1 /* 2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * Copyright 2005 Nokia. All rights reserved. 5 * 6 * Licensed under the OpenSSL license (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12 #include <stdio.h> 13 #include <time.h> 14 #include <assert.h> 15 #include "../ssl_local.h" 16 #include "statem_local.h" 17 #include <openssl/buffer.h> 18 #include <openssl/rand.h> 19 #include <openssl/objects.h> 20 #include <openssl/evp.h> 21 #include <openssl/md5.h> 22 #include <openssl/dh.h> 23 #include <openssl/bn.h> 24 #include <openssl/engine.h> 25 #include <internal/cryptlib.h> 26 27 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt); 28 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt); 29 30 static ossl_inline int cert_req_allowed(SSL *s); 31 static int key_exchange_expected(SSL *s); 32 static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, 33 WPACKET *pkt); 34 35 /* 36 * Is a CertificateRequest message allowed at the moment or not? 37 * 38 * Return values are: 39 * 1: Yes 40 * 0: No 41 */ 42 static ossl_inline int cert_req_allowed(SSL *s) 43 { 44 /* TLS does not like anon-DH with client cert */ 45 if ((s->version > SSL3_VERSION 46 && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) 47 || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK))) 48 return 0; 49 50 return 1; 51 } 52 53 /* 54 * Should we expect the ServerKeyExchange message or not? 55 * 56 * Return values are: 57 * 1: Yes 58 * 0: No 59 */ 60 static int key_exchange_expected(SSL *s) 61 { 62 long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 63 64 /* 65 * Can't skip server key exchange if this is an ephemeral 66 * ciphersuite or for SRP 67 */ 68 if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK 69 | SSL_kSRP)) { 70 return 1; 71 } 72 73 return 0; 74 } 75 76 /* 77 * ossl_statem_client_read_transition() encapsulates the logic for the allowed 78 * handshake state transitions when a TLS1.3 client is reading messages from the 79 * server. The message type that the server has sent is provided in |mt|. The 80 * current state is in |s->statem.hand_state|. 81 * 82 * Return values are 1 for success (transition allowed) and 0 on error 83 * (transition not allowed) 84 */ 85 static int ossl_statem_client13_read_transition(SSL *s, int mt) 86 { 87 OSSL_STATEM *st = &s->statem; 88 89 /* 90 * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't 91 * yet negotiated TLSv1.3 at that point so that is handled by 92 * ossl_statem_client_read_transition() 93 */ 94 95 switch (st->hand_state) { 96 default: 97 break; 98 99 case TLS_ST_CW_CLNT_HELLO: 100 /* 101 * This must a ClientHello following a HelloRetryRequest, so the only 102 * thing we can get now is a ServerHello. 103 */ 104 if (mt == SSL3_MT_SERVER_HELLO) { 105 st->hand_state = TLS_ST_CR_SRVR_HELLO; 106 return 1; 107 } 108 break; 109 110 case TLS_ST_CR_SRVR_HELLO: 111 if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) { 112 st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS; 113 return 1; 114 } 115 break; 116 117 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 118 if (s->hit) { 119 if (mt == SSL3_MT_FINISHED) { 120 st->hand_state = TLS_ST_CR_FINISHED; 121 return 1; 122 } 123 } else { 124 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 125 st->hand_state = TLS_ST_CR_CERT_REQ; 126 return 1; 127 } 128 if (mt == SSL3_MT_CERTIFICATE) { 129 st->hand_state = TLS_ST_CR_CERT; 130 return 1; 131 } 132 } 133 break; 134 135 case TLS_ST_CR_CERT_REQ: 136 if (mt == SSL3_MT_CERTIFICATE) { 137 st->hand_state = TLS_ST_CR_CERT; 138 return 1; 139 } 140 break; 141 142 case TLS_ST_CR_CERT: 143 if (mt == SSL3_MT_CERTIFICATE_VERIFY) { 144 st->hand_state = TLS_ST_CR_CERT_VRFY; 145 return 1; 146 } 147 break; 148 149 case TLS_ST_CR_CERT_VRFY: 150 if (mt == SSL3_MT_FINISHED) { 151 st->hand_state = TLS_ST_CR_FINISHED; 152 return 1; 153 } 154 break; 155 156 case TLS_ST_OK: 157 if (mt == SSL3_MT_NEWSESSION_TICKET) { 158 st->hand_state = TLS_ST_CR_SESSION_TICKET; 159 return 1; 160 } 161 if (mt == SSL3_MT_KEY_UPDATE) { 162 st->hand_state = TLS_ST_CR_KEY_UPDATE; 163 return 1; 164 } 165 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 166 #if DTLS_MAX_VERSION != DTLS1_2_VERSION 167 # error TODO(DTLS1.3): Restore digest for PHA before adding message. 168 #endif 169 if (!SSL_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) { 170 s->post_handshake_auth = SSL_PHA_REQUESTED; 171 /* 172 * In TLS, this is called before the message is added to the 173 * digest. In DTLS, this is expected to be called after adding 174 * to the digest. Either move the digest restore, or add the 175 * message here after the swap, or do it after the clientFinished? 176 */ 177 if (!tls13_restore_handshake_digest_for_pha(s)) { 178 /* SSLfatal() already called */ 179 return 0; 180 } 181 st->hand_state = TLS_ST_CR_CERT_REQ; 182 return 1; 183 } 184 } 185 break; 186 } 187 188 /* No valid transition found */ 189 return 0; 190 } 191 192 /* 193 * ossl_statem_client_read_transition() encapsulates the logic for the allowed 194 * handshake state transitions when the client is reading messages from the 195 * server. The message type that the server has sent is provided in |mt|. The 196 * current state is in |s->statem.hand_state|. 197 * 198 * Return values are 1 for success (transition allowed) and 0 on error 199 * (transition not allowed) 200 */ 201 int ossl_statem_client_read_transition(SSL *s, int mt) 202 { 203 OSSL_STATEM *st = &s->statem; 204 int ske_expected; 205 206 /* 207 * Note that after writing the first ClientHello we don't know what version 208 * we are going to negotiate yet, so we don't take this branch until later. 209 */ 210 if (SSL_IS_TLS13(s)) { 211 if (!ossl_statem_client13_read_transition(s, mt)) 212 goto err; 213 return 1; 214 } 215 216 switch (st->hand_state) { 217 default: 218 break; 219 220 case TLS_ST_CW_CLNT_HELLO: 221 if (mt == SSL3_MT_SERVER_HELLO) { 222 st->hand_state = TLS_ST_CR_SRVR_HELLO; 223 return 1; 224 } 225 226 if (SSL_IS_DTLS(s)) { 227 if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { 228 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; 229 return 1; 230 } 231 } 232 break; 233 234 case TLS_ST_EARLY_DATA: 235 /* 236 * We've not actually selected TLSv1.3 yet, but we have sent early 237 * data. The only thing allowed now is a ServerHello or a 238 * HelloRetryRequest. 239 */ 240 if (mt == SSL3_MT_SERVER_HELLO) { 241 st->hand_state = TLS_ST_CR_SRVR_HELLO; 242 return 1; 243 } 244 break; 245 246 case TLS_ST_CR_SRVR_HELLO: 247 if (s->hit) { 248 if (s->ext.ticket_expected) { 249 if (mt == SSL3_MT_NEWSESSION_TICKET) { 250 st->hand_state = TLS_ST_CR_SESSION_TICKET; 251 return 1; 252 } 253 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 254 st->hand_state = TLS_ST_CR_CHANGE; 255 return 1; 256 } 257 } else { 258 if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { 259 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; 260 return 1; 261 } else if (s->version >= TLS1_VERSION 262 && s->ext.session_secret_cb != NULL 263 && s->session->ext.tick != NULL 264 && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 265 /* 266 * Normally, we can tell if the server is resuming the session 267 * from the session ID. EAP-FAST (RFC 4851), however, relies on 268 * the next server message after the ServerHello to determine if 269 * the server is resuming. 270 */ 271 s->hit = 1; 272 st->hand_state = TLS_ST_CR_CHANGE; 273 return 1; 274 } else if (!(s->s3->tmp.new_cipher->algorithm_auth 275 & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) { 276 if (mt == SSL3_MT_CERTIFICATE) { 277 st->hand_state = TLS_ST_CR_CERT; 278 return 1; 279 } 280 } else { 281 ske_expected = key_exchange_expected(s); 282 /* SKE is optional for some PSK ciphersuites */ 283 if (ske_expected 284 || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK) 285 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) { 286 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) { 287 st->hand_state = TLS_ST_CR_KEY_EXCH; 288 return 1; 289 } 290 } else if (mt == SSL3_MT_CERTIFICATE_REQUEST 291 && cert_req_allowed(s)) { 292 st->hand_state = TLS_ST_CR_CERT_REQ; 293 return 1; 294 } else if (mt == SSL3_MT_SERVER_DONE) { 295 st->hand_state = TLS_ST_CR_SRVR_DONE; 296 return 1; 297 } 298 } 299 } 300 break; 301 302 case TLS_ST_CR_CERT: 303 /* 304 * The CertificateStatus message is optional even if 305 * |ext.status_expected| is set 306 */ 307 if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) { 308 st->hand_state = TLS_ST_CR_CERT_STATUS; 309 return 1; 310 } 311 /* Fall through */ 312 313 case TLS_ST_CR_CERT_STATUS: 314 ske_expected = key_exchange_expected(s); 315 /* SKE is optional for some PSK ciphersuites */ 316 if (ske_expected || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK) 317 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) { 318 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) { 319 st->hand_state = TLS_ST_CR_KEY_EXCH; 320 return 1; 321 } 322 goto err; 323 } 324 /* Fall through */ 325 326 case TLS_ST_CR_KEY_EXCH: 327 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 328 if (cert_req_allowed(s)) { 329 st->hand_state = TLS_ST_CR_CERT_REQ; 330 return 1; 331 } 332 goto err; 333 } 334 /* Fall through */ 335 336 case TLS_ST_CR_CERT_REQ: 337 if (mt == SSL3_MT_SERVER_DONE) { 338 st->hand_state = TLS_ST_CR_SRVR_DONE; 339 return 1; 340 } 341 break; 342 343 case TLS_ST_CW_FINISHED: 344 if (s->ext.ticket_expected) { 345 if (mt == SSL3_MT_NEWSESSION_TICKET) { 346 st->hand_state = TLS_ST_CR_SESSION_TICKET; 347 return 1; 348 } 349 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 350 st->hand_state = TLS_ST_CR_CHANGE; 351 return 1; 352 } 353 break; 354 355 case TLS_ST_CR_SESSION_TICKET: 356 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 357 st->hand_state = TLS_ST_CR_CHANGE; 358 return 1; 359 } 360 break; 361 362 case TLS_ST_CR_CHANGE: 363 if (mt == SSL3_MT_FINISHED) { 364 st->hand_state = TLS_ST_CR_FINISHED; 365 return 1; 366 } 367 break; 368 369 case TLS_ST_OK: 370 if (mt == SSL3_MT_HELLO_REQUEST) { 371 st->hand_state = TLS_ST_CR_HELLO_REQ; 372 return 1; 373 } 374 break; 375 } 376 377 err: 378 /* No valid transition found */ 379 if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 380 BIO *rbio; 381 382 /* 383 * CCS messages don't have a message sequence number so this is probably 384 * because of an out-of-order CCS. We'll just drop it. 385 */ 386 s->init_num = 0; 387 s->rwstate = SSL_READING; 388 rbio = SSL_get_rbio(s); 389 BIO_clear_retry_flags(rbio); 390 BIO_set_retry_read(rbio); 391 return 0; 392 } 393 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, 394 SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, 395 SSL_R_UNEXPECTED_MESSAGE); 396 return 0; 397 } 398 399 /* 400 * ossl_statem_client13_write_transition() works out what handshake state to 401 * move to next when the TLSv1.3 client is writing messages to be sent to the 402 * server. 403 */ 404 static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s) 405 { 406 OSSL_STATEM *st = &s->statem; 407 408 /* 409 * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated 410 * TLSv1.3 yet at that point. They are handled by 411 * ossl_statem_client_write_transition(). 412 */ 413 switch (st->hand_state) { 414 default: 415 /* Shouldn't happen */ 416 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 417 SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION, 418 ERR_R_INTERNAL_ERROR); 419 return WRITE_TRAN_ERROR; 420 421 case TLS_ST_CR_CERT_REQ: 422 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 423 st->hand_state = TLS_ST_CW_CERT; 424 return WRITE_TRAN_CONTINUE; 425 } 426 /* 427 * We should only get here if we received a CertificateRequest after 428 * we already sent close_notify 429 */ 430 if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) { 431 /* Shouldn't happen - same as default case */ 432 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 433 SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION, 434 ERR_R_INTERNAL_ERROR); 435 return WRITE_TRAN_ERROR; 436 } 437 st->hand_state = TLS_ST_OK; 438 return WRITE_TRAN_CONTINUE; 439 440 case TLS_ST_CR_FINISHED: 441 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY 442 || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING) 443 st->hand_state = TLS_ST_PENDING_EARLY_DATA_END; 444 else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 445 && s->hello_retry_request == SSL_HRR_NONE) 446 st->hand_state = TLS_ST_CW_CHANGE; 447 else 448 st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT 449 : TLS_ST_CW_FINISHED; 450 return WRITE_TRAN_CONTINUE; 451 452 case TLS_ST_PENDING_EARLY_DATA_END: 453 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { 454 st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA; 455 return WRITE_TRAN_CONTINUE; 456 } 457 /* Fall through */ 458 459 case TLS_ST_CW_END_OF_EARLY_DATA: 460 case TLS_ST_CW_CHANGE: 461 st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT 462 : TLS_ST_CW_FINISHED; 463 return WRITE_TRAN_CONTINUE; 464 465 case TLS_ST_CW_CERT: 466 /* If a non-empty Certificate we also send CertificateVerify */ 467 st->hand_state = (s->s3->tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY 468 : TLS_ST_CW_FINISHED; 469 return WRITE_TRAN_CONTINUE; 470 471 case TLS_ST_CW_CERT_VRFY: 472 st->hand_state = TLS_ST_CW_FINISHED; 473 return WRITE_TRAN_CONTINUE; 474 475 case TLS_ST_CR_KEY_UPDATE: 476 case TLS_ST_CW_KEY_UPDATE: 477 case TLS_ST_CR_SESSION_TICKET: 478 case TLS_ST_CW_FINISHED: 479 st->hand_state = TLS_ST_OK; 480 return WRITE_TRAN_CONTINUE; 481 482 case TLS_ST_OK: 483 if (s->key_update != SSL_KEY_UPDATE_NONE) { 484 st->hand_state = TLS_ST_CW_KEY_UPDATE; 485 return WRITE_TRAN_CONTINUE; 486 } 487 488 /* Try to read from the server instead */ 489 return WRITE_TRAN_FINISHED; 490 } 491 } 492 493 /* 494 * ossl_statem_client_write_transition() works out what handshake state to 495 * move to next when the client is writing messages to be sent to the server. 