diff options
Diffstat (limited to 'src/lib/libssl/ssl_clnt.c')
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 194 |
1 files changed, 172 insertions, 22 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 0e50285898..8b2f209a79 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_clnt.c,v 1.153 2022/08/17 07:39:19 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_clnt.c,v 1.154 2022/10/01 16:23:15 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -176,6 +176,25 @@ | |||
| 176 | 176 | ||
| 177 | static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b); | 177 | static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b); |
| 178 | 178 | ||
| 179 | static int ssl3_send_client_hello(SSL *s); | ||
| 180 | static int ssl3_get_dtls_hello_verify(SSL *s); | ||
| 181 | static int ssl3_get_server_hello(SSL *s); | ||
| 182 | static int ssl3_get_certificate_request(SSL *s); | ||
| 183 | static int ssl3_get_new_session_ticket(SSL *s); | ||
| 184 | static int ssl3_get_cert_status(SSL *s); | ||
| 185 | static int ssl3_get_server_done(SSL *s); | ||
| 186 | static int ssl3_send_client_verify(SSL *s); | ||
| 187 | static int ssl3_send_client_certificate(SSL *s); | ||
| 188 | static int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey); | ||
| 189 | static int ssl3_send_client_key_exchange(SSL *s); | ||
| 190 | static int ssl3_get_server_key_exchange(SSL *s); | ||
| 191 | static int ssl3_get_server_certificate(SSL *s); | ||
| 192 | static int ssl3_check_cert_and_algorithm(SSL *s); | ||
| 193 | static int ssl3_check_finished(SSL *s); | ||
| 194 | static int ssl3_send_client_change_cipher_spec(SSL *s); | ||
| 195 | static int ssl3_send_client_finished(SSL *s); | ||
| 196 | static int ssl3_get_server_finished(SSL *s); | ||
| 197 | |||
| 179 | int | 198 | int |
| 180 | ssl3_connect(SSL *s) | 199 | ssl3_connect(SSL *s) |
| 181 | { | 200 | { |
| @@ -469,8 +488,7 @@ ssl3_connect(SSL *s) | |||
| 469 | case SSL3_ST_CW_CHANGE_B: | 488 | case SSL3_ST_CW_CHANGE_B: |
| 470 | if (SSL_is_dtls(s) && !s->internal->hit) | 489 | if (SSL_is_dtls(s) && !s->internal->hit) |
| 471 | dtls1_start_timer(s); | 490 | dtls1_start_timer(s); |
| 472 | ret = ssl3_send_change_cipher_spec(s, | 491 | ret = ssl3_send_client_change_cipher_spec(s); |
| 473 | SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); | ||
| 474 | if (ret <= 0) | 492 | if (ret <= 0) |
| 475 | goto end; | 493 | goto end; |
| 476 | 494 | ||
| @@ -492,8 +510,7 @@ ssl3_connect(SSL *s) | |||
| 492 | case SSL3_ST_CW_FINISHED_B: | 510 | case SSL3_ST_CW_FINISHED_B: |
| 493 | if (SSL_is_dtls(s) && !s->internal->hit) | 511 | if (SSL_is_dtls(s) && !s->internal->hit) |
| 494 | dtls1_start_timer(s); | 512 | dtls1_start_timer(s); |
| 495 | ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, | 513 | ret = ssl3_send_client_finished(s); |
| 496 | SSL3_ST_CW_FINISHED_B); | ||
