2
0

statem_lib.c 82 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479
  1. /*
  2. * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. *
  5. * Licensed under the Apache License 2.0 (the "License"). You may not use
  6. * this file except in compliance with the License. You can obtain a copy
  7. * in the file LICENSE in the source distribution or at
  8. * https://www.openssl.org/source/license.html
  9. */
  10. #include <limits.h>
  11. #include <string.h>
  12. #include <stdio.h>
  13. #include "../ssl_local.h"
  14. #include "statem_local.h"
  15. #include "internal/cryptlib.h"
  16. #include <openssl/buffer.h>
  17. #include <openssl/objects.h>
  18. #include <openssl/evp.h>
  19. #include <openssl/rsa.h>
  20. #include <openssl/x509.h>
  21. #include <openssl/trace.h>
  22. /*
  23. * Map error codes to TLS/SSL alart types.
  24. */
  25. typedef struct x509err2alert_st {
  26. int x509err;
  27. int alert;
  28. } X509ERR2ALERT;
  29. /* Fixed value used in the ServerHello random field to identify an HRR */
  30. const unsigned char hrrrandom[] = {
  31. 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
  32. 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
  33. 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
  34. };
  35. /*
  36. * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
  37. * SSL3_RT_CHANGE_CIPHER_SPEC)
  38. */
  39. int ssl3_do_write(SSL_CONNECTION *s, int type)
  40. {
  41. int ret;
  42. size_t written = 0;
  43. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  44. ret = ssl3_write_bytes(ssl, type, &s->init_buf->data[s->init_off],
  45. s->init_num, &written);
  46. if (ret < 0)
  47. return -1;
  48. if (type == SSL3_RT_HANDSHAKE)
  49. /*
  50. * should not be done for 'Hello Request's, but in that case we'll
  51. * ignore the result anyway
  52. * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
  53. */
  54. if (!SSL_CONNECTION_IS_TLS13(s)
  55. || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
  56. && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
  57. && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
  58. if (!ssl3_finish_mac(s,
  59. (unsigned char *)&s->init_buf->data[s->init_off],
  60. written))
  61. return -1;
  62. if (written == s->init_num) {
  63. if (s->msg_callback)
  64. s->msg_callback(1, s->version, type, s->init_buf->data,
  65. (size_t)(s->init_off + s->init_num), ssl,
  66. s->msg_callback_arg);
  67. return 1;
  68. }
  69. s->init_off += written;
  70. s->init_num -= written;
  71. return 0;
  72. }
  73. int tls_close_construct_packet(SSL_CONNECTION *s, WPACKET *pkt, int htype)
  74. {
  75. size_t msglen;
  76. if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
  77. || !WPACKET_get_length(pkt, &msglen)
  78. || msglen > INT_MAX)
  79. return 0;
  80. s->init_num = (int)msglen;
  81. s->init_off = 0;
  82. return 1;
  83. }
  84. int tls_setup_handshake(SSL_CONNECTION *s)
  85. {
  86. int ver_min, ver_max, ok;
  87. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  88. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  89. if (!ssl3_init_finished_mac(s)) {
  90. /* SSLfatal() already called */
  91. return 0;
  92. }
  93. /* Reset any extension flags */
  94. memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
  95. if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
  96. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
  97. return 0;
  98. }
  99. /* Sanity check that we have MD5-SHA1 if we need it */
  100. if (sctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
  101. int md5sha1_needed = 0;
  102. /* We don't have MD5-SHA1 - do we need it? */
  103. if (SSL_CONNECTION_IS_DTLS(s)) {
  104. if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
  105. md5sha1_needed = 1;
  106. } else {
  107. if (ver_max <= TLS1_1_VERSION)
  108. md5sha1_needed = 1;
  109. }
  110. if (md5sha1_needed) {
  111. SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
  112. SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
  113. "The max supported SSL/TLS version needs the"
  114. " MD5-SHA1 digest but it is not available"
  115. " in the loaded providers. Use (D)TLSv1.2 or"
  116. " above, or load different providers");
  117. return 0;
  118. }
  119. ok = 1;
  120. /* Don't allow TLSv1.1 or below to be negotiated */
  121. if (SSL_CONNECTION_IS_DTLS(s)) {
  122. if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
  123. ok = SSL_set_min_proto_version(ssl, DTLS1_2_VERSION);
  124. } else {
  125. if (ver_min < TLS1_2_VERSION)
  126. ok = SSL_set_min_proto_version(ssl, TLS1_2_VERSION);
  127. }
  128. if (!ok) {
  129. /* Shouldn't happen */
  130. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
  131. return 0;
  132. }
  133. }
  134. ok = 0;
  135. if (s->server) {
  136. STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl);
  137. int i;
  138. /*
  139. * Sanity check that the maximum version we accept has ciphers
  140. * enabled. For clients we do this check during construction of the
  141. * ClientHello.
  142. */
  143. for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
  144. const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
  145. if (SSL_CONNECTION_IS_DTLS(s)) {
  146. if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
  147. DTLS_VERSION_LE(ver_max, c->max_dtls))
  148. ok = 1;
  149. } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
  150. ok = 1;
  151. }
  152. if (ok)
  153. break;
  154. }
  155. if (!ok) {
  156. SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
  157. SSL_R_NO_CIPHERS_AVAILABLE,
  158. "No ciphers enabled for max supported "
  159. "SSL/TLS version");
  160. return 0;
  161. }
  162. if (SSL_IS_FIRST_HANDSHAKE(s)) {
  163. /* N.B. s->session_ctx == s->ctx here */
  164. ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
  165. } else {
  166. /* N.B. s->ctx may not equal s->session_ctx */
  167. ssl_tsan_counter(sctx, &sctx->stats.sess_accept_renegotiate);
  168. s->s3.tmp.cert_request = 0;
  169. }
  170. } else {
  171. if (SSL_IS_FIRST_HANDSHAKE(s))
  172. ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
  173. else
  174. ssl_tsan_counter(s->session_ctx,
  175. &s->session_ctx->stats.sess_connect_renegotiate);
  176. /* mark client_random uninitialized */
  177. memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
  178. s->hit = 0;
  179. s->s3.tmp.cert_req = 0;
  180. if (SSL_CONNECTION_IS_DTLS(s))
  181. s->statem.use_timer = 1;
  182. }
  183. return 1;
  184. }
  185. /*
  186. * Size of the to-be-signed TLS13 data, without the hash size itself:
  187. * 64 bytes of value 32, 33 context bytes, 1 byte separator
  188. */
  189. #define TLS13_TBS_START_SIZE 64
  190. #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
  191. static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs,
  192. void **hdata, size_t *hdatalen)
  193. {
  194. /* ASCII: "TLS 1.3, server CertificateVerify", in hex for EBCDIC compatibility */
  195. static const char servercontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x73\x65\x72"
  196. "\x76\x65\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79";
  197. /* ASCII: "TLS 1.3, client CertificateVerify", in hex for EBCDIC compatibility */
  198. static const char clientcontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x63\x6c\x69"
  199. "\x65\x6e\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79";
  200. if (SSL_CONNECTION_IS_TLS13(s)) {
  201. size_t hashlen;
  202. /* Set the first 64 bytes of to-be-signed data to octet 32 */
  203. memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
  204. /* This copies the 33 bytes of context plus the 0 separator byte */
  205. if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
  206. || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
  207. strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
  208. else
  209. strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
  210. /*
  211. * If we're currently reading then we need to use the saved handshake
  212. * hash value. We can't use the current handshake hash state because
  213. * that includes the CertVerify itself.
