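/*
 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <limits.h>
#include <string.h>
#include <stdio.h>
#include "../ssl_locl.h"
#include "statem_locl.h"
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>

/*
 * Map error codes to TLS/SSL alert types.
 */
typedef struct x509err2alert_st {
    int x509err;
    int alert;
} X509ERR2ALERT;

/*
 * Fixed value used in the ServerHello random field to identify an HRR
 * (HelloRetryRequest). A TLS 1.3 server that sends this value in place of a
 * fresh random is signalling an HRR rather than a real ServerHello.
 */
const unsigned char hrrrandom[] = {
    0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
    0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
    0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
};

/*
 * Send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
 * SSL3_RT_CHANGE_CIPHER_SPEC).
 *
 * Handshake bytes that go out on the wire are also fed into the running
 * Finished MAC (ssl3_finish_mac), except for the TLS 1.3 messages that are
 * explicitly excluded from the transcript below.
 *
 * Returns -1 on a write error, 1 once the whole of init_buf has been sent
 * (at which point the msg_callback, if any, is invoked for the full
 * message), and 0 if the write was partial and must be retried.
 */
int ssl3_do_write(SSL *s, int type)
{
    int ret;
    size_t written = 0;

    ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
                           s->init_num, &written);
    if (ret < 0)
        return -1;
    if (type == SSL3_RT_HANDSHAKE)
        /*
         * should not be done for 'Hello Request's, but in that case we'll
         * ignore the result anyway
         * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
         */
        if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
                                 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
                                 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
            if (!ssl3_finish_mac(s,
                                 (unsigned char *)&s->init_buf->data[s->init_off],
                                 written))
                return -1;
    if (written == s->init_num) {
        if (s->msg_callback)
            s->msg_callback(1, s->version, type, s->init_buf->data,
                            (size_t)(s->init_off + s->init_num), s,
                            s->msg_callback_arg);
        return 1;
    }
    /* Partial write: remember how far we got so the caller can retry */
    s->init_off += written;
    s->init_num -= written;
    return 0;
}

/*
 * Finish constructing an outgoing message held in |pkt| and record its
 * length in s->init_num / s->init_off ready for ssl3_do_write().
 *
 * The sub-packet is closed for every message type except CCS (which is not
 * wrapped in a handshake header). Lengths that do not fit in an int are
 * rejected because init_num is an int.
 *
 * Returns 1 on success, 0 on failure.
 */
int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
{
    size_t msglen;

    if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
        || !WPACKET_get_length(pkt, &msglen)
        || msglen > INT_MAX)
        return 0;
    s->init_num = (int)msglen;
    s->init_off = 0;

    return 1;
}

/*
 * Reset per-handshake state at the start of a handshake.
 *
 * Initialises the handshake hash, clears extension flags, and (server side)
 * refuses to proceed unless at least one enabled cipher is usable at the
 * maximum protocol version we accept. Client side, client_random and the
 * resumption / cert-request flags are reset.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
int tls_setup_handshake(SSL *s)
{
    if (!ssl3_init_finished_mac(s)) {
        /* SSLfatal() already called */
        return 0;
    }

    /* Reset any extension flags */
    memset(s->ext.extflags, 0, sizeof(s->ext.extflags));

    if (s->server) {
        STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
        int i, ver_min, ver_max, ok = 0;

        /*
         * Sanity check that the maximum version we accept has ciphers
         * enabled. For clients we do this check during construction of the
         * ClientHello.
         */
        if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
                     ERR_R_INTERNAL_ERROR);
            return 0;
        }
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);

            if (SSL_IS_DTLS(s)) {
                if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
                    DTLS_VERSION_LE(ver_max, c->max_dtls))
                    ok = 1;
            } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
                ok = 1;
            }
            if (ok)
                break;
        }
        if (!ok) {
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
                     SSL_R_NO_CIPHERS_AVAILABLE);
            ERR_add_error_data(1, "No ciphers enabled for max supported "
                                  "SSL/TLS version");
            return 0;
        }
        if (SSL_IS_FIRST_HANDSHAKE(s)) {
            /* N.B. s->session_ctx == s->ctx here */
            tsan_counter(&s->session_ctx->stats.sess_accept);
        } else {
            /* N.B. s->ctx may not equal s->session_ctx */
            tsan_counter(&s->ctx->stats.sess_accept_renegotiate);

            s->s3->tmp.cert_request = 0;
        }
    } else {
        if (SSL_IS_FIRST_HANDSHAKE(s))
            tsan_counter(&s->session_ctx->stats.sess_connect);
        else
            tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);

        /* mark client_random uninitialized */
        memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
        s->hit = 0;

        s->s3->tmp.cert_req = 0;

        if (SSL_IS_DTLS(s))
            s->statem.use_timer = 1;
    }

    return 1;
}

/*
 * Size of the to-be-signed TLS13 data, without the hash size itself:
 * 64 bytes of value 32, 33 context bytes, 1 byte separator
 */
#define TLS13_TBS_START_SIZE         64
#define TLS13_TBS_PREAMBLE_SIZE      (TLS13_TBS_START_SIZE + 33 + 1)

/*
 * Produce the data that a CertificateVerify signature covers.
 *
 * For TLS 1.3 this is built into |tls13tbs| (which the caller must size as
 * TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE): 64 octets of 0x20, the
 * 33-byte context string, a NUL separator, then the transcript hash. When
 * we are *reading* a CertificateVerify the saved s->cert_verify_hash is
 * used, because the live handshake hash already includes the
 * CertificateVerify message itself.
 *
 * For earlier versions the raw handshake buffer is handed back directly.
 *
 * On success *hdata / *hdatalen describe the to-be-signed bytes and 1 is
 * returned; on failure 0 is returned (SSLfatal() has been called).
 */
static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
                                    void **hdata, size_t *hdatalen)
{
    /*
     * Both context strings are exactly 33 characters (plus the terminating
     * NUL), which is what TLS13_TBS_PREAMBLE_SIZE assumes. The strcpy()
     * calls below are therefore bounded by compile-time constants.
     */
    static const char *servercontext = "TLS 1.3, server CertificateVerify";
    static const char *clientcontext = "TLS 1.3, client CertificateVerify";

    if (SSL_IS_TLS13(s)) {
        size_t hashlen;

        /* Set the first 64 bytes of to-be-signed data to octet 32 */
        memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
        /* This copies the 33 bytes of context plus the 0 separator byte */
        if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
                || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
            strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
        else
            strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);

        /*
         * If we're currently reading then we need to use the saved handshake
         * hash value. We can't use the current handshake hash state because
         * that includes the CertVerify itself.
         */
        if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
                || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
            /*
             * NOTE(review): relies on cert_verify_hash_len never exceeding
             * EVP_MAX_MD_SIZE (the caller's buffer size); it is produced by
             * the handshake hash so that should hold, but it is not checked
             * here.
             */
            memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
                   s->cert_verify_hash_len);
            hashlen = s->cert_verify_hash_len;
        } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
                                       EVP_MAX_MD_SIZE, &hashlen)) {
            /* SSLfatal() already called */
            return 0;
        }

        *hdata = tls13tbs;
        *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
    } else {
        /*
         * BIO_get_mem_data() returns a long. Keep it signed until after the
         * check so that a negative (error) return is actually caught rather
         * than wrapping to a huge size_t and passing the test.
         */
        long retlen;

        retlen = BIO_get_mem_data(s->s3->handshake_buffer, hdata);
        if (retlen <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
                     ERR_R_INTERNAL_ERROR);
            return 0;
        }
        *hdatalen = (size_t)retlen;
    }

    return 1;
}

/*
 * Construct a CertificateVerify message into |pkt| using the private key
 * selected for this handshake (s->s3->tmp.cert / s->s3->tmp.sigalg).
 *
 * The signature algorithm identifier is emitted first when the negotiated
 * version uses signature algorithms, followed by the length-prefixed
 * signature. RSA-PSS uses a salt length equal to the digest length, as TLS
 * 1.3 requires. GOST signatures are byte-reversed to the TLS wire order.
 * The SSL 3.0 path needs the master secret mixed into the digest via
 * EVP_CTRL_SSL3_MASTER_SECRET.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
{
    EVP_PKEY *pkey = NULL;
    const EVP_MD *md = NULL;
    EVP_MD_CTX *mctx = NULL;
    EVP_PKEY_CTX *pctx = NULL;
    size_t hdatalen = 0, siglen = 0;
    void *hdata;
    unsigned char *sig = NULL;
    unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
    const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;

    if (lu == NULL || s->s3->tmp.cert == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }
    pkey = s->s3->tmp.cert->privatekey;

    if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

    mctx = EVP_MD_CTX_new();
    if (mctx == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_MALLOC_FAILURE);
        goto err;
    }

    /* Get the data to be signed */
    if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
        /* SSLfatal() already called */
        goto err;
    }

    if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }
    /* Upper bound on the signature size for this key; EVP_DigestSign shrinks it */
    siglen = EVP_PKEY_size(pkey);
    sig = OPENSSL_malloc(siglen);
    if (sig == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_MALLOC_FAILURE);
        goto err;
    }

    if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_EVP_LIB);
        goto err;
    }

    if (lu->sig == EVP_PKEY_RSA_PSS) {
        if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
            || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
                                                RSA_PSS_SALTLEN_DIGEST) <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                     ERR_R_EVP_LIB);
            goto err;
        }
    }
    if (s->version == SSL3_VERSION) {
        if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
            || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
                                (int)s->session->master_key_length,
                                s->session->master_key)
            || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {

            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                     ERR_R_EVP_LIB);
            goto err;
        }
    } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_EVP_LIB);
        goto err;
    }

#ifndef OPENSSL_NO_GOST
    {
        int pktype = lu->sig;

        if (pktype == NID_id_GostR3410_2001
            || pktype == NID_id_GostR3410_2012_256
            || pktype == NID_id_GostR3410_2012_512)
            BUF_reverse(sig, NULL, siglen);
    }
#endif

    if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /* Digest cached records and discard handshake buffer */
    if (!ssl3_digest_cached_records(s, 0)) {
        /* SSLfatal() already called */
        goto err;
    }

    OPENSSL_free(sig);
    EVP_MD_CTX_free(mctx);
    return 1;
 err:
    OPENSSL_free(sig);
    EVP_MD_CTX_free(mctx);
    return 0;
}

/*
 * Process a peer CertificateVerify message from |pkt|.
 *
 * The peer's certificate must hold a key type we recognise as a signing
 * key, and the signature algorithm (explicit in TLS >= 1.2, implied by the
 * key type otherwise) must be acceptable for that key. The signature
 * length is checked against both the declared length and EVP_PKEY_size()
 * before any bytes are read; an empty signature is rejected. A broken
 * GOST encoding (signature with no length prefix) is tolerated for legacy
 * peers, and GOST signatures are byte-reversed before verification.
 *
 * A signature failure is reported as decrypt_error / SSL_R_BAD_SIGNATURE
 * regardless of whether EVP_DigestVerify returned 0 or a negative error.
 * The handshake buffer is freed on every exit path.
 *
 * Returns MSG_PROCESS_CONTINUE_READING on success, MSG_PROCESS_ERROR on
 * failure (SSLfatal() has been called).
 */
MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
{
    EVP_PKEY *pkey = NULL;
    const unsigned char *data;
#ifndef OPENSSL_NO_GOST
    unsigned char *gost_data = NULL;
#endif
    MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
    int j;
    unsigned int len;
    X509 *peer;
    const EVP_MD *md = NULL;
    size_t hdatalen = 0;
    void *hdata;
    unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    EVP_PKEY_CTX *pctx = NULL;

    if (mctx == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 ERR_R_MALLOC_FAILURE);
        goto err;
    }

    peer = s->session->peer;
    pkey = X509_get0_pubkey(peer);
    if (pkey == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

    if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
        goto err;
    }

    if (SSL_USE_SIGALGS(s)) {
        unsigned int sigalg;

        if (!PACKET_get_net_2(pkt, &sigalg)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                     SSL_R_BAD_PACKET);
            goto err;
        }
        /* Reject algorithms we did not offer or that do not fit the key */
        if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
            /* SSLfatal() already called */
            goto err;
        }
    } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

    if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

#ifdef SSL_DEBUG
    if (SSL_USE_SIGALGS(s))
        fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif

    /* Check for broken implementations of GOST ciphersuites */
    /*
     * If key is GOST and len is exactly 64 or 128, it is signature without
     * length field (CryptoPro implementations at least till TLS 1.2)
     */
#ifndef OPENSSL_NO_GOST
    if (!SSL_USE_SIGALGS(s)
            && ((PACKET_remaining(pkt) == 64
                 && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
                     || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
                || (PACKET_remaining(pkt) == 128
                    && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
        len = PACKET_remaining(pkt);
    } else
#endif
    if (!PACKET_get_net_2(pkt, &len)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 SSL_R_LENGTH_MISMATCH);
        goto err;
    }

    /*
     * Bound the signature by the key size before touching it. Both the
     * declared length and the bytes actually present are checked, and a
     * zero-length signature is refused.
     */
    j = EVP_PKEY_size(pkey);
    if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
        || (PACKET_remaining(pkt) == 0)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 SSL_R_WRONG_SIGNATURE_SIZE);
        goto err;
    }
    if (!PACKET_get_bytes(pkt, &data, len)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 SSL_R_LENGTH_MISMATCH);
        goto err;
    }

    if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
        /* SSLfatal() already called */
        goto err;
    }

#ifdef SSL_DEBUG
    fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
#endif
    if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                 ERR_R_EVP_LIB);
        goto err;
    }
#ifndef OPENSSL_NO_GOST
    {
        int pktype = EVP_PKEY_id(pkey);
        if (pktype == NID_id_GostR3410_2001
            || pktype == NID_id_GostR3410_2012_256
            || pktype == NID_id_GostR3410_2012_512) {
            if ((gost_data = OPENSSL_malloc(len)) == NULL) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
                goto err;
            }
            BUF_reverse(gost_data, data, len);
            data = gost_data;
        }
    }
#endif

    if (SSL_USE_PSS(s)) {
        if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
            || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
                                                RSA_PSS_SALTLEN_DIGEST) <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                     ERR_R_EVP_LIB);
            goto err;
        }
    }
    if (s->version == SSL3_VERSION) {
        if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
                || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
                                    (int)s->session->master_key_length,
                                    s->session->master_key)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                     ERR_R_EVP_LIB);
            goto err;
        }
        if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
            SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                     SSL_R_BAD_SIGNATURE);
            goto err;
        }
    } else {
        j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
        if (j <= 0) {
            SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                     SSL_R_BAD_SIGNATURE);
            goto err;
        }
    }

    ret = MSG_PROCESS_CONTINUE_READING;
 err:
    BIO_free(s->s3->handshake_buffer);
    s->s3->handshake_buffer = NULL;
    EVP_MD_CTX_free(mctx);
#ifndef OPENSSL_NO_GOST
    OPENSSL_free(gost_data);
#endif
    return ret;
}

/*
 * Construct our Finished message into |pkt|.
 *
 * For a TLS 1.3 client that did not send a certificate the client write
 * keys are switched to handshake keys here (otherwise that already
 * happened when the certificate was sent). The Finished value is computed
 * with the version-specific final_finish_mac and a copy is kept in
 * previous_{client,server}_finished for secure-renegotiation checks.
 * The master secret is logged via ssl_log_secret() for pre-1.3 versions
 * only (TLS 1.3 uses a different key schedule).
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
int tls_construct_finished(SSL *s, WPACKET *pkt)
{
    size_t finish_md_len;
    const char *sender;
    size_t slen;

    /* This is a real handshake so make sure we clean it up at the end */
    if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
        s->statem.cleanuphand = 1;

    /*
     * We only change the keys if we didn't already do this when we sent the
     * client certificate
     */
    if (SSL_IS_TLS13(s)
            && !s->server
            && s->s3->tmp.cert_req == 0
            && (!s->method->ssl3_enc->change_cipher_state(s,
                    SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
        /* SSLfatal() already called */
        return 0;
    }

    if (s->server) {
        sender = s->method->ssl3_enc->server_finished_label;
        slen = s->method->ssl3_enc->server_finished_label_len;
    } else {
        sender = s->method->ssl3_enc->client_finished_label;
        slen = s->method->ssl3_enc->client_finished_label_len;
    }

    finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
                                                          sender, slen,
                                                          s->s3->tmp.finish_md);
    if (finish_md_len == 0) {
        /* SSLfatal() already called */
        return 0;
    }

    s->s3->tmp.finish_md_len = finish_md_len;

    if (!WPACKET_memcpy(pkt, s->s3->tmp.finish_md, finish_md_len)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /*
     * Log the master secret, if logging is enabled. We don't log it for
     * TLSv1.3: there's a different key schedule for that.
     */
    if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
                                            s->session->master_key,
                                            s->session->master_key_length)) {
        /* SSLfatal() already called */
        return 0;
    }

    /*
     * Copy the finished so we can use it for renegotiation checks
     */
    if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }
    if (!s->server) {
        memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md,
               finish_md_len);
        s->s3->previous_client_finished_len = finish_md_len;
    } else {
        memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md,
               finish_md_len);
        s->s3->previous_server_finished_len = finish_md_len;
    }

    return 1;
}

/*
 * Construct a TLS 1.3 KeyUpdate message carrying the pending s->key_update
 * request type, then clear the pending request.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
int tls_construct_key_update(SSL *s, WPACKET *pkt)
{
    if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    s->key_update = SSL_KEY_UPDATE_NONE;
    return 1;
}

/*
 * Process a TLS 1.3 KeyUpdate message from |pkt|.
 *
 * The number of KeyUpdates accepted per connection is capped at
 * MAX_KEY_UPDATE_MESSAGES so a peer cannot force unbounded rekeying. The
 * message must end on a record boundary (the read keys change immediately
 * after it) and must be exactly one byte holding a defined update type.
 * If the peer asked us to update our sending keys too we queue a
 * KeyUpdate(update_not_requested) in reply, unless we have already sent
 * close_notify; replying with update_requested would create a loop.
 *
 * Returns MSG_PROCESS_FINISHED_READING on success, MSG_PROCESS_ERROR on
 * failure (SSLfatal() has been called).
 */
MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
{
    unsigned int updatetype;

    s->key_update_count++;
    if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
                 SSL_R_TOO_MANY_KEY_UPDATES);
        return MSG_PROCESS_ERROR;
    }

    /*
     * A KeyUpdate message signals a key change so the end of the message must
     * be on a record boundary.
     */
    if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
                 SSL_R_NOT_ON_RECORD_BOUNDARY);
        return MSG_PROCESS_ERROR;
    }

    if (!PACKET_get_1(pkt, &updatetype)
            || PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
                 SSL_R_BAD_KEY_UPDATE);
        return MSG_PROCESS_ERROR;
    }

    /*
     * There are only two defined key update types. Fail if we get a value we
     * didn't recognise.
     */
    if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
            && updatetype != SSL_KEY_UPDATE_REQUESTED) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
                 SSL_R_BAD_KEY_UPDATE);
        return MSG_PROCESS_ERROR;
    }

    /*
     * If we get a request for us to update our sending keys too then, we need
     * to additionally send a KeyUpdate message. However that message should
     * not also request an update (otherwise we get into an infinite loop). We
     * ignore a request for us to update our sending keys too if we already
     * sent close_notify.
     */
    if (updatetype == SSL_KEY_UPDATE_REQUESTED
            && (s->shutdown & SSL_SENT_SHUTDOWN) == 0)
        s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;

    if (!tls13_update_key(s, 0)) {
        /* SSLfatal() already called */
        return MSG_PROCESS_ERROR;
    }

    return MSG_PROCESS_FINISHED_READING;
}

/*
 * ssl3_take_mac calculates the Finished MAC for the handshake messages seen
 * so far, using the *peer's* label, and stores it in s->s3->tmp.peer_finish_md
 * for tls_process_finished() to compare against.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
int ssl3_take_mac(SSL *s)
{
    const char *sender;
    size_t slen;

    if (!s->server) {
        sender = s->method->ssl3_enc->server_finished_label;
        slen = s->method->ssl3_enc->server_finished_label_len;
    } else {
        sender = s->method->ssl3_enc->client_finished_label;
        slen = s->method->ssl3_enc->client_finished_label_len;
    }

    s->s3->tmp.peer_finish_md_len =
        s->method->ssl3_enc->final_finish_mac(s, sender, slen,
                                              s->s3->tmp.peer_finish_md);

    if (s->s3->tmp.peer_finish_md_len == 0) {
        /* SSLfatal() already called */
        return 0;
    }

    return 1;
}

/*
 * Process a ChangeCipherSpec message.
 *
 * Validates that nothing unexpected follows the single CCS byte (DTLS1_BAD_VER
 * carries an extra header), refuses a CCS that arrives before a cipher has
 * been negotiated (s->s3->tmp.new_cipher == NULL), and then switches the read
 * cipher state. DTLS additionally resets read sequence numbers.
 *
 * Returns MSG_PROCESS_CONTINUE_READING on success, MSG_PROCESS_ERROR on
 * failure (SSLfatal() has been called).
 */
MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
{
    size_t remain;

    remain = PACKET_remaining(pkt);
    /*
     * 'Change Cipher Spec' is just a single byte, which should already have
     * been consumed by ssl_get_message() so there should be no bytes left,
     * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
     */
    if (SSL_IS_DTLS(s)) {
        if ((s->version == DTLS1_BAD_VER
             && remain != DTLS1_CCS_HEADER_LENGTH + 1)
            || (s->version != DTLS1_BAD_VER
                && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
                     SSL_R_BAD_CHANGE_CIPHER_SPEC);
            return MSG_PROCESS_ERROR;
        }
    } else {
        if (remain != 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
                     SSL_R_BAD_CHANGE_CIPHER_SPEC);
            return MSG_PROCESS_ERROR;
        }
    }

    /* Check we have a cipher to change to */
    if (s->s3->tmp.new_cipher == NULL) {
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
                 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
        return MSG_PROCESS_ERROR;
    }

    s->s3->change_cipher_spec = 1;
    if (!ssl3_do_change_cipher_spec(s)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
                 ERR_R_INTERNAL_ERROR);
        return MSG_PROCESS_ERROR;
    }

    if (SSL_IS_DTLS(s)) {
        dtls1_reset_seq_numbers(s, SSL3_CC_READ);

        if (s->version == DTLS1_BAD_VER)
            s->d1->handshake_read_seq++;

#ifndef OPENSSL_NO_SCTP
        /*
         * Remember that a CCS has been received, so that an old key of
         * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
         * SCTP is used
         */
        BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
#endif
    }

    return MSG_PROCESS_CONTINUE_READING;
}

/*
 * Process the peer's Finished message.
 *
 * Pre-1.3, a Finished that is not preceded by a CCS is rejected. The received
 * value must be exactly peer_finish_md_len bytes (computed earlier by
 * ssl3_take_mac) and is compared with CRYPTO_memcmp so the comparison does
 * not leak timing. The verified value is saved for secure-renegotiation
 * checks. For TLS 1.3 the message must end on a record boundary; the server
 * then switches to application read keys (unless this is a post-handshake
 * auth exchange), while the client derives the master secret, switches keys
 * and finishes processing the server's first flight.
 *
 * Returns MSG_PROCESS_FINISHED_READING on success, MSG_PROCESS_ERROR on
 * failure (SSLfatal() has been called).
 */
MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
{
    size_t md_len;


    /* This is a real handshake so make sure we clean it up at the end */
    if (s->server) {
        /*
         * To get this far we must have read encrypted data from the client. We
         * no longer tolerate unencrypted alerts. This value is ignored if less
         * than TLSv1.3
         */
        s->statem.enc_read_state = ENC_READ_STATE_VALID;
        if (s->post_handshake_auth != SSL_PHA_REQUESTED)
            s->statem.cleanuphand = 1;
        if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
            /* SSLfatal() already called */
            return MSG_PROCESS_ERROR;
        }
    }

    /*
     * In TLSv1.3 a Finished message signals a key change so the end of the
     * message must be on a record boundary.
     */
    if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
                 SSL_R_NOT_ON_RECORD_BOUNDARY);
        return MSG_PROCESS_ERROR;
    }

    /* If this occurs, we have missed a message */
    if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) {
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
                 SSL_R_GOT_A_FIN_BEFORE_A_CCS);
        return MSG_PROCESS_ERROR;
    }
    s->s3->change_cipher_spec = 0;

    md_len = s->s3->tmp.peer_finish_md_len;

    /* Length must match exactly; a shorter value must not compare equal */
    if (md_len != PACKET_remaining(pkt)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
                 SSL_R_BAD_DIGEST_LENGTH);
        return MSG_PROCESS_ERROR;
    }

    /* Constant-time comparison of the peer's verify_data */
    if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md,
                      md_len) != 0) {
        SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
                 SSL_R_DIGEST_CHECK_FAILED);
        return MSG_PROCESS_ERROR;
    }

    /*
     * Copy the finished so we can use it for renegotiation checks
     */
    if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
                 ERR_R_INTERNAL_ERROR);
        return MSG_PROCESS_ERROR;
    }
    if (s->server) {
        memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md,
               md_len);
        s->s3->previous_client_finished_len = md_len;
    } else {
        memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md,
               md_len);
        s->s3->previous_server_finished_len = md_len;
    }

    /*
     * In TLS1.3 we also have to change cipher state and do any final processing
     * of the initial server flight (if we are a client)
     */
    if (SSL_IS_TLS13(s)) {
        if (s->server) {
            if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
                !s->method->ssl3_enc->change_cipher_state(s,
                    SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
                /* SSLfatal() already called */
                return MSG_PROCESS_ERROR;
            }
        } else {
            if (!s->method->ssl3_enc->generate_master_secret(s,
                    s->master_secret, s->handshake_secret, 0,
                    &s->session->master_key_length)) {
                /* SSLfatal() already called */
                return MSG_PROCESS_ERROR;
            }
            if (!s->method->ssl3_enc->change_cipher_state(s,
                    SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
                /* SSLfatal() already called */
                return MSG_PROCESS_ERROR;
            }
            if (!tls_process_initial_server_flight(s)) {
                /* SSLfatal() already called */
                return MSG_PROCESS_ERROR;
            }
        }
    }

    return MSG_PROCESS_FINISHED_READING;
}

/*
 * Construct a ChangeCipherSpec message: a single SSL3_MT_CCS byte.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
{
    if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

/*
 * Add a certificate to the WPACKET as a 24-bit length-prefixed DER blob.
 *
 * The DER length is computed first and the encoding is then written straight
 * into the allocated sub-packet; a mismatch between the two is treated as an
 * internal error. For TLS 1.3 the per-certificate extensions follow. |chain|
 * is the certificate's position in the chain (0 for the end-entity cert).
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
{
    int len;
    unsigned char *outbytes;

    len = i2d_X509(x, NULL);
    if (len < 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
                 ERR_R_BUF_LIB);
        return 0;
    }
    if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
            || i2d_X509(x, &outbytes) != len) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    if (SSL_IS_TLS13(s)
            && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
                                         chain)) {
        /* SSLfatal() already called */
        return 0;
    }

    return 1;
}

/*
 * Add certificate chain to provided WPACKET.
 *
 * If the CERT_PKEY carries an explicit chain (or the ctx has extra_certs, or
 * SSL_MODE_NO_AUTO_CHAIN is set) that chain is sent as-is after the leaf.
 * Otherwise the chain is auto-built with X509_verify_cert() against the
 * configured chain store; the verification result itself is deliberately
 * ignored since the goal is chain construction, not validation. In both
 * cases the chain is first checked against the configured security level
 * (ssl_security_cert_chain) and the handshake fails if it is too weak.
 *
 * A missing certificate (cpk or cpk->x509 NULL) is not an error: nothing is
 * added and 1 is returned.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
{
    int i, chain_count;
    X509 *x;
    STACK_OF(X509) *extra_certs;
    STACK_OF(X509) *chain = NULL;
    X509_STORE *chain_store;

    if (cpk == NULL || cpk->x509 == NULL)
        return 1;

    x = cpk->x509;

    /*
     * If we have a certificate specific chain use it, else use parent ctx.
     */
    if (cpk->chain != NULL)
        extra_certs = cpk->chain;
    else
        extra_certs = s->ctx->extra_certs;

    if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
        chain_store = NULL;
    else if (s->cert->chain_store)
        chain_store = s->cert->chain_store;
    else
        chain_store = s->ctx->cert_store;

    if (chain_store != NULL) {
        X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();

        if (xs_ctx == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
                     ERR_R_MALLOC_FAILURE);
            return 0;
        }
        if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
            X509_STORE_CTX_free(xs_ctx);
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
                     ERR_R_X509_LIB);
            return 0;
        }
        /*
         * It is valid for the chain not to be complete (because normally we
         * don't include the root cert in the chain). Therefore we deliberately
         * ignore the error return from this call. We're not actually verifying
         * the cert - we're just building as much of the chain as we can
         */
        (void)X509_verify_cert(xs_ctx);
        /* Don't leave errors in the queue */
        ERR_clear_error();
        chain = X509_STORE_CTX_get0_chain(xs_ctx);
        i = ssl_security_cert_chain(s, chain, NULL, 0);
        if (i != 1) {
#if 0
            /* Dummy error calls so mkerr generates them */
            SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
            SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
            SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
#endif
            X509_STORE_CTX_free(xs_ctx);
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
            return 0;
        }
        chain_count = sk_X509_num(chain);
        for (i = 0; i < chain_count; i++) {
            x = sk_X509_value(chain, i);

            if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
                /* SSLfatal() already called */
                X509_STORE_CTX_free(xs_ctx);
                return 0;
            }
        }
        X509_STORE_CTX_free(xs_ctx);
    } else {
        i = ssl_security_cert_chain(s, extra_certs, x, 0);
        if (i != 1) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
            return 0;
        }
        if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
            /* SSLfatal() already called */
            return 0;
        }
        for (i = 0; i < sk_X509_num(extra_certs); i++) {
            x = sk_X509_value(extra_certs, i);
            if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
                /* SSLfatal() already called */
                return 0;
            }
        }
    }
    return 1;
}

/*
 * Write the certificate_list for |cpk| into |pkt| as a 24-bit length-prefixed
 * sub-packet (see ssl_add_cert_chain for what goes inside it).
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
{
    if (!WPACKET_start_sub_packet_u24(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    if (!ssl_add_cert_chain(s, pkt, cpk))
        return 0;

    if (!WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

/*
 * Tidy up after the end of a handshake. In the case of SCTP this may result
 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
 * freed up as well.
 *
 * When a Finished message was exchanged (s->statem.cleanuphand) the key block
 * is wiped, the session cache is updated (pre-1.3; TLS 1.3 does this around
 * NewSessionTicket instead, and a client removes a used 1.3 ticket from its
 * cache), statistics counters are bumped, DTLS handshake sequence state is
 * reset and the retransmit timer is started where our flight was last.
 * The info callback, if any, is told SSL_CB_HANDSHAKE_DONE with the state
 * machine out of "init"; if |stop| is 0 we go back into init afterwards.
 *
 * Returns WORK_FINISHED_STOP, WORK_FINISHED_CONTINUE, or WORK_ERROR.
 */
WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
{
    void (*cb) (const SSL *ssl, int type, int val) = NULL;

    if (clearbufs) {
        if (!SSL_IS_DTLS(s)) {
            /*
             * We don't do this in DTLS because we may still need the init_buf
             * in case there are any unexpected retransmits
             */
            BUF_MEM_free(s->init_buf);
            s->init_buf = NULL;
        }
        if (!ssl_free_wbio_buffer(s)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
                     ERR_R_INTERNAL_ERROR);
            return WORK_ERROR;
        }
        s->init_num = 0;
    }

    if (SSL_IS_TLS13(s) && !s->server
            && s->post_handshake_auth == SSL_PHA_REQUESTED)
        s->post_handshake_auth = SSL_PHA_EXT_SENT;

    /*
     * Only set if there was a Finished message and this isn't after a TLSv1.3
     * post handshake exchange
     */
    if (s->statem.cleanuphand) {
        /* skipped if we just sent a HelloRequest */
        s->renegotiate = 0;
        s->new_session = 0;
        s->statem.cleanuphand = 0;
        s->ext.ticket_expected = 0;

        ssl3_cleanup_key_block(s);

        if (s->server) {
            /*
             * In TLSv1.3 we update the cache as part of constructing the
             * NewSessionTicket
             */
            if (!SSL_IS_TLS13(s))
                ssl_update_cache(s, SSL_SESS_CACHE_SERVER);

            /* N.B. s->ctx may not equal s->session_ctx */
            tsan_counter(&s->ctx->stats.sess_accept_good);
            s->handshake_func = ossl_statem_accept;

            if (SSL_IS_DTLS(s) && !s->hit) {
                /*
                 * We are finishing after the client. We start the timer going
                 * in case there are any retransmits of our final flight
                 * required.
                 */
                dtls1_start_timer(s);
            }
        } else {
            if (SSL_IS_TLS13(s)) {
                /*
                 * We encourage applications to only use TLSv1.3 tickets once,
                 * so we remove this one from the cache.
                 */
                if ((s->session_ctx->session_cache_mode
                     & SSL_SESS_CACHE_CLIENT) != 0)
                    SSL_CTX_remove_session(s->session_ctx, s->session);
            } else {
                /*
                 * In TLSv1.3 we update the cache as part of processing the
                 * NewSessionTicket
                 */
                ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
            }
            if (s->hit)
                tsan_counter(&s->session_ctx->stats.sess_hit);

            s->handshake_func = ossl_statem_connect;
            tsan_counter(&s->session_ctx->stats.sess_connect_good);

            if (SSL_IS_DTLS(s) && s->hit) {
                /*
                 * We are finishing after the server. We start the timer going
                 * in case there are any retransmits of our final flight
                 * required.
                 */
                dtls1_start_timer(s);
            }
        }

        if (SSL_IS_DTLS(s)) {
            /* done with handshaking */
            s->d1->handshake_read_seq = 0;
            s->d1->handshake_write_seq = 0;
            s->d1->next_handshake_write_seq = 0;
            dtls1_clear_received_buffer(s);
        }
    }

    if (s->info_callback != NULL)
        cb = s->info_callback;
    else if (s->ctx->info_callback != NULL)
        cb = s->ctx->info_callback;

    /* The callback may expect us to not be in init at handshake done */
    ossl_statem_set_in_init(s, 0);

    if (cb != NULL)
        cb(s, SSL_CB_HANDSHAKE_DONE, 1);

    if (!stop) {
        /* If we've got more work to do we go back into init */
        ossl_statem_set_in_init(s, 1);
        return WORK_FINISHED_CONTINUE;
    }

    return WORK_FINISHED_STOP;
}

int tls_get_message_header(SSL *s, int *mt)
{
    /* s->init_num < SSL3_HM_HEADER_LENGTH */
    int skip_message, i, recvd_type;
    unsigned char *p;
    size_t l, readbytes;

    p = (unsigned char *)s->init_buf->data;

    do {
        while (s->init_num < SSL3_HM_HEADER_LENGTH) {
            i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
                                          &p[s->init_num],
                                          SSL3_HM_HEADER_LENGTH - s->init_num,
                                          0, &readbytes);
            if (i <= 0) {
                s->rwstate = SSL_READING;
                return 0;
            }
            if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
                /*
                 * A ChangeCipherSpec must be a single byte and may not occur
                 * in the middle of a handshake message.
                 */
                if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
                    SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
                             SSL_F_TLS_GET_MESSAGE_HEADER,
                             SSL_R_BAD_CHANGE_CIPHER_SPEC);
                    return 0;
                }
                if (s->statem.hand_state == TLS_ST_BEFORE
                        && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) {
                    /*
                     * We are stateless and we received a CCS. Probably this is
                     * from a client between the first and second ClientHellos.
                     * We should ignore this, but return an error because we do
                     * not return success until we see the second ClientHello
                     * with a valid cookie.
                     */
                    return 0;
                }
                s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
                s->init_num = readbytes - 1;
                s->init_msg = s->init_buf->data;
                s->s3->tmp.message_size = readbytes;
                return 1;
            } else if (recvd_type != SSL3_RT_HANDSHAKE) {
                SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
                         SSL_F_TLS_GET_MESSAGE_HEADER,
                         SSL_R_CCS_RECEIVED_EARLY);
                return 0;
            }
            s->init_num += readbytes;
        }

        skip_message = 0;
        if (!s->server)
            if (s->statem.hand_state != TLS_ST_OK
                    && p[0] == SSL3_MT_HELLO_REQUEST)
                /*
                 * The server may always send 'Hello Request' messages --
                 * we are doing a handshake anyway now, so ignore them if
                 * their format is correct. Does not count for 'Finished'
                 * MAC.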
1199 */ 1200 if (p[1] == 0 && p[2] == 0 && p[3] == 0) { 1201 s->init_num = 0; 1202 skip_message = 1; 1203 1204 if (s->msg_callback) 1205 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 1206 p, SSL3_HM_HEADER_LENGTH, s, 1207 s->msg_callback_arg); 1208 } 1209 } while (skip_message); 1210 /* s->init_num == SSL3_HM_HEADER_LENGTH */ 1211 1212 *mt = *p; 1213 s->s3->tmp.message_type = *(p++); 1214 1215 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 1216 /* 1217 * Only happens with SSLv3+ in an SSLv2 backward compatible 1218 * ClientHello 1219 * 1220 * Total message size is the remaining record bytes to read 1221 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read 1222 */ 1223 l = RECORD_LAYER_get_rrec_length(&s->rlayer) 1224 + SSL3_HM_HEADER_LENGTH; 1225 s->s3->tmp.message_size = l; 1226 1227 s->init_msg = s->init_buf->data; 1228 s->init_num = SSL3_HM_HEADER_LENGTH; 1229 } else { 1230 n2l3(p, l); 1231 /* BUF_MEM_grow takes an 'int' parameter */ 1232 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) { 1233 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER, 1234 SSL_R_EXCESSIVE_MESSAGE_SIZE); 1235 return 0; 1236 } 1237 s->s3->tmp.message_size = l; 1238 1239 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; 1240 s->init_num = 0; 1241 } 1242 1243 return 1; 1244 } 1245 1246 int tls_get_message_body(SSL *s, size_t *len) 1247 { 1248 size_t n, readbytes; 1249 unsigned char *p; 1250 int i; 1251 1252 if (s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) { 1253 /* We've already read everything in */ 1254 *len = (unsigned long)s->init_num; 1255 return 1; 1256 } 1257 1258 p = s->init_msg; 1259 n = s->s3->tmp.message_size - s->init_num; 1260 while (n > 0) { 1261 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 1262 &p[s->init_num], n, 0, &readbytes); 1263 if (i <= 0) { 1264 s->rwstate = SSL_READING; 1265 *len = 0; 1266 return 0; 1267 } 1268 s->init_num += readbytes; 1269 n -= readbytes; 1270 } 1271 1272 /* 1273 * If receiving Finished, record 
MAC of prior handshake messages for 1274 * Finished verification. 1275 */ 1276 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) { 1277 /* SSLfatal() already called */ 1278 *len = 0; 1279 return 0; 1280 } 1281 1282 /* Feed this message into MAC computation. */ 1283 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 1284 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1285 s->init_num)) { 1286 /* SSLfatal() already called */ 1287 *len = 0; 1288 return 0; 1289 } 1290 if (s->msg_callback) 1291 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data, 1292 (size_t)s->init_num, s, s->msg_callback_arg); 1293 } else { 1294 /* 1295 * We defer feeding in the HRR until later. We'll do it as part of 1296 * processing the message 1297 * The TLsv1.3 handshake transcript stops at the ClientFinished 1298 * message. 1299 */ 1300 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2) 1301 /* KeyUpdate and NewSessionTicket do not need to be added */ 1302 if (!SSL_IS_TLS13(s) || (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET 1303 && s->s3->tmp.message_type != SSL3_MT_KEY_UPDATE)) { 1304 if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO 1305 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE 1306 || memcmp(hrrrandom, 1307 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET, 1308 SSL3_RANDOM_SIZE) != 0) { 1309 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1310 s->init_num + SSL3_HM_HEADER_LENGTH)) { 1311 /* SSLfatal() already called */ 1312 *len = 0; 1313 return 0; 1314 } 1315 } 1316 } 1317 if (s->msg_callback) 1318 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, 1319 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s, 1320 s->msg_callback_arg); 1321 } 1322 1323 *len = s->init_num; 1324 return 1; 1325 } 1326 1327 static const X509ERR2ALERT x509table[] = { 1328 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE}, 1329 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE}, 1330 
{X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE}, 1331 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA}, 1332 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED}, 1333 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE}, 1334 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE}, 1335 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED}, 1336 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR}, 1337 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE}, 1338 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED}, 1339 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE}, 1340 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR}, 1341 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE}, 1342 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA}, 1343 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE}, 1344 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1345 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE}, 1346 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1347 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1348 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1349 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1350 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA}, 1351 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR}, 1352 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE}, 1353 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1354 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR}, 1355 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA}, 1356 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA}, 1357 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR}, 1358 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE}, 1359 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE}, 1360 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE}, 1361 {X509_V_ERR_UNABLE_TO_GET_CRL, 
SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
    {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},

    /* Last entry; return this if we don't find the value above. */
    {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
};

/*
 * ssl_x509err2alert - Map an X509_V_ERR_* verification result onto the TLS
 * alert description that is sent to the peer.
 *
 * @x509err: the X509_V_ERR_* value to translate.
 *
 * Returns the matching SSL_AD_* alert. A value that is not in x509table
 * yields the alert of the sentinel entry (SSL_AD_CERTIFICATE_UNKNOWN).
 */
int ssl_x509err2alert(int x509err)
{
    size_t idx = 0;

    /* Walk the table until the X509_V_OK sentinel or the first match */
    while (x509table[idx].x509err != X509_V_OK
           && x509table[idx].x509err != x509err)
        idx++;

    return x509table[idx].alert;
}

/*
 * ssl_allow_compression - Is TLS compression permitted on this connection?
 *
 * Compression is refused outright by SSL_OP_NO_COMPRESSION; otherwise the
 * security callback (SSL_SECOP_COMPRESSION) has the final say.
 *
 * Returns non-zero if compression may be used, 0 otherwise.
 */
int ssl_allow_compression(SSL *s)
{
    if ((s->options & SSL_OP_NO_COMPRESSION) != 0)
        return 0;

    return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
}

/*
 * version_cmp - Three-way compare two protocol version numbers.
 *
 * DTLS version numbers decrease as the protocol gets newer, so the DTLS
 * comparison macros are used there instead of plain integer ordering.
 *
 * Returns -1 if a is older than b, 0 if equal, 1 if a is newer than b.
 */
static int version_cmp(const SSL *s, int a, int b)
{
    if (a == b)
        return 0;

    if (SSL_IS_DTLS(s))
        return DTLS_VERSION_LT(a, b) ? -1 : 1;

    return (a < b) ? -1 : 1;
}

/* One row of the (D)TLS version capability tables below */
typedef struct {
    int version;
    /* Either pointer is NULL when that side is disabled at compile time */
    const SSL_METHOD *(*cmeth) (void);
    const SSL_METHOD *(*smeth) (void);
} version_info;

#if TLS_MAX_VERSION != TLS1_3_VERSION
# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
#endif

/*
 * Must be in order high to low: the version search loops in this file rely
 * on the first enabled entry being the highest available version.
 */
static const version_info tls_version_table[] = {
#ifndef OPENSSL_NO_TLS1_3
    {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
#else
    {TLS1_3_VERSION, NULL, NULL},
#endif
#ifndef OPENSSL_NO_TLS1_2
    {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
#else
    {TLS1_2_VERSION, NULL, NULL},
#endif
#ifndef OPENSSL_NO_TLS1_1
    {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
#else
    {TLS1_1_VERSION, NULL, NULL},
#endif
#ifndef OPENSSL_NO_TLS1
    {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
#else
    {TLS1_VERSION, NULL, NULL},
#endif
#ifndef OPENSSL_NO_SSL3
    {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
#else
    {SSL3_VERSION, NULL, NULL},
#endif
    {0, NULL, NULL},
};

#if DTLS_MAX_VERSION != DTLS1_2_VERSION
# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
#endif

/* Must be in order high to low (see the note on tls_version_table) */
static const version_info dtls_version_table[] = {
#ifndef OPENSSL_NO_DTLS1_2
    {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
#else
    {DTLS1_2_VERSION, NULL, NULL},
#endif
#ifndef OPENSSL_NO_DTLS1
    {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
    {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
#else
    {DTLS1_VERSION, NULL, NULL},
    {DTLS1_BAD_VER, NULL, NULL},
#endif
    {0, NULL, NULL},
};

/*
 * ssl_method_error - Check whether an SSL_METHOD is enabled.
 *
 * @s: The SSL handle for the candidate method
 * @method: the intended method.
 *
 * Returns 0 on success, or an SSL error reason on failure.
*/
static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
{
    const int version = method->version;
    const int below_min = s->min_proto_version != 0
        && version_cmp(s, version, s->min_proto_version) < 0;

    /*
     * The security level can impose a floor above MinProtocol; only ask it
     * when MinProtocol itself did not already reject the version.
     */
    if (below_min
            || ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
        return SSL_R_VERSION_TOO_LOW;

    if (s->max_proto_version != 0
            && version_cmp(s, version, s->max_proto_version) > 0)
        return SSL_R_VERSION_TOO_HIGH;

    /* method->mask is presumably this version's SSL_OP_NO_xxx bit */
    if ((s->options & method->mask) != 0)
        return SSL_R_UNSUPPORTED_PROTOCOL;

    /* Suite B mode is only defined for TLSv1.2 and above */
    if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
        return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;

    return 0;
}

/*
 * is_tls13_capable - Can this server actually complete a TLSv1.3 handshake?
 *
 * Only called by servers. A server qualifies if it has a PSK callback, a
 * certificate callback, or at least one certificate of a type that TLSv1.3
 * can use (DSA and GOST certificates are excluded).
 *
 * Returns 1 if TLSv1.3 can be offered, 0 otherwise.
 */
static int is_tls13_capable(const SSL *s)
{
    int i;

#ifndef OPENSSL_NO_PSK
    if (s->psk_server_callback != NULL)
        return 1;
#endif

    if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
        return 1;

    for (i = 0; i < SSL_PKEY_NUM; i++) {
        /* Certificate types that TLSv1.3 does not allow */
        if (i == SSL_PKEY_DSA_SIGN
                || i == SSL_PKEY_GOST01
                || i == SSL_PKEY_GOST12_256
                || i == SSL_PKEY_GOST12_512)
            continue;

        if (ssl_has_cert(s, i))
            return 1;
    }

    return 0;
}

/*
 * ssl_version_supported - Check that the specified `version` is supported by
 * the `SSL *` instance.
 *
 * @s: The SSL handle for the candidate method
 * @version: Protocol version to test against
 * @meth: if non-NULL, receives the client method for `version` on success
 *
 * Returns 1 when supported, otherwise 0
 */
int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
{
    const version_info *table;
    const version_info *vent;

    if (s->method->version == TLS_ANY_VERSION)
        table = tls_version_table;
    else if (s->method->version == DTLS_ANY_VERSION)
        table = dtls_version_table;
    else
        /* Fixed-version method: only its own version is acceptable */
        return version_cmp(s, version, s->version) == 0;

    /* Tables run high to low, so stop once the entries drop below |version| */
    for (vent = table; vent->version != 0; ++vent) {
        if (version_cmp(s, version, vent->version) > 0)
            break;
        if (vent->cmeth == NULL
                || version_cmp(s, version, vent->version) != 0)
            continue;
        if (ssl_method_error(s, vent->cmeth()) != 0)
            continue;
        /* A server must also have something it can authenticate with */
        if (s->server && version == TLS1_3_VERSION && !is_tls13_capable(s))
            continue;

        if (meth != NULL)
            *meth = vent->cmeth();
        return 1;
    }

    return 0;
}

/*
 * ssl_check_version_downgrade - In response to an RFC7507 fallback SCSV from
 * a client, check whether the negotiated version is the highest one this
 * server has enabled (i.e. the client's fallback was not a real downgrade).
 *
 * @s server SSL handle.
 *
 * Returns 1 when using the highest enabled version, 0 otherwise.
 */
int ssl_check_version_downgrade(SSL *s)
{
    const int ctx_version = s->ctx->method->version;
    const version_info *table;
    const version_info *vent;

    /*
     * Version negotiation may already have replaced s->method with a fixed
     * method, so the original (possibly flexible) method is s->ctx->method.
     */
    if (s->version == ctx_version)
        return 1;

    if (ctx_version == TLS_method()->version)
        table = tls_version_table;
    else if (ctx_version == DTLS_method()->version)
        table = dtls_version_table;
    else
        return 0; /* Unexpected state; fail closed. */

    /* High-to-low order: the first enabled server method is the maximum */
    for (vent = table; vent->version != 0; ++vent) {
        if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
            return s->version == vent->version;
    }

    return 0;
}

/*
 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
 * protocols, provided the initial (D)TLS method is version-flexible. This
 * function sanity-checks the proposed value and makes sure the method is
 * version-flexible, then sets the limit if all is well.
 *
 * @method_version: The version of the current SSL_METHOD.
 * @version: the intended limit (0 clears the bound).
 * @bound: pointer to limit to be updated.
 *
 * Returns 1 on success, 0 on failure.
 */
int ssl_set_version_bound(int method_version, int version, int *bound)
{
    int acceptable;

    /* Zero means "no bound" and is always accepted */
    if (version == 0) {
        *bound = 0;
        return 1;
    }

    /*-
     * Restrict TLS methods to TLS protocol versions.
     * Restrict DTLS methods to DTLS protocol versions.
     * Note, DTLS version numbers are decreasing, use comparison macros.
     *
     * Note that for both lower-bounds we use explicit versions, not
     * (D)TLS_MIN_VERSION. This is because we don't want to break user
     * configurations. If the MIN (supported) version ever rises, the user's
     * "floor" remains valid even if no longer available. We don't expect the
     * MAX ceiling to ever get lower, so making that variable makes sense.
     */
    if (method_version == TLS_ANY_VERSION) {
        acceptable = version >= SSL3_VERSION && version <= TLS_MAX_VERSION;
    } else if (method_version == DTLS_ANY_VERSION) {
        acceptable = !DTLS_VERSION_GT(version, DTLS_MAX_VERSION)
            && !DTLS_VERSION_LT(version, DTLS1_BAD_VER);
    } else {
        /*
         * XXX For fixed version methods, should we always fail and not set any
         * bounds, always succeed and not set any bounds, or set the bounds and
         * arrange to fail later if they are not met? At present fixed-version
         * methods are not subject to controls that disable individual protocol
         * versions.
         */
        acceptable = 0;
    }

    if (!acceptable)
        return 0;

    *bound = version;
    return 1;
}

/*
 * check_for_downgrade - Decide which RFC 8446 downgrade sentinel (if any)
 * the server must place in its ServerHello random for the chosen version.
 *
 * @s: server SSL handle.
 * @vers: the version that was negotiated.
 * @dgrd: receives DOWNGRADE_TO_1_2, DOWNGRADE_TO_1_1 or DOWNGRADE_NONE.
 */
static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
{
    DOWNGRADE result = DOWNGRADE_NONE;

    if (vers == TLS1_2_VERSION
            && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
        result = DOWNGRADE_TO_1_2;
    } else if (!SSL_IS_DTLS(s)
               && vers < TLS1_2_VERSION
               /*
                * We need to ensure that a server that disables TLSv1.2
                * (creating a hole between TLSv1.3 and TLSv1.1) can still
                * complete handshakes with clients that support TLSv1.2 and
                * below. Therefore we do not enable the sentinel if TLSv1.3 is
                * enabled and TLSv1.2 is not.
                */
               && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
        result = DOWNGRADE_TO_1_1;
    }

    *dgrd = result;
}

/*
 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
 * client HELLO is received to select the final server protocol version and
 * the version specific method.
 *
 * @s: server SSL handle.
 * @hello: the parsed ClientHello (legacy_version and pre-processed extensions
 *         are read from it).
 * @dgrd: receives the downgrade sentinel to use in the ServerHello random.
 *
 * Returns 0 on success or an SSL error reason number on failure.
 */
int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
{
    /*-
     * With version-flexible methods we have an initial state with:
     *
     *   s->method->version == (D)TLS_ANY_VERSION,
     *   s->version == (D)TLS_MAX_VERSION.
     *
     * So we detect version-flexible methods via the method version, not the
     * handle version.
1707 */ 1708 int server_version = s->method->version; 1709 int client_version = hello->legacy_version; 1710 const version_info *vent; 1711 const version_info *table; 1712 int disabled = 0; 1713 RAW_EXTENSION *suppversions; 1714 1715 s->client_version = client_version; 1716 1717 switch (server_version) { 1718 default: 1719 if (!SSL_IS_TLS13(s)) { 1720 if (version_cmp(s, client_version, s->version) < 0) 1721 return SSL_R_WRONG_SSL_VERSION; 1722 *dgrd = DOWNGRADE_NONE; 1723 /* 1724 * If this SSL handle is not from a version flexible method we don't 1725 * (and never did) check min/max FIPS or Suite B constraints. Hope 1726 * that's OK. It is up to the caller to not choose fixed protocol 1727 * versions they don't want. If not, then easy to fix, just return 1728 * ssl_method_error(s, s->method) 1729 */ 1730 return 0; 1731 } 1732 /* 1733 * Fall through if we are TLSv1.3 already (this means we must be after 1734 * a HelloRetryRequest 1735 */ 1736 /* fall thru */ 1737 case TLS_ANY_VERSION: 1738 table = tls_version_table; 1739 break; 1740 case DTLS_ANY_VERSION: 1741 table = dtls_version_table; 1742 break; 1743 } 1744 1745 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions]; 1746 1747 /* If we did an HRR then supported versions is mandatory */ 1748 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE) 1749 return SSL_R_UNSUPPORTED_PROTOCOL; 1750 1751 if (suppversions->present && !SSL_IS_DTLS(s)) { 1752 unsigned int candidate_vers = 0; 1753 unsigned int best_vers = 0; 1754 const SSL_METHOD *best_method = NULL; 1755 PACKET versionslist; 1756 1757 suppversions->parsed = 1; 1758 1759 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) { 1760 /* Trailing or invalid data? */ 1761 return SSL_R_LENGTH_MISMATCH; 1762 } 1763 1764 /* 1765 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION. 
1766 * The spec only requires servers to check that it isn't SSLv3: 1767 * "Any endpoint receiving a Hello message with 1768 * ClientHello.legacy_version or ServerHello.legacy_version set to 1769 * 0x0300 MUST abort the handshake with a "protocol_version" alert." 1770 * We are slightly stricter and require that it isn't SSLv3 or lower. 1771 * We tolerate TLSv1 and TLSv1.1. 1772 */ 1773 if (client_version <= SSL3_VERSION) 1774 return SSL_R_BAD_LEGACY_VERSION; 1775 1776 while (PACKET_get_net_2(&versionslist, &candidate_vers)) { 1777 if (version_cmp(s, candidate_vers, best_vers) <= 0) 1778 continue; 1779 if (ssl_version_supported(s, candidate_vers, &best_method)) 1780 best_vers = candidate_vers; 1781 } 1782 if (PACKET_remaining(&versionslist) != 0) { 1783 /* Trailing data? */ 1784 return SSL_R_LENGTH_MISMATCH; 1785 } 1786 1787 if (best_vers > 0) { 1788 if (s->hello_retry_request != SSL_HRR_NONE) { 1789 /* 1790 * This is after a HelloRetryRequest so we better check that we 1791 * negotiated TLSv1.3 1792 */ 1793 if (best_vers != TLS1_3_VERSION) 1794 return SSL_R_UNSUPPORTED_PROTOCOL; 1795 return 0; 1796 } 1797 check_for_downgrade(s, best_vers, dgrd); 1798 s->version = best_vers; 1799 s->method = best_method; 1800 return 0; 1801 } 1802 return SSL_R_UNSUPPORTED_PROTOCOL; 1803 } 1804 1805 /* 1806 * If the supported versions extension isn't present, then the highest 1807 * version we can negotiate is TLSv1.2 1808 */ 1809 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0) 1810 client_version = TLS1_2_VERSION; 1811 1812 /* 1813 * No supported versions extension, so we just use the version supplied in 1814 * the ClientHello. 
1815 */ 1816 for (vent = table; vent->version != 0; ++vent) { 1817 const SSL_METHOD *method; 1818 1819 if (vent->smeth == NULL || 1820 version_cmp(s, client_version, vent->version) < 0) 1821 continue; 1822 method = vent->smeth(); 1823 if (ssl_method_error(s, method) == 0) { 1824 check_for_downgrade(s, vent->version, dgrd); 1825 s->version = vent->version; 1826 s->method = method; 1827 return 0; 1828 } 1829 disabled = 1; 1830 } 1831 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW; 1832 } 1833 1834 /* 1835 * ssl_choose_client_version - Choose client (D)TLS version. Called when the 1836 * server HELLO is received to select the final client protocol version and 1837 * the version specific method. 1838 * 1839 * @s: client SSL handle. 1840 * @version: The proposed version from the server's HELLO. 1841 * @extensions: The extensions received 1842 * 1843 * Returns 1 on success or 0 on error. 1844 */ 1845 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions) 1846 { 1847 const version_info *vent; 1848 const version_info *table; 1849 int ret, ver_min, ver_max, real_max, origv; 1850 1851 origv = s->version; 1852 s->version = version; 1853 1854 /* This will overwrite s->version if the extension is present */ 1855 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions, 1856 SSL_EXT_TLS1_2_SERVER_HELLO 1857 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions, 1858 NULL, 0)) { 1859 s->version = origv; 1860 return 0; 1861 } 1862 1863 if (s->hello_retry_request != SSL_HRR_NONE 1864 && s->version != TLS1_3_VERSION) { 1865 s->version = origv; 1866 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1867 SSL_R_WRONG_SSL_VERSION); 1868 return 0; 1869 } 1870 1871 switch (s->method->version) { 1872 default: 1873 if (s->version != s->method->version) { 1874 s->version = origv; 1875 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1876 SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1877 SSL_R_WRONG_SSL_VERSION); 1878 return 0; 1879 } 1880 /* 1881 * If this SSL 
handle is not from a version flexible method we don't 1882 * (and never did) check min/max, FIPS or Suite B constraints. Hope 1883 * that's OK. It is up to the caller to not choose fixed protocol 1884 * versions they don't want. If not, then easy to fix, just return 1885 * ssl_method_error(s, s->method) 1886 */ 1887 return 1; 1888 case TLS_ANY_VERSION: 1889 table = tls_version_table; 1890 break; 1891 case DTLS_ANY_VERSION: 1892 table = dtls_version_table; 1893 break; 1894 } 1895 1896 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max); 1897 if (ret != 0) { 1898 s->version = origv; 1899 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1900 SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret); 1901 return 0; 1902 } 1903 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min) 1904 : s->version < ver_min) { 1905 s->version = origv; 1906 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1907 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); 1908 return 0; 1909 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max) 1910 : s->version > ver_max) { 1911 s->version = origv; 1912 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1913 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); 1914 return 0; 1915 } 1916 1917 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0) 1918 real_max = ver_max; 1919 1920 /* Check for downgrades */ 1921 if (s->version == TLS1_2_VERSION && real_max > s->version) { 1922 if (memcmp(tls12downgrade, 1923 s->s3->server_random + SSL3_RANDOM_SIZE 1924 - sizeof(tls12downgrade), 1925 sizeof(tls12downgrade)) == 0) { 1926 s->version = origv; 1927 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1928 SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1929 SSL_R_INAPPROPRIATE_FALLBACK); 1930 return 0; 1931 } 1932 } else if (!SSL_IS_DTLS(s) 1933 && s->version < TLS1_2_VERSION 1934 && real_max > s->version) { 1935 if (memcmp(tls11downgrade, 1936 s->s3->server_random + SSL3_RANDOM_SIZE 1937 - sizeof(tls11downgrade), 1938 sizeof(tls11downgrade)) == 0) { 1939 s->version = origv; 1940 SSLfatal(s, 
SSL_AD_ILLEGAL_PARAMETER, 1941 SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1942 SSL_R_INAPPROPRIATE_FALLBACK); 1943 return 0; 1944 } 1945 } 1946 1947 for (vent = table; vent->version != 0; ++vent) { 1948 if (vent->cmeth == NULL || s->version != vent->version) 1949 continue; 1950 1951 s->method = vent->cmeth(); 1952 return 1; 1953 } 1954 1955 s->version = origv; 1956 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION, 1957 SSL_R_UNSUPPORTED_PROTOCOL); 1958 return 0; 1959 } 1960 1961 /* 1962 * ssl_get_min_max_version - get minimum and maximum protocol version 1963 * @s: The SSL connection 1964 * @min_version: The minimum supported version 1965 * @max_version: The maximum supported version 1966 * @real_max: The highest version below the lowest compile time version hole 1967 * where that hole lies above at least one run-time enabled 1968 * protocol. 1969 * 1970 * Work out what version we should be using for the initial ClientHello if the 1971 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx 1972 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B 1973 * constraints and any floor imposed by the security level here, 1974 * so we don't advertise the wrong protocol version to only reject the outcome later. 1975 * 1976 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled, 1977 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol 1978 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1. 1979 * 1980 * Returns 0 on success or an SSL error reason number on failure. On failure 1981 * min_version and max_version will also be set to 0. 
*/
int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
                            int *real_max)
{
    int version = 0;
    int tmp_real_max = 0;
    int hole = 1;
    const SSL_METHOD *method;
    const version_info *table;
    const version_info *vent;

    if (s->method->version == TLS_ANY_VERSION) {
        table = tls_version_table;
    } else if (s->method->version == DTLS_ANY_VERSION) {
        table = dtls_version_table;
    } else {
        /*
         * If this SSL handle is not from a version flexible method we don't
         * (and never did) check min/max FIPS or Suite B constraints. Hope
         * that's OK. It is up to the caller to not choose fixed protocol
         * versions they don't want. If not, then easy to fix, just return
         * ssl_method_error(s, s->method)
         */
        *min_version = *max_version = s->version;
        /*
         * Providing a real_max only makes sense where we're using a version
         * flexible method.
         */
        if (!ossl_assert(real_max == NULL))
            return ERR_R_INTERNAL_ERROR;
        return 0;
    }

    /*
     * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
     * below X enabled. This is required in order to maintain the "version
     * capability" vector contiguous. Any versions with a NULL client method
     * (protocol version client is disabled at compile-time) is also a "hole".
     *
     * Our initial state is hole == 1, version == 0. That is, versions above
     * the first version in the method table are disabled (a "hole" above
     * the valid protocol entries) and we don't have a selected version yet.
     *
     * Whenever "hole == 1", and we hit an enabled method, its version becomes
     * the selected version (conceptually a candidate "single" method). We're
     * no longer in a hole, so "hole" becomes 0.
     *
     * If "hole == 0" and we hit an enabled method, then we support a
     * contiguous range of at least two methods and only the floor moves down.
     * If we hit a disabled method, then hole becomes true again, but nothing
     * else changes yet, because all the remaining methods may be disabled too.
     * If we again hit an enabled method after the new hole, it becomes
     * selected, as we start from scratch.
     */
    *min_version = 0;
    if (real_max != NULL)
        *real_max = 0;

    for (vent = table; vent->version != 0; ++vent) {
        /*
         * A table entry with a NULL client method is still a hole in the
         * "version capability" vector.
         */
        if (vent->cmeth == NULL) {
            hole = 1;
            tmp_real_max = 0;
            continue;
        }
        method = vent->cmeth();

        /* Remember the first compiled-in version directly below a hole */
        if (hole == 1 && tmp_real_max == 0)
            tmp_real_max = vent->version;

        if (ssl_method_error(s, method) != 0) {
            /* Disabled at run time: opens (or extends) a hole */
            hole = 1;
            continue;
        }

        if (!hole) {
            /* Contiguous with the previous enabled version: lower the floor */
            *min_version = method->version;
            continue;
        }

        /* First enabled version after a hole: restart from this one */
        if (real_max != NULL && tmp_real_max != 0)
            *real_max = tmp_real_max;
        version = method->version;
        *min_version = version;
        hole = 0;
    }

    *max_version = version;

    /* Fail if everything is disabled */
    if (version == 0)
        return SSL_R_NO_PROTOCOLS_AVAILABLE;

    return 0;
}

/*
 * ssl_set_client_hello_version - Work out what version we should be using for
 * the initial ClientHello.legacy_version field.
 *
 * @s: client SSL handle.
 *
 * Returns 0 on success or an SSL error reason number on failure.
 */
int ssl_set_client_hello_version(SSL *s)
{
    int ver_min, ver_max, ret;

    /*
     * In a renegotiation we always send the same client_version that we sent
     * last time, regardless of which version we eventually negotiated.
     */
    if (!SSL_IS_FIRST_HANDSHAKE(s))
        return 0;

    ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
    if (ret != 0)
        return ret;

    s->version = ver_max;

    /* TLS1.3 always uses TLS1.2 in the legacy_version field */
    s->client_version = (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
        ? TLS1_2_VERSION
        : ver_max;

    return 0;
}

/*
 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
 * and |checkallow| is 1 then additionally check if the group is allowed to be
 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
 * 1) or 0 otherwise.
 */
#ifndef OPENSSL_NO_EC
int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
                  size_t num_groups, int checkallow)
{
    const uint16_t *cur;
    const uint16_t *end;

    if (groups == NULL || num_groups == 0)
        return 0;

    end = groups + num_groups;
    for (cur = groups; cur < end; cur++) {
        if (*cur != group_id)
            continue;
        /* A disallowed duplicate does not stop the scan for a later match */
        if (!checkallow
                || tls_curve_allowed(s, *cur, SSL_SECOP_CURVE_CHECK))
            return 1;
    }

    return 0;
}
#endif

/* Replace ClientHello1 in the transcript hash with a synthetic message */
int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
                                  size_t hashlen, const unsigned char *hrr,
                                  size_t hrrlen)
{
    unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
    unsigned char msghdr[SSL3_HM_HEADER_LENGTH];

    memset(msghdr, 0, sizeof(msghdr));

    if (hashval == NULL) {
        hashval = hashvaltmp;
        hashlen = 0;
        /* Get the hash of the initial ClientHello */
        if (!ssl3_digest_cached_records(s, 0)
                || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
                                       &hashlen)) {
            /* SSLfatal() already called */
            return 0;
        }
    }

    /* Reinitialise the transcript hash */
    if (!ssl3_init_finished_mac(s)) {
        /*
SSLfatal() already called */ 2170 return 0; 2171 } 2172 2173 /* Inject the synthetic message_hash message */ 2174 msghdr[0] = SSL3_MT_MESSAGE_HASH; 2175 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen; 2176 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH) 2177 || !ssl3_finish_mac(s, hashval, hashlen)) { 2178 /* SSLfatal() already called */ 2179 return 0; 2180 } 2181 2182 /* 2183 * Now re-inject the HRR and current message if appropriate (we just deleted 2184 * it when we reinitialised the transcript hash above). Only necessary after 2185 * receiving a ClientHello2 with a cookie. 2186 */ 2187 if (hrr != NULL 2188 && (!ssl3_finish_mac(s, hrr, hrrlen) 2189 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 2190 s->s3->tmp.message_size 2191 + SSL3_HM_HEADER_LENGTH))) { 2192 /* SSLfatal() already called */ 2193 return 0; 2194 } 2195 2196 return 1; 2197 } 2198 2199 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b) 2200 { 2201 return X509_NAME_cmp(*a, *b); 2202 } 2203 2204 int parse_ca_names(SSL *s, PACKET *pkt) 2205 { 2206 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp); 2207 X509_NAME *xn = NULL; 2208 PACKET cadns; 2209 2210 if (ca_sk == NULL) { 2211 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES, 2212 ERR_R_MALLOC_FAILURE); 2213 goto err; 2214 } 2215 /* get the CA RDNs */ 2216 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) { 2217 SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES, 2218 SSL_R_LENGTH_MISMATCH); 2219 goto err; 2220 } 2221 2222 while (PACKET_remaining(&cadns)) { 2223 const unsigned char *namestart, *namebytes; 2224 unsigned int name_len; 2225 2226 if (!PACKET_get_net_2(&cadns, &name_len) 2227 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) { 2228 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES, 2229 SSL_R_LENGTH_MISMATCH); 2230 goto err; 2231 } 2232 2233 namestart = namebytes; 2234 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) { 2235 SSLfatal(s, 
SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES, 2236 ERR_R_ASN1_LIB); 2237 goto err; 2238 } 2239 if (namebytes != (namestart + name_len)) { 2240 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES, 2241 SSL_R_CA_DN_LENGTH_MISMATCH); 2242 goto err; 2243 } 2244 2245 if (!sk_X509_NAME_push(ca_sk, xn)) { 2246 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES, 2247 ERR_R_MALLOC_FAILURE); 2248 goto err; 2249 } 2250 xn = NULL; 2251 } 2252 2253 sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); 2254 s->s3->tmp.peer_ca_names = ca_sk; 2255 2256 return 1; 2257 2258 err: 2259 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); 2260 X509_NAME_free(xn); 2261 return 0; 2262 } 2263 2264 int construct_ca_names(SSL *s, WPACKET *pkt) 2265 { 2266 const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s); 2267 2268 /* Start sub-packet for client CA list */ 2269 if (!WPACKET_start_sub_packet_u16(pkt)) { 2270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES, 2271 ERR_R_INTERNAL_ERROR); 2272 return 0; 2273 } 2274 2275 if (ca_sk != NULL) { 2276 int i; 2277 2278 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) { 2279 unsigned char *namebytes; 2280 X509_NAME *name = sk_X509_NAME_value(ca_sk, i); 2281 int namelen; 2282 2283 if (name == NULL 2284 || (namelen = i2d_X509_NAME(name, NULL)) < 0 2285 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen, 2286 &namebytes) 2287 || i2d_X509_NAME(name, &namebytes) != namelen) { 2288 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES, 2289 ERR_R_INTERNAL_ERROR); 2290 return 0; 2291 } 2292 } 2293 } 2294 2295 if (!WPACKET_close(pkt)) { 2296 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES, 2297 ERR_R_INTERNAL_ERROR); 2298 return 0; 2299 } 2300 2301 return 1; 2302 } 2303 2304 /* Create a buffer containing data to be signed for server key exchange */ 2305 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs, 2306 const void *param, size_t paramlen) 2307 { 2308 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen; 2309 
unsigned char *tbs = OPENSSL_malloc(tbslen); 2310 2311 if (tbs == NULL) { 2312 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS, 2313 ERR_R_MALLOC_FAILURE); 2314 return 0; 2315 } 2316 memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE); 2317 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE); 2318 2319 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen); 2320 2321 *ptbs = tbs; 2322 return tbslen; 2323 } 2324 2325 /* 2326 * Saves the current handshake digest for Post-Handshake Auth, 2327 * Done after ClientFinished is processed, done exactly once 2328 */ 2329 int tls13_save_handshake_digest_for_pha(SSL *s) 2330 { 2331 if (s->pha_dgst == NULL) { 2332 if (!ssl3_digest_cached_records(s, 1)) 2333 /* SSLfatal() already called */ 2334 return 0; 2335 2336 s->pha_dgst = EVP_MD_CTX_new(); 2337 if (s->pha_dgst == NULL) { 2338 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2339 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA, 2340 ERR_R_INTERNAL_ERROR); 2341 return 0; 2342 } 2343 if (!EVP_MD_CTX_copy_ex(s->pha_dgst, 2344 s->s3->handshake_dgst)) { 2345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2346 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA, 2347 ERR_R_INTERNAL_ERROR); 2348 return 0; 2349 } 2350 } 2351 return 1; 2352 } 2353 2354 /* 2355 * Restores the Post-Handshake Auth handshake digest 2356 * Done just before sending/processing the Cert Request 2357 */ 2358 int tls13_restore_handshake_digest_for_pha(SSL *s) 2359 { 2360 if (s->pha_dgst == NULL) { 2361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2362 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA, 2363 ERR_R_INTERNAL_ERROR); 2364 return 0; 2365 } 2366 if (!EVP_MD_CTX_copy_ex(s->s3->handshake_dgst, 2367 s->pha_dgst)) { 2368 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2369 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA, 2370 ERR_R_INTERNAL_ERROR); 2371 return 0; 2372 } 2373 return 1; 2374 } 2375