* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
#include <limits.h>
#include <string.h>
#include <stdio.h>
-#include "../ssl_locl.h"
-#include "statem_locl.h"
+#include "../ssl_local.h"
+#include "statem_local.h"
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
+#include <openssl/trace.h>
/*
* Map error codes to TLS/SSL alart types.
/* N.B. s->ctx may not equal s->session_ctx */
tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
- s->s3->tmp.cert_request = 0;
+ s->s3.tmp.cert_request = 0;
}
} else {
if (SSL_IS_FIRST_HANDSHAKE(s))
tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
/* mark client_random uninitialized */
- memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
+ memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
s->hit = 0;
- s->s3->tmp.cert_req = 0;
+ s->s3.tmp.cert_req = 0;
if (SSL_IS_DTLS(s))
s->statem.use_timer = 1;
static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
void **hdata, size_t *hdatalen)
{
- static const char *servercontext = "TLS 1.3, server CertificateVerify";
- static const char *clientcontext = "TLS 1.3, client CertificateVerify";
-
+#ifdef CHARSET_EBCDIC
+ static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
+ 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
+ 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
+ 0x69, 0x66, 0x79, 0x00 };
+ static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
+ 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
+ 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
+ 0x69, 0x66, 0x79, 0x00 };
+#else
+ static const char servercontext[] = "TLS 1.3, server CertificateVerify";
+ static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
+#endif
if (SSL_IS_TLS13(s)) {
size_t hashlen;
size_t retlen;
long retlen_l;
- retlen = retlen_l = BIO_get_mem_data(s->s3->handshake_buffer, hdata);
+ retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
if (retlen_l <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
ERR_R_INTERNAL_ERROR);
void *hdata;
unsigned char *sig = NULL;
unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
- const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
+ const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
- if (lu == NULL || s->s3->tmp.cert == NULL) {
+ if (lu == NULL || s->s3.tmp.cert == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
ERR_R_INTERNAL_ERROR);
goto err;
}
- pkey = s->s3->tmp.cert->privatekey;
+ pkey = s->s3.tmp.cert->privatekey;
- if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
+ if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
ERR_R_INTERNAL_ERROR);
goto err;
ERR_R_INTERNAL_ERROR);
goto err;
}
- siglen = EVP_PKEY_size(pkey);
- sig = OPENSSL_malloc(siglen);
- if (sig == NULL) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
- ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) {
+ if (EVP_DigestSignInit_ex(mctx, &pctx,
+ md == NULL ? NULL : EVP_MD_name(md),
+ s->ctx->propq, pkey, s->ctx->libctx) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
ERR_R_EVP_LIB);
goto err;
}
}
if (s->version == SSL3_VERSION) {
+ /*
+ * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
+ * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
+ */
if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
- || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
- (int)s->session->master_key_length,
- s->session->master_key)
- || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
+ /*
+ * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
+ * with a call to ssl3_digest_master_key_set_params()
+ */
+ || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
+ (int)s->session->master_key_length,
+ s->session->master_key) <= 0
+ || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
ERR_R_EVP_LIB);
goto err;
}
- } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
- ERR_R_EVP_LIB);
- goto err;
+ sig = OPENSSL_malloc(siglen);
+ if (sig == NULL
+ || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
+ ERR_R_EVP_LIB);
+ goto err;
+ }
+ } else {
+ /*
+ * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
+ * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
+ */
+ if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
+ ERR_R_EVP_LIB);
+ goto err;
+ }
+ sig = OPENSSL_malloc(siglen);
+ if (sig == NULL
+ || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
+ ERR_R_EVP_LIB);
+ goto err;
+ }
}
#ifndef OPENSSL_NO_GOST
goto err;
}
- if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) {
