1 /* 2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include <limits.h> 12 #include <string.h> 13 #include <stdio.h> 14 #include "../ssl_local.h" 15 #include "statem_local.h" 16 #include "internal/cryptlib.h" 17 #include "internal/ssl_unwrap.h" 18 #include <openssl/buffer.h> 19 #include <openssl/objects.h> 20 #include <openssl/evp.h> 21 #include <openssl/rsa.h> 22 #include <openssl/x509.h> 23 #include <openssl/trace.h> 24 #include <openssl/encoder.h> 25 26 /* 27 * Map error codes to TLS/SSL alart types. 28 */ 29 typedef struct x509err2alert_st { 30 int x509err; 31 int alert; 32 } X509ERR2ALERT; 33 34 /* Fixed value used in the ServerHello random field to identify an HRR */ 35 const unsigned char hrrrandom[] = { 36 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 37 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 38 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c 39 }; 40 41 int ossl_statem_set_mutator(SSL *s, 42 ossl_statem_mutate_handshake_cb mutate_handshake_cb, 43 ossl_statem_finish_mutate_handshake_cb finish_mutate_handshake_cb, 44 void *mutatearg) 45 { 46 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); 47 48 if (sc == NULL) 49 return 0; 50 51 sc->statem.mutate_handshake_cb = mutate_handshake_cb; 52 sc->statem.mutatearg = mutatearg; 53 sc->statem.finish_mutate_handshake_cb = finish_mutate_handshake_cb; 54 55 return 1; 56 } 57 58 /* 59 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or 60 * SSL3_RT_CHANGE_CIPHER_SPEC) 61 */ 62 int ssl3_do_write(SSL_CONNECTION *s, uint8_t type) 63 { 64 int ret; 65 size_t written = 0; 66 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 67 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 68 69 /* 70 * If we're running the test suite then we may need to mutate the message 71 * we've been asked to write. Does not happen in normal operation. 72 */ 73 if (s->statem.mutate_handshake_cb != NULL 74 && !s->statem.write_in_progress 75 && type == SSL3_RT_HANDSHAKE 76 && s->init_num >= SSL3_HM_HEADER_LENGTH) { 77 unsigned char *msg; 78 size_t msglen; 79 80 if (!s->statem.mutate_handshake_cb((unsigned char *)s->init_buf->data, 81 s->init_num, 82 &msg, &msglen, 83 s->statem.mutatearg)) 84 return -1; 85 if (msglen < SSL3_HM_HEADER_LENGTH 86 || !BUF_MEM_grow(s->init_buf, msglen)) 87 return -1; 88 memcpy(s->init_buf->data, msg, msglen); 89 s->init_num = msglen; 90 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; 91 s->statem.finish_mutate_handshake_cb(s->statem.mutatearg); 92 s->statem.write_in_progress = 1; 93 } 94 95 ret = ssl3_write_bytes(ssl, type, &s->init_buf->data[s->init_off], 96 s->init_num, &written); 97 if (ret <= 0) 98 return -1; 99 if (type == SSL3_RT_HANDSHAKE) 100 /* 101 * should not be done for 'Hello Request's, but in that case we'll 102 * ignore the result anyway 103 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added 104 */ 105 if (!SSL_CONNECTION_IS_TLS13(s) 106 || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET 107 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE 108 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE)) 109 if (!ssl3_finish_mac(s, 110 (unsigned char *)&s->init_buf->data[s->init_off], 111 written)) 112 return -1; 113 if (written == s->init_num) { 114 s->statem.write_in_progress = 0; 115 if (s->msg_callback) 116 s->msg_callback(1, s->version, type, s->init_buf->data, 117 (size_t)(s->init_off + s->init_num), ussl, 118 s->msg_callback_arg); 119 return 1; 120 } 121 s->init_off += written; 122 s->init_num -= written; 123 return 0; 124 } 125 126 int tls_close_construct_packet(SSL_CONNECTION *s, WPACKET *pkt, int htype) 127 { 128 size_t msglen; 129 130 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt)) 131 || !WPACKET_get_length(pkt, &msglen) 132 || msglen > INT_MAX) 133 return 0; 134 s->init_num = (int)msglen; 135 s->init_off = 0; 136 137 return 1; 138 } 139 140 int tls_setup_handshake(SSL_CONNECTION *s) 141 { 142 int ver_min, ver_max, ok; 143 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 144 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 145 146 if (!ssl3_init_finished_mac(s)) { 147 /* SSLfatal() already called */ 148 return 0; 149 } 150 151 /* Reset any extension flags */ 152 memset(s->ext.extflags, 0, sizeof(s->ext.extflags)); 153 154 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) { 155 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE); 156 return 0; 157 } 158 159 /* Sanity check that we have MD5-SHA1 if we need it */ 160 if (sctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) { 161 int negotiated_minversion; 162 int md5sha1_needed_maxversion = SSL_CONNECTION_IS_DTLS(s) 163 ? DTLS1_VERSION : TLS1_1_VERSION; 164 165 /* We don't have MD5-SHA1 - do we need it? */ 166 if (ssl_version_cmp(s, ver_max, md5sha1_needed_maxversion) <= 0) { 167 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE, 168 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM, 169 "The max supported SSL/TLS version needs the" 170 " MD5-SHA1 digest but it is not available" 171 " in the loaded providers. Use (D)TLSv1.2 or" 172 " above, or load different providers"); 173 return 0; 174 } 175 176 ok = 1; 177 178 /* Don't allow TLSv1.1 or below to be negotiated */ 179 negotiated_minversion = SSL_CONNECTION_IS_DTLS(s) ? 180 DTLS1_2_VERSION : TLS1_2_VERSION; 181 if (ssl_version_cmp(s, ver_min, negotiated_minversion) < 0) 182 ok = SSL_set_min_proto_version(ssl, negotiated_minversion); 183 if (!ok) { 184 /* Shouldn't happen */ 185 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); 186 return 0; 187 } 188 } 189 190 ok = 0; 191 if (s->server) { 192 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl); 193 int i; 194 195 /* 196 * Sanity check that the maximum version we accept has ciphers 197 * enabled. For clients we do this check during construction of the 198 * ClientHello. 199 */ 200 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 201 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); 202 int cipher_minprotover = SSL_CONNECTION_IS_DTLS(s) 203 ? c->min_dtls : c->min_tls; 204 int cipher_maxprotover = SSL_CONNECTION_IS_DTLS(s) 205 ? c->max_dtls : c->max_tls; 206 207 if (ssl_version_cmp(s, ver_max, cipher_minprotover) >= 0 208 && ssl_version_cmp(s, ver_max, cipher_maxprotover) <= 0) { 209 ok = 1; 210 break; 211 } 212 } 213 if (!ok) { 214 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE, 215 SSL_R_NO_CIPHERS_AVAILABLE, 216 "No ciphers enabled for max supported " 217 "SSL/TLS version"); 218 return 0; 219 } 220 if (SSL_IS_FIRST_HANDSHAKE(s)) { 221 /* N.B. s->session_ctx == s->ctx here */ 222 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept); 223 } else { 224 /* N.B. s->ctx may not equal s->session_ctx */ 225 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_renegotiate); 226 227 s->s3.tmp.cert_request = 0; 228 } 229 } else { 230 if (SSL_IS_FIRST_HANDSHAKE(s)) 231 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect); 232 else 233 ssl_tsan_counter(s->session_ctx, 234 &s->session_ctx->stats.sess_connect_renegotiate); 235 236 /* mark client_random uninitialized */ 237 memset(s->s3.client_random, 0, sizeof(s->s3.client_random)); 238 s->hit = 0; 239 240 s->s3.tmp.cert_req = 0; 241 242 if (SSL_CONNECTION_IS_DTLS(s)) 243 s->statem.use_timer = 1; 244 } 245 246 return 1; 247 } 248 249 /* 250 * Size of the to-be-signed TLS13 data, without the hash size itself: 251 * 64 bytes of value 32, 33 context bytes, 1 byte separator 252 */ 253 #define TLS13_TBS_START_SIZE 64 254 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1) 255 256 static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs, 257 void **hdata, size_t *hdatalen) 258 { 259 /* ASCII: "TLS 1.3, server CertificateVerify", in hex for EBCDIC compatibility */ 260 static const char servercontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x73\x65\x72" 261 "\x76\x65\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79"; 262 /* ASCII: "TLS 1.3, client CertificateVerify", in hex for EBCDIC compatibility */ 263 static const char clientcontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x63\x6c\x69" 264 "\x65\x6e\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79"; 265 266 if (SSL_CONNECTION_IS_TLS13(s)) { 267 size_t hashlen; 268 269 /* Set the first 64 bytes of to-be-signed data to octet 32 */ 270 memset(tls13tbs, 32, TLS13_TBS_START_SIZE); 271 /* This copies the 33 bytes of context plus the 0 separator byte */ 272 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY 273 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY) 274 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext); 275 else 276 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext); 277 278 /* 279 * If we're currently reading then we need to use the saved handshake 280 * hash value. We can't use the current handshake hash state because 281 * that includes the CertVerify itself. 282 */ 283 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY 284 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) { 285 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash, 286 s->cert_verify_hash_len); 287 hashlen = s->cert_verify_hash_len; 288 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE, 289 EVP_MAX_MD_SIZE, &hashlen)) { 290 /* SSLfatal() already called */ 291 return 0; 292 } 293 294 *hdata = tls13tbs; 295 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen; 296 } else { 297 size_t retlen; 298 long retlen_l; 299 300 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata); 301 if (retlen_l <= 0) { 302 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 303 return 0; 304 } 305 *hdatalen = retlen; 306 } 307 308 return 1; 309 } 310 311 CON_FUNC_RETURN tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt) 312 { 313 EVP_PKEY *pkey = NULL; 314 const EVP_MD *md = NULL; 315 EVP_MD_CTX *mctx = NULL; 316 EVP_PKEY_CTX *pctx = NULL; 317 size_t hdatalen = 0, siglen = 0; 318 void *hdata; 319 unsigned char *sig = NULL; 320 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; 321 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg; 322 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 323 324 if (lu == NULL || s->s3.tmp.cert == NULL) { 325 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 326 goto err; 327 } 328 pkey = s->s3.tmp.cert->privatekey; 329 330 if (pkey == NULL || !tls1_lookup_md(sctx, lu, &md)) { 331 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 332 goto err; 333 } 334 335 mctx = EVP_MD_CTX_new(); 336 if (mctx == NULL) { 337 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 338 goto err; 339 } 340 341 /* Get the data to be signed */ 342 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { 343 /* SSLfatal() already called */ 344 goto err; 345 } 346 347 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { 348 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 349 goto err; 350 } 351 352 if (EVP_DigestSignInit_ex(mctx, &pctx, 353 md == NULL ? NULL : EVP_MD_get0_name(md), 354 sctx->libctx, sctx->propq, pkey, 355 NULL) <= 0) { 356 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 357 goto err; 358 } 359 360 if (lu->sig == EVP_PKEY_RSA_PSS) { 361 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 362 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 363 RSA_PSS_SALTLEN_DIGEST) <= 0) { 364 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 365 goto err; 366 } 367 } 368 if (s->version == SSL3_VERSION) { 369 /* 370 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal 371 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them. 372 */ 373 