]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/statem_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
remove unused initialisations
[thirdparty/openssl.git] / ssl / statem / statem_lib.c
CommitLineData
846e33c7 1/*
33388b44 2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
aa8f3d76 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
3813046d 4 *
2c18d164 5 * Licensed under the Apache License 2.0 (the "License"). You may not use
846e33c7
RS		 6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
3813046d 9 */
846e33c7 10
48948d53 11#include <limits.h>
f2d9a32c 12#include <string.h>
d02b48c6 13#include <stdio.h>
706457b7
DMSP		 14#include "../ssl_local.h"
15#include "statem_local.h"
67dc995e 16#include "internal/cryptlib.h"
c2041da8 17#include "internal/evp.h"
ec577822 18#include <openssl/buffer.h>
ec577822
BM		 19#include <openssl/objects.h>
20#include <openssl/evp.h>
d7e498ac 21#include <openssl/rsa.h>
ec577822 22#include <openssl/x509.h>
49b26f54 23#include <openssl/trace.h>
d02b48c6 24
c6d38183
RS		 25/*
26 * Map error codes to TLS/SSL alart types.
27 */
28typedef struct x509err2alert_st {
29 int x509err;
30 int alert;
31} X509ERR2ALERT;
32
597c51bc
MC		 33/* Fixed value used in the ServerHello random field to identify an HRR */
34const unsigned char hrrrandom[] = {
35 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
36 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
37 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
38};
39
0f113f3e
MC		 40/*
41 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
42 * SSL3_RT_CHANGE_CIPHER_SPEC)
43 */
e7ecc7d4 44int ssl3_do_write(SSL *s, int type)
0f113f3e
MC		 45{
46 int ret;
7ee8627f 47 size_t written = 0;
0f113f3e
MC		 48
49 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
7ee8627f 50 s->init_num, &written);
0f113f3e 51 if (ret < 0)
26a7d938 52 return -1;
0f113f3e
MC		 53 if (type == SSL3_RT_HANDSHAKE)
54 /*
55 * should not be done for 'Hello Request's, but in that case we'll
56 * ignore the result anyway
9d75dce3 57 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
0f113f3e 58 */
9d75dce3
TS		 59 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
60 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
61 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
62 if (!ssl3_finish_mac(s,
63 (unsigned char *)&s->init_buf->data[s->init_off],
64 written))
65 return -1;
7ee8627f 66 if (written == s->init_num) {
0f113f3e
MC		 67 if (s->msg_callback)
68 s->msg_callback(1, s->version, type, s->init_buf->data,
69 (size_t)(s->init_off + s->init_num), s,
70 s->msg_callback_arg);
208fb891 71 return 1;
0f113f3e 72 }
7ee8627f
MC		 73 s->init_off += written;
74 s->init_num -= written;
26a7d938 75 return 0;
0f113f3e 76}
e7ecc7d4 77
4a01c59f 78int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
2c7b4dbc
MC		 79{
80 size_t msglen;
81
4a01c59f 82 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
f1ec23c0 83 || !WPACKET_get_length(pkt, &msglen)
7cea05dc 84 || msglen > INT_MAX)
2c7b4dbc
MC		 85 return 0;
86 s->init_num = (int)msglen;
87 s->init_off = 0;
88
89 return 1;
90}
91
1f5b44e9
MC		 92int tls_setup_handshake(SSL *s)
93{
8e32ea63
MC		 94 int ver_min, ver_max, ok;
95
f63a17d6
MC		 96 if (!ssl3_init_finished_mac(s)) {
97 /* SSLfatal() already called */
c7f47786 98 return 0;
f63a17d6 99 }
c7f47786 100
b186a592
MC		 101 /* Reset any extension flags */
102 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
103
8e32ea63 104 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
c48ffbcc 105 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
8e32ea63
MC		 106 return 0;
107 }
108
109 /* Sanity check that we have MD5-SHA1 if we need it */
110 if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
111 int md5sha1_needed = 0;
112
113 /* We don't have MD5-SHA1 - do we need it? */
114 if (SSL_IS_DTLS(s)) {
115 if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
116 md5sha1_needed = 1;
117 } else {
118 if (ver_max <= TLS1_1_VERSION)
119 md5sha1_needed = 1;
120 }
121 if (md5sha1_needed) {
c48ffbcc
RL		 122 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
123 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
124 "The max supported SSL/TLS version needs the"
125 " MD5-SHA1 digest but it is not available"
126 " in the loaded providers. Use (D)TLSv1.2 or"
127 " above, or load different providers");
8e32ea63
MC		 128 return 0;
129 }
130
131 ok = 1;
132 /* Don't allow TLSv1.1 or below to be negotiated */
133 if (SSL_IS_DTLS(s)) {
134 if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
135 ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION);
136 } else {
137 if (ver_min < TLS1_2_VERSION)
138 ok = SSL_set_min_proto_version(s, TLS1_2_VERSION);
139 }
140 if (!ok) {
141 /* Shouldn't happen */
c48ffbcc 142 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
8e32ea63
MC		 143 return 0;
144 }
145 }
146
147 ok = 0;
c7f47786 148 if (s->server) {
38a73150 149 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
8e32ea63 150 int i;
38a73150
MC		 151
152 /*
153 * Sanity check that the maximum version we accept has ciphers
154 * enabled. For clients we do this check during construction of the
155 * ClientHello.
156 */
38a73150
MC		 157 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
158 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
159
160 if (SSL_IS_DTLS(s)) {
161 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
162 DTLS_VERSION_LE(ver_max, c->max_dtls))
163 ok = 1;
164 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
165 ok = 1;
166 }
167 if (ok)
168 break;
169 }
170 if (!ok) {
c48ffbcc
RL		 171 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
172 SSL_R_NO_CIPHERS_AVAILABLE,
173 "No ciphers enabled for max supported "
174 "SSL/TLS version");
38a73150
MC		 175 return 0;
176 }
c7f47786 177 if (SSL_IS_FIRST_HANDSHAKE(s)) {
0e6161bc 178 /* N.B. s->session_ctx == s->ctx here */
9ef9088c 179 tsan_counter(&s->session_ctx->stats.sess_accept);
c7f47786 180 } else {
0e6161bc 181 /* N.B. s->ctx may not equal s->session_ctx */
9ef9088c 182 tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
c7f47786 183
555cbb32 184 s->s3.tmp.cert_request = 0;
c7f47786
MC		 185 }
186 } else {
187 if (SSL_IS_FIRST_HANDSHAKE(s))
9ef9088c 188 tsan_counter(&s->session_ctx->stats.sess_connect);
c7f47786 189 else
9ef9088c 190 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
c7f47786
MC		 191
192 /* mark client_random uninitialized */
555cbb32 193 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
c7f47786
MC		 194 s->hit = 0;
195
555cbb32 196 s->s3.tmp.cert_req = 0;
c7f47786 197
1f5b44e9 198 if (SSL_IS_DTLS(s))
c7f47786 199 s->statem.use_timer = 1;
c7f47786
MC		 200 }
201
202 return 1;
203}
204
2c5dfdc3
MC		 205/*
206 * Size of the to-be-signed TLS13 data, without the hash size itself:
207 * 64 bytes of value 32, 33 context bytes, 1 byte separator
208 */
209#define TLS13_TBS_START_SIZE 64
210#define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
211
212static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
213 void **hdata, size_t *hdatalen)
214{
48102247 215#ifdef CHARSET_EBCDIC
99435164 216 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
48102247 217 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
218 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
219 0x69, 0x66, 0x79, 0x00 };
99435164 220 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
48102247 221 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
222 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
223 0x69, 0x66, 0x79, 0x00 };
224#else
99435164
AV		 225 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
226 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
48102247 227#endif
2c5dfdc3
MC		 228 if (SSL_IS_TLS13(s)) {
229 size_t hashlen;
230
231 /* Set the first 64 bytes of to-be-signed data to octet 32 */
232 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
233 /* This copies the 33 bytes of context plus the 0 separator byte */
234 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
235 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
236 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
237 else
238 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
239
240 /*
241 * If we're currently reading then we need to use the saved handshake
242 * hash value. We can't use the current handshake hash state because
243 * that includes the CertVerify itself.
244 */
245 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
246 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
247 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
248 s->cert_verify_hash_len);
249 hashlen = s->cert_verify_hash_len;
250 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
251 EVP_MAX_MD_SIZE, &hashlen)) {
f63a17d6 252 /* SSLfatal() already called */
2c5dfdc3
MC		 253 return 0;
254 }
255
256 *hdata = tls13tbs;
257 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
258 } else {
259 size_t retlen;
60690b5b 260 long retlen_l;
2c5dfdc3 261
555cbb32 262 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
60690b5b 263 if (retlen_l <= 0) {
c48ffbcc 264 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2c5dfdc3 265 return 0;
f63a17d6 266 }
2c5dfdc3
MC		 267 *hdatalen = retlen;
268 }
269
270 return 1;
271}
272
d8bc1399
MC		 273int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
274{
ad4dd362
DSH		 275 EVP_PKEY *pkey = NULL;
276 const EVP_MD *md = NULL;
d8bc1399 277 EVP_MD_CTX *mctx = NULL;
5f9b64a2
MC		 278 EVP_PKEY_CTX *pctx = NULL;
279 size_t hdatalen = 0, siglen = 0;
d8bc1399
MC		 280 void *hdata;
281 unsigned char *sig = NULL;
2c5dfdc3 282 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
555cbb32 283 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
2c5dfdc3 284
555cbb32 285 if (lu == NULL || s->s3.tmp.cert == NULL) {
c48ffbcc 286 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 287 goto err;
288 }
555cbb32 289 pkey = s->s3.tmp.cert->privatekey;
ad4dd362 290
c8f6c28a 291 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
c48ffbcc 292 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 293 goto err;
294 }
d8bc1399
MC		 295
296 mctx = EVP_MD_CTX_new();
297 if (mctx == NULL) {
c48ffbcc 298 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
d8bc1399
MC		 299 goto err;
300 }
d8bc1399 301
2c5dfdc3
MC		 302 /* Get the data to be signed */
303 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6 304 /* SSLfatal() already called */
d8bc1399
MC		 305 goto err;
306 }
307
ad4dd362 308 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
c48ffbcc 309 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 310 goto err;
311 }
5f9b64a2 312
d8652be0
MC		 313 if (EVP_DigestSignInit_ex(mctx, &pctx, md == NULL ? NULL : EVP_MD_name(md),
314 s->ctx->libctx, s->ctx->propq, pkey) <= 0) {
c48ffbcc 315 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
5f9b64a2
MC		 316 goto err;
317 }
318
ad4dd362 319 if (lu->sig == EVP_PKEY_RSA_PSS) {
5f9b64a2 320 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 321 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
322 RSA_PSS_SALTLEN_DIGEST) <= 0) {
c48ffbcc 323 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
5f9b64a2
MC		 324 goto err;
325 }
caf2b6b5
DSH		 326 }
327 if (s->version == SSL3_VERSION) {
bddbfae1
MC		 328 /*
329 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
330 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
331 */
caf2b6b5 332 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
83b4a243
SL		 333 /*
334 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
335 * with a call to ssl3_digest_master_key_set_params()
336 */
337 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
338 (int)s->session->master_key_length,
339 s->session->master_key) <= 0
bddbfae1 340 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
caf2b6b5 341
c48ffbcc 342 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
5f9b64a2
MC		 343 goto err;
344 }
bddbfae1
MC		 345 sig = OPENSSL_malloc(siglen);
346 if (sig == NULL
347 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
c48ffbcc 348 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
bddbfae1
MC		 349 goto err;
350 }
351 } else {
352 /*
353 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
354 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
355 */
356 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
c48ffbcc 357 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
bddbfae1
MC		 358 goto err;
359 }
360 sig = OPENSSL_malloc(siglen);
361 if (sig == NULL
362 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
c48ffbcc 363 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
bddbfae1
MC		 364 goto err;
365 }
d8bc1399 366 }
5f9b64a2 367
d8bc1399
MC		 368#ifndef OPENSSL_NO_GOST
369 {
ad4dd362
DSH		 370 int pktype = lu->sig;
371
d8bc1399
MC		 372 if (pktype == NID_id_GostR3410_2001
373 || pktype == NID_id_GostR3410_2012_256
374 || pktype == NID_id_GostR3410_2012_512)
5f9b64a2 375 BUF_reverse(sig, NULL, siglen);
d8bc1399
MC		 376 }
377#endif
378
5f9b64a2 379 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
c48ffbcc 380 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 381 goto err;
382 }
383
384 /* Digest cached records and discard handshake buffer */
d4d2f3a4
MC		 385 if (!ssl3_digest_cached_records(s, 0)) {
386 /* SSLfatal() already called */
d8bc1399 387 goto err;
d4d2f3a4 388 }
d8bc1399
MC		 389
390 OPENSSL_free(sig);
391 EVP_MD_CTX_free(mctx);
392 return 1;
393 err:
394 OPENSSL_free(sig);
395 EVP_MD_CTX_free(mctx);
d8bc1399
MC		 396 return 0;
397}
398
399MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
400{
401 EVP_PKEY *pkey = NULL;
703bcee0 402 const unsigned char *data;
d8bc1399
MC		 403#ifndef OPENSSL_NO_GOST
404 unsigned char *gost_data = NULL;
405#endif
eb5fd03b 406 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
dd24857b 407 int j;
d8bc1399
MC		 408 unsigned int len;
409 X509 *peer;
410 const EVP_MD *md = NULL;
2c5dfdc3 411 size_t hdatalen = 0;
d8bc1399 412 void *hdata;
2c5dfdc3 413 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
d8bc1399 414 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
5f9b64a2 415 EVP_PKEY_CTX *pctx = NULL;
d8bc1399
MC		 416
417 if (mctx == NULL) {
c48ffbcc 418 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 419 goto err;
d8bc1399
MC		 420 }
421
422 peer = s->session->peer;
423 pkey = X509_get0_pubkey(peer);
f63a17d6 424 if (pkey == NULL) {
c48ffbcc 425 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6
MC		 426 goto err;
427 }
83b4049a 428
dd24857b 429 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
c48ffbcc 430 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6
MC		 431 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
432 goto err;
d8bc1399
MC		 433 }
434
f464f9c0 435 if (SSL_USE_SIGALGS(s)) {
f464f9c0
PD		 436 unsigned int sigalg;
437
438 if (!PACKET_get_net_2(pkt, &sigalg)) {
c48ffbcc 439 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
f63a17d6 440 goto err;
f464f9c0 441 }
f63a17d6
MC		 442 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
443 /* SSLfatal() already called */
444 goto err;
f464f9c0 445 }
f464f9c0 446 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
c48ffbcc 447 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 448 goto err;
f464f9c0
PD		 449 }
450
c8f6c28a 451 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
c48ffbcc 452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 453 goto err;
168067b6 454 }
f464f9c0 455
572fa024 456 if (SSL_USE_SIGALGS(s))
49b26f54
RL		 457 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
458 md == NULL ? "n/a" : EVP_MD_name(md));
572fa024 459
d8bc1399
MC		 460 /* Check for broken implementations of GOST ciphersuites */
461 /*
f464f9c0
PD		 462 * If key is GOST and len is exactly 64 or 128, it is signature without
463 * length field (CryptoPro implementations at least till TLS 1.2)
d8bc1399
MC		 464 */
465#ifndef OPENSSL_NO_GOST
f464f9c0
PD		 466 if (!SSL_USE_SIGALGS(s)
467 && ((PACKET_remaining(pkt) == 64
468 && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
469 || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
470 || (PACKET_remaining(pkt) == 128
471 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
472 len = PACKET_remaining(pkt);
d8bc1399
MC		 473 } else
474#endif
f464f9c0 475 if (!PACKET_get_net_2(pkt, &len)) {
c48ffbcc 476 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 477 goto err;
d8bc1399 478 }
f464f9c0 479
d8bc1399 480 if (!PACKET_get_bytes(pkt, &data, len)) {
c48ffbcc 481 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 482 goto err;
d8bc1399
MC		 483 }
484
2c5dfdc3 485 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6
MC		 486 /* SSLfatal() already called */
487 goto err;
d8bc1399
MC		 488 }
489
49b26f54
RL		 490 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
491 md == NULL ? "n/a" : EVP_MD_name(md));
492
d8652be0
MC		 493 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
494 md == NULL ? NULL : EVP_MD_name(md),
495 s->ctx->libctx, s->ctx->propq, pkey) <= 0) {
c48ffbcc 496 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
f63a17d6 497 goto err;
d8bc1399
MC		 498 }
499#ifndef OPENSSL_NO_GOST
500 {
dc8da7b1 501 int pktype = EVP_PKEY_id(pkey);
d8bc1399
MC		 502 if (pktype == NID_id_GostR3410_2001
503 || pktype == NID_id_GostR3410_2012_256
504 || pktype == NID_id_GostR3410_2012_512) {
505 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
c48ffbcc 506 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 507 goto err;
d8bc1399
MC		 508 }
509 BUF_reverse(gost_data, data, len);
510 data = gost_data;
511 }
512 }
513#endif
514
5554facb 515 if (SSL_USE_PSS(s)) {
5f9b64a2 516 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 517 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
518 RSA_PSS_SALTLEN_DIGEST) <= 0) {
c48ffbcc 519 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
f63a17d6 520 goto err;
5f9b64a2 521 }
d8bc1399 522 }
caf2b6b5 523 if (s->version == SSL3_VERSION) {
83b4a243
SL		 524 /*
525 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
526 * with a call to ssl3_digest_master_key_set_params()
527 */
caf2b6b5 528 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
83b4a243
SL		 529 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
530 (int)s->session->master_key_length,
531 s->session->master_key) <= 0) {
c48ffbcc 532 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
f63a17d6 533 goto err;
caf2b6b5
DSH		 534 }
535 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
c48ffbcc 536 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
f63a17d6 537 goto err;
caf2b6b5
DSH		 538 }
539 } else {
540 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
25ffeb11 541 if (j <= 0) {
c48ffbcc 542 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
f63a17d6 543 goto err;
caf2b6b5 544 }
d8bc1399
MC		 545 }
546
e4562014
MC		 547 /*
548 * In TLSv1.3 on the client side we make sure we prepare the client
549 * certificate after the CertVerify instead of when we get the
550 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
551 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
8c2bfd25 552 * want to make sure that SSL_get1_peer_certificate() will return the actual
e4562014
MC		 553 * server certificate from the client_cert_cb callback.
554 */
555cbb32 555 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
e4562014
MC		 556 ret = MSG_PROCESS_CONTINUE_PROCESSING;
557 else
558 ret = MSG_PROCESS_CONTINUE_READING;
f63a17d6 559 err:
555cbb32
TS		 560 BIO_free(s->s3.handshake_buffer);
561 s->s3.handshake_buffer = NULL;
d8bc1399
MC		 562 EVP_MD_CTX_free(mctx);
563#ifndef OPENSSL_NO_GOST
564 OPENSSL_free(gost_data);
565#endif
566 return ret;
567}
568
229185e6 569int tls_construct_finished(SSL *s, WPACKET *pkt)
0f113f3e 570{
12472b45 571 size_t finish_md_len;
229185e6 572 const char *sender;
8b0e934a 573 size_t slen;
229185e6 574
f7e393be 575 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 576 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
f7e393be
MC		 577 s->statem.cleanuphand = 1;
578
579 /*
580 * We only change the keys if we didn't already do this when we sent the
581 * client certificate
582 */
583 if (SSL_IS_TLS13(s)
584 && !s->server
555cbb32 585 && s->s3.tmp.cert_req == 0
f7e393be 586 && (!s->method->ssl3_enc->change_cipher_state(s,
d4d2f3a4
MC		 587 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
588 /* SSLfatal() already called */
b43c3765 589 return 0;
f7e393be
MC		 590 }
591
229185e6
MC		 592 if (s->server) {
593 sender = s->method->ssl3_enc->server_finished_label;
594 slen = s->method->ssl3_enc->server_finished_label_len;
595 } else {
596 sender = s->method->ssl3_enc->client_finished_label;
597 slen = s->method->ssl3_enc->client_finished_label_len;
598 }
0f113f3e 599
12472b45
MC		 600 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
601 sender, slen,
555cbb32 602 s->s3.tmp.finish_md);
12472b45 603 if (finish_md_len == 0) {
d4d2f3a4
MC		 604 /* SSLfatal() already called */
605 return 0;
4f89bfbf
MC		 606 }
607
555cbb32 608 s->s3.tmp.finish_md_len = finish_md_len;
4f89bfbf 609
555cbb32 610 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
c48ffbcc 611 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d4d2f3a4 612 return 0;
4f89bfbf 613 }
0f113f3e 614
2c7bd692
CB		 615 /*
616 * Log the master secret, if logging is enabled. We don't log it for
617 * TLSv1.3: there's a different key schedule for that.
618 */
619 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
620 s->session->master_key,
380a522f 621 s->session->master_key_length)) {
d4d2f3a4
MC		 622 /* SSLfatal() already called */
623 return 0;
380a522f 624 }
2faa1b48 625
b9908bf9
MC		 626 /*
627 * Copy the finished so we can use it for renegotiation checks
628 */
380a522f 629 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
c48ffbcc 630 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d4d2f3a4 631 return 0;
380a522f 632 }
23a635c0 633 if (!s->server) {
555cbb32 634 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
12472b45 635 finish_md_len);
555cbb32 636 s->s3.previous_client_finished_len = finish_md_len;
b9908bf9 637 } else {
555cbb32 638 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
12472b45 639 finish_md_len);
555cbb32 640 s->s3.previous_server_finished_len = finish_md_len;
b9908bf9 641 }
0f113f3e 642
b9908bf9 643 return 1;
0f113f3e 644}
d02b48c6 645
44c04a2e
MC		 646int tls_construct_key_update(SSL *s, WPACKET *pkt)
647{
648 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
c48ffbcc 649 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d4d2f3a4 650 return 0;
44c04a2e
MC		 651 }
652
9412b3ad 653 s->key_update = SSL_KEY_UPDATE_NONE;
44c04a2e 654 return 1;
44c04a2e
MC		 655}
656
e1c3de44
MC		 657MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
658{
659 unsigned int updatetype;
660
524420d8
MC		 661 /*
662 * A KeyUpdate message signals a key change so the end of the message must
663 * be on a record boundary.
664 */
665 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
c48ffbcc 666 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
f63a17d6 667 return MSG_PROCESS_ERROR;
524420d8
MC		 668 }
669
e1c3de44 670 if (!PACKET_get_1(pkt, &updatetype)
2d871227 671 || PACKET_remaining(pkt) != 0) {
c48ffbcc 672 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
f63a17d6 673 return MSG_PROCESS_ERROR;
e1c3de44
MC		 674 }
675
9010b7bc
MC		 676 /*
677 * There are only two defined key update types. Fail if we get a value we
678 * didn't recognise.
679 */
2d871227
MC		 680 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
681 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
c48ffbcc 682 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
f63a17d6 683 return MSG_PROCESS_ERROR;
2d871227
MC		 684 }
685
5bf47933
MC		 686 /*
687 * If we get a request for us to update our sending keys too then, we need
688 * to additionally send a KeyUpdate message. However that message should
feb9e31c 689 * not also request an update (otherwise we get into an infinite loop).
5bf47933 690 */
feb9e31c 691 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
5bf47933
MC		 692 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
693
57389a32 694 if (!tls13_update_key(s, 0)) {
f63a17d6
MC		 695 /* SSLfatal() already called */
696 return MSG_PROCESS_ERROR;
57389a32
MC		 697 }
698
e1c3de44
MC		 699 return MSG_PROCESS_FINISHED_READING;
700}
701
0f113f3e
MC		 702/*
703 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
704 * to far.
705 */
5d671101 706int ssl3_take_mac(SSL *s)
0f113f3e
MC		 707{
708 const char *sender;
8b0e934a 709 size_t slen;
5d671101 710
49ae7423 711 if (!s->server) {
0f113f3e
MC		 712 sender = s->method->ssl3_enc->server_finished_label;
713 slen = s->method->ssl3_enc->server_finished_label_len;
714 } else {
715 sender = s->method->ssl3_enc->client_finished_label;
716 slen = s->method->ssl3_enc->client_finished_label_len;
717 }
718
555cbb32 719 s->s3.tmp.peer_finish_md_len =
5d671101 720 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
555cbb32 721 s->s3.tmp.peer_finish_md);
5d671101 722
555cbb32 723 if (s->s3.tmp.peer_finish_md_len == 0) {
5d671101
MC		 724 /* SSLfatal() already called */
725 return 0;
726 }
727
728 return 1;
0f113f3e 729}
ee2ffc27 730
be3583fa 731MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
b9908bf9 732{
348240c6 733 size_t remain;
4fa52141 734
73999b62 735 remain = PACKET_remaining(pkt);
657da85e
MC		 736 /*
737 * 'Change Cipher Spec' is just a single byte, which should already have
c69f2adf
MC		 738 * been consumed by ssl_get_message() so there should be no bytes left,
739 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
657da85e 740 */
c69f2adf 741 if (SSL_IS_DTLS(s)) {
73999b62 742 if ((s->version == DTLS1_BAD_VER
a230b26e
EK		 743 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
744 || (s->version != DTLS1_BAD_VER
745 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
c48ffbcc 746 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
f63a17d6 747 return MSG_PROCESS_ERROR;
c69f2adf
MC		 748 }
749 } else {
73999b62 750 if (remain != 0) {
c48ffbcc 751 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
f63a17d6 752 return MSG_PROCESS_ERROR;
c69f2adf 753 }
657da85e
MC		 754 }
755
756 /* Check we have a cipher to change to */
555cbb32 757 if (s->s3.tmp.new_cipher == NULL) {
c48ffbcc 758 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
f63a17d6 759 return MSG_PROCESS_ERROR;
657da85e
MC		 760 }
761
555cbb32 762 s->s3.change_cipher_spec = 1;
657da85e 763 if (!ssl3_do_change_cipher_spec(s)) {
c48ffbcc 764 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 765 return MSG_PROCESS_ERROR;
657da85e
MC		 766 }
767
c69f2adf
MC		 768 if (SSL_IS_DTLS(s)) {
769 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
770
771 if (s->version == DTLS1_BAD_VER)
772 s->d1->handshake_read_seq++;
773
774#ifndef OPENSSL_NO_SCTP
775 /*
776 * Remember that a CCS has been received, so that an old key of
777 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
778 * SCTP is used
779 */
780 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
781#endif
782 }
783
b9908bf9 784 return MSG_PROCESS_CONTINUE_READING;
657da85e
MC		 785}
786
be3583fa 787MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
b9908bf9 788{
12472b45 789 size_t md_len;
b9908bf9 790
d781d247
MC		 791
792 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 793 if (s->server) {
de9e884b
MC		 794 /*
795 * To get this far we must have read encrypted data from the client. We
796 * no longer tolerate unencrypted alerts. This value is ignored if less
797 * than TLSv1.3
798 */
799 s->statem.enc_read_state = ENC_READ_STATE_VALID;
9d75dce3
TS		 800 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
801 s->statem.cleanuphand = 1;
802 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
803 /* SSLfatal() already called */
804 return MSG_PROCESS_ERROR;
805 }
806 }
d781d247 807
524420d8
MC		 808 /*
809 * In TLSv1.3 a Finished message signals a key change so the end of the
810 * message must be on a record boundary.
811 */
812 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
c48ffbcc 813 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
f63a17d6 814 return MSG_PROCESS_ERROR;
524420d8
MC		 815 }
816
0f113f3e 817 /* If this occurs, we have missed a message */
555cbb32 818 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
c48ffbcc 819 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
f63a17d6 820 return MSG_PROCESS_ERROR;
0f113f3e 821 }
555cbb32 822 s->s3.change_cipher_spec = 0;
0f113f3e 823
555cbb32 824 md_len = s->s3.tmp.peer_finish_md_len;
0f113f3e 825
12472b45 826 if (md_len != PACKET_remaining(pkt)) {
c48ffbcc 827 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
f63a17d6 828 return MSG_PROCESS_ERROR;
0f113f3e
MC		 829 }
830
555cbb32 831 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
12472b45 832 md_len) != 0) {
c48ffbcc 833 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
f63a17d6 834 return MSG_PROCESS_ERROR;
0f113f3e
MC		 835 }
836
837 /*
838 * Copy the finished so we can use it for renegotiation checks
839 */
380a522f 840 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
c48ffbcc 841 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 842 return MSG_PROCESS_ERROR;
380a522f 843 }
23a635c0 844 if (s->server) {
555cbb32 845 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
12472b45 846 md_len);
555cbb32 847 s->s3.previous_client_finished_len = md_len;
0f113f3e 848 } else {
555cbb32 849 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
12472b45 850 md_len);
555cbb32 851 s->s3.previous_server_finished_len = md_len;
0f113f3e
MC		 852 }
853
7776a36c
MC		 854 /*
855 * In TLS1.3 we also have to change cipher state and do any final processing
856 * of the initial server flight (if we are a client)
857 */
92760c21
MC		 858 if (SSL_IS_TLS13(s)) {
859 if (s->server) {
9d75dce3
TS		 860 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
861 !s->method->ssl3_enc->change_cipher_state(s,
92760c21 862 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
f63a17d6
MC		 863 /* SSLfatal() already called */
864 return MSG_PROCESS_ERROR;
92760c21
MC		 865 }
866 } else {
d74014c4
BK		 867 /* TLS 1.3 gets the secret size from the handshake md */
868 size_t dummy;
92760c21 869 if (!s->method->ssl3_enc->generate_master_secret(s,
ec15acb6 870 s->master_secret, s->handshake_secret, 0,
d74014c4 871 &dummy)) {
f63a17d6
MC		 872 /* SSLfatal() already called */
873 return MSG_PROCESS_ERROR;
92760c21
MC		 874 }
875 if (!s->method->ssl3_enc->change_cipher_state(s,
876 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
f63a17d6
MC		 877 /* SSLfatal() already called */
878 return MSG_PROCESS_ERROR;
879 }
880 if (!tls_process_initial_server_flight(s)) {
881 /* SSLfatal() already called */
882 return MSG_PROCESS_ERROR;
92760c21
MC		 883 }
884 }
885 }
886
e6575156 887 return MSG_PROCESS_FINISHED_READING;
0f113f3e 888}
d02b48c6 889
7cea05dc 890int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
b9908bf9 891{
7cea05dc 892 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
c48ffbcc 893 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
85a7a5e6
MC		 894 return 0;
895 }
b9908bf9 896
b9908bf9
MC		 897 return 1;
898}
899
e96e0f8e 900/* Add a certificate to the WPACKET */
f63a17d6 901static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
0f113f3e 902{
e96e0f8e
MC		 903 int len;
904 unsigned char *outbytes;
905
906 len = i2d_X509(x, NULL);
907 if (len < 0) {
c48ffbcc 908 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
e96e0f8e
MC		 909 return 0;
910 }
911 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
912 || i2d_X509(x, &outbytes) != len) {
c48ffbcc 913 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
e96e0f8e
MC		 914 return 0;
915 }
916
917 if (SSL_IS_TLS13(s)
fe874d27 918 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
f63a17d6
MC		 919 chain)) {
920 /* SSLfatal() already called */
e96e0f8e 921 return 0;
f63a17d6 922 }
e96e0f8e
MC		 923
924 return 1;
925}
926
927/* Add certificate chain to provided WPACKET */
f63a17d6 928static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
e96e0f8e
MC		 929{
930 int i, chain_count;
931 X509 *x;
932 STACK_OF(X509) *extra_certs;
933 STACK_OF(X509) *chain = NULL;
934 X509_STORE *chain_store;
e96e0f8e
MC		 935
936 if (cpk == NULL || cpk->x509 == NULL)
937 return 1;
938
939 x = cpk->x509;
940
941 /*
942 * If we have a certificate specific chain use it, else use parent ctx.
943 */
d805a57b 944 if (cpk->chain != NULL)
e96e0f8e
MC		 945 extra_certs = cpk->chain;
946 else
947 extra_certs = s->ctx->extra_certs;
948
949 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
950 chain_store = NULL;
951 else if (s->cert->chain_store)
952 chain_store = s->cert->chain_store;
953 else
954 chain_store = s->ctx->cert_store;
955
d805a57b 956 if (chain_store != NULL) {
d8652be0
MC		 957 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx,
958 s->ctx->propq);
e96e0f8e
MC		 959
960 if (xs_ctx == NULL) {
c48ffbcc 961 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 962 return 0;
e96e0f8e
MC		 963 }
964 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
965 X509_STORE_CTX_free(xs_ctx);
c48ffbcc 966 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
f63a17d6 967 return 0;
e96e0f8e
MC		 968 }
969 /*
970 * It is valid for the chain not to be complete (because normally we
971 * don't include the root cert in the chain). Therefore we deliberately
972 * ignore the error return from this call. We're not actually verifying
973 * the cert - we're just building as much of the chain as we can
974 */
975 (void)X509_verify_cert(xs_ctx);
976 /* Don't leave errors in the queue */
977 ERR_clear_error();
978 chain = X509_STORE_CTX_get0_chain(xs_ctx);
979 i = ssl_security_cert_chain(s, chain, NULL, 0);
980 if (i != 1) {
981#if 0
982 /* Dummy error calls so mkerr generates them */
6849b73c
RL		 983 ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
984 ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
985 ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
e96e0f8e
MC		 986#endif
987 X509_STORE_CTX_free(xs_ctx);
c48ffbcc 988 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
f63a17d6 989 return 0;
e96e0f8e
MC		 990 }
991 chain_count = sk_X509_num(chain);
992 for (i = 0; i < chain_count; i++) {
993 x = sk_X509_value(chain, i);
994
f63a17d6
MC		 995 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
996 /* SSLfatal() already called */
e96e0f8e 997 X509_STORE_CTX_free(xs_ctx);
f63a17d6 998 return 0;
e96e0f8e
MC		 999 }
1000 }
1001 X509_STORE_CTX_free(xs_ctx);
1002 } else {
1003 i = ssl_security_cert_chain(s, extra_certs, x, 0);
1004 if (i != 1) {
c48ffbcc 1005 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
f63a17d6
MC		 1006 return 0;
1007 }
1008 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1009 /* SSLfatal() already called */
1010 return 0;
e96e0f8e 1011 }
e96e0f8e
MC		 1012 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1013 x = sk_X509_value(extra_certs, i);
f63a17d6
MC		 1014 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1015 /* SSLfatal() already called */
1016 return 0;
1017 }
e96e0f8e
MC		 1018 }
1019 }
1020 return 1;
e96e0f8e
MC		 1021}
1022
f63a17d6 1023unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
e96e0f8e 1024{
f63a17d6 1025 if (!WPACKET_start_sub_packet_u24(pkt)) {
c48ffbcc 1026 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6
MC		 1027 return 0;
1028 }
e96e0f8e 1029
f63a17d6
MC		 1030 if (!ssl_add_cert_chain(s, pkt, cpk))
1031 return 0;
1032
1033 if (!WPACKET_close(pkt)) {
c48ffbcc 1034 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
7cea05dc 1035 return 0;
77d514c5 1036 }
f63a17d6 1037
c49e1912 1038 return 1;
0f113f3e
MC		 1039}
1040
30f05b19
MC		 1041/*
1042 * Tidy up after the end of a handshake. In the case of SCTP this may result
1043 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1044 * freed up as well.
1045 */
2a8db717 1046WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
8723588e
MC		 1047{
1048 void (*cb) (const SSL *ssl, int type, int val) = NULL;
4af5836b 1049 int cleanuphand = s->statem.cleanuphand;
8723588e 1050
30f05b19 1051 if (clearbufs) {
e7c27a6c
N		 1052 if (!SSL_IS_DTLS(s)
1053#ifndef OPENSSL_NO_SCTP
30f05b19 1054 /*
e7c27a6c
N		 1055 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1056 * messages that require it. Therefore, DTLS procedures for retransmissions
1057 * MUST NOT be used.
1058 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1059 */
1060 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1061#endif
1062 ) {
1063 /*
1064 * We don't do this in DTLS over UDP because we may still need the init_buf
30f05b19
MC		 1065 * in case there are any unexpected retransmits
1066 */
1067 BUF_MEM_free(s->init_buf);
1068 s->init_buf = NULL;
1069 }
e7c27a6c 1070
a2c2e000 1071 if (!ssl_free_wbio_buffer(s)) {
c48ffbcc 1072 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b77f3ed1 1073 return WORK_ERROR;
a2c2e000 1074 }
30f05b19 1075 s->init_num = 0;
473483d4 1076 }
8723588e 1077
9d75dce3
TS		 1078 if (SSL_IS_TLS13(s) && !s->server
1079 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1080 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1081
c2c1d8a4
MC		 1082 /*
1083 * Only set if there was a Finished message and this isn't after a TLSv1.3
1084 * post handshake exchange
1085 */
4af5836b 1086 if (cleanuphand) {
8723588e
MC		 1087 /* skipped if we just sent a HelloRequest */
1088 s->renegotiate = 0;
1089 s->new_session = 0;
c7f47786 1090 s->statem.cleanuphand = 0;
c0638ade 1091 s->ext.ticket_expected = 0;
8723588e 1092
30f05b19
MC		 1093 ssl3_cleanup_key_block(s);
1094
8723588e 1095 if (s->server) {
16ff1342
MC		 1096 /*
1097 * In TLSv1.3 we update the cache as part of constructing the
1098 * NewSessionTicket
1099 */
1100 if (!SSL_IS_TLS13(s))
1101 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
8723588e 1102
0e6161bc 1103 /* N.B. s->ctx may not equal s->session_ctx */
9ef9088c 1104 tsan_counter(&s->ctx->stats.sess_accept_good);
fe3a3291 1105 s->handshake_func = ossl_statem_accept;
8723588e 1106 } else {
4cb00457
MC		 1107 if (SSL_IS_TLS13(s)) {
1108 /*
1109 * We encourage applications to only use TLSv1.3 tickets once,
1110 * so we remove this one from the cache.
1111 */
1112 if ((s->session_ctx->session_cache_mode
1113 & SSL_SESS_CACHE_CLIENT) != 0)
1114 SSL_CTX_remove_session(s->session_ctx, s->session);
1115 } else {
1116 /*
1117 * In TLSv1.3 we update the cache as part of processing the
1118 * NewSessionTicket
1119 */
5d61491c 1120 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
4cb00457 1121 }
8723588e 1122 if (s->hit)
9ef9088c 1123 tsan_counter(&s->session_ctx->stats.sess_hit);
8723588e 1124
fe3a3291 1125 s->handshake_func = ossl_statem_connect;
9ef9088c 1126 tsan_counter(&s->session_ctx->stats.sess_connect_good);
8723588e
MC		 1127 }
1128
8723588e
MC		 1129 if (SSL_IS_DTLS(s)) {
1130 /* done with handshaking */
1131 s->d1->handshake_read_seq = 0;
1132 s->d1->handshake_write_seq = 0;
1133 s->d1->next_handshake_write_seq = 0;
f5c7f5df 1134 dtls1_clear_received_buffer(s);
8723588e
MC		 1135 }
1136 }
1137
c2c1d8a4
MC		 1138 if (s->info_callback != NULL)
1139 cb = s->info_callback;
1140 else if (s->ctx->info_callback != NULL)
1141 cb = s->ctx->info_callback;
1142
4ce787b9
MC		 1143 /* The callback may expect us to not be in init at handshake done */
1144 ossl_statem_set_in_init(s, 0);
1145
4af5836b
MC		 1146 if (cb != NULL) {
1147 if (cleanuphand
1148 || !SSL_IS_TLS13(s)
1149 || SSL_IS_FIRST_HANDSHAKE(s))
1150 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1151 }
c2c1d8a4 1152
4ce787b9
MC		 1153 if (!stop) {
1154 /* If we've got more work to do we go back into init */
1155 ossl_statem_set_in_init(s, 1);
30f05b19 1156 return WORK_FINISHED_CONTINUE;
4ce787b9 1157 }
30f05b19 1158
8723588e
MC		 1159 return WORK_FINISHED_STOP;
1160}
1161
9ab930b2
MC		 1162int tls_get_message_header(SSL *s, int *mt)
1163{
1164 /* s->init_num < SSL3_HM_HEADER_LENGTH */
d4d2f3a4 1165 int skip_message, i, recvd_type;
9ab930b2 1166 unsigned char *p;
54105ddd 1167 size_t l, readbytes;
9ab930b2
MC		 1168
1169 p = (unsigned char *)s->init_buf->data;
1170
1171 do {
1172 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1173 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
a230b26e
EK		 1174 &p[s->init_num],
1175 SSL3_HM_HEADER_LENGTH - s->init_num,
54105ddd 1176 0, &readbytes);
9ab930b2
MC		 1177 if (i <= 0) {
1178 s->rwstate = SSL_READING;
1179 return 0;
32ec4153 1180 }
9ab930b2 1181 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1257adec 1182 /*
a230b26e
EK		 1183 * A ChangeCipherSpec must be a single byte and may not occur
1184 * in the middle of a handshake message.
1185 */
54105ddd 1186 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
d4d2f3a4 1187 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
d4d2f3a4
MC		 1188 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1189 return 0;
1257adec 1190 }
e9359719 1191 if (s->statem.hand_state == TLS_ST_BEFORE
555cbb32 1192 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
e9359719
MC		 1193 /*
1194 * We are stateless and we received a CCS. Probably this is
1195 * from a client between the first and second ClientHellos.
1196 * We should ignore this, but return an error because we do
1197 * not return success until we see the second ClientHello
1198 * with a valid cookie.
1199 */
1200 return 0;
1201 }
555cbb32 1202 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
54105ddd 1203 s->init_num = readbytes - 1;
c4377574 1204 s->init_msg = s->init_buf->data;
555cbb32 1205 s->s3.tmp.message_size = readbytes;
9ab930b2
MC		 1206 return 1;
1207 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
d4d2f3a4 1208 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
d4d2f3a4
MC		 1209 SSL_R_CCS_RECEIVED_EARLY);
1210 return 0;
32ec4153 1211 }
54105ddd 1212 s->init_num += readbytes;
9ab930b2
MC		 1213 }
1214
1215 skip_message = 0;
1216 if (!s->server)
c7f47786
MC		 1217 if (s->statem.hand_state != TLS_ST_OK
1218 && p[0] == SSL3_MT_HELLO_REQUEST)
9ab930b2
MC		 1219 /*
1220 * The server may always send 'Hello Request' messages --
1221 * we are doing a handshake anyway now, so ignore them if
1222 * their format is correct. Does not count for 'Finished'
1223 * MAC.
1224 */
1225 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1226 s->init_num = 0;
1227 skip_message = 1;
1228
1229 if (s->msg_callback)
1230 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1231 p, SSL3_HM_HEADER_LENGTH, s,
1232 s->msg_callback_arg);
1233 }
1234 } while (skip_message);
1235 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1236
1237 *mt = *p;
555cbb32 1238 s->s3.tmp.message_type = *(p++);
32ec4153 1239
e8aa8b6c 1240 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
9ab930b2
MC		 1241 /*
1242 * Only happens with SSLv3+ in an SSLv2 backward compatible
1243 * ClientHello
e8aa8b6c
F		 1244 *
1245 * Total message size is the remaining record bytes to read
1246 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
9ab930b2 1247 */
9ab930b2
MC		 1248 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1249 + SSL3_HM_HEADER_LENGTH;
555cbb32 1250 s->s3.tmp.message_size = l;
9ab930b2
MC		 1251
1252 s->init_msg = s->init_buf->data;
1253 s->init_num = SSL3_HM_HEADER_LENGTH;
1254 } else {
1255 n2l3(p, l);
1256 /* BUF_MEM_grow takes an 'int' parameter */
1257 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
c48ffbcc 1258 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
d4d2f3a4
MC		 1259 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1260 return 0;
32ec4153 1261 }
555cbb32 1262 s->s3.tmp.message_size = l;
9ab930b2
MC		 1263
1264 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1265 s->init_num = 0;
1266 }
1267
1268 return 1;
9ab930b2
MC		 1269}
1270
eda75751 1271int tls_get_message_body(SSL *s, size_t *len)
9ab930b2 1272{
54105ddd 1273 size_t n, readbytes;
9ab930b2
MC		 1274 unsigned char *p;
1275 int i;
1276
555cbb32 1277 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
9ab930b2
MC		 1278 /* We've already read everything in */
1279 *len = (unsigned long)s->init_num;
1280 return 1;
0f113f3e
MC		 1281 }
1282
0f113f3e 1283 p = s->init_msg;
555cbb32 1284 n = s->s3.tmp.message_size - s->init_num;
0f113f3e 1285 while (n > 0) {
657da85e 1286 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
54105ddd 1287 &p[s->init_num], n, 0, &readbytes);
0f113f3e
MC		 1288 if (i <= 0) {
1289 s->rwstate = SSL_READING;
9ab930b2
MC		 1290 *len = 0;
1291 return 0;
0f113f3e 1292 }
54105ddd
MC		 1293 s->init_num += readbytes;
1294 n -= readbytes;
0f113f3e 1295 }
ee2ffc27 1296
0f113f3e
MC		 1297 /*
1298 * If receiving Finished, record MAC of prior handshake messages for
1299 * Finished verification.
1300 */
5d671101
MC		 1301 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1302 /* SSLfatal() already called */
1303 *len = 0;
1304 return 0;
1305 }
ee2ffc27 1306
0f113f3e 1307 /* Feed this message into MAC computation. */
e8aa8b6c 1308 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
d166ed8c
DSH		 1309 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1310 s->init_num)) {
d4d2f3a4 1311 /* SSLfatal() already called */
d166ed8c
DSH		 1312 *len = 0;
1313 return 0;
1314 }
32ec4153 1315 if (s->msg_callback)
a230b26e 1316 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
32ec4153
MC		 1317 (size_t)s->init_num, s, s->msg_callback_arg);
1318 } else {
11c67eea
MC		 1319 /*
1320 * We defer feeding in the HRR until later. We'll do it as part of
1321 * processing the message
9d75dce3
TS		 1322 * The TLsv1.3 handshake transcript stops at the ClientFinished
1323 * message.
11c67eea 1324 */
597c51bc 1325#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
9d75dce3 1326 /* KeyUpdate and NewSessionTicket do not need to be added */
555cbb32
TS		 1327 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1328 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1329 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
9d75dce3
TS		 1330 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1331 || memcmp(hrrrandom,
1332 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1333 SSL3_RANDOM_SIZE) != 0) {
1334 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1335 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1336 /* SSLfatal() already called */
1337 *len = 0;
1338 return 0;
1339 }
597c51bc 1340 }
d166ed8c 1341 }
32ec4153
MC		 1342 if (s->msg_callback)
1343 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1344 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1345 s->msg_callback_arg);
1346 }
1347
eda75751 1348 *len = s->init_num;
9ab930b2 1349 return 1;
0f113f3e 1350}
d02b48c6 1351
c6d38183
RS		 1352static const X509ERR2ALERT x509table[] = {
1353 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1354 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
cccf532f 1355 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
c6d38183
RS		 1356 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1357 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1358 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1359 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1360 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1361 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1362 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1363 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1364 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1365 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1366 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1367 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1368 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1369 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1370 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1371 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1372 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1373 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1374 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1375 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1376 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1377 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1378 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1379 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1380 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1381 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1382 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1383 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1384 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1385 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1386 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1387 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1388 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1389 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1390 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1391 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1392 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1393
1394 /* Last entry; return this if we don't find the value above. */
1395 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1396};
1397
1398int ssl_x509err2alert(int x509err)
0f113f3e 1399{
c6d38183
RS		 1400 const X509ERR2ALERT *tp;
1401
1402 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1403 if (tp->x509err == x509err)
1404 break;
1405 return tp->alert;
0f113f3e 1406}
d02b48c6 1407
b362ccab 1408int ssl_allow_compression(SSL *s)
0f113f3e
MC		 1409{
1410 if (s->options & SSL_OP_NO_COMPRESSION)
1411 return 0;
1412 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1413}
4fa52141 1414
068c358a 1415static int version_cmp(const SSL *s, int a, int b)
4fa52141
VD		 1416{
1417 int dtls = SSL_IS_DTLS(s);
1418
1419 if (a == b)
1420 return 0;
1421 if (!dtls)
1422 return a < b ? -1 : 1;
1423 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1424}
1425
1426typedef struct {
1427 int version;
a230b26e
EK		 1428 const SSL_METHOD *(*cmeth) (void);
1429 const SSL_METHOD *(*smeth) (void);
4fa52141
VD		 1430} version_info;
1431
5c587fb6 1432#if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
582a17d6 1433# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
4fa52141
VD		 1434#endif
1435
f7f2a01d 1436/* Must be in order high to low */
4fa52141 1437static const version_info tls_version_table[] = {
582a17d6
MC		 1438#ifndef OPENSSL_NO_TLS1_3
1439 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1440#else
1441 {TLS1_3_VERSION, NULL, NULL},
1442#endif
6b01bed2 1443#ifndef OPENSSL_NO_TLS1_2
a230b26e 1444 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
6b01bed2 1445#else
a230b26e 1446 {TLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1447#endif
1448#ifndef OPENSSL_NO_TLS1_1
a230b26e 1449 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
6b01bed2 1450#else
a230b26e 1451 {TLS1_1_VERSION, NULL, NULL},
6b01bed2
VD		 1452#endif
1453#ifndef OPENSSL_NO_TLS1
a230b26e 1454 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
6b01bed2 1455#else
a230b26e 1456 {TLS1_VERSION, NULL, NULL},
6b01bed2 1457#endif
4fa52141 1458#ifndef OPENSSL_NO_SSL3
a230b26e 1459 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
6b01bed2 1460#else
a230b26e 1461 {SSL3_VERSION, NULL, NULL},
4fa52141 1462#endif
a230b26e 1463 {0, NULL, NULL},
4fa52141
VD		 1464};
1465
5c587fb6 1466#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
4fa52141
VD		 1467# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1468#endif
1469
f7f2a01d 1470/* Must be in order high to low */
4fa52141 1471static const version_info dtls_version_table[] = {
6b01bed2 1472#ifndef OPENSSL_NO_DTLS1_2
a230b26e 1473 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
6b01bed2 1474#else
a230b26e 1475 {DTLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1476#endif
1477#ifndef OPENSSL_NO_DTLS1
a230b26e
EK		 1478 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1479 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
6b01bed2 1480#else
a230b26e
EK		 1481 {DTLS1_VERSION, NULL, NULL},
1482 {DTLS1_BAD_VER, NULL, NULL},
6b01bed2 1483#endif
a230b26e 1484 {0, NULL, NULL},
4fa52141
VD		 1485};
1486
1487/*
1488 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1489 *
1490 * @s: The SSL handle for the candidate method
1491 * @method: the intended method.
1492 *
1493 * Returns 0 on success, or an SSL error reason on failure.
1494 */
068c358a 1495static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
4fa52141
VD		 1496{
1497 int version = method->version;
1498
1499 if ((s->min_proto_version != 0 &&
1500 version_cmp(s, version, s->min_proto_version) < 0) ||
1501 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1502 return SSL_R_VERSION_TOO_LOW;
1503
1504 if (s->max_proto_version != 0 &&
a230b26e 1505 version_cmp(s, version, s->max_proto_version) > 0)
4fa52141
VD		 1506 return SSL_R_VERSION_TOO_HIGH;
1507
1508 if ((s->options & method->mask) != 0)
1509 return SSL_R_UNSUPPORTED_PROTOCOL;
1510 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1511 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
4fa52141
VD		 1512
1513 return 0;
1514}
1515
baa45c3e
MC		 1516/*
1517 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
cd3b53b8
MC		 1518 * certificate type, or has PSK or a certificate callback configured. Otherwise
1519 * returns 0.
baa45c3e
MC		 1520 */
1521static int is_tls13_capable(const SSL *s)
1522{
65d2c16c
MC		 1523 int i;
1524#ifndef OPENSSL_NO_EC
1525 int curve;
65d2c16c 1526#endif
baa45c3e 1527
d162340d
MC		 1528#ifndef OPENSSL_NO_PSK
1529 if (s->psk_server_callback != NULL)
1530 return 1;
1531#endif
1532
cd3b53b8 1533 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
baa45c3e
MC		 1534 return 1;
1535
1536 for (i = 0; i < SSL_PKEY_NUM; i++) {
1537 /* Skip over certs disallowed for TLSv1.3 */
1538 switch (i) {
1539 case SSL_PKEY_DSA_SIGN:
1540 case SSL_PKEY_GOST01:
1541 case SSL_PKEY_GOST12_256:
1542 case SSL_PKEY_GOST12_512:
1543 continue;
1544 default:
1545 break;
1546 }
de4dc598
MC		 1547 if (!ssl_has_cert(s, i))
1548 continue;
65d2c16c 1549#ifndef OPENSSL_NO_EC
de4dc598
MC		 1550 if (i != SSL_PKEY_ECC)
1551 return 1;
1552 /*
1553 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1554 * more restrictive so check that our sig algs are consistent with this
1555 * EC cert. See section 4.2.3 of RFC8446.
1556 */
c2041da8
RL		 1557 curve = evp_pkey_get_EC_KEY_curve_nid(s->cert->pkeys[SSL_PKEY_ECC]
1558 .privatekey);
de4dc598 1559 if (tls_check_sigalg_curve(s, curve))
baa45c3e 1560 return 1;
65d2c16c
MC		 1561#else
1562 return 1;
1563#endif
baa45c3e
MC		 1564 }
1565
1566 return 0;
1567}
1568
ccae4a15
FI		 1569/*
1570 * ssl_version_supported - Check that the specified `version` is supported by
1571 * `SSL *` instance
1572 *
1573 * @s: The SSL handle for the candidate method
1574 * @version: Protocol version to test against
1575 *
1576 * Returns 1 when supported, otherwise 0
1577 */
4fd12788 1578int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
ccae4a15
FI		 1579{
1580 const version_info *vent;
1581 const version_info *table;
1582
1583 switch (s->method->version) {
1584 default:
1585 /* Version should match method version for non-ANY method */
1586 return version_cmp(s, version, s->version) == 0;
1587 case TLS_ANY_VERSION:
1588 table = tls_version_table;
1589 break;
1590 case DTLS_ANY_VERSION:
1591 table = dtls_version_table;
1592 break;
1593 }
1594
1595 for (vent = table;
1596 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1597 ++vent) {
baa45c3e
MC		 1598 if (vent->cmeth != NULL
1599 && version_cmp(s, version, vent->version) == 0
1600 && ssl_method_error(s, vent->cmeth()) == 0
1601 && (!s->server
1602 || version != TLS1_3_VERSION
1603 || is_tls13_capable(s))) {
4fd12788
MC		 1604 if (meth != NULL)
1605 *meth = vent->cmeth();
ccae4a15
FI		 1606 return 1;
1607 }
1608 }
1609 return 0;
1610}
1611
4fa52141
VD		 1612/*
1613 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1614 * fallback indication from a client check whether we're using the highest
1615 * supported protocol version.
1616 *
1617 * @s server SSL handle.
1618 *
1619 * Returns 1 when using the highest enabled version, 0 otherwise.
1620 */
1621int ssl_check_version_downgrade(SSL *s)
1622{
1623 const version_info *vent;
1624 const version_info *table;
1625
1626 /*
1627 * Check that the current protocol is the highest enabled version
1628 * (according to s->ctx->method, as version negotiation may have changed
1629 * s->method).
1630 */
1631 if (s->version == s->ctx->method->version)
1632 return 1;
1633
1634 /*
1635 * Apparently we're using a version-flexible SSL_METHOD (not at its
1636 * highest protocol version).
1637 */
1638 if (s->ctx->method->version == TLS_method()->version)
1639 table = tls_version_table;
1640 else if (s->ctx->method->version == DTLS_method()->version)
1641 table = dtls_version_table;
1642 else {
1643 /* Unexpected state; fail closed. */
1644 return 0;
1645 }
1646
1647 for (vent = table; vent->version != 0; ++vent) {
a230b26e 1648 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
4fa52141
VD		 1649 return s->version == vent->version;
1650 }
1651 return 0;
1652}
1653
1654/*
1655 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1656 * protocols, provided the initial (D)TLS method is version-flexible. This
1657 * function sanity-checks the proposed value and makes sure the method is
1658 * version-flexible, then sets the limit if all is well.
1659 *
1660 * @method_version: The version of the current SSL_METHOD.
1661 * @version: the intended limit.
1662 * @bound: pointer to limit to be updated.
1663 *
1664 * Returns 1 on success, 0 on failure.
1665 */
1666int ssl_set_version_bound(int method_version, int version, int *bound)
1667{
77174598
VD		 1668 int valid_tls;
1669 int valid_dtls;
1670
869e978c
KR		 1671 if (version == 0) {
1672 *bound = version;
1673 return 1;
1674 }
1675
77174598
VD		 1676 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1677 valid_dtls =
1678 DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1679 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1680
1681 if (!valid_tls && !valid_dtls)
1682 return 0;
1683
4fa52141
VD		 1684 /*-
1685 * Restrict TLS methods to TLS protocol versions.
1686 * Restrict DTLS methods to DTLS protocol versions.
1687 * Note, DTLS version numbers are decreasing, use comparison macros.
1688 *
1689 * Note that for both lower-bounds we use explicit versions, not
1690 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1691 * configurations. If the MIN (supported) version ever rises, the user's
1692 * "floor" remains valid even if no longer available. We don't expect the
1693 * MAX ceiling to ever get lower, so making that variable makes sense.
77174598
VD		 1694 *
1695 * We ignore attempts to set bounds on version-inflexible methods,
1696 * returning success.
4fa52141
VD		 1697 */
1698 switch (method_version) {
1699 default:
77174598 1700 break;
4fa52141
VD		 1701
1702 case TLS_ANY_VERSION:
77174598
VD		 1703 if (valid_tls)
1704 *bound = version;
4fa52141
VD		 1705 break;
1706
1707 case DTLS_ANY_VERSION:
77174598
VD		 1708 if (valid_dtls)
1709 *bound = version;
4fa52141
VD		 1710 break;
1711 }
4fa52141
VD		 1712 return 1;
1713}
1714
f7f2a01d
MC		 1715static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1716{
1717 if (vers == TLS1_2_VERSION
4fd12788 1718 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
f7f2a01d 1719 *dgrd = DOWNGRADE_TO_1_2;
5627f9f2
MC		 1720 } else if (!SSL_IS_DTLS(s)
1721 && vers < TLS1_2_VERSION
1722 /*
1723 * We need to ensure that a server that disables TLSv1.2
1724 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1725 * complete handshakes with clients that support TLSv1.2 and
1726 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1727 * enabled and TLSv1.2 is not.
1728 */
1729 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
f7f2a01d
MC		 1730 *dgrd = DOWNGRADE_TO_1_1;
1731 } else {
1732 *dgrd = DOWNGRADE_NONE;
1733 }
1734}
1735
4fa52141
VD		 1736/*
1737 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1738 * client HELLO is received to select the final server protocol version and
1739 * the version specific method.
1740 *
1741 * @s: server SSL handle.
1742 *
1743 * Returns 0 on success or an SSL error reason number on failure.
1744 */
f7f2a01d 1745int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
4fa52141
VD		 1746{
1747 /*-
1748 * With version-flexible methods we have an initial state with:
1749 *
1750 * s->method->version == (D)TLS_ANY_VERSION,
5c587fb6 1751 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
4fa52141
VD		 1752 *
1753 * So we detect version-flexible methods via the method version, not the
1754 * handle version.
1755 */
1756 int server_version = s->method->version;
df7ce507 1757 int client_version = hello->legacy_version;
4fa52141
VD		 1758 const version_info *vent;
1759 const version_info *table;
1760 int disabled = 0;
cd998837 1761 RAW_EXTENSION *suppversions;
4fa52141 1762
1ab3836b
MC		 1763 s->client_version = client_version;
1764
4fa52141
VD		 1765 switch (server_version) {
1766 default:
7d061fce
MC		 1767 if (!SSL_IS_TLS13(s)) {
1768 if (version_cmp(s, client_version, s->version) < 0)
1769 return SSL_R_WRONG_SSL_VERSION;
f7f2a01d 1770 *dgrd = DOWNGRADE_NONE;
7d061fce
MC		 1771 /*
1772 * If this SSL handle is not from a version flexible method we don't
1773 * (and never did) check min/max FIPS or Suite B constraints. Hope
1774 * that's OK. It is up to the caller to not choose fixed protocol
1775 * versions they don't want. If not, then easy to fix, just return
1776 * ssl_method_error(s, s->method)
1777 */
1778 return 0;
1779 }
d2f42576 1780 /*
7d061fce
MC		 1781 * Fall through if we are TLSv1.3 already (this means we must be after
1782 * a HelloRetryRequest
4fa52141 1783 */
018fcbec 1784 /* fall thru */
4fa52141
VD		 1785 case TLS_ANY_VERSION:
1786 table = tls_version_table;
1787 break;
1788 case DTLS_ANY_VERSION:
1789 table = dtls_version_table;
1790 break;
1791 }
1792
70af3d8e 1793 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
cd998837 1794
6f40214f 1795 /* If we did an HRR then supported versions is mandatory */
fc7129dc 1796 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
6f40214f
MC		 1797 return SSL_R_UNSUPPORTED_PROTOCOL;
1798
70af3d8e 1799 if (suppversions->present && !SSL_IS_DTLS(s)) {
cd998837
MC		 1800 unsigned int candidate_vers = 0;
1801 unsigned int best_vers = 0;
1802 const SSL_METHOD *best_method = NULL;
1803 PACKET versionslist;
1804
6b473aca
MC		 1805 suppversions->parsed = 1;
1806
16bce0e0 1807 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
cd998837
MC		 1808 /* Trailing or invalid data? */
1809 return SSL_R_LENGTH_MISMATCH;
1810 }
1811
d8434cf8
MC		 1812 /*
1813 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1814 * The spec only requires servers to check that it isn't SSLv3:
1815 * "Any endpoint receiving a Hello message with
1816 * ClientHello.legacy_version or ServerHello.legacy_version set to
1817 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1818 * We are slightly stricter and require that it isn't SSLv3 or lower.
1819 * We tolerate TLSv1 and TLSv1.1.
1820 */
1821 if (client_version <= SSL3_VERSION)
1822 return SSL_R_BAD_LEGACY_VERSION;
1823
cd998837 1824 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
cd998837
MC		 1825 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1826 continue;
4fd12788
MC		 1827 if (ssl_version_supported(s, candidate_vers, &best_method))
1828 best_vers = candidate_vers;
cd998837
MC		 1829 }
1830 if (PACKET_remaining(&versionslist) != 0) {
1831 /* Trailing data? */
1832 return SSL_R_LENGTH_MISMATCH;
1833 }
1834
1835 if (best_vers > 0) {
fc7129dc 1836 if (s->hello_retry_request != SSL_HRR_NONE) {
7d061fce 1837 /*
6f40214f
MC		 1838 * This is after a HelloRetryRequest so we better check that we
1839 * negotiated TLSv1.3
7d061fce
MC		 1840 */
1841 if (best_vers != TLS1_3_VERSION)
1842 return SSL_R_UNSUPPORTED_PROTOCOL;
1843 return 0;
1844 }
f7f2a01d 1845 check_for_downgrade(s, best_vers, dgrd);
cd998837
MC		 1846 s->version = best_vers;
1847 s->method = best_method;
1848 return 0;
1849 }
1850 return SSL_R_UNSUPPORTED_PROTOCOL;
1851 }
1852
1853 /*
1854 * If the supported versions extension isn't present, then the highest
1855 * version we can negotiate is TLSv1.2
1856 */
1857 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1858 client_version = TLS1_2_VERSION;
1859
1860 /*
1861 * No supported versions extension, so we just use the version supplied in
1862 * the ClientHello.
1863 */
4fa52141
VD		 1864 for (vent = table; vent->version != 0; ++vent) {
1865 const SSL_METHOD *method;
1866
1867 if (vent->smeth == NULL ||
1868 version_cmp(s, client_version, vent->version) < 0)
1869 continue;
1870 method = vent->smeth();
1871 if (ssl_method_error(s, method) == 0) {
f7f2a01d 1872 check_for_downgrade(s, vent->version, dgrd);
4fa52141
VD		 1873 s->version = vent->version;
1874 s->method = method;
1875 return 0;
1876 }
1877 disabled = 1;
1878 }
1879 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1880}
1881
1882/*
1883 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1884 * server HELLO is received to select the final client protocol version and
1885 * the version specific method.
1886 *
1887 * @s: client SSL handle.
1888 * @version: The proposed version from the server's HELLO.
88050dd1 1889 * @extensions: The extensions received
4fa52141 1890 *
29bfd5b7 1891 * Returns 1 on success or 0 on error.
4fa52141 1892 */
88050dd1 1893int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
4fa52141
VD		 1894{
1895 const version_info *vent;
1896 const version_info *table;
b5b993b2 1897 int ret, ver_min, ver_max, real_max, origv;
4fa52141 1898
88050dd1
MC		 1899 origv = s->version;
1900 s->version = version;
b97667ce 1901
88050dd1
MC		 1902 /* This will overwrite s->version if the extension is present */
1903 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1904 SSL_EXT_TLS1_2_SERVER_HELLO
1905 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1906 NULL, 0)) {
1907 s->version = origv;
1908 return 0;
1909 }
1910
fc7129dc
MC		 1911 if (s->hello_retry_request != SSL_HRR_NONE
1912 && s->version != TLS1_3_VERSION) {
88050dd1 1913 s->version = origv;
c48ffbcc 1914 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
29bfd5b7 1915 return 0;
c3043dcd
MC		 1916 }
1917
4fa52141
VD		 1918 switch (s->method->version) {
1919 default:
88050dd1
MC		 1920 if (s->version != s->method->version) {
1921 s->version = origv;
c48ffbcc 1922 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
29bfd5b7 1923 return 0;
c3043dcd 1924 }
4fa52141
VD		 1925 /*
1926 * If this SSL handle is not from a version flexible method we don't
1927 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1928 * that's OK. It is up to the caller to not choose fixed protocol
1929 * versions they don't want. If not, then easy to fix, just return
1930 * ssl_method_error(s, s->method)
1931 */
29bfd5b7 1932 return 1;
4fa52141
VD		 1933 case TLS_ANY_VERSION:
1934 table = tls_version_table;
1935 break;
1936 case DTLS_ANY_VERSION:
1937 table = dtls_version_table;
1938 break;
1939 }
1940
b5b993b2
MC		 1941 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1942 if (ret != 0) {
1943 s->version = origv;
c48ffbcc 1944 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
b5b993b2
MC		 1945 return 0;
1946 }
1947 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1948 : s->version < ver_min) {
1949 s->version = origv;
c48ffbcc 1950 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
b5b993b2
MC		 1951 return 0;
1952 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1953 : s->version > ver_max) {
1954 s->version = origv;
c48ffbcc 1955 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
b5b993b2
MC		 1956 return 0;
1957 }
5df22060 1958
b5b993b2
MC		 1959 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1960 real_max = ver_max;
c3043dcd 1961
b5b993b2
MC		 1962 /* Check for downgrades */
1963 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1964 if (memcmp(tls12downgrade,
555cbb32 1965 s->s3.server_random + SSL3_RANDOM_SIZE
b5b993b2
MC		 1966 - sizeof(tls12downgrade),
1967 sizeof(tls12downgrade)) == 0) {
1968 s->version = origv;
1969 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
b5b993b2
MC		 1970 SSL_R_INAPPROPRIATE_FALLBACK);
1971 return 0;
1972 }
1973 } else if (!SSL_IS_DTLS(s)
1974 && s->version < TLS1_2_VERSION
1975 && real_max > s->version) {
1976 if (memcmp(tls11downgrade,
555cbb32 1977 s->s3.server_random + SSL3_RANDOM_SIZE
b5b993b2
MC		 1978 - sizeof(tls11downgrade),
1979 sizeof(tls11downgrade)) == 0) {
1980 s->version = origv;
1981 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
b5b993b2
MC		 1982 SSL_R_INAPPROPRIATE_FALLBACK);
1983 return 0;
c3043dcd 1984 }
b5b993b2 1985 }
c3043dcd 1986
b5b993b2
MC		 1987 for (vent = table; vent->version != 0; ++vent) {
1988 if (vent->cmeth == NULL || s->version != vent->version)
c3043dcd
MC		 1989 continue;
1990
b5b993b2 1991 s->method = vent->cmeth();
29bfd5b7 1992 return 1;
4fa52141
VD		 1993 }
1994
88050dd1 1995 s->version = origv;
c48ffbcc 1996 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
29bfd5b7 1997 return 0;
4fa52141
VD		 1998}
1999
068c358a 2000/*
38a73150 2001 * ssl_get_min_max_version - get minimum and maximum protocol version
068c358a
KR		 2002 * @s: The SSL connection
2003 * @min_version: The minimum supported version
2004 * @max_version: The maximum supported version
b5b993b2
MC		 2005 * @real_max: The highest version below the lowest compile time version hole
2006 * where that hole lies above at least one run-time enabled
2007 * protocol.
068c358a
KR		 2008 *
2009 * Work out what version we should be using for the initial ClientHello if the
2010 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2011 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
b53338cb 2012 * constraints and any floor imposed by the security level here,
068c358a 2013 * so we don't advertise the wrong protocol version to only reject the outcome later.
4fa52141 2014 *
0485d540 2015 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
4fa52141
VD		 2016 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2017 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2018 *
068c358a
KR		 2019 * Returns 0 on success or an SSL error reason number on failure. On failure
2020 * min_version and max_version will also be set to 0.
4fa52141 2021 */
b5b993b2
MC		 2022int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2023 int *real_max)
4fa52141 2024{
b5b993b2 2025 int version, tmp_real_max;
4fa52141
VD		 2026 int hole;
2027 const SSL_METHOD *single = NULL;
2028 const SSL_METHOD *method;
2029 const version_info *table;
2030 const version_info *vent;
2031
2032 switch (s->method->version) {
2033 default:
2034 /*
2035 * If this SSL handle is not from a version flexible method we don't
2036 * (and never did) check min/max FIPS or Suite B constraints. Hope
2037 * that's OK. It is up to the caller to not choose fixed protocol
2038 * versions they don't want. If not, then easy to fix, just return
2039 * ssl_method_error(s, s->method)
2040 */
068c358a 2041 *min_version = *max_version = s->version;
b5b993b2
MC		 2042 /*
2043 * Providing a real_max only makes sense where we're using a version
2044 * flexible method.
2045 */
2046 if (!ossl_assert(real_max == NULL))
2047 return ERR_R_INTERNAL_ERROR;
4fa52141
VD		 2048 return 0;
2049 case TLS_ANY_VERSION:
2050 table = tls_version_table;
2051 break;
2052 case DTLS_ANY_VERSION:
2053 table = dtls_version_table;
2054 break;
2055 }
2056
2057 /*
2058 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2059 * below X enabled. This is required in order to maintain the "version
2060 * capability" vector contiguous. Any versions with a NULL client method
2061 * (protocol version client is disabled at compile-time) is also a "hole".
2062 *
2063 * Our initial state is hole == 1, version == 0. That is, versions above
2064 * the first version in the method table are disabled (a "hole" above
2065 * the valid protocol entries) and we don't have a selected version yet.
2066 *
2067 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2068 * the selected version, and the method becomes a candidate "single"
2069 * method. We're no longer in a hole, so "hole" becomes 0.
2070 *
2071 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2072 * as we support a contiguous range of at least two methods. If we hit
2073 * a disabled method, then hole becomes true again, but nothing else
2074 * changes yet, because all the remaining methods may be disabled too.
2075 * If we again hit an enabled method after the new hole, it becomes
2076 * selected, as we start from scratch.
2077 */
068c358a 2078 *min_version = version = 0;
4fa52141 2079 hole = 1;
b5b993b2
MC		 2080 if (real_max != NULL)
2081 *real_max = 0;
2082 tmp_real_max = 0;
4fa52141
VD		 2083 for (vent = table; vent->version != 0; ++vent) {
2084 /*
2085 * A table entry with a NULL client method is still a hole in the
2086 * "version capability" vector.
2087 */
2088 if (vent->cmeth == NULL) {
2089 hole = 1;
b5b993b2 2090 tmp_real_max = 0;
4fa52141
VD		 2091 continue;
2092 }
2093 method = vent->cmeth();
b5b993b2
MC		 2094
2095 if (hole == 1 && tmp_real_max == 0)
2096 tmp_real_max = vent->version;
2097
4fa52141
VD		 2098 if (ssl_method_error(s, method) != 0) {
2099 hole = 1;
2100 } else if (!hole) {
2101 single = NULL;
068c358a 2102 *min_version = method->version;
4fa52141 2103 } else {
b5b993b2
MC		 2104 if (real_max != NULL && tmp_real_max != 0)
2105 *real_max = tmp_real_max;
4fa52141 2106 version = (single = method)->version;
068c358a 2107 *min_version = version;
4fa52141
VD		 2108 hole = 0;
2109 }
2110 }
2111
068c358a
KR		 2112 *max_version = version;
2113
4fa52141
VD		 2114 /* Fail if everything is disabled */
2115 if (version == 0)
2116 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2117
068c358a
KR		 2118 return 0;
2119}
2120
2121/*
2122 * ssl_set_client_hello_version - Work out what version we should be using for
7acb8b64 2123 * the initial ClientHello.legacy_version field.
068c358a
KR		 2124 *
2125 * @s: client SSL handle.
2126 *
2127 * Returns 0 on success or an SSL error reason number on failure.
2128 */
2129int ssl_set_client_hello_version(SSL *s)
2130{
3eb2aff4 2131 int ver_min, ver_max, ret;
068c358a 2132
447cc0ad
MC		 2133 /*
2134 * In a renegotiation we always send the same client_version that we sent
2135 * last time, regardless of which version we eventually negotiated.
2136 */
2137 if (!SSL_IS_FIRST_HANDSHAKE(s))
2138 return 0;
2139
b5b993b2 2140 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
068c358a
KR		 2141
2142 if (ret != 0)
2143 return ret;
2144
7acb8b64
MC		 2145 s->version = ver_max;
2146
2147 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2148 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2149 ver_max = TLS1_2_VERSION;
2150
2151 s->client_version = ver_max;
4fa52141
VD		 2152 return 0;
2153}
aff9929b
MC		 2154
2155/*
2156 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2157 * and |checkallow| is 1 then additionally check if the group is allowed to be
2158 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2159 * 1) or 0 otherwise.
2160 */
9e84a42d 2161int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
aff9929b
MC		 2162 size_t num_groups, int checkallow)
2163{
2164 size_t i;
2165
2166 if (groups == NULL || num_groups == 0)
2167 return 0;
2168
9e84a42d
DSH		 2169 for (i = 0; i < num_groups; i++) {
2170 uint16_t group = groups[i];
2171
2172 if (group_id == group
aff9929b 2173 && (!checkallow
dbc6268f 2174 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
0acee504 2175 return 1;
aff9929b
MC		 2176 }
2177 }
2178
0acee504 2179 return 0;
aff9929b 2180}
11c67eea
MC		 2181
2182/* Replace ClientHello1 in the transcript hash with a synthetic message */
43054d3d
MC		 2183int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2184 size_t hashlen, const unsigned char *hrr,
2185 size_t hrrlen)
11c67eea 2186{
43054d3d 2187 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
635b7d3f
MC		 2188 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2189
2190 memset(msghdr, 0, sizeof(msghdr));
11c67eea 2191
43054d3d
MC		 2192 if (hashval == NULL) {
2193 hashval = hashvaltmp;
2194 hashlen = 0;
2195 /* Get the hash of the initial ClientHello */
2196 if (!ssl3_digest_cached_records(s, 0)
2197 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2198 &hashlen)) {
2199 /* SSLfatal() already called */
2200 return 0;
2201 }
11c67eea
MC		 2202 }
2203
2204 /* Reinitialise the transcript hash */
f63a17d6
MC		 2205 if (!ssl3_init_finished_mac(s)) {
2206 /* SSLfatal() already called */
11c67eea 2207 return 0;
f63a17d6 2208 }
11c67eea
MC		 2209
2210 /* Inject the synthetic message_hash message */
635b7d3f 2211 msghdr[0] = SSL3_MT_MESSAGE_HASH;
3a63c0ed 2212 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
11c67eea
MC		 2213 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2214 || !ssl3_finish_mac(s, hashval, hashlen)) {
f63a17d6 2215 /* SSLfatal() already called */
11c67eea
MC		 2216 return 0;
2217 }
2218
43054d3d
MC		 2219 /*
2220 * Now re-inject the HRR and current message if appropriate (we just deleted
2221 * it when we reinitialised the transcript hash above). Only necessary after
2222 * receiving a ClientHello2 with a cookie.
2223 */
2224 if (hrr != NULL
2225 && (!ssl3_finish_mac(s, hrr, hrrlen)
2226 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
555cbb32 2227 s->s3.tmp.message_size
43054d3d
MC		 2228 + SSL3_HM_HEADER_LENGTH))) {
2229 /* SSLfatal() already called */
2230 return 0;
2231 }
2232
11c67eea
MC		 2233 return 1;
2234}
5d6cca05
DSH		 2235
2236static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2237{
2238 return X509_NAME_cmp(*a, *b);
2239}
2240
f63a17d6 2241int parse_ca_names(SSL *s, PACKET *pkt)
5d6cca05
DSH		 2242{
2243 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2244 X509_NAME *xn = NULL;
2245 PACKET cadns;
2246
2247 if (ca_sk == NULL) {
c48ffbcc 2248 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 2249 goto err;
5d6cca05
DSH		 2250 }
2251 /* get the CA RDNs */
2252 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
c48ffbcc 2253 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 2254 goto err;
5d6cca05
DSH		 2255 }
2256
2257 while (PACKET_remaining(&cadns)) {
2258 const unsigned char *namestart, *namebytes;
2259 unsigned int name_len;
2260
2261 if (!PACKET_get_net_2(&cadns, &name_len)
2262 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
c48ffbcc 2263 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 2264 goto err;
5d6cca05
DSH		 2265 }
2266
2267 namestart = namebytes;
2268 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
c48ffbcc 2269 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
f63a17d6 2270 goto err;
5d6cca05
DSH		 2271 }
2272 if (namebytes != (namestart + name_len)) {
c48ffbcc 2273 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
f63a17d6 2274 goto err;
5d6cca05
DSH		 2275 }
2276
2277 if (!sk_X509_NAME_push(ca_sk, xn)) {
c48ffbcc 2278 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
5d6cca05
DSH		 2279 goto err;
2280 }
2281 xn = NULL;
2282 }
2283
555cbb32
TS		 2284 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2285 s->s3.tmp.peer_ca_names = ca_sk;
5d6cca05
DSH		 2286
2287 return 1;
2288
5d6cca05
DSH		 2289 err:
2290 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2291 X509_NAME_free(xn);
2292 return 0;
2293}
2294
98732979 2295const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
5d6cca05 2296{
98732979 2297 const STACK_OF(X509_NAME) *ca_sk = NULL;;
5d6cca05 2298
98732979
MC		 2299 if (s->server) {
2300 ca_sk = SSL_get_client_CA_list(s);
2301 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2302 ca_sk = NULL;
2303 }
2304
2305 if (ca_sk == NULL)
2306 ca_sk = SSL_get0_CA_list(s);
2307
2308 return ca_sk;
2309}
2310
2311int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2312{
5d6cca05 2313 /* Start sub-packet for client CA list */
f63a17d6 2314 if (!WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 2315 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5d6cca05 2316 return 0;
f63a17d6 2317 }
5d6cca05 2318
90fc2c26 2319 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
5d6cca05
DSH		 2320 int i;
2321
2322 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2323 unsigned char *namebytes;
2324 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2325 int namelen;
2326
2327 if (name == NULL
2328 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2329 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2330 &namebytes)
2331 || i2d_X509_NAME(name, &namebytes) != namelen) {
c48ffbcc 2332 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5d6cca05
DSH		 2333 return 0;
2334 }
2335 }
2336 }
2337
f63a17d6 2338 if (!WPACKET_close(pkt)) {
c48ffbcc 2339 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5d6cca05 2340 return 0;
f63a17d6 2341 }
5d6cca05
DSH		 2342
2343 return 1;
2344}
72ceb6a6
DSH		 2345
2346/* Create a buffer containing data to be signed for server key exchange */
f63a17d6 2347size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
72ceb6a6
DSH		 2348 const void *param, size_t paramlen)
2349{
2350 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2351 unsigned char *tbs = OPENSSL_malloc(tbslen);
2352
f63a17d6 2353 if (tbs == NULL) {
c48ffbcc 2354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
72ceb6a6 2355 return 0;
f63a17d6 2356 }
555cbb32
TS		 2357 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2358 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
72ceb6a6
DSH		 2359
2360 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2361
2362 *ptbs = tbs;
2363 return tbslen;
2364}
9d75dce3
TS		 2365
2366/*
2367 * Saves the current handshake digest for Post-Handshake Auth,
2368 * Done after ClientFinished is processed, done exactly once
2369 */
2370int tls13_save_handshake_digest_for_pha(SSL *s)
2371{
2372 if (s->pha_dgst == NULL) {
2373 if (!ssl3_digest_cached_records(s, 1))
2374 /* SSLfatal() already called */
2375 return 0;
2376
2377 s->pha_dgst = EVP_MD_CTX_new();
2378 if (s->pha_dgst == NULL) {
c48ffbcc 2379 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 2380 return 0;
2381 }
2382 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
555cbb32 2383 s->s3.handshake_dgst)) {
c48ffbcc 2384 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 2385 return 0;
2386 }
2387 }
2388 return 1;
2389}
2390
2391/*
2392 * Restores the Post-Handshake Auth handshake digest
2393 * Done just before sending/processing the Cert Request
2394 */
2395int tls13_restore_handshake_digest_for_pha(SSL *s)
2396{
2397 if (s->pha_dgst == NULL) {
c48ffbcc 2398 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 2399 return 0;
2400 }
555cbb32 2401 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
9d75dce3 2402 s->pha_dgst)) {
c48ffbcc 2403 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 2404 return 0;
2405 }
2406 return 1;
2407}
A mirror of the official openssl repository