1 /*
2 * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include <limits.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/objects.h>
19 #include <openssl/evp.h>
20 #include <openssl/rsa.h>
21 #include <openssl/x509.h>
22 #include <openssl/trace.h>
23
24 /*
25 * Map error codes to TLS/SSL alart types.
26 */
27 typedef struct x509err2alert_st {
28 int x509err;
29 int alert;
30 } X509ERR2ALERT;
31
32 /* Fixed value used in the ServerHello random field to identify an HRR */
33 const unsigned char hrrrandom[] = {
34 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37 };
38
39 /*
40 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41 * SSL3_RT_CHANGE_CIPHER_SPEC)
42 */
ssl3_do_write(SSL * s,int type)43 int ssl3_do_write(SSL *s, int type)
44 {
45 int ret;
46 size_t written = 0;
47
48 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
49 s->init_num, &written);
50 if (ret <= 0)
51 return -1;
52 if (type == SSL3_RT_HANDSHAKE)
53 /*
54 * should not be done for 'Hello Request's, but in that case we'll
55 * ignore the result anyway
56 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
57 */
58 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
59 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
60 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
61 if (!ssl3_finish_mac(s,
62 (unsigned char *)&s->init_buf->data[s->init_off],
63 written))
64 return -1;
65 if (written == s->init_num) {
66 if (s->msg_callback)
67 s->msg_callback(1, s->version, type, s->init_buf->data,
68 (size_t)(s->init_off + s->init_num), s,
69 s->msg_callback_arg);
70 return 1;
71 }
72 s->init_off += written;
73 s->init_num -= written;
74 return 0;
75 }
76
tls_close_construct_packet(SSL * s,WPACKET * pkt,int htype)77 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
78 {
79 size_t msglen;
80
81 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
82 || !WPACKET_get_length(pkt, &msglen)
83 || msglen > INT_MAX)
84 return 0;
85 s->init_num = (int)msglen;
86 s->init_off = 0;
87
88 return 1;
89 }
90
tls_setup_handshake(SSL * s)91 int tls_setup_handshake(SSL *s)
92 {
93 int ver_min, ver_max, ok;
94
95 if (!ssl3_init_finished_mac(s)) {
96 /* SSLfatal() already called */
97 return 0;
98 }
99
100 /* Reset any extension flags */
101 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
102
103 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
104 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
105 return 0;
106 }
107
108 /* Sanity check that we have MD5-SHA1 if we need it */
109 if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
110 int md5sha1_needed = 0;
111
112 /* We don't have MD5-SHA1 - do we need it? */
113 if (SSL_IS_DTLS(s)) {
114 if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
115 md5sha1_needed = 1;
116 } else {
117 if (ver_max <= TLS1_1_VERSION)
118 md5sha1_needed = 1;
119 }
120 if (md5sha1_needed) {
121 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
122 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
123 "The max supported SSL/TLS version needs the"
124 " MD5-SHA1 digest but it is not available"
125 " in the loaded providers. Use (D)TLSv1.2 or"
126 " above, or load different providers");
127 return 0;
128 }
129
130 ok = 1;
131 /* Don't allow TLSv1.1 or below to be negotiated */
132 if (SSL_IS_DTLS(s)) {
133 if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
134 ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION);
135 } else {
136 if (ver_min < TLS1_2_VERSION)
137 ok = SSL_set_min_proto_version(s, TLS1_2_VERSION);
138 }
139 if (!ok) {
140 /* Shouldn't happen */
141 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
142 return 0;
143 }
144 }
145
146 ok = 0;
147 if (s->server) {
148 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
149 int i;
150
151 /*
152 * Sanity check that the maximum version we accept has ciphers
153 * enabled. For clients we do this check during construction of the
154 * ClientHello.
155 */
156 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
157 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
158
159 if (SSL_IS_DTLS(s)) {
160 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
161 DTLS_VERSION_LE(ver_max, c->max_dtls))
162 ok = 1;
163 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
164 ok = 1;
165 }
166 if (ok)
167 break;
168 }
169 if (!ok) {
170 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
171 SSL_R_NO_CIPHERS_AVAILABLE,
172 "No ciphers enabled for max supported "
173 "SSL/TLS version");
174 return 0;
175 }
176 if (SSL_IS_FIRST_HANDSHAKE(s)) {
177 /* N.B. s->session_ctx == s->ctx here */
178 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
179 } else {
180 /* N.B. s->ctx may not equal s->session_ctx */
181 ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_renegotiate);
182
183 s->s3.tmp.cert_request = 0;
184 }
185 } else {
186 if (SSL_IS_FIRST_HANDSHAKE(s))
187 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
188 else
189 ssl_tsan_counter(s->session_ctx,
190 &s->session_ctx->stats.sess_connect_renegotiate);
191
192 /* mark client_random uninitialized */
193 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
194 s->hit = 0;
195
196 s->s3.tmp.cert_req = 0;
197
198 if (SSL_IS_DTLS(s))
199 s->statem.use_timer = 1;
200 }
201
202 return 1;
203 }
204
205 /*
206 * Size of the to-be-signed TLS13 data, without the hash size itself:
207 * 64 bytes of value 32, 33 context bytes, 1 byte separator
208 */
209 #define TLS13_TBS_START_SIZE 64
210 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
211
get_cert_verify_tbs_data(SSL * s,unsigned char * tls13tbs,void ** hdata,size_t * hdatalen)212 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
213 void **hdata, size_t *hdatalen)
214 {
215 #ifdef CHARSET_EBCDIC
216 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
217 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
218 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
219 0x69, 0x66, 0x79, 0x00 };
220 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
221 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
222 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
223 0x69, 0x66, 0x79, 0x00 };
224 #else
225 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
226 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
227 #endif
228 if (SSL_IS_TLS13(s)) {
229 size_t hashlen;
230
231 /* Set the first 64 bytes of to-be-signed data to octet 32 */
232 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
233 /* This copies the 33 bytes of context plus the 0 separator byte */
234 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
235 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
236 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
237 else
238 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
239
240 /*
241 * If we're currently reading then we need to use the saved handshake
242 * hash value. We can't use the current handshake hash state because
243 * that includes the CertVerify itself.