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0 374 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, 375 (int)s->session->master_key_length, 376 s->session->master_key) <= 0 377 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) { 378 379 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 380 goto err; 381 } 382 sig = OPENSSL_malloc(siglen); 383 if (sig == NULL 384 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) { 385 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 386 goto err; 387 } 388 } else { 389 /* 390 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not 391 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal 392 */ 393 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) { 394 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 395 goto err; 396 } 397 sig = OPENSSL_malloc(siglen); 398 if (sig == NULL 399 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) { 400 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 401 goto err; 402 } 403 } 404 405 #ifndef OPENSSL_NO_GOST 406 { 407 int pktype = lu->sig; 408 409 if (pktype == NID_id_GostR3410_2001 410 || pktype == NID_id_GostR3410_2012_256 411 || pktype == NID_id_GostR3410_2012_512) 412 BUF_reverse(sig, NULL, siglen); 413 } 414 #endif 415 416 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) { 417 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 418 goto err; 419 } 420 421 /* Digest cached records and discard handshake buffer */ 422 if (!ssl3_digest_cached_records(s, 0)) { 423 /* SSLfatal() already called */ 424 goto err; 425 } 426 427 OPENSSL_free(sig); 428 EVP_MD_CTX_free(mctx); 429 return CON_FUNC_SUCCESS; 430 err: 431 OPENSSL_free(sig); 432 EVP_MD_CTX_free(mctx); 433 return CON_FUNC_ERROR; 434 } 435 436 MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt) 437 { 438 EVP_PKEY *pkey = NULL; 439 const unsigned char *data; 440 #ifndef OPENSSL_NO_GOST 441 unsigned char *gost_data = NULL; 442 #endif 443 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; 444 int j; 445 unsigned int len; 446 const EVP_MD *md = NULL; 447 size_t hdatalen = 0; 448 void *hdata; 449 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; 450 EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 451 EVP_PKEY_CTX *pctx = NULL; 452 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 453 454 if (mctx == NULL) { 455 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 456 goto err; 457 } 458 459 pkey = tls_get_peer_pkey(s); 460 if (pkey == NULL) { 461 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 462 goto err; 463 } 464 465 if (ssl_cert_lookup_by_pkey(pkey, NULL, sctx) == NULL) { 466 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 467 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 468 goto err; 469 } 470 471 if (SSL_USE_SIGALGS(s)) { 472 unsigned int sigalg; 473 474 if (!PACKET_get_net_2(pkt, &sigalg)) { 475 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET); 476 goto err; 477 } 478 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) { 479 /* SSLfatal() already called */ 480 goto err; 481 } 482 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { 483 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 484 SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED); 485 goto err; 486 } 487 488 if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) { 489 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 490 goto err; 491 } 492 493 if (SSL_USE_SIGALGS(s)) 494 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n", 495 md == NULL ? "n/a" : EVP_MD_get0_name(md)); 496 497 /* Check for broken implementations of GOST ciphersuites */ 498 /* 499 * If key is GOST and len is exactly 64 or 128, it is signature without 500 * length field (CryptoPro implementations at least till TLS 1.2) 501 */ 502 #ifndef OPENSSL_NO_GOST 503 if (!SSL_USE_SIGALGS(s) 504 && ((PACKET_remaining(pkt) == 64 505 && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001 506 || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256)) 507 || (PACKET_remaining(pkt) == 128 508 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) { 509 len = PACKET_remaining(pkt); 510 } else 511 #endif 512 if (!PACKET_get_net_2(pkt, &len)) { 513 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 514 goto err; 515 } 516 517 if (!PACKET_get_bytes(pkt, &data, len)) { 518 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 519 goto err; 520 } 521 if (PACKET_remaining(pkt) != 0) { 522 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 523 goto err; 524 } 525 526 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { 527 /* SSLfatal() already called */ 528 goto err; 529 } 530 531 OSSL_TRACE1(TLS, "Using client verify alg %s\n", 532 md == NULL ? "n/a" : EVP_MD_get0_name(md)); 533 534 if (EVP_DigestVerifyInit_ex(mctx, &pctx, 535 md == NULL ? NULL : EVP_MD_get0_name(md), 536 sctx->libctx, sctx->propq, pkey, 537 NULL) <= 0) { 538 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 539 goto err; 540 } 541 #ifndef OPENSSL_NO_GOST 542 { 543 int pktype = EVP_PKEY_get_id(pkey); 544 if (pktype == NID_id_GostR3410_2001 545 || pktype == NID_id_GostR3410_2012_256 546 || pktype == NID_id_GostR3410_2012_512) { 547 if ((gost_data = OPENSSL_malloc(len)) == NULL) 548 goto err; 549 BUF_reverse(gost_data, data, len); 550 data = gost_data; 551 } 552 } 553 #endif 554 555 if (SSL_USE_PSS(s)) { 556 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 557 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 558 RSA_PSS_SALTLEN_DIGEST) <= 0) { 559 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 560 goto err; 561 } 562 } 563 if (s->version == SSL3_VERSION) { 564 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0 565 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, 566 (int)s->session->master_key_length, 567 s->session->master_key) <= 0) { 568 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 569 goto err; 570 } 571 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) { 572 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); 573 goto err; 574 } 575 } else { 576 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen); 577 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 578 /* Ignore bad signatures when fuzzing */ 579 if (SSL_IS_QUIC_HANDSHAKE(s)) 580 j = 1; 581 #endif 582 if (j <= 0) { 583 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); 584 goto err; 585 } 586 } 587 588 /* 589 * In TLSv1.3 on the client side we make sure we prepare the client 590 * certificate after the CertVerify instead of when we get the 591 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest 592 * comes *before* the Certificate message. In TLSv1.2 it comes after. We 593 * want to make sure that SSL_get1_peer_certificate() will return the actual 594 * server certificate from the client_cert_cb callback. 595 */ 596 if (!s->server && SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.cert_req == 1) 597 ret = MSG_PROCESS_CONTINUE_PROCESSING; 598 else 599 ret = MSG_PROCESS_CONTINUE_READING; 600 err: 601 BIO_free(s->s3.handshake_buffer); 602 s->s3.handshake_buffer = NULL; 603 EVP_MD_CTX_free(mctx); 604 #ifndef OPENSSL_NO_GOST 605 OPENSSL_free(gost_data); 606 #endif 607 return ret; 608 } 609 610 CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) 611 { 612 size_t finish_md_len; 613 const char *sender; 614 size_t slen; 615 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 616 617 /* This is a real handshake so make sure we clean it up at the end */ 618 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED) 619 s->statem.cleanuphand = 1; 620 621 /* 622 * If we attempted to write early data or we're in middlebox compat mode 623 * then we deferred changing the handshake write keys to the last possible 624 * moment. If we didn't already do this when we sent the client certificate 625 * then we need to do it now. 626 */ 627 if (SSL_CONNECTION_IS_TLS13(s) 628 && !s->server 629 && !SSL_IS_QUIC_HANDSHAKE(s) 630 && (s->early_data_state != SSL_EARLY_DATA_NONE 631 || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) 632 && s->s3.tmp.cert_req == 0 633 && (!ssl->method->ssl3_enc->change_cipher_state(s, 634 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {; 635 /* SSLfatal() already called */ 636 return CON_FUNC_ERROR; 637 } 638 639 if (s->server) { 640 sender = ssl->method->ssl3_enc->server_finished_label; 641 slen = ssl->method->ssl3_enc->server_finished_label_len; 642 } else { 643 sender = ssl->method->ssl3_enc->client_finished_label; 644 slen = ssl->method->ssl3_enc->client_finished_label_len; 645 } 646 647 finish_md_len = ssl->method->ssl3_enc->final_finish_mac(s, 648 sender, slen, 649 s->s3.tmp.finish_md); 650 if (finish_md_len == 0) { 651 /* SSLfatal() already called */ 652 return CON_FUNC_ERROR; 653 } 654 655 s->s3.tmp.finish_md_len = finish_md_len; 656 657 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) { 658 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 659 return CON_FUNC_ERROR; 660 } 661 662 /* 663 * Log the master secret, if logging is enabled. We don't log it for 664 * TLSv1.3: there's a different key schedule for that. 665 */ 666 if (!SSL_CONNECTION_IS_TLS13(s) 667 && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key, 668 s->session->master_key_length)) { 669 /* SSLfatal() already called */ 670 return CON_FUNC_ERROR; 671 } 672 673 /* 674 * Copy the finished so we can use it for renegotiation checks 675 */ 676 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) { 677 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 678 return CON_FUNC_ERROR; 679 } 680 if (!s->server) { 681 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md, 682 finish_md_len); 683 s->s3.previous_client_finished_len = finish_md_len; 684 } else { 685 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md, 686 finish_md_len); 687 s->s3.previous_server_finished_len = finish_md_len; 688 } 689 690 return CON_FUNC_SUCCESS; 691 } 692 693 CON_FUNC_RETURN tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt) 694 { 695 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) { 696 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 697 return CON_FUNC_ERROR; 698 } 699 700 s->key_update = SSL_KEY_UPDATE_NONE; 701 return CON_FUNC_SUCCESS; 702 } 703 704 MSG_PROCESS_RETURN tls_process_key_update(SSL_CONNECTION *s, PACKET *pkt) 705 { 706 unsigned int updatetype; 707 708 /* 709 * A KeyUpdate message signals a key change so the end of the message must 710 * be on a record boundary. 711 */ 712 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { 713 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); 714 return MSG_PROCESS_ERROR; 715 } 716 717 if (!PACKET_get_1(pkt, &updatetype) 718 || PACKET_remaining(pkt) != 0) { 719 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE); 720 return MSG_PROCESS_ERROR; 721 } 722 723 /* 724 * There are only two defined key update types. Fail if we get a value we 725 * didn't recognise. 726 */ 727 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED 728 && updatetype != SSL_KEY_UPDATE_REQUESTED) { 729 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE); 730 return MSG_PROCESS_ERROR; 731 } 732 733 /* 734 * If we get a request for us to update our sending keys too then, we need 735 * to additionally send a KeyUpdate message. However that message should 736 * not also request an update (otherwise we get into an infinite loop). 