]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/statem_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add a DTLSv1_listen() test
[thirdparty/openssl.git] / ssl / statem / statem_lib.c
CommitLineData
846e33c7 1/*
fecb3aae 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
aa8f3d76 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
3813046d 4 *
2c18d164 5 * Licensed under the Apache License 2.0 (the "License"). You may not use
846e33c7
RS		 6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
3813046d 9 */
846e33c7 10
48948d53 11#include <limits.h>
f2d9a32c 12#include <string.h>
d02b48c6 13#include <stdio.h>
706457b7
DMSP		 14#include "../ssl_local.h"
15#include "statem_local.h"
67dc995e 16#include "internal/cryptlib.h"
ec577822 17#include <openssl/buffer.h>
ec577822
BM		 18#include <openssl/objects.h>
19#include <openssl/evp.h>
d7e498ac 20#include <openssl/rsa.h>
ec577822 21#include <openssl/x509.h>
49b26f54 22#include <openssl/trace.h>
d02b48c6 23
c6d38183
RS		 24/*
25 * Map error codes to TLS/SSL alart types.
26 */
27typedef struct x509err2alert_st {
28 int x509err;
29 int alert;
30} X509ERR2ALERT;
31
597c51bc
MC		 32/* Fixed value used in the ServerHello random field to identify an HRR */
33const unsigned char hrrrandom[] = {
34 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37};
38
0f113f3e
MC		 39/*
40 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41 * SSL3_RT_CHANGE_CIPHER_SPEC)
42 */
38b051a1 43int ssl3_do_write(SSL_CONNECTION *s, int type)
0f113f3e
MC		 44{
45 int ret;
7ee8627f 46 size_t written = 0;
38b051a1 47 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
0f113f3e 48
38b051a1 49 ret = ssl3_write_bytes(ssl, type, &s->init_buf->data[s->init_off],
7ee8627f 50 s->init_num, &written);
0f113f3e 51 if (ret < 0)
26a7d938 52 return -1;
0f113f3e
MC		 53 if (type == SSL3_RT_HANDSHAKE)
54 /*
55 * should not be done for 'Hello Request's, but in that case we'll
56 * ignore the result anyway
9d75dce3 57 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
0f113f3e 58 */
38b051a1
TM		 59 if (!SSL_CONNECTION_IS_TLS13(s)
60 || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
9d75dce3
TS		 61 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
62 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
63 if (!ssl3_finish_mac(s,
64 (unsigned char *)&s->init_buf->data[s->init_off],
65 written))
66 return -1;
7ee8627f 67 if (written == s->init_num) {
0f113f3e
MC		 68 if (s->msg_callback)
69 s->msg_callback(1, s->version, type, s->init_buf->data,
38b051a1 70 (size_t)(s->init_off + s->init_num), ssl,
0f113f3e 71 s->msg_callback_arg);
208fb891 72 return 1;
0f113f3e 73 }
7ee8627f
MC		 74 s->init_off += written;
75 s->init_num -= written;
26a7d938 76 return 0;
0f113f3e 77}
e7ecc7d4 78
38b051a1 79int tls_close_construct_packet(SSL_CONNECTION *s, WPACKET *pkt, int htype)
2c7b4dbc
MC		 80{
81 size_t msglen;
82
4a01c59f 83 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
f1ec23c0 84 || !WPACKET_get_length(pkt, &msglen)
7cea05dc 85 || msglen > INT_MAX)
2c7b4dbc
MC		 86 return 0;
87 s->init_num = (int)msglen;
88 s->init_off = 0;
89
90 return 1;
91}
92
38b051a1 93int tls_setup_handshake(SSL_CONNECTION *s)
1f5b44e9 94{
8e32ea63 95 int ver_min, ver_max, ok;
38b051a1
TM		 96 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
97 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
8e32ea63 98
f63a17d6
MC		 99 if (!ssl3_init_finished_mac(s)) {
100 /* SSLfatal() already called */
c7f47786 101 return 0;
f63a17d6 102 }
c7f47786 103
b186a592
MC		 104 /* Reset any extension flags */
105 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
106
8e32ea63 107 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
c48ffbcc 108 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
8e32ea63
MC		 109 return 0;
110 }
111
112 /* Sanity check that we have MD5-SHA1 if we need it */
38b051a1 113 if (sctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
8e32ea63
MC		 114 int md5sha1_needed = 0;
115
116 /* We don't have MD5-SHA1 - do we need it? */
38b051a1 117 if (SSL_CONNECTION_IS_DTLS(s)) {
8e32ea63
MC		 118 if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
119 md5sha1_needed = 1;
120 } else {
121 if (ver_max <= TLS1_1_VERSION)
122 md5sha1_needed = 1;
123 }
124 if (md5sha1_needed) {
c48ffbcc
RL		 125 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
126 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
127 "The max supported SSL/TLS version needs the"
128 " MD5-SHA1 digest but it is not available"
129 " in the loaded providers. Use (D)TLSv1.2 or"
130 " above, or load different providers");
8e32ea63
MC		 131 return 0;
132 }
133
134 ok = 1;
135 /* Don't allow TLSv1.1 or below to be negotiated */
38b051a1 136 if (SSL_CONNECTION_IS_DTLS(s)) {
8e32ea63 137 if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
38b051a1 138 ok = SSL_set_min_proto_version(ssl, DTLS1_2_VERSION);
8e32ea63
MC		 139 } else {
140 if (ver_min < TLS1_2_VERSION)
38b051a1 141 ok = SSL_set_min_proto_version(ssl, TLS1_2_VERSION);
8e32ea63
MC		 142 }
143 if (!ok) {
144 /* Shouldn't happen */
c48ffbcc 145 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
8e32ea63
MC		 146 return 0;
147 }
148 }
149
150 ok = 0;
c7f47786 151 if (s->server) {
38b051a1 152 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl);
8e32ea63 153 int i;
38a73150
MC		 154
155 /*
156 * Sanity check that the maximum version we accept has ciphers
157 * enabled. For clients we do this check during construction of the
158 * ClientHello.
159 */
38a73150
MC		 160 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
161 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
162
38b051a1 163 if (SSL_CONNECTION_IS_DTLS(s)) {
38a73150
MC		 164 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
165 DTLS_VERSION_LE(ver_max, c->max_dtls))
166 ok = 1;
167 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
168 ok = 1;
169 }
170 if (ok)
171 break;
172 }
173 if (!ok) {
c48ffbcc
RL		 174 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
175 SSL_R_NO_CIPHERS_AVAILABLE,
176 "No ciphers enabled for max supported "
177 "SSL/TLS version");
38a73150
MC		 178 return 0;
179 }
c7f47786 180 if (SSL_IS_FIRST_HANDSHAKE(s)) {
0e6161bc 181 /* N.B. s->session_ctx == s->ctx here */
acce0557 182 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
c7f47786 183 } else {
0e6161bc 184 /* N.B. s->ctx may not equal s->session_ctx */
38b051a1 185 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_renegotiate);
c7f47786 186
555cbb32 187 s->s3.tmp.cert_request = 0;
c7f47786
MC		 188 }
189 } else {
190 if (SSL_IS_FIRST_HANDSHAKE(s))
acce0557 191 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
c7f47786 192 else
acce0557
P		 193 ssl_tsan_counter(s->session_ctx,
194 &s->session_ctx->stats.sess_connect_renegotiate);
c7f47786
MC		 195
196 /* mark client_random uninitialized */
555cbb32 197 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
c7f47786
MC		 198 s->hit = 0;
199
555cbb32 200 s->s3.tmp.cert_req = 0;
c7f47786 201
38b051a1 202 if (SSL_CONNECTION_IS_DTLS(s))
c7f47786 203 s->statem.use_timer = 1;
c7f47786
MC		 204 }
205
206 return 1;
207}
208
2c5dfdc3
MC		 209/*
210 * Size of the to-be-signed TLS13 data, without the hash size itself:
211 * 64 bytes of value 32, 33 context bytes, 1 byte separator
212 */
213#define TLS13_TBS_START_SIZE 64
214#define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
215
38b051a1 216static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs,
2c5dfdc3
MC		 217 void **hdata, size_t *hdatalen)
218{
48102247 219#ifdef CHARSET_EBCDIC
99435164 220 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
48102247 221 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
222 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
223 0x69, 0x66, 0x79, 0x00 };
99435164 224 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
48102247 225 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
226 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
227 0x69, 0x66, 0x79, 0x00 };
228#else
99435164
AV		 229 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
230 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
48102247 231#endif
38b051a1
TM		 232
233 if (SSL_CONNECTION_IS_TLS13(s)) {
2c5dfdc3
MC		 234 size_t hashlen;
235
236 /* Set the first 64 bytes of to-be-signed data to octet 32 */
237 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
238 /* This copies the 33 bytes of context plus the 0 separator byte */
239 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
240 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
241 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
242 else
243 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
244
245 /*
246 * If we're currently reading then we need to use the saved handshake
247 * hash value. We can't use the current handshake hash state because
248 * that includes the CertVerify itself.