  214. */
  215. if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
  216. || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
  217. memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
  218. s->cert_verify_hash_len);
  219. hashlen = s->cert_verify_hash_len;
  220. } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
  221. EVP_MAX_MD_SIZE, &hashlen)) {
  222. /* SSLfatal() already called */
  223. return 0;
  224. }
  225. *hdata = tls13tbs;
  226. *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
  227. } else {
  228. size_t retlen;
  229. long retlen_l;
  230. retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
  231. if (retlen_l <= 0) {
  232. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  233. return 0;
  234. }
  235. *hdatalen = retlen;
  236. }
  237. return 1;
  238. }
  239. int tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt)
  240. {
  241. EVP_PKEY *pkey = NULL;
  242. const EVP_MD *md = NULL;
  243. EVP_MD_CTX *mctx = NULL;
  244. EVP_PKEY_CTX *pctx = NULL;
  245. size_t hdatalen = 0, siglen = 0;
  246. void *hdata;
  247. unsigned char *sig = NULL;
  248. unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
  249. const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
  250. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  251. if (lu == NULL || s->s3.tmp.cert == NULL) {
  252. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  253. goto err;
  254. }
  255. pkey = s->s3.tmp.cert->privatekey;
  256. if (pkey == NULL || !tls1_lookup_md(sctx, lu, &md)) {
  257. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  258. goto err;
  259. }
  260. mctx = EVP_MD_CTX_new();
  261. if (mctx == NULL) {
  262. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  263. goto err;
  264. }
  265. /* Get the data to be signed */
  266. if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
  267. /* SSLfatal() already called */
  268. goto err;
  269. }
  270. if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
  271. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  272. goto err;
  273. }
  274. if (EVP_DigestSignInit_ex(mctx, &pctx,
  275. md == NULL ? NULL : EVP_MD_get0_name(md),
  276. sctx->libctx, sctx->propq, pkey,
  277. NULL) <= 0) {
  278. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  279. goto err;
  280. }
  281. if (lu->sig == EVP_PKEY_RSA_PSS) {
  282. if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
  283. || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
  284. RSA_PSS_SALTLEN_DIGEST) <= 0) {
  285. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  286. goto err;
  287. }
  288. }
  289. if (s->version == SSL3_VERSION) {
  290. /*
  291. * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
  292. * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
  293. */
  294. if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
  295. || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
  296. (int)s->session->master_key_length,
  297. s->session->master_key) <= 0
  298. || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
  299. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  300. goto err;
  301. }
  302. sig = OPENSSL_malloc(siglen);
  303. if (sig == NULL
  304. || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
  305. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  306. goto err;
  307. }
  308. } else {
  309. /*
  310. * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
  311. * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
  312. */
  313. if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
  314. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  315. goto err;
  316. }
  317. sig = OPENSSL_malloc(siglen);
  318. if (sig == NULL
  319. || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
  320. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  321. goto err;
  322. }
  323. }
  324. #ifndef OPENSSL_NO_GOST
  325. {
  326. int pktype = lu->sig;
  327. if (pktype == NID_id_GostR3410_2001
  328. || pktype == NID_id_GostR3410_2012_256
  329. || pktype == NID_id_GostR3410_2012_512)
  330. BUF_reverse(sig, NULL, siglen);
  331. }
  332. #endif
  333. if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
  334. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  335. goto err;
  336. }
  337. /* Digest cached records and discard handshake buffer */
  338. if (!ssl3_digest_cached_records(s, 0)) {
  339. /* SSLfatal() already called */
  340. goto err;
  341. }
  342. OPENSSL_free(sig);
  343. EVP_MD_CTX_free(mctx);
  344. return 1;
  345. err:
  346. OPENSSL_free(sig);
  347. EVP_MD_CTX_free(mctx);
  348. return 0;
  349. }
  350. MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt)
  351. {
  352. EVP_PKEY *pkey = NULL;
  353. const unsigned char *data;
  354. #ifndef OPENSSL_NO_GOST
  355. unsigned char *gost_data = NULL;
  356. #endif
  357. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  358. int j;
  359. unsigned int len;
  360. X509 *peer;
  361. const EVP_MD *md = NULL;
  362. size_t hdatalen = 0;
  363. void *hdata;
  364. unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
  365. EVP_MD_CTX *mctx = EVP_MD_CTX_new();
  366. EVP_PKEY_CTX *pctx = NULL;
  367. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  368. if (mctx == NULL) {
  369. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  370. goto err;
  371. }
  372. peer = s->session->peer;
  373. pkey = X509_get0_pubkey(peer);
  374. if (pkey == NULL) {
  375. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  376. goto err;
  377. }
  378. if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
  379. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  380. SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
  381. goto err;
  382. }
  383. if (SSL_USE_SIGALGS(s)) {
  384. unsigned int sigalg;
  385. if (!PACKET_get_net_2(pkt, &sigalg)) {
  386. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
  387. goto err;
  388. }
  389. if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
  390. /* SSLfatal() already called */
  391. goto err;
  392. }
  393. } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
  394. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  395. goto err;
  396. }
  397. if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) {
  398. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  399. goto err;
  400. }
  401. if (SSL_USE_SIGALGS(s))
  402. OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
  403. md == NULL ? "n/a" : EVP_MD_get0_name(md));
  404. /* Check for broken implementations of GOST ciphersuites */
  405. /*
  406. * If key is GOST and len is exactly 64 or 128, it is signature without
  407. * length field (CryptoPro implementations at least till TLS 1.2)
  408. */
  409. #ifndef OPENSSL_NO_GOST
  410. if (!SSL_USE_SIGALGS(s)
  411. && ((PACKET_remaining(pkt) == 64
  412. && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
  413. || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
  414. || (PACKET_remaining(pkt) == 128
  415. && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
  416. len = PACKET_remaining(pkt);
  417. } else
  418. #endif
  419. if (!PACKET_get_net_2(pkt, &len)) {
  420. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  421. goto err;
  422. }
  423. if (!PACKET_get_bytes(pkt, &data, len)) {
  424. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  425. goto err;
  426. }
  427. if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
  428. /* SSLfatal() already called */
  429. goto err;
  430. }
  431. OSSL_TRACE1(TLS, "Using client verify alg %s\n",
  432. md == NULL ? "n/a" : EVP_MD_get0_name(md));
  433. if (EVP_DigestVerifyInit_ex(mctx, &pctx,
  434. md == NULL ? NULL : EVP_MD_get0_name(md),
  435. sctx->libctx, sctx->propq, pkey,
  436. NULL) <= 0) {
  437. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  438. goto err;
  439. }
  440. #ifndef OPENSSL_NO_GOST
  441. {
  442. int pktype = EVP_PKEY_get_id(pkey);
  443. if (pktype == NID_id_GostR3410_2001
  444. || pktype == NID_id_GostR3410_2012_256
  445. || pktype == NID_id_GostR3410_2012_512) {
  446. if ((gost_data = OPENSSL_malloc(len)) == NULL) {
  447. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  448. goto err;
  449. }
  450. BUF_reverse(gost_data, data, len);
  451. data = gost_data;
  452. }
  453. }
  454. #endif
  455. if (SSL_USE_PSS(s)) {
  456. if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
  457. || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
  458. RSA_PSS_SALTLEN_DIGEST) <= 0) {
  459. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  460. goto err;
  461. }
  462. }
  463. if (s->version == SSL3_VERSION) {
  464. if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
  465. || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
  466. (int)s->session->master_key_length,
  467. s->session->master_key) <= 0) {
  468. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  469. goto err;
  470. }
  471. if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
  472. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
  473. goto err;
  474. }
  475. } else {
  476. j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
  477. if (j <= 0) {
  478. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
  479. goto err;
  480. }
  481. }
  482. /*
  483. * In TLSv1.3 on the client side we make sure we prepare the client
  484. * certificate after the CertVerify instead of when we get the
  485. * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
  486. * comes *before* the Certificate message. In TLSv1.2 it comes after. We
  487. * want to make sure that SSL_get1_peer_certificate() will return the actual
  488. * server certificate from the client_cert_cb callback.
  489. */
  490. if (!s->server && SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
  491. ret = MSG_PROCESS_CONTINUE_PROCESSING;
  492. else
  493. ret = MSG_PROCESS_CONTINUE_READING;
  494. err:
  495. BIO_free(s->s3.handshake_buffer);
  496. s->s3.handshake_buffer = NULL;
  497. EVP_MD_CTX_free(mctx);
  498. #ifndef OPENSSL_NO_GOST
  499. OPENSSL_free(gost_data);
  500. #endif
  501. return ret;
  502. }
  503. int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
  504. {
  505. size_t finish_md_len;
  506. const char *sender;
  507. size_t slen;
  508. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  509. /* This is a real handshake so make sure we clean it up at the end */
  510. if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
  511. s->statem.cleanuphand = 1;
  512. /*
  513. * We only change the keys if we didn't already do this when we sent the
  514. * client certificate
  515. */
  516. if (SSL_CONNECTION_IS_TLS13(s)
  517. && !s->server
  518. && s->s3.tmp.cert_req == 0
  519. && (!ssl->method->ssl3_enc->change_cipher_state(s,
  520. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
  521. /* SSLfatal() already called */
  522. return 0;
  523. }
  524. if (s->server) {
  525. sender = ssl->method->ssl3_enc->server_finished_label;
  526. slen = ssl->method->ssl3_enc->server_finished_label_len;
  527. } else {
  528. sender = ssl->method->ssl3_enc->client_finished_label;
  529. slen = ssl->method->ssl3_enc->client_finished_label_len;
  530. }
  531. finish_md_len = ssl->method->ssl3_enc->final_finish_mac(s,
  532. sender, slen,
  533. s->s3.tmp.finish_md);
  534. if (finish_md_len == 0) {
  535. /* SSLfatal() already called */
  536. return 0;
  537. }
  538. s->s3.tmp.finish_md_len = finish_md_len;
  539. if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
  540. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  541. return 0;
  542. }
  543. /*
  544. * Log the master secret, if logging is enabled. We don't log it for
  545. * TLSv1.3: there's a different key schedule for that.
  546. */
  547. if (!SSL_CONNECTION_IS_TLS13(s)
  548. && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key,
  549. s->session->master_key_length)) {
  550. /* SSLfatal() already called */
  551. return 0;
  552. }
  553. /*
  554. * Copy the finished so we can use it for renegotiation checks
  555. */
  556. if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
  557. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  558. return 0;
  559. }
  560. if (!s->server) {
  561. memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
  562. finish_md_len);
  563. s->s3.previous_client_finished_len = finish_md_len;
  564. } else {
  565. memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
  566. finish_md_len);
  567. s->s3.previous_server_finished_len = finish_md_len;
  568. }
  569. return 1;
  570. }
  571. int tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt)
  572. {
  573. if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
  574. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  575. return 0;
  576. }
  577. s->key_update = SSL_KEY_UPDATE_NONE;
  578. return 1;
  579. }
  580. MSG_PROCESS_RETURN tls_process_key_update(SSL_CONNECTION *s, PACKET *pkt)
  581. {
  582. unsigned int updatetype;
  583. /*
  584. * A KeyUpdate message signals a key change so the end of the message must
  585. * be on a record boundary.
  586. */
  587. if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  588. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
  589. return MSG_PROCESS_ERROR;
  590. }
  591. if (!PACKET_get_1(pkt, &updatetype)
  592. || PACKET_remaining(pkt) != 0) {
  593. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
  594. return MSG_PROCESS_ERROR;
  595. }
  596. /*
  597. * There are only two defined key update types. Fail if we get a value we
  598. * didn't recognise.
