset(msghdr, 0, sizeof(msghdr));
2191
2192 if (hashval == NULL) {
2193 hashval = hashvaltmp;
2194 hashlen = 0;
2195 /* Get the hash of the initial ClientHello */
2196 if (!ssl3_digest_cached_records(s, 0)
2197 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2198 &hashlen)) {
2199 /* SSLfatal() already called */
2200 return 0;
2201 }
2202 }
2203
2204 /* Reinitialise the transcript hash */
2205 if (!ssl3_init_finished_mac(s)) {
2206 /* SSLfatal() already called */
2207 return 0;
2208 }
2209
2210 /* Inject the synthetic message_hash message */
2211 msghdr[0] = SSL3_MT_MESSAGE_HASH;
2212 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2213 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2214 || !ssl3_finish_mac(s, hashval, hashlen)) {
2215 /* SSLfatal() already called */
2216 return 0;
2217 }
2218
2219 /*
2220 * Now re-inject the HRR and current message if appropriate (we just deleted
2221 * it when we reinitialised the transcript hash above). Only necessary after
2222 * receiving a ClientHello2 with a cookie.
2223 */
2224 if (hrr != NULL
2225 && (!ssl3_finish_mac(s, hrr, hrrlen)
2226 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2227 s->s3.tmp.message_size
2228 + SSL3_HM_HEADER_LENGTH))) {
2229 /* SSLfatal() already called */
2230 return 0;
2231 }
2232
2233 return 1;
2234 }
2235
2236 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2237 {
2238 return X509_NAME_cmp(*a, *b);
2239 }
2240
2241 int parse_ca_names(SSL *s, PACKET *pkt)
2242 {
2243 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2244 X509_NAME *xn = NULL;
2245 PACKET cadns;
2246
2247 if (ca_sk == NULL) {
2248 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2249 ERR_R_MALLOC_FAILURE);
2250 goto err;
2251 }
2252 /* get the CA RDNs */
2253 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2254 SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
2255 SSL_R_LENGTH_MISMATCH);
2256 goto err;
2257 }
2258
2259 while (PACKET_remaining(&cadns)) {
2260 const unsigned char *namestart, *namebytes;
2261 unsigned int name_len;
2262
2263 if (!PACKET_get_net_2(&cadns, &name_len)
2264 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2265 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2266 SSL_R_LENGTH_MISMATCH);
2267 goto err;
2268 }
2269
2270 namestart = namebytes;
2271 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2272 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2273 ERR_R_ASN1_LIB);
2274 goto err;
2275 }
2276 if (namebytes != (namestart + name_len)) {
2277 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2278 SSL_R_CA_DN_LENGTH_MISMATCH);
2279 goto err;
2280 }
2281
2282 if (!sk_X509_NAME_push(ca_sk, xn)) {
2283 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2284 ERR_R_MALLOC_FAILURE);
2285 goto err;
2286 }
2287 xn = NULL;
2288 }
2289
2290 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2291 s->s3.tmp.peer_ca_names = ca_sk;
2292
2293 return 1;
2294
2295 err:
2296 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2297 X509_NAME_free(xn);
2298 return 0;
2299 }
2300
2301 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2302 {
2303 const STACK_OF(X509_NAME) *ca_sk = NULL;;
2304
2305 if (s->server) {
2306 ca_sk = SSL_get_client_CA_list(s);
2307 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2308 ca_sk = NULL;
2309 }
2310
2311 if (ca_sk == NULL)
2312 ca_sk = SSL_get0_CA_list(s);
2313
2314 return ca_sk;
2315 }
2316
2317 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2318 {
2319 /* Start sub-packet for client CA list */
2320 if (!WPACKET_start_sub_packet_u16(pkt)) {
2321 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2322 ERR_R_INTERNAL_ERROR);
2323 return 0;
2324 }
2325
2326 if (ca_sk != NULL) {
2327 int i;
2328
2329 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2330 unsigned char *namebytes;
2331 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2332 int namelen;
2333
2334 if (name == NULL
2335 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2336 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2337 &namebytes)
2338 || i2d_X509_NAME(name, &namebytes) != namelen) {
2339 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2340 ERR_R_INTERNAL_ERROR);
2341 return 0;
2342 }
2343 }
2344 }
2345
2346 if (!WPACKET_close(pkt)) {
2347 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2348 ERR_R_INTERNAL_ERROR);
2349 return 0;
2350 }
2351
2352 return 1;
2353 }
2354
2355 /* Create a buffer containing data to be signed for server key exchange */
2356 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2357 const void *param, size_t paramlen)
2358 {
2359 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2360 unsigned char *tbs = OPENSSL_malloc(tbslen);
2361
2362 if (tbs == NULL) {
2363 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
2364 ERR_R_MALLOC_FAILURE);
2365 return 0;
2366 }
2367 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2368 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2369
2370 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2371
2372 *ptbs = tbs;
2373 return tbslen;
2374 }
2375
2376 /*
2377 * Saves the current handshake digest for Post-Handshake Auth,
2378 * Done after ClientFinished is processed, done exactly once
2379 */
2380 int tls13_save_handshake_digest_for_pha(SSL *s)
2381 {
2382 if (s->pha_dgst == NULL) {
2383 if (!ssl3_digest_cached_records(s, 1))
2384 /* SSLfatal() already called */
2385 return 0;
2386
2387 s->pha_dgst = EVP_MD_CTX_new();
2388 if (s->pha_dgst == NULL) {
2389 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2390 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2391 ERR_R_INTERNAL_ERROR);
2392 return 0;
2393 }
2394 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2395 s->s3.handshake_dgst)) {
2396 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2397 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2398 ERR_R_INTERNAL_ERROR);
2399 return 0;
2400 }
2401 }
2402 return 1;
2403 }
2404
2405 /*
2406 * Restores the Post-Handshake Auth handshake digest
2407 * Done just before sending/processing the Cert Request
2408 */
2409 int tls13_restore_handshake_digest_for_pha(SSL *s)
2410 {
2411 if (s->pha_dgst == NULL) {
2412 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2413 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2414 ERR_R_INTERNAL_ERROR);
2415 return 0;
2416 }
2417 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2418 s->pha_dgst)) {
2419 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2420 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2421 ERR_R_INTERNAL_ERROR);
2422 return 0;
2423 }
2424 return 1;
2425 }
A mirror of the official openssl repository