1e71b7053SJung-uk Kim /* 217f01e99SJung-uk Kim * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. 3e71b7053SJung-uk Kim * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4e71b7053SJung-uk Kim * 5e71b7053SJung-uk Kim * Licensed under the OpenSSL license (the "License"). You may not use 6e71b7053SJung-uk Kim * this file except in compliance with the License. You can obtain a copy 7e71b7053SJung-uk Kim * in the file LICENSE in the source distribution or at 8e71b7053SJung-uk Kim * https://www.openssl.org/source/license.html 9e71b7053SJung-uk Kim */ 10e71b7053SJung-uk Kim 11e71b7053SJung-uk Kim #include <limits.h> 12e71b7053SJung-uk Kim #include <string.h> 13e71b7053SJung-uk Kim #include <stdio.h> 1417f01e99SJung-uk Kim #include "../ssl_local.h" 1517f01e99SJung-uk Kim #include "statem_local.h" 16e71b7053SJung-uk Kim #include "internal/cryptlib.h" 17e71b7053SJung-uk Kim #include <openssl/buffer.h> 18e71b7053SJung-uk Kim #include <openssl/objects.h> 19e71b7053SJung-uk Kim #include <openssl/evp.h> 20e71b7053SJung-uk Kim #include <openssl/x509.h> 21e71b7053SJung-uk Kim 22e71b7053SJung-uk Kim /* 23e71b7053SJung-uk Kim * Map error codes to TLS/SSL alart types. 24e71b7053SJung-uk Kim */ 25e71b7053SJung-uk Kim typedef struct x509err2alert_st { 26e71b7053SJung-uk Kim int x509err; 27e71b7053SJung-uk Kim int alert; 28e71b7053SJung-uk Kim } X509ERR2ALERT; 29e71b7053SJung-uk Kim 30e71b7053SJung-uk Kim /* Fixed value used in the ServerHello random field to identify an HRR */ 31e71b7053SJung-uk Kim const unsigned char hrrrandom[] = { 32e71b7053SJung-uk Kim 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 33e71b7053SJung-uk Kim 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 34e71b7053SJung-uk Kim 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c 35e71b7053SJung-uk Kim }; 36e71b7053SJung-uk Kim 37e71b7053SJung-uk Kim /* 38e71b7053SJung-uk Kim * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or 39e71b7053SJung-uk Kim * SSL3_RT_CHANGE_CIPHER_SPEC) 40e71b7053SJung-uk Kim */ 41e71b7053SJung-uk Kim int ssl3_do_write(SSL *s, int type) 42e71b7053SJung-uk Kim { 43e71b7053SJung-uk Kim int ret; 44e71b7053SJung-uk Kim size_t written = 0; 45e71b7053SJung-uk Kim 46e71b7053SJung-uk Kim ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off], 47e71b7053SJung-uk Kim s->init_num, &written); 48e71b7053SJung-uk Kim if (ret < 0) 49e71b7053SJung-uk Kim return -1; 50e71b7053SJung-uk Kim if (type == SSL3_RT_HANDSHAKE) 51e71b7053SJung-uk Kim /* 52e71b7053SJung-uk Kim * should not be done for 'Hello Request's, but in that case we'll 53e71b7053SJung-uk Kim * ignore the result anyway 54e71b7053SJung-uk Kim * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added 55e71b7053SJung-uk Kim */ 56e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET 57e71b7053SJung-uk Kim && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE 58e71b7053SJung-uk Kim && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE)) 59e71b7053SJung-uk Kim if (!ssl3_finish_mac(s, 60e71b7053SJung-uk Kim (unsigned char *)&s->init_buf->data[s->init_off], 61e71b7053SJung-uk Kim written)) 62e71b7053SJung-uk Kim return -1; 63e71b7053SJung-uk Kim if (written == s->init_num) { 64e71b7053SJung-uk Kim if (s->msg_callback) 65e71b7053SJung-uk Kim s->msg_callback(1, s->version, type, s->init_buf->data, 66e71b7053SJung-uk Kim (size_t)(s->init_off + s->init_num), s, 67e71b7053SJung-uk Kim s->msg_callback_arg); 68e71b7053SJung-uk Kim return 1; 69e71b7053SJung-uk Kim } 70e71b7053SJung-uk Kim s->init_off += written; 71e71b7053SJung-uk Kim s->init_num -= written; 72e71b7053SJung-uk Kim return 0; 73e71b7053SJung-uk Kim } 74e71b7053SJung-uk Kim 75e71b7053SJung-uk Kim int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype) 76e71b7053SJung-uk Kim { 77e71b7053SJung-uk Kim size_t msglen; 78e71b7053SJung-uk Kim 79e71b7053SJung-uk Kim if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt)) 80e71b7053SJung-uk Kim || !WPACKET_get_length(pkt, &msglen) 81e71b7053SJung-uk Kim || msglen > INT_MAX) 82e71b7053SJung-uk Kim return 0; 83e71b7053SJung-uk Kim s->init_num = (int)msglen; 84e71b7053SJung-uk Kim s->init_off = 0; 85e71b7053SJung-uk Kim 86e71b7053SJung-uk Kim return 1; 87e71b7053SJung-uk Kim } 88e71b7053SJung-uk Kim 89e71b7053SJung-uk Kim int tls_setup_handshake(SSL *s) 90e71b7053SJung-uk Kim { 91e71b7053SJung-uk Kim if (!ssl3_init_finished_mac(s)) { 92e71b7053SJung-uk Kim /* SSLfatal() already called */ 93e71b7053SJung-uk Kim return 0; 94e71b7053SJung-uk Kim } 95e71b7053SJung-uk Kim 96e71b7053SJung-uk Kim /* Reset any extension flags */ 97e71b7053SJung-uk Kim memset(s->ext.extflags, 0, sizeof(s->ext.extflags)); 98e71b7053SJung-uk Kim 99e71b7053SJung-uk Kim if (s->server) { 100e71b7053SJung-uk Kim STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s); 101e71b7053SJung-uk Kim int i, ver_min, ver_max, ok = 0; 102e71b7053SJung-uk Kim 103e71b7053SJung-uk Kim /* 104e71b7053SJung-uk Kim * Sanity check that the maximum version we accept has ciphers 105e71b7053SJung-uk Kim * enabled. For clients we do this check during construction of the 106e71b7053SJung-uk Kim * ClientHello. 107e71b7053SJung-uk Kim */ 108e71b7053SJung-uk Kim if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) { 109e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE, 110e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 111e71b7053SJung-uk Kim return 0; 112e71b7053SJung-uk Kim } 113e71b7053SJung-uk Kim for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 114e71b7053SJung-uk Kim const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); 115e71b7053SJung-uk Kim 116e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) { 117e71b7053SJung-uk Kim if (DTLS_VERSION_GE(ver_max, c->min_dtls) && 118e71b7053SJung-uk Kim DTLS_VERSION_LE(ver_max, c->max_dtls)) 119e71b7053SJung-uk Kim ok = 1; 120e71b7053SJung-uk Kim } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) { 121e71b7053SJung-uk Kim ok = 1; 122e71b7053SJung-uk Kim } 123e71b7053SJung-uk Kim if (ok) 124e71b7053SJung-uk Kim break; 125e71b7053SJung-uk Kim } 126e71b7053SJung-uk Kim if (!ok) { 127e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE, 128e71b7053SJung-uk Kim SSL_R_NO_CIPHERS_AVAILABLE); 129e71b7053SJung-uk Kim ERR_add_error_data(1, "No ciphers enabled for max supported " 130e71b7053SJung-uk Kim "SSL/TLS version"); 131e71b7053SJung-uk Kim return 0; 132e71b7053SJung-uk Kim } 133e71b7053SJung-uk Kim if (SSL_IS_FIRST_HANDSHAKE(s)) { 134e71b7053SJung-uk Kim /* N.B. s->session_ctx == s->ctx here */ 135e71b7053SJung-uk Kim tsan_counter(&s->session_ctx->stats.sess_accept); 136e71b7053SJung-uk Kim } else { 137e71b7053SJung-uk Kim /* N.B. s->ctx may not equal s->session_ctx */ 138e71b7053SJung-uk Kim tsan_counter(&s->ctx->stats.sess_accept_renegotiate); 139e71b7053SJung-uk Kim 140e71b7053SJung-uk Kim s->s3->tmp.cert_request = 0; 141e71b7053SJung-uk Kim } 142e71b7053SJung-uk Kim } else { 143e71b7053SJung-uk Kim if (SSL_IS_FIRST_HANDSHAKE(s)) 144e71b7053SJung-uk Kim tsan_counter(&s->session_ctx->stats.sess_connect); 145e71b7053SJung-uk Kim else 146e71b7053SJung-uk Kim tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate); 147e71b7053SJung-uk Kim 148e71b7053SJung-uk Kim /* mark client_random uninitialized */ 149e71b7053SJung-uk Kim memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); 150e71b7053SJung-uk Kim s->hit = 0; 151e71b7053SJung-uk Kim 152e71b7053SJung-uk Kim s->s3->tmp.cert_req = 0; 153e71b7053SJung-uk Kim 154e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) 155e71b7053SJung-uk Kim s->statem.use_timer = 1; 156e71b7053SJung-uk Kim } 157e71b7053SJung-uk Kim 158e71b7053SJung-uk Kim return 1; 159e71b7053SJung-uk Kim } 160e71b7053SJung-uk Kim 161e71b7053SJung-uk Kim /* 162e71b7053SJung-uk Kim * Size of the to-be-signed TLS13 data, without the hash size itself: 163e71b7053SJung-uk Kim * 64 bytes of value 32, 33 context bytes, 1 byte separator 164e71b7053SJung-uk Kim */ 165e71b7053SJung-uk Kim #define TLS13_TBS_START_SIZE 64 166e71b7053SJung-uk Kim #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1) 167e71b7053SJung-uk Kim 168e71b7053SJung-uk Kim static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, 169e71b7053SJung-uk Kim void **hdata, size_t *hdatalen) 170e71b7053SJung-uk Kim { 171da327cd2SJung-uk Kim #ifdef CHARSET_EBCDIC 17217f01e99SJung-uk Kim static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 173da327cd2SJung-uk Kim 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65, 174da327cd2SJung-uk Kim 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 175da327cd2SJung-uk Kim 0x69, 0x66, 0x79, 0x00 }; 17617f01e99SJung-uk Kim static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 177da327cd2SJung-uk Kim 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65, 178da327cd2SJung-uk Kim 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 179da327cd2SJung-uk Kim 0x69, 0x66, 0x79, 0x00 }; 180da327cd2SJung-uk Kim #else 18117f01e99SJung-uk Kim static const char servercontext[] = "TLS 1.3, server CertificateVerify"; 18217f01e99SJung-uk Kim static const char clientcontext[] = "TLS 1.3, client CertificateVerify"; 183da327cd2SJung-uk Kim #endif 184e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) { 185e71b7053SJung-uk Kim size_t hashlen; 186e71b7053SJung-uk Kim 187e71b7053SJung-uk Kim /* Set the first 64 bytes of to-be-signed data to octet 32 */ 188e71b7053SJung-uk Kim memset(tls13tbs, 32, TLS13_TBS_START_SIZE); 189e71b7053SJung-uk Kim /* This copies the 33 bytes of context plus the 0 separator byte */ 190e71b7053SJung-uk Kim if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY 191e71b7053SJung-uk Kim || s->statem.hand_state == TLS_ST_SW_CERT_VRFY) 192e71b7053SJung-uk Kim strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext); 193e71b7053SJung-uk Kim else 194e71b7053SJung-uk Kim strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext); 195e71b7053SJung-uk Kim 196e71b7053SJung-uk Kim /* 197e71b7053SJung-uk Kim * If we're currently reading then we need to use the saved handshake 198e71b7053SJung-uk Kim * hash value. We can't use the current handshake hash state because 199e71b7053SJung-uk Kim * that includes the CertVerify itself. 200e71b7053SJung-uk Kim */ 201e71b7053SJung-uk Kim if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY 202e71b7053SJung-uk Kim || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) { 203e71b7053SJung-uk Kim memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash, 204e71b7053SJung-uk Kim s->cert_verify_hash_len); 205e71b7053SJung-uk Kim hashlen = s->cert_verify_hash_len; 206e71b7053SJung-uk Kim } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE, 207e71b7053SJung-uk Kim EVP_MAX_MD_SIZE, &hashlen)) { 208e71b7053SJung-uk Kim /* SSLfatal() already called */ 209e71b7053SJung-uk Kim return 0; 210e71b7053SJung-uk Kim } 211e71b7053SJung-uk Kim 212e71b7053SJung-uk Kim *hdata = tls13tbs; 213e71b7053SJung-uk Kim *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen; 214e71b7053SJung-uk Kim } else { 215e71b7053SJung-uk Kim size_t retlen; 216c9cf7b5cSJung-uk Kim long retlen_l; 217e71b7053SJung-uk Kim 218c9cf7b5cSJung-uk Kim retlen = retlen_l = BIO_get_mem_data(s->s3->handshake_buffer, hdata); 219c9cf7b5cSJung-uk Kim if (retlen_l <= 0) { 220e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA, 221e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 222e71b7053SJung-uk Kim return 0; 223e71b7053SJung-uk Kim } 224e71b7053SJung-uk Kim *hdatalen = retlen; 225e71b7053SJung-uk Kim } 226e71b7053SJung-uk Kim 227e71b7053SJung-uk Kim return 1; 228e71b7053SJung-uk Kim } 229e71b7053SJung-uk Kim 230e71b7053SJung-uk Kim int tls_construct_cert_verify(SSL *s, WPACKET *pkt) 231e71b7053SJung-uk Kim { 232e71b7053SJung-uk Kim EVP_PKEY *pkey = NULL; 233e71b7053SJung-uk Kim const EVP_MD *md = NULL; 234e71b7053SJung-uk Kim EVP_MD_CTX *mctx = NULL; 235e71b7053SJung-uk Kim EVP_PKEY_CTX *pctx = NULL; 236e71b7053SJung-uk Kim size_t hdatalen = 0, siglen = 0; 237e71b7053SJung-uk Kim void *hdata; 238e71b7053SJung-uk Kim unsigned char *sig = NULL; 239e71b7053SJung-uk Kim unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; 240e71b7053SJung-uk Kim const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg; 241e71b7053SJung-uk Kim 242e71b7053SJung-uk Kim if (lu == NULL || s->s3->tmp.cert == NULL) { 243e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 244e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 245e71b7053SJung-uk Kim goto err; 246e71b7053SJung-uk Kim } 247e71b7053SJung-uk Kim pkey = s->s3->tmp.cert->privatekey; 248e71b7053SJung-uk Kim 249e71b7053SJung-uk Kim if (pkey == NULL || !tls1_lookup_md(lu, &md)) { 250e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 251e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 252e71b7053SJung-uk Kim goto err; 253e71b7053SJung-uk Kim } 254e71b7053SJung-uk Kim 255e71b7053SJung-uk Kim mctx = EVP_MD_CTX_new(); 256e71b7053SJung-uk Kim if (mctx == NULL) { 257e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 258e71b7053SJung-uk Kim ERR_R_MALLOC_FAILURE); 259e71b7053SJung-uk Kim goto err; 260e71b7053SJung-uk Kim } 261e71b7053SJung-uk Kim 262e71b7053SJung-uk Kim /* Get the data to be signed */ 263e71b7053SJung-uk Kim if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { 264e71b7053SJung-uk Kim /* SSLfatal() already called */ 265e71b7053SJung-uk Kim goto err; 266e71b7053SJung-uk Kim } 267e71b7053SJung-uk Kim 268e71b7053SJung-uk Kim if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { 269e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 270e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 271e71b7053SJung-uk Kim goto err; 272e71b7053SJung-uk Kim } 273e71b7053SJung-uk Kim siglen = EVP_PKEY_size(pkey); 274e71b7053SJung-uk Kim sig = OPENSSL_malloc(siglen); 275e71b7053SJung-uk Kim if (sig == NULL) { 276e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 277e71b7053SJung-uk Kim ERR_R_MALLOC_FAILURE); 278e71b7053SJung-uk Kim goto err; 279e71b7053SJung-uk Kim } 280e71b7053SJung-uk Kim 281e71b7053SJung-uk Kim if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) { 282e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 283e71b7053SJung-uk Kim ERR_R_EVP_LIB); 284e71b7053SJung-uk Kim goto err; 285e71b7053SJung-uk Kim } 286e71b7053SJung-uk Kim 287e71b7053SJung-uk Kim if (lu->sig == EVP_PKEY_RSA_PSS) { 288e71b7053SJung-uk Kim if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 289e71b7053SJung-uk Kim || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 290e71b7053SJung-uk Kim RSA_PSS_SALTLEN_DIGEST) <= 0) { 291e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 292e71b7053SJung-uk Kim ERR_R_EVP_LIB); 293e71b7053SJung-uk Kim goto err; 294e71b7053SJung-uk Kim } 295e71b7053SJung-uk Kim } 296e71b7053SJung-uk Kim if (s->version == SSL3_VERSION) { 297e71b7053SJung-uk Kim if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0 298e71b7053SJung-uk Kim || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, 299e71b7053SJung-uk Kim (int)s->session->master_key_length, 300e71b7053SJung-uk Kim s->session->master_key) 301e71b7053SJung-uk Kim || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) { 302e71b7053SJung-uk Kim 303e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 304e71b7053SJung-uk Kim ERR_R_EVP_LIB); 305e71b7053SJung-uk Kim goto err; 306e71b7053SJung-uk Kim } 307e71b7053SJung-uk Kim } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) { 308e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 309e71b7053SJung-uk Kim ERR_R_EVP_LIB); 310e71b7053SJung-uk Kim goto err; 311e71b7053SJung-uk Kim } 312e71b7053SJung-uk Kim 313e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST 314e71b7053SJung-uk Kim { 315e71b7053SJung-uk Kim int pktype = lu->sig; 316e71b7053SJung-uk Kim 317e71b7053SJung-uk Kim if (pktype == NID_id_GostR3410_2001 318e71b7053SJung-uk Kim || pktype == NID_id_GostR3410_2012_256 319e71b7053SJung-uk Kim || pktype == NID_id_GostR3410_2012_512) 320e71b7053SJung-uk Kim BUF_reverse(sig, NULL, siglen); 321e71b7053SJung-uk Kim } 322e71b7053SJung-uk Kim #endif 323e71b7053SJung-uk Kim 324e71b7053SJung-uk Kim if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) { 325e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 326e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 327e71b7053SJung-uk Kim goto err; 328e71b7053SJung-uk Kim } 329e71b7053SJung-uk Kim 330e71b7053SJung-uk Kim /* Digest cached records and discard handshake buffer */ 331e71b7053SJung-uk Kim if (!ssl3_digest_cached_records(s, 0)) { 332e71b7053SJung-uk Kim /* SSLfatal() already called */ 333e71b7053SJung-uk Kim goto err; 334e71b7053SJung-uk Kim } 335e71b7053SJung-uk Kim 336e71b7053SJung-uk Kim OPENSSL_free(sig); 337e71b7053SJung-uk Kim EVP_MD_CTX_free(mctx); 338e71b7053SJung-uk Kim return 1; 339e71b7053SJung-uk Kim err: 340e71b7053SJung-uk Kim OPENSSL_free(sig); 341e71b7053SJung-uk Kim EVP_MD_CTX_free(mctx); 342e71b7053SJung-uk Kim return 0; 343e71b7053SJung-uk Kim } 344e71b7053SJung-uk Kim 345e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) 346e71b7053SJung-uk Kim { 347e71b7053SJung-uk Kim EVP_PKEY *pkey = NULL; 348e71b7053SJung-uk Kim const unsigned char *data; 349e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST 350e71b7053SJung-uk Kim unsigned char *gost_data = NULL; 351e71b7053SJung-uk Kim #endif 352e71b7053SJung-uk Kim MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; 353e71b7053SJung-uk Kim int j; 354e71b7053SJung-uk Kim unsigned int len; 355e71b7053SJung-uk Kim X509 *peer; 356e71b7053SJung-uk Kim const EVP_MD *md = NULL; 357e71b7053SJung-uk Kim size_t hdatalen = 0; 358e71b7053SJung-uk Kim void *hdata; 359e71b7053SJung-uk Kim unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; 360e71b7053SJung-uk Kim EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 361e71b7053SJung-uk Kim EVP_PKEY_CTX *pctx = NULL; 362e71b7053SJung-uk Kim 363e71b7053SJung-uk Kim if (mctx == NULL) { 364e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 365e71b7053SJung-uk Kim ERR_R_MALLOC_FAILURE); 366e71b7053SJung-uk Kim goto err; 367e71b7053SJung-uk Kim } 368e71b7053SJung-uk Kim 369e71b7053SJung-uk Kim peer = s->session->peer; 370e71b7053SJung-uk Kim pkey = X509_get0_pubkey(peer); 371e71b7053SJung-uk Kim if (pkey == NULL) { 372e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 373e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 374e71b7053SJung-uk Kim goto err; 375e71b7053SJung-uk Kim } 376e71b7053SJung-uk Kim 377e71b7053SJung-uk Kim if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) { 378e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY, 379e71b7053SJung-uk Kim SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 380e71b7053SJung-uk Kim goto err; 381e71b7053SJung-uk Kim } 382e71b7053SJung-uk Kim 383e71b7053SJung-uk Kim if (SSL_USE_SIGALGS(s)) { 384e71b7053SJung-uk Kim unsigned int sigalg; 385e71b7053SJung-uk Kim 386e71b7053SJung-uk Kim if (!PACKET_get_net_2(pkt, &sigalg)) { 387e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 388e71b7053SJung-uk Kim SSL_R_BAD_PACKET); 389e71b7053SJung-uk Kim goto err; 390e71b7053SJung-uk Kim } 391e71b7053SJung-uk Kim if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) { 392e71b7053SJung-uk Kim /* SSLfatal() already called */ 393e71b7053SJung-uk Kim goto err; 394e71b7053SJung-uk Kim } 395e71b7053SJung-uk Kim } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { 396e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 397e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 398e71b7053SJung-uk Kim goto err; 399e71b7053SJung-uk Kim } 400e71b7053SJung-uk Kim 401e71b7053SJung-uk Kim if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) { 402e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 403e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 404e71b7053SJung-uk Kim goto err; 405e71b7053SJung-uk Kim } 406e71b7053SJung-uk Kim 407e71b7053SJung-uk Kim #ifdef SSL_DEBUG 408e71b7053SJung-uk Kim if (SSL_USE_SIGALGS(s)) 4096935a639SJung-uk Kim fprintf(stderr, "USING TLSv1.2 HASH %s\n", 4106935a639SJung-uk Kim md == NULL ? "n/a" : EVP_MD_name(md)); 411e71b7053SJung-uk Kim #endif 412e71b7053SJung-uk Kim 413e71b7053SJung-uk Kim /* Check for broken implementations of GOST ciphersuites */ 414e71b7053SJung-uk Kim /* 415e71b7053SJung-uk Kim * If key is GOST and len is exactly 64 or 128, it is signature without 416e71b7053SJung-uk Kim * length field (CryptoPro implementations at least till TLS 1.2) 417e71b7053SJung-uk Kim */ 418e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST 419e71b7053SJung-uk Kim if (!SSL_USE_SIGALGS(s) 420e71b7053SJung-uk Kim && ((PACKET_remaining(pkt) == 64 421e71b7053SJung-uk Kim && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001 422e71b7053SJung-uk Kim || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256)) 423e71b7053SJung-uk Kim || (PACKET_remaining(pkt) == 128 424e71b7053SJung-uk Kim && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) { 425e71b7053SJung-uk Kim len = PACKET_remaining(pkt); 426e71b7053SJung-uk Kim } else 427e71b7053SJung-uk Kim #endif 428e71b7053SJung-uk Kim if (!PACKET_get_net_2(pkt, &len)) { 429e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 430e71b7053SJung-uk Kim SSL_R_LENGTH_MISMATCH); 431e71b7053SJung-uk Kim goto err; 432e71b7053SJung-uk Kim } 433e71b7053SJung-uk Kim 434e71b7053SJung-uk Kim j = EVP_PKEY_size(pkey); 435e71b7053SJung-uk Kim if (((int)len > j) || ((int)PACKET_remaining(pkt) > j) 436e71b7053SJung-uk Kim || (PACKET_remaining(pkt) == 0)) { 437e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 438e71b7053SJung-uk Kim SSL_R_WRONG_SIGNATURE_SIZE); 439e71b7053SJung-uk Kim goto err; 440e71b7053SJung-uk Kim } 441e71b7053SJung-uk Kim if (!PACKET_get_bytes(pkt, &data, len)) { 442e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 443e71b7053SJung-uk Kim SSL_R_LENGTH_MISMATCH); 444e71b7053SJung-uk Kim goto err; 445e71b7053SJung-uk Kim } 446e71b7053SJung-uk Kim 447e71b7053SJung-uk Kim if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { 448e71b7053SJung-uk Kim /* SSLfatal() already called */ 449e71b7053SJung-uk Kim goto err; 450e71b7053SJung-uk Kim } 451e71b7053SJung-uk Kim 452e71b7053SJung-uk Kim #ifdef SSL_DEBUG 4536935a639SJung-uk Kim fprintf(stderr, "Using client verify alg %s\n", 4546935a639SJung-uk Kim md == NULL ? "n/a" : EVP_MD_name(md)); 455e71b7053SJung-uk Kim #endif 456e71b7053SJung-uk Kim if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) { 457e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 458e71b7053SJung-uk Kim ERR_R_EVP_LIB); 459e71b7053SJung-uk Kim goto err; 460e71b7053SJung-uk Kim } 461e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST 462e71b7053SJung-uk Kim { 463e71b7053SJung-uk Kim int pktype = EVP_PKEY_id(pkey); 464e71b7053SJung-uk Kim if (pktype == NID_id_GostR3410_2001 465e71b7053SJung-uk Kim || pktype == NID_id_GostR3410_2012_256 466e71b7053SJung-uk Kim || pktype == NID_id_GostR3410_2012_512) { 467e71b7053SJung-uk Kim if ((gost_data = OPENSSL_malloc(len)) == NULL) { 468e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 469e71b7053SJung-uk Kim SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE); 470e71b7053SJung-uk Kim goto err; 471e71b7053SJung-uk Kim } 472e71b7053SJung-uk Kim BUF_reverse(gost_data, data, len); 473e71b7053SJung-uk Kim data = gost_data; 474e71b7053SJung-uk Kim } 475e71b7053SJung-uk Kim } 476e71b7053SJung-uk Kim #endif 477e71b7053SJung-uk Kim 478e71b7053SJung-uk Kim if (SSL_USE_PSS(s)) { 479e71b7053SJung-uk Kim if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 480e71b7053SJung-uk Kim || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 481e71b7053SJung-uk Kim RSA_PSS_SALTLEN_DIGEST) <= 0) { 482e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 483e71b7053SJung-uk Kim ERR_R_EVP_LIB); 484e71b7053SJung-uk Kim goto err; 485e71b7053SJung-uk Kim } 486e71b7053SJung-uk Kim } 487e71b7053SJung-uk Kim if (s->version == SSL3_VERSION) { 488e71b7053SJung-uk Kim if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0 489e71b7053SJung-uk Kim || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, 490e71b7053SJung-uk Kim (int)s->session->master_key_length, 491e71b7053SJung-uk Kim s->session->master_key)) { 492e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 493e71b7053SJung-uk Kim ERR_R_EVP_LIB); 494e71b7053SJung-uk Kim goto err; 495e71b7053SJung-uk Kim } 496e71b7053SJung-uk Kim if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) { 497e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 498e71b7053SJung-uk Kim SSL_R_BAD_SIGNATURE); 499e71b7053SJung-uk Kim goto err; 500e71b7053SJung-uk Kim } 501e71b7053SJung-uk Kim } else { 502e71b7053SJung-uk Kim j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen); 503e71b7053SJung-uk Kim if (j <= 0) { 504e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 505e71b7053SJung-uk Kim SSL_R_BAD_SIGNATURE); 506e71b7053SJung-uk Kim goto err; 507e71b7053SJung-uk Kim } 508e71b7053SJung-uk Kim } 509e71b7053SJung-uk Kim 510c9cf7b5cSJung-uk Kim /* 511c9cf7b5cSJung-uk Kim * In TLSv1.3 on the client side we make sure we prepare the client 512c9cf7b5cSJung-uk Kim * certificate after the CertVerify instead of when we get the 513c9cf7b5cSJung-uk Kim * CertificateRequest. This is because in TLSv1.3 the CertificateRequest 514c9cf7b5cSJung-uk Kim * comes *before* the Certificate message. In TLSv1.2 it comes after. We 515c9cf7b5cSJung-uk Kim * want to make sure that SSL_get_peer_certificate() will return the actual 516c9cf7b5cSJung-uk Kim * server certificate from the client_cert_cb callback. 517c9cf7b5cSJung-uk Kim */ 518c9cf7b5cSJung-uk Kim if (!s->server && SSL_IS_TLS13(s) && s->s3->tmp.cert_req == 1) 519c9cf7b5cSJung-uk Kim ret = MSG_PROCESS_CONTINUE_PROCESSING; 520c9cf7b5cSJung-uk Kim else 521e71b7053SJung-uk Kim ret = MSG_PROCESS_CONTINUE_READING; 522e71b7053SJung-uk Kim err: 523e71b7053SJung-uk Kim BIO_free(s->s3->handshake_buffer); 524e71b7053SJung-uk Kim s->s3->handshake_buffer = NULL; 525e71b7053SJung-uk Kim EVP_MD_CTX_free(mctx); 526e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST 527e71b7053SJung-uk Kim OPENSSL_free(gost_data); 528e71b7053SJung-uk Kim #endif 529e71b7053SJung-uk Kim return ret; 530e71b7053SJung-uk Kim } 531e71b7053SJung-uk Kim 532e71b7053SJung-uk Kim int tls_construct_finished(SSL *s, WPACKET *pkt) 533e71b7053SJung-uk Kim { 534e71b7053SJung-uk Kim size_t finish_md_len; 535e71b7053SJung-uk Kim const char *sender; 536e71b7053SJung-uk Kim size_t slen; 537e71b7053SJung-uk Kim 538e71b7053SJung-uk Kim /* This is a real handshake so make sure we clean it up at the end */ 539e71b7053SJung-uk Kim if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED) 540e71b7053SJung-uk Kim s->statem.cleanuphand = 1; 541e71b7053SJung-uk Kim 542e71b7053SJung-uk Kim /* 543e71b7053SJung-uk Kim * We only change the keys if we didn't already do this when we sent the 544e71b7053SJung-uk Kim * client certificate 545e71b7053SJung-uk Kim */ 546e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) 547e71b7053SJung-uk Kim && !s->server 548e71b7053SJung-uk Kim && s->s3->tmp.cert_req == 0 549e71b7053SJung-uk Kim && (!s->method->ssl3_enc->change_cipher_state(s, 550e71b7053SJung-uk Kim SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {; 551e71b7053SJung-uk Kim /* SSLfatal() already called */ 552e71b7053SJung-uk Kim return 0; 553e71b7053SJung-uk Kim } 554e71b7053SJung-uk Kim 555e71b7053SJung-uk Kim if (s->server) { 556e71b7053SJung-uk Kim sender = s->method->ssl3_enc->server_finished_label; 557e71b7053SJung-uk Kim slen = s->method->ssl3_enc->server_finished_label_len; 558e71b7053SJung-uk Kim } else { 559e71b7053SJung-uk Kim sender = s->method->ssl3_enc->client_finished_label; 560e71b7053SJung-uk Kim slen = s->method->ssl3_enc->client_finished_label_len; 561e71b7053SJung-uk Kim } 562e71b7053SJung-uk Kim 563e71b7053SJung-uk Kim finish_md_len = s->method->ssl3_enc->final_finish_mac(s, 564e71b7053SJung-uk Kim sender, slen, 565e71b7053SJung-uk Kim s->s3->tmp.finish_md); 566e71b7053SJung-uk Kim if (finish_md_len == 0) { 567e71b7053SJung-uk Kim /* SSLfatal() already called */ 568e71b7053SJung-uk Kim return 0; 569e71b7053SJung-uk Kim } 570e71b7053SJung-uk Kim 571e71b7053SJung-uk Kim s->s3->tmp.finish_md_len = finish_md_len; 572e71b7053SJung-uk Kim 573e71b7053SJung-uk Kim if (!WPACKET_memcpy(pkt, s->s3->tmp.finish_md, finish_md_len)) { 574e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED, 575e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 576e71b7053SJung-uk Kim return 0; 577e71b7053SJung-uk Kim } 578e71b7053SJung-uk Kim 579e71b7053SJung-uk Kim /* 580e71b7053SJung-uk Kim * Log the master secret, if logging is enabled. We don't log it for 581e71b7053SJung-uk Kim * TLSv1.3: there's a different key schedule for that. 582e71b7053SJung-uk Kim */ 583e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL, 584e71b7053SJung-uk Kim s->session->master_key, 585e71b7053SJung-uk Kim s->session->master_key_length)) { 586e71b7053SJung-uk Kim /* SSLfatal() already called */ 587e71b7053SJung-uk Kim return 0; 588e71b7053SJung-uk Kim } 589e71b7053SJung-uk Kim 590e71b7053SJung-uk Kim /* 591e71b7053SJung-uk Kim * Copy the finished so we can use it for renegotiation checks 592e71b7053SJung-uk Kim */ 593e71b7053SJung-uk Kim if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) { 594e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED, 595e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 596e71b7053SJung-uk Kim return 0; 597e71b7053SJung-uk Kim } 598e71b7053SJung-uk Kim if (!s->server) { 599e71b7053SJung-uk Kim memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md, 600e71b7053SJung-uk Kim finish_md_len); 601e71b7053SJung-uk Kim s->s3->previous_client_finished_len = finish_md_len; 602e71b7053SJung-uk Kim } else { 603e71b7053SJung-uk Kim memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md, 604e71b7053SJung-uk Kim finish_md_len); 605e71b7053SJung-uk Kim s->s3->previous_server_finished_len = finish_md_len; 606e71b7053SJung-uk Kim } 607e71b7053SJung-uk Kim 608e71b7053SJung-uk Kim return 1; 609e71b7053SJung-uk Kim } 610e71b7053SJung-uk Kim 611e71b7053SJung-uk Kim int tls_construct_key_update(SSL *s, WPACKET *pkt) 612e71b7053SJung-uk Kim { 613e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u8(pkt, s->key_update)) { 614e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE, 615e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 616e71b7053SJung-uk Kim return 0; 617e71b7053SJung-uk Kim } 618e71b7053SJung-uk Kim 619e71b7053SJung-uk Kim s->key_update = SSL_KEY_UPDATE_NONE; 620e71b7053SJung-uk Kim return 1; 621e71b7053SJung-uk Kim } 622e71b7053SJung-uk Kim 623e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) 624e71b7053SJung-uk Kim { 625e71b7053SJung-uk Kim unsigned int updatetype; 626e71b7053SJung-uk Kim 627e71b7053SJung-uk Kim /* 628e71b7053SJung-uk Kim * A KeyUpdate message signals a key change so the end of the message must 629e71b7053SJung-uk Kim * be on a record boundary. 