statem_lib.c@ 91772

Last change on this file since 91772 was 91772, checked in by vboxsync, 3 years ago
openssl-1.1.1l: Applied and adjusted our OpenSSL changes to 1.1.1l. bugref:10126
File size: 79.6 KB

Line
1	/*
2	* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
3	* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4	*
5	* Licensed under the OpenSSL license (the "License"). You may not use
6	* this file except in compliance with the License. You can obtain a copy
7	* in the file LICENSE in the source distribution or at
8	* https://www.openssl.org/source/license.html
9	*/
10
11	#include <limits.h>
12	#include <string.h>
13	#include <stdio.h>
14	#include "../ssl_local.h"
15	#include "statem_local.h"
16	#include "internal/cryptlib.h"
17	#include <openssl/buffer.h>
18	#include <openssl/objects.h>
19	#include <openssl/evp.h>
20	#include <openssl/x509.h>
21
22	/*
23	* Map error codes to TLS/SSL alart types.
24	*/
25	typedef struct x509err2alert_st {
26	int x509err;
27	int alert;
28	} X509ERR2ALERT;
29
30	/* Fixed value used in the ServerHello random field to identify an HRR */
31	const unsigned char hrrrandom[] = {
32	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
33	0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
34	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
35	};
36
37	/*
38	* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
39	* SSL3_RT_CHANGE_CIPHER_SPEC)
40	*/
41	int ssl3_do_write(SSL *s, int type)
42	{
43	int ret;
44	size_t written = 0;
45
46	ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
47	s->init_num, &written);
48	if (ret < 0)
49	return -1;
50	if (type == SSL3_RT_HANDSHAKE)
51	/*
52	* should not be done for 'Hello Request's, but in that case we'll
53	* ignore the result anyway
54	* TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
55	*/
56	if (!SSL_IS_TLS13(s) \|\| (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
57	&& s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
58	&& s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
59	if (!ssl3_finish_mac(s,
60	(unsigned char *)&s->init_buf->data[s->init_off],
61	written))
62	return -1;
63	if (written == s->init_num) {
64	if (s->msg_callback)
65	s->msg_callback(1, s->version, type, s->init_buf->data,
66	(size_t)(s->init_off + s->init_num), s,
67	s->msg_callback_arg);
68	return 1;
69	}
70	s->init_off += written;
71	s->init_num -= written;
72	return 0;
73	}
74
75	int tls_close_construct_packet(SSL s, WPACKET pkt, int htype)
76	{
77	size_t msglen;
78
79	if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
80	\|\| !WPACKET_get_length(pkt, &msglen)
81	\|\| msglen > INT_MAX)
82	return 0;
83	s->init_num = (int)msglen;
84	s->init_off = 0;
85
86	return 1;
87	}
88
89	int tls_setup_handshake(SSL *s)
90	{
91	if (!ssl3_init_finished_mac(s)) {
92	/* SSLfatal() already called */
93	return 0;
94	}
95
96	/* Reset any extension flags */
97	memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
98
99	if (s->server) {
100	STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
101	int i, ver_min, ver_max, ok = 0;
102
103	/*
104	* Sanity check that the maximum version we accept has ciphers
105	* enabled. For clients we do this check during construction of the
106	* ClientHello.
107	*/
108	if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
109	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
110	ERR_R_INTERNAL_ERROR);
111	return 0;
112	}
113	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
114	const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
115
116	if (SSL_IS_DTLS(s)) {
117	if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
118	DTLS_VERSION_LE(ver_max, c->max_dtls))
119	ok = 1;
120	} else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
121	ok = 1;
122	}
123	if (ok)
124	break;
125	}
126	if (!ok) {
127	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
128	SSL_R_NO_CIPHERS_AVAILABLE);
129	ERR_add_error_data(1, "No ciphers enabled for max supported "
130	"SSL/TLS version");
131	return 0;
132	}
133	if (SSL_IS_FIRST_HANDSHAKE(s)) {
134	/* N.B. s->session_ctx == s->ctx here */
135	tsan_counter(&s->session_ctx->stats.sess_accept);
136	} else {
137	/* N.B. s->ctx may not equal s->session_ctx */
138	tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
139
140	s->s3->tmp.cert_request = 0;
141	}
142	} else {
143	if (SSL_IS_FIRST_HANDSHAKE(s))
144	tsan_counter(&s->session_ctx->stats.sess_connect);
145	else
146	tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
147
148	/* mark client_random uninitialized */
149	memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
150	s->hit = 0;
151
152	s->s3->tmp.cert_req = 0;
153
154	if (SSL_IS_DTLS(s))
155	s->statem.use_timer = 1;
156	}
157
158	return 1;
159	}
160
161	/*
162	* Size of the to-be-signed TLS13 data, without the hash size itself:
163	* 64 bytes of value 32, 33 context bytes, 1 byte separator
164	*/
165	#define TLS13_TBS_START_SIZE 64
166	#define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
167
168	static int get_cert_verify_tbs_data(SSL s, unsigned char tls13tbs,
169	void *hdata, size_t hdatalen)
170	{
171	#ifdef CHARSET_EBCDIC
172	static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
173	0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
174	0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
175	0x69, 0x66, 0x79, 0x00 };
176	static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
177	0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
178	0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
179	0x69, 0x66, 0x79, 0x00 };
180	#else
181	static const char servercontext[] = "TLS 1.3, server CertificateVerify";
182	static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
183	#endif
184	if (SSL_IS_TLS13(s)) {
185	size_t hashlen;
186
187	/* Set the first 64 bytes of to-be-signed data to octet 32 */
188	memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
189	/* This copies the 33 bytes of context plus the 0 separator byte */
190	if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
191	\|\| s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
192	strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
193	else
194	strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
195
196	/*
197	* If we're currently reading then we need to use the saved handshake
198	* hash value. We can't use the current handshake hash state because
199	* that includes the CertVerify itself.
200	*/
201	if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
202	\|\| s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
203	memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
204	s->cert_verify_hash_len);
205	hashlen = s->cert_verify_hash_len;
206	} else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
207	EVP_MAX_MD_SIZE, &hashlen)) {
208	/* SSLfatal() already called */
209	return 0;
210	}
211
212	*hdata = tls13tbs;
213	*hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
214	} else {
215	size_t retlen;
216	long retlen_l;
217
218	retlen = retlen_l = BIO_get_mem_data(s->s3->handshake_buffer, hdata);
219	if (retlen_l <= 0) {
220	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
221	ERR_R_INTERNAL_ERROR);
222	return 0;
223	}
224	*hdatalen = retlen;
225	}
226
227	return 1;
228	}
229
230	int tls_construct_cert_verify(SSL s, WPACKET pkt)
231	{
232	EVP_PKEY *pkey = NULL;
233	const EVP_MD *md = NULL;
234	EVP_MD_CTX *mctx = NULL;
235	EVP_PKEY_CTX *pctx = NULL;
236	size_t hdatalen = 0, siglen = 0;
237	void *hdata;
238	unsigned char *sig = NULL;
239	unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
240	const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
241
242	if (lu == NULL \|\| s->s3->tmp.cert == NULL) {
243	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
244	ERR_R_INTERNAL_ERROR);
245	goto err;
246	}
247	pkey = s->s3->tmp.cert->privatekey;
248
249	if (pkey == NULL \|\| !tls1_lookup_md(lu, &md)) {
250	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
251	ERR_R_INTERNAL_ERROR);
252	goto err;
253	}
254
255	mctx = EVP_MD_CTX_new();
256	if (mctx == NULL) {
257	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
258	ERR_R_MALLOC_FAILURE);
259	goto err;
260	}
261
262	/* Get the data to be signed */
263	if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
264	/* SSLfatal() already called */
265	goto err;
266	}
267
268	if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
269	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
270	ERR_R_INTERNAL_ERROR);
271	goto err;
272	}
273	siglen = EVP_PKEY_size(pkey);
274	sig = OPENSSL_malloc(siglen);
275	if (sig == NULL) {
276	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
277	ERR_R_MALLOC_FAILURE);
278	goto err;
279	}
280
281	if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) {
282	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
283	ERR_R_EVP_LIB);
284	goto err;
285	}
286
287	if (lu->sig == EVP_PKEY_RSA_PSS) {
288	if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
289	\|\| EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
290	RSA_PSS_SALTLEN_DIGEST) <= 0) {
291	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
292	ERR_R_EVP_LIB);
293	goto err;
294	}
295	}
296	if (s->version == SSL3_VERSION) {
297	if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
298	\|\| !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
299	(int)s->session->master_key_length,
300	s->session->master_key)
301	\|\| EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
302
303	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
304	ERR_R_EVP_LIB);
305	goto err;
306	}
307	} else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
308	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
309	ERR_R_EVP_LIB);
310	goto err;
311	}
312
313	#ifndef OPENSSL_NO_GOST
314	{