244 */
245 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
246 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
247 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
248 s->cert_verify_hash_len);
249 hashlen = s->cert_verify_hash_len;
250 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
251 EVP_MAX_MD_SIZE, &hashlen)) {
252 /* SSLfatal() already called */
253 return 0;
254 }
255
256 *hdata = tls13tbs;
257 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
258 } else {
259 size_t retlen;
260 long retlen_l;
261
262 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
263 if (retlen_l <= 0) {
264 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
265 return 0;
266 }
267 *hdatalen = retlen;
268 }
269
270 return 1;
271 }
272
tls_construct_cert_verify(SSL * s,WPACKET * pkt)273 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
274 {
275 EVP_PKEY *pkey = NULL;
276 const EVP_MD *md = NULL;
277 EVP_MD_CTX *mctx = NULL;
278 EVP_PKEY_CTX *pctx = NULL;
279 size_t hdatalen = 0, siglen = 0;
280 void *hdata;
281 unsigned char *sig = NULL;
282 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
283 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
284
285 if (lu == NULL || s->s3.tmp.cert == NULL) {
286 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
287 goto err;
288 }
289 pkey = s->s3.tmp.cert->privatekey;
290
291 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
292 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
293 goto err;
294 }
295
296 mctx = EVP_MD_CTX_new();
297 if (mctx == NULL) {
298 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
299 goto err;
300 }
301
302 /* Get the data to be signed */
303 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
304 /* SSLfatal() already called */
305 goto err;
306 }
307
308 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
309 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
310 goto err;
311 }
312
313 if (EVP_DigestSignInit_ex(mctx, &pctx,
314 md == NULL ? NULL : EVP_MD_get0_name(md),
315 s->ctx->libctx, s->ctx->propq, pkey,
316 NULL) <= 0) {
317 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
318 goto err;
319 }
320
321 if (lu->sig == EVP_PKEY_RSA_PSS) {
322 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
323 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
324 RSA_PSS_SALTLEN_DIGEST) <= 0) {
325 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
326 goto err;
327 }
328 }
329 if (s->version == SSL3_VERSION) {
330 /*
331 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
332 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
333 */
334 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
335 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
336 (int)s->session->master_key_length,
337 s->session->master_key) <= 0
338 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
339
340 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
341 goto err;
342 }
343 sig = OPENSSL_malloc(siglen);
344 if (sig == NULL
345 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
346 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
347 goto err;
348 }
349 } else {
350 /*
351 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
352 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
353 */
354 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
355 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
356 goto err;
357 }
358 sig = OPENSSL_malloc(siglen);
359 if (sig == NULL
360 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
362 goto err;
363 }
364 }
365
366 #ifndef OPENSSL_NO_GOST
367 {
368 int pktype = lu->sig;
369
370 if (pktype == NID_id_GostR3410_2001
371 || pktype == NID_id_GostR3410_2012_256
372 || pktype == NID_id_GostR3410_2012_512)
373 BUF_reverse(sig, NULL, siglen);
374 }
375 #endif
376
377 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
378 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
379 goto err;
380 }
381
382 /* Digest cached records and discard handshake buffer */
383 if (!ssl3_digest_cached_records(s, 0)) {
384 /* SSLfatal() already called */
385 goto err;
386 }
387
388 OPENSSL_free(sig);
389 EVP_MD_CTX_free(mctx);
390 return 1;
391 err:
392 OPENSSL_free(sig);
393 EVP_MD_CTX_free(mctx);
394 return 0;
395 }
396
tls_process_cert_verify(SSL * s,PACKET * pkt)397 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
398 {
399 EVP_PKEY *pkey = NULL;
400 const unsigned char *data;
401 #ifndef OPENSSL_NO_GOST
402 unsigned char *gost_data = NULL;
403 #endif
404 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
405 int j;
406 unsigned int len;
407 X509 *peer;
408 const EVP_MD *md = NULL;
409 size_t hdatalen = 0;
410 void *hdata;
411 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
412 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
413 EVP_PKEY_CTX *pctx = NULL;
414
415 if (mctx == NULL) {
416 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
417 goto err;
418 }
419
420 peer = s->session->peer;
421 pkey = X509_get0_pubkey(peer);
422 if (pkey == NULL) {
423 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
424 goto err;
425 }
426
427 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
428 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
429 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
430 goto err;
431 }
432
433 if (SSL_USE_SIGALGS(s)) {
434 unsigned int sigalg;
435
436 if (!PACKET_get_net_2(pkt, &sigalg)) {
437 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
438 goto err;
439 }
440 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
441 /* SSLfatal() already called */
442 goto err;
443 }
444 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
445 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
446 SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);
447 goto err;
448 }
449
450 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
451 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
452 goto err;
453 }
454
455 if (SSL_USE_SIGALGS(s))
456 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
457 md == NULL ? "n/a" : EVP_MD_get0_name(md));
458
459 /* Check for broken implementations of GOST ciphersuites */
460 /*
461 * If key is GOST and len is exactly 64 or 128, it is signature without
462 * length field (CryptoPro implementations at least till TLS 1.2)
463 */
464 #ifndef OPENSSL_NO_GOST
465 if (!SSL_USE_SIGALGS(s)
466 && ((PACKET_remaining(pkt) == 64
467 && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
468 || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
469 || (PACKET_remaining(pkt) == 128
470 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
471 len = PACKET_remaining(pkt);
472 } else
473 #endif
474 if (!PACKET_get_net_2(pkt, &len)) {
475 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
476 goto err;
477 }
478
479 if (!PACKET_get_bytes(pkt, &data, len)) {
480 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
481 goto err;
482 }
483
484 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
485 /* SSLfatal() already called */
486 goto err;
487 }
488
489 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
490 md == NULL ? "n/a" : EVP_MD_get0_name(md));
491
492 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
493 md == NULL ? NULL : EVP_MD_get0_name(md),
494 s->ctx->libctx, s->ctx->propq, pkey,
495 NULL) <= 0) {
496 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
497 goto err;
498 }
499 #ifndef OPENSSL_NO_GOST
500 {
501 int pktype = EVP_PKEY_get_id(pkey);
502 if (pktype == NID_id_GostR3410_2001
503 || pktype == NID_id_GostR3410_2012_256
504 || pktype == NID_id_GostR3410_2012_512) {
505 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
506 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
507 goto err;
508 }
509 BUF_reverse(gost_data, data, len);
510 data = gost_data;
511 }
512 }
513 #endif
514
515 if (SSL_USE_PSS(s)) {
516 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
517 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
518 RSA_PSS_SALTLEN_DIGEST) <= 0) {
519 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
520 goto err;
521 }
522 }
523 if (s->version == SSL3_VERSION) {
524 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
525 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
526 (int)s->session->master_key_length,
527 s->session->master_key) <= 0) {
528 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
529 goto err;
530 }
531 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
532 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
533 goto err;
534 }
535 } else {
536 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
537 if (j <= 0) {
538 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
539 goto err;
540 }
541 }
542
543 /*
544 * In TLSv1.3 on the client side we make sure we prepare the client
545 * certificate after the CertVerify instead of when we get the
546 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
547 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
548 * want to make sure that SSL_get1_peer_certificate() will return the actual
549 * server certificate from the client_cert_cb callback.
550 */
551 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
552 ret = MSG_PROCESS_CONTINUE_PROCESSING;
553 else
554 ret = MSG_PROCESS_CONTINUE_READING;
555 err:
556 BIO_free(s->s3.handshake_buffer);
557 s->s3.handshake_buffer = NULL;
558 EVP_MD_CTX_free(mctx);
559 #ifndef OPENSSL_NO_GOST
560 OPENSSL_free(gost_data);
561 #endif
562 return ret;
563 }
564
tls_construct_finished(SSL * s,WPACKET * pkt)565 int tls_construct_finished(SSL *s, WPACKET *pkt)
566 {
567 size_t finish_md_len;
568 const char *sender;
569 size_t slen;
570
571 /* This is a real handshake so make sure we clean it up at the end */
572 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
573 s->statem.cleanuphand = 1;
574
575 /*
576 * We only change the keys if we didn't already do this when we sent the
577 * client certificate
578 */
579 if (SSL_IS_TLS13(s)
580 && !s->server
581 && s->s3.tmp.cert_req == 0
582 && (!s->method->ssl3_enc->change_cipher_state(s,
583 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
584 /* SSLfatal() already called */
585 return 0;
586 }
587
588 if (s->server) {
589 sender = s->method->ssl3_enc->server_finished_label;
590 slen = s->method->ssl3_enc->server_finished_label_len;
591 } else {
592 sender = s->method->ssl3_enc->client_finished_label;
593 slen = s->method->ssl3_enc->client_finished_label_len;
594 }
595
596 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
597 sender, slen,
598 s->s3.tmp.finish_md);
599 if (finish_md_len == 0) {
600 /* SSLfatal() already called */
601 return 0;
602 }
603
604 s->s3.tmp.finish_md_len = finish_md_len;
605
606 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
607 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
608 return 0;
609 }
610
611 /*
612 * Log the master secret, if logging is enabled. We don't log it for
613 * TLSv1.3: there's a different key schedule for that.
614 */
615 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
616 s->session->master_key,
617 s->session->master_key_length)) {
618 /* SSLfatal() already called */
619 return 0;
620 }
621
622 /*
623 * Copy the finished so we can use it for renegotiation checks
624 */
625 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
626 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
627 return 0;
628 }
629 if (!s->server) {
630 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
631 finish_md_len);
632 s->s3.previous_client_finished_len = finish_md_len;
633 } else {
634 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
635 finish_md_len);
636 s->s3.previous_server_finished_len = finish_md_len;
637 }
638
639 return 1;
640 }
641
tls_construct_key_update(SSL * s,WPACKET * pkt)642 int tls_construct_key_update(SSL *s, WPACKET *pkt)
643 {
644 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
645 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
646 return 0;
647 }
648
649 s->key_update = SSL_KEY_UPDATE_NONE;
650 return 1;
651 }
652
tls_process_key_update(SSL * s,PACKET * pkt)653 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
654 {
655 unsigned int updatetype;
656
657 /*
658 * A KeyUpdate message signals a key change so the end of the message must
659 * be on a record boundary.
660 */
661 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
662 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
663 return MSG_PROCESS_ERROR;
664 }
665
666 if (!PACKET_get_1(pkt, &updatetype)
667 || PACKET_remaining(pkt) != 0) {
668 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
669 return MSG_PROCESS_ERROR;
670 }
671
672 /*
673 * There are only two defined key update types. Fail if we get a value we
674 * didn't recognise.
