1 /*
2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the OpenSSL license (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include <limits.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/objects.h>
19 #include <openssl/evp.h>
20 #include <openssl/x509.h>
21
22 /*
23 * Map error codes to TLS/SSL alart types.
24 */
25 typedef struct x509err2alert_st {
26 int x509err;
27 int alert;
28 } X509ERR2ALERT;
29
30 /* Fixed value used in the ServerHello random field to identify an HRR */
31 const unsigned char hrrrandom[] = {
32 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
33 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
34 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
35 };
36
37 /*
38 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
39 * SSL3_RT_CHANGE_CIPHER_SPEC)
40 */
ssl3_do_write(SSL * s,int type)41 int ssl3_do_write(SSL *s, int type)
42 {
43 int ret;
44 size_t written = 0;
45
46 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
47 s->init_num, &written);
48 if (ret < 0)
49 return -1;
50 if (type == SSL3_RT_HANDSHAKE)
51 /*
52 * should not be done for 'Hello Request's, but in that case we'll
53 * ignore the result anyway
54 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
55 */
56 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
57 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
58 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
59 if (!ssl3_finish_mac(s,
60 (unsigned char *)&s->init_buf->data[s->init_off],
61 written))
62 return -1;
63 if (written == s->init_num) {
64 if (s->msg_callback)
65 s->msg_callback(1, s->version, type, s->init_buf->data,
66 (size_t)(s->init_off + s->init_num), s,
67 s->msg_callback_arg);
68 return 1;
69 }
70 s->init_off += written;
71 s->init_num -= written;
72 return 0;
73 }
74
tls_close_construct_packet(SSL * s,WPACKET * pkt,int htype)75 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
76 {
77 size_t msglen;
78
79 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
80 || !WPACKET_get_length(pkt, &msglen)
81 || msglen > INT_MAX)
82 return 0;
83 s->init_num = (int)msglen;
84 s->init_off = 0;
85
86 return 1;
87 }
88
tls_setup_handshake(SSL * s)89 int tls_setup_handshake(SSL *s)
90 {
91 if (!ssl3_init_finished_mac(s)) {
92 /* SSLfatal() already called */
93 return 0;
94 }
95
96 /* Reset any extension flags */
97 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
98
99 if (s->server) {
100 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
101 int i, ver_min, ver_max, ok = 0;
102
103 /*
104 * Sanity check that the maximum version we accept has ciphers
105 * enabled. For clients we do this check during construction of the
106 * ClientHello.
107 */
108 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
109 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
110 ERR_R_INTERNAL_ERROR);
111 return 0;
112 }
113 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
114 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
115
116 if (SSL_IS_DTLS(s)) {
117 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
118 DTLS_VERSION_LE(ver_max, c->max_dtls))
119 ok = 1;
120 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
121 ok = 1;
122 }
123 if (ok)
124 break;
125 }
126 if (!ok) {
127 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
128 SSL_R_NO_CIPHERS_AVAILABLE);
129 ERR_add_error_data(1, "No ciphers enabled for max supported "
130 "SSL/TLS version");
131 return 0;
132 }
133 if (SSL_IS_FIRST_HANDSHAKE(s)) {
134 /* N.B. s->session_ctx == s->ctx here */
135 tsan_counter(&s->session_ctx->stats.sess_accept);
136 } else {
137 /* N.B. s->ctx may not equal s->session_ctx */
138 tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
139
140 s->s3->tmp.cert_request = 0;
141 }
142 } else {
143 if (SSL_IS_FIRST_HANDSHAKE(s))
144 tsan_counter(&s->session_ctx->stats.sess_connect);
145 else
146 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
147
148 /* mark client_random uninitialized */
149 memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
150 s->hit = 0;
151
152 s->s3->tmp.cert_req = 0;
153
154 if (SSL_IS_DTLS(s))
155 s->statem.use_timer = 1;
156 }
157
158 return 1;
159 }
160
161 /*
162 * Size of the to-be-signed TLS13 data, without the hash size itself:
163 * 64 bytes of value 32, 33 context bytes, 1 byte separator
164 */
165 #define TLS13_TBS_START_SIZE 64
166 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
167
get_cert_verify_tbs_data(SSL * s,unsigned char * tls13tbs,void ** hdata,size_t * hdatalen)168 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
169 void **hdata, size_t *hdatalen)
170 {
171 #ifdef CHARSET_EBCDIC
172 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
173 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
174 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
175 0x69, 0x66, 0x79, 0x00 };
176 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
177 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
178 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
179 0x69, 0x66, 0x79, 0x00 };
180 #else
181 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
182 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
183 #endif
184 if (SSL_IS_TLS13(s)) {
185 size_t hashlen;
186
187 /* Set the first 64 bytes of to-be-signed data to octet 32 */
188 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
189 /* This copies the 33 bytes of context plus the 0 separator byte */
190 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
191 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
192 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
193 else
194 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
195
196 /*
197 * If we're currently reading then we need to use the saved handshake
198 * hash value. We can't use the current handshake hash state because
199 * that includes the CertVerify itself.
200 */
201 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
202 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
203 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
204 s->cert_verify_hash_len);
205 hashlen = s->cert_verify_hash_len;
206 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
207 EVP_MAX_MD_SIZE, &hashlen)) {
208 /* SSLfatal() already called */
209 return 0;
210 }
211
212 *hdata = tls13tbs;
213 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
214 } else {
215 size_t retlen;
216 long retlen_l;
217
218 retlen = retlen_l = BIO_get_mem_data(s->s3->handshake_buffer, hdata);
219 if (retlen_l <= 0) {
220 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
221 ERR_R_INTERNAL_ERROR);
222 return 0;
223 }
224 *hdatalen = retlen;
225 }
226
227 return 1;
228 }
229
tls_construct_cert_verify(SSL * s,WPACKET * pkt)230 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
231 {
232 EVP_PKEY *pkey = NULL;
233 const EVP_MD *md = NULL;
234 EVP_MD_CTX *mctx = NULL;
235 EVP_PKEY_CTX *pctx = NULL;
236 size_t hdatalen = 0, siglen = 0;
237 void *hdata;
238 unsigned char *sig = NULL;
239 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
240 const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
241
242 if (lu == NULL || s->s3->tmp.cert == NULL) {
243 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
244 ERR_R_INTERNAL_ERROR);
245 goto err;
246 }
247 pkey = s->s3->tmp.cert->privatekey;
248
249 if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
250 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
251 ERR_R_INTERNAL_ERROR);
252 goto err;
253 }
254
255 mctx = EVP_MD_CTX_new();
256 if (mctx == NULL) {
257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
258 ERR_R_MALLOC_FAILURE);
259 goto err;
260 }
261
262 /* Get the data to be signed */
263 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
264 /* SSLfatal() already called */
265 goto err;
266 }
267
268 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
269 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
270 ERR_R_INTERNAL_ERROR);
271 goto err;
272 }
273 siglen = EVP_PKEY_size(pkey);
274 sig = OPENSSL_malloc(siglen);
275 if (sig == NULL) {
276 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
277 ERR_R_MALLOC_FAILURE);
278 goto err;
279 }
280
281 if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) {
282 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
283 ERR_R_EVP_LIB);
284 goto err;
285 }
286
287 if (lu->sig == EVP_PKEY_RSA_PSS) {
288 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
289 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
290 RSA_PSS_SALTLEN_DIGEST) <= 0) {
291 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
292 ERR_R_EVP_LIB);
293 goto err;
294 }
295 }
296 if (s->version == SSL3_VERSION) {
297 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
298 || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
299 (int)s->session->master_key_length,
300 s->session->master_key)
301 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
302
303 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
304 ERR_R_EVP_LIB);
305 goto err;
306 }
307 } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
308 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
309 ERR_R_EVP_LIB);
310 goto err;
311 }
312
313 #ifndef OPENSSL_NO_GOST
314 {
315 int pktype = lu->sig;
316
317 if (pktype == NID_id_GostR3410_2001
318 || pktype == NID_id_GostR3410_2012_256
319 || pktype == NID_id_GostR3410_2012_512)
320 BUF_reverse(sig, NULL, siglen);
321 }
322 #endif
323
324 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
325 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
326 ERR_R_INTERNAL_ERROR);
327 goto err;
328 }
329
330 /* Digest cached records and discard handshake buffer */
331 if (!ssl3_digest_cached_records(s, 0)) {
332 /* SSLfatal() already called */
333 goto err;
334 }
335
336 OPENSSL_free(sig);
337 EVP_MD_CTX_free(mctx);
338 return 1;
339 err:
340 OPENSSL_free(sig);
341 EVP_MD_CTX_free(mctx);