315	int pktype = lu->sig;
316
317	if (pktype == NID_id_GostR3410_2001
318	\|\| pktype == NID_id_GostR3410_2012_256
319	\|\| pktype == NID_id_GostR3410_2012_512)
320	BUF_reverse(sig, NULL, siglen);
321	}
322	#endif
323
324	if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
325	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
326	ERR_R_INTERNAL_ERROR);
327	goto err;
328	}
329
330	/* Digest cached records and discard handshake buffer */
331	if (!ssl3_digest_cached_records(s, 0)) {
332	/* SSLfatal() already called */
333	goto err;
334	}
335
336	OPENSSL_free(sig);
337	EVP_MD_CTX_free(mctx);
338	return 1;
339	err:
340	OPENSSL_free(sig);
341	EVP_MD_CTX_free(mctx);
342	return 0;
343	}
344
345	MSG_PROCESS_RETURN tls_process_cert_verify(SSL s, PACKET pkt)
346	{
347	EVP_PKEY *pkey = NULL;
348	const unsigned char *data;
349	#ifndef OPENSSL_NO_GOST
350	unsigned char *gost_data = NULL;
351	#endif
352	MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
353	int j;
354	unsigned int len;
355	X509 *peer;
356	const EVP_MD *md = NULL;
357	size_t hdatalen = 0;
358	void *hdata;
359	unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
360	EVP_MD_CTX *mctx = EVP_MD_CTX_new();
361	EVP_PKEY_CTX *pctx = NULL;
362
363	if (mctx == NULL) {
364	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
365	ERR_R_MALLOC_FAILURE);
366	goto err;
367	}
368
369	peer = s->session->peer;
370	pkey = X509_get0_pubkey(peer);
371	if (pkey == NULL) {
372	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
373	ERR_R_INTERNAL_ERROR);
374	goto err;
375	}
376
377	if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
378	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
379	SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
380	goto err;
381	}
382
383	if (SSL_USE_SIGALGS(s)) {
384	unsigned int sigalg;
385
386	if (!PACKET_get_net_2(pkt, &sigalg)) {
387	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
388	SSL_R_BAD_PACKET);
389	goto err;
390	}
391	if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
392	/* SSLfatal() already called */
393	goto err;
394	}
395	} else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
396	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
397	ERR_R_INTERNAL_ERROR);
398	goto err;
399	}
400
401	if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) {
402	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
403	ERR_R_INTERNAL_ERROR);
404	goto err;
405	}
406
407	#ifdef SSL_DEBUG
408	if (SSL_USE_SIGALGS(s))
409	fprintf(stderr, "USING TLSv1.2 HASH %s\n",
410	md == NULL ? "n/a" : EVP_MD_name(md));
411	#endif
412
413	/* Check for broken implementations of GOST ciphersuites */
414	/*
415	* If key is GOST and len is exactly 64 or 128, it is signature without
416	* length field (CryptoPro implementations at least till TLS 1.2)
417	*/
418	#ifndef OPENSSL_NO_GOST
419	if (!SSL_USE_SIGALGS(s)
420	&& ((PACKET_remaining(pkt) == 64
421	&& (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
422	\|\| EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
423	\|\| (PACKET_remaining(pkt) == 128
424	&& EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
425	len = PACKET_remaining(pkt);
426	} else
427	#endif
428	if (!PACKET_get_net_2(pkt, &len)) {
429	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
430	SSL_R_LENGTH_MISMATCH);
431	goto err;
432	}
433
434	j = EVP_PKEY_size(pkey);
435	if (((int)len > j) \|\| ((int)PACKET_remaining(pkt) > j)
436	\|\| (PACKET_remaining(pkt) == 0)) {
437	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
438	SSL_R_WRONG_SIGNATURE_SIZE);
439	goto err;
440	}
441	if (!PACKET_get_bytes(pkt, &data, len)) {
442	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
443	SSL_R_LENGTH_MISMATCH);
444	goto err;
445	}
446
447	if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
448	/* SSLfatal() already called */
449	goto err;
450	}
451
452	#ifdef SSL_DEBUG
453	fprintf(stderr, "Using client verify alg %s\n",
454	md == NULL ? "n/a" : EVP_MD_name(md));
455	#endif
456	if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
457	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
458	ERR_R_EVP_LIB);
459	goto err;
460	}
461	#ifndef OPENSSL_NO_GOST
462	{
463	int pktype = EVP_PKEY_id(pkey);
464	if (pktype == NID_id_GostR3410_2001
465	\|\| pktype == NID_id_GostR3410_2012_256
466	\|\| pktype == NID_id_GostR3410_2012_512) {
467	if ((gost_data = OPENSSL_malloc(len)) == NULL) {
468	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
469	SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
470	goto err;
471	}
472	BUF_reverse(gost_data, data, len);
473	data = gost_data;
474	}
475	}
476	#endif
477
478	if (SSL_USE_PSS(s)) {
479	if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
480	\|\| EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
481	RSA_PSS_SALTLEN_DIGEST) <= 0) {
482	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
483	ERR_R_EVP_LIB);
484	goto err;
485	}
486	}
487	if (s->version == SSL3_VERSION) {
488	if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
489	\|\| !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
490	(int)s->session->master_key_length,
491	s->session->master_key)) {
492	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
493	ERR_R_EVP_LIB);
494	goto err;
495	}
496	if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
497	SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
498	SSL_R_BAD_SIGNATURE);
499	goto err;
500	}
501	} else {
502	j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
503	if (j <= 0) {
504	SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
505	SSL_R_BAD_SIGNATURE);
506	goto err;
507	}
508	}
509
510	/*
511	* In TLSv1.3 on the client side we make sure we prepare the client
512	* certificate after the CertVerify instead of when we get the
513	* CertificateRequest. This is because in TLSv1.3 the CertificateRequest
514	* comes before the Certificate message. In TLSv1.2 it comes after. We
515	* want to make sure that SSL_get_peer_certificate() will return the actual
516	* server certificate from the client_cert_cb callback.
517	*/
518	if (!s->server && SSL_IS_TLS13(s) && s->s3->tmp.cert_req == 1)
519	ret = MSG_PROCESS_CONTINUE_PROCESSING;
520	else
521	ret = MSG_PROCESS_CONTINUE_READING;
522	err:
523	BIO_free(s->s3->handshake_buffer);
524	s->s3->handshake_buffer = NULL;
525	EVP_MD_CTX_free(mctx);
526	#ifndef OPENSSL_NO_GOST
527	OPENSSL_free(gost_data);
528	#endif
529	return ret;
530	}
531
532	int tls_construct_finished(SSL s, WPACKET pkt)
533	{
534	size_t finish_md_len;
535	const char *sender;
536	size_t slen;
537
538	/* This is a real handshake so make sure we clean it up at the end */
539	if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
540	s->statem.cleanuphand = 1;
541
542	/*
543	* We only change the keys if we didn't already do this when we sent the
544	* client certificate
545	*/
546	if (SSL_IS_TLS13(s)
547	&& !s->server
548	&& s->s3->tmp.cert_req == 0
549	&& (!s->method->ssl3_enc->change_cipher_state(s,
550	SSL3_CC_HANDSHAKE \| SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
551	/* SSLfatal() already called */
552	return 0;
553	}
554
555	if (s->server) {
556	sender = s->method->ssl3_enc->server_finished_label;
557	slen = s->method->ssl3_enc->server_finished_label_len;
558	} else {
559	sender = s->method->ssl3_enc->client_finished_label;
560	slen = s->method->ssl3_enc->client_finished_label_len;
561	}
562
563	finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
564	sender, slen,
565	s->s3->tmp.finish_md);
566	if (finish_md_len == 0) {
567	/* SSLfatal() already called */
568	return 0;
569	}
570
571	s->s3->tmp.finish_md_len = finish_md_len;
572
573	if (!WPACKET_memcpy(pkt, s->s3->tmp.finish_md, finish_md_len)) {
574	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
575	ERR_R_INTERNAL_ERROR);
576	return 0;
577	}
578
579	/*
580	* Log the master secret, if logging is enabled. We don't log it for
581	* TLSv1.3: there's a different key schedule for that.
582	*/
583	if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
584	s->session->master_key,
585	s->session->master_key_length)) {
586	/* SSLfatal() already called */
587	return 0;
588	}
589
590	/*
591	* Copy the finished so we can use it for renegotiation checks
592	*/
593	if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
594	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
595	ERR_R_INTERNAL_ERROR);
596	return 0;
597	}
598	if (!s->server) {
599	memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md,
600	finish_md_len);
601	s->s3->previous_client_finished_len = finish_md_len;
602	} else {
603	memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md,
604	finish_md_len);
605	s->s3->previous_server_finished_len = finish_md_len;
606	}
607
608	return 1;
609	}
610
611	int tls_construct_key_update(SSL s, WPACKET pkt)
612	{
613	if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
614	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
615	ERR_R_INTERNAL_ERROR);
616	return 0;
617	}
618
619	s->key_update = SSL_KEY_UPDATE_NONE;
620	return 1;
621	}
622
623	MSG_PROCESS_RETURN tls_process_key_update(SSL s, PACKET pkt)
624	{
625	unsigned int updatetype;
626
627	/*
628	* A KeyUpdate message signals a key change so the end of the message must
629	* be on a record boundary.
630	*/
631	if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
632	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
633	SSL_R_NOT_ON_RECORD_BOUNDARY);
634	return MSG_PROCESS_ERROR;
635	}
636
637	if (!PACKET_get_1(pkt, &updatetype)
638	\|\| PACKET_remaining(pkt) != 0) {
639	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
640	SSL_R_BAD_KEY_UPDATE);
641	return MSG_PROCESS_ERROR;
642	}
643
644	/*
645	* There are only two defined key update types. Fail if we get a value we
646	* didn't recognise.
647	*/
648	if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
649	&& updatetype != SSL_KEY_UPDATE_REQUESTED) {
650	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
651	SSL_R_BAD_KEY_UPDATE);
652	return MSG_PROCESS_ERROR;
653	}
654
655	/*
656	* If we get a request for us to update our sending keys too then, we need
657	* to additionally send a KeyUpdate message. However that message should
658	* not also request an update (otherwise we get into an infinite loop).
659	*/
660	if (updatetype == SSL_KEY_UPDATE_REQUESTED)
661	s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
662
663	if (!tls13_update_key(s, 0)) {
664	/* SSLfatal() already called */
665	return MSG_PROCESS_ERROR;
666	}
667
668	return MSG_PROCESS_FINISHED_READING;
669	}
670
671	/*
672	* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
673	* to far.
674	*/
675	int ssl3_take_mac(SSL *s)
676	{
677	const char *sender;
678	size_t slen;
679
680	if (!s->server) {
681	sender = s->method->ssl3_enc->server_finished_label;
682	slen = s->method->ssl3_enc->server_finished_label_len;
683	} else {
684	sender = s->method->ssl3_enc->client_finished_label;
685	slen = s->method->ssl3_enc->client_finished_label_len;
686	}
687
688	s->s3->tmp.peer_finish_md_len =
689	s->method->ssl3_enc->final_finish_mac(s, sender, slen,
690	s->s3->tmp.peer_finish_md);
691
692	if (s->s3->tmp.peer_finish_md_len == 0) {
693	/* SSLfatal() already called */
694	return 0;
695	}
696
697	return 1;
698	}
699
700	MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL s, PACKET pkt)
701	{
702	size_t remain;
703
704	remain = PACKET_remaining(pkt);
705	/*
706	* 'Change Cipher Spec' is just a single byte, which should already have
707	* been consumed by ssl_get_message() so there should be no bytes left,
708	* unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
709	*/
710	if (SSL_IS_DTLS(s)) {
711	if ((s->version == DTLS1_BAD_VER
712	&& remain != DTLS1_CCS_HEADER_LENGTH + 1)
713	\|\| (s->version != DTLS1_BAD_VER
714	&& remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
715	SSLfatal(s, SSL_AD_DECODE_ERROR,
716	SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
717	SSL_R_BAD_CHANGE_CIPHER_SPEC);
718	return MSG_PROCESS_ERROR;
719	}
720	} else {
721	if (remain != 0) {
722	SSLfatal(s, SSL_AD_DECODE_ERROR,
723	SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
724	SSL_R_BAD_CHANGE_CIPHER_SPEC);
725	return MSG_PROCESS_ERROR;
726	}
727	}
728
729	/* Check we have a cipher to change to */
730	if (s->s3->tmp.new_cipher == NULL) {
731	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
732	SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
733	return MSG_PROCESS_ERROR;
734	}
735
736	s->s3->change_cipher_spec = 1;
737	if (!ssl3_do_change_cipher_spec(s)) {
738	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
739	ERR_R_INTERNAL_ERROR);
740	return MSG_PROCESS_ERROR;
741	}
742
743	if (SSL_IS_DTLS(s)) {
744	dtls1_reset_seq_numbers(s, SSL3_CC_READ);
745
746	if (s->version == DTLS1_BAD_VER)
747	s->d1->handshake_read_seq++;
748
749	#ifndef OPENSSL_NO_SCTP
750	/*
751	* Remember that a CCS has been received, so that an old key of
752	* SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
753	* SCTP is used
754	*/
755	BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
756	#endif
757	}
758
759	return MSG_PROCESS_CONTINUE_READING;
760	}
761
762	MSG_PROCESS_RETURN tls_process_finished(SSL s, PACKET pkt)
763	{
764	size_t md_len;
765
766
767	/* This is a real handshake so make sure we clean it up at the end */
768	if (s->server) {
769	/*
770	* To get this far we must have read encrypted data from the client. We
771	* no longer tolerate unencrypted alerts. This value is ignored if less
772	* than TLSv1.3
773	*/
774	s->statem.enc_read_state = ENC_READ_STATE_VALID;
775	if (s->post_handshake_auth != SSL_PHA_REQUESTED)
776	s->statem.cleanuphand = 1;
777	if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
778	/* SSLfatal() already called */
779	return MSG_PROCESS_ERROR;
780	}
781	}
782
783	/*
784	* In TLSv1.3 a Finished message signals a key change so the end of the
785	* message must be on a record boundary.
786	*/
787	if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
788	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
789	SSL_R_NOT_ON_RECORD_BOUNDARY);
790	return MSG_PROCESS_ERROR;
791	}
792
793	/* If this occurs, we have missed a message */
794	if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) {
795	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
796	SSL_R_GOT_A_FIN_BEFORE_A_CCS);
797	return MSG_PROCESS_ERROR;
798	}
799	s->s3->change_cipher_spec = 0;
800
801	md_len = s->s3->tmp.peer_finish_md_len;
802
803	if (md_len != PACKET_remaining(pkt)) {
804	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
805	SSL_R_BAD_DIGEST_LENGTH);
806	return MSG_PROCESS_ERROR;
807	}
808
809	if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md,
810	md_len) != 0) {
811	SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
812	SSL_R_DIGEST_CHECK_FAILED);
813	return MSG_PROCESS_ERROR;
814	}
815
816	/*
817	* Copy the finished so we can use it for renegotiation checks
818	*/
819	if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
820	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
821	ERR_R_INTERNAL_ERROR);
822	return MSG_PROCESS_ERROR;
823	}
824	if (s->server) {
825	memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md,
826	md_len);
827	s->s3->previous_client_finished_len = md_len;
828	} else {
829	memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md,
830	md_len);
831	s->s3->previous_server_finished_len = md_len;
832	}
833
834	/*
835	* In TLS1.3 we also have to change cipher state and do any final processing
836	* of the initial server flight (if we are a client)
837	*/
838	if (SSL_IS_TLS13(s)) {
839	if (s->server) {
840	if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
841	!s->method->ssl3_enc->change_cipher_state(s,
842	SSL3_CC_APPLICATION \| SSL3_CHANGE_CIPHER_SERVER_READ)) {
843	/* SSLfatal() already called */
844	return MSG_PROCESS_ERROR;
845	}
846	} else {
847	/* TLS 1.3 gets the secret size from the handshake md */
848	size_t dummy;
849	if (!s->method->ssl3_enc->generate_master_secret(s,
850	s->master_secret, s->handshake_secret, 0,
851	&dummy)) {
852	/* SSLfatal() already called */
853	return MSG_PROCESS_ERROR;
854	}
855	if (!s->method->ssl3_enc->change_cipher_state(s,
856	SSL3_CC_APPLICATION \| SSL3_CHANGE_CIPHER_CLIENT_READ)) {
857	/* SSLfatal() already called */
858	return MSG_PROCESS_ERROR;
859	}
860	if (!tls_process_initial_server_flight(s)) {
861	/* SSLfatal() already called */
862	return MSG_PROCESS_ERROR;
863	}
864	}
865	}
866
867	return MSG_PROCESS_FINISHED_READING;
868	}
869
870	int tls_construct_change_cipher_spec(SSL s, WPACKET pkt)
871	{
872	if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
873	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
874	SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
875	return 0;
876	}
877
878	return 1;
879	}
880
881	/* Add a certificate to the WPACKET */
882	static int ssl_add_cert_to_wpacket(SSL s, WPACKET pkt, X509 *x, int chain)
883	{
884	int len;
885	unsigned char *outbytes;
886
887	len = i2d_X509(x, NULL);
888	if (len < 0) {
889	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
890	ERR_R_BUF_LIB);
891	return 0;
892	}
893	if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
894	\|\| i2d_X509(x, &outbytes) != len) {
895	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
896	ERR_R_INTERNAL_ERROR);
897	return 0;
898	}
899
900	if (SSL_IS_TLS13(s)
901	&& !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
902	chain)) {
903	/* SSLfatal() already called */
904	return 0;
905	}
906
907	return 1;
908	}
909
910	/* Add certificate chain to provided WPACKET */
911	static int ssl_add_cert_chain(SSL s, WPACKET pkt, CERT_PKEY *cpk)
912	{
913	int i, chain_count;
914	X509 *x;
915	STACK_OF(X509) *extra_certs;
916	STACK_OF(X509) *chain = NULL;
917	X509_STORE *chain_store;
918
919	if (cpk == NULL \|\| cpk->x509 == NULL)
920	return 1;
921
922	x = cpk->x509;
923
924	/*
925	* If we have a certificate specific chain use it, else use parent ctx.
926	*/
927	if (cpk->chain != NULL)
928	extra_certs = cpk->chain;
929	else
930	extra_certs = s->ctx->extra_certs;
931
932	if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) \|\| extra_certs)
933	chain_store = NULL;
934	else if (s->cert->chain_store)
935	chain_store = s->cert->chain_store;
936	else
937	chain_store = s->ctx->cert_store;
938
939	if (chain_store != NULL) {
940	X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();
941
942	if (xs_ctx == NULL) {
943	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
944	ERR_R_MALLOC_FAILURE);
945	return 0;
946	}
947	if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
948	X509_STORE_CTX_free(xs_ctx);
949	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
950	ERR_R_X509_LIB);
951	return 0;
952	}
953	/*
954	* It is valid for the chain not to be complete (because normally we
955	* don't include the root cert in the chain). Therefore we deliberately
956	* ignore the error return from this call. We're not actually verifying
957	* the cert - we're just building as much of the chain as we can
958	*/
959	(void)X509_verify_cert(xs_ctx);
960	/* Don't leave errors in the queue */
961	ERR_clear_error();
962	chain = X509_STORE_CTX_get0_chain(xs_ctx);
963	i = ssl_security_cert_chain(s, chain, NULL, 0);
964	if (i != 1) {
965	#if 0
966	/* Dummy error calls so mkerr generates them */
967	SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
968	SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
969	SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
970	#endif
971	X509_STORE_CTX_free(xs_ctx);
972	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
973	return 0;
974	}
975	chain_count = sk_X509_num(chain);
976	for (i = 0; i < chain_count; i++) {
977	x = sk_X509_value(chain, i);
978
979	if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
980	/* SSLfatal() already called */
981	X509_STORE_CTX_free(xs_ctx);
982	return 0;
983	}
984	}
985	X509_STORE_CTX_free(xs_ctx);
986	} else {
987	i = ssl_security_cert_chain(s, extra_certs, x, 0);
988	if (i != 1) {
989	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
990	return 0;
991	}
992	if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
993	/* SSLfatal() already called */
994	return 0;
995	}
996	for (i = 0; i < sk_X509_num(extra_certs); i++) {
997	x = sk_X509_value(extra_certs, i);
998	if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
999	/* SSLfatal() already called */
1000	return 0;
1001	}
1002	}
1003	}
1004	return 1;
1005	}
1006
1007	unsigned long ssl3_output_cert_chain(SSL s, WPACKET pkt, CERT_PKEY *cpk)
1008	{
1009	if (!WPACKET_start_sub_packet_u24(pkt)) {
1010	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1011	ERR_R_INTERNAL_ERROR);
1012	return 0;
1013	}
1014
1015	if (!ssl_add_cert_chain(s, pkt, cpk))
1016	return 0;
1017
1018	if (!WPACKET_close(pkt)) {
1019	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1020	ERR_R_INTERNAL_ERROR);
1021	return 0;
1022	}
1023
1024	return 1;
1025	}
1026
1027	/*
1028	* Tidy up after the end of a handshake. In the case of SCTP this may result
1029	* in NBIO events. If \|clearbufs\| is set then init_buf and the wbio buffer is
1030	* freed up as well.
1031	*/
1032	WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
1033	{
1034	void (cb) (const SSL ssl, int type, int val) = NULL;
1035	int cleanuphand = s->statem.cleanuphand;
1036
1037	if (clearbufs) {
1038	if (!SSL_IS_DTLS(s)
1039	#ifndef OPENSSL_NO_SCTP
1040	/*
1041	* RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1042	* messages that require it. Therefore, DTLS procedures for retransmissions
1043	* MUST NOT be used.
1044	* Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1045	*/
1046	\|\| BIO_dgram_is_sctp(SSL_get_wbio(s))
1047	#endif
1048	) {
1049	/*
1050	* We don't do this in DTLS over UDP because we may still need the init_buf
1051	* in case there are any unexpected retransmits
1052	*/
1053	BUF_MEM_free(s->init_buf);
1054	s->init_buf = NULL;
1055	}
1056
1057	if (!ssl_free_wbio_buffer(s)) {
1058	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
1059	ERR_R_INTERNAL_ERROR);
1060	return WORK_ERROR;
1061	}
1062	s->init_num = 0;
1063	}
1064
1065	if (SSL_IS_TLS13(s) && !s->server
1066	&& s->post_handshake_auth == SSL_PHA_REQUESTED)
1067	s->post_handshake_auth = SSL_PHA_EXT_SENT;
1068
1069	/*
1070	* Only set if there was a Finished message and this isn't after a TLSv1.3
1071	* post handshake exchange
1072	*/
1073	if (cleanuphand) {
1074	/* skipped if we just sent a HelloRequest */
1075	s->renegotiate = 0;
1076	s->new_session = 0;
1077	s->statem.cleanuphand = 0;
1078	s->ext.ticket_expected = 0;
1079
1080	ssl3_cleanup_key_block(s);
1081
1082	if (s->server) {
1083	/*
1084	* In TLSv1.3 we update the cache as part of constructing the
1085	* NewSessionTicket
1086	*/
1087	if (!SSL_IS_TLS13(s))
1088	ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1089
1090	/* N.B. s->ctx may not equal s->session_ctx */
1091	tsan_counter(&s->ctx->stats.sess_accept_good);
1092	s->handshake_func = ossl_statem_accept;
1093	} else {
1094	if (SSL_IS_TLS13(s)) {
1095	/*
1096	* We encourage applications to only use TLSv1.3 tickets once,
1097	* so we remove this one from the cache.
1098	*/
1099	if ((s->session_ctx->session_cache_mode
1100	& SSL_SESS_CACHE_CLIENT) != 0)
1101	SSL_CTX_remove_session(s->session_ctx, s->session);
1102	} else {
1103	/*
1104	* In TLSv1.3 we update the cache as part of processing the
1105	* NewSessionTicket
1106	*/
1107	ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1108	}
1109	if (s->hit)
1110	tsan_counter(&s->session_ctx->stats.sess_hit);
1111
1112	s->handshake_func = ossl_statem_connect;
1113	tsan_counter(&s->session_ctx->stats.sess_connect_good);
1114	}
1115
1116	if (SSL_IS_DTLS(s)) {
1117	/* done with handshaking */
1118	s->d1->handshake_read_seq = 0;
1119	s->d1->handshake_write_seq = 0;
1120	s->d1->next_handshake_write_seq = 0;
1121	dtls1_clear_received_buffer(s);
1122	}
1123	}
1124
1125	if (s->info_callback != NULL)
1126	cb = s->info_callback;
1127	else if (s->ctx->info_callback != NULL)
1128	cb = s->ctx->info_callback;
1129
1130	/* The callback may expect us to not be in init at handshake done */
1131	ossl_statem_set_in_init(s, 0);
1132
1133	if (cb != NULL) {
1134	if (cleanuphand
1135	\|\| !SSL_IS_TLS13(s)
1136	\|\| SSL_IS_FIRST_HANDSHAKE(s))
1137	cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1138	}
1139
1140	if (!stop) {
1141	/* If we've got more work to do we go back into init */
1142	ossl_statem_set_in_init(s, 1);
1143	return WORK_FINISHED_CONTINUE;
1144	}
1145
1146	return WORK_FINISHED_STOP;
1147	}
1148
1149	int tls_get_message_header(SSL s, int mt)
1150	{
1151	/* s->init_num < SSL3_HM_HEADER_LENGTH */
1152	int skip_message, i, recvd_type;
1153	unsigned char *p;
1154	size_t l, readbytes;
1155
1156	p = (unsigned char *)s->init_buf->data;
1157
1158	do {
1159	while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1160	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1161	&p[s->init_num],
1162	SSL3_HM_HEADER_LENGTH - s->init_num,
1163	0, &readbytes);
1164	if (i <= 0) {
1165	s->rwstate = SSL_READING;
1166	return 0;
1167	}
1168	if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1169	/*
1170	* A ChangeCipherSpec must be a single byte and may not occur
1171	* in the middle of a handshake message.
1172	*/
1173	if (s->init_num != 0 \|\| readbytes != 1 \|\| p[0] != SSL3_MT_CCS) {
1174	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1175	SSL_F_TLS_GET_MESSAGE_HEADER,
1176	SSL_R_BAD_CHANGE_CIPHER_SPEC);
1177	return 0;
1178	}
1179	if (s->statem.hand_state == TLS_ST_BEFORE
1180	&& (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) {
1181	/*
1182	* We are stateless and we received a CCS. Probably this is
1183	* from a client between the first and second ClientHellos.
1184	* We should ignore this, but return an error because we do
1185	* not return success until we see the second ClientHello
1186	* with a valid cookie.
1187	*/
1188	return 0;
1189	}
1190	s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1191	s->init_num = readbytes - 1;
1192	s->init_msg = s->init_buf->data;
1193	s->s3->tmp.message_size = readbytes;
1194	return 1;
1195	} else if (recvd_type != SSL3_RT_HANDSHAKE) {
1196	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1197	SSL_F_TLS_GET_MESSAGE_HEADER,
1198	SSL_R_CCS_RECEIVED_EARLY);
1199	return 0;
1200	}
1201	s->init_num += readbytes;
1202	}
1203
1204	skip_message = 0;
1205	if (!s->server)
1206	if (s->statem.hand_state != TLS_ST_OK
1207	&& p[0] == SSL3_MT_HELLO_REQUEST)
1208	/*
1209	* The server may always send 'Hello Request' messages --
1210	* we are doing a handshake anyway now, so ignore them if
1211	* their format is correct. Does not count for 'Finished'
1212	* MAC.
