1 /* 2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* ==================================================================== 11 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 12 * ECC cipher suite support in OpenSSL originally developed by 13 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 14 */ 15 16 #include <limits.h> 17 #include <string.h> 18 #include <stdio.h> 19 #include "../ssl_locl.h" 20 #include "statem_locl.h" 21 #include <openssl/buffer.h> 22 #include <openssl/objects.h> 23 #include <openssl/evp.h> 24 #include <openssl/x509.h> 25 26 /* 27 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or 28 * SSL3_RT_CHANGE_CIPHER_SPEC) 29 */ 30 int ssl3_do_write(SSL *s, int type) 31 { 32 int ret; 33 34 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off], 35 s->init_num); 36 if (ret < 0) 37 return (-1); 38 if (type == SSL3_RT_HANDSHAKE) 39 /* 40 * should not be done for 'Hello Request's, but in that case we'll 41 * ignore the result anyway 42 */ 43 if (!ssl3_finish_mac(s, 44 (unsigned char *)&s->init_buf->data[s->init_off], 45 ret)) 46 return -1; 47 48 if (ret == s->init_num) { 49 if (s->msg_callback) 50 s->msg_callback(1, s->version, type, s->init_buf->data, 51 (size_t)(s->init_off + s->init_num), s, 52 s->msg_callback_arg); 53 return (1); 54 } 55 s->init_off += ret; 56 s->init_num -= ret; 57 return (0); 58 } 59 60 int tls_construct_finished(SSL *s, const char *sender, int slen) 61 { 62 unsigned char *p; 63 int i; 64 unsigned long l; 65 66 p = ssl_handshake_start(s); 67 68 i = s->method->ssl3_enc->final_finish_mac(s, 69 sender, slen, 70 s->s3->tmp.finish_md); 71 if (i <= 0) 72 return 0; 73 s->s3->tmp.finish_md_len = i; 74 memcpy(p, s->s3->tmp.finish_md, i); 75 l = i; 76 77 /* 78 * Copy the finished so we can use it for renegotiation checks 79 */ 80 if (!s->server) { 81 OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 82 memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md, i); 83 s->s3->previous_client_finished_len = i; 84 } else { 85 OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 86 memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md, i); 87 s->s3->previous_server_finished_len = i; 88 } 89 90 if (!ssl_set_handshake_header(s, SSL3_MT_FINISHED, l)) { 91 SSLerr(SSL_F_TLS_CONSTRUCT_FINISHED, ERR_R_INTERNAL_ERROR); 92 return 0; 93 } 94 95 return 1; 96 } 97 98 /* 99 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen 100 * to far. 101 */ 102 int ssl3_take_mac(SSL *s) 103 { 104 const char *sender; 105 int slen; 106 107 if (!s->server) { 108 sender = s->method->ssl3_enc->server_finished_label; 109 slen = s->method->ssl3_enc->server_finished_label_len; 110 } else { 111 sender = s->method->ssl3_enc->client_finished_label; 112 slen = s->method->ssl3_enc->client_finished_label_len; 113 } 114 115 s->s3->tmp.peer_finish_md_len = 116 s->method->ssl3_enc->final_finish_mac(s, sender, slen, 117 s->s3->tmp.peer_finish_md); 118 119 if (s->s3->tmp.peer_finish_md_len == 0) { 120 SSLerr(SSL_F_SSL3_TAKE_MAC, ERR_R_INTERNAL_ERROR); 121 return 0; 122 } 123 124 return 1; 125 } 126 127 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) 128 { 129 int al; 130 long remain; 131 132 remain = PACKET_remaining(pkt); 133 /* 134 * 'Change Cipher Spec' is just a single byte, which should already have 135 * been consumed by ssl_get_message() so there should be no bytes left, 136 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes 137 */ 138 if (SSL_IS_DTLS(s)) { 139 if ((s->version == DTLS1_BAD_VER 140 && remain != DTLS1_CCS_HEADER_LENGTH + 1) 141 || (s->version != DTLS1_BAD_VER 142 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) { 143 al = SSL_AD_ILLEGAL_PARAMETER; 144 SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, 145 SSL_R_BAD_CHANGE_CIPHER_SPEC); 146 goto f_err; 147 } 148 } else { 149 if (remain != 0) { 150 al = SSL_AD_ILLEGAL_PARAMETER; 151 SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, 152 