statem_lib.c 78 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417
  1. /*
  2. * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. *
  5. * Licensed under the Apache License 2.0 (the "License"). You may not use
  6. * this file except in compliance with the License. You can obtain a copy
  7. * in the file LICENSE in the source distribution or at
  8. * https://www.openssl.org/source/license.html
  9. */
  10. #include <limits.h>
  11. #include <string.h>
  12. #include <stdio.h>
  13. #include "../ssl_local.h"
  14. #include "statem_local.h"
  15. #include "internal/cryptlib.h"
  16. #include <openssl/buffer.h>
  17. #include <openssl/objects.h>
  18. #include <openssl/evp.h>
  19. #include <openssl/rsa.h>
  20. #include <openssl/x509.h>
  21. #include <openssl/trace.h>
  22. /*
  23. * Map error codes to TLS/SSL alart types.
  24. */
  25. typedef struct x509err2alert_st {
  26. int x509err;
  27. int alert;
  28. } X509ERR2ALERT;
  29. /* Fixed value used in the ServerHello random field to identify an HRR */
  30. const unsigned char hrrrandom[] = {
  31. 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
  32. 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
  33. 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
  34. };
  35. /*
  36. * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
  37. * SSL3_RT_CHANGE_CIPHER_SPEC)
  38. */
  39. int ssl3_do_write(SSL *s, int type)
  40. {
  41. int ret;
  42. size_t written = 0;
  43. ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
  44. s->init_num, &written);
  45. if (ret < 0)
  46. return -1;
  47. if (type == SSL3_RT_HANDSHAKE)
  48. /*
  49. * should not be done for 'Hello Request's, but in that case we'll
  50. * ignore the result anyway
  51. * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
  52. */
  53. if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
  54. && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
  55. && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
  56. if (!ssl3_finish_mac(s,
  57. (unsigned char *)&s->init_buf->data[s->init_off],
  58. written))
  59. return -1;
  60. if (written == s->init_num) {
  61. if (s->msg_callback)
  62. s->msg_callback(1, s->version, type, s->init_buf->data,
  63. (size_t)(s->init_off + s->init_num), s,
  64. s->msg_callback_arg);
  65. return 1;
  66. }
  67. s->init_off += written;
  68. s->init_num -= written;
  69. return 0;
  70. }
  71. int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
  72. {
  73. size_t msglen;
  74. if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
  75. || !WPACKET_get_length(pkt, &msglen)
  76. || msglen > INT_MAX)
  77. return 0;
  78. s->init_num = (int)msglen;
  79. s->init_off = 0;
  80. return 1;
  81. }
  82. int tls_setup_handshake(SSL *s)
  83. {
  84. int ver_min, ver_max, ok;
  85. if (!ssl3_init_finished_mac(s)) {
  86. /* SSLfatal() already called */
  87. return 0;
  88. }
  89. /* Reset any extension flags */
  90. memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
  91. if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
  92. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
  93. return 0;
  94. }
  95. /* Sanity check that we have MD5-SHA1 if we need it */
  96. if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
  97. int md5sha1_needed = 0;
  98. /* We don't have MD5-SHA1 - do we need it? */
  99. if (SSL_IS_DTLS(s)) {
  100. if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
  101. md5sha1_needed = 1;
  102. } else {
  103. if (ver_max <= TLS1_1_VERSION)
  104. md5sha1_needed = 1;
  105. }
  106. if (md5sha1_needed) {
  107. SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
  108. SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
  109. "The max supported SSL/TLS version needs the"
  110. " MD5-SHA1 digest but it is not available"
  111. " in the loaded providers. Use (D)TLSv1.2 or"
  112. " above, or load different providers");
  113. return 0;
  114. }
  115. ok = 1;
  116. /* Don't allow TLSv1.1 or below to be negotiated */
  117. if (SSL_IS_DTLS(s)) {
  118. if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
  119. ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION);
  120. } else {
  121. if (ver_min < TLS1_2_VERSION)
  122. ok = SSL_set_min_proto_version(s, TLS1_2_VERSION);
  123. }
  124. if (!ok) {
  125. /* Shouldn't happen */
  126. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
  127. return 0;
  128. }
  129. }
  130. ok = 0;
  131. if (s->server) {
  132. STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
  133. int i;
  134. /*
  135. * Sanity check that the maximum version we accept has ciphers
  136. * enabled. For clients we do this check during construction of the
  137. * ClientHello.
  138. */
  139. for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
  140. const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
  141. if (SSL_IS_DTLS(s)) {
  142. if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
  143. DTLS_VERSION_LE(ver_max, c->max_dtls))
  144. ok = 1;
  145. } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
  146. ok = 1;
  147. }
  148. if (ok)
  149. break;
  150. }
  151. if (!ok) {
  152. SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
  153. SSL_R_NO_CIPHERS_AVAILABLE,
  154. "No ciphers enabled for max supported "
  155. "SSL/TLS version");
  156. return 0;
  157. }
  158. if (SSL_IS_FIRST_HANDSHAKE(s)) {
  159. /* N.B. s->session_ctx == s->ctx here */
  160. ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
  161. } else {
  162. /* N.B. s->ctx may not equal s->session_ctx */
  163. ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_renegotiate);
  164. s->s3.tmp.cert_request = 0;
  165. }
  166. } else {
  167. if (SSL_IS_FIRST_HANDSHAKE(s))
  168. ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
  169. else
  170. ssl_tsan_counter(s->session_ctx,
  171. &s->session_ctx->stats.sess_connect_renegotiate);
  172. /* mark client_random uninitialized */
  173. memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
  174. s->hit = 0;
  175. s->s3.tmp.cert_req = 0;
  176. if (SSL_IS_DTLS(s))
  177. s->statem.use_timer = 1;
  178. }
  179. return 1;
  180. }
  181. /*
  182. * Size of the to-be-signed TLS13 data, without the hash size itself:
  183. * 64 bytes of value 32, 33 context bytes, 1 byte separator
  184. */
  185. #define TLS13_TBS_START_SIZE 64
  186. #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
  187. static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
  188. void **hdata, size_t *hdatalen)
  189. {
  190. #ifdef CHARSET_EBCDIC
  191. static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
  192. 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
  193. 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
  194. 0x69, 0x66, 0x79, 0x00 };
  195. static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
  196. 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
  197. 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
  198. 0x69, 0x66, 0x79, 0x00 };
  199. #else
  200. static const char servercontext[] = "TLS 1.3, server CertificateVerify";
  201. static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
  202. #endif
  203. if (SSL_IS_TLS13(s)) {
  204. size_t hashlen;
  205. /* Set the first 64 bytes of to-be-signed data to octet 32 */
  206. memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
  207. /* This copies the 33 bytes of context plus the 0 separator byte */
  208. if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
  209. || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
  210. strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
  211. else
  212. strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
  213. /*
  214. * If we're currently reading then we need to use the saved handshake
  215. * hash value. We can't use the current handshake hash state because
  216. * that includes the CertVerify itself.
