1 /* 2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * 5 * Licensed under the OpenSSL license (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include <limits.h> 12 #include <string.h> 13 #include <stdio.h> 14 #include "../ssl_local.h" 15 #include "statem_local.h" 16 #include "internal/cryptlib.h" 17 #include <openssl/buffer.h> 18 #include <openssl/objects.h> 19 #include <openssl/evp.h> 20 #include <openssl/x509.h> 21 22 /* 23 * Map error codes to TLS/SSL alart types. 24 */ 25 typedef struct x509err2alert_st { 26 int x509err; 27 int alert; 28 } X509ERR2ALERT; 29 30 /* Fixed value used in the ServerHello random field to identify an HRR */ 31 const unsigned char hrrrandom[] = { 32 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 33 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 34 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c 35 }; 36 37 /* 38 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or 39 * SSL3_RT_CHANGE_CIPHER_SPEC) 40 */ 41 int ssl3_do_write(SSL *s, int type) 42 { 43 int ret; 44 size_t written = 0; 45 46 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off], 47 s->init_num, &written); 48 if (ret < 0) 49 return -1; 50 if (type == SSL3_RT_HANDSHAKE) 51 /* 52 * should not be done for 'Hello Request's, but in that case we'll 53 * ignore the result anyway 54 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added 55 */ 56 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET 57 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE 58 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE)) 59 if (!ssl3_finish_mac(s, 60 (unsigned char *)&s->init_buf->data[s->init_off], 61 written)) 62 return -1; 63 if (written == s->init_num) { 64 if (s->msg_callback) 65 s->msg_callback(1, s->version, type, s->init_buf->data, 66 (size_t)(s->init_off + s->init_num), s, 67 s->msg_callback_arg); 68 return 1; 69 } 70 s->init_off += written; 71 s->init_num -= written; 72 return 0; 73 } 74 75 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype) 76 { 77 size_t msglen; 78 79 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt)) 80 || !WPACKET_get_length(pkt, &msglen) 81 || msglen > INT_MAX) 82 return 0; 83 s->init_num = (int)msglen; 84 s->init_off = 0; 85 86 return 1; 87 } 88 89 int tls_setup_handshake(SSL *s) 90 { 91 if (!ssl3_init_finished_mac(s)) { 92 /* SSLfatal() already called */ 93 return 0; 94 } 95 96 /* Reset any extension flags */ 97 memset(s->ext.extflags, 0, sizeof(s->ext.extflags)); 98 99 if (s->server) { 100 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s); 101 int i, ver_min, ver_max, ok = 0; 102 103 /* 104 * Sanity check that the maximum version we accept has ciphers 105 * enabled. For clients we do this check during construction of the 106 * ClientHello. 107 */ 108 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) { 109 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE, 110 ERR_R_INTERNAL_ERROR); 111 return 0; 112 } 113 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 114 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); 115 116 if (SSL_IS_DTLS(s)) { 117 if (DTLS_VERSION_GE(ver_max, c->min_dtls) && 118 DTLS_VERSION_LE(ver_max, c->max_dtls)) 119 ok = 1; 120 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) { 121 ok = 1; 122 } 123 if (ok) 124 break; 125 } 126 if (!ok) { 127 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE, 128 SSL_R_NO_CIPHERS_AVAILABLE); 129 ERR_add_error_data(1, "No ciphers enabled for max supported " 130 "SSL/TLS version"); 131 return 0; 132 } 133 if (SSL_IS_FIRST_HANDSHAKE(s)) { 134 /* N.B. s->session_ctx == s->ctx here */ 135 tsan_counter(&s->session_ctx->stats.sess_accept); 136 } else { 137 /* N.B. s->ctx may not equal s->session_ctx */ 138 tsan_counter(&s->ctx->stats.sess_accept_renegotiate); 139 140 s->s3->tmp.cert_request = 0; 141 } 142 } else { 143 if (SSL_IS_FIRST_HANDSHAKE(s)) 144 tsan_counter(&s->session_ctx->stats.sess_connect); 145 else 146 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate); 147 148 /* mark client_random uninitialized */ 149 memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); 150 s->hit = 0; 151 152 s->s3->tmp.cert_req = 0; 153 154 if (SSL_IS_DTLS(s)) 155 s->statem.use_timer = 1; 156 } 157 158 return 1; 159 } 160 161 /* 162 * Size of the to-be-signed TLS13 data, without the hash size itself: 163 * 64 bytes of value 32, 33 context bytes, 1 byte separator 164 */ 165 #define TLS13_TBS_START_SIZE 64 166 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1) 167 168 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, 169 void **hdata, size_t *hdatalen) 170 { 171 #ifdef CHARSET_EBCDIC 172 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 173 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65, 174 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 175 0x69, 0x66, 0x79, 0x00 }; 176 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 177 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65, 178 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 179 0x69, 0x66, 0x79, 0x00 }; 180 #else 181 static const char servercontext[] = "TLS 1.3, server CertificateVerify"; 182 static const char clientcontext[] = "TLS 1.3, client CertificateVerify"; 183 #endif 184 if (SSL_IS_TLS13(s)) { 185 size_t hashlen; 186 187 /* Set the first 64 bytes of to-be-signed data to octet 32 */ 188 memset(tls13tbs, 32, TLS13_TBS_START_SIZE); 189 /* This copies the 33 bytes of context plus the 0 separator byte */ 190 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY 191 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY) 192 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext); 193 else 194 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext); 195 196 /* 197 * If we're currently reading then we need to use the saved handshake 198 * hash value. We can't use the current handshake hash state because 199 * that includes the CertVerify itself. 200 */ 201 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY 202 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) { 203 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash, 204 s->cert_verify_hash_len); 205 hashlen = s->cert_verify_hash_len; 206 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE, 207 EVP_MAX_MD_SIZE, &hashlen)) { 208 /* SSLfatal() already called */ 209 return 0; 210 } 211 212 *hdata = tls13tbs; 213 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen; 214 } else { 215 size_t retlen; 216 long retlen_l; 217 218 retlen = retlen_l = BIO_get_mem_data(s->s3->handshake_buffer, hdata); 219 if (retlen_l <= 0) { 220 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA, 221 ERR_R_INTERNAL_ERROR); 222 return 0; 223 } 224 *hdatalen = retlen; 225 } 226 227 return 1; 228 } 229 230 int tls_construct_cert_verify(SSL *s, WPACKET *pkt) 231 { 232 EVP_PKEY *pkey = NULL; 233 const EVP_MD *md = NULL; 234 EVP_MD_CTX *mctx = NULL; 235 EVP_PKEY_CTX *pctx = NULL; 236 size_t hdatalen = 0, siglen = 0; 237 void *hdata; 238 unsigned char *sig = NULL; 239 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; 240 const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg; 241 242 if (lu == NULL || s->s3->tmp.cert == NULL) { 243 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 244 ERR_R_INTERNAL_ERROR); 245 goto err; 246 } 247 pkey = s->s3->tmp.cert->privatekey; 248 249 if (pkey == NULL || !tls1_lookup_md(lu, &md)) { 250 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 251 ERR_R_INTERNAL_ERROR); 252 goto err; 253 } 254 255 mctx = EVP_MD_CTX_new(); 256 if (mctx == NULL) { 257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 258 ERR_R_MALLOC_FAILURE); 259 goto err; 260 } 261 262 /* Get the data to be signed */ 263 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { 264 /* SSLfatal() already called */ 265 goto err; 266 } 267 268 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { 269 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 270 ERR_R_INTERNAL_ERROR); 271 goto err; 272 } 273 siglen = EVP_PKEY_size(pkey); 274 sig = OPENSSL_malloc(siglen); 275 if (sig == NULL) { 276 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 277 ERR_R_MALLOC_FAILURE); 278 goto err; 279 } 280 281 if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) { 282 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 283 ERR_R_EVP_LIB); 284 goto err; 285 } 286 287 if (lu->sig == EVP_PKEY_RSA_PSS) { 288 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 289 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 290 RSA_PSS_SALTLEN_DIGEST) <= 0) { 291 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 292 ERR_R_EVP_LIB); 293 goto err; 294 } 295 } 296 if (s->version == SSL3_VERSION) { 297 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0 298 || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, 299 (int)s->session->master_key_length, 300 s->session->master_key) 301 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) { 302 303 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 304 ERR_R_EVP_LIB); 305 goto err; 306 } 307 } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) { 308 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 309 ERR_R_EVP_LIB); 310 goto err; 311 } 312 313 #ifndef OPENSSL_NO_GOST 314 { 315 int pktype = lu->sig; 