1e71b7053SJung-uk Kim /*
2*a7148ab3SEnji Cooper * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
3e71b7053SJung-uk Kim * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4e71b7053SJung-uk Kim *
5b077aed3SPierre Pronchery * Licensed under the Apache License 2.0 (the "License"). You may not use
6e71b7053SJung-uk Kim * this file except in compliance with the License. You can obtain a copy
7e71b7053SJung-uk Kim * in the file LICENSE in the source distribution or at
8e71b7053SJung-uk Kim * https://www.openssl.org/source/license.html
9e71b7053SJung-uk Kim */
10e71b7053SJung-uk Kim
11e71b7053SJung-uk Kim #include <limits.h>
12e71b7053SJung-uk Kim #include <string.h>
13e71b7053SJung-uk Kim #include <stdio.h>
1417f01e99SJung-uk Kim #include "../ssl_local.h"
1517f01e99SJung-uk Kim #include "statem_local.h"
16e71b7053SJung-uk Kim #include "internal/cryptlib.h"
17e71b7053SJung-uk Kim #include <openssl/buffer.h>
18e71b7053SJung-uk Kim #include <openssl/objects.h>
19e71b7053SJung-uk Kim #include <openssl/evp.h>
20b077aed3SPierre Pronchery #include <openssl/rsa.h>
21e71b7053SJung-uk Kim #include <openssl/x509.h>
22b077aed3SPierre Pronchery #include <openssl/trace.h>
23e71b7053SJung-uk Kim
24e71b7053SJung-uk Kim /*
25e71b7053SJung-uk Kim * Map error codes to TLS/SSL alart types.
26e71b7053SJung-uk Kim */
27e71b7053SJung-uk Kim typedef struct x509err2alert_st {
28e71b7053SJung-uk Kim int x509err;
29e71b7053SJung-uk Kim int alert;
30e71b7053SJung-uk Kim } X509ERR2ALERT;
31e71b7053SJung-uk Kim
32e71b7053SJung-uk Kim /* Fixed value used in the ServerHello random field to identify an HRR */
33e71b7053SJung-uk Kim const unsigned char hrrrandom[] = {
34e71b7053SJung-uk Kim 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35e71b7053SJung-uk Kim 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36e71b7053SJung-uk Kim 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37e71b7053SJung-uk Kim };
38e71b7053SJung-uk Kim
39e71b7053SJung-uk Kim /*
40e71b7053SJung-uk Kim * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41e71b7053SJung-uk Kim * SSL3_RT_CHANGE_CIPHER_SPEC)
42e71b7053SJung-uk Kim */
ssl3_do_write(SSL * s,int type)43e71b7053SJung-uk Kim int ssl3_do_write(SSL *s, int type)
44e71b7053SJung-uk Kim {
45e71b7053SJung-uk Kim int ret;
46e71b7053SJung-uk Kim size_t written = 0;
47e71b7053SJung-uk Kim
48e71b7053SJung-uk Kim ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
49e71b7053SJung-uk Kim s->init_num, &written);
50aa795734SPierre Pronchery if (ret <= 0)
51e71b7053SJung-uk Kim return -1;
52e71b7053SJung-uk Kim if (type == SSL3_RT_HANDSHAKE)
53e71b7053SJung-uk Kim /*
54e71b7053SJung-uk Kim * should not be done for 'Hello Request's, but in that case we'll
55e71b7053SJung-uk Kim * ignore the result anyway
56e71b7053SJung-uk Kim * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
57e71b7053SJung-uk Kim */
58e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
59e71b7053SJung-uk Kim && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
60e71b7053SJung-uk Kim && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
61e71b7053SJung-uk Kim if (!ssl3_finish_mac(s,
62e71b7053SJung-uk Kim (unsigned char *)&s->init_buf->data[s->init_off],
63e71b7053SJung-uk Kim written))
64e71b7053SJung-uk Kim return -1;
65e71b7053SJung-uk Kim if (written == s->init_num) {
66e71b7053SJung-uk Kim if (s->msg_callback)
67e71b7053SJung-uk Kim s->msg_callback(1, s->version, type, s->init_buf->data,
68e71b7053SJung-uk Kim (size_t)(s->init_off + s->init_num), s,
69e71b7053SJung-uk Kim s->msg_callback_arg);
70e71b7053SJung-uk Kim return 1;
71e71b7053SJung-uk Kim }
72e71b7053SJung-uk Kim s->init_off += written;
73e71b7053SJung-uk Kim s->init_num -= written;
74e71b7053SJung-uk Kim return 0;
75e71b7053SJung-uk Kim }
76e71b7053SJung-uk Kim
tls_close_construct_packet(SSL * s,WPACKET * pkt,int htype)77e71b7053SJung-uk Kim int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
78e71b7053SJung-uk Kim {
79e71b7053SJung-uk Kim size_t msglen;
80e71b7053SJung-uk Kim
81e71b7053SJung-uk Kim if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
82e71b7053SJung-uk Kim || !WPACKET_get_length(pkt, &msglen)
83e71b7053SJung-uk Kim || msglen > INT_MAX)
84e71b7053SJung-uk Kim return 0;
85e71b7053SJung-uk Kim s->init_num = (int)msglen;
86e71b7053SJung-uk Kim s->init_off = 0;
87e71b7053SJung-uk Kim
88e71b7053SJung-uk Kim return 1;
89e71b7053SJung-uk Kim }
90e71b7053SJung-uk Kim
tls_setup_handshake(SSL * s)91e71b7053SJung-uk Kim int tls_setup_handshake(SSL *s)
92e71b7053SJung-uk Kim {
93b077aed3SPierre Pronchery int ver_min, ver_max, ok;
94b077aed3SPierre Pronchery
95e71b7053SJung-uk Kim if (!ssl3_init_finished_mac(s)) {
96e71b7053SJung-uk Kim /* SSLfatal() already called */
97e71b7053SJung-uk Kim return 0;
98e71b7053SJung-uk Kim }
99e71b7053SJung-uk Kim
100e71b7053SJung-uk Kim /* Reset any extension flags */
101e71b7053SJung-uk Kim memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
102e71b7053SJung-uk Kim
103b077aed3SPierre Pronchery if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
104b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
105b077aed3SPierre Pronchery return 0;
106b077aed3SPierre Pronchery }
107b077aed3SPierre Pronchery
108b077aed3SPierre Pronchery /* Sanity check that we have MD5-SHA1 if we need it */
109b077aed3SPierre Pronchery if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
110b077aed3SPierre Pronchery int md5sha1_needed = 0;
111b077aed3SPierre Pronchery
112b077aed3SPierre Pronchery /* We don't have MD5-SHA1 - do we need it? */
113b077aed3SPierre Pronchery if (SSL_IS_DTLS(s)) {
114b077aed3SPierre Pronchery if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
115b077aed3SPierre Pronchery md5sha1_needed = 1;
116b077aed3SPierre Pronchery } else {
117b077aed3SPierre Pronchery if (ver_max <= TLS1_1_VERSION)
118b077aed3SPierre Pronchery md5sha1_needed = 1;
119b077aed3SPierre Pronchery }
120b077aed3SPierre Pronchery if (md5sha1_needed) {
121b077aed3SPierre Pronchery SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
122b077aed3SPierre Pronchery SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
123b077aed3SPierre Pronchery "The max supported SSL/TLS version needs the"
124b077aed3SPierre Pronchery " MD5-SHA1 digest but it is not available"
125b077aed3SPierre Pronchery " in the loaded providers. Use (D)TLSv1.2 or"
126b077aed3SPierre Pronchery " above, or load different providers");
127b077aed3SPierre Pronchery return 0;
128b077aed3SPierre Pronchery }
129b077aed3SPierre Pronchery
130b077aed3SPierre Pronchery ok = 1;
131b077aed3SPierre Pronchery /* Don't allow TLSv1.1 or below to be negotiated */
132b077aed3SPierre Pronchery if (SSL_IS_DTLS(s)) {
133b077aed3SPierre Pronchery if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
134b077aed3SPierre Pronchery ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION);
135b077aed3SPierre Pronchery } else {
136b077aed3SPierre Pronchery if (ver_min < TLS1_2_VERSION)
137b077aed3SPierre Pronchery ok = SSL_set_min_proto_version(s, TLS1_2_VERSION);
138b077aed3SPierre Pronchery }
139b077aed3SPierre Pronchery if (!ok) {
140b077aed3SPierre Pronchery /* Shouldn't happen */
141b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
142b077aed3SPierre Pronchery return 0;
143b077aed3SPierre Pronchery }
144b077aed3SPierre Pronchery }
145b077aed3SPierre Pronchery
146b077aed3SPierre Pronchery ok = 0;
147e71b7053SJung-uk Kim if (s->server) {
148e71b7053SJung-uk Kim STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
149b077aed3SPierre Pronchery int i;
150e71b7053SJung-uk Kim
151e71b7053SJung-uk Kim /*
152e71b7053SJung-uk Kim * Sanity check that the maximum version we accept has ciphers
153e71b7053SJung-uk Kim * enabled. For clients we do this check during construction of the
154e71b7053SJung-uk Kim * ClientHello.
155e71b7053SJung-uk Kim */
156e71b7053SJung-uk Kim for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
157e71b7053SJung-uk Kim const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
158e71b7053SJung-uk Kim
159e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) {
160e71b7053SJung-uk Kim if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
161e71b7053SJung-uk Kim DTLS_VERSION_LE(ver_max, c->max_dtls))
162e71b7053SJung-uk Kim ok = 1;
163e71b7053SJung-uk Kim } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
164e71b7053SJung-uk Kim ok = 1;
165e71b7053SJung-uk Kim }
166e71b7053SJung-uk Kim if (ok)
167e71b7053SJung-uk Kim break;
168e71b7053SJung-uk Kim }
169e71b7053SJung-uk Kim if (!ok) {
170b077aed3SPierre Pronchery SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
171b077aed3SPierre Pronchery SSL_R_NO_CIPHERS_AVAILABLE,
172b077aed3SPierre Pronchery "No ciphers enabled for max supported "
173e71b7053SJung-uk Kim "SSL/TLS version");
174e71b7053SJung-uk Kim return 0;
175e71b7053SJung-uk Kim }
176e71b7053SJung-uk Kim if (SSL_IS_FIRST_HANDSHAKE(s)) {
177e71b7053SJung-uk Kim /* N.B. s->session_ctx == s->ctx here */
178b077aed3SPierre Pronchery ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
179e71b7053SJung-uk Kim } else {
180e71b7053SJung-uk Kim /* N.B. s->ctx may not equal s->session_ctx */
181b077aed3SPierre Pronchery ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_renegotiate);
182e71b7053SJung-uk Kim
183b077aed3SPierre Pronchery s->s3.tmp.cert_request = 0;
184e71b7053SJung-uk Kim }
185e71b7053SJung-uk Kim } else {
186e71b7053SJung-uk Kim if (SSL_IS_FIRST_HANDSHAKE(s))
187b077aed3SPierre Pronchery ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
188e71b7053SJung-uk Kim else
189b077aed3SPierre Pronchery ssl_tsan_counter(s->session_ctx,
190b077aed3SPierre Pronchery &s->session_ctx->stats.sess_connect_renegotiate);
191e71b7053SJung-uk Kim
192e71b7053SJung-uk Kim /* mark client_random uninitialized */
193b077aed3SPierre Pronchery memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
194e71b7053SJung-uk Kim s->hit = 0;
195e71b7053SJung-uk Kim
196b077aed3SPierre Pronchery s->s3.tmp.cert_req = 0;
197e71b7053SJung-uk Kim
198e71b7053SJung-uk Kim if (SSL_IS_DTLS(s))
199e71b7053SJung-uk Kim s->statem.use_timer = 1;
200e71b7053SJung-uk Kim }
201e71b7053SJung-uk Kim
202e71b7053SJung-uk Kim return 1;
203e71b7053SJung-uk Kim }
204e71b7053SJung-uk Kim
205e71b7053SJung-uk Kim /*
206e71b7053SJung-uk Kim * Size of the to-be-signed TLS13 data, without the hash size itself:
207e71b7053SJung-uk Kim * 64 bytes of value 32, 33 context bytes, 1 byte separator
208e71b7053SJung-uk Kim */
209e71b7053SJung-uk Kim #define TLS13_TBS_START_SIZE 64
210e71b7053SJung-uk Kim #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
211e71b7053SJung-uk Kim
get_cert_verify_tbs_data(SSL * s,unsigned char * tls13tbs,void ** hdata,size_t * hdatalen)212e71b7053SJung-uk Kim static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
213e71b7053SJung-uk Kim void **hdata, size_t *hdatalen)
214e71b7053SJung-uk Kim {
215da327cd2SJung-uk Kim #ifdef CHARSET_EBCDIC
21617f01e99SJung-uk Kim static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
217da327cd2SJung-uk Kim 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
218da327cd2SJung-uk Kim 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
219da327cd2SJung-uk Kim 0x69, 0x66, 0x79, 0x00 };
22017f01e99SJung-uk Kim static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
221da327cd2SJung-uk Kim 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
222da327cd2SJung-uk Kim 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
223da327cd2SJung-uk Kim 0x69, 0x66, 0x79, 0x00 };
224da327cd2SJung-uk Kim #else
22517f01e99SJung-uk Kim static const char servercontext[] = "TLS 1.3, server CertificateVerify";
22617f01e99SJung-uk Kim static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
227da327cd2SJung-uk Kim #endif
228e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) {
229e71b7053SJung-uk Kim size_t hashlen;
230e71b7053SJung-uk Kim
231e71b7053SJung-uk Kim /* Set the first 64 bytes of to-be-signed data to octet 32 */
232e71b7053SJung-uk Kim memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
233e71b7053SJung-uk Kim /* This copies the 33 bytes of context plus the 0 separator byte */
234e71b7053SJung-uk Kim if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
235e71b7053SJung-uk Kim || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
236e71b7053SJung-uk Kim strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
237e71b7053SJung-uk Kim else
238e71b7053SJung-uk Kim strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
239e71b7053SJung-uk Kim
240e71b7053SJung-uk Kim /*
241e71b7053SJung-uk Kim * If we're currently reading then we need to use the saved handshake
242e71b7053SJung-uk Kim * hash value. We can't use the current handshake hash state because
243e71b7053SJung-uk Kim * that includes the CertVerify itself.