  217. */
  218. if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
  219. || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
  220. memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
  221. s->cert_verify_hash_len);
  222. hashlen = s->cert_verify_hash_len;
  223. } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
  224. EVP_MAX_MD_SIZE, &hashlen)) {
  225. /* SSLfatal() already called */
  226. return 0;
  227. }
  228. *hdata = tls13tbs;
  229. *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
  230. } else {
  231. size_t retlen;
  232. long retlen_l;
  233. retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
  234. if (retlen_l <= 0) {
  235. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  236. return 0;
  237. }
  238. *hdatalen = retlen;
  239. }
  240. return 1;
  241. }
  242. int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
  243. {
  244. EVP_PKEY *pkey = NULL;
  245. const EVP_MD *md = NULL;
  246. EVP_MD_CTX *mctx = NULL;
  247. EVP_PKEY_CTX *pctx = NULL;
  248. size_t hdatalen = 0, siglen = 0;
  249. void *hdata;
  250. unsigned char *sig = NULL;
  251. unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
  252. const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
  253. if (lu == NULL || s->s3.tmp.cert == NULL) {
  254. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  255. goto err;
  256. }
  257. pkey = s->s3.tmp.cert->privatekey;
  258. if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
  259. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  260. goto err;
  261. }
  262. mctx = EVP_MD_CTX_new();
  263. if (mctx == NULL) {
  264. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  265. goto err;
  266. }
  267. /* Get the data to be signed */
  268. if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
  269. /* SSLfatal() already called */
  270. goto err;
  271. }
  272. if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
  273. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  274. goto err;
  275. }
  276. if (EVP_DigestSignInit_ex(mctx, &pctx,
  277. md == NULL ? NULL : EVP_MD_get0_name(md),
  278. s->ctx->libctx, s->ctx->propq, pkey,
  279. NULL) <= 0) {
  280. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  281. goto err;
  282. }
  283. if (lu->sig == EVP_PKEY_RSA_PSS) {
  284. if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
  285. || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
  286. RSA_PSS_SALTLEN_DIGEST) <= 0) {
  287. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  288. goto err;
  289. }
  290. }
  291. if (s->version == SSL3_VERSION) {
  292. /*
  293. * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
  294. * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
  295. */
  296. if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
  297. || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
  298. (int)s->session->master_key_length,
  299. s->session->master_key) <= 0
  300. || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
  301. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  302. goto err;
  303. }
  304. sig = OPENSSL_malloc(siglen);
  305. if (sig == NULL
  306. || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
  307. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  308. goto err;
  309. }
  310. } else {
  311. /*
  312. * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
  313. * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
  314. */
  315. if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
  316. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  317. goto err;
  318. }
  319. sig = OPENSSL_malloc(siglen);
  320. if (sig == NULL
  321. || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
  322. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  323. goto err;
  324. }
  325. }
  326. #ifndef OPENSSL_NO_GOST
  327. {
  328. int pktype = lu->sig;
  329. if (pktype == NID_id_GostR3410_2001
  330. || pktype == NID_id_GostR3410_2012_256
  331. || pktype == NID_id_GostR3410_2012_512)
  332. BUF_reverse(sig, NULL, siglen);
  333. }
  334. #endif
  335. if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
  336. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  337. goto err;
  338. }
  339. /* Digest cached records and discard handshake buffer */
  340. if (!ssl3_digest_cached_records(s, 0)) {
  341. /* SSLfatal() already called */
  342. goto err;
  343. }
  344. OPENSSL_free(sig);
  345. EVP_MD_CTX_free(mctx);
  346. return 1;
  347. err:
  348. OPENSSL_free(sig);
  349. EVP_MD_CTX_free(mctx);
  350. return 0;
  351. }
  352. MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
  353. {
  354. EVP_PKEY *pkey = NULL;
  355. const unsigned char *data;
  356. #ifndef OPENSSL_NO_GOST
  357. unsigned char *gost_data = NULL;
  358. #endif
  359. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  360. int j;
  361. unsigned int len;
  362. X509 *peer;
  363. const EVP_MD *md = NULL;
  364. size_t hdatalen = 0;
  365. void *hdata;
  366. unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
  367. EVP_MD_CTX *mctx = EVP_MD_CTX_new();
  368. EVP_PKEY_CTX *pctx = NULL;
  369. if (mctx == NULL) {
  370. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  371. goto err;
  372. }
  373. peer = s->session->peer;
  374. pkey = X509_get0_pubkey(peer);
  375. if (pkey == NULL) {
  376. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  377. goto err;
  378. }
  379. if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
  380. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  381. SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
  382. goto err;
  383. }
  384. if (SSL_USE_SIGALGS(s)) {
  385. unsigned int sigalg;
  386. if (!PACKET_get_net_2(pkt, &sigalg)) {
  387. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
  388. goto err;
  389. }
  390. if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
  391. /* SSLfatal() already called */
  392. goto err;
  393. }
  394. } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
  395. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  396. goto err;
  397. }
  398. if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
  399. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  400. goto err;
  401. }
  402. if (SSL_USE_SIGALGS(s))
  403. OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
  404. md == NULL ? "n/a" : EVP_MD_get0_name(md));
  405. /* Check for broken implementations of GOST ciphersuites */
  406. /*
  407. * If key is GOST and len is exactly 64 or 128, it is signature without
  408. * length field (CryptoPro implementations at least till TLS 1.2)
  409. */
  410. #ifndef OPENSSL_NO_GOST
  411. if (!SSL_USE_SIGALGS(s)
  412. && ((PACKET_remaining(pkt) == 64
  413. && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
  414. || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
  415. || (PACKET_remaining(pkt) == 128
  416. && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
  417. len = PACKET_remaining(pkt);
  418. } else
  419. #endif
  420. if (!PACKET_get_net_2(pkt, &len)) {
  421. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  422. goto err;
  423. }
  424. if (!PACKET_get_bytes(pkt, &data, len)) {
  425. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  426. goto err;
  427. }
  428. if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
  429. /* SSLfatal() already called */
  430. goto err;
  431. }
  432. OSSL_TRACE1(TLS, "Using client verify alg %s\n",
  433. md == NULL ? "n/a" : EVP_MD_get0_name(md));
  434. if (EVP_DigestVerifyInit_ex(mctx, &pctx,
  435. md == NULL ? NULL : EVP_MD_get0_name(md),
  436. s->ctx->libctx, s->ctx->propq, pkey,
  437. NULL) <= 0) {
  438. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  439. goto err;
  440. }
  441. #ifndef OPENSSL_NO_GOST
  442. {
  443. int pktype = EVP_PKEY_get_id(pkey);
  444. if (pktype == NID_id_GostR3410_2001
  445. || pktype == NID_id_GostR3410_2012_256
  446. || pktype == NID_id_GostR3410_2012_512) {
  447. if ((gost_data = OPENSSL_malloc(len)) == NULL) {
  448. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  449. goto err;
  450. }
  451. BUF_reverse(gost_data, data, len);
  452. data = gost_data;
  453. }
  454. }
  455. #endif
  456. if (SSL_USE_PSS(s)) {
  457. if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
  458. || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
  459. RSA_PSS_SALTLEN_DIGEST) <= 0) {
  460. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  461. goto err;
  462. }
  463. }
  464. if (s->version == SSL3_VERSION) {
  465. if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
  466. || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
  467. (int)s->session->master_key_length,
  468. s->session->master_key) <= 0) {
  469. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  470. goto err;
  471. }
  472. if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
  473. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
  474. goto err;
  475. }
  476. } else {
  477. j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
  478. if (j <= 0) {
  479. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
  480. goto err;
  481. }
  482. }
  483. /*
  484. * In TLSv1.3 on the client side we make sure we prepare the client
  485. * certificate after the CertVerify instead of when we get the
  486. * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
  487. * comes *before* the Certificate message. In TLSv1.2 it comes after. We
  488. * want to make sure that SSL_get1_peer_certificate() will return the actual
  489. * server certificate from the client_cert_cb callback.
  490. */
  491. if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
  492. ret = MSG_PROCESS_CONTINUE_PROCESSING;
  493. else
  494. ret = MSG_PROCESS_CONTINUE_READING;
  495. err:
  496. BIO_free(s->s3.handshake_buffer);
  497. s->s3.handshake_buffer = NULL;
  498. EVP_MD_CTX_free(mctx);
  499. #ifndef OPENSSL_NO_GOST
  500. OPENSSL_free(gost_data);
  501. #endif
  502. return ret;
  503. }
  504. int tls_construct_finished(SSL *s, WPACKET *pkt)
  505. {
  506. size_t finish_md_len;
  507. const char *sender;
  508. size_t slen;
  509. /* This is a real handshake so make sure we clean it up at the end */
  510. if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
  511. s->statem.cleanuphand = 1;
  512. /*
  513. * We only change the keys if we didn't already do this when we sent the
  514. * client certificate
  515. */
  516. if (SSL_IS_TLS13(s)
  517. && !s->server
  518. && s->s3.tmp.cert_req == 0
  519. && (!s->method->ssl3_enc->change_cipher_state(s,
  520. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
  521. /* SSLfatal() already called */
  522. return 0;
  523. }
  524. if (s->server) {
  525. sender = s->method->ssl3_enc->server_finished_label;
  526. slen = s->method->ssl3_enc->server_finished_label_len;
  527. } else {
  528. sender = s->method->ssl3_enc->client_finished_label;
  529. slen = s->method->ssl3_enc->client_finished_label_len;
  530. }
  531. finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
  532. sender, slen,
  533. s->s3.tmp.finish_md);
  534. if (finish_md_len == 0) {
  535. /* SSLfatal() already called */
  536. return 0;
  537. }
  538. s->s3.tmp.finish_md_len = finish_md_len;
  539. if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
  540. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  541. return 0;
  542. }
  543. /*
  544. * Log the master secret, if logging is enabled. We don't log it for
  545. * TLSv1.3: there's a different key schedule for that.
  546. */
  547. if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
  548. s->session->master_key,
  549. s->session->master_key_length)) {
  550. /* SSLfatal() already called */
  551. return 0;
  552. }
  553. /*
  554. * Copy the finished so we can use it for renegotiation checks
  555. */
  556. if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
  557. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  558. return 0;
  559. }
  560. if (!s->server) {
  561. memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
  562. finish_md_len);
  563. s->s3.previous_client_finished_len = finish_md_len;
  564. } else {
  565. memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
  566. finish_md_len);
  567. s->s3.previous_server_finished_len = finish_md_len;
  568. }
  569. return 1;
  570. }
  571. int tls_construct_key_update(SSL *s, WPACKET *pkt)
  572. {
  573. if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
  574. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  575. return 0;
  576. }
  577. s->key_update = SSL_KEY_UPDATE_NONE;
  578. return 1;
  579. }
  580. MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
  581. {
  582. unsigned int updatetype;
  583. /*
  584. * A KeyUpdate message signals a key change so the end of the message must
  585. * be on a record boundary.
