#include <openssl/bn.h>
#include <openssl/engine.h>
+static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
+
static ossl_inline int cert_req_allowed(SSL *s);
static int key_exchange_expected(SSL *s);
static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
return 0;
}
+/*
+ * ossl_statem_client_read_transition() encapsulates the logic for the allowed
+ * handshake state transitions when a TLS1.3 client is reading messages from the
+ * server. The message type that the server has sent is provided in |mt|. The
+ * current state is in |s->statem.hand_state|.
+ *
+ * Return values are 1 for success (transition allowed) and 0 on error
+ * (transition not allowed)
+ */
+static int ossl_statem_client13_read_transition(SSL *s, int mt)
+{
+ OSSL_STATEM *st = &s->statem;
+
+ /*
+ * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time
+ * we will update this to look more like real TLSv1.3
+ */
+
+ /*
+ * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't
+ * yet negotiated TLSv1.3 at that point so that is handled by
+ * ossl_statem_client_read_transition()
+ */
+
+ switch (st->hand_state) {
+ default:
+ break;
+
+ case TLS_ST_CR_SRVR_HELLO:
+ if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) {
+ st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS;
+ return 1;
+ }
+ break;
+
+ case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
+ if (s->hit) {
+ if (mt == SSL3_MT_FINISHED) {
+ st->hand_state = TLS_ST_CR_FINISHED;
+ return 1;
+ }
+ } else {
+ if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
+ st->hand_state = TLS_ST_CR_CERT_REQ;
+ return 1;
+ }
+ if (mt == SSL3_MT_CERTIFICATE) {
+ st->hand_state = TLS_ST_CR_CERT;
+ return 1;
+ }
+ }
+ break;
+
+ case TLS_ST_CR_CERT_REQ:
+ if (mt == SSL3_MT_CERTIFICATE) {
+ st->hand_state = TLS_ST_CR_CERT;
+ return 1;
+ }
+ break;
+
+ case TLS_ST_CR_CERT:
+ if (mt == SSL3_MT_FINISHED) {
+ st->hand_state = TLS_ST_CR_FINISHED;
+ return 1;
+ }
+ break;
+
+ }
+
+ /* No valid transition found */
+ return 0;
+}
+
/*
* ossl_statem_client_read_transition() encapsulates the logic for the allowed
* handshake state transitions when the client is reading messages from the
* server. The message type that the server has sent is provided in |mt|. The
* current state is in |s->statem.hand_state|.
*
- * Return values are:
- * 1: Success (transition allowed)
- * 0: Error (transition not allowed)
+ * Return values are 1 for success (transition allowed) and 0 on error
+ * (transition not allowed)
*/
int ossl_statem_client_read_transition(SSL *s, int mt)
{
OSSL_STATEM *st = &s->statem;
int ske_expected;
+ /*
+ * Note that after a ClientHello we don't know what version we are going
+ * to negotiate yet, so we don't take this branch until later
+ */
+ if (SSL_IS_TLS13(s)) {
+ if (!ossl_statem_client13_read_transition(s, mt))
+ goto err;
+ return 1;
+ }
+
switch (st->hand_state) {
default:
break;
}
/*
- * client_write_transition() works out what handshake state to move to next
- * when the client is writing messages to be sent to the server.
+ * ossl_statem_client13_write_transition() works out what handshake state to
+ * move to next when the TLSv1.3 client is writing messages to be sent to the
+ * server.
+ */
+static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
+{
+ OSSL_STATEM *st = &s->statem;
+
+ /*
+ * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time
+ * we will update this to look more like real TLSv1.3
+ */
+
+ /*
+ * Note: There are no cases for TLS_ST_BEFORE or TLS_ST_CW_CLNT_HELLO,
+ * because we haven't negotiated TLSv1.3 yet at that point. They are
+ * handled by ossl_statem_client_write_transition().