244e71b7053SJung-uk Kim */
245e71b7053SJung-uk Kim if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
246e71b7053SJung-uk Kim || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
247e71b7053SJung-uk Kim memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
248e71b7053SJung-uk Kim s->cert_verify_hash_len);
249e71b7053SJung-uk Kim hashlen = s->cert_verify_hash_len;
250e71b7053SJung-uk Kim } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
251e71b7053SJung-uk Kim EVP_MAX_MD_SIZE, &hashlen)) {
252e71b7053SJung-uk Kim /* SSLfatal() already called */
253e71b7053SJung-uk Kim return 0;
254e71b7053SJung-uk Kim }
255e71b7053SJung-uk Kim
256e71b7053SJung-uk Kim *hdata = tls13tbs;
257e71b7053SJung-uk Kim *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
258e71b7053SJung-uk Kim } else {
259e71b7053SJung-uk Kim size_t retlen;
260c9cf7b5cSJung-uk Kim long retlen_l;
261e71b7053SJung-uk Kim
262b077aed3SPierre Pronchery retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
263c9cf7b5cSJung-uk Kim if (retlen_l <= 0) {
264b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
265e71b7053SJung-uk Kim return 0;
266e71b7053SJung-uk Kim }
267e71b7053SJung-uk Kim *hdatalen = retlen;
268e71b7053SJung-uk Kim }
269e71b7053SJung-uk Kim
270e71b7053SJung-uk Kim return 1;
271e71b7053SJung-uk Kim }
272e71b7053SJung-uk Kim
tls_construct_cert_verify(SSL * s,WPACKET * pkt)273e71b7053SJung-uk Kim int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
274e71b7053SJung-uk Kim {
275e71b7053SJung-uk Kim EVP_PKEY *pkey = NULL;
276e71b7053SJung-uk Kim const EVP_MD *md = NULL;
277e71b7053SJung-uk Kim EVP_MD_CTX *mctx = NULL;
278e71b7053SJung-uk Kim EVP_PKEY_CTX *pctx = NULL;
279e71b7053SJung-uk Kim size_t hdatalen = 0, siglen = 0;
280e71b7053SJung-uk Kim void *hdata;
281e71b7053SJung-uk Kim unsigned char *sig = NULL;
282e71b7053SJung-uk Kim unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
283b077aed3SPierre Pronchery const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
284e71b7053SJung-uk Kim
285b077aed3SPierre Pronchery if (lu == NULL || s->s3.tmp.cert == NULL) {
286b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
287e71b7053SJung-uk Kim goto err;
288e71b7053SJung-uk Kim }
289b077aed3SPierre Pronchery pkey = s->s3.tmp.cert->privatekey;
290e71b7053SJung-uk Kim
291b077aed3SPierre Pronchery if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
292b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
293e71b7053SJung-uk Kim goto err;
294e71b7053SJung-uk Kim }
295e71b7053SJung-uk Kim
296e71b7053SJung-uk Kim mctx = EVP_MD_CTX_new();
297e71b7053SJung-uk Kim if (mctx == NULL) {
298b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
299e71b7053SJung-uk Kim goto err;
300e71b7053SJung-uk Kim }
301e71b7053SJung-uk Kim
302e71b7053SJung-uk Kim /* Get the data to be signed */
303e71b7053SJung-uk Kim if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
304e71b7053SJung-uk Kim /* SSLfatal() already called */
305e71b7053SJung-uk Kim goto err;
306e71b7053SJung-uk Kim }
307e71b7053SJung-uk Kim
308e71b7053SJung-uk Kim if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
309b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
310e71b7053SJung-uk Kim goto err;
311e71b7053SJung-uk Kim }
312e71b7053SJung-uk Kim
313b077aed3SPierre Pronchery if (EVP_DigestSignInit_ex(mctx, &pctx,
314b077aed3SPierre Pronchery md == NULL ? NULL : EVP_MD_get0_name(md),
315b077aed3SPierre Pronchery s->ctx->libctx, s->ctx->propq, pkey,
316b077aed3SPierre Pronchery NULL) <= 0) {
317b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
318e71b7053SJung-uk Kim goto err;
319e71b7053SJung-uk Kim }
320e71b7053SJung-uk Kim
321e71b7053SJung-uk Kim if (lu->sig == EVP_PKEY_RSA_PSS) {
322e71b7053SJung-uk Kim if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
323e71b7053SJung-uk Kim || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
324e71b7053SJung-uk Kim RSA_PSS_SALTLEN_DIGEST) <= 0) {
325b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
326e71b7053SJung-uk Kim goto err;
327e71b7053SJung-uk Kim }
328e71b7053SJung-uk Kim }
329e71b7053SJung-uk Kim if (s->version == SSL3_VERSION) {
330b077aed3SPierre Pronchery /*
331b077aed3SPierre Pronchery * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
332b077aed3SPierre Pronchery * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
333b077aed3SPierre Pronchery */
334e71b7053SJung-uk Kim if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
335b077aed3SPierre Pronchery || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
336e71b7053SJung-uk Kim (int)s->session->master_key_length,
337b077aed3SPierre Pronchery s->session->master_key) <= 0
338b077aed3SPierre Pronchery || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
339e71b7053SJung-uk Kim
340b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
341e71b7053SJung-uk Kim goto err;
342e71b7053SJung-uk Kim }
343b077aed3SPierre Pronchery sig = OPENSSL_malloc(siglen);
344b077aed3SPierre Pronchery if (sig == NULL
345b077aed3SPierre Pronchery || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
346b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
347e71b7053SJung-uk Kim goto err;
348e71b7053SJung-uk Kim }
349b077aed3SPierre Pronchery } else {
350b077aed3SPierre Pronchery /*
351b077aed3SPierre Pronchery * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
352b077aed3SPierre Pronchery * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
353b077aed3SPierre Pronchery */
354b077aed3SPierre Pronchery if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
355b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
356b077aed3SPierre Pronchery goto err;
357b077aed3SPierre Pronchery }
358b077aed3SPierre Pronchery sig = OPENSSL_malloc(siglen);
359b077aed3SPierre Pronchery if (sig == NULL
360b077aed3SPierre Pronchery || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
361b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
362b077aed3SPierre Pronchery goto err;
363b077aed3SPierre Pronchery }
364b077aed3SPierre Pronchery }
365e71b7053SJung-uk Kim
366e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST
367e71b7053SJung-uk Kim {
368e71b7053SJung-uk Kim int pktype = lu->sig;
369e71b7053SJung-uk Kim
370e71b7053SJung-uk Kim if (pktype == NID_id_GostR3410_2001
371e71b7053SJung-uk Kim || pktype == NID_id_GostR3410_2012_256
372e71b7053SJung-uk Kim || pktype == NID_id_GostR3410_2012_512)
373e71b7053SJung-uk Kim BUF_reverse(sig, NULL, siglen);
374e71b7053SJung-uk Kim }
375e71b7053SJung-uk Kim #endif
376e71b7053SJung-uk Kim
377e71b7053SJung-uk Kim if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
378b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
379e71b7053SJung-uk Kim goto err;
380e71b7053SJung-uk Kim }
381e71b7053SJung-uk Kim
382e71b7053SJung-uk Kim /* Digest cached records and discard handshake buffer */
383e71b7053SJung-uk Kim if (!ssl3_digest_cached_records(s, 0)) {
384e71b7053SJung-uk Kim /* SSLfatal() already called */
385e71b7053SJung-uk Kim goto err;
386e71b7053SJung-uk Kim }
387e71b7053SJung-uk Kim
388e71b7053SJung-uk Kim OPENSSL_free(sig);
389e71b7053SJung-uk Kim EVP_MD_CTX_free(mctx);
390e71b7053SJung-uk Kim return 1;
391e71b7053SJung-uk Kim err:
392e71b7053SJung-uk Kim OPENSSL_free(sig);
393e71b7053SJung-uk Kim EVP_MD_CTX_free(mctx);
394e71b7053SJung-uk Kim return 0;
395e71b7053SJung-uk Kim }
396e71b7053SJung-uk Kim
tls_process_cert_verify(SSL * s,PACKET * pkt)397e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
398e71b7053SJung-uk Kim {
399e71b7053SJung-uk Kim EVP_PKEY *pkey = NULL;
400e71b7053SJung-uk Kim const unsigned char *data;
401e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST
402e71b7053SJung-uk Kim unsigned char *gost_data = NULL;
403e71b7053SJung-uk Kim #endif
404e71b7053SJung-uk Kim MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
405e71b7053SJung-uk Kim int j;
406e71b7053SJung-uk Kim unsigned int len;
407e71b7053SJung-uk Kim X509 *peer;
408e71b7053SJung-uk Kim const EVP_MD *md = NULL;
409e71b7053SJung-uk Kim size_t hdatalen = 0;
410e71b7053SJung-uk Kim void *hdata;
411e71b7053SJung-uk Kim unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
412e71b7053SJung-uk Kim EVP_MD_CTX *mctx = EVP_MD_CTX_new();
413e71b7053SJung-uk Kim EVP_PKEY_CTX *pctx = NULL;
414e71b7053SJung-uk Kim
415e71b7053SJung-uk Kim if (mctx == NULL) {
416b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
417e71b7053SJung-uk Kim goto err;
418e71b7053SJung-uk Kim }
419e71b7053SJung-uk Kim
420e71b7053SJung-uk Kim peer = s->session->peer;
421e71b7053SJung-uk Kim pkey = X509_get0_pubkey(peer);
422e71b7053SJung-uk Kim if (pkey == NULL) {
423b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
424e71b7053SJung-uk Kim goto err;
425e71b7053SJung-uk Kim }
426e71b7053SJung-uk Kim
427e71b7053SJung-uk Kim if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
428b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
429e71b7053SJung-uk Kim SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
430e71b7053SJung-uk Kim goto err;
431e71b7053SJung-uk Kim }
432e71b7053SJung-uk Kim
433e71b7053SJung-uk Kim if (SSL_USE_SIGALGS(s)) {
434e71b7053SJung-uk Kim unsigned int sigalg;
435e71b7053SJung-uk Kim
436e71b7053SJung-uk Kim if (!PACKET_get_net_2(pkt, &sigalg)) {
437b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
438e71b7053SJung-uk Kim goto err;
439e71b7053SJung-uk Kim }
440e71b7053SJung-uk Kim if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
441e71b7053SJung-uk Kim /* SSLfatal() already called */
442e71b7053SJung-uk Kim goto err;
443e71b7053SJung-uk Kim }
444e71b7053SJung-uk Kim } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
445b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR,
446b077aed3SPierre Pronchery SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);
447e71b7053SJung-uk Kim goto err;
448e71b7053SJung-uk Kim }
449e71b7053SJung-uk Kim
450b077aed3SPierre Pronchery if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
451b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
452e71b7053SJung-uk Kim goto err;
453e71b7053SJung-uk Kim }
454e71b7053SJung-uk Kim
455e71b7053SJung-uk Kim if (SSL_USE_SIGALGS(s))
456b077aed3SPierre Pronchery OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
457b077aed3SPierre Pronchery md == NULL ? "n/a" : EVP_MD_get0_name(md));
458e71b7053SJung-uk Kim
459e71b7053SJung-uk Kim /* Check for broken implementations of GOST ciphersuites */
460e71b7053SJung-uk Kim /*
461e71b7053SJung-uk Kim * If key is GOST and len is exactly 64 or 128, it is signature without
462e71b7053SJung-uk Kim * length field (CryptoPro implementations at least till TLS 1.2)
463e71b7053SJung-uk Kim */
464e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST
465e71b7053SJung-uk Kim if (!SSL_USE_SIGALGS(s)
466e71b7053SJung-uk Kim && ((PACKET_remaining(pkt) == 64
467b077aed3SPierre Pronchery && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
468b077aed3SPierre Pronchery || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
469e71b7053SJung-uk Kim || (PACKET_remaining(pkt) == 128
470b077aed3SPierre Pronchery && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
471e71b7053SJung-uk Kim len = PACKET_remaining(pkt);
472e71b7053SJung-uk Kim } else
473e71b7053SJung-uk Kim #endif
474e71b7053SJung-uk Kim if (!PACKET_get_net_2(pkt, &len)) {
475b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
476e71b7053SJung-uk Kim goto err;
477e71b7053SJung-uk Kim }
478e71b7053SJung-uk Kim
479e71b7053SJung-uk Kim if (!PACKET_get_bytes(pkt, &data, len)) {
480b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
481e71b7053SJung-uk Kim goto err;
482e71b7053SJung-uk Kim }
483*a7148ab3SEnji Cooper if (PACKET_remaining(pkt) != 0) {
484*a7148ab3SEnji Cooper SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
485*a7148ab3SEnji Cooper goto err;
486*a7148ab3SEnji Cooper }
487e71b7053SJung-uk Kim
488e71b7053SJung-uk Kim if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
489e71b7053SJung-uk Kim /* SSLfatal() already called */
490e71b7053SJung-uk Kim goto err;
491e71b7053SJung-uk Kim }
492e71b7053SJung-uk Kim
493b077aed3SPierre Pronchery OSSL_TRACE1(TLS, "Using client verify alg %s\n",
494b077aed3SPierre Pronchery md == NULL ? "n/a" : EVP_MD_get0_name(md));
495b077aed3SPierre Pronchery
496b077aed3SPierre Pronchery if (EVP_DigestVerifyInit_ex(mctx, &pctx,
497b077aed3SPierre Pronchery md == NULL ? NULL : EVP_MD_get0_name(md),
498b077aed3SPierre Pronchery s->ctx->libctx, s->ctx->propq, pkey,
499b077aed3SPierre Pronchery NULL) <= 0) {
500b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
501e71b7053SJung-uk Kim goto err;
502e71b7053SJung-uk Kim }
503e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST
504e71b7053SJung-uk Kim {
505b077aed3SPierre Pronchery int pktype = EVP_PKEY_get_id(pkey);
506e71b7053SJung-uk Kim if (pktype == NID_id_GostR3410_2001
507e71b7053SJung-uk Kim || pktype == NID_id_GostR3410_2012_256
508e71b7053SJung-uk Kim || pktype == NID_id_GostR3410_2012_512) {
509e71b7053SJung-uk Kim if ((gost_data = OPENSSL_malloc(len)) == NULL) {
510b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
511e71b7053SJung-uk Kim goto err;
512e71b7053SJung-uk Kim }
513e71b7053SJung-uk Kim BUF_reverse(gost_data, data, len);
514e71b7053SJung-uk Kim data = gost_data;
515e71b7053SJung-uk Kim }
516e71b7053SJung-uk Kim }
517e71b7053SJung-uk Kim #endif
518e71b7053SJung-uk Kim
519e71b7053SJung-uk Kim if (SSL_USE_PSS(s)) {
520e71b7053SJung-uk Kim if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
521e71b7053SJung-uk Kim || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
522e71b7053SJung-uk Kim RSA_PSS_SALTLEN_DIGEST) <= 0) {
523b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
524e71b7053SJung-uk Kim goto err;
525e71b7053SJung-uk Kim }
526e71b7053SJung-uk Kim }
527e71b7053SJung-uk Kim if (s->version == SSL3_VERSION) {
528e71b7053SJung-uk Kim if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
529b077aed3SPierre Pronchery || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
530e71b7053SJung-uk Kim (int)s->session->master_key_length,
531b077aed3SPierre Pronchery s->session->master_key) <= 0) {
532b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
533e71b7053SJung-uk Kim goto err;
534e71b7053SJung-uk Kim }
535e71b7053SJung-uk Kim if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
536b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
537e71b7053SJung-uk Kim goto err;
538e71b7053SJung-uk Kim }
539e71b7053SJung-uk Kim } else {
540e71b7053SJung-uk Kim j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
541e71b7053SJung-uk Kim if (j <= 0) {
542b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
543e71b7053SJung-uk Kim goto err;
544e71b7053SJung-uk Kim }
545e71b7053SJung-uk Kim }
546e71b7053SJung-uk Kim
547c9cf7b5cSJung-uk Kim /*
548c9cf7b5cSJung-uk Kim * In TLSv1.3 on the client side we make sure we prepare the client
549c9cf7b5cSJung-uk Kim * certificate after the CertVerify instead of when we get the
550c9cf7b5cSJung-uk Kim * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
551c9cf7b5cSJung-uk Kim * comes *before* the Certificate message. In TLSv1.2 it comes after. We
552b077aed3SPierre Pronchery * want to make sure that SSL_get1_peer_certificate() will return the actual
553c9cf7b5cSJung-uk Kim * server certificate from the client_cert_cb callback.
554c9cf7b5cSJung-uk Kim */
555b077aed3SPierre Pronchery if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
556c9cf7b5cSJung-uk Kim ret = MSG_PROCESS_CONTINUE_PROCESSING;
557c9cf7b5cSJung-uk Kim else
558e71b7053SJung-uk Kim ret = MSG_PROCESS_CONTINUE_READING;
559e71b7053SJung-uk Kim err:
560b077aed3SPierre Pronchery BIO_free(s->s3.handshake_buffer);
561b077aed3SPierre Pronchery s->s3.handshake_buffer = NULL;
562e71b7053SJung-uk Kim EVP_MD_CTX_free(mctx);
563e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST
564e71b7053SJung-uk Kim OPENSSL_free(gost_data);
565e71b7053SJung-uk Kim #endif
566e71b7053SJung-uk Kim return ret;
567e71b7053SJung-uk Kim }
568e71b7053SJung-uk Kim
tls_construct_finished(SSL * s,WPACKET * pkt)569e71b7053SJung-uk Kim int tls_construct_finished(SSL *s, WPACKET *pkt)
570e71b7053SJung-uk Kim {
571e71b7053SJung-uk Kim size_t finish_md_len;
572e71b7053SJung-uk Kim const char *sender;
573e71b7053SJung-uk Kim size_t slen;
574e71b7053SJung-uk Kim
575e71b7053SJung-uk Kim /* This is a real handshake so make sure we clean it up at the end */
576e71b7053SJung-uk Kim if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
577e71b7053SJung-uk Kim s->statem.cleanuphand = 1;
578e71b7053SJung-uk Kim
579e71b7053SJung-uk Kim /*
580e71b7053SJung-uk Kim * We only change the keys if we didn't already do this when we sent the
581e71b7053SJung-uk Kim * client certificate
582e71b7053SJung-uk Kim */
583e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)
584e71b7053SJung-uk Kim && !s->server
585b077aed3SPierre Pronchery && s->s3.tmp.cert_req == 0
586e71b7053SJung-uk Kim && (!s->method->ssl3_enc->change_cipher_state(s,
587e71b7053SJung-uk Kim SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
588e71b7053SJung-uk Kim /* SSLfatal() already called */
589e71b7053SJung-uk Kim return 0;
590e71b7053SJung-uk Kim }
591e71b7053SJung-uk Kim
592e71b7053SJung-uk Kim if (s->server) {
593e71b7053SJung-uk Kim sender = s->method->ssl3_enc->server_finished_label;
594e71b7053SJung-uk Kim slen = s->method->ssl3_enc->server_finished_label_len;
595e71b7053SJung-uk Kim } else {
596e71b7053SJung-uk Kim sender = s->method->ssl3_enc->client_finished_label;
597e71b7053SJung-uk Kim slen = s->method->ssl3_enc->client_finished_label_len;
598e71b7053SJung-uk Kim }
599e71b7053SJung-uk Kim
600e71b7053SJung-uk Kim finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
601e71b7053SJung-uk Kim sender, slen,
602b077aed3SPierre Pronchery s->s3.tmp.finish_md);
603e71b7053SJung-uk Kim if (finish_md_len == 0) {
604e71b7053SJung-uk Kim /* SSLfatal() already called */
605e71b7053SJung-uk Kim return 0;
606e71b7053SJung-uk Kim }
607e71b7053SJung-uk Kim
608b077aed3SPierre Pronchery s->s3.tmp.finish_md_len = finish_md_len;
609e71b7053SJung-uk Kim
610b077aed3SPierre Pronchery if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
611b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
612e71b7053SJung-uk Kim return 0;
613e71b7053SJung-uk Kim }
614e71b7053SJung-uk Kim
615e71b7053SJung-uk Kim /*
616e71b7053SJung-uk Kim * Log the master secret, if logging is enabled. We don't log it for
617e71b7053SJung-uk Kim * TLSv1.3: there's a different key schedule for that.