  586. */
  587. if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  588. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
  589. return MSG_PROCESS_ERROR;
  590. }
  591. if (!PACKET_get_1(pkt, &updatetype)
  592. || PACKET_remaining(pkt) != 0) {
  593. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
  594. return MSG_PROCESS_ERROR;
  595. }
  596. /*
  597. * There are only two defined key update types. Fail if we get a value we
  598. * didn't recognise.
  599. */
  600. if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
  601. && updatetype != SSL_KEY_UPDATE_REQUESTED) {
  602. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
  603. return MSG_PROCESS_ERROR;
  604. }
  605. /*
  606. * If we get a request for us to update our sending keys too then, we need
  607. * to additionally send a KeyUpdate message. However that message should
  608. * not also request an update (otherwise we get into an infinite loop).
  609. */
  610. if (updatetype == SSL_KEY_UPDATE_REQUESTED)
  611. s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
  612. if (!tls13_update_key(s, 0)) {
  613. /* SSLfatal() already called */
  614. return MSG_PROCESS_ERROR;
  615. }
  616. return MSG_PROCESS_FINISHED_READING;
  617. }
  618. /*
  619. * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
  620. * to far.
  621. */
  622. int ssl3_take_mac(SSL *s)
  623. {
  624. const char *sender;
  625. size_t slen;
  626. if (!s->server) {
  627. sender = s->method->ssl3_enc->server_finished_label;
  628. slen = s->method->ssl3_enc->server_finished_label_len;
  629. } else {
  630. sender = s->method->ssl3_enc->client_finished_label;
  631. slen = s->method->ssl3_enc->client_finished_label_len;
  632. }
  633. s->s3.tmp.peer_finish_md_len =
  634. s->method->ssl3_enc->final_finish_mac(s, sender, slen,
  635. s->s3.tmp.peer_finish_md);
  636. if (s->s3.tmp.peer_finish_md_len == 0) {
  637. /* SSLfatal() already called */
  638. return 0;
  639. }
  640. return 1;
  641. }
  642. MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
  643. {
  644. size_t remain;
  645. remain = PACKET_remaining(pkt);
  646. /*
  647. * 'Change Cipher Spec' is just a single byte, which should already have
  648. * been consumed by ssl_get_message() so there should be no bytes left,
  649. * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
  650. */
  651. if (SSL_IS_DTLS(s)) {
  652. if ((s->version == DTLS1_BAD_VER
  653. && remain != DTLS1_CCS_HEADER_LENGTH + 1)
  654. || (s->version != DTLS1_BAD_VER
  655. && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
  656. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
  657. return MSG_PROCESS_ERROR;
  658. }
  659. } else {
  660. if (remain != 0) {
  661. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
  662. return MSG_PROCESS_ERROR;
  663. }
  664. }
  665. /* Check we have a cipher to change to */
  666. if (s->s3.tmp.new_cipher == NULL) {
  667. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
  668. return MSG_PROCESS_ERROR;
  669. }
  670. s->s3.change_cipher_spec = 1;
  671. if (!ssl3_do_change_cipher_spec(s)) {
  672. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  673. return MSG_PROCESS_ERROR;
  674. }
  675. if (SSL_IS_DTLS(s)) {
  676. dtls1_reset_seq_numbers(s, SSL3_CC_READ);
  677. if (s->version == DTLS1_BAD_VER)
  678. s->d1->handshake_read_seq++;
  679. #ifndef OPENSSL_NO_SCTP
  680. /*
  681. * Remember that a CCS has been received, so that an old key of
  682. * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
  683. * SCTP is used
  684. */
  685. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
  686. #endif
  687. }
  688. return MSG_PROCESS_CONTINUE_READING;
  689. }
  690. MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
  691. {
  692. size_t md_len;
  693. /* This is a real handshake so make sure we clean it up at the end */
  694. if (s->server) {
  695. /*
  696. * To get this far we must have read encrypted data from the client. We
  697. * no longer tolerate unencrypted alerts. This value is ignored if less
  698. * than TLSv1.3
  699. */
  700. s->statem.enc_read_state = ENC_READ_STATE_VALID;
  701. if (s->post_handshake_auth != SSL_PHA_REQUESTED)
  702. s->statem.cleanuphand = 1;
  703. if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
  704. /* SSLfatal() already called */
  705. return MSG_PROCESS_ERROR;
  706. }
  707. }
  708. /*
  709. * In TLSv1.3 a Finished message signals a key change so the end of the
  710. * message must be on a record boundary.
  711. */
  712. if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  713. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
  714. return MSG_PROCESS_ERROR;
  715. }
  716. /* If this occurs, we have missed a message */
  717. if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
  718. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
  719. return MSG_PROCESS_ERROR;
  720. }
  721. s->s3.change_cipher_spec = 0;
  722. md_len = s->s3.tmp.peer_finish_md_len;
  723. if (md_len != PACKET_remaining(pkt)) {
  724. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
  725. return MSG_PROCESS_ERROR;
  726. }
  727. if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
  728. md_len) != 0) {
  729. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
  730. return MSG_PROCESS_ERROR;
  731. }
  732. /*
  733. * Copy the finished so we can use it for renegotiation checks
  734. */
  735. if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
  736. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  737. return MSG_PROCESS_ERROR;
  738. }
  739. if (s->server) {
  740. memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
  741. md_len);
  742. s->s3.previous_client_finished_len = md_len;
  743. } else {
  744. memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
  745. md_len);
  746. s->s3.previous_server_finished_len = md_len;
  747. }
  748. /*
  749. * In TLS1.3 we also have to change cipher state and do any final processing
  750. * of the initial server flight (if we are a client)
  751. */
  752. if (SSL_IS_TLS13(s)) {
  753. if (s->server) {
  754. if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
  755. !s->method->ssl3_enc->change_cipher_state(s,
  756. SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
  757. /* SSLfatal() already called */
  758. return MSG_PROCESS_ERROR;
  759. }
  760. } else {
  761. /* TLS 1.3 gets the secret size from the handshake md */
  762. size_t dummy;
  763. if (!s->method->ssl3_enc->generate_master_secret(s,
  764. s->master_secret, s->handshake_secret, 0,
  765. &dummy)) {
  766. /* SSLfatal() already called */
  767. return MSG_PROCESS_ERROR;
  768. }
  769. if (!s->method->ssl3_enc->change_cipher_state(s,
  770. SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
  771. /* SSLfatal() already called */
  772. return MSG_PROCESS_ERROR;
  773. }
  774. if (!tls_process_initial_server_flight(s)) {
  775. /* SSLfatal() already called */
  776. return MSG_PROCESS_ERROR;
  777. }
  778. }
  779. }
  780. return MSG_PROCESS_FINISHED_READING;
  781. }
  782. int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
  783. {
  784. if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
  785. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  786. return 0;
  787. }
  788. return 1;
  789. }
  790. /* Add a certificate to the WPACKET */
  791. static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
  792. {
  793. int len;
  794. unsigned char *outbytes;
  795. len = i2d_X509(x, NULL);
  796. if (len < 0) {
  797. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
  798. return 0;
  799. }
  800. if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
  801. || i2d_X509(x, &outbytes) != len) {
  802. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  803. return 0;
  804. }
  805. if (SSL_IS_TLS13(s)
  806. && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
  807. chain)) {
  808. /* SSLfatal() already called */
  809. return 0;
  810. }
  811. return 1;
  812. }
  813. /* Add certificate chain to provided WPACKET */
  814. static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
  815. {
  816. int i, chain_count;
  817. X509 *x;
  818. STACK_OF(X509) *extra_certs;
  819. STACK_OF(X509) *chain = NULL;
  820. X509_STORE *chain_store;
  821. if (cpk == NULL || cpk->x509 == NULL)
  822. return 1;
  823. x = cpk->x509;
  824. /*
  825. * If we have a certificate specific chain use it, else use parent ctx.