SSL_R_BAD_CHANGE_CIPHER_SPEC); 153 goto f_err; 154 } 155 } 156 157 /* Check we have a cipher to change to */ 158 if (s->s3->tmp.new_cipher == NULL) { 159 al = SSL_AD_UNEXPECTED_MESSAGE; 160 SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY); 161 goto f_err; 162 } 163 164 s->s3->change_cipher_spec = 1; 165 if (!ssl3_do_change_cipher_spec(s)) { 166 al = SSL_AD_INTERNAL_ERROR; 167 SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); 168 goto f_err; 169 } 170 171 if (SSL_IS_DTLS(s)) { 172 dtls1_reset_seq_numbers(s, SSL3_CC_READ); 173 174 if (s->version == DTLS1_BAD_VER) 175 s->d1->handshake_read_seq++; 176 177 #ifndef OPENSSL_NO_SCTP 178 /* 179 * Remember that a CCS has been received, so that an old key of 180 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no 181 * SCTP is used 182 */ 183 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL); 184 #endif 185 } 186 187 return MSG_PROCESS_CONTINUE_READING; 188 f_err: 189 ssl3_send_alert(s, SSL3_AL_FATAL, al); 190 ossl_statem_set_error(s); 191 return MSG_PROCESS_ERROR; 192 } 193 194 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) 195 { 196 int al, i; 197 198 /* If this occurs, we have missed a message */ 199 if (!s->s3->change_cipher_spec) { 200 al = SSL_AD_UNEXPECTED_MESSAGE; 201 SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS); 202 goto f_err; 203 } 204 s->s3->change_cipher_spec = 0; 205 206 i = s->s3->tmp.peer_finish_md_len; 207 208 if ((unsigned long)i != PACKET_remaining(pkt)) { 209 al = SSL_AD_DECODE_ERROR; 210 SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_BAD_DIGEST_LENGTH); 211 goto f_err; 212 } 213 214 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md, i) != 0) { 215 al = SSL_AD_DECRYPT_ERROR; 216 SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_DIGEST_CHECK_FAILED); 217 goto f_err; 218 } 219 220 /* 221 * Copy the finished so we can use it for renegotiation checks 222 */ 223 if (s->server) { 224 OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 225 memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, i); 226 s->s3->previous_client_finished_len = i; 227 } else { 228 OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 229 memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, i); 230 s->s3->previous_server_finished_len = i; 231 } 232 233 return MSG_PROCESS_FINISHED_READING; 234 f_err: 235 ssl3_send_alert(s, SSL3_AL_FATAL, al); 236 ossl_statem_set_error(s); 237 return MSG_PROCESS_ERROR; 238 } 239 240 int tls_construct_change_cipher_spec(SSL *s) 241 { 242 unsigned char *p; 243 244 p = (unsigned char *)s->init_buf->data; 245 *p = SSL3_MT_CCS; 246 s->init_num = 1; 247 s->init_off = 0; 248 249 return 1; 250 } 251 252 unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk) 253 { 254 unsigned char *p; 255 unsigned long l = 3 + SSL_HM_HEADER_LENGTH(s); 256 257 if (!ssl_add_cert_chain(s, cpk, &l)) 258 return 0; 259 260 l -= 3 + SSL_HM_HEADER_LENGTH(s); 261 p = ssl_handshake_start(s); 262 l2n3(l, p); 263 l += 3; 264 265 if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE, l)) { 266 SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_INTERNAL_ERROR); 267 return 0; 268 } 269 return l + SSL_HM_HEADER_LENGTH(s); 270 } 271 272 WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst) 273 { 274 void (*cb) (const SSL *ssl, int type, int val) = NULL; 275 276 /* clean a few things up */ 277 ssl3_cleanup_key_block(s); 278 279 if (!SSL_IS_DTLS(s)) { 280 /* 281 * We don't do this in DTLS because we may still need the init_buf 282 * in case there are any unexpected retransmits 283 */ 284 BUF_MEM_free(s->init_buf); 285 s->init_buf = NULL; 286 } 287 288 ssl_free_wbio_buffer(s); 289 290 s->init_num = 0; 291 292 if (!s->server || s->renegotiate == 2) { 293 /* skipped if we just sent a HelloRequest */ 294 s->renegotiate = 0; 295 s->new_session = 0; 296 297 if (s->server) { 298 ssl_update_cache(s, SSL_SESS_CACHE_SERVER); 299 300 s->ctx->stats.sess_accept_good++; 