342 return 0;
343 }
344
tls_process_cert_verify(SSL * s,PACKET * pkt)345 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
346 {
347 EVP_PKEY *pkey = NULL;
348 const unsigned char *data;
349 #ifndef OPENSSL_NO_GOST
350 unsigned char *gost_data = NULL;
351 #endif
352 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
353 int j;
354 unsigned int len;
355 X509 *peer;
356 const EVP_MD *md = NULL;
357 size_t hdatalen = 0;
358 void *hdata;
359 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
360 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
361 EVP_PKEY_CTX *pctx = NULL;
362
363 if (mctx == NULL) {
364 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
365 ERR_R_MALLOC_FAILURE);
366 goto err;
367 }
368
369 peer = s->session->peer;
370 pkey = X509_get0_pubkey(peer);
371 if (pkey == NULL) {
372 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
373 ERR_R_INTERNAL_ERROR);
374 goto err;
375 }
376
377 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
378 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
379 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
380 goto err;
381 }
382
383 if (SSL_USE_SIGALGS(s)) {
384 unsigned int sigalg;
385
386 if (!PACKET_get_net_2(pkt, &sigalg)) {
387 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
388 SSL_R_BAD_PACKET);
389 goto err;
390 }
391 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
392 /* SSLfatal() already called */
393 goto err;
394 }
395 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
397 ERR_R_INTERNAL_ERROR);
398 goto err;
399 }
400
401 if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) {
402 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
403 ERR_R_INTERNAL_ERROR);
404 goto err;
405 }
406
407 #ifdef SSL_DEBUG
408 if (SSL_USE_SIGALGS(s))
409 fprintf(stderr, "USING TLSv1.2 HASH %s\n",
410 md == NULL ? "n/a" : EVP_MD_name(md));
411 #endif
412
413 /* Check for broken implementations of GOST ciphersuites */
414 /*
415 * If key is GOST and len is exactly 64 or 128, it is signature without
416 * length field (CryptoPro implementations at least till TLS 1.2)
417 */
418 #ifndef OPENSSL_NO_GOST
419 if (!SSL_USE_SIGALGS(s)
420 && ((PACKET_remaining(pkt) == 64
421 && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
422 || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
423 || (PACKET_remaining(pkt) == 128
424 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
425 len = PACKET_remaining(pkt);
426 } else
427 #endif
428 if (!PACKET_get_net_2(pkt, &len)) {
429 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
430 SSL_R_LENGTH_MISMATCH);
431 goto err;
432 }
433
434 j = EVP_PKEY_size(pkey);
435 if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
436 || (PACKET_remaining(pkt) == 0)) {
437 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
438 SSL_R_WRONG_SIGNATURE_SIZE);
439 goto err;
440 }
441 if (!PACKET_get_bytes(pkt, &data, len)) {
442 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
443 SSL_R_LENGTH_MISMATCH);
444 goto err;
445 }
446
447 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
448 /* SSLfatal() already called */
449 goto err;
450 }
451
452 #ifdef SSL_DEBUG
453 fprintf(stderr, "Using client verify alg %s\n",
454 md == NULL ? "n/a" : EVP_MD_name(md));
455 #endif
456 if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
458 ERR_R_EVP_LIB);
459 goto err;
460 }
461 #ifndef OPENSSL_NO_GOST
462 {
463 int pktype = EVP_PKEY_id(pkey);
464 if (pktype == NID_id_GostR3410_2001
465 || pktype == NID_id_GostR3410_2012_256
466 || pktype == NID_id_GostR3410_2012_512) {
467 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
468 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
469 SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
470 goto err;
471 }
472 BUF_reverse(gost_data, data, len);
473 data = gost_data;
474 }
475 }
476 #endif
477
478 if (SSL_USE_PSS(s)) {
479 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
480 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
481 RSA_PSS_SALTLEN_DIGEST) <= 0) {
482 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
483 ERR_R_EVP_LIB);
484 goto err;
485 }
486 }
487 if (s->version == SSL3_VERSION) {
488 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
489 || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
490 (int)s->session->master_key_length,
491 s->session->master_key)) {
492 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
493 ERR_R_EVP_LIB);
494 goto err;
495 }
496 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
497 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
498 SSL_R_BAD_SIGNATURE);
499 goto err;
500 }
501 } else {
502 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
503 if (j <= 0) {
504 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
505 SSL_R_BAD_SIGNATURE);
506 goto err;
507 }
508 }
509
510 /*
511 * In TLSv1.3 on the client side we make sure we prepare the client
512 * certificate after the CertVerify instead of when we get the
513 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
514 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
515 * want to make sure that SSL_get_peer_certificate() will return the actual
516 * server certificate from the client_cert_cb callback.
517 */
518 if (!s->server && SSL_IS_TLS13(s) && s->s3->tmp.cert_req == 1)
519 ret = MSG_PROCESS_CONTINUE_PROCESSING;
520 else
521 ret = MSG_PROCESS_CONTINUE_READING;
522 err:
523 BIO_free(s->s3->handshake_buffer);
524 s->s3->handshake_buffer = NULL;
525 EVP_MD_CTX_free(mctx);
526 #ifndef OPENSSL_NO_GOST
527 OPENSSL_free(gost_data);
528 #endif
529 return ret;
530 }
531
tls_construct_finished(SSL * s,WPACKET * pkt)532 int tls_construct_finished(SSL *s, WPACKET *pkt)
533 {
534 size_t finish_md_len;
535 const char *sender;
536 size_t slen;
537
538 /* This is a real handshake so make sure we clean it up at the end */
539 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
540 s->statem.cleanuphand = 1;
541
542 /*
543 * We only change the keys if we didn't already do this when we sent the
544 * client certificate
545 */
546 if (SSL_IS_TLS13(s)
547 && !s->server
548 && s->s3->tmp.cert_req == 0
549 && (!s->method->ssl3_enc->change_cipher_state(s,
550 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
551 /* SSLfatal() already called */
552 return 0;
553 }
554
555 if (s->server) {
556 sender = s->method->ssl3_enc->server_finished_label;
557 slen = s->method->ssl3_enc->server_finished_label_len;
558 } else {
559 sender = s->method->ssl3_enc->client_finished_label;
560 slen = s->method->ssl3_enc->client_finished_label_len;
561 }
562
563 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
564 sender, slen,
565 s->s3->tmp.finish_md);
566 if (finish_md_len == 0) {
567 /* SSLfatal() already called */
568 return 0;
569 }
570
571 s->s3->tmp.finish_md_len = finish_md_len;
572
573 if (!WPACKET_memcpy(pkt, s->s3->tmp.finish_md, finish_md_len)) {
574 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
575 ERR_R_INTERNAL_ERROR);
576 return 0;
577 }
578
579 /*
580 * Log the master secret, if logging is enabled. We don't log it for
581 * TLSv1.3: there's a different key schedule for that.
582 */
583 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
584 s->session->master_key,
585 s->session->master_key_length)) {
586 /* SSLfatal() already called */
587 return 0;
588 }
589
590 /*
591 * Copy the finished so we can use it for renegotiation checks
592 */
593 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
594 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
595 ERR_R_INTERNAL_ERROR);
596 return 0;
597 }
598 if (!s->server) {
599 memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md,
600 finish_md_len);
601 s->s3->previous_client_finished_len = finish_md_len;
602 } else {
603 memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md,
604 finish_md_len);
605 s->s3->previous_server_finished_len = finish_md_len;
606 }
607
608 return 1;
609 }
610
tls_construct_key_update(SSL * s,WPACKET * pkt)611 int tls_construct_key_update(SSL *s, WPACKET *pkt)
612 {
613 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
614 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
615 ERR_R_INTERNAL_ERROR);
616 return 0;
617 }
618
619 s->key_update = SSL_KEY_UPDATE_NONE;
620 return 1;
621 }
622
tls_process_key_update(SSL * s,PACKET * pkt)623 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
624 {
625 unsigned int updatetype;
626
627 /*
628 * A KeyUpdate message signals a key change so the end of the message must
629 * be on a record boundary.
630 */
631 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
632 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
633 SSL_R_NOT_ON_RECORD_BOUNDARY);
634 return MSG_PROCESS_ERROR;
635 }
636
637 if (!PACKET_get_1(pkt, &updatetype)
638 || PACKET_remaining(pkt) != 0) {
639 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
640 SSL_R_BAD_KEY_UPDATE);
641 return MSG_PROCESS_ERROR;
642 }
643
644 /*
645 * There are only two defined key update types. Fail if we get a value we
646 * didn't recognise.
647 */
648 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
649 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
650 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
651 SSL_R_BAD_KEY_UPDATE);
652 return MSG_PROCESS_ERROR;
653 }
654
655 /*
656 * If we get a request for us to update our sending keys too then, we need
657 * to additionally send a KeyUpdate message. However that message should
658 * not also request an update (otherwise we get into an infinite loop).
659 */
660 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
661 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
662
663 if (!tls13_update_key(s, 0)) {
664 /* SSLfatal() already called */
665 return MSG_PROCESS_ERROR;
666 }
667
668 return MSG_PROCESS_FINISHED_READING;
669 }
670
671 /*
672 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
673 * to far.
