1 /*
2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include <limits.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include "internal/ssl_unwrap.h"
18 #include <openssl/buffer.h>
19 #include <openssl/objects.h>
20 #include <openssl/evp.h>
21 #include <openssl/rsa.h>
22 #include <openssl/x509.h>
23 #include <openssl/trace.h>
24 #include <openssl/encoder.h>
25
26 /*
27 * Map error codes to TLS/SSL alart types.
28 */
29 typedef struct x509err2alert_st {
30 int x509err;
31 int alert;
32 } X509ERR2ALERT;
33
34 /* Fixed value used in the ServerHello random field to identify an HRR */
35 const unsigned char hrrrandom[] = {
36 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
37 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
38 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
39 };
40
ossl_statem_set_mutator(SSL * s,ossl_statem_mutate_handshake_cb mutate_handshake_cb,ossl_statem_finish_mutate_handshake_cb finish_mutate_handshake_cb,void * mutatearg)41 int ossl_statem_set_mutator(SSL *s,
42 ossl_statem_mutate_handshake_cb mutate_handshake_cb,
43 ossl_statem_finish_mutate_handshake_cb finish_mutate_handshake_cb,
44 void *mutatearg)
45 {
46 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
47
48 if (sc == NULL)
49 return 0;
50
51 sc->statem.mutate_handshake_cb = mutate_handshake_cb;
52 sc->statem.mutatearg = mutatearg;
53 sc->statem.finish_mutate_handshake_cb = finish_mutate_handshake_cb;
54
55 return 1;
56 }
57
58 /*
59 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
60 * SSL3_RT_CHANGE_CIPHER_SPEC)
61 */
ssl3_do_write(SSL_CONNECTION * s,uint8_t type)62 int ssl3_do_write(SSL_CONNECTION *s, uint8_t type)
63 {
64 int ret;
65 size_t written = 0;
66 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
67 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
68
69 /*
70 * If we're running the test suite then we may need to mutate the message
71 * we've been asked to write. Does not happen in normal operation.
72 */
73 if (s->statem.mutate_handshake_cb != NULL
74 && !s->statem.write_in_progress
75 && type == SSL3_RT_HANDSHAKE
76 && s->init_num >= SSL3_HM_HEADER_LENGTH) {
77 unsigned char *msg;
78 size_t msglen;
79
80 if (!s->statem.mutate_handshake_cb((unsigned char *)s->init_buf->data,
81 s->init_num,
82 &msg, &msglen,
83 s->statem.mutatearg))
84 return -1;
85 if (msglen < SSL3_HM_HEADER_LENGTH
86 || !BUF_MEM_grow(s->init_buf, msglen))
87 return -1;
88 memcpy(s->init_buf->data, msg, msglen);
89 s->init_num = msglen;
90 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
91 s->statem.finish_mutate_handshake_cb(s->statem.mutatearg);
92 s->statem.write_in_progress = 1;
93 }
94
95 ret = ssl3_write_bytes(ssl, type, &s->init_buf->data[s->init_off],
96 s->init_num, &written);
97 if (ret <= 0)
98 return -1;
99 if (type == SSL3_RT_HANDSHAKE)
100 /*
101 * should not be done for 'Hello Request's, but in that case we'll
102 * ignore the result anyway
103 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
104 */
105 if (!SSL_CONNECTION_IS_TLS13(s)
106 || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
107 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
108 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
109 if (!ssl3_finish_mac(s,
110 (unsigned char *)&s->init_buf->data[s->init_off],
111 written))
112 return -1;
113 if (written == s->init_num) {
114 s->statem.write_in_progress = 0;
115 if (s->msg_callback)
116 s->msg_callback(1, s->version, type, s->init_buf->data,
117 (size_t)(s->init_off + s->init_num), ussl,
118 s->msg_callback_arg);
119 return 1;
120 }
121 s->init_off += written;
122 s->init_num -= written;
123 return 0;
124 }
125
tls_close_construct_packet(SSL_CONNECTION * s,WPACKET * pkt,int htype)126 int tls_close_construct_packet(SSL_CONNECTION *s, WPACKET *pkt, int htype)
127 {
128 size_t msglen;
129
130 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
131 || !WPACKET_get_length(pkt, &msglen)
132 || msglen > INT_MAX)
133 return 0;
134 s->init_num = (int)msglen;
135 s->init_off = 0;
136
137 return 1;
138 }
139
tls_setup_handshake(SSL_CONNECTION * s)140 int tls_setup_handshake(SSL_CONNECTION *s)
141 {
142 int ver_min, ver_max, ok;
143 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
144 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
145
146 if (!ssl3_init_finished_mac(s)) {
147 /* SSLfatal() already called */
148 return 0;
149 }
150
151 /* Reset any extension flags */
152 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
153
154 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
155 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
156 return 0;
157 }
158
159 /* Sanity check that we have MD5-SHA1 if we need it */
160 if (sctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
161 int negotiated_minversion;
162 int md5sha1_needed_maxversion = SSL_CONNECTION_IS_DTLS(s)
163 ? DTLS1_VERSION : TLS1_1_VERSION;
164
165 /* We don't have MD5-SHA1 - do we need it? */
166 if (ssl_version_cmp(s, ver_max, md5sha1_needed_maxversion) <= 0) {
167 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
168 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
169 "The max supported SSL/TLS version needs the"
170 " MD5-SHA1 digest but it is not available"
171 " in the loaded providers. Use (D)TLSv1.2 or"
172 " above, or load different providers");
173 return 0;
174 }
175
176 ok = 1;
177
178 /* Don't allow TLSv1.1 or below to be negotiated */
179 negotiated_minversion = SSL_CONNECTION_IS_DTLS(s) ?
180 DTLS1_2_VERSION : TLS1_2_VERSION;
181 if (ssl_version_cmp(s, ver_min, negotiated_minversion) < 0)
182 ok = SSL_set_min_proto_version(ssl, negotiated_minversion);
183 if (!ok) {
184 /* Shouldn't happen */
185 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
186 return 0;
187 }
188 }
189
190 ok = 0;
191 if (s->server) {
192 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl);
193 int i;
194
195 /*
196 * Sanity check that the maximum version we accept has ciphers
197 * enabled. For clients we do this check during construction of the
198 * ClientHello.
199 */
200 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
201 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
202 int cipher_minprotover = SSL_CONNECTION_IS_DTLS(s)
203 ? c->min_dtls : c->min_tls;
204 int cipher_maxprotover = SSL_CONNECTION_IS_DTLS(s)
205 ? c->max_dtls : c->max_tls;
206
207 if (ssl_version_cmp(s, ver_max, cipher_minprotover) >= 0
208 && ssl_version_cmp(s, ver_max, cipher_maxprotover) <= 0) {
209 ok = 1;
210 break;
211 }
212 }
213 if (!ok) {
214 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
215 SSL_R_NO_CIPHERS_AVAILABLE,
216 "No ciphers enabled for max supported "
217 "SSL/TLS version");
218 return 0;
219 }
220 if (SSL_IS_FIRST_HANDSHAKE(s)) {
221 /* N.B. s->session_ctx == s->ctx here */
222 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
223 } else {
224 /* N.B. s->ctx may not equal s->session_ctx */
225 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_renegotiate);
226
227 s->s3.tmp.cert_request = 0;
228 }
229 } else {
230 if (SSL_IS_FIRST_HANDSHAKE(s))
231 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
232 else
233 ssl_tsan_counter(s->session_ctx,
234 &s->session_ctx->stats.sess_connect_renegotiate);
235
236 /* mark client_random uninitialized */
237 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
238 s->hit = 0;
239
240 s->s3.tmp.cert_req = 0;
241
242 if (SSL_CONNECTION_IS_DTLS(s))
243 s->statem.use_timer = 1;
244 }
245
246 return 1;
247 }
248
249 /*
250 * Size of the to-be-signed TLS13 data, without the hash size itself:
251 * 64 bytes of value 32, 33 context bytes, 1 byte separator
252 */
253 #define TLS13_TBS_START_SIZE 64
254 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
255
get_cert_verify_tbs_data(SSL_CONNECTION * s,unsigned char * tls13tbs,void ** hdata,size_t * hdatalen)256 static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs,
257 void **hdata, size_t *hdatalen)
258 {
259 /* ASCII: "TLS 1.3, server CertificateVerify", in hex for EBCDIC compatibility */
260 static const char servercontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x73\x65\x72"
261 "\x76\x65\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79";
262 /* ASCII: "TLS 1.3, client CertificateVerify", in hex for EBCDIC compatibility */
263 static const char clientcontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x63\x6c\x69"
264 "\x65\x6e\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79";
265
266 if (SSL_CONNECTION_IS_TLS13(s)) {
267 size_t hashlen;
268
269 /* Set the first 64 bytes of to-be-signed data to octet 32 */
270 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
271 /* This copies the 33 bytes of context plus the 0 separator byte */
272 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
273 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
274 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
275 else
276 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
277
278 /*
279 * If we're currently reading then we need to use the saved handshake
280 * hash value. We can't use the current handshake hash state because
281 * that includes the CertVerify itself.
