int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
{
- EVP_PKEY *pkey;
- const EVP_MD *md;
+ EVP_PKEY *pkey = NULL;
+ const EVP_MD *md = NULL;
EVP_MD_CTX *mctx = NULL;
EVP_PKEY_CTX *pctx = NULL;
size_t hdatalen = 0, siglen = 0;
void *hdata;
unsigned char *sig = NULL;
unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
- int pktype, ispss = 0;
+ const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
- if (s->server) {
- /* Only happens in TLSv1.3 */
- /*
- * TODO(TLS1.3): This needs to change. We should not get this from the
- * cipher. However, for now, we have not done the work to separate the
- * certificate type from the ciphersuite
- */
- pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md);
- if (pkey == NULL)
- goto err;
- } else {
- md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
- pkey = s->cert->key->privatekey;
+ if (lu == NULL || s->s3->tmp.cert == NULL) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ pkey = s->s3->tmp.cert->privatekey;
+ md = ssl_md(lu->hash_idx);
+
+ if (pkey == NULL || md == NULL) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
+ goto err;
}
- pktype = EVP_PKEY_id(pkey);
mctx = EVP_MD_CTX_new();
if (mctx == NULL) {
goto err;
}
- if (SSL_USE_SIGALGS(s) && !tls12_get_sigandhash(s, pkt, pkey, md, &ispss)) {
+ if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
-#ifdef SSL_DEBUG
- fprintf(stderr, "Using client alg %s\n", EVP_MD_name(md));
-#endif
siglen = EVP_PKEY_size(pkey);
sig = OPENSSL_malloc(siglen);
if (sig == NULL) {
goto err;
}
- if (ispss) {
+ if (lu->sig == EVP_PKEY_RSA_PSS) {
if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
|| EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
RSA_PSS_SALTLEN_DIGEST) <= 0) {
#ifndef OPENSSL_NO_GOST
{
+ int pktype = lu->sig;
+
if (pktype == NID_id_GostR3410_2001
|| pktype == NID_id_GostR3410_2012_256
|| pktype == NID_id_GostR3410_2012_512)
peer = s->session->peer;
pkey = X509_get0_pubkey(peer);
+ if (pkey == NULL) {
+ al = SSL_AD_INTERNAL_ERROR;
+ goto f_err;
+ }
+
pktype = EVP_PKEY_id(pkey);
type = X509_certificate_type(peer, pkey);
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
- md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);
#ifdef SSL_DEBUG
fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif
- } else {
- /* Use default digest for this key type */
- int idx = ssl_cert_type(NULL, pkey);
- if (idx >= 0)
- md = s->s3->tmp.md[idx];
- if (md == NULL) {
+ } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
al = SSL_AD_INTERNAL_ERROR;
goto f_err;
- }
}
+ md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);
+
if (!PACKET_get_net_2(pkt, &len)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
al = SSL_AD_DECODE_ERROR;
return 0;
}
+int tls_construct_key_update(SSL *s, WPACKET *pkt)
+{
+ if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_KEY_UPDATE, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+
+ s->key_update = SSL_KEY_UPDATE_NONE;
+ return 1;
+
+ err:
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return 0;
+}
+
+MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
+{
+ int al;
+ unsigned int updatetype;
+
+ s->key_update_count++;
+ if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) {
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_TOO_MANY_KEY_UPDATES);
+ goto err;
+ }
+
+ if (!PACKET_get_1(pkt, &updatetype)
+ || PACKET_remaining(pkt) != 0
+ || (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
+ && updatetype != SSL_KEY_UPDATE_REQUESTED)) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_BAD_KEY_UPDATE);
+ goto err;
+ }
+
+ /*
+ * If we get a request for us to update our sending keys too then, we need
+ * to additionally send a KeyUpdate message. However that message should
+ * not also request an update (otherwise we get into an infinite loop).
+ */
+ if (updatetype == SSL_KEY_UPDATE_REQUESTED)
+ s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
+
+ if (!tls13_update_key(s, 0)) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+
+ return MSG_PROCESS_FINISHED_READING;
+ err:
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ ossl_statem_set_error(s);
+ return MSG_PROCESS_ERROR;
+}
+
#ifndef OPENSSL_NO_NEXTPROTONEG
/*
* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
default:
return -1;
case EVP_PKEY_RSA:
- return SSL_PKEY_RSA_ENC;
+ return SSL_PKEY_RSA;
case EVP_PKEY_DSA:
return SSL_PKEY_DSA_SIGN;
#ifndef OPENSSL_NO_EC
return SSL_R_UNSUPPORTED_PROTOCOL;
if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
- else if ((method->flags & SSL_METHOD_NO_FIPS) != 0 && FIPS_mode())
- return SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE;
return 0;
}
switch (server_version) {
default:
+ if (!SSL_IS_TLS13(s)) {
+ if (version_cmp(s, client_version, s->version) < 0)
+ return SSL_R_WRONG_SSL_VERSION;
+ /*
+ * If this SSL handle is not from a version flexible method we don't
+ * (and never did) check min/max FIPS or Suite B constraints. Hope
+ * that's OK. It is up to the caller to not choose fixed protocol
+ * versions they don't want. If not, then easy to fix, just return
+ * ssl_method_error(s, s->method)
+ */
+ return 0;
+ }
/*
- * TODO(TLS1.3): This check will fail if someone attempts to do
- * renegotiation in TLS1.3 at the moment. We need to ensure we disable
- * renegotiation for TLS1.3
+ * Fall through if we are TLSv1.3 already (this means we must be after
+ * a HelloRetryRequest
*/
- if (version_cmp(s, client_version, s->version) < 0)
- return SSL_R_WRONG_SSL_VERSION;
- /*
- * If this SSL handle is not from a version flexible method we don't
- * (and never did) check min/max FIPS or Suite B constraints. Hope
- * that's OK. It is up to the caller to not choose fixed protocol
- * versions they don't want. If not, then easy to fix, just return
- * ssl_method_error(s, s->method)
- */
- return 0;
case TLS_ANY_VERSION:
table = tls_version_table;
break;
}
if (best_vers > 0) {
+ if (SSL_IS_TLS13(s)) {
+ /*
+ * We get here if this is after a HelloRetryRequest. In this
+ * case we just check that we still negotiated TLSv1.3
+ */
+ if (best_vers != TLS1_3_VERSION)
+ return SSL_R_UNSUPPORTED_PROTOCOL;
+ return 0;
+ }
s->version = best_vers;
s->method = best_method;
return 0;
continue;
if (vent->cmeth == NULL)
break;
+ if (s->hello_retry_request && version != TLS1_3_VERSION)
+ return SSL_R_WRONG_SSL_VERSION;
+
method = vent->cmeth();
err = ssl_method_error(s, method);
if (err != 0)
* Work out what version we should be using for the initial ClientHello if the
* version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
* options, the MinProtocol and MaxProtocol configuration commands, any Suite B
- * or FIPS_mode() constraints and any floor imposed by the security level here,
+ * constraints and any floor imposed by the security level here,
* so we don't advertise the wrong protocol version to only reject the outcome later.
*
* Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
s->client_version = ver_max;
return 0;
}
+
+/*
+ * Checks a list of |groups| to determine if the |group_id| is in it. If it is
+ * and |checkallow| is 1 then additionally check if the group is allowed to be
+ * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
+ * 1) or 0 otherwise.
+ */
+#ifndef OPENSSL_NO_EC
+int check_in_list(SSL *s, unsigned int group_id, const unsigned char *groups,
+ size_t num_groups, int checkallow)
+{
+ size_t i;
+
+ if (groups == NULL || num_groups == 0)
+ return 0;
+
+ for (i = 0; i < num_groups; i++, groups += 2) {
+ unsigned int share_id = (groups[0] << 8) | (groups[1]);
+
+ if (group_id == share_id
+ && (!checkallow
+ || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
+ break;
+ }
+ }
+
+ /* If i == num_groups then not in the list */
+ return i < num_groups;
+}
+#endif