X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_clnt.c;h=a8bb5663f099f5a0de62ec0a23581197f7258516;hp=bc35a3ea25bb96da176b70c81b4aad3b6c549586;hb=26fb4b033c664df7e220db1960f1cdad73bbba06;hpb=60d685d196e8d594d754751e4852f01d80d8c0cc diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index bc35a3ea25..a8bb5663f0 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -65,7 +65,6 @@ static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt); static ossl_inline int cert_req_allowed(SSL *s); static int key_exchange_expected(SSL *s); -static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b); static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt); @@ -123,11 +122,6 @@ static int ossl_statem_client13_read_transition(SSL *s, int mt) { OSSL_STATEM *st = &s->statem; - /* - * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time - * we will update this to look more like real TLSv1.3 - */ - /* * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't * yet negotiated TLSv1.3 at that point so that is handled by @@ -258,6 +252,22 @@ int ossl_statem_client_read_transition(SSL *s, int mt) } break; + case TLS_ST_EARLY_DATA: + /* + * We've not actually selected TLSv1.3 yet, but we have sent early + * data. The only thing allowed now is a ServerHello or a + * HelloRetryRequest. + */ + if (mt == SSL3_MT_SERVER_HELLO) { + st->hand_state = TLS_ST_CR_SRVR_HELLO; + return 1; + } + if (mt == SSL3_MT_HELLO_RETRY_REQUEST) { + st->hand_state = TLS_ST_CR_HELLO_RETRY_REQUEST; + return 1; + } + break; + case TLS_ST_CR_SRVR_HELLO: if (s->hit) { if (s->ext.ticket_expected) { @@ -424,6 +434,22 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; case TLS_ST_CR_FINISHED: + if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY + || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING) + st->hand_state = TLS_ST_PENDING_EARLY_DATA_END; + else + st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT + : TLS_ST_CW_FINISHED; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_PENDING_EARLY_DATA_END: + if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { + st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA; + return WRITE_TRAN_CONTINUE; + } + /* Fall through */ + + case TLS_ST_CW_END_OF_EARLY_DATA: st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT : TLS_ST_CW_FINISHED; return WRITE_TRAN_CONTINUE; @@ -449,7 +475,6 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s) case TLS_ST_CR_SESSION_TICKET: case TLS_ST_CW_FINISHED: st->hand_state = TLS_ST_OK; - ossl_statem_set_in_init(s, 0); return WRITE_TRAN_CONTINUE; case TLS_ST_OK: @@ -498,12 +523,23 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; case TLS_ST_CW_CLNT_HELLO: + if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { + /* + * We are assuming this is a TLSv1.3 connection, although we haven't + * actually selected a version yet. + */ + st->hand_state = TLS_ST_EARLY_DATA; + return WRITE_TRAN_CONTINUE; + } /* * No transition at the end of writing because we don't know what * we will be sent */ return WRITE_TRAN_FINISHED; + case TLS_ST_EARLY_DATA: + return WRITE_TRAN_FINISHED; + case DTLS_ST_CR_HELLO_VERIFY_REQUEST: st->hand_state = TLS_ST_CW_CLNT_HELLO; return WRITE_TRAN_CONTINUE; @@ -546,7 +582,8 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s) case TLS_ST_CW_CHANGE: #if defined(OPENSSL_NO_NEXTPROTONEG) - st->hand_state = TLS_ST_CW_FINISHED; + st-> + hand_state = TLS_ST_CW_FINISHED; #else if (!SSL_IS_DTLS(s) && s->s3->npn_seen) st->hand_state = TLS_ST_CW_NEXT_PROTO; @@ -564,7 +601,6 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s) case TLS_ST_CW_FINISHED: if (s->hit) { st->hand_state = TLS_ST_OK; - ossl_statem_set_in_init(s, 0); return WRITE_TRAN_CONTINUE; } else { return WRITE_TRAN_FINISHED; @@ -576,7 +612,6 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; } else { st->hand_state = TLS_ST_OK; - ossl_statem_set_in_init(s, 0); return WRITE_TRAN_CONTINUE; } @@ -594,7 +629,6 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; } st->hand_state = TLS_ST_OK; - ossl_statem_set_in_init(s, 0); return WRITE_TRAN_CONTINUE; } } @@ -639,6 +673,18 @@ WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst) } break; + case TLS_ST_PENDING_EARLY_DATA_END: + /* + * If we've been called by SSL_do_handshake()/SSL_write(), or we did not + * attempt to write early data before calling SSL_read() then we press + * on with the handshake. Otherwise we pause here. + */ + if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING + || s->early_data_state == SSL_EARLY_DATA_NONE) + return WORK_FINISHED_CONTINUE; + /* Fall through */ + + case TLS_ST_EARLY_DATA: case TLS_ST_OK: return tls_finish_handshake(s, wst, 1); } @@ -649,8 +695,6 @@ WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst) /* * Perform any work