xref: /freebsd/crypto/openssl/ssl/statem/statem_lib.c (revision e71b70530d95c4f34d8bdbd78d1242df1ba4a945)
1*e71b7053SJung-uk Kim /*
2*e71b7053SJung-uk Kim  * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
3*e71b7053SJung-uk Kim  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4*e71b7053SJung-uk Kim  *
5*e71b7053SJung-uk Kim  * Licensed under the OpenSSL license (the "License").  You may not use
6*e71b7053SJung-uk Kim  * this file except in compliance with the License.  You can obtain a copy
7*e71b7053SJung-uk Kim  * in the file LICENSE in the source distribution or at
8*e71b7053SJung-uk Kim  * https://www.openssl.org/source/license.html
9*e71b7053SJung-uk Kim  */
10*e71b7053SJung-uk Kim 
11*e71b7053SJung-uk Kim #include <limits.h>
12*e71b7053SJung-uk Kim #include <string.h>
13*e71b7053SJung-uk Kim #include <stdio.h>
14*e71b7053SJung-uk Kim #include "../ssl_locl.h"
15*e71b7053SJung-uk Kim #include "statem_locl.h"
16*e71b7053SJung-uk Kim #include "internal/cryptlib.h"
17*e71b7053SJung-uk Kim #include <openssl/buffer.h>
18*e71b7053SJung-uk Kim #include <openssl/objects.h>
19*e71b7053SJung-uk Kim #include <openssl/evp.h>
20*e71b7053SJung-uk Kim #include <openssl/x509.h>
21*e71b7053SJung-uk Kim 
22*e71b7053SJung-uk Kim /*
23*e71b7053SJung-uk Kim  * Map error codes to TLS/SSL alart types.
24*e71b7053SJung-uk Kim  */
25*e71b7053SJung-uk Kim typedef struct x509err2alert_st {
26*e71b7053SJung-uk Kim     int x509err;
27*e71b7053SJung-uk Kim     int alert;
28*e71b7053SJung-uk Kim } X509ERR2ALERT;
29*e71b7053SJung-uk Kim 
30*e71b7053SJung-uk Kim /* Fixed value used in the ServerHello random field to identify an HRR */
31*e71b7053SJung-uk Kim const unsigned char hrrrandom[] = {
32*e71b7053SJung-uk Kim     0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
33*e71b7053SJung-uk Kim     0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
34*e71b7053SJung-uk Kim     0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
35*e71b7053SJung-uk Kim };
36*e71b7053SJung-uk Kim 
37*e71b7053SJung-uk Kim /*
38*e71b7053SJung-uk Kim  * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
39*e71b7053SJung-uk Kim  * SSL3_RT_CHANGE_CIPHER_SPEC)
40*e71b7053SJung-uk Kim  */
41*e71b7053SJung-uk Kim int ssl3_do_write(SSL *s, int type)
42*e71b7053SJung-uk Kim {
43*e71b7053SJung-uk Kim     int ret;
44*e71b7053SJung-uk Kim     size_t written = 0;
45*e71b7053SJung-uk Kim 
46*e71b7053SJung-uk Kim     ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
47*e71b7053SJung-uk Kim                            s->init_num, &written);
48*e71b7053SJung-uk Kim     if (ret < 0)
49*e71b7053SJung-uk Kim         return -1;
50*e71b7053SJung-uk Kim     if (type == SSL3_RT_HANDSHAKE)
51*e71b7053SJung-uk Kim         /*
52*e71b7053SJung-uk Kim          * should not be done for 'Hello Request's, but in that case we'll
53*e71b7053SJung-uk Kim          * ignore the result anyway
54*e71b7053SJung-uk Kim          * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
55*e71b7053SJung-uk Kim          */
56*e71b7053SJung-uk Kim         if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
57*e71b7053SJung-uk Kim                                  && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
58*e71b7053SJung-uk Kim                                  && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
59*e71b7053SJung-uk Kim             if (!ssl3_finish_mac(s,
60*e71b7053SJung-uk Kim                                  (unsigned char *)&s->init_buf->data[s->init_off],
61*e71b7053SJung-uk Kim                                  written))
62*e71b7053SJung-uk Kim                 return -1;
63*e71b7053SJung-uk Kim     if (written == s->init_num) {
64*e71b7053SJung-uk Kim         if (s->msg_callback)
65*e71b7053SJung-uk Kim             s->msg_callback(1, s->version, type, s->init_buf->data,
66*e71b7053SJung-uk Kim                             (size_t)(s->init_off + s->init_num), s,
67*e71b7053SJung-uk Kim                             s->msg_callback_arg);
68*e71b7053SJung-uk Kim         return 1;
69*e71b7053SJung-uk Kim     }
70*e71b7053SJung-uk Kim     s->init_off += written;
71*e71b7053SJung-uk Kim     s->init_num -= written;
72*e71b7053SJung-uk Kim     return 0;
73*e71b7053SJung-uk Kim }
74*e71b7053SJung-uk Kim 
75*e71b7053SJung-uk Kim int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
76*e71b7053SJung-uk Kim {
77*e71b7053SJung-uk Kim     size_t msglen;
78*e71b7053SJung-uk Kim 
79*e71b7053SJung-uk Kim     if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
80*e71b7053SJung-uk Kim             || !WPACKET_get_length(pkt, &msglen)
81*e71b7053SJung-uk Kim             || msglen > INT_MAX)
82*e71b7053SJung-uk Kim         return 0;
83*e71b7053SJung-uk Kim     s->init_num = (int)msglen;
84*e71b7053SJung-uk Kim     s->init_off = 0;
85*e71b7053SJung-uk Kim 
86*e71b7053SJung-uk Kim     return 1;
87*e71b7053SJung-uk Kim }
88*e71b7053SJung-uk Kim 
89*e71b7053SJung-uk Kim int tls_setup_handshake(SSL *s)
90*e71b7053SJung-uk Kim {
91*e71b7053SJung-uk Kim     if (!ssl3_init_finished_mac(s)) {
92*e71b7053SJung-uk Kim         /* SSLfatal() already called */
93*e71b7053SJung-uk Kim         return 0;
94*e71b7053SJung-uk Kim     }
95*e71b7053SJung-uk Kim 
96*e71b7053SJung-uk Kim     /* Reset any extension flags */
97*e71b7053SJung-uk Kim     memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
98*e71b7053SJung-uk Kim 
99*e71b7053SJung-uk Kim     if (s->server) {
100*e71b7053SJung-uk Kim         STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
101*e71b7053SJung-uk Kim         int i, ver_min, ver_max, ok = 0;
102*e71b7053SJung-uk Kim 
103*e71b7053SJung-uk Kim         /*
104*e71b7053SJung-uk Kim          * Sanity check that the maximum version we accept has ciphers
105*e71b7053SJung-uk Kim          * enabled. For clients we do this check during construction of the
106*e71b7053SJung-uk Kim          * ClientHello.
107*e71b7053SJung-uk Kim          */
108*e71b7053SJung-uk Kim         if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
109*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
110*e71b7053SJung-uk Kim                      ERR_R_INTERNAL_ERROR);
111*e71b7053SJung-uk Kim             return 0;
112*e71b7053SJung-uk Kim         }
113*e71b7053SJung-uk Kim         for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
114*e71b7053SJung-uk Kim             const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
115*e71b7053SJung-uk Kim 
116*e71b7053SJung-uk Kim             if (SSL_IS_DTLS(s)) {
117*e71b7053SJung-uk Kim                 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
118*e71b7053SJung-uk Kim                         DTLS_VERSION_LE(ver_max, c->max_dtls))
119*e71b7053SJung-uk Kim                     ok = 1;
120*e71b7053SJung-uk Kim             } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
121*e71b7053SJung-uk Kim                 ok = 1;
122*e71b7053SJung-uk Kim             }
123*e71b7053SJung-uk Kim             if (ok)
124*e71b7053SJung-uk Kim                 break;
125*e71b7053SJung-uk Kim         }
126*e71b7053SJung-uk Kim         if (!ok) {
127*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
128*e71b7053SJung-uk Kim                      SSL_R_NO_CIPHERS_AVAILABLE);
129*e71b7053SJung-uk Kim             ERR_add_error_data(1, "No ciphers enabled for max supported "
130*e71b7053SJung-uk Kim                                   "SSL/TLS version");
131*e71b7053SJung-uk Kim             return 0;
132*e71b7053SJung-uk Kim         }
133*e71b7053SJung-uk Kim         if (SSL_IS_FIRST_HANDSHAKE(s)) {
134*e71b7053SJung-uk Kim             /* N.B. s->session_ctx == s->ctx here */
135*e71b7053SJung-uk Kim             tsan_counter(&s->session_ctx->stats.sess_accept);
136*e71b7053SJung-uk Kim         } else {
137*e71b7053SJung-uk Kim             /* N.B. s->ctx may not equal s->session_ctx */
138*e71b7053SJung-uk Kim             tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
139*e71b7053SJung-uk Kim 
140*e71b7053SJung-uk Kim             s->s3->tmp.cert_request = 0;
141*e71b7053SJung-uk Kim         }
142*e71b7053SJung-uk Kim     } else {
143*e71b7053SJung-uk Kim         if (SSL_IS_FIRST_HANDSHAKE(s))
144*e71b7053SJung-uk Kim             tsan_counter(&s->session_ctx->stats.sess_connect);
145*e71b7053SJung-uk Kim         else
146*e71b7053SJung-uk Kim             tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
147*e71b7053SJung-uk Kim 
148*e71b7053SJung-uk Kim         /* mark client_random uninitialized */
149*e71b7053SJung-uk Kim         memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
150*e71b7053SJung-uk Kim         s->hit = 0;
151*e71b7053SJung-uk Kim 
152*e71b7053SJung-uk Kim         s->s3->tmp.cert_req = 0;
153*e71b7053SJung-uk Kim 
154*e71b7053SJung-uk Kim         if (SSL_IS_DTLS(s))
155*e71b7053SJung-uk Kim             s->statem.use_timer = 1;
156*e71b7053SJung-uk Kim     }
157*e71b7053SJung-uk Kim 
158*e71b7053SJung-uk Kim     return 1;
159*e71b7053SJung-uk Kim }
160*e71b7053SJung-uk Kim 
161*e71b7053SJung-uk Kim /*
162*e71b7053SJung-uk Kim  * Size of the to-be-signed TLS13 data, without the hash size itself:
163*e71b7053SJung-uk Kim  * 64 bytes of value 32, 33 context bytes, 1 byte separator
164*e71b7053SJung-uk Kim  */
165*e71b7053SJung-uk Kim #define TLS13_TBS_START_SIZE            64
166*e71b7053SJung-uk Kim #define TLS13_TBS_PREAMBLE_SIZE         (TLS13_TBS_START_SIZE + 33 + 1)
167*e71b7053SJung-uk Kim 
168*e71b7053SJung-uk Kim static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
169*e71b7053SJung-uk Kim                                     void **hdata, size_t *hdatalen)
170*e71b7053SJung-uk Kim {
171*e71b7053SJung-uk Kim     static const char *servercontext = "TLS 1.3, server CertificateVerify";
172*e71b7053SJung-uk Kim     static const char *clientcontext = "TLS 1.3, client CertificateVerify";
173*e71b7053SJung-uk Kim 
174*e71b7053SJung-uk Kim     if (SSL_IS_TLS13(s)) {
175*e71b7053SJung-uk Kim         size_t hashlen;
176*e71b7053SJung-uk Kim 
177*e71b7053SJung-uk Kim         /* Set the first 64 bytes of to-be-signed data to octet 32 */
178*e71b7053SJung-uk Kim         memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
179*e71b7053SJung-uk Kim         /* This copies the 33 bytes of context plus the 0 separator byte */
180*e71b7053SJung-uk Kim         if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
181*e71b7053SJung-uk Kim                  || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
182*e71b7053SJung-uk Kim             strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
183*e71b7053SJung-uk Kim         else
184*e71b7053SJung-uk Kim             strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
185*e71b7053SJung-uk Kim 
186*e71b7053SJung-uk Kim         /*
187*e71b7053SJung-uk Kim          * If we're currently reading then we need to use the saved handshake
188*e71b7053SJung-uk Kim          * hash value. We can't use the current handshake hash state because
189*e71b7053SJung-uk Kim          * that includes the CertVerify itself.
190*e71b7053SJung-uk Kim          */
191*e71b7053SJung-uk Kim         if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
192*e71b7053SJung-uk Kim                 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
193*e71b7053SJung-uk Kim             memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
194*e71b7053SJung-uk Kim                    s->cert_verify_hash_len);
195*e71b7053SJung-uk Kim             hashlen = s->cert_verify_hash_len;
196*e71b7053SJung-uk Kim         } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
197*e71b7053SJung-uk Kim                                        EVP_MAX_MD_SIZE, &hashlen)) {
198*e71b7053SJung-uk Kim             /* SSLfatal() already called */
199*e71b7053SJung-uk Kim             return 0;
200*e71b7053SJung-uk Kim         }
201*e71b7053SJung-uk Kim 
202*e71b7053SJung-uk Kim         *hdata = tls13tbs;
203*e71b7053SJung-uk Kim         *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
204*e71b7053SJung-uk Kim     } else {
205*e71b7053SJung-uk Kim         size_t retlen;
206*e71b7053SJung-uk Kim 
207*e71b7053SJung-uk Kim         retlen = BIO_get_mem_data(s->s3->handshake_buffer, hdata);
208*e71b7053SJung-uk Kim         if (retlen <= 0) {
209*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
210*e71b7053SJung-uk Kim                      ERR_R_INTERNAL_ERROR);
211*e71b7053SJung-uk Kim             return 0;
212*e71b7053SJung-uk Kim         }
213*e71b7053SJung-uk Kim         *hdatalen = retlen;
214*e71b7053SJung-uk Kim     }
215*e71b7053SJung-uk Kim 
216*e71b7053SJung-uk Kim     return 1;
217*e71b7053SJung-uk Kim }
218*e71b7053SJung-uk Kim 
219*e71b7053SJung-uk Kim int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
220*e71b7053SJung-uk Kim {
221*e71b7053SJung-uk Kim     EVP_PKEY *pkey = NULL;
222*e71b7053SJung-uk Kim     const EVP_MD *md = NULL;
223*e71b7053SJung-uk Kim     EVP_MD_CTX *mctx = NULL;
224*e71b7053SJung-uk Kim     EVP_PKEY_CTX *pctx = NULL;
225*e71b7053SJung-uk Kim     size_t hdatalen = 0, siglen = 0;
226*e71b7053SJung-uk Kim     void *hdata;
227*e71b7053SJung-uk Kim     unsigned char *sig = NULL;
228*e71b7053SJung-uk Kim     unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
229*e71b7053SJung-uk Kim     const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
230*e71b7053SJung-uk Kim 
231*e71b7053SJung-uk Kim     if (lu == NULL || s->s3->tmp.cert == NULL) {
232*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
233*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
234*e71b7053SJung-uk Kim         goto err;
235*e71b7053SJung-uk Kim     }
236*e71b7053SJung-uk Kim     pkey = s->s3->tmp.cert->privatekey;
237*e71b7053SJung-uk Kim 
238*e71b7053SJung-uk Kim     if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
239*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
240*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
241*e71b7053SJung-uk Kim         goto err;
242*e71b7053SJung-uk Kim     }
243*e71b7053SJung-uk Kim 
244*e71b7053SJung-uk Kim     mctx = EVP_MD_CTX_new();
245*e71b7053SJung-uk Kim     if (mctx == NULL) {
246*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
247*e71b7053SJung-uk Kim                  ERR_R_MALLOC_FAILURE);
248*e71b7053SJung-uk Kim         goto err;
249*e71b7053SJung-uk Kim     }
250*e71b7053SJung-uk Kim 
251*e71b7053SJung-uk Kim     /* Get the data to be signed */
252*e71b7053SJung-uk Kim     if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
253*e71b7053SJung-uk Kim         /* SSLfatal() already called */
254*e71b7053SJung-uk Kim         goto err;
255*e71b7053SJung-uk Kim     }
256*e71b7053SJung-uk Kim 
257*e71b7053SJung-uk Kim     if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
258*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
259*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
260*e71b7053SJung-uk Kim         goto err;
261*e71b7053SJung-uk Kim     }
262*e71b7053SJung-uk Kim     siglen = EVP_PKEY_size(pkey);
263*e71b7053SJung-uk Kim     sig = OPENSSL_malloc(siglen);
264*e71b7053SJung-uk Kim     if (sig == NULL) {
265*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
266*e71b7053SJung-uk Kim                  ERR_R_MALLOC_FAILURE);
267*e71b7053SJung-uk Kim         goto err;
268*e71b7053SJung-uk Kim     }
269*e71b7053SJung-uk Kim 
270*e71b7053SJung-uk Kim     if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) {
271*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
272*e71b7053SJung-uk Kim                  ERR_R_EVP_LIB);
273*e71b7053SJung-uk Kim         goto err;
274*e71b7053SJung-uk Kim     }
275*e71b7053SJung-uk Kim 
276*e71b7053SJung-uk Kim     if (lu->sig == EVP_PKEY_RSA_PSS) {
277*e71b7053SJung-uk Kim         if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
278*e71b7053SJung-uk Kim             || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
279*e71b7053SJung-uk Kim                                                 RSA_PSS_SALTLEN_DIGEST) <= 0) {
280*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
281*e71b7053SJung-uk Kim                      ERR_R_EVP_LIB);
282*e71b7053SJung-uk Kim             goto err;
283*e71b7053SJung-uk Kim         }
284*e71b7053SJung-uk Kim     }
285*e71b7053SJung-uk Kim     if (s->version == SSL3_VERSION) {
286*e71b7053SJung-uk Kim         if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
287*e71b7053SJung-uk Kim             || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
288*e71b7053SJung-uk Kim                                 (int)s->session->master_key_length,
289*e71b7053SJung-uk Kim                                 s->session->master_key)
290*e71b7053SJung-uk Kim             || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
291*e71b7053SJung-uk Kim 
292*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
293*e71b7053SJung-uk Kim                      ERR_R_EVP_LIB);
294*e71b7053SJung-uk Kim             goto err;
295*e71b7053SJung-uk Kim         }
296*e71b7053SJung-uk Kim     } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
297*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
298*e71b7053SJung-uk Kim                  ERR_R_EVP_LIB);
299*e71b7053SJung-uk Kim         goto err;
300*e71b7053SJung-uk Kim     }
301*e71b7053SJung-uk Kim 
302*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST
303*e71b7053SJung-uk Kim     {
304*e71b7053SJung-uk Kim         int pktype = lu->sig;
305*e71b7053SJung-uk Kim 
306*e71b7053SJung-uk Kim         if (pktype == NID_id_GostR3410_2001
307*e71b7053SJung-uk Kim             || pktype == NID_id_GostR3410_2012_256