+ */
+ switch (st->hand_state) {
+ default:
+ /* Shouldn't happen */
+ return WRITE_TRAN_ERROR;
+
+ case TLS_ST_CR_FINISHED:
+ st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT
+ : TLS_ST_CW_FINISHED;
+ return WRITE_TRAN_CONTINUE;
+
+ case TLS_ST_CW_CERT:
+ /* If a non-empty Certificate we also send CertificateVerify */
+ st->hand_state = (s->s3->tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY
+ : TLS_ST_CW_FINISHED;
+ return WRITE_TRAN_CONTINUE;
+
+ case TLS_ST_CW_CERT_VRFY:
+ st->hand_state = TLS_ST_CW_FINISHED;
+ return WRITE_TRAN_CONTINUE;
+
+ case TLS_ST_CW_FINISHED:
+ st->hand_state = TLS_ST_OK;
+ ossl_statem_set_in_init(s, 0);
+ return WRITE_TRAN_CONTINUE;
+ }
+}
+
+/*
+ * ossl_statem_client_write_transition() works out what handshake state to
+ * move to next when the client is writing messages to be sent to the server.
*/
WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
{
OSSL_STATEM *st = &s->statem;
+ /*
+ * Note that immediately before/after a ClientHello we don't know what
+ * version we are going to negotiate yet, so we don't take this branch until
+ * later
+ */
+ if (SSL_IS_TLS13(s))
+ return ossl_statem_client13_write_transition(s);
+
switch (st->hand_state) {
default:
/* Shouldn't happen */
#endif
if (statem_flush(s) != 1)
return WORK_MORE_B;
+
+ if (SSL_IS_TLS13(s)) {
+ if (!s->method->ssl3_enc->change_cipher_state(s,
+ SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE))
+ return WORK_ERROR;
+ }
break;
}
* Returns the maximum allowed length for the current message that we are
* reading. Excludes the message header.
*/
-unsigned long ossl_statem_client_max_message_size(SSL *s)
+size_t ossl_statem_client_max_message_size(SSL *s)
{
OSSL_STATEM *st = &s->statem;
case TLS_ST_CR_FINISHED:
return FINISHED_MAX_LENGTH;
+
+ case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
+ return ENCRYPTED_EXTENSIONS_MAX_LENGTH;
}
}
case TLS_ST_CR_FINISHED:
return tls_process_finished(s, pkt);
+
+ case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
+ return tls_process_encrypted_extensions(s, pkt);
}
}
int tls_construct_client_hello(SSL *s, WPACKET *pkt)
{
unsigned char *p;
- int i;
- int protverr;
+ size_t sess_id_len;
+ int i, protverr;
int al = SSL_AD_HANDSHAKE_FAILURE;
#ifndef OPENSSL_NO_COMP
SSL_COMP *comp;
* TLS 1.0 and renegotiating with TLS 1.2. We do this by using
* client_version in client hello and not resetting it to
* the negotiated version.
+ *
+ * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
+ * supported_versions extension for the real supported versions.