282 */
283 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
284 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
285 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
286 s->cert_verify_hash_len);
287 hashlen = s->cert_verify_hash_len;
288 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
289 EVP_MAX_MD_SIZE, &hashlen)) {
290 /* SSLfatal() already called */
291 return 0;
292 }
293
294 *hdata = tls13tbs;
295 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
296 } else {
297 size_t retlen;
298 long retlen_l;
299
300 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
301 if (retlen_l <= 0) {
302 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
303 return 0;
304 }
305 *hdatalen = retlen;
306 }
307
308 return 1;
309 }
310
tls_construct_cert_verify(SSL_CONNECTION * s,WPACKET * pkt)311 CON_FUNC_RETURN tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt)
312 {
313 EVP_PKEY *pkey = NULL;
314 const EVP_MD *md = NULL;
315 EVP_MD_CTX *mctx = NULL;
316 EVP_PKEY_CTX *pctx = NULL;
317 size_t hdatalen = 0, siglen = 0;
318 void *hdata;
319 unsigned char *sig = NULL;
320 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
321 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
322 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
323
324 if (lu == NULL || s->s3.tmp.cert == NULL) {
325 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
326 goto err;
327 }
328 pkey = s->s3.tmp.cert->privatekey;
329
330 if (pkey == NULL || !tls1_lookup_md(sctx, lu, &md)) {
331 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
332 goto err;
333 }
334
335 mctx = EVP_MD_CTX_new();
336 if (mctx == NULL) {
337 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
338 goto err;
339 }
340
341 /* Get the data to be signed */
342 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
343 /* SSLfatal() already called */
344 goto err;
345 }
346
347 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
348 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
349 goto err;
350 }
351
352 if (EVP_DigestSignInit_ex(mctx, &pctx,
353 md == NULL ? NULL : EVP_MD_get0_name(md),
354 sctx->libctx, sctx->propq, pkey,
355 NULL) <= 0) {
356 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
357 goto err;
358 }
359
360 if (lu->sig == EVP_PKEY_RSA_PSS) {
361 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
362 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
363 RSA_PSS_SALTLEN_DIGEST) <= 0) {
364 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
365 goto err;
366 }
367 }
368 if (s->version == SSL3_VERSION) {
369 /*
370 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
371 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
372 */
373 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
374 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
375 (int)s->session->master_key_length,
376 s->session->master_key) <= 0
377 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
378
379 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
380 goto err;
381 }
382 sig = OPENSSL_malloc(siglen);
383 if (sig == NULL
384 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
385 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
386 goto err;
387 }
388 } else {
389 /*
390 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
391 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
392 */
393 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
394 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
395 goto err;
396 }
397 sig = OPENSSL_malloc(siglen);
398 if (sig == NULL
399 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
400 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
401 goto err;
402 }
403 }
404
405 #ifndef OPENSSL_NO_GOST
406 {
407 int pktype = lu->sig;
408
409 if (pktype == NID_id_GostR3410_2001
410 || pktype == NID_id_GostR3410_2012_256
411 || pktype == NID_id_GostR3410_2012_512)
412 BUF_reverse(sig, NULL, siglen);
413 }
414 #endif
415
416 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
417 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
418 goto err;
419 }
420
421 /* Digest cached records and discard handshake buffer */
422 if (!ssl3_digest_cached_records(s, 0)) {
423 /* SSLfatal() already called */
424 goto err;
425 }
426
427 OPENSSL_free(sig);
428 EVP_MD_CTX_free(mctx);
429 return CON_FUNC_SUCCESS;
430 err:
431 OPENSSL_free(sig);
432 EVP_MD_CTX_free(mctx);
433 return CON_FUNC_ERROR;
434 }
435
tls_process_cert_verify(SSL_CONNECTION * s,PACKET * pkt)436 MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt)
437 {
438 EVP_PKEY *pkey = NULL;
439 const unsigned char *data;
440 #ifndef OPENSSL_NO_GOST
441 unsigned char *gost_data = NULL;
442 #endif
443 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
444 int j;
445 unsigned int len;
446 const EVP_MD *md = NULL;
447 size_t hdatalen = 0;
448 void *hdata;
449 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
450 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
451 EVP_PKEY_CTX *pctx = NULL;
452 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
453
454 if (mctx == NULL) {
455 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
456 goto err;
457 }
458
459 pkey = tls_get_peer_pkey(s);
460 if (pkey == NULL) {
461 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
462 goto err;
463 }
464
465 if (ssl_cert_lookup_by_pkey(pkey, NULL, sctx) == NULL) {
466 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
467 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
468 goto err;
469 }
470
471 if (SSL_USE_SIGALGS(s)) {
472 unsigned int sigalg;
473
474 if (!PACKET_get_net_2(pkt, &sigalg)) {
475 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
476 goto err;
477 }
478 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
479 /* SSLfatal() already called */
480 goto err;
481 }
482 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
483 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
484 SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);
485 goto err;
486 }
487
488 if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) {
489 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
490 goto err;
491 }
492
493 if (SSL_USE_SIGALGS(s))
494 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
495 md == NULL ? "n/a" : EVP_MD_get0_name(md));
496
497 /* Check for broken implementations of GOST ciphersuites */
498 /*
499 * If key is GOST and len is exactly 64 or 128, it is signature without
500 * length field (CryptoPro implementations at least till TLS 1.2)
501 */
502 #ifndef OPENSSL_NO_GOST
503 if (!SSL_USE_SIGALGS(s)
504 && ((PACKET_remaining(pkt) == 64
505 && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
506 || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
507 || (PACKET_remaining(pkt) == 128
508 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
509 len = PACKET_remaining(pkt);
510 } else
511 #endif
512 if (!PACKET_get_net_2(pkt, &len)) {
513 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
514 goto err;
515 }
516
517 if (!PACKET_get_bytes(pkt, &data, len)) {
518 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
519 goto err;
520 }
521 if (PACKET_remaining(pkt) != 0) {
522 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
523 goto err;
524 }
525
526 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
527 /* SSLfatal() already called */
528 goto err;
529 }
530
531 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
532 md == NULL ? "n/a" : EVP_MD_get0_name(md));
533
534 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
535 md == NULL ? NULL : EVP_MD_get0_name(md),
536 sctx->libctx, sctx->propq, pkey,
537 NULL) <= 0) {
538 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
539 goto err;
540 }
541 #ifndef OPENSSL_NO_GOST
542 {
543 int pktype = EVP_PKEY_get_id(pkey);
544 if (pktype == NID_id_GostR3410_2001
545 || pktype == NID_id_GostR3410_2012_256
546 || pktype == NID_id_GostR3410_2012_512) {
547 if ((gost_data = OPENSSL_malloc(len)) == NULL)
548 goto err;
549 BUF_reverse(gost_data, data, len);
550 data = gost_data;
551 }
552 }
553 #endif
554
555 if (SSL_USE_PSS(s)) {
556 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
557 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
558 RSA_PSS_SALTLEN_DIGEST) <= 0) {
559 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
560 goto err;
561 }
562 }
563 if (s->version == SSL3_VERSION) {
564 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
565 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
566 (int)s->session->master_key_length,
567 s->session->master_key) <= 0) {
568 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
569 goto err;
570 }
571 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
572 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
573 goto err;
574 }
575 } else {
576 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
577 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
578 /* Ignore bad signatures when fuzzing */
579 if (SSL_IS_QUIC_HANDSHAKE(s))
580 j = 1;
581 #endif
582 if (j <= 0) {
583 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
584 goto err;
585 }
586 }
587
588 /*
589 * In TLSv1.3 on the client side we make sure we prepare the client
590 * certificate after the CertVerify instead of when we get the
591 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
592 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
593 * want to make sure that SSL_get1_peer_certificate() will return the actual
594 * server certificate from the client_cert_cb callback.
595 */
596 if (!s->server && SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
597 ret = MSG_PROCESS_CONTINUE_PROCESSING;
598 else
599 ret = MSG_PROCESS_CONTINUE_READING;
600 err:
601 BIO_free(s->s3.handshake_buffer);
602 s->s3.handshake_buffer = NULL;
603 EVP_MD_CTX_free(mctx);
604 #ifndef OPENSSL_NO_GOST
605 OPENSSL_free(gost_data);
606 #endif
607 return ret;
608 }
609
tls_construct_finished(SSL_CONNECTION * s,WPACKET * pkt)610 CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
611 {
612 size_t finish_md_len;
613 const char *sender;
614 size_t slen;
615 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
616
617 /* This is a real handshake so make sure we clean it up at the end */
618 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
619 s->statem.cleanuphand = 1;
620
621 /*
622 * If we attempted to write early data or we're in middlebox compat mode
623 * then we deferred changing the handshake write keys to the last possible
624 * moment. If we didn't already do this when we sent the client certificate
625 * then we need to do it now.
626 */
627 if (SSL_CONNECTION_IS_TLS13(s)
628 && !s->server
629 && !SSL_IS_QUIC_HANDSHAKE(s)
630 && (s->early_data_state != SSL_EARLY_DATA_NONE
631 || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
632 && s->s3.tmp.cert_req == 0
633 && (!ssl->method->ssl3_enc->change_cipher_state(s,
634 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
635 /* SSLfatal() already called */
636 return CON_FUNC_ERROR;
637 }
638
639 if (s->server) {
640 sender = ssl->method->ssl3_enc->server_finished_label;
641 slen = ssl->method->ssl3_enc->server_finished_label_len;
642 } else {
643 sender = ssl->method->ssl3_enc->client_finished_label;
644 slen = ssl->method->ssl3_enc->client_finished_label_len;
645 }
646
647 finish_md_len = ssl->method->ssl3_enc->final_finish_mac(s,
648 sender, slen,
649 s->s3.tmp.finish_md);
650 if (finish_md_len == 0) {
651 /* SSLfatal() already called */
652 return CON_FUNC_ERROR;
653 }
654
655 s->s3.tmp.finish_md_len = finish_md_len;
656
657 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
658 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
659 return CON_FUNC_ERROR;
660 }
661
662 /*
663 * Log the master secret, if logging is enabled. We don't log it for
664 * TLSv1.3: there's a different key schedule for that.
665 */
666 if (!SSL_CONNECTION_IS_TLS13(s)
667 && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key,
668 s->session->master_key_length)) {
669 /* SSLfatal() already called */
670 return CON_FUNC_ERROR;
671 }
672
673 /*
674 * Copy the finished so we can use it for renegotiation checks
675 */
676 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
677 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
678 return CON_FUNC_ERROR;
679 }
680 if (!s->server) {
681 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
682 finish_md_len);
683 s->s3.previous_client_finished_len = finish_md_len;
684 } else {
685 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
686 finish_md_len);
687 s->s3.previous_server_finished_len = finish_md_len;
688 }
689
690 return CON_FUNC_SUCCESS;
691 }
692
tls_construct_key_update(SSL_CONNECTION * s,WPACKET * pkt)693 CON_FUNC_RETURN tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt)
694 {
695 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
696 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
697 return CON_FUNC_ERROR;
698 }
699
700 s->key_update = SSL_KEY_UPDATE_NONE;
701 return CON_FUNC_SUCCESS;
702 }
703
tls_process_key_update(SSL_CONNECTION * s,PACKET * pkt)704 MSG_PROCESS_RETURN tls_process_key_update(SSL_CONNECTION *s, PACKET *pkt)
705 {
706 unsigned int updatetype;
707
708 /*
709 * A KeyUpdate message signals a key change so the end of the message must
710 * be on a record boundary.
711 */
712 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
713 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
714 return MSG_PROCESS_ERROR;
715 }
716
717 if (!PACKET_get_1(pkt, &updatetype)
718 || PACKET_remaining(pkt) != 0) {
719 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
720 return MSG_PROCESS_ERROR;
721 }
722
723 /*
724 * There are only two defined key update types. Fail if we get a value we
725 * didn't recognise.
726 */
727 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
728 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
729 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
730 return MSG_PROCESS_ERROR;
731 }
732
733 /*
734 * If we get a request for us to update our sending keys too then, we need
735 * to additionally send a KeyUpdate message. However that message should
736 * not also request an update (otherwise we get into an infinite loop).
737 */
738 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
739 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
740
741 if (!tls13_update_key(s, 0)) {
742 /* SSLfatal() already called */
743 return MSG_PROCESS_ERROR;
744 }
745
746 return MSG_PROCESS_FINISHED_READING;
747 }
748
749 /*
750 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
751 * to far.