308*e71b7053SJung-uk Kim             || pktype == NID_id_GostR3410_2012_512)
309*e71b7053SJung-uk Kim             BUF_reverse(sig, NULL, siglen);
310*e71b7053SJung-uk Kim     }
311*e71b7053SJung-uk Kim #endif
312*e71b7053SJung-uk Kim 
313*e71b7053SJung-uk Kim     if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
314*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
315*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
316*e71b7053SJung-uk Kim         goto err;
317*e71b7053SJung-uk Kim     }
318*e71b7053SJung-uk Kim 
319*e71b7053SJung-uk Kim     /* Digest cached records and discard handshake buffer */
320*e71b7053SJung-uk Kim     if (!ssl3_digest_cached_records(s, 0)) {
321*e71b7053SJung-uk Kim         /* SSLfatal() already called */
322*e71b7053SJung-uk Kim         goto err;
323*e71b7053SJung-uk Kim     }
324*e71b7053SJung-uk Kim 
325*e71b7053SJung-uk Kim     OPENSSL_free(sig);
326*e71b7053SJung-uk Kim     EVP_MD_CTX_free(mctx);
327*e71b7053SJung-uk Kim     return 1;
328*e71b7053SJung-uk Kim  err:
329*e71b7053SJung-uk Kim     OPENSSL_free(sig);
330*e71b7053SJung-uk Kim     EVP_MD_CTX_free(mctx);
331*e71b7053SJung-uk Kim     return 0;
332*e71b7053SJung-uk Kim }
333*e71b7053SJung-uk Kim 
334*e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
335*e71b7053SJung-uk Kim {
336*e71b7053SJung-uk Kim     EVP_PKEY *pkey = NULL;
337*e71b7053SJung-uk Kim     const unsigned char *data;
338*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST
339*e71b7053SJung-uk Kim     unsigned char *gost_data = NULL;
340*e71b7053SJung-uk Kim #endif
341*e71b7053SJung-uk Kim     MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
342*e71b7053SJung-uk Kim     int j;
343*e71b7053SJung-uk Kim     unsigned int len;
344*e71b7053SJung-uk Kim     X509 *peer;
345*e71b7053SJung-uk Kim     const EVP_MD *md = NULL;
346*e71b7053SJung-uk Kim     size_t hdatalen = 0;
347*e71b7053SJung-uk Kim     void *hdata;
348*e71b7053SJung-uk Kim     unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
349*e71b7053SJung-uk Kim     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
350*e71b7053SJung-uk Kim     EVP_PKEY_CTX *pctx = NULL;
351*e71b7053SJung-uk Kim 
352*e71b7053SJung-uk Kim     if (mctx == NULL) {
353*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
354*e71b7053SJung-uk Kim                  ERR_R_MALLOC_FAILURE);
355*e71b7053SJung-uk Kim         goto err;
356*e71b7053SJung-uk Kim     }
357*e71b7053SJung-uk Kim 
358*e71b7053SJung-uk Kim     peer = s->session->peer;
359*e71b7053SJung-uk Kim     pkey = X509_get0_pubkey(peer);
360*e71b7053SJung-uk Kim     if (pkey == NULL) {
361*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
362*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
363*e71b7053SJung-uk Kim         goto err;
364*e71b7053SJung-uk Kim     }
365*e71b7053SJung-uk Kim 
366*e71b7053SJung-uk Kim     if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
367*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
368*e71b7053SJung-uk Kim                  SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
369*e71b7053SJung-uk Kim         goto err;
370*e71b7053SJung-uk Kim     }
371*e71b7053SJung-uk Kim 
372*e71b7053SJung-uk Kim     if (SSL_USE_SIGALGS(s)) {
373*e71b7053SJung-uk Kim         unsigned int sigalg;
374*e71b7053SJung-uk Kim 
375*e71b7053SJung-uk Kim         if (!PACKET_get_net_2(pkt, &sigalg)) {
376*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
377*e71b7053SJung-uk Kim                      SSL_R_BAD_PACKET);
378*e71b7053SJung-uk Kim             goto err;
379*e71b7053SJung-uk Kim         }
380*e71b7053SJung-uk Kim         if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
381*e71b7053SJung-uk Kim             /* SSLfatal() already called */
382*e71b7053SJung-uk Kim             goto err;
383*e71b7053SJung-uk Kim         }
384*e71b7053SJung-uk Kim     } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
385*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
386*e71b7053SJung-uk Kim                      ERR_R_INTERNAL_ERROR);
387*e71b7053SJung-uk Kim             goto err;
388*e71b7053SJung-uk Kim     }
389*e71b7053SJung-uk Kim 
390*e71b7053SJung-uk Kim     if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) {
391*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
392*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
393*e71b7053SJung-uk Kim         goto err;
394*e71b7053SJung-uk Kim     }
395*e71b7053SJung-uk Kim 
396*e71b7053SJung-uk Kim #ifdef SSL_DEBUG
397*e71b7053SJung-uk Kim     if (SSL_USE_SIGALGS(s))
398*e71b7053SJung-uk Kim         fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
399*e71b7053SJung-uk Kim #endif
400*e71b7053SJung-uk Kim 
401*e71b7053SJung-uk Kim     /* Check for broken implementations of GOST ciphersuites */
402*e71b7053SJung-uk Kim     /*
403*e71b7053SJung-uk Kim      * If key is GOST and len is exactly 64 or 128, it is signature without
404*e71b7053SJung-uk Kim      * length field (CryptoPro implementations at least till TLS 1.2)
405*e71b7053SJung-uk Kim      */
406*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST
407*e71b7053SJung-uk Kim     if (!SSL_USE_SIGALGS(s)
408*e71b7053SJung-uk Kim         && ((PACKET_remaining(pkt) == 64
409*e71b7053SJung-uk Kim              && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
410*e71b7053SJung-uk Kim                  || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
411*e71b7053SJung-uk Kim             || (PACKET_remaining(pkt) == 128
412*e71b7053SJung-uk Kim                 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
413*e71b7053SJung-uk Kim         len = PACKET_remaining(pkt);
414*e71b7053SJung-uk Kim     } else
415*e71b7053SJung-uk Kim #endif
416*e71b7053SJung-uk Kim     if (!PACKET_get_net_2(pkt, &len)) {
417*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
418*e71b7053SJung-uk Kim                  SSL_R_LENGTH_MISMATCH);
419*e71b7053SJung-uk Kim         goto err;
420*e71b7053SJung-uk Kim     }
421*e71b7053SJung-uk Kim 
422*e71b7053SJung-uk Kim     j = EVP_PKEY_size(pkey);
423*e71b7053SJung-uk Kim     if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
424*e71b7053SJung-uk Kim         || (PACKET_remaining(pkt) == 0)) {
425*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
426*e71b7053SJung-uk Kim                  SSL_R_WRONG_SIGNATURE_SIZE);
427*e71b7053SJung-uk Kim         goto err;
428*e71b7053SJung-uk Kim     }
429*e71b7053SJung-uk Kim     if (!PACKET_get_bytes(pkt, &data, len)) {
430*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
431*e71b7053SJung-uk Kim                  SSL_R_LENGTH_MISMATCH);
432*e71b7053SJung-uk Kim         goto err;
433*e71b7053SJung-uk Kim     }
434*e71b7053SJung-uk Kim 
435*e71b7053SJung-uk Kim     if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
436*e71b7053SJung-uk Kim         /* SSLfatal() already called */
437*e71b7053SJung-uk Kim         goto err;
438*e71b7053SJung-uk Kim     }
439*e71b7053SJung-uk Kim 
440*e71b7053SJung-uk Kim #ifdef SSL_DEBUG
441*e71b7053SJung-uk Kim     fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
442*e71b7053SJung-uk Kim #endif
443*e71b7053SJung-uk Kim     if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
444*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
445*e71b7053SJung-uk Kim                  ERR_R_EVP_LIB);
446*e71b7053SJung-uk Kim         goto err;
447*e71b7053SJung-uk Kim     }
448*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST
449*e71b7053SJung-uk Kim     {
450*e71b7053SJung-uk Kim         int pktype = EVP_PKEY_id(pkey);
451*e71b7053SJung-uk Kim         if (pktype == NID_id_GostR3410_2001
452*e71b7053SJung-uk Kim             || pktype == NID_id_GostR3410_2012_256
453*e71b7053SJung-uk Kim             || pktype == NID_id_GostR3410_2012_512) {
454*e71b7053SJung-uk Kim             if ((gost_data = OPENSSL_malloc(len)) == NULL) {
455*e71b7053SJung-uk Kim                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
456*e71b7053SJung-uk Kim                          SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
457*e71b7053SJung-uk Kim                 goto err;
458*e71b7053SJung-uk Kim             }
459*e71b7053SJung-uk Kim             BUF_reverse(gost_data, data, len);
460*e71b7053SJung-uk Kim             data = gost_data;
461*e71b7053SJung-uk Kim         }
462*e71b7053SJung-uk Kim     }
463*e71b7053SJung-uk Kim #endif
464*e71b7053SJung-uk Kim 
465*e71b7053SJung-uk Kim     if (SSL_USE_PSS(s)) {
466*e71b7053SJung-uk Kim         if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
467*e71b7053SJung-uk Kim             || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
468*e71b7053SJung-uk Kim                                                 RSA_PSS_SALTLEN_DIGEST) <= 0) {
469*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
470*e71b7053SJung-uk Kim                      ERR_R_EVP_LIB);
471*e71b7053SJung-uk Kim             goto err;
472*e71b7053SJung-uk Kim         }
473*e71b7053SJung-uk Kim     }
474*e71b7053SJung-uk Kim     if (s->version == SSL3_VERSION) {
475*e71b7053SJung-uk Kim         if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
476*e71b7053SJung-uk Kim                 || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
477*e71b7053SJung-uk Kim                                     (int)s->session->master_key_length,
478*e71b7053SJung-uk Kim                                     s->session->master_key)) {
479*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
480*e71b7053SJung-uk Kim                      ERR_R_EVP_LIB);
481*e71b7053SJung-uk Kim             goto err;
482*e71b7053SJung-uk Kim         }
483*e71b7053SJung-uk Kim         if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
484*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
485*e71b7053SJung-uk Kim                      SSL_R_BAD_SIGNATURE);
486*e71b7053SJung-uk Kim             goto err;
487*e71b7053SJung-uk Kim         }
488*e71b7053SJung-uk Kim     } else {
489*e71b7053SJung-uk Kim         j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
490*e71b7053SJung-uk Kim         if (j <= 0) {
491*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
492*e71b7053SJung-uk Kim                      SSL_R_BAD_SIGNATURE);
493*e71b7053SJung-uk Kim             goto err;
494*e71b7053SJung-uk Kim         }
495*e71b7053SJung-uk Kim     }
496*e71b7053SJung-uk Kim 
497*e71b7053SJung-uk Kim     ret = MSG_PROCESS_CONTINUE_READING;
498*e71b7053SJung-uk Kim  err:
499*e71b7053SJung-uk Kim     BIO_free(s->s3->handshake_buffer);
500*e71b7053SJung-uk Kim     s->s3->handshake_buffer = NULL;
501*e71b7053SJung-uk Kim     EVP_MD_CTX_free(mctx);
502*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_GOST
503*e71b7053SJung-uk Kim     OPENSSL_free(gost_data);
504*e71b7053SJung-uk Kim #endif
505*e71b7053SJung-uk Kim     return ret;
506*e71b7053SJung-uk Kim }
507*e71b7053SJung-uk Kim 
508*e71b7053SJung-uk Kim int tls_construct_finished(SSL *s, WPACKET *pkt)
509*e71b7053SJung-uk Kim {
510*e71b7053SJung-uk Kim     size_t finish_md_len;
511*e71b7053SJung-uk Kim     const char *sender;
512*e71b7053SJung-uk Kim     size_t slen;
513*e71b7053SJung-uk Kim 
514*e71b7053SJung-uk Kim     /* This is a real handshake so make sure we clean it up at the end */
515*e71b7053SJung-uk Kim     if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
516*e71b7053SJung-uk Kim         s->statem.cleanuphand = 1;
517*e71b7053SJung-uk Kim 
518*e71b7053SJung-uk Kim     /*
519*e71b7053SJung-uk Kim      * We only change the keys if we didn't already do this when we sent the
520*e71b7053SJung-uk Kim      * client certificate
521*e71b7053SJung-uk Kim      */
522*e71b7053SJung-uk Kim     if (SSL_IS_TLS13(s)
523*e71b7053SJung-uk Kim             && !s->server
524*e71b7053SJung-uk Kim             && s->s3->tmp.cert_req == 0
525*e71b7053SJung-uk Kim             && (!s->method->ssl3_enc->change_cipher_state(s,
526*e71b7053SJung-uk Kim                     SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
527*e71b7053SJung-uk Kim         /* SSLfatal() already called */
528*e71b7053SJung-uk Kim         return 0;
529*e71b7053SJung-uk Kim     }
530*e71b7053SJung-uk Kim 
531*e71b7053SJung-uk Kim     if (s->server) {
532*e71b7053SJung-uk Kim         sender = s->method->ssl3_enc->server_finished_label;
533*e71b7053SJung-uk Kim         slen = s->method->ssl3_enc->server_finished_label_len;
534*e71b7053SJung-uk Kim     } else {
535*e71b7053SJung-uk Kim         sender = s->method->ssl3_enc->client_finished_label;
536*e71b7053SJung-uk Kim         slen = s->method->ssl3_enc->client_finished_label_len;
537*e71b7053SJung-uk Kim     }
538*e71b7053SJung-uk Kim 
539*e71b7053SJung-uk Kim     finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
540*e71b7053SJung-uk Kim                                                           sender, slen,
541*e71b7053SJung-uk Kim                                                           s->s3->tmp.finish_md);
542*e71b7053SJung-uk Kim     if (finish_md_len == 0) {
543*e71b7053SJung-uk Kim         /* SSLfatal() already called */
544*e71b7053SJung-uk Kim         return 0;
545*e71b7053SJung-uk Kim     }
546*e71b7053SJung-uk Kim 
547*e71b7053SJung-uk Kim     s->s3->tmp.finish_md_len = finish_md_len;
548*e71b7053SJung-uk Kim 
549*e71b7053SJung-uk Kim     if (!WPACKET_memcpy(pkt, s->s3->tmp.finish_md, finish_md_len)) {
550*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
551*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
552*e71b7053SJung-uk Kim         return 0;
553*e71b7053SJung-uk Kim     }
554*e71b7053SJung-uk Kim 
555*e71b7053SJung-uk Kim     /*
556*e71b7053SJung-uk Kim      * Log the master secret, if logging is enabled. We don't log it for
557*e71b7053SJung-uk Kim      * TLSv1.3: there's a different key schedule for that.
558*e71b7053SJung-uk Kim      */
559*e71b7053SJung-uk Kim     if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
560*e71b7053SJung-uk Kim                                             s->session->master_key,
561*e71b7053SJung-uk Kim                                             s->session->master_key_length)) {
562*e71b7053SJung-uk Kim         /* SSLfatal() already called */
563*e71b7053SJung-uk Kim         return 0;
564*e71b7053SJung-uk Kim     }
565*e71b7053SJung-uk Kim 
566*e71b7053SJung-uk Kim     /*
567*e71b7053SJung-uk Kim      * Copy the finished so we can use it for renegotiation checks
568*e71b7053SJung-uk Kim      */
569*e71b7053SJung-uk Kim     if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
570*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
571*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
572*e71b7053SJung-uk Kim         return 0;
573*e71b7053SJung-uk Kim     }
574*e71b7053SJung-uk Kim     if (!s->server) {
575*e71b7053SJung-uk Kim         memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md,
576*e71b7053SJung-uk Kim                finish_md_len);
577*e71b7053SJung-uk Kim         s->s3->previous_client_finished_len = finish_md_len;
578*e71b7053SJung-uk Kim     } else {
579*e71b7053SJung-uk Kim         memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md,
580*e71b7053SJung-uk Kim                finish_md_len);
581*e71b7053SJung-uk Kim         s->s3->previous_server_finished_len = finish_md_len;
582*e71b7053SJung-uk Kim     }
583*e71b7053SJung-uk Kim 
584*e71b7053SJung-uk Kim     return 1;
585*e71b7053SJung-uk Kim }
586*e71b7053SJung-uk Kim 
587*e71b7053SJung-uk Kim int tls_construct_key_update(SSL *s, WPACKET *pkt)
588*e71b7053SJung-uk Kim {
589*e71b7053SJung-uk Kim     if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
590*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
591*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
592*e71b7053SJung-uk Kim         return 0;
593*e71b7053SJung-uk Kim     }
594*e71b7053SJung-uk Kim 
595*e71b7053SJung-uk Kim     s->key_update = SSL_KEY_UPDATE_NONE;
596*e71b7053SJung-uk Kim     return 1;
597*e71b7053SJung-uk Kim }
598*e71b7053SJung-uk Kim 
599*e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
600*e71b7053SJung-uk Kim {
601*e71b7053SJung-uk Kim     unsigned int updatetype;
602*e71b7053SJung-uk Kim 
603*e71b7053SJung-uk Kim     s->key_update_count++;
604*e71b7053SJung-uk Kim     if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) {
605*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
606*e71b7053SJung-uk Kim                  SSL_R_TOO_MANY_KEY_UPDATES);
607*e71b7053SJung-uk Kim         return MSG_PROCESS_ERROR;
608*e71b7053SJung-uk Kim     }
609*e71b7053SJung-uk Kim 
610*e71b7053SJung-uk Kim     /*
611*e71b7053SJung-uk Kim      * A KeyUpdate message signals a key change so the end of the message must
612*e71b7053SJung-uk Kim      * be on a record boundary.
613*e71b7053SJung-uk Kim      */
614*e71b7053SJung-uk Kim     if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
615*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
616*e71b7053SJung-uk Kim                  SSL_R_NOT_ON_RECORD_BOUNDARY);
617*e71b7053SJung-uk Kim         return MSG_PROCESS_ERROR;
618*e71b7053SJung-uk Kim     }
619*e71b7053SJung-uk Kim 
620*e71b7053SJung-uk Kim     if (!PACKET_get_1(pkt, &updatetype)
621*e71b7053SJung-uk Kim             || PACKET_remaining(pkt) != 0) {
622*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
623*e71b7053SJung-uk Kim                  SSL_R_BAD_KEY_UPDATE);
624*e71b7053SJung-uk Kim         return MSG_PROCESS_ERROR;
625*e71b7053SJung-uk Kim     }
626*e71b7053SJung-uk Kim 
627*e71b7053SJung-uk Kim     /*
628*e71b7053SJung-uk Kim      * There are only two defined key update types. Fail if we get a value we
629*e71b7053SJung-uk Kim      * didn't recognise.
630*e71b7053SJung-uk Kim      */
631*e71b7053SJung-uk Kim     if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
632*e71b7053SJung-uk Kim             && updatetype != SSL_KEY_UPDATE_REQUESTED) {
633*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
634*e71b7053SJung-uk Kim                  SSL_R_BAD_KEY_UPDATE);
635*e71b7053SJung-uk Kim         return MSG_PROCESS_ERROR;
636*e71b7053SJung-uk Kim     }
637*e71b7053SJung-uk Kim 
638*e71b7053SJung-uk Kim     /*
639*e71b7053SJung-uk Kim      * If we get a request for us to update our sending keys too then, we need
640*e71b7053SJung-uk Kim      * to additionally send a KeyUpdate message. However that message should
641*e71b7053SJung-uk Kim      * not also request an update (otherwise we get into an infinite loop). We
642*e71b7053SJung-uk Kim      * ignore a request for us to update our sending keys too if we already
643*e71b7053SJung-uk Kim      * sent close_notify.
644*e71b7053SJung-uk Kim      */
645*e71b7053SJung-uk Kim     if (updatetype == SSL_KEY_UPDATE_REQUESTED
646*e71b7053SJung-uk Kim             && (s->shutdown & SSL_SENT_SHUTDOWN) == 0)
647*e71b7053SJung-uk Kim         s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
648*e71b7053SJung-uk Kim 
649*e71b7053SJung-uk Kim     if (!tls13_update_key(s, 0)) {
650*e71b7053SJung-uk Kim         /* SSLfatal() already called */
651*e71b7053SJung-uk Kim         return MSG_PROCESS_ERROR;
652*e71b7053SJung-uk Kim     }
653*e71b7053SJung-uk Kim 
654*e71b7053SJung-uk Kim     return MSG_PROCESS_FINISHED_READING;
655*e71b7053SJung-uk Kim }
656*e71b7053SJung-uk Kim 
657*e71b7053SJung-uk Kim /*
658*e71b7053SJung-uk Kim  * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
659*e71b7053SJung-uk Kim  * to far.
660*e71b7053SJung-uk Kim  */
661*e71b7053SJung-uk Kim int ssl3_take_mac(SSL *s)
662*e71b7053SJung-uk Kim {
663*e71b7053SJung-uk Kim     const char *sender;
664*e71b7053SJung-uk Kim     size_t slen;
665*e71b7053SJung-uk Kim 
666*e71b7053SJung-uk Kim     if (!s->server) {
667*e71b7053SJung-uk Kim         sender = s->method->ssl3_enc->server_finished_label;
668*e71b7053SJung-uk Kim         slen = s->method->ssl3_enc->server_finished_label_len;
669*e71b7053SJung-uk Kim     } else {
670*e71b7053SJung-uk Kim         sender = s->method->ssl3_enc->client_finished_label;
671*e71b7053SJung-uk Kim         slen = s->method->ssl3_enc->client_finished_label_len;
672*e71b7053SJung-uk Kim     }
673*e71b7053SJung-uk Kim 
674*e71b7053SJung-uk Kim     s->s3->tmp.peer_finish_md_len =
675*e71b7053SJung-uk Kim         s->method->ssl3_enc->final_finish_mac(s, sender, slen,
676*e71b7053SJung-uk Kim                                               s->s3->tmp.peer_finish_md);
677*e71b7053SJung-uk Kim 
678*e71b7053SJung-uk Kim     if (s->s3->tmp.peer_finish_md_len == 0) {
679*e71b7053SJung-uk Kim         /* SSLfatal() already called */
680*e71b7053SJung-uk Kim         return 0;
681*e71b7053SJung-uk Kim     }
682*e71b7053SJung-uk Kim 
683*e71b7053SJung-uk Kim     return 1;
684*e71b7053SJung-uk Kim }
685*e71b7053SJung-uk Kim 
686*e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
687*e71b7053SJung-uk Kim {
688*e71b7053SJung-uk Kim     size_t remain;
689*e71b7053SJung-uk Kim 
690*e71b7053SJung-uk Kim     remain = PACKET_remaining(pkt);
691*e71b7053SJung-uk Kim     /*
692*e71b7053SJung-uk Kim      * 'Change Cipher Spec' is just a single byte, which should already have
693*e71b7053SJung-uk Kim      * been consumed by ssl_get_message() so there should be no bytes left,
694*e71b7053SJung-uk Kim      * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
695*e71b7053SJung-uk Kim      */
696*e71b7053SJung-uk Kim     if (SSL_IS_DTLS(s)) {
697*e71b7053SJung-uk Kim         if ((s->version == DTLS1_BAD_VER
698*e71b7053SJung-uk Kim              && remain != DTLS1_CCS_HEADER_LENGTH + 1)
699*e71b7053SJung-uk Kim             || (s->version != DTLS1_BAD_VER
700*e71b7053SJung-uk Kim                 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
701*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_DECODE_ERROR,
702*e71b7053SJung-uk Kim                      SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
703*e71b7053SJung-uk Kim                     SSL_R_BAD_CHANGE_CIPHER_SPEC);
704*e71b7053SJung-uk Kim             return MSG_PROCESS_ERROR;
705*e71b7053SJung-uk Kim         }
706*e71b7053SJung-uk Kim     } else {
707*e71b7053SJung-uk Kim         if (remain != 0) {
708*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_DECODE_ERROR,
709*e71b7053SJung-uk Kim                      SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
710*e71b7053SJung-uk Kim                      SSL_R_BAD_CHANGE_CIPHER_SPEC);
711*e71b7053SJung-uk Kim             return MSG_PROCESS_ERROR;
712*e71b7053SJung-uk Kim         }
713*e71b7053SJung-uk Kim     }
714*e71b7053SJung-uk Kim 
715*e71b7053SJung-uk Kim     /* Check we have a cipher to change to */
716*e71b7053SJung-uk Kim     if (s->s3->tmp.new_cipher == NULL) {
717*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
718*e71b7053SJung-uk Kim                  SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
719*e71b7053SJung-uk Kim         return MSG_PROCESS_ERROR;
720*e71b7053SJung-uk Kim     }
721*e71b7053SJung-uk Kim 
722*e71b7053SJung-uk Kim     s->s3->change_cipher_spec = 1;
723*e71b7053SJung-uk Kim     if (!ssl3_do_change_cipher_spec(s)) {
724*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
725*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
726*e71b7053SJung-uk Kim         return MSG_PROCESS_ERROR;
727*e71b7053SJung-uk Kim     }
728*e71b7053SJung-uk Kim 
729*e71b7053SJung-uk Kim     if (SSL_IS_DTLS(s)) {
730*e71b7053SJung-uk Kim         dtls1_reset_seq_numbers(s, SSL3_CC_READ);
731*e71b7053SJung-uk Kim 
732*e71b7053SJung-uk Kim         if (s->version == DTLS1_BAD_VER)
733*e71b7053SJung-uk Kim             s->d1->handshake_read_seq++;
734*e71b7053SJung-uk Kim 
735*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SCTP
736*e71b7053SJung-uk Kim         /*
737*e71b7053SJung-uk Kim          * Remember that a CCS has been received, so that an old key of
738*e71b7053SJung-uk Kim          * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
739*e71b7053SJung-uk Kim          * SCTP is used
740*e71b7053SJung-uk Kim          */
741*e71b7053SJung-uk Kim         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
742*e71b7053SJung-uk Kim #endif
743*e71b7053SJung-uk Kim     }
744*e71b7053SJung-uk Kim 
745*e71b7053SJung-uk Kim     return MSG_PROCESS_CONTINUE_READING;
746*e71b7053SJung-uk Kim }
747*e71b7053SJung-uk Kim 
748*e71b7053SJung-uk Kim MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
749*e71b7053SJung-uk Kim {
750*e71b7053SJung-uk Kim     size_t md_len;
751*e71b7053SJung-uk Kim 
752*e71b7053SJung-uk Kim 
753*e71b7053SJung-uk Kim     /* This is a real handshake so make sure we clean it up at the end */
754*e71b7053SJung-uk Kim     if (s->server) {
755*e71b7053SJung-uk Kim         /*
756*e71b7053SJung-uk Kim         * To get this far we must have read encrypted data from the client. We
757*e71b7053SJung-uk Kim         * no longer tolerate unencrypted alerts. This value is ignored if less
758*e71b7053SJung-uk Kim         * than TLSv1.3
759*e71b7053SJung-uk Kim         */
760*e71b7053SJung-uk Kim         s->statem.enc_read_state = ENC_READ_STATE_VALID;
761*e71b7053SJung-uk Kim         if (s->post_handshake_auth != SSL_PHA_REQUESTED)
762*e71b7053SJung-uk Kim             s->statem.cleanuphand = 1;
763*e71b7053SJung-uk Kim         if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
764*e71b7053SJung-uk Kim                 /* SSLfatal() already called */
765*e71b7053SJung-uk Kim                 return MSG_PROCESS_ERROR;
766*e71b7053SJung-uk Kim         }
767*e71b7053SJung-uk Kim     }
768*e71b7053SJung-uk Kim 
769*e71b7053SJung-uk Kim     /*
770*e71b7053SJung-uk Kim      * In TLSv1.3 a Finished message signals a key change so the end of the
771*e71b7053SJung-uk Kim      * message must be on a record boundary.
772*e71b7053SJung-uk Kim      */
773*e71b7053SJung-uk Kim     if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
774*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
775*e71b7053SJung-uk Kim                  SSL_R_NOT_ON_RECORD_BOUNDARY);
776*e71b7053SJung-uk Kim         return MSG_PROCESS_ERROR;
777*e71b7053SJung-uk Kim     }
778*e71b7053SJung-uk Kim 
779*e71b7053SJung-uk Kim     /* If this occurs, we have missed a message */
780*e71b7053SJung-uk Kim     if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) {
781*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
782*e71b7053SJung-uk Kim                  SSL_R_GOT_A_FIN_BEFORE_A_CCS);
783*e71b7053SJung-uk Kim         return MSG_PROCESS_ERROR;
784*e71b7053SJung-uk Kim     }
785*e71b7053SJung-uk Kim     s->s3->change_cipher_spec = 0;
786*e71b7053SJung-uk Kim 
787*e71b7053SJung-uk Kim     md_len = s->s3->tmp.peer_finish_md_len;
788*e71b7053SJung-uk Kim 
789*e71b7053SJung-uk Kim     if (md_len != PACKET_remaining(pkt)) {
790*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
791*e71b7053SJung-uk Kim                  SSL_R_BAD_DIGEST_LENGTH);
792*e71b7053SJung-uk Kim         return MSG_PROCESS_ERROR;
793*e71b7053SJung-uk Kim     }
794*e71b7053SJung-uk Kim 
795*e71b7053SJung-uk Kim     if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md,
796*e71b7053SJung-uk Kim                       md_len) != 0) {
797*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
798*e71b7053SJung-uk Kim                  SSL_R_DIGEST_CHECK_FAILED);
799*e71b7053SJung-uk Kim         return MSG_PROCESS_ERROR;
800*e71b7053SJung-uk Kim     }
801*e71b7053SJung-uk Kim 
802*e71b7053SJung-uk Kim     /*
803*e71b7053SJung-uk Kim      * Copy the finished so we can use it for renegotiation checks
804*e71b7053SJung-uk Kim      */
805*e71b7053SJung-uk Kim     if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
806*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
807*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
808*e71b7053SJung-uk Kim         return MSG_PROCESS_ERROR;
809*e71b7053SJung-uk Kim     }
810*e71b7053SJung-uk Kim     if (s->server) {
811*e71b7053SJung-uk Kim         memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md,
812*e71b7053SJung-uk Kim                md_len);
813*e71b7053SJung-uk Kim         s->s3->previous_client_finished_len = md_len;
814*e71b7053SJung-uk Kim     } else {
815*e71b7053SJung-uk Kim         memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md,
816*e71b7053SJung-uk Kim                md_len);
817*e71b7053SJung-uk Kim         s->s3->previous_server_finished_len = md_len;
818*e71b7053SJung-uk Kim     }
819*e71b7053SJung-uk Kim 
820*e71b7053SJung-uk Kim     /*
821*e71b7053SJung-uk Kim      * In TLS1.3 we also have to change cipher state and do any final processing
822*e71b7053SJung-uk Kim      * of the initial server flight (if we are a client)
823*e71b7053SJung-uk Kim      */
824*e71b7053SJung-uk Kim     if (SSL_IS_TLS13(s)) {
825*e71b7053SJung-uk Kim         if (s->server) {
826*e71b7053SJung-uk Kim             if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
827*e71b7053SJung-uk Kim                     !s->method->ssl3_enc->change_cipher_state(s,
828*e71b7053SJung-uk Kim                     SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
829*e71b7053SJung-uk Kim                 /* SSLfatal() already called */
830*e71b7053SJung-uk Kim                 return MSG_PROCESS_ERROR;
831*e71b7053SJung-uk Kim             }
832*e71b7053SJung-uk Kim         } else {
833*e71b7053SJung-uk Kim             if (!s->method->ssl3_enc->generate_master_secret(s,
834*e71b7053SJung-uk Kim                     s->master_secret, s->handshake_secret, 0,
835*e71b7053SJung-uk Kim                     &s->session->master_key_length)) {
836*e71b7053SJung-uk Kim                 /* SSLfatal() already called */
837*e71b7053SJung-uk Kim                 return MSG_PROCESS_ERROR;
838*e71b7053SJung-uk Kim             }
839*e71b7053SJung-uk Kim             if (!s->method->ssl3_enc->change_cipher_state(s,
840*e71b7053SJung-uk Kim                     SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
841*e71b7053SJung-uk Kim                 /* SSLfatal() already called */
842*e71b7053SJung-uk Kim                 return MSG_PROCESS_ERROR;
843*e71b7053SJung-uk Kim             }
844*e71b7053SJung-uk Kim             if (!tls_process_initial_server_flight(s)) {
845*e71b7053SJung-uk Kim                 /* SSLfatal() already called */
846*e71b7053SJung-uk Kim                 return MSG_PROCESS_ERROR;
847*e71b7053SJung-uk Kim             }
848*e71b7053SJung-uk Kim         }
849*e71b7053SJung-uk Kim     }
850*e71b7053SJung-uk Kim 
851*e71b7053SJung-uk Kim     return MSG_PROCESS_FINISHED_READING;
852*e71b7053SJung-uk Kim }
853*e71b7053SJung-uk Kim 
854*e71b7053SJung-uk Kim int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
855*e71b7053SJung-uk Kim {
856*e71b7053SJung-uk Kim     if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
857*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
858*e71b7053SJung-uk Kim                  SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
859*e71b7053SJung-uk Kim         return 0;
860*e71b7053SJung-uk Kim     }
861*e71b7053SJung-uk Kim 
862*e71b7053SJung-uk Kim     return 1;
863*e71b7053SJung-uk Kim }
864*e71b7053SJung-uk Kim 
865*e71b7053SJung-uk Kim /* Add a certificate to the WPACKET */
866*e71b7053SJung-uk Kim static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
867*e71b7053SJung-uk Kim {
868*e71b7053SJung-uk Kim     int len;
869*e71b7053SJung-uk Kim     unsigned char *outbytes;
870*e71b7053SJung-uk Kim 
871*e71b7053SJung-uk Kim     len = i2d_X509(x, NULL);
872*e71b7053SJung-uk Kim     if (len < 0) {
873*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
874*e71b7053SJung-uk Kim                  ERR_R_BUF_LIB);
875*e71b7053SJung-uk Kim         return 0;
876*e71b7053SJung-uk Kim     }
877*e71b7053SJung-uk Kim     if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
878*e71b7053SJung-uk Kim             || i2d_X509(x, &outbytes) != len) {
879*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
880*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
881*e71b7053SJung-uk Kim         return 0;
882*e71b7053SJung-uk Kim     }
883*e71b7053SJung-uk Kim 
884*e71b7053SJung-uk Kim     if (SSL_IS_TLS13(s)
885*e71b7053SJung-uk Kim             && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
886*e71b7053SJung-uk Kim                                          chain)) {
887*e71b7053SJung-uk Kim         /* SSLfatal() already called */
888*e71b7053SJung-uk Kim         return 0;
889*e71b7053SJung-uk Kim     }
890*e71b7053SJung-uk Kim 
891*e71b7053SJung-uk Kim     return 1;
892*e71b7053SJung-uk Kim }
893*e71b7053SJung-uk Kim 
894*e71b7053SJung-uk Kim /* Add certificate chain to provided WPACKET */
895*e71b7053SJung-uk Kim static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
896*e71b7053SJung-uk Kim {
897*e71b7053SJung-uk Kim     int i, chain_count;
898*e71b7053SJung-uk Kim     X509 *x;
899*e71b7053SJung-uk Kim     STACK_OF(X509) *extra_certs;
900*e71b7053SJung-uk Kim     STACK_OF(X509) *chain = NULL;
901*e71b7053SJung-uk Kim     X509_STORE *chain_store;
902*e71b7053SJung-uk Kim 
903*e71b7053SJung-uk Kim     if (cpk == NULL || cpk->x509 == NULL)
904*e71b7053SJung-uk Kim         return 1;
905*e71b7053SJung-uk Kim 
906*e71b7053SJung-uk Kim     x = cpk->x509;
907*e71b7053SJung-uk Kim 
908*e71b7053SJung-uk Kim     /*
909*e71b7053SJung-uk Kim      * If we have a certificate specific chain use it, else use parent ctx.
910*e71b7053SJung-uk Kim      */
911*e71b7053SJung-uk Kim     if (cpk->chain != NULL)
912*e71b7053SJung-uk Kim         extra_certs = cpk->chain;
913*e71b7053SJung-uk Kim     else
914*e71b7053SJung-uk Kim         extra_certs = s->ctx->extra_certs;
915*e71b7053SJung-uk Kim 
916*e71b7053SJung-uk Kim     if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
917*e71b7053SJung-uk Kim         chain_store = NULL;
918*e71b7053SJung-uk Kim     else if (s->cert->chain_store)
919*e71b7053SJung-uk Kim         chain_store = s->cert->chain_store;
920*e71b7053SJung-uk Kim     else
921*e71b7053SJung-uk Kim         chain_store = s->ctx->cert_store;
922*e71b7053SJung-uk Kim 
923*e71b7053SJung-uk Kim     if (chain_store != NULL) {
924*e71b7053SJung-uk Kim         X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();
925*e71b7053SJung-uk Kim 
926*e71b7053SJung-uk Kim         if (xs_ctx == NULL) {
927*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
928*e71b7053SJung-uk Kim                      ERR_R_MALLOC_FAILURE);
929*e71b7053SJung-uk Kim             return 0;
930*e71b7053SJung-uk Kim         }
931*e71b7053SJung-uk Kim         if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
932*e71b7053SJung-uk Kim             X509_STORE_CTX_free(xs_ctx);
933*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
934*e71b7053SJung-uk Kim                      ERR_R_X509_LIB);
935*e71b7053SJung-uk Kim             return 0;
936*e71b7053SJung-uk Kim         }
937*e71b7053SJung-uk Kim         /*
938*e71b7053SJung-uk Kim          * It is valid for the chain not to be complete (because normally we
939*e71b7053SJung-uk Kim          * don't include the root cert in the chain). Therefore we deliberately
940*e71b7053SJung-uk Kim          * ignore the error return from this call. We're not actually verifying
941*e71b7053SJung-uk Kim          * the cert - we're just building as much of the chain as we can
942*e71b7053SJung-uk Kim          */
943*e71b7053SJung-uk Kim         (void)X509_verify_cert(xs_ctx);
944*e71b7053SJung-uk Kim         /* Don't leave errors in the queue */
945*e71b7053SJung-uk Kim         ERR_clear_error();
946*e71b7053SJung-uk Kim         chain = X509_STORE_CTX_get0_chain(xs_ctx);
947*e71b7053SJung-uk Kim         i = ssl_security_cert_chain(s, chain, NULL, 0);
948*e71b7053SJung-uk Kim         if (i != 1) {
949*e71b7053SJung-uk Kim #if 0
950*e71b7053SJung-uk Kim             /* Dummy error calls so mkerr generates them */
951*e71b7053SJung-uk Kim             SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
952*e71b7053SJung-uk Kim             SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
953*e71b7053SJung-uk Kim             SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
954*e71b7053SJung-uk Kim #endif
955*e71b7053SJung-uk Kim             X509_STORE_CTX_free(xs_ctx);
956*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
957*e71b7053SJung-uk Kim             return 0;
958*e71b7053SJung-uk Kim         }
959*e71b7053SJung-uk Kim         chain_count = sk_X509_num(chain);
960*e71b7053SJung-uk Kim         for (i = 0; i < chain_count; i++) {
961*e71b7053SJung-uk Kim             x = sk_X509_value(chain, i);
962*e71b7053SJung-uk Kim 
963*e71b7053SJung-uk Kim             if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
964*e71b7053SJung-uk Kim                 /* SSLfatal() already called */
965*e71b7053SJung-uk Kim                 X509_STORE_CTX_free(xs_ctx);
966*e71b7053SJung-uk Kim                 return 0;
967*e71b7053SJung-uk Kim             }
968*e71b7053SJung-uk Kim         }
969*e71b7053SJung-uk Kim         X509_STORE_CTX_free(xs_ctx);
970*e71b7053SJung-uk Kim     } else {
971*e71b7053SJung-uk Kim         i = ssl_security_cert_chain(s, extra_certs, x, 0);
972*e71b7053SJung-uk Kim         if (i != 1) {
973*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
974*e71b7053SJung-uk Kim             return 0;
975*e71b7053SJung-uk Kim         }
976*e71b7053SJung-uk Kim         if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
977*e71b7053SJung-uk Kim             /* SSLfatal() already called */
978*e71b7053SJung-uk Kim             return 0;
979*e71b7053SJung-uk Kim         }
980*e71b7053SJung-uk Kim         for (i = 0; i < sk_X509_num(extra_certs); i++) {
981*e71b7053SJung-uk Kim             x = sk_X509_value(extra_certs, i);
982*e71b7053SJung-uk Kim             if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
983*e71b7053SJung-uk Kim                 /* SSLfatal() already called */
984*e71b7053SJung-uk Kim                 return 0;
985*e71b7053SJung-uk Kim             }
986*e71b7053SJung-uk Kim         }
987*e71b7053SJung-uk Kim     }
988*e71b7053SJung-uk Kim     return 1;
989*e71b7053SJung-uk Kim }
990*e71b7053SJung-uk Kim 
991*e71b7053SJung-uk Kim unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
992*e71b7053SJung-uk Kim {
993*e71b7053SJung-uk Kim     if (!WPACKET_start_sub_packet_u24(pkt)) {
994*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
995*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
996*e71b7053SJung-uk Kim         return 0;
997*e71b7053SJung-uk Kim     }
998*e71b7053SJung-uk Kim 
999*e71b7053SJung-uk Kim     if (!ssl_add_cert_chain(s, pkt, cpk))
1000*e71b7053SJung-uk Kim         return 0;
1001*e71b7053SJung-uk Kim 
1002*e71b7053SJung-uk Kim     if (!WPACKET_close(pkt)) {
1003*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1004*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
1005*e71b7053SJung-uk Kim         return 0;
1006*e71b7053SJung-uk Kim     }
1007*e71b7053SJung-uk Kim 
1008*e71b7053SJung-uk Kim     return 1;
1009*e71b7053SJung-uk Kim }
1010*e71b7053SJung-uk Kim 
1011*e71b7053SJung-uk Kim /*
1012*e71b7053SJung-uk Kim  * Tidy up after the end of a handshake. In the case of SCTP this may result
1013*e71b7053SJung-uk Kim  * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1014*e71b7053SJung-uk Kim  * freed up as well.
1015*e71b7053SJung-uk Kim  */
1016*e71b7053SJung-uk Kim WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
1017*e71b7053SJung-uk Kim {
1018*e71b7053SJung-uk Kim     void (*cb) (const SSL *ssl, int type, int val) = NULL;
1019*e71b7053SJung-uk Kim 
1020*e71b7053SJung-uk Kim     if (clearbufs) {
1021*e71b7053SJung-uk Kim         if (!SSL_IS_DTLS(s)) {
1022*e71b7053SJung-uk Kim             /*
1023*e71b7053SJung-uk Kim              * We don't do this in DTLS because we may still need the init_buf
1024*e71b7053SJung-uk Kim              * in case there are any unexpected retransmits
1025*e71b7053SJung-uk Kim              */
1026*e71b7053SJung-uk Kim             BUF_MEM_free(s->init_buf);
1027*e71b7053SJung-uk Kim             s->init_buf = NULL;
1028*e71b7053SJung-uk Kim         }
1029*e71b7053SJung-uk Kim         if (!ssl_free_wbio_buffer(s)) {
1030*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
1031*e71b7053SJung-uk Kim                      ERR_R_INTERNAL_ERROR);
1032*e71b7053SJung-uk Kim             return WORK_ERROR;
1033*e71b7053SJung-uk Kim         }
1034*e71b7053SJung-uk Kim         s->init_num = 0;
1035*e71b7053SJung-uk Kim     }
1036*e71b7053SJung-uk Kim 
1037*e71b7053SJung-uk Kim     if (SSL_IS_TLS13(s) && !s->server
1038*e71b7053SJung-uk Kim             && s->post_handshake_auth == SSL_PHA_REQUESTED)
1039*e71b7053SJung-uk Kim         s->post_handshake_auth = SSL_PHA_EXT_SENT;
1040*e71b7053SJung-uk Kim 
1041*e71b7053SJung-uk Kim     /*
1042*e71b7053SJung-uk Kim      * Only set if there was a Finished message and this isn't after a TLSv1.3
1043*e71b7053SJung-uk Kim      * post handshake exchange
1044*e71b7053SJung-uk Kim      */
1045*e71b7053SJung-uk Kim     if (s->statem.cleanuphand) {
1046*e71b7053SJung-uk Kim         /* skipped if we just sent a HelloRequest */
1047*e71b7053SJung-uk Kim         s->renegotiate = 0;
1048*e71b7053SJung-uk Kim         s->new_session = 0;
1049*e71b7053SJung-uk Kim         s->statem.cleanuphand = 0;
1050*e71b7053SJung-uk Kim         s->ext.ticket_expected = 0;
1051*e71b7053SJung-uk Kim 
1052*e71b7053SJung-uk Kim         ssl3_cleanup_key_block(s);
1053*e71b7053SJung-uk Kim 
1054*e71b7053SJung-uk Kim         if (s->server) {
1055*e71b7053SJung-uk Kim             /*
1056*e71b7053SJung-uk Kim              * In TLSv1.3 we update the cache as part of constructing the
1057*e71b7053SJung-uk Kim              * NewSessionTicket
1058*e71b7053SJung-uk Kim              */
1059*e71b7053SJung-uk Kim             if (!SSL_IS_TLS13(s))
1060*e71b7053SJung-uk Kim                 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1061*e71b7053SJung-uk Kim 
1062*e71b7053SJung-uk Kim             /* N.B. s->ctx may not equal s->session_ctx */
1063*e71b7053SJung-uk Kim             tsan_counter(&s->ctx->stats.sess_accept_good);
1064*e71b7053SJung-uk Kim             s->handshake_func = ossl_statem_accept;
1065*e71b7053SJung-uk Kim 
1066*e71b7053SJung-uk Kim             if (SSL_IS_DTLS(s) && !s->hit) {
1067*e71b7053SJung-uk Kim                 /*
1068*e71b7053SJung-uk Kim                  * We are finishing after the client. We start the timer going
1069*e71b7053SJung-uk Kim                  * in case there are any retransmits of our final flight
1070*e71b7053SJung-uk Kim                  * required.
1071*e71b7053SJung-uk Kim                  */
1072*e71b7053SJung-uk Kim                 dtls1_start_timer(s);
1073*e71b7053SJung-uk Kim             }
1074*e71b7053SJung-uk Kim         } else {
1075*e71b7053SJung-uk Kim             if (SSL_IS_TLS13(s)) {
1076*e71b7053SJung-uk Kim                 /*
1077*e71b7053SJung-uk Kim                  * We encourage applications to only use TLSv1.3 tickets once,
1078*e71b7053SJung-uk Kim                  * so we remove this one from the cache.
1079*e71b7053SJung-uk Kim                  */
1080*e71b7053SJung-uk Kim                 if ((s->session_ctx->session_cache_mode
1081*e71b7053SJung-uk Kim                      & SSL_SESS_CACHE_CLIENT) != 0)
1082*e71b7053SJung-uk Kim                     SSL_CTX_remove_session(s->session_ctx, s->session);
1083*e71b7053SJung-uk Kim             } else {
1084*e71b7053SJung-uk Kim                 /*
1085*e71b7053SJung-uk Kim                  * In TLSv1.3 we update the cache as part of processing the
1086*e71b7053SJung-uk Kim                  * NewSessionTicket
1087*e71b7053SJung-uk Kim                  */
1088*e71b7053SJung-uk Kim                 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1089*e71b7053SJung-uk Kim             }
1090*e71b7053SJung-uk Kim             if (s->hit)
1091*e71b7053SJung-uk Kim                 tsan_counter(&s->session_ctx->stats.sess_hit);
1092*e71b7053SJung-uk Kim 
1093*e71b7053SJung-uk Kim             s->handshake_func = ossl_statem_connect;
1094*e71b7053SJung-uk Kim             tsan_counter(&s->session_ctx->stats.sess_connect_good);
1095*e71b7053SJung-uk Kim 
1096*e71b7053SJung-uk Kim             if (SSL_IS_DTLS(s) && s->hit) {
1097*e71b7053SJung-uk Kim                 /*
1098*e71b7053SJung-uk Kim                  * We are finishing after the server. We start the timer going
1099*e71b7053SJung-uk Kim                  * in case there are any retransmits of our final flight
1100*e71b7053SJung-uk Kim                  * required.
1101*e71b7053SJung-uk Kim                  */
1102*e71b7053SJung-uk Kim                 dtls1_start_timer(s);
1103*e71b7053SJung-uk Kim             }
1104*e71b7053SJung-uk Kim         }
1105*e71b7053SJung-uk Kim 
1106*e71b7053SJung-uk Kim         if (SSL_IS_DTLS(s)) {
1107*e71b7053SJung-uk Kim             /* done with handshaking */
1108*e71b7053SJung-uk Kim             s->d1->handshake_read_seq = 0;
1109*e71b7053SJung-uk Kim             s->d1->handshake_write_seq = 0;
1110*e71b7053SJung-uk Kim             s->d1->next_handshake_write_seq = 0;
1111*e71b7053SJung-uk Kim             dtls1_clear_received_buffer(s);
1112*e71b7053SJung-uk Kim         }
1113*e71b7053SJung-uk Kim     }
1114*e71b7053SJung-uk Kim 
1115*e71b7053SJung-uk Kim     if (s->info_callback != NULL)
1116*e71b7053SJung-uk Kim         cb = s->info_callback;
1117*e71b7053SJung-uk Kim     else if (s->ctx->info_callback != NULL)
1118*e71b7053SJung-uk Kim         cb = s->ctx->info_callback;
1119*e71b7053SJung-uk Kim 
1120*e71b7053SJung-uk Kim     /* The callback may expect us to not be in init at handshake done */
1121*e71b7053SJung-uk Kim     ossl_statem_set_in_init(s, 0);
1122*e71b7053SJung-uk Kim 
1123*e71b7053SJung-uk Kim     if (cb != NULL)
1124*e71b7053SJung-uk Kim         cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1125*e71b7053SJung-uk Kim 
1126*e71b7053SJung-uk Kim     if (!stop) {
1127*e71b7053SJung-uk Kim         /* If we've got more work to do we go back into init */
1128*e71b7053SJung-uk Kim         ossl_statem_set_in_init(s, 1);
1129*e71b7053SJung-uk Kim         return WORK_FINISHED_CONTINUE;
1130*e71b7053SJung-uk Kim     }
1131*e71b7053SJung-uk Kim 
1132*e71b7053SJung-uk Kim     return WORK_FINISHED_STOP;
1133*e71b7053SJung-uk Kim }
1134*e71b7053SJung-uk Kim 
1135*e71b7053SJung-uk Kim int tls_get_message_header(SSL *s, int *mt)
1136*e71b7053SJung-uk Kim {
1137*e71b7053SJung-uk Kim     /* s->init_num < SSL3_HM_HEADER_LENGTH */
1138*e71b7053SJung-uk Kim     int skip_message, i, recvd_type;
1139*e71b7053SJung-uk Kim     unsigned char *p;
1140*e71b7053SJung-uk Kim     size_t l, readbytes;
1141*e71b7053SJung-uk Kim 
1142*e71b7053SJung-uk Kim     p = (unsigned char *)s->init_buf->data;
1143*e71b7053SJung-uk Kim 
1144*e71b7053SJung-uk Kim     do {
1145*e71b7053SJung-uk Kim         while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1146*e71b7053SJung-uk Kim             i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1147*e71b7053SJung-uk Kim                                           &p[s->init_num],
1148*e71b7053SJung-uk Kim                                           SSL3_HM_HEADER_LENGTH - s->init_num,
1149*e71b7053SJung-uk Kim                                           0, &readbytes);
1150*e71b7053SJung-uk Kim             if (i <= 0) {
1151*e71b7053SJung-uk Kim                 s->rwstate = SSL_READING;
1152*e71b7053SJung-uk Kim                 return 0;
1153*e71b7053SJung-uk Kim             }
1154*e71b7053SJung-uk Kim             if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1155*e71b7053SJung-uk Kim                 /*
1156*e71b7053SJung-uk Kim                  * A ChangeCipherSpec must be a single byte and may not occur
1157*e71b7053SJung-uk Kim                  * in the middle of a handshake message.
1158*e71b7053SJung-uk Kim                  */
1159*e71b7053SJung-uk Kim                 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1160*e71b7053SJung-uk Kim                     SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1161*e71b7053SJung-uk Kim                              SSL_F_TLS_GET_MESSAGE_HEADER,
1162*e71b7053SJung-uk Kim                              SSL_R_BAD_CHANGE_CIPHER_SPEC);
1163*e71b7053SJung-uk Kim                     return 0;
1164*e71b7053SJung-uk Kim                 }
1165*e71b7053SJung-uk Kim                 if (s->statem.hand_state == TLS_ST_BEFORE
1166*e71b7053SJung-uk Kim                         && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) {
1167*e71b7053SJung-uk Kim                     /*
1168*e71b7053SJung-uk Kim                      * We are stateless and we received a CCS. Probably this is
1169*e71b7053SJung-uk Kim                      * from a client between the first and second ClientHellos.
1170*e71b7053SJung-uk Kim                      * We should ignore this, but return an error because we do
1171*e71b7053SJung-uk Kim                      * not return success until we see the second ClientHello
1172*e71b7053SJung-uk Kim                      * with a valid cookie.
1173*e71b7053SJung-uk Kim                      */
1174*e71b7053SJung-uk Kim                     return 0;
1175*e71b7053SJung-uk Kim                 }
1176*e71b7053SJung-uk Kim                 s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1177*e71b7053SJung-uk Kim                 s->init_num = readbytes - 1;
1178*e71b7053SJung-uk Kim                 s->init_msg = s->init_buf->data;
1179*e71b7053SJung-uk Kim                 s->s3->tmp.message_size = readbytes;
1180*e71b7053SJung-uk Kim                 return 1;
1181*e71b7053SJung-uk Kim             } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1182*e71b7053SJung-uk Kim                 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1183*e71b7053SJung-uk Kim                          SSL_F_TLS_GET_MESSAGE_HEADER,
1184*e71b7053SJung-uk Kim                          SSL_R_CCS_RECEIVED_EARLY);
1185*e71b7053SJung-uk Kim                 return 0;
1186*e71b7053SJung-uk Kim             }
1187*e71b7053SJung-uk Kim             s->init_num += readbytes;
1188*e71b7053SJung-uk Kim         }
1189*e71b7053SJung-uk Kim 
1190*e71b7053SJung-uk Kim         skip_message = 0;
1191*e71b7053SJung-uk Kim         if (!s->server)
1192*e71b7053SJung-uk Kim             if (s->statem.hand_state != TLS_ST_OK
1193*e71b7053SJung-uk Kim                     && p[0] == SSL3_MT_HELLO_REQUEST)
1194*e71b7053SJung-uk Kim                 /*
1195*e71b7053SJung-uk Kim                  * The server may always send 'Hello Request' messages --
1196*e71b7053SJung-uk Kim                  * we are doing a handshake anyway now, so ignore them if
1197*e71b7053SJung-uk Kim                  * their format is correct. Does not count for 'Finished'
1198*e71b7053SJung-uk Kim                  * MAC.
1199*e71b7053SJung-uk Kim                  */
1200*e71b7053SJung-uk Kim                 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1201*e71b7053SJung-uk Kim                     s->init_num = 0;
1202*e71b7053SJung-uk Kim                     skip_message = 1;
1203*e71b7053SJung-uk Kim 
1204*e71b7053SJung-uk Kim                     if (s->msg_callback)
1205*e71b7053SJung-uk Kim                         s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1206*e71b7053SJung-uk Kim                                         p, SSL3_HM_HEADER_LENGTH, s,
1207*e71b7053SJung-uk Kim                                         s->msg_callback_arg);
1208*e71b7053SJung-uk Kim                 }
1209*e71b7053SJung-uk Kim     } while (skip_message);
1210*e71b7053SJung-uk Kim     /* s->init_num == SSL3_HM_HEADER_LENGTH */
1211*e71b7053SJung-uk Kim 
1212*e71b7053SJung-uk Kim     *mt = *p;
1213*e71b7053SJung-uk Kim     s->s3->tmp.message_type = *(p++);
1214*e71b7053SJung-uk Kim 
1215*e71b7053SJung-uk Kim     if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1216*e71b7053SJung-uk Kim         /*
1217*e71b7053SJung-uk Kim          * Only happens with SSLv3+ in an SSLv2 backward compatible
1218*e71b7053SJung-uk Kim          * ClientHello
1219*e71b7053SJung-uk Kim          *
1220*e71b7053SJung-uk Kim          * Total message size is the remaining record bytes to read
1221*e71b7053SJung-uk Kim          * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1222*e71b7053SJung-uk Kim          */
1223*e71b7053SJung-uk Kim         l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1224*e71b7053SJung-uk Kim             + SSL3_HM_HEADER_LENGTH;
1225*e71b7053SJung-uk Kim         s->s3->tmp.message_size = l;
1226*e71b7053SJung-uk Kim 
1227*e71b7053SJung-uk Kim         s->init_msg = s->init_buf->data;
1228*e71b7053SJung-uk Kim         s->init_num = SSL3_HM_HEADER_LENGTH;
1229*e71b7053SJung-uk Kim     } else {
1230*e71b7053SJung-uk Kim         n2l3(p, l);
1231*e71b7053SJung-uk Kim         /* BUF_MEM_grow takes an 'int' parameter */
1232*e71b7053SJung-uk Kim         if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1233*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
1234*e71b7053SJung-uk Kim                      SSL_R_EXCESSIVE_MESSAGE_SIZE);
1235*e71b7053SJung-uk Kim             return 0;
1236*e71b7053SJung-uk Kim         }
1237*e71b7053SJung-uk Kim         s->s3->tmp.message_size = l;
1238*e71b7053SJung-uk Kim 
1239*e71b7053SJung-uk Kim         s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1240*e71b7053SJung-uk Kim         s->init_num = 0;
1241*e71b7053SJung-uk Kim     }
1242*e71b7053SJung-uk Kim 
1243*e71b7053SJung-uk Kim     return 1;
1244*e71b7053SJung-uk Kim }
1245*e71b7053SJung-uk Kim 
1246*e71b7053SJung-uk Kim int tls_get_message_body(SSL *s, size_t *len)
1247*e71b7053SJung-uk Kim {
1248*e71b7053SJung-uk Kim     size_t n, readbytes;
1249*e71b7053SJung-uk Kim     unsigned char *p;
1250*e71b7053SJung-uk Kim     int i;
1251*e71b7053SJung-uk Kim 
1252*e71b7053SJung-uk Kim     if (s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1253*e71b7053SJung-uk Kim         /* We've already read everything in */
1254*e71b7053SJung-uk Kim         *len = (unsigned long)s->init_num;
1255*e71b7053SJung-uk Kim         return 1;
1256*e71b7053SJung-uk Kim     }
1257*e71b7053SJung-uk Kim 
1258*e71b7053SJung-uk Kim     p = s->init_msg;
1259*e71b7053SJung-uk Kim     n = s->s3->tmp.message_size - s->init_num;
1260*e71b7053SJung-uk Kim     while (n > 0) {
1261*e71b7053SJung-uk Kim         i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1262*e71b7053SJung-uk Kim                                       &p[s->init_num], n, 0, &readbytes);
1263*e71b7053SJung-uk Kim         if (i <= 0) {
1264*e71b7053SJung-uk Kim             s->rwstate = SSL_READING;
1265*e71b7053SJung-uk Kim             *len = 0;
1266*e71b7053SJung-uk Kim             return 0;
1267*e71b7053SJung-uk Kim         }
1268*e71b7053SJung-uk Kim         s->init_num += readbytes;
1269*e71b7053SJung-uk Kim         n -= readbytes;
1270*e71b7053SJung-uk Kim     }
1271*e71b7053SJung-uk Kim 
1272*e71b7053SJung-uk Kim     /*
1273*e71b7053SJung-uk Kim      * If receiving Finished, record MAC of prior handshake messages for
1274*e71b7053SJung-uk Kim      * Finished verification.
1275*e71b7053SJung-uk Kim      */
1276*e71b7053SJung-uk Kim     if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1277*e71b7053SJung-uk Kim         /* SSLfatal() already called */
1278*e71b7053SJung-uk Kim         *len = 0;
1279*e71b7053SJung-uk Kim         return 0;
1280*e71b7053SJung-uk Kim     }
1281*e71b7053SJung-uk Kim 
1282*e71b7053SJung-uk Kim     /* Feed this message into MAC computation. */
1283*e71b7053SJung-uk Kim     if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1284*e71b7053SJung-uk Kim         if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1285*e71b7053SJung-uk Kim                              s->init_num)) {
1286*e71b7053SJung-uk Kim             /* SSLfatal() already called */
1287*e71b7053SJung-uk Kim             *len = 0;
1288*e71b7053SJung-uk Kim             return 0;
1289*e71b7053SJung-uk Kim         }
1290*e71b7053SJung-uk Kim         if (s->msg_callback)
1291*e71b7053SJung-uk Kim             s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1292*e71b7053SJung-uk Kim                             (size_t)s->init_num, s, s->msg_callback_arg);
1293*e71b7053SJung-uk Kim     } else {
1294*e71b7053SJung-uk Kim         /*
1295*e71b7053SJung-uk Kim          * We defer feeding in the HRR until later. We'll do it as part of
1296*e71b7053SJung-uk Kim          * processing the message
1297*e71b7053SJung-uk Kim          * The TLsv1.3 handshake transcript stops at the ClientFinished
1298*e71b7053SJung-uk Kim          * message.
1299*e71b7053SJung-uk Kim          */
1300*e71b7053SJung-uk Kim #define SERVER_HELLO_RANDOM_OFFSET  (SSL3_HM_HEADER_LENGTH + 2)
1301*e71b7053SJung-uk Kim         /* KeyUpdate and NewSessionTicket do not need to be added */
1302*e71b7053SJung-uk Kim         if (!SSL_IS_TLS13(s) || (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1303*e71b7053SJung-uk Kim                                  && s->s3->tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1304*e71b7053SJung-uk Kim             if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO
1305*e71b7053SJung-uk Kim                     || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1306*e71b7053SJung-uk Kim                     || memcmp(hrrrandom,
1307*e71b7053SJung-uk Kim                               s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1308*e71b7053SJung-uk Kim                               SSL3_RANDOM_SIZE) != 0) {
1309*e71b7053SJung-uk Kim                 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1310*e71b7053SJung-uk Kim                                      s->init_num + SSL3_HM_HEADER_LENGTH)) {
1311*e71b7053SJung-uk Kim                     /* SSLfatal() already called */
1312*e71b7053SJung-uk Kim                     *len = 0;
1313*e71b7053SJung-uk Kim                     return 0;
1314*e71b7053SJung-uk Kim                 }
1315*e71b7053SJung-uk Kim             }
1316*e71b7053SJung-uk Kim         }
1317*e71b7053SJung-uk Kim         if (s->msg_callback)
1318*e71b7053SJung-uk Kim             s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1319*e71b7053SJung-uk Kim                             (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1320*e71b7053SJung-uk Kim                             s->msg_callback_arg);
1321*e71b7053SJung-uk Kim     }
1322*e71b7053SJung-uk Kim 
1323*e71b7053SJung-uk Kim     *len = s->init_num;
1324*e71b7053SJung-uk Kim     return 1;
1325*e71b7053SJung-uk Kim }
1326*e71b7053SJung-uk Kim 
1327*e71b7053SJung-uk Kim static const X509ERR2ALERT x509table[] = {
1328*e71b7053SJung-uk Kim     {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1329*e71b7053SJung-uk Kim     {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1330*e71b7053SJung-uk Kim     {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1331*e71b7053SJung-uk Kim     {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1332*e71b7053SJung-uk Kim     {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1333*e71b7053SJung-uk Kim     {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1334*e71b7053SJung-uk Kim     {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1335*e71b7053SJung-uk Kim     {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1336*e71b7053SJung-uk Kim     {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1337*e71b7053SJung-uk Kim     {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1338*e71b7053SJung-uk Kim     {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1339*e71b7053SJung-uk Kim     {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1340*e71b7053SJung-uk Kim     {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1341*e71b7053SJung-uk Kim     {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1342*e71b7053SJung-uk Kim     {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1343*e71b7053SJung-uk Kim     {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1344*e71b7053SJung-uk Kim     {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1345*e71b7053SJung-uk Kim     {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1346*e71b7053SJung-uk Kim     {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1347*e71b7053SJung-uk Kim     {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1348*e71b7053SJung-uk Kim     {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1349*e71b7053SJung-uk Kim     {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1350*e71b7053SJung-uk Kim     {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1351*e71b7053SJung-uk Kim     {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1352*e71b7053SJung-uk Kim     {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1353*e71b7053SJung-uk Kim     {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1354*e71b7053SJung-uk Kim     {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1355*e71b7053SJung-uk Kim     {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1356*e71b7053SJung-uk Kim     {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1357*e71b7053SJung-uk Kim     {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1358*e71b7053SJung-uk Kim     {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1359*e71b7053SJung-uk Kim     {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1360*e71b7053SJung-uk Kim     {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1361*e71b7053SJung-uk Kim     {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1362*e71b7053SJung-uk Kim     {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1363*e71b7053SJung-uk Kim     {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1364*e71b7053SJung-uk Kim     {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1365*e71b7053SJung-uk Kim     {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1366*e71b7053SJung-uk Kim     {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1367*e71b7053SJung-uk Kim 
1368*e71b7053SJung-uk Kim     /* Last entry; return this if we don't find the value above. */
1369*e71b7053SJung-uk Kim     {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1370*e71b7053SJung-uk Kim };
1371*e71b7053SJung-uk Kim 
1372*e71b7053SJung-uk Kim int ssl_x509err2alert(int x509err)
1373*e71b7053SJung-uk Kim {
1374*e71b7053SJung-uk Kim     const X509ERR2ALERT *tp;
1375*e71b7053SJung-uk Kim 
1376*e71b7053SJung-uk Kim     for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1377*e71b7053SJung-uk Kim         if (tp->x509err == x509err)
1378*e71b7053SJung-uk Kim             break;
1379*e71b7053SJung-uk Kim     return tp->alert;
1380*e71b7053SJung-uk Kim }
1381*e71b7053SJung-uk Kim 
1382*e71b7053SJung-uk Kim int ssl_allow_compression(SSL *s)
1383*e71b7053SJung-uk Kim {
1384*e71b7053SJung-uk Kim     if (s->options & SSL_OP_NO_COMPRESSION)
1385*e71b7053SJung-uk Kim         return 0;
1386*e71b7053SJung-uk Kim     return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1387*e71b7053SJung-uk Kim }
1388*e71b7053SJung-uk Kim 
1389*e71b7053SJung-uk Kim static int version_cmp(const SSL *s, int a, int b)
1390*e71b7053SJung-uk Kim {
1391*e71b7053SJung-uk Kim     int dtls = SSL_IS_DTLS(s);
1392*e71b7053SJung-uk Kim 
1393*e71b7053SJung-uk Kim     if (a == b)
1394*e71b7053SJung-uk Kim         return 0;
1395*e71b7053SJung-uk Kim     if (!dtls)
1396*e71b7053SJung-uk Kim         return a < b ? -1 : 1;
1397*e71b7053SJung-uk Kim     return DTLS_VERSION_LT(a, b) ? -1 : 1;
1398*e71b7053SJung-uk Kim }
1399*e71b7053SJung-uk Kim 
1400*e71b7053SJung-uk Kim typedef struct {
1401*e71b7053SJung-uk Kim     int version;
1402*e71b7053SJung-uk Kim     const SSL_METHOD *(*cmeth) (void);
1403*e71b7053SJung-uk Kim     const SSL_METHOD *(*smeth) (void);
1404*e71b7053SJung-uk Kim } version_info;
1405*e71b7053SJung-uk Kim 
1406*e71b7053SJung-uk Kim #if TLS_MAX_VERSION != TLS1_3_VERSION
1407*e71b7053SJung-uk Kim # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1408*e71b7053SJung-uk Kim #endif
1409*e71b7053SJung-uk Kim 
1410*e71b7053SJung-uk Kim /* Must be in order high to low */
1411*e71b7053SJung-uk Kim static const version_info tls_version_table[] = {
1412*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_3
1413*e71b7053SJung-uk Kim     {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1414*e71b7053SJung-uk Kim #else
1415*e71b7053SJung-uk Kim     {TLS1_3_VERSION, NULL, NULL},
1416*e71b7053SJung-uk Kim #endif
1417*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_2
1418*e71b7053SJung-uk Kim     {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1419*e71b7053SJung-uk Kim #else
1420*e71b7053SJung-uk Kim     {TLS1_2_VERSION, NULL, NULL},
1421*e71b7053SJung-uk Kim #endif
1422*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_1
1423*e71b7053SJung-uk Kim     {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1424*e71b7053SJung-uk Kim #else
1425*e71b7053SJung-uk Kim     {TLS1_1_VERSION, NULL, NULL},
1426*e71b7053SJung-uk Kim #endif
1427*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1
1428*e71b7053SJung-uk Kim     {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1429*e71b7053SJung-uk Kim #else
1430*e71b7053SJung-uk Kim     {TLS1_VERSION, NULL, NULL},
1431*e71b7053SJung-uk Kim #endif
1432*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SSL3
1433*e71b7053SJung-uk Kim     {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1434*e71b7053SJung-uk Kim #else
1435*e71b7053SJung-uk Kim     {SSL3_VERSION, NULL, NULL},
1436*e71b7053SJung-uk Kim #endif
1437*e71b7053SJung-uk Kim     {0, NULL, NULL},
1438*e71b7053SJung-uk Kim };
1439*e71b7053SJung-uk Kim 
1440*e71b7053SJung-uk Kim #if DTLS_MAX_VERSION != DTLS1_2_VERSION
1441*e71b7053SJung-uk Kim # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1442*e71b7053SJung-uk Kim #endif
1443*e71b7053SJung-uk Kim 
1444*e71b7053SJung-uk Kim /* Must be in order high to low */
1445*e71b7053SJung-uk Kim static const version_info dtls_version_table[] = {
1446*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_DTLS1_2
1447*e71b7053SJung-uk Kim     {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1448*e71b7053SJung-uk Kim #else
1449*e71b7053SJung-uk Kim     {DTLS1_2_VERSION, NULL, NULL},
1450*e71b7053SJung-uk Kim #endif
1451*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_DTLS1
1452*e71b7053SJung-uk Kim     {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1453*e71b7053SJung-uk Kim     {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1454*e71b7053SJung-uk Kim #else
1455*e71b7053SJung-uk Kim     {DTLS1_VERSION, NULL, NULL},
1456*e71b7053SJung-uk Kim     {DTLS1_BAD_VER, NULL, NULL},
1457*e71b7053SJung-uk Kim #endif
1458*e71b7053SJung-uk Kim     {0, NULL, NULL},
1459*e71b7053SJung-uk Kim };
1460*e71b7053SJung-uk Kim 
1461*e71b7053SJung-uk Kim /*
1462*e71b7053SJung-uk Kim  * ssl_method_error - Check whether an SSL_METHOD is enabled.
1463*e71b7053SJung-uk Kim  *
1464*e71b7053SJung-uk Kim  * @s: The SSL handle for the candidate method
1465*e71b7053SJung-uk Kim  * @method: the intended method.
1466*e71b7053SJung-uk Kim  *
1467*e71b7053SJung-uk Kim  * Returns 0 on success, or an SSL error reason on failure.
1468*e71b7053SJung-uk Kim  */
1469*e71b7053SJung-uk Kim static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1470*e71b7053SJung-uk Kim {
1471*e71b7053SJung-uk Kim     int version = method->version;
1472*e71b7053SJung-uk Kim 
1473*e71b7053SJung-uk Kim     if ((s->min_proto_version != 0 &&
1474*e71b7053SJung-uk Kim          version_cmp(s, version, s->min_proto_version) < 0) ||
1475*e71b7053SJung-uk Kim         ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1476*e71b7053SJung-uk Kim         return SSL_R_VERSION_TOO_LOW;
1477*e71b7053SJung-uk Kim 
1478*e71b7053SJung-uk Kim     if (s->max_proto_version != 0 &&
1479*e71b7053SJung-uk Kim         version_cmp(s, version, s->max_proto_version) > 0)
1480*e71b7053SJung-uk Kim         return SSL_R_VERSION_TOO_HIGH;
1481*e71b7053SJung-uk Kim 
1482*e71b7053SJung-uk Kim     if ((s->options & method->mask) != 0)
1483*e71b7053SJung-uk Kim         return SSL_R_UNSUPPORTED_PROTOCOL;
1484*e71b7053SJung-uk Kim     if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1485*e71b7053SJung-uk Kim         return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1486*e71b7053SJung-uk Kim 
1487*e71b7053SJung-uk Kim     return 0;
1488*e71b7053SJung-uk Kim }
1489*e71b7053SJung-uk Kim 
1490*e71b7053SJung-uk Kim /*
1491*e71b7053SJung-uk Kim  * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1492*e71b7053SJung-uk Kim  * certificate type, or has PSK or a certificate callback configured. Otherwise
1493*e71b7053SJung-uk Kim  * returns 0.