630e71b7053SJung-uk Kim */ 631e71b7053SJung-uk Kim if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { 632e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE, 633e71b7053SJung-uk Kim SSL_R_NOT_ON_RECORD_BOUNDARY); 634e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 635e71b7053SJung-uk Kim } 636e71b7053SJung-uk Kim 637e71b7053SJung-uk Kim if (!PACKET_get_1(pkt, &updatetype) 638e71b7053SJung-uk Kim || PACKET_remaining(pkt) != 0) { 639e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE, 640e71b7053SJung-uk Kim SSL_R_BAD_KEY_UPDATE); 641e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 642e71b7053SJung-uk Kim } 643e71b7053SJung-uk Kim 644e71b7053SJung-uk Kim /* 645e71b7053SJung-uk Kim * There are only two defined key update types. Fail if we get a value we 646e71b7053SJung-uk Kim * didn't recognise. 647e71b7053SJung-uk Kim */ 648e71b7053SJung-uk Kim if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED 649e71b7053SJung-uk Kim && updatetype != SSL_KEY_UPDATE_REQUESTED) { 650e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE, 651e71b7053SJung-uk Kim SSL_R_BAD_KEY_UPDATE); 652e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 653e71b7053SJung-uk Kim } 654e71b7053SJung-uk Kim 655e71b7053SJung-uk Kim /* 656e71b7053SJung-uk Kim * If we get a request for us to update our sending keys too then, we need 657e71b7053SJung-uk Kim * to additionally send a KeyUpdate message. However that message should 658da327cd2SJung-uk Kim * not also request an update (otherwise we get into an infinite loop). 659e71b7053SJung-uk Kim */ 660da327cd2SJung-uk Kim if (updatetype == SSL_KEY_UPDATE_REQUESTED) 661e71b7053SJung-uk Kim s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; 662e71b7053SJung-uk Kim 663e71b7053SJung-uk Kim if (!tls13_update_key(s, 0)) { 664e71b7053SJung-uk Kim /* SSLfatal() already called */ 665e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 666e71b7053SJung-uk Kim } 667e71b7053SJung-uk Kim 668e71b7053SJung-uk Kim return MSG_PROCESS_FINISHED_READING; 669e71b7053SJung-uk Kim } 670e71b7053SJung-uk Kim 671e71b7053SJung-uk Kim /* 672e71b7053SJung-uk Kim * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen 673e71b7053SJung-uk Kim * to far. 674e71b7053SJung-uk Kim */ 675e71b7053SJung-uk Kim int ssl3_take_mac(SSL *s) 676e71b7053SJung-uk Kim { 677e71b7053SJung-uk Kim const char *sender; 678e71b7053SJung-uk Kim size_t slen; 679e71b7053SJung-uk Kim 680e71b7053SJung-uk Kim if (!s->server) { 681e71b7053SJung-uk Kim sender = s->method->ssl3_enc->server_finished_label; 682e71b7053SJung-uk Kim slen = s->method->ssl3_enc->server_finished_label_len; 683e71b7053SJung-uk Kim } else { 684e71b7053SJung-uk Kim sender = s->method->ssl3_enc->client_finished_label; 685e71b7053SJung-uk Kim slen = s->method->ssl3_enc->client_finished_label_len; 686e71b7053SJung-uk Kim } 687e71b7053SJung-uk Kim 688e71b7053SJung-uk Kim s->s3->tmp.peer_finish_md_len = 689e71b7053SJung-uk Kim s->method->ssl3_enc->final_finish_mac(s, sender, slen, 690e71b7053SJung-uk Kim s->s3->tmp.peer_finish_md); 691e71b7053SJung-uk Kim 692e71b7053SJung-uk Kim if (s->s3->tmp.peer_finish_md_len == 0) { 693e71b7053SJung-uk Kim /* SSLfatal() already called */ 694e71b7053SJung-uk Kim return 0; 695e71b7053SJung-uk Kim } 696e71b7053SJung-uk Kim 697e71b7053SJung-uk Kim return 1; 698e71b7053SJung-uk Kim } 699e71b7053SJung-uk Kim 700e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) 701e71b7053SJung-uk Kim { 702e71b7053SJung-uk Kim size_t remain; 703e71b7053SJung-uk Kim 704e71b7053SJung-uk Kim remain = PACKET_remaining(pkt); 705e71b7053SJung-uk Kim /* 706e71b7053SJung-uk Kim * 'Change Cipher Spec' is just a single byte, which should already have 707e71b7053SJung-uk Kim * been consumed by ssl_get_message() so there should be no bytes left, 708e71b7053SJung-uk Kim * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes 709e71b7053SJung-uk Kim */ 710e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) { 711e71b7053SJung-uk Kim if ((s->version == DTLS1_BAD_VER 712e71b7053SJung-uk Kim && remain != DTLS1_CCS_HEADER_LENGTH + 1) 713e71b7053SJung-uk Kim || (s->version != DTLS1_BAD_VER 714e71b7053SJung-uk Kim && remain != DTLS1_CCS_HEADER_LENGTH - 1)) { 715e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, 716e71b7053SJung-uk Kim SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, 717e71b7053SJung-uk Kim SSL_R_BAD_CHANGE_CIPHER_SPEC); 718e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 719e71b7053SJung-uk Kim } 720e71b7053SJung-uk Kim } else { 721e71b7053SJung-uk Kim if (remain != 0) { 722e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, 723e71b7053SJung-uk Kim SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, 724e71b7053SJung-uk Kim SSL_R_BAD_CHANGE_CIPHER_SPEC); 725e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 726e71b7053SJung-uk Kim } 727e71b7053SJung-uk Kim } 728e71b7053SJung-uk Kim 729e71b7053SJung-uk Kim /* Check we have a cipher to change to */ 730e71b7053SJung-uk Kim if (s->s3->tmp.new_cipher == NULL) { 731e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 732e71b7053SJung-uk Kim SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY); 733e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 734e71b7053SJung-uk Kim } 735e71b7053SJung-uk Kim 736e71b7053SJung-uk Kim s->s3->change_cipher_spec = 1; 737e71b7053SJung-uk Kim if (!ssl3_do_change_cipher_spec(s)) { 738e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, 739e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 740e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 741e71b7053SJung-uk Kim } 742e71b7053SJung-uk Kim 743e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) { 744e71b7053SJung-uk Kim dtls1_reset_seq_numbers(s, SSL3_CC_READ); 745e71b7053SJung-uk Kim 746e71b7053SJung-uk Kim if (s->version == DTLS1_BAD_VER) 747e71b7053SJung-uk Kim s->d1->handshake_read_seq++; 748e71b7053SJung-uk Kim 749e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SCTP 750e71b7053SJung-uk Kim /* 751e71b7053SJung-uk Kim * Remember that a CCS has been received, so that an old key of 752e71b7053SJung-uk Kim * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no 753e71b7053SJung-uk Kim * SCTP is used 754e71b7053SJung-uk Kim */ 755e71b7053SJung-uk Kim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL); 756e71b7053SJung-uk Kim #endif 757e71b7053SJung-uk Kim } 758e71b7053SJung-uk Kim 759e71b7053SJung-uk Kim return MSG_PROCESS_CONTINUE_READING; 760e71b7053SJung-uk Kim } 761e71b7053SJung-uk Kim 762e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) 763e71b7053SJung-uk Kim { 764e71b7053SJung-uk Kim size_t md_len; 765e71b7053SJung-uk Kim 766e71b7053SJung-uk Kim 767e71b7053SJung-uk Kim /* This is a real handshake so make sure we clean it up at the end */ 768e71b7053SJung-uk Kim if (s->server) { 769e71b7053SJung-uk Kim /* 770e71b7053SJung-uk Kim * To get this far we must have read encrypted data from the client. We 771e71b7053SJung-uk Kim * no longer tolerate unencrypted alerts. This value is ignored if less 772e71b7053SJung-uk Kim * than TLSv1.3 773e71b7053SJung-uk Kim */ 774e71b7053SJung-uk Kim s->statem.enc_read_state = ENC_READ_STATE_VALID; 775e71b7053SJung-uk Kim if (s->post_handshake_auth != SSL_PHA_REQUESTED) 776e71b7053SJung-uk Kim s->statem.cleanuphand = 1; 777e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) { 778e71b7053SJung-uk Kim /* SSLfatal() already called */ 779e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 780e71b7053SJung-uk Kim } 781e71b7053SJung-uk Kim } 782e71b7053SJung-uk Kim 783e71b7053SJung-uk Kim /* 784e71b7053SJung-uk Kim * In TLSv1.3 a Finished message signals a key change so the end of the 785e71b7053SJung-uk Kim * message must be on a record boundary. 786e71b7053SJung-uk Kim */ 787e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { 788e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED, 789e71b7053SJung-uk Kim SSL_R_NOT_ON_RECORD_BOUNDARY); 790e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 791e71b7053SJung-uk Kim } 792e71b7053SJung-uk Kim 793e71b7053SJung-uk Kim /* If this occurs, we have missed a message */ 794e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) { 795e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED, 796e71b7053SJung-uk Kim SSL_R_GOT_A_FIN_BEFORE_A_CCS); 797e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 798e71b7053SJung-uk Kim } 799e71b7053SJung-uk Kim s->s3->change_cipher_spec = 0; 800e71b7053SJung-uk Kim 801e71b7053SJung-uk Kim md_len = s->s3->tmp.peer_finish_md_len; 802e71b7053SJung-uk Kim 803e71b7053SJung-uk Kim if (md_len != PACKET_remaining(pkt)) { 804e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED, 805e71b7053SJung-uk Kim SSL_R_BAD_DIGEST_LENGTH); 806e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 807e71b7053SJung-uk Kim } 808e71b7053SJung-uk Kim 809e71b7053SJung-uk Kim if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md, 810e71b7053SJung-uk Kim md_len) != 0) { 811e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED, 812e71b7053SJung-uk Kim SSL_R_DIGEST_CHECK_FAILED); 813e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 814e71b7053SJung-uk Kim } 815e71b7053SJung-uk Kim 816e71b7053SJung-uk Kim /* 817e71b7053SJung-uk Kim * Copy the finished so we can use it for renegotiation checks 818e71b7053SJung-uk Kim */ 819e71b7053SJung-uk Kim if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) { 820e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED, 821e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 822e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 823e71b7053SJung-uk Kim } 824e71b7053SJung-uk Kim if (s->server) { 825e71b7053SJung-uk Kim memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, 826e71b7053SJung-uk Kim md_len); 827e71b7053SJung-uk Kim s->s3->previous_client_finished_len = md_len; 828e71b7053SJung-uk Kim } else { 829e71b7053SJung-uk Kim memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, 830e71b7053SJung-uk Kim md_len); 831e71b7053SJung-uk Kim s->s3->previous_server_finished_len = md_len; 832e71b7053SJung-uk Kim } 833e71b7053SJung-uk Kim 834e71b7053SJung-uk Kim /* 835e71b7053SJung-uk Kim * In TLS1.3 we also have to change cipher state and do any final processing 836e71b7053SJung-uk Kim * of the initial server flight (if we are a client) 837e71b7053SJung-uk Kim */ 838e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) { 839e71b7053SJung-uk Kim if (s->server) { 840e71b7053SJung-uk Kim if (s->post_handshake_auth != SSL_PHA_REQUESTED && 841e71b7053SJung-uk Kim !s->method->ssl3_enc->change_cipher_state(s, 842e71b7053SJung-uk Kim SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) { 843e71b7053SJung-uk Kim /* SSLfatal() already called */ 844e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 845e71b7053SJung-uk Kim } 846e71b7053SJung-uk Kim } else { 84717f01e99SJung-uk Kim /* TLS 1.3 gets the secret size from the handshake md */ 84817f01e99SJung-uk Kim size_t dummy; 849e71b7053SJung-uk Kim if (!s->method->ssl3_enc->generate_master_secret(s, 850e71b7053SJung-uk Kim s->master_secret, s->handshake_secret, 0, 85117f01e99SJung-uk Kim &dummy)) { 852e71b7053SJung-uk Kim /* SSLfatal() already called */ 853e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 854e71b7053SJung-uk Kim } 855e71b7053SJung-uk Kim if (!s->method->ssl3_enc->change_cipher_state(s, 856e71b7053SJung-uk Kim SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) { 857e71b7053SJung-uk Kim /* SSLfatal() already called */ 858e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 859e71b7053SJung-uk Kim } 860e71b7053SJung-uk Kim if (!tls_process_initial_server_flight(s)) { 861e71b7053SJung-uk Kim /* SSLfatal() already called */ 862e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 863e71b7053SJung-uk Kim } 864e71b7053SJung-uk Kim } 865e71b7053SJung-uk Kim } 866e71b7053SJung-uk Kim 867e71b7053SJung-uk Kim return MSG_PROCESS_FINISHED_READING; 868e71b7053SJung-uk Kim } 869e71b7053SJung-uk Kim 870e71b7053SJung-uk Kim int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt) 871e71b7053SJung-uk Kim { 872e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) { 873e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 874e71b7053SJung-uk Kim SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); 875e71b7053SJung-uk Kim return 0; 876e71b7053SJung-uk Kim } 877e71b7053SJung-uk Kim 878e71b7053SJung-uk Kim return 1; 879e71b7053SJung-uk Kim } 880e71b7053SJung-uk Kim 881e71b7053SJung-uk Kim /* Add a certificate to the WPACKET */ 882e71b7053SJung-uk Kim static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain) 883e71b7053SJung-uk Kim { 884e71b7053SJung-uk Kim int len; 885e71b7053SJung-uk Kim unsigned char *outbytes; 886e71b7053SJung-uk Kim 887e71b7053SJung-uk Kim len = i2d_X509(x, NULL); 888e71b7053SJung-uk Kim if (len < 0) { 889e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET, 890e71b7053SJung-uk Kim ERR_R_BUF_LIB); 891e71b7053SJung-uk Kim return 0; 892e71b7053SJung-uk Kim } 893e71b7053SJung-uk Kim if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes) 894e71b7053SJung-uk Kim || i2d_X509(x, &outbytes) != len) { 895e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET, 896e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 897e71b7053SJung-uk Kim return 0; 898e71b7053SJung-uk Kim } 899e71b7053SJung-uk Kim 900e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) 901e71b7053SJung-uk Kim && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x, 902e71b7053SJung-uk Kim chain)) { 903e71b7053SJung-uk Kim /* SSLfatal() already called */ 904e71b7053SJung-uk Kim return 0; 905e71b7053SJung-uk Kim } 906e71b7053SJung-uk Kim 907e71b7053SJung-uk Kim return 1; 908e71b7053SJung-uk Kim } 909e71b7053SJung-uk Kim 910e71b7053SJung-uk Kim /* Add certificate chain to provided WPACKET */ 911e71b7053SJung-uk Kim static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) 912e71b7053SJung-uk Kim { 913e71b7053SJung-uk Kim int i, chain_count; 914e71b7053SJung-uk Kim X509 *x; 915e71b7053SJung-uk Kim STACK_OF(X509) *extra_certs; 916e71b7053SJung-uk Kim STACK_OF(X509) *chain = NULL; 917e71b7053SJung-uk Kim X509_STORE *chain_store; 918e71b7053SJung-uk Kim 919e71b7053SJung-uk Kim if (cpk == NULL || cpk->x509 == NULL) 920e71b7053SJung-uk Kim return 1; 921e71b7053SJung-uk Kim 922e71b7053SJung-uk Kim x = cpk->x509; 923e71b7053SJung-uk Kim 924e71b7053SJung-uk Kim /* 925e71b7053SJung-uk Kim * If we have a certificate specific chain use it, else use parent ctx. 926e71b7053SJung-uk Kim */ 927e71b7053SJung-uk Kim if (cpk->chain != NULL) 928e71b7053SJung-uk Kim extra_certs = cpk->chain; 929e71b7053SJung-uk Kim else 930e71b7053SJung-uk Kim extra_certs = s->ctx->extra_certs; 931e71b7053SJung-uk Kim 932e71b7053SJung-uk Kim if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs) 933e71b7053SJung-uk Kim chain_store = NULL; 934e71b7053SJung-uk Kim else if (s->cert->chain_store) 935e71b7053SJung-uk Kim chain_store = s->cert->chain_store; 936e71b7053SJung-uk Kim else 937e71b7053SJung-uk Kim chain_store = s->ctx->cert_store; 938e71b7053SJung-uk Kim 939e71b7053SJung-uk Kim if (chain_store != NULL) { 