752 */
ssl3_take_mac(SSL_CONNECTION * s)753 int ssl3_take_mac(SSL_CONNECTION *s)
754 {
755 const char *sender;
756 size_t slen;
757 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
758
759 if (!s->server) {
760 sender = ssl->method->ssl3_enc->server_finished_label;
761 slen = ssl->method->ssl3_enc->server_finished_label_len;
762 } else {
763 sender = ssl->method->ssl3_enc->client_finished_label;
764 slen = ssl->method->ssl3_enc->client_finished_label_len;
765 }
766
767 s->s3.tmp.peer_finish_md_len =
768 ssl->method->ssl3_enc->final_finish_mac(s, sender, slen,
769 s->s3.tmp.peer_finish_md);
770
771 if (s->s3.tmp.peer_finish_md_len == 0) {
772 /* SSLfatal() already called */
773 return 0;
774 }
775
776 return 1;
777 }
778
tls_process_change_cipher_spec(SSL_CONNECTION * s,PACKET * pkt)779 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL_CONNECTION *s,
780 PACKET *pkt)
781 {
782 size_t remain;
783
784 remain = PACKET_remaining(pkt);
785 /*
786 * 'Change Cipher Spec' is just a single byte, which should already have
787 * been consumed by ssl_get_message() so there should be no bytes left,
788 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
789 */
790 if (SSL_CONNECTION_IS_DTLS(s)) {
791 if ((s->version == DTLS1_BAD_VER
792 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
793 || (s->version != DTLS1_BAD_VER
794 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
795 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
796 return MSG_PROCESS_ERROR;
797 }
798 } else {
799 if (remain != 0) {
800 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
801 return MSG_PROCESS_ERROR;
802 }
803 }
804
805 /* Check we have a cipher to change to */
806 if (s->s3.tmp.new_cipher == NULL) {
807 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
808 return MSG_PROCESS_ERROR;
809 }
810
811 s->s3.change_cipher_spec = 1;
812 if (!ssl3_do_change_cipher_spec(s)) {
813 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
814 return MSG_PROCESS_ERROR;
815 }
816
817 if (SSL_CONNECTION_IS_DTLS(s)) {
818 if (s->version == DTLS1_BAD_VER)
819 s->d1->handshake_read_seq++;
820
821 #ifndef OPENSSL_NO_SCTP
822 /*
823 * Remember that a CCS has been received, so that an old key of
824 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
825 * SCTP is used
826 */
827 BIO_ctrl(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)),
828 BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
829 #endif
830 }
831
832 return MSG_PROCESS_CONTINUE_READING;
833 }
834
tls_process_finished(SSL_CONNECTION * s,PACKET * pkt)835 MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt)
836 {
837 size_t md_len;
838 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
839 int was_first = SSL_IS_FIRST_HANDSHAKE(s);
840 int ok;
841
842
843 /* This is a real handshake so make sure we clean it up at the end */
844 if (s->server) {
845 /*
846 * To get this far we must have read encrypted data from the client. We
847 * no longer tolerate unencrypted alerts. This is ignored if less than
848 * TLSv1.3
849 */
850 if (s->rlayer.rrlmethod->set_plain_alerts != NULL)
851 s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0);
852 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
853 s->statem.cleanuphand = 1;
854 if (SSL_CONNECTION_IS_TLS13(s)
855 && !tls13_save_handshake_digest_for_pha(s)) {
856 /* SSLfatal() already called */
857 return MSG_PROCESS_ERROR;
858 }
859 }
860
861 /*
862 * In TLSv1.3 a Finished message signals a key change so the end of the
863 * message must be on a record boundary.
864 */
865 if (SSL_CONNECTION_IS_TLS13(s)
866 && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
867 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
868 return MSG_PROCESS_ERROR;
869 }
870
871 /* If this occurs, we have missed a message */
872 if (!SSL_CONNECTION_IS_TLS13(s) && !s->s3.change_cipher_spec) {
873 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
874 return MSG_PROCESS_ERROR;
875 }
876 s->s3.change_cipher_spec = 0;
877
878 md_len = s->s3.tmp.peer_finish_md_len;
879
880 if (md_len != PACKET_remaining(pkt)) {
881 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
882 return MSG_PROCESS_ERROR;
883 }
884
885 ok = CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
886 md_len);
887 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
888 if (ok != 0) {
889 if ((PACKET_data(pkt)[0] ^ s->s3.tmp.peer_finish_md[0]) != 0xFF) {
890 ok = 0;
891 }
892 }
893 #endif
894 if (ok != 0) {
895 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
896 return MSG_PROCESS_ERROR;
897 }
898
899 /*
900 * Copy the finished so we can use it for renegotiation checks
901 */
902 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
903 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
904 return MSG_PROCESS_ERROR;
905 }
906 if (s->server) {
907 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
908 md_len);
909 s->s3.previous_client_finished_len = md_len;
910 } else {
911 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
912 md_len);
913 s->s3.previous_server_finished_len = md_len;
914 }
915
916 /*
917 * In TLS1.3 we also have to change cipher state and do any final processing
918 * of the initial server flight (if we are a client)
919 */
920 if (SSL_CONNECTION_IS_TLS13(s)) {
921 if (s->server) {
922 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
923 !ssl->method->ssl3_enc->change_cipher_state(s,
924 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
925 /* SSLfatal() already called */
926 return MSG_PROCESS_ERROR;
927 }
928 } else {
929 /* TLS 1.3 gets the secret size from the handshake md */
930 size_t dummy;
931 if (!ssl->method->ssl3_enc->generate_master_secret(s,
932 s->master_secret, s->handshake_secret, 0,
933 &dummy)) {
934 /* SSLfatal() already called */
935 return MSG_PROCESS_ERROR;
936 }
937 if (!tls13_store_server_finished_hash(s)) {
938 /* SSLfatal() already called */
939 return MSG_PROCESS_ERROR;
940 }
941
942 /*
943 * For non-QUIC we set up the client's app data read keys now, so
944 * that we can go straight into reading 0.5RTT data from the server.
945 * For QUIC we don't do that, and instead defer setting up the keys
946 * until after we have set up the write keys in order to ensure that
947 * write keys are always set up before read keys (so that if we read
948 * a message we have the correct keys in place to ack it)
949 */
950 if (!SSL_IS_QUIC_HANDSHAKE(s)
951 && !ssl->method->ssl3_enc->change_cipher_state(s,
952 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
953 /* SSLfatal() already called */
954 return MSG_PROCESS_ERROR;
955 }
956 if (!tls_process_initial_server_flight(s)) {
957 /* SSLfatal() already called */
958 return MSG_PROCESS_ERROR;
959 }
960 }
961 }
962
963 if (was_first
964 && !SSL_IS_FIRST_HANDSHAKE(s)
965 && s->rlayer.rrlmethod->set_first_handshake != NULL)
966 s->rlayer.rrlmethod->set_first_handshake(s->rlayer.rrl, 0);
967
968 return MSG_PROCESS_FINISHED_READING;
969 }
970
tls_construct_change_cipher_spec(SSL_CONNECTION * s,WPACKET * pkt)971 CON_FUNC_RETURN tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt)
972 {
973 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
974 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
975 return CON_FUNC_ERROR;
976 }
977
978 return CON_FUNC_SUCCESS;
979 }
980
981 /* Add a certificate to the WPACKET */
ssl_add_cert_to_wpacket(SSL_CONNECTION * s,WPACKET * pkt,X509 * x,int chain,int for_comp)982 static int ssl_add_cert_to_wpacket(SSL_CONNECTION *s, WPACKET *pkt,
983 X509 *x, int chain, int for_comp)
984 {
985 int len;
986 unsigned char *outbytes;
987 int context = SSL_EXT_TLS1_3_CERTIFICATE;
988
989 if (for_comp)
990 context |= SSL_EXT_TLS1_3_CERTIFICATE_COMPRESSION;
991
992 len = i2d_X509(x, NULL);
993 if (len < 0) {
994 if (!for_comp)
995 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
996 return 0;
997 }
998 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
999 || i2d_X509(x, &outbytes) != len) {
1000 if (!for_comp)
1001 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1002 return 0;
1003 }
1004
1005 if ((SSL_CONNECTION_IS_TLS13(s) || for_comp)
1006 && !tls_construct_extensions(s, pkt, context, x, chain)) {
1007 /* SSLfatal() already called */
1008 return 0;
1009 }
1010
1011 return 1;
1012 }
1013
1014 /* Add certificate chain to provided WPACKET */
ssl_add_cert_chain(SSL_CONNECTION * s,WPACKET * pkt,CERT_PKEY * cpk,int for_comp)1015 static int ssl_add_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, CERT_PKEY *cpk, int for_comp)
1016 {
1017 int i, chain_count;
1018 X509 *x;
1019 STACK_OF(X509) *extra_certs;
1020 STACK_OF(X509) *chain = NULL;
1021 X509_STORE *chain_store;
1022 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1023
1024 if (cpk == NULL || cpk->x509 == NULL)
1025 return 1;
1026
1027 x = cpk->x509;
1028
1029 /*
1030 * If we have a certificate specific chain use it, else use parent ctx.
1031 */
1032 if (cpk->chain != NULL)
1033 extra_certs = cpk->chain;
1034 else
1035 extra_certs = sctx->extra_certs;
1036
1037 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
1038 chain_store = NULL;
1039 else if (s->cert->chain_store)
1040 chain_store = s->cert->chain_store;
1041 else
1042 chain_store = sctx->cert_store;
1043
1044 if (chain_store != NULL) {
1045 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(sctx->libctx,
1046 sctx->propq);
1047
1048 if (xs_ctx == NULL) {
1049 if (!for_comp)
1050 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
1051 return 0;
1052 }
1053 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
1054 X509_STORE_CTX_free(xs_ctx);
1055 if (!for_comp)
1056 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
1057 return 0;
1058 }
1059 /*
1060 * It is valid for the chain not to be complete (because normally we
1061 * don't include the root cert in the chain). Therefore we deliberately
1062 * ignore the error return from this call. We're not actually verifying
1063 * the cert - we're just building as much of the chain as we can
1064 */
1065 (void)X509_verify_cert(xs_ctx);
1066 /* Don't leave errors in the queue */
1067 ERR_clear_error();
1068 chain = X509_STORE_CTX_get0_chain(xs_ctx);
1069 i = ssl_security_cert_chain(s, chain, NULL, 0);
1070 if (i != 1) {
1071 #if 0
1072 /* Dummy error calls so mkerr generates them */
1073 ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
1074 ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
1075 ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
1076 #endif
1077 X509_STORE_CTX_free(xs_ctx);
1078 if (!for_comp)
1079 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
1080 return 0;
1081 }
1082 chain_count = sk_X509_num(chain);
1083 for (i = 0; i < chain_count; i++) {
1084 x = sk_X509_value(chain, i);
1085
1086 if (!ssl_add_cert_to_wpacket(s, pkt, x, i, for_comp)) {
1087 /* SSLfatal() already called */
1088 X509_STORE_CTX_free(xs_ctx);
1089 return 0;
1090 }
1091 }
1092 X509_STORE_CTX_free(xs_ctx);
1093 } else {
1094 i = ssl_security_cert_chain(s, extra_certs, x, 0);
1095 if (i != 1) {
1096 if (!for_comp)
1097 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
1098 return 0;
1099 }
1100 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0, for_comp)) {
1101 /* SSLfatal() already called */
1102 return 0;
1103 }
1104 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1105 x = sk_X509_value(extra_certs, i);
1106 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1, for_comp)) {
1107 /* SSLfatal() already called */
1108 return 0;
1109 }
1110 }
1111 }
1112 return 1;
1113 }
1114
tls_get_peer_pkey(const SSL_CONNECTION * sc)1115 EVP_PKEY* tls_get_peer_pkey(const SSL_CONNECTION *sc)
1116 {
1117 if (sc->session->peer_rpk != NULL)
1118 return sc->session->peer_rpk;
1119 if (sc->session->peer != NULL)
1120 return X509_get0_pubkey(sc->session->peer);
1121 return NULL;
1122 }
1123
tls_process_rpk(SSL_CONNECTION * sc,PACKET * pkt,EVP_PKEY ** peer_rpk)1124 int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk)
1125 {
1126 EVP_PKEY *pkey = NULL;
1127 int ret = 0;
1128 RAW_EXTENSION *rawexts = NULL;
1129 PACKET extensions;
1130 PACKET context;
1131 unsigned long cert_len = 0, spki_len = 0;
1132 const unsigned char *spki, *spkistart;
1133 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc);
1134
1135 /*-
1136 * ----------------------------
1137 * TLS 1.3 Certificate message:
1138 * ----------------------------
1139 * https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2
1140 *
1141 * enum {
1142 * X509(0),
1143 * RawPublicKey(2),
1144 * (255)
1145 * } CertificateType;
1146 *
1147 * struct {
1148 * select (certificate_type) {
1149 * case RawPublicKey:
1150 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
1151 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
1152 *
1153 * case X509:
1154 * opaque cert_data<1..2^24-1>;
1155 * };
1156 * Extension extensions<0..2^16-1>;
1157 * } CertificateEntry;
1158 *
1159 * struct {
1160 * opaque certificate_request_context<0..2^8-1>;
1161 * CertificateEntry certificate_list<0..2^24-1>;
1162 * } Certificate;
1163 *
1164 * The client MUST send a Certificate message if and only if the server
1165 * has requested client authentication via a CertificateRequest message
1166 * (Section 4.3.2). If the server requests client authentication but no
1167 * suitable certificate is available, the client MUST send a Certificate
1168 * message containing no certificates (i.e., with the "certificate_list"
1169 * field having length 0).