675 */
676 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
677 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
678 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
679 return MSG_PROCESS_ERROR;
680 }
681
682 /*
683 * If we get a request for us to update our sending keys too then, we need
684 * to additionally send a KeyUpdate message. However that message should
685 * not also request an update (otherwise we get into an infinite loop).
686 */
687 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
688 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
689
690 if (!tls13_update_key(s, 0)) {
691 /* SSLfatal() already called */
692 return MSG_PROCESS_ERROR;
693 }
694
695 return MSG_PROCESS_FINISHED_READING;
696 }
697
698 /*
699 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
700 * to far.
701 */
ssl3_take_mac(SSL * s)702 int ssl3_take_mac(SSL *s)
703 {
704 const char *sender;
705 size_t slen;
706
707 if (!s->server) {
708 sender = s->method->ssl3_enc->server_finished_label;
709 slen = s->method->ssl3_enc->server_finished_label_len;
710 } else {
711 sender = s->method->ssl3_enc->client_finished_label;
712 slen = s->method->ssl3_enc->client_finished_label_len;
713 }
714
715 s->s3.tmp.peer_finish_md_len =
716 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
717 s->s3.tmp.peer_finish_md);
718
719 if (s->s3.tmp.peer_finish_md_len == 0) {
720 /* SSLfatal() already called */
721 return 0;
722 }
723
724 return 1;
725 }
726
tls_process_change_cipher_spec(SSL * s,PACKET * pkt)727 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
728 {
729 size_t remain;
730
731 remain = PACKET_remaining(pkt);
732 /*
733 * 'Change Cipher Spec' is just a single byte, which should already have
734 * been consumed by ssl_get_message() so there should be no bytes left,
735 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
736 */
737 if (SSL_IS_DTLS(s)) {
738 if ((s->version == DTLS1_BAD_VER
739 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
740 || (s->version != DTLS1_BAD_VER
741 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
742 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
743 return MSG_PROCESS_ERROR;
744 }
745 } else {
746 if (remain != 0) {
747 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
748 return MSG_PROCESS_ERROR;
749 }
750 }
751
752 /* Check we have a cipher to change to */
753 if (s->s3.tmp.new_cipher == NULL) {
754 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
755 return MSG_PROCESS_ERROR;
756 }
757
758 s->s3.change_cipher_spec = 1;
759 if (!ssl3_do_change_cipher_spec(s)) {
760 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
761 return MSG_PROCESS_ERROR;
762 }
763
764 if (SSL_IS_DTLS(s)) {
765 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
766
767 if (s->version == DTLS1_BAD_VER)
768 s->d1->handshake_read_seq++;
769
770 #ifndef OPENSSL_NO_SCTP
771 /*
772 * Remember that a CCS has been received, so that an old key of
773 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
774 * SCTP is used
775 */
776 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
777 #endif
778 }
779
780 return MSG_PROCESS_CONTINUE_READING;
781 }
782
tls_process_finished(SSL * s,PACKET * pkt)783 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
784 {
785 size_t md_len;
786
787
788 /* This is a real handshake so make sure we clean it up at the end */
789 if (s->server) {
790 /*
791 * To get this far we must have read encrypted data from the client. We
792 * no longer tolerate unencrypted alerts. This value is ignored if less
793 * than TLSv1.3
794 */
795 s->statem.enc_read_state = ENC_READ_STATE_VALID;
796 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
797 s->statem.cleanuphand = 1;
798 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
799 /* SSLfatal() already called */
800 return MSG_PROCESS_ERROR;
801 }
802 }
803
804 /*
805 * In TLSv1.3 a Finished message signals a key change so the end of the
806 * message must be on a record boundary.
807 */
808 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
809 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
810 return MSG_PROCESS_ERROR;
811 }
812
813 /* If this occurs, we have missed a message */
814 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
815 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
816 return MSG_PROCESS_ERROR;
817 }
818 s->s3.change_cipher_spec = 0;
819
820 md_len = s->s3.tmp.peer_finish_md_len;
821
822 if (md_len != PACKET_remaining(pkt)) {
823 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
824 return MSG_PROCESS_ERROR;
825 }
826
827 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
828 md_len) != 0) {
829 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
830 return MSG_PROCESS_ERROR;
831 }
832
833 /*
834 * Copy the finished so we can use it for renegotiation checks
835 */
836 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
837 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
838 return MSG_PROCESS_ERROR;
839 }
840 if (s->server) {
841 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
842 md_len);
843 s->s3.previous_client_finished_len = md_len;
844 } else {
845 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
846 md_len);
847 s->s3.previous_server_finished_len = md_len;
848 }
849
850 /*
851 * In TLS1.3 we also have to change cipher state and do any final processing
852 * of the initial server flight (if we are a client)
853 */
854 if (SSL_IS_TLS13(s)) {
855 if (s->server) {
856 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
857 !s->method->ssl3_enc->change_cipher_state(s,
858 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
859 /* SSLfatal() already called */
860 return MSG_PROCESS_ERROR;
861 }
862 } else {
863 /* TLS 1.3 gets the secret size from the handshake md */
864 size_t dummy;
865 if (!s->method->ssl3_enc->generate_master_secret(s,
866 s->master_secret, s->handshake_secret, 0,
867 &dummy)) {
868 /* SSLfatal() already called */
869 return MSG_PROCESS_ERROR;
870 }
871 if (!s->method->ssl3_enc->change_cipher_state(s,
872 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
873 /* SSLfatal() already called */
874 return MSG_PROCESS_ERROR;
875 }
876 if (!tls_process_initial_server_flight(s)) {
877 /* SSLfatal() already called */
878 return MSG_PROCESS_ERROR;
879 }
880 }
881 }
882
883 return MSG_PROCESS_FINISHED_READING;
884 }
885
tls_construct_change_cipher_spec(SSL * s,WPACKET * pkt)886 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
887 {
888 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
889 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
890 return 0;
891 }
892
893 return 1;
894 }
895
896 /* Add a certificate to the WPACKET */
ssl_add_cert_to_wpacket(SSL * s,WPACKET * pkt,X509 * x,int chain)897 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
898 {
899 int len;
900 unsigned char *outbytes;
901
902 len = i2d_X509(x, NULL);
903 if (len < 0) {
904 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
905 return 0;
906 }
907 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
908 || i2d_X509(x, &outbytes) != len) {
909 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
910 return 0;
911 }
912
913 if (SSL_IS_TLS13(s)
914 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
915 chain)) {
916 /* SSLfatal() already called */
917 return 0;
918 }
919
920 return 1;
921 }
922
923 /* Add certificate chain to provided WPACKET */
ssl_add_cert_chain(SSL * s,WPACKET * pkt,CERT_PKEY * cpk)924 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
925 {
926 int i, chain_count;
927 X509 *x;
928 STACK_OF(X509) *extra_certs;
929 STACK_OF(X509) *chain = NULL;
930 X509_STORE *chain_store;
931
932 if (cpk == NULL || cpk->x509 == NULL)
933 return 1;
934
935 x = cpk->x509;
936
937 /*
938 * If we have a certificate specific chain use it, else use parent ctx.
939 */
940 if (cpk->chain != NULL)
941 extra_certs = cpk->chain;
942 else
943 extra_certs = s->ctx->extra_certs;
944
945 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
946 chain_store = NULL;
947 else if (s->cert->chain_store)
948 chain_store = s->cert->chain_store;
949 else
950 chain_store = s->ctx->cert_store;
951
952 if (chain_store != NULL) {
953 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx,
954 s->ctx->propq);
955
956 if (xs_ctx == NULL) {
957 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
958 return 0;
959 }
960 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
961 X509_STORE_CTX_free(xs_ctx);
962 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
963 return 0;
964 }
965 /*
966 * It is valid for the chain not to be complete (because normally we
967 * don't include the root cert in the chain). Therefore we deliberately
968 * ignore the error return from this call. We're not actually verifying
969 * the cert - we're just building as much of the chain as we can
970 */
971 (void)X509_verify_cert(xs_ctx);
972 /* Don't leave errors in the queue */
973 ERR_clear_error();
974 chain = X509_STORE_CTX_get0_chain(xs_ctx);
975 i = ssl_security_cert_chain(s, chain, NULL, 0);
976 if (i != 1) {
977 #if 0
978 /* Dummy error calls so mkerr generates them */
979 ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
980 ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
981 ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
982 #endif
983 X509_STORE_CTX_free(xs_ctx);
984 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
985 return 0;
986 }
987 chain_count = sk_X509_num(chain);
988 for (i = 0; i < chain_count; i++) {
989 x = sk_X509_value(chain, i);
990
991 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
992 /* SSLfatal() already called */
993 X509_STORE_CTX_free(xs_ctx);
994 return 0;
995 }
996 }
997 X509_STORE_CTX_free(xs_ctx);
998 } else {
999 i = ssl_security_cert_chain(s, extra_certs, x, 0);
1000 if (i != 1) {
1001 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
1002 return 0;
1003 }
1004 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1005 /* SSLfatal() already called */
1006 return 0;
1007 }
1008 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1009 x = sk_X509_value(extra_certs, i);
1010 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1011 /* SSLfatal() already called */
1012 return 0;
1013 }
1014 }
1015 }
1016 return 1;
1017 }
1018
ssl3_output_cert_chain(SSL * s,WPACKET * pkt,CERT_PKEY * cpk)1019 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1020 {
1021 if (!WPACKET_start_sub_packet_u24(pkt)) {
1022 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1023 return 0;
1024 }
1025
1026 if (!ssl_add_cert_chain(s, pkt, cpk))
1027 return 0;
1028
1029 if (!WPACKET_close(pkt)) {
1030 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1031 return 0;
1032 }
1033
1034 return 1;
1035 }
1036
1037 /*
1038 * Tidy up after the end of a handshake. In the case of SCTP this may result
1039 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1040 * freed up as well.