  826. */
  827. if (cpk->chain != NULL)
  828. extra_certs = cpk->chain;
  829. else
  830. extra_certs = s->ctx->extra_certs;
  831. if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
  832. chain_store = NULL;
  833. else if (s->cert->chain_store)
  834. chain_store = s->cert->chain_store;
  835. else
  836. chain_store = s->ctx->cert_store;
  837. if (chain_store != NULL) {
  838. X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx,
  839. s->ctx->propq);
  840. if (xs_ctx == NULL) {
  841. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  842. return 0;
  843. }
  844. if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
  845. X509_STORE_CTX_free(xs_ctx);
  846. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
  847. return 0;
  848. }
  849. /*
  850. * It is valid for the chain not to be complete (because normally we
  851. * don't include the root cert in the chain). Therefore we deliberately
  852. * ignore the error return from this call. We're not actually verifying
  853. * the cert - we're just building as much of the chain as we can
  854. */
  855. (void)X509_verify_cert(xs_ctx);
  856. /* Don't leave errors in the queue */
  857. ERR_clear_error();
  858. chain = X509_STORE_CTX_get0_chain(xs_ctx);
  859. i = ssl_security_cert_chain(s, chain, NULL, 0);
  860. if (i != 1) {
  861. #if 0
  862. /* Dummy error calls so mkerr generates them */
  863. ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
  864. ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
  865. ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
  866. #endif
  867. X509_STORE_CTX_free(xs_ctx);
  868. SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
  869. return 0;
  870. }
  871. chain_count = sk_X509_num(chain);
  872. for (i = 0; i < chain_count; i++) {
  873. x = sk_X509_value(chain, i);
  874. if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
  875. /* SSLfatal() already called */
  876. X509_STORE_CTX_free(xs_ctx);
  877. return 0;
  878. }
  879. }
  880. X509_STORE_CTX_free(xs_ctx);
  881. } else {
  882. i = ssl_security_cert_chain(s, extra_certs, x, 0);
  883. if (i != 1) {
  884. SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
  885. return 0;
  886. }
  887. if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
  888. /* SSLfatal() already called */
  889. return 0;
  890. }
  891. for (i = 0; i < sk_X509_num(extra_certs); i++) {
  892. x = sk_X509_value(extra_certs, i);
  893. if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
  894. /* SSLfatal() already called */
  895. return 0;
  896. }
  897. }
  898. }
  899. return 1;
  900. }
  901. unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
  902. {
  903. if (!WPACKET_start_sub_packet_u24(pkt)) {
  904. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  905. return 0;
  906. }
  907. if (!ssl_add_cert_chain(s, pkt, cpk))
  908. return 0;
  909. if (!WPACKET_close(pkt)) {
  910. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  911. return 0;
  912. }
  913. return 1;
  914. }
  915. /*
  916. * Tidy up after the end of a handshake. In the case of SCTP this may result
  917. * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
  918. * freed up as well.
  919. */
  920. WORK_STATE tls_finish_handshake(SSL *s, ossl_unused WORK_STATE wst,
  921. int clearbufs, int stop)
  922. {
  923. void (*cb) (const SSL *ssl, int type, int val) = NULL;
  924. int cleanuphand = s->statem.cleanuphand;
  925. if (clearbufs) {
  926. if (!SSL_IS_DTLS(s)
  927. #ifndef OPENSSL_NO_SCTP
  928. /*
  929. * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
  930. * messages that require it. Therefore, DTLS procedures for retransmissions
  931. * MUST NOT be used.
  932. * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
  933. */
  934. || BIO_dgram_is_sctp(SSL_get_wbio(s))
  935. #endif
  936. ) {
  937. /*
  938. * We don't do this in DTLS over UDP because we may still need the init_buf
  939. * in case there are any unexpected retransmits
  940. */
  941. BUF_MEM_free(s->init_buf);
  942. s->init_buf = NULL;
  943. }
  944. if (!ssl_free_wbio_buffer(s)) {
  945. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  946. return WORK_ERROR;
  947. }
  948. s->init_num = 0;
  949. }
  950. if (SSL_IS_TLS13(s) && !s->server
  951. && s->post_handshake_auth == SSL_PHA_REQUESTED)
  952. s->post_handshake_auth = SSL_PHA_EXT_SENT;
  953. /*
  954. * Only set if there was a Finished message and this isn't after a TLSv1.3
  955. * post handshake exchange
  956. */
  957. if (cleanuphand) {
  958. /* skipped if we just sent a HelloRequest */
  959. s->renegotiate = 0;
  960. s->new_session = 0;
  961. s->statem.cleanuphand = 0;
  962. s->ext.ticket_expected = 0;
  963. ssl3_cleanup_key_block(s);
  964. if (s->server) {
  965. /*
  966. * In TLSv1.3 we update the cache as part of constructing the
  967. * NewSessionTicket
  968. */
  969. if (!SSL_IS_TLS13(s))
  970. ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
  971. /* N.B. s->ctx may not equal s->session_ctx */
  972. ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_good);
  973. s->handshake_func = ossl_statem_accept;
  974. } else {
  975. if (SSL_IS_TLS13(s)) {
  976. /*
  977. * We encourage applications to only use TLSv1.3 tickets once,
  978. * so we remove this one from the cache.
  979. */
  980. if ((s->session_ctx->session_cache_mode
  981. & SSL_SESS_CACHE_CLIENT) != 0)
  982. SSL_CTX_remove_session(s->session_ctx, s->session);
  983. } else {
  984. /*
  985. * In TLSv1.3 we update the cache as part of processing the
  986. * NewSessionTicket
  987. */
  988. ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
  989. }
  990. if (s->hit)
  991. ssl_tsan_counter(s->session_ctx,
  992. &s->session_ctx->stats.sess_hit);
  993. s->handshake_func = ossl_statem_connect;
  994. ssl_tsan_counter(s->session_ctx,
  995. &s->session_ctx->stats.sess_connect_good);
  996. }
  997. if (SSL_IS_DTLS(s)) {
  998. /* done with handshaking */
  999. s->d1->handshake_read_seq = 0;
  1000. s->d1->handshake_write_seq = 0;
  1001. s->d1->next_handshake_write_seq = 0;
  1002. dtls1_clear_received_buffer(s);
  1003. }
  1004. }
  1005. if (s->info_callback != NULL)
  1006. cb = s->info_callback;
  1007. else if (s->ctx->info_callback != NULL)
  1008. cb = s->ctx->info_callback;
  1009. /* The callback may expect us to not be in init at handshake done */
  1010. ossl_statem_set_in_init(s, 0);
  1011. if (cb != NULL) {
  1012. if (cleanuphand
  1013. || !SSL_IS_TLS13(s)
  1014. || SSL_IS_FIRST_HANDSHAKE(s))
  1015. cb(s, SSL_CB_HANDSHAKE_DONE, 1);
  1016. }
  1017. if (!stop) {
  1018. /* If we've got more work to do we go back into init */
  1019. ossl_statem_set_in_init(s, 1);
  1020. return WORK_FINISHED_CONTINUE;
  1021. }
  1022. return WORK_FINISHED_STOP;
  1023. }
  1024. int tls_get_message_header(SSL *s, int *mt)
  1025. {
  1026. /* s->init_num < SSL3_HM_HEADER_LENGTH */
  1027. int skip_message, i, recvd_type;
  1028. unsigned char *p;
  1029. size_t l, readbytes;
  1030. p = (unsigned char *)s->init_buf->data;
  1031. do {
  1032. while (s->init_num < SSL3_HM_HEADER_LENGTH) {
  1033. i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
  1034. &p[s->init_num],
  1035. SSL3_HM_HEADER_LENGTH - s->init_num,
  1036. 0, &readbytes);
  1037. if (i <= 0) {
  1038. s->rwstate = SSL_READING;
  1039. return 0;
  1040. }
  1041. if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
  1042. /*
  1043. * A ChangeCipherSpec must be a single byte and may not occur
  1044. * in the middle of a handshake message.
  1045. */
  1046. if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
  1047. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1048. SSL_R_BAD_CHANGE_CIPHER_SPEC);
  1049. return 0;
  1050. }
  1051. if (s->statem.hand_state == TLS_ST_BEFORE
  1052. && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
  1053. /*
  1054. * We are stateless and we received a CCS. Probably this is
  1055. * from a client between the first and second ClientHellos.
  1056. * We should ignore this, but return an error because we do
  1057. * not return success until we see the second ClientHello
  1058. * with a valid cookie.
  1059. */
  1060. return 0;
  1061. }
  1062. s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
  1063. s->init_num = readbytes - 1;
  1064. s->init_msg = s->init_buf->data;
  1065. s->s3.tmp.message_size = readbytes;
  1066. return 1;
  1067. } else if (recvd_type != SSL3_RT_HANDSHAKE) {
  1068. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1069. SSL_R_CCS_RECEIVED_EARLY);
  1070. return 0;
  1071. }
  1072. s->init_num += readbytes;
  1073. }
  1074. skip_message = 0;
  1075. if (!s->server)
  1076. if (s->statem.hand_state != TLS_ST_OK
  1077. && p[0] == SSL3_MT_HELLO_REQUEST)
  1078. /*
  1079. * The server may always send 'Hello Request' messages --
  1080. * we are doing a handshake anyway now, so ignore them if
  1081. * their format is correct. Does not count for 'Finished'
  1082. * MAC.