496 */ 497 WRITE_TRAN ossl_statem_client_write_transition(SSL *s) 498 { 499 OSSL_STATEM *st = &s->statem; 500 501 /* 502 * Note that immediately before/after a ClientHello we don't know what 503 * version we are going to negotiate yet, so we don't take this branch until 504 * later 505 */ 506 if (SSL_IS_TLS13(s)) 507 return ossl_statem_client13_write_transition(s); 508 509 switch (st->hand_state) { 510 default: 511 /* Shouldn't happen */ 512 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 513 SSL_F_OSSL_STATEM_CLIENT_WRITE_TRANSITION, 514 ERR_R_INTERNAL_ERROR); 515 return WRITE_TRAN_ERROR; 516 517 case TLS_ST_OK: 518 if (!s->renegotiate) { 519 /* 520 * We haven't requested a renegotiation ourselves so we must have 521 * received a message from the server. Better read it. 522 */ 523 return WRITE_TRAN_FINISHED; 524 } 525 /* Renegotiation */ 526 /* fall thru */ 527 case TLS_ST_BEFORE: 528 st->hand_state = TLS_ST_CW_CLNT_HELLO; 529 return WRITE_TRAN_CONTINUE; 530 531 case TLS_ST_CW_CLNT_HELLO: 532 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { 533 /* 534 * We are assuming this is a TLSv1.3 connection, although we haven't 535 * actually selected a version yet. 536 */ 537 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) 538 st->hand_state = TLS_ST_CW_CHANGE; 539 else 540 st->hand_state = TLS_ST_EARLY_DATA; 541 return WRITE_TRAN_CONTINUE; 542 } 543 /* 544 * No transition at the end of writing because we don't know what 545 * we will be sent 546 */ 547 return WRITE_TRAN_FINISHED; 548 549 case TLS_ST_CR_SRVR_HELLO: 550 /* 551 * We only get here in TLSv1.3. We just received an HRR, so issue a 552 * CCS unless middlebox compat mode is off, or we already issued one 553 * because we did early data. 554 */ 555 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 556 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) 557 st->hand_state = TLS_ST_CW_CHANGE; 558 else 559 st->hand_state = TLS_ST_CW_CLNT_HELLO; 560 return WRITE_TRAN_CONTINUE; 561 562 case TLS_ST_EARLY_DATA: 563 return WRITE_TRAN_FINISHED; 564 565 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 566 st->hand_state = TLS_ST_CW_CLNT_HELLO; 567 return WRITE_TRAN_CONTINUE; 568 569 case TLS_ST_CR_SRVR_DONE: 570 if (s->s3->tmp.cert_req) 571 st->hand_state = TLS_ST_CW_CERT; 572 else 573 st->hand_state = TLS_ST_CW_KEY_EXCH; 574 return WRITE_TRAN_CONTINUE; 575 576 case TLS_ST_CW_CERT: 577 st->hand_state = TLS_ST_CW_KEY_EXCH; 578 return WRITE_TRAN_CONTINUE; 579 580 case TLS_ST_CW_KEY_EXCH: 581 /* 582 * For TLS, cert_req is set to 2, so a cert chain of nothing is 583 * sent, but no verify packet is sent 584 */ 585 /* 586 * XXX: For now, we do not support client authentication in ECDH 587 * cipher suites with ECDH (rather than ECDSA) certificates. We 588 * need to skip the certificate verify message when client's 589 * ECDH public key is sent inside the client certificate. 590 */ 591 if (s->s3->tmp.cert_req == 1) { 592 st->hand_state = TLS_ST_CW_CERT_VRFY; 593 } else { 594 st->hand_state = TLS_ST_CW_CHANGE; 595 } 596 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { 597 st->hand_state = TLS_ST_CW_CHANGE; 598 } 599 return WRITE_TRAN_CONTINUE; 600 601 case TLS_ST_CW_CERT_VRFY: 602 st->hand_state = TLS_ST_CW_CHANGE; 603 return WRITE_TRAN_CONTINUE; 604 605 case TLS_ST_CW_CHANGE: 606 if (s->hello_retry_request == SSL_HRR_PENDING) { 607 st->hand_state = TLS_ST_CW_CLNT_HELLO; 608 } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { 609 st->hand_state = TLS_ST_EARLY_DATA; 610 } else { 611 #if defined(OPENSSL_NO_NEXTPROTONEG) 612 st->hand_state = TLS_ST_CW_FINISHED; 613 #else 614 if (!SSL_IS_DTLS(s) && s->s3->npn_seen) 615 st->hand_state = TLS_ST_CW_NEXT_PROTO; 616 else 617 st->hand_state = TLS_ST_CW_FINISHED; 618 #endif 619 } 620 return WRITE_TRAN_CONTINUE; 621 622 #if !defined(OPENSSL_NO_NEXTPROTONEG) 623 case TLS_ST_CW_NEXT_PROTO: 624 st->hand_state = TLS_ST_CW_FINISHED; 625 return WRITE_TRAN_CONTINUE; 626 #endif 627 628 case TLS_ST_CW_FINISHED: 629 if (s->hit) { 630 st->hand_state = TLS_ST_OK; 631 return WRITE_TRAN_CONTINUE; 632 } else { 633 return WRITE_TRAN_FINISHED; 634 } 635 636 case TLS_ST_CR_FINISHED: 637 if (s->hit) { 638 st->hand_state = TLS_ST_CW_CHANGE; 639 return WRITE_TRAN_CONTINUE; 640 } else { 641 st->hand_state = TLS_ST_OK; 642 return WRITE_TRAN_CONTINUE; 643 } 644 645 case TLS_ST_CR_HELLO_REQ: 646 /* 647 * If we can renegotiate now then do so, otherwise wait for a more 648 * convenient time. 649 */ 650 if (ssl3_renegotiate_check(s, 1)) { 651 if (!tls_setup_handshake(s)) { 652 /* SSLfatal() already called */ 653 return WRITE_TRAN_ERROR; 654 } 655 st->hand_state = TLS_ST_CW_CLNT_HELLO; 656 return WRITE_TRAN_CONTINUE; 657 } 658 st->hand_state = TLS_ST_OK; 659 return WRITE_TRAN_CONTINUE; 660 } 661 } 662 663 /* 664 * Perform any pre work that needs to be done prior to sending a message from 665 * the client to the server. 666 */ 667 WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst) 668 { 669 OSSL_STATEM *st = &s->statem; 670 671 switch (st->hand_state) { 672 default: 673 /* No pre work to be done */ 674 break; 675 676 case TLS_ST_CW_CLNT_HELLO: 677 s->shutdown = 0; 678 if (SSL_IS_DTLS(s)) { 679 /* every DTLS ClientHello resets Finished MAC */ 680 if (!ssl3_init_finished_mac(s)) { 681 /* SSLfatal() already called */ 682 return WORK_ERROR; 683 } 684 } 685 break; 686 687 case TLS_ST_CW_CHANGE: 688 if (SSL_IS_DTLS(s)) { 689 if (s->hit) { 690 /* 691 * We're into the last flight so we don't retransmit these 692 * messages unless we need to. 693 */ 694 st->use_timer = 0; 695 } 696 #ifndef OPENSSL_NO_SCTP 697 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 698 /* Calls SSLfatal() as required */ 699 return dtls_wait_for_dry(s); 700 } 701 #endif 702 } 703 break; 704 705 case TLS_ST_PENDING_EARLY_DATA_END: 706 /* 707 * If we've been called by SSL_do_handshake()/SSL_write(), or we did not 708 * attempt to write early data before calling SSL_read() then we press 709 * on with the handshake. Otherwise we pause here. 710 */ 711 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING 712 || s->early_data_state == SSL_EARLY_DATA_NONE) 713 return WORK_FINISHED_CONTINUE; 714 /* Fall through */ 715 716 case TLS_ST_EARLY_DATA: 717 return tls_finish_handshake(s, wst, 0, 1); 718 719 case TLS_ST_OK: 720 /* Calls SSLfatal() as required */ 721 return tls_finish_handshake(s, wst, 1, 1); 722 } 723 724 return WORK_FINISHED_CONTINUE; 725 } 726 727 /* 728 * Perform any work that needs to be done after sending a message from the 729 * client to the server. 730 */ 731 WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) 732 { 733 OSSL_STATEM *st = &s->statem; 734 735 s->init_num = 0; 736 737 switch (st->hand_state) { 738 default: 739 /* No post work to be done */ 740 break; 741 742 case TLS_ST_CW_CLNT_HELLO: 743 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 744 && s->max_early_data > 0) { 745 /* 746 * We haven't selected TLSv1.3 yet so we don't call the change 747 * cipher state function associated with the SSL_METHOD. Instead 748 * we call tls13_change_cipher_state() directly. 749 */ 750 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { 751 if (!tls13_change_cipher_state(s, 752 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 753 /* SSLfatal() already called */ 754 return WORK_ERROR; 755 } 756 } 757 /* else we're in compat mode so we delay flushing until after CCS */ 758 } else if (!statem_flush(s)) { 759 return WORK_MORE_A; 760 } 761 762 if (SSL_IS_DTLS(s)) { 763 /* Treat the next message as the first packet */ 764 s->first_packet = 1; 765 } 766 break; 767 768 case TLS_ST_CW_END_OF_EARLY_DATA: 769 /* 770 * We set the enc_write_ctx back to NULL because we may end up writing 771 * in cleartext again if we get a HelloRetryRequest from the server. 772 */ 773 EVP_CIPHER_CTX_free(s->enc_write_ctx); 774 s->enc_write_ctx = NULL; 775 break; 776 777 case TLS_ST_CW_KEY_EXCH: 778 if (tls_client_key_exchange_post_work(s) == 0) { 779 /* SSLfatal() already called */ 780 return WORK_ERROR; 781 } 782 break; 783 784 case TLS_ST_CW_CHANGE: 785 if (SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING) 786 break; 787 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 788 && s->max_early_data > 0) { 789 /* 790 * We haven't selected TLSv1.3 yet so we don't call the change 791 * cipher state function associated with the SSL_METHOD. Instead 792 * we call tls13_change_cipher_state() directly. 793 */ 794 if (!tls13_change_cipher_state(s, 795 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 796 return WORK_ERROR; 797 break; 798 } 799 s->session->cipher = s->s3->tmp.new_cipher; 800 #ifdef OPENSSL_NO_COMP 801 s->session->compress_meth = 0; 802 #else 803 if (s->s3->tmp.new_compression == NULL) 804 s->session->compress_meth = 0; 805 else 806 s->session->compress_meth = s->s3->tmp.new_compression->id; 807 #endif 808 if (!s->method->ssl3_enc->setup_key_block(s)) { 809 /* SSLfatal() already called */ 810 return WORK_ERROR; 811 } 812 813 if (!s->method->ssl3_enc->change_cipher_state(s, 814 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 815 /* SSLfatal() already called */ 816 return WORK_ERROR; 817 } 818 819 if (SSL_IS_DTLS(s)) { 820 #ifndef OPENSSL_NO_SCTP 821 if (s->hit) { 822 /* 823 * Change to new shared key of SCTP-Auth, will be ignored if 824 * no SCTP used. 825 */ 826 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 827 0, NULL); 828 } 829 #endif 830 831 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 832 } 833 break; 834 835 case TLS_ST_CW_FINISHED: 836 #ifndef OPENSSL_NO_SCTP 837 if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) { 838 /* 839 * Change to new shared key of SCTP-Auth, will be ignored if 840 * no SCTP used. 841 */ 842 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 843 0, NULL); 844 } 845 #endif 846 if (statem_flush(s) != 1) 847 return WORK_MORE_B; 848 849 if (SSL_IS_TLS13(s)) { 850 if (!tls13_save_handshake_digest_for_pha(s)) { 851 /* SSLfatal() already called */ 852 return WORK_ERROR; 853 } 854 if (s->post_handshake_auth != SSL_PHA_REQUESTED) { 855 if (!s->method->ssl3_enc->change_cipher_state(s, 856 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 857 /* SSLfatal() already called */ 858 return WORK_ERROR; 859 } 860 } 861 } 862 break; 863 864 case TLS_ST_CW_KEY_UPDATE: 865 if (statem_flush(s) != 1) 866 return WORK_MORE_A; 867 if (!tls13_update_key(s, 1)) { 868 /* SSLfatal() already called */ 869 return WORK_ERROR; 870 } 871 break; 872 } 873 874 return WORK_FINISHED_CONTINUE; 875 } 876 877 /* 878 * Get the message construction function and message type for sending from the 879 * client 880 * 881 * Valid return values are: 882 * 1: Success 883 * 0: Error 884 */ 885 int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt, 886 confunc_f *confunc, int *mt) 887 { 888 OSSL_STATEM *st = &s->statem; 889 890 switch (st->hand_state) { 891 default: 892 /* Shouldn't happen */ 893 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 894 SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE, 895 SSL_R_BAD_HANDSHAKE_STATE); 896 return 0; 897 898 case TLS_ST_CW_CHANGE: 899 if (SSL_IS_DTLS(s)) 900 *confunc = dtls_construct_change_cipher_spec; 901 else 902 *confunc = tls_construct_change_cipher_spec; 903 *mt = SSL3_MT_CHANGE_CIPHER_SPEC; 904 break; 905 906 case TLS_ST_CW_CLNT_HELLO: 907 *confunc = tls_construct_client_hello; 908 *mt = SSL3_MT_CLIENT_HELLO; 909 break; 910 911 case TLS_ST_CW_END_OF_EARLY_DATA: 912 *confunc = tls_construct_end_of_early_data; 913 *mt = SSL3_MT_END_OF_EARLY_DATA; 914 break; 915 916 case TLS_ST_PENDING_EARLY_DATA_END: 917 *confunc = NULL; 918 *mt = SSL3_MT_DUMMY; 919 break; 920 921 case TLS_ST_CW_CERT: 922 *confunc = tls_construct_client_certificate; 923 *mt = SSL3_MT_CERTIFICATE; 924 break; 925 926 case TLS_ST_CW_KEY_EXCH: 927 *confunc = tls_construct_client_key_exchange; 928 *mt = SSL3_MT_CLIENT_KEY_EXCHANGE; 929 break; 930 931 case TLS_ST_CW_CERT_VRFY: 932 *confunc = tls_construct_cert_verify; 933 *mt = SSL3_MT_CERTIFICATE_VERIFY; 934 break; 935 936 #if !defined(OPENSSL_NO_NEXTPROTONEG) 937 case TLS_ST_CW_NEXT_PROTO: 938 *confunc = tls_construct_next_proto; 939 *mt = SSL3_MT_NEXT_PROTO; 940 break; 941 #endif 942 case TLS_ST_CW_FINISHED: 943 *confunc = tls_construct_finished; 944 *mt = SSL3_MT_FINISHED; 945 break; 946 947 case TLS_ST_CW_KEY_UPDATE: 948 *confunc = tls_construct_key_update; 949 *mt = SSL3_MT_KEY_UPDATE; 950 break; 951 } 952 953 return 1; 954 } 955 956 /* 957 * Returns the maximum allowed length for the current message that we are 958 * reading. Excludes the message header. 959 */ 960 size_t ossl_statem_client_max_message_size(SSL *s) 961 { 962 OSSL_STATEM *st = &s->statem; 963 964 switch (st->hand_state) { 965 default: 966 /* Shouldn't happen */ 967 return 0; 968 969 case TLS_ST_CR_SRVR_HELLO: 970 return SERVER_HELLO_MAX_LENGTH; 971 972 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 973 return HELLO_VERIFY_REQUEST_MAX_LENGTH; 974 975 case TLS_ST_CR_CERT: 976 return s->max_cert_list; 977 978 case TLS_ST_CR_CERT_VRFY: 979 return SSL3_RT_MAX_PLAIN_LENGTH; 980 981 case TLS_ST_CR_CERT_STATUS: 982 return SSL3_RT_MAX_PLAIN_LENGTH; 983 984 case TLS_ST_CR_KEY_EXCH: 985 return SERVER_KEY_EXCH_MAX_LENGTH; 986 987 case TLS_ST_CR_CERT_REQ: 988 /* 989 * Set to s->max_cert_list for compatibility with previous releases. In 990 * practice these messages can get quite long if servers are configured 991 * to provide a long list of acceptable CAs 992 */ 993 return s->max_cert_list; 994 995 case TLS_ST_CR_SRVR_DONE: 996 return SERVER_HELLO_DONE_MAX_LENGTH; 997 998 case TLS_ST_CR_CHANGE: 999 if (s->version == DTLS1_BAD_VER) 1000 return 3; 1001 return CCS_MAX_LENGTH; 1002 1003 case TLS_ST_CR_SESSION_TICKET: 1004 return SSL3_RT_MAX_PLAIN_LENGTH; 1005 1006 case TLS_ST_CR_FINISHED: 1007 return FINISHED_MAX_LENGTH; 1008 1009 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 1010 return ENCRYPTED_EXTENSIONS_MAX_LENGTH; 1011 1012 case TLS_ST_CR_KEY_UPDATE: 1013 return KEY_UPDATE_MAX_LENGTH; 1014 } 1015 } 1016 1017 /* 1018 * Process a message that the client has been received from the server. 