674 */
ssl3_take_mac(SSL * s)675 int ssl3_take_mac(SSL *s)
676 {
677 const char *sender;
678 size_t slen;
679
680 if (!s->server) {
681 sender = s->method->ssl3_enc->server_finished_label;
682 slen = s->method->ssl3_enc->server_finished_label_len;
683 } else {
684 sender = s->method->ssl3_enc->client_finished_label;
685 slen = s->method->ssl3_enc->client_finished_label_len;
686 }
687
688 s->s3->tmp.peer_finish_md_len =
689 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
690 s->s3->tmp.peer_finish_md);
691
692 if (s->s3->tmp.peer_finish_md_len == 0) {
693 /* SSLfatal() already called */
694 return 0;
695 }
696
697 return 1;
698 }
699
tls_process_change_cipher_spec(SSL * s,PACKET * pkt)700 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
701 {
702 size_t remain;
703
704 remain = PACKET_remaining(pkt);
705 /*
706 * 'Change Cipher Spec' is just a single byte, which should already have
707 * been consumed by ssl_get_message() so there should be no bytes left,
708 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
709 */
710 if (SSL_IS_DTLS(s)) {
711 if ((s->version == DTLS1_BAD_VER
712 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
713 || (s->version != DTLS1_BAD_VER
714 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
715 SSLfatal(s, SSL_AD_DECODE_ERROR,
716 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
717 SSL_R_BAD_CHANGE_CIPHER_SPEC);
718 return MSG_PROCESS_ERROR;
719 }
720 } else {
721 if (remain != 0) {
722 SSLfatal(s, SSL_AD_DECODE_ERROR,
723 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
724 SSL_R_BAD_CHANGE_CIPHER_SPEC);
725 return MSG_PROCESS_ERROR;
726 }
727 }
728
729 /* Check we have a cipher to change to */
730 if (s->s3->tmp.new_cipher == NULL) {
731 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
732 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
733 return MSG_PROCESS_ERROR;
734 }
735
736 s->s3->change_cipher_spec = 1;
737 if (!ssl3_do_change_cipher_spec(s)) {
738 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
739 ERR_R_INTERNAL_ERROR);
740 return MSG_PROCESS_ERROR;
741 }
742
743 if (SSL_IS_DTLS(s)) {
744 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
745
746 if (s->version == DTLS1_BAD_VER)
747 s->d1->handshake_read_seq++;
748
749 #ifndef OPENSSL_NO_SCTP
750 /*
751 * Remember that a CCS has been received, so that an old key of
752 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
753 * SCTP is used
754 */
755 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
756 #endif
757 }
758
759 return MSG_PROCESS_CONTINUE_READING;
760 }
761
tls_process_finished(SSL * s,PACKET * pkt)762 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
763 {
764 size_t md_len;
765
766
767 /* This is a real handshake so make sure we clean it up at the end */
768 if (s->server) {
769 /*
770 * To get this far we must have read encrypted data from the client. We
771 * no longer tolerate unencrypted alerts. This value is ignored if less
772 * than TLSv1.3
773 */
774 s->statem.enc_read_state = ENC_READ_STATE_VALID;
775 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
776 s->statem.cleanuphand = 1;
777 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
778 /* SSLfatal() already called */
779 return MSG_PROCESS_ERROR;
780 }
781 }
782
783 /*
784 * In TLSv1.3 a Finished message signals a key change so the end of the
785 * message must be on a record boundary.
786 */
787 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
788 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
789 SSL_R_NOT_ON_RECORD_BOUNDARY);
790 return MSG_PROCESS_ERROR;
791 }
792
793 /* If this occurs, we have missed a message */
794 if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) {
795 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
796 SSL_R_GOT_A_FIN_BEFORE_A_CCS);
797 return MSG_PROCESS_ERROR;
798 }
799 s->s3->change_cipher_spec = 0;
800
801 md_len = s->s3->tmp.peer_finish_md_len;
802
803 if (md_len != PACKET_remaining(pkt)) {
804 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
805 SSL_R_BAD_DIGEST_LENGTH);
806 return MSG_PROCESS_ERROR;
807 }
808
809 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md,
810 md_len) != 0) {
811 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
812 SSL_R_DIGEST_CHECK_FAILED);
813 return MSG_PROCESS_ERROR;
814 }
815
816 /*
817 * Copy the finished so we can use it for renegotiation checks
818 */
819 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
821 ERR_R_INTERNAL_ERROR);
822 return MSG_PROCESS_ERROR;
823 }
824 if (s->server) {
825 memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md,
826 md_len);
827 s->s3->previous_client_finished_len = md_len;
828 } else {
829 memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md,
830 md_len);
831 s->s3->previous_server_finished_len = md_len;
832 }
833
834 /*
835 * In TLS1.3 we also have to change cipher state and do any final processing
836 * of the initial server flight (if we are a client)
837 */
838 if (SSL_IS_TLS13(s)) {
839 if (s->server) {
840 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
841 !s->method->ssl3_enc->change_cipher_state(s,
842 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
843 /* SSLfatal() already called */
844 return MSG_PROCESS_ERROR;
845 }
846 } else {
847 /* TLS 1.3 gets the secret size from the handshake md */
848 size_t dummy;
849 if (!s->method->ssl3_enc->generate_master_secret(s,
850 s->master_secret, s->handshake_secret, 0,
851 &dummy)) {
852 /* SSLfatal() already called */
853 return MSG_PROCESS_ERROR;
854 }
855 if (!s->method->ssl3_enc->change_cipher_state(s,
856 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
857 /* SSLfatal() already called */
858 return MSG_PROCESS_ERROR;
859 }
860 if (!tls_process_initial_server_flight(s)) {
861 /* SSLfatal() already called */
862 return MSG_PROCESS_ERROR;
863 }
864 }
865 }
866
867 return MSG_PROCESS_FINISHED_READING;
868 }
869
tls_construct_change_cipher_spec(SSL * s,WPACKET * pkt)870 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
871 {
872 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
873 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
874 SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
875 return 0;
876 }
877
878 return 1;
879 }
880
881 /* Add a certificate to the WPACKET */
ssl_add_cert_to_wpacket(SSL * s,WPACKET * pkt,X509 * x,int chain)882 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
883 {
884 int len;
885 unsigned char *outbytes;
886
887 len = i2d_X509(x, NULL);
888 if (len < 0) {
889 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
890 ERR_R_BUF_LIB);
891 return 0;
892 }
893 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
894 || i2d_X509(x, &outbytes) != len) {
895 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
896 ERR_R_INTERNAL_ERROR);
897 return 0;
898 }
899
900 if (SSL_IS_TLS13(s)
901 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
902 chain)) {
903 /* SSLfatal() already called */
904 return 0;
905 }
906
907 return 1;
908 }
909
910 /* Add certificate chain to provided WPACKET */
ssl_add_cert_chain(SSL * s,WPACKET * pkt,CERT_PKEY * cpk)911 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
912 {
913 int i, chain_count;
914 X509 *x;
915 STACK_OF(X509) *extra_certs;
916 STACK_OF(X509) *chain = NULL;
917 X509_STORE *chain_store;
918
919 if (cpk == NULL || cpk->x509 == NULL)
920 return 1;
921
922 x = cpk->x509;
923
924 /*
925 * If we have a certificate specific chain use it, else use parent ctx.