1494*e71b7053SJung-uk Kim  */
1495*e71b7053SJung-uk Kim static int is_tls13_capable(const SSL *s)
1496*e71b7053SJung-uk Kim {
1497*e71b7053SJung-uk Kim     int i;
1498*e71b7053SJung-uk Kim 
1499*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_PSK
1500*e71b7053SJung-uk Kim     if (s->psk_server_callback != NULL)
1501*e71b7053SJung-uk Kim         return 1;
1502*e71b7053SJung-uk Kim #endif
1503*e71b7053SJung-uk Kim 
1504*e71b7053SJung-uk Kim     if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1505*e71b7053SJung-uk Kim         return 1;
1506*e71b7053SJung-uk Kim 
1507*e71b7053SJung-uk Kim     for (i = 0; i < SSL_PKEY_NUM; i++) {
1508*e71b7053SJung-uk Kim         /* Skip over certs disallowed for TLSv1.3 */
1509*e71b7053SJung-uk Kim         switch (i) {
1510*e71b7053SJung-uk Kim         case SSL_PKEY_DSA_SIGN:
1511*e71b7053SJung-uk Kim         case SSL_PKEY_GOST01:
1512*e71b7053SJung-uk Kim         case SSL_PKEY_GOST12_256:
1513*e71b7053SJung-uk Kim         case SSL_PKEY_GOST12_512:
1514*e71b7053SJung-uk Kim             continue;
1515*e71b7053SJung-uk Kim         default:
1516*e71b7053SJung-uk Kim             break;
1517*e71b7053SJung-uk Kim         }
1518*e71b7053SJung-uk Kim         if (ssl_has_cert(s, i))
1519*e71b7053SJung-uk Kim             return 1;
1520*e71b7053SJung-uk Kim     }
1521*e71b7053SJung-uk Kim 
1522*e71b7053SJung-uk Kim     return 0;
1523*e71b7053SJung-uk Kim }
1524*e71b7053SJung-uk Kim 
1525*e71b7053SJung-uk Kim /*
1526*e71b7053SJung-uk Kim  * ssl_version_supported - Check that the specified `version` is supported by
1527*e71b7053SJung-uk Kim  * `SSL *` instance
1528*e71b7053SJung-uk Kim  *
1529*e71b7053SJung-uk Kim  * @s: The SSL handle for the candidate method
1530*e71b7053SJung-uk Kim  * @version: Protocol version to test against
1531*e71b7053SJung-uk Kim  *
1532*e71b7053SJung-uk Kim  * Returns 1 when supported, otherwise 0
1533*e71b7053SJung-uk Kim  */
1534*e71b7053SJung-uk Kim int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1535*e71b7053SJung-uk Kim {
1536*e71b7053SJung-uk Kim     const version_info *vent;
1537*e71b7053SJung-uk Kim     const version_info *table;
1538*e71b7053SJung-uk Kim 
1539*e71b7053SJung-uk Kim     switch (s->method->version) {
1540*e71b7053SJung-uk Kim     default:
1541*e71b7053SJung-uk Kim         /* Version should match method version for non-ANY method */
1542*e71b7053SJung-uk Kim         return version_cmp(s, version, s->version) == 0;
1543*e71b7053SJung-uk Kim     case TLS_ANY_VERSION:
1544*e71b7053SJung-uk Kim         table = tls_version_table;
1545*e71b7053SJung-uk Kim         break;
1546*e71b7053SJung-uk Kim     case DTLS_ANY_VERSION:
1547*e71b7053SJung-uk Kim         table = dtls_version_table;
1548*e71b7053SJung-uk Kim         break;
1549*e71b7053SJung-uk Kim     }
1550*e71b7053SJung-uk Kim 
1551*e71b7053SJung-uk Kim     for (vent = table;
1552*e71b7053SJung-uk Kim          vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1553*e71b7053SJung-uk Kim          ++vent) {
1554*e71b7053SJung-uk Kim         if (vent->cmeth != NULL
1555*e71b7053SJung-uk Kim                 && version_cmp(s, version, vent->version) == 0
1556*e71b7053SJung-uk Kim                 && ssl_method_error(s, vent->cmeth()) == 0
1557*e71b7053SJung-uk Kim                 && (!s->server
1558*e71b7053SJung-uk Kim                     || version != TLS1_3_VERSION
1559*e71b7053SJung-uk Kim                     || is_tls13_capable(s))) {
1560*e71b7053SJung-uk Kim             if (meth != NULL)
1561*e71b7053SJung-uk Kim                 *meth = vent->cmeth();
1562*e71b7053SJung-uk Kim             return 1;
1563*e71b7053SJung-uk Kim         }
1564*e71b7053SJung-uk Kim     }
1565*e71b7053SJung-uk Kim     return 0;
1566*e71b7053SJung-uk Kim }
1567*e71b7053SJung-uk Kim 
1568*e71b7053SJung-uk Kim /*
1569*e71b7053SJung-uk Kim  * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1570*e71b7053SJung-uk Kim  * fallback indication from a client check whether we're using the highest
1571*e71b7053SJung-uk Kim  * supported protocol version.
1572*e71b7053SJung-uk Kim  *
1573*e71b7053SJung-uk Kim  * @s server SSL handle.
1574*e71b7053SJung-uk Kim  *
1575*e71b7053SJung-uk Kim  * Returns 1 when using the highest enabled version, 0 otherwise.
1576*e71b7053SJung-uk Kim  */
1577*e71b7053SJung-uk Kim int ssl_check_version_downgrade(SSL *s)
1578*e71b7053SJung-uk Kim {
1579*e71b7053SJung-uk Kim     const version_info *vent;
1580*e71b7053SJung-uk Kim     const version_info *table;
1581*e71b7053SJung-uk Kim 
1582*e71b7053SJung-uk Kim     /*
1583*e71b7053SJung-uk Kim      * Check that the current protocol is the highest enabled version
1584*e71b7053SJung-uk Kim      * (according to s->ctx->method, as version negotiation may have changed
1585*e71b7053SJung-uk Kim      * s->method).
1586*e71b7053SJung-uk Kim      */
1587*e71b7053SJung-uk Kim     if (s->version == s->ctx->method->version)
1588*e71b7053SJung-uk Kim         return 1;
1589*e71b7053SJung-uk Kim 
1590*e71b7053SJung-uk Kim     /*
1591*e71b7053SJung-uk Kim      * Apparently we're using a version-flexible SSL_METHOD (not at its
1592*e71b7053SJung-uk Kim      * highest protocol version).
1593*e71b7053SJung-uk Kim      */
1594*e71b7053SJung-uk Kim     if (s->ctx->method->version == TLS_method()->version)
1595*e71b7053SJung-uk Kim         table = tls_version_table;
1596*e71b7053SJung-uk Kim     else if (s->ctx->method->version == DTLS_method()->version)
1597*e71b7053SJung-uk Kim         table = dtls_version_table;
1598*e71b7053SJung-uk Kim     else {
1599*e71b7053SJung-uk Kim         /* Unexpected state; fail closed. */
1600*e71b7053SJung-uk Kim         return 0;
1601*e71b7053SJung-uk Kim     }
1602*e71b7053SJung-uk Kim 
1603*e71b7053SJung-uk Kim     for (vent = table; vent->version != 0; ++vent) {
1604*e71b7053SJung-uk Kim         if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1605*e71b7053SJung-uk Kim             return s->version == vent->version;
1606*e71b7053SJung-uk Kim     }
1607*e71b7053SJung-uk Kim     return 0;
1608*e71b7053SJung-uk Kim }
1609*e71b7053SJung-uk Kim 
1610*e71b7053SJung-uk Kim /*
1611*e71b7053SJung-uk Kim  * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1612*e71b7053SJung-uk Kim  * protocols, provided the initial (D)TLS method is version-flexible.  This
1613*e71b7053SJung-uk Kim  * function sanity-checks the proposed value and makes sure the method is
1614*e71b7053SJung-uk Kim  * version-flexible, then sets the limit if all is well.
1615*e71b7053SJung-uk Kim  *
1616*e71b7053SJung-uk Kim  * @method_version: The version of the current SSL_METHOD.
1617*e71b7053SJung-uk Kim  * @version: the intended limit.
1618*e71b7053SJung-uk Kim  * @bound: pointer to limit to be updated.
1619*e71b7053SJung-uk Kim  *
1620*e71b7053SJung-uk Kim  * Returns 1 on success, 0 on failure.
1621*e71b7053SJung-uk Kim  */
1622*e71b7053SJung-uk Kim int ssl_set_version_bound(int method_version, int version, int *bound)
1623*e71b7053SJung-uk Kim {
1624*e71b7053SJung-uk Kim     if (version == 0) {
1625*e71b7053SJung-uk Kim         *bound = version;
1626*e71b7053SJung-uk Kim         return 1;
1627*e71b7053SJung-uk Kim     }
1628*e71b7053SJung-uk Kim 
1629*e71b7053SJung-uk Kim     /*-
1630*e71b7053SJung-uk Kim      * Restrict TLS methods to TLS protocol versions.
1631*e71b7053SJung-uk Kim      * Restrict DTLS methods to DTLS protocol versions.
1632*e71b7053SJung-uk Kim      * Note, DTLS version numbers are decreasing, use comparison macros.
1633*e71b7053SJung-uk Kim      *
1634*e71b7053SJung-uk Kim      * Note that for both lower-bounds we use explicit versions, not
1635*e71b7053SJung-uk Kim      * (D)TLS_MIN_VERSION.  This is because we don't want to break user
1636*e71b7053SJung-uk Kim      * configurations.  If the MIN (supported) version ever rises, the user's
1637*e71b7053SJung-uk Kim      * "floor" remains valid even if no longer available.  We don't expect the
1638*e71b7053SJung-uk Kim      * MAX ceiling to ever get lower, so making that variable makes sense.
1639*e71b7053SJung-uk Kim      */
1640*e71b7053SJung-uk Kim     switch (method_version) {
1641*e71b7053SJung-uk Kim     default:
1642*e71b7053SJung-uk Kim         /*
1643*e71b7053SJung-uk Kim          * XXX For fixed version methods, should we always fail and not set any
1644*e71b7053SJung-uk Kim          * bounds, always succeed and not set any bounds, or set the bounds and
1645*e71b7053SJung-uk Kim          * arrange to fail later if they are not met?  At present fixed-version
1646*e71b7053SJung-uk Kim          * methods are not subject to controls that disable individual protocol
1647*e71b7053SJung-uk Kim          * versions.
1648*e71b7053SJung-uk Kim          */
1649*e71b7053SJung-uk Kim         return 0;
1650*e71b7053SJung-uk Kim 
1651*e71b7053SJung-uk Kim     case TLS_ANY_VERSION:
1652*e71b7053SJung-uk Kim         if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
1653*e71b7053SJung-uk Kim             return 0;
1654*e71b7053SJung-uk Kim         break;
1655*e71b7053SJung-uk Kim 
1656*e71b7053SJung-uk Kim     case DTLS_ANY_VERSION:
1657*e71b7053SJung-uk Kim         if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) ||
1658*e71b7053SJung-uk Kim             DTLS_VERSION_LT(version, DTLS1_BAD_VER))
1659*e71b7053SJung-uk Kim             return 0;
1660*e71b7053SJung-uk Kim         break;
1661*e71b7053SJung-uk Kim     }
1662*e71b7053SJung-uk Kim 
1663*e71b7053SJung-uk Kim     *bound = version;
1664*e71b7053SJung-uk Kim     return 1;
1665*e71b7053SJung-uk Kim }
1666*e71b7053SJung-uk Kim 
1667*e71b7053SJung-uk Kim static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1668*e71b7053SJung-uk Kim {
1669*e71b7053SJung-uk Kim     if (vers == TLS1_2_VERSION
1670*e71b7053SJung-uk Kim             && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1671*e71b7053SJung-uk Kim         *dgrd = DOWNGRADE_TO_1_2;
1672*e71b7053SJung-uk Kim     } else if (!SSL_IS_DTLS(s)
1673*e71b7053SJung-uk Kim             && vers < TLS1_2_VERSION
1674*e71b7053SJung-uk Kim                /*
1675*e71b7053SJung-uk Kim                 * We need to ensure that a server that disables TLSv1.2
1676*e71b7053SJung-uk Kim                 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1677*e71b7053SJung-uk Kim                 * complete handshakes with clients that support TLSv1.2 and
1678*e71b7053SJung-uk Kim                 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1679*e71b7053SJung-uk Kim                 * enabled and TLSv1.2 is not.
1680*e71b7053SJung-uk Kim                 */
1681*e71b7053SJung-uk Kim             && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1682*e71b7053SJung-uk Kim         *dgrd = DOWNGRADE_TO_1_1;
1683*e71b7053SJung-uk Kim     } else {
1684*e71b7053SJung-uk Kim         *dgrd = DOWNGRADE_NONE;
1685*e71b7053SJung-uk Kim     }
1686*e71b7053SJung-uk Kim }
1687*e71b7053SJung-uk Kim 
1688*e71b7053SJung-uk Kim /*
1689*e71b7053SJung-uk Kim  * ssl_choose_server_version - Choose server (D)TLS version.  Called when the
1690*e71b7053SJung-uk Kim  * client HELLO is received to select the final server protocol version and
1691*e71b7053SJung-uk Kim  * the version specific method.
1692*e71b7053SJung-uk Kim  *
1693*e71b7053SJung-uk Kim  * @s: server SSL handle.
1694*e71b7053SJung-uk Kim  *
1695*e71b7053SJung-uk Kim  * Returns 0 on success or an SSL error reason number on failure.
1696*e71b7053SJung-uk Kim  */
1697*e71b7053SJung-uk Kim int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1698*e71b7053SJung-uk Kim {
1699*e71b7053SJung-uk Kim     /*-
1700*e71b7053SJung-uk Kim      * With version-flexible methods we have an initial state with:
1701*e71b7053SJung-uk Kim      *
1702*e71b7053SJung-uk Kim      *   s->method->version == (D)TLS_ANY_VERSION,
1703*e71b7053SJung-uk Kim      *   s->version == (D)TLS_MAX_VERSION.
1704*e71b7053SJung-uk Kim      *
1705*e71b7053SJung-uk Kim      * So we detect version-flexible methods via the method version, not the
1706*e71b7053SJung-uk Kim      * handle version.
1707*e71b7053SJung-uk Kim      */
1708*e71b7053SJung-uk Kim     int server_version = s->method->version;
1709*e71b7053SJung-uk Kim     int client_version = hello->legacy_version;
1710*e71b7053SJung-uk Kim     const version_info *vent;
1711*e71b7053SJung-uk Kim     const version_info *table;
1712*e71b7053SJung-uk Kim     int disabled = 0;
1713*e71b7053SJung-uk Kim     RAW_EXTENSION *suppversions;
1714*e71b7053SJung-uk Kim 
1715*e71b7053SJung-uk Kim     s->client_version = client_version;
1716*e71b7053SJung-uk Kim 
1717*e71b7053SJung-uk Kim     switch (server_version) {
1718*e71b7053SJung-uk Kim     default:
1719*e71b7053SJung-uk Kim         if (!SSL_IS_TLS13(s)) {
1720*e71b7053SJung-uk Kim             if (version_cmp(s, client_version, s->version) < 0)
1721*e71b7053SJung-uk Kim                 return SSL_R_WRONG_SSL_VERSION;
1722*e71b7053SJung-uk Kim             *dgrd = DOWNGRADE_NONE;
1723*e71b7053SJung-uk Kim             /*
1724*e71b7053SJung-uk Kim              * If this SSL handle is not from a version flexible method we don't
1725*e71b7053SJung-uk Kim              * (and never did) check min/max FIPS or Suite B constraints.  Hope
1726*e71b7053SJung-uk Kim              * that's OK.  It is up to the caller to not choose fixed protocol
1727*e71b7053SJung-uk Kim              * versions they don't want.  If not, then easy to fix, just return
1728*e71b7053SJung-uk Kim              * ssl_method_error(s, s->method)
1729*e71b7053SJung-uk Kim              */
1730*e71b7053SJung-uk Kim             return 0;
1731*e71b7053SJung-uk Kim         }
1732*e71b7053SJung-uk Kim         /*
1733*e71b7053SJung-uk Kim          * Fall through if we are TLSv1.3 already (this means we must be after
1734*e71b7053SJung-uk Kim          * a HelloRetryRequest
1735*e71b7053SJung-uk Kim          */
1736*e71b7053SJung-uk Kim         /* fall thru */
1737*e71b7053SJung-uk Kim     case TLS_ANY_VERSION:
1738*e71b7053SJung-uk Kim         table = tls_version_table;
1739*e71b7053SJung-uk Kim         break;
1740*e71b7053SJung-uk Kim     case DTLS_ANY_VERSION:
1741*e71b7053SJung-uk Kim         table = dtls_version_table;
1742*e71b7053SJung-uk Kim         break;
1743*e71b7053SJung-uk Kim     }
1744*e71b7053SJung-uk Kim 
1745*e71b7053SJung-uk Kim     suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1746*e71b7053SJung-uk Kim 
1747*e71b7053SJung-uk Kim     /* If we did an HRR then supported versions is mandatory */
1748*e71b7053SJung-uk Kim     if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1749*e71b7053SJung-uk Kim         return SSL_R_UNSUPPORTED_PROTOCOL;
1750*e71b7053SJung-uk Kim 
1751*e71b7053SJung-uk Kim     if (suppversions->present && !SSL_IS_DTLS(s)) {
1752*e71b7053SJung-uk Kim         unsigned int candidate_vers = 0;
1753*e71b7053SJung-uk Kim         unsigned int best_vers = 0;
1754*e71b7053SJung-uk Kim         const SSL_METHOD *best_method = NULL;
1755*e71b7053SJung-uk Kim         PACKET versionslist;
1756*e71b7053SJung-uk Kim 
1757*e71b7053SJung-uk Kim         suppversions->parsed = 1;
1758*e71b7053SJung-uk Kim 
1759*e71b7053SJung-uk Kim         if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1760*e71b7053SJung-uk Kim             /* Trailing or invalid data? */
1761*e71b7053SJung-uk Kim             return SSL_R_LENGTH_MISMATCH;
1762*e71b7053SJung-uk Kim         }
1763*e71b7053SJung-uk Kim 
1764*e71b7053SJung-uk Kim         /*
1765*e71b7053SJung-uk Kim          * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1766*e71b7053SJung-uk Kim          * The spec only requires servers to check that it isn't SSLv3:
1767*e71b7053SJung-uk Kim          * "Any endpoint receiving a Hello message with
1768*e71b7053SJung-uk Kim          * ClientHello.legacy_version or ServerHello.legacy_version set to
1769*e71b7053SJung-uk Kim          * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1770*e71b7053SJung-uk Kim          * We are slightly stricter and require that it isn't SSLv3 or lower.
1771*e71b7053SJung-uk Kim          * We tolerate TLSv1 and TLSv1.1.
1772*e71b7053SJung-uk Kim          */
1773*e71b7053SJung-uk Kim         if (client_version <= SSL3_VERSION)
1774*e71b7053SJung-uk Kim             return SSL_R_BAD_LEGACY_VERSION;
1775*e71b7053SJung-uk Kim 
1776*e71b7053SJung-uk Kim         while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1777*e71b7053SJung-uk Kim             if (version_cmp(s, candidate_vers, best_vers) <= 0)
1778*e71b7053SJung-uk Kim                 continue;
1779*e71b7053SJung-uk Kim             if (ssl_version_supported(s, candidate_vers, &best_method))
1780*e71b7053SJung-uk Kim                 best_vers = candidate_vers;
1781*e71b7053SJung-uk Kim         }
1782*e71b7053SJung-uk Kim         if (PACKET_remaining(&versionslist) != 0) {
1783*e71b7053SJung-uk Kim             /* Trailing data? */
1784*e71b7053SJung-uk Kim             return SSL_R_LENGTH_MISMATCH;
1785*e71b7053SJung-uk Kim         }
1786*e71b7053SJung-uk Kim 
1787*e71b7053SJung-uk Kim         if (best_vers > 0) {
1788*e71b7053SJung-uk Kim             if (s->hello_retry_request != SSL_HRR_NONE) {
1789*e71b7053SJung-uk Kim                 /*
1790*e71b7053SJung-uk Kim                  * This is after a HelloRetryRequest so we better check that we
1791*e71b7053SJung-uk Kim                  * negotiated TLSv1.3
1792*e71b7053SJung-uk Kim                  */
1793*e71b7053SJung-uk Kim                 if (best_vers != TLS1_3_VERSION)
1794*e71b7053SJung-uk Kim                     return SSL_R_UNSUPPORTED_PROTOCOL;
1795*e71b7053SJung-uk Kim                 return 0;
1796*e71b7053SJung-uk Kim             }
1797*e71b7053SJung-uk Kim             check_for_downgrade(s, best_vers, dgrd);
1798*e71b7053SJung-uk Kim             s->version = best_vers;
1799*e71b7053SJung-uk Kim             s->method = best_method;
1800*e71b7053SJung-uk Kim             return 0;
1801*e71b7053SJung-uk Kim         }
1802*e71b7053SJung-uk Kim         return SSL_R_UNSUPPORTED_PROTOCOL;
1803*e71b7053SJung-uk Kim     }
1804*e71b7053SJung-uk Kim 
1805*e71b7053SJung-uk Kim     /*
1806*e71b7053SJung-uk Kim      * If the supported versions extension isn't present, then the highest
1807*e71b7053SJung-uk Kim      * version we can negotiate is TLSv1.2
1808*e71b7053SJung-uk Kim      */
1809*e71b7053SJung-uk Kim     if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1810*e71b7053SJung-uk Kim         client_version = TLS1_2_VERSION;
1811*e71b7053SJung-uk Kim 
1812*e71b7053SJung-uk Kim     /*
1813*e71b7053SJung-uk Kim      * No supported versions extension, so we just use the version supplied in
1814*e71b7053SJung-uk Kim      * the ClientHello.
