1 /*
2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include <limits.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/objects.h>
19 #include <openssl/evp.h>
20 #include <openssl/rsa.h>
21 #include <openssl/x509.h>
22 #include <openssl/trace.h>
23
24 /*
25 * Map error codes to TLS/SSL alart types.
26 */
27 typedef struct x509err2alert_st {
28 int x509err;
29 int alert;
30 } X509ERR2ALERT;
31
32 /* Fixed value used in the ServerHello random field to identify an HRR */
33 const unsigned char hrrrandom[] = {
34 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37 };
38
39 /*
40 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41 * SSL3_RT_CHANGE_CIPHER_SPEC)
42 */
ssl3_do_write(SSL * s,int type)43 int ssl3_do_write(SSL *s, int type)
44 {
45 int ret;
46 size_t written = 0;
47
48 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
49 s->init_num, &written);
50 if (ret < 0)
51 return -1;
52 if (type == SSL3_RT_HANDSHAKE)
53 /*
54 * should not be done for 'Hello Request's, but in that case we'll
55 * ignore the result anyway
56 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
57 */
58 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
59 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
60 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
61 if (!ssl3_finish_mac(s,
62 (unsigned char *)&s->init_buf->data[s->init_off],
63 written))
64 return -1;
65 if (written == s->init_num) {
66 if (s->msg_callback)
67 s->msg_callback(1, s->version, type, s->init_buf->data,
68 (size_t)(s->init_off + s->init_num), s,
69 s->msg_callback_arg);
70 return 1;
71 }
72 s->init_off += written;
73 s->init_num -= written;
74 return 0;
75 }
76
tls_close_construct_packet(SSL * s,WPACKET * pkt,int htype)77 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
78 {
79 size_t msglen;
80
81 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
82 || !WPACKET_get_length(pkt, &msglen)
83 || msglen > INT_MAX)
84 return 0;
85 s->init_num = (int)msglen;
86 s->init_off = 0;
87
88 return 1;
89 }
90
tls_setup_handshake(SSL * s)91 int tls_setup_handshake(SSL *s)
92 {
93 int ver_min, ver_max, ok;
94
95 if (!ssl3_init_finished_mac(s)) {
96 /* SSLfatal() already called */
97 return 0;
98 }
99
100 /* Reset any extension flags */
101 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
102
103 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
104 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
105 return 0;
106 }
107
108 /* Sanity check that we have MD5-SHA1 if we need it */
109 if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
110 int md5sha1_needed = 0;
111
112 /* We don't have MD5-SHA1 - do we need it? */
113 if (SSL_IS_DTLS(s)) {
114 if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
115 md5sha1_needed = 1;
116 } else {
117 if (ver_max <= TLS1_1_VERSION)
118 md5sha1_needed = 1;
119 }
120 if (md5sha1_needed) {
121 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
122 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
123 "The max supported SSL/TLS version needs the"
124 " MD5-SHA1 digest but it is not available"
125 " in the loaded providers. Use (D)TLSv1.2 or"
126 " above, or load different providers");
127 return 0;
128 }
129
130 ok = 1;
131 /* Don't allow TLSv1.1 or below to be negotiated */
132 if (SSL_IS_DTLS(s)) {
133 if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
134 ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION);
135 } else {
136 if (ver_min < TLS1_2_VERSION)
137 ok = SSL_set_min_proto_version(s, TLS1_2_VERSION);
138 }
139 if (!ok) {
140 /* Shouldn't happen */
141 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
142 return 0;
143 }
144 }
145
146 ok = 0;
147 if (s->server) {
148 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
149 int i;
150
151 /*
152 * Sanity check that the maximum version we accept has ciphers
153 * enabled. For clients we do this check during construction of the
154 * ClientHello.
155 */
156 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
157 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
158
159 if (SSL_IS_DTLS(s)) {
160 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
161 DTLS_VERSION_LE(ver_max, c->max_dtls))
162 ok = 1;
163 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
164 ok = 1;
165 }
166 if (ok)
167 break;
168 }
169 if (!ok) {
170 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
171 SSL_R_NO_CIPHERS_AVAILABLE,
172 "No ciphers enabled for max supported "
173 "SSL/TLS version");
174 return 0;
175 }
176 if (SSL_IS_FIRST_HANDSHAKE(s)) {
177 /* N.B. s->session_ctx == s->ctx here */
178 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
179 } else {
180 /* N.B. s->ctx may not equal s->session_ctx */
181 ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_renegotiate);
182
183 s->s3.tmp.cert_request = 0;
184 }
185 } else {
186 if (SSL_IS_FIRST_HANDSHAKE(s))
187 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
188 else
189 ssl_tsan_counter(s->session_ctx,
190 &s->session_ctx->stats.sess_connect_renegotiate);
191
192 /* mark client_random uninitialized */
193 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
194 s->hit = 0;
195
196 s->s3.tmp.cert_req = 0;
197
198 if (SSL_IS_DTLS(s))
199 s->statem.use_timer = 1;
200 }
201
202 return 1;
203 }
204
205 /*
206 * Size of the to-be-signed TLS13 data, without the hash size itself:
207 * 64 bytes of value 32, 33 context bytes, 1 byte separator
208 */
209 #define TLS13_TBS_START_SIZE 64
210 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
211
get_cert_verify_tbs_data(SSL * s,unsigned char * tls13tbs,void ** hdata,size_t * hdatalen)212 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
213 void **hdata, size_t *hdatalen)
214 {
215 #ifdef CHARSET_EBCDIC
216 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
217 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
218 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
219 0x69, 0x66, 0x79, 0x00 };
220 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
221 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
222 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
223 0x69, 0x66, 0x79, 0x00 };
224 #else
225 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
226 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
227 #endif
228 if (SSL_IS_TLS13(s)) {
229 size_t hashlen;
230
231 /* Set the first 64 bytes of to-be-signed data to octet 32 */
232 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
233 /* This copies the 33 bytes of context plus the 0 separator byte */
234 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
235 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
236 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
237 else
238 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
239
240 /*
241 * If we're currently reading then we need to use the saved handshake
242 * hash value. We can't use the current handshake hash state because
243 * that includes the CertVerify itself.