  599. */
  600. if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
  601. && updatetype != SSL_KEY_UPDATE_REQUESTED) {
  602. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
  603. return MSG_PROCESS_ERROR;
  604. }
  605. /*
  606. * If we get a request for us to update our sending keys too then, we need
  607. * to additionally send a KeyUpdate message. However that message should
  608. * not also request an update (otherwise we get into an infinite loop).
  609. */
  610. if (updatetype == SSL_KEY_UPDATE_REQUESTED)
  611. s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
  612. if (!tls13_update_key(s, 0)) {
  613. /* SSLfatal() already called */
  614. return MSG_PROCESS_ERROR;
  615. }
  616. return MSG_PROCESS_FINISHED_READING;
  617. }
  618. /*
  619. * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
  620. * to far.
  621. */
  622. int ssl3_take_mac(SSL_CONNECTION *s)
  623. {
  624. const char *sender;
  625. size_t slen;
  626. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  627. if (!s->server) {
  628. sender = ssl->method->ssl3_enc->server_finished_label;
  629. slen = ssl->method->ssl3_enc->server_finished_label_len;
  630. } else {
  631. sender = ssl->method->ssl3_enc->client_finished_label;
  632. slen = ssl->method->ssl3_enc->client_finished_label_len;
  633. }
  634. s->s3.tmp.peer_finish_md_len =
  635. ssl->method->ssl3_enc->final_finish_mac(s, sender, slen,
  636. s->s3.tmp.peer_finish_md);
  637. if (s->s3.tmp.peer_finish_md_len == 0) {
  638. /* SSLfatal() already called */
  639. return 0;
  640. }
  641. return 1;
  642. }
  643. MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL_CONNECTION *s,
  644. PACKET *pkt)
  645. {
  646. size_t remain;
  647. remain = PACKET_remaining(pkt);
  648. /*
  649. * 'Change Cipher Spec' is just a single byte, which should already have
  650. * been consumed by ssl_get_message() so there should be no bytes left,
  651. * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
  652. */
  653. if (SSL_CONNECTION_IS_DTLS(s)) {
  654. if ((s->version == DTLS1_BAD_VER
  655. && remain != DTLS1_CCS_HEADER_LENGTH + 1)
  656. || (s->version != DTLS1_BAD_VER
  657. && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
  658. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
  659. return MSG_PROCESS_ERROR;
  660. }
  661. } else {
  662. if (remain != 0) {
  663. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
  664. return MSG_PROCESS_ERROR;
  665. }
  666. }
  667. /* Check we have a cipher to change to */
  668. if (s->s3.tmp.new_cipher == NULL) {
  669. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
  670. return MSG_PROCESS_ERROR;
  671. }
  672. s->s3.change_cipher_spec = 1;
  673. if (!ssl3_do_change_cipher_spec(s)) {
  674. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  675. return MSG_PROCESS_ERROR;
  676. }
  677. if (SSL_CONNECTION_IS_DTLS(s)) {
  678. dtls1_reset_seq_numbers(s, SSL3_CC_READ);
  679. if (s->version == DTLS1_BAD_VER)
  680. s->d1->handshake_read_seq++;
  681. #ifndef OPENSSL_NO_SCTP
  682. /*
  683. * Remember that a CCS has been received, so that an old key of
  684. * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
  685. * SCTP is used
  686. */
  687. BIO_ctrl(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)),
  688. BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
  689. #endif
  690. }
  691. return MSG_PROCESS_CONTINUE_READING;
  692. }
  693. MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt)
  694. {
  695. size_t md_len;
  696. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  697. int was_first = SSL_IS_FIRST_HANDSHAKE(s);
  698. /* This is a real handshake so make sure we clean it up at the end */
  699. if (s->server) {
  700. /*
  701. * To get this far we must have read encrypted data from the client. We
  702. * no longer tolerate unencrypted alerts. This is ignored if less than
  703. * TLSv1.3
  704. */
  705. if (s->rlayer.rrlmethod->set_plain_alerts != NULL)
  706. s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0);
  707. if (s->post_handshake_auth != SSL_PHA_REQUESTED)
  708. s->statem.cleanuphand = 1;
  709. if (SSL_CONNECTION_IS_TLS13(s)
  710. && !tls13_save_handshake_digest_for_pha(s)) {
  711. /* SSLfatal() already called */
  712. return MSG_PROCESS_ERROR;
  713. }
  714. }
  715. /*
  716. * In TLSv1.3 a Finished message signals a key change so the end of the
  717. * message must be on a record boundary.
  718. */
  719. if (SSL_CONNECTION_IS_TLS13(s)
  720. && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  721. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
  722. return MSG_PROCESS_ERROR;
  723. }
  724. /* If this occurs, we have missed a message */
  725. if (!SSL_CONNECTION_IS_TLS13(s) && !s->s3.change_cipher_spec) {
  726. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
  727. return MSG_PROCESS_ERROR;
  728. }
  729. s->s3.change_cipher_spec = 0;
  730. md_len = s->s3.tmp.peer_finish_md_len;
  731. if (md_len != PACKET_remaining(pkt)) {
  732. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
  733. return MSG_PROCESS_ERROR;
  734. }
  735. if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
  736. md_len) != 0) {
  737. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
  738. return MSG_PROCESS_ERROR;
  739. }
  740. /*
  741. * Copy the finished so we can use it for renegotiation checks
  742. */
  743. if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
  744. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  745. return MSG_PROCESS_ERROR;
  746. }
  747. if (s->server) {
  748. memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
  749. md_len);
  750. s->s3.previous_client_finished_len = md_len;
  751. } else {
  752. memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
  753. md_len);
  754. s->s3.previous_server_finished_len = md_len;
  755. }
  756. /*
  757. * In TLS1.3 we also have to change cipher state and do any final processing
  758. * of the initial server flight (if we are a client)
  759. */
  760. if (SSL_CONNECTION_IS_TLS13(s)) {
  761. if (s->server) {
  762. if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
  763. !ssl->method->ssl3_enc->change_cipher_state(s,
  764. SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
  765. /* SSLfatal() already called */
  766. return MSG_PROCESS_ERROR;
  767. }
  768. } else {
  769. /* TLS 1.3 gets the secret size from the handshake md */
  770. size_t dummy;
  771. if (!ssl->method->ssl3_enc->generate_master_secret(s,
  772. s->master_secret, s->handshake_secret, 0,
  773. &dummy)) {
  774. /* SSLfatal() already called */
  775. return MSG_PROCESS_ERROR;
  776. }
  777. if (!ssl->method->ssl3_enc->change_cipher_state(s,
  778. SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
  779. /* SSLfatal() already called */
  780. return MSG_PROCESS_ERROR;
  781. }
  782. if (!tls_process_initial_server_flight(s)) {
  783. /* SSLfatal() already called */
  784. return MSG_PROCESS_ERROR;
  785. }
  786. }
  787. }
  788. if (was_first
  789. && !SSL_IS_FIRST_HANDSHAKE(s)
  790. && s->rlayer.rrlmethod->set_first_handshake != NULL)
  791. s->rlayer.rrlmethod->set_first_handshake(s->rlayer.rrl, 0);
  792. return MSG_PROCESS_FINISHED_READING;
  793. }
  794. int tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt)
  795. {
  796. if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
  797. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  798. return 0;
  799. }
  800. return 1;
  801. }
  802. /* Add a certificate to the WPACKET */
  803. static int ssl_add_cert_to_wpacket(SSL_CONNECTION *s, WPACKET *pkt,
  804. X509 *x, int chain)
  805. {
  806. int len;
  807. unsigned char *outbytes;
  808. len = i2d_X509(x, NULL);
  809. if (len < 0) {
  810. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
  811. return 0;
  812. }
  813. if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
  814. || i2d_X509(x, &outbytes) != len) {
  815. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  816. return 0;
  817. }
  818. if (SSL_CONNECTION_IS_TLS13(s)
  819. && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
  820. chain)) {
  821. /* SSLfatal() already called */
  822. return 0;
  823. }
  824. return 1;
  825. }
  826. /* Add certificate chain to provided WPACKET */
  827. static int ssl_add_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, CERT_PKEY *cpk)
  828. {
  829. int i, chain_count;
  830. X509 *x;
  831. STACK_OF(X509) *extra_certs;
  832. STACK_OF(X509) *chain = NULL;
  833. X509_STORE *chain_store;
  834. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  835. if (cpk == NULL || cpk->x509 == NULL)
  836. return 1;
  837. x = cpk->x509;
  838. /*
  839. * If we have a certificate specific chain use it, else use parent ctx.