1041 */
tls_finish_handshake(SSL * s,ossl_unused WORK_STATE wst,int clearbufs,int stop)1042 WORK_STATE tls_finish_handshake(SSL *s, ossl_unused WORK_STATE wst,
1043 int clearbufs, int stop)
1044 {
1045 void (*cb) (const SSL *ssl, int type, int val) = NULL;
1046 int cleanuphand = s->statem.cleanuphand;
1047
1048 if (clearbufs) {
1049 if (!SSL_IS_DTLS(s)
1050 #ifndef OPENSSL_NO_SCTP
1051 /*
1052 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1053 * messages that require it. Therefore, DTLS procedures for retransmissions
1054 * MUST NOT be used.
1055 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1056 */
1057 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1058 #endif
1059 ) {
1060 /*
1061 * We don't do this in DTLS over UDP because we may still need the init_buf
1062 * in case there are any unexpected retransmits
1063 */
1064 BUF_MEM_free(s->init_buf);
1065 s->init_buf = NULL;
1066 }
1067
1068 if (!ssl_free_wbio_buffer(s)) {
1069 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1070 return WORK_ERROR;
1071 }
1072 s->init_num = 0;
1073 }
1074
1075 if (SSL_IS_TLS13(s) && !s->server
1076 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1077 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1078
1079 /*
1080 * Only set if there was a Finished message and this isn't after a TLSv1.3
1081 * post handshake exchange
1082 */
1083 if (cleanuphand) {
1084 /* skipped if we just sent a HelloRequest */
1085 s->renegotiate = 0;
1086 s->new_session = 0;
1087 s->statem.cleanuphand = 0;
1088 s->ext.ticket_expected = 0;
1089
1090 ssl3_cleanup_key_block(s);
1091
1092 if (s->server) {
1093 /*
1094 * In TLSv1.3 we update the cache as part of constructing the
1095 * NewSessionTicket
1096 */
1097 if (!SSL_IS_TLS13(s))
1098 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1099
1100 /* N.B. s->ctx may not equal s->session_ctx */
1101 ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_good);
1102 s->handshake_func = ossl_statem_accept;
1103 } else {
1104 if (SSL_IS_TLS13(s)) {
1105 /*
1106 * We encourage applications to only use TLSv1.3 tickets once,
1107 * so we remove this one from the cache.
1108 */
1109 if ((s->session_ctx->session_cache_mode
1110 & SSL_SESS_CACHE_CLIENT) != 0)
1111 SSL_CTX_remove_session(s->session_ctx, s->session);
1112 } else {
1113 /*
1114 * In TLSv1.3 we update the cache as part of processing the
1115 * NewSessionTicket
1116 */
1117 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1118 }
1119 if (s->hit)
1120 ssl_tsan_counter(s->session_ctx,
1121 &s->session_ctx->stats.sess_hit);
1122
1123 s->handshake_func = ossl_statem_connect;
1124 ssl_tsan_counter(s->session_ctx,
1125 &s->session_ctx->stats.sess_connect_good);
1126 }
1127
1128 if (SSL_IS_DTLS(s)) {
1129 /* done with handshaking */
1130 s->d1->handshake_read_seq = 0;
1131 s->d1->handshake_write_seq = 0;
1132 s->d1->next_handshake_write_seq = 0;
1133 dtls1_clear_received_buffer(s);
1134 }
1135 }
1136
1137 if (s->info_callback != NULL)
1138 cb = s->info_callback;
1139 else if (s->ctx->info_callback != NULL)
1140 cb = s->ctx->info_callback;
1141
1142 /* The callback may expect us to not be in init at handshake done */
1143 ossl_statem_set_in_init(s, 0);
1144
1145 if (cb != NULL) {
1146 if (cleanuphand
1147 || !SSL_IS_TLS13(s)
1148 || SSL_IS_FIRST_HANDSHAKE(s))
1149 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1150 }
1151
1152 if (!stop) {
1153 /* If we've got more work to do we go back into init */
1154 ossl_statem_set_in_init(s, 1);
1155 return WORK_FINISHED_CONTINUE;
1156 }
1157
1158 return WORK_FINISHED_STOP;
1159 }
1160
tls_get_message_header(SSL * s,int * mt)1161 int tls_get_message_header(SSL *s, int *mt)
1162 {
1163 /* s->init_num < SSL3_HM_HEADER_LENGTH */
1164 int skip_message, i, recvd_type;
1165 unsigned char *p;
1166 size_t l, readbytes;
1167
1168 p = (unsigned char *)s->init_buf->data;
1169
1170 do {
1171 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1172 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1173 &p[s->init_num],
1174 SSL3_HM_HEADER_LENGTH - s->init_num,
1175 0, &readbytes);
1176 if (i <= 0) {
1177 s->rwstate = SSL_READING;
1178 return 0;
1179 }
1180 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1181 /*
1182 * A ChangeCipherSpec must be a single byte and may not occur
1183 * in the middle of a handshake message.
1184 */
1185 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1186 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1187 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1188 return 0;
1189 }
1190 if (s->statem.hand_state == TLS_ST_BEFORE
1191 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1192 /*
1193 * We are stateless and we received a CCS. Probably this is
1194 * from a client between the first and second ClientHellos.
1195 * We should ignore this, but return an error because we do
1196 * not return success until we see the second ClientHello
1197 * with a valid cookie.
1198 */
1199 return 0;
1200 }
1201 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1202 s->init_num = readbytes - 1;
1203 s->init_msg = s->init_buf->data;
1204 s->s3.tmp.message_size = readbytes;
1205 return 1;
1206 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1207 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1208 SSL_R_CCS_RECEIVED_EARLY);
1209 return 0;
1210 }
1211 s->init_num += readbytes;
1212 }
1213
1214 skip_message = 0;
1215 if (!s->server)
1216 if (s->statem.hand_state != TLS_ST_OK
1217 && p[0] == SSL3_MT_HELLO_REQUEST)
1218 /*
1219 * The server may always send 'Hello Request' messages --
1220 * we are doing a handshake anyway now, so ignore them if
1221 * their format is correct. Does not count for 'Finished'
1222 * MAC.
