1e71b7053SJung-uk Kim /* 2*a7148ab3SEnji Cooper * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. 3e71b7053SJung-uk Kim * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4e71b7053SJung-uk Kim * 5b077aed3SPierre Pronchery * Licensed under the Apache License 2.0 (the "License"). You may not use 6e71b7053SJung-uk Kim * this file except in compliance with the License. You can obtain a copy 7e71b7053SJung-uk Kim * in the file LICENSE in the source distribution or at 8e71b7053SJung-uk Kim * https://www.openssl.org/source/license.html 9e71b7053SJung-uk Kim */ 10e71b7053SJung-uk Kim 11e71b7053SJung-uk Kim #include <limits.h> 12e71b7053SJung-uk Kim #include <string.h> 13e71b7053SJung-uk Kim #include <stdio.h> 1417f01e99SJung-uk Kim #include "../ssl_local.h" 1517f01e99SJung-uk Kim #include "statem_local.h" 16e71b7053SJung-uk Kim #include "internal/cryptlib.h" 17e71b7053SJung-uk Kim #include <openssl/buffer.h> 18e71b7053SJung-uk Kim #include <openssl/objects.h> 19e71b7053SJung-uk Kim #include <openssl/evp.h> 20b077aed3SPierre Pronchery #include <openssl/rsa.h> 21e71b7053SJung-uk Kim #include <openssl/x509.h> 22b077aed3SPierre Pronchery #include <openssl/trace.h> 23e71b7053SJung-uk Kim 24e71b7053SJung-uk Kim /* 25e71b7053SJung-uk Kim * Map error codes to TLS/SSL alart types. 26e71b7053SJung-uk Kim */ 27e71b7053SJung-uk Kim typedef struct x509err2alert_st { 28e71b7053SJung-uk Kim int x509err; 29e71b7053SJung-uk Kim int alert; 30e71b7053SJung-uk Kim } X509ERR2ALERT; 31e71b7053SJung-uk Kim 32e71b7053SJung-uk Kim /* Fixed value used in the ServerHello random field to identify an HRR */ 33e71b7053SJung-uk Kim const unsigned char hrrrandom[] = { 34e71b7053SJung-uk Kim 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 35e71b7053SJung-uk Kim 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 36e71b7053SJung-uk Kim 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c 37e71b7053SJung-uk Kim }; 38e71b7053SJung-uk Kim 39e71b7053SJung-uk Kim /* 40e71b7053SJung-uk Kim * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or 41e71b7053SJung-uk Kim * SSL3_RT_CHANGE_CIPHER_SPEC) 42e71b7053SJung-uk Kim */ 43e71b7053SJung-uk Kim int ssl3_do_write(SSL *s, int type) 44e71b7053SJung-uk Kim { 45e71b7053SJung-uk Kim int ret; 46e71b7053SJung-uk Kim size_t written = 0; 47e71b7053SJung-uk Kim 48e71b7053SJung-uk Kim ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off], 49e71b7053SJung-uk Kim s->init_num, &written); 50aa795734SPierre Pronchery if (ret <= 0) 51e71b7053SJung-uk Kim return -1; 52e71b7053SJung-uk Kim if (type == SSL3_RT_HANDSHAKE) 53e71b7053SJung-uk Kim /* 54e71b7053SJung-uk Kim * should not be done for 'Hello Request's, but in that case we'll 55e71b7053SJung-uk Kim * ignore the result anyway 56e71b7053SJung-uk Kim * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added 57e71b7053SJung-uk Kim */ 58e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET 59e71b7053SJung-uk Kim && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE 60e71b7053SJung-uk Kim && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE)) 61e71b7053SJung-uk Kim if (!ssl3_finish_mac(s, 62e71b7053SJung-uk Kim (unsigned char *)&s->init_buf->data[s->init_off], 63e71b7053SJung-uk Kim written)) 64e71b7053SJung-uk Kim return -1; 65e71b7053SJung-uk Kim if (written == s->init_num) { 66e71b7053SJung-uk Kim if (s->msg_callback) 67e71b7053SJung-uk Kim s->msg_callback(1, s->version, type, s->init_buf->data, 68e71b7053SJung-uk Kim (size_t)(s->init_off + s->init_num), s, 69e71b7053SJung-uk Kim s->msg_callback_arg); 70e71b7053SJung-uk Kim return 1; 71e71b7053SJung-uk Kim } 72e71b7053SJung-uk Kim s->init_off += written; 73e71b7053SJung-uk Kim s->init_num -= written; 74e71b7053SJung-uk Kim return 0; 75e71b7053SJung-uk Kim } 76e71b7053SJung-uk Kim 77e71b7053SJung-uk Kim int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype) 78e71b7053SJung-uk Kim { 79e71b7053SJung-uk Kim size_t msglen; 80e71b7053SJung-uk Kim 81e71b7053SJung-uk Kim if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt)) 82e71b7053SJung-uk Kim || !WPACKET_get_length(pkt, &msglen) 83e71b7053SJung-uk Kim || msglen > INT_MAX) 84e71b7053SJung-uk Kim return 0; 85e71b7053SJung-uk Kim s->init_num = (int)msglen; 86e71b7053SJung-uk Kim s->init_off = 0; 87e71b7053SJung-uk Kim 88e71b7053SJung-uk Kim return 1; 89e71b7053SJung-uk Kim } 90e71b7053SJung-uk Kim 91e71b7053SJung-uk Kim int tls_setup_handshake(SSL *s) 92e71b7053SJung-uk Kim { 93b077aed3SPierre Pronchery int ver_min, ver_max, ok; 94b077aed3SPierre Pronchery 95e71b7053SJung-uk Kim if (!ssl3_init_finished_mac(s)) { 96e71b7053SJung-uk Kim /* SSLfatal() already called */ 97e71b7053SJung-uk Kim return 0; 98e71b7053SJung-uk Kim } 99e71b7053SJung-uk Kim 100e71b7053SJung-uk Kim /* Reset any extension flags */ 101e71b7053SJung-uk Kim memset(s->ext.extflags, 0, sizeof(s->ext.extflags)); 102e71b7053SJung-uk Kim 103b077aed3SPierre Pronchery if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) { 104b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE); 105b077aed3SPierre Pronchery return 0; 106b077aed3SPierre Pronchery } 107b077aed3SPierre Pronchery 108b077aed3SPierre Pronchery /* Sanity check that we have MD5-SHA1 if we need it */ 109b077aed3SPierre Pronchery if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) { 110b077aed3SPierre Pronchery int md5sha1_needed = 0; 111b077aed3SPierre Pronchery 112b077aed3SPierre Pronchery /* We don't have MD5-SHA1 - do we need it? */ 113b077aed3SPierre Pronchery if (SSL_IS_DTLS(s)) { 114b077aed3SPierre Pronchery if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION)) 115b077aed3SPierre Pronchery md5sha1_needed = 1; 116b077aed3SPierre Pronchery } else { 117b077aed3SPierre Pronchery if (ver_max <= TLS1_1_VERSION) 118b077aed3SPierre Pronchery md5sha1_needed = 1; 119b077aed3SPierre Pronchery } 120b077aed3SPierre Pronchery if (md5sha1_needed) { 121b077aed3SPierre Pronchery SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE, 122b077aed3SPierre Pronchery SSL_R_NO_SUITABLE_DIGEST_ALGORITHM, 123b077aed3SPierre Pronchery "The max supported SSL/TLS version needs the" 124b077aed3SPierre Pronchery " MD5-SHA1 digest but it is not available" 125b077aed3SPierre Pronchery " in the loaded providers. Use (D)TLSv1.2 or" 126b077aed3SPierre Pronchery " above, or load different providers"); 127b077aed3SPierre Pronchery return 0; 128b077aed3SPierre Pronchery } 129b077aed3SPierre Pronchery 130b077aed3SPierre Pronchery ok = 1; 131b077aed3SPierre Pronchery /* Don't allow TLSv1.1 or below to be negotiated */ 132b077aed3SPierre Pronchery if (SSL_IS_DTLS(s)) { 133b077aed3SPierre Pronchery if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION)) 134b077aed3SPierre Pronchery ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION); 135b077aed3SPierre Pronchery } else { 136b077aed3SPierre Pronchery if (ver_min < TLS1_2_VERSION) 137b077aed3SPierre Pronchery ok = SSL_set_min_proto_version(s, TLS1_2_VERSION); 138b077aed3SPierre Pronchery } 139b077aed3SPierre Pronchery if (!ok) { 140b077aed3SPierre Pronchery /* Shouldn't happen */ 141b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); 142b077aed3SPierre Pronchery return 0; 143b077aed3SPierre Pronchery } 144b077aed3SPierre Pronchery } 145b077aed3SPierre Pronchery 146b077aed3SPierre Pronchery ok = 0; 147e71b7053SJung-uk Kim if (s->server) { 148e71b7053SJung-uk Kim STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s); 149b077aed3SPierre Pronchery int i; 150e71b7053SJung-uk Kim 151e71b7053SJung-uk Kim /* 152e71b7053SJung-uk Kim * Sanity check that the maximum version we accept has ciphers 153e71b7053SJung-uk Kim * enabled. For clients we do this check during construction of the 154e71b7053SJung-uk Kim * ClientHello. 155e71b7053SJung-uk Kim */ 156e71b7053SJung-uk Kim for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 157e71b7053SJung-uk Kim const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); 158e71b7053SJung-uk Kim 159e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) { 160e71b7053SJung-uk Kim if (DTLS_VERSION_GE(ver_max, c->min_dtls) && 161e71b7053SJung-uk Kim DTLS_VERSION_LE(ver_max, c->max_dtls)) 162e71b7053SJung-uk Kim ok = 1; 163e71b7053SJung-uk Kim } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) { 164e71b7053SJung-uk Kim ok = 1; 165e71b7053SJung-uk Kim } 166e71b7053SJung-uk Kim if (ok) 167e71b7053SJung-uk Kim break; 168e71b7053SJung-uk Kim } 169e71b7053SJung-uk Kim if (!ok) { 170b077aed3SPierre Pronchery SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE, 171b077aed3SPierre Pronchery SSL_R_NO_CIPHERS_AVAILABLE, 172b077aed3SPierre Pronchery "No ciphers enabled for max supported " 173e71b7053SJung-uk Kim "SSL/TLS version"); 174e71b7053SJung-uk Kim return 0; 175e71b7053SJung-uk Kim } 176e71b7053SJung-uk Kim if (SSL_IS_FIRST_HANDSHAKE(s)) { 177e71b7053SJung-uk Kim /* N.B. s->session_ctx == s->ctx here */ 178b077aed3SPierre Pronchery ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept); 179e71b7053SJung-uk Kim } else { 180e71b7053SJung-uk Kim /* N.B. s->ctx may not equal s->session_ctx */ 181b077aed3SPierre Pronchery ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_renegotiate); 182e71b7053SJung-uk Kim 183b077aed3SPierre Pronchery s->s3.tmp.cert_request = 0; 184e71b7053SJung-uk Kim } 185e71b7053SJung-uk Kim } else { 186e71b7053SJung-uk Kim if (SSL_IS_FIRST_HANDSHAKE(s)) 187b077aed3SPierre Pronchery ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect); 188e71b7053SJung-uk Kim else 189b077aed3SPierre Pronchery ssl_tsan_counter(s->session_ctx, 190b077aed3SPierre Pronchery &s->session_ctx->stats.sess_connect_renegotiate); 191e71b7053SJung-uk Kim 192e71b7053SJung-uk Kim /* mark client_random uninitialized */ 193b077aed3SPierre Pronchery memset(s->s3.client_random, 0, sizeof(s->s3.client_random)); 194e71b7053SJung-uk Kim s->hit = 0; 195e71b7053SJung-uk Kim 196b077aed3SPierre Pronchery s->s3.tmp.cert_req = 0; 197e71b7053SJung-uk Kim 198e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) 199e71b7053SJung-uk Kim s->statem.use_timer = 1; 200e71b7053SJung-uk Kim } 201e71b7053SJung-uk Kim 202e71b7053SJung-uk Kim return 1; 203e71b7053SJung-uk Kim } 204e71b7053SJung-uk Kim 205e71b7053SJung-uk Kim /* 206e71b7053SJung-uk Kim * Size of the to-be-signed TLS13 data, without the hash size itself: 207e71b7053SJung-uk Kim * 64 bytes of value 32, 33 context bytes, 1 byte separator 208e71b7053SJung-uk Kim */ 209e71b7053SJung-uk Kim #define TLS13_TBS_START_SIZE 64 210e71b7053SJung-uk Kim #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1) 211e71b7053SJung-uk Kim 212e71b7053SJung-uk Kim static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, 213e71b7053SJung-uk Kim void **hdata, size_t *hdatalen) 214e71b7053SJung-uk Kim { 215da327cd2SJung-uk Kim #ifdef CHARSET_EBCDIC 21617f01e99SJung-uk Kim static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 217da327cd2SJung-uk Kim 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65, 218da327cd2SJung-uk Kim 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 219da327cd2SJung-uk Kim 0x69, 0x66, 0x79, 0x00 }; 22017f01e99SJung-uk Kim static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 221da327cd2SJung-uk Kim 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65, 222da327cd2SJung-uk Kim 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 223da327cd2SJung-uk Kim 0x69, 0x66, 0x79, 0x00 }; 224da327cd2SJung-uk Kim #else 22517f01e99SJung-uk Kim static const char servercontext[] = "TLS 1.3, server CertificateVerify"; 22617f01e99SJung-uk Kim static const char clientcontext[] = "TLS 1.3, client CertificateVerify"; 227da327cd2SJung-uk Kim #endif 228e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) { 229e71b7053SJung-uk Kim size_t hashlen; 230e71b7053SJung-uk Kim 231e71b7053SJung-uk Kim /* Set the first 64 bytes of to-be-signed data to octet 32 */ 232e71b7053SJung-uk Kim memset(tls13tbs, 32, TLS13_TBS_START_SIZE); 233e71b7053SJung-uk Kim /* This copies the 33 bytes of context plus the 0 separator byte */ 234e71b7053SJung-uk Kim if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY 235e71b7053SJung-uk Kim || s->statem.hand_state == TLS_ST_SW_CERT_VRFY) 236e71b7053SJung-uk Kim strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext); 237e71b7053SJung-uk Kim else 238e71b7053SJung-uk Kim strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext); 239e71b7053SJung-uk Kim 240e71b7053SJung-uk Kim /* 241e71b7053SJung-uk Kim * If we're currently reading then we need to use the saved handshake 242e71b7053SJung-uk Kim * hash value. We can't use the current handshake hash state because 243e71b7053SJung-uk Kim * that includes the CertVerify itself. 244e71b7053SJung-uk Kim */ 245e71b7053SJung-uk Kim if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY 246e71b7053SJung-uk Kim || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) { 247e71b7053SJung-uk Kim memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash, 248e71b7053SJung-uk Kim s->cert_verify_hash_len); 249e71b7053SJung-uk Kim hashlen = s->cert_verify_hash_len; 250e71b7053SJung-uk Kim } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE, 251e71b7053SJung-uk Kim EVP_MAX_MD_SIZE, &hashlen)) { 252e71b7053SJung-uk Kim /* SSLfatal() already called */ 253e71b7053SJung-uk Kim return 0; 254e71b7053SJung-uk Kim } 255e71b7053SJung-uk Kim 256e71b7053SJung-uk Kim *hdata = tls13tbs; 257e71b7053SJung-uk Kim *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen; 258e71b7053SJung-uk Kim } else { 259e71b7053SJung-uk Kim size_t retlen; 260c9cf7b5cSJung-uk Kim long retlen_l; 261e71b7053SJung-uk Kim 262b077aed3SPierre Pronchery retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata); 263c9cf7b5cSJung-uk Kim if (retlen_l <= 0) { 264b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 265e71b7053SJung-uk Kim return 0; 266e71b7053SJung-uk Kim } 267e71b7053SJung-uk Kim *hdatalen = retlen; 268e71b7053SJung-uk Kim } 269e71b7053SJung-uk Kim 270e71b7053SJung-uk Kim return 1; 271e71b7053SJung-uk Kim } 272e71b7053SJung-uk Kim 273e71b7053SJung-uk Kim int tls_construct_cert_verify(SSL *s, WPACKET *pkt) 274e71b7053SJung-uk Kim { 275e71b7053SJung-uk Kim EVP_PKEY *pkey = NULL; 276e71b7053SJung-uk Kim const EVP_MD *md = NULL; 277e71b7053SJung-uk Kim EVP_MD_CTX *mctx = NULL; 278e71b7053SJung-uk Kim EVP_PKEY_CTX *pctx = NULL; 279e71b7053SJung-uk Kim size_t hdatalen = 0, siglen = 0; 280e71b7053SJung-uk Kim void *hdata; 281e71b7053SJung-uk Kim unsigned char *sig = NULL; 282e71b7053SJung-uk Kim unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; 283b077aed3SPierre Pronchery const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg; 284e71b7053SJung-uk Kim 285b077aed3SPierre Pronchery if (lu == NULL || s->s3.tmp.cert == NULL) { 286b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 287e71b7053SJung-uk Kim goto err; 288e71b7053SJung-uk Kim } 289b077aed3SPierre Pronchery pkey = s->s3.tmp.cert->privatekey; 290e71b7053SJung-uk Kim 291b077aed3SPierre Pronchery if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) { 292b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 293e71b7053SJung-uk Kim goto err; 294e71b7053SJung-uk Kim } 295e71b7053SJung-uk Kim 296e71b7053SJung-uk Kim mctx = EVP_MD_CTX_new(); 297e71b7053SJung-uk Kim if (mctx == NULL) { 