244 */
245 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
246 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
247 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
248 s->cert_verify_hash_len);
249 hashlen = s->cert_verify_hash_len;
250 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
251 EVP_MAX_MD_SIZE, &hashlen)) {
252 /* SSLfatal() already called */
253 return 0;
254 }
255
256 *hdata = tls13tbs;
257 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
258 } else {
259 size_t retlen;
260 long retlen_l;
261
262 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
263 if (retlen_l <= 0) {
264 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
265 return 0;
266 }
267 *hdatalen = retlen;
268 }
269
270 return 1;
271 }
272
tls_construct_cert_verify(SSL * s,WPACKET * pkt)273 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
274 {
275 EVP_PKEY *pkey = NULL;
276 const EVP_MD *md = NULL;
277 EVP_MD_CTX *mctx = NULL;
278 EVP_PKEY_CTX *pctx = NULL;
279 size_t hdatalen = 0, siglen = 0;
280 void *hdata;
281 unsigned char *sig = NULL;
282 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
283 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
284
285 if (lu == NULL || s->s3.tmp.cert == NULL) {
286 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
287 goto err;
288 }
289 pkey = s->s3.tmp.cert->privatekey;
290
291 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
292 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
293 goto err;
294 }
295
296 mctx = EVP_MD_CTX_new();
297 if (mctx == NULL) {
298 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
299 goto err;
300 }
301
302 /* Get the data to be signed */
303 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
304 /* SSLfatal() already called */
305 goto err;
306 }
307
308 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
309 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
310 goto err;
311 }
312
313 if (EVP_DigestSignInit_ex(mctx, &pctx,
314 md == NULL ? NULL : EVP_MD_get0_name(md),
315 s->ctx->libctx, s->ctx->propq, pkey,
316 NULL) <= 0) {
317 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
318 goto err;
319 }
320
321 if (lu->sig == EVP_PKEY_RSA_PSS) {
322 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
323 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
324 RSA_PSS_SALTLEN_DIGEST) <= 0) {
325 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
326 goto err;
327 }
328 }
329 if (s->version == SSL3_VERSION) {
330 /*
331 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
332 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
333 */
334 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
335 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
336 (int)s->session->master_key_length,
337 s->session->master_key) <= 0
338 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
339
340 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
341 goto err;
342 }
343 sig = OPENSSL_malloc(siglen);
344 if (sig == NULL
345 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
346 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
347 goto err;
348 }
349 } else {
350 /*
351 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
352 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
353 */
354 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
355 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
356 goto err;
357 }
358 sig = OPENSSL_malloc(siglen);
359 if (sig == NULL
360 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
362 goto err;
363 }
364 }
365
366 #ifndef OPENSSL_NO_GOST
367 {
368 int pktype = lu->sig;
369
370 if (pktype == NID_id_GostR3410_2001
371 || pktype == NID_id_GostR3410_2012_256
372 || pktype == NID_id_GostR3410_2012_512)
373 BUF_reverse(sig, NULL, siglen);
374 }
375 #endif
376
377 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
378 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
379 goto err;
380 }
381
382 /* Digest cached records and discard handshake buffer */
383 if (!ssl3_digest_cached_records(s, 0)) {
384 /* SSLfatal() already called */
385 goto err;
386 }
387
388 OPENSSL_free(sig);
389 EVP_MD_CTX_free(mctx);
390 return 1;
391 err:
392 OPENSSL_free(sig);
393 EVP_MD_CTX_free(mctx);
394 return 0;
395 }
396
tls_process_cert_verify(SSL * s,PACKET * pkt)397 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
398 {
399 EVP_PKEY *pkey = NULL;
400 const unsigned char *data;
401 #ifndef OPENSSL_NO_GOST
402 unsigned char *gost_data = NULL;
403 #endif
404 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
405 int j;
406 unsigned int len;
407 X509 *peer;
408 const EVP_MD *md = NULL;
409 size_t hdatalen = 0;
410 void *hdata;
411 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
412 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
413 EVP_PKEY_CTX *pctx = NULL;
414
415 if (mctx == NULL) {
416 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
417 goto err;
418 }
419
420 peer = s->session->peer;
421 pkey = X509_get0_pubkey(peer);
422 if (pkey == NULL) {
423 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
424 goto err;
425 }
426
427 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
428 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
429 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
430 goto err;
431 }
432
433 if (SSL_USE_SIGALGS(s)) {
434 unsigned int sigalg;
435
436 if (!PACKET_get_net_2(pkt, &sigalg)) {
437 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
438 goto err;
439 }
440 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
441 /* SSLfatal() already called */
442 goto err;
443 }
444 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
445 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
446 goto err;
447 }
448
449 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
450 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
451 goto err;
452 }
453
454 if (SSL_USE_SIGALGS(s))
455 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
456 md == NULL ? "n/a" : EVP_MD_get0_name(md));
457
458 /* Check for broken implementations of GOST ciphersuites */
459 /*
460 * If key is GOST and len is exactly 64 or 128, it is signature without
461 * length field (CryptoPro implementations at least till TLS 1.2)
462 */
463 #ifndef OPENSSL_NO_GOST
464 if (!SSL_USE_SIGALGS(s)
465 && ((PACKET_remaining(pkt) == 64
466 && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
467 || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
468 || (PACKET_remaining(pkt) == 128
469 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
470 len = PACKET_remaining(pkt);
471 } else
472 #endif
473 if (!PACKET_get_net_2(pkt, &len)) {
474 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
475 goto err;
476 }
477
478 if (!PACKET_get_bytes(pkt, &data, len)) {
479 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
480 goto err;
481 }
482
483 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
484 /* SSLfatal() already called */
485 goto err;
486 }
487
488 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
489 md == NULL ? "n/a" : EVP_MD_get0_name(md));
490
491 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
492 md == NULL ? NULL : EVP_MD_get0_name(md),
493 s->ctx->libctx, s->ctx->propq, pkey,
494 NULL) <= 0) {
495 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
496 goto err;
497 }
498 #ifndef OPENSSL_NO_GOST
499 {
500 int pktype = EVP_PKEY_get_id(pkey);
501 if (pktype == NID_id_GostR3410_2001
502 || pktype == NID_id_GostR3410_2012_256
503 || pktype == NID_id_GostR3410_2012_512) {
504 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
505 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
506 goto err;
507 }
508 BUF_reverse(gost_data, data, len);
509 data = gost_data;
510 }
511 }
512 #endif
513
514 if (SSL_USE_PSS(s)) {
515 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
516 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
517 RSA_PSS_SALTLEN_DIGEST) <= 0) {
518 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
519 goto err;
520 }
521 }
522 if (s->version == SSL3_VERSION) {
523 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
524 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
525 (int)s->session->master_key_length,
526 s->session->master_key) <= 0) {
527 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
528 goto err;
529 }
530 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
531 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
532 goto err;
533 }
534 } else {
535 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
536 if (j <= 0) {
537 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
538 goto err;
539 }
540 }
541
542 /*
543 * In TLSv1.3 on the client side we make sure we prepare the client
544 * certificate after the CertVerify instead of when we get the
545 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
546 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
547 * want to make sure that SSL_get1_peer_certificate() will return the actual
548 * server certificate from the client_cert_cb callback.
549 */
550 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
551 ret = MSG_PROCESS_CONTINUE_PROCESSING;
552 else
553 ret = MSG_PROCESS_CONTINUE_READING;
554 err:
555 BIO_free(s->s3.handshake_buffer);
556 s->s3.handshake_buffer = NULL;
557 EVP_MD_CTX_free(mctx);
558 #ifndef OPENSSL_NO_GOST
559 OPENSSL_free(gost_data);
560 #endif
561 return ret;
562 }
563
tls_construct_finished(SSL * s,WPACKET * pkt)564 int tls_construct_finished(SSL *s, WPACKET *pkt)
565 {
566 size_t finish_md_len;
567 const char *sender;
568 size_t slen;
569
570 /* This is a real handshake so make sure we clean it up at the end */
571 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
572 s->statem.cleanuphand = 1;
573
574 /*
575 * We only change the keys if we didn't already do this when we sent the
576 * client certificate
577 */
578 if (SSL_IS_TLS13(s)
579 && !s->server
580 && s->s3.tmp.cert_req == 0
581 && (!s->method->ssl3_enc->change_cipher_state(s,
582 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
583 /* SSLfatal() already called */
584 return 0;
585 }
586
587 if (s->server) {
588 sender = s->method->ssl3_enc->server_finished_label;
589 slen = s->method->ssl3_enc->server_finished_label_len;
590 } else {
591 sender = s->method->ssl3_enc->client_finished_label;
592 slen = s->method->ssl3_enc->client_finished_label_len;
593 }
594
595 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
596 sender, slen,
597 s->s3.tmp.finish_md);
598 if (finish_md_len == 0) {
599 /* SSLfatal() already called */
600 return 0;
601 }
602
603 s->s3.tmp.finish_md_len = finish_md_len;
604
605 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
606 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
607 return 0;
608 }
609
610 /*
611 * Log the master secret, if logging is enabled. We don't log it for
612 * TLSv1.3: there's a different key schedule for that.
613 */
614 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
615 s->session->master_key,
616 s->session->master_key_length)) {
617 /* SSLfatal() already called */
618 return 0;
619 }
620
621 /*
622 * Copy the finished so we can use it for renegotiation checks
623 */
624 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
625 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
626 return 0;
627 }
628 if (!s->server) {
629 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
630 finish_md_len);
631 s->s3.previous_client_finished_len = finish_md_len;
632 } else {
633 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
634 finish_md_len);
635 s->s3.previous_server_finished_len = finish_md_len;
636 }
637
638 return 1;
639 }
640
tls_construct_key_update(SSL * s,WPACKET * pkt)641 int tls_construct_key_update(SSL *s, WPACKET *pkt)
642 {
643 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
645 return 0;
646 }
647
648 s->key_update = SSL_KEY_UPDATE_NONE;
649 return 1;
650 }
651
tls_process_key_update(SSL * s,PACKET * pkt)652 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
653 {
654 unsigned int updatetype;
655
656 /*
657 * A KeyUpdate message signals a key change so the end of the message must
658 * be on a record boundary.
659 */
660 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
661 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
662 return MSG_PROCESS_ERROR;
663 }
664
665 if (!PACKET_get_1(pkt, &updatetype)
666 || PACKET_remaining(pkt) != 0) {
667 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
668 return MSG_PROCESS_ERROR;
669 }
670
671 /*
672 * There are only two defined key update types. Fail if we get a value we
673 * didn't recognise.