1223 */
1224 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1225 s->init_num = 0;
1226 skip_message = 1;
1227
1228 if (s->msg_callback)
1229 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1230 p, SSL3_HM_HEADER_LENGTH, s,
1231 s->msg_callback_arg);
1232 }
1233 } while (skip_message);
1234 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1235
1236 *mt = *p;
1237 s->s3.tmp.message_type = *(p++);
1238
1239 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1240 /*
1241 * Only happens with SSLv3+ in an SSLv2 backward compatible
1242 * ClientHello
1243 *
1244 * Total message size is the remaining record bytes to read
1245 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1246 */
1247 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1248 + SSL3_HM_HEADER_LENGTH;
1249 s->s3.tmp.message_size = l;
1250
1251 s->init_msg = s->init_buf->data;
1252 s->init_num = SSL3_HM_HEADER_LENGTH;
1253 } else {
1254 n2l3(p, l);
1255 /* BUF_MEM_grow takes an 'int' parameter */
1256 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1257 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1258 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1259 return 0;
1260 }
1261 s->s3.tmp.message_size = l;
1262
1263 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1264 s->init_num = 0;
1265 }
1266
1267 return 1;
1268 }
1269
tls_get_message_body(SSL * s,size_t * len)1270 int tls_get_message_body(SSL *s, size_t *len)
1271 {
1272 size_t n, readbytes;
1273 unsigned char *p;
1274 int i;
1275
1276 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1277 /* We've already read everything in */
1278 *len = (unsigned long)s->init_num;
1279 return 1;
1280 }
1281
1282 p = s->init_msg;
1283 n = s->s3.tmp.message_size - s->init_num;
1284 while (n > 0) {
1285 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1286 &p[s->init_num], n, 0, &readbytes);
1287 if (i <= 0) {
1288 s->rwstate = SSL_READING;
1289 *len = 0;
1290 return 0;
1291 }
1292 s->init_num += readbytes;
1293 n -= readbytes;
1294 }
1295
1296 /*
1297 * If receiving Finished, record MAC of prior handshake messages for
1298 * Finished verification.
1299 */
1300 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1301 /* SSLfatal() already called */
1302 *len = 0;
1303 return 0;
1304 }
1305
1306 /* Feed this message into MAC computation. */
1307 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1308 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1309 s->init_num)) {
1310 /* SSLfatal() already called */
1311 *len = 0;
1312 return 0;
1313 }
1314 if (s->msg_callback)
1315 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1316 (size_t)s->init_num, s, s->msg_callback_arg);
1317 } else {
1318 /*
1319 * We defer feeding in the HRR until later. We'll do it as part of
1320 * processing the message
1321 * The TLsv1.3 handshake transcript stops at the ClientFinished
1322 * message.
1323 */
1324 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1325 /* KeyUpdate and NewSessionTicket do not need to be added */
1326 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1327 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1328 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1329 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1330 || memcmp(hrrrandom,
1331 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1332 SSL3_RANDOM_SIZE) != 0) {
1333 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1334 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1335 /* SSLfatal() already called */
1336 *len = 0;
1337 return 0;
1338 }
1339 }
1340 }
1341 if (s->msg_callback)
1342 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1343 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1344 s->msg_callback_arg);
1345 }
1346
1347 *len = s->init_num;
1348 return 1;
1349 }
1350
1351 static const X509ERR2ALERT x509table[] = {
1352 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1353 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1354 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
1355 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1356 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1357 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1358 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1359 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1360 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1361 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1362 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1363 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1364 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1365 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1366 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1367 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1368 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1369 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1370 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1371 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1372 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1373 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1374 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1375 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1376 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1377 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1378 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1379 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1380 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1381 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1382 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1383 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1384 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1385 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1386 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1387 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1388 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1389 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1390 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1391 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1392
1393 /* Last entry; return this if we don't find the value above. */
1394 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1395 };
1396
ssl_x509err2alert(int x509err)1397 int ssl_x509err2alert(int x509err)
1398 {
1399 const X509ERR2ALERT *tp;
1400
1401 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1402 if (tp->x509err == x509err)
1403 break;
1404 return tp->alert;
1405 }
1406
ssl_allow_compression(SSL * s)1407 int ssl_allow_compression(SSL *s)
1408 {
1409 if (s->options & SSL_OP_NO_COMPRESSION)
1410 return 0;
1411 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1412 }
1413
version_cmp(const SSL * s,int a,int b)1414 static int version_cmp(const SSL *s, int a, int b)
1415 {
1416 int dtls = SSL_IS_DTLS(s);
1417
1418 if (a == b)
1419 return 0;
1420 if (!dtls)
1421 return a < b ? -1 : 1;
1422 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1423 }
1424
1425 typedef struct {
1426 int version;
1427 const SSL_METHOD *(*cmeth) (void);
1428 const SSL_METHOD *(*smeth) (void);
1429 } version_info;
1430
1431 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1432 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1433 #endif
1434
1435 /* Must be in order high to low */
1436 static const version_info tls_version_table[] = {
1437 #ifndef OPENSSL_NO_TLS1_3
1438 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1439 #else
1440 {TLS1_3_VERSION, NULL, NULL},
1441 #endif
1442 #ifndef OPENSSL_NO_TLS1_2
1443 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1444 #else
1445 {TLS1_2_VERSION, NULL, NULL},
1446 #endif
1447 #ifndef OPENSSL_NO_TLS1_1
1448 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1449 #else
1450 {TLS1_1_VERSION, NULL, NULL},
1451 #endif
1452 #ifndef OPENSSL_NO_TLS1
1453 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1454 #else
1455 {TLS1_VERSION, NULL, NULL},
1456 #endif
1457 #ifndef OPENSSL_NO_SSL3
1458 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1459 #else
1460 {SSL3_VERSION, NULL, NULL},
1461 #endif
1462 {0, NULL, NULL},
1463 };
1464
1465 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1466 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1467 #endif
1468
1469 /* Must be in order high to low */
1470 static const version_info dtls_version_table[] = {
1471 #ifndef OPENSSL_NO_DTLS1_2
1472 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1473 #else
1474 {DTLS1_2_VERSION, NULL, NULL},
1475 #endif
1476 #ifndef OPENSSL_NO_DTLS1
1477 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1478 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1479 #else
1480 {DTLS1_VERSION, NULL, NULL},
1481 {DTLS1_BAD_VER, NULL, NULL},
1482 #endif
1483 {0, NULL, NULL},
1484 };
1485
1486 /*
1487 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1488 *
1489 * @s: The SSL handle for the candidate method
1490 * @method: the intended method.
1491 *
1492 * Returns 0 on success, or an SSL error reason on failure.
1493 */
ssl_method_error(const SSL * s,const SSL_METHOD * method)1494 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1495 {
1496 int version = method->version;
1497
1498 if ((s->min_proto_version != 0 &&
1499 version_cmp(s, version, s->min_proto_version) < 0) ||
1500 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1501 return SSL_R_VERSION_TOO_LOW;
1502
1503 if (s->max_proto_version != 0 &&
1504 version_cmp(s, version, s->max_proto_version) > 0)
1505 return SSL_R_VERSION_TOO_HIGH;
1506
1507 if ((s->options & method->mask) != 0)
1508 return SSL_R_UNSUPPORTED_PROTOCOL;
1509 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1510 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1511
1512 return 0;
1513 }
1514
1515 /*
1516 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1517 * certificate type, or has PSK or a certificate callback configured, or has
1518 * a servername callback configure. Otherwise returns 0.
1519 */
is_tls13_capable(const SSL * s)1520 static int is_tls13_capable(const SSL *s)
1521 {
1522 int i;
1523 int curve;
1524
1525 if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
1526 return 0;
1527
1528 /*
1529 * A servername callback can change the available certs, so if a servername
1530 * cb is set then we just assume TLSv1.3 will be ok
1531 */
1532 if (s->ctx->ext.servername_cb != NULL
1533 || s->session_ctx->ext.servername_cb != NULL)
1534 return 1;
1535
1536 #ifndef OPENSSL_NO_PSK
1537 if (s->psk_server_callback != NULL)
1538 return 1;
1539 #endif
1540
1541 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1542 return 1;
1543
1544 for (i = 0; i < SSL_PKEY_NUM; i++) {
1545 /* Skip over certs disallowed for TLSv1.3 */
1546 switch (i) {
1547 case SSL_PKEY_DSA_SIGN:
1548 case SSL_PKEY_GOST01:
1549 case SSL_PKEY_GOST12_256:
1550 case SSL_PKEY_GOST12_512:
1551 continue;
1552 default:
1553 break;
1554 }
1555 if (!ssl_has_cert(s, i))
1556 continue;
1557 if (i != SSL_PKEY_ECC)
1558 return 1;
1559 /*
1560 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1561 * more restrictive so check that our sig algs are consistent with this
1562 * EC cert. See section 4.2.3 of RFC8446.