737 */ 738 if (updatetype == SSL_KEY_UPDATE_REQUESTED) 739 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; 740 741 if (!tls13_update_key(s, 0)) { 742 /* SSLfatal() already called */ 743 return MSG_PROCESS_ERROR; 744 } 745 746 return MSG_PROCESS_FINISHED_READING; 747 } 748 749 /* 750 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen 751 * to far. 752 */ 753 int ssl3_take_mac(SSL_CONNECTION *s) 754 { 755 const char *sender; 756 size_t slen; 757 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 758 759 if (!s->server) { 760 sender = ssl->method->ssl3_enc->server_finished_label; 761 slen = ssl->method->ssl3_enc->server_finished_label_len; 762 } else { 763 sender = ssl->method->ssl3_enc->client_finished_label; 764 slen = ssl->method->ssl3_enc->client_finished_label_len; 765 } 766 767 s->s3.tmp.peer_finish_md_len = 768 ssl->method->ssl3_enc->final_finish_mac(s, sender, slen, 769 s->s3.tmp.peer_finish_md); 770 771 if (s->s3.tmp.peer_finish_md_len == 0) { 772 /* SSLfatal() already called */ 773 return 0; 774 } 775 776 return 1; 777 } 778 779 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL_CONNECTION *s, 780 PACKET *pkt) 781 { 782 size_t remain; 783 784 remain = PACKET_remaining(pkt); 785 /* 786 * 'Change Cipher Spec' is just a single byte, which should already have 787 * been consumed by ssl_get_message() so there should be no bytes left, 788 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes 789 */ 790 if (SSL_CONNECTION_IS_DTLS(s)) { 791 if ((s->version == DTLS1_BAD_VER 792 && remain != DTLS1_CCS_HEADER_LENGTH + 1) 793 || (s->version != DTLS1_BAD_VER 794 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) { 795 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC); 796 return MSG_PROCESS_ERROR; 797 } 798 } else { 799 if (remain != 0) { 800 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC); 801 return MSG_PROCESS_ERROR; 802 } 803 } 804 805 /* Check we have a cipher to change to */ 806 if (s->s3.tmp.new_cipher == NULL) { 807 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY); 808 return MSG_PROCESS_ERROR; 809 } 810 811 s->s3.change_cipher_spec = 1; 812 if (!ssl3_do_change_cipher_spec(s)) { 813 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 814 return MSG_PROCESS_ERROR; 815 } 816 817 if (SSL_CONNECTION_IS_DTLS(s)) { 818 if (s->version == DTLS1_BAD_VER) 819 s->d1->handshake_read_seq++; 820 821 #ifndef OPENSSL_NO_SCTP 822 /* 823 * Remember that a CCS has been received, so that an old key of 824 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no 825 * SCTP is used 826 */ 827 BIO_ctrl(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)), 828 BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL); 829 #endif 830 } 831 832 return MSG_PROCESS_CONTINUE_READING; 833 } 834 835 MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt) 836 { 837 size_t md_len; 838 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 839 int was_first = SSL_IS_FIRST_HANDSHAKE(s); 840 int ok; 841 842 843 /* This is a real handshake so make sure we clean it up at the end */ 844 if (s->server) { 845 /* 846 * To get this far we must have read encrypted data from the client. We 847 * no longer tolerate unencrypted alerts. This is ignored if less than 848 * TLSv1.3 849 */ 850 if (s->rlayer.rrlmethod->set_plain_alerts != NULL) 851 s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0); 852 if (s->post_handshake_auth != SSL_PHA_REQUESTED) 853 s->statem.cleanuphand = 1; 854 if (SSL_CONNECTION_IS_TLS13(s) 855 && !tls13_save_handshake_digest_for_pha(s)) { 856 /* SSLfatal() already called */ 857 return MSG_PROCESS_ERROR; 858 } 859 } 860 861 /* 862 * In TLSv1.3 a Finished message signals a key change so the end of the 863 * message must be on a record boundary. 864 */ 865 if (SSL_CONNECTION_IS_TLS13(s) 866 && RECORD_LAYER_processed_read_pending(&s->rlayer)) { 867 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); 868 return MSG_PROCESS_ERROR; 869 } 870 871 /* If this occurs, we have missed a message */ 872 if (!SSL_CONNECTION_IS_TLS13(s) && !s->s3.change_cipher_spec) { 873 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS); 874 return MSG_PROCESS_ERROR; 875 } 876 s->s3.change_cipher_spec = 0; 877 878 md_len = s->s3.tmp.peer_finish_md_len; 879 880 if (md_len != PACKET_remaining(pkt)) { 881 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH); 882 return MSG_PROCESS_ERROR; 883 } 884 885 ok = CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md, 886 md_len); 887 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 888 if (ok != 0) { 889 if ((PACKET_data(pkt)[0] ^ s->s3.tmp.peer_finish_md[0]) != 0xFF) { 890 ok = 0; 891 } 892 } 893 #endif 894 if (ok != 0) { 895 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED); 896 return MSG_PROCESS_ERROR; 897 } 898 899 /* 900 * Copy the finished so we can use it for renegotiation checks 901 */ 902 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) { 903 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 904 return MSG_PROCESS_ERROR; 905 } 906 if (s->server) { 907 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md, 908 md_len); 909 s->s3.previous_client_finished_len = md_len; 910 } else { 911 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md, 912 md_len); 913 s->s3.previous_server_finished_len = md_len; 914 } 915 916 /* 917 * In TLS1.3 we also have to change cipher state and do any final processing 918 * of the initial server flight (if we are a client) 919 */ 920 if (SSL_CONNECTION_IS_TLS13(s)) { 921 if (s->server) { 922 if (s->post_handshake_auth != SSL_PHA_REQUESTED && 923 !ssl->method->ssl3_enc->change_cipher_state(s, 924 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) { 925 /* SSLfatal() already called */ 926 return MSG_PROCESS_ERROR; 927 } 928 } else { 929 /* TLS 1.3 gets the secret size from the handshake md */ 930 size_t dummy; 931 if (!ssl->method->ssl3_enc->generate_master_secret(s, 932 s->master_secret, s->handshake_secret, 0, 933 &dummy)) { 934 /* SSLfatal() already called */ 935 return MSG_PROCESS_ERROR; 936 } 937 if (!tls13_store_server_finished_hash(s)) { 938 /* SSLfatal() already called */ 939 return MSG_PROCESS_ERROR; 940 } 941 942 /* 943 * For non-QUIC we set up the client's app data read keys now, so 944 * that we can go straight into reading 0.5RTT data from the server. 945 * For QUIC we don't do that, and instead defer setting up the keys 946 * until after we have set up the write keys in order to ensure that 947 * write keys are always set up before read keys (so that if we read 948 * a message we have the correct keys in place to ack it) 949 */ 950 if (!SSL_IS_QUIC_HANDSHAKE(s) 951 && !ssl->method->ssl3_enc->change_cipher_state(s, 952 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) { 953 /* SSLfatal() already called */ 954 return MSG_PROCESS_ERROR; 955 } 956 if (!tls_process_initial_server_flight(s)) { 957 /* SSLfatal() already called */ 958 return MSG_PROCESS_ERROR; 959 } 960 } 961 } 962 963 if (was_first 964 && !SSL_IS_FIRST_HANDSHAKE(s) 965 && s->rlayer.rrlmethod->set_first_handshake != NULL) 966 s->rlayer.rrlmethod->set_first_handshake(s->rlayer.rrl, 0); 967 968 return MSG_PROCESS_FINISHED_READING; 969 } 970 971 CON_FUNC_RETURN tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt) 972 { 973 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) { 974 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 975 return CON_FUNC_ERROR; 976 } 977 978 return CON_FUNC_SUCCESS; 979 } 980 981 /* Add a certificate to the WPACKET */ 982 static int ssl_add_cert_to_wpacket(SSL_CONNECTION *s, WPACKET *pkt, 983 X509 *x, int chain, int for_comp) 984 { 985 int len; 986 unsigned char *outbytes; 987 int context = SSL_EXT_TLS1_3_CERTIFICATE; 988 989 if (for_comp) 990 context |= SSL_EXT_TLS1_3_CERTIFICATE_COMPRESSION; 991 992 len = i2d_X509(x, NULL); 993 if (len < 0) { 994 if (!for_comp) 995 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB); 996 return 0; 997 } 998 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes) 999 || i2d_X509(x, &outbytes) != len) { 1000 if (!for_comp) 1001 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1002 return 0; 1003 } 1004 1005 if ((SSL_CONNECTION_IS_TLS13(s) || for_comp) 1006 && !tls_construct_extensions(s, pkt, context, x, chain)) { 1007 /* SSLfatal() already called */ 1008 return 0; 1009 } 1010 1011 return 1; 1012 } 1013 1014 /* Add certificate chain to provided WPACKET */ 1015 static int ssl_add_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, CERT_PKEY *cpk, int for_comp) 1016 { 1017 int i, chain_count; 1018 X509 *x; 1019 STACK_OF(X509) *extra_certs; 1020 STACK_OF(X509) *chain = NULL; 1021 X509_STORE *chain_store; 1022 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1023 1024 if (cpk == NULL || cpk->x509 == NULL) 1025 return 1; 1026 1027 x = cpk->x509; 1028 1029 /* 1030 * If we have a certificate specific chain use it, else use parent ctx. 1031 */ 1032 if (cpk->chain != NULL) 1033 extra_certs = cpk->chain; 1034 else 1035 extra_certs = sctx->extra_certs; 1036 1037 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs) 1038 chain_store = NULL; 1039 else if (s->cert->chain_store) 1040 chain_store = s->cert->chain_store; 1041 else 1042 chain_store = sctx->cert_store; 1043 1044 if (chain_store != NULL) { 1045 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(sctx->libctx, 1046 sctx->propq); 1047 1048 if (xs_ctx == NULL) { 1049 if (!for_comp) 1050 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB); 1051 return 0; 1052 } 1053 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) { 1054 X509_STORE_CTX_free(xs_ctx); 1055 if (!for_comp) 1056 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB); 1057 return 0; 1058 } 1059 /* 1060 * It is valid for the chain not to be complete (because normally we 1061 * don't include the root cert in the chain). Therefore we deliberately 1062 * ignore the error return from this call. We're not actually verifying 1063 * the cert - we're just building as much of the chain as we can 1064 */ 1065 (void)X509_verify_cert(xs_ctx); 1066 /* Don't leave errors in the queue */ 1067 ERR_clear_error(); 1068 chain = X509_STORE_CTX_get0_chain(xs_ctx); 1069 i = ssl_security_cert_chain(s, chain, NULL, 0); 1070 if (i != 1) { 1071 #if 0 1072 /* Dummy error calls so mkerr generates them */ 1073 ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL); 1074 ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL); 1075 ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK); 1076 #endif 1077 X509_STORE_CTX_free(xs_ctx); 1078 if (!for_comp) 1079 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i); 1080 return 0; 1081 } 1082 chain_count = sk_X509_num(chain); 1083 for (i = 0; i < chain_count; i++) { 1084 x = sk_X509_value(chain, i); 1085 1086 if (!ssl_add_cert_to_wpacket(s, pkt, x, i, for_comp)) { 1087 /* SSLfatal() already called */ 1088 X509_STORE_CTX_free(xs_ctx); 1089 return 0; 1090 } 1091 } 1092 X509_STORE_CTX_free(xs_ctx); 1093 } else { 1094 i = ssl_security_cert_chain(s, extra_certs, x, 0); 1095 if (i != 1) { 1096 if (!for_comp) 1097 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i); 1098 return 0; 1099 } 1100 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0, for_comp)) { 1101 /* SSLfatal() already called */ 1102 return 0; 1103 } 1104 for (i = 0; i < sk_X509_num(extra_certs); i++) { 1105 x = sk_X509_value(extra_certs, i); 1106 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1, for_comp)) { 1107 /* SSLfatal() already called */ 1108 return 0; 1109 } 1110 } 1111 } 1112 return 1; 1113 } 1114 1115 EVP_PKEY* tls_get_peer_pkey(const SSL_CONNECTION *sc) 1116 { 1117 if (sc->session->peer_rpk != NULL) 1118 return sc->session->peer_rpk; 1119 if (sc->session->peer != NULL) 1120 return X509_get0_pubkey(sc->session->peer); 1121 return NULL; 1122 } 1123 1124 int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk) 1125 { 1126 EVP_PKEY *pkey = NULL; 1127 int ret = 0; 1128 RAW_EXTENSION *rawexts = NULL; 1129 PACKET extensions; 1130 PACKET context; 1131 unsigned long cert_len = 0, spki_len = 0; 1132 const unsigned char *spki, *spkistart; 1133 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc); 1134 1135 /*- 1136 * ---------------------------- 1137 * TLS 1.3 Certificate message: 1138 * ---------------------------- 1139 * https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2 1140 * 1141 * enum { 1142 * X509(0), 1143 * RawPublicKey(2), 1144 * (255) 1145 * } CertificateType; 1146 * 1147 * struct { 1148 * select (certificate_type) { 1149 * case RawPublicKey: 1150 * // From RFC 7250 ASN.1_subjectPublicKeyInfo 1151 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>; 1152 * 1153 * case X509: 1154 * opaque cert_data<1..2^24-1>; 1155 * }; 1156 * Extension extensions<0..2^16-1>; 1157 * } CertificateEntry; 1158 * 1159 * struct { 1160 * opaque certificate_request_context<0..2^8-1>; 1161 * CertificateEntry certificate_list<0..2^24-1>; 1162 * } Certificate; 1163 * 1164 * The client MUST send a Certificate message if and only if the server 1165 * has requested client authentication via a CertificateRequest message 1166 * (Section 4.3.2). If the server requests client authentication but no 1167 * suitable certificate is available, the client MUST send a Certificate 1168 * message containing no certificates (i.e., with the "certificate_list" 1169 * field having length 0). 