316 317 if (pktype == NID_id_GostR3410_2001 318 || pktype == NID_id_GostR3410_2012_256 319 || pktype == NID_id_GostR3410_2012_512) 320 BUF_reverse(sig, NULL, siglen); 321 } 322 #endif 323 324 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) { 325 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, 326 ERR_R_INTERNAL_ERROR); 327 goto err; 328 } 329 330 /* Digest cached records and discard handshake buffer */ 331 if (!ssl3_digest_cached_records(s, 0)) { 332 /* SSLfatal() already called */ 333 goto err; 334 } 335 336 OPENSSL_free(sig); 337 EVP_MD_CTX_free(mctx); 338 return 1; 339 err: 340 OPENSSL_free(sig); 341 EVP_MD_CTX_free(mctx); 342 return 0; 343 } 344 345 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) 346 { 347 EVP_PKEY *pkey = NULL; 348 const unsigned char *data; 349 #ifndef OPENSSL_NO_GOST 350 unsigned char *gost_data = NULL; 351 #endif 352 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; 353 int j; 354 unsigned int len; 355 X509 *peer; 356 const EVP_MD *md = NULL; 357 size_t hdatalen = 0; 358 void *hdata; 359 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; 360 EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 361 EVP_PKEY_CTX *pctx = NULL; 362 363 if (mctx == NULL) { 364 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 365 ERR_R_MALLOC_FAILURE); 366 goto err; 367 } 368 369 peer = s->session->peer; 370 pkey = X509_get0_pubkey(peer); 371 if (pkey == NULL) { 372 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 373 ERR_R_INTERNAL_ERROR); 374 goto err; 375 } 376 377 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) { 378 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY, 379 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 380 goto err; 381 } 382 383 if (SSL_USE_SIGALGS(s)) { 384 unsigned int sigalg; 385 386 if (!PACKET_get_net_2(pkt, &sigalg)) { 387 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 388 SSL_R_BAD_PACKET); 389 goto err; 390 } 391 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) { 392 /* SSLfatal() already called */ 393 goto err; 394 } 395 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { 396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 397 ERR_R_INTERNAL_ERROR); 398 goto err; 399 } 400 401 if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) { 402 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 403 ERR_R_INTERNAL_ERROR); 404 goto err; 405 } 406 407 #ifdef SSL_DEBUG 408 if (SSL_USE_SIGALGS(s)) 409 fprintf(stderr, "USING TLSv1.2 HASH %s\n", 410 md == NULL ? "n/a" : EVP_MD_name(md)); 411 #endif 412 413 /* Check for broken implementations of GOST ciphersuites */ 414 /* 415 * If key is GOST and len is exactly 64 or 128, it is signature without 416 * length field (CryptoPro implementations at least till TLS 1.2) 417 */ 418 #ifndef OPENSSL_NO_GOST 419 if (!SSL_USE_SIGALGS(s) 420 && ((PACKET_remaining(pkt) == 64 421 && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001 422 || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256)) 423 || (PACKET_remaining(pkt) == 128 424 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) { 425 len = PACKET_remaining(pkt); 426 } else 427 #endif 428 if (!PACKET_get_net_2(pkt, &len)) { 429 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 430 SSL_R_LENGTH_MISMATCH); 431 goto err; 432 } 433 434 j = EVP_PKEY_size(pkey); 435 if (((int)len > j) || ((int)PACKET_remaining(pkt) > j) 436 || (PACKET_remaining(pkt) == 0)) { 437 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 438 SSL_R_WRONG_SIGNATURE_SIZE); 439 goto err; 440 } 441 if (!PACKET_get_bytes(pkt, &data, len)) { 442 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 443 SSL_R_LENGTH_MISMATCH); 444 goto err; 445 } 446 447 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { 448 /* SSLfatal() already called */ 449 goto err; 450 } 451 452 #ifdef SSL_DEBUG 453 fprintf(stderr, "Using client verify alg %s\n", 454 md == NULL ? "n/a" : EVP_MD_name(md)); 455 #endif 456 if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) { 457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 458 ERR_R_EVP_LIB); 459 goto err; 460 } 461 #ifndef OPENSSL_NO_GOST 462 { 463 int pktype = EVP_PKEY_id(pkey); 464 if (pktype == NID_id_GostR3410_2001 465 || pktype == NID_id_GostR3410_2012_256 466 || pktype == NID_id_GostR3410_2012_512) { 467 if ((gost_data = OPENSSL_malloc(len)) == NULL) { 468 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 469 SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE); 470 goto err; 471 } 472 BUF_reverse(gost_data, data, len); 473 data = gost_data; 474 } 475 } 476 #endif 477 478 if (SSL_USE_PSS(s)) { 479 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 480 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 481 RSA_PSS_SALTLEN_DIGEST) <= 0) { 482 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 483 ERR_R_EVP_LIB); 484 goto err; 485 } 486 } 487 if (s->version == SSL3_VERSION) { 488 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0 489 || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, 490 (int)s->session->master_key_length, 491 s->session->master_key)) { 492 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 493 ERR_R_EVP_LIB); 494 goto err; 495 } 496 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) { 497 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 498 SSL_R_BAD_SIGNATURE); 499 goto err; 500 } 501 } else { 502 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen); 503 if (j <= 0) { 504 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, 505 SSL_R_BAD_SIGNATURE); 506 goto err; 507 } 508 } 509 510 /* 511 * In TLSv1.3 on the client side we make sure we prepare the client 512 * certificate after the CertVerify instead of when we get the 513 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest 514 * comes *before* the Certificate message. In TLSv1.2 it comes after. We 515 * want to make sure that SSL_get_peer_certificate() will return the actual 516 * server certificate from the client_cert_cb callback. 517 */ 518 if (!s->server && SSL_IS_TLS13(s) && s->s3->tmp.cert_req == 1) 519 ret = MSG_PROCESS_CONTINUE_PROCESSING; 520 else 521 ret = MSG_PROCESS_CONTINUE_READING; 522 err: 523 BIO_free(s->s3->handshake_buffer); 524 s->s3->handshake_buffer = NULL; 525 EVP_MD_CTX_free(mctx); 526 #ifndef OPENSSL_NO_GOST 527 OPENSSL_free(gost_data); 528 #endif 529 return ret; 530 } 531 532 int tls_construct_finished(SSL *s, WPACKET *pkt) 533 { 534 size_t finish_md_len; 535 const char *sender; 536 size_t slen; 537 538 /* This is a real handshake so make sure we clean it up at the end */ 539 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED) 540 s->statem.cleanuphand = 1; 541 542 /* 543 * We only change the keys if we didn't already do this when we sent the 544 * client certificate 545 */ 546 if (SSL_IS_TLS13(s) 547 && !s->server 548 && s->s3->tmp.cert_req == 0 549 && (!s->method->ssl3_enc->change_cipher_state(s, 550 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {; 551 /* SSLfatal() already called */ 552 return 0; 553 } 554 555 if (s->server) { 556 sender = s->method->ssl3_enc->server_finished_label; 557 slen = s->method->ssl3_enc->server_finished_label_len; 558 } else { 559 sender = s->method->ssl3_enc->client_finished_label; 560 slen = s->method->ssl3_enc->client_finished_label_len; 561 } 562 563 finish_md_len = s->method->ssl3_enc->final_finish_mac(s, 564 sender, slen, 565 s->s3->tmp.finish_md); 566 if (finish_md_len == 0) { 567 /* SSLfatal() already called */ 568 return 0; 569 } 570 571 s->s3->tmp.finish_md_len = finish_md_len; 572 573 if (!WPACKET_memcpy(pkt, s->s3->tmp.finish_md, finish_md_len)) { 574 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED, 575 ERR_R_INTERNAL_ERROR); 576 return 0; 577 } 578 579 /* 580 * Log the master secret, if logging is enabled. We don't log it for 581 * TLSv1.3: there's a different key schedule for that. 582 */ 583 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL, 584 s->session->master_key, 585 s->session->master_key_length)) { 586 /* SSLfatal() already called */ 587 return 0; 588 } 589 590 /* 591 * Copy the finished so we can use it for renegotiation checks 592 */ 593 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) { 594 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED, 595 ERR_R_INTERNAL_ERROR); 596 return 0; 597 } 598 if (!s->server) { 599 memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md, 600 finish_md_len); 601 s->s3->previous_client_finished_len = finish_md_len; 602 } else { 603 memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md, 604 finish_md_len); 605 s->s3->previous_server_finished_len = finish_md_len; 606 } 607 608 return 1; 609 } 610 611 int tls_construct_key_update(SSL *s, WPACKET *pkt) 612 { 613 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) { 614 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE, 615 ERR_R_INTERNAL_ERROR); 616 return 0; 617 } 618 619 s->key_update = SSL_KEY_UPDATE_NONE; 620 return 1; 621 } 622 623 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) 624 { 625 unsigned int updatetype; 626 627 /* 628 * A KeyUpdate message signals a key change so the end of the message must 629 * be on a record boundary. 