1563 */
1564 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1565 if (tls_check_sigalg_curve(s, curve))
1566 return 1;
1567 }
1568
1569 return 0;
1570 }
1571
1572 /*
1573 * ssl_version_supported - Check that the specified `version` is supported by
1574 * `SSL *` instance
1575 *
1576 * @s: The SSL handle for the candidate method
1577 * @version: Protocol version to test against
1578 *
1579 * Returns 1 when supported, otherwise 0
1580 */
ssl_version_supported(const SSL * s,int version,const SSL_METHOD ** meth)1581 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1582 {
1583 const version_info *vent;
1584 const version_info *table;
1585
1586 switch (s->method->version) {
1587 default:
1588 /* Version should match method version for non-ANY method */
1589 return version_cmp(s, version, s->version) == 0;
1590 case TLS_ANY_VERSION:
1591 table = tls_version_table;
1592 break;
1593 case DTLS_ANY_VERSION:
1594 table = dtls_version_table;
1595 break;
1596 }
1597
1598 for (vent = table;
1599 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1600 ++vent) {
1601 if (vent->cmeth != NULL
1602 && version_cmp(s, version, vent->version) == 0
1603 && ssl_method_error(s, vent->cmeth()) == 0
1604 && (!s->server
1605 || version != TLS1_3_VERSION
1606 || is_tls13_capable(s))) {
1607 if (meth != NULL)
1608 *meth = vent->cmeth();
1609 return 1;
1610 }
1611 }
1612 return 0;
1613 }
1614
1615 /*
1616 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1617 * fallback indication from a client check whether we're using the highest
1618 * supported protocol version.
1619 *
1620 * @s server SSL handle.
1621 *
1622 * Returns 1 when using the highest enabled version, 0 otherwise.
1623 */
ssl_check_version_downgrade(SSL * s)1624 int ssl_check_version_downgrade(SSL *s)
1625 {
1626 const version_info *vent;
1627 const version_info *table;
1628
1629 /*
1630 * Check that the current protocol is the highest enabled version
1631 * (according to s->ctx->method, as version negotiation may have changed
1632 * s->method).
1633 */
1634 if (s->version == s->ctx->method->version)
1635 return 1;
1636
1637 /*
1638 * Apparently we're using a version-flexible SSL_METHOD (not at its
1639 * highest protocol version).
1640 */
1641 if (s->ctx->method->version == TLS_method()->version)
1642 table = tls_version_table;
1643 else if (s->ctx->method->version == DTLS_method()->version)
1644 table = dtls_version_table;
1645 else {
1646 /* Unexpected state; fail closed. */
1647 return 0;
1648 }
1649
1650 for (vent = table; vent->version != 0; ++vent) {
1651 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1652 return s->version == vent->version;
1653 }
1654 return 0;
1655 }
1656
1657 /*
1658 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1659 * protocols, provided the initial (D)TLS method is version-flexible. This
1660 * function sanity-checks the proposed value and makes sure the method is
1661 * version-flexible, then sets the limit if all is well.
1662 *
1663 * @method_version: The version of the current SSL_METHOD.
1664 * @version: the intended limit.
1665 * @bound: pointer to limit to be updated.
1666 *
1667 * Returns 1 on success, 0 on failure.
1668 */
ssl_set_version_bound(int method_version,int version,int * bound)1669 int ssl_set_version_bound(int method_version, int version, int *bound)
1670 {
1671 int valid_tls;
1672 int valid_dtls;
1673
1674 if (version == 0) {
1675 *bound = version;
1676 return 1;
1677 }
1678
1679 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1680 valid_dtls =
1681 DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1682 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1683
1684 if (!valid_tls && !valid_dtls)
1685 return 0;
1686
1687 /*-
1688 * Restrict TLS methods to TLS protocol versions.
1689 * Restrict DTLS methods to DTLS protocol versions.
1690 * Note, DTLS version numbers are decreasing, use comparison macros.
1691 *
1692 * Note that for both lower-bounds we use explicit versions, not
1693 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1694 * configurations. If the MIN (supported) version ever rises, the user's
1695 * "floor" remains valid even if no longer available. We don't expect the
1696 * MAX ceiling to ever get lower, so making that variable makes sense.
1697 *
1698 * We ignore attempts to set bounds on version-inflexible methods,
1699 * returning success.
1700 */
1701 switch (method_version) {
1702 default:
1703 break;
1704
1705 case TLS_ANY_VERSION:
1706 if (valid_tls)
1707 *bound = version;
1708 break;
1709
1710 case DTLS_ANY_VERSION:
1711 if (valid_dtls)
1712 *bound = version;
1713 break;
1714 }
1715 return 1;
1716 }
1717
check_for_downgrade(SSL * s,int vers,DOWNGRADE * dgrd)1718 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1719 {
1720 if (vers == TLS1_2_VERSION
1721 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1722 *dgrd = DOWNGRADE_TO_1_2;
1723 } else if (!SSL_IS_DTLS(s)
1724 && vers < TLS1_2_VERSION
1725 /*
1726 * We need to ensure that a server that disables TLSv1.2
1727 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1728 * complete handshakes with clients that support TLSv1.2 and
1729 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1730 * enabled and TLSv1.2 is not.
1731 */
1732 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1733 *dgrd = DOWNGRADE_TO_1_1;
1734 } else {
1735 *dgrd = DOWNGRADE_NONE;
1736 }
1737 }
1738
1739 /*
1740 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1741 * client HELLO is received to select the final server protocol version and
1742 * the version specific method.
1743 *
1744 * @s: server SSL handle.
1745 *
1746 * Returns 0 on success or an SSL error reason number on failure.
1747 */
ssl_choose_server_version(SSL * s,CLIENTHELLO_MSG * hello,DOWNGRADE * dgrd)1748 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1749 {
1750 /*-
1751 * With version-flexible methods we have an initial state with:
1752 *
1753 * s->method->version == (D)TLS_ANY_VERSION,
1754 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
1755 *
1756 * So we detect version-flexible methods via the method version, not the
1757 * handle version.
1758 */
1759 int server_version = s->method->version;
1760 int client_version = hello->legacy_version;
1761 const version_info *vent;
1762 const version_info *table;
1763 int disabled = 0;
1764 RAW_EXTENSION *suppversions;
1765
1766 s->client_version = client_version;
1767
1768 switch (server_version) {
1769 default:
1770 if (!SSL_IS_TLS13(s)) {
1771 if (version_cmp(s, client_version, s->version) < 0)
1772 return SSL_R_WRONG_SSL_VERSION;
1773 *dgrd = DOWNGRADE_NONE;
1774 /*
1775 * If this SSL handle is not from a version flexible method we don't
1776 * (and never did) check min/max FIPS or Suite B constraints. Hope
1777 * that's OK. It is up to the caller to not choose fixed protocol
1778 * versions they don't want. If not, then easy to fix, just return
1779 * ssl_method_error(s, s->method)
1780 */
1781 return 0;
1782 }
1783 /*
1784 * Fall through if we are TLSv1.3 already (this means we must be after
1785 * a HelloRetryRequest
1786 */
1787 /* fall thru */
1788 case TLS_ANY_VERSION:
1789 table = tls_version_table;
1790 break;
1791 case DTLS_ANY_VERSION:
1792 table = dtls_version_table;
1793 break;
1794 }
1795
1796 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1797
1798 /* If we did an HRR then supported versions is mandatory */
1799 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1800 return SSL_R_UNSUPPORTED_PROTOCOL;
1801
1802 if (suppversions->present && !SSL_IS_DTLS(s)) {
1803 unsigned int candidate_vers = 0;
1804 unsigned int best_vers = 0;
1805 const SSL_METHOD *best_method = NULL;
1806 PACKET versionslist;
1807
1808 suppversions->parsed = 1;
1809
1810 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1811 /* Trailing or invalid data? */
1812 return SSL_R_LENGTH_MISMATCH;
1813 }
1814
1815 /*
1816 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1817 * The spec only requires servers to check that it isn't SSLv3:
1818 * "Any endpoint receiving a Hello message with
1819 * ClientHello.legacy_version or ServerHello.legacy_version set to
1820 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1821 * We are slightly stricter and require that it isn't SSLv3 or lower.
1822 * We tolerate TLSv1 and TLSv1.1.