926 */
927 if (cpk->chain != NULL)
928 extra_certs = cpk->chain;
929 else
930 extra_certs = s->ctx->extra_certs;
931
932 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
933 chain_store = NULL;
934 else if (s->cert->chain_store)
935 chain_store = s->cert->chain_store;
936 else
937 chain_store = s->ctx->cert_store;
938
939 if (chain_store != NULL) {
940 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();
941
942 if (xs_ctx == NULL) {
943 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
944 ERR_R_MALLOC_FAILURE);
945 return 0;
946 }
947 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
948 X509_STORE_CTX_free(xs_ctx);
949 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
950 ERR_R_X509_LIB);
951 return 0;
952 }
953 /*
954 * It is valid for the chain not to be complete (because normally we
955 * don't include the root cert in the chain). Therefore we deliberately
956 * ignore the error return from this call. We're not actually verifying
957 * the cert - we're just building as much of the chain as we can
958 */
959 (void)X509_verify_cert(xs_ctx);
960 /* Don't leave errors in the queue */
961 ERR_clear_error();
962 chain = X509_STORE_CTX_get0_chain(xs_ctx);
963 i = ssl_security_cert_chain(s, chain, NULL, 0);
964 if (i != 1) {
965 #if 0
966 /* Dummy error calls so mkerr generates them */
967 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
968 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
969 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
970 #endif
971 X509_STORE_CTX_free(xs_ctx);
972 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
973 return 0;
974 }
975 chain_count = sk_X509_num(chain);
976 for (i = 0; i < chain_count; i++) {
977 x = sk_X509_value(chain, i);
978
979 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
980 /* SSLfatal() already called */
981 X509_STORE_CTX_free(xs_ctx);
982 return 0;
983 }
984 }
985 X509_STORE_CTX_free(xs_ctx);
986 } else {
987 i = ssl_security_cert_chain(s, extra_certs, x, 0);
988 if (i != 1) {
989 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
990 return 0;
991 }
992 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
993 /* SSLfatal() already called */
994 return 0;
995 }
996 for (i = 0; i < sk_X509_num(extra_certs); i++) {
997 x = sk_X509_value(extra_certs, i);
998 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
999 /* SSLfatal() already called */
1000 return 0;
1001 }
1002 }
1003 }
1004 return 1;
1005 }
1006
ssl3_output_cert_chain(SSL * s,WPACKET * pkt,CERT_PKEY * cpk)1007 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1008 {
1009 if (!WPACKET_start_sub_packet_u24(pkt)) {
1010 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1011 ERR_R_INTERNAL_ERROR);
1012 return 0;
1013 }
1014
1015 if (!ssl_add_cert_chain(s, pkt, cpk))
1016 return 0;
1017
1018 if (!WPACKET_close(pkt)) {
1019 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1020 ERR_R_INTERNAL_ERROR);
1021 return 0;
1022 }
1023
1024 return 1;
1025 }
1026
1027 /*
1028 * Tidy up after the end of a handshake. In the case of SCTP this may result
1029 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1030 * freed up as well.
1031 */
tls_finish_handshake(SSL * s,WORK_STATE wst,int clearbufs,int stop)1032 WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
1033 {
1034 void (*cb) (const SSL *ssl, int type, int val) = NULL;
1035 int cleanuphand = s->statem.cleanuphand;
1036
1037 if (clearbufs) {
1038 if (!SSL_IS_DTLS(s)
1039 #ifndef OPENSSL_NO_SCTP
1040 /*
1041 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1042 * messages that require it. Therefore, DTLS procedures for retransmissions
1043 * MUST NOT be used.
1044 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1045 */
1046 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1047 #endif
1048 ) {
1049 /*
1050 * We don't do this in DTLS over UDP because we may still need the init_buf
1051 * in case there are any unexpected retransmits
1052 */
1053 BUF_MEM_free(s->init_buf);
1054 s->init_buf = NULL;
1055 }
1056
1057 if (!ssl_free_wbio_buffer(s)) {
1058 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
1059 ERR_R_INTERNAL_ERROR);
1060 return WORK_ERROR;
1061 }
1062 s->init_num = 0;
1063 }
1064
1065 if (SSL_IS_TLS13(s) && !s->server
1066 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1067 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1068
1069 /*
1070 * Only set if there was a Finished message and this isn't after a TLSv1.3
1071 * post handshake exchange
1072 */
1073 if (cleanuphand) {
1074 /* skipped if we just sent a HelloRequest */
1075 s->renegotiate = 0;
1076 s->new_session = 0;
1077 s->statem.cleanuphand = 0;
1078 s->ext.ticket_expected = 0;
1079
1080 ssl3_cleanup_key_block(s);
1081
1082 if (s->server) {
1083 /*
1084 * In TLSv1.3 we update the cache as part of constructing the
1085 * NewSessionTicket
1086 */
1087 if (!SSL_IS_TLS13(s))
1088 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1089
1090 /* N.B. s->ctx may not equal s->session_ctx */
1091 tsan_counter(&s->ctx->stats.sess_accept_good);
1092 s->handshake_func = ossl_statem_accept;
1093 } else {
1094 if (SSL_IS_TLS13(s)) {
1095 /*
1096 * We encourage applications to only use TLSv1.3 tickets once,
1097 * so we remove this one from the cache.
1098 */
1099 if ((s->session_ctx->session_cache_mode
1100 & SSL_SESS_CACHE_CLIENT) != 0)
1101 SSL_CTX_remove_session(s->session_ctx, s->session);
1102 } else {
1103 /*
1104 * In TLSv1.3 we update the cache as part of processing the
1105 * NewSessionTicket
1106 */
1107 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1108 }
1109 if (s->hit)
1110 tsan_counter(&s->session_ctx->stats.sess_hit);
1111
1112 s->handshake_func = ossl_statem_connect;
1113 tsan_counter(&s->session_ctx->stats.sess_connect_good);
1114 }
1115
1116 if (SSL_IS_DTLS(s)) {
1117 /* done with handshaking */
1118 s->d1->handshake_read_seq = 0;
1119 s->d1->handshake_write_seq = 0;
1120 s->d1->next_handshake_write_seq = 0;
1121 dtls1_clear_received_buffer(s);
1122 }
1123 }
1124
1125 if (s->info_callback != NULL)
1126 cb = s->info_callback;
1127 else if (s->ctx->info_callback != NULL)
1128 cb = s->ctx->info_callback;
1129
1130 /* The callback may expect us to not be in init at handshake done */
1131 ossl_statem_set_in_init(s, 0);
1132
1133 if (cb != NULL) {
1134 if (cleanuphand
1135 || !SSL_IS_TLS13(s)
1136 || SSL_IS_FIRST_HANDSHAKE(s))
1137 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1138 }
1139
1140 if (!stop) {
1141 /* If we've got more work to do we go back into init */
1142 ossl_statem_set_in_init(s, 1);
1143 return WORK_FINISHED_CONTINUE;
1144 }
1145
1146 return WORK_FINISHED_STOP;
1147 }
1148
tls_get_message_header(SSL * s,int * mt)1149 int tls_get_message_header(SSL *s, int *mt)
1150 {
1151 /* s->init_num < SSL3_HM_HEADER_LENGTH */
1152 int skip_message, i, recvd_type;
1153 unsigned char *p;
1154 size_t l, readbytes;
1155
1156 p = (unsigned char *)s->init_buf->data;
1157
1158 do {
1159 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1160 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1161 &p[s->init_num],
1162 SSL3_HM_HEADER_LENGTH - s->init_num,
1163 0, &readbytes);
1164 if (i <= 0) {
1165 s->rwstate = SSL_READING;
1166 return 0;
1167 }
1168 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1169 /*
1170 * A ChangeCipherSpec must be a single byte and may not occur
1171 * in the middle of a handshake message.
1172 */
1173 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1174 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1175 SSL_F_TLS_GET_MESSAGE_HEADER,
1176 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1177 return 0;
1178 }
1179 if (s->statem.hand_state == TLS_ST_BEFORE
1180 && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) {
1181 /*
1182 * We are stateless and we received a CCS. Probably this is
1183 * from a client between the first and second ClientHellos.
1184 * We should ignore this, but return an error because we do
1185 * not return success until we see the second ClientHello
1186 * with a valid cookie.
1187 */
1188 return 0;
1189 }
1190 s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1191 s->init_num = readbytes - 1;
1192 s->init_msg = s->init_buf->data;
1193 s->s3->tmp.message_size = readbytes;
1194 return 1;
1195 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1196 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1197 SSL_F_TLS_GET_MESSAGE_HEADER,
1198 SSL_R_CCS_RECEIVED_EARLY);
1199 return 0;
1200 }
1201 s->init_num += readbytes;
1202 }
1203
1204 skip_message = 0;
1205 if (!s->server)
1206 if (s->statem.hand_state != TLS_ST_OK
1207 && p[0] == SSL3_MT_HELLO_REQUEST)
1208 /*
1209 * The server may always send 'Hello Request' messages --
1210 * we are doing a handshake anyway now, so ignore them if
1211 * their format is correct. Does not count for 'Finished'
1212 * MAC.
1213 */
1214 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1215 s->init_num = 0;
1216 skip_message = 1;
1217
1218 if (s->msg_callback)
1219 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1220 p, SSL3_HM_HEADER_LENGTH, s,
1221 s->msg_callback_arg);
1222 }
1223 } while (skip_message);
1224 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1225
1226 *mt = *p;
1227 s->s3->tmp.message_type = *(p++);
1228
1229 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1230 /*
1231 * Only happens with SSLv3+ in an SSLv2 backward compatible
1232 * ClientHello
1233 *
1234 * Total message size is the remaining record bytes to read
1235 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1236 */
1237 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1238 + SSL3_HM_HEADER_LENGTH;
1239 s->s3->tmp.message_size = l;
1240
1241 s->init_msg = s->init_buf->data;
1242 s->init_num = SSL3_HM_HEADER_LENGTH;
1243 } else {
1244 n2l3(p, l);
1245 /* BUF_MEM_grow takes an 'int' parameter */
1246 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1247 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
1248 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1249 return 0;
1250 }
1251 s->s3->tmp.message_size = l;
1252
1253 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1254 s->init_num = 0;
1255 }
1256
1257 return 1;
1258 }
1259
tls_get_message_body(SSL * s,size_t * len)1260 int tls_get_message_body(SSL *s, size_t *len)
1261 {
1262 size_t n, readbytes;
1263 unsigned char *p;
1264 int i;
1265
1266 if (s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1267 /* We've already read everything in */
1268 *len = (unsigned long)s->init_num;
1269 return 1;
1270 }
1271
1272 p = s->init_msg;
1273 n = s->s3->tmp.message_size - s->init_num;
1274 while (n > 0) {
1275 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1276 &p[s->init_num], n, 0, &readbytes);
1277 if (i <= 0) {
1278 s->rwstate = SSL_READING;
1279 *len = 0;
1280 return 0;
1281 }
1282 s->init_num += readbytes;
1283 n -= readbytes;
1284 }
1285
1286 /*
1287 * If receiving Finished, record MAC of prior handshake messages for
1288 * Finished verification.
