]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/statem_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Convert ssl3_get_record to tls_read_record
[thirdparty/openssl.git] / ssl / statem / statem_lib.c
CommitLineData
846e33c7 1/*
fecb3aae 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
aa8f3d76 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
3813046d 4 *
2c18d164 5 * Licensed under the Apache License 2.0 (the "License"). You may not use
846e33c7
RS		 6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
3813046d 9 */
846e33c7 10
48948d53 11#include <limits.h>
f2d9a32c 12#include <string.h>
d02b48c6 13#include <stdio.h>
706457b7
DMSP		 14#include "../ssl_local.h"
15#include "statem_local.h"
67dc995e 16#include "internal/cryptlib.h"
ec577822 17#include <openssl/buffer.h>
ec577822
BM		 18#include <openssl/objects.h>
19#include <openssl/evp.h>
d7e498ac 20#include <openssl/rsa.h>
ec577822 21#include <openssl/x509.h>
49b26f54 22#include <openssl/trace.h>
d02b48c6 23
c6d38183
RS		 24/*
25 * Map error codes to TLS/SSL alart types.
26 */
27typedef struct x509err2alert_st {
28 int x509err;
29 int alert;
30} X509ERR2ALERT;
31
597c51bc
MC		 32/* Fixed value used in the ServerHello random field to identify an HRR */
33const unsigned char hrrrandom[] = {
34 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37};
38
0f113f3e
MC		 39/*
40 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41 * SSL3_RT_CHANGE_CIPHER_SPEC)
42 */
38b051a1 43int ssl3_do_write(SSL_CONNECTION *s, int type)
0f113f3e
MC		 44{
45 int ret;
7ee8627f 46 size_t written = 0;
38b051a1 47 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
0f113f3e 48
38b051a1 49 ret = ssl3_write_bytes(ssl, type, &s->init_buf->data[s->init_off],
7ee8627f 50 s->init_num, &written);
0f113f3e 51 if (ret < 0)
26a7d938 52 return -1;
0f113f3e
MC		 53 if (type == SSL3_RT_HANDSHAKE)
54 /*
55 * should not be done for 'Hello Request's, but in that case we'll
56 * ignore the result anyway
9d75dce3 57 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
0f113f3e 58 */
38b051a1
TM		 59 if (!SSL_CONNECTION_IS_TLS13(s)
60 || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
9d75dce3
TS		 61 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
62 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
63 if (!ssl3_finish_mac(s,
64 (unsigned char *)&s->init_buf->data[s->init_off],
65 written))
66 return -1;
7ee8627f 67 if (written == s->init_num) {
0f113f3e
MC		 68 if (s->msg_callback)
69 s->msg_callback(1, s->version, type, s->init_buf->data,
38b051a1 70 (size_t)(s->init_off + s->init_num), ssl,
0f113f3e 71 s->msg_callback_arg);
208fb891 72 return 1;
0f113f3e 73 }
7ee8627f
MC		 74 s->init_off += written;
75 s->init_num -= written;
26a7d938 76 return 0;
0f113f3e 77}
e7ecc7d4 78
38b051a1 79int tls_close_construct_packet(SSL_CONNECTION *s, WPACKET *pkt, int htype)
2c7b4dbc
MC		 80{
81 size_t msglen;
82
4a01c59f 83 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
f1ec23c0 84 || !WPACKET_get_length(pkt, &msglen)
7cea05dc 85 || msglen > INT_MAX)
2c7b4dbc
MC		 86 return 0;
87 s->init_num = (int)msglen;
88 s->init_off = 0;
89
90 return 1;
91}
92
38b051a1 93int tls_setup_handshake(SSL_CONNECTION *s)
1f5b44e9 94{
8e32ea63 95 int ver_min, ver_max, ok;
38b051a1
TM		 96 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
97 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
8e32ea63 98
f63a17d6
MC		 99 if (!ssl3_init_finished_mac(s)) {
100 /* SSLfatal() already called */
c7f47786 101 return 0;
f63a17d6 102 }
c7f47786 103
b186a592
MC		 104 /* Reset any extension flags */
105 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
106
8e32ea63 107 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
c48ffbcc 108 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
8e32ea63
MC		 109 return 0;
110 }
111
112 /* Sanity check that we have MD5-SHA1 if we need it */
38b051a1 113 if (sctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
8e32ea63
MC		 114 int md5sha1_needed = 0;
115
116 /* We don't have MD5-SHA1 - do we need it? */
38b051a1 117 if (SSL_CONNECTION_IS_DTLS(s)) {
8e32ea63
MC		 118 if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
119 md5sha1_needed = 1;
120 } else {
121 if (ver_max <= TLS1_1_VERSION)
122 md5sha1_needed = 1;
123 }
124 if (md5sha1_needed) {
c48ffbcc
RL		 125 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
126 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
127 "The max supported SSL/TLS version needs the"
128 " MD5-SHA1 digest but it is not available"
129 " in the loaded providers. Use (D)TLSv1.2 or"
130 " above, or load different providers");
8e32ea63
MC		 131 return 0;
132 }
133
134 ok = 1;
135 /* Don't allow TLSv1.1 or below to be negotiated */
38b051a1 136 if (SSL_CONNECTION_IS_DTLS(s)) {
8e32ea63 137 if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
38b051a1 138 ok = SSL_set_min_proto_version(ssl, DTLS1_2_VERSION);
8e32ea63
MC		 139 } else {
140 if (ver_min < TLS1_2_VERSION)
38b051a1 141 ok = SSL_set_min_proto_version(ssl, TLS1_2_VERSION);
8e32ea63
MC		 142 }
143 if (!ok) {
144 /* Shouldn't happen */
c48ffbcc 145 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
8e32ea63
MC		 146 return 0;
147 }
148 }
149
150 ok = 0;
c7f47786 151 if (s->server) {
38b051a1 152 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl);
8e32ea63 153 int i;
38a73150
MC		 154
155 /*
156 * Sanity check that the maximum version we accept has ciphers
157 * enabled. For clients we do this check during construction of the
158 * ClientHello.
159 */
38a73150
MC		 160 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
161 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
162
38b051a1 163 if (SSL_CONNECTION_IS_DTLS(s)) {
38a73150
MC		 164 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
165 DTLS_VERSION_LE(ver_max, c->max_dtls))
166 ok = 1;
167 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
168 ok = 1;
169 }
170 if (ok)
171 break;
172 }
173 if (!ok) {
c48ffbcc
RL		 174 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
175 SSL_R_NO_CIPHERS_AVAILABLE,
176 "No ciphers enabled for max supported "
177 "SSL/TLS version");
38a73150
MC		 178 return 0;
179 }
c7f47786 180 if (SSL_IS_FIRST_HANDSHAKE(s)) {
0e6161bc 181 /* N.B. s->session_ctx == s->ctx here */
acce0557 182 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
c7f47786 183 } else {
0e6161bc 184 /* N.B. s->ctx may not equal s->session_ctx */
38b051a1 185 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_renegotiate);
c7f47786 186
555cbb32 187 s->s3.tmp.cert_request = 0;
c7f47786
MC		 188 }
189 } else {
190 if (SSL_IS_FIRST_HANDSHAKE(s))
acce0557 191 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
c7f47786 192 else
acce0557
P		 193 ssl_tsan_counter(s->session_ctx,
194 &s->session_ctx->stats.sess_connect_renegotiate);
c7f47786
MC		 195
196 /* mark client_random uninitialized */
555cbb32 197 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
c7f47786
MC		 198 s->hit = 0;
199
555cbb32 200 s->s3.tmp.cert_req = 0;
c7f47786 201
38b051a1 202 if (SSL_CONNECTION_IS_DTLS(s))
c7f47786 203 s->statem.use_timer = 1;
c7f47786
MC		 204 }
205
206 return 1;
207}
208
2c5dfdc3
MC		 209/*
210 * Size of the to-be-signed TLS13 data, without the hash size itself:
211 * 64 bytes of value 32, 33 context bytes, 1 byte separator
212 */
213#define TLS13_TBS_START_SIZE 64
214#define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
215
38b051a1 216static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs,
2c5dfdc3
MC		 217 void **hdata, size_t *hdatalen)
218{
48102247 219#ifdef CHARSET_EBCDIC
99435164 220 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
48102247 221 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
222 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
223 0x69, 0x66, 0x79, 0x00 };
99435164 224 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
48102247 225 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
226 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
227 0x69, 0x66, 0x79, 0x00 };
228#else
99435164
AV		 229 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
230 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
48102247 231#endif
38b051a1
TM		 232
233 if (SSL_CONNECTION_IS_TLS13(s)) {
2c5dfdc3
MC		 234 size_t hashlen;
235
236 /* Set the first 64 bytes of to-be-signed data to octet 32 */
237 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
238 /* This copies the 33 bytes of context plus the 0 separator byte */
239 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
240 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
241 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
242 else
243 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
244
245 /*
246 * If we're currently reading then we need to use the saved handshake
247 * hash value. We can't use the current handshake hash state because
248 * that includes the CertVerify itself.
249 */
250 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
251 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
252 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
253 s->cert_verify_hash_len);
254 hashlen = s->cert_verify_hash_len;
255 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
256 EVP_MAX_MD_SIZE, &hashlen)) {
f63a17d6 257 /* SSLfatal() already called */
2c5dfdc3
MC		 258 return 0;
259 }
260
261 *hdata = tls13tbs;
262 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
263 } else {
264 size_t retlen;
60690b5b 265 long retlen_l;
2c5dfdc3 266
555cbb32 267 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
60690b5b 268 if (retlen_l <= 0) {
c48ffbcc 269 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2c5dfdc3 270 return 0;
f63a17d6 271 }
2c5dfdc3
MC		 272 *hdatalen = retlen;
273 }
274
275 return 1;
276}
277
38b051a1 278int tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt)
d8bc1399 279{
ad4dd362
DSH		 280 EVP_PKEY *pkey = NULL;
281 const EVP_MD *md = NULL;
d8bc1399 282 EVP_MD_CTX *mctx = NULL;
5f9b64a2
MC		 283 EVP_PKEY_CTX *pctx = NULL;
284 size_t hdatalen = 0, siglen = 0;
d8bc1399
MC		 285 void *hdata;
286 unsigned char *sig = NULL;
2c5dfdc3 287 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
555cbb32 288 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
38b051a1 289 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
2c5dfdc3 290
555cbb32 291 if (lu == NULL || s->s3.tmp.cert == NULL) {
c48ffbcc 292 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 293 goto err;
294 }
555cbb32 295 pkey = s->s3.tmp.cert->privatekey;
ad4dd362 296
38b051a1 297 if (pkey == NULL || !tls1_lookup_md(sctx, lu, &md)) {
c48ffbcc 298 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 299 goto err;
300 }
d8bc1399
MC		 301
302 mctx = EVP_MD_CTX_new();
303 if (mctx == NULL) {
c48ffbcc 304 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
d8bc1399
MC		 305 goto err;
306 }
d8bc1399 307
2c5dfdc3
MC		 308 /* Get the data to be signed */
309 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6 310 /* SSLfatal() already called */
d8bc1399
MC		 311 goto err;
312 }
313
ad4dd362 314 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
c48ffbcc 315 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 316 goto err;
317 }
5f9b64a2 318
ed576acd
TM		 319 if (EVP_DigestSignInit_ex(mctx, &pctx,
320 md == NULL ? NULL : EVP_MD_get0_name(md),
38b051a1 321 sctx->libctx, sctx->propq, pkey,
d38b6ae9 322 NULL) <= 0) {
c48ffbcc 323 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
5f9b64a2
MC		 324 goto err;
325 }
326
ad4dd362 327 if (lu->sig == EVP_PKEY_RSA_PSS) {
5f9b64a2 328 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 329 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
330 RSA_PSS_SALTLEN_DIGEST) <= 0) {
c48ffbcc 331 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
5f9b64a2
MC		 332 goto err;
333 }
caf2b6b5
DSH		 334 }
335 if (s->version == SSL3_VERSION) {
bddbfae1
MC		 336 /*
337 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
338 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
339 */
caf2b6b5 340 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
83b4a243
SL		 341 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
342 (int)s->session->master_key_length,
343 s->session->master_key) <= 0
bddbfae1 344 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
caf2b6b5 345
c48ffbcc 346 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
5f9b64a2
MC		 347 goto err;
348 }
bddbfae1
MC		 349 sig = OPENSSL_malloc(siglen);
350 if (sig == NULL
351 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
c48ffbcc 352 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
bddbfae1
MC		 353 goto err;
354 }
355 } else {
356 /*
357 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
358 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
359 */
360 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
c48ffbcc 361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
bddbfae1
MC		 362 goto err;
363 }
364 sig = OPENSSL_malloc(siglen);
365 if (sig == NULL
366 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
c48ffbcc 367 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
bddbfae1
MC		 368 goto err;
369 }
d8bc1399 370 }
5f9b64a2 371
d8bc1399
MC		 372#ifndef OPENSSL_NO_GOST
373 {
ad4dd362
DSH		 374 int pktype = lu->sig;
375
d8bc1399
MC		 376 if (pktype == NID_id_GostR3410_2001
377 || pktype == NID_id_GostR3410_2012_256
378 || pktype == NID_id_GostR3410_2012_512)
5f9b64a2 379 BUF_reverse(sig, NULL, siglen);
d8bc1399
MC		 380 }
381#endif
382
5f9b64a2 383 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
c48ffbcc 384 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 385 goto err;
386 }
387
388 /* Digest cached records and discard handshake buffer */
d4d2f3a4
MC		 389 if (!ssl3_digest_cached_records(s, 0)) {
390 /* SSLfatal() already called */
d8bc1399 391 goto err;
d4d2f3a4 392 }
d8bc1399
MC		 393
394 OPENSSL_free(sig);
395 EVP_MD_CTX_free(mctx);
396 return 1;
397 err:
398 OPENSSL_free(sig);
399 EVP_MD_CTX_free(mctx);
d8bc1399
MC		 400 return 0;
401}
402
38b051a1 403MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt)
d8bc1399
MC		 404{
405 EVP_PKEY *pkey = NULL;
703bcee0 406 const unsigned char *data;
d8bc1399
MC		 407#ifndef OPENSSL_NO_GOST
408 unsigned char *gost_data = NULL;
409#endif
eb5fd03b 410 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
dd24857b 411 int j;
d8bc1399
MC		 412 unsigned int len;
413 X509 *peer;
414 const EVP_MD *md = NULL;
2c5dfdc3 415 size_t hdatalen = 0;
d8bc1399 416 void *hdata;
2c5dfdc3 417 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
d8bc1399 418 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
5f9b64a2 419 EVP_PKEY_CTX *pctx = NULL;
38b051a1 420 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
d8bc1399
MC		 421
422 if (mctx == NULL) {
c48ffbcc 423 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 424 goto err;
d8bc1399
MC		 425 }
426
427 peer = s->session->peer;
428 pkey = X509_get0_pubkey(peer);
f63a17d6 429 if (pkey == NULL) {
c48ffbcc 430 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6
MC		 431 goto err;
432 }
83b4049a 433
dd24857b 434 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
c48ffbcc 435 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6
MC		 436 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
437 goto err;
d8bc1399
MC		 438 }
439
f464f9c0 440 if (SSL_USE_SIGALGS(s)) {
f464f9c0
PD		 441 unsigned int sigalg;
442
443 if (!PACKET_get_net_2(pkt, &sigalg)) {
c48ffbcc 444 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
f63a17d6 445 goto err;
f464f9c0 446 }
f63a17d6
MC		 447 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
448 /* SSLfatal() already called */
449 goto err;
f464f9c0 450 }
f464f9c0 451 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
c48ffbcc 452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 453 goto err;
f464f9c0
PD		 454 }
455
38b051a1 456 if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) {
c48ffbcc 457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 458 goto err;
168067b6 459 }
f464f9c0 460
572fa024 461 if (SSL_USE_SIGALGS(s))
49b26f54 462 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
ed576acd 463 md == NULL ? "n/a" : EVP_MD_get0_name(md));
572fa024 464
d8bc1399
MC		 465 /* Check for broken implementations of GOST ciphersuites */
466 /*
f464f9c0
PD		 467 * If key is GOST and len is exactly 64 or 128, it is signature without
468 * length field (CryptoPro implementations at least till TLS 1.2)
d8bc1399
MC		 469 */
470#ifndef OPENSSL_NO_GOST
f464f9c0
PD		 471 if (!SSL_USE_SIGALGS(s)
472 && ((PACKET_remaining(pkt) == 64
ed576acd
TM		 473 && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
474 || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
f464f9c0 475 || (PACKET_remaining(pkt) == 128
ed576acd 476 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
f464f9c0 477 len = PACKET_remaining(pkt);
d8bc1399
MC		 478 } else
479#endif
f464f9c0 480 if (!PACKET_get_net_2(pkt, &len)) {
c48ffbcc 481 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 482 goto err;
d8bc1399 483 }
f464f9c0 484
d8bc1399 485 if (!PACKET_get_bytes(pkt, &data, len)) {
c48ffbcc 486 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 487 goto err;
d8bc1399
MC		 488 }
489
2c5dfdc3 490 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6
MC		 491 /* SSLfatal() already called */
492 goto err;
d8bc1399
MC		 493 }
494
49b26f54 495 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
ed576acd 496 md == NULL ? "n/a" : EVP_MD_get0_name(md));
49b26f54 497
d8652be0 498 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
ed576acd 499 md == NULL ? NULL : EVP_MD_get0_name(md),
38b051a1 500 sctx->libctx, sctx->propq, pkey,
d38b6ae9 501 NULL) <= 0) {
c48ffbcc 502 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
f63a17d6 503 goto err;
d8bc1399
MC		 504 }
505#ifndef OPENSSL_NO_GOST
506 {
ed576acd 507 int pktype = EVP_PKEY_get_id(pkey);
d8bc1399
MC		 508 if (pktype == NID_id_GostR3410_2001
509 || pktype == NID_id_GostR3410_2012_256
510 || pktype == NID_id_GostR3410_2012_512) {
511 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
c48ffbcc 512 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 513 goto err;
d8bc1399
MC		 514 }
515 BUF_reverse(gost_data, data, len);
516 data = gost_data;
517 }
518 }
519#endif
520
5554facb 521 if (SSL_USE_PSS(s)) {
5f9b64a2 522 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 523 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
524 RSA_PSS_SALTLEN_DIGEST) <= 0) {
c48ffbcc 525 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
f63a17d6 526 goto err;
5f9b64a2 527 }
d8bc1399 528 }
caf2b6b5
DSH		 529 if (s->version == SSL3_VERSION) {
530 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
83b4a243
SL		 531 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
532 (int)s->session->master_key_length,
533 s->session->master_key) <= 0) {
c48ffbcc 534 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
f63a17d6 535 goto err;
caf2b6b5
DSH		 536 }
537 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
c48ffbcc 538 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
f63a17d6 539 goto err;
caf2b6b5
DSH		 540 }
541 } else {
542 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
25ffeb11 543 if (j <= 0) {
c48ffbcc 544 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
f63a17d6 545 goto err;
caf2b6b5 546 }
d8bc1399
MC		 547 }
548
e4562014
MC		 549 /*
550 * In TLSv1.3 on the client side we make sure we prepare the client
551 * certificate after the CertVerify instead of when we get the
552 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
553 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
8c2bfd25 554 * want to make sure that SSL_get1_peer_certificate() will return the actual
e4562014
MC		 555 * server certificate from the client_cert_cb callback.
556 */
38b051a1 557 if (!s->server && SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
e4562014
MC		 558 ret = MSG_PROCESS_CONTINUE_PROCESSING;
559 else
560 ret = MSG_PROCESS_CONTINUE_READING;
f63a17d6 561 err:
555cbb32
TS		 562 BIO_free(s->s3.handshake_buffer);
563 s->s3.handshake_buffer = NULL;
d8bc1399
MC		 564 EVP_MD_CTX_free(mctx);
565#ifndef OPENSSL_NO_GOST
566 OPENSSL_free(gost_data);
567#endif
568 return ret;
569}
570
38b051a1 571int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
0f113f3e 572{
12472b45 573 size_t finish_md_len;
229185e6 574 const char *sender;
8b0e934a 575 size_t slen;
38b051a1 576 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
229185e6 577
f7e393be 578 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 579 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
f7e393be
MC		 580 s->statem.cleanuphand = 1;
581
582 /*
583 * We only change the keys if we didn't already do this when we sent the
584 * client certificate
585 */
38b051a1 586 if (SSL_CONNECTION_IS_TLS13(s)
f7e393be 587 && !s->server
555cbb32 588 && s->s3.tmp.cert_req == 0
38b051a1 589 && (!ssl->method->ssl3_enc->change_cipher_state(s,
d4d2f3a4
MC		 590 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
591 /* SSLfatal() already called */
b43c3765 592 return 0;
f7e393be
MC		 593 }
594
229185e6 595 if (s->server) {
38b051a1
TM		 596 sender = ssl->method->ssl3_enc->server_finished_label;
597 slen = ssl->method->ssl3_enc->server_finished_label_len;
229185e6 598 } else {
38b051a1
TM		 599 sender = ssl->method->ssl3_enc->client_finished_label;
600 slen = ssl->method->ssl3_enc->client_finished_label_len;
229185e6 601 }
0f113f3e 602
38b051a1
TM		 603 finish_md_len = ssl->method->ssl3_enc->final_finish_mac(s,
604 sender, slen,
605 s->s3.tmp.finish_md);
12472b45 606 if (finish_md_len == 0) {
d4d2f3a4
MC		 607 /* SSLfatal() already called */
608 return 0;
4f89bfbf
MC		 609 }
610
555cbb32 611 s->s3.tmp.finish_md_len = finish_md_len;
4f89bfbf 612
555cbb32 613 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
c48ffbcc 614 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d4d2f3a4 615 return 0;
4f89bfbf 616 }
0f113f3e 617
2c7bd692
CB		 618 /*
619 * Log the master secret, if logging is enabled. We don't log it for
620 * TLSv1.3: there's a different key schedule for that.
