2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include "internal/evp.h"
18 #include <openssl/buffer.h>
19 #include <openssl/objects.h>
20 #include <openssl/evp.h>
21 #include <openssl/x509.h>
22 #include <openssl/trace.h>
25 * Map error codes to TLS/SSL alart types.
27 typedef struct x509err2alert_st {
32 /* Fixed value used in the ServerHello random field to identify an HRR */
33 const unsigned char hrrrandom[] = {
34 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
40 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41 * SSL3_RT_CHANGE_CIPHER_SPEC)
43 int ssl3_do_write(SSL *s, int type)
48 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
49 s->init_num, &written);
52 if (type == SSL3_RT_HANDSHAKE)
54 * should not be done for 'Hello Request's, but in that case we'll
55 * ignore the result anyway
56 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
58 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
59 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
60 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
61 if (!ssl3_finish_mac(s,
62 (unsigned char *)&s->init_buf->data[s->init_off],
65 if (written == s->init_num) {
67 s->msg_callback(1, s->version, type, s->init_buf->data,
68 (size_t)(s->init_off + s->init_num), s,
72 s->init_off += written;
73 s->init_num -= written;
77 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
81 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
82 || !WPACKET_get_length(pkt, &msglen)
85 s->init_num = (int)msglen;
91 int tls_setup_handshake(SSL *s)
93 int ver_min, ver_max, ok;
95 if (!ssl3_init_finished_mac(s)) {
96 /* SSLfatal() already called */
100 /* Reset any extension flags */
101 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
103 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
104 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_TLS_SETUP_HANDSHAKE,
105 SSL_R_NO_PROTOCOLS_AVAILABLE);
109 /* Sanity check that we have MD5-SHA1 if we need it */
110 if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
111 int md5sha1_needed = 0;
113 /* We don't have MD5-SHA1 - do we need it? */
114 if (SSL_IS_DTLS(s)) {
115 if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
118 if (ver_max <= TLS1_1_VERSION)
121 if (md5sha1_needed) {
122 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
123 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM);
124 ERR_add_error_data(1, "The max supported SSL/TLS version needs the"
125 " MD5-SHA1 digest but it is not available"
126 " in the loaded providers. Use (D)TLSv1.2 or"
127 " above, or load different providers");
132 /* Don't allow TLSv1.1 or below to be negotiated */
133 if (SSL_IS_DTLS(s)) {
134 if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
135 ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION);
137 if (ver_min < TLS1_2_VERSION)
138 ok = SSL_set_min_proto_version(s, TLS1_2_VERSION);
141 /* Shouldn't happen */
142 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
143 ERR_R_INTERNAL_ERROR);
150 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
154 * Sanity check that the maximum version we accept has ciphers
155 * enabled. For clients we do this check during construction of the
158 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
159 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
161 if (SSL_IS_DTLS(s)) {
162 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
163 DTLS_VERSION_LE(ver_max, c->max_dtls))
165 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
172 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
173 SSL_R_NO_CIPHERS_AVAILABLE);
174 ERR_add_error_data(1, "No ciphers enabled for max supported "
178 if (SSL_IS_FIRST_HANDSHAKE(s)) {
179 /* N.B. s->session_ctx == s->ctx here */
180 tsan_counter(&s->session_ctx->stats.sess_accept);
182 /* N.B. s->ctx may not equal s->session_ctx */
183 tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
185 s->s3.tmp.cert_request = 0;
188 if (SSL_IS_FIRST_HANDSHAKE(s))
189 tsan_counter(&s->session_ctx->stats.sess_connect);
191 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
193 /* mark client_random uninitialized */
194 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
197 s->s3.tmp.cert_req = 0;
200 s->statem.use_timer = 1;
207 * Size of the to-be-signed TLS13 data, without the hash size itself:
208 * 64 bytes of value 32, 33 context bytes, 1 byte separator
210 #define TLS13_TBS_START_SIZE 64
211 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
213 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
214 void **hdata, size_t *hdatalen)
216 #ifdef CHARSET_EBCDIC
217 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
218 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
219 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
220 0x69, 0x66, 0x79, 0x00 };
221 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
222 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
223 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
224 0x69, 0x66, 0x79, 0x00 };
226 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
227 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
229 if (SSL_IS_TLS13(s)) {
232 /* Set the first 64 bytes of to-be-signed data to octet 32 */
233 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
234 /* This copies the 33 bytes of context plus the 0 separator byte */
235 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
236 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
237 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
239 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
242 * If we're currently reading then we need to use the saved handshake
243 * hash value. We can't use the current handshake hash state because
244 * that includes the CertVerify itself.
