2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/objects.h>
19 #include <openssl/evp.h>
20 #include <openssl/rsa.h>
21 #include <openssl/x509.h>
22 #include <openssl/trace.h>
25 * Map error codes to TLS/SSL alart types.
27 typedef struct x509err2alert_st {
32 /* Fixed value used in the ServerHello random field to identify an HRR */
33 const unsigned char hrrrandom[] = {
34 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
40 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41 * SSL3_RT_CHANGE_CIPHER_SPEC)
43 int ssl3_do_write(SSL *s, int type)
48 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
49 s->init_num, &written);
52 if (type == SSL3_RT_HANDSHAKE)
54 * should not be done for 'Hello Request's, but in that case we'll
55 * ignore the result anyway
56 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
58 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
59 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
60 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
61 if (!ssl3_finish_mac(s,
62 (unsigned char *)&s->init_buf->data[s->init_off],
65 if (written == s->init_num) {
67 s->msg_callback(1, s->version, type, s->init_buf->data,
68 (size_t)(s->init_off + s->init_num), s,
72 s->init_off += written;
73 s->init_num -= written;
77 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
81 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
82 || !WPACKET_get_length(pkt, &msglen)
85 s->init_num = (int)msglen;
91 int tls_setup_handshake(SSL *s)
93 int ver_min, ver_max, ok;
95 if (!ssl3_init_finished_mac(s)) {
96 /* SSLfatal() already called */
100 /* Reset any extension flags */
101 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
103 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
104 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
108 /* Sanity check that we have MD5-SHA1 if we need it */
109 if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
110 int md5sha1_needed = 0;
112 /* We don't have MD5-SHA1 - do we need it? */
113 if (SSL_IS_DTLS(s)) {
114 if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
117 if (ver_max <= TLS1_1_VERSION)
120 if (md5sha1_needed) {
121 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
122 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
123 "The max supported SSL/TLS version needs the"
124 " MD5-SHA1 digest but it is not available"
125 " in the loaded providers. Use (D)TLSv1.2 or"
126 " above, or load different providers");
131 /* Don't allow TLSv1.1 or below to be negotiated */
132 if (SSL_IS_DTLS(s)) {
133 if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
134 ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION);
136 if (ver_min < TLS1_2_VERSION)
137 ok = SSL_set_min_proto_version(s, TLS1_2_VERSION);
140 /* Shouldn't happen */
141 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
148 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
152 * Sanity check that the maximum version we accept has ciphers
153 * enabled. For clients we do this check during construction of the
156 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
157 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
159 if (SSL_IS_DTLS(s)) {
160 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
161 DTLS_VERSION_LE(ver_max, c->max_dtls))
163 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
170 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
171 SSL_R_NO_CIPHERS_AVAILABLE,
172 "No ciphers enabled for max supported "
176 if (SSL_IS_FIRST_HANDSHAKE(s)) {
177 /* N.B. s->session_ctx == s->ctx here */
178 tsan_counter(&s->session_ctx->stats.sess_accept);
180 /* N.B. s->ctx may not equal s->session_ctx */
181 tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
183 s->s3.tmp.cert_request = 0;
186 if (SSL_IS_FIRST_HANDSHAKE(s))
187 tsan_counter(&s->session_ctx->stats.sess_connect);
189 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
191 /* mark client_random uninitialized */
192 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
195 s->s3.tmp.cert_req = 0;
198 s->statem.use_timer = 1;
205 * Size of the to-be-signed TLS13 data, without the hash size itself:
206 * 64 bytes of value 32, 33 context bytes, 1 byte separator
208 #define TLS13_TBS_START_SIZE 64
209 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
211 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
212 void **hdata, size_t *hdatalen)
214 #ifdef CHARSET_EBCDIC
215 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
216 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
217 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
218 0x69, 0x66, 0x79, 0x00 };
219 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
220 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
221 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
222 0x69, 0x66, 0x79, 0x00 };
224 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
225 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
227 if (SSL_IS_TLS13(s)) {
230 /* Set the first 64 bytes of to-be-signed data to octet 32 */
231 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
232 /* This copies the 33 bytes of context plus the 0 separator byte */
233 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
234 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
235 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
237 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
240 * If we're currently reading then we need to use the saved handshake
241 * hash value. We can't use the current handshake hash state because
242 * that includes the CertVerify itself.