1170 *
1171 * ----------------------------
1172 * TLS 1.2 Certificate message:
1173 * ----------------------------
1174 * https://datatracker.ietf.org/doc/html/rfc7250#section-3
1175 *
1176 * opaque ASN.1Cert<1..2^24-1>;
1177 *
1178 * struct {
1179 * select(certificate_type){
1180 *
1181 * // certificate type defined in this document.
1182 * case RawPublicKey:
1183 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
1184 *
1185 * // X.509 certificate defined in RFC 5246
1186 * case X.509:
1187 * ASN.1Cert certificate_list<0..2^24-1>;
1188 *
1189 * // Additional certificate type based on
1190 * // "TLS Certificate Types" subregistry
1191 * };
1192 * } Certificate;
1193 *
1194 * -------------
1195 * Consequently:
1196 * -------------
1197 * After the (TLS 1.3 only) context octet string (1 byte length + data) the
1198 * Certificate message has a 3-byte length that is zero in the client to
1199 * server message when the client has no RPK to send. In that case, there
1200 * are no (TLS 1.3 only) per-certificate extensions either, because the
1201 * [CertificateEntry] list is empty.
1202 *
1203 * In the server to client direction, or when the client had an RPK to send,
1204 * the TLS 1.3 message just prepends the length of the RPK+extensions,
1205 * while TLS <= 1.2 sends just the RPK (octet-string).
1206 *
1207 * The context must be zero-length in the server to client direction, and
1208 * must match the value recorded in the certificate request in the client
1209 * to server direction.
1210 */
1211 if (SSL_CONNECTION_IS_TLS13(sc)) {
1212 if (!PACKET_get_length_prefixed_1(pkt, &context)) {
1213 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
1214 goto err;
1215 }
1216 if (sc->server) {
1217 if (sc->pha_context == NULL) {
1218 if (PACKET_remaining(&context) != 0) {
1219 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
1220 goto err;
1221 }
1222 } else {
1223 if (!PACKET_equal(&context, sc->pha_context, sc->pha_context_len)) {
1224 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
1225 goto err;
1226 }
1227 }
1228 } else {
1229 if (PACKET_remaining(&context) != 0) {
1230 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
1231 goto err;
1232 }
1233 }
1234 }
1235
1236 if (!PACKET_get_net_3(pkt, &cert_len)
1237 || PACKET_remaining(pkt) != cert_len) {
1238 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1239 goto err;
1240 }
1241
1242 /*
1243 * The list length may be zero when there is no RPK. In the case of TLS
1244 * 1.2 this is actually the RPK length, which cannot be zero as specified,
1245 * but that breaks the ability of the client to decline client auth. We
1246 * overload the 0 RPK length to mean "no RPK". This interpretation is
1247 * also used some other (reference?) implementations, but is not supported
1248 * by the verbatim RFC7250 text.
1249 */
1250 if (cert_len == 0)
1251 return 1;
1252
1253 if (SSL_CONNECTION_IS_TLS13(sc)) {
1254 /*
1255 * With TLS 1.3, a non-empty explicit-length RPK octet-string followed
1256 * by a possibly empty extension block.
1257 */
1258 if (!PACKET_get_net_3(pkt, &spki_len)) {
1259 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1260 goto err;
1261 }
1262 if (spki_len == 0) {
1263 /* empty RPK */
1264 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_EMPTY_RAW_PUBLIC_KEY);
1265 goto err;
1266 }
1267 } else {
1268 spki_len = cert_len;
1269 }
1270
1271 if (!PACKET_get_bytes(pkt, &spki, spki_len)) {
1272 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1273 goto err;
1274 }
1275 spkistart = spki;
1276 if ((pkey = d2i_PUBKEY_ex(NULL, &spki, spki_len, sctx->libctx, sctx->propq)) == NULL
1277 || spki != (spkistart + spki_len)) {
1278 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1279 goto err;
1280 }
1281 if (EVP_PKEY_missing_parameters(pkey)) {
1282 SSLfatal(sc, SSL_AD_INTERNAL_ERROR,
1283 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1284 goto err;
1285 }
1286
1287 /* Process the Extensions block */
1288 if (SSL_CONNECTION_IS_TLS13(sc)) {
1289 if (PACKET_remaining(pkt) != (cert_len - 3 - spki_len)) {
1290 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
1291 goto err;
1292 }
1293 if (!PACKET_as_length_prefixed_2(pkt, &extensions)
1294 || PACKET_remaining(pkt) != 0) {
1295 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1296 goto err;
1297 }
1298 if (!tls_collect_extensions(sc, &extensions, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY,
1299 &rawexts, NULL, 1)) {
1300 /* SSLfatal already called */
1301 goto err;
1302 }
1303 /* chain index is always zero and fin always 1 for RPK */
1304 if (!tls_parse_all_extensions(sc, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY,
1305 rawexts, NULL, 0, 1)) {
1306 /* SSLfatal already called */
1307 goto err;
1308 }
1309 }
1310 ret = 1;
1311 if (peer_rpk != NULL) {
1312 *peer_rpk = pkey;
1313 pkey = NULL;
1314 }
1315
1316 err:
1317 OPENSSL_free(rawexts);
1318 EVP_PKEY_free(pkey);
1319 return ret;
1320 }
1321
tls_output_rpk(SSL_CONNECTION * sc,WPACKET * pkt,CERT_PKEY * cpk)1322 unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk)
1323 {
1324 int pdata_len = 0;
1325 unsigned char *pdata = NULL;
1326 X509_PUBKEY *xpk = NULL;
1327 unsigned long ret = 0;
1328 X509 *x509 = NULL;
1329
1330 if (cpk != NULL && cpk->x509 != NULL) {
1331 x509 = cpk->x509;
1332 /* Get the RPK from the certificate */
1333 xpk = X509_get_X509_PUBKEY(cpk->x509);
1334 if (xpk == NULL) {
1335 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1336 goto err;
1337 }
1338 pdata_len = i2d_X509_PUBKEY(xpk, &pdata);
1339 } else if (cpk != NULL && cpk->privatekey != NULL) {
1340 /* Get the RPK from the private key */
1341 pdata_len = i2d_PUBKEY(cpk->privatekey, &pdata);
1342 } else {
1343 /* The server RPK is not optional */
1344 if (sc->server) {
1345 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1346 goto err;
1347 }
1348 /* The client can send a zero length certificate list */
1349 if (!WPACKET_sub_memcpy_u24(pkt, pdata, pdata_len)) {
1350 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1351 goto err;
1352 }
1353 return 1;
1354 }
1355
1356 if (pdata_len <= 0) {
1357 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1358 goto err;
1359 }
1360
1361 /*
1362 * TLSv1.2 is _just_ the raw public key
1363 * TLSv1.3 includes extensions, so there's a length wrapper
1364 */
1365 if (SSL_CONNECTION_IS_TLS13(sc)) {
1366 if (!WPACKET_start_sub_packet_u24(pkt)) {
1367 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1368 goto err;
1369 }
1370 }
1371
1372 if (!WPACKET_sub_memcpy_u24(pkt, pdata, pdata_len)) {
1373 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1374 goto err;
1375 }
1376
1377 if (SSL_CONNECTION_IS_TLS13(sc)) {
1378 /*
1379 * Only send extensions relevant to raw public keys. Until such
1380 * extensions are defined, this will be an empty set of extensions.
1381 * |x509| may be NULL, which raw public-key extensions need to handle.
1382 */
1383 if (!tls_construct_extensions(sc, pkt, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY,
1384 x509, 0)) {
1385 /* SSLfatal() already called */
1386 goto err;
1387 }
1388 if (!WPACKET_close(pkt)) {
1389 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1390 goto err;
1391 }
1392 }
1393
1394 ret = 1;
1395 err:
1396 OPENSSL_free(pdata);
1397 return ret;
1398 }
1399
ssl3_output_cert_chain(SSL_CONNECTION * s,WPACKET * pkt,CERT_PKEY * cpk,int for_comp)1400 unsigned long ssl3_output_cert_chain(SSL_CONNECTION *s, WPACKET *pkt,
1401 CERT_PKEY *cpk, int for_comp)
1402 {
1403 if (!WPACKET_start_sub_packet_u24(pkt)) {
1404 if (!for_comp)
1405 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1406 return 0;
1407 }
1408
1409 if (!ssl_add_cert_chain(s, pkt, cpk, for_comp))
1410 return 0;
1411
1412 if (!WPACKET_close(pkt)) {
1413 if (!for_comp)
1414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1415 return 0;
1416 }
1417
1418 return 1;
1419 }
1420
1421 /*
1422 * Tidy up after the end of a handshake. In the case of SCTP this may result
1423 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1424 * freed up as well.
1425 */
tls_finish_handshake(SSL_CONNECTION * s,ossl_unused WORK_STATE wst,int clearbufs,int stop)1426 WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst,
1427 int clearbufs, int stop)
1428 {
1429 void (*cb) (const SSL *ssl, int type, int val) = NULL;
1430 int cleanuphand = s->statem.cleanuphand;
1431 SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);
1432 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1433
1434 if (clearbufs) {
1435 if (!SSL_CONNECTION_IS_DTLS(s)
1436 #ifndef OPENSSL_NO_SCTP
1437 /*
1438 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1439 * messages that require it. Therefore, DTLS procedures for retransmissions
1440 * MUST NOT be used.
1441 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1442 */
1443 || BIO_dgram_is_sctp(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)))
1444 #endif
1445 ) {
1446 /*
1447 * We don't do this in DTLS over UDP because we may still need the init_buf
1448 * in case there are any unexpected retransmits
1449 */
1450 BUF_MEM_free(s->init_buf);
1451 s->init_buf = NULL;
1452 }
1453
1454 if (!ssl_free_wbio_buffer(s)) {
1455 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1456 return WORK_ERROR;
1457 }
1458 s->init_num = 0;
1459 }
1460
1461 if (SSL_CONNECTION_IS_TLS13(s) && !s->server
1462 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1463 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1464
1465 /*
1466 * Only set if there was a Finished message and this isn't after a TLSv1.3
1467 * post handshake exchange
1468 */
1469 if (cleanuphand) {
1470 /* skipped if we just sent a HelloRequest */
1471 s->renegotiate = 0;
1472 s->new_session = 0;
1473 s->statem.cleanuphand = 0;
1474 s->ext.ticket_expected = 0;
1475
1476 ssl3_cleanup_key_block(s);
1477
1478 if (s->server) {
1479 /*
1480 * In TLSv1.3 we update the cache as part of constructing the
1481 * NewSessionTicket
1482 */
1483 if (!SSL_CONNECTION_IS_TLS13(s))
1484 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1485
1486 /* N.B. s->ctx may not equal s->session_ctx */
1487 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good);
1488 s->handshake_func = ossl_statem_accept;
1489 } else {
1490 if (SSL_CONNECTION_IS_TLS13(s)) {
1491 /*
1492 * We encourage applications to only use TLSv1.3 tickets once,
1493 * so we remove this one from the cache.