1170 * 1171 * ---------------------------- 1172 * TLS 1.2 Certificate message: 1173 * ---------------------------- 1174 * https://datatracker.ietf.org/doc/html/rfc7250#section-3 1175 * 1176 * opaque ASN.1Cert<1..2^24-1>; 1177 * 1178 * struct { 1179 * select(certificate_type){ 1180 * 1181 * // certificate type defined in this document. 1182 * case RawPublicKey: 1183 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>; 1184 * 1185 * // X.509 certificate defined in RFC 5246 1186 * case X.509: 1187 * ASN.1Cert certificate_list<0..2^24-1>; 1188 * 1189 * // Additional certificate type based on 1190 * // "TLS Certificate Types" subregistry 1191 * }; 1192 * } Certificate; 1193 * 1194 * ------------- 1195 * Consequently: 1196 * ------------- 1197 * After the (TLS 1.3 only) context octet string (1 byte length + data) the 1198 * Certificate message has a 3-byte length that is zero in the client to 1199 * server message when the client has no RPK to send. In that case, there 1200 * are no (TLS 1.3 only) per-certificate extensions either, because the 1201 * [CertificateEntry] list is empty. 1202 * 1203 * In the server to client direction, or when the client had an RPK to send, 1204 * the TLS 1.3 message just prepends the length of the RPK+extensions, 1205 * while TLS <= 1.2 sends just the RPK (octet-string). 1206 * 1207 * The context must be zero-length in the server to client direction, and 1208 * must match the value recorded in the certificate request in the client 1209 * to server direction. 1210 */ 1211 if (SSL_CONNECTION_IS_TLS13(sc)) { 1212 if (!PACKET_get_length_prefixed_1(pkt, &context)) { 1213 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); 1214 goto err; 1215 } 1216 if (sc->server) { 1217 if (sc->pha_context == NULL) { 1218 if (PACKET_remaining(&context) != 0) { 1219 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); 1220 goto err; 1221 } 1222 } else { 1223 if (!PACKET_equal(&context, sc->pha_context, sc->pha_context_len)) { 1224 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); 1225 goto err; 1226 } 1227 } 1228 } else { 1229 if (PACKET_remaining(&context) != 0) { 1230 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); 1231 goto err; 1232 } 1233 } 1234 } 1235 1236 if (!PACKET_get_net_3(pkt, &cert_len) 1237 || PACKET_remaining(pkt) != cert_len) { 1238 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1239 goto err; 1240 } 1241 1242 /* 1243 * The list length may be zero when there is no RPK. In the case of TLS 1244 * 1.2 this is actually the RPK length, which cannot be zero as specified, 1245 * but that breaks the ability of the client to decline client auth. We 1246 * overload the 0 RPK length to mean "no RPK". This interpretation is 1247 * also used some other (reference?) implementations, but is not supported 1248 * by the verbatim RFC7250 text. 1249 */ 1250 if (cert_len == 0) 1251 return 1; 1252 1253 if (SSL_CONNECTION_IS_TLS13(sc)) { 1254 /* 1255 * With TLS 1.3, a non-empty explicit-length RPK octet-string followed 1256 * by a possibly empty extension block. 1257 */ 1258 if (!PACKET_get_net_3(pkt, &spki_len)) { 1259 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1260 goto err; 1261 } 1262 if (spki_len == 0) { 1263 /* empty RPK */ 1264 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_EMPTY_RAW_PUBLIC_KEY); 1265 goto err; 1266 } 1267 } else { 1268 spki_len = cert_len; 1269 } 1270 1271 if (!PACKET_get_bytes(pkt, &spki, spki_len)) { 1272 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1273 goto err; 1274 } 1275 spkistart = spki; 1276 if ((pkey = d2i_PUBKEY_ex(NULL, &spki, spki_len, sctx->libctx, sctx->propq)) == NULL 1277 || spki != (spkistart + spki_len)) { 1278 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1279 goto err; 1280 } 1281 if (EVP_PKEY_missing_parameters(pkey)) { 1282 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, 1283 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1284 goto err; 1285 } 1286 1287 /* Process the Extensions block */ 1288 if (SSL_CONNECTION_IS_TLS13(sc)) { 1289 if (PACKET_remaining(pkt) != (cert_len - 3 - spki_len)) { 1290 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 1291 goto err; 1292 } 1293 if (!PACKET_as_length_prefixed_2(pkt, &extensions) 1294 || PACKET_remaining(pkt) != 0) { 1295 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1296 goto err; 1297 } 1298 if (!tls_collect_extensions(sc, &extensions, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY, 1299 &rawexts, NULL, 1)) { 1300 /* SSLfatal already called */ 1301 goto err; 1302 } 1303 /* chain index is always zero and fin always 1 for RPK */ 1304 if (!tls_parse_all_extensions(sc, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY, 1305 rawexts, NULL, 0, 1)) { 1306 /* SSLfatal already called */ 1307 goto err; 1308 } 1309 } 1310 ret = 1; 1311 if (peer_rpk != NULL) { 1312 *peer_rpk = pkey; 1313 pkey = NULL; 1314 } 1315 1316 err: 1317 OPENSSL_free(rawexts); 1318 EVP_PKEY_free(pkey); 1319 return ret; 1320 } 1321 1322 unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk) 1323 { 1324 int pdata_len = 0; 1325 unsigned char *pdata = NULL; 1326 X509_PUBKEY *xpk = NULL; 1327 unsigned long ret = 0; 1328 X509 *x509 = NULL; 1329 1330 if (cpk != NULL && cpk->x509 != NULL) { 1331 x509 = cpk->x509; 1332 /* Get the RPK from the certificate */ 1333 xpk = X509_get_X509_PUBKEY(cpk->x509); 1334 if (xpk == NULL) { 1335 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1336 goto err; 1337 } 1338 pdata_len = i2d_X509_PUBKEY(xpk, &pdata); 1339 } else if (cpk != NULL && cpk->privatekey != NULL) { 1340 /* Get the RPK from the private key */ 1341 pdata_len = i2d_PUBKEY(cpk->privatekey, &pdata); 1342 } else { 1343 /* The server RPK is not optional */ 1344 if (sc->server) { 1345 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1346 goto err; 1347 } 1348 /* The client can send a zero length certificate list */ 1349 if (!WPACKET_sub_memcpy_u24(pkt, pdata, pdata_len)) { 1350 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1351 goto err; 1352 } 1353 return 1; 1354 } 1355 1356 if (pdata_len <= 0) { 1357 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1358 goto err; 1359 } 1360 1361 /* 1362 * TLSv1.2 is _just_ the raw public key 1363 * TLSv1.3 includes extensions, so there's a length wrapper 1364 */ 1365 if (SSL_CONNECTION_IS_TLS13(sc)) { 1366 if (!WPACKET_start_sub_packet_u24(pkt)) { 1367 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1368 goto err; 1369 } 1370 } 1371 1372 if (!WPACKET_sub_memcpy_u24(pkt, pdata, pdata_len)) { 1373 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1374 goto err; 1375 } 1376 1377 if (SSL_CONNECTION_IS_TLS13(sc)) { 1378 /* 1379 * Only send extensions relevant to raw public keys. Until such 1380 * extensions are defined, this will be an empty set of extensions. 1381 * |x509| may be NULL, which raw public-key extensions need to handle. 1382 */ 1383 if (!tls_construct_extensions(sc, pkt, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY, 1384 x509, 0)) { 1385 /* SSLfatal() already called */ 1386 goto err; 1387 } 1388 if (!WPACKET_close(pkt)) { 1389 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1390 goto err; 1391 } 1392 } 1393 1394 ret = 1; 1395 err: 1396 OPENSSL_free(pdata); 1397 return ret; 1398 } 1399 1400 unsigned long ssl3_output_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, 1401 CERT_PKEY *cpk, int for_comp) 1402 { 1403 if (!WPACKET_start_sub_packet_u24(pkt)) { 1404 if (!for_comp) 1405 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1406 return 0; 1407 } 1408 1409 if (!ssl_add_cert_chain(s, pkt, cpk, for_comp)) 1410 return 0; 1411 1412 if (!WPACKET_close(pkt)) { 1413 if (!for_comp) 1414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1415 return 0; 1416 } 1417 1418 return 1; 1419 } 1420 1421 /* 1422 * Tidy up after the end of a handshake. In the case of SCTP this may result 1423 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is 1424 * freed up as well. 1425 */ 1426 WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst, 1427 int clearbufs, int stop) 1428 { 1429 void (*cb) (const SSL *ssl, int type, int val) = NULL; 1430 int cleanuphand = s->statem.cleanuphand; 1431 SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s); 1432 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1433 1434 if (clearbufs) { 1435 if (!SSL_CONNECTION_IS_DTLS(s) 1436 #ifndef OPENSSL_NO_SCTP 1437 /* 1438 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS 1439 * messages that require it. Therefore, DTLS procedures for retransmissions 1440 * MUST NOT be used. 1441 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used. 1442 */ 1443 || BIO_dgram_is_sctp(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s))) 1444 #endif 1445 ) { 1446 /* 1447 * We don't do this in DTLS over UDP because we may still need the init_buf 1448 * in case there are any unexpected retransmits 1449 */ 1450 BUF_MEM_free(s->init_buf); 1451 s->init_buf = NULL; 1452 } 1453 1454 if (!ssl_free_wbio_buffer(s)) { 1455 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1456 return WORK_ERROR; 1457 } 1458 s->init_num = 0; 1459 } 1460 1461 if (SSL_CONNECTION_IS_TLS13(s) && !s->server 1462 && s->post_handshake_auth == SSL_PHA_REQUESTED) 1463 s->post_handshake_auth = SSL_PHA_EXT_SENT; 1464 1465 /* 1466 * Only set if there was a Finished message and this isn't after a TLSv1.3 1467 * post handshake exchange 1468 */ 1469 if (cleanuphand) { 1470 /* skipped if we just sent a HelloRequest */ 1471 s->renegotiate = 0; 1472 s->new_session = 0; 1473 s->statem.cleanuphand = 0; 1474 s->ext.ticket_expected = 0; 1475 1476 ssl3_cleanup_key_block(s); 1477 1478 if (s->server) { 1479 /* 1480 * In TLSv1.3 we update the cache as part of constructing the 1481 * NewSessionTicket 1482 */ 1483 if (!SSL_CONNECTION_IS_TLS13(s)) 1484 ssl_update_cache(s, SSL_SESS_CACHE_SERVER); 1485 1486 /* N.B. s->ctx may not equal s->session_ctx */ 1487 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good); 1488 s->handshake_func = ossl_statem_accept; 1489 } else { 1490 if (SSL_CONNECTION_IS_TLS13(s)) { 1491 /* 1492 * We encourage applications to only use TLSv1.3 tickets once, 1493 * so we remove this one from the cache. 