that needs to be done after sending a message from the * client to the server. - case TLS_ST_SR_CERT_VRFY: - return SSL3_RT_MAX_PLAIN_LENGTH; */ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) { @@ -671,6 +715,27 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) /* Treat the next message as the first packet */ s->first_packet = 1; } + + if (s->early_data_state == SSL_EARLY_DATA_CONNECTING + && s->max_early_data > 0) { + /* + * We haven't selected TLSv1.3 yet so we don't call the change + * cipher state function associated with the SSL_METHOD. Instead + * we call tls13_change_cipher_state() directly. + */ + if (!tls13_change_cipher_state(s, + SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) + return WORK_ERROR; + } + break; + + case TLS_ST_CW_END_OF_EARLY_DATA: + /* + * We set the enc_write_ctx back to NULL because we may end up writing + * in cleartext again if we get a HelloRetryRequest from the server. + */ + EVP_CIPHER_CTX_free(s->enc_write_ctx); + s->enc_write_ctx = NULL; break; case TLS_ST_CW_KEY_EXCH: @@ -774,6 +839,16 @@ int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt, *mt = SSL3_MT_CLIENT_HELLO; break; + case TLS_ST_CW_END_OF_EARLY_DATA: + *confunc = tls_construct_end_of_early_data; + *mt = SSL3_MT_END_OF_EARLY_DATA; + break; + + case TLS_ST_PENDING_EARLY_DATA_END: + *confunc = NULL; + *mt = SSL3_MT_DUMMY; + break; + case TLS_ST_CW_CERT: *confunc = tls_construct_client_certificate; *mt = SSL3_MT_CERTIFICATE; @@ -1001,9 +1076,6 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) } /* else use the pre-loaded session */ - /* This is a real handshake so make sure we clean it up at the end */ - s->statem.cleanuphand = 1; - p = s->s3->client_random; /* @@ -1022,7 +1094,8 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) } else i = 1; - if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)) <= 0) + if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random), + DOWNGRADE_NONE) <= 0) return 0; /*- @@ -1107,7 +1180,9 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) return 0; } #ifndef OPENSSL_NO_COMP - if (ssl_allow_compression(s) && s->ctx->comp_methods) { + if (ssl_allow_compression(s) + && s->ctx->comp_methods + && (SSL_IS_DTLS(s) || s->s3->tmp.max_ver < TLS1_3_VERSION)) { int compnum = sk_SSL_COMP_num(s->ctx->comp_methods); for (i = 0; i < compnum; i++) { comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); @@ -1125,7 +1200,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) } /* TLS extensions */ - if (!tls_construct_extensions(s, pkt, EXT_CLIENT_HELLO, NULL, 0, &al)) { + if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0, &al)) { ssl3_send_alert(s, SSL3_AL_FATAL, al); SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); return 0; @@ -1168,14 +1243,65 @@ MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt) return MSG_PROCESS_ERROR; } -MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) +static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) { STACK_OF(SSL_CIPHER) *sk; const SSL_CIPHER *c; + int i; + + c = ssl_get_cipher_by_char(s, cipherchars, 0); + if (c == NULL) { + /* unknown cipher */ + SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_UNKNOWN_CIPHER_RETURNED); + return 0; + } + /* + * If it is a disabled cipher we either didn't send it in client hello, + * or it's not allowed for the selected protocol. So we return an error. + */ + if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK)) { + SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_WRONG_CIPHER_RETURNED); + return 0; + } + + sk = ssl_get_ciphers_by_id(s); + i = sk_SSL_CIPHER_find(sk, c); + if (i < 0) { + /* we did not say we would use this cipher */ + SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_WRONG_CIPHER_RETURNED); + return 0; + } + + if (SSL_IS_TLS13(s) && s->s3->tmp.new_cipher != NULL + && s->s3->tmp.new_cipher->id != c->id) { + /* ServerHello selected a different ciphersuite to that in the HRR */ + SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_WRONG_CIPHER_RETURNED); + return 0; + } + + /* + * Depending on the session caching (internal/external), the cipher + * and/or cipher_id values may not be set. Make sure that cipher_id is + * set and use it for comparison. + */ + if (s->session->cipher != NULL) + s->session->cipher_id = s->session->cipher->id; + if (s->hit && (s->session->cipher_id != c->id)) { + SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, + SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); + return 0; + } + s->s3->tmp.new_cipher = c; + + return 1; +} + +MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) +{ PACKET session_id, extpkt; size_t session_id_len; const unsigned char *cipherchars; - int i, al = SSL_AD_INTERNAL_ERROR; + int al = SSL_AD_INTERNAL_ERROR; unsigned int