  1083. */
  1084. if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
  1085. s->init_num = 0;
  1086. skip_message = 1;
  1087. if (s->msg_callback)
  1088. s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
  1089. p, SSL3_HM_HEADER_LENGTH, s,
  1090. s->msg_callback_arg);
  1091. }
  1092. } while (skip_message);
  1093. /* s->init_num == SSL3_HM_HEADER_LENGTH */
  1094. *mt = *p;
  1095. s->s3.tmp.message_type = *(p++);
  1096. if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
  1097. /*
  1098. * Only happens with SSLv3+ in an SSLv2 backward compatible
  1099. * ClientHello
  1100. *
  1101. * Total message size is the remaining record bytes to read
  1102. * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
  1103. */
  1104. l = RECORD_LAYER_get_rrec_length(&s->rlayer)
  1105. + SSL3_HM_HEADER_LENGTH;
  1106. s->s3.tmp.message_size = l;
  1107. s->init_msg = s->init_buf->data;
  1108. s->init_num = SSL3_HM_HEADER_LENGTH;
  1109. } else {
  1110. n2l3(p, l);
  1111. /* BUF_MEM_grow takes an 'int' parameter */
  1112. if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
  1113. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1114. SSL_R_EXCESSIVE_MESSAGE_SIZE);
  1115. return 0;
  1116. }
  1117. s->s3.tmp.message_size = l;
  1118. s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
  1119. s->init_num = 0;
  1120. }
  1121. return 1;
  1122. }
  1123. int tls_get_message_body(SSL *s, size_t *len)
  1124. {
  1125. size_t n, readbytes;
  1126. unsigned char *p;
  1127. int i;
  1128. if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
  1129. /* We've already read everything in */
  1130. *len = (unsigned long)s->init_num;
  1131. return 1;
  1132. }
  1133. p = s->init_msg;
  1134. n = s->s3.tmp.message_size - s->init_num;
  1135. while (n > 0) {
  1136. i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
  1137. &p[s->init_num], n, 0, &readbytes);
  1138. if (i <= 0) {
  1139. s->rwstate = SSL_READING;
  1140. *len = 0;
  1141. return 0;
  1142. }
  1143. s->init_num += readbytes;
  1144. n -= readbytes;
  1145. }
  1146. /*
  1147. * If receiving Finished, record MAC of prior handshake messages for
  1148. * Finished verification.
  1149. */
  1150. if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
  1151. /* SSLfatal() already called */
  1152. *len = 0;
  1153. return 0;
  1154. }
  1155. /* Feed this message into MAC computation. */
  1156. if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
  1157. if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
  1158. s->init_num)) {
  1159. /* SSLfatal() already called */
  1160. *len = 0;
  1161. return 0;
  1162. }
  1163. if (s->msg_callback)
  1164. s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
  1165. (size_t)s->init_num, s, s->msg_callback_arg);
  1166. } else {
  1167. /*
  1168. * We defer feeding in the HRR until later. We'll do it as part of
  1169. * processing the message
  1170. * The TLsv1.3 handshake transcript stops at the ClientFinished
  1171. * message.
  1172. */
  1173. #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
  1174. /* KeyUpdate and NewSessionTicket do not need to be added */
  1175. if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
  1176. && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
  1177. if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
  1178. || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
  1179. || memcmp(hrrrandom,
  1180. s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
  1181. SSL3_RANDOM_SIZE) != 0) {
  1182. if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
  1183. s->init_num + SSL3_HM_HEADER_LENGTH)) {
  1184. /* SSLfatal() already called */
  1185. *len = 0;
  1186. return 0;
  1187. }
  1188. }
  1189. }
  1190. if (s->msg_callback)
  1191. s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
  1192. (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
  1193. s->msg_callback_arg);
  1194. }
  1195. *len = s->init_num;
  1196. return 1;
  1197. }
  1198. static const X509ERR2ALERT x509table[] = {
  1199. {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
  1200. {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
  1201. {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
  1202. {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
  1203. {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
  1204. {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
  1205. {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
  1206. {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
  1207. {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
  1208. {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
  1209. {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
  1210. {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
  1211. {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
  1212. {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
  1213. {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
  1214. {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
  1215. {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
  1216. {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
  1217. {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
  1218. {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
  1219. {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
  1220. {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
  1221. {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
  1222. {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
  1223. {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
  1224. {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
  1225. {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
  1226. {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
  1227. {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
  1228. {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
  1229. {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
  1230. {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
  1231. {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
  1232. {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
  1233. {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
  1234. {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
  1235. {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
  1236. {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
  1237. {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
  1238. {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
  1239. /* Last entry; return this if we don't find the value above. */
  1240. {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
  1241. };
  1242. int ssl_x509err2alert(int x509err)
  1243. {
  1244. const X509ERR2ALERT *tp;
  1245. for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
  1246. if (tp->x509err == x509err)
  1247. break;
  1248. return tp->alert;
  1249. }
  1250. int ssl_allow_compression(SSL *s)
  1251. {
  1252. if (s->options & SSL_OP_NO_COMPRESSION)
  1253. return 0;
  1254. return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
  1255. }
  1256. static int version_cmp(const SSL *s, int a, int b)
  1257. {
  1258. int dtls = SSL_IS_DTLS(s);
  1259. if (a == b)
  1260. return 0;
  1261. if (!dtls)
  1262. return a < b ? -1 : 1;
  1263. return DTLS_VERSION_LT(a, b) ? -1 : 1;
  1264. }
  1265. typedef struct {
  1266. int version;
  1267. const SSL_METHOD *(*cmeth) (void);
  1268. const SSL_METHOD *(*smeth) (void);
  1269. } version_info;
  1270. #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
  1271. # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
  1272. #endif
  1273. /* Must be in order high to low */
  1274. static const version_info tls_version_table[] = {
  1275. #ifndef OPENSSL_NO_TLS1_3
  1276. {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
  1277. #else
  1278. {TLS1_3_VERSION, NULL, NULL},
  1279. #endif
  1280. #ifndef OPENSSL_NO_TLS1_2
  1281. {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
  1282. #else
  1283. {TLS1_2_VERSION, NULL, NULL},
  1284. #endif
  1285. #ifndef OPENSSL_NO_TLS1_1
  1286. {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
  1287. #else
  1288. {TLS1_1_VERSION, NULL, NULL},
  1289. #endif
  1290. #ifndef OPENSSL_NO_TLS1
  1291. {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
  1292. #else
  1293. {TLS1_VERSION, NULL, NULL},
  1294. #endif
  1295. #ifndef OPENSSL_NO_SSL3
  1296. {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
  1297. #else
  1298. {SSL3_VERSION, NULL, NULL},
  1299. #endif
  1300. {0, NULL, NULL},
  1301. };
  1302. #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
  1303. # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
  1304. #endif
  1305. /* Must be in order high to low */
  1306. static const version_info dtls_version_table[] = {
  1307. #ifndef OPENSSL_NO_DTLS1_2
  1308. {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
  1309. #else
  1310. {DTLS1_2_VERSION, NULL, NULL},
  1311. #endif
  1312. #ifndef OPENSSL_NO_DTLS1
  1313. {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
  1314. {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
  1315. #else
  1316. {DTLS1_VERSION, NULL, NULL},
  1317. {DTLS1_BAD_VER, NULL, NULL},
  1318. #endif
  1319. {0, NULL, NULL},
  1320. };
  1321. /*
  1322. * ssl_method_error - Check whether an SSL_METHOD is enabled.
  1323. *
  1324. * @s: The SSL handle for the candidate method
  1325. * @method: the intended method.
  1326. *
  1327. * Returns 0 on success, or an SSL error reason on failure.
  1328. */
  1329. static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
  1330. {
  1331. int version = method->version;
  1332. if ((s->min_proto_version != 0 &&
  1333. version_cmp(s, version, s->min_proto_version) < 0) ||
  1334. ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
  1335. return SSL_R_VERSION_TOO_LOW;
  1336. if (s->max_proto_version != 0 &&
  1337. version_cmp(s, version, s->max_proto_version) > 0)
  1338. return SSL_R_VERSION_TOO_HIGH;
  1339. if ((s->options & method->mask) != 0)
  1340. return SSL_R_UNSUPPORTED_PROTOCOL;
  1341. if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
  1342. return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
  1343. return 0;
  1344. }
  1345. /*
  1346. * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
  1347. * certificate type, or has PSK or a certificate callback configured, or has
  1348. * a servername callback configure. Otherwise returns 0.
  1349. */
  1350. static int is_tls13_capable(const SSL *s)
  1351. {
  1352. int i;
  1353. int curve;
  1354. if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
  1355. return 0;
  1356. /*
  1357. * A servername callback can change the available certs, so if a servername
  1358. * cb is set then we just assume TLSv1.3 will be ok
  1359. */
  1360. if (s->ctx->ext.servername_cb != NULL
  1361. || s->session_ctx->ext.servername_cb != NULL)
  1362. return 1;
  1363. #ifndef OPENSSL_NO_PSK
  1364. if (s->psk_server_callback != NULL)
  1365. return 1;
  1366. #endif
  1367. if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
  1368. return 1;
  1369. for (i = 0; i < SSL_PKEY_NUM; i++) {
  1370. /* Skip over certs disallowed for TLSv1.3 */
  1371. switch (i) {
  1372. case SSL_PKEY_DSA_SIGN:
  1373. case SSL_PKEY_GOST01:
  1374. case SSL_PKEY_GOST12_256:
  1375. case SSL_PKEY_GOST12_512:
  1376. continue;
  1377. default:
  1378. break;
  1379. }
  1380. if (!ssl_has_cert(s, i))
  1381. continue;
  1382. if (i != SSL_PKEY_ECC)
  1383. return 1;
  1384. /*
  1385. * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
  1386. * more restrictive so check that our sig algs are consistent with this
  1387. * EC cert. See section 4.2.3 of RFC8446.
