]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/statem_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add some API tests for TLSv1.3 record padding
[thirdparty/openssl.git] / ssl / statem / statem_lib.c
CommitLineData
846e33c7 1/*
fecb3aae 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
aa8f3d76 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
3813046d 4 *
2c18d164 5 * Licensed under the Apache License 2.0 (the "License"). You may not use
846e33c7
RS		 6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
3813046d 9 */
846e33c7 10
48948d53 11#include <limits.h>
f2d9a32c 12#include <string.h>
d02b48c6 13#include <stdio.h>
706457b7
DMSP		 14#include "../ssl_local.h"
15#include "statem_local.h"
67dc995e 16#include "internal/cryptlib.h"
ec577822 17#include <openssl/buffer.h>
ec577822
BM		 18#include <openssl/objects.h>
19#include <openssl/evp.h>
d7e498ac 20#include <openssl/rsa.h>
ec577822 21#include <openssl/x509.h>
49b26f54 22#include <openssl/trace.h>
d02b48c6 23
c6d38183
RS		 24/*
25 * Map error codes to TLS/SSL alart types.
26 */
27typedef struct x509err2alert_st {
28 int x509err;
29 int alert;
30} X509ERR2ALERT;
31
597c51bc
MC		 32/* Fixed value used in the ServerHello random field to identify an HRR */
33const unsigned char hrrrandom[] = {
34 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37};
38
0f113f3e
MC		 39/*
40 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41 * SSL3_RT_CHANGE_CIPHER_SPEC)
42 */
38b051a1 43int ssl3_do_write(SSL_CONNECTION *s, int type)
0f113f3e
MC		 44{
45 int ret;
7ee8627f 46 size_t written = 0;
38b051a1 47 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
0f113f3e 48
38b051a1 49 ret = ssl3_write_bytes(ssl, type, &s->init_buf->data[s->init_off],
7ee8627f 50 s->init_num, &written);
0f113f3e 51 if (ret < 0)
26a7d938 52 return -1;
0f113f3e
MC		 53 if (type == SSL3_RT_HANDSHAKE)
54 /*
55 * should not be done for 'Hello Request's, but in that case we'll
56 * ignore the result anyway
9d75dce3 57 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
0f113f3e 58 */
38b051a1
TM		 59 if (!SSL_CONNECTION_IS_TLS13(s)
60 || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
9d75dce3
TS		 61 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
62 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
63 if (!ssl3_finish_mac(s,
64 (unsigned char *)&s->init_buf->data[s->init_off],
65 written))
66 return -1;
7ee8627f 67 if (written == s->init_num) {
0f113f3e
MC		 68 if (s->msg_callback)
69 s->msg_callback(1, s->version, type, s->init_buf->data,
38b051a1 70 (size_t)(s->init_off + s->init_num), ssl,
0f113f3e 71 s->msg_callback_arg);
208fb891 72 return 1;
0f113f3e 73 }
7ee8627f
MC		 74 s->init_off += written;
75 s->init_num -= written;
26a7d938 76 return 0;
0f113f3e 77}
e7ecc7d4 78
38b051a1 79int tls_close_construct_packet(SSL_CONNECTION *s, WPACKET *pkt, int htype)
2c7b4dbc
MC		 80{
81 size_t msglen;
82
4a01c59f 83 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
f1ec23c0 84 || !WPACKET_get_length(pkt, &msglen)
7cea05dc 85 || msglen > INT_MAX)
2c7b4dbc
MC		 86 return 0;
87 s->init_num = (int)msglen;
88 s->init_off = 0;
89
90 return 1;
91}
92
38b051a1 93int tls_setup_handshake(SSL_CONNECTION *s)
1f5b44e9 94{
8e32ea63 95 int ver_min, ver_max, ok;
38b051a1
TM		 96 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
97 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
8e32ea63 98
f63a17d6
MC		 99 if (!ssl3_init_finished_mac(s)) {
100 /* SSLfatal() already called */
c7f47786 101 return 0;
f63a17d6 102 }
c7f47786 103
b186a592
MC		 104 /* Reset any extension flags */
105 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
106
8e32ea63 107 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
c48ffbcc 108 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
8e32ea63
MC		 109 return 0;
110 }
111
112 /* Sanity check that we have MD5-SHA1 if we need it */
38b051a1 113 if (sctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
8e32ea63
MC		 114 int md5sha1_needed = 0;
115
116 /* We don't have MD5-SHA1 - do we need it? */
38b051a1 117 if (SSL_CONNECTION_IS_DTLS(s)) {
8e32ea63
MC		 118 if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
119 md5sha1_needed = 1;
120 } else {
121 if (ver_max <= TLS1_1_VERSION)
122 md5sha1_needed = 1;
123 }
124 if (md5sha1_needed) {
c48ffbcc
RL		 125 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
126 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
127 "The max supported SSL/TLS version needs the"
128 " MD5-SHA1 digest but it is not available"
129 " in the loaded providers. Use (D)TLSv1.2 or"
130 " above, or load different providers");
8e32ea63
MC		 131 return 0;
132 }
133
134 ok = 1;
135 /* Don't allow TLSv1.1 or below to be negotiated */
38b051a1 136 if (SSL_CONNECTION_IS_DTLS(s)) {
8e32ea63 137 if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
38b051a1 138 ok = SSL_set_min_proto_version(ssl, DTLS1_2_VERSION);
8e32ea63
MC		 139 } else {
140 if (ver_min < TLS1_2_VERSION)
38b051a1 141 ok = SSL_set_min_proto_version(ssl, TLS1_2_VERSION);
8e32ea63
MC		 142 }
143 if (!ok) {
144 /* Shouldn't happen */
c48ffbcc 145 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
8e32ea63
MC		 146 return 0;
147 }
148 }
149
150 ok = 0;
c7f47786 151 if (s->server) {
38b051a1 152 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl);
8e32ea63 153 int i;
38a73150
MC		 154
155 /*
156 * Sanity check that the maximum version we accept has ciphers
157 * enabled. For clients we do this check during construction of the
158 * ClientHello.
159 */
38a73150
MC		 160 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
161 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
162
38b051a1 163 if (SSL_CONNECTION_IS_DTLS(s)) {
38a73150
MC		 164 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
165 DTLS_VERSION_LE(ver_max, c->max_dtls))
166 ok = 1;
167 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
168 ok = 1;
169 }
170 if (ok)
171 break;
172 }
173 if (!ok) {
c48ffbcc
RL		 174 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
175 SSL_R_NO_CIPHERS_AVAILABLE,
176 "No ciphers enabled for max supported "
177 "SSL/TLS version");
38a73150
MC		 178 return 0;
179 }
c7f47786 180 if (SSL_IS_FIRST_HANDSHAKE(s)) {
0e6161bc 181 /* N.B. s->session_ctx == s->ctx here */
acce0557 182 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
c7f47786 183 } else {
0e6161bc 184 /* N.B. s->ctx may not equal s->session_ctx */
38b051a1 185 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_renegotiate);
c7f47786 186
555cbb32 187 s->s3.tmp.cert_request = 0;
c7f47786
MC		 188 }
189 } else {
190 if (SSL_IS_FIRST_HANDSHAKE(s))
acce0557 191 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
c7f47786 192 else
acce0557
P		 193 ssl_tsan_counter(s->session_ctx,
194 &s->session_ctx->stats.sess_connect_renegotiate);
c7f47786
MC		 195
196 /* mark client_random uninitialized */
555cbb32 197 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
c7f47786
MC		 198 s->hit = 0;
199
555cbb32 200 s->s3.tmp.cert_req = 0;
c7f47786 201
38b051a1 202 if (SSL_CONNECTION_IS_DTLS(s))
c7f47786 203 s->statem.use_timer = 1;
c7f47786
MC		 204 }
205
206 return 1;
207}
208
2c5dfdc3
MC		 209/*
210 * Size of the to-be-signed TLS13 data, without the hash size itself:
211 * 64 bytes of value 32, 33 context bytes, 1 byte separator
212 */
213#define TLS13_TBS_START_SIZE 64
214#define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
215
38b051a1 216static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs,
2c5dfdc3
MC		 217 void **hdata, size_t *hdatalen)
218{
48102247 219#ifdef CHARSET_EBCDIC
99435164 220 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
48102247 221 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
222 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
223 0x69, 0x66, 0x79, 0x00 };
99435164 224 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
48102247 225 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
226 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
227 0x69, 0x66, 0x79, 0x00 };
228#else
99435164
AV		 229 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
230 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
48102247 231#endif
38b051a1
TM		 232
233 if (SSL_CONNECTION_IS_TLS13(s)) {
2c5dfdc3
MC		 234 size_t hashlen;
235
236 /* Set the first 64 bytes of to-be-signed data to octet 32 */
237 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
238 /* This copies the 33 bytes of context plus the 0 separator byte */
239 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
240 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
241 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
242 else
243 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
244
245 /*
246 * If we're currently reading then we need to use the saved handshake
247 * hash value. We can't use the current handshake hash state because
248 * that includes the CertVerify itself.
249 */
250 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
251 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
252 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
253 s->cert_verify_hash_len);
254 hashlen = s->cert_verify_hash_len;
255 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
256 EVP_MAX_MD_SIZE, &hashlen)) {
f63a17d6 257 /* SSLfatal() already called */
2c5dfdc3
MC		 258 return 0;
259 }
260
261 *hdata = tls13tbs;
262 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
263 } else {
264 size_t retlen;
60690b5b 265 long retlen_l;
2c5dfdc3 266
555cbb32 267 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
60690b5b 268 if (retlen_l <= 0) {
c48ffbcc 269 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2c5dfdc3 270 return 0;
f63a17d6 271 }
2c5dfdc3
MC		 272 *hdatalen = retlen;
273 }
274
275 return 1;
276}
277
38b051a1 278int tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt)
d8bc1399 279{
ad4dd362
DSH		 280 EVP_PKEY *pkey = NULL;
281 const EVP_MD *md = NULL;
d8bc1399 282 EVP_MD_CTX *mctx = NULL;
5f9b64a2
MC		 283 EVP_PKEY_CTX *pctx = NULL;
284 size_t hdatalen = 0, siglen = 0;
d8bc1399
MC		 285 void *hdata;
286 unsigned char *sig = NULL;
2c5dfdc3 287 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
555cbb32 288 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
38b051a1 289 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
2c5dfdc3 290
555cbb32 291 if (lu == NULL || s->s3.tmp.cert == NULL) {
c48ffbcc 292 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 293 goto err;
294 }
555cbb32 295 pkey = s->s3.tmp.cert->privatekey;
ad4dd362 296
38b051a1 297 if (pkey == NULL || !tls1_lookup_md(sctx, lu, &md)) {
c48ffbcc 298 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
ad4dd362
DSH		 299 goto err;
300 }
d8bc1399
MC		 301
302 mctx = EVP_MD_CTX_new();
303 if (mctx == NULL) {
c48ffbcc 304 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
d8bc1399
MC		 305 goto err;
306 }
d8bc1399 307
2c5dfdc3
MC		 308 /* Get the data to be signed */
309 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6 310 /* SSLfatal() already called */
d8bc1399
MC		 311 goto err;
312 }
313
ad4dd362 314 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
c48ffbcc 315 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 316 goto err;
317 }
5f9b64a2 318
ed576acd
TM		 319 if (EVP_DigestSignInit_ex(mctx, &pctx,
320 md == NULL ? NULL : EVP_MD_get0_name(md),
38b051a1 321 sctx->libctx, sctx->propq, pkey,
d38b6ae9 322 NULL) <= 0) {
c48ffbcc 323 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
5f9b64a2
MC		 324 goto err;
325 }
326
ad4dd362 327 if (lu->sig == EVP_PKEY_RSA_PSS) {
5f9b64a2 328 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 329 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
330 RSA_PSS_SALTLEN_DIGEST) <= 0) {
c48ffbcc 331 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
5f9b64a2
MC		 332 goto err;
333 }
caf2b6b5
DSH		 334 }
335 if (s->version == SSL3_VERSION) {
bddbfae1
MC		 336 /*
337 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
338 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
339 */
caf2b6b5 340 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
83b4a243
SL		 341 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
342 (int)s->session->master_key_length,
343 s->session->master_key) <= 0
bddbfae1 344 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
caf2b6b5 345
c48ffbcc 346 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
5f9b64a2
MC		 347 goto err;
348 }
bddbfae1
MC		 349 sig = OPENSSL_malloc(siglen);
350 if (sig == NULL
351 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
c48ffbcc 352 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
bddbfae1
MC		 353 goto err;
354 }
355 } else {
356 /*
357 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
358 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
359 */
360 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
c48ffbcc 361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
bddbfae1
MC		 362 goto err;
363 }
364 sig = OPENSSL_malloc(siglen);
365 if (sig == NULL
366 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
c48ffbcc 367 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
bddbfae1
MC		 368 goto err;
369 }
d8bc1399 370 }
5f9b64a2 371
d8bc1399
MC		 372#ifndef OPENSSL_NO_GOST
373 {
ad4dd362
DSH		 374 int pktype = lu->sig;
375
d8bc1399
MC		 376 if (pktype == NID_id_GostR3410_2001
377 || pktype == NID_id_GostR3410_2012_256
378 || pktype == NID_id_GostR3410_2012_512)
5f9b64a2 379 BUF_reverse(sig, NULL, siglen);
d8bc1399
MC		 380 }
381#endif
382
5f9b64a2 383 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
c48ffbcc 384 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d8bc1399
MC		 385 goto err;
386 }
387
388 /* Digest cached records and discard handshake buffer */
d4d2f3a4
MC		 389 if (!ssl3_digest_cached_records(s, 0)) {
390 /* SSLfatal() already called */
d8bc1399 391 goto err;
d4d2f3a4 392 }
d8bc1399
MC		 393
394 OPENSSL_free(sig);
395 EVP_MD_CTX_free(mctx);
396 return 1;
397 err:
398 OPENSSL_free(sig);
399 EVP_MD_CTX_free(mctx);
d8bc1399
MC		 400 return 0;
401}
402
38b051a1 403MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt)
d8bc1399
MC		 404{
405 EVP_PKEY *pkey = NULL;
703bcee0 406 const unsigned char *data;
d8bc1399
MC		 407#ifndef OPENSSL_NO_GOST
408 unsigned char *gost_data = NULL;
409#endif
eb5fd03b 410 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
dd24857b 411 int j;
d8bc1399
MC		 412 unsigned int len;
413 X509 *peer;
414 const EVP_MD *md = NULL;
2c5dfdc3 415 size_t hdatalen = 0;
d8bc1399 416 void *hdata;
2c5dfdc3 417 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
d8bc1399 418 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
5f9b64a2 419 EVP_PKEY_CTX *pctx = NULL;
38b051a1 420 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
d8bc1399
MC		 421
422 if (mctx == NULL) {
c48ffbcc 423 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 424 goto err;
d8bc1399
MC		 425 }
426
427 peer = s->session->peer;
428 pkey = X509_get0_pubkey(peer);
f63a17d6 429 if (pkey == NULL) {
c48ffbcc 430 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6
MC		 431 goto err;
432 }
83b4049a 433
dd24857b 434 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
c48ffbcc 435 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6
MC		 436 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
437 goto err;
d8bc1399
MC		 438 }
439
f464f9c0 440 if (SSL_USE_SIGALGS(s)) {
f464f9c0
PD		 441 unsigned int sigalg;
442
443 if (!PACKET_get_net_2(pkt, &sigalg)) {
c48ffbcc 444 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
f63a17d6 445 goto err;
f464f9c0 446 }
f63a17d6
MC		 447 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
448 /* SSLfatal() already called */
449 goto err;
f464f9c0 450 }
f464f9c0 451 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
c48ffbcc 452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 453 goto err;
f464f9c0
PD		 454 }
455
38b051a1 456 if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) {
c48ffbcc 457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 458 goto err;
168067b6 459 }
f464f9c0 460
572fa024 461 if (SSL_USE_SIGALGS(s))
49b26f54 462 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
ed576acd 463 md == NULL ? "n/a" : EVP_MD_get0_name(md));
572fa024 464
d8bc1399
MC		 465 /* Check for broken implementations of GOST ciphersuites */
466 /*
f464f9c0
PD		 467 * If key is GOST and len is exactly 64 or 128, it is signature without
468 * length field (CryptoPro implementations at least till TLS 1.2)
d8bc1399
MC		 469 */
470#ifndef OPENSSL_NO_GOST
f464f9c0
PD		 471 if (!SSL_USE_SIGALGS(s)
472 && ((PACKET_remaining(pkt) == 64
ed576acd
TM		 473 && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
474 || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
f464f9c0 475 || (PACKET_remaining(pkt) == 128
ed576acd 476 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
f464f9c0 477 len = PACKET_remaining(pkt);
d8bc1399
MC		 478 } else
479#endif
f464f9c0 480 if (!PACKET_get_net_2(pkt, &len)) {
c48ffbcc 481 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 482 goto err;
d8bc1399 483 }
f464f9c0 484
d8bc1399 485 if (!PACKET_get_bytes(pkt, &data, len)) {
c48ffbcc 486 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 487 goto err;
d8bc1399
MC		 488 }
489
2c5dfdc3 490 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
f63a17d6
MC		 491 /* SSLfatal() already called */
492 goto err;
d8bc1399
MC		 493 }
494
49b26f54 495 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
ed576acd 496 md == NULL ? "n/a" : EVP_MD_get0_name(md));
49b26f54 497
d8652be0 498 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
ed576acd 499 md == NULL ? NULL : EVP_MD_get0_name(md),
38b051a1 500 sctx->libctx, sctx->propq, pkey,
d38b6ae9 501 NULL) <= 0) {
c48ffbcc 502 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
f63a17d6 503 goto err;
d8bc1399
MC		 504 }
505#ifndef OPENSSL_NO_GOST
506 {
ed576acd 507 int pktype = EVP_PKEY_get_id(pkey);
d8bc1399
MC		 508 if (pktype == NID_id_GostR3410_2001
509 || pktype == NID_id_GostR3410_2012_256
510 || pktype == NID_id_GostR3410_2012_512) {
511 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
c48ffbcc 512 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 513 goto err;
d8bc1399
MC		 514 }
515 BUF_reverse(gost_data, data, len);
516 data = gost_data;
517 }
518 }
519#endif
520
5554facb 521 if (SSL_USE_PSS(s)) {
5f9b64a2 522 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
968ae5b3
DSH		 523 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
524 RSA_PSS_SALTLEN_DIGEST) <= 0) {
c48ffbcc 525 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
f63a17d6 526 goto err;
5f9b64a2 527 }
d8bc1399 528 }
caf2b6b5
DSH		 529 if (s->version == SSL3_VERSION) {
530 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
83b4a243
SL		 531 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
532 (int)s->session->master_key_length,
533 s->session->master_key) <= 0) {
c48ffbcc 534 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
f63a17d6 535 goto err;
caf2b6b5
DSH		 536 }
537 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
c48ffbcc 538 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
f63a17d6 539 goto err;
caf2b6b5
DSH		 540 }
541 } else {
542 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
25ffeb11 543 if (j <= 0) {
c48ffbcc 544 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
f63a17d6 545 goto err;
caf2b6b5 546 }
d8bc1399
MC		 547 }
548
e4562014
MC		 549 /*
550 * In TLSv1.3 on the client side we make sure we prepare the client
551 * certificate after the CertVerify instead of when we get the
552 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
553 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
8c2bfd25 554 * want to make sure that SSL_get1_peer_certificate() will return the actual
e4562014
MC		 555 * server certificate from the client_cert_cb callback.
556 */
38b051a1 557 if (!s->server && SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
e4562014
MC		 558 ret = MSG_PROCESS_CONTINUE_PROCESSING;
559 else
560 ret = MSG_PROCESS_CONTINUE_READING;
f63a17d6 561 err:
555cbb32
TS		 562 BIO_free(s->s3.handshake_buffer);
563 s->s3.handshake_buffer = NULL;
d8bc1399
MC		 564 EVP_MD_CTX_free(mctx);
565#ifndef OPENSSL_NO_GOST
566 OPENSSL_free(gost_data);
567#endif
568 return ret;
569}
570
38b051a1 571int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
0f113f3e 572{
12472b45 573 size_t finish_md_len;
229185e6 574 const char *sender;
8b0e934a 575 size_t slen;
38b051a1 576 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
229185e6 577
f7e393be 578 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 579 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
f7e393be
MC		 580 s->statem.cleanuphand = 1;
581
582 /*
583 * We only change the keys if we didn't already do this when we sent the
584 * client certificate
585 */
38b051a1 586 if (SSL_CONNECTION_IS_TLS13(s)
f7e393be 587 && !s->server
555cbb32 588 && s->s3.tmp.cert_req == 0
38b051a1 589 && (!ssl->method->ssl3_enc->change_cipher_state(s,
d4d2f3a4
MC		 590 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
591 /* SSLfatal() already called */
b43c3765 592 return 0;
f7e393be
MC		 593 }
594
229185e6 595 if (s->server) {
38b051a1
TM		 596 sender = ssl->method->ssl3_enc->server_finished_label;
597 slen = ssl->method->ssl3_enc->server_finished_label_len;
229185e6 598 } else {
38b051a1
TM		 599 sender = ssl->method->ssl3_enc->client_finished_label;
600 slen = ssl->method->ssl3_enc->client_finished_label_len;
229185e6 601 }
0f113f3e 602
38b051a1
TM		 603 finish_md_len = ssl->method->ssl3_enc->final_finish_mac(s,
604 sender, slen,
605 s->s3.tmp.finish_md);
12472b45 606 if (finish_md_len == 0) {
d4d2f3a4
MC		 607 /* SSLfatal() already called */
608 return 0;
4f89bfbf
MC		 609 }
610
555cbb32 611 s->s3.tmp.finish_md_len = finish_md_len;
4f89bfbf 612
555cbb32 613 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
c48ffbcc 614 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d4d2f3a4 615 return 0;
4f89bfbf 616 }
0f113f3e 617
2c7bd692
CB		 618 /*
619 * Log the master secret, if logging is enabled. We don't log it for
620 * TLSv1.3: there's a different key schedule for that.
