2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
14 #include "../ssl_locl.h"
15 #include "statem_locl.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/objects.h>
19 #include <openssl/evp.h>
20 #include <openssl/x509.h>
21 #include <openssl/trace.h>
24 * Map error codes to TLS/SSL alart types.
26 typedef struct x509err2alert_st {
31 /* Fixed value used in the ServerHello random field to identify an HRR */
32 const unsigned char hrrrandom[] = {
33 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
34 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
35 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
39 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
40 * SSL3_RT_CHANGE_CIPHER_SPEC)
42 int ssl3_do_write(SSL *s, int type)
47 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
48 s->init_num, &written);
51 if (type == SSL3_RT_HANDSHAKE)
53 * should not be done for 'Hello Request's, but in that case we'll
54 * ignore the result anyway
55 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
57 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
58 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
59 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
60 if (!ssl3_finish_mac(s,
61 (unsigned char *)&s->init_buf->data[s->init_off],
64 if (written == s->init_num) {
66 s->msg_callback(1, s->version, type, s->init_buf->data,
67 (size_t)(s->init_off + s->init_num), s,
71 s->init_off += written;
72 s->init_num -= written;
76 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
80 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
81 || !WPACKET_get_length(pkt, &msglen)
84 s->init_num = (int)msglen;
90 int tls_setup_handshake(SSL *s)
92 if (!ssl3_init_finished_mac(s)) {
93 /* SSLfatal() already called */
97 /* Reset any extension flags */
98 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
101 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
102 int i, ver_min, ver_max, ok = 0;
105 * Sanity check that the maximum version we accept has ciphers
106 * enabled. For clients we do this check during construction of the
109 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
110 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
111 ERR_R_INTERNAL_ERROR);
114 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
115 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
117 if (SSL_IS_DTLS(s)) {
118 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
119 DTLS_VERSION_LE(ver_max, c->max_dtls))
121 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
128 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
129 SSL_R_NO_CIPHERS_AVAILABLE);
130 ERR_add_error_data(1, "No ciphers enabled for max supported "
134 if (SSL_IS_FIRST_HANDSHAKE(s)) {
135 /* N.B. s->session_ctx == s->ctx here */
136 tsan_counter(&s->session_ctx->stats.sess_accept);
138 /* N.B. s->ctx may not equal s->session_ctx */
139 tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
141 s->s3.tmp.cert_request = 0;
144 if (SSL_IS_FIRST_HANDSHAKE(s))
145 tsan_counter(&s->session_ctx->stats.sess_connect);
147 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
149 /* mark client_random uninitialized */
150 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
153 s->s3.tmp.cert_req = 0;
156 s->statem.use_timer = 1;
163 * Size of the to-be-signed TLS13 data, without the hash size itself:
164 * 64 bytes of value 32, 33 context bytes, 1 byte separator
166 #define TLS13_TBS_START_SIZE 64
167 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
169 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
170 void **hdata, size_t *hdatalen)
172 #ifdef CHARSET_EBCDIC
173 static const char *servercontext = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
174 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
175 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
176 0x69, 0x66, 0x79, 0x00 };
177 static const char *clientcontext = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
178 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
179 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
180 0x69, 0x66, 0x79, 0x00 };
182 static const char *servercontext = "TLS 1.3, server CertificateVerify";
183 static const char *clientcontext = "TLS 1.3, client CertificateVerify";
185 if (SSL_IS_TLS13(s)) {
188 /* Set the first 64 bytes of to-be-signed data to octet 32 */
189 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
190 /* This copies the 33 bytes of context plus the 0 separator byte */
191 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
192 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
193 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
195 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
198 * If we're currently reading then we need to use the saved handshake
199 * hash value. We can't use the current handshake hash state because
200 * that includes the CertVerify itself.
202 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
203 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
204 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
205 s->cert_verify_hash_len);
206 hashlen = s->cert_verify_hash_len;
207 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
208 EVP_MAX_MD_SIZE, &hashlen)) {
209 /* SSLfatal() already called */
214 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
219 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
221 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
222 ERR_R_INTERNAL_ERROR);
231 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
233 EVP_PKEY *pkey = NULL;
234 const EVP_MD *md = NULL;
235 EVP_MD_CTX *mctx = NULL;
236 EVP_PKEY_CTX *pctx = NULL;
237 size_t hdatalen = 0, siglen = 0;
239 unsigned char *sig = NULL;
240 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
241 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
243 if (lu == NULL || s->s3.tmp.cert == NULL) {
244 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
245 ERR_R_INTERNAL_ERROR);
248 pkey = s->s3.tmp.cert->privatekey;
250 if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
251 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
252 ERR_R_INTERNAL_ERROR);
256 mctx = EVP_MD_CTX_new();
258 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
259 ERR_R_MALLOC_FAILURE);
263 /* Get the data to be signed */
264 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
265 /* SSLfatal() already called */
269 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
271 ERR_R_INTERNAL_ERROR);
274 siglen = EVP_PKEY_size(pkey);
275 sig = OPENSSL_malloc(siglen);
277 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
278 ERR_R_MALLOC_FAILURE);
282 if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) {
283 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
288 if (lu->sig == EVP_PKEY_RSA_PSS) {
289 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
290 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
291 RSA_PSS_SALTLEN_DIGEST) <= 0) {
292 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
297 if (s->version == SSL3_VERSION) {
298 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
300 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
301 * with a call to ssl3_digest_master_key_set_params()
303 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
304 (int)s->session->master_key_length,
305 s->session->master_key) <= 0
306 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
308 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
312 } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
313 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
318 #ifndef OPENSSL_NO_GOST
320 int pktype = lu->sig;
322 if (pktype == NID_id_GostR3410_2001
323 || pktype == NID_id_GostR3410_2012_256
324 || pktype == NID_id_GostR3410_2012_512)
325 BUF_reverse(sig, NULL, siglen);
329 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
330 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
331 ERR_R_INTERNAL_ERROR);
335 /* Digest cached records and discard handshake buffer */
