1 /*
2 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include <limits.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/objects.h>
19 #include <openssl/evp.h>
20 #include <openssl/rsa.h>
21 #include <openssl/x509.h>
22 #include <openssl/trace.h>
23
24 /*
25 * Map error codes to TLS/SSL alart types.
26 */
27 typedef struct x509err2alert_st {
28 int x509err;
29 int alert;
30 } X509ERR2ALERT;
31
32 /* Fixed value used in the ServerHello random field to identify an HRR */
33 const unsigned char hrrrandom[] = {
34 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37 };
38
39 /*
40 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41 * SSL3_RT_CHANGE_CIPHER_SPEC)
42 */
ssl3_do_write(SSL * s,int type)43 int ssl3_do_write(SSL *s, int type)
44 {
45 int ret;
46 size_t written = 0;
47
48 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
49 s->init_num, &written);
50 if (ret <= 0)
51 return -1;
52 if (type == SSL3_RT_HANDSHAKE)
53 /*
54 * should not be done for 'Hello Request's, but in that case we'll
55 * ignore the result anyway
56 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
57 */
58 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
59 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
60 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
61 if (!ssl3_finish_mac(s,
62 (unsigned char *)&s->init_buf->data[s->init_off],
63 written))
64 return -1;
65 if (written == s->init_num) {
66 if (s->msg_callback)
67 s->msg_callback(1, s->version, type, s->init_buf->data,
68 (size_t)(s->init_off + s->init_num), s,
69 s->msg_callback_arg);
70 return 1;
71 }
72 s->init_off += written;
73 s->init_num -= written;
74 return 0;
75 }
76
tls_close_construct_packet(SSL * s,WPACKET * pkt,int htype)77 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
78 {
79 size_t msglen;
80
81 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
82 || !WPACKET_get_length(pkt, &msglen)
83 || msglen > INT_MAX)
84 return 0;
85 s->init_num = (int)msglen;
86 s->init_off = 0;
87
88 return 1;
89 }
90
tls_setup_handshake(SSL * s)91 int tls_setup_handshake(SSL *s)
92 {
93 int ver_min, ver_max, ok;
94
95 if (!ssl3_init_finished_mac(s)) {
96 /* SSLfatal() already called */
97 return 0;
98 }
99
100 /* Reset any extension flags */
101 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
102
103 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
104 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
105 return 0;
106 }
107
108 /* Sanity check that we have MD5-SHA1 if we need it */
109 if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
110 int md5sha1_needed = 0;
111
112 /* We don't have MD5-SHA1 - do we need it? */
113 if (SSL_IS_DTLS(s)) {
114 if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
115 md5sha1_needed = 1;
116 } else {
117 if (ver_max <= TLS1_1_VERSION)
118 md5sha1_needed = 1;
119 }
120 if (md5sha1_needed) {
121 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
122 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
123 "The max supported SSL/TLS version needs the"
124 " MD5-SHA1 digest but it is not available"
125 " in the loaded providers. Use (D)TLSv1.2 or"
126 " above, or load different providers");
127 return 0;
128 }
129
130 ok = 1;
131 /* Don't allow TLSv1.1 or below to be negotiated */
132 if (SSL_IS_DTLS(s)) {
133 if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
134 ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION);
135 } else {
136 if (ver_min < TLS1_2_VERSION)
137 ok = SSL_set_min_proto_version(s, TLS1_2_VERSION);
138 }
139 if (!ok) {
140 /* Shouldn't happen */
141 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
142 return 0;
143 }
144 }
145
146 ok = 0;
147 if (s->server) {
148 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
149 int i;
150
151 /*
152 * Sanity check that the maximum version we accept has ciphers
153 * enabled. For clients we do this check during construction of the
154 * ClientHello.
155 */
156 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
157 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
158
159 if (SSL_IS_DTLS(s)) {
160 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
161 DTLS_VERSION_LE(ver_max, c->max_dtls))
162 ok = 1;
163 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
164 ok = 1;
165 }
166 if (ok)
167 break;
168 }
169 if (!ok) {
170 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
171 SSL_R_NO_CIPHERS_AVAILABLE,
172 "No ciphers enabled for max supported "
173 "SSL/TLS version");
174 return 0;
175 }
176 if (SSL_IS_FIRST_HANDSHAKE(s)) {
177 /* N.B. s->session_ctx == s->ctx here */
178 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
179 } else {
180 /* N.B. s->ctx may not equal s->session_ctx */
181 ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_renegotiate);
182
183 s->s3.tmp.cert_request = 0;
184 }
185 } else {
186 if (SSL_IS_FIRST_HANDSHAKE(s))
187 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
188 else
189 ssl_tsan_counter(s->session_ctx,
190 &s->session_ctx->stats.sess_connect_renegotiate);
191
192 /* mark client_random uninitialized */
193 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
194 s->hit = 0;
195
196 s->s3.tmp.cert_req = 0;
197
198 if (SSL_IS_DTLS(s))
199 s->statem.use_timer = 1;
200 }
201
202 return 1;
203 }
204
205 /*
206 * Size of the to-be-signed TLS13 data, without the hash size itself:
207 * 64 bytes of value 32, 33 context bytes, 1 byte separator
208 */
209 #define TLS13_TBS_START_SIZE 64
210 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
211
get_cert_verify_tbs_data(SSL * s,unsigned char * tls13tbs,void ** hdata,size_t * hdatalen)212 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
213 void **hdata, size_t *hdatalen)
214 {
215 #ifdef CHARSET_EBCDIC
216 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
217 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
218 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
219 0x69, 0x66, 0x79, 0x00 };
220 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
221 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
222 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
223 0x69, 0x66, 0x79, 0x00 };
224 #else
225 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
226 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
227 #endif
228 if (SSL_IS_TLS13(s)) {
229 size_t hashlen;
230
231 /* Set the first 64 bytes of to-be-signed data to octet 32 */
232 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
233 /* This copies the 33 bytes of context plus the 0 separator byte */
234 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
235 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
236 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
237 else
238 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
239
240 /*
241 * If we're currently reading then we need to use the saved handshake
242 * hash value. We can't use the current handshake hash state because
243 * that includes the CertVerify itself.