| 497 | if (ret <= 0) | 514 | if (ret <= 0) |
| 498 | goto end; | 515 | goto end; |
| 499 | if (!SSL_is_dtls(s)) | 516 | if (!SSL_is_dtls(s)) |
| @@ -539,8 +556,7 @@ ssl3_connect(SSL *s) | |||
| 539 | s->d1->change_cipher_spec_ok = 1; | 556 | s->d1->change_cipher_spec_ok = 1; |
| 540 | else | 557 | else |
| 541 | s->s3->flags |= SSL3_FLAGS_CCS_OK; | 558 | s->s3->flags |= SSL3_FLAGS_CCS_OK; |
| 542 | ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, | 559 | ret = ssl3_get_server_finished(s); |
| 543 | SSL3_ST_CR_FINISHED_B); | ||
| 544 | if (ret <= 0) | 560 | if (ret <= 0) |
| 545 | goto end; | 561 | goto end; |
| 546 | if (SSL_is_dtls(s)) | 562 | if (SSL_is_dtls(s)) |
| @@ -640,7 +656,7 @@ ssl3_connect(SSL *s) | |||
| 640 | return (ret); | 656 | return (ret); |
| 641 | } | 657 | } |
| 642 | 658 | ||
| 643 | int | 659 | static int |
| 644 | ssl3_send_client_hello(SSL *s) | 660 | ssl3_send_client_hello(SSL *s) |
| 645 | { | 661 | { |
| 646 | CBB cbb, client_hello, session_id, cookie, cipher_suites; | 662 | CBB cbb, client_hello, session_id, cookie, cipher_suites; |
| @@ -752,7 +768,7 @@ ssl3_send_client_hello(SSL *s) | |||
| 752 | return (-1); | 768 | return (-1); |
| 753 | } | 769 | } |
| 754 | 770 | ||
| 755 | int | 771 | static int |
| 756 | ssl3_get_dtls_hello_verify(SSL *s) | 772 | ssl3_get_dtls_hello_verify(SSL *s) |
| 757 | { | 773 | { |
| 758 | CBS hello_verify_request, cookie; | 774 | CBS hello_verify_request, cookie; |
| @@ -813,7 +829,7 @@ ssl3_get_dtls_hello_verify(SSL *s) | |||
| 813 | return -1; | 829 | return -1; |
| 814 | } | 830 | } |
| 815 | 831 | ||
| 816 | int | 832 | static int |
| 817 | ssl3_get_server_hello(SSL *s) | 833 | ssl3_get_server_hello(SSL *s) |
| 818 | { | 834 | { |
| 819 | CBS cbs, server_random, session_id; | 835 | CBS cbs, server_random, session_id; |
| @@ -1083,7 +1099,7 @@ ssl3_get_server_hello(SSL *s) | |||
| 1083 | return (-1); | 1099 | return (-1); |
| 1084 | } | 1100 | } |
| 1085 | 1101 | ||
| 1086 | int | 1102 | static int |
| 1087 | ssl3_get_server_certificate(SSL *s) | 1103 | ssl3_get_server_certificate(SSL *s) |
| 1088 | { | 1104 | { |
| 1089 | CBS cbs, cert_list, cert_data; | 1105 | CBS cbs, cert_list, cert_data; |
| @@ -1280,7 +1296,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs) | |||
| 1280 | return 0; | 1296 | return 0; |
| 1281 | } | 1297 | } |
| 1282 | 1298 | ||
| 1283 | int | 1299 | static int |
| 1284 | ssl3_get_server_key_exchange(SSL *s) | 1300 | ssl3_get_server_key_exchange(SSL *s) |
| 1285 | { | 1301 | { |
| 1286 | CBS cbs, signature; | 1302 | CBS cbs, signature; |
| @@ -1428,7 +1444,7 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1428 | return (-1); | 1444 | return (-1); |
| 1429 | } | 1445 | } |
| 1430 | 1446 | ||
| 1431 | int | 1447 | static int |
| 1432 | ssl3_get_certificate_request(SSL *s) | 1448 | ssl3_get_certificate_request(SSL *s) |
