1 /* 2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * Copyright 2005 Nokia. All rights reserved. 5 * 6 * Licensed under the OpenSSL license (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12 #include <stdio.h> 13 #include <time.h> 14 #include <assert.h> 15 #include "../ssl_locl.h" 16 #include "statem_locl.h" 17 #include <openssl/buffer.h> 18 #include <openssl/rand.h> 19 #include <openssl/objects.h> 20 #include <openssl/evp.h> 21 #include <openssl/md5.h> 22 #include <openssl/dh.h> 23 #include <openssl/bn.h> 24 #include <openssl/engine.h> 25 #include <internal/cryptlib.h> 26 27 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt); 28 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt); 29 30 static ossl_inline int cert_req_allowed(SSL *s); 31 static int key_exchange_expected(SSL *s); 32 static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, 33 WPACKET *pkt); 34 35 /* 36 * Is a CertificateRequest message allowed at the moment or not? 37 * 38 * Return values are: 39 * 1: Yes 40 * 0: No 41 */ 42 static ossl_inline int cert_req_allowed(SSL *s) 43 { 44 /* TLS does not like anon-DH with client cert */ 45 if ((s->version > SSL3_VERSION 46 && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) 47 || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK))) 48 return 0; 49 50 return 1; 51 } 52 53 /* 54 * Should we expect the ServerKeyExchange message or not? 55 * 56 * Return values are: 57 * 1: Yes 58 * 0: No 59 */ 60 static int key_exchange_expected(SSL *s) 61 { 62 long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 63 64 /* 65 * Can't skip server key exchange if this is an ephemeral 66 * ciphersuite or for SRP 67 */ 68 if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK 69 | SSL_kSRP)) { 70 return 1; 71 } 72 73 return 0; 74 } 75 76 /* 77 * ossl_statem_client_read_transition() encapsulates the logic for the allowed 78 * handshake state transitions when a TLS1.3 client is reading messages from the 79 * server. The message type that the server has sent is provided in |mt|. The 80 * current state is in |s->statem.hand_state|. 81 * 82 * Return values are 1 for success (transition allowed) and 0 on error 83 * (transition not allowed) 84 */ 85 static int ossl_statem_client13_read_transition(SSL *s, int mt) 86 { 87 OSSL_STATEM *st = &s->statem; 88 89 /* 90 * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't 91 * yet negotiated TLSv1.3 at that point so that is handled by 92 * ossl_statem_client_read_transition() 93 */ 94 95 switch (st->hand_state) { 96 default: 97 break; 98 99 case TLS_ST_CW_CLNT_HELLO: 100 /* 101 * This must a ClientHello following a HelloRetryRequest, so the only 102 * thing we can get now is a ServerHello. 103 */ 104 if (mt == SSL3_MT_SERVER_HELLO) { 105 st->hand_state = TLS_ST_CR_SRVR_HELLO; 106 return 1; 107 } 108 break; 109 110 case TLS_ST_CR_SRVR_HELLO: 111 if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) { 112 st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS; 113 return 1; 114 } 115 break; 116 117 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 118 if (s->hit) { 119 if (mt == SSL3_MT_FINISHED) { 120 st->hand_state = TLS_ST_CR_FINISHED; 121 return 1; 122 } 123 } else { 124 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 125 st->hand_state = TLS_ST_CR_CERT_REQ; 126 return 1; 127 } 128 if (mt == SSL3_MT_CERTIFICATE) { 129 st->hand_state = TLS_ST_CR_CERT; 130 return 1; 131 } 132 } 133 break; 134 135 case TLS_ST_CR_CERT_REQ: 136 if (mt == SSL3_MT_CERTIFICATE) { 137 st->hand_state = TLS_ST_CR_CERT; 138 return 1; 139 } 140 break; 141 142 case TLS_ST_CR_CERT: 143 if (mt == SSL3_MT_CERTIFICATE_VERIFY) { 144 st->hand_state = TLS_ST_CR_CERT_VRFY; 145 return 1; 146 } 147 break; 148 149 case TLS_ST_CR_CERT_VRFY: 150 if (mt == SSL3_MT_FINISHED) { 151 st->hand_state = TLS_ST_CR_FINISHED; 152 return 1; 153 } 154 break; 155 156 case TLS_ST_OK: 157 if (mt == SSL3_MT_NEWSESSION_TICKET) { 158 st->hand_state = TLS_ST_CR_SESSION_TICKET; 159 return 1; 160 } 161 if (mt == SSL3_MT_KEY_UPDATE) { 162 st->hand_state = TLS_ST_CR_KEY_UPDATE; 163 return 1; 164 } 165 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 166 #if DTLS_MAX_VERSION != DTLS1_2_VERSION 167 # error TODO(DTLS1.3): Restore digest for PHA before adding message. 168 #endif 169 if (!SSL_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) { 170 s->post_handshake_auth = SSL_PHA_REQUESTED; 171 /* 172 * In TLS, this is called before the message is added to the 173 * digest. In DTLS, this is expected to be called after adding 174 * to the digest. Either move the digest restore, or add the 175 * message here after the swap, or do it after the clientFinished? 176 */ 177 if (!tls13_restore_handshake_digest_for_pha(s)) { 178 /* SSLfatal() already called */ 179 return 0; 180 } 181 st->hand_state = TLS_ST_CR_CERT_REQ; 182 return 1; 183 } 184 } 185 break; 186 } 187 188 /* No valid transition found */ 189 return 0; 190 } 191 192 /* 193 * ossl_statem_client_read_transition() encapsulates the logic for the allowed 194 * handshake state transitions when the client is reading messages from the 195 * server. The message type that the server has sent is provided in |mt|. The 196 * current state is in |s->statem.hand_state|. 197 * 198 * Return values are 1 for success (transition allowed) and 0 on error 199 * (transition not allowed) 200 */ 201 int ossl_statem_client_read_transition(SSL *s, int mt) 202 { 203 OSSL_STATEM *st = &s->statem; 204 int ske_expected; 205 206 /* 207 * Note that after writing the first ClientHello we don't know what version 208 * we are going to negotiate yet, so we don't take this branch until later. 209 */ 210 if (SSL_IS_TLS13(s)) { 211 if (!ossl_statem_client13_read_transition(s, mt)) 212 goto err; 213 return 1; 214 } 215 216 switch (st->hand_state) { 217 default: 218 break; 219 220 case TLS_ST_CW_CLNT_HELLO: 221 if (mt == SSL3_MT_SERVER_HELLO) { 222 st->hand_state = TLS_ST_CR_SRVR_HELLO; 223 return 1; 224 } 225 226 if (SSL_IS_DTLS(s)) { 227 if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { 228 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; 229 return 1; 230 } 231 } 232 break; 233 234 case TLS_ST_EARLY_DATA: 235 /* 236 * We've not actually selected TLSv1.3 yet, but we have sent early 237 * data. The only thing allowed now is a ServerHello or a 238 * HelloRetryRequest. 239 */ 240 if (mt == SSL3_MT_SERVER_HELLO) { 241 st->hand_state = TLS_ST_CR_SRVR_HELLO; 242 return 1; 243 } 244 break; 245 246 case TLS_ST_CR_SRVR_HELLO: 247 if (s->hit) { 248 if (s->ext.ticket_expected) { 249 if (mt == SSL3_MT_NEWSESSION_TICKET) { 250 st->hand_state = TLS_ST_CR_SESSION_TICKET; 251 return 1; 252 } 253 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 254 st->hand_state = TLS_ST_CR_CHANGE; 255 return 1; 256 } 257 } else { 258 if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { 259 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; 260 return 1; 261 } else if (s->version >= TLS1_VERSION 262 && s->ext.session_secret_cb != NULL 263 && s->session->ext.tick != NULL 264 && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 265 /* 266 * Normally, we can tell if the server is resuming the session 267 * from the session ID. EAP-FAST (RFC 4851), however, relies on 268 * the next server message after the ServerHello to determine if 269 * the server is resuming. 270 */ 271 s->hit = 1; 272 st->hand_state = TLS_ST_CR_CHANGE; 273 return 1; 274 } else if (!(s->s3->tmp.new_cipher->algorithm_auth 275 & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) { 276 if (mt == SSL3_MT_CERTIFICATE) { 277 st->hand_state = TLS_ST_CR_CERT; 278 return 1; 279 } 280 } else { 281 ske_expected = key_exchange_expected(s); 282 /* SKE is optional for some PSK ciphersuites */ 283 if (ske_expected 284 || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK) 285 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) { 286 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) { 287 st->hand_state = TLS_ST_CR_KEY_EXCH; 288 return 1; 289 } 290 } else if (mt == SSL3_MT_CERTIFICATE_REQUEST 291 && cert_req_allowed(s)) { 292 st->hand_state = TLS_ST_CR_CERT_REQ; 293 return 1; 294 } else if (mt == SSL3_MT_SERVER_DONE) { 295 st->hand_state = TLS_ST_CR_SRVR_DONE; 296 return 1; 297 } 298 } 299 } 300 break; 301 302 case TLS_ST_CR_CERT: 303 /* 304 * The CertificateStatus message is optional even if 305 * |ext.status_expected| is set 306 */ 307 if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) { 308 st->hand_state = TLS_ST_CR_CERT_STATUS; 309 return 1; 310 } 311 /* Fall through */ 312 313 case TLS_ST_CR_CERT_STATUS: 314 ske_expected = key_exchange_expected(s); 315 /* SKE is optional for some PSK ciphersuites */ 316 if (ske_expected || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK) 317 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) { 318 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) { 319 st->hand_state = TLS_ST_CR_KEY_EXCH; 320 return 1; 321 } 322 goto err; 323 } 324 /* Fall through */ 325 326 case TLS_ST_CR_KEY_EXCH: 327 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 328 if (cert_req_allowed(s)) { 329 st->hand_state = TLS_ST_CR_CERT_REQ; 330 return 1; 331 } 332 goto err; 333 } 334 /* Fall through */ 335 336 case TLS_ST_CR_CERT_REQ: 337 if (mt == SSL3_MT_SERVER_DONE) { 338 st->hand_state = TLS_ST_CR_SRVR_DONE; 339 return 1; 340 } 341 break; 342 343 case TLS_ST_CW_FINISHED: 344 if (s->ext.ticket_expected) { 345 if (mt == SSL3_MT_NEWSESSION_TICKET) { 346 st->hand_state = TLS_ST_CR_SESSION_TICKET; 347 return 1; 348 } 349 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 350 st->hand_state = TLS_ST_CR_CHANGE; 351 return 1; 352 } 353 break; 354 355 case TLS_ST_CR_SESSION_TICKET: 356 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 357 st->hand_state = TLS_ST_CR_CHANGE; 358 return 1; 359 } 360 break; 361 362 case TLS_ST_CR_CHANGE: 363 if (mt == SSL3_MT_FINISHED) { 364 st->hand_state = TLS_ST_CR_FINISHED; 365 return 1; 366 } 367 break; 368 369 case TLS_ST_OK: 370 if (mt == SSL3_MT_HELLO_REQUEST) { 371 st->hand_state = TLS_ST_CR_HELLO_REQ; 372 return 1; 373 } 374 break; 375 } 376 377 err: 378 /* No valid transition found */ 379 if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 380 BIO *rbio; 381 382 /* 383 * CCS messages don't have a message sequence number so this is probably 384 * because of an out-of-order CCS. We'll just drop it. 385 */ 386 s->init_num = 0; 387 s->rwstate = SSL_READING; 388 rbio = SSL_get_rbio(s); 389 BIO_clear_retry_flags(rbio); 390 BIO_set_retry_read(rbio); 391 return 0; 392 } 393 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, 394 SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, 395 SSL_R_UNEXPECTED_MESSAGE); 396 return 0; 397 } 398 399 /* 400 * ossl_statem_client13_write_transition() works out what handshake state to 401 * move to next when the TLSv1.3 client is writing messages to be sent to the 402 * server. 403 */ 404 static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s) 405 { 406 OSSL_STATEM *st = &s->statem; 407 408 /* 409 * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated 410 * TLSv1.3 yet at that point. They are handled by 411 * ossl_statem_client_write_transition(). 412 */ 413 switch (st->hand_state) { 414 default: 415 /* Shouldn't happen */ 416 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 417 SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION, 418 ERR_R_INTERNAL_ERROR); 419 return WRITE_TRAN_ERROR; 420 421 case TLS_ST_CR_CERT_REQ: 422 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 423 st->hand_state = TLS_ST_CW_CERT; 424 return WRITE_TRAN_CONTINUE; 425 } 426 /* 427 * We should only get here if we received a CertificateRequest after 428 * we already sent close_notify 429 */ 430 if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) { 431 /* Shouldn't happen - same as default case */ 432 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 433 SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION, 434 ERR_R_INTERNAL_ERROR); 435 return WRITE_TRAN_ERROR; 436 } 437 st->hand_state = TLS_ST_OK; 438 return WRITE_TRAN_CONTINUE; 439 440 case TLS_ST_CR_FINISHED: 441 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY 442 || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING) 443 st->hand_state = TLS_ST_PENDING_EARLY_DATA_END; 444 else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 445 && s->hello_retry_request == SSL_HRR_NONE) 446 st->hand_state = TLS_ST_CW_CHANGE; 447 else 448 st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT 449 : TLS_ST_CW_FINISHED; 450 return WRITE_TRAN_CONTINUE; 451 452 case TLS_ST_PENDING_EARLY_DATA_END: 453 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { 454 st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA; 455 return WRITE_TRAN_CONTINUE; 456 } 457 /* Fall through */ 458 459 case TLS_ST_CW_END_OF_EARLY_DATA: 460 case TLS_ST_CW_CHANGE: 461 st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT 462 : TLS_ST_CW_FINISHED; 463 return WRITE_TRAN_CONTINUE; 464 465 case TLS_ST_CW_CERT: 466 /* If a non-empty Certificate we also send CertificateVerify */ 467 st->hand_state = (s->s3->tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY 468 : TLS_ST_CW_FINISHED; 469 return WRITE_TRAN_CONTINUE; 470 471 case TLS_ST_CW_CERT_VRFY: 472 st->hand_state = TLS_ST_CW_FINISHED; 473 return WRITE_TRAN_CONTINUE; 474 475 case TLS_ST_CR_KEY_UPDATE: 476 if (s->key_update != SSL_KEY_UPDATE_NONE) { 477 st->hand_state = TLS_ST_CW_KEY_UPDATE; 478 return WRITE_TRAN_CONTINUE; 479 } 480 /* Fall through */ 481 482 case TLS_ST_CW_KEY_UPDATE: 483 case TLS_ST_CR_SESSION_TICKET: 484 case TLS_ST_CW_FINISHED: 485 st->hand_state = TLS_ST_OK; 486 return WRITE_TRAN_CONTINUE; 487 488 case TLS_ST_OK: 489 if (s->key_update != SSL_KEY_UPDATE_NONE) { 490 st->hand_state = TLS_ST_CW_KEY_UPDATE; 491 return WRITE_TRAN_CONTINUE; 492 } 493 494 /* Try to read from the server instead */ 495 return WRITE_TRAN_FINISHED; 496 } 497 } 498 499 /* 500 * ossl_statem_client_write_transition() works out what handshake state to 501 * move to next when the client is writing messages to be sent to the server. 