2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include "internal/evp.h"
18 #include <openssl/buffer.h>
19 #include <openssl/objects.h>
20 #include <openssl/evp.h>
21 #include <openssl/x509.h>
22 #include <openssl/trace.h>
25 DEFINE_STACK_OF(X509_NAME)
26 DEFINE_STACK_OF_CONST(SSL_CIPHER)
29 * Map error codes to TLS/SSL alart types.
31 typedef struct x509err2alert_st {
36 /* Fixed value used in the ServerHello random field to identify an HRR */
37 const unsigned char hrrrandom[] = {
38 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
39 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
40 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
44 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
45 * SSL3_RT_CHANGE_CIPHER_SPEC)
47 int ssl3_do_write(SSL *s, int type)
52 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
53 s->init_num, &written);
56 if (type == SSL3_RT_HANDSHAKE)
58 * should not be done for 'Hello Request's, but in that case we'll
59 * ignore the result anyway
60 * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
62 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
63 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
64 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
65 if (!ssl3_finish_mac(s,
66 (unsigned char *)&s->init_buf->data[s->init_off],
69 if (written == s->init_num) {
71 s->msg_callback(1, s->version, type, s->init_buf->data,
72 (size_t)(s->init_off + s->init_num), s,
76 s->init_off += written;
77 s->init_num -= written;
81 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
85 if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
86 || !WPACKET_get_length(pkt, &msglen)
89 s->init_num = (int)msglen;
95 int tls_setup_handshake(SSL *s)
97 if (!ssl3_init_finished_mac(s)) {
98 /* SSLfatal() already called */
102 /* Reset any extension flags */
103 memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
106 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
107 int i, ver_min, ver_max, ok = 0;
110 * Sanity check that the maximum version we accept has ciphers
111 * enabled. For clients we do this check during construction of the
114 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
115 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
116 ERR_R_INTERNAL_ERROR);
119 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
120 const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
122 if (SSL_IS_DTLS(s)) {
123 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
124 DTLS_VERSION_LE(ver_max, c->max_dtls))
126 } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
133 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
134 SSL_R_NO_CIPHERS_AVAILABLE);
135 ERR_add_error_data(1, "No ciphers enabled for max supported "
139 if (SSL_IS_FIRST_HANDSHAKE(s)) {
140 /* N.B. s->session_ctx == s->ctx here */
141 tsan_counter(&s->session_ctx->stats.sess_accept);
143 /* N.B. s->ctx may not equal s->session_ctx */
144 tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
146 s->s3.tmp.cert_request = 0;
149 if (SSL_IS_FIRST_HANDSHAKE(s))
150 tsan_counter(&s->session_ctx->stats.sess_connect);
152 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
154 /* mark client_random uninitialized */
155 memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
158 s->s3.tmp.cert_req = 0;
161 s->statem.use_timer = 1;
168 * Size of the to-be-signed TLS13 data, without the hash size itself:
169 * 64 bytes of value 32, 33 context bytes, 1 byte separator
171 #define TLS13_TBS_START_SIZE 64
172 #define TLS13_TBS_PREAMBLE_SIZE (TLS13_TBS_START_SIZE + 33 + 1)
174 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
175 void **hdata, size_t *hdatalen)
177 #ifdef CHARSET_EBCDIC
178 static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
179 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
180 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
181 0x69, 0x66, 0x79, 0x00 };
182 static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
183 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
184 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
185 0x69, 0x66, 0x79, 0x00 };
187 static const char servercontext[] = "TLS 1.3, server CertificateVerify";
188 static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
190 if (SSL_IS_TLS13(s)) {
193 /* Set the first 64 bytes of to-be-signed data to octet 32 */
194 memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
195 /* This copies the 33 bytes of context plus the 0 separator byte */
196 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
197 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
198 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
200 strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
203 * If we're currently reading then we need to use the saved handshake
204 * hash value. We can't use the current handshake hash state because
205 * that includes the CertVerify itself.
207 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
208 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
209 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
210 s->cert_verify_hash_len);
211 hashlen = s->cert_verify_hash_len;
212 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
213 EVP_MAX_MD_SIZE, &hashlen)) {
214 /* SSLfatal() already called */
219 *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
224 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
226 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
227 ERR_R_INTERNAL_ERROR);
236 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
238 EVP_PKEY *pkey = NULL;
239 const EVP_MD *md = NULL;
240 EVP_MD_CTX *mctx = NULL;
241 EVP_PKEY_CTX *pctx = NULL;
242 size_t hdatalen = 0, siglen = 0;
244 unsigned char *sig = NULL;
245 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
246 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
248 if (lu == NULL || s->s3.tmp.cert == NULL) {
249 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
250 ERR_R_INTERNAL_ERROR);
253 pkey = s->s3.tmp.cert->privatekey;
255 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
256 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
257 ERR_R_INTERNAL_ERROR);
261 mctx = EVP_MD_CTX_new();
263 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
264 ERR_R_MALLOC_FAILURE);
268 /* Get the data to be signed */
269 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
270 /* SSLfatal() already called */
274 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
275 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
276 ERR_R_INTERNAL_ERROR);
280 if (EVP_DigestSignInit_ex(mctx, &pctx,
281 md == NULL ? NULL : EVP_MD_name(md),
282 s->ctx->propq, pkey, s->ctx->libctx) <= 0) {
283 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
288 if (lu->sig == EVP_PKEY_RSA_PSS) {
289 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
290 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
291 RSA_PSS_SALTLEN_DIGEST) <= 0) {
292 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
297 if (s->version == SSL3_VERSION) {
299 * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
300 * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
302 if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
304 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
305 * with a call to ssl3_digest_master_key_set_params()
307 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
308 (int)s->session->master_key_length,
309 s->session->master_key) <= 0
310 || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
312 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
316 sig = OPENSSL_malloc(siglen);
318 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
319 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
325 * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
326 * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
328 if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
329 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
333 sig = OPENSSL_malloc(siglen);
335 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
336 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
342 #ifndef OPENSSL_NO_GOST
344 int pktype = lu->sig;
346 if (pktype == NID_id_GostR3410_2001
347 || pktype == NID_id_GostR3410_2012_256