621 */
38b051a1
TM		 622 if (!SSL_CONNECTION_IS_TLS13(s)
623 && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key,
624 s->session->master_key_length)) {
d4d2f3a4
MC		 625 /* SSLfatal() already called */
626 return 0;
380a522f 627 }
2faa1b48 628
b9908bf9
MC		 629 /*
630 * Copy the finished so we can use it for renegotiation checks
631 */
380a522f 632 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
c48ffbcc 633 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d4d2f3a4 634 return 0;
380a522f 635 }
23a635c0 636 if (!s->server) {
555cbb32 637 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
12472b45 638 finish_md_len);
555cbb32 639 s->s3.previous_client_finished_len = finish_md_len;
b9908bf9 640 } else {
555cbb32 641 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
12472b45 642 finish_md_len);
555cbb32 643 s->s3.previous_server_finished_len = finish_md_len;
b9908bf9 644 }
0f113f3e 645
b9908bf9 646 return 1;
0f113f3e 647}
d02b48c6 648
38b051a1 649int tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt)
44c04a2e
MC		 650{
651 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
c48ffbcc 652 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d4d2f3a4 653 return 0;
44c04a2e
MC		 654 }
655
9412b3ad 656 s->key_update = SSL_KEY_UPDATE_NONE;
44c04a2e 657 return 1;
44c04a2e
MC		 658}
659
38b051a1 660MSG_PROCESS_RETURN tls_process_key_update(SSL_CONNECTION *s, PACKET *pkt)
e1c3de44
MC		 661{
662 unsigned int updatetype;
663
524420d8
MC		 664 /*
665 * A KeyUpdate message signals a key change so the end of the message must
666 * be on a record boundary.
667 */
668 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
c48ffbcc 669 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
f63a17d6 670 return MSG_PROCESS_ERROR;
524420d8
MC		 671 }
672
e1c3de44 673 if (!PACKET_get_1(pkt, &updatetype)
2d871227 674 || PACKET_remaining(pkt) != 0) {
c48ffbcc 675 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
f63a17d6 676 return MSG_PROCESS_ERROR;
e1c3de44
MC		 677 }
678
9010b7bc
MC		 679 /*
680 * There are only two defined key update types. Fail if we get a value we
681 * didn't recognise.
682 */
2d871227
MC		 683 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
684 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
c48ffbcc 685 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
f63a17d6 686 return MSG_PROCESS_ERROR;
2d871227
MC		 687 }
688
5bf47933
MC		 689 /*
690 * If we get a request for us to update our sending keys too then, we need
691 * to additionally send a KeyUpdate message. However that message should
feb9e31c 692 * not also request an update (otherwise we get into an infinite loop).
5bf47933 693 */
feb9e31c 694 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
5bf47933
MC		 695 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
696
57389a32 697 if (!tls13_update_key(s, 0)) {
f63a17d6
MC		 698 /* SSLfatal() already called */
699 return MSG_PROCESS_ERROR;
57389a32
MC		 700 }
701
e1c3de44
MC		 702 return MSG_PROCESS_FINISHED_READING;
703}
704
0f113f3e
MC		 705/*
706 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
707 * to far.
708 */
38b051a1 709int ssl3_take_mac(SSL_CONNECTION *s)
0f113f3e
MC		 710{
711 const char *sender;
8b0e934a 712 size_t slen;
38b051a1 713 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
5d671101 714
49ae7423 715 if (!s->server) {
38b051a1
TM		 716 sender = ssl->method->ssl3_enc->server_finished_label;
717 slen = ssl->method->ssl3_enc->server_finished_label_len;
0f113f3e 718 } else {
38b051a1
TM		 719 sender = ssl->method->ssl3_enc->client_finished_label;
720 slen = ssl->method->ssl3_enc->client_finished_label_len;
0f113f3e
MC		 721 }
722
555cbb32 723 s->s3.tmp.peer_finish_md_len =
38b051a1
TM		 724 ssl->method->ssl3_enc->final_finish_mac(s, sender, slen,
725 s->s3.tmp.peer_finish_md);
5d671101 726
555cbb32 727 if (s->s3.tmp.peer_finish_md_len == 0) {
5d671101
MC		 728 /* SSLfatal() already called */
729 return 0;
730 }
731
732 return 1;
0f113f3e 733}
ee2ffc27 734
38b051a1
TM		 735MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL_CONNECTION *s,
736 PACKET *pkt)
b9908bf9 737{
348240c6 738 size_t remain;
4fa52141 739
73999b62 740 remain = PACKET_remaining(pkt);
657da85e
MC		 741 /*
742 * 'Change Cipher Spec' is just a single byte, which should already have
c69f2adf
MC		 743 * been consumed by ssl_get_message() so there should be no bytes left,
744 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
657da85e 745 */
38b051a1 746 if (SSL_CONNECTION_IS_DTLS(s)) {
73999b62 747 if ((s->version == DTLS1_BAD_VER
a230b26e
EK		 748 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
749 || (s->version != DTLS1_BAD_VER
750 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
c48ffbcc 751 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
f63a17d6 752 return MSG_PROCESS_ERROR;
c69f2adf
MC		 753 }
754 } else {
73999b62 755 if (remain != 0) {
c48ffbcc 756 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
f63a17d6 757 return MSG_PROCESS_ERROR;
c69f2adf 758 }
657da85e
MC		 759 }
760
761 /* Check we have a cipher to change to */
555cbb32 762 if (s->s3.tmp.new_cipher == NULL) {
c48ffbcc 763 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
f63a17d6 764 return MSG_PROCESS_ERROR;
657da85e
MC		 765 }
766
555cbb32 767 s->s3.change_cipher_spec = 1;
657da85e 768 if (!ssl3_do_change_cipher_spec(s)) {
c48ffbcc 769 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 770 return MSG_PROCESS_ERROR;
657da85e
MC		 771 }
772
38b051a1 773 if (SSL_CONNECTION_IS_DTLS(s)) {
c69f2adf
MC		 774 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
775
776 if (s->version == DTLS1_BAD_VER)
777 s->d1->handshake_read_seq++;
778
779#ifndef OPENSSL_NO_SCTP
780 /*
781 * Remember that a CCS has been received, so that an old key of
782 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
783 * SCTP is used
784 */
38b051a1
TM		 785 BIO_ctrl(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)),
786 BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
c69f2adf
MC		 787#endif
788 }
789
b9908bf9 790 return MSG_PROCESS_CONTINUE_READING;
657da85e
MC		 791}
792
38b051a1 793MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt)
b9908bf9 794{
12472b45 795 size_t md_len;
38b051a1 796 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1853d20a 797 int was_first = SSL_IS_FIRST_HANDSHAKE(s);
b9908bf9 798
d781d247
MC		 799
800 /* This is a real handshake so make sure we clean it up at the end */
9d75dce3 801 if (s->server) {
de9e884b
MC		 802 /*
803 * To get this far we must have read encrypted data from the client. We
1853d20a
MC		 804 * no longer tolerate unencrypted alerts. This is ignored if less than
805 * TLSv1.3
de9e884b 806 */
cffafb5f
MC		 807 if (s->rlayer.rrlmethod->set_plain_alerts != NULL)
808 s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0);
9d75dce3
TS		 809 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
810 s->statem.cleanuphand = 1;
38b051a1
TM		 811 if (SSL_CONNECTION_IS_TLS13(s)
812 && !tls13_save_handshake_digest_for_pha(s)) {
9d75dce3
TS		 813 /* SSLfatal() already called */
814 return MSG_PROCESS_ERROR;
815 }
816 }
d781d247 817
524420d8
MC		 818 /*
819 * In TLSv1.3 a Finished message signals a key change so the end of the
820 * message must be on a record boundary.
821 */
38b051a1
TM		 822 if (SSL_CONNECTION_IS_TLS13(s)
823 && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
c48ffbcc 824 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
f63a17d6 825 return MSG_PROCESS_ERROR;
524420d8
MC		 826 }
827
0f113f3e 828 /* If this occurs, we have missed a message */
38b051a1 829 if (!SSL_CONNECTION_IS_TLS13(s) && !s->s3.change_cipher_spec) {
c48ffbcc 830 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
f63a17d6 831 return MSG_PROCESS_ERROR;
0f113f3e 832 }
555cbb32 833 s->s3.change_cipher_spec = 0;
0f113f3e 834
555cbb32 835 md_len = s->s3.tmp.peer_finish_md_len;
0f113f3e 836
12472b45 837 if (md_len != PACKET_remaining(pkt)) {
c48ffbcc 838 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
f63a17d6 839 return MSG_PROCESS_ERROR;
0f113f3e
MC		 840 }
841
555cbb32 842 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
12472b45 843 md_len) != 0) {
c48ffbcc 844 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
f63a17d6 845 return MSG_PROCESS_ERROR;
0f113f3e
MC		 846 }
847
848 /*
849 * Copy the finished so we can use it for renegotiation checks
850 */
380a522f 851 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
c48ffbcc 852 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 853 return MSG_PROCESS_ERROR;
380a522f 854 }
23a635c0 855 if (s->server) {
555cbb32 856 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
12472b45 857 md_len);
555cbb32 858 s->s3.previous_client_finished_len = md_len;
0f113f3e 859 } else {
555cbb32 860 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
12472b45 861 md_len);
555cbb32 862 s->s3.previous_server_finished_len = md_len;
0f113f3e
MC		 863 }
864
7776a36c
MC		 865 /*
866 * In TLS1.3 we also have to change cipher state and do any final processing
867 * of the initial server flight (if we are a client)
868 */
38b051a1 869 if (SSL_CONNECTION_IS_TLS13(s)) {
92760c21 870 if (s->server) {
9d75dce3 871 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
38b051a1
TM		 872 !ssl->method->ssl3_enc->change_cipher_state(s,
873 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
f63a17d6
MC		 874 /* SSLfatal() already called */
875 return MSG_PROCESS_ERROR;
92760c21
MC		 876 }
877 } else {
d74014c4
BK		 878 /* TLS 1.3 gets the secret size from the handshake md */
879 size_t dummy;
38b051a1 880 if (!ssl->method->ssl3_enc->generate_master_secret(s,
ec15acb6 881 s->master_secret, s->handshake_secret, 0,
d74014c4 882 &dummy)) {
f63a17d6
MC		 883 /* SSLfatal() already called */
884 return MSG_PROCESS_ERROR;
92760c21 885 }
38b051a1 886 if (!ssl->method->ssl3_enc->change_cipher_state(s,
92760c21 887 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
f63a17d6
MC		 888 /* SSLfatal() already called */
889 return MSG_PROCESS_ERROR;
890 }
891 if (!tls_process_initial_server_flight(s)) {
892 /* SSLfatal() already called */
893 return MSG_PROCESS_ERROR;
92760c21
MC		 894 }
895 }
896 }
897
1853d20a
MC		 898 if (was_first
899 && !SSL_IS_FIRST_HANDSHAKE(s)
cffafb5f
MC		 900 && s->rlayer.rrlmethod->set_first_handshake != NULL)
901 s->rlayer.rrlmethod->set_first_handshake(s->rlayer.rrl, 0);
1853d20a 902
e6575156 903 return MSG_PROCESS_FINISHED_READING;
0f113f3e 904}
d02b48c6 905
38b051a1 906int tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt)
b9908bf9 907{
7cea05dc 908 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
c48ffbcc 909 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
85a7a5e6
MC		 910 return 0;
911 }
b9908bf9 912
b9908bf9
MC		 913 return 1;
914}
915
e96e0f8e 916/* Add a certificate to the WPACKET */
38b051a1
TM		 917static int ssl_add_cert_to_wpacket(SSL_CONNECTION *s, WPACKET *pkt,
918 X509 *x, int chain)
0f113f3e 919{
e96e0f8e
MC		 920 int len;
921 unsigned char *outbytes;
922
923 len = i2d_X509(x, NULL);
924 if (len < 0) {
c48ffbcc 925 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
e96e0f8e
MC		 926 return 0;
927 }
928 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
929 || i2d_X509(x, &outbytes) != len) {
c48ffbcc 930 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
e96e0f8e
MC		 931 return 0;
932 }
933
38b051a1 934 if (SSL_CONNECTION_IS_TLS13(s)
fe874d27 935 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
f63a17d6
MC		 936 chain)) {
937 /* SSLfatal() already called */
e96e0f8e 938 return 0;
f63a17d6 939 }
e96e0f8e
MC		 940
941 return 1;
942}
943
944/* Add certificate chain to provided WPACKET */
38b051a1 945static int ssl_add_cert_chain(SSL_CONNECTION *s, WPACKET *pkt, CERT_PKEY *cpk)
e96e0f8e
MC		 946{
947 int i, chain_count;
948 X509 *x;
949 STACK_OF(X509) *extra_certs;
950 STACK_OF(X509) *chain = NULL;
951 X509_STORE *chain_store;
38b051a1 952 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
e96e0f8e
MC		 953
954 if (cpk == NULL || cpk->x509 == NULL)
955 return 1;
956
957 x = cpk->x509;
958
959 /*
960 * If we have a certificate specific chain use it, else use parent ctx.