1494 */
1495 if ((s->session_ctx->session_cache_mode
1496 & SSL_SESS_CACHE_CLIENT) != 0)
1497 SSL_CTX_remove_session(s->session_ctx, s->session);
1498 } else {
1499 /*
1500 * In TLSv1.3 we update the cache as part of processing the
1501 * NewSessionTicket
1502 */
1503 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1504 }
1505 if (s->hit)
1506 ssl_tsan_counter(s->session_ctx,
1507 &s->session_ctx->stats.sess_hit);
1508
1509 s->handshake_func = ossl_statem_connect;
1510 ssl_tsan_counter(s->session_ctx,
1511 &s->session_ctx->stats.sess_connect_good);
1512 }
1513
1514 if (SSL_CONNECTION_IS_DTLS(s)) {
1515 /* done with handshaking */
1516 s->d1->handshake_read_seq = 0;
1517 s->d1->handshake_write_seq = 0;
1518 s->d1->next_handshake_write_seq = 0;
1519 dtls1_clear_received_buffer(s);
1520 }
1521 }
1522
1523 if (s->info_callback != NULL)
1524 cb = s->info_callback;
1525 else if (sctx->info_callback != NULL)
1526 cb = sctx->info_callback;
1527
1528 /* The callback may expect us to not be in init at handshake done */
1529 ossl_statem_set_in_init(s, 0);
1530
1531 if (cb != NULL) {
1532 if (cleanuphand
1533 || !SSL_CONNECTION_IS_TLS13(s)
1534 || SSL_IS_FIRST_HANDSHAKE(s))
1535 cb(ssl, SSL_CB_HANDSHAKE_DONE, 1);
1536 }
1537
1538 if (!stop) {
1539 /* If we've got more work to do we go back into init */
1540 ossl_statem_set_in_init(s, 1);
1541 return WORK_FINISHED_CONTINUE;
1542 }
1543
1544 return WORK_FINISHED_STOP;
1545 }
1546
tls_get_message_header(SSL_CONNECTION * s,int * mt)1547 int tls_get_message_header(SSL_CONNECTION *s, int *mt)
1548 {
1549 /* s->init_num < SSL3_HM_HEADER_LENGTH */
1550 int skip_message, i;
1551 uint8_t recvd_type;
1552 unsigned char *p;
1553 size_t l, readbytes;
1554 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1555 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
1556
1557 p = (unsigned char *)s->init_buf->data;
1558
1559 do {
1560 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1561 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, &recvd_type,
1562 &p[s->init_num],
1563 SSL3_HM_HEADER_LENGTH - s->init_num,
1564 0, &readbytes);
1565 if (i <= 0) {
1566 s->rwstate = SSL_READING;
1567 return 0;
1568 }
1569 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1570 /*
1571 * A ChangeCipherSpec must be a single byte and may not occur
1572 * in the middle of a handshake message.
1573 */
1574 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1575 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1576 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1577 return 0;
1578 }
1579 if (s->statem.hand_state == TLS_ST_BEFORE
1580 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1581 /*
1582 * We are stateless and we received a CCS. Probably this is
1583 * from a client between the first and second ClientHellos.
1584 * We should ignore this, but return an error because we do
1585 * not return success until we see the second ClientHello
1586 * with a valid cookie.
1587 */
1588 return 0;
1589 }
1590 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1591 s->init_num = readbytes - 1;
1592 s->init_msg = s->init_buf->data;
1593 s->s3.tmp.message_size = readbytes;
1594 return 1;
1595 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1596 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1597 SSL_R_CCS_RECEIVED_EARLY);
1598 return 0;
1599 }
1600 s->init_num += readbytes;
1601 }
1602
1603 skip_message = 0;
1604 if (!s->server)
1605 if (s->statem.hand_state != TLS_ST_OK
1606 && p[0] == SSL3_MT_HELLO_REQUEST)
1607 /*
1608 * The server may always send 'Hello Request' messages --
1609 * we are doing a handshake anyway now, so ignore them if
1610 * their format is correct. Does not count for 'Finished'
1611 * MAC.
1612 */
1613 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1614 s->init_num = 0;
1615 skip_message = 1;
1616
1617 if (s->msg_callback)
1618 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1619 p, SSL3_HM_HEADER_LENGTH, ussl,
1620 s->msg_callback_arg);
1621 }
1622 } while (skip_message);
1623 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1624
1625 *mt = *p;
1626 s->s3.tmp.message_type = *(p++);
1627
1628 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1629 /*
1630 * Only happens with SSLv3+ in an SSLv2 backward compatible
1631 * ClientHello
1632 *
1633 * Total message size is the remaining record bytes to read
1634 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1635 */
1636 l = s->rlayer.tlsrecs[0].length + SSL3_HM_HEADER_LENGTH;
1637 s->s3.tmp.message_size = l;
1638
1639 s->init_msg = s->init_buf->data;
1640 s->init_num = SSL3_HM_HEADER_LENGTH;
1641 } else {
1642 n2l3(p, l);
1643 /* BUF_MEM_grow takes an 'int' parameter */
1644 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1645 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1646 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1647 return 0;
1648 }
1649 s->s3.tmp.message_size = l;
1650
1651 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1652 s->init_num = 0;
1653 }
1654
1655 return 1;
1656 }
1657
tls_get_message_body(SSL_CONNECTION * s,size_t * len)1658 int tls_get_message_body(SSL_CONNECTION *s, size_t *len)
1659 {
1660 size_t n, readbytes;
1661 unsigned char *p;
1662 int i;
1663 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1664 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
1665
1666 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1667 /* We've already read everything in */
1668 *len = (unsigned long)s->init_num;
1669 return 1;
1670 }
1671
1672 p = s->init_msg;
1673 n = s->s3.tmp.message_size - s->init_num;
1674 while (n > 0) {
1675 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL,
1676 &p[s->init_num], n, 0, &readbytes);
1677 if (i <= 0) {
1678 s->rwstate = SSL_READING;
1679 *len = 0;
1680 return 0;
1681 }
1682 s->init_num += readbytes;
1683 n -= readbytes;
1684 }
1685
1686 /*
1687 * If receiving Finished, record MAC of prior handshake messages for
1688 * Finished verification.
1689 */
1690 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1691 /* SSLfatal() already called */
1692 *len = 0;
1693 return 0;
1694 }
1695
1696 /* Feed this message into MAC computation. */
1697 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1698 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1699 s->init_num)) {
1700 /* SSLfatal() already called */
1701 *len = 0;
1702 return 0;
1703 }
1704 if (s->msg_callback)
1705 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1706 (size_t)s->init_num, ussl, s->msg_callback_arg);
1707 } else {
1708 /*
1709 * We defer feeding in the HRR until later. We'll do it as part of
1710 * processing the message
1711 * The TLsv1.3 handshake transcript stops at the ClientFinished
1712 * message.
1713 */
1714 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1715 /* KeyUpdate and NewSessionTicket do not need to be added */
1716 if (!SSL_CONNECTION_IS_TLS13(s)
1717 || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1718 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1719 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1720 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1721 || memcmp(hrrrandom,
1722 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1723 SSL3_RANDOM_SIZE) != 0) {
1724 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1725 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1726 /* SSLfatal() already called */
1727 *len = 0;
1728 return 0;
1729 }
1730 }
1731 }
1732 if (s->msg_callback)
1733 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1734 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, ussl,
1735 s->msg_callback_arg);
1736 }
1737
1738 *len = s->init_num;
1739 return 1;
1740 }
1741
1742 static const X509ERR2ALERT x509table[] = {
1743 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1744 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1745 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
1746 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1747 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1748 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1749 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1750 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1751 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1752 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1753 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1754 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1755 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1756 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1757 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1758 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1759 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1760 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1761 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1762 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1763 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1764 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1765 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1766 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1767 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1768 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1769 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1770 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1771 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1772 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1773 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1774 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1775 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1776 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1777 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1778 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1779 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1780 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1781 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1782 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1783
1784 /* Last entry; return this if we don't find the value above. */
1785 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1786 };
1787
ssl_x509err2alert(int x509err)1788 int ssl_x509err2alert(int x509err)
1789 {
1790 const X509ERR2ALERT *tp;
1791
1792 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1793 if (tp->x509err == x509err)
1794 break;
1795 return tp->alert;
1796 }
1797
ssl_allow_compression(SSL_CONNECTION * s)1798 int ssl_allow_compression(SSL_CONNECTION *s)
1799 {
1800 if (s->options & SSL_OP_NO_COMPRESSION)
1801 return 0;
1802 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1803 }
1804
1805 /*
1806 * SSL/TLS/DTLS version comparison
1807 *
1808 * Returns
1809 * 0 if versiona is equal to versionb
1810 * 1 if versiona is greater than versionb
1811 * -1 if versiona is less than versionb
1812 */
ssl_version_cmp(const SSL_CONNECTION * s,int versiona,int versionb)1813 int ssl_version_cmp(const SSL_CONNECTION *s, int versiona, int versionb)
1814 {
1815 int dtls = SSL_CONNECTION_IS_DTLS(s);
1816
1817 if (versiona == versionb)
1818 return 0;
1819 if (!dtls)
1820 return versiona < versionb ? -1 : 1;
1821 return DTLS_VERSION_LT(versiona, versionb) ? -1 : 1;
1822 }
1823
1824 typedef struct {
1825 int version;
1826 const SSL_METHOD *(*cmeth) (void);
1827 const SSL_METHOD *(*smeth) (void);
1828 } version_info;
1829
1830 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1831 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1832 #endif
1833
1834 /* Must be in order high to low */
1835 static const version_info tls_version_table[] = {
1836 #ifndef OPENSSL_NO_TLS1_3
1837 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1838 #else
1839 {TLS1_3_VERSION, NULL, NULL},
1840 #endif
1841 #ifndef OPENSSL_NO_TLS1_2
1842 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1843 #else
1844 {TLS1_2_VERSION, NULL, NULL},
1845 #endif
1846 #ifndef OPENSSL_NO_TLS1_1
1847 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1848 #else
1849 {TLS1_1_VERSION, NULL, NULL},
1850 #endif
1851 #ifndef OPENSSL_NO_TLS1
1852 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1853 #else
1854 {TLS1_VERSION, NULL, NULL},
1855 #endif
1856 #ifndef OPENSSL_NO_SSL3
1857 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1858 #else
1859 {SSL3_VERSION, NULL, NULL},
1860 #endif
1861 {0, NULL, NULL},
1862 };
1863
1864 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1865 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1866 #endif
1867
1868 /* Must be in order high to low */
1869 static const version_info dtls_version_table[] = {
1870 #ifndef OPENSSL_NO_DTLS1_2
1871 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1872 #else
1873 {DTLS1_2_VERSION, NULL, NULL},
1874 #endif
1875 #ifndef OPENSSL_NO_DTLS1
1876 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1877 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1878 #else
1879 {DTLS1_VERSION, NULL, NULL},
1880 {DTLS1_BAD_VER, NULL, NULL},
1881 #endif
1882 {0, NULL, NULL},
1883 };
1884
1885 /*
1886 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1887 *
1888 * @s: The SSL handle for the candidate method
1889 * @method: the intended method.
1890 *
1891 * Returns 0 on success, or an SSL error reason on failure.