1019 */ 1020 MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt) 1021 { 1022 OSSL_STATEM *st = &s->statem; 1023 1024 switch (st->hand_state) { 1025 default: 1026 /* Shouldn't happen */ 1027 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1028 SSL_F_OSSL_STATEM_CLIENT_PROCESS_MESSAGE, 1029 ERR_R_INTERNAL_ERROR); 1030 return MSG_PROCESS_ERROR; 1031 1032 case TLS_ST_CR_SRVR_HELLO: 1033 return tls_process_server_hello(s, pkt); 1034 1035 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 1036 return dtls_process_hello_verify(s, pkt); 1037 1038 case TLS_ST_CR_CERT: 1039 return tls_process_server_certificate(s, pkt); 1040 1041 case TLS_ST_CR_CERT_VRFY: 1042 return tls_process_cert_verify(s, pkt); 1043 1044 case TLS_ST_CR_CERT_STATUS: 1045 return tls_process_cert_status(s, pkt); 1046 1047 case TLS_ST_CR_KEY_EXCH: 1048 return tls_process_key_exchange(s, pkt); 1049 1050 case TLS_ST_CR_CERT_REQ: 1051 return tls_process_certificate_request(s, pkt); 1052 1053 case TLS_ST_CR_SRVR_DONE: 1054 return tls_process_server_done(s, pkt); 1055 1056 case TLS_ST_CR_CHANGE: 1057 return tls_process_change_cipher_spec(s, pkt); 1058 1059 case TLS_ST_CR_SESSION_TICKET: 1060 return tls_process_new_session_ticket(s, pkt); 1061 1062 case TLS_ST_CR_FINISHED: 1063 return tls_process_finished(s, pkt); 1064 1065 case TLS_ST_CR_HELLO_REQ: 1066 return tls_process_hello_req(s, pkt); 1067 1068 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 1069 return tls_process_encrypted_extensions(s, pkt); 1070 1071 case TLS_ST_CR_KEY_UPDATE: 1072 return tls_process_key_update(s, pkt); 1073 } 1074 } 1075 1076 /* 1077 * Perform any further processing required following the receipt of a message 1078 * from the server 1079 */ 1080 WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst) 1081 { 1082 OSSL_STATEM *st = &s->statem; 1083 1084 switch (st->hand_state) { 1085 default: 1086 /* Shouldn't happen */ 1087 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1088 SSL_F_OSSL_STATEM_CLIENT_POST_PROCESS_MESSAGE, 1089 ERR_R_INTERNAL_ERROR); 1090 return WORK_ERROR; 1091 1092 case TLS_ST_CR_CERT_VRFY: 1093 case TLS_ST_CR_CERT_REQ: 1094 return tls_prepare_client_certificate(s, wst); 1095 } 1096 } 1097 1098 int tls_construct_client_hello(SSL *s, WPACKET *pkt) 1099 { 1100 unsigned char *p; 1101 size_t sess_id_len; 1102 int i, protverr; 1103 #ifndef OPENSSL_NO_COMP 1104 SSL_COMP *comp; 1105 #endif 1106 SSL_SESSION *sess = s->session; 1107 unsigned char *session_id; 1108 1109 /* Work out what SSL/TLS/DTLS version to use */ 1110 protverr = ssl_set_client_hello_version(s); 1111 if (protverr != 0) { 1112 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1113 protverr); 1114 return 0; 1115 } 1116 1117 if (sess == NULL 1118 || !ssl_version_supported(s, sess->ssl_version, NULL) 1119 || !SSL_SESSION_is_resumable(sess)) { 1120 if (s->hello_retry_request == SSL_HRR_NONE 1121 && !ssl_get_new_session(s, 0)) { 1122 /* SSLfatal() already called */ 1123 return 0; 1124 } 1125 } 1126 /* else use the pre-loaded session */ 1127 1128 p = s->s3->client_random; 1129 1130 /* 1131 * for DTLS if client_random is initialized, reuse it, we are 1132 * required to use same upon reply to HelloVerify 1133 */ 1134 if (SSL_IS_DTLS(s)) { 1135 size_t idx; 1136 i = 1; 1137 for (idx = 0; idx < sizeof(s->s3->client_random); idx++) { 1138 if (p[idx]) { 1139 i = 0; 1140 break; 1141 } 1142 } 1143 } else { 1144 i = (s->hello_retry_request == SSL_HRR_NONE); 1145 } 1146 1147 if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random), 1148 DOWNGRADE_NONE) <= 0) { 1149 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1150 ERR_R_INTERNAL_ERROR); 1151 return 0; 1152 } 1153 1154 /*- 1155 * version indicates the negotiated version: for example from 1156 * an SSLv2/v3 compatible client hello). The client_version 1157 * field is the maximum version we permit and it is also 1158 * used in RSA encrypted premaster secrets. Some servers can 1159 * choke if we initially report a higher version then 1160 * renegotiate to a lower one in the premaster secret. This 1161 * didn't happen with TLS 1.0 as most servers supported it 1162 * but it can with TLS 1.1 or later if the server only supports 1163 * 1.0. 1164 * 1165 * Possible scenario with previous logic: 1166 * 1. Client hello indicates TLS 1.2 1167 * 2. Server hello says TLS 1.0 1168 * 3. RSA encrypted premaster secret uses 1.2. 1169 * 4. Handshake proceeds using TLS 1.0. 1170 * 5. Server sends hello request to renegotiate. 1171 * 6. Client hello indicates TLS v1.0 as we now 1172 * know that is maximum server supports. 1173 * 7. Server chokes on RSA encrypted premaster secret 1174 * containing version 1.0. 1175 * 1176 * For interoperability it should be OK to always use the 1177 * maximum version we support in client hello and then rely 1178 * on the checking of version to ensure the servers isn't 1179 * being inconsistent: for example initially negotiating with 1180 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using 1181 * client_version in client hello and not resetting it to 1182 * the negotiated version. 1183 * 1184 * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the 1185 * supported_versions extension for the real supported versions. 1186 */ 1187 if (!WPACKET_put_bytes_u16(pkt, s->client_version) 1188 || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) { 1189 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1190 ERR_R_INTERNAL_ERROR); 1191 return 0; 1192 } 1193 1194 /* Session ID */ 1195 session_id = s->session->session_id; 1196 if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) { 1197 if (s->version == TLS1_3_VERSION 1198 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { 1199 sess_id_len = sizeof(s->tmp_session_id); 1200 s->tmp_session_id_len = sess_id_len; 1201 session_id = s->tmp_session_id; 1202 if (s->hello_retry_request == SSL_HRR_NONE 1203 && RAND_bytes(s->tmp_session_id, sess_id_len) <= 0) { 1204 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1205 SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1206 ERR_R_INTERNAL_ERROR); 1207 return 0; 1208 } 1209 } else { 1210 sess_id_len = 0; 1211 } 1212 } else { 1213 assert(s->session->session_id_length <= sizeof(s->session->session_id)); 1214 sess_id_len = s->session->session_id_length; 1215 if (s->version == TLS1_3_VERSION) { 1216 s->tmp_session_id_len = sess_id_len; 1217 memcpy(s->tmp_session_id, s->session->session_id, sess_id_len); 1218 } 1219 } 1220 if (!WPACKET_start_sub_packet_u8(pkt) 1221 || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id, 1222 sess_id_len)) 1223 || !WPACKET_close(pkt)) { 1224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1225 ERR_R_INTERNAL_ERROR); 1226 return 0; 1227 } 1228 1229 /* cookie stuff for DTLS */ 1230 if (SSL_IS_DTLS(s)) { 1231 if (s->d1->cookie_len > sizeof(s->d1->cookie) 1232 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, 1233 s->d1->cookie_len)) { 1234 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1235 ERR_R_INTERNAL_ERROR); 1236 return 0; 1237 } 1238 } 1239 1240 /* Ciphers supported */ 1241 if (!WPACKET_start_sub_packet_u16(pkt)) { 1242 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1243 ERR_R_INTERNAL_ERROR); 1244 return 0; 1245 } 1246 1247 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) { 1248 /* SSLfatal() already called */ 1249 return 0; 1250 } 1251 if (!WPACKET_close(pkt)) { 1252 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1253 ERR_R_INTERNAL_ERROR); 1254 return 0; 1255 } 1256 1257 /* COMPRESSION */ 1258 if (!WPACKET_start_sub_packet_u8(pkt)) { 1259 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1260 ERR_R_INTERNAL_ERROR); 1261 return 0; 1262 } 1263 #ifndef OPENSSL_NO_COMP 1264 if (ssl_allow_compression(s) 1265 && s->ctx->comp_methods 1266 && (SSL_IS_DTLS(s) || s->s3->tmp.max_ver < TLS1_3_VERSION)) { 1267 int compnum = sk_SSL_COMP_num(s->ctx->comp_methods); 1268 for (i = 0; i < compnum; i++) { 1269 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); 1270 if (!WPACKET_put_bytes_u8(pkt, comp->id)) { 1271 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1272 SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1273 ERR_R_INTERNAL_ERROR); 1274 return 0; 1275 } 1276 } 1277 } 1278 #endif 1279 /* Add the NULL method */ 1280 if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) { 1281 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1282 ERR_R_INTERNAL_ERROR); 1283 return 0; 1284 } 1285 1286 /* TLS extensions */ 1287 if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) { 1288 /* SSLfatal() already called */ 1289 return 0; 1290 } 1291 1292 return 1; 1293 } 1294 1295 MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt) 1296 { 1297 size_t cookie_len; 1298 PACKET cookiepkt; 1299 1300 if (!PACKET_forward(pkt, 2) 1301 || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) { 1302 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY, 1303 SSL_R_LENGTH_MISMATCH); 1304 return MSG_PROCESS_ERROR; 1305 } 1306 1307 cookie_len = PACKET_remaining(&cookiepkt); 1308 if (cookie_len > sizeof(s->d1->cookie)) { 1309 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS_PROCESS_HELLO_VERIFY, 1310 SSL_R_LENGTH_TOO_LONG); 1311 return MSG_PROCESS_ERROR; 1312 } 1313 1314 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) { 1315 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY, 1316 SSL_R_LENGTH_MISMATCH); 1317 return MSG_PROCESS_ERROR; 1318 } 1319 s->d1->cookie_len = cookie_len; 1320 1321 return MSG_PROCESS_FINISHED_READING; 1322 } 1323 1324 static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) 1325 { 1326 STACK_OF(SSL_CIPHER) *sk; 1327 const SSL_CIPHER *c; 1328 int i; 1329 1330 c = ssl_get_cipher_by_char(s, cipherchars, 0); 1331 if (c == NULL) { 1332 /* unknown cipher */ 1333 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1334 SSL_R_UNKNOWN_CIPHER_RETURNED); 1335 return 0; 1336 } 1337 /* 1338 * If it is a disabled cipher we either didn't send it in client hello, 1339 * or it's not allowed for the selected protocol. So we return an error. 1340 */ 1341 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { 1342 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1343 SSL_R_WRONG_CIPHER_RETURNED); 1344 return 0; 1345 } 1346 1347 sk = ssl_get_ciphers_by_id(s); 1348 i = sk_SSL_CIPHER_find(sk, c); 1349 if (i < 0) { 1350 /* we did not say we would use this cipher */ 1351 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1352 SSL_R_WRONG_CIPHER_RETURNED); 1353 return 0; 1354 } 1355 1356 if (SSL_IS_TLS13(s) && s->s3->tmp.new_cipher != NULL 1357 && s->s3->tmp.new_cipher->id != c->id) { 1358 /* ServerHello selected a different ciphersuite to that in the HRR */ 1359 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1360 SSL_R_WRONG_CIPHER_RETURNED); 1361 return 0; 1362 } 1363 1364 /* 1365 * Depending on the session caching (internal/external), the cipher 1366 * and/or cipher_id values may not be set. Make sure that cipher_id is 1367 * set and use it for comparison. 1368 */ 1369 if (s->session->cipher != NULL) 1370 s->session->cipher_id = s->session->cipher->id; 1371 if (s->hit && (s->session->cipher_id != c->id)) { 1372 if (SSL_IS_TLS13(s)) { 1373 /* 1374 * In TLSv1.3 it is valid for the server to select a different 1375 * ciphersuite as long as the hash is the same. 1376 */ 1377 if (ssl_md(c->algorithm2) 1378 != ssl_md(s->session->cipher->algorithm2)) { 1379 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1380 SSL_F_SET_CLIENT_CIPHERSUITE, 1381 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED); 1382 return 0; 1383 } 1384 } else { 1385 /* 1386 * Prior to TLSv1.3 resuming a session always meant using the same 1387 * ciphersuite. 1388 */ 1389 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1390 SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 1391 return 0; 1392 } 1393 } 1394 s->s3->tmp.new_cipher = c; 1395 1396 return 1; 1397 } 1398 1399 MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) 1400 { 1401 PACKET session_id, extpkt; 1402 size_t session_id_len; 1403 const unsigned char *cipherchars; 1404 int hrr = 0; 1405 unsigned int compression; 1406 unsigned int sversion; 1407 unsigned int context; 1408 RAW_EXTENSION *extensions = NULL; 1409 #ifndef OPENSSL_NO_COMP 1410 SSL_COMP *comp; 1411 #endif 1412 1413 if (!PACKET_get_net_2(pkt, &sversion)) { 1414 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1415 SSL_R_LENGTH_MISMATCH); 1416 goto err; 1417 } 1418 1419 /* load the server random */ 1420 if (s->version == TLS1_3_VERSION 1421 && sversion == TLS1_2_VERSION 1422 && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE 1423 && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) { 1424 s->hello_retry_request = SSL_HRR_PENDING; 1425 hrr = 1; 1426 if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) { 1427 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1428 SSL_R_LENGTH_MISMATCH); 1429 goto err; 1430 } 1431 } else { 1432 if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { 1433 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1434 SSL_R_LENGTH_MISMATCH); 1435 goto err; 1436 } 1437 } 1438 1439 /* Get the session-id. */ 1440 if (!PACKET_get_length_prefixed_1(pkt, &session_id)) { 1441 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1442 SSL_R_LENGTH_MISMATCH); 1443 goto err; 1444 } 1445 session_id_len = PACKET_remaining(&session_id); 1446 if (session_id_len > sizeof(s->session->session_id) 1447 || session_id_len > SSL3_SESSION_ID_SIZE) { 1448 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1449 SSL_R_SSL3_SESSION_ID_TOO_LONG); 1450 goto err; 1451 } 1452 1453 if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { 1454 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1455 SSL_R_LENGTH_MISMATCH); 1456 goto err; 1457 } 1458 1459 if (!PACKET_get_1(pkt, &compression)) { 1460 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1461 SSL_R_LENGTH_MISMATCH); 1462 goto err; 1463 } 1464 1465 /* TLS extensions */ 1466 if (PACKET_remaining(pkt) == 0 && !hrr) { 1467 PACKET_null_init(&extpkt); 1468 } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt) 1469 || PACKET_remaining(pkt) != 0) { 1470 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1471 SSL_R_BAD_LENGTH); 1472 goto err; 1473 } 1474 1475 if (!hrr) { 1476 if (!tls_collect_extensions(s, &extpkt, 1477 SSL_EXT_TLS1_2_SERVER_HELLO 1478 | SSL_EXT_TLS1_3_SERVER_HELLO, 1479 &extensions, NULL, 1)) { 1480 /* SSLfatal() already called */ 1481 goto err; 1482 } 1483 1484 if (!ssl_choose_client_version(s, sversion, extensions)) { 1485 /* SSLfatal() already called */ 1486 goto err; 1487 } 1488 } 1489 1490 if (SSL_IS_TLS13(s) || hrr) { 1491 if (compression != 0) { 1492 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1493 SSL_F_TLS_PROCESS_SERVER_HELLO, 1494 SSL_R_INVALID_COMPRESSION_ALGORITHM); 1495 goto err; 1496 } 1497 1498 if (session_id_len != s->tmp_session_id_len 1499 || memcmp(PACKET_data(&session_id), s->tmp_session_id, 1500 session_id_len) != 0) { 1501 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1502 SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INVALID_SESSION_ID); 1503 goto err; 1504 } 1505 } 1506 1507 if (hrr) { 1508 if (!set_client_ciphersuite(s, cipherchars)) { 1509 /* SSLfatal() already called */ 1510 goto err; 1511 } 1512 1513 return tls_process_as_hello_retry_request(s, &extpkt); 1514 } 1515 1516 /* 1517 * Now we have chosen the version we need to check again that the extensions 1518 * are appropriate for this version. 