1494 */ 1495 if ((s->session_ctx->session_cache_mode 1496 & SSL_SESS_CACHE_CLIENT) != 0) 1497 SSL_CTX_remove_session(s->session_ctx, s->session); 1498 } else { 1499 /* 1500 * In TLSv1.3 we update the cache as part of processing the 1501 * NewSessionTicket 1502 */ 1503 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 1504 } 1505 if (s->hit) 1506 ssl_tsan_counter(s->session_ctx, 1507 &s->session_ctx->stats.sess_hit); 1508 1509 s->handshake_func = ossl_statem_connect; 1510 ssl_tsan_counter(s->session_ctx, 1511 &s->session_ctx->stats.sess_connect_good); 1512 } 1513 1514 if (SSL_CONNECTION_IS_DTLS(s)) { 1515 /* done with handshaking */ 1516 s->d1->handshake_read_seq = 0; 1517 s->d1->handshake_write_seq = 0; 1518 s->d1->next_handshake_write_seq = 0; 1519 dtls1_clear_received_buffer(s); 1520 } 1521 } 1522 1523 if (s->info_callback != NULL) 1524 cb = s->info_callback; 1525 else if (sctx->info_callback != NULL) 1526 cb = sctx->info_callback; 1527 1528 /* The callback may expect us to not be in init at handshake done */ 1529 ossl_statem_set_in_init(s, 0); 1530 1531 if (cb != NULL) { 1532 if (cleanuphand 1533 || !SSL_CONNECTION_IS_TLS13(s) 1534 || SSL_IS_FIRST_HANDSHAKE(s)) 1535 cb(ssl, SSL_CB_HANDSHAKE_DONE, 1); 1536 } 1537 1538 if (!stop) { 1539 /* If we've got more work to do we go back into init */ 1540 ossl_statem_set_in_init(s, 1); 1541 return WORK_FINISHED_CONTINUE; 1542 } 1543 1544 return WORK_FINISHED_STOP; 1545 } 1546 1547 int tls_get_message_header(SSL_CONNECTION *s, int *mt) 1548 { 1549 /* s->init_num < SSL3_HM_HEADER_LENGTH */ 1550 int skip_message, i; 1551 uint8_t recvd_type; 1552 unsigned char *p; 1553 size_t l, readbytes; 1554 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 1555 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 1556 1557 p = (unsigned char *)s->init_buf->data; 1558 1559 do { 1560 while (s->init_num < SSL3_HM_HEADER_LENGTH) { 1561 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, &recvd_type, 1562 &p[s->init_num], 1563 SSL3_HM_HEADER_LENGTH - s->init_num, 1564 0, &readbytes); 1565 if (i <= 0) { 1566 s->rwstate = SSL_READING; 1567 return 0; 1568 } 1569 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 1570 /* 1571 * A ChangeCipherSpec must be a single byte and may not occur 1572 * in the middle of a handshake message. 1573 */ 1574 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) { 1575 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1576 SSL_R_BAD_CHANGE_CIPHER_SPEC); 1577 return 0; 1578 } 1579 if (s->statem.hand_state == TLS_ST_BEFORE 1580 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) { 1581 /* 1582 * We are stateless and we received a CCS. Probably this is 1583 * from a client between the first and second ClientHellos. 1584 * We should ignore this, but return an error because we do 1585 * not return success until we see the second ClientHello 1586 * with a valid cookie. 1587 */ 1588 return 0; 1589 } 1590 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; 1591 s->init_num = readbytes - 1; 1592 s->init_msg = s->init_buf->data; 1593 s->s3.tmp.message_size = readbytes; 1594 return 1; 1595 } else if (recvd_type != SSL3_RT_HANDSHAKE) { 1596 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1597 SSL_R_CCS_RECEIVED_EARLY); 1598 return 0; 1599 } 1600 s->init_num += readbytes; 1601 } 1602 1603 skip_message = 0; 1604 if (!s->server) 1605 if (s->statem.hand_state != TLS_ST_OK 1606 && p[0] == SSL3_MT_HELLO_REQUEST) 1607 /* 1608 * The server may always send 'Hello Request' messages -- 1609 * we are doing a handshake anyway now, so ignore them if 1610 * their format is correct. Does not count for 'Finished' 1611 * MAC. 1612 */ 1613 if (p[1] == 0 && p[2] == 0 && p[3] == 0) { 1614 s->init_num = 0; 1615 skip_message = 1; 1616 1617 if (s->msg_callback) 1618 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 1619 p, SSL3_HM_HEADER_LENGTH, ussl, 1620 s->msg_callback_arg); 1621 } 1622 } while (skip_message); 1623 /* s->init_num == SSL3_HM_HEADER_LENGTH */ 1624 1625 *mt = *p; 1626 s->s3.tmp.message_type = *(p++); 1627 1628 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 1629 /* 1630 * Only happens with SSLv3+ in an SSLv2 backward compatible 1631 * ClientHello 1632 * 1633 * Total message size is the remaining record bytes to read 1634 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read 1635 */ 1636 l = s->rlayer.tlsrecs[0].length + SSL3_HM_HEADER_LENGTH; 1637 s->s3.tmp.message_size = l; 1638 1639 s->init_msg = s->init_buf->data; 1640 s->init_num = SSL3_HM_HEADER_LENGTH; 1641 } else { 1642 n2l3(p, l); 1643 /* BUF_MEM_grow takes an 'int' parameter */ 1644 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) { 1645 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1646 SSL_R_EXCESSIVE_MESSAGE_SIZE); 1647 return 0; 1648 } 1649 s->s3.tmp.message_size = l; 1650 1651 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; 1652 s->init_num = 0; 1653 } 1654 1655 return 1; 1656 } 1657 1658 int tls_get_message_body(SSL_CONNECTION *s, size_t *len) 1659 { 1660 size_t n, readbytes; 1661 unsigned char *p; 1662 int i; 1663 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 1664 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 1665 1666 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) { 1667 /* We've already read everything in */ 1668 *len = (unsigned long)s->init_num; 1669 return 1; 1670 } 1671 1672 p = s->init_msg; 1673 n = s->s3.tmp.message_size - s->init_num; 1674 while (n > 0) { 1675 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL, 1676 &p[s->init_num], n, 0, &readbytes); 1677 if (i <= 0) { 1678 s->rwstate = SSL_READING; 1679 *len = 0; 1680 return 0; 1681 } 1682 s->init_num += readbytes; 1683 n -= readbytes; 1684 } 1685 1686 /* 1687 * If receiving Finished, record MAC of prior handshake messages for 1688 * Finished verification. 1689 */ 1690 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) { 1691 /* SSLfatal() already called */ 1692 *len = 0; 1693 return 0; 1694 } 1695 1696 /* Feed this message into MAC computation. */ 1697 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 1698 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1699 s->init_num)) { 1700 /* SSLfatal() already called */ 1701 *len = 0; 1702 return 0; 1703 } 1704 if (s->msg_callback) 1705 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data, 1706 (size_t)s->init_num, ussl, s->msg_callback_arg); 1707 } else { 1708 /* 1709 * We defer feeding in the HRR until later. We'll do it as part of 1710 * processing the message 1711 * The TLsv1.3 handshake transcript stops at the ClientFinished 1712 * message. 1713 */ 1714 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2) 1715 /* KeyUpdate and NewSessionTicket do not need to be added */ 1716 if (!SSL_CONNECTION_IS_TLS13(s) 1717 || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET 1718 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) { 1719 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO 1720 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE 1721 || memcmp(hrrrandom, 1722 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET, 1723 SSL3_RANDOM_SIZE) != 0) { 1724 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1725 s->init_num + SSL3_HM_HEADER_LENGTH)) { 1726 /* SSLfatal() already called */ 1727 *len = 0; 1728 return 0; 1729 } 1730 } 1731 } 1732 if (s->msg_callback) 1733 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, 1734 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, ussl, 1735 s->msg_callback_arg); 1736 } 1737 1738 *len = s->init_num; 1739 return 1; 1740 } 1741 1742 static const X509ERR2ALERT x509table[] = { 1743 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE}, 1744 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE}, 1745 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE}, 1746 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE}, 1747 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA}, 1748 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED}, 1749 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE}, 1750 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE}, 1751 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED}, 1752 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR}, 1753 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE}, 1754 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED}, 1755 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE}, 1756 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR}, 1757 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE}, 1758 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA}, 1759 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE}, 1760 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1761 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE}, 1762 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1763 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1764 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1765 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1766 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA}, 1767 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR}, 1768 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE}, 1769 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1770 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR}, 1771 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA}, 1772 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA}, 1773 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR}, 1774 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE}, 1775 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE}, 1776 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE}, 1777 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA}, 1778 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA}, 1779 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA}, 1780 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA}, 1781 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA}, 1782 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR}, 1783 1784 /* Last entry; return this if we don't find the value above. */ 1785 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN} 1786 }; 1787 1788 int ssl_x509err2alert(int x509err) 1789 { 1790 const X509ERR2ALERT *tp; 1791 1792 for (tp = x509table; tp->x509err != X509_V_OK; ++tp) 1793 if (tp->x509err == x509err) 1794 break; 1795 return tp->alert; 1796 } 1797 1798 int ssl_allow_compression(SSL_CONNECTION *s) 1799 { 1800 if (s->options & SSL_OP_NO_COMPRESSION) 1801 return 0; 1802 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL); 1803 } 1804 1805 /* 1806 * SSL/TLS/DTLS version comparison 1807 * 1808 * Returns 1809 * 0 if versiona is equal to versionb 1810 * 1 if versiona is greater than versionb 1811 * -1 if versiona is less than versionb 1812 */ 1813 int ssl_version_cmp(const SSL_CONNECTION *s, int versiona, int versionb) 1814 { 1815 int dtls = SSL_CONNECTION_IS_DTLS(s); 1816 1817 if (versiona == versionb) 1818 return 0; 1819 if (!dtls) 1820 return versiona < versionb ? -1 : 1; 1821 return DTLS_VERSION_LT(versiona, versionb) ? -1 : 1; 1822 } 1823 1824 typedef struct { 1825 int version; 1826 const SSL_METHOD *(*cmeth) (void); 1827 const SSL_METHOD *(*smeth) (void); 