336 if (!ssl3_digest_cached_records(s, 0)) {
337 /* SSLfatal() already called */
342 EVP_MD_CTX_free(mctx);
346 EVP_MD_CTX_free(mctx);
350 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
352 EVP_PKEY *pkey = NULL;
353 const unsigned char *data;
354 #ifndef OPENSSL_NO_GOST
355 unsigned char *gost_data = NULL;
357 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
361 const EVP_MD *md = NULL;
364 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
365 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
366 EVP_PKEY_CTX *pctx = NULL;
369 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
370 ERR_R_MALLOC_FAILURE);
374 peer = s->session->peer;
375 pkey = X509_get0_pubkey(peer);
377 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
378 ERR_R_INTERNAL_ERROR);
382 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
383 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
384 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
388 if (SSL_USE_SIGALGS(s)) {
391 if (!PACKET_get_net_2(pkt, &sigalg)) {
392 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
396 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
397 /* SSLfatal() already called */
400 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
402 ERR_R_INTERNAL_ERROR);
406 if (!tls1_lookup_md(s->s3.tmp.peer_sigalg, &md)) {
407 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
408 ERR_R_INTERNAL_ERROR);
412 if (SSL_USE_SIGALGS(s))
413 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
414 md == NULL ? "n/a" : EVP_MD_name(md));
416 /* Check for broken implementations of GOST ciphersuites */
418 * If key is GOST and len is exactly 64 or 128, it is signature without
419 * length field (CryptoPro implementations at least till TLS 1.2)
421 #ifndef OPENSSL_NO_GOST
422 if (!SSL_USE_SIGALGS(s)
423 && ((PACKET_remaining(pkt) == 64
424 && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
425 || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
426 || (PACKET_remaining(pkt) == 128
427 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
428 len = PACKET_remaining(pkt);
431 if (!PACKET_get_net_2(pkt, &len)) {
432 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
433 SSL_R_LENGTH_MISMATCH);
437 j = EVP_PKEY_size(pkey);
438 if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
439 || (PACKET_remaining(pkt) == 0)) {
440 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
441 SSL_R_WRONG_SIGNATURE_SIZE);
444 if (!PACKET_get_bytes(pkt, &data, len)) {
445 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
446 SSL_R_LENGTH_MISMATCH);
450 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
451 /* SSLfatal() already called */
455 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
456 md == NULL ? "n/a" : EVP_MD_name(md));
458 if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
459 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
463 #ifndef OPENSSL_NO_GOST
465 int pktype = EVP_PKEY_id(pkey);
466 if (pktype == NID_id_GostR3410_2001
467 || pktype == NID_id_GostR3410_2012_256
468 || pktype == NID_id_GostR3410_2012_512) {
469 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
470 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
471 SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
474 BUF_reverse(gost_data, data, len);
480 if (SSL_USE_PSS(s)) {
481 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
482 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
483 RSA_PSS_SALTLEN_DIGEST) <= 0) {
484 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
489 if (s->version == SSL3_VERSION) {
491 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
492 * with a call to ssl3_digest_master_key_set_params()
494 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
495 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
496 (int)s->session->master_key_length,
497 s->session->master_key) <= 0) {
498 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
502 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
503 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
504 SSL_R_BAD_SIGNATURE);
508 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
510 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
511 SSL_R_BAD_SIGNATURE);
517 * In TLSv1.3 on the client side we make sure we prepare the client
518 * certificate after the CertVerify instead of when we get the
519 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
520 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
521 * want to make sure that SSL_get_peer_certificate() will return the actual
522 * server certificate from the client_cert_cb callback.
524 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
525 ret = MSG_PROCESS_CONTINUE_PROCESSING;
527 ret = MSG_PROCESS_CONTINUE_READING;
529 BIO_free(s->s3.handshake_buffer);
530 s->s3.handshake_buffer = NULL;
531 EVP_MD_CTX_free(mctx);
532 #ifndef OPENSSL_NO_GOST
533 OPENSSL_free(gost_data);
538 int tls_construct_finished(SSL *s, WPACKET *pkt)
540 size_t finish_md_len;
544 /* This is a real handshake so make sure we clean it up at the end */
545 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
546 s->statem.cleanuphand = 1;
549 * We only change the keys if we didn't already do this when we sent the
554 && s->s3.tmp.cert_req == 0
555 && (!s->method->ssl3_enc->change_cipher_state(s,
556 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
557 /* SSLfatal() already called */
562 sender = s->method->ssl3_enc->server_finished_label;
563 slen = s->method->ssl3_enc->server_finished_label_len;
565 sender = s->method->ssl3_enc->client_finished_label;
566 slen = s->method->ssl3_enc->client_finished_label_len;
569 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
571 s->s3.tmp.finish_md);
572 if (finish_md_len == 0) {
573 /* SSLfatal() already called */
577 s->s3.tmp.finish_md_len = finish_md_len;
579 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
580 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
581 ERR_R_INTERNAL_ERROR);
586 * Log the master secret, if logging is enabled. We don't log it for
587 * TLSv1.3: there's a different key schedule for that.
589 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
590 s->session->master_key,
591 s->session->master_key_length)) {
592 /* SSLfatal() already called */
597 * Copy the finished so we can use it for renegotiation checks
599 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
600 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
601 ERR_R_INTERNAL_ERROR);
605 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
607 s->s3.previous_client_finished_len = finish_md_len;
609 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
611 s->s3.previous_server_finished_len = finish_md_len;
617 int tls_construct_key_update(SSL *s, WPACKET *pkt)
619 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
620 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
621 ERR_R_INTERNAL_ERROR);
625 s->key_update = SSL_KEY_UPDATE_NONE;
629 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
631 unsigned int updatetype;
634 * A KeyUpdate message signals a key change so the end of the message must
635 * be on a record boundary.
637 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
638 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
639 SSL_R_NOT_ON_RECORD_BOUNDARY);
640 return MSG_PROCESS_ERROR;
643 if (!PACKET_get_1(pkt, &updatetype)
644 || PACKET_remaining(pkt) != 0) {
645 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
646 SSL_R_BAD_KEY_UPDATE);
647 return MSG_PROCESS_ERROR;
651 * There are only two defined key update types. Fail if we get a value we
654 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
655 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
656 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
657 SSL_R_BAD_KEY_UPDATE);
658 return MSG_PROCESS_ERROR;
662 * If we get a request for us to update our sending keys too then, we need
663 * to additionally send a KeyUpdate message. However that message should
664 * not also request an update (otherwise we get into an infinite loop).