  840. */
  841. if (cpk->chain != NULL)
  842. extra_certs = cpk->chain;
  843. else
  844. extra_certs = sctx->extra_certs;
  845. if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
  846. chain_store = NULL;
  847. else if (s->cert->chain_store)
  848. chain_store = s->cert->chain_store;
  849. else
  850. chain_store = sctx->cert_store;
  851. if (chain_store != NULL) {
  852. X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(sctx->libctx,
  853. sctx->propq);
  854. if (xs_ctx == NULL) {
  855. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  856. return 0;
  857. }
  858. if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
  859. X509_STORE_CTX_free(xs_ctx);
  860. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
  861. return 0;
  862. }
  863. /*
  864. * It is valid for the chain not to be complete (because normally we
  865. * don't include the root cert in the chain). Therefore we deliberately
  866. * ignore the error return from this call. We're not actually verifying
  867. * the cert - we're just building as much of the chain as we can
  868. */
  869. (void)X509_verify_cert(xs_ctx);
  870. /* Don't leave errors in the queue */
  871. ERR_clear_error();
  872. chain = X509_STORE_CTX_get0_chain(xs_ctx);
  873. i = ssl_security_cert_chain(s, chain, NULL, 0);
  874. if (i != 1) {
  875. #if 0
  876. /* Dummy error calls so mkerr generates them */
  877. ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
  878. ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
  879. ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
  880. #endif
  881. X509_STORE_CTX_free(xs_ctx);
  882. SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
  883. return 0;
  884. }
  885. chain_count = sk_X509_num(chain);
  886. for (i = 0; i < chain_count; i++) {
  887. x = sk_X509_value(chain, i);
  888. if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
  889. /* SSLfatal() already called */
  890. X509_STORE_CTX_free(xs_ctx);
  891. return 0;
  892. }
  893. }
  894. X509_STORE_CTX_free(xs_ctx);
  895. } else {
  896. i = ssl_security_cert_chain(s, extra_certs, x, 0);
  897. if (i != 1) {
  898. SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
  899. return 0;
  900. }
  901. if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
  902. /* SSLfatal() already called */
  903. return 0;
  904. }
  905. for (i = 0; i < sk_X509_num(extra_certs); i++) {
  906. x = sk_X509_value(extra_certs, i);
  907. if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
  908. /* SSLfatal() already called */
  909. return 0;
  910. }
  911. }
  912. }
  913. return 1;
  914. }
  915. unsigned long ssl3_output_cert_chain(SSL_CONNECTION *s, WPACKET *pkt,
  916. CERT_PKEY *cpk)
  917. {
  918. if (!WPACKET_start_sub_packet_u24(pkt)) {
  919. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  920. return 0;
  921. }
  922. if (!ssl_add_cert_chain(s, pkt, cpk))
  923. return 0;
  924. if (!WPACKET_close(pkt)) {
  925. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  926. return 0;
  927. }
  928. return 1;
  929. }
  930. /*
  931. * Tidy up after the end of a handshake. In the case of SCTP this may result
  932. * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
  933. * freed up as well.
  934. */
  935. WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst,
  936. int clearbufs, int stop)
  937. {
  938. void (*cb) (const SSL *ssl, int type, int val) = NULL;
  939. int cleanuphand = s->statem.cleanuphand;
  940. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  941. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  942. if (clearbufs) {
  943. if (!SSL_CONNECTION_IS_DTLS(s)
  944. #ifndef OPENSSL_NO_SCTP
  945. /*
  946. * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
  947. * messages that require it. Therefore, DTLS procedures for retransmissions
  948. * MUST NOT be used.
  949. * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
  950. */
  951. || BIO_dgram_is_sctp(SSL_get_wbio(ssl))
  952. #endif
  953. ) {
  954. /*
  955. * We don't do this in DTLS over UDP because we may still need the init_buf
  956. * in case there are any unexpected retransmits
  957. */
  958. BUF_MEM_free(s->init_buf);
  959. s->init_buf = NULL;
  960. }
  961. if (!ssl_free_wbio_buffer(s)) {
  962. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  963. return WORK_ERROR;
  964. }
  965. s->init_num = 0;
  966. }
  967. if (SSL_CONNECTION_IS_TLS13(s) && !s->server
  968. && s->post_handshake_auth == SSL_PHA_REQUESTED)
  969. s->post_handshake_auth = SSL_PHA_EXT_SENT;
  970. /*
  971. * Only set if there was a Finished message and this isn't after a TLSv1.3
  972. * post handshake exchange
  973. */
  974. if (cleanuphand) {
  975. /* skipped if we just sent a HelloRequest */
  976. s->renegotiate = 0;
  977. s->new_session = 0;
  978. s->statem.cleanuphand = 0;
  979. s->ext.ticket_expected = 0;
  980. ssl3_cleanup_key_block(s);
  981. if (s->server) {
  982. /*
  983. * In TLSv1.3 we update the cache as part of constructing the
  984. * NewSessionTicket
  985. */
  986. if (!SSL_CONNECTION_IS_TLS13(s))
  987. ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
  988. /* N.B. s->ctx may not equal s->session_ctx */
  989. ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good);
  990. s->handshake_func = ossl_statem_accept;
  991. } else {
  992. if (SSL_CONNECTION_IS_TLS13(s)) {
  993. /*
  994. * We encourage applications to only use TLSv1.3 tickets once,
  995. * so we remove this one from the cache.
  996. */
  997. if ((s->session_ctx->session_cache_mode
  998. & SSL_SESS_CACHE_CLIENT) != 0)
  999. SSL_CTX_remove_session(s->session_ctx, s->session);
  1000. } else {
  1001. /*
  1002. * In TLSv1.3 we update the cache as part of processing the
  1003. * NewSessionTicket
  1004. */
  1005. ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
  1006. }
  1007. if (s->hit)
  1008. ssl_tsan_counter(s->session_ctx,
  1009. &s->session_ctx->stats.sess_hit);
  1010. s->handshake_func = ossl_statem_connect;
  1011. ssl_tsan_counter(s->session_ctx,
  1012. &s->session_ctx->stats.sess_connect_good);
  1013. }
  1014. if (SSL_CONNECTION_IS_DTLS(s)) {
  1015. /* done with handshaking */
  1016. s->d1->handshake_read_seq = 0;
  1017. s->d1->handshake_write_seq = 0;
  1018. s->d1->next_handshake_write_seq = 0;
  1019. dtls1_clear_received_buffer(s);
  1020. }
  1021. }
  1022. if (s->info_callback != NULL)
  1023. cb = s->info_callback;
  1024. else if (sctx->info_callback != NULL)
  1025. cb = sctx->info_callback;
  1026. /* The callback may expect us to not be in init at handshake done */
  1027. ossl_statem_set_in_init(s, 0);
  1028. if (cb != NULL) {
  1029. if (cleanuphand
  1030. || !SSL_CONNECTION_IS_TLS13(s)
  1031. || SSL_IS_FIRST_HANDSHAKE(s))
  1032. cb(ssl, SSL_CB_HANDSHAKE_DONE, 1);
  1033. }
  1034. if (!stop) {
  1035. /* If we've got more work to do we go back into init */
  1036. ossl_statem_set_in_init(s, 1);
  1037. return WORK_FINISHED_CONTINUE;
  1038. }
  1039. return WORK_FINISHED_STOP;
  1040. }
  1041. int tls_get_message_header(SSL_CONNECTION *s, int *mt)
  1042. {
  1043. /* s->init_num < SSL3_HM_HEADER_LENGTH */
  1044. int skip_message, i, recvd_type;
  1045. unsigned char *p;
  1046. size_t l, readbytes;
  1047. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  1048. p = (unsigned char *)s->init_buf->data;
  1049. do {
  1050. while (s->init_num < SSL3_HM_HEADER_LENGTH) {
  1051. i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, &recvd_type,
  1052. &p[s->init_num],
  1053. SSL3_HM_HEADER_LENGTH - s->init_num,
  1054. 0, &readbytes);
  1055. if (i <= 0) {
  1056. s->rwstate = SSL_READING;
  1057. return 0;
  1058. }
  1059. if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
  1060. /*
  1061. * A ChangeCipherSpec must be a single byte and may not occur
  1062. * in the middle of a handshake message.
  1063. */
  1064. if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
  1065. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1066. SSL_R_BAD_CHANGE_CIPHER_SPEC);
  1067. return 0;
  1068. }
  1069. if (s->statem.hand_state == TLS_ST_BEFORE
  1070. && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
  1071. /*
  1072. * We are stateless and we received a CCS. Probably this is
  1073. * from a client between the first and second ClientHellos.
  1074. * We should ignore this, but return an error because we do
  1075. * not return success until we see the second ClientHello
  1076. * with a valid cookie.
  1077. */
  1078. return 0;
  1079. }
  1080. s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
  1081. s->init_num = readbytes - 1;
  1082. s->init_msg = s->init_buf->data;
  1083. s->s3.tmp.message_size = readbytes;
  1084. return 1;
  1085. } else if (recvd_type != SSL3_RT_HANDSHAKE) {
  1086. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1087. SSL_R_CCS_RECEIVED_EARLY);
  1088. return 0;
  1089. }
  1090. s->init_num += readbytes;
  1091. }
  1092. skip_message = 0;
  1093. if (!s->server)
  1094. if (s->statem.hand_state != TLS_ST_OK
  1095. && p[0] == SSL3_MT_HELLO_REQUEST)
  1096. /*
  1097. * The server may always send 'Hello Request' messages --
  1098. * we are doing a handshake anyway now, so ignore them if
  1099. * their format is correct. Does not count for 'Finished'
  1100. * MAC.
  1101. */
  1102. if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
  1103. s->init_num = 0;
  1104. skip_message = 1;
  1105. if (s->msg_callback)
  1106. s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
  1107. p, SSL3_HM_HEADER_LENGTH, ssl,
  1108. s->msg_callback_arg);
  1109. }
  1110. } while (skip_message);
  1111. /* s->init_num == SSL3_HM_HEADER_LENGTH */
  1112. *mt = *p;
  1113. s->s3.tmp.message_type = *(p++);
  1114. if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
  1115. /*
  1116. * Only happens with SSLv3+ in an SSLv2 backward compatible
  1117. * ClientHello
  1118. *
  1119. * Total message size is the remaining record bytes to read
  1120. * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
  1121. */
  1122. l = s->rlayer.tlsrecs[0].length + SSL3_HM_HEADER_LENGTH;
  1123. s->s3.tmp.message_size = l;
  1124. s->init_msg = s->init_buf->data;
  1125. s->init_num = SSL3_HM_HEADER_LENGTH;
  1126. } else {
  1127. n2l3(p, l);
  1128. /* BUF_MEM_grow takes an 'int' parameter */
  1129. if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
  1130. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1131. SSL_R_EXCESSIVE_MESSAGE_SIZE);
  1132. return 0;
  1133. }
  1134. s->s3.tmp.message_size = l;
  1135. s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
  1136. s->init_num = 0;
  1137. }
  1138. return 1;
  1139. }
  1140. int tls_get_message_body(SSL_CONNECTION *s, size_t *len)
  1141. {
  1142. size_t n, readbytes;
  1143. unsigned char *p;
  1144. int i;
  1145. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  1146. if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
  1147. /* We've already read everything in */
  1148. *len = (unsigned long)s->init_num;
  1149. return 1;
  1150. }
  1151. p = s->init_msg;
  1152. n = s->s3.tmp.message_size - s->init_num;
  1153. while (n > 0) {
  1154. i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL,
  1155. &p[s->init_num], n, 0, &readbytes);
  1156. if (i <= 0) {
  1157. s->rwstate = SSL_READING;
  1158. *len = 0;
  1159. return 0;
  1160. }
  1161. s->init_num += readbytes;
  1162. n -= readbytes;
  1163. }
  1164. /*
  1165. * If receiving Finished, record MAC of prior handshake messages for
  1166. * Finished verification.