301 s->handshake_func = ossl_statem_accept; 302 } else { 303 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 304 if (s->hit) 305 s->ctx->stats.sess_hit++; 306 307 s->handshake_func = ossl_statem_connect; 308 s->ctx->stats.sess_connect_good++; 309 } 310 311 if (s->info_callback != NULL) 312 cb = s->info_callback; 313 else if (s->ctx->info_callback != NULL) 314 cb = s->ctx->info_callback; 315 316 if (cb != NULL) 317 cb(s, SSL_CB_HANDSHAKE_DONE, 1); 318 319 if (SSL_IS_DTLS(s)) { 320 /* done with handshaking */ 321 s->d1->handshake_read_seq = 0; 322 s->d1->handshake_write_seq = 0; 323 s->d1->next_handshake_write_seq = 0; 324 dtls1_clear_received_buffer(s); 325 } 326 } 327 328 return WORK_FINISHED_STOP; 329 } 330 331 int tls_get_message_header(SSL *s, int *mt) 332 { 333 /* s->init_num < SSL3_HM_HEADER_LENGTH */ 334 int skip_message, i, recvd_type, al; 335 unsigned char *p; 336 unsigned long l; 337 338 p = (unsigned char *)s->init_buf->data; 339 340 do { 341 while (s->init_num < SSL3_HM_HEADER_LENGTH) { 342 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, 343 &p[s->init_num], 344 SSL3_HM_HEADER_LENGTH - s->init_num, 345 0); 346 if (i <= 0) { 347 s->rwstate = SSL_READING; 348 return 0; 349 } 350 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 351 /* 352 * A ChangeCipherSpec must be a single byte and may not occur 353 * in the middle of a handshake message. 354 */ 355 if (s->init_num != 0 || i != 1 || p[0] != SSL3_MT_CCS) { 356 al = SSL_AD_UNEXPECTED_MESSAGE; 357 SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, 358 SSL_R_BAD_CHANGE_CIPHER_SPEC); 359 goto f_err; 360 } 361 s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; 362 s->init_num = i - 1; 363 s->init_msg = s->init_buf->data; 364 s->s3->tmp.message_size = i; 365 return 1; 366 } else if (recvd_type != SSL3_RT_HANDSHAKE) { 367 al = SSL_AD_UNEXPECTED_MESSAGE; 368 SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, SSL_R_CCS_RECEIVED_EARLY); 369 goto f_err; 370 } 371 s->init_num += i; 372 } 373 374 skip_message = 0; 375 if (!s->server) 376 if (p[0] == SSL3_MT_HELLO_REQUEST) 377 /* 378 * The server may always send 'Hello Request' messages -- 379 * we are doing a handshake anyway now, so ignore them if 380 * their format is correct. Does not count for 'Finished' 381 * MAC. 382 */ 383 if (p[1] == 0 && p[2] == 0 && p[3] == 0) { 384 s->init_num = 0; 385 skip_message = 1; 386 387 if (s->msg_callback) 388 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 389 p, SSL3_HM_HEADER_LENGTH, s, 390 s->msg_callback_arg); 391 } 392 } while (skip_message); 393 /* s->init_num == SSL3_HM_HEADER_LENGTH */ 394 395 *mt = *p; 396 s->s3->tmp.message_type = *(p++); 397 398 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 399 /* 400 * Only happens with SSLv3+ in an SSLv2 backward compatible 401 * ClientHello 402 * 403 * Total message size is the remaining record bytes to read 404 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read 405 */ 406 l = RECORD_LAYER_get_rrec_length(&s->rlayer) 407 + SSL3_HM_HEADER_LENGTH; 408 s->s3->tmp.message_size = l; 409 410 s->init_msg = s->init_buf->data; 411 s->init_num = SSL3_HM_HEADER_LENGTH; 412 } else { 413 n2l3(p, l); 414 /* BUF_MEM_grow takes an 'int' parameter */ 415 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) { 416 al = SSL_AD_ILLEGAL_PARAMETER; 417 SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, SSL_R_EXCESSIVE_MESSAGE_SIZE); 418 goto f_err; 419 } 420 s->s3->tmp.message_size = l; 421 422 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; 423 s->init_num = 0; 424 } 425 426 return 1; 427 f_err: 428 ssl3_send_alert(s, SSL3_AL_FATAL, al); 429 return 0; 430 } 431 432 int tls_get_message_body(SSL *s, unsigned long *len) 433 { 434 long n; 435 unsigned char *p; 436 int i; 437 438 if (s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) { 439 /* We've already read everything in */ 440 *len = (unsigned long)s->init_num; 441 return 1; 442 } 443 444 p = s->init_msg; 445 n = s->s3->tmp.message_size - s->init_num; 446 while (n > 0) { 447 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 448 &p[s->init_num], n, 0); 449 if (i <= 0) { 450 s->rwstate = SSL_READING; 451 *len = 0; 452 return 0; 453 } 454 s->init_num += i; 455 n -= i; 456 } 457 458 /* 459 * If receiving Finished, record MAC of prior handshake messages for 460 * Finished verification. 