502 */ 503 WRITE_TRAN ossl_statem_client_write_transition(SSL *s) 504 { 505 OSSL_STATEM *st = &s->statem; 506 507 /* 508 * Note that immediately before/after a ClientHello we don't know what 509 * version we are going to negotiate yet, so we don't take this branch until 510 * later 511 */ 512 if (SSL_IS_TLS13(s)) 513 return ossl_statem_client13_write_transition(s); 514 515 switch (st->hand_state) { 516 default: 517 /* Shouldn't happen */ 518 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 519 SSL_F_OSSL_STATEM_CLIENT_WRITE_TRANSITION, 520 ERR_R_INTERNAL_ERROR); 521 return WRITE_TRAN_ERROR; 522 523 case TLS_ST_OK: 524 if (!s->renegotiate) { 525 /* 526 * We haven't requested a renegotiation ourselves so we must have 527 * received a message from the server. Better read it. 528 */ 529 return WRITE_TRAN_FINISHED; 530 } 531 /* Renegotiation */ 532 /* fall thru */ 533 case TLS_ST_BEFORE: 534 st->hand_state = TLS_ST_CW_CLNT_HELLO; 535 return WRITE_TRAN_CONTINUE; 536 537 case TLS_ST_CW_CLNT_HELLO: 538 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { 539 /* 540 * We are assuming this is a TLSv1.3 connection, although we haven't 541 * actually selected a version yet. 542 */ 543 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) 544 st->hand_state = TLS_ST_CW_CHANGE; 545 else 546 st->hand_state = TLS_ST_EARLY_DATA; 547 return WRITE_TRAN_CONTINUE; 548 } 549 /* 550 * No transition at the end of writing because we don't know what 551 * we will be sent 552 */ 553 return WRITE_TRAN_FINISHED; 554 555 case TLS_ST_CR_SRVR_HELLO: 556 /* 557 * We only get here in TLSv1.3. We just received an HRR, so issue a 558 * CCS unless middlebox compat mode is off, or we already issued one 559 * because we did early data. 560 */ 561 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 562 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) 563 st->hand_state = TLS_ST_CW_CHANGE; 564 else 565 st->hand_state = TLS_ST_CW_CLNT_HELLO; 566 return WRITE_TRAN_CONTINUE; 567 568 case TLS_ST_EARLY_DATA: 569 return WRITE_TRAN_FINISHED; 570 571 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 572 st->hand_state = TLS_ST_CW_CLNT_HELLO; 573 return WRITE_TRAN_CONTINUE; 574 575 case TLS_ST_CR_SRVR_DONE: 576 if (s->s3->tmp.cert_req) 577 st->hand_state = TLS_ST_CW_CERT; 578 else 579 st->hand_state = TLS_ST_CW_KEY_EXCH; 580 return WRITE_TRAN_CONTINUE; 581 582 case TLS_ST_CW_CERT: 583 st->hand_state = TLS_ST_CW_KEY_EXCH; 584 return WRITE_TRAN_CONTINUE; 585 586 case TLS_ST_CW_KEY_EXCH: 587 /* 588 * For TLS, cert_req is set to 2, so a cert chain of nothing is 589 * sent, but no verify packet is sent 590 */ 591 /* 592 * XXX: For now, we do not support client authentication in ECDH 593 * cipher suites with ECDH (rather than ECDSA) certificates. We 594 * need to skip the certificate verify message when client's 595 * ECDH public key is sent inside the client certificate. 596 */ 597 if (s->s3->tmp.cert_req == 1) { 598 st->hand_state = TLS_ST_CW_CERT_VRFY; 599 } else { 600 st->hand_state = TLS_ST_CW_CHANGE; 601 } 602 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { 603 st->hand_state = TLS_ST_CW_CHANGE; 604 } 605 return WRITE_TRAN_CONTINUE; 606 607 case TLS_ST_CW_CERT_VRFY: 608 st->hand_state = TLS_ST_CW_CHANGE; 609 return WRITE_TRAN_CONTINUE; 610 611 case TLS_ST_CW_CHANGE: 612 if (s->hello_retry_request == SSL_HRR_PENDING) { 613 st->hand_state = TLS_ST_CW_CLNT_HELLO; 614 } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { 615 st->hand_state = TLS_ST_EARLY_DATA; 616 } else { 617 #if defined(OPENSSL_NO_NEXTPROTONEG) 618 st->hand_state = TLS_ST_CW_FINISHED; 619 #else 620 if (!SSL_IS_DTLS(s) && s->s3->npn_seen) 621 st->hand_state = TLS_ST_CW_NEXT_PROTO; 622 else 623 st->hand_state = TLS_ST_CW_FINISHED; 624 #endif 625 } 626 return WRITE_TRAN_CONTINUE; 627 628 #if !defined(OPENSSL_NO_NEXTPROTONEG) 629 case TLS_ST_CW_NEXT_PROTO: 630 st->hand_state = TLS_ST_CW_FINISHED; 631 return WRITE_TRAN_CONTINUE; 632 #endif 633 634 case TLS_ST_CW_FINISHED: 635 if (s->hit) { 636 st->hand_state = TLS_ST_OK; 637 return WRITE_TRAN_CONTINUE; 638 } else { 639 return WRITE_TRAN_FINISHED; 640 } 641 642 case TLS_ST_CR_FINISHED: 643 if (s->hit) { 644 st->hand_state = TLS_ST_CW_CHANGE; 645 return WRITE_TRAN_CONTINUE; 646 } else { 647 st->hand_state = TLS_ST_OK; 648 return WRITE_TRAN_CONTINUE; 649 } 650 651 case TLS_ST_CR_HELLO_REQ: 652 /* 653 * If we can renegotiate now then do so, otherwise wait for a more 654 * convenient time. 655 */ 656 if (ssl3_renegotiate_check(s, 1)) { 657 if (!tls_setup_handshake(s)) { 658 /* SSLfatal() already called */ 659 return WRITE_TRAN_ERROR; 660 } 661 st->hand_state = TLS_ST_CW_CLNT_HELLO; 662 return WRITE_TRAN_CONTINUE; 663 } 664 st->hand_state = TLS_ST_OK; 665 return WRITE_TRAN_CONTINUE; 666 } 667 } 668 669 /* 670 * Perform any pre work that needs to be done prior to sending a message from 671 * the client to the server. 672 */ 673 WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst) 674 { 675 OSSL_STATEM *st = &s->statem; 676 677 switch (st->hand_state) { 678 default: 679 /* No pre work to be done */ 680 break; 681 682 case TLS_ST_CW_CLNT_HELLO: 683 s->shutdown = 0; 684 if (SSL_IS_DTLS(s)) { 685 /* every DTLS ClientHello resets Finished MAC */ 686 if (!ssl3_init_finished_mac(s)) { 687 /* SSLfatal() already called */ 688 return WORK_ERROR; 689 } 690 } 691 break; 692 693 case TLS_ST_CW_CHANGE: 694 if (SSL_IS_DTLS(s)) { 695 if (s->hit) { 696 /* 697 * We're into the last flight so we don't retransmit these 698 * messages unless we need to. 699 */ 700 st->use_timer = 0; 701 } 702 #ifndef OPENSSL_NO_SCTP 703 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 704 /* Calls SSLfatal() as required */ 705 return dtls_wait_for_dry(s); 706 } 707 #endif 708 } 709 break; 710 711 case TLS_ST_PENDING_EARLY_DATA_END: 712 /* 713 * If we've been called by SSL_do_handshake()/SSL_write(), or we did not 714 * attempt to write early data before calling SSL_read() then we press 715 * on with the handshake. Otherwise we pause here. 716 */ 717 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING 718 || s->early_data_state == SSL_EARLY_DATA_NONE) 719 return WORK_FINISHED_CONTINUE; 720 /* Fall through */ 721 722 case TLS_ST_EARLY_DATA: 723 return tls_finish_handshake(s, wst, 0, 1); 724 725 case TLS_ST_OK: 726 /* Calls SSLfatal() as required */ 727 return tls_finish_handshake(s, wst, 1, 1); 728 } 729 730 return WORK_FINISHED_CONTINUE; 731 } 732 733 /* 734 * Perform any work that needs to be done after sending a message from the 735 * client to the server. 736 */ 737 WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) 738 { 739 OSSL_STATEM *st = &s->statem; 740 741 s->init_num = 0; 742 743 switch (st->hand_state) { 744 default: 745 /* No post work to be done */ 746 break; 747 748 case TLS_ST_CW_CLNT_HELLO: 749 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 750 && s->max_early_data > 0) { 751 /* 752 * We haven't selected TLSv1.3 yet so we don't call the change 753 * cipher state function associated with the SSL_METHOD. Instead 754 * we call tls13_change_cipher_state() directly. 755 */ 756 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { 757 if (!tls13_change_cipher_state(s, 758 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 759 /* SSLfatal() already called */ 760 return WORK_ERROR; 761 } 762 } 763 /* else we're in compat mode so we delay flushing until after CCS */ 764 } else if (!statem_flush(s)) { 765 return WORK_MORE_A; 766 } 767 768 if (SSL_IS_DTLS(s)) { 769 /* Treat the next message as the first packet */ 770 s->first_packet = 1; 771 } 772 break; 773 774 case TLS_ST_CW_END_OF_EARLY_DATA: 775 /* 776 * We set the enc_write_ctx back to NULL because we may end up writing 777 * in cleartext again if we get a HelloRetryRequest from the server. 778 */ 779 EVP_CIPHER_CTX_free(s->enc_write_ctx); 780 s->enc_write_ctx = NULL; 781 break; 782 783 case TLS_ST_CW_KEY_EXCH: 784 if (tls_client_key_exchange_post_work(s) == 0) { 785 /* SSLfatal() already called */ 786 return WORK_ERROR; 787 } 788 break; 789 790 case TLS_ST_CW_CHANGE: 791 if (SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING) 792 break; 793 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 794 && s->max_early_data > 0) { 795 /* 796 * We haven't selected TLSv1.3 yet so we don't call the change 797 * cipher state function associated with the SSL_METHOD. Instead 798 * we call tls13_change_cipher_state() directly. 799 */ 800 if (!tls13_change_cipher_state(s, 801 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 802 return WORK_ERROR; 803 break; 804 } 805 s->session->cipher = s->s3->tmp.new_cipher; 806 #ifdef OPENSSL_NO_COMP 807 s->session->compress_meth = 0; 808 #else 809 if (s->s3->tmp.new_compression == NULL) 810 s->session->compress_meth = 0; 811 else 812 s->session->compress_meth = s->s3->tmp.new_compression->id; 813 #endif 814 if (!s->method->ssl3_enc->setup_key_block(s)) { 815 /* SSLfatal() already called */ 816 return WORK_ERROR; 817 } 818 819 if (!s->method->ssl3_enc->change_cipher_state(s, 820 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 821 /* SSLfatal() already called */ 822 return WORK_ERROR; 823 } 824 825 if (SSL_IS_DTLS(s)) { 826 #ifndef OPENSSL_NO_SCTP 827 if (s->hit) { 828 /* 829 * Change to new shared key of SCTP-Auth, will be ignored if 830 * no SCTP used. 831 */ 832 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 833 0, NULL); 834 } 835 #endif 836 837 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 838 } 839 break; 840 841 case TLS_ST_CW_FINISHED: 842 #ifndef OPENSSL_NO_SCTP 843 if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) { 844 /* 845 * Change to new shared key of SCTP-Auth, will be ignored if 846 * no SCTP used. 847 */ 848 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 849 0, NULL); 850 } 851 #endif 852 if (statem_flush(s) != 1) 853 return WORK_MORE_B; 854 855 if (SSL_IS_TLS13(s)) { 856 if (!tls13_save_handshake_digest_for_pha(s)) { 857 /* SSLfatal() already called */ 858 return WORK_ERROR; 859 } 860 if (s->post_handshake_auth != SSL_PHA_REQUESTED) { 861 if (!s->method->ssl3_enc->change_cipher_state(s, 862 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 863 /* SSLfatal() already called */ 864 return WORK_ERROR; 865 } 866 } 867 } 868 break; 869 870 case TLS_ST_CW_KEY_UPDATE: 871 if (statem_flush(s) != 1) 872 return WORK_MORE_A; 873 if (!tls13_update_key(s, 1)) { 874 /* SSLfatal() already called */ 875 return WORK_ERROR; 876 } 877 break; 878 } 879 880 return WORK_FINISHED_CONTINUE; 881 } 882 883 /* 884 * Get the message construction function and message type for sending from the 885 * client 886 * 887 * Valid return values are: 888 * 1: Success 889 * 0: Error 890 */ 891 int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt, 892 confunc_f *confunc, int *mt) 893 { 894 OSSL_STATEM *st = &s->statem; 895 896 switch (st->hand_state) { 897 default: 898 /* Shouldn't happen */ 899 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 900 SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE, 901 SSL_R_BAD_HANDSHAKE_STATE); 902 return 0; 903 904 case TLS_ST_CW_CHANGE: 905 if (SSL_IS_DTLS(s)) 906 *confunc = dtls_construct_change_cipher_spec; 907 else 908 *confunc = tls_construct_change_cipher_spec; 909 *mt = SSL3_MT_CHANGE_CIPHER_SPEC; 910 break; 911 912 case TLS_ST_CW_CLNT_HELLO: 913 *confunc = tls_construct_client_hello; 914 *mt = SSL3_MT_CLIENT_HELLO; 915 break; 916 917 case TLS_ST_CW_END_OF_EARLY_DATA: 918 *confunc = tls_construct_end_of_early_data; 919 *mt = SSL3_MT_END_OF_EARLY_DATA; 920 break; 921 922 case TLS_ST_PENDING_EARLY_DATA_END: 923 *confunc = NULL; 924 *mt = SSL3_MT_DUMMY; 925 break; 926 927 case TLS_ST_CW_CERT: 928 *confunc = tls_construct_client_certificate; 929 *mt = SSL3_MT_CERTIFICATE; 930 break; 931 932 case TLS_ST_CW_KEY_EXCH: 933 *confunc = tls_construct_client_key_exchange; 934 *mt = SSL3_MT_CLIENT_KEY_EXCHANGE; 935 break; 936 937 case TLS_ST_CW_CERT_VRFY: 938 *confunc = tls_construct_cert_verify; 939 *mt = SSL3_MT_CERTIFICATE_VERIFY; 940 break; 941 942 #if !defined(OPENSSL_NO_NEXTPROTONEG) 943 case TLS_ST_CW_NEXT_PROTO: 944 *confunc = tls_construct_next_proto; 945 *mt = SSL3_MT_NEXT_PROTO; 946 break; 947 #endif 948 case TLS_ST_CW_FINISHED: 949 *confunc = tls_construct_finished; 950 *mt = SSL3_MT_FINISHED; 951 break; 952 953 case TLS_ST_CW_KEY_UPDATE: 954 *confunc = tls_construct_key_update; 955 *mt = SSL3_MT_KEY_UPDATE; 956 break; 957 } 958 959 return 1; 960 } 961 962 /* 963 * Returns the maximum allowed length for the current message that we are 964 * reading. Excludes the message header. 965 */ 966 size_t ossl_statem_client_max_message_size(SSL *s) 967 { 968 OSSL_STATEM *st = &s->statem; 969 970 switch (st->hand_state) { 971 default: 972 /* Shouldn't happen */ 973 return 0; 974 975 case TLS_ST_CR_SRVR_HELLO: 976 return SERVER_HELLO_MAX_LENGTH; 977 978 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 979 return HELLO_VERIFY_REQUEST_MAX_LENGTH; 980 981 case TLS_ST_CR_CERT: 982 return s->max_cert_list; 983 984 case TLS_ST_CR_CERT_VRFY: 985 return SSL3_RT_MAX_PLAIN_LENGTH; 986 987 case TLS_ST_CR_CERT_STATUS: 988 return SSL3_RT_MAX_PLAIN_LENGTH; 989 990 case TLS_ST_CR_KEY_EXCH: 991 return SERVER_KEY_EXCH_MAX_LENGTH; 992 993 case TLS_ST_CR_CERT_REQ: 994 /* 995 * Set to s->max_cert_list for compatibility with previous releases. In 996 * practice these messages can get quite long if servers are configured 997 * to provide a long list of acceptable CAs 998 */ 999 return s->max_cert_list; 1000 1001 case TLS_ST_CR_SRVR_DONE: 1002 return SERVER_HELLO_DONE_MAX_LENGTH; 1003 1004 case TLS_ST_CR_CHANGE: 1005 if (s->version == DTLS1_BAD_VER) 1006 return 3; 1007 return CCS_MAX_LENGTH; 1008 1009 case TLS_ST_CR_SESSION_TICKET: 1010 return SSL3_RT_MAX_PLAIN_LENGTH; 1011 1012 case TLS_ST_CR_FINISHED: 1013 return FINISHED_MAX_LENGTH; 1014 1015 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 1016 return ENCRYPTED_EXTENSIONS_MAX_LENGTH; 1017 1018 case TLS_ST_CR_KEY_UPDATE: 1019 return KEY_UPDATE_MAX_LENGTH; 1020 } 1021 } 1022 1023 /* 1024 * Process a message that the client has been received from the server. 