/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/trace.h>
+#include <openssl/encoder.h>
/*
* Map error codes to TLS/SSL alart types.
0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
};
+int ossl_statem_set_mutator(SSL *s,
+ ossl_statem_mutate_handshake_cb mutate_handshake_cb,
+ ossl_statem_finish_mutate_handshake_cb finish_mutate_handshake_cb,
+ void *mutatearg)
+{
+ SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+
+ if (sc == NULL)
+ return 0;
+
+ sc->statem.mutate_handshake_cb = mutate_handshake_cb;
+ sc->statem.mutatearg = mutatearg;
+ sc->statem.finish_mutate_handshake_cb = finish_mutate_handshake_cb;
+
+ return 1;
+}
+
/*
* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
* SSL3_RT_CHANGE_CIPHER_SPEC)
size_t written = 0;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
+ /*
+ * If we're running the test suite then we may need to mutate the message
+ * we've been asked to write. Does not happen in normal operation.
+ */
+ if (s->statem.mutate_handshake_cb != NULL
+ && !s->statem.write_in_progress
+ && type == SSL3_RT_HANDSHAKE
+ && s->init_num >= SSL3_HM_HEADER_LENGTH) {
+ unsigned char *msg;
+ size_t msglen;
+
+ if (!s->statem.mutate_handshake_cb((unsigned char *)s->init_buf->data,
+ s->init_num,
+ &msg, &msglen,
+ s->statem.mutatearg))
+ return -1;
+ if (msglen < SSL3_HM_HEADER_LENGTH
+ || !BUF_MEM_grow(s->init_buf, msglen))
+ return -1;
+ memcpy(s->init_buf->data, msg, msglen);
+ s->init_num = msglen;
+ s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
+ s->statem.finish_mutate_handshake_cb(s->statem.mutatearg);
+ s->statem.write_in_progress = 1;
+ }
+
ret = ssl3_write_bytes(ssl, type, &s->init_buf->data[s->init_off],
s->init_num, &written);
if (ret < 0)
written))
return -1;
if (written == s->init_num) {
+ s->statem.write_in_progress = 0;
if (s->msg_callback)
s->msg_callback(1, s->version, type, s->init_buf->data,
(size_t)(s->init_off + s->init_num), ssl,
MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
int j;
unsigned int len;
- X509 *peer;
const EVP_MD *md = NULL;
size_t hdatalen = 0;
void *hdata;
goto err;
}
- peer = s->session->peer;
- pkey = X509_get0_pubkey(peer);
+ pkey = tls_get_peer_pkey(s);
if (pkey == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
- if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
+ if (ssl_cert_lookup_by_pkey(pkey, NULL, sctx) == NULL) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
goto err;
size_t md_len;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
int was_first = SSL_IS_FIRST_HANDSHAKE(s);
+ int ok;
/* This is a real handshake so make sure we clean it up at the end */
return MSG_PROCESS_ERROR;
}
- if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
- md_len) != 0) {
+ ok = CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
+ md_len);
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ if (ok != 0) {
+ if ((PACKET_data(pkt)[0] ^ s->s3.tmp.peer_finish_md[0]) != 0xFF) {
+ ok = 0;
+ }
+ }
+#endif
+ if (ok != 0) {
SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
return MSG_PROCESS_ERROR;
}
return 1;
}
+EVP_PKEY* tls_get_peer_pkey(const SSL_CONNECTION *sc)
+{
+ if (sc->session->peer_rpk != NULL)
+ return sc->session->peer_rpk;
+ if (sc->session->peer != NULL)
+ return X509_get0_pubkey(sc->session->peer);
+ return NULL;
+}
+
+int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk)
+{
+ EVP_PKEY *pkey = NULL;
+ int ret = 0;
+ RAW_EXTENSION *rawexts = NULL;
+ PACKET extensions;
+ PACKET context;
+ unsigned long cert_len = 0, spki_len = 0;
+ const unsigned char *spki, *spkistart;
+ SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc);
+
+ /*-
+ * ----------------------------
+ * TLS 1.3 Certificate message:
+ * ----------------------------
+ * https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2
+ *
+ * enum {
+ * X509(0),
+ * RawPublicKey(2),
+ * (255)
+ * } CertificateType;
+ *
+ * struct {
+ * select (certificate_type) {
+ * case RawPublicKey:
+ * // From RFC 7250 ASN.1_subjectPublicKeyInfo
+ * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
+ *
+ * case X509:
+ * opaque cert_data<1..2^24-1>;
+ * };
+ * Extension extensions<0..2^16-1>;
+ * } CertificateEntry;
+ *
+ * struct {
+ * opaque certificate_request_context<0..2^8-1>;
+ * CertificateEntry certificate_list<0..2^24-1>;
+ * } Certificate;
+ *
+ * The client MUST send a Certificate message if and only if the server
+ * has requested client authentication via a CertificateRequest message
+ * (Section 4.3.2). If the server requests client authentication but no
+ * suitable certificate is available, the client MUST send a Certificate
+ * message containing no certificates (i.e., with the "certificate_list"
+ * field having length 0).
