]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/statem_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update copyright year
[thirdparty/openssl.git] / ssl / statem / statem_lib.c
CommitLineData
846e33c7 1/*
e7ff223a 2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
aa8f3d76 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
3813046d 4 *
846e33c7
RS		 5 * Licensed under the OpenSSL license (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
3813046d 9 */
846e33c7 10
48948d53 11#include <limits.h>
f2d9a32c 12#include <string.h>
d02b48c6 13#include <stdio.h>
b5acbf91
DMSP		 14#include "../ssl_local.h"
15#include "statem_local.h"
67dc995e 16#include "internal/cryptlib.h"
ec577822 17#include <openssl/buffer.h>
ec577822
BM		 18#include <openssl/objects.h>
19#include <openssl/evp.h>
20#include <openssl/x509.h>
d02b48c6 21
c6d38183
RS		 22/*
23 * Map error codes to TLS/SSL alart types.
24 */
25typedef struct x509err2alert_st {
26 int x509err;
27 int alert;
28} X509ERR2ALERT;
29
597c51bc
MC		 30/* Fixed value used in the ServerHello random field to identify an HRR */
31const unsigned char hrrrandom[] = {
32 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
33 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
34 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
35};
36
0f113f3e
MC		 37/*
38 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
39 * SSL3_RT_CHANGE_CIPHER_SPEC)
40 */
e7ecc7d4 41int ssl3_do_write(SSL *s, int type)
0f113f3e
MC		 42{
43 int ret;
7ee8627f 44 size_t written = 0;
0f113f3e
MC		 45
46 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
7ee8627f 47 s->init_num, &written);
0f113f3e 48 if (ret < 0)
26a7d938 49 return -1;
0f113f3e
MC		 50 if (type == SSL3_RT_HANDSHAKE)
51 /*
52 * should not be done for 'Hello Request's, but in that case we'll
53 * ignore the result anyway
9d75dce3 54 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
0f113f3e 55 */
9d75dce3
TS		 56 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
57 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
58 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
59 if (!ssl3_finish_mac(s,
60 (unsigned char *)&s->init_buf->data[s->init_off],
61 written))
62 return -1;
7ee8627f 63 if (written == s->init_num) {
0f113f3e
MC		 64 if (s->msg_callback)
65 s->msg_callback(1, s->version, type, s->init_buf->data,
66 (size_t)(s->init_off + s->init_num), s,
67 s->msg_callback_arg);
208fb891 68 return 1;
0f113f3e 69 }
7ee8627f
MC		 70 s->init_off += written;
71 s->init_num -= written;
26a7d938 72 return 0;
0f113f3e 73}
e7ecc7d4 74
4a01c59f 75int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
2c7b4dbc
MC		 76{
77 size_t msglen;
78
4a01c59f 79 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
f1ec23c0 80 || !WPACKET_get_length(pkt, &msglen)
7cea05dc 81 || msglen > INT_MAX)
2c7b4dbc
MC		 82 return 0;
83 s->init_num = (int)msglen;
84 s->init_off = 0;
85
86 return 1;
87}
88
1f5b44e9
MC		 89int tls_setup_handshake(SSL *s)
90{
f63a17d6
MC		 91 if (!ssl3_init_finished_mac(s)) {
92 /* SSLfatal() already called */
c7f47786 93 return 0;
f63a17d6 94 }
c7f47786 95
b186a592
MC		 96 /* Reset any extension flags */
97 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
98
c7f47786 99 if (s->server) {
38a73150
MC		 100 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
101 int i, ver_min, ver_max, ok = 0;
102
103 /*
104 * Sanity check that the maximum version we accept has ciphers
105 * enabled. For clients we do this check during construction of the
106 * ClientHello.
107 */
b5b993b2 108 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
4752c5de
MC		 109 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
110 ERR_R_INTERNAL_ERROR);
38a73150
MC		 111 return 0;
112 }
113 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
114 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
115
116 if (SSL_IS_DTLS(s)) {
117 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
118 DTLS_VERSION_LE(ver_max, c->max_dtls))
119 ok = 1;
120 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
121 ok = 1;
122 }
123 if (ok)
124 break;
125 }
126 if (!ok) {
4752c5de
MC		 127 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
128 SSL_R_NO_CIPHERS_AVAILABLE);
38a73150
MC		 129 ERR_add_error_data(1, "No ciphers enabled for max supported "
130 "SSL/TLS version");
38a73150
MC		 131 return 0;
132 }
c7f47786 133 if (SSL_IS_FIRST_HANDSHAKE(s)) {
0e6161bc 134 /* N.B. s->session_ctx == s->ctx here */
9ef9088c 135 tsan_counter(&s->session_ctx->stats.sess_accept);
c7f47786 136 } else {
0e6161bc 137 /* N.B. s->ctx may not equal s->session_ctx */
9ef9088c 138 tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
c7f47786
MC		 139
140 s->s3->tmp.cert_request = 0;
141 }
142 } else {
143 if (SSL_IS_FIRST_HANDSHAKE(s))
9ef9088c 144 tsan_counter(&s->session_ctx->stats.sess_connect);
c7f47786 145 else
9ef9088c 146 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
c7f47786
MC		 147
148 /* mark client_random uninitialized */
149 memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
150 s->hit = 0;
151
152 s->s3->tmp.cert_req = 0;
153
1f5b44e9 154 if (SSL_IS_DTLS(s))
c7f47786 155 s->statem.use_timer = 1;
c7f47786
MC		 156 }
157
158 return 1;
159}
160
2c5dfdc3
MC		 161/*
162 * Size of the to-be-signed TLS13 data, without the hash size itself:
163 * 64 bytes of value 32, 33 context bytes, 1 byte separator
164 */
165#define TLS13_TBS_START_SIZE 64
166#define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
167
168static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
169 void **hdata, size_t *hdatalen)
170{
cd5e2b0a 171#ifdef CHARSET_EBCDIC
d8e8ed02 172 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
cd5e2b0a 173 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
174 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
175 0x69, 0x66, 0x79, 0x00 };
d8e8ed02 176 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
cd5e2b0a 177 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
178 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
179 0x69, 0x66, 0x79, 0x00 };
180#else
d8e8ed02
AV		 181 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
182 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
cd5e2b0a 183#endif
2c5dfdc3
MC		 184 if (SSL_IS_TLS13(s)) {
185 size_t hashlen;
186
187 /* Set the first 64 bytes of to-be-signed data to octet 32 */
188 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
189 /* This copies the 33 bytes of context plus the 0 separator byte */
190 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
191 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
192 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
193 else
194 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
195
196 /*
197 * If we're currently reading then we need to use the saved handshake
198 * hash value. We can't use the current handshake hash state because
199 * that includes the CertVerify itself.
200 */
201 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
202 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
203 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
204 s->cert_verify_hash_len);
205 hashlen = s->cert_verify_hash_len;
206 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
207 EVP_MAX_MD_SIZE, &hashlen)) {
f63a17d6 208 /* SSLfatal() already called */
2c5dfdc3
MC		 209 return 0;
210 }
211
212 *hdata = tls13tbs;
213 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
214 } else {
215 size_t retlen;
7ccfce81 216 long retlen_l;
2c5dfdc3 217
7ccfce81
RL		 218 retlen = retlen_l = BIO_get_mem_data(s->s3->handshake_buffer, hdata);
219 if (retlen_l <= 0) {
f63a17d6
MC		 220 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
221 ERR_R_INTERNAL_ERROR);
2c5dfdc3 222 return 0;
f63a17d6 223 }
2c5dfdc3
MC		 224 *hdatalen = retlen;
225 }
226
227 return 1;
228}
229
d8bc1399
MC		 230int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
231{
ad4dd362
DSH		 232 EVP_PKEY *pkey = NULL;
233 const EVP_MD *md = NULL;
d8bc1399 234 EVP_MD_CTX *mctx = NULL;
5f9b64a2
MC		 235 EVP_PKEY_CTX *pctx = NULL;
236 size_t hdatalen = 0, siglen = 0;
d8bc1399
MC		 237 void *hdata;
238 unsigned char *sig = NULL;
2c5dfdc3 239 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
ad4dd362 240 const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
2c5dfdc3 241
ad4dd362 242 if (lu == NULL || s->s3->tmp.cert == NULL) {
d4d2f3a4
MC		 243 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
244 ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 245 goto err;
246 }
247 pkey = s->s3->tmp.cert->privatekey;
ad4dd362 248
168067b6 249 if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
d4d2f3a4
MC		 250 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
251 ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 252 goto err;
253 }
d8bc1399
MC		 254
255 mctx = EVP_MD_CTX_new();
256 if (mctx == NULL) {
d4d2f3a4
MC		 257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
258 ERR_R_MALLOC_FAILURE);
d8bc1399
MC		 259 goto err;
260 }
d8bc1399 261
2c5dfdc3
MC		 262 /* Get the data to be signed */
263 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6 264 /* SSLfatal() already called */
d8bc1399
MC		 265 goto err;
266 }
267
ad4dd362 268 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
d4d2f3a4
MC		 269 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
270 ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 271 goto err;
272 }
5f9b64a2
MC		 273 siglen = EVP_PKEY_size(pkey);
274 sig = OPENSSL_malloc(siglen);
d8bc1399 275 if (sig == NULL) {
d4d2f3a4
MC		 276 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
277 ERR_R_MALLOC_FAILURE);
d8bc1399
MC		 278 goto err;
279 }
5f9b64a2 280
75394189 281 if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) {
d4d2f3a4
MC		 282 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
283 ERR_R_EVP_LIB);
5f9b64a2
MC		 284 goto err;
285 }
286
ad4dd362 287 if (lu->sig == EVP_PKEY_RSA_PSS) {
5f9b64a2 288 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 289 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
290 RSA_PSS_SALTLEN_DIGEST) <= 0) {
d4d2f3a4
MC		 291 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
292 ERR_R_EVP_LIB);
5f9b64a2
MC		 293 goto err;
294 }
caf2b6b5
DSH		 295 }
296 if (s->version == SSL3_VERSION) {
297 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
298 || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
299 (int)s->session->master_key_length,
300 s->session->master_key)
301 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
302
d4d2f3a4
MC		 303 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
304 ERR_R_EVP_LIB);
5f9b64a2
MC		 305 goto err;
306 }
caf2b6b5 307 } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
d4d2f3a4
MC		 308 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
309 ERR_R_EVP_LIB);
d8bc1399
MC		 310 goto err;
311 }
5f9b64a2 312
d8bc1399
MC		 313#ifndef OPENSSL_NO_GOST
314 {
ad4dd362
DSH		 315 int pktype = lu->sig;
316
d8bc1399
MC		 317 if (pktype == NID_id_GostR3410_2001
318 || pktype == NID_id_GostR3410_2012_256
319 || pktype == NID_id_GostR3410_2012_512)
5f9b64a2 320 BUF_reverse(sig, NULL, siglen);
d8bc1399
MC		 321 }
322#endif
323
5f9b64a2 324 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
d4d2f3a4
MC		 325 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
326 ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 327 goto err;
328 }
329
330 /* Digest cached records and discard handshake buffer */
d4d2f3a4
MC		 331 if (!ssl3_digest_cached_records(s, 0)) {
332 /* SSLfatal() already called */
d8bc1399 333 goto err;
d4d2f3a4 334 }
d8bc1399
MC		 335
336 OPENSSL_free(sig);
337 EVP_MD_CTX_free(mctx);
338 return 1;
339 err:
340 OPENSSL_free(sig);
341 EVP_MD_CTX_free(mctx);
d8bc1399
MC		 342 return 0;
343}
344
345MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
346{
347 EVP_PKEY *pkey = NULL;
703bcee0 348 const unsigned char *data;
d8bc1399
MC		 349#ifndef OPENSSL_NO_GOST
350 unsigned char *gost_data = NULL;
351#endif
eb5fd03b 352 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
dd24857b 353 int j;
d8bc1399
MC		 354 unsigned int len;
355 X509 *peer;
356 const EVP_MD *md = NULL;
2c5dfdc3 357 size_t hdatalen = 0;
d8bc1399 358 void *hdata;
2c5dfdc3 359 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
d8bc1399 360 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
5f9b64a2 361 EVP_PKEY_CTX *pctx = NULL;
d8bc1399
MC		 362
363 if (mctx == NULL) {
f63a17d6
MC		 364 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
365 ERR_R_MALLOC_FAILURE);
366 goto err;
d8bc1399
MC		 367 }
368
369 peer = s->session->peer;
370 pkey = X509_get0_pubkey(peer);
f63a17d6
MC		 371 if (pkey == NULL) {
372 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
373 ERR_R_INTERNAL_ERROR);
374 goto err;
375 }
83b4049a 376
dd24857b 377 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
f63a17d6
MC		 378 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
379 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
380 goto err;
d8bc1399
MC		 381 }
382
f464f9c0 383 if (SSL_USE_SIGALGS(s)) {
f464f9c0
PD		 384 unsigned int sigalg;
385
386 if (!PACKET_get_net_2(pkt, &sigalg)) {
f63a17d6
MC		 387 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
388 SSL_R_BAD_PACKET);
389 goto err;
f464f9c0 390 }
f63a17d6
MC		 391 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
392 /* SSLfatal() already called */
393 goto err;
f464f9c0 394 }
f464f9c0 395 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
f63a17d6
MC		 396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
397 ERR_R_INTERNAL_ERROR);
398 goto err;
f464f9c0
PD		 399 }
400
168067b6 401 if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) {
f63a17d6
MC		 402 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
403 ERR_R_INTERNAL_ERROR);
404 goto err;
168067b6 405 }
f464f9c0 406
572fa024
DY		 407#ifdef SSL_DEBUG
408 if (SSL_USE_SIGALGS(s))
9465e716
PY		 409 fprintf(stderr, "USING TLSv1.2 HASH %s\n",
410 md == NULL ? "n/a" : EVP_MD_name(md));
572fa024
DY		 411#endif
412
d8bc1399
MC		 413 /* Check for broken implementations of GOST ciphersuites */
414 /*
f464f9c0
PD		 415 * If key is GOST and len is exactly 64 or 128, it is signature without
416 * length field (CryptoPro implementations at least till TLS 1.2)
d8bc1399
MC		 417 */
418#ifndef OPENSSL_NO_GOST
f464f9c0
PD		 419 if (!SSL_USE_SIGALGS(s)
420 && ((PACKET_remaining(pkt) == 64
421 && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
422 || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
423 || (PACKET_remaining(pkt) == 128
424 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
425 len = PACKET_remaining(pkt);
d8bc1399
MC		 426 } else
427#endif
f464f9c0 428 if (!PACKET_get_net_2(pkt, &len)) {
f63a17d6
MC		 429 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
430 SSL_R_LENGTH_MISMATCH);
431 goto err;
d8bc1399 432 }
f464f9c0 433
d8bc1399
MC		 434 j = EVP_PKEY_size(pkey);
435 if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
436 || (PACKET_remaining(pkt) == 0)) {
f63a17d6
MC		 437 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
438 SSL_R_WRONG_SIGNATURE_SIZE);
439 goto err;
d8bc1399
MC		 440 }
441 if (!PACKET_get_bytes(pkt, &data, len)) {
f63a17d6
MC		 442 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
443 SSL_R_LENGTH_MISMATCH);
444 goto err;
d8bc1399
MC		 445 }
446
2c5dfdc3 447 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6
MC		 448 /* SSLfatal() already called */
449 goto err;
d8bc1399
MC		 450 }
451
452#ifdef SSL_DEBUG
9465e716
PY		 453 fprintf(stderr, "Using client verify alg %s\n",
454 md == NULL ? "n/a" : EVP_MD_name(md));
d8bc1399 455#endif
75394189 456 if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
f63a17d6
MC		 457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
458 ERR_R_EVP_LIB);
459 goto err;
d8bc1399
MC		 460 }
461#ifndef OPENSSL_NO_GOST
462 {
dc8da7b1 463 int pktype = EVP_PKEY_id(pkey);
d8bc1399
MC		 464 if (pktype == NID_id_GostR3410_2001
465 || pktype == NID_id_GostR3410_2012_256
466 || pktype == NID_id_GostR3410_2012_512) {
467 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
f63a17d6
MC		 468 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
469 SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
470 goto err;
d8bc1399
MC		 471 }
472 BUF_reverse(gost_data, data, len);
473 data = gost_data;
474 }
475 }
476#endif
477
5554facb 478 if (SSL_USE_PSS(s)) {
5f9b64a2 479 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 480 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
481 RSA_PSS_SALTLEN_DIGEST) <= 0) {
f63a17d6
MC		 482 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
483 ERR_R_EVP_LIB);
484 goto err;
5f9b64a2 485 }
d8bc1399 486 }
caf2b6b5
DSH		 487 if (s->version == SSL3_VERSION) {
488 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
489 || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
490 (int)s->session->master_key_length,
491 s->session->master_key)) {
f63a17d6
MC		 492 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
493 ERR_R_EVP_LIB);
494 goto err;
caf2b6b5
DSH		 495 }
496 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
f63a17d6
MC		 497 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
498 SSL_R_BAD_SIGNATURE);
499 goto err;
caf2b6b5
DSH		 500 }
501 } else {
502 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
25ffeb11 503 if (j <= 0) {
f63a17d6
MC		 504 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
505 SSL_R_BAD_SIGNATURE);
506 goto err;
caf2b6b5 507 }
d8bc1399
MC		 508 }
509
a2388b50
MC		 510 /*
511 * In TLSv1.3 on the client side we make sure we prepare the client
512 * certificate after the CertVerify instead of when we get the
513 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
514 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
515 * want to make sure that SSL_get_peer_certificate() will return the actual
516 * server certificate from the client_cert_cb callback.
517 */
518 if (!s->server && SSL_IS_TLS13(s) && s->s3->tmp.cert_req == 1)
519 ret = MSG_PROCESS_CONTINUE_PROCESSING;
520 else
521 ret = MSG_PROCESS_CONTINUE_READING;
f63a17d6 522 err:
d8bc1399
MC		 523 BIO_free(s->s3->handshake_buffer);
524 s->s3->handshake_buffer = NULL;
525 EVP_MD_CTX_free(mctx);
526#ifndef OPENSSL_NO_GOST
527 OPENSSL_free(gost_data);
528#endif
529 return ret;
530}
531
229185e6 532int tls_construct_finished(SSL *s, WPACKET *pkt)
0f113f3e 533{
12472b45 534 size_t finish_md_len;
229185e6 535 const char *sender;
8b0e934a 536 size_t slen;
229185e6 537
f7e393be 538 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 539 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
f7e393be
MC		 540 s->statem.cleanuphand = 1;
541
542 /*
543 * We only change the keys if we didn't already do this when we sent the
544 * client certificate
545 */
546 if (SSL_IS_TLS13(s)
547 && !s->server
548 && s->s3->tmp.cert_req == 0
549 && (!s->method->ssl3_enc->change_cipher_state(s,
d4d2f3a4
MC		 550 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
551 /* SSLfatal() already called */
b43c3765 552 return 0;
f7e393be
MC		 553 }
554
229185e6
MC		 555 if (s->server) {
556 sender = s->method->ssl3_enc->server_finished_label;
557 slen = s->method->ssl3_enc->server_finished_label_len;
558 } else {
559 sender = s->method->ssl3_enc->client_finished_label;
560 slen = s->method->ssl3_enc->client_finished_label_len;
561 }
0f113f3e 562
12472b45
MC		 563 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
564 sender, slen,
565 s->s3->tmp.finish_md);
566 if (finish_md_len == 0) {
d4d2f3a4
MC		 567 /* SSLfatal() already called */
568 return 0;
4f89bfbf
MC		 569 }
570
12472b45 571 s->s3->tmp.finish_md_len = finish_md_len;
4f89bfbf 572
12472b45 573 if (!WPACKET_memcpy(pkt, s->s3->tmp.finish_md, finish_md_len)) {
d4d2f3a4
MC		 574 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
575 ERR_R_INTERNAL_ERROR);
576 return 0;
4f89bfbf 577 }
0f113f3e 578
2c7bd692
CB		 579 /*
580 * Log the master secret, if logging is enabled. We don't log it for
581 * TLSv1.3: there's a different key schedule for that.