618e71b7053SJung-uk Kim */
619e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
620e71b7053SJung-uk Kim s->session->master_key,
621e71b7053SJung-uk Kim s->session->master_key_length)) {
622e71b7053SJung-uk Kim /* SSLfatal() already called */
623e71b7053SJung-uk Kim return 0;
624e71b7053SJung-uk Kim }
625e71b7053SJung-uk Kim
626e71b7053SJung-uk Kim /*
627e71b7053SJung-uk Kim * Copy the finished so we can use it for renegotiation checks
628e71b7053SJung-uk Kim */
629e71b7053SJung-uk Kim if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
630b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
631e71b7053SJung-uk Kim return 0;
632e71b7053SJung-uk Kim }
633e71b7053SJung-uk Kim if (!s->server) {
634b077aed3SPierre Pronchery memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
635e71b7053SJung-uk Kim finish_md_len);
636b077aed3SPierre Pronchery s->s3.previous_client_finished_len = finish_md_len;
637e71b7053SJung-uk Kim } else {
638b077aed3SPierre Pronchery memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
639e71b7053SJung-uk Kim finish_md_len);
640b077aed3SPierre Pronchery s->s3.previous_server_finished_len = finish_md_len;
641e71b7053SJung-uk Kim }
642e71b7053SJung-uk Kim
643e71b7053SJung-uk Kim return 1;
644e71b7053SJung-uk Kim }
645e71b7053SJung-uk Kim
tls_construct_key_update(SSL * s,WPACKET * pkt)646e71b7053SJung-uk Kim int tls_construct_key_update(SSL *s, WPACKET *pkt)
647e71b7053SJung-uk Kim {
648e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
649b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
650e71b7053SJung-uk Kim return 0;
651e71b7053SJung-uk Kim }
652e71b7053SJung-uk Kim
653e71b7053SJung-uk Kim s->key_update = SSL_KEY_UPDATE_NONE;
654e71b7053SJung-uk Kim return 1;
655e71b7053SJung-uk Kim }
656e71b7053SJung-uk Kim
tls_process_key_update(SSL * s,PACKET * pkt)657e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
658e71b7053SJung-uk Kim {
659e71b7053SJung-uk Kim unsigned int updatetype;
660e71b7053SJung-uk Kim
661e71b7053SJung-uk Kim /*
662e71b7053SJung-uk Kim * A KeyUpdate message signals a key change so the end of the message must
663e71b7053SJung-uk Kim * be on a record boundary.
664e71b7053SJung-uk Kim */
665e71b7053SJung-uk Kim if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
666b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
667e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
668e71b7053SJung-uk Kim }
669e71b7053SJung-uk Kim
670e71b7053SJung-uk Kim if (!PACKET_get_1(pkt, &updatetype)
671e71b7053SJung-uk Kim || PACKET_remaining(pkt) != 0) {
672b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
673e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
674e71b7053SJung-uk Kim }
675e71b7053SJung-uk Kim
676e71b7053SJung-uk Kim /*
677e71b7053SJung-uk Kim * There are only two defined key update types. Fail if we get a value we
678e71b7053SJung-uk Kim * didn't recognise.
679e71b7053SJung-uk Kim */
680e71b7053SJung-uk Kim if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
681e71b7053SJung-uk Kim && updatetype != SSL_KEY_UPDATE_REQUESTED) {
682b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
683e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
684e71b7053SJung-uk Kim }
685e71b7053SJung-uk Kim
686e71b7053SJung-uk Kim /*
687e71b7053SJung-uk Kim * If we get a request for us to update our sending keys too then, we need
688e71b7053SJung-uk Kim * to additionally send a KeyUpdate message. However that message should
689da327cd2SJung-uk Kim * not also request an update (otherwise we get into an infinite loop).
690e71b7053SJung-uk Kim */
691da327cd2SJung-uk Kim if (updatetype == SSL_KEY_UPDATE_REQUESTED)
692e71b7053SJung-uk Kim s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
693e71b7053SJung-uk Kim
694e71b7053SJung-uk Kim if (!tls13_update_key(s, 0)) {
695e71b7053SJung-uk Kim /* SSLfatal() already called */
696e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
697e71b7053SJung-uk Kim }
698e71b7053SJung-uk Kim
699e71b7053SJung-uk Kim return MSG_PROCESS_FINISHED_READING;
700e71b7053SJung-uk Kim }
701e71b7053SJung-uk Kim
702e71b7053SJung-uk Kim /*
703e71b7053SJung-uk Kim * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
704e71b7053SJung-uk Kim * to far.
705e71b7053SJung-uk Kim */
ssl3_take_mac(SSL * s)706e71b7053SJung-uk Kim int ssl3_take_mac(SSL *s)
707e71b7053SJung-uk Kim {
708e71b7053SJung-uk Kim const char *sender;
709e71b7053SJung-uk Kim size_t slen;
710e71b7053SJung-uk Kim
711e71b7053SJung-uk Kim if (!s->server) {
712e71b7053SJung-uk Kim sender = s->method->ssl3_enc->server_finished_label;
713e71b7053SJung-uk Kim slen = s->method->ssl3_enc->server_finished_label_len;
714e71b7053SJung-uk Kim } else {
715e71b7053SJung-uk Kim sender = s->method->ssl3_enc->client_finished_label;
716e71b7053SJung-uk Kim slen = s->method->ssl3_enc->client_finished_label_len;
717e71b7053SJung-uk Kim }
718e71b7053SJung-uk Kim
719b077aed3SPierre Pronchery s->s3.tmp.peer_finish_md_len =
720e71b7053SJung-uk Kim s->method->ssl3_enc->final_finish_mac(s, sender, slen,
721b077aed3SPierre Pronchery s->s3.tmp.peer_finish_md);
722e71b7053SJung-uk Kim
723b077aed3SPierre Pronchery if (s->s3.tmp.peer_finish_md_len == 0) {
724e71b7053SJung-uk Kim /* SSLfatal() already called */
725e71b7053SJung-uk Kim return 0;
726e71b7053SJung-uk Kim }
727e71b7053SJung-uk Kim
728e71b7053SJung-uk Kim return 1;
729e71b7053SJung-uk Kim }
730e71b7053SJung-uk Kim
tls_process_change_cipher_spec(SSL * s,PACKET * pkt)731e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
732e71b7053SJung-uk Kim {
733e71b7053SJung-uk Kim size_t remain;
734e71b7053SJung-uk Kim
735e71b7053SJung-uk Kim remain = PACKET_remaining(pkt);
736e71b7053SJung-uk Kim /*
737e71b7053SJung-uk Kim * 'Change Cipher Spec' is just a single byte, which should already have
738e71b7053SJung-uk Kim * been consumed by ssl_get_message() so there should be no bytes left,
739e71b7053SJung-uk Kim * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
740e71b7053SJung-uk Kim */
741e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) {
742e71b7053SJung-uk Kim if ((s->version == DTLS1_BAD_VER
743e71b7053SJung-uk Kim && remain != DTLS1_CCS_HEADER_LENGTH + 1)
744e71b7053SJung-uk Kim || (s->version != DTLS1_BAD_VER
745e71b7053SJung-uk Kim && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
746b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
747e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
748e71b7053SJung-uk Kim }
749e71b7053SJung-uk Kim } else {
750e71b7053SJung-uk Kim if (remain != 0) {
751b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
752e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
753e71b7053SJung-uk Kim }
754e71b7053SJung-uk Kim }
755e71b7053SJung-uk Kim
756e71b7053SJung-uk Kim /* Check we have a cipher to change to */
757b077aed3SPierre Pronchery if (s->s3.tmp.new_cipher == NULL) {
758b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
759e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
760e71b7053SJung-uk Kim }
761e71b7053SJung-uk Kim
762b077aed3SPierre Pronchery s->s3.change_cipher_spec = 1;
763e71b7053SJung-uk Kim if (!ssl3_do_change_cipher_spec(s)) {
764b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
765e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
766e71b7053SJung-uk Kim }
767e71b7053SJung-uk Kim
768e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) {
769e71b7053SJung-uk Kim dtls1_reset_seq_numbers(s, SSL3_CC_READ);
770e71b7053SJung-uk Kim
771e71b7053SJung-uk Kim if (s->version == DTLS1_BAD_VER)
772e71b7053SJung-uk Kim s->d1->handshake_read_seq++;
773e71b7053SJung-uk Kim
774e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SCTP
775e71b7053SJung-uk Kim /*
776e71b7053SJung-uk Kim * Remember that a CCS has been received, so that an old key of
777e71b7053SJung-uk Kim * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
778e71b7053SJung-uk Kim * SCTP is used
779e71b7053SJung-uk Kim */
780e71b7053SJung-uk Kim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
781e71b7053SJung-uk Kim #endif
782e71b7053SJung-uk Kim }
783e71b7053SJung-uk Kim
784e71b7053SJung-uk Kim return MSG_PROCESS_CONTINUE_READING;
785e71b7053SJung-uk Kim }
786e71b7053SJung-uk Kim
tls_process_finished(SSL * s,PACKET * pkt)787e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
788e71b7053SJung-uk Kim {
789e71b7053SJung-uk Kim size_t md_len;
790e71b7053SJung-uk Kim
791e71b7053SJung-uk Kim
792e71b7053SJung-uk Kim /* This is a real handshake so make sure we clean it up at the end */
793e71b7053SJung-uk Kim if (s->server) {
794e71b7053SJung-uk Kim /*
795e71b7053SJung-uk Kim * To get this far we must have read encrypted data from the client. We
796e71b7053SJung-uk Kim * no longer tolerate unencrypted alerts. This value is ignored if less
797e71b7053SJung-uk Kim * than TLSv1.3
798e71b7053SJung-uk Kim */
799e71b7053SJung-uk Kim s->statem.enc_read_state = ENC_READ_STATE_VALID;
800e71b7053SJung-uk Kim if (s->post_handshake_auth != SSL_PHA_REQUESTED)
801e71b7053SJung-uk Kim s->statem.cleanuphand = 1;
802e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
803e71b7053SJung-uk Kim /* SSLfatal() already called */
804e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
805e71b7053SJung-uk Kim }
806e71b7053SJung-uk Kim }
807e71b7053SJung-uk Kim
808e71b7053SJung-uk Kim /*
809e71b7053SJung-uk Kim * In TLSv1.3 a Finished message signals a key change so the end of the
810e71b7053SJung-uk Kim * message must be on a record boundary.
811e71b7053SJung-uk Kim */
812e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
813b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
814e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
815e71b7053SJung-uk Kim }
816e71b7053SJung-uk Kim
817e71b7053SJung-uk Kim /* If this occurs, we have missed a message */
818b077aed3SPierre Pronchery if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
819b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
820e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
821e71b7053SJung-uk Kim }
822b077aed3SPierre Pronchery s->s3.change_cipher_spec = 0;
823e71b7053SJung-uk Kim
824b077aed3SPierre Pronchery md_len = s->s3.tmp.peer_finish_md_len;
825e71b7053SJung-uk Kim
826e71b7053SJung-uk Kim if (md_len != PACKET_remaining(pkt)) {
827b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
828e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
829e71b7053SJung-uk Kim }
830e71b7053SJung-uk Kim
831b077aed3SPierre Pronchery if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
832e71b7053SJung-uk Kim md_len) != 0) {
833b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
834e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
835e71b7053SJung-uk Kim }
836e71b7053SJung-uk Kim
837e71b7053SJung-uk Kim /*
838e71b7053SJung-uk Kim * Copy the finished so we can use it for renegotiation checks
839e71b7053SJung-uk Kim */
840e71b7053SJung-uk Kim if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
841b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
842e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
843e71b7053SJung-uk Kim }
844e71b7053SJung-uk Kim if (s->server) {
845b077aed3SPierre Pronchery memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
846e71b7053SJung-uk Kim md_len);
847b077aed3SPierre Pronchery s->s3.previous_client_finished_len = md_len;
848e71b7053SJung-uk Kim } else {
849b077aed3SPierre Pronchery memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
850e71b7053SJung-uk Kim md_len);
851b077aed3SPierre Pronchery s->s3.previous_server_finished_len = md_len;
852e71b7053SJung-uk Kim }
853e71b7053SJung-uk Kim
854e71b7053SJung-uk Kim /*
855e71b7053SJung-uk Kim * In TLS1.3 we also have to change cipher state and do any final processing
856e71b7053SJung-uk Kim * of the initial server flight (if we are a client)
857e71b7053SJung-uk Kim */
858e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) {
859e71b7053SJung-uk Kim if (s->server) {
860e71b7053SJung-uk Kim if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
861e71b7053SJung-uk Kim !s->method->ssl3_enc->change_cipher_state(s,
862e71b7053SJung-uk Kim SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
863e71b7053SJung-uk Kim /* SSLfatal() already called */
864e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
865e71b7053SJung-uk Kim }
866e71b7053SJung-uk Kim } else {
86717f01e99SJung-uk Kim /* TLS 1.3 gets the secret size from the handshake md */
86817f01e99SJung-uk Kim size_t dummy;
869e71b7053SJung-uk Kim if (!s->method->ssl3_enc->generate_master_secret(s,
870e71b7053SJung-uk Kim s->master_secret, s->handshake_secret, 0,
87117f01e99SJung-uk Kim &dummy)) {
872e71b7053SJung-uk Kim /* SSLfatal() already called */
873e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
874e71b7053SJung-uk Kim }
875e71b7053SJung-uk Kim if (!s->method->ssl3_enc->change_cipher_state(s,
876e71b7053SJung-uk Kim SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
877e71b7053SJung-uk Kim /* SSLfatal() already called */
878e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
879e71b7053SJung-uk Kim }
880e71b7053SJung-uk Kim if (!tls_process_initial_server_flight(s)) {
881e71b7053SJung-uk Kim /* SSLfatal() already called */
882e71b7053SJung-uk Kim return MSG_PROCESS_ERROR;
883e71b7053SJung-uk Kim }
884e71b7053SJung-uk Kim }
885e71b7053SJung-uk Kim }
886e71b7053SJung-uk Kim
887e71b7053SJung-uk Kim return MSG_PROCESS_FINISHED_READING;
888e71b7053SJung-uk Kim }
889e71b7053SJung-uk Kim
tls_construct_change_cipher_spec(SSL * s,WPACKET * pkt)890e71b7053SJung-uk Kim int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
891e71b7053SJung-uk Kim {
892e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
893b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
894e71b7053SJung-uk Kim return 0;
895e71b7053SJung-uk Kim }
896e71b7053SJung-uk Kim
897e71b7053SJung-uk Kim return 1;
898e71b7053SJung-uk Kim }
899e71b7053SJung-uk Kim
900e71b7053SJung-uk Kim /* Add a certificate to the WPACKET */
ssl_add_cert_to_wpacket(SSL * s,WPACKET * pkt,X509 * x,int chain)901e71b7053SJung-uk Kim static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
902e71b7053SJung-uk Kim {
903e71b7053SJung-uk Kim int len;
904e71b7053SJung-uk Kim unsigned char *outbytes;
905e71b7053SJung-uk Kim
906e71b7053SJung-uk Kim len = i2d_X509(x, NULL);
907e71b7053SJung-uk Kim if (len < 0) {
908b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
909e71b7053SJung-uk Kim return 0;
910e71b7053SJung-uk Kim }
911e71b7053SJung-uk Kim if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
912e71b7053SJung-uk Kim || i2d_X509(x, &outbytes) != len) {
913b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
914e71b7053SJung-uk Kim return 0;
915e71b7053SJung-uk Kim }
916e71b7053SJung-uk Kim
917e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)
918e71b7053SJung-uk Kim && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
919e71b7053SJung-uk Kim chain)) {
920e71b7053SJung-uk Kim /* SSLfatal() already called */
921e71b7053SJung-uk Kim return 0;
922e71b7053SJung-uk Kim }
923e71b7053SJung-uk Kim
924e71b7053SJung-uk Kim return 1;
925e71b7053SJung-uk Kim }
926e71b7053SJung-uk Kim
927e71b7053SJung-uk Kim /* Add certificate chain to provided WPACKET */
ssl_add_cert_chain(SSL * s,WPACKET * pkt,CERT_PKEY * cpk)928e71b7053SJung-uk Kim static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
929e71b7053SJung-uk Kim {
930e71b7053SJung-uk Kim int i, chain_count;
931e71b7053SJung-uk Kim X509 *x;
932e71b7053SJung-uk Kim STACK_OF(X509) *extra_certs;
933e71b7053SJung-uk Kim STACK_OF(X509) *chain = NULL;
934e71b7053SJung-uk Kim X509_STORE *chain_store;
935e71b7053SJung-uk Kim
936e71b7053SJung-uk Kim if (cpk == NULL || cpk->x509 == NULL)
937e71b7053SJung-uk Kim return 1;
938e71b7053SJung-uk Kim
939e71b7053SJung-uk Kim x = cpk->x509;
940e71b7053SJung-uk Kim
941e71b7053SJung-uk Kim /*
942e71b7053SJung-uk Kim * If we have a certificate specific chain use it, else use parent ctx.