*/
if (!WPACKET_put_bytes_u16(pkt, s->client_version)
|| !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) {
/* Session ID */
if (s->new_session)
- i = 0;
+ sess_id_len = 0;
else
- i = s->session->session_id_length;
- if (i > (int)sizeof(s->session->session_id)
+ sess_id_len = s->session->session_id_length;
+ if (sess_id_len > sizeof(s->session->session_id)
|| !WPACKET_start_sub_packet_u8(pkt)
- || (i != 0 && !WPACKET_memcpy(pkt, s->session->session_id, i))
+ || (sess_id_len != 0 && !WPACKET_memcpy(pkt, s->session->session_id,
+ sess_id_len))
|| !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return 0;
}
/* TLS extensions */
- if (ssl_prepare_clienthello_tlsext(s) <= 0) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
- return 0;
- }
- if (!WPACKET_start_sub_packet_u16(pkt)
- /*
- * If extensions are of zero length then we don't even add the
- * extensions length bytes
- */
- || !WPACKET_set_flags(pkt, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH)
- || !ssl_add_clienthello_tlsext(s, pkt, &al)
- || !WPACKET_close(pkt)) {
+ if (!tls_construct_extensions(s, pkt, EXT_CLIENT_HELLO, NULL, 0, &al)) {
ssl3_send_alert(s, SSL3_AL_FATAL, al);
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return 0;
MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt)
{
int al;
- unsigned int cookie_len;
+ size_t cookie_len;
PACKET cookiepkt;
if (!PACKET_forward(pkt, 2)
{
STACK_OF(SSL_CIPHER) *sk;
const SSL_CIPHER *c;
- PACKET session_id;
+ PACKET session_id, extpkt;
size_t session_id_len;
const unsigned char *cipherchars;
int i, al = SSL_AD_INTERNAL_ERROR;
unsigned int compression;
unsigned int sversion;
+ unsigned int context;
int protverr;
+ RAW_EXTENSION *extensions = NULL;
#ifndef OPENSSL_NO_COMP
SSL_COMP *comp;
#endif
s->hit = 0;
/* Get the session-id. */
- if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
- goto f_err;
- }
- session_id_len = PACKET_remaining(&session_id);
- if (session_id_len > sizeof s->session->session_id
- || session_id_len > SSL3_SESSION_ID_SIZE) {
- al = SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG);
- goto f_err;
+ if (!SSL_IS_TLS13(s)) {
+ if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+ session_id_len = PACKET_remaining(&session_id);
+ if (session_id_len > sizeof s->session->session_id
+ || session_id_len > SSL3_SESSION_ID_SIZE) {
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
+ SSL_R_SSL3_SESSION_ID_TOO_LONG);
+ goto f_err;
+ }
+ } else {
+ PACKET_null_init(&session_id);
+ session_id_len = 0;
}
if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
* we can resume, and later peek at the next handshake message to see if the
* server wants to resume.
*/
- if (s->version >= TLS1_VERSION && s->tls_session_secret_cb &&
- s->session->tlsext_tick) {
+ if (s->version >= TLS1_VERSION && !SSL_IS_TLS13(s)
+ && s->tls_session_secret_cb != NULL && s->session->tlsext_tick) {
const SSL_CIPHER *pref_cipher = NULL;
- s->session->master_key_length = sizeof(s->session->master_key);
+ /*
+ * s->session->master_key_length is a size_t, but this is an int for
+ * backwards compat reasons
+ */
+ int master_key_length;
+ master_key_length = sizeof(s->session->master_key);
if (s->tls_session_secret_cb(s, s->session->master_key,
- &s->session->master_key_length,
+ &master_key_length,
NULL, &pref_cipher,
- s->tls_session_secret_cb_arg)) {
+ s->tls_session_secret_cb_arg)
+ && master_key_length > 0) {
+ s->session->master_key_length = master_key_length;
s->session->cipher = pref_cipher ?