+ if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
ERR_R_INTERNAL_ERROR);
goto err;
}
-#ifdef SSL_DEBUG
if (SSL_USE_SIGALGS(s))
- fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
-#endif
+ OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
+ md == NULL ? "n/a" : EVP_MD_name(md));
/* Check for broken implementations of GOST ciphersuites */
/*
goto err;
}
- j = EVP_PKEY_size(pkey);
- if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
- || (PACKET_remaining(pkt) == 0)) {
- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
- SSL_R_WRONG_SIGNATURE_SIZE);
- goto err;
- }
if (!PACKET_get_bytes(pkt, &data, len)) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
SSL_R_LENGTH_MISMATCH);
goto err;
}
-#ifdef SSL_DEBUG
- fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
-#endif
- if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
+ OSSL_TRACE1(TLS, "Using client verify alg %s\n",
+ md == NULL ? "n/a" : EVP_MD_name(md));
+
+ if (EVP_DigestVerifyInit_ex(mctx, &pctx,
+ md == NULL ? NULL : EVP_MD_name(md),
+ s->ctx->propq, pkey, s->ctx->libctx) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
ERR_R_EVP_LIB);
goto err;
}
}
if (s->version == SSL3_VERSION) {
+ /*
+ * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
+ * with a call to ssl3_digest_master_key_set_params()
+ */
if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
- || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
- (int)s->session->master_key_length,
- s->session->master_key)) {
+ || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
+ (int)s->session->master_key_length,
+ s->session->master_key) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
ERR_R_EVP_LIB);
goto err;
}
}
- ret = MSG_PROCESS_CONTINUE_READING;
+ /*
+ * In TLSv1.3 on the client side we make sure we prepare the client
+ * certificate after the CertVerify instead of when we get the
+ * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
+ * comes *before* the Certificate message. In TLSv1.2 it comes after. We
+ * want to make sure that SSL_get_peer_certificate() will return the actual
+ * server certificate from the client_cert_cb callback.
+ */
+ if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
+ ret = MSG_PROCESS_CONTINUE_PROCESSING;
+ else
+ ret = MSG_PROCESS_CONTINUE_READING;
err:
- BIO_free(s->s3->handshake_buffer);
- s->s3->handshake_buffer = NULL;
+ BIO_free(s->s3.handshake_buffer);
+ s->s3.handshake_buffer = NULL;
EVP_MD_CTX_free(mctx);
#ifndef OPENSSL_NO_GOST
OPENSSL_free(gost_data);
*/
if (SSL_IS_TLS13(s)
&& !s->server
- && s->s3->tmp.cert_req == 0
+ && s->s3.tmp.cert_req == 0
&& (!s->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
/* SSLfatal() already called */
finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
sender, slen,
- s->s3->tmp.finish_md);
+ s->s3.tmp.finish_md);
if (finish_md_len == 0) {
/* SSLfatal() already called */
return 0;
}
- s->s3->tmp.finish_md_len = finish_md_len;
+ s->s3.tmp.finish_md_len = finish_md_len;
- if (!WPACKET_memcpy(pkt, s->s3->tmp.finish_md, finish_md_len)) {
+ if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
ERR_R_INTERNAL_ERROR);
return 0;
return 0;
}
if (!s->server) {
- memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md,
+ memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
finish_md_len);
- s->s3->previous_client_finished_len = finish_md_len;
+ s->s3.previous_client_finished_len = finish_md_len;
} else {
- memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md,
+ memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
finish_md_len);
- s->s3->previous_server_finished_len = finish_md_len;
+ s->s3.previous_server_finished_len = finish_md_len;
}
return 1;
{
unsigned int updatetype;
- s->key_update_count++;
- if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) {
- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
- SSL_R_TOO_MANY_KEY_UPDATES);
- return MSG_PROCESS_ERROR;
- }
-
/*
* A KeyUpdate message signals a key change so the end of the message must
* be on a record boundary.
/*
* If we get a request for us to update our sending keys too then, we need
* to additionally send a KeyUpdate message. However that message should
- * not also request an update (otherwise we get into an infinite loop). We
- * ignore a request for us to update our sending keys too if we already
- * sent close_notify.
+ * not also request an update (otherwise we get into an infinite loop).
