      1      1.1  christos /*
      2  1.1.1.2  christos  * Copyright 1995-2026 The OpenSSL Project Authors. All Rights Reserved.
      3      1.1  christos  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
      4      1.1  christos  *
      5      1.1  christos  * Licensed under the Apache License 2.0 (the "License").  You may not use
      6      1.1  christos  * this file except in compliance with the License.  You can obtain a copy
      7      1.1  christos  * in the file LICENSE in the source distribution or at
      8      1.1  christos  * https://www.openssl.org/source/license.html
      9      1.1  christos  */
     10      1.1  christos 
     11      1.1  christos #include <limits.h>
     12      1.1  christos #include <string.h>
     13      1.1  christos #include <stdio.h>
     14      1.1  christos #include "../ssl_local.h"
     15      1.1  christos #include "statem_local.h"
     16      1.1  christos #include "internal/cryptlib.h"
     17      1.1  christos #include "internal/ssl_unwrap.h"
     18      1.1  christos #include <openssl/buffer.h>
     19      1.1  christos #include <openssl/objects.h>
     20      1.1  christos #include <openssl/evp.h>
     21      1.1  christos #include <openssl/rsa.h>
     22      1.1  christos #include <openssl/x509.h>
     23      1.1  christos #include <openssl/trace.h>
     24      1.1  christos #include <openssl/encoder.h>
     25      1.1  christos 
     26      1.1  christos /*
     27      1.1  christos  * Map error codes to TLS/SSL alert types.
     28      1.1  christos  */
/*
 * One entry of a lookup table pairing an X509 verification error code with
 * the TLS alert description to send to the peer for it. No user of the type
 * is visible in this part of the file.
 */
typedef struct x509err2alert_st {
    int x509err; /* presumably an X509_V_ERR_* value - confirm against the table */
    int alert;   /* presumably an SSL_AD_* alert description - confirm against the table */
} X509ERR2ALERT;
     33      1.1  christos 
     34      1.1  christos /* Fixed value used in the ServerHello random field to identify an HRR */
/*
 * Fixed value used in the ServerHello random field to identify an HRR
 * (HelloRetryRequest). In TLS 1.3 an HRR is encoded as a ServerHello whose
 * 32-byte random field carries exactly these bytes (RFC 8446, section 4.1.3:
 * the SHA-256 of "HelloRetryRequest"). Deliberately non-static; other statem
 * sources presumably reference it.
 */
const unsigned char hrrrandom[] = {
    0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
    0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
    0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
};
     40      1.1  christos 
/*
 * Install (or clear, by passing NULL) the handshake-message mutation hooks
 * used by the test suite: |mutate_handshake_cb| is offered every outgoing
 * handshake message by ssl3_do_write() and |finish_mutate_handshake_cb| is
 * invoked once the mutated copy has been taken over; |mutatearg| is passed
 * to both unchanged.
 *
 * Returns 1 on success, 0 when |s| does not wrap an SSL_CONNECTION.
 */
int ossl_statem_set_mutator(SSL *s,
    ossl_statem_mutate_handshake_cb mutate_handshake_cb,
    ossl_statem_finish_mutate_handshake_cb finish_mutate_handshake_cb,
    void *mutatearg)
{
    SSL_CONNECTION *conn = SSL_CONNECTION_FROM_SSL(s);

    /* Nothing to configure without a connection object */
    if (conn == NULL)
        return 0;

    /* The three values are stored as-is; no validation is performed here */
    conn->statem.finish_mutate_handshake_cb = finish_mutate_handshake_cb;
    conn->statem.mutatearg = mutatearg;
    conn->statem.mutate_handshake_cb = mutate_handshake_cb;

    return 1;
}
     57      1.1  christos 
     58      1.1  christos /*
     59      1.1  christos  * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
     60      1.1  christos  * SSL3_RT_CHANGE_CIPHER_SPEC)
     61      1.1  christos  */
/*
 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
 * SSL3_RT_CHANGE_CIPHER_SPEC)
 *
 * The pending message is s->init_buf->data[s->init_off .. s->init_off + s->init_num).
 * Returns 1 once the whole message has been handed to the record layer,
 * 0 when only part of it went out (s->init_off / s->init_num are advanced
 * so a later call resumes where this one stopped), and -1 on any failure.
 */
int ssl3_do_write(SSL_CONNECTION *s, uint8_t type)
{
    int ret;
    size_t written = 0;
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
    SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);

    /*
     * If we're running the test suite then we may need to mutate the message
     * we've been asked to write. Does not happen in normal operation.
     *
     * Only the first write attempt for a message is mutated (write_in_progress
     * is set below and cleared once the full message is out), and only for
     * handshake records that carry at least a handshake header.
     */
    if (s->statem.mutate_handshake_cb != NULL
        && !s->statem.write_in_progress
        && type == SSL3_RT_HANDSHAKE
        && s->init_num >= SSL3_HM_HEADER_LENGTH) {
        unsigned char *msg;
        size_t msglen;

        /* The callback hands back a replacement message in msg/msglen */
        if (!s->statem.mutate_handshake_cb((unsigned char *)s->init_buf->data,
                s->init_num,
                &msg, &msglen,
                s->statem.mutatearg))
            return -1;
        /*
         * A replacement shorter than a handshake header is refused, and the
         * buffer is grown first so a longer replacement cannot overrun it.
         */
        if (msglen < SSL3_HM_HEADER_LENGTH
            || !BUF_MEM_grow(s->init_buf, msglen))
            return -1;
        /*
         * Copies to the start of the buffer: assumes s->init_off is 0 at the
         * beginning of a message (tls_close_construct_packet() resets it).
         */
        memcpy(s->init_buf->data, msg, msglen);
        s->init_num = msglen;
        s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
        /*
         * Not NULL-checked: presumed to be installed together with
         * mutate_handshake_cb via ossl_statem_set_mutator(). Its contract
         * (e.g. releasing what backs msg) is not visible here.
         */
        s->statem.finish_mutate_handshake_cb(s->statem.mutatearg);
        s->statem.write_in_progress = 1;
    }

    /* |written| receives how much the record layer actually accepted */
    ret = ssl3_write_bytes(ssl, type, &s->init_buf->data[s->init_off],
        s->init_num, &written);
    if (ret <= 0)
        return -1;
    if (type == SSL3_RT_HANDSHAKE)
        /*
         * should not be done for 'Hello Request's, but in that case we'll
         * ignore the result anyway
         * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
         *
         * Nested unbraced ifs: the ssl3_finish_mac() call belongs to the
         * innermost condition. Only the bytes written by this call are fed
         * into the handshake transcript hash, so a partial write is not
         * hashed twice.
         */
        if (!SSL_CONNECTION_IS_TLS13(s)
            || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
                && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
                && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
            if (!ssl3_finish_mac(s,
                    (unsigned char *)&s->init_buf->data[s->init_off],
                    written))
                return -1;
    if (written == s->init_num) {
        /* Whole message out: report it (write direction = 1) to the message callback */
        s->statem.write_in_progress = 0;
        if (s->msg_callback)
            s->msg_callback(1, s->version, type, s->init_buf->data,
                (size_t)(s->init_off + s->init_num), ussl,
                s->msg_callback_arg);
        return 1;
    }
    /* Partial write: remember how far we got so the next call continues */
    s->init_off += written;
    s->init_num -= written;
    return 0;
}
    125      1.1  christos 
/*
 * Finish a message that was built into |pkt| and queue it for sending.
 *
 * For anything other than a ChangeCipherSpec the open sub-packet is closed
 * first (WPACKET_close() finalises the innermost open sub-packet). The total
 * length is then stored in s->init_num with s->init_off reset to 0, which is
 * the layout ssl3_do_write() expects.
 *
 * Returns 1 on success, 0 if the packet cannot be closed, its length cannot
 * be read, or the length does not fit in an int.
 */
int tls_close_construct_packet(SSL_CONNECTION *s, WPACKET *pkt, int htype)
{
    size_t msglen;

    /* CCS carries no handshake header, so there is no sub-packet to close */
    if (htype != SSL3_MT_CHANGE_CIPHER_SPEC) {
        if (!WPACKET_close(pkt))
            return 0;
    }
    if (!WPACKET_get_length(pkt, &msglen))
        return 0;
    /* s->init_num is assigned through an int cast; refuse anything larger */
    if (msglen > INT_MAX)
        return 0;

    s->init_off = 0;
    s->init_num = (int)msglen;

    return 1;
}
    139      1.1  christos 
/*
 * Per-handshake initialisation shared by client and server, run before the
 * first message of a (re)negotiation: resets the transcript hash and the
 * extension flags, validates the configured protocol version range against
 * the available digests and (server side) the enabled cipher list, and bumps
 * the connect/accept statistics.
 *
 * Returns 1 on success. Returns 0 after raising SSLfatal() (or after a callee
 * has already raised it) when the handshake cannot proceed.
 */
int tls_setup_handshake(SSL_CONNECTION *s)
{
    int ver_min, ver_max, ok;
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    /* Fresh handshake transcript hash state */
    if (!ssl3_init_finished_mac(s)) {
        /* SSLfatal() already called */
        return 0;
    }

    /* Reset any extension flags */
    memset(s->ext.extflags, 0, sizeof(s->ext.extflags));

    /* Effective (D)TLS version range after config, method and options */
    if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
        SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
        return 0;
    }

    /* Sanity check that we have MD5-SHA1 if we need it */
    if (sctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
        int negotiated_minversion;
        /* Highest version whose handshake signatures require MD5-SHA1 */
        int md5sha1_needed_maxversion = SSL_CONNECTION_IS_DTLS(s)
            ? DTLS1_VERSION
            : TLS1_1_VERSION;

        /* We don't have MD5-SHA1 - do we need it? */
        if (ssl_version_cmp(s, ver_max, md5sha1_needed_maxversion) <= 0) {
            SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
                SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
                "The max supported SSL/TLS version needs the"
                " MD5-SHA1 digest but it is not available"
                " in the loaded providers. Use (D)TLSv1.2 or"
                " above, or load different providers");
            return 0;
        }

        ok = 1;

        /*
         * Don't allow TLSv1.1 or below to be negotiated
         *
         * The max version is fine, but the configured min would still let a
         * peer pull us down to a version we cannot sign for, so raise it.
         */
        negotiated_minversion = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_2_VERSION : TLS1_2_VERSION;
        if (ssl_version_cmp(s, ver_min, negotiated_minversion) < 0)
            ok = SSL_set_min_proto_version(ssl, negotiated_minversion);
        if (!ok) {
            /* Shouldn't happen */
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
            return 0;
        }
    }

    ok = 0;
    if (s->server) {
        STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl);
        int i;

        /*
         * Sanity check that the maximum version we accept has ciphers
         * enabled. For clients we do this check during construction of the
         * ClientHello.
         */
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
            /* Each cipher carries separate TLS and DTLS version bounds */
            int cipher_minprotover = SSL_CONNECTION_IS_DTLS(s)
                ? c->min_dtls
                : c->min_tls;
            int cipher_maxprotover = SSL_CONNECTION_IS_DTLS(s)
                ? c->max_dtls
                : c->max_tls;

            /* One cipher usable at ver_max is enough */
            if (ssl_version_cmp(s, ver_max, cipher_minprotover) >= 0
                && ssl_version_cmp(s, ver_max, cipher_maxprotover) <= 0) {
                ok = 1;
                break;
            }
        }
        if (!ok) {
            SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
                SSL_R_NO_CIPHERS_AVAILABLE,
                "No ciphers enabled for max supported "
                "SSL/TLS version");
            return 0;
        }
        /* Statistics counters (ssl_tsan_counter: presumably a race-free increment) */
        if (SSL_IS_FIRST_HANDSHAKE(s)) {
            /* N.B. s->session_ctx == s->ctx here */
            ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
        } else {
            /* N.B. s->ctx may not equal s->session_ctx */
            ssl_tsan_counter(sctx, &sctx->stats.sess_accept_renegotiate);

            /* A renegotiation starts without a pending client cert request */
            s->s3.tmp.cert_request = 0;
        }
    } else {
        if (SSL_IS_FIRST_HANDSHAKE(s))
            ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
        else
            ssl_tsan_counter(s->session_ctx,
                &s->session_ctx->stats.sess_connect_renegotiate);

        /* mark client_random uninitialized */
        memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
        /* No session resumption ("hit") decided yet for this handshake */
        s->hit = 0;

        s->s3.tmp.cert_req = 0;

        /* DTLS clients drive retransmission from the handshake timer */
        if (SSL_CONNECTION_IS_DTLS(s))
            s->statem.use_timer = 1;
    }

    return 1;
}
    250      1.1  christos 
    251      1.1  christos /*
    252      1.1  christos  * Size of the to-be-signed TLS13 data, without the hash size itself:
    253      1.1  christos  * 64 bytes of value 32, 33 context bytes, 1 byte separator
    254      1.1  christos  */
    255  1.1.1.2  christos #define TLS13_TBS_START_SIZE 64
    256  1.1.1.2  christos #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
    257      1.1  christos 
/*
 * Locate the data that a CertificateVerify signature covers.
 *
 * TLS 1.3: assembles the RFC 8446 construction into the caller-provided
 * |tls13tbs| buffer (64 octets of 0x20, a 33-byte context string, a NUL
 * separator, then the transcript hash) and points *hdata at it. When we are
 * processing a received CertificateVerify the transcript hash saved in
 * s->cert_verify_hash is used, since the live hash already covers the
 * CertificateVerify message itself. Which context string is chosen depends
 * on who signed: the server for TLS_ST_CR_CERT_VRFY / TLS_ST_SW_CERT_VRFY,
 * the client otherwise.
 *
 * Earlier versions: *hdata is aimed directly at the raw handshake transcript
 * kept in s->s3.handshake_buffer; |tls13tbs| is left untouched.
 *
 * *hdatalen receives the length in both cases. Returns 1 on success, 0 on
 * failure with SSLfatal() raised (by us or by ssl_handshake_hash()).
 */
static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs,
    void **hdata, size_t *hdatalen)
{
    /* ASCII: "TLS 1.3, server CertificateVerify", in hex for EBCDIC compatibility */
    static const char servercontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x73\x65\x72"
                                        "\x76\x65\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79";
    /* ASCII: "TLS 1.3, client CertificateVerify", in hex for EBCDIC compatibility */
    static const char clientcontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x63\x6c\x69"
                                        "\x65\x6e\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79";

    if (!SSL_CONNECTION_IS_TLS13(s)) {
        /* Pre-1.3: the signature is over the buffered transcript as-is */
        long buflen = BIO_get_mem_data(s->s3.handshake_buffer, hdata);

        if (buflen <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
        *hdatalen = (size_t)buflen;
        return 1;
    }

    {
        const int server_signed = s->statem.hand_state == TLS_ST_CR_CERT_VRFY
            || s->statem.hand_state == TLS_ST_SW_CERT_VRFY;
        const int reading = s->statem.hand_state == TLS_ST_CR_CERT_VRFY
            || s->statem.hand_state == TLS_ST_SR_CERT_VRFY;
        const char *context = server_signed ? servercontext : clientcontext;
        unsigned char *hash = tls13tbs + TLS13_TBS_PREAMBLE_SIZE;
        size_t hashlen;

        /* 64 octets of 0x20 (ASCII space), then the context plus its NUL terminator */
        memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
        /* Both context strings are 33 bytes + NUL, exactly the 34 bytes copied */
        memcpy(tls13tbs + TLS13_TBS_START_SIZE, context,
               TLS13_TBS_PREAMBLE_SIZE - TLS13_TBS_START_SIZE);

        if (reading) {
            /* Saved hash from before the CertificateVerify was absorbed */
            memcpy(hash, s->cert_verify_hash, s->cert_verify_hash_len);
            hashlen = s->cert_verify_hash_len;
        } else if (!ssl_handshake_hash(s, hash, EVP_MAX_MD_SIZE, &hashlen)) {
            /* SSLfatal() already called */
            return 0;
        }

        *hdata = tls13tbs;
        *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
    }

    return 1;
}
    312      1.1  christos 
/*
 * Build the body of an outgoing CertificateVerify message into |pkt|: the
 * 2-byte signature algorithm id when signature algorithms are in use,
 * followed by a 2-byte length-prefixed signature made with the private key
 * of the certificate selected for this handshake (s->s3.tmp.cert) under the
 * negotiated algorithm (s->s3.tmp.sigalg) over the data supplied by
 * get_cert_verify_tbs_data().
 *
 * Returns CON_FUNC_SUCCESS, or CON_FUNC_ERROR with SSLfatal() raised on
 * every failure path (either here or by the failing callee). |sig| and
 * |mctx| are released on both exits; |pctx| is not freed separately because
 * EVP_DigestSignInit_ex() hands out a context owned by |mctx|.
 */
CON_FUNC_RETURN tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt)
{
    EVP_PKEY *pkey = NULL;
    const EVP_MD *md = NULL;
    EVP_MD_CTX *mctx = NULL;
    EVP_PKEY_CTX *pctx = NULL;
    size_t hdatalen = 0, siglen = 0;
    void *hdata;
    unsigned char *sig = NULL;
    /* Large enough for the TLS 1.3 preamble plus any supported digest */
    unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
    const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    /* Both must have been chosen earlier in the handshake */
    if (lu == NULL || s->s3.tmp.cert == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    pkey = s->s3.tmp.cert->privatekey;

    /* md stays NULL for algorithms that hash internally (md == NULL is handled below) */
    if (pkey == NULL || !tls1_lookup_md(sctx, lu, &md)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    mctx = EVP_MD_CTX_new();
    if (mctx == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
        goto err;
    }

    /* Get the data to be signed */
    if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
        /* SSLfatal() already called */
        goto err;
    }

    /* TLS 1.2+ messages lead with the SignatureScheme / SignatureAndHashAlgorithm */
    if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /* Uses the connection's library context and property query for provider lookup */
    if (EVP_DigestSignInit_ex(mctx, &pctx,
            md == NULL ? NULL : EVP_MD_get0_name(md),
            sctx->libctx, sctx->propq, pkey,
            NULL)
        <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
        goto err;
    }

    /* RSA-PSS schemes: salt length equals the digest length */
    if (lu->sig == EVP_PKEY_RSA_PSS) {
        if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
            || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
                   RSA_PSS_SALTLEN_DIGEST)
                <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
            goto err;
        }
    }
    if (s->version == SSL3_VERSION) {
        /*
         * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
         * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
         *
         * The SSLv3 construction mixes the session master secret into the
         * hash, hence the ctrl between update and final. The first Final
         * call with a NULL buffer only reports the required |siglen|.
         */
        if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
            || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
                   (int)s->session->master_key_length,
                   s->session->master_key)
                <= 0
            || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {

            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
            goto err;
        }
        sig = OPENSSL_malloc(siglen);
        if (sig == NULL
            || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
            goto err;
        }
    } else {
        /*
         * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
         * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
         *
         * Same two-call pattern: size query with a NULL buffer, then sign.
         */
        if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
            goto err;
        }
        sig = OPENSSL_malloc(siglen);
        if (sig == NULL
            || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
            goto err;
        }
    }

#ifndef OPENSSL_NO_GOST
    /* GOST signatures go on the wire byte-reversed; reverse in place (NULL source) */
    {
        int pktype = lu->sig;

        if (pktype == NID_id_GostR3410_2001
            || pktype == NID_id_GostR3410_2012_256
            || pktype == NID_id_GostR3410_2012_512)
            BUF_reverse(sig, NULL, siglen);
    }
#endif

    /* opaque signature<0..2^16-1> */
    if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /* Digest cached records and discard handshake buffer */
    if (!ssl3_digest_cached_records(s, 0)) {
        /* SSLfatal() already called */
        goto err;
    }

    OPENSSL_free(sig);
    EVP_MD_CTX_free(mctx);
    return CON_FUNC_SUCCESS;
err:
    OPENSSL_free(sig);
    EVP_MD_CTX_free(mctx);
    return CON_FUNC_ERROR;
}
    440      1.1  christos 
    441      1.1  christos MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt)
    442      1.1  christos {
    443      1.1  christos     EVP_PKEY *pkey = NULL;
    444      1.1  christos     const unsigned char *data;
    445      1.1  christos #ifndef OPENSSL_NO_GOST
    446      1.1  christos     unsigned char *gost_data = NULL;
    447      1.1  christos #endif
    448      1.1  christos     MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
    449      1.1  christos     int j;
    450      1.1  christos     unsigned int len;
    451      1.1  christos     const EVP_MD *md = NULL;
    452      1.1  christos     size_t hdatalen = 0;
    453      1.1  christos     void *hdata;
    454      1.1  christos     unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
    455      1.1  christos     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    456      1.1  christos     EVP_PKEY_CTX *pctx = NULL;
    457      1.1  christos     SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
    458      1.1  christos 
    459      1.1  christos     if (mctx == NULL) {
    460      1.1  christos         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
    461      1.1  christos         goto err;
    462      1.1  christos     }
    463      1.1  christos 
    464      1.1  christos     pkey = tls_get_peer_pkey(s);
    465      1.1  christos     if (pkey == NULL) {
    466      1.1  christos         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    467      1.1  christos         goto err;
    468      1.1  christos     }
    469      1.1  christos 
    470      1.1  christos     if (ssl_cert_lookup_by_pkey(pkey, NULL, sctx) == NULL) {
    471      1.1  christos         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
    472  1.1.1.2  christos             SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
    473      1.1  christos         goto err;
    474      1.1  christos     }
    475      1.1  christos 
    476      1.1  christos     if (SSL_USE_SIGALGS(s)) {
    477      1.1  christos         unsigned int sigalg;
    478      1.1  christos 
    479      1.1  christos         if (!PACKET_get_net_2(pkt, &sigalg)) {
    480      1.1  christos             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
    481      1.1  christos             goto err;
    482      1.1  christos         }
    483      1.1  christos         if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
    484      1.1  christos             /* SSLfatal() already called */
    485      1.1  christos             goto err;
    486      1.1  christos         }
    487      1.1  christos     } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
    488  1.1.1.2  christos         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
    489  1.1.1.2  christos             SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);
    490  1.1.1.2  christos         goto err;
    491      1.1  christos     }
    492      1.1  christos 
    493      1.1  christos     if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) {
    494      1.1  christos         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    495      1.1  christos         goto err;
    496      1.1  christos     }
    497      1.1  christos 
    498      1.1  christos     if (SSL_USE_SIGALGS(s))
    499      1.1  christos         OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
    500  1.1.1.2  christos             md == NULL ? "n/a" : EVP_MD_get0_name(md));
    501      1.1  christos 
    502      1.1  christos     /* Check for broken implementations of GOST ciphersuites */
    503      1.1  christos     /*
    504      1.1  christos      * If key is GOST and len is exactly 64 or 128, it is signature without
    505      1.1  christos      * length field (CryptoPro implementations at least till TLS 1.2)
    506      1.1  christos      */
    507      1.1  christos #ifndef OPENSSL_NO_GOST
    508      1.1  christos     if (!SSL_USE_SIGALGS(s)
    509      1.1  christos         && ((PACKET_remaining(pkt) == 64
    510  1.1.1.2  christos                 && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
    511  1.1.1.2  christos                     || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
    512      1.1  christos             || (PACKET_remaining(pkt) == 128
    513      1.1  christos                 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
    514      1.1  christos         len = PACKET_remaining(pkt);
    515      1.1  christos     } else
    516      1.1  christos #endif
    517  1.1.1.2  christos         if (!PACKET_get_net_2(pkt, &len)) {
    518      1.1  christos         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
    519      1.1  christos         goto err;
    520      1.1  christos     }
    521      1.1  christos 
    522      1.1  christos     if (!PACKET_get_bytes(pkt, &data, len)) {
    523      1.1  christos         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
    524      1.1  christos         goto err;
    525      1.1  christos     }
    526      1.1  christos     if (PACKET_remaining(pkt) != 0) {
    527      1.1  christos         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
    528      1.1  christos         goto err;
    529      1.1  christos     }
    530      1.1  christos 
    531      1.1  christos     if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
    532      1.1  christos         /* SSLfatal() already called */
    533      1.1  christos         goto err;
    534      1.1  christos     }
    535      1.1  christos 
    536      1.1  christos     OSSL_TRACE1(TLS, "Using client verify alg %s\n",
    537  1.1.1.2  christos         md == NULL ? "n/a" : EVP_MD_get0_name(md));
    538      1.1  christos 
    539      1.1  christos     if (EVP_DigestVerifyInit_ex(mctx, &pctx,
    540  1.1.1.2  christos             md == NULL ? NULL : EVP_MD_get0_name(md),
    541  1.1.1.2  christos             sctx->libctx, sctx->propq, pkey,
    542  1.1.1.2  christos             NULL)
    543  1.1.1.2  christos         <= 0) {
    544      1.1  christos         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
    545      1.1  christos         goto err;
    546      1.1  christos     }
    547      1.1  christos #ifndef OPENSSL_NO_GOST
    548      1.1  christos     {
    549      1.1  christos         int pktype = EVP_PKEY_get_id(pkey);
    550      1.1  christos         if (pktype == NID_id_GostR3410_2001
    551      1.1  christos             || pktype == NID_id_GostR3410_2012_256
    552      1.1  christos             || pktype == NID_id_GostR3410_2012_512) {
    553      1.1  christos             if ((gost_data = OPENSSL_malloc(len)) == NULL)
    554      1.1  christos                 goto err;
    555      1.1  christos             BUF_reverse(gost_data, data, len);
    556      1.1  christos             data = gost_data;
    557      1.1  christos         }
    558      1.1  christos     }
    559      1.1  christos #endif
    560      1.1  christos 
    561      1.1  christos     if (SSL_USE_PSS(s)) {
    562      1.1  christos         if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
    563      1.1  christos             || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
    564  1.1.1.2  christos                    RSA_PSS_SALTLEN_DIGEST)
    565  1.1.1.2  christos                 <= 0) {
    566      1.1  christos             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
    567      1.1  christos             goto err;
    568      1.1  christos         }
    569      1.1  christos     }
    570      1.1  christos     if (s->version == SSL3_VERSION) {
    571      1.1  christos         if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
    572  1.1.1.2  christos             || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
    573  1.1.1.2  christos                    (int)s->session->master_key_length,
    574  1.1.1.2  christos                    s->session->master_key)
    575  1.1.1.2  christos                 <= 0) {
    576      1.1  christos             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
    577      1.1  christos             goto err;
    578      1.1  christos         }
    579      1.1  christos         if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
    580      1.1  christos             SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
    581      1.1  christos             goto err;
    582      1.1  christos         }
    583      1.1  christos     } else {
    584      1.1  christos         j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
    585      1.1  christos #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
    586      1.1  christos         /* Ignore bad signatures when fuzzing */
    587      1.1  christos         if (SSL_IS_QUIC_HANDSHAKE(s))
    588      1.1  christos             j = 1;
    589      1.1  christos #endif
    590      1.1  christos         if (j <= 0) {
    591      1.1  christos             SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
    592      1.1  christos             goto err;
    593      1.1  christos         }
    594      1.1  christos     }
    595      1.1  christos 
    596      1.1  christos     /*
    597      1.1  christos      * In TLSv1.3 on the client side we make sure we prepare the client
    598      1.1  christos      * certificate after the CertVerify instead of when we get the
    599      1.1  christos      * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
    600      1.1  christos      * comes *before* the Certificate message. In TLSv1.2 it comes after. We
    601      1.1  christos      * want to make sure that SSL_get1_peer_certificate() will return the actual
    602      1.1  christos      * server certificate from the client_cert_cb callback.
    603      1.1  christos      */
    604      1.1  christos     if (!s->server && SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
    605      1.1  christos         ret = MSG_PROCESS_CONTINUE_PROCESSING;
    606      1.1  christos     else
    607      1.1  christos         ret = MSG_PROCESS_CONTINUE_READING;
    608  1.1.1.2  christos err:
    609      1.1  christos     BIO_free(s->s3.handshake_buffer);
    610      1.1  christos     s->s3.handshake_buffer = NULL;
    611      1.1  christos     EVP_MD_CTX_free(mctx);
    612      1.1  christos #ifndef OPENSSL_NO_GOST
    613      1.1  christos     OPENSSL_free(gost_data);
    614      1.1  christos #endif
    615      1.1  christos     return ret;
    616      1.1  christos }
    617      1.1  christos 
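/*
 * Construct the Finished message for this connection into |pkt|.
 *
 * The Finished MAC is computed over the handshake transcript using the
 * finished label for our own role (server or client) and is stored in
 * s->s3.tmp.finish_md before being appended to |pkt|. A copy is kept in
 * s->s3.previous_{client,server}_finished so it is available for
 * renegotiation checks later on. For protocol versions below TLSv1.3 the
 * master secret is also passed to the key log, if logging is enabled.
 *
 * Returns CON_FUNC_SUCCESS on success, or CON_FUNC_ERROR on failure; in the
 * failure case SSLfatal() has already been called (either here or by the
 * callee that failed).
 */
CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
{
    size_t finish_md_len;
    const char *sender;
    size_t slen;
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);

    /* This is a real handshake so make sure we clean it up at the end */
    if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
        s->statem.cleanuphand = 1;

    /*
     * If we attempted to write early data or we're in middlebox compat mode
     * then we deferred changing the handshake write keys to the last possible
     * moment. If we didn't already do this when we sent the client certificate
     * then we need to do it now.
     */
    if (SSL_CONNECTION_IS_TLS13(s)
        && !s->server
        && !SSL_IS_QUIC_HANDSHAKE(s)
        && (s->early_data_state != SSL_EARLY_DATA_NONE
            || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
        && s->s3.tmp.cert_req == 0
        && !ssl->method->ssl3_enc->change_cipher_state(s,
            SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
        /* SSLfatal() already called */
        return CON_FUNC_ERROR;
    }

    /* Select the finished label for our own role */
    if (s->server) {
        sender = ssl->method->ssl3_enc->server_finished_label;
        slen = ssl->method->ssl3_enc->server_finished_label_len;
    } else {
        sender = ssl->method->ssl3_enc->client_finished_label;
        slen = ssl->method->ssl3_enc->client_finished_label_len;
    }

    /* A zero length signals that the MAC could not be computed */
    finish_md_len = ssl->method->ssl3_enc->final_finish_mac(s,
        sender, slen,
        s->s3.tmp.finish_md);
    if (finish_md_len == 0) {
        /* SSLfatal() already called */
        return CON_FUNC_ERROR;
    }

    s->s3.tmp.finish_md_len = finish_md_len;

    if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return CON_FUNC_ERROR;
    }

    /*
     * Log the master secret, if logging is enabled. We don't log it for
     * TLSv1.3: there's a different key schedule for that.
     */
    if (!SSL_CONNECTION_IS_TLS13(s)
        && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key,
            s->session->master_key_length)) {
        /* SSLfatal() already called */
        return CON_FUNC_ERROR;
    }

    /*
     * Copy the finished so we can use it for renegotiation checks. The
     * assertion bounds the memcpy into the previous_*_finished buffers.
     */
    if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return CON_FUNC_ERROR;
    }
    if (!s->server) {
        memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
            finish_md_len);
        s->s3.previous_client_finished_len = finish_md_len;
    } else {
        memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
            finish_md_len);
        s->s3.previous_server_finished_len = finish_md_len;
    }

    return CON_FUNC_SUCCESS;
}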
    701      1.1  christos 
/*
 * Construct a KeyUpdate message into |pkt|.
 *
 * The body is a single byte carrying the request type currently pending in
 * s->key_update. Once the byte has been written the pending request is
 * reset to SSL_KEY_UPDATE_NONE so it is not sent a second time.
 *
 * Returns CON_FUNC_SUCCESS on success, or CON_FUNC_ERROR (after calling
 * SSLfatal()) if the byte could not be appended to |pkt|.
 */
CON_FUNC_RETURN tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt)
{
    int written = WPACKET_put_bytes_u8(pkt, s->key_update);

    if (written) {
        /* The request has gone out; nothing further is pending */
        s->key_update = SSL_KEY_UPDATE_NONE;
        return CON_FUNC_SUCCESS;
    }

    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return CON_FUNC_ERROR;
}
    712      1.1  christos 
/*
 * Process a received KeyUpdate message.
 *
 * The message must end on a record boundary (it signals a key change) and
 * its body must be exactly one byte holding a defined request_update value.
 * If the peer requested that we update our sending keys as well, a
 * non-requesting KeyUpdate of our own is scheduled via s->key_update. Our
 * receiving keys are then updated with tls13_update_key().
 *
 * Returns MSG_PROCESS_FINISHED_READING on success, or MSG_PROCESS_ERROR
 * after SSLfatal() has been called.
 */
MSG_PROCESS_RETURN tls_process_key_update(SSL_CONNECTION *s, PACKET *pkt)
{
    unsigned int updatetype;
    int well_formed;

    /* A key change must not be followed by more data in the same record */
    if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
        return MSG_PROCESS_ERROR;
    }

    /* The body is exactly one byte: the request_update value */
    well_formed = PACKET_get_1(pkt, &updatetype)
        && PACKET_remaining(pkt) == 0;
    if (!well_formed) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
        return MSG_PROCESS_ERROR;
    }

    switch (updatetype) {
    case SSL_KEY_UPDATE_REQUESTED:
        /*
         * The peer wants us to update our sending keys too, so we have to
         * send a KeyUpdate of our own. That message must not request an
         * update in return, otherwise the two sides would loop forever.
         */
        s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
        break;
    case SSL_KEY_UPDATE_NOT_REQUESTED:
        break;
    default:
        /* Only two request_update values are defined; anything else is fatal */
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
        return MSG_PROCESS_ERROR;
    }

    /* NOTE(review): the 0 presumably selects the read direction - confirm */
    if (!tls13_update_key(s, 0)) {
        /* SSLfatal() already called */
        return MSG_PROCESS_ERROR;
    }

    return MSG_PROCESS_FINISHED_READING;
}
    757      1.1  christos 
/*
 * ssl3_take_mac computes the Finished MAC for the handshake messages seen so
 * far and stores it in s->s3.tmp.peer_finish_md / peer_finish_md_len.
 *
 * The label used is the one for the *peer's* role: a client computes with
 * the server label and a server with the client label, because this value
 * is what the peer's Finished message is later compared against.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() already called).
 */
int ssl3_take_mac(SSL_CONNECTION *s)
{
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
    const char *peer_label;
    size_t peer_label_len;

    if (s->server) {
        peer_label = ssl->method->ssl3_enc->client_finished_label;
        peer_label_len = ssl->method->ssl3_enc->client_finished_label_len;
    } else {
        peer_label = ssl->method->ssl3_enc->server_finished_label;
        peer_label_len = ssl->method->ssl3_enc->server_finished_label_len;
    }

    s->s3.tmp.peer_finish_md_len = ssl->method->ssl3_enc->final_finish_mac(s,
        peer_label, peer_label_len, s->s3.tmp.peer_finish_md);

    /* A zero length means the MAC could not be computed */
    return s->s3.tmp.peer_finish_md_len != 0;
}
    786      1.1  christos 
/*
 * Process a received ChangeCipherSpec message.
 *
 * The CCS byte itself has already been consumed by ssl_get_message(), so
 * the remaining packet length is checked against what the protocol variant
 * leaves behind: nothing for TLS, DTLS1_CCS_HEADER_LENGTH - 1 bytes for
 * DTLS, and DTLS1_CCS_HEADER_LENGTH + 1 bytes for DTLS1_BAD_VER, which
 * carries two extra bytes. A CCS is only acceptable once a new cipher has
 * been negotiated (s->s3.tmp.new_cipher), after which the pending cipher
 * state is activated with ssl3_do_change_cipher_spec().
 *
 * Returns MSG_PROCESS_CONTINUE_READING on success, or MSG_PROCESS_ERROR
 * after SSLfatal() has been called.
 */
MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL_CONNECTION *s,
    PACKET *pkt)
{
    size_t remain = PACKET_remaining(pkt);
    size_t expected = 0;

    if (SSL_CONNECTION_IS_DTLS(s))
        expected = (s->version == DTLS1_BAD_VER)
            ? DTLS1_CCS_HEADER_LENGTH + 1
            : DTLS1_CCS_HEADER_LENGTH - 1;

    if (remain != expected) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
        return MSG_PROCESS_ERROR;
    }

    /* A CCS before a cipher has been agreed is a protocol violation */
    if (s->s3.tmp.new_cipher == NULL) {
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
        return MSG_PROCESS_ERROR;
    }

    s->s3.change_cipher_spec = 1;
    if (!ssl3_do_change_cipher_spec(s)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return MSG_PROCESS_ERROR;
    }

    if (SSL_CONNECTION_IS_DTLS(s)) {
        if (s->version == DTLS1_BAD_VER)
            s->d1->handshake_read_seq++;

#ifndef OPENSSL_NO_SCTP
        /*
         * Remember that a CCS has been received, so that an old key of
         * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
         * SCTP is used
         */
        BIO_ctrl(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)),
            BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
#endif
    }

    return MSG_PROCESS_CONTINUE_READING;
}
    842      1.1  christos 
/*
 * Server-side TLSv1.3 work after a verified Finished: switch to the
 * application read keys. Skipped when this Finished completes a
 * post-handshake authentication exchange.
 *
 * Returns non-zero on success, 0 on failure (SSLfatal() already called).
 */
static int finished_post_tls13_server(SSL_CONNECTION *s, SSL *ssl)
{
    if (s->post_handshake_auth == SSL_PHA_REQUESTED)
        return 1;

    return ssl->method->ssl3_enc->change_cipher_state(s,
        SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ);
}

/*
 * Client-side TLSv1.3 work after a verified Finished: derive the master
 * secret, record the server Finished hash, set up the application read keys
 * (non-QUIC only) and finish processing the server's first flight.
 *
 * Returns non-zero on success, 0 on failure (SSLfatal() already called).
 */
static int finished_post_tls13_client(SSL_CONNECTION *s, SSL *ssl)
{
    /* TLS 1.3 gets the secret size from the handshake md */
    size_t dummy;

    if (!ssl->method->ssl3_enc->generate_master_secret(s,
            s->master_secret, s->handshake_secret, 0,
            &dummy))
        return 0;
    if (!tls13_store_server_finished_hash(s))
        return 0;

    /*
     * For non-QUIC we set up the client's app data read keys now, so
     * that we can go straight into reading 0.5RTT data from the server.
     * For QUIC we don't do that, and instead defer setting up the keys
     * until after we have set up the write keys in order to ensure that
     * write keys are always set up before read keys (so that if we read
     * a message we have the correct keys in place to ack it)
     */
    if (!SSL_IS_QUIC_HANDSHAKE(s)
        && !ssl->method->ssl3_enc->change_cipher_state(s,
            SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ))
        return 0;

    return tls_process_initial_server_flight(s);
}

/*
 * Process a received Finished message.
 *
 * The message body must have exactly the length of the expected MAC computed
 * earlier by ssl3_take_mac() (s->s3.tmp.peer_finish_md) and is compared
 * against it in constant time with CRYPTO_memcmp(). Before TLSv1.3 a
 * ChangeCipherSpec must already have been seen; in TLSv1.3 the message must
 * end on a record boundary because it signals a key change. On success the
 * verified MAC is saved for renegotiation checks and, for TLSv1.3, the
 * cipher state is advanced for our role.
 *
 * Returns MSG_PROCESS_FINISHED_READING on success, or MSG_PROCESS_ERROR
 * after SSLfatal() has been called.
 */
MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt)
{
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
    int was_first = SSL_IS_FIRST_HANDSHAKE(s);
    size_t md_len;
    int mismatch;

    /* This is a real handshake so make sure we clean it up at the end */
    if (s->server) {
        /*
         * To get this far we must have read encrypted data from the client. We
         * no longer tolerate unencrypted alerts. This is ignored if less than
         * TLSv1.3
         */
        if (s->rlayer.rrlmethod->set_plain_alerts != NULL)
            s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0);
        if (s->post_handshake_auth != SSL_PHA_REQUESTED)
            s->statem.cleanuphand = 1;
        if (SSL_CONNECTION_IS_TLS13(s)
            && !tls13_save_handshake_digest_for_pha(s)) {
            /* SSLfatal() already called */
            return MSG_PROCESS_ERROR;
        }
    }

    /*
     * In TLSv1.3 a Finished message signals a key change so the end of the
     * message must be on a record boundary.
     */
    if (SSL_CONNECTION_IS_TLS13(s)
        && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
        return MSG_PROCESS_ERROR;
    }

    /* If this occurs, we have missed a message */
    if (!SSL_CONNECTION_IS_TLS13(s) && !s->s3.change_cipher_spec) {
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
        return MSG_PROCESS_ERROR;
    }
    s->s3.change_cipher_spec = 0;

    /* Length check first, so the comparison below reads exactly md_len bytes */
    md_len = s->s3.tmp.peer_finish_md_len;
    if (PACKET_remaining(pkt) != md_len) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
        return MSG_PROCESS_ERROR;
    }

    mismatch = CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
        md_len);
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
    if (mismatch != 0
        && (PACKET_data(pkt)[0] ^ s->s3.tmp.peer_finish_md[0]) != 0xFF)
        mismatch = 0;
#endif
    if (mismatch != 0) {
        SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
        return MSG_PROCESS_ERROR;
    }

    /*
     * Copy the finished so we can use it for renegotiation checks. The
     * assertion bounds the memcpy into the previous_*_finished buffers.
     */
    if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return MSG_PROCESS_ERROR;
    }
    if (s->server) {
        memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
            md_len);
        s->s3.previous_client_finished_len = md_len;
    } else {
        memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
            md_len);
        s->s3.previous_server_finished_len = md_len;
    }

    /*
     * In TLS1.3 we also have to change cipher state and do any final processing
     * of the initial server flight (if we are a client)
     */
    if (SSL_CONNECTION_IS_TLS13(s)) {
        int ok = s->server ? finished_post_tls13_server(s, ssl)
                           : finished_post_tls13_client(s, ssl);

        if (!ok) {
            /* SSLfatal() already called */
            return MSG_PROCESS_ERROR;
        }
    }

    /* Tell the record layer once the first handshake has just completed */
    if (was_first
        && !SSL_IS_FIRST_HANDSHAKE(s)
        && s->rlayer.rrlmethod->set_first_handshake != NULL)
        s->rlayer.rrlmethod->set_first_handshake(s->rlayer.rrl, 0);

    return MSG_PROCESS_FINISHED_READING;
}
    975      1.1  christos 
/*
 * Construct a ChangeCipherSpec message into |pkt|. The body is the single
 * byte SSL3_MT_CCS.
 *
 * Returns CON_FUNC_SUCCESS on success, or CON_FUNC_ERROR (after calling
 * SSLfatal()) if the byte could not be appended.
 */
CON_FUNC_RETURN tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt)
{
    if (WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS))
        return CON_FUNC_SUCCESS;

    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return CON_FUNC_ERROR;
}
    985      1.1  christos 
/*
 * Add a certificate to the WPACKET.
 *
 * |x| is DER-encoded into a sub-packet reserved with
 * WPACKET_sub_allocate_bytes_u24(); a two-pass i2d_X509() call measures the
 * encoding and then fills exactly that many bytes. For TLSv1.3, or when
 * |for_comp| is set, the per-certificate extensions are appended via
 * tls_construct_extensions(); |chain| is passed through to it (the caller
 * supplies the certificate's index within the chain).
 *
 * When |for_comp| is set the SSL_EXT_TLS1_3_CERTIFICATE_COMPRESSION context
 * bit is added and the encoding failures in this function do not call
 * SSLfatal(); they are reported only through the return value.
 *
 * Returns 1 on success, 0 on failure.
 */
static int ssl_add_cert_to_wpacket(SSL_CONNECTION *s, WPACKET *pkt,
    X509 *x, int chain, int for_comp)
{
    unsigned char *der_out;
    int der_len;
    int context = SSL_EXT_TLS1_3_CERTIFICATE
        | (for_comp ? SSL_EXT_TLS1_3_CERTIFICATE_COMPRESSION : 0);

    /* First pass: measure the DER encoding */
    der_len = i2d_X509(x, NULL);
    if (der_len < 0) {
        if (!for_comp)
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
        return 0;
    }

    /* Second pass: reserve exactly der_len bytes and encode into them */
    if (!WPACKET_sub_allocate_bytes_u24(pkt, der_len, &der_out)
        || i2d_X509(x, &der_out) != der_len) {
        if (!for_comp)
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /* Pre-TLSv1.3 Certificate messages carry no per-certificate extensions */
    if (!SSL_CONNECTION_IS_TLS13(s) && !for_comp)
        return 1;

    if (!tls_construct_extensions(s, pkt, context, x, chain)) {
        /* SSLfatal() already called */
        return 0;
    }

    return 1;
}
   1018      1.1  christos 
   1019      1.1  christos /* Add certificate chain to provided WPACKET */
   1020      1.1  christos static int ssl_add_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, CERT_PKEY *cpk, int for_comp)
   1021      1.1  christos {
   1022      1.1  christos     int i, chain_count;
   1023      1.1  christos     X509 *x;
   1024      1.1  christos     STACK_OF(X509) *extra_certs;
   1025      1.1  christos     STACK_OF(X509) *chain = NULL;
   1026      1.1  christos     X509_STORE *chain_store;
   1027      1.1  christos     SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
   1028      1.1  christos 
   1029      1.1  christos     if (cpk == NULL || cpk->x509 == NULL)
   1030      1.1  christos         return 1;
   1031      1.1  christos 
   1032      1.1  christos     x = cpk->x509;
   1033      1.1  christos 
   1034      1.1  christos     /*
   1035      1.1  christos      * If we have a certificate specific chain use it, else use parent ctx.
   1036      1.1  christos      */
   1037      1.1  christos     if (cpk->chain != NULL)
   1038      1.1  christos         extra_certs = cpk->chain;
   1039      1.1  christos     else
   1040      1.1  christos         extra_certs = sctx->extra_certs;
   1041      1.1  christos 
   1042      1.1  christos     if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
   1043      1.1  christos         chain_store = NULL;
   1044      1.1  christos     else if (s->cert->chain_store)
   1045      1.1  christos         chain_store = s->cert->chain_store;
   1046      1.1  christos     else
   1047      1.1  christos         chain_store = sctx->cert_store;
   1048      1.1  christos 
   1049      1.1  christos     if (chain_store != NULL) {
   1050      1.1  christos         X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(sctx->libctx,
   1051  1.1.1.2  christos             sctx->propq);
   1052      1.1  christos 
   1053      1.1  christos         if (xs_ctx == NULL) {
   1054      1.1  christos             if (!for_comp)
   1055      1.1  christos                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
   1056      1.1  christos             return 0;
   1057      1.1  christos         }
   1058      1.1  christos         if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
   1059      1.1  christos             X509_STORE_CTX_free(xs_ctx);
   1060      1.1  christos             if (!for_comp)
   1061      1.1  christos                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
   1062      1.1  christos             return 0;
   1063      1.1  christos         }
   1064      1.1  christos         /*
   1065      1.1  christos          * It is valid for the chain not to be complete (because normally we
   1066      1.1  christos          * don't include the root cert in the chain). Therefore we deliberately
   1067      1.1  christos          * ignore the error return from this call. We're not actually verifying
   1068      1.1  christos          * the cert - we're just building as much of the chain as we can
   1069      1.1  christos          */
   1070      1.1  christos         (void)X509_verify_cert(xs_ctx);
   1071      1.1  christos         /* Don't leave errors in the queue */
   1072      1.1  christos         ERR_clear_error();
   1073      1.1  christos         chain = X509_STORE_CTX_get0_chain(xs_ctx);
   1074      1.1  christos         i = ssl_security_cert_chain(s, chain, NULL, 0);
   1075      1.1  christos         if (i != 1) {
   1076      1.1  christos #if 0
   1077      1.1  christos             /* Dummy error calls so mkerr generates them */
   1078      1.1  christos             ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
   1079      1.1  christos             ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
   1080      1.1  christos             ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
   1081      1.1  christos #endif
   1082      1.1  christos             X509_STORE_CTX_free(xs_ctx);
   1083      1.1  christos             if (!for_comp)
   1084      1.1  christos                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
   1085      1.1  christos             return 0;
   1086      1.1  christos         }
   1087      1.1  christos         chain_count = sk_X509_num(chain);
   1088      1.1  christos         for (i = 0; i < chain_count; i++) {
   1089      1.1  christos             x = sk_X509_value(chain, i);
   1090      1.1  christos 
   1091      1.1  christos             if (!ssl_add_cert_to_wpacket(s, pkt, x, i, for_comp)) {
   1092      1.1  christos                 /* SSLfatal() already called */
   1093      1.1  christos                 X509_STORE_CTX_free(xs_ctx);
   1094      1.1  christos                 return 0;
   1095      1.1  christos             }
   1096      1.1  christos         }
   1097      1.1  christos         X509_STORE_CTX_free(xs_ctx);
   1098      1.1  christos     } else {
   1099      1.1  christos         i = ssl_security_cert_chain(s, extra_certs, x, 0);
   1100      1.1  christos         if (i != 1) {
   1101      1.1  christos             if (!for_comp)
   1102      1.1  christos                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
   1103      1.1  christos             return 0;
   1104      1.1  christos         }
   1105      1.1  christos         if (!ssl_add_cert_to_wpacket(s, pkt, x, 0, for_comp)) {
   1106      1.1  christos             /* SSLfatal() already called */
   1107      1.1  christos             return 0;
   1108      1.1  christos         }
   1109      1.1  christos         for (i = 0; i < sk_X509_num(extra_certs); i++) {
   1110      1.1  christos             x = sk_X509_value(extra_certs, i);
   1111      1.1  christos             if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1, for_comp)) {
   1112      1.1  christos                 /* SSLfatal() already called */
   1113      1.1  christos                 return 0;
   1114      1.1  christos             }
   1115      1.1  christos         }
   1116      1.1  christos     }
   1117      1.1  christos     return 1;
   1118      1.1  christos }
   1119      1.1  christos 
   1120  1.1.1.2  christos EVP_PKEY *tls_get_peer_pkey(const SSL_CONNECTION *sc)
   1121      1.1  christos {
   1122      1.1  christos     if (sc->session->peer_rpk != NULL)
   1123      1.1  christos         return sc->session->peer_rpk;
   1124      1.1  christos     if (sc->session->peer != NULL)
   1125      1.1  christos         return X509_get0_pubkey(sc->session->peer);
   1126      1.1  christos     return NULL;
   1127      1.1  christos }
   1128      1.1  christos 
   1129      1.1  christos int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk)
   1130      1.1  christos {
   1131      1.1  christos     EVP_PKEY *pkey = NULL;
   1132      1.1  christos     int ret = 0;
   1133      1.1  christos     RAW_EXTENSION *rawexts = NULL;
   1134      1.1  christos     PACKET extensions;
   1135      1.1  christos     PACKET context;
   1136      1.1  christos     unsigned long cert_len = 0, spki_len = 0;
   1137      1.1  christos     const unsigned char *spki, *spkistart;
   1138      1.1  christos     SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(sc);
   1139      1.1  christos 
   1140      1.1  christos     /*-
   1141      1.1  christos      * ----------------------------
   1142      1.1  christos      * TLS 1.3 Certificate message:
   1143      1.1  christos      * ----------------------------
   1144      1.1  christos      * https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2
   1145      1.1  christos      *
   1146      1.1  christos      *   enum {
   1147      1.1  christos      *       X509(0),
   1148      1.1  christos      *       RawPublicKey(2),
   1149      1.1  christos      *       (255)
   1150      1.1  christos      *   } CertificateType;
   1151      1.1  christos      *
   1152      1.1  christos      *   struct {
   1153      1.1  christos      *       select (certificate_type) {
   1154      1.1  christos      *           case RawPublicKey:
   1155      1.1  christos      *             // From RFC 7250 ASN.1_subjectPublicKeyInfo
   1156      1.1  christos      *             opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
   1157      1.1  christos      *
   1158      1.1  christos      *           case X509:
   1159      1.1  christos      *             opaque cert_data<1..2^24-1>;
   1160      1.1  christos      *       };
   1161      1.1  christos      *       Extension extensions<0..2^16-1>;
   1162      1.1  christos      *   } CertificateEntry;
   1163      1.1  christos      *
   1164      1.1  christos      *   struct {
   1165      1.1  christos      *       opaque certificate_request_context<0..2^8-1>;
   1166      1.1  christos      *       CertificateEntry certificate_list<0..2^24-1>;
   1167      1.1  christos      *   } Certificate;
   1168      1.1  christos      *
   1169      1.1  christos      * The client MUST send a Certificate message if and only if the server
   1170      1.1  christos      * has requested client authentication via a CertificateRequest message
   1171      1.1  christos      * (Section 4.3.2).  If the server requests client authentication but no
   1172      1.1  christos      * suitable certificate is available, the client MUST send a Certificate
   1173      1.1  christos      * message containing no certificates (i.e., with the "certificate_list"
   1174      1.1  christos      * field having length 0).
   1175      1.1  christos      *
   1176      1.1  christos      * ----------------------------
   1177      1.1  christos      * TLS 1.2 Certificate message:
   1178      1.1  christos      * ----------------------------
   1179      1.1  christos      * https://datatracker.ietf.org/doc/html/rfc7250#section-3
   1180      1.1  christos      *
   1181      1.1  christos      *   opaque ASN.1Cert<1..2^24-1>;
   1182      1.1  christos      *
   1183      1.1  christos      *   struct {
   1184      1.1  christos      *       select(certificate_type){
   1185      1.1  christos      *
   1186      1.1  christos      *            // certificate type defined in this document.
   1187      1.1  christos      *            case RawPublicKey:
   1188      1.1  christos      *              opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
   1189      1.1  christos      *
   1190      1.1  christos      *           // X.509 certificate defined in RFC 5246
   1191      1.1  christos      *           case X.509:
   1192      1.1  christos      *             ASN.1Cert certificate_list<0..2^24-1>;
   1193      1.1  christos      *
   1194      1.1  christos      *           // Additional certificate type based on
   1195      1.1  christos      *           // "TLS Certificate Types" subregistry
   1196      1.1  christos      *       };
   1197      1.1  christos      *   } Certificate;
   1198      1.1  christos      *
   1199      1.1  christos      * -------------
   1200      1.1  christos      * Consequently:
   1201      1.1  christos      * -------------
   1202      1.1  christos      * After the (TLS 1.3 only) context octet string (1 byte length + data) the
   1203      1.1  christos      * Certificate message has a 3-byte length that is zero in the client to
   1204      1.1  christos      * server message when the client has no RPK to send.  In that case, there
   1205      1.1  christos      * are no (TLS 1.3 only) per-certificate extensions either, because the
   1206      1.1  christos      * [CertificateEntry] list is empty.
   1207      1.1  christos      *
   1208      1.1  christos      * In the server to client direction, or when the client had an RPK to send,
   1209      1.1  christos      * the TLS 1.3 message just prepends the length of the RPK+extensions,
   1210      1.1  christos      * while TLS <= 1.2 sends just the RPK (octet-string).
   1211      1.1  christos      *
   1212      1.1  christos      * The context must be zero-length in the server to client direction, and
   1213      1.1  christos      * must match the value recorded in the certificate request in the client
   1214      1.1  christos      * to server direction.
   1215      1.1  christos      */
   1216      1.1  christos     if (SSL_CONNECTION_IS_TLS13(sc)) {
   1217      1.1  christos         if (!PACKET_get_length_prefixed_1(pkt, &context)) {
   1218      1.1  christos             SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
   1219      1.1  christos             goto err;
   1220      1.1  christos         }
   1221      1.1  christos         if (sc->server) {
   1222      1.1  christos             if (sc->pha_context == NULL) {
   1223      1.1  christos                 if (PACKET_remaining(&context) != 0) {
   1224      1.1  christos                     SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
   1225      1.1  christos                     goto err;
   1226      1.1  christos                 }
   1227      1.1  christos             } else {
   1228      1.1  christos                 if (!PACKET_equal(&context, sc->pha_context, sc->pha_context_len)) {
   1229      1.1  christos                     SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
   1230      1.1  christos                     goto err;
   1231      1.1  christos                 }
   1232      1.1  christos             }
   1233      1.1  christos         } else {
   1234      1.1  christos             if (PACKET_remaining(&context) != 0) {
   1235      1.1  christos                 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
   1236      1.1  christos                 goto err;
   1237      1.1  christos             }
   1238      1.1  christos         }
   1239      1.1  christos     }
   1240      1.1  christos 
   1241      1.1  christos     if (!PACKET_get_net_3(pkt, &cert_len)
   1242      1.1  christos         || PACKET_remaining(pkt) != cert_len) {
   1243      1.1  christos         SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
   1244      1.1  christos         goto err;
   1245      1.1  christos     }
   1246      1.1  christos 
   1247      1.1  christos     /*
   1248      1.1  christos      * The list length may be zero when there is no RPK.  In the case of TLS
   1249      1.1  christos      * 1.2 this is actually the RPK length, which cannot be zero as specified,
   1250      1.1  christos      * but that breaks the ability of the client to decline client auth. We
   1251      1.1  christos      * overload the 0 RPK length to mean "no RPK".  This interpretation is
   1252      1.1  christos      * also used some other (reference?) implementations, but is not supported
   1253      1.1  christos      * by the verbatim RFC7250 text.
   1254      1.1  christos      */
   1255      1.1  christos     if (cert_len == 0)
   1256      1.1  christos         return 1;
   1257      1.1  christos 
   1258      1.1  christos     if (SSL_CONNECTION_IS_TLS13(sc)) {
   1259      1.1  christos         /*
   1260      1.1  christos          * With TLS 1.3, a non-empty explicit-length RPK octet-string followed
   1261      1.1  christos          * by a possibly empty extension block.
   1262      1.1  christos          */
   1263      1.1  christos         if (!PACKET_get_net_3(pkt, &spki_len)) {
   1264      1.1  christos             SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
   1265      1.1  christos             goto err;
   1266      1.1  christos         }
   1267      1.1  christos         if (spki_len == 0) {
   1268      1.1  christos             /* empty RPK */
   1269      1.1  christos             SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_EMPTY_RAW_PUBLIC_KEY);
   1270      1.1  christos             goto err;
   1271      1.1  christos         }
   1272      1.1  christos     } else {
   1273      1.1  christos         spki_len = cert_len;
   1274      1.1  christos     }
   1275      1.1  christos 
   1276      1.1  christos     if (!PACKET_get_bytes(pkt, &spki, spki_len)) {
   1277      1.1  christos         SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
   1278      1.1  christos         goto err;
   1279      1.1  christos     }
   1280      1.1  christos     spkistart = spki;
   1281      1.1  christos     if ((pkey = d2i_PUBKEY_ex(NULL, &spki, spki_len, sctx->libctx, sctx->propq)) == NULL
   1282  1.1.1.2  christos         || spki != (spkistart + spki_len)) {
   1283      1.1  christos         SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
   1284      1.1  christos         goto err;
   1285      1.1  christos     }
   1286      1.1  christos     if (EVP_PKEY_missing_parameters(pkey)) {
   1287      1.1  christos         SSLfatal(sc, SSL_AD_INTERNAL_ERROR,
   1288  1.1.1.2  christos             SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
   1289      1.1  christos         goto err;
   1290      1.1  christos     }
   1291      1.1  christos 
   1292      1.1  christos     /* Process the Extensions block */
   1293      1.1  christos     if (SSL_CONNECTION_IS_TLS13(sc)) {
   1294      1.1  christos         if (PACKET_remaining(pkt) != (cert_len - 3 - spki_len)) {
   1295      1.1  christos             SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
   1296      1.1  christos             goto err;
   1297      1.1  christos         }
   1298      1.1  christos         if (!PACKET_as_length_prefixed_2(pkt, &extensions)
   1299  1.1.1.2  christos             || PACKET_remaining(pkt) != 0) {
   1300      1.1  christos             SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
   1301      1.1  christos             goto err;
   1302      1.1  christos         }
   1303      1.1  christos         if (!tls_collect_extensions(sc, &extensions, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY,
   1304  1.1.1.2  christos                 &rawexts, NULL, 1)) {
   1305      1.1  christos             /* SSLfatal already called */
   1306      1.1  christos             goto err;
   1307      1.1  christos         }
   1308      1.1  christos         /* chain index is always zero and fin always 1 for RPK */
   1309      1.1  christos         if (!tls_parse_all_extensions(sc, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY,
   1310  1.1.1.2  christos                 rawexts, NULL, 0, 1)) {
   1311      1.1  christos             /* SSLfatal already called */
   1312      1.1  christos             goto err;
   1313      1.1  christos         }
   1314      1.1  christos     }
   1315      1.1  christos     ret = 1;
   1316      1.1  christos     if (peer_rpk != NULL) {
   1317      1.1  christos         *peer_rpk = pkey;
   1318      1.1  christos         pkey = NULL;
   1319      1.1  christos     }
   1320      1.1  christos 
   1321  1.1.1.2  christos err:
   1322      1.1  christos     OPENSSL_free(rawexts);
   1323      1.1  christos     EVP_PKEY_free(pkey);
   1324      1.1  christos     return ret;
   1325      1.1  christos }
   1326      1.1  christos 
   1327      1.1  christos unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk)
   1328      1.1  christos {
   1329      1.1  christos     int pdata_len = 0;
   1330      1.1  christos     unsigned char *pdata = NULL;
   1331      1.1  christos     X509_PUBKEY *xpk = NULL;
   1332      1.1  christos     unsigned long ret = 0;
   1333      1.1  christos     X509 *x509 = NULL;
   1334      1.1  christos 
   1335      1.1  christos     if (cpk != NULL && cpk->x509 != NULL) {
   1336      1.1  christos         x509 = cpk->x509;
   1337      1.1  christos         /* Get the RPK from the certificate */
   1338      1.1  christos         xpk = X509_get_X509_PUBKEY(cpk->x509);
   1339      1.1  christos         if (xpk == NULL) {
   1340      1.1  christos             SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
   1341      1.1  christos             goto err;
   1342      1.1  christos         }
   1343      1.1  christos         pdata_len = i2d_X509_PUBKEY(xpk, &pdata);
   1344      1.1  christos     } else if (cpk != NULL && cpk->privatekey != NULL) {
   1345      1.1  christos         /* Get the RPK from the private key */
   1346      1.1  christos         pdata_len = i2d_PUBKEY(cpk->privatekey, &pdata);
   1347      1.1  christos     } else {
   1348      1.1  christos         /* The server RPK is not optional */
   1349      1.1  christos         if (sc->server) {
   1350      1.1  christos             SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
   1351      1.1  christos             goto err;
   1352      1.1  christos         }
   1353      1.1  christos         /* The client can send a zero length certificate list */
   1354      1.1  christos         if (!WPACKET_sub_memcpy_u24(pkt, pdata, pdata_len)) {
   1355      1.1  christos             SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
   1356      1.1  christos             goto err;
   1357      1.1  christos         }
   1358      1.1  christos         return 1;
   1359      1.1  christos     }
   1360      1.1  christos 
   1361      1.1  christos     if (pdata_len <= 0) {
   1362      1.1  christos         SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
   1363      1.1  christos         goto err;
   1364      1.1  christos     }
   1365      1.1  christos 
   1366      1.1  christos     /*
   1367      1.1  christos      * TLSv1.2 is _just_ the raw public key
   1368      1.1  christos      * TLSv1.3 includes extensions, so there's a length wrapper
   1369      1.1  christos      */
   1370      1.1  christos     if (SSL_CONNECTION_IS_TLS13(sc)) {
   1371      1.1  christos         if (!WPACKET_start_sub_packet_u24(pkt)) {
   1372      1.1  christos             SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
   1373      1.1  christos             goto err;
   1374      1.1  christos         }
   1375      1.1  christos     }
   1376      1.1  christos 
   1377      1.1  christos     if (!WPACKET_sub_memcpy_u24(pkt, pdata, pdata_len)) {
   1378      1.1  christos         SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
   1379      1.1  christos         goto err;
   1380      1.1  christos     }
   1381      1.1  christos 
   1382      1.1  christos     if (SSL_CONNECTION_IS_TLS13(sc)) {
   1383      1.1  christos         /*
   1384      1.1  christos          * Only send extensions relevant to raw public keys. Until such
   1385      1.1  christos          * extensions are defined, this will be an empty set of extensions.
   1386      1.1  christos          * |x509| may be NULL, which raw public-key extensions need to handle.
   1387      1.1  christos          */
   1388      1.1  christos         if (!tls_construct_extensions(sc, pkt, SSL_EXT_TLS1_3_RAW_PUBLIC_KEY,
   1389  1.1.1.2  christos                 x509, 0)) {
   1390      1.1  christos             /* SSLfatal() already called */
   1391      1.1  christos             goto err;
   1392      1.1  christos         }
   1393      1.1  christos         if (!WPACKET_close(pkt)) {
   1394      1.1  christos             SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
   1395      1.1  christos             goto err;
   1396      1.1  christos         }
   1397      1.1  christos     }
   1398      1.1  christos 
   1399      1.1  christos     ret = 1;
   1400  1.1.1.2  christos err:
   1401      1.1  christos     OPENSSL_free(pdata);
   1402      1.1  christos     return ret;
   1403      1.1  christos }
   1404      1.1  christos 
   1405      1.1  christos unsigned long ssl3_output_cert_chain(SSL_CONNECTION *s, WPACKET *pkt,
   1406  1.1.1.2  christos     CERT_PKEY *cpk, int for_comp)
   1407      1.1  christos {
   1408      1.1  christos     if (!WPACKET_start_sub_packet_u24(pkt)) {
   1409      1.1  christos         if (!for_comp)
   1410      1.1  christos             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
   1411      1.1  christos         return 0;
   1412      1.1  christos     }
   1413      1.1  christos 
   1414      1.1  christos     if (!ssl_add_cert_chain(s, pkt, cpk, for_comp))
   1415      1.1  christos         return 0;
   1416      1.1  christos 
   1417      1.1  christos     if (!WPACKET_close(pkt)) {
   1418      1.1  christos         if (!for_comp)
   1419      1.1  christos             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
   1420      1.1  christos         return 0;
   1421      1.1  christos     }
   1422      1.1  christos 
   1423      1.1  christos     return 1;
   1424      1.1  christos }
   1425      1.1  christos 
   1426      1.1  christos /*
   1427      1.1  christos  * Tidy up after the end of a handshake. In the case of SCTP this may result
   1428      1.1  christos  * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
   1429      1.1  christos  * freed up as well.
   1430      1.1  christos  */
   1431      1.1  christos WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst,
   1432  1.1.1.2  christos     int clearbufs, int stop)
   1433      1.1  christos {
   1434  1.1.1.2  christos     void (*cb)(const SSL *ssl, int type, int val) = NULL;
   1435      1.1  christos     int cleanuphand = s->statem.cleanuphand;
   1436      1.1  christos     SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);
   1437      1.1  christos     SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
   1438      1.1  christos 
   1439      1.1  christos     if (clearbufs) {
   1440      1.1  christos         if (!SSL_CONNECTION_IS_DTLS(s)
   1441      1.1  christos #ifndef OPENSSL_NO_SCTP
   1442      1.1  christos             /*
   1443      1.1  christos              * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
   1444      1.1  christos              * messages that require it. Therefore, DTLS procedures for retransmissions
   1445      1.1  christos              * MUST NOT be used.
   1446      1.1  christos              * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
   1447      1.1  christos              */
   1448      1.1  christos             || BIO_dgram_is_sctp(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)))
   1449      1.1  christos #endif
   1450  1.1.1.2  christos         ) {
   1451      1.1  christos             /*
   1452      1.1  christos              * We don't do this in DTLS over UDP because we may still need the init_buf
   1453      1.1  christos              * in case there are any unexpected retransmits
   1454      1.1  christos              */
   1455      1.1  christos             BUF_MEM_free(s->init_buf);
   1456      1.1  christos             s->init_buf = NULL;
   1457      1.1  christos         }
   1458      1.1  christos 
   1459      1.1  christos         if (!ssl_free_wbio_buffer(s)) {
   1460      1.1  christos             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
   1461      1.1  christos             return WORK_ERROR;
   1462      1.1  christos         }
   1463      1.1  christos         s->init_num = 0;
   1464      1.1  christos     }
   1465      1.1  christos 
   1466      1.1  christos     if (SSL_CONNECTION_IS_TLS13(s) && !s->server
   1467  1.1.1.2  christos         && s->post_handshake_auth == SSL_PHA_REQUESTED)
   1468      1.1  christos         s->post_handshake_auth = SSL_PHA_EXT_SENT;
   1469      1.1  christos 
   1470      1.1  christos     /*
   1471      1.1  christos      * Only set if there was a Finished message and this isn't after a TLSv1.3
   1472      1.1  christos      * post handshake exchange
   1473      1.1  christos      */
   1474      1.1  christos     if (cleanuphand) {
   1475      1.1  christos         /* skipped if we just sent a HelloRequest */
   1476      1.1  christos         s->renegotiate = 0;
   1477      1.1  christos         s->new_session = 0;
   1478      1.1  christos         s->statem.cleanuphand = 0;
   1479      1.1  christos         s->ext.ticket_expected = 0;
   1480      1.1  christos 
   1481      1.1  christos         ssl3_cleanup_key_block(s);
   1482      1.1  christos 
   1483      1.1  christos         if (s->server) {
   1484      1.1  christos             /*
   1485      1.1  christos              * In TLSv1.3 we update the cache as part of constructing the
   1486      1.1  christos              * NewSessionTicket
   1487      1.1  christos              */
   1488      1.1  christos             if (!SSL_CONNECTION_IS_TLS13(s))
   1489      1.1  christos                 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
   1490      1.1  christos 
   1491      1.1  christos             /* N.B. s->ctx may not equal s->session_ctx */
   1492      1.1  christos             ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good);
   1493      1.1  christos             s->handshake_func = ossl_statem_accept;
   1494      1.1  christos         } else {
   1495      1.1  christos             if (SSL_CONNECTION_IS_TLS13(s)) {
   1496      1.1  christos                 /*
   1497      1.1  christos                  * We encourage applications to only use TLSv1.3 tickets once,
   1498      1.1  christos                  * so we remove this one from the cache.
   1499      1.1  christos                  */
   1500      1.1  christos                 if ((s->session_ctx->session_cache_mode
   1501  1.1.1.2  christos                         & SSL_SESS_CACHE_CLIENT)
   1502  1.1.1.2  christos                     != 0)
   1503      1.1  christos                     SSL_CTX_remove_session(s->session_ctx, s->session);
   1504      1.1  christos             } else {
   1505      1.1  christos                 /*
   1506      1.1  christos                  * In TLSv1.3 we update the cache as part of processing the
   1507      1.1  christos                  * NewSessionTicket
   1508      1.1  christos                  */
   1509      1.1  christos                 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
   1510      1.1  christos             }
   1511      1.1  christos             if (s->hit)
   1512      1.1  christos                 ssl_tsan_counter(s->session_ctx,
   1513  1.1.1.2  christos                     &s->session_ctx->stats.sess_hit);
   1514      1.1  christos 
   1515      1.1  christos             s->handshake_func = ossl_statem_connect;
   1516      1.1  christos             ssl_tsan_counter(s->session_ctx,
   1517  1.1.1.2  christos                 &s->session_ctx->stats.sess_connect_good);
   1518      1.1  christos         }
   1519      1.1  christos 
   1520      1.1  christos         if (SSL_CONNECTION_IS_DTLS(s)) {
   1521      1.1  christos             /* done with handshaking */
   1522      1.1  christos             s->d1->handshake_read_seq = 0;
   1523      1.1  christos             s->d1->handshake_write_seq = 0;
   1524      1.1  christos             s->d1->next_handshake_write_seq = 0;
   1525      1.1  christos             dtls1_clear_received_buffer(s);
   1526      1.1  christos         }
   1527      1.1  christos     }
   1528      1.1  christos 
   1529      1.1  christos     if (s->info_callback != NULL)
   1530      1.1  christos         cb = s->info_callback;
   1531      1.1  christos     else if (sctx->info_callback != NULL)
   1532      1.1  christos         cb = sctx->info_callback;
   1533      1.1  christos 
   1534      1.1  christos     /* The callback may expect us to not be in init at handshake done */
   1535      1.1  christos     ossl_statem_set_in_init(s, 0);
   1536      1.1  christos 
   1537      1.1  christos     if (cb != NULL) {
   1538      1.1  christos         if (cleanuphand
   1539  1.1.1.2  christos             || !SSL_CONNECTION_IS_TLS13(s)
   1540  1.1.1.2  christos             || SSL_IS_FIRST_HANDSHAKE(s))
   1541      1.1  christos             cb(ssl, SSL_CB_HANDSHAKE_DONE, 1);
   1542      1.1  christos     }
   1543      1.1  christos 
   1544      1.1  christos     if (!stop) {
   1545      1.1  christos         /* If we've got more work to do we go back into init */
   1546      1.1  christos         ossl_statem_set_in_init(s, 1);
   1547      1.1  christos         return WORK_FINISHED_CONTINUE;
   1548      1.1  christos     }
   1549      1.1  christos 
   1550      1.1  christos     return WORK_FINISHED_STOP;
   1551      1.1  christos }
   1552      1.1  christos 
   1553      1.1  christos int tls_get_message_header(SSL_CONNECTION *s, int *mt)
   1554      1.1  christos {
   1555      1.1  christos     /* s->init_num < SSL3_HM_HEADER_LENGTH */
   1556      1.1  christos     int skip_message, i;
   1557      1.1  christos     uint8_t recvd_type;
   1558      1.1  christos     unsigned char *p;
   1559      1.1  christos     size_t l, readbytes;
   1560      1.1  christos     SSL *ssl = SSL_CONNECTION_GET_SSL(s);
   1561      1.1  christos     SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
   1562      1.1  christos 
   1563      1.1  christos     p = (unsigned char *)s->init_buf->data;
   1564      1.1  christos 
   1565      1.1  christos     do {
   1566      1.1  christos         while (s->init_num < SSL3_HM_HEADER_LENGTH) {
   1567      1.1  christos             i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, &recvd_type,
   1568  1.1.1.2  christos                 &p[s->init_num],
   1569  1.1.1.2  christos                 SSL3_HM_HEADER_LENGTH - s->init_num,
   1570  1.1.1.2  christos                 0, &readbytes);
   1571      1.1  christos             if (i <= 0) {
   1572      1.1  christos                 s->rwstate = SSL_READING;
   1573      1.1  christos                 return 0;
   1574      1.1  christos             }
   1575      1.1  christos             if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
   1576      1.1  christos                 /*
   1577      1.1  christos                  * A ChangeCipherSpec must be a single byte and may not occur
   1578      1.1  christos                  * in the middle of a handshake message.
   1579      1.1  christos                  */
   1580      1.1  christos                 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
   1581      1.1  christos                     SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
   1582  1.1.1.2  christos                         SSL_R_BAD_CHANGE_CIPHER_SPEC);
   1583      1.1  christos                     return 0;
   1584      1.1  christos                 }
   1585      1.1  christos                 if (s->statem.hand_state == TLS_ST_BEFORE
   1586  1.1.1.2  christos                     && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
   1587      1.1  christos                     /*
   1588      1.1  christos                      * We are stateless and we received a CCS. Probably this is
   1589      1.1  christos                      * from a client between the first and second ClientHellos.
   1590      1.1  christos                      * We should ignore this, but return an error because we do
   1591      1.1  christos                      * not return success until we see the second ClientHello
   1592      1.1  christos                      * with a valid cookie.
   1593      1.1  christos                      */
   1594      1.1  christos                     return 0;
   1595      1.1  christos                 }
   1596      1.1  christos                 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
   1597      1.1  christos                 s->init_num = readbytes - 1;
   1598      1.1  christos                 s->init_msg = s->init_buf->data;
   1599      1.1  christos                 s->s3.tmp.message_size = readbytes;
   1600      1.1  christos                 return 1;
   1601      1.1  christos             } else if (recvd_type != SSL3_RT_HANDSHAKE) {
   1602      1.1  christos                 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
   1603  1.1.1.2  christos                     SSL_R_CCS_RECEIVED_EARLY);
   1604      1.1  christos                 return 0;
   1605      1.1  christos             }
   1606      1.1  christos             s->init_num += readbytes;
   1607      1.1  christos         }
   1608      1.1  christos 
   1609      1.1  christos         skip_message = 0;
   1610      1.1  christos         if (!s->server)
   1611      1.1  christos             if (s->statem.hand_state != TLS_ST_OK
   1612  1.1.1.2  christos                 && p[0] == SSL3_MT_HELLO_REQUEST)
   1613      1.1  christos                 /*
   1614      1.1  christos                  * The server may always send 'Hello Request' messages --
   1615      1.1  christos                  * we are doing a handshake anyway now, so ignore them if
   1616      1.1  christos                  * their format is correct. Does not count for 'Finished'
   1617      1.1  christos                  * MAC.
   1618      1.1  christos                  */
   1619      1.1  christos                 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
   1620      1.1  christos                     s->init_num = 0;
   1621      1.1  christos                     skip_message = 1;
   1622      1.1  christos 
   1623      1.1  christos                     if (s->msg_callback)
   1624      1.1  christos                         s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
   1625  1.1.1.2  christos                             p, SSL3_HM_HEADER_LENGTH, ussl,
   1626  1.1.1.2  christos                             s->msg_callback_arg);
   1627      1.1  christos                 }
   1628      1.1  christos     } while (skip_message);
   1629      1.1  christos     /* s->init_num == SSL3_HM_HEADER_LENGTH */
   1630      1.1  christos 
   1631      1.1  christos     *mt = *p;
   1632      1.1  christos     s->s3.tmp.message_type = *(p++);
   1633      1.1  christos 
   1634      1.1  christos     if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
   1635      1.1  christos         /*
   1636      1.1  christos          * Only happens with SSLv3+ in an SSLv2 backward compatible
   1637      1.1  christos          * ClientHello
   1638      1.1  christos          *
   1639      1.1  christos          * Total message size is the remaining record bytes to read
   1640      1.1  christos          * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
   1641      1.1  christos          */
   1642      1.1  christos         l = s->rlayer.tlsrecs[0].length + SSL3_HM_HEADER_LENGTH;
   1643      1.1  christos         s->s3.tmp.message_size = l;
   1644      1.1  christos 
   1645      1.1  christos         s->init_msg = s->init_buf->data;
   1646      1.1  christos         s->init_num = SSL3_HM_HEADER_LENGTH;
   1647      1.1  christos     } else {
   1648      1.1  christos         n2l3(p, l);
   1649      1.1  christos         /* BUF_MEM_grow takes an 'int' parameter */
   1650      1.1  christos         if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
   1651      1.1  christos             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
   1652  1.1.1.2  christos                 SSL_R_EXCESSIVE_MESSAGE_SIZE);
   1653      1.1  christos             return 0;
   1654      1.1  christos         }
   1655      1.1  christos         s->s3.tmp.message_size = l;
   1656      1.1  christos 
   1657      1.1  christos         s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
   1658      1.1  christos         s->init_num = 0;
   1659      1.1  christos     }
   1660      1.1  christos 
   1661      1.1  christos     return 1;
   1662      1.1  christos }
   1663      1.1  christos 
   1664      1.1  christos int tls_get_message_body(SSL_CONNECTION *s, size_t *len)
   1665      1.1  christos {
   1666      1.1  christos     size_t n, readbytes;
   1667      1.1  christos     unsigned char *p;
   1668      1.1  christos     int i;
   1669      1.1  christos     SSL *ssl = SSL_CONNECTION_GET_SSL(s);
   1670      1.1  christos     SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
   1671      1.1  christos 
   1672      1.1  christos     if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
   1673      1.1  christos         /* We've already read everything in */
   1674      1.1  christos         *len = (unsigned long)s->init_num;
   1675      1.1  christos         return 1;
   1676      1.1  christos     }
   1677      1.1  christos 
   1678      1.1  christos     p = s->init_msg;
   1679      1.1  christos     n = s->s3.tmp.message_size - s->init_num;
   1680      1.1  christos     while (n > 0) {
   1681      1.1  christos         i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL,
   1682  1.1.1.2  christos             &p[s->init_num], n, 0, &readbytes);
   1683      1.1  christos         if (i <= 0) {
   1684      1.1  christos             s->rwstate = SSL_READING;
   1685      1.1  christos             *len = 0;
   1686      1.1  christos             return 0;
   1687      1.1  christos         }
   1688      1.1  christos         s->init_num += readbytes;
   1689      1.1  christos         n -= readbytes;
   1690      1.1  christos     }
   1691      1.1  christos 
   1692      1.1  christos     /*
   1693      1.1  christos      * If receiving Finished, record MAC of prior handshake messages for
   1694      1.1  christos      * Finished verification.
   1695      1.1  christos      */
   1696      1.1  christos     if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
   1697      1.1  christos         /* SSLfatal() already called */
   1698      1.1  christos         *len = 0;
   1699      1.1  christos         return 0;
   1700      1.1  christos     }
   1701      1.1  christos 
   1702      1.1  christos     /* Feed this message into MAC computation. */
   1703      1.1  christos     if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
   1704      1.1  christos         if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
   1705  1.1.1.2  christos                 s->init_num)) {
   1706      1.1  christos             /* SSLfatal() already called */
   1707      1.1  christos             *len = 0;
   1708      1.1  christos             return 0;
   1709      1.1  christos         }
   1710      1.1  christos         if (s->msg_callback)
   1711      1.1  christos             s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
   1712  1.1.1.2  christos                 (size_t)s->init_num, ussl, s->msg_callback_arg);
   1713      1.1  christos     } else {
   1714      1.1  christos         /*
   1715      1.1  christos          * We defer feeding in the HRR until later. We'll do it as part of
   1716      1.1  christos          * processing the message
   1717      1.1  christos          * The TLsv1.3 handshake transcript stops at the ClientFinished
   1718      1.1  christos          * message.
   1719      1.1  christos          */
   1720  1.1.1.2  christos #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
   1721      1.1  christos         /* KeyUpdate and NewSessionTicket do not need to be added */
   1722      1.1  christos         if (!SSL_CONNECTION_IS_TLS13(s)
   1723      1.1  christos             || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
   1724  1.1.1.2  christos                 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
   1725      1.1  christos             if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
   1726  1.1.1.2  christos                 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
   1727  1.1.1.2  christos                 || memcmp(hrrrandom,
   1728  1.1.1.2  christos                        s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
   1729  1.1.1.2  christos                        SSL3_RANDOM_SIZE)
   1730  1.1.1.2  christos                     != 0) {
   1731      1.1  christos                 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
   1732  1.1.1.2  christos                         s->init_num + SSL3_HM_HEADER_LENGTH)) {
   1733      1.1  christos                     /* SSLfatal() already called */
   1734      1.1  christos                     *len = 0;
   1735      1.1  christos                     return 0;
   1736      1.1  christos                 }
   1737      1.1  christos             }
   1738      1.1  christos         }
   1739      1.1  christos         if (s->msg_callback)
   1740      1.1  christos             s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
   1741  1.1.1.2  christos                 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, ussl,
   1742  1.1.1.2  christos                 s->msg_callback_arg);
   1743      1.1  christos     }
   1744      1.1  christos 
   1745      1.1  christos     *len = s->init_num;
   1746      1.1  christos     return 1;
   1747      1.1  christos }
   1748      1.1  christos 
   1749      1.1  christos static const X509ERR2ALERT x509table[] = {
   1750  1.1.1.2  christos     { X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE },
   1751  1.1.1.2  christos     { X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE },
   1752  1.1.1.2  christos     { X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE },
   1753  1.1.1.2  christos     { X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE },
   1754  1.1.1.2  christos     { X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA },
   1755  1.1.1.2  christos     { X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED },
   1756  1.1.1.2  christos     { X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE },
   1757  1.1.1.2  christos     { X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE },
   1758  1.1.1.2  christos     { X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED },
   1759  1.1.1.2  christos     { X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR },
   1760  1.1.1.2  christos     { X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE },
   1761  1.1.1.2  christos     { X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED },
   1762  1.1.1.2  christos     { X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE },
   1763  1.1.1.2  christos     { X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR },
   1764  1.1.1.2  christos     { X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE },
   1765  1.1.1.2  christos     { X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA },
   1766  1.1.1.2  christos     { X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE },
   1767  1.1.1.2  christos     { X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE },
   1768  1.1.1.2  christos     { X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE },
   1769  1.1.1.2  christos     { X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE },
   1770  1.1.1.2  christos     { X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE },
   1771  1.1.1.2  christos     { X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE },
   1772  1.1.1.2  christos     { X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE },
   1773  1.1.1.2  christos     { X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA },
   1774  1.1.1.2  christos     { X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR },
   1775  1.1.1.2  christos     { X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE },
   1776  1.1.1.2  christos     { X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE },
   1777  1.1.1.2  christos     { X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR },
   1778  1.1.1.2  christos     { X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA },
   1779  1.1.1.2  christos     { X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA },
   1780  1.1.1.2  christos     { X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR },
   1781  1.1.1.2  christos     { X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE },
   1782  1.1.1.2  christos     { X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE },
   1783  1.1.1.2  christos     { X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE },
   1784  1.1.1.2  christos     { X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA },
   1785  1.1.1.2  christos     { X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA },
   1786  1.1.1.2  christos     { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA },
   1787  1.1.1.2  christos     { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA },
   1788  1.1.1.2  christos     { X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA },
   1789  1.1.1.2  christos     { X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR },
   1790      1.1  christos 
   1791      1.1  christos     /* Last entry; return this if we don't find the value above. */
   1792  1.1.1.2  christos     { X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN }
   1793      1.1  christos };
   1794      1.1  christos 
   1795      1.1  christos int ssl_x509err2alert(int x509err)
   1796      1.1  christos {
   1797      1.1  christos     const X509ERR2ALERT *tp;
   1798      1.1  christos 
   1799      1.1  christos     for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
   1800      1.1  christos         if (tp->x509err == x509err)
   1801      1.1  christos             break;
   1802      1.1  christos     return tp->alert;
   1803      1.1  christos }
   1804      1.1  christos 
   1805      1.1  christos int ssl_allow_compression(SSL_CONNECTION *s)
   1806      1.1  christos {
   1807      1.1  christos     if (s->options & SSL_OP_NO_COMPRESSION)
   1808      1.1  christos         return 0;
   1809      1.1  christos     return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
   1810      1.1  christos }
   1811      1.1  christos 
   1812      1.1  christos /*
   1813      1.1  christos  * SSL/TLS/DTLS version comparison
   1814      1.1  christos  *
   1815      1.1  christos  * Returns
   1816      1.1  christos  *      0 if versiona is equal to versionb
   1817      1.1  christos  *      1 if versiona is greater than versionb
   1818      1.1  christos  *     -1 if versiona is less than versionb
   1819      1.1  christos  */
   1820      1.1  christos int ssl_version_cmp(const SSL_CONNECTION *s, int versiona, int versionb)
   1821      1.1  christos {
   1822      1.1  christos     int dtls = SSL_CONNECTION_IS_DTLS(s);
   1823      1.1  christos 
   1824      1.1  christos     if (versiona == versionb)
   1825      1.1  christos         return 0;
   1826      1.1  christos     if (!dtls)
   1827      1.1  christos         return versiona < versionb ? -1 : 1;
   1828      1.1  christos     return DTLS_VERSION_LT(versiona, versionb) ? -1 : 1;
   1829      1.1  christos }
   1830      1.1  christos 
   1831      1.1  christos typedef struct {
   1832      1.1  christos     int version;
   1833  1.1.1.2  christos     const SSL_METHOD *(*cmeth)(void);
   1834  1.1.1.2  christos     const SSL_METHOD *(*smeth)(void);
   1835      1.1  christos } version_info;
   1836      1.1  christos 
   1837      1.1  christos #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
   1838  1.1.1.2  christos #error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
   1839      1.1  christos #endif
   1840      1.1  christos 
   1841      1.1  christos /* Must be in order high to low */
   1842      1.1  christos static const version_info tls_version_table[] = {
   1843      1.1  christos #ifndef OPENSSL_NO_TLS1_3
   1844  1.1.1.2  christos     { TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method },
   1845      1.1  christos #else
   1846  1.1.1.2  christos     { TLS1_3_VERSION, NULL, NULL },
   1847      1.1  christos #endif
   1848      1.1  christos #ifndef OPENSSL_NO_TLS1_2
   1849  1.1.1.2  christos     { TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method },
   1850      1.1  christos #else
   1851  1.1.1.2  christos     { TLS1_2_VERSION, NULL, NULL },
   1852      1.1  christos #endif
   1853      1.1  christos #ifndef OPENSSL_NO_TLS1_1
   1854  1.1.1.2  christos     { TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method },
   1855      1.1  christos #else
   1856  1.1.1.2  christos     { TLS1_1_VERSION, NULL, NULL },
   1857      1.1  christos #endif
   1858      1.1  christos #ifndef OPENSSL_NO_TLS1
   1859  1.1.1.2  christos     { TLS1_VERSION, tlsv1_client_method, tlsv1_server_method },
   1860      1.1  christos #else
   1861  1.1.1.2  christos     { TLS1_VERSION, NULL, NULL },
   1862      1.1  christos #endif
   1863      1.1  christos #ifndef OPENSSL_NO_SSL3
   1864  1.1.1.2  christos     { SSL3_VERSION, sslv3_client_method, sslv3_server_method },
   1865      1.1  christos #else
   1866  1.1.1.2  christos     { SSL3_VERSION, NULL, NULL },
   1867      1.1  christos #endif
   1868  1.1.1.2  christos     { 0, NULL, NULL },
   1869      1.1  christos };
   1870      1.1  christos 
   1871      1.1  christos #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
   1872  1.1.1.2  christos #error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
   1873      1.1  christos #endif
   1874      1.1  christos 
   1875      1.1  christos /* Must be in order high to low */
   1876      1.1  christos static const version_info dtls_version_table[] = {
   1877      1.1  christos #ifndef OPENSSL_NO_DTLS1_2
   1878  1.1.1.2  christos     { DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method },
   1879      1.1  christos #else
   1880  1.1.1.2  christos     { DTLS1_2_VERSION, NULL, NULL },
   1881      1.1  christos #endif
   1882      1.1  christos #ifndef OPENSSL_NO_DTLS1
   1883  1.1.1.2  christos     { DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method },
   1884  1.1.1.2  christos     { DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL },
   1885      1.1  christos #else
   1886  1.1.1.2  christos     { DTLS1_VERSION, NULL, NULL },
   1887  1.1.1.2  christos     { DTLS1_BAD_VER, NULL, NULL },
   1888      1.1  christos #endif
   1889  1.1.1.2  christos     { 0, NULL, NULL },
   1890      1.1  christos };
   1891      1.1  christos 
   1892      1.1  christos /*
   1893      1.1  christos  * ssl_method_error - Check whether an SSL_METHOD is enabled.
   1894      1.1  christos  *
   1895      1.1  christos  * @s: The SSL handle for the candidate method
   1896      1.1  christos  * @method: the intended method.
   1897      1.1  christos  *
   1898      1.1  christos  * Returns 0 on success, or an SSL error reason on failure.
   1899      1.1  christos  */
   1900      1.1  christos static int ssl_method_error(const SSL_CONNECTION *s, const SSL_METHOD *method)
   1901      1.1  christos {
   1902      1.1  christos     int version = method->version;
   1903      1.1  christos 
   1904  1.1.1.2  christos     if ((s->min_proto_version != 0 && ssl_version_cmp(s, version, s->min_proto_version) < 0) || ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
   1905      1.1  christos         return SSL_R_VERSION_TOO_LOW;
   1906      1.1  christos 
   1907  1.1.1.2  christos     if (s->max_proto_version != 0 && ssl_version_cmp(s, version, s->max_proto_version) > 0)
   1908      1.1  christos         return SSL_R_VERSION_TOO_HIGH;
   1909      1.1  christos 
   1910      1.1  christos     if ((s->options & method->mask) != 0)
   1911      1.1  christos         return SSL_R_UNSUPPORTED_PROTOCOL;
   1912      1.1  christos     if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
   1913      1.1  christos         return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
   1914      1.1  christos 
   1915      1.1  christos     return 0;
   1916      1.1  christos }
   1917      1.1  christos 
   1918      1.1  christos /*
   1919      1.1  christos  * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
   1920      1.1  christos  * certificate type, or has PSK or a certificate callback configured, or has
   1921      1.1  christos  * a servername callback configure. Otherwise returns 0.
   1922      1.1  christos  */
   1923      1.1  christos static int is_tls13_capable(const SSL_CONNECTION *s)
   1924      1.1  christos {
   1925      1.1  christos     size_t i;
   1926      1.1  christos     int curve;
   1927      1.1  christos     SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
   1928      1.1  christos 
   1929      1.1  christos     if (!ossl_assert(sctx != NULL) || !ossl_assert(s->session_ctx != NULL))
   1930      1.1  christos         return 0;
   1931      1.1  christos 
   1932      1.1  christos     /*
   1933      1.1  christos      * A servername callback can change the available certs, so if a servername
   1934      1.1  christos      * cb is set then we just assume TLSv1.3 will be ok
   1935      1.1  christos      */
   1936      1.1  christos     if (sctx->ext.servername_cb != NULL
   1937  1.1.1.2  christos         || s->session_ctx->ext.servername_cb != NULL)
   1938      1.1  christos         return 1;
   1939      1.1  christos 
   1940      1.1  christos #ifndef OPENSSL_NO_PSK
   1941      1.1  christos     if (s->psk_server_callback != NULL)
   1942      1.1  christos         return 1;
   1943      1.1  christos #endif
   1944      1.1  christos 
   1945      1.1  christos     if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
   1946      1.1  christos         return 1;
   1947      1.1  christos 
   1948      1.1  christos     /* All provider-based sig algs are required to support at least TLS1.3 */
   1949      1.1  christos     for (i = 0; i < s->ssl_pkey_num; i++) {
   1950      1.1  christos         /* Skip over certs disallowed for TLSv1.3 */
   1951      1.1  christos         switch (i) {
   1952      1.1  christos         case SSL_PKEY_DSA_SIGN:
   1953      1.1  christos         case SSL_PKEY_GOST01:
   1954      1.1  christos         case SSL_PKEY_GOST12_256:
   1955      1.1  christos         case SSL_PKEY_GOST12_512:
   1956      1.1  christos             continue;
   1957      1.1  christos         default:
   1958      1.1  christos             break;
   1959      1.1  christos         }
   1960      1.1  christos         if (!ssl_has_cert(s, i))
   1961      1.1  christos             continue;
   1962      1.1  christos         if (i != SSL_PKEY_ECC)
   1963      1.1  christos             return 1;
   1964      1.1  christos         /*
   1965      1.1  christos          * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
   1966      1.1  christos          * more restrictive so check that our sig algs are consistent with this
   1967      1.1  christos          * EC cert. See section 4.2.3 of RFC8446.
   1968      1.1  christos          */
   1969      1.1  christos         curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
   1970      1.1  christos         if (tls_check_sigalg_curve(s, curve))
   1971      1.1  christos             return 1;
   1972      1.1  christos     }
   1973      1.1  christos 
   1974      1.1  christos     return 0;
   1975      1.1  christos }
   1976      1.1  christos 
   1977      1.1  christos /*
   1978      1.1  christos  * ssl_version_supported - Check that the specified `version` is supported by
   1979      1.1  christos  * `SSL *` instance
   1980      1.1  christos  *
   1981      1.1  christos  * @s: The SSL handle for the candidate method
   1982      1.1  christos  * @version: Protocol version to test against
   1983      1.1  christos  *
   1984      1.1  christos  * Returns 1 when supported, otherwise 0
   1985      1.1  christos  */
   1986      1.1  christos int ssl_version_supported(const SSL_CONNECTION *s, int version,
   1987  1.1.1.2  christos     const SSL_METHOD **meth)
   1988      1.1  christos {
   1989      1.1  christos     const version_info *vent;
   1990      1.1  christos     const version_info *table;
   1991      1.1  christos 
   1992      1.1  christos     switch (SSL_CONNECTION_GET_SSL(s)->method->version) {
   1993      1.1  christos     default:
   1994      1.1  christos         /* Version should match method version for non-ANY method */
   1995      1.1  christos         return ssl_version_cmp(s, version, s->version) == 0;
   1996      1.1  christos     case TLS_ANY_VERSION:
   1997      1.1  christos         table = tls_version_table;
   1998      1.1  christos         break;
   1999      1.1  christos     case DTLS_ANY_VERSION:
   2000      1.1  christos         table = dtls_version_table;
   2001      1.1  christos         break;
   2002      1.1  christos     }
   2003      1.1  christos 
   2004      1.1  christos     for (vent = table;
   2005  1.1.1.2  christos         vent->version != 0 && ssl_version_cmp(s, version, vent->version) <= 0;
   2006  1.1.1.2  christos         ++vent) {
   2007      1.1  christos         const SSL_METHOD *(*thismeth)(void) = s->server ? vent->smeth
   2008      1.1  christos                                                         : vent->cmeth;
   2009      1.1  christos 
   2010      1.1  christos         if (thismeth != NULL
   2011  1.1.1.2  christos             && ssl_version_cmp(s, version, vent->version) == 0
   2012  1.1.1.2  christos             && ssl_method_error(s, thismeth()) == 0
   2013  1.1.1.2  christos             && (!s->server
   2014  1.1.1.2  christos                 || version != TLS1_3_VERSION
   2015  1.1.1.2  christos                 || is_tls13_capable(s))) {
   2016      1.1  christos             if (meth != NULL)
   2017      1.1  christos                 *meth = thismeth();
   2018      1.1  christos             return 1;
   2019      1.1  christos         }
   2020      1.1  christos     }
   2021      1.1  christos     return 0;
   2022      1.1  christos }
   2023      1.1  christos 
   2024      1.1  christos /*
   2025      1.1  christos  * ssl_check_version_downgrade - In response to RFC7507 SCSV version
   2026      1.1  christos  * fallback indication from a client check whether we're using the highest
   2027      1.1  christos  * supported protocol version.
   2028      1.1  christos  *
   2029      1.1  christos  * @s server SSL handle.
   2030      1.1  christos  *
   2031      1.1  christos  * Returns 1 when using the highest enabled version, 0 otherwise.
   2032      1.1  christos  */
   2033      1.1  christos int ssl_check_version_downgrade(SSL_CONNECTION *s)
   2034      1.1  christos {
   2035      1.1  christos     const version_info *vent;
   2036      1.1  christos     const version_info *table;
   2037      1.1  christos     SSL *ssl = SSL_CONNECTION_GET_SSL(s);
   2038      1.1  christos 
   2039      1.1  christos     /*
   2040      1.1  christos      * Check that the current protocol is the highest enabled version
   2041      1.1  christos      * (according to ssl->defltmethod, as version negotiation may have changed
   2042      1.1  christos      * s->method).
   2043      1.1  christos      */
   2044      1.1  christos     if (s->version == ssl->defltmeth->version)
   2045      1.1  christos         return 1;
   2046      1.1  christos 
   2047      1.1  christos     /*
   2048      1.1  christos      * Apparently we're using a version-flexible SSL_METHOD (not at its
   2049      1.1  christos      * highest protocol version).
   2050      1.1  christos      */
   2051      1.1  christos     if (ssl->defltmeth->version == TLS_method()->version)
   2052      1.1  christos         table = tls_version_table;
   2053      1.1  christos     else if (ssl->defltmeth->version == DTLS_method()->version)
   2054      1.1  christos         table = dtls_version_table;
   2055      1.1  christos     else {
   2056      1.1  christos         /* Unexpected state; fail closed. */
   2057      1.1  christos         return 0;
   2058      1.1  christos     }
   2059      1.1  christos 
   2060      1.1  christos     for (vent = table; vent->version != 0; ++vent) {
   2061      1.1  christos         if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
   2062      1.1  christos             return s->version == vent->version;
   2063      1.1  christos     }
   2064      1.1  christos     return 0;
   2065      1.1  christos }
   2066      1.1  christos 
   2067      1.1  christos /*
   2068      1.1  christos  * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
   2069      1.1  christos  * protocols, provided the initial (D)TLS method is version-flexible.  This
   2070      1.1  christos  * function sanity-checks the proposed value and makes sure the method is
   2071      1.1  christos  * version-flexible, then sets the limit if all is well.
   2072      1.1  christos  *
   2073      1.1  christos  * @method_version: The version of the current SSL_METHOD.
   2074      1.1  christos  * @version: the intended limit.
   2075      1.1  christos  * @bound: pointer to limit to be updated.
   2076      1.1  christos  *
   2077      1.1  christos  * Returns 1 on success, 0 on failure.
   2078      1.1  christos  */
   2079      1.1  christos int ssl_set_version_bound(int method_version, int version, int *bound)
   2080      1.1  christos {
   2081      1.1  christos     int valid_tls;
   2082      1.1  christos     int valid_dtls;
   2083      1.1  christos 
   2084      1.1  christos     if (version == 0) {
   2085      1.1  christos         *bound = version;
   2086      1.1  christos         return 1;
   2087      1.1  christos     }
   2088      1.1  christos 
   2089      1.1  christos     valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
   2090      1.1  christos     valid_dtls =
   2091      1.1  christos         /* We support client side pre-standardisation version of DTLS */
   2092      1.1  christos         (version == DTLS1_BAD_VER)
   2093      1.1  christos         || (DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL)
   2094      1.1  christos             && DTLS_VERSION_GE(version, DTLS1_VERSION));
   2095      1.1  christos 
   2096      1.1  christos     if (!valid_tls && !valid_dtls)
   2097      1.1  christos         return 0;
   2098      1.1  christos 
   2099      1.1  christos     /*-
   2100      1.1  christos      * Restrict TLS methods to TLS protocol versions.
   2101      1.1  christos      * Restrict DTLS methods to DTLS protocol versions.
   2102      1.1  christos      * Note, DTLS version numbers are decreasing, use comparison macros.
   2103      1.1  christos      *
   2104      1.1  christos      * Note that for both lower-bounds we use explicit versions, not
   2105      1.1  christos      * (D)TLS_MIN_VERSION.  This is because we don't want to break user
   2106      1.1  christos      * configurations.  If the MIN (supported) version ever rises, the user's
   2107      1.1  christos      * "floor" remains valid even if no longer available.  We don't expect the
   2108      1.1  christos      * MAX ceiling to ever get lower, so making that variable makes sense.
   2109      1.1  christos      *
   2110      1.1  christos      * We ignore attempts to set bounds on version-inflexible methods,
   2111      1.1  christos      * returning success.
   2112      1.1  christos      */
   2113      1.1  christos     switch (method_version) {
   2114      1.1  christos     default:
   2115      1.1  christos         break;
   2116      1.1  christos 
   2117      1.1  christos     case TLS_ANY_VERSION:
   2118      1.1  christos         if (valid_tls)
   2119      1.1  christos             *bound = version;
   2120      1.1  christos         break;
   2121      1.1  christos 
   2122      1.1  christos     case DTLS_ANY_VERSION:
   2123      1.1  christos         if (valid_dtls)
   2124      1.1  christos             *bound = version;
   2125      1.1  christos         break;
   2126      1.1  christos     }
   2127      1.1  christos     return 1;
   2128      1.1  christos }
   2129      1.1  christos 
/*
 * check_for_downgrade - Decide which downgrade sentinel, if any, the server
 * should place in its random for the negotiated version |vers|.
 *
 * @s: server SSL handle.
 * @vers: the protocol version selected for this connection.
 * @dgrd: receives DOWNGRADE_TO_1_2, DOWNGRADE_TO_1_1 or DOWNGRADE_NONE.
 *
 * A sentinel is only set when a higher version is actually enabled on this
 * server, so a client that supports the higher version can detect that the
 * handshake was pushed down.
 */
static void check_for_downgrade(SSL_CONNECTION *s, int vers, DOWNGRADE *dgrd)
{
    *dgrd = DOWNGRADE_NONE;

    if (vers == TLS1_2_VERSION) {
        /* TLSv1.2 chosen while TLSv1.3 is enabled: mark the downgrade. */
        if (ssl_version_supported(s, TLS1_3_VERSION, NULL))
            *dgrd = DOWNGRADE_TO_1_2;
        return;
    }

    /* Sentinels are a TLS-only mechanism and only apply below TLSv1.2. */
    if (SSL_CONNECTION_IS_DTLS(s) || vers >= TLS1_2_VERSION)
        return;

    /*
     * We need to ensure that a server that disables TLSv1.2 (creating a hole
     * between TLSv1.3 and TLSv1.1) can still complete handshakes with clients
     * that support TLSv1.2 and below.  Therefore the sentinel is only enabled
     * when TLSv1.2 itself is enabled, not merely TLSv1.3.
     */
    if (ssl_version_supported(s, TLS1_2_VERSION, NULL))
        *dgrd = DOWNGRADE_TO_1_1;
}
   2150      1.1  christos 
/*
 * choose_version_from_supported_versions - Pick the server version from the
 * ClientHello supported_versions extension.  Only used for TLS; the caller
 * never routes DTLS connections here.
 *
 * @s: server SSL handle.
 * @suppversions: the pre-processed supported_versions extension; it is
 *                marked as parsed here.
 * @client_version: the ClientHello legacy_version field.
 * @dgrd: receives the downgrade sentinel choice on success.
 *
 * On success s->version, the method and the record layer protocol version
 * are updated, except after a HelloRetryRequest, where the already negotiated
 * TLSv1.3 state is left untouched and only re-validated.
 *
 * Returns 0 on success or an SSL error reason number on failure.
 */
static int choose_version_from_supported_versions(SSL_CONNECTION *s,
    RAW_EXTENSION *suppversions,
    int client_version,
    DOWNGRADE *dgrd)
{
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
    PACKET versionslist;
    unsigned int candidate_vers = 0;
    unsigned int best_vers = 0;
    const SSL_METHOD *best_method = NULL;

    suppversions->parsed = 1;

    /* The extension body is a 1-byte length-prefixed list of versions. */
    if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist))
        return SSL_R_LENGTH_MISMATCH;

    /*
     * The TLSv1.3 spec says the client MUST set legacy_version to
     * TLS1_2_VERSION, but only requires servers to reject SSLv3:
     * "Any endpoint receiving a Hello message with
     * ClientHello.legacy_version or ServerHello.legacy_version set to
     * 0x0300 MUST abort the handshake with a "protocol_version" alert."
     * We are slightly stricter and reject SSLv3 or lower, while tolerating
     * TLSv1 and TLSv1.1.
     */
    if (client_version <= SSL3_VERSION)
        return SSL_R_BAD_LEGACY_VERSION;

    /*
     * Keep the highest version we support.  The client's preference order
     * is deliberately ignored; a candidate is only probed when it would
     * improve on the best one found so far.
     */
    while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
        if (ssl_version_cmp(s, candidate_vers, best_vers) > 0
            && ssl_version_supported(s, candidate_vers, &best_method))
            best_vers = candidate_vers;
    }
    /* Anything left over means the list length was inconsistent. */
    if (PACKET_remaining(&versionslist) != 0)
        return SSL_R_LENGTH_MISMATCH;

    if (best_vers == 0)
        return SSL_R_UNSUPPORTED_PROTOCOL;

    /* After a HelloRetryRequest the only acceptable outcome is TLSv1.3. */
    if (s->hello_retry_request != SSL_HRR_NONE)
        return best_vers == TLS1_3_VERSION ? 0 : SSL_R_UNSUPPORTED_PROTOCOL;

    check_for_downgrade(s, best_vers, dgrd);
    s->version = best_vers;
    ssl->method = best_method;
    if (!ssl_set_record_protocol_version(s, best_vers))
        return ERR_R_INTERNAL_ERROR;

    return 0;
}

/*
 * ssl_choose_server_version - Choose server (D)TLS version.  Called when the
 * client HELLO is received to select the final server protocol version and
 * the version specific method.
 *
 * @s: server SSL handle.
 * @hello: the parsed ClientHello; its legacy_version and pre-processed
 *         supported_versions extension drive the selection.
 * @dgrd: receives the downgrade sentinel choice on success.
 *
 * Returns 0 on success or an SSL error reason number on failure.
 */
int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
    DOWNGRADE *dgrd)
{
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
    const int client_version = hello->legacy_version;
    const version_info *table;
    const version_info *vent;
    RAW_EXTENSION *suppversions;
    int legacy_version;
    int saw_disabled = 0;

    s->client_version = client_version;

    /*-
     * With version-flexible methods we have an initial state with:
     *
     *   s->method->version == (D)TLS_ANY_VERSION,
     *   s->version == (D)TLS_MAX_VERSION_INTERNAL.
     *
     * So version-flexible methods are detected via the method version, not
     * the handle version.
     */
    switch (ssl->method->version) {
    case TLS_ANY_VERSION:
        table = tls_version_table;
        break;
    case DTLS_ANY_VERSION:
        table = dtls_version_table;
        break;
    default:
        if (SSL_CONNECTION_IS_TLS13(s)) {
            /*
             * Already TLSv1.3, which means we are after a HelloRetryRequest:
             * negotiate again through the TLS table.
             */
            table = tls_version_table;
            break;
        }
        if (ssl_version_cmp(s, client_version, s->version) < 0)
            return SSL_R_WRONG_SSL_VERSION;
        *dgrd = DOWNGRADE_NONE;
        /*
         * If this SSL handle is not from a version flexible method we don't
         * (and never did) check min/max FIPS or Suite B constraints.  Hope
         * that's OK.  It is up to the caller to not choose fixed protocol
         * versions they don't want.  If not, then easy to fix, just return
         * ssl_method_error(s, s->method)
         */
        return 0;
    }

    suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];

    /* If we did an HRR then supported versions is mandatory */
    if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
        return SSL_R_UNSUPPORTED_PROTOCOL;

    if (suppversions->present && !SSL_CONNECTION_IS_DTLS(s))
        return choose_version_from_supported_versions(s, suppversions,
            client_version, dgrd);

    /*
     * Without the supported versions extension the highest version we can
     * negotiate is TLSv1.2, whatever legacy_version claims.  The clamp is
     * local: s->client_version keeps the value the client actually sent.
     */
    legacy_version = client_version;
    if (ssl_version_cmp(s, legacy_version, TLS1_3_VERSION) >= 0)
        legacy_version = TLS1_2_VERSION;

    /*
     * Walk the method table (highest version first) and take the first
     * version that is not above the client's and is enabled on this server.
     */
    for (vent = table; vent->version != 0; ++vent) {
        const SSL_METHOD *method;

        if (vent->smeth == NULL)
            continue;
        if (ssl_version_cmp(s, legacy_version, vent->version) < 0)
            continue;

        method = vent->smeth();
        if (ssl_method_error(s, method) != 0) {
            /* Compiled in but disabled at run time: remember it for the error. */
            saw_disabled = 1;
            continue;
        }

        check_for_downgrade(s, vent->version, dgrd);
        s->version = vent->version;
        ssl->method = method;
        if (!ssl_set_record_protocol_version(s, s->version))
            return ERR_R_INTERNAL_ERROR;

        return 0;
    }

    /*
     * Distinguish "something suitable exists but is disabled" from "the
     * client is simply below everything we offer".
     */
    return saw_disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
}
   2303      1.1  christos 
/*
 * server_random_has_sentinel - Report whether the trailing bytes of the
 * server random equal |sentinel|.
 *
 * @s: client SSL handle whose s3.server_random has been filled in.
 * @sentinel: the downgrade marker to look for.
 * @sentinel_len: length of |sentinel| in bytes.
 *
 * Returns 1 on a match, 0 otherwise.
 */
static int server_random_has_sentinel(const SSL_CONNECTION *s,
    const unsigned char *sentinel,
    size_t sentinel_len)
{
    const unsigned char *tail = s->s3.server_random + SSL3_RANDOM_SIZE
        - sentinel_len;

    return memcmp(sentinel, tail, sentinel_len) == 0;
}

/*
 * ssl_choose_client_version - Choose client (D)TLS version.  Called when the
 * server HELLO is received to select the final client protocol version and
 * the version specific method.
 *
 * @s: client SSL handle.
 * @version: The proposed version from the server's HELLO.
 * @extensions: The extensions received
 *
 * On every failure path that rejects the proposed version, s->version is
 * restored to the value it had on entry; SSLfatal() is raised except when
 * the extension parser already did so.
 *
 * Returns 1 on success or 0 on error.
 */
int ssl_choose_client_version(SSL_CONNECTION *s, int version,
    RAW_EXTENSION *extensions)
{
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
    const version_info *table;
    const version_info *vent;
    const int origv = s->version;
    int ver_min, ver_max, real_max;
    int err;

    s->version = version;

    /* This will overwrite s->version if the extension is present */
    if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
            SSL_EXT_TLS1_2_SERVER_HELLO
                | SSL_EXT_TLS1_3_SERVER_HELLO,
            extensions,
            NULL, 0)) {
        s->version = origv;
        return 0;
    }

    /* After a HelloRetryRequest the server must stay on TLSv1.3. */
    if (s->hello_retry_request != SSL_HRR_NONE
        && s->version != TLS1_3_VERSION) {
        s->version = origv;
        SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
        return 0;
    }

    if (ssl->method->version == TLS_ANY_VERSION) {
        table = tls_version_table;
    } else if (ssl->method->version == DTLS_ANY_VERSION) {
        table = dtls_version_table;
    } else {
        /* Fixed-version method: the server must have echoed exactly it. */
        if (s->version != ssl->method->version) {
            s->version = origv;
            SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
            return 0;
        }
        /*
         * If this SSL handle is not from a version flexible method we don't
         * (and never did) check min/max, FIPS or Suite B constraints.  Hope
         * that's OK.  It is up to the caller to not choose fixed protocol
         * versions they don't want.  If not, then easy to fix, just return
         * ssl_method_error(s, s->method)
         */
        if (!ssl_set_record_protocol_version(s, s->version)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
        return 1;
    }

    err = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
    if (err != 0) {
        s->version = origv;
        SSLfatal(s, SSL_AD_PROTOCOL_VERSION, err);
        return 0;
    }
    if (ssl_version_cmp(s, s->version, ver_min) < 0
        || ssl_version_cmp(s, s->version, ver_max) > 0) {
        s->version = origv;
        SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
        return 0;
    }

    /* Without a fallback SCSV the highest version we offered is the maximum. */
    if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
        real_max = ver_max;

    /*
     * Check for downgrades: if the server picked something below what we
     * could have done, its random must not carry a downgrade sentinel.
     */
    /* TODO(DTLSv1.3): Update this code for DTLSv1.3 */
    if (!SSL_CONNECTION_IS_DTLS(s) && real_max > s->version) {
        /* Signal applies to all versions */
        int downgraded = server_random_has_sentinel(s, tls11downgrade,
            sizeof(tls11downgrade));

        /* Only when accepting TLS1.3 */
        if (!downgraded && real_max == TLS1_3_VERSION)
            downgraded = server_random_has_sentinel(s, tls12downgrade,
                sizeof(tls12downgrade));

        if (downgraded) {
            s->version = origv;
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                SSL_R_INAPPROPRIATE_FALLBACK);
            return 0;
        }
    }

    /* Bind the method matching the agreed version. */
    for (vent = table; vent->version != 0; ++vent) {
        if (vent->cmeth == NULL || vent->version != s->version)
            continue;

        ssl->method = vent->cmeth();
        if (!ssl_set_record_protocol_version(s, s->version)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
        return 1;
    }

    s->version = origv;
    SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
    return 0;
}
   2430      1.1  christos 
/*
 * ssl_get_min_max_version - get minimum and maximum protocol version
 * @s: The SSL connection
 * @min_version: The minimum supported version
 * @max_version: The maximum supported version
 * @real_max:    The highest version below the lowest compile time version hole
 *               where that hole lies above at least one run-time enabled
 *               protocol.  May be NULL; must be NULL for fixed-version
 *               methods.
 *
 * Work out what version we should be using for the initial ClientHello if the
 * version is initially (D)TLS_ANY_VERSION.  We apply any explicit SSL_OP_NO_xxx
 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
 * constraints and any floor imposed by the security level here,
 * so we don't advertise the wrong protocol version to only reject the outcome
 * later.
 *
 * Computing the right floor matters.  If, e.g., TLS 1.0 and 1.2 are enabled,
 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
 *
 * Returns 0 on success or an SSL error reason number on failure.  On failure
 * min_version and max_version will also be set to 0.
 */
int ssl_get_min_max_version(const SSL_CONNECTION *s, int *min_version,
    int *max_version, int *real_max)
{
    const SSL *ssl = SSL_CONNECTION_GET_SSL(s);
    const version_info *table;
    const version_info *vent;
    int selected = 0;   /* top of the current contiguous enabled range */
    int in_hole = 1;    /* no enabled version seen since the last gap */
    int hole_top = 0;   /* first compiled-in version after a compile-time gap */

    if (ssl->method->version == TLS_ANY_VERSION) {
        table = tls_version_table;
    } else if (ssl->method->version == DTLS_ANY_VERSION) {
        table = dtls_version_table;
    } else {
        /*
         * If this SSL handle is not from a version flexible method we don't
         * (and never did) check min/max FIPS or Suite B constraints.  Hope
         * that's OK.  It is up to the caller to not choose fixed protocol
         * versions they don't want.  If not, then easy to fix, just return
         * ssl_method_error(s, s->method)
         */
        *min_version = *max_version = s->version;
        /*
         * Providing a real_max only makes sense where we're using a version
         * flexible method.
         */
        if (!ossl_assert(real_max == NULL))
            return ERR_R_INTERNAL_ERROR;
        return 0;
    }

    /*
     * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
     * below X enabled. This is required in order to maintain the "version
     * capability" vector contiguous. Any versions with a NULL client method
     * (protocol version client is disabled at compile-time) is also a "hole".
     *
     * Our initial state is in_hole == 1, selected == 0.  That is, versions
     * above the first version in the method table are disabled (a "hole"
     * above the valid protocol entries) and we don't have a selected version
     * yet.
     *
     * Whenever in_hole is set and we hit an enabled method, its version
     * becomes the selected version and we leave the hole.
     *
     * If we are not in a hole and hit an enabled method, we support a
     * contiguous range of at least two methods and only the floor moves down.
     * If we hit a disabled method, we are in a hole again but nothing else
     * changes yet, because all the remaining methods may be disabled too.
     * If we again hit an enabled method after the new hole, it becomes
     * selected, as we start from scratch.
     */
    *min_version = 0;
    if (real_max != NULL)
        *real_max = 0;

    for (vent = table; vent->version != 0; ++vent) {
        const SSL_METHOD *method;

        /*
         * A table entry with a NULL client method is still a hole in the
         * "version capability" vector.
         */
        if (vent->cmeth == NULL) {
            in_hole = 1;
            hole_top = 0;
            continue;
        }
        method = vent->cmeth();

        /*
         * Remember the first compiled-in version at the top of a gap; it is
         * published as real_max once an enabled version below it is found.
         * A run-time disabled entry does not reset it, only a compile-time
         * one does.
         */
        if (in_hole && hole_top == 0)
            hole_top = vent->version;

        if (ssl_method_error(s, method) != 0) {
            in_hole = 1;
            continue;
        }

        if (in_hole) {
            if (real_max != NULL && hole_top != 0)
                *real_max = hole_top;
            selected = method->version;
            in_hole = 0;
        }
        /* Every enabled entry in the current range lowers the floor. */
        *min_version = method->version;
    }

    *max_version = selected;

    /* Fail if everything is disabled */
    if (selected == 0)
        return SSL_R_NO_PROTOCOLS_AVAILABLE;

    return 0;
}
   2549      1.1  christos 
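/*
 * ssl_set_client_hello_version - Work out what version we should be using for
 * the initial ClientHello.legacy_version field.
 *
 * @s: client SSL handle.
 *
 * On a first handshake s->version is set to the highest enabled version and
 * s->client_version to the value to advertise (TLSv1.2 when TLSv1.3 or above
 * is enabled, since TLSv1.3 always uses TLSv1.2 in legacy_version).  On a
 * renegotiation nothing is changed.
 *
 * Returns 0 on success or an SSL error reason number on failure.
 */
int ssl_set_client_hello_version(SSL_CONNECTION *s)
{
    int ver_min, ver_max, ret;

    /*
     * In a renegotiation we always send the same client_version that we sent
     * last time, regardless of which version we eventually negotiated.
     */
    if (!SSL_IS_FIRST_HANDSHAKE(s))
        return 0;

    ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);

    if (ret != 0)
        return ret;

    s->version = ver_max;

    if (SSL_CONNECTION_IS_DTLS(s)) {
        if (ver_max == DTLS1_BAD_VER) {
            /*
             * Even though this is technically before version negotiation,
             * because we have asked for DTLS1_BAD_VER we will never negotiate
             * anything else, and this has impacts on the record layer for when
             * we read the ServerHello. So we need to tell the record layer
             * about this immediately.
             *
             * A record layer failure is reported as an error, matching the
             * documented contract and ssl_choose_server_version(); returning
             * 0 here would signal success without s->client_version having
             * been set.
             */
            if (!ssl_set_record_protocol_version(s, ver_max))
                return ERR_R_INTERNAL_ERROR;
        }
    } else if (ver_max > TLS1_2_VERSION) {
        /* TLS1.3 always uses TLS1.2 in the legacy_version field */
        ver_max = TLS1_2_VERSION;
    }

    s->client_version = ver_max;
    return 0;
}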
   2596      1.1  christos 
/*
 * check_in_list - Look |group_id| up in |groups|.
 *
 * @s: SSL handle, used for the security-level check only.
 * @group_id: the group to find.
 * @groups: array of group identifiers, may be NULL.
 * @num_groups: number of entries in |groups|.
 * @checkallow: when 1, a matching entry only counts if tls_group_allowed()
 *              accepts it under SSL_SECOP_CURVE_CHECK.
 * @pos: if not NULL, receives the index of the matching entry.
 *
 * Returns 1 if the group is in the list (and allowed, when |checkallow| is 1),
 * 0 otherwise.  A NULL or empty list never matches.
 */
int check_in_list(SSL_CONNECTION *s, uint16_t group_id, const uint16_t *groups,
    size_t num_groups, int checkallow, size_t *pos)
{
    const uint16_t *cur;

    if (groups == NULL || num_groups == 0)
        return 0;

    for (cur = groups; cur < groups + num_groups; cur++) {
        if (*cur != group_id)
            continue;
        /* A disallowed match is skipped, not treated as the final answer. */
        if (checkallow && !tls_group_allowed(s, *cur, SSL_SECOP_CURVE_CHECK))
            continue;
        if (pos != NULL)
            *pos = (size_t)(cur - groups);
        return 1;
    }

    return 0;
}
   2626      1.1  christos 
/*
 * Replace ClientHello1 in the transcript hash with a synthetic message_hash
 * message (the TLS 1.3 HelloRetryRequest transcript construction).
 *
 * |hashval|/|hashlen| is the digest of the initial ClientHello; when |hashval|
 * is NULL it is computed here from the cached handshake records. |hrr|/|hrrlen|
 * is a HelloRetryRequest to re-inject after the synthetic message, or NULL if
 * no re-injection is needed.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() already called).
 */
int create_synthetic_message_hash(SSL_CONNECTION *s,
    const unsigned char *hashval,
    size_t hashlen, const unsigned char *hrr,
    size_t hrrlen)
{
    unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
    unsigned char msghdr[SSL3_HM_HEADER_LENGTH];

    /* Zero the header so the untouched length bytes read as 0 below */
    memset(msghdr, 0, sizeof(msghdr));

    if (hashval == NULL) {
        hashval = hashvaltmp;
        hashlen = 0;
        /* Get the hash of the initial ClientHello */
        if (!ssl3_digest_cached_records(s, 0)
            || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
                &hashlen)) {
            /* SSLfatal() already called */
            return 0;
        }
    }

    /* Reinitialise the transcript hash: everything hashed so far is dropped */
    if (!ssl3_init_finished_mac(s)) {
        /* SSLfatal() already called */
        return 0;
    }

    /*
     * Inject the synthetic message_hash message: type byte plus length. Only
     * the lowest length byte is written; the higher bytes stay 0 from the
     * memset. When computed here hashlen is at most EVP_MAX_MD_SIZE; a caller
     * supplying its own hashval is presumably passing a single digest too, so
     * the cast does not truncate — confirm at the call sites.
     */
    msghdr[0] = SSL3_MT_MESSAGE_HASH;
    msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
    if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
        || !ssl3_finish_mac(s, hashval, hashlen)) {
        /* SSLfatal() already called */
        return 0;
    }

    /*
     * Now re-inject the HRR and current message if appropriate (we just deleted
     * it when we reinitialised the transcript hash above). Only necessary after
     * receiving a ClientHello2 with a cookie. The current message is taken from
     * init_buf, header included, which is why SSL3_HM_HEADER_LENGTH is added to
     * the body length.
     */
    if (hrr != NULL
        && (!ssl3_finish_mac(s, hrr, hrrlen)
            || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
                s->s3.tmp.message_size
                    + SSL3_HM_HEADER_LENGTH))) {
        /* SSLfatal() already called */
        return 0;
    }

    return 1;
}
   2681      1.1  christos 
/* Comparison callback for the CA-name stack: orders entries by X509_NAME_cmp() */
static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
{
    const X509_NAME *lhs = *a;
    const X509_NAME *rhs = *b;

    return X509_NAME_cmp(lhs, rhs);
}
   2686      1.1  christos 
/*
 * Decode one length-prefixed DistinguishedName from |cadns| into a new
 * X509_NAME stored in *out. The DER encoding must consume exactly the
 * advertised length; trailing bytes are a decode error. Returns 1 on success,
 * 0 on failure with SSLfatal() already called and nothing allocated.
 */
static int parse_one_ca_name(SSL_CONNECTION *s, PACKET *cadns, X509_NAME **out)
{
    const unsigned char *der, *der_end;
    unsigned int der_len;
    X509_NAME *name;

    if (!PACKET_get_net_2(cadns, &der_len)
        || !PACKET_get_bytes(cadns, &der, der_len)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    der_end = der + der_len;
    name = d2i_X509_NAME(NULL, &der, der_len);
    if (name == NULL) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
        return 0;
    }
    /* d2i advanced |der|; it must land exactly on the end of the field */
    if (der != der_end) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
        X509_NAME_free(name);
        return 0;
    }

    *out = name;
    return 1;
}

/*
 * Parse the certificate_authorities list from |pkt| into a new stack, which
 * replaces s->s3.tmp.peer_ca_names on success. Returns 1 on success, 0 on
 * failure (SSLfatal() already called); on failure the previous list is kept.
 */
int parse_ca_names(SSL_CONNECTION *s, PACKET *pkt)
{
    STACK_OF(X509_NAME) *names = sk_X509_NAME_new(ca_dn_cmp);
    PACKET cadns;

    if (names == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
        return 0;
    }

    /* The whole list is wrapped in a 2-byte length prefix */
    if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        goto err;
    }

    while (PACKET_remaining(&cadns) > 0) {
        X509_NAME *name = NULL;

        if (!parse_one_ca_name(s, &cadns, &name))
            goto err;
        if (!sk_X509_NAME_push(names, name)) {
            X509_NAME_free(name);
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
            goto err;
        }
    }

    sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
    s->s3.tmp.peer_ca_names = names;

    return 1;

err:
    sk_X509_NAME_pop_free(names, X509_NAME_free);
    return 0;
}
   2740      1.1  christos 
/*
 * Select the CA-name list to advertise. A server prefers its client-CA list,
 * but only when that list is present and non-empty; otherwise (and always for
 * a client) the generic CA list is used, which may itself be NULL.
 */
const STACK_OF(X509_NAME) *get_ca_names(SSL_CONNECTION *s)
{
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
    const STACK_OF(X509_NAME) *list = NULL;

    if (s->server) {
        list = SSL_get_client_CA_list(ssl);
        /* An empty client-CA list is treated like no list at all */
        if (list != NULL && sk_X509_NAME_num(list) == 0)
            list = NULL;
    }

    if (list != NULL)
        return list;

    return SSL_get0_CA_list(ssl);
}
   2757      1.1  christos 
/*
 * Write |ca_sk| as a 2-byte length-prefixed list of DER DistinguishedNames
 * into |pkt|. The list is empty when |ca_sk| is NULL or when
 * SSL_OP_DISABLE_TLSEXT_CA_NAMES is set. Returns 1 on success, 0 on failure
 * (SSLfatal() already called).
 */
int construct_ca_names(SSL_CONNECTION *s, const STACK_OF(X509_NAME) *ca_sk,
    WPACKET *pkt)
{
    int include_names;
    int count, idx;

    if (!WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    include_names = ca_sk != NULL
        && (s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES) == 0;
    count = include_names ? sk_X509_NAME_num(ca_sk) : 0;

    for (idx = 0; idx < count; idx++) {
        X509_NAME *name = sk_X509_NAME_value(ca_sk, idx);
        unsigned char *out;
        int derlen;

        if (name == NULL)
            goto fail;
        /* First pass sizes the encoding, second pass writes it in place */
        derlen = i2d_X509_NAME(name, NULL);
        if (derlen < 0)
            goto fail;
        if (!WPACKET_sub_allocate_bytes_u16(pkt, derlen, &out))
            goto fail;
        if (i2d_X509_NAME(name, &out) != derlen)
            goto fail;
    }

    if (!WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;

fail:
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return 0;
}
   2793      1.1  christos 
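/*
 * Create a buffer containing the data to be signed for ServerKeyExchange:
 * client_random || server_random || params.
 *
 * On success a newly allocated buffer is stored in *ptbs (owned by the caller,
 * release with OPENSSL_free()) and its total length is returned. On allocation
 * failure SSLfatal() is called, *ptbs is left untouched and 0 is returned.
 */
size_t construct_key_exchange_tbs(SSL_CONNECTION *s, unsigned char **ptbs,
    const void *param, size_t paramlen)
{
    size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
    unsigned char *tbs = OPENSSL_malloc(tbslen);

    if (tbs == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
        return 0;
    }
    memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
    memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);

    /*
     * Skip the copy for an empty parameter block: memcpy() requires a valid
     * source pointer even for a zero length, so a NULL |param| with
     * |paramlen| == 0 would otherwise be undefined behaviour.
     */
    if (paramlen > 0)
        memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);

    *ptbs = tbs;
    return tbslen;
}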
   2813      1.1  christos 
/*
 * Save a copy of the current handshake digest for Post-Handshake Auth.
 * Called after ClientFinished has been processed; the copy is taken exactly
 * once, later calls are no-ops. Returns 1 on success, 0 on failure
 * (SSLfatal() already called, s->pha_dgst left NULL).
 */
int tls13_save_handshake_digest_for_pha(SSL_CONNECTION *s)
{
    EVP_MD_CTX *saved;

    /* Already captured: nothing more to do */
    if (s->pha_dgst != NULL)
        return 1;

    if (!ssl3_digest_cached_records(s, 1)) {
        /* SSLfatal() already called */
        return 0;
    }

    saved = EVP_MD_CTX_new();
    if (saved == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    if (!EVP_MD_CTX_copy_ex(saved, s->s3.handshake_dgst)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        EVP_MD_CTX_free(saved);
        return 0;
    }

    /* Only publish the context once the copy has succeeded */
    s->pha_dgst = saved;
    return 1;
}
   2840      1.1  christos 
/*
 * Restore the saved Post-Handshake Auth digest into the live handshake digest.
 * Called just before a CertificateRequest is sent or processed. Returns 1 on
 * success, 0 (SSLfatal() already called) if nothing was saved or the copy
 * fails.
 */
int tls13_restore_handshake_digest_for_pha(SSL_CONNECTION *s)
{
    EVP_MD_CTX *saved = s->pha_dgst;
    int ok = saved != NULL
        && EVP_MD_CTX_copy_ex(s->s3.handshake_dgst, saved);

    /* Both failure modes map to the same internal-error alert */
    if (!ok) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    return 1;
}
   2858      1.1  christos 
   2859      1.1  christos #ifndef OPENSSL_NO_COMP_ALG
/*
 * Decompress a TLS 1.3 CompressedCertificate message (RFC 8879).
 *
 * |pkt| holds the message body after the handshake header: a 2-byte
 * algorithm id, a 3-byte uncompressed length, a 3-byte compressed length and
 * the compressed bytes. The uncompressed Certificate message is written into
 * |buf| and |tmppkt| is initialised over it so the caller can parse it as an
 * ordinary Certificate message.
 *
 * Returns MSG_PROCESS_CONTINUE_PROCESSING on success, MSG_PROCESS_ERROR on
 * failure (SSLfatal() already called).
 */
MSG_PROCESS_RETURN tls13_process_compressed_certificate(SSL_CONNECTION *sc,
    PACKET *pkt,
    PACKET *tmppkt,
    BUF_MEM *buf)
{
    MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
    int comp_alg;
    COMP_METHOD *method = NULL;
    COMP_CTX *comp = NULL;
    size_t expected_length;
    size_t comp_length;
    int i;
    int found = 0;

    if (buf == NULL) {
        SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    /*
     * The algorithm id is read as an unsigned int through the int object;
     * the two types may alias and a 16-bit value always fits in int.
     */
    if (!PACKET_get_net_2(pkt, (unsigned int *)&comp_alg)) {
        SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    /*
     * If we have a prefs list, make sure the algorithm is in it. The list is
     * terminated by TLSEXT_comp_cert_none; an algorithm we did not offer is an
     * illegal_parameter, not a decode error.
     */
    if (sc->cert_comp_prefs[0] != TLSEXT_comp_cert_none) {
        for (i = 0; sc->cert_comp_prefs[i] != TLSEXT_comp_cert_none; i++) {
            if (sc->cert_comp_prefs[i] == comp_alg) {
                found = 1;
                break;
            }
        }
        if (!found) {
            SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_COMPRESSION_ALGORITHM);
            goto err;
        }
    }
    /* The algorithm must also be compiled in / available at runtime */
    if (!ossl_comp_has_alg(comp_alg)) {
        SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_COMPRESSION_ALGORITHM);
        goto err;
    }
    switch (comp_alg) {
    case TLSEXT_comp_cert_zlib:
        method = COMP_zlib_oneshot();
        break;
    case TLSEXT_comp_cert_brotli:
        method = COMP_brotli_oneshot();
        break;
    case TLSEXT_comp_cert_zstd:
        method = COMP_zstd_oneshot();
        break;
    default:
        SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_COMPRESSION_ALGORITHM);
        goto err;
    }

    /* Read the two 24-bit lengths: uncompressed size, then compressed size */
    if ((comp = COMP_CTX_new(method)) == NULL
        || !PACKET_get_net_3_len(pkt, &expected_length)
        || !PACKET_get_net_3_len(pkt, &comp_length)) {
        SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_DECOMPRESSION);
        goto err;
    }

    /*
     * Prevent excessive pre-decompression allocation: the peer-supplied
     * uncompressed length is capped by max_cert_list before BUF_MEM_grow()
     * below, so a small compressed message cannot force a huge allocation.
     */
    if (expected_length > sc->max_cert_list) {
        SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
        goto err;
    }

    /* The compressed data must fill the rest of the message exactly */
    if (PACKET_remaining(pkt) != comp_length || comp_length == 0) {
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_DECOMPRESSION);
        goto err;
    }

    /*
     * Decompress into |buf|. The output must be exactly the advertised
     * uncompressed length; anything else is treated as corrupt. |tmppkt| is
     * initialised before the expand call, so on failure it refers to
     * unfilled bytes, but ret stays MSG_PROCESS_ERROR so it is not consumed.
     * expected_length is compared as int; it is bounded by max_cert_list
     * above, which presumably keeps it within int range — confirm.
     */
    if (!BUF_MEM_grow(buf, expected_length)
        || !PACKET_buf_init(tmppkt, (unsigned char *)buf->data, expected_length)
        || COMP_expand_block(comp, (unsigned char *)buf->data, expected_length,
               (unsigned char *)PACKET_data(pkt), comp_length)
            != (int)expected_length) {
        SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_DECOMPRESSION);
        goto err;
    }
    ret = MSG_PROCESS_CONTINUE_PROCESSING;
err:
    /* COMP_CTX_free(NULL) is safe: comp may be unset on early exits */
    COMP_CTX_free(comp);
    return ret;
}
   2945      1.1  christos #endif
   2946