1 /* 2 * Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include <limits.h> 12 #include <string.h> 13 #include <stdio.h> 14 #include "../ssl_local.h" 15 #include "statem_local.h" 16 #include "internal/cryptlib.h" 17 #include "internal/ssl_unwrap.h" 18 #include <openssl/buffer.h> 19 #include <openssl/objects.h> 20 #include <openssl/evp.h> 21 #include <openssl/rsa.h> 22 #include <openssl/x509.h> 23 #include <openssl/trace.h> 24 #include <openssl/encoder.h> 25 26 /* 27 * Map error codes to TLS/SSL alart types. 28 */ 29 typedef struct x509err2alert_st { 30 int x509err; 31 int alert; 32 } X509ERR2ALERT; 33 34 /* Fixed value used in the ServerHello random field to identify an HRR */ 35 const unsigned char hrrrandom[] = { 36 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 37 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 38 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c 39 }; 40 41 int ossl_statem_set_mutator(SSL *s, 42 ossl_statem_mutate_handshake_cb mutate_handshake_cb, 43 ossl_statem_finish_mutate_handshake_cb finish_mutate_handshake_cb, 44 void *mutatearg) 45 { 46 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); 47 48 if (sc == NULL) 49 return 0; 50 51 sc->statem.mutate_handshake_cb = mutate_handshake_cb; 52 sc->statem.mutatearg = mutatearg; 53 sc->statem.finish_mutate_handshake_cb = finish_mutate_handshake_cb; 54 55 return 1; 56 } 57 58 /* 59 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or 60 * SSL3_RT_CHANGE_CIPHER_SPEC) 61 */ 62 int ssl3_do_write(SSL_CONNECTION *s, uint8_t type) 63 { 64 int ret; 65 size_t written = 0; 66 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 67 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 68 69 /* 70 * If we're running the test suite then we may need to mutate the message 71 * we've been asked to write. Does not happen in normal operation. 72 */ 73 if (s->statem.mutate_handshake_cb != NULL 74 && !s->statem.write_in_progress 75 && type == SSL3_RT_HANDSHAKE 76 && s->init_num >= SSL3_HM_HEADER_LENGTH) { 77 unsigned char *msg; 78 size_t msglen; 79 80 if (!s->statem.mutate_handshake_cb((unsigned char *)s->init_buf->data, 81 s->init_num, 82 &msg, &msglen, 83 s->statem.mutatearg)) 84 return -1; 85 if (msglen < SSL3_HM_HEADER_LENGTH 86 || !BUF_MEM_grow(s->init_buf, msglen)) 87 return -1; 88 memcpy(s->init_buf->data, msg, msglen); 89 s->init_num = msglen; 90 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; 91 s->statem.finish_mutate_handshake_cb(s->statem.mutatearg); 92 s->statem.write_in_progress = 1; 93 } 94 95 ret = ssl3_write_bytes(ssl, type, &s->init_buf->data[s->init_off], 96 s->init_num, &written); 97 if (ret <= 0) 98 return -1; 99 if (type == SSL3_RT_HANDSHAKE) 100 /* 101 * should not be done for 'Hello Request's, but in that case we'll 102 * ignore the result anyway 103 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added 104 */ 105 if (!SSL_CONNECTION_IS_TLS13(s) 106 || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET 107 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE 108 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE)) 109 if (!ssl3_finish_mac(s, 110 (unsigned char *)&s->init_buf->data[s->init_off], 111 written)) 112 return -1; 113 if (written == s->init_num) { 114 s->statem.write_in_progress = 0; 115 if (s->msg_callback) 116 s->msg_callback(1, s->version, type, s->init_buf->data, 117 (size_t)(s->init_off + s->init_num), ussl, 118 s->msg_callback_arg); 119 return 1; 120 } 121 s->init_off += written; 122 s->init_num -= written; 123 return 0; 124 } 125 126 int tls_close_construct_packet(SSL_CONNECTION *s, WPACKET *pkt, int htype) 127 { 128 size_t msglen; 129 130 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt)) 131 || !WPACKET_get_length(pkt, &msglen) 132 || msglen > INT_MAX) 133 return 0; 134 s->init_num = (int)msglen; 135 s->init_off = 0; 136 137 return 1; 138 } 139 140 int tls_setup_handshake(SSL_CONNECTION *s) 141 { 142 int ver_min, ver_max, ok; 143 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 144 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 145 146 if (!ssl3_init_finished_mac(s)) { 147 /* SSLfatal() already called */ 148 return 0; 149 } 150 151 /* Reset any extension flags */ 152 memset(s->ext.extflags, 0, sizeof(s->ext.extflags)); 153 154 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) { 155 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE); 156 return 0; 157 } 158 159 /* Sanity check that we have MD5-SHA1 if we need it */ 160 if (sctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) { 161 int negotiated_minversion; 162 int md5sha1_needed_maxversion = SSL_CONNECTION_IS_DTLS(s) 163 ? DTLS1_VERSION 164 : TLS1_1_VERSION; 165 166 /* We don't have MD5-SHA1 - do we need it? */ 167 if (ssl_version_cmp(s, ver_max, md5sha1_needed_maxversion) <= 0) { 168 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE, 169 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM, 170 "The max supported SSL/TLS version needs the" 171 " MD5-SHA1 digest but it is not available" 172 " in the loaded providers. Use (D)TLSv1.2 or" 173 " above, or load different providers"); 174 return 0; 175 } 176 177 ok = 1; 178 179 /* Don't allow TLSv1.1 or below to be negotiated */ 180 negotiated_minversion = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_2_VERSION : TLS1_2_VERSION; 181 if (ssl_version_cmp(s, ver_min, negotiated_minversion) < 0) 182 ok = SSL_set_min_proto_version(ssl, negotiated_minversion); 183 if (!ok) { 184 /* Shouldn't happen */ 185 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); 186 return 0; 187 } 188 } 189 190 ok = 0; 191 if (s->server) { 192 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl); 193 int i; 194 195 /* 196 * Sanity check that the maximum version we accept has ciphers 197 * enabled. For clients we do this check during construction of the 198 * ClientHello. 199 */ 200 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 201 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); 202 int cipher_minprotover = SSL_CONNECTION_IS_DTLS(s) 203 ? c->min_dtls 204 : c->min_tls; 205 int cipher_maxprotover = SSL_CONNECTION_IS_DTLS(s) 206 ? c->max_dtls 207 : c->max_tls; 208 209 if (ssl_version_cmp(s, ver_max, cipher_minprotover) >= 0 210 && ssl_version_cmp(s, ver_max, cipher_maxprotover) <= 0) { 211 ok = 1; 212 break; 213 } 214 } 215 if (!ok) { 216 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE, 217 SSL_R_NO_CIPHERS_AVAILABLE, 218 "No ciphers enabled for max supported " 219 "SSL/TLS version"); 220 return 0; 221 } 222 if (SSL_IS_FIRST_HANDSHAKE(s)) { 223 /* N.B. s->session_ctx == s->ctx here */ 224 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept); 225 } else { 226 /* N.B. s->ctx may not equal s->session_ctx */ 227 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_renegotiate); 228 229 s->s3.tmp.cert_request = 0; 230 } 231 } else { 232 if (SSL_IS_FIRST_HANDSHAKE(s)) 233 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect); 234 else 235 ssl_tsan_counter(s->session_ctx, 236 &s->session_ctx->stats.sess_connect_renegotiate); 237 238 /* mark client_random uninitialized */ 239 memset(s->s3.client_random, 0, sizeof(s->s3.client_random)); 240 s->hit = 0; 241 242 s->s3.tmp.cert_req = 0; 243 244 if (SSL_CONNECTION_IS_DTLS(s)) 245 s->statem.use_timer = 1; 246 } 247 248 return 1; 249 } 250 251 /* 252 * Size of the to-be-signed TLS13 data, without the hash size itself: 253 * 64 bytes of value 32, 33 context bytes, 1 byte separator 254 */ 255 #define TLS13_TBS_START_SIZE 64 256 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1) 257 258 static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs, 259 void **hdata, size_t *hdatalen) 260 { 261 /* ASCII: "TLS 1.3, server CertificateVerify", in hex for EBCDIC compatibility */ 262 static const char servercontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x73\x65\x72" 263 "\x76\x65\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79"; 264 /* ASCII: "TLS 1.3, client CertificateVerify", in hex for EBCDIC compatibility */ 265 static const char clientcontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x63\x6c\x69" 266 "\x65\x6e\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79"; 267 268 if (SSL_CONNECTION_IS_TLS13(s)) { 269 size_t hashlen; 270 271 /* Set the first 64 bytes of to-be-signed data to octet 32 */ 272 memset(tls13tbs, 32, TLS13_TBS_START_SIZE); 273 /* This copies the 33 bytes of context plus the 0 separator byte */ 274 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY 275 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY) 276 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext); 277 else 278 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext); 279 280 /* 281 * If we're currently reading then we need to use the saved handshake 282 * hash value. We can't use the current handshake hash state because 283 * that includes the CertVerify itself. 284 */ 285 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY 286 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) { 287 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash, 288 s->cert_verify_hash_len); 289 hashlen = s->cert_verify_hash_len; 290 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE, 291 EVP_MAX_MD_SIZE, &hashlen)) { 292 /* SSLfatal() already called */ 293 return 0; 294 } 295 296 *hdata = tls13tbs; 297 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen; 298 } else { 299 size_t retlen; 300 long retlen_l; 301 302 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata); 303 if (retlen_l <= 0) { 304 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 305 return 0; 306 } 307 *hdatalen = retlen; 308 } 309 310 return 1; 311 } 312 313 CON_FUNC_RETURN tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt) 314 { 315 EVP_PKEY *pkey = NULL; 316 const EVP_MD *md = NULL; 317 EVP_MD_CTX *mctx = NULL; 318 EVP_PKEY_CTX *pctx = NULL; 319 size_t hdatalen = 0, siglen = 0; 320 void *hdata; 321 unsigned char *sig = NULL; 322 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; 323 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg; 324 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 325 326 if (lu == NULL || s->s3.tmp.cert == NULL) { 327 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 328 goto err; 329 } 330 pkey = s->s3.tmp.cert->privatekey; 331 332 if (pkey == NULL || !tls1_lookup_md(sctx, lu, &md)) { 333 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 334 goto err; 335 } 336 337 mctx = EVP_MD_CTX_new(); 338 if (mctx == NULL) { 339 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 340 goto err; 341 } 342 343 /* Get the data to be signed */ 344 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { 345 /* SSLfatal() already called */ 346 goto err; 347 } 348 349 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { 350 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 351 goto err; 352 } 353 354 if (EVP_DigestSignInit_ex(mctx, &pctx, 355 md == NULL ? NULL : EVP_MD_get0_name(md), 356 sctx->libctx, sctx->propq, pkey, 357 NULL) 358 <= 0) { 359 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 360 goto err; 361 } 362 363 if (lu->sig == EVP_PKEY_RSA_PSS) { 364 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 365 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 366 RSA_PSS_SALTLEN_DIGEST) 367 <= 0) { 368 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 369 goto err; 370 } 371 } 372 if (s->version == SSL3_VERSION) { 373 /* 374 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal 375 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them. 376 */ 377 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0 378 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, 379 (int)s->session->master_key_length, 380 s->session->master_key) 381 <= 0 382 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) { 383 384 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 385 goto err; 386 } 387 sig = OPENSSL_malloc(siglen); 388 if (sig == NULL 389 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) { 390 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 391 goto err; 392 } 393 } else { 394 /* 395 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not 396 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal 397 */ 398 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) { 399 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 400 goto err; 401 } 402 sig = OPENSSL_malloc(siglen); 403 if (sig == NULL 404 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) { 405 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 406 goto err; 407 } 408 } 409 410 #ifndef OPENSSL_NO_GOST 411 { 412 int pktype = lu->sig; 413 414 if (pktype == NID_id_GostR3410_2001 415 || pktype == NID_id_GostR3410_2012_256 416 || pktype == NID_id_GostR3410_2012_512) 417 BUF_reverse(sig, NULL, siglen); 418 } 419 #endif 420 421 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) { 422 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 423 goto err; 424 } 425 426 /* Digest cached records and discard handshake buffer */ 427 if (!ssl3_digest_cached_records(s, 0)) { 428 /* SSLfatal() already called */ 429 goto err; 430 } 431 432 OPENSSL_free(sig); 433 EVP_MD_CTX_free(mctx); 434 return CON_FUNC_SUCCESS; 435 err: 436 OPENSSL_free(sig); 437 EVP_MD_CTX_free(mctx); 438 return CON_FUNC_ERROR; 439 } 440 441 MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt) 442 { 443 EVP_PKEY *pkey = NULL; 444 const unsigned char *data; 445 #ifndef OPENSSL_NO_GOST 446 unsigned char *gost_data = NULL; 447 #endif 448 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; 449 int j; 450 unsigned int len; 451 const EVP_MD *md = NULL; 452 size_t hdatalen = 0; 453 void *hdata; 454 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; 455 EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 456 EVP_PKEY_CTX *pctx = NULL; 457 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 458 459 if (mctx == NULL) { 460 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 461 goto err; 462 } 463 464 pkey = tls_get_peer_pkey(s); 465 if (pkey == NULL) { 466 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 467 goto err; 468 } 469 470 if (ssl_cert_lookup_by_pkey(pkey, NULL, sctx) == NULL) { 471 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 472 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 473 goto err; 474 } 475 476 if (SSL_USE_SIGALGS(s)) { 477 unsigned int sigalg; 478 479 if (!PACKET_get_net_2(pkt, &sigalg)) { 480 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET); 481 goto err; 482 } 483 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) { 484 /* SSLfatal() already called */ 485 goto err; 486 } 487 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { 488 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 489 SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED); 490 goto err; 491 } 492 493 if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) { 494 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 495 goto err; 496 } 497 498 if (SSL_USE_SIGALGS(s)) 499 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n", 500 md == NULL ? "n/a" : EVP_MD_get0_name(md)); 501 502 /* Check for broken implementations of GOST ciphersuites */ 503 /* 504 * If key is GOST and len is exactly 64 or 128, it is signature without 505 * length field (CryptoPro implementations at least till TLS 1.2) 506 */ 507 #ifndef OPENSSL_NO_GOST 508 if (!SSL_USE_SIGALGS(s) 509 && ((PACKET_remaining(pkt) == 64 510 && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001 511 || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256)) 512 || (PACKET_remaining(pkt) == 128 513 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) { 514 len = PACKET_remaining(pkt); 515 } else 516 #endif 517 if (!PACKET_get_net_2(pkt, &len)) { 518 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 519 goto err; 520 } 521 522 if (!PACKET_get_bytes(pkt, &data, len)) { 523 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 524 goto err; 525 } 526 if (PACKET_remaining(pkt) != 0) { 527 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 528 goto err; 529 } 530 531 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { 532 /* SSLfatal() already called */ 533 goto err; 534 } 535 536 OSSL_TRACE1(TLS, "Using client verify alg %s\n", 537 md == NULL ? "n/a" : EVP_MD_get0_name(md)); 538 539 if (EVP_DigestVerifyInit_ex(mctx, &pctx, 540 md == NULL ? NULL : EVP_MD_get0_name(md), 541 sctx->libctx, sctx->propq, pkey, 542 NULL) 543 <= 0) { 544 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 545 goto err; 546 } 547 #ifndef OPENSSL_NO_GOST 548 { 549 int pktype = EVP_PKEY_get_id(pkey); 550 if (pktype == NID_id_GostR3410_2001 551 || pktype == NID_id_GostR3410_2012_256 552 || pktype == NID_id_GostR3410_2012_512) { 553 if ((gost_data = OPENSSL_malloc(len)) == NULL) 554 goto err; 555 BUF_reverse(gost_data, data, len); 556 data = gost_data; 557 } 558 } 559 #endif 560 561 if (SSL_USE_PSS(s)) { 562 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 563 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 564 RSA_PSS_SALTLEN_DIGEST) 565 <= 0) { 566 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 567 goto err; 568 } 569 } 570 if (s->version == SSL3_VERSION) { 571 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0 572 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, 573 (int)s->session->master_key_length, 574 s->session->master_key) 575 <= 0) { 576 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 577 goto err; 578 } 579 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) { 580 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); 581 goto err; 582 } 583 } else { 584 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen); 585 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 586 /* Ignore bad signatures when fuzzing */ 587 if (SSL_IS_QUIC_HANDSHAKE(s)) 588 j = 1; 589 #endif 590 if (j <= 0) { 591 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); 592 goto err; 593 } 594 } 595 596 /* 597 * In TLSv1.3 on the client side we make sure we prepare the client 598 * certificate after the CertVerify instead of when we get the 599 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest 600 * comes *before* the Certificate message. In TLSv1.2 it comes after. We 601 * want to make sure that SSL_get1_peer_certificate() will return the actual 602 * server certificate from the client_cert_cb callback. 603 */ 604 if (!s->server && SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.cert_req == 1) 605 ret = MSG_PROCESS_CONTINUE_PROCESSING; 606 else 607 ret = MSG_PROCESS_CONTINUE_READING; 608 err: 609 BIO_free(s->s3.handshake_buffer); 610 s->s3.handshake_buffer = NULL; 611 EVP_MD_CTX_free(mctx); 612 #ifndef OPENSSL_NO_GOST 613 OPENSSL_free(gost_data); 614 #endif 615 return ret; 616 } 617 618 CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) 619 { 620 size_t finish_md_len; 621 const char *sender; 622 size_t slen; 623 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 624 625 /* This is a real handshake so make sure we clean it up at the end */ 626 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED) 627 s->statem.cleanuphand = 1; 628 629 /* 630 * If we attempted to write early data or we're in middlebox compat mode 631 * then we deferred changing the handshake write keys to the last possible 632 * moment. If we didn't already do this when we sent the client certificate 633 * then we need to do it now. 634 */ 635 if (SSL_CONNECTION_IS_TLS13(s) 636 && !s->server 637 && !SSL_IS_QUIC_HANDSHAKE(s) 638 && (s->early_data_state != SSL_EARLY_DATA_NONE 639 || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) 640 && s->s3.tmp.cert_req == 0 641 && (!ssl->method->ssl3_enc->change_cipher_state(s, 642 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { 643 ; 644 /* SSLfatal() already called */ 645 return CON_FUNC_ERROR; 646 } 647 648 if (s->server) { 649 sender = ssl->method->ssl3_enc->server_finished_label; 650 slen = ssl->method->ssl3_enc->server_finished_label_len; 651 } else { 652 sender = ssl->method->ssl3_enc->client_finished_label; 653 slen = ssl->method->ssl3_enc->client_finished_label_len; 654 } 655 656 finish_md_len = ssl->method->ssl3_enc->final_finish_mac(s, 657 sender, slen, 658 s->s3.tmp.finish_md); 659 if (finish_md_len == 0) { 660 /* SSLfatal() already called */ 661 return CON_FUNC_ERROR; 662 } 663 664 s->s3.tmp.finish_md_len = finish_md_len; 665 666 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) { 667 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 668 return CON_FUNC_ERROR; 669 } 670 671 /* 672 * Log the master secret, if logging is enabled. We don't log it for 673 * TLSv1.3: there's a different key schedule for that. 674 */ 675 if (!SSL_CONNECTION_IS_TLS13(s) 676 && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key, 677 s->session->master_key_length)) { 678 /* SSLfatal() already called */ 679 return CON_FUNC_ERROR; 680 } 681 682 /* 683 * Copy the finished so we can use it for renegotiation checks 684 */ 685 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) { 686 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 687 return CON_FUNC_ERROR; 688 } 689 if (!s->server) { 690 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md, 691 finish_md_len); 692 s->s3.previous_client_finished_len = finish_md_len; 693 } else { 694 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md, 695 finish_md_len); 696 s->s3.previous_server_finished_len = finish_md_len; 697 } 698 699 return CON_FUNC_SUCCESS; 700 } 701 702 CON_FUNC_RETURN tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt) 703 { 704 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) { 705 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 706 return CON_FUNC_ERROR; 707 } 708 709 s->key_update = SSL_KEY_UPDATE_NONE; 710 return CON_FUNC_SUCCESS; 711 } 712 713 MSG_PROCESS_RETURN tls_process_key_update(SSL_CONNECTION *s, PACKET *pkt) 714 { 715 unsigned int updatetype; 716 717 /* 718 * A KeyUpdate message signals a key change so the end of the message must 719 * be on a record boundary. 720 */ 721 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { 722 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); 723 return MSG_PROCESS_ERROR; 724 } 725 726 if (!PACKET_get_1(pkt, &updatetype) 727 || PACKET_remaining(pkt) != 0) { 728 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE); 729 return MSG_PROCESS_ERROR; 730 } 731 732 /* 733 * There are only two defined key update types. Fail if we get a value we 734 * didn't recognise. 735 */ 736 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED 737 && updatetype != SSL_KEY_UPDATE_REQUESTED) { 738 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE); 739 return MSG_PROCESS_ERROR; 740 } 741 742 /* 743 * If we get a request for us to update our sending keys too then, we need 744 * to additionally send a KeyUpdate message. However that message should 745 * not also request an update (otherwise we get into an infinite loop). 746 */ 747 if (updatetype == SSL_KEY_UPDATE_REQUESTED) 748 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; 749 750 if (!tls13_update_key(s, 0)) { 751 /* SSLfatal() already called */ 752 return MSG_PROCESS_ERROR; 753 } 754 755 return MSG_PROCESS_FINISHED_READING; 756 } 757 758 /* 759 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen 760 * to far. 761 */ 762 int ssl3_take_mac(SSL_CONNECTION *s) 763 { 764 const char *sender; 765 size_t slen; 766 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 767 768 if (!s->server) { 769 sender = ssl->method->ssl3_enc->server_finished_label; 770 slen = ssl->method->ssl3_enc->server_finished_label_len; 771 } else { 772 sender = ssl->method->ssl3_enc->client_finished_label; 773 slen = ssl->method->ssl3_enc->client_finished_label_len; 774 } 775 776 s->s3.tmp.peer_finish_md_len = ssl->method->ssl3_enc->final_finish_mac(s, sender, slen, 777 s->s3.tmp.peer_finish_md); 778 779 if (s->s3.tmp.peer_finish_md_len == 0) { 780 /* SSLfatal() already called */ 781 return 0; 782 } 783 784 return 1; 785 } 786 787 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL_CONNECTION *s, 788 PACKET *pkt) 789 { 790 size_t remain; 791 792 remain = PACKET_remaining(pkt); 793 /* 794 * 'Change Cipher Spec' is just a single byte, which should already have 795 * been consumed by ssl_get_message() so there should be no bytes left, 796 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes 797 */ 798 if (SSL_CONNECTION_IS_DTLS(s)) { 799 if ((s->version == DTLS1_BAD_VER 800 && remain != DTLS1_CCS_HEADER_LENGTH + 1) 801 || (s->version != DTLS1_BAD_VER 802 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) { 803 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC); 804 return MSG_PROCESS_ERROR; 805 } 806 } else { 807 if (remain != 0) { 808 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC); 809 return MSG_PROCESS_ERROR; 810 } 811 } 812 813 /* Check we have a cipher to change to */ 814 if (s->s3.tmp.new_cipher == NULL) { 815 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY); 816 return MSG_PROCESS_ERROR; 817 } 818 819 s->s3.change_cipher_spec = 1; 820 if (!ssl3_do_change_cipher_spec(s)) { 821 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 822 return MSG_PROCESS_ERROR; 823 } 824 825 if (SSL_CONNECTION_IS_DTLS(s)) { 826 if (s->version == DTLS1_BAD_VER) 827 s->d1->handshake_read_seq++; 828 829 #ifndef OPENSSL_NO_SCTP 830 /* 831 * Remember that a CCS has been received, so that an old key of 832 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no 833 * SCTP is used 834 */ 835 BIO_ctrl(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)), 836 BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL); 837 #endif 838 } 839 840 return MSG_PROCESS_CONTINUE_READING; 841 } 842 843 MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt) 844 { 845 size_t md_len; 846 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 847 int was_first = SSL_IS_FIRST_HANDSHAKE(s); 848 int ok; 849 850 /* This is a real handshake so make sure we clean it up at the end */ 851 if (s->server) { 852 /* 853 * To get this far we must have read encrypted data from the client. We 854 * no longer tolerate unencrypted alerts. This is ignored if less than 855 * TLSv1.3 856 */ 857 if (s->rlayer.rrlmethod->set_plain_alerts != NULL) 858 s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0); 859 if (s->post_handshake_auth != SSL_PHA_REQUESTED) 860 s->statem.cleanuphand = 1; 861 if (SSL_CONNECTION_IS_TLS13(s) 862 && !tls13_save_handshake_digest_for_pha(s)) { 863 /* SSLfatal() already called */ 864 return MSG_PROCESS_ERROR; 865 } 866 } 867 868 /* 869 * In TLSv1.3 a Finished message signals a key change so the end of the 870 * message must be on a record boundary. 871 */ 872 if (SSL_CONNECTION_IS_TLS13(s) 873 && RECORD_LAYER_processed_read_pending(&s->rlayer)) { 874 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); 875 return MSG_PROCESS_ERROR; 876 } 877 878 /* If this occurs, we have missed a message */ 879 if (!SSL_CONNECTION_IS_TLS13(s) && !s->s3.change_cipher_spec) { 880 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS); 881 return MSG_PROCESS_ERROR; 882 } 883 s->s3.change_cipher_spec = 0; 884 885 md_len = s->s3.tmp.peer_finish_md_len; 886 887 if (md_len != PACKET_remaining(pkt)) { 888 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH); 889 return MSG_PROCESS_ERROR; 890 } 891 892 ok = CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md, 893 md_len); 894 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 895 if (ok != 0) { 896 if ((PACKET_data(pkt)[0] ^ s->s3.tmp.peer_finish_md[0]) != 0xFF) { 897 ok = 0; 898 } 899 } 900 #endif 901 if (ok != 0) { 902 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED); 903 return MSG_PROCESS_ERROR; 904 } 905 906 /* 907 * Copy the finished so we can use it for renegotiation checks 908 */ 909 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) { 910 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 911 return MSG_PROCESS_ERROR; 912 } 913 if (s->server) { 914 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md, 915 md_len); 916 s->s3.previous_client_finished_len = md_len; 917 } else { 918 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md, 919 md_len); 920 s->s3.previous_server_finished_len = md_len; 921 } 922 923 /* 924 * In TLS1.3 we also have to change cipher state and do any final processing 925 * of the initial server flight (if we are a client) 926 */ 927 if (SSL_CONNECTION_IS_TLS13(s)) { 928 if (s->server) { 929 if (s->post_handshake_auth != SSL_PHA_REQUESTED && !ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) { 930 /* SSLfatal() already called */ 931 return MSG_PROCESS_ERROR; 932 } 933 } else { 934 /* TLS 1.3 gets the secret size from the handshake md */ 935 size_t dummy; 936 if (!ssl->method->ssl3_enc->generate_master_secret(s, 937 s->master_secret, s->handshake_secret, 0, 938 &dummy)) { 939 /* SSLfatal() already called */ 940 return MSG_PROCESS_ERROR; 941 } 942 if (!tls13_store_server_finished_hash(s)) { 943 /* SSLfatal() already called */ 944 return MSG_PROCESS_ERROR; 945 } 946 947 /* 948 * For non-QUIC we set up the client's app data read keys now, so 949 * that we can go straight into reading 0.5RTT data from the server. 950 * For QUIC we don't do that, and instead defer setting up the keys 951 * until after we have set up the write keys in order to ensure that 952 * write keys are always set up before read keys (so that if we read 953 * a message we have the correct keys in place to ack it) 954 */ 955 if (!SSL_IS_QUIC_HANDSHAKE(s) 956 && !ssl->method->ssl3_enc->change_cipher_state(s, 957 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) { 958 /* SSLfatal() already called */ 959 return MSG_PROCESS_ERROR; 960 } 961 if (!tls_process_initial_server_flight(s)) { 962 /* SSLfatal() already called */ 963 return MSG_PROCESS_ERROR; 964 } 965 } 966 } 967 968 if (was_first 969 && !SSL_IS_FIRST_HANDSHAKE(s) 970 && s->rlayer.rrlmethod->set_first_handshake != NULL) 971 s->rlayer.rrlmethod->set_first_handshake(s->rlayer.rrl, 0); 972 973 return MSG_PROCESS_FINISHED_READING; 974 } 975 976 CON_FUNC_RETURN tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt) 977 { 978 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) { 979 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 980 return CON_FUNC_ERROR; 981 } 982 983 return CON_FUNC_SUCCESS; 984 } 985 986 /* Add a certificate to the WPACKET */ 987 static int ssl_add_cert_to_wpacket(SSL_CONNECTION *s, WPACKET *pkt, 988 X509 *x, int chain, int for_comp) 989 { 990 int len; 991 unsigned char *outbytes; 992 int context = SSL_EXT_TLS1_3_CERTIFICATE; 993 994 if (for_comp) 995 context |= SSL_EXT_TLS1_3_CERTIFICATE_COMPRESSION; 996 997 len = i2d_X509(x, NULL); 998 if (len < 0) { 999 if (!for_comp) 1000 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB); 1001 return 0; 1002 } 1003 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes) 1004 || i2d_X509(x, &outbytes) != len) { 1005 if (!for_comp) 1006 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1007 return 0; 1008 } 1009 1010 if ((SSL_CONNECTION_IS_TLS13(s) || for_comp) 1011 && !tls_construct_extensions(s, pkt, context, x, chain)) { 1012 /* SSLfatal() already called */ 1013 return 0; 1014 } 1015 1016 return 1; 1017 } 1018 1019 /* Add certificate chain to provided WPACKET */ 1020 static int ssl_add_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, CERT_PKEY *cpk, int for_comp) 1021 { 1022 int i, chain_count; 1023 X509 *x; 1024 STACK_OF(X509) *extra_certs; 1025 STACK_OF(X509) *chain = NULL; 1026 X509_STORE *chain_store; 1027 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1028 1029 if (cpk == NULL || cpk->x509 == NULL) 1030 return 1; 1031 1032 x = cpk->x509; 1033 1034 /* 1035 * If we have a certificate specific chain use it, else use parent ctx. 1036 */ 1037 if (cpk->chain != NULL) 1038 extra_certs = cpk->chain; 1039 else 1040 extra_certs = sctx->extra_certs; 1041 1042 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs) 1043 chain_store = NULL; 1044 else if (s->cert->chain_store) 1045 chain_store = s->cert->chain_store; 1046 else 1047 chain_store = sctx->cert_store; 1048 1049 if (chain_store != NULL) { 1050 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(sctx->libctx, 1051 sctx->propq); 1052 1053 if (xs_ctx == NULL) { 1054 if (!for_comp) 1055 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB); 1056 return 0; 1057 } 1058 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) { 1059 X509_STORE_CTX_free(xs_ctx); 1060 if (!for_comp) 1061 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB); 1062 return 0; 1063 } 1064 /* 1065 * It is valid for the chain not to be complete (because normally we 1066 * don't include the root cert in the chain). Therefore we deliberately 1067 * ignore the error return from this call. We're not actually verifying 1068 * the cert - we're just building as much of the chain as we can 1069 */ 1070 (void)X509_verify_cert(xs_ctx); 1071 /* Don't leave errors in the queue */ 1072 ERR_clear_error(); 1073 chain = X509_STORE_CTX_get0_chain(xs_ctx); 1074 i = ssl_security_cert_chain(s, chain, NULL, 0); 1075 if (i != 1) { 1076 #if 0 1077 /* Dummy error calls so mkerr generates them */ 1078 ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL); 1079 ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL); 1080 ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK); 1081 #endif 1082 X509_STORE_CTX_free(xs_ctx); 1083 if (!for_comp) 1084 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i); 1085 return 0; 1086 } 1087 chain_count = sk_X509_num(chain); 1088 for (i = 0; i < chain_count; i++) { 1089 x = sk_X509_value(chain, i); 1090 1091 if (!ssl_add_cert_to_wpacket(s, pkt, x, i, for_comp)) { 1092 /* SSLfatal() already called */ 1093 X509_STORE_CTX_free(xs_ctx); 1094 return 0; 1095 } 1096 } 1097 X509_STORE_CTX_free(xs_ctx); 1098 } else { 1099 i = ssl_security_cert_chain(s, extra_certs, x, 0); 1100 if (i != 1) { 1101 if (!for_comp) 1102 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i); 1103 return 0; 1104 } 1105 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0, for_comp)) { 1106 /* SSLfatal() already called */ 1107 return 0; 1108 } 1109 for (i = 0; i < sk_X509_num(extra_certs); i++) { 1110 x = sk_X509_value(extra_certs, i); 1111 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1, for_comp)) { 1112 /* SSLfatal() already called */ 1113 return 0; 1114 } 1115 } 1116 } 1117 return 1; 1118 } 1119 1120 EVP_PKEY *tls_get_peer_pkey(const SSL_CONNECTION *sc) 1121 { 1122 if (sc->session->peer_rpk != NULL) 1123 return sc->session->peer_rpk; 1124 if (sc->session->peer != NULL) 1125 return X509_get0_pubkey(sc->session->peer); 1126 return NULL; 1127 } 1128 1129 int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk) 1130 { 1131 EVP_PKEY *pkey = NULL; 1132 int ret = 0; 1133 RAW_EXTENSION *rawexts = NULL; 1134 PACKET extensions; 1135 PACKET context; 1136 unsigned long cert_len = 0, spki_len = 0; 1137 const unsigned char *spki, *spkistart; 1138 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc); 1139 1140 /*- 1141 * ---------------------------- 1142 * TLS 1.3 Certificate message: 1143 * ---------------------------- 1144 * https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2 1145 * 1146 * enum { 1147 * X509(0), 1148 * RawPublicKey(2), 1149 * (255) 1150 * } CertificateType; 1151 * 1152 * struct { 1153 * select (certificate_type) { 1154 * case RawPublicKey: 1155 * // From RFC 7250 ASN.1_subjectPublicKeyInfo 1156 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>; 1157 * 1158 * case X509: 1159 * opaque cert_data<1..2^24-1>; 1160 * }; 1161 * Extension extensions<0..2^16-1>; 1162 * } CertificateEntry; 1163 * 1164 * struct { 1165 * opaque certificate_request_context<0..2^8-1>; 1166 * CertificateEntry certificate_list<0..2^24-1>; 1167 * } Certificate; 1168 * 1169 * The client MUST send a Certificate message if and only if the server 1170 * has requested client authentication via a CertificateRequest message 1171 * (Section 4.3.2). If the server requests client authentication but no 1172 * suitable certificate is available, the client MUST send a Certificate 1173 * message containing no certificates (i.e., with the "certificate_list" 1174 * field having length 0). 1175 * 1176 * ---------------------------- 1177 * TLS 1.2 Certificate message: 1178 * ---------------------------- 1179 * https://datatracker.ietf.org/doc/html/rfc7250#section-3 1180 * 1181 * opaque ASN.1Cert<1..2^24-1>; 1182 * 1183 * struct { 1184 * select(certificate_type){ 1185 * 1186 * // certificate type defined in this document. 1187 * case RawPublicKey: 1188 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>; 1189 * 1190 * // X.509 certificate defined in RFC 5246 1191 * case X.509: 1192 * ASN.1Cert certificate_list<0..2^24-1>; 1193 * 1194 * // Additional certificate type based on 1195 * // "TLS Certificate Types" subregistry 1196 * }; 1197 * } Certificate; 1198 * 1199 * ------------- 1200 * Consequently: 1201 * ------------- 1202 * After the (TLS 1.3 only) context octet string (1 byte length + data) the 1203 * Certificate message has a 3-byte length that is zero in the client to 1204 * server message when the client has no RPK to send. In that case, there 1205 * are no (TLS 1.3 only) per-certificate extensions either, because the 1206 * [CertificateEntry] list is empty. 1207 * 1208 * In the server to client direction, or when the client had an RPK to send, 1209 * the TLS 1.3 message just prepends the length of the RPK+extensions, 1210 * while TLS <= 1.2 sends just the RPK (octet-string). 1211 * 1212 * The context must be zero-length in the server to client direction, and 1213 * must match the value recorded in the certificate request in the client 1214 * to server direction. 1215 */ 1216 if (SSL_CONNECTION_IS_TLS13(sc)) { 1217 if (!PACKET_get_length_prefixed_1(pkt, &context)) { 1218 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); 1219 goto err; 1220 } 1221 if (sc->server) { 1222 if (sc->pha_context == NULL) { 1223 if (PACKET_remaining(&context) != 0) { 1224 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); 1225 goto err; 1226 } 1227 } else { 1228 if (!PACKET_equal(&context, sc->pha_context, sc->pha_context_len)) { 1229 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); 1230 goto err; 1231 } 1232 } 1233 } else { 1234 if (PACKET_remaining(&context) != 0) { 1235 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); 1236 goto err; 1237 } 1238 } 1239 } 1240 1241 if (!PACKET_get_net_3(pkt, &cert_len) 1242 || PACKET_remaining(pkt) != cert_len) { 1243 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1244 goto err; 1245 } 1246 1247 /* 1248 * The list length may be zero when there is no RPK. In the case of TLS 1249 * 1.2 this is actually the RPK length, which cannot be zero as specified, 1250 * but that breaks the ability of the client to decline client auth. We 1251 * overload the 0 RPK length to mean "no RPK". This interpretation is 1252 * also used some other (reference?) implementations, but is not supported 1253 * by the verbatim RFC7250 text. 1254 */ 1255 if (cert_len == 0) 1256 return 1; 1257 1258 if (SSL_CONNECTION_IS_TLS13(sc)) { 1259 /* 1260 * With TLS 1.3, a non-empty explicit-length RPK octet-string followed 1261 * by a possibly empty extension block. 1262 */ 1263 if (!PACKET_get_net_3(pkt, &spki_len)) { 1264 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1265 goto err; 1266 } 1267 if (spki_len == 0) { 1268 /* empty RPK */ 1269 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_EMPTY_RAW_PUBLIC_KEY); 1270 goto err; 1271 } 1272 } else { 1273 spki_len = cert_len; 1274 } 1275 1276 if (!PACKET_get_bytes(pkt, &spki, spki_len)) { 1277 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1278 goto err; 1279 } 1280 spkistart = spki; 1281 if ((pkey = d2i_PUBKEY_ex(NULL, &spki, spki_len, sctx->libctx, sctx->propq)) == NULL 1282 || spki != (spkistart + spki_len)) { 1283 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1284 goto err; 1285 } 1286 if (EVP_PKEY_missing_parameters(pkey)) { 1287 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, 1288 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1289 goto err; 1290 } 1291 1292 /* Process the Extensions block */ 1293 if (SSL_CONNECTION_IS_TLS13(sc)) { 1294 if (PACKET_remaining(pkt) != (cert_len - 3 - spki_len)) { 1295 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 1296 goto err; 1297 } 1298 if (!PACKET_as_length_prefixed_2(pkt, &extensions) 1299 || PACKET_remaining(pkt) != 0) { 1300 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1301 goto err; 1302 } 1303 if (!tls_collect_extensions(sc, &extensions, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY, 1304 &rawexts, NULL, 1)) { 1305 /* SSLfatal already called */ 1306 goto err; 1307 } 1308 /* chain index is always zero and fin always 1 for RPK */ 1309 if (!tls_parse_all_extensions(sc, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY, 1310 rawexts, NULL, 0, 1)) { 1311 /* SSLfatal already called */ 1312 goto err; 1313 } 1314 } 1315 ret = 1; 1316 if (peer_rpk != NULL) { 1317 *peer_rpk = pkey; 1318 pkey = NULL; 1319 } 1320 1321 err: 1322 OPENSSL_free(rawexts); 1323 EVP_PKEY_free(pkey); 1324 return ret; 1325 } 1326 1327 unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk) 1328 { 1329 int pdata_len = 0; 1330 unsigned char *pdata = NULL; 1331 X509_PUBKEY *xpk = NULL; 1332 unsigned long ret = 0; 1333 X509 *x509 = NULL; 1334 1335 if (cpk != NULL && cpk->x509 != NULL) { 1336 x509 = cpk->x509; 1337 /* Get the RPK from the certificate */ 1338 xpk = X509_get_X509_PUBKEY(cpk->x509); 1339 if (xpk == NULL) { 1340 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1341 goto err; 1342 } 1343 pdata_len = i2d_X509_PUBKEY(xpk, &pdata); 1344 } else if (cpk != NULL && cpk->privatekey != NULL) { 1345 /* Get the RPK from the private key */ 1346 pdata_len = i2d_PUBKEY(cpk->privatekey, &pdata); 1347 } else { 1348 /* The server RPK is not optional */ 1349 if (sc->server) { 1350 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1351 goto err; 1352 } 1353 /* The client can send a zero length certificate list */ 1354 if (!WPACKET_sub_memcpy_u24(pkt, pdata, pdata_len)) { 1355 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1356 goto err; 1357 } 1358 return 1; 1359 } 1360 1361 if (pdata_len <= 0) { 1362 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1363 goto err; 1364 } 1365 1366 /* 1367 * TLSv1.2 is _just_ the raw public key 1368 * TLSv1.3 includes extensions, so there's a length wrapper 1369 */ 1370 if (SSL_CONNECTION_IS_TLS13(sc)) { 1371 if (!WPACKET_start_sub_packet_u24(pkt)) { 1372 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1373 goto err; 1374 } 1375 } 1376 1377 if (!WPACKET_sub_memcpy_u24(pkt, pdata, pdata_len)) { 1378 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1379 goto err; 1380 } 1381 1382 if (SSL_CONNECTION_IS_TLS13(sc)) { 1383 /* 1384 * Only send extensions relevant to raw public keys. Until such 1385 * extensions are defined, this will be an empty set of extensions. 1386 * |x509| may be NULL, which raw public-key extensions need to handle. 1387 */ 1388 if (!tls_construct_extensions(sc, pkt, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY, 1389 x509, 0)) { 1390 /* SSLfatal() already called */ 1391 goto err; 1392 } 1393 if (!WPACKET_close(pkt)) { 1394 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1395 goto err; 1396 } 1397 } 1398 1399 ret = 1; 1400 err: 1401 OPENSSL_free(pdata); 1402 return ret; 1403 } 1404 1405 unsigned long ssl3_output_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, 1406 CERT_PKEY *cpk, int for_comp) 1407 { 1408 if (!WPACKET_start_sub_packet_u24(pkt)) { 1409 if (!for_comp) 1410 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1411 return 0; 1412 } 1413 1414 if (!ssl_add_cert_chain(s, pkt, cpk, for_comp)) 1415 return 0; 1416 1417 if (!WPACKET_close(pkt)) { 1418 if (!for_comp) 1419 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1420 return 0; 1421 } 1422 1423 return 1; 1424 } 1425 1426 /* 1427 * Tidy up after the end of a handshake. In the case of SCTP this may result 1428 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is 1429 * freed up as well. 1430 */ 1431 WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst, 1432 int clearbufs, int stop) 1433 { 1434 void (*cb)(const SSL *ssl, int type, int val) = NULL; 1435 int cleanuphand = s->statem.cleanuphand; 1436 SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s); 1437 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1438 1439 if (clearbufs) { 1440 if (!SSL_CONNECTION_IS_DTLS(s) 1441 #ifndef OPENSSL_NO_SCTP 1442 /* 1443 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS 1444 * messages that require it. Therefore, DTLS procedures for retransmissions 1445 * MUST NOT be used. 1446 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used. 1447 */ 1448 || BIO_dgram_is_sctp(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s))) 1449 #endif 1450 ) { 1451 /* 1452 * We don't do this in DTLS over UDP because we may still need the init_buf 1453 * in case there are any unexpected retransmits 1454 */ 1455 BUF_MEM_free(s->init_buf); 1456 s->init_buf = NULL; 1457 } 1458 1459 if (!ssl_free_wbio_buffer(s)) { 1460 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1461 return WORK_ERROR; 1462 } 1463 s->init_num = 0; 1464 } 1465 1466 if (SSL_CONNECTION_IS_TLS13(s) && !s->server 1467 && s->post_handshake_auth == SSL_PHA_REQUESTED) 1468 s->post_handshake_auth = SSL_PHA_EXT_SENT; 1469 1470 /* 1471 * Only set if there was a Finished message and this isn't after a TLSv1.3 1472 * post handshake exchange 1473 */ 1474 if (cleanuphand) { 1475 /* skipped if we just sent a HelloRequest */ 1476 s->renegotiate = 0; 1477 s->new_session = 0; 1478 s->statem.cleanuphand = 0; 1479 s->ext.ticket_expected = 0; 1480 1481 ssl3_cleanup_key_block(s); 1482 1483 if (s->server) { 1484 /* 1485 * In TLSv1.3 we update the cache as part of constructing the 1486 * NewSessionTicket 1487 */ 1488 if (!SSL_CONNECTION_IS_TLS13(s)) 1489 ssl_update_cache(s, SSL_SESS_CACHE_SERVER); 1490 1491 /* N.B. s->ctx may not equal s->session_ctx */ 1492 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good); 1493 s->handshake_func = ossl_statem_accept; 1494 } else { 1495 if (SSL_CONNECTION_IS_TLS13(s)) { 1496 /* 1497 * We encourage applications to only use TLSv1.3 tickets once, 1498 * so we remove this one from the cache. 1499 */ 1500 if ((s->session_ctx->session_cache_mode 1501 & SSL_SESS_CACHE_CLIENT) 1502 != 0) 1503 SSL_CTX_remove_session(s->session_ctx, s->session); 1504 } else { 1505 /* 1506 * In TLSv1.3 we update the cache as part of processing the 1507 * NewSessionTicket 1508 */ 1509 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 1510 } 1511 if (s->hit) 1512 ssl_tsan_counter(s->session_ctx, 1513 &s->session_ctx->stats.sess_hit); 1514 1515 s->handshake_func = ossl_statem_connect; 1516 ssl_tsan_counter(s->session_ctx, 1517 &s->session_ctx->stats.sess_connect_good); 1518 } 1519 1520 if (SSL_CONNECTION_IS_DTLS(s)) { 1521 /* done with handshaking */ 1522 s->d1->handshake_read_seq = 0; 1523 s->d1->handshake_write_seq = 0; 1524 s->d1->next_handshake_write_seq = 0; 1525 dtls1_clear_received_buffer(s); 1526 } 1527 } 1528 1529 if (s->info_callback != NULL) 1530 cb = s->info_callback; 1531 else if (sctx->info_callback != NULL) 1532 cb = sctx->info_callback; 1533 1534 /* The callback may expect us to not be in init at handshake done */ 1535 ossl_statem_set_in_init(s, 0); 1536 1537 if (cb != NULL) { 1538 if (cleanuphand 1539 || !SSL_CONNECTION_IS_TLS13(s) 1540 || SSL_IS_FIRST_HANDSHAKE(s)) 1541 cb(ssl, SSL_CB_HANDSHAKE_DONE, 1); 1542 } 1543 1544 if (!stop) { 1545 /* If we've got more work to do we go back into init */ 1546 ossl_statem_set_in_init(s, 1); 1547 return WORK_FINISHED_CONTINUE; 1548 } 1549 1550 return WORK_FINISHED_STOP; 1551 } 1552 1553 int tls_get_message_header(SSL_CONNECTION *s, int *mt) 1554 { 1555 /* s->init_num < SSL3_HM_HEADER_LENGTH */ 1556 int skip_message, i; 1557 uint8_t recvd_type; 1558 unsigned char *p; 1559 size_t l, readbytes; 1560 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 1561 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 1562 1563 p = (unsigned char *)s->init_buf->data; 1564 1565 do { 1566 while (s->init_num < SSL3_HM_HEADER_LENGTH) { 1567 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, &recvd_type, 1568 &p[s->init_num], 1569 SSL3_HM_HEADER_LENGTH - s->init_num, 1570 0, &readbytes); 1571 if (i <= 0) { 1572 s->rwstate = SSL_READING; 1573 return 0; 1574 } 1575 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 1576 /* 1577 * A ChangeCipherSpec must be a single byte and may not occur 1578 * in the middle of a handshake message. 1579 */ 1580 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) { 1581 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1582 SSL_R_BAD_CHANGE_CIPHER_SPEC); 1583 return 0; 1584 } 1585 if (s->statem.hand_state == TLS_ST_BEFORE 1586 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) { 1587 /* 1588 * We are stateless and we received a CCS. Probably this is 1589 * from a client between the first and second ClientHellos. 1590 * We should ignore this, but return an error because we do 1591 * not return success until we see the second ClientHello 1592 * with a valid cookie. 1593 */ 1594 return 0; 1595 } 1596 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; 1597 s->init_num = readbytes - 1; 1598 s->init_msg = s->init_buf->data; 1599 s->s3.tmp.message_size = readbytes; 1600 return 1; 1601 } else if (recvd_type != SSL3_RT_HANDSHAKE) { 1602 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1603 SSL_R_CCS_RECEIVED_EARLY); 1604 return 0; 1605 } 1606 s->init_num += readbytes; 1607 } 1608 1609 skip_message = 0; 1610 if (!s->server) 1611 if (s->statem.hand_state != TLS_ST_OK 1612 && p[0] == SSL3_MT_HELLO_REQUEST) 1613 /* 1614 * The server may always send 'Hello Request' messages -- 1615 * we are doing a handshake anyway now, so ignore them if 1616 * their format is correct. Does not count for 'Finished' 1617 * MAC. 1618 */ 1619 if (p[1] == 0 && p[2] == 0 && p[3] == 0) { 1620 s->init_num = 0; 1621 skip_message = 1; 1622 1623 if (s->msg_callback) 1624 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 1625 p, SSL3_HM_HEADER_LENGTH, ussl, 1626 s->msg_callback_arg); 1627 } 1628 } while (skip_message); 1629 /* s->init_num == SSL3_HM_HEADER_LENGTH */ 1630 1631 *mt = *p; 1632 s->s3.tmp.message_type = *(p++); 1633 1634 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 1635 /* 1636 * Only happens with SSLv3+ in an SSLv2 backward compatible 1637 * ClientHello 1638 * 1639 * Total message size is the remaining record bytes to read 1640 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read 1641 */ 1642 l = s->rlayer.tlsrecs[0].length + SSL3_HM_HEADER_LENGTH; 1643 s->s3.tmp.message_size = l; 1644 1645 s->init_msg = s->init_buf->data; 1646 s->init_num = SSL3_HM_HEADER_LENGTH; 1647 } else { 1648 n2l3(p, l); 1649 /* BUF_MEM_grow takes an 'int' parameter */ 1650 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) { 1651 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1652 SSL_R_EXCESSIVE_MESSAGE_SIZE); 1653 return 0; 1654 } 1655 s->s3.tmp.message_size = l; 1656 1657 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; 1658 s->init_num = 0; 1659 } 1660 1661 return 1; 1662 } 1663 1664 int tls_get_message_body(SSL_CONNECTION *s, size_t *len) 1665 { 1666 size_t n, readbytes; 1667 unsigned char *p; 1668 int i; 1669 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 1670 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 1671 1672 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) { 1673 /* We've already read everything in */ 1674 *len = (unsigned long)s->init_num; 1675 return 1; 1676 } 1677 1678 p = s->init_msg; 1679 n = s->s3.tmp.message_size - s->init_num; 1680 while (n > 0) { 1681 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL, 1682 &p[s->init_num], n, 0, &readbytes); 1683 if (i <= 0) { 1684 s->rwstate = SSL_READING; 1685 *len = 0; 1686 return 0; 1687 } 1688 s->init_num += readbytes; 1689 n -= readbytes; 1690 } 1691 1692 /* 1693 * If receiving Finished, record MAC of prior handshake messages for 1694 * Finished verification. 1695 */ 1696 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) { 1697 /* SSLfatal() already called */ 1698 *len = 0; 1699 return 0; 1700 } 1701 1702 /* Feed this message into MAC computation. */ 1703 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 1704 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1705 s->init_num)) { 1706 /* SSLfatal() already called */ 1707 *len = 0; 1708 return 0; 1709 } 1710 if (s->msg_callback) 1711 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data, 1712 (size_t)s->init_num, ussl, s->msg_callback_arg); 1713 } else { 1714 /* 1715 * We defer feeding in the HRR until later. We'll do it as part of 1716 * processing the message 1717 * The TLsv1.3 handshake transcript stops at the ClientFinished 1718 * message. 1719 */ 1720 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2) 1721 /* KeyUpdate and NewSessionTicket do not need to be added */ 1722 if (!SSL_CONNECTION_IS_TLS13(s) 1723 || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET 1724 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) { 1725 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO 1726 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE 1727 || memcmp(hrrrandom, 1728 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET, 1729 SSL3_RANDOM_SIZE) 1730 != 0) { 1731 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1732 s->init_num + SSL3_HM_HEADER_LENGTH)) { 1733 /* SSLfatal() already called */ 1734 *len = 0; 1735 return 0; 1736 } 1737 } 1738 } 1739 if (s->msg_callback) 1740 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, 1741 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, ussl, 1742 s->msg_callback_arg); 1743 } 1744 1745 *len = s->init_num; 1746 return 1; 1747 } 1748 1749 static const X509ERR2ALERT x509table[] = { 1750 { X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE }, 1751 { X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE }, 1752 { X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE }, 1753 { X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE }, 1754 { X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA }, 1755 { X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED }, 1756 { X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE }, 1757 { X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE }, 1758 { X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED }, 1759 { X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR }, 1760 { X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE }, 1761 { X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED }, 1762 { X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE }, 1763 { X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR }, 1764 { X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE }, 1765 { X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA }, 1766 { X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE }, 1767 { X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE }, 1768 { X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE }, 1769 { X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE }, 1770 { X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE }, 1771 { X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE }, 1772 { X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE }, 1773 { X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA }, 1774 { X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR }, 1775 { X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE }, 1776 { X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE }, 1777 { X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR }, 1778 { X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA }, 1779 { X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA }, 1780 { X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR }, 1781 { X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE }, 1782 { X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE }, 1783 { X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE }, 1784 { X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA }, 1785 { X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA }, 1786 { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA }, 1787 { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA }, 1788 { X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA }, 1789 { X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR }, 1790 1791 /* Last entry; return this if we don't find the value above. */ 1792 { X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN } 1793 }; 1794 1795 int ssl_x509err2alert(int x509err) 1796 { 1797 const X509ERR2ALERT *tp; 1798 1799 for (tp = x509table; tp->x509err != X509_V_OK; ++tp) 1800 if (tp->x509err == x509err) 1801 break; 1802 return tp->alert; 1803 } 1804 1805 int ssl_allow_compression(SSL_CONNECTION *s) 1806 { 1807 if (s->options & SSL_OP_NO_COMPRESSION) 1808 return 0; 1809 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL); 1810 } 1811 1812 /* 1813 * SSL/TLS/DTLS version comparison 1814 * 1815 * Returns 1816 * 0 if versiona is equal to versionb 1817 * 1 if versiona is greater than versionb 1818 * -1 if versiona is less than versionb 1819 */ 1820 int ssl_version_cmp(const SSL_CONNECTION *s, int versiona, int versionb) 1821 { 1822 int dtls = SSL_CONNECTION_IS_DTLS(s); 1823 1824 if (versiona == versionb) 1825 return 0; 1826 if (!dtls) 1827 return versiona < versionb ? -1 : 1; 1828 return DTLS_VERSION_LT(versiona, versionb) ? -1 : 1; 1829 } 1830 1831 typedef struct { 1832 int version; 1833 const SSL_METHOD *(*cmeth)(void); 1834 const SSL_METHOD *(*smeth)(void); 1835 } version_info; 1836 1837 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION 1838 #error Code needs update for TLS_method() support beyond TLS1_3_VERSION. 