1519 */ 1520 context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO 1521 : SSL_EXT_TLS1_2_SERVER_HELLO; 1522 if (!tls_validate_all_contexts(s, context, extensions)) { 1523 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1524 SSL_R_BAD_EXTENSION); 1525 goto err; 1526 } 1527 1528 s->hit = 0; 1529 1530 if (SSL_IS_TLS13(s)) { 1531 /* 1532 * In TLSv1.3 a ServerHello message signals a key change so the end of 1533 * the message must be on a record boundary. 1534 */ 1535 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { 1536 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1537 SSL_F_TLS_PROCESS_SERVER_HELLO, 1538 SSL_R_NOT_ON_RECORD_BOUNDARY); 1539 goto err; 1540 } 1541 1542 /* This will set s->hit if we are resuming */ 1543 if (!tls_parse_extension(s, TLSEXT_IDX_psk, 1544 SSL_EXT_TLS1_3_SERVER_HELLO, 1545 extensions, NULL, 0)) { 1546 /* SSLfatal() already called */ 1547 goto err; 1548 } 1549 } else { 1550 /* 1551 * Check if we can resume the session based on external pre-shared 1552 * secret. EAP-FAST (RFC 4851) supports two types of session resumption. 1553 * Resumption based on server-side state works with session IDs. 1554 * Resumption based on pre-shared Protected Access Credentials (PACs) 1555 * works by overriding the SessionTicket extension at the application 1556 * layer, and does not send a session ID. (We do not know whether 1557 * EAP-FAST servers would honour the session ID.) Therefore, the session 1558 * ID alone is not a reliable indicator of session resumption, so we 1559 * first check if we can resume, and later peek at the next handshake 1560 * message to see if the server wants to resume. 1561 */ 1562 if (s->version >= TLS1_VERSION 1563 && s->ext.session_secret_cb != NULL && s->session->ext.tick) { 1564 const SSL_CIPHER *pref_cipher = NULL; 1565 /* 1566 * s->session->master_key_length is a size_t, but this is an int for 1567 * backwards compat reasons 1568 */ 1569 int master_key_length; 1570 master_key_length = sizeof(s->session->master_key); 1571 if (s->ext.session_secret_cb(s, s->session->master_key, 1572 &master_key_length, 1573 NULL, &pref_cipher, 1574 s->ext.session_secret_cb_arg) 1575 && master_key_length > 0) { 1576 s->session->master_key_length = master_key_length; 1577 s->session->cipher = pref_cipher ? 1578 pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0); 1579 } else { 1580 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1581 SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1582 goto err; 1583 } 1584 } 1585 1586 if (session_id_len != 0 1587 && session_id_len == s->session->session_id_length 1588 && memcmp(PACKET_data(&session_id), s->session->session_id, 1589 session_id_len) == 0) 1590 s->hit = 1; 1591 } 1592 1593 if (s->hit) { 1594 if (s->sid_ctx_length != s->session->sid_ctx_length 1595 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { 1596 /* actually a client application bug */ 1597 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1598 SSL_F_TLS_PROCESS_SERVER_HELLO, 1599 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 1600 goto err; 1601 } 1602 } else { 1603 /* 1604 * If we were trying for session-id reuse but the server 1605 * didn't resume, make a new SSL_SESSION. 1606 * In the case of EAP-FAST and PAC, we do not send a session ID, 1607 * so the PAC-based session secret is always preserved. It'll be 1608 * overwritten if the server refuses resumption. 1609 */ 1610 if (s->session->session_id_length > 0) { 1611 tsan_counter(&s->session_ctx->stats.sess_miss); 1612 if (!ssl_get_new_session(s, 0)) { 1613 /* SSLfatal() already called */ 1614 goto err; 1615 } 1616 } 1617 1618 s->session->ssl_version = s->version; 1619 /* 1620 * In TLSv1.2 and below we save the session id we were sent so we can 1621 * resume it later. In TLSv1.3 the session id we were sent is just an 1622 * echo of what we originally sent in the ClientHello and should not be 1623 * used for resumption. 1624 */ 1625 if (!SSL_IS_TLS13(s)) { 1626 s->session->session_id_length = session_id_len; 1627 /* session_id_len could be 0 */ 1628 if (session_id_len > 0) 1629 memcpy(s->session->session_id, PACKET_data(&session_id), 1630 session_id_len); 1631 } 1632 } 1633 1634 /* Session version and negotiated protocol version should match */ 1635 if (s->version != s->session->ssl_version) { 1636 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_TLS_PROCESS_SERVER_HELLO, 1637 SSL_R_SSL_SESSION_VERSION_MISMATCH); 1638 goto err; 1639 } 1640 /* 1641 * Now that we know the version, update the check to see if it's an allowed 1642 * version. 1643 */ 1644 s->s3->tmp.min_ver = s->version; 1645 s->s3->tmp.max_ver = s->version; 1646 1647 if (!set_client_ciphersuite(s, cipherchars)) { 1648 /* SSLfatal() already called */ 1649 goto err; 1650 } 1651 1652 #ifdef OPENSSL_NO_COMP 1653 if (compression != 0) { 1654 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1655 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1656 goto err; 1657 } 1658 /* 1659 * If compression is disabled we'd better not try to resume a session 1660 * using compression. 1661 */ 1662 if (s->session->compress_meth != 0) { 1663 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SERVER_HELLO, 1664 SSL_R_INCONSISTENT_COMPRESSION); 1665 goto err; 1666 } 1667 #else 1668 if (s->hit && compression != s->session->compress_meth) { 1669 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1670 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); 1671 goto err; 1672 } 1673 if (compression == 0) 1674 comp = NULL; 1675 else if (!ssl_allow_compression(s)) { 1676 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1677 SSL_R_COMPRESSION_DISABLED); 1678 goto err; 1679 } else { 1680 comp = ssl3_comp_find(s->ctx->comp_methods, compression); 1681 } 1682 1683 if (compression != 0 && comp == NULL) { 1684 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1685 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1686 goto err; 1687 } else { 1688 s->s3->tmp.new_compression = comp; 1689 } 1690 #endif 1691 1692 if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) { 1693 /* SSLfatal() already called */ 1694 goto err; 1695 } 1696 1697 #ifndef OPENSSL_NO_SCTP 1698 if (SSL_IS_DTLS(s) && s->hit) { 1699 unsigned char sctpauthkey[64]; 1700 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 1701 size_t labellen; 1702 1703 /* 1704 * Add new shared key for SCTP-Auth, will be ignored if 1705 * no SCTP used. 1706 */ 1707 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 1708 sizeof(DTLS1_SCTP_AUTH_LABEL)); 1709 1710 /* Don't include the terminating zero. */ 1711 labellen = sizeof(labelbuffer) - 1; 1712 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) 1713 labellen += 1; 1714 1715 if (SSL_export_keying_material(s, sctpauthkey, 1716 sizeof(sctpauthkey), 1717 labelbuffer, 1718 labellen, NULL, 0, 0) <= 0) { 1719 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1720 ERR_R_INTERNAL_ERROR); 1721 goto err; 1722 } 1723 1724 BIO_ctrl(SSL_get_wbio(s), 1725 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 1726 sizeof(sctpauthkey), sctpauthkey); 1727 } 1728 #endif 1729 1730 /* 1731 * In TLSv1.3 we have some post-processing to change cipher state, otherwise 1732 * we're done with this message 1733 */ 1734 if (SSL_IS_TLS13(s) 1735 && (!s->method->ssl3_enc->setup_key_block(s) 1736 || !s->method->ssl3_enc->change_cipher_state(s, 1737 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) { 1738 /* SSLfatal() already called */ 1739 goto err; 1740 } 1741 1742 OPENSSL_free(extensions); 1743 return MSG_PROCESS_CONTINUE_READING; 1744 err: 1745 OPENSSL_free(extensions); 1746 return MSG_PROCESS_ERROR; 1747 } 1748 1749 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, 1750 PACKET *extpkt) 1751 { 1752 RAW_EXTENSION *extensions = NULL; 1753 1754 /* 1755 * If we were sending early_data then the enc_write_ctx is now invalid and 1756 * should not be used. 1757 */ 1758 EVP_CIPHER_CTX_free(s->enc_write_ctx); 1759 s->enc_write_ctx = NULL; 1760 1761 if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, 1762 &extensions, NULL, 1) 1763 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, 1764 extensions, NULL, 0, 1)) { 1765 /* SSLfatal() already called */ 1766 goto err; 1767 } 1768 1769 OPENSSL_free(extensions); 1770 extensions = NULL; 1771 1772 if (s->ext.tls13_cookie_len == 0 1773 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) 1774 && s->s3->tmp.pkey != NULL 1775 #endif 1776 ) { 1777 /* 1778 * We didn't receive a cookie or a new key_share so the next 1779 * ClientHello will not change 1780 */ 1781 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1782 SSL_F_TLS_PROCESS_AS_HELLO_RETRY_REQUEST, 1783 SSL_R_NO_CHANGE_FOLLOWING_HRR); 1784 goto err; 1785 } 1786 1787 /* 1788 * Re-initialise the Transcript Hash. We're going to prepopulate it with 1789 * a synthetic message_hash in place of ClientHello1. 1790 */ 1791 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { 1792 /* SSLfatal() already called */ 1793 goto err; 1794 } 1795 1796 /* 1797 * Add this message to the Transcript Hash. Normally this is done 1798 * automatically prior to the message processing stage. However due to the 1799 * need to create the synthetic message hash, we defer that step until now 1800 * for HRR messages. 1801 */ 1802 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1803 s->init_num + SSL3_HM_HEADER_LENGTH)) { 1804 /* SSLfatal() already called */ 1805 goto err; 1806 } 1807 1808 return MSG_PROCESS_FINISHED_READING; 1809 err: 1810 OPENSSL_free(extensions); 1811 return MSG_PROCESS_ERROR; 1812 } 1813 1814 MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) 1815 { 1816 int i; 1817 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; 1818 unsigned long cert_list_len, cert_len; 1819 X509 *x = NULL; 1820 const unsigned char *certstart, *certbytes; 1821 STACK_OF(X509) *sk = NULL; 1822 EVP_PKEY *pkey = NULL; 1823 size_t chainidx, certidx; 1824 unsigned int context = 0; 1825 const SSL_CERT_LOOKUP *clu; 1826 1827 if ((sk = sk_X509_new_null()) == NULL) { 1828 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1829 ERR_R_MALLOC_FAILURE); 1830 goto err; 1831 } 1832 1833 if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) 1834 || context != 0 1835 || !PACKET_get_net_3(pkt, &cert_list_len) 1836 || PACKET_remaining(pkt) != cert_list_len 1837 || PACKET_remaining(pkt) == 0) { 1838 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1839 SSL_R_LENGTH_MISMATCH); 1840 goto err; 1841 } 1842 for (chainidx = 0; PACKET_remaining(pkt); chainidx++) { 1843 if (!PACKET_get_net_3(pkt, &cert_len) 1844 || !PACKET_get_bytes(pkt, &certbytes, cert_len)) { 1845 SSLfatal(s, SSL_AD_DECODE_ERROR, 1846 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1847 SSL_R_CERT_LENGTH_MISMATCH); 1848 goto err; 1849 } 1850 1851 certstart = certbytes; 1852 x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len); 1853 if (x == NULL) { 1854 SSLfatal(s, SSL_AD_BAD_CERTIFICATE, 1855 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB); 1856 goto err; 1857 } 1858 if (certbytes != (certstart + cert_len)) { 1859 SSLfatal(s, SSL_AD_DECODE_ERROR, 1860 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1861 SSL_R_CERT_LENGTH_MISMATCH); 1862 goto err; 1863 } 1864 1865 if (SSL_IS_TLS13(s)) { 1866 RAW_EXTENSION *rawexts = NULL; 1867 PACKET extensions; 1868 1869 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { 1870 SSLfatal(s, SSL_AD_DECODE_ERROR, 1871 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1872 SSL_R_BAD_LENGTH); 1873 goto err; 1874 } 1875 if (!tls_collect_extensions(s, &extensions, 1876 SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, 1877 NULL, chainidx == 0) 1878 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, 1879 rawexts, x, chainidx, 1880 PACKET_remaining(pkt) == 0)) { 1881 OPENSSL_free(rawexts); 1882 /* SSLfatal already called */ 1883 goto err; 1884 } 1885 OPENSSL_free(rawexts); 1886 } 1887 1888 if (!sk_X509_push(sk, x)) { 1889 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1890 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1891 ERR_R_MALLOC_FAILURE); 1892 goto err; 1893 } 1894 x = NULL; 1895 } 1896 1897 i = ssl_verify_cert_chain(s, sk); 1898 /* 1899 * The documented interface is that SSL_VERIFY_PEER should be set in order 1900 * for client side verification of the server certificate to take place. 