  1167. */
  1168. if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
  1169. /* SSLfatal() already called */
  1170. *len = 0;
  1171. return 0;
  1172. }
  1173. /* Feed this message into MAC computation. */
  1174. if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
  1175. if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
  1176. s->init_num)) {
  1177. /* SSLfatal() already called */
  1178. *len = 0;
  1179. return 0;
  1180. }
  1181. if (s->msg_callback)
  1182. s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
  1183. (size_t)s->init_num, ssl, s->msg_callback_arg);
  1184. } else {
  1185. /*
  1186. * We defer feeding in the HRR until later. We'll do it as part of
  1187. * processing the message
  1188. * The TLsv1.3 handshake transcript stops at the ClientFinished
  1189. * message.
  1190. */
  1191. #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
  1192. /* KeyUpdate and NewSessionTicket do not need to be added */
  1193. if (!SSL_CONNECTION_IS_TLS13(s)
  1194. || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
  1195. && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
  1196. if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
  1197. || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
  1198. || memcmp(hrrrandom,
  1199. s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
  1200. SSL3_RANDOM_SIZE) != 0) {
  1201. if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
  1202. s->init_num + SSL3_HM_HEADER_LENGTH)) {
  1203. /* SSLfatal() already called */
  1204. *len = 0;
  1205. return 0;
  1206. }
  1207. }
  1208. }
  1209. if (s->msg_callback)
  1210. s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
  1211. (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, ssl,
  1212. s->msg_callback_arg);
  1213. }
  1214. *len = s->init_num;
  1215. return 1;
  1216. }
  1217. static const X509ERR2ALERT x509table[] = {
  1218. {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
  1219. {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
  1220. {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
  1221. {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
  1222. {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
  1223. {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
  1224. {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
  1225. {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
  1226. {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
  1227. {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
  1228. {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
  1229. {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
  1230. {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
  1231. {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
  1232. {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
  1233. {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
  1234. {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
  1235. {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
  1236. {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
  1237. {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
  1238. {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
  1239. {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
  1240. {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
  1241. {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
  1242. {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
  1243. {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
  1244. {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
  1245. {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
  1246. {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
  1247. {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
  1248. {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
  1249. {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
  1250. {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
  1251. {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
  1252. {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
  1253. {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
  1254. {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
  1255. {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
  1256. {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
  1257. {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
  1258. /* Last entry; return this if we don't find the value above. */
  1259. {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
  1260. };
  1261. int ssl_x509err2alert(int x509err)
  1262. {
  1263. const X509ERR2ALERT *tp;
  1264. for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
  1265. if (tp->x509err == x509err)
  1266. break;
  1267. return tp->alert;
  1268. }
  1269. int ssl_allow_compression(SSL_CONNECTION *s)
  1270. {
  1271. if (s->options & SSL_OP_NO_COMPRESSION)
  1272. return 0;
  1273. return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
  1274. }
  1275. static int version_cmp(const SSL_CONNECTION *s, int a, int b)
  1276. {
  1277. int dtls = SSL_CONNECTION_IS_DTLS(s);
  1278. if (a == b)
  1279. return 0;
  1280. if (!dtls)
  1281. return a < b ? -1 : 1;
  1282. return DTLS_VERSION_LT(a, b) ? -1 : 1;
  1283. }
  1284. typedef struct {
  1285. int version;
  1286. const SSL_METHOD *(*cmeth) (void);
  1287. const SSL_METHOD *(*smeth) (void);
  1288. } version_info;
  1289. #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
  1290. # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
  1291. #endif
  1292. /* Must be in order high to low */
  1293. static const version_info tls_version_table[] = {
  1294. #ifndef OPENSSL_NO_TLS1_3
  1295. {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
  1296. #else
  1297. {TLS1_3_VERSION, NULL, NULL},
  1298. #endif
  1299. #ifndef OPENSSL_NO_TLS1_2
  1300. {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
  1301. #else
  1302. {TLS1_2_VERSION, NULL, NULL},
  1303. #endif
  1304. #ifndef OPENSSL_NO_TLS1_1
  1305. {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
  1306. #else
  1307. {TLS1_1_VERSION, NULL, NULL},
  1308. #endif
  1309. #ifndef OPENSSL_NO_TLS1
  1310. {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
  1311. #else
  1312. {TLS1_VERSION, NULL, NULL},
  1313. #endif
  1314. #ifndef OPENSSL_NO_SSL3
  1315. {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
  1316. #else
  1317. {SSL3_VERSION, NULL, NULL},
  1318. #endif
  1319. {0, NULL, NULL},
  1320. };
  1321. #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
  1322. # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
  1323. #endif
  1324. /* Must be in order high to low */
  1325. static const version_info dtls_version_table[] = {
  1326. #ifndef OPENSSL_NO_DTLS1_2
  1327. {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
  1328. #else
  1329. {DTLS1_2_VERSION, NULL, NULL},
  1330. #endif
  1331. #ifndef OPENSSL_NO_DTLS1
  1332. {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
  1333. {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
  1334. #else
  1335. {DTLS1_VERSION, NULL, NULL},
  1336. {DTLS1_BAD_VER, NULL, NULL},
  1337. #endif
  1338. {0, NULL, NULL},
  1339. };
  1340. /*
  1341. * ssl_method_error - Check whether an SSL_METHOD is enabled.
  1342. *
  1343. * @s: The SSL handle for the candidate method
  1344. * @method: the intended method.
  1345. *
  1346. * Returns 0 on success, or an SSL error reason on failure.
  1347. */
  1348. static int ssl_method_error(const SSL_CONNECTION *s, const SSL_METHOD *method)
  1349. {
  1350. int version = method->version;
  1351. if ((s->min_proto_version != 0 &&
  1352. version_cmp(s, version, s->min_proto_version) < 0) ||
  1353. ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
  1354. return SSL_R_VERSION_TOO_LOW;
  1355. if (s->max_proto_version != 0 &&
  1356. version_cmp(s, version, s->max_proto_version) > 0)
  1357. return SSL_R_VERSION_TOO_HIGH;
  1358. if ((s->options & method->mask) != 0)
  1359. return SSL_R_UNSUPPORTED_PROTOCOL;
  1360. if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
  1361. return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
  1362. return 0;
  1363. }
  1364. /*
  1365. * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
  1366. * certificate type, or has PSK or a certificate callback configured, or has
  1367. * a servername callback configure. Otherwise returns 0.
  1368. */
  1369. static int is_tls13_capable(const SSL_CONNECTION *s)
  1370. {
  1371. int i;
  1372. int curve;
  1373. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1374. if (!ossl_assert(sctx != NULL) || !ossl_assert(s->session_ctx != NULL))
  1375. return 0;
  1376. /*
  1377. * A servername callback can change the available certs, so if a servername
  1378. * cb is set then we just assume TLSv1.3 will be ok
  1379. */
  1380. if (sctx->ext.servername_cb != NULL
  1381. || s->session_ctx->ext.servername_cb != NULL)
  1382. return 1;
  1383. #ifndef OPENSSL_NO_PSK
  1384. if (s->psk_server_callback != NULL)
  1385. return 1;
  1386. #endif
  1387. if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
  1388. return 1;
  1389. for (i = 0; i < SSL_PKEY_NUM; i++) {
  1390. /* Skip over certs disallowed for TLSv1.3 */
  1391. switch (i) {
  1392. case SSL_PKEY_DSA_SIGN:
  1393. case SSL_PKEY_GOST01:
  1394. case SSL_PKEY_GOST12_256:
  1395. case SSL_PKEY_GOST12_512:
  1396. continue;
  1397. default:
  1398. break;
  1399. }
  1400. if (!ssl_has_cert(s, i))
  1401. continue;
  1402. if (i != SSL_PKEY_ECC)
  1403. return 1;
  1404. /*
  1405. * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
  1406. * more restrictive so check that our sig algs are consistent with this
  1407. * EC cert. See section 4.2.3 of RFC8446.
