]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/statem_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
EC_KEY: add EC_KEY_decoded_from_explicit_params()
[thirdparty/openssl.git] / ssl / statem / statem_lib.c
CommitLineData
846e33c7 1/*
33388b44 2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
aa8f3d76 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
3813046d 4 *
2c18d164 5 * Licensed under the Apache License 2.0 (the "License"). You may not use
846e33c7
RS		 6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
3813046d 9 */
846e33c7 10
48948d53 11#include <limits.h>
f2d9a32c 12#include <string.h>
d02b48c6 13#include <stdio.h>
706457b7
DMSP		 14#include "../ssl_local.h"
15#include "statem_local.h"
67dc995e 16#include "internal/cryptlib.h"
c2041da8 17#include "internal/evp.h"
ec577822 18#include <openssl/buffer.h>
ec577822
BM		 19#include <openssl/objects.h>
20#include <openssl/evp.h>
21#include <openssl/x509.h>
49b26f54 22#include <openssl/trace.h>
d02b48c6 23
c6d38183
RS		 24/*
25 * Map error codes to TLS/SSL alart types.
26 */
27typedef struct x509err2alert_st {
28 int x509err;
29 int alert;
30} X509ERR2ALERT;
31
597c51bc
MC		 32/* Fixed value used in the ServerHello random field to identify an HRR */
33const unsigned char hrrrandom[] = {
34 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37};
38
0f113f3e
MC		 39/*
40 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41 * SSL3_RT_CHANGE_CIPHER_SPEC)
42 */
e7ecc7d4 43int ssl3_do_write(SSL *s, int type)
0f113f3e
MC		 44{
45 int ret;
7ee8627f 46 size_t written = 0;
0f113f3e
MC		 47
48 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
7ee8627f 49 s->init_num, &written);
0f113f3e 50 if (ret < 0)
26a7d938 51 return -1;
0f113f3e
MC		 52 if (type == SSL3_RT_HANDSHAKE)
53 /*
54 * should not be done for 'Hello Request's, but in that case we'll
55 * ignore the result anyway
9d75dce3 56 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
0f113f3e 57 */
9d75dce3
TS		 58 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
59 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
60 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
61 if (!ssl3_finish_mac(s,
62 (unsigned char *)&s->init_buf->data[s->init_off],
63 written))
64 return -1;
7ee8627f 65 if (written == s->init_num) {
0f113f3e
MC		 66 if (s->msg_callback)
67 s->msg_callback(1, s->version, type, s->init_buf->data,
68 (size_t)(s->init_off + s->init_num), s,
69 s->msg_callback_arg);
208fb891 70 return 1;
0f113f3e 71 }
7ee8627f
MC		 72 s->init_off += written;
73 s->init_num -= written;
26a7d938 74 return 0;
0f113f3e 75}
e7ecc7d4 76
4a01c59f 77int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
2c7b4dbc
MC		 78{
79 size_t msglen;
80
4a01c59f 81 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
f1ec23c0 82 || !WPACKET_get_length(pkt, &msglen)
7cea05dc 83 || msglen > INT_MAX)
2c7b4dbc
MC		 84 return 0;
85 s->init_num = (int)msglen;
86 s->init_off = 0;
87
88 return 1;
89}
90
1f5b44e9
MC		 91int tls_setup_handshake(SSL *s)
92{
8e32ea63
MC		 93 int ver_min, ver_max, ok;
94
f63a17d6
MC		 95 if (!ssl3_init_finished_mac(s)) {
96 /* SSLfatal() already called */
c7f47786 97 return 0;
f63a17d6 98 }
c7f47786 99
b186a592
MC		 100 /* Reset any extension flags */
101 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
102
8e32ea63
MC		 103 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
104 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
105 ERR_R_INTERNAL_ERROR);
106 return 0;
107 }
108
109 /* Sanity check that we have MD5-SHA1 if we need it */
110 if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
111 int md5sha1_needed = 0;
112
113 /* We don't have MD5-SHA1 - do we need it? */
114 if (SSL_IS_DTLS(s)) {
115 if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
116 md5sha1_needed = 1;
117 } else {
118 if (ver_max <= TLS1_1_VERSION)
119 md5sha1_needed = 1;
120 }
121 if (md5sha1_needed) {
122 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
123 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM);
124 ERR_add_error_data(1, "The max supported SSL/TLS version needs the"
125 " MD5-SHA1 digest but it is not available"
126 " in the loaded providers. Use (D)TLSv1.2 or"
127 " above, or load different providers");
128 return 0;
129 }
130
131 ok = 1;
132 /* Don't allow TLSv1.1 or below to be negotiated */
133 if (SSL_IS_DTLS(s)) {
134 if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
135 ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION);
136 } else {
137 if (ver_min < TLS1_2_VERSION)
138 ok = SSL_set_min_proto_version(s, TLS1_2_VERSION);
139 }
140 if (!ok) {
141 /* Shouldn't happen */
142 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
143 ERR_R_INTERNAL_ERROR);
144 return 0;
145 }
146 }
147
148 ok = 0;
c7f47786 149 if (s->server) {
38a73150 150 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
8e32ea63 151 int i;
38a73150
MC		 152
153 /*
154 * Sanity check that the maximum version we accept has ciphers
155 * enabled. For clients we do this check during construction of the
156 * ClientHello.
157 */
38a73150
MC		 158 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
159 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
160
161 if (SSL_IS_DTLS(s)) {
162 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
163 DTLS_VERSION_LE(ver_max, c->max_dtls))
164 ok = 1;
165 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
166 ok = 1;
167 }
168 if (ok)
169 break;
170 }
171 if (!ok) {
4752c5de
MC		 172 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
173 SSL_R_NO_CIPHERS_AVAILABLE);
38a73150
MC		 174 ERR_add_error_data(1, "No ciphers enabled for max supported "
175 "SSL/TLS version");
38a73150
MC		 176 return 0;
177 }
c7f47786 178 if (SSL_IS_FIRST_HANDSHAKE(s)) {
0e6161bc 179 /* N.B. s->session_ctx == s->ctx here */
9ef9088c 180 tsan_counter(&s->session_ctx->stats.sess_accept);
c7f47786 181 } else {
0e6161bc 182 /* N.B. s->ctx may not equal s->session_ctx */
9ef9088c 183 tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
c7f47786 184
555cbb32 185 s->s3.tmp.cert_request = 0;
c7f47786
MC		 186 }
187 } else {
188 if (SSL_IS_FIRST_HANDSHAKE(s))
9ef9088c 189 tsan_counter(&s->session_ctx->stats.sess_connect);
c7f47786 190 else
9ef9088c 191 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
c7f47786
MC		 192
193 /* mark client_random uninitialized */
555cbb32 194 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
c7f47786
MC		 195 s->hit = 0;
196
555cbb32 197 s->s3.tmp.cert_req = 0;
c7f47786 198
1f5b44e9 199 if (SSL_IS_DTLS(s))
c7f47786 200 s->statem.use_timer = 1;
c7f47786
MC		 201 }
202
203 return 1;
204}
205
2c5dfdc3
MC		 206/*
207 * Size of the to-be-signed TLS13 data, without the hash size itself:
208 * 64 bytes of value 32, 33 context bytes, 1 byte separator
209 */
210#define TLS13_TBS_START_SIZE 64
211#define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
212
213static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
214 void **hdata, size_t *hdatalen)
215{
48102247 216#ifdef CHARSET_EBCDIC
99435164 217 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
48102247 218 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
219 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
220 0x69, 0x66, 0x79, 0x00 };
99435164 221 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
48102247 222 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
223 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
224 0x69, 0x66, 0x79, 0x00 };
225#else
99435164
AV		 226 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
227 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
48102247 228#endif
2c5dfdc3
MC		 229 if (SSL_IS_TLS13(s)) {
230 size_t hashlen;
231
232 /* Set the first 64 bytes of to-be-signed data to octet 32 */
233 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
234 /* This copies the 33 bytes of context plus the 0 separator byte */
235 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
236 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
237 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
238 else
239 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
240
241 /*
242 * If we're currently reading then we need to use the saved handshake
243 * hash value. We can't use the current handshake hash state because
244 * that includes the CertVerify itself.
245 */
246 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
247 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
248 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
249 s->cert_verify_hash_len);
250 hashlen = s->cert_verify_hash_len;
251 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
252 EVP_MAX_MD_SIZE, &hashlen)) {
f63a17d6 253 /* SSLfatal() already called */
2c5dfdc3
MC		 254 return 0;
255 }
256
257 *hdata = tls13tbs;
258 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
259 } else {
260 size_t retlen;
60690b5b 261 long retlen_l;
2c5dfdc3 262
555cbb32 263 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
60690b5b 264 if (retlen_l <= 0) {
f63a17d6
MC		 265 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
266 ERR_R_INTERNAL_ERROR);
2c5dfdc3 267 return 0;
f63a17d6 268 }
2c5dfdc3
MC		 269 *hdatalen = retlen;
270 }
271
272 return 1;
273}
274
d8bc1399
MC		 275int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
276{
ad4dd362
DSH		 277 EVP_PKEY *pkey = NULL;
278 const EVP_MD *md = NULL;
d8bc1399 279 EVP_MD_CTX *mctx = NULL;
5f9b64a2
MC		 280 EVP_PKEY_CTX *pctx = NULL;
281 size_t hdatalen = 0, siglen = 0;
d8bc1399
MC		 282 void *hdata;
283 unsigned char *sig = NULL;
2c5dfdc3 284 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
555cbb32 285 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
2c5dfdc3 286
555cbb32 287 if (lu == NULL || s->s3.tmp.cert == NULL) {
d4d2f3a4
MC		 288 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
289 ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 290 goto err;
291 }
555cbb32 292 pkey = s->s3.tmp.cert->privatekey;
ad4dd362 293
c8f6c28a 294 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
d4d2f3a4
MC		 295 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
296 ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 297 goto err;
298 }
d8bc1399
MC		 299
300 mctx = EVP_MD_CTX_new();
301 if (mctx == NULL) {
d4d2f3a4
MC		 302 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
303 ERR_R_MALLOC_FAILURE);
d8bc1399
MC		 304 goto err;
305 }
d8bc1399 306
2c5dfdc3
MC		 307 /* Get the data to be signed */
308 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6 309 /* SSLfatal() already called */
d8bc1399
MC		 310 goto err;
311 }
312
ad4dd362 313 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
d4d2f3a4
MC		 314 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
315 ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 316 goto err;
317 }
5f9b64a2 318
0ab18e79
SL		 319 if (EVP_DigestSignInit_with_libctx(mctx, &pctx,
320 md == NULL ? NULL : EVP_MD_name(md),
321 s->ctx->libctx, s->ctx->propq,
322 pkey) <= 0) {
d4d2f3a4
MC		 323 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
324 ERR_R_EVP_LIB);
5f9b64a2
MC		 325 goto err;
326 }
327
ad4dd362 328 if (lu->sig == EVP_PKEY_RSA_PSS) {
5f9b64a2 329 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 330 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
331 RSA_PSS_SALTLEN_DIGEST) <= 0) {
d4d2f3a4
MC		 332 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
333 ERR_R_EVP_LIB);
5f9b64a2
MC		 334 goto err;
335 }
caf2b6b5
DSH		 336 }
337 if (s->version == SSL3_VERSION) {
bddbfae1
MC		 338 /*
339 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
340 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
341 */
caf2b6b5 342 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
83b4a243
SL		 343 /*
344 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
345 * with a call to ssl3_digest_master_key_set_params()
346 */
347 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
348 (int)s->session->master_key_length,
349 s->session->master_key) <= 0
bddbfae1 350 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
caf2b6b5 351
d4d2f3a4
MC		 352 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
353 ERR_R_EVP_LIB);
5f9b64a2
MC		 354 goto err;
355 }
bddbfae1
MC		 356 sig = OPENSSL_malloc(siglen);
357 if (sig == NULL
358 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
359 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
360 ERR_R_EVP_LIB);
361 goto err;
362 }
363 } else {
364 /*
365 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
366 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
367 */
368 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
369 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
370 ERR_R_EVP_LIB);
371 goto err;
372 }
373 sig = OPENSSL_malloc(siglen);
374 if (sig == NULL
375 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
376 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
377 ERR_R_EVP_LIB);
378 goto err;
379 }
d8bc1399 380 }
5f9b64a2 381
d8bc1399
MC		 382#ifndef OPENSSL_NO_GOST
383 {
ad4dd362
DSH		 384 int pktype = lu->sig;
385
d8bc1399
MC		 386 if (pktype == NID_id_GostR3410_2001
387 || pktype == NID_id_GostR3410_2012_256
388 || pktype == NID_id_GostR3410_2012_512)
5f9b64a2 389 BUF_reverse(sig, NULL, siglen);
d8bc1399
MC		 390 }
391#endif
392
5f9b64a2 393 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
d4d2f3a4
MC		 394 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
395 ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 396 goto err;
397 }
398
399 /* Digest cached records and discard handshake buffer */
d4d2f3a4
MC		 400 if (!ssl3_digest_cached_records(s, 0)) {
401 /* SSLfatal() already called */
d8bc1399 402 goto err;
d4d2f3a4 403 }
d8bc1399
MC		 404
405 OPENSSL_free(sig);
406 EVP_MD_CTX_free(mctx);
407 return 1;
408 err:
409 OPENSSL_free(sig);
410 EVP_MD_CTX_free(mctx);
d8bc1399
MC		 411 return 0;
412}
413
414MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
415{
416 EVP_PKEY *pkey = NULL;
703bcee0 417 const unsigned char *data;
d8bc1399
MC		 418#ifndef OPENSSL_NO_GOST
419 unsigned char *gost_data = NULL;
420#endif
eb5fd03b 421 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
dd24857b 422 int j;
d8bc1399
MC		 423 unsigned int len;
424 X509 *peer;
425 const EVP_MD *md = NULL;
2c5dfdc3 426 size_t hdatalen = 0;
d8bc1399 427 void *hdata;
2c5dfdc3 428 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
d8bc1399 429 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
5f9b64a2 430 EVP_PKEY_CTX *pctx = NULL;
d8bc1399
MC		 431
432 if (mctx == NULL) {
f63a17d6
MC		 433 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
434 ERR_R_MALLOC_FAILURE);
435 goto err;
d8bc1399
MC		 436 }
437
438 peer = s->session->peer;
439 pkey = X509_get0_pubkey(peer);
f63a17d6
MC		 440 if (pkey == NULL) {
441 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
442 ERR_R_INTERNAL_ERROR);
443 goto err;
444 }
83b4049a 445
dd24857b 446 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
f63a17d6
MC		 447 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
448 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
449 goto err;
d8bc1399
MC		 450 }
451
f464f9c0 452 if (SSL_USE_SIGALGS(s)) {
f464f9c0
PD		 453 unsigned int sigalg;
454
455 if (!PACKET_get_net_2(pkt, &sigalg)) {
f63a17d6
MC		 456 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
457 SSL_R_BAD_PACKET);
458 goto err;
f464f9c0 459 }
f63a17d6
MC		 460 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
461 /* SSLfatal() already called */
462 goto err;
f464f9c0 463 }
f464f9c0 464 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
f63a17d6
MC		 465 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
466 ERR_R_INTERNAL_ERROR);
467 goto err;
f464f9c0
PD		 468 }
469
c8f6c28a 470 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
f63a17d6
MC		 471 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
472 ERR_R_INTERNAL_ERROR);
473 goto err;
168067b6 474 }
f464f9c0 475
572fa024 476 if (SSL_USE_SIGALGS(s))
49b26f54
RL		 477 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
478 md == NULL ? "n/a" : EVP_MD_name(md));
572fa024 479
d8bc1399
MC		 480 /* Check for broken implementations of GOST ciphersuites */
481 /*
f464f9c0
PD		 482 * If key is GOST and len is exactly 64 or 128, it is signature without
483 * length field (CryptoPro implementations at least till TLS 1.2)
d8bc1399
MC		 484 */
485#ifndef OPENSSL_NO_GOST
f464f9c0
PD		 486 if (!SSL_USE_SIGALGS(s)
487 && ((PACKET_remaining(pkt) == 64
488 && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
489 || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
490 || (PACKET_remaining(pkt) == 128
491 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
492 len = PACKET_remaining(pkt);
d8bc1399
MC		 493 } else
494#endif
f464f9c0 495 if (!PACKET_get_net_2(pkt, &len)) {
f63a17d6
MC		 496 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
497 SSL_R_LENGTH_MISMATCH);
498 goto err;
d8bc1399 499 }
f464f9c0 500
d8bc1399 501 if (!PACKET_get_bytes(pkt, &data, len)) {
f63a17d6
MC		 502 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
503 SSL_R_LENGTH_MISMATCH);
504 goto err;
d8bc1399
MC		 505 }
506
2c5dfdc3 507 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6
MC		 508 /* SSLfatal() already called */
509 goto err;
d8bc1399
MC		 510 }
511
49b26f54
RL		 512 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
513 md == NULL ? "n/a" : EVP_MD_name(md));
514
0ab18e79
SL		 515 if (EVP_DigestVerifyInit_with_libctx(mctx, &pctx,
516 md == NULL ? NULL : EVP_MD_name(md),
517 s->ctx->libctx, s->ctx->propq,
518 pkey) <= 0) {
f63a17d6
MC		 519 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
520 ERR_R_EVP_LIB);
521 goto err;
d8bc1399
MC		 522 }
523#ifndef OPENSSL_NO_GOST
524 {
dc8da7b1 525 int pktype = EVP_PKEY_id(pkey);
d8bc1399
MC		 526 if (pktype == NID_id_GostR3410_2001
527 || pktype == NID_id_GostR3410_2012_256
528 || pktype == NID_id_GostR3410_2012_512) {
529 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
f63a17d6
MC		 530 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
531 SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
532 goto err;
d8bc1399
MC		 533 }
534 BUF_reverse(gost_data, data, len);
535 data = gost_data;
536 }
537 }
538#endif
539
5554facb 540 if (SSL_USE_PSS(s)) {
5f9b64a2 541 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 542 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
543 RSA_PSS_SALTLEN_DIGEST) <= 0) {
f63a17d6
MC		 544 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
545 ERR_R_EVP_LIB);
546 goto err;
5f9b64a2 547 }
d8bc1399 548 }
caf2b6b5 549 if (s->version == SSL3_VERSION) {
83b4a243
SL		 550 /*
551 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
552 * with a call to ssl3_digest_master_key_set_params()
553 */
caf2b6b5 554 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
83b4a243
SL		 555 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
556 (int)s->session->master_key_length,
557 s->session->master_key) <= 0) {
f63a17d6
MC		 558 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
559 ERR_R_EVP_LIB);
560 goto err;
caf2b6b5
DSH		 561 }
562 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
f63a17d6
MC		 563 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
564 SSL_R_BAD_SIGNATURE);
565 goto err;
caf2b6b5
DSH		 566 }
567 } else {
568 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
25ffeb11 569 if (j <= 0) {
f63a17d6
MC		 570 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
571 SSL_R_BAD_SIGNATURE);
572 goto err;
caf2b6b5 573 }
d8bc1399
MC		 574 }
575
e4562014
MC		 576 /*
577 * In TLSv1.3 on the client side we make sure we prepare the client
578 * certificate after the CertVerify instead of when we get the
579 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
580 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
8c2bfd25 581 * want to make sure that SSL_get1_peer_certificate() will return the actual
e4562014
MC		 582 * server certificate from the client_cert_cb callback.
583 */
555cbb32 584 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
e4562014
MC		 585 ret = MSG_PROCESS_CONTINUE_PROCESSING;
586 else
587 ret = MSG_PROCESS_CONTINUE_READING;
f63a17d6 588 err:
555cbb32
TS		 589 BIO_free(s->s3.handshake_buffer);
590 s->s3.handshake_buffer = NULL;
d8bc1399
MC		 591 EVP_MD_CTX_free(mctx);
592#ifndef OPENSSL_NO_GOST
593 OPENSSL_free(gost_data);
594#endif
595 return ret;
596}
597
229185e6 598int tls_construct_finished(SSL *s, WPACKET *pkt)
0f113f3e 599{
12472b45 600 size_t finish_md_len;
229185e6 601 const char *sender;
8b0e934a 602 size_t slen;
229185e6 603
f7e393be 604 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 605 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
f7e393be
MC		 606 s->statem.cleanuphand = 1;
607
608 /*
609 * We only change the keys if we didn't already do this when we sent the
610 * client certificate
611 */
612 if (SSL_IS_TLS13(s)
613 && !s->server
555cbb32 614 && s->s3.tmp.cert_req == 0
f7e393be 615 && (!s->method->ssl3_enc->change_cipher_state(s,
d4d2f3a4
MC		 616 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
617 /* SSLfatal() already called */
b43c3765 618 return 0;
f7e393be
MC		 619 }
620
229185e6
MC		 621 if (s->server) {
622 sender = s->method->ssl3_enc->server_finished_label;
623 slen = s->method->ssl3_enc->server_finished_label_len;
624 } else {
625 sender = s->method->ssl3_enc->client_finished_label;
626 slen = s->method->ssl3_enc->client_finished_label_len;
627 }
0f113f3e 628
12472b45
MC		 629 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
630 sender, slen,
555cbb32 631 s->s3.tmp.finish_md);
12472b45 632 if (finish_md_len == 0) {
d4d2f3a4
MC		 633 /* SSLfatal() already called */
634 return 0;
4f89bfbf
MC		 635 }
636
555cbb32 637 s->s3.tmp.finish_md_len = finish_md_len;
4f89bfbf 638
555cbb32 639 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
d4d2f3a4
MC		 640 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
641 ERR_R_INTERNAL_ERROR);
642 return 0;
4f89bfbf 643 }
0f113f3e 644
2c7bd692
CB		 645 /*
646 * Log the master secret, if logging is enabled. We don't log it for
647 * TLSv1.3: there's a different key schedule for that.
648 */
649 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
650 s->session->master_key,
380a522f 651 s->session->master_key_length)) {
d4d2f3a4
MC		 652 /* SSLfatal() already called */
653 return 0;
380a522f 654 }
2faa1b48 655
b9908bf9
MC		 656 /*
657 * Copy the finished so we can use it for renegotiation checks
658 */
380a522f 659 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
d4d2f3a4
MC		 660 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
661 ERR_R_INTERNAL_ERROR);
662 return 0;
380a522f 663 }
23a635c0 664 if (!s->server) {
555cbb32 665 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
12472b45 666 finish_md_len);
555cbb32 667 s->s3.previous_client_finished_len = finish_md_len;
b9908bf9 668 } else {
555cbb32 669 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
12472b45 670 finish_md_len);
555cbb32 671 s->s3.previous_server_finished_len = finish_md_len;
b9908bf9 672 }
0f113f3e 673
b9908bf9 674 return 1;
0f113f3e 675}
d02b48c6 676
44c04a2e
MC		 677int tls_construct_key_update(SSL *s, WPACKET *pkt)
678{
679 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
d4d2f3a4
MC		 680 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
681 ERR_R_INTERNAL_ERROR);
682 return 0;
44c04a2e
MC		 683 }
684
9412b3ad 685 s->key_update = SSL_KEY_UPDATE_NONE;
44c04a2e 686 return 1;
44c04a2e
MC		 687}
688
e1c3de44
MC		 689MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
690{
691 unsigned int updatetype;
692
524420d8
MC		 693 /*
694 * A KeyUpdate message signals a key change so the end of the message must
695 * be on a record boundary.
696 */
697 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
f63a17d6
MC		 698 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
699 SSL_R_NOT_ON_RECORD_BOUNDARY);
700 return MSG_PROCESS_ERROR;
524420d8
MC		 701 }
702
e1c3de44 703 if (!PACKET_get_1(pkt, &updatetype)
2d871227 704 || PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 705 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
706 SSL_R_BAD_KEY_UPDATE);
707 return MSG_PROCESS_ERROR;
e1c3de44
MC		 708 }
709
9010b7bc
MC		 710 /*
711 * There are only two defined key update types. Fail if we get a value we
712 * didn't recognise.
713 */
2d871227
MC		 714 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
715 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
f63a17d6
MC		 716 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
717 SSL_R_BAD_KEY_UPDATE);
718 return MSG_PROCESS_ERROR;
2d871227
MC		 719 }
720
5bf47933
MC		 721 /*
722 * If we get a request for us to update our sending keys too then, we need
723 * to additionally send a KeyUpdate message. However that message should
feb9e31c 724 * not also request an update (otherwise we get into an infinite loop).
5bf47933 725 */
feb9e31c 726 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
5bf47933
MC		 727 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
728
57389a32 729 if (!tls13_update_key(s, 0)) {
f63a17d6
MC		 730 /* SSLfatal() already called */
731 return MSG_PROCESS_ERROR;
57389a32
MC		 732 }
733
e1c3de44
MC		 734 return MSG_PROCESS_FINISHED_READING;
735}
736
0f113f3e
MC		 737/*
738 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
739 * to far.
740 */
5d671101 741int ssl3_take_mac(SSL *s)
0f113f3e
MC		 742{
743 const char *sender;
8b0e934a 744 size_t slen;
5d671101 745
49ae7423 746 if (!s->server) {
0f113f3e
MC		 747 sender = s->method->ssl3_enc->server_finished_label;
748 slen = s->method->ssl3_enc->server_finished_label_len;
749 } else {
750 sender = s->method->ssl3_enc->client_finished_label;
751 slen = s->method->ssl3_enc->client_finished_label_len;
752 }
753
555cbb32 754 s->s3.tmp.peer_finish_md_len =
5d671101 755 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
555cbb32 756 s->s3.tmp.peer_finish_md);
5d671101 757
555cbb32 758 if (s->s3.tmp.peer_finish_md_len == 0) {
5d671101
MC		 759 /* SSLfatal() already called */
760 return 0;
761 }
762
763 return 1;
0f113f3e 764}
ee2ffc27 765
be3583fa 766MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
b9908bf9 767{
348240c6 768 size_t remain;
4fa52141 769
73999b62 770 remain = PACKET_remaining(pkt);
657da85e
MC		 771 /*
772 * 'Change Cipher Spec' is just a single byte, which should already have
c69f2adf
MC		 773 * been consumed by ssl_get_message() so there should be no bytes left,
774 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
657da85e 775 */
c69f2adf 776 if (SSL_IS_DTLS(s)) {
73999b62 777 if ((s->version == DTLS1_BAD_VER
a230b26e
EK		 778 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
779 || (s->version != DTLS1_BAD_VER
780 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
f63a17d6
MC		 781 SSLfatal(s, SSL_AD_DECODE_ERROR,
782 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
783 SSL_R_BAD_CHANGE_CIPHER_SPEC);
784 return MSG_PROCESS_ERROR;
c69f2adf
MC		 785 }
786 } else {
73999b62 787 if (remain != 0) {
f63a17d6
MC		 788 SSLfatal(s, SSL_AD_DECODE_ERROR,
789 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
790 SSL_R_BAD_CHANGE_CIPHER_SPEC);
791 return MSG_PROCESS_ERROR;
c69f2adf 792 }
657da85e
MC		 793 }
794
795 /* Check we have a cipher to change to */
555cbb32 796 if (s->s3.tmp.new_cipher == NULL) {
f63a17d6
MC		 797 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
798 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
799 return MSG_PROCESS_ERROR;
657da85e
MC		 800 }
801
555cbb32 802 s->s3.change_cipher_spec = 1;
657da85e 803 if (!ssl3_do_change_cipher_spec(s)) {
f63a17d6
MC		 804 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
805 ERR_R_INTERNAL_ERROR);
806 return MSG_PROCESS_ERROR;
657da85e
MC		 807 }
808
c69f2adf
MC		 809 if (SSL_IS_DTLS(s)) {
810 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
811
812 if (s->version == DTLS1_BAD_VER)
813 s->d1->handshake_read_seq++;
814
815#ifndef OPENSSL_NO_SCTP
816 /*
817 * Remember that a CCS has been received, so that an old key of
818 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
819 * SCTP is used
820 */
821 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
822#endif
823 }
824
b9908bf9 825 return MSG_PROCESS_CONTINUE_READING;
657da85e
MC		 826}
827
be3583fa 828MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
b9908bf9 829{
12472b45 830 size_t md_len;
b9908bf9 831
d781d247
MC		 832
833 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 834 if (s->server) {
de9e884b
MC		 835 /*
836 * To get this far we must have read encrypted data from the client. We
837 * no longer tolerate unencrypted alerts. This value is ignored if less
838 * than TLSv1.3
839 */
840 s->statem.enc_read_state = ENC_READ_STATE_VALID;
9d75dce3
TS		 841 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
842 s->statem.cleanuphand = 1;
843 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
844 /* SSLfatal() already called */
845 return MSG_PROCESS_ERROR;
846 }
847 }
d781d247 848
524420d8
MC		 849 /*
850 * In TLSv1.3 a Finished message signals a key change so the end of the
851 * message must be on a record boundary.
852 */
853 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
f63a17d6
MC		 854 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
855 SSL_R_NOT_ON_RECORD_BOUNDARY);
856 return MSG_PROCESS_ERROR;
524420d8
MC		 857 }
858
0f113f3e 859 /* If this occurs, we have missed a message */
555cbb32 860 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
f63a17d6
MC		 861 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
862 SSL_R_GOT_A_FIN_BEFORE_A_CCS);
863 return MSG_PROCESS_ERROR;
0f113f3e 864 }
555cbb32 865 s->s3.change_cipher_spec = 0;
0f113f3e 866
555cbb32 867 md_len = s->s3.tmp.peer_finish_md_len;
0f113f3e 868
12472b45 869 if (md_len != PACKET_remaining(pkt)) {
f63a17d6
MC		 870 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
871 SSL_R_BAD_DIGEST_LENGTH);
872 return MSG_PROCESS_ERROR;
0f113f3e
MC		 873 }
874
555cbb32 875 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
12472b45 876 md_len) != 0) {
f63a17d6
MC		 877 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
878 SSL_R_DIGEST_CHECK_FAILED);
879 return MSG_PROCESS_ERROR;
0f113f3e
MC		 880 }
881
882 /*
883 * Copy the finished so we can use it for renegotiation checks
884 */
380a522f 885 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
f63a17d6
MC		 886 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
887 ERR_R_INTERNAL_ERROR);
888 return MSG_PROCESS_ERROR;
380a522f 889 }
23a635c0 890 if (s->server) {
555cbb32 891 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
12472b45 892 md_len);
555cbb32 893 s->s3.previous_client_finished_len = md_len;
0f113f3e 894 } else {
555cbb32 895 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
12472b45 896 md_len);
555cbb32 897 s->s3.previous_server_finished_len = md_len;
0f113f3e
MC		 898 }
899
7776a36c
MC		 900 /*
901 * In TLS1.3 we also have to change cipher state and do any final processing
902 * of the initial server flight (if we are a client)
903 */
92760c21
MC		 904 if (SSL_IS_TLS13(s)) {
905 if (s->server) {
9d75dce3
TS		 906 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
907 !s->method->ssl3_enc->change_cipher_state(s,
92760c21 908 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
f63a17d6
MC		 909 /* SSLfatal() already called */
910 return MSG_PROCESS_ERROR;
92760c21
MC		 911 }
912 } else {
d74014c4
BK		 913 /* TLS 1.3 gets the secret size from the handshake md */
914 size_t dummy;
92760c21 915 if (!s->method->ssl3_enc->generate_master_secret(s,
ec15acb6 916 s->master_secret, s->handshake_secret, 0,
d74014c4 917 &dummy)) {
f63a17d6
MC		 918 /* SSLfatal() already called */
919 return MSG_PROCESS_ERROR;
92760c21
MC		 920 }
921 if (!s->method->ssl3_enc->change_cipher_state(s,
922 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
f63a17d6
MC		 923 /* SSLfatal() already called */
924 return MSG_PROCESS_ERROR;
925 }
926 if (!tls_process_initial_server_flight(s)) {
927 /* SSLfatal() already called */
928 return MSG_PROCESS_ERROR;
92760c21
MC		 929 }
930 }
931 }
932
e6575156 933 return MSG_PROCESS_FINISHED_READING;
0f113f3e 934}
d02b48c6 935
7cea05dc 936int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
b9908bf9 937{
7cea05dc 938 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
d4d2f3a4
MC		 939 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
940 SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
85a7a5e6
MC		 941 return 0;
942 }
b9908bf9 943
b9908bf9
MC		 944 return 1;
945}
946
e96e0f8e 947/* Add a certificate to the WPACKET */
f63a17d6 948static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
0f113f3e 949{
e96e0f8e
MC		 950 int len;
951 unsigned char *outbytes;
952
953 len = i2d_X509(x, NULL);
954 if (len < 0) {
f63a17d6
MC		 955 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
956 ERR_R_BUF_LIB);
e96e0f8e
MC		 957 return 0;
958 }
959 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
960 || i2d_X509(x, &outbytes) != len) {
f63a17d6
MC		 961 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
962 ERR_R_INTERNAL_ERROR);
e96e0f8e
MC		 963 return 0;
964 }
965
966 if (SSL_IS_TLS13(s)
fe874d27 967 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
f63a17d6
MC		 968 chain)) {
969 /* SSLfatal() already called */
e96e0f8e 970 return 0;
f63a17d6 971 }
e96e0f8e
MC		 972
973 return 1;
974}
975
976/* Add certificate chain to provided WPACKET */
f63a17d6 977static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
e96e0f8e
MC		 978{
979 int i, chain_count;
980 X509 *x;
981 STACK_OF(X509) *extra_certs;
982 STACK_OF(X509) *chain = NULL;
983 X509_STORE *chain_store;
e96e0f8e
MC		 984
985 if (cpk == NULL || cpk->x509 == NULL)
986 return 1;
987
988 x = cpk->x509;
989
990 /*
991 * If we have a certificate specific chain use it, else use parent ctx.
992 */
d805a57b 993 if (cpk->chain != NULL)
e96e0f8e
MC		 994 extra_certs = cpk->chain;
995 else
996 extra_certs = s->ctx->extra_certs;
997
998 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
999 chain_store = NULL;
1000 else if (s->cert->chain_store)
1001 chain_store = s->cert->chain_store;
1002 else
1003 chain_store = s->ctx->cert_store;
1004
d805a57b 1005 if (chain_store != NULL) {
a959b4fa
MC		 1006 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_with_libctx(s->ctx->libctx,
1007 s->ctx->propq);
e96e0f8e
MC		 1008
1009 if (xs_ctx == NULL) {
f63a17d6
MC		 1010 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
1011 ERR_R_MALLOC_FAILURE);
1012 return 0;
e96e0f8e
MC		 1013 }
1014 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
1015 X509_STORE_CTX_free(xs_ctx);
f63a17d6
MC		 1016 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
1017 ERR_R_X509_LIB);
1018 return 0;
e96e0f8e
MC		 1019 }
1020 /*
1021 * It is valid for the chain not to be complete (because normally we
1022 * don't include the root cert in the chain). Therefore we deliberately
1023 * ignore the error return from this call. We're not actually verifying
1024 * the cert - we're just building as much of the chain as we can
1025 */
1026 (void)X509_verify_cert(xs_ctx);
1027 /* Don't leave errors in the queue */
1028 ERR_clear_error();
1029 chain = X509_STORE_CTX_get0_chain(xs_ctx);
1030 i = ssl_security_cert_chain(s, chain, NULL, 0);
1031 if (i != 1) {
1032#if 0
1033 /* Dummy error calls so mkerr generates them */
1034 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
1035 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
1036 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
1037#endif
1038 X509_STORE_CTX_free(xs_ctx);
f63a17d6
MC		 1039 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
1040 return 0;
e96e0f8e
MC		 1041 }
1042 chain_count = sk_X509_num(chain);
1043 for (i = 0; i < chain_count; i++) {
1044 x = sk_X509_value(chain, i);
1045
f63a17d6
MC		 1046 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
1047 /* SSLfatal() already called */
e96e0f8e 1048 X509_STORE_CTX_free(xs_ctx);
f63a17d6 1049 return 0;
e96e0f8e
MC		 1050 }
1051 }
1052 X509_STORE_CTX_free(xs_ctx);
1053 } else {
1054 i = ssl_security_cert_chain(s, extra_certs, x, 0);
1055 if (i != 1) {
f63a17d6
MC		 1056 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
1057 return 0;
1058 }
1059 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1060 /* SSLfatal() already called */
1061 return 0;
e96e0f8e 1062 }
e96e0f8e
MC		 1063 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1064 x = sk_X509_value(extra_certs, i);
f63a17d6
MC		 1065 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1066 /* SSLfatal() already called */
1067 return 0;
1068 }
e96e0f8e
MC		 1069 }
1070 }
1071 return 1;
e96e0f8e
MC		 1072}
1073
f63a17d6 1074unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
e96e0f8e 1075{
f63a17d6
MC		 1076 if (!WPACKET_start_sub_packet_u24(pkt)) {
1077 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1078 ERR_R_INTERNAL_ERROR);
1079 return 0;
1080 }
e96e0f8e 1081
f63a17d6
MC		 1082 if (!ssl_add_cert_chain(s, pkt, cpk))
1083 return 0;
1084
1085 if (!WPACKET_close(pkt)) {
1086 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1087 ERR_R_INTERNAL_ERROR);
7cea05dc 1088 return 0;
77d514c5 1089 }
f63a17d6 1090
c49e1912 1091 return 1;
0f113f3e
MC		 1092}
1093
30f05b19
MC		 1094/*
1095 * Tidy up after the end of a handshake. In the case of SCTP this may result
1096 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1097 * freed up as well.
1098 */
2a8db717 1099WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
8723588e
MC		 1100{
1101 void (*cb) (const SSL *ssl, int type, int val) = NULL;
4af5836b 1102 int cleanuphand = s->statem.cleanuphand;
8723588e 1103
30f05b19 1104 if (clearbufs) {
e7c27a6c
N		 1105 if (!SSL_IS_DTLS(s)
1106#ifndef OPENSSL_NO_SCTP
30f05b19 1107 /*
e7c27a6c
N		 1108 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1109 * messages that require it. Therefore, DTLS procedures for retransmissions
1110 * MUST NOT be used.
1111 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1112 */
1113 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1114#endif
1115 ) {
1116 /*
1117 * We don't do this in DTLS over UDP because we may still need the init_buf
30f05b19
MC		 1118 * in case there are any unexpected retransmits
1119 */
1120 BUF_MEM_free(s->init_buf);
1121 s->init_buf = NULL;
1122 }
e7c27a6c 1123
a2c2e000
MC		 1124 if (!ssl_free_wbio_buffer(s)) {
1125 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
1126 ERR_R_INTERNAL_ERROR);
b77f3ed1 1127 return WORK_ERROR;
a2c2e000 1128 }
30f05b19 1129 s->init_num = 0;
473483d4 1130 }
8723588e 1131
9d75dce3
TS		 1132 if (SSL_IS_TLS13(s) && !s->server
1133 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1134 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1135
c2c1d8a4
MC		 1136 /*
1137 * Only set if there was a Finished message and this isn't after a TLSv1.3
1138 * post handshake exchange
1139 */
4af5836b 1140 if (cleanuphand) {
8723588e
MC		 1141 /* skipped if we just sent a HelloRequest */
1142 s->renegotiate = 0;
1143 s->new_session = 0;
c7f47786 1144 s->statem.cleanuphand = 0;
c0638ade 1145 s->ext.ticket_expected = 0;
8723588e 1146
30f05b19
MC		 1147 ssl3_cleanup_key_block(s);
1148
8723588e 1149 if (s->server) {
16ff1342
MC		 1150 /*
1151 * In TLSv1.3 we update the cache as part of constructing the
1152 * NewSessionTicket
1153 */
1154 if (!SSL_IS_TLS13(s))
1155 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
8723588e 1156
0e6161bc 1157 /* N.B. s->ctx may not equal s->session_ctx */
9ef9088c 1158 tsan_counter(&s->ctx->stats.sess_accept_good);
fe3a3291 1159 s->handshake_func = ossl_statem_accept;
8723588e 1160 } else {
4cb00457
MC		 1161 if (SSL_IS_TLS13(s)) {
1162 /*
1163 * We encourage applications to only use TLSv1.3 tickets once,
1164 * so we remove this one from the cache.
1165 */
1166 if ((s->session_ctx->session_cache_mode
1167 & SSL_SESS_CACHE_CLIENT) != 0)
1168 SSL_CTX_remove_session(s->session_ctx, s->session);
1169 } else {
1170 /*
1171 * In TLSv1.3 we update the cache as part of processing the
1172 * NewSessionTicket
1173 */
5d61491c 1174 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
4cb00457 1175 }
8723588e 1176 if (s->hit)
9ef9088c 1177 tsan_counter(&s->session_ctx->stats.sess_hit);
8723588e 1178
fe3a3291 1179 s->handshake_func = ossl_statem_connect;
9ef9088c 1180 tsan_counter(&s->session_ctx->stats.sess_connect_good);
8723588e
MC		 1181 }
1182
8723588e
MC		 1183 if (SSL_IS_DTLS(s)) {
1184 /* done with handshaking */
1185 s->d1->handshake_read_seq = 0;
1186 s->d1->handshake_write_seq = 0;
1187 s->d1->next_handshake_write_seq = 0;
f5c7f5df 1188 dtls1_clear_received_buffer(s);
8723588e
MC		 1189 }
1190 }
1191
c2c1d8a4
MC		 1192 if (s->info_callback != NULL)
1193 cb = s->info_callback;
1194 else if (s->ctx->info_callback != NULL)
1195 cb = s->ctx->info_callback;
1196
4ce787b9
MC		 1197 /* The callback may expect us to not be in init at handshake done */
1198 ossl_statem_set_in_init(s, 0);
1199
4af5836b
MC		 1200 if (cb != NULL) {
1201 if (cleanuphand
1202 || !SSL_IS_TLS13(s)
1203 || SSL_IS_FIRST_HANDSHAKE(s))
1204 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1205 }
c2c1d8a4 1206
4ce787b9
MC		 1207 if (!stop) {
1208 /* If we've got more work to do we go back into init */
1209 ossl_statem_set_in_init(s, 1);
30f05b19 1210 return WORK_FINISHED_CONTINUE;
4ce787b9 1211 }
30f05b19 1212
8723588e
MC		 1213 return WORK_FINISHED_STOP;
1214}
1215
9ab930b2
MC		 1216int tls_get_message_header(SSL *s, int *mt)
1217{
1218 /* s->init_num < SSL3_HM_HEADER_LENGTH */
d4d2f3a4 1219 int skip_message, i, recvd_type;
9ab930b2 1220 unsigned char *p;
54105ddd 1221 size_t l, readbytes;
9ab930b2
MC		 1222
1223 p = (unsigned char *)s->init_buf->data;
1224
1225 do {
1226 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1227 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
a230b26e
EK		 1228 &p[s->init_num],
1229 SSL3_HM_HEADER_LENGTH - s->init_num,
54105ddd 1230 0, &readbytes);
9ab930b2
MC		 1231 if (i <= 0) {
1232 s->rwstate = SSL_READING;
1233 return 0;
32ec4153 1234 }
9ab930b2 1235 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1257adec 1236 /*
a230b26e
EK		 1237 * A ChangeCipherSpec must be a single byte and may not occur
1238 * in the middle of a handshake message.
1239 */
54105ddd 1240 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
d4d2f3a4
MC		 1241 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1242 SSL_F_TLS_GET_MESSAGE_HEADER,
1243 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1244 return 0;
1257adec 1245 }
e9359719 1246 if (s->statem.hand_state == TLS_ST_BEFORE
555cbb32 1247 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
e9359719
MC		 1248 /*
1249 * We are stateless and we received a CCS. Probably this is
1250 * from a client between the first and second ClientHellos.
1251 * We should ignore this, but return an error because we do
1252 * not return success until we see the second ClientHello
1253 * with a valid cookie.
1254 */
1255 return 0;
1256 }
555cbb32 1257 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
54105ddd 1258 s->init_num = readbytes - 1;
c4377574 1259 s->init_msg = s->init_buf->data;
555cbb32 1260 s->s3.tmp.message_size = readbytes;
9ab930b2
MC		 1261 return 1;
1262 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
d4d2f3a4
MC		 1263 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1264 SSL_F_TLS_GET_MESSAGE_HEADER,
1265 SSL_R_CCS_RECEIVED_EARLY);
1266 return 0;
32ec4153 1267 }
54105ddd 1268 s->init_num += readbytes;
9ab930b2
MC		 1269 }
1270
1271 skip_message = 0;
1272 if (!s->server)
c7f47786
MC		 1273 if (s->statem.hand_state != TLS_ST_OK
1274 && p[0] == SSL3_MT_HELLO_REQUEST)
9ab930b2
MC		 1275 /*
1276 * The server may always send 'Hello Request' messages --
1277 * we are doing a handshake anyway now, so ignore them if
1278 * their format is correct. Does not count for 'Finished'
1279 * MAC.
1280 */
1281 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1282 s->init_num = 0;
1283 skip_message = 1;
1284
1285 if (s->msg_callback)
1286 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1287 p, SSL3_HM_HEADER_LENGTH, s,
1288 s->msg_callback_arg);
1289 }
1290 } while (skip_message);
1291 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1292
1293 *mt = *p;
555cbb32 1294 s->s3.tmp.message_type = *(p++);
32ec4153 1295
e8aa8b6c 1296 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
9ab930b2
MC		 1297 /*
1298 * Only happens with SSLv3+ in an SSLv2 backward compatible
1299 * ClientHello
e8aa8b6c
F		 1300 *
1301 * Total message size is the remaining record bytes to read
1302 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
9ab930b2 1303 */
9ab930b2
MC		 1304 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1305 + SSL3_HM_HEADER_LENGTH;
555cbb32 1306 s->s3.tmp.message_size = l;
9ab930b2
MC		 1307
1308 s->init_msg = s->init_buf->data;
1309 s->init_num = SSL3_HM_HEADER_LENGTH;
1310 } else {
1311 n2l3(p, l);
1312 /* BUF_MEM_grow takes an 'int' parameter */
1313 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
d4d2f3a4
MC		 1314 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
1315 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1316 return 0;
32ec4153 1317 }
555cbb32 1318 s->s3.tmp.message_size = l;
9ab930b2
MC		 1319
1320 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1321 s->init_num = 0;
1322 }
1323
1324 return 1;
9ab930b2
MC		 1325}
1326
eda75751 1327int tls_get_message_body(SSL *s, size_t *len)
9ab930b2 1328{
54105ddd 1329 size_t n, readbytes;
9ab930b2
MC		 1330 unsigned char *p;
1331 int i;
1332
555cbb32 1333 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
9ab930b2
MC		 1334 /* We've already read everything in */
1335 *len = (unsigned long)s->init_num;
1336 return 1;
0f113f3e
MC		 1337 }
1338
0f113f3e 1339 p = s->init_msg;
555cbb32 1340 n = s->s3.tmp.message_size - s->init_num;
0f113f3e 1341 while (n > 0) {
657da85e 1342 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
54105ddd 1343 &p[s->init_num], n, 0, &readbytes);
0f113f3e
MC		 1344 if (i <= 0) {
1345 s->rwstate = SSL_READING;
9ab930b2
MC		 1346 *len = 0;
1347 return 0;
0f113f3e 1348 }
54105ddd
MC		 1349 s->init_num += readbytes;
1350 n -= readbytes;
0f113f3e 1351 }
ee2ffc27 1352
0f113f3e
MC		 1353 /*
1354 * If receiving Finished, record MAC of prior handshake messages for
1355 * Finished verification.
1356 */
5d671101
MC		 1357 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1358 /* SSLfatal() already called */
1359 *len = 0;
1360 return 0;
1361 }
ee2ffc27 1362
0f113f3e 1363 /* Feed this message into MAC computation. */
e8aa8b6c 1364 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
d166ed8c
DSH		 1365 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1366 s->init_num)) {
d4d2f3a4 1367 /* SSLfatal() already called */
d166ed8c
DSH		 1368 *len = 0;
1369 return 0;
1370 }
32ec4153 1371 if (s->msg_callback)
a230b26e 1372 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
32ec4153
MC		 1373 (size_t)s->init_num, s, s->msg_callback_arg);
1374 } else {
11c67eea
MC		 1375 /*
1376 * We defer feeding in the HRR until later. We'll do it as part of
1377 * processing the message
9d75dce3
TS		 1378 * The TLsv1.3 handshake transcript stops at the ClientFinished
1379 * message.
11c67eea 1380 */
597c51bc 1381#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
9d75dce3 1382 /* KeyUpdate and NewSessionTicket do not need to be added */
555cbb32
TS		 1383 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1384 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1385 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
9d75dce3
TS		 1386 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1387 || memcmp(hrrrandom,
1388 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1389 SSL3_RANDOM_SIZE) != 0) {
1390 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1391 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1392 /* SSLfatal() already called */
1393 *len = 0;
1394 return 0;
1395 }
597c51bc 1396 }
d166ed8c 1397 }
32ec4153
MC		 1398 if (s->msg_callback)
1399 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1400 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1401 s->msg_callback_arg);
1402 }
1403
eda75751 1404 *len = s->init_num;
9ab930b2 1405 return 1;
0f113f3e 1406}
d02b48c6 1407
c6d38183
RS		 1408static const X509ERR2ALERT x509table[] = {
1409 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1410 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1411 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1412 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1413 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1414 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1415 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1416 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1417 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1418 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1419 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1420 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1421 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1422 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1423 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1424 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1425 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1426 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1427 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1428 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1429 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1430 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1431 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1432 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1433 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1434 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1435 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1436 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1437 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1438 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1439 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1440 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1441 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1442 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1443 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1444 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1445 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1446 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1447 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1448
1449 /* Last entry; return this if we don't find the value above. */
1450 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1451};
1452
1453int ssl_x509err2alert(int x509err)
0f113f3e 1454{
c6d38183
RS		 1455 const X509ERR2ALERT *tp;
1456
1457 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1458 if (tp->x509err == x509err)
1459 break;
1460 return tp->alert;
0f113f3e 1461}
d02b48c6 1462
b362ccab 1463int ssl_allow_compression(SSL *s)
0f113f3e
MC		 1464{
1465 if (s->options & SSL_OP_NO_COMPRESSION)
1466 return 0;
1467 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1468}
4fa52141 1469
068c358a 1470static int version_cmp(const SSL *s, int a, int b)
4fa52141
VD		 1471{
1472 int dtls = SSL_IS_DTLS(s);
1473
1474 if (a == b)
1475 return 0;
1476 if (!dtls)
1477 return a < b ? -1 : 1;
1478 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1479}
1480
1481typedef struct {
1482 int version;
a230b26e
EK		 1483 const SSL_METHOD *(*cmeth) (void);
1484 const SSL_METHOD *(*smeth) (void);
4fa52141
VD		 1485} version_info;
1486
5c587fb6 1487#if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
582a17d6 1488# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
4fa52141
VD		 1489#endif
1490
f7f2a01d 1491/* Must be in order high to low */
4fa52141 1492static const version_info tls_version_table[] = {
582a17d6
MC		 1493#ifndef OPENSSL_NO_TLS1_3
1494 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1495#else
1496 {TLS1_3_VERSION, NULL, NULL},
1497#endif
6b01bed2 1498#ifndef OPENSSL_NO_TLS1_2
a230b26e 1499 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
6b01bed2 1500#else
a230b26e 1501 {TLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1502#endif
1503#ifndef OPENSSL_NO_TLS1_1
a230b26e 1504 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
6b01bed2 1505#else
a230b26e 1506 {TLS1_1_VERSION, NULL, NULL},
6b01bed2
VD		 1507#endif
1508#ifndef OPENSSL_NO_TLS1
a230b26e 1509 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
6b01bed2 1510#else
a230b26e 1511 {TLS1_VERSION, NULL, NULL},
6b01bed2 1512#endif
4fa52141 1513#ifndef OPENSSL_NO_SSL3
a230b26e 1514 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
6b01bed2 1515#else
a230b26e 1516 {SSL3_VERSION, NULL, NULL},
4fa52141 1517#endif
a230b26e 1518 {0, NULL, NULL},
4fa52141
VD		 1519};
1520
5c587fb6 1521#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
4fa52141
VD		 1522# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1523#endif
1524
f7f2a01d 1525/* Must be in order high to low */
4fa52141 1526static const version_info dtls_version_table[] = {
6b01bed2 1527#ifndef OPENSSL_NO_DTLS1_2
a230b26e 1528 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
6b01bed2 1529#else
a230b26e 1530 {DTLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1531#endif
1532#ifndef OPENSSL_NO_DTLS1
a230b26e
EK		 1533 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1534 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
6b01bed2 1535#else
a230b26e
EK		 1536 {DTLS1_VERSION, NULL, NULL},
1537 {DTLS1_BAD_VER, NULL, NULL},
6b01bed2 1538#endif
a230b26e 1539 {0, NULL, NULL},
4fa52141
VD		 1540};
1541
1542/*
1543 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1544 *
1545 * @s: The SSL handle for the candidate method
1546 * @method: the intended method.
1547 *
1548 * Returns 0 on success, or an SSL error reason on failure.
1549 */
068c358a 1550static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
4fa52141
VD		 1551{
1552 int version = method->version;
1553
1554 if ((s->min_proto_version != 0 &&
1555 version_cmp(s, version, s->min_proto_version) < 0) ||
1556 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1557 return SSL_R_VERSION_TOO_LOW;
1558
1559 if (s->max_proto_version != 0 &&
a230b26e 1560 version_cmp(s, version, s->max_proto_version) > 0)
4fa52141
VD		 1561 return SSL_R_VERSION_TOO_HIGH;
1562
1563 if ((s->options & method->mask) != 0)
1564 return SSL_R_UNSUPPORTED_PROTOCOL;
1565 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1566 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
4fa52141
VD		 1567
1568 return 0;
1569}
1570
baa45c3e
MC		 1571/*
1572 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
cd3b53b8
MC		 1573 * certificate type, or has PSK or a certificate callback configured. Otherwise
1574 * returns 0.
baa45c3e
MC		 1575 */
1576static int is_tls13_capable(const SSL *s)
1577{
65d2c16c
MC		 1578 int i;
1579#ifndef OPENSSL_NO_EC
1580 int curve;
65d2c16c 1581#endif
baa45c3e 1582
d162340d
MC		 1583#ifndef OPENSSL_NO_PSK
1584 if (s->psk_server_callback != NULL)
1585 return 1;
1586#endif
1587
cd3b53b8 1588 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
baa45c3e
MC		 1589 return 1;
1590
1591 for (i = 0; i < SSL_PKEY_NUM; i++) {
1592 /* Skip over certs disallowed for TLSv1.3 */
1593 switch (i) {
1594 case SSL_PKEY_DSA_SIGN:
1595 case SSL_PKEY_GOST01:
1596 case SSL_PKEY_GOST12_256:
1597 case SSL_PKEY_GOST12_512:
1598 continue;
1599 default:
1600 break;
1601 }
de4dc598
MC		 1602 if (!ssl_has_cert(s, i))
1603 continue;
65d2c16c 1604#ifndef OPENSSL_NO_EC
de4dc598
MC		 1605 if (i != SSL_PKEY_ECC)
1606 return 1;
1607 /*
1608 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1609 * more restrictive so check that our sig algs are consistent with this
1610 * EC cert. See section 4.2.3 of RFC8446.
1611 */
c2041da8
RL		 1612 curve = evp_pkey_get_EC_KEY_curve_nid(s->cert->pkeys[SSL_PKEY_ECC]
1613 .privatekey);
de4dc598 1614 if (tls_check_sigalg_curve(s, curve))
baa45c3e 1615 return 1;
65d2c16c
MC		 1616#else
1617 return 1;
1618#endif
baa45c3e
MC		 1619 }
1620
1621 return 0;
1622}
1623
ccae4a15
FI		 1624/*
1625 * ssl_version_supported - Check that the specified `version` is supported by
1626 * `SSL *` instance
1627 *
1628 * @s: The SSL handle for the candidate method
1629 * @version: Protocol version to test against
1630 *
1631 * Returns 1 when supported, otherwise 0
1632 */
4fd12788 1633int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
ccae4a15
FI		 1634{
1635 const version_info *vent;
1636 const version_info *table;
1637
1638 switch (s->method->version) {
1639 default:
1640 /* Version should match method version for non-ANY method */
1641 return version_cmp(s, version, s->version) == 0;
1642 case TLS_ANY_VERSION:
1643 table = tls_version_table;
1644 break;
1645 case DTLS_ANY_VERSION:
1646 table = dtls_version_table;
1647 break;
1648 }
1649
1650 for (vent = table;
1651 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1652 ++vent) {
baa45c3e
MC		 1653 if (vent->cmeth != NULL
1654 && version_cmp(s, version, vent->version) == 0
1655 && ssl_method_error(s, vent->cmeth()) == 0
1656 && (!s->server
1657 || version != TLS1_3_VERSION
1658 || is_tls13_capable(s))) {
4fd12788
MC		 1659 if (meth != NULL)
1660 *meth = vent->cmeth();
ccae4a15
FI		 1661 return 1;
1662 }
1663 }
1664 return 0;
1665}
1666
4fa52141
VD		 1667/*
1668 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1669 * fallback indication from a client check whether we're using the highest
1670 * supported protocol version.
1671 *
1672 * @s server SSL handle.
1673 *
1674 * Returns 1 when using the highest enabled version, 0 otherwise.
1675 */
1676int ssl_check_version_downgrade(SSL *s)
1677{
1678 const version_info *vent;
1679 const version_info *table;
1680
1681 /*
1682 * Check that the current protocol is the highest enabled version
1683 * (according to s->ctx->method, as version negotiation may have changed
1684 * s->method).
1685 */
1686 if (s->version == s->ctx->method->version)
1687 return 1;
1688
1689 /*
1690 * Apparently we're using a version-flexible SSL_METHOD (not at its
1691 * highest protocol version).
1692 */
1693 if (s->ctx->method->version == TLS_method()->version)
1694 table = tls_version_table;
1695 else if (s->ctx->method->version == DTLS_method()->version)
1696 table = dtls_version_table;
1697 else {
1698 /* Unexpected state; fail closed. */
1699 return 0;
1700 }
1701
1702 for (vent = table; vent->version != 0; ++vent) {
a230b26e 1703 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
4fa52141
VD		 1704 return s->version == vent->version;
1705 }
1706 return 0;
1707}
1708
1709/*
1710 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1711 * protocols, provided the initial (D)TLS method is version-flexible. This
1712 * function sanity-checks the proposed value and makes sure the method is
1713 * version-flexible, then sets the limit if all is well.
1714 *
1715 * @method_version: The version of the current SSL_METHOD.
1716 * @version: the intended limit.
1717 * @bound: pointer to limit to be updated.
1718 *
1719 * Returns 1 on success, 0 on failure.
1720 */
1721int ssl_set_version_bound(int method_version, int version, int *bound)
1722{
77174598
VD		 1723 int valid_tls;
1724 int valid_dtls;
1725
869e978c
KR		 1726 if (version == 0) {
1727 *bound = version;
1728 return 1;
1729 }
1730
77174598
VD		 1731 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1732 valid_dtls =
1733 DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1734 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1735
1736 if (!valid_tls && !valid_dtls)
1737 return 0;
1738
4fa52141
VD		 1739 /*-
1740 * Restrict TLS methods to TLS protocol versions.
1741 * Restrict DTLS methods to DTLS protocol versions.
1742 * Note, DTLS version numbers are decreasing, use comparison macros.
1743 *
1744 * Note that for both lower-bounds we use explicit versions, not
1745 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1746 * configurations. If the MIN (supported) version ever rises, the user's
1747 * "floor" remains valid even if no longer available. We don't expect the
1748 * MAX ceiling to ever get lower, so making that variable makes sense.
77174598
VD		 1749 *
1750 * We ignore attempts to set bounds on version-inflexible methods,
1751 * returning success.
4fa52141
VD		 1752 */
1753 switch (method_version) {
1754 default:
77174598 1755 break;
4fa52141
VD		 1756
1757 case TLS_ANY_VERSION:
77174598
VD		 1758 if (valid_tls)
1759 *bound = version;
4fa52141
VD		 1760 break;
1761
1762 case DTLS_ANY_VERSION:
77174598
VD		 1763 if (valid_dtls)
1764 *bound = version;
4fa52141
VD		 1765 break;
1766 }
4fa52141
VD		 1767 return 1;
1768}
1769
f7f2a01d
MC		 1770static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1771{
1772 if (vers == TLS1_2_VERSION
4fd12788 1773 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
f7f2a01d 1774 *dgrd = DOWNGRADE_TO_1_2;
5627f9f2
MC		 1775 } else if (!SSL_IS_DTLS(s)
1776 && vers < TLS1_2_VERSION
1777 /*
1778 * We need to ensure that a server that disables TLSv1.2
1779 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1780 * complete handshakes with clients that support TLSv1.2 and
1781 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1782 * enabled and TLSv1.2 is not.
1783 */
1784 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
f7f2a01d
MC		 1785 *dgrd = DOWNGRADE_TO_1_1;
1786 } else {
1787 *dgrd = DOWNGRADE_NONE;
1788 }
1789}
1790
4fa52141
VD		 1791/*
1792 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1793 * client HELLO is received to select the final server protocol version and
1794 * the version specific method.
1795 *
1796 * @s: server SSL handle.
1797 *
1798 * Returns 0 on success or an SSL error reason number on failure.
1799 */
f7f2a01d 1800int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
4fa52141
VD		 1801{
1802 /*-
1803 * With version-flexible methods we have an initial state with:
1804 *
1805 * s->method->version == (D)TLS_ANY_VERSION,
5c587fb6 1806 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
4fa52141
VD		 1807 *
1808 * So we detect version-flexible methods via the method version, not the
1809 * handle version.
1810 */
1811 int server_version = s->method->version;
df7ce507 1812 int client_version = hello->legacy_version;
4fa52141
VD		 1813 const version_info *vent;
1814 const version_info *table;
1815 int disabled = 0;
cd998837 1816 RAW_EXTENSION *suppversions;
4fa52141 1817
1ab3836b
MC		 1818 s->client_version = client_version;
1819
4fa52141
VD		 1820 switch (server_version) {
1821 default:
7d061fce
MC		 1822 if (!SSL_IS_TLS13(s)) {
1823 if (version_cmp(s, client_version, s->version) < 0)
1824 return SSL_R_WRONG_SSL_VERSION;
f7f2a01d 1825 *dgrd = DOWNGRADE_NONE;
7d061fce
MC		 1826 /*
1827 * If this SSL handle is not from a version flexible method we don't
1828 * (and never did) check min/max FIPS or Suite B constraints. Hope
1829 * that's OK. It is up to the caller to not choose fixed protocol
1830 * versions they don't want. If not, then easy to fix, just return
1831 * ssl_method_error(s, s->method)
1832 */
1833 return 0;
1834 }
d2f42576 1835 /*
7d061fce
MC		 1836 * Fall through if we are TLSv1.3 already (this means we must be after
1837 * a HelloRetryRequest
4fa52141 1838 */
018fcbec 1839 /* fall thru */
4fa52141
VD		 1840 case TLS_ANY_VERSION:
1841 table = tls_version_table;
1842 break;
1843 case DTLS_ANY_VERSION:
1844 table = dtls_version_table;
1845 break;
1846 }
1847
70af3d8e 1848 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
cd998837 1849
6f40214f 1850 /* If we did an HRR then supported versions is mandatory */
fc7129dc 1851 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
6f40214f
MC		 1852 return SSL_R_UNSUPPORTED_PROTOCOL;
1853
70af3d8e 1854 if (suppversions->present && !SSL_IS_DTLS(s)) {
cd998837
MC		 1855 unsigned int candidate_vers = 0;
1856 unsigned int best_vers = 0;
1857 const SSL_METHOD *best_method = NULL;
1858 PACKET versionslist;
1859
6b473aca
MC		 1860 suppversions->parsed = 1;
1861
16bce0e0 1862 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
cd998837
MC		 1863 /* Trailing or invalid data? */
1864 return SSL_R_LENGTH_MISMATCH;
1865 }
1866
d8434cf8
MC		 1867 /*
1868 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1869 * The spec only requires servers to check that it isn't SSLv3:
1870 * "Any endpoint receiving a Hello message with
1871 * ClientHello.legacy_version or ServerHello.legacy_version set to
1872 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1873 * We are slightly stricter and require that it isn't SSLv3 or lower.
1874 * We tolerate TLSv1 and TLSv1.1.
1875 */
1876 if (client_version <= SSL3_VERSION)
1877 return SSL_R_BAD_LEGACY_VERSION;
1878
cd998837 1879 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
cd998837
MC		 1880 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1881 continue;
4fd12788
MC		 1882 if (ssl_version_supported(s, candidate_vers, &best_method))
1883 best_vers = candidate_vers;
cd998837
MC		 1884 }
1885 if (PACKET_remaining(&versionslist) != 0) {
1886 /* Trailing data? */
1887 return SSL_R_LENGTH_MISMATCH;
1888 }
1889
1890 if (best_vers > 0) {
fc7129dc 1891 if (s->hello_retry_request != SSL_HRR_NONE) {
7d061fce 1892 /*
6f40214f
MC		 1893 * This is after a HelloRetryRequest so we better check that we
1894 * negotiated TLSv1.3
7d061fce
MC		 1895 */
1896 if (best_vers != TLS1_3_VERSION)
1897 return SSL_R_UNSUPPORTED_PROTOCOL;
1898 return 0;
1899 }
f7f2a01d 1900 check_for_downgrade(s, best_vers, dgrd);
cd998837
MC		 1901 s->version = best_vers;
1902 s->method = best_method;
1903 return 0;
1904 }
1905 return SSL_R_UNSUPPORTED_PROTOCOL;
1906 }
1907
1908 /*
1909 * If the supported versions extension isn't present, then the highest
1910 * version we can negotiate is TLSv1.2
1911 */
1912 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1913 client_version = TLS1_2_VERSION;
1914
1915 /*
1916 * No supported versions extension, so we just use the version supplied in
1917 * the ClientHello.
1918 */
4fa52141
VD		 1919 for (vent = table; vent->version != 0; ++vent) {
1920 const SSL_METHOD *method;
1921
1922 if (vent->smeth == NULL ||
1923 version_cmp(s, client_version, vent->version) < 0)
1924 continue;
1925 method = vent->smeth();
1926 if (ssl_method_error(s, method) == 0) {
f7f2a01d 1927 check_for_downgrade(s, vent->version, dgrd);
4fa52141
VD		 1928 s->version = vent->version;
1929 s->method = method;
1930 return 0;
1931 }
1932 disabled = 1;
1933 }
1934 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1935}
1936
1937/*
1938 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1939 * server HELLO is received to select the final client protocol version and
1940 * the version specific method.
1941 *
1942 * @s: client SSL handle.
1943 * @version: The proposed version from the server's HELLO.
88050dd1 1944 * @extensions: The extensions received
4fa52141 1945 *
29bfd5b7 1946 * Returns 1 on success or 0 on error.
4fa52141 1947 */
88050dd1 1948int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
4fa52141
VD		 1949{
1950 const version_info *vent;
1951 const version_info *table;
b5b993b2 1952 int ret, ver_min, ver_max, real_max, origv;
4fa52141 1953
88050dd1
MC		 1954 origv = s->version;
1955 s->version = version;
b97667ce 1956
88050dd1
MC		 1957 /* This will overwrite s->version if the extension is present */
1958 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1959 SSL_EXT_TLS1_2_SERVER_HELLO
1960 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1961 NULL, 0)) {
1962 s->version = origv;
1963 return 0;
1964 }
1965
fc7129dc
MC		 1966 if (s->hello_retry_request != SSL_HRR_NONE
1967 && s->version != TLS1_3_VERSION) {
88050dd1 1968 s->version = origv;
29bfd5b7
MC		 1969 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1970 SSL_R_WRONG_SSL_VERSION);
1971 return 0;
c3043dcd
MC		 1972 }
1973
4fa52141
VD		 1974 switch (s->method->version) {
1975 default:
88050dd1
MC		 1976 if (s->version != s->method->version) {
1977 s->version = origv;
29bfd5b7
MC		 1978 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1979 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1980 SSL_R_WRONG_SSL_VERSION);
1981 return 0;
c3043dcd 1982 }
4fa52141
VD		 1983 /*
1984 * If this SSL handle is not from a version flexible method we don't
1985 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1986 * that's OK. It is up to the caller to not choose fixed protocol
1987 * versions they don't want. If not, then easy to fix, just return
1988 * ssl_method_error(s, s->method)
1989 */
29bfd5b7 1990 return 1;
4fa52141
VD		 1991 case TLS_ANY_VERSION:
1992 table = tls_version_table;
1993 break;
1994 case DTLS_ANY_VERSION:
1995 table = dtls_version_table;
1996 break;
1997 }
1998
b5b993b2
MC		 1999 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
2000 if (ret != 0) {
2001 s->version = origv;
2002 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
2003 SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
2004 return 0;
2005 }
2006 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
2007 : s->version < ver_min) {
2008 s->version = origv;
2009 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
2010 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2011 return 0;
2012 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
2013 : s->version > ver_max) {
2014 s->version = origv;
2015 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
2016 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2017 return 0;
2018 }
5df22060 2019
b5b993b2
MC		 2020 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
2021 real_max = ver_max;
c3043dcd 2022
b5b993b2
MC		 2023 /* Check for downgrades */
2024 if (s->version == TLS1_2_VERSION && real_max > s->version) {
2025 if (memcmp(tls12downgrade,
555cbb32 2026 s->s3.server_random + SSL3_RANDOM_SIZE
b5b993b2
MC		 2027 - sizeof(tls12downgrade),
2028 sizeof(tls12downgrade)) == 0) {
2029 s->version = origv;
2030 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
2031 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2032 SSL_R_INAPPROPRIATE_FALLBACK);
2033 return 0;
2034 }
2035 } else if (!SSL_IS_DTLS(s)
2036 && s->version < TLS1_2_VERSION
2037 && real_max > s->version) {
2038 if (memcmp(tls11downgrade,
555cbb32 2039 s->s3.server_random + SSL3_RANDOM_SIZE
b5b993b2
MC		 2040 - sizeof(tls11downgrade),
2041 sizeof(tls11downgrade)) == 0) {
2042 s->version = origv;
2043 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
2044 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2045 SSL_R_INAPPROPRIATE_FALLBACK);
2046 return 0;
c3043dcd 2047 }
b5b993b2 2048 }
c3043dcd 2049
b5b993b2
MC		 2050 for (vent = table; vent->version != 0; ++vent) {
2051 if (vent->cmeth == NULL || s->version != vent->version)
c3043dcd
MC		 2052 continue;
2053
b5b993b2 2054 s->method = vent->cmeth();
29bfd5b7 2055 return 1;
4fa52141
VD		 2056 }
2057
88050dd1 2058 s->version = origv;
29bfd5b7
MC		 2059 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2060 SSL_R_UNSUPPORTED_PROTOCOL);
2061 return 0;
4fa52141
VD		 2062}
2063
068c358a 2064/*
38a73150 2065 * ssl_get_min_max_version - get minimum and maximum protocol version
068c358a
KR		 2066 * @s: The SSL connection
2067 * @min_version: The minimum supported version
2068 * @max_version: The maximum supported version
b5b993b2
MC		 2069 * @real_max: The highest version below the lowest compile time version hole
2070 * where that hole lies above at least one run-time enabled
2071 * protocol.
068c358a
KR		 2072 *
2073 * Work out what version we should be using for the initial ClientHello if the
2074 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2075 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
b53338cb 2076 * constraints and any floor imposed by the security level here,
068c358a 2077 * so we don't advertise the wrong protocol version to only reject the outcome later.
4fa52141 2078 *
0485d540 2079 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
4fa52141
VD		 2080 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2081 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2082 *
068c358a
KR		 2083 * Returns 0 on success or an SSL error reason number on failure. On failure
2084 * min_version and max_version will also be set to 0.
4fa52141 2085 */
b5b993b2
MC		 2086int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2087 int *real_max)
4fa52141 2088{
b5b993b2 2089 int version, tmp_real_max;
4fa52141
VD		 2090 int hole;
2091 const SSL_METHOD *single = NULL;
2092 const SSL_METHOD *method;
2093 const version_info *table;
2094 const version_info *vent;
2095
2096 switch (s->method->version) {
2097 default:
2098 /*
2099 * If this SSL handle is not from a version flexible method we don't
2100 * (and never did) check min/max FIPS or Suite B constraints. Hope
2101 * that's OK. It is up to the caller to not choose fixed protocol
2102 * versions they don't want. If not, then easy to fix, just return
2103 * ssl_method_error(s, s->method)
2104 */
068c358a 2105 *min_version = *max_version = s->version;
b5b993b2
MC		 2106 /*
2107 * Providing a real_max only makes sense where we're using a version
2108 * flexible method.
2109 */
2110 if (!ossl_assert(real_max == NULL))
2111 return ERR_R_INTERNAL_ERROR;
4fa52141
VD		 2112 return 0;
2113 case TLS_ANY_VERSION:
2114 table = tls_version_table;
2115 break;
2116 case DTLS_ANY_VERSION:
2117 table = dtls_version_table;
2118 break;
2119 }
2120
2121 /*
2122 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2123 * below X enabled. This is required in order to maintain the "version
2124 * capability" vector contiguous. Any versions with a NULL client method
2125 * (protocol version client is disabled at compile-time) is also a "hole".
2126 *
2127 * Our initial state is hole == 1, version == 0. That is, versions above
2128 * the first version in the method table are disabled (a "hole" above
2129 * the valid protocol entries) and we don't have a selected version yet.
2130 *
2131 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2132 * the selected version, and the method becomes a candidate "single"
2133 * method. We're no longer in a hole, so "hole" becomes 0.
2134 *
2135 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2136 * as we support a contiguous range of at least two methods. If we hit
2137 * a disabled method, then hole becomes true again, but nothing else
2138 * changes yet, because all the remaining methods may be disabled too.
2139 * If we again hit an enabled method after the new hole, it becomes
2140 * selected, as we start from scratch.
2141 */
068c358a 2142 *min_version = version = 0;
4fa52141 2143 hole = 1;
b5b993b2
MC		 2144 if (real_max != NULL)
2145 *real_max = 0;
2146 tmp_real_max = 0;
4fa52141
VD		 2147 for (vent = table; vent->version != 0; ++vent) {
2148 /*
2149 * A table entry with a NULL client method is still a hole in the
2150 * "version capability" vector.