pref_cipher : ssl_get_cipher_by_char(s, cipherchars);
} else {
s->session->ssl_version = s->version;
s->session->session_id_length = session_id_len;
/* session_id_len could be 0 */
- memcpy(s->session->session_id, PACKET_data(&session_id),
- session_id_len);
+ if (session_id_len > 0)
+ memcpy(s->session->session_id, PACKET_data(&session_id),
+ session_id_len);
}
/* Session version and negotiated protocol version should match */
s->s3->tmp.new_cipher = c;
/* lets get the compression algorithm */
/* COMPRESSION */
- if (!PACKET_get_1(pkt, &compression)) {
- SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
- al = SSL_AD_DECODE_ERROR;
- goto f_err;
+ if (!SSL_IS_TLS13(s)) {
+ if (!PACKET_get_1(pkt, &compression)) {
+ SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
+ al = SSL_AD_DECODE_ERROR;
+ goto f_err;
+ }
+ } else {
+ compression = 0;
}
+
#ifdef OPENSSL_NO_COMP
if (compression != 0) {
al = SSL_AD_ILLEGAL_PARAMETER;
#endif
/* TLS extensions */
- if (!ssl_parse_serverhello_tlsext(s, pkt)) {
- SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_PARSE_TLSEXT);
- goto err;
- }
-
- if (PACKET_remaining(pkt) != 0) {
- /* wrong packet length */
+ if (PACKET_remaining(pkt) == 0) {
+ PACKET_null_init(&extpkt);
+ } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)) {
al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH);
+ SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_LENGTH);
goto f_err;
}
+
+ context = SSL_IS_TLS13(s) ? EXT_TLS1_3_SERVER_HELLO
+ : EXT_TLS1_2_SERVER_HELLO;
+ if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al)
+ || !tls_parse_all_extensions(s, context, extensions, NULL, 0, &al))
+ goto f_err;
+
#ifndef OPENSSL_NO_SCTP
if (SSL_IS_DTLS(s) && s->hit) {
unsigned char sctpauthkey[64];
sizeof(sctpauthkey),
labelbuffer,
sizeof(labelbuffer), NULL, 0, 0) <= 0)
- goto err;
+ goto f_err;
BIO_ctrl(SSL_get_wbio(s),
BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
}
#endif
+ /*
+ * In TLSv1.3 we have some post-processing to change cipher state, otherwise
+ * we're done with this message
+ */
+ if (SSL_IS_TLS13(s)
+ && (!s->method->ssl3_enc->setup_key_block(s)
+ || !s->method->ssl3_enc->change_cipher_state(s,
+ SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE)
+ || !s->method->ssl3_enc->change_cipher_state(s,
+ SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_CANNOT_CHANGE_CIPHER);
+ goto f_err;
+ }
+
+ OPENSSL_free(extensions);
return MSG_PROCESS_CONTINUE_READING;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
- err:
ossl_statem_set_error(s);
+ OPENSSL_free(extensions);
return MSG_PROCESS_ERROR;
}
const unsigned char *certstart, *certbytes;
STACK_OF(X509) *sk = NULL;
EVP_PKEY *pkey = NULL;
+ size_t chain;
+ unsigned int context = 0;
if ((sk = sk_X509_new_null()) == NULL) {
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
goto err;
}
- if (!PACKET_get_net_3(pkt, &cert_list_len)
- || PACKET_remaining(pkt) != cert_list_len) {
+ if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context))
+ || context != 0
+ || !PACKET_get_net_3(pkt, &cert_list_len)
+ || PACKET_remaining(pkt) != cert_list_len) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
goto f_err;
}
- while (PACKET_remaining(pkt)) {
+ for (chain = 0; PACKET_remaining(pkt); chain++) {
if (!PACKET_get_net_3(pkt, &cert_len)
|| !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
al = SSL_AD_DECODE_ERROR;
SSL_R_CERT_LENGTH_MISMATCH);
goto f_err;
}
+
+ if (SSL_IS_TLS13(s)) {
+ RAW_EXTENSION *rawexts = NULL;
+ PACKET extensions;
+
+ if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_BAD_LENGTH);
+ goto f_err;
+ }
+ if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE,
+ &rawexts, &al)
+ || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE,
+ rawexts, x, chain, &al))
+ goto f_err;
+ }
+
if (!sk_X509_push(sk, x)) {
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
goto err;
}
i = ssl_verify_cert_chain(s, sk);
- if ((s->verify_mode & SSL_VERIFY_PEER) && i <= 0) {
+ /*
+ * The documented interface is that SSL_VERIFY_PEER should be set in order
+ * for client side verification of the server certificate to take place.