943e71b7053SJung-uk Kim */
944e71b7053SJung-uk Kim if (cpk->chain != NULL)
945e71b7053SJung-uk Kim extra_certs = cpk->chain;
946e71b7053SJung-uk Kim else
947e71b7053SJung-uk Kim extra_certs = s->ctx->extra_certs;
948e71b7053SJung-uk Kim
949e71b7053SJung-uk Kim if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
950e71b7053SJung-uk Kim chain_store = NULL;
951e71b7053SJung-uk Kim else if (s->cert->chain_store)
952e71b7053SJung-uk Kim chain_store = s->cert->chain_store;
953e71b7053SJung-uk Kim else
954e71b7053SJung-uk Kim chain_store = s->ctx->cert_store;
955e71b7053SJung-uk Kim
956e71b7053SJung-uk Kim if (chain_store != NULL) {
957b077aed3SPierre Pronchery X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx,
958b077aed3SPierre Pronchery s->ctx->propq);
959e71b7053SJung-uk Kim
960e71b7053SJung-uk Kim if (xs_ctx == NULL) {
961b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
962e71b7053SJung-uk Kim return 0;
963e71b7053SJung-uk Kim }
964e71b7053SJung-uk Kim if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
965e71b7053SJung-uk Kim X509_STORE_CTX_free(xs_ctx);
966b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
967e71b7053SJung-uk Kim return 0;
968e71b7053SJung-uk Kim }
969e71b7053SJung-uk Kim /*
970e71b7053SJung-uk Kim * It is valid for the chain not to be complete (because normally we
971e71b7053SJung-uk Kim * don't include the root cert in the chain). Therefore we deliberately
972e71b7053SJung-uk Kim * ignore the error return from this call. We're not actually verifying
973e71b7053SJung-uk Kim * the cert - we're just building as much of the chain as we can
974e71b7053SJung-uk Kim */
975e71b7053SJung-uk Kim (void)X509_verify_cert(xs_ctx);
976e71b7053SJung-uk Kim /* Don't leave errors in the queue */
977e71b7053SJung-uk Kim ERR_clear_error();
978e71b7053SJung-uk Kim chain = X509_STORE_CTX_get0_chain(xs_ctx);
979e71b7053SJung-uk Kim i = ssl_security_cert_chain(s, chain, NULL, 0);
980e71b7053SJung-uk Kim if (i != 1) {
981e71b7053SJung-uk Kim #if 0
982e71b7053SJung-uk Kim /* Dummy error calls so mkerr generates them */
983b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
984b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
985b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
986e71b7053SJung-uk Kim #endif
987e71b7053SJung-uk Kim X509_STORE_CTX_free(xs_ctx);
988b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
989e71b7053SJung-uk Kim return 0;
990e71b7053SJung-uk Kim }
991e71b7053SJung-uk Kim chain_count = sk_X509_num(chain);
992e71b7053SJung-uk Kim for (i = 0; i < chain_count; i++) {
993e71b7053SJung-uk Kim x = sk_X509_value(chain, i);
994e71b7053SJung-uk Kim
995e71b7053SJung-uk Kim if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
996e71b7053SJung-uk Kim /* SSLfatal() already called */
997e71b7053SJung-uk Kim X509_STORE_CTX_free(xs_ctx);
998e71b7053SJung-uk Kim return 0;
999e71b7053SJung-uk Kim }
1000e71b7053SJung-uk Kim }
1001e71b7053SJung-uk Kim X509_STORE_CTX_free(xs_ctx);
1002e71b7053SJung-uk Kim } else {
1003e71b7053SJung-uk Kim i = ssl_security_cert_chain(s, extra_certs, x, 0);
1004e71b7053SJung-uk Kim if (i != 1) {
1005b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
1006e71b7053SJung-uk Kim return 0;
1007e71b7053SJung-uk Kim }
1008e71b7053SJung-uk Kim if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1009e71b7053SJung-uk Kim /* SSLfatal() already called */
1010e71b7053SJung-uk Kim return 0;
1011e71b7053SJung-uk Kim }
1012e71b7053SJung-uk Kim for (i = 0; i < sk_X509_num(extra_certs); i++) {
1013e71b7053SJung-uk Kim x = sk_X509_value(extra_certs, i);
1014e71b7053SJung-uk Kim if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1015e71b7053SJung-uk Kim /* SSLfatal() already called */
1016e71b7053SJung-uk Kim return 0;
1017e71b7053SJung-uk Kim }
1018e71b7053SJung-uk Kim }
1019e71b7053SJung-uk Kim }
1020e71b7053SJung-uk Kim return 1;
1021e71b7053SJung-uk Kim }
1022e71b7053SJung-uk Kim
ssl3_output_cert_chain(SSL * s,WPACKET * pkt,CERT_PKEY * cpk)1023e71b7053SJung-uk Kim unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1024e71b7053SJung-uk Kim {
1025e71b7053SJung-uk Kim if (!WPACKET_start_sub_packet_u24(pkt)) {
1026b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1027e71b7053SJung-uk Kim return 0;
1028e71b7053SJung-uk Kim }
1029e71b7053SJung-uk Kim
1030e71b7053SJung-uk Kim if (!ssl_add_cert_chain(s, pkt, cpk))
1031e71b7053SJung-uk Kim return 0;
1032e71b7053SJung-uk Kim
1033e71b7053SJung-uk Kim if (!WPACKET_close(pkt)) {
1034b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1035e71b7053SJung-uk Kim return 0;
1036e71b7053SJung-uk Kim }
1037e71b7053SJung-uk Kim
1038e71b7053SJung-uk Kim return 1;
1039e71b7053SJung-uk Kim }
1040e71b7053SJung-uk Kim
1041e71b7053SJung-uk Kim /*
1042e71b7053SJung-uk Kim * Tidy up after the end of a handshake. In the case of SCTP this may result
1043e71b7053SJung-uk Kim * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1044e71b7053SJung-uk Kim * freed up as well.
1045e71b7053SJung-uk Kim */
tls_finish_handshake(SSL * s,ossl_unused WORK_STATE wst,int clearbufs,int stop)1046b077aed3SPierre Pronchery WORK_STATE tls_finish_handshake(SSL *s, ossl_unused WORK_STATE wst,
1047b077aed3SPierre Pronchery int clearbufs, int stop)
1048e71b7053SJung-uk Kim {
1049e71b7053SJung-uk Kim void (*cb) (const SSL *ssl, int type, int val) = NULL;
10506935a639SJung-uk Kim int cleanuphand = s->statem.cleanuphand;
1051e71b7053SJung-uk Kim
1052e71b7053SJung-uk Kim if (clearbufs) {
105317f01e99SJung-uk Kim if (!SSL_IS_DTLS(s)
105417f01e99SJung-uk Kim #ifndef OPENSSL_NO_SCTP
1055e71b7053SJung-uk Kim /*
105617f01e99SJung-uk Kim * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
105717f01e99SJung-uk Kim * messages that require it. Therefore, DTLS procedures for retransmissions
105817f01e99SJung-uk Kim * MUST NOT be used.
105917f01e99SJung-uk Kim * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
106017f01e99SJung-uk Kim */
106117f01e99SJung-uk Kim || BIO_dgram_is_sctp(SSL_get_wbio(s))
106217f01e99SJung-uk Kim #endif
106317f01e99SJung-uk Kim ) {
106417f01e99SJung-uk Kim /*
106517f01e99SJung-uk Kim * We don't do this in DTLS over UDP because we may still need the init_buf
1066e71b7053SJung-uk Kim * in case there are any unexpected retransmits
1067e71b7053SJung-uk Kim */
1068e71b7053SJung-uk Kim BUF_MEM_free(s->init_buf);
1069e71b7053SJung-uk Kim s->init_buf = NULL;
1070e71b7053SJung-uk Kim }
107117f01e99SJung-uk Kim
1072e71b7053SJung-uk Kim if (!ssl_free_wbio_buffer(s)) {
1073b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1074e71b7053SJung-uk Kim return WORK_ERROR;
1075e71b7053SJung-uk Kim }
1076e71b7053SJung-uk Kim s->init_num = 0;
1077e71b7053SJung-uk Kim }
1078e71b7053SJung-uk Kim
1079e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && !s->server
1080e71b7053SJung-uk Kim && s->post_handshake_auth == SSL_PHA_REQUESTED)
1081e71b7053SJung-uk Kim s->post_handshake_auth = SSL_PHA_EXT_SENT;
1082e71b7053SJung-uk Kim
1083e71b7053SJung-uk Kim /*
1084e71b7053SJung-uk Kim * Only set if there was a Finished message and this isn't after a TLSv1.3
1085e71b7053SJung-uk Kim * post handshake exchange
1086e71b7053SJung-uk Kim */
10876935a639SJung-uk Kim if (cleanuphand) {
1088e71b7053SJung-uk Kim /* skipped if we just sent a HelloRequest */
1089e71b7053SJung-uk Kim s->renegotiate = 0;
1090e71b7053SJung-uk Kim s->new_session = 0;
1091e71b7053SJung-uk Kim s->statem.cleanuphand = 0;
1092e71b7053SJung-uk Kim s->ext.ticket_expected = 0;
1093e71b7053SJung-uk Kim
1094e71b7053SJung-uk Kim ssl3_cleanup_key_block(s);
1095e71b7053SJung-uk Kim
1096e71b7053SJung-uk Kim if (s->server) {
1097e71b7053SJung-uk Kim /*
1098e71b7053SJung-uk Kim * In TLSv1.3 we update the cache as part of constructing the
1099e71b7053SJung-uk Kim * NewSessionTicket
1100e71b7053SJung-uk Kim */
1101e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s))
1102e71b7053SJung-uk Kim ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1103e71b7053SJung-uk Kim
1104e71b7053SJung-uk Kim /* N.B. s->ctx may not equal s->session_ctx */
1105b077aed3SPierre Pronchery ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_good);
1106e71b7053SJung-uk Kim s->handshake_func = ossl_statem_accept;
1107e71b7053SJung-uk Kim } else {
1108e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) {
1109e71b7053SJung-uk Kim /*
1110e71b7053SJung-uk Kim * We encourage applications to only use TLSv1.3 tickets once,
1111e71b7053SJung-uk Kim * so we remove this one from the cache.
1112e71b7053SJung-uk Kim */
1113e71b7053SJung-uk Kim if ((s->session_ctx->session_cache_mode
1114e71b7053SJung-uk Kim & SSL_SESS_CACHE_CLIENT) != 0)
1115e71b7053SJung-uk Kim SSL_CTX_remove_session(s->session_ctx, s->session);
1116e71b7053SJung-uk Kim } else {
1117e71b7053SJung-uk Kim /*
1118e71b7053SJung-uk Kim * In TLSv1.3 we update the cache as part of processing the
1119e71b7053SJung-uk Kim * NewSessionTicket
1120e71b7053SJung-uk Kim */
1121e71b7053SJung-uk Kim ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1122e71b7053SJung-uk Kim }
1123e71b7053SJung-uk Kim if (s->hit)
1124b077aed3SPierre Pronchery ssl_tsan_counter(s->session_ctx,
1125b077aed3SPierre Pronchery &s->session_ctx->stats.sess_hit);
1126e71b7053SJung-uk Kim
1127e71b7053SJung-uk Kim s->handshake_func = ossl_statem_connect;
1128b077aed3SPierre Pronchery ssl_tsan_counter(s->session_ctx,
1129b077aed3SPierre Pronchery &s->session_ctx->stats.sess_connect_good);
1130e71b7053SJung-uk Kim }
1131e71b7053SJung-uk Kim
1132e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) {
1133e71b7053SJung-uk Kim /* done with handshaking */
1134e71b7053SJung-uk Kim s->d1->handshake_read_seq = 0;
1135e71b7053SJung-uk Kim s->d1->handshake_write_seq = 0;
1136e71b7053SJung-uk Kim s->d1->next_handshake_write_seq = 0;
1137e71b7053SJung-uk Kim dtls1_clear_received_buffer(s);
1138e71b7053SJung-uk Kim }
1139e71b7053SJung-uk Kim }
1140e71b7053SJung-uk Kim
1141e71b7053SJung-uk Kim if (s->info_callback != NULL)
1142e71b7053SJung-uk Kim cb = s->info_callback;
1143e71b7053SJung-uk Kim else if (s->ctx->info_callback != NULL)
1144e71b7053SJung-uk Kim cb = s->ctx->info_callback;
1145e71b7053SJung-uk Kim
1146e71b7053SJung-uk Kim /* The callback may expect us to not be in init at handshake done */
1147e71b7053SJung-uk Kim ossl_statem_set_in_init(s, 0);
1148e71b7053SJung-uk Kim
11496935a639SJung-uk Kim if (cb != NULL) {
11506935a639SJung-uk Kim if (cleanuphand
11516935a639SJung-uk Kim || !SSL_IS_TLS13(s)
11526935a639SJung-uk Kim || SSL_IS_FIRST_HANDSHAKE(s))
1153e71b7053SJung-uk Kim cb(s, SSL_CB_HANDSHAKE_DONE, 1);
11546935a639SJung-uk Kim }
1155e71b7053SJung-uk Kim
1156e71b7053SJung-uk Kim if (!stop) {
1157e71b7053SJung-uk Kim /* If we've got more work to do we go back into init */
1158e71b7053SJung-uk Kim ossl_statem_set_in_init(s, 1);
1159e71b7053SJung-uk Kim return WORK_FINISHED_CONTINUE;
1160e71b7053SJung-uk Kim }
1161e71b7053SJung-uk Kim
1162e71b7053SJung-uk Kim return WORK_FINISHED_STOP;
1163e71b7053SJung-uk Kim }
1164e71b7053SJung-uk Kim
tls_get_message_header(SSL * s,int * mt)1165e71b7053SJung-uk Kim int tls_get_message_header(SSL *s, int *mt)
1166e71b7053SJung-uk Kim {
1167e71b7053SJung-uk Kim /* s->init_num < SSL3_HM_HEADER_LENGTH */
1168e71b7053SJung-uk Kim int skip_message, i, recvd_type;
1169e71b7053SJung-uk Kim unsigned char *p;
1170e71b7053SJung-uk Kim size_t l, readbytes;
1171e71b7053SJung-uk Kim
1172e71b7053SJung-uk Kim p = (unsigned char *)s->init_buf->data;
1173e71b7053SJung-uk Kim
1174e71b7053SJung-uk Kim do {
1175e71b7053SJung-uk Kim while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1176e71b7053SJung-uk Kim i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1177e71b7053SJung-uk Kim &p[s->init_num],
1178e71b7053SJung-uk Kim SSL3_HM_HEADER_LENGTH - s->init_num,
1179e71b7053SJung-uk Kim 0, &readbytes);
1180e71b7053SJung-uk Kim if (i <= 0) {
1181e71b7053SJung-uk Kim s->rwstate = SSL_READING;
1182e71b7053SJung-uk Kim return 0;
1183e71b7053SJung-uk Kim }
1184e71b7053SJung-uk Kim if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1185e71b7053SJung-uk Kim /*
1186e71b7053SJung-uk Kim * A ChangeCipherSpec must be a single byte and may not occur
1187e71b7053SJung-uk Kim * in the middle of a handshake message.
1188e71b7053SJung-uk Kim */
1189e71b7053SJung-uk Kim if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1190e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1191e71b7053SJung-uk Kim SSL_R_BAD_CHANGE_CIPHER_SPEC);
1192e71b7053SJung-uk Kim return 0;
1193e71b7053SJung-uk Kim }
1194e71b7053SJung-uk Kim if (s->statem.hand_state == TLS_ST_BEFORE
1195b077aed3SPierre Pronchery && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1196e71b7053SJung-uk Kim /*
1197e71b7053SJung-uk Kim * We are stateless and we received a CCS. Probably this is
1198e71b7053SJung-uk Kim * from a client between the first and second ClientHellos.
1199e71b7053SJung-uk Kim * We should ignore this, but return an error because we do
1200e71b7053SJung-uk Kim * not return success until we see the second ClientHello
1201e71b7053SJung-uk Kim * with a valid cookie.
1202e71b7053SJung-uk Kim */
1203e71b7053SJung-uk Kim return 0;
1204e71b7053SJung-uk Kim }
1205b077aed3SPierre Pronchery s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1206e71b7053SJung-uk Kim s->init_num = readbytes - 1;
1207e71b7053SJung-uk Kim s->init_msg = s->init_buf->data;
1208b077aed3SPierre Pronchery s->s3.tmp.message_size = readbytes;
1209e71b7053SJung-uk Kim return 1;
1210e71b7053SJung-uk Kim } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1211e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1212e71b7053SJung-uk Kim SSL_R_CCS_RECEIVED_EARLY);
1213e71b7053SJung-uk Kim return 0;
1214e71b7053SJung-uk Kim }
1215e71b7053SJung-uk Kim s->init_num += readbytes;
1216e71b7053SJung-uk Kim }
1217e71b7053SJung-uk Kim
1218e71b7053SJung-uk Kim skip_message = 0;
1219e71b7053SJung-uk Kim if (!s->server)
1220e71b7053SJung-uk Kim if (s->statem.hand_state != TLS_ST_OK
1221e71b7053SJung-uk Kim && p[0] == SSL3_MT_HELLO_REQUEST)
1222e71b7053SJung-uk Kim /*
1223e71b7053SJung-uk Kim * The server may always send 'Hello Request' messages --
1224e71b7053SJung-uk Kim * we are doing a handshake anyway now, so ignore them if
1225e71b7053SJung-uk Kim * their format is correct. Does not count for 'Finished'
1226e71b7053SJung-uk Kim * MAC.