2151 */
2152 if (vent->cmeth == NULL) {
2153 hole = 1;
b5b993b2 2154 tmp_real_max = 0;
4fa52141
VD		 2155 continue;
2156 }
2157 method = vent->cmeth();
b5b993b2
MC		 2158
2159 if (hole == 1 && tmp_real_max == 0)
2160 tmp_real_max = vent->version;
2161
4fa52141
VD		 2162 if (ssl_method_error(s, method) != 0) {
2163 hole = 1;
2164 } else if (!hole) {
2165 single = NULL;
068c358a 2166 *min_version = method->version;
4fa52141 2167 } else {
b5b993b2
MC		 2168 if (real_max != NULL && tmp_real_max != 0)
2169 *real_max = tmp_real_max;
4fa52141 2170 version = (single = method)->version;
068c358a 2171 *min_version = version;
4fa52141
VD		 2172 hole = 0;
2173 }
2174 }
2175
068c358a
KR		 2176 *max_version = version;
2177
4fa52141
VD		 2178 /* Fail if everything is disabled */
2179 if (version == 0)
2180 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2181
068c358a
KR		 2182 return 0;
2183}
2184
2185/*
2186 * ssl_set_client_hello_version - Work out what version we should be using for
7acb8b64 2187 * the initial ClientHello.legacy_version field.
068c358a
KR		 2188 *
2189 * @s: client SSL handle.
2190 *
2191 * Returns 0 on success or an SSL error reason number on failure.
2192 */
2193int ssl_set_client_hello_version(SSL *s)
2194{
3eb2aff4 2195 int ver_min, ver_max, ret;
068c358a 2196
447cc0ad
MC		 2197 /*
2198 * In a renegotiation we always send the same client_version that we sent
2199 * last time, regardless of which version we eventually negotiated.
2200 */
2201 if (!SSL_IS_FIRST_HANDSHAKE(s))
2202 return 0;
2203
b5b993b2 2204 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
068c358a
KR		 2205
2206 if (ret != 0)
2207 return ret;
2208
7acb8b64
MC		 2209 s->version = ver_max;
2210
2211 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2212 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2213 ver_max = TLS1_2_VERSION;
2214
2215 s->client_version = ver_max;
4fa52141
VD		 2216 return 0;
2217}
aff9929b
MC		 2218
2219/*
2220 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2221 * and |checkallow| is 1 then additionally check if the group is allowed to be
2222 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2223 * 1) or 0 otherwise.
2224 */
9e84a42d 2225int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
aff9929b
MC		 2226 size_t num_groups, int checkallow)
2227{
2228 size_t i;
2229
2230 if (groups == NULL || num_groups == 0)
2231 return 0;
2232
9e84a42d
DSH		 2233 for (i = 0; i < num_groups; i++) {
2234 uint16_t group = groups[i];
2235
2236 if (group_id == group
aff9929b 2237 && (!checkallow
dbc6268f 2238 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
0acee504 2239 return 1;
aff9929b
MC		 2240 }
2241 }
2242
0acee504 2243 return 0;
aff9929b 2244}
11c67eea
MC		 2245
2246/* Replace ClientHello1 in the transcript hash with a synthetic message */
43054d3d
MC		 2247int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2248 size_t hashlen, const unsigned char *hrr,
2249 size_t hrrlen)
11c67eea 2250{
43054d3d 2251 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
635b7d3f
MC		 2252 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2253
2254 memset(msghdr, 0, sizeof(msghdr));
11c67eea 2255
43054d3d
MC		 2256 if (hashval == NULL) {
2257 hashval = hashvaltmp;
2258 hashlen = 0;
2259 /* Get the hash of the initial ClientHello */
2260 if (!ssl3_digest_cached_records(s, 0)
2261 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2262 &hashlen)) {
2263 /* SSLfatal() already called */
2264 return 0;
2265 }
11c67eea
MC		 2266 }
2267
2268 /* Reinitialise the transcript hash */
f63a17d6
MC		 2269 if (!ssl3_init_finished_mac(s)) {
2270 /* SSLfatal() already called */
11c67eea 2271 return 0;
f63a17d6 2272 }
11c67eea
MC		 2273
2274 /* Inject the synthetic message_hash message */
635b7d3f 2275 msghdr[0] = SSL3_MT_MESSAGE_HASH;
3a63c0ed 2276 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
11c67eea
MC		 2277 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2278 || !ssl3_finish_mac(s, hashval, hashlen)) {
f63a17d6 2279 /* SSLfatal() already called */
11c67eea
MC		 2280 return 0;
2281 }
2282
43054d3d
MC		 2283 /*
2284 * Now re-inject the HRR and current message if appropriate (we just deleted
2285 * it when we reinitialised the transcript hash above). Only necessary after
2286 * receiving a ClientHello2 with a cookie.
2287 */
2288 if (hrr != NULL
2289 && (!ssl3_finish_mac(s, hrr, hrrlen)
2290 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
555cbb32 2291 s->s3.tmp.message_size
43054d3d
MC		 2292 + SSL3_HM_HEADER_LENGTH))) {
2293 /* SSLfatal() already called */
2294 return 0;
2295 }
2296
11c67eea
MC		 2297 return 1;
2298}
5d6cca05
DSH		 2299
2300static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2301{
2302 return X509_NAME_cmp(*a, *b);
2303}
2304
f63a17d6 2305int parse_ca_names(SSL *s, PACKET *pkt)
5d6cca05
DSH		 2306{
2307 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2308 X509_NAME *xn = NULL;
2309 PACKET cadns;
2310
2311 if (ca_sk == NULL) {
f63a17d6
MC		 2312 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2313 ERR_R_MALLOC_FAILURE);
2314 goto err;
5d6cca05
DSH		 2315 }
2316 /* get the CA RDNs */
2317 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
f63a17d6
MC		 2318 SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
2319 SSL_R_LENGTH_MISMATCH);
2320 goto err;
5d6cca05
DSH		 2321 }
2322
2323 while (PACKET_remaining(&cadns)) {
2324 const unsigned char *namestart, *namebytes;
2325 unsigned int name_len;
2326
2327 if (!PACKET_get_net_2(&cadns, &name_len)
2328 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
f63a17d6
MC		 2329 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2330 SSL_R_LENGTH_MISMATCH);
2331 goto err;
5d6cca05
DSH		 2332 }
2333
2334 namestart = namebytes;
2335 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
f63a17d6
MC		 2336 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2337 ERR_R_ASN1_LIB);
2338 goto err;
5d6cca05
DSH		 2339 }
2340 if (namebytes != (namestart + name_len)) {
f63a17d6
MC		 2341 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2342 SSL_R_CA_DN_LENGTH_MISMATCH);
2343 goto err;
5d6cca05
DSH		 2344 }
2345
2346 if (!sk_X509_NAME_push(ca_sk, xn)) {
f63a17d6
MC		 2347 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2348 ERR_R_MALLOC_FAILURE);
5d6cca05
DSH		 2349 goto err;
2350 }
2351 xn = NULL;
2352 }
2353
555cbb32
TS		 2354 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2355 s->s3.tmp.peer_ca_names = ca_sk;
5d6cca05
DSH		 2356
2357 return 1;
2358
5d6cca05
DSH		 2359 err:
2360 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2361 X509_NAME_free(xn);
2362 return 0;
2363}
2364
98732979 2365const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
5d6cca05 2366{
98732979 2367 const STACK_OF(X509_NAME) *ca_sk = NULL;;
5d6cca05 2368
98732979
MC		 2369 if (s->server) {
2370 ca_sk = SSL_get_client_CA_list(s);
2371 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2372 ca_sk = NULL;
2373 }
2374
2375 if (ca_sk == NULL)
2376 ca_sk = SSL_get0_CA_list(s);
2377
2378 return ca_sk;
2379}
2380
2381int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2382{
5d6cca05 2383 /* Start sub-packet for client CA list */
f63a17d6
MC		 2384 if (!WPACKET_start_sub_packet_u16(pkt)) {
2385 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2386 ERR_R_INTERNAL_ERROR);
5d6cca05 2387 return 0;
f63a17d6 2388 }
5d6cca05 2389
90fc2c26 2390 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
5d6cca05
DSH		 2391 int i;
2392
2393 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2394 unsigned char *namebytes;
2395 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2396 int namelen;
2397
2398 if (name == NULL
2399 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2400 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2401 &namebytes)
2402 || i2d_X509_NAME(name, &namebytes) != namelen) {
f63a17d6
MC		 2403 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2404 ERR_R_INTERNAL_ERROR);
5d6cca05
DSH		 2405 return 0;
2406 }
2407 }
2408 }
2409
f63a17d6
MC		 2410 if (!WPACKET_close(pkt)) {
2411 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2412 ERR_R_INTERNAL_ERROR);
5d6cca05 2413 return 0;
f63a17d6 2414 }
5d6cca05
DSH		 2415
2416 return 1;
2417}
72ceb6a6
DSH		 2418
2419/* Create a buffer containing data to be signed for server key exchange */
f63a17d6 2420size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
72ceb6a6
DSH		 2421 const void *param, size_t paramlen)
2422{
2423 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2424 unsigned char *tbs = OPENSSL_malloc(tbslen);
2425
f63a17d6
MC		 2426 if (tbs == NULL) {
2427 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
2428 ERR_R_MALLOC_FAILURE);
72ceb6a6 2429 return 0;
f63a17d6 2430 }
555cbb32
TS		 2431 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2432 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
72ceb6a6
DSH		 2433
2434 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2435
2436 *ptbs = tbs;
2437 return tbslen;
2438}
9d75dce3
TS		 2439
2440/*
2441 * Saves the current handshake digest for Post-Handshake Auth,
2442 * Done after ClientFinished is processed, done exactly once
2443 */
2444int tls13_save_handshake_digest_for_pha(SSL *s)
2445{
2446 if (s->pha_dgst == NULL) {
2447 if (!ssl3_digest_cached_records(s, 1))
2448 /* SSLfatal() already called */
2449 return 0;
2450
2451 s->pha_dgst = EVP_MD_CTX_new();
2452 if (s->pha_dgst == NULL) {
2453 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2454 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2455 ERR_R_INTERNAL_ERROR);
2456 return 0;
2457 }
2458 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
555cbb32 2459 s->s3.handshake_dgst)) {
9d75dce3
TS		 2460 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2461 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2462 ERR_R_INTERNAL_ERROR);
2463 return 0;
2464 }
2465 }
2466 return 1;
2467}
2468
2469/*
2470 * Restores the Post-Handshake Auth handshake digest
2471 * Done just before sending/processing the Cert Request
2472 */
2473int tls13_restore_handshake_digest_for_pha(SSL *s)
2474{
2475 if (s->pha_dgst == NULL) {
2476 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2477 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2478 ERR_R_INTERNAL_ERROR);
2479 return 0;
2480 }
555cbb32 2481 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
9d75dce3
TS		 2482 s->pha_dgst)) {
2483 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2484 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2485 ERR_R_INTERNAL_ERROR);
2486 return 0;
2487 }
2488 return 1;
2489}
A mirror of the official openssl repository