674 */
675 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
676 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
677 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
678 return MSG_PROCESS_ERROR;
679 }
680
681 /*
682 * If we get a request for us to update our sending keys too then, we need
683 * to additionally send a KeyUpdate message. However that message should
684 * not also request an update (otherwise we get into an infinite loop).
685 */
686 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
687 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
688
689 if (!tls13_update_key(s, 0)) {
690 /* SSLfatal() already called */
691 return MSG_PROCESS_ERROR;
692 }
693
694 return MSG_PROCESS_FINISHED_READING;
695 }
696
697 /*
698 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
699 * to far.
700 */
ssl3_take_mac(SSL * s)701 int ssl3_take_mac(SSL *s)
702 {
703 const char *sender;
704 size_t slen;
705
706 if (!s->server) {
707 sender = s->method->ssl3_enc->server_finished_label;
708 slen = s->method->ssl3_enc->server_finished_label_len;
709 } else {
710 sender = s->method->ssl3_enc->client_finished_label;
711 slen = s->method->ssl3_enc->client_finished_label_len;
712 }
713
714 s->s3.tmp.peer_finish_md_len =
715 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
716 s->s3.tmp.peer_finish_md);
717
718 if (s->s3.tmp.peer_finish_md_len == 0) {
719 /* SSLfatal() already called */
720 return 0;
721 }
722
723 return 1;
724 }
725
tls_process_change_cipher_spec(SSL * s,PACKET * pkt)726 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
727 {
728 size_t remain;
729
730 remain = PACKET_remaining(pkt);
731 /*
732 * 'Change Cipher Spec' is just a single byte, which should already have
733 * been consumed by ssl_get_message() so there should be no bytes left,
734 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
735 */
736 if (SSL_IS_DTLS(s)) {
737 if ((s->version == DTLS1_BAD_VER
738 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
739 || (s->version != DTLS1_BAD_VER
740 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
741 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
742 return MSG_PROCESS_ERROR;
743 }
744 } else {
745 if (remain != 0) {
746 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
747 return MSG_PROCESS_ERROR;
748 }
749 }
750
751 /* Check we have a cipher to change to */
752 if (s->s3.tmp.new_cipher == NULL) {
753 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
754 return MSG_PROCESS_ERROR;
755 }
756
757 s->s3.change_cipher_spec = 1;
758 if (!ssl3_do_change_cipher_spec(s)) {
759 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
760 return MSG_PROCESS_ERROR;
761 }
762
763 if (SSL_IS_DTLS(s)) {
764 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
765
766 if (s->version == DTLS1_BAD_VER)
767 s->d1->handshake_read_seq++;
768
769 #ifndef OPENSSL_NO_SCTP
770 /*
771 * Remember that a CCS has been received, so that an old key of
772 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
773 * SCTP is used
774 */
775 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
776 #endif
777 }
778
779 return MSG_PROCESS_CONTINUE_READING;
780 }
781
tls_process_finished(SSL * s,PACKET * pkt)782 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
783 {
784 size_t md_len;
785
786
787 /* This is a real handshake so make sure we clean it up at the end */
788 if (s->server) {
789 /*
790 * To get this far we must have read encrypted data from the client. We
791 * no longer tolerate unencrypted alerts. This value is ignored if less
792 * than TLSv1.3
793 */
794 s->statem.enc_read_state = ENC_READ_STATE_VALID;
795 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
796 s->statem.cleanuphand = 1;
797 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
798 /* SSLfatal() already called */
799 return MSG_PROCESS_ERROR;
800 }
801 }
802
803 /*
804 * In TLSv1.3 a Finished message signals a key change so the end of the
805 * message must be on a record boundary.
806 */
807 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
808 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
809 return MSG_PROCESS_ERROR;
810 }
811
812 /* If this occurs, we have missed a message */
813 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
814 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
815 return MSG_PROCESS_ERROR;
816 }
817 s->s3.change_cipher_spec = 0;
818
819 md_len = s->s3.tmp.peer_finish_md_len;
820
821 if (md_len != PACKET_remaining(pkt)) {
822 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
823 return MSG_PROCESS_ERROR;
824 }
825
826 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
827 md_len) != 0) {
828 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
829 return MSG_PROCESS_ERROR;
830 }
831
832 /*
833 * Copy the finished so we can use it for renegotiation checks
834 */
835 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
836 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
837 return MSG_PROCESS_ERROR;
838 }
839 if (s->server) {
840 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
841 md_len);
842 s->s3.previous_client_finished_len = md_len;
843 } else {
844 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
845 md_len);
846 s->s3.previous_server_finished_len = md_len;
847 }
848
849 /*
850 * In TLS1.3 we also have to change cipher state and do any final processing
851 * of the initial server flight (if we are a client)
852 */
853 if (SSL_IS_TLS13(s)) {
854 if (s->server) {
855 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
856 !s->method->ssl3_enc->change_cipher_state(s,
857 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
858 /* SSLfatal() already called */
859 return MSG_PROCESS_ERROR;
860 }
861 } else {
862 /* TLS 1.3 gets the secret size from the handshake md */
863 size_t dummy;
864 if (!s->method->ssl3_enc->generate_master_secret(s,
865 s->master_secret, s->handshake_secret, 0,
866 &dummy)) {
867 /* SSLfatal() already called */
868 return MSG_PROCESS_ERROR;
869 }
870 if (!s->method->ssl3_enc->change_cipher_state(s,
871 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
872 /* SSLfatal() already called */
873 return MSG_PROCESS_ERROR;
874 }
875 if (!tls_process_initial_server_flight(s)) {
876 /* SSLfatal() already called */
877 return MSG_PROCESS_ERROR;
878 }
879 }
880 }
881
882 return MSG_PROCESS_FINISHED_READING;
883 }
884
tls_construct_change_cipher_spec(SSL * s,WPACKET * pkt)885 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
886 {
887 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
888 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
889 return 0;
890 }
891
892 return 1;
893 }
894
895 /* Add a certificate to the WPACKET */
ssl_add_cert_to_wpacket(SSL * s,WPACKET * pkt,X509 * x,int chain)896 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
897 {
898 int len;
899 unsigned char *outbytes;
900
901 len = i2d_X509(x, NULL);
902 if (len < 0) {
903 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
904 return 0;
905 }
906 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
907 || i2d_X509(x, &outbytes) != len) {
908 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
909 return 0;
910 }
911
912 if (SSL_IS_TLS13(s)
913 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
914 chain)) {
915 /* SSLfatal() already called */
916 return 0;
917 }
918
919 return 1;
920 }
921
922 /* Add certificate chain to provided WPACKET */
ssl_add_cert_chain(SSL * s,WPACKET * pkt,CERT_PKEY * cpk)923 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
924 {
925 int i, chain_count;
926 X509 *x;
927 STACK_OF(X509) *extra_certs;
928 STACK_OF(X509) *chain = NULL;
929 X509_STORE *chain_store;
930
931 if (cpk == NULL || cpk->x509 == NULL)
932 return 1;
933
934 x = cpk->x509;
935
936 /*
937 * If we have a certificate specific chain use it, else use parent ctx.
938 */
939 if (cpk->chain != NULL)
940 extra_certs = cpk->chain;
941 else
942 extra_certs = s->ctx->extra_certs;
943
944 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
945 chain_store = NULL;
946 else if (s->cert->chain_store)
947 chain_store = s->cert->chain_store;
948 else
949 chain_store = s->ctx->cert_store;
950
951 if (chain_store != NULL) {
952 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx,
953 s->ctx->propq);
954
955 if (xs_ctx == NULL) {
956 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
957 return 0;
958 }
959 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
960 X509_STORE_CTX_free(xs_ctx);
961 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
962 return 0;
963 }
964 /*
965 * It is valid for the chain not to be complete (because normally we
966 * don't include the root cert in the chain). Therefore we deliberately
967 * ignore the error return from this call. We're not actually verifying
968 * the cert - we're just building as much of the chain as we can
969 */
970 (void)X509_verify_cert(xs_ctx);
971 /* Don't leave errors in the queue */
972 ERR_clear_error();
973 chain = X509_STORE_CTX_get0_chain(xs_ctx);
974 i = ssl_security_cert_chain(s, chain, NULL, 0);
975 if (i != 1) {
976 #if 0
977 /* Dummy error calls so mkerr generates them */
978 ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
979 ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
980 ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
981 #endif
982 X509_STORE_CTX_free(xs_ctx);
983 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
984 return 0;
985 }
986 chain_count = sk_X509_num(chain);
987 for (i = 0; i < chain_count; i++) {
988 x = sk_X509_value(chain, i);
989
990 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
991 /* SSLfatal() already called */
992 X509_STORE_CTX_free(xs_ctx);
993 return 0;
994 }
995 }
996 X509_STORE_CTX_free(xs_ctx);
997 } else {
998 i = ssl_security_cert_chain(s, extra_certs, x, 0);
999 if (i != 1) {
1000 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
1001 return 0;
1002 }
1003 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1004 /* SSLfatal() already called */
1005 return 0;
1006 }
1007 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1008 x = sk_X509_value(extra_certs, i);
1009 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1010 /* SSLfatal() already called */
1011 return 0;
1012 }
1013 }
1014 }
1015 return 1;
1016 }
1017
ssl3_output_cert_chain(SSL * s,WPACKET * pkt,CERT_PKEY * cpk)1018 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1019 {
1020 if (!WPACKET_start_sub_packet_u24(pkt)) {
1021 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1022 return 0;
1023 }
1024
1025 if (!ssl_add_cert_chain(s, pkt, cpk))
1026 return 0;
1027
1028 if (!WPACKET_close(pkt)) {
1029 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1030 return 0;
1031 }
1032
1033 return 1;
1034 }
1035
1036 /*
1037 * Tidy up after the end of a handshake. In the case of SCTP this may result
1038 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1039 * freed up as well.