1025 */ 1026 MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt) 1027 { 1028 OSSL_STATEM *st = &s->statem; 1029 1030 switch (st->hand_state) { 1031 default: 1032 /* Shouldn't happen */ 1033 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1034 SSL_F_OSSL_STATEM_CLIENT_PROCESS_MESSAGE, 1035 ERR_R_INTERNAL_ERROR); 1036 return MSG_PROCESS_ERROR; 1037 1038 case TLS_ST_CR_SRVR_HELLO: 1039 return tls_process_server_hello(s, pkt); 1040 1041 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 1042 return dtls_process_hello_verify(s, pkt); 1043 1044 case TLS_ST_CR_CERT: 1045 return tls_process_server_certificate(s, pkt); 1046 1047 case TLS_ST_CR_CERT_VRFY: 1048 return tls_process_cert_verify(s, pkt); 1049 1050 case TLS_ST_CR_CERT_STATUS: 1051 return tls_process_cert_status(s, pkt); 1052 1053 case TLS_ST_CR_KEY_EXCH: 1054 return tls_process_key_exchange(s, pkt); 1055 1056 case TLS_ST_CR_CERT_REQ: 1057 return tls_process_certificate_request(s, pkt); 1058 1059 case TLS_ST_CR_SRVR_DONE: 1060 return tls_process_server_done(s, pkt); 1061 1062 case TLS_ST_CR_CHANGE: 1063 return tls_process_change_cipher_spec(s, pkt); 1064 1065 case TLS_ST_CR_SESSION_TICKET: 1066 return tls_process_new_session_ticket(s, pkt); 1067 1068 case TLS_ST_CR_FINISHED: 1069 return tls_process_finished(s, pkt); 1070 1071 case TLS_ST_CR_HELLO_REQ: 1072 return tls_process_hello_req(s, pkt); 1073 1074 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 1075 return tls_process_encrypted_extensions(s, pkt); 1076 1077 case TLS_ST_CR_KEY_UPDATE: 1078 return tls_process_key_update(s, pkt); 1079 } 1080 } 1081 1082 /* 1083 * Perform any further processing required following the receipt of a message 1084 * from the server 1085 */ 1086 WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst) 1087 { 1088 OSSL_STATEM *st = &s->statem; 1089 1090 switch (st->hand_state) { 1091 default: 1092 /* Shouldn't happen */ 1093 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1094 SSL_F_OSSL_STATEM_CLIENT_POST_PROCESS_MESSAGE, 1095 ERR_R_INTERNAL_ERROR); 1096 return WORK_ERROR; 1097 1098 case TLS_ST_CR_CERT_VRFY: 1099 case TLS_ST_CR_CERT_REQ: 1100 return tls_prepare_client_certificate(s, wst); 1101 } 1102 } 1103 1104 int tls_construct_client_hello(SSL *s, WPACKET *pkt) 1105 { 1106 unsigned char *p; 1107 size_t sess_id_len; 1108 int i, protverr; 1109 #ifndef OPENSSL_NO_COMP 1110 SSL_COMP *comp; 1111 #endif 1112 SSL_SESSION *sess = s->session; 1113 unsigned char *session_id; 1114 1115 /* Work out what SSL/TLS/DTLS version to use */ 1116 protverr = ssl_set_client_hello_version(s); 1117 if (protverr != 0) { 1118 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1119 protverr); 1120 return 0; 1121 } 1122 1123 if (sess == NULL 1124 || !ssl_version_supported(s, sess->ssl_version, NULL) 1125 || !SSL_SESSION_is_resumable(sess)) { 1126 if (s->hello_retry_request == SSL_HRR_NONE 1127 && !ssl_get_new_session(s, 0)) { 1128 /* SSLfatal() already called */ 1129 return 0; 1130 } 1131 } 1132 /* else use the pre-loaded session */ 1133 1134 p = s->s3->client_random; 1135 1136 /* 1137 * for DTLS if client_random is initialized, reuse it, we are 1138 * required to use same upon reply to HelloVerify 1139 */ 1140 if (SSL_IS_DTLS(s)) { 1141 size_t idx; 1142 i = 1; 1143 for (idx = 0; idx < sizeof(s->s3->client_random); idx++) { 1144 if (p[idx]) { 1145 i = 0; 1146 break; 1147 } 1148 } 1149 } else { 1150 i = (s->hello_retry_request == SSL_HRR_NONE); 1151 } 1152 1153 if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random), 1154 DOWNGRADE_NONE) <= 0) { 1155 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1156 ERR_R_INTERNAL_ERROR); 1157 return 0; 1158 } 1159 1160 /*- 1161 * version indicates the negotiated version: for example from 1162 * an SSLv2/v3 compatible client hello). The client_version 1163 * field is the maximum version we permit and it is also 1164 * used in RSA encrypted premaster secrets. Some servers can 1165 * choke if we initially report a higher version then 1166 * renegotiate to a lower one in the premaster secret. This 1167 * didn't happen with TLS 1.0 as most servers supported it 1168 * but it can with TLS 1.1 or later if the server only supports 1169 * 1.0. 1170 * 1171 * Possible scenario with previous logic: 1172 * 1. Client hello indicates TLS 1.2 1173 * 2. Server hello says TLS 1.0 1174 * 3. RSA encrypted premaster secret uses 1.2. 1175 * 4. Handshake proceeds using TLS 1.0. 1176 * 5. Server sends hello request to renegotiate. 1177 * 6. Client hello indicates TLS v1.0 as we now 1178 * know that is maximum server supports. 1179 * 7. Server chokes on RSA encrypted premaster secret 1180 * containing version 1.0. 1181 * 1182 * For interoperability it should be OK to always use the 1183 * maximum version we support in client hello and then rely 1184 * on the checking of version to ensure the servers isn't 1185 * being inconsistent: for example initially negotiating with 1186 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using 1187 * client_version in client hello and not resetting it to 1188 * the negotiated version. 1189 * 1190 * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the 1191 * supported_versions extension for the real supported versions. 1192 */ 1193 if (!WPACKET_put_bytes_u16(pkt, s->client_version) 1194 || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) { 1195 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1196 ERR_R_INTERNAL_ERROR); 1197 return 0; 1198 } 1199 1200 /* Session ID */ 1201 session_id = s->session->session_id; 1202 if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) { 1203 if (s->version == TLS1_3_VERSION 1204 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { 1205 sess_id_len = sizeof(s->tmp_session_id); 1206 s->tmp_session_id_len = sess_id_len; 1207 session_id = s->tmp_session_id; 1208 if (s->hello_retry_request == SSL_HRR_NONE 1209 && RAND_bytes(s->tmp_session_id, sess_id_len) <= 0) { 1210 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1211 SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1212 ERR_R_INTERNAL_ERROR); 1213 return 0; 1214 } 1215 } else { 1216 sess_id_len = 0; 1217 } 1218 } else { 1219 assert(s->session->session_id_length <= sizeof(s->session->session_id)); 1220 sess_id_len = s->session->session_id_length; 1221 if (s->version == TLS1_3_VERSION) { 1222 s->tmp_session_id_len = sess_id_len; 1223 memcpy(s->tmp_session_id, s->session->session_id, sess_id_len); 1224 } 1225 } 1226 if (!WPACKET_start_sub_packet_u8(pkt) 1227 || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id, 1228 sess_id_len)) 1229 || !WPACKET_close(pkt)) { 1230 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1231 ERR_R_INTERNAL_ERROR); 1232 return 0; 1233 } 1234 1235 /* cookie stuff for DTLS */ 1236 if (SSL_IS_DTLS(s)) { 1237 if (s->d1->cookie_len > sizeof(s->d1->cookie) 1238 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, 1239 s->d1->cookie_len)) { 1240 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1241 ERR_R_INTERNAL_ERROR); 1242 return 0; 1243 } 1244 } 1245 1246 /* Ciphers supported */ 1247 if (!WPACKET_start_sub_packet_u16(pkt)) { 1248 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1249 ERR_R_INTERNAL_ERROR); 1250 return 0; 1251 } 1252 1253 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) { 1254 /* SSLfatal() already called */ 1255 return 0; 1256 } 1257 if (!WPACKET_close(pkt)) { 1258 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1259 ERR_R_INTERNAL_ERROR); 1260 return 0; 1261 } 1262 1263 /* COMPRESSION */ 1264 if (!WPACKET_start_sub_packet_u8(pkt)) { 1265 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1266 ERR_R_INTERNAL_ERROR); 1267 return 0; 1268 } 1269 #ifndef OPENSSL_NO_COMP 1270 if (ssl_allow_compression(s) 1271 && s->ctx->comp_methods 1272 && (SSL_IS_DTLS(s) || s->s3->tmp.max_ver < TLS1_3_VERSION)) { 1273 int compnum = sk_SSL_COMP_num(s->ctx->comp_methods); 1274 for (i = 0; i < compnum; i++) { 1275 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); 1276 if (!WPACKET_put_bytes_u8(pkt, comp->id)) { 1277 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1278 SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1279 ERR_R_INTERNAL_ERROR); 1280 return 0; 1281 } 1282 } 1283 } 1284 #endif 1285 /* Add the NULL method */ 1286 if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) { 1287 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1288 ERR_R_INTERNAL_ERROR); 1289 return 0; 1290 } 1291 1292 /* TLS extensions */ 1293 if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) { 1294 /* SSLfatal() already called */ 1295 return 0; 1296 } 1297 1298 return 1; 1299 } 1300 1301 MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt) 1302 { 1303 size_t cookie_len; 1304 PACKET cookiepkt; 1305 1306 if (!PACKET_forward(pkt, 2) 1307 || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) { 1308 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY, 1309 SSL_R_LENGTH_MISMATCH); 1310 return MSG_PROCESS_ERROR; 1311 } 1312 1313 cookie_len = PACKET_remaining(&cookiepkt); 1314 if (cookie_len > sizeof(s->d1->cookie)) { 1315 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS_PROCESS_HELLO_VERIFY, 1316 SSL_R_LENGTH_TOO_LONG); 1317 return MSG_PROCESS_ERROR; 1318 } 1319 1320 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) { 1321 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY, 1322 SSL_R_LENGTH_MISMATCH); 1323 return MSG_PROCESS_ERROR; 1324 } 1325 s->d1->cookie_len = cookie_len; 1326 1327 return MSG_PROCESS_FINISHED_READING; 1328 } 1329 1330 static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) 1331 { 1332 STACK_OF(SSL_CIPHER) *sk; 1333 const SSL_CIPHER *c; 1334 int i; 1335 1336 c = ssl_get_cipher_by_char(s, cipherchars, 0); 1337 if (c == NULL) { 1338 /* unknown cipher */ 1339 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1340 SSL_R_UNKNOWN_CIPHER_RETURNED); 1341 return 0; 1342 } 1343 /* 1344 * If it is a disabled cipher we either didn't send it in client hello, 1345 * or it's not allowed for the selected protocol. So we return an error. 1346 */ 1347 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { 1348 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1349 SSL_R_WRONG_CIPHER_RETURNED); 1350 return 0; 1351 } 1352 1353 sk = ssl_get_ciphers_by_id(s); 1354 i = sk_SSL_CIPHER_find(sk, c); 1355 if (i < 0) { 1356 /* we did not say we would use this cipher */ 1357 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1358 SSL_R_WRONG_CIPHER_RETURNED); 1359 return 0; 1360 } 1361 1362 if (SSL_IS_TLS13(s) && s->s3->tmp.new_cipher != NULL 1363 && s->s3->tmp.new_cipher->id != c->id) { 1364 /* ServerHello selected a different ciphersuite to that in the HRR */ 1365 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1366 SSL_R_WRONG_CIPHER_RETURNED); 1367 return 0; 1368 } 1369 1370 /* 1371 * Depending on the session caching (internal/external), the cipher 1372 * and/or cipher_id values may not be set. Make sure that cipher_id is 1373 * set and use it for comparison. 1374 */ 1375 if (s->session->cipher != NULL) 1376 s->session->cipher_id = s->session->cipher->id; 1377 if (s->hit && (s->session->cipher_id != c->id)) { 1378 if (SSL_IS_TLS13(s)) { 1379 /* 1380 * In TLSv1.3 it is valid for the server to select a different 1381 * ciphersuite as long as the hash is the same. 1382 */ 1383 if (ssl_md(c->algorithm2) 1384 != ssl_md(s->session->cipher->algorithm2)) { 1385 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1386 SSL_F_SET_CLIENT_CIPHERSUITE, 1387 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED); 1388 return 0; 1389 } 1390 } else { 1391 /* 1392 * Prior to TLSv1.3 resuming a session always meant using the same 1393 * ciphersuite. 1394 */ 1395 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1396 SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 1397 return 0; 1398 } 1399 } 1400 s->s3->tmp.new_cipher = c; 1401 1402 return 1; 1403 } 1404 1405 MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) 1406 { 1407 PACKET session_id, extpkt; 1408 size_t session_id_len; 1409 const unsigned char *cipherchars; 1410 int hrr = 0; 1411 unsigned int compression; 1412 unsigned int sversion; 1413 unsigned int context; 1414 RAW_EXTENSION *extensions = NULL; 1415 #ifndef OPENSSL_NO_COMP 1416 SSL_COMP *comp; 1417 #endif 1418 1419 if (!PACKET_get_net_2(pkt, &sversion)) { 1420 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1421 SSL_R_LENGTH_MISMATCH); 1422 goto err; 1423 } 1424 1425 /* load the server random */ 1426 if (s->version == TLS1_3_VERSION 1427 && sversion == TLS1_2_VERSION 1428 && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE 1429 && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) { 1430 s->hello_retry_request = SSL_HRR_PENDING; 1431 hrr = 1; 1432 if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) { 1433 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1434 SSL_R_LENGTH_MISMATCH); 1435 goto err; 1436 } 1437 } else { 1438 if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { 1439 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1440 SSL_R_LENGTH_MISMATCH); 1441 goto err; 1442 } 1443 } 1444 1445 /* Get the session-id. */ 1446 if (!PACKET_get_length_prefixed_1(pkt, &session_id)) { 1447 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1448 SSL_R_LENGTH_MISMATCH); 1449 goto err; 1450 } 1451 session_id_len = PACKET_remaining(&session_id); 1452 if (session_id_len > sizeof(s->session->session_id) 1453 || session_id_len > SSL3_SESSION_ID_SIZE) { 1454 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1455 SSL_R_SSL3_SESSION_ID_TOO_LONG); 1456 goto err; 1457 } 1458 1459 if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { 1460 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1461 SSL_R_LENGTH_MISMATCH); 1462 goto err; 1463 } 1464 1465 if (!PACKET_get_1(pkt, &compression)) { 1466 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1467 SSL_R_LENGTH_MISMATCH); 1468 goto err; 1469 } 1470 1471 /* TLS extensions */ 1472 if (PACKET_remaining(pkt) == 0 && !hrr) { 1473 PACKET_null_init(&extpkt); 1474 } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt) 1475 || PACKET_remaining(pkt) != 0) { 1476 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1477 SSL_R_BAD_LENGTH); 1478 goto err; 1479 } 1480 1481 if (!hrr) { 1482 if (!tls_collect_extensions(s, &extpkt, 1483 SSL_EXT_TLS1_2_SERVER_HELLO 1484 | SSL_EXT_TLS1_3_SERVER_HELLO, 1485 &extensions, NULL, 1)) { 1486 /* SSLfatal() already called */ 1487 goto err; 1488 } 1489 1490 if (!ssl_choose_client_version(s, sversion, extensions)) { 1491 /* SSLfatal() already called */ 1492 goto err; 1493 } 1494 } 1495 1496 if (SSL_IS_TLS13(s) || hrr) { 1497 if (compression != 0) { 1498 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1499 SSL_F_TLS_PROCESS_SERVER_HELLO, 1500 SSL_R_INVALID_COMPRESSION_ALGORITHM); 1501 goto err; 1502 } 1503 1504 if (session_id_len != s->tmp_session_id_len 1505 || memcmp(PACKET_data(&session_id), s->tmp_session_id, 1506 session_id_len) != 0) { 1507 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1508 SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INVALID_SESSION_ID); 1509 goto err; 1510 } 1511 } 1512 1513 if (hrr) { 1514 if (!set_client_ciphersuite(s, cipherchars)) { 1515 /* SSLfatal() already called */ 1516 goto err; 1517 } 1518 1519 return tls_process_as_hello_retry_request(s, &extpkt); 1520 } 1521 1522 /* 1523 * Now we have chosen the version we need to check again that the extensions 1524 * are appropriate for this version. 1525 */ 1526 context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO 1527 : SSL_EXT_TLS1_2_SERVER_HELLO; 1528 if (!tls_validate_all_contexts(s, context, extensions)) { 1529 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1530 SSL_R_BAD_EXTENSION); 1531 goto err; 1532 } 1533 1534 s->hit = 0; 1535 1536 if (SSL_IS_TLS13(s)) { 1537 /* 1538 * In TLSv1.3 a ServerHello message signals a key change so the end of 1539 * the message must be on a record boundary. 1540 */ 1541 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { 1542 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1543 SSL_F_TLS_PROCESS_SERVER_HELLO, 1544 SSL_R_NOT_ON_RECORD_BOUNDARY); 1545 goto err; 1546 } 1547 1548 /* This will set s->hit if we are resuming */ 1549 if (!tls_parse_extension(s, TLSEXT_IDX_psk, 1550 SSL_EXT_TLS1_3_SERVER_HELLO, 1551 extensions, NULL, 0)) { 1552 /* SSLfatal() already called */ 1553 goto err; 1554 } 1555 } else { 1556 /* 1557 * Check if we can resume the session based on external pre-shared 1558 * secret. EAP-FAST (RFC 4851) supports two types of session resumption. 1559 * Resumption based on server-side state works with session IDs. 1560 * Resumption based on pre-shared Protected Access Credentials (PACs) 1561 * works by overriding the SessionTicket extension at the application 1562 * layer, and does not send a session ID. (We do not know whether 1563 * EAP-FAST servers would honour the session ID.) Therefore, the session 1564 * ID alone is not a reliable indicator of session resumption, so we 1565 * first check if we can resume, and later peek at the next handshake 1566 * message to see if the server wants to resume. 1567 */ 1568 if (s->version >= TLS1_VERSION 1569 && s->ext.session_secret_cb != NULL && s->session->ext.tick) { 1570 const SSL_CIPHER *pref_cipher = NULL; 1571 /* 1572 * s->session->master_key_length is a size_t, but this is an int for 1573 * backwards compat reasons 1574 */ 1575 int master_key_length; 1576 master_key_length = sizeof(s->session->master_key); 1577 if (s->ext.session_secret_cb(s, s->session->master_key, 1578 &master_key_length, 1579 NULL, &pref_cipher, 1580 s->ext.session_secret_cb_arg) 1581 && master_key_length > 0) { 1582 s->session->master_key_length = master_key_length; 1583 s->session->cipher = pref_cipher ? 1584 pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0); 1585 } else { 1586 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1587 SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1588 goto err; 1589 } 1590 } 1591 1592 if (session_id_len != 0 1593 && session_id_len == s->session->session_id_length 1594 && memcmp(PACKET_data(&session_id), s->session->session_id, 1595 session_id_len) == 0) 1596 s->hit = 1; 1597 } 1598 1599 if (s->hit) { 1600 if (s->sid_ctx_length != s->session->sid_ctx_length 1601 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { 1602 /* actually a client application bug */ 1603 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1604 SSL_F_TLS_PROCESS_SERVER_HELLO, 1605 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 1606 goto err; 1607 } 1608 } else { 1609 /* 1610 * If we were trying for session-id reuse but the server 1611 * didn't resume, make a new SSL_SESSION. 1612 * In the case of EAP-FAST and PAC, we do not send a session ID, 1613 * so the PAC-based session secret is always preserved. It'll be 1614 * overwritten if the server refuses resumption. 1615 */ 1616 if (s->session->session_id_length > 0 1617 || (SSL_IS_TLS13(s) 1618 && s->session->ext.tick_identity 1619 != TLSEXT_PSK_BAD_IDENTITY)) { 1620 tsan_counter(&s->session_ctx->stats.sess_miss); 1621 if (!ssl_get_new_session(s, 0)) { 1622 /* SSLfatal() already called */ 1623 goto err; 1624 } 1625 } 1626 1627 s->session->ssl_version = s->version; 1628 /* 1629 * In TLSv1.2 and below we save the session id we were sent so we can 1630 * resume it later. In TLSv1.3 the session id we were sent is just an 1631 * echo of what we originally sent in the ClientHello and should not be 1632 * used for resumption. 1633 */ 1634 if (!SSL_IS_TLS13(s)) { 1635 s->session->session_id_length = session_id_len; 1636 /* session_id_len could be 0 */ 1637 if (session_id_len > 0) 1638 memcpy(s->session->session_id, PACKET_data(&session_id), 1639 session_id_len); 1640 } 1641 } 1642 1643 /* Session version and negotiated protocol version should match */ 1644 if (s->version != s->session->ssl_version) { 1645 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_TLS_PROCESS_SERVER_HELLO, 1646 SSL_R_SSL_SESSION_VERSION_MISMATCH); 1647 goto err; 1648 } 1649 /* 1650 * Now that we know the version, update the check to see if it's an allowed 1651 * version. 1652 */ 1653 s->s3->tmp.min_ver = s->version; 1654 s->s3->tmp.max_ver = s->version; 1655 1656 if (!set_client_ciphersuite(s, cipherchars)) { 1657 /* SSLfatal() already called */ 1658 goto err; 1659 } 1660 1661 #ifdef OPENSSL_NO_COMP 1662 if (compression != 0) { 1663 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1664 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1665 goto err; 1666 } 1667 /* 1668 * If compression is disabled we'd better not try to resume a session 1669 * using compression. 1670 */ 1671 if (s->session->compress_meth != 0) { 1672 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SERVER_HELLO, 1673 SSL_R_INCONSISTENT_COMPRESSION); 1674 goto err; 1675 } 1676 #else 1677 if (s->hit && compression != s->session->compress_meth) { 1678 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1679 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); 1680 goto err; 1681 } 1682 if (compression == 0) 1683 comp = NULL; 1684 else if (!ssl_allow_compression(s)) { 1685 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1686 SSL_R_COMPRESSION_DISABLED); 1687 goto err; 1688 } else { 1689 comp = ssl3_comp_find(s->ctx->comp_methods, compression); 1690 } 1691 1692 if (compression != 0 && comp == NULL) { 1693 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1694 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1695 goto err; 1696 } else { 1697 s->s3->tmp.new_compression = comp; 1698 } 1699 #endif 1700 1701 if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) { 1702 /* SSLfatal() already called */ 1703 goto err; 1704 } 1705 1706 #ifndef OPENSSL_NO_SCTP 1707 if (SSL_IS_DTLS(s) && s->hit) { 1708 unsigned char sctpauthkey[64]; 1709 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 1710 size_t labellen; 1711 1712 /* 1713 * Add new shared key for SCTP-Auth, will be ignored if 1714 * no SCTP used. 1715 */ 1716 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 1717 sizeof(DTLS1_SCTP_AUTH_LABEL)); 1718 1719 /* Don't include the terminating zero. */ 1720 labellen = sizeof(labelbuffer) - 1; 1721 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) 1722 labellen += 1; 1723 1724 if (SSL_export_keying_material(s, sctpauthkey, 1725 sizeof(sctpauthkey), 1726 labelbuffer, 1727 labellen, NULL, 0, 0) <= 0) { 1728 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1729 ERR_R_INTERNAL_ERROR); 1730 goto err; 1731 } 1732 1733 BIO_ctrl(SSL_get_wbio(s), 1734 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 1735 sizeof(sctpauthkey), sctpauthkey); 1736 } 1737 #endif 1738 1739 /* 1740 * In TLSv1.3 we have some post-processing to change cipher state, otherwise 1741 * we're done with this message 1742 */ 1743 if (SSL_IS_TLS13(s) 1744 && (!s->method->ssl3_enc->setup_key_block(s) 1745 || !s->method->ssl3_enc->change_cipher_state(s, 1746 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) { 1747 /* SSLfatal() already called */ 1748 goto err; 1749 } 1750 1751 OPENSSL_free(extensions); 1752 return MSG_PROCESS_CONTINUE_READING; 1753 err: 1754 OPENSSL_free(extensions); 1755 return MSG_PROCESS_ERROR; 1756 } 1757 1758 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, 1759 PACKET *extpkt) 1760 { 1761 RAW_EXTENSION *extensions = NULL; 1762 1763 /* 1764 * If we were sending early_data then the enc_write_ctx is now invalid and 1765 * should not be used. 1766 */ 1767 EVP_CIPHER_CTX_free(s->enc_write_ctx); 1768 s->enc_write_ctx = NULL; 1769 1770 if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, 1771 &extensions, NULL, 1) 1772 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, 1773 extensions, NULL, 0, 1)) { 1774 /* SSLfatal() already called */ 1775 goto err; 1776 } 1777 1778 OPENSSL_free(extensions); 1779 extensions = NULL; 1780 1781 if (s->ext.tls13_cookie_len == 0 1782 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) 1783 && s->s3->tmp.pkey != NULL 1784 #endif 1785 ) { 1786 /* 1787 * We didn't receive a cookie or a new key_share so the next 1788 * ClientHello will not change 1789 */ 1790 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1791 SSL_F_TLS_PROCESS_AS_HELLO_RETRY_REQUEST, 1792 SSL_R_NO_CHANGE_FOLLOWING_HRR); 1793 goto err; 1794 } 1795 1796 /* 1797 * Re-initialise the Transcript Hash. We're going to prepopulate it with 1798 * a synthetic message_hash in place of ClientHello1. 1799 */ 1800 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { 1801 /* SSLfatal() already called */ 1802 goto err; 1803 } 1804 1805 /* 1806 * Add this message to the Transcript Hash. Normally this is done 1807 * automatically prior to the message processing stage. However due to the 1808 * need to create the synthetic message hash, we defer that step until now 1809 * for HRR messages. 1810 */ 1811 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1812 s->init_num + SSL3_HM_HEADER_LENGTH)) { 1813 /* SSLfatal() already called */ 1814 goto err; 1815 } 1816 1817 return MSG_PROCESS_FINISHED_READING; 1818 err: 1819 OPENSSL_free(extensions); 1820 return MSG_PROCESS_ERROR; 1821 } 1822 1823 MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) 1824 { 1825 int i; 1826 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; 1827 unsigned long cert_list_len, cert_len; 1828 X509 *x = NULL; 1829 const unsigned char *certstart, *certbytes; 1830 STACK_OF(X509) *sk = NULL; 1831 EVP_PKEY *pkey = NULL; 1832 size_t chainidx, certidx; 1833 unsigned int context = 0; 1834 const SSL_CERT_LOOKUP *clu; 1835 1836 if ((sk = sk_X509_new_null()) == NULL) { 1837 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1838 ERR_R_MALLOC_FAILURE); 1839 goto err; 1840 } 1841 1842 if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) 1843 || context != 0 1844 || !PACKET_get_net_3(pkt, &cert_list_len) 1845 || PACKET_remaining(pkt) != cert_list_len 1846 || PACKET_remaining(pkt) == 0) { 1847 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1848 SSL_R_LENGTH_MISMATCH); 1849 goto err; 1850 } 1851 for (chainidx = 0; PACKET_remaining(pkt); chainidx++) { 1852 if (!PACKET_get_net_3(pkt, &cert_len) 1853 || !PACKET_get_bytes(pkt, &certbytes, cert_len)) { 1854 SSLfatal(s, SSL_AD_DECODE_ERROR, 1855 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1856 SSL_R_CERT_LENGTH_MISMATCH); 1857 goto err; 1858 } 1859 1860 certstart = certbytes; 1861 x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len); 1862 if (x == NULL) { 1863 SSLfatal(s, SSL_AD_BAD_CERTIFICATE, 1864 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB); 1865 goto err; 1866 } 1867 if (certbytes != (certstart + cert_len)) { 1868 SSLfatal(s, SSL_AD_DECODE_ERROR, 1869 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1870 SSL_R_CERT_LENGTH_MISMATCH); 1871 goto err; 1872 } 1873 1874 if (SSL_IS_TLS13(s)) { 1875 RAW_EXTENSION *rawexts = NULL; 1876 PACKET extensions; 1877 1878 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { 1879 SSLfatal(s, SSL_AD_DECODE_ERROR, 1880 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1881 SSL_R_BAD_LENGTH); 1882 goto err; 1883 } 1884 if (!tls_collect_extensions(s, &extensions, 1885 SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, 1886 NULL, chainidx == 0) 1887 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, 1888 rawexts, x, chainidx, 1889 PACKET_remaining(pkt) == 0)) { 1890 OPENSSL_free(rawexts); 1891 /* SSLfatal already called */ 1892 goto err; 1893 } 1894 OPENSSL_free(rawexts); 1895 } 1896 1897 if (!sk_X509_push(sk, x)) { 1898 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1899 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1900 ERR_R_MALLOC_FAILURE); 1901 goto err; 1902 } 1903 x = NULL; 1904 } 1905 1906 i = ssl_verify_cert_chain(s, sk); 1907 /* 1908 * The documented interface is that SSL_VERIFY_PEER should be set in order 1909 * for client side verification of the server certificate to take place. 