1823 */
1824 if (client_version <= SSL3_VERSION)
1825 return SSL_R_BAD_LEGACY_VERSION;
1826
1827 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1828 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1829 continue;
1830 if (ssl_version_supported(s, candidate_vers, &best_method))
1831 best_vers = candidate_vers;
1832 }
1833 if (PACKET_remaining(&versionslist) != 0) {
1834 /* Trailing data? */
1835 return SSL_R_LENGTH_MISMATCH;
1836 }
1837
1838 if (best_vers > 0) {
1839 if (s->hello_retry_request != SSL_HRR_NONE) {
1840 /*
1841 * This is after a HelloRetryRequest so we better check that we
1842 * negotiated TLSv1.3
1843 */
1844 if (best_vers != TLS1_3_VERSION)
1845 return SSL_R_UNSUPPORTED_PROTOCOL;
1846 return 0;
1847 }
1848 check_for_downgrade(s, best_vers, dgrd);
1849 s->version = best_vers;
1850 s->method = best_method;
1851 return 0;
1852 }
1853 return SSL_R_UNSUPPORTED_PROTOCOL;
1854 }
1855
1856 /*
1857 * If the supported versions extension isn't present, then the highest
1858 * version we can negotiate is TLSv1.2
1859 */
1860 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1861 client_version = TLS1_2_VERSION;
1862
1863 /*
1864 * No supported versions extension, so we just use the version supplied in
1865 * the ClientHello.
1866 */
1867 for (vent = table; vent->version != 0; ++vent) {
1868 const SSL_METHOD *method;
1869
1870 if (vent->smeth == NULL ||
1871 version_cmp(s, client_version, vent->version) < 0)
1872 continue;
1873 method = vent->smeth();
1874 if (ssl_method_error(s, method) == 0) {
1875 check_for_downgrade(s, vent->version, dgrd);
1876 s->version = vent->version;
1877 s->method = method;
1878 return 0;
1879 }
1880 disabled = 1;
1881 }
1882 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1883 }
1884
1885 /*
1886 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1887 * server HELLO is received to select the final client protocol version and
1888 * the version specific method.
1889 *
1890 * @s: client SSL handle.
1891 * @version: The proposed version from the server's HELLO.
1892 * @extensions: The extensions received
1893 *
1894 * Returns 1 on success or 0 on error.
1895 */
ssl_choose_client_version(SSL * s,int version,RAW_EXTENSION * extensions)1896 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1897 {
1898 const version_info *vent;
1899 const version_info *table;
1900 int ret, ver_min, ver_max, real_max, origv;
1901
1902 origv = s->version;
1903 s->version = version;
1904
1905 /* This will overwrite s->version if the extension is present */
1906 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1907 SSL_EXT_TLS1_2_SERVER_HELLO
1908 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1909 NULL, 0)) {
1910 s->version = origv;
1911 return 0;
1912 }
1913
1914 if (s->hello_retry_request != SSL_HRR_NONE
1915 && s->version != TLS1_3_VERSION) {
1916 s->version = origv;
1917 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1918 return 0;
1919 }
1920
1921 switch (s->method->version) {
1922 default:
1923 if (s->version != s->method->version) {
1924 s->version = origv;
1925 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1926 return 0;
1927 }
1928 /*
1929 * If this SSL handle is not from a version flexible method we don't
1930 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1931 * that's OK. It is up to the caller to not choose fixed protocol
1932 * versions they don't want. If not, then easy to fix, just return
1933 * ssl_method_error(s, s->method)
1934 */
1935 return 1;
1936 case TLS_ANY_VERSION:
1937 table = tls_version_table;
1938 break;
1939 case DTLS_ANY_VERSION:
1940 table = dtls_version_table;
1941 break;
1942 }
1943
1944 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1945 if (ret != 0) {
1946 s->version = origv;
1947 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
1948 return 0;
1949 }
1950 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1951 : s->version < ver_min) {
1952 s->version = origv;
1953 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1954 return 0;
1955 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1956 : s->version > ver_max) {
1957 s->version = origv;
1958 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1959 return 0;
1960 }
1961
1962 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1963 real_max = ver_max;
1964
1965 /* Check for downgrades */
1966 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1967 if (memcmp(tls12downgrade,
1968 s->s3.server_random + SSL3_RANDOM_SIZE
1969 - sizeof(tls12downgrade),
1970 sizeof(tls12downgrade)) == 0) {
1971 s->version = origv;
1972 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1973 SSL_R_INAPPROPRIATE_FALLBACK);
1974 return 0;
1975 }
1976 } else if (!SSL_IS_DTLS(s)
1977 && s->version < TLS1_2_VERSION
1978 && real_max > s->version) {
1979 if (memcmp(tls11downgrade,
1980 s->s3.server_random + SSL3_RANDOM_SIZE
1981 - sizeof(tls11downgrade),
1982 sizeof(tls11downgrade)) == 0) {
1983 s->version = origv;
1984 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1985 SSL_R_INAPPROPRIATE_FALLBACK);
1986 return 0;
1987 }
1988 }
1989
1990 for (vent = table; vent->version != 0; ++vent) {
1991 if (vent->cmeth == NULL || s->version != vent->version)
1992 continue;
1993
1994 s->method = vent->cmeth();
1995 return 1;
1996 }
1997
1998 s->version = origv;
1999 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2000 return 0;
2001 }
2002
2003 /*
2004 * ssl_get_min_max_version - get minimum and maximum protocol version
2005 * @s: The SSL connection
2006 * @min_version: The minimum supported version
2007 * @max_version: The maximum supported version
2008 * @real_max: The highest version below the lowest compile time version hole
2009 * where that hole lies above at least one run-time enabled
2010 * protocol.
2011 *
2012 * Work out what version we should be using for the initial ClientHello if the
2013 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2014 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2015 * constraints and any floor imposed by the security level here,
2016 * so we don't advertise the wrong protocol version to only reject the outcome later.
2017 *
2018 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2019 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2020 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2021 *
2022 * Returns 0 on success or an SSL error reason number on failure. On failure
2023 * min_version and max_version will also be set to 0.
2024 */
ssl_get_min_max_version(const SSL * s,int * min_version,int * max_version,int * real_max)2025 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2026 int *real_max)
2027 {
2028 int version, tmp_real_max;
2029 int hole;
2030 const SSL_METHOD *single = NULL;
2031 const SSL_METHOD *method;
2032 const version_info *table;
2033 const version_info *vent;
2034
2035 switch (s->method->version) {
2036 default:
2037 /*
2038 * If this SSL handle is not from a version flexible method we don't
2039 * (and never did) check min/max FIPS or Suite B constraints. Hope
2040 * that's OK. It is up to the caller to not choose fixed protocol
2041 * versions they don't want. If not, then easy to fix, just return
2042 * ssl_method_error(s, s->method)
2043 */
2044 *min_version = *max_version = s->version;
2045 /*
2046 * Providing a real_max only makes sense where we're using a version
2047 * flexible method.
2048 */
2049 if (!ossl_assert(real_max == NULL))
2050 return ERR_R_INTERNAL_ERROR;
2051 return 0;
2052 case TLS_ANY_VERSION:
2053 table = tls_version_table;
2054 break;
2055 case DTLS_ANY_VERSION:
2056 table = dtls_version_table;
2057 break;
2058 }
2059
2060 /*
2061 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2062 * below X enabled. This is required in order to maintain the "version
2063 * capability" vector contiguous. Any versions with a NULL client method
2064 * (protocol version client is disabled at compile-time) is also a "hole".
2065 *
2066 * Our initial state is hole == 1, version == 0. That is, versions above
2067 * the first version in the method table are disabled (a "hole" above
2068 * the valid protocol entries) and we don't have a selected version yet.
2069 *
2070 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2071 * the selected version, and the method becomes a candidate "single"
2072 * method. We're no longer in a hole, so "hole" becomes 0.
2073 *
2074 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2075 * as we support a contiguous range of at least two methods. If we hit
2076 * a disabled method, then hole becomes true again, but nothing else
2077 * changes yet, because all the remaining methods may be disabled too.
2078 * If we again hit an enabled method after the new hole, it becomes
2079 * selected, as we start from scratch.
2080 */
2081 *min_version = version = 0;
2082 hole = 1;
2083 if (real_max != NULL)
2084 *real_max = 0;
2085 tmp_real_max = 0;
2086 for (vent = table; vent->version != 0; ++vent) {
2087 /*
2088 * A table entry with a NULL client method is still a hole in the
2089 * "version capability" vector.
2090 */
2091 if (vent->cmeth == NULL) {
2092 hole = 1;
2093 tmp_real_max = 0;
2094 continue;
2095 }
2096 method = vent->cmeth();
2097
2098 if (hole == 1 && tmp_real_max == 0)
2099 tmp_real_max = vent->version;
2100
2101 if (ssl_method_error(s, method) != 0) {
2102 hole = 1;
2103 } else if (!hole) {
2104 single = NULL;
2105 *min_version = method->version;
2106 } else {
2107 if (real_max != NULL && tmp_real_max != 0)
2108 *real_max = tmp_real_max;
2109 version = (single = method)->version;
2110 *min_version = version;
2111 hole = 0;
2112 }
2113 }
2114
2115 *max_version = version;
2116
2117 /* Fail if everything is disabled */
2118 if (version == 0)
2119 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2120
2121 return 0;
2122 }
2123
2124 /*
2125 * ssl_set_client_hello_version - Work out what version we should be using for
2126 * the initial ClientHello.legacy_version field.