1040 */
tls_finish_handshake(SSL * s,ossl_unused WORK_STATE wst,int clearbufs,int stop)1041 WORK_STATE tls_finish_handshake(SSL *s, ossl_unused WORK_STATE wst,
1042 int clearbufs, int stop)
1043 {
1044 void (*cb) (const SSL *ssl, int type, int val) = NULL;
1045 int cleanuphand = s->statem.cleanuphand;
1046
1047 if (clearbufs) {
1048 if (!SSL_IS_DTLS(s)
1049 #ifndef OPENSSL_NO_SCTP
1050 /*
1051 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1052 * messages that require it. Therefore, DTLS procedures for retransmissions
1053 * MUST NOT be used.
1054 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1055 */
1056 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1057 #endif
1058 ) {
1059 /*
1060 * We don't do this in DTLS over UDP because we may still need the init_buf
1061 * in case there are any unexpected retransmits
1062 */
1063 BUF_MEM_free(s->init_buf);
1064 s->init_buf = NULL;
1065 }
1066
1067 if (!ssl_free_wbio_buffer(s)) {
1068 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1069 return WORK_ERROR;
1070 }
1071 s->init_num = 0;
1072 }
1073
1074 if (SSL_IS_TLS13(s) && !s->server
1075 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1076 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1077
1078 /*
1079 * Only set if there was a Finished message and this isn't after a TLSv1.3
1080 * post handshake exchange
1081 */
1082 if (cleanuphand) {
1083 /* skipped if we just sent a HelloRequest */
1084 s->renegotiate = 0;
1085 s->new_session = 0;
1086 s->statem.cleanuphand = 0;
1087 s->ext.ticket_expected = 0;
1088
1089 ssl3_cleanup_key_block(s);
1090
1091 if (s->server) {
1092 /*
1093 * In TLSv1.3 we update the cache as part of constructing the
1094 * NewSessionTicket
1095 */
1096 if (!SSL_IS_TLS13(s))
1097 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1098
1099 /* N.B. s->ctx may not equal s->session_ctx */
1100 ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_good);
1101 s->handshake_func = ossl_statem_accept;
1102 } else {
1103 if (SSL_IS_TLS13(s)) {
1104 /*
1105 * We encourage applications to only use TLSv1.3 tickets once,
1106 * so we remove this one from the cache.
1107 */
1108 if ((s->session_ctx->session_cache_mode
1109 & SSL_SESS_CACHE_CLIENT) != 0)
1110 SSL_CTX_remove_session(s->session_ctx, s->session);
1111 } else {
1112 /*
1113 * In TLSv1.3 we update the cache as part of processing the
1114 * NewSessionTicket
1115 */
1116 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1117 }
1118 if (s->hit)
1119 ssl_tsan_counter(s->session_ctx,
1120 &s->session_ctx->stats.sess_hit);
1121
1122 s->handshake_func = ossl_statem_connect;
1123 ssl_tsan_counter(s->session_ctx,
1124 &s->session_ctx->stats.sess_connect_good);
1125 }
1126
1127 if (SSL_IS_DTLS(s)) {
1128 /* done with handshaking */
1129 s->d1->handshake_read_seq = 0;
1130 s->d1->handshake_write_seq = 0;
1131 s->d1->next_handshake_write_seq = 0;
1132 dtls1_clear_received_buffer(s);
1133 }
1134 }
1135
1136 if (s->info_callback != NULL)
1137 cb = s->info_callback;
1138 else if (s->ctx->info_callback != NULL)
1139 cb = s->ctx->info_callback;
1140
1141 /* The callback may expect us to not be in init at handshake done */
1142 ossl_statem_set_in_init(s, 0);
1143
1144 if (cb != NULL) {
1145 if (cleanuphand
1146 || !SSL_IS_TLS13(s)
1147 || SSL_IS_FIRST_HANDSHAKE(s))
1148 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1149 }
1150
1151 if (!stop) {
1152 /* If we've got more work to do we go back into init */
1153 ossl_statem_set_in_init(s, 1);
1154 return WORK_FINISHED_CONTINUE;
1155 }
1156
1157 return WORK_FINISHED_STOP;
1158 }
1159
tls_get_message_header(SSL * s,int * mt)1160 int tls_get_message_header(SSL *s, int *mt)
1161 {
1162 /* s->init_num < SSL3_HM_HEADER_LENGTH */
1163 int skip_message, i, recvd_type;
1164 unsigned char *p;
1165 size_t l, readbytes;
1166
1167 p = (unsigned char *)s->init_buf->data;
1168
1169 do {
1170 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1171 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1172 &p[s->init_num],
1173 SSL3_HM_HEADER_LENGTH - s->init_num,
1174 0, &readbytes);
1175 if (i <= 0) {
1176 s->rwstate = SSL_READING;
1177 return 0;
1178 }
1179 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1180 /*
1181 * A ChangeCipherSpec must be a single byte and may not occur
1182 * in the middle of a handshake message.
1183 */
1184 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1185 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1186 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1187 return 0;
1188 }
1189 if (s->statem.hand_state == TLS_ST_BEFORE
1190 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1191 /*
1192 * We are stateless and we received a CCS. Probably this is
1193 * from a client between the first and second ClientHellos.
1194 * We should ignore this, but return an error because we do
1195 * not return success until we see the second ClientHello
1196 * with a valid cookie.
1197 */
1198 return 0;
1199 }
1200 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1201 s->init_num = readbytes - 1;
1202 s->init_msg = s->init_buf->data;
1203 s->s3.tmp.message_size = readbytes;
1204 return 1;
1205 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1206 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1207 SSL_R_CCS_RECEIVED_EARLY);
1208 return 0;
1209 }
1210 s->init_num += readbytes;
1211 }
1212
1213 skip_message = 0;
1214 if (!s->server)
1215 if (s->statem.hand_state != TLS_ST_OK
1216 && p[0] == SSL3_MT_HELLO_REQUEST)
1217 /*
1218 * The server may always send 'Hello Request' messages --
1219 * we are doing a handshake anyway now, so ignore them if
1220 * their format is correct. Does not count for 'Finished'
1221 * MAC.