940e71b7053SJung-uk Kim X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new(); 941e71b7053SJung-uk Kim 942e71b7053SJung-uk Kim if (xs_ctx == NULL) { 943e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, 944e71b7053SJung-uk Kim ERR_R_MALLOC_FAILURE); 945e71b7053SJung-uk Kim return 0; 946e71b7053SJung-uk Kim } 947e71b7053SJung-uk Kim if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) { 948e71b7053SJung-uk Kim X509_STORE_CTX_free(xs_ctx); 949e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, 950e71b7053SJung-uk Kim ERR_R_X509_LIB); 951e71b7053SJung-uk Kim return 0; 952e71b7053SJung-uk Kim } 953e71b7053SJung-uk Kim /* 954e71b7053SJung-uk Kim * It is valid for the chain not to be complete (because normally we 955e71b7053SJung-uk Kim * don't include the root cert in the chain). Therefore we deliberately 956e71b7053SJung-uk Kim * ignore the error return from this call. We're not actually verifying 957e71b7053SJung-uk Kim * the cert - we're just building as much of the chain as we can 958e71b7053SJung-uk Kim */ 959e71b7053SJung-uk Kim (void)X509_verify_cert(xs_ctx); 960e71b7053SJung-uk Kim /* Don't leave errors in the queue */ 961e71b7053SJung-uk Kim ERR_clear_error(); 962e71b7053SJung-uk Kim chain = X509_STORE_CTX_get0_chain(xs_ctx); 963e71b7053SJung-uk Kim i = ssl_security_cert_chain(s, chain, NULL, 0); 964e71b7053SJung-uk Kim if (i != 1) { 965e71b7053SJung-uk Kim #if 0 966e71b7053SJung-uk Kim /* Dummy error calls so mkerr generates them */ 967e71b7053SJung-uk Kim SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL); 968e71b7053SJung-uk Kim SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL); 969e71b7053SJung-uk Kim SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK); 970e71b7053SJung-uk Kim #endif 971e71b7053SJung-uk Kim X509_STORE_CTX_free(xs_ctx); 972e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i); 973e71b7053SJung-uk Kim return 0; 974e71b7053SJung-uk Kim } 975e71b7053SJung-uk Kim chain_count = sk_X509_num(chain); 976e71b7053SJung-uk Kim for (i = 0; i < chain_count; i++) { 977e71b7053SJung-uk Kim x = sk_X509_value(chain, i); 978e71b7053SJung-uk Kim 979e71b7053SJung-uk Kim if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) { 980e71b7053SJung-uk Kim /* SSLfatal() already called */ 981e71b7053SJung-uk Kim X509_STORE_CTX_free(xs_ctx); 982e71b7053SJung-uk Kim return 0; 983e71b7053SJung-uk Kim } 984e71b7053SJung-uk Kim } 985e71b7053SJung-uk Kim X509_STORE_CTX_free(xs_ctx); 986e71b7053SJung-uk Kim } else { 987e71b7053SJung-uk Kim i = ssl_security_cert_chain(s, extra_certs, x, 0); 988e71b7053SJung-uk Kim if (i != 1) { 989e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i); 990e71b7053SJung-uk Kim return 0; 991e71b7053SJung-uk Kim } 992e71b7053SJung-uk Kim if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) { 993e71b7053SJung-uk Kim /* SSLfatal() already called */ 994e71b7053SJung-uk Kim return 0; 995e71b7053SJung-uk Kim } 996e71b7053SJung-uk Kim for (i = 0; i < sk_X509_num(extra_certs); i++) { 997e71b7053SJung-uk Kim x = sk_X509_value(extra_certs, i); 998e71b7053SJung-uk Kim if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) { 999e71b7053SJung-uk Kim /* SSLfatal() already called */ 1000e71b7053SJung-uk Kim return 0; 1001e71b7053SJung-uk Kim } 1002e71b7053SJung-uk Kim } 1003e71b7053SJung-uk Kim } 1004e71b7053SJung-uk Kim return 1; 1005e71b7053SJung-uk Kim } 1006e71b7053SJung-uk Kim 1007e71b7053SJung-uk Kim unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) 1008e71b7053SJung-uk Kim { 1009e71b7053SJung-uk Kim if (!WPACKET_start_sub_packet_u24(pkt)) { 1010e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN, 1011e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1012e71b7053SJung-uk Kim return 0; 1013e71b7053SJung-uk Kim } 1014e71b7053SJung-uk Kim 1015e71b7053SJung-uk Kim if (!ssl_add_cert_chain(s, pkt, cpk)) 1016e71b7053SJung-uk Kim return 0; 1017e71b7053SJung-uk Kim 1018e71b7053SJung-uk Kim if (!WPACKET_close(pkt)) { 1019e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN, 1020e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1021e71b7053SJung-uk Kim return 0; 1022e71b7053SJung-uk Kim } 1023e71b7053SJung-uk Kim 1024e71b7053SJung-uk Kim return 1; 1025e71b7053SJung-uk Kim } 1026e71b7053SJung-uk Kim 1027e71b7053SJung-uk Kim /* 1028e71b7053SJung-uk Kim * Tidy up after the end of a handshake. In the case of SCTP this may result 1029e71b7053SJung-uk Kim * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is 1030e71b7053SJung-uk Kim * freed up as well. 1031e71b7053SJung-uk Kim */ 1032e71b7053SJung-uk Kim WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) 1033e71b7053SJung-uk Kim { 1034e71b7053SJung-uk Kim void (*cb) (const SSL *ssl, int type, int val) = NULL; 10356935a639SJung-uk Kim int cleanuphand = s->statem.cleanuphand; 1036e71b7053SJung-uk Kim 1037e71b7053SJung-uk Kim if (clearbufs) { 103817f01e99SJung-uk Kim if (!SSL_IS_DTLS(s) 103917f01e99SJung-uk Kim #ifndef OPENSSL_NO_SCTP 1040e71b7053SJung-uk Kim /* 104117f01e99SJung-uk Kim * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS 104217f01e99SJung-uk Kim * messages that require it. Therefore, DTLS procedures for retransmissions 104317f01e99SJung-uk Kim * MUST NOT be used. 104417f01e99SJung-uk Kim * Hence the init_buf can be cleared when DTLS over SCTP as transport is used. 104517f01e99SJung-uk Kim */ 104617f01e99SJung-uk Kim || BIO_dgram_is_sctp(SSL_get_wbio(s)) 104717f01e99SJung-uk Kim #endif 104817f01e99SJung-uk Kim ) { 104917f01e99SJung-uk Kim /* 105017f01e99SJung-uk Kim * We don't do this in DTLS over UDP because we may still need the init_buf 1051e71b7053SJung-uk Kim * in case there are any unexpected retransmits 1052e71b7053SJung-uk Kim */ 1053e71b7053SJung-uk Kim BUF_MEM_free(s->init_buf); 1054e71b7053SJung-uk Kim s->init_buf = NULL; 1055e71b7053SJung-uk Kim } 105617f01e99SJung-uk Kim 1057e71b7053SJung-uk Kim if (!ssl_free_wbio_buffer(s)) { 1058e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE, 1059e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1060e71b7053SJung-uk Kim return WORK_ERROR; 1061e71b7053SJung-uk Kim } 1062e71b7053SJung-uk Kim s->init_num = 0; 1063e71b7053SJung-uk Kim } 1064e71b7053SJung-uk Kim 1065e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && !s->server 1066e71b7053SJung-uk Kim && s->post_handshake_auth == SSL_PHA_REQUESTED) 1067e71b7053SJung-uk Kim s->post_handshake_auth = SSL_PHA_EXT_SENT; 1068e71b7053SJung-uk Kim 1069e71b7053SJung-uk Kim /* 1070e71b7053SJung-uk Kim * Only set if there was a Finished message and this isn't after a TLSv1.3 1071e71b7053SJung-uk Kim * post handshake exchange 1072e71b7053SJung-uk Kim */ 10736935a639SJung-uk Kim if (cleanuphand) { 1074e71b7053SJung-uk Kim /* skipped if we just sent a HelloRequest */ 1075e71b7053SJung-uk Kim s->renegotiate = 0; 1076e71b7053SJung-uk Kim s->new_session = 0; 1077e71b7053SJung-uk Kim s->statem.cleanuphand = 0; 1078e71b7053SJung-uk Kim s->ext.ticket_expected = 0; 1079e71b7053SJung-uk Kim 1080e71b7053SJung-uk Kim ssl3_cleanup_key_block(s); 1081e71b7053SJung-uk Kim 1082e71b7053SJung-uk Kim if (s->server) { 1083e71b7053SJung-uk Kim /* 1084e71b7053SJung-uk Kim * In TLSv1.3 we update the cache as part of constructing the 1085e71b7053SJung-uk Kim * NewSessionTicket 1086e71b7053SJung-uk Kim */ 1087e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s)) 1088e71b7053SJung-uk Kim ssl_update_cache(s, SSL_SESS_CACHE_SERVER); 1089e71b7053SJung-uk Kim 1090e71b7053SJung-uk Kim /* N.B. s->ctx may not equal s->session_ctx */ 1091e71b7053SJung-uk Kim tsan_counter(&s->ctx->stats.sess_accept_good); 1092e71b7053SJung-uk Kim s->handshake_func = ossl_statem_accept; 1093e71b7053SJung-uk Kim } else { 1094e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) { 1095e71b7053SJung-uk Kim /* 1096e71b7053SJung-uk Kim * We encourage applications to only use TLSv1.3 tickets once, 1097e71b7053SJung-uk Kim * so we remove this one from the cache. 1098e71b7053SJung-uk Kim */ 1099e71b7053SJung-uk Kim if ((s->session_ctx->session_cache_mode 1100e71b7053SJung-uk Kim & SSL_SESS_CACHE_CLIENT) != 0) 1101e71b7053SJung-uk Kim SSL_CTX_remove_session(s->session_ctx, s->session); 1102e71b7053SJung-uk Kim } else { 1103e71b7053SJung-uk Kim /* 1104e71b7053SJung-uk Kim * In TLSv1.3 we update the cache as part of processing the 1105e71b7053SJung-uk Kim * NewSessionTicket 1106e71b7053SJung-uk Kim */ 1107e71b7053SJung-uk Kim ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 1108e71b7053SJung-uk Kim } 1109e71b7053SJung-uk Kim if (s->hit) 1110e71b7053SJung-uk Kim tsan_counter(&s->session_ctx->stats.sess_hit); 1111e71b7053SJung-uk Kim 1112e71b7053SJung-uk Kim s->handshake_func = ossl_statem_connect; 1113e71b7053SJung-uk Kim tsan_counter(&s->session_ctx->stats.sess_connect_good); 1114e71b7053SJung-uk Kim } 1115e71b7053SJung-uk Kim 1116e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) { 1117e71b7053SJung-uk Kim /* done with handshaking */ 1118e71b7053SJung-uk Kim s->d1->handshake_read_seq = 0; 1119e71b7053SJung-uk Kim s->d1->handshake_write_seq = 0; 1120e71b7053SJung-uk Kim s->d1->next_handshake_write_seq = 0; 1121e71b7053SJung-uk Kim dtls1_clear_received_buffer(s); 1122e71b7053SJung-uk Kim } 1123e71b7053SJung-uk Kim } 1124e71b7053SJung-uk Kim 1125e71b7053SJung-uk Kim if (s->info_callback != NULL) 1126e71b7053SJung-uk Kim cb = s->info_callback; 1127e71b7053SJung-uk Kim else if (s->ctx->info_callback != NULL) 1128e71b7053SJung-uk Kim cb = s->ctx->info_callback; 1129e71b7053SJung-uk Kim 1130e71b7053SJung-uk Kim /* The callback may expect us to not be in init at handshake done */ 1131e71b7053SJung-uk Kim ossl_statem_set_in_init(s, 0); 1132e71b7053SJung-uk Kim 11336935a639SJung-uk Kim if (cb != NULL) { 11346935a639SJung-uk Kim if (cleanuphand 11356935a639SJung-uk Kim || !SSL_IS_TLS13(s) 11366935a639SJung-uk Kim || SSL_IS_FIRST_HANDSHAKE(s)) 1137e71b7053SJung-uk Kim cb(s, SSL_CB_HANDSHAKE_DONE, 1); 11386935a639SJung-uk Kim } 1139e71b7053SJung-uk Kim 1140e71b7053SJung-uk Kim if (!stop) { 1141e71b7053SJung-uk Kim /* If we've got more work to do we go back into init */ 1142e71b7053SJung-uk Kim ossl_statem_set_in_init(s, 1); 1143e71b7053SJung-uk Kim return WORK_FINISHED_CONTINUE; 1144e71b7053SJung-uk Kim } 1145e71b7053SJung-uk Kim 1146e71b7053SJung-uk Kim return WORK_FINISHED_STOP; 1147e71b7053SJung-uk Kim } 1148e71b7053SJung-uk Kim 1149e71b7053SJung-uk Kim int tls_get_message_header(SSL *s, int *mt) 1150e71b7053SJung-uk Kim { 1151e71b7053SJung-uk Kim /* s->init_num < SSL3_HM_HEADER_LENGTH */ 1152e71b7053SJung-uk Kim int skip_message, i, recvd_type; 1153e71b7053SJung-uk Kim unsigned char *p; 1154e71b7053SJung-uk Kim size_t l, readbytes; 1155e71b7053SJung-uk Kim 1156e71b7053SJung-uk Kim p = (unsigned char *)s->init_buf->data; 1157e71b7053SJung-uk Kim 1158e71b7053SJung-uk Kim do { 1159e71b7053SJung-uk Kim while (s->init_num < SSL3_HM_HEADER_LENGTH) { 1160e71b7053SJung-uk Kim i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, 1161e71b7053SJung-uk Kim &p[s->init_num], 1162e71b7053SJung-uk Kim SSL3_HM_HEADER_LENGTH - s->init_num, 1163e71b7053SJung-uk Kim 0, &readbytes); 1164e71b7053SJung-uk Kim if (i <= 0) { 1165e71b7053SJung-uk Kim s->rwstate = SSL_READING; 1166e71b7053SJung-uk Kim return 0; 1167e71b7053SJung-uk Kim } 1168e71b7053SJung-uk Kim if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 1169e71b7053SJung-uk Kim /* 1170e71b7053SJung-uk Kim * A ChangeCipherSpec must be a single byte and may not occur 1171e71b7053SJung-uk Kim * in the middle of a handshake message. 1172e71b7053SJung-uk Kim */ 1173e71b7053SJung-uk Kim if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) { 1174e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1175e71b7053SJung-uk Kim SSL_F_TLS_GET_MESSAGE_HEADER, 1176e71b7053SJung-uk Kim SSL_R_BAD_CHANGE_CIPHER_SPEC); 1177e71b7053SJung-uk Kim return 0; 1178e71b7053SJung-uk Kim } 1179e71b7053SJung-uk Kim if (s->statem.hand_state == TLS_ST_BEFORE 1180e71b7053SJung-uk Kim && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) { 1181e71b7053SJung-uk Kim /* 1182e71b7053SJung-uk Kim * We are stateless and we received a CCS. Probably this is 1183e71b7053SJung-uk Kim * from a client between the first and second ClientHellos. 1184e71b7053SJung-uk Kim * We should ignore this, but return an error because we do 1185e71b7053SJung-uk Kim * not return success until we see the second ClientHello 1186e71b7053SJung-uk Kim * with a valid cookie. 1187e71b7053SJung-uk Kim */ 1188e71b7053SJung-uk Kim return 0; 1189e71b7053SJung-uk Kim } 1190e71b7053SJung-uk Kim s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; 1191e71b7053SJung-uk Kim s->init_num = readbytes - 1; 1192e71b7053SJung-uk Kim s->init_msg = s->init_buf->data; 1193e71b7053SJung-uk Kim s->s3->tmp.message_size = readbytes; 1194e71b7053SJung-uk Kim return 1; 1195e71b7053SJung-uk Kim } else if (recvd_type != SSL3_RT_HANDSHAKE) { 1196e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1197e71b7053SJung-uk Kim SSL_F_TLS_GET_MESSAGE_HEADER, 1198e71b7053SJung-uk Kim SSL_R_CCS_RECEIVED_EARLY); 1199e71b7053SJung-uk Kim return 0; 1200e71b7053SJung-uk Kim } 1201e71b7053SJung-uk Kim s->init_num += readbytes; 1202e71b7053SJung-uk Kim } 1203e71b7053SJung-uk Kim 1204e71b7053SJung-uk Kim skip_message = 0; 1205e71b7053SJung-uk Kim if (!s->server) 1206e71b7053SJung-uk Kim if (s->statem.hand_state != TLS_ST_OK 1207e71b7053SJung-uk Kim && p[0] == SSL3_MT_HELLO_REQUEST) 1208e71b7053SJung-uk Kim /* 1209e71b7053SJung-uk Kim * The server may always send 'Hello Request' messages -- 1210e71b7053SJung-uk Kim * we are doing a handshake anyway now, so ignore them if 1211e71b7053SJung-uk Kim * their format is correct. Does not count for 'Finished' 1212e71b7053SJung-uk Kim * MAC. 1213e71b7053SJung-uk Kim */ 1214e71b7053SJung-uk Kim if (p[1] == 0 && p[2] == 0 && p[3] == 0) { 1215e71b7053SJung-uk Kim s->init_num = 0; 1216e71b7053SJung-uk Kim skip_message = 1; 1217e71b7053SJung-uk Kim 1218e71b7053SJung-uk Kim if (s->msg_callback) 1219e71b7053SJung-uk Kim s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 1220e71b7053SJung-uk Kim p, SSL3_HM_HEADER_LENGTH, s, 1221e71b7053SJung-uk Kim s->msg_callback_arg); 1222e71b7053SJung-uk Kim } 1223e71b7053SJung-uk Kim } while (skip_message); 1224e71b7053SJung-uk Kim /* s->init_num == SSL3_HM_HEADER_LENGTH */ 1225e71b7053SJung-uk Kim 1226e71b7053SJung-uk Kim *mt = *p; 1227e71b7053SJung-uk Kim s->s3->tmp.message_type = *(p++); 1228e71b7053SJung-uk Kim 1229e71b7053SJung-uk Kim if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 1230e71b7053SJung-uk Kim /* 1231e71b7053SJung-uk Kim * Only happens with SSLv3+ in an SSLv2 backward compatible 1232e71b7053SJung-uk Kim * ClientHello 1233e71b7053SJung-uk Kim * 1234e71b7053SJung-uk Kim * Total message size is the remaining record bytes to read 1235e71b7053SJung-uk Kim * plus the SSL3_HM_HEADER_LENGTH bytes that we already read 1236e71b7053SJung-uk Kim */ 1237e71b7053SJung-uk Kim l = RECORD_LAYER_get_rrec_length(&s->rlayer) 1238e71b7053SJung-uk Kim + SSL3_HM_HEADER_LENGTH; 1239e71b7053SJung-uk Kim s->s3->tmp.message_size = l; 1240e71b7053SJung-uk Kim 1241e71b7053SJung-uk Kim s->init_msg = s->init_buf->data; 1242e71b7053SJung-uk Kim s->init_num = SSL3_HM_HEADER_LENGTH; 1243e71b7053SJung-uk Kim } else { 1244e71b7053SJung-uk Kim n2l3(p, l); 1245e71b7053SJung-uk Kim /* BUF_MEM_grow takes an 'int' parameter */ 1246e71b7053SJung-uk Kim if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) { 1247e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER, 1248e71b7053SJung-uk Kim SSL_R_EXCESSIVE_MESSAGE_SIZE); 1249e71b7053SJung-uk Kim return 0; 1250e71b7053SJung-uk Kim } 1251e71b7053SJung-uk Kim s->s3->tmp.message_size = l; 1252e71b7053SJung-uk Kim 1253e71b7053SJung-uk Kim s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; 1254e71b7053SJung-uk Kim s->init_num = 0; 1255e71b7053SJung-uk Kim } 1256e71b7053SJung-uk Kim 1257e71b7053SJung-uk Kim return 1; 1258e71b7053SJung-uk Kim } 1259e71b7053SJung-uk Kim 1260e71b7053SJung-uk Kim int tls_get_message_body(SSL *s, size_t *len) 1261e71b7053SJung-uk Kim { 1262e71b7053SJung-uk Kim size_t n, readbytes; 1263e71b7053SJung-uk Kim unsigned char *p; 1264e71b7053SJung-uk Kim int i; 1265e71b7053SJung-uk Kim 1266e71b7053SJung-uk Kim if (s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) { 1267e71b7053SJung-uk Kim /* We've already read everything in */ 1268e71b7053SJung-uk Kim *len = (unsigned long)s->init_num; 1269e71b7053SJung-uk Kim return 1; 1270e71b7053SJung-uk Kim } 1271e71b7053SJung-uk Kim 1272e71b7053SJung-uk Kim p = s->init_msg; 1273e71b7053SJung-uk Kim n = s->s3->tmp.message_size - s->init_num; 1274e71b7053SJung-uk Kim while (n > 0) { 1275e71b7053SJung-uk Kim i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 1276e71b7053SJung-uk Kim &p[s->init_num], n, 0, &readbytes); 1277e71b7053SJung-uk Kim if (i <= 0) { 1278e71b7053SJung-uk Kim s->rwstate = SSL_READING; 1279e71b7053SJung-uk Kim *len = 0; 1280e71b7053SJung-uk Kim return 0; 1281e71b7053SJung-uk Kim } 1282e71b7053SJung-uk Kim s->init_num += readbytes; 1283e71b7053SJung-uk Kim n -= readbytes; 1284e71b7053SJung-uk Kim } 1285e71b7053SJung-uk Kim 1286e71b7053SJung-uk Kim /* 1287e71b7053SJung-uk Kim * If receiving Finished, record MAC of prior handshake messages for 1288e71b7053SJung-uk Kim * Finished verification. 