630 */ 631 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { 632 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE, 633 SSL_R_NOT_ON_RECORD_BOUNDARY); 634 return MSG_PROCESS_ERROR; 635 } 636 637 if (!PACKET_get_1(pkt, &updatetype) 638 || PACKET_remaining(pkt) != 0) { 639 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE, 640 SSL_R_BAD_KEY_UPDATE); 641 return MSG_PROCESS_ERROR; 642 } 643 644 /* 645 * There are only two defined key update types. Fail if we get a value we 646 * didn't recognise. 647 */ 648 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED 649 && updatetype != SSL_KEY_UPDATE_REQUESTED) { 650 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE, 651 SSL_R_BAD_KEY_UPDATE); 652 return MSG_PROCESS_ERROR; 653 } 654 655 /* 656 * If we get a request for us to update our sending keys too then, we need 657 * to additionally send a KeyUpdate message. However that message should 658 * not also request an update (otherwise we get into an infinite loop). 659 */ 660 if (updatetype == SSL_KEY_UPDATE_REQUESTED) 661 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; 662 663 if (!tls13_update_key(s, 0)) { 664 /* SSLfatal() already called */ 665 return MSG_PROCESS_ERROR; 666 } 667 668 return MSG_PROCESS_FINISHED_READING; 669 } 670 671 /* 672 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen 673 * to far. 674 */ 675 int ssl3_take_mac(SSL *s) 676 { 677 const char *sender; 678 size_t slen; 679 680 if (!s->server) { 681 sender = s->method->ssl3_enc->server_finished_label; 682 slen = s->method->ssl3_enc->server_finished_label_len; 683 } else { 684 sender = s->method->ssl3_enc->client_finished_label; 685 slen = s->method->ssl3_enc->client_finished_label_len; 686 } 687 688 s->s3->tmp.peer_finish_md_len = 689 s->method->ssl3_enc->final_finish_mac(s, sender, slen, 690 s->s3->tmp.peer_finish_md); 691 692 if (s->s3->tmp.peer_finish_md_len == 0) { 693 /* SSLfatal() already called */ 694 return 0; 695 } 696 697 return 1; 698 } 699 700 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) 701 { 702 size_t remain; 703 704 remain = PACKET_remaining(pkt); 705 /* 706 * 'Change Cipher Spec' is just a single byte, which should already have 707 * been consumed by ssl_get_message() so there should be no bytes left, 708 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes 709 */ 710 if (SSL_IS_DTLS(s)) { 711 if ((s->version == DTLS1_BAD_VER 712 && remain != DTLS1_CCS_HEADER_LENGTH + 1) 713 || (s->version != DTLS1_BAD_VER 714 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) { 715 SSLfatal(s, SSL_AD_DECODE_ERROR, 716 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, 717 SSL_R_BAD_CHANGE_CIPHER_SPEC); 718 return MSG_PROCESS_ERROR; 719 } 720 } else { 721 if (remain != 0) { 722 SSLfatal(s, SSL_AD_DECODE_ERROR, 723 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, 724 SSL_R_BAD_CHANGE_CIPHER_SPEC); 725 return MSG_PROCESS_ERROR; 726 } 727 } 728 729 /* Check we have a cipher to change to */ 730 if (s->s3->tmp.new_cipher == NULL) { 731 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 732 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY); 733 return MSG_PROCESS_ERROR; 734 } 735 736 s->s3->change_cipher_spec = 1; 737 if (!ssl3_do_change_cipher_spec(s)) { 738 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, 739 ERR_R_INTERNAL_ERROR); 740 return MSG_PROCESS_ERROR; 741 } 742 743 if (SSL_IS_DTLS(s)) { 744 dtls1_reset_seq_numbers(s, SSL3_CC_READ); 745 746 if (s->version == DTLS1_BAD_VER) 747 s->d1->handshake_read_seq++; 748 749 #ifndef OPENSSL_NO_SCTP 750 /* 751 * Remember that a CCS has been received, so that an old key of 752 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no 753 * SCTP is used 754 */ 755 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL); 756 #endif 757 } 758 759 return MSG_PROCESS_CONTINUE_READING; 760 } 761 762 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) 763 { 764 size_t md_len; 765 766 767 /* This is a real handshake so make sure we clean it up at the end */ 768 if (s->server) { 769 /* 770 * To get this far we must have read encrypted data from the client. We 771 * no longer tolerate unencrypted alerts. This value is ignored if less 772 * than TLSv1.3 773 */ 774 s->statem.enc_read_state = ENC_READ_STATE_VALID; 775 if (s->post_handshake_auth != SSL_PHA_REQUESTED) 776 s->statem.cleanuphand = 1; 777 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) { 778 /* SSLfatal() already called */ 779 return MSG_PROCESS_ERROR; 780 } 781 } 782 783 /* 784 * In TLSv1.3 a Finished message signals a key change so the end of the 785 * message must be on a record boundary. 786 */ 787 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { 788 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED, 789 SSL_R_NOT_ON_RECORD_BOUNDARY); 790 return MSG_PROCESS_ERROR; 791 } 792 793 /* If this occurs, we have missed a message */ 794 if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) { 795 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED, 796 SSL_R_GOT_A_FIN_BEFORE_A_CCS); 797 return MSG_PROCESS_ERROR; 798 } 799 s->s3->change_cipher_spec = 0; 800 801 md_len = s->s3->tmp.peer_finish_md_len; 802 803 if (md_len != PACKET_remaining(pkt)) { 804 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED, 805 SSL_R_BAD_DIGEST_LENGTH); 806 return MSG_PROCESS_ERROR; 807 } 808 809 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md, 810 md_len) != 0) { 811 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED, 812 SSL_R_DIGEST_CHECK_FAILED); 813 return MSG_PROCESS_ERROR; 814 } 815 816 /* 817 * Copy the finished so we can use it for renegotiation checks 818 */ 819 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) { 820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED, 821 ERR_R_INTERNAL_ERROR); 822 return MSG_PROCESS_ERROR; 823 } 824 if (s->server) { 825 memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, 826 md_len); 827 s->s3->previous_client_finished_len = md_len; 828 } else { 829 memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, 830 md_len); 831 s->s3->previous_server_finished_len = md_len; 832 } 833 834 /* 835 * In TLS1.3 we also have to change cipher state and do any final processing 836 * of the initial server flight (if we are a client) 837 */ 838 if (SSL_IS_TLS13(s)) { 839 if (s->server) { 840 if (s->post_handshake_auth != SSL_PHA_REQUESTED && 841 !s->method->ssl3_enc->change_cipher_state(s, 842 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) { 843 /* SSLfatal() already called */ 844 return MSG_PROCESS_ERROR; 845 } 846 } else { 847 /* TLS 1.3 gets the secret size from the handshake md */ 848 size_t dummy; 849 if (!s->method->ssl3_enc->generate_master_secret(s, 850 s->master_secret, s->handshake_secret, 0, 851 &dummy)) { 852 /* SSLfatal() already called */ 853 return MSG_PROCESS_ERROR; 854 } 855 if (!s->method->ssl3_enc->change_cipher_state(s, 856 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) { 857 /* SSLfatal() already called */ 858 return MSG_PROCESS_ERROR; 859 } 860 if (!tls_process_initial_server_flight(s)) { 861 /* SSLfatal() already called */ 862 return MSG_PROCESS_ERROR; 863 } 864 } 865 } 866 867 return MSG_PROCESS_FINISHED_READING; 868 } 869 870 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt) 871 { 872 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) { 873 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 874 SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); 875 return 0; 876 } 877 878 return 1; 879 } 880 881 /* Add a certificate to the WPACKET */ 882 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain) 883 { 884 int len; 885 unsigned char *outbytes; 886 887 len = i2d_X509(x, NULL); 888 if (len < 0) { 889 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET, 890 ERR_R_BUF_LIB); 891 return 0; 892 } 893 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes) 894 || i2d_X509(x, &outbytes) != len) { 895 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET, 896 ERR_R_INTERNAL_ERROR); 897 return 0; 898 } 899 900 if (SSL_IS_TLS13(s) 901 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x, 902 chain)) { 903 /* SSLfatal() already called */ 904 return 0; 905 } 906 907 return 1; 908 } 909 910 /* Add certificate chain to provided WPACKET */ 911 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) 912 { 913 int i, chain_count; 914 X509 *x; 915 STACK_OF(X509) *extra_certs; 916 STACK_OF(X509) *chain = NULL; 917 X509_STORE *chain_store; 918 919 if (cpk == NULL || cpk->x509 == NULL) 920 return 1; 921 922 x = cpk->x509; 923 924 /* 925 * If we have a certificate specific chain use it, else use parent ctx. 926 */ 927 if (cpk->chain != NULL) 928 extra_certs = cpk->chain; 929 else 930 extra_certs = s->ctx->extra_certs; 931 932 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs) 933 chain_store = NULL; 934 else if (s->cert->chain_store) 935 chain_store = s->cert->chain_store; 936 else 937 chain_store = s->ctx->cert_store; 938 939 if (chain_store != NULL) { 940 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new(); 941 942 if (xs_ctx == NULL) { 943 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, 944 ERR_R_MALLOC_FAILURE); 945 return 0; 946 } 947 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) { 948 X509_STORE_CTX_free(xs_ctx); 949 