1910 * However, historically the code has only checked that *any* flag is set 1911 * to cause server verification to take place. Use of the other flags makes 1912 * no sense in client mode. An attempt to clean up the semantics was 1913 * reverted because at least one application *only* set 1914 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused 1915 * server verification to take place, after the clean up it silently did 1916 * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags 1917 * sent to them because they are void functions. Therefore, we now use the 1918 * (less clean) historic behaviour of performing validation if any flag is 1919 * set. The *documented* interface remains the same. 1920 */ 1921 if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { 1922 SSLfatal(s, ssl_x509err2alert(s->verify_result), 1923 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1924 SSL_R_CERTIFICATE_VERIFY_FAILED); 1925 goto err; 1926 } 1927 ERR_clear_error(); /* but we keep s->verify_result */ 1928 if (i > 1) { 1929 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1930 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i); 1931 goto err; 1932 } 1933 1934 s->session->peer_chain = sk; 1935 /* 1936 * Inconsistency alert: cert_chain does include the peer's certificate, 1937 * which we don't include in statem_srvr.c 1938 */ 1939 x = sk_X509_value(sk, 0); 1940 sk = NULL; 1941 1942 pkey = X509_get0_pubkey(x); 1943 1944 if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) { 1945 x = NULL; 1946 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1947 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1948 goto err; 1949 } 1950 1951 if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) { 1952 x = NULL; 1953 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1954 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1955 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1956 goto err; 1957 } 1958 /* 1959 * Check certificate type is consistent with ciphersuite. For TLS 1.3 1960 * skip check since TLS 1.3 ciphersuites can be used with any certificate 1961 * type. 1962 */ 1963 if (!SSL_IS_TLS13(s)) { 1964 if ((clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0) { 1965 x = NULL; 1966 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1967 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1968 SSL_R_WRONG_CERTIFICATE_TYPE); 1969 goto err; 1970 } 1971 } 1972 s->session->peer_type = certidx; 1973 1974 X509_free(s->session->peer); 1975 X509_up_ref(x); 1976 s->session->peer = x; 1977 s->session->verify_result = s->verify_result; 1978 x = NULL; 1979 1980 /* Save the current hash state for when we receive the CertificateVerify */ 1981 if (SSL_IS_TLS13(s) 1982 && !ssl_handshake_hash(s, s->cert_verify_hash, 1983 sizeof(s->cert_verify_hash), 1984 &s->cert_verify_hash_len)) { 1985 /* SSLfatal() already called */; 1986 goto err; 1987 } 1988 1989 ret = MSG_PROCESS_CONTINUE_READING; 1990 1991 err: 1992 X509_free(x); 1993 sk_X509_pop_free(sk, X509_free); 1994 return ret; 1995 } 1996 1997 static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt) 1998 { 1999 #ifndef OPENSSL_NO_PSK 2000 PACKET psk_identity_hint; 2001 2002 /* PSK ciphersuites are preceded by an identity hint */ 2003 2004 if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) { 2005 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, 2006 SSL_R_LENGTH_MISMATCH); 2007 return 0; 2008 } 2009 2010 /* 2011 * Store PSK identity hint for later use, hint is used in 2012 * tls_construct_client_key_exchange. Assume that the maximum length of 2013 * a PSK identity hint can be as long as the maximum length of a PSK 2014 * identity. 2015 */ 2016 if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) { 2017 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2018 SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, 2019 SSL_R_DATA_LENGTH_TOO_LONG); 2020 return 0; 2021 } 2022 2023 if (PACKET_remaining(&psk_identity_hint) == 0) { 2024 OPENSSL_free(s->session->psk_identity_hint); 2025 s->session->psk_identity_hint = NULL; 2026 } else if (!PACKET_strndup(&psk_identity_hint, 2027 &s->session->psk_identity_hint)) { 2028 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, 2029 ERR_R_INTERNAL_ERROR); 2030 return 0; 2031 } 2032 2033 return 1; 2034 #else 2035 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, 2036 ERR_R_INTERNAL_ERROR); 2037 return 0; 2038 #endif 2039 } 2040 2041 static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey) 2042 { 2043 #ifndef OPENSSL_NO_SRP 2044 PACKET prime, generator, salt, server_pub; 2045 2046 if (!PACKET_get_length_prefixed_2(pkt, &prime) 2047 || !PACKET_get_length_prefixed_2(pkt, &generator) 2048 || !PACKET_get_length_prefixed_1(pkt, &salt) 2049 || !PACKET_get_length_prefixed_2(pkt, &server_pub)) { 2050 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_SRP, 2051 SSL_R_LENGTH_MISMATCH); 2052 return 0; 2053 } 2054 2055 /* TODO(size_t): Convert BN_bin2bn() calls */ 2056 if ((s->srp_ctx.N = 2057 BN_bin2bn(PACKET_data(&prime), 2058 (int)PACKET_remaining(&prime), NULL)) == NULL 2059 || (s->srp_ctx.g = 2060 BN_bin2bn(PACKET_data(&generator), 2061 (int)PACKET_remaining(&generator), NULL)) == NULL 2062 || (s->srp_ctx.s = 2063 BN_bin2bn(PACKET_data(&salt), 2064 (int)PACKET_remaining(&salt), NULL)) == NULL 2065 || (s->srp_ctx.B = 2066 BN_bin2bn(PACKET_data(&server_pub), 2067 (int)PACKET_remaining(&server_pub), NULL)) == NULL) { 2068 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_SRP, 2069 ERR_R_BN_LIB); 2070 return 0; 2071 } 2072 2073 if (!srp_verify_server_param(s)) { 2074 /* SSLfatal() already called */ 2075 return 0; 2076 } 2077 2078 /* We must check if there is a certificate */ 2079 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) 2080 *pkey = X509_get0_pubkey(s->session->peer); 2081 2082 return 1; 2083 #else 2084 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_SRP, 2085 ERR_R_INTERNAL_ERROR); 2086 return 0; 2087 #endif 2088 } 2089 2090 static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) 2091 { 2092 #ifndef OPENSSL_NO_DH 2093 PACKET prime, generator, pub_key; 2094 EVP_PKEY *peer_tmp = NULL; 2095 2096 DH *dh = NULL; 2097 BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL; 2098 2099 int check_bits = 0; 2100 2101 if (!PACKET_get_length_prefixed_2(pkt, &prime) 2102 || !PACKET_get_length_prefixed_2(pkt, &generator) 2103 || !PACKET_get_length_prefixed_2(pkt, &pub_key)) { 2104 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2105 SSL_R_LENGTH_MISMATCH); 2106 return 0; 2107 } 2108 2109 peer_tmp = EVP_PKEY_new(); 2110 dh = DH_new(); 2111 2112 if (peer_tmp == NULL || dh == NULL) { 2113 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2114 ERR_R_MALLOC_FAILURE); 2115 goto err; 2116 } 2117 2118 /* TODO(size_t): Convert these calls */ 2119 p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL); 2120 g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator), 2121 NULL); 2122 bnpub_key = BN_bin2bn(PACKET_data(&pub_key), 2123 (int)PACKET_remaining(&pub_key), NULL); 2124 if (p == NULL || g == NULL || bnpub_key == NULL) { 2125 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2126 ERR_R_BN_LIB); 2127 goto err; 2128 } 2129 2130 /* test non-zero pubkey */ 2131 if (BN_is_zero(bnpub_key)) { 2132 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_DHE, 2133 SSL_R_BAD_DH_VALUE); 2134 goto err; 2135 } 2136 2137 if (!DH_set0_pqg(dh, p, NULL, g)) { 2138 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2139 ERR_R_BN_LIB); 2140 goto err; 2141 } 2142 p = g = NULL; 2143 2144 if (DH_check_params(dh, &check_bits) == 0 || check_bits != 0) { 2145 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_DHE, 2146 SSL_R_BAD_DH_VALUE); 2147 goto err; 2148 } 2149 2150 if (!DH_set0_key(dh, bnpub_key, NULL)) { 2151 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2152 ERR_R_BN_LIB); 2153 goto err; 2154 } 2155 bnpub_key = NULL; 2156 2157 if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) { 2158 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE, 2159 SSL_R_DH_KEY_TOO_SMALL); 2160 goto err; 2161 } 2162 2163 if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) { 2164 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2165 ERR_R_EVP_LIB); 2166 goto err; 2167 } 2168 2169 s->s3->peer_tmp = peer_tmp; 2170 2171 /* 2172 * FIXME: This makes assumptions about which ciphersuites come with 2173 * public keys. We should have a less ad-hoc way of doing this 2174 */ 2175 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) 2176 *pkey = X509_get0_pubkey(s->session->peer); 2177 /* else anonymous DH, so no certificate or pkey. */ 2178 2179 return 1; 2180 2181 err: 2182 BN_free(p); 2183 BN_free(g); 2184 BN_free(bnpub_key); 2185 DH_free(dh); 2186 EVP_PKEY_free(peer_tmp); 2187 2188 return 0; 2189 #else 2190 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2191 ERR_R_INTERNAL_ERROR); 2192 return 0; 2193 #endif 2194 } 2195 2196 static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) 2197 { 2198 #ifndef OPENSSL_NO_EC 2199 PACKET encoded_pt; 2200 unsigned int curve_type, curve_id; 2201 2202 /* 2203 * Extract elliptic curve parameters and the server's ephemeral ECDH 2204 * public key. We only support named (not generic) curves and 2205 * ECParameters in this case is just three bytes. 2206 */ 2207 if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) { 2208 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, 2209 SSL_R_LENGTH_TOO_SHORT); 2210 return 0; 2211 } 2212 /* 2213 * Check curve is named curve type and one of our preferences, if not 2214 * server has sent an invalid curve. 2215 */ 2216 if (curve_type != NAMED_CURVE_TYPE 2217 || !tls1_check_group_id(s, curve_id, 1)) { 2218 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE, 2219 SSL_R_WRONG_CURVE); 2220 return 0; 2221 } 2222 2223 if ((s->s3->peer_tmp = ssl_generate_param_group(curve_id)) == NULL) { 2224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, 2225 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 2226 return 0; 2227 } 2228 2229 if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) { 2230 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, 2231 SSL_R_LENGTH_MISMATCH); 2232 return 0; 2233 } 2234 2235 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp, 2236 PACKET_data(&encoded_pt), 2237 PACKET_remaining(&encoded_pt))) { 2238 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE, 2239 SSL_R_BAD_ECPOINT); 2240 return 0; 2241 } 2242 2243 /* 2244 * The ECC/TLS specification does not mention the use of DSA to sign 2245 * ECParameters in the server key exchange message. We do support RSA 2246 * and ECDSA. 2247 */ 2248 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA) 2249 *pkey = X509_get0_pubkey(s->session->peer); 2250 else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aRSA) 2251 *pkey = X509_get0_pubkey(s->session->peer); 2252 /* else anonymous ECDH, so no certificate or pkey. */ 2253 2254 return 1; 2255 #else 2256 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, 2257 ERR_R_INTERNAL_ERROR); 2258 return 0; 2259 #endif 2260 } 2261 2262 MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) 2263 { 2264 long alg_k; 2265 EVP_PKEY *pkey = NULL; 2266 EVP_MD_CTX *md_ctx = NULL; 2267 EVP_PKEY_CTX *pctx = NULL; 2268 PACKET save_param_start, signature; 2269 2270 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 2271 2272 save_param_start = *pkt; 2273 2274 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) 2275 EVP_PKEY_free(s->s3->peer_tmp); 2276 s->s3->peer_tmp = NULL; 2277 #endif 2278 2279 if (alg_k & SSL_PSK) { 2280 if (!tls_process_ske_psk_preamble(s, pkt)) { 2281 /* SSLfatal() already called */ 2282 goto err; 2283 } 2284 } 2285 2286 /* Nothing else to do for plain PSK or RSAPSK */ 2287 if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) { 2288 } else if (alg_k & SSL_kSRP) { 2289 if (!tls_process_ske_srp(s, pkt, &pkey)) { 2290 /* SSLfatal() already called */ 2291 goto err; 2292 } 2293 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { 2294 if (!tls_process_ske_dhe(s, pkt, &pkey)) { 2295 /* SSLfatal() already called */ 2296 goto err; 2297 } 2298 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { 2299 if (!tls_process_ske_ecdhe(s, pkt, &pkey)) { 2300 /* SSLfatal() already called */ 2301 goto err; 2302 } 2303 } else if (alg_k) { 2304 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2305 SSL_R_UNEXPECTED_MESSAGE); 2306 goto err; 2307 } 2308 2309 /* if it was signed, check the signature */ 2310 if (pkey != NULL) { 2311 PACKET params; 2312 int maxsig; 2313 const EVP_MD *md = NULL; 2314 unsigned char *tbs; 2315 size_t tbslen; 2316 int rv; 2317 2318 /* 2319 * |pkt| now points to the beginning of the signature, so the difference 2320 * equals the length of the parameters. 2321 */ 2322 if (!PACKET_get_sub_packet(&save_param_start, ¶ms, 2323 PACKET_remaining(&save_param_start) - 2324 PACKET_remaining(pkt))) { 2325 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2326 ERR_R_INTERNAL_ERROR); 2327 goto err; 2328 } 2329 2330 if (SSL_USE_SIGALGS(s)) { 2331 unsigned int sigalg; 2332 2333 if (!PACKET_get_net_2(pkt, &sigalg)) { 2334 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2335 SSL_R_LENGTH_TOO_SHORT); 2336 goto err; 2337 } 2338 if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) { 2339 /* SSLfatal() already called */ 2340 goto err; 2341 } 2342 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { 2343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2344 ERR_R_INTERNAL_ERROR); 2345 goto err; 2346 } 2347 2348 if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) { 2349 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2350 ERR_R_INTERNAL_ERROR); 2351 goto err; 2352 } 2353 #ifdef SSL_DEBUG 2354 if (SSL_USE_SIGALGS(s)) 2355 fprintf(stderr, "USING TLSv1.2 HASH %s\n", 2356 md == NULL ? "n/a" : EVP_MD_name(md)); 2357 #endif 2358 2359 if (!PACKET_get_length_prefixed_2(pkt, &signature) 2360 || PACKET_remaining(pkt) != 0) { 2361 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2362 SSL_R_LENGTH_MISMATCH); 2363 goto err; 2364 } 2365 maxsig = EVP_PKEY_size(pkey); 2366 if (maxsig < 0) { 2367 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2368 ERR_R_INTERNAL_ERROR); 2369 goto err; 2370 } 2371 2372 /* 2373 * Check signature length 2374 */ 2375 if (PACKET_remaining(&signature) > (size_t)maxsig) { 2376 /* wrong packet length */ 2377 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2378 SSL_R_WRONG_SIGNATURE_LENGTH); 2379 goto err; 2380 } 2381 2382 md_ctx = EVP_MD_CTX_new(); 2383 if (md_ctx == NULL) { 2384 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2385 ERR_R_MALLOC_FAILURE); 2386 goto err; 2387 } 2388 2389 if (EVP_DigestVerifyInit(md_ctx, &pctx, md, NULL, pkey) <= 0) { 2390 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2391 ERR_R_EVP_LIB); 2392 goto err; 2393 } 2394 if (SSL_USE_PSS(s)) { 2395 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 2396 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 2397 RSA_PSS_SALTLEN_DIGEST) <= 0) { 2398 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2399 SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB); 2400 goto err; 2401 } 2402 } 2403 tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(¶ms), 2404 PACKET_remaining(¶ms)); 2405 if (tbslen == 0) { 2406 /* SSLfatal() already called */ 2407 goto err; 2408 } 2409 2410 rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature), 2411 PACKET_remaining(&signature), tbs, tbslen); 2412 OPENSSL_free(tbs); 2413 if (rv <= 0) { 2414 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2415 SSL_R_BAD_SIGNATURE); 2416 goto err; 2417 } 2418 EVP_MD_CTX_free(md_ctx); 2419 md_ctx = NULL; 2420 } else { 2421 /* aNULL, aSRP or PSK do not need public keys */ 2422 if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) 2423 && !(alg_k & SSL_PSK)) { 2424 /* Might be wrong key type, check it */ 2425 if (ssl3_check_cert_and_algorithm(s)) { 2426 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2427 SSL_R_BAD_DATA); 2428 } 2429 /* else this shouldn't happen, SSLfatal() already called */ 2430 goto err; 2431 } 2432 /* still data left over */ 2433 if (PACKET_remaining(pkt) != 0) { 2434 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2435 SSL_R_EXTRA_DATA_IN_MESSAGE); 2436 goto err; 2437 } 2438 } 2439 2440 return MSG_PROCESS_CONTINUE_READING; 2441 err: 2442 EVP_MD_CTX_free(md_ctx); 2443 return MSG_PROCESS_ERROR; 2444 } 2445 2446 MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) 2447 { 2448 size_t i; 2449 2450 /* Clear certificate validity flags */ 2451 for (i = 0; i < SSL_PKEY_NUM; i++) 2452 s->s3->tmp.valid_flags[i] = 0; 2453 2454 if (SSL_IS_TLS13(s)) { 2455 PACKET reqctx, extensions; 2456 RAW_EXTENSION *rawexts = NULL; 2457 2458 if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { 2459 /* 2460 * We already sent close_notify. This can only happen in TLSv1.3 2461 * post-handshake messages. We can't reasonably respond to this, so 2462 * we just ignore it 2463 */ 2464 return MSG_PROCESS_FINISHED_READING; 2465 } 2466 2467 /* Free and zero certificate types: it is not present in TLS 1.3 */ 2468 OPENSSL_free(s->s3->tmp.ctype); 2469 s->s3->tmp.ctype = NULL; 2470 s->s3->tmp.ctype_len = 0; 2471 OPENSSL_free(s->pha_context); 2472 s->pha_context = NULL; 2473 2474 if (!PACKET_get_length_prefixed_1(pkt, &reqctx) || 2475 !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) { 2476 SSLfatal(s, SSL_AD_DECODE_ERROR, 2477 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2478 SSL_R_LENGTH_MISMATCH); 2479 return MSG_PROCESS_ERROR; 2480 } 2481 2482 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { 2483 SSLfatal(s, SSL_AD_DECODE_ERROR, 2484 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2485 SSL_R_BAD_LENGTH); 2486 return MSG_PROCESS_ERROR; 2487 } 2488 if (!tls_collect_extensions(s, &extensions, 2489 SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 2490 &rawexts, NULL, 1) 2491 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 2492 rawexts, NULL, 0, 1)) { 2493 /* SSLfatal() already called */ 2494 OPENSSL_free(rawexts); 2495 return MSG_PROCESS_ERROR; 2496 } 2497 OPENSSL_free(rawexts); 2498 if (!tls1_process_sigalgs(s)) { 2499 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2500 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2501 SSL_R_BAD_LENGTH); 2502 return MSG_PROCESS_ERROR; 2503 } 2504 } else { 2505 PACKET ctypes; 2506 2507 /* get the certificate types */ 2508 if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) { 2509 SSLfatal(s, SSL_AD_DECODE_ERROR, 2510 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2511 SSL_R_LENGTH_MISMATCH); 2512 return MSG_PROCESS_ERROR; 2513 } 2514 2515 if (!PACKET_memdup(&ctypes, &s->s3->tmp.ctype, &s->s3->tmp.ctype_len)) { 2516 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2517 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2518 ERR_R_INTERNAL_ERROR); 2519 return MSG_PROCESS_ERROR; 2520 } 2521 2522 if (SSL_USE_SIGALGS(s)) { 2523 PACKET sigalgs; 2524 2525 if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) { 2526 SSLfatal(s, SSL_AD_DECODE_ERROR, 2527 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2528 SSL_R_LENGTH_MISMATCH); 2529 return MSG_PROCESS_ERROR; 2530 } 2531 2532 /* 2533 * Despite this being for certificates, preserve compatibility 2534 * with pre-TLS 1.3 and use the regular sigalgs field. 2535 */ 2536 if (!tls1_save_sigalgs(s, &sigalgs, 0)) { 2537 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2538 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2539 SSL_R_SIGNATURE_ALGORITHMS_ERROR); 2540 return MSG_PROCESS_ERROR; 2541 } 2542 if (!tls1_process_sigalgs(s)) { 2543 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2544 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2545 ERR_R_MALLOC_FAILURE); 2546 return MSG_PROCESS_ERROR; 2547 } 2548 } 2549 2550 /* get the CA RDNs */ 2551 if (!parse_ca_names(s, pkt)) { 2552 /* SSLfatal() already called */ 2553 return MSG_PROCESS_ERROR; 2554 } 2555 } 2556 2557 if (PACKET_remaining(pkt) != 0) { 2558 SSLfatal(s, SSL_AD_DECODE_ERROR, 2559 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2560 SSL_R_LENGTH_MISMATCH); 2561 return MSG_PROCESS_ERROR; 2562 } 2563 2564 /* we should setup a certificate to return.... */ 2565 s->s3->tmp.cert_req = 1; 2566 2567 /* 2568 * In TLSv1.3 we don't prepare the client certificate yet. We wait until 2569 * after the CertificateVerify message has been received. This is because 2570 * in TLSv1.3 the CertificateRequest arrives before the Certificate message 2571 * but in TLSv1.2 it is the other way around. We want to make sure that 2572 * SSL_get_peer_certificate() returns something sensible in 2573 * client_cert_cb. 2574 */ 2575 if (SSL_IS_TLS13(s) && s->post_handshake_auth != SSL_PHA_REQUESTED) 2576 return MSG_PROCESS_CONTINUE_READING; 2577 2578 return MSG_PROCESS_CONTINUE_PROCESSING; 2579 } 2580 2581 MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) 2582 { 2583 unsigned int ticklen; 2584 unsigned long ticket_lifetime_hint, age_add = 0; 2585 unsigned int sess_len; 2586 RAW_EXTENSION *exts = NULL; 2587 PACKET nonce; 2588 2589 PACKET_null_init(&nonce); 2590 2591 if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint) 2592 || (SSL_IS_TLS13(s) 2593 && (!PACKET_get_net_4(pkt, &age_add) 2594 || !PACKET_get_length_prefixed_1(pkt, &nonce))) 2595 || !PACKET_get_net_2(pkt, &ticklen) 2596 || (SSL_IS_TLS13(s) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen) 2597 : PACKET_remaining(pkt) != ticklen)) { 2598 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2599 SSL_R_LENGTH_MISMATCH); 2600 goto err; 2601 } 2602 2603 /* 2604 * Server is allowed to change its mind (in <=TLSv1.2) and send an empty 2605 * ticket. We already checked this TLSv1.3 case above, so it should never 2606 * be 0 here in that instance 2607 */ 2608 if (ticklen == 0) 2609 return MSG_PROCESS_CONTINUE_READING; 2610 2611 /* 2612 * Sessions must be immutable once they go into the session cache. Otherwise 2613 * we can get multi-thread problems. Therefore we don't "update" sessions, 2614 * we replace them with a duplicate. In TLSv1.3 we need to do this every 2615 * time a NewSessionTicket arrives because those messages arrive 2616 * post-handshake and the session may have already gone into the session 2617 * cache. 2618 */ 2619 if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) { 2620 SSL_SESSION *new_sess; 2621 2622 /* 2623 * We reused an existing session, so we need to replace it with a new 2624 * one 2625 */ 2626 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { 2627 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2628 SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2629 ERR_R_MALLOC_FAILURE); 2630 goto err; 2631 } 2632 2633 if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 2634 && !SSL_IS_TLS13(s)) { 2635 /* 2636 * In TLSv1.2 and below the arrival of a new tickets signals that 2637 * any old ticket we were using is now out of date, so we remove the 2638 * old session from the cache. We carry on if this fails 2639 */ 2640 SSL_CTX_remove_session(s->session_ctx, s->session); 2641 } 2642 2643 SSL_SESSION_free(s->session); 2644 s->session = new_sess; 2645 } 2646 2647 /* 2648 * Technically the cast to long here is not guaranteed by the C standard - 2649 * but we use it elsewhere, so this should be ok. 2650 */ 2651 s->session->time = (long)time(NULL); 2652 2653 OPENSSL_free(s->session->ext.tick); 2654 s->session->ext.tick = NULL; 2655 s->session->ext.ticklen = 0; 2656 2657 s->session->ext.tick = OPENSSL_malloc(ticklen); 2658 if (s->session->ext.tick == NULL) { 2659 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2660 ERR_R_MALLOC_FAILURE); 2661 goto err; 2662 } 2663 if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) { 2664 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2665 SSL_R_LENGTH_MISMATCH); 2666 goto err; 2667 } 2668 2669 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint; 2670 s->session->ext.tick_age_add = age_add; 2671 s->session->ext.ticklen = ticklen; 2672 2673 if (SSL_IS_TLS13(s)) { 2674 PACKET extpkt; 2675 2676 if (!PACKET_as_length_prefixed_2(pkt, &extpkt) 2677 || PACKET_remaining(pkt) != 0) { 2678 SSLfatal(s, SSL_AD_DECODE_ERROR, 2679 SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2680 SSL_R_LENGTH_MISMATCH); 2681 goto err; 2682 } 2683 2684 if (!tls_collect_extensions(s, &extpkt, 2685 SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts, 2686 NULL, 1) 2687 || !tls_parse_all_extensions(s, 2688 SSL_EXT_TLS1_3_NEW_SESSION_TICKET, 2689 exts, NULL, 0, 1)) { 2690 /* SSLfatal() already called */ 2691 goto err; 2692 } 2693 } 2694 2695 /* 2696 * There are two ways to detect a resumed ticket session. One is to set 2697 * an appropriate session ID and then the server must return a match in 2698 * ServerHello. This allows the normal client session ID matching to work 2699 * and we know much earlier that the ticket has been accepted. The 2700 * other way is to set zero length session ID when the ticket is 2701 * presented and rely on the handshake to determine session resumption. 2702 * We choose the former approach because this fits in with assumptions 2703 * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is 2704 * SHA256 is disabled) hash of the ticket. 2705 */ 2706 /* 2707 * TODO(size_t): we use sess_len here because EVP_Digest expects an int 2708 * but s->session->session_id_length is a size_t 2709 */ 2710 if (!EVP_Digest(s->session->ext.tick, ticklen, 2711 s->session->session_id, &sess_len, 2712 EVP_sha256(), NULL)) { 2713 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2714 ERR_R_EVP_LIB); 2715 goto err; 2716 } 2717 s->session->session_id_length = sess_len; 2718 s->session->not_resumable = 0; 2719 2720 /* This is a standalone message in TLSv1.3, so there is no more to read */ 2721 if (SSL_IS_TLS13(s)) { 2722 const EVP_MD *md = ssl_handshake_md(s); 2723 int hashleni = EVP_MD_size(md); 2724 size_t hashlen; 2725 static const unsigned char nonce_label[] = "resumption"; 2726 2727 /* Ensure cast to size_t is safe */ 2728 if (!ossl_assert(hashleni >= 0)) { 2729 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2730 SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2731 ERR_R_INTERNAL_ERROR); 2732 goto err; 2733 } 2734 hashlen = (size_t)hashleni; 2735 2736 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, 2737 nonce_label, 2738 sizeof(nonce_label) - 1, 2739 PACKET_data(&nonce), 2740 PACKET_remaining(&nonce), 2741 s->session->master_key, 2742 hashlen, 1)) { 2743 /* SSLfatal() already called */ 2744 goto err; 2745 } 2746 s->session->master_key_length = hashlen; 2747 2748 OPENSSL_free(exts); 2749 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 2750 return MSG_PROCESS_FINISHED_READING; 2751 } 2752 2753 return MSG_PROCESS_CONTINUE_READING; 2754 err: 2755 OPENSSL_free(exts); 2756 return MSG_PROCESS_ERROR; 2757 } 2758 2759 /* 2760 * In TLSv1.3 this is called from the extensions code, otherwise it is used to 2761 * parse a separate message. Returns 1 on success or 0 on failure 2762 */ 2763 int tls_process_cert_status_body(SSL *s, PACKET *pkt) 2764 { 2765 size_t resplen; 2766 unsigned int type; 2767 2768 if (!PACKET_get_1(pkt, &type) 2769 || type != TLSEXT_STATUSTYPE_ocsp) { 2770 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, 2771 SSL_R_UNSUPPORTED_STATUS_TYPE); 2772 return 0; 2773 } 2774 if (!PACKET_get_net_3_len(pkt, &resplen) 2775 || PACKET_remaining(pkt) != resplen) { 2776 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, 2777 SSL_R_LENGTH_MISMATCH); 2778 return 0; 2779 } 2780 s->ext.ocsp.resp = OPENSSL_malloc(resplen); 2781 if (s->ext.ocsp.resp == NULL) { 2782 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, 2783 ERR_R_MALLOC_FAILURE); 2784 return 0; 2785 } 2786 if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { 2787 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, 2788 SSL_R_LENGTH_MISMATCH); 2789 return 0; 2790 } 2791 s->ext.ocsp.resp_len = resplen; 2792 2793 return 1; 2794 } 2795 2796 2797 MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt) 2798 { 2799 if (!tls_process_cert_status_body(s, pkt)) { 2800 /* SSLfatal() already called */ 2801 return MSG_PROCESS_ERROR; 2802 } 2803 2804 return MSG_PROCESS_CONTINUE_READING; 2805 } 2806 2807 /* 2808 * Perform miscellaneous checks and processing after we have received the 2809 * server's initial flight. In TLS1.3 this is after the Server Finished message. 2810 * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0 2811 * on failure. 2812 */ 2813 int tls_process_initial_server_flight(SSL *s) 2814 { 2815 /* 2816 * at this point we check that we have the required stuff from 2817 * the server 2818 */ 2819 if (!ssl3_check_cert_and_algorithm(s)) { 2820 /* SSLfatal() already called */ 2821 return 0; 2822 } 2823 2824 /* 2825 * Call the ocsp status callback if needed. The |ext.ocsp.resp| and 2826 * |ext.ocsp.resp_len| values will be set if we actually received a status 2827 * message, or NULL and -1 otherwise 2828 */ 2829 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing 2830 && s->ctx->ext.status_cb != NULL) { 2831 int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); 2832 2833 if (ret == 0) { 2834 SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE, 2835 SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT, 2836 SSL_R_INVALID_STATUS_RESPONSE); 2837 return 0; 2838 } 2839 if (ret < 0) { 2840 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2841 SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT, 2842 ERR_R_MALLOC_FAILURE); 2843 return 0; 2844 } 2845 } 2846 #ifndef OPENSSL_NO_CT 2847 if (s->ct_validation_callback != NULL) { 2848 /* Note we validate the SCTs whether or not we abort on error */ 2849 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) { 2850 /* SSLfatal() already called */ 2851 return 0; 2852 } 2853 } 2854 #endif 2855 2856 return 1; 2857 } 2858 2859 MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt) 2860 { 2861 if (PACKET_remaining(pkt) > 0) { 2862 /* should contain no data */ 2863 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE, 2864 SSL_R_LENGTH_MISMATCH); 2865 return MSG_PROCESS_ERROR; 2866 } 2867 #ifndef OPENSSL_NO_SRP 2868 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) { 2869 if (SRP_Calc_A_param(s) <= 0) { 2870 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE, 2871 SSL_R_SRP_A_CALC); 2872 return MSG_PROCESS_ERROR; 2873 } 2874 } 2875 #endif 2876 2877 if (!tls_process_initial_server_flight(s)) { 2878 /* SSLfatal() already called */ 2879 return MSG_PROCESS_ERROR; 2880 } 2881 2882 return MSG_PROCESS_FINISHED_READING; 2883 } 2884 2885 static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt) 2886 { 2887 #ifndef OPENSSL_NO_PSK 2888 int ret = 0; 2889 /* 2890 * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a 2891 * \0-terminated identity. The last byte is for us for simulating 2892 * strnlen. 2893 */ 2894 char identity[PSK_MAX_IDENTITY_LEN + 1]; 2895 size_t identitylen = 0; 2896 unsigned char psk[PSK_MAX_PSK_LEN]; 2897 unsigned char *tmppsk = NULL; 2898 char *tmpidentity = NULL; 2899 size_t psklen = 0; 2900 2901 if (s->psk_client_callback == NULL) { 2902 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2903 SSL_R_PSK_NO_CLIENT_CB); 2904 goto err; 2905 } 2906 2907 memset(identity, 0, sizeof(identity)); 2908 2909 psklen = s->psk_client_callback(s, s->session->psk_identity_hint, 2910 identity, sizeof(identity) - 1, 2911 psk, sizeof(psk)); 2912 2913 if (psklen > PSK_MAX_PSK_LEN) { 2914 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2915 SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); 2916 goto err; 2917 } else if (psklen == 0) { 2918 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2919 SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2920 SSL_R_PSK_IDENTITY_NOT_FOUND); 2921 goto err; 2922 } 2923 2924 identitylen = strlen(identity); 2925 if (identitylen > PSK_MAX_IDENTITY_LEN) { 2926 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2927 ERR_R_INTERNAL_ERROR); 2928 goto err; 2929 } 2930 2931 tmppsk = OPENSSL_memdup(psk, psklen); 2932 tmpidentity = OPENSSL_strdup(identity); 2933 if (tmppsk == NULL || tmpidentity == NULL) { 2934 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2935 ERR_R_MALLOC_FAILURE); 2936 goto err; 2937 } 2938 2939 OPENSSL_free(s->s3->tmp.psk); 2940 s->s3->tmp.psk = tmppsk; 2941 s->s3->tmp.psklen = psklen; 2942 tmppsk = NULL; 2943 OPENSSL_free(s->session->psk_identity); 2944 s->session->psk_identity = tmpidentity; 2945 tmpidentity = NULL; 2946 2947 if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)) { 2948 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2949 ERR_R_INTERNAL_ERROR); 2950 goto err; 2951 } 2952 2953 ret = 1; 2954 2955 err: 2956 OPENSSL_cleanse(psk, psklen); 2957 OPENSSL_cleanse(identity, sizeof(identity)); 2958 OPENSSL_clear_free(tmppsk, psklen); 2959 OPENSSL_clear_free(tmpidentity, identitylen); 2960 2961 return ret; 2962 #else 2963 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2964 ERR_R_INTERNAL_ERROR); 2965 return 0; 2966 #endif 2967 } 2968 2969 static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt) 2970 { 2971 #ifndef OPENSSL_NO_RSA 2972 unsigned char *encdata = NULL; 2973 EVP_PKEY *pkey = NULL; 2974 EVP_PKEY_CTX *pctx = NULL; 2975 size_t enclen; 2976 unsigned char *pms = NULL; 2977 size_t pmslen = 0; 2978 2979 if (s->session->peer == NULL) { 2980 /* 2981 * We should always have a server certificate with SSL_kRSA. 2982 */ 2983 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 2984 ERR_R_INTERNAL_ERROR); 2985 return 0; 2986 } 2987 2988 pkey = X509_get0_pubkey(s->session->peer); 2989 if (EVP_PKEY_get0_RSA(pkey) == NULL) { 2990 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 2991 ERR_R_INTERNAL_ERROR); 2992 return 0; 2993 } 2994 2995 pmslen = SSL_MAX_MASTER_KEY_LENGTH; 2996 pms = OPENSSL_malloc(pmslen); 2997 if (pms == NULL) { 2998 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 2999 ERR_R_MALLOC_FAILURE); 3000 return 0; 3001 } 3002 3003 pms[0] = s->client_version >> 8; 3004 pms[1] = s->client_version & 0xff; 3005 /* TODO(size_t): Convert this function */ 3006 if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) { 3007 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3008 ERR_R_MALLOC_FAILURE); 3009 goto err; 3010 } 3011 3012 /* Fix buf for TLS and beyond */ 3013 if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) { 3014 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3015 ERR_R_INTERNAL_ERROR); 3016 goto err; 3017 } 3018 pctx = EVP_PKEY_CTX_new(pkey, NULL); 3019 if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0 3020 || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) { 3021 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3022 ERR_R_EVP_LIB); 3023 goto err; 3024 } 3025 if (!WPACKET_allocate_bytes(pkt, enclen, &encdata) 3026 || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) { 3027 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3028 SSL_R_BAD_RSA_ENCRYPT); 3029 goto err; 3030 } 3031 EVP_PKEY_CTX_free(pctx); 3032 pctx = NULL; 3033 3034 /* Fix buf for TLS and beyond */ 3035 if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) { 3036 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3037 ERR_R_INTERNAL_ERROR); 3038 goto err; 3039 } 3040 3041 /* Log the premaster secret, if logging is enabled. */ 3042 if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) { 3043 /* SSLfatal() already called */ 3044 goto err; 3045 } 3046 3047 s->s3->tmp.pms = pms; 3048 s->s3->tmp.pmslen = pmslen; 3049 3050 return 1; 3051 err: 3052 OPENSSL_clear_free(pms, pmslen); 3053 EVP_PKEY_CTX_free(pctx); 3054 3055 return 0; 3056 #else 3057 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3058 ERR_R_INTERNAL_ERROR); 3059 return 0; 3060 #endif 3061 } 3062 3063 static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) 3064 { 3065 #ifndef OPENSSL_NO_DH 3066 DH *dh_clnt = NULL; 3067 const BIGNUM *pub_key; 3068 EVP_PKEY *ckey = NULL, *skey = NULL; 3069 unsigned char *keybytes = NULL; 3070 3071 skey = s->s3->peer_tmp; 3072 if (skey == NULL) { 3073 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3074 ERR_R_INTERNAL_ERROR); 3075 goto err; 3076 } 3077 3078 ckey = ssl_generate_pkey(skey); 3079 if (ckey == NULL) { 3080 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3081 ERR_R_INTERNAL_ERROR); 3082 goto err; 3083 } 3084 3085 dh_clnt = EVP_PKEY_get0_DH(ckey); 3086 3087 if (dh_clnt == NULL) { 3088 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3089 ERR_R_INTERNAL_ERROR); 3090 goto err; 3091 } 3092 3093 if (ssl_derive(s, ckey, skey, 0) == 0) { 3094 /* SSLfatal() already called */ 3095 goto err; 3096 } 3097 3098 /* send off the data */ 3099 DH_get0_key(dh_clnt, &pub_key, NULL); 3100 if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key), 3101 &keybytes)) { 3102 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3103 ERR_R_INTERNAL_ERROR); 3104 goto err; 3105 } 3106 3107 BN_bn2bin(pub_key, keybytes); 3108 EVP_PKEY_free(ckey); 3109 3110 return 1; 3111 err: 3112 EVP_PKEY_free(ckey); 3113 return 0; 3114 #else 3115 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3116 ERR_R_INTERNAL_ERROR); 3117 return 0; 3118 #endif 3119 } 3120 3121 static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt) 3122 { 3123 #ifndef OPENSSL_NO_EC 3124 unsigned char *encodedPoint = NULL; 3125 size_t encoded_pt_len = 0; 3126 EVP_PKEY *ckey = NULL, *skey = NULL; 3127 int ret = 0; 3128 3129 skey = s->s3->peer_tmp; 3130 if (skey == NULL) { 3131 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3132 ERR_R_INTERNAL_ERROR); 3133 return 0; 3134 } 3135 3136 ckey = ssl_generate_pkey(skey); 3137 if (ckey == NULL) { 3138 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3139 ERR_R_MALLOC_FAILURE); 3140 goto err; 3141 } 3142 3143 if (ssl_derive(s, ckey, skey, 0) == 0) { 3144 /* SSLfatal() already called */ 3145 goto err; 3146 } 3147 3148 /* Generate encoding of client key */ 3149 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(ckey, &encodedPoint); 3150 3151 if (encoded_pt_len == 0) { 3152 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3153 ERR_R_EC_LIB); 3154 goto err; 3155 } 3156 3157 if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) { 3158 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3159 ERR_R_INTERNAL_ERROR); 3160 goto err; 3161 } 3162 3163 ret = 1; 3164 err: 3165 OPENSSL_free(encodedPoint); 3166 EVP_PKEY_free(ckey); 3167 return ret; 3168 #else 3169 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3170 ERR_R_INTERNAL_ERROR); 3171 return 0; 3172 #endif 3173 } 3174 3175 static int tls_construct_cke_gost(SSL *s, WPACKET *pkt) 3176 { 3177 #ifndef OPENSSL_NO_GOST 3178 /* GOST key exchange message creation */ 3179 EVP_PKEY_CTX *pkey_ctx = NULL; 3180 X509 *peer_cert; 3181 size_t msglen; 3182 unsigned int md_len; 3183 unsigned char shared_ukm[32], tmp[256]; 3184 EVP_MD_CTX *ukm_hash = NULL; 3185 int dgst_nid = NID_id_GostR3411_94; 3186 unsigned char *pms = NULL; 3187 size_t pmslen = 0; 3188 3189 if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0) 3190 dgst_nid = NID_id_GostR3411_2012_256; 3191 3192 /* 3193 * Get server certificate PKEY and create ctx from it 3194 */ 3195 peer_cert = s->session->peer; 3196 if (!peer_cert) { 3197 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3198 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 3199 return 0; 3200 } 3201 3202 pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL); 3203 if (pkey_ctx == NULL) { 3204 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3205 ERR_R_MALLOC_FAILURE); 3206 return 0; 3207 } 3208 /* 3209 * If we have send a certificate, and certificate key 3210 * parameters match those of server certificate, use 3211 * certificate key for key exchange 3212 */ 3213 3214 /* Otherwise, generate ephemeral key pair */ 3215 pmslen = 32; 3216 pms = OPENSSL_malloc(pmslen); 3217 if (pms == NULL) { 3218 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3219 ERR_R_MALLOC_FAILURE); 3220 goto err; 3221 } 3222 3223 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 3224 /* Generate session key 3225 * TODO(size_t): Convert this function 3226 */ 3227 || RAND_bytes(pms, (int)pmslen) <= 0) { 3228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3229 ERR_R_INTERNAL_ERROR); 3230 goto err; 3231 }; 3232 /* 3233 * Compute shared IV and store it in algorithm-specific context 3234 * data 3235 */ 3236 ukm_hash = EVP_MD_CTX_new(); 3237 if (ukm_hash == NULL 3238 || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0 3239 || EVP_DigestUpdate(ukm_hash, s->s3->client_random, 3240 SSL3_RANDOM_SIZE) <= 0 3241 || EVP_DigestUpdate(ukm_hash, s->s3->server_random, 3242 SSL3_RANDOM_SIZE) <= 0 3243 || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) { 3244 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3245 ERR_R_INTERNAL_ERROR); 3246 goto err; 3247 } 3248 EVP_MD_CTX_free(ukm_hash); 3249 ukm_hash = NULL; 3250 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 3251 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) { 3252 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3253 SSL_R_LIBRARY_BUG); 3254 goto err; 3255 } 3256 /* Make GOST keytransport blob message */ 3257 /* 3258 * Encapsulate it into sequence 3259 */ 3260 msglen = 255; 3261 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) { 3262 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3263 SSL_R_LIBRARY_BUG); 3264 goto err; 3265 } 3266 3267 if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED) 3268 || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81)) 3269 || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) { 3270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3271 ERR_R_INTERNAL_ERROR); 3272 goto err; 3273 } 3274 3275 EVP_PKEY_CTX_free(pkey_ctx); 3276 s->s3->tmp.pms = pms; 3277 s->s3->tmp.pmslen = pmslen; 3278 3279 return 1; 3280 err: 3281 EVP_PKEY_CTX_free(pkey_ctx); 3282 OPENSSL_clear_free(pms, pmslen); 3283 EVP_MD_CTX_free(ukm_hash); 3284 return 0; 3285 #else 3286 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3287 ERR_R_INTERNAL_ERROR); 3288 return 0; 3289 #endif 3290 } 3291 3292 static int tls_construct_cke_srp(SSL *s, WPACKET *pkt) 3293 { 3294 #ifndef OPENSSL_NO_SRP 3295 unsigned char *abytes = NULL; 3296 3297 if (s->srp_ctx.A == NULL 3298 || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A), 3299 &abytes)) { 3300 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP, 3301 ERR_R_INTERNAL_ERROR); 3302 return 0; 3303 } 3304 BN_bn2bin(s->srp_ctx.A, abytes); 3305 3306 OPENSSL_free(s->session->srp_username); 3307 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); 3308 if (s->session->srp_username == NULL) { 3309 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP, 3310 ERR_R_MALLOC_FAILURE); 3311 return 0; 3312 } 3313 3314 return 1; 3315 #else 3316 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP, 3317 ERR_R_INTERNAL_ERROR); 3318 return 0; 3319 #endif 3320 } 3321 3322 int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt) 3323 { 3324 unsigned long alg_k; 3325 3326 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 3327 3328 /* 3329 * All of the construct functions below call SSLfatal() if necessary so 3330 * no need to do so here. 3331 */ 3332 if ((alg_k & SSL_PSK) 3333 && !tls_construct_cke_psk_preamble(s, pkt)) 3334 goto err; 3335 3336 if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) { 3337 if (!tls_construct_cke_rsa(s, pkt)) 3338 goto err; 3339 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { 3340 if (!tls_construct_cke_dhe(s, pkt)) 3341 goto err; 3342 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { 3343 if (!tls_construct_cke_ecdhe(s, pkt)) 3344 goto err; 3345 } else if (alg_k & SSL_kGOST) { 3346 if (!tls_construct_cke_gost(s, pkt)) 3347 goto err; 3348 } else if (alg_k & SSL_kSRP) { 3349 if (!tls_construct_cke_srp(s, pkt)) 3350 goto err; 3351 } else if (!(alg_k & SSL_kPSK)) { 3352 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3353 SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 3354 goto err; 3355 } 3356 3357 return 1; 3358 err: 3359 OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); 3360 s->s3->tmp.pms = NULL; 3361 #ifndef OPENSSL_NO_PSK 3362 OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen); 3363 s->s3->tmp.psk = NULL; 3364 #endif 3365 return 0; 3366 } 3367 3368 int tls_client_key_exchange_post_work(SSL *s) 3369 { 3370 unsigned char *pms = NULL; 3371 size_t pmslen = 0; 3372 3373 pms = s->s3->tmp.pms; 3374 pmslen = s->s3->tmp.pmslen; 3375 3376 #ifndef OPENSSL_NO_SRP 3377 /* Check for SRP */ 3378 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) { 3379 if (!srp_generate_client_master_secret(s)) { 3380 /* SSLfatal() already called */ 3381 goto err; 3382 } 3383 return 1; 3384 } 3385 #endif 3386 3387 if (pms == NULL && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 3388 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3389 SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_MALLOC_FAILURE); 3390 goto err; 3391 } 3392 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) { 3393 /* SSLfatal() already called */ 3394 /* ssl_generate_master_secret frees the pms even on error */ 3395 pms = NULL; 3396 pmslen = 0; 3397 goto err; 3398 } 3399 pms = NULL; 3400 pmslen = 0; 3401 3402 #ifndef OPENSSL_NO_SCTP 3403 if (SSL_IS_DTLS(s)) { 3404 unsigned char sctpauthkey[64]; 3405 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 3406 size_t labellen; 3407 3408 /* 3409 * Add new shared key for SCTP-Auth, will be ignored if no SCTP 3410 * used. 3411 */ 3412 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 3413 sizeof(DTLS1_SCTP_AUTH_LABEL)); 3414 3415 /* Don't include the terminating zero. */ 3416 labellen = sizeof(labelbuffer) - 1; 3417 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) 3418 labellen += 1; 3419 3420 if (SSL_export_keying_material(s, sctpauthkey, 3421 sizeof(sctpauthkey), labelbuffer, 3422 labellen, NULL, 0, 0) <= 0) { 3423 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3424 SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, 3425 ERR_R_INTERNAL_ERROR); 3426 goto err; 3427 } 3428 3429 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 3430 sizeof(sctpauthkey), sctpauthkey); 3431 } 3432 #endif 3433 3434 return 1; 3435 err: 3436 OPENSSL_clear_free(pms, pmslen); 3437 s->s3->tmp.pms = NULL; 3438 return 0; 3439 } 3440 3441 /* 3442 * Check a certificate can be used for client authentication. Currently check 3443 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client 3444 * certificates can be used and optionally checks suitability for Suite B. 3445 */ 3446 static int ssl3_check_client_certificate(SSL *s) 3447 { 3448 /* If no suitable signature algorithm can't use certificate */ 3449 if (!tls_choose_sigalg(s, 0) || s->s3->tmp.sigalg == NULL) 3450 return 0; 3451 /* 3452 * If strict mode check suitability of chain before using it. This also 3453 * adjusts suite B digest if necessary. 3454 */ 3455 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT && 3456 !tls1_check_chain(s, NULL, NULL, NULL, -2)) 3457 return 0; 3458 return 1; 3459 } 3460 3461 WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst) 3462 { 3463 X509 *x509 = NULL; 3464 EVP_PKEY *pkey = NULL; 3465 int i; 3466 3467 if (wst == WORK_MORE_A) { 3468 /* Let cert callback update client certificates if required */ 3469 if (s->cert->cert_cb) { 3470 i = s->cert->cert_cb(s, s->cert->cert_cb_arg); 3471 if (i < 0) { 3472 s->rwstate = SSL_X509_LOOKUP; 3473 return WORK_MORE_A; 3474 } 3475 if (i == 0) { 3476 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3477 SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE, 3478 SSL_R_CALLBACK_FAILED); 3479 return WORK_ERROR; 3480 } 3481 s->rwstate = SSL_NOTHING; 3482 } 3483 if (ssl3_check_client_certificate(s)) { 3484 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 3485 return WORK_FINISHED_STOP; 3486 } 3487 return WORK_FINISHED_CONTINUE; 3488 } 3489 3490 /* Fall through to WORK_MORE_B */ 3491 wst = WORK_MORE_B; 3492 } 3493 3494 /* We need to get a client cert */ 3495 if (wst == WORK_MORE_B) { 3496 /* 3497 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP; 3498 * return(-1); We then get retied later 3499 */ 3500 i = ssl_do_client_cert_cb(s, &x509, &pkey); 3501 if (i < 0) { 3502 s->rwstate = SSL_X509_LOOKUP; 3503 return WORK_MORE_B; 3504 } 3505 s->rwstate = SSL_NOTHING; 3506 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { 3507 if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey)) 3508 i = 0; 3509 } else if (i == 1) { 3510 i = 0; 3511 SSLerr(SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE, 3512 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 3513 } 3514 3515 X509_free(x509); 3516 EVP_PKEY_free(pkey); 3517 if (i && !ssl3_check_client_certificate(s)) 3518 i = 0; 3519 if (i == 0) { 3520 if (s->version == SSL3_VERSION) { 3521 s->s3->tmp.cert_req = 0; 3522 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); 3523 return WORK_FINISHED_CONTINUE; 3524 } else { 3525 s->s3->tmp.cert_req = 2; 3526 if (!ssl3_digest_cached_records(s, 0)) { 3527 /* SSLfatal() already called */ 3528 return WORK_ERROR; 3529 } 3530 } 3531 } 3532 3533 if (s->post_handshake_auth == SSL_PHA_REQUESTED) 3534 return WORK_FINISHED_STOP; 3535 return WORK_FINISHED_CONTINUE; 3536 } 3537 3538 /* Shouldn't ever get here */ 3539 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE, 3540 ERR_R_INTERNAL_ERROR); 3541 return WORK_ERROR; 3542 } 3543 3544 int tls_construct_client_certificate(SSL *s, WPACKET *pkt) 3545 { 3546 if (SSL_IS_TLS13(s)) { 3547 if (s->pha_context == NULL) { 3548 /* no context available, add 0-length context */ 3549 if (!WPACKET_put_bytes_u8(pkt, 0)) { 3550 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3551 SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); 3552 return 0; 3553 } 3554 } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { 3555 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3556 SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); 3557 return 0; 3558 } 3559 } 3560 if (!ssl3_output_cert_chain(s, pkt, 3561 (s->s3->tmp.cert_req == 2) ? NULL 3562 : s->cert->key)) { 3563 /* SSLfatal() already called */ 3564 return 0; 3565 } 3566 3567 if (SSL_IS_TLS13(s) 3568 && SSL_IS_FIRST_HANDSHAKE(s) 3569 && (!s->method->ssl3_enc->change_cipher_state(s, 3570 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { 3571 /* 3572 * This is a fatal error, which leaves enc_write_ctx in an inconsistent 3573 * state and thus ssl3_send_alert may crash. 3574 */ 3575 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, 3576 SSL_R_CANNOT_CHANGE_CIPHER); 3577 return 0; 3578 } 3579 3580 return 1; 3581 } 3582 3583 int ssl3_check_cert_and_algorithm(SSL *s) 3584 { 3585 const SSL_CERT_LOOKUP *clu; 3586 size_t idx; 3587 long alg_k, alg_a; 3588 3589 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 3590 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 3591 3592 /* we don't have a certificate */ 3593 if (!(alg_a & SSL_aCERT)) 3594 return 1; 3595 3596 /* This is the passed certificate */ 3597 clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx); 3598 3599 /* Check certificate is recognised and suitable for cipher */ 3600 if (clu == NULL || (alg_a & clu->amask) == 0) { 3601 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3602 SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 3603 SSL_R_MISSING_SIGNING_CERT); 3604 return 0; 3605 } 3606 3607 #ifndef OPENSSL_NO_EC 3608 if (clu->amask & SSL_aECDSA) { 3609 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) 3610 return 1; 3611 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3612 SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT); 3613 return 0; 3614 } 3615 #endif 3616 #ifndef OPENSSL_NO_RSA 3617 if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) { 3618 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3619 SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 3620 SSL_R_MISSING_RSA_ENCRYPTING_CERT); 3621 return 0; 3622 } 3623 #endif 3624 #ifndef OPENSSL_NO_DH 3625 if ((alg_k & SSL_kDHE) && (s->s3->peer_tmp == NULL)) { 3626 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 3627 ERR_R_INTERNAL_ERROR); 3628 return 0; 3629 } 3630 #endif 3631 3632 return 1; 3633 } 3634 3635 #ifndef OPENSSL_NO_NEXTPROTONEG 3636 int tls_construct_next_proto(SSL *s, WPACKET *pkt) 3637 { 3638 size_t len, padding_len; 3639 unsigned char *padding = NULL; 3640 3641 len = s->ext.npn_len; 3642 padding_len = 32 - ((len + 2) % 32); 3643 3644 if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len) 3645 || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) { 3646 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_NEXT_PROTO, 3647 ERR_R_INTERNAL_ERROR); 3648 return 0; 3649 } 3650 3651 memset(padding, 0, padding_len); 3652 3653 return 1; 3654 } 3655 #endif 3656 3657 MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt) 3658 { 3659 if (PACKET_remaining(pkt) > 0) { 3660 /* should contain no data */ 3661 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_REQ, 3662 SSL_R_LENGTH_MISMATCH); 3663 return MSG_PROCESS_ERROR; 3664 } 3665 3666 if ((s->options & SSL_OP_NO_RENEGOTIATION)) { 3667 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); 3668 return MSG_PROCESS_FINISHED_READING; 3669 } 3670 3671 /* 3672 * This is a historical discrepancy (not in the RFC) maintained for 3673 * compatibility reasons. If a TLS client receives a HelloRequest it will 3674 * attempt an abbreviated handshake. However if a DTLS client receives a 3675 * HelloRequest it will do a full handshake. Either behaviour is reasonable 3676 * but doing one for TLS and another for DTLS is odd. 3677 */ 3678 if (SSL_IS_DTLS(s)) 3679 SSL_renegotiate(s); 3680 else 3681 SSL_renegotiate_abbreviated(s); 3682 3683 return MSG_PROCESS_FINISHED_READING; 3684 } 3685 3686 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt) 3687 { 3688 PACKET extensions; 3689 RAW_EXTENSION *rawexts = NULL; 3690 3691 if (!PACKET_as_length_prefixed_2(pkt, &extensions) 3692 || PACKET_remaining(pkt) != 0) { 3693 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS, 3694 SSL_R_LENGTH_MISMATCH); 3695 goto err; 3696 } 3697 3698 if (!tls_collect_extensions(s, &extensions, 3699 SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts, 3700 NULL, 1) 3701 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, 3702 rawexts, NULL, 0, 1)) { 3703 /* SSLfatal() already called */ 3704 goto err; 3705 } 3706 3707 OPENSSL_free(rawexts); 3708 return MSG_PROCESS_CONTINUE_READING; 3709 3710 err: 3711 OPENSSL_free(rawexts); 3712 return MSG_PROCESS_ERROR; 3713 } 3714 3715 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3716 { 3717 int i = 0; 3718 #ifndef OPENSSL_NO_ENGINE 3719 if (s->ctx->client_cert_engine) { 3720 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 3721 SSL_get_client_CA_list(s), 3722 px509, ppkey, NULL, NULL, NULL); 3723 if (i != 0) 3724 return i; 3725 } 3726 #endif 3727 if (s->ctx->client_cert_cb) 3728 i = s->ctx->client_cert_cb(s, px509, ppkey); 3729 return i; 3730 } 3731 3732 int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) 3733 { 3734 int i; 3735 size_t totlen = 0, len, maxlen, maxverok = 0; 3736 int empty_reneg_info_scsv = !s->renegotiate; 3737 3738 /* Set disabled masks for this session */ 3739 if (!ssl_set_client_disabled(s)) { 3740 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, 3741 SSL_R_NO_PROTOCOLS_AVAILABLE); 3742 return 0; 3743 } 3744 3745 if (sk == NULL) { 3746 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, 3747 ERR_R_INTERNAL_ERROR); 3748 return 0; 3749 } 3750 3751 #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 3752 # if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6 3753 # error Max cipher length too short 3754 # endif 3755 /* 3756 * Some servers hang if client hello > 256 bytes as hack workaround 3757 * chop number of supported ciphers to keep it well below this if we 3758 * use TLS v1.2 3759 */ 3760 if (TLS1_get_version(s) >= TLS1_2_VERSION) 3761 maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 3762 else 3763 #endif 3764 /* Maximum length that can be stored in 2 bytes. Length must be even */ 3765 maxlen = 0xfffe; 3766 3767 if (empty_reneg_info_scsv) 3768 maxlen -= 2; 3769 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) 3770 maxlen -= 2; 3771 3772 for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) { 3773 const SSL_CIPHER *c; 3774 3775 c = sk_SSL_CIPHER_value(sk, i); 3776 /* Skip disabled ciphers */ 3777 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) 3778 continue; 3779 3780 if (!s->method->put_cipher_by_char(c, pkt, &len)) { 3781 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, 3782 ERR_R_INTERNAL_ERROR); 3783 return 0; 3784 } 3785 3786 /* Sanity check that the maximum version we offer has ciphers enabled */ 3787 if (!maxverok) { 3788 if (SSL_IS_DTLS(s)) { 3789 if (DTLS_VERSION_GE(c->max_dtls, s->s3->tmp.max_ver) 3790 && DTLS_VERSION_LE(c->min_dtls, s->s3->tmp.max_ver)) 3791 maxverok = 1; 3792 } else { 3793 if (c->max_tls >= s->s3->tmp.max_ver 3794 && c->min_tls <= s->s3->tmp.max_ver) 3795 maxverok = 1; 3796 } 3797 } 3798 3799 totlen += len; 3800 } 3801 3802 if (totlen == 0 || !maxverok) { 3803 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, 3804 SSL_R_NO_CIPHERS_AVAILABLE); 3805 3806 if (!maxverok) 3807 ERR_add_error_data(1, "No ciphers enabled for max supported " 3808 "SSL/TLS version"); 3809 3810 return 0; 3811 } 3812 3813 if (totlen != 0) { 3814 if (empty_reneg_info_scsv) { 3815 static SSL_CIPHER scsv = { 3816 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 3817 }; 3818 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { 3819 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3820 SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR); 3821 return 0; 3822 } 3823 } 3824 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { 3825 static SSL_CIPHER scsv = { 3826 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 3827 }; 3828 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { 3829 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3830 SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR); 3831 return 0; 3832 } 3833 } 3834 } 3835 3836 return 1; 3837 } 3838 3839 int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt) 3840 { 3841 if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY 3842 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) { 3843 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3844 SSL_F_TLS_CONSTRUCT_END_OF_EARLY_DATA, 3845 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 3846 return 0; 3847 } 3848 3849 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 3850 return 1; 3851 } 3852