244 */
245 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
246 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
247 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
248 s->cert_verify_hash_len);
249 hashlen = s->cert_verify_hash_len;
250 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
251 EVP_MAX_MD_SIZE, &hashlen)) {
252 /* SSLfatal() already called */
253 return 0;
254 }
255
256 *hdata = tls13tbs;
257 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
258 } else {
259 size_t retlen;
260 long retlen_l;
261
262 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
263 if (retlen_l <= 0) {
264 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
265 return 0;
266 }
267 *hdatalen = retlen;
268 }
269
270 return 1;
271 }
272
tls_construct_cert_verify(SSL * s,WPACKET * pkt)273 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
274 {
275 EVP_PKEY *pkey = NULL;
276 const EVP_MD *md = NULL;
277 EVP_MD_CTX *mctx = NULL;
278 EVP_PKEY_CTX *pctx = NULL;
279 size_t hdatalen = 0, siglen = 0;
280 void *hdata;
281 unsigned char *sig = NULL;
282 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
283 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
284
285 if (lu == NULL || s->s3.tmp.cert == NULL) {
286 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
287 goto err;
288 }
289 pkey = s->s3.tmp.cert->privatekey;
290
291 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
292 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
293 goto err;
294 }
295
296 mctx = EVP_MD_CTX_new();
297 if (mctx == NULL) {
298 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
299 goto err;
300 }
301
302 /* Get the data to be signed */
303 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
304 /* SSLfatal() already called */
305 goto err;
306 }
307
308 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
309 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
310 goto err;
311 }
312
313 if (EVP_DigestSignInit_ex(mctx, &pctx,
314 md == NULL ? NULL : EVP_MD_get0_name(md),
315 s->ctx->libctx, s->ctx->propq, pkey,
316 NULL) <= 0) {
317 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
318 goto err;
319 }
320
321 if (lu->sig == EVP_PKEY_RSA_PSS) {
322 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
323 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
324 RSA_PSS_SALTLEN_DIGEST) <= 0) {
325 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
326 goto err;
327 }
328 }
329 if (s->version == SSL3_VERSION) {
330 /*
331 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
332 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
333 */
334 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
335 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
336 (int)s->session->master_key_length,
337 s->session->master_key) <= 0
338 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
339
340 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
341 goto err;
342 }
343 sig = OPENSSL_malloc(siglen);
344 if (sig == NULL
345 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
346 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
347 goto err;
348 }
349 } else {
350 /*
351 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
352 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
353 */
354 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
355 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
356 goto err;
357 }
358 sig = OPENSSL_malloc(siglen);
359 if (sig == NULL
360 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
362 goto err;
363 }
364 }
365
366 #ifndef OPENSSL_NO_GOST
367 {
368 int pktype = lu->sig;
369
370 if (pktype == NID_id_GostR3410_2001
371 || pktype == NID_id_GostR3410_2012_256
372 || pktype == NID_id_GostR3410_2012_512)
373 BUF_reverse(sig, NULL, siglen);
374 }
375 #endif
376
377 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
378 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
379 goto err;
380 }
381
382 /* Digest cached records and discard handshake buffer */
383 if (!ssl3_digest_cached_records(s, 0)) {
384 /* SSLfatal() already called */
385 goto err;
386 }
387
388 OPENSSL_free(sig);
389 EVP_MD_CTX_free(mctx);
390 return 1;
391 err:
392 OPENSSL_free(sig);
393 EVP_MD_CTX_free(mctx);
394 return 0;
395 }
396
tls_process_cert_verify(SSL * s,PACKET * pkt)397 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
398 {
399 EVP_PKEY *pkey = NULL;
400 const unsigned char *data;
401 #ifndef OPENSSL_NO_GOST
402 unsigned char *gost_data = NULL;
403 #endif
404 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
405 int j;
406 unsigned int len;
407 X509 *peer;
408 const EVP_MD *md = NULL;
409 size_t hdatalen = 0;
410 void *hdata;
411 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
412 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
413 EVP_PKEY_CTX *pctx = NULL;
414
415 if (mctx == NULL) {
416 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
417 goto err;
418 }
419
420 peer = s->session->peer;
421 pkey = X509_get0_pubkey(peer);
422 if (pkey == NULL) {
423 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
424 goto err;
425 }
426
427 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
428 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
429 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
430 goto err;
431 }
432
433 if (SSL_USE_SIGALGS(s)) {
434 unsigned int sigalg;
435
436 if (!PACKET_get_net_2(pkt, &sigalg)) {
437 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
438 goto err;
439 }
440 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
441 /* SSLfatal() already called */
442 goto err;
443 }
444 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
445 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
446 SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);
447 goto err;
448 }
449
450 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
451 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
452 goto err;
453 }
454
455 if (SSL_USE_SIGALGS(s))
456 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
457 md == NULL ? "n/a" : EVP_MD_get0_name(md));
458
459 /* Check for broken implementations of GOST ciphersuites */
460 /*
461 * If key is GOST and len is exactly 64 or 128, it is signature without
462 * length field (CryptoPro implementations at least till TLS 1.2)
463 */
464 #ifndef OPENSSL_NO_GOST
465 if (!SSL_USE_SIGALGS(s)
466 && ((PACKET_remaining(pkt) == 64
467 && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
468 || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
469 || (PACKET_remaining(pkt) == 128
470 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
471 len = PACKET_remaining(pkt);
472 } else
473 #endif
474 if (!PACKET_get_net_2(pkt, &len)) {
475 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
476 goto err;
477 }
478
479 if (!PACKET_get_bytes(pkt, &data, len)) {
480 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
481 goto err;
482 }
483 if (PACKET_remaining(pkt) != 0) {
484 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
485 goto err;
486 }
487
488 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
489 /* SSLfatal() already called */
490 goto err;
491 }
492
493 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
494 md == NULL ? "n/a" : EVP_MD_get0_name(md));
495
496 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
497 md == NULL ? NULL : EVP_MD_get0_name(md),
498 s->ctx->libctx, s->ctx->propq, pkey,
499 NULL) <= 0) {
500 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
501 goto err;
502 }
503 #ifndef OPENSSL_NO_GOST
504 {
505 int pktype = EVP_PKEY_get_id(pkey);
506 if (pktype == NID_id_GostR3410_2001
507 || pktype == NID_id_GostR3410_2012_256
508 || pktype == NID_id_GostR3410_2012_512) {
509 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
510 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
511 goto err;
512 }
513 BUF_reverse(gost_data, data, len);
514 data = gost_data;
515 }
516 }
517 #endif
518
519 if (SSL_USE_PSS(s)) {
520 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
521 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
522 RSA_PSS_SALTLEN_DIGEST) <= 0) {
523 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
524 goto err;
525 }
526 }
527 if (s->version == SSL3_VERSION) {
528 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
529 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
530 (int)s->session->master_key_length,
531 s->session->master_key) <= 0) {
532 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
533 goto err;
534 }
535 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
536 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
537 goto err;
538 }
539 } else {
540 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
541 if (j <= 0) {
542 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
543 goto err;
544 }
545 }
546
547 /*
548 * In TLSv1.3 on the client side we make sure we prepare the client
549 * certificate after the CertVerify instead of when we get the
550 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
551 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
552 * want to make sure that SSL_get1_peer_certificate() will return the actual
553 * server certificate from the client_cert_cb callback.
554 */
555 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
556 ret = MSG_PROCESS_CONTINUE_PROCESSING;
557 else
558 ret = MSG_PROCESS_CONTINUE_READING;
559 err:
560 BIO_free(s->s3.handshake_buffer);
561 s->s3.handshake_buffer = NULL;
562 EVP_MD_CTX_free(mctx);
563 #ifndef OPENSSL_NO_GOST
564 OPENSSL_free(gost_data);
565 #endif
566 return ret;
567 }
568
tls_construct_finished(SSL * s,WPACKET * pkt)569 int tls_construct_finished(SSL *s, WPACKET *pkt)
570 {
571 size_t finish_md_len;
572 const char *sender;
573 size_t slen;
574
575 /* This is a real handshake so make sure we clean it up at the end */
576 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
577 s->statem.cleanuphand = 1;
578
579 /*
580 * We only change the keys if we didn't already do this when we sent the
581 * client certificate
582 */
583 if (SSL_IS_TLS13(s)
584 && !s->server
585 && s->s3.tmp.cert_req == 0
586 && (!s->method->ssl3_enc->change_cipher_state(s,
587 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
588 /* SSLfatal() already called */
589 return 0;
590 }
591
592 if (s->server) {
593 sender = s->method->ssl3_enc->server_finished_label;
594 slen = s->method->ssl3_enc->server_finished_label_len;
595 } else {
596 sender = s->method->ssl3_enc->client_finished_label;
597 slen = s->method->ssl3_enc->client_finished_label_len;
598 }
599
600 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
601 sender, slen,
602 s->s3.tmp.finish_md);
603 if (finish_md_len == 0) {
604 /* SSLfatal() already called */
605 return 0;
606 }
607
608 s->s3.tmp.finish_md_len = finish_md_len;
609
610 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
611 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
612 return 0;
613 }
614
615 /*
616 * Log the master secret, if logging is enabled. We don't log it for
617 * TLSv1.3: there's a different key schedule for that.
618 */
619 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
620 s->session->master_key,
621 s->session->master_key_length)) {
622 /* SSLfatal() already called */
623 return 0;
624 }
625
626 /*
627 * Copy the finished so we can use it for renegotiation checks
628 */
629 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
630 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
631 return 0;
632 }
633 if (!s->server) {
634 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
635 finish_md_len);
636 s->s3.previous_client_finished_len = finish_md_len;
637 } else {
638 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
639 finish_md_len);
640 s->s3.previous_server_finished_len = finish_md_len;
641 }
642
643 return 1;
644 }
645
tls_construct_key_update(SSL * s,WPACKET * pkt)646 int tls_construct_key_update(SSL *s, WPACKET *pkt)
647 {
648 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
649 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
650 return 0;
651 }
652
653 s->key_update = SSL_KEY_UPDATE_NONE;
654 return 1;
655 }
656
tls_process_key_update(SSL * s,PACKET * pkt)657 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
658 {
659 unsigned int updatetype;
660
661 /*
662 * A KeyUpdate message signals a key change so the end of the message must
663 * be on a record boundary.
664 */
665 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
666 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
667 return MSG_PROCESS_ERROR;
668 }
669
670 if (!PACKET_get_1(pkt, &updatetype)
671 || PACKET_remaining(pkt) != 0) {
672 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
673 return MSG_PROCESS_ERROR;
674 }
675
676 /*
677 * There are only two defined key update types. Fail if we get a value we
678 * didn't recognise.
679 */
680 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
681 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
682 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
683 return MSG_PROCESS_ERROR;
684 }
685
686 /*
687 * If we get a request for us to update our sending keys too then, we need
688 * to additionally send a KeyUpdate message. However that message should
689 * not also request an update (otherwise we get into an infinite loop).
690 */
691 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
692 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
693
694 if (!tls13_update_key(s, 0)) {
695 /* SSLfatal() already called */
696 return MSG_PROCESS_ERROR;
697 }
698
699 return MSG_PROCESS_FINISHED_READING;
700 }
701
702 /*
703 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
704 * to far.
705 */
ssl3_take_mac(SSL * s)706 int ssl3_take_mac(SSL *s)
707 {
708 const char *sender;
709 size_t slen;
710
711 if (!s->server) {
712 sender = s->method->ssl3_enc->server_finished_label;
713 slen = s->method->ssl3_enc->server_finished_label_len;
714 } else {
715 sender = s->method->ssl3_enc->client_finished_label;
716 slen = s->method->ssl3_enc->client_finished_label_len;
717 }
718
719 s->s3.tmp.peer_finish_md_len =
720 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
721 s->s3.tmp.peer_finish_md);
722
723 if (s->s3.tmp.peer_finish_md_len == 0) {
724 /* SSLfatal() already called */
725 return 0;
726 }
727
728 return 1;
729 }
730
tls_process_change_cipher_spec(SSL * s,PACKET * pkt)731 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
732 {
733 size_t remain;
734
735 remain = PACKET_remaining(pkt);
736 /*
737 * 'Change Cipher Spec' is just a single byte, which should already have
738 * been consumed by ssl_get_message() so there should be no bytes left,
739 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
740 */
741 if (SSL_IS_DTLS(s)) {
742 if ((s->version == DTLS1_BAD_VER
743 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
744 || (s->version != DTLS1_BAD_VER
745 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
746 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
747 return MSG_PROCESS_ERROR;
748 }
749 } else {
750 if (remain != 0) {
751 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
752 return MSG_PROCESS_ERROR;
753 }
754 }
755
756 /* Check we have a cipher to change to */
757 if (s->s3.tmp.new_cipher == NULL) {
758 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
759 return MSG_PROCESS_ERROR;
760 }
761
762 s->s3.change_cipher_spec = 1;
763 if (!ssl3_do_change_cipher_spec(s)) {
764 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
765 return MSG_PROCESS_ERROR;
766 }
767
768 if (SSL_IS_DTLS(s)) {
769 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
770
771 if (s->version == DTLS1_BAD_VER)
772 s->d1->handshake_read_seq++;
773
774 #ifndef OPENSSL_NO_SCTP
775 /*
776 * Remember that a CCS has been received, so that an old key of
777 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
778 * SCTP is used
779 */
780 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
781 #endif
782 }
783
784 return MSG_PROCESS_CONTINUE_READING;
785 }
786
tls_process_finished(SSL * s,PACKET * pkt)787 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
788 {
789 size_t md_len;
790
791
792 /* This is a real handshake so make sure we clean it up at the end */
793 if (s->server) {
794 /*
795 * To get this far we must have read encrypted data from the client. We
796 * no longer tolerate unencrypted alerts. This value is ignored if less
797 * than TLSv1.3
798 */
799 s->statem.enc_read_state = ENC_READ_STATE_VALID;
800 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
801 s->statem.cleanuphand = 1;
802 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
803 /* SSLfatal() already called */
804 return MSG_PROCESS_ERROR;
805 }
806 }
807
808 /*
809 * In TLSv1.3 a Finished message signals a key change so the end of the
810 * message must be on a record boundary.
811 */
812 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
813 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
814 return MSG_PROCESS_ERROR;
815 }
816
817 /* If this occurs, we have missed a message */
818 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
819 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
820 return MSG_PROCESS_ERROR;
821 }
822 s->s3.change_cipher_spec = 0;
823
824 md_len = s->s3.tmp.peer_finish_md_len;
825
826 if (md_len != PACKET_remaining(pkt)) {
827 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
828 return MSG_PROCESS_ERROR;
829 }
830
831 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
832 md_len) != 0) {
833 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
834 return MSG_PROCESS_ERROR;
835 }
836
837 /*
838 * Copy the finished so we can use it for renegotiation checks
839 */
840 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
841 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
842 return MSG_PROCESS_ERROR;
843 }
844 if (s->server) {
845 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
846 md_len);
847 s->s3.previous_client_finished_len = md_len;
848 } else {
849 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
850 md_len);
851 s->s3.previous_server_finished_len = md_len;
852 }
853
854 /*
855 * In TLS1.3 we also have to change cipher state and do any final processing
856 * of the initial server flight (if we are a client)
857 */
858 if (SSL_IS_TLS13(s)) {
859 if (s->server) {
860 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
861 !s->method->ssl3_enc->change_cipher_state(s,
862 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
863 /* SSLfatal() already called */
864 return MSG_PROCESS_ERROR;
865 }
866 } else {
867 /* TLS 1.3 gets the secret size from the handshake md */
868 size_t dummy;
869 if (!s->method->ssl3_enc->generate_master_secret(s,
870 s->master_secret, s->handshake_secret, 0,
871 &dummy)) {
872 /* SSLfatal() already called */
873 return MSG_PROCESS_ERROR;
874 }
875 if (!s->method->ssl3_enc->change_cipher_state(s,
876 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
877 /* SSLfatal() already called */
878 return MSG_PROCESS_ERROR;
879 }
880 if (!tls_process_initial_server_flight(s)) {
881 /* SSLfatal() already called */
882 return MSG_PROCESS_ERROR;
883 }
884 }
885 }
886
887 return MSG_PROCESS_FINISHED_READING;
888 }
889
tls_construct_change_cipher_spec(SSL * s,WPACKET * pkt)890 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
891 {
892 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
893 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
894 return 0;
895 }
896
897 return 1;
898 }
899
900 /* Add a certificate to the WPACKET */
ssl_add_cert_to_wpacket(SSL * s,WPACKET * pkt,X509 * x,int chain)901 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
902 {
903 int len;
904 unsigned char *outbytes;
905
906 len = i2d_X509(x, NULL);
907 if (len < 0) {
908 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
909 return 0;
910 }
911 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
912 || i2d_X509(x, &outbytes) != len) {
913 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
914 return 0;
915 }
916
917 if (SSL_IS_TLS13(s)
918 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
919 chain)) {
920 /* SSLfatal() already called */
921 return 0;
922 }
923
924 return 1;
925 }
926
927 /* Add certificate chain to provided WPACKET */
ssl_add_cert_chain(SSL * s,WPACKET * pkt,CERT_PKEY * cpk)928 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
929 {
930 int i, chain_count;
931 X509 *x;
932 STACK_OF(X509) *extra_certs;
933 STACK_OF(X509) *chain = NULL;
934 X509_STORE *chain_store;
935
936 if (cpk == NULL || cpk->x509 == NULL)
937 return 1;
938
939 x = cpk->x509;
940
941 /*
942 * If we have a certificate specific chain use it, else use parent ctx.
943 */
944 if (cpk->chain != NULL)
945 extra_certs = cpk->chain;
946 else
947 extra_certs = s->ctx->extra_certs;
948
949 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
950 chain_store = NULL;
951 else if (s->cert->chain_store)
952 chain_store = s->cert->chain_store;
953 else
954 chain_store = s->ctx->cert_store;
955
956 if (chain_store != NULL) {
957 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx,
958 s->ctx->propq);
959
960 if (xs_ctx == NULL) {
961 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
962 return 0;
963 }
964 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
965 X509_STORE_CTX_free(xs_ctx);
966 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
967 return 0;
968 }
969 /*
970 * It is valid for the chain not to be complete (because normally we
971 * don't include the root cert in the chain). Therefore we deliberately
972 * ignore the error return from this call. We're not actually verifying
973 * the cert - we're just building as much of the chain as we can
974 */
975 (void)X509_verify_cert(xs_ctx);
976 /* Don't leave errors in the queue */
977 ERR_clear_error();
978 chain = X509_STORE_CTX_get0_chain(xs_ctx);
979 i = ssl_security_cert_chain(s, chain, NULL, 0);
980 if (i != 1) {
981 #if 0
982 /* Dummy error calls so mkerr generates them */
983 ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
984 ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
985 ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
986 #endif
987 X509_STORE_CTX_free(xs_ctx);
988 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
989 return 0;
990 }
991 chain_count = sk_X509_num(chain);
992 for (i = 0; i < chain_count; i++) {
993 x = sk_X509_value(chain, i);
994
995 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
996 /* SSLfatal() already called */
997 X509_STORE_CTX_free(xs_ctx);
998 return 0;
999 }
1000 }
1001 X509_STORE_CTX_free(xs_ctx);
1002 } else {
1003 i = ssl_security_cert_chain(s, extra_certs, x, 0);
1004 if (i != 1) {
1005 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
1006 return 0;
1007 }
1008 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1009 /* SSLfatal() already called */
1010 return 0;
1011 }
1012 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1013 x = sk_X509_value(extra_certs, i);
1014 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1015 /* SSLfatal() already called */
1016 return 0;
1017 }
1018 }
1019 }
1020 return 1;
1021 }
1022
ssl3_output_cert_chain(SSL * s,WPACKET * pkt,CERT_PKEY * cpk)1023 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1024 {
1025 if (!WPACKET_start_sub_packet_u24(pkt)) {
1026 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1027 return 0;
1028 }
1029
1030 if (!ssl_add_cert_chain(s, pkt, cpk))
1031 return 0;
1032
1033 if (!WPACKET_close(pkt)) {
1034 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1035 return 0;
1036 }
1037
1038 return 1;
1039 }
1040
1041 /*
1042 * Tidy up after the end of a handshake. In the case of SCTP this may result
1043 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1044 * freed up as well.
1045 */
tls_finish_handshake(SSL * s,ossl_unused WORK_STATE wst,int clearbufs,int stop)1046 WORK_STATE tls_finish_handshake(SSL *s, ossl_unused WORK_STATE wst,
1047 int clearbufs, int stop)
1048 {
1049 void (*cb) (const SSL *ssl, int type, int val) = NULL;
1050 int cleanuphand = s->statem.cleanuphand;
1051
1052 if (clearbufs) {
1053 if (!SSL_IS_DTLS(s)
1054 #ifndef OPENSSL_NO_SCTP
1055 /*
1056 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1057 * messages that require it. Therefore, DTLS procedures for retransmissions
1058 * MUST NOT be used.
1059 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1060 */
1061 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1062 #endif
1063 ) {
1064 /*
1065 * We don't do this in DTLS over UDP because we may still need the init_buf
1066 * in case there are any unexpected retransmits
1067 */
1068 BUF_MEM_free(s->init_buf);
1069 s->init_buf = NULL;
1070 }
1071
1072 if (!ssl_free_wbio_buffer(s)) {
1073 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1074 return WORK_ERROR;
1075 }
1076 s->init_num = 0;
1077 }
1078
1079 if (SSL_IS_TLS13(s) && !s->server
1080 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1081 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1082
1083 /*
1084 * Only set if there was a Finished message and this isn't after a TLSv1.3
1085 * post handshake exchange
1086 */
1087 if (cleanuphand) {
1088 /* skipped if we just sent a HelloRequest */
1089 s->renegotiate = 0;
1090 s->new_session = 0;
1091 s->statem.cleanuphand = 0;
1092 s->ext.ticket_expected = 0;
1093
1094 ssl3_cleanup_key_block(s);
1095
1096 if (s->server) {
1097 /*
1098 * In TLSv1.3 we update the cache as part of constructing the
1099 * NewSessionTicket
1100 */
1101 if (!SSL_IS_TLS13(s))
1102 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1103
1104 /* N.B. s->ctx may not equal s->session_ctx */
1105 ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_good);
1106 s->handshake_func = ossl_statem_accept;
1107 } else {
1108 if (SSL_IS_TLS13(s)) {
1109 /*
1110 * We encourage applications to only use TLSv1.3 tickets once,
1111 * so we remove this one from the cache.
1112 */
1113 if ((s->session_ctx->session_cache_mode
1114 & SSL_SESS_CACHE_CLIENT) != 0)
1115 SSL_CTX_remove_session(s->session_ctx, s->session);
1116 } else {
1117 /*
1118 * In TLSv1.3 we update the cache as part of processing the
1119 * NewSessionTicket
1120 */
1121 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1122 }
1123 if (s->hit)
1124 ssl_tsan_counter(s->session_ctx,
1125 &s->session_ctx->stats.sess_hit);
1126
1127 s->handshake_func = ossl_statem_connect;
1128 ssl_tsan_counter(s->session_ctx,
1129 &s->session_ctx->stats.sess_connect_good);
1130 }
1131
1132 if (SSL_IS_DTLS(s)) {
1133 /* done with handshaking */
1134 s->d1->handshake_read_seq = 0;
1135 s->d1->handshake_write_seq = 0;
1136 s->d1->next_handshake_write_seq = 0;
1137 dtls1_clear_received_buffer(s);
1138 }
1139 }
1140
1141 if (s->info_callback != NULL)
1142 cb = s->info_callback;
1143 else if (s->ctx->info_callback != NULL)
1144 cb = s->ctx->info_callback;
1145
1146 /* The callback may expect us to not be in init at handshake done */
1147 ossl_statem_set_in_init(s, 0);
1148
1149 if (cb != NULL) {
1150 if (cleanuphand
1151 || !SSL_IS_TLS13(s)
1152 || SSL_IS_FIRST_HANDSHAKE(s))
1153 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1154 }
1155
1156 if (!stop) {
1157 /* If we've got more work to do we go back into init */
1158 ossl_statem_set_in_init(s, 1);
1159 return WORK_FINISHED_CONTINUE;
1160 }
1161
1162 return WORK_FINISHED_STOP;
1163 }
1164
tls_get_message_header(SSL * s,int * mt)1165 int tls_get_message_header(SSL *s, int *mt)
1166 {
1167 /* s->init_num < SSL3_HM_HEADER_LENGTH */
1168 int skip_message, i, recvd_type;
1169 unsigned char *p;
1170 size_t l, readbytes;
1171
1172 p = (unsigned char *)s->init_buf->data;
1173
1174 do {
1175 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1176 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1177 &p[s->init_num],
1178 SSL3_HM_HEADER_LENGTH - s->init_num,
1179 0, &readbytes);
1180 if (i <= 0) {
1181 s->rwstate = SSL_READING;
1182 return 0;
1183 }
1184 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1185 /*
1186 * A ChangeCipherSpec must be a single byte and may not occur
1187 * in the middle of a handshake message.
1188 */
1189 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1190 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1191 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1192 return 0;
1193 }
1194 if (s->statem.hand_state == TLS_ST_BEFORE
1195 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1196 /*
1197 * We are stateless and we received a CCS. Probably this is
1198 * from a client between the first and second ClientHellos.
1199 * We should ignore this, but return an error because we do
1200 * not return success until we see the second ClientHello
1201 * with a valid cookie.
1202 */
1203 return 0;
1204 }
1205 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1206 s->init_num = readbytes - 1;
1207 s->init_msg = s->init_buf->data;
1208 s->s3.tmp.message_size = readbytes;
1209 return 1;
1210 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1211 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1212 SSL_R_CCS_RECEIVED_EARLY);
1213 return 0;
1214 }
1215 s->init_num += readbytes;
1216 }
1217
1218 skip_message = 0;
1219 if (!s->server)
1220 if (s->statem.hand_state != TLS_ST_OK
1221 && p[0] == SSL3_MT_HELLO_REQUEST)
1222 /*
1223 * The server may always send 'Hello Request' messages --
1224 * we are doing a handshake anyway now, so ignore them if
1225 * their format is correct. Does not count for 'Finished'
1226 * MAC.
1227 */
1228 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1229 s->init_num = 0;
1230 skip_message = 1;
1231
1232 if (s->msg_callback)
1233 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1234 p, SSL3_HM_HEADER_LENGTH, s,
1235 s->msg_callback_arg);
1236 }
1237 } while (skip_message);
1238 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1239
1240 *mt = *p;
1241 s->s3.tmp.message_type = *(p++);
1242
1243 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1244 /*
1245 * Only happens with SSLv3+ in an SSLv2 backward compatible
1246 * ClientHello
1247 *
1248 * Total message size is the remaining record bytes to read
1249 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1250 */
1251 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1252 + SSL3_HM_HEADER_LENGTH;
1253 s->s3.tmp.message_size = l;
1254
1255 s->init_msg = s->init_buf->data;
1256 s->init_num = SSL3_HM_HEADER_LENGTH;
1257 } else {
1258 n2l3(p, l);
1259 /* BUF_MEM_grow takes an 'int' parameter */
1260 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1261 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1262 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1263 return 0;
1264 }
1265 s->s3.tmp.message_size = l;
1266
1267 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1268 s->init_num = 0;
1269 }
1270
1271 return 1;
1272 }
1273
tls_get_message_body(SSL * s,size_t * len)1274 int tls_get_message_body(SSL *s, size_t *len)
1275 {
1276 size_t n, readbytes;
1277 unsigned char *p;
1278 int i;
1279
1280 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1281 /* We've already read everything in */
1282 *len = (unsigned long)s->init_num;
1283 return 1;
1284 }
1285
1286 p = s->init_msg;
1287 n = s->s3.tmp.message_size - s->init_num;
1288 while (n > 0) {
1289 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1290 &p[s->init_num], n, 0, &readbytes);
1291 if (i <= 0) {
1292 s->rwstate = SSL_READING;
1293 *len = 0;
1294 return 0;
1295 }
1296 s->init_num += readbytes;
1297 n -= readbytes;
1298 }
1299
1300 /*
1301 * If receiving Finished, record MAC of prior handshake messages for
1302 * Finished verification.
1303 */
1304 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1305 /* SSLfatal() already called */
1306 *len = 0;
1307 return 0;
1308 }
1309
1310 /* Feed this message into MAC computation. */
1311 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1312 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1313 s->init_num)) {
1314 /* SSLfatal() already called */
1315 *len = 0;
1316 return 0;
1317 }
1318 if (s->msg_callback)
1319 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1320 (size_t)s->init_num, s, s->msg_callback_arg);
1321 } else {
1322 /*
1323 * We defer feeding in the HRR until later. We'll do it as part of
1324 * processing the message
1325 * The TLsv1.3 handshake transcript stops at the ClientFinished
1326 * message.
1327 */
1328 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1329 /* KeyUpdate and NewSessionTicket do not need to be added */
1330 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1331 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1332 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1333 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1334 || memcmp(hrrrandom,
1335 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1336 SSL3_RANDOM_SIZE) != 0) {
1337 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1338 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1339 /* SSLfatal() already called */
1340 *len = 0;
1341 return 0;
1342 }
1343 }
1344 }
1345 if (s->msg_callback)
1346 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1347 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1348 s->msg_callback_arg);
1349 }
1350
1351 *len = s->init_num;
1352 return 1;
1353 }
1354
1355 static const X509ERR2ALERT x509table[] = {
1356 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1357 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1358 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
1359 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1360 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1361 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1362 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1363 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1364 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1365 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1366 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1367 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1368 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1369 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1370 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1371 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1372 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1373 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1374 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1375 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1376 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1377 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1378 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1379 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1380 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1381 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1382 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1383 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1384 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1385 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1386 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1387 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1388 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1389 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1390 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1391 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1392 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1393 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1394 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1395 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1396
1397 /* Last entry; return this if we don't find the value above. */
1398 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1399 };
1400
ssl_x509err2alert(int x509err)1401 int ssl_x509err2alert(int x509err)
1402 {
1403 const X509ERR2ALERT *tp;
1404
1405 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1406 if (tp->x509err == x509err)
1407 break;
1408 return tp->alert;
1409 }
1410
ssl_allow_compression(SSL * s)1411 int ssl_allow_compression(SSL *s)
1412 {
1413 if (s->options & SSL_OP_NO_COMPRESSION)
1414 return 0;
1415 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1416 }
1417
version_cmp(const SSL * s,int a,int b)1418 static int version_cmp(const SSL *s, int a, int b)
1419 {
1420 int dtls = SSL_IS_DTLS(s);
1421
1422 if (a == b)
1423 return 0;
1424 if (!dtls)
1425 return a < b ? -1 : 1;
1426 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1427 }
1428
1429 typedef struct {
1430 int version;
1431 const SSL_METHOD *(*cmeth) (void);
1432 const SSL_METHOD *(*smeth) (void);
1433 } version_info;
1434
1435 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1436 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1437 #endif
1438
1439 /* Must be in order high to low */
1440 static const version_info tls_version_table[] = {
1441 #ifndef OPENSSL_NO_TLS1_3
1442 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1443 #else
1444 {TLS1_3_VERSION, NULL, NULL},
1445 #endif
1446 #ifndef OPENSSL_NO_TLS1_2
1447 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1448 #else
1449 {TLS1_2_VERSION, NULL, NULL},
1450 #endif
1451 #ifndef OPENSSL_NO_TLS1_1
1452 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1453 #else
1454 {TLS1_1_VERSION, NULL, NULL},
1455 #endif
1456 #ifndef OPENSSL_NO_TLS1
1457 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1458 #else
1459 {TLS1_VERSION, NULL, NULL},
1460 #endif
1461 #ifndef OPENSSL_NO_SSL3
1462 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1463 #else
1464 {SSL3_VERSION, NULL, NULL},
1465 #endif
1466 {0, NULL, NULL},
1467 };
1468
1469 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1470 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1471 #endif
1472
1473 /* Must be in order high to low */
1474 static const version_info dtls_version_table[] = {
1475 #ifndef OPENSSL_NO_DTLS1_2
1476 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1477 #else
1478 {DTLS1_2_VERSION, NULL, NULL},
1479 #endif
1480 #ifndef OPENSSL_NO_DTLS1
1481 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1482 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1483 #else
1484 {DTLS1_VERSION, NULL, NULL},
1485 {DTLS1_BAD_VER, NULL, NULL},
1486 #endif
1487 {0, NULL, NULL},
1488 };
1489
1490 /*
1491 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1492 *
1493 * @s: The SSL handle for the candidate method
1494 * @method: the intended method.
1495 *
1496 * Returns 0 on success, or an SSL error reason on failure.
1497 */
ssl_method_error(const SSL * s,const SSL_METHOD * method)1498 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1499 {
1500 int version = method->version;
1501
1502 if ((s->min_proto_version != 0 &&
1503 version_cmp(s, version, s->min_proto_version) < 0) ||
1504 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1505 return SSL_R_VERSION_TOO_LOW;
1506
1507 if (s->max_proto_version != 0 &&
1508 version_cmp(s, version, s->max_proto_version) > 0)
1509 return SSL_R_VERSION_TOO_HIGH;
1510
1511 if ((s->options & method->mask) != 0)
1512 return SSL_R_UNSUPPORTED_PROTOCOL;
1513 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1514 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1515
1516 return 0;
1517 }
1518
1519 /*
1520 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1521 * certificate type, or has PSK or a certificate callback configured, or has
1522 * a servername callback configure. Otherwise returns 0.
1523 */
is_tls13_capable(const SSL * s)1524 static int is_tls13_capable(const SSL *s)
1525 {
1526 int i;
1527 int curve;
1528
1529 if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
1530 return 0;
1531
1532 /*
1533 * A servername callback can change the available certs, so if a servername
1534 * cb is set then we just assume TLSv1.3 will be ok
1535 */
1536 if (s->ctx->ext.servername_cb != NULL
1537 || s->session_ctx->ext.servername_cb != NULL)
1538 return 1;
1539
1540 #ifndef OPENSSL_NO_PSK
1541 if (s->psk_server_callback != NULL)
1542 return 1;
1543 #endif
1544
1545 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1546 return 1;
1547
1548 for (i = 0; i < SSL_PKEY_NUM; i++) {
1549 /* Skip over certs disallowed for TLSv1.3 */
1550 switch (i) {
1551 case SSL_PKEY_DSA_SIGN:
1552 case SSL_PKEY_GOST01:
1553 case SSL_PKEY_GOST12_256:
1554 case SSL_PKEY_GOST12_512:
1555 continue;
1556 default:
1557 break;
1558 }
1559 if (!ssl_has_cert(s, i))
1560 continue;
1561 if (i != SSL_PKEY_ECC)
1562 return 1;
1563 /*
1564 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1565 * more restrictive so check that our sig algs are consistent with this
1566 * EC cert. See section 4.2.3 of RFC8446.
1567 */
1568 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1569 if (tls_check_sigalg_curve(s, curve))
1570 return 1;
1571 }
1572
1573 return 0;
1574 }
1575
1576 /*
1577 * ssl_version_supported - Check that the specified `version` is supported by
1578 * `SSL *` instance
1579 *
1580 * @s: The SSL handle for the candidate method
1581 * @version: Protocol version to test against
1582 *
1583 * Returns 1 when supported, otherwise 0
1584 */
ssl_version_supported(const SSL * s,int version,const SSL_METHOD ** meth)1585 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1586 {
1587 const version_info *vent;
1588 const version_info *table;
1589
1590 switch (s->method->version) {
1591 default:
1592 /* Version should match method version for non-ANY method */
1593 return version_cmp(s, version, s->version) == 0;
1594 case TLS_ANY_VERSION:
1595 table = tls_version_table;
1596 break;
1597 case DTLS_ANY_VERSION:
1598 table = dtls_version_table;
1599 break;
1600 }
1601
1602 for (vent = table;
1603 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1604 ++vent) {
1605 if (vent->cmeth != NULL
1606 && version_cmp(s, version, vent->version) == 0
1607 && ssl_method_error(s, vent->cmeth()) == 0
1608 && (!s->server
1609 || version != TLS1_3_VERSION
1610 || is_tls13_capable(s))) {
1611 if (meth != NULL)
1612 *meth = vent->cmeth();
1613 return 1;
1614 }
1615 }
1616 return 0;
1617 }
1618
1619 /*
1620 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1621 * fallback indication from a client check whether we're using the highest
1622 * supported protocol version.
1623 *
1624 * @s server SSL handle.
1625 *
1626 * Returns 1 when using the highest enabled version, 0 otherwise.
1627 */
ssl_check_version_downgrade(SSL * s)1628 int ssl_check_version_downgrade(SSL *s)
1629 {
1630 const version_info *vent;
1631 const version_info *table;
1632
1633 /*
1634 * Check that the current protocol is the highest enabled version
1635 * (according to s->ctx->method, as version negotiation may have changed
1636 * s->method).
1637 */
1638 if (s->version == s->ctx->method->version)
1639 return 1;
1640
1641 /*
1642 * Apparently we're using a version-flexible SSL_METHOD (not at its
1643 * highest protocol version).
1644 */
1645 if (s->ctx->method->version == TLS_method()->version)
1646 table = tls_version_table;
1647 else if (s->ctx->method->version == DTLS_method()->version)
1648 table = dtls_version_table;
1649 else {
1650 /* Unexpected state; fail closed. */
1651 return 0;
1652 }
1653
1654 for (vent = table; vent->version != 0; ++vent) {
1655 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1656 return s->version == vent->version;
1657 }
1658 return 0;
1659 }
1660
1661 /*
1662 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1663 * protocols, provided the initial (D)TLS method is version-flexible. This
1664 * function sanity-checks the proposed value and makes sure the method is
1665 * version-flexible, then sets the limit if all is well.
1666 *
1667 * @method_version: The version of the current SSL_METHOD.
1668 * @version: the intended limit.
1669 * @bound: pointer to limit to be updated.
1670 *
1671 * Returns 1 on success, 0 on failure.
1672 */
ssl_set_version_bound(int method_version,int version,int * bound)1673 int ssl_set_version_bound(int method_version, int version, int *bound)
1674 {
1675 int valid_tls;
1676 int valid_dtls;
1677
1678 if (version == 0) {
1679 *bound = version;
1680 return 1;
1681 }
1682
1683 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1684 valid_dtls =
1685 DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1686 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1687
1688 if (!valid_tls && !valid_dtls)
1689 return 0;
1690
1691 /*-
1692 * Restrict TLS methods to TLS protocol versions.
1693 * Restrict DTLS methods to DTLS protocol versions.
1694 * Note, DTLS version numbers are decreasing, use comparison macros.
1695 *
1696 * Note that for both lower-bounds we use explicit versions, not
1697 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1698 * configurations. If the MIN (supported) version ever rises, the user's
1699 * "floor" remains valid even if no longer available. We don't expect the
1700 * MAX ceiling to ever get lower, so making that variable makes sense.
1701 *
1702 * We ignore attempts to set bounds on version-inflexible methods,
1703 * returning success.
1704 */
1705 switch (method_version) {
1706 default:
1707 break;
1708
1709 case TLS_ANY_VERSION:
1710 if (valid_tls)
1711 *bound = version;
1712 break;
1713
1714 case DTLS_ANY_VERSION:
1715 if (valid_dtls)
1716 *bound = version;
1717 break;
1718 }
1719 return 1;
1720 }
1721
check_for_downgrade(SSL * s,int vers,DOWNGRADE * dgrd)1722 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1723 {
1724 if (vers == TLS1_2_VERSION
1725 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1726 *dgrd = DOWNGRADE_TO_1_2;
1727 } else if (!SSL_IS_DTLS(s)
1728 && vers < TLS1_2_VERSION
1729 /*
1730 * We need to ensure that a server that disables TLSv1.2
1731 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1732 * complete handshakes with clients that support TLSv1.2 and
1733 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1734 * enabled and TLSv1.2 is not.
1735 */
1736 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1737 *dgrd = DOWNGRADE_TO_1_1;
1738 } else {
1739 *dgrd = DOWNGRADE_NONE;
1740 }
1741 }
1742
1743 /*
1744 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1745 * client HELLO is received to select the final server protocol version and
1746 * the version specific method.
1747 *
1748 * @s: server SSL handle.
1749 *
1750 * Returns 0 on success or an SSL error reason number on failure.
1751 */
ssl_choose_server_version(SSL * s,CLIENTHELLO_MSG * hello,DOWNGRADE * dgrd)1752 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1753 {
1754 /*-
1755 * With version-flexible methods we have an initial state with:
1756 *
1757 * s->method->version == (D)TLS_ANY_VERSION,
1758 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
1759 *
1760 * So we detect version-flexible methods via the method version, not the
1761 * handle version.
1762 */
1763 int server_version = s->method->version;
1764 int client_version = hello->legacy_version;
1765 const version_info *vent;
1766 const version_info *table;
1767 int disabled = 0;
1768 RAW_EXTENSION *suppversions;
1769
1770 s->client_version = client_version;
1771
1772 switch (server_version) {
1773 default:
1774 if (!SSL_IS_TLS13(s)) {
1775 if (version_cmp(s, client_version, s->version) < 0)
1776 return SSL_R_WRONG_SSL_VERSION;
1777 *dgrd = DOWNGRADE_NONE;
1778 /*
1779 * If this SSL handle is not from a version flexible method we don't
1780 * (and never did) check min/max FIPS or Suite B constraints. Hope
1781 * that's OK. It is up to the caller to not choose fixed protocol
1782 * versions they don't want. If not, then easy to fix, just return
1783 * ssl_method_error(s, s->method)
1784 */
1785 return 0;
1786 }
1787 /*
1788 * Fall through if we are TLSv1.3 already (this means we must be after
1789 * a HelloRetryRequest
1790 */
1791 /* fall thru */
1792 case TLS_ANY_VERSION:
1793 table = tls_version_table;
1794 break;
1795 case DTLS_ANY_VERSION:
1796 table = dtls_version_table;
1797 break;
1798 }
1799
1800 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1801
1802 /* If we did an HRR then supported versions is mandatory */
1803 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1804 return SSL_R_UNSUPPORTED_PROTOCOL;
1805
1806 if (suppversions->present && !SSL_IS_DTLS(s)) {
1807 unsigned int candidate_vers = 0;
1808 unsigned int best_vers = 0;
1809 const SSL_METHOD *best_method = NULL;
1810 PACKET versionslist;
1811
1812 suppversions->parsed = 1;
1813
1814 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1815 /* Trailing or invalid data? */
1816 return SSL_R_LENGTH_MISMATCH;
1817 }
1818
1819 /*
1820 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1821 * The spec only requires servers to check that it isn't SSLv3:
1822 * "Any endpoint receiving a Hello message with
1823 * ClientHello.legacy_version or ServerHello.legacy_version set to
1824 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1825 * We are slightly stricter and require that it isn't SSLv3 or lower.
1826 * We tolerate TLSv1 and TLSv1.1.
1827 */
1828 if (client_version <= SSL3_VERSION)
1829 return SSL_R_BAD_LEGACY_VERSION;
1830
1831 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1832 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1833 continue;
1834 if (ssl_version_supported(s, candidate_vers, &best_method))
1835 best_vers = candidate_vers;
1836 }
1837 if (PACKET_remaining(&versionslist) != 0) {
1838 /* Trailing data? */
1839 return SSL_R_LENGTH_MISMATCH;
1840 }
1841
1842 if (best_vers > 0) {
1843 if (s->hello_retry_request != SSL_HRR_NONE) {
1844 /*
1845 * This is after a HelloRetryRequest so we better check that we
1846 * negotiated TLSv1.3
1847 */
1848 if (best_vers != TLS1_3_VERSION)
1849 return SSL_R_UNSUPPORTED_PROTOCOL;
1850 return 0;
1851 }
1852 check_for_downgrade(s, best_vers, dgrd);
1853 s->version = best_vers;
1854 s->method = best_method;
1855 return 0;
1856 }
1857 return SSL_R_UNSUPPORTED_PROTOCOL;
1858 }
1859
1860 /*
1861 * If the supported versions extension isn't present, then the highest
1862 * version we can negotiate is TLSv1.2
1863 */
1864 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1865 client_version = TLS1_2_VERSION;
1866
1867 /*
1868 * No supported versions extension, so we just use the version supplied in
1869 * the ClientHello.
1870 */
1871 for (vent = table; vent->version != 0; ++vent) {
1872 const SSL_METHOD *method;
1873
1874 if (vent->smeth == NULL ||
1875 version_cmp(s, client_version, vent->version) < 0)
1876 continue;
1877 method = vent->smeth();
1878 if (ssl_method_error(s, method) == 0) {
1879 check_for_downgrade(s, vent->version, dgrd);
1880 s->version = vent->version;
1881 s->method = method;
1882 return 0;
1883 }
1884 disabled = 1;
1885 }
1886 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1887 }
1888
1889 /*
1890 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1891 * server HELLO is received to select the final client protocol version and
1892 * the version specific method.
1893 *
1894 * @s: client SSL handle.
1895 * @version: The proposed version from the server's HELLO.
1896 * @extensions: The extensions received
1897 *
1898 * Returns 1 on success or 0 on error.
1899 */
ssl_choose_client_version(SSL * s,int version,RAW_EXTENSION * extensions)1900 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1901 {
1902 const version_info *vent;
1903 const version_info *table;
1904 int ret, ver_min, ver_max, real_max, origv;
1905
1906 origv = s->version;
1907 s->version = version;
1908
1909 /* This will overwrite s->version if the extension is present */
1910 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1911 SSL_EXT_TLS1_2_SERVER_HELLO
1912 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1913 NULL, 0)) {
1914 s->version = origv;
1915 return 0;
1916 }
1917
1918 if (s->hello_retry_request != SSL_HRR_NONE
1919 && s->version != TLS1_3_VERSION) {
1920 s->version = origv;
1921 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1922 return 0;
1923 }
1924
1925 switch (s->method->version) {
1926 default:
1927 if (s->version != s->method->version) {
1928 s->version = origv;
1929 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1930 return 0;
1931 }
1932 /*
1933 * If this SSL handle is not from a version flexible method we don't
1934 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1935 * that's OK. It is up to the caller to not choose fixed protocol
1936 * versions they don't want. If not, then easy to fix, just return
1937 * ssl_method_error(s, s->method)
1938 */
1939 return 1;
1940 case TLS_ANY_VERSION:
1941 table = tls_version_table;
1942 break;
1943 case DTLS_ANY_VERSION:
1944 table = dtls_version_table;
1945 break;
1946 }
1947
1948 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1949 if (ret != 0) {
1950 s->version = origv;
1951 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
1952 return 0;
1953 }
1954 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1955 : s->version < ver_min) {
1956 s->version = origv;
1957 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1958 return 0;
1959 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1960 : s->version > ver_max) {
1961 s->version = origv;
1962 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1963 return 0;
1964 }
1965
1966 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1967 real_max = ver_max;
1968
1969 /* Check for downgrades */
1970 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1971 if (memcmp(tls12downgrade,
1972 s->s3.server_random + SSL3_RANDOM_SIZE
1973 - sizeof(tls12downgrade),
1974 sizeof(tls12downgrade)) == 0) {
1975 s->version = origv;
1976 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1977 SSL_R_INAPPROPRIATE_FALLBACK);
1978 return 0;
1979 }
1980 } else if (!SSL_IS_DTLS(s)
1981 && s->version < TLS1_2_VERSION
1982 && real_max > s->version) {
1983 if (memcmp(tls11downgrade,
1984 s->s3.server_random + SSL3_RANDOM_SIZE
1985 - sizeof(tls11downgrade),
1986 sizeof(tls11downgrade)) == 0) {
1987 s->version = origv;
1988 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1989 SSL_R_INAPPROPRIATE_FALLBACK);
1990 return 0;
1991 }
1992 }
1993
1994 for (vent = table; vent->version != 0; ++vent) {
1995 if (vent->cmeth == NULL || s->version != vent->version)
1996 continue;
1997
1998 s->method = vent->cmeth();
1999 return 1;
2000 }
2001
2002 s->version = origv;
2003 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2004 return 0;
2005 }
2006
2007 /*
2008 * ssl_get_min_max_version - get minimum and maximum protocol version
2009 * @s: The SSL connection
2010 * @min_version: The minimum supported version
2011 * @max_version: The maximum supported version
2012 * @real_max: The highest version below the lowest compile time version hole
2013 * where that hole lies above at least one run-time enabled
2014 * protocol.
2015 *
2016 * Work out what version we should be using for the initial ClientHello if the
2017 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2018 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2019 * constraints and any floor imposed by the security level here,
2020 * so we don't advertise the wrong protocol version to only reject the outcome later.
2021 *
2022 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2023 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2024 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2025 *
2026 * Returns 0 on success or an SSL error reason number on failure. On failure
2027 * min_version and max_version will also be set to 0.
2028 */
ssl_get_min_max_version(const SSL * s,int * min_version,int * max_version,int * real_max)2029 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2030 int *real_max)
2031 {
2032 int version, tmp_real_max;
2033 int hole;
2034 const SSL_METHOD *single = NULL;
2035 const SSL_METHOD *method;
2036 const version_info *table;
2037 const version_info *vent;
2038
2039 switch (s->method->version) {
2040 default:
2041 /*
2042 * If this SSL handle is not from a version flexible method we don't
2043 * (and never did) check min/max FIPS or Suite B constraints. Hope
2044 * that's OK. It is up to the caller to not choose fixed protocol
2045 * versions they don't want. If not, then easy to fix, just return
2046 * ssl_method_error(s, s->method)
2047 */
2048 *min_version = *max_version = s->version;
2049 /*
2050 * Providing a real_max only makes sense where we're using a version
2051 * flexible method.
2052 */
2053 if (!ossl_assert(real_max == NULL))
2054 return ERR_R_INTERNAL_ERROR;
2055 return 0;
2056 case TLS_ANY_VERSION:
2057 table = tls_version_table;
2058 break;
2059 case DTLS_ANY_VERSION:
2060 table = dtls_version_table;
2061 break;
2062 }
2063
2064 /*
2065 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2066 * below X enabled. This is required in order to maintain the "version
2067 * capability" vector contiguous. Any versions with a NULL client method
2068 * (protocol version client is disabled at compile-time) is also a "hole".
2069 *
2070 * Our initial state is hole == 1, version == 0. That is, versions above
2071 * the first version in the method table are disabled (a "hole" above
2072 * the valid protocol entries) and we don't have a selected version yet.
2073 *
2074 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2075 * the selected version, and the method becomes a candidate "single"
2076 * method. We're no longer in a hole, so "hole" becomes 0.
2077 *
2078 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2079 * as we support a contiguous range of at least two methods. If we hit
2080 * a disabled method, then hole becomes true again, but nothing else
2081 * changes yet, because all the remaining methods may be disabled too.
2082 * If we again hit an enabled method after the new hole, it becomes
2083 * selected, as we start from scratch.
2084 */
2085 *min_version = version = 0;
2086 hole = 1;
2087 if (real_max != NULL)
2088 *real_max = 0;
2089 tmp_real_max = 0;
2090 for (vent = table; vent->version != 0; ++vent) {
2091 /*
2092 * A table entry with a NULL client method is still a hole in the
2093 * "version capability" vector.
2094 */
2095 if (vent->cmeth == NULL) {
2096 hole = 1;
2097 tmp_real_max = 0;
2098 continue;
2099 }
2100 method = vent->cmeth();
2101
2102 if (hole == 1 && tmp_real_max == 0)
2103 tmp_real_max = vent->version;
2104
2105 if (ssl_method_error(s, method) != 0) {
2106 hole = 1;
2107 } else if (!hole) {
2108 single = NULL;
2109 *min_version = method->version;
2110 } else {
2111 if (real_max != NULL && tmp_real_max != 0)
2112 *real_max = tmp_real_max;
2113 version = (single = method)->version;
2114 *min_version = version;
2115 hole = 0;
2116 }
2117 }
2118
2119 *max_version = version;
2120
2121 /* Fail if everything is disabled */
2122 if (version == 0)
2123 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2124
2125 return 0;
2126 }
2127
2128 /*
2129 * ssl_set_client_hello_version - Work out what version we should be using for
2130 * the initial ClientHello.legacy_version field.