1289e71b7053SJung-uk Kim */ 1290e71b7053SJung-uk Kim if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) { 1291e71b7053SJung-uk Kim /* SSLfatal() already called */ 1292e71b7053SJung-uk Kim *len = 0; 1293e71b7053SJung-uk Kim return 0; 1294e71b7053SJung-uk Kim } 1295e71b7053SJung-uk Kim 1296e71b7053SJung-uk Kim /* Feed this message into MAC computation. */ 1297e71b7053SJung-uk Kim if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 1298e71b7053SJung-uk Kim if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1299e71b7053SJung-uk Kim s->init_num)) { 1300e71b7053SJung-uk Kim /* SSLfatal() already called */ 1301e71b7053SJung-uk Kim *len = 0; 1302e71b7053SJung-uk Kim return 0; 1303e71b7053SJung-uk Kim } 1304e71b7053SJung-uk Kim if (s->msg_callback) 1305e71b7053SJung-uk Kim s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data, 1306e71b7053SJung-uk Kim (size_t)s->init_num, s, s->msg_callback_arg); 1307e71b7053SJung-uk Kim } else { 1308e71b7053SJung-uk Kim /* 1309e71b7053SJung-uk Kim * We defer feeding in the HRR until later. We'll do it as part of 1310e71b7053SJung-uk Kim * processing the message 1311e71b7053SJung-uk Kim * The TLsv1.3 handshake transcript stops at the ClientFinished 1312e71b7053SJung-uk Kim * message. 1313e71b7053SJung-uk Kim */ 1314e71b7053SJung-uk Kim #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2) 1315e71b7053SJung-uk Kim /* KeyUpdate and NewSessionTicket do not need to be added */ 1316e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s) || (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET 1317e71b7053SJung-uk Kim && s->s3->tmp.message_type != SSL3_MT_KEY_UPDATE)) { 1318e71b7053SJung-uk Kim if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO 1319e71b7053SJung-uk Kim || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE 1320e71b7053SJung-uk Kim || memcmp(hrrrandom, 1321e71b7053SJung-uk Kim s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET, 1322e71b7053SJung-uk Kim SSL3_RANDOM_SIZE) != 0) { 1323e71b7053SJung-uk Kim if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1324e71b7053SJung-uk Kim s->init_num + SSL3_HM_HEADER_LENGTH)) { 1325e71b7053SJung-uk Kim /* SSLfatal() already called */ 1326e71b7053SJung-uk Kim *len = 0; 1327e71b7053SJung-uk Kim return 0; 1328e71b7053SJung-uk Kim } 1329e71b7053SJung-uk Kim } 1330e71b7053SJung-uk Kim } 1331e71b7053SJung-uk Kim if (s->msg_callback) 1332e71b7053SJung-uk Kim s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, 1333e71b7053SJung-uk Kim (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s, 1334e71b7053SJung-uk Kim s->msg_callback_arg); 1335e71b7053SJung-uk Kim } 1336e71b7053SJung-uk Kim 1337e71b7053SJung-uk Kim *len = s->init_num; 1338e71b7053SJung-uk Kim return 1; 1339e71b7053SJung-uk Kim } 1340e71b7053SJung-uk Kim 1341e71b7053SJung-uk Kim static const X509ERR2ALERT x509table[] = { 1342e71b7053SJung-uk Kim {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE}, 1343e71b7053SJung-uk Kim {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE}, 134458f35182SJung-uk Kim {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE}, 1345e71b7053SJung-uk Kim {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE}, 1346e71b7053SJung-uk Kim {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA}, 1347e71b7053SJung-uk Kim {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED}, 1348e71b7053SJung-uk Kim {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE}, 1349e71b7053SJung-uk Kim {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE}, 1350e71b7053SJung-uk Kim {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED}, 1351e71b7053SJung-uk Kim {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR}, 1352e71b7053SJung-uk Kim {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE}, 1353e71b7053SJung-uk Kim {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED}, 1354e71b7053SJung-uk Kim {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE}, 1355e71b7053SJung-uk Kim {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR}, 1356e71b7053SJung-uk Kim {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE}, 1357e71b7053SJung-uk Kim {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA}, 1358e71b7053SJung-uk Kim {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE}, 1359e71b7053SJung-uk Kim {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1360e71b7053SJung-uk Kim {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE}, 1361e71b7053SJung-uk Kim {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1362e71b7053SJung-uk Kim {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1363e71b7053SJung-uk Kim {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1364e71b7053SJung-uk Kim {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1365e71b7053SJung-uk Kim {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA}, 1366e71b7053SJung-uk Kim {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR}, 1367e71b7053SJung-uk Kim {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE}, 1368e71b7053SJung-uk Kim {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1369e71b7053SJung-uk Kim {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR}, 1370e71b7053SJung-uk Kim {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA}, 1371e71b7053SJung-uk Kim {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA}, 1372e71b7053SJung-uk Kim {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR}, 1373e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE}, 1374e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE}, 1375e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE}, 1376e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA}, 1377e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA}, 1378e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA}, 1379e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA}, 1380e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA}, 1381e71b7053SJung-uk Kim {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR}, 1382e71b7053SJung-uk Kim 1383e71b7053SJung-uk Kim /* Last entry; return this if we don't find the value above. */ 1384e71b7053SJung-uk Kim {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN} 1385e71b7053SJung-uk Kim }; 1386e71b7053SJung-uk Kim 1387e71b7053SJung-uk Kim int ssl_x509err2alert(int x509err) 1388e71b7053SJung-uk Kim { 1389e71b7053SJung-uk Kim const X509ERR2ALERT *tp; 1390e71b7053SJung-uk Kim 1391e71b7053SJung-uk Kim for (tp = x509table; tp->x509err != X509_V_OK; ++tp) 1392e71b7053SJung-uk Kim if (tp->x509err == x509err) 1393e71b7053SJung-uk Kim break; 1394e71b7053SJung-uk Kim return tp->alert; 1395e71b7053SJung-uk Kim } 1396e71b7053SJung-uk Kim 1397e71b7053SJung-uk Kim int ssl_allow_compression(SSL *s) 1398e71b7053SJung-uk Kim { 1399e71b7053SJung-uk Kim if (s->options & SSL_OP_NO_COMPRESSION) 1400e71b7053SJung-uk Kim return 0; 1401e71b7053SJung-uk Kim return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL); 1402e71b7053SJung-uk Kim } 1403e71b7053SJung-uk Kim 1404e71b7053SJung-uk Kim static int version_cmp(const SSL *s, int a, int b) 1405e71b7053SJung-uk Kim { 1406e71b7053SJung-uk Kim int dtls = SSL_IS_DTLS(s); 1407e71b7053SJung-uk Kim 1408e71b7053SJung-uk Kim if (a == b) 1409e71b7053SJung-uk Kim return 0; 1410e71b7053SJung-uk Kim if (!dtls) 1411e71b7053SJung-uk Kim return a < b ? -1 : 1; 1412e71b7053SJung-uk Kim return DTLS_VERSION_LT(a, b) ? -1 : 1; 1413e71b7053SJung-uk Kim } 1414e71b7053SJung-uk Kim 1415e71b7053SJung-uk Kim typedef struct { 1416e71b7053SJung-uk Kim int version; 1417e71b7053SJung-uk Kim const SSL_METHOD *(*cmeth) (void); 1418e71b7053SJung-uk Kim const SSL_METHOD *(*smeth) (void); 1419e71b7053SJung-uk Kim } version_info; 1420e71b7053SJung-uk Kim 1421e71b7053SJung-uk Kim #if TLS_MAX_VERSION != TLS1_3_VERSION 1422e71b7053SJung-uk Kim # error Code needs update for TLS_method() support beyond TLS1_3_VERSION. 1423e71b7053SJung-uk Kim #endif 1424e71b7053SJung-uk Kim 1425e71b7053SJung-uk Kim /* Must be in order high to low */ 1426e71b7053SJung-uk Kim static const version_info tls_version_table[] = { 1427e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_3 1428e71b7053SJung-uk Kim {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method}, 1429e71b7053SJung-uk Kim #else 1430e71b7053SJung-uk Kim {TLS1_3_VERSION, NULL, NULL}, 1431e71b7053SJung-uk Kim #endif 1432e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_2 1433e71b7053SJung-uk Kim {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method}, 1434e71b7053SJung-uk Kim #else 1435e71b7053SJung-uk Kim {TLS1_2_VERSION, NULL, NULL}, 1436e71b7053SJung-uk Kim #endif 1437e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_1 1438e71b7053SJung-uk Kim {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method}, 1439e71b7053SJung-uk Kim #else 1440e71b7053SJung-uk Kim {TLS1_1_VERSION, NULL, NULL}, 1441e71b7053SJung-uk Kim #endif 1442e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1 1443e71b7053SJung-uk Kim {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method}, 1444e71b7053SJung-uk Kim #else 1445e71b7053SJung-uk Kim {TLS1_VERSION, NULL, NULL}, 1446e71b7053SJung-uk Kim #endif 1447e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SSL3 1448e71b7053SJung-uk Kim {SSL3_VERSION, sslv3_client_method, sslv3_server_method}, 1449e71b7053SJung-uk Kim #else 1450e71b7053SJung-uk Kim {SSL3_VERSION, NULL, NULL}, 1451e71b7053SJung-uk Kim #endif 1452e71b7053SJung-uk Kim {0, NULL, NULL}, 1453e71b7053SJung-uk Kim }; 1454e71b7053SJung-uk Kim 1455e71b7053SJung-uk Kim #if DTLS_MAX_VERSION != DTLS1_2_VERSION 1456e71b7053SJung-uk Kim # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION. 1457e71b7053SJung-uk Kim #endif 1458e71b7053SJung-uk Kim 1459e71b7053SJung-uk Kim /* Must be in order high to low */ 1460e71b7053SJung-uk Kim static const version_info dtls_version_table[] = { 1461e71b7053SJung-uk Kim #ifndef OPENSSL_NO_DTLS1_2 1462e71b7053SJung-uk Kim {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method}, 1463e71b7053SJung-uk Kim #else 1464e71b7053SJung-uk Kim {DTLS1_2_VERSION, NULL, NULL}, 1465e71b7053SJung-uk Kim #endif 1466e71b7053SJung-uk Kim #ifndef OPENSSL_NO_DTLS1 1467e71b7053SJung-uk Kim {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method}, 1468e71b7053SJung-uk Kim {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL}, 1469e71b7053SJung-uk Kim #else 1470e71b7053SJung-uk Kim {DTLS1_VERSION, NULL, NULL}, 1471e71b7053SJung-uk Kim {DTLS1_BAD_VER, NULL, NULL}, 1472e71b7053SJung-uk Kim #endif 1473e71b7053SJung-uk Kim {0, NULL, NULL}, 1474e71b7053SJung-uk Kim }; 1475e71b7053SJung-uk Kim 1476e71b7053SJung-uk Kim /* 1477e71b7053SJung-uk Kim * ssl_method_error - Check whether an SSL_METHOD is enabled. 1478e71b7053SJung-uk Kim * 1479e71b7053SJung-uk Kim * @s: The SSL handle for the candidate method 1480e71b7053SJung-uk Kim * @method: the intended method. 1481e71b7053SJung-uk Kim * 1482e71b7053SJung-uk Kim * Returns 0 on success, or an SSL error reason on failure. 1483e71b7053SJung-uk Kim */ 1484e71b7053SJung-uk Kim static int ssl_method_error(const SSL *s, const SSL_METHOD *method) 1485e71b7053SJung-uk Kim { 1486e71b7053SJung-uk Kim int version = method->version; 1487e71b7053SJung-uk Kim 1488e71b7053SJung-uk Kim if ((s->min_proto_version != 0 && 1489e71b7053SJung-uk Kim version_cmp(s, version, s->min_proto_version) < 0) || 1490e71b7053SJung-uk Kim ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0) 1491e71b7053SJung-uk Kim return SSL_R_VERSION_TOO_LOW; 1492e71b7053SJung-uk Kim 1493e71b7053SJung-uk Kim if (s->max_proto_version != 0 && 1494e71b7053SJung-uk Kim version_cmp(s, version, s->max_proto_version) > 0) 1495e71b7053SJung-uk Kim return SSL_R_VERSION_TOO_HIGH; 1496e71b7053SJung-uk Kim 1497e71b7053SJung-uk Kim if ((s->options & method->mask) != 0) 1498e71b7053SJung-uk Kim return SSL_R_UNSUPPORTED_PROTOCOL; 1499e71b7053SJung-uk Kim if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s)) 1500e71b7053SJung-uk Kim return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE; 1501e71b7053SJung-uk Kim 1502e71b7053SJung-uk Kim return 0; 1503e71b7053SJung-uk Kim } 1504e71b7053SJung-uk Kim 1505e71b7053SJung-uk Kim /* 1506e71b7053SJung-uk Kim * Only called by servers. Returns 1 if the server has a TLSv1.3 capable 1507*88e852c0SJung-uk Kim * certificate type, or has PSK or a certificate callback configured, or has 1508*88e852c0SJung-uk Kim * a servername callback configured. Otherwise returns 0. 