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, 950 ERR_R_X509_LIB); 951 return 0; 952 } 953 /* 954 * It is valid for the chain not to be complete (because normally we 955 * don't include the root cert in the chain). Therefore we deliberately 956 * ignore the error return from this call. We're not actually verifying 957 * the cert - we're just building as much of the chain as we can 958 */ 959 (void)X509_verify_cert(xs_ctx); 960 /* Don't leave errors in the queue */ 961 ERR_clear_error(); 962 chain = X509_STORE_CTX_get0_chain(xs_ctx); 963 i = ssl_security_cert_chain(s, chain, NULL, 0); 964 if (i != 1) { 965 #if 0 966 /* Dummy error calls so mkerr generates them */ 967 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL); 968 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL); 969 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK); 970 #endif 971 X509_STORE_CTX_free(xs_ctx); 972 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i); 973 return 0; 974 } 975 chain_count = sk_X509_num(chain); 976 for (i = 0; i < chain_count; i++) { 977 x = sk_X509_value(chain, i); 978 979 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) { 980 /* SSLfatal() already called */ 981 X509_STORE_CTX_free(xs_ctx); 982 return 0; 983 } 984 } 985 X509_STORE_CTX_free(xs_ctx); 986 } else { 987 i = ssl_security_cert_chain(s, extra_certs, x, 0); 988 if (i != 1) { 989 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i); 990 return 0; 991 } 992 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) { 993 /* SSLfatal() already called */ 994 return 0; 995 } 996 for (i = 0; i < sk_X509_num(extra_certs); i++) { 997 x = sk_X509_value(extra_certs, i); 998 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) { 999 /* SSLfatal() already called */ 1000 return 0; 1001 } 1002 } 1003 } 1004 return 1; 1005 } 1006 1007 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) 1008 { 1009 if (!WPACKET_start_sub_packet_u24(pkt)) { 1010 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN, 1011 ERR_R_INTERNAL_ERROR); 1012 return 0; 1013 } 1014 1015 if (!ssl_add_cert_chain(s, pkt, cpk)) 1016 return 0; 1017 1018 if (!WPACKET_close(pkt)) { 1019 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN, 1020 ERR_R_INTERNAL_ERROR); 1021 return 0; 1022 } 1023 1024 return 1; 1025 } 1026 1027 /* 1028 * Tidy up after the end of a handshake. In the case of SCTP this may result 1029 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is 1030 * freed up as well. 1031 */ 1032 WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) 1033 { 1034 void (*cb) (const SSL *ssl, int type, int val) = NULL; 1035 int cleanuphand = s->statem.cleanuphand; 1036 1037 if (clearbufs) { 1038 if (!SSL_IS_DTLS(s) 1039 #ifndef OPENSSL_NO_SCTP 1040 /* 1041 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS 1042 * messages that require it. Therefore, DTLS procedures for retransmissions 1043 * MUST NOT be used. 1044 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used. 1045 */ 1046 || BIO_dgram_is_sctp(SSL_get_wbio(s)) 1047 #endif 1048 ) { 1049 /* 1050 * We don't do this in DTLS over UDP because we may still need the init_buf 1051 * in case there are any unexpected retransmits 1052 */ 1053 BUF_MEM_free(s->init_buf); 1054 s->init_buf = NULL; 1055 } 1056 1057 if (!ssl_free_wbio_buffer(s)) { 1058 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE, 1059 ERR_R_INTERNAL_ERROR); 1060 return WORK_ERROR; 1061 } 1062 s->init_num = 0; 1063 } 1064 1065 if (SSL_IS_TLS13(s) && !s->server 1066 && s->post_handshake_auth == SSL_PHA_REQUESTED) 1067 s->post_handshake_auth = SSL_PHA_EXT_SENT; 1068 1069 /* 1070 * Only set if there was a Finished message and this isn't after a TLSv1.3 1071 * post handshake exchange 1072 */ 1073 if (cleanuphand) { 1074 /* skipped if we just sent a HelloRequest */ 1075 s->renegotiate = 0; 1076 s->new_session = 0; 1077 s->statem.cleanuphand = 0; 1078 s->ext.ticket_expected = 0; 1079 1080 ssl3_cleanup_key_block(s); 1081 1082 if (s->server) { 1083 /* 1084 * In TLSv1.3 we update the cache as part of constructing the 1085 * NewSessionTicket 1086 */ 1087 if (!SSL_IS_TLS13(s)) 1088 ssl_update_cache(s, SSL_SESS_CACHE_SERVER); 1089 1090 /* N.B. s->ctx may not equal s->session_ctx */ 1091 tsan_counter(&s->ctx->stats.sess_accept_good); 1092 s->handshake_func = ossl_statem_accept; 1093 } else { 1094 if (SSL_IS_TLS13(s)) { 1095 /* 1096 * We encourage applications to only use TLSv1.3 tickets once, 1097 * so we remove this one from the cache. 1098 */ 1099 if ((s->session_ctx->session_cache_mode 1100 & SSL_SESS_CACHE_CLIENT) != 0) 1101 SSL_CTX_remove_session(s->session_ctx, s->session); 1102 } else { 1103 /* 1104 * In TLSv1.3 we update the cache as part of processing the 1105 * NewSessionTicket 1106 */ 1107 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 1108 } 1109 if (s->hit) 1110 tsan_counter(&s->session_ctx->stats.sess_hit); 1111 1112 s->handshake_func = ossl_statem_connect; 1113 tsan_counter(&s->session_ctx->stats.sess_connect_good); 1114 } 1115 1116 if (SSL_IS_DTLS(s)) { 1117 /* done with handshaking */ 1118 s->d1->handshake_read_seq = 0; 1119 s->d1->handshake_write_seq = 0; 1120 s->d1->next_handshake_write_seq = 0; 1121 dtls1_clear_received_buffer(s); 1122 } 1123 } 1124 1125 if (s->info_callback != NULL) 1126 cb = s->info_callback; 1127 else if (s->ctx->info_callback != NULL) 1128 cb = s->ctx->info_callback; 1129 1130 /* The callback may expect us to not be in init at handshake done */ 1131 ossl_statem_set_in_init(s, 0); 1132 1133 if (cb != NULL) { 1134 if (cleanuphand 1135 || !SSL_IS_TLS13(s) 1136 || SSL_IS_FIRST_HANDSHAKE(s)) 1137 cb(s, SSL_CB_HANDSHAKE_DONE, 1); 1138 } 1139 1140 if (!stop) { 1141 /* If we've got more work to do we go back into init */ 1142 ossl_statem_set_in_init(s, 1); 1143 return WORK_FINISHED_CONTINUE; 1144 } 1145 1146 return WORK_FINISHED_STOP; 1147 } 1148 1149 int tls_get_message_header(SSL *s, int *mt) 1150 { 1151 /* s->init_num < SSL3_HM_HEADER_LENGTH */ 1152 int skip_message, i, recvd_type; 1153 unsigned char *p; 1154 size_t l, readbytes; 1155 1156 p = (unsigned char *)s->init_buf->data; 1157 1158 do { 1159 while (s->init_num < SSL3_HM_HEADER_LENGTH) { 1160 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, 1161 &p[s->init_num], 1162 SSL3_HM_HEADER_LENGTH - s->init_num, 1163 0, &readbytes); 1164 if (i <= 0) { 1165 s->rwstate = SSL_READING; 1166 return 0; 1167 } 1168 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 1169 /* 1170 * A ChangeCipherSpec must be a single byte and may not occur 1171 * in the middle of a handshake message. 1172 */ 1173 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) { 1174 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1175 SSL_F_TLS_GET_MESSAGE_HEADER, 1176 SSL_R_BAD_CHANGE_CIPHER_SPEC); 1177 return 0; 1178 } 1179 if (s->statem.hand_state == TLS_ST_BEFORE 1180 && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) { 1181 /* 1182 * We are stateless and we received a CCS. Probably this is 1183 * from a client between the first and second ClientHellos. 1184 * We should ignore this, but return an error because we do 1185 * not return success until we see the second ClientHello 1186 * with a valid cookie. 1187 */ 1188 return 0; 1189 } 1190 s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; 1191 s->init_num = readbytes - 1; 1192 s->init_msg = s->init_buf->data; 1193 s->s3->tmp.message_size = readbytes; 1194 return 1; 1195 } else if (recvd_type != SSL3_RT_HANDSHAKE) { 1196 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1197 SSL_F_TLS_GET_MESSAGE_HEADER, 1198 SSL_R_CCS_RECEIVED_EARLY); 1199 return 0; 1200 } 1201 s->init_num += readbytes; 1202 } 1203 1204 skip_message = 0; 1205 if (!s->server) 1206 if (s->statem.hand_state != TLS_ST_OK 1207 && p[0] == SSL3_MT_HELLO_REQUEST) 1208 /* 1209 * The server may always send 'Hello Request' messages -- 1210 * we are doing a handshake anyway now, so ignore them if 1211 * their format is correct. Does not count for 'Finished' 1212 * MAC. 1213 */ 1214 if (p[1] == 0 && p[2] == 0 && p[3] == 0) { 1215 s->init_num = 0; 1216 skip_message = 1; 1217 1218 if (s->msg_callback) 1219 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 1220 p, SSL3_HM_HEADER_LENGTH, s, 1221 s->msg_callback_arg); 1222 } 1223 } while (skip_message); 1224 /* s->init_num == SSL3_HM_HEADER_LENGTH */ 1225 1226 *mt = *p; 1227 s->s3->tmp.message_type = *(p++); 1228 1229 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 1230 /* 1231 * Only happens with SSLv3+ in an SSLv2 backward compatible 1232 * ClientHello 1233 * 1234 * Total message size is the remaining record bytes to read 1235 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read 1236 */ 1237 l = RECORD_LAYER_get_rrec_length(&s->rlayer) 1238 + SSL3_HM_HEADER_LENGTH; 1239 s->s3->tmp.message_size = l; 1240 1241 s->init_msg = s->init_buf->data; 1242 s->init_num = SSL3_HM_HEADER_LENGTH; 1243 } else { 1244 n2l3(p, l); 1245 /* BUF_MEM_grow takes an 'int' parameter */ 1246 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) { 1247 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER, 1248 SSL_R_EXCESSIVE_MESSAGE_SIZE); 1249 return 0; 1250 } 1251 s->s3->tmp.message_size = l; 1252 1253 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; 1254 s->init_num = 0; 1255 } 1256 1257 return 1; 1258 } 1259 1260 int tls_get_message_body(SSL *s, size_t *len) 1261 { 1262 size_t n, readbytes; 1263 unsigned char *p; 1264 int i; 1265 1266 if (s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) { 1267 /* We've already read everything in */ 1268 *len = (unsigned long)s->init_num; 1269 return 1; 1270 } 1271 1272 p = s->init_msg; 1273 n = s->s3->tmp.message_size - s->init_num; 1274 while (n > 0) { 1275 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 1276 &p[s->init_num], n, 0, &readbytes); 1277 if (i <= 0) { 1278 s->rwstate = SSL_READING; 1279 *len = 0; 1280 return 0; 1281 } 1282 s->init_num += readbytes; 1283 n -= readbytes; 1284 } 1285 1286 /* 1287 * If receiving Finished, record MAC of prior handshake messages for 1288 * Finished verification. 