+ *
+ * ----------------------------
+ * TLS 1.2 Certificate message:
+ * ----------------------------
+ * https://datatracker.ietf.org/doc/html/rfc7250#section-3
+ *
+ * opaque ASN.1Cert<1..2^24-1>;
+ *
+ * struct {
+ * select(certificate_type){
+ *
+ * // certificate type defined in this document.
+ * case RawPublicKey:
+ * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
+ *
+ * // X.509 certificate defined in RFC 5246
+ * case X.509:
+ * ASN.1Cert certificate_list<0..2^24-1>;
+ *
+ * // Additional certificate type based on
+ * // "TLS Certificate Types" subregistry
+ * };
+ * } Certificate;
+ *
+ * -------------
+ * Consequently:
+ * -------------
+ * After the (TLS 1.3 only) context octet string (1 byte length + data) the
+ * Certificate message has a 3-byte length that is zero in the client to
+ * server message when the client has no RPK to send. In that case, there
+ * are no (TLS 1.3 only) per-certificate extensions either, because the
+ * [CertificateEntry] list is empty.
+ *
+ * In the server to client direction, or when the client had an RPK to send,
+ * the TLS 1.3 message just prepends the length of the RPK+extensions,
+ * while TLS <= 1.2 sends just the RPK (octet-string).
+ *
+ * The context must be zero-length in the server to client direction, and
+ * must match the value recorded in the certificate request in the client
+ * to server direction.
+ */
+ if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (!PACKET_get_length_prefixed_1(pkt, &context)) {
+ SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
+ goto err;
+ }
+ if (sc->server) {
+ if (sc->pha_context == NULL) {
+ if (PACKET_remaining(&context) != 0) {
+ SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
+ goto err;
+ }
+ } else {
+ if (!PACKET_equal(&context, sc->pha_context, sc->pha_context_len)) {
+ SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
+ goto err;
+ }
+ }
+ } else {
+ if (PACKET_remaining(&context) != 0) {
+ SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
+ goto err;
+ }
+ }
+ }
+
+ if (!PACKET_get_net_3(pkt, &cert_len)
+ || PACKET_remaining(pkt) != cert_len) {
+ SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
+ goto err;
+ }
+
+ /*
+ * The list length may be zero when there is no RPK. In the case of TLS
+ * 1.2 this is actually the RPK length, which cannot be zero as specified,
+ * but that breaks the ability of the client to decline client auth. We
+ * overload the 0 RPK length to mean "no RPK". This interpretation is
+ * also used some other (reference?) implementations, but is not supported
+ * by the verbatim RFC7250 text.
+ */
+ if (cert_len == 0)
+ return 1;
+
+ if (SSL_CONNECTION_IS_TLS13(sc)) {
+ /*
+ * With TLS 1.3, a non-empty explicit-length RPK octet-string followed
+ * by a possibly empty extension block.