1509e71b7053SJung-uk Kim */ 1510e71b7053SJung-uk Kim static int is_tls13_capable(const SSL *s) 1511e71b7053SJung-uk Kim { 1512e71b7053SJung-uk Kim int i; 1513c9cf7b5cSJung-uk Kim #ifndef OPENSSL_NO_EC 1514c9cf7b5cSJung-uk Kim int curve; 1515c9cf7b5cSJung-uk Kim EC_KEY *eckey; 1516c9cf7b5cSJung-uk Kim #endif 1517e71b7053SJung-uk Kim 1518*88e852c0SJung-uk Kim if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) 1519*88e852c0SJung-uk Kim return 0; 1520*88e852c0SJung-uk Kim 1521*88e852c0SJung-uk Kim /* 1522*88e852c0SJung-uk Kim * A servername callback can change the available certs, so if a servername 1523*88e852c0SJung-uk Kim * cb is set then we just assume TLSv1.3 will be ok 1524*88e852c0SJung-uk Kim */ 1525*88e852c0SJung-uk Kim if (s->ctx->ext.servername_cb != NULL 1526*88e852c0SJung-uk Kim || s->session_ctx->ext.servername_cb != NULL) 1527*88e852c0SJung-uk Kim return 1; 1528*88e852c0SJung-uk Kim 1529e71b7053SJung-uk Kim #ifndef OPENSSL_NO_PSK 1530e71b7053SJung-uk Kim if (s->psk_server_callback != NULL) 1531e71b7053SJung-uk Kim return 1; 1532e71b7053SJung-uk Kim #endif 1533e71b7053SJung-uk Kim 1534e71b7053SJung-uk Kim if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL) 1535e71b7053SJung-uk Kim return 1; 1536e71b7053SJung-uk Kim 1537e71b7053SJung-uk Kim for (i = 0; i < SSL_PKEY_NUM; i++) { 1538e71b7053SJung-uk Kim /* Skip over certs disallowed for TLSv1.3 */ 1539e71b7053SJung-uk Kim switch (i) { 1540e71b7053SJung-uk Kim case SSL_PKEY_DSA_SIGN: 1541e71b7053SJung-uk Kim case SSL_PKEY_GOST01: 1542e71b7053SJung-uk Kim case SSL_PKEY_GOST12_256: 1543e71b7053SJung-uk Kim case SSL_PKEY_GOST12_512: 1544e71b7053SJung-uk Kim continue; 1545e71b7053SJung-uk Kim default: 1546e71b7053SJung-uk Kim break; 1547e71b7053SJung-uk Kim } 1548c9cf7b5cSJung-uk Kim if (!ssl_has_cert(s, i)) 1549c9cf7b5cSJung-uk Kim continue; 1550c9cf7b5cSJung-uk Kim #ifndef OPENSSL_NO_EC 1551c9cf7b5cSJung-uk Kim if (i != SSL_PKEY_ECC) 1552e71b7053SJung-uk Kim return 1; 1553c9cf7b5cSJung-uk Kim /* 1554c9cf7b5cSJung-uk Kim * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is 1555c9cf7b5cSJung-uk Kim * more restrictive so check that our sig algs are consistent with this 1556c9cf7b5cSJung-uk Kim * EC cert. See section 4.2.3 of RFC8446. 1557c9cf7b5cSJung-uk Kim */ 1558c9cf7b5cSJung-uk Kim eckey = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey); 1559c9cf7b5cSJung-uk Kim if (eckey == NULL) 1560c9cf7b5cSJung-uk Kim continue; 1561c9cf7b5cSJung-uk Kim curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)); 1562c9cf7b5cSJung-uk Kim if (tls_check_sigalg_curve(s, curve)) 1563c9cf7b5cSJung-uk Kim return 1; 1564c9cf7b5cSJung-uk Kim #else 1565c9cf7b5cSJung-uk Kim return 1; 1566c9cf7b5cSJung-uk Kim #endif 1567e71b7053SJung-uk Kim } 1568e71b7053SJung-uk Kim 1569e71b7053SJung-uk Kim return 0; 1570e71b7053SJung-uk Kim } 1571e71b7053SJung-uk Kim 1572e71b7053SJung-uk Kim /* 1573e71b7053SJung-uk Kim * ssl_version_supported - Check that the specified `version` is supported by 1574e71b7053SJung-uk Kim * `SSL *` instance 1575e71b7053SJung-uk Kim * 1576e71b7053SJung-uk Kim * @s: The SSL handle for the candidate method 1577e71b7053SJung-uk Kim * @version: Protocol version to test against 1578e71b7053SJung-uk Kim * 1579e71b7053SJung-uk Kim * Returns 1 when supported, otherwise 0 1580e71b7053SJung-uk Kim */ 1581e71b7053SJung-uk Kim int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth) 1582e71b7053SJung-uk Kim { 1583e71b7053SJung-uk Kim const version_info *vent; 1584e71b7053SJung-uk Kim const version_info *table; 1585e71b7053SJung-uk Kim 1586e71b7053SJung-uk Kim switch (s->method->version) { 1587e71b7053SJung-uk Kim default: 1588e71b7053SJung-uk Kim /* Version should match method version for non-ANY method */ 1589e71b7053SJung-uk Kim return version_cmp(s, version, s->version) == 0; 1590e71b7053SJung-uk Kim case TLS_ANY_VERSION: 1591e71b7053SJung-uk Kim table = tls_version_table; 1592e71b7053SJung-uk Kim break; 1593e71b7053SJung-uk Kim case DTLS_ANY_VERSION: 1594e71b7053SJung-uk Kim table = dtls_version_table; 1595e71b7053SJung-uk Kim break; 1596e71b7053SJung-uk Kim } 1597e71b7053SJung-uk Kim 1598e71b7053SJung-uk Kim for (vent = table; 1599e71b7053SJung-uk Kim vent->version != 0 && version_cmp(s, version, vent->version) <= 0; 1600e71b7053SJung-uk Kim ++vent) { 1601e71b7053SJung-uk Kim if (vent->cmeth != NULL 1602e71b7053SJung-uk Kim && version_cmp(s, version, vent->version) == 0 1603e71b7053SJung-uk Kim && ssl_method_error(s, vent->cmeth()) == 0 1604e71b7053SJung-uk Kim && (!s->server 1605e71b7053SJung-uk Kim || version != TLS1_3_VERSION 1606e71b7053SJung-uk Kim || is_tls13_capable(s))) { 1607e71b7053SJung-uk Kim if (meth != NULL) 1608e71b7053SJung-uk Kim *meth = vent->cmeth(); 1609e71b7053SJung-uk Kim return 1; 1610e71b7053SJung-uk Kim } 1611e71b7053SJung-uk Kim } 1612e71b7053SJung-uk Kim return 0; 1613e71b7053SJung-uk Kim } 1614e71b7053SJung-uk Kim 1615e71b7053SJung-uk Kim /* 1616e71b7053SJung-uk Kim * ssl_check_version_downgrade - In response to RFC7507 SCSV version 1617e71b7053SJung-uk Kim * fallback indication from a client check whether we're using the highest 1618e71b7053SJung-uk Kim * supported protocol version. 1619e71b7053SJung-uk Kim * 1620e71b7053SJung-uk Kim * @s server SSL handle. 1621e71b7053SJung-uk Kim * 1622e71b7053SJung-uk Kim * Returns 1 when using the highest enabled version, 0 otherwise. 1623e71b7053SJung-uk Kim */ 1624e71b7053SJung-uk Kim int ssl_check_version_downgrade(SSL *s) 1625e71b7053SJung-uk Kim { 1626e71b7053SJung-uk Kim const version_info *vent; 1627e71b7053SJung-uk Kim const version_info *table; 1628e71b7053SJung-uk Kim 1629e71b7053SJung-uk Kim /* 1630e71b7053SJung-uk Kim * Check that the current protocol is the highest enabled version 1631e71b7053SJung-uk Kim * (according to s->ctx->method, as version negotiation may have changed 1632e71b7053SJung-uk Kim * s->method). 1633e71b7053SJung-uk Kim */ 1634e71b7053SJung-uk Kim if (s->version == s->ctx->method->version) 1635e71b7053SJung-uk Kim return 1; 1636e71b7053SJung-uk Kim 1637e71b7053SJung-uk Kim /* 1638e71b7053SJung-uk Kim * Apparently we're using a version-flexible SSL_METHOD (not at its 1639e71b7053SJung-uk Kim * highest protocol version). 1640e71b7053SJung-uk Kim */ 1641e71b7053SJung-uk Kim if (s->ctx->method->version == TLS_method()->version) 1642e71b7053SJung-uk Kim table = tls_version_table; 1643e71b7053SJung-uk Kim else if (s->ctx->method->version == DTLS_method()->version) 1644e71b7053SJung-uk Kim table = dtls_version_table; 1645e71b7053SJung-uk Kim else { 1646e71b7053SJung-uk Kim /* Unexpected state; fail closed. */ 1647e71b7053SJung-uk Kim return 0; 1648e71b7053SJung-uk Kim } 1649e71b7053SJung-uk Kim 1650e71b7053SJung-uk Kim for (vent = table; vent->version != 0; ++vent) { 1651e71b7053SJung-uk Kim if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0) 1652e71b7053SJung-uk Kim return s->version == vent->version; 1653e71b7053SJung-uk Kim } 1654e71b7053SJung-uk Kim return 0; 1655e71b7053SJung-uk Kim } 1656e71b7053SJung-uk Kim 1657e71b7053SJung-uk Kim /* 1658e71b7053SJung-uk Kim * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS 1659e71b7053SJung-uk Kim * protocols, provided the initial (D)TLS method is version-flexible. This 1660e71b7053SJung-uk Kim * function sanity-checks the proposed value and makes sure the method is 1661e71b7053SJung-uk Kim * version-flexible, then sets the limit if all is well. 1662e71b7053SJung-uk Kim * 1663e71b7053SJung-uk Kim * @method_version: The version of the current SSL_METHOD. 1664e71b7053SJung-uk Kim * @version: the intended limit. 1665e71b7053SJung-uk Kim * @bound: pointer to limit to be updated. 1666e71b7053SJung-uk Kim * 1667e71b7053SJung-uk Kim * Returns 1 on success, 0 on failure. 1668e71b7053SJung-uk Kim */ 1669e71b7053SJung-uk Kim int ssl_set_version_bound(int method_version, int version, int *bound) 1670e71b7053SJung-uk Kim { 167158f35182SJung-uk Kim int valid_tls; 167258f35182SJung-uk Kim int valid_dtls; 167358f35182SJung-uk Kim 1674e71b7053SJung-uk Kim if (version == 0) { 1675e71b7053SJung-uk Kim *bound = version; 1676e71b7053SJung-uk Kim return 1; 1677e71b7053SJung-uk Kim } 1678e71b7053SJung-uk Kim 167958f35182SJung-uk Kim valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION; 168058f35182SJung-uk Kim valid_dtls = 168158f35182SJung-uk Kim DTLS_VERSION_LE(version, DTLS_MAX_VERSION) && 168258f35182SJung-uk Kim DTLS_VERSION_GE(version, DTLS1_BAD_VER); 168358f35182SJung-uk Kim 168458f35182SJung-uk Kim if (!valid_tls && !valid_dtls) 168558f35182SJung-uk Kim return 0; 168658f35182SJung-uk Kim 1687e71b7053SJung-uk Kim /*- 1688e71b7053SJung-uk Kim * Restrict TLS methods to TLS protocol versions. 1689e71b7053SJung-uk Kim * Restrict DTLS methods to DTLS protocol versions. 1690e71b7053SJung-uk Kim * Note, DTLS version numbers are decreasing, use comparison macros. 1691e71b7053SJung-uk Kim * 1692e71b7053SJung-uk Kim * Note that for both lower-bounds we use explicit versions, not 1693e71b7053SJung-uk Kim * (D)TLS_MIN_VERSION. This is because we don't want to break user 1694e71b7053SJung-uk Kim * configurations. If the MIN (supported) version ever rises, the user's 1695e71b7053SJung-uk Kim * "floor" remains valid even if no longer available. We don't expect the 1696e71b7053SJung-uk Kim * MAX ceiling to ever get lower, so making that variable makes sense. 169758f35182SJung-uk Kim * 169858f35182SJung-uk Kim * We ignore attempts to set bounds on version-inflexible methods, 169958f35182SJung-uk Kim * returning success. 1700e71b7053SJung-uk Kim */ 1701e71b7053SJung-uk Kim switch (method_version) { 1702e71b7053SJung-uk Kim default: 170358f35182SJung-uk Kim break; 1704e71b7053SJung-uk Kim 1705e71b7053SJung-uk Kim case TLS_ANY_VERSION: 170658f35182SJung-uk Kim if (valid_tls) 170758f35182SJung-uk Kim *bound = version; 1708e71b7053SJung-uk Kim break; 1709e71b7053SJung-uk Kim 1710e71b7053SJung-uk Kim case DTLS_ANY_VERSION: 171158f35182SJung-uk Kim if (valid_dtls) 171258f35182SJung-uk Kim *bound = version; 1713e71b7053SJung-uk Kim break; 1714e71b7053SJung-uk Kim } 1715e71b7053SJung-uk Kim return 1; 1716e71b7053SJung-uk Kim } 1717e71b7053SJung-uk Kim 1718e71b7053SJung-uk Kim static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd) 1719e71b7053SJung-uk Kim { 1720e71b7053SJung-uk Kim if (vers == TLS1_2_VERSION 1721e71b7053SJung-uk Kim && ssl_version_supported(s, TLS1_3_VERSION, NULL)) { 1722e71b7053SJung-uk Kim *dgrd = DOWNGRADE_TO_1_2; 1723e71b7053SJung-uk Kim } else if (!SSL_IS_DTLS(s) 1724e71b7053SJung-uk Kim && vers < TLS1_2_VERSION 1725e71b7053SJung-uk Kim /* 1726e71b7053SJung-uk Kim * We need to ensure that a server that disables TLSv1.2 1727e71b7053SJung-uk Kim * (creating a hole between TLSv1.3 and TLSv1.1) can still 1728e71b7053SJung-uk Kim * complete handshakes with clients that support TLSv1.2 and 1729e71b7053SJung-uk Kim * below. Therefore we do not enable the sentinel if TLSv1.3 is 1730e71b7053SJung-uk Kim * enabled and TLSv1.2 is not. 1731e71b7053SJung-uk Kim */ 1732e71b7053SJung-uk Kim && ssl_version_supported(s, TLS1_2_VERSION, NULL)) { 1733e71b7053SJung-uk Kim *dgrd = DOWNGRADE_TO_1_1; 1734e71b7053SJung-uk Kim } else { 1735e71b7053SJung-uk Kim *dgrd = DOWNGRADE_NONE; 1736e71b7053SJung-uk Kim } 1737e71b7053SJung-uk Kim } 1738e71b7053SJung-uk Kim 1739e71b7053SJung-uk Kim /* 1740e71b7053SJung-uk Kim * ssl_choose_server_version - Choose server (D)TLS version. Called when the 1741e71b7053SJung-uk Kim * client HELLO is received to select the final server protocol version and 1742e71b7053SJung-uk Kim * the version specific method. 1743e71b7053SJung-uk Kim * 1744e71b7053SJung-uk Kim * @s: server SSL handle. 1745e71b7053SJung-uk Kim * 1746e71b7053SJung-uk Kim * Returns 0 on success or an SSL error reason number on failure. 1747e71b7053SJung-uk Kim */ 1748e71b7053SJung-uk Kim int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) 1749e71b7053SJung-uk Kim { 1750e71b7053SJung-uk Kim /*- 1751e71b7053SJung-uk Kim * With version-flexible methods we have an initial state with: 1752e71b7053SJung-uk Kim * 1753e71b7053SJung-uk Kim * s->method->version == (D)TLS_ANY_VERSION, 1754e71b7053SJung-uk Kim * s->version == (D)TLS_MAX_VERSION. 1755e71b7053SJung-uk Kim * 1756e71b7053SJung-uk Kim * So we detect version-flexible methods via the method version, not the 1757e71b7053SJung-uk Kim * handle version. 1758e71b7053SJung-uk Kim */ 1759e71b7053SJung-uk Kim int server_version = s->method->version; 1760e71b7053SJung-uk Kim int client_version = hello->legacy_version; 1761e71b7053SJung-uk Kim const version_info *vent; 1762e71b7053SJung-uk Kim const version_info *table; 1763e71b7053SJung-uk Kim int disabled = 0; 1764e71b7053SJung-uk Kim RAW_EXTENSION *suppversions; 1765e71b7053SJung-uk Kim 1766e71b7053SJung-uk Kim s->client_version = client_version; 1767e71b7053SJung-uk Kim 1768e71b7053SJung-uk Kim switch (server_version) { 1769e71b7053SJung-uk Kim default: 1770e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s)) { 1771e71b7053SJung-uk Kim if (version_cmp(s, client_version, s->version) < 0) 1772e71b7053SJung-uk Kim return SSL_R_WRONG_SSL_VERSION; 1773e71b7053SJung-uk Kim *dgrd = DOWNGRADE_NONE; 1774e71b7053SJung-uk Kim /* 1775e71b7053SJung-uk Kim * If this SSL handle is not from a version flexible method we don't 1776e71b7053SJung-uk Kim * (and never did) check min/max FIPS or Suite B constraints. Hope 1777e71b7053SJung-uk Kim * that's OK. It is up to the caller to not choose fixed protocol 1778e71b7053SJung-uk Kim * versions they don't want. If not, then easy to fix, just return 1779e71b7053SJung-uk Kim * ssl_method_error(s, s->method) 1780e71b7053SJung-uk Kim */ 1781e71b7053SJung-uk Kim return 0; 1782e71b7053SJung-uk Kim } 1783e71b7053SJung-uk Kim /* 1784e71b7053SJung-uk Kim * Fall through if we are TLSv1.3 already (this means we must be after 1785e71b7053SJung-uk Kim * a HelloRetryRequest 1786e71b7053SJung-uk Kim */ 1787e71b7053SJung-uk Kim /* fall thru */ 1788e71b7053SJung-uk Kim case TLS_ANY_VERSION: 1789e71b7053SJung-uk Kim table = tls_version_table; 1790e71b7053SJung-uk Kim break; 1791e71b7053SJung-uk Kim case DTLS_ANY_VERSION: 1792e71b7053SJung-uk Kim table = dtls_version_table; 1793e71b7053SJung-uk Kim break; 1794e71b7053SJung-uk Kim } 1795e71b7053SJung-uk Kim 1796e71b7053SJung-uk Kim suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions]; 1797e71b7053SJung-uk Kim 1798e71b7053SJung-uk Kim /* If we did an HRR then supported versions is mandatory */ 1799e71b7053SJung-uk Kim if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE) 1800e71b7053SJung-uk Kim return SSL_R_UNSUPPORTED_PROTOCOL; 1801e71b7053SJung-uk Kim 1802e71b7053SJung-uk Kim if (suppversions->present && !SSL_IS_DTLS(s)) { 1803e71b7053SJung-uk Kim unsigned int candidate_vers = 0; 1804e71b7053SJung-uk Kim unsigned int best_vers = 0; 1805e71b7053SJung-uk Kim const SSL_METHOD *best_method = NULL; 1806e71b7053SJung-uk Kim PACKET versionslist; 1807e71b7053SJung-uk Kim 1808e71b7053SJung-uk Kim suppversions->parsed = 1; 1809e71b7053SJung-uk Kim 1810e71b7053SJung-uk Kim if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) { 1811e71b7053SJung-uk Kim /* Trailing or invalid data? */ 1812e71b7053SJung-uk Kim return SSL_R_LENGTH_MISMATCH; 1813e71b7053SJung-uk Kim } 1814e71b7053SJung-uk Kim 1815e71b7053SJung-uk Kim /* 1816e71b7053SJung-uk Kim * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION. 1817e71b7053SJung-uk Kim * The spec only requires servers to check that it isn't SSLv3: 1818e71b7053SJung-uk Kim * "Any endpoint receiving a Hello message with 1819e71b7053SJung-uk Kim * ClientHello.legacy_version or ServerHello.legacy_version set to 1820e71b7053SJung-uk Kim * 0x0300 MUST abort the handshake with a "protocol_version" alert." 1821e71b7053SJung-uk Kim * We are slightly stricter and require that it isn't SSLv3 or lower. 1822e71b7053SJung-uk Kim * We tolerate TLSv1 and TLSv1.1. 