  1408. */
  1409. curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
  1410. if (tls_check_sigalg_curve(s, curve))
  1411. return 1;
  1412. }
  1413. return 0;
  1414. }
  1415. /*
  1416. * ssl_version_supported - Check that the specified `version` is supported by
  1417. * `SSL *` instance
  1418. *
  1419. * @s: The SSL handle for the candidate method
  1420. * @version: Protocol version to test against
  1421. *
  1422. * Returns 1 when supported, otherwise 0
  1423. */
  1424. int ssl_version_supported(const SSL_CONNECTION *s, int version,
  1425. const SSL_METHOD **meth)
  1426. {
  1427. const version_info *vent;
  1428. const version_info *table;
  1429. switch (SSL_CONNECTION_GET_SSL(s)->method->version) {
  1430. default:
  1431. /* Version should match method version for non-ANY method */
  1432. return version_cmp(s, version, s->version) == 0;
  1433. case TLS_ANY_VERSION:
  1434. table = tls_version_table;
  1435. break;
  1436. case DTLS_ANY_VERSION:
  1437. table = dtls_version_table;
  1438. break;
  1439. }
  1440. for (vent = table;
  1441. vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
  1442. ++vent) {
  1443. if (vent->cmeth != NULL
  1444. && version_cmp(s, version, vent->version) == 0
  1445. && ssl_method_error(s, vent->cmeth()) == 0
  1446. && (!s->server
  1447. || version != TLS1_3_VERSION
  1448. || is_tls13_capable(s))) {
  1449. if (meth != NULL)
  1450. *meth = vent->cmeth();
  1451. return 1;
  1452. }
  1453. }
  1454. return 0;
  1455. }
  1456. /*
  1457. * ssl_check_version_downgrade - In response to RFC7507 SCSV version
  1458. * fallback indication from a client check whether we're using the highest
  1459. * supported protocol version.
  1460. *
  1461. * @s server SSL handle.
  1462. *
  1463. * Returns 1 when using the highest enabled version, 0 otherwise.
  1464. */
  1465. int ssl_check_version_downgrade(SSL_CONNECTION *s)
  1466. {
  1467. const version_info *vent;
  1468. const version_info *table;
  1469. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1470. /*
  1471. * Check that the current protocol is the highest enabled version
  1472. * (according to s->ctx->method, as version negotiation may have changed
  1473. * s->method).
  1474. */
  1475. if (s->version == sctx->method->version)
  1476. return 1;
  1477. /*
  1478. * Apparently we're using a version-flexible SSL_METHOD (not at its
  1479. * highest protocol version).
  1480. */
  1481. if (sctx->method->version == TLS_method()->version)
  1482. table = tls_version_table;
  1483. else if (sctx->method->version == DTLS_method()->version)
  1484. table = dtls_version_table;
  1485. else {
  1486. /* Unexpected state; fail closed. */
  1487. return 0;
  1488. }
  1489. for (vent = table; vent->version != 0; ++vent) {
  1490. if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
  1491. return s->version == vent->version;
  1492. }
  1493. return 0;
  1494. }
  1495. /*
  1496. * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
  1497. * protocols, provided the initial (D)TLS method is version-flexible. This
  1498. * function sanity-checks the proposed value and makes sure the method is
  1499. * version-flexible, then sets the limit if all is well.
  1500. *
  1501. * @method_version: The version of the current SSL_METHOD.
  1502. * @version: the intended limit.
  1503. * @bound: pointer to limit to be updated.
  1504. *
  1505. * Returns 1 on success, 0 on failure.
  1506. */
  1507. int ssl_set_version_bound(int method_version, int version, int *bound)
  1508. {
  1509. int valid_tls;
  1510. int valid_dtls;
  1511. if (version == 0) {
  1512. *bound = version;
  1513. return 1;
  1514. }
  1515. valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
  1516. valid_dtls =
  1517. DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
  1518. DTLS_VERSION_GE(version, DTLS1_BAD_VER);
  1519. if (!valid_tls && !valid_dtls)
  1520. return 0;
  1521. /*-
  1522. * Restrict TLS methods to TLS protocol versions.
  1523. * Restrict DTLS methods to DTLS protocol versions.
  1524. * Note, DTLS version numbers are decreasing, use comparison macros.
  1525. *
  1526. * Note that for both lower-bounds we use explicit versions, not
  1527. * (D)TLS_MIN_VERSION. This is because we don't want to break user
  1528. * configurations. If the MIN (supported) version ever rises, the user's
  1529. * "floor" remains valid even if no longer available. We don't expect the
  1530. * MAX ceiling to ever get lower, so making that variable makes sense.
  1531. *
  1532. * We ignore attempts to set bounds on version-inflexible methods,
  1533. * returning success.
  1534. */
  1535. switch (method_version) {
  1536. default:
  1537. break;
  1538. case TLS_ANY_VERSION:
  1539. if (valid_tls)
  1540. *bound = version;
  1541. break;
  1542. case DTLS_ANY_VERSION:
  1543. if (valid_dtls)
  1544. *bound = version;
  1545. break;
  1546. }
  1547. return 1;
  1548. }
  1549. static void check_for_downgrade(SSL_CONNECTION *s, int vers, DOWNGRADE *dgrd)
  1550. {
  1551. if (vers == TLS1_2_VERSION
  1552. && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
  1553. *dgrd = DOWNGRADE_TO_1_2;
  1554. } else if (!SSL_CONNECTION_IS_DTLS(s)
  1555. && vers < TLS1_2_VERSION
  1556. /*
  1557. * We need to ensure that a server that disables TLSv1.2
  1558. * (creating a hole between TLSv1.3 and TLSv1.1) can still
  1559. * complete handshakes with clients that support TLSv1.2 and
  1560. * below. Therefore we do not enable the sentinel if TLSv1.3 is
  1561. * enabled and TLSv1.2 is not.
  1562. */
  1563. && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
  1564. *dgrd = DOWNGRADE_TO_1_1;
  1565. } else {
  1566. *dgrd = DOWNGRADE_NONE;
  1567. }
  1568. }
  1569. /*
  1570. * ssl_choose_server_version - Choose server (D)TLS version. Called when the
  1571. * client HELLO is received to select the final server protocol version and
  1572. * the version specific method.
  1573. *
  1574. * @s: server SSL handle.
  1575. *
  1576. * Returns 0 on success or an SSL error reason number on failure.
  1577. */
  1578. int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
  1579. DOWNGRADE *dgrd)
  1580. {
  1581. /*-
  1582. * With version-flexible methods we have an initial state with:
  1583. *
  1584. * s->method->version == (D)TLS_ANY_VERSION,
  1585. * s->version == (D)TLS_MAX_VERSION_INTERNAL.
  1586. *
  1587. * So we detect version-flexible methods via the method version, not the
  1588. * handle version.
  1589. */
  1590. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  1591. int server_version = ssl->method->version;
  1592. int client_version = hello->legacy_version;
  1593. const version_info *vent;
  1594. const version_info *table;
  1595. int disabled = 0;
  1596. RAW_EXTENSION *suppversions;
  1597. s->client_version = client_version;
  1598. switch (server_version) {
  1599. default:
  1600. if (!SSL_CONNECTION_IS_TLS13(s)) {
  1601. if (version_cmp(s, client_version, s->version) < 0)
  1602. return SSL_R_WRONG_SSL_VERSION;
  1603. *dgrd = DOWNGRADE_NONE;
  1604. /*
  1605. * If this SSL handle is not from a version flexible method we don't
  1606. * (and never did) check min/max FIPS or Suite B constraints. Hope
  1607. * that's OK. It is up to the caller to not choose fixed protocol
  1608. * versions they don't want. If not, then easy to fix, just return
  1609. * ssl_method_error(s, s->method)
  1610. */
  1611. return 0;
  1612. }
  1613. /*
  1614. * Fall through if we are TLSv1.3 already (this means we must be after
  1615. * a HelloRetryRequest
  1616. */
  1617. /* fall thru */
  1618. case TLS_ANY_VERSION:
  1619. table = tls_version_table;
  1620. break;
  1621. case DTLS_ANY_VERSION:
  1622. table = dtls_version_table;
  1623. break;
  1624. }
  1625. suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
  1626. /* If we did an HRR then supported versions is mandatory */
  1627. if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
  1628. return SSL_R_UNSUPPORTED_PROTOCOL;
  1629. if (suppversions->present && !SSL_CONNECTION_IS_DTLS(s)) {
  1630. unsigned int candidate_vers = 0;
  1631. unsigned int best_vers = 0;
  1632. const SSL_METHOD *best_method = NULL;
  1633. PACKET versionslist;
  1634. suppversions->parsed = 1;
  1635. if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
  1636. /* Trailing or invalid data? */
  1637. return SSL_R_LENGTH_MISMATCH;
  1638. }
  1639. /*
  1640. * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
  1641. * The spec only requires servers to check that it isn't SSLv3:
  1642. * "Any endpoint receiving a Hello message with
  1643. * ClientHello.legacy_version or ServerHello.legacy_version set to
  1644. * 0x0300 MUST abort the handshake with a "protocol_version" alert."
  1645. * We are slightly stricter and require that it isn't SSLv3 or lower.
  1646. * We tolerate TLSv1 and TLSv1.1.
  1647. */
  1648. if (client_version <= SSL3_VERSION)
  1649. return SSL_R_BAD_LEGACY_VERSION;
  1650. while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
  1651. if (version_cmp(s, candidate_vers, best_vers) <= 0)
  1652. continue;
  1653. if (ssl_version_supported(s, candidate_vers, &best_method))
  1654. best_vers = candidate_vers;
  1655. }
  1656. if (PACKET_remaining(&versionslist) != 0) {
  1657. /* Trailing data? */
  1658. return SSL_R_LENGTH_MISMATCH;
  1659. }
  1660. if (best_vers > 0) {
  1661. if (s->hello_retry_request != SSL_HRR_NONE) {
  1662. /*
  1663. * This is after a HelloRetryRequest so we better check that we
  1664. * negotiated TLSv1.3
  1665. */
  1666. if (best_vers != TLS1_3_VERSION)
  1667. return SSL_R_UNSUPPORTED_PROTOCOL;
  1668. return 0;
  1669. }
  1670. check_for_downgrade(s, best_vers, dgrd);
  1671. s->version = best_vers;
  1672. ssl->method = best_method;
  1673. if (!s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl,
  1674. best_vers))
  1675. return ERR_R_INTERNAL_ERROR;
  1676. return 0;
  1677. }
  1678. return SSL_R_UNSUPPORTED_PROTOCOL;
  1679. }
  1680. /*
  1681. * If the supported versions extension isn't present, then the highest
  1682. * version we can negotiate is TLSv1.2
  1683. */
  1684. if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
  1685. client_version = TLS1_2_VERSION;
  1686. /*
  1687. * No supported versions extension, so we just use the version supplied in
  1688. * the ClientHello.