246 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
247 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
248 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
249 s->cert_verify_hash_len);
250 hashlen = s->cert_verify_hash_len;
251 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
252 EVP_MAX_MD_SIZE, &hashlen)) {
253 /* SSLfatal() already called */
258 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
263 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
265 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
266 ERR_R_INTERNAL_ERROR);
275 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
277 EVP_PKEY *pkey = NULL;
278 const EVP_MD *md = NULL;
279 EVP_MD_CTX *mctx = NULL;
280 EVP_PKEY_CTX *pctx = NULL;
281 size_t hdatalen = 0, siglen = 0;
283 unsigned char *sig = NULL;
284 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
285 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
287 if (lu == NULL || s->s3.tmp.cert == NULL) {
288 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
289 ERR_R_INTERNAL_ERROR);
292 pkey = s->s3.tmp.cert->privatekey;
294 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
295 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
296 ERR_R_INTERNAL_ERROR);
300 mctx = EVP_MD_CTX_new();
302 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
303 ERR_R_MALLOC_FAILURE);
307 /* Get the data to be signed */
308 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
309 /* SSLfatal() already called */
313 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
314 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
315 ERR_R_INTERNAL_ERROR);
319 if (EVP_DigestSignInit_ex(mctx, &pctx, md == NULL ? NULL : EVP_MD_name(md),
320 s->ctx->libctx, s->ctx->propq, pkey) <= 0) {
321 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
326 if (lu->sig == EVP_PKEY_RSA_PSS) {
327 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
328 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
329 RSA_PSS_SALTLEN_DIGEST) <= 0) {
330 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
335 if (s->version == SSL3_VERSION) {
337 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
338 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
340 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
342 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
343 * with a call to ssl3_digest_master_key_set_params()
345 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
346 (int)s->session->master_key_length,
347 s->session->master_key) <= 0
348 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
350 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
354 sig = OPENSSL_malloc(siglen);
356 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
357 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
363 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
364 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
366 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
367 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
371 sig = OPENSSL_malloc(siglen);
373 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
374 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
380 #ifndef OPENSSL_NO_GOST
382 int pktype = lu->sig;
384 if (pktype == NID_id_GostR3410_2001
385 || pktype == NID_id_GostR3410_2012_256
386 || pktype == NID_id_GostR3410_2012_512)
387 BUF_reverse(sig, NULL, siglen);
391 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
392 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
393 ERR_R_INTERNAL_ERROR);
397 /* Digest cached records and discard handshake buffer */
398 if (!ssl3_digest_cached_records(s, 0)) {
399 /* SSLfatal() already called */
404 EVP_MD_CTX_free(mctx);
408 EVP_MD_CTX_free(mctx);
412 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
414 EVP_PKEY *pkey = NULL;
415 const unsigned char *data;
416 #ifndef OPENSSL_NO_GOST
417 unsigned char *gost_data = NULL;
419 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
423 const EVP_MD *md = NULL;
426 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
427 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
428 EVP_PKEY_CTX *pctx = NULL;
431 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
432 ERR_R_MALLOC_FAILURE);
436 peer = s->session->peer;
437 pkey = X509_get0_pubkey(peer);
439 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
440 ERR_R_INTERNAL_ERROR);
444 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
445 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
446 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
450 if (SSL_USE_SIGALGS(s)) {
453 if (!PACKET_get_net_2(pkt, &sigalg)) {
454 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
458 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
459 /* SSLfatal() already called */
462 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
463 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
464 ERR_R_INTERNAL_ERROR);
468 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
469 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
470 ERR_R_INTERNAL_ERROR);
474 if (SSL_USE_SIGALGS(s))
475 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
476 md == NULL ? "n/a" : EVP_MD_name(md));
478 /* Check for broken implementations of GOST ciphersuites */
480 * If key is GOST and len is exactly 64 or 128, it is signature without
481 * length field (CryptoPro implementations at least till TLS 1.2)
483 #ifndef OPENSSL_NO_GOST
484 if (!SSL_USE_SIGALGS(s)
485 && ((PACKET_remaining(pkt) == 64
486 && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
487 || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
488 || (PACKET_remaining(pkt) == 128
489 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
490 len = PACKET_remaining(pkt);
493 if (!PACKET_get_net_2(pkt, &len)) {
494 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
495 SSL_R_LENGTH_MISMATCH);
499 if (!PACKET_get_bytes(pkt, &data, len)) {
500 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
501 SSL_R_LENGTH_MISMATCH);
505 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
506 /* SSLfatal() already called */
510 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
511 md == NULL ? "n/a" : EVP_MD_name(md));
513 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
514 md == NULL ? NULL : EVP_MD_name(md),
515 s->ctx->libctx, s->ctx->propq, pkey) <= 0) {
516 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
520 #ifndef OPENSSL_NO_GOST
522 int pktype = EVP_PKEY_id(pkey);
523 if (pktype == NID_id_GostR3410_2001
524 || pktype == NID_id_GostR3410_2012_256
525 || pktype == NID_id_GostR3410_2012_512) {
526 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
527 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
528 SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
531 BUF_reverse(gost_data, data, len);
537 if (SSL_USE_PSS(s)) {
538 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
539 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
540 RSA_PSS_SALTLEN_DIGEST) <= 0) {
541 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
546 if (s->version == SSL3_VERSION) {
548 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
549 * with a call to ssl3_digest_master_key_set_params()
551 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
552 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
553 (int)s->session->master_key_length,
554 s->session->master_key) <= 0) {
555 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
559 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
560 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
561 SSL_R_BAD_SIGNATURE);
565 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
567 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
568 SSL_R_BAD_SIGNATURE);
574 * In TLSv1.3 on the client side we make sure we prepare the client
575 * certificate after the CertVerify instead of when we get the
576 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
577 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
578 * want to make sure that SSL_get1_peer_certificate() will return the actual
579 * server certificate from the client_cert_cb callback.
581 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
582 ret = MSG_PROCESS_CONTINUE_PROCESSING;
584 ret = MSG_PROCESS_CONTINUE_READING;
586 BIO_free(s->s3.handshake_buffer);
587 s->s3.handshake_buffer = NULL;
588 EVP_MD_CTX_free(mctx);
589 #ifndef OPENSSL_NO_GOST
590 OPENSSL_free(gost_data);
595 int tls_construct_finished(SSL *s, WPACKET *pkt)
597 size_t finish_md_len;
601 /* This is a real handshake so make sure we clean it up at the end */
602 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
603 s->statem.cleanuphand = 1;
606 * We only change the keys if we didn't already do this when we sent the
611 && s->s3.tmp.cert_req == 0
612 && (!s->method->ssl3_enc->change_cipher_state(s,
613 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
614 /* SSLfatal() already called */
619 sender = s->method->ssl3_enc->server_finished_label;
620 slen = s->method->ssl3_enc->server_finished_label_len;
622 sender = s->method->ssl3_enc->client_finished_label;
623 slen = s->method->ssl3_enc->client_finished_label_len;
626 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
628 s->s3.tmp.finish_md);
629 if (finish_md_len == 0) {
630 /* SSLfatal() already called */
634 s->s3.tmp.finish_md_len = finish_md_len;
636 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
637 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
638 ERR_R_INTERNAL_ERROR);
643 * Log the master secret, if logging is enabled. We don't log it for
644 * TLSv1.3: there's a different key schedule for that.
646 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
647 s->session->master_key,
648 s->session->master_key_length)) {
649 /* SSLfatal() already called */
654 * Copy the finished so we can use it for renegotiation checks
656 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
657 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
658 ERR_R_INTERNAL_ERROR);
662 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
664 s->s3.previous_client_finished_len = finish_md_len;
666 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
668 s->s3.previous_server_finished_len = finish_md_len;
674 int tls_construct_key_update(SSL *s, WPACKET *pkt)
676 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
677 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
678 ERR_R_INTERNAL_ERROR);
682 s->key_update = SSL_KEY_UPDATE_NONE;
686 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
688 unsigned int updatetype;
691 * A KeyUpdate message signals a key change so the end of the message must
692 * be on a record boundary.
694 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
695 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
696 SSL_R_NOT_ON_RECORD_BOUNDARY);
697 return MSG_PROCESS_ERROR;
700 if (!PACKET_get_1(pkt, &updatetype)
701 || PACKET_remaining(pkt) != 0) {
702 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
703 SSL_R_BAD_KEY_UPDATE);
704 return MSG_PROCESS_ERROR;
708 * There are only two defined key update types. Fail if we get a value we
711 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
712 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
713 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
714 SSL_R_BAD_KEY_UPDATE);
715 return MSG_PROCESS_ERROR;
719 * If we get a request for us to update our sending keys too then, we need
720 * to additionally send a KeyUpdate message. However that message should
721 * not also request an update (otherwise we get into an infinite loop).
723 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
724 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
726 if (!tls13_update_key(s, 0)) {
727 /* SSLfatal() already called */
728 return MSG_PROCESS_ERROR;
731 return MSG_PROCESS_FINISHED_READING;
735 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
738 int ssl3_take_mac(SSL *s)
744 sender = s->method->ssl3_enc->server_finished_label;
745 slen = s->method->ssl3_enc->server_finished_label_len;
747 sender = s->method->ssl3_enc->client_finished_label;
748 slen = s->method->ssl3_enc->client_finished_label_len;
751 s->s3.tmp.peer_finish_md_len =
752 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
753 s->s3.tmp.peer_finish_md);
755 if (s->s3.tmp.peer_finish_md_len == 0) {
756 /* SSLfatal() already called */
763 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
767 remain = PACKET_remaining(pkt);
769 * 'Change Cipher Spec' is just a single byte, which should already have
770 * been consumed by ssl_get_message() so there should be no bytes left,
771 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
773 if (SSL_IS_DTLS(s)) {
774 if ((s->version == DTLS1_BAD_VER
775 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
776 || (s->version != DTLS1_BAD_VER
777 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
778 SSLfatal(s, SSL_AD_DECODE_ERROR,
779 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
780 SSL_R_BAD_CHANGE_CIPHER_SPEC);
781 return MSG_PROCESS_ERROR;
785 SSLfatal(s, SSL_AD_DECODE_ERROR,
786 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
787 SSL_R_BAD_CHANGE_CIPHER_SPEC);
788 return MSG_PROCESS_ERROR;
792 /* Check we have a cipher to change to */
793 if (s->s3.tmp.new_cipher == NULL) {
794 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
795 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
796 return MSG_PROCESS_ERROR;
799 s->s3.change_cipher_spec = 1;
800 if (!ssl3_do_change_cipher_spec(s)) {
801 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
802 ERR_R_INTERNAL_ERROR);
803 return MSG_PROCESS_ERROR;
806 if (SSL_IS_DTLS(s)) {
807 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
809 if (s->version == DTLS1_BAD_VER)
810 s->d1->handshake_read_seq++;
812 #ifndef OPENSSL_NO_SCTP
814 * Remember that a CCS has been received, so that an old key of
815 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
818 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
822 return MSG_PROCESS_CONTINUE_READING;
825 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
830 /* This is a real handshake so make sure we clean it up at the end */
833 * To get this far we must have read encrypted data from the client. We
834 * no longer tolerate unencrypted alerts. This value is ignored if less
837 s->statem.enc_read_state = ENC_READ_STATE_VALID;
838 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
839 s->statem.cleanuphand = 1;
840 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
841 /* SSLfatal() already called */
842 return MSG_PROCESS_ERROR;
847 * In TLSv1.3 a Finished message signals a key change so the end of the
848 * message must be on a record boundary.
850 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
851 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
852 SSL_R_NOT_ON_RECORD_BOUNDARY);
853 return MSG_PROCESS_ERROR;
856 /* If this occurs, we have missed a message */
857 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
858 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
859 SSL_R_GOT_A_FIN_BEFORE_A_CCS);
860 return MSG_PROCESS_ERROR;
862 s->s3.change_cipher_spec = 0;
864 md_len = s->s3.tmp.peer_finish_md_len;
866 if (md_len != PACKET_remaining(pkt)) {
867 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
868 SSL_R_BAD_DIGEST_LENGTH);
869 return MSG_PROCESS_ERROR;
872 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
874 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
875 SSL_R_DIGEST_CHECK_FAILED);
876 return MSG_PROCESS_ERROR;
880 * Copy the finished so we can use it for renegotiation checks
882 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
883 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
884 ERR_R_INTERNAL_ERROR);
885 return MSG_PROCESS_ERROR;
888 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
890 s->s3.previous_client_finished_len = md_len;
892 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
894 s->s3.previous_server_finished_len = md_len;
898 * In TLS1.3 we also have to change cipher state and do any final processing
899 * of the initial server flight (if we are a client)
901 if (SSL_IS_TLS13(s)) {
903 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
904 !s->method->ssl3_enc->change_cipher_state(s,
905 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
906 /* SSLfatal() already called */
907 return MSG_PROCESS_ERROR;
910 /* TLS 1.3 gets the secret size from the handshake md */
912 if (!s->method->ssl3_enc->generate_master_secret(s,
913 s->master_secret, s->handshake_secret, 0,
915 /* SSLfatal() already called */
916 return MSG_PROCESS_ERROR;
918 if (!s->method->ssl3_enc->change_cipher_state(s,
919 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
920 /* SSLfatal() already called */
921 return MSG_PROCESS_ERROR;
923 if (!tls_process_initial_server_flight(s)) {
924 /* SSLfatal() already called */
925 return MSG_PROCESS_ERROR;
930 return MSG_PROCESS_FINISHED_READING;
933 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
935 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
936 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
937 SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
944 /* Add a certificate to the WPACKET */
945 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
948 unsigned char *outbytes;
950 len = i2d_X509(x, NULL);
952 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
956 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
957 || i2d_X509(x, &outbytes) != len) {
958 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
959 ERR_R_INTERNAL_ERROR);
964 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
966 /* SSLfatal() already called */
973 /* Add certificate chain to provided WPACKET */
974 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
978 STACK_OF(X509) *extra_certs;
979 STACK_OF(X509) *chain = NULL;
980 X509_STORE *chain_store;
982 if (cpk == NULL || cpk->x509 == NULL)
988 * If we have a certificate specific chain use it, else use parent ctx.
990 if (cpk->chain != NULL)
991 extra_certs = cpk->chain;
993 extra_certs = s->ctx->extra_certs;
995 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
997 else if (s->cert->chain_store)
998 chain_store = s->cert->chain_store;
1000 chain_store = s->ctx->cert_store;
1002 if (chain_store != NULL) {
1003 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx,
1006 if (xs_ctx == NULL) {
1007 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
1008 ERR_R_MALLOC_FAILURE);
1011 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
1012 X509_STORE_CTX_free(xs_ctx);
1013 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
1018 * It is valid for the chain not to be complete (because normally we
1019 * don't include the root cert in the chain). Therefore we deliberately
1020 * ignore the error return from this call. We're not actually verifying
1021 * the cert - we're just building as much of the chain as we can
1023 (void)X509_verify_cert(xs_ctx);
1024 /* Don't leave errors in the queue */
1026 chain = X509_STORE_CTX_get0_chain(xs_ctx);
1027 i = ssl_security_cert_chain(s, chain, NULL, 0);
1030 /* Dummy error calls so mkerr generates them */
1031 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
1032 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
1033 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
1035 X509_STORE_CTX_free(xs_ctx);
1036 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
1039 chain_count = sk_X509_num(chain);
1040 for (i = 0; i < chain_count; i++) {
1041 x = sk_X509_value(chain, i);
1043 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
1044 /* SSLfatal() already called */
1045 X509_STORE_CTX_free(xs_ctx);
1049 X509_STORE_CTX_free(xs_ctx);
1051 i = ssl_security_cert_chain(s, extra_certs, x, 0);
1053 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
1056 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1057 /* SSLfatal() already called */
1060 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1061 x = sk_X509_value(extra_certs, i);
1062 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1063 /* SSLfatal() already called */
1071 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1073 if (!WPACKET_start_sub_packet_u24(pkt)) {
1074 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1075 ERR_R_INTERNAL_ERROR);
1079 if (!ssl_add_cert_chain(s, pkt, cpk))
1082 if (!WPACKET_close(pkt)) {
1083 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1084 ERR_R_INTERNAL_ERROR);
1092 * Tidy up after the end of a handshake. In the case of SCTP this may result
1093 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1096 WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
1098 void (*cb) (const SSL *ssl, int type, int val) = NULL;
1099 int cleanuphand = s->statem.cleanuphand;
1103 #ifndef OPENSSL_NO_SCTP
1105 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1106 * messages that require it. Therefore, DTLS procedures for retransmissions
1108 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1110 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1114 * We don't do this in DTLS over UDP because we may still need the init_buf
1115 * in case there are any unexpected retransmits
1117 BUF_MEM_free(s->init_buf);
1121 if (!ssl_free_wbio_buffer(s)) {
1122 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
1123 ERR_R_INTERNAL_ERROR);
1129 if (SSL_IS_TLS13(s) && !s->server
1130 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1131 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1134 * Only set if there was a Finished message and this isn't after a TLSv1.3
1135 * post handshake exchange
1138 /* skipped if we just sent a HelloRequest */
1141 s->statem.cleanuphand = 0;
1142 s->ext.ticket_expected = 0;
1144 ssl3_cleanup_key_block(s);
1148 * In TLSv1.3 we update the cache as part of constructing the
1151 if (!SSL_IS_TLS13(s))
1152 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1154 /* N.B. s->ctx may not equal s->session_ctx */
1155 tsan_counter(&s->ctx->stats.sess_accept_good);
1156 s->handshake_func = ossl_statem_accept;
1158 if (SSL_IS_TLS13(s)) {
1160 * We encourage applications to only use TLSv1.3 tickets once,
1161 * so we remove this one from the cache.
1163 if ((s->session_ctx->session_cache_mode
1164 & SSL_SESS_CACHE_CLIENT) != 0)
1165 SSL_CTX_remove_session(s->session_ctx, s->session);
1168 * In TLSv1.3 we update the cache as part of processing the
1171 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1174 tsan_counter(&s->session_ctx->stats.sess_hit);
1176 s->handshake_func = ossl_statem_connect;
1177 tsan_counter(&s->session_ctx->stats.sess_connect_good);
1180 if (SSL_IS_DTLS(s)) {
1181 /* done with handshaking */
1182 s->d1->handshake_read_seq = 0;
1183 s->d1->handshake_write_seq = 0;
1184 s->d1->next_handshake_write_seq = 0;
1185 dtls1_clear_received_buffer(s);
1189 if (s->info_callback != NULL)
1190 cb = s->info_callback;
1191 else if (s->ctx->info_callback != NULL)
1192 cb = s->ctx->info_callback;
1194 /* The callback may expect us to not be in init at handshake done */
1195 ossl_statem_set_in_init(s, 0);
1200 || SSL_IS_FIRST_HANDSHAKE(s))
1201 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1205 /* If we've got more work to do we go back into init */
1206 ossl_statem_set_in_init(s, 1);
1207 return WORK_FINISHED_CONTINUE;
1210 return WORK_FINISHED_STOP;
1213 int tls_get_message_header(SSL *s, int *mt)
1215 /* s->init_num < SSL3_HM_HEADER_LENGTH */
1216 int skip_message, i, recvd_type;
1218 size_t l, readbytes;
1220 p = (unsigned char *)s->init_buf->data;
1223 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1224 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1226 SSL3_HM_HEADER_LENGTH - s->init_num,
1229 s->rwstate = SSL_READING;
1232 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1234 * A ChangeCipherSpec must be a single byte and may not occur
1235 * in the middle of a handshake message.
1237 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1238 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1239 SSL_F_TLS_GET_MESSAGE_HEADER,
1240 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1243 if (s->statem.hand_state == TLS_ST_BEFORE
1244 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1246 * We are stateless and we received a CCS. Probably this is
1247 * from a client between the first and second ClientHellos.
1248 * We should ignore this, but return an error because we do
1249 * not return success until we see the second ClientHello
1250 * with a valid cookie.
1254 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1255 s->init_num = readbytes - 1;
1256 s->init_msg = s->init_buf->data;
1257 s->s3.tmp.message_size = readbytes;
1259 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1260 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1261 SSL_F_TLS_GET_MESSAGE_HEADER,
1262 SSL_R_CCS_RECEIVED_EARLY);
1265 s->init_num += readbytes;
1270 if (s->statem.hand_state != TLS_ST_OK
1271 && p[0] == SSL3_MT_HELLO_REQUEST)
1273 * The server may always send 'Hello Request' messages --
1274 * we are doing a handshake anyway now, so ignore them if
1275 * their format is correct. Does not count for 'Finished'
1278 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1282 if (s->msg_callback)
1283 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1284 p, SSL3_HM_HEADER_LENGTH, s,
1285 s->msg_callback_arg);
1287 } while (skip_message);
1288 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1291 s->s3.tmp.message_type = *(p++);
1293 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1295 * Only happens with SSLv3+ in an SSLv2 backward compatible
1298 * Total message size is the remaining record bytes to read
1299 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1301 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1302 + SSL3_HM_HEADER_LENGTH;
1303 s->s3.tmp.message_size = l;
1305 s->init_msg = s->init_buf->data;
1306 s->init_num = SSL3_HM_HEADER_LENGTH;
1309 /* BUF_MEM_grow takes an 'int' parameter */
1310 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1311 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
1312 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1315 s->s3.tmp.message_size = l;
1317 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1324 int tls_get_message_body(SSL *s, size_t *len)
1326 size_t n, readbytes;
1330 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1331 /* We've already read everything in */
1332 *len = (unsigned long)s->init_num;
1337 n = s->s3.tmp.message_size - s->init_num;
1339 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1340 &p[s->init_num], n, 0, &readbytes);
1342 s->rwstate = SSL_READING;
1346 s->init_num += readbytes;
1351 * If receiving Finished, record MAC of prior handshake messages for
1352 * Finished verification.
1354 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1355 /* SSLfatal() already called */
1360 /* Feed this message into MAC computation. */
1361 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1362 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1364 /* SSLfatal() already called */
1368 if (s->msg_callback)
1369 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1370 (size_t)s->init_num, s, s->msg_callback_arg);
1373 * We defer feeding in the HRR until later. We'll do it as part of
1374 * processing the message
1375 * The TLsv1.3 handshake transcript stops at the ClientFinished
1378 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1379 /* KeyUpdate and NewSessionTicket do not need to be added */
1380 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1381 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1382 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1383 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1384 || memcmp(hrrrandom,
1385 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1386 SSL3_RANDOM_SIZE) != 0) {
1387 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1388 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1389 /* SSLfatal() already called */
1395 if (s->msg_callback)
1396 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1397 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1398 s->msg_callback_arg);
1405 static const X509ERR2ALERT x509table[] = {
1406 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1407 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1408 {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
1409 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1410 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1411 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1412 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1413 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1414 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1415 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1416 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1417 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1418 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1419 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1420 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1421 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1422 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1423 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1424 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1425 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1426 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1427 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1428 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1429 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1430 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1431 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1432 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1433 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1434 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1435 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1436 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1437 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1438 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1439 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1440 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1441 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1442 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1443 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1444 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1445 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1447 /* Last entry; return this if we don't find the value above. */
1448 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1451 int ssl_x509err2alert(int x509err)
1453 const X509ERR2ALERT *tp;
1455 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1456 if (tp->x509err == x509err)
1461 int ssl_allow_compression(SSL *s)
1463 if (s->options & SSL_OP_NO_COMPRESSION)
1465 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1468 static int version_cmp(const SSL *s, int a, int b)
1470 int dtls = SSL_IS_DTLS(s);
1475 return a < b ? -1 : 1;
1476 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1481 const SSL_METHOD *(*cmeth) (void);
1482 const SSL_METHOD *(*smeth) (void);
1485 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1486 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1489 /* Must be in order high to low */
1490 static const version_info tls_version_table[] = {
1491 #ifndef OPENSSL_NO_TLS1_3
1492 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1494 {TLS1_3_VERSION, NULL, NULL},
1496 #ifndef OPENSSL_NO_TLS1_2
1497 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1499 {TLS1_2_VERSION, NULL, NULL},
1501 #ifndef OPENSSL_NO_TLS1_1
1502 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1504 {TLS1_1_VERSION, NULL, NULL},
1506 #ifndef OPENSSL_NO_TLS1
1507 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1509 {TLS1_VERSION, NULL, NULL},
1511 #ifndef OPENSSL_NO_SSL3
1512 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1514 {SSL3_VERSION, NULL, NULL},
1519 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1520 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1523 /* Must be in order high to low */
1524 static const version_info dtls_version_table[] = {
1525 #ifndef OPENSSL_NO_DTLS1_2
1526 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1528 {DTLS1_2_VERSION, NULL, NULL},
1530 #ifndef OPENSSL_NO_DTLS1
1531 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1532 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1534 {DTLS1_VERSION, NULL, NULL},
1535 {DTLS1_BAD_VER, NULL, NULL},
1541 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1543 * @s: The SSL handle for the candidate method
1544 * @method: the intended method.
1546 * Returns 0 on success, or an SSL error reason on failure.
1548 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1550 int version = method->version;
1552 if ((s->min_proto_version != 0 &&
1553 version_cmp(s, version, s->min_proto_version) < 0) ||
1554 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1555 return SSL_R_VERSION_TOO_LOW;
1557 if (s->max_proto_version != 0 &&
1558 version_cmp(s, version, s->max_proto_version) > 0)
1559 return SSL_R_VERSION_TOO_HIGH;
1561 if ((s->options & method->mask) != 0)
1562 return SSL_R_UNSUPPORTED_PROTOCOL;
1563 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1564 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1570 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1571 * certificate type, or has PSK or a certificate callback configured. Otherwise
1574 static int is_tls13_capable(const SSL *s)
1577 #ifndef OPENSSL_NO_EC
1581 #ifndef OPENSSL_NO_PSK
1582 if (s->psk_server_callback != NULL)
1586 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1589 for (i = 0; i < SSL_PKEY_NUM; i++) {
1590 /* Skip over certs disallowed for TLSv1.3 */
1592 case SSL_PKEY_DSA_SIGN:
1593 case SSL_PKEY_GOST01:
1594 case SSL_PKEY_GOST12_256:
1595 case SSL_PKEY_GOST12_512:
1600 if (!ssl_has_cert(s, i))
1602 #ifndef OPENSSL_NO_EC
1603 if (i != SSL_PKEY_ECC)
1606 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1607 * more restrictive so check that our sig algs are consistent with this
1608 * EC cert. See section 4.2.3 of RFC8446.
1610 curve = evp_pkey_get_EC_KEY_curve_nid(s->cert->pkeys[SSL_PKEY_ECC]
1612 if (tls_check_sigalg_curve(s, curve))
1623 * ssl_version_supported - Check that the specified `version` is supported by
1626 * @s: The SSL handle for the candidate method
1627 * @version: Protocol version to test against
1629 * Returns 1 when supported, otherwise 0
1631 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1633 const version_info *vent;
1634 const version_info *table;
1636 switch (s->method->version) {
1638 /* Version should match method version for non-ANY method */
1639 return version_cmp(s, version, s->version) == 0;
1640 case TLS_ANY_VERSION:
1641 table = tls_version_table;
1643 case DTLS_ANY_VERSION:
1644 table = dtls_version_table;
1649 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1651 if (vent->cmeth != NULL
1652 && version_cmp(s, version, vent->version) == 0
1653 && ssl_method_error(s, vent->cmeth()) == 0
1655 || version != TLS1_3_VERSION
1656 || is_tls13_capable(s))) {
1658 *meth = vent->cmeth();
1666 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1667 * fallback indication from a client check whether we're using the highest
1668 * supported protocol version.
1670 * @s server SSL handle.
1672 * Returns 1 when using the highest enabled version, 0 otherwise.
1674 int ssl_check_version_downgrade(SSL *s)
1676 const version_info *vent;
1677 const version_info *table;
1680 * Check that the current protocol is the highest enabled version
1681 * (according to s->ctx->method, as version negotiation may have changed
1684 if (s->version == s->ctx->method->version)
1688 * Apparently we're using a version-flexible SSL_METHOD (not at its
1689 * highest protocol version).
1691 if (s->ctx->method->version == TLS_method()->version)
1692 table = tls_version_table;
1693 else if (s->ctx->method->version == DTLS_method()->version)
1694 table = dtls_version_table;
1696 /* Unexpected state; fail closed. */
1700 for (vent = table; vent->version != 0; ++vent) {
1701 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1702 return s->version == vent->version;
1708 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1709 * protocols, provided the initial (D)TLS method is version-flexible. This
1710 * function sanity-checks the proposed value and makes sure the method is
1711 * version-flexible, then sets the limit if all is well.
1713 * @method_version: The version of the current SSL_METHOD.
1714 * @version: the intended limit.
1715 * @bound: pointer to limit to be updated.
1717 * Returns 1 on success, 0 on failure.
1719 int ssl_set_version_bound(int method_version, int version, int *bound)
1729 valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1731 DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1732 DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1734 if (!valid_tls && !valid_dtls)
1738 * Restrict TLS methods to TLS protocol versions.
1739 * Restrict DTLS methods to DTLS protocol versions.
1740 * Note, DTLS version numbers are decreasing, use comparison macros.
1742 * Note that for both lower-bounds we use explicit versions, not
1743 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1744 * configurations. If the MIN (supported) version ever rises, the user's
1745 * "floor" remains valid even if no longer available. We don't expect the
1746 * MAX ceiling to ever get lower, so making that variable makes sense.
1748 * We ignore attempts to set bounds on version-inflexible methods,
1749 * returning success.
1751 switch (method_version) {
1755 case TLS_ANY_VERSION:
1760 case DTLS_ANY_VERSION:
1768 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1770 if (vers == TLS1_2_VERSION
1771 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1772 *dgrd = DOWNGRADE_TO_1_2;
1773 } else if (!SSL_IS_DTLS(s)
1774 && vers < TLS1_2_VERSION
1776 * We need to ensure that a server that disables TLSv1.2
1777 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1778 * complete handshakes with clients that support TLSv1.2 and
1779 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1780 * enabled and TLSv1.2 is not.
1782 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1783 *dgrd = DOWNGRADE_TO_1_1;
1785 *dgrd = DOWNGRADE_NONE;
1790 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1791 * client HELLO is received to select the final server protocol version and
1792 * the version specific method.
1794 * @s: server SSL handle.
1796 * Returns 0 on success or an SSL error reason number on failure.
1798 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1801 * With version-flexible methods we have an initial state with:
1803 * s->method->version == (D)TLS_ANY_VERSION,
1804 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
1806 * So we detect version-flexible methods via the method version, not the
1809 int server_version = s->method->version;
1810 int client_version = hello->legacy_version;
1811 const version_info *vent;
1812 const version_info *table;
1814 RAW_EXTENSION *suppversions;
1816 s->client_version = client_version;
1818 switch (server_version) {
1820 if (!SSL_IS_TLS13(s)) {
1821 if (version_cmp(s, client_version, s->version) < 0)
1822 return SSL_R_WRONG_SSL_VERSION;
1823 *dgrd = DOWNGRADE_NONE;
1825 * If this SSL handle is not from a version flexible method we don't
1826 * (and never did) check min/max FIPS or Suite B constraints. Hope
1827 * that's OK. It is up to the caller to not choose fixed protocol
1828 * versions they don't want. If not, then easy to fix, just return
1829 * ssl_method_error(s, s->method)
1834 * Fall through if we are TLSv1.3 already (this means we must be after
1835 * a HelloRetryRequest
1838 case TLS_ANY_VERSION:
1839 table = tls_version_table;
1841 case DTLS_ANY_VERSION:
1842 table = dtls_version_table;
1846 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1848 /* If we did an HRR then supported versions is mandatory */
1849 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1850 return SSL_R_UNSUPPORTED_PROTOCOL;
1852 if (suppversions->present && !SSL_IS_DTLS(s)) {
1853 unsigned int candidate_vers = 0;
1854 unsigned int best_vers = 0;
1855 const SSL_METHOD *best_method = NULL;
1856 PACKET versionslist;
1858 suppversions->parsed = 1;
1860 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1861 /* Trailing or invalid data? */
1862 return SSL_R_LENGTH_MISMATCH;
1866 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1867 * The spec only requires servers to check that it isn't SSLv3:
1868 * "Any endpoint receiving a Hello message with
1869 * ClientHello.legacy_version or ServerHello.legacy_version set to
1870 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1871 * We are slightly stricter and require that it isn't SSLv3 or lower.
1872 * We tolerate TLSv1 and TLSv1.1.
1874 if (client_version <= SSL3_VERSION)
1875 return SSL_R_BAD_LEGACY_VERSION;
1877 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1878 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1880 if (ssl_version_supported(s, candidate_vers, &best_method))
1881 best_vers = candidate_vers;
1883 if (PACKET_remaining(&versionslist) != 0) {
1884 /* Trailing data? */
1885 return SSL_R_LENGTH_MISMATCH;
1888 if (best_vers > 0) {
1889 if (s->hello_retry_request != SSL_HRR_NONE) {
1891 * This is after a HelloRetryRequest so we better check that we
1892 * negotiated TLSv1.3
1894 if (best_vers != TLS1_3_VERSION)
1895 return SSL_R_UNSUPPORTED_PROTOCOL;
1898 check_for_downgrade(s, best_vers, dgrd);
1899 s->version = best_vers;
1900 s->method = best_method;
1903 return SSL_R_UNSUPPORTED_PROTOCOL;
1907 * If the supported versions extension isn't present, then the highest
1908 * version we can negotiate is TLSv1.2
1910 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1911 client_version = TLS1_2_VERSION;
1914 * No supported versions extension, so we just use the version supplied in
1917 for (vent = table; vent->version != 0; ++vent) {
1918 const SSL_METHOD *method;
1920 if (vent->smeth == NULL ||
1921 version_cmp(s, client_version, vent->version) < 0)
1923 method = vent->smeth();
1924 if (ssl_method_error(s, method) == 0) {
1925 check_for_downgrade(s, vent->version, dgrd);
1926 s->version = vent->version;
1932 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1936 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1937 * server HELLO is received to select the final client protocol version and
1938 * the version specific method.
1940 * @s: client SSL handle.
1941 * @version: The proposed version from the server's HELLO.
1942 * @extensions: The extensions received
1944 * Returns 1 on success or 0 on error.
1946 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1948 const version_info *vent;
1949 const version_info *table;
1950 int ret, ver_min, ver_max, real_max, origv;
1953 s->version = version;
1955 /* This will overwrite s->version if the extension is present */
1956 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1957 SSL_EXT_TLS1_2_SERVER_HELLO
1958 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1964 if (s->hello_retry_request != SSL_HRR_NONE
1965 && s->version != TLS1_3_VERSION) {
1967 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1968 SSL_R_WRONG_SSL_VERSION);
1972 switch (s->method->version) {
1974 if (s->version != s->method->version) {
1976 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1977 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1978 SSL_R_WRONG_SSL_VERSION);
1982 * If this SSL handle is not from a version flexible method we don't
1983 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1984 * that's OK. It is up to the caller to not choose fixed protocol
1985 * versions they don't want. If not, then easy to fix, just return
1986 * ssl_method_error(s, s->method)
1989 case TLS_ANY_VERSION:
1990 table = tls_version_table;
1992 case DTLS_ANY_VERSION:
1993 table = dtls_version_table;
1997 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
2000 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
2001 SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
2004 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
2005 : s->version < ver_min) {
2007 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
2008 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2010 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
2011 : s->version > ver_max) {
2013 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
2014 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2018 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
2021 /* Check for downgrades */
2022 if (s->version == TLS1_2_VERSION && real_max > s->version) {
2023 if (memcmp(tls12downgrade,
2024 s->s3.server_random + SSL3_RANDOM_SIZE
2025 - sizeof(tls12downgrade),
2026 sizeof(tls12downgrade)) == 0) {
2028 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
2029 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2030 SSL_R_INAPPROPRIATE_FALLBACK);
2033 } else if (!SSL_IS_DTLS(s)
2034 && s->version < TLS1_2_VERSION
2035 && real_max > s->version) {
2036 if (memcmp(tls11downgrade,
2037 s->s3.server_random + SSL3_RANDOM_SIZE
2038 - sizeof(tls11downgrade),
2039 sizeof(tls11downgrade)) == 0) {
2041 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
2042 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2043 SSL_R_INAPPROPRIATE_FALLBACK);
2048 for (vent = table; vent->version != 0; ++vent) {
2049 if (vent->cmeth == NULL || s->version != vent->version)
2052 s->method = vent->cmeth();
2057 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2058 SSL_R_UNSUPPORTED_PROTOCOL);
2063 * ssl_get_min_max_version - get minimum and maximum protocol version
2064 * @s: The SSL connection
2065 * @min_version: The minimum supported version
2066 * @max_version: The maximum supported version
2067 * @real_max: The highest version below the lowest compile time version hole
2068 * where that hole lies above at least one run-time enabled
2071 * Work out what version we should be using for the initial ClientHello if the
2072 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2073 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2074 * constraints and any floor imposed by the security level here,
2075 * so we don't advertise the wrong protocol version to only reject the outcome later.
2077 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2078 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2079 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2081 * Returns 0 on success or an SSL error reason number on failure. On failure
2082 * min_version and max_version will also be set to 0.
2084 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2087 int version, tmp_real_max;
2089 const SSL_METHOD *single = NULL;
2090 const SSL_METHOD *method;
2091 const version_info *table;
2092 const version_info *vent;
2094 switch (s->method->version) {
2097 * If this SSL handle is not from a version flexible method we don't
2098 * (and never did) check min/max FIPS or Suite B constraints. Hope
2099 * that's OK. It is up to the caller to not choose fixed protocol
2100 * versions they don't want. If not, then easy to fix, just return
2101 * ssl_method_error(s, s->method)
2103 *min_version = *max_version = s->version;
2105 * Providing a real_max only makes sense where we're using a version
2108 if (!ossl_assert(real_max == NULL))
2109 return ERR_R_INTERNAL_ERROR;
2111 case TLS_ANY_VERSION:
2112 table = tls_version_table;
2114 case DTLS_ANY_VERSION:
2115 table = dtls_version_table;
2120 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2121 * below X enabled. This is required in order to maintain the "version
2122 * capability" vector contiguous. Any versions with a NULL client method
2123 * (protocol version client is disabled at compile-time) is also a "hole".
2125 * Our initial state is hole == 1, version == 0. That is, versions above
2126 * the first version in the method table are disabled (a "hole" above
2127 * the valid protocol entries) and we don't have a selected version yet.
2129 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2130 * the selected version, and the method becomes a candidate "single"
2131 * method. We're no longer in a hole, so "hole" becomes 0.
2133 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2134 * as we support a contiguous range of at least two methods. If we hit
2135 * a disabled method, then hole becomes true again, but nothing else
2136 * changes yet, because all the remaining methods may be disabled too.
2137 * If we again hit an enabled method after the new hole, it becomes
2138 * selected, as we start from scratch.
2140 *min_version = version = 0;
2142 if (real_max != NULL)
2145 for (vent = table; vent->version != 0; ++vent) {
2147 * A table entry with a NULL client method is still a hole in the
2148 * "version capability" vector.
2150 if (vent->cmeth == NULL) {
2155 method = vent->cmeth();
2157 if (hole == 1 && tmp_real_max == 0)
2158 tmp_real_max = vent->version;
2160 if (ssl_method_error(s, method) != 0) {
2164 *min_version = method->version;
2166 if (real_max != NULL && tmp_real_max != 0)
2167 *real_max = tmp_real_max;
2168 version = (single = method)->version;
2169 *min_version = version;
2174 *max_version = version;
2176 /* Fail if everything is disabled */
2178 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2184 * ssl_set_client_hello_version - Work out what version we should be using for
2185 * the initial ClientHello.legacy_version field.
2187 * @s: client SSL handle.
2189 * Returns 0 on success or an SSL error reason number on failure.
2191 int ssl_set_client_hello_version(SSL *s)
2193 int ver_min, ver_max, ret;
2196 * In a renegotiation we always send the same client_version that we sent
2197 * last time, regardless of which version we eventually negotiated.
2199 if (!SSL_IS_FIRST_HANDSHAKE(s))
2202 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2207 s->version = ver_max;
2209 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2210 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2211 ver_max = TLS1_2_VERSION;
2213 s->client_version = ver_max;
2218 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2219 * and |checkallow| is 1 then additionally check if the group is allowed to be
2220 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2221 * 1) or 0 otherwise.
2223 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2224 size_t num_groups, int checkallow)
2228 if (groups == NULL || num_groups == 0)
2231 for (i = 0; i < num_groups; i++) {
2232 uint16_t group = groups[i];
2234 if (group_id == group
2236 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2244 /* Replace ClientHello1 in the transcript hash with a synthetic message */
2245 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2246 size_t hashlen, const unsigned char *hrr,
2249 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2250 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2252 memset(msghdr, 0, sizeof(msghdr));
2254 if (hashval == NULL) {
2255 hashval = hashvaltmp;
2257 /* Get the hash of the initial ClientHello */
2258 if (!ssl3_digest_cached_records(s, 0)
2259 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2261 /* SSLfatal() already called */
2266 /* Reinitialise the transcript hash */
2267 if (!ssl3_init_finished_mac(s)) {
2268 /* SSLfatal() already called */
2272 /* Inject the synthetic message_hash message */
2273 msghdr[0] = SSL3_MT_MESSAGE_HASH;
2274 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2275 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2276 || !ssl3_finish_mac(s, hashval, hashlen)) {
2277 /* SSLfatal() already called */
2282 * Now re-inject the HRR and current message if appropriate (we just deleted
2283 * it when we reinitialised the transcript hash above). Only necessary after
2284 * receiving a ClientHello2 with a cookie.
2287 && (!ssl3_finish_mac(s, hrr, hrrlen)
2288 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2289 s->s3.tmp.message_size
2290 + SSL3_HM_HEADER_LENGTH))) {
2291 /* SSLfatal() already called */
2298 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2300 return X509_NAME_cmp(*a, *b);
2303 int parse_ca_names(SSL *s, PACKET *pkt)
2305 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2306 X509_NAME *xn = NULL;
2309 if (ca_sk == NULL) {
2310 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2311 ERR_R_MALLOC_FAILURE);
2314 /* get the CA RDNs */
2315 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2316 SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
2317 SSL_R_LENGTH_MISMATCH);
2321 while (PACKET_remaining(&cadns)) {
2322 const unsigned char *namestart, *namebytes;
2323 unsigned int name_len;
2325 if (!PACKET_get_net_2(&cadns, &name_len)
2326 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2327 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2328 SSL_R_LENGTH_MISMATCH);
2332 namestart = namebytes;
2333 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2334 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2338 if (namebytes != (namestart + name_len)) {
2339 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2340 SSL_R_CA_DN_LENGTH_MISMATCH);
2344 if (!sk_X509_NAME_push(ca_sk, xn)) {
2345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2346 ERR_R_MALLOC_FAILURE);
2352 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2353 s->s3.tmp.peer_ca_names = ca_sk;
2358 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2363 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2365 const STACK_OF(X509_NAME) *ca_sk = NULL;;
2368 ca_sk = SSL_get_client_CA_list(s);
2369 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2374 ca_sk = SSL_get0_CA_list(s);
2379 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2381 /* Start sub-packet for client CA list */
2382 if (!WPACKET_start_sub_packet_u16(pkt)) {
2383 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2384 ERR_R_INTERNAL_ERROR);
2388 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
2391 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2392 unsigned char *namebytes;
2393 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2397 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2398 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2400 || i2d_X509_NAME(name, &namebytes) != namelen) {
2401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2402 ERR_R_INTERNAL_ERROR);
2408 if (!WPACKET_close(pkt)) {
2409 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2410 ERR_R_INTERNAL_ERROR);
2417 /* Create a buffer containing data to be signed for server key exchange */
2418 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2419 const void *param, size_t paramlen)
2421 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2422 unsigned char *tbs = OPENSSL_malloc(tbslen);
2425 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
2426 ERR_R_MALLOC_FAILURE);
2429 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2430 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2432 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2439 * Saves the current handshake digest for Post-Handshake Auth,
2440 * Done after ClientFinished is processed, done exactly once
2442 int tls13_save_handshake_digest_for_pha(SSL *s)
2444 if (s->pha_dgst == NULL) {
2445 if (!ssl3_digest_cached_records(s, 1))
2446 /* SSLfatal() already called */
2449 s->pha_dgst = EVP_MD_CTX_new();
2450 if (s->pha_dgst == NULL) {
2451 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2452 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2453 ERR_R_INTERNAL_ERROR);
2456 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2457 s->s3.handshake_dgst)) {
2458 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2459 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2460 ERR_R_INTERNAL_ERROR);
2468 * Restores the Post-Handshake Auth handshake digest
2469 * Done just before sending/processing the Cert Request
2471 int tls13_restore_handshake_digest_for_pha(SSL *s)
2473 if (s->pha_dgst == NULL) {
2474 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2475 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2476 ERR_R_INTERNAL_ERROR);
2479 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2481 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2482 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2483 ERR_R_INTERNAL_ERROR);