961 */
d805a57b 962 if (cpk->chain != NULL)
e96e0f8e
MC		 963 extra_certs = cpk->chain;
964 else
38b051a1 965 extra_certs = sctx->extra_certs;
e96e0f8e
MC		 966
967 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
968 chain_store = NULL;
969 else if (s->cert->chain_store)
970 chain_store = s->cert->chain_store;
971 else
38b051a1 972 chain_store = sctx->cert_store;
e96e0f8e 973
d805a57b 974 if (chain_store != NULL) {
38b051a1
TM		 975 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(sctx->libctx,
976 sctx->propq);
e96e0f8e
MC		 977
978 if (xs_ctx == NULL) {
c48ffbcc 979 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 980 return 0;
e96e0f8e
MC		 981 }
982 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
983 X509_STORE_CTX_free(xs_ctx);
c48ffbcc 984 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
f63a17d6 985 return 0;
e96e0f8e
MC		 986 }
987 /*
988 * It is valid for the chain not to be complete (because normally we
989 * don't include the root cert in the chain). Therefore we deliberately
990 * ignore the error return from this call. We're not actually verifying
991 * the cert - we're just building as much of the chain as we can
992 */
993 (void)X509_verify_cert(xs_ctx);
994 /* Don't leave errors in the queue */
995 ERR_clear_error();
996 chain = X509_STORE_CTX_get0_chain(xs_ctx);
997 i = ssl_security_cert_chain(s, chain, NULL, 0);
998 if (i != 1) {
999#if 0
1000 /* Dummy error calls so mkerr generates them */
6849b73c
RL		 1001 ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
1002 ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
1003 ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
e96e0f8e
MC		 1004#endif
1005 X509_STORE_CTX_free(xs_ctx);
c48ffbcc 1006 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
f63a17d6 1007 return 0;
e96e0f8e
MC		 1008 }
1009 chain_count = sk_X509_num(chain);
1010 for (i = 0; i < chain_count; i++) {
1011 x = sk_X509_value(chain, i);
1012
f63a17d6
MC		 1013 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
1014 /* SSLfatal() already called */
e96e0f8e 1015 X509_STORE_CTX_free(xs_ctx);
f63a17d6 1016 return 0;
e96e0f8e
MC		 1017 }
1018 }
1019 X509_STORE_CTX_free(xs_ctx);
1020 } else {
1021 i = ssl_security_cert_chain(s, extra_certs, x, 0);
1022 if (i != 1) {
c48ffbcc 1023 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
f63a17d6
MC		 1024 return 0;
1025 }
1026 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1027 /* SSLfatal() already called */
1028 return 0;
e96e0f8e 1029 }
e96e0f8e
MC		 1030 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1031 x = sk_X509_value(extra_certs, i);
f63a17d6
MC		 1032 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1033 /* SSLfatal() already called */
1034 return 0;
1035 }
e96e0f8e
MC		 1036 }
1037 }
1038 return 1;
e96e0f8e
MC		 1039}
1040
38b051a1
TM		 1041unsigned long ssl3_output_cert_chain(SSL_CONNECTION *s, WPACKET *pkt,
1042 CERT_PKEY *cpk)
e96e0f8e 1043{
f63a17d6 1044 if (!WPACKET_start_sub_packet_u24(pkt)) {
c48ffbcc 1045 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6
MC		 1046 return 0;
1047 }
e96e0f8e 1048
f63a17d6
MC		 1049 if (!ssl_add_cert_chain(s, pkt, cpk))
1050 return 0;
1051
1052 if (!WPACKET_close(pkt)) {
c48ffbcc 1053 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
7cea05dc 1054 return 0;
77d514c5 1055 }
f63a17d6 1056
c49e1912 1057 return 1;
0f113f3e
MC		 1058}
1059
30f05b19
MC		 1060/*
1061 * Tidy up after the end of a handshake. In the case of SCTP this may result
1062 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1063 * freed up as well.
1064 */
38b051a1 1065WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst,
a7e6a3d8 1066 int clearbufs, int stop)
8723588e
MC		 1067{
1068 void (*cb) (const SSL *ssl, int type, int val) = NULL;
4af5836b 1069 int cleanuphand = s->statem.cleanuphand;
38b051a1
TM		 1070 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1071 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
8723588e 1072
30f05b19 1073 if (clearbufs) {
38b051a1 1074 if (!SSL_CONNECTION_IS_DTLS(s)
e7c27a6c 1075#ifndef OPENSSL_NO_SCTP
30f05b19 1076 /*
e7c27a6c
N		 1077 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1078 * messages that require it. Therefore, DTLS procedures for retransmissions
1079 * MUST NOT be used.
1080 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1081 */
38b051a1 1082 || BIO_dgram_is_sctp(SSL_get_wbio(ssl))
e7c27a6c
N		 1083#endif
1084 ) {
1085 /*
1086 * We don't do this in DTLS over UDP because we may still need the init_buf
30f05b19
MC		 1087 * in case there are any unexpected retransmits
1088 */
1089 BUF_MEM_free(s->init_buf);
1090 s->init_buf = NULL;
1091 }
e7c27a6c 1092
a2c2e000 1093 if (!ssl_free_wbio_buffer(s)) {
c48ffbcc 1094 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b77f3ed1 1095 return WORK_ERROR;
a2c2e000 1096 }
30f05b19 1097 s->init_num = 0;
473483d4 1098 }
8723588e 1099
38b051a1 1100 if (SSL_CONNECTION_IS_TLS13(s) && !s->server
9d75dce3
TS		 1101 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1102 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1103
c2c1d8a4
MC		 1104 /*
1105 * Only set if there was a Finished message and this isn't after a TLSv1.3
1106 * post handshake exchange
1107 */
4af5836b 1108 if (cleanuphand) {
8723588e
MC		 1109 /* skipped if we just sent a HelloRequest */
1110 s->renegotiate = 0;
1111 s->new_session = 0;
c7f47786 1112 s->statem.cleanuphand = 0;
c0638ade 1113 s->ext.ticket_expected = 0;
8723588e 1114
30f05b19
MC		 1115 ssl3_cleanup_key_block(s);
1116
8723588e 1117 if (s->server) {
16ff1342
MC		 1118 /*
1119 * In TLSv1.3 we update the cache as part of constructing the
1120 * NewSessionTicket
1121 */
38b051a1 1122 if (!SSL_CONNECTION_IS_TLS13(s))
16ff1342 1123 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
8723588e 1124
0e6161bc 1125 /* N.B. s->ctx may not equal s->session_ctx */
38b051a1 1126 ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good);
fe3a3291 1127 s->handshake_func = ossl_statem_accept;
8723588e 1128 } else {
38b051a1 1129 if (SSL_CONNECTION_IS_TLS13(s)) {
4cb00457
MC		 1130 /*
1131 * We encourage applications to only use TLSv1.3 tickets once,
1132 * so we remove this one from the cache.
1133 */
1134 if ((s->session_ctx->session_cache_mode
1135 & SSL_SESS_CACHE_CLIENT) != 0)
1136 SSL_CTX_remove_session(s->session_ctx, s->session);
1137 } else {
1138 /*
1139 * In TLSv1.3 we update the cache as part of processing the
1140 * NewSessionTicket
1141 */
5d61491c 1142 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
4cb00457 1143 }
8723588e 1144 if (s->hit)
acce0557
P		 1145 ssl_tsan_counter(s->session_ctx,
1146 &s->session_ctx->stats.sess_hit);
8723588e 1147
fe3a3291 1148 s->handshake_func = ossl_statem_connect;
acce0557
P		 1149 ssl_tsan_counter(s->session_ctx,
1150 &s->session_ctx->stats.sess_connect_good);
8723588e
MC		 1151 }
1152
38b051a1 1153 if (SSL_CONNECTION_IS_DTLS(s)) {
8723588e
MC		 1154 /* done with handshaking */
1155 s->d1->handshake_read_seq = 0;
1156 s->d1->handshake_write_seq = 0;
1157 s->d1->next_handshake_write_seq = 0;
f5c7f5df 1158 dtls1_clear_received_buffer(s);
8723588e
MC		 1159 }
1160 }
1161
c2c1d8a4
MC		 1162 if (s->info_callback != NULL)
1163 cb = s->info_callback;
38b051a1
TM		 1164 else if (sctx->info_callback != NULL)
1165 cb = sctx->info_callback;
c2c1d8a4 1166
4ce787b9
MC		 1167 /* The callback may expect us to not be in init at handshake done */
1168 ossl_statem_set_in_init(s, 0);
1169
4af5836b
MC		 1170 if (cb != NULL) {
1171 if (cleanuphand
38b051a1 1172 || !SSL_CONNECTION_IS_TLS13(s)
4af5836b 1173 || SSL_IS_FIRST_HANDSHAKE(s))
38b051a1 1174 cb(ssl, SSL_CB_HANDSHAKE_DONE, 1);
4af5836b 1175 }
c2c1d8a4 1176
4ce787b9
MC		 1177 if (!stop) {
1178 /* If we've got more work to do we go back into init */
1179 ossl_statem_set_in_init(s, 1);
30f05b19 1180 return WORK_FINISHED_CONTINUE;
4ce787b9 1181 }
30f05b19 1182
8723588e
MC		 1183 return WORK_FINISHED_STOP;
1184}
1185
38b051a1 1186int tls_get_message_header(SSL_CONNECTION *s, int *mt)
9ab930b2
MC		 1187{
1188 /* s->init_num < SSL3_HM_HEADER_LENGTH */
d4d2f3a4 1189 int skip_message, i, recvd_type;
9ab930b2 1190 unsigned char *p;
54105ddd 1191 size_t l, readbytes;
38b051a1 1192 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
9ab930b2
MC		 1193
1194 p = (unsigned char *)s->init_buf->data;
1195
1196 do {
1197 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
38b051a1
TM		 1198 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, &recvd_type,
1199 &p[s->init_num],
1200 SSL3_HM_HEADER_LENGTH - s->init_num,
1201 0, &readbytes);
9ab930b2
MC		 1202 if (i <= 0) {
1203 s->rwstate = SSL_READING;
1204 return 0;
32ec4153 1205 }
9ab930b2 1206 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1257adec 1207 /*
a230b26e
EK		 1208 * A ChangeCipherSpec must be a single byte and may not occur
1209 * in the middle of a handshake message.
1210 */
54105ddd 1211 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
d4d2f3a4 1212 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
d4d2f3a4
MC		 1213 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1214 return 0;
1257adec 1215 }
e9359719 1216 if (s->statem.hand_state == TLS_ST_BEFORE
555cbb32 1217 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
e9359719
MC		 1218 /*
1219 * We are stateless and we received a CCS. Probably this is
1220 * from a client between the first and second ClientHellos.
1221 * We should ignore this, but return an error because we do
1222 * not return success until we see the second ClientHello
1223 * with a valid cookie.