+ */
+ if (!PACKET_get_net_3(pkt, &spki_len)) {
+ SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
+ goto err;
+ }
+ if (spki_len == 0) {
+ /* empty RPK */
+ SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_EMPTY_RAW_PUBLIC_KEY);
+ goto err;
+ }
+ } else {
+ spki_len = cert_len;
+ }
+
+ if (!PACKET_get_bytes(pkt, &spki, spki_len)) {
+ SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
+ goto err;
+ }
+ spkistart = spki;
+ if ((pkey = d2i_PUBKEY_ex(NULL, &spki, spki_len, sctx->libctx, sctx->propq)) == NULL
+ || spki != (spkistart + spki_len)) {
+ SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
+ goto err;
+ }
+ if (EVP_PKEY_missing_parameters(pkey)) {
+ SSLfatal(sc, SSL_AD_INTERNAL_ERROR,
+ SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
+ goto err;
+ }
+
+ /* Process the Extensions block */
+ if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (PACKET_remaining(pkt) != (cert_len - 3 - spki_len)) {
+ SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
+ goto err;
+ }
+ if (!PACKET_as_length_prefixed_2(pkt, &extensions)
+ || PACKET_remaining(pkt) != 0) {
+ SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
+ goto err;
+ }
+ if (!tls_collect_extensions(sc, &extensions, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY,
+ &rawexts, NULL, 1)) {
+ /* SSLfatal already called */
+ goto err;
+ }
+ /* chain index is always zero and fin always 1 for RPK */
+ if (!tls_parse_all_extensions(sc, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY,
+ rawexts, NULL, 0, 1)) {
+ /* SSLfatal already called */
+ goto err;
+ }
+ }
+ ret = 1;
+ if (peer_rpk != NULL) {
+ *peer_rpk = pkey;
+ pkey = NULL;
+ }
+
+ err:
+ OPENSSL_free(rawexts);
+ EVP_PKEY_free(pkey);
+ return ret;
+}
+
+unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk)
+{
+ int pdata_len = 0;
+ unsigned char *pdata = NULL;
+ X509_PUBKEY *xpk = NULL;
+ unsigned long ret = 0;
+ X509 *x509 = NULL;
+
+ if (cpk != NULL && cpk->x509 != NULL) {
+ x509 = cpk->x509;
+ /* Get the RPK from the certificate */
+ xpk = X509_get_X509_PUBKEY(cpk->x509);
+ if (xpk == NULL) {
+ SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ pdata_len = i2d_X509_PUBKEY(xpk, &pdata);
+ } else if (cpk != NULL && cpk->privatekey != NULL) {
+ /* Get the RPK from the private key */
+ pdata_len = i2d_PUBKEY(cpk->privatekey, &pdata);
+ } else {
+ /* The server RPK is not optional */
+ if (sc->server) {
+ SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ /* The client can send a zero length certificate list */
+ if (!WPACKET_sub_memcpy_u24(pkt, pdata, pdata_len)) {
+ SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ return 1;
+ }
+
+ if (pdata_len <= 0) {
+ SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+
+ /*
+ * TLSv1.2 is _just_ the raw public key
+ * TLSv1.3 includes extensions, so there's a length wrapper
+ */
+ if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (!WPACKET_start_sub_packet_u24(pkt)) {
+ SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ }
+
+ if (!WPACKET_sub_memcpy_u24(pkt, pdata, pdata_len)) {
+ SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+
+ if (SSL_CONNECTION_IS_TLS13(sc)) {
+ /*
+ * Only send extensions relevent to raw public keys. Until such
+ * extensions are defined, this will be an empty set of extensions.
+ * |x509| may be NULL, which raw public-key extensions need to handle.
+ */
+ if (!tls_construct_extensions(sc, pkt, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY,
+ x509, 0)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+ if (!WPACKET_close(pkt)) {
+ SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ }
+
+ ret = 1;
+ err:
+ OPENSSL_free(pdata);
+ return ret;
+}
+
unsigned long ssl3_output_cert_chain(SSL_CONNECTION *s, WPACKET *pkt,
CERT_PKEY *cpk, int for_comp)
{
*/
static int is_tls13_capable(const SSL_CONNECTION *s)
{
- int i;
+ size_t i;
int curve;
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
return 1;
- for (i = 0; i < SSL_PKEY_NUM; i++) {
+ /* All provider-based sig algs are required to support at least TLS1.3 */
+ for (i = 0; i < s->ssl_pkey_num; i++) {
/* Skip over certs disallowed for TLSv1.3 */
switch (i) {
case SSL_PKEY_DSA_SIGN: