-rw-r--r--src/lib/libssl/ssl_both.c148
-rw-r--r--src/lib/libssl/ssl_clnt.c194
-rw-r--r--src/lib/libssl/ssl_locl.h37
-rw-r--r--src/lib/libssl/ssl_srvr.c188
4 files changed, 342 insertions, 225 deletions
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index cfd32387d6..801b5bea29 100644
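--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.42 2022/02/05 14:54:10 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.43 2022/10/01 16:23:15 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -161,152 +161,6 @@ ssl3_do_write(SSL *s, int type)
  return (0);
 }
 
-int
-ssl3_send_finished(SSL *s, int state_a, int state_b)
-{
- CBB cbb, finished;
-
- memset(&cbb, 0, sizeof(cbb));
-
- if (s->s3->hs.state == state_a) {
- if (!tls12_derive_finished(s))
- goto err;
-
- /* Copy finished so we can use it for renegotiation checks. */
- if (!s->server) {
- memcpy(s->s3->previous_client_finished,
- s->s3->hs.finished, s->s3->hs.finished_len);
- s->s3->previous_client_finished_len =
- s->s3->hs.finished_len;
- } else {
- memcpy(s->s3->previous_server_finished,
- s->s3->hs.finished, s->s3->hs.finished_len);
- s->s3->previous_server_finished_len =
- s->s3->hs.finished_len;
- }
-
- if (!ssl3_handshake_msg_start(s, &cbb, &finished,
- SSL3_MT_FINISHED))
- goto err;
- if (!CBB_add_bytes(&finished, s->s3->hs.finished,
- s->s3->hs.finished_len))
- goto err;
- if (!ssl3_handshake_msg_finish(s, &cbb))
- goto err;
-
- s->s3->hs.state = state_b;
- }
-
- return (ssl3_handshake_write(s));
-
- err:
- CBB_cleanup(&cbb);
-
- return (-1);
-}
-
-int
-ssl3_get_finished(SSL *s, int a, int b)
-{
- int al, md_len, ret;
- CBS cbs;
-
- /* should actually be 36+4 :-) */
- if ((ret = ssl3_get_message(s, a, b, SSL3_MT_FINISHED, 64)) <= 0)
- return ret;
-
- /* If this occurs, we have missed a message */
- if (!s->s3->change_cipher_spec) {
- al = SSL_AD_UNEXPECTED_MESSAGE;
- SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
- goto fatal_err;
- }
- s->s3->change_cipher_spec = 0;
-
- md_len = TLS1_FINISH_MAC_LENGTH;
-
- if (s->internal->init_num < 0) {
- al = SSL_AD_DECODE_ERROR;
- SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
- goto fatal_err;
- }
-
- CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
-
- if (s->s3->hs.peer_finished_len != md_len ||
- CBS_len(&cbs) != md_len) {
- al = SSL_AD_DECODE_ERROR;
- SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
- goto fatal_err;
- }
-
- if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) {
- al = SSL_AD_DECRYPT_ERROR;
- SSLerror(s, SSL_R_DIGEST_CHECK_FAILED);
- goto fatal_err;
- }
-
- /* Copy finished so we can use it for renegotiation checks. */
- OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
- if (s->server) {
- memcpy(s->s3->previous_client_finished,
- s->s3->hs.peer_finished, md_len);
- s->s3->previous_client_finished_len = md_len;
- } else {
- memcpy(s->s3->previous_server_finished,
- s->s3->hs.peer_finished, md_len);
- s->s3->previous_server_finished_len = md_len;
- }
-
- return (1);
- fatal_err:
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
- return (0);
-}
-
-int
-ssl3_send_change_cipher_spec(SSL *s, int a, int b)
-{
- size_t outlen;
- CBB cbb;
-
- memset(&cbb, 0, sizeof(cbb));
-
- if (s->s3->hs.state == a) {
- if (!CBB_init_fixed(&cbb, s->internal->init_buf->data,
- s->internal->init_buf->length))
- goto err;
- if (!CBB_add_u8(&cbb, SSL3_MT_CCS))
- goto err;
- if (!CBB_finish(&cbb, NULL, &outlen))
- goto err;
-
- if (outlen > INT_MAX)
- goto err;
-
- s->internal->init_num = (int)outlen;
- s->internal->init_off = 0;
-
- if (SSL_is_dtls(s)) {
- s->d1->handshake_write_seq =
- s->d1->next_handshake_write_seq;
- dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
- s->d1->handshake_write_seq, 0, 0);
- dtls1_buffer_message(s, 1);
- }
-
- s->s3->hs.state = b;
- }
-
- /* SSL3_ST_CW_CHANGE_B */
- return ssl3_record_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
-
- err:
- CBB_cleanup(&cbb);
-
- return -1;
-}
-
 static int
 ssl3_add_cert(CBB *cbb, X509 *x)
 {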
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 0e50285898..8b2f209a79 100644
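--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.153 2022/08/17 07:39:19 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.154 2022/10/01 16:23:15 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -176,6 +176,25 @@
 
 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
 
+static int ssl3_send_client_hello(SSL *s);
+static int ssl3_get_dtls_hello_verify(SSL *s);
+static int ssl3_get_server_hello(SSL *s);
+static int ssl3_get_certificate_request(SSL *s);
+static int ssl3_get_new_session_ticket(SSL *s);
+static int ssl3_get_cert_status(SSL *s);
+static int ssl3_get_server_done(SSL *s);
+static int ssl3_send_client_verify(SSL *s);
+static int ssl3_send_client_certificate(SSL *s);
+static int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
+static int ssl3_send_client_key_exchange(SSL *s);
+static int ssl3_get_server_key_exchange(SSL *s);
+static int ssl3_get_server_certificate(SSL *s);
+static int ssl3_check_cert_and_algorithm(SSL *s);
+static int ssl3_check_finished(SSL *s);
+static int ssl3_send_client_change_cipher_spec(SSL *s);
+static int ssl3_send_client_finished(SSL *s);
+static int ssl3_get_server_finished(SSL *s);
+
 int
 ssl3_connect(SSL *s)
 {
@@ -469,8 +488,7 @@ ssl3_connect(SSL *s)
  case SSL3_ST_CW_CHANGE_B:
  if (SSL_is_dtls(s) && !s->internal->hit)
  dtls1_start_timer(s);
- ret = ssl3_send_change_cipher_spec(s,
- SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
+ ret = ssl3_send_client_change_cipher_spec(s);
  if (ret <= 0)
  goto end;
 
@@ -492,8 +510,7 @@ ssl3_connect(SSL *s)
  case SSL3_ST_CW_FINISHED_B:
  if (SSL_is_dtls(s) && !s->internal->hit)
  dtls1_start_timer(s);
- ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,
- SSL3_ST_CW_FINISHED_B);
+ ret = ssl3_send_client_finished(s);
  if (ret <= 0)
  goto end;
  if (!SSL_is_dtls(s))
@@ -539,8 +556,7 @@ ssl3_connect(SSL *s)
  s->d1->change_cipher_spec_ok = 1;
  else
  s->s3->flags |= SSL3_FLAGS_CCS_OK;
- ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
- SSL3_ST_CR_FINISHED_B);
+ ret = ssl3_get_server_finished(s);
  if (ret <= 0)
  goto end;
  if (SSL_is_dtls(s))
@@ -640,7 +656,7 @@ ssl3_connect(SSL *s)
  return (ret);
 }
 
-int
+static int
 ssl3_send_client_hello(SSL *s)
 {
  CBB cbb, client_hello, session_id, cookie, cipher_suites;
@@ -752,7 +768,7 @@ ssl3_send_client_hello(SSL *s)
  return (-1);
 }
 
-int
+static int
 ssl3_get_dtls_hello_verify(SSL *s)
 {
  CBS hello_verify_request, cookie;
@@ -813,7 +829,7 @@ ssl3_get_dtls_hello_verify(SSL *s)
  return -1;
 }
 
-int
+static int
 ssl3_get_server_hello(SSL *s)
 {
  CBS cbs, server_random, session_id;
@@ -1083,7 +1099,7 @@ ssl3_get_server_hello(SSL *s)
  return (-1);
 }
 
-int
+static int
 ssl3_get_server_certificate(SSL *s)
 {
  CBS cbs, cert_list, cert_data;
@@ -1280,7 +1296,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
  return 0;
 }
 
-int
+static int
 ssl3_get_server_key_exchange(SSL *s)
 {
  CBS cbs, signature;
@@ -1428,7 +1444,7 @@ ssl3_get_server_key_exchange(SSL *s)
  return (-1);
 }
 
-int
+static int
 ssl3_get_certificate_request(SSL *s)
 {
  CBS cert_request, cert_types, rdn_list;
@@ -1572,7 +1588,7 @@ ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
  return (X509_NAME_cmp(*a, *b));
 }
 
-int
+static int
 ssl3_get_new_session_ticket(SSL *s)
 {
  uint32_t lifetime_hint;
@@ -1647,7 +1663,7 @@ ssl3_get_new_session_ticket(SSL *s)
  return (-1);
 }
 
-int
+static int
 ssl3_get_cert_status(SSL *s)
 {
  CBS cert_status, response;
@@ -1748,7 +1764,7 @@ ssl3_get_cert_status(SSL *s)
  return (-1);
 }
 
-int
+static int
 ssl3_get_server_done(SSL *s)
 {
  int ret;
@@ -2024,7 +2040,7 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
  return ret;
 }
 
-int
+static int
 ssl3_send_client_key_exchange(SSL *s)
 {
  unsigned long alg_k;
@@ -2283,7 +2299,7 @@ ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
 }
 #endif
 
-int
+static int
 ssl3_send_client_verify(SSL *s)
 {
  const struct ssl_sigalg *sigalg;
@@ -2345,7 +2361,7 @@ ssl3_send_client_verify(SSL *s)
  return (-1);
 }
 
-int
+static int
 ssl3_send_client_certificate(SSL *s)
 {
  EVP_PKEY *pkey = NULL;
@@ -2423,7 +2439,7 @@ ssl3_send_client_certificate(SSL *s)
 
 #define has_bits(i,m) (((i)&(m)) == (m))
 
-int
+static int
 ssl3_check_cert_and_algorithm(SSL *s)
 {
  long alg_k, alg_a;
@@ -2481,7 +2497,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
  * session tickets we have to check the next message to be sure.
  */
 
-int
+static int
 ssl3_check_finished(SSL *s)
 {
  int ret;
@@ -2503,7 +2519,7 @@ ssl3_check_finished(SSL *s)
  return (1);
 }
 
-int
+static int
 ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
 {
  int i = 0;
@@ -2521,3 +2537,137 @@ ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
  i = s->ctx->internal->client_cert_cb(s, px509, ppkey);
  return (i);
 }
+
+static int
+ssl3_send_client_change_cipher_spec(SSL *s)
+{
+ size_t outlen;
+ CBB cbb;
+
+ memset(&cbb, 0, sizeof(cbb));
+
+ if (s->s3->hs.state == SSL3_ST_CW_CHANGE_A) {
+ if (!CBB_init_fixed(&cbb, s->internal->init_buf->data,
+ s->internal->init_buf->length))
+ goto err;
+ if (!CBB_add_u8(&cbb, SSL3_MT_CCS))
+ goto err;
+ if (!CBB_finish(&cbb, NULL, &outlen))
+ goto err;
+
+ if (outlen > INT_MAX)
+ goto err;
+
+ s->internal->init_num = (int)outlen;
+ s->internal->init_off = 0;
+
+ if (SSL_is_dtls(s)) {
+ s->d1->handshake_write_seq =
+ s->d1->next_handshake_write_seq;
+ dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
+ s->d1->handshake_write_seq, 0, 0);
+ dtls1_buffer_message(s, 1);
+ }
+
+ s->s3->hs.state = SSL3_ST_CW_CHANGE_B;
+ }
+
+ /* SSL3_ST_CW_CHANGE_B */
+ return ssl3_record_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
+
+ err:
+ CBB_cleanup(&cbb);
+
+ return -1;
+}
+
+static int
+ssl3_send_client_finished(SSL *s)
+{
+ CBB cbb, finished;
+
+ memset(&cbb, 0, sizeof(cbb));
+
+ if (s->s3->hs.state == SSL3_ST_CW_FINISHED_A) {
+ if (!tls12_derive_finished(s))
+ goto err;
+
+ /* Copy finished so we can use it for renegotiation checks. */
+ memcpy(s->s3->previous_client_finished,
+ s->s3->hs.finished, s->s3->hs.finished_len);
+ s->s3->previous_client_finished_len =
+ s->s3->hs.finished_len;
+
+ if (!ssl3_handshake_msg_start(s, &cbb, &finished,
+ SSL3_MT_FINISHED))
+ goto err;
+ if (!CBB_add_bytes(&finished, s->s3->hs.finished,
+ s->s3->hs.finished_len))
+ goto err;
+ if (!ssl3_handshake_msg_finish(s, &cbb))
+ goto err;
+
+ s->s3->hs.state = SSL3_ST_CW_FINISHED_B;
+ }
+
+ return (ssl3_handshake_write(s));
+
+ err:
+ CBB_cleanup(&cbb);
+
+ return (-1);
+}
+
+static int
+ssl3_get_server_finished(SSL *s)
+{
+ int al, md_len, ret;
+ CBS cbs;
+
+ /* should actually be 36+4 :-) */
+ if ((ret = ssl3_get_message(s, SSL3_ST_CR_FINISHED_A,
+ SSL3_ST_CR_FINISHED_B, SSL3_MT_FINISHED, 64)) <= 0)
+ return ret;
+
+ /* If this occurs, we have missed a message */
+ if (!s->s3->change_cipher_spec) {
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
+ goto fatal_err;
+ }
+ s->s3->change_cipher_spec = 0;
+
+ md_len = TLS1_FINISH_MAC_LENGTH;
+
+ if (s->internal->init_num < 0) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
+ goto fatal_err;
+ }
+
+ CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
+
+ if (s->s3->hs.peer_finished_len != md_len ||
+ CBS_len(&cbs) != md_len) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
+ goto fatal_err;
+ }
+
+ if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) {
+ al = SSL_AD_DECRYPT_ERROR;
+ SSLerror(s, SSL_R_DIGEST_CHECK_FAILED);
+ goto fatal_err;
+ }
+
+ /* Copy finished so we can use it for renegotiation checks. */
+ OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
+ memcpy(s->s3->previous_server_finished,
+ s->s3->hs.peer_finished, md_len);
+ s->s3->previous_server_finished_len = md_len;
+
+ return (1);
+ fatal_err:
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ return (0);
+}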
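Review bot: In ssl3_send_client_finished the memcpy into s->s3->previous_client_finished copies s->s3->hs.finished_len bytes with no local bound, whereas the receive path in ssl3_get_server_finished pins the length to TLS1_FINISH_MAC_LENGTH and asserts it against EVP_MAX_MD_SIZE before its copy. The buffer's declaration and tls12_derive_finished are outside this page, so the length is presumably bounded there already. A guard ahead of the copy would make that invariant local; assuming the field is an array, `if (s->s3->hs.finished_len > sizeof(s->s3->previous_client_finished)) goto err;`. The same applies to ssl3_send_server_finished in ssl_srvr.c.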
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index a6fc6eaa32..a8d5308e8c 100644
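--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.425 2022/09/10 15:29:33 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.426 2022/10/01 16:23:15 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1357,16 +1357,10 @@ int ssl_verify_alarm_type(long type);
 int SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len);
 
 const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
-int ssl3_send_server_certificate(SSL *s);
-int ssl3_send_newsession_ticket(SSL *s);
-int ssl3_send_cert_status(SSL *s);
-int ssl3_get_finished(SSL *s, int state_a, int state_b);
-int ssl3_send_change_cipher_spec(SSL *s, int state_a, int state_b);
 int ssl3_do_write(SSL *s, int type);
 int ssl3_send_alert(SSL *s, int level, int desc);
 int ssl3_get_req_cert_types(SSL *s, CBB *cbb);
 int ssl3_get_message(SSL *s, int st1, int stn, int mt, long max);
-int ssl3_send_finished(SSL *s, int state_a, int state_b);
 int ssl3_num_ciphers(void);
 const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
 const SSL_CIPHER *ssl3_get_cipher_by_id(unsigned int id);
@@ -1424,35 +1418,6 @@ int ssl_server_legacy_first_packet(SSL *s);
 int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
  unsigned int len);
 
-/* some client-only functions */
-int ssl3_send_client_hello(SSL *s);
-int ssl3_get_dtls_hello_verify(SSL *s);
-int ssl3_get_server_hello(SSL *s);
-int ssl3_get_certificate_request(SSL *s);
-int ssl3_get_new_session_ticket(SSL *s);
-int ssl3_get_cert_status(SSL *s);
-int ssl3_get_server_done(SSL *s);
-int ssl3_send_client_verify(SSL *s);
-int ssl3_send_client_certificate(SSL *s);
-int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
-int ssl3_send_client_key_exchange(SSL *s);
-int ssl3_get_server_key_exchange(SSL *s);
-int ssl3_get_server_certificate(SSL *s);
-int ssl3_check_cert_and_algorithm(SSL *s);
-int ssl3_check_finished(SSL *s);
-
-/* some server-only functions */
-int ssl3_get_client_hello(SSL *s);
-int ssl3_send_dtls_hello_verify_request(SSL *s);
-int ssl3_send_server_hello(SSL *s);
-int ssl3_send_hello_request(SSL *s);
-int ssl3_send_server_key_exchange(SSL *s);
-int ssl3_send_certificate_request(SSL *s);
-int ssl3_send_server_done(SSL *s);
-int ssl3_get_client_certificate(SSL *s);
-int ssl3_get_client_key_exchange(SSL *s);
-int ssl3_get_cert_verify(SSL *s);
-
 int ssl_kex_generate_dhe(DH *dh, DH *dh_params);
 int ssl_kex_generate_dhe_params_auto(DH *dh, size_t key_len);
 int ssl_kex_params_dhe(DH *dh, CBB *cbb);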
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index acdcb15398..821006af81 100644
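--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.149 2022/08/17 07:39:19 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.150 2022/10/01 16:23:15 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -148,6 +148,7 @@
  * OTHERWISE.
  */
 
+#include <limits.h>
 #include <stdio.h>
 
 #include <openssl/bn.h>
@@ -171,6 +172,23 @@
 #include "ssl_sigalgs.h"
 #include "ssl_tlsext.h"
 
+static int ssl3_get_client_hello(SSL *s);
+static int ssl3_send_dtls_hello_verify_request(SSL *s);
+static int ssl3_send_server_hello(SSL *s);
+static int ssl3_send_hello_request(SSL *s);
+static int ssl3_send_server_certificate(SSL *s);
+static int ssl3_send_server_key_exchange(SSL *s);
+static int ssl3_send_certificate_request(SSL *s);
+static int ssl3_send_server_done(SSL *s);
+static int ssl3_get_client_certificate(SSL *s);
+static int ssl3_get_client_key_exchange(SSL *s);
+static int ssl3_get_cert_verify(SSL *s);
+static int ssl3_send_newsession_ticket(SSL *s);
+static int ssl3_send_cert_status(SSL *s);
+static int ssl3_send_server_change_cipher_spec(SSL *s);
+static int ssl3_send_server_finished(SSL *s);
+static int ssl3_get_client_finished(SSL *s);
+
 int
 ssl3_accept(SSL *s)
 {
@@ -605,8 +623,7 @@ ssl3_accept(SSL *s)
  s->d1->change_cipher_spec_ok = 1;
  else
  s->s3->flags |= SSL3_FLAGS_CCS_OK;
- ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
- SSL3_ST_SR_FINISHED_B);
+ ret = ssl3_get_client_finished(s);
  if (ret <= 0)
  goto end;
  if (SSL_is_dtls(s))
@@ -640,8 +657,7 @@ ssl3_accept(SSL *s)
 
  case SSL3_ST_SW_CHANGE_A:
  case SSL3_ST_SW_CHANGE_B:
- ret = ssl3_send_change_cipher_spec(s,
- SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
+ ret = ssl3_send_server_change_cipher_spec(s);
  if (ret <= 0)
  goto end;
  s->s3->hs.state = SSL3_ST_SW_FINISHED_A;
@@ -660,8 +676,7 @@ ssl3_accept(SSL *s)
 
  case SSL3_ST_SW_FINISHED_A:
  case SSL3_ST_SW_FINISHED_B:
- ret = ssl3_send_finished(s, SSL3_ST_SW_FINISHED_A,
- SSL3_ST_SW_FINISHED_B);
+ ret = ssl3_send_server_finished(s);
  if (ret <= 0)
  goto end;
  s->s3->hs.state = SSL3_ST_SW_FLUSH;
@@ -748,7 +763,7 @@ ssl3_accept(SSL *s)
  return (ret);
 }
 
-int
+static int
 ssl3_send_hello_request(SSL *s)
 {
  CBB cbb, hello;
@@ -774,7 +789,7 @@ ssl3_send_hello_request(SSL *s)
  return (-1);
 }
 
-int
+static int
 ssl3_get_client_hello(SSL *s)
 {
  CBS cbs, client_random, session_id, cookie, cipher_suites;
@@ -1167,7 +1182,7 @@ ssl3_get_client_hello(SSL *s)
  return (ret);
 }
 
-int
+static int
 ssl3_send_dtls_hello_verify_request(SSL *s)
 {
  CBB cbb, verify, cookie;
@@ -1211,7 +1226,7 @@ ssl3_send_dtls_hello_verify_request(SSL *s)
  return (-1);
 }
 
-int
+static int
 ssl3_send_server_hello(SSL *s)
 {
  CBB cbb, server_hello, session_id;
@@ -1290,7 +1305,7 @@ ssl3_send_server_hello(SSL *s)
  return (-1);
 }
 
-int
+static int
 ssl3_send_server_done(SSL *s)
 {
  CBB cbb, done;
@@ -1413,7 +1428,7 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
  return 0;
 }
 
-int
+static int
 ssl3_send_server_key_exchange(SSL *s)
 {
  CBB cbb, cbb_params, cbb_signature, server_kex;
@@ -1552,7 +1567,7 @@ ssl3_send_server_key_exchange(SSL *s)
  return (-1);
 }
 
-int
+static int
 ssl3_send_certificate_request(SSL *s)
 {
  CBB cbb, cert_request, cert_types, sigalgs, cert_auth, dn;
@@ -1868,7 +1883,7 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
  return 0;
 }
 
-int
+static int
 ssl3_get_client_key_exchange(SSL *s)
 {
  unsigned long alg_k;
@@ -1919,7 +1934,7 @@ ssl3_get_client_key_exchange(SSL *s)
  return (-1);
 }
 
-int
+static int
 ssl3_get_cert_verify(SSL *s)
 {
  CBS cbs, signature;
@@ -2153,7 +2168,7 @@ ssl3_get_cert_verify(SSL *s)
  return (ret);
 }
 
-int
+static int
 ssl3_get_client_certificate(SSL *s)
 {
  CBS cbs, cert_list, cert_data;
@@ -2271,7 +2286,7 @@ ssl3_get_client_certificate(SSL *s)
  return (ret);
 }
 
-int
+static int
 ssl3_send_server_certificate(SSL *s)
 {
  CBB cbb, server_cert;
@@ -2310,7 +2325,7 @@ ssl3_send_server_certificate(SSL *s)
 }
 
 /* send a new session ticket (not necessarily for a new session) */
-int
+static int
 ssl3_send_newsession_ticket(SSL *s)
 {
  CBB cbb, session_ticket, ticket;
@@ -2443,7 +2458,7 @@ ssl3_send_newsession_ticket(SSL *s)
  return (-1);
 }
 
-int
+static int
 ssl3_send_cert_status(SSL *s)
 {
  CBB cbb, certstatus, ocspresp;
@@ -2475,3 +2490,136 @@ ssl3_send_cert_status(SSL *s)
 
  return (-1);
 }
+
+static int
+ssl3_send_server_change_cipher_spec(SSL *s)
+{
+ size_t outlen;
+ CBB cbb;
+
+ memset(&cbb, 0, sizeof(cbb));
+
+ if (s->s3->hs.state == SSL3_ST_SW_CHANGE_A) {
+ if (!CBB_init_fixed(&cbb, s->internal->init_buf->data,
+ s->internal->init_buf->length))
+ goto err;
+ if (!CBB_add_u8(&cbb, SSL3_MT_CCS))
+ goto err;
+ if (!CBB_finish(&cbb, NULL, &outlen))
+ goto err;
+
+ if (outlen > INT_MAX)
+ goto err;
+
+ s->internal->init_num = (int)outlen;
+ s->internal->init_off = 0;
+
+ if (SSL_is_dtls(s)) {
+ s->d1->handshake_write_seq =
+ s->d1->next_handshake_write_seq;
+ dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
+ s->d1->handshake_write_seq, 0, 0);
+ dtls1_buffer_message(s, 1);
+ }
+
+ s->s3->hs.state = SSL3_ST_SW_CHANGE_B;
+ }
+
+ /* SSL3_ST_SW_CHANGE_B */
+ return ssl3_record_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
+
+ err:
+ CBB_cleanup(&cbb);
+
+ return -1;
+}
+
+static int
+ssl3_get_client_finished(SSL *s)
+{
+ int al, md_len, ret;
+ CBS cbs;
+
+ /* should actually be 36+4 :-) */
+ if ((ret = ssl3_get_message(s, SSL3_ST_SR_FINISHED_A,
+ SSL3_ST_SR_FINISHED_B, SSL3_MT_FINISHED, 64)) <= 0)
+ return ret;
+
+ /* If this occurs, we have missed a message */
+ if (!s->s3->change_cipher_spec) {
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
+ goto fatal_err;
+ }
+ s->s3->change_cipher_spec = 0;
+
+ md_len = TLS1_FINISH_MAC_LENGTH;
+
+ if (s->internal->init_num < 0) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
+ goto fatal_err;
+ }
+
+ CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
+
+ if (s->s3->hs.peer_finished_len != md_len ||
+ CBS_len(&cbs) != md_len) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
+ goto fatal_err;
+ }
+
+ if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) {
+ al = SSL_AD_DECRYPT_ERROR;
+ SSLerror(s, SSL_R_DIGEST_CHECK_FAILED);
+ goto fatal_err;
+ }
+
+ /* Copy finished so we can use it for renegotiation checks. */
+ OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
+ memcpy(s->s3->previous_client_finished,
+ s->s3->hs.peer_finished, md_len);
+ s->s3->previous_client_finished_len = md_len;
+
+ return (1);
+ fatal_err:
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ return (0);
+}
+
+static int
+ssl3_send_server_finished(SSL *s)
+{
+ CBB cbb, finished;
+
+ memset(&cbb, 0, sizeof(cbb));
+
+ if (s->s3->hs.state == SSL3_ST_SW_FINISHED_A) {
+ if (!tls12_derive_finished(s))
+ goto err;
+
+ /* Copy finished so we can use it for renegotiation checks. */
+ memcpy(s->s3->previous_server_finished,
+ s->s3->hs.finished, s->s3->hs.finished_len);
+ s->s3->previous_server_finished_len = s->s3->hs.finished_len;
+
+ if (!ssl3_handshake_msg_start(s, &cbb, &finished,
+ SSL3_MT_FINISHED))
+ goto err;
+ if (!CBB_add_bytes(&finished, s->s3->hs.finished,
+ s->s3->hs.finished_len))
+ goto err;
+ if (!ssl3_handshake_msg_finish(s, &cbb))
+ goto err;
+
+ s->s3->hs.state = SSL3_ST_SW_FINISHED_B;
+ }
+
+ return (ssl3_handshake_write(s));
+
+ err:
+ CBB_cleanup(&cbb);
+
+ return (-1);
+}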
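Review bot: ssl3_send_server_change_cipher_spec discards the result of `dtls1_buffer_message(s, 1)` on the DTLS path and moves to SSL3_ST_SW_CHANGE_B regardless. That function's definition is outside this page; if it can fail, the ChangeCipherSpec would not be queued for retransmission and nothing would report it. Assuming it signals failure with 0, the call could become `if (!dtls1_buffer_message(s, 1)) goto err;`. ssl3_send_client_change_cipher_spec in ssl_clnt.c makes the same unchecked call. Separately, in ssl3_get_client_finished a comment above the CBS_mem_equal call, such as `/* Verify peer Finished; this comparison must stay constant time. */`, would record why that helper is used rather than a plain memcmp.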