582 */
583 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
584 s->session->master_key,
380a522f 585 s->session->master_key_length)) {
d4d2f3a4
MC		 586 /* SSLfatal() already called */
587 return 0;
380a522f 588 }
2faa1b48 589
b9908bf9
MC		 590 /*
591 * Copy the finished so we can use it for renegotiation checks
592 */
380a522f 593 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
d4d2f3a4
MC		 594 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
595 ERR_R_INTERNAL_ERROR);
596 return 0;
380a522f 597 }
23a635c0 598 if (!s->server) {
12472b45
MC		 599 memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md,
600 finish_md_len);
601 s->s3->previous_client_finished_len = finish_md_len;
b9908bf9 602 } else {
12472b45
MC		 603 memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md,
604 finish_md_len);
605 s->s3->previous_server_finished_len = finish_md_len;
b9908bf9 606 }
0f113f3e 607
b9908bf9 608 return 1;
0f113f3e 609}
d02b48c6 610
44c04a2e
MC		 611int tls_construct_key_update(SSL *s, WPACKET *pkt)
612{
613 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
d4d2f3a4
MC		 614 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
615 ERR_R_INTERNAL_ERROR);
616 return 0;
44c04a2e
MC		 617 }
618
9412b3ad 619 s->key_update = SSL_KEY_UPDATE_NONE;
44c04a2e 620 return 1;
44c04a2e
MC		 621}
622
e1c3de44
MC		 623MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
624{
625 unsigned int updatetype;
626
524420d8
MC		 627 /*
628 * A KeyUpdate message signals a key change so the end of the message must
629 * be on a record boundary.
630 */
631 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
f63a17d6
MC		 632 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
633 SSL_R_NOT_ON_RECORD_BOUNDARY);
634 return MSG_PROCESS_ERROR;
524420d8
MC		 635 }
636
e1c3de44 637 if (!PACKET_get_1(pkt, &updatetype)
2d871227 638 || PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 639 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
640 SSL_R_BAD_KEY_UPDATE);
641 return MSG_PROCESS_ERROR;
e1c3de44
MC		 642 }
643
9010b7bc
MC		 644 /*
645 * There are only two defined key update types. Fail if we get a value we
646 * didn't recognise.
647 */
2d871227
MC		 648 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
649 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
f63a17d6
MC		 650 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
651 SSL_R_BAD_KEY_UPDATE);
652 return MSG_PROCESS_ERROR;
2d871227
MC		 653 }
654
5bf47933
MC		 655 /*
656 * If we get a request for us to update our sending keys too then, we need
657 * to additionally send a KeyUpdate message. However that message should
6c2f347c 658 * not also request an update (otherwise we get into an infinite loop).
5bf47933 659 */
6c2f347c 660 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
5bf47933
MC		 661 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
662
57389a32 663 if (!tls13_update_key(s, 0)) {
f63a17d6
MC		 664 /* SSLfatal() already called */
665 return MSG_PROCESS_ERROR;
57389a32
MC		 666 }
667
e1c3de44
MC		 668 return MSG_PROCESS_FINISHED_READING;
669}
670
0f113f3e
MC		 671/*
672 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
673 * to far.
674 */
5d671101 675int ssl3_take_mac(SSL *s)
0f113f3e
MC		 676{
677 const char *sender;
8b0e934a 678 size_t slen;
5d671101 679
49ae7423 680 if (!s->server) {
0f113f3e
MC		 681 sender = s->method->ssl3_enc->server_finished_label;
682 slen = s->method->ssl3_enc->server_finished_label_len;
683 } else {
684 sender = s->method->ssl3_enc->client_finished_label;
685 slen = s->method->ssl3_enc->client_finished_label_len;
686 }
687
5d671101
MC		 688 s->s3->tmp.peer_finish_md_len =
689 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
690 s->s3->tmp.peer_finish_md);
691
692 if (s->s3->tmp.peer_finish_md_len == 0) {
693 /* SSLfatal() already called */
694 return 0;
695 }
696
697 return 1;
0f113f3e 698}
ee2ffc27 699
be3583fa 700MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
b9908bf9 701{
348240c6 702 size_t remain;
4fa52141 703
73999b62 704 remain = PACKET_remaining(pkt);
657da85e
MC		 705 /*
706 * 'Change Cipher Spec' is just a single byte, which should already have
c69f2adf
MC		 707 * been consumed by ssl_get_message() so there should be no bytes left,
708 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
657da85e 709 */
c69f2adf 710 if (SSL_IS_DTLS(s)) {
73999b62 711 if ((s->version == DTLS1_BAD_VER
a230b26e
EK		 712 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
713 || (s->version != DTLS1_BAD_VER
714 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
f63a17d6
MC		 715 SSLfatal(s, SSL_AD_DECODE_ERROR,
716 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
717 SSL_R_BAD_CHANGE_CIPHER_SPEC);
718 return MSG_PROCESS_ERROR;
c69f2adf
MC		 719 }
720 } else {
73999b62 721 if (remain != 0) {
f63a17d6
MC		 722 SSLfatal(s, SSL_AD_DECODE_ERROR,
723 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
724 SSL_R_BAD_CHANGE_CIPHER_SPEC);
725 return MSG_PROCESS_ERROR;
c69f2adf 726 }
657da85e
MC		 727 }
728
729 /* Check we have a cipher to change to */
730 if (s->s3->tmp.new_cipher == NULL) {
f63a17d6
MC		 731 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
732 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
733 return MSG_PROCESS_ERROR;
657da85e
MC		 734 }
735
736 s->s3->change_cipher_spec = 1;
737 if (!ssl3_do_change_cipher_spec(s)) {
f63a17d6
MC		 738 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
739 ERR_R_INTERNAL_ERROR);
740 return MSG_PROCESS_ERROR;
657da85e
MC		 741 }
742
c69f2adf
MC		 743 if (SSL_IS_DTLS(s)) {
744 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
745
746 if (s->version == DTLS1_BAD_VER)
747 s->d1->handshake_read_seq++;
748
749#ifndef OPENSSL_NO_SCTP
750 /*
751 * Remember that a CCS has been received, so that an old key of
752 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
753 * SCTP is used
754 */
755 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
756#endif
757 }
758
b9908bf9 759 return MSG_PROCESS_CONTINUE_READING;
657da85e
MC		 760}
761
be3583fa 762MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
b9908bf9 763{
12472b45 764 size_t md_len;
b9908bf9 765
d781d247
MC		 766
767 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 768 if (s->server) {
de9e884b
MC		 769 /*
770 * To get this far we must have read encrypted data from the client. We
771 * no longer tolerate unencrypted alerts. This value is ignored if less
772 * than TLSv1.3
773 */
774 s->statem.enc_read_state = ENC_READ_STATE_VALID;
9d75dce3
TS		 775 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
776 s->statem.cleanuphand = 1;
777 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
778 /* SSLfatal() already called */
779 return MSG_PROCESS_ERROR;
780 }
781 }
d781d247 782
524420d8
MC		 783 /*
784 * In TLSv1.3 a Finished message signals a key change so the end of the
785 * message must be on a record boundary.
786 */
787 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
f63a17d6
MC		 788 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
789 SSL_R_NOT_ON_RECORD_BOUNDARY);
790 return MSG_PROCESS_ERROR;
524420d8
MC		 791 }
792
0f113f3e 793 /* If this occurs, we have missed a message */
92760c21 794 if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) {
f63a17d6
MC		 795 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
796 SSL_R_GOT_A_FIN_BEFORE_A_CCS);
797 return MSG_PROCESS_ERROR;
0f113f3e
MC		 798 }
799 s->s3->change_cipher_spec = 0;
800
12472b45 801 md_len = s->s3->tmp.peer_finish_md_len;
0f113f3e 802
12472b45 803 if (md_len != PACKET_remaining(pkt)) {
f63a17d6
MC		 804 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
805 SSL_R_BAD_DIGEST_LENGTH);
806 return MSG_PROCESS_ERROR;
0f113f3e
MC		 807 }
808
12472b45
MC		 809 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md,
810 md_len) != 0) {
f63a17d6
MC		 811 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
812 SSL_R_DIGEST_CHECK_FAILED);
813 return MSG_PROCESS_ERROR;
0f113f3e
MC		 814 }
815
816 /*
817 * Copy the finished so we can use it for renegotiation checks
818 */
380a522f 819 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
f63a17d6
MC		 820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
821 ERR_R_INTERNAL_ERROR);
822 return MSG_PROCESS_ERROR;
380a522f 823 }
23a635c0 824 if (s->server) {
12472b45
MC		 825 memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md,
826 md_len);
827 s->s3->previous_client_finished_len = md_len;
0f113f3e 828 } else {
12472b45
MC		 829 memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md,
830 md_len);
831 s->s3->previous_server_finished_len = md_len;
0f113f3e
MC		 832 }
833
7776a36c
MC		 834 /*
835 * In TLS1.3 we also have to change cipher state and do any final processing
836 * of the initial server flight (if we are a client)
837 */
92760c21
MC		 838 if (SSL_IS_TLS13(s)) {
839 if (s->server) {
9d75dce3
TS		 840 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
841 !s->method->ssl3_enc->change_cipher_state(s,
92760c21 842 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
f63a17d6
MC		 843 /* SSLfatal() already called */
844 return MSG_PROCESS_ERROR;
92760c21
MC		 845 }
846 } else {
910c8ffa
BK		 847 /* TLS 1.3 gets the secret size from the handshake md */
848 size_t dummy;
92760c21 849 if (!s->method->ssl3_enc->generate_master_secret(s,
ec15acb6 850 s->master_secret, s->handshake_secret, 0,
910c8ffa 851 &dummy)) {
f63a17d6
MC		 852 /* SSLfatal() already called */
853 return MSG_PROCESS_ERROR;
92760c21
MC		 854 }
855 if (!s->method->ssl3_enc->change_cipher_state(s,
856 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
f63a17d6
MC		 857 /* SSLfatal() already called */
858 return MSG_PROCESS_ERROR;
859 }
860 if (!tls_process_initial_server_flight(s)) {
861 /* SSLfatal() already called */
862 return MSG_PROCESS_ERROR;
92760c21
MC		 863 }
864 }
865 }
866
e6575156 867 return MSG_PROCESS_FINISHED_READING;
0f113f3e 868}
d02b48c6 869
7cea05dc 870int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
b9908bf9 871{
7cea05dc 872 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
d4d2f3a4
MC		 873 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
874 SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
85a7a5e6
MC		 875 return 0;
876 }
b9908bf9 877
b9908bf9
MC		 878 return 1;
879}
880
e96e0f8e 881/* Add a certificate to the WPACKET */
f63a17d6 882static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
0f113f3e 883{
e96e0f8e
MC		 884 int len;
885 unsigned char *outbytes;
886
887 len = i2d_X509(x, NULL);
888 if (len < 0) {
f63a17d6
MC		 889 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
890 ERR_R_BUF_LIB);
e96e0f8e
MC		 891 return 0;
892 }
893 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
894 || i2d_X509(x, &outbytes) != len) {
f63a17d6
MC		 895 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
896 ERR_R_INTERNAL_ERROR);
e96e0f8e
MC		 897 return 0;
898 }
899
900 if (SSL_IS_TLS13(s)
fe874d27 901 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
f63a17d6
MC		 902 chain)) {
903 /* SSLfatal() already called */
e96e0f8e 904 return 0;
f63a17d6 905 }
e96e0f8e
MC		 906
907 return 1;
908}
909
910/* Add certificate chain to provided WPACKET */
f63a17d6 911static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
e96e0f8e
MC		 912{
913 int i, chain_count;
914 X509 *x;
915 STACK_OF(X509) *extra_certs;
916 STACK_OF(X509) *chain = NULL;
917 X509_STORE *chain_store;
e96e0f8e
MC		 918
919 if (cpk == NULL || cpk->x509 == NULL)
920 return 1;
921
922 x = cpk->x509;
923
924 /*
925 * If we have a certificate specific chain use it, else use parent ctx.