1892 */
ssl_method_error(const SSL_CONNECTION * s,const SSL_METHOD * method)1893 static int ssl_method_error(const SSL_CONNECTION *s, const SSL_METHOD *method)
1894 {
1895 int version = method->version;
1896
1897 if ((s->min_proto_version != 0 &&
1898 ssl_version_cmp(s, version, s->min_proto_version) < 0) ||
1899 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1900 return SSL_R_VERSION_TOO_LOW;
1901
1902 if (s->max_proto_version != 0 &&
1903 ssl_version_cmp(s, version, s->max_proto_version) > 0)
1904 return SSL_R_VERSION_TOO_HIGH;
1905
1906 if ((s->options & method->mask) != 0)
1907 return SSL_R_UNSUPPORTED_PROTOCOL;
1908 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1909 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1910
1911 return 0;
1912 }
1913
1914 /*
1915 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1916 * certificate type, or has PSK or a certificate callback configured, or has
1917 * a servername callback configure. Otherwise returns 0.
1918 */
is_tls13_capable(const SSL_CONNECTION * s)1919 static int is_tls13_capable(const SSL_CONNECTION *s)
1920 {
1921 size_t i;
1922 int curve;
1923 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1924
1925 if (!ossl_assert(sctx != NULL) || !ossl_assert(s->session_ctx != NULL))
1926 return 0;
1927
1928 /*
1929 * A servername callback can change the available certs, so if a servername
1930 * cb is set then we just assume TLSv1.3 will be ok
1931 */
1932 if (sctx->ext.servername_cb != NULL
1933 || s->session_ctx->ext.servername_cb != NULL)
1934 return 1;
1935
1936 #ifndef OPENSSL_NO_PSK
1937 if (s->psk_server_callback != NULL)
1938 return 1;
1939 #endif
1940
1941 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1942 return 1;
1943
1944 /* All provider-based sig algs are required to support at least TLS1.3 */
1945 for (i = 0; i < s->ssl_pkey_num; i++) {
1946 /* Skip over certs disallowed for TLSv1.3 */
1947 switch (i) {
1948 case SSL_PKEY_DSA_SIGN:
1949 case SSL_PKEY_GOST01:
1950 case SSL_PKEY_GOST12_256:
1951 case SSL_PKEY_GOST12_512:
1952 continue;
1953 default:
1954 break;
1955 }
1956 if (!ssl_has_cert(s, i))
1957 continue;
1958 if (i != SSL_PKEY_ECC)
1959 return 1;
1960 /*
1961 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1962 * more restrictive so check that our sig algs are consistent with this
1963 * EC cert. See section 4.2.3 of RFC8446.
1964 */
1965 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1966 if (tls_check_sigalg_curve(s, curve))
1967 return 1;
1968 }
1969
1970 return 0;
1971 }
1972
1973 /*
1974 * ssl_version_supported - Check that the specified `version` is supported by
1975 * `SSL *` instance
1976 *
1977 * @s: The SSL handle for the candidate method
1978 * @version: Protocol version to test against
1979 *
1980 * Returns 1 when supported, otherwise 0
1981 */
ssl_version_supported(const SSL_CONNECTION * s,int version,const SSL_METHOD ** meth)1982 int ssl_version_supported(const SSL_CONNECTION *s, int version,
1983 const SSL_METHOD **meth)
1984 {
1985 const version_info *vent;
1986 const version_info *table;
1987
1988 switch (SSL_CONNECTION_GET_SSL(s)->method->version) {
1989 default:
1990 /* Version should match method version for non-ANY method */
1991 return ssl_version_cmp(s, version, s->version) == 0;
1992 case TLS_ANY_VERSION:
1993 table = tls_version_table;
1994 break;
1995 case DTLS_ANY_VERSION:
1996 table = dtls_version_table;
1997 break;
1998 }
1999
2000 for (vent = table;
2001 vent->version != 0 && ssl_version_cmp(s, version, vent->version) <= 0;
2002 ++vent) {
2003 const SSL_METHOD *(*thismeth)(void) = s->server ? vent->smeth
2004 : vent->cmeth;
2005
2006 if (thismeth != NULL
2007 && ssl_version_cmp(s, version, vent->version) == 0
2008 && ssl_method_error(s, thismeth()) == 0
2009 && (!s->server
2010 || version != TLS1_3_VERSION
2011 || is_tls13_capable(s))) {
2012 if (meth != NULL)
2013 *meth = thismeth();
2014 return 1;
2015 }
2016 }
2017 return 0;
2018 }
2019
2020 /*
2021 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
2022 * fallback indication from a client check whether we're using the highest
2023 * supported protocol version.
2024 *
2025 * @s server SSL handle.
2026 *
2027 * Returns 1 when using the highest enabled version, 0 otherwise.
2028 */
ssl_check_version_downgrade(SSL_CONNECTION * s)2029 int ssl_check_version_downgrade(SSL_CONNECTION *s)
2030 {
2031 const version_info *vent;
2032 const version_info *table;
2033 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
2034
2035 /*
2036 * Check that the current protocol is the highest enabled version
2037 * (according to ssl->defltmethod, as version negotiation may have changed
2038 * s->method).
2039 */
2040 if (s->version == ssl->defltmeth->version)
2041 return 1;
2042
2043 /*
2044 * Apparently we're using a version-flexible SSL_METHOD (not at its
2045 * highest protocol version).
2046 */
2047 if (ssl->defltmeth->version == TLS_method()->version)
2048 table = tls_version_table;
2049 else if (ssl->defltmeth->version == DTLS_method()->version)
2050 table = dtls_version_table;
2051 else {
2052 /* Unexpected state; fail closed. */
2053 return 0;
2054 }
2055
2056 for (vent = table; vent->version != 0; ++vent) {
2057 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
2058 return s->version == vent->version;
2059 }
2060 return 0;
2061 }
2062
2063 /*
2064 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
2065 * protocols, provided the initial (D)TLS method is version-flexible. This
2066 * function sanity-checks the proposed value and makes sure the method is
2067 * version-flexible, then sets the limit if all is well.
2068 *
2069 * @method_version: The version of the current SSL_METHOD.
2070 * @version: the intended limit.
2071 * @bound: pointer to limit to be updated.
2072 *
2073 * Returns 1 on success, 0 on failure.
2074 */
ssl_set_version_bound(int method_version,int version,int * bound)2075 int ssl_set_version_bound(int method_version, int version, int *bound)
2076 {
2077 int valid_tls;
2078 int valid_dtls;
2079
2080 if (version == 0) {
2081 *bound = version;
2082 return 1;
2083 }
2084
2085 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
2086 valid_dtls =
2087 /* We support client side pre-standardisation version of DTLS */
2088 (version == DTLS1_BAD_VER)
2089 || (DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL)
2090 && DTLS_VERSION_GE(version, DTLS1_VERSION));
2091
2092 if (!valid_tls && !valid_dtls)
2093 return 0;
2094
2095 /*-
2096 * Restrict TLS methods to TLS protocol versions.
2097 * Restrict DTLS methods to DTLS protocol versions.
2098 * Note, DTLS version numbers are decreasing, use comparison macros.
2099 *
2100 * Note that for both lower-bounds we use explicit versions, not
2101 * (D)TLS_MIN_VERSION. This is because we don't want to break user
2102 * configurations. If the MIN (supported) version ever rises, the user's
2103 * "floor" remains valid even if no longer available. We don't expect the
2104 * MAX ceiling to ever get lower, so making that variable makes sense.
2105 *
2106 * We ignore attempts to set bounds on version-inflexible methods,
2107 * returning success.
2108 */
2109 switch (method_version) {
2110 default:
2111 break;
2112
2113 case TLS_ANY_VERSION:
2114 if (valid_tls)
2115 *bound = version;
2116 break;
2117
2118 case DTLS_ANY_VERSION:
2119 if (valid_dtls)
2120 *bound = version;
2121 break;
2122 }
2123 return 1;
2124 }
2125
check_for_downgrade(SSL_CONNECTION * s,int vers,DOWNGRADE * dgrd)2126 static void check_for_downgrade(SSL_CONNECTION *s, int vers, DOWNGRADE *dgrd)
2127 {
2128 if (vers == TLS1_2_VERSION
2129 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
2130 *dgrd = DOWNGRADE_TO_1_2;
2131 } else if (!SSL_CONNECTION_IS_DTLS(s)
2132 && vers < TLS1_2_VERSION
2133 /*
2134 * We need to ensure that a server that disables TLSv1.2
2135 * (creating a hole between TLSv1.3 and TLSv1.1) can still
2136 * complete handshakes with clients that support TLSv1.2 and
2137 * below. Therefore we do not enable the sentinel if TLSv1.3 is
2138 * enabled and TLSv1.2 is not.
2139 */
2140 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
2141 *dgrd = DOWNGRADE_TO_1_1;
2142 } else {
2143 *dgrd = DOWNGRADE_NONE;
2144 }
2145 }
2146
2147 /*
2148 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
2149 * client HELLO is received to select the final server protocol version and
2150 * the version specific method.
2151 *
2152 * @s: server SSL handle.
2153 *
2154 * Returns 0 on success or an SSL error reason number on failure.
2155 */
ssl_choose_server_version(SSL_CONNECTION * s,CLIENTHELLO_MSG * hello,DOWNGRADE * dgrd)2156 int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
2157 DOWNGRADE *dgrd)
2158 {
2159 /*-
2160 * With version-flexible methods we have an initial state with:
2161 *
2162 * s->method->version == (D)TLS_ANY_VERSION,
2163 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
2164 *
2165 * So we detect version-flexible methods via the method version, not the
2166 * handle version.
2167 */
2168 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
2169 int server_version = ssl->method->version;
2170 int client_version = hello->legacy_version;
2171 const version_info *vent;
2172 const version_info *table;
2173 int disabled = 0;
2174 RAW_EXTENSION *suppversions;
2175
2176 s->client_version = client_version;
2177
2178 switch (server_version) {
2179 default:
2180 if (!SSL_CONNECTION_IS_TLS13(s)) {
2181 if (ssl_version_cmp(s, client_version, s->version) < 0)
2182 return SSL_R_WRONG_SSL_VERSION;
2183 *dgrd = DOWNGRADE_NONE;
2184 /*
2185 * If this SSL handle is not from a version flexible method we don't
2186 * (and never did) check min/max FIPS or Suite B constraints. Hope
2187 * that's OK. It is up to the caller to not choose fixed protocol
2188 * versions they don't want. If not, then easy to fix, just return
2189 * ssl_method_error(s, s->method)
2190 */
2191 return 0;
2192 }
2193 /*
2194 * Fall through if we are TLSv1.3 already (this means we must be after
2195 * a HelloRetryRequest
2196 */
2197 /* fall thru */
2198 case TLS_ANY_VERSION:
2199 table = tls_version_table;
2200 break;
2201 case DTLS_ANY_VERSION:
2202 table = dtls_version_table;
2203 break;
2204 }
2205
2206 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
2207
2208 /* If we did an HRR then supported versions is mandatory */
2209 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
2210 return SSL_R_UNSUPPORTED_PROTOCOL;
2211
2212 if (suppversions->present && !SSL_CONNECTION_IS_DTLS(s)) {
2213 unsigned int candidate_vers = 0;
2214 unsigned int best_vers = 0;
2215 const SSL_METHOD *best_method = NULL;
2216 PACKET versionslist;
2217
2218 suppversions->parsed = 1;
2219
2220 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
2221 /* Trailing or invalid data? */
2222 return SSL_R_LENGTH_MISMATCH;
2223 }
2224
2225 /*
2226 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
2227 * The spec only requires servers to check that it isn't SSLv3:
2228 * "Any endpoint receiving a Hello message with
2229 * ClientHello.legacy_version or ServerHello.legacy_version set to
2230 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
2231 * We are slightly stricter and require that it isn't SSLv3 or lower.
2232 * We tolerate TLSv1 and TLSv1.1.
2233 */
2234 if (client_version <= SSL3_VERSION)
2235 return SSL_R_BAD_LEGACY_VERSION;
2236
2237 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
2238 if (ssl_version_cmp(s, candidate_vers, best_vers) <= 0)
2239 continue;
2240 if (ssl_version_supported(s, candidate_vers, &best_method))
2241 best_vers = candidate_vers;
2242 }
2243 if (PACKET_remaining(&versionslist) != 0) {
2244 /* Trailing data? */
2245 return SSL_R_LENGTH_MISMATCH;
2246 }
2247
2248 if (best_vers > 0) {
2249 if (s->hello_retry_request != SSL_HRR_NONE) {
2250 /*
2251 * This is after a HelloRetryRequest so we better check that we
2252 * negotiated TLSv1.3
2253 */
2254 if (best_vers != TLS1_3_VERSION)
2255 return SSL_R_UNSUPPORTED_PROTOCOL;
2256 return 0;
2257 }
2258 check_for_downgrade(s, best_vers, dgrd);
2259 s->version = best_vers;
2260 ssl->method = best_method;
2261 if (!ssl_set_record_protocol_version(s, best_vers))
2262 return ERR_R_INTERNAL_ERROR;
2263
2264 return 0;
2265 }
2266 return SSL_R_UNSUPPORTED_PROTOCOL;
2267 }
2268
2269 /*
2270 * If the supported versions extension isn't present, then the highest
2271 * version we can negotiate is TLSv1.2
2272 */
2273 if (ssl_version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
2274 client_version = TLS1_2_VERSION;
2275
2276 /*
2277 * No supported versions extension, so we just use the version supplied in
2278 * the ClientHello.
2279 */
2280 for (vent = table; vent->version != 0; ++vent) {
2281 const SSL_METHOD *method;
2282
2283 if (vent->smeth == NULL ||
2284 ssl_version_cmp(s, client_version, vent->version) < 0)
2285 continue;
2286 method = vent->smeth();
2287 if (ssl_method_error(s, method) == 0) {
2288 check_for_downgrade(s, vent->version, dgrd);
2289 s->version = vent->version;
2290 ssl->method = method;
2291 if (!ssl_set_record_protocol_version(s, s->version))
2292 return ERR_R_INTERNAL_ERROR;
2293
2294 return 0;
2295 }
2296 disabled = 1;
2297 }
2298 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
2299 }
2300
2301 /*
2302 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
2303 * server HELLO is received to select the final client protocol version and
2304 * the version specific method.
2305 *
2306 * @s: client SSL handle.
2307 * @version: The proposed version from the server's HELLO.
2308 * @extensions: The extensions received
2309 *
2310 * Returns 1 on success or 0 on error.
2311 */
ssl_choose_client_version(SSL_CONNECTION * s,int version,RAW_EXTENSION * extensions)2312 int ssl_choose_client_version(SSL_CONNECTION *s, int version,
2313 RAW_EXTENSION *extensions)
2314 {
2315 const version_info *vent;
2316 const version_info *table;
2317 int ret, ver_min, ver_max, real_max, origv;
2318 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
2319
2320 origv = s->version;
2321 s->version = version;
2322
2323 /* This will overwrite s->version if the extension is present */
2324 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
2325 SSL_EXT_TLS1_2_SERVER_HELLO
2326 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
2327 NULL, 0)) {
2328 s->version = origv;
2329 return 0;
2330 }
2331
2332 if (s->hello_retry_request != SSL_HRR_NONE
2333 && s->version != TLS1_3_VERSION) {
2334 s->version = origv;
2335 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
2336 return 0;
2337 }
2338
2339 switch (ssl->method->version) {
2340 default:
2341 if (s->version != ssl->method->version) {
2342 s->version = origv;
2343 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
2344 return 0;
2345 }
2346 /*
2347 * If this SSL handle is not from a version flexible method we don't
2348 * (and never did) check min/max, FIPS or Suite B constraints. Hope
2349 * that's OK. It is up to the caller to not choose fixed protocol
2350 * versions they don't want. If not, then easy to fix, just return
2351 * ssl_method_error(s, s->method)
2352 */
2353 if (!ssl_set_record_protocol_version(s, s->version)) {
2354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2355 return 0;
2356 }
2357 return 1;
2358 case TLS_ANY_VERSION:
2359 table = tls_version_table;
2360 break;
2361 case DTLS_ANY_VERSION:
2362 table = dtls_version_table;
2363 break;
2364 }
2365
2366 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
2367 if (ret != 0) {
2368 s->version = origv;
2369 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
2370 return 0;
2371 }
2372 if (ssl_version_cmp(s, s->version, ver_min) < 0
2373 || ssl_version_cmp(s, s->version, ver_max) > 0) {
2374 s->version = origv;
2375 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2376 return 0;
2377 }
2378
2379 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
2380 real_max = ver_max;
2381
2382 /* Check for downgrades */
2383 /* TODO(DTLSv1.3): Update this code for DTLSv1.3 */
2384 if (!SSL_CONNECTION_IS_DTLS(s) && real_max > s->version) {
2385 /* Signal applies to all versions */
2386 if (memcmp(tls11downgrade,
2387 s->s3.server_random + SSL3_RANDOM_SIZE
2388 - sizeof(tls11downgrade),
2389 sizeof(tls11downgrade)) == 0) {
2390 s->version = origv;
2391 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
2392 SSL_R_INAPPROPRIATE_FALLBACK);
2393 return 0;
2394 }
2395 /* Only when accepting TLS1.3 */
2396 if (real_max == TLS1_3_VERSION
2397 && memcmp(tls12downgrade,
2398 s->s3.server_random + SSL3_RANDOM_SIZE
2399 - sizeof(tls12downgrade),
2400 sizeof(tls12downgrade)) == 0) {
2401 s->version = origv;
2402 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
2403 SSL_R_INAPPROPRIATE_FALLBACK);
2404 return 0;
2405 }
2406 }
2407
2408 for (vent = table; vent->version != 0; ++vent) {
2409 if (vent->cmeth == NULL || s->version != vent->version)
2410 continue;
2411
2412 ssl->method = vent->cmeth();
2413 if (!ssl_set_record_protocol_version(s, s->version)) {
2414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2415 return 0;
2416 }
2417 return 1;
2418 }
2419
2420 s->version = origv;
2421 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2422 return 0;
2423 }
2424
2425 /*
2426 * ssl_get_min_max_version - get minimum and maximum protocol version
2427 * @s: The SSL connection
2428 * @min_version: The minimum supported version
2429 * @max_version: The maximum supported version
2430 * @real_max: The highest version below the lowest compile time version hole
2431 * where that hole lies above at least one run-time enabled
2432 * protocol.
2433 *
2434 * Work out what version we should be using for the initial ClientHello if the
2435 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2436 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2437 * constraints and any floor imposed by the security level here,
2438 * so we don't advertise the wrong protocol version to only reject the outcome later.
2439 *
2440 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2441 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2442 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2443 *
2444 * Returns 0 on success or an SSL error reason number on failure. On failure
2445 * min_version and max_version will also be set to 0.
2446 */
ssl_get_min_max_version(const SSL_CONNECTION * s,int * min_version,int * max_version,int * real_max)2447 int ssl_get_min_max_version(const SSL_CONNECTION *s, int *min_version,
2448 int *max_version, int *real_max)
2449 {
2450 int version, tmp_real_max;
2451 int hole;
2452 const SSL_METHOD *method;
2453 const version_info *table;
2454 const version_info *vent;
2455 const SSL *ssl = SSL_CONNECTION_GET_SSL(s);
2456
2457 switch (ssl->method->version) {
2458 default:
2459 /*
2460 * If this SSL handle is not from a version flexible method we don't
2461 * (and never did) check min/max FIPS or Suite B constraints. Hope
2462 * that's OK. It is up to the caller to not choose fixed protocol
2463 * versions they don't want. If not, then easy to fix, just return
2464 * ssl_method_error(s, s->method)
2465 */
2466 *min_version = *max_version = s->version;
2467 /*
2468 * Providing a real_max only makes sense where we're using a version
2469 * flexible method.
2470 */
2471 if (!ossl_assert(real_max == NULL))
2472 return ERR_R_INTERNAL_ERROR;
2473 return 0;
2474 case TLS_ANY_VERSION:
2475 table = tls_version_table;
2476 break;
2477 case DTLS_ANY_VERSION:
2478 table = dtls_version_table;
2479 break;
2480 }
2481
2482 /*
2483 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2484 * below X enabled. This is required in order to maintain the "version
2485 * capability" vector contiguous. Any versions with a NULL client method
2486 * (protocol version client is disabled at compile-time) is also a "hole".
2487 *
2488 * Our initial state is hole == 1, version == 0. That is, versions above
2489 * the first version in the method table are disabled (a "hole" above
2490 * the valid protocol entries) and we don't have a selected version yet.
2491 *
2492 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2493 * the selected version. We're no longer in a hole, so "hole" becomes 0.
2494 *
2495 * If "hole == 0" and we hit an enabled method, we support a contiguous
2496 * range of at least two methods. If we hit a disabled method,
2497 * then hole becomes true again, but nothing else changes yet,
2498 * because all the remaining methods may be disabled too.
2499 * If we again hit an enabled method after the new hole, it becomes
2500 * selected, as we start from scratch.
2501 */
2502 *min_version = version = 0;
2503 hole = 1;
2504 if (real_max != NULL)
2505 *real_max = 0;
2506 tmp_real_max = 0;
2507 for (vent = table; vent->version != 0; ++vent) {
2508 /*
2509 * A table entry with a NULL client method is still a hole in the
2510 * "version capability" vector.
2511 */
2512 if (vent->cmeth == NULL) {
2513 hole = 1;
2514 tmp_real_max = 0;
2515 continue;
2516 }
2517 method = vent->cmeth();
2518
2519 if (hole == 1 && tmp_real_max == 0)
2520 tmp_real_max = vent->version;
2521
2522 if (ssl_method_error(s, method) != 0) {
2523 hole = 1;
2524 } else if (!hole) {
2525 *min_version = method->version;
2526 } else {
2527 if (real_max != NULL && tmp_real_max != 0)
2528 *real_max = tmp_real_max;
2529 version = method->version;
2530 *min_version = version;
2531 hole = 0;
2532 }
2533 }
2534
2535 *max_version = version;
2536
2537 /* Fail if everything is disabled */
2538 if (version == 0)
2539 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2540
2541 return 0;
2542 }
2543
2544 /*
2545 * ssl_set_client_hello_version - Work out what version we should be using for
2546 * the initial ClientHello.legacy_version field.
2547 *
2548 * @s: client SSL handle.
2549 *
2550 * Returns 0 on success or an SSL error reason number on failure.
2551 */
ssl_set_client_hello_version(SSL_CONNECTION * s)2552 int ssl_set_client_hello_version(SSL_CONNECTION *s)
2553 {
2554 int ver_min, ver_max, ret;
2555
2556 /*
2557 * In a renegotiation we always send the same client_version that we sent
2558 * last time, regardless of which version we eventually negotiated.
2559 */
2560 if (!SSL_IS_FIRST_HANDSHAKE(s))
2561 return 0;
2562
2563 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2564
2565 if (ret != 0)
2566 return ret;
2567
2568 s->version = ver_max;
2569
2570 if (SSL_CONNECTION_IS_DTLS(s)) {
2571 if (ver_max == DTLS1_BAD_VER) {
2572 /*
2573 * Even though this is technically before version negotiation,
2574 * because we have asked for DTLS1_BAD_VER we will never negotiate
2575 * anything else, and this has impacts on the record layer for when
2576 * we read the ServerHello. So we need to tell the record layer
2577 * about this immediately.