348 || pktype == NID_id_GostR3410_2012_512)
349 BUF_reverse(sig, NULL, siglen);
353 if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
355 ERR_R_INTERNAL_ERROR);
359 /* Digest cached records and discard handshake buffer */
360 if (!ssl3_digest_cached_records(s, 0)) {
361 /* SSLfatal() already called */
366 EVP_MD_CTX_free(mctx);
370 EVP_MD_CTX_free(mctx);
374 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
376 EVP_PKEY *pkey = NULL;
377 const unsigned char *data;
378 #ifndef OPENSSL_NO_GOST
379 unsigned char *gost_data = NULL;
381 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
385 const EVP_MD *md = NULL;
388 unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
389 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
390 EVP_PKEY_CTX *pctx = NULL;
393 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
394 ERR_R_MALLOC_FAILURE);
398 peer = s->session->peer;
399 pkey = X509_get0_pubkey(peer);
401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
402 ERR_R_INTERNAL_ERROR);
406 if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
407 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
408 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
412 if (SSL_USE_SIGALGS(s)) {
415 if (!PACKET_get_net_2(pkt, &sigalg)) {
416 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
420 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
421 /* SSLfatal() already called */
424 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
425 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
426 ERR_R_INTERNAL_ERROR);
430 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
431 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
432 ERR_R_INTERNAL_ERROR);
436 if (SSL_USE_SIGALGS(s))
437 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
438 md == NULL ? "n/a" : EVP_MD_name(md));
440 /* Check for broken implementations of GOST ciphersuites */
442 * If key is GOST and len is exactly 64 or 128, it is signature without
443 * length field (CryptoPro implementations at least till TLS 1.2)
445 #ifndef OPENSSL_NO_GOST
446 if (!SSL_USE_SIGALGS(s)
447 && ((PACKET_remaining(pkt) == 64
448 && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
449 || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
450 || (PACKET_remaining(pkt) == 128
451 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
452 len = PACKET_remaining(pkt);
455 if (!PACKET_get_net_2(pkt, &len)) {
456 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
457 SSL_R_LENGTH_MISMATCH);
461 if (!PACKET_get_bytes(pkt, &data, len)) {
462 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
463 SSL_R_LENGTH_MISMATCH);
467 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
468 /* SSLfatal() already called */
472 OSSL_TRACE1(TLS, "Using client verify alg %s\n",
473 md == NULL ? "n/a" : EVP_MD_name(md));
475 if (EVP_DigestVerifyInit_ex(mctx, &pctx,
476 md == NULL ? NULL : EVP_MD_name(md),
477 s->ctx->propq, pkey, s->ctx->libctx) <= 0) {
478 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
482 #ifndef OPENSSL_NO_GOST
484 int pktype = EVP_PKEY_id(pkey);
485 if (pktype == NID_id_GostR3410_2001
486 || pktype == NID_id_GostR3410_2012_256
487 || pktype == NID_id_GostR3410_2012_512) {
488 if ((gost_data = OPENSSL_malloc(len)) == NULL) {
489 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
490 SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
493 BUF_reverse(gost_data, data, len);
499 if (SSL_USE_PSS(s)) {
500 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
501 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
502 RSA_PSS_SALTLEN_DIGEST) <= 0) {
503 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
508 if (s->version == SSL3_VERSION) {
510 * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated
511 * with a call to ssl3_digest_master_key_set_params()
513 if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
514 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
515 (int)s->session->master_key_length,
516 s->session->master_key) <= 0) {
517 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
521 if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
522 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
523 SSL_R_BAD_SIGNATURE);
527 j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
529 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
530 SSL_R_BAD_SIGNATURE);
536 * In TLSv1.3 on the client side we make sure we prepare the client
537 * certificate after the CertVerify instead of when we get the
538 * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
539 * comes *before* the Certificate message. In TLSv1.2 it comes after. We
540 * want to make sure that SSL_get_peer_certificate() will return the actual
541 * server certificate from the client_cert_cb callback.
543 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
544 ret = MSG_PROCESS_CONTINUE_PROCESSING;
546 ret = MSG_PROCESS_CONTINUE_READING;
548 BIO_free(s->s3.handshake_buffer);
549 s->s3.handshake_buffer = NULL;
550 EVP_MD_CTX_free(mctx);
551 #ifndef OPENSSL_NO_GOST
552 OPENSSL_free(gost_data);
557 int tls_construct_finished(SSL *s, WPACKET *pkt)
559 size_t finish_md_len;
563 /* This is a real handshake so make sure we clean it up at the end */
564 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
565 s->statem.cleanuphand = 1;
568 * We only change the keys if we didn't already do this when we sent the
573 && s->s3.tmp.cert_req == 0
574 && (!s->method->ssl3_enc->change_cipher_state(s,
575 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
576 /* SSLfatal() already called */
581 sender = s->method->ssl3_enc->server_finished_label;
582 slen = s->method->ssl3_enc->server_finished_label_len;
584 sender = s->method->ssl3_enc->client_finished_label;
585 slen = s->method->ssl3_enc->client_finished_label_len;
588 finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
590 s->s3.tmp.finish_md);
591 if (finish_md_len == 0) {
592 /* SSLfatal() already called */
596 s->s3.tmp.finish_md_len = finish_md_len;
598 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
599 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
600 ERR_R_INTERNAL_ERROR);
605 * Log the master secret, if logging is enabled. We don't log it for
606 * TLSv1.3: there's a different key schedule for that.
608 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
609 s->session->master_key,
610 s->session->master_key_length)) {
611 /* SSLfatal() already called */
616 * Copy the finished so we can use it for renegotiation checks
618 if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
619 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
620 ERR_R_INTERNAL_ERROR);
624 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
626 s->s3.previous_client_finished_len = finish_md_len;
628 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
630 s->s3.previous_server_finished_len = finish_md_len;
636 int tls_construct_key_update(SSL *s, WPACKET *pkt)
638 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
639 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
640 ERR_R_INTERNAL_ERROR);
644 s->key_update = SSL_KEY_UPDATE_NONE;
648 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
650 unsigned int updatetype;
653 * A KeyUpdate message signals a key change so the end of the message must
654 * be on a record boundary.
656 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
657 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
658 SSL_R_NOT_ON_RECORD_BOUNDARY);
659 return MSG_PROCESS_ERROR;
662 if (!PACKET_get_1(pkt, &updatetype)
663 || PACKET_remaining(pkt) != 0) {
664 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
665 SSL_R_BAD_KEY_UPDATE);
666 return MSG_PROCESS_ERROR;
670 * There are only two defined key update types. Fail if we get a value we
673 if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
674 && updatetype != SSL_KEY_UPDATE_REQUESTED) {
675 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
676 SSL_R_BAD_KEY_UPDATE);
677 return MSG_PROCESS_ERROR;
681 * If we get a request for us to update our sending keys too then, we need
682 * to additionally send a KeyUpdate message. However that message should
683 * not also request an update (otherwise we get into an infinite loop).
685 if (updatetype == SSL_KEY_UPDATE_REQUESTED)
686 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
688 if (!tls13_update_key(s, 0)) {
689 /* SSLfatal() already called */
690 return MSG_PROCESS_ERROR;
693 return MSG_PROCESS_FINISHED_READING;
697 * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
700 int ssl3_take_mac(SSL *s)
706 sender = s->method->ssl3_enc->server_finished_label;
707 slen = s->method->ssl3_enc->server_finished_label_len;
709 sender = s->method->ssl3_enc->client_finished_label;
710 slen = s->method->ssl3_enc->client_finished_label_len;
713 s->s3.tmp.peer_finish_md_len =
714 s->method->ssl3_enc->final_finish_mac(s, sender, slen,
715 s->s3.tmp.peer_finish_md);
717 if (s->s3.tmp.peer_finish_md_len == 0) {
718 /* SSLfatal() already called */
725 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
729 remain = PACKET_remaining(pkt);
731 * 'Change Cipher Spec' is just a single byte, which should already have
732 * been consumed by ssl_get_message() so there should be no bytes left,
733 * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
735 if (SSL_IS_DTLS(s)) {
736 if ((s->version == DTLS1_BAD_VER
737 && remain != DTLS1_CCS_HEADER_LENGTH + 1)
738 || (s->version != DTLS1_BAD_VER
739 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
740 SSLfatal(s, SSL_AD_DECODE_ERROR,
741 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
742 SSL_R_BAD_CHANGE_CIPHER_SPEC);
743 return MSG_PROCESS_ERROR;
747 SSLfatal(s, SSL_AD_DECODE_ERROR,
748 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
749 SSL_R_BAD_CHANGE_CIPHER_SPEC);
750 return MSG_PROCESS_ERROR;
754 /* Check we have a cipher to change to */
755 if (s->s3.tmp.new_cipher == NULL) {
756 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
757 SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
758 return MSG_PROCESS_ERROR;
761 s->s3.change_cipher_spec = 1;
762 if (!ssl3_do_change_cipher_spec(s)) {
763 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
764 ERR_R_INTERNAL_ERROR);
765 return MSG_PROCESS_ERROR;
768 if (SSL_IS_DTLS(s)) {
769 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
771 if (s->version == DTLS1_BAD_VER)
772 s->d1->handshake_read_seq++;
774 #ifndef OPENSSL_NO_SCTP
776 * Remember that a CCS has been received, so that an old key of
777 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
780 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
784 return MSG_PROCESS_CONTINUE_READING;
787 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
792 /* This is a real handshake so make sure we clean it up at the end */
795 * To get this far we must have read encrypted data from the client. We
796 * no longer tolerate unencrypted alerts. This value is ignored if less
799 s->statem.enc_read_state = ENC_READ_STATE_VALID;
800 if (s->post_handshake_auth != SSL_PHA_REQUESTED)
801 s->statem.cleanuphand = 1;
802 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
803 /* SSLfatal() already called */
804 return MSG_PROCESS_ERROR;
809 * In TLSv1.3 a Finished message signals a key change so the end of the
810 * message must be on a record boundary.
812 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
813 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
814 SSL_R_NOT_ON_RECORD_BOUNDARY);
815 return MSG_PROCESS_ERROR;
818 /* If this occurs, we have missed a message */
819 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
820 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
821 SSL_R_GOT_A_FIN_BEFORE_A_CCS);
822 return MSG_PROCESS_ERROR;
824 s->s3.change_cipher_spec = 0;
826 md_len = s->s3.tmp.peer_finish_md_len;
828 if (md_len != PACKET_remaining(pkt)) {
829 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
830 SSL_R_BAD_DIGEST_LENGTH);
831 return MSG_PROCESS_ERROR;
834 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
836 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
837 SSL_R_DIGEST_CHECK_FAILED);
838 return MSG_PROCESS_ERROR;
842 * Copy the finished so we can use it for renegotiation checks
844 if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
845 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
846 ERR_R_INTERNAL_ERROR);
847 return MSG_PROCESS_ERROR;
850 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
852 s->s3.previous_client_finished_len = md_len;
854 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
856 s->s3.previous_server_finished_len = md_len;
860 * In TLS1.3 we also have to change cipher state and do any final processing
861 * of the initial server flight (if we are a client)
863 if (SSL_IS_TLS13(s)) {
865 if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
866 !s->method->ssl3_enc->change_cipher_state(s,
867 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
868 /* SSLfatal() already called */
869 return MSG_PROCESS_ERROR;
872 /* TLS 1.3 gets the secret size from the handshake md */
874 if (!s->method->ssl3_enc->generate_master_secret(s,
875 s->master_secret, s->handshake_secret, 0,
877 /* SSLfatal() already called */
878 return MSG_PROCESS_ERROR;
880 if (!s->method->ssl3_enc->change_cipher_state(s,
881 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
882 /* SSLfatal() already called */
883 return MSG_PROCESS_ERROR;
885 if (!tls_process_initial_server_flight(s)) {
886 /* SSLfatal() already called */
887 return MSG_PROCESS_ERROR;
892 return MSG_PROCESS_FINISHED_READING;
895 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
897 if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
898 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
899 SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
906 /* Add a certificate to the WPACKET */
907 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
910 unsigned char *outbytes;
912 len = i2d_X509(x, NULL);
914 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
918 if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
919 || i2d_X509(x, &outbytes) != len) {
920 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
921 ERR_R_INTERNAL_ERROR);
926 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
928 /* SSLfatal() already called */
935 /* Add certificate chain to provided WPACKET */
936 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
940 STACK_OF(X509) *extra_certs;
941 STACK_OF(X509) *chain = NULL;
942 X509_STORE *chain_store;
944 if (cpk == NULL || cpk->x509 == NULL)
950 * If we have a certificate specific chain use it, else use parent ctx.