244 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
245 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
246 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
247 s->cert_verify_hash_len);
248 hashlen = s->cert_verify_hash_len;
249 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
250 EVP_MAX_MD_SIZE, &hashlen)) {
251 /* SSLfatal() already called */
256 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
261 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
263 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
272 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
274 EVP_PKEY *pkey = NULL;
275 const EVP_MD *md = NULL;
276 EVP_MD_CTX *mctx = NULL;
277 EVP_PKEY_CTX *pctx = NULL;
278 size_t hdatalen = 0, siglen = 0;
280 unsigned char *sig = NULL;
281 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
282 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
284 if (lu == NULL || s->s3.tmp.cert == NULL) {
285 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
288 pkey = s->s3.tmp.cert->privatekey;
290 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
291 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
295 mctx = EVP_MD_CTX_new();
297 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
301 /* Get the data to be signed */
302 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
303 /* SSLfatal() already called */
307 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
308 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
312 if (EVP_DigestSignInit_ex(mctx, &pctx, md == NULL ? NULL : EVP_MD_name(md),
313 s->ctx->libctx, s->ctx->propq, pkey,
315 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
319 if (lu->sig == EVP_PKEY_RSA_PSS) {
320 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
321 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
322 RSA_PSS_SALTLEN_DIGEST) <= 0) {
323 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
327 if (s->version == SSL3_VERSION) {
329 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
330 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
332 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
333 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
334 (int)s->session->master_key_length,
335 s->session->master_key) <= 0
336 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
338 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
341 sig = OPENSSL_malloc(siglen);
343 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
344 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
349 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
350 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
352 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
353 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
356 sig = OPENSSL_malloc(siglen);
358 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
359 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
364 #ifndef OPENSSL_NO_GOST
366 int pktype = lu->sig;
368 if (pktype == NID_id_GostR3410_2001
369 || pktype == NID_id_GostR3410_2012_256
370 || pktype == NID_id_GostR3410_2012_512)
371 BUF_reverse(sig, NULL, siglen);
375 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
376 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
380 /* Digest cached records and discard handshake buffer */
381 if (!ssl3_digest_cached_records(s, 0)) {
382 /* SSLfatal() already called */
387 EVP_MD_CTX_free(mctx);
391 EVP_MD_CTX_free(mctx);
395 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
397 EVP_PKEY *pkey = NULL;
398 const unsigned char *data;
399 #ifndef OPENSSL_NO_GOST
400 unsigned char *gost_data = NULL;
402 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
406 const EVP_MD *md = NULL;
409 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
410 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
411 EVP_PKEY_CTX *pctx = NULL;
414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
418 peer = s->session->peer;
419 pkey = X509_get0_pubkey(peer);
421 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
425 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
426 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
427 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
431 if (SSL_USE_SIGALGS(s)) {
434 if (!PACKET_get_net_2(pkt, &sigalg)) {
435 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
438 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
439 /* SSLfatal() already called */
442 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
443 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
447 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
448 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
452 if (SSL_USE_SIGALGS(s))
453 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
454 md == NULL ? "n/a" : EVP_MD_name(md));
456 /* Check for broken implementations of GOST ciphersuites */
458 * If key is GOST and len is exactly 64 or 128, it is signature without
459 * length field (CryptoPro implementations at least till TLS 1.2)
461 #ifndef OPENSSL_NO_GOST
462 if (!SSL_USE_SIGALGS(s)
463 && ((PACKET_remaining(pkt) == 64
464 && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
465 || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
466 || (PACKET_remaining(pkt) == 128
467 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
468 len = PACKET_remaining(pkt);
471 if (!PACKET_get_net_2(pkt, &len)) {
472 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
476 if (!PACKET_get_bytes(pkt, &data, len)) {
477 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
481 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
482 /* SSLfatal() already called */
486 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
487 md == NULL ? "n/a" : EVP_MD_name(md));
489 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
490 md == NULL ? NULL : EVP_MD_name(md),
491 s->ctx->libctx, s->ctx->propq, pkey,
493 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
496 #ifndef OPENSSL_NO_GOST
498 int pktype = EVP_PKEY_id(pkey);
499 if (pktype == NID_id_GostR3410_2001
500 || pktype == NID_id_GostR3410_2012_256
501 || pktype == NID_id_GostR3410_2012_512) {
502 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
503 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
506 BUF_reverse(gost_data, data, len);
512 if (SSL_USE_PSS(s)) {
513 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
514 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
515 RSA_PSS_SALTLEN_DIGEST) <= 0) {
516 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
520 if (s->version == SSL3_VERSION) {
521 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
522 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
523 (int)s->session->master_key_length,
524 s->session->master_key) <= 0) {
525 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
528 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
529 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
533 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
535 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
541 * In TLSv1.3 on the client side we make sure we prepare the client
542 * certificate after the CertVerify instead of when we get the
543 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
544 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
545 * want to make sure that SSL_get1_peer_certificate() will return the actual
546 * server certificate from the client_cert_cb callback.
548 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
549 ret = MSG_PROCESS_CONTINUE_PROCESSING;
551 ret = MSG_PROCESS_CONTINUE_READING;
553 BIO_free(s->s3.handshake_buffer);
554 s->s3.handshake_buffer = NULL;
555 EVP_MD_CTX_free(mctx);
556 #ifndef OPENSSL_NO_GOST
557 OPENSSL_free(gost_data);
562 int tls_construct_finished(SSL *s, WPACKET *pkt)
564 size_t finish_md_len;
568 /* This is a real handshake so make sure we clean it up at the end */
569 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
570 s->statem.cleanuphand = 1;
573 * We only change the keys if we didn't already do this when we sent the
578 && s->s3.tmp.cert_req == 0
579 && (!s->method->ssl3_enc->change_cipher_state(s,
580 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
581 /* SSLfatal() already called */
586 sender = s->method->ssl3_enc->server_finished_label;
587 slen = s->method->ssl3_enc->server_finished_label_len;
589 sender = s->method->ssl3_enc->client_finished_label;
590 slen = s->method->ssl3_enc->client_finished_label_len;
593 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
595 s->s3.tmp.finish_md);
596 if (finish_md_len == 0) {
597 /* SSLfatal() already called */
601 s->s3.tmp.finish_md_len = finish_md_len;
603 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
604 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
609 * Log the master secret, if logging is enabled. We don't log it for
610 * TLSv1.3: there's a different key schedule for that.
612 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
613 s->session->master_key,
614 s->session->master_key_length)) {
615 /* SSLfatal() already called */
620 * Copy the finished so we can use it for renegotiation checks
622 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
623 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
627 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
629 s->s3.previous_client_finished_len = finish_md_len;
631 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
633 s->s3.previous_server_finished_len = finish_md_len;
639 int tls_construct_key_update(SSL *s, WPACKET *pkt)
641 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
642 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
646 s->key_update = SSL_KEY_UPDATE_NONE;
650 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
652 unsigned int updatetype;
655 * A KeyUpdate message signals a key change so the end of the message must
656 * be on a record boundary.
658 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
659 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
660 return MSG_PROCESS_ERROR;
663 if (!PACKET_get_1(pkt, &updatetype)
664 || PACKET_remaining(pkt) != 0) {
665 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
666 return MSG_PROCESS_ERROR;
670 * There are only two defined key update types. Fail if we get a value we
673 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
674 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
675 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
676 return MSG_PROCESS_ERROR;
680 * If we get a request for us to update our sending keys too then, we need
681 * to additionally send a KeyUpdate message. However that message should
682 * not also request an update (otherwise we get into an infinite loop).