2578 */
2579 if (!ssl_set_record_protocol_version(s, ver_max))
2580 return 0;
2581 }
2582 } else if (ver_max > TLS1_2_VERSION) {
2583 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2584 ver_max = TLS1_2_VERSION;
2585 }
2586
2587 s->client_version = ver_max;
2588 return 0;
2589 }
2590
2591 /*
2592 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2593 * and |checkallow| is 1 then additionally check if the group is allowed to be
2594 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2595 * 1) or 0 otherwise. If provided a pointer it will also return the position
2596 * where the group was found.
2597 */
check_in_list(SSL_CONNECTION * s,uint16_t group_id,const uint16_t * groups,size_t num_groups,int checkallow,size_t * pos)2598 int check_in_list(SSL_CONNECTION *s, uint16_t group_id, const uint16_t *groups,
2599 size_t num_groups, int checkallow, size_t *pos)
2600 {
2601 size_t i;
2602
2603 if (groups == NULL || num_groups == 0)
2604 return 0;
2605
2606 for (i = 0; i < num_groups; i++) {
2607 uint16_t group = groups[i];
2608
2609 if (group_id == group
2610 && (!checkallow
2611 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2612 if (pos != NULL)
2613 *pos = i;
2614 return 1;
2615 }
2616 }
2617
2618 return 0;
2619 }
2620
2621 /* Replace ClientHello1 in the transcript hash with a synthetic message */
create_synthetic_message_hash(SSL_CONNECTION * s,const unsigned char * hashval,size_t hashlen,const unsigned char * hrr,size_t hrrlen)2622 int create_synthetic_message_hash(SSL_CONNECTION *s,
2623 const unsigned char *hashval,
2624 size_t hashlen, const unsigned char *hrr,
2625 size_t hrrlen)
2626 {
2627 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2628 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2629
2630 memset(msghdr, 0, sizeof(msghdr));
2631
2632 if (hashval == NULL) {
2633 hashval = hashvaltmp;
2634 hashlen = 0;
2635 /* Get the hash of the initial ClientHello */
2636 if (!ssl3_digest_cached_records(s, 0)
2637 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2638 &hashlen)) {
2639 /* SSLfatal() already called */
2640 return 0;
2641 }
2642 }
2643
2644 /* Reinitialise the transcript hash */
2645 if (!ssl3_init_finished_mac(s)) {
2646 /* SSLfatal() already called */
2647 return 0;
2648 }
2649
2650 /* Inject the synthetic message_hash message */
2651 msghdr[0] = SSL3_MT_MESSAGE_HASH;
2652 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2653 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2654 || !ssl3_finish_mac(s, hashval, hashlen)) {
2655 /* SSLfatal() already called */
2656 return 0;
2657 }
2658
2659 /*
2660 * Now re-inject the HRR and current message if appropriate (we just deleted
2661 * it when we reinitialised the transcript hash above). Only necessary after
2662 * receiving a ClientHello2 with a cookie.
2663 */
2664 if (hrr != NULL
2665 && (!ssl3_finish_mac(s, hrr, hrrlen)
2666 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2667 s->s3.tmp.message_size
2668 + SSL3_HM_HEADER_LENGTH))) {
2669 /* SSLfatal() already called */
2670 return 0;
2671 }
2672
2673 return 1;
2674 }
2675
ca_dn_cmp(const X509_NAME * const * a,const X509_NAME * const * b)2676 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2677 {
2678 return X509_NAME_cmp(*a, *b);
2679 }
2680
parse_ca_names(SSL_CONNECTION * s,PACKET * pkt)2681 int parse_ca_names(SSL_CONNECTION *s, PACKET *pkt)
2682 {
2683 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2684 X509_NAME *xn = NULL;
2685 PACKET cadns;
2686
2687 if (ca_sk == NULL) {
2688 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
2689 goto err;
2690 }
2691 /* get the CA RDNs */
2692 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2693 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2694 goto err;
2695 }
2696
2697 while (PACKET_remaining(&cadns)) {
2698 const unsigned char *namestart, *namebytes;
2699 unsigned int name_len;
2700
2701 if (!PACKET_get_net_2(&cadns, &name_len)
2702 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2703 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2704 goto err;
2705 }
2706
2707 namestart = namebytes;
2708 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2709 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
2710 goto err;
2711 }
2712 if (namebytes != (namestart + name_len)) {
2713 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
2714 goto err;
2715 }
2716
2717 if (!sk_X509_NAME_push(ca_sk, xn)) {
2718 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
2719 goto err;
2720 }
2721 xn = NULL;
2722 }
2723
2724 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2725 s->s3.tmp.peer_ca_names = ca_sk;
2726
2727 return 1;
2728
2729 err:
2730 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2731 X509_NAME_free(xn);
2732 return 0;
2733 }
2734
STACK_OF(X509_NAME)2735 const STACK_OF(X509_NAME) *get_ca_names(SSL_CONNECTION *s)
2736 {
2737 const STACK_OF(X509_NAME) *ca_sk = NULL;
2738 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
2739
2740 if (s->server) {
2741 ca_sk = SSL_get_client_CA_list(ssl);
2742 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2743 ca_sk = NULL;
2744 }
2745
2746 if (ca_sk == NULL)
2747 ca_sk = SSL_get0_CA_list(ssl);
2748
2749 return ca_sk;
2750 }
2751
construct_ca_names(SSL_CONNECTION * s,const STACK_OF (X509_NAME)* ca_sk,WPACKET * pkt)2752 int construct_ca_names(SSL_CONNECTION *s, const STACK_OF(X509_NAME) *ca_sk,
2753 WPACKET *pkt)
2754 {
2755 /* Start sub-packet for client CA list */
2756 if (!WPACKET_start_sub_packet_u16(pkt)) {
2757 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2758 return 0;
2759 }
2760
2761 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
2762 int i;
2763
2764 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2765 unsigned char *namebytes;
2766 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2767 int namelen;
2768
2769 if (name == NULL
2770 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2771 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2772 &namebytes)
2773 || i2d_X509_NAME(name, &namebytes) != namelen) {
2774 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2775 return 0;
2776 }
2777 }
2778 }
2779
2780 if (!WPACKET_close(pkt)) {
2781 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2782 return 0;
2783 }
2784
2785 return 1;
2786 }
2787
2788 /* Create a buffer containing data to be signed for server key exchange */
construct_key_exchange_tbs(SSL_CONNECTION * s,unsigned char ** ptbs,const void * param,size_t paramlen)2789 size_t construct_key_exchange_tbs(SSL_CONNECTION *s, unsigned char **ptbs,
2790 const void *param, size_t paramlen)
2791 {
2792 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2793 unsigned char *tbs = OPENSSL_malloc(tbslen);
2794
2795 if (tbs == NULL) {
2796 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
2797 return 0;
2798 }
2799 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2800 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2801
2802 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2803
2804 *ptbs = tbs;
2805 return tbslen;
2806 }
2807
2808 /*
2809 * Saves the current handshake digest for Post-Handshake Auth,
2810 * Done after ClientFinished is processed, done exactly once
2811 */
tls13_save_handshake_digest_for_pha(SSL_CONNECTION * s)2812 int tls13_save_handshake_digest_for_pha(SSL_CONNECTION *s)
2813 {
2814 if (s->pha_dgst == NULL) {
2815 if (!ssl3_digest_cached_records(s, 1))
2816 /* SSLfatal() already called */
2817 return 0;
2818
2819 s->pha_dgst = EVP_MD_CTX_new();
2820 if (s->pha_dgst == NULL) {
2821 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2822 return 0;
2823 }
2824 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2825 s->s3.handshake_dgst)) {
2826 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2827 EVP_MD_CTX_free(s->pha_dgst);
2828 s->pha_dgst = NULL;
2829 return 0;
2830 }
2831 }
2832 return 1;
2833 }
2834
2835 /*
2836 * Restores the Post-Handshake Auth handshake digest
2837 * Done just before sending/processing the Cert Request
2838 */
tls13_restore_handshake_digest_for_pha(SSL_CONNECTION * s)2839 int tls13_restore_handshake_digest_for_pha(SSL_CONNECTION *s)
2840 {
2841 if (s->pha_dgst == NULL) {
2842 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2843 return 0;
2844 }
2845 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2846 s->pha_dgst)) {
2847 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2848 return 0;
2849 }
2850 return 1;
2851 }
2852
2853 #ifndef OPENSSL_NO_COMP_ALG
tls13_process_compressed_certificate(SSL_CONNECTION * sc,PACKET * pkt,PACKET * tmppkt,BUF_MEM * buf)2854 MSG_PROCESS_RETURN tls13_process_compressed_certificate(SSL_CONNECTION *sc,
2855 PACKET *pkt,
2856 PACKET *tmppkt,
2857 BUF_MEM *buf)
2858 {
2859 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
2860 int comp_alg;
2861 COMP_METHOD *method = NULL;
2862 COMP_CTX *comp = NULL;
2863 size_t expected_length;
2864 size_t comp_length;
2865 int i;
2866 int found = 0;
2867
2868 if (buf == NULL) {
2869 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2870 goto err;
2871 }
2872 if (!PACKET_get_net_2(pkt, (unsigned int*)&comp_alg)) {
2873 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, ERR_R_INTERNAL_ERROR);
2874 goto err;
2875 }
2876 /* If we have a prefs list, make sure the algorithm is in it */
2877 if (sc->cert_comp_prefs[0] != TLSEXT_comp_cert_none) {
2878 for (i = 0; sc->cert_comp_prefs[i] != TLSEXT_comp_cert_none; i++) {
2879 if (sc->cert_comp_prefs[i] == comp_alg) {
2880 found = 1;
2881 break;
2882 }
2883 }
2884 if (!found) {
2885 SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_COMPRESSION_ALGORITHM);
2886 goto err;
2887 }
2888 }
2889 if (!ossl_comp_has_alg(comp_alg)) {
2890 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_COMPRESSION_ALGORITHM);
2891 goto err;
2892 }
2893 switch (comp_alg) {
2894 case TLSEXT_comp_cert_zlib:
2895 method = COMP_zlib_oneshot();
2896 break;
2897 case TLSEXT_comp_cert_brotli:
2898 method = COMP_brotli_oneshot();
2899 break;
2900 case TLSEXT_comp_cert_zstd:
2901 method = COMP_zstd_oneshot();
2902 break;
2903 default:
2904 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_COMPRESSION_ALGORITHM);
2905 goto err;
2906 }
2907
2908 if ((comp = COMP_CTX_new(method)) == NULL
2909 || !PACKET_get_net_3_len(pkt, &expected_length)
2910 || !PACKET_get_net_3_len(pkt, &comp_length)) {
2911 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_DECOMPRESSION);
2912 goto err;
2913 }
2914
2915 if (PACKET_remaining(pkt) != comp_length || comp_length == 0) {
2916 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_DECOMPRESSION);
2917 goto err;
2918 }
2919
2920 if (!BUF_MEM_grow(buf, expected_length)
2921 || !PACKET_buf_init(tmppkt, (unsigned char *)buf->data, expected_length)
2922 || COMP_expand_block(comp, (unsigned char *)buf->data, expected_length,
2923 (unsigned char*)PACKET_data(pkt), comp_length) != (int)expected_length) {
2924 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_DECOMPRESSION);
2925 goto err;
2926 }
2927 ret = MSG_PROCESS_CONTINUE_PROCESSING;
2928 err:
2929 COMP_CTX_free(comp);
2930 return ret;
2931 }
2932 #endif
2933