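/*
 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <limits.h>
#include <string.h>
#include <stdio.h>
#include "../ssl_locl.h"
#include "statem_locl.h"
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>

/*
 * Map error codes to TLS/SSL alert types.
 */
typedef struct x509err2alert_st {
    int x509err;
    int alert;
} X509ERR2ALERT;

/* Fixed value used in the ServerHello random field to identify an HRR */
const unsigned char hrrrandom[] = {
    0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
    0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
    0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
};

/*
 * Send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
 * SSL3_RT_CHANGE_CIPHER_SPEC).
 *
 * Writes s->init_num bytes starting at s->init_off. Returns 1 once the
 * whole message has gone out (the message callback, if set, is invoked
 * at that point), 0 after a partial write (s->init_off/s->init_num are
 * advanced so the caller retries), and -1 on a write or MAC error.
 */
int ssl3_do_write(SSL *s, int type)
{
    int ret;
    size_t written = 0;

    ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
                           s->init_num, &written);
    if (ret < 0)
        return -1;
    if (type == SSL3_RT_HANDSHAKE) {
        /*
         * Feed the bytes just written to ssl3_finish_mac().
         * Should not be done for 'Hello Request's, but in that case we'll
         * ignore the result anyway.
         * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added.
         */
        if (!SSL_IS_TLS13(s)
                || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
                    && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
                    && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE)) {
            if (!ssl3_finish_mac(s,
                                 (unsigned char *)&s->init_buf->data[s->init_off],
                                 written))
                return -1;
        }
    }
    if (written == s->init_num) {
        if (s->msg_callback)
            s->msg_callback(1, s->version, type, s->init_buf->data,
                            (size_t)(s->init_off + s->init_num), s,
                            s->msg_callback_arg);
        return 1;
    }
    s->init_off += written;
    s->init_num -= written;
    return 0;
}

/*
 * Finish constructing the message in |pkt| and record its length in
 * s->init_num (with s->init_off reset to 0) ready for ssl3_do_write().
 * WPACKET_close() is skipped for a ChangeCipherSpec. Returns 1 on success
 * and 0 on failure, including a message length that does not fit in an int.
 */
int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
{
    size_t msglen;

    if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
            || !WPACKET_get_length(pkt, &msglen)
            || msglen > INT_MAX)
        return 0;
    s->init_num = (int)msglen;
    s->init_off = 0;

    return 1;
}

/*
 * Per-handshake initialisation: reset the Finished MAC state and the
 * extension flags, on the server side verify that the maximum version we
 * accept has at least one enabled cipher, and update the connection
 * statistics counters. Returns 1 on success, 0 on failure (SSLfatal()
 * already called).
 */
int tls_setup_handshake(SSL *s)
{
    if (!ssl3_init_finished_mac(s)) {
        /* SSLfatal() already called */
        return 0;
    }

    /* Reset any extension flags */
    memset(s->ext.extflags, 0, sizeof(s->ext.extflags));

    if (s->server) {
        STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
        int i, ver_min, ver_max, ok = 0;

        /*
         * Sanity check that the maximum version we accept has ciphers
         * enabled. For clients we do this check during construction of the
         * ClientHello.
         */
        if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
                     ERR_R_INTERNAL_ERROR);
            return 0;
        }
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);

            if (SSL_IS_DTLS(s)) {
                if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
                    DTLS_VERSION_LE(ver_max, c->max_dtls))
                    ok = 1;
            } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
                ok = 1;
            }
            if (ok)
                break;
        }
        if (!ok) {
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
                     SSL_R_NO_CIPHERS_AVAILABLE);
            ERR_add_error_data(1, "No ciphers enabled for max supported "
                                  "SSL/TLS version");
            return 0;
        }
        if (SSL_IS_FIRST_HANDSHAKE(s)) {
            /* N.B. s->session_ctx == s->ctx here */
            tsan_counter(&s->session_ctx->stats.sess_accept);
        } else {
            /* N.B. s->ctx may not equal s->session_ctx */
            tsan_counter(&s->ctx->stats.sess_accept_renegotiate);

            s->s3->tmp.cert_request = 0;
        }
    } else {
        if (SSL_IS_FIRST_HANDSHAKE(s))
            tsan_counter(&s->session_ctx->stats.sess_connect);
        else
            tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);

        /* mark client_random uninitialized */
        memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
        s->hit = 0;

        s->s3->tmp.cert_req = 0;

        if (SSL_IS_DTLS(s))
            s->statem.use_timer = 1;
    }

    return 1;
}

/*
 * Size of the to-be-signed TLS13 data, without the hash size itself:
 * 64 bytes of value 32, 33 context bytes, 1 byte separator
 */
#define TLS13_TBS_START_SIZE            64
#define TLS13_TBS_PREAMBLE_SIZE         (TLS13_TBS_START_SIZE + 33 + 1)

/*
 * Assemble the data covered by a CertificateVerify signature.
 *
 * For TLS 1.3 the data is built in |tls13tbs|, which must have room for
 * TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE bytes: 64 octets of value 32,
 * the server or client context string with its NUL terminator, then the
 * handshake hash. For earlier versions the data is whatever is held in
 * s->s3->handshake_buffer. On success *hdata/*hdatalen describe the data
 * and 1 is returned; on failure 0 is returned (SSLfatal() already called).
 */
static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
                                    void **hdata, size_t *hdatalen)
{
    static const char *servercontext = "TLS 1.3, server CertificateVerify";
    static const char *clientcontext = "TLS 1.3, client CertificateVerify";

    if (SSL_IS_TLS13(s)) {
        size_t hashlen;

        /* Set the first 64 bytes of to-be-signed data to octet 32 */
        memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
        /* This copies the 33 bytes of context plus the 0 separator byte */
        if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
                || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
            strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
        else
            strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);

        /*
         * If we're currently reading then we need to use the saved handshake
         * hash value. We can't use the current handshake hash state because
         * that includes the CertVerify itself.
         */
        if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
                || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
            memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
                   s->cert_verify_hash_len);
            hashlen = s->cert_verify_hash_len;
        } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
                                       EVP_MAX_MD_SIZE, &hashlen)) {
            /* SSLfatal() already called */
            return 0;
        }

        *hdata = tls13tbs;
        *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
    } else {
        long retlen;

        /*
         * BIO_get_mem_data() yields a long. Keep it signed so that a
         * negative result is rejected by the <= 0 test instead of being
         * wrapped into a huge size_t length.
         */
        retlen = BIO_get_mem_data(s->s3->handshake_buffer, hdata);
        if (retlen <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
                     ERR_R_INTERNAL_ERROR);
            return 0;
        }
        *hdatalen = (size_t)retlen;
    }

    return 1;
}

/*
 * Construct our CertificateVerify message into |pkt|: sign the output of
 * get_cert_verify_tbs_data() with the private key of s->s3->tmp.cert using
 * the signature algorithm in s->s3->tmp.sigalg. With sigalgs in use the
 * two-byte algorithm identifier precedes the length-prefixed signature.
 * Returns 1 on success, 0 on failure (SSLfatal() already called).
 */
int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
{
    EVP_PKEY *pkey = NULL;
    const EVP_MD *md = NULL;
    EVP_MD_CTX *mctx = NULL;
    EVP_PKEY_CTX *pctx = NULL;
    size_t hdatalen = 0, siglen = 0;
    void *hdata;
    unsigned char *sig = NULL;
    unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
    const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;

    if (lu == NULL || s->s3->tmp.cert == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }
    pkey = s->s3->tmp.cert->privatekey;

    if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

    mctx = EVP_MD_CTX_new();
    if (mctx == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_MALLOC_FAILURE);
        goto err;
    }

    /* Get the data to be signed */
    if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
        /* SSLfatal() already called */
        goto err;
    }

    if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }
    /* EVP_PKEY_size() is an upper bound; the sign call sets the real length */
    siglen = EVP_PKEY_size(pkey);
    sig = OPENSSL_malloc(siglen);
    if (sig == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_MALLOC_FAILURE);
        goto err;
    }

    if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_EVP_LIB);
        goto err;
    }

    if (lu->sig == EVP_PKEY_RSA_PSS) {
        if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
            || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
                                                RSA_PSS_SALTLEN_DIGEST) <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                     ERR_R_EVP_LIB);
            goto err;
        }
    }
    if (s->version == SSL3_VERSION) {
        /* SSLv3 mixes the master secret into the digest via a ctx ctrl */
        if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
            || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
                                (int)s->session->master_key_length,
                                s->session->master_key)
            || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                     ERR_R_EVP_LIB);
            goto err;
        }
    } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_EVP_LIB);
        goto err;
    }

#ifndef OPENSSL_NO_GOST
    {
        int pktype = lu->sig;

        /* GOST signatures are sent byte-reversed */
        if (pktype == NID_id_GostR3410_2001
            || pktype == NID_id_GostR3410_2012_256
            || pktype == NID_id_GostR3410_2012_512)
            BUF_reverse(sig, NULL, siglen);
    }
#endif

    if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /* Digest cached records and discard handshake buffer */
    if (!ssl3_digest_cached_records(s, 0)) {
        /* SSLfatal() already called */
        goto err;
    }

    OPENSSL_free(sig);
    EVP_MD_CTX_free(mctx);
    return 1;
 err:
    OPENSSL_free(sig);
    EVP_MD_CTX_free(mctx);
    return 0;
}

/*
 * Process the peer's CertificateVerify message in |pkt|.
 *
 * The signature is checked against the public key of s->session->peer,
 * which must be a key type usable for signing, and over the data produced
 * by get_cert_verify_tbs_data(). With sigalgs in use the two-byte algorithm
 * identifier is read and validated first. The signature length is bounded
 * by EVP_PKEY_size() before the bytes are consumed. On return the handshake
 * buffer is always freed. Returns MSG_PROCESS_CONTINUE_READING on success
 * and MSG_PROCESS_ERROR on failure (SSLfatal() already called).
 */
MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
{
    EVP_PKEY *pkey = NULL;
    const unsigned char *data;
#ifndef OPENSSL_NO_GOST
    unsigned char *gost_data = NULL;
#endif
    MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
    int j;
    unsigned int len;
    X509 *peer;
    const EVP_MD *md = NULL;
    size_t hdatalen = 0;
    void *hdata;
    unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    EVP_PKEY_CTX *pctx = NULL;

    if (mctx == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 ERR_R_MALLOC_FAILURE);
        goto err;
    }

    peer = s->session->peer;
    pkey = X509_get0_pubkey(peer);
    if (pkey == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /* Only key types we know how to verify signatures with are acceptable */
    if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
        goto err;
    }

    if (SSL_USE_SIGALGS(s)) {
        unsigned int sigalg;

        if (!PACKET_get_net_2(pkt, &sigalg)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                     SSL_R_BAD_PACKET);
            goto err;
        }
        if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
            /* SSLfatal() already called */
            goto err;
        }
    } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

    if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

#ifdef SSL_DEBUG
    if (SSL_USE_SIGALGS(s))
        fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif

    /* Check for broken implementations of GOST ciphersuites */
    /*
     * If key is GOST and len is exactly 64 or 128, it is signature without
     * length field (CryptoPro implementations at least till TLS 1.2)
     */
#ifndef OPENSSL_NO_GOST
    if (!SSL_USE_SIGALGS(s)
        && ((PACKET_remaining(pkt) == 64
             && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
                 || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
            || (PACKET_remaining(pkt) == 128
                && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
        len = PACKET_remaining(pkt);
    } else
#endif
    if (!PACKET_get_net_2(pkt, &len)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 SSL_R_LENGTH_MISMATCH);
        goto err;
    }

    /*
     * Reject a declared length or a body larger than the key can produce,
     * and an empty body, before any signature bytes are consumed.
     */
    j = EVP_PKEY_size(pkey);
    if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
        || (PACKET_remaining(pkt) == 0)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 SSL_R_WRONG_SIGNATURE_SIZE);
        goto err;
    }
    if (!PACKET_get_bytes(pkt, &data, len)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 SSL_R_LENGTH_MISMATCH);
        goto err;
    }

    if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
        /* SSLfatal() already called */
        goto err;
    }

#ifdef SSL_DEBUG
    fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
#endif
    if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 ERR_R_EVP_LIB);
        goto err;
    }
#ifndef OPENSSL_NO_GOST
    {
        int pktype = EVP_PKEY_id(pkey);

        /* GOST signatures arrive byte-reversed; undo that into a copy */
        if (pktype == NID_id_GostR3410_2001
            || pktype == NID_id_GostR3410_2012_256
            || pktype == NID_id_GostR3410_2012_512) {
            if ((gost_data = OPENSSL_malloc(len)) == NULL) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
                goto err;
            }
            BUF_reverse(gost_data, data, len);
            data = gost_data;
        }
    }
#endif

    if (SSL_USE_PSS(s)) {
        if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
            || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
                                                RSA_PSS_SALTLEN_DIGEST) <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                     ERR_R_EVP_LIB);
            goto err;
        }
    }
    if (s->version == SSL3_VERSION) {
        /* SSLv3 mixes the master secret into the digest via a ctx ctrl */
        if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
            || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
                                (int)s->session->master_key_length,
                                s->session->master_key)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                     ERR_R_EVP_LIB);
            goto err;
        }
        if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
            SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                     SSL_R_BAD_SIGNATURE);
            goto err;
        }
    } else {
        j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
        if (j <= 0) {
            SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                     SSL_R_BAD_SIGNATURE);
            goto err;
        }
    }

    ret = MSG_PROCESS_CONTINUE_READING;
 err:
    /* The buffered handshake data is no longer needed whatever the outcome */
    BIO_free(s->s3->handshake_buffer);
    s->s3->handshake_buffer = NULL;
    EVP_MD_CTX_free(mctx);
#ifndef OPENSSL_NO_GOST
    OPENSSL_free(gost_data);
#endif
    return ret;
}

/*
 * Construct our Finished message into |pkt|: compute the Finished MAC with
 * our side's label, append it, log the master secret for pre-TLSv1.3
 * versions, and keep a copy in s->s3 for renegotiation checks. Returns 1 on
 * success, 0 on failure (SSLfatal() already called).
 */
int tls_construct_finished(SSL *s, WPACKET *pkt)
{
    size_t finish_md_len;
    const char *sender;
    size_t slen;

    /* This is a real handshake so make sure we clean it up at the end */
    if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
        s->statem.cleanuphand = 1;

    /*
     * We only change the keys if we didn't already do this when we sent the
     * client certificate
     */
    if (SSL_IS_TLS13(s)
            && !s->server
            && s->s3->tmp.cert_req == 0
            && (!s->method->ssl3_enc->change_cipher_state(s,
                    SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
        /* SSLfatal() already called */
        return 0;
    }

    if (s->server) {
        sender = s->method->ssl3_enc->server_finished_label;
        slen = s->method->ssl3_enc->server_finished_label_len;
    } else {
        sender = s->method->ssl3_enc->client_finished_label;
        slen = s->method->ssl3_enc->client_finished_label_len;
    }

    finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
                                                          sender, slen,
                                                          s->s3->tmp.finish_md);
    if (finish_md_len == 0) {
        /* SSLfatal() already called */
        return 0;
    }

    s->s3->tmp.finish_md_len = finish_md_len;

    if (!WPACKET_memcpy(pkt, s->s3->tmp.finish_md, finish_md_len)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /*
     * Log the master secret, if logging is enabled. We don't log it for
     * TLSv1.3: there's a different key schedule for that.
     */
    if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
                                            s->session->master_key,
                                            s->session->master_key_length)) {
        /* SSLfatal() already called */
        return 0;
    }

    /*
     * Copy the finished so we can use it for renegotiation checks
     */
    if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }
    if (!s->server) {
        memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md,
               finish_md_len);
        s->s3->previous_client_finished_len = finish_md_len;
    } else {
        memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md,
               finish_md_len);
        s->s3->previous_server_finished_len = finish_md_len;
    }

    return 1;
}

/*
 * Construct a KeyUpdate message into |pkt|: a single byte holding the
 * pending s->key_update request type, which is then cleared to
 * SSL_KEY_UPDATE_NONE. Returns 1 on success, 0 on failure (SSLfatal()
 * already called).
 */
int tls_construct_key_update(SSL *s, WPACKET *pkt)
{
    if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    s->key_update = SSL_KEY_UPDATE_NONE;
    return 1;
}
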
/*
 * Process an incoming KeyUpdate message.
 *
 * The body is exactly one byte saying whether the peer also wants us to
 * update our sending keys. The message must end on a record boundary, and
 * the number of KeyUpdates accepted on a connection is capped at
 * MAX_KEY_UPDATE_MESSAGES. On success our receiving keys are updated via
 * tls13_update_key() and MSG_PROCESS_FINISHED_READING is returned; on any
 * failure SSLfatal() is called and MSG_PROCESS_ERROR is returned.
 */
MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
{
    unsigned int kind;
    int peer_wants_update;

    /* Bound how many KeyUpdates a peer can make us process */
    if (++s->key_update_count > MAX_KEY_UPDATE_MESSAGES) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
                 SSL_R_TOO_MANY_KEY_UPDATES);
        return MSG_PROCESS_ERROR;
    }

    /*
     * A KeyUpdate message signals a key change so the end of the message must
     * be on a record boundary.
     */
    if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
                 SSL_R_NOT_ON_RECORD_BOUNDARY);
        return MSG_PROCESS_ERROR;
    }

    /* One byte of body and nothing after it */
    if (!PACKET_get_1(pkt, &kind) || PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
                 SSL_R_BAD_KEY_UPDATE);
        return MSG_PROCESS_ERROR;
    }

    switch (kind) {
    case SSL_KEY_UPDATE_NOT_REQUESTED:
        peer_wants_update = 0;
        break;
    case SSL_KEY_UPDATE_REQUESTED:
        peer_wants_update = 1;
        break;
    default:
        /* Only the two defined key update types are acceptable */
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
                 SSL_R_BAD_KEY_UPDATE);
        return MSG_PROCESS_ERROR;
    }

    /*
     * If the peer asks us to update our sending keys too, queue a KeyUpdate
     * of our own. That message must not itself request an update, otherwise
     * the two sides would loop forever. The request is ignored if we have
     * already sent close_notify.
     */
    if (peer_wants_update && (s->shutdown & SSL_SENT_SHUTDOWN) == 0)
        s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;

    if (!tls13_update_key(s, 0)) {
        /* SSLfatal() already called */
        return MSG_PROCESS_ERROR;
    }

    return MSG_PROCESS_FINISHED_READING;
}

/*
 * ssl3_take_mac calculates the Finished MAC for the handshake messages seen
 * so far.
 */
/*
 * Compute the Finished verify_data we expect to receive from the peer and
 * store it in s->s3->tmp.peer_finish_md (length in peer_finish_md_len).
 * The label is the one for the peer's role: the server label when we are the
 * client, the client label when we are the server.
 *
 * Returns 1 on success, 0 after SSLfatal() has been called (signalled by a
 * zero length from final_finish_mac()).
 */
int ssl3_take_mac(SSL *s)
{
    const char *sender;
    size_t slen;

    if (!s->server) {
        sender = s->method->ssl3_enc->server_finished_label;
        slen = s->method->ssl3_enc->server_finished_label_len;
    } else {
        sender = s->method->ssl3_enc->client_finished_label;
        slen = s->method->ssl3_enc->client_finished_label_len;
    }

    s->s3->tmp.peer_finish_md_len =
        s->method->ssl3_enc->final_finish_mac(s, sender, slen,
                                              s->s3->tmp.peer_finish_md);

    if (s->s3->tmp.peer_finish_md_len == 0) {
        /* SSLfatal() already called */
        return 0;
    }

    return 1;
}

/*
 * Process a received ChangeCipherSpec message.
 *
 * |pkt| holds whatever is left of the message after ssl_get_message() has
 * consumed the CCS byte itself. The message is rejected if its length is
 * wrong for the protocol in use, or if no cipher has been negotiated yet
 * (a CCS arriving before the key exchange completed).
 *
 * Returns MSG_PROCESS_CONTINUE_READING on success, or MSG_PROCESS_ERROR after
 * SSLfatal() has been called.
 */
MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
{
    size_t remain;

    remain = PACKET_remaining(pkt);
    /*
     * 'Change Cipher Spec' is just a single byte, which should already have
     * been consumed by ssl_get_message() so there should be no bytes left,
     * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
     */
    if (SSL_IS_DTLS(s)) {
        if ((s->version == DTLS1_BAD_VER
             && remain != DTLS1_CCS_HEADER_LENGTH + 1)
            || (s->version != DTLS1_BAD_VER
                && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
                     SSL_R_BAD_CHANGE_CIPHER_SPEC);
            return MSG_PROCESS_ERROR;
        }
    } else {
        if (remain != 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
                     SSL_R_BAD_CHANGE_CIPHER_SPEC);
            return MSG_PROCESS_ERROR;
        }
    }

    /*
     * Check we have a cipher to change to. A CCS before the cipher has been
     * agreed is an out-of-order message, not a decode problem, hence
     * unexpected_message rather than decode_error.
     */
    if (s->s3->tmp.new_cipher == NULL) {
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
                 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
        return MSG_PROCESS_ERROR;
    }

    /*
     * Record that the CCS was seen; tls_process_finished() refuses a
     * Finished that is not preceded by it (pre-TLSv1.3).
     */
    s->s3->change_cipher_spec = 1;
    if (!ssl3_do_change_cipher_spec(s)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
                 ERR_R_INTERNAL_ERROR);
        return MSG_PROCESS_ERROR;
    }

    if (SSL_IS_DTLS(s)) {
        /* New epoch on the read side: sequence numbers start again. */
        dtls1_reset_seq_numbers(s, SSL3_CC_READ);

        if (s->version == DTLS1_BAD_VER)
            s->d1->handshake_read_seq++;

#ifndef OPENSSL_NO_SCTP
        /*
         * Remember that a CCS has been received, so that an old key of
         * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
         * SCTP is used
         */
        BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
#endif
    }

    return MSG_PROCESS_CONTINUE_READING;
}

/*
 * Process the peer's Finished message.
 *
 * |pkt| holds the peer's verify_data. It is compared, in constant time,
 * against the value precomputed by ssl3_take_mac() (s->s3->tmp.peer_finish_md),
 * after which a copy is kept for the renegotiation-indication checks. For
 * TLSv1.3 the read cipher state is additionally switched to application
 * traffic keys, and a client also finalises the initial server flight.
 *
 * Returns MSG_PROCESS_FINISHED_READING on success, or MSG_PROCESS_ERROR after
 * SSLfatal() has been called.
 */
MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
{
    size_t md_len;


    /* This is a real handshake so make sure we clean it up at the end */
    if (s->server) {
        /*
         * To get this far we must have read encrypted data from the client. We
         * no longer tolerate unencrypted alerts. This value is ignored if less
         * than TLSv1.3
         */
        s->statem.enc_read_state = ENC_READ_STATE_VALID;
        /* Post-handshake auth is not a full handshake, so no cleanup then. */
        if (s->post_handshake_auth != SSL_PHA_REQUESTED)
            s->statem.cleanuphand = 1;
        if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
            /* SSLfatal() already called */
            return MSG_PROCESS_ERROR;
        }
    }

    /*
     * In TLSv1.3 a Finished message signals a key change so the end of the
     * message must be on a record boundary.
     */
    if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
                 SSL_R_NOT_ON_RECORD_BOUNDARY);
        return MSG_PROCESS_ERROR;
    }

    /*
     * If this occurs, we have missed a message: pre-TLSv1.3 a Finished is
     * only acceptable after the CCS that switched the read keys.
     */
    if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) {
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
                 SSL_R_GOT_A_FIN_BEFORE_A_CCS);
        return MSG_PROCESS_ERROR;
    }
    s->s3->change_cipher_spec = 0;

    md_len = s->s3->tmp.peer_finish_md_len;

    /*
     * Length must match exactly before the comparison so that CRYPTO_memcmp
     * below never reads past the data actually present in |pkt|.
     */
    if (md_len != PACKET_remaining(pkt)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
                 SSL_R_BAD_DIGEST_LENGTH);
        return MSG_PROCESS_ERROR;
    }

    /*
     * CRYPTO_memcmp, not memcmp: the time taken must not depend on how many
     * leading bytes of the peer's verify_data happen to be correct.
     */
    if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md,
                      md_len) != 0) {
        SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
                 SSL_R_DIGEST_CHECK_FAILED);
        return MSG_PROCESS_ERROR;
    }

    /*
     * Copy the finished so we can use it for renegotiation checks. The
     * previous_*_finished buffers are EVP_MAX_MD_SIZE bytes, so bound the
     * copy first.
     */
    if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
                 ERR_R_INTERNAL_ERROR);
        return MSG_PROCESS_ERROR;
    }
    if (s->server) {
        memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md,
               md_len);
        s->s3->previous_client_finished_len = md_len;
    } else {
        memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md,
               md_len);
        s->s3->previous_server_finished_len = md_len;
    }

    /*
     * In TLS1.3 we also have to change cipher state and do any final processing
     * of the initial server flight (if we are a client)
     */
    if (SSL_IS_TLS13(s)) {
        if (s->server) {
            /* During post-handshake auth the application keys are already in use. */
            if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
                !s->method->ssl3_enc->change_cipher_state(s,
                    SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
                /* SSLfatal() already called */
                return MSG_PROCESS_ERROR;
            }
        } else {
            /* Derive the master secret from the handshake secret first. */
            if (!s->method->ssl3_enc->generate_master_secret(s,
                    s->master_secret, s->handshake_secret, 0,
                    &s->session->master_key_length)) {
                /* SSLfatal() already called */
                return MSG_PROCESS_ERROR;
            }
            if (!s->method->ssl3_enc->change_cipher_state(s,
                    SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
                /* SSLfatal() already called */
                return MSG_PROCESS_ERROR;
            }
            if (!tls_process_initial_server_flight(s)) {
                /* SSLfatal() already called */
                return MSG_PROCESS_ERROR;
            }
        }
    }

    return MSG_PROCESS_FINISHED_READING;
}

/*
 * Write the single-byte ChangeCipherSpec message body into |pkt|.
 * Returns 1 on success, 0 after SSLfatal() has been called.
 */
int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
{
    if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

/*
 * Add a certificate to the WPACKET.
 *
 * |x| is DER-encoded into a u24-length-prefixed sub-packet; for TLSv1.3 the
 * per-certificate extensions follow it. |chain| is the certificate's position
 * in the chain (0 for the end-entity certificate) and is handed to the
 * extension constructor. Returns 1 on success, 0 after SSLfatal().
 */
static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
{
    int len;
    unsigned char *outbytes;

    /* First pass: size the encoding; second pass: encode into the packet. */
    len = i2d_X509(x, NULL);
    if (len < 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
                 ERR_R_BUF_LIB);
        return 0;
    }
    /* The two passes must agree on the length, else the packet is corrupt. */
    if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
            || i2d_X509(x, &outbytes) != len) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    if (SSL_IS_TLS13(s)
            && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
                                         chain)) {
        /* SSLfatal() already called */
        return 0;
    }

    return 1;
}

/*
 * Add certificate chain to provided WPACKET.
 *
 * The leaf is cpk->x509. If an explicit chain is configured (cpk->chain, else
 * the context's extra_certs) or SSL_MODE_NO_AUTO_CHAIN is set, that chain is
 * sent as-is. Otherwise a chain is built from the configured store
 * (s->cert->chain_store, falling back to s->ctx->cert_store). In both cases
 * the chain is checked against the configured security level before anything
 * is written. Returns 1 on success (including "nothing to send"), 0 after
 * SSLfatal().
 */
static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
{
    int i, chain_count;
    X509 *x;
    STACK_OF(X509) *extra_certs;
    STACK_OF(X509) *chain = NULL;
    X509_STORE *chain_store;

    /* No certificate configured: an empty Certificate message is valid. */
    if (cpk == NULL || cpk->x509 == NULL)
        return 1;

    x = cpk->x509;

    /*
     * If we have a certificate specific chain use it, else use parent ctx.
     */
    if (cpk->chain != NULL)
        extra_certs = cpk->chain;
    else
        extra_certs = s->ctx->extra_certs;

    if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
        chain_store = NULL;
    else if (s->cert->chain_store)
        chain_store = s->cert->chain_store;
    else
        chain_store = s->ctx->cert_store;

    if (chain_store != NULL) {
        X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();

        if (xs_ctx == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
                     ERR_R_MALLOC_FAILURE);
            return 0;
        }
        if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
            X509_STORE_CTX_free(xs_ctx);
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
                     ERR_R_X509_LIB);
            return 0;
        }
        /*
         * It is valid for the chain not to be complete (because normally we
         * don't include the root cert in the chain). Therefore we deliberately
         * ignore the error return from this call. We're not actually verifying
         * the cert - we're just building as much of the chain as we can
         */
        (void)X509_verify_cert(xs_ctx);
        /* Don't leave errors in the queue */
        ERR_clear_error();
        chain = X509_STORE_CTX_get0_chain(xs_ctx);
        /*
         * Verification was skipped above, but the security level is still
         * enforced on whatever chain was built (weak CA keys or digests are
         * rejected here with the reason code returned in |i|).
         */
        i = ssl_security_cert_chain(s, chain, NULL, 0);
        if (i != 1) {
#if 0
            /* Dummy error calls so mkerr generates them */
            SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
            SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
            SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
#endif
            X509_STORE_CTX_free(xs_ctx);
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
            return 0;
        }
        /* The built chain starts with |x| itself, so index 0 is the leaf. */
        chain_count = sk_X509_num(chain);
        for (i = 0; i < chain_count; i++) {
            x = sk_X509_value(chain, i);

            if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
                /* SSLfatal() already called */
                X509_STORE_CTX_free(xs_ctx);
                return 0;
            }
        }
        X509_STORE_CTX_free(xs_ctx);
    } else {
        /* Explicit chain: leaf is |x|, extra_certs follow at index 1 onwards. */
        i = ssl_security_cert_chain(s, extra_certs, x, 0);
        if (i != 1) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
            return 0;
        }
        if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
            /* SSLfatal() already called */
            return 0;
        }
        for (i = 0; i < sk_X509_num(extra_certs); i++) {
            x = sk_X509_value(extra_certs, i);
            if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
                /* SSLfatal() already called */
                return 0;
            }
        }
    }
    return 1;
}

/*
 * Write the certificate_list for |cpk| into |pkt| as a u24-length-prefixed
 * sub-packet. Returns 1 on success, 0 after SSLfatal() (the return type is
 * unsigned long for historical reasons; only 0 and 1 are produced).
 */
unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
{
    if (!WPACKET_start_sub_packet_u24(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    if (!ssl_add_cert_chain(s, pkt, cpk))
        return 0;

    if (!WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

/*
 * Tidy up after the end of a handshake. In the case of SCTP this may result
 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
 * freed up as well.
 *
 * |wst| is not used by this function. If |stop| is zero the state machine is
 * put back into init and WORK_FINISHED_CONTINUE is returned; otherwise
 * WORK_FINISHED_STOP. WORK_ERROR is returned after SSLfatal().
 */
WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
{
    void (*cb) (const SSL *ssl, int type, int val) = NULL;

    if (clearbufs) {
        if (!SSL_IS_DTLS(s)) {
            /*
             * We don't do this in DTLS because we may still need the init_buf
             * in case there are any unexpected retransmits
             */
            BUF_MEM_free(s->init_buf);
            s->init_buf = NULL;
        }
        if (!ssl_free_wbio_buffer(s)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
                     ERR_R_INTERNAL_ERROR);
            return WORK_ERROR;
        }
        s->init_num = 0;
    }

    /* Client side: the PHA extension has now been sent with this handshake. */
    if (SSL_IS_TLS13(s) && !s->server
            && s->post_handshake_auth == SSL_PHA_REQUESTED)
        s->post_handshake_auth = SSL_PHA_EXT_SENT;

    /*
     * Only set if there was a Finished message and this isn't after a TLSv1.3
     * post handshake exchange
     */
    if (s->statem.cleanuphand) {
        /* skipped if we just sent a HelloRequest */
        s->renegotiate = 0;
        s->new_session = 0;
        s->statem.cleanuphand = 0;
        s->ext.ticket_expected = 0;

        /* The key block is no longer needed once the handshake is over. */
        ssl3_cleanup_key_block(s);

        if (s->server) {
            /*
             * In TLSv1.3 we update the cache as part of constructing the
             * NewSessionTicket
             */
            if (!SSL_IS_TLS13(s))
                ssl_update_cache(s, SSL_SESS_CACHE_SERVER);

            /* N.B. s->ctx may not equal s->session_ctx */
            tsan_counter(&s->ctx->stats.sess_accept_good);
            s->handshake_func = ossl_statem_accept;

            if (SSL_IS_DTLS(s) && !s->hit) {
                /*
                 * We are finishing after the client. We start the timer going
                 * in case there are any retransmits of our final flight
                 * required.
                 */
                dtls1_start_timer(s);
            }
        } else {
            if (SSL_IS_TLS13(s)) {
                /*
                 * We encourage applications to only use TLSv1.3 tickets once,
                 * so we remove this one from the cache.
                 */
                if ((s->session_ctx->session_cache_mode
                     & SSL_SESS_CACHE_CLIENT) != 0)
                    SSL_CTX_remove_session(s->session_ctx, s->session);
            } else {
                /*
                 * In TLSv1.3 we update the cache as part of processing the
                 * NewSessionTicket
                 */
                ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
            }
            if (s->hit)
                tsan_counter(&s->session_ctx->stats.sess_hit);

            s->handshake_func = ossl_statem_connect;
            tsan_counter(&s->session_ctx->stats.sess_connect_good);

            if (SSL_IS_DTLS(s) && s->hit) {
                /*
                 * We are finishing after the server. We start the timer going
                 * in case there are any retransmits of our final flight
                 * required.
                 */
                dtls1_start_timer(s);
            }
        }

        if (SSL_IS_DTLS(s)) {
            /* done with handshaking */
            s->d1->handshake_read_seq = 0;
            s->d1->handshake_write_seq = 0;
            s->d1->next_handshake_write_seq = 0;
            dtls1_clear_received_buffer(s);
        }
    }

    /* The per-connection info callback takes precedence over the context's. */
    if (s->info_callback != NULL)
        cb = s->info_callback;
    else if (s->ctx->info_callback != NULL)
        cb = s->ctx->info_callback;

    /* The callback may expect us to not be in init at handshake done */
    ossl_statem_set_in_init(s, 0);

    if (cb != NULL)
        cb(s, SSL_CB_HANDSHAKE_DONE, 1);

    if (!stop) {
        /* If we've got more work to do we go back into init */
        ossl_statem_set_in_init(s, 1);
        return WORK_FINISHED_CONTINUE;
    }

    return WORK_FINISHED_STOP;
}

/*
 * Read the SSL3_HM_HEADER_LENGTH-byte handshake message header into
 * s->init_buf and set up s->s3->tmp.message_type / message_size and
 * s->init_msg / s->init_num for tls_get_message_body().
 *
 * A ChangeCipherSpec record is accepted in place of a handshake header (it is
 * a single byte that must not land in the middle of a handshake message); a
 * well-formed HelloRequest on the client is consumed silently and the loop
 * continues with the next message. On output *mt is the message type.
 *
 * Returns 1 when a header is available, 0 when more data is needed
 * (s->rwstate is set to SSL_READING) or after SSLfatal(). Note the stateless
 * CCS case also returns 0 without calling SSLfatal().
 *
 * The only size check applied here is the INT_MAX bound required by
 * BUF_MEM_grow; no tighter handshake-message limit is enforced in this
 * function.
 */
int tls_get_message_header(SSL *s, int *mt)
{
    /* s->init_num < SSL3_HM_HEADER_LENGTH */
    int skip_message, i, recvd_type;
    unsigned char *p;
    size_t l, readbytes;

    p = (unsigned char *)s->init_buf->data;

    do {
        while (s->init_num < SSL3_HM_HEADER_LENGTH) {
            i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
                                          &p[s->init_num],
                                          SSL3_HM_HEADER_LENGTH - s->init_num,
                                          0, &readbytes);
            if (i <= 0) {
                s->rwstate = SSL_READING;
                return 0;
            }
            if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
                /*
                 * A ChangeCipherSpec must be a single byte and may not occur
                 * in the middle of a handshake message.
                 */
                if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
                    SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
                             SSL_F_TLS_GET_MESSAGE_HEADER,
                             SSL_R_BAD_CHANGE_CIPHER_SPEC);
                    return 0;
                }
                if (s->statem.hand_state == TLS_ST_BEFORE
                        && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) {
                    /*
                     * We are stateless and we received a CCS. Probably this is
                     * from a client between the first and second ClientHellos.
                     * We should ignore this, but return an error because we do
                     * not return success until we see the second ClientHello
                     * with a valid cookie.
                     */
                    return 0;
                }
                s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
                s->init_num = readbytes - 1;
                s->init_msg = s->init_buf->data;
                s->s3->tmp.message_size = readbytes;
                return 1;
            } else if (recvd_type != SSL3_RT_HANDSHAKE) {
                SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
                         SSL_F_TLS_GET_MESSAGE_HEADER,
                         SSL_R_CCS_RECEIVED_EARLY);
                return 0;
            }
            s->init_num += readbytes;
        }

        /*
         * The three brace-less ifs below all guard the single block that
         * skips a HelloRequest: client only, not in TLS_ST_OK, and only when
         * the 3-byte length is zero.
         */
        skip_message = 0;
        if (!s->server)
            if (s->statem.hand_state != TLS_ST_OK
                    && p[0] == SSL3_MT_HELLO_REQUEST)
                /*
                 * The server may always send 'Hello Request' messages --
                 * we are doing a handshake anyway now, so ignore them if
                 * their format is correct. Does not count for 'Finished'
                 * MAC.
                 */
                if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
                    s->init_num = 0;
                    skip_message = 1;

                    if (s->msg_callback)
                        s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
                                        p, SSL3_HM_HEADER_LENGTH, s,
                                        s->msg_callback_arg);
                }
    } while (skip_message);
    /* s->init_num == SSL3_HM_HEADER_LENGTH */

    *mt = *p;
    s->s3->tmp.message_type = *(p++);

    if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
        /*
         * Only happens with SSLv3+ in an SSLv2 backward compatible
         * ClientHello
         *
         * Total message size is the remaining record bytes to read
         * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
         */
        l = RECORD_LAYER_get_rrec_length(&s->rlayer)
            + SSL3_HM_HEADER_LENGTH;
        s->s3->tmp.message_size = l;

        s->init_msg = s->init_buf->data;
        s->init_num = SSL3_HM_HEADER_LENGTH;
    } else {
        /* n2l3 reads the 24-bit big-endian length field and advances p. */
        n2l3(p, l);
        /* BUF_MEM_grow takes an 'int' parameter */
        if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
                     SSL_R_EXCESSIVE_MESSAGE_SIZE);
            return 0;
        }
        s->s3->tmp.message_size = l;

        /* The body follows the header; init_num now counts body bytes. */
        s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
        s->init_num = 0;
    }

    return 1;
}

/*
 * Read the remainder of the handshake message whose header was set up by
 * tls_get_message_header(), then feed the message into the handshake
 * transcript hash (with the TLSv1.3 exceptions noted inline) and the
 * message callback. On success *len is the body length (s->init_num).
 *
 * Returns 1 when the whole message is available, 0 when more data is needed
 * (s->rwstate is set to SSL_READING, *len is 0) or after SSLfatal().
 */
int tls_get_message_body(SSL *s, size_t *len)
{
    size_t n, readbytes;
    unsigned char *p;
    int i;

    if (s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
        /* We've already read everything in */
        *len = (unsigned long)s->init_num;
        return 1;
    }

    p = s->init_msg;
    /* Bytes of body still outstanding; the header has already been read. */
    n = s->s3->tmp.message_size - s->init_num;
    while (n > 0) {
        i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
                                      &p[s->init_num], n, 0, &readbytes);
        if (i <= 0) {
            s->rwstate = SSL_READING;
            *len = 0;
            return 0;
        }
        s->init_num += readbytes;
        n -= readbytes;
    }

    /*
     * If receiving Finished, record MAC of prior handshake messages for
     * Finished verification. This must happen before the Finished message
     * itself is added to the transcript below.
     */
    if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
        /* SSLfatal() already called */
        *len = 0;
        return 0;
    }

    /* Feed this message into MAC computation. */
    if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
        if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
                             s->init_num)) {
            /* SSLfatal() already called */
            *len = 0;
            return 0;
        }
        if (s->msg_callback)
            s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
                            (size_t)s->init_num, s, s->msg_callback_arg);
    } else {
        /*
         * We defer feeding in the HRR until later. We'll do it as part of
         * processing the message
         * The TLSv1.3 handshake transcript stops at the ClientFinished
         * message.
         */
/* Offset of the 32-byte random in a ServerHello: header plus 2-byte version. */
#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
        /* KeyUpdate and NewSessionTicket do not need to be added */
        if (!SSL_IS_TLS13(s) || (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET
                                 && s->s3->tmp.message_type != SSL3_MT_KEY_UPDATE)) {
            /*
             * A ServerHello whose random equals hrrrandom is a
             * HelloRetryRequest and is deliberately not hashed here; the
             * length check guards the memcmp on short messages.
             */
            if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO
                    || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
                    || memcmp(hrrrandom,
                              s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
                              SSL3_RANDOM_SIZE) != 0) {
                if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
                                     s->init_num + SSL3_HM_HEADER_LENGTH)) {
                    /* SSLfatal() already called */
                    *len = 0;
                    return 0;
                }
            }
        }
        if (s->msg_callback)
            s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
                            (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
                            s->msg_callback_arg);
    }

    *len = s->init_num;
    return 1;
}

/* Map X509 verification error codes to the TLS alert sent for them. */
static const X509ERR2ALERT x509table[] = {
    {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
    {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
{X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
    {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
    {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
    {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
    {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
    {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
    {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
    {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
    {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
    {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
    {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},

    /* Last entry; return this if we don't find the value above. */
    {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
};

/*
 * Translate an X509_V_ERR_* verification result into the TLS alert
 * description to send to the peer.  Codes that are not in x509table (and
 * X509_V_OK itself) resolve to the sentinel's SSL_AD_CERTIFICATE_UNKNOWN.
 *
 * @x509err: an X509_V_* result code.
 *
 * Returns the SSL_AD_* alert description.
 */
int ssl_x509err2alert(int x509err)
{
    int idx = 0;

    /* Stop at the first match, or at the X509_V_OK sentinel that ends the table. */
    while (x509table[idx].x509err != X509_V_OK
           && x509table[idx].x509err != x509err)
        idx++;

    return x509table[idx].alert;
}

/*
 * Whether TLS compression may be used on this connection.  It is refused
 * outright when SSL_OP_NO_COMPRESSION is set; otherwise the decision is
 * delegated to the security callback via SSL_SECOP_COMPRESSION.
 *
 * @s: the connection.
 *
 * Returns 0 when compression is not allowed, else the security callback's
 * verdict.
 */
int ssl_allow_compression(SSL *s)
{
    int forbidden = (s->options & SSL_OP_NO_COMPRESSION) != 0;

    return forbidden ? 0 : ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
}

/*
 * Three-way comparison of two protocol versions for the connection's
 * protocol family.  DTLS version numbers decrease as the protocol gets
 * newer, so DTLS_VERSION_LT is used there rather than plain integer order.
 *
 * @s: the connection (only consulted for SSL_IS_DTLS).
 * @a, @b: version numbers to compare.
 *
 * Returns 0 if equal, -1 if a is older than b, 1 if a is newer than b.
 */
static int version_cmp(const SSL *s, int a, int b)
{
    if (a == b)
        return 0;
    if (SSL_IS_DTLS(s))
        return DTLS_VERSION_LT(a, b) ? -1 : 1;
    return (a < b) ? -1 : 1;
}

/* One row of the per-family version tables below. */
typedef struct {
    int version;
    const SSL_METHOD *(*cmeth) (void);   /* client method, NULL if compiled out */
    const SSL_METHOD *(*smeth) (void);   /* server method, NULL if compiled out */
} version_info;

#if TLS_MAX_VERSION != TLS1_3_VERSION
# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
#endif

/* Must be in order high to low */
static const version_info tls_version_table[] = {
#ifndef OPENSSL_NO_TLS1_3
    {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
#else
    {TLS1_3_VERSION, NULL, NULL},
#endif
#ifndef OPENSSL_NO_TLS1_2
    {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
#else
    {TLS1_2_VERSION, NULL, NULL},
#endif
#ifndef OPENSSL_NO_TLS1_1
    {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
#else
    {TLS1_1_VERSION, NULL, NULL},
#endif
#ifndef OPENSSL_NO_TLS1
    {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
#else
    {TLS1_VERSION, NULL, NULL},
#endif
#ifndef OPENSSL_NO_SSL3
    {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
#else
    {SSL3_VERSION, NULL, NULL},
#endif
    {0, NULL, NULL},
};

#if DTLS_MAX_VERSION != DTLS1_2_VERSION
# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
#endif

/* Must be in order high to low */
static const version_info dtls_version_table[] = {
#ifndef OPENSSL_NO_DTLS1_2
    {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
#else
    {DTLS1_2_VERSION, NULL, NULL},
#endif
#ifndef OPENSSL_NO_DTLS1
    {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
    {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
#else
    {DTLS1_VERSION, NULL, NULL},
    {DTLS1_BAD_VER, NULL, NULL},
#endif
    {0, NULL, NULL},
};

/*
 * ssl_method_error - Check whether an SSL_METHOD is enabled.
 *
 * @s: The SSL handle for the candidate method
 * @method: the intended method.
 *
 * The checks run in this order: configured minimum version and the security
 * level (SSL_SECOP_VERSION), configured maximum version, the option bits
 * carried in method->mask (presumably the SSL_OP_NO_xxx bit for that
 * version), and finally the Suite B restriction for methods flagged
 * SSL_METHOD_NO_SUITEB.
 *
 * Returns 0 on success, or an SSL error reason on failure.
 */
static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
{
    const int version = method->version;
    int below_floor;

    /* A min_proto_version of 0 means no explicit floor. */
    below_floor = s->min_proto_version != 0
                  && version_cmp(s, version, s->min_proto_version) < 0;
    if (below_floor
        || ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
        return SSL_R_VERSION_TOO_LOW;

    /* Likewise 0 means no explicit ceiling. */
    if (s->max_proto_version != 0
        && version_cmp(s, version, s->max_proto_version) > 0)
        return SSL_R_VERSION_TOO_HIGH;

    if ((s->options & method->mask) != 0)
        return SSL_R_UNSUPPORTED_PROTOCOL;

    if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
        return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;

    return 0;
}

/*
 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
 * certificate type, or has PSK or a certificate callback configured. Otherwise
 * returns 0.
*/
static int is_tls13_capable(const SSL *s)
{
    int idx;

#ifndef OPENSSL_NO_PSK
    if (s->psk_server_callback != NULL)
        return 1;
#endif

    /* A PSK session callback or a certificate callback is enough on its own. */
    if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
        return 1;

    for (idx = 0; idx < SSL_PKEY_NUM; idx++) {
        /* Skip over certs disallowed for TLSv1.3 */
        if (idx == SSL_PKEY_DSA_SIGN
            || idx == SSL_PKEY_GOST01
            || idx == SSL_PKEY_GOST12_256
            || idx == SSL_PKEY_GOST12_512)
            continue;
        if (ssl_has_cert(s, idx))
            return 1;
    }

    return 0;
}

/*
 * ssl_version_supported - Check that the specified `version` is supported by
 * `SSL *` instance
 *
 * @s: The SSL handle for the candidate method
 * @version: Protocol version to test against
 * @meth: if non-NULL, receives the client method for `version` on success
 *
 * For a fixed-version method this is just an equality test against
 * s->version.  For a version-flexible method the family table is walked
 * (high to low) for an entry that is compiled in, passes ssl_method_error()
 * and - on a server offering TLSv1.3 - has credentials usable with TLSv1.3.
 *
 * Returns 1 when supported, otherwise 0
 */
int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
{
    const version_info *vent;
    const version_info *table;

    if (s->method->version == TLS_ANY_VERSION) {
        table = tls_version_table;
    } else if (s->method->version == DTLS_ANY_VERSION) {
        table = dtls_version_table;
    } else {
        /* Version should match method version for non-ANY method */
        return version_cmp(s, version, s->version) == 0;
    }

    for (vent = table; vent->version != 0; ++vent) {
        /* Tables run high to low: once we're past `version` there's no match. */
        if (version_cmp(s, version, vent->version) > 0)
            break;
        if (vent->cmeth == NULL || version_cmp(s, version, vent->version) != 0)
            continue;
        if (ssl_method_error(s, vent->cmeth()) != 0)
            continue;
        if (s->server && version == TLS1_3_VERSION && !is_tls13_capable(s))
            continue;

        if (meth != NULL)
            *meth = vent->cmeth();
        return 1;
    }
    return 0;
}

/*
 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
 * fallback indication from a client check whether we're using the highest
 * supported protocol version.
 *
 * @s server SSL handle.
 *
 * Returns 1 when using the highest enabled version, 0 otherwise.
*/
int ssl_check_version_downgrade(SSL *s)
{
    const version_info *vent;
    const version_info *table;
    const int ctx_version = s->ctx->method->version;

    /*
     * Check that the current protocol is the highest enabled version
     * (according to s->ctx->method, as version negotiation may have changed
     * s->method).
     */
    if (s->version == ctx_version)
        return 1;

    /*
     * Apparently we're using a version-flexible SSL_METHOD (not at its
     * highest protocol version).
     */
    if (ctx_version == TLS_method()->version) {
        table = tls_version_table;
    } else if (ctx_version == DTLS_method()->version) {
        table = dtls_version_table;
    } else {
        /* Unexpected state; fail closed. */
        return 0;
    }

    /*
     * The table is ordered high to low, so the first enabled server method
     * is the best we could have offered; the fallback is legitimate only if
     * that is the version actually in use.
     */
    for (vent = table; vent->version != 0; ++vent) {
        if (vent->smeth == NULL || ssl_method_error(s, vent->smeth()) != 0)
            continue;
        return s->version == vent->version;
    }
    return 0;
}

/*
 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
 * protocols, provided the initial (D)TLS method is version-flexible.
* This function sanity-checks the proposed value and makes sure the method is
 * version-flexible, then sets the limit if all is well.
 *
 * @method_version: The version of the current SSL_METHOD.
 * @version: the intended limit.
 * @bound: pointer to limit to be updated.
 *
 * Returns 1 on success, 0 on failure.
 */
int ssl_set_version_bound(int method_version, int version, int *bound)
{
    int in_range;

    /* 0 always means "no bound" and needs no range check. */
    if (version == 0) {
        *bound = version;
        return 1;
    }

    /*-
     * Restrict TLS methods to TLS protocol versions.
     * Restrict DTLS methods to DTLS protocol versions.
     * Note, DTLS version numbers are decreasing, use comparison macros.
     *
     * Note that for both lower-bounds we use explicit versions, not
     * (D)TLS_MIN_VERSION. This is because we don't want to break user
     * configurations. If the MIN (supported) version ever rises, the user's
     * "floor" remains valid even if no longer available. We don't expect the
     * MAX ceiling to ever get lower, so making that variable makes sense.
     */
    if (method_version == TLS_ANY_VERSION) {
        in_range = version >= SSL3_VERSION && version <= TLS_MAX_VERSION;
    } else if (method_version == DTLS_ANY_VERSION) {
        in_range = !DTLS_VERSION_GT(version, DTLS_MAX_VERSION)
                   && !DTLS_VERSION_LT(version, DTLS1_BAD_VER);
    } else {
        /*
         * XXX For fixed version methods, should we always fail and not set any
         * bounds, always succeed and not set any bounds, or set the bounds and
         * arrange to fail later if they are not met? At present fixed-version
         * methods are not subject to controls that disable individual protocol
         * versions.
         */
        return 0;
    }

    if (!in_range)
        return 0;

    *bound = version;
    return 1;
}

/*
 * Decide which downgrade-protection sentinel the server must embed in its
 * ServerHello random for the version it is about to negotiate (the client
 * side checks for it in ssl_choose_client_version()).
 *
 * @s:    server SSL handle.
 * @vers: the version being negotiated.
 * @dgrd: receives DOWNGRADE_TO_1_2, DOWNGRADE_TO_1_1 or DOWNGRADE_NONE.
 */
static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
{
    DOWNGRADE result = DOWNGRADE_NONE;

    if (vers == TLS1_2_VERSION
        && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
        /* We could have done TLSv1.3 but are settling for TLSv1.2. */
        result = DOWNGRADE_TO_1_2;
    } else if (!SSL_IS_DTLS(s)
               && vers < TLS1_2_VERSION
               /*
                * We need to ensure that a server that disables TLSv1.2
                * (creating a hole between TLSv1.3 and TLSv1.1) can still
                * complete handshakes with clients that support TLSv1.2 and
                * below. Therefore we do not enable the sentinel if TLSv1.3 is
                * enabled and TLSv1.2 is not.
                */
               && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
        result = DOWNGRADE_TO_1_1;
    }

    *dgrd = result;
}

/*
 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
 * client HELLO is received to select the final server protocol version and
 * the version specific method.
 *
 * @s: server SSL handle.
 *
 * Returns 0 on success or an SSL error reason number on failure.
 */
int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
{
    /*-
     * With version-flexible methods we have an initial state with:
     *
     * s->method->version == (D)TLS_ANY_VERSION,
     * s->version == (D)TLS_MAX_VERSION.
     *
     * So we detect version-flexible methods via the method version, not the
     * handle version.
*/
    int server_version = s->method->version;
    int client_version = hello->legacy_version;
    const version_info *vent;
    const version_info *table;
    int disabled = 0;   /* set if some candidate was rejected by configuration */
    RAW_EXTENSION *suppversions;

    /* Remember the peer's legacy_version as received, before any capping. */
    s->client_version = client_version;

    switch (server_version) {
    default:
        if (!SSL_IS_TLS13(s)) {
            /* Fixed-version method: the client must offer at least our version. */
            if (version_cmp(s, client_version, s->version) < 0)
                return SSL_R_WRONG_SSL_VERSION;
            *dgrd = DOWNGRADE_NONE;
            /*
             * If this SSL handle is not from a version flexible method we don't
             * (and never did) check min/max FIPS or Suite B constraints. Hope
             * that's OK. It is up to the caller to not choose fixed protocol
             * versions they don't want. If not, then easy to fix, just return
             * ssl_method_error(s, s->method)
             */
            return 0;
        }
        /*
         * Fall through if we are TLSv1.3 already (this means we must be after
         * a HelloRetryRequest
         */
        /* fall thru */
    case TLS_ANY_VERSION:
        table = tls_version_table;
        break;
    case DTLS_ANY_VERSION:
        table = dtls_version_table;
        break;
    }

    suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];

    /* If we did an HRR then supported versions is mandatory */
    if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
        return SSL_R_UNSUPPORTED_PROTOCOL;

    /* supported_versions path; DTLS never uses it here. */
    if (suppversions->present && !SSL_IS_DTLS(s)) {
        unsigned int candidate_vers = 0;
        unsigned int best_vers = 0;
        const SSL_METHOD *best_method = NULL;
        PACKET versionslist;

        suppversions->parsed = 1;

        if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
            /* Trailing or invalid data? */
            return SSL_R_LENGTH_MISMATCH;
        }

        /*
         * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
         * The spec only requires servers to check that it isn't SSLv3:
         * "Any endpoint receiving a Hello message with
         * ClientHello.legacy_version or ServerHello.legacy_version set to
         * 0x0300 MUST abort the handshake with a "protocol_version" alert."
         * We are slightly stricter and require that it isn't SSLv3 or lower.
         * We tolerate TLSv1 and TLSv1.1.
         */
        if (client_version <= SSL3_VERSION)
            return SSL_R_BAD_LEGACY_VERSION;

        /*
         * Pick the highest version we support from the client's list; the
         * client's own ordering is not used as a preference.  best_method is
         * only written by ssl_version_supported() when it returns 1, so it
         * always belongs to best_vers.
         */
        while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
            if (version_cmp(s, candidate_vers, best_vers) <= 0)
                continue;
            if (ssl_version_supported(s, candidate_vers, &best_method))
                best_vers = candidate_vers;
        }
        if (PACKET_remaining(&versionslist) != 0) {
            /* Trailing data? */
            return SSL_R_LENGTH_MISMATCH;
        }

        if (best_vers > 0) {
            if (s->hello_retry_request != SSL_HRR_NONE) {
                /*
                 * This is after a HelloRetryRequest so we better check that we
                 * negotiated TLSv1.3
                 */
                if (best_vers != TLS1_3_VERSION)
                    return SSL_R_UNSUPPORTED_PROTOCOL;
                /*
                 * s->version, s->method and *dgrd are left untouched here;
                 * presumably they were set on the first ClientHello - confirm.
                 */
                return 0;
            }
            check_for_downgrade(s, best_vers, dgrd);
            s->version = best_vers;
            s->method = best_method;
            return 0;
        }
        /* The client listed versions but none of them is enabled here. */
        return SSL_R_UNSUPPORTED_PROTOCOL;
    }

    /*
     * If the supported versions extension isn't present, then the highest
     * version we can negotiate is TLSv1.2
     */
    if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
        client_version = TLS1_2_VERSION;

    /*
     * No supported versions extension, so we just use the version supplied in
     * the ClientHello.
     */
    for (vent = table; vent->version != 0; ++vent) {
        const SSL_METHOD *method;

        /* Table is high to low: skip entries newer than the client offered. */
        if (vent->smeth == NULL ||
            version_cmp(s, client_version, vent->version) < 0)
            continue;
        method = vent->smeth();
        if (ssl_method_error(s, method) == 0) {
            check_for_downgrade(s, vent->version, dgrd);
            s->version = vent->version;
            s->method = method;
            return 0;
        }
        /* A candidate existed but local configuration rejected it. */
        disabled = 1;
    }
    /* Distinguish "we disabled everything usable" from "client is too old". */
    return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
}

/*
 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
 * server HELLO is received to select the final client protocol version and
 * the version specific method.
 *
 * @s: client SSL handle.
 * @version: The proposed version from the server's HELLO.
 * @extensions: The extensions received
 *
 * Returns 1 on success or 0 on error.
*/
int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
{
    const version_info *vent;
    const version_info *table;
    int ret, ver_min, ver_max, real_max, origv;

    /*
     * Tentatively adopt the server's version; every failure path below
     * restores origv so the handle never keeps an unvalidated version.
     */
    origv = s->version;
    s->version = version;

    /* This will overwrite s->version if the extension is present */
    if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
                             SSL_EXT_TLS1_2_SERVER_HELLO
                             | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
                             NULL, 0)) {
        s->version = origv;
        return 0;
    }

    /* After a HelloRetryRequest only TLSv1.3 is acceptable. */
    if (s->hello_retry_request != SSL_HRR_NONE
        && s->version != TLS1_3_VERSION) {
        s->version = origv;
        SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
                 SSL_R_WRONG_SSL_VERSION);
        return 0;
    }

    switch (s->method->version) {
    default:
        /* Fixed-version method: the server must have picked exactly it. */
        if (s->version != s->method->version) {
            s->version = origv;
            SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
                     SSL_F_SSL_CHOOSE_CLIENT_VERSION,
                     SSL_R_WRONG_SSL_VERSION);
            return 0;
        }
        /*
         * If this SSL handle is not from a version flexible method we don't
         * (and never did) check min/max, FIPS or Suite B constraints. Hope
         * that's OK. It is up to the caller to not choose fixed protocol
         * versions they don't want. If not, then easy to fix, just return
         * ssl_method_error(s, s->method)
         */
        return 1;
    case TLS_ANY_VERSION:
        table = tls_version_table;
        break;
    case DTLS_ANY_VERSION:
        table = dtls_version_table;
        break;
    }

    /* Bounds we actually offered; the server's choice must fall inside them. */
    ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
    if (ret != 0) {
        s->version = origv;
        SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
                 SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
        return 0;
    }
    /* DTLS version numbers run backwards, hence the macro comparisons. */
    if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
                       : s->version < ver_min) {
        s->version = origv;
        SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
                 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
        return 0;
    } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
                              : s->version > ver_max) {
        s->version = origv;
        SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
                 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
        return 0;
    }

    /*
     * real_max (from ssl_get_min_max_version) only matters when we are
     * sending a fallback SCSV; otherwise the ceiling we advertised is ver_max.
     */
    if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
        real_max = ver_max;

    /*
     * Check for downgrades: if the server settled on a version below the
     * maximum we offered, its random must not end with the downgrade sentinel
     * that an honest TLSv1.3-capable server would place there (see
     * check_for_downgrade() for the server side).  tls12downgrade and
     * tls11downgrade are arrays defined elsewhere in this file, which is
     * what makes sizeof() meaningful here.  The compared bytes are the
     * server's public random, so a non-constant-time memcmp is fine.
     */
    if (s->version == TLS1_2_VERSION && real_max > s->version) {
        if (memcmp(tls12downgrade,
                   s->s3->server_random + SSL3_RANDOM_SIZE
                                        - sizeof(tls12downgrade),
                   sizeof(tls12downgrade)) == 0) {
            s->version = origv;
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_SSL_CHOOSE_CLIENT_VERSION,
                     SSL_R_INAPPROPRIATE_FALLBACK);
            return 0;
        }
    } else if (!SSL_IS_DTLS(s)
               && s->version < TLS1_2_VERSION
               && real_max > s->version) {
        if (memcmp(tls11downgrade,
                   s->s3->server_random + SSL3_RANDOM_SIZE
                                        - sizeof(tls11downgrade),
                   sizeof(tls11downgrade)) == 0) {
            s->version = origv;
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_SSL_CHOOSE_CLIENT_VERSION,
                     SSL_R_INAPPROPRIATE_FALLBACK);
            return 0;
        }
    }

    /* Switch to the version-specific client method for the agreed version. */
    for (vent = table; vent->version != 0; ++vent) {
        if (vent->cmeth == NULL || s->version != vent->version)
            continue;

        s->method = vent->cmeth();
        return 1;
    }

    /* The server chose a version that is not compiled in or not in our table. */
    s->version = origv;
    SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
             SSL_R_UNSUPPORTED_PROTOCOL);
    return 0;
}

/*
 * ssl_get_min_max_version - get minimum and maximum protocol version
 * @s: The SSL connection
 * @min_version: The minimum supported version
 * @max_version: The maximum supported version
 * @real_max:    The highest version below the lowest compile time version hole
 *               where that hole lies above at least one run-time enabled
 *               protocol.
 *
 * Work out what version we should be using for the initial ClientHello if the
 * version is initially (D)TLS_ANY_VERSION.  We apply any explicit SSL_OP_NO_xxx
 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
 * constraints and any floor imposed by the security level here,
 * so we don't advertise the wrong protocol version to only reject the outcome later.
 *
 * Computing the right floor matters.  If, e.g., TLS 1.0 and 1.2 are enabled,
 * TLS 1.1 is disabled, but the security level, Suite-B  and/or MinProtocol
 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
*
 * Returns 0 on success or an SSL error reason number on failure.  On failure
 * min_version and max_version will also be set to 0.  (The one exception is
 * the internal-error return for a fixed-version method below, which leaves
 * both at s->version.)
 */
int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
                            int *real_max)
{
    int version, tmp_real_max;
    int hole;
    const SSL_METHOD *single = NULL;
    const SSL_METHOD *method;
    const version_info *table;
    const version_info *vent;

    switch (s->method->version) {
    default:
        /*
         * If this SSL handle is not from a version flexible method we don't
         * (and never did) check min/max, FIPS or Suite B constraints.  Hope
         * that's OK.  It is up to the caller to not choose fixed protocol
         * versions they don't want.  If not, then easy to fix, just return
         * ssl_method_error(s, s->method)
         */
        *min_version = *max_version = s->version;
        /*
         * Providing a real_max only makes sense where we're using a version
         * flexible method.
         */
        if (!ossl_assert(real_max == NULL))
            return ERR_R_INTERNAL_ERROR;
        return 0;
    case TLS_ANY_VERSION:
        table = tls_version_table;
        break;
    case DTLS_ANY_VERSION:
        table = dtls_version_table;
        break;
    }

    /*
     * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
     * below X enabled. This is required in order to maintain the "version
     * capability" vector contiguous. Any versions with a NULL client method
     * (protocol version client is disabled at compile-time) is also a "hole".
     *
     * Our initial state is hole == 1, version == 0.  That is, versions above
     * the first version in the method table are disabled (a "hole" above
     * the valid protocol entries) and we don't have a selected version yet.
     *
     * Whenever "hole == 1", and we hit an enabled method, its version becomes
     * the selected version, and the method becomes a candidate "single"
     * method.  We're no longer in a hole, so "hole" becomes 0.
     *
     * If "hole == 0" and we hit an enabled method, then "single" is cleared,
     * as we support a contiguous range of at least two methods.  If we hit
     * a disabled method, then hole becomes true again, but nothing else
     * changes yet, because all the remaining methods may be disabled too.
     * If we again hit an enabled method after the new hole, it becomes
     * selected, as we start from scratch.
     *
     * Consequence: the walk starts at the top of the table and a fresh run
     * after a hole replaces the earlier selection, so the range that survives
     * is the *lowest* contiguous run of enabled, compiled-in versions.  That
     * is what gives SSL_OP_NO_X its "disables everything above X" behaviour.
     */
    *min_version = version = 0;
    hole = 1;
    if (real_max != NULL)
        *real_max = 0;
    tmp_real_max = 0;
    for (vent = table; vent->version != 0; ++vent) {
        /*
         * A table entry with a NULL client method is still a hole in the
         * "version capability" vector.
         */
        if (vent->cmeth == NULL) {
            hole = 1;
            tmp_real_max = 0;
            continue;
        }
        method = vent->cmeth();

        /*
         * Remember the first compiled-in version after a hole (enabled or
         * not); it becomes real_max if the run that starts here is selected.
         */
        if (hole == 1 && tmp_real_max == 0)
            tmp_real_max = vent->version;

        /*
         * ssl_method_error() is where the run-time policy listed in the
         * header comment (SSL_OP_NO_*, Min/MaxProtocol, security level,
         * Suite B) is applied to an individual version.
         */
        if (ssl_method_error(s, method) != 0) {
            hole = 1;
        } else if (!hole) {
            /* Extending the current run downwards: lower the floor. */
            single = NULL;
            *min_version = method->version;
        } else {
            /* First enabled version after a hole: start a new run here. */
            if (real_max != NULL && tmp_real_max != 0)
                *real_max = tmp_real_max;
            version = (single = method)->version;
            *min_version = version;
            hole = 0;
        }
    }

    /*
     * NOTE(review): |single| is written in the loop but never read; it looks
     * like a leftover of an earlier single-method shortcut and could be
     * removed.
     */
    *max_version = version;

    /* Fail if everything is disabled */
    if (version == 0)
        return SSL_R_NO_PROTOCOLS_AVAILABLE;

    return 0;
}

/*
 * ssl_set_client_hello_version - Work out what version we should be using for
 * the initial ClientHello.legacy_version field.
 *
 * @s: client SSL handle.
 *
 * On success s->version holds the highest enabled version and
 * s->client_version the value that actually goes on the wire.
 *
 * Returns 0 on success or an SSL error reason number on failure.
 */
int ssl_set_client_hello_version(SSL *s)
{
    int ver_min, ver_max, ret;

    /*
     * In a renegotiation we always send the same client_version that we sent
     * last time, regardless of which version we eventually negotiated.
     */
    if (!SSL_IS_FIRST_HANDSHAKE(s))
        return 0;

    /* real_max is not needed here, so NULL is passed for it. */
    ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);

    if (ret != 0)
        return ret;

    s->version = ver_max;

    /*
     * TLS1.3 always uses TLS1.2 in the legacy_version field; the real maximum
     * is advertised through the supported_versions extension instead
     * (RFC 8446, section 4.1.2).
     */
    if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
        ver_max = TLS1_2_VERSION;

    s->client_version = ver_max;
    return 0;
}

/*
 * Checks a list of |groups| to determine if the |group_id| is in it.
* If it is, and |checkallow| is 1, additionally check whether the group may
 * actually be used (tls_curve_allowed() with SSL_SECOP_CURVE_CHECK, i.e. the
 * configured curve policy).  Returns 1 if the group is in the list (and
 * allowed when |checkallow| is 1) or 0 otherwise.  A NULL or empty list never
 * matches.
 */
#ifndef OPENSSL_NO_EC
int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
                  size_t num_groups, int checkallow)
{
    size_t i;

    if (groups == NULL || num_groups == 0)
        return 0;

    for (i = 0; i < num_groups; i++) {
        uint16_t group = groups[i];

        /*
         * Membership first, policy second: an ID that is present but not
         * allowed is reported as "not in the list" when |checkallow| is set.
         */
        if (group_id == group
                && (!checkallow
                    || tls_curve_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
            return 1;
        }
    }

    return 0;
}
#endif

/*
 * Replace ClientHello1 in the transcript hash with a synthetic message
 * (RFC 8446, section 4.4.1).  After a HelloRetryRequest the transcript is
 * rebuilt as
 *
 *     message_hash(Hash(ClientHello1)) || HelloRetryRequest || ClientHello2 ...
 *
 * so the first ClientHello only contributes its digest.
 *
 * @hashval/@hashlen: digest of ClientHello1, or NULL to have it computed from
 *                    the records currently cached in the transcript.
 * @hrr/@hrrlen:      when non-NULL, the HelloRetryRequest to re-add after the
 *                    synthetic message, followed by the message currently in
 *                    s->init_buf.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has then been called).
 */
int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
                                  size_t hashlen, const unsigned char *hrr,
                                  size_t hrrlen)
{
    unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
    unsigned char msghdr[SSL3_HM_HEADER_LENGTH];

    memset(msghdr, 0, sizeof(msghdr));

    if (hashval == NULL) {
        hashval = hashvaltmp;
        hashlen = 0;
        /* Get the hash of the initial ClientHello */
        if (!ssl3_digest_cached_records(s, 0)
                || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
                                       &hashlen)) {
            /* SSLfatal() already called */
            return 0;
        }
    }

    /* Reinitialise the transcript hash */
    if (!ssl3_init_finished_mac(s)) {
        /* SSLfatal() already called */
        return 0;
    }

    /*
     * Inject the synthetic message_hash message: a handshake header (type
     * plus length) followed by the digest.  Only the last header byte carries
     * the length, the zeroed bytes before it supply the high-order part, so
     * this assumes hashlen < 256.  That holds when the digest is computed
     * above (bounded by EVP_MAX_MD_SIZE); a caller-supplied |hashlen| is
     * trusted to respect the same bound, as the cast silently truncates.
     */
    msghdr[0] = SSL3_MT_MESSAGE_HASH;
    msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
    if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
            || !ssl3_finish_mac(s, hashval, hashlen)) {
        /* SSLfatal() already called */
        return 0;
    }

    /*
     * Now re-inject the HRR and current message if appropriate (we just deleted
     * it when we reinitialised the transcript hash above). Only necessary after
     * receiving a ClientHello2 with a cookie.  The "current message" is read
     * from s->init_buf using s->s3->tmp.message_size, so this relies on the
     * caller having the complete message in that buffer at this point.
     */
    if (hrr != NULL
            && (!ssl3_finish_mac(s, hrr, hrrlen)
                || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
                                    s->s3->tmp.message_size
                                    + SSL3_HM_HEADER_LENGTH))) {
        /* SSLfatal() already called */
        return 0;
    }

    return 1;
}

/* sk_X509_NAME comparison callback: order names by X509_NAME_cmp(). */
static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
{
    return X509_NAME_cmp(*a, *b);
}

/*
 * Parse the certificate_authorities list sent by the peer - a u16
 * length-prefixed sequence of u16 length-prefixed DER DistinguishedNames -
 * from |pkt| and store it in s->s3->tmp.peer_ca_names, replacing any earlier
 * list.  An empty sequence is valid and yields an empty stack.
 *
 * This is untrusted wire data: every length goes through the PACKET
 * accessors, so reads cannot run past the enclosing record, and each DER
 * name must decode to exactly its declared length so trailing bytes inside a
 * name are rejected rather than silently skipped.  The outer u16 prefix also
 * bounds the total amount parsed.  Everything built so far is released on
 * the error path.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has then been called).
 */
int parse_ca_names(SSL *s, PACKET *pkt)
{
    STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
    X509_NAME *xn = NULL;
    PACKET cadns;

    if (ca_sk == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
                 ERR_R_MALLOC_FAILURE);
        goto err;
    }
    /* get the CA RDNs */
    if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
                 SSL_R_LENGTH_MISMATCH);
        goto err;
    }

    while (PACKET_remaining(&cadns)) {
        const unsigned char *namestart, *namebytes;
        unsigned int name_len;

        if (!PACKET_get_net_2(&cadns, &name_len)
            || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
                     SSL_R_LENGTH_MISMATCH);
            goto err;
        }

        /*
         * d2i advances |namebytes| past what it consumed; insist that this
         * is exactly name_len so a DER name shorter than its TLS length is a
         * decode error, not ignored slack.
         */
        namestart = namebytes;
        if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
                     ERR_R_ASN1_LIB);
            goto err;
        }
        if (namebytes != (namestart + name_len)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
                     SSL_R_CA_DN_LENGTH_MISMATCH);
            goto err;
        }

        if (!sk_X509_NAME_push(ca_sk, xn)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
                     ERR_R_MALLOC_FAILURE);
            goto err;
        }
        /* Ownership moved into ca_sk; must not be freed again on error. */
        xn = NULL;
    }

    /* Commit: the previous list is dropped only once the new one parsed. */
    sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
    s->s3->tmp.peer_ca_names = ca_sk;

    return 1;

 err:
    sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
    X509_NAME_free(xn);
    return 0;
}

/*
 * Write the CA list configured for this connection (SSL_get0_CA_list()) into
 * |pkt| as a u16 length-prefixed sequence of u16 length-prefixed DER names -
 * the inverse of parse_ca_names().  A NULL list produces an empty sequence.
 *
 * Each name is encoded directly into space reserved in the WPACKET; the
 * second i2d call must produce exactly the length the first one reported.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has then been called).
 */
int construct_ca_names(SSL *s, WPACKET *pkt)
{
    const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s);

    /* Start sub-packet for client CA list */
    if (!WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    if (ca_sk != NULL) {
        int i;

        for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
            unsigned char *namebytes;
            X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
            int namelen;

            if (name == NULL
                    || (namelen = i2d_X509_NAME(name, NULL)) < 0
                    || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
                                                       &namebytes)
                    || i2d_X509_NAME(name, &namebytes) != namelen) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
                         ERR_R_INTERNAL_ERROR);
                return 0;
            }
        }
    }

    if (!WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

/*
 * Create a buffer containing data to be signed for server key exchange:
 *
 *     client_random || server_random || params
 *
 * (RFC 5246, section 7.4.3).  Binding both nonces into the signed data is
 * what stops a captured ServerKeyExchange signature from being replayed in
 * another handshake, so |param| must never be signed on its own.
 *
 * @ptbs: receives the newly allocated buffer on success; the caller owns it
 *        and releases it with OPENSSL_free().  Not written on failure.
 * @param/@paramlen: the already-encoded key exchange parameters.
 *
 * Returns the buffer length, or 0 on allocation failure (SSLfatal() has then
 * been called).
 *
 * NOTE(review): a NULL |param| with paramlen == 0 would reach memcpy() with
 * a NULL source, which is formally undefined; callers are assumed to always
 * pass a real buffer.
 */
size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
                                  const void *param, size_t paramlen)
{
    size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
    unsigned char *tbs = OPENSSL_malloc(tbslen);

    if (tbs == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
                 ERR_R_MALLOC_FAILURE);
        return 0;
    }
    memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE);
    memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE);

    memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);

    *ptbs = tbs;
    return tbslen;
}

/*
 * Saves the current handshake digest for Post-Handshake Auth,
 * Done after ClientFinished is processed, done exactly once.  The copy kept
 * in s->pha_dgst is the transcript state that later post-handshake
 * CertificateRequest exchanges are restored from, so it is captured here and
 * never advanced; calling this again while s->pha_dgst is set is a no-op.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has then been called).
 *
 * NOTE(review): if EVP_MD_CTX_copy_ex() fails, s->pha_dgst is left allocated
 * without a valid copy.  Harmless today only because SSLfatal() has already
 * condemned the connection; freeing and NULLing it on that path would be
 * cleaner.
 */
int tls13_save_handshake_digest_for_pha(SSL *s)
{
    if (s->pha_dgst == NULL) {
        if (!ssl3_digest_cached_records(s, 1))
            /* SSLfatal() already called */
            return 0;

        s->pha_dgst = EVP_MD_CTX_new();
        if (s->pha_dgst == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
                     ERR_R_INTERNAL_ERROR);
            return 0;
        }
        if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
                                s->s3->handshake_dgst)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
                     ERR_R_INTERNAL_ERROR);
            return 0;
        }
    }
    return 1;
}

/*
 * Restores the Post-Handshake Auth handshake digest
 * Done just before sending/processing the Cert Request: the live transcript
 * (s->s3->handshake_dgst) is overwritten with the copy saved by
 * tls13_save_handshake_digest_for_pha().  The saved copy is the source of the
 * copy and is left intact, so further post-handshake authentications start
 * from the same point.
 *
 * Returns 1 on success, 0 if nothing was saved or the copy fails (SSLfatal()
 * has then been called).
 */
int tls13_restore_handshake_digest_for_pha(SSL *s)
{
    if (s->pha_dgst == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }
    if (!EVP_MD_CTX_copy_ex(s->s3->handshake_dgst,
                            s->pha_dgst)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }
    return 1;
}