1289 */ 1290 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) { 1291 /* SSLfatal() already called */ 1292 *len = 0; 1293 return 0; 1294 } 1295 1296 /* Feed this message into MAC computation. */ 1297 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 1298 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1299 s->init_num)) { 1300 /* SSLfatal() already called */ 1301 *len = 0; 1302 return 0; 1303 } 1304 if (s->msg_callback) 1305 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data, 1306 (size_t)s->init_num, s, s->msg_callback_arg); 1307 } else { 1308 /* 1309 * We defer feeding in the HRR until later. We'll do it as part of 1310 * processing the message 1311 * The TLsv1.3 handshake transcript stops at the ClientFinished 1312 * message. 1313 */ 1314 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2) 1315 /* KeyUpdate and NewSessionTicket do not need to be added */ 1316 if (!SSL_IS_TLS13(s) || (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET 1317 && s->s3->tmp.message_type != SSL3_MT_KEY_UPDATE)) { 1318 if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO 1319 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE 1320 || memcmp(hrrrandom, 1321 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET, 1322 SSL3_RANDOM_SIZE) != 0) { 1323 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1324 s->init_num + SSL3_HM_HEADER_LENGTH)) { 1325 /* SSLfatal() already called */ 1326 *len = 0; 1327 return 0; 1328 } 1329 } 1330 } 1331 if (s->msg_callback) 1332 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, 1333 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s, 1334 s->msg_callback_arg); 1335 } 1336 1337 *len = s->init_num; 1338 return 1; 1339 } 1340 1341 static const X509ERR2ALERT x509table[] = { 1342 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE}, 1343 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE}, 1344 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE}, 1345 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE}, 1346 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA}, 1347 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED}, 1348 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE}, 1349 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE}, 1350 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED}, 1351 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR}, 1352 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE}, 1353 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED}, 1354 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE}, 1355 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR}, 1356 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE}, 1357 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA}, 1358 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE}, 1359 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1360 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE}, 1361 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1362 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1363 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1364 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1365 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA}, 1366 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR}, 1367 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE}, 1368 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1369 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR}, 1370 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA}, 1371 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA}, 1372 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR}, 1373 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE}, 1374 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE}, 1375 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE}, 1376 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA}, 1377 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA}, 1378 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA}, 1379 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA}, 1380 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA}, 1381 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR}, 1382 1383 /* Last entry; return this if we don't find the value above. */ 1384 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN} 1385 }; 1386 1387 int ssl_x509err2alert(int x509err) 1388 { 1389 const X509ERR2ALERT *tp; 1390 1391 for (tp = x509table; tp->x509err != X509_V_OK; ++tp) 1392 if (tp->x509err == x509err) 1393 break; 1394 return tp->alert; 1395 } 1396 1397 int ssl_allow_compression(SSL *s) 1398 { 1399 if (s->options & SSL_OP_NO_COMPRESSION) 1400 return 0; 1401 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL); 1402 } 1403 1404 static int version_cmp(const SSL *s, int a, int b) 1405 { 1406 int dtls = SSL_IS_DTLS(s); 1407 1408 if (a == b) 1409 return 0; 1410 if (!dtls) 1411 return a < b ? -1 : 1; 1412 return DTLS_VERSION_LT(a, b) ? -1 : 1; 1413 } 1414 1415 typedef struct { 1416 int version; 1417 const SSL_METHOD *(*cmeth) (void); 1418 const SSL_METHOD *(*smeth) (void); 1419 } version_info; 1420 1421 #if TLS_MAX_VERSION != TLS1_3_VERSION 1422 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION. 1423 #endif 1424 1425 /* Must be in order high to low */ 1426 static const version_info tls_version_table[] = { 1427 #ifndef OPENSSL_NO_TLS1_3 1428 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method}, 1429 #else 1430 {TLS1_3_VERSION, NULL, NULL}, 1431 #endif 1432 #ifndef OPENSSL_NO_TLS1_2 1433 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method}, 1434 #else 1435 {TLS1_2_VERSION, NULL, NULL}, 1436 #endif 1437 #ifndef OPENSSL_NO_TLS1_1 1438 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method}, 1439 #else 1440 {TLS1_1_VERSION, NULL, NULL}, 1441 #endif 1442 #ifndef OPENSSL_NO_TLS1 1443 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method}, 1444 #else 1445 {TLS1_VERSION, NULL, NULL}, 1446 #endif 1447 #ifndef OPENSSL_NO_SSL3 1448 {SSL3_VERSION, sslv3_client_method, sslv3_server_method}, 1449 #else 1450 {SSL3_VERSION, NULL, NULL}, 1451 #endif 1452 {0, NULL, NULL}, 1453 }; 1454 1455 #if DTLS_MAX_VERSION != DTLS1_2_VERSION 1456 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION. 1457 #endif 1458 1459 /* Must be in order high to low */ 1460 static const version_info dtls_version_table[] = { 1461 #ifndef OPENSSL_NO_DTLS1_2 1462 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method}, 1463 #else 1464 {DTLS1_2_VERSION, NULL, NULL}, 1465 #endif 1466 #ifndef OPENSSL_NO_DTLS1 1467 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method}, 1468 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL}, 1469 #else 1470 {DTLS1_VERSION, NULL, NULL}, 1471 {DTLS1_BAD_VER, NULL, NULL}, 1472 #endif 1473 {0, NULL, NULL}, 1474 }; 1475 1476 /* 1477 * ssl_method_error - Check whether an SSL_METHOD is enabled. 1478 * 1479 * @s: The SSL handle for the candidate method 1480 * @method: the intended method. 1481 * 1482 * Returns 0 on success, or an SSL error reason on failure. 1483 */ 1484 static int ssl_method_error(const SSL *s, const SSL_METHOD *method) 1485 { 1486 int version = method->version; 1487 1488 if ((s->min_proto_version != 0 && 1489 version_cmp(s, version, s->min_proto_version) < 0) || 1490 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0) 1491 return SSL_R_VERSION_TOO_LOW; 1492 1493 if (s->max_proto_version != 0 && 1494 version_cmp(s, version, s->max_proto_version) > 0) 1495 return SSL_R_VERSION_TOO_HIGH; 1496 1497 if ((s->options & method->mask) != 0) 1498 return SSL_R_UNSUPPORTED_PROTOCOL; 1499 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s)) 1500 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE; 1501 1502 return 0; 1503 } 1504 1505 /* 1506 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable 1507 * certificate type, or has PSK or a certificate callback configured. Otherwise 1508 * returns 0. 1509 */ 1510 static int is_tls13_capable(const SSL *s) 1511 { 1512 int i; 1513 #ifndef OPENSSL_NO_EC 1514 int curve; 1515 EC_KEY *eckey; 1516 #endif 1517 1518 #ifndef OPENSSL_NO_PSK 1519 if (s->psk_server_callback != NULL) 1520 return 1; 1521 #endif 1522 1523 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL) 1524 return 1; 1525 1526 for (i = 0; i < SSL_PKEY_NUM; i++) { 1527 /* Skip over certs disallowed for TLSv1.3 */ 1528 switch (i) { 1529 case SSL_PKEY_DSA_SIGN: 1530 case SSL_PKEY_GOST01: 1531 case SSL_PKEY_GOST12_256: 1532 case SSL_PKEY_GOST12_512: 1533 continue; 1534 default: 1535 break; 1536 } 1537 if (!ssl_has_cert(s, i)) 1538 continue; 1539 #ifndef OPENSSL_NO_EC 1540 if (i != SSL_PKEY_ECC) 1541 return 1; 1542 /* 1543 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is 1544 * more restrictive so check that our sig algs are consistent with this 1545 * EC cert. See section 4.2.3 of RFC8446. 1546 */ 1547 eckey = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey); 1548 if (eckey == NULL) 1549 continue; 1550 curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)); 1551 if (tls_check_sigalg_curve(s, curve)) 1552 return 1; 1553 #else 1554 return 1; 1555 #endif 1556 } 1557 1558 return 0; 1559 } 1560 1561 /* 1562 * ssl_version_supported - Check that the specified `version` is supported by 1563 * `SSL *` instance 1564 * 1565 * @s: The SSL handle for the candidate method 1566 * @version: Protocol version to test against 1567 * 1568 * Returns 1 when supported, otherwise 0 1569 */ 1570 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth) 1571 { 1572 const version_info *vent; 1573 const version_info *table; 1574 1575 switch (s->method->version) { 1576 default: 1577 /* Version should match method version for non-ANY method */ 1578 return version_cmp(s, version, s->version) == 0; 1579 case TLS_ANY_VERSION: 1580 table = tls_version_table; 1581 break; 1582 case DTLS_ANY_VERSION: 1583 table = dtls_version_table; 1584 break; 1585 } 1586 1587 for (vent = table; 1588 vent->version != 0 && version_cmp(s, version, vent->version) <= 0; 1589 ++vent) { 1590 if (vent->cmeth != NULL 1591 && version_cmp(s, version, vent->version) == 0 1592 && ssl_method_error(s, vent->cmeth()) == 0 1593 && (!s->server 1594 || version != TLS1_3_VERSION 1595 || is_tls13_capable(s))) { 1596 if (meth != NULL) 1597 *meth = vent->cmeth(); 1598 return 1; 1599 } 1600 } 1601 return 0; 1602 } 1603 1604 /* 1605 * ssl_check_version_downgrade - In response to RFC7507 SCSV version 1606 * fallback indication from a client check whether we're using the highest 1607 * supported protocol version. 1608 * 1609 * @s server SSL handle. 1610 * 1611 * Returns 1 when using the highest enabled version, 0 otherwise. 1612 */ 1613 int ssl_check_version_downgrade(SSL *s) 1614 { 1615 const version_info *vent; 1616 const version_info *table; 1617 1618 /* 1619 * Check that the current protocol is the highest enabled version 1620 * (according to s->ctx->method, as version negotiation may have changed 1621 * s->method). 1622 */ 1623 if (s->version == s->ctx->method->version) 1624 return 1; 1625 1626 /* 1627 * Apparently we're using a version-flexible SSL_METHOD (not at its 1628 * highest protocol version). 1629 */ 1630 if (s->ctx->method->version == TLS_method()->version) 1631 table = tls_version_table; 1632 else if (s->ctx->method->version == DTLS_method()->version) 1633 table = dtls_version_table; 1634 else { 1635 /* Unexpected state; fail closed. */ 1636 return 0; 1637 } 1638 1639 for (vent = table; vent->version != 0; ++vent) { 1640 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0) 1641 return s->version == vent->version; 1642 } 1643 return 0; 1644 } 1645 1646 /* 1647 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS 1648 * protocols, provided the initial (D)TLS method is version-flexible. This 1649 * function sanity-checks the proposed value and makes sure the method is 1650 * version-flexible, then sets the limit if all is well. 1651 * 1652 * @method_version: The version of the current SSL_METHOD. 1653 * @version: the intended limit. 1654 * @bound: pointer to limit to be updated. 1655 * 1656 * Returns 1 on success, 0 on failure. 1657 */ 1658 int ssl_set_version_bound(int method_version, int version, int *bound) 1659 { 1660 int valid_tls; 1661 int valid_dtls; 1662 1663 if (version == 0) { 1664 *bound = version; 1665 return 1; 1666 } 1667 1668 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION; 1669 valid_dtls = 1670 DTLS_VERSION_LE(version, DTLS_MAX_VERSION) && 1671 DTLS_VERSION_GE(version, DTLS1_BAD_VER); 1672 1673 if (!valid_tls && !valid_dtls) 1674 return 0; 1675 1676 /*- 1677 * Restrict TLS methods to TLS protocol versions. 1678 * Restrict DTLS methods to DTLS protocol versions. 1679 * Note, DTLS version numbers are decreasing, use comparison macros. 1680 * 1681 * Note that for both lower-bounds we use explicit versions, not 1682 * (D)TLS_MIN_VERSION. This is because we don't want to break user 1683 * configurations. If the MIN (supported) version ever rises, the user's 1684 * "floor" remains valid even if no longer available. We don't expect the 1685 * MAX ceiling to ever get lower, so making that variable makes sense. 1686 * 1687 * We ignore attempts to set bounds on version-inflexible methods, 1688 * returning success. 1689 */ 1690 switch (method_version) { 1691 default: 1692 break; 1693 1694 case TLS_ANY_VERSION: 1695 if (valid_tls) 1696 *bound = version; 1697 break; 1698 1699 case DTLS_ANY_VERSION: 1700 if (valid_dtls) 1701 *bound = version; 1702 break; 1703 } 1704 return 1; 1705 } 1706 1707 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd) 1708 { 1709 if (vers == TLS1_2_VERSION 1710 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) { 1711 *dgrd = DOWNGRADE_TO_1_2; 1712 } else if (!SSL_IS_DTLS(s) 1713 && vers < TLS1_2_VERSION 1714 /* 1715 * We need to ensure that a server that disables TLSv1.2 1716 * (creating a hole between TLSv1.3 and TLSv1.1) can still 1717 * complete handshakes with clients that support TLSv1.2 and 1718 * below. Therefore we do not enable the sentinel if TLSv1.3 is 1719 * enabled and TLSv1.2 is not. 1720 */ 1721 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) { 1722 *dgrd = DOWNGRADE_TO_1_1; 1723 } else { 1724 *dgrd = DOWNGRADE_NONE; 1725 } 1726 } 1727 1728 /* 1729 * ssl_choose_server_version - Choose server (D)TLS version. Called when the 1730 * client HELLO is received to select the final server protocol version and 1731 * the version specific method. 1732 * 1733 * @s: server SSL handle. 1734 * 1735 * Returns 0 on success or an SSL error reason number on failure. 1736 */ 1737 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) 1738 { 1739 /*- 1740 * With version-flexible methods we have an initial state with: 1741 * 1742 * s->method->version == (D)TLS_ANY_VERSION, 1743 * s->version == (D)TLS_MAX_VERSION. 1744 * 1745 * So we detect version-flexible methods via the method version, not the 1746 * handle version. 1747 */ 1748 int server_version = s->method->version; 1749 int client_version = hello->legacy_version; 1750 const version_info *vent; 1751 const version_info *table; 1752 int disabled = 0; 1753 RAW_EXTENSION *suppversions; 1754 1755 s->client_version = client_version; 1756 1757 switch (server_version) { 1758 default: 1759 if (!SSL_IS_TLS13(s)) { 1760 if (version_cmp(s, client_version, s->version) < 0) 1761 return SSL_R_WRONG_SSL_VERSION; 1762 *dgrd = DOWNGRADE_NONE; 1763 /* 1764 * If this SSL handle is not from a version flexible method we don't 1765 * (and never did) check min/max FIPS or Suite B constraints. Hope 1766 * that's OK. It is up to the caller to not choose fixed protocol 1767 * versions they don't want. If not, then easy to fix, just return 1768 * ssl_method_error(s, s->method) 1769 */ 1770 return 0; 1771 } 1772 /* 1773 * Fall through if we are TLSv1.3 already (this means we must be after 1774 * a HelloRetryRequest 1775 */ 1776 /* fall thru */ 1777 case TLS_ANY_VERSION: 1778 table = tls_version_table; 1779 break; 1780 case DTLS_ANY_VERSION: 1781 table = dtls_version_table; 1782 break; 1783 } 1784 1785 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions]; 1786 1787 /* If we did an HRR then supported versions is mandatory */ 1788 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE) 1789 return SSL_R_UNSUPPORTED_PROTOCOL; 1790 1791 if (suppversions->present && !SSL_IS_DTLS(s)) { 1792 unsigned int candidate_vers = 0; 1793 unsigned int best_vers = 0; 1794 const SSL_METHOD *best_method = NULL; 1795 PACKET versionslist; 1796 1797 suppversions->parsed = 1; 1798 1799 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) { 1800 /* Trailing or invalid data? */ 1801 return SSL_R_LENGTH_MISMATCH; 1802 } 1803 1804 /* 1805 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION. 1806 * The spec only requires servers to check that it isn't SSLv3: 1807 * "Any endpoint receiving a Hello message with 1808 * ClientHello.legacy_version or ServerHello.legacy_version set to 1809 * 0x0300 MUST abort the handshake with a "protocol_version" alert." 1810 * We are slightly stricter and require that it isn't SSLv3 or lower. 1811 * We tolerate TLSv1 and TLSv1.1. 