1224 */
1225 return 0;
1226 }
555cbb32 1227 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
54105ddd 1228 s->init_num = readbytes - 1;
c4377574 1229 s->init_msg = s->init_buf->data;
555cbb32 1230 s->s3.tmp.message_size = readbytes;
9ab930b2
MC		 1231 return 1;
1232 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
d4d2f3a4 1233 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
d4d2f3a4
MC		 1234 SSL_R_CCS_RECEIVED_EARLY);
1235 return 0;
32ec4153 1236 }
54105ddd 1237 s->init_num += readbytes;
9ab930b2
MC		 1238 }
1239
1240 skip_message = 0;
1241 if (!s->server)
c7f47786
MC		 1242 if (s->statem.hand_state != TLS_ST_OK
1243 && p[0] == SSL3_MT_HELLO_REQUEST)
9ab930b2
MC		 1244 /*
1245 * The server may always send 'Hello Request' messages --
1246 * we are doing a handshake anyway now, so ignore them if
1247 * their format is correct. Does not count for 'Finished'
1248 * MAC.
1249 */
1250 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1251 s->init_num = 0;
1252 skip_message = 1;
1253
1254 if (s->msg_callback)
1255 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
38b051a1 1256 p, SSL3_HM_HEADER_LENGTH, ssl,
9ab930b2
MC		 1257 s->msg_callback_arg);
1258 }
1259 } while (skip_message);
1260 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1261
1262 *mt = *p;
555cbb32 1263 s->s3.tmp.message_type = *(p++);
32ec4153 1264
e8aa8b6c 1265 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
9ab930b2
MC		 1266 /*
1267 * Only happens with SSLv3+ in an SSLv2 backward compatible
1268 * ClientHello
e8aa8b6c
F		 1269 *
1270 * Total message size is the remaining record bytes to read
1271 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
9ab930b2 1272 */
4030869d 1273 l = s->rlayer.tlsrecs[0].length + SSL3_HM_HEADER_LENGTH;
555cbb32 1274 s->s3.tmp.message_size = l;
9ab930b2
MC		 1275
1276 s->init_msg = s->init_buf->data;
1277 s->init_num = SSL3_HM_HEADER_LENGTH;
1278 } else {
1279 n2l3(p, l);
1280 /* BUF_MEM_grow takes an 'int' parameter */
1281 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
c48ffbcc 1282 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
d4d2f3a4
MC		 1283 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1284 return 0;
32ec4153 1285 }
555cbb32 1286 s->s3.tmp.message_size = l;
9ab930b2
MC		 1287
1288 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1289 s->init_num = 0;
1290 }
1291
1292 return 1;
9ab930b2
MC		 1293}
1294
38b051a1 1295int tls_get_message_body(SSL_CONNECTION *s, size_t *len)
9ab930b2 1296{
54105ddd 1297 size_t n, readbytes;
9ab930b2
MC		 1298 unsigned char *p;
1299 int i;
38b051a1 1300 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
9ab930b2 1301
555cbb32 1302 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
9ab930b2
MC		 1303 /* We've already read everything in */
1304 *len = (unsigned long)s->init_num;
1305 return 1;
0f113f3e
MC		 1306 }
1307
0f113f3e 1308 p = s->init_msg;
555cbb32 1309 n = s->s3.tmp.message_size - s->init_num;
0f113f3e 1310 while (n > 0) {
38b051a1
TM		 1311 i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL,
1312 &p[s->init_num], n, 0, &readbytes);
0f113f3e
MC		 1313 if (i <= 0) {
1314 s->rwstate = SSL_READING;
9ab930b2
MC		 1315 *len = 0;
1316 return 0;
0f113f3e 1317 }
54105ddd
MC		 1318 s->init_num += readbytes;
1319 n -= readbytes;
0f113f3e 1320 }
ee2ffc27 1321
0f113f3e
MC		 1322 /*
1323 * If receiving Finished, record MAC of prior handshake messages for
1324 * Finished verification.
1325 */
5d671101
MC		 1326 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1327 /* SSLfatal() already called */
1328 *len = 0;
1329 return 0;
1330 }
ee2ffc27 1331
0f113f3e 1332 /* Feed this message into MAC computation. */
e8aa8b6c 1333 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
d166ed8c
DSH		 1334 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1335 s->init_num)) {
d4d2f3a4 1336 /* SSLfatal() already called */
d166ed8c
DSH		 1337 *len = 0;
1338 return 0;
1339 }
32ec4153 1340 if (s->msg_callback)
a230b26e 1341 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
38b051a1 1342 (size_t)s->init_num, ssl, s->msg_callback_arg);
32ec4153 1343 } else {
11c67eea
MC		 1344 /*
1345 * We defer feeding in the HRR until later. We'll do it as part of
1346 * processing the message
9d75dce3
TS		 1347 * The TLsv1.3 handshake transcript stops at the ClientFinished
1348 * message.
11c67eea 1349 */
597c51bc 1350#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
9d75dce3 1351 /* KeyUpdate and NewSessionTicket do not need to be added */
38b051a1
TM		 1352 if (!SSL_CONNECTION_IS_TLS13(s)
1353 || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1354 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
555cbb32 1355 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
9d75dce3
TS		 1356 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1357 || memcmp(hrrrandom,
1358 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1359 SSL3_RANDOM_SIZE) != 0) {
1360 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1361 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1362 /* SSLfatal() already called */
1363 *len = 0;
1364 return 0;
1365 }
597c51bc 1366 }
d166ed8c 1367 }
32ec4153
MC		 1368 if (s->msg_callback)
1369 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
38b051a1 1370 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, ssl,
32ec4153
MC		 1371 s->msg_callback_arg);
1372 }
1373
eda75751 1374 *len = s->init_num;
9ab930b2 1375 return 1;
0f113f3e 1376}
d02b48c6 1377
c6d38183
RS		 1378static const X509ERR2ALERT x509table[] = {
1379 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1380 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
cccf532f 1381 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
c6d38183
RS		 1382 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1383 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1384 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1385 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1386 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1387 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1388 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1389 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1390 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1391 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1392 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1393 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1394 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1395 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1396 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1397 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1398 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1399 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1400 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1401 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1402 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1403 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1404 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1405 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1406 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1407 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1408 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1409 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1410 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1411 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1412 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1413 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1414 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1415 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1416 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1417 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1418 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1419
1420 /* Last entry; return this if we don't find the value above. */
1421 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1422};
1423
1424int ssl_x509err2alert(int x509err)
0f113f3e 1425{
c6d38183
RS		 1426 const X509ERR2ALERT *tp;
1427
1428 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1429 if (tp->x509err == x509err)
1430 break;
1431 return tp->alert;
0f113f3e 1432}
d02b48c6 1433
38b051a1 1434int ssl_allow_compression(SSL_CONNECTION *s)
0f113f3e
MC		 1435{
1436 if (s->options & SSL_OP_NO_COMPRESSION)
1437 return 0;
1438 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1439}
4fa52141 1440
38b051a1 1441static int version_cmp(const SSL_CONNECTION *s, int a, int b)
4fa52141 1442{
38b051a1 1443 int dtls = SSL_CONNECTION_IS_DTLS(s);
4fa52141
VD		 1444
1445 if (a == b)
1446 return 0;
1447 if (!dtls)
1448 return a < b ? -1 : 1;
1449 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1450}
1451
1452typedef struct {
1453 int version;
a230b26e
EK		 1454 const SSL_METHOD *(*cmeth) (void);
1455 const SSL_METHOD *(*smeth) (void);
4fa52141
VD		 1456} version_info;
1457
5c587fb6 1458#if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
582a17d6 1459# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
4fa52141
VD		 1460#endif
1461
f7f2a01d 1462/* Must be in order high to low */
4fa52141 1463static const version_info tls_version_table[] = {
582a17d6
MC		 1464#ifndef OPENSSL_NO_TLS1_3
1465 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1466#else
1467 {TLS1_3_VERSION, NULL, NULL},
1468#endif
6b01bed2 1469#ifndef OPENSSL_NO_TLS1_2
a230b26e 1470 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
6b01bed2 1471#else
a230b26e 1472 {TLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1473#endif
1474#ifndef OPENSSL_NO_TLS1_1
a230b26e 1475 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
6b01bed2 1476#else
a230b26e 1477 {TLS1_1_VERSION, NULL, NULL},
6b01bed2
VD		 1478#endif
1479#ifndef OPENSSL_NO_TLS1
a230b26e 1480 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
6b01bed2 1481#else
a230b26e 1482 {TLS1_VERSION, NULL, NULL},
6b01bed2 1483#endif
4fa52141 1484#ifndef OPENSSL_NO_SSL3
a230b26e 1485 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
6b01bed2 1486#else
a230b26e 1487 {SSL3_VERSION, NULL, NULL},
4fa52141 1488#endif
a230b26e 1489 {0, NULL, NULL},
4fa52141
VD		 1490};
1491
5c587fb6 1492#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
4fa52141
VD		 1493# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1494#endif
1495
f7f2a01d 1496/* Must be in order high to low */
4fa52141 1497static const version_info dtls_version_table[] = {
6b01bed2 1498#ifndef OPENSSL_NO_DTLS1_2
a230b26e 1499 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
6b01bed2 1500#else
a230b26e 1501 {DTLS1_2_VERSION, NULL, NULL},
6b01bed2
VD		 1502#endif
1503#ifndef OPENSSL_NO_DTLS1
a230b26e
EK		 1504 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1505 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
6b01bed2 1506#else
a230b26e
EK		 1507 {DTLS1_VERSION, NULL, NULL},
1508 {DTLS1_BAD_VER, NULL, NULL},
6b01bed2 1509#endif
a230b26e 1510 {0, NULL, NULL},
4fa52141
VD		 1511};
1512
1513/*
1514 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1515 *
1516 * @s: The SSL handle for the candidate method
1517 * @method: the intended method.
1518 *
1519 * Returns 0 on success, or an SSL error reason on failure.
1520 */
38b051a1 1521static int ssl_method_error(const SSL_CONNECTION *s, const SSL_METHOD *method)
4fa52141
VD		 1522{
1523 int version = method->version;
1524
1525 if ((s->min_proto_version != 0 &&
1526 version_cmp(s, version, s->min_proto_version) < 0) ||
1527 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1528 return SSL_R_VERSION_TOO_LOW;
1529
1530 if (s->max_proto_version != 0 &&
a230b26e 1531 version_cmp(s, version, s->max_proto_version) > 0)
4fa52141
VD		 1532 return SSL_R_VERSION_TOO_HIGH;
1533
1534 if ((s->options & method->mask) != 0)
1535 return SSL_R_UNSUPPORTED_PROTOCOL;
1536 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1537 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
4fa52141
VD		 1538
1539 return 0;
1540}
1541
baa45c3e
MC		 1542/*
1543 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
ebda646d
MC		 1544 * certificate type, or has PSK or a certificate callback configured, or has
1545 * a servername callback configure. Otherwise returns 0.
baa45c3e 1546 */
38b051a1 1547static int is_tls13_capable(const SSL_CONNECTION *s)
baa45c3e 1548{
65d2c16c 1549 int i;
65d2c16c 1550 int curve;
38b051a1 1551 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
baa45c3e 1552
38b051a1 1553 if (!ossl_assert(sctx != NULL) || !ossl_assert(s->session_ctx != NULL))
ebda646d
MC		 1554 return 0;
1555
1556 /*
1557 * A servername callback can change the available certs, so if a servername
1558 * cb is set then we just assume TLSv1.3 will be ok
1559 */
38b051a1 1560 if (sctx->ext.servername_cb != NULL
ebda646d
MC		 1561 || s->session_ctx->ext.servername_cb != NULL)
1562 return 1;
1563
d162340d
MC		 1564#ifndef OPENSSL_NO_PSK
1565 if (s->psk_server_callback != NULL)
1566 return 1;
1567#endif
1568
cd3b53b8 1569 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
baa45c3e
MC		 1570 return 1;
1571
1572 for (i = 0; i < SSL_PKEY_NUM; i++) {
1573 /* Skip over certs disallowed for TLSv1.3 */
1574 switch (i) {
1575 case SSL_PKEY_DSA_SIGN:
1576 case SSL_PKEY_GOST01:
1577 case SSL_PKEY_GOST12_256:
1578 case SSL_PKEY_GOST12_512:
1579 continue;
1580 default:
1581 break;
1582 }
de4dc598
MC		 1583 if (!ssl_has_cert(s, i))
1584 continue;
1585 if (i != SSL_PKEY_ECC)
1586 return 1;
1587 /*
1588 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1589 * more restrictive so check that our sig algs are consistent with this
1590 * EC cert. See section 4.2.3 of RFC8446.