621 */
38b051a1
TM		 622 if (!SSL_CONNECTION_IS_TLS13(s)
623 && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key,
624 s->session->master_key_length)) {
d4d2f3a4
MC		 625 /* SSLfatal() already called */
626 return 0;
380a522f 627 }
2faa1b48 628
b9908bf9
MC		 629 /*
630 * Copy the finished so we can use it for renegotiation checks
631 */
380a522f 632 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
c48ffbcc 633 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d4d2f3a4 634 return 0;
380a522f 635 }
23a635c0 636 if (!s->server) {
555cbb32 637 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
12472b45 638 finish_md_len);
555cbb32 639 s->s3.previous_client_finished_len = finish_md_len;
b9908bf9 640 } else {
555cbb32 641 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
12472b45 642 finish_md_len);
555cbb32 643 s->s3.previous_server_finished_len = finish_md_len;
b9908bf9 644 }
0f113f3e 645
b9908bf9 646 return 1;
0f113f3e 647}
d02b48c6 648
38b051a1 649int tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt)
44c04a2e
MC		 650{
651 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
c48ffbcc 652 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d4d2f3a4 653 return 0;
44c04a2e
MC		 654 }
655
9412b3ad 656 s->key_update = SSL_KEY_UPDATE_NONE;
44c04a2e 657 return 1;
44c04a2e
MC		 658}
659
38b051a1 660MSG_PROCESS_RETURN tls_process_key_update(SSL_CONNECTION *s, PACKET *pkt)
e1c3de44
MC		 661{
662 unsigned int updatetype;
663
524420d8
MC		 664 /*
665 * A KeyUpdate message signals a key change so the end of the message must
666 * be on a record boundary.
667 */
668 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
c48ffbcc 669 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
f63a17d6 670 return MSG_PROCESS_ERROR;
524420d8
MC		 671 }
672
e1c3de44 673 if (!PACKET_get_1(pkt, &updatetype)
2d871227 674 || PACKET_remaining(pkt) != 0) {
c48ffbcc 675 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
f63a17d6 676 return MSG_PROCESS_ERROR;
e1c3de44
MC		 677 }
678
9010b7bc
MC		 679 /*
680 * There are only two defined key update types. Fail if we get a value we
681 * didn't recognise.
682 */
2d871227
MC		 683 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
684 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
c48ffbcc 685 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
f63a17d6 686 return MSG_PROCESS_ERROR;
2d871227
MC		 687 }
688
5bf47933
MC		 689 /*
690 * If we get a request for us to update our sending keys too then, we need
691 * to additionally send a KeyUpdate message. However that message should
feb9e31c 692 * not also request an update (otherwise we get into an infinite loop).
5bf47933 693 */
feb9e31c 694 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
5bf47933
MC		 695 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
696
57389a32 697 if (!tls13_update_key(s, 0)) {
f63a17d6
MC		 698 /* SSLfatal() already called */
699 return MSG_PROCESS_ERROR;
57389a32
MC		 700 }
701
e1c3de44
MC		 702 return MSG_PROCESS_FINISHED_READING;
703}
704
0f113f3e
MC		 705/*
706 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
707 * to far.
708 */
38b051a1 709int ssl3_take_mac(SSL_CONNECTION *s)
0f113f3e
MC		 710{
711 const char *sender;
8b0e934a 712 size_t slen;
38b051a1 713 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
5d671101 714
49ae7423 715 if (!s->server) {
38b051a1
TM		 716 sender = ssl->method->ssl3_enc->server_finished_label;
717 slen = ssl->method->ssl3_enc->server_finished_label_len;
0f113f3e 718 } else {
38b051a1
TM		 719 sender = ssl->method->ssl3_enc->client_finished_label;
720 slen = ssl->method->ssl3_enc->client_finished_label_len;
0f113f3e
MC		 721 }
722
555cbb32 723 s->s3.tmp.peer_finish_md_len =
38b051a1
TM		 724 ssl->method->ssl3_enc->final_finish_mac(s, sender, slen,
725 s->s3.tmp.peer_finish_md);
5d671101 726
555cbb32 727 if (s->s3.tmp.peer_finish_md_len == 0) {
5d671101
MC		 728 /* SSLfatal() already called */
729 return 0;
730 }
731
732 return 1;
0f113f3e 733}
ee2ffc27 734
38b051a1
TM		 735MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL_CONNECTION *s,
736 PACKET *pkt)
b9908bf9 737{
348240c6 738 size_t remain;
4fa52141 739
73999b62 740 remain = PACKET_remaining(pkt);
657da85e
MC		 741 /*
742 * 'Change Cipher Spec' is just a single byte, which should already have
c69f2adf
MC		 743 * been consumed by ssl_get_message() so there should be no bytes left,
744 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
657da85e 745 */
38b051a1 746 if (SSL_CONNECTION_IS_DTLS(s)) {
73999b62 747 if ((s->version == DTLS1_BAD_VER
a230b26e
EK		 748 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
749 || (s->version != DTLS1_BAD_VER
750 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
c48ffbcc 751 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
f63a17d6 752 return MSG_PROCESS_ERROR;
c69f2adf
MC		 753 }
754 } else {
73999b62 755 if (remain != 0) {
c48ffbcc 756 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
f63a17d6 757 return MSG_PROCESS_ERROR;
c69f2adf 758 }
657da85e
MC		 759 }
760
761 /* Check we have a cipher to change to */
555cbb32 762 if (s->s3.tmp.new_cipher == NULL) {
c48ffbcc 763 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
f63a17d6 764 return MSG_PROCESS_ERROR;
657da85e
MC		 765 }
766
555cbb32 767 s->s3.change_cipher_spec = 1;
657da85e 768 if (!ssl3_do_change_cipher_spec(s)) {
c48ffbcc 769 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 770 return MSG_PROCESS_ERROR;
657da85e
MC		 771 }
772
38b051a1 773 if (SSL_CONNECTION_IS_DTLS(s)) {
c69f2adf
MC		 774 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
775
776 if (s->version == DTLS1_BAD_VER)
777 s->d1->handshake_read_seq++;
778
779#ifndef OPENSSL_NO_SCTP
780 /*
781 * Remember that a CCS has been received, so that an old key of
782 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
783 * SCTP is used
784 */
38b051a1
TM		 785 BIO_ctrl(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)),
786 BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
c69f2adf
MC		 787#endif
788 }
789
b9908bf9 790 return MSG_PROCESS_CONTINUE_READING;
657da85e
MC		 791}
792
38b051a1 793MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt)
b9908bf9 794{
12472b45 795 size_t md_len;
38b051a1 796 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
b9908bf9 797
d781d247
MC		 798
799 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 800 if (s->server) {
de9e884b
MC		 801 /*
802 * To get this far we must have read encrypted data from the client. We
803 * no longer tolerate unencrypted alerts. This value is ignored if less
804 * than TLSv1.3
805 */
806 s->statem.enc_read_state = ENC_READ_STATE_VALID;
9d75dce3
TS		 807 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
808 s->statem.cleanuphand = 1;
38b051a1
TM		 809 if (SSL_CONNECTION_IS_TLS13(s)
810 && !tls13_save_handshake_digest_for_pha(s)) {
9d75dce3
TS		 811 /* SSLfatal() already called */
812 return MSG_PROCESS_ERROR;
813 }
814 }
d781d247 815
524420d8
MC		 816 /*
817 * In TLSv1.3 a Finished message signals a key change so the end of the
818 * message must be on a record boundary.
819 */
38b051a1
TM		 820 if (SSL_CONNECTION_IS_TLS13(s)
821 && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
c48ffbcc 822 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
f63a17d6 823 return MSG_PROCESS_ERROR;
524420d8
MC		 824 }
825
0f113f3e 826 /* If this occurs, we have missed a message */
38b051a1 827 if (!SSL_CONNECTION_IS_TLS13(s) && !s->s3.change_cipher_spec) {
c48ffbcc 828 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
f63a17d6 829 return MSG_PROCESS_ERROR;
0f113f3e 830 }
555cbb32 831 s->s3.change_cipher_spec = 0;
0f113f3e 832
555cbb32 833 md_len = s->s3.tmp.peer_finish_md_len;
0f113f3e 834
12472b45 835 if (md_len != PACKET_remaining(pkt)) {
c48ffbcc 836 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
f63a17d6 837 return MSG_PROCESS_ERROR;
0f113f3e
MC		 838 }
839
555cbb32 840 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
12472b45 841 md_len) != 0) {
c48ffbcc 842 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
f63a17d6 843 return MSG_PROCESS_ERROR;
0f113f3e
MC		 844 }
845
846 /*
847 * Copy the finished so we can use it for renegotiation checks
848 */
380a522f 849 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
c48ffbcc 850 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 851 return MSG_PROCESS_ERROR;
380a522f 852 }
23a635c0 853 if (s->server) {
555cbb32 854 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
12472b45 855 md_len);
555cbb32 856 s->s3.previous_client_finished_len = md_len;
0f113f3e 857 } else {
555cbb32 858 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
12472b45 859 md_len);
555cbb32 860 s->s3.previous_server_finished_len = md_len;
0f113f3e
MC		 861 }
862
7776a36c
MC		 863 /*
864 * In TLS1.3 we also have to change cipher state and do any final processing
865 * of the initial server flight (if we are a client)
866 */
38b051a1 867 if (SSL_CONNECTION_IS_TLS13(s)) {
92760c21 868 if (s->server) {
9d75dce3 869 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
38b051a1
TM		 870 !ssl->method->ssl3_enc->change_cipher_state(s,
871 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
f63a17d6
MC		 872 /* SSLfatal() already called */
873 return MSG_PROCESS_ERROR;
92760c21
MC		 874 }
875 } else {
d74014c4
BK		 876 /* TLS 1.3 gets the secret size from the handshake md */
877 size_t dummy;
38b051a1 878 if (!ssl->method->ssl3_enc->generate_master_secret(s,
ec15acb6 879 s->master_secret, s->handshake_secret, 0,
d74014c4 880 &dummy)) {
f63a17d6
MC		 881 /* SSLfatal() already called */
882 return MSG_PROCESS_ERROR;
92760c21 883 }
38b051a1 884 if (!ssl->method->ssl3_enc->change_cipher_state(s,
92760c21 885 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
f63a17d6
MC		 886 /* SSLfatal() already called */
887 return MSG_PROCESS_ERROR;
888 }
889 if (!tls_process_initial_server_flight(s)) {
890 /* SSLfatal() already called */
891 return MSG_PROCESS_ERROR;
92760c21
MC		 892 }
893 }
894 }
895
e6575156 896 return MSG_PROCESS_FINISHED_READING;
0f113f3e 897}
d02b48c6 898
38b051a1 899int tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt)
b9908bf9 900{
7cea05dc 901 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
c48ffbcc 902 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
85a7a5e6
MC		 903 return 0;
904 }
b9908bf9 905
b9908bf9
MC		 906 return 1;
907}
908
e96e0f8e 909/* Add a certificate to the WPACKET */
38b051a1
TM		 910static int ssl_add_cert_to_wpacket(SSL_CONNECTION *s, WPACKET *pkt,
911 X509 *x, int chain)
0f113f3e 912{
e96e0f8e
MC		 913 int len;
914 unsigned char *outbytes;
915
916 len = i2d_X509(x, NULL);
917 if (len < 0) {
c48ffbcc 918 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
e96e0f8e
MC		 919 return 0;
920 }
921 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
922 || i2d_X509(x, &outbytes) != len) {
c48ffbcc 923 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
e96e0f8e
MC		 924 return 0;
925 }
926
38b051a1 927 if (SSL_CONNECTION_IS_TLS13(s)
fe874d27 928 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
f63a17d6
MC		 929 chain)) {
930 /* SSLfatal() already called */
e96e0f8e 931 return 0;
f63a17d6 932 }
e96e0f8e
MC		 933
934 return 1;
935}
936
937/* Add certificate chain to provided WPACKET */
38b051a1 938static int ssl_add_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, CERT_PKEY *cpk)
e96e0f8e
MC		 939{
940 int i, chain_count;
941 X509 *x;
942 STACK_OF(X509) *extra_certs;
943 STACK_OF(X509) *chain = NULL;
944 X509_STORE *chain_store;
38b051a1 945 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
e96e0f8e
MC		 946
947 if (cpk == NULL || cpk->x509 == NULL)
948 return 1;
949
950 x = cpk->x509;
951
952 /*
953 * If we have a certificate specific chain use it, else use parent ctx.
954 */
d805a57b 955 if (cpk->chain != NULL)
e96e0f8e
MC		 956 extra_certs = cpk->chain;
957 else
38b051a1 958 extra_certs = sctx->extra_certs;
e96e0f8e
MC		 959
960 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
961 chain_store = NULL;
962 else if (s->cert->chain_store)
963 chain_store = s->cert->chain_store;
964 else
38b051a1 965 chain_store = sctx->cert_store;
e96e0f8e 966
d805a57b 967 if (chain_store != NULL) {
38b051a1
TM		 968 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(sctx->libctx,
969 sctx->propq);
e96e0f8e
MC		 970
971 if (xs_ctx == NULL) {
c48ffbcc 972 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 973 return 0;
e96e0f8e
MC		 974 }
975 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
976 X509_STORE_CTX_free(xs_ctx);
c48ffbcc 977 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
f63a17d6 978 return 0;
e96e0f8e
MC		 979 }
980 /*
981 * It is valid for the chain not to be complete (because normally we
982 * don't include the root cert in the chain). Therefore we deliberately
983 * ignore the error return from this call. We're not actually verifying
984 * the cert - we're just building as much of the chain as we can
985 */
986 (void)X509_verify_cert(xs_ctx);
987 /* Don't leave errors in the queue */
988 ERR_clear_error();
989 chain = X509_STORE_CTX_get0_chain(xs_ctx);
990 i = ssl_security_cert_chain(s, chain, NULL, 0);
991 if (i != 1) {
992#if 0
993 /* Dummy error calls so mkerr generates them */
6849b73c
RL		 994 ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
995 ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
996 ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
e96e0f8e
MC		 997#endif
998 X509_STORE_CTX_free(xs_ctx);
c48ffbcc 999 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
f63a17d6 1000 return 0;
e96e0f8e
MC		 1001 }
1002 chain_count = sk_X509_num(chain);
1003 for (i = 0; i < chain_count; i++) {
1004 x = sk_X509_value(chain, i);
1005
f63a17d6
MC		 1006 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
1007 /* SSLfatal() already called */
e96e0f8e 1008 X509_STORE_CTX_free(xs_ctx);
f63a17d6 1009 return 0;
e96e0f8e
MC		 1010 }
1011 }
1012 X509_STORE_CTX_free(xs_ctx);
1013 } else {
1014 i = ssl_security_cert_chain(s, extra_certs, x, 0);
1015 if (i != 1) {
c48ffbcc 1016 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
f63a17d6
MC		 1017 return 0;
1018 }
1019 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1020 /* SSLfatal() already called */
1021 return 0;
e96e0f8e 1022 }
e96e0f8e
MC		 1023 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1024 x = sk_X509_value(extra_certs, i);
f63a17d6
MC		 1025 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1026 /* SSLfatal() already called */
1027 return 0;
1028 }
e96e0f8e
MC		 1029 }
1030 }
1031 return 1;
e96e0f8e
MC		 1032}
1033
38b051a1
TM		 1034unsigned long ssl3_output_cert_chain(SSL_CONNECTION *s, WPACKET *pkt,
1035 CERT_PKEY *cpk)
e96e0f8e 1036{
f63a17d6 1037 if (!WPACKET_start_sub_packet_u24(pkt)) {
c48ffbcc 1038 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6
MC		 1039 return 0;
1040 }
e96e0f8e 1041
f63a17d6
MC		 1042 if (!ssl_add_cert_chain(s, pkt, cpk))
1043 return 0;
1044
1045 if (!WPACKET_close(pkt)) {
c48ffbcc 1046 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
7cea05dc 1047 return 0;
77d514c5 1048 }
f63a17d6 1049
c49e1912 1050 return 1;
0f113f3e
MC		 1051}
1052
30f05b19
MC		 1053/*
1054 * Tidy up after the end of a handshake. In the case of SCTP this may result
1055 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1056 * freed up as well.
1057 */
38b051a1 1058WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst,
a7e6a3d8 1059 int clearbufs, int stop)
8723588e
MC		 1060{
1061 void (*cb) (const SSL *ssl, int type, int val) = NULL;
4af5836b 1062 int cleanuphand = s->statem.cleanuphand;
38b051a1
TM		 1063 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1064 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
8723588e 1065
30f05b19 1066 if (clearbufs) {
38b051a1 1067 if (!SSL_CONNECTION_IS_DTLS(s)
e7c27a6c 1068#ifndef OPENSSL_NO_SCTP
30f05b19 1069 /*
e7c27a6c
N		 1070 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1071 * messages that require it. Therefore, DTLS procedures for retransmissions
1072 * MUST NOT be used.
1073 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1074 */
38b051a1 1075 || BIO_dgram_is_sctp(SSL_get_wbio(ssl))
e7c27a6c
N		 1076#endif
1077 ) {
1078 /*
1079 * We don't do this in DTLS over UDP because we may still need the init_buf
30f05b19
MC		 1080 * in case there are any unexpected retransmits
1081 */
1082 BUF_MEM_free(s->init_buf);
1083 s->init_buf = NULL;
1084 }
e7c27a6c 1085
a2c2e000 1086 if (!ssl_free_wbio_buffer(s)) {
c48ffbcc 1087 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b77f3ed1 1088 return WORK_ERROR;
a2c2e000 1089 }
30f05b19 1090 s->init_num = 0;
473483d4 1091 }
8723588e 1092
38b051a1 1093 if (SSL_CONNECTION_IS_TLS13(s) && !s->server
9d75dce3
TS		 1094 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1095 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1096
c2c1d8a4
MC		 1097 /*
1098 * Only set if there was a Finished message and this isn't after a TLSv1.3
1099 * post handshake exchange
1100 */
4af5836b 1101 if (cleanuphand) {
8723588e
MC		 1102 /* skipped if we just sent a HelloRequest */
1103 s->renegotiate = 0;
1104 s->new_session = 0;
c7f47786 1105 s->statem.cleanuphand = 0;
c0638ade 1106 s->ext.ticket_expected = 0;
8723588e 1107
30f05b19
MC		 1108 ssl3_cleanup_key_block(s);
1109
8723588e 1110 if (s->server) {
16ff1342
MC		 1111 /*
1112 * In TLSv1.3 we update the cache as part of constructing the
1113 * NewSessionTicket
1114 */
38b051a1 1115 if (!SSL_CONNECTION_IS_TLS13(s))
16ff1342 1116 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
8723588e 1117
0e6161bc 1118 /* N.B. s->ctx may not equal s->session_ctx */
38b051a1 1119 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good);
fe3a3291 1120 s->handshake_func = ossl_statem_accept;
8723588e 1121 } else {
38b051a1 1122 if (SSL_CONNECTION_IS_TLS13(s)) {
4cb00457
MC		 1123 /*
1124 * We encourage applications to only use TLSv1.3 tickets once,
1125 * so we remove this one from the cache.
1126 */
1127 if ((s->session_ctx->session_cache_mode
1128 & SSL_SESS_CACHE_CLIENT) != 0)
1129 SSL_CTX_remove_session(s->session_ctx, s->session);
1130 } else {
1131 /*
1132 * In TLSv1.3 we update the cache as part of processing the
1133 * NewSessionTicket
1134 */
5d61491c 1135 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
4cb00457 1136 }
8723588e 1137 if (s->hit)
acce0557
P		 1138 ssl_tsan_counter(s->session_ctx,
1139 &s->session_ctx->stats.sess_hit);
8723588e 1140
fe3a3291 1141 s->handshake_func = ossl_statem_connect;
acce0557
P		 1142 ssl_tsan_counter(s->session_ctx,
1143 &s->session_ctx->stats.sess_connect_good);
8723588e
MC		 1144 }
1145
38b051a1 1146 if (SSL_CONNECTION_IS_DTLS(s)) {
8723588e
MC		 1147 /* done with handshaking */
1148 s->d1->handshake_read_seq = 0;
1149 s->d1->handshake_write_seq = 0;
1150 s->d1->next_handshake_write_seq = 0;
f5c7f5df 1151 dtls1_clear_received_buffer(s);
8723588e
MC		 1152 }
1153 }
1154
c2c1d8a4
MC		 1155 if (s->info_callback != NULL)
1156 cb = s->info_callback;
38b051a1
TM		 1157 else if (sctx->info_callback != NULL)
1158 cb = sctx->info_callback;
c2c1d8a4 1159
4ce787b9
MC		 1160 /* The callback may expect us to not be in init at handshake done */
1161 ossl_statem_set_in_init(s, 0);
1162
4af5836b
MC		 1163 if (cb != NULL) {
1164 if (cleanuphand
38b051a1 1165 || !SSL_CONNECTION_IS_TLS13(s)
4af5836b 1166 || SSL_IS_FIRST_HANDSHAKE(s))
38b051a1 1167 cb(ssl, SSL_CB_HANDSHAKE_DONE, 1);
4af5836b 1168 }
c2c1d8a4 1169
4ce787b9
MC		 1170 if (!stop) {
1171 /* If we've got more work to do we go back into init */
1172 ossl_statem_set_in_init(s, 1);
30f05b19 1173 return WORK_FINISHED_CONTINUE;
4ce787b9 1174 }
30f05b19 1175
8723588e
MC		 1176 return WORK_FINISHED_STOP;
1177}
1178
38b051a1 1179int tls_get_message_header(SSL_CONNECTION *s, int *mt)
9ab930b2
MC		 1180{
1181 /* s->init_num < SSL3_HM_HEADER_LENGTH */
d4d2f3a4 1182 int skip_message, i, recvd_type;
9ab930b2 1183 unsigned char *p;
54105ddd 1184 size_t l, readbytes;
38b051a1 1185 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
9ab930b2
MC		 1186
1187 p = (unsigned char *)s->init_buf->data;
1188
1189 do {
1190 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
38b051a1
TM		 1191 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, &recvd_type,
1192 &p[s->init_num],
1193 SSL3_HM_HEADER_LENGTH - s->init_num,
1194 0, &readbytes);
9ab930b2
MC		 1195 if (i <= 0) {
1196 s->rwstate = SSL_READING;
1197 return 0;
32ec4153 1198 }
9ab930b2 1199 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1257adec 1200 /*
a230b26e
EK		 1201 * A ChangeCipherSpec must be a single byte and may not occur
1202 * in the middle of a handshake message.