*/
- if (updatetype == SSL_KEY_UPDATE_REQUESTED
- && (s->shutdown & SSL_SENT_SHUTDOWN) == 0)
+ if (updatetype == SSL_KEY_UPDATE_REQUESTED)
s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
if (!tls13_update_key(s, 0)) {
slen = s->method->ssl3_enc->client_finished_label_len;
}
- s->s3->tmp.peer_finish_md_len =
+ s->s3.tmp.peer_finish_md_len =
s->method->ssl3_enc->final_finish_mac(s, sender, slen,
- s->s3->tmp.peer_finish_md);
+ s->s3.tmp.peer_finish_md);
- if (s->s3->tmp.peer_finish_md_len == 0) {
+ if (s->s3.tmp.peer_finish_md_len == 0) {
/* SSLfatal() already called */
return 0;
}
}
/* Check we have a cipher to change to */
- if (s->s3->tmp.new_cipher == NULL) {
+ if (s->s3.tmp.new_cipher == NULL) {
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
return MSG_PROCESS_ERROR;
}
- s->s3->change_cipher_spec = 1;
+ s->s3.change_cipher_spec = 1;
if (!ssl3_do_change_cipher_spec(s)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
ERR_R_INTERNAL_ERROR);
}
/* If this occurs, we have missed a message */
- if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) {
+ if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
SSL_R_GOT_A_FIN_BEFORE_A_CCS);
return MSG_PROCESS_ERROR;
}
- s->s3->change_cipher_spec = 0;
+ s->s3.change_cipher_spec = 0;
- md_len = s->s3->tmp.peer_finish_md_len;
+ md_len = s->s3.tmp.peer_finish_md_len;
if (md_len != PACKET_remaining(pkt)) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
return MSG_PROCESS_ERROR;
}
- if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md,
+ if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
md_len) != 0) {
SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
SSL_R_DIGEST_CHECK_FAILED);
return MSG_PROCESS_ERROR;
}
if (s->server) {
- memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md,
+ memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
md_len);
- s->s3->previous_client_finished_len = md_len;
+ s->s3.previous_client_finished_len = md_len;
} else {
- memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md,
+ memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
md_len);
- s->s3->previous_server_finished_len = md_len;
+ s->s3.previous_server_finished_len = md_len;
}
/*
return MSG_PROCESS_ERROR;
}
} else {
+ /* TLS 1.3 gets the secret size from the handshake md */
+ size_t dummy;
if (!s->method->ssl3_enc->generate_master_secret(s,
s->master_secret, s->handshake_secret, 0,
- &s->session->master_key_length)) {
+ &dummy)) {
/* SSLfatal() already called */
return MSG_PROCESS_ERROR;
}
WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
{
void (*cb) (const SSL *ssl, int type, int val) = NULL;
+ int cleanuphand = s->statem.cleanuphand;
if (clearbufs) {
- if (!SSL_IS_DTLS(s)) {
+ if (!SSL_IS_DTLS(s)
+#ifndef OPENSSL_NO_SCTP
/*
- * We don't do this in DTLS because we may still need the init_buf
+ * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
+ * messages that require it. Therefore, DTLS procedures for retransmissions
+ * MUST NOT be used.
+ * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
+ */
+ || BIO_dgram_is_sctp(SSL_get_wbio(s))
+#endif
+ ) {
+ /*
+ * We don't do this in DTLS over UDP because we may still need the init_buf
* in case there are any unexpected retransmits
*/
BUF_MEM_free(s->init_buf);
s->init_buf = NULL;
}
+
if (!ssl_free_wbio_buffer(s)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
ERR_R_INTERNAL_ERROR);
* Only set if there was a Finished message and this isn't after a TLSv1.3
* post handshake exchange
*/
- if (s->statem.cleanuphand) {
+ if (cleanuphand) {
/* skipped if we just sent a HelloRequest */
s->renegotiate = 0;
s->new_session = 0;
/* N.B. s->ctx may not equal s->session_ctx */
tsan_counter(&s->ctx->stats.sess_accept_good);
s->handshake_func = ossl_statem_accept;
-
- if (SSL_IS_DTLS(s) && !s->hit) {
- /*
- * We are finishing after the client. We start the timer going
- * in case there are any retransmits of our final flight
- * required.
- */
- dtls1_start_timer(s);
- }
} else {
if (SSL_IS_TLS13(s)) {
/*
s->handshake_func = ossl_statem_connect;
tsan_counter(&s->session_ctx->stats.sess_connect_good);
-
- if (SSL_IS_DTLS(s) && s->hit) {
- /*
- * We are finishing after the server. We start the timer going
- * in case there are any retransmits of our final flight
- * required.
- */
- dtls1_start_timer(s);
- }
}
if (SSL_IS_DTLS(s)) {
/* The callback may expect us to not be in init at handshake done */
ossl_statem_set_in_init(s, 0);
- if (cb != NULL)
- cb(s, SSL_CB_HANDSHAKE_DONE, 1);
+ if (cb != NULL) {
+ if (cleanuphand
+ || !SSL_IS_TLS13(s)
+ || SSL_IS_FIRST_HANDSHAKE(s))
+ cb(s, SSL_CB_HANDSHAKE_DONE, 1);
+ }
if (!stop) {
/* If we've got more work to do we go back into init */
return 0;
}
if (s->statem.hand_state == TLS_ST_BEFORE
- && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) {
+ && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
/*
* We are stateless and we received a CCS. Probably this is
* from a client between the first and second ClientHellos.
*/
return 0;
}
- s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
+ s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
s->init_num = readbytes - 1;
s->init_msg = s->init_buf->data;
- s->s3->tmp.message_size = readbytes;
+ s->s3.tmp.message_size = readbytes;
return 1;
} else if (recvd_type != SSL3_RT_HANDSHAKE) {
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
/* s->init_num == SSL3_HM_HEADER_LENGTH */
*mt = *p;
- s->s3->tmp.message_type = *(p++);
+ s->s3.tmp.message_type = *(p++);
if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
/*
*/
l = RECORD_LAYER_get_rrec_length(&s->rlayer)
+ SSL3_HM_HEADER_LENGTH;
- s->s3->tmp.message_size = l;
+ s->s3.tmp.message_size = l;
s->init_msg = s->init_buf->data;
s->init_num = SSL3_HM_HEADER_LENGTH;
SSL_R_EXCESSIVE_MESSAGE_SIZE);
return 0;
}
- s->s3->tmp.message_size = l;
+ s->s3.tmp.message_size = l;
s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
s->init_num = 0;
unsigned char *p;
int i;
- if (s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
+ if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
/* We've already read everything in */
*len = (unsigned long)s->init_num;
return 1;
}
p = s->init_msg;
- n = s->s3->tmp.message_size - s->init_num;
+ n = s->s3.tmp.message_size - s->init_num;
while (n > 0) {
i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
&p[s->init_num], n, 0, &readbytes);
*/
#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
/* KeyUpdate and NewSessionTicket do not need to be added */
- if (!SSL_IS_TLS13(s) || (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET
- && s->s3->tmp.message_type != SSL3_MT_KEY_UPDATE)) {
- if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO
+ if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
+ && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
+ if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
|| s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
|| memcmp(hrrrandom,
s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
const SSL_METHOD *(*smeth) (void);
} version_info;
-#if TLS_MAX_VERSION != TLS1_3_VERSION
+#if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
#endif
{0, NULL, NULL},
};
-#if DTLS_MAX_VERSION != DTLS1_2_VERSION
+#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
#endif
static int is_tls13_capable(const SSL *s)
{
int i;
+#ifndef OPENSSL_NO_EC
+ int curve;
+ EC_KEY *eckey;
+#endif
#ifndef OPENSSL_NO_PSK
if (s->psk_server_callback != NULL)
default:
break;
}
- if (ssl_has_cert(s, i))
+ if (!ssl_has_cert(s, i))
+ continue;
+#ifndef OPENSSL_NO_EC
+ if (i != SSL_PKEY_ECC)
+ return 1;
+ /*
+ * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
+ * more restrictive so check that our sig algs are consistent with this
+ * EC cert. See section 4.2.3 of RFC8446.
+ */
+ eckey = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
+ if (eckey == NULL)
+ continue;
+ curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
+ if (tls_check_sigalg_curve(s, curve))
return 1;
+#else
+ return 1;
+#endif
}
return 0;
return 0;
case TLS_ANY_VERSION:
- if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
+ if (version < SSL3_VERSION || version > TLS_MAX_VERSION_INTERNAL)
return 0;
break;
case DTLS_ANY_VERSION:
- if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) ||
+ if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION_INTERNAL) ||
DTLS_VERSION_LT(version, DTLS1_BAD_VER))
return 0;
break;
* With version-flexible methods we have an initial state with:
*
* s->method->version == (D)TLS_ANY_VERSION,
- * s->version == (D)TLS_MAX_VERSION.
+ * s->version == (D)TLS_MAX_VERSION_INTERNAL.
*
* So we detect version-flexible methods via the method version, not the
* handle version.
/* Check for downgrades */
if (s->version == TLS1_2_VERSION && real_max > s->version) {
if (memcmp(tls12downgrade,
- s->s3->server_random + SSL3_RANDOM_SIZE
+ s->s3.server_random + SSL3_RANDOM_SIZE
- sizeof(tls12downgrade),
sizeof(tls12downgrade)) == 0) {
s->version = origv;
&& s->version < TLS1_2_VERSION
&& real_max > s->version) {
if (memcmp(tls11downgrade,
- s->s3->server_random + SSL3_RANDOM_SIZE
+ s->s3.server_random + SSL3_RANDOM_SIZE
- sizeof(tls11downgrade),
sizeof(tls11downgrade)) == 0) {
s->version = origv;
* used. Returns 1 if the group is in the list (and allowed if |checkallow| is
* 1) or 0 otherwise.
*/
-#ifndef OPENSSL_NO_EC
int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
size_t num_groups, int checkallow)
{
if (group_id == group
&& (!checkallow
- || tls_curve_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
+ || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
return 1;
}
}
return 0;
}
-#endif
/* Replace ClientHello1 in the transcript hash with a synthetic message */
int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
if (hrr != NULL
&& (!ssl3_finish_mac(s, hrr, hrrlen)
|| !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
- s->s3->tmp.message_size
+ s->s3.tmp.message_size
+ SSL3_HM_HEADER_LENGTH))) {
/* SSLfatal() already called */
return 0;
xn = NULL;
}
- sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
- s->s3->tmp.peer_ca_names = ca_sk;
+ sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
+ s->s3.tmp.peer_ca_names = ca_sk;
return 1;
return 0;
}
-int construct_ca_names(SSL *s, WPACKET *pkt)
+const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
{
- const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s);
+ const STACK_OF(X509_NAME) *ca_sk = NULL;;
+
+ if (s->server) {
+ ca_sk = SSL_get_client_CA_list(s);
+ if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
+ ca_sk = NULL;
+ }
+ if (ca_sk == NULL)
+ ca_sk = SSL_get0_CA_list(s);
+
+ return ca_sk;
+}
+
+int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
+{
/* Start sub-packet for client CA list */
if (!WPACKET_start_sub_packet_u16(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
ERR_R_MALLOC_FAILURE);
return 0;
}
- memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE);
- memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE);
+ memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
+ memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
return 0;
}
if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
- s->s3->handshake_dgst)) {
+ s->s3.handshake_dgst)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
ERR_R_INTERNAL_ERROR);
ERR_R_INTERNAL_ERROR);
return 0;
}
- if (!EVP_MD_CTX_copy_ex(s->s3->handshake_dgst,
+ if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
s->pha_dgst)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
projects / openssl.git / blobdiff