1222 */
1223 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1224 s->init_num = 0;
1225 skip_message = 1;
1226
1227 if (s->msg_callback)
1228 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1229 p, SSL3_HM_HEADER_LENGTH, s,
1230 s->msg_callback_arg);
1231 }
1232 } while (skip_message);
1233 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1234
1235 *mt = *p;
1236 s->s3.tmp.message_type = *(p++);
1237
1238 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1239 /*
1240 * Only happens with SSLv3+ in an SSLv2 backward compatible
1241 * ClientHello
1242 *
1243 * Total message size is the remaining record bytes to read
1244 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1245 */
1246 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1247 + SSL3_HM_HEADER_LENGTH;
1248 s->s3.tmp.message_size = l;
1249
1250 s->init_msg = s->init_buf->data;
1251 s->init_num = SSL3_HM_HEADER_LENGTH;
1252 } else {
1253 n2l3(p, l);
1254 /* BUF_MEM_grow takes an 'int' parameter */
1255 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1256 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1257 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1258 return 0;
1259 }
1260 s->s3.tmp.message_size = l;
1261
1262 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1263 s->init_num = 0;
1264 }
1265
1266 return 1;
1267 }
1268
tls_get_message_body(SSL * s,size_t * len)1269 int tls_get_message_body(SSL *s, size_t *len)
1270 {
1271 size_t n, readbytes;
1272 unsigned char *p;
1273 int i;
1274
1275 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1276 /* We've already read everything in */
1277 *len = (unsigned long)s->init_num;
1278 return 1;
1279 }
1280
1281 p = s->init_msg;
1282 n = s->s3.tmp.message_size - s->init_num;
1283 while (n > 0) {
1284 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1285 &p[s->init_num], n, 0, &readbytes);
1286 if (i <= 0) {
1287 s->rwstate = SSL_READING;
1288 *len = 0;
1289 return 0;
1290 }
1291 s->init_num += readbytes;
1292 n -= readbytes;
1293 }
1294
1295 /*
1296 * If receiving Finished, record MAC of prior handshake messages for
1297 * Finished verification.
1298 */
1299 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1300 /* SSLfatal() already called */
1301 *len = 0;
1302 return 0;
1303 }
1304
1305 /* Feed this message into MAC computation. */
1306 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1307 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1308 s->init_num)) {
1309 /* SSLfatal() already called */
1310 *len = 0;
1311 return 0;
1312 }
1313 if (s->msg_callback)
1314 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1315 (size_t)s->init_num, s, s->msg_callback_arg);
1316 } else {
1317 /*
1318 * We defer feeding in the HRR until later. We'll do it as part of
1319 * processing the message
1320 * The TLsv1.3 handshake transcript stops at the ClientFinished
1321 * message.
1322 */
1323 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1324 /* KeyUpdate and NewSessionTicket do not need to be added */
1325 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1326 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1327 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1328 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1329 || memcmp(hrrrandom,
1330 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1331 SSL3_RANDOM_SIZE) != 0) {
1332 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1333 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1334 /* SSLfatal() already called */
1335 *len = 0;
1336 return 0;
1337 }
1338 }
1339 }
1340 if (s->msg_callback)
1341 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1342 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1343 s->msg_callback_arg);
1344 }
1345
1346 *len = s->init_num;
1347 return 1;
1348 }
1349
1350 static const X509ERR2ALERT x509table[] = {
1351 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1352 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1353 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
1354 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1355 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1356 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1357 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1358 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1359 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1360 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1361 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1362 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1363 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1364 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1365 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1366 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1367 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1368 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1369 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1370 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1371 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1372 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1373 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1374 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1375 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1376 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1377 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1378 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1379 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1380 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1381 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1382 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1383 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1384 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1385 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1386 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1387 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1388 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1389 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1390 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1391
1392 /* Last entry; return this if we don't find the value above. */
1393 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1394 };
1395
ssl_x509err2alert(int x509err)1396 int ssl_x509err2alert(int x509err)
1397 {
1398 const X509ERR2ALERT *tp;
1399
1400 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1401 if (tp->x509err == x509err)
1402 break;
1403 return tp->alert;
1404 }
1405
ssl_allow_compression(SSL * s)1406 int ssl_allow_compression(SSL *s)
1407 {
1408 if (s->options & SSL_OP_NO_COMPRESSION)
1409 return 0;
1410 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1411 }
1412
version_cmp(const SSL * s,int a,int b)1413 static int version_cmp(const SSL *s, int a, int b)
1414 {
1415 int dtls = SSL_IS_DTLS(s);
1416
1417 if (a == b)
1418 return 0;
1419 if (!dtls)
1420 return a < b ? -1 : 1;
1421 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1422 }
1423
1424 typedef struct {
1425 int version;
1426 const SSL_METHOD *(*cmeth) (void);
1427 const SSL_METHOD *(*smeth) (void);
1428 } version_info;
1429
1430 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1431 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1432 #endif
1433
1434 /* Must be in order high to low */
1435 static const version_info tls_version_table[] = {
1436 #ifndef OPENSSL_NO_TLS1_3
1437 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1438 #else
1439 {TLS1_3_VERSION, NULL, NULL},
1440 #endif
1441 #ifndef OPENSSL_NO_TLS1_2
1442 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1443 #else
1444 {TLS1_2_VERSION, NULL, NULL},
1445 #endif
1446 #ifndef OPENSSL_NO_TLS1_1
1447 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1448 #else
1449 {TLS1_1_VERSION, NULL, NULL},
1450 #endif
1451 #ifndef OPENSSL_NO_TLS1
1452 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1453 #else
1454 {TLS1_VERSION, NULL, NULL},
1455 #endif
1456 #ifndef OPENSSL_NO_SSL3
1457 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1458 #else
1459 {SSL3_VERSION, NULL, NULL},
1460 #endif
1461 {0, NULL, NULL},
1462 };
1463
1464 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1465 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1466 #endif
1467
1468 /* Must be in order high to low */
1469 static const version_info dtls_version_table[] = {
1470 #ifndef OPENSSL_NO_DTLS1_2
1471 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1472 #else
1473 {DTLS1_2_VERSION, NULL, NULL},
1474 #endif
1475 #ifndef OPENSSL_NO_DTLS1
1476 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1477 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1478 #else
1479 {DTLS1_VERSION, NULL, NULL},
1480 {DTLS1_BAD_VER, NULL, NULL},
1481 #endif
1482 {0, NULL, NULL},
1483 };
1484
1485 /*
1486 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1487 *
1488 * @s: The SSL handle for the candidate method
1489 * @method: the intended method.
1490 *
1491 * Returns 0 on success, or an SSL error reason on failure.
1492 */
ssl_method_error(const SSL * s,const SSL_METHOD * method)1493 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1494 {
1495 int version = method->version;
1496
1497 if ((s->min_proto_version != 0 &&
1498 version_cmp(s, version, s->min_proto_version) < 0) ||
1499 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1500 return SSL_R_VERSION_TOO_LOW;
1501
1502 if (s->max_proto_version != 0 &&
1503 version_cmp(s, version, s->max_proto_version) > 0)
1504 return SSL_R_VERSION_TOO_HIGH;
1505
1506 if ((s->options & method->mask) != 0)
1507 return SSL_R_UNSUPPORTED_PROTOCOL;
1508 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1509 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1510
1511 return 0;
1512 }
1513
1514 /*
1515 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1516 * certificate type, or has PSK or a certificate callback configured, or has
1517 * a servername callback configure. Otherwise returns 0.
1518 */
is_tls13_capable(const SSL * s)1519 static int is_tls13_capable(const SSL *s)
1520 {
1521 int i;
1522 int curve;
1523
1524 if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
1525 return 0;
1526
1527 /*
1528 * A servername callback can change the available certs, so if a servername
1529 * cb is set then we just assume TLSv1.3 will be ok
1530 */
1531 if (s->ctx->ext.servername_cb != NULL
1532 || s->session_ctx->ext.servername_cb != NULL)
1533 return 1;
1534
1535 #ifndef OPENSSL_NO_PSK
1536 if (s->psk_server_callback != NULL)
1537 return 1;
1538 #endif
1539
1540 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1541 return 1;
1542
1543 for (i = 0; i < SSL_PKEY_NUM; i++) {
1544 /* Skip over certs disallowed for TLSv1.3 */
1545 switch (i) {
1546 case SSL_PKEY_DSA_SIGN:
1547 case SSL_PKEY_GOST01:
1548 case SSL_PKEY_GOST12_256:
1549 case SSL_PKEY_GOST12_512:
1550 continue;
1551 default:
1552 break;
1553 }
1554 if (!ssl_has_cert(s, i))
1555 continue;
1556 if (i != SSL_PKEY_ECC)
1557 return 1;
1558 /*
1559 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1560 * more restrictive so check that our sig algs are consistent with this
1561 * EC cert. See section 4.2.3 of RFC8446.