1227e71b7053SJung-uk Kim */
1228e71b7053SJung-uk Kim if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1229e71b7053SJung-uk Kim s->init_num = 0;
1230e71b7053SJung-uk Kim skip_message = 1;
1231e71b7053SJung-uk Kim
1232e71b7053SJung-uk Kim if (s->msg_callback)
1233e71b7053SJung-uk Kim s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1234e71b7053SJung-uk Kim p, SSL3_HM_HEADER_LENGTH, s,
1235e71b7053SJung-uk Kim s->msg_callback_arg);
1236e71b7053SJung-uk Kim }
1237e71b7053SJung-uk Kim } while (skip_message);
1238e71b7053SJung-uk Kim /* s->init_num == SSL3_HM_HEADER_LENGTH */
1239e71b7053SJung-uk Kim
1240e71b7053SJung-uk Kim *mt = *p;
1241b077aed3SPierre Pronchery s->s3.tmp.message_type = *(p++);
1242e71b7053SJung-uk Kim
1243e71b7053SJung-uk Kim if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1244e71b7053SJung-uk Kim /*
1245e71b7053SJung-uk Kim * Only happens with SSLv3+ in an SSLv2 backward compatible
1246e71b7053SJung-uk Kim * ClientHello
1247e71b7053SJung-uk Kim *
1248e71b7053SJung-uk Kim * Total message size is the remaining record bytes to read
1249e71b7053SJung-uk Kim * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1250e71b7053SJung-uk Kim */
1251e71b7053SJung-uk Kim l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1252e71b7053SJung-uk Kim + SSL3_HM_HEADER_LENGTH;
1253b077aed3SPierre Pronchery s->s3.tmp.message_size = l;
1254e71b7053SJung-uk Kim
1255e71b7053SJung-uk Kim s->init_msg = s->init_buf->data;
1256e71b7053SJung-uk Kim s->init_num = SSL3_HM_HEADER_LENGTH;
1257e71b7053SJung-uk Kim } else {
1258e71b7053SJung-uk Kim n2l3(p, l);
1259e71b7053SJung-uk Kim /* BUF_MEM_grow takes an 'int' parameter */
1260e71b7053SJung-uk Kim if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1261b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1262e71b7053SJung-uk Kim SSL_R_EXCESSIVE_MESSAGE_SIZE);
1263e71b7053SJung-uk Kim return 0;
1264e71b7053SJung-uk Kim }
1265b077aed3SPierre Pronchery s->s3.tmp.message_size = l;
1266e71b7053SJung-uk Kim
1267e71b7053SJung-uk Kim s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1268e71b7053SJung-uk Kim s->init_num = 0;
1269e71b7053SJung-uk Kim }
1270e71b7053SJung-uk Kim
1271e71b7053SJung-uk Kim return 1;
1272e71b7053SJung-uk Kim }
1273e71b7053SJung-uk Kim
tls_get_message_body(SSL * s,size_t * len)1274e71b7053SJung-uk Kim int tls_get_message_body(SSL *s, size_t *len)
1275e71b7053SJung-uk Kim {
1276e71b7053SJung-uk Kim size_t n, readbytes;
1277e71b7053SJung-uk Kim unsigned char *p;
1278e71b7053SJung-uk Kim int i;
1279e71b7053SJung-uk Kim
1280b077aed3SPierre Pronchery if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1281e71b7053SJung-uk Kim /* We've already read everything in */
1282e71b7053SJung-uk Kim *len = (unsigned long)s->init_num;
1283e71b7053SJung-uk Kim return 1;
1284e71b7053SJung-uk Kim }
1285e71b7053SJung-uk Kim
1286e71b7053SJung-uk Kim p = s->init_msg;
1287b077aed3SPierre Pronchery n = s->s3.tmp.message_size - s->init_num;
1288e71b7053SJung-uk Kim while (n > 0) {
1289e71b7053SJung-uk Kim i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1290e71b7053SJung-uk Kim &p[s->init_num], n, 0, &readbytes);
1291e71b7053SJung-uk Kim if (i <= 0) {
1292e71b7053SJung-uk Kim s->rwstate = SSL_READING;
1293e71b7053SJung-uk Kim *len = 0;
1294e71b7053SJung-uk Kim return 0;
1295e71b7053SJung-uk Kim }
1296e71b7053SJung-uk Kim s->init_num += readbytes;
1297e71b7053SJung-uk Kim n -= readbytes;
1298e71b7053SJung-uk Kim }
1299e71b7053SJung-uk Kim
1300e71b7053SJung-uk Kim /*
1301e71b7053SJung-uk Kim * If receiving Finished, record MAC of prior handshake messages for
1302e71b7053SJung-uk Kim * Finished verification.
1303e71b7053SJung-uk Kim */
1304e71b7053SJung-uk Kim if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1305e71b7053SJung-uk Kim /* SSLfatal() already called */
1306e71b7053SJung-uk Kim *len = 0;
1307e71b7053SJung-uk Kim return 0;
1308e71b7053SJung-uk Kim }
1309e71b7053SJung-uk Kim
1310e71b7053SJung-uk Kim /* Feed this message into MAC computation. */
1311e71b7053SJung-uk Kim if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1312e71b7053SJung-uk Kim if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1313e71b7053SJung-uk Kim s->init_num)) {
1314e71b7053SJung-uk Kim /* SSLfatal() already called */
1315e71b7053SJung-uk Kim *len = 0;
1316e71b7053SJung-uk Kim return 0;
1317e71b7053SJung-uk Kim }
1318e71b7053SJung-uk Kim if (s->msg_callback)
1319e71b7053SJung-uk Kim s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1320e71b7053SJung-uk Kim (size_t)s->init_num, s, s->msg_callback_arg);
1321e71b7053SJung-uk Kim } else {
1322e71b7053SJung-uk Kim /*
1323e71b7053SJung-uk Kim * We defer feeding in the HRR until later. We'll do it as part of
1324e71b7053SJung-uk Kim * processing the message
1325e71b7053SJung-uk Kim * The TLsv1.3 handshake transcript stops at the ClientFinished
1326e71b7053SJung-uk Kim * message.
1327e71b7053SJung-uk Kim */
1328e71b7053SJung-uk Kim #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1329e71b7053SJung-uk Kim /* KeyUpdate and NewSessionTicket do not need to be added */
1330b077aed3SPierre Pronchery if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1331b077aed3SPierre Pronchery && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1332b077aed3SPierre Pronchery if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1333e71b7053SJung-uk Kim || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1334e71b7053SJung-uk Kim || memcmp(hrrrandom,
1335e71b7053SJung-uk Kim s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1336e71b7053SJung-uk Kim SSL3_RANDOM_SIZE) != 0) {
1337e71b7053SJung-uk Kim if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1338e71b7053SJung-uk Kim s->init_num + SSL3_HM_HEADER_LENGTH)) {
1339e71b7053SJung-uk Kim /* SSLfatal() already called */
1340e71b7053SJung-uk Kim *len = 0;
1341e71b7053SJung-uk Kim return 0;
1342e71b7053SJung-uk Kim }
1343e71b7053SJung-uk Kim }
1344e71b7053SJung-uk Kim }
1345e71b7053SJung-uk Kim if (s->msg_callback)
1346e71b7053SJung-uk Kim s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1347e71b7053SJung-uk Kim (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1348e71b7053SJung-uk Kim s->msg_callback_arg);
1349e71b7053SJung-uk Kim }
1350e71b7053SJung-uk Kim
1351e71b7053SJung-uk Kim *len = s->init_num;
1352e71b7053SJung-uk Kim return 1;
1353e71b7053SJung-uk Kim }
1354e71b7053SJung-uk Kim
1355e71b7053SJung-uk Kim static const X509ERR2ALERT x509table[] = {
1356e71b7053SJung-uk Kim {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1357e71b7053SJung-uk Kim {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
135858f35182SJung-uk Kim {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
1359e71b7053SJung-uk Kim {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1360e71b7053SJung-uk Kim {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1361e71b7053SJung-uk Kim {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1362e71b7053SJung-uk Kim {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1363e71b7053SJung-uk Kim {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1364e71b7053SJung-uk Kim {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1365e71b7053SJung-uk Kim {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1366e71b7053SJung-uk Kim {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1367e71b7053SJung-uk Kim {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1368e71b7053SJung-uk Kim {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1369e71b7053SJung-uk Kim {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1370e71b7053SJung-uk Kim {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1371e71b7053SJung-uk Kim {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1372e71b7053SJung-uk Kim {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1373e71b7053SJung-uk Kim {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1374e71b7053SJung-uk Kim {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1375e71b7053SJung-uk Kim {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1376e71b7053SJung-uk Kim {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1377e71b7053SJung-uk Kim {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1378e71b7053SJung-uk Kim {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1379e71b7053SJung-uk Kim {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1380e71b7053SJung-uk Kim {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1381e71b7053SJung-uk Kim {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1382e71b7053SJung-uk Kim {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1383e71b7053SJung-uk Kim {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1384e71b7053SJung-uk Kim {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1385e71b7053SJung-uk Kim {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1386e71b7053SJung-uk Kim {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1387e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1388e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1389e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1390e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1391e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1392e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1393e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1394e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1395e71b7053SJung-uk Kim {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1396e71b7053SJung-uk Kim
1397e71b7053SJung-uk Kim /* Last entry; return this if we don't find the value above. */
1398e71b7053SJung-uk Kim {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1399e71b7053SJung-uk Kim };
1400e71b7053SJung-uk Kim
ssl_x509err2alert(int x509err)1401e71b7053SJung-uk Kim int ssl_x509err2alert(int x509err)
1402e71b7053SJung-uk Kim {
1403e71b7053SJung-uk Kim const X509ERR2ALERT *tp;
1404e71b7053SJung-uk Kim
1405e71b7053SJung-uk Kim for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1406e71b7053SJung-uk Kim if (tp->x509err == x509err)
1407e71b7053SJung-uk Kim break;
1408e71b7053SJung-uk Kim return tp->alert;
1409e71b7053SJung-uk Kim }
1410e71b7053SJung-uk Kim
ssl_allow_compression(SSL * s)1411e71b7053SJung-uk Kim int ssl_allow_compression(SSL *s)
1412e71b7053SJung-uk Kim {
1413e71b7053SJung-uk Kim if (s->options & SSL_OP_NO_COMPRESSION)
1414e71b7053SJung-uk Kim return 0;
1415e71b7053SJung-uk Kim return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1416e71b7053SJung-uk Kim }
1417e71b7053SJung-uk Kim
version_cmp(const SSL * s,int a,int b)1418e71b7053SJung-uk Kim static int version_cmp(const SSL *s, int a, int b)
1419e71b7053SJung-uk Kim {
1420e71b7053SJung-uk Kim int dtls = SSL_IS_DTLS(s);
1421e71b7053SJung-uk Kim
1422e71b7053SJung-uk Kim if (a == b)
1423e71b7053SJung-uk Kim return 0;
1424e71b7053SJung-uk Kim if (!dtls)
1425e71b7053SJung-uk Kim return a < b ? -1 : 1;
1426e71b7053SJung-uk Kim return DTLS_VERSION_LT(a, b) ? -1 : 1;
1427e71b7053SJung-uk Kim }
1428e71b7053SJung-uk Kim
1429e71b7053SJung-uk Kim typedef struct {
1430e71b7053SJung-uk Kim int version;
1431e71b7053SJung-uk Kim const SSL_METHOD *(*cmeth) (void);
1432e71b7053SJung-uk Kim const SSL_METHOD *(*smeth) (void);
1433e71b7053SJung-uk Kim } version_info;
1434e71b7053SJung-uk Kim
1435b077aed3SPierre Pronchery #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1436e71b7053SJung-uk Kim # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1437e71b7053SJung-uk Kim #endif
1438e71b7053SJung-uk Kim
1439e71b7053SJung-uk Kim /* Must be in order high to low */
1440e71b7053SJung-uk Kim static const version_info tls_version_table[] = {
1441e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_3
1442e71b7053SJung-uk Kim {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1443e71b7053SJung-uk Kim #else
1444e71b7053SJung-uk Kim {TLS1_3_VERSION, NULL, NULL},
1445e71b7053SJung-uk Kim #endif
1446e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_2
1447e71b7053SJung-uk Kim {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1448e71b7053SJung-uk Kim #else
1449e71b7053SJung-uk Kim {TLS1_2_VERSION, NULL, NULL},
1450e71b7053SJung-uk Kim #endif
1451e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_1
1452e71b7053SJung-uk Kim {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1453e71b7053SJung-uk Kim #else
1454e71b7053SJung-uk Kim {TLS1_1_VERSION, NULL, NULL},
1455e71b7053SJung-uk Kim #endif
1456e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1
1457e71b7053SJung-uk Kim {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1458e71b7053SJung-uk Kim #else
1459e71b7053SJung-uk Kim {TLS1_VERSION, NULL, NULL},
1460e71b7053SJung-uk Kim #endif
1461e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SSL3
1462e71b7053SJung-uk Kim {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1463e71b7053SJung-uk Kim #else
1464e71b7053SJung-uk Kim {SSL3_VERSION, NULL, NULL},
1465e71b7053SJung-uk Kim #endif
1466e71b7053SJung-uk Kim {0, NULL, NULL},
1467e71b7053SJung-uk Kim };
1468e71b7053SJung-uk Kim
1469b077aed3SPierre Pronchery #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1470e71b7053SJung-uk Kim # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1471e71b7053SJung-uk Kim #endif
1472e71b7053SJung-uk Kim
1473e71b7053SJung-uk Kim /* Must be in order high to low */
1474e71b7053SJung-uk Kim static const version_info dtls_version_table[] = {
1475e71b7053SJung-uk Kim #ifndef OPENSSL_NO_DTLS1_2
1476e71b7053SJung-uk Kim {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1477e71b7053SJung-uk Kim #else
1478e71b7053SJung-uk Kim {DTLS1_2_VERSION, NULL, NULL},
1479e71b7053SJung-uk Kim #endif
1480e71b7053SJung-uk Kim #ifndef OPENSSL_NO_DTLS1
1481e71b7053SJung-uk Kim {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1482e71b7053SJung-uk Kim {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1483e71b7053SJung-uk Kim #else
1484e71b7053SJung-uk Kim {DTLS1_VERSION, NULL, NULL},
1485e71b7053SJung-uk Kim {DTLS1_BAD_VER, NULL, NULL},
1486e71b7053SJung-uk Kim #endif
1487e71b7053SJung-uk Kim {0, NULL, NULL},
1488e71b7053SJung-uk Kim };
1489e71b7053SJung-uk Kim
1490e71b7053SJung-uk Kim /*
1491e71b7053SJung-uk Kim * ssl_method_error - Check whether an SSL_METHOD is enabled.
1492e71b7053SJung-uk Kim *
1493e71b7053SJung-uk Kim * @s: The SSL handle for the candidate method
1494e71b7053SJung-uk Kim * @method: the intended method.
1495e71b7053SJung-uk Kim *
1496e71b7053SJung-uk Kim * Returns 0 on success, or an SSL error reason on failure.
1497e71b7053SJung-uk Kim */
ssl_method_error(const SSL * s,const SSL_METHOD * method)1498e71b7053SJung-uk Kim static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1499e71b7053SJung-uk Kim {
1500e71b7053SJung-uk Kim int version = method->version;
1501e71b7053SJung-uk Kim
1502e71b7053SJung-uk Kim if ((s->min_proto_version != 0 &&
1503e71b7053SJung-uk Kim version_cmp(s, version, s->min_proto_version) < 0) ||
1504e71b7053SJung-uk Kim ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1505e71b7053SJung-uk Kim return SSL_R_VERSION_TOO_LOW;
1506e71b7053SJung-uk Kim
1507e71b7053SJung-uk Kim if (s->max_proto_version != 0 &&
1508e71b7053SJung-uk Kim version_cmp(s, version, s->max_proto_version) > 0)
1509e71b7053SJung-uk Kim return SSL_R_VERSION_TOO_HIGH;
1510e71b7053SJung-uk Kim
1511e71b7053SJung-uk Kim if ((s->options & method->mask) != 0)
1512e71b7053SJung-uk Kim return SSL_R_UNSUPPORTED_PROTOCOL;
1513e71b7053SJung-uk Kim if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1514e71b7053SJung-uk Kim return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1515e71b7053SJung-uk Kim
1516e71b7053SJung-uk Kim return 0;
1517e71b7053SJung-uk Kim }
1518e71b7053SJung-uk Kim
1519e71b7053SJung-uk Kim /*
1520e71b7053SJung-uk Kim * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
152188e852c0SJung-uk Kim * certificate type, or has PSK or a certificate callback configured, or has
1522b077aed3SPierre Pronchery * a servername callback configure. Otherwise returns 0.
1523e71b7053SJung-uk Kim */
is_tls13_capable(const SSL * s)1524e71b7053SJung-uk Kim static int is_tls13_capable(const SSL *s)
1525e71b7053SJung-uk Kim {
1526e71b7053SJung-uk Kim int i;
1527c9cf7b5cSJung-uk Kim int curve;
1528e71b7053SJung-uk Kim
152988e852c0SJung-uk Kim if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
153088e852c0SJung-uk Kim return 0;
153188e852c0SJung-uk Kim
153288e852c0SJung-uk Kim /*
153388e852c0SJung-uk Kim * A servername callback can change the available certs, so if a servername
153488e852c0SJung-uk Kim * cb is set then we just assume TLSv1.3 will be ok
153588e852c0SJung-uk Kim */
153688e852c0SJung-uk Kim if (s->ctx->ext.servername_cb != NULL
153788e852c0SJung-uk Kim || s->session_ctx->ext.servername_cb != NULL)
153888e852c0SJung-uk Kim return 1;
153988e852c0SJung-uk Kim
1540e71b7053SJung-uk Kim #ifndef OPENSSL_NO_PSK
1541e71b7053SJung-uk Kim if (s->psk_server_callback != NULL)
1542e71b7053SJung-uk Kim return 1;
1543e71b7053SJung-uk Kim #endif
1544e71b7053SJung-uk Kim
1545e71b7053SJung-uk Kim if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1546e71b7053SJung-uk Kim return 1;
1547e71b7053SJung-uk Kim
1548e71b7053SJung-uk Kim for (i = 0; i < SSL_PKEY_NUM; i++) {
1549e71b7053SJung-uk Kim /* Skip over certs disallowed for TLSv1.3 */
1550e71b7053SJung-uk Kim switch (i) {
1551e71b7053SJung-uk Kim case SSL_PKEY_DSA_SIGN:
1552e71b7053SJung-uk Kim case SSL_PKEY_GOST01:
1553e71b7053SJung-uk Kim case SSL_PKEY_GOST12_256:
1554e71b7053SJung-uk Kim case SSL_PKEY_GOST12_512:
1555e71b7053SJung-uk Kim continue;
1556e71b7053SJung-uk Kim default:
1557e71b7053SJung-uk Kim break;
1558e71b7053SJung-uk Kim }
1559c9cf7b5cSJung-uk Kim if (!ssl_has_cert(s, i))
1560c9cf7b5cSJung-uk Kim continue;
1561c9cf7b5cSJung-uk Kim if (i != SSL_PKEY_ECC)
1562e71b7053SJung-uk Kim return 1;
1563c9cf7b5cSJung-uk Kim /*
1564c9cf7b5cSJung-uk Kim * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1565c9cf7b5cSJung-uk Kim * more restrictive so check that our sig algs are consistent with this
1566c9cf7b5cSJung-uk Kim * EC cert. See section 4.2.3 of RFC8446.
1567c9cf7b5cSJung-uk Kim */
1568b077aed3SPierre Pronchery curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1569c9cf7b5cSJung-uk Kim if (tls_check_sigalg_curve(s, curve))
1570c9cf7b5cSJung-uk Kim return 1;
1571e71b7053SJung-uk Kim }
1572e71b7053SJung-uk Kim
1573e71b7053SJung-uk Kim return 0;
1574e71b7053SJung-uk Kim }
1575e71b7053SJung-uk Kim
1576e71b7053SJung-uk Kim /*
1577e71b7053SJung-uk Kim * ssl_version_supported - Check that the specified `version` is supported by
1578e71b7053SJung-uk Kim * `SSL *` instance
1579e71b7053SJung-uk Kim *
1580e71b7053SJung-uk Kim * @s: The SSL handle for the candidate method
1581e71b7053SJung-uk Kim * @version: Protocol version to test against
1582e71b7053SJung-uk Kim *
1583e71b7053SJung-uk Kim * Returns 1 when supported, otherwise 0
1584e71b7053SJung-uk Kim */
ssl_version_supported(const SSL * s,int version,const SSL_METHOD ** meth)1585e71b7053SJung-uk Kim int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1586e71b7053SJung-uk Kim {
1587e71b7053SJung-uk Kim const version_info *vent;
1588e71b7053SJung-uk Kim const version_info *table;
1589e71b7053SJung-uk Kim
1590e71b7053SJung-uk Kim switch (s->method->version) {
1591e71b7053SJung-uk Kim default:
1592e71b7053SJung-uk Kim /* Version should match method version for non-ANY method */
1593e71b7053SJung-uk Kim return version_cmp(s, version, s->version) == 0;
1594e71b7053SJung-uk Kim case TLS_ANY_VERSION:
1595e71b7053SJung-uk Kim table = tls_version_table;
1596e71b7053SJung-uk Kim break;
1597e71b7053SJung-uk Kim case DTLS_ANY_VERSION:
1598e71b7053SJung-uk Kim table = dtls_version_table;
1599e71b7053SJung-uk Kim break;
1600e71b7053SJung-uk Kim }
1601e71b7053SJung-uk Kim
1602e71b7053SJung-uk Kim for (vent = table;
1603e71b7053SJung-uk Kim vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1604e71b7053SJung-uk Kim ++vent) {
1605e71b7053SJung-uk Kim if (vent->cmeth != NULL
1606e71b7053SJung-uk Kim && version_cmp(s, version, vent->version) == 0
1607e71b7053SJung-uk Kim && ssl_method_error(s, vent->cmeth()) == 0
1608e71b7053SJung-uk Kim && (!s->server
1609e71b7053SJung-uk Kim || version != TLS1_3_VERSION
1610e71b7053SJung-uk Kim || is_tls13_capable(s))) {
1611e71b7053SJung-uk Kim if (meth != NULL)
1612e71b7053SJung-uk Kim *meth = vent->cmeth();
1613e71b7053SJung-uk Kim return 1;
1614e71b7053SJung-uk Kim }
1615e71b7053SJung-uk Kim }
1616e71b7053SJung-uk Kim return 0;
1617e71b7053SJung-uk Kim }
1618e71b7053SJung-uk Kim
1619e71b7053SJung-uk Kim /*
1620e71b7053SJung-uk Kim * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1621e71b7053SJung-uk Kim * fallback indication from a client check whether we're using the highest
1622e71b7053SJung-uk Kim * supported protocol version.
1623e71b7053SJung-uk Kim *
1624e71b7053SJung-uk Kim * @s server SSL handle.
1625e71b7053SJung-uk Kim *
1626e71b7053SJung-uk Kim * Returns 1 when using the highest enabled version, 0 otherwise.
1627e71b7053SJung-uk Kim */
ssl_check_version_downgrade(SSL * s)1628e71b7053SJung-uk Kim int ssl_check_version_downgrade(SSL *s)
1629e71b7053SJung-uk Kim {
1630e71b7053SJung-uk Kim const version_info *vent;
1631e71b7053SJung-uk Kim const version_info *table;
1632e71b7053SJung-uk Kim
1633e71b7053SJung-uk Kim /*
1634e71b7053SJung-uk Kim * Check that the current protocol is the highest enabled version
1635e71b7053SJung-uk Kim * (according to s->ctx->method, as version negotiation may have changed
1636e71b7053SJung-uk Kim * s->method).
1637e71b7053SJung-uk Kim */
1638e71b7053SJung-uk Kim if (s->version == s->ctx->method->version)
1639e71b7053SJung-uk Kim return 1;
1640e71b7053SJung-uk Kim
1641e71b7053SJung-uk Kim /*
1642e71b7053SJung-uk Kim * Apparently we're using a version-flexible SSL_METHOD (not at its
1643e71b7053SJung-uk Kim * highest protocol version).
1644e71b7053SJung-uk Kim */
1645e71b7053SJung-uk Kim if (s->ctx->method->version == TLS_method()->version)
1646e71b7053SJung-uk Kim table = tls_version_table;
1647e71b7053SJung-uk Kim else if (s->ctx->method->version == DTLS_method()->version)
1648e71b7053SJung-uk Kim table = dtls_version_table;
1649e71b7053SJung-uk Kim else {
1650e71b7053SJung-uk Kim /* Unexpected state; fail closed. */
1651e71b7053SJung-uk Kim return 0;
1652e71b7053SJung-uk Kim }
1653e71b7053SJung-uk Kim
1654e71b7053SJung-uk Kim for (vent = table; vent->version != 0; ++vent) {
1655e71b7053SJung-uk Kim if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1656e71b7053SJung-uk Kim return s->version == vent->version;
1657e71b7053SJung-uk Kim }
1658e71b7053SJung-uk Kim return 0;
1659e71b7053SJung-uk Kim }
1660e71b7053SJung-uk Kim
1661e71b7053SJung-uk Kim /*
1662e71b7053SJung-uk Kim * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1663e71b7053SJung-uk Kim * protocols, provided the initial (D)TLS method is version-flexible. This
1664e71b7053SJung-uk Kim * function sanity-checks the proposed value and makes sure the method is
1665e71b7053SJung-uk Kim * version-flexible, then sets the limit if all is well.
1666e71b7053SJung-uk Kim *
1667e71b7053SJung-uk Kim * @method_version: The version of the current SSL_METHOD.
1668e71b7053SJung-uk Kim * @version: the intended limit.
1669e71b7053SJung-uk Kim * @bound: pointer to limit to be updated.
1670e71b7053SJung-uk Kim *
1671e71b7053SJung-uk Kim * Returns 1 on success, 0 on failure.
1672e71b7053SJung-uk Kim */
ssl_set_version_bound(int method_version,int version,int * bound)1673e71b7053SJung-uk Kim int ssl_set_version_bound(int method_version, int version, int *bound)
1674e71b7053SJung-uk Kim {
167558f35182SJung-uk Kim int valid_tls;
167658f35182SJung-uk Kim int valid_dtls;
167758f35182SJung-uk Kim
1678e71b7053SJung-uk Kim if (version == 0) {
1679e71b7053SJung-uk Kim *bound = version;
1680e71b7053SJung-uk Kim return 1;
1681e71b7053SJung-uk Kim }
1682e71b7053SJung-uk Kim
1683b077aed3SPierre Pronchery valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
168458f35182SJung-uk Kim valid_dtls =
1685b077aed3SPierre Pronchery DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
168658f35182SJung-uk Kim DTLS_VERSION_GE(version, DTLS1_BAD_VER);
168758f35182SJung-uk Kim
168858f35182SJung-uk Kim if (!valid_tls && !valid_dtls)
168958f35182SJung-uk Kim return 0;
169058f35182SJung-uk Kim
1691e71b7053SJung-uk Kim /*-
1692e71b7053SJung-uk Kim * Restrict TLS methods to TLS protocol versions.
1693e71b7053SJung-uk Kim * Restrict DTLS methods to DTLS protocol versions.
1694e71b7053SJung-uk Kim * Note, DTLS version numbers are decreasing, use comparison macros.
1695e71b7053SJung-uk Kim *
1696e71b7053SJung-uk Kim * Note that for both lower-bounds we use explicit versions, not
1697e71b7053SJung-uk Kim * (D)TLS_MIN_VERSION. This is because we don't want to break user
1698e71b7053SJung-uk Kim * configurations. If the MIN (supported) version ever rises, the user's
1699e71b7053SJung-uk Kim * "floor" remains valid even if no longer available. We don't expect the
1700e71b7053SJung-uk Kim * MAX ceiling to ever get lower, so making that variable makes sense.
170158f35182SJung-uk Kim *
170258f35182SJung-uk Kim * We ignore attempts to set bounds on version-inflexible methods,
170358f35182SJung-uk Kim * returning success.
1704e71b7053SJung-uk Kim */
1705e71b7053SJung-uk Kim switch (method_version) {
1706e71b7053SJung-uk Kim default:
170758f35182SJung-uk Kim break;
1708e71b7053SJung-uk Kim
1709e71b7053SJung-uk Kim case TLS_ANY_VERSION:
171058f35182SJung-uk Kim if (valid_tls)
171158f35182SJung-uk Kim *bound = version;
1712e71b7053SJung-uk Kim break;
1713e71b7053SJung-uk Kim
1714e71b7053SJung-uk Kim case DTLS_ANY_VERSION:
171558f35182SJung-uk Kim if (valid_dtls)
171658f35182SJung-uk Kim *bound = version;
1717e71b7053SJung-uk Kim break;
1718e71b7053SJung-uk Kim }
1719e71b7053SJung-uk Kim return 1;
1720e71b7053SJung-uk Kim }
1721e71b7053SJung-uk Kim
check_for_downgrade(SSL * s,int vers,DOWNGRADE * dgrd)1722e71b7053SJung-uk Kim static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1723e71b7053SJung-uk Kim {
1724e71b7053SJung-uk Kim if (vers == TLS1_2_VERSION
1725e71b7053SJung-uk Kim && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1726e71b7053SJung-uk Kim *dgrd = DOWNGRADE_TO_1_2;
1727e71b7053SJung-uk Kim } else if (!SSL_IS_DTLS(s)
1728e71b7053SJung-uk Kim && vers < TLS1_2_VERSION
1729e71b7053SJung-uk Kim /*
1730e71b7053SJung-uk Kim * We need to ensure that a server that disables TLSv1.2
1731e71b7053SJung-uk Kim * (creating a hole between TLSv1.3 and TLSv1.1) can still
1732e71b7053SJung-uk Kim * complete handshakes with clients that support TLSv1.2 and
1733e71b7053SJung-uk Kim * below. Therefore we do not enable the sentinel if TLSv1.3 is
1734e71b7053SJung-uk Kim * enabled and TLSv1.2 is not.
1735e71b7053SJung-uk Kim */
1736e71b7053SJung-uk Kim && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1737e71b7053SJung-uk Kim *dgrd = DOWNGRADE_TO_1_1;
1738e71b7053SJung-uk Kim } else {
1739e71b7053SJung-uk Kim *dgrd = DOWNGRADE_NONE;
1740e71b7053SJung-uk Kim }
1741e71b7053SJung-uk Kim }
1742e71b7053SJung-uk Kim
1743e71b7053SJung-uk Kim /*
1744e71b7053SJung-uk Kim * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1745e71b7053SJung-uk Kim * client HELLO is received to select the final server protocol version and
1746e71b7053SJung-uk Kim * the version specific method.
1747e71b7053SJung-uk Kim *
1748e71b7053SJung-uk Kim * @s: server SSL handle.
1749e71b7053SJung-uk Kim *
1750e71b7053SJung-uk Kim * Returns 0 on success or an SSL error reason number on failure.
1751e71b7053SJung-uk Kim */
ssl_choose_server_version(SSL * s,CLIENTHELLO_MSG * hello,DOWNGRADE * dgrd)1752e71b7053SJung-uk Kim int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1753e71b7053SJung-uk Kim {
1754e71b7053SJung-uk Kim /*-
1755e71b7053SJung-uk Kim * With version-flexible methods we have an initial state with:
1756e71b7053SJung-uk Kim *
1757e71b7053SJung-uk Kim * s->method->version == (D)TLS_ANY_VERSION,
1758b077aed3SPierre Pronchery * s->version == (D)TLS_MAX_VERSION_INTERNAL.
1759e71b7053SJung-uk Kim *
1760e71b7053SJung-uk Kim * So we detect version-flexible methods via the method version, not the
1761e71b7053SJung-uk Kim * handle version.
1762e71b7053SJung-uk Kim */
1763e71b7053SJung-uk Kim int server_version = s->method->version;
1764e71b7053SJung-uk Kim int client_version = hello->legacy_version;
1765e71b7053SJung-uk Kim const version_info *vent;
1766e71b7053SJung-uk Kim const version_info *table;
1767e71b7053SJung-uk Kim int disabled = 0;
1768e71b7053SJung-uk Kim RAW_EXTENSION *suppversions;
1769e71b7053SJung-uk Kim
1770e71b7053SJung-uk Kim s->client_version = client_version;
1771e71b7053SJung-uk Kim
1772e71b7053SJung-uk Kim switch (server_version) {
1773e71b7053SJung-uk Kim default:
1774e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s)) {
1775e71b7053SJung-uk Kim if (version_cmp(s, client_version, s->version) < 0)
1776e71b7053SJung-uk Kim return SSL_R_WRONG_SSL_VERSION;
1777e71b7053SJung-uk Kim *dgrd = DOWNGRADE_NONE;
1778e71b7053SJung-uk Kim /*
1779e71b7053SJung-uk Kim * If this SSL handle is not from a version flexible method we don't
1780e71b7053SJung-uk Kim * (and never did) check min/max FIPS or Suite B constraints. Hope
1781e71b7053SJung-uk Kim * that's OK. It is up to the caller to not choose fixed protocol
1782e71b7053SJung-uk Kim * versions they don't want. If not, then easy to fix, just return
1783e71b7053SJung-uk Kim * ssl_method_error(s, s->method)
1784e71b7053SJung-uk Kim */
1785e71b7053SJung-uk Kim return 0;
1786e71b7053SJung-uk Kim }
1787e71b7053SJung-uk Kim /*
1788e71b7053SJung-uk Kim * Fall through if we are TLSv1.3 already (this means we must be after
1789e71b7053SJung-uk Kim * a HelloRetryRequest
1790e71b7053SJung-uk Kim */
1791e71b7053SJung-uk Kim /* fall thru */
1792e71b7053SJung-uk Kim case TLS_ANY_VERSION:
1793e71b7053SJung-uk Kim table = tls_version_table;
1794e71b7053SJung-uk Kim break;
1795e71b7053SJung-uk Kim case DTLS_ANY_VERSION:
1796e71b7053SJung-uk Kim table = dtls_version_table;
1797e71b7053SJung-uk Kim break;
1798e71b7053SJung-uk Kim }
1799e71b7053SJung-uk Kim
1800e71b7053SJung-uk Kim suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1801e71b7053SJung-uk Kim
1802e71b7053SJung-uk Kim /* If we did an HRR then supported versions is mandatory */
1803e71b7053SJung-uk Kim if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1804e71b7053SJung-uk Kim return SSL_R_UNSUPPORTED_PROTOCOL;
1805e71b7053SJung-uk Kim
1806e71b7053SJung-uk Kim if (suppversions->present && !SSL_IS_DTLS(s)) {
1807e71b7053SJung-uk Kim unsigned int candidate_vers = 0;
1808e71b7053SJung-uk Kim unsigned int best_vers = 0;
1809e71b7053SJung-uk Kim const SSL_METHOD *best_method = NULL;
1810e71b7053SJung-uk Kim PACKET versionslist;
1811e71b7053SJung-uk Kim
1812e71b7053SJung-uk Kim suppversions->parsed = 1;
1813e71b7053SJung-uk Kim
1814e71b7053SJung-uk Kim if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1815e71b7053SJung-uk Kim /* Trailing or invalid data? */
1816e71b7053SJung-uk Kim return SSL_R_LENGTH_MISMATCH;
1817e71b7053SJung-uk Kim }
1818e71b7053SJung-uk Kim
1819e71b7053SJung-uk Kim /*
1820e71b7053SJung-uk Kim * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1821e71b7053SJung-uk Kim * The spec only requires servers to check that it isn't SSLv3:
1822e71b7053SJung-uk Kim * "Any endpoint receiving a Hello message with
1823e71b7053SJung-uk Kim * ClientHello.legacy_version or ServerHello.legacy_version set to
1824e71b7053SJung-uk Kim * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1825e71b7053SJung-uk Kim * We are slightly stricter and require that it isn't SSLv3 or lower.
1826e71b7053SJung-uk Kim * We tolerate TLSv1 and TLSv1.1.