1839 #endif 1840 1841 /* Must be in order high to low */ 1842 static const version_info tls_version_table[] = { 1843 #ifndef OPENSSL_NO_TLS1_3 1844 { TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method }, 1845 #else 1846 { TLS1_3_VERSION, NULL, NULL }, 1847 #endif 1848 #ifndef OPENSSL_NO_TLS1_2 1849 { TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method }, 1850 #else 1851 { TLS1_2_VERSION, NULL, NULL }, 1852 #endif 1853 #ifndef OPENSSL_NO_TLS1_1 1854 { TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method }, 1855 #else 1856 { TLS1_1_VERSION, NULL, NULL }, 1857 #endif 1858 #ifndef OPENSSL_NO_TLS1 1859 { TLS1_VERSION, tlsv1_client_method, tlsv1_server_method }, 1860 #else 1861 { TLS1_VERSION, NULL, NULL }, 1862 #endif 1863 #ifndef OPENSSL_NO_SSL3 1864 { SSL3_VERSION, sslv3_client_method, sslv3_server_method }, 1865 #else 1866 { SSL3_VERSION, NULL, NULL }, 1867 #endif 1868 { 0, NULL, NULL }, 1869 }; 1870 1871 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION 1872 #error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION. 1873 #endif 1874 1875 /* Must be in order high to low */ 1876 static const version_info dtls_version_table[] = { 1877 #ifndef OPENSSL_NO_DTLS1_2 1878 { DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method }, 1879 #else 1880 { DTLS1_2_VERSION, NULL, NULL }, 1881 #endif 1882 #ifndef OPENSSL_NO_DTLS1 1883 { DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method }, 1884 { DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL }, 1885 #else 1886 { DTLS1_VERSION, NULL, NULL }, 1887 { DTLS1_BAD_VER, NULL, NULL }, 1888 #endif 1889 { 0, NULL, NULL }, 1890 }; 1891 1892 /* 1893 * ssl_method_error - Check whether an SSL_METHOD is enabled. 1894 * 1895 * @s: The SSL handle for the candidate method 1896 * @method: the intended method. 1897 * 1898 * Returns 0 on success, or an SSL error reason on failure. 1899 */ 1900 static int ssl_method_error(const SSL_CONNECTION *s, const SSL_METHOD *method) 1901 { 1902 int version = method->version; 1903 1904 if ((s->min_proto_version != 0 && ssl_version_cmp(s, version, s->min_proto_version) < 0) || ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0) 1905 return SSL_R_VERSION_TOO_LOW; 1906 1907 if (s->max_proto_version != 0 && ssl_version_cmp(s, version, s->max_proto_version) > 0) 1908 return SSL_R_VERSION_TOO_HIGH; 1909 1910 if ((s->options & method->mask) != 0) 1911 return SSL_R_UNSUPPORTED_PROTOCOL; 1912 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s)) 1913 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE; 1914 1915 return 0; 1916 } 1917 1918 /* 1919 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable 1920 * certificate type, or has PSK or a certificate callback configured, or has 1921 * a servername callback configure. Otherwise returns 0. 1922 */ 1923 static int is_tls13_capable(const SSL_CONNECTION *s) 1924 { 1925 size_t i; 1926 int curve; 1927 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1928 1929 if (!ossl_assert(sctx != NULL) || !ossl_assert(s->session_ctx != NULL)) 1930 return 0; 1931 1932 /* 1933 * A servername callback can change the available certs, so if a servername 1934 * cb is set then we just assume TLSv1.3 will be ok 1935 */ 1936 if (sctx->ext.servername_cb != NULL 1937 || s->session_ctx->ext.servername_cb != NULL) 1938 return 1; 1939 1940 #ifndef OPENSSL_NO_PSK 1941 if (s->psk_server_callback != NULL) 1942 return 1; 1943 #endif 1944 1945 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL) 1946 return 1; 1947 1948 /* All provider-based sig algs are required to support at least TLS1.3 */ 1949 for (i = 0; i < s->ssl_pkey_num; i++) { 1950 /* Skip over certs disallowed for TLSv1.3 */ 1951 switch (i) { 1952 case SSL_PKEY_DSA_SIGN: 1953 case SSL_PKEY_GOST01: 1954 case SSL_PKEY_GOST12_256: 1955 case SSL_PKEY_GOST12_512: 1956 continue; 1957 default: 1958 break; 1959 } 1960 if (!ssl_has_cert(s, i)) 1961 continue; 1962 if (i != SSL_PKEY_ECC) 1963 return 1; 1964 /* 1965 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is 1966 * more restrictive so check that our sig algs are consistent with this 1967 * EC cert. See section 4.2.3 of RFC8446. 1968 */ 1969 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey); 1970 if (tls_check_sigalg_curve(s, curve)) 1971 return 1; 1972 } 1973 1974 return 0; 1975 } 1976 1977 /* 1978 * ssl_version_supported - Check that the specified `version` is supported by 1979 * `SSL *` instance 1980 * 1981 * @s: The SSL handle for the candidate method 1982 * @version: Protocol version to test against 1983 * 1984 * Returns 1 when supported, otherwise 0 1985 */ 1986 int ssl_version_supported(const SSL_CONNECTION *s, int version, 1987 const SSL_METHOD **meth) 1988 { 1989 const version_info *vent; 1990 const version_info *table; 1991 1992 switch (SSL_CONNECTION_GET_SSL(s)->method->version) { 1993 default: 1994 /* Version should match method version for non-ANY method */ 1995 return ssl_version_cmp(s, version, s->version) == 0; 1996 case TLS_ANY_VERSION: 1997 table = tls_version_table; 1998 break; 1999 case DTLS_ANY_VERSION: 2000 table = dtls_version_table; 2001 break; 2002 } 2003 2004 for (vent = table; 2005 vent->version != 0 && ssl_version_cmp(s, version, vent->version) <= 0; 2006 ++vent) { 2007 const SSL_METHOD *(*thismeth)(void) = s->server ? vent->smeth 2008 : vent->cmeth; 2009 2010 if (thismeth != NULL 2011 && ssl_version_cmp(s, version, vent->version) == 0 2012 && ssl_method_error(s, thismeth()) == 0 2013 && (!s->server 2014 || version != TLS1_3_VERSION 2015 || is_tls13_capable(s))) { 2016 if (meth != NULL) 2017 *meth = thismeth(); 2018 return 1; 2019 } 2020 } 2021 return 0; 2022 } 2023 2024 /* 2025 * ssl_check_version_downgrade - In response to RFC7507 SCSV version 2026 * fallback indication from a client check whether we're using the highest 2027 * supported protocol version. 2028 * 2029 * @s server SSL handle. 2030 * 2031 * Returns 1 when using the highest enabled version, 0 otherwise. 2032 */ 2033 int ssl_check_version_downgrade(SSL_CONNECTION *s) 2034 { 2035 const version_info *vent; 2036 const version_info *table; 2037 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 2038 2039 /* 2040 * Check that the current protocol is the highest enabled version 2041 * (according to ssl->defltmethod, as version negotiation may have changed 2042 * s->method). 2043 */ 2044 if (s->version == ssl->defltmeth->version) 2045 return 1; 2046 2047 /* 2048 * Apparently we're using a version-flexible SSL_METHOD (not at its 2049 * highest protocol version). 2050 */ 2051 if (ssl->defltmeth->version == TLS_method()->version) 2052 table = tls_version_table; 2053 else if (ssl->defltmeth->version == DTLS_method()->version) 2054 table = dtls_version_table; 2055 else { 2056 /* Unexpected state; fail closed. */ 2057 return 0; 2058 } 2059 2060 for (vent = table; vent->version != 0; ++vent) { 2061 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0) 2062 return s->version == vent->version; 2063 } 2064 return 0; 2065 } 2066 2067 /* 2068 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS 2069 * protocols, provided the initial (D)TLS method is version-flexible. This 2070 * function sanity-checks the proposed value and makes sure the method is 2071 * version-flexible, then sets the limit if all is well. 2072 * 2073 * @method_version: The version of the current SSL_METHOD. 2074 * @version: the intended limit. 2075 * @bound: pointer to limit to be updated. 2076 * 2077 * Returns 1 on success, 0 on failure. 2078 */ 2079 int ssl_set_version_bound(int method_version, int version, int *bound) 2080 { 2081 int valid_tls; 2082 int valid_dtls; 2083 2084 if (version == 0) { 2085 *bound = version; 2086 return 1; 2087 } 2088 2089 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL; 2090 valid_dtls = 2091 /* We support client side pre-standardisation version of DTLS */ 2092 (version == DTLS1_BAD_VER) 2093 || (DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) 2094 && DTLS_VERSION_GE(version, DTLS1_VERSION)); 2095 2096 if (!valid_tls && !valid_dtls) 2097 return 0; 2098 2099 /*- 2100 * Restrict TLS methods to TLS protocol versions. 2101 * Restrict DTLS methods to DTLS protocol versions. 2102 * Note, DTLS version numbers are decreasing, use comparison macros. 2103 * 2104 * Note that for both lower-bounds we use explicit versions, not 2105 * (D)TLS_MIN_VERSION. This is because we don't want to break user 2106 * configurations. If the MIN (supported) version ever rises, the user's 2107 * "floor" remains valid even if no longer available. We don't expect the 2108 * MAX ceiling to ever get lower, so making that variable makes sense. 2109 * 2110 * We ignore attempts to set bounds on version-inflexible methods, 2111 * returning success. 2112 */ 2113 switch (method_version) { 2114 default: 2115 break; 2116 2117 case TLS_ANY_VERSION: 2118 if (valid_tls) 2119 *bound = version; 2120 break; 2121 2122 case DTLS_ANY_VERSION: 2123 if (valid_dtls) 2124 *bound = version; 2125 break; 2126 } 2127 return 1; 2128 } 2129 2130 static void check_for_downgrade(SSL_CONNECTION *s, int vers, DOWNGRADE *dgrd) 2131 { 2132 if (vers == TLS1_2_VERSION 2133 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) { 2134 *dgrd = DOWNGRADE_TO_1_2; 2135 } else if (!SSL_CONNECTION_IS_DTLS(s) 2136 && vers < TLS1_2_VERSION 2137 /* 2138 * We need to ensure that a server that disables TLSv1.2 2139 * (creating a hole between TLSv1.3 and TLSv1.1) can still 2140 * complete handshakes with clients that support TLSv1.2 and 2141 * below. Therefore we do not enable the sentinel if TLSv1.3 is 2142 * enabled and TLSv1.2 is not. 2143 */ 2144 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) { 2145 *dgrd = DOWNGRADE_TO_1_1; 2146 } else { 2147 *dgrd = DOWNGRADE_NONE; 2148 } 2149 } 2150 2151 /* 2152 * ssl_choose_server_version - Choose server (D)TLS version. Called when the 2153 * client HELLO is received to select the final server protocol version and 2154 * the version specific method. 2155 * 2156 * @s: server SSL handle. 2157 * 2158 * Returns 0 on success or an SSL error reason number on failure. 2159 */ 2160 int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, 2161 DOWNGRADE *dgrd) 2162 { 2163 /*- 2164 * With version-flexible methods we have an initial state with: 2165 * 2166 * s->method->version == (D)TLS_ANY_VERSION, 2167 * s->version == (D)TLS_MAX_VERSION_INTERNAL. 2168 * 2169 * So we detect version-flexible methods via the method version, not the 2170 * handle version. 2171 */ 2172 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 2173 int server_version = ssl->method->version; 2174 int client_version = hello->legacy_version; 2175 const version_info *vent; 2176 const version_info *table; 2177 int disabled = 0; 2178 RAW_EXTENSION *suppversions; 2179 2180 s->client_version = client_version; 2181 2182 switch (server_version) { 2183 default: 2184 if (!SSL_CONNECTION_IS_TLS13(s)) { 2185 if (ssl_version_cmp(s, client_version, s->version) < 0) 2186 return SSL_R_WRONG_SSL_VERSION; 2187 *dgrd = DOWNGRADE_NONE; 2188 /* 2189 * If this SSL handle is not from a version flexible method we don't 2190 * (and never did) check min/max FIPS or Suite B constraints. Hope 2191 * that's OK. It is up to the caller to not choose fixed protocol 2192 * versions they don't want. If not, then easy to fix, just return 2193 * ssl_method_error(s, s->method) 2194 */ 2195 return 0; 2196 } 2197 /* 2198 * Fall through if we are TLSv1.3 already (this means we must be after 2199 * a HelloRetryRequest 2200 */ 2201 /* fall thru */ 2202 case TLS_ANY_VERSION: 2203 table = tls_version_table; 2204 break; 2205 case DTLS_ANY_VERSION: 2206 table = dtls_version_table; 2207 break; 2208 } 2209 2210 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions]; 2211 2212 /* If we did an HRR then supported versions is mandatory */ 2213 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE) 2214 return SSL_R_UNSUPPORTED_PROTOCOL; 2215 2216 if (suppversions->present && !SSL_CONNECTION_IS_DTLS(s)) { 2217 unsigned int candidate_vers = 0; 2218 unsigned int best_vers = 0; 2219 const SSL_METHOD *best_method = NULL; 2220 PACKET versionslist; 2221 2222 suppversions->parsed = 1; 2223 2224 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) { 2225 /* Trailing or invalid data? */ 2226 return SSL_R_LENGTH_MISMATCH; 2227 } 2228 2229 /* 2230 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION. 2231 * The spec only requires servers to check that it isn't SSLv3: 2232 * "Any endpoint receiving a Hello message with 2233 * ClientHello.legacy_version or ServerHello.legacy_version set to 2234 * 0x0300 MUST abort the handshake with a "protocol_version" alert." 2235 * We are slightly stricter and require that it isn't SSLv3 or lower. 2236 * We tolerate TLSv1 and TLSv1.1. 2237 */ 2238 if (client_version <= SSL3_VERSION) 2239 return SSL_R_BAD_LEGACY_VERSION; 2240 2241 while (PACKET_get_net_2(&versionslist, &candidate_vers)) { 2242 if (ssl_version_cmp(s, candidate_vers, best_vers) <= 0) 2243 continue; 2244 if (ssl_version_supported(s, candidate_vers, &best_method)) 2245 best_vers = candidate_vers; 2246 } 2247 if (PACKET_remaining(&versionslist) != 0) { 2248 /* Trailing data? */ 2249 return SSL_R_LENGTH_MISMATCH; 2250 } 2251 2252 if (best_vers > 0) { 2253 if (s->hello_retry_request != SSL_HRR_NONE) { 2254 /* 2255 * This is after a HelloRetryRequest so we better check that we 2256 * negotiated TLSv1.3 2257 */ 2258 if (best_vers != TLS1_3_VERSION) 2259 return SSL_R_UNSUPPORTED_PROTOCOL; 2260 return 0; 2261 } 2262 check_for_downgrade(s, best_vers, dgrd); 2263 s->version = best_vers; 2264 ssl->method = best_method; 2265 if (!ssl_set_record_protocol_version(s, best_vers)) 2266 return ERR_R_INTERNAL_ERROR; 2267 2268 return 0; 2269 } 2270 return SSL_R_UNSUPPORTED_PROTOCOL; 2271 } 2272 2273 /* 2274 * If the supported versions extension isn't present, then the highest 2275 * version we can negotiate is TLSv1.2 2276 */ 2277 if (ssl_version_cmp(s, client_version, TLS1_3_VERSION) >= 0) 2278 client_version = TLS1_2_VERSION; 2279 2280 /* 2281 * No supported versions extension, so we just use the version supplied in 2282 * the ClientHello. 2283 */ 2284 for (vent = table; vent->version != 0; ++vent) { 2285 const SSL_METHOD *method; 2286 2287 if (vent->smeth == NULL || ssl_version_cmp(s, client_version, vent->version) < 0) 2288 continue; 2289 method = vent->smeth(); 2290 if (ssl_method_error(s, method) == 0) { 2291 check_for_downgrade(s, vent->version, dgrd); 2292 s->version = vent->version; 2293 ssl->method = method; 2294 if (!ssl_set_record_protocol_version(s, s->version)) 2295 return ERR_R_INTERNAL_ERROR; 2296 2297 return 0; 2298 } 2299 disabled = 1; 2300 } 2301 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW; 2302 } 2303 2304 /* 2305 * ssl_choose_client_version - Choose client (D)TLS version. Called when the 2306 * server HELLO is received to select the final client protocol version and 2307 * the version specific method. 2308 * 2309 * @s: client SSL handle. 2310 * @version: The proposed version from the server's HELLO. 2311 * @extensions: The extensions received 2312 * 2313 * Returns 1 on success or 0 on error. 2314 */ 2315 int ssl_choose_client_version(SSL_CONNECTION *s, int version, 2316 RAW_EXTENSION *extensions) 2317 { 2318 const version_info *vent; 2319 const version_info *table; 2320 int ret, ver_min, ver_max, real_max, origv; 2321 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 2322 2323 origv = s->version; 2324 s->version = version; 2325 2326 /* This will overwrite s->version if the extension is present */ 2327 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions, 2328 SSL_EXT_TLS1_2_SERVER_HELLO 2329 | SSL_EXT_TLS1_3_SERVER_HELLO, 2330 extensions, 2331 NULL, 0)) { 2332 s->version = origv; 2333 return 0; 2334 } 2335 2336 if (s->hello_retry_request != SSL_HRR_NONE 2337 && s->version != TLS1_3_VERSION) { 2338 s->version = origv; 2339 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION); 2340 return 0; 2341 } 2342 2343 switch (ssl->method->version) { 2344 default: 2345 if (s->version != ssl->method->version) { 2346 s->version = origv; 2347 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION); 2348 return 0; 2349 } 2350 /* 2351 * If this SSL handle is not from a version flexible method we don't 2352 * (and never did) check min/max, FIPS or Suite B constraints. Hope 2353 * that's OK. It is up to the caller to not choose fixed protocol 2354 * versions they don't want. If not, then easy to fix, just return 2355 * ssl_method_error(s, s->method) 2356 */ 2357 if (!ssl_set_record_protocol_version(s, s->version)) { 2358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2359 return 0; 2360 } 2361 return 1; 2362 case TLS_ANY_VERSION: 2363 table = tls_version_table; 2364 break; 2365 case DTLS_ANY_VERSION: 2366 table = dtls_version_table; 2367 break; 2368 } 2369 2370 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max); 2371 if (ret != 0) { 2372 s->version = origv; 2373 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret); 2374 return 0; 2375 } 2376 if (ssl_version_cmp(s, s->version, ver_min) < 0 2377 || ssl_version_cmp(s, s->version, ver_max) > 0) { 2378 s->version = origv; 2379 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); 2380 return 0; 2381 } 2382 2383 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0) 2384 real_max = ver_max; 2385 2386 /* Check for downgrades */ 2387 /* TODO(DTLSv1.3): Update this code for DTLSv1.3 */ 2388 if (!SSL_CONNECTION_IS_DTLS(s) && real_max > s->version) { 2389 /* Signal applies to all versions */ 2390 if (memcmp(tls11downgrade, 2391 s->s3.server_random + SSL3_RANDOM_SIZE 2392 - sizeof(tls11downgrade), 2393 sizeof(tls11downgrade)) 2394 == 0) { 2395 s->version = origv; 2396 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 2397 SSL_R_INAPPROPRIATE_FALLBACK); 2398 return 0; 2399 } 2400 /* Only when accepting TLS1.3 */ 2401 if (real_max == TLS1_3_VERSION 2402 && memcmp(tls12downgrade, 2403 s->s3.server_random + SSL3_RANDOM_SIZE 2404 - sizeof(tls12downgrade), 2405 sizeof(tls12downgrade)) 2406 == 0) { 2407 s->version = origv; 2408 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 2409 SSL_R_INAPPROPRIATE_FALLBACK); 2410 return 0; 2411 } 2412 } 2413 2414 for (vent = table; vent->version != 0; ++vent) { 2415 if (vent->cmeth == NULL || s->version != vent->version) 2416 continue; 2417 2418 ssl->method = vent->cmeth(); 2419 if (!ssl_set_record_protocol_version(s, s->version)) { 2420 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2421 return 0; 2422 } 2423 return 1; 2424 } 2425 2426 s->version = origv; 2427 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); 2428 return 0; 2429 } 2430 2431 /* 2432 * ssl_get_min_max_version - get minimum and maximum protocol version 2433 * @s: The SSL connection 2434 * @min_version: The minimum supported version 2435 * @max_version: The maximum supported version 2436 * @real_max: The highest version below the lowest compile time version hole 2437 * where that hole lies above at least one run-time enabled 2438 * protocol. 2439 * 2440 * Work out what version we should be using for the initial ClientHello if the 2441 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx 2442 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B 2443 * constraints and any floor imposed by the security level here, 2444 * so we don't advertise the wrong protocol version to only reject the outcome later. 2445 * 2446 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled, 2447 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol 2448 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1. 2449 * 2450 * Returns 0 on success or an SSL error reason number on failure. On failure 2451 * min_version and max_version will also be set to 0. 2452 */ 2453 int ssl_get_min_max_version(const SSL_CONNECTION *s, int *min_version, 2454 int *max_version, int *real_max) 2455 { 2456 int version, tmp_real_max; 2457 int hole; 2458 const SSL_METHOD *method; 2459 const version_info *table; 2460 const version_info *vent; 2461 const SSL *ssl = SSL_CONNECTION_GET_SSL(s); 2462 2463 switch (ssl->method->version) { 2464 default: 2465 /* 2466 * If this SSL handle is not from a version flexible method we don't 2467 * (and never did) check min/max FIPS or Suite B constraints. Hope 2468 * that's OK. It is up to the caller to not choose fixed protocol 2469 * versions they don't want. If not, then easy to fix, just return 2470 * ssl_method_error(s, s->method) 2471 */ 2472 *min_version = *max_version = s->version; 2473 /* 2474 * Providing a real_max only makes sense where we're using a version 2475 * flexible method. 2476 */ 2477 if (!ossl_assert(real_max == NULL)) 2478 return ERR_R_INTERNAL_ERROR; 2479 return 0; 2480 case TLS_ANY_VERSION: 2481 table = tls_version_table; 2482 break; 2483 case DTLS_ANY_VERSION: 2484 table = dtls_version_table; 2485 break; 2486 } 2487 2488 /* 2489 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols 2490 * below X enabled. This is required in order to maintain the "version 2491 * capability" vector contiguous. Any versions with a NULL client method 2492 * (protocol version client is disabled at compile-time) is also a "hole". 2493 * 2494 * Our initial state is hole == 1, version == 0. That is, versions above 2495 * the first version in the method table are disabled (a "hole" above 2496 * the valid protocol entries) and we don't have a selected version yet. 2497 * 2498 * Whenever "hole == 1", and we hit an enabled method, its version becomes 2499 * the selected version. We're no longer in a hole, so "hole" becomes 0. 2500 * 2501 * If "hole == 0" and we hit an enabled method, we support a contiguous 2502 * range of at least two methods. If we hit a disabled method, 2503 * then hole becomes true again, but nothing else changes yet, 2504 * because all the remaining methods may be disabled too. 2505 * If we again hit an enabled method after the new hole, it becomes 2506 * selected, as we start from scratch. 2507 */ 2508 *min_version = version = 0; 2509 hole = 1; 2510 if (real_max != NULL) 2511 *real_max = 0; 2512 tmp_real_max = 0; 2513 for (vent = table; vent->version != 0; ++vent) { 2514 /* 2515 * A table entry with a NULL client method is still a hole in the 2516 * "version capability" vector. 2517 */ 2518 if (vent->cmeth == NULL) { 2519 hole = 1; 2520 tmp_real_max = 0; 2521 continue; 2522 } 2523 method = vent->cmeth(); 2524 2525 if (hole == 1 && tmp_real_max == 0) 2526 tmp_real_max = vent->version; 2527 2528 if (ssl_method_error(s, method) != 0) { 2529 hole = 1; 2530 } else if (!hole) { 2531 *min_version = method->version; 2532 } else { 2533 if (real_max != NULL && tmp_real_max != 0) 2534 *real_max = tmp_real_max; 2535 version = method->version; 2536 *min_version = version; 2537 hole = 0; 2538 } 2539 } 2540 2541 *max_version = version; 2542 2543 /* Fail if everything is disabled */ 2544 if (version == 0) 2545 return SSL_R_NO_PROTOCOLS_AVAILABLE; 2546 2547 return 0; 2548 } 2549 2550 /* 2551 * ssl_set_client_hello_version - Work out what version we should be using for 2552 * the initial ClientHello.legacy_version field. 2553 * 2554 * @s: client SSL handle. 2555 * 2556 * Returns 0 on success or an SSL error reason number on failure. 2557 */ 2558 int ssl_set_client_hello_version(SSL_CONNECTION *s) 2559 { 2560 int ver_min, ver_max, ret; 2561 2562 /* 2563 * In a renegotiation we always send the same client_version that we sent 2564 * last time, regardless of which version we eventually negotiated. 2565 */ 2566 if (!SSL_IS_FIRST_HANDSHAKE(s)) 2567 return 0; 2568 2569 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL); 2570 2571 if (ret != 0) 2572 return ret; 2573 2574 s->version = ver_max; 2575 2576 if (SSL_CONNECTION_IS_DTLS(s)) { 2577 if (ver_max == DTLS1_BAD_VER) { 2578 /* 2579 * Even though this is technically before version negotiation, 2580 * because we have asked for DTLS1_BAD_VER we will never negotiate 2581 * anything else, and this has impacts on the record layer for when 2582 * we read the ServerHello. So we need to tell the record layer 2583 * about this immediately. 2584 */ 2585 if (!ssl_set_record_protocol_version(s, ver_max)) 2586 return 0; 2587 } 2588 } else if (ver_max > TLS1_2_VERSION) { 2589 /* TLS1.3 always uses TLS1.2 in the legacy_version field */ 2590 ver_max = TLS1_2_VERSION; 2591 } 2592 2593 s->client_version = ver_max; 2594 return 0; 2595 } 2596 2597 /* 2598 * Checks a list of |groups| to determine if the |group_id| is in it. If it is 2599 * and |checkallow| is 1 then additionally check if the group is allowed to be 2600 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is 2601 * 1) or 0 otherwise. If provided a pointer it will also return the position 2602 * where the group was found. 2603 */ 2604 int check_in_list(SSL_CONNECTION *s, uint16_t group_id, const uint16_t *groups, 2605 size_t num_groups, int checkallow, size_t *pos) 2606 { 2607 size_t i; 2608 2609 if (groups == NULL || num_groups == 0) 2610 return 0; 2611 2612 for (i = 0; i < num_groups; i++) { 2613 uint16_t group = groups[i]; 2614 2615 if (group_id == group 2616 && (!checkallow 2617 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) { 2618 if (pos != NULL) 2619 *pos = i; 2620 return 1; 2621 } 2622 } 2623 2624 return 0; 2625 } 2626 2627 /* Replace ClientHello1 in the transcript hash with a synthetic message */ 2628 int create_synthetic_message_hash(SSL_CONNECTION *s, 2629 const unsigned char *hashval, 2630 size_t hashlen, const unsigned char *hrr, 2631 size_t hrrlen) 2632 { 2633 unsigned char hashvaltmp[EVP_MAX_MD_SIZE]; 2634 unsigned char msghdr[SSL3_HM_HEADER_LENGTH]; 2635 2636 memset(msghdr, 0, sizeof(msghdr)); 2637 2638 if (hashval == NULL) { 2639 hashval = hashvaltmp; 2640 hashlen = 0; 2641 /* Get the hash of the initial ClientHello */ 2642 if (!ssl3_digest_cached_records(s, 0) 2643 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp), 2644 &hashlen)) { 2645 /* SSLfatal() already called */ 2646 return 0; 2647 } 2648 } 2649 2650 /* Reinitialise the transcript hash */ 2651 if (!ssl3_init_finished_mac(s)) { 2652 /* SSLfatal() already called */ 2653 return 0; 2654 } 2655 2656 /* Inject the synthetic message_hash message */ 2657 msghdr[0] = SSL3_MT_MESSAGE_HASH; 2658 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen; 2659 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH) 2660 || !ssl3_finish_mac(s, hashval, hashlen)) { 2661 /* SSLfatal() already called */ 2662 return 0; 2663 } 2664 2665 /* 2666 * Now re-inject the HRR and current message if appropriate (we just deleted 2667 * it when we reinitialised the transcript hash above). Only necessary after 2668 * receiving a ClientHello2 with a cookie. 2669 */ 2670 if (hrr != NULL 2671 && (!ssl3_finish_mac(s, hrr, hrrlen) 2672 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 2673 s->s3.tmp.message_size 2674 + SSL3_HM_HEADER_LENGTH))) { 2675 /* SSLfatal() already called */ 2676 return 0; 2677 } 2678 2679 return 1; 2680 } 2681 2682 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b) 2683 { 2684 return X509_NAME_cmp(*a, *b); 2685 } 2686 2687 int parse_ca_names(SSL_CONNECTION *s, PACKET *pkt) 2688 { 2689 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp); 2690 X509_NAME *xn = NULL; 2691 PACKET cadns; 2692 2693 if (ca_sk == NULL) { 2694 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2695 goto err; 2696 } 2697 /* get the CA RDNs */ 2698 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) { 2699 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2700 goto err; 2701 } 2702 2703 while (PACKET_remaining(&cadns)) { 2704 const unsigned char *namestart, *namebytes; 2705 unsigned int name_len; 2706 2707 if (!PACKET_get_net_2(&cadns, &name_len) 2708 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) { 2709 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2710 goto err; 2711 } 2712 2713 namestart = namebytes; 2714 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) { 2715 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB); 2716 goto err; 2717 } 2718 if (namebytes != (namestart + name_len)) { 2719 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH); 2720 goto err; 2721 } 2722 2723 if (!sk_X509_NAME_push(ca_sk, xn)) { 2724 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2725 goto err; 2726 } 2727 xn = NULL; 2728 } 2729 2730 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free); 2731 s->s3.tmp.peer_ca_names = ca_sk; 2732 2733 return 1; 2734 2735 err: 2736 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); 2737 X509_NAME_free(xn); 2738 return 0; 2739 } 2740 2741 const STACK_OF(X509_NAME) *get_ca_names(SSL_CONNECTION *s) 2742 { 2743 const STACK_OF(X509_NAME) *ca_sk = NULL; 2744 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 2745 2746 if (s->server) { 2747 ca_sk = SSL_get_client_CA_list(ssl); 2748 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0) 2749 ca_sk = NULL; 2750 } 2751 2752 if (ca_sk == NULL) 2753 ca_sk = SSL_get0_CA_list(ssl); 2754 2755 return ca_sk; 2756 } 2757 2758 int construct_ca_names(SSL_CONNECTION *s, const STACK_OF(X509_NAME) *ca_sk, 2759 WPACKET *pkt) 2760 { 2761 /* Start sub-packet for client CA list */ 2762 if (!WPACKET_start_sub_packet_u16(pkt)) { 2763 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2764 return 0; 2765 } 2766 2767 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) { 2768 int i; 2769 2770 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) { 2771 unsigned char *namebytes; 2772 X509_NAME *name = sk_X509_NAME_value(ca_sk, i); 2773 int namelen; 2774 2775 if (name == NULL 2776 || (namelen = i2d_X509_NAME(name, NULL)) < 0 2777 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen, 2778 &namebytes) 2779 || i2d_X509_NAME(name, &namebytes) != namelen) { 2780 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2781 return 0; 2782 } 2783 } 2784 } 2785 2786 if (!WPACKET_close(pkt)) { 2787 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2788 return 0; 2789 } 2790 2791 return 1; 2792 } 2793 2794 /* Create a buffer containing data to be signed for server key exchange */ 2795 size_t construct_key_exchange_tbs(SSL_CONNECTION *s, unsigned char **ptbs, 2796 const void *param, size_t paramlen) 2797 { 2798 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen; 2799 unsigned char *tbs = OPENSSL_malloc(tbslen); 2800 2801 if (tbs == NULL) { 2802 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2803 return 0; 2804 } 2805 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE); 2806 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE); 2807 2808 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen); 2809 2810 *ptbs = tbs; 2811 return tbslen; 2812 } 2813 2814 /* 2815 * Saves the current handshake digest for Post-Handshake Auth, 2816 * Done after ClientFinished is processed, done exactly once 2817 */ 2818 int tls13_save_handshake_digest_for_pha(SSL_CONNECTION *s) 2819 { 2820 if (s->pha_dgst == NULL) { 2821 if (!ssl3_digest_cached_records(s, 1)) 2822 /* SSLfatal() already called */ 2823 return 0; 2824 2825 s->pha_dgst = EVP_MD_CTX_new(); 2826 if (s->pha_dgst == NULL) { 2827 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2828 return 0; 2829 } 2830 if (!EVP_MD_CTX_copy_ex(s->pha_dgst, 2831 s->s3.handshake_dgst)) { 2832 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2833 EVP_MD_CTX_free(s->pha_dgst); 2834 s->pha_dgst = NULL; 2835 return 0; 2836 } 2837 } 2838 return 1; 2839 } 2840 2841 /* 2842 * Restores the Post-Handshake Auth handshake digest 2843 * Done just before sending/processing the Cert Request 2844 */ 2845 int tls13_restore_handshake_digest_for_pha(SSL_CONNECTION *s) 2846 { 2847 if (s->pha_dgst == NULL) { 2848 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2849 return 0; 2850 } 2851 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst, 2852 s->pha_dgst)) { 2853 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2854 return 0; 2855 } 2856 return 1; 2857 } 2858 2859 #ifndef OPENSSL_NO_COMP_ALG 2860 MSG_PROCESS_RETURN tls13_process_compressed_certificate(SSL_CONNECTION *sc, 2861 PACKET *pkt, 2862 PACKET *tmppkt, 2863 BUF_MEM *buf) 2864 { 2865 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; 2866 int comp_alg; 2867 COMP_METHOD *method = NULL; 2868 COMP_CTX *comp = NULL; 2869 size_t expected_length; 2870 size_t comp_length; 2871 int i; 2872 int found = 0; 2873 2874 if (buf == NULL) { 2875 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2876 goto err; 2877 } 2878 if (!PACKET_get_net_2(pkt, (unsigned int *)&comp_alg)) { 2879 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, ERR_R_INTERNAL_ERROR); 2880 goto err; 2881 } 2882 /* If we have a prefs list, make sure the algorithm is in it */ 2883 if (sc->cert_comp_prefs[0] != TLSEXT_comp_cert_none) { 2884 for (i = 0; sc->cert_comp_prefs[i] != TLSEXT_comp_cert_none; i++) { 2885 if (sc->cert_comp_prefs[i] == comp_alg) { 2886 found = 1; 2887 break; 2888 } 2889 } 2890 if (!found) { 2891 SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_COMPRESSION_ALGORITHM); 2892 goto err; 2893 } 2894 } 2895 if (!ossl_comp_has_alg(comp_alg)) { 2896 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_COMPRESSION_ALGORITHM); 2897 goto err; 2898 } 2899 switch (comp_alg) { 2900 case TLSEXT_comp_cert_zlib: 2901 method = COMP_zlib_oneshot(); 2902 break; 2903 case TLSEXT_comp_cert_brotli: 2904 method = COMP_brotli_oneshot(); 2905 break; 2906 case TLSEXT_comp_cert_zstd: 2907 method = COMP_zstd_oneshot(); 2908 break; 2909 default: 2910 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_COMPRESSION_ALGORITHM); 2911 goto err; 2912 } 2913 2914 if ((comp = COMP_CTX_new(method)) == NULL 2915 || !PACKET_get_net_3_len(pkt, &expected_length) 2916 || !PACKET_get_net_3_len(pkt, &comp_length)) { 2917 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_DECOMPRESSION); 2918 goto err; 2919 } 2920 2921 /* Prevent excessive pre-decompression allocation */ 2922 if (expected_length > sc->max_cert_list) { 2923 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_EXCESSIVE_MESSAGE_SIZE); 2924 goto err; 2925 } 2926 2927 if (PACKET_remaining(pkt) != comp_length || comp_length == 0) { 2928 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_DECOMPRESSION); 2929 goto err; 2930 } 2931 2932 if (!BUF_MEM_grow(buf, expected_length) 2933 || !PACKET_buf_init(tmppkt, (unsigned char *)buf->data, expected_length) 2934 || COMP_expand_block(comp, (unsigned char *)buf->data, expected_length, 2935 (unsigned char *)PACKET_data(pkt), comp_length) 2936 != (int)expected_length) { 2937 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_DECOMPRESSION); 2938 goto err; 2939 } 2940 ret = MSG_PROCESS_CONTINUE_PROCESSING; 2941 err: 2942 COMP_CTX_free(comp); 2943 return ret; 2944 } 2945 #endif 2946