+ * However, historically the code has only checked that *any* flag is set
+ * to cause server verification to take place. Use of the other flags makes
+ * no sense in client mode. An attempt to clean up the semantics was
+ * reverted because at least one application *only* set
+ * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
+ * server verification to take place, after the clean up it silently did
+ * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
+ * sent to them because they are void functions. Therefore, we now use the
+ * (less clean) historic behaviour of performing validation if any flag is
+ * set. The *documented* interface remains the same.
+ */
+ if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
al = ssl_verify_alarm_type(s->verify_result);
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSL_R_CERTIFICATE_VERIFY_FAILED);
return 0;
}
+ /* TODO(size_t): Convert BN_bin2bn() calls */
if ((s->srp_ctx.N =
BN_bin2bn(PACKET_data(&prime),
- PACKET_remaining(&prime), NULL)) == NULL
+ (int)PACKET_remaining(&prime), NULL)) == NULL
|| (s->srp_ctx.g =
BN_bin2bn(PACKET_data(&generator),
- PACKET_remaining(&generator), NULL)) == NULL
+ (int)PACKET_remaining(&generator), NULL)) == NULL
|| (s->srp_ctx.s =
BN_bin2bn(PACKET_data(&salt),
- PACKET_remaining(&salt), NULL)) == NULL
+ (int)PACKET_remaining(&salt), NULL)) == NULL
|| (s->srp_ctx.B =
BN_bin2bn(PACKET_data(&server_pub),
- PACKET_remaining(&server_pub), NULL)) == NULL) {
+ (int)PACKET_remaining(&server_pub), NULL)) == NULL) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, ERR_R_BN_LIB);
return 0;
goto err;
}
- p = BN_bin2bn(PACKET_data(&prime), PACKET_remaining(&prime), NULL);
- g = BN_bin2bn(PACKET_data(&generator), PACKET_remaining(&generator), NULL);
- bnpub_key = BN_bin2bn(PACKET_data(&pub_key), PACKET_remaining(&pub_key),
- NULL);
+ /* TODO(size_t): Convert these calls */
+ p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL);
+ g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator),
+ NULL);
+ bnpub_key = BN_bin2bn(PACKET_data(&pub_key),
+ (int)PACKET_remaining(&pub_key), NULL);
if (p == NULL || g == NULL || bnpub_key == NULL) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB);
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
goto err;
}
+ /* TODO(size_t): Convert this call */
if (EVP_VerifyFinal(md_ctx, PACKET_data(&signature),
- PACKET_remaining(&signature), pkey) <= 0) {
+ (unsigned int)PACKET_remaining(&signature),
+ pkey) <= 0) {
/* bad signature */
EVP_MD_CTX_free(md_ctx);
al = SSL_AD_DECRYPT_ERROR;
goto err;
}
memcpy(s->cert->ctypes, data, ctype_num);
- s->cert->ctype_num = (size_t)ctype_num;
+ s->cert->ctype_num = ctype_num;
ctype_num = SSL3_CT_NUMBER;
}
for (i = 0; i < ctype_num; i++)
int al;
unsigned int ticklen;
unsigned long ticket_lifetime_hint;
+ unsigned int sess_len;
if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
|| !PACKET_get_net_2(pkt, &ticklen)
* elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
* SHA256 is disabled) hash of the ticket.
*/
+ /*
+ * TODO(size_t): we use sess_len here because EVP_Digest expects an int
+ * but s->session->session_id_length is a size_t
+ */
if (!EVP_Digest(s->session->tlsext_tick, ticklen,
- s->session->session_id, &s->session->session_id_length,
+ s->session->session_id, &sess_len,
EVP_sha256(), NULL)) {
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_EVP_LIB);
goto err;
}
+ s->session->session_id_length = sess_len;
return MSG_PROCESS_CONTINUE_READING;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return MSG_PROCESS_ERROR;
}
-MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
+/*
+ * In TLSv1.3 this is called from the extensions code, otherwise it is used to
+ * parse a separate message. Returns 1 on success or 0 on failure. On failure
+ * |*al| is populated with a suitable alert code.