1289 */
1290 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1291 /* SSLfatal() already called */
1292 *len = 0;
1293 return 0;
1294 }
1295
1296 /* Feed this message into MAC computation. */
1297 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1298 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1299 s->init_num)) {
1300 /* SSLfatal() already called */
1301 *len = 0;
1302 return 0;
1303 }
1304 if (s->msg_callback)
1305 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1306 (size_t)s->init_num, s, s->msg_callback_arg);
1307 } else {
1308 /*
1309 * We defer feeding in the HRR until later. We'll do it as part of
1310 * processing the message
1311 * The TLsv1.3 handshake transcript stops at the ClientFinished
1312 * message.
1313 */
1314 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1315 /* KeyUpdate and NewSessionTicket do not need to be added */
1316 if (!SSL_IS_TLS13(s) || (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1317 && s->s3->tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1318 if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO
1319 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1320 || memcmp(hrrrandom,
1321 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1322 SSL3_RANDOM_SIZE) != 0) {
1323 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1324 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1325 /* SSLfatal() already called */
1326 *len = 0;
1327 return 0;
1328 }
1329 }
1330 }
1331 if (s->msg_callback)
1332 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1333 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1334 s->msg_callback_arg);
1335 }
1336
1337 *len = s->init_num;
1338 return 1;
1339 }
1340
1341 static const X509ERR2ALERT x509table[] = {
1342 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1343 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1344 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
1345 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1346 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1347 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1348 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1349 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1350 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1351 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1352 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1353 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1354 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1355 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1356 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1357 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1358 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1359 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1360 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1361 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1362 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1363 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1364 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1365 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1366 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1367 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1368 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1369 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1370 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1371 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1372 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1373 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1374 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1375 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1376 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1377 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1378 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1379 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1380 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1381 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1382
1383 /* Last entry; return this if we don't find the value above. */
1384 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1385 };
1386
ssl_x509err2alert(int x509err)1387 int ssl_x509err2alert(int x509err)
1388 {
1389 const X509ERR2ALERT *tp;
1390
1391 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1392 if (tp->x509err == x509err)
1393 break;
1394 return tp->alert;
1395 }
1396
ssl_allow_compression(SSL * s)1397 int ssl_allow_compression(SSL *s)
1398 {
1399 if (s->options & SSL_OP_NO_COMPRESSION)
1400 return 0;
1401 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1402 }
1403
version_cmp(const SSL * s,int a,int b)1404 static int version_cmp(const SSL *s, int a, int b)
1405 {
1406 int dtls = SSL_IS_DTLS(s);
1407
1408 if (a == b)
1409 return 0;
1410 if (!dtls)
1411 return a < b ? -1 : 1;
1412 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1413 }
1414
1415 typedef struct {
1416 int version;
1417 const SSL_METHOD *(*cmeth) (void);
1418 const SSL_METHOD *(*smeth) (void);
1419 } version_info;
1420
1421 #if TLS_MAX_VERSION != TLS1_3_VERSION
1422 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1423 #endif
1424
1425 /* Must be in order high to low */
1426 static const version_info tls_version_table[] = {
1427 #ifndef OPENSSL_NO_TLS1_3
1428 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1429 #else
1430 {TLS1_3_VERSION, NULL, NULL},
1431 #endif
1432 #ifndef OPENSSL_NO_TLS1_2
1433 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1434 #else
1435 {TLS1_2_VERSION, NULL, NULL},
1436 #endif
1437 #ifndef OPENSSL_NO_TLS1_1
1438 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1439 #else
1440 {TLS1_1_VERSION, NULL, NULL},
1441 #endif
1442 #ifndef OPENSSL_NO_TLS1
1443 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1444 #else
1445 {TLS1_VERSION, NULL, NULL},
1446 #endif
1447 #ifndef OPENSSL_NO_SSL3
1448 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1449 #else
1450 {SSL3_VERSION, NULL, NULL},
1451 #endif
1452 {0, NULL, NULL},
1453 };
1454
1455 #if DTLS_MAX_VERSION != DTLS1_2_VERSION
1456 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1457 #endif
1458
1459 /* Must be in order high to low */
1460 static const version_info dtls_version_table[] = {
1461 #ifndef OPENSSL_NO_DTLS1_2
1462 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1463 #else
1464 {DTLS1_2_VERSION, NULL, NULL},
1465 #endif
1466 #ifndef OPENSSL_NO_DTLS1
1467 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1468 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1469 #else
1470 {DTLS1_VERSION, NULL, NULL},
1471 {DTLS1_BAD_VER, NULL, NULL},
1472 #endif
1473 {0, NULL, NULL},
1474 };
1475
1476 /*
1477 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1478 *
1479 * @s: The SSL handle for the candidate method
1480 * @method: the intended method.
1481 *
1482 * Returns 0 on success, or an SSL error reason on failure.
1483 */
ssl_method_error(const SSL * s,const SSL_METHOD * method)1484 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1485 {
1486 int version = method->version;
1487
1488 if ((s->min_proto_version != 0 &&
1489 version_cmp(s, version, s->min_proto_version) < 0) ||
1490 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1491 return SSL_R_VERSION_TOO_LOW;
1492
1493 if (s->max_proto_version != 0 &&
1494 version_cmp(s, version, s->max_proto_version) > 0)
1495 return SSL_R_VERSION_TOO_HIGH;
1496
1497 if ((s->options & method->mask) != 0)
1498 return SSL_R_UNSUPPORTED_PROTOCOL;
1499 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1500 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1501
1502 return 0;
1503 }
1504
1505 /*
1506 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1507 * certificate type, or has PSK or a certificate callback configured, or has
1508 * a servername callback configured. Otherwise returns 0.
1509 */
is_tls13_capable(const SSL * s)1510 static int is_tls13_capable(const SSL *s)
1511 {
1512 int i;
1513 #ifndef OPENSSL_NO_EC
1514 int curve;
1515 EC_KEY *eckey;
1516 #endif
1517
1518 if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
1519 return 0;
1520
1521 /*
1522 * A servername callback can change the available certs, so if a servername
1523 * cb is set then we just assume TLSv1.3 will be ok
1524 */
1525 if (s->ctx->ext.servername_cb != NULL
1526 || s->session_ctx->ext.servername_cb != NULL)
1527 return 1;
1528
1529 #ifndef OPENSSL_NO_PSK
1530 if (s->psk_server_callback != NULL)
1531 return 1;
1532 #endif
1533
1534 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1535 return 1;
1536
1537 for (i = 0; i < SSL_PKEY_NUM; i++) {
1538 /* Skip over certs disallowed for TLSv1.3 */
1539 switch (i) {
1540 case SSL_PKEY_DSA_SIGN:
1541 case SSL_PKEY_GOST01:
1542 case SSL_PKEY_GOST12_256:
1543 case SSL_PKEY_GOST12_512:
1544 continue;
1545 default:
1546 break;
1547 }
1548 if (!ssl_has_cert(s, i))
1549 continue;
1550 #ifndef OPENSSL_NO_EC
1551 if (i != SSL_PKEY_ECC)
1552 return 1;
1553 /*
1554 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1555 * more restrictive so check that our sig algs are consistent with this
1556 * EC cert. See section 4.2.3 of RFC8446.