  1689. */
  1690. for (vent = table; vent->version != 0; ++vent) {
  1691. const SSL_METHOD *method;
  1692. if (vent->smeth == NULL ||
  1693. version_cmp(s, client_version, vent->version) < 0)
  1694. continue;
  1695. method = vent->smeth();
  1696. if (ssl_method_error(s, method) == 0) {
  1697. check_for_downgrade(s, vent->version, dgrd);
  1698. s->version = vent->version;
  1699. ssl->method = method;
  1700. if (!s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl,
  1701. s->version))
  1702. return ERR_R_INTERNAL_ERROR;
  1703. return 0;
  1704. }
  1705. disabled = 1;
  1706. }
  1707. return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
  1708. }
  1709. /*
  1710. * ssl_choose_client_version - Choose client (D)TLS version. Called when the
  1711. * server HELLO is received to select the final client protocol version and
  1712. * the version specific method.
  1713. *
  1714. * @s: client SSL handle.
  1715. * @version: The proposed version from the server's HELLO.
  1716. * @extensions: The extensions received
  1717. *
  1718. * Returns 1 on success or 0 on error.
  1719. */
  1720. int ssl_choose_client_version(SSL_CONNECTION *s, int version,
  1721. RAW_EXTENSION *extensions)
  1722. {
  1723. const version_info *vent;
  1724. const version_info *table;
  1725. int ret, ver_min, ver_max, real_max, origv;
  1726. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  1727. origv = s->version;
  1728. s->version = version;
  1729. /* This will overwrite s->version if the extension is present */
  1730. if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
  1731. SSL_EXT_TLS1_2_SERVER_HELLO
  1732. | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
  1733. NULL, 0)) {
  1734. s->version = origv;
  1735. return 0;
  1736. }
  1737. if (s->hello_retry_request != SSL_HRR_NONE
  1738. && s->version != TLS1_3_VERSION) {
  1739. s->version = origv;
  1740. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
  1741. return 0;
  1742. }
  1743. switch (ssl->method->version) {
  1744. default:
  1745. if (s->version != ssl->method->version) {
  1746. s->version = origv;
  1747. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
  1748. return 0;
  1749. }
  1750. /*
  1751. * If this SSL handle is not from a version flexible method we don't
  1752. * (and never did) check min/max, FIPS or Suite B constraints. Hope
  1753. * that's OK. It is up to the caller to not choose fixed protocol
  1754. * versions they don't want. If not, then easy to fix, just return
  1755. * ssl_method_error(s, s->method)
  1756. */
  1757. if (!s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl,
  1758. s->version)) {
  1759. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1760. return 0;
  1761. }
  1762. return 1;
  1763. case TLS_ANY_VERSION:
  1764. table = tls_version_table;
  1765. break;
  1766. case DTLS_ANY_VERSION:
  1767. table = dtls_version_table;
  1768. break;
  1769. }
  1770. ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
  1771. if (ret != 0) {
  1772. s->version = origv;
  1773. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
  1774. return 0;
  1775. }
  1776. if (SSL_CONNECTION_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
  1777. : s->version < ver_min) {
  1778. s->version = origv;
  1779. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
  1780. return 0;
  1781. } else if (SSL_CONNECTION_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
  1782. : s->version > ver_max) {
  1783. s->version = origv;
  1784. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
  1785. return 0;
  1786. }
  1787. if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
  1788. real_max = ver_max;
  1789. /* Check for downgrades */
  1790. if (s->version == TLS1_2_VERSION && real_max > s->version) {
  1791. if (memcmp(tls12downgrade,
  1792. s->s3.server_random + SSL3_RANDOM_SIZE
  1793. - sizeof(tls12downgrade),
  1794. sizeof(tls12downgrade)) == 0) {
  1795. s->version = origv;
  1796. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1797. SSL_R_INAPPROPRIATE_FALLBACK);
  1798. return 0;
  1799. }
  1800. } else if (!SSL_CONNECTION_IS_DTLS(s)
  1801. && s->version < TLS1_2_VERSION
  1802. && real_max > s->version) {
  1803. if (memcmp(tls11downgrade,
  1804. s->s3.server_random + SSL3_RANDOM_SIZE
  1805. - sizeof(tls11downgrade),
  1806. sizeof(tls11downgrade)) == 0) {
  1807. s->version = origv;
  1808. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1809. SSL_R_INAPPROPRIATE_FALLBACK);
  1810. return 0;
  1811. }
  1812. }
  1813. for (vent = table; vent->version != 0; ++vent) {
  1814. if (vent->cmeth == NULL || s->version != vent->version)
  1815. continue;
  1816. ssl->method = vent->cmeth();
  1817. if (!s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl,
  1818. s->version)) {
  1819. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1820. return 0;
  1821. }
  1822. return 1;
  1823. }
  1824. s->version = origv;
  1825. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
  1826. return 0;
  1827. }
  1828. /*
  1829. * ssl_get_min_max_version - get minimum and maximum protocol version
  1830. * @s: The SSL connection
  1831. * @min_version: The minimum supported version
  1832. * @max_version: The maximum supported version
  1833. * @real_max: The highest version below the lowest compile time version hole
  1834. * where that hole lies above at least one run-time enabled
  1835. * protocol.
  1836. *
  1837. * Work out what version we should be using for the initial ClientHello if the
  1838. * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
  1839. * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
  1840. * constraints and any floor imposed by the security level here,
  1841. * so we don't advertise the wrong protocol version to only reject the outcome later.
  1842. *
  1843. * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
  1844. * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
  1845. * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
  1846. *
  1847. * Returns 0 on success or an SSL error reason number on failure. On failure
  1848. * min_version and max_version will also be set to 0.
  1849. */
  1850. int ssl_get_min_max_version(const SSL_CONNECTION *s, int *min_version,
  1851. int *max_version, int *real_max)
  1852. {
  1853. int version, tmp_real_max;
  1854. int hole;
  1855. const SSL_METHOD *single = NULL;
  1856. const SSL_METHOD *method;
  1857. const version_info *table;
  1858. const version_info *vent;
  1859. const SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  1860. switch (ssl->method->version) {
  1861. default:
  1862. /*
  1863. * If this SSL handle is not from a version flexible method we don't
  1864. * (and never did) check min/max FIPS or Suite B constraints. Hope
  1865. * that's OK. It is up to the caller to not choose fixed protocol
  1866. * versions they don't want. If not, then easy to fix, just return
  1867. * ssl_method_error(s, s->method)
  1868. */
  1869. *min_version = *max_version = s->version;
  1870. /*
  1871. * Providing a real_max only makes sense where we're using a version
  1872. * flexible method.
  1873. */
  1874. if (!ossl_assert(real_max == NULL))
  1875. return ERR_R_INTERNAL_ERROR;
  1876. return 0;
  1877. case TLS_ANY_VERSION:
  1878. table = tls_version_table;
  1879. break;
  1880. case DTLS_ANY_VERSION:
  1881. table = dtls_version_table;
  1882. break;
  1883. }
  1884. /*
  1885. * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
  1886. * below X enabled. This is required in order to maintain the "version
  1887. * capability" vector contiguous. Any versions with a NULL client method
  1888. * (protocol version client is disabled at compile-time) is also a "hole".
  1889. *
  1890. * Our initial state is hole == 1, version == 0. That is, versions above
  1891. * the first version in the method table are disabled (a "hole" above
  1892. * the valid protocol entries) and we don't have a selected version yet.
  1893. *
  1894. * Whenever "hole == 1", and we hit an enabled method, its version becomes
  1895. * the selected version, and the method becomes a candidate "single"
  1896. * method. We're no longer in a hole, so "hole" becomes 0.
  1897. *
  1898. * If "hole == 0" and we hit an enabled method, then "single" is cleared,
  1899. * as we support a contiguous range of at least two methods. If we hit
  1900. * a disabled method, then hole becomes true again, but nothing else
  1901. * changes yet, because all the remaining methods may be disabled too.
  1902. * If we again hit an enabled method after the new hole, it becomes
  1903. * selected, as we start from scratch.
  1904. */
  1905. *min_version = version = 0;
  1906. hole = 1;
  1907. if (real_max != NULL)
  1908. *real_max = 0;
  1909. tmp_real_max = 0;
  1910. for (vent = table; vent->version != 0; ++vent) {
  1911. /*
  1912. * A table entry with a NULL client method is still a hole in the
  1913. * "version capability" vector.
  1914. */
  1915. if (vent->cmeth == NULL) {
  1916. hole = 1;
  1917. tmp_real_max = 0;
  1918. continue;
  1919. }
  1920. method = vent->cmeth();
  1921. if (hole == 1 && tmp_real_max == 0)
  1922. tmp_real_max = vent->version;
  1923. if (ssl_method_error(s, method) != 0) {
  1924. hole = 1;
  1925. } else if (!hole) {
  1926. single = NULL;
  1927. *min_version = method->version;
  1928. } else {
  1929. if (real_max != NULL && tmp_real_max != 0)
  1930. *real_max = tmp_real_max;
  1931. version = (single = method)->version;
  1932. *min_version = version;
  1933. hole = 0;
  1934. }
  1935. }
  1936. *max_version = version;
  1937. /* Fail if everything is disabled */
  1938. if (version == 0)
  1939. return SSL_R_NO_PROTOCOLS_AVAILABLE;
  1940. return 0;
  1941. }
  1942. /*
  1943. * ssl_set_client_hello_version - Work out what version we should be using for
  1944. * the initial ClientHello.legacy_version field.