1823e71b7053SJung-uk Kim */ 1824e71b7053SJung-uk Kim if (client_version <= SSL3_VERSION) 1825e71b7053SJung-uk Kim return SSL_R_BAD_LEGACY_VERSION; 1826e71b7053SJung-uk Kim 1827e71b7053SJung-uk Kim while (PACKET_get_net_2(&versionslist, &candidate_vers)) { 1828e71b7053SJung-uk Kim if (version_cmp(s, candidate_vers, best_vers) <= 0) 1829e71b7053SJung-uk Kim continue; 1830e71b7053SJung-uk Kim if (ssl_version_supported(s, candidate_vers, &best_method)) 1831e71b7053SJung-uk Kim best_vers = candidate_vers; 1832e71b7053SJung-uk Kim } 1833e71b7053SJung-uk Kim if (PACKET_remaining(&versionslist) != 0) { 1834e71b7053SJung-uk Kim /* Trailing data? */ 1835e71b7053SJung-uk Kim return SSL_R_LENGTH_MISMATCH; 1836e71b7053SJung-uk Kim } 1837e71b7053SJung-uk Kim 1838e71b7053SJung-uk Kim if (best_vers > 0) { 1839e71b7053SJung-uk Kim if (s->hello_retry_request != SSL_HRR_NONE) { 1840e71b7053SJung-uk Kim /* 1841e71b7053SJung-uk Kim * This is after a HelloRetryRequest so we better check that we 1842e71b7053SJung-uk Kim * negotiated TLSv1.3 1843e71b7053SJung-uk Kim */ 1844e71b7053SJung-uk Kim if (best_vers != TLS1_3_VERSION) 1845e71b7053SJung-uk Kim return SSL_R_UNSUPPORTED_PROTOCOL; 1846e71b7053SJung-uk Kim return 0; 1847e71b7053SJung-uk Kim } 1848e71b7053SJung-uk Kim check_for_downgrade(s, best_vers, dgrd); 1849e71b7053SJung-uk Kim s->version = best_vers; 1850e71b7053SJung-uk Kim s->method = best_method; 1851e71b7053SJung-uk Kim return 0; 1852e71b7053SJung-uk Kim } 1853e71b7053SJung-uk Kim return SSL_R_UNSUPPORTED_PROTOCOL; 1854e71b7053SJung-uk Kim } 1855e71b7053SJung-uk Kim 1856e71b7053SJung-uk Kim /* 1857e71b7053SJung-uk Kim * If the supported versions extension isn't present, then the highest 1858e71b7053SJung-uk Kim * version we can negotiate is TLSv1.2 1859e71b7053SJung-uk Kim */ 1860e71b7053SJung-uk Kim if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0) 1861e71b7053SJung-uk Kim client_version = TLS1_2_VERSION; 1862e71b7053SJung-uk Kim 1863e71b7053SJung-uk Kim /* 1864e71b7053SJung-uk Kim * No supported versions extension, so we just use the version supplied in 1865e71b7053SJung-uk Kim * the ClientHello. 1866e71b7053SJung-uk Kim */ 1867e71b7053SJung-uk Kim for (vent = table; vent->version != 0; ++vent) { 1868e71b7053SJung-uk Kim const SSL_METHOD *method; 1869e71b7053SJung-uk Kim 1870e71b7053SJung-uk Kim if (vent->smeth == NULL || 1871e71b7053SJung-uk Kim version_cmp(s, client_version, vent->version) < 0) 1872e71b7053SJung-uk Kim continue; 1873e71b7053SJung-uk Kim method = vent->smeth(); 1874e71b7053SJung-uk Kim if (ssl_method_error(s, method) == 0) { 1875e71b7053SJung-uk Kim check_for_downgrade(s, vent->version, dgrd); 1876e71b7053SJung-uk Kim s->version = vent->version; 1877e71b7053SJung-uk Kim s->method = method; 1878e71b7053SJung-uk Kim return 0; 1879e71b7053SJung-uk Kim } 1880e71b7053SJung-uk Kim disabled = 1; 1881e71b7053SJung-uk Kim } 1882e71b7053SJung-uk Kim return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW; 1883e71b7053SJung-uk Kim } 1884e71b7053SJung-uk Kim 1885e71b7053SJung-uk Kim /* 1886e71b7053SJung-uk Kim * ssl_choose_client_version - Choose client (D)TLS version. Called when the 1887e71b7053SJung-uk Kim * server HELLO is received to select the final client protocol version and 1888e71b7053SJung-uk Kim * the version specific method. 1889e71b7053SJung-uk Kim * 1890e71b7053SJung-uk Kim * @s: client SSL handle. 1891e71b7053SJung-uk Kim * @version: The proposed version from the server's HELLO. 1892e71b7053SJung-uk Kim * @extensions: The extensions received 1893e71b7053SJung-uk Kim * 1894e71b7053SJung-uk Kim * Returns 1 on success or 0 on error. 1895e71b7053SJung-uk Kim */ 1896e71b7053SJung-uk Kim int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions) 1897e71b7053SJung-uk Kim { 1898e71b7053SJung-uk Kim const version_info *vent; 1899e71b7053SJung-uk Kim const version_info *table; 1900e71b7053SJung-uk Kim int ret, ver_min, ver_max, real_max, origv; 1901e71b7053SJung-uk Kim 1902e71b7053SJung-uk Kim origv = s->version; 1903e71b7053SJung-uk Kim s->version = version; 1904e71b7053SJung-uk Kim 1905e71b7053SJung-uk Kim /* This will overwrite s->version if the extension is present */ 1906e71b7053SJung-uk Kim if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions, 1907e71b7053SJung-uk Kim SSL_EXT_TLS1_2_SERVER_HELLO 1908e71b7053SJung-uk Kim | SSL_EXT_TLS1_3_SERVER_HELLO, extensions, 1909e71b7053SJung-uk Kim NULL, 0)) { 1910e71b7053SJung-uk Kim s->version = origv; 1911e71b7053SJung-uk Kim return 0; 1912e71b7053SJung-uk Kim } 1913e71b7053SJung-uk Kim 1914e71b7053SJung-uk Kim if (s->hello_retry_request != SSL_HRR_NONE 1915e71b7053SJung-uk Kim && s->version != TLS1_3_VERSION) { 1916e71b7053SJung-uk Kim s->version = origv; 1917e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1918e71b7053SJung-uk Kim SSL_R_WRONG_SSL_VERSION); 1919e71b7053SJung-uk Kim return 0; 1920e71b7053SJung-uk Kim } 1921e71b7053SJung-uk Kim 1922e71b7053SJung-uk Kim switch (s->method->version) { 1923e71b7053SJung-uk Kim default: 1924e71b7053SJung-uk Kim if (s->version != s->method->version) { 1925e71b7053SJung-uk Kim s->version = origv; 1926e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1927e71b7053SJung-uk Kim SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1928e71b7053SJung-uk Kim SSL_R_WRONG_SSL_VERSION); 1929e71b7053SJung-uk Kim return 0; 1930e71b7053SJung-uk Kim } 1931e71b7053SJung-uk Kim /* 1932e71b7053SJung-uk Kim * If this SSL handle is not from a version flexible method we don't 1933e71b7053SJung-uk Kim * (and never did) check min/max, FIPS or Suite B constraints. Hope 1934e71b7053SJung-uk Kim * that's OK. It is up to the caller to not choose fixed protocol 1935e71b7053SJung-uk Kim * versions they don't want. If not, then easy to fix, just return 1936e71b7053SJung-uk Kim * ssl_method_error(s, s->method) 1937e71b7053SJung-uk Kim */ 1938e71b7053SJung-uk Kim return 1; 1939e71b7053SJung-uk Kim case TLS_ANY_VERSION: 1940e71b7053SJung-uk Kim table = tls_version_table; 1941e71b7053SJung-uk Kim break; 1942e71b7053SJung-uk Kim case DTLS_ANY_VERSION: 1943e71b7053SJung-uk Kim table = dtls_version_table; 1944e71b7053SJung-uk Kim break; 1945e71b7053SJung-uk Kim } 1946e71b7053SJung-uk Kim 1947e71b7053SJung-uk Kim ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max); 1948e71b7053SJung-uk Kim if (ret != 0) { 1949e71b7053SJung-uk Kim s->version = origv; 1950e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1951e71b7053SJung-uk Kim SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret); 1952e71b7053SJung-uk Kim return 0; 1953e71b7053SJung-uk Kim } 1954e71b7053SJung-uk Kim if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min) 1955e71b7053SJung-uk Kim : s->version < ver_min) { 1956e71b7053SJung-uk Kim s->version = origv; 1957e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1958e71b7053SJung-uk Kim SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); 1959e71b7053SJung-uk Kim return 0; 1960e71b7053SJung-uk Kim } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max) 1961e71b7053SJung-uk Kim : s->version > ver_max) { 1962e71b7053SJung-uk Kim s->version = origv; 1963e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1964e71b7053SJung-uk Kim SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); 1965e71b7053SJung-uk Kim return 0; 1966e71b7053SJung-uk Kim } 1967e71b7053SJung-uk Kim 1968e71b7053SJung-uk Kim if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0) 1969e71b7053SJung-uk Kim real_max = ver_max; 1970e71b7053SJung-uk Kim 1971e71b7053SJung-uk Kim /* Check for downgrades */ 1972e71b7053SJung-uk Kim if (s->version == TLS1_2_VERSION && real_max > s->version) { 1973e71b7053SJung-uk Kim if (memcmp(tls12downgrade, 1974e71b7053SJung-uk Kim s->s3->server_random + SSL3_RANDOM_SIZE 1975e71b7053SJung-uk Kim - sizeof(tls12downgrade), 1976e71b7053SJung-uk Kim sizeof(tls12downgrade)) == 0) { 1977e71b7053SJung-uk Kim s->version = origv; 1978e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1979e71b7053SJung-uk Kim SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1980e71b7053SJung-uk Kim SSL_R_INAPPROPRIATE_FALLBACK); 1981e71b7053SJung-uk Kim return 0; 1982e71b7053SJung-uk Kim } 1983e71b7053SJung-uk Kim } else if (!SSL_IS_DTLS(s) 1984e71b7053SJung-uk Kim && s->version < TLS1_2_VERSION 1985e71b7053SJung-uk Kim && real_max > s->version) { 1986e71b7053SJung-uk Kim if (memcmp(tls11downgrade, 1987e71b7053SJung-uk Kim s->s3->server_random + SSL3_RANDOM_SIZE 1988e71b7053SJung-uk Kim - sizeof(tls11downgrade), 1989e71b7053SJung-uk Kim sizeof(tls11downgrade)) == 0) { 1990e71b7053SJung-uk Kim s->version = origv; 1991e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1992e71b7053SJung-uk Kim SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1993e71b7053SJung-uk Kim SSL_R_INAPPROPRIATE_FALLBACK); 1994e71b7053SJung-uk Kim return 0; 1995e71b7053SJung-uk Kim } 1996e71b7053SJung-uk Kim } 1997e71b7053SJung-uk Kim 1998e71b7053SJung-uk Kim for (vent = table; vent->version != 0; ++vent) { 1999e71b7053SJung-uk Kim if (vent->cmeth == NULL || s->version != vent->version) 2000e71b7053SJung-uk Kim continue; 2001e71b7053SJung-uk Kim 2002e71b7053SJung-uk Kim s->method = vent->cmeth(); 2003e71b7053SJung-uk Kim return 1; 2004e71b7053SJung-uk Kim } 2005e71b7053SJung-uk Kim 2006e71b7053SJung-uk Kim s->version = origv; 2007e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION, 2008e71b7053SJung-uk Kim SSL_R_UNSUPPORTED_PROTOCOL); 2009e71b7053SJung-uk Kim return 0; 2010e71b7053SJung-uk Kim } 2011e71b7053SJung-uk Kim 2012e71b7053SJung-uk Kim /* 2013e71b7053SJung-uk Kim * ssl_get_min_max_version - get minimum and maximum protocol version 2014e71b7053SJung-uk Kim * @s: The SSL connection 2015e71b7053SJung-uk Kim * @min_version: The minimum supported version 2016e71b7053SJung-uk Kim * @max_version: The maximum supported version 2017e71b7053SJung-uk Kim * @real_max: The highest version below the lowest compile time version hole 2018e71b7053SJung-uk Kim * where that hole lies above at least one run-time enabled 2019e71b7053SJung-uk Kim * protocol. 2020e71b7053SJung-uk Kim * 2021e71b7053SJung-uk Kim * Work out what version we should be using for the initial ClientHello if the 2022e71b7053SJung-uk Kim * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx 2023e71b7053SJung-uk Kim * options, the MinProtocol and MaxProtocol configuration commands, any Suite B 2024e71b7053SJung-uk Kim * constraints and any floor imposed by the security level here, 2025e71b7053SJung-uk Kim * so we don't advertise the wrong protocol version to only reject the outcome later. 2026e71b7053SJung-uk Kim * 2027e71b7053SJung-uk Kim * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled, 2028e71b7053SJung-uk Kim * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol 2029e71b7053SJung-uk Kim * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1. 2030e71b7053SJung-uk Kim * 2031e71b7053SJung-uk Kim * Returns 0 on success or an SSL error reason number on failure. On failure 2032e71b7053SJung-uk Kim * min_version and max_version will also be set to 0. 2033e71b7053SJung-uk Kim */ 2034e71b7053SJung-uk Kim int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version, 2035e71b7053SJung-uk Kim int *real_max) 2036e71b7053SJung-uk Kim { 2037e71b7053SJung-uk Kim int version, tmp_real_max; 2038e71b7053SJung-uk Kim int hole; 2039e71b7053SJung-uk Kim const SSL_METHOD *single = NULL; 2040e71b7053SJung-uk Kim const SSL_METHOD *method; 2041e71b7053SJung-uk Kim const version_info *table; 2042e71b7053SJung-uk Kim const version_info *vent; 2043e71b7053SJung-uk Kim 2044e71b7053SJung-uk Kim switch (s->method->version) { 2045e71b7053SJung-uk Kim default: 2046e71b7053SJung-uk Kim /* 2047e71b7053SJung-uk Kim * If this SSL handle is not from a version flexible method we don't 2048e71b7053SJung-uk Kim * (and never did) check min/max FIPS or Suite B constraints. Hope 2049e71b7053SJung-uk Kim * that's OK. It is up to the caller to not choose fixed protocol 2050e71b7053SJung-uk Kim * versions they don't want. If not, then easy to fix, just return 2051e71b7053SJung-uk Kim * ssl_method_error(s, s->method) 2052e71b7053SJung-uk Kim */ 2053e71b7053SJung-uk Kim *min_version = *max_version = s->version; 2054e71b7053SJung-uk Kim /* 2055e71b7053SJung-uk Kim * Providing a real_max only makes sense where we're using a version 2056e71b7053SJung-uk Kim * flexible method. 2057e71b7053SJung-uk Kim */ 2058e71b7053SJung-uk Kim if (!ossl_assert(real_max == NULL)) 2059e71b7053SJung-uk Kim return ERR_R_INTERNAL_ERROR; 2060e71b7053SJung-uk Kim return 0; 2061e71b7053SJung-uk Kim case TLS_ANY_VERSION: 2062e71b7053SJung-uk Kim table = tls_version_table; 2063e71b7053SJung-uk Kim break; 2064e71b7053SJung-uk Kim case DTLS_ANY_VERSION: 2065e71b7053SJung-uk Kim table = dtls_version_table; 2066e71b7053SJung-uk Kim break; 2067e71b7053SJung-uk Kim } 2068e71b7053SJung-uk Kim 2069e71b7053SJung-uk Kim /* 2070e71b7053SJung-uk Kim * SSL_OP_NO_X disables all protocols above X *if* there are some protocols 2071e71b7053SJung-uk Kim * below X enabled. This is required in order to maintain the "version 2072e71b7053SJung-uk Kim * capability" vector contiguous. Any versions with a NULL client method 2073e71b7053SJung-uk Kim * (protocol version client is disabled at compile-time) is also a "hole". 2074e71b7053SJung-uk Kim * 2075e71b7053SJung-uk Kim * Our initial state is hole == 1, version == 0. That is, versions above 2076e71b7053SJung-uk Kim * the first version in the method table are disabled (a "hole" above 2077e71b7053SJung-uk Kim * the valid protocol entries) and we don't have a selected version yet. 2078e71b7053SJung-uk Kim * 2079e71b7053SJung-uk Kim * Whenever "hole == 1", and we hit an enabled method, its version becomes 2080e71b7053SJung-uk Kim * the selected version, and the method becomes a candidate "single" 2081e71b7053SJung-uk Kim * method. We're no longer in a hole, so "hole" becomes 0. 2082e71b7053SJung-uk Kim * 2083e71b7053SJung-uk Kim * If "hole == 0" and we hit an enabled method, then "single" is cleared, 2084e71b7053SJung-uk Kim * as we support a contiguous range of at least two methods. If we hit 2085e71b7053SJung-uk Kim * a disabled method, then hole becomes true again, but nothing else 2086e71b7053SJung-uk Kim * changes yet, because all the remaining methods may be disabled too. 2087e71b7053SJung-uk Kim * If we again hit an enabled method after the new hole, it becomes 2088e71b7053SJung-uk Kim * selected, as we start from scratch. 2089e71b7053SJung-uk Kim */ 2090e71b7053SJung-uk Kim *min_version = version = 0; 2091e71b7053SJung-uk Kim hole = 1; 2092e71b7053SJung-uk Kim if (real_max != NULL) 2093e71b7053SJung-uk Kim *real_max = 0; 2094e71b7053SJung-uk Kim tmp_real_max = 0; 2095e71b7053SJung-uk Kim for (vent = table; vent->version != 0; ++vent) { 2096e71b7053SJung-uk Kim /* 2097e71b7053SJung-uk Kim * A table entry with a NULL client method is still a hole in the 2098e71b7053SJung-uk Kim * "version capability" vector. 2099e71b7053SJung-uk Kim */ 2100e71b7053SJung-uk Kim if (vent->cmeth == NULL) { 2101e71b7053SJung-uk Kim hole = 1; 2102e71b7053SJung-uk Kim tmp_real_max = 0; 2103e71b7053SJung-uk Kim continue; 2104e71b7053SJung-uk Kim } 2105e71b7053SJung-uk Kim method = vent->cmeth(); 2106e71b7053SJung-uk Kim 2107e71b7053SJung-uk Kim if (hole == 1 && tmp_real_max == 0) 2108e71b7053SJung-uk Kim tmp_real_max = vent->version; 2109e71b7053SJung-uk Kim 2110e71b7053SJung-uk Kim if (ssl_method_error(s, method) != 0) { 2111e71b7053SJung-uk Kim hole = 1; 2112e71b7053SJung-uk Kim } else if (!hole) { 2113e71b7053SJung-uk Kim single = NULL; 2114e71b7053SJung-uk Kim *min_version = method->version; 2115e71b7053SJung-uk Kim } else { 2116e71b7053SJung-uk Kim if (real_max != NULL && tmp_real_max != 0) 2117e71b7053SJung-uk Kim *real_max = tmp_real_max; 2118e71b7053SJung-uk Kim version = (single = method)->version; 2119e71b7053SJung-uk Kim *min_version = version; 2120e71b7053SJung-uk Kim hole = 0; 2121e71b7053SJung-uk Kim } 2122e71b7053SJung-uk Kim } 2123e71b7053SJung-uk Kim 2124e71b7053SJung-uk Kim *max_version = version; 2125e71b7053SJung-uk Kim 2126e71b7053SJung-uk Kim /* Fail if everything is disabled */ 2127e71b7053SJung-uk Kim if (version == 0) 2128e71b7053SJung-uk Kim return SSL_R_NO_PROTOCOLS_AVAILABLE; 2129e71b7053SJung-uk Kim 2130e71b7053SJung-uk Kim return 0; 2131e71b7053SJung-uk Kim } 2132e71b7053SJung-uk Kim 2133e71b7053SJung-uk Kim /* 2134e71b7053SJung-uk Kim * ssl_set_client_hello_version - Work out what version we should be using for 2135e71b7053SJung-uk Kim * the initial ClientHello.legacy_version field. 