1557 */
1558 eckey = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1559 if (eckey == NULL)
1560 continue;
1561 curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
1562 if (tls_check_sigalg_curve(s, curve))
1563 return 1;
1564 #else
1565 return 1;
1566 #endif
1567 }
1568
1569 return 0;
1570 }
1571
1572 /*
1573 * ssl_version_supported - Check that the specified `version` is supported by
1574 * `SSL *` instance
1575 *
1576 * @s: The SSL handle for the candidate method
1577 * @version: Protocol version to test against
1578 *
1579 * Returns 1 when supported, otherwise 0
1580 */
ssl_version_supported(const SSL * s,int version,const SSL_METHOD ** meth)1581 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1582 {
1583 const version_info *vent;
1584 const version_info *table;
1585
1586 switch (s->method->version) {
1587 default:
1588 /* Version should match method version for non-ANY method */
1589 return version_cmp(s, version, s->version) == 0;
1590 case TLS_ANY_VERSION:
1591 table = tls_version_table;
1592 break;
1593 case DTLS_ANY_VERSION:
1594 table = dtls_version_table;
1595 break;
1596 }
1597
1598 for (vent = table;
1599 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1600 ++vent) {
1601 if (vent->cmeth != NULL
1602 && version_cmp(s, version, vent->version) == 0
1603 && ssl_method_error(s, vent->cmeth()) == 0
1604 && (!s->server
1605 || version != TLS1_3_VERSION
1606 || is_tls13_capable(s))) {
1607 if (meth != NULL)
1608 *meth = vent->cmeth();
1609 return 1;
1610 }
1611 }
1612 return 0;
1613 }
1614
1615 /*
1616 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1617 * fallback indication from a client check whether we're using the highest
1618 * supported protocol version.
1619 *
1620 * @s server SSL handle.
1621 *
1622 * Returns 1 when using the highest enabled version, 0 otherwise.
1623 */
ssl_check_version_downgrade(SSL * s)1624 int ssl_check_version_downgrade(SSL *s)
1625 {
1626 const version_info *vent;
1627 const version_info *table;
1628
1629 /*
1630 * Check that the current protocol is the highest enabled version
1631 * (according to s->ctx->method, as version negotiation may have changed
1632 * s->method).
1633 */
1634 if (s->version == s->ctx->method->version)
1635 return 1;
1636
1637 /*
1638 * Apparently we're using a version-flexible SSL_METHOD (not at its
1639 * highest protocol version).
1640 */
1641 if (s->ctx->method->version == TLS_method()->version)
1642 table = tls_version_table;
1643 else if (s->ctx->method->version == DTLS_method()->version)
1644 table = dtls_version_table;
1645 else {
1646 /* Unexpected state; fail closed. */
1647 return 0;
1648 }
1649
1650 for (vent = table; vent->version != 0; ++vent) {
1651 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1652 return s->version == vent->version;
1653 }
1654 return 0;
1655 }
1656
1657 /*
1658 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1659 * protocols, provided the initial (D)TLS method is version-flexible. This
1660 * function sanity-checks the proposed value and makes sure the method is
1661 * version-flexible, then sets the limit if all is well.
1662 *
1663 * @method_version: The version of the current SSL_METHOD.
1664 * @version: the intended limit.
1665 * @bound: pointer to limit to be updated.
1666 *
1667 * Returns 1 on success, 0 on failure.
1668 */
ssl_set_version_bound(int method_version,int version,int * bound)1669 int ssl_set_version_bound(int method_version, int version, int *bound)
1670 {
1671 int valid_tls;
1672 int valid_dtls;
1673
1674 if (version == 0) {
1675 *bound = version;
1676 return 1;
1677 }
1678
1679 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION;
1680 valid_dtls =
1681 DTLS_VERSION_LE(version, DTLS_MAX_VERSION) &&
1682 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1683
1684 if (!valid_tls && !valid_dtls)
1685 return 0;
1686
1687 /*-
1688 * Restrict TLS methods to TLS protocol versions.
1689 * Restrict DTLS methods to DTLS protocol versions.
1690 * Note, DTLS version numbers are decreasing, use comparison macros.
1691 *
1692 * Note that for both lower-bounds we use explicit versions, not
1693 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1694 * configurations. If the MIN (supported) version ever rises, the user's
1695 * "floor" remains valid even if no longer available. We don't expect the
1696 * MAX ceiling to ever get lower, so making that variable makes sense.
1697 *
1698 * We ignore attempts to set bounds on version-inflexible methods,
1699 * returning success.
1700 */
1701 switch (method_version) {
1702 default:
1703 break;
1704
1705 case TLS_ANY_VERSION:
1706 if (valid_tls)
1707 *bound = version;
1708 break;
1709
1710 case DTLS_ANY_VERSION:
1711 if (valid_dtls)
1712 *bound = version;
1713 break;
1714 }
1715 return 1;
1716 }
1717
check_for_downgrade(SSL * s,int vers,DOWNGRADE * dgrd)1718 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1719 {
1720 if (vers == TLS1_2_VERSION
1721 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1722 *dgrd = DOWNGRADE_TO_1_2;
1723 } else if (!SSL_IS_DTLS(s)
1724 && vers < TLS1_2_VERSION
1725 /*
1726 * We need to ensure that a server that disables TLSv1.2
1727 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1728 * complete handshakes with clients that support TLSv1.2 and
1729 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1730 * enabled and TLSv1.2 is not.
1731 */
1732 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1733 *dgrd = DOWNGRADE_TO_1_1;
1734 } else {
1735 *dgrd = DOWNGRADE_NONE;
1736 }
1737 }
1738
1739 /*
1740 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1741 * client HELLO is received to select the final server protocol version and
1742 * the version specific method.
1743 *
1744 * @s: server SSL handle.
1745 *
1746 * Returns 0 on success or an SSL error reason number on failure.
1747 */
ssl_choose_server_version(SSL * s,CLIENTHELLO_MSG * hello,DOWNGRADE * dgrd)1748 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1749 {
1750 /*-
1751 * With version-flexible methods we have an initial state with:
1752 *
1753 * s->method->version == (D)TLS_ANY_VERSION,
1754 * s->version == (D)TLS_MAX_VERSION.
1755 *
1756 * So we detect version-flexible methods via the method version, not the
1757 * handle version.
1758 */
1759 int server_version = s->method->version;
1760 int client_version = hello->legacy_version;
1761 const version_info *vent;
1762 const version_info *table;
1763 int disabled = 0;
1764 RAW_EXTENSION *suppversions;
1765
1766 s->client_version = client_version;
1767
1768 switch (server_version) {
1769 default:
1770 if (!SSL_IS_TLS13(s)) {
1771 if (version_cmp(s, client_version, s->version) < 0)
1772 return SSL_R_WRONG_SSL_VERSION;
1773 *dgrd = DOWNGRADE_NONE;
1774 /*
1775 * If this SSL handle is not from a version flexible method we don't
1776 * (and never did) check min/max FIPS or Suite B constraints. Hope
1777 * that's OK. It is up to the caller to not choose fixed protocol
1778 * versions they don't want. If not, then easy to fix, just return
1779 * ssl_method_error(s, s->method)
1780 */
1781 return 0;
1782 }
1783 /*
1784 * Fall through if we are TLSv1.3 already (this means we must be after
1785 * a HelloRetryRequest
1786 */
1787 /* fall thru */
1788 case TLS_ANY_VERSION:
1789 table = tls_version_table;
1790 break;
1791 case DTLS_ANY_VERSION:
1792 table = dtls_version_table;
1793 break;
1794 }
1795
1796 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1797
1798 /* If we did an HRR then supported versions is mandatory */
1799 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1800 return SSL_R_UNSUPPORTED_PROTOCOL;
1801
1802 if (suppversions->present && !SSL_IS_DTLS(s)) {
1803 unsigned int candidate_vers = 0;
1804 unsigned int best_vers = 0;
1805 const SSL_METHOD *best_method = NULL;
1806 PACKET versionslist;
1807
1808 suppversions->parsed = 1;
1809
1810 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1811 /* Trailing or invalid data? */
1812 return SSL_R_LENGTH_MISMATCH;
1813 }
1814
1815 /*
1816 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1817 * The spec only requires servers to check that it isn't SSLv3:
1818 * "Any endpoint receiving a Hello message with
1819 * ClientHello.legacy_version or ServerHello.legacy_version set to
1820 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1821 * We are slightly stricter and require that it isn't SSLv3 or lower.
1822 * We tolerate TLSv1 and TLSv1.1.
1823 */
1824 if (client_version <= SSL3_VERSION)
1825 return SSL_R_BAD_LEGACY_VERSION;
1826
1827 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1828 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1829 continue;
1830 if (ssl_version_supported(s, candidate_vers, &best_method))
1831 best_vers = candidate_vers;
1832 }
1833 if (PACKET_remaining(&versionslist) != 0) {
1834 /* Trailing data? */
1835 return SSL_R_LENGTH_MISMATCH;
1836 }
1837
1838 if (best_vers > 0) {
1839 if (s->hello_retry_request != SSL_HRR_NONE) {
1840 /*
1841 * This is after a HelloRetryRequest so we better check that we
1842 * negotiated TLSv1.3
1843 */
1844 if (best_vers != TLS1_3_VERSION)
1845 return SSL_R_UNSUPPORTED_PROTOCOL;
1846 return 0;
1847 }
1848 check_for_downgrade(s, best_vers, dgrd);
1849 s->version = best_vers;
1850 s->method = best_method;
1851 return 0;
1852 }
1853 return SSL_R_UNSUPPORTED_PROTOCOL;
1854 }
1855
1856 /*
1857 * If the supported versions extension isn't present, then the highest
1858 * version we can negotiate is TLSv1.2
1859 */
1860 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1861 client_version = TLS1_2_VERSION;
1862
1863 /*
1864 * No supported versions extension, so we just use the version supplied in
1865 * the ClientHello.