compression; unsigned int sversion; unsigned int context; @@ -1191,19 +1317,31 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) goto f_err; } - /* We do this immediately so we know what format the ServerHello is in */ - protverr = ssl_choose_client_version(s, sversion); + /* load the server random */ + if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + + /* + * We do this immediately so we know what format the ServerHello is in. + * Must be done after reading the random data so we can check for the + * TLSv1.3 downgrade sentinels + */ + protverr = ssl_choose_client_version(s, sversion, 1, &al); if (protverr != 0) { - al = SSL_AD_PROTOCOL_VERSION; SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, protverr); goto f_err; } - /* load the server hello data */ - /* load the server random */ - if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); + /* + * In TLSv1.3 a ServerHello message signals a key change so the end of the + * message must be on a record boundary. + */ + if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_NOT_ON_RECORD_BOUNDARY); goto f_err; } @@ -1252,8 +1390,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) goto f_err; } - context = SSL_IS_TLS13(s) ? EXT_TLS1_3_SERVER_HELLO - : EXT_TLS1_2_SERVER_HELLO; + context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO + : SSL_EXT_TLS1_2_SERVER_HELLO; if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al, NULL)) goto f_err; @@ -1262,7 +1400,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) if (SSL_IS_TLS13(s)) { /* This will set s->hit if we are resuming */ if (!tls_parse_extension(s, TLSEXT_IDX_psk, - EXT_TLS1_3_SERVER_HELLO, + SSL_EXT_TLS1_3_SERVER_HELLO, extensions, NULL, 0, &al)) goto f_err; } else { @@ -1352,53 +1490,17 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) SSL_R_SSL_SESSION_VERSION_MISMATCH); goto f_err; } - - c = ssl_get_cipher_by_char(s, cipherchars, 0); - if (c == NULL) { - /* unknown cipher */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED); - goto f_err; - } /* * Now that we know the version, update the check to see if it's an allowed * version. */ s->s3->tmp.min_ver = s->version; s->s3->tmp.max_ver = s->version; - /* - * If it is a disabled cipher we either didn't send it in client hello, - * or it's not allowed for the selected protocol. So we return an error. - */ - if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED); - goto f_err; - } - sk = ssl_get_ciphers_by_id(s); - i = sk_SSL_CIPHER_find(sk, c); - if (i < 0) { - /* we did not say we would use this cipher */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED); - goto f_err; - } - - /* - * Depending on the session caching (internal/external), the cipher - * and/or cipher_id values may not be set. Make sure that cipher_id is - * set and use it for comparison. - */ - if (s->session->cipher) - s->session->cipher_id = s->session->cipher->id; - if (s->hit && (s->session->cipher_id != c->id)) { + if (!set_client_ciphersuite(s, cipherchars)) { al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); goto f_err; } - s->s3->tmp.new_cipher = c; #ifdef OPENSSL_NO_COMP if (compression != 0) { @@ -1475,8 +1577,6 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) */ if (SSL_IS_TLS13(s) && (!s->method->ssl3_enc->setup_key_block(s) - || !s->method->ssl3_enc->change_cipher_state(s, - SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE) || !s->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) { al = SSL_AD_INTERNAL_ERROR; @@ -1497,6 +1597,7 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) { unsigned int sversion; int errorcode; + const unsigned char *cipherchars; RAW_EXTENSION *extensions = NULL; int al; PACKET extpkt; @@ -1510,27 +1611,59 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) s->hello_retry_request = 1; /* This will fail if it doesn't choose TLSv1.3+ */ - errorcode = ssl_choose_client_version(s, sversion); + errorcode = ssl_choose_client_version(s, sversion, 0, &al); if (errorcode != 0) { - al = SSL_AD_PROTOCOL_VERSION; SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, errorcode); goto f_err; } + if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { + SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_LENGTH_MISMATCH); + al = SSL_AD_DECODE_ERROR; + goto f_err; + } + + if (!set_client_ciphersuite(s, cipherchars)) { + al = SSL_AD_ILLEGAL_PARAMETER; + goto f_err; + } + if (!PACKET_as_length_prefixed_2(pkt, &extpkt)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_BAD_LENGTH); goto f_err; } - if (!tls_collect_extensions(s, &extpkt, EXT_TLS1_3_HELLO_RETRY_REQUEST, + if (!tls_collect_extensions(s, &extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, &extensions, &al, NULL) - || !tls_parse_all_extensions(s, EXT_TLS1_3_HELLO_RETRY_REQUEST, + || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, extensions, NULL, 