249 */
250 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
251 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
252 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
253 s->cert_verify_hash_len);
254 hashlen = s->cert_verify_hash_len;
255 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
256 EVP_MAX_MD_SIZE, &hashlen)) {
f63a17d6 257 /* SSLfatal() already called */
2c5dfdc3
MC		 258 return 0;
259 }
260
261 *hdata = tls13tbs;
262 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
263 } else {
264 size_t retlen;
60690b5b 265 long retlen_l;
2c5dfdc3 266
555cbb32 267 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
60690b5b 268 if (retlen_l <= 0) {
c48ffbcc 269 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2c5dfdc3 270 return 0;
f63a17d6 271 }
2c5dfdc3
MC		 272 *hdatalen = retlen;
273 }
274
275 return 1;
276}
277
38b051a1 278int tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt)
d8bc1399 279{
ad4dd362
DSH		 280 EVP_PKEY *pkey = NULL;
281 const EVP_MD *md = NULL;
d8bc1399 282 EVP_MD_CTX *mctx = NULL;
5f9b64a2
MC		 283 EVP_PKEY_CTX *pctx = NULL;
284 size_t hdatalen = 0, siglen = 0;
d8bc1399
MC		 285 void *hdata;
286 unsigned char *sig = NULL;
2c5dfdc3 287 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
555cbb32 288 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
38b051a1 289 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
2c5dfdc3 290
555cbb32 291 if (lu == NULL || s->s3.tmp.cert == NULL) {
c48ffbcc 292 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 293 goto err;
294 }
555cbb32 295 pkey = s->s3.tmp.cert->privatekey;
ad4dd362 296
38b051a1 297 if (pkey == NULL || !tls1_lookup_md(sctx, lu, &md)) {
c48ffbcc 298 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 299 goto err;
300 }
d8bc1399
MC		 301
302 mctx = EVP_MD_CTX_new();
303 if (mctx == NULL) {
c48ffbcc 304 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
d8bc1399
MC		 305 goto err;
306 }
d8bc1399 307
2c5dfdc3
MC		 308 /* Get the data to be signed */
309 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6 310 /* SSLfatal() already called */
d8bc1399
MC		 311 goto err;
312 }
313
ad4dd362 314 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
c48ffbcc 315 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 316 goto err;
317 }
5f9b64a2 318
ed576acd
TM		 319 if (EVP_DigestSignInit_ex(mctx, &pctx,
320 md == NULL ? NULL : EVP_MD_get0_name(md),
38b051a1 321 sctx->libctx, sctx->propq, pkey,
d38b6ae9 322 NULL) <= 0) {
c48ffbcc 323 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
5f9b64a2
MC		 324 goto err;
325 }
326
ad4dd362 327 if (lu->sig == EVP_PKEY_RSA_PSS) {
5f9b64a2 328 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 329 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
330 RSA_PSS_SALTLEN_DIGEST) <= 0) {
c48ffbcc 331 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
5f9b64a2
MC		 332 goto err;
333 }
caf2b6b5
DSH		 334 }
335 if (s->version == SSL3_VERSION) {
bddbfae1
MC		 336 /*
337 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
338 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
339 */
caf2b6b5 340 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
83b4a243
SL		 341 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
342 (int)s->session->master_key_length,
343 s->session->master_key) <= 0
bddbfae1 344 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
caf2b6b5 345
c48ffbcc 346 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
5f9b64a2
MC		 347 goto err;
348 }
bddbfae1
MC		 349 sig = OPENSSL_malloc(siglen);
350 if (sig == NULL
351 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
c48ffbcc 352 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
bddbfae1
MC		 353 goto err;
354 }
355 } else {
356 /*
357 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
358 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
359 */
360 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
c48ffbcc 361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
bddbfae1
MC		 362 goto err;
363 }
364 sig = OPENSSL_malloc(siglen);
365 if (sig == NULL
366 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
c48ffbcc 367 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
bddbfae1
MC		 368 goto err;
369 }
d8bc1399 370 }
5f9b64a2 371
d8bc1399
MC		 372#ifndef OPENSSL_NO_GOST
373 {
ad4dd362
DSH		 374 int pktype = lu->sig;
375
d8bc1399
MC		 376 if (pktype == NID_id_GostR3410_2001
377 || pktype == NID_id_GostR3410_2012_256
378 || pktype == NID_id_GostR3410_2012_512)
5f9b64a2 379 BUF_reverse(sig, NULL, siglen);
d8bc1399
MC		 380 }
381#endif
382
5f9b64a2 383 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
c48ffbcc 384 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 385 goto err;
386 }
387
388 /* Digest cached records and discard handshake buffer */
d4d2f3a4
MC		 389 if (!ssl3_digest_cached_records(s, 0)) {
390 /* SSLfatal() already called */
d8bc1399 391 goto err;
d4d2f3a4 392 }
d8bc1399
MC		 393
394 OPENSSL_free(sig);
395 EVP_MD_CTX_free(mctx);
396 return 1;
397 err:
398 OPENSSL_free(sig);
399 EVP_MD_CTX_free(mctx);
d8bc1399
MC		 400 return 0;
401}
402
38b051a1 403MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt)
d8bc1399
MC		 404{
405 EVP_PKEY *pkey = NULL;
703bcee0 406 const unsigned char *data;
d8bc1399
MC		 407#ifndef OPENSSL_NO_GOST
408 unsigned char *gost_data = NULL;
409#endif
eb5fd03b 410 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
dd24857b 411 int j;
d8bc1399
MC		 412 unsigned int len;
413 X509 *peer;
414 const EVP_MD *md = NULL;
2c5dfdc3 415 size_t hdatalen = 0;
d8bc1399 416 void *hdata;
2c5dfdc3 417 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
d8bc1399 418 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
5f9b64a2 419 EVP_PKEY_CTX *pctx = NULL;
38b051a1 420 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
d8bc1399
MC		 421
422 if (mctx == NULL) {
c48ffbcc 423 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 424 goto err;
d8bc1399
MC		 425 }
426
427 peer = s->session->peer;
428 pkey = X509_get0_pubkey(peer);
f63a17d6 429 if (pkey == NULL) {
c48ffbcc 430 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6
MC		 431 goto err;
432 }
83b4049a 433
dd24857b 434 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
c48ffbcc 435 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6
MC		 436 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
437 goto err;
d8bc1399
MC		 438 }
439
f464f9c0 440 if (SSL_USE_SIGALGS(s)) {
f464f9c0
PD		 441 unsigned int sigalg;
442
443 if (!PACKET_get_net_2(pkt, &sigalg)) {
c48ffbcc 444 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
f63a17d6 445 goto err;
f464f9c0 446 }
f63a17d6
MC		 447 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
448 /* SSLfatal() already called */
449 goto err;
f464f9c0 450 }
f464f9c0 451 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
c48ffbcc 452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 453 goto err;
f464f9c0
PD		 454 }
455
38b051a1 456 if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) {
c48ffbcc 457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 458 goto err;
168067b6 459 }
f464f9c0 460
572fa024 461 if (SSL_USE_SIGALGS(s))
49b26f54 462 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
ed576acd 463 md == NULL ? "n/a" : EVP_MD_get0_name(md));
572fa024 464
d8bc1399
MC		 465 /* Check for broken implementations of GOST ciphersuites */
466 /*
f464f9c0
PD		 467 * If key is GOST and len is exactly 64 or 128, it is signature without
468 * length field (CryptoPro implementations at least till TLS 1.2)
d8bc1399
MC		 469 */
470#ifndef OPENSSL_NO_GOST
f464f9c0
PD		 471 if (!SSL_USE_SIGALGS(s)
472 && ((PACKET_remaining(pkt) == 64
ed576acd
TM		 473 && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
474 || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
f464f9c0 475 || (PACKET_remaining(pkt) == 128
ed576acd 476 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
f464f9c0 477 len = PACKET_remaining(pkt);
d8bc1399
MC		 478 } else
479#endif
f464f9c0 480 if (!PACKET_get_net_2(pkt, &len)) {
c48ffbcc 481 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 482 goto err;
d8bc1399 483 }
f464f9c0 484
d8bc1399 485 if (!PACKET_get_bytes(pkt, &data, len)) {
c48ffbcc 486 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 487 goto err;
d8bc1399
MC		 488 }
489
2c5dfdc3 490 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6
MC		 491 /* SSLfatal() already called */
492 goto err;
d8bc1399
MC		 493 }
494
49b26f54 495 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
ed576acd 496 md == NULL ? "n/a" : EVP_MD_get0_name(md));
49b26f54 497
d8652be0 498 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
ed576acd 499 md == NULL ? NULL : EVP_MD_get0_name(md),
38b051a1 500 sctx->libctx, sctx->propq, pkey,
d38b6ae9 501 NULL) <= 0) {
c48ffbcc 502 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
f63a17d6 503 goto err;
d8bc1399
MC		 504 }
505#ifndef OPENSSL_NO_GOST
506 {
ed576acd 507 int pktype = EVP_PKEY_get_id(pkey);
d8bc1399
MC		 508 if (pktype == NID_id_GostR3410_2001
509 || pktype == NID_id_GostR3410_2012_256
510 || pktype == NID_id_GostR3410_2012_512) {
511 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
c48ffbcc 512 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 513 goto err;
d8bc1399
MC		 514 }
515 BUF_reverse(gost_data, data, len);
516 data = gost_data;
517 }
518 }
519#endif
520
5554facb 521 if (SSL_USE_PSS(s)) {
5f9b64a2 522 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 523 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
524 RSA_PSS_SALTLEN_DIGEST) <= 0) {
c48ffbcc 525 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
f63a17d6 526 goto err;
5f9b64a2 527 }
d8bc1399 528 }
caf2b6b5
DSH		 529 if (s->version == SSL3_VERSION) {
530 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
83b4a243
SL		 531 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
532 (int)s->session->master_key_length,
533 s->session->master_key) <= 0) {
c48ffbcc 534 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
f63a17d6 535 goto err;
caf2b6b5
DSH		 536 }
537 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
c48ffbcc 538 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
f63a17d6 539 goto err;
caf2b6b5
DSH		 540 }
541 } else {
542 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
25ffeb11 543 if (j <= 0) {
c48ffbcc 544 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
f63a17d6 545 goto err;
caf2b6b5 546 }
d8bc1399
MC		 547 }
548
e4562014
MC		 549 /*
550 * In TLSv1.3 on the client side we make sure we prepare the client
551 * certificate after the CertVerify instead of when we get the
552 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
553 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
8c2bfd25 554 * want to make sure that SSL_get1_peer_certificate() will return the actual
e4562014
MC		 555 * server certificate from the client_cert_cb callback.
556 */
38b051a1 557 if (!s->server && SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
e4562014
MC		 558 ret = MSG_PROCESS_CONTINUE_PROCESSING;
559 else
560 ret = MSG_PROCESS_CONTINUE_READING;
f63a17d6 561 err:
555cbb32
TS		 562 BIO_free(s->s3.handshake_buffer);
563 s->s3.handshake_buffer = NULL;
d8bc1399
MC		 564 EVP_MD_CTX_free(mctx);
565#ifndef OPENSSL_NO_GOST
566 OPENSSL_free(gost_data);
567#endif
568 return ret;
569}
570
38b051a1 571int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
0f113f3e 572{
12472b45 573 size_t finish_md_len;
229185e6 574 const char *sender;
8b0e934a 575 size_t slen;
38b051a1 576 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
229185e6 577
f7e393be 578 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 579 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
f7e393be
MC		 580 s->statem.cleanuphand = 1;
581
582 /*
583 * We only change the keys if we didn't already do this when we sent the
584 * client certificate
585 */
38b051a1 586 if (SSL_CONNECTION_IS_TLS13(s)
f7e393be 587 && !s->server
555cbb32 588 && s->s3.tmp.cert_req == 0
38b051a1 589 && (!ssl->method->ssl3_enc->change_cipher_state(s,
d4d2f3a4
MC		 590 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
591 /* SSLfatal() already called */
b43c3765 592 return 0;
f7e393be
MC		 593 }
594
229185e6 595 if (s->server) {
38b051a1
TM		 596 sender = ssl->method->ssl3_enc->server_finished_label;
597 slen = ssl->method->ssl3_enc->server_finished_label_len;
229185e6 598 } else {
38b051a1
TM		 599 sender = ssl->method->ssl3_enc->client_finished_label;
600 slen = ssl->method->ssl3_enc->client_finished_label_len;
229185e6 601 }
0f113f3e 602
38b051a1
TM		 603 finish_md_len = ssl->method->ssl3_enc->final_finish_mac(s,
604 sender, slen,
605 s->s3.tmp.finish_md);
12472b45 606 if (finish_md_len == 0) {
d4d2f3a4
MC		 607 /* SSLfatal() already called */
608 return 0;
4f89bfbf
MC		 609 }
610
555cbb32 611 s->s3.tmp.finish_md_len = finish_md_len;
4f89bfbf 612
555cbb32 613 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
c48ffbcc 614 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d4d2f3a4 615 return 0;
4f89bfbf 616 }
0f113f3e 617
2c7bd692
CB		 618 /*
619 * Log the master secret, if logging is enabled. We don't log it for
620 * TLSv1.3: there's a different key schedule for that.
621 */
38b051a1
TM		 622 if (!SSL_CONNECTION_IS_TLS13(s)
623 && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key,
624 s->session->master_key_length)) {
d4d2f3a4
MC		 625 /* SSLfatal() already called */
626 return 0;
380a522f 627 }
2faa1b48 628
b9908bf9
MC		 629 /*
630 * Copy the finished so we can use it for renegotiation checks
631 */
380a522f 632 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
c48ffbcc 633 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d4d2f3a4 634 return 0;
380a522f 635 }
23a635c0 636 if (!s->server) {
555cbb32 637 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
12472b45 638 finish_md_len);
555cbb32 639 s->s3.previous_client_finished_len = finish_md_len;
b9908bf9 640 } else {
555cbb32 641 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
12472b45 642 finish_md_len);
555cbb32 643 s->s3.previous_server_finished_len = finish_md_len;
b9908bf9 644 }
0f113f3e 645
b9908bf9 646 return 1;
0f113f3e 647}
d02b48c6 648
38b051a1 649int tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt)
44c04a2e
MC		 650{
651 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
c48ffbcc 652 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d4d2f3a4 653 return 0;
44c04a2e
MC		 654 }
655
9412b3ad 656 s->key_update = SSL_KEY_UPDATE_NONE;
44c04a2e 657 return 1;
44c04a2e
MC		 658}
659
38b051a1 660MSG_PROCESS_RETURN tls_process_key_update(SSL_CONNECTION *s, PACKET *pkt)
e1c3de44
MC		 661{
662 unsigned int updatetype;
663
524420d8
MC		 664 /*
665 * A KeyUpdate message signals a key change so the end of the message must
666 * be on a record boundary.
667 */
668 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
c48ffbcc 669 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
f63a17d6 670 return MSG_PROCESS_ERROR;
524420d8
MC		 671 }
672
e1c3de44 673 if (!PACKET_get_1(pkt, &updatetype)
2d871227 674 || PACKET_remaining(pkt) != 0) {
c48ffbcc 675 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
f63a17d6 676 return MSG_PROCESS_ERROR;
e1c3de44
MC		 677 }
678
9010b7bc
MC		 679 /*
680 * There are only two defined key update types. Fail if we get a value we
681 * didn't recognise.
682 */
2d871227
MC		 683 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
684 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
c48ffbcc 685 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
f63a17d6 686 return MSG_PROCESS_ERROR;
2d871227
MC		 687 }
688
5bf47933
MC		 689 /*
690 * If we get a request for us to update our sending keys too then, we need
691 * to additionally send a KeyUpdate message. However that message should
feb9e31c 692 * not also request an update (otherwise we get into an infinite loop).
5bf47933 693 */
feb9e31c 694 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
5bf47933
MC		 695 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
696
57389a32 697 if (!tls13_update_key(s, 0)) {
f63a17d6
MC		 698 /* SSLfatal() already called */
699 return MSG_PROCESS_ERROR;
57389a32
MC		 700 }
701
e1c3de44
MC		 702 return MSG_PROCESS_FINISHED_READING;
703}
704
0f113f3e
MC		 705/*
706 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
707 * to far.
708 */
38b051a1 709int ssl3_take_mac(SSL_CONNECTION *s)
0f113f3e
MC		 710{
711 const char *sender;
8b0e934a 712 size_t slen;
38b051a1 713 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
5d671101 714
49ae7423 715 if (!s->server) {
38b051a1
TM		 716 sender = ssl->method->ssl3_enc->server_finished_label;
717 slen = ssl->method->ssl3_enc->server_finished_label_len;
0f113f3e 718 } else {
38b051a1
TM		 719 sender = ssl->method->ssl3_enc->client_finished_label;
720 slen = ssl->method->ssl3_enc->client_finished_label_len;
0f113f3e
MC		 721 }
722
555cbb32 723 s->s3.tmp.peer_finish_md_len =
38b051a1
TM		 724 ssl->method->ssl3_enc->final_finish_mac(s, sender, slen,
725 s->s3.tmp.peer_finish_md);
5d671101 726
555cbb32 727 if (s->s3.tmp.peer_finish_md_len == 0) {
5d671101
MC		 728 /* SSLfatal() already called */
729 return 0;
730 }
731
732 return 1;
0f113f3e 733}
ee2ffc27 734
38b051a1
TM		 735MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL_CONNECTION *s,
736 PACKET *pkt)
b9908bf9 737{
348240c6 738 size_t remain;
4fa52141 739
73999b62 740 remain = PACKET_remaining(pkt);
657da85e
MC		 741 /*
742 * 'Change Cipher Spec' is just a single byte, which should already have
c69f2adf
MC		 743 * been consumed by ssl_get_message() so there should be no bytes left,
744 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
657da85e 745 */
38b051a1 746 if (SSL_CONNECTION_IS_DTLS(s)) {
73999b62 747 if ((s->version == DTLS1_BAD_VER
a230b26e
EK		 748 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
749 || (s->version != DTLS1_BAD_VER
750 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
c48ffbcc 751 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
f63a17d6 752 return MSG_PROCESS_ERROR;
c69f2adf
MC		 753 }
754 } else {
73999b62 755 if (remain != 0) {
c48ffbcc 756 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
f63a17d6 757 return MSG_PROCESS_ERROR;
c69f2adf 758 }
657da85e
MC		 759 }
760
761 /* Check we have a cipher to change to */
555cbb32 762 if (s->s3.tmp.new_cipher == NULL) {
c48ffbcc 763 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
f63a17d6 764 return MSG_PROCESS_ERROR;
657da85e
MC		 765 }
766
555cbb32 767 s->s3.change_cipher_spec = 1;
657da85e 768 if (!ssl3_do_change_cipher_spec(s)) {
c48ffbcc 769 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 770 return MSG_PROCESS_ERROR;
657da85e
MC		 771 }
772
38b051a1 773 if (SSL_CONNECTION_IS_DTLS(s)) {
c69f2adf
MC		 774 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
775
776 if (s->version == DTLS1_BAD_VER)
777 s->d1->handshake_read_seq++;
778
779#ifndef OPENSSL_NO_SCTP
780 /*
781 * Remember that a CCS has been received, so that an old key of
782 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
783 * SCTP is used
784 */
38b051a1
TM		 785 BIO_ctrl(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)),
786 BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
c69f2adf
MC		 787#endif
788 }
789
b9908bf9 790 return MSG_PROCESS_CONTINUE_READING;
657da85e
MC		 791}
792
38b051a1 793MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt)
b9908bf9 794{
12472b45 795 size_t md_len;
38b051a1 796 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
b9908bf9 797
d781d247
MC		 798
799 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 800 if (s->server) {
de9e884b
MC		 801 /*
802 * To get this far we must have read encrypted data from the client. We
803 * no longer tolerate unencrypted alerts. This value is ignored if less
804 * than TLSv1.3
805 */
806 s->statem.enc_read_state = ENC_READ_STATE_VALID;
9d75dce3
TS		 807 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
808 s->statem.cleanuphand = 1;
38b051a1
TM		 809 if (SSL_CONNECTION_IS_TLS13(s)
810 && !tls13_save_handshake_digest_for_pha(s)) {
9d75dce3
TS		 811 /* SSLfatal() already called */
812 return MSG_PROCESS_ERROR;
813 }
814 }
d781d247 815
524420d8
MC		 816 /*
817 * In TLSv1.3 a Finished message signals a key change so the end of the
818 * message must be on a record boundary.
819 */
38b051a1
TM		 820 if (SSL_CONNECTION_IS_TLS13(s)
821 && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
c48ffbcc 822 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
f63a17d6 823 return MSG_PROCESS_ERROR;
524420d8
MC		 824 }
825
0f113f3e 826 /* If this occurs, we have missed a message */
38b051a1 827 if (!SSL_CONNECTION_IS_TLS13(s) && !s->s3.change_cipher_spec) {
c48ffbcc 828 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
f63a17d6 829 return MSG_PROCESS_ERROR;
0f113f3e 830 }
555cbb32 831 s->s3.change_cipher_spec = 0;
0f113f3e 832
555cbb32 833 md_len = s->s3.tmp.peer_finish_md_len;
0f113f3e 834
12472b45 835 if (md_len != PACKET_remaining(pkt)) {
c48ffbcc 836 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
f63a17d6 837 return MSG_PROCESS_ERROR;
0f113f3e
MC		 838 }
839
555cbb32 840 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
12472b45 841 md_len) != 0) {
c48ffbcc 842 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
f63a17d6 843 return MSG_PROCESS_ERROR;
0f113f3e
MC		 844 }
845
846 /*
847 * Copy the finished so we can use it for renegotiation checks
848 */
380a522f 849 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
c48ffbcc 850 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 851 return MSG_PROCESS_ERROR;
380a522f 852 }
23a635c0 853 if (s->server) {
555cbb32 854 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
12472b45 855 md_len);
555cbb32 856 s->s3.previous_client_finished_len = md_len;
0f113f3e 857 } else {
555cbb32 858 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
12472b45 859 md_len);
555cbb32 860 s->s3.previous_server_finished_len = md_len;
0f113f3e
MC		 861 }
862
7776a36c
MC		 863 /*
864 * In TLS1.3 we also have to change cipher state and do any final processing
865 * of the initial server flight (if we are a client)
866 */
38b051a1 867 if (SSL_CONNECTION_IS_TLS13(s)) {
92760c21 868 if (s->server) {
9d75dce3 869 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
38b051a1
TM		 870 !ssl->method->ssl3_enc->change_cipher_state(s,
871 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
f63a17d6
MC		 872 /* SSLfatal() already called */
873 return MSG_PROCESS_ERROR;
92760c21
MC		 874 }
875 } else {
d74014c4
BK		 876 /* TLS 1.3 gets the secret size from the handshake md */
877 size_t dummy;
38b051a1 878 if (!ssl->method->ssl3_enc->generate_master_secret(s,
ec15acb6 879 s->master_secret, s->handshake_secret, 0,
d74014c4 880 &dummy)) {
f63a17d6
MC		 881 /* SSLfatal() already called */
882 return MSG_PROCESS_ERROR;
92760c21 883 }
38b051a1 884 if (!ssl->method->ssl3_enc->change_cipher_state(s,
92760c21 885 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
f63a17d6
MC		 886 /* SSLfatal() already called */
887 return MSG_PROCESS_ERROR;
888 }
889 if (!tls_process_initial_server_flight(s)) {
890 /* SSLfatal() already called */
891 return MSG_PROCESS_ERROR;
92760c21
MC		 892 }
893 }
894 }
895
e6575156 896 return MSG_PROCESS_FINISHED_READING;
0f113f3e 897}
d02b48c6 898
38b051a1 899int tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt)
b9908bf9 900{
7cea05dc 901 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
c48ffbcc 902 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
85a7a5e6
MC		 903 return 0;
904 }
b9908bf9 905
b9908bf9
MC		 906 return 1;
907}
908
e96e0f8e 909/* Add a certificate to the WPACKET */
38b051a1
TM		 910static int ssl_add_cert_to_wpacket(SSL_CONNECTION *s, WPACKET *pkt,
911 X509 *x, int chain)
0f113f3e 912{
e96e0f8e
MC		 913 int len;
914 unsigned char *outbytes;
915
916 len = i2d_X509(x, NULL);
917 if (len < 0) {
c48ffbcc 918 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
e96e0f8e
MC		 919 return 0;
920 }
921 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
922 || i2d_X509(x, &outbytes) != len) {
c48ffbcc 923 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
e96e0f8e
MC		 924 return 0;
925 }
926
38b051a1 927 if (SSL_CONNECTION_IS_TLS13(s)
fe874d27 928 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
f63a17d6
MC		 929 chain)) {
930 /* SSLfatal() already called */
e96e0f8e 931 return 0;
f63a17d6 932 }
e96e0f8e
MC		 933
934 return 1;
935}
936
937/* Add certificate chain to provided WPACKET */
38b051a1 938static int ssl_add_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, CERT_PKEY *cpk)
e96e0f8e
MC		 939{
940 int i, chain_count;
941 X509 *x;
942 STACK_OF(X509) *extra_certs;
943 STACK_OF(X509) *chain = NULL;
944 X509_STORE *chain_store;
38b051a1 945 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
e96e0f8e
MC		 946
947 if (cpk == NULL || cpk->x509 == NULL)
948 return 1;
949
950 x = cpk->x509;
951
952 /*
953 * If we have a certificate specific chain use it, else use parent ctx.
954 */
d805a57b 955 if (cpk->chain != NULL)
e96e0f8e
MC		 956 extra_certs = cpk->chain;
957 else
38b051a1 958 extra_certs = sctx->extra_certs;
e96e0f8e
MC		 959
960 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
961 chain_store = NULL;
962 else if (s->cert->chain_store)
963 chain_store = s->cert->chain_store;
964 else
38b051a1 965 chain_store = sctx->cert_store;
e96e0f8e 966
d805a57b 967 if (chain_store != NULL) {
38b051a1
TM		 968 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(sctx->libctx,
969 sctx->propq);
e96e0f8e
MC		 970
971 if (xs_ctx == NULL) {
c48ffbcc 972 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 973 return 0;
e96e0f8e
MC		 974 }
975 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
976 X509_STORE_CTX_free(xs_ctx);
c48ffbcc 977 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
f63a17d6 978 return 0;
e96e0f8e
MC		 979 }
980 /*
981 * It is valid for the chain not to be complete (because normally we
982 * don't include the root cert in the chain). Therefore we deliberately
983 * ignore the error return from this call. We're not actually verifying
984 * the cert - we're just building as much of the chain as we can
985 */
986 (void)X509_verify_cert(xs_ctx);
987 /* Don't leave errors in the queue */
988 ERR_clear_error();
989 chain = X509_STORE_CTX_get0_chain(xs_ctx);
990 i = ssl_security_cert_chain(s, chain, NULL, 0);
991 if (i != 1) {
992#if 0
993 /* Dummy error calls so mkerr generates them */
6849b73c
RL		 994 ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
995 ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
996 ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
e96e0f8e
MC		 997#endif
998 X509_STORE_CTX_free(xs_ctx);
c48ffbcc 999 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
f63a17d6 1000 return 0;
e96e0f8e
MC		 1001 }
1002 chain_count = sk_X509_num(chain);
1003 for (i = 0; i < chain_count; i++) {
1004 x = sk_X509_value(chain, i);
1005
f63a17d6
MC		 1006 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
1007 /* SSLfatal() already called */
e96e0f8e 1008 X509_STORE_CTX_free(xs_ctx);
f63a17d6 1009 return 0;
e96e0f8e
MC		 1010 }
1011 }
1012 X509_STORE_CTX_free(xs_ctx);
1013 } else {
1014 i = ssl_security_cert_chain(s, extra_certs, x, 0);
1015 if (i != 1) {
c48ffbcc 1016 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
f63a17d6
MC		 1017 return 0;
1018 }
1019 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1020 /* SSLfatal() already called */
1021 return 0;
e96e0f8e 1022 }
e96e0f8e
MC		 1023 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1024 x = sk_X509_value(extra_certs, i);
f63a17d6
MC		 1025 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1026 /* SSLfatal() already called */
1027 return 0;
1028 }
e96e0f8e
MC		 1029 }
1030 }
1031 return 1;
e96e0f8e
MC		 1032}
1033
38b051a1
TM		 1034unsigned long ssl3_output_cert_chain(SSL_CONNECTION *s, WPACKET *pkt,
1035 CERT_PKEY *cpk)
e96e0f8e 1036{
f63a17d6 1037 if (!WPACKET_start_sub_packet_u24(pkt)) {
c48ffbcc 1038 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6
MC		 1039 return 0;
1040 }
e96e0f8e 1041
f63a17d6
MC		 1042 if (!ssl_add_cert_chain(s, pkt, cpk))
1043 return 0;
1044
1045 if (!WPACKET_close(pkt)) {
c48ffbcc 1046 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
7cea05dc 1047 return 0;
77d514c5 1048 }
f63a17d6 1049
c49e1912 1050 return 1;
0f113f3e
MC		 1051}
1052
30f05b19
MC		 1053/*
1054 * Tidy up after the end of a handshake. In the case of SCTP this may result
1055 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1056 * freed up as well.
1057 */
38b051a1 1058WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst,
a7e6a3d8 1059 int clearbufs, int stop)
8723588e
MC		 1060{
1061 void (*cb) (const SSL *ssl, int type, int val) = NULL;
4af5836b 1062 int cleanuphand = s->statem.cleanuphand;
38b051a1
TM		 1063 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1064 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
8723588e 1065
30f05b19 1066 if (clearbufs) {
38b051a1 1067 if (!SSL_CONNECTION_IS_DTLS(s)
e7c27a6c 1068#ifndef OPENSSL_NO_SCTP
30f05b19 1069 /*
e7c27a6c
N		 1070 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1071 * messages that require it. Therefore, DTLS procedures for retransmissions
1072 * MUST NOT be used.
1073 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1074 */
38b051a1 1075 || BIO_dgram_is_sctp(SSL_get_wbio(ssl))
e7c27a6c
N		 1076#endif
1077 ) {
1078 /*
1079 * We don't do this in DTLS over UDP because we may still need the init_buf
30f05b19
MC		 1080 * in case there are any unexpected retransmits
1081 */
1082 BUF_MEM_free(s->init_buf);
1083 s->init_buf = NULL;
1084 }
e7c27a6c 1085
a2c2e000 1086 if (!ssl_free_wbio_buffer(s)) {
c48ffbcc 1087 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b77f3ed1 1088 return WORK_ERROR;
a2c2e000 1089 }
30f05b19 1090 s->init_num = 0;
473483d4 1091 }
8723588e 1092
38b051a1 1093 if (SSL_CONNECTION_IS_TLS13(s) && !s->server
9d75dce3
TS		 1094 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1095 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1096
c2c1d8a4
MC		 1097 /*
1098 * Only set if there was a Finished message and this isn't after a TLSv1.3
1099 * post handshake exchange
1100 */
4af5836b 1101 if (cleanuphand) {
8723588e
MC		 1102 /* skipped if we just sent a HelloRequest */
1103 s->renegotiate = 0;
1104 s->new_session = 0;
c7f47786 1105 s->statem.cleanuphand = 0;
c0638ade 1106 s->ext.ticket_expected = 0;
8723588e 1107
30f05b19
MC		 1108 ssl3_cleanup_key_block(s);
1109
8723588e 1110 if (s->server) {
16ff1342
MC		 1111 /*
1112 * In TLSv1.3 we update the cache as part of constructing the
1113 * NewSessionTicket
1114 */
38b051a1 1115 if (!SSL_CONNECTION_IS_TLS13(s))
16ff1342 1116 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
8723588e 1117
0e6161bc 1118 /* N.B. s->ctx may not equal s->session_ctx */
38b051a1 1119 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good);
fe3a3291 1120 s->handshake_func = ossl_statem_accept;
8723588e 1121 } else {
38b051a1 1122 if (SSL_CONNECTION_IS_TLS13(s)) {
4cb00457
MC		 1123 /*
1124 * We encourage applications to only use TLSv1.3 tickets once,
1125 * so we remove this one from the cache.
1126 */
1127 if ((s->session_ctx->session_cache_mode
1128 & SSL_SESS_CACHE_CLIENT) != 0)
1129 SSL_CTX_remove_session(s->session_ctx, s->session);
1130 } else {
1131 /*
1132 * In TLSv1.3 we update the cache as part of processing the
1133 * NewSessionTicket
1134 */
5d61491c 1135 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
4cb00457 1136 }
8723588e 1137 if (s->hit)
acce0557
P		 1138 ssl_tsan_counter(s->session_ctx,
1139 &s->session_ctx->stats.sess_hit);
8723588e 1140
fe3a3291 1141 s->handshake_func = ossl_statem_connect;
acce0557
P		 1142 ssl_tsan_counter(s->session_ctx,
1143 &s->session_ctx->stats.sess_connect_good);
8723588e
MC		 1144 }
1145
38b051a1 1146 if (SSL_CONNECTION_IS_DTLS(s)) {
8723588e
MC		 1147 /* done with handshaking */
1148 s->d1->handshake_read_seq = 0;
1149 s->d1->handshake_write_seq = 0;
1150 s->d1->next_handshake_write_seq = 0;
f5c7f5df 1151 dtls1_clear_received_buffer(s);
8723588e
MC		 1152 }
1153 }
1154
c2c1d8a4
MC		 1155 if (s->info_callback != NULL)
1156 cb = s->info_callback;
38b051a1
TM		 1157 else if (sctx->info_callback != NULL)
1158 cb = sctx->info_callback;
c2c1d8a4 1159
4ce787b9
MC		 1160 /* The callback may expect us to not be in init at handshake done */
1161 ossl_statem_set_in_init(s, 0);
1162
4af5836b
MC		 1163 if (cb != NULL) {
1164 if (cleanuphand
38b051a1 1165 || !SSL_CONNECTION_IS_TLS13(s)
4af5836b 1166 || SSL_IS_FIRST_HANDSHAKE(s))
38b051a1 1167 cb(ssl, SSL_CB_HANDSHAKE_DONE, 1);
4af5836b 1168 }
c2c1d8a4 1169
4ce787b9
MC		 1170 if (!stop) {
1171 /* If we've got more work to do we go back into init */
1172 ossl_statem_set_in_init(s, 1);
30f05b19 1173 return WORK_FINISHED_CONTINUE;
4ce787b9 1174 }
30f05b19 1175
8723588e
MC		 1176 return WORK_FINISHED_STOP;
1177}
1178
38b051a1 1179int tls_get_message_header(SSL_CONNECTION *s, int *mt)
9ab930b2
MC		 1180{
1181 /* s->init_num < SSL3_HM_HEADER_LENGTH */
d4d2f3a4 1182 int skip_message, i, recvd_type;
9ab930b2 1183 unsigned char *p;
54105ddd 1184 size_t l, readbytes;
38b051a1 1185 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
9ab930b2
MC		 1186
1187 p = (unsigned char *)s->init_buf->data;
1188
1189 do {
1190 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
38b051a1
TM		 1191 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, &recvd_type,
1192 &p[s->init_num],
1193 SSL3_HM_HEADER_LENGTH - s->init_num,
1194 0, &readbytes);
9ab930b2
MC		 1195 if (i <= 0) {
1196 s->rwstate = SSL_READING;
1197 return 0;
32ec4153 1198 }
9ab930b2 1199 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1257adec 1200 /*
a230b26e
EK		 1201 * A ChangeCipherSpec must be a single byte and may not occur
1202 * in the middle of a handshake message.
1203 */
54105ddd 1204 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
d4d2f3a4 1205 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
d4d2f3a4
MC		 1206 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1207 return 0;
1257adec 1208 }
e9359719 1209 if (s->statem.hand_state == TLS_ST_BEFORE
555cbb32 1210 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
e9359719
MC		 1211 /*
1212 * We are stateless and we received a CCS. Probably this is
1213 * from a client between the first and second ClientHellos.
1214 * We should ignore this, but return an error because we do
1215 * not return success until we see the second ClientHello
1216 * with a valid cookie.
1217 */
1218 return 0;
1219 }
555cbb32 1220 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
54105ddd 1221 s->init_num = readbytes - 1;
c4377574 1222 s->init_msg = s->init_buf->data;
555cbb32 1223 s->s3.tmp.message_size = readbytes;
9ab930b2
MC		 1224 return 1;
1225 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
d4d2f3a4 1226 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
d4d2f3a4
MC		 1227 SSL_R_CCS_RECEIVED_EARLY);
1228 return 0;
32ec4153 1229 }
54105ddd 1230 s->init_num += readbytes;
9ab930b2
MC		 1231 }
1232
1233 skip_message = 0;
1234 if (!s->server)
c7f47786
MC		 1235 if (s->statem.hand_state != TLS_ST_OK
1236 && p[0] == SSL3_MT_HELLO_REQUEST)
9ab930b2
MC		 1237 /*
1238 * The server may always send 'Hello Request' messages --
1239 * we are doing a handshake anyway now, so ignore them if
1240 * their format is correct. Does not count for 'Finished'
1241 * MAC.
1242 */
1243 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1244 s->init_num = 0;
1245 skip_message = 1;
1246
1247 if (s->msg_callback)
1248 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
38b051a1 1249 p, SSL3_HM_HEADER_LENGTH, ssl,
9ab930b2
MC		 1250 s->msg_callback_arg);
1251 }
1252 } while (skip_message);
1253 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1254
1255 *mt = *p;
555cbb32 1256 s->s3.tmp.message_type = *(p++);
32ec4153 1257
e8aa8b6c 1258 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
9ab930b2
MC		 1259 /*
1260 * Only happens with SSLv3+ in an SSLv2 backward compatible
1261 * ClientHello
e8aa8b6c
F		 1262 *
1263 * Total message size is the remaining record bytes to read
1264 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
9ab930b2 1265 */
9ab930b2
MC		 1266 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1267 + SSL3_HM_HEADER_LENGTH;
555cbb32 1268 s->s3.tmp.message_size = l;
9ab930b2
MC		 1269
1270 s->init_msg = s->init_buf->data;
1271 s->init_num = SSL3_HM_HEADER_LENGTH;
1272 } else {
1273 n2l3(p, l);
1274 /* BUF_MEM_grow takes an 'int' parameter */
1275 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
c48ffbcc 1276 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
d4d2f3a4
MC		 1277 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1278 return 0;
32ec4153 1279 }
555cbb32 1280 s->s3.tmp.message_size = l;
9ab930b2
MC		 1281
1282 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1283 s->init_num = 0;
1284 }
1285
1286 return 1;
9ab930b2
MC		 1287}
1288
38b051a1 1289int tls_get_message_body(SSL_CONNECTION *s, size_t *len)
9ab930b2 1290{
54105ddd 1291 size_t n, readbytes;
9ab930b2
MC		 1292 unsigned char *p;
1293 int i;
38b051a1 1294 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
9ab930b2 1295
555cbb32 1296 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
9ab930b2
MC		 1297 /* We've already read everything in */
1298 *len = (unsigned long)s->init_num;
1299 return 1;
0f113f3e
MC		 1300 }
1301
0f113f3e 1302 p = s->init_msg;
555cbb32 1303 n = s->s3.tmp.message_size - s->init_num;
0f113f3e 1304 while (n > 0) {
38b051a1
TM		 1305 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL,
1306 &p[s->init_num], n, 0, &readbytes);
0f113f3e
MC		 1307 if (i <= 0) {
1308 s->rwstate = SSL_READING;
9ab930b2
MC		 1309 *len = 0;
1310 return 0;
0f113f3e 1311 }
54105ddd
MC		 1312 s->init_num += readbytes;
1313 n -= readbytes;
0f113f3e 1314 }
ee2ffc27 1315
0f113f3e
MC		 1316 /*
1317 * If receiving Finished, record MAC of prior handshake messages for
1318 * Finished verification.
1319 */
5d671101
MC		 1320 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1321 /* SSLfatal() already called */
1322 *len = 0;
1323 return 0;
1324 }
ee2ffc27 1325
0f113f3e 1326 /* Feed this message into MAC computation. */
e8aa8b6c 1327 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
d166ed8c
DSH		 1328 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1329 s->init_num)) {
d4d2f3a4 1330 /* SSLfatal() already called */
d166ed8c
DSH		 1331 *len = 0;
1332 return 0;
1333 }
32ec4153 1334 if (s->msg_callback)
a230b26e 1335 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
38b051a1 1336 (size_t)s->init_num, ssl, s->msg_callback_arg);
32ec4153 1337 } else {
11c67eea
MC		 1338 /*
1339 * We defer feeding in the HRR until later. We'll do it as part of
1340 * processing the message
9d75dce3
TS		 1341 * The TLsv1.3 handshake transcript stops at the ClientFinished
1342 * message.
11c67eea 1343 */
597c51bc 1344#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
9d75dce3 1345 /* KeyUpdate and NewSessionTicket do not need to be added */
38b051a1
TM		 1346 if (!SSL_CONNECTION_IS_TLS13(s)
1347 || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1348 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
555cbb32 1349 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
9d75dce3
TS		 1350 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1351 || memcmp(hrrrandom,
1352 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1353 SSL3_RANDOM_SIZE) != 0) {
1354 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1355 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1356 /* SSLfatal() already called */
1357 *len = 0;
1358 return 0;
1359 }
597c51bc 1360 }
d166ed8c 1361 }
32ec4153
MC		 1362 if (s->msg_callback)
1363 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
38b051a1 1364 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, ssl,
32ec4153
MC		 1365 s->msg_callback_arg);
1366 }
1367
eda75751 1368 *len = s->init_num;
9ab930b2 1369 return 1;
0f113f3e 1370}
d02b48c6 1371
c6d38183
RS		 1372static const X509ERR2ALERT x509table[] = {
1373 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1374 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
cccf532f 1375 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
c6d38183
RS		 1376 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1377 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1378 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1379 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1380 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1381 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1382 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1383 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1384 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1385 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1386 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1387 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1388 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1389 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1390 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1391 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1392 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1393 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1394 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1395 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1396 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1397 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1398 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1399 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1400 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1401 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1402 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1403 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1404 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1405 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1406 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1407 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1408 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1409 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1410 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1411 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1412 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1413
1414 /* Last entry; return this if we don't find the value above. */
1415 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1416};
1417
1418int ssl_x509err2alert(int x509err)
0f113f3e 1419{
c6d38183
RS		 1420 const X509ERR2ALERT *tp;
1421
1422 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1423 if (tp->x509err == x509err)
1424 break;
1425 return tp->alert;
0f113f3e 1426}
d02b48c6 1427
38b051a1 1428int ssl_allow_compression(SSL_CONNECTION *s)
0f113f3e
MC		 1429{
1430 if (s->options & SSL_OP_NO_COMPRESSION)
1431 return 0;
1432 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1433}
4fa52141 1434
38b051a1 1435static int version_cmp(const SSL_CONNECTION *s, int a, int b)
4fa52141 1436{
38b051a1 1437 int dtls = SSL_CONNECTION_IS_DTLS(s);
4fa52141
VD		 1438
1439 if (a == b)
1440 return 0;
1441 if (!dtls)
1442 return a < b ? -1 : 1;
1443 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1444}
1445
1446typedef struct {
1447 int version;
a230b26e
EK		 1448 const SSL_METHOD *(*cmeth) (void);
1449 const SSL_METHOD *(*smeth) (void);
4fa52141
VD		 1450} version_info;
1451
5c587fb6 1452#if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
582a17d6 1453# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
4fa52141
VD		 1454#endif
1455
f7f2a01d 1456/* Must be in order high to low */
4fa52141 1457static const version_info tls_version_table[] = {
582a17d6
MC		 1458#ifndef OPENSSL_NO_TLS1_3
1459 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1460#else
1461 {TLS1_3_VERSION, NULL, NULL},
1462#endif
6b01bed2 1463#ifndef OPENSSL_NO_TLS1_2
a230b26e 1464 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
6b01bed2 1465#else
a230b26e 1466 {TLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1467#endif
1468#ifndef OPENSSL_NO_TLS1_1
a230b26e 1469 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
6b01bed2 1470#else
a230b26e 1471 {TLS1_1_VERSION, NULL, NULL},
6b01bed2
VD		 1472#endif
1473#ifndef OPENSSL_NO_TLS1
a230b26e 1474 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
6b01bed2 1475#else
a230b26e 1476 {TLS1_VERSION, NULL, NULL},
6b01bed2 1477#endif
4fa52141 1478#ifndef OPENSSL_NO_SSL3
a230b26e 1479 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
6b01bed2 1480#else
a230b26e 1481 {SSL3_VERSION, NULL, NULL},
4fa52141 1482#endif
a230b26e 1483 {0, NULL, NULL},
4fa52141
VD		 1484};
1485
5c587fb6 1486#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
4fa52141
VD		 1487# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1488#endif
1489
f7f2a01d 1490/* Must be in order high to low */
4fa52141 1491static const version_info dtls_version_table[] = {
6b01bed2 1492#ifndef OPENSSL_NO_DTLS1_2
a230b26e 1493 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
6b01bed2 1494#else
a230b26e 1495 {DTLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1496#endif
1497#ifndef OPENSSL_NO_DTLS1
a230b26e
EK		 1498 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1499 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
6b01bed2 1500#else
a230b26e
EK		 1501 {DTLS1_VERSION, NULL, NULL},
1502 {DTLS1_BAD_VER, NULL, NULL},
6b01bed2 1503#endif
a230b26e 1504 {0, NULL, NULL},
4fa52141
VD		 1505};
1506
1507/*
1508 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1509 *
1510 * @s: The SSL handle for the candidate method
1511 * @method: the intended method.
1512 *
1513 * Returns 0 on success, or an SSL error reason on failure.
1514 */
38b051a1 1515static int ssl_method_error(const SSL_CONNECTION *s, const SSL_METHOD *method)
4fa52141
VD		 1516{
1517 int version = method->version;
1518
1519 if ((s->min_proto_version != 0 &&
1520 version_cmp(s, version, s->min_proto_version) < 0) ||
1521 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1522 return SSL_R_VERSION_TOO_LOW;
1523
1524 if (s->max_proto_version != 0 &&
a230b26e 1525 version_cmp(s, version, s->max_proto_version) > 0)
4fa52141
VD		 1526 return SSL_R_VERSION_TOO_HIGH;
1527
1528 if ((s->options & method->mask) != 0)
1529 return SSL_R_UNSUPPORTED_PROTOCOL;
1530 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1531 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
4fa52141
VD		 1532
1533 return 0;
1534}
1535
baa45c3e
MC		 1536/*
1537 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
ebda646d
MC		 1538 * certificate type, or has PSK or a certificate callback configured, or has
1539 * a servername callback configure. Otherwise returns 0.
baa45c3e 1540 */
38b051a1 1541static int is_tls13_capable(const SSL_CONNECTION *s)
baa45c3e 1542{
65d2c16c 1543 int i;
65d2c16c 1544 int curve;
38b051a1 1545 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
baa45c3e 1546
38b051a1 1547 if (!ossl_assert(sctx != NULL) || !ossl_assert(s->session_ctx != NULL))
ebda646d
MC		 1548 return 0;
1549
1550 /*
1551 * A servername callback can change the available certs, so if a servername
1552 * cb is set then we just assume TLSv1.3 will be ok
1553 */
38b051a1 1554 if (sctx->ext.servername_cb != NULL
ebda646d
MC		 1555 || s->session_ctx->ext.servername_cb != NULL)
1556 return 1;
1557
d162340d
MC		 1558#ifndef OPENSSL_NO_PSK
1559 if (s->psk_server_callback != NULL)
1560 return 1;
1561#endif
1562
cd3b53b8 1563 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
baa45c3e
MC		 1564 return 1;
1565
1566 for (i = 0; i < SSL_PKEY_NUM; i++) {
1567 /* Skip over certs disallowed for TLSv1.3 */
1568 switch (i) {
1569 case SSL_PKEY_DSA_SIGN:
1570 case SSL_PKEY_GOST01:
1571 case SSL_PKEY_GOST12_256:
1572 case SSL_PKEY_GOST12_512:
1573 continue;
1574 default:
1575 break;
1576 }
de4dc598
MC		 1577 if (!ssl_has_cert(s, i))
1578 continue;
1579 if (i != SSL_PKEY_ECC)
1580 return 1;
1581 /*
1582 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1583 * more restrictive so check that our sig algs are consistent with this
1584 * EC cert. See section 4.2.3 of RFC8446.
1585 */
d8975dec 1586 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
de4dc598 1587 if (tls_check_sigalg_curve(s, curve))
baa45c3e
MC		 1588 return 1;
1589 }
1590
1591 return 0;
1592}
1593
ccae4a15
FI		 1594/*
1595 * ssl_version_supported - Check that the specified `version` is supported by
1596 * `SSL *` instance
1597 *
1598 * @s: The SSL handle for the candidate method
1599 * @version: Protocol version to test against
1600 *
1601 * Returns 1 when supported, otherwise 0
1602 */
38b051a1
TM		 1603int ssl_version_supported(const SSL_CONNECTION *s, int version,
1604 const SSL_METHOD **meth)
ccae4a15
FI		 1605{
1606 const version_info *vent;
1607 const version_info *table;
1608
38b051a1 1609 switch (SSL_CONNECTION_GET_SSL(s)->method->version) {
ccae4a15
FI		 1610 default:
1611 /* Version should match method version for non-ANY method */
1612 return version_cmp(s, version, s->version) == 0;
1613 case TLS_ANY_VERSION:
1614 table = tls_version_table;
1615 break;
1616 case DTLS_ANY_VERSION:
1617 table = dtls_version_table;
1618 break;
1619 }
1620
1621 for (vent = table;
1622 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1623 ++vent) {
baa45c3e
MC		 1624 if (vent->cmeth != NULL
1625 && version_cmp(s, version, vent->version) == 0
1626 && ssl_method_error(s, vent->cmeth()) == 0
1627 && (!s->server
1628 || version != TLS1_3_VERSION
1629 || is_tls13_capable(s))) {
4fd12788
MC		 1630 if (meth != NULL)
1631 *meth = vent->cmeth();
ccae4a15
FI		 1632 return 1;
1633 }
1634 }
1635 return 0;
1636}
1637
4fa52141
VD		 1638/*
1639 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1640 * fallback indication from a client check whether we're using the highest
1641 * supported protocol version.
1642 *
1643 * @s server SSL handle.
1644 *
1645 * Returns 1 when using the highest enabled version, 0 otherwise.
1646 */
38b051a1 1647int ssl_check_version_downgrade(SSL_CONNECTION *s)
4fa52141
VD		 1648{
1649 const version_info *vent;
1650 const version_info *table;
38b051a1 1651 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
4fa52141
VD		 1652
1653 /*
1654 * Check that the current protocol is the highest enabled version
1655 * (according to s->ctx->method, as version negotiation may have changed
1656 * s->method).
1657 */
38b051a1 1658 if (s->version == sctx->method->version)
4fa52141
VD		 1659 return 1;
1660
1661 /*
1662 * Apparently we're using a version-flexible SSL_METHOD (not at its
1663 * highest protocol version).
1664 */
38b051a1 1665 if (sctx->method->version == TLS_method()->version)
4fa52141 1666 table = tls_version_table;
38b051a1 1667 else if (sctx->method->version == DTLS_method()->version)
4fa52141
VD		 1668 table = dtls_version_table;
1669 else {
1670 /* Unexpected state; fail closed. */
1671 return 0;
1672 }
1673
1674 for (vent = table; vent->version != 0; ++vent) {
a230b26e 1675 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
4fa52141
VD		 1676 return s->version == vent->version;
1677 }
1678 return 0;
1679}
1680
1681/*
1682 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1683 * protocols, provided the initial (D)TLS method is version-flexible. This
1684 * function sanity-checks the proposed value and makes sure the method is
1685 * version-flexible, then sets the limit if all is well.
1686 *
1687 * @method_version: The version of the current SSL_METHOD.
1688 * @version: the intended limit.
1689 * @bound: pointer to limit to be updated.
1690 *
1691 * Returns 1 on success, 0 on failure.
1692 */
1693int ssl_set_version_bound(int method_version, int version, int *bound)
1694{
77174598
VD		 1695 int valid_tls;
1696 int valid_dtls;
1697
869e978c
KR		 1698 if (version == 0) {
1699 *bound = version;
1700 return 1;
1701 }
1702
77174598
VD		 1703 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1704 valid_dtls =
1705 DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1706 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1707
1708 if (!valid_tls && !valid_dtls)
1709 return 0;
1710
4fa52141
VD		 1711 /*-
1712 * Restrict TLS methods to TLS protocol versions.
1713 * Restrict DTLS methods to DTLS protocol versions.
1714 * Note, DTLS version numbers are decreasing, use comparison macros.
1715 *
1716 * Note that for both lower-bounds we use explicit versions, not
1717 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1718 * configurations. If the MIN (supported) version ever rises, the user's
1719 * "floor" remains valid even if no longer available. We don't expect the
1720 * MAX ceiling to ever get lower, so making that variable makes sense.
77174598
VD		 1721 *
1722 * We ignore attempts to set bounds on version-inflexible methods,
1723 * returning success.
4fa52141
VD		 1724 */
1725 switch (method_version) {
1726 default:
77174598 1727 break;
4fa52141
VD		 1728
1729 case TLS_ANY_VERSION:
77174598
VD		 1730 if (valid_tls)
1731 *bound = version;
4fa52141
VD		 1732 break;
1733
1734 case DTLS_ANY_VERSION:
77174598
VD		 1735 if (valid_dtls)
1736 *bound = version;
4fa52141
VD		 1737 break;
1738 }
4fa52141
VD		 1739 return 1;
1740}
1741
38b051a1 1742static void check_for_downgrade(SSL_CONNECTION *s, int vers, DOWNGRADE *dgrd)
f7f2a01d
MC		 1743{
1744 if (vers == TLS1_2_VERSION
4fd12788 1745 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
f7f2a01d 1746 *dgrd = DOWNGRADE_TO_1_2;
38b051a1 1747 } else if (!SSL_CONNECTION_IS_DTLS(s)
5627f9f2
MC		 1748 && vers < TLS1_2_VERSION
1749 /*
1750 * We need to ensure that a server that disables TLSv1.2
1751 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1752 * complete handshakes with clients that support TLSv1.2 and
1753 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1754 * enabled and TLSv1.2 is not.
1755 */
1756 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
f7f2a01d
MC		 1757 *dgrd = DOWNGRADE_TO_1_1;
1758 } else {
1759 *dgrd = DOWNGRADE_NONE;
1760 }
1761}
1762
4fa52141
VD		 1763/*
1764 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1765 * client HELLO is received to select the final server protocol version and
1766 * the version specific method.
1767 *
1768 * @s: server SSL handle.
1769 *
1770 * Returns 0 on success or an SSL error reason number on failure.
1771 */
38b051a1
TM		 1772int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
1773 DOWNGRADE *dgrd)
4fa52141
VD		 1774{
1775 /*-
1776 * With version-flexible methods we have an initial state with:
1777 *
1778 * s->method->version == (D)TLS_ANY_VERSION,
5c587fb6 1779 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
4fa52141
VD		 1780 *
1781 * So we detect version-flexible methods via the method version, not the
1782 * handle version.
1783 */
38b051a1
TM		 1784 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1785 int server_version = ssl->method->version;
df7ce507 1786 int client_version = hello->legacy_version;
4fa52141
VD		 1787 const version_info *vent;
1788 const version_info *table;
1789 int disabled = 0;
cd998837 1790 RAW_EXTENSION *suppversions;
4fa52141 1791
1ab3836b
MC		 1792 s->client_version = client_version;
1793
4fa52141
VD		 1794 switch (server_version) {
1795 default:
38b051a1 1796 if (!SSL_CONNECTION_IS_TLS13(s)) {
7d061fce
MC		 1797 if (version_cmp(s, client_version, s->version) < 0)
1798 return SSL_R_WRONG_SSL_VERSION;
f7f2a01d 1799 *dgrd = DOWNGRADE_NONE;
7d061fce
MC		 1800 /*
1801 * If this SSL handle is not from a version flexible method we don't
1802 * (and never did) check min/max FIPS or Suite B constraints. Hope
1803 * that's OK. It is up to the caller to not choose fixed protocol
1804 * versions they don't want. If not, then easy to fix, just return
1805 * ssl_method_error(s, s->method)
1806 */
1807 return 0;
1808 }
d2f42576 1809 /*
7d061fce
MC		 1810 * Fall through if we are TLSv1.3 already (this means we must be after
1811 * a HelloRetryRequest
4fa52141 1812 */
018fcbec 1813 /* fall thru */
4fa52141
VD		 1814 case TLS_ANY_VERSION:
1815 table = tls_version_table;
1816 break;
1817 case DTLS_ANY_VERSION:
1818 table = dtls_version_table;
1819 break;
1820 }
1821
70af3d8e 1822 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
cd998837 1823
6f40214f 1824 /* If we did an HRR then supported versions is mandatory */
fc7129dc 1825 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
6f40214f
MC		 1826 return SSL_R_UNSUPPORTED_PROTOCOL;
1827
38b051a1 1828 if (suppversions->present && !SSL_CONNECTION_IS_DTLS(s)) {
cd998837
MC		 1829 unsigned int candidate_vers = 0;
1830 unsigned int best_vers = 0;
1831 const SSL_METHOD *best_method = NULL;
1832 PACKET versionslist;
1833
6b473aca
MC		 1834 suppversions->parsed = 1;
1835
16bce0e0 1836 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
cd998837
MC		 1837 /* Trailing or invalid data? */
1838 return SSL_R_LENGTH_MISMATCH;
1839 }
1840
d8434cf8
MC		 1841 /*
1842 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1843 * The spec only requires servers to check that it isn't SSLv3:
1844 * "Any endpoint receiving a Hello message with
1845 * ClientHello.legacy_version or ServerHello.legacy_version set to
1846 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1847 * We are slightly stricter and require that it isn't SSLv3 or lower.
1848 * We tolerate TLSv1 and TLSv1.1.
1849 */
1850 if (client_version <= SSL3_VERSION)
1851 return SSL_R_BAD_LEGACY_VERSION;
1852
cd998837 1853 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
cd998837
MC		 1854 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1855 continue;
4fd12788
MC		 1856 if (ssl_version_supported(s, candidate_vers, &best_method))
1857 best_vers = candidate_vers;
cd998837
MC		 1858 }
1859 if (PACKET_remaining(&versionslist) != 0) {
1860 /* Trailing data? */
1861 return SSL_R_LENGTH_MISMATCH;
1862 }
1863
1864 if (best_vers > 0) {
fc7129dc 1865 if (s->hello_retry_request != SSL_HRR_NONE) {
7d061fce 1866 /*
6f40214f
MC		 1867 * This is after a HelloRetryRequest so we better check that we
1868 * negotiated TLSv1.3
7d061fce
MC		 1869 */
1870 if (best_vers != TLS1_3_VERSION)
1871 return SSL_R_UNSUPPORTED_PROTOCOL;
1872 return 0;
1873 }
f7f2a01d 1874 check_for_downgrade(s, best_vers, dgrd);
cd998837 1875 s->version = best_vers;
38b051a1 1876 ssl->method = best_method;
cd998837
MC		 1877 return 0;
1878 }
1879 return SSL_R_UNSUPPORTED_PROTOCOL;
1880 }
1881
1882 /*
1883 * If the supported versions extension isn't present, then the highest
1884 * version we can negotiate is TLSv1.2
1885 */
1886 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1887 client_version = TLS1_2_VERSION;
1888
1889 /*
1890 * No supported versions extension, so we just use the version supplied in
1891 * the ClientHello.
1892 */
4fa52141
VD		 1893 for (vent = table; vent->version != 0; ++vent) {
1894 const SSL_METHOD *method;
1895
1896 if (vent->smeth == NULL ||
1897 version_cmp(s, client_version, vent->version) < 0)
1898 continue;
1899 method = vent->smeth();
1900 if (ssl_method_error(s, method) == 0) {
f7f2a01d 1901 check_for_downgrade(s, vent->version, dgrd);
4fa52141 1902 s->version = vent->version;
38b051a1 1903 ssl->method = method;
4fa52141
VD		 1904 return 0;
1905 }
1906 disabled = 1;
1907 }
1908 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1909}
1910
1911/*
1912 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1913 * server HELLO is received to select the final client protocol version and
1914 * the version specific method.
1915 *
1916 * @s: client SSL handle.
1917 * @version: The proposed version from the server's HELLO.
88050dd1 1918 * @extensions: The extensions received
4fa52141 1919 *
29bfd5b7 1920 * Returns 1 on success or 0 on error.
4fa52141 1921 */
38b051a1
TM		 1922int ssl_choose_client_version(SSL_CONNECTION *s, int version,
1923 RAW_EXTENSION *extensions)
4fa52141
VD		 1924{
1925 const version_info *vent;
1926 const version_info *table;
b5b993b2 1927 int ret, ver_min, ver_max, real_max, origv;
38b051a1 1928 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
4fa52141 1929
88050dd1
MC		 1930 origv = s->version;
1931 s->version = version;
b97667ce 1932
88050dd1
MC		 1933 /* This will overwrite s->version if the extension is present */
1934 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1935 SSL_EXT_TLS1_2_SERVER_HELLO
1936 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1937 NULL, 0)) {
1938 s->version = origv;
1939 return 0;
1940 }
1941
fc7129dc
MC		 1942 if (s->hello_retry_request != SSL_HRR_NONE
1943 && s->version != TLS1_3_VERSION) {
88050dd1 1944 s->version = origv;
c48ffbcc 1945 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
29bfd5b7 1946 return 0;
c3043dcd
MC		 1947 }
1948
38b051a1 1949 switch (ssl->method->version) {
4fa52141 1950 default:
38b051a1 1951 if (s->version != ssl->method->version) {
88050dd1 1952 s->version = origv;
c48ffbcc 1953 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
29bfd5b7 1954 return 0;
c3043dcd 1955 }
4fa52141
VD		 1956 /*
1957 * If this SSL handle is not from a version flexible method we don't
1958 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1959 * that's OK. It is up to the caller to not choose fixed protocol
1960 * versions they don't want. If not, then easy to fix, just return
1961 * ssl_method_error(s, s->method)
1962 */
29bfd5b7 1963 return 1;
4fa52141
VD		 1964 case TLS_ANY_VERSION:
1965 table = tls_version_table;
1966 break;
1967 case DTLS_ANY_VERSION:
1968 table = dtls_version_table;
1969 break;
1970 }
1971
b5b993b2
MC		 1972 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1973 if (ret != 0) {
1974 s->version = origv;
c48ffbcc 1975 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
b5b993b2
MC		 1976 return 0;
1977 }
38b051a1
TM		 1978 if (SSL_CONNECTION_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1979 : s->version < ver_min) {
b5b993b2 1980 s->version = origv;
c48ffbcc 1981 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
b5b993b2 1982 return 0;
38b051a1
TM		 1983 } else if (SSL_CONNECTION_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1984 : s->version > ver_max) {
b5b993b2 1985 s->version = origv;
c48ffbcc 1986 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
b5b993b2
MC		 1987 return 0;
1988 }
5df22060 1989
b5b993b2
MC		 1990 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1991 real_max = ver_max;
c3043dcd 1992
b5b993b2
MC		 1993 /* Check for downgrades */
1994 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1995 if (memcmp(tls12downgrade,
555cbb32 1996 s->s3.server_random + SSL3_RANDOM_SIZE
b5b993b2
MC		 1997 - sizeof(tls12downgrade),
1998 sizeof(tls12downgrade)) == 0) {
1999 s->version = origv;
2000 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
b5b993b2
MC		 2001 SSL_R_INAPPROPRIATE_FALLBACK);
2002 return 0;
2003 }
38b051a1 2004 } else if (!SSL_CONNECTION_IS_DTLS(s)
b5b993b2
MC		 2005 && s->version < TLS1_2_VERSION
2006 && real_max > s->version) {
2007 if (memcmp(tls11downgrade,
555cbb32 2008 s->s3.server_random + SSL3_RANDOM_SIZE
b5b993b2
MC		 2009 - sizeof(tls11downgrade),
2010 sizeof(tls11downgrade)) == 0) {
2011 s->version = origv;
2012 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
b5b993b2
MC		 2013 SSL_R_INAPPROPRIATE_FALLBACK);
2014 return 0;
c3043dcd 2015 }
b5b993b2 2016 }
c3043dcd 2017
b5b993b2
MC		 2018 for (vent = table; vent->version != 0; ++vent) {
2019 if (vent->cmeth == NULL || s->version != vent->version)
c3043dcd
MC		 2020 continue;
2021
38b051a1 2022 ssl->method = vent->cmeth();
29bfd5b7 2023 return 1;
4fa52141
VD		 2024 }
2025
88050dd1 2026 s->version = origv;
c48ffbcc 2027 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
29bfd5b7 2028 return 0;
4fa52141
VD		 2029}
2030
068c358a 2031/*
38a73150 2032 * ssl_get_min_max_version - get minimum and maximum protocol version
068c358a
KR		 2033 * @s: The SSL connection
2034 * @min_version: The minimum supported version
2035 * @max_version: The maximum supported version
b5b993b2
MC		 2036 * @real_max: The highest version below the lowest compile time version hole
2037 * where that hole lies above at least one run-time enabled
2038 * protocol.
068c358a
KR		 2039 *
2040 * Work out what version we should be using for the initial ClientHello if the
2041 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2042 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
b53338cb 2043 * constraints and any floor imposed by the security level here,
068c358a 2044 * so we don't advertise the wrong protocol version to only reject the outcome later.
4fa52141 2045 *
0485d540 2046 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
4fa52141
VD		 2047 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2048 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2049 *
068c358a
KR		 2050 * Returns 0 on success or an SSL error reason number on failure. On failure
2051 * min_version and max_version will also be set to 0.
4fa52141 2052 */
38b051a1
TM		 2053int ssl_get_min_max_version(const SSL_CONNECTION *s, int *min_version,
2054 int *max_version, int *real_max)
4fa52141 2055{
b5b993b2 2056 int version, tmp_real_max;
4fa52141
VD		 2057 int hole;
2058 const SSL_METHOD *single = NULL;
2059 const SSL_METHOD *method;
2060 const version_info *table;
2061 const version_info *vent;
38b051a1 2062 const SSL *ssl = SSL_CONNECTION_GET_SSL(s);
4fa52141 2063
38b051a1 2064 switch (ssl->method->version) {
4fa52141
VD		 2065 default:
2066 /*
2067 * If this SSL handle is not from a version flexible method we don't
2068 * (and never did) check min/max FIPS or Suite B constraints. Hope
2069 * that's OK. It is up to the caller to not choose fixed protocol
2070 * versions they don't want. If not, then easy to fix, just return
2071 * ssl_method_error(s, s->method)
2072 */
068c358a 2073 *min_version = *max_version = s->version;
b5b993b2
MC		 2074 /*
2075 * Providing a real_max only makes sense where we're using a version
2076 * flexible method.
2077 */
2078 if (!ossl_assert(real_max == NULL))
2079 return ERR_R_INTERNAL_ERROR;
4fa52141
VD		 2080 return 0;
2081 case TLS_ANY_VERSION:
2082 table = tls_version_table;
2083 break;
2084 case DTLS_ANY_VERSION:
2085 table = dtls_version_table;
2086 break;
2087 }
2088
2089 /*
2090 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2091 * below X enabled. This is required in order to maintain the "version
2092 * capability" vector contiguous. Any versions with a NULL client method
2093 * (protocol version client is disabled at compile-time) is also a "hole".
2094 *
2095 * Our initial state is hole == 1, version == 0. That is, versions above
2096 * the first version in the method table are disabled (a "hole" above
2097 * the valid protocol entries) and we don't have a selected version yet.
2098 *
2099 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2100 * the selected version, and the method becomes a candidate "single"
2101 * method. We're no longer in a hole, so "hole" becomes 0.
2102 *
2103 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2104 * as we support a contiguous range of at least two methods. If we hit
2105 * a disabled method, then hole becomes true again, but nothing else
2106 * changes yet, because all the remaining methods may be disabled too.
2107 * If we again hit an enabled method after the new hole, it becomes
2108 * selected, as we start from scratch.
2109 */
068c358a 2110 *min_version = version = 0;
4fa52141 2111 hole = 1;
b5b993b2
MC		 2112 if (real_max != NULL)
2113 *real_max = 0;
2114 tmp_real_max = 0;
4fa52141
VD		 2115 for (vent = table; vent->version != 0; ++vent) {
2116 /*
2117 * A table entry with a NULL client method is still a hole in the
2118 * "version capability" vector.
2119 */
2120 if (vent->cmeth == NULL) {
2121 hole = 1;
b5b993b2 2122 tmp_real_max = 0;
4fa52141
VD		 2123 continue;
2124 }
2125 method = vent->cmeth();
b5b993b2
MC		 2126
2127 if (hole == 1 && tmp_real_max == 0)
2128 tmp_real_max = vent->version;
2129
4fa52141
VD		 2130 if (ssl_method_error(s, method) != 0) {
2131 hole = 1;
2132 } else if (!hole) {
2133 single = NULL;
068c358a 2134 *min_version = method->version;
4fa52141 2135 } else {
b5b993b2
MC		 2136 if (real_max != NULL && tmp_real_max != 0)
2137 *real_max = tmp_real_max;
4fa52141 2138 version = (single = method)->version;
068c358a 2139 *min_version = version;
4fa52141
VD		 2140 hole = 0;
2141 }
2142 }
2143
068c358a
KR		 2144 *max_version = version;
2145
4fa52141
VD		 2146 /* Fail if everything is disabled */
2147 if (version == 0)
2148 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2149
068c358a
KR		 2150 return 0;
2151}
2152
2153/*
2154 * ssl_set_client_hello_version - Work out what version we should be using for
7acb8b64 2155 * the initial ClientHello.legacy_version field.
068c358a
KR		 2156 *
2157 * @s: client SSL handle.
2158 *
2159 * Returns 0 on success or an SSL error reason number on failure.
2160 */
38b051a1 2161int ssl_set_client_hello_version(SSL_CONNECTION *s)
068c358a 2162{
3eb2aff4 2163 int ver_min, ver_max, ret;
068c358a 2164
447cc0ad
MC		 2165 /*
2166 * In a renegotiation we always send the same client_version that we sent
2167 * last time, regardless of which version we eventually negotiated.
2168 */
2169 if (!SSL_IS_FIRST_HANDSHAKE(s))
2170 return 0;
2171
b5b993b2 2172 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
068c358a
KR		 2173
2174 if (ret != 0)
2175 return ret;
2176
7acb8b64
MC		 2177 s->version = ver_max;
2178
2179 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
38b051a1 2180 if (!SSL_CONNECTION_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
7acb8b64
MC		 2181 ver_max = TLS1_2_VERSION;
2182
2183 s->client_version = ver_max;
4fa52141
VD		 2184 return 0;
2185}
aff9929b
MC		 2186
2187/*
2188 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2189 * and |checkallow| is 1 then additionally check if the group is allowed to be
2190 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2191 * 1) or 0 otherwise.
2192 */
38b051a1 2193int check_in_list(SSL_CONNECTION *s, uint16_t group_id, const uint16_t *groups,
aff9929b
MC		 2194 size_t num_groups, int checkallow)
2195{
2196 size_t i;
2197
2198 if (groups == NULL || num_groups == 0)
2199 return 0;
2200
0a10825a
BE		 2201 if (checkallow == 1)
2202 group_id = ssl_group_id_tls13_to_internal(group_id);
2203
9e84a42d
DSH		 2204 for (i = 0; i < num_groups; i++) {
2205 uint16_t group = groups[i];
2206
0a10825a
BE		 2207 if (checkallow == 2)
2208 group = ssl_group_id_tls13_to_internal(group);
2209
9e84a42d 2210 if (group_id == group
aff9929b 2211 && (!checkallow
dbc6268f 2212 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
0acee504 2213 return 1;
aff9929b
MC		 2214 }
2215 }
2216
0acee504 2217 return 0;
aff9929b 2218}
11c67eea
MC		 2219
2220/* Replace ClientHello1 in the transcript hash with a synthetic message */
38b051a1
TM		 2221int create_synthetic_message_hash(SSL_CONNECTION *s,
2222 const unsigned char *hashval,
43054d3d
MC		 2223 size_t hashlen, const unsigned char *hrr,
2224 size_t hrrlen)
11c67eea 2225{
43054d3d 2226 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
635b7d3f
MC		 2227 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2228
2229 memset(msghdr, 0, sizeof(msghdr));
11c67eea 2230
43054d3d
MC		 2231 if (hashval == NULL) {
2232 hashval = hashvaltmp;
2233 hashlen = 0;
2234 /* Get the hash of the initial ClientHello */
2235 if (!ssl3_digest_cached_records(s, 0)
2236 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2237 &hashlen)) {
2238 /* SSLfatal() already called */
2239 return 0;
2240 }
11c67eea
MC		 2241 }
2242
2243 /* Reinitialise the transcript hash */
f63a17d6
MC		 2244 if (!ssl3_init_finished_mac(s)) {
2245 /* SSLfatal() already called */
11c67eea 2246 return 0;
f63a17d6 2247 }
11c67eea
MC		 2248
2249 /* Inject the synthetic message_hash message */
635b7d3f 2250 msghdr[0] = SSL3_MT_MESSAGE_HASH;
3a63c0ed 2251 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
11c67eea
MC		 2252 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2253 || !ssl3_finish_mac(s, hashval, hashlen)) {
f63a17d6 2254 /* SSLfatal() already called */
11c67eea
MC		 2255 return 0;
2256 }
2257
43054d3d
MC		 2258 /*
2259 * Now re-inject the HRR and current message if appropriate (we just deleted
2260 * it when we reinitialised the transcript hash above). Only necessary after
2261 * receiving a ClientHello2 with a cookie.
2262 */
2263 if (hrr != NULL
2264 && (!ssl3_finish_mac(s, hrr, hrrlen)
2265 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
555cbb32 2266 s->s3.tmp.message_size
43054d3d
MC		 2267 + SSL3_HM_HEADER_LENGTH))) {
2268 /* SSLfatal() already called */
2269 return 0;
2270 }
2271
11c67eea
MC		 2272 return 1;
2273}
5d6cca05
DSH		 2274
2275static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2276{
2277 return X509_NAME_cmp(*a, *b);
2278}
2279
38b051a1 2280int parse_ca_names(SSL_CONNECTION *s, PACKET *pkt)
5d6cca05
DSH		 2281{
2282 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2283 X509_NAME *xn = NULL;
2284 PACKET cadns;
2285
2286 if (ca_sk == NULL) {
c48ffbcc 2287 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 2288 goto err;
5d6cca05
DSH		 2289 }
2290 /* get the CA RDNs */
2291 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
c48ffbcc 2292 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 2293 goto err;
5d6cca05
DSH		 2294 }
2295
2296 while (PACKET_remaining(&cadns)) {
2297 const unsigned char *namestart, *namebytes;
2298 unsigned int name_len;
2299
2300 if (!PACKET_get_net_2(&cadns, &name_len)
2301 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
c48ffbcc 2302 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 2303 goto err;
5d6cca05
DSH		 2304 }
2305
2306 namestart = namebytes;
2307 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
c48ffbcc 2308 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
f63a17d6 2309 goto err;
5d6cca05
DSH		 2310 }
2311 if (namebytes != (namestart + name_len)) {
c48ffbcc 2312 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
f63a17d6 2313 goto err;
5d6cca05
DSH		 2314 }
2315
2316 if (!sk_X509_NAME_push(ca_sk, xn)) {
c48ffbcc 2317 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
5d6cca05
DSH		 2318 goto err;
2319 }
2320 xn = NULL;
2321 }
2322
555cbb32
TS		 2323 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2324 s->s3.tmp.peer_ca_names = ca_sk;
5d6cca05
DSH		 2325
2326 return 1;
2327
5d6cca05
DSH		 2328 err:
2329 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2330 X509_NAME_free(xn);
2331 return 0;
2332}
2333
38b051a1 2334const STACK_OF(X509_NAME) *get_ca_names(SSL_CONNECTION *s)
5d6cca05 2335{
1e331727 2336 const STACK_OF(X509_NAME) *ca_sk = NULL;
38b051a1 2337 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
5d6cca05 2338
98732979 2339 if (s->server) {
38b051a1 2340 ca_sk = SSL_get_client_CA_list(ssl);
98732979
MC		 2341 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2342 ca_sk = NULL;
2343 }
2344
2345 if (ca_sk == NULL)
38b051a1 2346 ca_sk = SSL_get0_CA_list(ssl);
98732979
MC		 2347
2348 return ca_sk;
2349}
2350
38b051a1
TM		 2351int construct_ca_names(SSL_CONNECTION *s, const STACK_OF(X509_NAME) *ca_sk,
2352 WPACKET *pkt)
98732979 2353{
5d6cca05 2354 /* Start sub-packet for client CA list */
f63a17d6 2355 if (!WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 2356 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5d6cca05 2357 return 0;
f63a17d6 2358 }
5d6cca05 2359
90fc2c26 2360 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
5d6cca05
DSH		 2361 int i;
2362
2363 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2364 unsigned char *namebytes;
2365 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2366 int namelen;
2367
2368 if (name == NULL
2369 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2370 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2371 &namebytes)
2372 || i2d_X509_NAME(name, &namebytes) != namelen) {
c48ffbcc 2373 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5d6cca05
DSH		 2374 return 0;
2375 }
2376 }
2377 }
2378
f63a17d6 2379 if (!WPACKET_close(pkt)) {
c48ffbcc 2380 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5d6cca05 2381 return 0;
f63a17d6 2382 }
5d6cca05
DSH		 2383
2384 return 1;
2385}
72ceb6a6
DSH		 2386
2387/* Create a buffer containing data to be signed for server key exchange */
38b051a1 2388size_t construct_key_exchange_tbs(SSL_CONNECTION *s, unsigned char **ptbs,
72ceb6a6
DSH		 2389 const void *param, size_t paramlen)
2390{
2391 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2392 unsigned char *tbs = OPENSSL_malloc(tbslen);
2393
f63a17d6 2394 if (tbs == NULL) {
c48ffbcc 2395 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
72ceb6a6 2396 return 0;
f63a17d6 2397 }
555cbb32
TS		 2398 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2399 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
72ceb6a6
DSH		 2400
2401 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2402
2403 *ptbs = tbs;
2404 return tbslen;
2405}
9d75dce3
TS		 2406
2407/*
2408 * Saves the current handshake digest for Post-Handshake Auth,
2409 * Done after ClientFinished is processed, done exactly once
2410 */
38b051a1 2411int tls13_save_handshake_digest_for_pha(SSL_CONNECTION *s)
9d75dce3
TS		 2412{
2413 if (s->pha_dgst == NULL) {
2414 if (!ssl3_digest_cached_records(s, 1))
2415 /* SSLfatal() already called */
2416 return 0;
2417
2418 s->pha_dgst = EVP_MD_CTX_new();
2419 if (s->pha_dgst == NULL) {
c48ffbcc 2420 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 2421 return 0;
2422 }
2423 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
555cbb32 2424 s->s3.handshake_dgst)) {
c48ffbcc 2425 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
963eb12d 2426 EVP_MD_CTX_free(s->pha_dgst);
2427 s->pha_dgst = NULL;
9d75dce3
TS		 2428 return 0;
2429 }
2430 }
2431 return 1;
2432}
2433
2434/*
2435 * Restores the Post-Handshake Auth handshake digest
2436 * Done just before sending/processing the Cert Request
2437 */
38b051a1 2438int tls13_restore_handshake_digest_for_pha(SSL_CONNECTION *s)
9d75dce3
TS		 2439{
2440 if (s->pha_dgst == NULL) {
c48ffbcc 2441 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 2442 return 0;
2443 }
555cbb32 2444 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
9d75dce3 2445 s->pha_dgst)) {
c48ffbcc 2446 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 2447 return 0;
2448 }
2449 return 1;
2450}
A mirror of the official openssl repository