461 */ 462 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) { 463 /* SSLfatal() already called */ 464 *len = 0; 465 return 0; 466 } 467 468 /* Feed this message into MAC computation. */ 469 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { 470 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 471 s->init_num)) { 472 SSLerr(SSL_F_TLS_GET_MESSAGE_BODY, ERR_R_EVP_LIB); 473 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 474 *len = 0; 475 return 0; 476 } 477 if (s->msg_callback) 478 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data, 479 (size_t)s->init_num, s, s->msg_callback_arg); 480 } else { 481 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 482 s->init_num + SSL3_HM_HEADER_LENGTH)) { 483 SSLerr(SSL_F_TLS_GET_MESSAGE_BODY, ERR_R_EVP_LIB); 484 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 485 *len = 0; 486 return 0; 487 } 488 if (s->msg_callback) 489 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, 490 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s, 491 s->msg_callback_arg); 492 } 493 494 /* 495 * init_num should never be negative...should probably be declared 496 * unsigned 497 */ 498 if (s->init_num < 0) { 499 SSLerr(SSL_F_TLS_GET_MESSAGE_BODY, ERR_R_INTERNAL_ERROR); 500 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 501 *len = 0; 502 return 0; 503 } 504 *len = (unsigned long)s->init_num; 505 return 1; 506 } 507 508 int ssl_cert_type(const X509 *x, const EVP_PKEY *pk) 509 { 510 if (pk == NULL && (pk = X509_get0_pubkey(x)) == NULL) 511 return -1; 512 513 switch (EVP_PKEY_id(pk)) { 514 default: 515 return -1; 516 case EVP_PKEY_RSA: 517 return SSL_PKEY_RSA_ENC; 518 case EVP_PKEY_DSA: 519 return SSL_PKEY_DSA_SIGN; 520 #ifndef OPENSSL_NO_EC 521 case EVP_PKEY_EC: 522 return SSL_PKEY_ECC; 523 #endif 524 #ifndef OPENSSL_NO_GOST 525 case NID_id_GostR3410_2001: 526 return SSL_PKEY_GOST01; 527 case NID_id_GostR3410_2012_256: 528 return SSL_PKEY_GOST12_256; 529 case NID_id_GostR3410_2012_512: 530 return SSL_PKEY_GOST12_512; 531 #endif 532 } 533 } 534 535 int ssl_verify_alarm_type(long type) 536 { 537 int al; 538 539 switch (type) { 540 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: 541 case X509_V_ERR_UNABLE_TO_GET_CRL: 542 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: 543 al = SSL_AD_UNKNOWN_CA; 544 break; 545 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: 546 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: 547 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: 548 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: 549 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: 550 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: 551 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: 552 case X509_V_ERR_CERT_NOT_YET_VALID: 553 case X509_V_ERR_CRL_NOT_YET_VALID: 554 case X509_V_ERR_CERT_UNTRUSTED: 555 case X509_V_ERR_CERT_REJECTED: 556 case X509_V_ERR_HOSTNAME_MISMATCH: 557 case X509_V_ERR_EMAIL_MISMATCH: 558 case X509_V_ERR_IP_ADDRESS_MISMATCH: 559 case X509_V_ERR_DANE_NO_MATCH: 560 case X509_V_ERR_EE_KEY_TOO_SMALL: 561 case X509_V_ERR_CA_KEY_TOO_SMALL: 562 case X509_V_ERR_CA_MD_TOO_WEAK: 563 al = SSL_AD_BAD_CERTIFICATE; 564 break; 565 case X509_V_ERR_CERT_SIGNATURE_FAILURE: 566 case X509_V_ERR_CRL_SIGNATURE_FAILURE: 567 al = SSL_AD_DECRYPT_ERROR; 568 break; 569 case X509_V_ERR_CERT_HAS_EXPIRED: 570 case X509_V_ERR_CRL_HAS_EXPIRED: 571 al = SSL_AD_CERTIFICATE_EXPIRED; 572 break; 573 case X509_V_ERR_CERT_REVOKED: 574 al = SSL_AD_CERTIFICATE_REVOKED; 575 break; 576 case X509_V_ERR_UNSPECIFIED: 577 case X509_V_ERR_OUT_OF_MEM: 578 case X509_V_ERR_INVALID_CALL: 579 case X509_V_ERR_STORE_LOOKUP: 580 al = SSL_AD_INTERNAL_ERROR; 581 break; 582 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 583 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: 584 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 585 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: 586 case X509_V_ERR_CERT_CHAIN_TOO_LONG: 587 case X509_V_ERR_PATH_LENGTH_EXCEEDED: 588 case X509_V_ERR_INVALID_CA: 589 al = SSL_AD_UNKNOWN_CA; 590 break; 591 case X509_V_ERR_APPLICATION_VERIFICATION: 592 al = SSL_AD_HANDSHAKE_FAILURE; 593 break; 594 case X509_V_ERR_INVALID_PURPOSE: 595 al = SSL_AD_UNSUPPORTED_CERTIFICATE; 596 break; 597 default: 598 al = SSL_AD_CERTIFICATE_UNKNOWN; 599 break; 600 } 601 return (al); 602 } 603 604 int ssl_allow_compression(SSL *s) 605 { 606 if (s->options & SSL_OP_NO_COMPRESSION) 607 return 0; 608 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL); 609 } 610 611 static int version_cmp(const SSL *s, int a, int b) 612 { 613 int dtls = SSL_IS_DTLS(s); 614 615 if (a == b) 616 return 0; 617 if (!dtls) 618 return a < b ? -1 : 1; 619 return DTLS_VERSION_LT(a, b) ? -1 : 1; 620 } 621 622 typedef struct { 623 int version; 624 const SSL_METHOD *(*cmeth) (void); 625 const SSL_METHOD *(*smeth) (void); 626 } version_info; 627 628 #if TLS_MAX_VERSION != TLS1_2_VERSION 629 # error Code needs update for TLS_method() support beyond TLS1_2_VERSION. 630 #endif 631 632 static const version_info tls_version_table[] = { 633 #ifndef OPENSSL_NO_TLS1_2 634 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method}, 635 #else 636 {TLS1_2_VERSION, NULL, NULL}, 637 #endif 638 #ifndef OPENSSL_NO_TLS1_1 639 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method}, 640 #else 641 {TLS1_1_VERSION, NULL, NULL}, 642 #endif 643 #ifndef OPENSSL_NO_TLS1 644 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method}, 645 #else 646 {TLS1_VERSION, NULL, NULL}, 647 #endif 648 #ifndef OPENSSL_NO_SSL3 649 {SSL3_VERSION, sslv3_client_method, sslv3_server_method}, 650 #else 651 {SSL3_VERSION, NULL, NULL}, 652 #endif 653 {0, NULL, NULL}, 654 }; 655 656 #if DTLS_MAX_VERSION != DTLS1_2_VERSION 657 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION. 658 #endif 659 660 static const version_info dtls_version_table[] = { 661 #ifndef OPENSSL_NO_DTLS1_2 662 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method}, 663 #else 664 {DTLS1_2_VERSION, NULL, NULL}, 665 #endif 666 #ifndef OPENSSL_NO_DTLS1 667 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method}, 668 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL}, 669 #else 670 {DTLS1_VERSION, NULL, NULL}, 671 {DTLS1_BAD_VER, NULL, NULL}, 672 #endif 673 {0, NULL, NULL}, 674 }; 675 676 /* 677 * ssl_method_error - Check whether an SSL_METHOD is enabled. 678 * 679 * @s: The SSL handle for the candidate method 680 * @method: the intended method. 681 * 682 * Returns 0 on success, or an SSL error reason on failure. 683 */ 684 static int ssl_method_error(const SSL *s, const SSL_METHOD *method) 685 { 686 int version = method->version; 687 688 if ((s->min_proto_version != 0 && 689 version_cmp(s, version, s->min_proto_version) < 0) || 690 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0) 691 return SSL_R_VERSION_TOO_LOW; 692 693 if (s->max_proto_version != 0 && 694 version_cmp(s, version, s->max_proto_version) > 0) 695 return SSL_R_VERSION_TOO_HIGH; 696 697 if ((s->options & method->mask) != 0) 698 return SSL_R_UNSUPPORTED_PROTOCOL; 699 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s)) 700 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE; 701 else if ((method->flags & SSL_METHOD_NO_FIPS) != 0 && FIPS_mode()) 702 return SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE; 703 704 return 0; 705 } 706 707 /* 708 * ssl_version_supported - Check that