]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/statem_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
OSSL_STORE: Make sure the called OSSL_DECODER knows what to expect
[thirdparty/openssl.git] / ssl / statem / statem_lib.c
CommitLineData
846e33c7 1/*
33388b44 2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
aa8f3d76 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
3813046d 4 *
2c18d164 5 * Licensed under the Apache License 2.0 (the "License"). You may not use
846e33c7
RS		 6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
3813046d 9 */
846e33c7 10
48948d53 11#include <limits.h>
f2d9a32c 12#include <string.h>
d02b48c6 13#include <stdio.h>
706457b7
DMSP		 14#include "../ssl_local.h"
15#include "statem_local.h"
67dc995e 16#include "internal/cryptlib.h"
c2041da8 17#include "internal/evp.h"
ec577822 18#include <openssl/buffer.h>
ec577822
BM		 19#include <openssl/objects.h>
20#include <openssl/evp.h>
21#include <openssl/x509.h>
49b26f54 22#include <openssl/trace.h>
d02b48c6 23
c6d38183
RS		 24/*
25 * Map error codes to TLS/SSL alart types.
26 */
27typedef struct x509err2alert_st {
28 int x509err;
29 int alert;
30} X509ERR2ALERT;
31
597c51bc
MC		 32/* Fixed value used in the ServerHello random field to identify an HRR */
33const unsigned char hrrrandom[] = {
34 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37};
38
0f113f3e
MC		 39/*
40 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41 * SSL3_RT_CHANGE_CIPHER_SPEC)
42 */
e7ecc7d4 43int ssl3_do_write(SSL *s, int type)
0f113f3e
MC		 44{
45 int ret;
7ee8627f 46 size_t written = 0;
0f113f3e
MC		 47
48 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
7ee8627f 49 s->init_num, &written);
0f113f3e 50 if (ret < 0)
26a7d938 51 return -1;
0f113f3e
MC		 52 if (type == SSL3_RT_HANDSHAKE)
53 /*
54 * should not be done for 'Hello Request's, but in that case we'll
55 * ignore the result anyway
9d75dce3 56 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
0f113f3e 57 */
9d75dce3
TS		 58 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
59 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
60 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
61 if (!ssl3_finish_mac(s,
62 (unsigned char *)&s->init_buf->data[s->init_off],
63 written))
64 return -1;
7ee8627f 65 if (written == s->init_num) {
0f113f3e
MC		 66 if (s->msg_callback)
67 s->msg_callback(1, s->version, type, s->init_buf->data,
68 (size_t)(s->init_off + s->init_num), s,
69 s->msg_callback_arg);
208fb891 70 return 1;
0f113f3e 71 }
7ee8627f
MC		 72 s->init_off += written;
73 s->init_num -= written;
26a7d938 74 return 0;
0f113f3e 75}
e7ecc7d4 76
4a01c59f 77int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
2c7b4dbc
MC		 78{
79 size_t msglen;
80
4a01c59f 81 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
f1ec23c0 82 || !WPACKET_get_length(pkt, &msglen)
7cea05dc 83 || msglen > INT_MAX)
2c7b4dbc
MC		 84 return 0;
85 s->init_num = (int)msglen;
86 s->init_off = 0;
87
88 return 1;
89}
90
1f5b44e9
MC		 91int tls_setup_handshake(SSL *s)
92{
8e32ea63
MC		 93 int ver_min, ver_max, ok;
94
f63a17d6
MC		 95 if (!ssl3_init_finished_mac(s)) {
96 /* SSLfatal() already called */
c7f47786 97 return 0;
f63a17d6 98 }
c7f47786 99
b186a592
MC		 100 /* Reset any extension flags */
101 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
102
8e32ea63 103 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
467dc325
BK		 104 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_TLS_SETUP_HANDSHAKE,
105 SSL_R_NO_PROTOCOLS_AVAILABLE);
8e32ea63
MC		 106 return 0;
107 }
108
109 /* Sanity check that we have MD5-SHA1 if we need it */
110 if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
111 int md5sha1_needed = 0;
112
113 /* We don't have MD5-SHA1 - do we need it? */
114 if (SSL_IS_DTLS(s)) {
115 if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
116 md5sha1_needed = 1;
117 } else {
118 if (ver_max <= TLS1_1_VERSION)
119 md5sha1_needed = 1;
120 }
121 if (md5sha1_needed) {
122 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
123 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM);
124 ERR_add_error_data(1, "The max supported SSL/TLS version needs the"
125 " MD5-SHA1 digest but it is not available"
126 " in the loaded providers. Use (D)TLSv1.2 or"
127 " above, or load different providers");
128 return 0;
129 }
130
131 ok = 1;
132 /* Don't allow TLSv1.1 or below to be negotiated */
133 if (SSL_IS_DTLS(s)) {
134 if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
135 ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION);
136 } else {
137 if (ver_min < TLS1_2_VERSION)
138 ok = SSL_set_min_proto_version(s, TLS1_2_VERSION);
139 }
140 if (!ok) {
141 /* Shouldn't happen */
142 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
143 ERR_R_INTERNAL_ERROR);
144 return 0;
145 }
146 }
147
148 ok = 0;
c7f47786 149 if (s->server) {
38a73150 150 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
8e32ea63 151 int i;
38a73150
MC		 152
153 /*
154 * Sanity check that the maximum version we accept has ciphers
155 * enabled. For clients we do this check during construction of the
156 * ClientHello.
157 */
38a73150
MC		 158 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
159 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
160
161 if (SSL_IS_DTLS(s)) {
162 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
163 DTLS_VERSION_LE(ver_max, c->max_dtls))
164 ok = 1;
165 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
166 ok = 1;
167 }
168 if (ok)
169 break;
170 }
171 if (!ok) {
4752c5de
MC		 172 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
173 SSL_R_NO_CIPHERS_AVAILABLE);
38a73150
MC		 174 ERR_add_error_data(1, "No ciphers enabled for max supported "
175 "SSL/TLS version");
38a73150
MC		 176 return 0;
177 }
c7f47786 178 if (SSL_IS_FIRST_HANDSHAKE(s)) {
0e6161bc 179 /* N.B. s->session_ctx == s->ctx here */
9ef9088c 180 tsan_counter(&s->session_ctx->stats.sess_accept);
c7f47786 181 } else {
0e6161bc 182 /* N.B. s->ctx may not equal s->session_ctx */
9ef9088c 183 tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
c7f47786 184
555cbb32 185 s->s3.tmp.cert_request = 0;
c7f47786
MC		 186 }
187 } else {
188 if (SSL_IS_FIRST_HANDSHAKE(s))
9ef9088c 189 tsan_counter(&s->session_ctx->stats.sess_connect);
c7f47786 190 else
9ef9088c 191 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
c7f47786
MC		 192
193 /* mark client_random uninitialized */
555cbb32 194 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
c7f47786
MC		 195 s->hit = 0;
196
555cbb32 197 s->s3.tmp.cert_req = 0;
c7f47786 198
1f5b44e9 199 if (SSL_IS_DTLS(s))
c7f47786 200 s->statem.use_timer = 1;
c7f47786
MC		 201 }
202
203 return 1;
204}
205
2c5dfdc3
MC		 206/*
207 * Size of the to-be-signed TLS13 data, without the hash size itself:
208 * 64 bytes of value 32, 33 context bytes, 1 byte separator
209 */
210#define TLS13_TBS_START_SIZE 64
211#define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
212
213static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
214 void **hdata, size_t *hdatalen)
215{
48102247 216#ifdef CHARSET_EBCDIC
99435164 217 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
48102247 218 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
219 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
220 0x69, 0x66, 0x79, 0x00 };
99435164 221 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
48102247 222 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
223 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
224 0x69, 0x66, 0x79, 0x00 };
225#else
99435164
AV		 226 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
227 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
48102247 228#endif
2c5dfdc3
MC		 229 if (SSL_IS_TLS13(s)) {
230 size_t hashlen;
231
232 /* Set the first 64 bytes of to-be-signed data to octet 32 */
233 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
234 /* This copies the 33 bytes of context plus the 0 separator byte */
235 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
236 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
237 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
238 else
239 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
240
241 /*
242 * If we're currently reading then we need to use the saved handshake
243 * hash value. We can't use the current handshake hash state because
244 * that includes the CertVerify itself.
245 */
246 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
247 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
248 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
249 s->cert_verify_hash_len);
250 hashlen = s->cert_verify_hash_len;
251 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
252 EVP_MAX_MD_SIZE, &hashlen)) {
f63a17d6 253 /* SSLfatal() already called */
2c5dfdc3
MC		 254 return 0;
255 }
256
257 *hdata = tls13tbs;
258 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
259 } else {
260 size_t retlen;
60690b5b 261 long retlen_l;
2c5dfdc3 262
555cbb32 263 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
60690b5b 264 if (retlen_l <= 0) {
f63a17d6
MC		 265 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
266 ERR_R_INTERNAL_ERROR);
2c5dfdc3 267 return 0;
f63a17d6 268 }
2c5dfdc3
MC		 269 *hdatalen = retlen;
270 }
271
272 return 1;
273}
274
d8bc1399
MC		 275int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
276{
ad4dd362
DSH		 277 EVP_PKEY *pkey = NULL;
278 const EVP_MD *md = NULL;
d8bc1399 279 EVP_MD_CTX *mctx = NULL;
5f9b64a2
MC		 280 EVP_PKEY_CTX *pctx = NULL;
281 size_t hdatalen = 0, siglen = 0;
d8bc1399
MC		 282 void *hdata;
283 unsigned char *sig = NULL;
2c5dfdc3 284 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
555cbb32 285 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
2c5dfdc3 286
555cbb32 287 if (lu == NULL || s->s3.tmp.cert == NULL) {
d4d2f3a4
MC		 288 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
289 ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 290 goto err;
291 }
555cbb32 292 pkey = s->s3.tmp.cert->privatekey;
ad4dd362 293
c8f6c28a 294 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
d4d2f3a4
MC		 295 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
296 ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 297 goto err;
298 }
d8bc1399
MC		 299
300 mctx = EVP_MD_CTX_new();
301 if (mctx == NULL) {
d4d2f3a4
MC		 302 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
303 ERR_R_MALLOC_FAILURE);
d8bc1399
MC		 304 goto err;
305 }
d8bc1399 306
2c5dfdc3
MC		 307 /* Get the data to be signed */
308 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6 309 /* SSLfatal() already called */
d8bc1399
MC		 310 goto err;
311 }
312
ad4dd362 313 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
d4d2f3a4
MC		 314 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
315 ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 316 goto err;
317 }
5f9b64a2 318
d8652be0
MC		 319 if (EVP_DigestSignInit_ex(mctx, &pctx, md == NULL ? NULL : EVP_MD_name(md),
320 s->ctx->libctx, s->ctx->propq, pkey) <= 0) {
d4d2f3a4
MC		 321 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
322 ERR_R_EVP_LIB);
5f9b64a2
MC		 323 goto err;
324 }
325
ad4dd362 326 if (lu->sig == EVP_PKEY_RSA_PSS) {
5f9b64a2 327 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 328 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
329 RSA_PSS_SALTLEN_DIGEST) <= 0) {
d4d2f3a4
MC		 330 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
331 ERR_R_EVP_LIB);
5f9b64a2
MC		 332 goto err;
333 }
caf2b6b5
DSH		 334 }
335 if (s->version == SSL3_VERSION) {
bddbfae1
MC		 336 /*
337 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
338 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
339 */
caf2b6b5 340 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
83b4a243
SL		 341 /*
342 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
343 * with a call to ssl3_digest_master_key_set_params()
344 */
345 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
346 (int)s->session->master_key_length,
347 s->session->master_key) <= 0
bddbfae1 348 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
caf2b6b5 349
d4d2f3a4
MC		 350 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
351 ERR_R_EVP_LIB);
5f9b64a2
MC		 352 goto err;
353 }
bddbfae1
MC		 354 sig = OPENSSL_malloc(siglen);
355 if (sig == NULL
356 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
357 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
358 ERR_R_EVP_LIB);
359 goto err;
360 }
361 } else {
362 /*
363 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
364 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
365 */
366 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
367 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
368 ERR_R_EVP_LIB);
369 goto err;
370 }
371 sig = OPENSSL_malloc(siglen);
372 if (sig == NULL
373 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
374 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
375 ERR_R_EVP_LIB);
376 goto err;
377 }
d8bc1399 378 }
5f9b64a2 379
d8bc1399
MC		 380#ifndef OPENSSL_NO_GOST
381 {
ad4dd362
DSH		 382 int pktype = lu->sig;
383
d8bc1399
MC		 384 if (pktype == NID_id_GostR3410_2001
385 || pktype == NID_id_GostR3410_2012_256
386 || pktype == NID_id_GostR3410_2012_512)
5f9b64a2 387 BUF_reverse(sig, NULL, siglen);
d8bc1399
MC		 388 }
389#endif
390
5f9b64a2 391 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
d4d2f3a4
MC		 392 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
393 ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 394 goto err;
395 }
396
397 /* Digest cached records and discard handshake buffer */
d4d2f3a4
MC		 398 if (!ssl3_digest_cached_records(s, 0)) {
399 /* SSLfatal() already called */
d8bc1399 400 goto err;
d4d2f3a4 401 }
d8bc1399
MC		 402
403 OPENSSL_free(sig);
404 EVP_MD_CTX_free(mctx);
405 return 1;
406 err:
407 OPENSSL_free(sig);
408 EVP_MD_CTX_free(mctx);
d8bc1399
MC		 409 return 0;
410}
411
412MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
413{
414 EVP_PKEY *pkey = NULL;
703bcee0 415 const unsigned char *data;
d8bc1399
MC		 416#ifndef OPENSSL_NO_GOST
417 unsigned char *gost_data = NULL;
418#endif
eb5fd03b 419 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
dd24857b 420 int j;
d8bc1399
MC		 421 unsigned int len;
422 X509 *peer;
423 const EVP_MD *md = NULL;
2c5dfdc3 424 size_t hdatalen = 0;
d8bc1399 425 void *hdata;
2c5dfdc3 426 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
d8bc1399 427 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
5f9b64a2 428 EVP_PKEY_CTX *pctx = NULL;
d8bc1399
MC		 429
430 if (mctx == NULL) {
f63a17d6
MC		 431 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
432 ERR_R_MALLOC_FAILURE);
433 goto err;
d8bc1399
MC		 434 }
435
436 peer = s->session->peer;
437 pkey = X509_get0_pubkey(peer);
f63a17d6
MC		 438 if (pkey == NULL) {
439 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
440 ERR_R_INTERNAL_ERROR);
441 goto err;
442 }
83b4049a 443
dd24857b 444 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
f63a17d6
MC		 445 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
446 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
447 goto err;
d8bc1399
MC		 448 }
449
f464f9c0 450 if (SSL_USE_SIGALGS(s)) {
f464f9c0
PD		 451 unsigned int sigalg;
452
453 if (!PACKET_get_net_2(pkt, &sigalg)) {
f63a17d6
MC		 454 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
455 SSL_R_BAD_PACKET);
456 goto err;
f464f9c0 457 }
f63a17d6
MC		 458 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
459 /* SSLfatal() already called */
460 goto err;
f464f9c0 461 }
f464f9c0 462 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
f63a17d6
MC		 463 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
464 ERR_R_INTERNAL_ERROR);
465 goto err;
f464f9c0
PD		 466 }
467
c8f6c28a 468 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
f63a17d6
MC		 469 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
470 ERR_R_INTERNAL_ERROR);
471 goto err;
168067b6 472 }
f464f9c0 473
572fa024 474 if (SSL_USE_SIGALGS(s))
49b26f54
RL		 475 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
476 md == NULL ? "n/a" : EVP_MD_name(md));
572fa024 477
d8bc1399
MC		 478 /* Check for broken implementations of GOST ciphersuites */
479 /*
f464f9c0
PD		 480 * If key is GOST and len is exactly 64 or 128, it is signature without
481 * length field (CryptoPro implementations at least till TLS 1.2)
d8bc1399
MC		 482 */
483#ifndef OPENSSL_NO_GOST
f464f9c0
PD		 484 if (!SSL_USE_SIGALGS(s)
485 && ((PACKET_remaining(pkt) == 64
486 && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
487 || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
488 || (PACKET_remaining(pkt) == 128
489 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
490 len = PACKET_remaining(pkt);
d8bc1399
MC		 491 } else
492#endif
f464f9c0 493 if (!PACKET_get_net_2(pkt, &len)) {
f63a17d6
MC		 494 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
495 SSL_R_LENGTH_MISMATCH);
496 goto err;
d8bc1399 497 }
f464f9c0 498
d8bc1399 499 if (!PACKET_get_bytes(pkt, &data, len)) {
f63a17d6
MC		 500 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
501 SSL_R_LENGTH_MISMATCH);
502 goto err;
d8bc1399
MC		 503 }
504
2c5dfdc3 505 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6
MC		 506 /* SSLfatal() already called */
507 goto err;
d8bc1399
MC		 508 }
509
49b26f54
RL		 510 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
511 md == NULL ? "n/a" : EVP_MD_name(md));
512
d8652be0
MC		 513 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
514 md == NULL ? NULL : EVP_MD_name(md),
515 s->ctx->libctx, s->ctx->propq, pkey) <= 0) {
f63a17d6
MC		 516 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
517 ERR_R_EVP_LIB);
518 goto err;
d8bc1399
MC		 519 }
520#ifndef OPENSSL_NO_GOST
521 {
dc8da7b1 522 int pktype = EVP_PKEY_id(pkey);
d8bc1399
MC		 523 if (pktype == NID_id_GostR3410_2001
524 || pktype == NID_id_GostR3410_2012_256
525 || pktype == NID_id_GostR3410_2012_512) {
526 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
f63a17d6
MC		 527 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
528 SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
529 goto err;
d8bc1399
MC		 530 }
531 BUF_reverse(gost_data, data, len);
532 data = gost_data;
533 }
534 }
535#endif
536
5554facb 537 if (SSL_USE_PSS(s)) {
5f9b64a2 538 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 539 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
540 RSA_PSS_SALTLEN_DIGEST) <= 0) {
f63a17d6
MC		 541 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
542 ERR_R_EVP_LIB);
543 goto err;
5f9b64a2 544 }
d8bc1399 545 }
caf2b6b5 546 if (s->version == SSL3_VERSION) {
83b4a243
SL		 547 /*
548 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
549 * with a call to ssl3_digest_master_key_set_params()
550 */
caf2b6b5 551 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
83b4a243
SL		 552 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
553 (int)s->session->master_key_length,
554 s->session->master_key) <= 0) {
f63a17d6
MC		 555 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
556 ERR_R_EVP_LIB);
557 goto err;
caf2b6b5
DSH		 558 }
559 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
f63a17d6
MC		 560 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
561 SSL_R_BAD_SIGNATURE);
562 goto err;
caf2b6b5
DSH		 563 }
564 } else {
565 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
25ffeb11 566 if (j <= 0) {
f63a17d6
MC		 567 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
568 SSL_R_BAD_SIGNATURE);
569 goto err;
caf2b6b5 570 }
d8bc1399
MC		 571 }
572
e4562014
MC		 573 /*
574 * In TLSv1.3 on the client side we make sure we prepare the client
575 * certificate after the CertVerify instead of when we get the
576 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
577 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
8c2bfd25 578 * want to make sure that SSL_get1_peer_certificate() will return the actual
e4562014
MC		 579 * server certificate from the client_cert_cb callback.
580 */
555cbb32 581 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
e4562014
MC		 582 ret = MSG_PROCESS_CONTINUE_PROCESSING;
583 else
584 ret = MSG_PROCESS_CONTINUE_READING;
f63a17d6 585 err:
555cbb32
TS		 586 BIO_free(s->s3.handshake_buffer);
587 s->s3.handshake_buffer = NULL;
d8bc1399
MC		 588 EVP_MD_CTX_free(mctx);
589#ifndef OPENSSL_NO_GOST
590 OPENSSL_free(gost_data);
591#endif
592 return ret;
593}
594
229185e6 595int tls_construct_finished(SSL *s, WPACKET *pkt)
0f113f3e 596{
12472b45 597 size_t finish_md_len;
229185e6 598 const char *sender;
8b0e934a 599 size_t slen;
229185e6 600
f7e393be 601 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 602 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
f7e393be
MC		 603 s->statem.cleanuphand = 1;
604
605 /*
606 * We only change the keys if we didn't already do this when we sent the
607 * client certificate
608 */
609 if (SSL_IS_TLS13(s)
610 && !s->server
555cbb32 611 && s->s3.tmp.cert_req == 0
f7e393be 612 && (!s->method->ssl3_enc->change_cipher_state(s,
d4d2f3a4
MC		 613 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
614 /* SSLfatal() already called */
b43c3765 615 return 0;
f7e393be
MC		 616 }
617
229185e6
MC		 618 if (s->server) {
619 sender = s->method->ssl3_enc->server_finished_label;
620 slen = s->method->ssl3_enc->server_finished_label_len;
621 } else {
622 sender = s->method->ssl3_enc->client_finished_label;
623 slen = s->method->ssl3_enc->client_finished_label_len;
624 }
0f113f3e 625
12472b45
MC		 626 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
627 sender, slen,
555cbb32 628 s->s3.tmp.finish_md);
12472b45 629 if (finish_md_len == 0) {
d4d2f3a4
MC		 630 /* SSLfatal() already called */
631 return 0;
4f89bfbf
MC		 632 }
633
555cbb32 634 s->s3.tmp.finish_md_len = finish_md_len;
4f89bfbf 635
555cbb32 636 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
d4d2f3a4
MC		 637 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
638 ERR_R_INTERNAL_ERROR);
639 return 0;
4f89bfbf 640 }
0f113f3e 641
2c7bd692
CB		 642 /*
643 * Log the master secret, if logging is enabled. We don't log it for
644 * TLSv1.3: there's a different key schedule for that.
645 */
646 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
647 s->session->master_key,
380a522f 648 s->session->master_key_length)) {
d4d2f3a4
MC		 649 /* SSLfatal() already called */
650 return 0;
380a522f 651 }
2faa1b48 652
b9908bf9
MC		 653 /*
654 * Copy the finished so we can use it for renegotiation checks
655 */
380a522f 656 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
d4d2f3a4
MC		 657 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
658 ERR_R_INTERNAL_ERROR);
659 return 0;
380a522f 660 }
23a635c0 661 if (!s->server) {
555cbb32 662 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
12472b45 663 finish_md_len);
555cbb32 664 s->s3.previous_client_finished_len = finish_md_len;
b9908bf9 665 } else {
555cbb32 666 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
12472b45 667 finish_md_len);
555cbb32 668 s->s3.previous_server_finished_len = finish_md_len;
b9908bf9 669 }
0f113f3e 670
b9908bf9 671 return 1;
0f113f3e 672}
d02b48c6 673
44c04a2e
MC		 674int tls_construct_key_update(SSL *s, WPACKET *pkt)
675{
676 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
d4d2f3a4
MC		 677 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
678 ERR_R_INTERNAL_ERROR);
679 return 0;
44c04a2e
MC		 680 }
681
9412b3ad 682 s->key_update = SSL_KEY_UPDATE_NONE;
44c04a2e 683 return 1;
44c04a2e
MC		 684}
685
e1c3de44
MC		 686MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
687{
688 unsigned int updatetype;
689
524420d8
MC		 690 /*
691 * A KeyUpdate message signals a key change so the end of the message must
692 * be on a record boundary.
693 */
694 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
f63a17d6
MC		 695 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
696 SSL_R_NOT_ON_RECORD_BOUNDARY);
697 return MSG_PROCESS_ERROR;
524420d8
MC		 698 }
699
e1c3de44 700 if (!PACKET_get_1(pkt, &updatetype)
2d871227 701 || PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 702 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
703 SSL_R_BAD_KEY_UPDATE);
704 return MSG_PROCESS_ERROR;
e1c3de44
MC		 705 }
706
9010b7bc
MC		 707 /*
708 * There are only two defined key update types. Fail if we get a value we
709 * didn't recognise.
710 */
2d871227
MC		 711 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
712 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
f63a17d6
MC		 713 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
714 SSL_R_BAD_KEY_UPDATE);
715 return MSG_PROCESS_ERROR;
2d871227
MC		 716 }
717
5bf47933
MC		 718 /*
719 * If we get a request for us to update our sending keys too then, we need
720 * to additionally send a KeyUpdate message. However that message should
feb9e31c 721 * not also request an update (otherwise we get into an infinite loop).
5bf47933 722 */
feb9e31c 723 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
5bf47933
MC		 724 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
725
57389a32 726 if (!tls13_update_key(s, 0)) {
f63a17d6
MC		 727 /* SSLfatal() already called */
728 return MSG_PROCESS_ERROR;
57389a32
MC		 729 }
730
e1c3de44
MC		 731 return MSG_PROCESS_FINISHED_READING;
732}
733
0f113f3e
MC		 734/*
735 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
736 * to far.
737 */
5d671101 738int ssl3_take_mac(SSL *s)
0f113f3e
MC		 739{
740 const char *sender;
8b0e934a 741 size_t slen;
5d671101 742
49ae7423 743 if (!s->server) {
0f113f3e
MC		 744 sender = s->method->ssl3_enc->server_finished_label;
745 slen = s->method->ssl3_enc->server_finished_label_len;
746 } else {
747 sender = s->method->ssl3_enc->client_finished_label;
748 slen = s->method->ssl3_enc->client_finished_label_len;
749 }
750
555cbb32 751 s->s3.tmp.peer_finish_md_len =
5d671101 752 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
555cbb32 753 s->s3.tmp.peer_finish_md);
5d671101 754
555cbb32 755 if (s->s3.tmp.peer_finish_md_len == 0) {
5d671101
MC		 756 /* SSLfatal() already called */
757 return 0;
758 }
759
760 return 1;
0f113f3e 761}
ee2ffc27 762
be3583fa 763MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
b9908bf9 764{
348240c6 765 size_t remain;
4fa52141 766
73999b62 767 remain = PACKET_remaining(pkt);
657da85e
MC		 768 /*
769 * 'Change Cipher Spec' is just a single byte, which should already have
c69f2adf
MC		 770 * been consumed by ssl_get_message() so there should be no bytes left,
771 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
657da85e 772 */
c69f2adf 773 if (SSL_IS_DTLS(s)) {
73999b62 774 if ((s->version == DTLS1_BAD_VER
a230b26e
EK		 775 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
776 || (s->version != DTLS1_BAD_VER
777 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
f63a17d6
MC		 778 SSLfatal(s, SSL_AD_DECODE_ERROR,
779 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
780 SSL_R_BAD_CHANGE_CIPHER_SPEC);
781 return MSG_PROCESS_ERROR;
c69f2adf
MC		 782 }
783 } else {
73999b62 784 if (remain != 0) {
f63a17d6
MC		 785 SSLfatal(s, SSL_AD_DECODE_ERROR,
786 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
787 SSL_R_BAD_CHANGE_CIPHER_SPEC);
788 return MSG_PROCESS_ERROR;
c69f2adf 789 }
657da85e
MC		 790 }
791
792 /* Check we have a cipher to change to */
555cbb32 793 if (s->s3.tmp.new_cipher == NULL) {
f63a17d6
MC		 794 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
795 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
796 return MSG_PROCESS_ERROR;
657da85e
MC		 797 }
798
555cbb32 799 s->s3.change_cipher_spec = 1;
657da85e 800 if (!ssl3_do_change_cipher_spec(s)) {
f63a17d6
MC		 801 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
802 ERR_R_INTERNAL_ERROR);
803 return MSG_PROCESS_ERROR;
657da85e
MC		 804 }
805
c69f2adf
MC		 806 if (SSL_IS_DTLS(s)) {
807 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
808
809 if (s->version == DTLS1_BAD_VER)
810 s->d1->handshake_read_seq++;
811
812#ifndef OPENSSL_NO_SCTP
813 /*
814 * Remember that a CCS has been received, so that an old key of
815 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
816 * SCTP is used
817 */
818 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
819#endif
820 }
821
b9908bf9 822 return MSG_PROCESS_CONTINUE_READING;
657da85e
MC		 823}
824
be3583fa 825MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
b9908bf9 826{
12472b45 827 size_t md_len;
b9908bf9 828
d781d247
MC		 829
830 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 831 if (s->server) {
de9e884b
MC		 832 /*
833 * To get this far we must have read encrypted data from the client. We
834 * no longer tolerate unencrypted alerts. This value is ignored if less
835 * than TLSv1.3
836 */
837 s->statem.enc_read_state = ENC_READ_STATE_VALID;
9d75dce3
TS		 838 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
839 s->statem.cleanuphand = 1;
840 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
841 /* SSLfatal() already called */
842 return MSG_PROCESS_ERROR;
843 }
844 }
d781d247 845
524420d8
MC		 846 /*
847 * In TLSv1.3 a Finished message signals a key change so the end of the
848 * message must be on a record boundary.
849 */
850 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
f63a17d6
MC		 851 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
852 SSL_R_NOT_ON_RECORD_BOUNDARY);
853 return MSG_PROCESS_ERROR;
524420d8
MC		 854 }
855
0f113f3e 856 /* If this occurs, we have missed a message */
555cbb32 857 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
f63a17d6
MC		 858 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
859 SSL_R_GOT_A_FIN_BEFORE_A_CCS);
860 return MSG_PROCESS_ERROR;
0f113f3e 861 }
555cbb32 862 s->s3.change_cipher_spec = 0;
0f113f3e 863
555cbb32 864 md_len = s->s3.tmp.peer_finish_md_len;
0f113f3e 865
12472b45 866 if (md_len != PACKET_remaining(pkt)) {
f63a17d6
MC		 867 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
868 SSL_R_BAD_DIGEST_LENGTH);
869 return MSG_PROCESS_ERROR;
0f113f3e
MC		 870 }
871
555cbb32 872 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
12472b45 873 md_len) != 0) {
f63a17d6
MC		 874 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
875 SSL_R_DIGEST_CHECK_FAILED);
876 return MSG_PROCESS_ERROR;
0f113f3e
MC		 877 }
878
879 /*
880 * Copy the finished so we can use it for renegotiation checks
881 */
380a522f 882 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
f63a17d6
MC		 883 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
884 ERR_R_INTERNAL_ERROR);
885 return MSG_PROCESS_ERROR;
380a522f 886 }
23a635c0 887 if (s->server) {
555cbb32 888 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
12472b45 889 md_len);
555cbb32 890 s->s3.previous_client_finished_len = md_len;
0f113f3e 891 } else {
555cbb32 892 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
12472b45 893 md_len);
555cbb32 894 s->s3.previous_server_finished_len = md_len;
0f113f3e
MC		 895 }
896
7776a36c
MC		 897 /*
898 * In TLS1.3 we also have to change cipher state and do any final processing
899 * of the initial server flight (if we are a client)
900 */
92760c21
MC		 901 if (SSL_IS_TLS13(s)) {
902 if (s->server) {
9d75dce3
TS		 903 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
904 !s->method->ssl3_enc->change_cipher_state(s,
92760c21 905 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
f63a17d6
MC		 906 /* SSLfatal() already called */
907 return MSG_PROCESS_ERROR;
92760c21
MC		 908 }
909 } else {
d74014c4
BK		 910 /* TLS 1.3 gets the secret size from the handshake md */
911 size_t dummy;
92760c21 912 if (!s->method->ssl3_enc->generate_master_secret(s,
ec15acb6 913 s->master_secret, s->handshake_secret, 0,
d74014c4 914 &dummy)) {
f63a17d6
MC		 915 /* SSLfatal() already called */
916 return MSG_PROCESS_ERROR;
92760c21
MC		 917 }
918 if (!s->method->ssl3_enc->change_cipher_state(s,
919 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
f63a17d6
MC		 920 /* SSLfatal() already called */
921 return MSG_PROCESS_ERROR;
922 }
923 if (!tls_process_initial_server_flight(s)) {
924 /* SSLfatal() already called */
925 return MSG_PROCESS_ERROR;
92760c21
MC		 926 }
927 }
928 }
929
e6575156 930 return MSG_PROCESS_FINISHED_READING;
0f113f3e 931}
d02b48c6 932
7cea05dc 933int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
b9908bf9 934{
7cea05dc 935 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
d4d2f3a4
MC		 936 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
937 SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
85a7a5e6
MC		 938 return 0;
939 }
b9908bf9 940
b9908bf9
MC		 941 return 1;
942}
943
e96e0f8e 944/* Add a certificate to the WPACKET */
f63a17d6 945static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
0f113f3e 946{
e96e0f8e
MC		 947 int len;
948 unsigned char *outbytes;
949
950 len = i2d_X509(x, NULL);
951 if (len < 0) {
f63a17d6
MC		 952 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
953 ERR_R_BUF_LIB);
e96e0f8e
MC		 954 return 0;
955 }
956 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
957 || i2d_X509(x, &outbytes) != len) {
f63a17d6
MC		 958 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
959 ERR_R_INTERNAL_ERROR);
e96e0f8e
MC		 960 return 0;
961 }
962
963 if (SSL_IS_TLS13(s)
fe874d27 964 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
f63a17d6
MC		 965 chain)) {
966 /* SSLfatal() already called */
e96e0f8e 967 return 0;
f63a17d6 968 }
e96e0f8e
MC		 969
970 return 1;
971}
972
973/* Add certificate chain to provided WPACKET */
f63a17d6 974static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
e96e0f8e
MC		 975{
976 int i, chain_count;
977 X509 *x;
978 STACK_OF(X509) *extra_certs;
979 STACK_OF(X509) *chain = NULL;
980 X509_STORE *chain_store;
e96e0f8e
MC		 981
982 if (cpk == NULL || cpk->x509 == NULL)
983 return 1;
984
985 x = cpk->x509;
986
987 /*
988 * If we have a certificate specific chain use it, else use parent ctx.
989 */
d805a57b 990 if (cpk->chain != NULL)
e96e0f8e
MC		 991 extra_certs = cpk->chain;
992 else
993 extra_certs = s->ctx->extra_certs;
994
995 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
996 chain_store = NULL;
997 else if (s->cert->chain_store)
998 chain_store = s->cert->chain_store;
999 else
1000 chain_store = s->ctx->cert_store;
1001
d805a57b 1002 if (chain_store != NULL) {
d8652be0
MC		 1003 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx,
1004 s->ctx->propq);
e96e0f8e
MC		 1005
1006 if (xs_ctx == NULL) {
f63a17d6
MC		 1007 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
1008 ERR_R_MALLOC_FAILURE);
1009 return 0;
e96e0f8e
MC		 1010 }
1011 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
1012 X509_STORE_CTX_free(xs_ctx);
f63a17d6
MC		 1013 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
1014 ERR_R_X509_LIB);
1015 return 0;
e96e0f8e
MC		 1016 }
1017 /*
1018 * It is valid for the chain not to be complete (because normally we
1019 * don't include the root cert in the chain). Therefore we deliberately
1020 * ignore the error return from this call. We're not actually verifying
1021 * the cert - we're just building as much of the chain as we can
1022 */
1023 (void)X509_verify_cert(xs_ctx);
1024 /* Don't leave errors in the queue */
1025 ERR_clear_error();
1026 chain = X509_STORE_CTX_get0_chain(xs_ctx);
1027 i = ssl_security_cert_chain(s, chain, NULL, 0);
1028 if (i != 1) {
1029#if 0
1030 /* Dummy error calls so mkerr generates them */
1031 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
1032 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
1033 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
1034#endif
1035 X509_STORE_CTX_free(xs_ctx);
f63a17d6
MC		 1036 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
1037 return 0;
e96e0f8e
MC		 1038 }
1039 chain_count = sk_X509_num(chain);
1040 for (i = 0; i < chain_count; i++) {
1041 x = sk_X509_value(chain, i);
1042
f63a17d6
MC		 1043 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
1044 /* SSLfatal() already called */
e96e0f8e 1045 X509_STORE_CTX_free(xs_ctx);
f63a17d6 1046 return 0;
e96e0f8e
MC		 1047 }
1048 }
1049 X509_STORE_CTX_free(xs_ctx);
1050 } else {
1051 i = ssl_security_cert_chain(s, extra_certs, x, 0);
1052 if (i != 1) {
f63a17d6
MC		 1053 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
1054 return 0;
1055 }
1056 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1057 /* SSLfatal() already called */
1058 return 0;
e96e0f8e 1059 }
e96e0f8e
MC		 1060 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1061 x = sk_X509_value(extra_certs, i);
f63a17d6
MC		 1062 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1063 /* SSLfatal() already called */
1064 return 0;
1065 }
e96e0f8e
MC		 1066 }
1067 }
1068 return 1;
e96e0f8e
MC		 1069}
1070
f63a17d6 1071unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
e96e0f8e 1072{
f63a17d6
MC		 1073 if (!WPACKET_start_sub_packet_u24(pkt)) {
1074 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1075 ERR_R_INTERNAL_ERROR);
1076 return 0;
1077 }
e96e0f8e 1078
f63a17d6
MC		 1079 if (!ssl_add_cert_chain(s, pkt, cpk))
1080 return 0;
1081
1082 if (!WPACKET_close(pkt)) {
1083 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1084 ERR_R_INTERNAL_ERROR);
7cea05dc 1085 return 0;
77d514c5 1086 }
f63a17d6 1087
c49e1912 1088 return 1;
0f113f3e
MC		 1089}
1090
30f05b19
MC		 1091/*
1092 * Tidy up after the end of a handshake. In the case of SCTP this may result
1093 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1094 * freed up as well.
1095 */
2a8db717 1096WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
8723588e
MC		 1097{
1098 void (*cb) (const SSL *ssl, int type, int val) = NULL;
4af5836b 1099 int cleanuphand = s->statem.cleanuphand;
8723588e 1100
30f05b19 1101 if (clearbufs) {
e7c27a6c
N		 1102 if (!SSL_IS_DTLS(s)
1103#ifndef OPENSSL_NO_SCTP
30f05b19 1104 /*
e7c27a6c
N		 1105 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1106 * messages that require it. Therefore, DTLS procedures for retransmissions
1107 * MUST NOT be used.
1108 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1109 */
1110 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1111#endif
1112 ) {
1113 /*
1114 * We don't do this in DTLS over UDP because we may still need the init_buf
30f05b19
MC		 1115 * in case there are any unexpected retransmits
1116 */
1117 BUF_MEM_free(s->init_buf);
1118 s->init_buf = NULL;
1119 }
e7c27a6c 1120
a2c2e000
MC		 1121 if (!ssl_free_wbio_buffer(s)) {
1122 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
1123 ERR_R_INTERNAL_ERROR);
b77f3ed1 1124 return WORK_ERROR;
a2c2e000 1125 }
30f05b19 1126 s->init_num = 0;
473483d4 1127 }
8723588e 1128
9d75dce3
TS		 1129 if (SSL_IS_TLS13(s) && !s->server
1130 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1131 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1132
c2c1d8a4
MC		 1133 /*
1134 * Only set if there was a Finished message and this isn't after a TLSv1.3
1135 * post handshake exchange
1136 */
4af5836b 1137 if (cleanuphand) {
8723588e
MC		 1138 /* skipped if we just sent a HelloRequest */
1139 s->renegotiate = 0;
1140 s->new_session = 0;
c7f47786 1141 s->statem.cleanuphand = 0;
c0638ade 1142 s->ext.ticket_expected = 0;
8723588e 1143
30f05b19
MC		 1144 ssl3_cleanup_key_block(s);
1145
8723588e 1146 if (s->server) {
16ff1342
MC		 1147 /*
1148 * In TLSv1.3 we update the cache as part of constructing the
1149 * NewSessionTicket
1150 */
1151 if (!SSL_IS_TLS13(s))
1152 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
8723588e 1153
0e6161bc 1154 /* N.B. s->ctx may not equal s->session_ctx */
9ef9088c 1155 tsan_counter(&s->ctx->stats.sess_accept_good);
fe3a3291 1156 s->handshake_func = ossl_statem_accept;
8723588e 1157 } else {
4cb00457
MC		 1158 if (SSL_IS_TLS13(s)) {
1159 /*
1160 * We encourage applications to only use TLSv1.3 tickets once,
1161 * so we remove this one from the cache.
1162 */
1163 if ((s->session_ctx->session_cache_mode
1164 & SSL_SESS_CACHE_CLIENT) != 0)
1165 SSL_CTX_remove_session(s->session_ctx, s->session);
1166 } else {
1167 /*
1168 * In TLSv1.3 we update the cache as part of processing the
1169 * NewSessionTicket
1170 */
5d61491c 1171 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
4cb00457 1172 }
8723588e 1173 if (s->hit)
9ef9088c 1174 tsan_counter(&s->session_ctx->stats.sess_hit);
8723588e 1175
fe3a3291 1176 s->handshake_func = ossl_statem_connect;
9ef9088c 1177 tsan_counter(&s->session_ctx->stats.sess_connect_good);
8723588e
MC		 1178 }
1179
8723588e
MC		 1180 if (SSL_IS_DTLS(s)) {
1181 /* done with handshaking */
1182 s->d1->handshake_read_seq = 0;
1183 s->d1->handshake_write_seq = 0;
1184 s->d1->next_handshake_write_seq = 0;
f5c7f5df 1185 dtls1_clear_received_buffer(s);
8723588e
MC		 1186 }
1187 }
1188
c2c1d8a4
MC		 1189 if (s->info_callback != NULL)
1190 cb = s->info_callback;
1191 else if (s->ctx->info_callback != NULL)
1192 cb = s->ctx->info_callback;
1193
4ce787b9
MC		 1194 /* The callback may expect us to not be in init at handshake done */
1195 ossl_statem_set_in_init(s, 0);
1196
4af5836b
MC		 1197 if (cb != NULL) {
1198 if (cleanuphand
1199 || !SSL_IS_TLS13(s)
1200 || SSL_IS_FIRST_HANDSHAKE(s))
1201 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1202 }
c2c1d8a4 1203
4ce787b9
MC		 1204 if (!stop) {
1205 /* If we've got more work to do we go back into init */
1206 ossl_statem_set_in_init(s, 1);
30f05b19 1207 return WORK_FINISHED_CONTINUE;
4ce787b9 1208 }
30f05b19 1209
8723588e
MC		 1210 return WORK_FINISHED_STOP;
1211}
1212
9ab930b2
MC		 1213int tls_get_message_header(SSL *s, int *mt)
1214{
1215 /* s->init_num < SSL3_HM_HEADER_LENGTH */
d4d2f3a4 1216 int skip_message, i, recvd_type;
9ab930b2 1217 unsigned char *p;
54105ddd 1218 size_t l, readbytes;
9ab930b2
MC		 1219
1220 p = (unsigned char *)s->init_buf->data;
1221
1222 do {
1223 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1224 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
a230b26e
EK		 1225 &p[s->init_num],
1226 SSL3_HM_HEADER_LENGTH - s->init_num,
54105ddd 1227 0, &readbytes);
9ab930b2
MC		 1228 if (i <= 0) {
1229 s->rwstate = SSL_READING;
1230 return 0;
32ec4153 1231 }
9ab930b2 1232 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1257adec 1233 /*
a230b26e
EK		 1234 * A ChangeCipherSpec must be a single byte and may not occur
1235 * in the middle of a handshake message.
1236 */
54105ddd 1237 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
d4d2f3a4
MC		 1238 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1239 SSL_F_TLS_GET_MESSAGE_HEADER,
1240 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1241 return 0;
1257adec 1242 }
e9359719 1243 if (s->statem.hand_state == TLS_ST_BEFORE
555cbb32 1244 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
e9359719
MC		 1245 /*
1246 * We are stateless and we received a CCS. Probably this is
1247 * from a client between the first and second ClientHellos.
1248 * We should ignore this, but return an error because we do
1249 * not return success until we see the second ClientHello
1250 * with a valid cookie.
1251 */
1252 return 0;
1253 }
555cbb32 1254 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
54105ddd 1255 s->init_num = readbytes - 1;
c4377574 1256 s->init_msg = s->init_buf->data;
555cbb32 1257 s->s3.tmp.message_size = readbytes;
9ab930b2
MC		 1258 return 1;
1259 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
d4d2f3a4
MC		 1260 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1261 SSL_F_TLS_GET_MESSAGE_HEADER,
1262 SSL_R_CCS_RECEIVED_EARLY);
1263 return 0;
32ec4153 1264 }
54105ddd 1265 s->init_num += readbytes;
9ab930b2
MC		 1266 }
1267
1268 skip_message = 0;
1269 if (!s->server)
c7f47786
MC		 1270 if (s->statem.hand_state != TLS_ST_OK
1271 && p[0] == SSL3_MT_HELLO_REQUEST)
9ab930b2
MC		 1272 /*
1273 * The server may always send 'Hello Request' messages --
1274 * we are doing a handshake anyway now, so ignore them if
1275 * their format is correct. Does not count for 'Finished'
1276 * MAC.
1277 */
1278 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1279 s->init_num = 0;
1280 skip_message = 1;
1281
1282 if (s->msg_callback)
1283 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1284 p, SSL3_HM_HEADER_LENGTH, s,
1285 s->msg_callback_arg);
1286 }
1287 } while (skip_message);
1288 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1289
1290 *mt = *p;
555cbb32 1291 s->s3.tmp.message_type = *(p++);
32ec4153 1292
e8aa8b6c 1293 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
9ab930b2
MC		 1294 /*
1295 * Only happens with SSLv3+ in an SSLv2 backward compatible
1296 * ClientHello
e8aa8b6c
F		 1297 *
1298 * Total message size is the remaining record bytes to read
1299 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
9ab930b2 1300 */
9ab930b2
MC		 1301 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1302 + SSL3_HM_HEADER_LENGTH;
555cbb32 1303 s->s3.tmp.message_size = l;
9ab930b2
MC		 1304
1305 s->init_msg = s->init_buf->data;
1306 s->init_num = SSL3_HM_HEADER_LENGTH;
1307 } else {
1308 n2l3(p, l);
1309 /* BUF_MEM_grow takes an 'int' parameter */
1310 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
d4d2f3a4
MC		 1311 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
1312 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1313 return 0;
32ec4153 1314 }
555cbb32 1315 s->s3.tmp.message_size = l;
9ab930b2
MC		 1316
1317 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1318 s->init_num = 0;
1319 }
1320
1321 return 1;
9ab930b2
MC		 1322}
1323
eda75751 1324int tls_get_message_body(SSL *s, size_t *len)
9ab930b2 1325{
54105ddd 1326 size_t n, readbytes;
9ab930b2
MC		 1327 unsigned char *p;
1328 int i;
1329
555cbb32 1330 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
9ab930b2
MC		 1331 /* We've already read everything in */
1332 *len = (unsigned long)s->init_num;
1333 return 1;
0f113f3e
MC		 1334 }
1335
0f113f3e 1336 p = s->init_msg;
555cbb32 1337 n = s->s3.tmp.message_size - s->init_num;
0f113f3e 1338 while (n > 0) {
657da85e 1339 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
54105ddd 1340 &p[s->init_num], n, 0, &readbytes);
0f113f3e
MC		 1341 if (i <= 0) {
1342 s->rwstate = SSL_READING;
9ab930b2
MC		 1343 *len = 0;
1344 return 0;
0f113f3e 1345 }
54105ddd
MC		 1346 s->init_num += readbytes;
1347 n -= readbytes;
0f113f3e 1348 }
ee2ffc27 1349
0f113f3e
MC		 1350 /*
1351 * If receiving Finished, record MAC of prior handshake messages for
1352 * Finished verification.
1353 */
5d671101
MC		 1354 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1355 /* SSLfatal() already called */
1356 *len = 0;
1357 return 0;
1358 }
ee2ffc27 1359
0f113f3e 1360 /* Feed this message into MAC computation. */
e8aa8b6c 1361 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
d166ed8c
DSH		 1362 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1363 s->init_num)) {
d4d2f3a4 1364 /* SSLfatal() already called */
d166ed8c
DSH		 1365 *len = 0;
1366 return 0;
1367 }
32ec4153 1368 if (s->msg_callback)
a230b26e 1369 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
32ec4153
MC		 1370 (size_t)s->init_num, s, s->msg_callback_arg);
1371 } else {
11c67eea
MC		 1372 /*
1373 * We defer feeding in the HRR until later. We'll do it as part of
1374 * processing the message
9d75dce3
TS		 1375 * The TLsv1.3 handshake transcript stops at the ClientFinished
1376 * message.
11c67eea 1377 */
597c51bc 1378#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
9d75dce3 1379 /* KeyUpdate and NewSessionTicket do not need to be added */
555cbb32
TS		 1380 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1381 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1382 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
9d75dce3
TS		 1383 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1384 || memcmp(hrrrandom,
1385 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1386 SSL3_RANDOM_SIZE) != 0) {
1387 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1388 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1389 /* SSLfatal() already called */
1390 *len = 0;
1391 return 0;
1392 }
597c51bc 1393 }
d166ed8c 1394 }
32ec4153
MC		 1395 if (s->msg_callback)
1396 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1397 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1398 s->msg_callback_arg);
1399 }
1400
eda75751 1401 *len = s->init_num;
9ab930b2 1402 return 1;
0f113f3e 1403}
d02b48c6 1404
c6d38183
RS		 1405static const X509ERR2ALERT x509table[] = {
1406 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1407 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
cccf532f 1408 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
c6d38183
RS		 1409 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1410 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1411 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1412 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1413 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1414 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1415 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1416 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1417 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1418 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1419 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1420 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1421 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1422 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1423 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1424 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1425 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1426 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1427 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1428 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1429 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1430 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1431 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1432 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1433 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1434 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1435 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1436 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1437 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1438 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1439 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1440 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1441 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1442 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1443 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1444 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1445 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1446
1447 /* Last entry; return this if we don't find the value above. */
1448 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1449};
1450
1451int ssl_x509err2alert(int x509err)
0f113f3e 1452{
c6d38183
RS		 1453 const X509ERR2ALERT *tp;
1454
1455 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1456 if (tp->x509err == x509err)
1457 break;
1458 return tp->alert;
0f113f3e 1459}
d02b48c6 1460
b362ccab 1461int ssl_allow_compression(SSL *s)
0f113f3e
MC		 1462{
1463 if (s->options & SSL_OP_NO_COMPRESSION)
1464 return 0;
1465 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1466}
4fa52141 1467
068c358a 1468static int version_cmp(const SSL *s, int a, int b)
4fa52141
VD		 1469{
1470 int dtls = SSL_IS_DTLS(s);
1471
1472 if (a == b)
1473 return 0;
1474 if (!dtls)
1475 return a < b ? -1 : 1;
1476 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1477}
1478
1479typedef struct {
1480 int version;
a230b26e
EK		 1481 const SSL_METHOD *(*cmeth) (void);
1482 const SSL_METHOD *(*smeth) (void);
4fa52141
VD		 1483} version_info;
1484
5c587fb6 1485#if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
582a17d6 1486# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
4fa52141
VD		 1487#endif
1488
f7f2a01d 1489/* Must be in order high to low */
4fa52141 1490static const version_info tls_version_table[] = {
582a17d6
MC		 1491#ifndef OPENSSL_NO_TLS1_3
1492 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1493#else
1494 {TLS1_3_VERSION, NULL, NULL},
1495#endif
6b01bed2 1496#ifndef OPENSSL_NO_TLS1_2
a230b26e 1497 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
6b01bed2 1498#else
a230b26e 1499 {TLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1500#endif
1501#ifndef OPENSSL_NO_TLS1_1
a230b26e 1502 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
6b01bed2 1503#else
a230b26e 1504 {TLS1_1_VERSION, NULL, NULL},
6b01bed2
VD		 1505#endif
1506#ifndef OPENSSL_NO_TLS1
a230b26e 1507 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
6b01bed2 1508#else
a230b26e 1509 {TLS1_VERSION, NULL, NULL},
6b01bed2 1510#endif
4fa52141 1511#ifndef OPENSSL_NO_SSL3
a230b26e 1512 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
6b01bed2 1513#else
a230b26e 1514 {SSL3_VERSION, NULL, NULL},
4fa52141 1515#endif
a230b26e 1516 {0, NULL, NULL},
4fa52141
VD		 1517};
1518
5c587fb6 1519#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
4fa52141
VD		 1520# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1521#endif
1522
f7f2a01d 1523/* Must be in order high to low */
4fa52141 1524static const version_info dtls_version_table[] = {
6b01bed2 1525#ifndef OPENSSL_NO_DTLS1_2
a230b26e 1526 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
6b01bed2 1527#else
a230b26e 1528 {DTLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1529#endif
1530#ifndef OPENSSL_NO_DTLS1
a230b26e
EK		 1531 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1532 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
6b01bed2 1533#else
a230b26e
EK		 1534 {DTLS1_VERSION, NULL, NULL},
1535 {DTLS1_BAD_VER, NULL, NULL},
6b01bed2 1536#endif
a230b26e 1537 {0, NULL, NULL},
4fa52141
VD		 1538};
1539
1540/*
1541 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1542 *
1543 * @s: The SSL handle for the candidate method
1544 * @method: the intended method.
1545 *
1546 * Returns 0 on success, or an SSL error reason on failure.
1547 */
068c358a 1548static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
4fa52141
VD		 1549{
1550 int version = method->version;
1551
1552 if ((s->min_proto_version != 0 &&
1553 version_cmp(s, version, s->min_proto_version) < 0) ||
1554 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1555 return SSL_R_VERSION_TOO_LOW;
1556
1557 if (s->max_proto_version != 0 &&
a230b26e 1558 version_cmp(s, version, s->max_proto_version) > 0)
4fa52141
VD		 1559 return SSL_R_VERSION_TOO_HIGH;
1560
1561 if ((s->options & method->mask) != 0)
1562 return SSL_R_UNSUPPORTED_PROTOCOL;
1563 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1564 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
4fa52141
VD		 1565
1566 return 0;
1567}
1568
baa45c3e
MC		 1569/*
1570 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
cd3b53b8
MC		 1571 * certificate type, or has PSK or a certificate callback configured. Otherwise
1572 * returns 0.
baa45c3e
MC		 1573 */
1574static int is_tls13_capable(const SSL *s)
1575{
65d2c16c
MC		 1576 int i;
1577#ifndef OPENSSL_NO_EC
1578 int curve;
65d2c16c 1579#endif
baa45c3e 1580
d162340d
MC		 1581#ifndef OPENSSL_NO_PSK
1582 if (s->psk_server_callback != NULL)
1583 return 1;
1584#endif
1585
cd3b53b8 1586 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
baa45c3e
MC		 1587 return 1;
1588
1589 for (i = 0; i < SSL_PKEY_NUM; i++) {
1590 /* Skip over certs disallowed for TLSv1.3 */
1591 switch (i) {
1592 case SSL_PKEY_DSA_SIGN:
1593 case SSL_PKEY_GOST01:
1594 case SSL_PKEY_GOST12_256:
1595 case SSL_PKEY_GOST12_512:
1596 continue;
1597 default:
1598 break;
1599 }
de4dc598
MC		 1600 if (!ssl_has_cert(s, i))
1601 continue;
65d2c16c 1602#ifndef OPENSSL_NO_EC
de4dc598
MC		 1603 if (i != SSL_PKEY_ECC)
1604 return 1;
1605 /*
1606 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1607 * more restrictive so check that our sig algs are consistent with this
1608 * EC cert. See section 4.2.3 of RFC8446.
1609 */
c2041da8
RL		 1610 curve = evp_pkey_get_EC_KEY_curve_nid(s->cert->pkeys[SSL_PKEY_ECC]
1611 .privatekey);
de4dc598 1612 if (tls_check_sigalg_curve(s, curve))
baa45c3e 1613 return 1;
65d2c16c
MC		 1614#else
1615 return 1;
1616#endif
baa45c3e
MC		 1617 }
1618
1619 return 0;
1620}
1621
ccae4a15
FI		 1622/*
1623 * ssl_version_supported - Check that the specified `version` is supported by
1624 * `SSL *` instance
1625 *
1626 * @s: The SSL handle for the candidate method
1627 * @version: Protocol version to test against
1628 *
1629 * Returns 1 when supported, otherwise 0
1630 */
4fd12788 1631int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
ccae4a15
FI		 1632{
1633 const version_info *vent;
1634 const version_info *table;
1635
1636 switch (s->method->version) {
1637 default:
1638 /* Version should match method version for non-ANY method */
1639 return version_cmp(s, version, s->version) == 0;
1640 case TLS_ANY_VERSION:
1641 table = tls_version_table;
1642 break;
1643 case DTLS_ANY_VERSION:
1644 table = dtls_version_table;
1645 break;
1646 }
1647
1648 for (vent = table;
1649 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1650 ++vent) {
baa45c3e
MC		 1651 if (vent->cmeth != NULL
1652 && version_cmp(s, version, vent->version) == 0
1653 && ssl_method_error(s, vent->cmeth()) == 0
1654 && (!s->server
1655 || version != TLS1_3_VERSION
1656 || is_tls13_capable(s))) {
4fd12788
MC		 1657 if (meth != NULL)
1658 *meth = vent->cmeth();
ccae4a15
FI		 1659 return 1;
1660 }
1661 }
1662 return 0;
1663}
1664
4fa52141
VD		 1665/*
1666 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1667 * fallback indication from a client check whether we're using the highest
1668 * supported protocol version.
1669 *
1670 * @s server SSL handle.
1671 *
1672 * Returns 1 when using the highest enabled version, 0 otherwise.
1673 */
1674int ssl_check_version_downgrade(SSL *s)
1675{
1676 const version_info *vent;
1677 const version_info *table;
1678
1679 /*
1680 * Check that the current protocol is the highest enabled version
1681 * (according to s->ctx->method, as version negotiation may have changed
1682 * s->method).
1683 */
1684 if (s->version == s->ctx->method->version)
1685 return 1;
1686
1687 /*
1688 * Apparently we're using a version-flexible SSL_METHOD (not at its
1689 * highest protocol version).
1690 */
1691 if (s->ctx->method->version == TLS_method()->version)
1692 table = tls_version_table;
1693 else if (s->ctx->method->version == DTLS_method()->version)
1694 table = dtls_version_table;
1695 else {
1696 /* Unexpected state; fail closed. */
1697 return 0;
1698 }
1699
1700 for (vent = table; vent->version != 0; ++vent) {
a230b26e 1701 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
4fa52141
VD		 1702 return s->version == vent->version;
1703 }
1704 return 0;
1705}
1706
1707/*
1708 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1709 * protocols, provided the initial (D)TLS method is version-flexible. This
1710 * function sanity-checks the proposed value and makes sure the method is
1711 * version-flexible, then sets the limit if all is well.
1712 *
1713 * @method_version: The version of the current SSL_METHOD.
1714 * @version: the intended limit.
1715 * @bound: pointer to limit to be updated.
1716 *
1717 * Returns 1 on success, 0 on failure.
1718 */
1719int ssl_set_version_bound(int method_version, int version, int *bound)
1720{
77174598
VD		 1721 int valid_tls;
1722 int valid_dtls;
1723
869e978c
KR		 1724 if (version == 0) {
1725 *bound = version;
1726 return 1;
1727 }
1728
77174598
VD		 1729 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1730 valid_dtls =
1731 DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1732 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1733
1734 if (!valid_tls && !valid_dtls)
1735 return 0;
1736
4fa52141
VD		 1737 /*-
1738 * Restrict TLS methods to TLS protocol versions.
1739 * Restrict DTLS methods to DTLS protocol versions.
1740 * Note, DTLS version numbers are decreasing, use comparison macros.
1741 *
1742 * Note that for both lower-bounds we use explicit versions, not
1743 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1744 * configurations. If the MIN (supported) version ever rises, the user's
1745 * "floor" remains valid even if no longer available. We don't expect the
1746 * MAX ceiling to ever get lower, so making that variable makes sense.
77174598
VD		 1747 *
1748 * We ignore attempts to set bounds on version-inflexible methods,
1749 * returning success.
4fa52141
VD		 1750 */
1751 switch (method_version) {
1752 default:
77174598 1753 break;
4fa52141
VD		 1754
1755 case TLS_ANY_VERSION:
77174598
VD		 1756 if (valid_tls)
1757 *bound = version;
4fa52141
VD		 1758 break;
1759
1760 case DTLS_ANY_VERSION:
77174598
VD		 1761 if (valid_dtls)
1762 *bound = version;
4fa52141
VD		 1763 break;
1764 }
4fa52141
VD		 1765 return 1;
1766}
1767
f7f2a01d
MC		 1768static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1769{
1770 if (vers == TLS1_2_VERSION
4fd12788 1771 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
f7f2a01d 1772 *dgrd = DOWNGRADE_TO_1_2;
5627f9f2
MC		 1773 } else if (!SSL_IS_DTLS(s)
1774 && vers < TLS1_2_VERSION
1775 /*
1776 * We need to ensure that a server that disables TLSv1.2
1777 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1778 * complete handshakes with clients that support TLSv1.2 and
1779 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1780 * enabled and TLSv1.2 is not.
1781 */
1782 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
f7f2a01d
MC		 1783 *dgrd = DOWNGRADE_TO_1_1;
1784 } else {
1785 *dgrd = DOWNGRADE_NONE;
1786 }
1787}
1788
4fa52141
VD		 1789/*
1790 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1791 * client HELLO is received to select the final server protocol version and
1792 * the version specific method.
1793 *
1794 * @s: server SSL handle.
1795 *
1796 * Returns 0 on success or an SSL error reason number on failure.
1797 */
f7f2a01d 1798int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
4fa52141
VD		 1799{
1800 /*-
1801 * With version-flexible methods we have an initial state with:
1802 *
1803 * s->method->version == (D)TLS_ANY_VERSION,
5c587fb6 1804 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
4fa52141
VD		 1805 *
1806 * So we detect version-flexible methods via the method version, not the
1807 * handle version.
1808 */
1809 int server_version = s->method->version;
df7ce507 1810 int client_version = hello->legacy_version;
4fa52141
VD		 1811 const version_info *vent;
1812 const version_info *table;
1813 int disabled = 0;
cd998837 1814 RAW_EXTENSION *suppversions;
4fa52141 1815
1ab3836b
MC		 1816 s->client_version = client_version;
1817
4fa52141
VD		 1818 switch (server_version) {
1819 default:
7d061fce
MC		 1820 if (!SSL_IS_TLS13(s)) {
1821 if (version_cmp(s, client_version, s->version) < 0)
1822 return SSL_R_WRONG_SSL_VERSION;
f7f2a01d 1823 *dgrd = DOWNGRADE_NONE;
7d061fce
MC		 1824 /*
1825 * If this SSL handle is not from a version flexible method we don't
1826 * (and never did) check min/max FIPS or Suite B constraints. Hope
1827 * that's OK. It is up to the caller to not choose fixed protocol
1828 * versions they don't want. If not, then easy to fix, just return
1829 * ssl_method_error(s, s->method)
1830 */
1831 return 0;
1832 }
d2f42576 1833 /*
7d061fce
MC		 1834 * Fall through if we are TLSv1.3 already (this means we must be after
1835 * a HelloRetryRequest
4fa52141 1836 */
018fcbec 1837 /* fall thru */
4fa52141
VD		 1838 case TLS_ANY_VERSION:
1839 table = tls_version_table;
1840 break;
1841 case DTLS_ANY_VERSION:
1842 table = dtls_version_table;
1843 break;
1844 }
1845
70af3d8e 1846 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
cd998837 1847
6f40214f 1848 /* If we did an HRR then supported versions is mandatory */
fc7129dc 1849 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
6f40214f
MC		 1850 return SSL_R_UNSUPPORTED_PROTOCOL;
1851
70af3d8e 1852 if (suppversions->present && !SSL_IS_DTLS(s)) {
cd998837
MC		 1853 unsigned int candidate_vers = 0;
1854 unsigned int best_vers = 0;
1855 const SSL_METHOD *best_method = NULL;
1856 PACKET versionslist;
1857
6b473aca
MC		 1858 suppversions->parsed = 1;
1859
16bce0e0 1860 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
cd998837
MC		 1861 /* Trailing or invalid data? */
1862 return SSL_R_LENGTH_MISMATCH;
1863 }
1864
d8434cf8
MC		 1865 /*
1866 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1867 * The spec only requires servers to check that it isn't SSLv3:
1868 * "Any endpoint receiving a Hello message with
1869 * ClientHello.legacy_version or ServerHello.legacy_version set to
1870 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1871 * We are slightly stricter and require that it isn't SSLv3 or lower.
1872 * We tolerate TLSv1 and TLSv1.1.
1873 */
1874 if (client_version <= SSL3_VERSION)
1875 return SSL_R_BAD_LEGACY_VERSION;
1876
cd998837 1877 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
cd998837
MC		 1878 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1879 continue;
4fd12788
MC		 1880 if (ssl_version_supported(s, candidate_vers, &best_method))
1881 best_vers = candidate_vers;
cd998837
MC		 1882 }
1883 if (PACKET_remaining(&versionslist) != 0) {
1884 /* Trailing data? */
1885 return SSL_R_LENGTH_MISMATCH;
1886 }
1887
1888 if (best_vers > 0) {
fc7129dc 1889 if (s->hello_retry_request != SSL_HRR_NONE) {
7d061fce 1890 /*
6f40214f
MC		 1891 * This is after a HelloRetryRequest so we better check that we
1892 * negotiated TLSv1.3
7d061fce
MC		 1893 */
1894 if (best_vers != TLS1_3_VERSION)
1895 return SSL_R_UNSUPPORTED_PROTOCOL;
1896 return 0;
1897 }
f7f2a01d 1898 check_for_downgrade(s, best_vers, dgrd);
cd998837
MC		 1899 s->version = best_vers;
1900 s->method = best_method;
1901 return 0;
1902 }
1903 return SSL_R_UNSUPPORTED_PROTOCOL;
1904 }
1905
1906 /*
1907 * If the supported versions extension isn't present, then the highest
1908 * version we can negotiate is TLSv1.2
1909 */
1910 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1911 client_version = TLS1_2_VERSION;
1912
1913 /*
1914 * No supported versions extension, so we just use the version supplied in
1915 * the ClientHello.
1916 */
4fa52141
VD		 1917 for (vent = table; vent->version != 0; ++vent) {
1918 const SSL_METHOD *method;
1919
1920 if (vent->smeth == NULL ||
1921 version_cmp(s, client_version, vent->version) < 0)
1922 continue;
1923 method = vent->smeth();
1924 if (ssl_method_error(s, method) == 0) {
f7f2a01d 1925 check_for_downgrade(s, vent->version, dgrd);
4fa52141
VD		 1926 s->version = vent->version;
1927 s->method = method;
1928 return 0;
1929 }
1930 disabled = 1;
1931 }
1932 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1933}
1934
1935/*
1936 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1937 * server HELLO is received to select the final client protocol version and
1938 * the version specific method.
1939 *
1940 * @s: client SSL handle.
1941 * @version: The proposed version from the server's HELLO.
88050dd1 1942 * @extensions: The extensions received
4fa52141 1943 *
29bfd5b7 1944 * Returns 1 on success or 0 on error.
4fa52141 1945 */
88050dd1 1946int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
4fa52141
VD		 1947{
1948 const version_info *vent;
1949 const version_info *table;
b5b993b2 1950 int ret, ver_min, ver_max, real_max, origv;
4fa52141 1951
88050dd1
MC		 1952 origv = s->version;
1953 s->version = version;
b97667ce 1954
88050dd1
MC		 1955 /* This will overwrite s->version if the extension is present */
1956 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1957 SSL_EXT_TLS1_2_SERVER_HELLO
1958 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1959 NULL, 0)) {
1960 s->version = origv;
1961 return 0;
1962 }
1963
fc7129dc
MC		 1964 if (s->hello_retry_request != SSL_HRR_NONE
1965 && s->version != TLS1_3_VERSION) {
88050dd1 1966 s->version = origv;
29bfd5b7
MC		 1967 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1968 SSL_R_WRONG_SSL_VERSION);
1969 return 0;
c3043dcd
MC		 1970 }
1971
4fa52141
VD		 1972 switch (s->method->version) {
1973 default:
88050dd1
MC		 1974 if (s->version != s->method->version) {
1975 s->version = origv;
29bfd5b7
MC		 1976 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1977 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1978 SSL_R_WRONG_SSL_VERSION);
1979 return 0;
c3043dcd 1980 }
4fa52141
VD		 1981 /*
1982 * If this SSL handle is not from a version flexible method we don't
1983 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1984 * that's OK. It is up to the caller to not choose fixed protocol
1985 * versions they don't want. If not, then easy to fix, just return
1986 * ssl_method_error(s, s->method)
1987 */
29bfd5b7 1988 return 1;
4fa52141
VD		 1989 case TLS_ANY_VERSION:
1990 table = tls_version_table;
1991 break;
1992 case DTLS_ANY_VERSION:
1993 table = dtls_version_table;
1994 break;
1995 }
1996
b5b993b2
MC		 1997 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1998 if (ret != 0) {
1999 s->version = origv;
2000 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
2001 SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
2002 return 0;
2003 }
2004 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
2005 : s->version < ver_min) {
2006 s->version = origv;
2007 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
2008 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2009 return 0;
2010 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
2011 : s->version > ver_max) {
2012 s->version = origv;
2013 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
2014 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2015 return 0;
2016 }
5df22060 2017
b5b993b2
MC		 2018 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
2019 real_max = ver_max;
c3043dcd 2020
b5b993b2
MC		 2021 /* Check for downgrades */
2022 if (s->version == TLS1_2_VERSION && real_max > s->version) {
2023 if (memcmp(tls12downgrade,
555cbb32 2024 s->s3.server_random + SSL3_RANDOM_SIZE
b5b993b2
MC		 2025 - sizeof(tls12downgrade),
2026 sizeof(tls12downgrade)) == 0) {
2027 s->version = origv;
2028 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
2029 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2030 SSL_R_INAPPROPRIATE_FALLBACK);
2031 return 0;
2032 }
2033 } else if (!SSL_IS_DTLS(s)
2034 && s->version < TLS1_2_VERSION
2035 && real_max > s->version) {
2036 if (memcmp(tls11downgrade,
555cbb32 2037 s->s3.server_random + SSL3_RANDOM_SIZE
b5b993b2
MC		 2038 - sizeof(tls11downgrade),
2039 sizeof(tls11downgrade)) == 0) {
2040 s->version = origv;
2041 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
2042 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2043 SSL_R_INAPPROPRIATE_FALLBACK);
2044 return 0;
c3043dcd 2045 }
b5b993b2 2046 }
c3043dcd 2047
b5b993b2
MC		 2048 for (vent = table; vent->version != 0; ++vent) {
2049 if (vent->cmeth == NULL || s->version != vent->version)
c3043dcd
MC		 2050 continue;
2051
b5b993b2 2052 s->method = vent->cmeth();
29bfd5b7 2053 return 1;
4fa52141
VD		 2054 }
2055
88050dd1 2056 s->version = origv;
29bfd5b7
MC		 2057 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2058 SSL_R_UNSUPPORTED_PROTOCOL);
2059 return 0;
4fa52141
VD		 2060}
2061
068c358a 2062/*
38a73150 2063 * ssl_get_min_max_version - get minimum and maximum protocol version
068c358a
KR		 2064 * @s: The SSL connection
2065 * @min_version: The minimum supported version
2066 * @max_version: The maximum supported version
b5b993b2
MC		 2067 * @real_max: The highest version below the lowest compile time version hole
2068 * where that hole lies above at least one run-time enabled
2069 * protocol.
068c358a
KR		 2070 *
2071 * Work out what version we should be using for the initial ClientHello if the
2072 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2073 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
b53338cb 2074 * constraints and any floor imposed by the security level here,
068c358a 2075 * so we don't advertise the wrong protocol version to only reject the outcome later.
4fa52141 2076 *
0485d540 2077 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
4fa52141
VD		 2078 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2079 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2080 *
068c358a
KR		 2081 * Returns 0 on success or an SSL error reason number on failure. On failure
2082 * min_version and max_version will also be set to 0.
4fa52141 2083 */
b5b993b2
MC		 2084int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2085 int *real_max)
4fa52141 2086{
b5b993b2 2087 int version, tmp_real_max;
4fa52141
VD		 2088 int hole;
2089 const SSL_METHOD *single = NULL;
2090 const SSL_METHOD *method;
2091 const version_info *table;
2092 const version_info *vent;
2093
2094 switch (s->method->version) {
2095 default:
2096 /*
2097 * If this SSL handle is not from a version flexible method we don't
2098 * (and never did) check min/max FIPS or Suite B constraints. Hope
2099 * that's OK. It is up to the caller to not choose fixed protocol
2100 * versions they don't want. If not, then easy to fix, just return
2101 * ssl_method_error(s, s->method)
2102 */
068c358a 2103 *min_version = *max_version = s->version;
b5b993b2
MC		 2104 /*
2105 * Providing a real_max only makes sense where we're using a version
2106 * flexible method.
2107 */
2108 if (!ossl_assert(real_max == NULL))
2109 return ERR_R_INTERNAL_ERROR;
4fa52141
VD		 2110 return 0;
2111 case TLS_ANY_VERSION:
2112 table = tls_version_table;
2113 break;
2114 case DTLS_ANY_VERSION:
2115 table = dtls_version_table;
2116 break;
2117 }
2118
2119 /*
2120 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2121 * below X enabled. This is required in order to maintain the "version
2122 * capability" vector contiguous. Any versions with a NULL client method
2123 * (protocol version client is disabled at compile-time) is also a "hole".
2124 *
2125 * Our initial state is hole == 1, version == 0. That is, versions above
2126 * the first version in the method table are disabled (a "hole" above
2127 * the valid protocol entries) and we don't have a selected version yet.
2128 *
2129 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2130 * the selected version, and the method becomes a candidate "single"
2131 * method. We're no longer in a hole, so "hole" becomes 0.
2132 *
2133 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2134 * as we support a contiguous range of at least two methods. If we hit
2135 * a disabled method, then hole becomes true again, but nothing else
2136 * changes yet, because all the remaining methods may be disabled too.
2137 * If we again hit an enabled method after the new hole, it becomes
2138 * selected, as we start from scratch.
2139 */
068c358a 2140 *min_version = version = 0;
4fa52141 2141 hole = 1;
b5b993b2
MC		 2142 if (real_max != NULL)
2143 *real_max = 0;
2144 tmp_real_max = 0;
4fa52141
VD		 2145 for (vent = table; vent->version != 0; ++vent) {
2146 /*
2147 * A table entry with a NULL client method is still a hole in the
2148 * "version capability" vector.
2149 */
2150 if (vent->cmeth == NULL) {
2151 hole = 1;
b5b993b2 2152 tmp_real_max = 0;
4fa52141
VD		 2153 continue;
2154 }
2155 method = vent->cmeth();
b5b993b2
MC		 2156
2157 if (hole == 1 && tmp_real_max == 0)
2158 tmp_real_max = vent->version;
2159
4fa52141
VD		 2160 if (ssl_method_error(s, method) != 0) {
2161 hole = 1;
2162 } else if (!hole) {
2163 single = NULL;
068c358a 2164 *min_version = method->version;
4fa52141 2165 } else {
b5b993b2
MC		 2166 if (real_max != NULL && tmp_real_max != 0)
2167 *real_max = tmp_real_max;
4fa52141 2168 version = (single = method)->version;
068c358a 2169 *min_version = version;
4fa52141
VD		 2170 hole = 0;
2171 }
2172 }
2173
068c358a
KR		 2174 *max_version = version;
2175
4fa52141
VD		 2176 /* Fail if everything is disabled */
2177 if (version == 0)
2178 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2179
068c358a
KR		 2180 return 0;
2181}
2182
2183/*
2184 * ssl_set_client_hello_version - Work out what version we should be using for
7acb8b64 2185 * the initial ClientHello.legacy_version field.
068c358a
KR		 2186 *
2187 * @s: client SSL handle.
2188 *
2189 * Returns 0 on success or an SSL error reason number on failure.
2190 */
2191int ssl_set_client_hello_version(SSL *s)
2192{
3eb2aff4 2193 int ver_min, ver_max, ret;
068c358a 2194
447cc0ad
MC		 2195 /*
2196 * In a renegotiation we always send the same client_version that we sent
2197 * last time, regardless of which version we eventually negotiated.
2198 */
2199 if (!SSL_IS_FIRST_HANDSHAKE(s))
2200 return 0;
2201
b5b993b2 2202 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
068c358a
KR		 2203
2204 if (ret != 0)
2205 return ret;
2206
7acb8b64
MC		 2207 s->version = ver_max;
2208
2209 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2210 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2211 ver_max = TLS1_2_VERSION;
2212
2213 s->client_version = ver_max;
4fa52141
VD		 2214 return 0;
2215}
aff9929b
MC		 2216
2217/*
2218 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2219 * and |checkallow| is 1 then additionally check if the group is allowed to be
2220 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2221 * 1) or 0 otherwise.
2222 */
9e84a42d 2223int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
aff9929b
MC		 2224 size_t num_groups, int checkallow)
2225{
2226 size_t i;
2227
2228 if (groups == NULL || num_groups == 0)
2229 return 0;
2230
9e84a42d
DSH		 2231 for (i = 0; i < num_groups; i++) {
2232 uint16_t group = groups[i];
2233
2234 if (group_id == group
aff9929b 2235 && (!checkallow
dbc6268f 2236 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
0acee504 2237 return 1;
aff9929b
MC		 2238 }
2239 }
2240
0acee504 2241 return 0;
aff9929b 2242}
11c67eea
MC		 2243
2244/* Replace ClientHello1 in the transcript hash with a synthetic message */
43054d3d
MC		 2245int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2246 size_t hashlen, const unsigned char *hrr,
2247 size_t hrrlen)
11c67eea 2248{
43054d3d 2249 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
635b7d3f
MC		 2250 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2251
2252 memset(msghdr, 0, sizeof(msghdr));
11c67eea 2253
43054d3d
MC		 2254 if (hashval == NULL) {
2255 hashval = hashvaltmp;
2256 hashlen = 0;
2257 /* Get the hash of the initial ClientHello */
2258 if (!ssl3_digest_cached_records(s, 0)
2259 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2260 &hashlen)) {
2261 /* SSLfatal() already called */
2262 return 0;
2263 }
11c67eea
MC		 2264 }
2265
2266 /* Reinitialise the transcript hash */
f63a17d6
MC		 2267 if (!ssl3_init_finished_mac(s)) {
2268 /* SSLfatal() already called */
11c67eea 2269 return 0;
f63a17d6 2270 }
11c67eea
MC		 2271
2272 /* Inject the synthetic message_hash message */
635b7d3f 2273 msghdr[0] = SSL3_MT_MESSAGE_HASH;
3a63c0ed 2274 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
11c67eea
MC		 2275 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2276 || !ssl3_finish_mac(s, hashval, hashlen)) {
f63a17d6 2277 /* SSLfatal() already called */
11c67eea
MC		 2278 return 0;
2279 }
2280
43054d3d
MC		 2281 /*
2282 * Now re-inject the HRR and current message if appropriate (we just deleted
2283 * it when we reinitialised the transcript hash above). Only necessary after
2284 * receiving a ClientHello2 with a cookie.
2285 */
2286 if (hrr != NULL
2287 && (!ssl3_finish_mac(s, hrr, hrrlen)
2288 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
555cbb32 2289 s->s3.tmp.message_size
43054d3d
MC		 2290 + SSL3_HM_HEADER_LENGTH))) {
2291 /* SSLfatal() already called */
2292 return 0;
2293 }
2294
11c67eea
MC		 2295 return 1;
2296}
5d6cca05
DSH		 2297
2298static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2299{
2300 return X509_NAME_cmp(*a, *b);
2301}
2302
f63a17d6 2303int parse_ca_names(SSL *s, PACKET *pkt)
5d6cca05
DSH		 2304{
2305 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2306 X509_NAME *xn = NULL;
2307 PACKET cadns;
2308
2309 if (ca_sk == NULL) {
f63a17d6
MC		 2310 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2311 ERR_R_MALLOC_FAILURE);
2312 goto err;
5d6cca05
DSH		 2313 }
2314 /* get the CA RDNs */
2315 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
f63a17d6
MC		 2316 SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
2317 SSL_R_LENGTH_MISMATCH);
2318 goto err;
5d6cca05
DSH		 2319 }
2320
2321 while (PACKET_remaining(&cadns)) {
2322 const unsigned char *namestart, *namebytes;
2323 unsigned int name_len;
2324
2325 if (!PACKET_get_net_2(&cadns, &name_len)
2326 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
f63a17d6
MC		 2327 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2328 SSL_R_LENGTH_MISMATCH);
2329 goto err;
5d6cca05
DSH		 2330 }
2331
2332 namestart = namebytes;
2333 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
f63a17d6
MC		 2334 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2335 ERR_R_ASN1_LIB);
2336 goto err;
5d6cca05
DSH		 2337 }
2338 if (namebytes != (namestart + name_len)) {
f63a17d6
MC		 2339 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2340 SSL_R_CA_DN_LENGTH_MISMATCH);
2341 goto err;
5d6cca05
DSH		 2342 }
2343
2344 if (!sk_X509_NAME_push(ca_sk, xn)) {
f63a17d6
MC		 2345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2346 ERR_R_MALLOC_FAILURE);
5d6cca05
DSH		 2347 goto err;
2348 }
2349 xn = NULL;
2350 }
2351
555cbb32
TS		 2352 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2353 s->s3.tmp.peer_ca_names = ca_sk;
5d6cca05
DSH		 2354
2355 return 1;
2356
5d6cca05
DSH		 2357 err:
2358 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2359 X509_NAME_free(xn);
2360 return 0;
2361}
2362
98732979 2363const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
5d6cca05 2364{
98732979 2365 const STACK_OF(X509_NAME) *ca_sk = NULL;;
5d6cca05 2366
98732979
MC		 2367 if (s->server) {
2368 ca_sk = SSL_get_client_CA_list(s);
2369 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2370 ca_sk = NULL;
2371 }
2372
2373 if (ca_sk == NULL)
2374 ca_sk = SSL_get0_CA_list(s);
2375
2376 return ca_sk;
2377}
2378
2379int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2380{
5d6cca05 2381 /* Start sub-packet for client CA list */
f63a17d6
MC		 2382 if (!WPACKET_start_sub_packet_u16(pkt)) {
2383 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2384 ERR_R_INTERNAL_ERROR);
5d6cca05 2385 return 0;
f63a17d6 2386 }
5d6cca05 2387
90fc2c26 2388 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
5d6cca05
DSH		 2389 int i;
2390
2391 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2392 unsigned char *namebytes;
2393 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2394 int namelen;
2395
2396 if (name == NULL
2397 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2398 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2399 &namebytes)
2400 || i2d_X509_NAME(name, &namebytes) != namelen) {
f63a17d6
MC		 2401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2402 ERR_R_INTERNAL_ERROR);
5d6cca05
DSH		 2403 return 0;
2404 }
2405 }
2406 }
2407
f63a17d6
MC		 2408 if (!WPACKET_close(pkt)) {
2409 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2410 ERR_R_INTERNAL_ERROR);
5d6cca05 2411 return 0;
f63a17d6 2412 }
5d6cca05
DSH		 2413
2414 return 1;
2415}
72ceb6a6
DSH		 2416
2417/* Create a buffer containing data to be signed for server key exchange */
f63a17d6 2418size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
72ceb6a6
DSH		 2419 const void *param, size_t paramlen)
2420{
2421 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2422 unsigned char *tbs = OPENSSL_malloc(tbslen);
2423
f63a17d6
MC		 2424 if (tbs == NULL) {
2425 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
2426 ERR_R_MALLOC_FAILURE);
72ceb6a6 2427 return 0;
f63a17d6 2428 }
555cbb32
TS		 2429 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2430 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
72ceb6a6
DSH		 2431
2432 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2433
2434 *ptbs = tbs;
2435 return tbslen;
2436}
9d75dce3
TS		 2437
2438/*
2439 * Saves the current handshake digest for Post-Handshake Auth,
2440 * Done after ClientFinished is processed, done exactly once
2441 */
2442int tls13_save_handshake_digest_for_pha(SSL *s)
2443{
2444 if (s->pha_dgst == NULL) {
2445 if (!ssl3_digest_cached_records(s, 1))
2446 /* SSLfatal() already called */
2447 return 0;
2448
2449 s->pha_dgst = EVP_MD_CTX_new();
2450 if (s->pha_dgst == NULL) {
2451 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2452 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2453 ERR_R_INTERNAL_ERROR);
2454 return 0;
2455 }
2456 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
555cbb32 2457 s->s3.handshake_dgst)) {
9d75dce3
TS		 2458 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2459 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2460 ERR_R_INTERNAL_ERROR);
2461 return 0;
2462 }
2463 }
2464 return 1;
2465}
2466
2467/*
2468 * Restores the Post-Handshake Auth handshake digest
2469 * Done just before sending/processing the Cert Request
2470 */
2471int tls13_restore_handshake_digest_for_pha(SSL *s)
2472{
2473 if (s->pha_dgst == NULL) {
2474 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2475 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2476 ERR_R_INTERNAL_ERROR);
2477 return 0;
2478 }
555cbb32 2479 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
9d75dce3
TS		 2480 s->pha_dgst)) {
2481 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2482 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2483 ERR_R_INTERNAL_ERROR);
2484 return 0;
2485 }
2486 return 1;
2487}
A mirror of the official openssl repository