| 1433 | { | 1449 | { |
| 1434 | CBS cert_request, cert_types, rdn_list; | 1450 | CBS cert_request, cert_types, rdn_list; |
| @@ -1572,7 +1588,7 @@ ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) | |||
| 1572 | return (X509_NAME_cmp(*a, *b)); | 1588 | return (X509_NAME_cmp(*a, *b)); |
| 1573 | } | 1589 | } |
| 1574 | 1590 | ||
| 1575 | int | 1591 | static int |
| 1576 | ssl3_get_new_session_ticket(SSL *s) | 1592 | ssl3_get_new_session_ticket(SSL *s) |
| 1577 | { | 1593 | { |
| 1578 | uint32_t lifetime_hint; | 1594 | uint32_t lifetime_hint; |
| @@ -1647,7 +1663,7 @@ ssl3_get_new_session_ticket(SSL *s) | |||
| 1647 | return (-1); | 1663 | return (-1); |
| 1648 | } | 1664 | } |
| 1649 | 1665 | ||
| 1650 | int | 1666 | static int |
| 1651 | ssl3_get_cert_status(SSL *s) | 1667 | ssl3_get_cert_status(SSL *s) |
| 1652 | { | 1668 | { |
| 1653 | CBS cert_status, response; | 1669 | CBS cert_status, response; |
| @@ -1748,7 +1764,7 @@ ssl3_get_cert_status(SSL *s) | |||
| 1748 | return (-1); | 1764 | return (-1); |
| 1749 | } | 1765 | } |
| 1750 | 1766 | ||
| 1751 | int | 1767 | static int |
| 1752 | ssl3_get_server_done(SSL *s) | 1768 | ssl3_get_server_done(SSL *s) |
| 1753 | { | 1769 | { |
| 1754 | int ret; | 1770 | int ret; |
| @@ -2024,7 +2040,7 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb) | |||
| 2024 | return ret; | 2040 | return ret; |
| 2025 | } | 2041 | } |
| 2026 | 2042 | ||
| 2027 | int | 2043 | static int |
| 2028 | ssl3_send_client_key_exchange(SSL *s) | 2044 | ssl3_send_client_key_exchange(SSL *s) |
| 2029 | { | 2045 | { |
| 2030 | unsigned long alg_k; | 2046 | unsigned long alg_k; |
| @@ -2283,7 +2299,7 @@ ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) | |||
| 2283 | } | 2299 | } |
| 2284 | #endif | 2300 | #endif |
| 2285 | 2301 | ||
| 2286 | int | 2302 | static int |
| 2287 | ssl3_send_client_verify(SSL *s) | 2303 | ssl3_send_client_verify(SSL *s) |
| 2288 | { | 2304 | { |
| 2289 | const struct ssl_sigalg *sigalg; | 2305 | const struct ssl_sigalg *sigalg; |
| @@ -2345,7 +2361,7 @@ ssl3_send_client_verify(SSL *s) | |||
| 2345 | return (-1); | 2361 | return (-1); |
| 2346 | } | 2362 | } |
| 2347 | 2363 | ||
| 2348 | int | 2364 | static int |
| 2349 | ssl3_send_client_certificate(SSL *s) | 2365 | ssl3_send_client_certificate(SSL *s) |
| 2350 | { | 2366 | { |
| 2351 | EVP_PKEY *pkey = NULL; | 2367 | EVP_PKEY *pkey = NULL; |
| @@ -2423,7 +2439,7 @@ ssl3_send_client_certificate(SSL *s) | |||
| 2423 | 2439 | ||
| 2424 | #define has_bits(i,m) (((i)&(m)) == (m)) | 2440 | #define has_bits(i,m) (((i)&(m)) == (m)) |
| 2425 | 2441 | ||
| 2426 | int | 2442 | static int |
| 2427 | ssl3_check_cert_and_algorithm(SSL *s) | 2443 | ssl3_check_cert_and_algorithm(SSL *s) |
| 2428 | { | 2444 | { |
| 2429 | long alg_k, alg_a; | 2445 | long alg_k, alg_a; |