the specified `version` is supported by 709 * `SSL *` instance 710 * 711 * @s: The SSL handle for the candidate method 712 * @version: Protocol version to test against 713 * 714 * Returns 1 when supported, otherwise 0 715 */ 716 int ssl_version_supported(const SSL *s, int version) 717 { 718 const version_info *vent; 719 const version_info *table; 720 721 switch (s->method->version) { 722 default: 723 /* Version should match method version for non-ANY method */ 724 return version_cmp(s, version, s->version) == 0; 725 case TLS_ANY_VERSION: 726 table = tls_version_table; 727 break; 728 case DTLS_ANY_VERSION: 729 table = dtls_version_table; 730 break; 731 } 732 733 for (vent = table; 734 vent->version != 0 && version_cmp(s, version, vent->version) <= 0; 735 ++vent) { 736 if (vent->cmeth != NULL && 737 version_cmp(s, version, vent->version) == 0 && 738 ssl_method_error(s, vent->cmeth()) == 0) { 739 return 1; 740 } 741 } 742 return 0; 743 } 744 745 /* 746 * ssl_check_version_downgrade - In response to RFC7507 SCSV version 747 * fallback indication from a client check whether we're using the highest 748 * supported protocol version. 749 * 750 * @s server SSL handle. 751 * 752 * Returns 1 when using the highest enabled version, 0 otherwise. 753 */ 754 int ssl_check_version_downgrade(SSL *s) 755 { 756 const version_info *vent; 757 const version_info *table; 758 759 /* 760 * Check that the current protocol is the highest enabled version 761 * (according to s->ctx->method, as version negotiation may have changed 762 * s->method). 763 */ 764 if (s->version == s->ctx->method->version) 765 return 1; 766 767 /* 768 * Apparently we're using a version-flexible SSL_METHOD (not at its 769 * highest protocol version). 770 */ 771 if (s->ctx->method->version == TLS_method()->version) 772 table = tls_version_table; 773 else if (s->ctx->method->version == DTLS_method()->version) 774 table = dtls_version_table; 775 else { 776 /* Unexpected state; fail closed. */ 777 return 0; 778 } 779 780 for (vent = table; vent->version != 0; ++vent) { 781 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0) 782 return s->version == vent->version; 783 } 784 return 0; 785 } 786 787 /* 788 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS 789 * protocols, provided the initial (D)TLS method is version-flexible. This 790 * function sanity-checks the proposed value and makes sure the method is 791 * version-flexible, then sets the limit if all is well. 792 * 793 * @method_version: The version of the current SSL_METHOD. 794 * @version: the intended limit. 795 * @bound: pointer to limit to be updated. 796 * 797 * Returns 1 on success, 0 on failure. 798 */ 799 int ssl_set_version_bound(int method_version, int version, int *bound) 800 { 801 if (version == 0) { 802 *bound = version; 803 return 1; 804 } 805 806 /*- 807 * Restrict TLS methods to TLS protocol versions. 808 * Restrict DTLS methods to DTLS protocol versions. 809 * Note, DTLS version numbers are decreasing, use comparison macros. 810 * 811 * Note that for both lower-bounds we use explicit versions, not 812 * (D)TLS_MIN_VERSION. This is because we don't want to break user 813 * configurations. If the MIN (supported) version ever rises, the user's 814 * "floor" remains valid even if no longer available. We don't expect the 815 * MAX ceiling to ever get lower, so making that variable makes sense. 816 */ 817 switch (method_version) { 818 default: 819 /* 820 * XXX For fixed version methods, should we always fail and not set any 821 * bounds, always succeed and not set any bounds, or set the bounds and 822 * arrange to fail later if they are not met? At present fixed-version 823 * methods are not subject to controls that disable individual protocol 824 * versions. 