1901 * However, historically the code has only checked that *any* flag is set 1902 * to cause server verification to take place. Use of the other flags makes 1903 * no sense in client mode. An attempt to clean up the semantics was 1904 * reverted because at least one application *only* set 1905 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused 1906 * server verification to take place, after the clean up it silently did 1907 * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags 1908 * sent to them because they are void functions. Therefore, we now use the 1909 * (less clean) historic behaviour of performing validation if any flag is 1910 * set. The *documented* interface remains the same. 1911 */ 1912 if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { 1913 SSLfatal(s, ssl_x509err2alert(s->verify_result), 1914 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1915 SSL_R_CERTIFICATE_VERIFY_FAILED); 1916 goto err; 1917 } 1918 ERR_clear_error(); /* but we keep s->verify_result */ 1919 if (i > 1) { 1920 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1921 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i); 1922 goto err; 1923 } 1924 1925 s->session->peer_chain = sk; 1926 /* 1927 * Inconsistency alert: cert_chain does include the peer's certificate, 1928 * which we don't include in statem_srvr.c 1929 */ 1930 x = sk_X509_value(sk, 0); 1931 sk = NULL; 1932 1933 pkey = X509_get0_pubkey(x); 1934 1935 if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) { 1936 x = NULL; 1937 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1938 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1939 goto err; 1940 } 1941 1942 if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) { 1943 x = NULL; 1944 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1945 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1946 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1947 goto err; 1948 } 1949 /* 1950 * Check certificate type is consistent with ciphersuite. For TLS 1.3 1951 * skip check since TLS 1.3 ciphersuites can be used with any certificate 1952 * type. 1953 */ 1954 if (!SSL_IS_TLS13(s)) { 1955 if ((clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0) { 1956 x = NULL; 1957 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1958 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1959 SSL_R_WRONG_CERTIFICATE_TYPE); 1960 goto err; 1961 } 1962 } 1963 s->session->peer_type = certidx; 1964 1965 X509_free(s->session->peer); 1966 X509_up_ref(x); 1967 s->session->peer = x; 1968 s->session->verify_result = s->verify_result; 1969 x = NULL; 1970 1971 /* Save the current hash state for when we receive the CertificateVerify */ 1972 if (SSL_IS_TLS13(s) 1973 && !ssl_handshake_hash(s, s->cert_verify_hash, 1974 sizeof(s->cert_verify_hash), 1975 &s->cert_verify_hash_len)) { 1976 /* SSLfatal() already called */; 1977 goto err; 1978 } 1979 1980 ret = MSG_PROCESS_CONTINUE_READING; 1981 1982 err: 1983 X509_free(x); 1984 sk_X509_pop_free(sk, X509_free); 1985 return ret; 1986 } 1987 1988 static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt) 1989 { 1990 #ifndef OPENSSL_NO_PSK 1991 PACKET psk_identity_hint; 1992 1993 /* PSK ciphersuites are preceded by an identity hint */ 1994 1995 if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) { 1996 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, 1997 SSL_R_LENGTH_MISMATCH); 1998 return 0; 1999 } 2000 2001 /* 2002 * Store PSK identity hint for later use, hint is used in 2003 * tls_construct_client_key_exchange. Assume that the maximum length of 2004 * a PSK identity hint can be as long as the maximum length of a PSK 2005 * identity. 2006 */ 2007 if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) { 2008 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2009 SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, 2010 SSL_R_DATA_LENGTH_TOO_LONG); 2011 return 0; 2012 } 2013 2014 if (PACKET_remaining(&psk_identity_hint) == 0) { 2015 OPENSSL_free(s->session->psk_identity_hint); 2016 s->session->psk_identity_hint = NULL; 2017 } else if (!PACKET_strndup(&psk_identity_hint, 2018 &s->session->psk_identity_hint)) { 2019 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, 2020 ERR_R_INTERNAL_ERROR); 2021 return 0; 2022 } 2023 2024 return 1; 2025 #else 2026 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, 2027 ERR_R_INTERNAL_ERROR); 2028 return 0; 2029 #endif 2030 } 2031 2032 static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey) 2033 { 2034 #ifndef OPENSSL_NO_SRP 2035 PACKET prime, generator, salt, server_pub; 2036 2037 if (!PACKET_get_length_prefixed_2(pkt, &prime) 2038 || !PACKET_get_length_prefixed_2(pkt, &generator) 2039 || !PACKET_get_length_prefixed_1(pkt, &salt) 2040 || !PACKET_get_length_prefixed_2(pkt, &server_pub)) { 2041 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_SRP, 2042 SSL_R_LENGTH_MISMATCH); 2043 return 0; 2044 } 2045 2046 /* TODO(size_t): Convert BN_bin2bn() calls */ 2047 if ((s->srp_ctx.N = 2048 BN_bin2bn(PACKET_data(&prime), 2049 (int)PACKET_remaining(&prime), NULL)) == NULL 2050 || (s->srp_ctx.g = 2051 BN_bin2bn(PACKET_data(&generator), 2052 (int)PACKET_remaining(&generator), NULL)) == NULL 2053 || (s->srp_ctx.s = 2054 BN_bin2bn(PACKET_data(&salt), 2055 (int)PACKET_remaining(&salt), NULL)) == NULL 2056 || (s->srp_ctx.B = 2057 BN_bin2bn(PACKET_data(&server_pub), 2058 (int)PACKET_remaining(&server_pub), NULL)) == NULL) { 2059 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_SRP, 2060 ERR_R_BN_LIB); 2061 return 0; 2062 } 2063 2064 if (!srp_verify_server_param(s)) { 2065 /* SSLfatal() already called */ 2066 return 0; 2067 } 2068 2069 /* We must check if there is a certificate */ 2070 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) 2071 *pkey = X509_get0_pubkey(s->session->peer); 2072 2073 return 1; 2074 #else 2075 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_SRP, 2076 ERR_R_INTERNAL_ERROR); 2077 return 0; 2078 #endif 2079 } 2080 2081 static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) 2082 { 2083 #ifndef OPENSSL_NO_DH 2084 PACKET prime, generator, pub_key; 2085 EVP_PKEY *peer_tmp = NULL; 2086 2087 DH *dh = NULL; 2088 BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL; 2089 2090 int check_bits = 0; 2091 2092 if (!PACKET_get_length_prefixed_2(pkt, &prime) 2093 || !PACKET_get_length_prefixed_2(pkt, &generator) 2094 || !PACKET_get_length_prefixed_2(pkt, &pub_key)) { 2095 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2096 SSL_R_LENGTH_MISMATCH); 2097 return 0; 2098 } 2099 2100 peer_tmp = EVP_PKEY_new(); 2101 dh = DH_new(); 2102 2103 if (peer_tmp == NULL || dh == NULL) { 2104 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2105 ERR_R_MALLOC_FAILURE); 2106 goto err; 2107 } 2108 2109 /* TODO(size_t): Convert these calls */ 2110 p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL); 2111 g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator), 2112 NULL); 2113 bnpub_key = BN_bin2bn(PACKET_data(&pub_key), 2114 (int)PACKET_remaining(&pub_key), NULL); 2115 if (p == NULL || g == NULL || bnpub_key == NULL) { 2116 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2117 ERR_R_BN_LIB); 2118 goto err; 2119 } 2120 2121 /* test non-zero pubkey */ 2122 if (BN_is_zero(bnpub_key)) { 2123 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_DHE, 2124 SSL_R_BAD_DH_VALUE); 2125 goto err; 2126 } 2127 2128 if (!DH_set0_pqg(dh, p, NULL, g)) { 2129 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2130 ERR_R_BN_LIB); 2131 goto err; 2132 } 2133 p = g = NULL; 2134 2135 if (DH_check_params(dh, &check_bits) == 0 || check_bits != 0) { 2136 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_DHE, 2137 SSL_R_BAD_DH_VALUE); 2138 goto err; 2139 } 2140 2141 if (!DH_set0_key(dh, bnpub_key, NULL)) { 2142 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2143 ERR_R_BN_LIB); 2144 goto err; 2145 } 2146 bnpub_key = NULL; 2147 2148 if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) { 2149 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2150 ERR_R_EVP_LIB); 2151 goto err; 2152 } 2153 dh = NULL; 2154 2155 if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp), 2156 0, peer_tmp)) { 2157 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE, 2158 SSL_R_DH_KEY_TOO_SMALL); 2159 goto err; 2160 } 2161 2162 s->s3->peer_tmp = peer_tmp; 2163 2164 /* 2165 * FIXME: This makes assumptions about which ciphersuites come with 2166 * public keys. We should have a less ad-hoc way of doing this 2167 */ 2168 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) 2169 *pkey = X509_get0_pubkey(s->session->peer); 2170 /* else anonymous DH, so no certificate or pkey. */ 2171 2172 return 1; 2173 2174 err: 2175 BN_free(p); 2176 BN_free(g); 2177 BN_free(bnpub_key); 2178 DH_free(dh); 2179 EVP_PKEY_free(peer_tmp); 2180 2181 return 0; 2182 #else 2183 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2184 ERR_R_INTERNAL_ERROR); 2185 return 0; 2186 #endif 2187 } 2188 2189 static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) 2190 { 2191 #ifndef OPENSSL_NO_EC 2192 PACKET encoded_pt; 2193 unsigned int curve_type, curve_id; 2194 2195 /* 2196 * Extract elliptic curve parameters and the server's ephemeral ECDH 2197 * public key. We only support named (not generic) curves and 2198 * ECParameters in this case is just three bytes. 2199 */ 2200 if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) { 2201 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, 2202 SSL_R_LENGTH_TOO_SHORT); 2203 return 0; 2204 } 2205 /* 2206 * Check curve is named curve type and one of our preferences, if not 2207 * server has sent an invalid curve. 2208 */ 2209 if (curve_type != NAMED_CURVE_TYPE 2210 || !tls1_check_group_id(s, curve_id, 1)) { 2211 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE, 2212 SSL_R_WRONG_CURVE); 2213 return 0; 2214 } 2215 2216 if ((s->s3->peer_tmp = ssl_generate_param_group(curve_id)) == NULL) { 2217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, 2218 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 2219 return 0; 2220 } 2221 2222 if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) { 2223 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, 2224 SSL_R_LENGTH_MISMATCH); 2225 return 0; 2226 } 2227 2228 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp, 2229 PACKET_data(&encoded_pt), 2230 PACKET_remaining(&encoded_pt))) { 2231 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE, 2232 SSL_R_BAD_ECPOINT); 2233 return 0; 2234 } 2235 2236 /* 2237 * The ECC/TLS specification does not mention the use of DSA to sign 2238 * ECParameters in the server key exchange message. We do support RSA 2239 * and ECDSA. 2240 */ 2241 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA) 2242 *pkey = X509_get0_pubkey(s->session->peer); 2243 else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aRSA) 2244 *pkey = X509_get0_pubkey(s->session->peer); 2245 /* else anonymous ECDH, so no certificate or pkey. */ 2246 2247 return 1; 2248 #else 2249 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, 2250 ERR_R_INTERNAL_ERROR); 2251 return 0; 2252 #endif 2253 } 2254 2255 MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) 2256 { 2257 long alg_k; 2258 EVP_PKEY *pkey = NULL; 2259 EVP_MD_CTX *md_ctx = NULL; 2260 EVP_PKEY_CTX *pctx = NULL; 2261 PACKET save_param_start, signature; 2262 2263 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 2264 2265 save_param_start = *pkt; 2266 2267 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) 2268 EVP_PKEY_free(s->s3->peer_tmp); 2269 s->s3->peer_tmp = NULL; 2270 #endif 2271 2272 if (alg_k & SSL_PSK) { 2273 if (!tls_process_ske_psk_preamble(s, pkt)) { 2274 /* SSLfatal() already called */ 2275 goto err; 2276 } 2277 } 2278 2279 /* Nothing else to do for plain PSK or RSAPSK */ 2280 if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) { 2281 } else if (alg_k & SSL_kSRP) { 2282 if (!tls_process_ske_srp(s, pkt, &pkey)) { 2283 /* SSLfatal() already called */ 2284 goto err; 2285 } 2286 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { 2287 if (!tls_process_ske_dhe(s, pkt, &pkey)) { 2288 /* SSLfatal() already called */ 2289 goto err; 2290 } 2291 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { 2292 if (!tls_process_ske_ecdhe(s, pkt, &pkey)) { 2293 /* SSLfatal() already called */ 2294 goto err; 2295 } 2296 } else if (alg_k) { 2297 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2298 SSL_R_UNEXPECTED_MESSAGE); 2299 goto err; 2300 } 2301 2302 /* if it was signed, check the signature */ 2303 if (pkey != NULL) { 2304 PACKET params; 2305 int maxsig; 2306 const EVP_MD *md = NULL; 2307 unsigned char *tbs; 2308 size_t tbslen; 2309 int rv; 2310 2311 /* 2312 * |pkt| now points to the beginning of the signature, so the difference 2313 * equals the length of the parameters. 2314 */ 2315 if (!PACKET_get_sub_packet(&save_param_start, ¶ms, 2316 PACKET_remaining(&save_param_start) - 2317 PACKET_remaining(pkt))) { 2318 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2319 ERR_R_INTERNAL_ERROR); 2320 goto err; 2321 } 2322 2323 if (SSL_USE_SIGALGS(s)) { 2324 unsigned int sigalg; 2325 2326 if (!PACKET_get_net_2(pkt, &sigalg)) { 2327 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2328 SSL_R_LENGTH_TOO_SHORT); 2329 goto err; 2330 } 2331 if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) { 2332 /* SSLfatal() already called */ 2333 goto err; 2334 } 2335 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { 2336 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2337 ERR_R_INTERNAL_ERROR); 2338 goto err; 2339 } 2340 2341 if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) { 2342 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2343 ERR_R_INTERNAL_ERROR); 2344 goto err; 2345 } 2346 #ifdef SSL_DEBUG 2347 if (SSL_USE_SIGALGS(s)) 2348 fprintf(stderr, "USING TLSv1.2 HASH %s\n", 2349 md == NULL ? "n/a" : EVP_MD_name(md)); 2350 #endif 2351 2352 if (!PACKET_get_length_prefixed_2(pkt, &signature) 2353 || PACKET_remaining(pkt) != 0) { 2354 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2355 SSL_R_LENGTH_MISMATCH); 2356 goto err; 2357 } 2358 maxsig = EVP_PKEY_size(pkey); 2359 if (maxsig < 0) { 2360 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2361 ERR_R_INTERNAL_ERROR); 2362 goto err; 2363 } 2364 2365 /* 2366 * Check signature length 2367 */ 2368 if (PACKET_remaining(&signature) > (size_t)maxsig) { 2369 /* wrong packet length */ 2370 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2371 SSL_R_WRONG_SIGNATURE_LENGTH); 2372 goto err; 2373 } 2374 2375 md_ctx = EVP_MD_CTX_new(); 2376 if (md_ctx == NULL) { 2377 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2378 ERR_R_MALLOC_FAILURE); 2379 goto err; 2380 } 2381 2382 if (EVP_DigestVerifyInit(md_ctx, &pctx, md, NULL, pkey) <= 0) { 2383 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2384 ERR_R_EVP_LIB); 2385 goto err; 2386 } 2387 if (SSL_USE_PSS(s)) { 2388 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 2389 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 2390 RSA_PSS_SALTLEN_DIGEST) <= 0) { 2391 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2392 SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB); 2393 goto err; 2394 } 2395 } 2396 tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(¶ms), 2397 PACKET_remaining(¶ms)); 2398 if (tbslen == 0) { 2399 /* SSLfatal() already called */ 2400 goto err; 2401 } 2402 2403 rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature), 2404 PACKET_remaining(&signature), tbs, tbslen); 2405 OPENSSL_free(tbs); 2406 if (rv <= 0) { 2407 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2408 SSL_R_BAD_SIGNATURE); 2409 goto err; 2410 } 2411 EVP_MD_CTX_free(md_ctx); 2412 md_ctx = NULL; 2413 } else { 2414 /* aNULL, aSRP or PSK do not need public keys */ 2415 if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) 2416 && !