1827e71b7053SJung-uk Kim */
1828e71b7053SJung-uk Kim if (client_version <= SSL3_VERSION)
1829e71b7053SJung-uk Kim return SSL_R_BAD_LEGACY_VERSION;
1830e71b7053SJung-uk Kim
1831e71b7053SJung-uk Kim while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1832e71b7053SJung-uk Kim if (version_cmp(s, candidate_vers, best_vers) <= 0)
1833e71b7053SJung-uk Kim continue;
1834e71b7053SJung-uk Kim if (ssl_version_supported(s, candidate_vers, &best_method))
1835e71b7053SJung-uk Kim best_vers = candidate_vers;
1836e71b7053SJung-uk Kim }
1837e71b7053SJung-uk Kim if (PACKET_remaining(&versionslist) != 0) {
1838e71b7053SJung-uk Kim /* Trailing data? */
1839e71b7053SJung-uk Kim return SSL_R_LENGTH_MISMATCH;
1840e71b7053SJung-uk Kim }
1841e71b7053SJung-uk Kim
1842e71b7053SJung-uk Kim if (best_vers > 0) {
1843e71b7053SJung-uk Kim if (s->hello_retry_request != SSL_HRR_NONE) {
1844e71b7053SJung-uk Kim /*
1845e71b7053SJung-uk Kim * This is after a HelloRetryRequest so we better check that we
1846e71b7053SJung-uk Kim * negotiated TLSv1.3
1847e71b7053SJung-uk Kim */
1848e71b7053SJung-uk Kim if (best_vers != TLS1_3_VERSION)
1849e71b7053SJung-uk Kim return SSL_R_UNSUPPORTED_PROTOCOL;
1850e71b7053SJung-uk Kim return 0;
1851e71b7053SJung-uk Kim }
1852e71b7053SJung-uk Kim check_for_downgrade(s, best_vers, dgrd);
1853e71b7053SJung-uk Kim s->version = best_vers;
1854e71b7053SJung-uk Kim s->method = best_method;
1855e71b7053SJung-uk Kim return 0;
1856e71b7053SJung-uk Kim }
1857e71b7053SJung-uk Kim return SSL_R_UNSUPPORTED_PROTOCOL;
1858e71b7053SJung-uk Kim }
1859e71b7053SJung-uk Kim
1860e71b7053SJung-uk Kim /*
1861e71b7053SJung-uk Kim * If the supported versions extension isn't present, then the highest
1862e71b7053SJung-uk Kim * version we can negotiate is TLSv1.2
1863e71b7053SJung-uk Kim */
1864e71b7053SJung-uk Kim if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1865e71b7053SJung-uk Kim client_version = TLS1_2_VERSION;
1866e71b7053SJung-uk Kim
1867e71b7053SJung-uk Kim /*
1868e71b7053SJung-uk Kim * No supported versions extension, so we just use the version supplied in
1869e71b7053SJung-uk Kim * the ClientHello.
1870e71b7053SJung-uk Kim */
1871e71b7053SJung-uk Kim for (vent = table; vent->version != 0; ++vent) {
1872e71b7053SJung-uk Kim const SSL_METHOD *method;
1873e71b7053SJung-uk Kim
1874e71b7053SJung-uk Kim if (vent->smeth == NULL ||
1875e71b7053SJung-uk Kim version_cmp(s, client_version, vent->version) < 0)
1876e71b7053SJung-uk Kim continue;
1877e71b7053SJung-uk Kim method = vent->smeth();
1878e71b7053SJung-uk Kim if (ssl_method_error(s, method) == 0) {
1879e71b7053SJung-uk Kim check_for_downgrade(s, vent->version, dgrd);
1880e71b7053SJung-uk Kim s->version = vent->version;
1881e71b7053SJung-uk Kim s->method = method;
1882e71b7053SJung-uk Kim return 0;
1883e71b7053SJung-uk Kim }
1884e71b7053SJung-uk Kim disabled = 1;
1885e71b7053SJung-uk Kim }
1886e71b7053SJung-uk Kim return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1887e71b7053SJung-uk Kim }
1888e71b7053SJung-uk Kim
1889e71b7053SJung-uk Kim /*
1890e71b7053SJung-uk Kim * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1891e71b7053SJung-uk Kim * server HELLO is received to select the final client protocol version and
1892e71b7053SJung-uk Kim * the version specific method.
1893e71b7053SJung-uk Kim *
1894e71b7053SJung-uk Kim * @s: client SSL handle.
1895e71b7053SJung-uk Kim * @version: The proposed version from the server's HELLO.
1896e71b7053SJung-uk Kim * @extensions: The extensions received
1897e71b7053SJung-uk Kim *
1898e71b7053SJung-uk Kim * Returns 1 on success or 0 on error.
1899e71b7053SJung-uk Kim */
ssl_choose_client_version(SSL * s,int version,RAW_EXTENSION * extensions)1900e71b7053SJung-uk Kim int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1901e71b7053SJung-uk Kim {
1902e71b7053SJung-uk Kim const version_info *vent;
1903e71b7053SJung-uk Kim const version_info *table;
1904e71b7053SJung-uk Kim int ret, ver_min, ver_max, real_max, origv;
1905e71b7053SJung-uk Kim
1906e71b7053SJung-uk Kim origv = s->version;
1907e71b7053SJung-uk Kim s->version = version;
1908e71b7053SJung-uk Kim
1909e71b7053SJung-uk Kim /* This will overwrite s->version if the extension is present */
1910e71b7053SJung-uk Kim if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1911e71b7053SJung-uk Kim SSL_EXT_TLS1_2_SERVER_HELLO
1912e71b7053SJung-uk Kim | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1913e71b7053SJung-uk Kim NULL, 0)) {
1914e71b7053SJung-uk Kim s->version = origv;
1915e71b7053SJung-uk Kim return 0;
1916e71b7053SJung-uk Kim }
1917e71b7053SJung-uk Kim
1918e71b7053SJung-uk Kim if (s->hello_retry_request != SSL_HRR_NONE
1919e71b7053SJung-uk Kim && s->version != TLS1_3_VERSION) {
1920e71b7053SJung-uk Kim s->version = origv;
1921b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1922e71b7053SJung-uk Kim return 0;
1923e71b7053SJung-uk Kim }
1924e71b7053SJung-uk Kim
1925e71b7053SJung-uk Kim switch (s->method->version) {
1926e71b7053SJung-uk Kim default:
1927e71b7053SJung-uk Kim if (s->version != s->method->version) {
1928e71b7053SJung-uk Kim s->version = origv;
1929b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1930e71b7053SJung-uk Kim return 0;
1931e71b7053SJung-uk Kim }
1932e71b7053SJung-uk Kim /*
1933e71b7053SJung-uk Kim * If this SSL handle is not from a version flexible method we don't
1934e71b7053SJung-uk Kim * (and never did) check min/max, FIPS or Suite B constraints. Hope
1935e71b7053SJung-uk Kim * that's OK. It is up to the caller to not choose fixed protocol
1936e71b7053SJung-uk Kim * versions they don't want. If not, then easy to fix, just return
1937e71b7053SJung-uk Kim * ssl_method_error(s, s->method)
1938e71b7053SJung-uk Kim */
1939e71b7053SJung-uk Kim return 1;
1940e71b7053SJung-uk Kim case TLS_ANY_VERSION:
1941e71b7053SJung-uk Kim table = tls_version_table;
1942e71b7053SJung-uk Kim break;
1943e71b7053SJung-uk Kim case DTLS_ANY_VERSION:
1944e71b7053SJung-uk Kim table = dtls_version_table;
1945e71b7053SJung-uk Kim break;
1946e71b7053SJung-uk Kim }
1947e71b7053SJung-uk Kim
1948e71b7053SJung-uk Kim ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1949e71b7053SJung-uk Kim if (ret != 0) {
1950e71b7053SJung-uk Kim s->version = origv;
1951b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
1952e71b7053SJung-uk Kim return 0;
1953e71b7053SJung-uk Kim }
1954e71b7053SJung-uk Kim if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1955e71b7053SJung-uk Kim : s->version < ver_min) {
1956e71b7053SJung-uk Kim s->version = origv;
1957b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1958e71b7053SJung-uk Kim return 0;
1959e71b7053SJung-uk Kim } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1960e71b7053SJung-uk Kim : s->version > ver_max) {
1961e71b7053SJung-uk Kim s->version = origv;
1962b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1963e71b7053SJung-uk Kim return 0;
1964e71b7053SJung-uk Kim }
1965e71b7053SJung-uk Kim
1966e71b7053SJung-uk Kim if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1967e71b7053SJung-uk Kim real_max = ver_max;
1968e71b7053SJung-uk Kim
1969e71b7053SJung-uk Kim /* Check for downgrades */
1970e71b7053SJung-uk Kim if (s->version == TLS1_2_VERSION && real_max > s->version) {
1971e71b7053SJung-uk Kim if (memcmp(tls12downgrade,
1972b077aed3SPierre Pronchery s->s3.server_random + SSL3_RANDOM_SIZE
1973e71b7053SJung-uk Kim - sizeof(tls12downgrade),
1974e71b7053SJung-uk Kim sizeof(tls12downgrade)) == 0) {
1975e71b7053SJung-uk Kim s->version = origv;
1976e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1977e71b7053SJung-uk Kim SSL_R_INAPPROPRIATE_FALLBACK);
1978e71b7053SJung-uk Kim return 0;
1979e71b7053SJung-uk Kim }
1980e71b7053SJung-uk Kim } else if (!SSL_IS_DTLS(s)
1981e71b7053SJung-uk Kim && s->version < TLS1_2_VERSION
1982e71b7053SJung-uk Kim && real_max > s->version) {
1983e71b7053SJung-uk Kim if (memcmp(tls11downgrade,
1984b077aed3SPierre Pronchery s->s3.server_random + SSL3_RANDOM_SIZE
1985e71b7053SJung-uk Kim - sizeof(tls11downgrade),
1986e71b7053SJung-uk Kim sizeof(tls11downgrade)) == 0) {
1987e71b7053SJung-uk Kim s->version = origv;
1988e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1989e71b7053SJung-uk Kim SSL_R_INAPPROPRIATE_FALLBACK);
1990e71b7053SJung-uk Kim return 0;
1991e71b7053SJung-uk Kim }
1992e71b7053SJung-uk Kim }
1993e71b7053SJung-uk Kim
1994e71b7053SJung-uk Kim for (vent = table; vent->version != 0; ++vent) {
1995e71b7053SJung-uk Kim if (vent->cmeth == NULL || s->version != vent->version)
1996e71b7053SJung-uk Kim continue;
1997e71b7053SJung-uk Kim
1998e71b7053SJung-uk Kim s->method = vent->cmeth();
1999e71b7053SJung-uk Kim return 1;
2000e71b7053SJung-uk Kim }
2001e71b7053SJung-uk Kim
2002e71b7053SJung-uk Kim s->version = origv;
2003b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2004e71b7053SJung-uk Kim return 0;
2005e71b7053SJung-uk Kim }
2006e71b7053SJung-uk Kim
2007e71b7053SJung-uk Kim /*
2008e71b7053SJung-uk Kim * ssl_get_min_max_version - get minimum and maximum protocol version
2009e71b7053SJung-uk Kim * @s: The SSL connection
2010e71b7053SJung-uk Kim * @min_version: The minimum supported version
2011e71b7053SJung-uk Kim * @max_version: The maximum supported version
2012e71b7053SJung-uk Kim * @real_max: The highest version below the lowest compile time version hole
2013e71b7053SJung-uk Kim * where that hole lies above at least one run-time enabled
2014e71b7053SJung-uk Kim * protocol.
2015e71b7053SJung-uk Kim *
2016e71b7053SJung-uk Kim * Work out what version we should be using for the initial ClientHello if the
2017e71b7053SJung-uk Kim * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2018e71b7053SJung-uk Kim * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2019e71b7053SJung-uk Kim * constraints and any floor imposed by the security level here,
2020e71b7053SJung-uk Kim * so we don't advertise the wrong protocol version to only reject the outcome later.
2021e71b7053SJung-uk Kim *
2022e71b7053SJung-uk Kim * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2023e71b7053SJung-uk Kim * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2024e71b7053SJung-uk Kim * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2025e71b7053SJung-uk Kim *
2026e71b7053SJung-uk Kim * Returns 0 on success or an SSL error reason number on failure. On failure
2027e71b7053SJung-uk Kim * min_version and max_version will also be set to 0.
2028e71b7053SJung-uk Kim */
ssl_get_min_max_version(const SSL * s,int * min_version,int * max_version,int * real_max)2029e71b7053SJung-uk Kim int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2030e71b7053SJung-uk Kim int *real_max)
2031e71b7053SJung-uk Kim {
2032e71b7053SJung-uk Kim int version, tmp_real_max;
2033e71b7053SJung-uk Kim int hole;
2034e71b7053SJung-uk Kim const SSL_METHOD *single = NULL;
2035e71b7053SJung-uk Kim const SSL_METHOD *method;
2036e71b7053SJung-uk Kim const version_info *table;
2037e71b7053SJung-uk Kim const version_info *vent;
2038e71b7053SJung-uk Kim
2039e71b7053SJung-uk Kim switch (s->method->version) {
2040e71b7053SJung-uk Kim default:
2041e71b7053SJung-uk Kim /*
2042e71b7053SJung-uk Kim * If this SSL handle is not from a version flexible method we don't
2043e71b7053SJung-uk Kim * (and never did) check min/max FIPS or Suite B constraints. Hope
2044e71b7053SJung-uk Kim * that's OK. It is up to the caller to not choose fixed protocol
2045e71b7053SJung-uk Kim * versions they don't want. If not, then easy to fix, just return
2046e71b7053SJung-uk Kim * ssl_method_error(s, s->method)
2047e71b7053SJung-uk Kim */
2048e71b7053SJung-uk Kim *min_version = *max_version = s->version;
2049e71b7053SJung-uk Kim /*
2050e71b7053SJung-uk Kim * Providing a real_max only makes sense where we're using a version
2051e71b7053SJung-uk Kim * flexible method.
2052e71b7053SJung-uk Kim */
2053e71b7053SJung-uk Kim if (!ossl_assert(real_max == NULL))
2054e71b7053SJung-uk Kim return ERR_R_INTERNAL_ERROR;
2055e71b7053SJung-uk Kim return 0;
2056e71b7053SJung-uk Kim case TLS_ANY_VERSION:
2057e71b7053SJung-uk Kim table = tls_version_table;
2058e71b7053SJung-uk Kim break;
2059e71b7053SJung-uk Kim case DTLS_ANY_VERSION:
2060e71b7053SJung-uk Kim table = dtls_version_table;
2061e71b7053SJung-uk Kim break;
2062e71b7053SJung-uk Kim }
2063e71b7053SJung-uk Kim
2064e71b7053SJung-uk Kim /*
2065e71b7053SJung-uk Kim * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2066e71b7053SJung-uk Kim * below X enabled. This is required in order to maintain the "version
2067e71b7053SJung-uk Kim * capability" vector contiguous. Any versions with a NULL client method
2068e71b7053SJung-uk Kim * (protocol version client is disabled at compile-time) is also a "hole".
2069e71b7053SJung-uk Kim *
2070e71b7053SJung-uk Kim * Our initial state is hole == 1, version == 0. That is, versions above
2071e71b7053SJung-uk Kim * the first version in the method table are disabled (a "hole" above
2072e71b7053SJung-uk Kim * the valid protocol entries) and we don't have a selected version yet.
2073e71b7053SJung-uk Kim *
2074e71b7053SJung-uk Kim * Whenever "hole == 1", and we hit an enabled method, its version becomes
2075e71b7053SJung-uk Kim * the selected version, and the method becomes a candidate "single"
2076e71b7053SJung-uk Kim * method. We're no longer in a hole, so "hole" becomes 0.
2077e71b7053SJung-uk Kim *
2078e71b7053SJung-uk Kim * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2079e71b7053SJung-uk Kim * as we support a contiguous range of at least two methods. If we hit
2080e71b7053SJung-uk Kim * a disabled method, then hole becomes true again, but nothing else
2081e71b7053SJung-uk Kim * changes yet, because all the remaining methods may be disabled too.
2082e71b7053SJung-uk Kim * If we again hit an enabled method after the new hole, it becomes
2083e71b7053SJung-uk Kim * selected, as we start from scratch.
2084e71b7053SJung-uk Kim */
2085e71b7053SJung-uk Kim *min_version = version = 0;
2086e71b7053SJung-uk Kim hole = 1;
2087e71b7053SJung-uk Kim if (real_max != NULL)
2088e71b7053SJung-uk Kim *real_max = 0;
2089e71b7053SJung-uk Kim tmp_real_max = 0;
2090e71b7053SJung-uk Kim for (vent = table; vent->version != 0; ++vent) {
2091e71b7053SJung-uk Kim /*
2092e71b7053SJung-uk Kim * A table entry with a NULL client method is still a hole in the
2093e71b7053SJung-uk Kim * "version capability" vector.
2094e71b7053SJung-uk Kim */
2095e71b7053SJung-uk Kim if (vent->cmeth == NULL) {
2096e71b7053SJung-uk Kim hole = 1;
2097e71b7053SJung-uk Kim tmp_real_max = 0;
2098e71b7053SJung-uk Kim continue;
2099e71b7053SJung-uk Kim }
2100e71b7053SJung-uk Kim method = vent->cmeth();
2101e71b7053SJung-uk Kim
2102e71b7053SJung-uk Kim if (hole == 1 && tmp_real_max == 0)
2103e71b7053SJung-uk Kim tmp_real_max = vent->version;
2104e71b7053SJung-uk Kim
2105e71b7053SJung-uk Kim if (ssl_method_error(s, method) != 0) {
2106e71b7053SJung-uk Kim hole = 1;
2107e71b7053SJung-uk Kim } else if (!hole) {
2108e71b7053SJung-uk Kim single = NULL;
2109e71b7053SJung-uk Kim *min_version = method->version;
2110e71b7053SJung-uk Kim } else {
2111e71b7053SJung-uk Kim if (real_max != NULL && tmp_real_max != 0)
2112e71b7053SJung-uk Kim *real_max = tmp_real_max;
2113e71b7053SJung-uk Kim version = (single = method)->version;
2114e71b7053SJung-uk Kim *min_version = version;
2115e71b7053SJung-uk Kim hole = 0;
2116e71b7053SJung-uk Kim }
2117e71b7053SJung-uk Kim }
2118e71b7053SJung-uk Kim
2119e71b7053SJung-uk Kim *max_version = version;
2120e71b7053SJung-uk Kim
2121e71b7053SJung-uk Kim /* Fail if everything is disabled */
2122e71b7053SJung-uk Kim if (version == 0)
2123e71b7053SJung-uk Kim return SSL_R_NO_PROTOCOLS_AVAILABLE;
2124e71b7053SJung-uk Kim
2125e71b7053SJung-uk Kim return 0;
2126e71b7053SJung-uk Kim }
2127e71b7053SJung-uk Kim
2128e71b7053SJung-uk Kim /*
2129e71b7053SJung-uk Kim * ssl_set_client_hello_version - Work out what version we should be using for
2130e71b7053SJung-uk Kim * the initial ClientHello.legacy_version field.