684 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
685 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
687 if (!tls13_update_key(s, 0)) {
688 /* SSLfatal() already called */
689 return MSG_PROCESS_ERROR;
692 return MSG_PROCESS_FINISHED_READING;
696 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
699 int ssl3_take_mac(SSL *s)
705 sender = s->method->ssl3_enc->server_finished_label;
706 slen = s->method->ssl3_enc->server_finished_label_len;
708 sender = s->method->ssl3_enc->client_finished_label;
709 slen = s->method->ssl3_enc->client_finished_label_len;
712 s->s3.tmp.peer_finish_md_len =
713 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
714 s->s3.tmp.peer_finish_md);
716 if (s->s3.tmp.peer_finish_md_len == 0) {
717 /* SSLfatal() already called */
724 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
728 remain = PACKET_remaining(pkt);
730 * 'Change Cipher Spec' is just a single byte, which should already have
731 * been consumed by ssl_get_message() so there should be no bytes left,
732 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
734 if (SSL_IS_DTLS(s)) {
735 if ((s->version == DTLS1_BAD_VER
736 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
737 || (s->version != DTLS1_BAD_VER
738 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
739 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
740 return MSG_PROCESS_ERROR;
744 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
745 return MSG_PROCESS_ERROR;
749 /* Check we have a cipher to change to */
750 if (s->s3.tmp.new_cipher == NULL) {
751 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
752 return MSG_PROCESS_ERROR;
755 s->s3.change_cipher_spec = 1;
756 if (!ssl3_do_change_cipher_spec(s)) {
757 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
758 return MSG_PROCESS_ERROR;
761 if (SSL_IS_DTLS(s)) {
762 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
764 if (s->version == DTLS1_BAD_VER)
765 s->d1->handshake_read_seq++;
767 #ifndef OPENSSL_NO_SCTP
769 * Remember that a CCS has been received, so that an old key of
770 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
773 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
777 return MSG_PROCESS_CONTINUE_READING;
780 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
785 /* This is a real handshake so make sure we clean it up at the end */
788 * To get this far we must have read encrypted data from the client. We
789 * no longer tolerate unencrypted alerts. This value is ignored if less
792 s->statem.enc_read_state = ENC_READ_STATE_VALID;
793 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
794 s->statem.cleanuphand = 1;
795 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
796 /* SSLfatal() already called */
797 return MSG_PROCESS_ERROR;
802 * In TLSv1.3 a Finished message signals a key change so the end of the
803 * message must be on a record boundary.
805 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
806 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
807 return MSG_PROCESS_ERROR;
810 /* If this occurs, we have missed a message */
811 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
812 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
813 return MSG_PROCESS_ERROR;
815 s->s3.change_cipher_spec = 0;
817 md_len = s->s3.tmp.peer_finish_md_len;
819 if (md_len != PACKET_remaining(pkt)) {
820 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
821 return MSG_PROCESS_ERROR;
824 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
826 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
827 return MSG_PROCESS_ERROR;
831 * Copy the finished so we can use it for renegotiation checks
833 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
834 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
835 return MSG_PROCESS_ERROR;
838 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
840 s->s3.previous_client_finished_len = md_len;
842 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
844 s->s3.previous_server_finished_len = md_len;
848 * In TLS1.3 we also have to change cipher state and do any final processing
849 * of the initial server flight (if we are a client)
851 if (SSL_IS_TLS13(s)) {
853 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
854 !s->method->ssl3_enc->change_cipher_state(s,
855 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
856 /* SSLfatal() already called */
857 return MSG_PROCESS_ERROR;
860 /* TLS 1.3 gets the secret size from the handshake md */
862 if (!s->method->ssl3_enc->generate_master_secret(s,
863 s->master_secret, s->handshake_secret, 0,
865 /* SSLfatal() already called */
866 return MSG_PROCESS_ERROR;
868 if (!s->method->ssl3_enc->change_cipher_state(s,
869 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
870 /* SSLfatal() already called */
871 return MSG_PROCESS_ERROR;
873 if (!tls_process_initial_server_flight(s)) {
874 /* SSLfatal() already called */
875 return MSG_PROCESS_ERROR;
880 return MSG_PROCESS_FINISHED_READING;
883 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
885 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
886 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
893 /* Add a certificate to the WPACKET */
894 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
897 unsigned char *outbytes;
899 len = i2d_X509(x, NULL);
901 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
904 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
905 || i2d_X509(x, &outbytes) != len) {
906 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
911 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
913 /* SSLfatal() already called */
920 /* Add certificate chain to provided WPACKET */
921 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
925 STACK_OF(X509) *extra_certs;
926 STACK_OF(X509) *chain = NULL;
927 X509_STORE *chain_store;
929 if (cpk == NULL || cpk->x509 == NULL)
935 * If we have a certificate specific chain use it, else use parent ctx.