1562 */
1563 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1564 if (tls_check_sigalg_curve(s, curve))
1565 return 1;
1566 }
1567
1568 return 0;
1569 }
1570
1571 /*
1572 * ssl_version_supported - Check that the specified `version` is supported by
1573 * `SSL *` instance
1574 *
1575 * @s: The SSL handle for the candidate method
1576 * @version: Protocol version to test against
1577 *
1578 * Returns 1 when supported, otherwise 0
1579 */
ssl_version_supported(const SSL * s,int version,const SSL_METHOD ** meth)1580 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1581 {
1582 const version_info *vent;
1583 const version_info *table;
1584
1585 switch (s->method->version) {
1586 default:
1587 /* Version should match method version for non-ANY method */
1588 return version_cmp(s, version, s->version) == 0;
1589 case TLS_ANY_VERSION:
1590 table = tls_version_table;
1591 break;
1592 case DTLS_ANY_VERSION:
1593 table = dtls_version_table;
1594 break;
1595 }
1596
1597 for (vent = table;
1598 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1599 ++vent) {
1600 if (vent->cmeth != NULL
1601 && version_cmp(s, version, vent->version) == 0
1602 && ssl_method_error(s, vent->cmeth()) == 0
1603 && (!s->server
1604 || version != TLS1_3_VERSION
1605 || is_tls13_capable(s))) {
1606 if (meth != NULL)
1607 *meth = vent->cmeth();
1608 return 1;
1609 }
1610 }
1611 return 0;
1612 }
1613
1614 /*
1615 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1616 * fallback indication from a client check whether we're using the highest
1617 * supported protocol version.
1618 *
1619 * @s server SSL handle.
1620 *
1621 * Returns 1 when using the highest enabled version, 0 otherwise.
1622 */
ssl_check_version_downgrade(SSL * s)1623 int ssl_check_version_downgrade(SSL *s)
1624 {
1625 const version_info *vent;
1626 const version_info *table;
1627
1628 /*
1629 * Check that the current protocol is the highest enabled version
1630 * (according to s->ctx->method, as version negotiation may have changed
1631 * s->method).
1632 */
1633 if (s->version == s->ctx->method->version)
1634 return 1;
1635
1636 /*
1637 * Apparently we're using a version-flexible SSL_METHOD (not at its
1638 * highest protocol version).
1639 */
1640 if (s->ctx->method->version == TLS_method()->version)
1641 table = tls_version_table;
1642 else if (s->ctx->method->version == DTLS_method()->version)
1643 table = dtls_version_table;
1644 else {
1645 /* Unexpected state; fail closed. */
1646 return 0;
1647 }
1648
1649 for (vent = table; vent->version != 0; ++vent) {
1650 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1651 return s->version == vent->version;
1652 }
1653 return 0;
1654 }
1655
1656 /*
1657 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1658 * protocols, provided the initial (D)TLS method is version-flexible. This
1659 * function sanity-checks the proposed value and makes sure the method is
1660 * version-flexible, then sets the limit if all is well.
1661 *
1662 * @method_version: The version of the current SSL_METHOD.
1663 * @version: the intended limit.
1664 * @bound: pointer to limit to be updated.
1665 *
1666 * Returns 1 on success, 0 on failure.
1667 */
ssl_set_version_bound(int method_version,int version,int * bound)1668 int ssl_set_version_bound(int method_version, int version, int *bound)
1669 {
1670 int valid_tls;
1671 int valid_dtls;
1672
1673 if (version == 0) {
1674 *bound = version;
1675 return 1;
1676 }
1677
1678 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1679 valid_dtls =
1680 DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1681 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1682
1683 if (!valid_tls && !valid_dtls)
1684 return 0;
1685
1686 /*-
1687 * Restrict TLS methods to TLS protocol versions.
1688 * Restrict DTLS methods to DTLS protocol versions.
1689 * Note, DTLS version numbers are decreasing, use comparison macros.
1690 *
1691 * Note that for both lower-bounds we use explicit versions, not
1692 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1693 * configurations. If the MIN (supported) version ever rises, the user's
1694 * "floor" remains valid even if no longer available. We don't expect the
1695 * MAX ceiling to ever get lower, so making that variable makes sense.
1696 *
1697 * We ignore attempts to set bounds on version-inflexible methods,
1698 * returning success.
1699 */
1700 switch (method_version) {
1701 default:
1702 break;
1703
1704 case TLS_ANY_VERSION:
1705 if (valid_tls)
1706 *bound = version;
1707 break;
1708
1709 case DTLS_ANY_VERSION:
1710 if (valid_dtls)
1711 *bound = version;
1712 break;
1713 }
1714 return 1;
1715 }
1716
check_for_downgrade(SSL * s,int vers,DOWNGRADE * dgrd)1717 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1718 {
1719 if (vers == TLS1_2_VERSION
1720 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1721 *dgrd = DOWNGRADE_TO_1_2;
1722 } else if (!SSL_IS_DTLS(s)
1723 && vers < TLS1_2_VERSION
1724 /*
1725 * We need to ensure that a server that disables TLSv1.2
1726 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1727 * complete handshakes with clients that support TLSv1.2 and
1728 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1729 * enabled and TLSv1.2 is not.
1730 */
1731 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1732 *dgrd = DOWNGRADE_TO_1_1;
1733 } else {
1734 *dgrd = DOWNGRADE_NONE;
1735 }
1736 }
1737
1738 /*
1739 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1740 * client HELLO is received to select the final server protocol version and
1741 * the version specific method.
1742 *
1743 * @s: server SSL handle.
1744 *
1745 * Returns 0 on success or an SSL error reason number on failure.
1746 */
ssl_choose_server_version(SSL * s,CLIENTHELLO_MSG * hello,DOWNGRADE * dgrd)1747 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1748 {
1749 /*-
1750 * With version-flexible methods we have an initial state with:
1751 *
1752 * s->method->version == (D)TLS_ANY_VERSION,
1753 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
1754 *
1755 * So we detect version-flexible methods via the method version, not the
1756 * handle version.
1757 */
1758 int server_version = s->method->version;
1759 int client_version = hello->legacy_version;
1760 const version_info *vent;
1761 const version_info *table;
1762 int disabled = 0;
1763 RAW_EXTENSION *suppversions;
1764
1765 s->client_version = client_version;
1766
1767 switch (server_version) {
1768 default:
1769 if (!SSL_IS_TLS13(s)) {
1770 if (version_cmp(s, client_version, s->version) < 0)
1771 return SSL_R_WRONG_SSL_VERSION;
1772 *dgrd = DOWNGRADE_NONE;
1773 /*
1774 * If this SSL handle is not from a version flexible method we don't
1775 * (and never did) check min/max FIPS or Suite B constraints. Hope
1776 * that's OK. It is up to the caller to not choose fixed protocol
1777 * versions they don't want. If not, then easy to fix, just return
1778 * ssl_method_error(s, s->method)
1779 */
1780 return 0;
1781 }
1782 /*
1783 * Fall through if we are TLSv1.3 already (this means we must be after
1784 * a HelloRetryRequest
1785 */
1786 /* fall thru */
1787 case TLS_ANY_VERSION:
1788 table = tls_version_table;
1789 break;
1790 case DTLS_ANY_VERSION:
1791 table = dtls_version_table;
1792 break;
1793 }
1794
1795 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1796
1797 /* If we did an HRR then supported versions is mandatory */
1798 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1799 return SSL_R_UNSUPPORTED_PROTOCOL;
1800
1801 if (suppversions->present && !SSL_IS_DTLS(s)) {
1802 unsigned int candidate_vers = 0;
1803 unsigned int best_vers = 0;
1804 const SSL_METHOD *best_method = NULL;
1805 PACKET versionslist;
1806
1807 suppversions->parsed = 1;
1808
1809 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1810 /* Trailing or invalid data? */
1811 return SSL_R_LENGTH_MISMATCH;
1812 }
1813
1814 /*
1815 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1816 * The spec only requires servers to check that it isn't SSLv3:
1817 * "Any endpoint receiving a Hello message with
1818 * ClientHello.legacy_version or ServerHello.legacy_version set to
1819 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1820 * We are slightly stricter and require that it isn't SSLv3 or lower.
1821 * We tolerate TLSv1 and TLSv1.1.