2136e71b7053SJung-uk Kim * 2137e71b7053SJung-uk Kim * @s: client SSL handle. 2138e71b7053SJung-uk Kim * 2139e71b7053SJung-uk Kim * Returns 0 on success or an SSL error reason number on failure. 2140e71b7053SJung-uk Kim */ 2141e71b7053SJung-uk Kim int ssl_set_client_hello_version(SSL *s) 2142e71b7053SJung-uk Kim { 2143e71b7053SJung-uk Kim int ver_min, ver_max, ret; 2144e71b7053SJung-uk Kim 2145e71b7053SJung-uk Kim /* 2146e71b7053SJung-uk Kim * In a renegotiation we always send the same client_version that we sent 2147e71b7053SJung-uk Kim * last time, regardless of which version we eventually negotiated. 2148e71b7053SJung-uk Kim */ 2149e71b7053SJung-uk Kim if (!SSL_IS_FIRST_HANDSHAKE(s)) 2150e71b7053SJung-uk Kim return 0; 2151e71b7053SJung-uk Kim 2152e71b7053SJung-uk Kim ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL); 2153e71b7053SJung-uk Kim 2154e71b7053SJung-uk Kim if (ret != 0) 2155e71b7053SJung-uk Kim return ret; 2156e71b7053SJung-uk Kim 2157e71b7053SJung-uk Kim s->version = ver_max; 2158e71b7053SJung-uk Kim 2159e71b7053SJung-uk Kim /* TLS1.3 always uses TLS1.2 in the legacy_version field */ 2160e71b7053SJung-uk Kim if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION) 2161e71b7053SJung-uk Kim ver_max = TLS1_2_VERSION; 2162e71b7053SJung-uk Kim 2163e71b7053SJung-uk Kim s->client_version = ver_max; 2164e71b7053SJung-uk Kim return 0; 2165e71b7053SJung-uk Kim } 2166e71b7053SJung-uk Kim 2167e71b7053SJung-uk Kim /* 2168e71b7053SJung-uk Kim * Checks a list of |groups| to determine if the |group_id| is in it. If it is 2169e71b7053SJung-uk Kim * and |checkallow| is 1 then additionally check if the group is allowed to be 2170e71b7053SJung-uk Kim * used. Returns 1 if the group is in the list (and allowed if |checkallow| is 2171e71b7053SJung-uk Kim * 1) or 0 otherwise. 2172e71b7053SJung-uk Kim */ 2173e71b7053SJung-uk Kim #ifndef OPENSSL_NO_EC 2174e71b7053SJung-uk Kim int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups, 2175e71b7053SJung-uk Kim size_t num_groups, int checkallow) 2176e71b7053SJung-uk Kim { 2177e71b7053SJung-uk Kim size_t i; 2178e71b7053SJung-uk Kim 2179e71b7053SJung-uk Kim if (groups == NULL || num_groups == 0) 2180e71b7053SJung-uk Kim return 0; 2181e71b7053SJung-uk Kim 2182e71b7053SJung-uk Kim for (i = 0; i < num_groups; i++) { 2183e71b7053SJung-uk Kim uint16_t group = groups[i]; 2184e71b7053SJung-uk Kim 2185e71b7053SJung-uk Kim if (group_id == group 2186e71b7053SJung-uk Kim && (!checkallow 2187e71b7053SJung-uk Kim || tls_curve_allowed(s, group, SSL_SECOP_CURVE_CHECK))) { 2188e71b7053SJung-uk Kim return 1; 2189e71b7053SJung-uk Kim } 2190e71b7053SJung-uk Kim } 2191e71b7053SJung-uk Kim 2192e71b7053SJung-uk Kim return 0; 2193e71b7053SJung-uk Kim } 2194e71b7053SJung-uk Kim #endif 2195e71b7053SJung-uk Kim 2196e71b7053SJung-uk Kim /* Replace ClientHello1 in the transcript hash with a synthetic message */ 2197e71b7053SJung-uk Kim int create_synthetic_message_hash(SSL *s, const unsigned char *hashval, 2198e71b7053SJung-uk Kim size_t hashlen, const unsigned char *hrr, 2199e71b7053SJung-uk Kim size_t hrrlen) 2200e71b7053SJung-uk Kim { 2201e71b7053SJung-uk Kim unsigned char hashvaltmp[EVP_MAX_MD_SIZE]; 2202e71b7053SJung-uk Kim unsigned char msghdr[SSL3_HM_HEADER_LENGTH]; 2203e71b7053SJung-uk Kim 2204e71b7053SJung-uk Kim memset(msghdr, 0, sizeof(msghdr)); 2205e71b7053SJung-uk Kim 2206e71b7053SJung-uk Kim if (hashval == NULL) { 2207e71b7053SJung-uk Kim hashval = hashvaltmp; 2208e71b7053SJung-uk Kim hashlen = 0; 2209e71b7053SJung-uk Kim /* Get the hash of the initial ClientHello */ 2210e71b7053SJung-uk Kim if (!ssl3_digest_cached_records(s, 0) 2211e71b7053SJung-uk Kim || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp), 2212e71b7053SJung-uk Kim &hashlen)) { 2213e71b7053SJung-uk Kim /* SSLfatal() already called */ 2214e71b7053SJung-uk Kim return 0; 2215e71b7053SJung-uk Kim } 2216e71b7053SJung-uk Kim } 2217e71b7053SJung-uk Kim 2218e71b7053SJung-uk Kim /* Reinitialise the transcript hash */ 2219e71b7053SJung-uk Kim if (!ssl3_init_finished_mac(s)) { 2220e71b7053SJung-uk Kim /* SSLfatal() already called */ 2221e71b7053SJung-uk Kim return 0; 2222e71b7053SJung-uk Kim } 2223e71b7053SJung-uk Kim 2224e71b7053SJung-uk Kim /* Inject the synthetic message_hash message */ 2225e71b7053SJung-uk Kim msghdr[0] = SSL3_MT_MESSAGE_HASH; 2226e71b7053SJung-uk Kim msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen; 2227e71b7053SJung-uk Kim if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH) 2228e71b7053SJung-uk Kim || !ssl3_finish_mac(s, hashval, hashlen)) { 2229e71b7053SJung-uk Kim /* SSLfatal() already called */ 2230e71b7053SJung-uk Kim return 0; 2231e71b7053SJung-uk Kim } 2232e71b7053SJung-uk Kim 2233e71b7053SJung-uk Kim /* 2234e71b7053SJung-uk Kim * Now re-inject the HRR and current message if appropriate (we just deleted 2235e71b7053SJung-uk Kim * it when we reinitialised the transcript hash above). Only necessary after 2236e71b7053SJung-uk Kim * receiving a ClientHello2 with a cookie. 2237e71b7053SJung-uk Kim */ 2238e71b7053SJung-uk Kim if (hrr != NULL 2239e71b7053SJung-uk Kim && (!ssl3_finish_mac(s, hrr, hrrlen) 2240e71b7053SJung-uk Kim || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 2241e71b7053SJung-uk Kim s->s3->tmp.message_size 2242e71b7053SJung-uk Kim + SSL3_HM_HEADER_LENGTH))) { 2243e71b7053SJung-uk Kim /* SSLfatal() already called */ 2244e71b7053SJung-uk Kim return 0; 2245e71b7053SJung-uk Kim } 2246e71b7053SJung-uk Kim 2247e71b7053SJung-uk Kim return 1; 2248e71b7053SJung-uk Kim } 2249e71b7053SJung-uk Kim 2250e71b7053SJung-uk Kim static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b) 2251e71b7053SJung-uk Kim { 2252e71b7053SJung-uk Kim return X509_NAME_cmp(*a, *b); 2253e71b7053SJung-uk Kim } 2254e71b7053SJung-uk Kim 2255e71b7053SJung-uk Kim int parse_ca_names(SSL *s, PACKET *pkt) 2256e71b7053SJung-uk Kim { 2257e71b7053SJung-uk Kim STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp); 2258e71b7053SJung-uk Kim X509_NAME *xn = NULL; 2259e71b7053SJung-uk Kim PACKET cadns; 2260e71b7053SJung-uk Kim 2261e71b7053SJung-uk Kim if (ca_sk == NULL) { 2262e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES, 2263e71b7053SJung-uk Kim ERR_R_MALLOC_FAILURE); 2264e71b7053SJung-uk Kim goto err; 2265e71b7053SJung-uk Kim } 2266e71b7053SJung-uk Kim /* get the CA RDNs */ 2267e71b7053SJung-uk Kim if (!PACKET_get_length_prefixed_2(pkt, &cadns)) { 2268e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES, 2269e71b7053SJung-uk Kim SSL_R_LENGTH_MISMATCH); 2270e71b7053SJung-uk Kim goto err; 2271e71b7053SJung-uk Kim } 2272e71b7053SJung-uk Kim 2273e71b7053SJung-uk Kim while (PACKET_remaining(&cadns)) { 2274e71b7053SJung-uk Kim const unsigned char *namestart, *namebytes; 2275e71b7053SJung-uk Kim unsigned int name_len; 2276e71b7053SJung-uk Kim 2277e71b7053SJung-uk Kim if (!PACKET_get_net_2(&cadns, &name_len) 2278e71b7053SJung-uk Kim || !PACKET_get_bytes(&cadns, &namebytes, name_len)) { 2279e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES, 2280e71b7053SJung-uk Kim SSL_R_LENGTH_MISMATCH); 2281e71b7053SJung-uk Kim goto err; 2282e71b7053SJung-uk Kim } 2283e71b7053SJung-uk Kim 2284e71b7053SJung-uk Kim namestart = namebytes; 2285e71b7053SJung-uk Kim if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) { 2286e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES, 2287e71b7053SJung-uk Kim ERR_R_ASN1_LIB); 2288e71b7053SJung-uk Kim goto err; 2289e71b7053SJung-uk Kim } 2290e71b7053SJung-uk Kim if (namebytes != (namestart + name_len)) { 2291e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES, 2292e71b7053SJung-uk Kim SSL_R_CA_DN_LENGTH_MISMATCH); 2293e71b7053SJung-uk Kim goto err; 2294e71b7053SJung-uk Kim } 2295e71b7053SJung-uk Kim 2296e71b7053SJung-uk Kim if (!sk_X509_NAME_push(ca_sk, xn)) { 2297e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES, 2298e71b7053SJung-uk Kim ERR_R_MALLOC_FAILURE); 2299e71b7053SJung-uk Kim goto err; 2300e71b7053SJung-uk Kim } 2301e71b7053SJung-uk Kim xn = NULL; 2302e71b7053SJung-uk Kim } 2303e71b7053SJung-uk Kim 2304e71b7053SJung-uk Kim sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); 2305e71b7053SJung-uk Kim s->s3->tmp.peer_ca_names = ca_sk; 2306e71b7053SJung-uk Kim 2307e71b7053SJung-uk Kim return 1; 2308e71b7053SJung-uk Kim 2309e71b7053SJung-uk Kim err: 2310e71b7053SJung-uk Kim sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); 2311e71b7053SJung-uk Kim X509_NAME_free(xn); 2312e71b7053SJung-uk Kim return 0; 2313e71b7053SJung-uk Kim } 2314e71b7053SJung-uk Kim 2315c9cf7b5cSJung-uk Kim const STACK_OF(X509_NAME) *get_ca_names(SSL *s) 2316e71b7053SJung-uk Kim { 2317c9cf7b5cSJung-uk Kim const STACK_OF(X509_NAME) *ca_sk = NULL;; 2318e71b7053SJung-uk Kim 2319c9cf7b5cSJung-uk Kim if (s->server) { 2320c9cf7b5cSJung-uk Kim ca_sk = SSL_get_client_CA_list(s); 2321c9cf7b5cSJung-uk Kim if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0) 2322c9cf7b5cSJung-uk Kim ca_sk = NULL; 2323c9cf7b5cSJung-uk Kim } 2324c9cf7b5cSJung-uk Kim 2325c9cf7b5cSJung-uk Kim if (ca_sk == NULL) 2326c9cf7b5cSJung-uk Kim ca_sk = SSL_get0_CA_list(s); 2327c9cf7b5cSJung-uk Kim 2328c9cf7b5cSJung-uk Kim return ca_sk; 2329c9cf7b5cSJung-uk Kim } 2330c9cf7b5cSJung-uk Kim 2331c9cf7b5cSJung-uk Kim int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt) 2332c9cf7b5cSJung-uk Kim { 2333e71b7053SJung-uk Kim /* Start sub-packet for client CA list */ 2334e71b7053SJung-uk Kim if (!WPACKET_start_sub_packet_u16(pkt)) { 2335e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES, 2336e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 2337e71b7053SJung-uk Kim return 0; 2338e71b7053SJung-uk Kim } 2339e71b7053SJung-uk Kim 2340e71b7053SJung-uk Kim if (ca_sk != NULL) { 2341e71b7053SJung-uk Kim int i; 2342e71b7053SJung-uk Kim 2343e71b7053SJung-uk Kim for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) { 2344e71b7053SJung-uk Kim unsigned char *namebytes; 2345e71b7053SJung-uk Kim X509_NAME *name = sk_X509_NAME_value(ca_sk, i); 2346e71b7053SJung-uk Kim int namelen; 2347e71b7053SJung-uk Kim 2348e71b7053SJung-uk Kim if (name == NULL 2349e71b7053SJung-uk Kim || (namelen = i2d_X509_NAME(name, NULL)) < 0 2350e71b7053SJung-uk Kim || !WPACKET_sub_allocate_bytes_u16(pkt, namelen, 2351e71b7053SJung-uk Kim &namebytes) 2352e71b7053SJung-uk Kim || i2d_X509_NAME(name, &namebytes) != namelen) { 2353e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES, 2354e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 2355e71b7053SJung-uk Kim return 0; 2356e71b7053SJung-uk Kim } 2357e71b7053SJung-uk Kim } 2358e71b7053SJung-uk Kim } 2359e71b7053SJung-uk Kim 2360e71b7053SJung-uk Kim if (!WPACKET_close(pkt)) { 2361e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES, 2362e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 2363e71b7053SJung-uk Kim return 0; 2364e71b7053SJung-uk Kim } 2365e71b7053SJung-uk Kim 2366e71b7053SJung-uk Kim return 1; 2367e71b7053SJung-uk Kim } 2368e71b7053SJung-uk Kim 2369e71b7053SJung-uk Kim /* Create a buffer containing data to be signed for server key exchange */ 2370e71b7053SJung-uk Kim size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs, 2371e71b7053SJung-uk Kim const void *param, size_t paramlen) 2372e71b7053SJung-uk Kim { 2373e71b7053SJung-uk Kim size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen; 2374e71b7053SJung-uk Kim unsigned char *tbs = OPENSSL_malloc(tbslen); 2375e71b7053SJung-uk Kim 2376e71b7053SJung-uk Kim if (tbs == NULL) { 2377e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS, 2378e71b7053SJung-uk Kim ERR_R_MALLOC_FAILURE); 2379e71b7053SJung-uk Kim return 0; 2380e71b7053SJung-uk Kim } 2381e71b7053SJung-uk Kim memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE); 2382e71b7053SJung-uk Kim memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE); 2383e71b7053SJung-uk Kim 2384e71b7053SJung-uk Kim memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen); 2385e71b7053SJung-uk Kim 2386e71b7053SJung-uk Kim *ptbs = tbs; 2387e71b7053SJung-uk Kim return tbslen; 2388e71b7053SJung-uk Kim } 2389e71b7053SJung-uk Kim 2390e71b7053SJung-uk Kim /* 2391e71b7053SJung-uk Kim * Saves the current handshake digest for Post-Handshake Auth, 2392e71b7053SJung-uk Kim * Done after ClientFinished is processed, done exactly once 2393e71b7053SJung-uk Kim */ 2394e71b7053SJung-uk Kim int tls13_save_handshake_digest_for_pha(SSL *s) 2395e71b7053SJung-uk Kim { 2396e71b7053SJung-uk Kim if (s->pha_dgst == NULL) { 2397e71b7053SJung-uk Kim if (!ssl3_digest_cached_records(s, 1)) 2398e71b7053SJung-uk Kim /* SSLfatal() already called */ 2399e71b7053SJung-uk Kim return 0; 2400e71b7053SJung-uk Kim 2401e71b7053SJung-uk Kim s->pha_dgst = EVP_MD_CTX_new(); 2402e71b7053SJung-uk Kim if (s->pha_dgst == NULL) { 2403e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2404e71b7053SJung-uk Kim SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA, 2405e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 2406e71b7053SJung-uk Kim return 0; 2407e71b7053SJung-uk Kim } 2408e71b7053SJung-uk Kim if (!EVP_MD_CTX_copy_ex(s->pha_dgst, 2409e71b7053SJung-uk Kim s->s3->handshake_dgst)) { 2410e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2411e71b7053SJung-uk Kim SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA, 2412e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 2413e71b7053SJung-uk Kim return 0; 2414e71b7053SJung-uk Kim } 2415e71b7053SJung-uk Kim } 2416e71b7053SJung-uk Kim return 1; 2417e71b7053SJung-uk Kim } 2418e71b7053SJung-uk Kim 2419e71b7053SJung-uk Kim /* 2420e71b7053SJung-uk Kim * Restores the Post-Handshake Auth handshake digest 2421e71b7053SJung-uk Kim * Done just before sending/processing the Cert Request 2422e71b7053SJung-uk Kim */ 2423e71b7053SJung-uk Kim int tls13_restore_handshake_digest_for_pha(SSL *s) 2424e71b7053SJung-uk Kim { 2425e71b7053SJung-uk Kim if (s->pha_dgst == NULL) { 2426e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2427e71b7053SJung-uk Kim SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA, 2428e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 2429e71b7053SJung-uk Kim return 0; 2430e71b7053SJung-uk Kim } 2431e71b7053SJung-uk Kim if (!EVP_MD_CTX_copy_ex(s->s3->handshake_dgst, 2432e71b7053SJung-uk Kim s->pha_dgst)) { 2433e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2434e71b7053SJung-uk Kim SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA, 2435e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 2436e71b7053SJung-uk Kim return 0; 2437e71b7053SJung-uk Kim } 2438e71b7053SJung-uk Kim return 1; 2439e71b7053SJung-uk Kim } 2440