1591 */
d8975dec 1592 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
de4dc598 1593 if (tls_check_sigalg_curve(s, curve))
baa45c3e
MC		 1594 return 1;
1595 }
1596
1597 return 0;
1598}
1599
ccae4a15
FI		 1600/*
1601 * ssl_version_supported - Check that the specified `version` is supported by
1602 * `SSL *` instance
1603 *
1604 * @s: The SSL handle for the candidate method
1605 * @version: Protocol version to test against
1606 *
1607 * Returns 1 when supported, otherwise 0
1608 */
38b051a1
TM		 1609int ssl_version_supported(const SSL_CONNECTION *s, int version,
1610 const SSL_METHOD **meth)
ccae4a15
FI		 1611{
1612 const version_info *vent;
1613 const version_info *table;
1614
38b051a1 1615 switch (SSL_CONNECTION_GET_SSL(s)->method->version) {
ccae4a15
FI		 1616 default:
1617 /* Version should match method version for non-ANY method */
1618 return version_cmp(s, version, s->version) == 0;
1619 case TLS_ANY_VERSION:
1620 table = tls_version_table;
1621 break;
1622 case DTLS_ANY_VERSION:
1623 table = dtls_version_table;
1624 break;
1625 }
1626
1627 for (vent = table;
1628 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1629 ++vent) {
baa45c3e
MC		 1630 if (vent->cmeth != NULL
1631 && version_cmp(s, version, vent->version) == 0
1632 && ssl_method_error(s, vent->cmeth()) == 0
1633 && (!s->server
1634 || version != TLS1_3_VERSION
1635 || is_tls13_capable(s))) {
4fd12788
MC		 1636 if (meth != NULL)
1637 *meth = vent->cmeth();
ccae4a15
FI		 1638 return 1;
1639 }
1640 }
1641 return 0;
1642}
1643
4fa52141
VD		 1644/*
1645 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1646 * fallback indication from a client check whether we're using the highest
1647 * supported protocol version.
1648 *
1649 * @s server SSL handle.
1650 *
1651 * Returns 1 when using the highest enabled version, 0 otherwise.
1652 */
38b051a1 1653int ssl_check_version_downgrade(SSL_CONNECTION *s)
4fa52141
VD		 1654{
1655 const version_info *vent;
1656 const version_info *table;
38b051a1 1657 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
4fa52141
VD		 1658
1659 /*
1660 * Check that the current protocol is the highest enabled version
1661 * (according to s->ctx->method, as version negotiation may have changed
1662 * s->method).
1663 */
38b051a1 1664 if (s->version == sctx->method->version)
4fa52141
VD		 1665 return 1;
1666
1667 /*
1668 * Apparently we're using a version-flexible SSL_METHOD (not at its
1669 * highest protocol version).
1670 */
38b051a1 1671 if (sctx->method->version == TLS_method()->version)
4fa52141 1672 table = tls_version_table;
38b051a1 1673 else if (sctx->method->version == DTLS_method()->version)
4fa52141
VD		 1674 table = dtls_version_table;
1675 else {
1676 /* Unexpected state; fail closed. */
1677 return 0;
1678 }
1679
1680 for (vent = table; vent->version != 0; ++vent) {
a230b26e 1681 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
4fa52141
VD		 1682 return s->version == vent->version;
1683 }
1684 return 0;
1685}
1686
1687/*
1688 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1689 * protocols, provided the initial (D)TLS method is version-flexible. This
1690 * function sanity-checks the proposed value and makes sure the method is
1691 * version-flexible, then sets the limit if all is well.
1692 *
1693 * @method_version: The version of the current SSL_METHOD.
1694 * @version: the intended limit.
1695 * @bound: pointer to limit to be updated.
1696 *
1697 * Returns 1 on success, 0 on failure.
1698 */
1699int ssl_set_version_bound(int method_version, int version, int *bound)
1700{
77174598
VD		 1701 int valid_tls;
1702 int valid_dtls;
1703
869e978c
KR		 1704 if (version == 0) {
1705 *bound = version;
1706 return 1;
1707 }
1708
77174598
VD		 1709 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1710 valid_dtls =
1711 DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1712 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1713
1714 if (!valid_tls && !valid_dtls)
1715 return 0;
1716
4fa52141
VD		 1717 /*-
1718 * Restrict TLS methods to TLS protocol versions.
1719 * Restrict DTLS methods to DTLS protocol versions.
1720 * Note, DTLS version numbers are decreasing, use comparison macros.
1721 *
1722 * Note that for both lower-bounds we use explicit versions, not
1723 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1724 * configurations. If the MIN (supported) version ever rises, the user's
1725 * "floor" remains valid even if no longer available. We don't expect the
1726 * MAX ceiling to ever get lower, so making that variable makes sense.
77174598
VD		 1727 *
1728 * We ignore attempts to set bounds on version-inflexible methods,
1729 * returning success.
4fa52141
VD		 1730 */
1731 switch (method_version) {
1732 default:
77174598 1733 break;
4fa52141
VD		 1734
1735 case TLS_ANY_VERSION:
77174598
VD		 1736 if (valid_tls)
1737 *bound = version;
4fa52141
VD		 1738 break;
1739
1740 case DTLS_ANY_VERSION:
77174598
VD		 1741 if (valid_dtls)
1742 *bound = version;
4fa52141
VD		 1743 break;
1744 }
4fa52141
VD		 1745 return 1;
1746}
1747
38b051a1 1748static void check_for_downgrade(SSL_CONNECTION *s, int vers, DOWNGRADE *dgrd)
f7f2a01d
MC		 1749{
1750 if (vers == TLS1_2_VERSION
4fd12788 1751 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
f7f2a01d 1752 *dgrd = DOWNGRADE_TO_1_2;
38b051a1 1753 } else if (!SSL_CONNECTION_IS_DTLS(s)
5627f9f2
MC		 1754 && vers < TLS1_2_VERSION
1755 /*
1756 * We need to ensure that a server that disables TLSv1.2
1757 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1758 * complete handshakes with clients that support TLSv1.2 and
1759 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1760 * enabled and TLSv1.2 is not.
1761 */
1762 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
f7f2a01d
MC		 1763 *dgrd = DOWNGRADE_TO_1_1;
1764 } else {
1765 *dgrd = DOWNGRADE_NONE;
1766 }
1767}
1768
4fa52141
VD		 1769/*
1770 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1771 * client HELLO is received to select the final server protocol version and
1772 * the version specific method.
1773 *
1774 * @s: server SSL handle.
1775 *
1776 * Returns 0 on success or an SSL error reason number on failure.
1777 */
38b051a1
TM		 1778int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
1779 DOWNGRADE *dgrd)
4fa52141
VD		 1780{
1781 /*-
1782 * With version-flexible methods we have an initial state with:
1783 *
1784 * s->method->version == (D)TLS_ANY_VERSION,
5c587fb6 1785 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
4fa52141
VD		 1786 *
1787 * So we detect version-flexible methods via the method version, not the
1788 * handle version.
1789 */
38b051a1
TM		 1790 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1791 int server_version = ssl->method->version;
df7ce507 1792 int client_version = hello->legacy_version;
4fa52141
VD		 1793 const version_info *vent;
1794 const version_info *table;
1795 int disabled = 0;
cd998837 1796 RAW_EXTENSION *suppversions;
4fa52141 1797
1ab3836b
MC		 1798 s->client_version = client_version;
1799
4fa52141
VD		 1800 switch (server_version) {
1801 default:
38b051a1 1802 if (!SSL_CONNECTION_IS_TLS13(s)) {
7d061fce
MC		 1803 if (version_cmp(s, client_version, s->version) < 0)
1804 return SSL_R_WRONG_SSL_VERSION;
f7f2a01d 1805 *dgrd = DOWNGRADE_NONE;
7d061fce
MC		 1806 /*
1807 * If this SSL handle is not from a version flexible method we don't
1808 * (and never did) check min/max FIPS or Suite B constraints. Hope
1809 * that's OK. It is up to the caller to not choose fixed protocol
1810 * versions they don't want. If not, then easy to fix, just return
1811 * ssl_method_error(s, s->method)
1812 */
1813 return 0;
1814 }
d2f42576 1815 /*
7d061fce
MC		 1816 * Fall through if we are TLSv1.3 already (this means we must be after
1817 * a HelloRetryRequest
4fa52141 1818 */
018fcbec 1819 /* fall thru */
4fa52141
VD		 1820 case TLS_ANY_VERSION:
1821 table = tls_version_table;
1822 break;
1823 case DTLS_ANY_VERSION:
1824 table = dtls_version_table;
1825 break;
1826 }
1827
70af3d8e 1828 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
cd998837 1829
6f40214f 1830 /* If we did an HRR then supported versions is mandatory */
fc7129dc 1831 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
6f40214f
MC		 1832 return SSL_R_UNSUPPORTED_PROTOCOL;
1833
38b051a1 1834 if (suppversions->present && !SSL_CONNECTION_IS_DTLS(s)) {
cd998837
MC		 1835 unsigned int candidate_vers = 0;
1836 unsigned int best_vers = 0;
1837 const SSL_METHOD *best_method = NULL;
1838 PACKET versionslist;
1839
6b473aca
MC		 1840 suppversions->parsed = 1;
1841
16bce0e0 1842 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
cd998837
MC		 1843 /* Trailing or invalid data? */
1844 return SSL_R_LENGTH_MISMATCH;
1845 }
1846
d8434cf8
MC		 1847 /*
1848 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1849 * The spec only requires servers to check that it isn't SSLv3:
1850 * "Any endpoint receiving a Hello message with
1851 * ClientHello.legacy_version or ServerHello.legacy_version set to
1852 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1853 * We are slightly stricter and require that it isn't SSLv3 or lower.
1854 * We tolerate TLSv1 and TLSv1.1.
1855 */
1856 if (client_version <= SSL3_VERSION)
1857 return SSL_R_BAD_LEGACY_VERSION;
1858
cd998837 1859 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
cd998837
MC		 1860 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1861 continue;
4fd12788
MC		 1862 if (ssl_version_supported(s, candidate_vers, &best_method))
1863 best_vers = candidate_vers;
cd998837
MC		 1864 }
1865 if (PACKET_remaining(&versionslist) != 0) {
1866 /* Trailing data? */
1867 return SSL_R_LENGTH_MISMATCH;
1868 }
1869
1870 if (best_vers > 0) {
fc7129dc 1871 if (s->hello_retry_request != SSL_HRR_NONE) {
7d061fce 1872 /*
6f40214f
MC		 1873 * This is after a HelloRetryRequest so we better check that we
1874 * negotiated TLSv1.3
7d061fce
MC		 1875 */
1876 if (best_vers != TLS1_3_VERSION)
1877 return SSL_R_UNSUPPORTED_PROTOCOL;
1878 return 0;
1879 }
f7f2a01d 1880 check_for_downgrade(s, best_vers, dgrd);
cd998837 1881 s->version = best_vers;
38b051a1 1882 ssl->method = best_method;
cffafb5f
MC		 1883 if (!s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl,
1884 best_vers))
1853d20a
MC		 1885 return ERR_R_INTERNAL_ERROR;
1886
cd998837
MC		 1887 return 0;
1888 }
1889 return SSL_R_UNSUPPORTED_PROTOCOL;
1890 }
1891
1892 /*
1893 * If the supported versions extension isn't present, then the highest
1894 * version we can negotiate is TLSv1.2
1895 */
1896 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1897 client_version = TLS1_2_VERSION;
1898
1899 /*
1900 * No supported versions extension, so we just use the version supplied in
1901 * the ClientHello.
1902 */
4fa52141
VD		 1903 for (vent = table; vent->version != 0; ++vent) {
1904 const SSL_METHOD *method;
1905
1906 if (vent->smeth == NULL ||
1907 version_cmp(s, client_version, vent->version) < 0)
1908 continue;
1909 method = vent->smeth();
1910 if (ssl_method_error(s, method) == 0) {
f7f2a01d 1911 check_for_downgrade(s, vent->version, dgrd);
4fa52141 1912 s->version = vent->version;
38b051a1 1913 ssl->method = method;
cffafb5f
MC		 1914 if (!s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl,
1915 s->version))
1853d20a
MC		 1916 return ERR_R_INTERNAL_ERROR;
1917
4fa52141
VD		 1918 return 0;
1919 }
1920 disabled = 1;
1921 }
1922 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1923}
1924
1925/*
1926 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1927 * server HELLO is received to select the final client protocol version and
1928 * the version specific method.
1929 *
1930 * @s: client SSL handle.
1931 * @version: The proposed version from the server's HELLO.
88050dd1 1932 * @extensions: The extensions received
4fa52141 1933 *
29bfd5b7 1934 * Returns 1 on success or 0 on error.
4fa52141 1935 */
38b051a1
TM		 1936int ssl_choose_client_version(SSL_CONNECTION *s, int version,
1937 RAW_EXTENSION *extensions)
4fa52141
VD		 1938{
1939 const version_info *vent;
1940 const version_info *table;
b5b993b2 1941 int ret, ver_min, ver_max, real_max, origv;
38b051a1 1942 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
4fa52141 1943
88050dd1
MC		 1944 origv = s->version;
1945 s->version = version;
b97667ce 1946
88050dd1
MC		 1947 /* This will overwrite s->version if the extension is present */
1948 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1949 SSL_EXT_TLS1_2_SERVER_HELLO
1950 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1951 NULL, 0)) {
1952 s->version = origv;
1953 return 0;
1954 }
1955
fc7129dc
MC		 1956 if (s->hello_retry_request != SSL_HRR_NONE
1957 && s->version != TLS1_3_VERSION) {
88050dd1 1958 s->version = origv;
c48ffbcc 1959 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
29bfd5b7 1960 return 0;
c3043dcd
MC		 1961 }
1962
38b051a1 1963 switch (ssl->method->version) {
4fa52141 1964 default:
38b051a1 1965 if (s->version != ssl->method->version) {
88050dd1 1966 s->version = origv;
c48ffbcc 1967 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
29bfd5b7 1968 return 0;
c3043dcd 1969 }
4fa52141
VD		 1970 /*
1971 * If this SSL handle is not from a version flexible method we don't
1972 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1973 * that's OK. It is up to the caller to not choose fixed protocol
1974 * versions they don't want. If not, then easy to fix, just return
1975 * ssl_method_error(s, s->method)
1976 */
cffafb5f
MC		 1977 if (!s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl,
1978 s->version)) {
1853d20a
MC		 1979 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1980 return 0;
1981 }
29bfd5b7 1982 return 1;
4fa52141
VD		 1983 case TLS_ANY_VERSION:
1984 table = tls_version_table;
1985 break;
1986 case DTLS_ANY_VERSION:
1987 table = dtls_version_table;
1988 break;
1989 }
1990
b5b993b2
MC		 1991 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1992 if (ret != 0) {
1993 s->version = origv;
c48ffbcc 1994 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
b5b993b2
MC		 1995 return 0;
1996 }
38b051a1
TM		 1997 if (SSL_CONNECTION_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1998 : s->version < ver_min) {
b5b993b2 1999 s->version = origv;
c48ffbcc 2000 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
b5b993b2 2001 return 0;
38b051a1
TM		 2002 } else if (SSL_CONNECTION_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
2003 : s->version > ver_max) {
b5b993b2 2004 s->version = origv;
c48ffbcc 2005 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
b5b993b2
MC		 2006 return 0;
2007 }
5df22060 2008
b5b993b2
MC		 2009 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
2010 real_max = ver_max;
c3043dcd 2011
b5b993b2
MC		 2012 /* Check for downgrades */
2013 if (s->version == TLS1_2_VERSION && real_max > s->version) {
2014 if (memcmp(tls12downgrade,
555cbb32 2015 s->s3.server_random + SSL3_RANDOM_SIZE
b5b993b2
MC		 2016 - sizeof(tls12downgrade),
2017 sizeof(tls12downgrade)) == 0) {
2018 s->version = origv;
2019 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
b5b993b2
MC		 2020 SSL_R_INAPPROPRIATE_FALLBACK);
2021 return 0;
2022 }
38b051a1 2023 } else if (!SSL_CONNECTION_IS_DTLS(s)
b5b993b2
MC		 2024 && s->version < TLS1_2_VERSION
2025 && real_max > s->version) {
2026 if (memcmp(tls11downgrade,
555cbb32 2027 s->s3.server_random + SSL3_RANDOM_SIZE
b5b993b2
MC		 2028 - sizeof(tls11downgrade),
2029 sizeof(tls11downgrade)) == 0) {
2030 s->version = origv;
2031 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
b5b993b2
MC		 2032 SSL_R_INAPPROPRIATE_FALLBACK);
2033 return 0;
c3043dcd 2034 }
b5b993b2 2035 }
c3043dcd 2036
b5b993b2
MC		 2037 for (vent = table; vent->version != 0; ++vent) {
2038 if (vent->cmeth == NULL || s->version != vent->version)
c3043dcd
MC		 2039 continue;
2040
38b051a1 2041 ssl->method = vent->cmeth();
cffafb5f
MC		 2042 if (!s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl,
2043 s->version)) {
1853d20a
MC		 2044 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2045 return 0;
2046 }
29bfd5b7 2047 return 1;
4fa52141
VD		 2048 }
2049
88050dd1 2050 s->version = origv;
c48ffbcc 2051 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
29bfd5b7 2052 return 0;
4fa52141
VD		 2053}
2054
068c358a 2055/*
38a73150 2056 * ssl_get_min_max_version - get minimum and maximum protocol version
068c358a
KR		 2057 * @s: The SSL connection
2058 * @min_version: The minimum supported version
2059 * @max_version: The maximum supported version
b5b993b2
MC		 2060 * @real_max: The highest version below the lowest compile time version hole
2061 * where that hole lies above at least one run-time enabled
2062 * protocol.
068c358a
KR		 2063 *
2064 * Work out what version we should be using for the initial ClientHello if the
2065 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2066 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
b53338cb 2067 * constraints and any floor imposed by the security level here,
068c358a 2068 * so we don't advertise the wrong protocol version to only reject the outcome later.
4fa52141 2069 *
0485d540 2070 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
4fa52141
VD		 2071 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2072 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2073 *
068c358a
KR		 2074 * Returns 0 on success or an SSL error reason number on failure. On failure
2075 * min_version and max_version will also be set to 0.
4fa52141 2076 */
38b051a1
TM		 2077int ssl_get_min_max_version(const SSL_CONNECTION *s, int *min_version,
2078 int *max_version, int *real_max)
4fa52141 2079{
b5b993b2 2080 int version, tmp_real_max;
4fa52141
VD		 2081 int hole;
2082 const SSL_METHOD *single = NULL;
2083 const SSL_METHOD *method;
2084 const version_info *table;
2085 const version_info *vent;
38b051a1 2086 const SSL *ssl = SSL_CONNECTION_GET_SSL(s);
4fa52141 2087
38b051a1 2088 switch (ssl->method->version) {
4fa52141
VD		 2089 default:
2090 /*
2091 * If this SSL handle is not from a version flexible method we don't
2092 * (and never did) check min/max FIPS or Suite B constraints. Hope
2093 * that's OK. It is up to the caller to not choose fixed protocol
2094 * versions they don't want. If not, then easy to fix, just return
2095 * ssl_method_error(s, s->method)
2096 */
068c358a 2097 *min_version = *max_version = s->version;
b5b993b2
MC		 2098 /*
2099 * Providing a real_max only makes sense where we're using a version
2100 * flexible method.
2101 */
2102 if (!ossl_assert(real_max == NULL))
2103 return ERR_R_INTERNAL_ERROR;
4fa52141
VD		 2104 return 0;
2105 case TLS_ANY_VERSION:
2106 table = tls_version_table;
2107 break;
2108 case DTLS_ANY_VERSION:
2109 table = dtls_version_table;
2110 break;
2111 }
2112
2113 /*
2114 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2115 * below X enabled. This is required in order to maintain the "version
2116 * capability" vector contiguous. Any versions with a NULL client method
2117 * (protocol version client is disabled at compile-time) is also a "hole".
2118 *
2119 * Our initial state is hole == 1, version == 0. That is, versions above
2120 * the first version in the method table are disabled (a "hole" above
2121 * the valid protocol entries) and we don't have a selected version yet.
2122 *
2123 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2124 * the selected version, and the method becomes a candidate "single"
2125 * method. We're no longer in a hole, so "hole" becomes 0.
2126 *
2127 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2128 * as we support a contiguous range of at least two methods. If we hit
2129 * a disabled method, then hole becomes true again, but nothing else
2130 * changes yet, because all the remaining methods may be disabled too.
2131 * If we again hit an enabled method after the new hole, it becomes
2132 * selected, as we start from scratch.
2133 */
068c358a 2134 *min_version = version = 0;
4fa52141 2135 hole = 1;
b5b993b2
MC		 2136 if (real_max != NULL)
2137 *real_max = 0;
2138 tmp_real_max = 0;
4fa52141
VD		 2139 for (vent = table; vent->version != 0; ++vent) {
2140 /*
2141 * A table entry with a NULL client method is still a hole in the
2142 * "version capability" vector.
2143 */
2144 if (vent->cmeth == NULL) {
2145 hole = 1;
b5b993b2 2146 tmp_real_max = 0;
4fa52141
VD		 2147 continue;
2148 }
2149 method = vent->cmeth();
b5b993b2
MC		 2150
2151 if (hole == 1 && tmp_real_max == 0)
2152 tmp_real_max = vent->version;
2153
4fa52141
VD		 2154 if (ssl_method_error(s, method) != 0) {
2155 hole = 1;
2156 } else if (!hole) {
2157 single = NULL;
068c358a 2158 *min_version = method->version;
4fa52141 2159 } else {
b5b993b2
MC		 2160 if (real_max != NULL && tmp_real_max != 0)
2161 *real_max = tmp_real_max;
4fa52141 2162 version = (single = method)->version;
068c358a 2163 *min_version = version;
4fa52141
VD		 2164 hole = 0;
2165 }
2166 }
2167
068c358a
KR		 2168 *max_version = version;
2169
4fa52141
VD		 2170 /* Fail if everything is disabled */
2171 if (version == 0)
2172 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2173
068c358a
KR		 2174 return 0;
2175}
2176
2177/*
2178 * ssl_set_client_hello_version - Work out what version we should be using for
7acb8b64 2179 * the initial ClientHello.legacy_version field.
068c358a
KR		 2180 *
2181 * @s: client SSL handle.
2182 *
2183 * Returns 0 on success or an SSL error reason number on failure.
2184 */
38b051a1 2185int ssl_set_client_hello_version(SSL_CONNECTION *s)
068c358a 2186{
3eb2aff4 2187 int ver_min, ver_max, ret;
068c358a 2188
447cc0ad
MC		 2189 /*
2190 * In a renegotiation we always send the same client_version that we sent
2191 * last time, regardless of which version we eventually negotiated.
2192 */
2193 if (!SSL_IS_FIRST_HANDSHAKE(s))
2194 return 0;
2195
b5b993b2 2196 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
068c358a
KR		 2197
2198 if (ret != 0)
2199 return ret;
2200
7acb8b64
MC		 2201 s->version = ver_max;
2202
222cf410
MC		 2203 if (SSL_CONNECTION_IS_DTLS(s)) {
2204 if (ver_max == DTLS1_BAD_VER) {
2205 /*
2206 * Even though this is technically before version negotiation,
2207 * because we have asked for DTLS1_BAD_VER we will never negotiate
2208 * anything else, and this has impacts on the record layer for when
2209 * we read the ServerHello. So we need to tell the record layer
2210 * about this immediately.
2211 */
cffafb5f 2212 s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl, ver_max);
222cf410
MC		 2213 }
2214 } else if (ver_max > TLS1_2_VERSION) {
2215 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
7acb8b64 2216 ver_max = TLS1_2_VERSION;
222cf410 2217 }
7acb8b64
MC		 2218
2219 s->client_version = ver_max;
4fa52141
VD		 2220 return 0;
2221}
aff9929b
MC		 2222
2223/*
2224 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2225 * and |checkallow| is 1 then additionally check if the group is allowed to be
2226 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2227 * 1) or 0 otherwise.
2228 */
38b051a1 2229int check_in_list(SSL_CONNECTION *s, uint16_t group_id, const uint16_t *groups,
aff9929b
MC		 2230 size_t num_groups, int checkallow)
2231{
2232 size_t i;
2233
2234 if (groups == NULL || num_groups == 0)
2235 return 0;
2236
0a10825a
BE		 2237 if (checkallow == 1)
2238 group_id = ssl_group_id_tls13_to_internal(group_id);
2239
9e84a42d
DSH		 2240 for (i = 0; i < num_groups; i++) {
2241 uint16_t group = groups[i];
2242
0a10825a
BE		 2243 if (checkallow == 2)
2244 group = ssl_group_id_tls13_to_internal(group);
2245
9e84a42d 2246 if (group_id == group
aff9929b 2247 && (!checkallow
dbc6268f 2248 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
0acee504 2249 return 1;
aff9929b
MC		 2250 }
2251 }
2252
0acee504 2253 return 0;
aff9929b 2254}
11c67eea
MC		 2255
2256/* Replace ClientHello1 in the transcript hash with a synthetic message */
38b051a1
TM		 2257int create_synthetic_message_hash(SSL_CONNECTION *s,
2258 const unsigned char *hashval,
43054d3d
MC		 2259 size_t hashlen, const unsigned char *hrr,
2260 size_t hrrlen)
11c67eea 2261{
43054d3d 2262 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
635b7d3f
MC		 2263 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2264
2265 memset(msghdr, 0, sizeof(msghdr));
11c67eea 2266
43054d3d
MC		 2267 if (hashval == NULL) {
2268 hashval = hashvaltmp;
2269 hashlen = 0;
2270 /* Get the hash of the initial ClientHello */
2271 if (!ssl3_digest_cached_records(s, 0)
2272 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2273 &hashlen)) {
2274 /* SSLfatal() already called */
2275 return 0;
2276 }
11c67eea
MC		 2277 }
2278
2279 /* Reinitialise the transcript hash */
f63a17d6
MC		 2280 if (!ssl3_init_finished_mac(s)) {
2281 /* SSLfatal() already called */
11c67eea 2282 return 0;
f63a17d6 2283 }
11c67eea
MC		 2284
2285 /* Inject the synthetic message_hash message */
635b7d3f 2286 msghdr[0] = SSL3_MT_MESSAGE_HASH;
3a63c0ed 2287 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
11c67eea
MC		 2288 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2289 || !ssl3_finish_mac(s, hashval, hashlen)) {
f63a17d6 2290 /* SSLfatal() already called */
11c67eea
MC		 2291 return 0;
2292 }
2293
43054d3d
MC		 2294 /*
2295 * Now re-inject the HRR and current message if appropriate (we just deleted
2296 * it when we reinitialised the transcript hash above). Only necessary after
2297 * receiving a ClientHello2 with a cookie.
2298 */
2299 if (hrr != NULL
2300 && (!ssl3_finish_mac(s, hrr, hrrlen)
2301 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
555cbb32 2302 s->s3.tmp.message_size
43054d3d
MC		 2303 + SSL3_HM_HEADER_LENGTH))) {
2304 /* SSLfatal() already called */
2305 return 0;
2306 }
2307
11c67eea
MC		 2308 return 1;
2309}
5d6cca05
DSH		 2310
2311static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2312{
2313 return X509_NAME_cmp(*a, *b);
2314}
2315
38b051a1 2316int parse_ca_names(SSL_CONNECTION *s, PACKET *pkt)
5d6cca05
DSH		 2317{
2318 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2319 X509_NAME *xn = NULL;
2320 PACKET cadns;
2321
2322 if (ca_sk == NULL) {
c48ffbcc 2323 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
f63a17d6 2324 goto err;
5d6cca05
DSH		 2325 }
2326 /* get the CA RDNs */
2327 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
c48ffbcc 2328 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 2329 goto err;
5d6cca05
DSH		 2330 }
2331
2332 while (PACKET_remaining(&cadns)) {
2333 const unsigned char *namestart, *namebytes;
2334 unsigned int name_len;
2335
2336 if (!PACKET_get_net_2(&cadns, &name_len)
2337 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
c48ffbcc 2338 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
f63a17d6 2339 goto err;
5d6cca05
DSH		 2340 }
2341
2342 namestart = namebytes;
2343 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
c48ffbcc 2344 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
f63a17d6 2345 goto err;
5d6cca05
DSH		 2346 }
2347 if (namebytes != (namestart + name_len)) {
c48ffbcc 2348 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
f63a17d6 2349 goto err;
5d6cca05
DSH		 2350 }
2351
2352 if (!sk_X509_NAME_push(ca_sk, xn)) {
c48ffbcc 2353 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
5d6cca05
DSH		 2354 goto err;
2355 }
2356 xn = NULL;
2357 }
2358
555cbb32
TS		 2359 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2360 s->s3.tmp.peer_ca_names = ca_sk;
5d6cca05
DSH		 2361
2362 return 1;
2363
5d6cca05
DSH		 2364 err:
2365 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2366 X509_NAME_free(xn);
2367 return 0;
2368}
2369
38b051a1 2370const STACK_OF(X509_NAME) *get_ca_names(SSL_CONNECTION *s)
5d6cca05 2371{
1e331727 2372 const STACK_OF(X509_NAME) *ca_sk = NULL;
38b051a1 2373 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
5d6cca05 2374
98732979 2375 if (s->server) {
38b051a1 2376 ca_sk = SSL_get_client_CA_list(ssl);
98732979
MC		 2377 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2378 ca_sk = NULL;
2379 }
2380
2381 if (ca_sk == NULL)
38b051a1 2382 ca_sk = SSL_get0_CA_list(ssl);
98732979
MC		 2383
2384 return ca_sk;
2385}
2386
38b051a1
TM		 2387int construct_ca_names(SSL_CONNECTION *s, const STACK_OF(X509_NAME) *ca_sk,
2388 WPACKET *pkt)
98732979 2389{
5d6cca05 2390 /* Start sub-packet for client CA list */
f63a17d6 2391 if (!WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 2392 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5d6cca05 2393 return 0;
f63a17d6 2394 }
5d6cca05 2395
90fc2c26 2396 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
5d6cca05
DSH		 2397 int i;
2398
2399 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2400 unsigned char *namebytes;
2401 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2402 int namelen;
2403
2404 if (name == NULL
2405 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2406 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2407 &namebytes)
2408 || i2d_X509_NAME(name, &namebytes) != namelen) {
c48ffbcc 2409 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5d6cca05
DSH		 2410 return 0;
2411 }
2412 }
2413 }
2414
f63a17d6 2415 if (!WPACKET_close(pkt)) {
c48ffbcc 2416 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
5d6cca05 2417 return 0;
f63a17d6 2418 }
5d6cca05
DSH		 2419
2420 return 1;
2421}
72ceb6a6
DSH		 2422
2423/* Create a buffer containing data to be signed for server key exchange */
38b051a1 2424size_t construct_key_exchange_tbs(SSL_CONNECTION *s, unsigned char **ptbs,
72ceb6a6
DSH		 2425 const void *param, size_t paramlen)
2426{
2427 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2428 unsigned char *tbs = OPENSSL_malloc(tbslen);
2429
f63a17d6 2430 if (tbs == NULL) {
c48ffbcc 2431 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
72ceb6a6 2432 return 0;
f63a17d6 2433 }
555cbb32
TS		 2434 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2435 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
72ceb6a6
DSH		 2436
2437 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2438
2439 *ptbs = tbs;
2440 return tbslen;
2441}
9d75dce3
TS		 2442
2443/*
2444 * Saves the current handshake digest for Post-Handshake Auth,
2445 * Done after ClientFinished is processed, done exactly once
2446 */
38b051a1 2447int tls13_save_handshake_digest_for_pha(SSL_CONNECTION *s)
9d75dce3
TS		 2448{
2449 if (s->pha_dgst == NULL) {
2450 if (!ssl3_digest_cached_records(s, 1))
2451 /* SSLfatal() already called */
2452 return 0;
2453
2454 s->pha_dgst = EVP_MD_CTX_new();
2455 if (s->pha_dgst == NULL) {
c48ffbcc 2456 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 2457 return 0;
2458 }
2459 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
555cbb32 2460 s->s3.handshake_dgst)) {
c48ffbcc 2461 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
963eb12d 2462 EVP_MD_CTX_free(s->pha_dgst);
2463 s->pha_dgst = NULL;
9d75dce3
TS		 2464 return 0;
2465 }
2466 }
2467 return 1;
2468}
2469
2470/*
2471 * Restores the Post-Handshake Auth handshake digest
2472 * Done just before sending/processing the Cert Request
2473 */
38b051a1 2474int tls13_restore_handshake_digest_for_pha(SSL_CONNECTION *s)
9d75dce3
TS		 2475{
2476 if (s->pha_dgst == NULL) {
c48ffbcc 2477 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 2478 return 0;
2479 }
555cbb32 2480 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
9d75dce3 2481 s->pha_dgst)) {
c48ffbcc 2482 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 2483 return 0;
2484 }
2485 return 1;
2486}
A mirror of the official openssl repository