(alg_k & SSL_PSK)) { 2417 /* Might be wrong key type, check it */ 2418 if (ssl3_check_cert_and_algorithm(s)) { 2419 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2420 SSL_R_BAD_DATA); 2421 } 2422 /* else this shouldn't happen, SSLfatal() already called */ 2423 goto err; 2424 } 2425 /* still data left over */ 2426 if (PACKET_remaining(pkt) != 0) { 2427 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2428 SSL_R_EXTRA_DATA_IN_MESSAGE); 2429 goto err; 2430 } 2431 } 2432 2433 return MSG_PROCESS_CONTINUE_READING; 2434 err: 2435 EVP_MD_CTX_free(md_ctx); 2436 return MSG_PROCESS_ERROR; 2437 } 2438 2439 MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) 2440 { 2441 size_t i; 2442 2443 /* Clear certificate validity flags */ 2444 for (i = 0; i < SSL_PKEY_NUM; i++) 2445 s->s3->tmp.valid_flags[i] = 0; 2446 2447 if (SSL_IS_TLS13(s)) { 2448 PACKET reqctx, extensions; 2449 RAW_EXTENSION *rawexts = NULL; 2450 2451 if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { 2452 /* 2453 * We already sent close_notify. This can only happen in TLSv1.3 2454 * post-handshake messages. We can't reasonably respond to this, so 2455 * we just ignore it 2456 */ 2457 return MSG_PROCESS_FINISHED_READING; 2458 } 2459 2460 /* Free and zero certificate types: it is not present in TLS 1.3 */ 2461 OPENSSL_free(s->s3->tmp.ctype); 2462 s->s3->tmp.ctype = NULL; 2463 s->s3->tmp.ctype_len = 0; 2464 OPENSSL_free(s->pha_context); 2465 s->pha_context = NULL; 2466 2467 if (!PACKET_get_length_prefixed_1(pkt, &reqctx) || 2468 !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) { 2469 SSLfatal(s, SSL_AD_DECODE_ERROR, 2470 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2471 SSL_R_LENGTH_MISMATCH); 2472 return MSG_PROCESS_ERROR; 2473 } 2474 2475 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { 2476 SSLfatal(s, SSL_AD_DECODE_ERROR, 2477 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2478 SSL_R_BAD_LENGTH); 2479 return MSG_PROCESS_ERROR; 2480 } 2481 if (!tls_collect_extensions(s, &extensions, 2482 SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 2483 &rawexts, NULL, 1) 2484 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 2485 rawexts, NULL, 0, 1)) { 2486 /* SSLfatal() already called */ 2487 OPENSSL_free(rawexts); 2488 return MSG_PROCESS_ERROR; 2489 } 2490 OPENSSL_free(rawexts); 2491 if (!tls1_process_sigalgs(s)) { 2492 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2493 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2494 SSL_R_BAD_LENGTH); 2495 return MSG_PROCESS_ERROR; 2496 } 2497 } else { 2498 PACKET ctypes; 2499 2500 /* get the certificate types */ 2501 if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) { 2502 SSLfatal(s, SSL_AD_DECODE_ERROR, 2503 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2504 SSL_R_LENGTH_MISMATCH); 2505 return MSG_PROCESS_ERROR; 2506 } 2507 2508 if (!PACKET_memdup(&ctypes, &s->s3->tmp.ctype, &s->s3->tmp.ctype_len)) { 2509 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2510 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2511 ERR_R_INTERNAL_ERROR); 2512 return MSG_PROCESS_ERROR; 2513 } 2514 2515 if (SSL_USE_SIGALGS(s)) { 2516 PACKET sigalgs; 2517 2518 if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) { 2519 SSLfatal(s, SSL_AD_DECODE_ERROR, 2520 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2521 SSL_R_LENGTH_MISMATCH); 2522 return MSG_PROCESS_ERROR; 2523 } 2524 2525 /* 2526 * Despite this being for certificates, preserve compatibility 2527 * with pre-TLS 1.3 and use the regular sigalgs field. 2528 */ 2529 if (!tls1_save_sigalgs(s, &sigalgs, 0)) { 2530 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2531 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2532 SSL_R_SIGNATURE_ALGORITHMS_ERROR); 2533 return MSG_PROCESS_ERROR; 2534 } 2535 if (!tls1_process_sigalgs(s)) { 2536 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2537 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2538 ERR_R_MALLOC_FAILURE); 2539 return MSG_PROCESS_ERROR; 2540 } 2541 } 2542 2543 /* get the CA RDNs */ 2544 if (!parse_ca_names(s, pkt)) { 2545 /* SSLfatal() already called */ 2546 return MSG_PROCESS_ERROR; 2547 } 2548 } 2549 2550 if (PACKET_remaining(pkt) != 0) { 2551 SSLfatal(s, SSL_AD_DECODE_ERROR, 2552 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2553 SSL_R_LENGTH_MISMATCH); 2554 return MSG_PROCESS_ERROR; 2555 } 2556 2557 /* we should setup a certificate to return.... */ 2558 s->s3->tmp.cert_req = 1; 2559 2560 /* 2561 * In TLSv1.3 we don't prepare the client certificate yet. We wait until 2562 * after the CertificateVerify message has been received. This is because 2563 * in TLSv1.3 the CertificateRequest arrives before the Certificate message 2564 * but in TLSv1.2 it is the other way around. We want to make sure that 2565 * SSL_get_peer_certificate() returns something sensible in 2566 * client_cert_cb. 2567 */ 2568 if (SSL_IS_TLS13(s) && s->post_handshake_auth != SSL_PHA_REQUESTED) 2569 return MSG_PROCESS_CONTINUE_READING; 2570 2571 return MSG_PROCESS_CONTINUE_PROCESSING; 2572 } 2573 2574 MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) 2575 { 2576 unsigned int ticklen; 2577 unsigned long ticket_lifetime_hint, age_add = 0; 2578 unsigned int sess_len; 2579 RAW_EXTENSION *exts = NULL; 2580 PACKET nonce; 2581 2582 PACKET_null_init(&nonce); 2583 2584 if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint) 2585 || (SSL_IS_TLS13(s) 2586 && (!PACKET_get_net_4(pkt, &age_add) 2587 || !PACKET_get_length_prefixed_1(pkt, &nonce))) 2588 || !PACKET_get_net_2(pkt, &ticklen) 2589 || (SSL_IS_TLS13(s) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen) 2590 : PACKET_remaining(pkt) != ticklen)) { 2591 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2592 SSL_R_LENGTH_MISMATCH); 2593 goto err; 2594 } 2595 2596 /* 2597 * Server is allowed to change its mind (in <=TLSv1.2) and send an empty 2598 * ticket. We already checked this TLSv1.3 case above, so it should never 2599 * be 0 here in that instance 2600 */ 2601 if (ticklen == 0) 2602 return MSG_PROCESS_CONTINUE_READING; 2603 2604 /* 2605 * Sessions must be immutable once they go into the session cache. Otherwise 2606 * we can get multi-thread problems. Therefore we don't "update" sessions, 2607 * we replace them with a duplicate. In TLSv1.3 we need to do this every 2608 * time a NewSessionTicket arrives because those messages arrive 2609 * post-handshake and the session may have already gone into the session 2610 * cache. 2611 */ 2612 if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) { 2613 SSL_SESSION *new_sess; 2614 2615 /* 2616 * We reused an existing session, so we need to replace it with a new 2617 * one 2618 */ 2619 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { 2620 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2621 SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2622 ERR_R_MALLOC_FAILURE); 2623 goto err; 2624 } 2625 2626 if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 2627 && !SSL_IS_TLS13(s)) { 2628 /* 2629 * In TLSv1.2 and below the arrival of a new tickets signals that 2630 * any old ticket we were using is now out of date, so we remove the 2631 * old session from the cache. We carry on if this fails 2632 */ 2633 SSL_CTX_remove_session(s->session_ctx, s->session); 2634 } 2635 2636 SSL_SESSION_free(s->session); 2637 s->session = new_sess; 2638 } 2639 2640 /* 2641 * Technically the cast to long here is not guaranteed by the C standard - 2642 * but we use it elsewhere, so this should be ok. 2643 */ 2644 s->session->time = (long)time(NULL); 2645 2646 OPENSSL_free(s->session->ext.tick); 2647 s->session->ext.tick = NULL; 2648 s->session->ext.ticklen = 0; 2649 2650 s->session->ext.tick = OPENSSL_malloc(ticklen); 2651 if (s->session->ext.tick == NULL) { 2652 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2653 ERR_R_MALLOC_FAILURE); 2654 goto err; 2655 } 2656 if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) { 2657 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2658 SSL_R_LENGTH_MISMATCH); 2659 goto err; 2660 } 2661 2662 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint; 2663 s->session->ext.tick_age_add = age_add; 2664 s->session->ext.ticklen = ticklen; 2665 2666 if (SSL_IS_TLS13(s)) { 2667 PACKET extpkt; 2668 2669 if (!PACKET_as_length_prefixed_2(pkt, &extpkt) 2670 || PACKET_remaining(pkt) != 0) { 2671 SSLfatal(s, SSL_AD_DECODE_ERROR, 2672 SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2673 SSL_R_LENGTH_MISMATCH); 2674 goto err; 2675 } 2676 2677 if (!tls_collect_extensions(s, &extpkt, 2678 SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts, 2679 NULL, 1) 2680 || !tls_parse_all_extensions(s, 2681 SSL_EXT_TLS1_3_NEW_SESSION_TICKET, 2682 exts, NULL, 0, 1)) { 2683 /* SSLfatal() already called */ 2684 goto err; 2685 } 2686 } 2687 2688 /* 2689 * There are two ways to detect a resumed ticket session. One is to set 2690 * an appropriate session ID and then the server must return a match in 2691 * ServerHello. This allows the normal client session ID matching to work 2692 * and we know much earlier that the ticket has been accepted. The 2693 * other way is to set zero length session ID when the ticket is 2694 * presented and rely on the handshake to determine session resumption. 2695 * We choose the former approach because this fits in with assumptions 2696 * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is 2697 * SHA256 is disabled) hash of the ticket. 2698 */ 2699 /* 2700 * TODO(size_t): we use sess_len here because EVP_Digest expects an int 2701 * but s->session->session_id_length is a size_t 2702 */ 2703 if (!EVP_Digest(s->session->ext.tick, ticklen, 2704 s->session->session_id, &sess_len, 2705 EVP_sha256(), NULL)) { 2706 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2707 ERR_R_EVP_LIB); 2708 goto err; 2709 } 2710 s->session->session_id_length = sess_len; 2711 s->session->not_resumable = 0; 2712 2713 /* This is a standalone message in TLSv1.3, so there is no more to read */ 2714 if (SSL_IS_TLS13(s)) { 2715 const EVP_MD *md = ssl_handshake_md(s); 2716 int hashleni = EVP_MD_size(md); 2717 size_t hashlen; 2718 static const unsigned char nonce_label[] = "resumption"; 2719 2720 /* Ensure cast to size_t is safe */ 2721 if (!ossl_assert(hashleni >= 0)) { 2722 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2723 SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2724 ERR_R_INTERNAL_ERROR); 2725 goto err; 2726 } 2727 hashlen = (size_t)hashleni; 2728 2729 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, 2730 nonce_label, 2731 sizeof(nonce_label) - 1, 2732 PACKET_data(&nonce), 2733 PACKET_remaining(&nonce), 2734 s->session->master_key, 2735 hashlen, 1)) { 2736 /* SSLfatal() already called */ 2737 goto err; 2738 } 2739 s->session->master_key_length = hashlen; 2740 2741 OPENSSL_free(exts); 2742 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 2743 return MSG_PROCESS_FINISHED_READING; 2744 } 2745 2746 return MSG_PROCESS_CONTINUE_READING; 2747 err: 2748 OPENSSL_free(exts); 2749 return MSG_PROCESS_ERROR; 2750 } 2751 2752 /* 2753 * In TLSv1.3 this is called from the extensions code, otherwise it is used to 2754 * parse a separate message. Returns 1 on success or 0 on failure 2755 */ 2756 int tls_process_cert_status_body(SSL *s, PACKET *pkt) 2757 { 2758 size_t resplen; 2759 unsigned int type; 2760 2761 if (!PACKET_get_1(pkt, &type) 2762 || type != TLSEXT_STATUSTYPE_ocsp) { 2763 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, 2764 SSL_R_UNSUPPORTED_STATUS_TYPE); 2765 return 0; 2766 } 2767 if (!PACKET_get_net_3_len(pkt, &resplen) 2768 || PACKET_remaining(pkt) != resplen) { 2769 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, 2770 SSL_R_LENGTH_MISMATCH); 2771 return 0; 2772 } 2773 s->ext.ocsp.resp = OPENSSL_malloc(resplen); 2774 if (s->ext.ocsp.resp == NULL) { 2775 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, 2776 ERR_R_MALLOC_FAILURE); 2777 return 0; 2778 } 2779 if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { 2780 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, 2781 SSL_R_LENGTH_MISMATCH); 2782 return 0; 2783 } 2784 s->ext.ocsp.resp_len = resplen; 2785 2786 return 1; 2787 } 2788 2789 2790 MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt) 2791 { 2792 if (!tls_process_cert_status_body(s, pkt)) { 2793 /* SSLfatal() already called */ 2794 return MSG_PROCESS_ERROR; 2795 } 2796 2797 return MSG_PROCESS_CONTINUE_READING; 2798 } 2799 2800 /* 2801 * Perform miscellaneous checks and processing after we have received the 2802 * server's initial flight. In TLS1.3 this is after the Server Finished message. 2803 * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0 2804 * on failure. 