| @@ -2481,7 +2497,7 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2481 | * session tickets we have to check the next message to be sure. | 2497 | * session tickets we have to check the next message to be sure. |
| 2482 | */ | 2498 | */ |
| 2483 | 2499 | ||
| 2484 | int | 2500 | static int |
| 2485 | ssl3_check_finished(SSL *s) | 2501 | ssl3_check_finished(SSL *s) |
| 2486 | { | 2502 | { |
| 2487 | int ret; | 2503 | int ret; |
| @@ -2503,7 +2519,7 @@ ssl3_check_finished(SSL *s) | |||
| 2503 | return (1); | 2519 | return (1); |
| 2504 | } | 2520 | } |
| 2505 | 2521 | ||
| 2506 | int | 2522 | static int |
| 2507 | ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) | 2523 | ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) |
| 2508 | { | 2524 | { |
| 2509 | int i = 0; | 2525 | int i = 0; |
| @@ -2521,3 +2537,137 @@ ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) | |||
| 2521 | i = s->ctx->internal->client_cert_cb(s, px509, ppkey); | 2537 | i = s->ctx->internal->client_cert_cb(s, px509, ppkey); |
| 2522 | return (i); | 2538 | return (i); |
| 2523 | } | 2539 | } |
| 2540 | |||
| 2541 | static int | ||
| 2542 | ssl3_send_client_change_cipher_spec(SSL *s) | ||
| 2543 | { | ||
| 2544 | size_t outlen; | ||
| 2545 | CBB cbb; | ||
| 2546 | |||
| 2547 | memset(&cbb, 0, sizeof(cbb)); | ||
| 2548 | |||
| 2549 | if (s->s3->hs.state == SSL3_ST_CW_CHANGE_A) { | ||
| 2550 | if (!CBB_init_fixed(&cbb, s->internal->init_buf->data, | ||
| 2551 | s->internal->init_buf->length)) | ||
| 2552 | goto err; | ||
| 2553 | if (!CBB_add_u8(&cbb, SSL3_MT_CCS)) | ||
| 2554 | goto err; | ||
| 2555 | if (!CBB_finish(&cbb, NULL, &outlen)) | ||
| 2556 | goto err; | ||
| 2557 | |||
| 2558 | if (outlen > INT_MAX) | ||
| 2559 | goto err; | ||
| 2560 | |||
| 2561 | s->internal->init_num = (int)outlen; | ||
| 2562 | s->internal->init_off = 0; | ||
| 2563 | |||
| 2564 | if (SSL_is_dtls(s)) { | ||
| 2565 | s->d1->handshake_write_seq = | ||
| 2566 | s->d1->next_handshake_write_seq; | ||
| 2567 | dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, | ||
| 2568 | s->d1->handshake_write_seq, 0, 0); | ||
| 2569 | dtls1_buffer_message(s, 1); | ||
| 2570 | } | ||
| 2571 | |||
| 2572 | s->s3->hs.state = SSL3_ST_CW_CHANGE_B; | ||
| 2573 | } | ||
| 2574 | |||
| 2575 | /* SSL3_ST_CW_CHANGE_B */ | ||
| 2576 | return ssl3_record_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); | ||
| 2577 | |||
| 2578 | err: | ||
| 2579 | CBB_cleanup(&cbb); | ||
| 2580 | |||
| 2581 | return -1; | ||
| 2582 | } | ||
| 2583 | |||
| 2584 | static int | ||
| 2585 | ssl3_send_client_finished(SSL *s) | ||
| 2586 | { | ||
| 2587 | CBB cbb, finished; | ||
| 2588 | |||
| 2589 | memset(&cbb, 0, sizeof(cbb)); | ||
| 2590 | |||
| 2591 | if (s->s3->hs.state == SSL3_ST_CW_FINISHED_A) { | ||
| 2592 | if (!tls12_derive_finished(s)) | ||
| 2593 | goto err; | ||
| 2594 | |||
| 2595 | /* Copy finished so we can use it for renegotiation checks. */ | ||