2131 *
2132 * @s: client SSL handle.
2133 *
2134 * Returns 0 on success or an SSL error reason number on failure.
2135 */
ssl_set_client_hello_version(SSL * s)2136 int ssl_set_client_hello_version(SSL *s)
2137 {
2138 int ver_min, ver_max, ret;
2139
2140 /*
2141 * In a renegotiation we always send the same client_version that we sent
2142 * last time, regardless of which version we eventually negotiated.
2143 */
2144 if (!SSL_IS_FIRST_HANDSHAKE(s))
2145 return 0;
2146
2147 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2148
2149 if (ret != 0)
2150 return ret;
2151
2152 s->version = ver_max;
2153
2154 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2155 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2156 ver_max = TLS1_2_VERSION;
2157
2158 s->client_version = ver_max;
2159 return 0;
2160 }
2161
2162 /*
2163 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2164 * and |checkallow| is 1 then additionally check if the group is allowed to be
2165 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2166 * 1) or 0 otherwise.
2167 */
check_in_list(SSL * s,uint16_t group_id,const uint16_t * groups,size_t num_groups,int checkallow)2168 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2169 size_t num_groups, int checkallow)
2170 {
2171 size_t i;
2172
2173 if (groups == NULL || num_groups == 0)
2174 return 0;
2175
2176 for (i = 0; i < num_groups; i++) {
2177 uint16_t group = groups[i];
2178
2179 if (group_id == group
2180 && (!checkallow
2181 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2182 return 1;
2183 }
2184 }
2185
2186 return 0;
2187 }
2188
2189 /* Replace ClientHello1 in the transcript hash with a synthetic message */
create_synthetic_message_hash(SSL * s,const unsigned char * hashval,size_t hashlen,const unsigned char * hrr,size_t hrrlen)2190 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2191 size_t hashlen, const unsigned char *hrr,
2192 size_t hrrlen)
2193 {
2194 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2195 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2196
2197 memset(msghdr, 0, sizeof(msghdr));
2198
2199 if (hashval == NULL) {
2200 hashval = hashvaltmp;
2201 hashlen = 0;
2202 /* Get the hash of the initial ClientHello */
2203 if (!ssl3_digest_cached_records(s, 0)
2204 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2205 &hashlen)) {
2206 /* SSLfatal() already called */
2207 return 0;
2208 }
2209 }
2210
2211 /* Reinitialise the transcript hash */
2212 if (!ssl3_init_finished_mac(s)) {
2213 /* SSLfatal() already called */
2214 return 0;
2215 }
2216
2217 /* Inject the synthetic message_hash message */
2218 msghdr[0] = SSL3_MT_MESSAGE_HASH;
2219 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2220 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2221 || !ssl3_finish_mac(s, hashval, hashlen)) {
2222 /* SSLfatal() already called */
2223 return 0;
2224 }
2225
2226 /*
2227 * Now re-inject the HRR and current message if appropriate (we just deleted
2228 * it when we reinitialised the transcript hash above). Only necessary after
2229 * receiving a ClientHello2 with a cookie.
2230 */
2231 if (hrr != NULL
2232 && (!ssl3_finish_mac(s, hrr, hrrlen)
2233 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2234 s->s3.tmp.message_size
2235 + SSL3_HM_HEADER_LENGTH))) {
2236 /* SSLfatal() already called */
2237 return 0;
2238 }
2239
2240 return 1;
2241 }
2242
ca_dn_cmp(const X509_NAME * const * a,const X509_NAME * const * b)2243 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2244 {
2245 return X509_NAME_cmp(*a, *b);
2246 }
2247
parse_ca_names(SSL * s,PACKET * pkt)2248 int parse_ca_names(SSL *s, PACKET *pkt)
2249 {
2250 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2251 X509_NAME *xn = NULL;
2252 PACKET cadns;
2253
2254 if (ca_sk == NULL) {
2255 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2256 goto err;
2257 }
2258 /* get the CA RDNs */
2259 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2260 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2261 goto err;
2262 }
2263
2264 while (PACKET_remaining(&cadns)) {
2265 const unsigned char *namestart, *namebytes;
2266 unsigned int name_len;
2267
2268 if (!PACKET_get_net_2(&cadns, &name_len)
2269 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2270 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2271 goto err;
2272 }
2273
2274 namestart = namebytes;
2275 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2276 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
2277 goto err;
2278 }
2279 if (namebytes != (namestart + name_len)) {
2280 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
2281 goto err;
2282 }
2283
2284 if (!sk_X509_NAME_push(ca_sk, xn)) {
2285 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2286 goto err;
2287 }
2288 xn = NULL;
2289 }
2290
2291 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2292 s->s3.tmp.peer_ca_names = ca_sk;
2293
2294 return 1;
2295
2296 err:
2297 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2298 X509_NAME_free(xn);
2299 return 0;
2300 }
2301
STACK_OF(X509_NAME)2302 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2303 {
2304 const STACK_OF(X509_NAME) *ca_sk = NULL;;
2305
2306 if (s->server) {
2307 ca_sk = SSL_get_client_CA_list(s);
2308 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2309 ca_sk = NULL;
2310 }
2311
2312 if (ca_sk == NULL)
2313 ca_sk = SSL_get0_CA_list(s);
2314
2315 return ca_sk;
2316 }
2317
construct_ca_names(SSL * s,const STACK_OF (X509_NAME)* ca_sk,WPACKET * pkt)2318 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2319 {
2320 /* Start sub-packet for client CA list */
2321 if (!WPACKET_start_sub_packet_u16(pkt)) {
2322 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2323 return 0;
2324 }
2325
2326 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
2327 int i;
2328
2329 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2330 unsigned char *namebytes;
2331 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2332 int namelen;
2333
2334 if (name == NULL
2335 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2336 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2337 &namebytes)
2338 || i2d_X509_NAME(name, &namebytes) != namelen) {
2339 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2340 return 0;
2341 }
2342 }
2343 }
2344
2345 if (!WPACKET_close(pkt)) {
2346 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2347 return 0;
2348 }
2349
2350 return 1;
2351 }
2352
2353 /* Create a buffer containing data to be signed for server key exchange */
construct_key_exchange_tbs(SSL * s,unsigned char ** ptbs,const void * param,size_t paramlen)2354 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2355 const void *param, size_t paramlen)
2356 {
2357 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2358 unsigned char *tbs = OPENSSL_malloc(tbslen);
2359
2360 if (tbs == NULL) {
2361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2362 return 0;
2363 }
2364 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2365 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2366
2367 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2368
2369 *ptbs = tbs;
2370 return tbslen;
2371 }
2372
2373 /*
2374 * Saves the current handshake digest for Post-Handshake Auth,
2375 * Done after ClientFinished is processed, done exactly once
2376 */
tls13_save_handshake_digest_for_pha(SSL * s)2377 int tls13_save_handshake_digest_for_pha(SSL *s)
2378 {
2379 if (s->pha_dgst == NULL) {
2380 if (!ssl3_digest_cached_records(s, 1))
2381 /* SSLfatal() already called */
2382 return 0;
2383
2384 s->pha_dgst = EVP_MD_CTX_new();
2385 if (s->pha_dgst == NULL) {
2386 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2387 return 0;
2388 }
2389 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2390 s->s3.handshake_dgst)) {
2391 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2392 EVP_MD_CTX_free(s->pha_dgst);
2393 s->pha_dgst = NULL;
2394 return 0;
2395 }
2396 }
2397 return 1;
2398 }
2399
2400 /*
2401 * Restores the Post-Handshake Auth handshake digest
2402 * Done just before sending/processing the Cert Request
2403 */
tls13_restore_handshake_digest_for_pha(SSL * s)2404 int tls13_restore_handshake_digest_for_pha(SSL *s)
2405 {
2406 if (s->pha_dgst == NULL) {
2407 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2408 return 0;
2409 }
2410 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2411 s->pha_dgst)) {
2412 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2413 return 0;
2414 }
2415 return 1;
2416 }
2417