  1388. */
  1389. curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
  1390. if (tls_check_sigalg_curve(s, curve))
  1391. return 1;
  1392. }
  1393. return 0;
  1394. }
  1395. /*
  1396. * ssl_version_supported - Check that the specified `version` is supported by
  1397. * `SSL *` instance
  1398. *
  1399. * @s: The SSL handle for the candidate method
  1400. * @version: Protocol version to test against
  1401. *
  1402. * Returns 1 when supported, otherwise 0
  1403. */
  1404. int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
  1405. {
  1406. const version_info *vent;
  1407. const version_info *table;
  1408. switch (s->method->version) {
  1409. default:
  1410. /* Version should match method version for non-ANY method */
  1411. return version_cmp(s, version, s->version) == 0;
  1412. case TLS_ANY_VERSION:
  1413. table = tls_version_table;
  1414. break;
  1415. case DTLS_ANY_VERSION:
  1416. table = dtls_version_table;
  1417. break;
  1418. }
  1419. for (vent = table;
  1420. vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
  1421. ++vent) {
  1422. if (vent->cmeth != NULL
  1423. && version_cmp(s, version, vent->version) == 0
  1424. && ssl_method_error(s, vent->cmeth()) == 0
  1425. && (!s->server
  1426. || version != TLS1_3_VERSION
  1427. || is_tls13_capable(s))) {
  1428. if (meth != NULL)
  1429. *meth = vent->cmeth();
  1430. return 1;
  1431. }
  1432. }
  1433. return 0;
  1434. }
  1435. /*
  1436. * ssl_check_version_downgrade - In response to RFC7507 SCSV version
  1437. * fallback indication from a client check whether we're using the highest
  1438. * supported protocol version.
  1439. *
  1440. * @s server SSL handle.
  1441. *
  1442. * Returns 1 when using the highest enabled version, 0 otherwise.
  1443. */
  1444. int ssl_check_version_downgrade(SSL *s)
  1445. {
  1446. const version_info *vent;
  1447. const version_info *table;
  1448. /*
  1449. * Check that the current protocol is the highest enabled version
  1450. * (according to s->ctx->method, as version negotiation may have changed
  1451. * s->method).
  1452. */
  1453. if (s->version == s->ctx->method->version)
  1454. return 1;
  1455. /*
  1456. * Apparently we're using a version-flexible SSL_METHOD (not at its
  1457. * highest protocol version).
  1458. */
  1459. if (s->ctx->method->version == TLS_method()->version)
  1460. table = tls_version_table;
  1461. else if (s->ctx->method->version == DTLS_method()->version)
  1462. table = dtls_version_table;
  1463. else {
  1464. /* Unexpected state; fail closed. */
  1465. return 0;
  1466. }
  1467. for (vent = table; vent->version != 0; ++vent) {
  1468. if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
  1469. return s->version == vent->version;
  1470. }
  1471. return 0;
  1472. }
  1473. /*
  1474. * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
  1475. * protocols, provided the initial (D)TLS method is version-flexible. This
  1476. * function sanity-checks the proposed value and makes sure the method is
  1477. * version-flexible, then sets the limit if all is well.
  1478. *
  1479. * @method_version: The version of the current SSL_METHOD.
  1480. * @version: the intended limit.
  1481. * @bound: pointer to limit to be updated.
  1482. *
  1483. * Returns 1 on success, 0 on failure.
  1484. */
  1485. int ssl_set_version_bound(int method_version, int version, int *bound)
  1486. {
  1487. int valid_tls;
  1488. int valid_dtls;
  1489. if (version == 0) {
  1490. *bound = version;
  1491. return 1;
  1492. }
  1493. valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
  1494. valid_dtls =
  1495. DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
  1496. DTLS_VERSION_GE(version, DTLS1_BAD_VER);
  1497. if (!valid_tls && !valid_dtls)
  1498. return 0;
  1499. /*-
  1500. * Restrict TLS methods to TLS protocol versions.
  1501. * Restrict DTLS methods to DTLS protocol versions.
  1502. * Note, DTLS version numbers are decreasing, use comparison macros.
  1503. *
  1504. * Note that for both lower-bounds we use explicit versions, not
  1505. * (D)TLS_MIN_VERSION. This is because we don't want to break user
  1506. * configurations. If the MIN (supported) version ever rises, the user's
  1507. * "floor" remains valid even if no longer available. We don't expect the
  1508. * MAX ceiling to ever get lower, so making that variable makes sense.
  1509. *
  1510. * We ignore attempts to set bounds on version-inflexible methods,
  1511. * returning success.
  1512. */
  1513. switch (method_version) {
  1514. default:
  1515. break;
  1516. case TLS_ANY_VERSION:
  1517. if (valid_tls)
  1518. *bound = version;
  1519. break;
  1520. case DTLS_ANY_VERSION:
  1521. if (valid_dtls)
  1522. *bound = version;
  1523. break;
  1524. }
  1525. return 1;
  1526. }
  1527. static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
  1528. {
  1529. if (vers == TLS1_2_VERSION
  1530. && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
  1531. *dgrd = DOWNGRADE_TO_1_2;
  1532. } else if (!SSL_IS_DTLS(s)
  1533. && vers < TLS1_2_VERSION
  1534. /*
  1535. * We need to ensure that a server that disables TLSv1.2
  1536. * (creating a hole between TLSv1.3 and TLSv1.1) can still
  1537. * complete handshakes with clients that support TLSv1.2 and
  1538. * below. Therefore we do not enable the sentinel if TLSv1.3 is
  1539. * enabled and TLSv1.2 is not.
  1540. */
  1541. && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
  1542. *dgrd = DOWNGRADE_TO_1_1;
  1543. } else {
  1544. *dgrd = DOWNGRADE_NONE;
  1545. }
  1546. }
  1547. /*
  1548. * ssl_choose_server_version - Choose server (D)TLS version. Called when the
  1549. * client HELLO is received to select the final server protocol version and
  1550. * the version specific method.
  1551. *
  1552. * @s: server SSL handle.
  1553. *
  1554. * Returns 0 on success or an SSL error reason number on failure.
  1555. */
  1556. int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
  1557. {
  1558. /*-
  1559. * With version-flexible methods we have an initial state with:
  1560. *
  1561. * s->method->version == (D)TLS_ANY_VERSION,
  1562. * s->version == (D)TLS_MAX_VERSION_INTERNAL.
  1563. *
  1564. * So we detect version-flexible methods via the method version, not the
  1565. * handle version.
  1566. */
  1567. int server_version = s->method->version;
  1568. int client_version = hello->legacy_version;
  1569. const version_info *vent;
  1570. const version_info *table;
  1571. int disabled = 0;
  1572. RAW_EXTENSION *suppversions;
  1573. s->client_version = client_version;
  1574. switch (server_version) {
  1575. default:
  1576. if (!SSL_IS_TLS13(s)) {
  1577. if (version_cmp(s, client_version, s->version) < 0)
  1578. return SSL_R_WRONG_SSL_VERSION;
  1579. *dgrd = DOWNGRADE_NONE;
  1580. /*
  1581. * If this SSL handle is not from a version flexible method we don't
  1582. * (and never did) check min/max FIPS or Suite B constraints. Hope
  1583. * that's OK. It is up to the caller to not choose fixed protocol
  1584. * versions they don't want. If not, then easy to fix, just return
  1585. * ssl_method_error(s, s->method)
  1586. */
  1587. return 0;
  1588. }
  1589. /*
  1590. * Fall through if we are TLSv1.3 already (this means we must be after
  1591. * a HelloRetryRequest
  1592. */
  1593. /* fall thru */
  1594. case TLS_ANY_VERSION:
  1595. table = tls_version_table;
  1596. break;
  1597. case DTLS_ANY_VERSION:
  1598. table = dtls_version_table;
  1599. break;
  1600. }
  1601. suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
  1602. /* If we did an HRR then supported versions is mandatory */
  1603. if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
  1604. return SSL_R_UNSUPPORTED_PROTOCOL;
  1605. if (suppversions->present && !SSL_IS_DTLS(s)) {
  1606. unsigned int candidate_vers = 0;
  1607. unsigned int best_vers = 0;
  1608. const SSL_METHOD *best_method = NULL;
  1609. PACKET versionslist;
  1610. suppversions->parsed = 1;
  1611. if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
  1612. /* Trailing or invalid data? */
  1613. return SSL_R_LENGTH_MISMATCH;
  1614. }
  1615. /*
  1616. * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
  1617. * The spec only requires servers to check that it isn't SSLv3:
  1618. * "Any endpoint receiving a Hello message with
  1619. * ClientHello.legacy_version or ServerHello.legacy_version set to
  1620. * 0x0300 MUST abort the handshake with a "protocol_version" alert."
  1621. * We are slightly stricter and require that it isn't SSLv3 or lower.
  1622. * We tolerate TLSv1 and TLSv1.1.