1213	*/
1214	if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1215	s->init_num = 0;
1216	skip_message = 1;
1217
1218	if (s->msg_callback)
1219	s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1220	p, SSL3_HM_HEADER_LENGTH, s,
1221	s->msg_callback_arg);
1222	}
1223	} while (skip_message);
1224	/* s->init_num == SSL3_HM_HEADER_LENGTH */
1225
1226	mt = p;
1227	s->s3->tmp.message_type = *(p++);
1228
1229	if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1230	/*
1231	* Only happens with SSLv3+ in an SSLv2 backward compatible
1232	* ClientHello
1233	*
1234	* Total message size is the remaining record bytes to read
1235	* plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1236	*/
1237	l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1238	+ SSL3_HM_HEADER_LENGTH;
1239	s->s3->tmp.message_size = l;
1240
1241	s->init_msg = s->init_buf->data;
1242	s->init_num = SSL3_HM_HEADER_LENGTH;
1243	} else {
1244	n2l3(p, l);
1245	/* BUF_MEM_grow takes an 'int' parameter */
1246	if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1247	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
1248	SSL_R_EXCESSIVE_MESSAGE_SIZE);
1249	return 0;
1250	}
1251	s->s3->tmp.message_size = l;
1252
1253	s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1254	s->init_num = 0;
1255	}
1256
1257	return 1;
1258	}
1259
1260	int tls_get_message_body(SSL s, size_t len)
1261	{
1262	size_t n, readbytes;
1263	unsigned char *p;
1264	int i;
1265
1266	if (s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1267	/* We've already read everything in */
1268	*len = (unsigned long)s->init_num;
1269	return 1;
1270	}
1271
1272	p = s->init_msg;
1273	n = s->s3->tmp.message_size - s->init_num;
1274	while (n > 0) {
1275	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1276	&p[s->init_num], n, 0, &readbytes);
1277	if (i <= 0) {
1278	s->rwstate = SSL_READING;
1279	*len = 0;
1280	return 0;
1281	}
1282	s->init_num += readbytes;
1283	n -= readbytes;
1284	}
1285
1286	/*
1287	* If receiving Finished, record MAC of prior handshake messages for
1288	* Finished verification.
1289	*/
1290	if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1291	/* SSLfatal() already called */
1292	*len = 0;
1293	return 0;
1294	}
1295
1296	/* Feed this message into MAC computation. */
1297	if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1298	if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1299	s->init_num)) {
1300	/* SSLfatal() already called */
1301	*len = 0;
1302	return 0;
1303	}
1304	if (s->msg_callback)
1305	s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1306	(size_t)s->init_num, s, s->msg_callback_arg);
1307	} else {
1308	/*
1309	* We defer feeding in the HRR until later. We'll do it as part of
1310	* processing the message
1311	* The TLsv1.3 handshake transcript stops at the ClientFinished
1312	* message.
1313	*/
1314	#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1315	/* KeyUpdate and NewSessionTicket do not need to be added */
1316	if (!SSL_IS_TLS13(s) \|\| (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1317	&& s->s3->tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1318	if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO
1319	\|\| s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1320	\|\| memcmp(hrrrandom,
1321	s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1322	SSL3_RANDOM_SIZE) != 0) {
1323	if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1324	s->init_num + SSL3_HM_HEADER_LENGTH)) {
1325	/* SSLfatal() already called */
1326	*len = 0;
1327	return 0;
1328	}
1329	}
1330	}
1331	if (s->msg_callback)
1332	s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1333	(size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1334	s->msg_callback_arg);
1335	}
1336
1337	*len = s->init_num;
1338	return 1;
1339	}
1340
1341	static const X509ERR2ALERT x509table[] = {
1342	{X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1343	{X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1344	{X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
1345	{X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1346	{X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1347	{X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1348	{X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1349	{X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1350	{X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1351	{X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1352	{X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1353	{X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1354	{X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1355	{X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1356	{X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1357	{X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1358	{X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1359	{X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1360	{X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1361	{X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1362	{X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1363	{X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1364	{X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1365	{X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1366	{X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1367	{X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1368	{X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1369	{X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1370	{X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1371	{X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1372	{X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1373	{X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1374	{X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1375	{X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1376	{X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1377	{X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1378	{X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1379	{X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1380	{X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1381	{X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1382
1383	/* Last entry; return this if we don't find the value above. */
1384	{X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1385	};
1386
1387	int ssl_x509err2alert(int x509err)
1388	{
1389	const X509ERR2ALERT *tp;
1390
1391	for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1392	if (tp->x509err == x509err)
1393	break;
1394	return tp->alert;
1395	}
1396
1397	int ssl_allow_compression(SSL *s)
1398	{
1399	if (s->options & SSL_OP_NO_COMPRESSION)
1400	return 0;
1401	return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1402	}
1403
1404	static int version_cmp(const SSL *s, int a, int b)
1405	{
1406	int dtls = SSL_IS_DTLS(s);
1407
1408	if (a == b)
1409	return 0;
1410	if (!dtls)
1411	return a < b ? -1 : 1;
1412	return DTLS_VERSION_LT(a, b) ? -1 : 1;
1413	}
1414
1415	typedef struct {
1416	int version;
1417	const SSL_METHOD (cmeth) (void);
1418	const SSL_METHOD (smeth) (void);
1419	} version_info;
1420
1421	#if TLS_MAX_VERSION != TLS1_3_VERSION
1422	# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1423	#endif
1424
1425	/* Must be in order high to low */
1426	static const version_info tls_version_table[] = {
1427	#ifndef OPENSSL_NO_TLS1_3
1428	{TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1429	#else
1430	{TLS1_3_VERSION, NULL, NULL},
1431	#endif
1432	#ifndef OPENSSL_NO_TLS1_2
1433	{TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1434	#else
1435	{TLS1_2_VERSION, NULL, NULL},
1436	#endif
1437	#ifndef OPENSSL_NO_TLS1_1
1438	{TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1439	#else
1440	{TLS1_1_VERSION, NULL, NULL},
1441	#endif
1442	#ifndef OPENSSL_NO_TLS1
1443	{TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1444	#else
1445	{TLS1_VERSION, NULL, NULL},
1446	#endif
1447	#ifndef OPENSSL_NO_SSL3
1448	{SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1449	#else
1450	{SSL3_VERSION, NULL, NULL},
1451	#endif
1452	{0, NULL, NULL},
1453	};
1454
1455	#if DTLS_MAX_VERSION != DTLS1_2_VERSION
1456	# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1457	#endif
1458
1459	/* Must be in order high to low */
1460	static const version_info dtls_version_table[] = {
1461	#ifndef OPENSSL_NO_DTLS1_2
1462	{DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1463	#else
1464	{DTLS1_2_VERSION, NULL, NULL},
1465	#endif
1466	#ifndef OPENSSL_NO_DTLS1
1467	{DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1468	{DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1469	#else
1470	{DTLS1_VERSION, NULL, NULL},
1471	{DTLS1_BAD_VER, NULL, NULL},
1472	#endif
1473	{0, NULL, NULL},
1474	};
1475
1476	/*
1477	* ssl_method_error - Check whether an SSL_METHOD is enabled.
1478	*
1479	* @s: The SSL handle for the candidate method
1480	* @method: the intended method.
1481	*
1482	* Returns 0 on success, or an SSL error reason on failure.
1483	*/
1484	static int ssl_method_error(const SSL s, const SSL_METHOD method)
1485	{
1486	int version = method->version;
1487
1488	if ((s->min_proto_version != 0 &&
1489	version_cmp(s, version, s->min_proto_version) < 0) \|\|
1490	ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1491	return SSL_R_VERSION_TOO_LOW;
1492
1493	if (s->max_proto_version != 0 &&
1494	version_cmp(s, version, s->max_proto_version) > 0)
1495	return SSL_R_VERSION_TOO_HIGH;
1496
1497	if ((s->options & method->mask) != 0)
1498	return SSL_R_UNSUPPORTED_PROTOCOL;
1499	if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1500	return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1501
1502	return 0;
1503	}
1504
1505	/*
1506	* Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1507	* certificate type, or has PSK or a certificate callback configured, or has
1508	* a servername callback configured. Otherwise returns 0.
1509	*/
1510	static int is_tls13_capable(const SSL *s)
1511	{
1512	int i;
1513	#ifndef OPENSSL_NO_EC
1514	int curve;
1515	EC_KEY *eckey;
1516	#endif
1517
1518	if (!ossl_assert(s->ctx != NULL) \|\| !ossl_assert(s->session_ctx != NULL))
1519	return 0;
1520
1521	/*
1522	* A servername callback can change the available certs, so if a servername
1523	* cb is set then we just assume TLSv1.3 will be ok
1524	*/
1525	if (s->ctx->ext.servername_cb != NULL
1526	\|\| s->session_ctx->ext.servername_cb != NULL)
1527	return 1;
1528
1529	#ifndef OPENSSL_NO_PSK
1530	if (s->psk_server_callback != NULL)
1531	return 1;
1532	#endif
1533
1534	if (s->psk_find_session_cb != NULL \|\| s->cert->cert_cb != NULL)
1535	return 1;
1536
1537	for (i = 0; i < SSL_PKEY_NUM; i++) {
1538	/* Skip over certs disallowed for TLSv1.3 */
1539	switch (i) {
1540	case SSL_PKEY_DSA_SIGN:
1541	case SSL_PKEY_GOST01:
1542	case SSL_PKEY_GOST12_256:
1543	case SSL_PKEY_GOST12_512:
1544	continue;
1545	default:
1546	break;
1547	}
1548	if (!ssl_has_cert(s, i))
1549	continue;
1550	#ifndef OPENSSL_NO_EC
1551	if (i != SSL_PKEY_ECC)
1552	return 1;
1553	/*
1554	* Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1555	* more restrictive so check that our sig algs are consistent with this
1556	* EC cert. See section 4.2.3 of RFC8446.
1557	*/
1558	eckey = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1559	if (eckey == NULL)
1560	continue;
1561	curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
1562	if (tls_check_sigalg_curve(s, curve))
1563	return 1;
1564	#else
1565	return 1;
1566	#endif
1567	}
1568
1569	return 0;
1570	}
1571
1572	/*
1573	* ssl_version_supported - Check that the specified `version` is supported by
1574	* `SSL *` instance
1575	*
1576	* @s: The SSL handle for the candidate method
1577	* @version: Protocol version to test against
1578	*
1579	* Returns 1 when supported, otherwise 0
1580	*/
1581	int ssl_version_supported(const SSL s, int version, const SSL_METHOD *meth)
1582	{
1583	const version_info *vent;
1584	const version_info *table;
1585
1586	switch (s->method->version) {
1587	default:
1588	/* Version should match method version for non-ANY method */
1589	return version_cmp(s, version, s->version) == 0;
1590	case TLS_ANY_VERSION:
1591	table = tls_version_table;
1592	break;
1593	case DTLS_ANY_VERSION:
1594	table = dtls_version_table;
1595	break;
1596	}
1597
1598	for (vent = table;
1599	vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1600	++vent) {
1601	if (vent->cmeth != NULL
1602	&& version_cmp(s, version, vent->version) == 0
1603	&& ssl_method_error(s, vent->cmeth()) == 0
1604	&& (!s->server
1605	\|\| version != TLS1_3_VERSION
1606	\|\| is_tls13_capable(s))) {
1607	if (meth != NULL)
1608	*meth = vent->cmeth();
1609	return 1;
1610	}
1611	}
1612	return 0;
1613	}
1614
1615	/*
1616	* ssl_check_version_downgrade - In response to RFC7507 SCSV version
1617	* fallback indication from a client check whether we're using the highest
1618	* supported protocol version.
1619	*
1620	* @s server SSL handle.
1621	*
1622	* Returns 1 when using the highest enabled version, 0 otherwise.
1623	*/
1624	int ssl_check_version_downgrade(SSL *s)
1625	{
1626	const version_info *vent;
1627	const version_info *table;
1628
1629	/*
1630	* Check that the current protocol is the highest enabled version
1631	* (according to s->ctx->method, as version negotiation may have changed
1632	* s->method).
1633	*/
1634	if (s->version == s->ctx->method->version)
1635	return 1;
1636
1637	/*
1638	* Apparently we're using a version-flexible SSL_METHOD (not at its
1639	* highest protocol version).
1640	*/
1641	if (s->ctx->method->version == TLS_method()->version)
1642	table = tls_version_table;
1643	else if (s->ctx->method->version == DTLS_method()->version)
1644	table = dtls_version_table;
1645	else {
1646	/* Unexpected state; fail closed. */
1647	return 0;
1648	}
1649
1650	for (vent = table; vent->version != 0; ++vent) {
1651	if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1652	return s->version == vent->version;
1653	}
1654	return 0;
1655	}
1656
1657	/*
1658	* ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1659	* protocols, provided the initial (D)TLS method is version-flexible. This
1660	* function sanity-checks the proposed value and makes sure the method is
1661	* version-flexible, then sets the limit if all is well.
1662	*
1663	* @method_version: The version of the current SSL_METHOD.
1664	* @version: the intended limit.
1665	* @bound: pointer to limit to be updated.
1666	*
1667	* Returns 1 on success, 0 on failure.
1668	*/
1669	int ssl_set_version_bound(int method_version, int version, int *bound)
1670	{
1671	int valid_tls;
1672	int valid_dtls;
1673
1674	if (version == 0) {
1675	*bound = version;
1676	return 1;
1677	}
1678
1679	valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION;
1680	valid_dtls =
1681	DTLS_VERSION_LE(version, DTLS_MAX_VERSION) &&
1682	DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1683
1684	if (!valid_tls && !valid_dtls)
1685	return 0;
1686
1687	/*-
1688	* Restrict TLS methods to TLS protocol versions.
1689	* Restrict DTLS methods to DTLS protocol versions.
1690	* Note, DTLS version numbers are decreasing, use comparison macros.
1691	*
1692	* Note that for both lower-bounds we use explicit versions, not
1693	* (D)TLS_MIN_VERSION. This is because we don't want to break user
1694	* configurations. If the MIN (supported) version ever rises, the user's
1695	* "floor" remains valid even if no longer available. We don't expect the
1696	* MAX ceiling to ever get lower, so making that variable makes sense.
1697	*
1698	* We ignore attempts to set bounds on version-inflexible methods,
1699	* returning success.
1700	*/
1701	switch (method_version) {
1702	default:
1703	break;
1704
1705	case TLS_ANY_VERSION:
1706	if (valid_tls)
1707	*bound = version;
1708	break;
1709
1710	case DTLS_ANY_VERSION:
1711	if (valid_dtls)
1712	*bound = version;
1713	break;
1714	}
1715	return 1;
1716	}
1717
1718	static void check_for_downgrade(SSL s, int vers, DOWNGRADE dgrd)
1719	{
1720	if (vers == TLS1_2_VERSION
1721	&& ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1722	*dgrd = DOWNGRADE_TO_1_2;
1723	} else if (!SSL_IS_DTLS(s)
1724	&& vers < TLS1_2_VERSION
1725	/*
1726	* We need to ensure that a server that disables TLSv1.2
1727	* (creating a hole between TLSv1.3 and TLSv1.1) can still
1728	* complete handshakes with clients that support TLSv1.2 and
1729	* below. Therefore we do not enable the sentinel if TLSv1.3 is
1730	* enabled and TLSv1.2 is not.
1731	*/
1732	&& ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1733	*dgrd = DOWNGRADE_TO_1_1;
1734	} else {
1735	*dgrd = DOWNGRADE_NONE;
1736	}
1737	}
1738
1739	/*
1740	* ssl_choose_server_version - Choose server (D)TLS version. Called when the
1741	* client HELLO is received to select the final server protocol version and
1742	* the version specific method.
1743	*
1744	* @s: server SSL handle.
1745	*
1746	* Returns 0 on success or an SSL error reason number on failure.
1747	*/
1748	int ssl_choose_server_version(SSL s, CLIENTHELLO_MSG hello, DOWNGRADE *dgrd)
1749	{
1750	/*-
1751	* With version-flexible methods we have an initial state with:
1752	*
1753	* s->method->version == (D)TLS_ANY_VERSION,
1754	* s->version == (D)TLS_MAX_VERSION.
1755	*
1756	* So we detect version-flexible methods via the method version, not the
1757	* handle version.
1758	*/
1759	int server_version = s->method->version;
1760	int client_version = hello->legacy_version;
1761	const version_info *vent;
1762	const version_info *table;
1763	int disabled = 0;
1764	RAW_EXTENSION *suppversions;
1765
1766	s->client_version = client_version;
1767
1768	switch (server_version) {
1769	default:
1770	if (!SSL_IS_TLS13(s)) {
1771	if (version_cmp(s, client_version, s->version) < 0)
1772	return SSL_R_WRONG_SSL_VERSION;
1773	*dgrd = DOWNGRADE_NONE;
1774	/*
1775	* If this SSL handle is not from a version flexible method we don't
1776	* (and never did) check min/max FIPS or Suite B constraints. Hope
1777	* that's OK. It is up to the caller to not choose fixed protocol
1778	* versions they don't want. If not, then easy to fix, just return
1779	* ssl_method_error(s, s->method)
1780	*/
1781	return 0;
1782	}
1783	/*
1784	* Fall through if we are TLSv1.3 already (this means we must be after
1785	* a HelloRetryRequest
1786	*/
1787	/* fall thru */
1788	case TLS_ANY_VERSION:
1789	table = tls_version_table;
1790	break;
1791	case DTLS_ANY_VERSION:
1792	table = dtls_version_table;
1793	break;
1794	}
1795
1796	suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1797
1798	/* If we did an HRR then supported versions is mandatory */
1799	if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1800	return SSL_R_UNSUPPORTED_PROTOCOL;
1801
1802	if (suppversions->present && !SSL_IS_DTLS(s)) {
1803	unsigned int candidate_vers = 0;
1804	unsigned int best_vers = 0;
1805	const SSL_METHOD *best_method = NULL;
1806	PACKET versionslist;
1807
1808	suppversions->parsed = 1;
1809
1810	if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1811	/* Trailing or invalid data? */
1812	return SSL_R_LENGTH_MISMATCH;
1813	}
1814
1815	/*
1816	* The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1817	* The spec only requires servers to check that it isn't SSLv3:
1818	* "Any endpoint receiving a Hello message with
1819	* ClientHello.legacy_version or ServerHello.legacy_version set to
1820	* 0x0300 MUST abort the handshake with a "protocol_version" alert."
1821	* We are slightly stricter and require that it isn't SSLv3 or lower.
1822	* We tolerate TLSv1 and TLSv1.1.
1823	*/
1824	if (client_version <= SSL3_VERSION)
1825	return SSL_R_BAD_LEGACY_VERSION;
1826
1827	while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1828	if (version_cmp(s, candidate_vers, best_vers) <= 0)
1829	continue;
1830	if (ssl_version_supported(s, candidate_vers, &best_method))
1831	best_vers = candidate_vers;
1832	}
1833	if (PACKET_remaining(&versionslist) != 0) {
1834	/* Trailing data? */
1835	return SSL_R_LENGTH_MISMATCH;
1836	}
1837
1838	if (best_vers > 0) {
1839	if (s->hello_retry_request != SSL_HRR_NONE) {
1840	/*
1841	* This is after a HelloRetryRequest so we better check that we
1842	* negotiated TLSv1.3
1843	*/
1844	if (best_vers != TLS1_3_VERSION)
1845	return SSL_R_UNSUPPORTED_PROTOCOL;
1846	return 0;
1847	}
1848	check_for_downgrade(s, best_vers, dgrd);
1849	s->version = best_vers;
1850	s->method = best_method;
1851	return 0;
1852	}
1853	return SSL_R_UNSUPPORTED_PROTOCOL;
1854	}
1855
1856	/*
1857	* If the supported versions extension isn't present, then the highest
1858	* version we can negotiate is TLSv1.2
1859	*/
1860	if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1861	client_version = TLS1_2_VERSION;
1862
1863	/*
1864	* No supported versions extension, so we just use the version supplied in
1865	* the ClientHello.
1866	*/
1867	for (vent = table; vent->version != 0; ++vent) {
1868	const SSL_METHOD *method;
1869
1870	if (vent->smeth == NULL \|\|
1871	version_cmp(s, client_version, vent->version) < 0)
1872	continue;
1873	method = vent->smeth();
1874	if (ssl_method_error(s, method) == 0) {
1875	check_for_downgrade(s, vent->version, dgrd);
1876	s->version = vent->version;
1877	s->method = method;
1878	return 0;
1879	}
1880	disabled = 1;
1881	}
1882	return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1883	}
1884
1885	/*
1886	* ssl_choose_client_version - Choose client (D)TLS version. Called when the
1887	* server HELLO is received to select the final client protocol version and
1888	* the version specific method.
1889	*
1890	* @s: client SSL handle.
1891	* @version: The proposed version from the server's HELLO.
1892	* @extensions: The extensions received
1893	*
1894	* Returns 1 on success or 0 on error.
1895	*/
1896	int ssl_choose_client_version(SSL s, int version, RAW_EXTENSION extensions)
1897	{
1898	const version_info *vent;
1899	const version_info *table;
1900	int ret, ver_min, ver_max, real_max, origv;
1901
1902	origv = s->version;
1903	s->version = version;
1904
1905	/* This will overwrite s->version if the extension is present */
1906	if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1907	SSL_EXT_TLS1_2_SERVER_HELLO
1908	\| SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1909	NULL, 0)) {
1910	s->version = origv;
1911	return 0;
1912	}
1913
1914	if (s->hello_retry_request != SSL_HRR_NONE
1915	&& s->version != TLS1_3_VERSION) {
1916	s->version = origv;
1917	SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1918	SSL_R_WRONG_SSL_VERSION);
1919	return 0;
1920	}
1921
1922	switch (s->method->version) {
1923	default:
1924	if (s->version != s->method->version) {
1925	s->version = origv;
1926	SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1927	SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1928	SSL_R_WRONG_SSL_VERSION);
1929	return 0;
1930	}
1931	/*
1932	* If this SSL handle is not from a version flexible method we don't
1933	* (and never did) check min/max, FIPS or Suite B constraints. Hope
1934	* that's OK. It is up to the caller to not choose fixed protocol
1935	* versions they don't want. If not, then easy to fix, just return
1936	* ssl_method_error(s, s->method)
1937	*/
1938	return 1;
1939	case TLS_ANY_VERSION:
1940	table = tls_version_table;
1941	break;
1942	case DTLS_ANY_VERSION:
1943	table = dtls_version_table;
1944	break;
1945	}
1946
1947	ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1948	if (ret != 0) {
1949	s->version = origv;
1950	SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1951	SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
1952	return 0;
1953	}
1954	if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1955	: s->version < ver_min) {
1956	s->version = origv;
1957	SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1958	SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1959	return 0;
1960	} else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1961	: s->version > ver_max) {
1962	s->version = origv;
1963	SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1964	SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1965	return 0;
1966	}
1967
1968	if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1969	real_max = ver_max;
1970
1971	/* Check for downgrades */
1972	if (s->version == TLS1_2_VERSION && real_max > s->version) {
1973	if (memcmp(tls12downgrade,
1974	s->s3->server_random + SSL3_RANDOM_SIZE
1975	- sizeof(tls12downgrade),
1976	sizeof(tls12downgrade)) == 0) {
1977	s->version = origv;
1978	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1979	SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1980	SSL_R_INAPPROPRIATE_FALLBACK);
1981	return 0;
1982	}
1983	} else if (!SSL_IS_DTLS(s)
1984	&& s->version < TLS1_2_VERSION
1985	&& real_max > s->version) {
1986	if (memcmp(tls11downgrade,
1987	s->s3->server_random + SSL3_RANDOM_SIZE
1988	- sizeof(tls11downgrade),
1989	sizeof(tls11downgrade)) == 0) {
1990	s->version = origv;
1991	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1992	SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1993	SSL_R_INAPPROPRIATE_FALLBACK);
1994	return 0;
1995	}
1996	}
1997
1998	for (vent = table; vent->version != 0; ++vent) {
1999	if (vent->cmeth == NULL \|\| s->version != vent->version)
2000	continue;
2001
2002	s->method = vent->cmeth();
2003	return 1;
2004	}
2005
2006	s->version = origv;
2007	SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2008	SSL_R_UNSUPPORTED_PROTOCOL);
2009	return 0;
2010	}
2011
2012	/*
2013	* ssl_get_min_max_version - get minimum and maximum protocol version
2014	* @s: The SSL connection
2015	* @min_version: The minimum supported version
2016	* @max_version: The maximum supported version
2017	* @real_max: The highest version below the lowest compile time version hole
2018	* where that hole lies above at least one run-time enabled
2019	* protocol.
2020	*
2021	* Work out what version we should be using for the initial ClientHello if the
2022	* version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2023	* options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2024	* constraints and any floor imposed by the security level here,
2025	* so we don't advertise the wrong protocol version to only reject the outcome later.
2026	*
2027	* Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2028	* TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2029	* only allow TLS 1.2, we want to advertise TLS1.2, not TLS1.
2030	*
2031	* Returns 0 on success or an SSL error reason number on failure. On failure
2032	* min_version and max_version will also be set to 0.
2033	*/
2034	int ssl_get_min_max_version(const SSL s, int min_version, int *max_version,
2035	int *real_max)
2036	{
2037	int version, tmp_real_max;
2038	int hole;
2039	const SSL_METHOD *single = NULL;
2040	const SSL_METHOD *method;
2041	const version_info *table;
2042	const version_info *vent;
2043
2044	switch (s->method->version) {
2045	default:
2046	/*
2047	* If this SSL handle is not from a version flexible method we don't
2048	* (and never did) check min/max FIPS or Suite B constraints. Hope
2049	* that's OK. It is up to the caller to not choose fixed protocol
2050	* versions they don't want. If not, then easy to fix, just return
2051	* ssl_method_error(s, s->method)
2052	*/
2053	min_version = max_version = s->version;
2054	/*
2055	* Providing a real_max only makes sense where we're using a version
2056	* flexible method.
2057	*/
2058	if (!ossl_assert(real_max == NULL))
2059	return ERR_R_INTERNAL_ERROR;
2060	return 0;
2061	case TLS_ANY_VERSION:
2062	table = tls_version_table;
2063	break;
2064	case DTLS_ANY_VERSION:
2065	table = dtls_version_table;
2066	break;
2067	}
2068
2069	/*
2070	* SSL_OP_NO_X disables all protocols above X if there are some protocols
2071	* below X enabled. This is required in order to maintain the "version
2072	* capability" vector contiguous. Any versions with a NULL client method
2073	* (protocol version client is disabled at compile-time) is also a "hole".
2074	*
2075	* Our initial state is hole == 1, version == 0. That is, versions above
2076	* the first version in the method table are disabled (a "hole" above
2077	* the valid protocol entries) and we don't have a selected version yet.
2078	*
2079	* Whenever "hole == 1", and we hit an enabled method, its version becomes
2080	* the selected version, and the method becomes a candidate "single"
2081	* method. We're no longer in a hole, so "hole" becomes 0.
2082	*
2083	* If "hole == 0" and we hit an enabled method, then "single" is cleared,
2084	* as we support a contiguous range of at least two methods. If we hit
2085	* a disabled method, then hole becomes true again, but nothing else
2086	* changes yet, because all the remaining methods may be disabled too.
2087	* If we again hit an enabled method after the new hole, it becomes
2088	* selected, as we start from scratch.
2089	*/
2090	*min_version = version = 0;
2091	hole = 1;
2092	if (real_max != NULL)
2093	*real_max = 0;
2094	tmp_real_max = 0;
2095	for (vent = table; vent->version != 0; ++vent) {
2096	/*
2097	* A table entry with a NULL client method is still a hole in the
2098	* "version capability" vector.
2099	*/
2100	if (vent->cmeth == NULL) {
2101	hole = 1;
2102	tmp_real_max = 0;
2103	continue;
2104	}
2105	method = vent->cmeth();
2106
2107	if (hole == 1 && tmp_real_max == 0)
2108	tmp_real_max = vent->version;
2109
2110	if (ssl_method_error(s, method) != 0) {
2111	hole = 1;
2112	} else if (!hole) {
2113	single = NULL;
2114	*min_version = method->version;
2115	} else {
2116	if (real_max != NULL && tmp_real_max != 0)
2117	*real_max = tmp_real_max;
2118	version = (single = method)->version;
2119	*min_version = version;
2120	hole = 0;
2121	}
2122	}
2123
2124	*max_version = version;
2125
2126	/* Fail if everything is disabled */
2127	if (version == 0)
2128	return SSL_R_NO_PROTOCOLS_AVAILABLE;
2129
2130	return 0;
2131	}
2132
2133	/*
2134	* ssl_set_client_hello_version - Work out what version we should be using for
2135	* the initial ClientHello.legacy_version field.
