* enabled. For clients we do this check during construction of the
* ClientHello.
*/
- if (ssl_get_min_max_version(s, &ver_min, &ver_max) != 0) {
+ if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
ERR_R_INTERNAL_ERROR);
return 0;
*hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
} else {
size_t retlen;
+ long retlen_l;
- retlen = BIO_get_mem_data(s->s3->handshake_buffer, hdata);
- if (retlen <= 0) {
+ retlen = retlen_l = BIO_get_mem_data(s->s3->handshake_buffer, hdata);
+ if (retlen_l <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
ERR_R_INTERNAL_ERROR);
return 0;
/*
* If we get a request for us to update our sending keys too then, we need
* to additionally send a KeyUpdate message. However that message should
- * not also request an update (otherwise we get into an infinite loop).
+ * not also request an update (otherwise we get into an infinite loop). We
+ * ignore a request for us to update our sending keys too if we already
+ * sent close_notify.
*/
- if (updatetype == SSL_KEY_UPDATE_REQUESTED)
+ if (updatetype == SSL_KEY_UPDATE_REQUESTED
+ && (s->shutdown & SSL_SENT_SHUTDOWN) == 0)
s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
if (!tls13_update_key(s, 0)) {
/*
* Only called by servers. Returns 1 if the server has a TLSv1.3 capable
- * certificate type, or has PSK configured. Otherwise returns 0.
+ * certificate type, or has PSK or a certificate callback configured. Otherwise
+ * returns 0.
*/
static int is_tls13_capable(const SSL *s)
{
return 1;
#endif
- if (s->psk_find_session_cb != NULL)
+ if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
return 1;
for (i = 0; i < SSL_PKEY_NUM; i++) {
if (vers == TLS1_2_VERSION
&& ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
*dgrd = DOWNGRADE_TO_1_2;
- } else if (!SSL_IS_DTLS(s) && vers < TLS1_2_VERSION
- && (ssl_version_supported(s, TLS1_2_VERSION, NULL)
- || ssl_version_supported(s, TLS1_3_VERSION, NULL))) {
+ } else if (!SSL_IS_DTLS(s)
+ && vers < TLS1_2_VERSION
+ /*
+ * We need to ensure that a server that disables TLSv1.2
+ * (creating a hole between TLSv1.3 and TLSv1.1) can still
+ * complete handshakes with clients that support TLSv1.2 and
+ * below. Therefore we do not enable the sentinel if TLSv1.3 is
+ * enabled and TLSv1.2 is not.
+ */
+ && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
*dgrd = DOWNGRADE_TO_1_1;
} else {
*dgrd = DOWNGRADE_NONE;
unsigned int best_vers = 0;
const SSL_METHOD *best_method = NULL;
PACKET versionslist;
- /* TODO(TLS1.3): Remove this before release */
- unsigned int orig_candidate = 0;
suppversions->parsed = 1;
return SSL_R_BAD_LEGACY_VERSION;
while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
- /* TODO(TLS1.3): Remove this before release */
- if (candidate_vers == TLS1_3_VERSION_DRAFT
- || candidate_vers == TLS1_3_VERSION_DRAFT_27
- || candidate_vers == TLS1_3_VERSION_DRAFT_26) {
- if (best_vers == TLS1_3_VERSION
- && orig_candidate > candidate_vers)
- continue;
- orig_candidate = candidate_vers;
- candidate_vers = TLS1_3_VERSION;
- } else if (candidate_vers == TLS1_3_VERSION) {
- /* Don't actually accept real TLSv1.3 */
- continue;
- }
- /*
- * TODO(TLS1.3): There is some discussion on the TLS list about
- * whether to ignore versions <TLS1.2 in supported_versions. At the
- * moment we honour them if present. To be reviewed later
- */
if (version_cmp(s, candidate_vers, best_vers) <= 0)
continue;
if (ssl_version_supported(s, candidate_vers, &best_method))
}
check_for_downgrade(s, best_vers, dgrd);
s->version = best_vers;
- /* TODO(TLS1.3): Remove this before release */
- if (best_vers == TLS1_3_VERSION)
- s->version_draft = orig_candidate;
s->method = best_method;
return 0;
}
{
const version_info *vent;
const version_info *table;
- int highver = 0;
- int origv;
+ int ret, ver_min, ver_max, real_max, origv;
origv = s->version;
s->version = version;
break;
}
- for (vent = table; vent->version != 0; ++vent) {
- const SSL_METHOD *method;
- int err;
-
- if (vent->cmeth == NULL)
- continue;
-
- if (highver != 0 && s->version != vent->version)
- continue;
-
- if (highver == 0 && (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) != 0)
- highver = vent->version;
+ ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
+ if (ret != 0) {
+ s->version = origv;
+ SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
+ SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
+ return 0;
+ }
+ if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
+ : s->version < ver_min) {
+ s->version = origv;
+ SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
+ SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
+ return 0;
+ } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
+ : s->version > ver_max) {
+ s->version = origv;
+ SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
+ SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
+ return 0;
+ }
- method = vent->cmeth();
- err = ssl_method_error(s, method);
- if (err != 0) {
- if (s->version == vent->version) {
- s->version = origv;
- SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
- SSL_F_SSL_CHOOSE_CLIENT_VERSION, err);
- return 0;
- }
+ if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
+ real_max = ver_max;
- continue;
+ /* Check for downgrades */
+ if (s->version == TLS1_2_VERSION && real_max > s->version) {
+ if (memcmp(tls12downgrade,
+ s->s3->server_random + SSL3_RANDOM_SIZE
+ - sizeof(tls12downgrade),
+ sizeof(tls12downgrade)) == 0) {
+ s->version = origv;
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
+ SSL_F_SSL_CHOOSE_CLIENT_VERSION,
+ SSL_R_INAPPROPRIATE_FALLBACK);
+ return 0;
}
- if (highver == 0)
- highver = vent->version;
+ } else if (!SSL_IS_DTLS(s)
+ && s->version < TLS1_2_VERSION
+ && real_max > s->version) {
+ if (memcmp(tls11downgrade,
+ s->s3->server_random + SSL3_RANDOM_SIZE
+ - sizeof(tls11downgrade),
+ sizeof(tls11downgrade)) == 0) {
+ s->version = origv;
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
+ SSL_F_SSL_CHOOSE_CLIENT_VERSION,
+ SSL_R_INAPPROPRIATE_FALLBACK);
+ return 0;
+ }
+ }
- if (s->version != vent->version)
+ for (vent = table; vent->version != 0; ++vent) {
+ if (vent->cmeth == NULL || s->version != vent->version)
continue;
-#ifndef OPENSSL_NO_TLS13DOWNGRADE
- /* Check for downgrades */
- if (s->version == TLS1_2_VERSION && highver > s->version) {
- if (memcmp(tls12downgrade,
- s->s3->server_random + SSL3_RANDOM_SIZE
- - sizeof(tls12downgrade),
- sizeof(tls12downgrade)) == 0) {
- s->version = origv;
- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
- SSL_F_SSL_CHOOSE_CLIENT_VERSION,
- SSL_R_INAPPROPRIATE_FALLBACK);
- return 0;
- }
- } else if (!SSL_IS_DTLS(s)
- && s->version < TLS1_2_VERSION
- && highver > s->version) {
- if (memcmp(tls11downgrade,
- s->s3->server_random + SSL3_RANDOM_SIZE
- - sizeof(tls11downgrade),
- sizeof(tls11downgrade)) == 0) {
- s->version = origv;
- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
- SSL_F_SSL_CHOOSE_CLIENT_VERSION,
- SSL_R_INAPPROPRIATE_FALLBACK);
- return 0;
- }
- }
-#endif
-
- s->method = method;
+ s->method = vent->cmeth();
return 1;
}
* @s: The SSL connection
* @min_version: The minimum supported version
* @max_version: The maximum supported version
+ * @real_max: The highest version below the lowest compile time version hole
+ * where that hole lies above at least one run-time enabled
+ * protocol.
*
* Work out what version we should be using for the initial ClientHello if the
* version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
* Returns 0 on success or an SSL error reason number on failure. On failure
* min_version and max_version will also be set to 0.
*/
-int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version)
+int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
+ int *real_max)
{
- int version;
+ int version, tmp_real_max;
int hole;
const SSL_METHOD *single = NULL;
const SSL_METHOD *method;
* ssl_method_error(s, s->method)
*/
*min_version = *max_version = s->version;
+ /*
+ * Providing a real_max only makes sense where we're using a version
+ * flexible method.
+ */
+ if (!ossl_assert(real_max == NULL))
+ return ERR_R_INTERNAL_ERROR;
return 0;
case TLS_ANY_VERSION:
table = tls_version_table;
*/
*min_version = version = 0;
hole = 1;
+ if (real_max != NULL)
+ *real_max = 0;
+ tmp_real_max = 0;
for (vent = table; vent->version != 0; ++vent) {
/*
* A table entry with a NULL client method is still a hole in the
*/
if (vent->cmeth == NULL) {
hole = 1;
+ tmp_real_max = 0;
continue;
}
method = vent->cmeth();
+
+ if (hole == 1 && tmp_real_max == 0)
+ tmp_real_max = vent->version;
+
if (ssl_method_error(s, method) != 0) {
hole = 1;
} else if (!hole) {
single = NULL;
*min_version = method->version;
} else {
+ if (real_max != NULL && tmp_real_max != 0)
+ *real_max = tmp_real_max;
version = (single = method)->version;
*min_version = version;
hole = 0;
if (!SSL_IS_FIRST_HANDSHAKE(s))
return 0;
- ret = ssl_get_min_max_version(s, &ver_min, &ver_max);
+ ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
if (ret != 0)
return ret;