1203 */
54105ddd 1204 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
d4d2f3a4 1205 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
d4d2f3a4
MC		 1206 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1207 return 0;
1257adec 1208 }
e9359719 1209 if (s->statem.hand_state == TLS_ST_BEFORE
555cbb32 1210 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
e9359719
MC		 1211 /*
1212 * We are stateless and we received a CCS. Probably this is
1213 * from a client between the first and second ClientHellos.
1214 * We should ignore this, but return an error because we do
1215 * not return success until we see the second ClientHello
1216 * with a valid cookie.
1217 */
1218 return 0;
1219 }
555cbb32 1220 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
54105ddd 1221 s->init_num = readbytes - 1;
c4377574 1222 s->init_msg = s->init_buf->data;
555cbb32 1223 s->s3.tmp.message_size = readbytes;
9ab930b2
MC		 1224 return 1;
1225 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
d4d2f3a4 1226 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
d4d2f3a4
MC		 1227 SSL_R_CCS_RECEIVED_EARLY);
1228 return 0;
32ec4153 1229 }
54105ddd 1230 s->init_num += readbytes;
9ab930b2
MC		 1231 }
1232
1233 skip_message = 0;
1234 if (!s->server)
c7f47786
MC		 1235 if (s->statem.hand_state != TLS_ST_OK
1236 && p[0] == SSL3_MT_HELLO_REQUEST)
9ab930b2
MC		 1237 /*
1238 * The server may always send 'Hello Request' messages --
1239 * we are doing a handshake anyway now, so ignore them if
1240 * their format is correct. Does not count for 'Finished'
1241 * MAC.
1242 */
1243 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1244 s->init_num = 0;
1245 skip_message = 1;
1246
1247 if (s->msg_callback)
1248 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
38b051a1 1249 p, SSL3_HM_HEADER_LENGTH, ssl,
9ab930b2
MC		 1250 s->msg_callback_arg);
1251 }
1252 } while (skip_message);
1253 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1254
1255 *mt = *p;
555cbb32 1256 s->s3.tmp.message_type = *(p++);
32ec4153 1257
e8aa8b6c 1258 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
9ab930b2
MC		 1259 /*
1260 * Only happens with SSLv3+ in an SSLv2 backward compatible
1261 * ClientHello
e8aa8b6c
F		 1262 *
1263 * Total message size is the remaining record bytes to read
1264 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
9ab930b2 1265 */
4030869d 1266 l = s->rlayer.tlsrecs[0].length + SSL3_HM_HEADER_LENGTH;
555cbb32 1267 s->s3.tmp.message_size = l;
9ab930b2
MC		 1268
1269 s->init_msg = s->init_buf->data;
1270 s->init_num = SSL3_HM_HEADER_LENGTH;
1271 } else {
1272 n2l3(p, l);
1273 /* BUF_MEM_grow takes an 'int' parameter */
1274 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
c48ffbcc 1275 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
d4d2f3a4
MC		 1276 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1277 return 0;
32ec4153 1278 }
555cbb32 1279 s->s3.tmp.message_size = l;
9ab930b2
MC		 1280
1281 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1282 s->init_num = 0;
1283 }
1284
1285 return 1;
9ab930b2
MC		 1286}
1287
38b051a1 1288int tls_get_message_body(SSL_CONNECTION *s, size_t *len)
9ab930b2 1289{
54105ddd 1290 size_t n, readbytes;
9ab930b2
MC		 1291 unsigned char *p;
1292 int i;
38b051a1 1293 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
9ab930b2 1294
555cbb32 1295 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
9ab930b2
MC		 1296 /* We've already read everything in */
1297 *len = (unsigned long)s->init_num;
1298 return 1;
0f113f3e
MC		 1299 }
1300
0f113f3e 1301 p = s->init_msg;
555cbb32 1302 n = s->s3.tmp.message_size - s->init_num;
0f113f3e 1303 while (n > 0) {
38b051a1
TM		 1304 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL,
1305 &p[s->init_num], n, 0, &readbytes);
0f113f3e
MC		 1306 if (i <= 0) {
1307 s->rwstate = SSL_READING;
9ab930b2
MC		 1308 *len = 0;
1309 return 0;
0f113f3e 1310 }
54105ddd
MC		 1311 s->init_num += readbytes;
1312 n -= readbytes;
0f113f3e 1313 }
ee2ffc27 1314
0f113f3e
MC		 1315 /*
1316 * If receiving Finished, record MAC of prior handshake messages for
1317 * Finished verification.
1318 */
5d671101
MC		 1319 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1320 /* SSLfatal() already called */
1321 *len = 0;
1322 return 0;
1323 }
ee2ffc27 1324
0f113f3e 1325 /* Feed this message into MAC computation. */
e8aa8b6c 1326 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
d166ed8c
DSH		 1327 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1328 s->init_num)) {
d4d2f3a4 1329 /* SSLfatal() already called */
d166ed8c
DSH		 1330 *len = 0;
1331 return 0;
1332 }
32ec4153 1333 if (s->msg_callback)
a230b26e 1334 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
38b051a1 1335 (size_t)s->init_num, ssl, s->msg_callback_arg);
32ec4153 1336 } else {
11c67eea
MC		 1337 /*
1338 * We defer feeding in the HRR until later. We'll do it as part of
1339 * processing the message
9d75dce3
TS		 1340 * The TLsv1.3 handshake transcript stops at the ClientFinished
1341 * message.
11c67eea 1342 */
597c51bc 1343#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
9d75dce3 1344 /* KeyUpdate and NewSessionTicket do not need to be added */
38b051a1
TM		 1345 if (!SSL_CONNECTION_IS_TLS13(s)
1346 || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1347 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
555cbb32 1348 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
9d75dce3
TS		 1349 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1350 || memcmp(hrrrandom,
1351 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1352 SSL3_RANDOM_SIZE) != 0) {
1353 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1354 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1355 /* SSLfatal() already called */
1356 *len = 0;
1357 return 0;
1358 }
597c51bc 1359 }
d166ed8c 1360 }
32ec4153
MC		 1361 if (s->msg_callback)
1362 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
38b051a1 1363 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, ssl,
32ec4153
MC		 1364 s->msg_callback_arg);
1365 }
1366
eda75751 1367 *len = s->init_num;
9ab930b2 1368 return 1;
0f113f3e 1369}
d02b48c6 1370
c6d38183
RS		 1371static const X509ERR2ALERT x509table[] = {
1372 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1373 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
cccf532f 1374 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
c6d38183
RS		 1375 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1376 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1377 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1378 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1379 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1380 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1381 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1382 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1383 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1384 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1385 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1386 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1387 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1388 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1389 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1390 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1391 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1392 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1393 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1394 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1395 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1396 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1397 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1398 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1399 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1400 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1401 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1402 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1403 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1404 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1405 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1406 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1407 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1408 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1409 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1410 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1411 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1412
1413 /* Last entry; return this if we don't find the value above. */
1414 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1415};
1416
1417int ssl_x509err2alert(int x509err)
0f113f3e 1418{
c6d38183
RS		 1419 const X509ERR2ALERT *tp;
1420
1421 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1422 if (tp->x509err == x509err)
1423 break;
1424 return tp->alert;
0f113f3e 1425}
d02b48c6 1426
38b051a1 1427int ssl_allow_compression(SSL_CONNECTION *s)
0f113f3e
MC		 1428{
1429 if (s->options & SSL_OP_NO_COMPRESSION)
1430 return 0;
1431 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1432}
4fa52141 1433
38b051a1 1434static int version_cmp(const SSL_CONNECTION *s, int a, int b)
4fa52141 1435{
38b051a1 1436 int dtls = SSL_CONNECTION_IS_DTLS(s);
4fa52141
VD		 1437
1438 if (a == b)
1439 return 0;
1440 if (!dtls)
1441 return a < b ? -1 : 1;
1442 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1443}
1444
1445typedef struct {
1446 int version;
a230b26e
EK		 1447 const SSL_METHOD *(*cmeth) (void);
1448 const SSL_METHOD *(*smeth) (void);
4fa52141
VD		 1449} version_info;
1450
5c587fb6 1451#if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
582a17d6 1452# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
4fa52141
VD		 1453#endif
1454
f7f2a01d 1455/* Must be in order high to low */
4fa52141 1456static const version_info tls_version_table[] = {
582a17d6
MC		 1457#ifndef OPENSSL_NO_TLS1_3
1458 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1459#else
1460 {TLS1_3_VERSION, NULL, NULL},
1461#endif
6b01bed2 1462#ifndef OPENSSL_NO_TLS1_2
a230b26e 1463 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
6b01bed2 1464#else
a230b26e 1465 {TLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1466#endif
1467#ifndef OPENSSL_NO_TLS1_1
a230b26e 1468 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
6b01bed2 1469#else
a230b26e 1470 {TLS1_1_VERSION, NULL, NULL},
6b01bed2
VD		 1471#endif
1472#ifndef OPENSSL_NO_TLS1
a230b26e 1473 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
6b01bed2 1474#else
a230b26e 1475 {TLS1_VERSION, NULL, NULL},
6b01bed2 1476#endif
4fa52141 1477#ifndef OPENSSL_NO_SSL3
a230b26e 1478 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
6b01bed2 1479#else
a230b26e 1480 {SSL3_VERSION, NULL, NULL},
4fa52141 1481#endif
a230b26e 1482 {0, NULL, NULL},
4fa52141
VD		 1483};
1484
5c587fb6 1485#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
4fa52141
VD		 1486# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1487#endif
1488
f7f2a01d 1489/* Must be in order high to low */
4fa52141 1490static const version_info dtls_version_table[] = {
6b01bed2 1491#ifndef OPENSSL_NO_DTLS1_2
a230b26e 1492 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
6b01bed2 1493#else
a230b26e 1494 {DTLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1495#endif
1496#ifndef OPENSSL_NO_DTLS1
a230b26e
EK		 1497 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1498 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
6b01bed2 1499#else
a230b26e
EK		 1500 {DTLS1_VERSION, NULL, NULL},
1501 {DTLS1_BAD_VER, NULL, NULL},
6b01bed2 1502#endif
a230b26e 1503 {0, NULL, NULL},
4fa52141
VD		 1504};
1505
1506/*
1507 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1508 *
1509 * @s: The SSL handle for the candidate method
1510 * @method: the intended method.
1511 *
1512 * Returns 0 on success, or an SSL error reason on failure.