  1623. */
  1624. if (client_version <= SSL3_VERSION)
  1625. return SSL_R_BAD_LEGACY_VERSION;
  1626. while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
  1627. if (version_cmp(s, candidate_vers, best_vers) <= 0)
  1628. continue;
  1629. if (ssl_version_supported(s, candidate_vers, &best_method))
  1630. best_vers = candidate_vers;
  1631. }
  1632. if (PACKET_remaining(&versionslist) != 0) {
  1633. /* Trailing data? */
  1634. return SSL_R_LENGTH_MISMATCH;
  1635. }
  1636. if (best_vers > 0) {
  1637. if (s->hello_retry_request != SSL_HRR_NONE) {
  1638. /*
  1639. * This is after a HelloRetryRequest so we better check that we
  1640. * negotiated TLSv1.3
  1641. */
  1642. if (best_vers != TLS1_3_VERSION)
  1643. return SSL_R_UNSUPPORTED_PROTOCOL;
  1644. return 0;
  1645. }
  1646. check_for_downgrade(s, best_vers, dgrd);
  1647. s->version = best_vers;
  1648. s->method = best_method;
  1649. return 0;
  1650. }
  1651. return SSL_R_UNSUPPORTED_PROTOCOL;
  1652. }
  1653. /*
  1654. * If the supported versions extension isn't present, then the highest
  1655. * version we can negotiate is TLSv1.2
  1656. */
  1657. if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
  1658. client_version = TLS1_2_VERSION;
  1659. /*
  1660. * No supported versions extension, so we just use the version supplied in
  1661. * the ClientHello.
  1662. */
  1663. for (vent = table; vent->version != 0; ++vent) {
  1664. const SSL_METHOD *method;
  1665. if (vent->smeth == NULL ||
  1666. version_cmp(s, client_version, vent->version) < 0)
  1667. continue;
  1668. method = vent->smeth();
  1669. if (ssl_method_error(s, method) == 0) {
  1670. check_for_downgrade(s, vent->version, dgrd);
  1671. s->version = vent->version;
  1672. s->method = method;
  1673. return 0;
  1674. }
  1675. disabled = 1;
  1676. }
  1677. return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
  1678. }
  1679. /*
  1680. * ssl_choose_client_version - Choose client (D)TLS version. Called when the
  1681. * server HELLO is received to select the final client protocol version and
  1682. * the version specific method.
  1683. *
  1684. * @s: client SSL handle.
  1685. * @version: The proposed version from the server's HELLO.
  1686. * @extensions: The extensions received
  1687. *
  1688. * Returns 1 on success or 0 on error.
  1689. */
  1690. int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
  1691. {
  1692. const version_info *vent;
  1693. const version_info *table;
  1694. int ret, ver_min, ver_max, real_max, origv;
  1695. origv = s->version;
  1696. s->version = version;
  1697. /* This will overwrite s->version if the extension is present */
  1698. if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
  1699. SSL_EXT_TLS1_2_SERVER_HELLO
  1700. | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
  1701. NULL, 0)) {
  1702. s->version = origv;
  1703. return 0;
  1704. }
  1705. if (s->hello_retry_request != SSL_HRR_NONE
  1706. && s->version != TLS1_3_VERSION) {
  1707. s->version = origv;
  1708. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
  1709. return 0;
  1710. }
  1711. switch (s->method->version) {
  1712. default:
  1713. if (s->version != s->method->version) {
  1714. s->version = origv;
  1715. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
  1716. return 0;
  1717. }
  1718. /*
  1719. * If this SSL handle is not from a version flexible method we don't
  1720. * (and never did) check min/max, FIPS or Suite B constraints. Hope
  1721. * that's OK. It is up to the caller to not choose fixed protocol
  1722. * versions they don't want. If not, then easy to fix, just return
  1723. * ssl_method_error(s, s->method)
  1724. */
  1725. return 1;
  1726. case TLS_ANY_VERSION:
  1727. table = tls_version_table;
  1728. break;
  1729. case DTLS_ANY_VERSION:
  1730. table = dtls_version_table;
  1731. break;
  1732. }
  1733. ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
  1734. if (ret != 0) {
  1735. s->version = origv;
  1736. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
  1737. return 0;
  1738. }
  1739. if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
  1740. : s->version < ver_min) {
  1741. s->version = origv;
  1742. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
  1743. return 0;
  1744. } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
  1745. : s->version > ver_max) {
  1746. s->version = origv;
  1747. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
  1748. return 0;
  1749. }
  1750. if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
  1751. real_max = ver_max;
  1752. /* Check for downgrades */
  1753. if (s->version == TLS1_2_VERSION && real_max > s->version) {
  1754. if (memcmp(tls12downgrade,
  1755. s->s3.server_random + SSL3_RANDOM_SIZE
  1756. - sizeof(tls12downgrade),
  1757. sizeof(tls12downgrade)) == 0) {
  1758. s->version = origv;
  1759. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1760. SSL_R_INAPPROPRIATE_FALLBACK);
  1761. return 0;
  1762. }
  1763. } else if (!SSL_IS_DTLS(s)
  1764. && s->version < TLS1_2_VERSION
  1765. && real_max > s->version) {
  1766. if (memcmp(tls11downgrade,
  1767. s->s3.server_random + SSL3_RANDOM_SIZE
  1768. - sizeof(tls11downgrade),
  1769. sizeof(tls11downgrade)) == 0) {
  1770. s->version = origv;
  1771. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1772. SSL_R_INAPPROPRIATE_FALLBACK);
  1773. return 0;
  1774. }
  1775. }
  1776. for (vent = table; vent->version != 0; ++vent) {
  1777. if (vent->cmeth == NULL || s->version != vent->version)
  1778. continue;
  1779. s->method = vent->cmeth();
  1780. return 1;
  1781. }
  1782. s->version = origv;
  1783. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
  1784. return 0;
  1785. }
  1786. /*
  1787. * ssl_get_min_max_version - get minimum and maximum protocol version
  1788. * @s: The SSL connection
  1789. * @min_version: The minimum supported version
  1790. * @max_version: The maximum supported version
  1791. * @real_max: The highest version below the lowest compile time version hole
  1792. * where that hole lies above at least one run-time enabled
  1793. * protocol.
  1794. *
  1795. * Work out what version we should be using for the initial ClientHello if the
  1796. * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
  1797. * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
  1798. * constraints and any floor imposed by the security level here,
  1799. * so we don't advertise the wrong protocol version to only reject the outcome later.
  1800. *
  1801. * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
  1802. * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
  1803. * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
  1804. *
  1805. * Returns 0 on success or an SSL error reason number on failure. On failure
  1806. * min_version and max_version will also be set to 0.
  1807. */
  1808. int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
  1809. int *real_max)
  1810. {
  1811. int version, tmp_real_max;
  1812. int hole;
  1813. const SSL_METHOD *single = NULL;
  1814. const SSL_METHOD *method;
  1815. const version_info *table;
  1816. const version_info *vent;
  1817. switch (s->method->version) {
  1818. default:
  1819. /*
  1820. * If this SSL handle is not from a version flexible method we don't
  1821. * (and never did) check min/max FIPS or Suite B constraints. Hope
  1822. * that's OK. It is up to the caller to not choose fixed protocol
  1823. * versions they don't want. If not, then easy to fix, just return
  1824. * ssl_method_error(s, s->method)
  1825. */
  1826. *min_version = *max_version = s->version;
  1827. /*
  1828. * Providing a real_max only makes sense where we're using a version
  1829. * flexible method.
  1830. */
  1831. if (!ossl_assert(real_max == NULL))
  1832. return ERR_R_INTERNAL_ERROR;
  1833. return 0;
  1834. case TLS_ANY_VERSION:
  1835. table = tls_version_table;
  1836. break;
  1837. case DTLS_ANY_VERSION:
  1838. table = dtls_version_table;
  1839. break;
  1840. }
  1841. /*
  1842. * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
  1843. * below X enabled. This is required in order to maintain the "version
  1844. * capability" vector contiguous. Any versions with a NULL client method
  1845. * (protocol version client is disabled at compile-time) is also a "hole".
  1846. *
  1847. * Our initial state is hole == 1, version == 0. That is, versions above
  1848. * the first version in the method table are disabled (a "hole" above
  1849. * the valid protocol entries) and we don't have a selected version yet.
  1850. *
  1851. * Whenever "hole == 1", and we hit an enabled method, its version becomes
  1852. * the selected version, and the method becomes a candidate "single"
  1853. * method. We're no longer in a hole, so "hole" becomes 0.
  1854. *
  1855. * If "hole == 0" and we hit an enabled method, then "single" is cleared,
  1856. * as we support a contiguous range of at least two methods. If we hit
  1857. * a disabled method, then hole becomes true again, but nothing else
  1858. * changes yet, because all the remaining methods may be disabled too.
  1859. * If we again hit an enabled method after the new hole, it becomes
  1860. * selected, as we start from scratch.
  1861. */
  1862. *min_version = version = 0;
  1863. hole = 1;
  1864. if (real_max != NULL)
  1865. *real_max = 0;
  1866. tmp_real_max = 0;
  1867. for (vent = table; vent->version != 0; ++vent) {
  1868. /*
  1869. * A table entry with a NULL client method is still a hole in the
  1870. * "version capability" vector.