  1945. *
  1946. * @s: client SSL handle.
  1947. *
  1948. * Returns 0 on success or an SSL error reason number on failure.
  1949. */
  1950. int ssl_set_client_hello_version(SSL_CONNECTION *s)
  1951. {
  1952. int ver_min, ver_max, ret;
  1953. /*
  1954. * In a renegotiation we always send the same client_version that we sent
  1955. * last time, regardless of which version we eventually negotiated.
  1956. */
  1957. if (!SSL_IS_FIRST_HANDSHAKE(s))
  1958. return 0;
  1959. ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
  1960. if (ret != 0)
  1961. return ret;
  1962. s->version = ver_max;
  1963. if (SSL_CONNECTION_IS_DTLS(s)) {
  1964. if (ver_max == DTLS1_BAD_VER) {
  1965. /*
  1966. * Even though this is technically before version negotiation,
  1967. * because we have asked for DTLS1_BAD_VER we will never negotiate
  1968. * anything else, and this has impacts on the record layer for when
  1969. * we read the ServerHello. So we need to tell the record layer
  1970. * about this immediately.
  1971. */
  1972. s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl, ver_max);
  1973. }
  1974. } else if (ver_max > TLS1_2_VERSION) {
  1975. /* TLS1.3 always uses TLS1.2 in the legacy_version field */
  1976. ver_max = TLS1_2_VERSION;
  1977. }
  1978. s->client_version = ver_max;
  1979. return 0;
  1980. }
  1981. /*
  1982. * Checks a list of |groups| to determine if the |group_id| is in it. If it is
  1983. * and |checkallow| is 1 then additionally check if the group is allowed to be
  1984. * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
  1985. * 1) or 0 otherwise.
  1986. */
  1987. int check_in_list(SSL_CONNECTION *s, uint16_t group_id, const uint16_t *groups,
  1988. size_t num_groups, int checkallow)
  1989. {
  1990. size_t i;
  1991. if (groups == NULL || num_groups == 0)
  1992. return 0;
  1993. if (checkallow == 1)
  1994. group_id = ssl_group_id_tls13_to_internal(group_id);
  1995. for (i = 0; i < num_groups; i++) {
  1996. uint16_t group = groups[i];
  1997. if (checkallow == 2)
  1998. group = ssl_group_id_tls13_to_internal(group);
  1999. if (group_id == group
  2000. && (!checkallow
  2001. || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
  2002. return 1;
  2003. }
  2004. }
  2005. return 0;
  2006. }
  2007. /* Replace ClientHello1 in the transcript hash with a synthetic message */
  2008. int create_synthetic_message_hash(SSL_CONNECTION *s,
  2009. const unsigned char *hashval,
  2010. size_t hashlen, const unsigned char *hrr,
  2011. size_t hrrlen)
  2012. {
  2013. unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
  2014. unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
  2015. memset(msghdr, 0, sizeof(msghdr));
  2016. if (hashval == NULL) {
  2017. hashval = hashvaltmp;
  2018. hashlen = 0;
  2019. /* Get the hash of the initial ClientHello */
  2020. if (!ssl3_digest_cached_records(s, 0)
  2021. || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
  2022. &hashlen)) {
  2023. /* SSLfatal() already called */
  2024. return 0;
  2025. }
  2026. }
  2027. /* Reinitialise the transcript hash */
  2028. if (!ssl3_init_finished_mac(s)) {
  2029. /* SSLfatal() already called */
  2030. return 0;
  2031. }
  2032. /* Inject the synthetic message_hash message */
  2033. msghdr[0] = SSL3_MT_MESSAGE_HASH;
  2034. msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
  2035. if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
  2036. || !ssl3_finish_mac(s, hashval, hashlen)) {
  2037. /* SSLfatal() already called */
  2038. return 0;
  2039. }
  2040. /*
  2041. * Now re-inject the HRR and current message if appropriate (we just deleted
  2042. * it when we reinitialised the transcript hash above). Only necessary after
  2043. * receiving a ClientHello2 with a cookie.
  2044. */
  2045. if (hrr != NULL
  2046. && (!ssl3_finish_mac(s, hrr, hrrlen)
  2047. || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
  2048. s->s3.tmp.message_size
  2049. + SSL3_HM_HEADER_LENGTH))) {
  2050. /* SSLfatal() already called */
  2051. return 0;
  2052. }
  2053. return 1;
  2054. }
  2055. static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
  2056. {
  2057. return X509_NAME_cmp(*a, *b);
  2058. }
  2059. int parse_ca_names(SSL_CONNECTION *s, PACKET *pkt)
  2060. {
  2061. STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
  2062. X509_NAME *xn = NULL;
  2063. PACKET cadns;
  2064. if (ca_sk == NULL) {
  2065. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2066. goto err;
  2067. }
  2068. /* get the CA RDNs */
  2069. if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
  2070. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2071. goto err;
  2072. }
  2073. while (PACKET_remaining(&cadns)) {
  2074. const unsigned char *namestart, *namebytes;
  2075. unsigned int name_len;
  2076. if (!PACKET_get_net_2(&cadns, &name_len)
  2077. || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
  2078. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2079. goto err;
  2080. }
  2081. namestart = namebytes;
  2082. if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
  2083. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
  2084. goto err;
  2085. }
  2086. if (namebytes != (namestart + name_len)) {
  2087. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
  2088. goto err;
  2089. }
  2090. if (!sk_X509_NAME_push(ca_sk, xn)) {
  2091. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2092. goto err;
  2093. }
  2094. xn = NULL;
  2095. }
  2096. sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
  2097. s->s3.tmp.peer_ca_names = ca_sk;
  2098. return 1;
  2099. err:
  2100. sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
  2101. X509_NAME_free(xn);
  2102. return 0;
  2103. }
  2104. const STACK_OF(X509_NAME) *get_ca_names(SSL_CONNECTION *s)
  2105. {
  2106. const STACK_OF(X509_NAME) *ca_sk = NULL;
  2107. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  2108. if (s->server) {
  2109. ca_sk = SSL_get_client_CA_list(ssl);
  2110. if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
  2111. ca_sk = NULL;
  2112. }
  2113. if (ca_sk == NULL)
  2114. ca_sk = SSL_get0_CA_list(ssl);
  2115. return ca_sk;
  2116. }
  2117. int construct_ca_names(SSL_CONNECTION *s, const STACK_OF(X509_NAME) *ca_sk,
  2118. WPACKET *pkt)
  2119. {
  2120. /* Start sub-packet for client CA list */
  2121. if (!WPACKET_start_sub_packet_u16(pkt)) {
  2122. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2123. return 0;
  2124. }
  2125. if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
  2126. int i;
  2127. for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
  2128. unsigned char *namebytes;
  2129. X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
  2130. int namelen;
  2131. if (name == NULL
  2132. || (namelen = i2d_X509_NAME(name, NULL)) < 0
  2133. || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
  2134. &namebytes)
  2135. || i2d_X509_NAME(name, &namebytes) != namelen) {
  2136. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2137. return 0;
  2138. }
  2139. }
  2140. }
  2141. if (!WPACKET_close(pkt)) {
  2142. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2143. return 0;
  2144. }
  2145. return 1;
  2146. }
  2147. /* Create a buffer containing data to be signed for server key exchange */
  2148. size_t construct_key_exchange_tbs(SSL_CONNECTION *s, unsigned char **ptbs,
  2149. const void *param, size_t paramlen)
  2150. {
  2151. size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
  2152. unsigned char *tbs = OPENSSL_malloc(tbslen);
  2153. if (tbs == NULL) {
  2154. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2155. return 0;
  2156. }
  2157. memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
  2158. memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
  2159. memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
  2160. *ptbs = tbs;
  2161. return tbslen;
  2162. }
  2163. /*
  2164. * Saves the current handshake digest for Post-Handshake Auth,
  2165. * Done after ClientFinished is processed, done exactly once
  2166. */
  2167. int tls13_save_handshake_digest_for_pha(SSL_CONNECTION *s)
  2168. {
  2169. if (s->pha_dgst == NULL) {
  2170. if (!ssl3_digest_cached_records(s, 1))
  2171. /* SSLfatal() already called */
  2172. return 0;
  2173. s->pha_dgst = EVP_MD_CTX_new();
  2174. if (s->pha_dgst == NULL) {
  2175. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2176. return 0;
  2177. }
  2178. if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
  2179. s->s3.handshake_dgst)) {
  2180. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2181. EVP_MD_CTX_free(s->pha_dgst);
  2182. s->pha_dgst = NULL;
  2183. return 0;
  2184. }
  2185. }
  2186. return 1;
  2187. }
  2188. /*
  2189. * Restores the Post-Handshake Auth handshake digest
  2190. * Done just before sending/processing the Cert Request
  2191. */
  2192. int tls13_restore_handshake_digest_for_pha(SSL_CONNECTION *s)
  2193. {
  2194. if (s->pha_dgst == NULL) {
  2195. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2196. return 0;
  2197. }
  2198. if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
  2199. s->pha_dgst)) {
  2200. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2201. return 0;
  2202. }
  2203. return 1;
  2204. }