937 if (cpk->chain != NULL)
938 extra_certs = cpk->chain;
940 extra_certs = s->ctx->extra_certs;
942 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
944 else if (s->cert->chain_store)
945 chain_store = s->cert->chain_store;
947 chain_store = s->ctx->cert_store;
949 if (chain_store != NULL) {
950 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx,
953 if (xs_ctx == NULL) {
954 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
957 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
958 X509_STORE_CTX_free(xs_ctx);
959 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
963 * It is valid for the chain not to be complete (because normally we
964 * don't include the root cert in the chain). Therefore we deliberately
965 * ignore the error return from this call. We're not actually verifying
966 * the cert - we're just building as much of the chain as we can
968 (void)X509_verify_cert(xs_ctx);
969 /* Don't leave errors in the queue */
971 chain = X509_STORE_CTX_get0_chain(xs_ctx);
972 i = ssl_security_cert_chain(s, chain, NULL, 0);
975 /* Dummy error calls so mkerr generates them */
976 ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
977 ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
978 ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
980 X509_STORE_CTX_free(xs_ctx);
981 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
984 chain_count = sk_X509_num(chain);
985 for (i = 0; i < chain_count; i++) {
986 x = sk_X509_value(chain, i);
988 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
989 /* SSLfatal() already called */
990 X509_STORE_CTX_free(xs_ctx);
994 X509_STORE_CTX_free(xs_ctx);
996 i = ssl_security_cert_chain(s, extra_certs, x, 0);
998 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
1001 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1002 /* SSLfatal() already called */
1005 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1006 x = sk_X509_value(extra_certs, i);
1007 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1008 /* SSLfatal() already called */
1016 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1018 if (!WPACKET_start_sub_packet_u24(pkt)) {
1019 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1023 if (!ssl_add_cert_chain(s, pkt, cpk))
1026 if (!WPACKET_close(pkt)) {
1027 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1035 * Tidy up after the end of a handshake. In the case of SCTP this may result
1036 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1039 WORK_STATE tls_finish_handshake(SSL *s, ossl_unused WORK_STATE wst,
1040 int clearbufs, int stop)
1042 void (*cb) (const SSL *ssl, int type, int val) = NULL;
1043 int cleanuphand = s->statem.cleanuphand;
1047 #ifndef OPENSSL_NO_SCTP
1049 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1050 * messages that require it. Therefore, DTLS procedures for retransmissions
1052 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1054 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1058 * We don't do this in DTLS over UDP because we may still need the init_buf
1059 * in case there are any unexpected retransmits
1061 BUF_MEM_free(s->init_buf);
1065 if (!ssl_free_wbio_buffer(s)) {
1066 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1072 if (SSL_IS_TLS13(s) && !s->server
1073 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1074 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1077 * Only set if there was a Finished message and this isn't after a TLSv1.3
1078 * post handshake exchange
1081 /* skipped if we just sent a HelloRequest */
1084 s->statem.cleanuphand = 0;
1085 s->ext.ticket_expected = 0;
1087 ssl3_cleanup_key_block(s);
1091 * In TLSv1.3 we update the cache as part of constructing the
1094 if (!SSL_IS_TLS13(s))
1095 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1097 /* N.B. s->ctx may not equal s->session_ctx */
1098 tsan_counter(&s->ctx->stats.sess_accept_good);
1099 s->handshake_func = ossl_statem_accept;
1101 if (SSL_IS_TLS13(s)) {
1103 * We encourage applications to only use TLSv1.3 tickets once,
1104 * so we remove this one from the cache.
1106 if ((s->session_ctx->session_cache_mode
1107 & SSL_SESS_CACHE_CLIENT) != 0)
1108 SSL_CTX_remove_session(s->session_ctx, s->session);
1111 * In TLSv1.3 we update the cache as part of processing the
1114 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1117 tsan_counter(&s->session_ctx->stats.sess_hit);
1119 s->handshake_func = ossl_statem_connect;
1120 tsan_counter(&s->session_ctx->stats.sess_connect_good);
1123 if (SSL_IS_DTLS(s)) {
1124 /* done with handshaking */
1125 s->d1->handshake_read_seq = 0;
1126 s->d1->handshake_write_seq = 0;
1127 s->d1->next_handshake_write_seq = 0;
1128 dtls1_clear_received_buffer(s);
1132 if (s->info_callback != NULL)
1133 cb = s->info_callback;
1134 else if (s->ctx->info_callback != NULL)
1135 cb = s->ctx->info_callback;
1137 /* The callback may expect us to not be in init at handshake done */
1138 ossl_statem_set_in_init(s, 0);
1143 || SSL_IS_FIRST_HANDSHAKE(s))
1144 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1148 /* If we've got more work to do we go back into init */
1149 ossl_statem_set_in_init(s, 1);
1150 return WORK_FINISHED_CONTINUE;
1153 return WORK_FINISHED_STOP;
1156 int tls_get_message_header(SSL *s, int *mt)
1158 /* s->init_num < SSL3_HM_HEADER_LENGTH */
1159 int skip_message, i, recvd_type;
1161 size_t l, readbytes;
1163 p = (unsigned char *)s->init_buf->data;
1166 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1167 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1169 SSL3_HM_HEADER_LENGTH - s->init_num,
1172 s->rwstate = SSL_READING;
1175 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1177 * A ChangeCipherSpec must be a single byte and may not occur
1178 * in the middle of a handshake message.
1180 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1181 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1182 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1185 if (s->statem.hand_state == TLS_ST_BEFORE
1186 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1188 * We are stateless and we received a CCS. Probably this is
1189 * from a client between the first and second ClientHellos.
1190 * We should ignore this, but return an error because we do
1191 * not return success until we see the second ClientHello
1192 * with a valid cookie.
1196 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1197 s->init_num = readbytes - 1;
1198 s->init_msg = s->init_buf->data;
1199 s->s3.tmp.message_size = readbytes;
1201 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1202 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1203 SSL_R_CCS_RECEIVED_EARLY);
1206 s->init_num += readbytes;
1211 if (s->statem.hand_state != TLS_ST_OK
1212 && p[0] == SSL3_MT_HELLO_REQUEST)
1214 * The server may always send 'Hello Request' messages --
1215 * we are doing a handshake anyway now, so ignore them if
1216 * their format is correct. Does not count for 'Finished'
1219 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1223 if (s->msg_callback)
1224 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1225 p, SSL3_HM_HEADER_LENGTH, s,
1226 s->msg_callback_arg);
1228 } while (skip_message);
1229 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1232 s->s3.tmp.message_type = *(p++);
1234 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1236 * Only happens with SSLv3+ in an SSLv2 backward compatible
1239 * Total message size is the remaining record bytes to read
1240 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1242 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1243 + SSL3_HM_HEADER_LENGTH;
1244 s->s3.tmp.message_size = l;
1246 s->init_msg = s->init_buf->data;
1247 s->init_num = SSL3_HM_HEADER_LENGTH;
1250 /* BUF_MEM_grow takes an 'int' parameter */
1251 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1252 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1253 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1256 s->s3.tmp.message_size = l;
1258 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1265 int tls_get_message_body(SSL *s, size_t *len)
1267 size_t n, readbytes;
1271 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1272 /* We've already read everything in */
1273 *len = (unsigned long)s->init_num;
1278 n = s->s3.tmp.message_size - s->init_num;
1280 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1281 &p[s->init_num], n, 0, &readbytes);
1283 s->rwstate = SSL_READING;
1287 s->init_num += readbytes;
1292 * If receiving Finished, record MAC of prior handshake messages for
1293 * Finished verification.