| 2596 | memcpy(s->s3->previous_client_finished, | ||
| 2597 | s->s3->hs.finished, s->s3->hs.finished_len); | ||
| 2598 | s->s3->previous_client_finished_len = | ||
| 2599 | s->s3->hs.finished_len; | ||
| 2600 | |||
| 2601 | if (!ssl3_handshake_msg_start(s, &cbb, &finished, | ||
| 2602 | SSL3_MT_FINISHED)) | ||
| 2603 | goto err; | ||
| 2604 | if (!CBB_add_bytes(&finished, s->s3->hs.finished, | ||
| 2605 | s->s3->hs.finished_len)) | ||
| 2606 | goto err; | ||
| 2607 | if (!ssl3_handshake_msg_finish(s, &cbb)) | ||
| 2608 | goto err; | ||
| 2609 | |||
| 2610 | s->s3->hs.state = SSL3_ST_CW_FINISHED_B; | ||
| 2611 | } | ||
| 2612 | |||
| 2613 | return (ssl3_handshake_write(s)); | ||
| 2614 | |||
| 2615 | err: | ||
| 2616 | CBB_cleanup(&cbb); | ||
| 2617 | |||
| 2618 | return (-1); | ||
| 2619 | } | ||
| 2620 | |||
| 2621 | static int | ||
| 2622 | ssl3_get_server_finished(SSL *s) | ||
| 2623 | { | ||
| 2624 | int al, md_len, ret; | ||
| 2625 | CBS cbs; | ||
| 2626 | |||
| 2627 | /* should actually be 36+4 :-) */ | ||
| 2628 | if ((ret = ssl3_get_message(s, SSL3_ST_CR_FINISHED_A, | ||
| 2629 | SSL3_ST_CR_FINISHED_B, SSL3_MT_FINISHED, 64)) <= 0) | ||
| 2630 | return ret; | ||
| 2631 | |||
| 2632 | /* If this occurs, we have missed a message */ | ||
| 2633 | if (!s->s3->change_cipher_spec) { | ||
| 2634 | al = SSL_AD_UNEXPECTED_MESSAGE; | ||
| 2635 | SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS); | ||
| 2636 | goto fatal_err; | ||
| 2637 | } | ||
| 2638 | s->s3->change_cipher_spec = 0; | ||
| 2639 | |||
| 2640 | md_len = TLS1_FINISH_MAC_LENGTH; | ||
| 2641 | |||
| 2642 | if (s->internal->init_num < 0) { | ||
| 2643 | al = SSL_AD_DECODE_ERROR; | ||
| 2644 | SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); | ||
| 2645 | goto fatal_err; | ||
| 2646 | } | ||
| 2647 | |||
| 2648 | CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); | ||
| 2649 | |||
| 2650 | if (s->s3->hs.peer_finished_len != md_len || | ||
| 2651 | CBS_len(&cbs) != md_len) { | ||
| 2652 | al = SSL_AD_DECODE_ERROR; | ||
| 2653 | SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); | ||
| 2654 | goto fatal_err; | ||
| 2655 | } | ||
| 2656 | |||
| 2657 | if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) { | ||
| 2658 | al = SSL_AD_DECRYPT_ERROR; | ||
| 2659 | SSLerror(s, SSL_R_DIGEST_CHECK_FAILED); | ||
| 2660 | goto fatal_err; | ||
| 2661 | } | ||
| 2662 | |||
| 2663 | /* Copy finished so we can use it for renegotiation checks. */ | ||
| 2664 | OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); | ||
| 2665 | memcpy(s->s3->previous_server_finished, | ||
| 2666 | s->s3->hs.peer_finished, md_len); | ||
| 2667 | s->s3->previous_server_finished_len = md_len; | ||
| 2668 | |||
| 2669 | return (1); | ||
| 2670 | fatal_err: | ||
| 2671 | ssl3_send_alert(s, SSL3_AL_FATAL, al); | ||
| 2672 | return (0); | ||
| 2673 | } | ||