1812 */ 1813 if (client_version <= SSL3_VERSION) 1814 return SSL_R_BAD_LEGACY_VERSION; 1815 1816 while (PACKET_get_net_2(&versionslist, &candidate_vers)) { 1817 if (version_cmp(s, candidate_vers, best_vers) <= 0) 1818 continue; 1819 if (ssl_version_supported(s, candidate_vers, &best_method)) 1820 best_vers = candidate_vers; 1821 } 1822 if (PACKET_remaining(&versionslist) != 0) { 1823 /* Trailing data? */ 1824 return SSL_R_LENGTH_MISMATCH; 1825 } 1826 1827 if (best_vers > 0) { 1828 if (s->hello_retry_request != SSL_HRR_NONE) { 1829 /* 1830 * This is after a HelloRetryRequest so we better check that we 1831 * negotiated TLSv1.3 1832 */ 1833 if (best_vers != TLS1_3_VERSION) 1834 return SSL_R_UNSUPPORTED_PROTOCOL; 1835 return 0; 1836 } 1837 check_for_downgrade(s, best_vers, dgrd); 1838 s->version = best_vers; 1839 s->method = best_method; 1840 return 0; 1841 } 1842 return SSL_R_UNSUPPORTED_PROTOCOL; 1843 } 1844 1845 /* 1846 * If the supported versions extension isn't present, then the highest 1847 * version we can negotiate is TLSv1.2 1848 */ 1849 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0) 1850 client_version = TLS1_2_VERSION; 1851 1852 /* 1853 * No supported versions extension, so we just use the version supplied in 1854 * the ClientHello. 1855 */ 1856 for (vent = table; vent->version != 0; ++vent) { 1857 const SSL_METHOD *method; 1858 1859 if (vent->smeth == NULL || 1860 version_cmp(s, client_version, vent->version) < 0) 1861 continue; 1862 method = vent->smeth(); 1863 if (ssl_method_error(s, method) == 0) { 1864 check_for_downgrade(s, vent->version, dgrd); 1865 s->version = vent->version; 1866 s->method = method; 1867 return 0; 1868 } 1869 disabled = 1; 1870 } 1871 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW; 1872 } 1873 1874 /* 1875 * ssl_choose_client_version - Choose client (D)TLS version. Called when the 1876 * server HELLO is received to select the final client protocol version and 1877 * the version specific method. 1878 * 1879 * @s: client SSL handle. 1880 * @version: The proposed version from the server's HELLO. 1881 * @extensions: The extensions received 1882 * 1883 * Returns 1 on success or 0 on error. 1884 */ 1885 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions) 1886 { 1887 const version_info *vent; 1888 const version_info *table; 1889 int ret, ver_min, ver_max, real_max, origv; 1890 1891 origv = s->version; 1892 s->version = version; 1893 1894 /* This will overwrite s->version if the extension is present */ 1895 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions, 1896 SSL_EXT_TLS1_2_SERVER_HELLO 1897 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions, 1898 NULL, 0)) { 1899 s->version = origv; 1900 return 0; 1901 } 1902 1903 if (s->hello_retry_request != SSL_HRR_NONE 1904 && s->version != TLS1_3_VERSION) { 1905 s->version = origv; 1906 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1907 SSL_R_WRONG_SSL_VERSION); 1908 return 0; 1909 } 1910 1911 switch (s->method->version) { 1912 default: 1913 if (s->version != s->method->version) { 1914 s->version = origv; 1915 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1916 SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1917 SSL_R_WRONG_SSL_VERSION); 1918 return 0; 1919 } 1920 /* 1921 * If this SSL handle is not from a version flexible method we don't 1922 * (and never did) check min/max, FIPS or Suite B constraints. Hope 1923 * that's OK. It is up to the caller to not choose fixed protocol 1924 * versions they don't want. If not, then easy to fix, just return 1925 * ssl_method_error(s, s->method) 1926 */ 1927 return 1; 1928 case TLS_ANY_VERSION: 1929 table = tls_version_table; 1930 break; 1931 case DTLS_ANY_VERSION: 1932 table = dtls_version_table; 1933 break; 1934 } 1935 1936 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max); 1937 if (ret != 0) { 1938 s->version = origv; 1939 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1940 SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret); 1941 return 0; 1942 } 1943 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min) 1944 : s->version < ver_min) { 1945 s->version = origv; 1946 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1947 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); 1948 return 0; 1949 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max) 1950 : s->version > ver_max) { 1951 s->version = origv; 1952 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1953 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); 1954 return 0; 1955 } 1956 1957 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0) 1958 real_max = ver_max; 1959 1960 /* Check for downgrades */ 1961 if (s->version == TLS1_2_VERSION && real_max > s->version) { 1962 if (memcmp(tls12downgrade, 1963 s->s3->server_random + SSL3_RANDOM_SIZE 1964 - sizeof(tls12downgrade), 1965 sizeof(tls12downgrade)) == 0) { 1966 s->version = origv; 1967 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1968 SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1969 SSL_R_INAPPROPRIATE_FALLBACK); 1970 return 0; 1971 } 1972 } else if (!SSL_IS_DTLS(s) 1973 && s->version < TLS1_2_VERSION 1974 && real_max > s->version) { 1975 if (memcmp(tls11downgrade, 1976 s->s3->server_random + SSL3_RANDOM_SIZE 1977 - sizeof(tls11downgrade), 1978 sizeof(tls11downgrade)) == 0) { 1979 s->version = origv; 1980 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1981 SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1982 SSL_R_INAPPROPRIATE_FALLBACK); 1983 return 0; 1984 } 1985 } 1986 1987 for (vent = table; vent->version != 0; ++vent) { 1988 if (vent->cmeth == NULL || s->version != vent->version) 1989 continue; 1990 1991 s->method = vent->cmeth(); 1992 return 1; 1993 } 1994 1995 s->version = origv; 1996 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1997 SSL_R_UNSUPPORTED_PROTOCOL); 1998 return 0; 1999 } 2000 2001 /* 2002 * ssl_get_min_max_version - get minimum and maximum protocol version 2003 * @s: The SSL connection 2004 * @min_version: The minimum supported version 2005 * @max_version: The maximum supported version 2006 * @real_max: The highest version below the lowest compile time version hole 2007 * where that hole lies above at least one run-time enabled 2008 * protocol. 2009 * 2010 * Work out what version we should be using for the initial ClientHello if the 2011 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx 2012 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B 2013 * constraints and any floor imposed by the security level here, 2014 * so we don't advertise the wrong protocol version to only reject the outcome later. 2015 * 2016 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled, 2017 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol 2018 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1. 2019 * 2020 * Returns 0 on success or an SSL error reason number on failure. On failure 2021 * min_version and max_version will also be set to 0. 2022 */ 2023 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version, 2024 int *real_max) 2025 { 2026 int version, tmp_real_max; 2027 int hole; 2028 const SSL_METHOD *single = NULL; 2029 const SSL_METHOD *method; 2030 const version_info *table; 2031 const version_info *vent; 2032 2033 switch (s->method->version) { 2034 default: 2035 /* 2036 * If this SSL handle is not from a version flexible method we don't 2037 * (and never did) check min/max FIPS or Suite B constraints. Hope 2038 * that's OK. It is up to the caller to not choose fixed protocol 2039 * versions they don't want. If not, then easy to fix, just return 2040 * ssl_method_error(s, s->method) 2041 */ 2042 *min_version = *max_version = s->version; 2043 /* 2044 * Providing a real_max only makes sense where we're using a version 2045 * flexible method. 2046 */ 2047 if (!ossl_assert(real_max == NULL)) 2048 return ERR_R_INTERNAL_ERROR; 2049 return 0; 2050 case TLS_ANY_VERSION: 2051 table = tls_version_table; 2052 break; 2053 case DTLS_ANY_VERSION: 2054 table = dtls_version_table; 2055 break; 2056 } 2057 2058 /* 2059 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols 2060 * below X enabled. This is required in order to maintain the "version 2061 * capability" vector contiguous. Any versions with a NULL client method 2062 * (protocol version client is disabled at compile-time) is also a "hole". 2063 * 2064 * Our initial state is hole == 1, version == 0. That is, versions above 2065 * the first version in the method table are disabled (a "hole" above 2066 * the valid protocol entries) and we don't have a selected version yet. 2067 * 2068 * Whenever "hole == 1", and we hit an enabled method, its version becomes 2069 * the selected version, and the method becomes a candidate "single" 2070 * method. We're no longer in a hole, so "hole" becomes 0. 2071 * 2072 * If "hole == 0" and we hit an enabled method, then "single" is cleared, 2073 * as we support a contiguous range of at least two methods. If we hit 2074 * a disabled method, then hole becomes true again, but nothing else 2075 * changes yet, because all the remaining methods may be disabled too. 2076 * If we again hit an enabled method after the new hole, it becomes 2077 * selected, as we start from scratch. 2078 */ 2079 *min_version = version = 0; 2080 hole = 1; 2081 if (real_max != NULL) 2082 *real_max = 0; 2083 tmp_real_max = 0; 2084 for (vent = table; vent->version != 0; ++vent) { 2085 /* 2086 * A table entry with a NULL client method is still a hole in the 2087 * "version capability" vector. 