1828 } version_info; 1829 1830 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION 1831 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION. 1832 #endif 1833 1834 /* Must be in order high to low */ 1835 static const version_info tls_version_table[] = { 1836 #ifndef OPENSSL_NO_TLS1_3 1837 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method}, 1838 #else 1839 {TLS1_3_VERSION, NULL, NULL}, 1840 #endif 1841 #ifndef OPENSSL_NO_TLS1_2 1842 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method}, 1843 #else 1844 {TLS1_2_VERSION, NULL, NULL}, 1845 #endif 1846 #ifndef OPENSSL_NO_TLS1_1 1847 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method}, 1848 #else 1849 {TLS1_1_VERSION, NULL, NULL}, 1850 #endif 1851 #ifndef OPENSSL_NO_TLS1 1852 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method}, 1853 #else 1854 {TLS1_VERSION, NULL, NULL}, 1855 #endif 1856 #ifndef OPENSSL_NO_SSL3 1857 {SSL3_VERSION, sslv3_client_method, sslv3_server_method}, 1858 #else 1859 {SSL3_VERSION, NULL, NULL}, 1860 #endif 1861 {0, NULL, NULL}, 1862 }; 1863 1864 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION 1865 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION. 1866 #endif 1867 1868 /* Must be in order high to low */ 1869 static const version_info dtls_version_table[] = { 1870 #ifndef OPENSSL_NO_DTLS1_2 1871 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method}, 1872 #else 1873 {DTLS1_2_VERSION, NULL, NULL}, 1874 #endif 1875 #ifndef OPENSSL_NO_DTLS1 1876 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method}, 1877 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL}, 1878 #else 1879 {DTLS1_VERSION, NULL, NULL}, 1880 {DTLS1_BAD_VER, NULL, NULL}, 1881 #endif 1882 {0, NULL, NULL}, 1883 }; 1884 1885 /* 1886 * ssl_method_error - Check whether an SSL_METHOD is enabled. 1887 * 1888 * @s: The SSL handle for the candidate method 1889 * @method: the intended method. 1890 * 1891 * Returns 0 on success, or an SSL error reason on failure. 1892 */ 1893 static int ssl_method_error(const SSL_CONNECTION *s, const SSL_METHOD *method) 1894 { 1895 int version = method->version; 1896 1897 if ((s->min_proto_version != 0 && 1898 ssl_version_cmp(s, version, s->min_proto_version) < 0) || 1899 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0) 1900 return SSL_R_VERSION_TOO_LOW; 1901 1902 if (s->max_proto_version != 0 && 1903 ssl_version_cmp(s, version, s->max_proto_version) > 0) 1904 return SSL_R_VERSION_TOO_HIGH; 1905 1906 if ((s->options & method->mask) != 0) 1907 return SSL_R_UNSUPPORTED_PROTOCOL; 1908 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s)) 1909 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE; 1910 1911 return 0; 1912 } 1913 1914 /* 1915 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable 1916 * certificate type, or has PSK or a certificate callback configured, or has 1917 * a servername callback configure. Otherwise returns 0. 1918 */ 1919 static int is_tls13_capable(const SSL_CONNECTION *s) 1920 { 1921 size_t i; 1922 int curve; 1923 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1924 1925 if (!ossl_assert(sctx != NULL) || !ossl_assert(s->session_ctx != NULL)) 1926 return 0; 1927 1928 /* 1929 * A servername callback can change the available certs, so if a servername 1930 * cb is set then we just assume TLSv1.3 will be ok 1931 */ 1932 if (sctx->ext.servername_cb != NULL 1933 || s->session_ctx->ext.servername_cb != NULL) 1934 return 1; 1935 1936 #ifndef OPENSSL_NO_PSK 1937 if (s->psk_server_callback != NULL) 1938 return 1; 1939 #endif 1940 1941 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL) 1942 return 1; 1943 1944 /* All provider-based sig algs are required to support at least TLS1.3 */ 1945 for (i = 0; i < s->ssl_pkey_num; i++) { 1946 /* Skip over certs disallowed for TLSv1.3 */ 1947 switch (i) { 1948 case SSL_PKEY_DSA_SIGN: 1949 case SSL_PKEY_GOST01: 1950 case SSL_PKEY_GOST12_256: 1951 case SSL_PKEY_GOST12_512: 1952 continue; 1953 default: 1954 break; 1955 } 1956 if (!ssl_has_cert(s, i)) 1957 continue; 1958 if (i != SSL_PKEY_ECC) 1959 return 1; 1960 /* 1961 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is 1962 * more restrictive so check that our sig algs are consistent with this 1963 * EC cert. See section 4.2.3 of RFC8446. 1964 */ 1965 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey); 1966 if (tls_check_sigalg_curve(s, curve)) 1967 return 1; 1968 } 1969 1970 return 0; 1971 } 1972 1973 /* 1974 * ssl_version_supported - Check that the specified `version` is supported by 1975 * `SSL *` instance 1976 * 1977 * @s: The SSL handle for the candidate method 1978 * @version: Protocol version to test against 1979 * 1980 * Returns 1 when supported, otherwise 0 1981 */ 1982 int ssl_version_supported(const SSL_CONNECTION *s, int version, 1983 const SSL_METHOD **meth) 1984 { 1985 const version_info *vent; 1986 const version_info *table; 1987 1988 switch (SSL_CONNECTION_GET_SSL(s)->method->version) { 1989 default: 1990 /* Version should match method version for non-ANY method */ 1991 return ssl_version_cmp(s, version, s->version) == 0; 1992 case TLS_ANY_VERSION: 1993 table = tls_version_table; 1994 break; 1995 case DTLS_ANY_VERSION: 1996 table = dtls_version_table; 1997 break; 1998 } 1999 2000 for (vent = table; 2001 vent->version != 0 && ssl_version_cmp(s, version, vent->version) <= 0; 2002 ++vent) { 2003 const SSL_METHOD *(*thismeth)(void) = s->server ? vent->smeth 2004 : vent->cmeth; 2005 2006 if (thismeth != NULL 2007 && ssl_version_cmp(s, version, vent->version) == 0 2008 && ssl_method_error(s, thismeth()) == 0 2009 && (!s->server 2010 || version != TLS1_3_VERSION 2011 || is_tls13_capable(s))) { 2012 if (meth != NULL) 2013 *meth = thismeth(); 2014 return 1; 2015 } 2016 } 2017 return 0; 2018 } 2019 2020 /* 2021 * ssl_check_version_downgrade - In response to RFC7507 SCSV version 2022 * fallback indication from a client check whether we're using the highest 2023 * supported protocol version. 2024 * 2025 * @s server SSL handle. 2026 * 2027 * Returns 1 when using the highest enabled version, 0 otherwise. 2028 */ 2029 int ssl_check_version_downgrade(SSL_CONNECTION *s) 2030 { 2031 const version_info *vent; 2032 const version_info *table; 2033 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 2034 2035 /* 2036 * Check that the current protocol is the highest enabled version 2037 * (according to ssl->defltmethod, as version negotiation may have changed 2038 * s->method). 2039 */ 2040 if (s->version == ssl->defltmeth->version) 2041 return 1; 2042 2043 /* 2044 * Apparently we're using a version-flexible SSL_METHOD (not at its 2045 * highest protocol version). 2046 */ 2047 if (ssl->defltmeth->version == TLS_method()->version) 2048 table = tls_version_table; 2049 else if (ssl->defltmeth->version == DTLS_method()->version) 2050 table = dtls_version_table; 2051 else { 2052 /* Unexpected state; fail closed. */ 2053 return 0; 2054 } 2055 2056 for (vent = table; vent->version != 0; ++vent) { 2057 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0) 2058 return s->version == vent->version; 2059 } 2060 return 0; 2061 } 2062 2063 /* 2064 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS 2065 * protocols, provided the initial (D)TLS method is version-flexible. This 2066 * function sanity-checks the proposed value and makes sure the method is 2067 * version-flexible, then sets the limit if all is well. 2068 * 2069 * @method_version: The version of the current SSL_METHOD. 2070 * @version: the intended limit. 2071 * @bound: pointer to limit to be updated. 2072 * 2073 * Returns 1 on success, 0 on failure. 2074 */ 2075 int ssl_set_version_bound(int method_version, int version, int *bound) 2076 { 2077 int valid_tls; 2078 int valid_dtls; 2079 2080 if (version == 0) { 2081 *bound = version; 2082 return 1; 2083 } 2084 2085 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL; 2086 valid_dtls = 2087 /* We support client side pre-standardisation version of DTLS */ 2088 (version == DTLS1_BAD_VER) 2089 || (DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) 2090 && DTLS_VERSION_GE(version, DTLS1_VERSION)); 2091 2092 if (!valid_tls && !valid_dtls) 2093 return 0; 2094 2095 /*- 2096 * Restrict TLS methods to TLS protocol versions. 2097 * Restrict DTLS methods to DTLS protocol versions. 2098 * Note, DTLS version numbers are decreasing, use comparison macros. 2099 * 2100 * Note that for both lower-bounds we use explicit versions, not 2101 * (D)TLS_MIN_VERSION. This is because we don't want to break user 2102 * configurations. If the MIN (supported) version ever rises, the user's 2103 * "floor" remains valid even if no longer available. We don't expect the 2104 * MAX ceiling to ever get lower, so making that variable makes sense. 2105 * 2106 * We ignore attempts to set bounds on version-inflexible methods, 2107 * returning success. 2108 */ 2109 switch (method_version) { 2110 default: 2111 break; 2112 2113 case TLS_ANY_VERSION: 2114 if (valid_tls) 2115 *bound = version; 2116 break; 2117 2118 case DTLS_ANY_VERSION: 2119 if (valid_dtls) 2120 *bound = version; 2121 break; 2122 } 2123 return 1; 2124 } 2125 2126 static void check_for_downgrade(SSL_CONNECTION *s, int vers, DOWNGRADE *dgrd) 2127 { 2128 if (vers == TLS1_2_VERSION 2129 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) { 2130 *dgrd = DOWNGRADE_TO_1_2; 2131 } else if (!SSL_CONNECTION_IS_DTLS(s) 2132 && vers < TLS1_2_VERSION 2133 /* 2134 * We need to ensure that a server that disables TLSv1.2 2135 * (creating a hole between TLSv1.3 and TLSv1.1) can still 2136 * complete handshakes with clients that support TLSv1.2 and 2137 * below. Therefore we do not enable the sentinel if TLSv1.3 is 2138 * enabled and TLSv1.2 is not. 2139 */ 2140 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) { 2141 *dgrd = DOWNGRADE_TO_1_1; 2142 } else { 2143 *dgrd = DOWNGRADE_NONE; 2144 } 2145 } 2146 2147 /* 2148 * ssl_choose_server_version - Choose server (D)TLS version. Called when the 2149 * client HELLO is received to select the final server protocol version and 2150 * the version specific method. 2151 * 2152 * @s: server SSL handle. 2153 * 2154 * Returns 0 on success or an SSL error reason number on failure. 2155 */ 2156 int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, 2157 DOWNGRADE *dgrd) 2158 { 2159 /*- 2160 * With version-flexible methods we have an initial state with: 2161 * 2162 * s->method->version == (D)TLS_ANY_VERSION, 2163 * s->version == (D)TLS_MAX_VERSION_INTERNAL. 2164 * 2165 * So we detect version-flexible methods via the method version, not the 2166 * handle version. 