926 */
d805a57b 927 if (cpk->chain != NULL)
e96e0f8e
MC		 928 extra_certs = cpk->chain;
929 else
930 extra_certs = s->ctx->extra_certs;
931
932 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
933 chain_store = NULL;
934 else if (s->cert->chain_store)
935 chain_store = s->cert->chain_store;
936 else
937 chain_store = s->ctx->cert_store;
938
d805a57b 939 if (chain_store != NULL) {
e96e0f8e
MC		 940 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();
941
942 if (xs_ctx == NULL) {
f63a17d6
MC		 943 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
944 ERR_R_MALLOC_FAILURE);
945 return 0;
e96e0f8e
MC		 946 }
947 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
948 X509_STORE_CTX_free(xs_ctx);
f63a17d6
MC		 949 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
950 ERR_R_X509_LIB);
951 return 0;
e96e0f8e
MC		 952 }
953 /*
954 * It is valid for the chain not to be complete (because normally we
955 * don't include the root cert in the chain). Therefore we deliberately
956 * ignore the error return from this call. We're not actually verifying
957 * the cert - we're just building as much of the chain as we can
958 */
959 (void)X509_verify_cert(xs_ctx);
960 /* Don't leave errors in the queue */
961 ERR_clear_error();
962 chain = X509_STORE_CTX_get0_chain(xs_ctx);
963 i = ssl_security_cert_chain(s, chain, NULL, 0);
964 if (i != 1) {
965#if 0
966 /* Dummy error calls so mkerr generates them */
967 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
968 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
969 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
970#endif
971 X509_STORE_CTX_free(xs_ctx);
f63a17d6
MC		 972 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
973 return 0;
e96e0f8e
MC		 974 }
975 chain_count = sk_X509_num(chain);
976 for (i = 0; i < chain_count; i++) {
977 x = sk_X509_value(chain, i);
978
f63a17d6
MC		 979 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
980 /* SSLfatal() already called */
e96e0f8e 981 X509_STORE_CTX_free(xs_ctx);
f63a17d6 982 return 0;
e96e0f8e
MC		 983 }
984 }
985 X509_STORE_CTX_free(xs_ctx);
986 } else {
987 i = ssl_security_cert_chain(s, extra_certs, x, 0);
988 if (i != 1) {
f63a17d6
MC		 989 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
990 return 0;
991 }
992 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
993 /* SSLfatal() already called */
994 return 0;
e96e0f8e 995 }
e96e0f8e
MC		 996 for (i = 0; i < sk_X509_num(extra_certs); i++) {
997 x = sk_X509_value(extra_certs, i);
f63a17d6
MC		 998 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
999 /* SSLfatal() already called */
1000 return 0;
1001 }
e96e0f8e
MC		 1002 }
1003 }
1004 return 1;
e96e0f8e
MC		 1005}
1006
f63a17d6 1007unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
e96e0f8e 1008{
f63a17d6
MC		 1009 if (!WPACKET_start_sub_packet_u24(pkt)) {
1010 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1011 ERR_R_INTERNAL_ERROR);
1012 return 0;
1013 }
e96e0f8e 1014
f63a17d6
MC		 1015 if (!ssl_add_cert_chain(s, pkt, cpk))
1016 return 0;
1017
1018 if (!WPACKET_close(pkt)) {
1019 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1020 ERR_R_INTERNAL_ERROR);
7cea05dc 1021 return 0;
77d514c5 1022 }
f63a17d6 1023
c49e1912 1024 return 1;
0f113f3e
MC		 1025}
1026
30f05b19
MC		 1027/*
1028 * Tidy up after the end of a handshake. In the case of SCTP this may result
1029 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1030 * freed up as well.
1031 */
2a8db717 1032WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
8723588e
MC		 1033{
1034 void (*cb) (const SSL *ssl, int type, int val) = NULL;
37857e9b 1035 int cleanuphand = s->statem.cleanuphand;
8723588e 1036
30f05b19 1037 if (clearbufs) {
a80de34b
N		 1038 if (!SSL_IS_DTLS(s)
1039#ifndef OPENSSL_NO_SCTP
30f05b19 1040 /*
a80de34b
N		 1041 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1042 * messages that require it. Therefore, DTLS procedures for retransmissions
1043 * MUST NOT be used.
1044 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1045 */
1046 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1047#endif
1048 ) {
1049 /*
1050 * We don't do this in DTLS over UDP because we may still need the init_buf
30f05b19
MC		 1051 * in case there are any unexpected retransmits
1052 */
1053 BUF_MEM_free(s->init_buf);
1054 s->init_buf = NULL;
1055 }
a80de34b 1056
a2c2e000
MC		 1057 if (!ssl_free_wbio_buffer(s)) {
1058 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
1059 ERR_R_INTERNAL_ERROR);
b77f3ed1 1060 return WORK_ERROR;
a2c2e000 1061 }
30f05b19 1062 s->init_num = 0;
473483d4 1063 }
8723588e 1064
9d75dce3
TS		 1065 if (SSL_IS_TLS13(s) && !s->server
1066 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1067 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1068
c2c1d8a4
MC		 1069 /*
1070 * Only set if there was a Finished message and this isn't after a TLSv1.3
1071 * post handshake exchange
1072 */
37857e9b 1073 if (cleanuphand) {
8723588e
MC		 1074 /* skipped if we just sent a HelloRequest */
1075 s->renegotiate = 0;
1076 s->new_session = 0;
c7f47786 1077 s->statem.cleanuphand = 0;
c0638ade 1078 s->ext.ticket_expected = 0;
8723588e 1079
30f05b19
MC		 1080 ssl3_cleanup_key_block(s);
1081
8723588e 1082 if (s->server) {
16ff1342
MC		 1083 /*
1084 * In TLSv1.3 we update the cache as part of constructing the
1085 * NewSessionTicket
1086 */
1087 if (!SSL_IS_TLS13(s))
1088 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
8723588e 1089
0e6161bc 1090 /* N.B. s->ctx may not equal s->session_ctx */
9ef9088c 1091 tsan_counter(&s->ctx->stats.sess_accept_good);
fe3a3291 1092 s->handshake_func = ossl_statem_accept;
8723588e 1093 } else {
4cb00457
MC		 1094 if (SSL_IS_TLS13(s)) {
1095 /*
1096 * We encourage applications to only use TLSv1.3 tickets once,
1097 * so we remove this one from the cache.
1098 */
1099 if ((s->session_ctx->session_cache_mode
1100 & SSL_SESS_CACHE_CLIENT) != 0)
1101 SSL_CTX_remove_session(s->session_ctx, s->session);
1102 } else {
1103 /*
1104 * In TLSv1.3 we update the cache as part of processing the
1105 * NewSessionTicket
1106 */
5d61491c 1107 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
4cb00457 1108 }
8723588e 1109 if (s->hit)
9ef9088c 1110 tsan_counter(&s->session_ctx->stats.sess_hit);
8723588e 1111
fe3a3291 1112 s->handshake_func = ossl_statem_connect;
9ef9088c 1113 tsan_counter(&s->session_ctx->stats.sess_connect_good);
8723588e
MC		 1114 }
1115
8723588e
MC		 1116 if (SSL_IS_DTLS(s)) {
1117 /* done with handshaking */
1118 s->d1->handshake_read_seq = 0;
1119 s->d1->handshake_write_seq = 0;
1120 s->d1->next_handshake_write_seq = 0;
f5c7f5df 1121 dtls1_clear_received_buffer(s);
8723588e
MC		 1122 }
1123 }
1124
c2c1d8a4
MC		 1125 if (s->info_callback != NULL)
1126 cb = s->info_callback;
1127 else if (s->ctx->info_callback != NULL)
1128 cb = s->ctx->info_callback;
1129
4ce787b9
MC		 1130 /* The callback may expect us to not be in init at handshake done */
1131 ossl_statem_set_in_init(s, 0);
1132
37857e9b
MC		 1133 if (cb != NULL) {
1134 if (cleanuphand
1135 || !SSL_IS_TLS13(s)
1136 || SSL_IS_FIRST_HANDSHAKE(s))
1137 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1138 }
c2c1d8a4 1139
4ce787b9
MC		 1140 if (!stop) {
1141 /* If we've got more work to do we go back into init */
1142 ossl_statem_set_in_init(s, 1);
30f05b19 1143 return WORK_FINISHED_CONTINUE;
4ce787b9 1144 }
30f05b19 1145
8723588e
MC		 1146 return WORK_FINISHED_STOP;
1147}
1148
9ab930b2
MC		 1149int tls_get_message_header(SSL *s, int *mt)
1150{
1151 /* s->init_num < SSL3_HM_HEADER_LENGTH */
d4d2f3a4 1152 int skip_message, i, recvd_type;
9ab930b2 1153 unsigned char *p;
54105ddd 1154 size_t l, readbytes;
9ab930b2
MC		 1155
1156 p = (unsigned char *)s->init_buf->data;
1157
1158 do {
1159 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1160 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
a230b26e
EK		 1161 &p[s->init_num],
1162 SSL3_HM_HEADER_LENGTH - s->init_num,
54105ddd 1163 0, &readbytes);
9ab930b2
MC		 1164 if (i <= 0) {
1165 s->rwstate = SSL_READING;
1166 return 0;
32ec4153 1167 }
9ab930b2 1168 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1257adec 1169 /*
a230b26e
EK		 1170 * A ChangeCipherSpec must be a single byte and may not occur
1171 * in the middle of a handshake message.
1172 */
54105ddd 1173 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
d4d2f3a4
MC		 1174 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1175 SSL_F_TLS_GET_MESSAGE_HEADER,
1176 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1177 return 0;
1257adec 1178 }
e9359719
MC		 1179 if (s->statem.hand_state == TLS_ST_BEFORE
1180 && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) {
1181 /*
1182 * We are stateless and we received a CCS. Probably this is
1183 * from a client between the first and second ClientHellos.
1184 * We should ignore this, but return an error because we do
1185 * not return success until we see the second ClientHello
1186 * with a valid cookie.
1187 */
1188 return 0;
1189 }
9ab930b2 1190 s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
54105ddd 1191 s->init_num = readbytes - 1;
c4377574 1192 s->init_msg = s->init_buf->data;
54105ddd 1193 s->s3->tmp.message_size = readbytes;
9ab930b2
MC		 1194 return 1;
1195 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
d4d2f3a4
MC		 1196 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1197 SSL_F_TLS_GET_MESSAGE_HEADER,
1198 SSL_R_CCS_RECEIVED_EARLY);
1199 return 0;
32ec4153 1200 }
54105ddd 1201 s->init_num += readbytes;
9ab930b2
MC		 1202 }
1203
1204 skip_message = 0;
1205 if (!s->server)
c7f47786
MC		 1206 if (s->statem.hand_state != TLS_ST_OK
1207 && p[0] == SSL3_MT_HELLO_REQUEST)
9ab930b2
MC		 1208 /*
1209 * The server may always send 'Hello Request' messages --
1210 * we are doing a handshake anyway now, so ignore them if
1211 * their format is correct. Does not count for 'Finished'
1212 * MAC.
1213 */
1214 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1215 s->init_num = 0;
1216 skip_message = 1;
1217
1218 if (s->msg_callback)
1219 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1220 p, SSL3_HM_HEADER_LENGTH, s,
1221 s->msg_callback_arg);
1222 }
1223 } while (skip_message);
1224 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1225
1226 *mt = *p;
1227 s->s3->tmp.message_type = *(p++);
32ec4153 1228
e8aa8b6c 1229 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
9ab930b2
MC		 1230 /*
1231 * Only happens with SSLv3+ in an SSLv2 backward compatible
1232 * ClientHello
e8aa8b6c
F		 1233 *
1234 * Total message size is the remaining record bytes to read
1235 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
9ab930b2 1236 */
9ab930b2
MC		 1237 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1238 + SSL3_HM_HEADER_LENGTH;
9ab930b2
MC		 1239 s->s3->tmp.message_size = l;
1240
1241 s->init_msg = s->init_buf->data;
1242 s->init_num = SSL3_HM_HEADER_LENGTH;
1243 } else {
1244 n2l3(p, l);
1245 /* BUF_MEM_grow takes an 'int' parameter */
1246 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
d4d2f3a4
MC		 1247 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
1248 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1249 return 0;
32ec4153 1250 }
9ab930b2
MC		 1251 s->s3->tmp.message_size = l;
1252
1253 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1254 s->init_num = 0;
1255 }
1256
1257 return 1;
9ab930b2
MC		 1258}
1259
eda75751 1260int tls_get_message_body(SSL *s, size_t *len)
9ab930b2 1261{
54105ddd 1262 size_t n, readbytes;
9ab930b2
MC		 1263 unsigned char *p;
1264 int i;
1265
1266 if (s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1267 /* We've already read everything in */
1268 *len = (unsigned long)s->init_num;
1269 return 1;
0f113f3e
MC		 1270 }
1271
0f113f3e
MC		 1272 p = s->init_msg;
1273 n = s->s3->tmp.message_size - s->init_num;
1274 while (n > 0) {
657da85e 1275 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
54105ddd 1276 &p[s->init_num], n, 0, &readbytes);
0f113f3e
MC		 1277 if (i <= 0) {
1278 s->rwstate = SSL_READING;
9ab930b2
MC		 1279 *len = 0;
1280 return 0;
0f113f3e 1281 }
54105ddd
MC		 1282 s->init_num += readbytes;
1283 n -= readbytes;
0f113f3e 1284 }
ee2ffc27 1285
0f113f3e
MC		 1286 /*
1287 * If receiving Finished, record MAC of prior handshake messages for
1288 * Finished verification.
1289 */
5d671101
MC		 1290 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1291 /* SSLfatal() already called */
1292 *len = 0;
1293 return 0;
1294 }
ee2ffc27 1295
0f113f3e 1296 /* Feed this message into MAC computation. */
e8aa8b6c 1297 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
d166ed8c
DSH		 1298 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1299 s->init_num)) {
d4d2f3a4 1300 /* SSLfatal() already called */
d166ed8c
DSH		 1301 *len = 0;
1302 return 0;
1303 }
32ec4153 1304 if (s->msg_callback)
a230b26e 1305 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
32ec4153
MC		 1306 (size_t)s->init_num, s, s->msg_callback_arg);
1307 } else {
11c67eea
MC		 1308 /*
1309 * We defer feeding in the HRR until later. We'll do it as part of
1310 * processing the message
9d75dce3
TS		 1311 * The TLsv1.3 handshake transcript stops at the ClientFinished
1312 * message.
11c67eea 1313 */
597c51bc 1314#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
9d75dce3
TS		 1315 /* KeyUpdate and NewSessionTicket do not need to be added */
1316 if (!SSL_IS_TLS13(s) || (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1317 && s->s3->tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1318 if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO
1319 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1320 || memcmp(hrrrandom,
1321 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1322 SSL3_RANDOM_SIZE) != 0) {
1323 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1324 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1325 /* SSLfatal() already called */
1326 *len = 0;
1327 return 0;
1328 }
597c51bc 1329 }
d166ed8c 1330 }
32ec4153
MC		 1331 if (s->msg_callback)
1332 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1333 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1334 s->msg_callback_arg);
1335 }
1336
eda75751 1337 *len = s->init_num;
9ab930b2 1338 return 1;
0f113f3e 1339}
d02b48c6 1340
c6d38183
RS		 1341static const X509ERR2ALERT x509table[] = {
1342 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1343 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1344 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1345 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1346 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1347 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1348 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1349 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1350 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1351 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1352 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1353 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1354 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1355 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1356 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1357 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1358 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1359 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1360 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1361 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1362 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1363 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1364 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1365 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1366 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1367 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1368 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1369 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1370 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1371 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1372 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1373 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1374 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1375 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1376 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1377 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1378 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1379 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1380 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1381
1382 /* Last entry; return this if we don't find the value above. */
1383 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1384};
1385
1386int ssl_x509err2alert(int x509err)
0f113f3e 1387{
c6d38183
RS		 1388 const X509ERR2ALERT *tp;
1389
1390 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1391 if (tp->x509err == x509err)
1392 break;
1393 return tp->alert;
0f113f3e 1394}
d02b48c6 1395
b362ccab 1396int ssl_allow_compression(SSL *s)
0f113f3e
MC		 1397{
1398 if (s->options & SSL_OP_NO_COMPRESSION)
1399 return 0;
1400 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1401}
4fa52141 1402
068c358a 1403static int version_cmp(const SSL *s, int a, int b)
4fa52141
VD		 1404{
1405 int dtls = SSL_IS_DTLS(s);
1406
1407 if (a == b)
1408 return 0;
1409 if (!dtls)
1410 return a < b ? -1 : 1;
1411 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1412}
1413
1414typedef struct {
1415 int version;
a230b26e
EK		 1416 const SSL_METHOD *(*cmeth) (void);
1417 const SSL_METHOD *(*smeth) (void);
4fa52141
VD		 1418} version_info;
1419
582a17d6
MC		 1420#if TLS_MAX_VERSION != TLS1_3_VERSION
1421# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
4fa52141
VD		 1422#endif
1423
f7f2a01d 1424/* Must be in order high to low */
4fa52141 1425static const version_info tls_version_table[] = {
582a17d6
MC		 1426#ifndef OPENSSL_NO_TLS1_3
1427 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1428#else
1429 {TLS1_3_VERSION, NULL, NULL},
1430#endif
6b01bed2 1431#ifndef OPENSSL_NO_TLS1_2
a230b26e 1432 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
6b01bed2 1433#else
a230b26e 1434 {TLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1435#endif
1436#ifndef OPENSSL_NO_TLS1_1
a230b26e 1437 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
6b01bed2 1438#else
a230b26e 1439 {TLS1_1_VERSION, NULL, NULL},
6b01bed2
VD		 1440#endif
1441#ifndef OPENSSL_NO_TLS1
a230b26e 1442 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
6b01bed2 1443#else
a230b26e 1444 {TLS1_VERSION, NULL, NULL},
6b01bed2 1445#endif
4fa52141 1446#ifndef OPENSSL_NO_SSL3
a230b26e 1447 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
6b01bed2 1448#else
a230b26e 1449 {SSL3_VERSION, NULL, NULL},
4fa52141 1450#endif
a230b26e 1451 {0, NULL, NULL},
4fa52141
VD		 1452};
1453
1454#if DTLS_MAX_VERSION != DTLS1_2_VERSION
1455# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1456#endif
1457
f7f2a01d 1458/* Must be in order high to low */
4fa52141 1459static const version_info dtls_version_table[] = {
6b01bed2 1460#ifndef OPENSSL_NO_DTLS1_2
a230b26e 1461 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
6b01bed2 1462#else
a230b26e 1463 {DTLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1464#endif
1465#ifndef OPENSSL_NO_DTLS1
a230b26e
EK		 1466 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1467 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
6b01bed2 1468#else
a230b26e
EK		 1469 {DTLS1_VERSION, NULL, NULL},
1470 {DTLS1_BAD_VER, NULL, NULL},
6b01bed2 1471#endif
a230b26e 1472 {0, NULL, NULL},
4fa52141
VD		 1473};
1474
1475/*
1476 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1477 *
1478 * @s: The SSL handle for the candidate method
1479 * @method: the intended method.
1480 *
1481 * Returns 0 on success, or an SSL error reason on failure.