825 */ 826 return 0; 827 828 case TLS_ANY_VERSION: 829 if (version < SSL3_VERSION || version > TLS_MAX_VERSION) 830 return 0; 831 break; 832 833 case DTLS_ANY_VERSION: 834 if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) || 835 DTLS_VERSION_LT(version, DTLS1_BAD_VER)) 836 return 0; 837 break; 838 } 839 840 *bound = version; 841 return 1; 842 } 843 844 /* 845 * ssl_choose_server_version - Choose server (D)TLS version. Called when the 846 * client HELLO is received to select the final server protocol version and 847 * the version specific method. 848 * 849 * @s: server SSL handle. 850 * 851 * Returns 0 on success or an SSL error reason number on failure. 852 */ 853 int ssl_choose_server_version(SSL *s) 854 { 855 /*- 856 * With version-flexible methods we have an initial state with: 857 * 858 * s->method->version == (D)TLS_ANY_VERSION, 859 * s->version == (D)TLS_MAX_VERSION. 860 * 861 * So we detect version-flexible methods via the method version, not the 862 * handle version. 863 */ 864 int server_version = s->method->version; 865 int client_version = s->client_version; 866 const version_info *vent; 867 const version_info *table; 868 int disabled = 0; 869 870 switch (server_version) { 871 default: 872 if (version_cmp(s, client_version, s->version) < 0) 873 return SSL_R_WRONG_SSL_VERSION; 874 /* 875 * If this SSL handle is not from a version flexible method we don't 876 * (and never did) check min/max FIPS or Suite B constraints. Hope 877 * that's OK. It is up to the caller to not choose fixed protocol 878 * versions they don't want. If not, then easy to fix, just return 879 * ssl_method_error(s, s->method) 880 */ 881 return 0; 882 case TLS_ANY_VERSION: 883 table = tls_version_table; 884 break; 885 case DTLS_ANY_VERSION: 886 table = dtls_version_table; 887 break; 888 } 889 890 for (vent = table; vent->version != 0; ++vent) { 891 const SSL_METHOD *method; 892 893 if (vent->smeth == NULL || 894 version_cmp(s, client_version, vent->version) < 0) 895 continue; 896 method = vent->smeth(); 897 if (ssl_method_error(s, method) == 0) { 898 s->version = vent->version; 899 s->method = method; 900 return 0; 901 } 902 disabled = 1; 903 } 904 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW; 905 } 906 907 /* 908 * ssl_choose_client_version - Choose client (D)TLS version. Called when the 909 * server HELLO is received to select the final client protocol version and 910 * the version specific method. 911 * 912 * @s: client SSL handle. 913 * @version: The proposed version from the server's HELLO. 914 * 915 * Returns 0 on success or an SSL error reason number on failure. 916 */ 917 int ssl_choose_client_version(SSL *s, int version) 918 { 919 const version_info *vent; 920 const version_info *table; 921 922 switch (s->method->version) { 923 default: 924 if (version != s->version) 925 return SSL_R_WRONG_SSL_VERSION; 926 /* 927 * If this SSL handle is not from a version flexible method we don't 928 * (and never did) check min/max, FIPS or Suite B constraints. Hope 929 * that's OK. It is up to the caller to not choose fixed protocol 930 * versions they don't want. If not, then easy to fix, just return 931 * ssl_method_error(s, s->method) 932 */ 933 return 0; 934 case TLS_ANY_VERSION: 935 table = tls_version_table; 936 break; 937 case DTLS_ANY_VERSION: 938 table = dtls_version_table; 939 break; 940 } 941 942 for (vent = table; vent->version != 0; ++vent) { 943 const SSL_METHOD *method; 944 int err; 945 946 if (version != vent->version) 947 continue; 948 if (vent->cmeth == NULL) 949 break; 950 method = vent->cmeth(); 951 err = ssl_method_error(s, method); 952 if (err != 0) 953 return err; 954 s->method = method; 955 s->version = version; 956 return 0; 957 } 958 959 return SSL_R_UNSUPPORTED_PROTOCOL; 960 } 961 962 /* 963 * ssl_get_client_min_max_version - get minimum and maximum client version 964 * @s: The SSL connection 965 * @min_version: The minimum supported version 966 * @max_version: The maximum supported version 967 * 968 * Work out what version we should be using for the initial ClientHello if the 969 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx 970 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B 971 * or FIPS_mode() constraints and any floor imposed by the security level here, 972 * so we don't advertise the wrong protocol version to only reject the outcome later. 