298b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 299e71b7053SJung-uk Kim goto err; 300e71b7053SJung-uk Kim } 301e71b7053SJung-uk Kim 302e71b7053SJung-uk Kim /* Get the data to be signed */ 303e71b7053SJung-uk Kim if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { 304e71b7053SJung-uk Kim /* SSLfatal() already called */ 305e71b7053SJung-uk Kim goto err; 306e71b7053SJung-uk Kim } 307e71b7053SJung-uk Kim 308e71b7053SJung-uk Kim if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { 309b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 310e71b7053SJung-uk Kim goto err; 311e71b7053SJung-uk Kim } 312e71b7053SJung-uk Kim 313b077aed3SPierre Pronchery if (EVP_DigestSignInit_ex(mctx, &pctx, 314b077aed3SPierre Pronchery md == NULL ? NULL : EVP_MD_get0_name(md), 315b077aed3SPierre Pronchery s->ctx->libctx, s->ctx->propq, pkey, 316b077aed3SPierre Pronchery NULL) <= 0) { 317b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 318e71b7053SJung-uk Kim goto err; 319e71b7053SJung-uk Kim } 320e71b7053SJung-uk Kim 321e71b7053SJung-uk Kim if (lu->sig == EVP_PKEY_RSA_PSS) { 322e71b7053SJung-uk Kim if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 323e71b7053SJung-uk Kim || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 324e71b7053SJung-uk Kim RSA_PSS_SALTLEN_DIGEST) <= 0) { 325b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 326e71b7053SJung-uk Kim goto err; 327e71b7053SJung-uk Kim } 328e71b7053SJung-uk Kim } 329e71b7053SJung-uk Kim if (s->version == SSL3_VERSION) { 330b077aed3SPierre Pronchery /* 331b077aed3SPierre Pronchery * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal 332b077aed3SPierre Pronchery * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them. 333b077aed3SPierre Pronchery */ 334e71b7053SJung-uk Kim if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0 335b077aed3SPierre Pronchery || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, 336e71b7053SJung-uk Kim (int)s->session->master_key_length, 337b077aed3SPierre Pronchery s->session->master_key) <= 0 338b077aed3SPierre Pronchery || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) { 339e71b7053SJung-uk Kim 340b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 341e71b7053SJung-uk Kim goto err; 342e71b7053SJung-uk Kim } 343b077aed3SPierre Pronchery sig = OPENSSL_malloc(siglen); 344b077aed3SPierre Pronchery if (sig == NULL 345b077aed3SPierre Pronchery || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) { 346b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 347e71b7053SJung-uk Kim goto err; 348e71b7053SJung-uk Kim } 349b077aed3SPierre Pronchery } else { 350b077aed3SPierre Pronchery /* 351b077aed3SPierre Pronchery * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not 352b077aed3SPierre Pronchery * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal 353b077aed3SPierre Pronchery */ 354b077aed3SPierre Pronchery if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) { 355b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 356b077aed3SPierre Pronchery goto err; 357b077aed3SPierre Pronchery } 358b077aed3SPierre Pronchery sig = OPENSSL_malloc(siglen); 359b077aed3SPierre Pronchery if (sig == NULL 360b077aed3SPierre Pronchery || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) { 361b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 362b077aed3SPierre Pronchery goto err; 363b077aed3SPierre Pronchery } 364b077aed3SPierre Pronchery } 365e71b7053SJung-uk Kim 366e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST 367e71b7053SJung-uk Kim { 368e71b7053SJung-uk Kim int pktype = lu->sig; 369e71b7053SJung-uk Kim 370e71b7053SJung-uk Kim if (pktype == NID_id_GostR3410_2001 371e71b7053SJung-uk Kim || pktype == NID_id_GostR3410_2012_256 372e71b7053SJung-uk Kim || pktype == NID_id_GostR3410_2012_512) 373e71b7053SJung-uk Kim BUF_reverse(sig, NULL, siglen); 374e71b7053SJung-uk Kim } 375e71b7053SJung-uk Kim #endif 376e71b7053SJung-uk Kim 377e71b7053SJung-uk Kim if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) { 378b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 379e71b7053SJung-uk Kim goto err; 380e71b7053SJung-uk Kim } 381e71b7053SJung-uk Kim 382e71b7053SJung-uk Kim /* Digest cached records and discard handshake buffer */ 383e71b7053SJung-uk Kim if (!ssl3_digest_cached_records(s, 0)) { 384e71b7053SJung-uk Kim /* SSLfatal() already called */ 385e71b7053SJung-uk Kim goto err; 386e71b7053SJung-uk Kim } 387e71b7053SJung-uk Kim 388e71b7053SJung-uk Kim OPENSSL_free(sig); 389e71b7053SJung-uk Kim EVP_MD_CTX_free(mctx); 390e71b7053SJung-uk Kim return 1; 391e71b7053SJung-uk Kim err: 392e71b7053SJung-uk Kim OPENSSL_free(sig); 393e71b7053SJung-uk Kim EVP_MD_CTX_free(mctx); 394e71b7053SJung-uk Kim return 0; 395e71b7053SJung-uk Kim } 396e71b7053SJung-uk Kim 397e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) 398e71b7053SJung-uk Kim { 399e71b7053SJung-uk Kim EVP_PKEY *pkey = NULL; 400e71b7053SJung-uk Kim const unsigned char *data; 401e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST 402e71b7053SJung-uk Kim unsigned char *gost_data = NULL; 403e71b7053SJung-uk Kim #endif 404e71b7053SJung-uk Kim MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; 405e71b7053SJung-uk Kim int j; 406e71b7053SJung-uk Kim unsigned int len; 407e71b7053SJung-uk Kim X509 *peer; 408e71b7053SJung-uk Kim const EVP_MD *md = NULL; 409e71b7053SJung-uk Kim size_t hdatalen = 0; 410e71b7053SJung-uk Kim void *hdata; 411e71b7053SJung-uk Kim unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; 412e71b7053SJung-uk Kim EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 413e71b7053SJung-uk Kim EVP_PKEY_CTX *pctx = NULL; 414e71b7053SJung-uk Kim 415e71b7053SJung-uk Kim if (mctx == NULL) { 416b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 417e71b7053SJung-uk Kim goto err; 418e71b7053SJung-uk Kim } 419e71b7053SJung-uk Kim 420e71b7053SJung-uk Kim peer = s->session->peer; 421e71b7053SJung-uk Kim pkey = X509_get0_pubkey(peer); 422e71b7053SJung-uk Kim if (pkey == NULL) { 423b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 424e71b7053SJung-uk Kim goto err; 425e71b7053SJung-uk Kim } 426e71b7053SJung-uk Kim 427e71b7053SJung-uk Kim if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) { 428b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 429e71b7053SJung-uk Kim SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 430e71b7053SJung-uk Kim goto err; 431e71b7053SJung-uk Kim } 432e71b7053SJung-uk Kim 433e71b7053SJung-uk Kim if (SSL_USE_SIGALGS(s)) { 434e71b7053SJung-uk Kim unsigned int sigalg; 435e71b7053SJung-uk Kim 436e71b7053SJung-uk Kim if (!PACKET_get_net_2(pkt, &sigalg)) { 437b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET); 438e71b7053SJung-uk Kim goto err; 439e71b7053SJung-uk Kim } 440e71b7053SJung-uk Kim if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) { 441e71b7053SJung-uk Kim /* SSLfatal() already called */ 442e71b7053SJung-uk Kim goto err; 443e71b7053SJung-uk Kim } 444e71b7053SJung-uk Kim } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { 445b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, 446b077aed3SPierre Pronchery SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED); 447e71b7053SJung-uk Kim goto err; 448e71b7053SJung-uk Kim } 449e71b7053SJung-uk Kim 450b077aed3SPierre Pronchery if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) { 451b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 452e71b7053SJung-uk Kim goto err; 453e71b7053SJung-uk Kim } 454e71b7053SJung-uk Kim 455e71b7053SJung-uk Kim if (SSL_USE_SIGALGS(s)) 456b077aed3SPierre Pronchery OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n", 457b077aed3SPierre Pronchery md == NULL ? "n/a" : EVP_MD_get0_name(md)); 458e71b7053SJung-uk Kim 459e71b7053SJung-uk Kim /* Check for broken implementations of GOST ciphersuites */ 460e71b7053SJung-uk Kim /* 461e71b7053SJung-uk Kim * If key is GOST and len is exactly 64 or 128, it is signature without 462e71b7053SJung-uk Kim * length field (CryptoPro implementations at least till TLS 1.2) 463e71b7053SJung-uk Kim */ 464e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST 465e71b7053SJung-uk Kim if (!SSL_USE_SIGALGS(s) 466e71b7053SJung-uk Kim && ((PACKET_remaining(pkt) == 64 467b077aed3SPierre Pronchery && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001 468b077aed3SPierre Pronchery || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256)) 469e71b7053SJung-uk Kim || (PACKET_remaining(pkt) == 128 470b077aed3SPierre Pronchery && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) { 471e71b7053SJung-uk Kim len = PACKET_remaining(pkt); 472e71b7053SJung-uk Kim } else 473e71b7053SJung-uk Kim #endif 474e71b7053SJung-uk Kim if (!PACKET_get_net_2(pkt, &len)) { 475b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 476e71b7053SJung-uk Kim goto err; 477e71b7053SJung-uk Kim } 478e71b7053SJung-uk Kim 479e71b7053SJung-uk Kim if (!PACKET_get_bytes(pkt, &data, len)) { 480b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 481e71b7053SJung-uk Kim goto err; 482e71b7053SJung-uk Kim } 483*a7148ab3SEnji Cooper if (PACKET_remaining(pkt) != 0) { 484*a7148ab3SEnji Cooper SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 485*a7148ab3SEnji Cooper goto err; 486*a7148ab3SEnji Cooper } 487e71b7053SJung-uk Kim 488e71b7053SJung-uk Kim if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { 489e71b7053SJung-uk Kim /* SSLfatal() already called */ 490e71b7053SJung-uk Kim goto err; 491e71b7053SJung-uk Kim } 492e71b7053SJung-uk Kim 493b077aed3SPierre Pronchery OSSL_TRACE1(TLS, "Using client verify alg %s\n", 494b077aed3SPierre Pronchery md == NULL ? "n/a" : EVP_MD_get0_name(md)); 495b077aed3SPierre Pronchery 496b077aed3SPierre Pronchery if (EVP_DigestVerifyInit_ex(mctx, &pctx, 497b077aed3SPierre Pronchery md == NULL ? NULL : EVP_MD_get0_name(md), 498b077aed3SPierre Pronchery s->ctx->libctx, s->ctx->propq, pkey, 499b077aed3SPierre Pronchery NULL) <= 0) { 500b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 501e71b7053SJung-uk Kim goto err; 502e71b7053SJung-uk Kim } 503e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST 504e71b7053SJung-uk Kim { 505b077aed3SPierre Pronchery int pktype = EVP_PKEY_get_id(pkey); 506e71b7053SJung-uk Kim if (pktype == NID_id_GostR3410_2001 507e71b7053SJung-uk Kim || pktype == NID_id_GostR3410_2012_256 508e71b7053SJung-uk Kim || pktype == NID_id_GostR3410_2012_512) { 509e71b7053SJung-uk Kim if ((gost_data = OPENSSL_malloc(len)) == NULL) { 510b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 511e71b7053SJung-uk Kim goto err; 512e71b7053SJung-uk Kim } 513e71b7053SJung-uk Kim BUF_reverse(gost_data, data, len); 514e71b7053SJung-uk Kim data = gost_data; 515e71b7053SJung-uk Kim } 516e71b7053SJung-uk Kim } 517e71b7053SJung-uk Kim #endif 518e71b7053SJung-uk Kim 519e71b7053SJung-uk Kim if (SSL_USE_PSS(s)) { 520e71b7053SJung-uk Kim if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 521e71b7053SJung-uk Kim || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 522e71b7053SJung-uk Kim RSA_PSS_SALTLEN_DIGEST) <= 0) { 523b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 524e71b7053SJung-uk Kim goto err; 525e71b7053SJung-uk Kim } 526e71b7053SJung-uk Kim } 527e71b7053SJung-uk Kim if (s->version == SSL3_VERSION) { 528e71b7053SJung-uk Kim if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0 529b077aed3SPierre Pronchery || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, 530e71b7053SJung-uk Kim (int)s->session->master_key_length, 531b077aed3SPierre Pronchery s->session->master_key) <= 0) { 532b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 533e71b7053SJung-uk Kim goto err; 534e71b7053SJung-uk Kim } 535e71b7053SJung-uk Kim if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) { 536b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); 537e71b7053SJung-uk Kim goto err; 538e71b7053SJung-uk Kim } 539e71b7053SJung-uk Kim } else { 540e71b7053SJung-uk Kim j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen); 541e71b7053SJung-uk Kim if (j <= 0) { 542b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); 543e71b7053SJung-uk Kim goto err; 544e71b7053SJung-uk Kim } 545e71b7053SJung-uk Kim } 546e71b7053SJung-uk Kim 547c9cf7b5cSJung-uk Kim /* 548c9cf7b5cSJung-uk Kim * In TLSv1.3 on the client side we make sure we prepare the client 549c9cf7b5cSJung-uk Kim * certificate after the CertVerify instead of when we get the 550c9cf7b5cSJung-uk Kim * CertificateRequest. This is because in TLSv1.3 the CertificateRequest 551c9cf7b5cSJung-uk Kim * comes *before* the Certificate message. In TLSv1.2 it comes after. We 552b077aed3SPierre Pronchery * want to make sure that SSL_get1_peer_certificate() will return the actual 553c9cf7b5cSJung-uk Kim * server certificate from the client_cert_cb callback. 554c9cf7b5cSJung-uk Kim */ 555b077aed3SPierre Pronchery if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1) 556c9cf7b5cSJung-uk Kim ret = MSG_PROCESS_CONTINUE_PROCESSING; 557c9cf7b5cSJung-uk Kim else 558e71b7053SJung-uk Kim ret = MSG_PROCESS_CONTINUE_READING; 559e71b7053SJung-uk Kim err: 560b077aed3SPierre Pronchery BIO_free(s->s3.handshake_buffer); 561b077aed3SPierre Pronchery s->s3.handshake_buffer = NULL; 562e71b7053SJung-uk Kim EVP_MD_CTX_free(mctx); 563e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST 564e71b7053SJung-uk Kim OPENSSL_free(gost_data); 565e71b7053SJung-uk Kim #endif 566e71b7053SJung-uk Kim return ret; 567e71b7053SJung-uk Kim } 568e71b7053SJung-uk Kim 569e71b7053SJung-uk Kim int tls_construct_finished(SSL *s, WPACKET *pkt) 570e71b7053SJung-uk Kim { 571e71b7053SJung-uk Kim size_t finish_md_len; 572e71b7053SJung-uk Kim const char *sender; 573e71b7053SJung-uk Kim size_t slen; 574e71b7053SJung-uk Kim 575e71b7053SJung-uk Kim /* This is a real handshake so make sure we clean it up at the end */ 576e71b7053SJung-uk Kim if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED) 577e71b7053SJung-uk Kim s->statem.cleanuphand = 1; 578e71b7053SJung-uk Kim 579e71b7053SJung-uk Kim /* 580e71b7053SJung-uk Kim * We only change the keys if we didn't already do this when we sent the 581e71b7053SJung-uk Kim * client certificate 582e71b7053SJung-uk Kim */ 583e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) 584e71b7053SJung-uk Kim && !s->server 585b077aed3SPierre Pronchery && s->s3.tmp.cert_req == 0 586e71b7053SJung-uk Kim && (!s->method->ssl3_enc->change_cipher_state(s, 587e71b7053SJung-uk Kim SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {; 588e71b7053SJung-uk Kim /* SSLfatal() already called */ 589e71b7053SJung-uk Kim return 0; 590e71b7053SJung-uk Kim } 591e71b7053SJung-uk Kim 592e71b7053SJung-uk Kim if (s->server) { 593e71b7053SJung-uk Kim sender = s->method->ssl3_enc->server_finished_label; 594e71b7053SJung-uk Kim slen = s->method->ssl3_enc->server_finished_label_len; 595e71b7053SJung-uk Kim } else { 596e71b7053SJung-uk Kim sender = s->method->ssl3_enc->client_finished_label; 597e71b7053SJung-uk Kim slen = s->method->ssl3_enc->client_finished_label_len; 598e71b7053SJung-uk Kim } 599e71b7053SJung-uk Kim 600e71b7053SJung-uk Kim finish_md_len = s->method->ssl3_enc->final_finish_mac(s, 601e71b7053SJung-uk Kim sender, slen, 602b077aed3SPierre Pronchery s->s3.tmp.finish_md); 603e71b7053SJung-uk Kim if (finish_md_len == 0) { 604e71b7053SJung-uk Kim /* SSLfatal() already called */ 605e71b7053SJung-uk Kim return 0; 606e71b7053SJung-uk Kim } 607e71b7053SJung-uk Kim 608b077aed3SPierre Pronchery s->s3.tmp.finish_md_len = finish_md_len; 609e71b7053SJung-uk Kim 610b077aed3SPierre Pronchery if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) { 611b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 612e71b7053SJung-uk Kim return 0; 613e71b7053SJung-uk Kim } 614e71b7053SJung-uk Kim 615e71b7053SJung-uk Kim /* 616e71b7053SJung-uk Kim * Log the master secret, if logging is enabled. We don't log it for 617e71b7053SJung-uk Kim * TLSv1.3: there's a different key schedule for that. 618e71b7053SJung-uk Kim */ 619e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL, 620e71b7053SJung-uk Kim s->session->master_key, 621e71b7053SJung-uk Kim s->session->master_key_length)) { 622e71b7053SJung-uk Kim /* SSLfatal() already called */ 623e71b7053SJung-uk Kim return 0; 624e71b7053SJung-uk Kim } 625e71b7053SJung-uk Kim 626e71b7053SJung-uk Kim /* 627e71b7053SJung-uk Kim * Copy the finished so we can use it for renegotiation checks 628e71b7053SJung-uk Kim */ 629e71b7053SJung-uk Kim if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) { 630b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 631e71b7053SJung-uk Kim return 0; 632e71b7053SJung-uk Kim } 633e71b7053SJung-uk Kim if (!s->server) { 634b077aed3SPierre Pronchery memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md, 635e71b7053SJung-uk Kim finish_md_len); 636b077aed3SPierre Pronchery s->s3.previous_client_finished_len = finish_md_len; 637e71b7053SJung-uk Kim } else { 638b077aed3SPierre Pronchery memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md, 639e71b7053SJung-uk Kim finish_md_len); 640b077aed3SPierre Pronchery s->s3.previous_server_finished_len = finish_md_len; 641e71b7053SJung-uk Kim } 642e71b7053SJung-uk Kim 643e71b7053SJung-uk Kim return 1; 644e71b7053SJung-uk Kim } 645e71b7053SJung-uk Kim 646e71b7053SJung-uk Kim int tls_construct_key_update(SSL *s, WPACKET *pkt) 647e71b7053SJung-uk Kim { 648e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u8(pkt, s->key_update)) { 649b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 650e71b7053SJung-uk Kim return 0; 651e71b7053SJung-uk Kim } 652e71b7053SJung-uk Kim 653e71b7053SJung-uk Kim s->key_update = SSL_KEY_UPDATE_NONE; 654e71b7053SJung-uk Kim return 1; 655e71b7053SJung-uk Kim } 656e71b7053SJung-uk Kim 657e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) 658e71b7053SJung-uk Kim { 659e71b7053SJung-uk Kim unsigned int updatetype; 660e71b7053SJung-uk Kim 661e71b7053SJung-uk Kim /* 662e71b7053SJung-uk Kim * A KeyUpdate message signals a key change so the end of the message must 663e71b7053SJung-uk Kim * be on a record boundary. 664e71b7053SJung-uk Kim */ 665e71b7053SJung-uk Kim if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { 666b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); 667e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 668e71b7053SJung-uk Kim } 669e71b7053SJung-uk Kim 670e71b7053SJung-uk Kim if (!PACKET_get_1(pkt, &updatetype) 671e71b7053SJung-uk Kim || PACKET_remaining(pkt) != 0) { 672b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE); 673e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 674e71b7053SJung-uk Kim } 675e71b7053SJung-uk Kim 676e71b7053SJung-uk Kim /* 677e71b7053SJung-uk Kim * There are only two defined key update types. Fail if we get a value we 678e71b7053SJung-uk Kim * didn't recognise. 679e71b7053SJung-uk Kim */ 680e71b7053SJung-uk Kim if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED 681e71b7053SJung-uk Kim && updatetype != SSL_KEY_UPDATE_REQUESTED) { 682b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE); 683e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 684e71b7053SJung-uk Kim } 685e71b7053SJung-uk Kim 686e71b7053SJung-uk Kim /* 687e71b7053SJung-uk Kim * If we get a request for us to update our sending keys too then, we need 688e71b7053SJung-uk Kim * to additionally send a KeyUpdate message. However that message should 689da327cd2SJung-uk Kim * not also request an update (otherwise we get into an infinite loop). 690e71b7053SJung-uk Kim */ 691da327cd2SJung-uk Kim if (updatetype == SSL_KEY_UPDATE_REQUESTED) 692e71b7053SJung-uk Kim s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; 693e71b7053SJung-uk Kim 694e71b7053SJung-uk Kim if (!tls13_update_key(s, 0)) { 695e71b7053SJung-uk Kim /* SSLfatal() already called */ 696e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 697e71b7053SJung-uk Kim } 698e71b7053SJung-uk Kim 699e71b7053SJung-uk Kim return MSG_PROCESS_FINISHED_READING; 700e71b7053SJung-uk Kim } 701e71b7053SJung-uk Kim 702e71b7053SJung-uk Kim /* 703e71b7053SJung-uk Kim * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen 704e71b7053SJung-uk Kim * to far. 705e71b7053SJung-uk Kim */ 706e71b7053SJung-uk Kim int ssl3_take_mac(SSL *s) 707e71b7053SJung-uk Kim { 708e71b7053SJung-uk Kim const char *sender; 709e71b7053SJung-uk Kim size_t slen; 710e71b7053SJung-uk Kim 711e71b7053SJung-uk Kim if (!s->server) { 712e71b7053SJung-uk Kim sender = s->method->ssl3_enc->server_finished_label; 713e71b7053SJung-uk Kim slen = s->method->ssl3_enc->server_finished_label_len; 714e71b7053SJung-uk Kim } else { 715e71b7053SJung-uk Kim sender = s->method->ssl3_enc->client_finished_label; 716e71b7053SJung-uk Kim slen = s->method->ssl3_enc->client_finished_label_len; 717e71b7053SJung-uk Kim } 718e71b7053SJung-uk Kim 719b077aed3SPierre Pronchery s->s3.tmp.peer_finish_md_len = 720e71b7053SJung-uk Kim s->method->ssl3_enc->final_finish_mac(s, sender, slen, 721b077aed3SPierre Pronchery s->s3.tmp.peer_finish_md); 722e71b7053SJung-uk Kim 723b077aed3SPierre Pronchery if (s->s3.tmp.peer_finish_md_len == 0) { 724e71b7053SJung-uk Kim /* SSLfatal() already called */ 725e71b7053SJung-uk Kim return 0; 726e71b7053SJung-uk Kim } 727e71b7053SJung-uk Kim 728e71b7053SJung-uk Kim return 1; 729e71b7053SJung-uk Kim } 730e71b7053SJung-uk Kim 731e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) 732e71b7053SJung-uk Kim { 733e71b7053SJung-uk Kim size_t remain; 734e71b7053SJung-uk Kim 735e71b7053SJung-uk Kim remain = PACKET_remaining(pkt); 736e71b7053SJung-uk Kim /* 737e71b7053SJung-uk Kim * 'Change Cipher Spec' is just a single byte, which should already have 738e71b7053SJung-uk Kim * been consumed by ssl_get_message() so there should be no bytes left, 739e71b7053SJung-uk Kim * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes 740e71b7053SJung-uk Kim */ 741e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) { 742e71b7053SJung-uk Kim if ((s->version == DTLS1_BAD_VER 743e71b7053SJung-uk Kim && remain != DTLS1_CCS_HEADER_LENGTH + 1) 744e71b7053SJung-uk Kim || (s->version != DTLS1_BAD_VER 745e71b7053SJung-uk Kim && remain != DTLS1_CCS_HEADER_LENGTH - 1)) { 746b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC); 747e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 748e71b7053SJung-uk Kim } 749e71b7053SJung-uk Kim } else { 750e71b7053SJung-uk Kim if (remain != 0) { 751b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC); 752e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 753e71b7053SJung-uk Kim } 754e71b7053SJung-uk Kim } 755e71b7053SJung-uk Kim 756e71b7053SJung-uk Kim /* Check we have a cipher to change to */ 757b077aed3SPierre Pronchery if (s->s3.tmp.new_cipher == NULL) { 758b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY); 759e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 760e71b7053SJung-uk Kim } 761e71b7053SJung-uk Kim 762b077aed3SPierre Pronchery s->s3.change_cipher_spec = 1; 763e71b7053SJung-uk Kim if (!ssl3_do_change_cipher_spec(s)) { 764b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 765e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 766e71b7053SJung-uk Kim } 767e71b7053SJung-uk Kim 768e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) { 769e71b7053SJung-uk Kim dtls1_reset_seq_numbers(s, SSL3_CC_READ); 770e71b7053SJung-uk Kim 771e71b7053SJung-uk Kim if (s->version == DTLS1_BAD_VER) 772e71b7053SJung-uk Kim s->d1->handshake_read_seq++; 773e71b7053SJung-uk Kim 774e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SCTP 775e71b7053SJung-uk Kim /* 776e71b7053SJung-uk Kim * Remember that a CCS has been received, so that an old key of 777e71b7053SJung-uk Kim * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no 778e71b7053SJung-uk Kim * SCTP is used 779e71b7053SJung-uk Kim */ 780e71b7053SJung-uk Kim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL); 781e71b7053SJung-uk Kim #endif 782e71b7053SJung-uk Kim } 783e71b7053SJung-uk Kim 784e71b7053SJung-uk Kim return MSG_PROCESS_CONTINUE_READING; 785e71b7053SJung-uk Kim } 786e71b7053SJung-uk Kim 787e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) 788e71b7053SJung-uk Kim { 789e71b7053SJung-uk Kim size_t md_len; 790e71b7053SJung-uk Kim 791e71b7053SJung-uk Kim 792e71b7053SJung-uk Kim /* This is a real handshake so make sure we clean it up at the end */ 793e71b7053SJung-uk Kim if (s->server) { 794e71b7053SJung-uk Kim /* 795e71b7053SJung-uk Kim * To get this far we must have read encrypted data from the client. We 796e71b7053SJung-uk Kim * no longer tolerate unencrypted alerts. This value is ignored if less 797e71b7053SJung-uk Kim * than TLSv1.3 798e71b7053SJung-uk Kim */ 799e71b7053SJung-uk Kim s->statem.enc_read_state = ENC_READ_STATE_VALID; 800e71b7053SJung-uk Kim if (s->post_handshake_auth != SSL_PHA_REQUESTED) 801e71b7053SJung-uk Kim s->statem.cleanuphand = 1; 802e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) { 803e71b7053SJung-uk Kim /* SSLfatal() already called */ 804e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 805e71b7053SJung-uk Kim } 806e71b7053SJung-uk Kim } 807e71b7053SJung-uk Kim 808e71b7053SJung-uk Kim /* 809e71b7053SJung-uk Kim * In TLSv1.3 a Finished message signals a key change so the end of the 810e71b7053SJung-uk Kim * message must be on a record boundary. 811e71b7053SJung-uk Kim */ 812e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { 813b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); 814e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 815e71b7053SJung-uk Kim } 816e71b7053SJung-uk Kim 817e71b7053SJung-uk Kim /* If this occurs, we have missed a message */ 818b077aed3SPierre Pronchery if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) { 819b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS); 820e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 821e71b7053SJung-uk Kim } 822b077aed3SPierre Pronchery s->s3.change_cipher_spec = 0; 823e71b7053SJung-uk Kim 824b077aed3SPierre Pronchery md_len = s->s3.tmp.peer_finish_md_len; 825e71b7053SJung-uk Kim 826e71b7053SJung-uk Kim if (md_len != PACKET_remaining(pkt)) { 827b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH); 828e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 829e71b7053SJung-uk Kim } 830e71b7053SJung-uk Kim 831b077aed3SPierre Pronchery if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md, 832e71b7053SJung-uk Kim md_len) != 0) { 833b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED); 834e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 835e71b7053SJung-uk Kim } 836e71b7053SJung-uk Kim 837e71b7053SJung-uk Kim /* 838e71b7053SJung-uk Kim * Copy the finished so we can use it for renegotiation checks 839e71b7053SJung-uk Kim */ 840e71b7053SJung-uk Kim if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) { 841b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 842e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 843e71b7053SJung-uk Kim } 844e71b7053SJung-uk Kim if (s->server) { 845b077aed3SPierre Pronchery memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md, 846e71b7053SJung-uk Kim md_len); 847b077aed3SPierre Pronchery s->s3.previous_client_finished_len = md_len; 848e71b7053SJung-uk Kim } else { 849b077aed3SPierre Pronchery memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md, 850e71b7053SJung-uk Kim md_len); 851b077aed3SPierre Pronchery s->s3.previous_server_finished_len = md_len; 852e71b7053SJung-uk Kim } 853e71b7053SJung-uk Kim 854e71b7053SJung-uk Kim /* 855e71b7053SJung-uk Kim * In TLS1.3 we also have to change cipher state and do any final processing 856e71b7053SJung-uk Kim * of the initial server flight (if we are a client) 857e71b7053SJung-uk Kim */ 858e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) { 859e71b7053SJung-uk Kim if (s->server) { 860e71b7053SJung-uk Kim if (s->post_handshake_auth != SSL_PHA_REQUESTED && 861e71b7053SJung-uk Kim !s->method->ssl3_enc->change_cipher_state(s, 862e71b7053SJung-uk Kim SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) { 863e71b7053SJung-uk Kim /* SSLfatal() already called */ 864e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 865e71b7053SJung-uk Kim } 866e71b7053SJung-uk Kim } else { 86717f01e99SJung-uk Kim /* TLS 1.3 gets the secret size from the handshake md */ 86817f01e99SJung-uk Kim size_t dummy; 869e71b7053SJung-uk Kim if (!s->method->ssl3_enc->generate_master_secret(s, 870e71b7053SJung-uk Kim s->master_secret, s->handshake_secret, 0, 87117f01e99SJung-uk Kim &dummy)) { 872e71b7053SJung-uk Kim /* SSLfatal() already called */ 873e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 874e71b7053SJung-uk Kim } 875e71b7053SJung-uk Kim if (!s->method->ssl3_enc->change_cipher_state(s, 876e71b7053SJung-uk Kim SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) { 877e71b7053SJung-uk Kim /* SSLfatal() already called */ 878e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 879e71b7053SJung-uk Kim } 880e71b7053SJung-uk Kim if (!tls_process_initial_server_flight(s)) { 881e71b7053SJung-uk Kim /* SSLfatal() already called */ 882e71b7053SJung-uk Kim return MSG_PROCESS_ERROR; 883e71b7053SJung-uk Kim } 884e71b7053SJung-uk Kim } 885e71b7053SJung-uk Kim } 886e71b7053SJung-uk Kim 887e71b7053SJung-uk Kim return MSG_PROCESS_FINISHED_READING; 888e71b7053SJung-uk Kim } 889e71b7053SJung-uk Kim 890e71b7053SJung-uk Kim int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt) 891e71b7053SJung-uk Kim { 892e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) { 893b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 894e71b7053SJung-uk Kim return 0; 895e71b7053SJung-uk Kim } 896e71b7053SJung-uk Kim 897e71b7053SJung-uk Kim return 1; 898e71b7053SJung-uk Kim } 899e71b7053SJung-uk Kim 900e71b7053SJung-uk Kim /* Add a certificate to the WPACKET */ 901e71b7053SJung-uk Kim static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain) 902e71b7053SJung-uk Kim { 903e71b7053SJung-uk Kim int len; 904e71b7053SJung-uk Kim unsigned char *outbytes; 905e71b7053SJung-uk Kim 906e71b7053SJung-uk Kim len = i2d_X509(x, NULL); 907e71b7053SJung-uk Kim if (len < 0) { 908b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB); 909e71b7053SJung-uk Kim return 0; 910e71b7053SJung-uk Kim } 911e71b7053SJung-uk Kim if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes) 912e71b7053SJung-uk Kim || i2d_X509(x, &outbytes) != len) { 913b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 914e71b7053SJung-uk Kim return 0; 915e71b7053SJung-uk Kim } 916e71b7053SJung-uk Kim 917e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) 918e71b7053SJung-uk Kim && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x, 919e71b7053SJung-uk Kim chain)) { 920e71b7053SJung-uk Kim /* SSLfatal() already called */ 921e71b7053SJung-uk Kim return 0; 922e71b7053SJung-uk Kim } 923e71b7053SJung-uk Kim 924e71b7053SJung-uk Kim return 1; 925e71b7053SJung-uk Kim } 926e71b7053SJung-uk Kim 927e71b7053SJung-uk Kim /* Add certificate chain to provided WPACKET */ 928e71b7053SJung-uk Kim static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) 929e71b7053SJung-uk Kim { 930e71b7053SJung-uk Kim int i, chain_count; 931e71b7053SJung-uk Kim X509 *x; 932e71b7053SJung-uk Kim STACK_OF(X509) *extra_certs; 933e71b7053SJung-uk Kim STACK_OF(X509) *chain = NULL; 934e71b7053SJung-uk Kim X509_STORE *chain_store; 935e71b7053SJung-uk Kim 936e71b7053SJung-uk Kim if (cpk == NULL || cpk->x509 == NULL) 937e71b7053SJung-uk Kim return 1; 938e71b7053SJung-uk Kim 939e71b7053SJung-uk Kim x = cpk->x509; 940e71b7053SJung-uk Kim 941e71b7053SJung-uk Kim /* 942e71b7053SJung-uk Kim * If we have a certificate specific chain use it, else use parent ctx. 943e71b7053SJung-uk Kim */ 944e71b7053SJung-uk Kim if (cpk->chain != NULL) 945e71b7053SJung-uk Kim extra_certs = cpk->chain; 946e71b7053SJung-uk Kim else 947e71b7053SJung-uk Kim extra_certs = s->ctx->extra_certs; 948e71b7053SJung-uk Kim 949e71b7053SJung-uk Kim if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs) 950e71b7053SJung-uk Kim chain_store = NULL; 951e71b7053SJung-uk Kim else if (s->cert->chain_store) 952e71b7053SJung-uk Kim chain_store = s->cert->chain_store; 953e71b7053SJung-uk Kim else 954e71b7053SJung-uk Kim chain_store = s->ctx->cert_store; 955e71b7053SJung-uk Kim 956e71b7053SJung-uk Kim if (chain_store != NULL) { 957b077aed3SPierre Pronchery X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx, 958b077aed3SPierre Pronchery s->ctx->propq); 959e71b7053SJung-uk Kim 960e71b7053SJung-uk Kim if (xs_ctx == NULL) { 961b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 962e71b7053SJung-uk Kim return 0; 963e71b7053SJung-uk Kim } 964e71b7053SJung-uk Kim if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) { 965e71b7053SJung-uk Kim X509_STORE_CTX_free(xs_ctx); 966b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB); 967e71b7053SJung-uk Kim return 0; 968e71b7053SJung-uk Kim } 969e71b7053SJung-uk Kim /* 970e71b7053SJung-uk Kim * It is valid for the chain not to be complete (because normally we 971e71b7053SJung-uk Kim * don't include the root cert in the chain). Therefore we deliberately 972e71b7053SJung-uk Kim * ignore the error return from this call. We're not actually verifying 973e71b7053SJung-uk Kim * the cert - we're just building as much of the chain as we can 974e71b7053SJung-uk Kim */ 975e71b7053SJung-uk Kim (void)X509_verify_cert(xs_ctx); 976e71b7053SJung-uk Kim /* Don't leave errors in the queue */ 977e71b7053SJung-uk Kim ERR_clear_error(); 978e71b7053SJung-uk Kim chain = X509_STORE_CTX_get0_chain(xs_ctx); 979e71b7053SJung-uk Kim i = ssl_security_cert_chain(s, chain, NULL, 0); 980e71b7053SJung-uk Kim if (i != 1) { 981e71b7053SJung-uk Kim #if 0 982e71b7053SJung-uk Kim /* Dummy error calls so mkerr generates them */ 983b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL); 984b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL); 985b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK); 986e71b7053SJung-uk Kim #endif 987e71b7053SJung-uk Kim X509_STORE_CTX_free(xs_ctx); 988b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, i); 989e71b7053SJung-uk Kim return 0; 990e71b7053SJung-uk Kim } 991e71b7053SJung-uk Kim chain_count = sk_X509_num(chain); 992e71b7053SJung-uk Kim for (i = 0; i < chain_count; i++) { 993e71b7053SJung-uk Kim x = sk_X509_value(chain, i); 994e71b7053SJung-uk Kim 995e71b7053SJung-uk Kim if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) { 996e71b7053SJung-uk Kim /* SSLfatal() already called */ 997e71b7053SJung-uk Kim X509_STORE_CTX_free(xs_ctx); 998e71b7053SJung-uk Kim return 0; 999e71b7053SJung-uk Kim } 1000e71b7053SJung-uk Kim } 1001e71b7053SJung-uk Kim X509_STORE_CTX_free(xs_ctx); 1002e71b7053SJung-uk Kim } else { 1003e71b7053SJung-uk Kim i = ssl_security_cert_chain(s, extra_certs, x, 0); 1004e71b7053SJung-uk Kim if (i != 1) { 1005b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, i); 1006e71b7053SJung-uk Kim return 0; 1007e71b7053SJung-uk Kim } 1008e71b7053SJung-uk Kim if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) { 1009e71b7053SJung-uk Kim /* SSLfatal() already called */ 1010e71b7053SJung-uk Kim return 0; 1011e71b7053SJung-uk Kim } 1012e71b7053SJung-uk Kim for (i = 0; i < sk_X509_num(extra_certs); i++) { 1013e71b7053SJung-uk Kim x = sk_X509_value(extra_certs, i); 1014e71b7053SJung-uk Kim if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) { 1015e71b7053SJung-uk Kim /* SSLfatal() already called */ 1016e71b7053SJung-uk Kim return 0; 1017e71b7053SJung-uk Kim } 1018e71b7053SJung-uk Kim } 1019e71b7053SJung-uk Kim } 1020e71b7053SJung-uk Kim return 1; 1021e71b7053SJung-uk Kim } 1022e71b7053SJung-uk Kim 1023e71b7053SJung-uk Kim unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) 1024e71b7053SJung-uk Kim { 1025e71b7053SJung-uk Kim if (!WPACKET_start_sub_packet_u24(pkt)) { 1026b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1027e71b7053SJung-uk Kim return 0; 1028e71b7053SJung-uk Kim } 1029e71b7053SJung-uk Kim 1030e71b7053SJung-uk Kim if (!ssl_add_cert_chain(s, pkt, cpk)) 1031e71b7053SJung-uk Kim return 0; 1032e71b7053SJung-uk Kim 1033e71b7053SJung-uk Kim if (!WPACKET_close(pkt)) { 1034b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1035e71b7053SJung-uk Kim return 0; 1036e71b7053SJung-uk Kim } 1037e71b7053SJung-uk Kim 1038e71b7053SJung-uk Kim return 1; 1039e71b7053SJung-uk Kim } 1040e71b7053SJung-uk Kim 1041e71b7053SJung-uk Kim /* 1042e71b7053SJung-uk Kim * Tidy up after the end of a handshake. In the case of SCTP this may result 1043e71b7053SJung-uk Kim * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is 1044e71b7053SJung-uk Kim * freed up as well. 1045e71b7053SJung-uk Kim */ 1046b077aed3SPierre Pronchery WORK_STATE tls_finish_handshake(SSL *s, ossl_unused WORK_STATE wst, 1047b077aed3SPierre Pronchery int clearbufs, int stop) 1048e71b7053SJung-uk Kim { 1049e71b7053SJung-uk Kim void (*cb) (const SSL *ssl, int type, int val) = NULL; 10506935a639SJung-uk Kim int cleanuphand = s->statem.cleanuphand; 1051e71b7053SJung-uk Kim 1052e71b7053SJung-uk Kim if (clearbufs) { 105317f01e99SJung-uk Kim if (!SSL_IS_DTLS(s) 105417f01e99SJung-uk Kim #ifndef OPENSSL_NO_SCTP 1055e71b7053SJung-uk Kim /* 105617f01e99SJung-uk Kim * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS 105717f01e99SJung-uk Kim * messages that require it. Therefore, DTLS procedures for retransmissions 105817f01e99SJung-uk Kim * MUST NOT be used. 105917f01e99SJung-uk Kim * Hence the init_buf can be cleared when DTLS over SCTP as transport is used. 106017f01e99SJung-uk Kim */ 106117f01e99SJung-uk Kim || BIO_dgram_is_sctp(SSL_get_wbio(s)) 106217f01e99SJung-uk Kim #endif 106317f01e99SJung-uk Kim ) { 106417f01e99SJung-uk Kim /* 106517f01e99SJung-uk Kim * We don't do this in DTLS over UDP because we may still need the init_buf 1066e71b7053SJung-uk Kim * in case there are any unexpected retransmits 1067e71b7053SJung-uk Kim */ 1068e71b7053SJung-uk Kim BUF_MEM_free(s->init_buf); 1069e71b7053SJung-uk Kim s->init_buf = NULL; 1070e71b7053SJung-uk Kim } 107117f01e99SJung-uk Kim 1072e71b7053SJung-uk Kim if (!ssl_free_wbio_buffer(s)) { 1073b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1074e71b7053SJung-uk Kim return WORK_ERROR; 1075e71b7053SJung-uk Kim } 1076e71b7053SJung-uk Kim s->init_num = 0; 1077e71b7053SJung-uk Kim } 1078e71b7053SJung-uk Kim 1079e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && !s->server 1080e71b7053SJung-uk Kim && s->post_handshake_auth == SSL_PHA_REQUESTED) 1081e71b7053SJung-uk Kim s->post_handshake_auth = SSL_PHA_EXT_SENT; 1082e71b7053SJung-uk Kim 1083e71b7053SJung-uk Kim /* 1084e71b7053SJung-uk Kim * Only set if there was a Finished message and this isn't after a TLSv1.3 1085e71b7053SJung-uk Kim * post handshake exchange 1086e71b7053SJung-uk Kim */ 10876935a639SJung-uk Kim if (cleanuphand) { 1088e71b7053SJung-uk Kim /* skipped if we just sent a HelloRequest */ 1089e71b7053SJung-uk Kim s->renegotiate = 0; 1090e71b7053SJung-uk Kim s->new_session = 0; 1091e71b7053SJung-uk Kim s->statem.cleanuphand = 0; 1092e71b7053SJung-uk Kim s->ext.ticket_expected = 0; 1093e71b7053SJung-uk Kim 1094e71b7053SJung-uk Kim ssl3_cleanup_key_block(s); 1095e71b7053SJung-uk Kim 1096e71b7053SJung-uk Kim if (s->server) { 1097e71b7053SJung-uk Kim /* 1098e71b7053SJung-uk Kim * In TLSv1.3 we update the cache as part of constructing the 1099e71b7053SJung-uk Kim * NewSessionTicket 1100e71b7053SJung-uk Kim */ 1101e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s)) 1102e71b7053SJung-uk Kim ssl_update_cache(s, SSL_SESS_CACHE_SERVER); 1103e71b7053SJung-uk Kim 1104e71b7053SJung-uk Kim /* N.B. s->ctx may not equal s->session_ctx */ 1105b077aed3SPierre Pronchery ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_good); 1106e71b7053SJung-uk Kim s->handshake_func = ossl_statem_accept; 1107e71b7053SJung-uk Kim } else { 1108e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) { 1109e71b7053SJung-uk Kim /* 1110e71b7053SJung-uk Kim * We encourage applications to only use TLSv1.3 tickets once, 1111e71b7053SJung-uk Kim * so we remove this one from the cache. 1112e71b7053SJung-uk Kim */ 1113e71b7053SJung-uk Kim if ((s->session_ctx->session_cache_mode 1114e71b7053SJung-uk Kim & SSL_SESS_CACHE_CLIENT) != 0) 1115e71b7053SJung-uk Kim SSL_CTX_remove_session(s->session_ctx, s->session); 1116e71b7053SJung-uk Kim } else { 1117e71b7053SJung-uk Kim /* 1118e71b7053SJung-uk Kim * In TLSv1.3 we update the cache as part of processing the 1119e71b7053SJung-uk Kim * NewSessionTicket 1120e71b7053SJung-uk Kim */ 1121e71b7053SJung-uk Kim ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 1122e71b7053SJung-uk Kim } 1123e71b7053SJung-uk Kim if (s->hit) 1124b077aed3SPierre Pronchery ssl_tsan_counter(s->session_ctx, 1125b077aed3SPierre Pronchery &s->session_ctx->stats.sess_hit); 1126e71b7053SJung-uk Kim 1127e71b7053SJung-uk Kim s->handshake_func = ossl_statem_connect; 1128b077aed3SPierre Pronchery ssl_tsan_counter(s->session_ctx, 1129b077aed3SPierre Pronchery &s->session_ctx->stats.sess_connect_good); 1130e71b7053SJung-uk Kim } 1131e71b7053SJung-uk Kim 1132e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) { 1133e71b7053SJung-uk Kim /* done with handshaking */ 1134e71b7053SJung-uk Kim s->d1->handshake_read_seq = 0; 1135e71b7053SJung-uk Kim s->d1->handshake_write_seq = 0; 1136e71b7053SJung-uk Kim s->d1->next_handshake_write_seq = 0; 1137e71b7053SJung-uk Kim dtls1_clear_received_buffer(s); 1138e71b7053SJung-uk Kim } 1139e71b7053SJung-uk Kim } 1140e71b7053SJung-uk Kim 1141e71b7053SJung-uk Kim if (s->info_callback != NULL) 1142e71b7053SJung-uk Kim cb = s->info_callback; 1143e71b7053SJung-uk Kim else if (s->ctx->info_callback != NULL) 1144e71b7053SJung-uk Kim cb = s->ctx->info_callback; 1145e71b7053SJung-uk Kim 1146e71b7053SJung-uk Kim /* The callback may expect us to not be in init at handshake done */ 1147e71b7053SJung-uk Kim ossl_statem_set_in_init(s, 0); 1148e71b7053SJung-uk Kim 11496935a639SJung-uk Kim if (cb != NULL) { 11506935a639SJung-uk Kim if (cleanuphand 11516935a639SJung-uk Kim || !SSL_IS_TLS13(s) 11526935a639SJung-uk Kim || SSL_IS_FIRST_HANDSHAKE(s)) 1153e71b7053SJung-uk Kim cb(s, SSL_CB_HANDSHAKE_DONE, 1); 11546935a639SJung-uk Kim } 1155e71b7053SJung-uk Kim 1156e71b7053SJung-uk Kim if (!stop) { 1157e71b7053SJung-uk Kim /* If we've got more work to do we go back into init */ 1158e71b7053SJung-uk Kim ossl_statem_set_in_init(s, 1); 1159e71b7053SJung-uk Kim return WORK_FINISHED_CONTINUE; 1160e71b7053SJung-uk Kim } 1161e71b7053SJung-uk Kim 1162e71b7053SJung-uk Kim return WORK_FINISHED_STOP; 1163e71b7053SJung-uk Kim } 1164e71b7053SJung-uk Kim 1165e71b7053SJung-uk Kim int tls_get_message_header(SSL *s, int *mt) 1166e71b7053SJung-uk Kim { 1167e71b7053SJung-uk Kim /* s->init_num < SSL3_HM_HEADER_LENGTH */ 1168e71b7053SJung-uk Kim int skip_message, i, recvd_type; 1169e71b7053SJung-uk Kim unsigned char *p; 1170e71b7053SJung-uk Kim size_t l, readbytes; 1171e71b7053SJung-uk Kim 1172e71b7053SJung-uk Kim p = (unsigned char *)s->init_buf->data; 1173e71b7053SJung-uk Kim 1174e71b7053SJung-uk Kim do { 1175e71b7053SJung-uk Kim while (s->init_num < SSL3_HM_HEADER_LENGTH) { 1176e71b7053SJung-uk Kim i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, 1177e71b7053SJung-uk Kim &p[s->init_num], 1178e71b7053SJung-uk Kim SSL3_HM_HEADER_LENGTH - s->init_num, 1179e71b7053SJung-uk Kim 0, &readbytes); 1180e71b7053SJung-uk Kim if (i <= 0) { 1181e71b7053SJung-uk Kim s->rwstate = SSL_READING; 1182e71b7053SJung-uk Kim return 0; 1183e71b7053SJung-uk Kim } 1184e71b7053SJung-uk Kim if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 1185e71b7053SJung-uk Kim /* 1186e71b7053SJung-uk Kim * A ChangeCipherSpec must be a single byte and may not occur 1187e71b7053SJung-uk Kim * in the middle of a handshake message. 1188e71b7053SJung-uk Kim */ 1189e71b7053SJung-uk Kim if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) { 1190e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1191e71b7053SJung-uk Kim SSL_R_BAD_CHANGE_CIPHER_SPEC); 1192e71b7053SJung-uk Kim return 0; 1193e71b7053SJung-uk Kim } 1194e71b7053SJung-uk Kim if (s->statem.hand_state == TLS_ST_BEFORE 1195b077aed3SPierre Pronchery && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) { 1196e71b7053SJung-uk Kim /* 1197e71b7053SJung-uk Kim * We are stateless and we received a CCS. Probably this is 1198e71b7053SJung-uk Kim * from a client between the first and second ClientHellos. 1199e71b7053SJung-uk Kim * We should ignore this, but return an error because we do 1200e71b7053SJung-uk Kim * not return success until we see the second ClientHello 1201e71b7053SJung-uk Kim * with a valid cookie. 