1513 */
38b051a1 1514static int ssl_method_error(const SSL_CONNECTION *s, const SSL_METHOD *method)
4fa52141
VD		 1515{
1516 int version = method->version;
1517
1518 if ((s->min_proto_version != 0 &&
1519 version_cmp(s, version, s->min_proto_version) < 0) ||
1520 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1521 return SSL_R_VERSION_TOO_LOW;
1522
1523 if (s->max_proto_version != 0 &&
a230b26e 1524 version_cmp(s, version, s->max_proto_version) > 0)
4fa52141
VD		 1525 return SSL_R_VERSION_TOO_HIGH;
1526
1527 if ((s->options & method->mask) != 0)
1528 return SSL_R_UNSUPPORTED_PROTOCOL;
1529 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1530 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
4fa52141
VD		 1531
1532 return 0;
1533}
1534
baa45c3e
MC		 1535/*
1536 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
ebda646d
MC		 1537 * certificate type, or has PSK or a certificate callback configured, or has
1538 * a servername callback configure. Otherwise returns 0.
baa45c3e 1539 */
38b051a1 1540static int is_tls13_capable(const SSL_CONNECTION *s)
baa45c3e 1541{
65d2c16c 1542 int i;
65d2c16c 1543 int curve;
38b051a1 1544 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
baa45c3e 1545
38b051a1 1546 if (!ossl_assert(sctx != NULL) || !ossl_assert(s->session_ctx != NULL))
ebda646d
MC		 1547 return 0;
1548
1549 /*
1550 * A servername callback can change the available certs, so if a servername
1551 * cb is set then we just assume TLSv1.3 will be ok
1552 */
38b051a1 1553 if (sctx->ext.servername_cb != NULL
ebda646d
MC		 1554 || s->session_ctx->ext.servername_cb != NULL)
1555 return 1;
1556
d162340d
MC		 1557#ifndef OPENSSL_NO_PSK
1558 if (s->psk_server_callback != NULL)
1559 return 1;
1560#endif
1561
cd3b53b8 1562 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
baa45c3e
MC		 1563 return 1;
1564
1565 for (i = 0; i < SSL_PKEY_NUM; i++) {
1566 /* Skip over certs disallowed for TLSv1.3 */
1567 switch (i) {
1568 case SSL_PKEY_DSA_SIGN:
1569 case SSL_PKEY_GOST01:
1570 case SSL_PKEY_GOST12_256:
1571 case SSL_PKEY_GOST12_512:
1572 continue;
1573 default:
1574 break;
1575 }
de4dc598
MC		 1576 if (!ssl_has_cert(s, i))
1577 continue;
1578 if (i != SSL_PKEY_ECC)
1579 return 1;
1580 /*
1581 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1582 * more restrictive so check that our sig algs are consistent with this
1583 * EC cert. See section 4.2.3 of RFC8446.
1584 */
d8975dec 1585 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
de4dc598 1586 if (tls_check_sigalg_curve(s, curve))
baa45c3e
MC		 1587 return 1;
1588 }
1589
1590 return 0;
1591}
1592
ccae4a15
FI		 1593/*
1594 * ssl_version_supported - Check that the specified `version` is supported by
1595 * `SSL *` instance
1596 *
1597 * @s: The SSL handle for the candidate method
1598 * @version: Protocol version to test against
1599 *
1600 * Returns 1 when supported, otherwise 0
1601 */
38b051a1
TM		 1602int ssl_version_supported(const SSL_CONNECTION *s, int version,
1603 const SSL_METHOD **meth)
ccae4a15
FI		 1604{
1605 const version_info *vent;
1606 const version_info *table;
1607
38b051a1 1608 switch (SSL_CONNECTION_GET_SSL(s)->method->version) {
ccae4a15
FI		 1609 default:
1610 /* Version should match method version for non-ANY method */
1611 return version_cmp(s, version, s->version) == 0;
1612 case TLS_ANY_VERSION:
1613 table = tls_version_table;
1614 break;
1615 case DTLS_ANY_VERSION:
1616 table = dtls_version_table;
1617 break;
1618 }
1619
1620 for (vent = table;
1621 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1622 ++vent) {
baa45c3e
MC		 1623 if (vent->cmeth != NULL
1624 && version_cmp(s, version, vent->version) == 0
1625 && ssl_method_error(s, vent->cmeth()) == 0
1626 && (!s->server
1627 || version != TLS1_3_VERSION
1628 || is_tls13_capable(s))) {
4fd12788
MC		 1629 if (meth != NULL)
1630 *meth = vent->cmeth();
ccae4a15
FI		 1631 return 1;
1632 }
1633 }
1634 return 0;
1635}
1636
4fa52141
VD		 1637/*
1638 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1639 * fallback indication from a client check whether we're using the highest
1640 * supported protocol version.
1641 *
1642 * @s server SSL handle.
1643 *
1644 * Returns 1 when using the highest enabled version, 0 otherwise.
1645 */
38b051a1 1646int ssl_check_version_downgrade(SSL_CONNECTION *s)
4fa52141
VD		 1647{
1648 const version_info *vent;
1649 const version_info *table;
38b051a1 1650 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
4fa52141
VD		 1651
1652 /*
1653 * Check that the current protocol is the highest enabled version
1654 * (according to s->ctx->method, as version negotiation may have changed
1655 * s->method).
1656 */
38b051a1 1657 if (s->version == sctx->method->version)
4fa52141
VD		 1658 return 1;
1659
1660 /*
1661 * Apparently we're using a version-flexible SSL_METHOD (not at its
1662 * highest protocol version).
1663 */
38b051a1 1664 if (sctx->method->version == TLS_method()->version)
4fa52141 1665 table = tls_version_table;
38b051a1 1666 else if (sctx->method->version == DTLS_method()->version)
4fa52141
VD		 1667 table = dtls_version_table;
1668 else {
1669 /* Unexpected state; fail closed. */
1670 return 0;
1671 }
1672
1673 for (vent = table; vent->version != 0; ++vent) {
a230b26e 1674 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
4fa52141
VD		 1675 return s->version == vent->version;
1676 }
1677 return 0;
1678}
1679
1680/*
1681 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1682 * protocols, provided the initial (D)TLS method is version-flexible. This
1683 * function sanity-checks the proposed value and makes sure the method is
1684 * version-flexible, then sets the limit if all is well.
1685 *
1686 * @method_version: The version of the current SSL_METHOD.
1687 * @version: the intended limit.
1688 * @bound: pointer to limit to be updated.
1689 *
1690 * Returns 1 on success, 0 on failure.
1691 */
1692int ssl_set_version_bound(int method_version, int version, int *bound)
1693{
77174598
VD		 1694 int valid_tls;
1695 int valid_dtls;
1696
869e978c
KR		 1697 if (version == 0) {
1698 *bound = version;
1699 return 1;
1700 }
1701
77174598
VD		 1702 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1703 valid_dtls =
1704 DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1705 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1706
1707 if (!valid_tls && !valid_dtls)
1708 return 0;
1709
4fa52141
VD		 1710 /*-
1711 * Restrict TLS methods to TLS protocol versions.
1712 * Restrict DTLS methods to DTLS protocol versions.
1713 * Note, DTLS version numbers are decreasing, use comparison macros.
1714 *
1715 * Note that for both lower-bounds we use explicit versions, not
1716 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1717 * configurations. If the MIN (supported) version ever rises, the user's
1718 * "floor" remains valid even if no longer available. We don't expect the
1719 * MAX ceiling to ever get lower, so making that variable makes sense.
77174598
VD		 1720 *
1721 * We ignore attempts to set bounds on version-inflexible methods,
1722 * returning success.
4fa52141
VD		 1723 */
1724 switch (method_version) {
1725 default:
77174598 1726 break;
4fa52141
VD		 1727
1728 case TLS_ANY_VERSION:
77174598
VD		 1729 if (valid_tls)
1730 *bound = version;
4fa52141
VD		 1731 break;
1732
1733 case DTLS_ANY_VERSION:
77174598
VD		 1734 if (valid_dtls)
1735 *bound = version;
4fa52141
VD		 1736 break;
1737 }
4fa52141
VD		 1738 return 1;
1739}
1740
38b051a1 1741static void check_for_downgrade(SSL_CONNECTION *s, int vers, DOWNGRADE *dgrd)
f7f2a01d
MC		 1742{
1743 if (vers == TLS1_2_VERSION
4fd12788 1744 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
f7f2a01d 1745 *dgrd = DOWNGRADE_TO_1_2;
38b051a1 1746 } else if (!SSL_CONNECTION_IS_DTLS(s)
5627f9f2
MC		 1747 && vers < TLS1_2_VERSION
1748 /*
1749 * We need to ensure that a server that disables TLSv1.2
1750 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1751 * complete handshakes with clients that support TLSv1.2 and
1752 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1753 * enabled and TLSv1.2 is not.
1754 */
1755 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
f7f2a01d
MC		 1756 *dgrd = DOWNGRADE_TO_1_1;
1757 } else {
1758 *dgrd = DOWNGRADE_NONE;
1759 }
1760}
1761
4fa52141
VD		 1762/*
1763 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1764 * client HELLO is received to select the final server protocol version and
1765 * the version specific method.
1766 *
1767 * @s: server SSL handle.
1768 *
1769 * Returns 0 on success or an SSL error reason number on failure.
1770 */
38b051a1
TM		 1771int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
1772 DOWNGRADE *dgrd)
4fa52141
VD		 1773{
1774 /*-
1775 * With version-flexible methods we have an initial state with:
1776 *
1777 * s->method->version == (D)TLS_ANY_VERSION,
5c587fb6 1778 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
4fa52141
VD		 1779 *
1780 * So we detect version-flexible methods via the method version, not the
1781 * handle version.
1782 */
38b051a1
TM		 1783 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1784 int server_version = ssl->method->version;
df7ce507 1785 int client_version = hello->legacy_version;
4fa52141
VD		 1786 const version_info *vent;
1787 const version_info *table;
1788 int disabled = 0;
cd998837 1789 RAW_EXTENSION *suppversions;
4fa52141 1790
1ab3836b
MC		 1791 s->client_version = client_version;
1792
4fa52141
VD		 1793 switch (server_version) {
1794 default:
38b051a1 1795 if (!SSL_CONNECTION_IS_TLS13(s)) {
7d061fce
MC		 1796 if (version_cmp(s, client_version, s->version) < 0)
1797 return SSL_R_WRONG_SSL_VERSION;
f7f2a01d 1798 *dgrd = DOWNGRADE_NONE;
7d061fce
MC		 1799 /*
1800 * If this SSL handle is not from a version flexible method we don't
1801 * (and never did) check min/max FIPS or Suite B constraints. Hope
1802 * that's OK. It is up to the caller to not choose fixed protocol
1803 * versions they don't want. If not, then easy to fix, just return
1804 * ssl_method_error(s, s->method)
1805 */
1806 return 0;
1807 }
d2f42576 1808 /*
7d061fce
MC		 1809 * Fall through if we are TLSv1.3 already (this means we must be after
1810 * a HelloRetryRequest
4fa52141 1811 */
018fcbec 1812 /* fall thru */
4fa52141
VD		 1813 case TLS_ANY_VERSION:
1814 table = tls_version_table;
1815 break;
1816 case DTLS_ANY_VERSION:
1817 table = dtls_version_table;
1818 break;
1819 }
1820
70af3d8e 1821 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
cd998837 1822
6f40214f 1823 /* If we did an HRR then supported versions is mandatory */
fc7129dc 1824 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
6f40214f
MC		 1825 return SSL_R_UNSUPPORTED_PROTOCOL;
1826
38b051a1 1827 if (suppversions->present && !SSL_CONNECTION_IS_DTLS(s)) {
cd998837
MC		 1828 unsigned int candidate_vers = 0;
1829 unsigned int best_vers = 0;
1830 const SSL_METHOD *best_method = NULL;
1831 PACKET versionslist;
1832
6b473aca
MC		 1833 suppversions->parsed = 1;
1834
16bce0e0 1835 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
cd998837
MC		 1836 /* Trailing or invalid data? */
1837 return SSL_R_LENGTH_MISMATCH;
1838 }
1839
d8434cf8
MC		 1840 /*
1841 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1842 * The spec only requires servers to check that it isn't SSLv3:
1843 * "Any endpoint receiving a Hello message with
1844 * ClientHello.legacy_version or ServerHello.legacy_version set to
1845 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1846 * We are slightly stricter and require that it isn't SSLv3 or lower.
1847 * We tolerate TLSv1 and TLSv1.1.
1848 */
1849 if (client_version <= SSL3_VERSION)
1850 return SSL_R_BAD_LEGACY_VERSION;
1851
cd998837 1852 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
cd998837
MC		 1853 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1854 continue;
4fd12788
MC		 1855 if (ssl_version_supported(s, candidate_vers, &best_method))
1856 best_vers = candidate_vers;
cd998837
MC		 1857 }
1858 if (PACKET_remaining(&versionslist) != 0) {
1859 /* Trailing data? */
1860 return SSL_R_LENGTH_MISMATCH;
1861 }
1862
1863 if (best_vers > 0) {
fc7129dc 1864 if (s->hello_retry_request != SSL_HRR_NONE) {
7d061fce 1865 /*
6f40214f
MC		 1866 * This is after a HelloRetryRequest so we better check that we
1867 * negotiated TLSv1.3
7d061fce
MC		 1868 */
1869 if (best_vers != TLS1_3_VERSION)
1870 return SSL_R_UNSUPPORTED_PROTOCOL;
1871 return 0;
1872 }
f7f2a01d 1873 check_for_downgrade(s, best_vers, dgrd);
cd998837 1874 s->version = best_vers;
38b051a1 1875 ssl->method = best_method;
cd998837
MC		 1876 return 0;
1877 }
1878 return SSL_R_UNSUPPORTED_PROTOCOL;
1879 }
1880
1881 /*
1882 * If the supported versions extension isn't present, then the highest
1883 * version we can negotiate is TLSv1.2
1884 */
1885 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1886 client_version = TLS1_2_VERSION;
1887
1888 /*
1889 * No supported versions extension, so we just use the version supplied in
1890 * the ClientHello.
1891 */
4fa52141
VD		 1892 for (vent = table; vent->version != 0; ++vent) {
1893 const SSL_METHOD *method;
1894
1895 if (vent->smeth == NULL ||
1896 version_cmp(s, client_version, vent->version) < 0)
1897 continue;
1898 method = vent->smeth();
1899 if (ssl_method_error(s, method) == 0) {
f7f2a01d 1900 check_for_downgrade(s, vent->version, dgrd);
4fa52141 1901 s->version = vent->version;
38b051a1 1902 ssl->method = method;
4fa52141
VD		 1903 return 0;
1904 }
1905 disabled = 1;
1906 }
1907 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1908}
1909
1910/*
1911 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1912 * server HELLO is received to select the final client protocol version and
1913 * the version specific method.
1914 *
1915 * @s: client SSL handle.
1916 * @version: The proposed version from the server's HELLO.
88050dd1 1917 * @extensions: The extensions received
4fa52141 1918 *
29bfd5b7 1919 * Returns 1 on success or 0 on error.
4fa52141 1920 */
38b051a1
TM		 1921int ssl_choose_client_version(SSL_CONNECTION *s, int version,
1922 RAW_EXTENSION *extensions)
4fa52141
VD		 1923{
1924 const version_info *vent;
1925 const version_info *table;
b5b993b2 1926 int ret, ver_min, ver_max, real_max, origv;
38b051a1 1927 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
4fa52141 1928
88050dd1
MC		 1929 origv = s->version;
1930 s->version = version;
b97667ce 1931
88050dd1
MC		 1932 /* This will overwrite s->version if the extension is present */
1933 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1934 SSL_EXT_TLS1_2_SERVER_HELLO
1935 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1936 NULL, 0)) {
1937 s->version = origv;
1938 return 0;
1939 }
1940
fc7129dc
MC		 1941 if (s->hello_retry_request != SSL_HRR_NONE
1942 && s->version != TLS1_3_VERSION) {
88050dd1 1943 s->version = origv;
c48ffbcc 1944 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
29bfd5b7 1945 return 0;
c3043dcd
MC		 1946 }
1947
38b051a1 1948 switch (ssl->method->version) {
4fa52141 1949 default:
38b051a1 1950 if (s->version != ssl->method->version) {
88050dd1 1951 s->version = origv;
c48ffbcc 1952 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
29bfd5b7 1953 return 0;
c3043dcd 1954 }
4fa52141
VD		 1955 /*
1956 * If this SSL handle is not from a version flexible method we don't
1957 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1958 * that's OK. It is up to the caller to not choose fixed protocol
1959 * versions they don't want. If not, then easy to fix, just return
1960 * ssl_method_error(s, s->method)
1961 */
29bfd5b7 1962 return 1;
4fa52141
VD		 1963 case TLS_ANY_VERSION:
1964 table = tls_version_table;
1965 break;
1966 case DTLS_ANY_VERSION:
1967 table = dtls_version_table;
1968 break;
1969 }
1970
b5b993b2
MC		 1971 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1972 if (ret != 0) {
1973 s->version = origv;
c48ffbcc 1974 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
b5b993b2
MC		 1975 return 0;
1976 }
38b051a1
TM		 1977 if (SSL_CONNECTION_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1978 : s->version < ver_min) {
b5b993b2 1979 s->version = origv;
c48ffbcc 1980 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
b5b993b2 1981 return 0;
38b051a1
TM		 1982 } else if (SSL_CONNECTION_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1983 : s->version > ver_max) {
b5b993b2 1984 s->version = origv;
c48ffbcc 1985 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
b5b993b2
MC		 1986 return 0;
1987 }
5df22060 1988
b5b993b2
MC		 1989 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1990 real_max = ver_max;
c3043dcd 1991
b5b993b2
MC		 1992 /* Check for downgrades */
1993 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1994 if (memcmp(tls12downgrade,
555cbb32 1995 s->s3.server_random + SSL3_RANDOM_SIZE
b5b993b2
MC		 1996 - sizeof(tls12downgrade),
1997 sizeof(tls12downgrade)) == 0) {
1998 s->version = origv;
1999 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
b5b993b2
MC		 2000 SSL_R_INAPPROPRIATE_FALLBACK);
2001 return 0;
2002 }
38b051a1 2003 } else if (!SSL_CONNECTION_IS_DTLS(s)
b5b993b2
MC		 2004 && s->version < TLS1_2_VERSION
2005 && real_max > s->version) {
2006 if (memcmp(tls11downgrade,
555cbb32 2007 s->s3.server_random + SSL3_RANDOM_SIZE
b5b993b2
MC		 2008 - sizeof(tls11downgrade),
2009 sizeof(tls11downgrade)) == 0) {
2010 s->version = origv;
2011 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
b5b993b2
MC		 2012 SSL_R_INAPPROPRIATE_FALLBACK);
2013 return 0;
c3043dcd 2014 }
b5b993b2 2015 }
c3043dcd 2016
b5b993b2
MC		 2017 for (vent = table; vent->version != 0; ++vent) {
2018 if (vent->cmeth == NULL || s->version != vent->version)
c3043dcd
MC		 2019 continue;
2020
38b051a1 2021 ssl->method = vent->cmeth();
29bfd5b7 2022 return 1;
4fa52141
VD		 2023 }
2024
88050dd1 2025 s->version = origv;
c48ffbcc 2026 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
29bfd5b7 2027 return 0;
4fa52141
VD		 2028}
2029
068c358a 2030/*
38a73150 2031 * ssl_get_min_max_version - get minimum and maximum protocol version
068c358a
KR		 2032 * @s: The SSL connection
2033 * @min_version: The minimum supported version
2034 * @max_version: The maximum supported version
b5b993b2
MC		 2035 * @real_max: The highest version below the lowest compile time version hole
2036 * where that hole lies above at least one run-time enabled
2037 * protocol.
068c358a
KR		 2038 *
2039 * Work out what version we should be using for the initial ClientHello if the
2040 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2041 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
b53338cb 2042 * constraints and any floor imposed by the security level here,
068c358a 2043 * so we don't advertise the wrong protocol version to only reject the outcome later.
4fa52141 2044 *
0485d540 2045 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
4fa52141
VD		 2046 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2047 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2048 *
068c358a
KR		 2049 * Returns 0 on success or an SSL error reason number on failure. On failure
2050 * min_version and max_version will also be set to 0.
4fa52141 2051 */
38b051a1
TM		 2052int ssl_get_min_max_version(const SSL_CONNECTION *s, int *min_version,
2053 int *max_version, int *real_max)
4fa52141 2054{
b5b993b2 2055 int version, tmp_real_max;
4fa52141
VD		 2056 int hole;
2057 const SSL_METHOD *single = NULL;
2058 const SSL_METHOD *method;
2059 const version_info *table;
2060 const version_info *vent;
38b051a1 2061 const SSL *ssl = SSL_CONNECTION_GET_SSL(s);
4fa52141 2062
38b051a1 2063 switch (ssl->method->version) {
4fa52141
VD		 2064 default:
2065 /*
2066 * If this SSL handle is not from a version flexible method we don't
2067 * (and never did) check min/max FIPS or Suite B constraints. Hope
2068 * that's OK. It is up to the caller to not choose fixed protocol
2069 * versions they don't want. If not, then easy to fix, just return
2070 * ssl_method_error(s, s->method)
2071 */
068c358a 2072 *min_version = *max_version = s->version;
b5b993b2
MC		 2073 /*
2074 * Providing a real_max only makes sense where we're using a version
2075 * flexible method.
2076 */
2077 if (!ossl_assert(real_max == NULL))
2078 return ERR_R_INTERNAL_ERROR;
4fa52141
VD		 2079 return 0;
2080 case TLS_ANY_VERSION:
2081 table = tls_version_table;
2082 break;
2083 case DTLS_ANY_VERSION:
2084 table = dtls_version_table;
2085 break;
2086 }
2087
2088 /*
2089 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2090 * below X enabled. This is required in order to maintain the "version
2091 * capability" vector contiguous. Any versions with a NULL client method
2092 * (protocol version client is disabled at compile-time) is also a "hole".
2093 *
2094 * Our initial state is hole == 1, version == 0. That is, versions above
2095 * the first version in the method table are disabled (a "hole" above
2096 * the valid protocol entries) and we don't have a selected version yet.
2097 *
2098 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2099 * the selected version, and the method becomes a candidate "single"
2100 * method. We're no longer in a hole, so "hole" becomes 0.
2101 *
2102 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2103 * as we support a contiguous range of at least two methods. If we hit
2104 * a disabled method, then hole becomes true again, but nothing else
2105 * changes yet, because all the remaining methods may be disabled too.
2106 * If we again hit an enabled method after the new hole, it becomes
2107 * selected, as we start from scratch.
2108 */
068c358a 2109 *min_version = version = 0;
4fa52141 2110 hole = 1;
b5b993b2
MC		 2111 if (real_max != NULL)
2112 *real_max = 0;
2113 tmp_real_max = 0;
4fa52141
VD		 2114 for (vent = table; vent->version != 0; ++vent) {
2115 /*
2116 * A table entry with a NULL client method is still a hole in the
2117 * "version capability" vector.