1815*e71b7053SJung-uk Kim      */
1816*e71b7053SJung-uk Kim     for (vent = table; vent->version != 0; ++vent) {
1817*e71b7053SJung-uk Kim         const SSL_METHOD *method;
1818*e71b7053SJung-uk Kim 
1819*e71b7053SJung-uk Kim         if (vent->smeth == NULL ||
1820*e71b7053SJung-uk Kim             version_cmp(s, client_version, vent->version) < 0)
1821*e71b7053SJung-uk Kim             continue;
1822*e71b7053SJung-uk Kim         method = vent->smeth();
1823*e71b7053SJung-uk Kim         if (ssl_method_error(s, method) == 0) {
1824*e71b7053SJung-uk Kim             check_for_downgrade(s, vent->version, dgrd);
1825*e71b7053SJung-uk Kim             s->version = vent->version;
1826*e71b7053SJung-uk Kim             s->method = method;
1827*e71b7053SJung-uk Kim             return 0;
1828*e71b7053SJung-uk Kim         }
1829*e71b7053SJung-uk Kim         disabled = 1;
1830*e71b7053SJung-uk Kim     }
1831*e71b7053SJung-uk Kim     return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1832*e71b7053SJung-uk Kim }
1833*e71b7053SJung-uk Kim 
1834*e71b7053SJung-uk Kim /*
1835*e71b7053SJung-uk Kim  * ssl_choose_client_version - Choose client (D)TLS version.  Called when the
1836*e71b7053SJung-uk Kim  * server HELLO is received to select the final client protocol version and
1837*e71b7053SJung-uk Kim  * the version specific method.
1838*e71b7053SJung-uk Kim  *
1839*e71b7053SJung-uk Kim  * @s: client SSL handle.
1840*e71b7053SJung-uk Kim  * @version: The proposed version from the server's HELLO.
1841*e71b7053SJung-uk Kim  * @extensions: The extensions received
1842*e71b7053SJung-uk Kim  *
1843*e71b7053SJung-uk Kim  * Returns 1 on success or 0 on error.
1844*e71b7053SJung-uk Kim  */
1845*e71b7053SJung-uk Kim int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1846*e71b7053SJung-uk Kim {
1847*e71b7053SJung-uk Kim     const version_info *vent;
1848*e71b7053SJung-uk Kim     const version_info *table;
1849*e71b7053SJung-uk Kim     int ret, ver_min, ver_max, real_max, origv;
1850*e71b7053SJung-uk Kim 
1851*e71b7053SJung-uk Kim     origv = s->version;
1852*e71b7053SJung-uk Kim     s->version = version;
1853*e71b7053SJung-uk Kim 
1854*e71b7053SJung-uk Kim     /* This will overwrite s->version if the extension is present */
1855*e71b7053SJung-uk Kim     if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1856*e71b7053SJung-uk Kim                              SSL_EXT_TLS1_2_SERVER_HELLO
1857*e71b7053SJung-uk Kim                              | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1858*e71b7053SJung-uk Kim                              NULL, 0)) {
1859*e71b7053SJung-uk Kim         s->version = origv;
1860*e71b7053SJung-uk Kim         return 0;
1861*e71b7053SJung-uk Kim     }
1862*e71b7053SJung-uk Kim 
1863*e71b7053SJung-uk Kim     if (s->hello_retry_request != SSL_HRR_NONE
1864*e71b7053SJung-uk Kim             && s->version != TLS1_3_VERSION) {
1865*e71b7053SJung-uk Kim         s->version = origv;
1866*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1867*e71b7053SJung-uk Kim                  SSL_R_WRONG_SSL_VERSION);
1868*e71b7053SJung-uk Kim         return 0;
1869*e71b7053SJung-uk Kim     }
1870*e71b7053SJung-uk Kim 
1871*e71b7053SJung-uk Kim     switch (s->method->version) {
1872*e71b7053SJung-uk Kim     default:
1873*e71b7053SJung-uk Kim         if (s->version != s->method->version) {
1874*e71b7053SJung-uk Kim             s->version = origv;
1875*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1876*e71b7053SJung-uk Kim                      SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1877*e71b7053SJung-uk Kim                      SSL_R_WRONG_SSL_VERSION);
1878*e71b7053SJung-uk Kim             return 0;
1879*e71b7053SJung-uk Kim         }
1880*e71b7053SJung-uk Kim         /*
1881*e71b7053SJung-uk Kim          * If this SSL handle is not from a version flexible method we don't
1882*e71b7053SJung-uk Kim          * (and never did) check min/max, FIPS or Suite B constraints.  Hope
1883*e71b7053SJung-uk Kim          * that's OK.  It is up to the caller to not choose fixed protocol
1884*e71b7053SJung-uk Kim          * versions they don't want.  If not, then easy to fix, just return
1885*e71b7053SJung-uk Kim          * ssl_method_error(s, s->method)
1886*e71b7053SJung-uk Kim          */
1887*e71b7053SJung-uk Kim         return 1;
1888*e71b7053SJung-uk Kim     case TLS_ANY_VERSION:
1889*e71b7053SJung-uk Kim         table = tls_version_table;
1890*e71b7053SJung-uk Kim         break;
1891*e71b7053SJung-uk Kim     case DTLS_ANY_VERSION:
1892*e71b7053SJung-uk Kim         table = dtls_version_table;
1893*e71b7053SJung-uk Kim         break;
1894*e71b7053SJung-uk Kim     }
1895*e71b7053SJung-uk Kim 
1896*e71b7053SJung-uk Kim     ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1897*e71b7053SJung-uk Kim     if (ret != 0) {
1898*e71b7053SJung-uk Kim         s->version = origv;
1899*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1900*e71b7053SJung-uk Kim                  SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
1901*e71b7053SJung-uk Kim         return 0;
1902*e71b7053SJung-uk Kim     }
1903*e71b7053SJung-uk Kim     if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1904*e71b7053SJung-uk Kim                        : s->version < ver_min) {
1905*e71b7053SJung-uk Kim         s->version = origv;
1906*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1907*e71b7053SJung-uk Kim                  SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1908*e71b7053SJung-uk Kim         return 0;
1909*e71b7053SJung-uk Kim     } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1910*e71b7053SJung-uk Kim                               : s->version > ver_max) {
1911*e71b7053SJung-uk Kim         s->version = origv;
1912*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1913*e71b7053SJung-uk Kim                  SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1914*e71b7053SJung-uk Kim         return 0;
1915*e71b7053SJung-uk Kim     }
1916*e71b7053SJung-uk Kim 
1917*e71b7053SJung-uk Kim     if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1918*e71b7053SJung-uk Kim         real_max = ver_max;
1919*e71b7053SJung-uk Kim 
1920*e71b7053SJung-uk Kim     /* Check for downgrades */
1921*e71b7053SJung-uk Kim     if (s->version == TLS1_2_VERSION && real_max > s->version) {
1922*e71b7053SJung-uk Kim         if (memcmp(tls12downgrade,
1923*e71b7053SJung-uk Kim                    s->s3->server_random + SSL3_RANDOM_SIZE
1924*e71b7053SJung-uk Kim                                         - sizeof(tls12downgrade),
1925*e71b7053SJung-uk Kim                    sizeof(tls12downgrade)) == 0) {
1926*e71b7053SJung-uk Kim             s->version = origv;
1927*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1928*e71b7053SJung-uk Kim                      SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1929*e71b7053SJung-uk Kim                      SSL_R_INAPPROPRIATE_FALLBACK);
1930*e71b7053SJung-uk Kim             return 0;
1931*e71b7053SJung-uk Kim         }
1932*e71b7053SJung-uk Kim     } else if (!SSL_IS_DTLS(s)
1933*e71b7053SJung-uk Kim                && s->version < TLS1_2_VERSION
1934*e71b7053SJung-uk Kim                && real_max > s->version) {
1935*e71b7053SJung-uk Kim         if (memcmp(tls11downgrade,
1936*e71b7053SJung-uk Kim                    s->s3->server_random + SSL3_RANDOM_SIZE
1937*e71b7053SJung-uk Kim                                         - sizeof(tls11downgrade),
1938*e71b7053SJung-uk Kim                    sizeof(tls11downgrade)) == 0) {
1939*e71b7053SJung-uk Kim             s->version = origv;
1940*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1941*e71b7053SJung-uk Kim                      SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1942*e71b7053SJung-uk Kim                      SSL_R_INAPPROPRIATE_FALLBACK);
1943*e71b7053SJung-uk Kim             return 0;
1944*e71b7053SJung-uk Kim         }
1945*e71b7053SJung-uk Kim     }
1946*e71b7053SJung-uk Kim 
1947*e71b7053SJung-uk Kim     for (vent = table; vent->version != 0; ++vent) {
1948*e71b7053SJung-uk Kim         if (vent->cmeth == NULL || s->version != vent->version)
1949*e71b7053SJung-uk Kim             continue;
1950*e71b7053SJung-uk Kim 
1951*e71b7053SJung-uk Kim         s->method = vent->cmeth();
1952*e71b7053SJung-uk Kim         return 1;
1953*e71b7053SJung-uk Kim     }
1954*e71b7053SJung-uk Kim 
1955*e71b7053SJung-uk Kim     s->version = origv;
1956*e71b7053SJung-uk Kim     SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1957*e71b7053SJung-uk Kim              SSL_R_UNSUPPORTED_PROTOCOL);
1958*e71b7053SJung-uk Kim     return 0;
1959*e71b7053SJung-uk Kim }
1960*e71b7053SJung-uk Kim 
1961*e71b7053SJung-uk Kim /*
1962*e71b7053SJung-uk Kim  * ssl_get_min_max_version - get minimum and maximum protocol version
1963*e71b7053SJung-uk Kim  * @s: The SSL connection
1964*e71b7053SJung-uk Kim  * @min_version: The minimum supported version
1965*e71b7053SJung-uk Kim  * @max_version: The maximum supported version
1966*e71b7053SJung-uk Kim  * @real_max:    The highest version below the lowest compile time version hole
1967*e71b7053SJung-uk Kim  *               where that hole lies above at least one run-time enabled
1968*e71b7053SJung-uk Kim  *               protocol.
1969*e71b7053SJung-uk Kim  *
1970*e71b7053SJung-uk Kim  * Work out what version we should be using for the initial ClientHello if the
1971*e71b7053SJung-uk Kim  * version is initially (D)TLS_ANY_VERSION.  We apply any explicit SSL_OP_NO_xxx
1972*e71b7053SJung-uk Kim  * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
1973*e71b7053SJung-uk Kim  * constraints and any floor imposed by the security level here,
1974*e71b7053SJung-uk Kim  * so we don't advertise the wrong protocol version to only reject the outcome later.
1975*e71b7053SJung-uk Kim  *
1976*e71b7053SJung-uk Kim  * Computing the right floor matters.  If, e.g., TLS 1.0 and 1.2 are enabled,
1977*e71b7053SJung-uk Kim  * TLS 1.1 is disabled, but the security level, Suite-B  and/or MinProtocol
1978*e71b7053SJung-uk Kim  * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
1979*e71b7053SJung-uk Kim  *
1980*e71b7053SJung-uk Kim  * Returns 0 on success or an SSL error reason number on failure.  On failure
1981*e71b7053SJung-uk Kim  * min_version and max_version will also be set to 0.
1982*e71b7053SJung-uk Kim  */
1983*e71b7053SJung-uk Kim int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
1984*e71b7053SJung-uk Kim                             int *real_max)
1985*e71b7053SJung-uk Kim {
1986*e71b7053SJung-uk Kim     int version, tmp_real_max;
1987*e71b7053SJung-uk Kim     int hole;
1988*e71b7053SJung-uk Kim     const SSL_METHOD *single = NULL;
1989*e71b7053SJung-uk Kim     const SSL_METHOD *method;
1990*e71b7053SJung-uk Kim     const version_info *table;
1991*e71b7053SJung-uk Kim     const version_info *vent;
1992*e71b7053SJung-uk Kim 
1993*e71b7053SJung-uk Kim     switch (s->method->version) {
1994*e71b7053SJung-uk Kim     default:
1995*e71b7053SJung-uk Kim         /*
1996*e71b7053SJung-uk Kim          * If this SSL handle is not from a version flexible method we don't
1997*e71b7053SJung-uk Kim          * (and never did) check min/max FIPS or Suite B constraints.  Hope
1998*e71b7053SJung-uk Kim          * that's OK.  It is up to the caller to not choose fixed protocol
1999*e71b7053SJung-uk Kim          * versions they don't want.  If not, then easy to fix, just return
2000*e71b7053SJung-uk Kim          * ssl_method_error(s, s->method)
2001*e71b7053SJung-uk Kim          */
2002*e71b7053SJung-uk Kim         *min_version = *max_version = s->version;
2003*e71b7053SJung-uk Kim         /*
2004*e71b7053SJung-uk Kim          * Providing a real_max only makes sense where we're using a version
2005*e71b7053SJung-uk Kim          * flexible method.
2006*e71b7053SJung-uk Kim          */
2007*e71b7053SJung-uk Kim         if (!ossl_assert(real_max == NULL))
2008*e71b7053SJung-uk Kim             return ERR_R_INTERNAL_ERROR;
2009*e71b7053SJung-uk Kim         return 0;
2010*e71b7053SJung-uk Kim     case TLS_ANY_VERSION:
2011*e71b7053SJung-uk Kim         table = tls_version_table;
2012*e71b7053SJung-uk Kim         break;
2013*e71b7053SJung-uk Kim     case DTLS_ANY_VERSION:
2014*e71b7053SJung-uk Kim         table = dtls_version_table;
2015*e71b7053SJung-uk Kim         break;
2016*e71b7053SJung-uk Kim     }
2017*e71b7053SJung-uk Kim 
2018*e71b7053SJung-uk Kim     /*
2019*e71b7053SJung-uk Kim      * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2020*e71b7053SJung-uk Kim      * below X enabled. This is required in order to maintain the "version
2021*e71b7053SJung-uk Kim      * capability" vector contiguous. Any versions with a NULL client method
2022*e71b7053SJung-uk Kim      * (protocol version client is disabled at compile-time) is also a "hole".
2023*e71b7053SJung-uk Kim      *
2024*e71b7053SJung-uk Kim      * Our initial state is hole == 1, version == 0.  That is, versions above
2025*e71b7053SJung-uk Kim      * the first version in the method table are disabled (a "hole" above
2026*e71b7053SJung-uk Kim      * the valid protocol entries) and we don't have a selected version yet.
2027*e71b7053SJung-uk Kim      *
2028*e71b7053SJung-uk Kim      * Whenever "hole == 1", and we hit an enabled method, its version becomes
2029*e71b7053SJung-uk Kim      * the selected version, and the method becomes a candidate "single"
2030*e71b7053SJung-uk Kim      * method.  We're no longer in a hole, so "hole" becomes 0.
2031*e71b7053SJung-uk Kim      *
2032*e71b7053SJung-uk Kim      * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2033*e71b7053SJung-uk Kim      * as we support a contiguous range of at least two methods.  If we hit
2034*e71b7053SJung-uk Kim      * a disabled method, then hole becomes true again, but nothing else
2035*e71b7053SJung-uk Kim      * changes yet, because all the remaining methods may be disabled too.
2036*e71b7053SJung-uk Kim      * If we again hit an enabled method after the new hole, it becomes
2037*e71b7053SJung-uk Kim      * selected, as we start from scratch.
2038*e71b7053SJung-uk Kim      */
2039*e71b7053SJung-uk Kim     *min_version = version = 0;
2040*e71b7053SJung-uk Kim     hole = 1;
2041*e71b7053SJung-uk Kim     if (real_max != NULL)
2042*e71b7053SJung-uk Kim         *real_max = 0;
2043*e71b7053SJung-uk Kim     tmp_real_max = 0;
2044*e71b7053SJung-uk Kim     for (vent = table; vent->version != 0; ++vent) {
2045*e71b7053SJung-uk Kim         /*
2046*e71b7053SJung-uk Kim          * A table entry with a NULL client method is still a hole in the
2047*e71b7053SJung-uk Kim          * "version capability" vector.
2048*e71b7053SJung-uk Kim          */
2049*e71b7053SJung-uk Kim         if (vent->cmeth == NULL) {
2050*e71b7053SJung-uk Kim             hole = 1;
2051*e71b7053SJung-uk Kim             tmp_real_max = 0;
2052*e71b7053SJung-uk Kim             continue;
2053*e71b7053SJung-uk Kim         }
2054*e71b7053SJung-uk Kim         method = vent->cmeth();
2055*e71b7053SJung-uk Kim 
2056*e71b7053SJung-uk Kim         if (hole == 1 && tmp_real_max == 0)
2057*e71b7053SJung-uk Kim             tmp_real_max = vent->version;
2058*e71b7053SJung-uk Kim 
2059*e71b7053SJung-uk Kim         if (ssl_method_error(s, method) != 0) {
2060*e71b7053SJung-uk Kim             hole = 1;
2061*e71b7053SJung-uk Kim         } else if (!hole) {
2062*e71b7053SJung-uk Kim             single = NULL;
2063*e71b7053SJung-uk Kim             *min_version = method->version;
2064*e71b7053SJung-uk Kim         } else {
2065*e71b7053SJung-uk Kim             if (real_max != NULL && tmp_real_max != 0)
2066*e71b7053SJung-uk Kim                 *real_max = tmp_real_max;
2067*e71b7053SJung-uk Kim             version = (single = method)->version;
2068*e71b7053SJung-uk Kim             *min_version = version;
2069*e71b7053SJung-uk Kim             hole = 0;
2070*e71b7053SJung-uk Kim         }
2071*e71b7053SJung-uk Kim     }
2072*e71b7053SJung-uk Kim 
2073*e71b7053SJung-uk Kim     *max_version = version;
2074*e71b7053SJung-uk Kim 
2075*e71b7053SJung-uk Kim     /* Fail if everything is disabled */
2076*e71b7053SJung-uk Kim     if (version == 0)
2077*e71b7053SJung-uk Kim         return SSL_R_NO_PROTOCOLS_AVAILABLE;
2078*e71b7053SJung-uk Kim 
2079*e71b7053SJung-uk Kim     return 0;
2080*e71b7053SJung-uk Kim }
2081*e71b7053SJung-uk Kim 
2082*e71b7053SJung-uk Kim /*
2083*e71b7053SJung-uk Kim  * ssl_set_client_hello_version - Work out what version we should be using for
2084*e71b7053SJung-uk Kim  * the initial ClientHello.legacy_version field.
2085*e71b7053SJung-uk Kim  *
2086*e71b7053SJung-uk Kim  * @s: client SSL handle.
2087*e71b7053SJung-uk Kim  *
2088*e71b7053SJung-uk Kim  * Returns 0 on success or an SSL error reason number on failure.
2089*e71b7053SJung-uk Kim  */
2090*e71b7053SJung-uk Kim int ssl_set_client_hello_version(SSL *s)
2091*e71b7053SJung-uk Kim {
2092*e71b7053SJung-uk Kim     int ver_min, ver_max, ret;
2093*e71b7053SJung-uk Kim 
2094*e71b7053SJung-uk Kim     /*
2095*e71b7053SJung-uk Kim      * In a renegotiation we always send the same client_version that we sent
2096*e71b7053SJung-uk Kim      * last time, regardless of which version we eventually negotiated.
2097*e71b7053SJung-uk Kim      */
2098*e71b7053SJung-uk Kim     if (!SSL_IS_FIRST_HANDSHAKE(s))
2099*e71b7053SJung-uk Kim         return 0;
2100*e71b7053SJung-uk Kim 
2101*e71b7053SJung-uk Kim     ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2102*e71b7053SJung-uk Kim 
2103*e71b7053SJung-uk Kim     if (ret != 0)
2104*e71b7053SJung-uk Kim         return ret;
2105*e71b7053SJung-uk Kim 
2106*e71b7053SJung-uk Kim     s->version = ver_max;
2107*e71b7053SJung-uk Kim 
2108*e71b7053SJung-uk Kim     /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2109*e71b7053SJung-uk Kim     if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2110*e71b7053SJung-uk Kim         ver_max = TLS1_2_VERSION;
2111*e71b7053SJung-uk Kim 
2112*e71b7053SJung-uk Kim     s->client_version = ver_max;
2113*e71b7053SJung-uk Kim     return 0;
2114*e71b7053SJung-uk Kim }
2115*e71b7053SJung-uk Kim 
2116*e71b7053SJung-uk Kim /*
2117*e71b7053SJung-uk Kim  * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2118*e71b7053SJung-uk Kim  * and |checkallow| is 1 then additionally check if the group is allowed to be
2119*e71b7053SJung-uk Kim  * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2120*e71b7053SJung-uk Kim  * 1) or 0 otherwise.
2121*e71b7053SJung-uk Kim  */
2122*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_EC
2123*e71b7053SJung-uk Kim int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2124*e71b7053SJung-uk Kim                   size_t num_groups, int checkallow)
2125*e71b7053SJung-uk Kim {
2126*e71b7053SJung-uk Kim     size_t i;
2127*e71b7053SJung-uk Kim 
2128*e71b7053SJung-uk Kim     if (groups == NULL || num_groups == 0)
2129*e71b7053SJung-uk Kim         return 0;
2130*e71b7053SJung-uk Kim 
2131*e71b7053SJung-uk Kim     for (i = 0; i < num_groups; i++) {
2132*e71b7053SJung-uk Kim         uint16_t group = groups[i];
2133*e71b7053SJung-uk Kim 
2134*e71b7053SJung-uk Kim         if (group_id == group
2135*e71b7053SJung-uk Kim                 && (!checkallow
2136*e71b7053SJung-uk Kim                     || tls_curve_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2137*e71b7053SJung-uk Kim             return 1;
2138*e71b7053SJung-uk Kim         }
2139*e71b7053SJung-uk Kim     }
2140*e71b7053SJung-uk Kim 
2141*e71b7053SJung-uk Kim     return 0;
2142*e71b7053SJung-uk Kim }
2143*e71b7053SJung-uk Kim #endif
2144*e71b7053SJung-uk Kim 
2145*e71b7053SJung-uk Kim /* Replace ClientHello1 in the transcript hash with a synthetic message */
2146*e71b7053SJung-uk Kim int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2147*e71b7053SJung-uk Kim                                   size_t hashlen, const unsigned char *hrr,
2148*e71b7053SJung-uk Kim                                   size_t hrrlen)
2149*e71b7053SJung-uk Kim {
2150*e71b7053SJung-uk Kim     unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2151*e71b7053SJung-uk Kim     unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2152*e71b7053SJung-uk Kim 
2153*e71b7053SJung-uk Kim     memset(msghdr, 0, sizeof(msghdr));
2154*e71b7053SJung-uk Kim 
2155*e71b7053SJung-uk Kim     if (hashval == NULL) {
2156*e71b7053SJung-uk Kim         hashval = hashvaltmp;
2157*e71b7053SJung-uk Kim         hashlen = 0;
2158*e71b7053SJung-uk Kim         /* Get the hash of the initial ClientHello */
2159*e71b7053SJung-uk Kim         if (!ssl3_digest_cached_records(s, 0)
2160*e71b7053SJung-uk Kim                 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2161*e71b7053SJung-uk Kim                                        &hashlen)) {
2162*e71b7053SJung-uk Kim             /* SSLfatal() already called */
2163*e71b7053SJung-uk Kim             return 0;
2164*e71b7053SJung-uk Kim         }
2165*e71b7053SJung-uk Kim     }
2166*e71b7053SJung-uk Kim 
2167*e71b7053SJung-uk Kim     /* Reinitialise the transcript hash */
2168*e71b7053SJung-uk Kim     if (!ssl3_init_finished_mac(s)) {
2169*e71b7053SJung-uk Kim         /* SSLfatal() already called */
2170*e71b7053SJung-uk Kim         return 0;
2171*e71b7053SJung-uk Kim     }
2172*e71b7053SJung-uk Kim 
2173*e71b7053SJung-uk Kim     /* Inject the synthetic message_hash message */
2174*e71b7053SJung-uk Kim     msghdr[0] = SSL3_MT_MESSAGE_HASH;
2175*e71b7053SJung-uk Kim     msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2176*e71b7053SJung-uk Kim     if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2177*e71b7053SJung-uk Kim             || !ssl3_finish_mac(s, hashval, hashlen)) {
2178*e71b7053SJung-uk Kim         /* SSLfatal() already called */
2179*e71b7053SJung-uk Kim         return 0;
2180*e71b7053SJung-uk Kim     }
2181*e71b7053SJung-uk Kim 
2182*e71b7053SJung-uk Kim     /*
2183*e71b7053SJung-uk Kim      * Now re-inject the HRR and current message if appropriate (we just deleted
2184*e71b7053SJung-uk Kim      * it when we reinitialised the transcript hash above). Only necessary after
2185*e71b7053SJung-uk Kim      * receiving a ClientHello2 with a cookie.
2186*e71b7053SJung-uk Kim      */
2187*e71b7053SJung-uk Kim     if (hrr != NULL
2188*e71b7053SJung-uk Kim             && (!ssl3_finish_mac(s, hrr, hrrlen)
2189*e71b7053SJung-uk Kim                 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2190*e71b7053SJung-uk Kim                                     s->s3->tmp.message_size
2191*e71b7053SJung-uk Kim                                     + SSL3_HM_HEADER_LENGTH))) {
2192*e71b7053SJung-uk Kim         /* SSLfatal() already called */
2193*e71b7053SJung-uk Kim         return 0;
2194*e71b7053SJung-uk Kim     }
2195*e71b7053SJung-uk Kim 
2196*e71b7053SJung-uk Kim     return 1;
2197*e71b7053SJung-uk Kim }
2198*e71b7053SJung-uk Kim 
2199*e71b7053SJung-uk Kim static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2200*e71b7053SJung-uk Kim {
2201*e71b7053SJung-uk Kim     return X509_NAME_cmp(*a, *b);
2202*e71b7053SJung-uk Kim }
2203*e71b7053SJung-uk Kim 
2204*e71b7053SJung-uk Kim int parse_ca_names(SSL *s, PACKET *pkt)
2205*e71b7053SJung-uk Kim {
2206*e71b7053SJung-uk Kim     STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2207*e71b7053SJung-uk Kim     X509_NAME *xn = NULL;
2208*e71b7053SJung-uk Kim     PACKET cadns;
2209*e71b7053SJung-uk Kim 
2210*e71b7053SJung-uk Kim     if (ca_sk == NULL) {
2211*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2212*e71b7053SJung-uk Kim                  ERR_R_MALLOC_FAILURE);
2213*e71b7053SJung-uk Kim         goto err;
2214*e71b7053SJung-uk Kim     }
2215*e71b7053SJung-uk Kim     /* get the CA RDNs */
2216*e71b7053SJung-uk Kim     if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2217*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
2218*e71b7053SJung-uk Kim                  SSL_R_LENGTH_MISMATCH);
2219*e71b7053SJung-uk Kim         goto err;
2220*e71b7053SJung-uk Kim     }
2221*e71b7053SJung-uk Kim 
2222*e71b7053SJung-uk Kim     while (PACKET_remaining(&cadns)) {
2223*e71b7053SJung-uk Kim         const unsigned char *namestart, *namebytes;
2224*e71b7053SJung-uk Kim         unsigned int name_len;
2225*e71b7053SJung-uk Kim 
2226*e71b7053SJung-uk Kim         if (!PACKET_get_net_2(&cadns, &name_len)
2227*e71b7053SJung-uk Kim             || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2228*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2229*e71b7053SJung-uk Kim                      SSL_R_LENGTH_MISMATCH);
2230*e71b7053SJung-uk Kim             goto err;
2231*e71b7053SJung-uk Kim         }
2232*e71b7053SJung-uk Kim 
2233*e71b7053SJung-uk Kim         namestart = namebytes;
2234*e71b7053SJung-uk Kim         if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2235*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2236*e71b7053SJung-uk Kim                      ERR_R_ASN1_LIB);
2237*e71b7053SJung-uk Kim             goto err;
2238*e71b7053SJung-uk Kim         }
2239*e71b7053SJung-uk Kim         if (namebytes != (namestart + name_len)) {
2240*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2241*e71b7053SJung-uk Kim                      SSL_R_CA_DN_LENGTH_MISMATCH);
2242*e71b7053SJung-uk Kim             goto err;
2243*e71b7053SJung-uk Kim         }
2244*e71b7053SJung-uk Kim 
2245*e71b7053SJung-uk Kim         if (!sk_X509_NAME_push(ca_sk, xn)) {
2246*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2247*e71b7053SJung-uk Kim                      ERR_R_MALLOC_FAILURE);
2248*e71b7053SJung-uk Kim             goto err;
2249*e71b7053SJung-uk Kim         }
2250*e71b7053SJung-uk Kim         xn = NULL;
2251*e71b7053SJung-uk Kim     }
2252*e71b7053SJung-uk Kim 
2253*e71b7053SJung-uk Kim     sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
2254*e71b7053SJung-uk Kim     s->s3->tmp.peer_ca_names = ca_sk;
2255*e71b7053SJung-uk Kim 
2256*e71b7053SJung-uk Kim     return 1;
2257*e71b7053SJung-uk Kim 
2258*e71b7053SJung-uk Kim  err:
2259*e71b7053SJung-uk Kim     sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2260*e71b7053SJung-uk Kim     X509_NAME_free(xn);
2261*e71b7053SJung-uk Kim     return 0;
2262*e71b7053SJung-uk Kim }
2263*e71b7053SJung-uk Kim 
2264*e71b7053SJung-uk Kim int construct_ca_names(SSL *s, WPACKET *pkt)
2265*e71b7053SJung-uk Kim {
2266*e71b7053SJung-uk Kim     const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s);
2267*e71b7053SJung-uk Kim 
2268*e71b7053SJung-uk Kim     /* Start sub-packet for client CA list */
2269*e71b7053SJung-uk Kim     if (!WPACKET_start_sub_packet_u16(pkt)) {
2270*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2271*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
2272*e71b7053SJung-uk Kim         return 0;
2273*e71b7053SJung-uk Kim     }
2274*e71b7053SJung-uk Kim 
2275*e71b7053SJung-uk Kim     if (ca_sk != NULL) {
2276*e71b7053SJung-uk Kim         int i;
2277*e71b7053SJung-uk Kim 
2278*e71b7053SJung-uk Kim         for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2279*e71b7053SJung-uk Kim             unsigned char *namebytes;
2280*e71b7053SJung-uk Kim             X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2281*e71b7053SJung-uk Kim             int namelen;
2282*e71b7053SJung-uk Kim 
2283*e71b7053SJung-uk Kim             if (name == NULL
2284*e71b7053SJung-uk Kim                     || (namelen = i2d_X509_NAME(name, NULL)) < 0
2285*e71b7053SJung-uk Kim                     || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2286*e71b7053SJung-uk Kim                                                        &namebytes)
2287*e71b7053SJung-uk Kim                     || i2d_X509_NAME(name, &namebytes) != namelen) {
2288*e71b7053SJung-uk Kim                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2289*e71b7053SJung-uk Kim                          ERR_R_INTERNAL_ERROR);
2290*e71b7053SJung-uk Kim                 return 0;
2291*e71b7053SJung-uk Kim             }
2292*e71b7053SJung-uk Kim         }
2293*e71b7053SJung-uk Kim     }
2294*e71b7053SJung-uk Kim 
2295*e71b7053SJung-uk Kim     if (!WPACKET_close(pkt)) {
2296*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2297*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
2298*e71b7053SJung-uk Kim         return 0;
2299*e71b7053SJung-uk Kim     }
2300*e71b7053SJung-uk Kim 
2301*e71b7053SJung-uk Kim     return 1;
2302*e71b7053SJung-uk Kim }
2303*e71b7053SJung-uk Kim 
2304*e71b7053SJung-uk Kim /* Create a buffer containing data to be signed for server key exchange */
2305*e71b7053SJung-uk Kim size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2306*e71b7053SJung-uk Kim                                   const void *param, size_t paramlen)
2307*e71b7053SJung-uk Kim {
2308*e71b7053SJung-uk Kim     size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2309*e71b7053SJung-uk Kim     unsigned char *tbs = OPENSSL_malloc(tbslen);
2310*e71b7053SJung-uk Kim 
2311*e71b7053SJung-uk Kim     if (tbs == NULL) {
2312*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
2313*e71b7053SJung-uk Kim                  ERR_R_MALLOC_FAILURE);
2314*e71b7053SJung-uk Kim         return 0;
2315*e71b7053SJung-uk Kim     }
2316*e71b7053SJung-uk Kim     memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE);
2317*e71b7053SJung-uk Kim     memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE);
2318*e71b7053SJung-uk Kim 
2319*e71b7053SJung-uk Kim     memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2320*e71b7053SJung-uk Kim 
2321*e71b7053SJung-uk Kim     *ptbs = tbs;
2322*e71b7053SJung-uk Kim     return tbslen;
2323*e71b7053SJung-uk Kim }
2324*e71b7053SJung-uk Kim 
2325*e71b7053SJung-uk Kim /*
2326*e71b7053SJung-uk Kim  * Saves the current handshake digest for Post-Handshake Auth,
2327*e71b7053SJung-uk Kim  * Done after ClientFinished is processed, done exactly once
2328*e71b7053SJung-uk Kim  */
2329*e71b7053SJung-uk Kim int tls13_save_handshake_digest_for_pha(SSL *s)
2330*e71b7053SJung-uk Kim {
2331*e71b7053SJung-uk Kim     if (s->pha_dgst == NULL) {
2332*e71b7053SJung-uk Kim         if (!ssl3_digest_cached_records(s, 1))
2333*e71b7053SJung-uk Kim             /* SSLfatal() already called */
2334*e71b7053SJung-uk Kim             return 0;
2335*e71b7053SJung-uk Kim 
2336*e71b7053SJung-uk Kim         s->pha_dgst = EVP_MD_CTX_new();
2337*e71b7053SJung-uk Kim         if (s->pha_dgst == NULL) {
2338*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2339*e71b7053SJung-uk Kim                      SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2340*e71b7053SJung-uk Kim                      ERR_R_INTERNAL_ERROR);
2341*e71b7053SJung-uk Kim             return 0;
2342*e71b7053SJung-uk Kim         }
2343*e71b7053SJung-uk Kim         if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2344*e71b7053SJung-uk Kim                                 s->s3->handshake_dgst)) {
2345*e71b7053SJung-uk Kim             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2346*e71b7053SJung-uk Kim                      SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2347*e71b7053SJung-uk Kim                      ERR_R_INTERNAL_ERROR);
2348*e71b7053SJung-uk Kim             return 0;
2349*e71b7053SJung-uk Kim         }
2350*e71b7053SJung-uk Kim     }
2351*e71b7053SJung-uk Kim     return 1;
2352*e71b7053SJung-uk Kim }
2353*e71b7053SJung-uk Kim 
2354*e71b7053SJung-uk Kim /*
2355*e71b7053SJung-uk Kim  * Restores the Post-Handshake Auth handshake digest
2356*e71b7053SJung-uk Kim  * Done just before sending/processing the Cert Request
2357*e71b7053SJung-uk Kim  */
2358*e71b7053SJung-uk Kim int tls13_restore_handshake_digest_for_pha(SSL *s)
2359*e71b7053SJung-uk Kim {
2360*e71b7053SJung-uk Kim     if (s->pha_dgst == NULL) {
2361*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2362*e71b7053SJung-uk Kim                  SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2363*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
2364*e71b7053SJung-uk Kim         return 0;
2365*e71b7053SJung-uk Kim     }
2366*e71b7053SJung-uk Kim     if (!EVP_MD_CTX_copy_ex(s->s3->handshake_dgst,
2367*e71b7053SJung-uk Kim                             s->pha_dgst)) {
2368*e71b7053SJung-uk Kim         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2369*e71b7053SJung-uk Kim                  SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2370*e71b7053SJung-uk Kim                  ERR_R_INTERNAL_ERROR);
2371*e71b7053SJung-uk Kim         return 0;
2372*e71b7053SJung-uk Kim     }
2373*e71b7053SJung-uk Kim     return 1;
2374*e71b7053SJung-uk Kim }
2375