1822 */
1823 if (client_version <= SSL3_VERSION)
1824 return SSL_R_BAD_LEGACY_VERSION;
1825
1826 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1827 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1828 continue;
1829 if (ssl_version_supported(s, candidate_vers, &best_method))
1830 best_vers = candidate_vers;
1831 }
1832 if (PACKET_remaining(&versionslist) != 0) {
1833 /* Trailing data? */
1834 return SSL_R_LENGTH_MISMATCH;
1835 }
1836
1837 if (best_vers > 0) {
1838 if (s->hello_retry_request != SSL_HRR_NONE) {
1839 /*
1840 * This is after a HelloRetryRequest so we better check that we
1841 * negotiated TLSv1.3
1842 */
1843 if (best_vers != TLS1_3_VERSION)
1844 return SSL_R_UNSUPPORTED_PROTOCOL;
1845 return 0;
1846 }
1847 check_for_downgrade(s, best_vers, dgrd);
1848 s->version = best_vers;
1849 s->method = best_method;
1850 return 0;
1851 }
1852 return SSL_R_UNSUPPORTED_PROTOCOL;
1853 }
1854
1855 /*
1856 * If the supported versions extension isn't present, then the highest
1857 * version we can negotiate is TLSv1.2
1858 */
1859 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1860 client_version = TLS1_2_VERSION;
1861
1862 /*
1863 * No supported versions extension, so we just use the version supplied in
1864 * the ClientHello.
1865 */
1866 for (vent = table; vent->version != 0; ++vent) {
1867 const SSL_METHOD *method;
1868
1869 if (vent->smeth == NULL ||
1870 version_cmp(s, client_version, vent->version) < 0)
1871 continue;
1872 method = vent->smeth();
1873 if (ssl_method_error(s, method) == 0) {
1874 check_for_downgrade(s, vent->version, dgrd);
1875 s->version = vent->version;
1876 s->method = method;
1877 return 0;
1878 }
1879 disabled = 1;
1880 }
1881 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1882 }
1883
1884 /*
1885 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1886 * server HELLO is received to select the final client protocol version and
1887 * the version specific method.
1888 *
1889 * @s: client SSL handle.
1890 * @version: The proposed version from the server's HELLO.
1891 * @extensions: The extensions received
1892 *
1893 * Returns 1 on success or 0 on error.
1894 */
ssl_choose_client_version(SSL * s,int version,RAW_EXTENSION * extensions)1895 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1896 {
1897 const version_info *vent;
1898 const version_info *table;
1899 int ret, ver_min, ver_max, real_max, origv;
1900
1901 origv = s->version;
1902 s->version = version;
1903
1904 /* This will overwrite s->version if the extension is present */
1905 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1906 SSL_EXT_TLS1_2_SERVER_HELLO
1907 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1908 NULL, 0)) {
1909 s->version = origv;
1910 return 0;
1911 }
1912
1913 if (s->hello_retry_request != SSL_HRR_NONE
1914 && s->version != TLS1_3_VERSION) {
1915 s->version = origv;
1916 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1917 return 0;
1918 }
1919
1920 switch (s->method->version) {
1921 default:
1922 if (s->version != s->method->version) {
1923 s->version = origv;
1924 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1925 return 0;
1926 }
1927 /*
1928 * If this SSL handle is not from a version flexible method we don't
1929 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1930 * that's OK. It is up to the caller to not choose fixed protocol
1931 * versions they don't want. If not, then easy to fix, just return
1932 * ssl_method_error(s, s->method)
1933 */
1934 return 1;
1935 case TLS_ANY_VERSION:
1936 table = tls_version_table;
1937 break;
1938 case DTLS_ANY_VERSION:
1939 table = dtls_version_table;
1940 break;
1941 }
1942
1943 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1944 if (ret != 0) {
1945 s->version = origv;
1946 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
1947 return 0;
1948 }
1949 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1950 : s->version < ver_min) {
1951 s->version = origv;
1952 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1953 return 0;
1954 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1955 : s->version > ver_max) {
1956 s->version = origv;
1957 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1958 return 0;
1959 }
1960
1961 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1962 real_max = ver_max;
1963
1964 /* Check for downgrades */
1965 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1966 if (memcmp(tls12downgrade,
1967 s->s3.server_random + SSL3_RANDOM_SIZE
1968 - sizeof(tls12downgrade),
1969 sizeof(tls12downgrade)) == 0) {
1970 s->version = origv;
1971 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1972 SSL_R_INAPPROPRIATE_FALLBACK);
1973 return 0;
1974 }
1975 } else if (!SSL_IS_DTLS(s)
1976 && s->version < TLS1_2_VERSION
1977 && real_max > s->version) {
1978 if (memcmp(tls11downgrade,
1979 s->s3.server_random + SSL3_RANDOM_SIZE
1980 - sizeof(tls11downgrade),
1981 sizeof(tls11downgrade)) == 0) {
1982 s->version = origv;
1983 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1984 SSL_R_INAPPROPRIATE_FALLBACK);
1985 return 0;
1986 }
1987 }
1988
1989 for (vent = table; vent->version != 0; ++vent) {
1990 if (vent->cmeth == NULL || s->version != vent->version)
1991 continue;
1992
1993 s->method = vent->cmeth();
1994 return 1;
1995 }
1996
1997 s->version = origv;
1998 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1999 return 0;
2000 }
2001
2002 /*
2003 * ssl_get_min_max_version - get minimum and maximum protocol version
2004 * @s: The SSL connection
2005 * @min_version: The minimum supported version
2006 * @max_version: The maximum supported version
2007 * @real_max: The highest version below the lowest compile time version hole
2008 * where that hole lies above at least one run-time enabled
2009 * protocol.
2010 *
2011 * Work out what version we should be using for the initial ClientHello if the
2012 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2013 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2014 * constraints and any floor imposed by the security level here,
2015 * so we don't advertise the wrong protocol version to only reject the outcome later.
2016 *
2017 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2018 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2019 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2020 *
2021 * Returns 0 on success or an SSL error reason number on failure. On failure
2022 * min_version and max_version will also be set to 0.
2023 */
ssl_get_min_max_version(const SSL * s,int * min_version,int * max_version,int * real_max)2024 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2025 int *real_max)
2026 {
2027 int version, tmp_real_max;
2028 int hole;
2029 const SSL_METHOD *single = NULL;
2030 const SSL_METHOD *method;
2031 const version_info *table;
2032 const version_info *vent;
2033
2034 switch (s->method->version) {
2035 default:
2036 /*
2037 * If this SSL handle is not from a version flexible method we don't
2038 * (and never did) check min/max FIPS or Suite B constraints. Hope
2039 * that's OK. It is up to the caller to not choose fixed protocol
2040 * versions they don't want. If not, then easy to fix, just return
2041 * ssl_method_error(s, s->method)
2042 */
2043 *min_version = *max_version = s->version;
2044 /*
2045 * Providing a real_max only makes sense where we're using a version
2046 * flexible method.
2047 */
2048 if (!ossl_assert(real_max == NULL))
2049 return ERR_R_INTERNAL_ERROR;
2050 return 0;
2051 case TLS_ANY_VERSION:
2052 table = tls_version_table;
2053 break;
2054 case DTLS_ANY_VERSION:
2055 table = dtls_version_table;
2056 break;
2057 }
2058
2059 /*
2060 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2061 * below X enabled. This is required in order to maintain the "version
2062 * capability" vector contiguous. Any versions with a NULL client method
2063 * (protocol version client is disabled at compile-time) is also a "hole".
2064 *
2065 * Our initial state is hole == 1, version == 0. That is, versions above
2066 * the first version in the method table are disabled (a "hole" above
2067 * the valid protocol entries) and we don't have a selected version yet.
2068 *
2069 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2070 * the selected version, and the method becomes a candidate "single"
2071 * method. We're no longer in a hole, so "hole" becomes 0.
2072 *
2073 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2074 * as we support a contiguous range of at least two methods. If we hit
2075 * a disabled method, then hole becomes true again, but nothing else
2076 * changes yet, because all the remaining methods may be disabled too.
2077 * If we again hit an enabled method after the new hole, it becomes
2078 * selected, as we start from scratch.
2079 */
2080 *min_version = version = 0;
2081 hole = 1;
2082 if (real_max != NULL)
2083 *real_max = 0;
2084 tmp_real_max = 0;
2085 for (vent = table; vent->version != 0; ++vent) {
2086 /*
2087 * A table entry with a NULL client method is still a hole in the
2088 * "version capability" vector.
2089 */
2090 if (vent->cmeth == NULL) {
2091 hole = 1;
2092 tmp_real_max = 0;
2093 continue;
2094 }
2095 method = vent->cmeth();
2096
2097 if (hole == 1 && tmp_real_max == 0)
2098 tmp_real_max = vent->version;
2099
2100 if (ssl_method_error(s, method) != 0) {
2101 hole = 1;
2102 } else if (!hole) {
2103 single = NULL;
2104 *min_version = method->version;
2105 } else {
2106 if (real_max != NULL && tmp_real_max != 0)
2107 *real_max = tmp_real_max;
2108 version = (single = method)->version;
2109 *min_version = version;
2110 hole = 0;
2111 }
2112 }
2113
2114 *max_version = version;
2115
2116 /* Fail if everything is disabled */
2117 if (version == 0)
2118 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2119
2120 return 0;
2121 }
2122
2123 /*
2124 * ssl_set_client_hello_version - Work out what version we should be using for
2125 * the initial ClientHello.legacy_version field.