2088 */ 2089 if (vent->cmeth == NULL) { 2090 hole = 1; 2091 tmp_real_max = 0; 2092 continue; 2093 } 2094 method = vent->cmeth(); 2095 2096 if (hole == 1 && tmp_real_max == 0) 2097 tmp_real_max = vent->version; 2098 2099 if (ssl_method_error(s, method) != 0) { 2100 hole = 1; 2101 } else if (!hole) { 2102 single = NULL; 2103 *min_version = method->version; 2104 } else { 2105 if (real_max != NULL && tmp_real_max != 0) 2106 *real_max = tmp_real_max; 2107 version = (single = method)->version; 2108 *min_version = version; 2109 hole = 0; 2110 } 2111 } 2112 2113 *max_version = version; 2114 2115 /* Fail if everything is disabled */ 2116 if (version == 0) 2117 return SSL_R_NO_PROTOCOLS_AVAILABLE; 2118 2119 return 0; 2120 } 2121 2122 /* 2123 * ssl_set_client_hello_version - Work out what version we should be using for 2124 * the initial ClientHello.legacy_version field. 2125 * 2126 * @s: client SSL handle. 2127 * 2128 * Returns 0 on success or an SSL error reason number on failure. 2129 */ 2130 int ssl_set_client_hello_version(SSL *s) 2131 { 2132 int ver_min, ver_max, ret; 2133 2134 /* 2135 * In a renegotiation we always send the same client_version that we sent 2136 * last time, regardless of which version we eventually negotiated. 2137 */ 2138 if (!SSL_IS_FIRST_HANDSHAKE(s)) 2139 return 0; 2140 2141 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL); 2142 2143 if (ret != 0) 2144 return ret; 2145 2146 s->version = ver_max; 2147 2148 /* TLS1.3 always uses TLS1.2 in the legacy_version field */ 2149 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION) 2150 ver_max = TLS1_2_VERSION; 2151 2152 s->client_version = ver_max; 2153 return 0; 2154 } 2155 2156 /* 2157 * Checks a list of |groups| to determine if the |group_id| is in it. If it is 2158 * and |checkallow| is 1 then additionally check if the group is allowed to be 2159 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is 2160 * 1) or 0 otherwise. 2161 */ 2162 #ifndef OPENSSL_NO_EC 2163 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups, 2164 size_t num_groups, int checkallow) 2165 { 2166 size_t i; 2167 2168 if (groups == NULL || num_groups == 0) 2169 return 0; 2170 2171 for (i = 0; i < num_groups; i++) { 2172 uint16_t group = groups[i]; 2173 2174 if (group_id == group 2175 && (!checkallow 2176 || tls_curve_allowed(s, group, SSL_SECOP_CURVE_CHECK))) { 2177 return 1; 2178 } 2179 } 2180 2181 return 0; 2182 } 2183 #endif 2184 2185 /* Replace ClientHello1 in the transcript hash with a synthetic message */ 2186 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval, 2187 size_t hashlen, const unsigned char *hrr, 2188 size_t hrrlen) 2189 { 2190 unsigned char hashvaltmp[EVP_MAX_MD_SIZE]; 2191 unsigned char msghdr[SSL3_HM_HEADER_LENGTH]; 2192 2193 memset(msghdr, 0, sizeof(msghdr)); 2194 2195 if (hashval == NULL) { 2196 hashval = hashvaltmp; 2197 hashlen = 0; 2198 /* Get the hash of the initial ClientHello */ 2199 if (!ssl3_digest_cached_records(s, 0) 2200 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp), 2201 &hashlen)) { 2202 /* SSLfatal() already called */ 2203 return 0; 2204 } 2205 } 2206 2207 /* Reinitialise the transcript hash */ 2208 if (!ssl3_init_finished_mac(s)) { 2209 /* SSLfatal() already called */ 2210 return 0; 2211 } 2212 2213 /* Inject the synthetic message_hash message */ 2214 msghdr[0] = SSL3_MT_MESSAGE_HASH; 2215 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen; 2216 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH) 2217 || !ssl3_finish_mac(s, hashval, hashlen)) { 2218 /* SSLfatal() already called */ 2219 return 0; 2220 } 2221 2222 /* 2223 * Now re-inject the HRR and current message if appropriate (we just deleted 2224 * it when we reinitialised the transcript hash above). Only necessary after 2225 * receiving a ClientHello2 with a cookie. 2226 */ 2227 if (hrr != NULL 2228 && (!ssl3_finish_mac(s, hrr, hrrlen) 2229 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 2230 s->s3->tmp.message_size 2231 + SSL3_HM_HEADER_LENGTH))) { 2232 /* SSLfatal() already called */ 2233 return 0; 2234 } 2235 2236 return 1; 2237 } 2238 2239 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b) 2240 { 2241 return X509_NAME_cmp(*a, *b); 2242 } 2243 2244 int parse_ca_names(SSL *s, PACKET *pkt) 2245 { 2246 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp); 2247 X509_NAME *xn = NULL; 2248 PACKET cadns; 2249 2250 if (ca_sk == NULL) { 2251 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES, 2252 ERR_R_MALLOC_FAILURE); 2253 goto err; 2254 } 2255 /* get the CA RDNs */ 2256 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) { 2257 SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES, 2258 SSL_R_LENGTH_MISMATCH); 2259 goto err; 2260 } 2261 2262 while (PACKET_remaining(&cadns)) { 2263 const unsigned char *namestart, *namebytes; 2264 unsigned int name_len; 2265 2266 if (!PACKET_get_net_2(&cadns, &name_len) 2267 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) { 2268 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES, 2269 SSL_R_LENGTH_MISMATCH); 2270 goto err; 2271 } 2272 2273 namestart = namebytes; 2274 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) { 2275 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES, 2276 ERR_R_ASN1_LIB); 2277 goto err; 2278 } 2279 if (namebytes != (namestart + name_len)) { 2280 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES, 2281 SSL_R_CA_DN_LENGTH_MISMATCH); 2282 goto err; 2283 } 2284 2285 if (!sk_X509_NAME_push(ca_sk, xn)) { 2286 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES, 2287 ERR_R_MALLOC_FAILURE); 2288 goto err; 2289 } 2290 xn = NULL; 2291 } 2292 2293 sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); 2294 s->s3->tmp.peer_ca_names = ca_sk; 2295 2296 return 1; 2297 2298 err: 2299 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); 2300 X509_NAME_free(xn); 2301 return 0; 2302 } 2303 2304 const STACK_OF(X509_NAME) *get_ca_names(SSL *s) 2305 { 2306 const STACK_OF(X509_NAME) *ca_sk = NULL;; 2307 2308 if (s->server) { 2309 ca_sk = SSL_get_client_CA_list(s); 2310 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0) 2311 ca_sk = NULL; 2312 } 2313 2314 if (ca_sk == NULL) 2315 ca_sk = SSL_get0_CA_list(s); 2316 2317 return ca_sk; 2318 } 2319 2320 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt) 2321 { 2322 /* Start sub-packet for client CA list */ 2323 if (!WPACKET_start_sub_packet_u16(pkt)) { 2324 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES, 2325 ERR_R_INTERNAL_ERROR); 2326 return 0; 2327 } 2328 2329 if (ca_sk != NULL) { 2330 int i; 2331 2332 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) { 2333 unsigned char *namebytes; 2334 X509_NAME *name = sk_X509_NAME_value(ca_sk, i); 2335 int namelen; 2336 2337 if (name == NULL 2338 || (namelen = i2d_X509_NAME(name, NULL)) < 0 2339 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen, 2340 &namebytes) 2341 || i2d_X509_NAME(name, &namebytes) != namelen) { 2342 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES, 2343 ERR_R_INTERNAL_ERROR); 2344 return 0; 2345 } 2346 } 2347 } 2348 2349 if (!WPACKET_close(pkt)) { 2350 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES, 2351 ERR_R_INTERNAL_ERROR); 2352 return 0; 2353 } 2354 2355 return 1; 2356 } 2357 2358 /* Create a buffer containing data to be signed for server key exchange */ 2359 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs, 2360 const void *param, size_t paramlen) 2361 { 2362 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen; 2363 unsigned char *tbs = OPENSSL_malloc(tbslen); 2364 2365 if (tbs == NULL) { 2366 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS, 2367 ERR_R_MALLOC_FAILURE); 2368 return 0; 2369 } 2370 memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE); 2371 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE); 2372 2373 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen); 2374 2375 *ptbs = tbs; 2376 return tbslen; 2377 } 2378 2379 /* 2380 * Saves the current handshake digest for Post-Handshake Auth, 2381 * Done after ClientFinished is processed, done exactly once 2382 */ 2383 int tls13_save_handshake_digest_for_pha(SSL *s) 2384 { 2385 if (s->pha_dgst == NULL) { 2386 if (!ssl3_digest_cached_records(s, 1)) 2387 /* SSLfatal() already called */ 2388 return 0; 2389 2390 s->pha_dgst = EVP_MD_CTX_new(); 2391 if (s->pha_dgst == NULL) { 2392 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2393 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA, 2394 ERR_R_INTERNAL_ERROR); 2395 return 0; 2396 } 2397 if (!EVP_MD_CTX_copy_ex(s->pha_dgst, 2398 s->s3->handshake_dgst)) { 2399 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2400 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA, 2401 ERR_R_INTERNAL_ERROR); 2402 return 0; 2403 } 2404 } 2405 return 1; 2406 } 2407 2408 /* 2409 * Restores the Post-Handshake Auth handshake digest 2410 * Done just before sending/processing the Cert Request 2411 */ 2412 int tls13_restore_handshake_digest_for_pha(SSL *s) 2413 { 2414 if (s->pha_dgst == NULL) { 2415 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2416 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA, 2417 ERR_R_INTERNAL_ERROR); 2418 return 0; 2419 } 2420 if (!EVP_MD_CTX_copy_ex(s->s3->handshake_dgst, 2421 s->pha_dgst)) { 2422 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2423 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA, 2424 ERR_R_INTERNAL_ERROR); 2425 return 0; 2426 } 2427 return 1; 2428 } 2429