1482 */
068c358a 1483static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
4fa52141
VD		 1484{
1485 int version = method->version;
1486
1487 if ((s->min_proto_version != 0 &&
1488 version_cmp(s, version, s->min_proto_version) < 0) ||
1489 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1490 return SSL_R_VERSION_TOO_LOW;
1491
1492 if (s->max_proto_version != 0 &&
a230b26e 1493 version_cmp(s, version, s->max_proto_version) > 0)
4fa52141
VD		 1494 return SSL_R_VERSION_TOO_HIGH;
1495
1496 if ((s->options & method->mask) != 0)
1497 return SSL_R_UNSUPPORTED_PROTOCOL;
1498 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1499 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
4fa52141
VD		 1500
1501 return 0;
1502}
1503
baa45c3e
MC		 1504/*
1505 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
cd3b53b8
MC		 1506 * certificate type, or has PSK or a certificate callback configured. Otherwise
1507 * returns 0.
baa45c3e
MC		 1508 */
1509static int is_tls13_capable(const SSL *s)
1510{
eaa32f36
MC		 1511 int i;
1512#ifndef OPENSSL_NO_EC
1513 int curve;
6f54ae7a 1514 EC_KEY *eckey;
eaa32f36 1515#endif
baa45c3e 1516
d162340d
MC		 1517#ifndef OPENSSL_NO_PSK
1518 if (s->psk_server_callback != NULL)
1519 return 1;
1520#endif
1521
cd3b53b8 1522 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
baa45c3e
MC		 1523 return 1;
1524
1525 for (i = 0; i < SSL_PKEY_NUM; i++) {
1526 /* Skip over certs disallowed for TLSv1.3 */
1527 switch (i) {
1528 case SSL_PKEY_DSA_SIGN:
1529 case SSL_PKEY_GOST01:
1530 case SSL_PKEY_GOST12_256:
1531 case SSL_PKEY_GOST12_512:
1532 continue;
1533 default:
1534 break;
1535 }
6f54ae7a
MC		 1536 if (!ssl_has_cert(s, i))
1537 continue;
eaa32f36 1538#ifndef OPENSSL_NO_EC
6f54ae7a
MC		 1539 if (i != SSL_PKEY_ECC)
1540 return 1;
1541 /*
1542 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1543 * more restrictive so check that our sig algs are consistent with this
1544 * EC cert. See section 4.2.3 of RFC8446.
1545 */
1546 eckey = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1547 if (eckey == NULL)
1548 continue;
1549 curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
1550 if (tls_check_sigalg_curve(s, curve))
baa45c3e 1551 return 1;
eaa32f36
MC		 1552#else
1553 return 1;
1554#endif
baa45c3e
MC		 1555 }
1556
1557 return 0;
1558}
1559
ccae4a15
FI		 1560/*
1561 * ssl_version_supported - Check that the specified `version` is supported by
1562 * `SSL *` instance
1563 *
1564 * @s: The SSL handle for the candidate method
1565 * @version: Protocol version to test against
1566 *
1567 * Returns 1 when supported, otherwise 0
1568 */
4fd12788 1569int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
ccae4a15
FI		 1570{
1571 const version_info *vent;
1572 const version_info *table;
1573
1574 switch (s->method->version) {
1575 default:
1576 /* Version should match method version for non-ANY method */
1577 return version_cmp(s, version, s->version) == 0;
1578 case TLS_ANY_VERSION:
1579 table = tls_version_table;
1580 break;
1581 case DTLS_ANY_VERSION:
1582 table = dtls_version_table;
1583 break;
1584 }
1585
1586 for (vent = table;
1587 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1588 ++vent) {
baa45c3e
MC		 1589 if (vent->cmeth != NULL
1590 && version_cmp(s, version, vent->version) == 0
1591 && ssl_method_error(s, vent->cmeth()) == 0
1592 && (!s->server
1593 || version != TLS1_3_VERSION
1594 || is_tls13_capable(s))) {
4fd12788
MC		 1595 if (meth != NULL)
1596 *meth = vent->cmeth();
ccae4a15
FI		 1597 return 1;
1598 }
1599 }
1600 return 0;
1601}
1602
4fa52141
VD		 1603/*
1604 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1605 * fallback indication from a client check whether we're using the highest
1606 * supported protocol version.
1607 *
1608 * @s server SSL handle.
1609 *
1610 * Returns 1 when using the highest enabled version, 0 otherwise.
1611 */
1612int ssl_check_version_downgrade(SSL *s)
1613{
1614 const version_info *vent;
1615 const version_info *table;
1616
1617 /*
1618 * Check that the current protocol is the highest enabled version
1619 * (according to s->ctx->method, as version negotiation may have changed
1620 * s->method).
1621 */
1622 if (s->version == s->ctx->method->version)
1623 return 1;
1624
1625 /*
1626 * Apparently we're using a version-flexible SSL_METHOD (not at its
1627 * highest protocol version).
1628 */
1629 if (s->ctx->method->version == TLS_method()->version)
1630 table = tls_version_table;
1631 else if (s->ctx->method->version == DTLS_method()->version)
1632 table = dtls_version_table;
1633 else {
1634 /* Unexpected state; fail closed. */
1635 return 0;
1636 }
1637
1638 for (vent = table; vent->version != 0; ++vent) {
a230b26e 1639 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
4fa52141
VD		 1640 return s->version == vent->version;
1641 }
1642 return 0;
1643}
1644
1645/*
1646 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1647 * protocols, provided the initial (D)TLS method is version-flexible. This
1648 * function sanity-checks the proposed value and makes sure the method is
1649 * version-flexible, then sets the limit if all is well.
1650 *
1651 * @method_version: The version of the current SSL_METHOD.
1652 * @version: the intended limit.
1653 * @bound: pointer to limit to be updated.
1654 *
1655 * Returns 1 on success, 0 on failure.
1656 */
1657int ssl_set_version_bound(int method_version, int version, int *bound)
1658{
869e978c
KR		 1659 if (version == 0) {
1660 *bound = version;
1661 return 1;
1662 }
1663
4fa52141
VD		 1664 /*-
1665 * Restrict TLS methods to TLS protocol versions.
1666 * Restrict DTLS methods to DTLS protocol versions.
1667 * Note, DTLS version numbers are decreasing, use comparison macros.
1668 *
1669 * Note that for both lower-bounds we use explicit versions, not
1670 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1671 * configurations. If the MIN (supported) version ever rises, the user's
1672 * "floor" remains valid even if no longer available. We don't expect the
1673 * MAX ceiling to ever get lower, so making that variable makes sense.
1674 */
1675 switch (method_version) {
1676 default:
1677 /*
1678 * XXX For fixed version methods, should we always fail and not set any
1679 * bounds, always succeed and not set any bounds, or set the bounds and
1680 * arrange to fail later if they are not met? At present fixed-version
1681 * methods are not subject to controls that disable individual protocol
1682 * versions.
1683 */
1684 return 0;
1685
1686 case TLS_ANY_VERSION:
1687 if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
1688 return 0;
1689 break;
1690
1691 case DTLS_ANY_VERSION:
1692 if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) ||
032924c4 1693 DTLS_VERSION_LT(version, DTLS1_BAD_VER))
4fa52141
VD		 1694 return 0;
1695 break;
1696 }
1697
1698 *bound = version;
1699 return 1;
1700}
1701
f7f2a01d
MC		 1702static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1703{
1704 if (vers == TLS1_2_VERSION
4fd12788 1705 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
f7f2a01d 1706 *dgrd = DOWNGRADE_TO_1_2;
5627f9f2
MC		 1707 } else if (!SSL_IS_DTLS(s)
1708 && vers < TLS1_2_VERSION
1709 /*
1710 * We need to ensure that a server that disables TLSv1.2
1711 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1712 * complete handshakes with clients that support TLSv1.2 and
1713 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1714 * enabled and TLSv1.2 is not.
1715 */
1716 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
f7f2a01d
MC		 1717 *dgrd = DOWNGRADE_TO_1_1;
1718 } else {
1719 *dgrd = DOWNGRADE_NONE;
1720 }
1721}
1722
4fa52141
VD		 1723/*
1724 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1725 * client HELLO is received to select the final server protocol version and
1726 * the version specific method.
1727 *
1728 * @s: server SSL handle.
1729 *
1730 * Returns 0 on success or an SSL error reason number on failure.
1731 */
f7f2a01d 1732int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
4fa52141
VD		 1733{
1734 /*-
1735 * With version-flexible methods we have an initial state with:
1736 *
1737 * s->method->version == (D)TLS_ANY_VERSION,
1738 * s->version == (D)TLS_MAX_VERSION.
1739 *
1740 * So we detect version-flexible methods via the method version, not the
1741 * handle version.
1742 */
1743 int server_version = s->method->version;
df7ce507 1744 int client_version = hello->legacy_version;
4fa52141
VD		 1745 const version_info *vent;
1746 const version_info *table;
1747 int disabled = 0;
cd998837 1748 RAW_EXTENSION *suppversions;
4fa52141 1749
1ab3836b
MC		 1750 s->client_version = client_version;
1751
4fa52141
VD		 1752 switch (server_version) {
1753 default:
7d061fce
MC		 1754 if (!SSL_IS_TLS13(s)) {
1755 if (version_cmp(s, client_version, s->version) < 0)
1756 return SSL_R_WRONG_SSL_VERSION;
f7f2a01d 1757 *dgrd = DOWNGRADE_NONE;
7d061fce
MC		 1758 /*
1759 * If this SSL handle is not from a version flexible method we don't
1760 * (and never did) check min/max FIPS or Suite B constraints. Hope
1761 * that's OK. It is up to the caller to not choose fixed protocol
1762 * versions they don't want. If not, then easy to fix, just return
1763 * ssl_method_error(s, s->method)
1764 */
1765 return 0;
1766 }
d2f42576 1767 /*
7d061fce
MC		 1768 * Fall through if we are TLSv1.3 already (this means we must be after
1769 * a HelloRetryRequest
4fa52141 1770 */
018fcbec 1771 /* fall thru */
4fa52141
VD		 1772 case TLS_ANY_VERSION:
1773 table = tls_version_table;
1774 break;
1775 case DTLS_ANY_VERSION:
1776 table = dtls_version_table;
1777 break;
1778 }
1779
70af3d8e 1780 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
cd998837 1781
6f40214f 1782 /* If we did an HRR then supported versions is mandatory */
fc7129dc 1783 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
6f40214f
MC		 1784 return SSL_R_UNSUPPORTED_PROTOCOL;
1785
70af3d8e 1786 if (suppversions->present && !SSL_IS_DTLS(s)) {
cd998837
MC		 1787 unsigned int candidate_vers = 0;
1788 unsigned int best_vers = 0;
1789 const SSL_METHOD *best_method = NULL;
1790 PACKET versionslist;
1791
6b473aca
MC		 1792 suppversions->parsed = 1;
1793
16bce0e0 1794 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
cd998837
MC		 1795 /* Trailing or invalid data? */
1796 return SSL_R_LENGTH_MISMATCH;
1797 }
1798
d8434cf8
MC		 1799 /*
1800 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1801 * The spec only requires servers to check that it isn't SSLv3:
1802 * "Any endpoint receiving a Hello message with
1803 * ClientHello.legacy_version or ServerHello.legacy_version set to
1804 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1805 * We are slightly stricter and require that it isn't SSLv3 or lower.
1806 * We tolerate TLSv1 and TLSv1.1.