666 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
667 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
669 if (!tls13_update_key(s, 0)) {
670 /* SSLfatal() already called */
671 return MSG_PROCESS_ERROR;
674 return MSG_PROCESS_FINISHED_READING;
678 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
681 int ssl3_take_mac(SSL *s)
687 sender = s->method->ssl3_enc->server_finished_label;
688 slen = s->method->ssl3_enc->server_finished_label_len;
690 sender = s->method->ssl3_enc->client_finished_label;
691 slen = s->method->ssl3_enc->client_finished_label_len;
694 s->s3.tmp.peer_finish_md_len =
695 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
696 s->s3.tmp.peer_finish_md);
698 if (s->s3.tmp.peer_finish_md_len == 0) {
699 /* SSLfatal() already called */
706 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
710 remain = PACKET_remaining(pkt);
712 * 'Change Cipher Spec' is just a single byte, which should already have
713 * been consumed by ssl_get_message() so there should be no bytes left,
714 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
716 if (SSL_IS_DTLS(s)) {
717 if ((s->version == DTLS1_BAD_VER
718 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
719 || (s->version != DTLS1_BAD_VER
720 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
721 SSLfatal(s, SSL_AD_DECODE_ERROR,
722 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
723 SSL_R_BAD_CHANGE_CIPHER_SPEC);
724 return MSG_PROCESS_ERROR;
728 SSLfatal(s, SSL_AD_DECODE_ERROR,
729 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
730 SSL_R_BAD_CHANGE_CIPHER_SPEC);
731 return MSG_PROCESS_ERROR;
735 /* Check we have a cipher to change to */
736 if (s->s3.tmp.new_cipher == NULL) {
737 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
738 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
739 return MSG_PROCESS_ERROR;
742 s->s3.change_cipher_spec = 1;
743 if (!ssl3_do_change_cipher_spec(s)) {
744 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
745 ERR_R_INTERNAL_ERROR);
746 return MSG_PROCESS_ERROR;
749 if (SSL_IS_DTLS(s)) {
750 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
752 if (s->version == DTLS1_BAD_VER)
753 s->d1->handshake_read_seq++;
755 #ifndef OPENSSL_NO_SCTP
757 * Remember that a CCS has been received, so that an old key of
758 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
761 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
765 return MSG_PROCESS_CONTINUE_READING;
768 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
773 /* This is a real handshake so make sure we clean it up at the end */
776 * To get this far we must have read encrypted data from the client. We
777 * no longer tolerate unencrypted alerts. This value is ignored if less
780 s->statem.enc_read_state = ENC_READ_STATE_VALID;
781 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
782 s->statem.cleanuphand = 1;
783 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
784 /* SSLfatal() already called */
785 return MSG_PROCESS_ERROR;
790 * In TLSv1.3 a Finished message signals a key change so the end of the
791 * message must be on a record boundary.
793 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
794 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
795 SSL_R_NOT_ON_RECORD_BOUNDARY);
796 return MSG_PROCESS_ERROR;
799 /* If this occurs, we have missed a message */
800 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
801 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
802 SSL_R_GOT_A_FIN_BEFORE_A_CCS);
803 return MSG_PROCESS_ERROR;
805 s->s3.change_cipher_spec = 0;
807 md_len = s->s3.tmp.peer_finish_md_len;
809 if (md_len != PACKET_remaining(pkt)) {
810 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
811 SSL_R_BAD_DIGEST_LENGTH);
812 return MSG_PROCESS_ERROR;
815 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
817 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
818 SSL_R_DIGEST_CHECK_FAILED);
819 return MSG_PROCESS_ERROR;
823 * Copy the finished so we can use it for renegotiation checks
825 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
826 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
827 ERR_R_INTERNAL_ERROR);
828 return MSG_PROCESS_ERROR;
831 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
833 s->s3.previous_client_finished_len = md_len;
835 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
837 s->s3.previous_server_finished_len = md_len;
841 * In TLS1.3 we also have to change cipher state and do any final processing
842 * of the initial server flight (if we are a client)
844 if (SSL_IS_TLS13(s)) {
846 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
847 !s->method->ssl3_enc->change_cipher_state(s,
848 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
849 /* SSLfatal() already called */
850 return MSG_PROCESS_ERROR;
853 if (!s->method->ssl3_enc->generate_master_secret(s,
854 s->master_secret, s->handshake_secret, 0,
855 &s->session->master_key_length)) {
856 /* SSLfatal() already called */
857 return MSG_PROCESS_ERROR;
859 if (!s->method->ssl3_enc->change_cipher_state(s,
860 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
861 /* SSLfatal() already called */
862 return MSG_PROCESS_ERROR;
864 if (!tls_process_initial_server_flight(s)) {
865 /* SSLfatal() already called */
866 return MSG_PROCESS_ERROR;
871 return MSG_PROCESS_FINISHED_READING;
874 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
876 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
877 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
878 SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
885 /* Add a certificate to the WPACKET */
886 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
889 unsigned char *outbytes;
891 len = i2d_X509(x, NULL);
893 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
897 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
898 || i2d_X509(x, &outbytes) != len) {
899 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
900 ERR_R_INTERNAL_ERROR);
905 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
907 /* SSLfatal() already called */
914 /* Add certificate chain to provided WPACKET */
915 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
919 STACK_OF(X509) *extra_certs;
920 STACK_OF(X509) *chain = NULL;
921 X509_STORE *chain_store;
923 if (cpk == NULL || cpk->x509 == NULL)
929 * If we have a certificate specific chain use it, else use parent ctx.
931 if (cpk->chain != NULL)
932 extra_certs = cpk->chain;
934 extra_certs = s->ctx->extra_certs;
936 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
938 else if (s->cert->chain_store)
939 chain_store = s->cert->chain_store;
941 chain_store = s->ctx->cert_store;
943 if (chain_store != NULL) {
944 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();
946 if (xs_ctx == NULL) {
947 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
948 ERR_R_MALLOC_FAILURE);
951 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
952 X509_STORE_CTX_free(xs_ctx);
953 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
958 * It is valid for the chain not to be complete (because normally we
959 * don't include the root cert in the chain). Therefore we deliberately
960 * ignore the error return from this call. We're not actually verifying
961 * the cert - we're just building as much of the chain as we can
963 (void)X509_verify_cert(xs_ctx);
964 /* Don't leave errors in the queue */
966 chain = X509_STORE_CTX_get0_chain(xs_ctx);
967 i = ssl_security_cert_chain(s, chain, NULL, 0);
970 /* Dummy error calls so mkerr generates them */
971 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
972 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
973 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
975 X509_STORE_CTX_free(xs_ctx);
976 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
979 chain_count = sk_X509_num(chain);
980 for (i = 0; i < chain_count; i++) {
981 x = sk_X509_value(chain, i);
983 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
984 /* SSLfatal() already called */
985 X509_STORE_CTX_free(xs_ctx);
989 X509_STORE_CTX_free(xs_ctx);
991 i = ssl_security_cert_chain(s, extra_certs, x, 0);
993 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
996 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
997 /* SSLfatal() already called */
1000 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1001 x = sk_X509_value(extra_certs, i);
1002 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1003 /* SSLfatal() already called */
1011 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1013 if (!WPACKET_start_sub_packet_u24(pkt)) {
1014 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1015 ERR_R_INTERNAL_ERROR);
1019 if (!ssl_add_cert_chain(s, pkt, cpk))
1022 if (!WPACKET_close(pkt)) {
1023 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1024 ERR_R_INTERNAL_ERROR);
1032 * Tidy up after the end of a handshake. In the case of SCTP this may result
1033 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1036 WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
1038 void (*cb) (const SSL *ssl, int type, int val) = NULL;
1039 int cleanuphand = s->statem.cleanuphand;
1042 if (!SSL_IS_DTLS(s)) {
1044 * We don't do this in DTLS because we may still need the init_buf
1045 * in case there are any unexpected retransmits
1047 BUF_MEM_free(s->init_buf);
1050 if (!ssl_free_wbio_buffer(s)) {
1051 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
1052 ERR_R_INTERNAL_ERROR);
1058 if (SSL_IS_TLS13(s) && !s->server
1059 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1060 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1063 * Only set if there was a Finished message and this isn't after a TLSv1.3
1064 * post handshake exchange
1067 /* skipped if we just sent a HelloRequest */
1070 s->statem.cleanuphand = 0;
1071 s->ext.ticket_expected = 0;
1073 ssl3_cleanup_key_block(s);
1077 * In TLSv1.3 we update the cache as part of constructing the
1080 if (!SSL_IS_TLS13(s))
1081 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1083 /* N.B. s->ctx may not equal s->session_ctx */
1084 tsan_counter(&s->ctx->stats.sess_accept_good);
1085 s->handshake_func = ossl_statem_accept;
1087 if (SSL_IS_TLS13(s)) {
1089 * We encourage applications to only use TLSv1.3 tickets once,
1090 * so we remove this one from the cache.
1092 if ((s->session_ctx->session_cache_mode
1093 & SSL_SESS_CACHE_CLIENT) != 0)
1094 SSL_CTX_remove_session(s->session_ctx, s->session);
1097 * In TLSv1.3 we update the cache as part of processing the
1100 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1103 tsan_counter(&s->session_ctx->stats.sess_hit);
1105 s->handshake_func = ossl_statem_connect;
1106 tsan_counter(&s->session_ctx->stats.sess_connect_good);
1109 if (SSL_IS_DTLS(s)) {
1110 /* done with handshaking */
1111 s->d1->handshake_read_seq = 0;
1112 s->d1->handshake_write_seq = 0;
1113 s->d1->next_handshake_write_seq = 0;
1114 dtls1_clear_received_buffer(s);
1118 if (s->info_callback != NULL)
1119 cb = s->info_callback;
1120 else if (s->ctx->info_callback != NULL)
1121 cb = s->ctx->info_callback;
1123 /* The callback may expect us to not be in init at handshake done */
1124 ossl_statem_set_in_init(s, 0);
1129 || SSL_IS_FIRST_HANDSHAKE(s))
1130 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1134 /* If we've got more work to do we go back into init */
1135 ossl_statem_set_in_init(s, 1);
1136 return WORK_FINISHED_CONTINUE;
1139 return WORK_FINISHED_STOP;
1142 int tls_get_message_header(SSL *s, int *mt)
1144 /* s->init_num < SSL3_HM_HEADER_LENGTH */
1145 int skip_message, i, recvd_type;
1147 size_t l, readbytes;
1149 p = (unsigned char *)s->init_buf->data;
1152 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1153 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1155 SSL3_HM_HEADER_LENGTH - s->init_num,
1158 s->rwstate = SSL_READING;
1161 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1163 * A ChangeCipherSpec must be a single byte and may not occur
1164 * in the middle of a handshake message.
1166 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1167 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1168 SSL_F_TLS_GET_MESSAGE_HEADER,
1169 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1172 if (s->statem.hand_state == TLS_ST_BEFORE
1173 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1175 * We are stateless and we received a CCS. Probably this is
1176 * from a client between the first and second ClientHellos.
1177 * We should ignore this, but return an error because we do
1178 * not return success until we see the second ClientHello
1179 * with a valid cookie.
1183 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1184 s->init_num = readbytes - 1;
1185 s->init_msg = s->init_buf->data;
1186 s->s3.tmp.message_size = readbytes;
1188 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1189 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1190 SSL_F_TLS_GET_MESSAGE_HEADER,
1191 SSL_R_CCS_RECEIVED_EARLY);
1194 s->init_num += readbytes;
1199 if (s->statem.hand_state != TLS_ST_OK
1200 && p[0] == SSL3_MT_HELLO_REQUEST)
1202 * The server may always send 'Hello Request' messages --
1203 * we are doing a handshake anyway now, so ignore them if
1204 * their format is correct. Does not count for 'Finished'
1207 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1211 if (s->msg_callback)
1212 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1213 p, SSL3_HM_HEADER_LENGTH, s,
1214 s->msg_callback_arg);
1216 } while (skip_message);
1217 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1220 s->s3.tmp.message_type = *(p++);
1222 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1224 * Only happens with SSLv3+ in an SSLv2 backward compatible
1227 * Total message size is the remaining record bytes to read
1228 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1230 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1231 + SSL3_HM_HEADER_LENGTH;
1232 s->s3.tmp.message_size = l;
1234 s->init_msg = s->init_buf->data;
1235 s->init_num = SSL3_HM_HEADER_LENGTH;
1238 /* BUF_MEM_grow takes an 'int' parameter */
1239 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1240 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
1241 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1244 s->s3.tmp.message_size = l;
1246 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1253 int tls_get_message_body(SSL *s, size_t *len)
1255 size_t n, readbytes;
1259 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1260 /* We've already read everything in */
1261 *len = (unsigned long)s->init_num;
1266 n = s->s3.tmp.message_size - s->init_num;
1268 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1269 &p[s->init_num], n, 0, &readbytes);
1271 s->rwstate = SSL_READING;
1275 s->init_num += readbytes;
1280 * If receiving Finished, record MAC of prior handshake messages for
1281 * Finished verification.
1283 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1284 /* SSLfatal() already called */
1289 /* Feed this message into MAC computation. */
1290 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1291 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1293 /* SSLfatal() already called */
1297 if (s->msg_callback)
1298 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1299 (size_t)s->init_num, s, s->msg_callback_arg);
1302 * We defer feeding in the HRR until later. We'll do it as part of
1303 * processing the message
1304 * The TLsv1.3 handshake transcript stops at the ClientFinished
1307 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1308 /* KeyUpdate and NewSessionTicket do not need to be added */
1309 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1310 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1311 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1312 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1313 || memcmp(hrrrandom,
1314 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1315 SSL3_RANDOM_SIZE) != 0) {
1316 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1317 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1318 /* SSLfatal() already called */
1324 if (s->msg_callback)
1325 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1326 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1327 s->msg_callback_arg);
1334 static const X509ERR2ALERT x509table[] = {
1335 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1336 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1337 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1338 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1339 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1340 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1341 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1342 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1343 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1344 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1345 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1346 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1347 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1348 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1349 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1350 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1351 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1352 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1353 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1354 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1355 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1356 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1357 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1358 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1359 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1360 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1361 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1362 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1363 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1364 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1365 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1366 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1367 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1368 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1369 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1370 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1371 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1372 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1373 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1375 /* Last entry; return this if we don't find the value above. */
1376 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1379 int ssl_x509err2alert(int x509err)
1381 const X509ERR2ALERT *tp;
1383 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1384 if (tp->x509err == x509err)
1389 int ssl_allow_compression(SSL *s)
1391 if (s->options & SSL_OP_NO_COMPRESSION)
1393 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1396 static int version_cmp(const SSL *s, int a, int b)
1398 int dtls = SSL_IS_DTLS(s);
1403 return a < b ? -1 : 1;
1404 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1409 const SSL_METHOD *(*cmeth) (void);
1410 const SSL_METHOD *(*smeth) (void);
1413 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1414 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1417 /* Must be in order high to low */
1418 static const version_info tls_version_table[] = {
1419 #ifndef OPENSSL_NO_TLS1_3
1420 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1422 {TLS1_3_VERSION, NULL, NULL},
1424 #ifndef OPENSSL_NO_TLS1_2
1425 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1427 {TLS1_2_VERSION, NULL, NULL},
1429 #ifndef OPENSSL_NO_TLS1_1
1430 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1432 {TLS1_1_VERSION, NULL, NULL},
1434 #ifndef OPENSSL_NO_TLS1
1435 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1437 {TLS1_VERSION, NULL, NULL},
1439 #ifndef OPENSSL_NO_SSL3
1440 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1442 {SSL3_VERSION, NULL, NULL},
1447 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1448 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1451 /* Must be in order high to low */
1452 static const version_info dtls_version_table[] = {
1453 #ifndef OPENSSL_NO_DTLS1_2
1454 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1456 {DTLS1_2_VERSION, NULL, NULL},
1458 #ifndef OPENSSL_NO_DTLS1
1459 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1460 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1462 {DTLS1_VERSION, NULL, NULL},
1463 {DTLS1_BAD_VER, NULL, NULL},
1469 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1471 * @s: The SSL handle for the candidate method
1472 * @method: the intended method.
1474 * Returns 0 on success, or an SSL error reason on failure.
1476 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1478 int version = method->version;
1480 if ((s->min_proto_version != 0 &&
1481 version_cmp(s, version, s->min_proto_version) < 0) ||
1482 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1483 return SSL_R_VERSION_TOO_LOW;
1485 if (s->max_proto_version != 0 &&
1486 version_cmp(s, version, s->max_proto_version) > 0)
1487 return SSL_R_VERSION_TOO_HIGH;
1489 if ((s->options & method->mask) != 0)
1490 return SSL_R_UNSUPPORTED_PROTOCOL;
1491 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1492 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1498 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1499 * certificate type, or has PSK or a certificate callback configured. Otherwise
1502 static int is_tls13_capable(const SSL *s)
1505 #ifndef OPENSSL_NO_EC
1510 #ifndef OPENSSL_NO_PSK
1511 if (s->psk_server_callback != NULL)
1515 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1518 for (i = 0; i < SSL_PKEY_NUM; i++) {
1519 /* Skip over certs disallowed for TLSv1.3 */
1521 case SSL_PKEY_DSA_SIGN:
1522 case SSL_PKEY_GOST01:
1523 case SSL_PKEY_GOST12_256:
1524 case SSL_PKEY_GOST12_512:
1529 if (!ssl_has_cert(s, i))
1531 #ifndef OPENSSL_NO_EC
1532 if (i != SSL_PKEY_ECC)
1535 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1536 * more restrictive so check that our sig algs are consistent with this
1537 * EC cert. See section 4.2.3 of RFC8446.
1539 eckey = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1542 curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
1543 if (tls_check_sigalg_curve(s, curve))
1554 * ssl_version_supported - Check that the specified `version` is supported by
1557 * @s: The SSL handle for the candidate method
1558 * @version: Protocol version to test against
1560 * Returns 1 when supported, otherwise 0
1562 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1564 const version_info *vent;
1565 const version_info *table;
1567 switch (s->method->version) {
1569 /* Version should match method version for non-ANY method */
1570 return version_cmp(s, version, s->version) == 0;
1571 case TLS_ANY_VERSION:
1572 table = tls_version_table;
1574 case DTLS_ANY_VERSION:
1575 table = dtls_version_table;
1580 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1582 if (vent->cmeth != NULL
1583 && version_cmp(s, version, vent->version) == 0
1584 && ssl_method_error(s, vent->cmeth()) == 0
1586 || version != TLS1_3_VERSION
1587 || is_tls13_capable(s))) {
1589 *meth = vent->cmeth();
1597 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1598 * fallback indication from a client check whether we're using the highest
1599 * supported protocol version.
1601 * @s server SSL handle.
1603 * Returns 1 when using the highest enabled version, 0 otherwise.
1605 int ssl_check_version_downgrade(SSL *s)
1607 const version_info *vent;
1608 const version_info *table;
1611 * Check that the current protocol is the highest enabled version
1612 * (according to s->ctx->method, as version negotiation may have changed
1615 if (s->version == s->ctx->method->version)
1619 * Apparently we're using a version-flexible SSL_METHOD (not at its
1620 * highest protocol version).
1622 if (s->ctx->method->version == TLS_method()->version)
1623 table = tls_version_table;
1624 else if (s->ctx->method->version == DTLS_method()->version)
1625 table = dtls_version_table;
1627 /* Unexpected state; fail closed. */
1631 for (vent = table; vent->version != 0; ++vent) {
1632 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1633 return s->version == vent->version;
1639 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1640 * protocols, provided the initial (D)TLS method is version-flexible. This
1641 * function sanity-checks the proposed value and makes sure the method is
1642 * version-flexible, then sets the limit if all is well.
1644 * @method_version: The version of the current SSL_METHOD.
1645 * @version: the intended limit.
1646 * @bound: pointer to limit to be updated.
1648 * Returns 1 on success, 0 on failure.
1650 int ssl_set_version_bound(int method_version, int version, int *bound)
1658 * Restrict TLS methods to TLS protocol versions.
1659 * Restrict DTLS methods to DTLS protocol versions.
1660 * Note, DTLS version numbers are decreasing, use comparison macros.
1662 * Note that for both lower-bounds we use explicit versions, not
1663 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1664 * configurations. If the MIN (supported) version ever rises, the user's
1665 * "floor" remains valid even if no longer available. We don't expect the
1666 * MAX ceiling to ever get lower, so making that variable makes sense.
1668 switch (method_version) {
1671 * XXX For fixed version methods, should we always fail and not set any
1672 * bounds, always succeed and not set any bounds, or set the bounds and
1673 * arrange to fail later if they are not met? At present fixed-version
1674 * methods are not subject to controls that disable individual protocol
1679 case TLS_ANY_VERSION:
1680 if (version < SSL3_VERSION || version > TLS_MAX_VERSION_INTERNAL)
1684 case DTLS_ANY_VERSION:
1685 if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION_INTERNAL) ||
1686 DTLS_VERSION_LT(version, DTLS1_BAD_VER))
1695 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1697 if (vers == TLS1_2_VERSION
1698 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1699 *dgrd = DOWNGRADE_TO_1_2;
1700 } else if (!SSL_IS_DTLS(s)
1701 && vers < TLS1_2_VERSION
1703 * We need to ensure that a server that disables TLSv1.2
1704 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1705 * complete handshakes with clients that support TLSv1.2 and
1706 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1707 * enabled and TLSv1.2 is not.
1709 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1710 *dgrd = DOWNGRADE_TO_1_1;
1712 *dgrd = DOWNGRADE_NONE;
1717 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1718 * client HELLO is received to select the final server protocol version and
1719 * the version specific method.
1721 * @s: server SSL handle.
1723 * Returns 0 on success or an SSL error reason number on failure.
1725 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1728 * With version-flexible methods we have an initial state with:
1730 * s->method->version == (D)TLS_ANY_VERSION,
1731 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
1733 * So we detect version-flexible methods via the method version, not the
1736 int server_version = s->method->version;
1737 int client_version = hello->legacy_version;
1738 const version_info *vent;
1739 const version_info *table;
1741 RAW_EXTENSION *suppversions;
1743 s->client_version = client_version;
1745 switch (server_version) {
1747 if (!SSL_IS_TLS13(s)) {
1748 if (version_cmp(s, client_version, s->version) < 0)
1749 return SSL_R_WRONG_SSL_VERSION;
1750 *dgrd = DOWNGRADE_NONE;
1752 * If this SSL handle is not from a version flexible method we don't
1753 * (and never did) check min/max FIPS or Suite B constraints. Hope
1754 * that's OK. It is up to the caller to not choose fixed protocol
1755 * versions they don't want. If not, then easy to fix, just return
1756 * ssl_method_error(s, s->method)
1761 * Fall through if we are TLSv1.3 already (this means we must be after
1762 * a HelloRetryRequest
1765 case TLS_ANY_VERSION:
1766 table = tls_version_table;
1768 case DTLS_ANY_VERSION:
1769 table = dtls_version_table;
1773 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1775 /* If we did an HRR then supported versions is mandatory */
1776 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1777 return SSL_R_UNSUPPORTED_PROTOCOL;
1779 if (suppversions->present && !SSL_IS_DTLS(s)) {
1780 unsigned int candidate_vers = 0;
1781 unsigned int best_vers = 0;
1782 const SSL_METHOD *best_method = NULL;
1783 PACKET versionslist;
1785 suppversions->parsed = 1;
1787 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1788 /* Trailing or invalid data? */
1789 return SSL_R_LENGTH_MISMATCH;
1793 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1794 * The spec only requires servers to check that it isn't SSLv3:
1795 * "Any endpoint receiving a Hello message with
1796 * ClientHello.legacy_version or ServerHello.legacy_version set to
1797 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1798 * We are slightly stricter and require that it isn't SSLv3 or lower.
1799 * We tolerate TLSv1 and TLSv1.1.
1801 if (client_version <= SSL3_VERSION)
1802 return SSL_R_BAD_LEGACY_VERSION;
1804 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1805 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1807 if (ssl_version_supported(s, candidate_vers, &best_method))
1808 best_vers = candidate_vers;
1810 if (PACKET_remaining(&versionslist) != 0) {
1811 /* Trailing data? */
1812 return SSL_R_LENGTH_MISMATCH;
1815 if (best_vers > 0) {
1816 if (s->hello_retry_request != SSL_HRR_NONE) {
1818 * This is after a HelloRetryRequest so we better check that we
1819 * negotiated TLSv1.3
1821 if (best_vers != TLS1_3_VERSION)
1822 return SSL_R_UNSUPPORTED_PROTOCOL;
1825 check_for_downgrade(s, best_vers, dgrd);
1826 s->version = best_vers;
1827 s->method = best_method;
1830 return SSL_R_UNSUPPORTED_PROTOCOL;
1834 * If the supported versions extension isn't present, then the highest
1835 * version we can negotiate is TLSv1.2
1837 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1838 client_version = TLS1_2_VERSION;
1841 * No supported versions extension, so we just use the version supplied in
1844 for (vent = table; vent->version != 0; ++vent) {
1845 const SSL_METHOD *method;
1847 if (vent->smeth == NULL ||
1848 version_cmp(s, client_version, vent->version) < 0)
1850 method = vent->smeth();
1851 if (ssl_method_error(s, method) == 0) {
1852 check_for_downgrade(s, vent->version, dgrd);
1853 s->version = vent->version;
1859 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1863 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1864 * server HELLO is received to select the final client protocol version and
1865 * the version specific method.
1867 * @s: client SSL handle.
1868 * @version: The proposed version from the server's HELLO.
1869 * @extensions: The extensions received
1871 * Returns 1 on success or 0 on error.
1873 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1875 const version_info *vent;
1876 const version_info *table;
1877 int ret, ver_min, ver_max, real_max, origv;
1880 s->version = version;
1882 /* This will overwrite s->version if the extension is present */
1883 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1884 SSL_EXT_TLS1_2_SERVER_HELLO
1885 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1891 if (s->hello_retry_request != SSL_HRR_NONE
1892 && s->version != TLS1_3_VERSION) {
1894 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1895 SSL_R_WRONG_SSL_VERSION);
1899 switch (s->method->version) {
1901 if (s->version != s->method->version) {
1903 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1904 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1905 SSL_R_WRONG_SSL_VERSION);
1909 * If this SSL handle is not from a version flexible method we don't
1910 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1911 * that's OK. It is up to the caller to not choose fixed protocol
1912 * versions they don't want. If not, then easy to fix, just return
1913 * ssl_method_error(s, s->method)
1916 case TLS_ANY_VERSION:
1917 table = tls_version_table;
1919 case DTLS_ANY_VERSION:
1920 table = dtls_version_table;
1924 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1927 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1928 SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
1931 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1932 : s->version < ver_min) {
1934 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1935 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1937 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1938 : s->version > ver_max) {
1940 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1941 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1945 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1948 /* Check for downgrades */
1949 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1950 if (memcmp(tls12downgrade,
1951 s->s3.server_random + SSL3_RANDOM_SIZE
1952 - sizeof(tls12downgrade),
1953 sizeof(tls12downgrade)) == 0) {
1955 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1956 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1957 SSL_R_INAPPROPRIATE_FALLBACK);
1960 } else if (!SSL_IS_DTLS(s)
1961 && s->version < TLS1_2_VERSION
1962 && real_max > s->version) {
1963 if (memcmp(tls11downgrade,
1964 s->s3.server_random + SSL3_RANDOM_SIZE
1965 - sizeof(tls11downgrade),
1966 sizeof(tls11downgrade)) == 0) {
1968 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1969 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1970 SSL_R_INAPPROPRIATE_FALLBACK);
1975 for (vent = table; vent->version != 0; ++vent) {
1976 if (vent->cmeth == NULL || s->version != vent->version)
1979 s->method = vent->cmeth();
1984 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1985 SSL_R_UNSUPPORTED_PROTOCOL);
1990 * ssl_get_min_max_version - get minimum and maximum protocol version
1991 * @s: The SSL connection
1992 * @min_version: The minimum supported version
1993 * @max_version: The maximum supported version
1994 * @real_max: The highest version below the lowest compile time version hole
1995 * where that hole lies above at least one run-time enabled
1998 * Work out what version we should be using for the initial ClientHello if the
1999 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2000 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2001 * constraints and any floor imposed by the security level here,
2002 * so we don't advertise the wrong protocol version to only reject the outcome later.
2004 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2005 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2006 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2008 * Returns 0 on success or an SSL error reason number on failure. On failure
2009 * min_version and max_version will also be set to 0.
2011 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2014 int version, tmp_real_max;
2016 const SSL_METHOD *single = NULL;
2017 const SSL_METHOD *method;
2018 const version_info *table;
2019 const version_info *vent;
2021 switch (s->method->version) {
2024 * If this SSL handle is not from a version flexible method we don't
2025 * (and never did) check min/max FIPS or Suite B constraints. Hope
2026 * that's OK. It is up to the caller to not choose fixed protocol
2027 * versions they don't want. If not, then easy to fix, just return
2028 * ssl_method_error(s, s->method)
2030 *min_version = *max_version = s->version;
2032 * Providing a real_max only makes sense where we're using a version
2035 if (!ossl_assert(real_max == NULL))
2036 return ERR_R_INTERNAL_ERROR;
2038 case TLS_ANY_VERSION:
2039 table = tls_version_table;
2041 case DTLS_ANY_VERSION:
2042 table = dtls_version_table;
2047 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2048 * below X enabled. This is required in order to maintain the "version
2049 * capability" vector contiguous. Any versions with a NULL client method
2050 * (protocol version client is disabled at compile-time) is also a "hole".
2052 * Our initial state is hole == 1, version == 0. That is, versions above
2053 * the first version in the method table are disabled (a "hole" above
2054 * the valid protocol entries) and we don't have a selected version yet.
2056 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2057 * the selected version, and the method becomes a candidate "single"
2058 * method. We're no longer in a hole, so "hole" becomes 0.
2060 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2061 * as we support a contiguous range of at least two methods. If we hit
2062 * a disabled method, then hole becomes true again, but nothing else
2063 * changes yet, because all the remaining methods may be disabled too.
2064 * If we again hit an enabled method after the new hole, it becomes
2065 * selected, as we start from scratch.
2067 *min_version = version = 0;
2069 if (real_max != NULL)
2072 for (vent = table; vent->version != 0; ++vent) {
2074 * A table entry with a NULL client method is still a hole in the
2075 * "version capability" vector.
2077 if (vent->cmeth == NULL) {
2082 method = vent->cmeth();
2084 if (hole == 1 && tmp_real_max == 0)
2085 tmp_real_max = vent->version;
2087 if (ssl_method_error(s, method) != 0) {
2091 *min_version = method->version;
2093 if (real_max != NULL && tmp_real_max != 0)
2094 *real_max = tmp_real_max;
2095 version = (single = method)->version;
2096 *min_version = version;
2101 *max_version = version;
2103 /* Fail if everything is disabled */
2105 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2111 * ssl_set_client_hello_version - Work out what version we should be using for
2112 * the initial ClientHello.legacy_version field.
2114 * @s: client SSL handle.
2116 * Returns 0 on success or an SSL error reason number on failure.
2118 int ssl_set_client_hello_version(SSL *s)
2120 int ver_min, ver_max, ret;
2123 * In a renegotiation we always send the same client_version that we sent
2124 * last time, regardless of which version we eventually negotiated.
2126 if (!SSL_IS_FIRST_HANDSHAKE(s))
2129 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2134 s->version = ver_max;
2136 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2137 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2138 ver_max = TLS1_2_VERSION;
2140 s->client_version = ver_max;
2145 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2146 * and |checkallow| is 1 then additionally check if the group is allowed to be
2147 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2148 * 1) or 0 otherwise.
2150 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2151 size_t num_groups, int checkallow)
2155 if (groups == NULL || num_groups == 0)
2158 for (i = 0; i < num_groups; i++) {
2159 uint16_t group = groups[i];
2161 if (group_id == group
2163 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2171 /* Replace ClientHello1 in the transcript hash with a synthetic message */
2172 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2173 size_t hashlen, const unsigned char *hrr,
2176 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2177 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2179 memset(msghdr, 0, sizeof(msghdr));
2181 if (hashval == NULL) {
2182 hashval = hashvaltmp;
2184 /* Get the hash of the initial ClientHello */
2185 if (!ssl3_digest_cached_records(s, 0)
2186 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2188 /* SSLfatal() already called */
2193 /* Reinitialise the transcript hash */
2194 if (!ssl3_init_finished_mac(s)) {
2195 /* SSLfatal() already called */
2199 /* Inject the synthetic message_hash message */
2200 msghdr[0] = SSL3_MT_MESSAGE_HASH;
2201 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2202 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2203 || !ssl3_finish_mac(s, hashval, hashlen)) {
2204 /* SSLfatal() already called */
2209 * Now re-inject the HRR and current message if appropriate (we just deleted
2210 * it when we reinitialised the transcript hash above). Only necessary after
2211 * receiving a ClientHello2 with a cookie.
2214 && (!ssl3_finish_mac(s, hrr, hrrlen)
2215 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2216 s->s3.tmp.message_size
2217 + SSL3_HM_HEADER_LENGTH))) {
2218 /* SSLfatal() already called */
2225 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2227 return X509_NAME_cmp(*a, *b);
2230 int parse_ca_names(SSL *s, PACKET *pkt)
2232 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2233 X509_NAME *xn = NULL;
2236 if (ca_sk == NULL) {
2237 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2238 ERR_R_MALLOC_FAILURE);
2241 /* get the CA RDNs */
2242 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2243 SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
2244 SSL_R_LENGTH_MISMATCH);
2248 while (PACKET_remaining(&cadns)) {
2249 const unsigned char *namestart, *namebytes;
2250 unsigned int name_len;
2252 if (!PACKET_get_net_2(&cadns, &name_len)
2253 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2254 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2255 SSL_R_LENGTH_MISMATCH);
2259 namestart = namebytes;
2260 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2261 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2265 if (namebytes != (namestart + name_len)) {
2266 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2267 SSL_R_CA_DN_LENGTH_MISMATCH);
2271 if (!sk_X509_NAME_push(ca_sk, xn)) {
2272 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2273 ERR_R_MALLOC_FAILURE);
2279 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2280 s->s3.tmp.peer_ca_names = ca_sk;
2285 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2290 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2292 const STACK_OF(X509_NAME) *ca_sk = NULL;;
2295 ca_sk = SSL_get_client_CA_list(s);
2296 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2301 ca_sk = SSL_get0_CA_list(s);
2306 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2308 /* Start sub-packet for client CA list */
2309 if (!WPACKET_start_sub_packet_u16(pkt)) {
2310 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2311 ERR_R_INTERNAL_ERROR);
2315 if (ca_sk != NULL) {
2318 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2319 unsigned char *namebytes;
2320 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2324 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2325 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2327 || i2d_X509_NAME(name, &namebytes) != namelen) {
2328 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2329 ERR_R_INTERNAL_ERROR);
2335 if (!WPACKET_close(pkt)) {
2336 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2337 ERR_R_INTERNAL_ERROR);
2344 /* Create a buffer containing data to be signed for server key exchange */
2345 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2346 const void *param, size_t paramlen)
2348 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2349 unsigned char *tbs = OPENSSL_malloc(tbslen);
2352 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
2353 ERR_R_MALLOC_FAILURE);
2356 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2357 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2359 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2366 * Saves the current handshake digest for Post-Handshake Auth,
2367 * Done after ClientFinished is processed, done exactly once
2369 int tls13_save_handshake_digest_for_pha(SSL *s)
2371 if (s->pha_dgst == NULL) {
2372 if (!ssl3_digest_cached_records(s, 1))
2373 /* SSLfatal() already called */
2376 s->pha_dgst = EVP_MD_CTX_new();
2377 if (s->pha_dgst == NULL) {
2378 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2379 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2380 ERR_R_INTERNAL_ERROR);
2383 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2384 s->s3.handshake_dgst)) {
2385 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2386 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2387 ERR_R_INTERNAL_ERROR);
2395 * Restores the Post-Handshake Auth handshake digest
2396 * Done just before sending/processing the Cert Request
2398 int tls13_restore_handshake_digest_for_pha(SSL *s)
2400 if (s->pha_dgst == NULL) {
2401 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2402 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2403 ERR_R_INTERNAL_ERROR);
2406 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2408 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2409 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2410 ERR_R_INTERNAL_ERROR);