2126 *
2127 * @s: client SSL handle.
2128 *
2129 * Returns 0 on success or an SSL error reason number on failure.
2130 */
ssl_set_client_hello_version(SSL * s)2131 int ssl_set_client_hello_version(SSL *s)
2132 {
2133 int ver_min, ver_max, ret;
2134
2135 /*
2136 * In a renegotiation we always send the same client_version that we sent
2137 * last time, regardless of which version we eventually negotiated.
2138 */
2139 if (!SSL_IS_FIRST_HANDSHAKE(s))
2140 return 0;
2141
2142 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2143
2144 if (ret != 0)
2145 return ret;
2146
2147 s->version = ver_max;
2148
2149 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2150 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2151 ver_max = TLS1_2_VERSION;
2152
2153 s->client_version = ver_max;
2154 return 0;
2155 }
2156
2157 /*
2158 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2159 * and |checkallow| is 1 then additionally check if the group is allowed to be
2160 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2161 * 1) or 0 otherwise.
2162 */
check_in_list(SSL * s,uint16_t group_id,const uint16_t * groups,size_t num_groups,int checkallow)2163 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2164 size_t num_groups, int checkallow)
2165 {
2166 size_t i;
2167
2168 if (groups == NULL || num_groups == 0)
2169 return 0;
2170
2171 for (i = 0; i < num_groups; i++) {
2172 uint16_t group = groups[i];
2173
2174 if (group_id == group
2175 && (!checkallow
2176 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2177 return 1;
2178 }
2179 }
2180
2181 return 0;
2182 }
2183
2184 /* Replace ClientHello1 in the transcript hash with a synthetic message */
create_synthetic_message_hash(SSL * s,const unsigned char * hashval,size_t hashlen,const unsigned char * hrr,size_t hrrlen)2185 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2186 size_t hashlen, const unsigned char *hrr,
2187 size_t hrrlen)
2188 {
2189 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2190 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2191
2192 memset(msghdr, 0, sizeof(msghdr));
2193
2194 if (hashval == NULL) {
2195 hashval = hashvaltmp;
2196 hashlen = 0;
2197 /* Get the hash of the initial ClientHello */
2198 if (!ssl3_digest_cached_records(s, 0)
2199 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2200 &hashlen)) {
2201 /* SSLfatal() already called */
2202 return 0;
2203 }
2204 }
2205
2206 /* Reinitialise the transcript hash */
2207 if (!ssl3_init_finished_mac(s)) {
2208 /* SSLfatal() already called */
2209 return 0;
2210 }
2211
2212 /* Inject the synthetic message_hash message */
2213 msghdr[0] = SSL3_MT_MESSAGE_HASH;
2214 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2215 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2216 || !ssl3_finish_mac(s, hashval, hashlen)) {
2217 /* SSLfatal() already called */
2218 return 0;
2219 }
2220
2221 /*
2222 * Now re-inject the HRR and current message if appropriate (we just deleted
2223 * it when we reinitialised the transcript hash above). Only necessary after
2224 * receiving a ClientHello2 with a cookie.
2225 */
2226 if (hrr != NULL
2227 && (!ssl3_finish_mac(s, hrr, hrrlen)
2228 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2229 s->s3.tmp.message_size
2230 + SSL3_HM_HEADER_LENGTH))) {
2231 /* SSLfatal() already called */
2232 return 0;
2233 }
2234
2235 return 1;
2236 }
2237
ca_dn_cmp(const X509_NAME * const * a,const X509_NAME * const * b)2238 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2239 {
2240 return X509_NAME_cmp(*a, *b);
2241 }
2242
parse_ca_names(SSL * s,PACKET * pkt)2243 int parse_ca_names(SSL *s, PACKET *pkt)
2244 {
2245 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2246 X509_NAME *xn = NULL;
2247 PACKET cadns;
2248
2249 if (ca_sk == NULL) {
2250 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2251 goto err;
2252 }
2253 /* get the CA RDNs */
2254 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2255 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2256 goto err;
2257 }
2258
2259 while (PACKET_remaining(&cadns)) {
2260 const unsigned char *namestart, *namebytes;
2261 unsigned int name_len;
2262
2263 if (!PACKET_get_net_2(&cadns, &name_len)
2264 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2265 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2266 goto err;
2267 }
2268
2269 namestart = namebytes;
2270 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2271 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
2272 goto err;
2273 }
2274 if (namebytes != (namestart + name_len)) {
2275 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
2276 goto err;
2277 }
2278
2279 if (!sk_X509_NAME_push(ca_sk, xn)) {
2280 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2281 goto err;
2282 }
2283 xn = NULL;
2284 }
2285
2286 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2287 s->s3.tmp.peer_ca_names = ca_sk;
2288
2289 return 1;
2290
2291 err:
2292 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2293 X509_NAME_free(xn);
2294 return 0;
2295 }
2296
STACK_OF(X509_NAME)2297 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2298 {
2299 const STACK_OF(X509_NAME) *ca_sk = NULL;;
2300
2301 if (s->server) {
2302 ca_sk = SSL_get_client_CA_list(s);
2303 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2304 ca_sk = NULL;
2305 }
2306
2307 if (ca_sk == NULL)
2308 ca_sk = SSL_get0_CA_list(s);
2309
2310 return ca_sk;
2311 }
2312
construct_ca_names(SSL * s,const STACK_OF (X509_NAME)* ca_sk,WPACKET * pkt)2313 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2314 {
2315 /* Start sub-packet for client CA list */
2316 if (!WPACKET_start_sub_packet_u16(pkt)) {
2317 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2318 return 0;
2319 }
2320
2321 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
2322 int i;
2323
2324 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2325 unsigned char *namebytes;
2326 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2327 int namelen;
2328
2329 if (name == NULL
2330 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2331 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2332 &namebytes)
2333 || i2d_X509_NAME(name, &namebytes) != namelen) {
2334 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2335 return 0;
2336 }
2337 }
2338 }
2339
2340 if (!WPACKET_close(pkt)) {
2341 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2342 return 0;
2343 }
2344
2345 return 1;
2346 }
2347
2348 /* Create a buffer containing data to be signed for server key exchange */
construct_key_exchange_tbs(SSL * s,unsigned char ** ptbs,const void * param,size_t paramlen)2349 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2350 const void *param, size_t paramlen)
2351 {
2352 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2353 unsigned char *tbs = OPENSSL_malloc(tbslen);
2354
2355 if (tbs == NULL) {
2356 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2357 return 0;
2358 }
2359 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2360 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2361
2362 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2363
2364 *ptbs = tbs;
2365 return tbslen;
2366 }
2367
2368 /*
2369 * Saves the current handshake digest for Post-Handshake Auth,
2370 * Done after ClientFinished is processed, done exactly once
2371 */
tls13_save_handshake_digest_for_pha(SSL * s)2372 int tls13_save_handshake_digest_for_pha(SSL *s)
2373 {
2374 if (s->pha_dgst == NULL) {
2375 if (!ssl3_digest_cached_records(s, 1))
2376 /* SSLfatal() already called */
2377 return 0;
2378
2379 s->pha_dgst = EVP_MD_CTX_new();
2380 if (s->pha_dgst == NULL) {
2381 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2382 return 0;
2383 }
2384 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2385 s->s3.handshake_dgst)) {
2386 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2387 EVP_MD_CTX_free(s->pha_dgst);
2388 s->pha_dgst = NULL;
2389 return 0;
2390 }
2391 }
2392 return 1;
2393 }
2394
2395 /*
2396 * Restores the Post-Handshake Auth handshake digest
2397 * Done just before sending/processing the Cert Request
2398 */
tls13_restore_handshake_digest_for_pha(SSL * s)2399 int tls13_restore_handshake_digest_for_pha(SSL *s)
2400 {
2401 if (s->pha_dgst == NULL) {
2402 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2403 return 0;
2404 }
2405 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2406 s->pha_dgst)) {
2407 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2408 return 0;
2409 }
2410 return 1;
2411 }
2412