1866 */
1867 for (vent = table; vent->version != 0; ++vent) {
1868 const SSL_METHOD *method;
1869
1870 if (vent->smeth == NULL ||
1871 version_cmp(s, client_version, vent->version) < 0)
1872 continue;
1873 method = vent->smeth();
1874 if (ssl_method_error(s, method) == 0) {
1875 check_for_downgrade(s, vent->version, dgrd);
1876 s->version = vent->version;
1877 s->method = method;
1878 return 0;
1879 }
1880 disabled = 1;
1881 }
1882 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1883 }
1884
1885 /*
1886 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1887 * server HELLO is received to select the final client protocol version and
1888 * the version specific method.
1889 *
1890 * @s: client SSL handle.
1891 * @version: The proposed version from the server's HELLO.
1892 * @extensions: The extensions received
1893 *
1894 * Returns 1 on success or 0 on error.
1895 */
ssl_choose_client_version(SSL * s,int version,RAW_EXTENSION * extensions)1896 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1897 {
1898 const version_info *vent;
1899 const version_info *table;
1900 int ret, ver_min, ver_max, real_max, origv;
1901
1902 origv = s->version;
1903 s->version = version;
1904
1905 /* This will overwrite s->version if the extension is present */
1906 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1907 SSL_EXT_TLS1_2_SERVER_HELLO
1908 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1909 NULL, 0)) {
1910 s->version = origv;
1911 return 0;
1912 }
1913
1914 if (s->hello_retry_request != SSL_HRR_NONE
1915 && s->version != TLS1_3_VERSION) {
1916 s->version = origv;
1917 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1918 SSL_R_WRONG_SSL_VERSION);
1919 return 0;
1920 }
1921
1922 switch (s->method->version) {
1923 default:
1924 if (s->version != s->method->version) {
1925 s->version = origv;
1926 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1927 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1928 SSL_R_WRONG_SSL_VERSION);
1929 return 0;
1930 }
1931 /*
1932 * If this SSL handle is not from a version flexible method we don't
1933 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1934 * that's OK. It is up to the caller to not choose fixed protocol
1935 * versions they don't want. If not, then easy to fix, just return
1936 * ssl_method_error(s, s->method)
1937 */
1938 return 1;
1939 case TLS_ANY_VERSION:
1940 table = tls_version_table;
1941 break;
1942 case DTLS_ANY_VERSION:
1943 table = dtls_version_table;
1944 break;
1945 }
1946
1947 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1948 if (ret != 0) {
1949 s->version = origv;
1950 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1951 SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
1952 return 0;
1953 }
1954 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1955 : s->version < ver_min) {
1956 s->version = origv;
1957 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1958 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1959 return 0;
1960 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1961 : s->version > ver_max) {
1962 s->version = origv;
1963 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1964 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1965 return 0;
1966 }
1967
1968 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1969 real_max = ver_max;
1970
1971 /* Check for downgrades */
1972 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1973 if (memcmp(tls12downgrade,
1974 s->s3->server_random + SSL3_RANDOM_SIZE
1975 - sizeof(tls12downgrade),
1976 sizeof(tls12downgrade)) == 0) {
1977 s->version = origv;
1978 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1979 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1980 SSL_R_INAPPROPRIATE_FALLBACK);
1981 return 0;
1982 }
1983 } else if (!SSL_IS_DTLS(s)
1984 && s->version < TLS1_2_VERSION
1985 && real_max > s->version) {
1986 if (memcmp(tls11downgrade,
1987 s->s3->server_random + SSL3_RANDOM_SIZE
1988 - sizeof(tls11downgrade),
1989 sizeof(tls11downgrade)) == 0) {
1990 s->version = origv;
1991 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1992 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1993 SSL_R_INAPPROPRIATE_FALLBACK);
1994 return 0;
1995 }
1996 }
1997
1998 for (vent = table; vent->version != 0; ++vent) {
1999 if (vent->cmeth == NULL || s->version != vent->version)
2000 continue;
2001
2002 s->method = vent->cmeth();
2003 return 1;
2004 }
2005
2006 s->version = origv;
2007 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2008 SSL_R_UNSUPPORTED_PROTOCOL);
2009 return 0;
2010 }
2011
2012 /*
2013 * ssl_get_min_max_version - get minimum and maximum protocol version
2014 * @s: The SSL connection
2015 * @min_version: The minimum supported version
2016 * @max_version: The maximum supported version
2017 * @real_max: The highest version below the lowest compile time version hole
2018 * where that hole lies above at least one run-time enabled
2019 * protocol.
2020 *
2021 * Work out what version we should be using for the initial ClientHello if the
2022 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2023 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2024 * constraints and any floor imposed by the security level here,
2025 * so we don't advertise the wrong protocol version to only reject the outcome later.
2026 *
2027 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2028 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2029 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2030 *
2031 * Returns 0 on success or an SSL error reason number on failure. On failure
2032 * min_version and max_version will also be set to 0.
2033 */
ssl_get_min_max_version(const SSL * s,int * min_version,int * max_version,int * real_max)2034 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2035 int *real_max)
2036 {
2037 int version, tmp_real_max;
2038 int hole;
2039 const SSL_METHOD *single = NULL;
2040 const SSL_METHOD *method;
2041 const version_info *table;
2042 const version_info *vent;
2043
2044 switch (s->method->version) {
2045 default:
2046 /*
2047 * If this SSL handle is not from a version flexible method we don't
2048 * (and never did) check min/max FIPS or Suite B constraints. Hope
2049 * that's OK. It is up to the caller to not choose fixed protocol
2050 * versions they don't want. If not, then easy to fix, just return
2051 * ssl_method_error(s, s->method)
2052 */
2053 *min_version = *max_version = s->version;
2054 /*
2055 * Providing a real_max only makes sense where we're using a version
2056 * flexible method.
2057 */
2058 if (!ossl_assert(real_max == NULL))
2059 return ERR_R_INTERNAL_ERROR;
2060 return 0;
2061 case TLS_ANY_VERSION:
2062 table = tls_version_table;
2063 break;
2064 case DTLS_ANY_VERSION:
2065 table = dtls_version_table;
2066 break;
2067 }
2068
2069 /*
2070 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2071 * below X enabled. This is required in order to maintain the "version
2072 * capability" vector contiguous. Any versions with a NULL client method
2073 * (protocol version client is disabled at compile-time) is also a "hole".
2074 *
2075 * Our initial state is hole == 1, version == 0. That is, versions above
2076 * the first version in the method table are disabled (a "hole" above
2077 * the valid protocol entries) and we don't have a selected version yet.
2078 *
2079 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2080 * the selected version, and the method becomes a candidate "single"
2081 * method. We're no longer in a hole, so "hole" becomes 0.
2082 *
2083 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2084 * as we support a contiguous range of at least two methods. If we hit
2085 * a disabled method, then hole becomes true again, but nothing else
2086 * changes yet, because all the remaining methods may be disabled too.
2087 * If we again hit an enabled method after the new hole, it becomes
2088 * selected, as we start from scratch.
2089 */
2090 *min_version = version = 0;
2091 hole = 1;
2092 if (real_max != NULL)
2093 *real_max = 0;
2094 tmp_real_max = 0;
2095 for (vent = table; vent->version != 0; ++vent) {
2096 /*
2097 * A table entry with a NULL client method is still a hole in the
2098 * "version capability" vector.
2099 */
2100 if (vent->cmeth == NULL) {
2101 hole = 1;
2102 tmp_real_max = 0;
2103 continue;
2104 }
2105 method = vent->cmeth();
2106
2107 if (hole == 1 && tmp_real_max == 0)
2108 tmp_real_max = vent->version;
2109
2110 if (ssl_method_error(s, method) != 0) {
2111 hole = 1;
2112 } else if (!hole) {
2113 single = NULL;
2114 *min_version = method->version;
2115 } else {
2116 if (real_max != NULL && tmp_real_max != 0)
2117 *real_max = tmp_real_max;
2118 version = (single = method)->version;
2119 *min_version = version;
2120 hole = 0;
2121 }
2122 }
2123
2124 *max_version = version;
2125
2126 /* Fail if everything is disabled */
2127 if (version == 0)
2128 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2129
2130 return 0;
2131 }
2132
2133 /*
2134 * ssl_set_client_hello_version - Work out what version we should be using for
2135 * the initial ClientHello.legacy_version field.
2136 *
2137 * @s: client SSL handle.
2138 *
2139 * Returns 0 on success or an SSL error reason number on failure.