952 if (cpk->chain != NULL)
953 extra_certs = cpk->chain;
955 extra_certs = s->ctx->extra_certs;
957 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
959 else if (s->cert->chain_store)
960 chain_store = s->cert->chain_store;
962 chain_store = s->ctx->cert_store;
964 if (chain_store != NULL) {
965 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_with_libctx(s->ctx->libctx,
968 if (xs_ctx == NULL) {
969 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
970 ERR_R_MALLOC_FAILURE);
973 if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
974 X509_STORE_CTX_free(xs_ctx);
975 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
980 * It is valid for the chain not to be complete (because normally we
981 * don't include the root cert in the chain). Therefore we deliberately
982 * ignore the error return from this call. We're not actually verifying
983 * the cert - we're just building as much of the chain as we can
985 (void)X509_verify_cert(xs_ctx);
986 /* Don't leave errors in the queue */
988 chain = X509_STORE_CTX_get0_chain(xs_ctx);
989 i = ssl_security_cert_chain(s, chain, NULL, 0);
992 /* Dummy error calls so mkerr generates them */
993 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
994 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
995 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
997 X509_STORE_CTX_free(xs_ctx);
998 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
1001 chain_count = sk_X509_num(chain);
1002 for (i = 0; i < chain_count; i++) {
1003 x = sk_X509_value(chain, i);
1005 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
1006 /* SSLfatal() already called */
1007 X509_STORE_CTX_free(xs_ctx);
1011 X509_STORE_CTX_free(xs_ctx);
1013 i = ssl_security_cert_chain(s, extra_certs, x, 0);
1015 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
1018 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1019 /* SSLfatal() already called */
1022 for (i = 0; i < sk_X509_num(extra_certs); i++) {
1023 x = sk_X509_value(extra_certs, i);
1024 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1025 /* SSLfatal() already called */
1033 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1035 if (!WPACKET_start_sub_packet_u24(pkt)) {
1036 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1037 ERR_R_INTERNAL_ERROR);
1041 if (!ssl_add_cert_chain(s, pkt, cpk))
1044 if (!WPACKET_close(pkt)) {
1045 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1046 ERR_R_INTERNAL_ERROR);
1054 * Tidy up after the end of a handshake. In the case of SCTP this may result
1055 * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1058 WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
1060 void (*cb) (const SSL *ssl, int type, int val) = NULL;
1061 int cleanuphand = s->statem.cleanuphand;
1065 #ifndef OPENSSL_NO_SCTP
1067 * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1068 * messages that require it. Therefore, DTLS procedures for retransmissions
1070 * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1072 || BIO_dgram_is_sctp(SSL_get_wbio(s))
1076 * We don't do this in DTLS over UDP because we may still need the init_buf
1077 * in case there are any unexpected retransmits
1079 BUF_MEM_free(s->init_buf);
1083 if (!ssl_free_wbio_buffer(s)) {
1084 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
1085 ERR_R_INTERNAL_ERROR);
1091 if (SSL_IS_TLS13(s) && !s->server
1092 && s->post_handshake_auth == SSL_PHA_REQUESTED)
1093 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1096 * Only set if there was a Finished message and this isn't after a TLSv1.3
1097 * post handshake exchange
1100 /* skipped if we just sent a HelloRequest */
1103 s->statem.cleanuphand = 0;
1104 s->ext.ticket_expected = 0;
1106 ssl3_cleanup_key_block(s);
1110 * In TLSv1.3 we update the cache as part of constructing the
1113 if (!SSL_IS_TLS13(s))
1114 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1116 /* N.B. s->ctx may not equal s->session_ctx */
1117 tsan_counter(&s->ctx->stats.sess_accept_good);
1118 s->handshake_func = ossl_statem_accept;
1120 if (SSL_IS_TLS13(s)) {
1122 * We encourage applications to only use TLSv1.3 tickets once,
1123 * so we remove this one from the cache.
1125 if ((s->session_ctx->session_cache_mode
1126 & SSL_SESS_CACHE_CLIENT) != 0)
1127 SSL_CTX_remove_session(s->session_ctx, s->session);
1130 * In TLSv1.3 we update the cache as part of processing the
1133 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1136 tsan_counter(&s->session_ctx->stats.sess_hit);
1138 s->handshake_func = ossl_statem_connect;
1139 tsan_counter(&s->session_ctx->stats.sess_connect_good);
1142 if (SSL_IS_DTLS(s)) {
1143 /* done with handshaking */
1144 s->d1->handshake_read_seq = 0;
1145 s->d1->handshake_write_seq = 0;
1146 s->d1->next_handshake_write_seq = 0;
1147 dtls1_clear_received_buffer(s);
1151 if (s->info_callback != NULL)
1152 cb = s->info_callback;
1153 else if (s->ctx->info_callback != NULL)
1154 cb = s->ctx->info_callback;
1156 /* The callback may expect us to not be in init at handshake done */
1157 ossl_statem_set_in_init(s, 0);
1162 || SSL_IS_FIRST_HANDSHAKE(s))
1163 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1167 /* If we've got more work to do we go back into init */
1168 ossl_statem_set_in_init(s, 1);
1169 return WORK_FINISHED_CONTINUE;
1172 return WORK_FINISHED_STOP;
1175 int tls_get_message_header(SSL *s, int *mt)
1177 /* s->init_num < SSL3_HM_HEADER_LENGTH */
1178 int skip_message, i, recvd_type;
1180 size_t l, readbytes;
1182 p = (unsigned char *)s->init_buf->data;
1185 while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1186 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1188 SSL3_HM_HEADER_LENGTH - s->init_num,
1191 s->rwstate = SSL_READING;
1194 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1196 * A ChangeCipherSpec must be a single byte and may not occur
1197 * in the middle of a handshake message.
1199 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1200 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1201 SSL_F_TLS_GET_MESSAGE_HEADER,
1202 SSL_R_BAD_CHANGE_CIPHER_SPEC);
1205 if (s->statem.hand_state == TLS_ST_BEFORE
1206 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1208 * We are stateless and we received a CCS. Probably this is
1209 * from a client between the first and second ClientHellos.
1210 * We should ignore this, but return an error because we do
1211 * not return success until we see the second ClientHello
1212 * with a valid cookie.
1216 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1217 s->init_num = readbytes - 1;
1218 s->init_msg = s->init_buf->data;
1219 s->s3.tmp.message_size = readbytes;
1221 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1222 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1223 SSL_F_TLS_GET_MESSAGE_HEADER,
1224 SSL_R_CCS_RECEIVED_EARLY);
1227 s->init_num += readbytes;
1232 if (s->statem.hand_state != TLS_ST_OK
1233 && p[0] == SSL3_MT_HELLO_REQUEST)
1235 * The server may always send 'Hello Request' messages --
1236 * we are doing a handshake anyway now, so ignore them if
1237 * their format is correct. Does not count for 'Finished'
1240 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1244 if (s->msg_callback)
1245 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1246 p, SSL3_HM_HEADER_LENGTH, s,
1247 s->msg_callback_arg);
1249 } while (skip_message);
1250 /* s->init_num == SSL3_HM_HEADER_LENGTH */
1253 s->s3.tmp.message_type = *(p++);
1255 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1257 * Only happens with SSLv3+ in an SSLv2 backward compatible
1260 * Total message size is the remaining record bytes to read
1261 * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1263 l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1264 + SSL3_HM_HEADER_LENGTH;
1265 s->s3.tmp.message_size = l;
1267 s->init_msg = s->init_buf->data;
1268 s->init_num = SSL3_HM_HEADER_LENGTH;
1271 /* BUF_MEM_grow takes an 'int' parameter */
1272 if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1273 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
1274 SSL_R_EXCESSIVE_MESSAGE_SIZE);
1277 s->s3.tmp.message_size = l;
1279 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1286 int tls_get_message_body(SSL *s, size_t *len)
1288 size_t n, readbytes;
1292 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1293 /* We've already read everything in */
1294 *len = (unsigned long)s->init_num;
1299 n = s->s3.tmp.message_size - s->init_num;
1301 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1302 &p[s->init_num], n, 0, &readbytes);
1304 s->rwstate = SSL_READING;
1308 s->init_num += readbytes;
1313 * If receiving Finished, record MAC of prior handshake messages for
1314 * Finished verification.
1316 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1317 /* SSLfatal() already called */
1322 /* Feed this message into MAC computation. */
1323 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1324 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1326 /* SSLfatal() already called */
1330 if (s->msg_callback)
1331 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1332 (size_t)s->init_num, s, s->msg_callback_arg);
1335 * We defer feeding in the HRR until later. We'll do it as part of
1336 * processing the message
1337 * The TLsv1.3 handshake transcript stops at the ClientFinished
1340 #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
1341 /* KeyUpdate and NewSessionTicket do not need to be added */
1342 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1343 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1344 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1345 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1346 || memcmp(hrrrandom,
1347 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1348 SSL3_RANDOM_SIZE) != 0) {
1349 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1350 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1351 /* SSLfatal() already called */
1357 if (s->msg_callback)
1358 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1359 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1360 s->msg_callback_arg);
1367 static const X509ERR2ALERT x509table[] = {
1368 {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1369 {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1370 {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1371 {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1372 {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1373 {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1374 {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1375 {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1376 {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1377 {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1378 {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1379 {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1380 {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1381 {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1382 {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1383 {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1384 {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1385 {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1386 {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1387 {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1388 {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1389 {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1390 {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1391 {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1392 {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1393 {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1394 {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1395 {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1396 {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1397 {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1398 {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1399 {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1400 {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1401 {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1402 {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1403 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1404 {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1405 {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1406 {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1408 /* Last entry; return this if we don't find the value above. */
1409 {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1412 int ssl_x509err2alert(int x509err)
1414 const X509ERR2ALERT *tp;
1416 for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1417 if (tp->x509err == x509err)
1422 int ssl_allow_compression(SSL *s)
1424 if (s->options & SSL_OP_NO_COMPRESSION)
1426 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1429 static int version_cmp(const SSL *s, int a, int b)
1431 int dtls = SSL_IS_DTLS(s);
1436 return a < b ? -1 : 1;
1437 return DTLS_VERSION_LT(a, b) ? -1 : 1;
1442 const SSL_METHOD *(*cmeth) (void);
1443 const SSL_METHOD *(*smeth) (void);
1446 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1447 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1450 /* Must be in order high to low */
1451 static const version_info tls_version_table[] = {
1452 #ifndef OPENSSL_NO_TLS1_3
1453 {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1455 {TLS1_3_VERSION, NULL, NULL},
1457 #ifndef OPENSSL_NO_TLS1_2
1458 {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1460 {TLS1_2_VERSION, NULL, NULL},
1462 #ifndef OPENSSL_NO_TLS1_1
1463 {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1465 {TLS1_1_VERSION, NULL, NULL},
1467 #ifndef OPENSSL_NO_TLS1
1468 {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1470 {TLS1_VERSION, NULL, NULL},
1472 #ifndef OPENSSL_NO_SSL3
1473 {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1475 {SSL3_VERSION, NULL, NULL},
1480 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1481 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1484 /* Must be in order high to low */
1485 static const version_info dtls_version_table[] = {
1486 #ifndef OPENSSL_NO_DTLS1_2
1487 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1489 {DTLS1_2_VERSION, NULL, NULL},
1491 #ifndef OPENSSL_NO_DTLS1
1492 {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1493 {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1495 {DTLS1_VERSION, NULL, NULL},
1496 {DTLS1_BAD_VER, NULL, NULL},
1502 * ssl_method_error - Check whether an SSL_METHOD is enabled.
1504 * @s: The SSL handle for the candidate method
1505 * @method: the intended method.
1507 * Returns 0 on success, or an SSL error reason on failure.
1509 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1511 int version = method->version;
1513 if ((s->min_proto_version != 0 &&
1514 version_cmp(s, version, s->min_proto_version) < 0) ||
1515 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1516 return SSL_R_VERSION_TOO_LOW;
1518 if (s->max_proto_version != 0 &&
1519 version_cmp(s, version, s->max_proto_version) > 0)
1520 return SSL_R_VERSION_TOO_HIGH;
1522 if ((s->options & method->mask) != 0)
1523 return SSL_R_UNSUPPORTED_PROTOCOL;
1524 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1525 return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1531 * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1532 * certificate type, or has PSK or a certificate callback configured. Otherwise
1535 static int is_tls13_capable(const SSL *s)
1538 #ifndef OPENSSL_NO_EC
1542 #ifndef OPENSSL_NO_PSK
1543 if (s->psk_server_callback != NULL)
1547 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1550 for (i = 0; i < SSL_PKEY_NUM; i++) {
1551 /* Skip over certs disallowed for TLSv1.3 */
1553 case SSL_PKEY_DSA_SIGN:
1554 case SSL_PKEY_GOST01:
1555 case SSL_PKEY_GOST12_256:
1556 case SSL_PKEY_GOST12_512:
1561 if (!ssl_has_cert(s, i))
1563 #ifndef OPENSSL_NO_EC
1564 if (i != SSL_PKEY_ECC)
1567 * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1568 * more restrictive so check that our sig algs are consistent with this
1569 * EC cert. See section 4.2.3 of RFC8446.
1571 curve = evp_pkey_get_EC_KEY_curve_nid(s->cert->pkeys[SSL_PKEY_ECC]
1573 if (tls_check_sigalg_curve(s, curve))
1584 * ssl_version_supported - Check that the specified `version` is supported by
1587 * @s: The SSL handle for the candidate method
1588 * @version: Protocol version to test against
1590 * Returns 1 when supported, otherwise 0
1592 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1594 const version_info *vent;
1595 const version_info *table;
1597 switch (s->method->version) {
1599 /* Version should match method version for non-ANY method */
1600 return version_cmp(s, version, s->version) == 0;
1601 case TLS_ANY_VERSION:
1602 table = tls_version_table;
1604 case DTLS_ANY_VERSION:
1605 table = dtls_version_table;
1610 vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1612 if (vent->cmeth != NULL
1613 && version_cmp(s, version, vent->version) == 0
1614 && ssl_method_error(s, vent->cmeth()) == 0
1616 || version != TLS1_3_VERSION
1617 || is_tls13_capable(s))) {
1619 *meth = vent->cmeth();
1627 * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1628 * fallback indication from a client check whether we're using the highest
1629 * supported protocol version.
1631 * @s server SSL handle.
1633 * Returns 1 when using the highest enabled version, 0 otherwise.
1635 int ssl_check_version_downgrade(SSL *s)
1637 const version_info *vent;
1638 const version_info *table;
1641 * Check that the current protocol is the highest enabled version
1642 * (according to s->ctx->method, as version negotiation may have changed
1645 if (s->version == s->ctx->method->version)
1649 * Apparently we're using a version-flexible SSL_METHOD (not at its
1650 * highest protocol version).
1652 if (s->ctx->method->version == TLS_method()->version)
1653 table = tls_version_table;
1654 else if (s->ctx->method->version == DTLS_method()->version)
1655 table = dtls_version_table;
1657 /* Unexpected state; fail closed. */
1661 for (vent = table; vent->version != 0; ++vent) {
1662 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1663 return s->version == vent->version;
1669 * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1670 * protocols, provided the initial (D)TLS method is version-flexible. This
1671 * function sanity-checks the proposed value and makes sure the method is
1672 * version-flexible, then sets the limit if all is well.
1674 * @method_version: The version of the current SSL_METHOD.
1675 * @version: the intended limit.
1676 * @bound: pointer to limit to be updated.
1678 * Returns 1 on success, 0 on failure.
1680 int ssl_set_version_bound(int method_version, int version, int *bound)
1688 * Restrict TLS methods to TLS protocol versions.
1689 * Restrict DTLS methods to DTLS protocol versions.
1690 * Note, DTLS version numbers are decreasing, use comparison macros.
1692 * Note that for both lower-bounds we use explicit versions, not
1693 * (D)TLS_MIN_VERSION. This is because we don't want to break user
1694 * configurations. If the MIN (supported) version ever rises, the user's
1695 * "floor" remains valid even if no longer available. We don't expect the
1696 * MAX ceiling to ever get lower, so making that variable makes sense.
1698 switch (method_version) {
1701 * XXX For fixed version methods, should we always fail and not set any
1702 * bounds, always succeed and not set any bounds, or set the bounds and
1703 * arrange to fail later if they are not met? At present fixed-version
1704 * methods are not subject to controls that disable individual protocol
1709 case TLS_ANY_VERSION:
1710 if (version < SSL3_VERSION || version > TLS_MAX_VERSION_INTERNAL)
1714 case DTLS_ANY_VERSION:
1715 if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION_INTERNAL) ||
1716 DTLS_VERSION_LT(version, DTLS1_BAD_VER))
1725 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1727 if (vers == TLS1_2_VERSION
1728 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1729 *dgrd = DOWNGRADE_TO_1_2;
1730 } else if (!SSL_IS_DTLS(s)
1731 && vers < TLS1_2_VERSION
1733 * We need to ensure that a server that disables TLSv1.2
1734 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1735 * complete handshakes with clients that support TLSv1.2 and
1736 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1737 * enabled and TLSv1.2 is not.
1739 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1740 *dgrd = DOWNGRADE_TO_1_1;
1742 *dgrd = DOWNGRADE_NONE;
1747 * ssl_choose_server_version - Choose server (D)TLS version. Called when the
1748 * client HELLO is received to select the final server protocol version and
1749 * the version specific method.
1751 * @s: server SSL handle.
1753 * Returns 0 on success or an SSL error reason number on failure.
1755 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1758 * With version-flexible methods we have an initial state with:
1760 * s->method->version == (D)TLS_ANY_VERSION,
1761 * s->version == (D)TLS_MAX_VERSION_INTERNAL.
1763 * So we detect version-flexible methods via the method version, not the
1766 int server_version = s->method->version;
1767 int client_version = hello->legacy_version;
1768 const version_info *vent;
1769 const version_info *table;
1771 RAW_EXTENSION *suppversions;
1773 s->client_version = client_version;
1775 switch (server_version) {
1777 if (!SSL_IS_TLS13(s)) {
1778 if (version_cmp(s, client_version, s->version) < 0)
1779 return SSL_R_WRONG_SSL_VERSION;
1780 *dgrd = DOWNGRADE_NONE;
1782 * If this SSL handle is not from a version flexible method we don't
1783 * (and never did) check min/max FIPS or Suite B constraints. Hope
1784 * that's OK. It is up to the caller to not choose fixed protocol
1785 * versions they don't want. If not, then easy to fix, just return
1786 * ssl_method_error(s, s->method)
1791 * Fall through if we are TLSv1.3 already (this means we must be after
1792 * a HelloRetryRequest
1795 case TLS_ANY_VERSION:
1796 table = tls_version_table;
1798 case DTLS_ANY_VERSION:
1799 table = dtls_version_table;
1803 suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1805 /* If we did an HRR then supported versions is mandatory */
1806 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1807 return SSL_R_UNSUPPORTED_PROTOCOL;
1809 if (suppversions->present && !SSL_IS_DTLS(s)) {
1810 unsigned int candidate_vers = 0;
1811 unsigned int best_vers = 0;
1812 const SSL_METHOD *best_method = NULL;
1813 PACKET versionslist;
1815 suppversions->parsed = 1;
1817 if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1818 /* Trailing or invalid data? */
1819 return SSL_R_LENGTH_MISMATCH;
1823 * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1824 * The spec only requires servers to check that it isn't SSLv3:
1825 * "Any endpoint receiving a Hello message with
1826 * ClientHello.legacy_version or ServerHello.legacy_version set to
1827 * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1828 * We are slightly stricter and require that it isn't SSLv3 or lower.
1829 * We tolerate TLSv1 and TLSv1.1.
1831 if (client_version <= SSL3_VERSION)
1832 return SSL_R_BAD_LEGACY_VERSION;
1834 while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1835 if (version_cmp(s, candidate_vers, best_vers) <= 0)
1837 if (ssl_version_supported(s, candidate_vers, &best_method))
1838 best_vers = candidate_vers;
1840 if (PACKET_remaining(&versionslist) != 0) {
1841 /* Trailing data? */
1842 return SSL_R_LENGTH_MISMATCH;
1845 if (best_vers > 0) {
1846 if (s->hello_retry_request != SSL_HRR_NONE) {
1848 * This is after a HelloRetryRequest so we better check that we
1849 * negotiated TLSv1.3
1851 if (best_vers != TLS1_3_VERSION)
1852 return SSL_R_UNSUPPORTED_PROTOCOL;
1855 check_for_downgrade(s, best_vers, dgrd);
1856 s->version = best_vers;
1857 s->method = best_method;
1860 return SSL_R_UNSUPPORTED_PROTOCOL;
1864 * If the supported versions extension isn't present, then the highest
1865 * version we can negotiate is TLSv1.2
1867 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1868 client_version = TLS1_2_VERSION;
1871 * No supported versions extension, so we just use the version supplied in
1874 for (vent = table; vent->version != 0; ++vent) {
1875 const SSL_METHOD *method;
1877 if (vent->smeth == NULL ||
1878 version_cmp(s, client_version, vent->version) < 0)
1880 method = vent->smeth();
1881 if (ssl_method_error(s, method) == 0) {
1882 check_for_downgrade(s, vent->version, dgrd);
1883 s->version = vent->version;
1889 return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1893 * ssl_choose_client_version - Choose client (D)TLS version. Called when the
1894 * server HELLO is received to select the final client protocol version and
1895 * the version specific method.
1897 * @s: client SSL handle.
1898 * @version: The proposed version from the server's HELLO.
1899 * @extensions: The extensions received
1901 * Returns 1 on success or 0 on error.
1903 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1905 const version_info *vent;
1906 const version_info *table;
1907 int ret, ver_min, ver_max, real_max, origv;
1910 s->version = version;
1912 /* This will overwrite s->version if the extension is present */
1913 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1914 SSL_EXT_TLS1_2_SERVER_HELLO
1915 | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1921 if (s->hello_retry_request != SSL_HRR_NONE
1922 && s->version != TLS1_3_VERSION) {
1924 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1925 SSL_R_WRONG_SSL_VERSION);
1929 switch (s->method->version) {
1931 if (s->version != s->method->version) {
1933 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1934 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1935 SSL_R_WRONG_SSL_VERSION);
1939 * If this SSL handle is not from a version flexible method we don't
1940 * (and never did) check min/max, FIPS or Suite B constraints. Hope
1941 * that's OK. It is up to the caller to not choose fixed protocol
1942 * versions they don't want. If not, then easy to fix, just return
1943 * ssl_method_error(s, s->method)
1946 case TLS_ANY_VERSION:
1947 table = tls_version_table;
1949 case DTLS_ANY_VERSION:
1950 table = dtls_version_table;
1954 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1957 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1958 SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
1961 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1962 : s->version < ver_min) {
1964 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1965 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1967 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1968 : s->version > ver_max) {
1970 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1971 SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1975 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1978 /* Check for downgrades */
1979 if (s->version == TLS1_2_VERSION && real_max > s->version) {
1980 if (memcmp(tls12downgrade,
1981 s->s3.server_random + SSL3_RANDOM_SIZE
1982 - sizeof(tls12downgrade),
1983 sizeof(tls12downgrade)) == 0) {
1985 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1986 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1987 SSL_R_INAPPROPRIATE_FALLBACK);
1990 } else if (!SSL_IS_DTLS(s)
1991 && s->version < TLS1_2_VERSION
1992 && real_max > s->version) {
1993 if (memcmp(tls11downgrade,
1994 s->s3.server_random + SSL3_RANDOM_SIZE
1995 - sizeof(tls11downgrade),
1996 sizeof(tls11downgrade)) == 0) {
1998 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1999 SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2000 SSL_R_INAPPROPRIATE_FALLBACK);
2005 for (vent = table; vent->version != 0; ++vent) {
2006 if (vent->cmeth == NULL || s->version != vent->version)
2009 s->method = vent->cmeth();
2014 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
2015 SSL_R_UNSUPPORTED_PROTOCOL);
2020 * ssl_get_min_max_version - get minimum and maximum protocol version
2021 * @s: The SSL connection
2022 * @min_version: The minimum supported version
2023 * @max_version: The maximum supported version
2024 * @real_max: The highest version below the lowest compile time version hole
2025 * where that hole lies above at least one run-time enabled
2028 * Work out what version we should be using for the initial ClientHello if the
2029 * version is initially (D)TLS_ANY_VERSION. We apply any explicit SSL_OP_NO_xxx
2030 * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2031 * constraints and any floor imposed by the security level here,
2032 * so we don't advertise the wrong protocol version to only reject the outcome later.
2034 * Computing the right floor matters. If, e.g., TLS 1.0 and 1.2 are enabled,
2035 * TLS 1.1 is disabled, but the security level, Suite-B and/or MinProtocol
2036 * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2038 * Returns 0 on success or an SSL error reason number on failure. On failure
2039 * min_version and max_version will also be set to 0.
2041 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2044 int version, tmp_real_max;
2046 const SSL_METHOD *single = NULL;
2047 const SSL_METHOD *method;
2048 const version_info *table;
2049 const version_info *vent;
2051 switch (s->method->version) {
2054 * If this SSL handle is not from a version flexible method we don't
2055 * (and never did) check min/max FIPS or Suite B constraints. Hope
2056 * that's OK. It is up to the caller to not choose fixed protocol
2057 * versions they don't want. If not, then easy to fix, just return
2058 * ssl_method_error(s, s->method)
2060 *min_version = *max_version = s->version;
2062 * Providing a real_max only makes sense where we're using a version
2065 if (!ossl_assert(real_max == NULL))
2066 return ERR_R_INTERNAL_ERROR;
2068 case TLS_ANY_VERSION:
2069 table = tls_version_table;
2071 case DTLS_ANY_VERSION:
2072 table = dtls_version_table;
2077 * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2078 * below X enabled. This is required in order to maintain the "version
2079 * capability" vector contiguous. Any versions with a NULL client method
2080 * (protocol version client is disabled at compile-time) is also a "hole".
2082 * Our initial state is hole == 1, version == 0. That is, versions above
2083 * the first version in the method table are disabled (a "hole" above
2084 * the valid protocol entries) and we don't have a selected version yet.
2086 * Whenever "hole == 1", and we hit an enabled method, its version becomes
2087 * the selected version, and the method becomes a candidate "single"
2088 * method. We're no longer in a hole, so "hole" becomes 0.
2090 * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2091 * as we support a contiguous range of at least two methods. If we hit
2092 * a disabled method, then hole becomes true again, but nothing else
2093 * changes yet, because all the remaining methods may be disabled too.
2094 * If we again hit an enabled method after the new hole, it becomes
2095 * selected, as we start from scratch.
2097 *min_version = version = 0;
2099 if (real_max != NULL)
2102 for (vent = table; vent->version != 0; ++vent) {
2104 * A table entry with a NULL client method is still a hole in the
2105 * "version capability" vector.
2107 if (vent->cmeth == NULL) {
2112 method = vent->cmeth();
2114 if (hole == 1 && tmp_real_max == 0)
2115 tmp_real_max = vent->version;
2117 if (ssl_method_error(s, method) != 0) {
2121 *min_version = method->version;
2123 if (real_max != NULL && tmp_real_max != 0)
2124 *real_max = tmp_real_max;
2125 version = (single = method)->version;
2126 *min_version = version;
2131 *max_version = version;
2133 /* Fail if everything is disabled */
2135 return SSL_R_NO_PROTOCOLS_AVAILABLE;
2141 * ssl_set_client_hello_version - Work out what version we should be using for
2142 * the initial ClientHello.legacy_version field.
2144 * @s: client SSL handle.
2146 * Returns 0 on success or an SSL error reason number on failure.
2148 int ssl_set_client_hello_version(SSL *s)
2150 int ver_min, ver_max, ret;
2153 * In a renegotiation we always send the same client_version that we sent
2154 * last time, regardless of which version we eventually negotiated.
2156 if (!SSL_IS_FIRST_HANDSHAKE(s))
2159 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2164 s->version = ver_max;
2166 /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2167 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2168 ver_max = TLS1_2_VERSION;
2170 s->client_version = ver_max;
2175 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2176 * and |checkallow| is 1 then additionally check if the group is allowed to be
2177 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2178 * 1) or 0 otherwise.
2180 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2181 size_t num_groups, int checkallow)
2185 if (groups == NULL || num_groups == 0)
2188 for (i = 0; i < num_groups; i++) {
2189 uint16_t group = groups[i];
2191 if (group_id == group
2193 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2201 /* Replace ClientHello1 in the transcript hash with a synthetic message */
2202 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2203 size_t hashlen, const unsigned char *hrr,
2206 unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2207 unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2209 memset(msghdr, 0, sizeof(msghdr));
2211 if (hashval == NULL) {
2212 hashval = hashvaltmp;
2214 /* Get the hash of the initial ClientHello */
2215 if (!ssl3_digest_cached_records(s, 0)
2216 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2218 /* SSLfatal() already called */
2223 /* Reinitialise the transcript hash */
2224 if (!ssl3_init_finished_mac(s)) {
2225 /* SSLfatal() already called */
2229 /* Inject the synthetic message_hash message */
2230 msghdr[0] = SSL3_MT_MESSAGE_HASH;
2231 msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2232 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2233 || !ssl3_finish_mac(s, hashval, hashlen)) {
2234 /* SSLfatal() already called */
2239 * Now re-inject the HRR and current message if appropriate (we just deleted
2240 * it when we reinitialised the transcript hash above). Only necessary after
2241 * receiving a ClientHello2 with a cookie.
2244 && (!ssl3_finish_mac(s, hrr, hrrlen)
2245 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2246 s->s3.tmp.message_size
2247 + SSL3_HM_HEADER_LENGTH))) {
2248 /* SSLfatal() already called */
2255 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2257 return X509_NAME_cmp(*a, *b);
2260 int parse_ca_names(SSL *s, PACKET *pkt)
2262 STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2263 X509_NAME *xn = NULL;
2266 if (ca_sk == NULL) {
2267 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2268 ERR_R_MALLOC_FAILURE);
2271 /* get the CA RDNs */
2272 if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2273 SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
2274 SSL_R_LENGTH_MISMATCH);
2278 while (PACKET_remaining(&cadns)) {
2279 const unsigned char *namestart, *namebytes;
2280 unsigned int name_len;
2282 if (!PACKET_get_net_2(&cadns, &name_len)
2283 || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2284 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2285 SSL_R_LENGTH_MISMATCH);
2289 namestart = namebytes;
2290 if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2291 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2295 if (namebytes != (namestart + name_len)) {
2296 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2297 SSL_R_CA_DN_LENGTH_MISMATCH);
2301 if (!sk_X509_NAME_push(ca_sk, xn)) {
2302 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2303 ERR_R_MALLOC_FAILURE);
2309 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2310 s->s3.tmp.peer_ca_names = ca_sk;
2315 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2320 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2322 const STACK_OF(X509_NAME) *ca_sk = NULL;;
2325 ca_sk = SSL_get_client_CA_list(s);
2326 if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2331 ca_sk = SSL_get0_CA_list(s);
2336 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2338 /* Start sub-packet for client CA list */
2339 if (!WPACKET_start_sub_packet_u16(pkt)) {
2340 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2341 ERR_R_INTERNAL_ERROR);
2345 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
2348 for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2349 unsigned char *namebytes;
2350 X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2354 || (namelen = i2d_X509_NAME(name, NULL)) < 0
2355 || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2357 || i2d_X509_NAME(name, &namebytes) != namelen) {
2358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2359 ERR_R_INTERNAL_ERROR);
2365 if (!WPACKET_close(pkt)) {
2366 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2367 ERR_R_INTERNAL_ERROR);
2374 /* Create a buffer containing data to be signed for server key exchange */
2375 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2376 const void *param, size_t paramlen)
2378 size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2379 unsigned char *tbs = OPENSSL_malloc(tbslen);
2382 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
2383 ERR_R_MALLOC_FAILURE);
2386 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2387 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2389 memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2396 * Saves the current handshake digest for Post-Handshake Auth,
2397 * Done after ClientFinished is processed, done exactly once
2399 int tls13_save_handshake_digest_for_pha(SSL *s)
2401 if (s->pha_dgst == NULL) {
2402 if (!ssl3_digest_cached_records(s, 1))
2403 /* SSLfatal() already called */
2406 s->pha_dgst = EVP_MD_CTX_new();
2407 if (s->pha_dgst == NULL) {
2408 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2409 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2410 ERR_R_INTERNAL_ERROR);
2413 if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2414 s->s3.handshake_dgst)) {
2415 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2416 SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2417 ERR_R_INTERNAL_ERROR);
2425 * Restores the Post-Handshake Auth handshake digest
2426 * Done just before sending/processing the Cert Request
2428 int tls13_restore_handshake_digest_for_pha(SSL *s)
2430 if (s->pha_dgst == NULL) {
2431 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2432 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2433 ERR_R_INTERNAL_ERROR);
2436 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2438 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2439 SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2440 ERR_R_INTERNAL_ERROR);