2167 */ 2168 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 2169 int server_version = ssl->method->version; 2170 int client_version = hello->legacy_version; 2171 const version_info *vent; 2172 const version_info *table; 2173 int disabled = 0; 2174 RAW_EXTENSION *suppversions; 2175 2176 s->client_version = client_version; 2177 2178 switch (server_version) { 2179 default: 2180 if (!SSL_CONNECTION_IS_TLS13(s)) { 2181 if (ssl_version_cmp(s, client_version, s->version) < 0) 2182 return SSL_R_WRONG_SSL_VERSION; 2183 *dgrd = DOWNGRADE_NONE; 2184 /* 2185 * If this SSL handle is not from a version flexible method we don't 2186 * (and never did) check min/max FIPS or Suite B constraints. Hope 2187 * that's OK. It is up to the caller to not choose fixed protocol 2188 * versions they don't want. If not, then easy to fix, just return 2189 * ssl_method_error(s, s->method) 2190 */ 2191 return 0; 2192 } 2193 /* 2194 * Fall through if we are TLSv1.3 already (this means we must be after 2195 * a HelloRetryRequest 2196 */ 2197 /* fall thru */ 2198 case TLS_ANY_VERSION: 2199 table = tls_version_table; 2200 break; 2201 case DTLS_ANY_VERSION: 2202 table = dtls_version_table; 2203 break; 2204 } 2205 2206 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions]; 2207 2208 /* If we did an HRR then supported versions is mandatory */ 2209 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE) 2210 return SSL_R_UNSUPPORTED_PROTOCOL; 2211 2212 if (suppversions->present && !SSL_CONNECTION_IS_DTLS(s)) { 2213 unsigned int candidate_vers = 0; 2214 unsigned int best_vers = 0; 2215 const SSL_METHOD *best_method = NULL; 2216 PACKET versionslist; 2217 2218 suppversions->parsed = 1; 2219 2220 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) { 2221 /* Trailing or invalid data? */ 2222 return SSL_R_LENGTH_MISMATCH; 2223 } 2224 2225 /* 2226 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION. 2227 * The spec only requires servers to check that it isn't SSLv3: 2228 * "Any endpoint receiving a Hello message with 2229 * ClientHello.legacy_version or ServerHello.legacy_version set to 2230 * 0x0300 MUST abort the handshake with a "protocol_version" alert." 2231 * We are slightly stricter and require that it isn't SSLv3 or lower. 2232 * We tolerate TLSv1 and TLSv1.1. 2233 */ 2234 if (client_version <= SSL3_VERSION) 2235 return SSL_R_BAD_LEGACY_VERSION; 2236 2237 while (PACKET_get_net_2(&versionslist, &candidate_vers)) { 2238 if (ssl_version_cmp(s, candidate_vers, best_vers) <= 0) 2239 continue; 2240 if (ssl_version_supported(s, candidate_vers, &best_method)) 2241 best_vers = candidate_vers; 2242 } 2243 if (PACKET_remaining(&versionslist) != 0) { 2244 /* Trailing data? */ 2245 return SSL_R_LENGTH_MISMATCH; 2246 } 2247 2248 if (best_vers > 0) { 2249 if (s->hello_retry_request != SSL_HRR_NONE) { 2250 /* 2251 * This is after a HelloRetryRequest so we better check that we 2252 * negotiated TLSv1.3 2253 */ 2254 if (best_vers != TLS1_3_VERSION) 2255 return SSL_R_UNSUPPORTED_PROTOCOL; 2256 return 0; 2257 } 2258 check_for_downgrade(s, best_vers, dgrd); 2259 s->version = best_vers; 2260 ssl->method = best_method; 2261 if (!ssl_set_record_protocol_version(s, best_vers)) 2262 return ERR_R_INTERNAL_ERROR; 2263 2264 return 0; 2265 } 2266 return SSL_R_UNSUPPORTED_PROTOCOL; 2267 } 2268 2269 /* 2270 * If the supported versions extension isn't present, then the highest 2271 * version we can negotiate is TLSv1.2 2272 */ 2273 if (ssl_version_cmp(s, client_version, TLS1_3_VERSION) >= 0) 2274 client_version = TLS1_2_VERSION; 2275 2276 /* 2277 * No supported versions extension, so we just use the version supplied in 2278 * the ClientHello. 2279 */ 2280 for (vent = table; vent->version != 0; ++vent) { 2281 const SSL_METHOD *method; 2282 2283 if (vent->smeth == NULL || 2284 ssl_version_cmp(s, client_version, vent->version) < 0) 2285 continue; 2286 method = vent->smeth(); 2287 if (ssl_method_error(s, method) == 0) { 2288 check_for_downgrade(s, vent->version, dgrd); 2289 s->version = vent->version; 2290 ssl->method = method; 2291 if (!ssl_set_record_protocol_version(s, s->version)) 2292 return ERR_R_INTERNAL_ERROR; 2293 2294 return 0; 2295 } 2296 disabled = 1; 2297 } 2298 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW; 2299 } 2300 2301 /* 2302 * ssl_choose_client_version - Choose client (D)TLS version. Called when the 2303 * server HELLO is received to select the final client protocol version and 2304 * the version specific method. 2305 * 2306 * @s: client SSL handle. 2307 * @version: The proposed version from the server's HELLO. 2308 * @extensions: The extensions received 2309 * 2310 * Returns 1 on success or 0 on error. 2311 */ 2312 int ssl_choose_client_version(SSL_CONNECTION *s, int version, 2313 RAW_EXTENSION *extensions) 2314 { 2315 const version_info *vent; 2316 const version_info *table; 2317 int ret, ver_min, ver_max, real_max, origv; 2318 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 2319 2320 origv = s->version; 2321 s->version = version; 2322 2323 /* This will overwrite s->version if the extension is present */ 2324 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions, 2325 SSL_EXT_TLS1_2_SERVER_HELLO 2326 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions, 2327 NULL, 0)) { 2328 s->version = origv; 2329 return 0; 2330 } 2331 2332 if (s->hello_retry_request != SSL_HRR_NONE 2333 && s->version != TLS1_3_VERSION) { 2334 s->version = origv; 2335 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION); 2336 return 0; 2337 } 2338 2339 switch (ssl->method->version) { 2340 default: 2341 if (s->version != ssl->method->version) { 2342 s->version = origv; 2343 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION); 2344 return 0; 2345 } 2346 /* 2347 * If this SSL handle is not from a version flexible method we don't 2348 * (and never did) check min/max, FIPS or Suite B constraints. Hope 2349 * that's OK. It is up to the caller to not choose fixed protocol 2350 * versions they don't want. If not, then easy to fix, just return 2351 * ssl_method_error(s, s->method) 2352 */ 2353 if (!ssl_set_record_protocol_version(s, s->version)) { 2354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2355 return 0; 2356 } 2357 return 1; 2358 case TLS_ANY_VERSION: 2359 table = tls_version_table; 2360 break; 2361 case DTLS_ANY_VERSION: 2362 table = dtls_version_table; 2363 break; 2364 } 2365 2366 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max); 2367 if (ret != 0) { 2368 s->version = origv; 2369 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret); 2370 return 0; 2371 } 2372 if (ssl_version_cmp(s, s->version, ver_min) < 0 2373 || ssl_version_cmp(s, s->version, ver_max) > 0) { 2374 s->version = origv; 2375 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); 2376 return 0; 2377 } 2378 2379 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0) 2380 real_max = ver_max; 2381 2382 /* Check for downgrades */ 2383 /* TODO(DTLSv1.3): Update this code for DTLSv1.3 */ 2384 if (!SSL_CONNECTION_IS_DTLS(s) && real_max > s->version) { 2385 /* Signal applies to all versions */ 2386 if (memcmp(tls11downgrade, 2387 s->s3.server_random + SSL3_RANDOM_SIZE 2388 - sizeof(tls11downgrade), 2389 sizeof(tls11downgrade)) == 0) { 2390 s->version = origv; 2391 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 2392 SSL_R_INAPPROPRIATE_FALLBACK); 2393 return 0; 2394 } 2395 /* Only when accepting TLS1.3 */ 2396 if (real_max == TLS1_3_VERSION 2397 && memcmp(tls12downgrade, 2398 s->s3.server_random + SSL3_RANDOM_SIZE 2399 - sizeof(tls12downgrade), 2400 sizeof(tls12downgrade)) == 0) { 2401 s->version = origv; 2402 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 2403 SSL_R_INAPPROPRIATE_FALLBACK); 2404 return 0; 2405 } 2406 } 2407 2408 for (vent = table; vent->version != 0; ++vent) { 2409 if (vent->cmeth == NULL || s->version != vent->version) 2410 continue; 2411 2412 ssl->method = vent->cmeth(); 2413 if (!ssl_set_record_protocol_version(s, s->version)) { 2414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2415 return 0; 2416 } 2417 return 1; 2418 } 2419 2420 s->version = origv; 2421 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); 2422 return 0; 2423 } 2424 2425 /* 2426 * ssl_get_min_max_version - get minimum and maximum protocol version 2427 * @s: The SSL connection 2428 * @min_version: The minimum supported version 2429 * @max_version: The maximum supported version 2430 * @real_max: The highest version below the lowest compile time version hole 2431 * where that hole lies above at least one run-time enabled 2432 * protocol. 2433 * 2434 * Work out what version we should be using for the initial ClientHello if the 2435 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx 2436 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B 2437 * constraints and any floor imposed by the security level here, 2438 * so we don't advertise the wrong protocol version to only reject the outcome later. 2439 * 2440 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled, 2441 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol 2442 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1. 2443 * 2444 * Returns 0 on success or an SSL error reason number on failure. On failure 2445 * min_version and max_version will also be set to 0. 2446 */ 2447 int ssl_get_min_max_version(const SSL_CONNECTION *s, int *min_version, 2448 int *max_version, int *real_max) 2449 { 2450 int version, tmp_real_max; 2451 int hole; 2452 const SSL_METHOD *method; 2453 const version_info *table; 2454 const version_info *vent; 2455 const SSL *ssl = SSL_CONNECTION_GET_SSL(s); 2456 2457 switch (ssl->method->version) { 2458 default: 2459 /* 2460 * If this SSL handle is not from a version flexible method we don't 2461 * (and never did) check min/max FIPS or Suite B constraints. Hope 2462 * that's OK. It is up to the caller to not choose fixed protocol 2463 * versions they don't want. If not, then easy to fix, just return 2464 * ssl_method_error(s, s->method) 2465 */ 2466 *min_version = *max_version = s->version; 2467 /* 2468 * Providing a real_max only makes sense where we're using a version 2469 * flexible method. 2470 */ 2471 if (!ossl_assert(real_max == NULL)) 2472 return ERR_R_INTERNAL_ERROR; 2473 return 0; 2474 case TLS_ANY_VERSION: 2475 table = tls_version_table; 2476 break; 2477 case DTLS_ANY_VERSION: 2478 table = dtls_version_table; 2479 break; 2480 } 2481 2482 /* 2483 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols 2484 * below X enabled. This is required in order to maintain the "version 2485 * capability" vector contiguous. Any versions with a NULL client method 2486 * (protocol version client is disabled at compile-time) is also a "hole". 2487 * 2488 * Our initial state is hole == 1, version == 0. That is, versions above 2489 * the first version in the method table are disabled (a "hole" above 2490 * the valid protocol entries) and we don't have a selected version yet. 2491 * 2492 * Whenever "hole == 1", and we hit an enabled method, its version becomes 2493 * the selected version. We're no longer in a hole, so "hole" becomes 0. 2494 * 2495 * If "hole == 0" and we hit an enabled method, we support a contiguous 2496 * range of at least two methods. If we hit a disabled method, 2497 * then hole becomes true again, but nothing else changes yet, 2498 * because all the remaining methods may be disabled too. 2499 * If we again hit an enabled method after the new hole, it becomes 2500 * selected, as we start from scratch. 2501 */ 2502 *min_version = version = 0; 2503 hole = 1; 2504 if (real_max != NULL) 2505 *real_max = 0; 2506 tmp_real_max = 0; 2507 for (vent = table; vent->version != 0; ++vent) { 2508 /* 2509 * A table entry with a NULL client method is still a hole in the 2510 * "version capability" vector. 2511 */ 2512 if (vent->cmeth == NULL) { 2513 hole = 1; 2514 tmp_real_max = 0; 2515 continue; 2516 } 2517 method = vent->cmeth(); 2518 2519 if (hole == 1 && tmp_real_max == 0) 2520 tmp_real_max = vent->version; 2521 2522 if (ssl_method_error(s, method) != 0) { 2523 hole = 1; 2524 } else if (!hole) { 2525 *min_version = method->version; 2526 } else { 2527 if (real_max != NULL && tmp_real_max != 0) 2528 *real_max = tmp_real_max; 2529 version = method->version; 2530 *min_version = version; 2531 hole = 0; 2532 } 2533 } 2534 2535 *max_version = version; 2536 2537 /* Fail if everything is disabled */ 2538 if (version == 0) 2539 return SSL_R_NO_PROTOCOLS_AVAILABLE; 2540 2541 return 0; 2542 } 2543 2544 /* 2545 * ssl_set_client_hello_version - Work out what version we should be using for 2546 * the initial ClientHello.legacy_version field. 