1295 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1296 /* SSLfatal() already called */
1301 /* Feed this message into MAC computation. */
1302 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1303 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1305 /* SSLfatal() already called */
1309 if (s->msg_callback)
1310 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1311 (size_t)s->init_num, s, s->msg_callback_arg);
1314 * We defer feeding in the HRR until later. We'll do it as part of
1315 * processing the message
1316 * The TLsv1.3 handshake transcript stops at the ClientFinished
1319 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1320 /* KeyUpdate and NewSessionTicket do not need to be added */
1321 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1322 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1323 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1324 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1325 || memcmp(hrrrandom,
1326 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1327 SSL3_RANDOM_SIZE) != 0) {
1328 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1329 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1330 /* SSLfatal() already called */
1336 if (s->msg_callback)
1337 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1338 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1339 s->msg_callback_arg);
1346 static const X509ERR2ALERT x509table[] = {
1347 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1348 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1349 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
1350 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1351 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1352 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1353 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1354 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1355 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1356 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1357 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1358 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1359 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1360 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1361 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1362 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1363 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1364 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1365 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1366 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1367 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1368 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1369 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1370 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1371 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1372 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1373 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1374 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1375 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1376 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1377 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1378 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1379 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1380 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1381 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1382 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1383 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1384 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1385 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1386 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1388 /* Last entry; return this if we don't find the value above. */
1389 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1392 int ssl_x509err2alert(int x509err)
1394 const X509ERR2ALERT *tp;
1396 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1397 if (tp->x509err == x509err)
1402 int ssl_allow_compression(SSL *s)
1404 if (s->options & SSL_OP_NO_COMPRESSION)
1406 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1409 static int version_cmp(const SSL *s, int a, int b)
1411 int dtls = SSL_IS_DTLS(s);
1416 return a < b ? -1 : 1;
1417 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1422 const SSL_METHOD *(*cmeth) (void);
1423 const SSL_METHOD *(*smeth) (void);
1426 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1427 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1430 /* Must be in order high to low */
1431 static const version_info tls_version_table[] = {
1432 #ifndef OPENSSL_NO_TLS1_3
1433 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1435 {TLS1_3_VERSION, NULL, NULL},
1437 #ifndef OPENSSL_NO_TLS1_2
1438 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1440 {TLS1_2_VERSION, NULL, NULL},
1442 #ifndef OPENSSL_NO_TLS1_1
1443 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1445 {TLS1_1_VERSION, NULL, NULL},
1447 #ifndef OPENSSL_NO_TLS1
1448 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1450 {TLS1_VERSION, NULL, NULL},
1452 #ifndef OPENSSL_NO_SSL3
1453 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1455 {SSL3_VERSION, NULL, NULL},
1460 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1461 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1464 /* Must be in order high to low */
1465 static const version_info dtls_version_table[] = {
1466 #ifndef OPENSSL_NO_DTLS1_2
1467 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1469 {DTLS1_2_VERSION, NULL, NULL},
1471 #ifndef OPENSSL_NO_DTLS1
1472 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1473 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1475 {DTLS1_VERSION, NULL, NULL},
1476 {DTLS1_BAD_VER, NULL, NULL},
1482 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1484 * @s: The SSL handle for the candidate method
1485 * @method: the intended method.
1487 * Returns 0 on success, or an SSL error reason on failure.
1489 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1491 int version = method->version;
1493 if ((s->min_proto_version != 0 &&
1494 version_cmp(s, version, s->min_proto_version) < 0) ||
1495 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1496 return SSL_R_VERSION_TOO_LOW;
1498 if (s->max_proto_version != 0 &&
1499 version_cmp(s, version, s->max_proto_version) > 0)
1500 return SSL_R_VERSION_TOO_HIGH;
1502 if ((s->options & method->mask) != 0)
1503 return SSL_R_UNSUPPORTED_PROTOCOL;
1504 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1505 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1511 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1512 * certificate type, or has PSK or a certificate callback configured, or has
1513 * a servername callback configure. Otherwise returns 0.
1515 static int is_tls13_capable(const SSL *s)
1520 if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
1524 * A servername callback can change the available certs, so if a servername
1525 * cb is set then we just assume TLSv1.3 will be ok
1527 if (s->ctx->ext.servername_cb != NULL
1528 || s->session_ctx->ext.servername_cb != NULL)
1531 #ifndef OPENSSL_NO_PSK
1532 if (s->psk_server_callback != NULL)
1536 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1539 for (i = 0; i < SSL_PKEY_NUM; i++) {
1540 /* Skip over certs disallowed for TLSv1.3 */
1542 case SSL_PKEY_DSA_SIGN:
1543 case SSL_PKEY_GOST01:
1544 case SSL_PKEY_GOST12_256:
1545 case SSL_PKEY_GOST12_512:
1550 if (!ssl_has_cert(s, i))
1552 if (i != SSL_PKEY_ECC)
1555 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1556 * more restrictive so check that our sig algs are consistent with this
1557 * EC cert. See section 4.2.3 of RFC8446.
1559 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1560 if (tls_check_sigalg_curve(s, curve))
1568 * ssl_version_supported - Check that the specified `version` is supported by
1571 * @s: The SSL handle for the candidate method
1572 * @version: Protocol version to test against
1574 * Returns 1 when supported, otherwise 0
1576 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1578 const version_info *vent;
1579 const version_info *table;
1581 switch (s->method->version) {
1583 /* Version should match method version for non-ANY method */
1584 return version_cmp(s, version, s->version) == 0;
1585 case TLS_ANY_VERSION:
1586 table = tls_version_table;
1588 case DTLS_ANY_VERSION:
1589 table = dtls_version_table;
1594 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1596 if (vent->cmeth != NULL
1597 && version_cmp(s, version, vent->version) == 0
1598 && ssl_method_error(s, vent->cmeth()) == 0
1600 || version != TLS1_3_VERSION
1601 || is_tls13_capable(s))) {
1603 *meth = vent->cmeth();
1611 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1612 * fallback indication from a client check whether we're using the highest
1613 * supported protocol version.
1615 * @s server SSL handle.
1617 * Returns 1 when using the highest enabled version, 0 otherwise.
1619 int ssl_check_version_downgrade(SSL *s)
1621 const version_info *vent;
1622 const version_info *table;
1625 * Check that the current protocol is the highest enabled version
1626 * (according to s->ctx->method, as version negotiation may have changed
1629 if (s->version == s->ctx->method->version)
1633 * Apparently we're using a version-flexible SSL_METHOD (not at its
1634 * highest protocol version).
1636 if (s->ctx->method->version == TLS_method()->version)
1637 table = tls_version_table;
1638 else if (s->ctx->method->version == DTLS_method()->version)
1639 table = dtls_version_table;
1641 /* Unexpected state; fail closed. */
1645 for (vent = table; vent->version != 0; ++vent) {
1646 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1647 return s->version == vent->version;
1653 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1654 * protocols, provided the initial (D)TLS method is version-flexible. This
1655 * function sanity-checks the proposed value and makes sure the method is
1656 * version-flexible, then sets the limit if all is well.
1658 * @method_version: The version of the current SSL_METHOD.
1659 * @version: the intended limit.
1660 * @bound: pointer to limit to be updated.
1662 * Returns 1 on success, 0 on failure.
1664 int ssl_set_version_bound(int method_version, int version, int *bound)
1674 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1676 DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1677 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1679 if (!valid_tls && !valid_dtls)
1683 * Restrict TLS methods to TLS protocol versions.
1684 * Restrict DTLS methods to DTLS protocol versions.
1685 * Note, DTLS version numbers are decreasing, use comparison macros.
1687 * Note that for both lower-bounds we use explicit versions, not
1688 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1689 * configurations. If the MIN (supported) version ever rises, the user's
1690 * "floor" remains valid even if no longer available. We don't expect the
1691 * MAX ceiling to ever get lower, so making that variable makes sense.
1693 * We ignore attempts to set bounds on version-inflexible methods,
1694 * returning success.
1696 switch (method_version) {
1700 case TLS_ANY_VERSION:
1705 case DTLS_ANY_VERSION:
1713 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1715 if (vers == TLS1_2_VERSION
1716 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1717 *dgrd = DOWNGRADE_TO_1_2;
1718 } else if (!SSL_IS_DTLS(s)
1719 && vers < TLS1_2_VERSION
1721 * We need to ensure that a server that disables TLSv1.2
1722 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1723 * complete handshakes with clients that support TLSv1.2 and
1724 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1725 * enabled and TLSv1.2 is not.
1727 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1728 *dgrd = DOWNGRADE_TO_1_1;
1730 *dgrd = DOWNGRADE_NONE;
1735 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1736 * client HELLO is received to select the final server protocol version and
1737 * the version specific method.
1739 * @s: server SSL handle.
1741 * Returns 0 on success or an SSL error reason number on failure.
1743 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1746 * With version-flexible methods we have an initial state with:
1748 * s->method->version == (D)TLS_ANY_VERSION,
1749 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
1751 * So we detect version-flexible methods via the method version, not the
1754 int server_version = s->method->version;
1755 int client_version = hello->legacy_version;
1756 const version_info *vent;
1757 const version_info *table;
1759 RAW_EXTENSION *suppversions;
1761 s->client_version = client_version;
1763 switch (server_version) {
1765 if (!SSL_IS_TLS13(s)) {
1766 if (version_cmp(s, client_version, s->version) < 0)
1767 return SSL_R_WRONG_SSL_VERSION;
1768 *dgrd = DOWNGRADE_NONE;
1770 * If this SSL handle is not from a version flexible method we don't
1771 * (and never did) check min/max FIPS or Suite B constraints. Hope
1772 * that's OK. It is up to the caller to not choose fixed protocol
1773 * versions they don't want. If not, then easy to fix, just return
1774 * ssl_method_error(s, s->method)
1779 * Fall through if we are TLSv1.3 already (this means we must be after
1780 * a HelloRetryRequest
1783 case TLS_ANY_VERSION:
1784 table = tls_version_table;
1786 case DTLS_ANY_VERSION:
1787 table = dtls_version_table;
1791 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1793 /* If we did an HRR then supported versions is mandatory */
1794 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1795 return SSL_R_UNSUPPORTED_PROTOCOL;
1797 if (suppversions->present && !SSL_IS_DTLS(s)) {
1798 unsigned int candidate_vers = 0;
1799 unsigned int best_vers = 0;
1800 const SSL_METHOD *best_method = NULL;
1801 PACKET versionslist;
1803 suppversions->parsed = 1;
1805 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1806 /* Trailing or invalid data? */
1807 return SSL_R_LENGTH_MISMATCH;
1811 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1812 * The spec only requires servers to check that it isn't SSLv3:
1813 * "Any endpoint receiving a Hello message with
1814 * ClientHello.legacy_version or ServerHello.legacy_version set to
1815 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1816 * We are slightly stricter and require that it isn't SSLv3 or lower.
1817 * We tolerate TLSv1 and TLSv1.1.
1819 if (client_version <= SSL3_VERSION)
1820 return SSL_R_BAD_LEGACY_VERSION;
1822 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1823 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1825 if (ssl_version_supported(s, candidate_vers, &best_method))
1826 best_vers = candidate_vers;
1828 if (PACKET_remaining(&versionslist) != 0) {
1829 /* Trailing data? */
1830 return SSL_R_LENGTH_MISMATCH;
1833 if (best_vers > 0) {
1834 if (s->hello_retry_request != SSL_HRR_NONE) {
1836 * This is after a HelloRetryRequest so we better check that we
1837 * negotiated TLSv1.3
1839 if (best_vers != TLS1_3_VERSION)
1840 return SSL_R_UNSUPPORTED_PROTOCOL;
1843 check_for_downgrade(s, best_vers, dgrd);
1844 s->version = best_vers;
1845 s->method = best_method;
1848 return SSL_R_UNSUPPORTED_PROTOCOL;
1852 * If the supported versions extension isn't present, then the highest
1853 * version we can negotiate is TLSv1.2
1855 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1856 client_version = TLS1_2_VERSION;
1859 * No supported versions extension, so we just use the version supplied in
1862 for (vent = table; vent->version != 0; ++vent) {
1863 const SSL_METHOD *method;
1865 if (vent->smeth == NULL ||
1866 version_cmp(s, client_version, vent->version) < 0)
1868 method = vent->smeth();
1869 if (ssl_method_error(s, method) == 0) {
1870 check_for_downgrade(s, vent->version, dgrd);
1871 s->version = vent->version;
1877 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1881 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1882 * server HELLO is received to select the final client protocol version and
1883 * the version specific method.
1885 * @s: client SSL handle.
1886 * @version: The proposed version from the server's HELLO.
1887 * @extensions: The extensions received
1889 * Returns 1 on success or 0 on error.
1891 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1893 const version_info *vent;
1894 const version_info *table;
1895 int ret, ver_min, ver_max, real_max, origv;
1898 s->version = version;
1900 /* This will overwrite s->version if the extension is present */
1901 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1902 SSL_EXT_TLS1_2_SERVER_HELLO
1903 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1909 if (s->hello_retry_request != SSL_HRR_NONE
1910 && s->version != TLS1_3_VERSION) {
1912 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1916 switch (s->method->version) {
1918 if (s->version != s->method->version) {
1920 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1924 * If this SSL handle is not from a version flexible method we don't
1925 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1926 * that's OK. It is up to the caller to not choose fixed protocol
1927 * versions they don't want. If not, then easy to fix, just return
1928 * ssl_method_error(s, s->method)
1931 case TLS_ANY_VERSION:
1932 table = tls_version_table;
1934 case DTLS_ANY_VERSION:
1935 table = dtls_version_table;
1939 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1942 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
1945 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1946 : s->version < ver_min) {
1948 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1950 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1951 : s->version > ver_max) {
1953 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1957 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1960 /* Check for downgrades */
1961 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1962 if (memcmp(tls12downgrade,
1963 s->s3.server_random + SSL3_RANDOM_SIZE
1964 - sizeof(tls12downgrade),
1965 sizeof(tls12downgrade)) == 0) {
1967 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1968 SSL_R_INAPPROPRIATE_FALLBACK);
1971 } else if (!SSL_IS_DTLS(s)
1972 && s->version < TLS1_2_VERSION
1973 && real_max > s->version) {
1974 if (memcmp(tls11downgrade,
1975 s->s3.server_random + SSL3_RANDOM_SIZE
1976 - sizeof(tls11downgrade),
1977 sizeof(tls11downgrade)) == 0) {
1979 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1980 SSL_R_INAPPROPRIATE_FALLBACK);
1985 for (vent = table; vent->version != 0; ++vent) {
1986 if (vent->cmeth == NULL || s->version != vent->version)
1989 s->method = vent->cmeth();
1994 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1999 * ssl_get_min_max_version - get minimum and maximum protocol version
2000 * @s: The SSL connection
2001 * @min_version: The minimum supported version
2002 * @max_version: The maximum supported version
2003 * @real_max: The highest version below the lowest compile time version hole
2004 * where that hole lies above at least one run-time enabled
2007 * Work out what version we should be using for the initial ClientHello if the
2008 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2009 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2010 * constraints and any floor imposed by the security level here,
2011 * so we don't advertise the wrong protocol version to only reject the outcome later.
2013 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2014 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2015 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2017 * Returns 0 on success or an SSL error reason number on failure. On failure
2018 * min_version and max_version will also be set to 0.
2020 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2023 int version, tmp_real_max;
2025 const SSL_METHOD *single = NULL;
2026 const SSL_METHOD *method;
2027 const version_info *table;
2028 const version_info *vent;
2030 switch (s->method->version) {
2033 * If this SSL handle is not from a version flexible method we don't
2034 * (and never did) check min/max FIPS or Suite B constraints. Hope
2035 * that's OK. It is up to the caller to not choose fixed protocol
2036 * versions they don't want. If not, then easy to fix, just return
2037 * ssl_method_error(s, s->method)
2039 *min_version = *max_version = s->version;
2041 * Providing a real_max only makes sense where we're using a version
2044 if (!ossl_assert(real_max == NULL))
2045 return ERR_R_INTERNAL_ERROR;
2047 case TLS_ANY_VERSION:
2048 table = tls_version_table;
2050 case DTLS_ANY_VERSION:
2051 table = dtls_version_table;
2056 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2057 * below X enabled. This is required in order to maintain the "version
2058 * capability" vector contiguous. Any versions with a NULL client method
2059 * (protocol version client is disabled at compile-time) is also a "hole".
2061 * Our initial state is hole == 1, version == 0. That is, versions above
2062 * the first version in the method table are disabled (a "hole" above
2063 * the valid protocol entries) and we don't have a selected version yet.
2065 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2066 * the selected version, and the method becomes a candidate "single"
2067 * method. We're no longer in a hole, so "hole" becomes 0.
2069 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2070 * as we support a contiguous range of at least two methods. If we hit
2071 * a disabled method, then hole becomes true again, but nothing else
2072 * changes yet, because all the remaining methods may be disabled too.
2073 * If we again hit an enabled method after the new hole, it becomes
2074 * selected, as we start from scratch.
2076 *min_version = version = 0;
2078 if (real_max != NULL)
2081 for (vent = table; vent->version != 0; ++vent) {
2083 * A table entry with a NULL client method is still a hole in the
2084 * "version capability" vector.
2086 if (vent->cmeth == NULL) {
2091 method = vent->cmeth();
2093 if (hole == 1 && tmp_real_max == 0)
2094 tmp_real_max = vent->version;
2096 if (ssl_method_error(s, method) != 0) {
2100 *min_version = method->version;
2102 if (real_max != NULL && tmp_real_max != 0)
2103 *real_max = tmp_real_max;
2104 version = (single = method)->version;
2105 *min_version = version;
2110 *max_version = version;
2112 /* Fail if everything is disabled */
2114 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2120 * ssl_set_client_hello_version - Work out what version we should be using for
2121 * the initial ClientHello.legacy_version field.
2123 * @s: client SSL handle.
2125 * Returns 0 on success or an SSL error reason number on failure.
2127 int ssl_set_client_hello_version(SSL *s)
2129 int ver_min, ver_max, ret;
2132 * In a renegotiation we always send the same client_version that we sent
2133 * last time, regardless of which version we eventually negotiated.
2135 if (!SSL_IS_FIRST_HANDSHAKE(s))
2138 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2143 s->version = ver_max;
2145 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2146 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2147 ver_max = TLS1_2_VERSION;
2149 s->client_version = ver_max;
2154 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2155 * and |checkallow| is 1 then additionally check if the group is allowed to be
2156 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2157 * 1) or 0 otherwise.
2159 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2160 size_t num_groups, int checkallow)
2164 if (groups == NULL || num_groups == 0)
2167 for (i = 0; i < num_groups; i++) {
2168 uint16_t group = groups[i];
2170 if (group_id == group
2172 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2180 /* Replace ClientHello1 in the transcript hash with a synthetic message */
2181 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2182 size_t hashlen, const unsigned char *hrr,
2185 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2186 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2188 memset(msghdr, 0, sizeof(msghdr));
2190 if (hashval == NULL) {
2191 hashval = hashvaltmp;
2193 /* Get the hash of the initial ClientHello */
2194 if (!ssl3_digest_cached_records(s, 0)
2195 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2197 /* SSLfatal() already called */
2202 /* Reinitialise the transcript hash */
2203 if (!ssl3_init_finished_mac(s)) {
2204 /* SSLfatal() already called */
2208 /* Inject the synthetic message_hash message */
2209 msghdr[0] = SSL3_MT_MESSAGE_HASH;
2210 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2211 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2212 || !ssl3_finish_mac(s, hashval, hashlen)) {
2213 /* SSLfatal() already called */
2218 * Now re-inject the HRR and current message if appropriate (we just deleted
2219 * it when we reinitialised the transcript hash above). Only necessary after
2220 * receiving a ClientHello2 with a cookie.
2223 && (!ssl3_finish_mac(s, hrr, hrrlen)
2224 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2225 s->s3.tmp.message_size
2226 + SSL3_HM_HEADER_LENGTH))) {
2227 /* SSLfatal() already called */
2234 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2236 return X509_NAME_cmp(*a, *b);
2239 int parse_ca_names(SSL *s, PACKET *pkt)
2241 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2242 X509_NAME *xn = NULL;
2245 if (ca_sk == NULL) {
2246 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2249 /* get the CA RDNs */
2250 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2251 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2255 while (PACKET_remaining(&cadns)) {
2256 const unsigned char *namestart, *namebytes;
2257 unsigned int name_len;
2259 if (!PACKET_get_net_2(&cadns, &name_len)
2260 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2261 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2265 namestart = namebytes;
2266 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2267 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
2270 if (namebytes != (namestart + name_len)) {
2271 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
2275 if (!sk_X509_NAME_push(ca_sk, xn)) {
2276 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2282 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2283 s->s3.tmp.peer_ca_names = ca_sk;
2288 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2293 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2295 const STACK_OF(X509_NAME) *ca_sk = NULL;;
2298 ca_sk = SSL_get_client_CA_list(s);
2299 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2304 ca_sk = SSL_get0_CA_list(s);
2309 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2311 /* Start sub-packet for client CA list */
2312 if (!WPACKET_start_sub_packet_u16(pkt)) {
2313 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2317 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
2320 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2321 unsigned char *namebytes;
2322 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2326 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2327 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2329 || i2d_X509_NAME(name, &namebytes) != namelen) {
2330 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2336 if (!WPACKET_close(pkt)) {
2337 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2344 /* Create a buffer containing data to be signed for server key exchange */
2345 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2346 const void *param, size_t paramlen)
2348 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2349 unsigned char *tbs = OPENSSL_malloc(tbslen);
2352 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2355 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2356 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2358 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2365 * Saves the current handshake digest for Post-Handshake Auth,
2366 * Done after ClientFinished is processed, done exactly once
2368 int tls13_save_handshake_digest_for_pha(SSL *s)
2370 if (s->pha_dgst == NULL) {
2371 if (!ssl3_digest_cached_records(s, 1))
2372 /* SSLfatal() already called */
2375 s->pha_dgst = EVP_MD_CTX_new();
2376 if (s->pha_dgst == NULL) {
2377 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2380 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2381 s->s3.handshake_dgst)) {
2382 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2390 * Restores the Post-Handshake Auth handshake digest
2391 * Done just before sending/processing the Cert Request
2393 int tls13_restore_handshake_digest_for_pha(SSL *s)
2395 if (s->pha_dgst == NULL) {
2396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2399 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);