2118 */
2119 if (vent->cmeth == NULL) {
2120 hole = 1;
b5b993b2 2121 tmp_real_max = 0;
4fa52141
VD		 2122 continue;
2123 }
2124 method = vent->cmeth();
b5b993b2
MC		 2125
2126 if (hole == 1 && tmp_real_max == 0)
2127 tmp_real_max = vent->version;
2128
4fa52141
VD		 2129 if (ssl_method_error(s, method) != 0) {
2130 hole = 1;
2131 } else if (!hole) {
2132 single = NULL;
068c358a 2133 *min_version = method->version;
4fa52141 2134 } else {
b5b993b2
MC		 2135 if (real_max != NULL && tmp_real_max != 0)
2136 *real_max = tmp_real_max;
4fa52141 2137 version = (single = method)->version;
068c358a 2138 *min_version = version;
4fa52141
VD		 2139 hole = 0;
2140 }
2141 }
2142
068c358a
KR		 2143 *max_version = version;
2144
4fa52141
VD		 2145 /* Fail if everything is disabled */
2146 if (version == 0)
2147 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2148
068c358a
KR		 2149 return 0;
2150}
2151
2152/*
2153 * ssl_set_client_hello_version - Work out what version we should be using for
7acb8b64 2154 * the initial ClientHello.legacy_version field.
068c358a
KR		 2155 *
2156 * @s: client SSL handle.
2157 *
2158 * Returns 0 on success or an SSL error reason number on failure.
2159 */
38b051a1 2160int ssl_set_client_hello_version(SSL_CONNECTION *s)
068c358a 2161{
3eb2aff4 2162 int ver_min, ver_max, ret;
068c358a 2163
447cc0ad
MC		 2164 /*
2165 * In a renegotiation we always send the same client_version that we sent
2166 * last time, regardless of which version we eventually negotiated.
2167 */
2168 if (!SSL_IS_FIRST_HANDSHAKE(s))
2169 return 0;
2170
b5b993b2 2171 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
068c358a
KR		 2172
2173 if (ret != 0)
2174 return ret;
2175
7acb8b64
MC		 2176 s->version = ver_max;
2177
2178 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
38b051a1 2179 if (!SSL_CONNECTION_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
7acb8b64
MC		 2180 ver_max = TLS1_2_VERSION;
2181
2182 s->client_version = ver_max;
4fa52141
VD		 2183 return 0;
2184}
aff9929b
MC		 2185
2186/*
2187 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2188 * and |checkallow| is 1 then additionally check if the group is allowed to be
2189 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2190 * 1) or 0 otherwise.
2191 */
38b051a1 2192int check_in_list(SSL_CONNECTION *s, uint16_t group_id, const uint16_t *groups,
aff9929b
MC		 2193 size_t num_groups, int checkallow)
2194{
2195 size_t i;
2196
2197 if (groups == NULL || num_groups == 0)
2198 return 0;
2199
0a10825a
BE		 2200 if (checkallow == 1)
2201 group_id = ssl_group_id_tls13_to_internal(group_id);
2202
9e84a42d
DSH		 2203 for (i = 0; i < num_groups; i++) {
2204 uint16_t group = groups[i];
2205
0a10825a
BE		 2206 if (checkallow == 2)
2207 group = ssl_group_id_tls13_to_internal(group);
2208
9e84a42d 2209 if (group_id == group
aff9929b 2210 && (!checkallow
dbc6268f 2211 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
0acee504 2212 return 1;
aff9929b
MC		 2213 }
2214 }
2215
0acee504 2216 return 0;
aff9929b 2217}
11c67eea
MC		 2218
2219/* Replace ClientHello1 in the transcript hash with a synthetic message */
38b051a1
TM		 2220int create_synthetic_message_hash(SSL_CONNECTION *s,
2221 const unsigned char *hashval,
43054d3d
MC		 2222 size_t hashlen, const unsigned char *hrr,
2223 size_t hrrlen)
11c67eea 2224{
43054d3d 2225 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
635b7d3f
MC		 2226 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2227
2228 memset(msghdr, 0, sizeof(msghdr));
11c67eea 2229
43054d3d
MC		 2230 if (hashval == NULL) {
2231 hashval = hashvaltmp;
2232 hashlen = 0;
2233 /* Get the hash of the initial ClientHello */
2234 if (!ssl3_digest_cached_records(s, 0)
2235 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2236 &hashlen)) {
2237 /* SSLfatal() already called */
2238 return 0;
2239 }
11c67eea
MC		 2240 }
2241
2242 /* Reinitialise the transcript hash */
f63a17d6
MC		 2243 if (!ssl3_init_finished_mac(s)) {
2244 /* SSLfatal() already called */
11c67eea 2245 return 0;
f63a17d6 2246 }
11c67eea
MC		 2247
2248 /* Inject the synthetic message_hash message */
635b7d3f 2249 msghdr[0] = SSL3_MT_MESSAGE_HASH;
3a63c0ed 2250 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
11c67eea
MC		 2251 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2252 || !ssl3_finish_mac(s, hashval, hashlen)) {
f63a17d6 2253 /* SSLfatal() already called */
11c67eea
MC		 2254 return 0;
2255 }
2256
43054d3d
MC		 2257 /*
2258 * Now re-inject the HRR and current message if appropriate (we just deleted
2259 * it when we reinitialised the transcript hash above). Only necessary after
2260 * receiving a ClientHello2 with a cookie.
2261 */
2262 if (hrr != NULL
2263 && (!ssl3_finish_mac(s, hrr, hrrlen)
2264 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
555cbb32 2265 s->s3.tmp.message_size
43054d3d
MC		 2266 + SSL3_HM_HEADER_LENGTH))) {
2267 /* SSLfatal() already called */
2268 return 0;
2269 }
2270
11c67eea
MC		 2271 return 1;
2272}
5d6cca05
DSH		 2273
2274static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2275{
2276 return X509_NAME_cmp(*a, *b);
2277}
2278
38b051a1 2279int parse_ca_names(SSL_CONNECTION *s, PACKET *pkt)
5d6cca05
DSH		 2280{
2281 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2282 X509_NAME *xn = NULL;
2283 PACKET cadns;
2284
2285 if (ca_sk == NULL) {
c48ffbcc 2286 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 2287 goto err;
5d6cca05
DSH		 2288 }
2289 /* get the CA RDNs */
2290 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
c48ffbcc 2291 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 2292 goto err;
5d6cca05
DSH		 2293 }
2294
2295 while (PACKET_remaining(&cadns)) {
2296 const unsigned char *namestart, *namebytes;
2297 unsigned int name_len;
2298
2299 if (!PACKET_get_net_2(&cadns, &name_len)
2300 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
c48ffbcc 2301 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 2302 goto err;
5d6cca05
DSH		 2303 }
2304
2305 namestart = namebytes;
2306 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
c48ffbcc 2307 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
f63a17d6 2308 goto err;
5d6cca05
DSH		 2309 }
2310 if (namebytes != (namestart + name_len)) {
c48ffbcc 2311 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
f63a17d6 2312 goto err;
5d6cca05
DSH		 2313 }
2314
2315 if (!sk_X509_NAME_push(ca_sk, xn)) {
c48ffbcc 2316 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
5d6cca05
DSH		 2317 goto err;
2318 }
2319 xn = NULL;
2320 }
2321
555cbb32
TS		 2322 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2323 s->s3.tmp.peer_ca_names = ca_sk;
5d6cca05
DSH		 2324
2325 return 1;
2326
5d6cca05
DSH		 2327 err:
2328 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2329 X509_NAME_free(xn);
2330 return 0;
2331}
2332
38b051a1 2333const STACK_OF(X509_NAME) *get_ca_names(SSL_CONNECTION *s)
5d6cca05 2334{
1e331727 2335 const STACK_OF(X509_NAME) *ca_sk = NULL;
38b051a1 2336 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
5d6cca05 2337
98732979 2338 if (s->server) {
38b051a1 2339 ca_sk = SSL_get_client_CA_list(ssl);
98732979
MC		 2340 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2341 ca_sk = NULL;
2342 }
2343
2344 if (ca_sk == NULL)
38b051a1 2345 ca_sk = SSL_get0_CA_list(ssl);
98732979
MC		 2346
2347 return ca_sk;
2348}
2349
38b051a1
TM		 2350int construct_ca_names(SSL_CONNECTION *s, const STACK_OF(X509_NAME) *ca_sk,
2351 WPACKET *pkt)
98732979 2352{
5d6cca05 2353 /* Start sub-packet for client CA list */
f63a17d6 2354 if (!WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 2355 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5d6cca05 2356 return 0;
f63a17d6 2357 }
5d6cca05 2358
90fc2c26 2359 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
5d6cca05
DSH		 2360 int i;
2361
2362 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2363 unsigned char *namebytes;
2364 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2365 int namelen;
2366
2367 if (name == NULL
2368 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2369 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2370 &namebytes)
2371 || i2d_X509_NAME(name, &namebytes) != namelen) {
c48ffbcc 2372 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5d6cca05
DSH		 2373 return 0;
2374 }
2375 }
2376 }
2377
f63a17d6 2378 if (!WPACKET_close(pkt)) {
c48ffbcc 2379 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5d6cca05 2380 return 0;
f63a17d6 2381 }
5d6cca05
DSH		 2382
2383 return 1;
2384}
72ceb6a6
DSH		 2385
2386/* Create a buffer containing data to be signed for server key exchange */
38b051a1 2387size_t construct_key_exchange_tbs(SSL_CONNECTION *s, unsigned char **ptbs,
72ceb6a6
DSH		 2388 const void *param, size_t paramlen)
2389{
2390 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2391 unsigned char *tbs = OPENSSL_malloc(tbslen);
2392
f63a17d6 2393 if (tbs == NULL) {
c48ffbcc 2394 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
72ceb6a6 2395 return 0;
f63a17d6 2396 }
555cbb32
TS		 2397 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2398 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
72ceb6a6
DSH		 2399
2400 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2401
2402 *ptbs = tbs;
2403 return tbslen;
2404}
9d75dce3
TS		 2405
2406/*
2407 * Saves the current handshake digest for Post-Handshake Auth,
2408 * Done after ClientFinished is processed, done exactly once
2409 */
38b051a1 2410int tls13_save_handshake_digest_for_pha(SSL_CONNECTION *s)
9d75dce3
TS		 2411{
2412 if (s->pha_dgst == NULL) {
2413 if (!ssl3_digest_cached_records(s, 1))
2414 /* SSLfatal() already called */
2415 return 0;
2416
2417 s->pha_dgst = EVP_MD_CTX_new();
2418 if (s->pha_dgst == NULL) {
c48ffbcc 2419 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 2420 return 0;
2421 }
2422 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
555cbb32 2423 s->s3.handshake_dgst)) {
c48ffbcc 2424 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
963eb12d 2425 EVP_MD_CTX_free(s->pha_dgst);
2426 s->pha_dgst = NULL;
9d75dce3
TS		 2427 return 0;
2428 }
2429 }
2430 return 1;
2431}
2432
2433/*
2434 * Restores the Post-Handshake Auth handshake digest
2435 * Done just before sending/processing the Cert Request
2436 */
38b051a1 2437int tls13_restore_handshake_digest_for_pha(SSL_CONNECTION *s)
9d75dce3
TS		 2438{
2439 if (s->pha_dgst == NULL) {
c48ffbcc 2440 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 2441 return 0;
2442 }
555cbb32 2443 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
9d75dce3 2444 s->pha_dgst)) {
c48ffbcc 2445 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 2446 return 0;
2447 }
2448 return 1;
2449}
A mirror of the official openssl repository