2140 */
ssl_set_client_hello_version(SSL * s)2141 int ssl_set_client_hello_version(SSL *s)
2142 {
2143 int ver_min, ver_max, ret;
2144
2145 /*
2146 * In a renegotiation we always send the same client_version that we sent
2147 * last time, regardless of which version we eventually negotiated.
2148 */
2149 if (!SSL_IS_FIRST_HANDSHAKE(s))
2150 return 0;
2151
2152 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2153
2154 if (ret != 0)
2155 return ret;
2156
2157 s->version = ver_max;
2158
2159 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2160 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2161 ver_max = TLS1_2_VERSION;
2162
2163 s->client_version = ver_max;
2164 return 0;
2165 }
2166
2167 /*
2168 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2169 * and |checkallow| is 1 then additionally check if the group is allowed to be
2170 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2171 * 1) or 0 otherwise.
2172 */
2173 #ifndef OPENSSL_NO_EC
check_in_list(SSL * s,uint16_t group_id,const uint16_t * groups,size_t num_groups,int checkallow)2174 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2175 size_t num_groups, int checkallow)
2176 {
2177 size_t i;
2178
2179 if (groups == NULL || num_groups == 0)
2180 return 0;
2181
2182 for (i = 0; i < num_groups; i++) {
2183 uint16_t group = groups[i];
2184
2185 if (group_id == group
2186 && (!checkallow
2187 || tls_curve_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2188 return 1;
2189 }
2190 }
2191
2192 return 0;
2193 }
2194 #endif
2195
2196 /* Replace ClientHello1 in the transcript hash with a synthetic message */
create_synthetic_message_hash(SSL * s,const unsigned char * hashval,size_t hashlen,const unsigned char * hrr,size_t hrrlen)2197 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2198 size_t hashlen, const unsigned char *hrr,
2199 size_t hrrlen)
2200 {
2201 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2202 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2203
2204 memset(msghdr, 0, sizeof(msghdr));
2205
2206 if (hashval == NULL) {
2207 hashval = hashvaltmp;
2208 hashlen = 0;
2209 /* Get the hash of the initial ClientHello */
2210 if (!ssl3_digest_cached_records(s, 0)
2211 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2212 &hashlen)) {
2213 /* SSLfatal() already called */
2214 return 0;
2215 }
2216 }
2217
2218 /* Reinitialise the transcript hash */
2219 if (!ssl3_init_finished_mac(s)) {
2220 /* SSLfatal() already called */
2221 return 0;
2222 }
2223
2224 /* Inject the synthetic message_hash message */
2225 msghdr[0] = SSL3_MT_MESSAGE_HASH;
2226 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2227 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2228 || !ssl3_finish_mac(s, hashval, hashlen)) {
2229 /* SSLfatal() already called */
2230 return 0;
2231 }
2232
2233 /*
2234 * Now re-inject the HRR and current message if appropriate (we just deleted
2235 * it when we reinitialised the transcript hash above). Only necessary after
2236 * receiving a ClientHello2 with a cookie.
2237 */
2238 if (hrr != NULL
2239 && (!ssl3_finish_mac(s, hrr, hrrlen)
2240 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2241 s->s3->tmp.message_size
2242 + SSL3_HM_HEADER_LENGTH))) {
2243 /* SSLfatal() already called */
2244 return 0;
2245 }
2246
2247 return 1;
2248 }
2249
ca_dn_cmp(const X509_NAME * const * a,const X509_NAME * const * b)2250 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2251 {
2252 return X509_NAME_cmp(*a, *b);
2253 }
2254
parse_ca_names(SSL * s,PACKET * pkt)2255 int parse_ca_names(SSL *s, PACKET *pkt)
2256 {
2257 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2258 X509_NAME *xn = NULL;
2259 PACKET cadns;
2260
2261 if (ca_sk == NULL) {
2262 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2263 ERR_R_MALLOC_FAILURE);
2264 goto err;
2265 }
2266 /* get the CA RDNs */
2267 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2268 SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
2269 SSL_R_LENGTH_MISMATCH);
2270 goto err;
2271 }
2272
2273 while (PACKET_remaining(&cadns)) {
2274 const unsigned char *namestart, *namebytes;
2275 unsigned int name_len;
2276
2277 if (!PACKET_get_net_2(&cadns, &name_len)
2278 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2279 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2280 SSL_R_LENGTH_MISMATCH);
2281 goto err;
2282 }
2283
2284 namestart = namebytes;
2285 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2286 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2287 ERR_R_ASN1_LIB);
2288 goto err;
2289 }
2290 if (namebytes != (namestart + name_len)) {
2291 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2292 SSL_R_CA_DN_LENGTH_MISMATCH);
2293 goto err;
2294 }
2295
2296 if (!sk_X509_NAME_push(ca_sk, xn)) {
2297 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2298 ERR_R_MALLOC_FAILURE);
2299 goto err;
2300 }
2301 xn = NULL;
2302 }
2303
2304 sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
2305 s->s3->tmp.peer_ca_names = ca_sk;
2306
2307 return 1;
2308
2309 err:
2310 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2311 X509_NAME_free(xn);
2312 return 0;
2313 }
2314
STACK_OF(X509_NAME)2315 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2316 {
2317 const STACK_OF(X509_NAME) *ca_sk = NULL;;
2318
2319 if (s->server) {
2320 ca_sk = SSL_get_client_CA_list(s);
2321 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2322 ca_sk = NULL;
2323 }
2324
2325 if (ca_sk == NULL)
2326 ca_sk = SSL_get0_CA_list(s);
2327
2328 return ca_sk;
2329 }
2330
construct_ca_names(SSL * s,const STACK_OF (X509_NAME)* ca_sk,WPACKET * pkt)2331 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2332 {
2333 /* Start sub-packet for client CA list */
2334 if (!WPACKET_start_sub_packet_u16(pkt)) {
2335 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2336 ERR_R_INTERNAL_ERROR);
2337 return 0;
2338 }
2339
2340 if (ca_sk != NULL) {
2341 int i;
2342
2343 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2344 unsigned char *namebytes;
2345 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2346 int namelen;
2347
2348 if (name == NULL
2349 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2350 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2351 &namebytes)
2352 || i2d_X509_NAME(name, &namebytes) != namelen) {
2353 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2354 ERR_R_INTERNAL_ERROR);
2355 return 0;
2356 }
2357 }
2358 }
2359
2360 if (!WPACKET_close(pkt)) {
2361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2362 ERR_R_INTERNAL_ERROR);
2363 return 0;
2364 }
2365
2366 return 1;
2367 }
2368
2369 /* Create a buffer containing data to be signed for server key exchange */
construct_key_exchange_tbs(SSL * s,unsigned char ** ptbs,const void * param,size_t paramlen)2370 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2371 const void *param, size_t paramlen)
2372 {
2373 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2374 unsigned char *tbs = OPENSSL_malloc(tbslen);
2375
2376 if (tbs == NULL) {
2377 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
2378 ERR_R_MALLOC_FAILURE);
2379 return 0;
2380 }
2381 memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE);
2382 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE);
2383
2384 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2385
2386 *ptbs = tbs;
2387 return tbslen;
2388 }
2389
2390 /*
2391 * Saves the current handshake digest for Post-Handshake Auth,
2392 * Done after ClientFinished is processed, done exactly once
2393 */
tls13_save_handshake_digest_for_pha(SSL * s)2394 int tls13_save_handshake_digest_for_pha(SSL *s)
2395 {
2396 if (s->pha_dgst == NULL) {
2397 if (!ssl3_digest_cached_records(s, 1))
2398 /* SSLfatal() already called */
2399 return 0;
2400
2401 s->pha_dgst = EVP_MD_CTX_new();
2402 if (s->pha_dgst == NULL) {
2403 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2404 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2405 ERR_R_INTERNAL_ERROR);
2406 return 0;
2407 }
2408 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2409 s->s3->handshake_dgst)) {
2410 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2411 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2412 ERR_R_INTERNAL_ERROR);
2413 EVP_MD_CTX_free(s->pha_dgst);
2414 s->pha_dgst = NULL;
2415 return 0;
2416 }
2417 }
2418 return 1;
2419 }
2420
2421 /*
2422 * Restores the Post-Handshake Auth handshake digest
2423 * Done just before sending/processing the Cert Request
2424 */
tls13_restore_handshake_digest_for_pha(SSL * s)2425 int tls13_restore_handshake_digest_for_pha(SSL *s)
2426 {
2427 if (s->pha_dgst == NULL) {
2428 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2429 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2430 ERR_R_INTERNAL_ERROR);
2431 return 0;
2432 }
2433 if (!EVP_MD_CTX_copy_ex(s->s3->handshake_dgst,
2434 s->pha_dgst)) {
2435 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2436 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2437 ERR_R_INTERNAL_ERROR);
2438 return 0;
2439 }
2440 return 1;
2441 }
2442