+ */
+int tls_process_cert_status_body(SSL *s, PACKET *pkt, int *al)
{
- int al;
- unsigned long resplen;
+ size_t resplen;
unsigned int type;
if (!PACKET_get_1(pkt, &type)
|| type != TLSEXT_STATUSTYPE_ocsp) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE);
- goto f_err;
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
+ SSL_R_UNSUPPORTED_STATUS_TYPE);
+ return 0;
}
- if (!PACKET_get_net_3(pkt, &resplen)
+ if (!PACKET_get_net_3_len(pkt, &resplen)
|| PACKET_remaining(pkt) != resplen) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
- goto f_err;
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH);
+ return 0;
}
s->tlsext_ocsp_resp = OPENSSL_malloc(resplen);
if (s->tlsext_ocsp_resp == NULL) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, ERR_R_MALLOC_FAILURE);
- goto f_err;
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, ERR_R_MALLOC_FAILURE);
+ return 0;
}
if (!PACKET_copy_bytes(pkt, s->tlsext_ocsp_resp, resplen)) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
- goto f_err;
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH);
+ return 0;
}
s->tlsext_ocsp_resplen = resplen;
- return MSG_PROCESS_CONTINUE_READING;
- f_err:
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
- ossl_statem_set_error(s);
- return MSG_PROCESS_ERROR;
+
+ return 1;
}
+
-MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
+MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
{
- if (PACKET_remaining(pkt) > 0) {
- /* should contain no data */
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_LENGTH_MISMATCH);
+ int al;
+
+ if (!tls_process_cert_status_body(s, pkt, &al)) {
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR;
}
-#ifndef OPENSSL_NO_SRP
- if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
- if (SRP_Calc_A_param(s) <= 0) {
- SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_SRP_A_CALC);
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- ossl_statem_set_error(s);
- return MSG_PROCESS_ERROR;
- }
- }
-#endif
+ return MSG_PROCESS_CONTINUE_READING;
+}
+
+/*
+ * Perform miscellaneous checks and processing after we have received the
+ * server's initial flight. In TLS1.3 this is after the Server Finished message.
+ * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0
+ * on failure.
+ */
+int tls_process_initial_server_flight(SSL *s, int *al)
+{
/*
* at this point we check that we have the required stuff from
* the server
*/
if (!ssl3_check_cert_and_algorithm(s)) {
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
- ossl_statem_set_error(s);
- return MSG_PROCESS_ERROR;
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ return 0;
}
/*
* |tlsext_ocsp_resplen| values will be set if we actually received a status
* message, or NULL and -1 otherwise
*/
- if (s->tlsext_status_type != -1 && s->ctx->tlsext_status_cb != NULL) {
+ if (s->tlsext_status_type != TLSEXT_STATUSTYPE_nothing
+ && s->ctx->tlsext_status_cb != NULL) {
int ret;
ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
if (ret == 0) {
- ssl3_send_alert(s, SSL3_AL_FATAL,
- SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
- SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE,
+ *al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
+ SSLerr(SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
SSL_R_INVALID_STATUS_RESPONSE);
- return MSG_PROCESS_ERROR;
+ return 0;
}
if (ret < 0) {
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, ERR_R_MALLOC_FAILURE);
- return MSG_PROCESS_ERROR;
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
+ ERR_R_MALLOC_FAILURE);
+ return 0;
}
}
#ifndef OPENSSL_NO_CT
if (s->ct_validation_callback != NULL) {
/* Note we validate the SCTs whether or not we abort on error */
if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
- return MSG_PROCESS_ERROR;
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ return 0;
+ }
+ }
+#endif
+
+ return 1;
+}
+
+MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
+{
+ int al = SSL_AD_INTERNAL_ERROR;
+
+ if (PACKET_remaining(pkt) > 0) {
+ /* should contain no data */
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_LENGTH_MISMATCH);
+ goto err;
+ }
+#ifndef OPENSSL_NO_SRP
+ if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
+ if (SRP_Calc_A_param(s) <= 0) {
+ SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_SRP_A_CALC);
+ goto err;
}
}
#endif
+ /*
+ * Error queue messages are generated directly by this function
+ */
+ if (!tls_process_initial_server_flight(s, &al))
+ goto err;
+
#ifndef OPENSSL_NO_SCTP
/* Only applies to renegotiation */
if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))
else
#endif
return MSG_PROCESS_FINISHED_READING;
+
+ err:
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ ossl_statem_set_error(s);
+ return MSG_PROCESS_ERROR;
}
static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt, int *al)
pms[0] = s->client_version >> 8;
pms[1] = s->client_version & 0xff;
- if (RAND_bytes(pms + 2, pmslen - 2) <= 0) {
+ /* TODO(size_t): Convert this function */
+ if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) {
goto err;
}
goto err;
ckey = ssl_generate_pkey(skey);
+ if (ckey == NULL)
+ goto err;
+
dh_clnt = EVP_PKEY_get0_DH(ckey);
- if (dh_clnt == NULL || ssl_derive(s, ckey, skey) == 0)
+ if (dh_clnt == NULL || ssl_derive(s, ckey, skey, 0) == 0)
goto err;
/* send off the data */
{
#ifndef OPENSSL_NO_EC
unsigned char *encodedPoint = NULL;
- int encoded_pt_len = 0;
+ size_t encoded_pt_len = 0;
EVP_PKEY *ckey = NULL, *skey = NULL;
int ret = 0;
}
ckey = ssl_generate_pkey(skey);
+ if (ckey == NULL) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
- if (ssl_derive(s, ckey, skey) == 0) {
+ if (ssl_derive(s, ckey, skey, 0) == 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EVP_LIB);
goto err;
}
}
if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
- /* Generate session key */
- || RAND_bytes(pms, pmslen) <= 0) {
+ /* Generate session key
+ * TODO(size_t): Convert this function
+ */
+ || RAND_bytes(pms, (int)pmslen) <= 0) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
goto err;
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
+
if (SSL_USE_SIGALGS(s)&& !tls12_get_sigandhash(pkt, pkey, md)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
|| !EVP_SignUpdate(mctx, hdata, hdatalen)
|| (s->version == SSL3_VERSION
&& !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
- s->session->master_key_length,
+ (int)s->session->master_key_length,
s->session->master_key))
|| !EVP_SignFinal(mctx, sig, &u, pkey)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_EVP_LIB);
int tls_construct_client_certificate(SSL *s, WPACKET *pkt)
{
- if (!ssl3_output_cert_chain(s, pkt,
+ int al = SSL_AD_INTERNAL_ERROR;
+
+ /*
+ * TODO(TLS1.3): For now we must put an empty context. Needs to be filled in
+ * later
+ */
+ if ((SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0))
+ || !ssl3_output_cert_chain(s, pkt,
(s->s3->tmp.cert_req == 2) ? NULL
- : s->cert->key)) {
+ : s->cert->key,
+ &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
return 0;
}
}
#endif
+static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt)
+{
+ int al = SSL_AD_INTERNAL_ERROR;
+ PACKET extensions;
+ RAW_EXTENSION *rawexts = NULL;
+
+ if (!PACKET_as_length_prefixed_2(pkt, &extensions)) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS, SSL_R_LENGTH_MISMATCH);
+ goto err;
+ }
+
+ if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
+ &rawexts, &al)
+ || !tls_parse_all_extensions(s, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
+ rawexts, NULL, 0, &al))
+ goto err;
+
+ OPENSSL_free(rawexts);
+ return MSG_PROCESS_CONTINUE_READING;
+
+ err:
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ ossl_statem_set_error(s);
+ OPENSSL_free(rawexts);
+ return MSG_PROCESS_ERROR;
+}
+
int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
{
int i = 0;