1807 */
1808 if (client_version <= SSL3_VERSION)
1809 return SSL_R_BAD_LEGACY_VERSION;
1810
cd998837 1811 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
cd998837
MC		 1812 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1813 continue;
4fd12788
MC		 1814 if (ssl_version_supported(s, candidate_vers, &best_method))
1815 best_vers = candidate_vers;
cd998837
MC		 1816 }
1817 if (PACKET_remaining(&versionslist) != 0) {
1818 /* Trailing data? */
1819 return SSL_R_LENGTH_MISMATCH;
1820 }
1821
1822 if (best_vers > 0) {
fc7129dc 1823 if (s->hello_retry_request != SSL_HRR_NONE) {
7d061fce 1824 /*
6f40214f
MC		 1825 * This is after a HelloRetryRequest so we better check that we
1826 * negotiated TLSv1.3
7d061fce
MC		 1827 */
1828 if (best_vers != TLS1_3_VERSION)
1829 return SSL_R_UNSUPPORTED_PROTOCOL;
1830 return 0;
1831 }
f7f2a01d 1832 check_for_downgrade(s, best_vers, dgrd);
cd998837
MC		 1833 s->version = best_vers;
1834 s->method = best_method;
1835 return 0;
1836 }
1837 return SSL_R_UNSUPPORTED_PROTOCOL;
1838 }
1839
1840 /*
1841 * If the supported versions extension isn't present, then the highest
1842 * version we can negotiate is TLSv1.2
1843 */
1844 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1845 client_version = TLS1_2_VERSION;
1846
1847 /*
1848 * No supported versions extension, so we just use the version supplied in
1849 * the ClientHello.
1850 */
4fa52141
VD		 1851 for (vent = table; vent->version != 0; ++vent) {
1852 const SSL_METHOD *method;
1853
1854 if (vent->smeth == NULL ||
1855 version_cmp(s, client_version, vent->version) < 0)
1856 continue;
1857 method = vent->smeth();
1858 if (ssl_method_error(s, method) == 0) {
f7f2a01d 1859 check_for_downgrade(s, vent->version, dgrd);
4fa52141
VD		 1860 s->version = vent->version;
1861 s->method = method;
1862 return 0;
1863 }
1864 disabled = 1;
1865 }
1866 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1867}
1868
1869/*
1870 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1871 * server HELLO is received to select the final client protocol version and
1872 * the version specific method.
1873 *
1874 * @s: client SSL handle.
1875 * @version: The proposed version from the server's HELLO.
88050dd1 1876 * @extensions: The extensions received
4fa52141 1877 *
29bfd5b7 1878 * Returns 1 on success or 0 on error.
4fa52141 1879 */
88050dd1 1880int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
4fa52141
VD		 1881{
1882 const version_info *vent;
1883 const version_info *table;
b5b993b2 1884 int ret, ver_min, ver_max, real_max, origv;
4fa52141 1885
88050dd1
MC		 1886 origv = s->version;
1887 s->version = version;
b97667ce 1888
88050dd1
MC		 1889 /* This will overwrite s->version if the extension is present */
1890 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1891 SSL_EXT_TLS1_2_SERVER_HELLO
1892 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1893 NULL, 0)) {
1894 s->version = origv;
1895 return 0;
1896 }
1897
fc7129dc
MC		 1898 if (s->hello_retry_request != SSL_HRR_NONE
1899 && s->version != TLS1_3_VERSION) {
88050dd1 1900 s->version = origv;
29bfd5b7
MC		 1901 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1902 SSL_R_WRONG_SSL_VERSION);
1903 return 0;
c3043dcd
MC		 1904 }
1905
4fa52141
VD		 1906 switch (s->method->version) {
1907 default:
88050dd1
MC		 1908 if (s->version != s->method->version) {
1909 s->version = origv;
29bfd5b7
MC		 1910 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1911 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1912 SSL_R_WRONG_SSL_VERSION);
1913 return 0;
c3043dcd 1914 }
4fa52141
VD		 1915 /*
1916 * If this SSL handle is not from a version flexible method we don't
1917 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1918 * that's OK. It is up to the caller to not choose fixed protocol
1919 * versions they don't want. If not, then easy to fix, just return
1920 * ssl_method_error(s, s->method)
1921 */
29bfd5b7 1922 return 1;
4fa52141
VD		 1923 case TLS_ANY_VERSION:
1924 table = tls_version_table;
1925 break;
1926 case DTLS_ANY_VERSION:
1927 table = dtls_version_table;
1928 break;
1929 }
1930
b5b993b2
MC		 1931 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1932 if (ret != 0) {
1933 s->version = origv;
1934 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1935 SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
1936 return 0;
1937 }
1938 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1939 : s->version < ver_min) {
1940 s->version = origv;
1941 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1942 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1943 return 0;
1944 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1945 : s->version > ver_max) {
1946 s->version = origv;
1947 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1948 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1949 return 0;
1950 }
5df22060 1951
b5b993b2
MC		 1952 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1953 real_max = ver_max;
c3043dcd 1954
b5b993b2
MC		 1955 /* Check for downgrades */
1956 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1957 if (memcmp(tls12downgrade,
1958 s->s3->server_random + SSL3_RANDOM_SIZE
1959 - sizeof(tls12downgrade),
1960 sizeof(tls12downgrade)) == 0) {
1961 s->version = origv;
1962 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1963 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1964 SSL_R_INAPPROPRIATE_FALLBACK);
1965 return 0;
1966 }
1967 } else if (!SSL_IS_DTLS(s)
1968 && s->version < TLS1_2_VERSION
1969 && real_max > s->version) {
1970 if (memcmp(tls11downgrade,
1971 s->s3->server_random + SSL3_RANDOM_SIZE
1972 - sizeof(tls11downgrade),
1973 sizeof(tls11downgrade)) == 0) {
1974 s->version = origv;
1975 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1976 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1977 SSL_R_INAPPROPRIATE_FALLBACK);
1978 return 0;
c3043dcd 1979 }
b5b993b2 1980 }
c3043dcd 1981
b5b993b2
MC		 1982 for (vent = table; vent->version != 0; ++vent) {
1983 if (vent->cmeth == NULL || s->version != vent->version)
c3043dcd
MC		 1984 continue;
1985
b5b993b2 1986 s->method = vent->cmeth();
29bfd5b7 1987 return 1;
4fa52141
VD		 1988 }
1989
88050dd1 1990 s->version = origv;
29bfd5b7
MC		 1991 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1992 SSL_R_UNSUPPORTED_PROTOCOL);
1993 return 0;
4fa52141
VD		 1994}
1995
068c358a 1996/*
38a73150 1997 * ssl_get_min_max_version - get minimum and maximum protocol version
068c358a
KR		 1998 * @s: The SSL connection
1999 * @min_version: The minimum supported version
2000 * @max_version: The maximum supported version
b5b993b2
MC		 2001 * @real_max: The highest version below the lowest compile time version hole
2002 * where that hole lies above at least one run-time enabled
2003 * protocol.
068c358a
KR		 2004 *
2005 * Work out what version we should be using for the initial ClientHello if the
2006 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2007 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
b53338cb 2008 * constraints and any floor imposed by the security level here,
068c358a 2009 * so we don't advertise the wrong protocol version to only reject the outcome later.
4fa52141 2010 *
0485d540 2011 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
4fa52141
VD		 2012 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2013 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2014 *
068c358a
KR		 2015 * Returns 0 on success or an SSL error reason number on failure. On failure
2016 * min_version and max_version will also be set to 0.
4fa52141 2017 */
b5b993b2
MC		 2018int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2019 int *real_max)
4fa52141 2020{
b5b993b2 2021 int version, tmp_real_max;
4fa52141
VD		 2022 int hole;
2023 const SSL_METHOD *single = NULL;
2024 const SSL_METHOD *method;
2025 const version_info *table;
2026 const version_info *vent;
2027
2028 switch (s->method->version) {
2029 default:
2030 /*
2031 * If this SSL handle is not from a version flexible method we don't
2032 * (and never did) check min/max FIPS or Suite B constraints. Hope
2033 * that's OK. It is up to the caller to not choose fixed protocol
2034 * versions they don't want. If not, then easy to fix, just return
2035 * ssl_method_error(s, s->method)
2036 */
068c358a 2037 *min_version = *max_version = s->version;
b5b993b2
MC		 2038 /*
2039 * Providing a real_max only makes sense where we're using a version
2040 * flexible method.
2041 */
2042 if (!ossl_assert(real_max == NULL))
2043 return ERR_R_INTERNAL_ERROR;
4fa52141
VD		 2044 return 0;
2045 case TLS_ANY_VERSION:
2046 table = tls_version_table;
2047 break;
2048 case DTLS_ANY_VERSION:
2049 table = dtls_version_table;
2050 break;
2051 }
2052
2053 /*
2054 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2055 * below X enabled. This is required in order to maintain the "version
2056 * capability" vector contiguous. Any versions with a NULL client method
2057 * (protocol version client is disabled at compile-time) is also a "hole".
2058 *
2059 * Our initial state is hole == 1, version == 0. That is, versions above
2060 * the first version in the method table are disabled (a "hole" above
2061 * the valid protocol entries) and we don't have a selected version yet.
2062 *
2063 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2064 * the selected version, and the method becomes a candidate "single"
2065 * method. We're no longer in a hole, so "hole" becomes 0.
2066 *
2067 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2068 * as we support a contiguous range of at least two methods. If we hit
2069 * a disabled method, then hole becomes true again, but nothing else
2070 * changes yet, because all the remaining methods may be disabled too.
2071 * If we again hit an enabled method after the new hole, it becomes
2072 * selected, as we start from scratch.
2073 */
068c358a 2074 *min_version = version = 0;
4fa52141 2075 hole = 1;
b5b993b2
MC		 2076 if (real_max != NULL)
2077 *real_max = 0;
2078 tmp_real_max = 0;
4fa52141
VD		 2079 for (vent = table; vent->version != 0; ++vent) {
2080 /*
2081 * A table entry with a NULL client method is still a hole in the
2082 * "version capability" vector.
2083 */
2084 if (vent->cmeth == NULL) {
2085 hole = 1;
b5b993b2 2086 tmp_real_max = 0;
4fa52141
VD		 2087 continue;
2088 }
2089 method = vent->cmeth();
b5b993b2
MC		 2090
2091 if (hole == 1 && tmp_real_max == 0)
2092 tmp_real_max = vent->version;
2093
4fa52141
VD		 2094 if (ssl_method_error(s, method) != 0) {
2095 hole = 1;
2096 } else if (!hole) {
2097 single = NULL;
068c358a 2098 *min_version = method->version;
4fa52141 2099 } else {
b5b993b2
MC		 2100 if (real_max != NULL && tmp_real_max != 0)
2101 *real_max = tmp_real_max;
4fa52141 2102 version = (single = method)->version;
068c358a 2103 *min_version = version;
4fa52141
VD		 2104 hole = 0;
2105 }
2106 }
2107
068c358a
KR		 2108 *max_version = version;
2109
4fa52141
VD		 2110 /* Fail if everything is disabled */
2111 if (version == 0)
2112 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2113
068c358a
KR		 2114 return 0;
2115}
2116
2117/*
2118 * ssl_set_client_hello_version - Work out what version we should be using for
7acb8b64 2119 * the initial ClientHello.legacy_version field.
068c358a
KR		 2120 *
2121 * @s: client SSL handle.
2122 *
2123 * Returns 0 on success or an SSL error reason number on failure.
2124 */
2125int ssl_set_client_hello_version(SSL *s)
2126{
3eb2aff4 2127 int ver_min, ver_max, ret;
068c358a 2128
447cc0ad
MC		 2129 /*
2130 * In a renegotiation we always send the same client_version that we sent
2131 * last time, regardless of which version we eventually negotiated.
2132 */
2133 if (!SSL_IS_FIRST_HANDSHAKE(s))
2134 return 0;
2135
b5b993b2 2136 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
068c358a
KR		 2137
2138 if (ret != 0)
2139 return ret;
2140
7acb8b64
MC		 2141 s->version = ver_max;
2142
2143 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2144 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2145 ver_max = TLS1_2_VERSION;
2146
2147 s->client_version = ver_max;
4fa52141
VD		 2148 return 0;
2149}
aff9929b
MC		 2150
2151/*
2152 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2153 * and |checkallow| is 1 then additionally check if the group is allowed to be
2154 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2155 * 1) or 0 otherwise.
2156 */
deb2d5e7 2157#ifndef OPENSSL_NO_EC
9e84a42d 2158int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
aff9929b
MC		 2159 size_t num_groups, int checkallow)
2160{
2161 size_t i;
2162
2163 if (groups == NULL || num_groups == 0)
2164 return 0;
2165
9e84a42d
DSH		 2166 for (i = 0; i < num_groups; i++) {
2167 uint16_t group = groups[i];
2168
2169 if (group_id == group
aff9929b 2170 && (!checkallow
9e84a42d 2171 || tls_curve_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
0acee504 2172 return 1;
aff9929b
MC		 2173 }
2174 }
2175
0acee504 2176 return 0;
aff9929b 2177}
deb2d5e7 2178#endif
11c67eea
MC		 2179
2180/* Replace ClientHello1 in the transcript hash with a synthetic message */
43054d3d
MC		 2181int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2182 size_t hashlen, const unsigned char *hrr,
2183 size_t hrrlen)
11c67eea 2184{
43054d3d 2185 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
635b7d3f
MC		 2186 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2187
2188 memset(msghdr, 0, sizeof(msghdr));
11c67eea 2189
43054d3d
MC		 2190 if (hashval == NULL) {
2191 hashval = hashvaltmp;
2192 hashlen = 0;
2193 /* Get the hash of the initial ClientHello */
2194 if (!ssl3_digest_cached_records(s, 0)
2195 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2196 &hashlen)) {
2197 /* SSLfatal() already called */
2198 return 0;
2199 }
11c67eea
MC		 2200 }
2201
2202 /* Reinitialise the transcript hash */
f63a17d6
MC		 2203 if (!ssl3_init_finished_mac(s)) {
2204 /* SSLfatal() already called */
11c67eea 2205 return 0;
f63a17d6 2206 }
11c67eea
MC		 2207
2208 /* Inject the synthetic message_hash message */
635b7d3f 2209 msghdr[0] = SSL3_MT_MESSAGE_HASH;
3a63c0ed 2210 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
11c67eea
MC		 2211 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2212 || !ssl3_finish_mac(s, hashval, hashlen)) {
f63a17d6 2213 /* SSLfatal() already called */
11c67eea
MC		 2214 return 0;
2215 }
2216
43054d3d
MC		 2217 /*
2218 * Now re-inject the HRR and current message if appropriate (we just deleted
2219 * it when we reinitialised the transcript hash above). Only necessary after
2220 * receiving a ClientHello2 with a cookie.
2221 */
2222 if (hrr != NULL
2223 && (!ssl3_finish_mac(s, hrr, hrrlen)
2224 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2225 s->s3->tmp.message_size
2226 + SSL3_HM_HEADER_LENGTH))) {
2227 /* SSLfatal() already called */
2228 return 0;
2229 }
2230
11c67eea
MC		 2231 return 1;
2232}
5d6cca05
DSH		 2233
2234static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2235{
2236 return X509_NAME_cmp(*a, *b);
2237}
2238
f63a17d6 2239int parse_ca_names(SSL *s, PACKET *pkt)
5d6cca05
DSH		 2240{
2241 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2242 X509_NAME *xn = NULL;
2243 PACKET cadns;
2244
2245 if (ca_sk == NULL) {
f63a17d6
MC		 2246 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2247 ERR_R_MALLOC_FAILURE);
2248 goto err;
5d6cca05
DSH		 2249 }
2250 /* get the CA RDNs */
2251 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
f63a17d6
MC		 2252 SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
2253 SSL_R_LENGTH_MISMATCH);
2254 goto err;
5d6cca05
DSH		 2255 }
2256
2257 while (PACKET_remaining(&cadns)) {
2258 const unsigned char *namestart, *namebytes;
2259 unsigned int name_len;
2260
2261 if (!PACKET_get_net_2(&cadns, &name_len)
2262 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
f63a17d6
MC		 2263 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2264 SSL_R_LENGTH_MISMATCH);
2265 goto err;
5d6cca05
DSH		 2266 }
2267
2268 namestart = namebytes;
2269 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
f63a17d6
MC		 2270 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2271 ERR_R_ASN1_LIB);
2272 goto err;
5d6cca05
DSH		 2273 }
2274 if (namebytes != (namestart + name_len)) {
f63a17d6
MC		 2275 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2276 SSL_R_CA_DN_LENGTH_MISMATCH);
2277 goto err;
5d6cca05
DSH		 2278 }
2279
2280 if (!sk_X509_NAME_push(ca_sk, xn)) {
f63a17d6
MC		 2281 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2282 ERR_R_MALLOC_FAILURE);
5d6cca05
DSH		 2283 goto err;
2284 }
2285 xn = NULL;
2286 }
2287
fa7c2637
DSH		 2288 sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
2289 s->s3->tmp.peer_ca_names = ca_sk;
5d6cca05
DSH		 2290
2291 return 1;
2292
5d6cca05
DSH		 2293 err:
2294 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2295 X509_NAME_free(xn);
2296 return 0;
2297}
2298
b4970e8b 2299const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
5d6cca05 2300{
b4970e8b 2301 const STACK_OF(X509_NAME) *ca_sk = NULL;;
5d6cca05 2302
b4970e8b
MC		 2303 if (s->server) {
2304 ca_sk = SSL_get_client_CA_list(s);
2305 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2306 ca_sk = NULL;
2307 }
2308
2309 if (ca_sk == NULL)
2310 ca_sk = SSL_get0_CA_list(s);
2311
2312 return ca_sk;
2313}
2314
2315int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2316{
5d6cca05 2317 /* Start sub-packet for client CA list */
f63a17d6
MC		 2318 if (!WPACKET_start_sub_packet_u16(pkt)) {
2319 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2320 ERR_R_INTERNAL_ERROR);
5d6cca05 2321 return 0;
f63a17d6 2322 }
5d6cca05
DSH		 2323
2324 if (ca_sk != NULL) {
2325 int i;
2326
2327 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2328 unsigned char *namebytes;
2329 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2330 int namelen;
2331
2332 if (name == NULL
2333 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2334 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2335 &namebytes)
2336 || i2d_X509_NAME(name, &namebytes) != namelen) {
f63a17d6
MC		 2337 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2338 ERR_R_INTERNAL_ERROR);
5d6cca05
DSH		 2339 return 0;
2340 }
2341 }
2342 }
2343
f63a17d6
MC		 2344 if (!WPACKET_close(pkt)) {
2345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2346 ERR_R_INTERNAL_ERROR);
5d6cca05 2347 return 0;
f63a17d6 2348 }
5d6cca05
DSH		 2349
2350 return 1;
2351}
72ceb6a6
DSH		 2352
2353/* Create a buffer containing data to be signed for server key exchange */
f63a17d6 2354size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
72ceb6a6
DSH		 2355 const void *param, size_t paramlen)
2356{
2357 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2358 unsigned char *tbs = OPENSSL_malloc(tbslen);
2359
f63a17d6
MC		 2360 if (tbs == NULL) {
2361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
2362 ERR_R_MALLOC_FAILURE);
72ceb6a6 2363 return 0;
f63a17d6 2364 }
72ceb6a6
DSH		 2365 memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE);
2366 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE);
2367
2368 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2369
2370 *ptbs = tbs;
2371 return tbslen;
2372}
9d75dce3
TS		 2373
2374/*
2375 * Saves the current handshake digest for Post-Handshake Auth,
2376 * Done after ClientFinished is processed, done exactly once
2377 */
2378int tls13_save_handshake_digest_for_pha(SSL *s)
2379{
2380 if (s->pha_dgst == NULL) {
2381 if (!ssl3_digest_cached_records(s, 1))
2382 /* SSLfatal() already called */
2383 return 0;
2384
2385 s->pha_dgst = EVP_MD_CTX_new();
2386 if (s->pha_dgst == NULL) {
2387 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2388 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2389 ERR_R_INTERNAL_ERROR);
2390 return 0;
2391 }
2392 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2393 s->s3->handshake_dgst)) {
2394 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2395 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2396 ERR_R_INTERNAL_ERROR);
2397 return 0;
2398 }
2399 }
2400 return 1;
2401}
2402
2403/*
2404 * Restores the Post-Handshake Auth handshake digest
2405 * Done just before sending/processing the Cert Request
2406 */
2407int tls13_restore_handshake_digest_for_pha(SSL *s)
2408{
2409 if (s->pha_dgst == NULL) {
2410 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2411 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2412 ERR_R_INTERNAL_ERROR);
2413 return 0;
2414 }
2415 if (!EVP_MD_CTX_copy_ex(s->s3->handshake_dgst,
2416 s->pha_dgst)) {
2417 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2418 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2419 ERR_R_INTERNAL_ERROR);
2420 return 0;
2421 }
2422 return 1;
2423}
A mirror of the official openssl repository