1202e71b7053SJung-uk Kim */ 1203e71b7053SJung-uk Kim return 0; 1204e71b7053SJung-uk Kim } 1205b077aed3SPierre Pronchery s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; 1206e71b7053SJung-uk Kim s->init_num = readbytes - 1; 1207e71b7053SJung-uk Kim s->init_msg = s->init_buf->data; 1208b077aed3SPierre Pronchery s->s3.tmp.message_size = readbytes; 1209e71b7053SJung-uk Kim return 1; 1210e71b7053SJung-uk Kim } else if (recvd_type != SSL3_RT_HANDSHAKE) { 1211e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1212e71b7053SJung-uk Kim SSL_R_CCS_RECEIVED_EARLY); 1213e71b7053SJung-uk Kim return 0; 1214e71b7053SJung-uk Kim } 1215e71b7053SJung-uk Kim s->init_num += readbytes; 1216e71b7053SJung-uk Kim } 1217e71b7053SJung-uk Kim 1218e71b7053SJung-uk Kim skip_message = 0; 1219e71b7053SJung-uk Kim if (!s->server) 1220e71b7053SJung-uk Kim if (s->statem.hand_state != TLS_ST_OK 1221e71b7053SJung-uk Kim && p[0] == SSL3_MT_HELLO_REQUEST) 1222e71b7053SJung-uk Kim /* 1223e71b7053SJung-uk Kim * The server may always send 'Hello Request' messages -- 1224e71b7053SJung-uk Kim * we are doing a handshake anyway now, so ignore them if 1225e71b7053SJung-uk Kim * their format is correct. Does not count for 'Finished' 1226e71b7053SJung-uk Kim * MAC. 1227e71b7053SJung-uk Kim */ 1228e71b7053SJung-uk Kim if (p[1] == 0 && p[2] == 0 && p[3] == 0) { 1229e71b7053SJung-uk Kim s->init_num = 0; 1230e71b7053SJung-uk Kim skip_message = 1; 1231e71b7053SJung-uk Kim 1232e71b7053SJung-uk Kim if (s->msg_callback) 1233e71b7053SJung-uk Kim s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 1234e71b7053SJung-uk Kim p, SSL3_HM_HEADER_LENGTH, s, 1235e71b7053SJung-uk Kim s->msg_callback_arg); 1236e71b7053SJung-uk Kim } 1237e71b7053SJung-uk Kim } while (skip_message); 1238e71b7053SJung-uk Kim /* s->init_num == SSL3_HM_HEADER_LENGTH */ 1239e71b7053SJung-uk Kim 1240e71b7053SJung-uk Kim *mt = *p; 1241b077aed3SPierre Pronchery s->s3.tmp.message_type = *(p++); 1242e71b7053SJung-uk Kim 1243e71b7053SJung-uk Kim if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 1244e71b7053SJung-uk Kim /* 1245e71b7053SJung-uk Kim * Only happens with SSLv3+ in an SSLv2 backward compatible 1246e71b7053SJung-uk Kim * ClientHello 1247e71b7053SJung-uk Kim * 1248e71b7053SJung-uk Kim * Total message size is the remaining record bytes to read 1249e71b7053SJung-uk Kim * plus the SSL3_HM_HEADER_LENGTH bytes that we already read 1250e71b7053SJung-uk Kim */ 1251e71b7053SJung-uk Kim l = RECORD_LAYER_get_rrec_length(&s->rlayer) 1252e71b7053SJung-uk Kim + SSL3_HM_HEADER_LENGTH; 1253b077aed3SPierre Pronchery s->s3.tmp.message_size = l; 1254e71b7053SJung-uk Kim 1255e71b7053SJung-uk Kim s->init_msg = s->init_buf->data; 1256e71b7053SJung-uk Kim s->init_num = SSL3_HM_HEADER_LENGTH; 1257e71b7053SJung-uk Kim } else { 1258e71b7053SJung-uk Kim n2l3(p, l); 1259e71b7053SJung-uk Kim /* BUF_MEM_grow takes an 'int' parameter */ 1260e71b7053SJung-uk Kim if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) { 1261b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1262e71b7053SJung-uk Kim SSL_R_EXCESSIVE_MESSAGE_SIZE); 1263e71b7053SJung-uk Kim return 0; 1264e71b7053SJung-uk Kim } 1265b077aed3SPierre Pronchery s->s3.tmp.message_size = l; 1266e71b7053SJung-uk Kim 1267e71b7053SJung-uk Kim s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; 1268e71b7053SJung-uk Kim s->init_num = 0; 1269e71b7053SJung-uk Kim } 1270e71b7053SJung-uk Kim 1271e71b7053SJung-uk Kim return 1; 1272e71b7053SJung-uk Kim } 1273e71b7053SJung-uk Kim 1274e71b7053SJung-uk Kim int tls_get_message_body(SSL *s, size_t *len) 1275e71b7053SJung-uk Kim { 1276e71b7053SJung-uk Kim size_t n, readbytes; 1277e71b7053SJung-uk Kim unsigned char *p; 1278e71b7053SJung-uk Kim int i; 1279e71b7053SJung-uk Kim 1280b077aed3SPierre Pronchery if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) { 1281e71b7053SJung-uk Kim /* We've already read everything in */ 1282e71b7053SJung-uk Kim *len = (unsigned long)s->init_num; 1283e71b7053SJung-uk Kim return 1; 1284e71b7053SJung-uk Kim } 1285e71b7053SJung-uk Kim 1286e71b7053SJung-uk Kim p = s->init_msg; 1287b077aed3SPierre Pronchery n = s->s3.tmp.message_size - s->init_num; 1288e71b7053SJung-uk Kim while (n > 0) { 1289e71b7053SJung-uk Kim i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 1290e71b7053SJung-uk Kim &p[s->init_num], n, 0, &readbytes); 1291e71b7053SJung-uk Kim if (i <= 0) { 1292e71b7053SJung-uk Kim s->rwstate = SSL_READING; 1293e71b7053SJung-uk Kim *len = 0; 1294e71b7053SJung-uk Kim return 0; 1295e71b7053SJung-uk Kim } 1296e71b7053SJung-uk Kim s->init_num += readbytes; 1297e71b7053SJung-uk Kim n -= readbytes; 1298e71b7053SJung-uk Kim } 1299e71b7053SJung-uk Kim 1300e71b7053SJung-uk Kim /* 1301e71b7053SJung-uk Kim * If receiving Finished, record MAC of prior handshake messages for 1302e71b7053SJung-uk Kim * Finished verification. 1303e71b7053SJung-uk Kim */ 1304e71b7053SJung-uk Kim if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) { 1305e71b7053SJung-uk Kim /* SSLfatal() already called */ 1306e71b7053SJung-uk Kim *len = 0; 1307e71b7053SJung-uk Kim return 0; 1308e71b7053SJung-uk Kim } 1309e71b7053SJung-uk Kim 1310e71b7053SJung-uk Kim /* Feed this message into MAC computation. */ 1311e71b7053SJung-uk Kim if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 1312e71b7053SJung-uk Kim if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1313e71b7053SJung-uk Kim s->init_num)) { 1314e71b7053SJung-uk Kim /* SSLfatal() already called */ 1315e71b7053SJung-uk Kim *len = 0; 1316e71b7053SJung-uk Kim return 0; 1317e71b7053SJung-uk Kim } 1318e71b7053SJung-uk Kim if (s->msg_callback) 1319e71b7053SJung-uk Kim s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data, 1320e71b7053SJung-uk Kim (size_t)s->init_num, s, s->msg_callback_arg); 1321e71b7053SJung-uk Kim } else { 1322e71b7053SJung-uk Kim /* 1323e71b7053SJung-uk Kim * We defer feeding in the HRR until later. We'll do it as part of 1324e71b7053SJung-uk Kim * processing the message 1325e71b7053SJung-uk Kim * The TLsv1.3 handshake transcript stops at the ClientFinished 1326e71b7053SJung-uk Kim * message. 1327e71b7053SJung-uk Kim */ 1328e71b7053SJung-uk Kim #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2) 1329e71b7053SJung-uk Kim /* KeyUpdate and NewSessionTicket do not need to be added */ 1330b077aed3SPierre Pronchery if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET 1331b077aed3SPierre Pronchery && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) { 1332b077aed3SPierre Pronchery if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO 1333e71b7053SJung-uk Kim || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE 1334e71b7053SJung-uk Kim || memcmp(hrrrandom, 1335e71b7053SJung-uk Kim s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET, 1336e71b7053SJung-uk Kim SSL3_RANDOM_SIZE) != 0) { 1337e71b7053SJung-uk Kim if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1338e71b7053SJung-uk Kim s->init_num + SSL3_HM_HEADER_LENGTH)) { 1339e71b7053SJung-uk Kim /* SSLfatal() already called */ 1340e71b7053SJung-uk Kim *len = 0; 1341e71b7053SJung-uk Kim return 0; 1342e71b7053SJung-uk Kim } 1343e71b7053SJung-uk Kim } 1344e71b7053SJung-uk Kim } 1345e71b7053SJung-uk Kim if (s->msg_callback) 1346e71b7053SJung-uk Kim s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, 1347e71b7053SJung-uk Kim (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s, 1348e71b7053SJung-uk Kim s->msg_callback_arg); 1349e71b7053SJung-uk Kim } 1350e71b7053SJung-uk Kim 1351e71b7053SJung-uk Kim *len = s->init_num; 1352e71b7053SJung-uk Kim return 1; 1353e71b7053SJung-uk Kim } 1354e71b7053SJung-uk Kim 1355e71b7053SJung-uk Kim static const X509ERR2ALERT x509table[] = { 1356e71b7053SJung-uk Kim {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE}, 1357e71b7053SJung-uk Kim {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE}, 135858f35182SJung-uk Kim {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE}, 1359e71b7053SJung-uk Kim {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE}, 1360e71b7053SJung-uk Kim {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA}, 1361e71b7053SJung-uk Kim {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED}, 1362e71b7053SJung-uk Kim {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE}, 1363e71b7053SJung-uk Kim {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE}, 1364e71b7053SJung-uk Kim {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED}, 1365e71b7053SJung-uk Kim {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR}, 1366e71b7053SJung-uk Kim {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE}, 1367e71b7053SJung-uk Kim {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED}, 1368e71b7053SJung-uk Kim {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE}, 1369e71b7053SJung-uk Kim {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR}, 1370e71b7053SJung-uk Kim {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE}, 1371e71b7053SJung-uk Kim {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA}, 1372e71b7053SJung-uk Kim {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE}, 1373e71b7053SJung-uk Kim {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1374e71b7053SJung-uk Kim {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE}, 1375e71b7053SJung-uk Kim {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1376e71b7053SJung-uk Kim {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1377e71b7053SJung-uk Kim {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE}, 1378e71b7053SJung-uk Kim {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1379e71b7053SJung-uk Kim {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA}, 1380e71b7053SJung-uk Kim {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR}, 1381e71b7053SJung-uk Kim {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE}, 1382e71b7053SJung-uk Kim {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE}, 1383e71b7053SJung-uk Kim {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR}, 1384e71b7053SJung-uk Kim {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA}, 1385e71b7053SJung-uk Kim {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA}, 1386e71b7053SJung-uk Kim {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR}, 1387e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE}, 1388e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE}, 1389e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE}, 1390e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA}, 1391e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA}, 1392e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA}, 1393e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA}, 1394e71b7053SJung-uk Kim {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA}, 1395e71b7053SJung-uk Kim {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR}, 1396e71b7053SJung-uk Kim 1397e71b7053SJung-uk Kim /* Last entry; return this if we don't find the value above. */ 1398e71b7053SJung-uk Kim {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN} 1399e71b7053SJung-uk Kim }; 1400e71b7053SJung-uk Kim 1401e71b7053SJung-uk Kim int ssl_x509err2alert(int x509err) 1402e71b7053SJung-uk Kim { 1403e71b7053SJung-uk Kim const X509ERR2ALERT *tp; 1404e71b7053SJung-uk Kim 1405e71b7053SJung-uk Kim for (tp = x509table; tp->x509err != X509_V_OK; ++tp) 1406e71b7053SJung-uk Kim if (tp->x509err == x509err) 1407e71b7053SJung-uk Kim break; 1408e71b7053SJung-uk Kim return tp->alert; 1409e71b7053SJung-uk Kim } 1410e71b7053SJung-uk Kim 1411e71b7053SJung-uk Kim int ssl_allow_compression(SSL *s) 1412e71b7053SJung-uk Kim { 1413e71b7053SJung-uk Kim if (s->options & SSL_OP_NO_COMPRESSION) 1414e71b7053SJung-uk Kim return 0; 1415e71b7053SJung-uk Kim return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL); 1416e71b7053SJung-uk Kim } 1417e71b7053SJung-uk Kim 1418e71b7053SJung-uk Kim static int version_cmp(const SSL *s, int a, int b) 1419e71b7053SJung-uk Kim { 1420e71b7053SJung-uk Kim int dtls = SSL_IS_DTLS(s); 1421e71b7053SJung-uk Kim 1422e71b7053SJung-uk Kim if (a == b) 1423e71b7053SJung-uk Kim return 0; 1424e71b7053SJung-uk Kim if (!dtls) 1425e71b7053SJung-uk Kim return a < b ? -1 : 1; 1426e71b7053SJung-uk Kim return DTLS_VERSION_LT(a, b) ? -1 : 1; 1427e71b7053SJung-uk Kim } 1428e71b7053SJung-uk Kim 1429e71b7053SJung-uk Kim typedef struct { 1430e71b7053SJung-uk Kim int version; 1431e71b7053SJung-uk Kim const SSL_METHOD *(*cmeth) (void); 1432e71b7053SJung-uk Kim const SSL_METHOD *(*smeth) (void); 1433e71b7053SJung-uk Kim } version_info; 1434e71b7053SJung-uk Kim 1435b077aed3SPierre Pronchery #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION 1436e71b7053SJung-uk Kim # error Code needs update for TLS_method() support beyond TLS1_3_VERSION. 1437e71b7053SJung-uk Kim #endif 1438e71b7053SJung-uk Kim 1439e71b7053SJung-uk Kim /* Must be in order high to low */ 1440e71b7053SJung-uk Kim static const version_info tls_version_table[] = { 1441e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_3 1442e71b7053SJung-uk Kim {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method}, 1443e71b7053SJung-uk Kim #else 1444e71b7053SJung-uk Kim {TLS1_3_VERSION, NULL, NULL}, 1445e71b7053SJung-uk Kim #endif 1446e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_2 1447e71b7053SJung-uk Kim {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method}, 1448e71b7053SJung-uk Kim #else 1449e71b7053SJung-uk Kim {TLS1_2_VERSION, NULL, NULL}, 1450e71b7053SJung-uk Kim #endif 1451e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_1 1452e71b7053SJung-uk Kim {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method}, 1453e71b7053SJung-uk Kim #else 1454e71b7053SJung-uk Kim {TLS1_1_VERSION, NULL, NULL}, 1455e71b7053SJung-uk Kim #endif 1456e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1 1457e71b7053SJung-uk Kim {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method}, 1458e71b7053SJung-uk Kim #else 1459e71b7053SJung-uk Kim {TLS1_VERSION, NULL, NULL}, 1460e71b7053SJung-uk Kim #endif 1461e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SSL3 1462e71b7053SJung-uk Kim {SSL3_VERSION, sslv3_client_method, sslv3_server_method}, 1463e71b7053SJung-uk Kim #else 1464e71b7053SJung-uk Kim {SSL3_VERSION, NULL, NULL}, 1465e71b7053SJung-uk Kim #endif 1466e71b7053SJung-uk Kim {0, NULL, NULL}, 1467e71b7053SJung-uk Kim }; 1468e71b7053SJung-uk Kim 1469b077aed3SPierre Pronchery #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION 1470e71b7053SJung-uk Kim # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION. 1471e71b7053SJung-uk Kim #endif 1472e71b7053SJung-uk Kim 1473e71b7053SJung-uk Kim /* Must be in order high to low */ 1474e71b7053SJung-uk Kim static const version_info dtls_version_table[] = { 1475e71b7053SJung-uk Kim #ifndef OPENSSL_NO_DTLS1_2 1476e71b7053SJung-uk Kim {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method}, 1477e71b7053SJung-uk Kim #else 1478e71b7053SJung-uk Kim {DTLS1_2_VERSION, NULL, NULL}, 1479e71b7053SJung-uk Kim #endif 1480e71b7053SJung-uk Kim #ifndef OPENSSL_NO_DTLS1 1481e71b7053SJung-uk Kim {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method}, 1482e71b7053SJung-uk Kim {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL}, 1483e71b7053SJung-uk Kim #else 1484e71b7053SJung-uk Kim {DTLS1_VERSION, NULL, NULL}, 1485e71b7053SJung-uk Kim {DTLS1_BAD_VER, NULL, NULL}, 1486e71b7053SJung-uk Kim #endif 1487e71b7053SJung-uk Kim {0, NULL, NULL}, 1488e71b7053SJung-uk Kim }; 1489e71b7053SJung-uk Kim 1490e71b7053SJung-uk Kim /* 1491e71b7053SJung-uk Kim * ssl_method_error - Check whether an SSL_METHOD is enabled. 1492e71b7053SJung-uk Kim * 1493e71b7053SJung-uk Kim * @s: The SSL handle for the candidate method 1494e71b7053SJung-uk Kim * @method: the intended method. 1495e71b7053SJung-uk Kim * 1496e71b7053SJung-uk Kim * Returns 0 on success, or an SSL error reason on failure. 