2136	*
2137	* @s: client SSL handle.
2138	*
2139	* Returns 0 on success or an SSL error reason number on failure.
2140	*/
2141	int ssl_set_client_hello_version(SSL *s)
2142	{
2143	int ver_min, ver_max, ret;
2144
2145	/*
2146	* In a renegotiation we always send the same client_version that we sent
2147	* last time, regardless of which version we eventually negotiated.
2148	*/
2149	if (!SSL_IS_FIRST_HANDSHAKE(s))
2150	return 0;
2151
2152	ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2153
2154	if (ret != 0)
2155	return ret;
2156
2157	s->version = ver_max;
2158
2159	/* TLS1.3 always uses TLS1.2 in the legacy_version field */
2160	if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2161	ver_max = TLS1_2_VERSION;
2162
2163	s->client_version = ver_max;
2164	return 0;
2165	}
2166
2167	/*
2168	* Checks a list of \|groups\| to determine if the \|group_id\| is in it. If it is
2169	* and \|checkallow\| is 1 then additionally check if the group is allowed to be
2170	* used. Returns 1 if the group is in the list (and allowed if \|checkallow\| is
2171	* 1) or 0 otherwise.
2172	*/
2173	#ifndef OPENSSL_NO_EC
2174	int check_in_list(SSL s, uint16_t group_id, const uint16_t groups,
2175	size_t num_groups, int checkallow)
2176	{
2177	size_t i;
2178
2179	if (groups == NULL \|\| num_groups == 0)
2180	return 0;
2181
2182	for (i = 0; i < num_groups; i++) {
2183	uint16_t group = groups[i];
2184
2185	if (group_id == group
2186	&& (!checkallow
2187	\|\| tls_curve_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2188	return 1;
2189	}
2190	}
2191
2192	return 0;
2193	}
2194	#endif
2195
2196	/* Replace ClientHello1 in the transcript hash with a synthetic message */
2197	int create_synthetic_message_hash(SSL s, const unsigned char hashval,
2198	size_t hashlen, const unsigned char *hrr,
2199	size_t hrrlen)
2200	{
2201	unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2202	unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2203
2204	memset(msghdr, 0, sizeof(msghdr));
2205
2206	if (hashval == NULL) {
2207	hashval = hashvaltmp;
2208	hashlen = 0;
2209	/* Get the hash of the initial ClientHello */
2210	if (!ssl3_digest_cached_records(s, 0)
2211	\|\| !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2212	&hashlen)) {
2213	/* SSLfatal() already called */
2214	return 0;
2215	}
2216	}
2217
2218	/* Reinitialise the transcript hash */
2219	if (!ssl3_init_finished_mac(s)) {
2220	/* SSLfatal() already called */
2221	return 0;
2222	}
2223
2224	/* Inject the synthetic message_hash message */
2225	msghdr[0] = SSL3_MT_MESSAGE_HASH;
2226	msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2227	if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2228	\|\| !ssl3_finish_mac(s, hashval, hashlen)) {
2229	/* SSLfatal() already called */
2230	return 0;
2231	}
2232
2233	/*
2234	* Now re-inject the HRR and current message if appropriate (we just deleted
2235	* it when we reinitialised the transcript hash above). Only necessary after
2236	* receiving a ClientHello2 with a cookie.
2237	*/
2238	if (hrr != NULL
2239	&& (!ssl3_finish_mac(s, hrr, hrrlen)
2240	\|\| !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2241	s->s3->tmp.message_size
2242	+ SSL3_HM_HEADER_LENGTH))) {
2243	/* SSLfatal() already called */
2244	return 0;
2245	}
2246
2247	return 1;
2248	}
2249
2250	static int ca_dn_cmp(const X509_NAME const a, const X509_NAME const b)
2251	{
2252	return X509_NAME_cmp(a, b);
2253	}
2254
2255	int parse_ca_names(SSL s, PACKET pkt)
2256	{
2257	STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2258	X509_NAME *xn = NULL;
2259	PACKET cadns;
2260
2261	if (ca_sk == NULL) {
2262	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2263	ERR_R_MALLOC_FAILURE);
2264	goto err;
2265	}
2266	/* get the CA RDNs */
2267	if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2268	SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
2269	SSL_R_LENGTH_MISMATCH);
2270	goto err;
2271	}
2272
2273	while (PACKET_remaining(&cadns)) {
2274	const unsigned char namestart, namebytes;
2275	unsigned int name_len;
2276
2277	if (!PACKET_get_net_2(&cadns, &name_len)
2278	\|\| !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2279	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2280	SSL_R_LENGTH_MISMATCH);
2281	goto err;
2282	}
2283
2284	namestart = namebytes;
2285	if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2286	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2287	ERR_R_ASN1_LIB);
2288	goto err;
2289	}
2290	if (namebytes != (namestart + name_len)) {
2291	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2292	SSL_R_CA_DN_LENGTH_MISMATCH);
2293	goto err;
2294	}
2295
2296	if (!sk_X509_NAME_push(ca_sk, xn)) {
2297	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2298	ERR_R_MALLOC_FAILURE);
2299	goto err;
2300	}
2301	xn = NULL;
2302	}
2303
2304	sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
2305	s->s3->tmp.peer_ca_names = ca_sk;
2306
2307	return 1;
2308
2309	err:
2310	sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2311	X509_NAME_free(xn);
2312	return 0;
2313	}
2314
2315	const STACK_OF(X509_NAME) get_ca_names(SSL s)
2316	{
2317	const STACK_OF(X509_NAME) *ca_sk = NULL;;
2318
2319	if (s->server) {
2320	ca_sk = SSL_get_client_CA_list(s);
2321	if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2322	ca_sk = NULL;
2323	}
2324
2325	if (ca_sk == NULL)
2326	ca_sk = SSL_get0_CA_list(s);
2327
2328	return ca_sk;
2329	}
2330
2331	int construct_ca_names(SSL s, const STACK_OF(X509_NAME) ca_sk, WPACKET *pkt)
2332	{
2333	/* Start sub-packet for client CA list */
2334	if (!WPACKET_start_sub_packet_u16(pkt)) {
2335	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2336	ERR_R_INTERNAL_ERROR);
2337	return 0;
2338	}
2339
2340	if (ca_sk != NULL) {
2341	int i;
2342
2343	for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2344	unsigned char *namebytes;
2345	X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2346	int namelen;
2347
2348	if (name == NULL
2349	\|\| (namelen = i2d_X509_NAME(name, NULL)) < 0
2350	\|\| !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2351	&namebytes)
2352	\|\| i2d_X509_NAME(name, &namebytes) != namelen) {
2353	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2354	ERR_R_INTERNAL_ERROR);
2355	return 0;
2356	}
2357	}
2358	}
2359
2360	if (!WPACKET_close(pkt)) {
2361	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2362	ERR_R_INTERNAL_ERROR);
2363	return 0;
2364	}
2365
2366	return 1;
2367	}
2368
2369	/* Create a buffer containing data to be signed for server key exchange */
2370	size_t construct_key_exchange_tbs(SSL s, unsigned char *ptbs,
2371	const void *param, size_t paramlen)
2372	{
2373	size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2374	unsigned char *tbs = OPENSSL_malloc(tbslen);
2375
2376	if (tbs == NULL) {
2377	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
2378	ERR_R_MALLOC_FAILURE);
2379	return 0;
2380	}
2381	memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE);
2382	memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE);
2383
2384	memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2385
2386	*ptbs = tbs;
2387	return tbslen;
2388	}
2389
2390	/*
2391	* Saves the current handshake digest for Post-Handshake Auth,
2392	* Done after ClientFinished is processed, done exactly once
2393	*/
2394	int tls13_save_handshake_digest_for_pha(SSL *s)
2395	{
2396	if (s->pha_dgst == NULL) {
2397	if (!ssl3_digest_cached_records(s, 1))
2398	/* SSLfatal() already called */
2399	return 0;
2400
2401	s->pha_dgst = EVP_MD_CTX_new();
2402	if (s->pha_dgst == NULL) {
2403	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2404	SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2405	ERR_R_INTERNAL_ERROR);
2406	return 0;
2407	}
2408	if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2409	s->s3->handshake_dgst)) {
2410	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2411	SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2412	ERR_R_INTERNAL_ERROR);
2413	return 0;
2414	}
2415	}
2416	return 1;
2417	}
2418
2419	/*
2420	* Restores the Post-Handshake Auth handshake digest
2421	* Done just before sending/processing the Cert Request
2422	*/
2423	int tls13_restore_handshake_digest_for_pha(SSL *s)
2424	{
2425	if (s->pha_dgst == NULL) {
2426	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2427	SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2428	ERR_R_INTERNAL_ERROR);
2429	return 0;
2430	}
2431	if (!EVP_MD_CTX_copy_ex(s->s3->handshake_dgst,
2432	s->pha_dgst)) {
2433	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2434	SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2435	ERR_R_INTERNAL_ERROR);
2436	return 0;
2437	}
2438	return 1;
2439	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-1.1.1l/ssl/statem/statem_lib.c@ 91772

Download in other formats: