statem_lib.c source code [ClickHouse/contrib/openssl/ssl/statem/statem_lib.c]

1	/*
2	* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
3	* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4	*
5	* Licensed under the Apache License 2.0 (the "License"). You may not use
6	* this file except in compliance with the License. You can obtain a copy
7	* in the file LICENSE in the source distribution or at
8	* https://www.openssl.org/source/license.html
9	*/
10
11	#include <limits.h>
12	#include <string.h>
13	#include <stdio.h>
14	#include "../ssl_local.h"
15	#include "statem_local.h"
16	#include "internal/cryptlib.h"
17	#include <openssl/buffer.h>
18	#include <openssl/objects.h>
19	#include <openssl/evp.h>
20	#include <openssl/x509.h>
21	#include <openssl/trace.h>
22
23	/*
24	* Map error codes to TLS/SSL alart types.
25	*/
26	typedef struct x509err2alert_st {
27	int x509err;
28	int alert;
29	} X509ERR2ALERT;
30
31	/ Fixed value used in the ServerHello random field to identify an HRR /
32	const unsigned char hrrrandom[] = {
33	`0xcf`, `0x21`, `0xad`, `0x74`, `0xe5`, `0x9a`, `0x61`, `0x11`, `0xbe`, `0x1d`, `0x8c`, `0x02`,
34	`0x1e`, `0x65`, `0xb8`, `0x91`, `0xc2`, `0xa2`, `0x11`, `0x16`, `0x7a`, `0xbb`, `0x8c`, `0x5e`,
35	`0x07`, `0x9e`, `0x09`, `0xe2`, `0xc8`, `0xa8`, `0x33`, `0x9c`
36	};
37
38	/*
39	* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
40	* SSL3_RT_CHANGE_CIPHER_SPEC)
41	*/
42	int ssl3_do_write(SSL s, int* type)
43	{
44	int ret;
45	size_t written = `0`;
46
47	ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
48	s->init_num, &written);
49	if (ret < `0`)
50	return -`1`;
51	if (type == SSL3_RT_HANDSHAKE)
52	/*
53	* should not be done for 'Hello Request's, but in that case we'll
54	* ignore the result anyway
55	* TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
56	*/
57	if (!SSL_IS_TLS13(s) \|\| (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
58	&& s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
59	&& s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
60	if (!ssl3_finish_mac(s,
61	(unsigned char *)&s->init_buf->data[s->init_off],
62	written))
63	return -`1`;
64	if (written == s->init_num) {
65	if (s->msg_callback)
66	s->msg_callback(`1`, s->version, type, s->init_buf->data,
67	(size_t)(s->init_off + s->init_num), s,
68	s->msg_callback_arg);
69	return `1`;
70	}
71	s->init_off += written;
72	s->init_num -= written;
73	return `0`;
74	}
75
76	int tls_close_construct_packet(SSL s, WPACKET pkt, int htype)
77	{
78	size_t msglen;
79
80	if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
81	\|\| !WPACKET_get_length(pkt, &msglen)
82	\|\| msglen > INT_MAX)
83	return `0`;
84	s->init_num = (int)msglen;
85	s->init_off = `0`;
86
87	return `1`;
88	}
89
90	int tls_setup_handshake(SSL *s)
91	{
92	if (!ssl3_init_finished_mac(s)) {
93	/ SSLfatal() already called /
94	return `0`;
95	}
96
97	/ Reset any extension flags /
98	memset(s->ext.extflags, `0`, sizeof(s->ext.extflags));
99
100	if (s->server) {
101	STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
102	int i, ver_min, ver_max, ok = `0`;
103
104	/*
105	* Sanity check that the maximum version we accept has ciphers
106	* enabled. For clients we do this check during construction of the
107	* ClientHello.
108	*/
109	if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != `0`) {
110	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
111	ERR_R_INTERNAL_ERROR);
112	return `0`;
113	}
114	for (i = `0`; i < sk_SSL_CIPHER_num(ciphers); i++) {
115	const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
116
117	if (SSL_IS_DTLS(s)) {
118	if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
119	DTLS_VERSION_LE(ver_max, c->max_dtls))
120	ok = `1`;
121	} else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
122	ok = `1`;
123	}
124	if (ok)
125	break;
126	}
127	if (!ok) {
128	SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
129	SSL_R_NO_CIPHERS_AVAILABLE);
130	ERR_add_error_data(`1`, "No ciphers enabled for max supported "
131	"SSL/TLS version");
132	return `0`;
133	}
134	if (SSL_IS_FIRST_HANDSHAKE(s)) {
135	/ N.B. s->session_ctx == s->ctx here /
136	tsan_counter(&s->session_ctx->stats.sess_accept);
137	} else {
138	/ N.B. s->ctx may not equal s->session_ctx /
139	tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
140
141	s->s3.tmp.cert_request = `0`;
142	}
143	} else {
144	if (SSL_IS_FIRST_HANDSHAKE(s))
145	tsan_counter(&s->session_ctx->stats.sess_connect);
146	else
147	tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
148
149	/ mark client_random uninitialized /
150	memset(s->s3.client_random, `0`, sizeof(s->s3.client_random));
151	s->hit = `0`;
152
153	s->s3.tmp.cert_req = `0`;
154
155	if (SSL_IS_DTLS(s))
156	s->statem.use_timer = `1`;
157	}
158
159	return `1`;
160	}
161
162	/*
163	* Size of the to-be-signed TLS13 data, without the hash size itself:
164	* 64 bytes of value 32, 33 context bytes, 1 byte separator
165	*/
166	#define TLS13_TBS_START_SIZE 64
167	#define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
168
169	static int get_cert_verify_tbs_data(SSL s, unsigned* char *tls13tbs,
170	void *hdata, size_t hdatalen)
171	{
172	#ifdef CHARSET_EBCDIC
173	static const char servercontext[] = { `0x54`, `0x4c`, `0x53`, `0x20`, `0x31`, `0x2e`,
174	`0x33`, `0x2c`, `0x20`, `0x73`, `0x65`, `0x72`, `0x76`, `0x65`, `0x72`, `0x20`, `0x43`, `0x65`,
175	`0x72`, `0x74`, `0x69`, `0x66`, `0x69`, `0x63`, `0x61`, `0x74`, `0x65`, `0x56`, `0x65`, `0x72`,
176	`0x69`, `0x66`, `0x79`, `0x00` };
177	static const char clientcontext[] = { `0x54`, `0x4c`, `0x53`, `0x20`, `0x31`, `0x2e`,
178	`0x33`, `0x2c`, `0x20`, `0x63`, `0x6c`, `0x69`, `0x65`, `0x6e`, `0x74`, `0x20`, `0x43`, `0x65`,
179	`0x72`, `0x74`, `0x69`, `0x66`, `0x69`, `0x63`, `0x61`, `0x74`, `0x65`, `0x56`, `0x65`, `0x72`,
180	`0x69`, `0x66`, `0x79`, `0x00` };
181	#else
182	static const char servercontext[] = "TLS 1.3, server CertificateVerify";
183	static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
184	#endif
185	if (SSL_IS_TLS13(s)) {
186	size_t hashlen;
187
188	/ Set the first 64 bytes of to-be-signed data to octet 32 /
189	memset(tls13tbs, `32`, TLS13_TBS_START_SIZE);
190	/ This copies the 33 bytes of context plus the 0 separator byte /
191	if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
192	\|\| s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
193	strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
194	else
195	strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
196
197	/*
198	* If we're currently reading then we need to use the saved handshake
199	* hash value. We can't use the current handshake hash state because
200	* that includes the CertVerify itself.
201	*/
202	if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
203	\|\| s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
204	memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
205	s->cert_verify_hash_len);
206	hashlen = s->cert_verify_hash_len;
207	} else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
208	EVP_MAX_MD_SIZE, &hashlen)) {
209	/ SSLfatal() already called /
210	return `0`;
211	}
212
213	*hdata = tls13tbs;
214	*hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
215	} else {
216	size_t retlen;
217	long retlen_l;
218
219	retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
220	if (retlen_l <= `0`) {
221	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
222	ERR_R_INTERNAL_ERROR);
223	return `0`;
224	}
225	*hdatalen = retlen;
226	}
227
228	return `1`;
229	}
230
231	int tls_construct_cert_verify(SSL s, WPACKET pkt)
232	{
233	EVP_PKEY *pkey = NULL;
234	const EVP_MD *md = NULL;
235	EVP_MD_CTX *mctx = NULL;
236	EVP_PKEY_CTX *pctx = NULL;
237	size_t hdatalen = `0`, siglen = `0`;
238	void *hdata;
239	unsigned char *sig = NULL;
240	unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
241	const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
242
243	if (lu == NULL \|\| s->s3.tmp.cert == NULL) {
244	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
245	ERR_R_INTERNAL_ERROR);
246	goto err;
247	}
248	pkey = s->s3.tmp.cert->privatekey;
249
250	if (pkey == NULL \|\| !tls1_lookup_md(lu, &md)) {
251	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
252	ERR_R_INTERNAL_ERROR);
253	goto err;
254	}
255
256	mctx = EVP_MD_CTX_new();
257	if (mctx == NULL) {
258	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
259	ERR_R_MALLOC_FAILURE);
260	goto err;
261	}
262
263	/ Get the data to be signed /
264	if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
265	/ SSLfatal() already called /
266	goto err;
267	}
268
269	if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
270	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
271	ERR_R_INTERNAL_ERROR);
272	goto err;
273	}
274	siglen = EVP_PKEY_size(pkey);
275	sig = OPENSSL_malloc(siglen);
276	if (sig == NULL) {
277	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
278	ERR_R_MALLOC_FAILURE);
279	goto err;
280	}
281
282	if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= `0`) {
283	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
284	ERR_R_EVP_LIB);
285	goto err;
286	}
287
288	if (lu->sig == EVP_PKEY_RSA_PSS) {
289	if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= `0`
290	\|\| EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
291	RSA_PSS_SALTLEN_DIGEST) <= `0`) {
292	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
293	ERR_R_EVP_LIB);
294	goto err;
295	}
296	}
297	if (s->version == SSL3_VERSION) {
298	if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= `0`
299	/*
300	* TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
301	* with a call to ssl3_digest_master_key_set_params()
302	*/
303	\|\| EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
304	(int)s->session->master_key_length,
305	s->session->master_key) <= `0`
306	\|\| EVP_DigestSignFinal(mctx, sig, &siglen) <= `0`) {
307
308	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
309	ERR_R_EVP_LIB);
310	goto err;
311	}
312	} else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= `0`) {
313	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
314	ERR_R_EVP_LIB);
315	goto err;
316	}
317
318	#ifndef OPENSSL_NO_GOST
319	{
320	int pktype = lu->sig;
321
322	if (pktype == NID_id_GostR3410_2001
323	\|\| pktype == NID_id_GostR3410_2012_256
324	\|\| pktype == NID_id_GostR3410_2012_512)
325	BUF_reverse(sig, NULL, siglen);
326	}
327	#endif
328
329	if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
330	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
331	ERR_R_INTERNAL_ERROR);
332	goto err;
333	}
334
335	/ Digest cached records and discard handshake buffer /
336	if (!ssl3_digest_cached_records(s, `0`)) {
337	/ SSLfatal() already called /
338	goto err;
339	}
340
341	OPENSSL_free(sig);
342	EVP_MD_CTX_free(mctx);
343	return `1`;
344	err:
345	OPENSSL_free(sig);
346	EVP_MD_CTX_free(mctx);
347	return `0`;
348	}
349
350	MSG_PROCESS_RETURN tls_process_cert_verify(SSL s, PACKET pkt)
351	{
352	EVP_PKEY *pkey = NULL;
353	const unsigned char *data;
354	#ifndef OPENSSL_NO_GOST
355	unsigned char *gost_data = NULL;
356	#endif
357	MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
358	int j;
359	unsigned int len;
360	X509 *peer;
361	const EVP_MD *md = NULL;
362	size_t hdatalen = `0`;
363	void *hdata;
364	unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
365	EVP_MD_CTX *mctx = EVP_MD_CTX_new();
366	EVP_PKEY_CTX *pctx = NULL;
367
368	if (mctx == NULL) {
369	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
370	ERR_R_MALLOC_FAILURE);
371	goto err;
372	}
373
374	peer = s->session->peer;
375	pkey = X509_get0_pubkey(peer);
376	if (pkey == NULL) {
377	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
378	ERR_R_INTERNAL_ERROR);
379	goto err;
380	}
381
382	if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
383	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
384	SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
385	goto err;
386	}
387
388	if (SSL_USE_SIGALGS(s)) {
389	unsigned int sigalg;
390
391	if (!PACKET_get_net_2(pkt, &sigalg)) {
392	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
393	SSL_R_BAD_PACKET);
394	goto err;
395	}
396	if (tls12_check_peer_sigalg(s, sigalg, pkey) <= `0`) {
397	/ SSLfatal() already called /
398	goto err;
399	}
400	} else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
401	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
402	ERR_R_INTERNAL_ERROR);
403	goto err;
404	}
405
406	if (!tls1_lookup_md(s->s3.tmp.peer_sigalg, &md)) {
407	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
408	ERR_R_INTERNAL_ERROR);
409	goto err;
410	}
411
412	if (SSL_USE_SIGALGS(s))
413	OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
414	md == NULL ? "n/a" : EVP_MD_name(md));
415
416	/ Check for broken implementations of GOST ciphersuites /
417	/*
418	* If key is GOST and len is exactly 64 or 128, it is signature without
419	* length field (CryptoPro implementations at least till TLS 1.2)
420	*/
421	#ifndef OPENSSL_NO_GOST
422	if (!SSL_USE_SIGALGS(s)
423	&& ((PACKET_remaining(pkt) == `64`
424	&& (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
425	\|\| EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
426	\|\| (PACKET_remaining(pkt) == `128`
427	&& EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
428	len = PACKET_remaining(pkt);
429	} else
430	#endif
431	if (!PACKET_get_net_2(pkt, &len)) {
432	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
433	SSL_R_LENGTH_MISMATCH);
434	goto err;
435	}
436
437	j = EVP_PKEY_size(pkey);
438	if (((int)len > j) \|\| ((int)PACKET_remaining(pkt) > j)
439	\|\| (PACKET_remaining(pkt) == `0`)) {
440	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
441	SSL_R_WRONG_SIGNATURE_SIZE);
442	goto err;
443	}
444	if (!PACKET_get_bytes(pkt, &data, len)) {
445	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
446	SSL_R_LENGTH_MISMATCH);
447	goto err;
448	}
449
450	if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
451	/ SSLfatal() already called /
452	goto err;
453	}
454
455	OSSL_TRACE1(TLS, "Using client verify alg %s\n",
456	md == NULL ? "n/a" : EVP_MD_name(md));
457
458	if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= `0`) {
459	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
460	ERR_R_EVP_LIB);
461	goto err;
462	}
463	#ifndef OPENSSL_NO_GOST
464	{
465	int pktype = EVP_PKEY_id(pkey);
466	if (pktype == NID_id_GostR3410_2001
467	\|\| pktype == NID_id_GostR3410_2012_256
468	\|\| pktype == NID_id_GostR3410_2012_512) {
469	if ((gost_data = OPENSSL_malloc(len)) == NULL) {
470	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
471	SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
472	goto err;
473	}
474	BUF_reverse(gost_data, data, len);
475	data = gost_data;
476	}
477	}
478	#endif
479
480	if (SSL_USE_PSS(s)) {
481	if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= `0`
482	\|\| EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
483	RSA_PSS_SALTLEN_DIGEST) <= `0`) {
484	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
485	ERR_R_EVP_LIB);
486	goto err;
487	}
488	}
489	if (s->version == SSL3_VERSION) {
490	/*
491	* TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
492	* with a call to ssl3_digest_master_key_set_params()
493	*/
494	if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= `0`
495	\|\| EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
496	(int)s->session->master_key_length,
497	s->session->master_key) <= `0`) {
498	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
499	ERR_R_EVP_LIB);
500	goto err;
501	}
502	if (EVP_DigestVerifyFinal(mctx, data, len) <= `0`) {
503	SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
504	SSL_R_BAD_SIGNATURE);
505	goto err;
506	}
507	} else {
508	j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
509	if (j <= `0`) {
510	SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
511	SSL_R_BAD_SIGNATURE);
512	goto err;
513	}
514	}
515
516	/*
517	* In TLSv1.3 on the client side we make sure we prepare the client
518	* certificate after the CertVerify instead of when we get the
519	* CertificateRequest. This is because in TLSv1.3 the CertificateRequest
520	* comes before the Certificate message. In TLSv1.2 it comes after. We
521	* want to make sure that SSL_get_peer_certificate() will return the actual
522	* server certificate from the client_cert_cb callback.
523	*/
524	if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == `1`)
525	ret = MSG_PROCESS_CONTINUE_PROCESSING;
526	else
527	ret = MSG_PROCESS_CONTINUE_READING;
528	err:
529	BIO_free(s->s3.handshake_buffer);
530	s->s3.handshake_buffer = NULL;
531	EVP_MD_CTX_free(mctx);
532	#ifndef OPENSSL_NO_GOST
533	OPENSSL_free(gost_data);
534	#endif
535	return ret;
536	}
537
538	int tls_construct_finished(SSL s, WPACKET pkt)
539	{
540	size_t finish_md_len;
541	const char *sender;
542	size_t slen;
543
544	/ This is a real handshake so make sure we clean it up at the end /
545	if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
546	s->statem.cleanuphand = `1`;
547
548	/*
549	* We only change the keys if we didn't already do this when we sent the
550	* client certificate
551	*/
552	if (SSL_IS_TLS13(s)
553	&& !s->server
554	&& s->s3.tmp.cert_req == `0`
555	&& (!s->method->ssl3_enc->change_cipher_state(s,
556	SSL3_CC_HANDSHAKE \| SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
557	/ SSLfatal() already called /
558	return `0`;
559	}
560
561	if (s->server) {
562	sender = s->method->ssl3_enc->server_finished_label;
563	slen = s->method->ssl3_enc->server_finished_label_len;
564	} else {
565	sender = s->method->ssl3_enc->client_finished_label;
566	slen = s->method->ssl3_enc->client_finished_label_len;
567	}
568
569	finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
570	sender, slen,
571	s->s3.tmp.finish_md);
572	if (finish_md_len == `0`) {
573	/ SSLfatal() already called /
574	return `0`;
575	}
576
577	s->s3.tmp.finish_md_len = finish_md_len;
578
579	if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
580	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
581	ERR_R_INTERNAL_ERROR);
582	return `0`;
583	}
584
585	/*
586	* Log the master secret, if logging is enabled. We don't log it for
587	* TLSv1.3: there's a different key schedule for that.
588	*/
589	if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
590	s->session->master_key,
591	s->session->master_key_length)) {
592	/ SSLfatal() already called /
593	return `0`;
594	}
595
596	/*
597	* Copy the finished so we can use it for renegotiation checks
598	*/
599	if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
600	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
601	ERR_R_INTERNAL_ERROR);
602	return `0`;
603	}
604	if (!s->server) {
605	memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
606	finish_md_len);
607	s->s3.previous_client_finished_len = finish_md_len;
608	} else {
609	memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
610	finish_md_len);
611	s->s3.previous_server_finished_len = finish_md_len;
612	}
613
614	return `1`;
615	}
616
617	int tls_construct_key_update(SSL s, WPACKET pkt)
618	{
619	if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
620	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
621	ERR_R_INTERNAL_ERROR);
622	return `0`;
623	}
624
625	s->key_update = SSL_KEY_UPDATE_NONE;
626	return `1`;
627	}
628
629	MSG_PROCESS_RETURN tls_process_key_update(SSL s, PACKET pkt)
630	{
631	unsigned int updatetype;
632
633	/*
634	* A KeyUpdate message signals a key change so the end of the message must
635	* be on a record boundary.
636	*/
637	if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
638	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
639	SSL_R_NOT_ON_RECORD_BOUNDARY);
640	return MSG_PROCESS_ERROR;
641	}
642
643	if (!PACKET_get_1(pkt, &updatetype)
644	\|\| PACKET_remaining(pkt) != `0`) {
645	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
646	SSL_R_BAD_KEY_UPDATE);
647	return MSG_PROCESS_ERROR;
648	}
649
650	/*
651	* There are only two defined key update types. Fail if we get a value we
652	* didn't recognise.
653	*/
654	if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
655	&& updatetype != SSL_KEY_UPDATE_REQUESTED) {
656	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
657	SSL_R_BAD_KEY_UPDATE);
658	return MSG_PROCESS_ERROR;
659	}
660
661	/*
662	* If we get a request for us to update our sending keys too then, we need
663	* to additionally send a KeyUpdate message. However that message should
664	* not also request an update (otherwise we get into an infinite loop).
665	*/
666	if (updatetype == SSL_KEY_UPDATE_REQUESTED)
667	s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
668
669	if (!tls13_update_key(s, `0`)) {
670	/ SSLfatal() already called /
671	return MSG_PROCESS_ERROR;
672	}
673
674	return MSG_PROCESS_FINISHED_READING;
675	}
676
677	/*
678	* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
679	* to far.
680	*/
681	int ssl3_take_mac(SSL *s)
682	{
683	const char *sender;
684	size_t slen;
685
686	if (!s->server) {
687	sender = s->method->ssl3_enc->server_finished_label;
688	slen = s->method->ssl3_enc->server_finished_label_len;
689	} else {
690	sender = s->method->ssl3_enc->client_finished_label;
691	slen = s->method->ssl3_enc->client_finished_label_len;
692	}
693
694	s->s3.tmp.peer_finish_md_len =
695	s->method->ssl3_enc->final_finish_mac(s, sender, slen,
696	s->s3.tmp.peer_finish_md);
697
698	if (s->s3.tmp.peer_finish_md_len == `0`) {
699	/ SSLfatal() already called /
700	return `0`;
701	}
702
703	return `1`;
704	}
705
706	MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL s, PACKET pkt)
707	{
708	size_t remain;
709
710	remain = PACKET_remaining(pkt);
711	/*
712	* 'Change Cipher Spec' is just a single byte, which should already have
713	* been consumed by ssl_get_message() so there should be no bytes left,
714	* unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
715	*/
716	if (SSL_IS_DTLS(s)) {
717	if ((s->version == DTLS1_BAD_VER
718	&& remain != DTLS1_CCS_HEADER_LENGTH + `1`)
719	\|\| (s->version != DTLS1_BAD_VER
720	&& remain != DTLS1_CCS_HEADER_LENGTH - `1`)) {
721	SSLfatal(s, SSL_AD_DECODE_ERROR,
722	SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
723	SSL_R_BAD_CHANGE_CIPHER_SPEC);
724	return MSG_PROCESS_ERROR;
725	}
726	} else {
727	if (remain != `0`) {
728	SSLfatal(s, SSL_AD_DECODE_ERROR,
729	SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
730	SSL_R_BAD_CHANGE_CIPHER_SPEC);
731	return MSG_PROCESS_ERROR;
732	}
733	}
734
735	/ Check we have a cipher to change to /
736	if (s->s3.tmp.new_cipher == NULL) {
737	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
738	SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
739	return MSG_PROCESS_ERROR;
740	}
741
742	s->s3.change_cipher_spec = `1`;
743	if (!ssl3_do_change_cipher_spec(s)) {
744	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
745	ERR_R_INTERNAL_ERROR);
746	return MSG_PROCESS_ERROR;
747	}
748
749	if (SSL_IS_DTLS(s)) {
750	dtls1_reset_seq_numbers(s, SSL3_CC_READ);
751
752	if (s->version == DTLS1_BAD_VER)
753	s->d1->handshake_read_seq++;
754
755	#ifndef OPENSSL_NO_SCTP
756	/*
757	* Remember that a CCS has been received, so that an old key of
758	* SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
759	* SCTP is used
760	*/
761	BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, `1`, NULL);
762	#endif
763	}
764
765	return MSG_PROCESS_CONTINUE_READING;
766	}
767
768	MSG_PROCESS_RETURN tls_process_finished(SSL s, PACKET pkt)
769	{
770	size_t md_len;
771
772
773	/ This is a real handshake so make sure we clean it up at the end /
774	if (s->server) {
775	/*
776	* To get this far we must have read encrypted data from the client. We
777	* no longer tolerate unencrypted alerts. This value is ignored if less
778	* than TLSv1.3
779	*/
780	s->statem.enc_read_state = ENC_READ_STATE_VALID;
781	if (s->post_handshake_auth != SSL_PHA_REQUESTED)
782	s->statem.cleanuphand = `1`;
783	if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
784	/ SSLfatal() already called /
785	return MSG_PROCESS_ERROR;
786	}
787	}
788
789	/*
790	* In TLSv1.3 a Finished message signals a key change so the end of the
791	* message must be on a record boundary.
792	*/
793	if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
794	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
795	SSL_R_NOT_ON_RECORD_BOUNDARY);
796	return MSG_PROCESS_ERROR;
797	}
798
799	/ If this occurs, we have missed a message /
800	if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
801	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
802	SSL_R_GOT_A_FIN_BEFORE_A_CCS);
803	return MSG_PROCESS_ERROR;
804	}
805	s->s3.change_cipher_spec = `0`;
806
807	md_len = s->s3.tmp.peer_finish_md_len;
808
809	if (md_len != PACKET_remaining(pkt)) {
810	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
811	SSL_R_BAD_DIGEST_LENGTH);
812	return MSG_PROCESS_ERROR;
813	}
814
815	if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
816	md_len) != `0`) {
817	SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
818	SSL_R_DIGEST_CHECK_FAILED);
819	return MSG_PROCESS_ERROR;
820	}
821
822	/*
823	* Copy the finished so we can use it for renegotiation checks
824	*/
825	if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
826	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
827	ERR_R_INTERNAL_ERROR);
828	return MSG_PROCESS_ERROR;
829	}
830	if (s->server) {
831	memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
832	md_len);
833	s->s3.previous_client_finished_len = md_len;
834	} else {
835	memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
836	md_len);
837	s->s3.previous_server_finished_len = md_len;
838	}
839
840	/*
841	* In TLS1.3 we also have to change cipher state and do any final processing
842	* of the initial server flight (if we are a client)
843	*/
844	if (SSL_IS_TLS13(s)) {
845	if (s->server) {
846	if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
847	!s->method->ssl3_enc->change_cipher_state(s,
848	SSL3_CC_APPLICATION \| SSL3_CHANGE_CIPHER_SERVER_READ)) {
849	/ SSLfatal() already called /
850	return MSG_PROCESS_ERROR;
851	}
852	} else {
853	if (!s->method->ssl3_enc->generate_master_secret(s,
854	s->master_secret, s->handshake_secret, `0`,
855	&s->session->master_key_length)) {
856	/ SSLfatal() already called /
857	return MSG_PROCESS_ERROR;
858	}
859	if (!s->method->ssl3_enc->change_cipher_state(s,
860	SSL3_CC_APPLICATION \| SSL3_CHANGE_CIPHER_CLIENT_READ)) {
861	/ SSLfatal() already called /
862	return MSG_PROCESS_ERROR;
863	}
864	if (!tls_process_initial_server_flight(s)) {
865	/ SSLfatal() already called /
866	return MSG_PROCESS_ERROR;
867	}
868	}
869	}
870
871	return MSG_PROCESS_FINISHED_READING;
872	}
873
874	int tls_construct_change_cipher_spec(SSL s, WPACKET pkt)
875	{
876	if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
877	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
878	SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
879	return `0`;
880	}
881
882	return `1`;
883	}
884
885	/ Add a certificate to the WPACKET /
886	static int ssl_add_cert_to_wpacket(SSL s, WPACKET pkt, X509 x, int* chain)
887	{
888	int len;
889	unsigned char *outbytes;
890
891	len = i2d_X509(x, NULL);
892	if (len < `0`) {
893	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
894	ERR_R_BUF_LIB);
895	return `0`;
896	}
897	if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
898	\|\| i2d_X509(x, &outbytes) != len) {
899	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
900	ERR_R_INTERNAL_ERROR);
901	return `0`;
902	}
903
904	if (SSL_IS_TLS13(s)
905	&& !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
906	chain)) {
907	/ SSLfatal() already called /
908	return `0`;
909	}
910
911	return `1`;
912	}
913
914	/ Add certificate chain to provided WPACKET /
915	static int ssl_add_cert_chain(SSL s, WPACKET pkt, CERT_PKEY *cpk)
916	{
917	int i, chain_count;
918	X509 *x;
919	STACK_OF(X509) *extra_certs;
920	STACK_OF(X509) *chain = NULL;
921	X509_STORE *chain_store;
922
923	if (cpk == NULL \|\| cpk->x509 == NULL)
924	return `1`;
925
926	x = cpk->x509;
927
928	/*
929	* If we have a certificate specific chain use it, else use parent ctx.
930	*/
931	if (cpk->chain != NULL)
932	extra_certs = cpk->chain;
933	else
934	extra_certs = s->ctx->extra_certs;
935
936	if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) \|\| extra_certs)
937	chain_store = NULL;
938	else if (s->cert->chain_store)
939	chain_store = s->cert->chain_store;
940	else
941	chain_store = s->ctx->cert_store;
942
943	if (chain_store != NULL) {
944	X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();
945
946	if (xs_ctx == NULL) {
947	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
948	ERR_R_MALLOC_FAILURE);
949	return `0`;
950	}
951	if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
952	X509_STORE_CTX_free(xs_ctx);
953	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
954	ERR_R_X509_LIB);
955	return `0`;
956	}
957	/*
958	* It is valid for the chain not to be complete (because normally we
959	* don't include the root cert in the chain). Therefore we deliberately
960	* ignore the error return from this call. We're not actually verifying
961	* the cert - we're just building as much of the chain as we can
962	*/
963	(void)X509_verify_cert(xs_ctx);
964	/ Don't leave errors in the queue /
965	ERR_clear_error();
966	chain = X509_STORE_CTX_get0_chain(xs_ctx);
967	i = ssl_security_cert_chain(s, chain, NULL, `0`);
968	if (i != `1`) {
969	#if 0
970	/ Dummy error calls so mkerr generates them /
971	SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
972	SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
973	SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
974	#endif
975	X509_STORE_CTX_free(xs_ctx);
976	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
977	return `0`;
978	}
979	chain_count = sk_X509_num(chain);
980	for (i = `0`; i < chain_count; i++) {
981	x = sk_X509_value(chain, i);
982
983	if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
984	/ SSLfatal() already called /
985	X509_STORE_CTX_free(xs_ctx);
986	return `0`;
987	}
988	}
989	X509_STORE_CTX_free(xs_ctx);
990	} else {
991	i = ssl_security_cert_chain(s, extra_certs, x, `0`);
992	if (i != `1`) {
993	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
994	return `0`;
995	}
996	if (!ssl_add_cert_to_wpacket(s, pkt, x, `0`)) {
997	/ SSLfatal() already called /
998	return `0`;
999	}
1000	for (i = `0`; i < sk_X509_num(extra_certs); i++) {
1001	x = sk_X509_value(extra_certs, i);
1002	if (!ssl_add_cert_to_wpacket(s, pkt, x, i + `1`)) {
1003	/ SSLfatal() already called /
1004	return `0`;
1005	}
1006	}
1007	}
1008	return `1`;
1009	}
1010
1011	unsigned long ssl3_output_cert_chain(SSL s, WPACKET pkt, CERT_PKEY *cpk)
1012	{
1013	if (!WPACKET_start_sub_packet_u24(pkt)) {
1014	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1015	ERR_R_INTERNAL_ERROR);
1016	return `0`;
1017	}
1018
1019	if (!ssl_add_cert_chain(s, pkt, cpk))
1020	return `0`;
1021
1022	if (!WPACKET_close(pkt)) {
1023	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1024	ERR_R_INTERNAL_ERROR);
1025	return `0`;
1026	}
1027
1028	return `1`;
1029	}
1030
1031	/*
1032	* Tidy up after the end of a handshake. In the case of SCTP this may result
1033	* in NBIO events. If \|clearbufs\| is set then init_buf and the wbio buffer is
1034	* freed up as well.
1035	*/
1036	WORK_STATE tls_finish_handshake(SSL s, WORK_STATE wst, int* clearbufs, int stop)
1037	{
1038	void (cb) (const* SSL ssl, int* type, int val) = NULL;
1039	int cleanuphand = s->statem.cleanuphand;
1040
1041	if (clearbufs) {
1042	if (!SSL_IS_DTLS(s)
1043	#ifndef OPENSSL_NO_SCTP
1044	/*
1045	* RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1046	* messages that require it. Therefore, DTLS procedures for retransmissions
1047	* MUST NOT be used.
1048	* Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1049	*/
1050	\|\| BIO_dgram_is_sctp(SSL_get_wbio(s))
1051	#endif
1052	) {
1053	/*
1054	* We don't do this in DTLS over UDP because we may still need the init_buf
1055	* in case there are any unexpected retransmits
1056	*/
1057	BUF_MEM_free(s->init_buf);
1058	s->init_buf = NULL;
1059	}
1060
1061	if (!ssl_free_wbio_buffer(s)) {
1062	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
1063	ERR_R_INTERNAL_ERROR);
1064	return WORK_ERROR;
1065	}
1066	s->init_num = `0`;
1067	}
1068
1069	if (SSL_IS_TLS13(s) && !s->server
1070	&& s->post_handshake_auth == SSL_PHA_REQUESTED)
1071	s->post_handshake_auth = SSL_PHA_EXT_SENT;
1072
1073	/*
1074	* Only set if there was a Finished message and this isn't after a TLSv1.3
1075	* post handshake exchange
1076	*/
1077	if (cleanuphand) {
1078	/ skipped if we just sent a HelloRequest /
1079	s->renegotiate = `0`;
1080	s->new_session = `0`;
1081	s->statem.cleanuphand = `0`;
1082	s->ext.ticket_expected = `0`;
1083
1084	ssl3_cleanup_key_block(s);
1085
1086	if (s->server) {
1087	/*
1088	* In TLSv1.3 we update the cache as part of constructing the
1089	* NewSessionTicket
1090	*/
1091	if (!SSL_IS_TLS13(s))
1092	ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1093
1094	/ N.B. s->ctx may not equal s->session_ctx /
1095	tsan_counter(&s->ctx->stats.sess_accept_good);
1096	s->handshake_func = ossl_statem_accept;
1097	} else {
1098	if (SSL_IS_TLS13(s)) {
1099	/*
1100	* We encourage applications to only use TLSv1.3 tickets once,
1101	* so we remove this one from the cache.
1102	*/
1103	if ((s->session_ctx->session_cache_mode
1104	& SSL_SESS_CACHE_CLIENT) != `0`)
1105	SSL_CTX_remove_session(s->session_ctx, s->session);
1106	} else {
1107	/*
1108	* In TLSv1.3 we update the cache as part of processing the
1109	* NewSessionTicket
1110	*/
1111	ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1112	}
1113	if (s->hit)
1114	tsan_counter(&s->session_ctx->stats.sess_hit);
1115
1116	s->handshake_func = ossl_statem_connect;
1117	tsan_counter(&s->session_ctx->stats.sess_connect_good);
1118	}
1119
1120	if (SSL_IS_DTLS(s)) {
1121	/ done with handshaking /
1122	s->d1->handshake_read_seq = `0`;
1123	s->d1->handshake_write_seq = `0`;
1124	s->d1->next_handshake_write_seq = `0`;
1125	dtls1_clear_received_buffer(s);
1126	}
1127	}
1128
1129	if (s->info_callback != NULL)
1130	cb = s->info_callback;
1131	else if (s->ctx->info_callback != NULL)
1132	cb = s->ctx->info_callback;
1133
1134	/ The callback may expect us to not be in init at handshake done /
1135	ossl_statem_set_in_init(s, `0`);
1136
1137	if (cb != NULL) {
1138	if (cleanuphand
1139	\|\| !SSL_IS_TLS13(s)
1140	\|\| SSL_IS_FIRST_HANDSHAKE(s))
1141	cb(s, SSL_CB_HANDSHAKE_DONE, `1`);
1142	}
1143
1144	if (!stop) {
1145	/ If we've got more work to do we go back into init /
1146	ossl_statem_set_in_init(s, `1`);
1147	return WORK_FINISHED_CONTINUE;
1148	}
1149
1150	return WORK_FINISHED_STOP;
1151	}
1152
1153	int tls_get_message_header(SSL s, int* *mt)
1154	{
1155	/ s->init_num < SSL3_HM_HEADER_LENGTH /
1156	int skip_message, i, recvd_type;
1157	unsigned char *p;
1158	size_t l, readbytes;
1159
1160	p = (unsigned char *)s->init_buf->data;
1161
1162	do {
1163	while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1164	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1165	&p[s->init_num],
1166	SSL3_HM_HEADER_LENGTH - s->init_num,
1167	`0`, &readbytes);
1168	if (i <= `0`) {
1169	s->rwstate = SSL_READING;
1170	return `0`;
1171	}
1172	if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1173	/*
1174	* A ChangeCipherSpec must be a single byte and may not occur
1175	* in the middle of a handshake message.
1176	*/
1177	if (s->init_num != `0` \|\| readbytes != `1` \|\| p[`0`] != SSL3_MT_CCS) {
1178	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1179	SSL_F_TLS_GET_MESSAGE_HEADER,
1180	SSL_R_BAD_CHANGE_CIPHER_SPEC);
1181	return `0`;
1182	}
1183	if (s->statem.hand_state == TLS_ST_BEFORE
1184	&& (s->s3.flags & TLS1_FLAGS_STATELESS) != `0`) {
1185	/*
1186	* We are stateless and we received a CCS. Probably this is
1187	* from a client between the first and second ClientHellos.
1188	* We should ignore this, but return an error because we do
1189	* not return success until we see the second ClientHello
1190	* with a valid cookie.
1191	*/
1192	return `0`;
1193	}
1194	s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1195	s->init_num = readbytes - `1`;
1196	s->init_msg = s->init_buf->data;
1197	s->s3.tmp.message_size = readbytes;
1198	return `1`;
1199	} else if (recvd_type != SSL3_RT_HANDSHAKE) {
1200	SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1201	SSL_F_TLS_GET_MESSAGE_HEADER,
1202	SSL_R_CCS_RECEIVED_EARLY);
1203	return `0`;
1204	}
1205	s->init_num += readbytes;
1206	}
1207
1208	skip_message = `0`;
1209	if (!s->server)
1210	if (s->statem.hand_state != TLS_ST_OK
1211	&& p[`0`] == SSL3_MT_HELLO_REQUEST)
1212	/*
1213	* The server may always send 'Hello Request' messages --
1214	* we are doing a handshake anyway now, so ignore them if
1215	* their format is correct. Does not count for 'Finished'
1216	* MAC.
1217	*/
1218	if (p[`1`] == `0` && p[`2`] == `0` && p[`3`] == `0`) {
1219	s->init_num = `0`;
1220	skip_message = `1`;
1221
1222	if (s->msg_callback)
1223	s->msg_callback(`0`, s->version, SSL3_RT_HANDSHAKE,
1224	p, SSL3_HM_HEADER_LENGTH, s,
1225	s->msg_callback_arg);
1226	}
1227	} while (skip_message);
1228	/ s->init_num == SSL3_HM_HEADER_LENGTH /
1229
1230	mt = p;
1231	s->s3.tmp.message_type = *(p++);
1232
1233	if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1234	/*
1235	* Only happens with SSLv3+ in an SSLv2 backward compatible
1236	* ClientHello
1237	*
1238	* Total message size is the remaining record bytes to read
1239	* plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1240	*/
1241	l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1242	+ SSL3_HM_HEADER_LENGTH;
1243	s->s3.tmp.message_size = l;
1244
1245	s->init_msg = s->init_buf->data;
1246	s->init_num = SSL3_HM_HEADER_LENGTH;
1247	} else {
1248	n2l3(p, l);
1249	/ BUF_MEM_grow takes an 'int' parameter /
1250	if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1251	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
1252	SSL_R_EXCESSIVE_MESSAGE_SIZE);
1253	return `0`;
1254	}
1255	s->s3.tmp.message_size = l;
1256
1257	s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1258	s->init_num = `0`;
1259	}
1260
1261	return `1`;
1262	}
1263
1264	int tls_get_message_body(SSL s, size_t len)
1265	{
1266	size_t n, readbytes;
1267	unsigned char *p;
1268	int i;
1269
1270	if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1271	/ We've already read everything in /
1272	len = (unsigned* long)s->init_num;
1273	return `1`;
1274	}
1275
1276	p = s->init_msg;
1277	n = s->s3.tmp.message_size - s->init_num;
1278	while (n > `0`) {
1279	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1280	&p[s->init_num], n, `0`, &readbytes);
1281	if (i <= `0`) {
1282	s->rwstate = SSL_READING;
1283	*len = `0`;
1284	return `0`;
1285	}
1286	s->init_num += readbytes;
1287	n -= readbytes;
1288	}
1289
1290	/*
1291	* If receiving Finished, record MAC of prior handshake messages for
1292	* Finished verification.
1293	*/
1294	if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1295	/ SSLfatal() already called /
1296	*len = `0`;
1297	return `0`;
1298	}
1299
1300	/ Feed this message into MAC computation. /
1301	if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1302	if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1303	s->init_num)) {
1304	/ SSLfatal() already called /
1305	*len = `0`;
1306	return `0`;
1307	}
1308	if (s->msg_callback)
1309	s->msg_callback(`0`, SSL2_VERSION, `0`, s->init_buf->data,
1310	(size_t)s->init_num, s, s->msg_callback_arg);
1311	} else {
1312	/*
1313	* We defer feeding in the HRR until later. We'll do it as part of
1314	* processing the message
1315	* The TLsv1.3 handshake transcript stops at the ClientFinished
1316	* message.
1317	*/
1318	#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1319	/ KeyUpdate and NewSessionTicket do not need to be added /
1320	if (!SSL_IS_TLS13(s) \|\| (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1321	&& s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1322	if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1323	\|\| s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1324	\|\| memcmp(hrrrandom,
1325	s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1326	SSL3_RANDOM_SIZE) != `0`) {
1327	if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1328	s->init_num + SSL3_HM_HEADER_LENGTH)) {
1329	/ SSLfatal() already called /
1330	*len = `0`;
1331	return `0`;
1332	}
1333	}
1334	}
1335	if (s->msg_callback)
1336	s->msg_callback(`0`, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1337	(size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1338	s->msg_callback_arg);
1339	}
1340
1341	*len = s->init_num;
1342	return `1`;
1343	}
1344
1345	static const X509ERR2ALERT x509table[] = {
1346	{X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1347	{X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1348	{X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1349	{X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1350	{X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1351	{X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1352	{X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1353	{X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1354	{X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1355	{X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1356	{X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1357	{X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1358	{X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1359	{X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1360	{X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1361	{X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1362	{X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1363	{X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1364	{X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1365	{X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1366	{X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1367	{X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1368	{X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1369	{X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1370	{X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1371	{X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1372	{X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1373	{X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1374	{X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1375	{X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1376	{X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1377	{X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1378	{X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1379	{X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1380	{X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1381	{X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1382	{X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1383	{X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1384	{X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1385
1386	/ Last entry; return this if we don't find the value above. /
1387	{X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1388	};
1389
1390	int ssl_x509err2alert(int x509err)
1391	{
1392	const X509ERR2ALERT *tp;
1393
1394	for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1395	if (tp->x509err == x509err)
1396	break;
1397	return tp->alert;
1398	}
1399
1400	int ssl_allow_compression(SSL *s)
1401	{
1402	if (s->options & SSL_OP_NO_COMPRESSION)
1403	return `0`;
1404	return ssl_security(s, SSL_SECOP_COMPRESSION, `0`, `0`, NULL);
1405	}
1406
1407	static int version_cmp(const SSL s, int* a, int b)
1408	{
1409	int dtls = SSL_IS_DTLS(s);
1410
1411	if (a == b)
1412	return `0`;
1413	if (!dtls)
1414	return a < b ? -`1` : `1`;
1415	return DTLS_VERSION_LT(a, b) ? -`1` : `1`;
1416	}
1417
1418	typedef struct {
1419	int version;
1420	const SSL_METHOD (cmeth) (void);
1421	const SSL_METHOD (smeth) (void);
1422	} version_info;
1423
1424	#if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1425	# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1426	#endif
1427
1428	/ Must be in order high to low /
1429	static const version_info tls_version_table[] = {
1430	#ifndef OPENSSL_NO_TLS1_3
1431	{TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1432	#else
1433	{TLS1_3_VERSION, NULL, NULL},
1434	#endif
1435	#ifndef OPENSSL_NO_TLS1_2
1436	{TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1437	#else
1438	{TLS1_2_VERSION, NULL, NULL},
1439	#endif
1440	#ifndef OPENSSL_NO_TLS1_1
1441	{TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1442	#else
1443	{TLS1_1_VERSION, NULL, NULL},
1444	#endif
1445	#ifndef OPENSSL_NO_TLS1
1446	{TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1447	#else
1448	{TLS1_VERSION, NULL, NULL},
1449	#endif
1450	#ifndef OPENSSL_NO_SSL3
1451	{SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1452	#else
1453	{SSL3_VERSION, NULL, NULL},
1454	#endif
1455	{`0`, NULL, NULL},
1456	};
1457
1458	#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1459	# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1460	#endif
1461
1462	/ Must be in order high to low /
1463	static const version_info dtls_version_table[] = {
1464	#ifndef OPENSSL_NO_DTLS1_2
1465	{DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1466	#else
1467	{DTLS1_2_VERSION, NULL, NULL},
1468	#endif
1469	#ifndef OPENSSL_NO_DTLS1
1470	{DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1471	{DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1472	#else
1473	{DTLS1_VERSION, NULL, NULL},
1474	{DTLS1_BAD_VER, NULL, NULL},
1475	#endif
1476	{`0`, NULL, NULL},
1477	};
1478
1479	/*
1480	* ssl_method_error - Check whether an SSL_METHOD is enabled.
1481	*
1482	* @s: The SSL handle for the candidate method
1483	* @method: the intended method.
1484	*
1485	* Returns 0 on success, or an SSL error reason on failure.
1486	*/
1487	static int ssl_method_error(const SSL s, const* SSL_METHOD *method)
1488	{
1489	int version = method->version;
1490
1491	if ((s->min_proto_version != `0` &&
1492	version_cmp(s, version, s->min_proto_version) < `0`) \|\|
1493	ssl_security(s, SSL_SECOP_VERSION, `0`, version, NULL) == `0`)
1494	return SSL_R_VERSION_TOO_LOW;
1495
1496	if (s->max_proto_version != `0` &&
1497	version_cmp(s, version, s->max_proto_version) > `0`)
1498	return SSL_R_VERSION_TOO_HIGH;
1499
1500	if ((s->options & method->mask) != `0`)
1501	return SSL_R_UNSUPPORTED_PROTOCOL;
1502	if ((method->flags & SSL_METHOD_NO_SUITEB) != `0` && tls1_suiteb(s))
1503	return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1504
1505	return `0`;
1506	}
1507
1508	/*
1509	* Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1510	* certificate type, or has PSK or a certificate callback configured. Otherwise
1511	* returns 0.
1512	*/
1513	static int is_tls13_capable(const SSL *s)
1514	{
1515	int i;
1516	#ifndef OPENSSL_NO_EC
1517	int curve;
1518	EC_KEY *eckey;
1519	#endif
1520
1521	#ifndef OPENSSL_NO_PSK
1522	if (s->psk_server_callback != NULL)
1523	return `1`;
1524	#endif
1525
1526	if (s->psk_find_session_cb != NULL \|\| s->cert->cert_cb != NULL)
1527	return `1`;
1528
1529	for (i = `0`; i < SSL_PKEY_NUM; i++) {
1530	/ Skip over certs disallowed for TLSv1.3 /
1531	switch (i) {
1532	case SSL_PKEY_DSA_SIGN:
1533	case SSL_PKEY_GOST01:
1534	case SSL_PKEY_GOST12_256:
1535	case SSL_PKEY_GOST12_512:
1536	continue;
1537	default:
1538	break;
1539	}
1540	if (!ssl_has_cert(s, i))
1541	continue;
1542	#ifndef OPENSSL_NO_EC
1543	if (i != SSL_PKEY_ECC)
1544	return `1`;
1545	/*
1546	* Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1547	* more restrictive so check that our sig algs are consistent with this
1548	* EC cert. See section 4.2.3 of RFC8446.
1549	*/
1550	eckey = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1551	if (eckey == NULL)
1552	continue;
1553	curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
1554	if (tls_check_sigalg_curve(s, curve))
1555	return `1`;
1556	#else
1557	return `1`;
1558	#endif
1559	}
1560
1561	return `0`;
1562	}
1563
1564	/*
1565	* ssl_version_supported - Check that the specified `version` is supported by
1566	* `SSL *` instance
1567	*
1568	* @s: The SSL handle for the candidate method
1569	* @version: Protocol version to test against
1570	*
1571	* Returns 1 when supported, otherwise 0
1572	*/
1573	int ssl_version_supported(const SSL s, int* version, const SSL_METHOD **meth)
1574	{
1575	const version_info *vent;
1576	const version_info *table;
1577
1578	switch (s->method->version) {
1579	default:
1580	/ Version should match method version for non-ANY method /
1581	return version_cmp(s, version, s->version) == `0`;
1582	case TLS_ANY_VERSION:
1583	table = tls_version_table;
1584	break;
1585	case DTLS_ANY_VERSION:
1586	table = dtls_version_table;
1587	break;
1588	}
1589
1590	for (vent = table;
1591	vent->version != `0` && version_cmp(s, version, vent->version) <= `0`;
1592	++vent) {
1593	if (vent->cmeth != NULL
1594	&& version_cmp(s, version, vent->version) == `0`
1595	&& ssl_method_error(s, vent->cmeth()) == `0`
1596	&& (!s->server
1597	\|\| version != TLS1_3_VERSION
1598	\|\| is_tls13_capable(s))) {
1599	if (meth != NULL)
1600	*meth = vent->cmeth();
1601	return `1`;
1602	}
1603	}
1604	return `0`;
1605	}
1606
1607	/*
1608	* ssl_check_version_downgrade - In response to RFC7507 SCSV version
1609	* fallback indication from a client check whether we're using the highest
1610	* supported protocol version.
1611	*
1612	* @s server SSL handle.
1613	*
1614	* Returns 1 when using the highest enabled version, 0 otherwise.
1615	*/
1616	int ssl_check_version_downgrade(SSL *s)
1617	{
1618	const version_info *vent;
1619	const version_info *table;
1620
1621	/*
1622	* Check that the current protocol is the highest enabled version
1623	* (according to s->ctx->method, as version negotiation may have changed
1624	* s->method).
1625	*/
1626	if (s->version == s->ctx->method->version)
1627	return `1`;
1628
1629	/*
1630	* Apparently we're using a version-flexible SSL_METHOD (not at its
1631	* highest protocol version).
1632	*/
1633	if (s->ctx->method->version == TLS_method()->version)
1634	table = tls_version_table;
1635	else if (s->ctx->method->version == DTLS_method()->version)
1636	table = dtls_version_table;
1637	else {
1638	/ Unexpected state; fail closed. /
1639	return `0`;
1640	}
1641
1642	for (vent = table; vent->version != `0`; ++vent) {
1643	if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == `0`)
1644	return s->version == vent->version;
1645	}
1646	return `0`;
1647	}
1648
1649	/*
1650	* ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1651	* protocols, provided the initial (D)TLS method is version-flexible. This
1652	* function sanity-checks the proposed value and makes sure the method is
1653	* version-flexible, then sets the limit if all is well.
1654	*
1655	* @method_version: The version of the current SSL_METHOD.
1656	* @version: the intended limit.
1657	* @bound: pointer to limit to be updated.
1658	*
1659	* Returns 1 on success, 0 on failure.
1660	*/
1661	int ssl_set_version_bound(int method_version, int version, int *bound)
1662	{
1663	if (version == `0`) {
1664	*bound = version;
1665	return `1`;
1666	}
1667
1668	/-*
1669	* Restrict TLS methods to TLS protocol versions.
1670	* Restrict DTLS methods to DTLS protocol versions.
1671	* Note, DTLS version numbers are decreasing, use comparison macros.
1672	*
1673	* Note that for both lower-bounds we use explicit versions, not
1674	* (D)TLS_MIN_VERSION. This is because we don't want to break user
1675	* configurations. If the MIN (supported) version ever rises, the user's
1676	* "floor" remains valid even if no longer available. We don't expect the
1677	* MAX ceiling to ever get lower, so making that variable makes sense.
1678	*/
1679	switch (method_version) {
1680	default:
1681	/*
1682	* XXX For fixed version methods, should we always fail and not set any
1683	* bounds, always succeed and not set any bounds, or set the bounds and
1684	* arrange to fail later if they are not met? At present fixed-version
1685	* methods are not subject to controls that disable individual protocol
1686	* versions.
1687	*/
1688	return `0`;
1689
1690	case TLS_ANY_VERSION:
1691	if (version < SSL3_VERSION \|\| version > TLS_MAX_VERSION_INTERNAL)
1692	return `0`;
1693	break;
1694
1695	case DTLS_ANY_VERSION:
1696	if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION_INTERNAL) \|\|
1697	DTLS_VERSION_LT(version, DTLS1_BAD_VER))
1698	return `0`;
1699	break;
1700	}
1701
1702	*bound = version;
1703	return `1`;
1704	}
1705
1706	static void check_for_downgrade(SSL s, int* vers, DOWNGRADE *dgrd)
1707	{
1708	if (vers == TLS1_2_VERSION
1709	&& ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1710	*dgrd = DOWNGRADE_TO_1_2;
1711	} else if (!SSL_IS_DTLS(s)
1712	&& vers < TLS1_2_VERSION
1713	/*
1714	* We need to ensure that a server that disables TLSv1.2
1715	* (creating a hole between TLSv1.3 and TLSv1.1) can still
1716	* complete handshakes with clients that support TLSv1.2 and
1717	* below. Therefore we do not enable the sentinel if TLSv1.3 is
1718	* enabled and TLSv1.2 is not.
1719	*/
1720	&& ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1721	*dgrd = DOWNGRADE_TO_1_1;
1722	} else {
1723	*dgrd = DOWNGRADE_NONE;
1724	}
1725	}
1726
1727	/*
1728	* ssl_choose_server_version - Choose server (D)TLS version. Called when the
1729	* client HELLO is received to select the final server protocol version and
1730	* the version specific method.
1731	*
1732	* @s: server SSL handle.
1733	*
1734	* Returns 0 on success or an SSL error reason number on failure.
1735	*/
1736	int ssl_choose_server_version(SSL s, CLIENTHELLO_MSG hello, DOWNGRADE *dgrd)
1737	{
1738	/-*
1739	* With version-flexible methods we have an initial state with:
1740	*
1741	* s->method->version == (D)TLS_ANY_VERSION,
1742	* s->version == (D)TLS_MAX_VERSION_INTERNAL.
1743	*
1744	* So we detect version-flexible methods via the method version, not the
1745	* handle version.
1746	*/
1747	int server_version = s->method->version;
1748	int client_version = hello->legacy_version;
1749	const version_info *vent;
1750	const version_info *table;
1751	int disabled = `0`;
1752	RAW_EXTENSION *suppversions;
1753
1754	s->client_version = client_version;
1755
1756	switch (server_version) {
1757	default:
1758	if (!SSL_IS_TLS13(s)) {
1759	if (version_cmp(s, client_version, s->version) < `0`)
1760	return SSL_R_WRONG_SSL_VERSION;
1761	*dgrd = DOWNGRADE_NONE;
1762	/*
1763	* If this SSL handle is not from a version flexible method we don't
1764	* (and never did) check min/max FIPS or Suite B constraints. Hope
1765	* that's OK. It is up to the caller to not choose fixed protocol
1766	* versions they don't want. If not, then easy to fix, just return
1767	* ssl_method_error(s, s->method)
1768	*/
1769	return `0`;
1770	}
1771	/*
1772	* Fall through if we are TLSv1.3 already (this means we must be after
1773	* a HelloRetryRequest
1774	*/
1775	/ fall thru /
1776	case TLS_ANY_VERSION:
1777	table = tls_version_table;
1778	break;
1779	case DTLS_ANY_VERSION:
1780	table = dtls_version_table;
1781	break;
1782	}
1783
1784	suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1785
1786	/ If we did an HRR then supported versions is mandatory /
1787	if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1788	return SSL_R_UNSUPPORTED_PROTOCOL;
1789
1790	if (suppversions->present && !SSL_IS_DTLS(s)) {
1791	unsigned int candidate_vers = `0`;
1792	unsigned int best_vers = `0`;
1793	const SSL_METHOD *best_method = NULL;
1794	PACKET versionslist;
1795
1796	suppversions->parsed = `1`;
1797
1798	if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1799	/ Trailing or invalid data? /
1800	return SSL_R_LENGTH_MISMATCH;
1801	}
1802
1803	/*
1804	* The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1805	* The spec only requires servers to check that it isn't SSLv3:
1806	* "Any endpoint receiving a Hello message with
1807	* ClientHello.legacy_version or ServerHello.legacy_version set to
1808	* 0x0300 MUST abort the handshake with a "protocol_version" alert."
1809	* We are slightly stricter and require that it isn't SSLv3 or lower.
1810	* We tolerate TLSv1 and TLSv1.1.
1811	*/
1812	if (client_version <= SSL3_VERSION)
1813	return SSL_R_BAD_LEGACY_VERSION;
1814
1815	while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1816	if (version_cmp(s, candidate_vers, best_vers) <= `0`)
1817	continue;
1818	if (ssl_version_supported(s, candidate_vers, &best_method))
1819	best_vers = candidate_vers;
1820	}
1821	if (PACKET_remaining(&versionslist) != `0`) {
1822	/ Trailing data? /
1823	return SSL_R_LENGTH_MISMATCH;
1824	}
1825
1826	if (best_vers > `0`) {
1827	if (s->hello_retry_request != SSL_HRR_NONE) {
1828	/*
1829	* This is after a HelloRetryRequest so we better check that we
1830	* negotiated TLSv1.3
1831	*/
1832	if (best_vers != TLS1_3_VERSION)
1833	return SSL_R_UNSUPPORTED_PROTOCOL;
1834	return `0`;
1835	}
1836	check_for_downgrade(s, best_vers, dgrd);
1837	s->version = best_vers;
1838	s->method = best_method;
1839	return `0`;
1840	}
1841	return SSL_R_UNSUPPORTED_PROTOCOL;
1842	}
1843
1844	/*
1845	* If the supported versions extension isn't present, then the highest
1846	* version we can negotiate is TLSv1.2
1847	*/
1848	if (version_cmp(s, client_version, TLS1_3_VERSION) >= `0`)
1849	client_version = TLS1_2_VERSION;
1850
1851	/*
1852	* No supported versions extension, so we just use the version supplied in
1853	* the ClientHello.
1854	*/
1855	for (vent = table; vent->version != `0`; ++vent) {
1856	const SSL_METHOD *method;
1857
1858	if (vent->smeth == NULL \|\|
1859	version_cmp(s, client_version, vent->version) < `0`)
1860	continue;
1861	method = vent->smeth();
1862	if (ssl_method_error(s, method) == `0`) {
1863	check_for_downgrade(s, vent->version, dgrd);
1864	s->version = vent->version;
1865	s->method = method;
1866	return `0`;
1867	}
1868	disabled = `1`;
1869	}
1870	return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1871	}
1872
1873	/*
1874	* ssl_choose_client_version - Choose client (D)TLS version. Called when the
1875	* server HELLO is received to select the final client protocol version and
1876	* the version specific method.
1877	*
1878	* @s: client SSL handle.
1879	* @version: The proposed version from the server's HELLO.
1880	* @extensions: The extensions received
1881	*
1882	* Returns 1 on success or 0 on error.
1883	*/
1884	int ssl_choose_client_version(SSL s, int* version, RAW_EXTENSION *extensions)
1885	{
1886	const version_info *vent;
1887	const version_info *table;
1888	int ret, ver_min, ver_max, real_max, origv;
1889
1890	origv = s->version;
1891	s->version = version;
1892
1893	/ This will overwrite s->version if the extension is present /
1894	if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1895	SSL_EXT_TLS1_2_SERVER_HELLO
1896	\| SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1897	NULL, `0`)) {
1898	s->version = origv;
1899	return `0`;
1900	}
1901
1902	if (s->hello_retry_request != SSL_HRR_NONE
1903	&& s->version != TLS1_3_VERSION) {
1904	s->version = origv;
1905	SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1906	SSL_R_WRONG_SSL_VERSION);
1907	return `0`;
1908	}
1909
1910	switch (s->method->version) {
1911	default:
1912	if (s->version != s->method->version) {
1913	s->version = origv;
1914	SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1915	SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1916	SSL_R_WRONG_SSL_VERSION);
1917	return `0`;
1918	}
1919	/*
1920	* If this SSL handle is not from a version flexible method we don't
1921	* (and never did) check min/max, FIPS or Suite B constraints. Hope
1922	* that's OK. It is up to the caller to not choose fixed protocol
1923	* versions they don't want. If not, then easy to fix, just return
1924	* ssl_method_error(s, s->method)
1925	*/
1926	return `1`;
1927	case TLS_ANY_VERSION:
1928	table = tls_version_table;
1929	break;
1930	case DTLS_ANY_VERSION:
1931	table = dtls_version_table;
1932	break;
1933	}
1934
1935	ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1936	if (ret != `0`) {
1937	s->version = origv;
1938	SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1939	SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
1940	return `0`;
1941	}
1942	if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1943	: s->version < ver_min) {
1944	s->version = origv;
1945	SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1946	SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1947	return `0`;
1948	} else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1949	: s->version > ver_max) {
1950	s->version = origv;
1951	SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1952	SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1953	return `0`;
1954	}
1955
1956	if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == `0`)
1957	real_max = ver_max;
1958
1959	/ Check for downgrades /
1960	if (s->version == TLS1_2_VERSION && real_max > s->version) {
1961	if (memcmp(tls12downgrade,
1962	s->s3.server_random + SSL3_RANDOM_SIZE
1963	- sizeof(tls12downgrade),
1964	sizeof(tls12downgrade)) == `0`) {
1965	s->version = origv;
1966	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1967	SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1968	SSL_R_INAPPROPRIATE_FALLBACK);
1969	return `0`;
1970	}
1971	} else if (!SSL_IS_DTLS(s)
1972	&& s->version < TLS1_2_VERSION
1973	&& real_max > s->version) {
1974	if (memcmp(tls11downgrade,
1975	s->s3.server_random + SSL3_RANDOM_SIZE
1976	- sizeof(tls11downgrade),
1977	sizeof(tls11downgrade)) == `0`) {
1978	s->version = origv;
1979	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1980	SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1981	SSL_R_INAPPROPRIATE_FALLBACK);
1982	return `0`;
1983	}
1984	}
1985
1986	for (vent = table; vent->version != `0`; ++vent) {
1987	if (vent->cmeth == NULL \|\| s->version != vent->version)
1988	continue;
1989
1990	s->method = vent->cmeth();
1991	return `1`;
1992	}
1993
1994	s->version = origv;
1995	SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1996	SSL_R_UNSUPPORTED_PROTOCOL);
1997	return `0`;
1998	}
1999
2000	/*
2001	* ssl_get_min_max_version - get minimum and maximum protocol version
2002	* @s: The SSL connection
2003	* @min_version: The minimum supported version
2004	* @max_version: The maximum supported version
2005	* @real_max: The highest version below the lowest compile time version hole
2006	* where that hole lies above at least one run-time enabled
2007	* protocol.
2008	*
2009	* Work out what version we should be using for the initial ClientHello if the
2010	* version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2011	* options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2012	* constraints and any floor imposed by the security level here,
2013	* so we don't advertise the wrong protocol version to only reject the outcome later.
2014	*
2015	* Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2016	* TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2017	* only allow TLS 1.2, we want to advertise TLS1.2, not TLS1.
2018	*
2019	* Returns 0 on success or an SSL error reason number on failure. On failure
2020	* min_version and max_version will also be set to 0.
2021	*/
2022	int ssl_get_min_max_version(const SSL s, int* min_version, int* *max_version,
2023	int *real_max)
2024	{
2025	int version, tmp_real_max;
2026	int hole;
2027	const SSL_METHOD *single = NULL;
2028	const SSL_METHOD *method;
2029	const version_info *table;
2030	const version_info *vent;
2031
2032	switch (s->method->version) {
2033	default:
2034	/*
2035	* If this SSL handle is not from a version flexible method we don't
2036	* (and never did) check min/max FIPS or Suite B constraints. Hope
2037	* that's OK. It is up to the caller to not choose fixed protocol
2038	* versions they don't want. If not, then easy to fix, just return
2039	* ssl_method_error(s, s->method)
2040	*/
2041	min_version = max_version = s->version;
2042	/*
2043	* Providing a real_max only makes sense where we're using a version
2044	* flexible method.
2045	*/
2046	if (!ossl_assert(real_max == NULL))
2047	return ERR_R_INTERNAL_ERROR;
2048	return `0`;
2049	case TLS_ANY_VERSION:
2050	table = tls_version_table;
2051	break;
2052	case DTLS_ANY_VERSION:
2053	table = dtls_version_table;
2054	break;
2055	}
2056
2057	/*
2058	* SSL_OP_NO_X disables all protocols above X if there are some protocols
2059	* below X enabled. This is required in order to maintain the "version
2060	* capability" vector contiguous. Any versions with a NULL client method
2061	* (protocol version client is disabled at compile-time) is also a "hole".
2062	*
2063	* Our initial state is hole == 1, version == 0. That is, versions above
2064	* the first version in the method table are disabled (a "hole" above
2065	* the valid protocol entries) and we don't have a selected version yet.
2066	*
2067	* Whenever "hole == 1", and we hit an enabled method, its version becomes
2068	* the selected version, and the method becomes a candidate "single"
2069	* method. We're no longer in a hole, so "hole" becomes 0.
2070	*
2071	* If "hole == 0" and we hit an enabled method, then "single" is cleared,
2072	* as we support a contiguous range of at least two methods. If we hit
2073	* a disabled method, then hole becomes true again, but nothing else
2074	* changes yet, because all the remaining methods may be disabled too.
2075	* If we again hit an enabled method after the new hole, it becomes
2076	* selected, as we start from scratch.
2077	*/
2078	*min_version = version = `0`;
2079	hole = `1`;
2080	if (real_max != NULL)
2081	*real_max = `0`;
2082	tmp_real_max = `0`;
2083	for (vent = table; vent->version != `0`; ++vent) {
2084	/*
2085	* A table entry with a NULL client method is still a hole in the
2086	* "version capability" vector.
2087	*/
2088	if (vent->cmeth == NULL) {
2089	hole = `1`;
2090	tmp_real_max = `0`;
2091	continue;
2092	}
2093	method = vent->cmeth();
2094
2095	if (hole == `1` && tmp_real_max == `0`)
2096	tmp_real_max = vent->version;
2097
2098	if (ssl_method_error(s, method) != `0`) {
2099	hole = `1`;
2100	} else if (!hole) {
2101	single = NULL;
2102	*min_version = method->version;
2103	} else {
2104	if (real_max != NULL && tmp_real_max != `0`)
2105	*real_max = tmp_real_max;
2106	version = (single = method)->version;
2107	*min_version = version;
2108	hole = `0`;
2109	}
2110	}
2111
2112	*max_version = version;
2113
2114	/ Fail if everything is disabled /
2115	if (version == `0`)
2116	return SSL_R_NO_PROTOCOLS_AVAILABLE;
2117
2118	return `0`;
2119	}
2120
2121	/*
2122	* ssl_set_client_hello_version - Work out what version we should be using for
2123	* the initial ClientHello.legacy_version field.
2124	*
2125	* @s: client SSL handle.
2126	*
2127	* Returns 0 on success or an SSL error reason number on failure.
2128	*/
2129	int ssl_set_client_hello_version(SSL *s)
2130	{
2131	int ver_min, ver_max, ret;
2132
2133	/*
2134	* In a renegotiation we always send the same client_version that we sent
2135	* last time, regardless of which version we eventually negotiated.
2136	*/
2137	if (!SSL_IS_FIRST_HANDSHAKE(s))
2138	return `0`;
2139
2140	ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2141
2142	if (ret != `0`)
2143	return ret;
2144
2145	s->version = ver_max;
2146
2147	/ TLS1.3 always uses TLS1.2 in the legacy_version field /
2148	if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2149	ver_max = TLS1_2_VERSION;
2150
2151	s->client_version = ver_max;
2152	return `0`;
2153	}
2154
2155	/*
2156	* Checks a list of \|groups\| to determine if the \|group_id\| is in it. If it is
2157	* and \|checkallow\| is 1 then additionally check if the group is allowed to be
2158	* used. Returns 1 if the group is in the list (and allowed if \|checkallow\| is
2159	* 1) or 0 otherwise.
2160	*/
2161	int check_in_list(SSL s, uint16_t group_id, const* uint16_t *groups,
2162	size_t num_groups, int checkallow)
2163	{
2164	size_t i;
2165
2166	if (groups == NULL \|\| num_groups == `0`)
2167	return `0`;
2168
2169	for (i = `0`; i < num_groups; i++) {
2170	uint16_t group = groups[i];
2171
2172	if (group_id == group
2173	&& (!checkallow
2174	\|\| tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2175	return `1`;
2176	}
2177	}
2178
2179	return `0`;
2180	}
2181
2182	/ Replace ClientHello1 in the transcript hash with a synthetic message /
2183	int create_synthetic_message_hash(SSL s, const* unsigned char *hashval,
2184	size_t hashlen, const unsigned char *hrr,
2185	size_t hrrlen)
2186	{
2187	unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2188	unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2189
2190	memset(msghdr, `0`, sizeof(msghdr));
2191
2192	if (hashval == NULL) {
2193	hashval = hashvaltmp;
2194	hashlen = `0`;
2195	/ Get the hash of the initial ClientHello /
2196	if (!ssl3_digest_cached_records(s, `0`)
2197	\|\| !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2198	&hashlen)) {
2199	/ SSLfatal() already called /
2200	return `0`;
2201	}
2202	}
2203
2204	/ Reinitialise the transcript hash /
2205	if (!ssl3_init_finished_mac(s)) {
2206	/ SSLfatal() already called /
2207	return `0`;
2208	}
2209
2210	/ Inject the synthetic message_hash message /
2211	msghdr[`0`] = SSL3_MT_MESSAGE_HASH;
2212	msghdr[SSL3_HM_HEADER_LENGTH - `1`] = (unsigned char)hashlen;
2213	if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2214	\|\| !ssl3_finish_mac(s, hashval, hashlen)) {
2215	/ SSLfatal() already called /
2216	return `0`;
2217	}
2218
2219	/*
2220	* Now re-inject the HRR and current message if appropriate (we just deleted
2221	* it when we reinitialised the transcript hash above). Only necessary after
2222	* receiving a ClientHello2 with a cookie.
2223	*/
2224	if (hrr != NULL
2225	&& (!ssl3_finish_mac(s, hrr, hrrlen)
2226	\|\| !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2227	s->s3.tmp.message_size
2228	+ SSL3_HM_HEADER_LENGTH))) {
2229	/ SSLfatal() already called /
2230	return `0`;
2231	}
2232
2233	return `1`;
2234	}
2235
2236	static int ca_dn_cmp(const X509_NAME *const a, const* X509_NAME *const *b)
2237	{
2238	return X509_NAME_cmp(a, b);
2239	}
2240
2241	int parse_ca_names(SSL s, PACKET pkt)
2242	{
2243	STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2244	X509_NAME *xn = NULL;
2245	PACKET cadns;
2246
2247	if (ca_sk == NULL) {
2248	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2249	ERR_R_MALLOC_FAILURE);
2250	goto err;
2251	}
2252	/ get the CA RDNs /
2253	if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2254	SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
2255	SSL_R_LENGTH_MISMATCH);
2256	goto err;
2257	}
2258
2259	while (PACKET_remaining(&cadns)) {
2260	const unsigned char namestart, namebytes;
2261	unsigned int name_len;
2262
2263	if (!PACKET_get_net_2(&cadns, &name_len)
2264	\|\| !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2265	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2266	SSL_R_LENGTH_MISMATCH);
2267	goto err;
2268	}
2269
2270	namestart = namebytes;
2271	if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2272	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2273	ERR_R_ASN1_LIB);
2274	goto err;
2275	}
2276	if (namebytes != (namestart + name_len)) {
2277	SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2278	SSL_R_CA_DN_LENGTH_MISMATCH);
2279	goto err;
2280	}
2281
2282	if (!sk_X509_NAME_push(ca_sk, xn)) {
2283	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2284	ERR_R_MALLOC_FAILURE);
2285	goto err;
2286	}
2287	xn = NULL;
2288	}
2289
2290	sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2291	s->s3.tmp.peer_ca_names = ca_sk;
2292
2293	return `1`;
2294
2295	err:
2296	sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2297	X509_NAME_free(xn);
2298	return `0`;
2299	}
2300
2301	const STACK_OF(X509_NAME) get_ca_names(SSL s)
2302	{
2303	const STACK_OF(X509_NAME) *ca_sk = NULL;;
2304
2305	if (s->server) {
2306	ca_sk = SSL_get_client_CA_list(s);
2307	if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == `0`)
2308	ca_sk = NULL;
2309	}
2310
2311	if (ca_sk == NULL)
2312	ca_sk = SSL_get0_CA_list(s);
2313
2314	return ca_sk;
2315	}
2316
2317	int construct_ca_names(SSL s, const* STACK_OF(X509_NAME) ca_sk, WPACKET pkt)
2318	{
2319	/ Start sub-packet for client CA list /
2320	if (!WPACKET_start_sub_packet_u16(pkt)) {
2321	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2322	ERR_R_INTERNAL_ERROR);
2323	return `0`;
2324	}
2325
2326	if (ca_sk != NULL) {
2327	int i;
2328
2329	for (i = `0`; i < sk_X509_NAME_num(ca_sk); i++) {
2330	unsigned char *namebytes;
2331	X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2332	int namelen;
2333
2334	if (name == NULL
2335	\|\| (namelen = i2d_X509_NAME(name, NULL)) < `0`
2336	\|\| !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2337	&namebytes)
2338	\|\| i2d_X509_NAME(name, &namebytes) != namelen) {
2339	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2340	ERR_R_INTERNAL_ERROR);
2341	return `0`;
2342	}
2343	}
2344	}
2345
2346	if (!WPACKET_close(pkt)) {
2347	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2348	ERR_R_INTERNAL_ERROR);
2349	return `0`;
2350	}
2351
2352	return `1`;
2353	}
2354
2355	/ Create a buffer containing data to be signed for server key exchange /
2356	size_t construct_key_exchange_tbs(SSL s, unsigned* char **ptbs,
2357	const void *param, size_t paramlen)
2358	{
2359	size_t tbslen = `2` * SSL3_RANDOM_SIZE + paramlen;
2360	unsigned char *tbs = OPENSSL_malloc(tbslen);
2361
2362	if (tbs == NULL) {
2363	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
2364	ERR_R_MALLOC_FAILURE);
2365	return `0`;
2366	}
2367	memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2368	memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2369
2370	memcpy(tbs + SSL3_RANDOM_SIZE * `2`, param, paramlen);
2371
2372	*ptbs = tbs;
2373	return tbslen;
2374	}
2375
2376	/*
2377	* Saves the current handshake digest for Post-Handshake Auth,
2378	* Done after ClientFinished is processed, done exactly once
2379	*/
2380	int tls13_save_handshake_digest_for_pha(SSL *s)
2381	{
2382	if (s->pha_dgst == NULL) {
2383	if (!ssl3_digest_cached_records(s, `1`))
2384	/ SSLfatal() already called /
2385	return `0`;
2386
2387	s->pha_dgst = EVP_MD_CTX_new();
2388	if (s->pha_dgst == NULL) {
2389	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2390	SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2391	ERR_R_INTERNAL_ERROR);
2392	return `0`;
2393	}
2394	if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2395	s->s3.handshake_dgst)) {
2396	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2397	SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2398	ERR_R_INTERNAL_ERROR);
2399	return `0`;
2400	}
2401	}
2402	return `1`;
2403	}
2404
2405	/*
2406	* Restores the Post-Handshake Auth handshake digest
2407	* Done just before sending/processing the Cert Request
2408	*/
2409	int tls13_restore_handshake_digest_for_pha(SSL *s)
2410	{
2411	if (s->pha_dgst == NULL) {
2412	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2413	SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2414	ERR_R_INTERNAL_ERROR);
2415	return `0`;
2416	}
2417	if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2418	s->pha_dgst)) {
2419	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2420	SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2421	ERR_R_INTERNAL_ERROR);
2422	return `0`;
2423	}
2424	return `1`;
2425	}
2426

Browse the source code of ClickHouse/contrib/openssl/ssl/statem/statem_lib.c