1497e71b7053SJung-uk Kim */ 1498e71b7053SJung-uk Kim static int ssl_method_error(const SSL *s, const SSL_METHOD *method) 1499e71b7053SJung-uk Kim { 1500e71b7053SJung-uk Kim int version = method->version; 1501e71b7053SJung-uk Kim 1502e71b7053SJung-uk Kim if ((s->min_proto_version != 0 && 1503e71b7053SJung-uk Kim version_cmp(s, version, s->min_proto_version) < 0) || 1504e71b7053SJung-uk Kim ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0) 1505e71b7053SJung-uk Kim return SSL_R_VERSION_TOO_LOW; 1506e71b7053SJung-uk Kim 1507e71b7053SJung-uk Kim if (s->max_proto_version != 0 && 1508e71b7053SJung-uk Kim version_cmp(s, version, s->max_proto_version) > 0) 1509e71b7053SJung-uk Kim return SSL_R_VERSION_TOO_HIGH; 1510e71b7053SJung-uk Kim 1511e71b7053SJung-uk Kim if ((s->options & method->mask) != 0) 1512e71b7053SJung-uk Kim return SSL_R_UNSUPPORTED_PROTOCOL; 1513e71b7053SJung-uk Kim if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s)) 1514e71b7053SJung-uk Kim return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE; 1515e71b7053SJung-uk Kim 1516e71b7053SJung-uk Kim return 0; 1517e71b7053SJung-uk Kim } 1518e71b7053SJung-uk Kim 1519e71b7053SJung-uk Kim /* 1520e71b7053SJung-uk Kim * Only called by servers. Returns 1 if the server has a TLSv1.3 capable 152188e852c0SJung-uk Kim * certificate type, or has PSK or a certificate callback configured, or has 1522b077aed3SPierre Pronchery * a servername callback configure. Otherwise returns 0. 1523e71b7053SJung-uk Kim */ 1524e71b7053SJung-uk Kim static int is_tls13_capable(const SSL *s) 1525e71b7053SJung-uk Kim { 1526e71b7053SJung-uk Kim int i; 1527c9cf7b5cSJung-uk Kim int curve; 1528e71b7053SJung-uk Kim 152988e852c0SJung-uk Kim if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) 153088e852c0SJung-uk Kim return 0; 153188e852c0SJung-uk Kim 153288e852c0SJung-uk Kim /* 153388e852c0SJung-uk Kim * A servername callback can change the available certs, so if a servername 153488e852c0SJung-uk Kim * cb is set then we just assume TLSv1.3 will be ok 153588e852c0SJung-uk Kim */ 153688e852c0SJung-uk Kim if (s->ctx->ext.servername_cb != NULL 153788e852c0SJung-uk Kim || s->session_ctx->ext.servername_cb != NULL) 153888e852c0SJung-uk Kim return 1; 153988e852c0SJung-uk Kim 1540e71b7053SJung-uk Kim #ifndef OPENSSL_NO_PSK 1541e71b7053SJung-uk Kim if (s->psk_server_callback != NULL) 1542e71b7053SJung-uk Kim return 1; 1543e71b7053SJung-uk Kim #endif 1544e71b7053SJung-uk Kim 1545e71b7053SJung-uk Kim if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL) 1546e71b7053SJung-uk Kim return 1; 1547e71b7053SJung-uk Kim 1548e71b7053SJung-uk Kim for (i = 0; i < SSL_PKEY_NUM; i++) { 1549e71b7053SJung-uk Kim /* Skip over certs disallowed for TLSv1.3 */ 1550e71b7053SJung-uk Kim switch (i) { 1551e71b7053SJung-uk Kim case SSL_PKEY_DSA_SIGN: 1552e71b7053SJung-uk Kim case SSL_PKEY_GOST01: 1553e71b7053SJung-uk Kim case SSL_PKEY_GOST12_256: 1554e71b7053SJung-uk Kim case SSL_PKEY_GOST12_512: 1555e71b7053SJung-uk Kim continue; 1556e71b7053SJung-uk Kim default: 1557e71b7053SJung-uk Kim break; 1558e71b7053SJung-uk Kim } 1559c9cf7b5cSJung-uk Kim if (!ssl_has_cert(s, i)) 1560c9cf7b5cSJung-uk Kim continue; 1561c9cf7b5cSJung-uk Kim if (i != SSL_PKEY_ECC) 1562e71b7053SJung-uk Kim return 1; 1563c9cf7b5cSJung-uk Kim /* 1564c9cf7b5cSJung-uk Kim * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is 1565c9cf7b5cSJung-uk Kim * more restrictive so check that our sig algs are consistent with this 1566c9cf7b5cSJung-uk Kim * EC cert. See section 4.2.3 of RFC8446. 1567c9cf7b5cSJung-uk Kim */ 1568b077aed3SPierre Pronchery curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey); 1569c9cf7b5cSJung-uk Kim if (tls_check_sigalg_curve(s, curve)) 1570c9cf7b5cSJung-uk Kim return 1; 1571e71b7053SJung-uk Kim } 1572e71b7053SJung-uk Kim 1573e71b7053SJung-uk Kim return 0; 1574e71b7053SJung-uk Kim } 1575e71b7053SJung-uk Kim 1576e71b7053SJung-uk Kim /* 1577e71b7053SJung-uk Kim * ssl_version_supported - Check that the specified `version` is supported by 1578e71b7053SJung-uk Kim * `SSL *` instance 1579e71b7053SJung-uk Kim * 1580e71b7053SJung-uk Kim * @s: The SSL handle for the candidate method 1581e71b7053SJung-uk Kim * @version: Protocol version to test against 1582e71b7053SJung-uk Kim * 1583e71b7053SJung-uk Kim * Returns 1 when supported, otherwise 0 1584e71b7053SJung-uk Kim */ 1585e71b7053SJung-uk Kim int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth) 1586e71b7053SJung-uk Kim { 1587e71b7053SJung-uk Kim const version_info *vent; 1588e71b7053SJung-uk Kim const version_info *table; 1589e71b7053SJung-uk Kim 1590e71b7053SJung-uk Kim switch (s->method->version) { 1591e71b7053SJung-uk Kim default: 1592e71b7053SJung-uk Kim /* Version should match method version for non-ANY method */ 1593e71b7053SJung-uk Kim return version_cmp(s, version, s->version) == 0; 1594e71b7053SJung-uk Kim case TLS_ANY_VERSION: 1595e71b7053SJung-uk Kim table = tls_version_table; 1596e71b7053SJung-uk Kim break; 1597e71b7053SJung-uk Kim case DTLS_ANY_VERSION: 1598e71b7053SJung-uk Kim table = dtls_version_table; 1599e71b7053SJung-uk Kim break; 1600e71b7053SJung-uk Kim } 1601e71b7053SJung-uk Kim 1602e71b7053SJung-uk Kim for (vent = table; 1603e71b7053SJung-uk Kim vent->version != 0 && version_cmp(s, version, vent->version) <= 0; 1604e71b7053SJung-uk Kim ++vent) { 1605e71b7053SJung-uk Kim if (vent->cmeth != NULL 1606e71b7053SJung-uk Kim && version_cmp(s, version, vent->version) == 0 1607e71b7053SJung-uk Kim && ssl_method_error(s, vent->cmeth()) == 0 1608e71b7053SJung-uk Kim && (!s->server 1609e71b7053SJung-uk Kim || version != TLS1_3_VERSION 1610e71b7053SJung-uk Kim || is_tls13_capable(s))) { 1611e71b7053SJung-uk Kim if (meth != NULL) 1612e71b7053SJung-uk Kim *meth = vent->cmeth(); 1613e71b7053SJung-uk Kim return 1; 1614e71b7053SJung-uk Kim } 1615e71b7053SJung-uk Kim } 1616e71b7053SJung-uk Kim return 0; 1617e71b7053SJung-uk Kim } 1618e71b7053SJung-uk Kim 1619e71b7053SJung-uk Kim /* 1620e71b7053SJung-uk Kim * ssl_check_version_downgrade - In response to RFC7507 SCSV version 1621e71b7053SJung-uk Kim * fallback indication from a client check whether we're using the highest 1622e71b7053SJung-uk Kim * supported protocol version. 1623e71b7053SJung-uk Kim * 1624e71b7053SJung-uk Kim * @s server SSL handle. 1625e71b7053SJung-uk Kim * 1626e71b7053SJung-uk Kim * Returns 1 when using the highest enabled version, 0 otherwise. 1627e71b7053SJung-uk Kim */ 1628e71b7053SJung-uk Kim int ssl_check_version_downgrade(SSL *s) 1629e71b7053SJung-uk Kim { 1630e71b7053SJung-uk Kim const version_info *vent; 1631e71b7053SJung-uk Kim const version_info *table; 1632e71b7053SJung-uk Kim 1633e71b7053SJung-uk Kim /* 1634e71b7053SJung-uk Kim * Check that the current protocol is the highest enabled version 1635e71b7053SJung-uk Kim * (according to s->ctx->method, as version negotiation may have changed 1636e71b7053SJung-uk Kim * s->method). 1637e71b7053SJung-uk Kim */ 1638e71b7053SJung-uk Kim if (s->version == s->ctx->method->version) 1639e71b7053SJung-uk Kim return 1; 1640e71b7053SJung-uk Kim 1641e71b7053SJung-uk Kim /* 1642e71b7053SJung-uk Kim * Apparently we're using a version-flexible SSL_METHOD (not at its 1643e71b7053SJung-uk Kim * highest protocol version). 1644e71b7053SJung-uk Kim */ 1645e71b7053SJung-uk Kim if (s->ctx->method->version == TLS_method()->version) 1646e71b7053SJung-uk Kim table = tls_version_table; 1647e71b7053SJung-uk Kim else if (s->ctx->method->version == DTLS_method()->version) 1648e71b7053SJung-uk Kim table = dtls_version_table; 1649e71b7053SJung-uk Kim else { 1650e71b7053SJung-uk Kim /* Unexpected state; fail closed. */ 1651e71b7053SJung-uk Kim return 0; 1652e71b7053SJung-uk Kim } 1653e71b7053SJung-uk Kim 1654e71b7053SJung-uk Kim for (vent = table; vent->version != 0; ++vent) { 1655e71b7053SJung-uk Kim if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0) 1656e71b7053SJung-uk Kim return s->version == vent->version; 1657e71b7053SJung-uk Kim } 1658e71b7053SJung-uk Kim return 0; 1659e71b7053SJung-uk Kim } 1660e71b7053SJung-uk Kim 1661e71b7053SJung-uk Kim /* 1662e71b7053SJung-uk Kim * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS 1663e71b7053SJung-uk Kim * protocols, provided the initial (D)TLS method is version-flexible. This 1664e71b7053SJung-uk Kim * function sanity-checks the proposed value and makes sure the method is 1665e71b7053SJung-uk Kim * version-flexible, then sets the limit if all is well. 1666e71b7053SJung-uk Kim * 1667e71b7053SJung-uk Kim * @method_version: The version of the current SSL_METHOD. 1668e71b7053SJung-uk Kim * @version: the intended limit. 1669e71b7053SJung-uk Kim * @bound: pointer to limit to be updated. 1670e71b7053SJung-uk Kim * 1671e71b7053SJung-uk Kim * Returns 1 on success, 0 on failure. 1672e71b7053SJung-uk Kim */ 1673e71b7053SJung-uk Kim int ssl_set_version_bound(int method_version, int version, int *bound) 1674e71b7053SJung-uk Kim { 167558f35182SJung-uk Kim int valid_tls; 167658f35182SJung-uk Kim int valid_dtls; 167758f35182SJung-uk Kim 1678e71b7053SJung-uk Kim if (version == 0) { 1679e71b7053SJung-uk Kim *bound = version; 1680e71b7053SJung-uk Kim return 1; 1681e71b7053SJung-uk Kim } 1682e71b7053SJung-uk Kim 1683b077aed3SPierre Pronchery valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL; 168458f35182SJung-uk Kim valid_dtls = 1685b077aed3SPierre Pronchery DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) && 168658f35182SJung-uk Kim DTLS_VERSION_GE(version, DTLS1_BAD_VER); 168758f35182SJung-uk Kim 168858f35182SJung-uk Kim if (!valid_tls && !valid_dtls) 168958f35182SJung-uk Kim return 0; 169058f35182SJung-uk Kim 1691e71b7053SJung-uk Kim /*- 1692e71b7053SJung-uk Kim * Restrict TLS methods to TLS protocol versions. 1693e71b7053SJung-uk Kim * Restrict DTLS methods to DTLS protocol versions. 1694e71b7053SJung-uk Kim * Note, DTLS version numbers are decreasing, use comparison macros. 1695e71b7053SJung-uk Kim * 1696e71b7053SJung-uk Kim * Note that for both lower-bounds we use explicit versions, not 1697e71b7053SJung-uk Kim * (D)TLS_MIN_VERSION. This is because we don't want to break user 1698e71b7053SJung-uk Kim * configurations. If the MIN (supported) version ever rises, the user's 1699e71b7053SJung-uk Kim * "floor" remains valid even if no longer available. We don't expect the 1700e71b7053SJung-uk Kim * MAX ceiling to ever get lower, so making that variable makes sense. 170158f35182SJung-uk Kim * 170258f35182SJung-uk Kim * We ignore attempts to set bounds on version-inflexible methods, 170358f35182SJung-uk Kim * returning success. 1704e71b7053SJung-uk Kim */ 1705e71b7053SJung-uk Kim switch (method_version) { 1706e71b7053SJung-uk Kim default: 170758f35182SJung-uk Kim break; 1708e71b7053SJung-uk Kim 1709e71b7053SJung-uk Kim case TLS_ANY_VERSION: 171058f35182SJung-uk Kim if (valid_tls) 171158f35182SJung-uk Kim *bound = version; 1712e71b7053SJung-uk Kim break; 1713e71b7053SJung-uk Kim 1714e71b7053SJung-uk Kim case DTLS_ANY_VERSION: 171558f35182SJung-uk Kim if (valid_dtls) 171658f35182SJung-uk Kim *bound = version; 1717e71b7053SJung-uk Kim break; 1718e71b7053SJung-uk Kim } 1719e71b7053SJung-uk Kim return 1; 1720e71b7053SJung-uk Kim } 1721e71b7053SJung-uk Kim 1722e71b7053SJung-uk Kim static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd) 1723e71b7053SJung-uk Kim { 1724e71b7053SJung-uk Kim if (vers == TLS1_2_VERSION 1725e71b7053SJung-uk Kim && ssl_version_supported(s, TLS1_3_VERSION, NULL)) { 1726e71b7053SJung-uk Kim *dgrd = DOWNGRADE_TO_1_2; 1727e71b7053SJung-uk Kim } else if (!SSL_IS_DTLS(s) 1728e71b7053SJung-uk Kim && vers < TLS1_2_VERSION 1729e71b7053SJung-uk Kim /* 1730e71b7053SJung-uk Kim * We need to ensure that a server that disables TLSv1.2 1731e71b7053SJung-uk Kim * (creating a hole between TLSv1.3 and TLSv1.1) can still 1732e71b7053SJung-uk Kim * complete handshakes with clients that support TLSv1.2 and 1733e71b7053SJung-uk Kim * below. Therefore we do not enable the sentinel if TLSv1.3 is 1734e71b7053SJung-uk Kim * enabled and TLSv1.2 is not. 1735e71b7053SJung-uk Kim */ 1736e71b7053SJung-uk Kim && ssl_version_supported(s, TLS1_2_VERSION, NULL)) { 1737e71b7053SJung-uk Kim *dgrd = DOWNGRADE_TO_1_1; 1738e71b7053SJung-uk Kim } else { 1739e71b7053SJung-uk Kim *dgrd = DOWNGRADE_NONE; 1740e71b7053SJung-uk Kim } 1741e71b7053SJung-uk Kim } 1742e71b7053SJung-uk Kim 1743e71b7053SJung-uk Kim /* 1744e71b7053SJung-uk Kim * ssl_choose_server_version - Choose server (D)TLS version. Called when the 1745e71b7053SJung-uk Kim * client HELLO is received to select the final server protocol version and 1746e71b7053SJung-uk Kim * the version specific method. 1747e71b7053SJung-uk Kim * 1748e71b7053SJung-uk Kim * @s: server SSL handle. 1749e71b7053SJung-uk Kim * 1750e71b7053SJung-uk Kim * Returns 0 on success or an SSL error reason number on failure. 1751e71b7053SJung-uk Kim */ 1752e71b7053SJung-uk Kim int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) 1753e71b7053SJung-uk Kim { 1754e71b7053SJung-uk Kim /*- 1755e71b7053SJung-uk Kim * With version-flexible methods we have an initial state with: 1756e71b7053SJung-uk Kim * 1757e71b7053SJung-uk Kim * s->method->version == (D)TLS_ANY_VERSION, 1758b077aed3SPierre Pronchery * s->version == (D)TLS_MAX_VERSION_INTERNAL. 1759e71b7053SJung-uk Kim * 1760e71b7053SJung-uk Kim * So we detect version-flexible methods via the method version, not the 1761e71b7053SJung-uk Kim * handle version. 1762e71b7053SJung-uk Kim */ 1763e71b7053SJung-uk Kim int server_version = s->method->version; 1764e71b7053SJung-uk Kim int client_version = hello->legacy_version; 1765e71b7053SJung-uk Kim const version_info *vent; 1766e71b7053SJung-uk Kim const version_info *table; 1767e71b7053SJung-uk Kim int disabled = 0; 1768e71b7053SJung-uk Kim RAW_EXTENSION *suppversions; 1769e71b7053SJung-uk Kim 1770e71b7053SJung-uk Kim s->client_version = client_version; 1771e71b7053SJung-uk Kim 1772e71b7053SJung-uk Kim switch (server_version) { 1773e71b7053SJung-uk Kim default: 1774e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s)) { 1775e71b7053SJung-uk Kim if (version_cmp(s, client_version, s->version) < 0) 1776e71b7053SJung-uk Kim return SSL_R_WRONG_SSL_VERSION; 1777e71b7053SJung-uk Kim *dgrd = DOWNGRADE_NONE; 1778e71b7053SJung-uk Kim /* 1779e71b7053SJung-uk Kim * If this SSL handle is not from a version flexible method we don't 1780e71b7053SJung-uk Kim * (and never did) check min/max FIPS or Suite B constraints. Hope 1781e71b7053SJung-uk Kim * that's OK. It is up to the caller to not choose fixed protocol 1782e71b7053SJung-uk Kim * versions they don't want. If not, then easy to fix, just return 1783e71b7053SJung-uk Kim * ssl_method_error(s, s->method) 1784e71b7053SJung-uk Kim */ 1785e71b7053SJung-uk Kim return 0; 1786e71b7053SJung-uk Kim } 1787e71b7053SJung-uk Kim /* 1788e71b7053SJung-uk Kim * Fall through if we are TLSv1.3 already (this means we must be after 1789e71b7053SJung-uk Kim * a HelloRetryRequest 1790e71b7053SJung-uk Kim */ 1791e71b7053SJung-uk Kim /* fall thru */ 1792e71b7053SJung-uk Kim case TLS_ANY_VERSION: 1793e71b7053SJung-uk Kim table = tls_version_table; 1794e71b7053SJung-uk Kim break; 1795e71b7053SJung-uk Kim case DTLS_ANY_VERSION: 1796e71b7053SJung-uk Kim table = dtls_version_table; 1797e71b7053SJung-uk Kim break; 1798e71b7053SJung-uk Kim } 1799e71b7053SJung-uk Kim 1800e71b7053SJung-uk Kim suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions]; 1801e71b7053SJung-uk Kim 1802e71b7053SJung-uk Kim /* If we did an HRR then supported versions is mandatory */ 1803e71b7053SJung-uk Kim if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE) 1804e71b7053SJung-uk Kim return SSL_R_UNSUPPORTED_PROTOCOL; 1805e71b7053SJung-uk Kim 1806e71b7053SJung-uk Kim if (suppversions->present && !SSL_IS_DTLS(s)) { 1807e71b7053SJung-uk Kim unsigned int candidate_vers = 0; 1808e71b7053SJung-uk Kim unsigned int best_vers = 0; 1809e71b7053SJung-uk Kim const SSL_METHOD *best_method = NULL; 1810e71b7053SJung-uk Kim PACKET versionslist; 1811e71b7053SJung-uk Kim 1812e71b7053SJung-uk Kim suppversions->parsed = 1; 1813e71b7053SJung-uk Kim 1814e71b7053SJung-uk Kim if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) { 1815e71b7053SJung-uk Kim /* Trailing or invalid data? */ 1816e71b7053SJung-uk Kim return SSL_R_LENGTH_MISMATCH; 1817e71b7053SJung-uk Kim } 1818e71b7053SJung-uk Kim 1819e71b7053SJung-uk Kim /* 1820e71b7053SJung-uk Kim * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION. 1821e71b7053SJung-uk Kim * The spec only requires servers to check that it isn't SSLv3: 1822e71b7053SJung-uk Kim * "Any endpoint receiving a Hello message with 1823e71b7053SJung-uk Kim * ClientHello.legacy_version or ServerHello.legacy_version set to 1824e71b7053SJung-uk Kim * 0x0300 MUST abort the handshake with a "protocol_version" alert." 1825e71b7053SJung-uk Kim * We are slightly stricter and require that it isn't SSLv3 or lower. 1826e71b7053SJung-uk Kim * We tolerate TLSv1 and TLSv1.1. 1827e71b7053SJung-uk Kim */ 1828e71b7053SJung-uk Kim if (client_version <= SSL3_VERSION) 1829e71b7053SJung-uk Kim return SSL_R_BAD_LEGACY_VERSION; 1830e71b7053SJung-uk Kim 1831e71b7053SJung-uk Kim while (PACKET_get_net_2(&versionslist, &candidate_vers)) { 1832e71b7053SJung-uk Kim if (version_cmp(s, candidate_vers, best_vers) <= 0) 1833e71b7053SJung-uk Kim continue; 1834e71b7053SJung-uk Kim if (ssl_version_supported(s, candidate_vers, &best_method)) 1835e71b7053SJung-uk Kim best_vers = candidate_vers; 1836e71b7053SJung-uk Kim } 1837e71b7053SJung-uk Kim if (PACKET_remaining(&versionslist) != 0) { 1838e71b7053SJung-uk Kim /* Trailing data? */ 1839e71b7053SJung-uk Kim return SSL_R_LENGTH_MISMATCH; 1840e71b7053SJung-uk Kim } 1841e71b7053SJung-uk Kim 1842e71b7053SJung-uk Kim if (best_vers > 0) { 1843e71b7053SJung-uk Kim if (s->hello_retry_request != SSL_HRR_NONE) { 1844e71b7053SJung-uk Kim /* 1845e71b7053SJung-uk Kim * This is after a HelloRetryRequest so we better check that we 1846e71b7053SJung-uk Kim * negotiated TLSv1.3 1847e71b7053SJung-uk Kim */ 1848e71b7053SJung-uk Kim if (best_vers != TLS1_3_VERSION) 1849e71b7053SJung-uk Kim return SSL_R_UNSUPPORTED_PROTOCOL; 1850e71b7053SJung-uk Kim return 0; 1851e71b7053SJung-uk Kim } 1852e71b7053SJung-uk Kim check_for_downgrade(s, best_vers, dgrd); 1853e71b7053SJung-uk Kim s->version = best_vers; 1854e71b7053SJung-uk Kim s->method = best_method; 1855e71b7053SJung-uk Kim return 0; 1856e71b7053SJung-uk Kim } 1857e71b7053SJung-uk Kim return SSL_R_UNSUPPORTED_PROTOCOL; 1858e71b7053SJung-uk Kim } 1859e71b7053SJung-uk Kim 1860e71b7053SJung-uk Kim /* 1861e71b7053SJung-uk Kim * If the supported versions extension isn't present, then the highest 1862e71b7053SJung-uk Kim * version we can negotiate is TLSv1.2 1863e71b7053SJung-uk Kim */ 1864e71b7053SJung-uk Kim if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0) 1865e71b7053SJung-uk Kim client_version = TLS1_2_VERSION; 1866e71b7053SJung-uk Kim 1867e71b7053SJung-uk Kim /* 1868e71b7053SJung-uk Kim * No supported versions extension, so we just use the version supplied in 1869e71b7053SJung-uk Kim * the ClientHello. 1870e71b7053SJung-uk Kim */ 1871e71b7053SJung-uk Kim for (vent = table; vent->version != 0; ++vent) { 1872e71b7053SJung-uk Kim const SSL_METHOD *method; 1873e71b7053SJung-uk Kim 1874e71b7053SJung-uk Kim if (vent->smeth == NULL || 1875e71b7053SJung-uk Kim version_cmp(s, client_version, vent->version) < 0) 1876e71b7053SJung-uk Kim continue; 1877e71b7053SJung-uk Kim method = vent->smeth(); 1878e71b7053SJung-uk Kim if (ssl_method_error(s, method) == 0) { 1879e71b7053SJung-uk Kim check_for_downgrade(s, vent->version, dgrd); 1880e71b7053SJung-uk Kim s->version = vent->version; 1881e71b7053SJung-uk Kim s->method = method; 1882e71b7053SJung-uk Kim return 0; 1883e71b7053SJung-uk Kim } 1884e71b7053SJung-uk Kim disabled = 1; 1885e71b7053SJung-uk Kim } 1886e71b7053SJung-uk Kim return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW; 1887e71b7053SJung-uk Kim } 1888e71b7053SJung-uk Kim 1889e71b7053SJung-uk Kim /* 1890e71b7053SJung-uk Kim * ssl_choose_client_version - Choose client (D)TLS version. Called when the 1891e71b7053SJung-uk Kim * server HELLO is received to select the final client protocol version and 1892e71b7053SJung-uk Kim * the version specific method. 1893e71b7053SJung-uk Kim * 1894e71b7053SJung-uk Kim * @s: client SSL handle. 1895e71b7053SJung-uk Kim * @version: The proposed version from the server's HELLO. 1896e71b7053SJung-uk Kim * @extensions: The extensions received 1897e71b7053SJung-uk Kim * 1898e71b7053SJung-uk Kim * Returns 1 on success or 0 on error. 1899e71b7053SJung-uk Kim */ 1900e71b7053SJung-uk Kim int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions) 1901e71b7053SJung-uk Kim { 1902e71b7053SJung-uk Kim const version_info *vent; 1903e71b7053SJung-uk Kim const version_info *table; 1904e71b7053SJung-uk Kim int ret, ver_min, ver_max, real_max, origv; 1905e71b7053SJung-uk Kim 1906e71b7053SJung-uk Kim origv = s->version; 1907e71b7053SJung-uk Kim s->version = version; 1908e71b7053SJung-uk Kim 1909e71b7053SJung-uk Kim /* This will overwrite s->version if the extension is present */ 1910e71b7053SJung-uk Kim if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions, 1911e71b7053SJung-uk Kim SSL_EXT_TLS1_2_SERVER_HELLO 1912e71b7053SJung-uk Kim | SSL_EXT_TLS1_3_SERVER_HELLO, extensions, 1913e71b7053SJung-uk Kim NULL, 0)) { 1914e71b7053SJung-uk Kim s->version = origv; 1915e71b7053SJung-uk Kim return 0; 1916e71b7053SJung-uk Kim } 1917e71b7053SJung-uk Kim 1918e71b7053SJung-uk Kim if (s->hello_retry_request != SSL_HRR_NONE 1919e71b7053SJung-uk Kim && s->version != TLS1_3_VERSION) { 1920e71b7053SJung-uk Kim s->version = origv; 1921b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION); 1922e71b7053SJung-uk Kim return 0; 1923e71b7053SJung-uk Kim } 1924e71b7053SJung-uk Kim 1925e71b7053SJung-uk Kim switch (s->method->version) { 1926e71b7053SJung-uk Kim default: 1927e71b7053SJung-uk Kim if (s->version != s->method->version) { 1928e71b7053SJung-uk Kim s->version = origv; 1929b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION); 1930e71b7053SJung-uk Kim return 0; 1931e71b7053SJung-uk Kim } 1932e71b7053SJung-uk Kim /* 1933e71b7053SJung-uk Kim * If this SSL handle is not from a version flexible method we don't 1934e71b7053SJung-uk Kim * (and never did) check min/max, FIPS or Suite B constraints. Hope 1935e71b7053SJung-uk Kim * that's OK. It is up to the caller to not choose fixed protocol 1936e71b7053SJung-uk Kim * versions they don't want. If not, then easy to fix, just return 1937e71b7053SJung-uk Kim * ssl_method_error(s, s->method) 1938e71b7053SJung-uk Kim */ 1939e71b7053SJung-uk Kim return 1; 1940e71b7053SJung-uk Kim case TLS_ANY_VERSION: 1941e71b7053SJung-uk Kim table = tls_version_table; 1942e71b7053SJung-uk Kim break; 1943e71b7053SJung-uk Kim case DTLS_ANY_VERSION: 1944e71b7053SJung-uk Kim table = dtls_version_table; 1945e71b7053SJung-uk Kim break; 1946e71b7053SJung-uk Kim } 1947e71b7053SJung-uk Kim 1948e71b7053SJung-uk Kim ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max); 1949e71b7053SJung-uk Kim if (ret != 0) { 1950e71b7053SJung-uk Kim s->version = origv; 1951b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret); 1952e71b7053SJung-uk Kim return 0; 1953e71b7053SJung-uk Kim } 1954e71b7053SJung-uk Kim if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min) 1955e71b7053SJung-uk Kim : s->version < ver_min) { 1956e71b7053SJung-uk Kim s->version = origv; 1957b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); 1958e71b7053SJung-uk Kim return 0; 1959e71b7053SJung-uk Kim } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max) 1960e71b7053SJung-uk Kim : s->version > ver_max) { 1961e71b7053SJung-uk Kim s->version = origv; 1962b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); 1963e71b7053SJung-uk Kim return 0; 1964e71b7053SJung-uk Kim } 1965e71b7053SJung-uk Kim 1966e71b7053SJung-uk Kim if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0) 1967e71b7053SJung-uk Kim real_max = ver_max; 1968e71b7053SJung-uk Kim 1969e71b7053SJung-uk Kim /* Check for downgrades */ 1970e71b7053SJung-uk Kim if (s->version == TLS1_2_VERSION && real_max > s->version) { 1971e71b7053SJung-uk Kim if (memcmp(tls12downgrade, 1972b077aed3SPierre Pronchery s->s3.server_random + SSL3_RANDOM_SIZE 1973e71b7053SJung-uk Kim - sizeof(tls12downgrade), 1974e71b7053SJung-uk Kim sizeof(tls12downgrade)) == 0) { 1975e71b7053SJung-uk Kim s->version = origv; 1976e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1977e71b7053SJung-uk Kim SSL_R_INAPPROPRIATE_FALLBACK); 1978e71b7053SJung-uk Kim return 0; 1979e71b7053SJung-uk Kim } 1980e71b7053SJung-uk Kim } else if (!SSL_IS_DTLS(s) 1981e71b7053SJung-uk Kim && s->version < TLS1_2_VERSION 1982e71b7053SJung-uk Kim && real_max > s->version) { 1983e71b7053SJung-uk Kim if (memcmp(tls11downgrade, 1984b077aed3SPierre Pronchery s->s3.server_random + SSL3_RANDOM_SIZE 1985e71b7053SJung-uk Kim - sizeof(tls11downgrade), 1986e71b7053SJung-uk Kim sizeof(tls11downgrade)) == 0) { 1987e71b7053SJung-uk Kim s->version = origv; 1988e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1989e71b7053SJung-uk Kim SSL_R_INAPPROPRIATE_FALLBACK); 1990e71b7053SJung-uk Kim return 0; 1991e71b7053SJung-uk Kim } 1992e71b7053SJung-uk Kim } 1993e71b7053SJung-uk Kim 1994e71b7053SJung-uk Kim for (vent = table; vent->version != 0; ++vent) { 1995e71b7053SJung-uk Kim if (vent->cmeth == NULL || s->version != vent->version) 1996e71b7053SJung-uk Kim continue; 1997e71b7053SJung-uk Kim 1998e71b7053SJung-uk Kim s->method = vent->cmeth(); 1999e71b7053SJung-uk Kim return 1; 2000e71b7053SJung-uk Kim } 2001e71b7053SJung-uk Kim 2002e71b7053SJung-uk Kim s->version = origv; 2003b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); 2004e71b7053SJung-uk Kim return 0; 2005e71b7053SJung-uk Kim } 2006e71b7053SJung-uk Kim 2007e71b7053SJung-uk Kim /* 2008e71b7053SJung-uk Kim * ssl_get_min_max_version - get minimum and maximum protocol version 2009e71b7053SJung-uk Kim * @s: The SSL connection 2010e71b7053SJung-uk Kim * @min_version: The minimum supported version 2011e71b7053SJung-uk Kim * @max_version: The maximum supported version 2012e71b7053SJung-uk Kim * @real_max: The highest version below the lowest compile time version hole 2013e71b7053SJung-uk Kim * where that hole lies above at least one run-time enabled 2014e71b7053SJung-uk Kim * protocol. 2015e71b7053SJung-uk Kim * 2016e71b7053SJung-uk Kim * Work out what version we should be using for the initial ClientHello if the 2017e71b7053SJung-uk Kim * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx 2018e71b7053SJung-uk Kim * options, the MinProtocol and MaxProtocol configuration commands, any Suite B 2019e71b7053SJung-uk Kim * constraints and any floor imposed by the security level here, 2020e71b7053SJung-uk Kim * so we don't advertise the wrong protocol version to only reject the outcome later. 2021e71b7053SJung-uk Kim * 2022e71b7053SJung-uk Kim * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled, 2023e71b7053SJung-uk Kim * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol 2024e71b7053SJung-uk Kim * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1. 2025e71b7053SJung-uk Kim * 2026e71b7053SJung-uk Kim * Returns 0 on success or an SSL error reason number on failure. On failure 2027e71b7053SJung-uk Kim * min_version and max_version will also be set to 0. 2028e71b7053SJung-uk Kim */ 2029e71b7053SJung-uk Kim int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version, 2030e71b7053SJung-uk Kim int *real_max) 2031e71b7053SJung-uk Kim { 2032e71b7053SJung-uk Kim int version, tmp_real_max; 2033e71b7053SJung-uk Kim int hole; 2034e71b7053SJung-uk Kim const SSL_METHOD *single = NULL; 2035e71b7053SJung-uk Kim const SSL_METHOD *method; 2036e71b7053SJung-uk Kim const version_info *table; 2037e71b7053SJung-uk Kim const version_info *vent; 2038e71b7053SJung-uk Kim 2039e71b7053SJung-uk Kim switch (s->method->version) { 2040e71b7053SJung-uk Kim default: 2041e71b7053SJung-uk Kim /* 2042e71b7053SJung-uk Kim * If this SSL handle is not from a version flexible method we don't 2043e71b7053SJung-uk Kim * (and never did) check min/max FIPS or Suite B constraints. Hope 2044e71b7053SJung-uk Kim * that's OK. It is up to the caller to not choose fixed protocol 2045e71b7053SJung-uk Kim * versions they don't want. If not, then easy to fix, just return 2046e71b7053SJung-uk Kim * ssl_method_error(s, s->method) 2047e71b7053SJung-uk Kim */ 2048e71b7053SJung-uk Kim *min_version = *max_version = s->version; 2049e71b7053SJung-uk Kim /* 2050e71b7053SJung-uk Kim * Providing a real_max only makes sense where we're using a version 2051e71b7053SJung-uk Kim * flexible method. 2052e71b7053SJung-uk Kim */ 2053e71b7053SJung-uk Kim if (!ossl_assert(real_max == NULL)) 2054e71b7053SJung-uk Kim return ERR_R_INTERNAL_ERROR; 2055e71b7053SJung-uk Kim return 0; 2056e71b7053SJung-uk Kim case TLS_ANY_VERSION: 2057e71b7053SJung-uk Kim table = tls_version_table; 2058e71b7053SJung-uk Kim break; 2059e71b7053SJung-uk Kim case DTLS_ANY_VERSION: 2060e71b7053SJung-uk Kim table = dtls_version_table; 2061e71b7053SJung-uk Kim break; 2062e71b7053SJung-uk Kim } 2063e71b7053SJung-uk Kim 2064e71b7053SJung-uk Kim /* 2065e71b7053SJung-uk Kim * SSL_OP_NO_X disables all protocols above X *if* there are some protocols 2066e71b7053SJung-uk Kim * below X enabled. This is required in order to maintain the "version 2067e71b7053SJung-uk Kim * capability" vector contiguous. Any versions with a NULL client method 2068e71b7053SJung-uk Kim * (protocol version client is disabled at compile-time) is also a "hole". 2069e71b7053SJung-uk Kim * 2070e71b7053SJung-uk Kim * Our initial state is hole == 1, version == 0. That is, versions above 2071e71b7053SJung-uk Kim * the first version in the method table are disabled (a "hole" above 2072e71b7053SJung-uk Kim * the valid protocol entries) and we don't have a selected version yet. 2073e71b7053SJung-uk Kim * 2074e71b7053SJung-uk Kim * Whenever "hole == 1", and we hit an enabled method, its version becomes 2075e71b7053SJung-uk Kim * the selected version, and the method becomes a candidate "single" 2076e71b7053SJung-uk Kim * method. We're no longer in a hole, so "hole" becomes 0. 2077e71b7053SJung-uk Kim * 2078e71b7053SJung-uk Kim * If "hole == 0" and we hit an enabled method, then "single" is cleared, 2079e71b7053SJung-uk Kim * as we support a contiguous range of at least two methods. If we hit 2080e71b7053SJung-uk Kim * a disabled method, then hole becomes true again, but nothing else 2081e71b7053SJung-uk Kim * changes yet, because all the remaining methods may be disabled too. 2082e71b7053SJung-uk Kim * If we again hit an enabled method after the new hole, it becomes 2083e71b7053SJung-uk Kim * selected, as we start from scratch. 2084e71b7053SJung-uk Kim */ 2085e71b7053SJung-uk Kim *min_version = version = 0; 2086e71b7053SJung-uk Kim hole = 1; 2087e71b7053SJung-uk Kim if (real_max != NULL) 2088e71b7053SJung-uk Kim *real_max = 0; 2089e71b7053SJung-uk Kim tmp_real_max = 0; 2090e71b7053SJung-uk Kim for (vent = table; vent->version != 0; ++vent) { 2091e71b7053SJung-uk Kim /* 2092e71b7053SJung-uk Kim * A table entry with a NULL client method is still a hole in the 2093e71b7053SJung-uk Kim * "version capability" vector. 