0, &al)) goto f_err; OPENSSL_free(extensions); + /* + * Re-initialise the Transcript Hash. We're going to prepopulate it with + * a synthetic message_hash in place of ClientHello1. + */ + if (!create_synthetic_message_hash(s)) { + al = SSL_AD_INTERNAL_ERROR; + goto f_err; + } + + /* + * Add this message to the Transcript Hash. Normally this is done + * automatically prior to the message processing stage. However due to the + * need to create the synthetic message hash, we defer that step until now + * for HRR messages. + */ + if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, + s->init_num + SSL3_HM_HEADER_LENGTH)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR); + goto f_err; + } + return MSG_PROCESS_FINISHED_READING; f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); @@ -1595,9 +1728,10 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_BAD_LENGTH); goto f_err; } - if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE, - &rawexts, &al, NULL) - || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE, + if (!tls_collect_extensions(s, &extensions, + SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, + &al, NULL) + || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, rawexts, x, chainidx, &al)) { OPENSSL_free(rawexts); goto f_err; @@ -1850,7 +1984,7 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) goto err; } - /* test non-zero pupkey */ + /* test non-zero pubkey */ if (BN_is_zero(bnpub_key)) { *al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_BAD_DH_VALUE); @@ -2196,127 +2330,107 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) { int ret = MSG_PROCESS_ERROR; - unsigned int list_len, ctype_num, i, name_len; - X509_NAME *xn = NULL; - const unsigned char *data; - const unsigned char *namestart, *namebytes; - STACK_OF(X509_NAME) *ca_sk = NULL; - - if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); - goto err; - } + int al = SSL_AD_DECODE_ERROR; + size_t i; - /* get the certificate types */ - if (!PACKET_get_1(pkt, &ctype_num) - || !PACKET_get_bytes(pkt, &data, ctype_num)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH); - goto err; - } - OPENSSL_free(s->cert->ctypes); - s->cert->ctypes = NULL; - if (ctype_num > SSL3_CT_NUMBER) { - /* If we exceed static buffer copy all to cert structure */ - s->cert->ctypes = OPENSSL_malloc(ctype_num); - if (s->cert->ctypes == NULL) { - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); - goto err; - } - memcpy(s->cert->ctypes, data, ctype_num); - s->cert->ctype_num = ctype_num; - ctype_num = SSL3_CT_NUMBER; - } - for (i = 0; i < ctype_num; i++) - s->s3->tmp.ctype[i] = data[i]; + /* Clear certificate validity flags */ + for (i = 0; i < SSL_PKEY_NUM; i++) + s->s3->tmp.valid_flags[i] = 0; - if (SSL_USE_SIGALGS(s)) { - PACKET sigalgs; + if (SSL_IS_TLS13(s)) { + PACKET reqctx, extensions; + RAW_EXTENSION *rawexts = NULL; + + /* Free and zero certificate types: it is not present in TLS 1.3 */ + OPENSSL_free(s->s3->tmp.ctype); + s->s3->tmp.ctype = NULL; + s->s3->tmp.ctype_len = 0; - if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); + /* TODO(TLS1.3) need to process request context, for now ignore */ + if (!PACKET_get_length_prefixed_1(pkt, &reqctx)) { SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH); goto err; } - /* Clear certificate validity flags */ - for (i = 0; i < SSL_PKEY_NUM; i++) - s->s3->tmp.valid_flags[i] = 0; - if (!tls1_save_sigalgs(s, &sigalgs)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, - SSL_R_SIGNATURE_ALGORITHMS_ERROR); + if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { + SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_BAD_LENGTH); + goto err; + } + if (!tls_collect_extensions(s, &extensions, + SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, + &rawexts, &al, NULL) + || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, + rawexts, NULL, 0, &al)) { + OPENSSL_free(rawexts); goto err; } + OPENSSL_free(rawexts); if (!tls1_process_sigalgs(s)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); goto err; } - } - - /* get the CA RDNs */ - if (!PACKET_get_net_2(pkt, &list_len) - || PACKET_remaining(pkt) != list_len) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH); - goto err; - } + } else { + PACKET ctypes; - while (PACKET_remaining(pkt)) { - if (!PACKET_get_net_2(pkt, &name_len) - || !PACKET_get_bytes(pkt, &namebytes, name_len)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); + /* get the certificate types */ + if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) { SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH); goto err; } - namestart = namebytes; - - if ((xn = d2i_X509_NAME(NULL, (const unsigned char **)&namebytes, - name_len)) == NULL) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB); + if (!PACKET_memdup(&ctypes, &s->s3->tmp.ctype, &s->s3->tmp.ctype_len)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); goto err; } - if (namebytes != (namestart + name_len)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, - SSL_R_CA_DN_LENGTH_MISMATCH); - goto err; + if (SSL_USE_SIGALGS(s)) { + PACKET sigalgs; + + if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) { + SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, + SSL_R_LENGTH_MISMATCH); + goto err; + } + + if (!tls1_save_sigalgs(s, &sigalgs)) { + SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, + SSL_R_SIGNATURE_ALGORITHMS_ERROR); + goto err; + } + if (!tls1_process_sigalgs(s)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, + ERR_R_MALLOC_FAILURE); + goto err; + } } - if (!sk_X509_NAME_push(ca_sk, xn)) { - SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); + + /* get the CA RDNs */ + if (!parse_ca_names(s, pkt, &al)) goto err; - } - xn = NULL; + } + + if (PACKET_remaining(pkt) != 0) { + SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH); + goto err; } /* we should setup a certificate to return.... */ s->s3->tmp.cert_req = 1; - s->s3->tmp.ctype_num = ctype_num; - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); - s->s3->tmp.ca_names = ca_sk; - ca_sk = NULL; ret = MSG_PROCESS_CONTINUE_PROCESSING; goto done; err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); ossl_statem_set_error(s); done: - X509_NAME_free(xn); - sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); return ret; } -static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b) -{ - return (X509_NAME_cmp(*a, *b)); -} - MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) { int al = SSL_AD_DECODE_ERROR; @@ -2398,9 +2512,10 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) if (!PACKET_as_length_prefixed_2(pkt, &extpkt) || !tls_collect_extensions(s, &extpkt, - EXT_TLS1_3_NEW_SESSION_TICKET, + SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts, &al, NULL) - || !tls_parse_all_extensions(s, EXT_TLS1_3_NEW_SESSION_TICKET, + || !tls_parse_all_extensions(s, + SSL_EXT_TLS1_3_NEW_SESSION_TICKET, exts, NULL, 0, &al)) { SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_BAD_EXTENSION); goto f_err; @@ -2732,12 +2847,6 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt, int *al) } EVP_PKEY_CTX_free(pctx); pctx = NULL; -# ifdef PKCS1_CHECK - if (s->options & SSL_OP_PKCS1_CHECK_1) - (*p)[1]++; - if (s->options & SSL_OP_PKCS1_CHECK_2) - tmp_buf[0] = 0x70; -# endif /* Fix buf for TLS and beyond */ if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) { @@ -2745,13 +2854,13 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt, int *al) goto err; } - s->s3->tmp.pms = pms; - s->s3->tmp.pmslen = pmslen; - /* Log the premaster secret, if logging is enabled. */ if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) goto err; + s->s3->tmp.pms = pms; + s->s3->tmp.pmslen = pmslen; + return 1; err: OPENSSL_clear_free(pms, pmslen); @@ -2871,7 +2980,7 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt, int *al) dgst_nid = NID_id_GostR3411_2012_256; /* - * Get server sertificate PKEY and create ctx from it + * Get server certificate PKEY and create ctx from it */ peer_cert = s->session->peer; if (!peer_cert) { @@ -3218,11 +3327,22 @@ int tls_construct_client_certificate(SSL *s, WPACKET *pkt) : s->cert->key, &al)) { SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return 0; + goto err; + } + + if (SSL_IS_TLS13(s) + && SSL_IS_FIRST_HANDSHAKE(s) + && (!s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { + SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, + SSL_R_CANNOT_CHANGE_CIPHER); + goto err; } return 1; + err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return 0; } #define has_bits(i,m) (((i)&(m)) == (m)) @@ -3361,9 +3481,10 @@ static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt) goto err; } - if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_ENCRYPTED_EXTENSIONS, - &rawexts, &al, NULL) - || !tls_parse_all_extensions(s, EXT_TLS1_3_ENCRYPTED_EXTENSIONS, + if (!tls_collect_extensions(s, &extensions, + SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts, + &al, NULL) + || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, rawexts, NULL, 0, &al)) goto err; @@ -3470,3 +3591,16 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) return 1; } + +int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt) +{ + if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY + && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) { + SSLerr(SSL_F_TLS_CONSTRUCT_END_OF_EARLY_DATA, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + + s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; + return 1; +}