2131e71b7053SJung-uk Kim *
2132e71b7053SJung-uk Kim * @s: client SSL handle.
2133e71b7053SJung-uk Kim *
2134e71b7053SJung-uk Kim * Returns 0 on success or an SSL error reason number on failure.
2135e71b7053SJung-uk Kim */
ssl_set_client_hello_version(SSL * s)2136e71b7053SJung-uk Kim int ssl_set_client_hello_version(SSL *s)
2137e71b7053SJung-uk Kim {
2138e71b7053SJung-uk Kim int ver_min, ver_max, ret;
2139e71b7053SJung-uk Kim
2140e71b7053SJung-uk Kim /*
2141e71b7053SJung-uk Kim * In a renegotiation we always send the same client_version that we sent
2142e71b7053SJung-uk Kim * last time, regardless of which version we eventually negotiated.
2143e71b7053SJung-uk Kim */
2144e71b7053SJung-uk Kim if (!SSL_IS_FIRST_HANDSHAKE(s))
2145e71b7053SJung-uk Kim return 0;
2146e71b7053SJung-uk Kim
2147e71b7053SJung-uk Kim ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2148e71b7053SJung-uk Kim
2149e71b7053SJung-uk Kim if (ret != 0)
2150e71b7053SJung-uk Kim return ret;
2151e71b7053SJung-uk Kim
2152e71b7053SJung-uk Kim s->version = ver_max;
2153e71b7053SJung-uk Kim
2154e71b7053SJung-uk Kim /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2155e71b7053SJung-uk Kim if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2156e71b7053SJung-uk Kim ver_max = TLS1_2_VERSION;
2157e71b7053SJung-uk Kim
2158e71b7053SJung-uk Kim s->client_version = ver_max;
2159e71b7053SJung-uk Kim return 0;
2160e71b7053SJung-uk Kim }
2161e71b7053SJung-uk Kim
2162e71b7053SJung-uk Kim /*
2163e71b7053SJung-uk Kim * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2164e71b7053SJung-uk Kim * and |checkallow| is 1 then additionally check if the group is allowed to be
2165e71b7053SJung-uk Kim * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2166e71b7053SJung-uk Kim * 1) or 0 otherwise.
2167e71b7053SJung-uk Kim */
check_in_list(SSL * s,uint16_t group_id,const uint16_t * groups,size_t num_groups,int checkallow)2168e71b7053SJung-uk Kim int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2169e71b7053SJung-uk Kim size_t num_groups, int checkallow)
2170e71b7053SJung-uk Kim {
2171e71b7053SJung-uk Kim size_t i;
2172e71b7053SJung-uk Kim
2173e71b7053SJung-uk Kim if (groups == NULL || num_groups == 0)
2174e71b7053SJung-uk Kim return 0;
2175e71b7053SJung-uk Kim
2176e71b7053SJung-uk Kim for (i = 0; i < num_groups; i++) {
2177e71b7053SJung-uk Kim uint16_t group = groups[i];
2178e71b7053SJung-uk Kim
2179e71b7053SJung-uk Kim if (group_id == group
2180e71b7053SJung-uk Kim && (!checkallow
2181b077aed3SPierre Pronchery || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2182e71b7053SJung-uk Kim return 1;
2183e71b7053SJung-uk Kim }
2184e71b7053SJung-uk Kim }
2185e71b7053SJung-uk Kim
2186e71b7053SJung-uk Kim return 0;
2187e71b7053SJung-uk Kim }
2188e71b7053SJung-uk Kim
2189e71b7053SJung-uk Kim /* Replace ClientHello1 in the transcript hash with a synthetic message */
create_synthetic_message_hash(SSL * s,const unsigned char * hashval,size_t hashlen,const unsigned char * hrr,size_t hrrlen)2190e71b7053SJung-uk Kim int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2191e71b7053SJung-uk Kim size_t hashlen, const unsigned char *hrr,
2192e71b7053SJung-uk Kim size_t hrrlen)
2193e71b7053SJung-uk Kim {
2194e71b7053SJung-uk Kim unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2195e71b7053SJung-uk Kim unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2196e71b7053SJung-uk Kim
2197e71b7053SJung-uk Kim memset(msghdr, 0, sizeof(msghdr));
2198e71b7053SJung-uk Kim
2199e71b7053SJung-uk Kim if (hashval == NULL) {
2200e71b7053SJung-uk Kim hashval = hashvaltmp;
2201e71b7053SJung-uk Kim hashlen = 0;
2202e71b7053SJung-uk Kim /* Get the hash of the initial ClientHello */
2203e71b7053SJung-uk Kim if (!ssl3_digest_cached_records(s, 0)
2204e71b7053SJung-uk Kim || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2205e71b7053SJung-uk Kim &hashlen)) {
2206e71b7053SJung-uk Kim /* SSLfatal() already called */
2207e71b7053SJung-uk Kim return 0;
2208e71b7053SJung-uk Kim }
2209e71b7053SJung-uk Kim }
2210e71b7053SJung-uk Kim
2211e71b7053SJung-uk Kim /* Reinitialise the transcript hash */
2212e71b7053SJung-uk Kim if (!ssl3_init_finished_mac(s)) {
2213e71b7053SJung-uk Kim /* SSLfatal() already called */
2214e71b7053SJung-uk Kim return 0;
2215e71b7053SJung-uk Kim }
2216e71b7053SJung-uk Kim
2217e71b7053SJung-uk Kim /* Inject the synthetic message_hash message */
2218e71b7053SJung-uk Kim msghdr[0] = SSL3_MT_MESSAGE_HASH;
2219e71b7053SJung-uk Kim msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2220e71b7053SJung-uk Kim if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2221e71b7053SJung-uk Kim || !ssl3_finish_mac(s, hashval, hashlen)) {
2222e71b7053SJung-uk Kim /* SSLfatal() already called */
2223e71b7053SJung-uk Kim return 0;
2224e71b7053SJung-uk Kim }
2225e71b7053SJung-uk Kim
2226e71b7053SJung-uk Kim /*
2227e71b7053SJung-uk Kim * Now re-inject the HRR and current message if appropriate (we just deleted
2228e71b7053SJung-uk Kim * it when we reinitialised the transcript hash above). Only necessary after
2229e71b7053SJung-uk Kim * receiving a ClientHello2 with a cookie.
2230e71b7053SJung-uk Kim */
2231e71b7053SJung-uk Kim if (hrr != NULL
2232e71b7053SJung-uk Kim && (!ssl3_finish_mac(s, hrr, hrrlen)
2233e71b7053SJung-uk Kim || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2234b077aed3SPierre Pronchery s->s3.tmp.message_size
2235e71b7053SJung-uk Kim + SSL3_HM_HEADER_LENGTH))) {
2236e71b7053SJung-uk Kim /* SSLfatal() already called */
2237e71b7053SJung-uk Kim return 0;
2238e71b7053SJung-uk Kim }
2239e71b7053SJung-uk Kim
2240e71b7053SJung-uk Kim return 1;
2241e71b7053SJung-uk Kim }
2242e71b7053SJung-uk Kim
ca_dn_cmp(const X509_NAME * const * a,const X509_NAME * const * b)2243e71b7053SJung-uk Kim static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2244e71b7053SJung-uk Kim {
2245e71b7053SJung-uk Kim return X509_NAME_cmp(*a, *b);
2246e71b7053SJung-uk Kim }
2247e71b7053SJung-uk Kim
parse_ca_names(SSL * s,PACKET * pkt)2248e71b7053SJung-uk Kim int parse_ca_names(SSL *s, PACKET *pkt)
2249e71b7053SJung-uk Kim {
2250e71b7053SJung-uk Kim STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2251e71b7053SJung-uk Kim X509_NAME *xn = NULL;
2252e71b7053SJung-uk Kim PACKET cadns;
2253e71b7053SJung-uk Kim
2254e71b7053SJung-uk Kim if (ca_sk == NULL) {
2255b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2256e71b7053SJung-uk Kim goto err;
2257e71b7053SJung-uk Kim }
2258e71b7053SJung-uk Kim /* get the CA RDNs */
2259e71b7053SJung-uk Kim if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2260b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2261e71b7053SJung-uk Kim goto err;
2262e71b7053SJung-uk Kim }
2263e71b7053SJung-uk Kim
2264e71b7053SJung-uk Kim while (PACKET_remaining(&cadns)) {
2265e71b7053SJung-uk Kim const unsigned char *namestart, *namebytes;
2266e71b7053SJung-uk Kim unsigned int name_len;
2267e71b7053SJung-uk Kim
2268e71b7053SJung-uk Kim if (!PACKET_get_net_2(&cadns, &name_len)
2269e71b7053SJung-uk Kim || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2270b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2271e71b7053SJung-uk Kim goto err;
2272e71b7053SJung-uk Kim }
2273e71b7053SJung-uk Kim
2274e71b7053SJung-uk Kim namestart = namebytes;
2275e71b7053SJung-uk Kim if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2276b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
2277e71b7053SJung-uk Kim goto err;
2278e71b7053SJung-uk Kim }
2279e71b7053SJung-uk Kim if (namebytes != (namestart + name_len)) {
2280b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
2281e71b7053SJung-uk Kim goto err;
2282e71b7053SJung-uk Kim }
2283e71b7053SJung-uk Kim
2284e71b7053SJung-uk Kim if (!sk_X509_NAME_push(ca_sk, xn)) {
2285b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2286e71b7053SJung-uk Kim goto err;
2287e71b7053SJung-uk Kim }
2288e71b7053SJung-uk Kim xn = NULL;
2289e71b7053SJung-uk Kim }
2290e71b7053SJung-uk Kim
2291b077aed3SPierre Pronchery sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2292b077aed3SPierre Pronchery s->s3.tmp.peer_ca_names = ca_sk;
2293e71b7053SJung-uk Kim
2294e71b7053SJung-uk Kim return 1;
2295e71b7053SJung-uk Kim
2296e71b7053SJung-uk Kim err:
2297e71b7053SJung-uk Kim sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2298e71b7053SJung-uk Kim X509_NAME_free(xn);
2299e71b7053SJung-uk Kim return 0;
2300e71b7053SJung-uk Kim }
2301e71b7053SJung-uk Kim
STACK_OF(X509_NAME)2302c9cf7b5cSJung-uk Kim const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2303e71b7053SJung-uk Kim {
2304c9cf7b5cSJung-uk Kim const STACK_OF(X509_NAME) *ca_sk = NULL;;
2305e71b7053SJung-uk Kim
2306c9cf7b5cSJung-uk Kim if (s->server) {
2307c9cf7b5cSJung-uk Kim ca_sk = SSL_get_client_CA_list(s);
2308c9cf7b5cSJung-uk Kim if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2309c9cf7b5cSJung-uk Kim ca_sk = NULL;
2310c9cf7b5cSJung-uk Kim }
2311c9cf7b5cSJung-uk Kim
2312c9cf7b5cSJung-uk Kim if (ca_sk == NULL)
2313c9cf7b5cSJung-uk Kim ca_sk = SSL_get0_CA_list(s);
2314c9cf7b5cSJung-uk Kim
2315c9cf7b5cSJung-uk Kim return ca_sk;
2316c9cf7b5cSJung-uk Kim }
2317c9cf7b5cSJung-uk Kim
construct_ca_names(SSL * s,const STACK_OF (X509_NAME)* ca_sk,WPACKET * pkt)2318c9cf7b5cSJung-uk Kim int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2319c9cf7b5cSJung-uk Kim {
2320e71b7053SJung-uk Kim /* Start sub-packet for client CA list */
2321e71b7053SJung-uk Kim if (!WPACKET_start_sub_packet_u16(pkt)) {
2322b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2323e71b7053SJung-uk Kim return 0;
2324e71b7053SJung-uk Kim }
2325e71b7053SJung-uk Kim
2326b077aed3SPierre Pronchery if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
2327e71b7053SJung-uk Kim int i;
2328e71b7053SJung-uk Kim
2329e71b7053SJung-uk Kim for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2330e71b7053SJung-uk Kim unsigned char *namebytes;
2331e71b7053SJung-uk Kim X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2332e71b7053SJung-uk Kim int namelen;
2333e71b7053SJung-uk Kim
2334e71b7053SJung-uk Kim if (name == NULL
2335e71b7053SJung-uk Kim || (namelen = i2d_X509_NAME(name, NULL)) < 0
2336e71b7053SJung-uk Kim || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2337e71b7053SJung-uk Kim &namebytes)
2338e71b7053SJung-uk Kim || i2d_X509_NAME(name, &namebytes) != namelen) {
2339b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2340e71b7053SJung-uk Kim return 0;
2341e71b7053SJung-uk Kim }
2342e71b7053SJung-uk Kim }
2343e71b7053SJung-uk Kim }
2344e71b7053SJung-uk Kim
2345e71b7053SJung-uk Kim if (!WPACKET_close(pkt)) {
2346b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2347e71b7053SJung-uk Kim return 0;
2348e71b7053SJung-uk Kim }
2349e71b7053SJung-uk Kim
2350e71b7053SJung-uk Kim return 1;
2351e71b7053SJung-uk Kim }
2352e71b7053SJung-uk Kim
2353e71b7053SJung-uk Kim /* Create a buffer containing data to be signed for server key exchange */
construct_key_exchange_tbs(SSL * s,unsigned char ** ptbs,const void * param,size_t paramlen)2354e71b7053SJung-uk Kim size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2355e71b7053SJung-uk Kim const void *param, size_t paramlen)
2356e71b7053SJung-uk Kim {
2357e71b7053SJung-uk Kim size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2358e71b7053SJung-uk Kim unsigned char *tbs = OPENSSL_malloc(tbslen);
2359e71b7053SJung-uk Kim
2360e71b7053SJung-uk Kim if (tbs == NULL) {
2361b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2362e71b7053SJung-uk Kim return 0;
2363e71b7053SJung-uk Kim }
2364b077aed3SPierre Pronchery memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2365b077aed3SPierre Pronchery memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2366e71b7053SJung-uk Kim
2367e71b7053SJung-uk Kim memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2368e71b7053SJung-uk Kim
2369e71b7053SJung-uk Kim *ptbs = tbs;
2370e71b7053SJung-uk Kim return tbslen;
2371e71b7053SJung-uk Kim }
2372e71b7053SJung-uk Kim
2373e71b7053SJung-uk Kim /*
2374e71b7053SJung-uk Kim * Saves the current handshake digest for Post-Handshake Auth,
2375e71b7053SJung-uk Kim * Done after ClientFinished is processed, done exactly once
2376e71b7053SJung-uk Kim */
tls13_save_handshake_digest_for_pha(SSL * s)2377e71b7053SJung-uk Kim int tls13_save_handshake_digest_for_pha(SSL *s)
2378e71b7053SJung-uk Kim {
2379e71b7053SJung-uk Kim if (s->pha_dgst == NULL) {
2380e71b7053SJung-uk Kim if (!ssl3_digest_cached_records(s, 1))
2381e71b7053SJung-uk Kim /* SSLfatal() already called */
2382e71b7053SJung-uk Kim return 0;
2383e71b7053SJung-uk Kim
2384e71b7053SJung-uk Kim s->pha_dgst = EVP_MD_CTX_new();
2385e71b7053SJung-uk Kim if (s->pha_dgst == NULL) {
2386b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2387e71b7053SJung-uk Kim return 0;
2388e71b7053SJung-uk Kim }
2389e71b7053SJung-uk Kim if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2390b077aed3SPierre Pronchery s->s3.handshake_dgst)) {
2391b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2392b2bf0c7eSJung-uk Kim EVP_MD_CTX_free(s->pha_dgst);
2393b2bf0c7eSJung-uk Kim s->pha_dgst = NULL;
2394e71b7053SJung-uk Kim return 0;
2395e71b7053SJung-uk Kim }
2396e71b7053SJung-uk Kim }
2397e71b7053SJung-uk Kim return 1;
2398e71b7053SJung-uk Kim }
2399e71b7053SJung-uk Kim
2400e71b7053SJung-uk Kim /*
2401e71b7053SJung-uk Kim * Restores the Post-Handshake Auth handshake digest
2402e71b7053SJung-uk Kim * Done just before sending/processing the Cert Request
2403e71b7053SJung-uk Kim */
tls13_restore_handshake_digest_for_pha(SSL * s)2404e71b7053SJung-uk Kim int tls13_restore_handshake_digest_for_pha(SSL *s)
2405e71b7053SJung-uk Kim {
2406e71b7053SJung-uk Kim if (s->pha_dgst == NULL) {
2407b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2408e71b7053SJung-uk Kim return 0;
2409e71b7053SJung-uk Kim }
2410b077aed3SPierre Pronchery if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2411e71b7053SJung-uk Kim s->pha_dgst)) {
2412b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2413e71b7053SJung-uk Kim return 0;
2414e71b7053SJung-uk Kim }
2415e71b7053SJung-uk Kim return 1;
2416e71b7053SJung-uk Kim }
2417