2094e71b7053SJung-uk Kim */ 2095e71b7053SJung-uk Kim if (vent->cmeth == NULL) { 2096e71b7053SJung-uk Kim hole = 1; 2097e71b7053SJung-uk Kim tmp_real_max = 0; 2098e71b7053SJung-uk Kim continue; 2099e71b7053SJung-uk Kim } 2100e71b7053SJung-uk Kim method = vent->cmeth(); 2101e71b7053SJung-uk Kim 2102e71b7053SJung-uk Kim if (hole == 1 && tmp_real_max == 0) 2103e71b7053SJung-uk Kim tmp_real_max = vent->version; 2104e71b7053SJung-uk Kim 2105e71b7053SJung-uk Kim if (ssl_method_error(s, method) != 0) { 2106e71b7053SJung-uk Kim hole = 1; 2107e71b7053SJung-uk Kim } else if (!hole) { 2108e71b7053SJung-uk Kim single = NULL; 2109e71b7053SJung-uk Kim *min_version = method->version; 2110e71b7053SJung-uk Kim } else { 2111e71b7053SJung-uk Kim if (real_max != NULL && tmp_real_max != 0) 2112e71b7053SJung-uk Kim *real_max = tmp_real_max; 2113e71b7053SJung-uk Kim version = (single = method)->version; 2114e71b7053SJung-uk Kim *min_version = version; 2115e71b7053SJung-uk Kim hole = 0; 2116e71b7053SJung-uk Kim } 2117e71b7053SJung-uk Kim } 2118e71b7053SJung-uk Kim 2119e71b7053SJung-uk Kim *max_version = version; 2120e71b7053SJung-uk Kim 2121e71b7053SJung-uk Kim /* Fail if everything is disabled */ 2122e71b7053SJung-uk Kim if (version == 0) 2123e71b7053SJung-uk Kim return SSL_R_NO_PROTOCOLS_AVAILABLE; 2124e71b7053SJung-uk Kim 2125e71b7053SJung-uk Kim return 0; 2126e71b7053SJung-uk Kim } 2127e71b7053SJung-uk Kim 2128e71b7053SJung-uk Kim /* 2129e71b7053SJung-uk Kim * ssl_set_client_hello_version - Work out what version we should be using for 2130e71b7053SJung-uk Kim * the initial ClientHello.legacy_version field. 2131e71b7053SJung-uk Kim * 2132e71b7053SJung-uk Kim * @s: client SSL handle. 2133e71b7053SJung-uk Kim * 2134e71b7053SJung-uk Kim * Returns 0 on success or an SSL error reason number on failure. 2135e71b7053SJung-uk Kim */ 2136e71b7053SJung-uk Kim int ssl_set_client_hello_version(SSL *s) 2137e71b7053SJung-uk Kim { 2138e71b7053SJung-uk Kim int ver_min, ver_max, ret; 2139e71b7053SJung-uk Kim 2140e71b7053SJung-uk Kim /* 2141e71b7053SJung-uk Kim * In a renegotiation we always send the same client_version that we sent 2142e71b7053SJung-uk Kim * last time, regardless of which version we eventually negotiated. 2143e71b7053SJung-uk Kim */ 2144e71b7053SJung-uk Kim if (!SSL_IS_FIRST_HANDSHAKE(s)) 2145e71b7053SJung-uk Kim return 0; 2146e71b7053SJung-uk Kim 2147e71b7053SJung-uk Kim ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL); 2148e71b7053SJung-uk Kim 2149e71b7053SJung-uk Kim if (ret != 0) 2150e71b7053SJung-uk Kim return ret; 2151e71b7053SJung-uk Kim 2152e71b7053SJung-uk Kim s->version = ver_max; 2153e71b7053SJung-uk Kim 2154e71b7053SJung-uk Kim /* TLS1.3 always uses TLS1.2 in the legacy_version field */ 2155e71b7053SJung-uk Kim if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION) 2156e71b7053SJung-uk Kim ver_max = TLS1_2_VERSION; 2157e71b7053SJung-uk Kim 2158e71b7053SJung-uk Kim s->client_version = ver_max; 2159e71b7053SJung-uk Kim return 0; 2160e71b7053SJung-uk Kim } 2161e71b7053SJung-uk Kim 2162e71b7053SJung-uk Kim /* 2163e71b7053SJung-uk Kim * Checks a list of |groups| to determine if the |group_id| is in it. If it is 2164e71b7053SJung-uk Kim * and |checkallow| is 1 then additionally check if the group is allowed to be 2165e71b7053SJung-uk Kim * used. Returns 1 if the group is in the list (and allowed if |checkallow| is 2166e71b7053SJung-uk Kim * 1) or 0 otherwise. 2167e71b7053SJung-uk Kim */ 2168e71b7053SJung-uk Kim int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups, 2169e71b7053SJung-uk Kim size_t num_groups, int checkallow) 2170e71b7053SJung-uk Kim { 2171e71b7053SJung-uk Kim size_t i; 2172e71b7053SJung-uk Kim 2173e71b7053SJung-uk Kim if (groups == NULL || num_groups == 0) 2174e71b7053SJung-uk Kim return 0; 2175e71b7053SJung-uk Kim 2176e71b7053SJung-uk Kim for (i = 0; i < num_groups; i++) { 2177e71b7053SJung-uk Kim uint16_t group = groups[i]; 2178e71b7053SJung-uk Kim 2179e71b7053SJung-uk Kim if (group_id == group 2180e71b7053SJung-uk Kim && (!checkallow 2181b077aed3SPierre Pronchery || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) { 2182e71b7053SJung-uk Kim return 1; 2183e71b7053SJung-uk Kim } 2184e71b7053SJung-uk Kim } 2185e71b7053SJung-uk Kim 2186e71b7053SJung-uk Kim return 0; 2187e71b7053SJung-uk Kim } 2188e71b7053SJung-uk Kim 2189e71b7053SJung-uk Kim /* Replace ClientHello1 in the transcript hash with a synthetic message */ 2190e71b7053SJung-uk Kim int create_synthetic_message_hash(SSL *s, const unsigned char *hashval, 2191e71b7053SJung-uk Kim size_t hashlen, const unsigned char *hrr, 2192e71b7053SJung-uk Kim size_t hrrlen) 2193e71b7053SJung-uk Kim { 2194e71b7053SJung-uk Kim unsigned char hashvaltmp[EVP_MAX_MD_SIZE]; 2195e71b7053SJung-uk Kim unsigned char msghdr[SSL3_HM_HEADER_LENGTH]; 2196e71b7053SJung-uk Kim 2197e71b7053SJung-uk Kim memset(msghdr, 0, sizeof(msghdr)); 2198e71b7053SJung-uk Kim 2199e71b7053SJung-uk Kim if (hashval == NULL) { 2200e71b7053SJung-uk Kim hashval = hashvaltmp; 2201e71b7053SJung-uk Kim hashlen = 0; 2202e71b7053SJung-uk Kim /* Get the hash of the initial ClientHello */ 2203e71b7053SJung-uk Kim if (!ssl3_digest_cached_records(s, 0) 2204e71b7053SJung-uk Kim || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp), 2205e71b7053SJung-uk Kim &hashlen)) { 2206e71b7053SJung-uk Kim /* SSLfatal() already called */ 2207e71b7053SJung-uk Kim return 0; 2208e71b7053SJung-uk Kim } 2209e71b7053SJung-uk Kim } 2210e71b7053SJung-uk Kim 2211e71b7053SJung-uk Kim /* Reinitialise the transcript hash */ 2212e71b7053SJung-uk Kim if (!ssl3_init_finished_mac(s)) { 2213e71b7053SJung-uk Kim /* SSLfatal() already called */ 2214e71b7053SJung-uk Kim return 0; 2215e71b7053SJung-uk Kim } 2216e71b7053SJung-uk Kim 2217e71b7053SJung-uk Kim /* Inject the synthetic message_hash message */ 2218e71b7053SJung-uk Kim msghdr[0] = SSL3_MT_MESSAGE_HASH; 2219e71b7053SJung-uk Kim msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen; 2220e71b7053SJung-uk Kim if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH) 2221e71b7053SJung-uk Kim || !ssl3_finish_mac(s, hashval, hashlen)) { 2222e71b7053SJung-uk Kim /* SSLfatal() already called */ 2223e71b7053SJung-uk Kim return 0; 2224e71b7053SJung-uk Kim } 2225e71b7053SJung-uk Kim 2226e71b7053SJung-uk Kim /* 2227e71b7053SJung-uk Kim * Now re-inject the HRR and current message if appropriate (we just deleted 2228e71b7053SJung-uk Kim * it when we reinitialised the transcript hash above). Only necessary after 2229e71b7053SJung-uk Kim * receiving a ClientHello2 with a cookie. 2230e71b7053SJung-uk Kim */ 2231e71b7053SJung-uk Kim if (hrr != NULL 2232e71b7053SJung-uk Kim && (!ssl3_finish_mac(s, hrr, hrrlen) 2233e71b7053SJung-uk Kim || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 2234b077aed3SPierre Pronchery s->s3.tmp.message_size 2235e71b7053SJung-uk Kim + SSL3_HM_HEADER_LENGTH))) { 2236e71b7053SJung-uk Kim /* SSLfatal() already called */ 2237e71b7053SJung-uk Kim return 0; 2238e71b7053SJung-uk Kim } 2239e71b7053SJung-uk Kim 2240e71b7053SJung-uk Kim return 1; 2241e71b7053SJung-uk Kim } 2242e71b7053SJung-uk Kim 2243e71b7053SJung-uk Kim static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b) 2244e71b7053SJung-uk Kim { 2245e71b7053SJung-uk Kim return X509_NAME_cmp(*a, *b); 2246e71b7053SJung-uk Kim } 2247e71b7053SJung-uk Kim 2248e71b7053SJung-uk Kim int parse_ca_names(SSL *s, PACKET *pkt) 2249e71b7053SJung-uk Kim { 2250e71b7053SJung-uk Kim STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp); 2251e71b7053SJung-uk Kim X509_NAME *xn = NULL; 2252e71b7053SJung-uk Kim PACKET cadns; 2253e71b7053SJung-uk Kim 2254e71b7053SJung-uk Kim if (ca_sk == NULL) { 2255b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 2256e71b7053SJung-uk Kim goto err; 2257e71b7053SJung-uk Kim } 2258e71b7053SJung-uk Kim /* get the CA RDNs */ 2259e71b7053SJung-uk Kim if (!PACKET_get_length_prefixed_2(pkt, &cadns)) { 2260b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2261e71b7053SJung-uk Kim goto err; 2262e71b7053SJung-uk Kim } 2263e71b7053SJung-uk Kim 2264e71b7053SJung-uk Kim while (PACKET_remaining(&cadns)) { 2265e71b7053SJung-uk Kim const unsigned char *namestart, *namebytes; 2266e71b7053SJung-uk Kim unsigned int name_len; 2267e71b7053SJung-uk Kim 2268e71b7053SJung-uk Kim if (!PACKET_get_net_2(&cadns, &name_len) 2269e71b7053SJung-uk Kim || !PACKET_get_bytes(&cadns, &namebytes, name_len)) { 2270b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2271e71b7053SJung-uk Kim goto err; 2272e71b7053SJung-uk Kim } 2273e71b7053SJung-uk Kim 2274e71b7053SJung-uk Kim namestart = namebytes; 2275e71b7053SJung-uk Kim if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) { 2276b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB); 2277e71b7053SJung-uk Kim goto err; 2278e71b7053SJung-uk Kim } 2279e71b7053SJung-uk Kim if (namebytes != (namestart + name_len)) { 2280b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH); 2281e71b7053SJung-uk Kim goto err; 2282e71b7053SJung-uk Kim } 2283e71b7053SJung-uk Kim 2284e71b7053SJung-uk Kim if (!sk_X509_NAME_push(ca_sk, xn)) { 2285b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 2286e71b7053SJung-uk Kim goto err; 2287e71b7053SJung-uk Kim } 2288e71b7053SJung-uk Kim xn = NULL; 2289e71b7053SJung-uk Kim } 2290e71b7053SJung-uk Kim 2291b077aed3SPierre Pronchery sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free); 2292b077aed3SPierre Pronchery s->s3.tmp.peer_ca_names = ca_sk; 2293e71b7053SJung-uk Kim 2294e71b7053SJung-uk Kim return 1; 2295e71b7053SJung-uk Kim 2296e71b7053SJung-uk Kim err: 2297e71b7053SJung-uk Kim sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); 2298e71b7053SJung-uk Kim X509_NAME_free(xn); 2299e71b7053SJung-uk Kim return 0; 2300e71b7053SJung-uk Kim } 2301e71b7053SJung-uk Kim 2302c9cf7b5cSJung-uk Kim const STACK_OF(X509_NAME) *get_ca_names(SSL *s) 2303e71b7053SJung-uk Kim { 2304c9cf7b5cSJung-uk Kim const STACK_OF(X509_NAME) *ca_sk = NULL;; 2305e71b7053SJung-uk Kim 2306c9cf7b5cSJung-uk Kim if (s->server) { 2307c9cf7b5cSJung-uk Kim ca_sk = SSL_get_client_CA_list(s); 2308c9cf7b5cSJung-uk Kim if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0) 2309c9cf7b5cSJung-uk Kim ca_sk = NULL; 2310c9cf7b5cSJung-uk Kim } 2311c9cf7b5cSJung-uk Kim 2312c9cf7b5cSJung-uk Kim if (ca_sk == NULL) 2313c9cf7b5cSJung-uk Kim ca_sk = SSL_get0_CA_list(s); 2314c9cf7b5cSJung-uk Kim 2315c9cf7b5cSJung-uk Kim return ca_sk; 2316c9cf7b5cSJung-uk Kim } 2317c9cf7b5cSJung-uk Kim 2318c9cf7b5cSJung-uk Kim int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt) 2319c9cf7b5cSJung-uk Kim { 2320e71b7053SJung-uk Kim /* Start sub-packet for client CA list */ 2321e71b7053SJung-uk Kim if (!WPACKET_start_sub_packet_u16(pkt)) { 2322b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2323e71b7053SJung-uk Kim return 0; 2324e71b7053SJung-uk Kim } 2325e71b7053SJung-uk Kim 2326b077aed3SPierre Pronchery if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) { 2327e71b7053SJung-uk Kim int i; 2328e71b7053SJung-uk Kim 2329e71b7053SJung-uk Kim for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) { 2330e71b7053SJung-uk Kim unsigned char *namebytes; 2331e71b7053SJung-uk Kim X509_NAME *name = sk_X509_NAME_value(ca_sk, i); 2332e71b7053SJung-uk Kim int namelen; 2333e71b7053SJung-uk Kim 2334e71b7053SJung-uk Kim if (name == NULL 2335e71b7053SJung-uk Kim || (namelen = i2d_X509_NAME(name, NULL)) < 0 2336e71b7053SJung-uk Kim || !WPACKET_sub_allocate_bytes_u16(pkt, namelen, 2337e71b7053SJung-uk Kim &namebytes) 2338e71b7053SJung-uk Kim || i2d_X509_NAME(name, &namebytes) != namelen) { 2339b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2340e71b7053SJung-uk Kim return 0; 2341e71b7053SJung-uk Kim } 2342e71b7053SJung-uk Kim } 2343e71b7053SJung-uk Kim } 2344e71b7053SJung-uk Kim 2345e71b7053SJung-uk Kim if (!WPACKET_close(pkt)) { 2346b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2347e71b7053SJung-uk Kim return 0; 2348e71b7053SJung-uk Kim } 2349e71b7053SJung-uk Kim 2350e71b7053SJung-uk Kim return 1; 2351e71b7053SJung-uk Kim } 2352e71b7053SJung-uk Kim 2353e71b7053SJung-uk Kim /* Create a buffer containing data to be signed for server key exchange */ 2354e71b7053SJung-uk Kim size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs, 2355e71b7053SJung-uk Kim const void *param, size_t paramlen) 2356e71b7053SJung-uk Kim { 2357e71b7053SJung-uk Kim size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen; 2358e71b7053SJung-uk Kim unsigned char *tbs = OPENSSL_malloc(tbslen); 2359e71b7053SJung-uk Kim 2360e71b7053SJung-uk Kim if (tbs == NULL) { 2361b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 2362e71b7053SJung-uk Kim return 0; 2363e71b7053SJung-uk Kim } 2364b077aed3SPierre Pronchery memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE); 2365b077aed3SPierre Pronchery memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE); 2366e71b7053SJung-uk Kim 2367e71b7053SJung-uk Kim memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen); 2368e71b7053SJung-uk Kim 2369e71b7053SJung-uk Kim *ptbs = tbs; 2370e71b7053SJung-uk Kim return tbslen; 2371e71b7053SJung-uk Kim } 2372e71b7053SJung-uk Kim 2373e71b7053SJung-uk Kim /* 2374e71b7053SJung-uk Kim * Saves the current handshake digest for Post-Handshake Auth, 2375e71b7053SJung-uk Kim * Done after ClientFinished is processed, done exactly once 2376e71b7053SJung-uk Kim */ 2377e71b7053SJung-uk Kim int tls13_save_handshake_digest_for_pha(SSL *s) 2378e71b7053SJung-uk Kim { 2379e71b7053SJung-uk Kim if (s->pha_dgst == NULL) { 2380e71b7053SJung-uk Kim if (!ssl3_digest_cached_records(s, 1)) 2381e71b7053SJung-uk Kim /* SSLfatal() already called */ 2382e71b7053SJung-uk Kim return 0; 2383e71b7053SJung-uk Kim 2384e71b7053SJung-uk Kim s->pha_dgst = EVP_MD_CTX_new(); 2385e71b7053SJung-uk Kim if (s->pha_dgst == NULL) { 2386b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2387e71b7053SJung-uk Kim return 0; 2388e71b7053SJung-uk Kim } 2389e71b7053SJung-uk Kim if (!EVP_MD_CTX_copy_ex(s->pha_dgst, 2390b077aed3SPierre Pronchery s->s3.handshake_dgst)) { 2391b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2392b2bf0c7eSJung-uk Kim EVP_MD_CTX_free(s->pha_dgst); 2393b2bf0c7eSJung-uk Kim s->pha_dgst = NULL; 2394e71b7053SJung-uk Kim return 0; 2395e71b7053SJung-uk Kim } 2396e71b7053SJung-uk Kim } 2397e71b7053SJung-uk Kim return 1; 2398e71b7053SJung-uk Kim } 2399e71b7053SJung-uk Kim 2400e71b7053SJung-uk Kim /* 2401e71b7053SJung-uk Kim * Restores the Post-Handshake Auth handshake digest 2402e71b7053SJung-uk Kim * Done just before sending/processing the Cert Request 2403e71b7053SJung-uk Kim */ 2404e71b7053SJung-uk Kim int tls13_restore_handshake_digest_for_pha(SSL *s) 2405e71b7053SJung-uk Kim { 2406e71b7053SJung-uk Kim if (s->pha_dgst == NULL) { 2407b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2408e71b7053SJung-uk Kim return 0; 2409e71b7053SJung-uk Kim } 2410b077aed3SPierre Pronchery if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst, 2411e71b7053SJung-uk Kim s->pha_dgst)) { 2412b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2413e71b7053SJung-uk Kim return 0; 2414e71b7053SJung-uk Kim } 2415e71b7053SJung-uk Kim return 1; 2416e71b7053SJung-uk Kim } 2417