2127 *
2128 * @s: client SSL handle.
2129 *
2130 * Returns 0 on success or an SSL error reason number on failure.
2131 */
ssl_set_client_hello_version(SSL * s)2132 int ssl_set_client_hello_version(SSL *s)
2133 {
2134 int ver_min, ver_max, ret;
2135
2136 /*
2137 * In a renegotiation we always send the same client_version that we sent
2138 * last time, regardless of which version we eventually negotiated.
2139 */
2140 if (!SSL_IS_FIRST_HANDSHAKE(s))
2141 return 0;
2142
2143 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2144
2145 if (ret != 0)
2146 return ret;
2147
2148 s->version = ver_max;
2149
2150 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2151 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2152 ver_max = TLS1_2_VERSION;
2153
2154 s->client_version = ver_max;
2155 return 0;
2156 }
2157
2158 /*
2159 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2160 * and |checkallow| is 1 then additionally check if the group is allowed to be
2161 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2162 * 1) or 0 otherwise.
2163 */
check_in_list(SSL * s,uint16_t group_id,const uint16_t * groups,size_t num_groups,int checkallow)2164 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2165 size_t num_groups, int checkallow)
2166 {
2167 size_t i;
2168
2169 if (groups == NULL || num_groups == 0)
2170 return 0;
2171
2172 for (i = 0; i < num_groups; i++) {
2173 uint16_t group = groups[i];
2174
2175 if (group_id == group
2176 && (!checkallow
2177 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2178 return 1;
2179 }
2180 }
2181
2182 return 0;
2183 }
2184
2185 /* Replace ClientHello1 in the transcript hash with a synthetic message */
create_synthetic_message_hash(SSL * s,const unsigned char * hashval,size_t hashlen,const unsigned char * hrr,size_t hrrlen)2186 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2187 size_t hashlen, const unsigned char *hrr,
2188 size_t hrrlen)
2189 {
2190 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2191 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2192
2193 memset(msghdr, 0, sizeof(msghdr));
2194
2195 if (hashval == NULL) {
2196 hashval = hashvaltmp;
2197 hashlen = 0;
2198 /* Get the hash of the initial ClientHello */
2199 if (!ssl3_digest_cached_records(s, 0)
2200 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2201 &hashlen)) {
2202 /* SSLfatal() already called */
2203 return 0;
2204 }
2205 }
2206
2207 /* Reinitialise the transcript hash */
2208 if (!ssl3_init_finished_mac(s)) {
2209 /* SSLfatal() already called */
2210 return 0;
2211 }
2212
2213 /* Inject the synthetic message_hash message */
2214 msghdr[0] = SSL3_MT_MESSAGE_HASH;
2215 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2216 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2217 || !ssl3_finish_mac(s, hashval, hashlen)) {
2218 /* SSLfatal() already called */
2219 return 0;
2220 }
2221
2222 /*
2223 * Now re-inject the HRR and current message if appropriate (we just deleted
2224 * it when we reinitialised the transcript hash above). Only necessary after
2225 * receiving a ClientHello2 with a cookie.
2226 */
2227 if (hrr != NULL
2228 && (!ssl3_finish_mac(s, hrr, hrrlen)
2229 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2230 s->s3.tmp.message_size
2231 + SSL3_HM_HEADER_LENGTH))) {
2232 /* SSLfatal() already called */
2233 return 0;
2234 }
2235
2236 return 1;
2237 }
2238
ca_dn_cmp(const X509_NAME * const * a,const X509_NAME * const * b)2239 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2240 {
2241 return X509_NAME_cmp(*a, *b);
2242 }
2243
parse_ca_names(SSL * s,PACKET * pkt)2244 int parse_ca_names(SSL *s, PACKET *pkt)
2245 {
2246 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2247 X509_NAME *xn = NULL;
2248 PACKET cadns;
2249
2250 if (ca_sk == NULL) {
2251 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2252 goto err;
2253 }
2254 /* get the CA RDNs */
2255 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2256 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2257 goto err;
2258 }
2259
2260 while (PACKET_remaining(&cadns)) {
2261 const unsigned char *namestart, *namebytes;
2262 unsigned int name_len;
2263
2264 if (!PACKET_get_net_2(&cadns, &name_len)
2265 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2266 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2267 goto err;
2268 }
2269
2270 namestart = namebytes;
2271 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2272 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
2273 goto err;
2274 }
2275 if (namebytes != (namestart + name_len)) {
2276 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
2277 goto err;
2278 }
2279
2280 if (!sk_X509_NAME_push(ca_sk, xn)) {
2281 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2282 goto err;
2283 }
2284 xn = NULL;
2285 }
2286
2287 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2288 s->s3.tmp.peer_ca_names = ca_sk;
2289
2290 return 1;
2291
2292 err:
2293 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2294 X509_NAME_free(xn);
2295 return 0;
2296 }
2297
STACK_OF(X509_NAME)2298 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2299 {
2300 const STACK_OF(X509_NAME) *ca_sk = NULL;;
2301
2302 if (s->server) {
2303 ca_sk = SSL_get_client_CA_list(s);
2304 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2305 ca_sk = NULL;
2306 }
2307
2308 if (ca_sk == NULL)
2309 ca_sk = SSL_get0_CA_list(s);
2310
2311 return ca_sk;
2312 }
2313
construct_ca_names(SSL * s,const STACK_OF (X509_NAME)* ca_sk,WPACKET * pkt)2314 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2315 {
2316 /* Start sub-packet for client CA list */
2317 if (!WPACKET_start_sub_packet_u16(pkt)) {
2318 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2319 return 0;
2320 }
2321
2322 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
2323 int i;
2324
2325 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2326 unsigned char *namebytes;
2327 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2328 int namelen;
2329
2330 if (name == NULL
2331 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2332 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2333 &namebytes)
2334 || i2d_X509_NAME(name, &namebytes) != namelen) {
2335 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2336 return 0;
2337 }
2338 }
2339 }
2340
2341 if (!WPACKET_close(pkt)) {
2342 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2343 return 0;
2344 }
2345
2346 return 1;
2347 }
2348
2349 /* Create a buffer containing data to be signed for server key exchange */
construct_key_exchange_tbs(SSL * s,unsigned char ** ptbs,const void * param,size_t paramlen)2350 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2351 const void *param, size_t paramlen)
2352 {
2353 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2354 unsigned char *tbs = OPENSSL_malloc(tbslen);
2355
2356 if (tbs == NULL) {
2357 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2358 return 0;
2359 }
2360 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2361 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2362
2363 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2364
2365 *ptbs = tbs;
2366 return tbslen;
2367 }
2368
2369 /*
2370 * Saves the current handshake digest for Post-Handshake Auth,
2371 * Done after ClientFinished is processed, done exactly once
2372 */
tls13_save_handshake_digest_for_pha(SSL * s)2373 int tls13_save_handshake_digest_for_pha(SSL *s)
2374 {
2375 if (s->pha_dgst == NULL) {
2376 if (!ssl3_digest_cached_records(s, 1))
2377 /* SSLfatal() already called */
2378 return 0;
2379
2380 s->pha_dgst = EVP_MD_CTX_new();
2381 if (s->pha_dgst == NULL) {
2382 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2383 return 0;
2384 }
2385 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2386 s->s3.handshake_dgst)) {
2387 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2388 EVP_MD_CTX_free(s->pha_dgst);
2389 s->pha_dgst = NULL;
2390 return 0;
2391 }
2392 }
2393 return 1;
2394 }
2395
2396 /*
2397 * Restores the Post-Handshake Auth handshake digest
2398 * Done just before sending/processing the Cert Request
2399 */
tls13_restore_handshake_digest_for_pha(SSL * s)2400 int tls13_restore_handshake_digest_for_pha(SSL *s)
2401 {
2402 if (s->pha_dgst == NULL) {
2403 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2404 return 0;
2405 }
2406 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2407 s->pha_dgst)) {
2408 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2409 return 0;
2410 }
2411 return 1;
2412 }
2413