973 * 974 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled, 975 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol 976 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1. 977 * 978 * Returns 0 on success or an SSL error reason number on failure. On failure 979 * min_version and max_version will also be set to 0. 980 */ 981 int ssl_get_client_min_max_version(const SSL *s, int *min_version, 982 int *max_version) 983 { 984 int version; 985 int hole; 986 const SSL_METHOD *single = NULL; 987 const SSL_METHOD *method; 988 const version_info *table; 989 const version_info *vent; 990 991 switch (s->method->version) { 992 default: 993 /* 994 * If this SSL handle is not from a version flexible method we don't 995 * (and never did) check min/max FIPS or Suite B constraints. Hope 996 * that's OK. It is up to the caller to not choose fixed protocol 997 * versions they don't want. If not, then easy to fix, just return 998 * ssl_method_error(s, s->method) 999 */ 1000 *min_version = *max_version = s->version; 1001 return 0; 1002 case TLS_ANY_VERSION: 1003 table = tls_version_table; 1004 break; 1005 case DTLS_ANY_VERSION: 1006 table = dtls_version_table; 1007 break; 1008 } 1009 1010 /* 1011 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols 1012 * below X enabled. This is required in order to maintain the "version 1013 * capability" vector contiguous. Any versions with a NULL client method 1014 * (protocol version client is disabled at compile-time) is also a "hole". 1015 * 1016 * Our initial state is hole == 1, version == 0. That is, versions above 1017 * the first version in the method table are disabled (a "hole" above 1018 * the valid protocol entries) and we don't have a selected version yet. 1019 * 1020 * Whenever "hole == 1", and we hit an enabled method, its version becomes 1021 * the selected version, and the method becomes a candidate "single" 1022 * method. We're no longer in a hole, so "hole" becomes 0. 1023 * 1024 * If "hole == 0" and we hit an enabled method, then "single" is cleared, 1025 * as we support a contiguous range of at least two methods. If we hit 1026 * a disabled method, then hole becomes true again, but nothing else 1027 * changes yet, because all the remaining methods may be disabled too. 1028 * If we again hit an enabled method after the new hole, it becomes 1029 * selected, as we start from scratch. 1030 */ 1031 *min_version = version = 0; 1032 hole = 1; 1033 for (vent = table; vent->version != 0; ++vent) { 1034 /* 1035 * A table entry with a NULL client method is still a hole in the 1036 * "version capability" vector. 1037 */ 1038 if (vent->cmeth == NULL) { 1039 hole = 1; 1040 continue; 1041 } 1042 method = vent->cmeth(); 1043 if (ssl_method_error(s, method) != 0) { 1044 hole = 1; 1045 } else if (!hole) { 1046 single = NULL; 1047 *min_version = method->version; 1048 } else { 1049 version = (single = method)->version; 1050 *min_version = version; 1051 hole = 0; 1052 } 1053 } 1054 1055 *max_version = version; 1056 1057 /* Fail if everything is disabled */ 1058 if (version == 0) 1059 return SSL_R_NO_PROTOCOLS_AVAILABLE; 1060 1061 return 0; 1062 } 1063 1064 /* 1065 * ssl_set_client_hello_version - Work out what version we should be using for 1066 * the initial ClientHello. 1067 * 1068 * @s: client SSL handle. 1069 * 1070 * Returns 0 on success or an SSL error reason number on failure. 1071 */ 1072 int ssl_set_client_hello_version(SSL *s) 1073 { 1074 int ver_min, ver_max, ret; 1075 1076 ret = ssl_get_client_min_max_version(s, &ver_min, &ver_max); 1077 1078 if (ret != 0) 1079 return ret; 1080 1081 s->client_version = s->version = ver_max; 1082 return 0; 1083 } 1084