2547 * 2548 * @s: client SSL handle. 2549 * 2550 * Returns 0 on success or an SSL error reason number on failure. 2551 */ 2552 int ssl_set_client_hello_version(SSL_CONNECTION *s) 2553 { 2554 int ver_min, ver_max, ret; 2555 2556 /* 2557 * In a renegotiation we always send the same client_version that we sent 2558 * last time, regardless of which version we eventually negotiated. 2559 */ 2560 if (!SSL_IS_FIRST_HANDSHAKE(s)) 2561 return 0; 2562 2563 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL); 2564 2565 if (ret != 0) 2566 return ret; 2567 2568 s->version = ver_max; 2569 2570 if (SSL_CONNECTION_IS_DTLS(s)) { 2571 if (ver_max == DTLS1_BAD_VER) { 2572 /* 2573 * Even though this is technically before version negotiation, 2574 * because we have asked for DTLS1_BAD_VER we will never negotiate 2575 * anything else, and this has impacts on the record layer for when 2576 * we read the ServerHello. So we need to tell the record layer 2577 * about this immediately. 2578 */ 2579 if (!ssl_set_record_protocol_version(s, ver_max)) 2580 return 0; 2581 } 2582 } else if (ver_max > TLS1_2_VERSION) { 2583 /* TLS1.3 always uses TLS1.2 in the legacy_version field */ 2584 ver_max = TLS1_2_VERSION; 2585 } 2586 2587 s->client_version = ver_max; 2588 return 0; 2589 } 2590 2591 /* 2592 * Checks a list of |groups| to determine if the |group_id| is in it. If it is 2593 * and |checkallow| is 1 then additionally check if the group is allowed to be 2594 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is 2595 * 1) or 0 otherwise. If provided a pointer it will also return the position 2596 * where the group was found. 2597 */ 2598 int check_in_list(SSL_CONNECTION *s, uint16_t group_id, const uint16_t *groups, 2599 size_t num_groups, int checkallow, size_t *pos) 2600 { 2601 size_t i; 2602 2603 if (groups == NULL || num_groups == 0) 2604 return 0; 2605 2606 for (i = 0; i < num_groups; i++) { 2607 uint16_t group = groups[i]; 2608 2609 if (group_id == group 2610 && (!checkallow 2611 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) { 2612 if (pos != NULL) 2613 *pos = i; 2614 return 1; 2615 } 2616 } 2617 2618 return 0; 2619 } 2620 2621 /* Replace ClientHello1 in the transcript hash with a synthetic message */ 2622 int create_synthetic_message_hash(SSL_CONNECTION *s, 2623 const unsigned char *hashval, 2624 size_t hashlen, const unsigned char *hrr, 2625 size_t hrrlen) 2626 { 2627 unsigned char hashvaltmp[EVP_MAX_MD_SIZE]; 2628 unsigned char msghdr[SSL3_HM_HEADER_LENGTH]; 2629 2630 memset(msghdr, 0, sizeof(msghdr)); 2631 2632 if (hashval == NULL) { 2633 hashval = hashvaltmp; 2634 hashlen = 0; 2635 /* Get the hash of the initial ClientHello */ 2636 if (!ssl3_digest_cached_records(s, 0) 2637 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp), 2638 &hashlen)) { 2639 /* SSLfatal() already called */ 2640 return 0; 2641 } 2642 } 2643 2644 /* Reinitialise the transcript hash */ 2645 if (!ssl3_init_finished_mac(s)) { 2646 /* SSLfatal() already called */ 2647 return 0; 2648 } 2649 2650 /* Inject the synthetic message_hash message */ 2651 msghdr[0] = SSL3_MT_MESSAGE_HASH; 2652 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen; 2653 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH) 2654 || !ssl3_finish_mac(s, hashval, hashlen)) { 2655 /* SSLfatal() already called */ 2656 return 0; 2657 } 2658 2659 /* 2660 * Now re-inject the HRR and current message if appropriate (we just deleted 2661 * it when we reinitialised the transcript hash above). Only necessary after 2662 * receiving a ClientHello2 with a cookie. 2663 */ 2664 if (hrr != NULL 2665 && (!ssl3_finish_mac(s, hrr, hrrlen) 2666 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 2667 s->s3.tmp.message_size 2668 + SSL3_HM_HEADER_LENGTH))) { 2669 /* SSLfatal() already called */ 2670 return 0; 2671 } 2672 2673 return 1; 2674 } 2675 2676 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b) 2677 { 2678 return X509_NAME_cmp(*a, *b); 2679 } 2680 2681 int parse_ca_names(SSL_CONNECTION *s, PACKET *pkt) 2682 { 2683 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp); 2684 X509_NAME *xn = NULL; 2685 PACKET cadns; 2686 2687 if (ca_sk == NULL) { 2688 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2689 goto err; 2690 } 2691 /* get the CA RDNs */ 2692 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) { 2693 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2694 goto err; 2695 } 2696 2697 while (PACKET_remaining(&cadns)) { 2698 const unsigned char *namestart, *namebytes; 2699 unsigned int name_len; 2700 2701 if (!PACKET_get_net_2(&cadns, &name_len) 2702 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) { 2703 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2704 goto err; 2705 } 2706 2707 namestart = namebytes; 2708 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) { 2709 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB); 2710 goto err; 2711 } 2712 if (namebytes != (namestart + name_len)) { 2713 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH); 2714 goto err; 2715 } 2716 2717 if (!sk_X509_NAME_push(ca_sk, xn)) { 2718 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2719 goto err; 2720 } 2721 xn = NULL; 2722 } 2723 2724 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free); 2725 s->s3.tmp.peer_ca_names = ca_sk; 2726 2727 return 1; 2728 2729 err: 2730 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); 2731 X509_NAME_free(xn); 2732 return 0; 2733 } 2734 2735 const STACK_OF(X509_NAME) *get_ca_names(SSL_CONNECTION *s) 2736 { 2737 const STACK_OF(X509_NAME) *ca_sk = NULL; 2738 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 2739 2740 if (s->server) { 2741 ca_sk = SSL_get_client_CA_list(ssl); 2742 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0) 2743 ca_sk = NULL; 2744 } 2745 2746 if (ca_sk == NULL) 2747 ca_sk = SSL_get0_CA_list(ssl); 2748 2749 return ca_sk; 2750 } 2751 2752 int construct_ca_names(SSL_CONNECTION *s, const STACK_OF(X509_NAME) *ca_sk, 2753 WPACKET *pkt) 2754 { 2755 /* Start sub-packet for client CA list */ 2756 if (!WPACKET_start_sub_packet_u16(pkt)) { 2757 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2758 return 0; 2759 } 2760 2761 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) { 2762 int i; 2763 2764 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) { 2765 unsigned char *namebytes; 2766 X509_NAME *name = sk_X509_NAME_value(ca_sk, i); 2767 int namelen; 2768 2769 if (name == NULL 2770 || (namelen = i2d_X509_NAME(name, NULL)) < 0 2771 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen, 2772 &namebytes) 2773 || i2d_X509_NAME(name, &namebytes) != namelen) { 2774 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2775 return 0; 2776 } 2777 } 2778 } 2779 2780 if (!WPACKET_close(pkt)) { 2781 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2782 return 0; 2783 } 2784 2785 return 1; 2786 } 2787 2788 /* Create a buffer containing data to be signed for server key exchange */ 2789 size_t construct_key_exchange_tbs(SSL_CONNECTION *s, unsigned char **ptbs, 2790 const void *param, size_t paramlen) 2791 { 2792 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen; 2793 unsigned char *tbs = OPENSSL_malloc(tbslen); 2794 2795 if (tbs == NULL) { 2796 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2797 return 0; 2798 } 2799 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE); 2800 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE); 2801 2802 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen); 2803 2804 *ptbs = tbs; 2805 return tbslen; 2806 } 2807 2808 /* 2809 * Saves the current handshake digest for Post-Handshake Auth, 2810 * Done after ClientFinished is processed, done exactly once 2811 */ 2812 int tls13_save_handshake_digest_for_pha(SSL_CONNECTION *s) 2813 { 2814 if (s->pha_dgst == NULL) { 2815 if (!ssl3_digest_cached_records(s, 1)) 2816 /* SSLfatal() already called */ 2817 return 0; 2818 2819 s->pha_dgst = EVP_MD_CTX_new(); 2820 if (s->pha_dgst == NULL) { 2821 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2822 return 0; 2823 } 2824 if (!EVP_MD_CTX_copy_ex(s->pha_dgst, 2825 s->s3.handshake_dgst)) { 2826 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2827 EVP_MD_CTX_free(s->pha_dgst); 2828 s->pha_dgst = NULL; 2829 return 0; 2830 } 2831 } 2832 return 1; 2833 } 2834 2835 /* 2836 * Restores the Post-Handshake Auth handshake digest 2837 * Done just before sending/processing the Cert Request 2838 */ 2839 int tls13_restore_handshake_digest_for_pha(SSL_CONNECTION *s) 2840 { 2841 if (s->pha_dgst == NULL) { 2842 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2843 return 0; 2844 } 2845 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst, 2846 s->pha_dgst)) { 2847 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2848 return 0; 2849 } 2850 return 1; 2851 } 2852 2853 #ifndef OPENSSL_NO_COMP_ALG 2854 MSG_PROCESS_RETURN tls13_process_compressed_certificate(SSL_CONNECTION *sc, 2855 PACKET *pkt, 2856 PACKET *tmppkt, 2857 BUF_MEM *buf) 2858 { 2859 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; 2860 int comp_alg; 2861 COMP_METHOD *method = NULL; 2862 COMP_CTX *comp = NULL; 2863 size_t expected_length; 2864 size_t comp_length; 2865 int i; 2866 int found = 0; 2867 2868 if (buf == NULL) { 2869 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2870 goto err; 2871 } 2872 if (!PACKET_get_net_2(pkt, (unsigned int*)&comp_alg)) { 2873 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, ERR_R_INTERNAL_ERROR); 2874 goto err; 2875 } 2876 /* If we have a prefs list, make sure the algorithm is in it */ 2877 if (sc->cert_comp_prefs[0] != TLSEXT_comp_cert_none) { 2878 for (i = 0; sc->cert_comp_prefs[i] != TLSEXT_comp_cert_none; i++) { 2879 if (sc->cert_comp_prefs[i] == comp_alg) { 2880 found = 1; 2881 break; 2882 } 2883 } 2884 if (!found) { 2885 SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_COMPRESSION_ALGORITHM); 2886 goto err; 2887 } 2888 } 2889 if (!ossl_comp_has_alg(comp_alg)) { 2890 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_COMPRESSION_ALGORITHM); 2891 goto err; 2892 } 2893 switch (comp_alg) { 2894 case TLSEXT_comp_cert_zlib: 2895 method = COMP_zlib_oneshot(); 2896 break; 2897 case TLSEXT_comp_cert_brotli: 2898 method = COMP_brotli_oneshot(); 2899 break; 2900 case TLSEXT_comp_cert_zstd: 2901 method = COMP_zstd_oneshot(); 2902 break; 2903 default: 2904 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_COMPRESSION_ALGORITHM); 2905 goto err; 2906 } 2907 2908 if ((comp = COMP_CTX_new(method)) == NULL 2909 || !PACKET_get_net_3_len(pkt, &expected_length) 2910 || !PACKET_get_net_3_len(pkt, &comp_length)) { 2911 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_DECOMPRESSION); 2912 goto err; 2913 } 2914 2915 if (PACKET_remaining(pkt) != comp_length || comp_length == 0) { 2916 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_DECOMPRESSION); 2917 goto err; 2918 } 2919 2920 if (!BUF_MEM_grow(buf, expected_length) 2921 || !PACKET_buf_init(tmppkt, (unsigned char *)buf->data, expected_length) 2922 || COMP_expand_block(comp, (unsigned char *)buf->data, expected_length, 2923 (unsigned char*)PACKET_data(pkt), comp_length) != (int)expected_length) { 2924 SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_DECOMPRESSION); 2925 goto err; 2926 } 2927 ret = MSG_PROCESS_CONTINUE_PROCESSING; 2928 err: 2929 COMP_CTX_free(comp); 2930 return ret; 2931 } 2932 #endif 2933