  1871. */
  1872. if (vent->cmeth == NULL) {
  1873. hole = 1;
  1874. tmp_real_max = 0;
  1875. continue;
  1876. }
  1877. method = vent->cmeth();
  1878. if (hole == 1 && tmp_real_max == 0)
  1879. tmp_real_max = vent->version;
  1880. if (ssl_method_error(s, method) != 0) {
  1881. hole = 1;
  1882. } else if (!hole) {
  1883. single = NULL;
  1884. *min_version = method->version;
  1885. } else {
  1886. if (real_max != NULL && tmp_real_max != 0)
  1887. *real_max = tmp_real_max;
  1888. version = (single = method)->version;
  1889. *min_version = version;
  1890. hole = 0;
  1891. }
  1892. }
  1893. *max_version = version;
  1894. /* Fail if everything is disabled */
  1895. if (version == 0)
  1896. return SSL_R_NO_PROTOCOLS_AVAILABLE;
  1897. return 0;
  1898. }
  1899. /*
  1900. * ssl_set_client_hello_version - Work out what version we should be using for
  1901. * the initial ClientHello.legacy_version field.
  1902. *
  1903. * @s: client SSL handle.
  1904. *
  1905. * Returns 0 on success or an SSL error reason number on failure.
  1906. */
  1907. int ssl_set_client_hello_version(SSL *s)
  1908. {
  1909. int ver_min, ver_max, ret;
  1910. /*
  1911. * In a renegotiation we always send the same client_version that we sent
  1912. * last time, regardless of which version we eventually negotiated.
  1913. */
  1914. if (!SSL_IS_FIRST_HANDSHAKE(s))
  1915. return 0;
  1916. ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
  1917. if (ret != 0)
  1918. return ret;
  1919. s->version = ver_max;
  1920. /* TLS1.3 always uses TLS1.2 in the legacy_version field */
  1921. if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
  1922. ver_max = TLS1_2_VERSION;
  1923. s->client_version = ver_max;
  1924. return 0;
  1925. }
  1926. /*
  1927. * Checks a list of |groups| to determine if the |group_id| is in it. If it is
  1928. * and |checkallow| is 1 then additionally check if the group is allowed to be
  1929. * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
  1930. * 1) or 0 otherwise.
  1931. */
  1932. int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
  1933. size_t num_groups, int checkallow)
  1934. {
  1935. size_t i;
  1936. if (groups == NULL || num_groups == 0)
  1937. return 0;
  1938. if (checkallow == 1)
  1939. group_id = ssl_group_id_tls13_to_internal(group_id);
  1940. for (i = 0; i < num_groups; i++) {
  1941. uint16_t group = groups[i];
  1942. if (checkallow == 2)
  1943. group = ssl_group_id_tls13_to_internal(group);
  1944. if (group_id == group
  1945. && (!checkallow
  1946. || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
  1947. return 1;
  1948. }
  1949. }
  1950. return 0;
  1951. }
  1952. /* Replace ClientHello1 in the transcript hash with a synthetic message */
  1953. int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
  1954. size_t hashlen, const unsigned char *hrr,
  1955. size_t hrrlen)
  1956. {
  1957. unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
  1958. unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
  1959. memset(msghdr, 0, sizeof(msghdr));
  1960. if (hashval == NULL) {
  1961. hashval = hashvaltmp;
  1962. hashlen = 0;
  1963. /* Get the hash of the initial ClientHello */
  1964. if (!ssl3_digest_cached_records(s, 0)
  1965. || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
  1966. &hashlen)) {
  1967. /* SSLfatal() already called */
  1968. return 0;
  1969. }
  1970. }
  1971. /* Reinitialise the transcript hash */
  1972. if (!ssl3_init_finished_mac(s)) {
  1973. /* SSLfatal() already called */
  1974. return 0;
  1975. }
  1976. /* Inject the synthetic message_hash message */
  1977. msghdr[0] = SSL3_MT_MESSAGE_HASH;
  1978. msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
  1979. if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
  1980. || !ssl3_finish_mac(s, hashval, hashlen)) {
  1981. /* SSLfatal() already called */
  1982. return 0;
  1983. }
  1984. /*
  1985. * Now re-inject the HRR and current message if appropriate (we just deleted
  1986. * it when we reinitialised the transcript hash above). Only necessary after
  1987. * receiving a ClientHello2 with a cookie.
  1988. */
  1989. if (hrr != NULL
  1990. && (!ssl3_finish_mac(s, hrr, hrrlen)
  1991. || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
  1992. s->s3.tmp.message_size
  1993. + SSL3_HM_HEADER_LENGTH))) {
  1994. /* SSLfatal() already called */
  1995. return 0;
  1996. }
  1997. return 1;
  1998. }
  1999. static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
  2000. {
  2001. return X509_NAME_cmp(*a, *b);
  2002. }
  2003. int parse_ca_names(SSL *s, PACKET *pkt)
  2004. {
  2005. STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
  2006. X509_NAME *xn = NULL;
  2007. PACKET cadns;
  2008. if (ca_sk == NULL) {
  2009. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2010. goto err;
  2011. }
  2012. /* get the CA RDNs */
  2013. if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
  2014. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2015. goto err;
  2016. }
  2017. while (PACKET_remaining(&cadns)) {
  2018. const unsigned char *namestart, *namebytes;
  2019. unsigned int name_len;
  2020. if (!PACKET_get_net_2(&cadns, &name_len)
  2021. || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
  2022. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2023. goto err;
  2024. }
  2025. namestart = namebytes;
  2026. if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
  2027. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
  2028. goto err;
  2029. }
  2030. if (namebytes != (namestart + name_len)) {
  2031. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
  2032. goto err;
  2033. }
  2034. if (!sk_X509_NAME_push(ca_sk, xn)) {
  2035. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2036. goto err;
  2037. }
  2038. xn = NULL;
  2039. }
  2040. sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
  2041. s->s3.tmp.peer_ca_names = ca_sk;
  2042. return 1;
  2043. err:
  2044. sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
  2045. X509_NAME_free(xn);
  2046. return 0;
  2047. }
  2048. const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
  2049. {
  2050. const STACK_OF(X509_NAME) *ca_sk = NULL;
  2051. if (s->server) {
  2052. ca_sk = SSL_get_client_CA_list(s);
  2053. if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
  2054. ca_sk = NULL;
  2055. }
  2056. if (ca_sk == NULL)
  2057. ca_sk = SSL_get0_CA_list(s);
  2058. return ca_sk;
  2059. }
  2060. int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
  2061. {
  2062. /* Start sub-packet for client CA list */
  2063. if (!WPACKET_start_sub_packet_u16(pkt)) {
  2064. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2065. return 0;
  2066. }
  2067. if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
  2068. int i;
  2069. for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
  2070. unsigned char *namebytes;
  2071. X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
  2072. int namelen;
  2073. if (name == NULL
  2074. || (namelen = i2d_X509_NAME(name, NULL)) < 0
  2075. || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
  2076. &namebytes)
  2077. || i2d_X509_NAME(name, &namebytes) != namelen) {
  2078. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2079. return 0;
  2080. }
  2081. }
  2082. }
  2083. if (!WPACKET_close(pkt)) {
  2084. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2085. return 0;
  2086. }
  2087. return 1;
  2088. }
  2089. /* Create a buffer containing data to be signed for server key exchange */
  2090. size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
  2091. const void *param, size_t paramlen)
  2092. {
  2093. size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
  2094. unsigned char *tbs = OPENSSL_malloc(tbslen);
  2095. if (tbs == NULL) {
  2096. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  2097. return 0;
  2098. }
  2099. memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
  2100. memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
  2101. memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
  2102. *ptbs = tbs;
  2103. return tbslen;
  2104. }
  2105. /*
  2106. * Saves the current handshake digest for Post-Handshake Auth,
  2107. * Done after ClientFinished is processed, done exactly once
  2108. */
  2109. int tls13_save_handshake_digest_for_pha(SSL *s)
  2110. {
  2111. if (s->pha_dgst == NULL) {
  2112. if (!ssl3_digest_cached_records(s, 1))
  2113. /* SSLfatal() already called */
  2114. return 0;
  2115. s->pha_dgst = EVP_MD_CTX_new();
  2116. if (s->pha_dgst == NULL) {
  2117. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2118. return 0;
  2119. }
  2120. if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
  2121. s->s3.handshake_dgst)) {
  2122. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2123. EVP_MD_CTX_free(s->pha_dgst);
  2124. s->pha_dgst = NULL;
  2125. return 0;
  2126. }
  2127. }
  2128. return 1;
  2129. }
  2130. /*
  2131. * Restores the Post-Handshake Auth handshake digest
  2132. * Done just before sending/processing the Cert Request
  2133. */
  2134. int tls13_restore_handshake_digest_for_pha(SSL *s)
  2135. {
  2136. if (s->pha_dgst == NULL) {
  2137. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2138. return 0;
  2139. }
  2140. if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
  2141. s->pha_dgst)) {
  2142. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2143. return 0;
  2144. }
  2145. return 1;
  2146. }