2805 */ 2806 int tls_process_initial_server_flight(SSL *s) 2807 { 2808 /* 2809 * at this point we check that we have the required stuff from 2810 * the server 2811 */ 2812 if (!ssl3_check_cert_and_algorithm(s)) { 2813 /* SSLfatal() already called */ 2814 return 0; 2815 } 2816 2817 /* 2818 * Call the ocsp status callback if needed. The |ext.ocsp.resp| and 2819 * |ext.ocsp.resp_len| values will be set if we actually received a status 2820 * message, or NULL and -1 otherwise 2821 */ 2822 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing 2823 && s->ctx->ext.status_cb != NULL) { 2824 int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); 2825 2826 if (ret == 0) { 2827 SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE, 2828 SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT, 2829 SSL_R_INVALID_STATUS_RESPONSE); 2830 return 0; 2831 } 2832 if (ret < 0) { 2833 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2834 SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT, 2835 ERR_R_MALLOC_FAILURE); 2836 return 0; 2837 } 2838 } 2839 #ifndef OPENSSL_NO_CT 2840 if (s->ct_validation_callback != NULL) { 2841 /* Note we validate the SCTs whether or not we abort on error */ 2842 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) { 2843 /* SSLfatal() already called */ 2844 return 0; 2845 } 2846 } 2847 #endif 2848 2849 return 1; 2850 } 2851 2852 MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt) 2853 { 2854 if (PACKET_remaining(pkt) > 0) { 2855 /* should contain no data */ 2856 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE, 2857 SSL_R_LENGTH_MISMATCH); 2858 return MSG_PROCESS_ERROR; 2859 } 2860 #ifndef OPENSSL_NO_SRP 2861 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) { 2862 if (SRP_Calc_A_param(s) <= 0) { 2863 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE, 2864 SSL_R_SRP_A_CALC); 2865 return MSG_PROCESS_ERROR; 2866 } 2867 } 2868 #endif 2869 2870 if (!tls_process_initial_server_flight(s)) { 2871 /* SSLfatal() already called */ 2872 return MSG_PROCESS_ERROR; 2873 } 2874 2875 return MSG_PROCESS_FINISHED_READING; 2876 } 2877 2878 static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt) 2879 { 2880 #ifndef OPENSSL_NO_PSK 2881 int ret = 0; 2882 /* 2883 * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a 2884 * \0-terminated identity. The last byte is for us for simulating 2885 * strnlen. 2886 */ 2887 char identity[PSK_MAX_IDENTITY_LEN + 1]; 2888 size_t identitylen = 0; 2889 unsigned char psk[PSK_MAX_PSK_LEN]; 2890 unsigned char *tmppsk = NULL; 2891 char *tmpidentity = NULL; 2892 size_t psklen = 0; 2893 2894 if (s->psk_client_callback == NULL) { 2895 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2896 SSL_R_PSK_NO_CLIENT_CB); 2897 goto err; 2898 } 2899 2900 memset(identity, 0, sizeof(identity)); 2901 2902 psklen = s->psk_client_callback(s, s->session->psk_identity_hint, 2903 identity, sizeof(identity) - 1, 2904 psk, sizeof(psk)); 2905 2906 if (psklen > PSK_MAX_PSK_LEN) { 2907 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2908 SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); 2909 goto err; 2910 } else if (psklen == 0) { 2911 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2912 SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2913 SSL_R_PSK_IDENTITY_NOT_FOUND); 2914 goto err; 2915 } 2916 2917 identitylen = strlen(identity); 2918 if (identitylen > PSK_MAX_IDENTITY_LEN) { 2919 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2920 ERR_R_INTERNAL_ERROR); 2921 goto err; 2922 } 2923 2924 tmppsk = OPENSSL_memdup(psk, psklen); 2925 tmpidentity = OPENSSL_strdup(identity); 2926 if (tmppsk == NULL || tmpidentity == NULL) { 2927 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2928 ERR_R_MALLOC_FAILURE); 2929 goto err; 2930 } 2931 2932 OPENSSL_free(s->s3->tmp.psk); 2933 s->s3->tmp.psk = tmppsk; 2934 s->s3->tmp.psklen = psklen; 2935 tmppsk = NULL; 2936 OPENSSL_free(s->session->psk_identity); 2937 s->session->psk_identity = tmpidentity; 2938 tmpidentity = NULL; 2939 2940 if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)) { 2941 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2942 ERR_R_INTERNAL_ERROR); 2943 goto err; 2944 } 2945 2946 ret = 1; 2947 2948 err: 2949 OPENSSL_cleanse(psk, psklen); 2950 OPENSSL_cleanse(identity, sizeof(identity)); 2951 OPENSSL_clear_free(tmppsk, psklen); 2952 OPENSSL_clear_free(tmpidentity, identitylen); 2953 2954 return ret; 2955 #else 2956 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2957 ERR_R_INTERNAL_ERROR); 2958 return 0; 2959 #endif 2960 } 2961 2962 static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt) 2963 { 2964 #ifndef OPENSSL_NO_RSA 2965 unsigned char *encdata = NULL; 2966 EVP_PKEY *pkey = NULL; 2967 EVP_PKEY_CTX *pctx = NULL; 2968 size_t enclen; 2969 unsigned char *pms = NULL; 2970 size_t pmslen = 0; 2971 2972 if (s->session->peer == NULL) { 2973 /* 2974 * We should always have a server certificate with SSL_kRSA. 2975 */ 2976 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 2977 ERR_R_INTERNAL_ERROR); 2978 return 0; 2979 } 2980 2981 pkey = X509_get0_pubkey(s->session->peer); 2982 if (EVP_PKEY_get0_RSA(pkey) == NULL) { 2983 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 2984 ERR_R_INTERNAL_ERROR); 2985 return 0; 2986 } 2987 2988 pmslen = SSL_MAX_MASTER_KEY_LENGTH; 2989 pms = OPENSSL_malloc(pmslen); 2990 if (pms == NULL) { 2991 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 2992 ERR_R_MALLOC_FAILURE); 2993 return 0; 2994 } 2995 2996 pms[0] = s->client_version >> 8; 2997 pms[1] = s->client_version & 0xff; 2998 /* TODO(size_t): Convert this function */ 2999 if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) { 3000 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3001 ERR_R_MALLOC_FAILURE); 3002 goto err; 3003 } 3004 3005 /* Fix buf for TLS and beyond */ 3006 if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) { 3007 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3008 ERR_R_INTERNAL_ERROR); 3009 goto err; 3010 } 3011 pctx = EVP_PKEY_CTX_new(pkey, NULL); 3012 if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0 3013 || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) { 3014 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3015 ERR_R_EVP_LIB); 3016 goto err; 3017 } 3018 if (!WPACKET_allocate_bytes(pkt, enclen, &encdata) 3019 || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) { 3020 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3021 SSL_R_BAD_RSA_ENCRYPT); 3022 goto err; 3023 } 3024 EVP_PKEY_CTX_free(pctx); 3025 pctx = NULL; 3026 3027 /* Fix buf for TLS and beyond */ 3028 if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) { 3029 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3030 ERR_R_INTERNAL_ERROR); 3031 goto err; 3032 } 3033 3034 /* Log the premaster secret, if logging is enabled. */ 3035 if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) { 3036 /* SSLfatal() already called */ 3037 goto err; 3038 } 3039 3040 s->s3->tmp.pms = pms; 3041 s->s3->tmp.pmslen = pmslen; 3042 3043 return 1; 3044 err: 3045 OPENSSL_clear_free(pms, pmslen); 3046 EVP_PKEY_CTX_free(pctx); 3047 3048 return 0; 3049 #else 3050 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3051 ERR_R_INTERNAL_ERROR); 3052 return 0; 3053 #endif 3054 } 3055 3056 static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) 3057 { 3058 #ifndef OPENSSL_NO_DH 3059 DH *dh_clnt = NULL; 3060 const BIGNUM *pub_key; 3061 EVP_PKEY *ckey = NULL, *skey = NULL; 3062 unsigned char *keybytes = NULL; 3063 3064 skey = s->s3->peer_tmp; 3065 if (skey == NULL) { 3066 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3067 ERR_R_INTERNAL_ERROR); 3068 goto err; 3069 } 3070 3071 ckey = ssl_generate_pkey(skey); 3072 if (ckey == NULL) { 3073 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3074 ERR_R_INTERNAL_ERROR); 3075 goto err; 3076 } 3077 3078 dh_clnt = EVP_PKEY_get0_DH(ckey); 3079 3080 if (dh_clnt == NULL) { 3081 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3082 ERR_R_INTERNAL_ERROR); 3083 goto err; 3084 } 3085 3086 if (ssl_derive(s, ckey, skey, 0) == 0) { 3087 /* SSLfatal() already called */ 3088 goto err; 3089 } 3090 3091 /* send off the data */ 3092 DH_get0_key(dh_clnt, &pub_key, NULL); 3093 if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key), 3094 &keybytes)) { 3095 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3096 ERR_R_INTERNAL_ERROR); 3097 goto err; 3098 } 3099 3100 BN_bn2bin(pub_key, keybytes); 3101 EVP_PKEY_free(ckey); 3102 3103 return 1; 3104 err: 3105 EVP_PKEY_free(ckey); 3106 return 0; 3107 #else 3108 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3109 ERR_R_INTERNAL_ERROR); 3110 return 0; 3111 #endif 3112 } 3113 3114 static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt) 3115 { 3116 #ifndef OPENSSL_NO_EC 3117 unsigned char *encodedPoint = NULL; 3118 size_t encoded_pt_len = 0; 3119 EVP_PKEY *ckey = NULL, *skey = NULL; 3120 int ret = 0; 3121 3122 skey = s->s3->peer_tmp; 3123 if (skey == NULL) { 3124 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3125 ERR_R_INTERNAL_ERROR); 3126 return 0; 3127 } 3128 3129 ckey = ssl_generate_pkey(skey); 3130 if (ckey == NULL) { 3131 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3132 ERR_R_MALLOC_FAILURE); 3133 goto err; 3134 } 3135 3136 if (ssl_derive(s, ckey, skey, 0) == 0) { 3137 /* SSLfatal() already called */ 3138 goto err; 3139 } 3140 3141 /* Generate encoding of client key */ 3142 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(ckey, &encodedPoint); 3143 3144 if (encoded_pt_len == 0) { 3145 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3146 ERR_R_EC_LIB); 3147 goto err; 3148 } 3149 3150 if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) { 3151 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3152 ERR_R_INTERNAL_ERROR); 3153 goto err; 3154 } 3155 3156 ret = 1; 3157 err: 3158 OPENSSL_free(encodedPoint); 3159 EVP_PKEY_free(ckey); 3160 return ret; 3161 #else 3162 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3163 ERR_R_INTERNAL_ERROR); 3164 return 0; 3165 #endif 3166 } 3167 3168 static int tls_construct_cke_gost(SSL *s, WPACKET *pkt) 3169 { 3170 #ifndef OPENSSL_NO_GOST 3171 /* GOST key exchange message creation */ 3172 EVP_PKEY_CTX *pkey_ctx = NULL; 3173 X509 *peer_cert; 3174 size_t msglen; 3175 unsigned int md_len; 3176 unsigned char shared_ukm[32], tmp[256]; 3177 EVP_MD_CTX *ukm_hash = NULL; 3178 int dgst_nid = NID_id_GostR3411_94; 3179 unsigned char *pms = NULL; 3180 size_t pmslen = 0; 3181 3182 if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0) 3183 dgst_nid = NID_id_GostR3411_2012_256; 3184 3185 /* 3186 * Get server certificate PKEY and create ctx from it 3187 */ 3188 peer_cert = s->session->peer; 3189 if (!peer_cert) { 3190 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3191 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 3192 return 0; 3193 } 3194 3195 pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL); 3196 if (pkey_ctx == NULL) { 3197 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3198 ERR_R_MALLOC_FAILURE); 3199 return 0; 3200 } 3201 /* 3202 * If we have send a certificate, and certificate key 3203 * parameters match those of server certificate, use 3204 * certificate key for key exchange 3205 */ 3206 3207 /* Otherwise, generate ephemeral key pair */ 3208 pmslen = 32; 3209 pms = OPENSSL_malloc(pmslen); 3210 if (pms == NULL) { 3211 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3212 ERR_R_MALLOC_FAILURE); 3213 goto err; 3214 } 3215 3216 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 3217 /* Generate session key 3218 * TODO(size_t): Convert this function 3219 */ 3220 || RAND_bytes(pms, (int)pmslen) <= 0) { 3221 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3222 ERR_R_INTERNAL_ERROR); 3223 goto err; 3224 }; 3225 /* 3226 * Compute shared IV and store it in algorithm-specific context 3227 * data 3228 */ 3229 ukm_hash = EVP_MD_CTX_new(); 3230 if (ukm_hash == NULL 3231 || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0 3232 || EVP_DigestUpdate(ukm_hash, s->s3->client_random, 3233 SSL3_RANDOM_SIZE) <= 0 3234 || EVP_DigestUpdate(ukm_hash, s->s3->server_random, 3235 SSL3_RANDOM_SIZE) <= 0 3236 || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) { 3237 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3238 ERR_R_INTERNAL_ERROR); 3239 goto err; 3240 } 3241 EVP_MD_CTX_free(ukm_hash); 3242 ukm_hash = NULL; 3243 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 3244 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) { 3245 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3246 SSL_R_LIBRARY_BUG); 3247 goto err; 3248 } 3249 /* Make GOST keytransport blob message */ 3250 /* 3251 * Encapsulate it into sequence 3252 */ 3253 msglen = 255; 3254 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) { 3255 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3256 SSL_R_LIBRARY_BUG); 3257 goto err; 3258 } 3259 3260 if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED) 3261 || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81)) 3262 || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) { 3263 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3264 ERR_R_INTERNAL_ERROR); 3265 goto err; 3266 } 3267 3268 EVP_PKEY_CTX_free(pkey_ctx); 3269 s->s3->tmp.pms = pms; 3270 s->s3->tmp.pmslen = pmslen; 3271 3272 return 1; 3273 err: 3274 EVP_PKEY_CTX_free(pkey_ctx); 3275 OPENSSL_clear_free(pms, pmslen); 3276 EVP_MD_CTX_free(ukm_hash); 3277 return 0; 3278 #else 3279 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3280 ERR_R_INTERNAL_ERROR); 3281 return 0; 3282 #endif 3283 } 3284 3285 static int tls_construct_cke_srp(SSL *s, WPACKET *pkt) 3286 { 3287 #ifndef OPENSSL_NO_SRP 3288 unsigned char *abytes = NULL; 3289 3290 if (s->srp_ctx.A == NULL 3291 || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A), 3292 &abytes)) { 3293 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP, 3294 ERR_R_INTERNAL_ERROR); 3295 return 0; 3296 } 3297 BN_bn2bin(s->srp_ctx.A, abytes); 3298 3299 OPENSSL_free(s->session->srp_username); 3300 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); 3301 if (s->session->srp_username == NULL) { 3302 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP, 3303 ERR_R_MALLOC_FAILURE); 3304 return 0; 3305 } 3306 3307 return 1; 3308 #else 3309 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP, 3310 ERR_R_INTERNAL_ERROR); 3311 return 0; 3312 #endif 3313 } 3314 3315 int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt) 3316 { 3317 unsigned long alg_k; 3318 3319 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 3320 3321 /* 3322 * All of the construct functions below call SSLfatal() if necessary so 3323 * no need to do so here. 3324 */ 3325 if ((alg_k & SSL_PSK) 3326 && !tls_construct_cke_psk_preamble(s, pkt)) 3327 goto err; 3328 3329 if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) { 3330 if (!tls_construct_cke_rsa(s, pkt)) 3331 goto err; 3332 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { 3333 if (!tls_construct_cke_dhe(s, pkt)) 3334 goto err; 3335 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { 3336 if (!tls_construct_cke_ecdhe(s, pkt)) 3337 goto err; 3338 } else if (alg_k & SSL_kGOST) { 3339 if (!tls_construct_cke_gost(s, pkt)) 3340 goto err; 3341 } else if (alg_k & SSL_kSRP) { 3342 if (!tls_construct_cke_srp(s, pkt)) 3343 goto err; 3344 } else if (!(alg_k & SSL_kPSK)) { 3345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3346 SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 3347 goto err; 3348 } 3349 3350 return 1; 3351 err: 3352 OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); 3353 s->s3->tmp.pms = NULL; 3354 #ifndef OPENSSL_NO_PSK 3355 OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen); 3356 s->s3->tmp.psk = NULL; 3357 #endif 3358 return 0; 3359 } 3360 3361 int tls_client_key_exchange_post_work(SSL *s) 3362 { 3363 unsigned char *pms = NULL; 3364 size_t pmslen = 0; 3365 3366 pms = s->s3->tmp.pms; 3367 pmslen = s->s3->tmp.pmslen; 3368 3369 #ifndef OPENSSL_NO_SRP 3370 /* Check for SRP */ 3371 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) { 3372 if (!srp_generate_client_master_secret(s)) { 3373 /* SSLfatal() already called */ 3374 goto err; 3375 } 3376 return 1; 3377 } 3378 #endif 3379 3380 if (pms == NULL && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 3381 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3382 SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_MALLOC_FAILURE); 3383 goto err; 3384 } 3385 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) { 3386 /* SSLfatal() already called */ 3387 /* ssl_generate_master_secret frees the pms even on error */ 3388 pms = NULL; 3389 pmslen = 0; 3390 goto err; 3391 } 3392 pms = NULL; 3393 pmslen = 0; 3394 3395 #ifndef OPENSSL_NO_SCTP 3396 if (SSL_IS_DTLS(s)) { 3397 unsigned char sctpauthkey[64]; 3398 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 3399 size_t labellen; 3400 3401 /* 3402 * Add new shared key for SCTP-Auth, will be ignored if no SCTP 3403 * used. 3404 */ 3405 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 3406 sizeof(DTLS1_SCTP_AUTH_LABEL)); 3407 3408 /* Don't include the terminating zero. */ 3409 labellen = sizeof(labelbuffer) - 1; 3410 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) 3411 labellen += 1; 3412 3413 if (SSL_export_keying_material(s, sctpauthkey, 3414 sizeof(sctpauthkey), labelbuffer, 3415 labellen, NULL, 0, 0) <= 0) { 3416 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3417 SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, 3418 ERR_R_INTERNAL_ERROR); 3419 goto err; 3420 } 3421 3422 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 3423 sizeof(sctpauthkey), sctpauthkey); 3424 } 3425 #endif 3426 3427 return 1; 3428 err: 3429 OPENSSL_clear_free(pms, pmslen); 3430 s->s3->tmp.pms = NULL; 3431 return 0; 3432 } 3433 3434 /* 3435 * Check a certificate can be used for client authentication. Currently check 3436 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client 3437 * certificates can be used and optionally checks suitability for Suite B. 3438 */ 3439 static int ssl3_check_client_certificate(SSL *s) 3440 { 3441 /* If no suitable signature algorithm can't use certificate */ 3442 if (!tls_choose_sigalg(s, 0) || s->s3->tmp.sigalg == NULL) 3443 return 0; 3444 /* 3445 * If strict mode check suitability of chain before using it. This also 3446 * adjusts suite B digest if necessary. 3447 */ 3448 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT && 3449 !tls1_check_chain(s, NULL, NULL, NULL, -2)) 3450 return 0; 3451 return 1; 3452 } 3453 3454 WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst) 3455 { 3456 X509 *x509 = NULL; 3457 EVP_PKEY *pkey = NULL; 3458 int i; 3459 3460 if (wst == WORK_MORE_A) { 3461 /* Let cert callback update client certificates if required */ 3462 if (s->cert->cert_cb) { 3463 i = s->cert->cert_cb(s, s->cert->cert_cb_arg); 3464 if (i < 0) { 3465 s->rwstate = SSL_X509_LOOKUP; 3466 return WORK_MORE_A; 3467 } 3468 if (i == 0) { 3469 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3470 SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE, 3471 SSL_R_CALLBACK_FAILED); 3472 return WORK_ERROR; 3473 } 3474 s->rwstate = SSL_NOTHING; 3475 } 3476 if (ssl3_check_client_certificate(s)) { 3477 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 3478 return WORK_FINISHED_STOP; 3479 } 3480 return WORK_FINISHED_CONTINUE; 3481 } 3482 3483 /* Fall through to WORK_MORE_B */ 3484 wst = WORK_MORE_B; 3485 } 3486 3487 /* We need to get a client cert */ 3488 if (wst == WORK_MORE_B) { 3489 /* 3490 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP; 3491 * return(-1); We then get retied later 3492 */ 3493 i = ssl_do_client_cert_cb(s, &x509, &pkey); 3494 if (i < 0) { 3495 s->rwstate = SSL_X509_LOOKUP; 3496 return WORK_MORE_B; 3497 } 3498 s->rwstate = SSL_NOTHING; 3499 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { 3500 if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey)) 3501 i = 0; 3502 } else if (i == 1) { 3503 i = 0; 3504 SSLerr(SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE, 3505 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 3506 } 3507 3508 X509_free(x509); 3509 EVP_PKEY_free(pkey); 3510 if (i && !ssl3_check_client_certificate(s)) 3511 i = 0; 3512 if (i == 0) { 3513 if (s->version == SSL3_VERSION) { 3514 s->s3->tmp.cert_req = 0; 3515 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); 3516 return WORK_FINISHED_CONTINUE; 3517 } else { 3518 s->s3->tmp.cert_req = 2; 3519 if (!ssl3_digest_cached_records(s, 0)) { 3520 /* SSLfatal() already called */ 3521 return WORK_ERROR; 3522 } 3523 } 3524 } 3525 3526 if (s->post_handshake_auth == SSL_PHA_REQUESTED) 3527 return WORK_FINISHED_STOP; 3528 return WORK_FINISHED_CONTINUE; 3529 } 3530 3531 /* Shouldn't ever get here */ 3532 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE, 3533 ERR_R_INTERNAL_ERROR); 3534 return WORK_ERROR; 3535 } 3536 3537 int tls_construct_client_certificate(SSL *s, WPACKET *pkt) 3538 { 3539 if (SSL_IS_TLS13(s)) { 3540 if (s->pha_context == NULL) { 3541 /* no context available, add 0-length context */ 3542 if (!WPACKET_put_bytes_u8(pkt, 0)) { 3543 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3544 SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); 3545 return 0; 3546 } 3547 } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { 3548 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3549 SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); 3550 return 0; 3551 } 3552 } 3553 if (!ssl3_output_cert_chain(s, pkt, 3554 (s->s3->tmp.cert_req == 2) ? NULL 3555 : s->cert->key)) { 3556 /* SSLfatal() already called */ 3557 return 0; 3558 } 3559 3560 if (SSL_IS_TLS13(s) 3561 && SSL_IS_FIRST_HANDSHAKE(s) 3562 && (!s->method->ssl3_enc->change_cipher_state(s, 3563 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { 3564 /* 3565 * This is a fatal error, which leaves enc_write_ctx in an inconsistent 3566 * state and thus ssl3_send_alert may crash. 3567 */ 3568 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, 3569 SSL_R_CANNOT_CHANGE_CIPHER); 3570 return 0; 3571 } 3572 3573 return 1; 3574 } 3575 3576 int ssl3_check_cert_and_algorithm(SSL *s) 3577 { 3578 const SSL_CERT_LOOKUP *clu; 3579 size_t idx; 3580 long alg_k, alg_a; 3581 3582 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 3583 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 3584 3585 /* we don't have a certificate */ 3586 if (!(alg_a & SSL_aCERT)) 3587 return 1; 3588 3589 /* This is the passed certificate */ 3590 clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx); 3591 3592 /* Check certificate is recognised and suitable for cipher */ 3593 if (clu == NULL || (alg_a & clu->amask) == 0) { 3594 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3595 SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 3596 SSL_R_MISSING_SIGNING_CERT); 3597 return 0; 3598 } 3599 3600 #ifndef OPENSSL_NO_EC 3601 if (clu->amask & SSL_aECDSA) { 3602 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) 3603 return 1; 3604 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3605 SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT); 3606 return 0; 3607 } 3608 #endif 3609 #ifndef OPENSSL_NO_RSA 3610 if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) { 3611 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3612 SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 3613 SSL_R_MISSING_RSA_ENCRYPTING_CERT); 3614 return 0; 3615 } 3616 #endif 3617 #ifndef OPENSSL_NO_DH 3618 if ((alg_k & SSL_kDHE) && (s->s3->peer_tmp == NULL)) { 3619 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 3620 ERR_R_INTERNAL_ERROR); 3621 return 0; 3622 } 3623 #endif 3624 3625 return 1; 3626 } 3627 3628 #ifndef OPENSSL_NO_NEXTPROTONEG 3629 int tls_construct_next_proto(SSL *s, WPACKET *pkt) 3630 { 3631 size_t len, padding_len; 3632 unsigned char *padding = NULL; 3633 3634 len = s->ext.npn_len; 3635 padding_len = 32 - ((len + 2) % 32); 3636 3637 if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len) 3638 || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) { 3639 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_NEXT_PROTO, 3640 ERR_R_INTERNAL_ERROR); 3641 return 0; 3642 } 3643 3644 memset(padding, 0, padding_len); 3645 3646 return 1; 3647 } 3648 #endif 3649 3650 MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt) 3651 { 3652 if (PACKET_remaining(pkt) > 0) { 3653 /* should contain no data */ 3654 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_REQ, 3655 SSL_R_LENGTH_MISMATCH); 3656 return MSG_PROCESS_ERROR; 3657 } 3658 3659 if ((s->options & SSL_OP_NO_RENEGOTIATION)) { 3660 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); 3661 return MSG_PROCESS_FINISHED_READING; 3662 } 3663 3664 /* 3665 * This is a historical discrepancy (not in the RFC) maintained for 3666 * compatibility reasons. If a TLS client receives a HelloRequest it will 3667 * attempt an abbreviated handshake. However if a DTLS client receives a 3668 * HelloRequest it will do a full handshake. Either behaviour is reasonable 3669 * but doing one for TLS and another for DTLS is odd. 3670 */ 3671 if (SSL_IS_DTLS(s)) 3672 SSL_renegotiate(s); 3673 else 3674 SSL_renegotiate_abbreviated(s); 3675 3676 return MSG_PROCESS_FINISHED_READING; 3677 } 3678 3679 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt) 3680 { 3681 PACKET extensions; 3682 RAW_EXTENSION *rawexts = NULL; 3683 3684 if (!PACKET_as_length_prefixed_2(pkt, &extensions) 3685 || PACKET_remaining(pkt) != 0) { 3686 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS, 3687 SSL_R_LENGTH_MISMATCH); 3688 goto err; 3689 } 3690 3691 if (!tls_collect_extensions(s, &extensions, 3692 SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts, 3693 NULL, 1) 3694 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, 3695 rawexts, NULL, 0, 1)) { 3696 /* SSLfatal() already called */ 3697 goto err; 3698 } 3699 3700 OPENSSL_free(rawexts); 3701 return MSG_PROCESS_CONTINUE_READING; 3702 3703 err: 3704 OPENSSL_free(rawexts); 3705 return MSG_PROCESS_ERROR; 3706 } 3707 3708 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3709 { 3710 int i = 0; 3711 #ifndef OPENSSL_NO_ENGINE 3712 if (s->ctx->client_cert_engine) { 3713 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 3714 SSL_get_client_CA_list(s), 3715 px509, ppkey, NULL, NULL, NULL); 3716 if (i != 0) 3717 return i; 3718 } 3719 #endif 3720 if (s->ctx->client_cert_cb) 3721 i = s->ctx->client_cert_cb(s, px509, ppkey); 3722 return i; 3723 } 3724 3725 int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) 3726 { 3727 int i; 3728 size_t totlen = 0, len, maxlen, maxverok = 0; 3729 int empty_reneg_info_scsv = !s->renegotiate; 3730 3731 /* Set disabled masks for this session */ 3732 if (!ssl_set_client_disabled(s)) { 3733 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, 3734 SSL_R_NO_PROTOCOLS_AVAILABLE); 3735 return 0; 3736 } 3737 3738 if (sk == NULL) { 3739 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, 3740 ERR_R_INTERNAL_ERROR); 3741 return 0; 3742 } 3743 3744 #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 3745 # if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6 3746 # error Max cipher length too short 3747 # endif 3748 /* 3749 * Some servers hang if client hello > 256 bytes as hack workaround 3750 * chop number of supported ciphers to keep it well below this if we 3751 * use TLS v1.2 3752 */ 3753 if (TLS1_get_version(s) >= TLS1_2_VERSION) 3754 maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 3755 else 3756 #endif 3757 /* Maximum length that can be stored in 2 bytes. Length must be even */ 3758 maxlen = 0xfffe; 3759 3760 if (empty_reneg_info_scsv) 3761 maxlen -= 2; 3762 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) 3763 maxlen -= 2; 3764 3765 for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) { 3766 const SSL_CIPHER *c; 3767 3768 c = sk_SSL_CIPHER_value(sk, i); 3769 /* Skip disabled ciphers */ 3770 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) 3771 continue; 3772 3773 if (!s->method->put_cipher_by_char(c, pkt, &len)) { 3774 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, 3775 ERR_R_INTERNAL_ERROR); 3776 return 0; 3777 } 3778 3779 /* Sanity check that the maximum version we offer has ciphers enabled */ 3780 if (!maxverok) { 3781 if (SSL_IS_DTLS(s)) { 3782 if (DTLS_VERSION_GE(c->max_dtls, s->s3->tmp.max_ver) 3783 && DTLS_VERSION_LE(c->min_dtls, s->s3->tmp.max_ver)) 3784 maxverok = 1; 3785 } else { 3786 if (c->max_tls >= s->s3->tmp.max_ver 3787 && c->min_tls <= s->s3->tmp.max_ver) 3788 maxverok = 1; 3789 } 3790 } 3791 3792 totlen += len; 3793 } 3794 3795 if (totlen == 0 || !maxverok) { 3796 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, 3797 SSL_R_NO_CIPHERS_AVAILABLE); 3798 3799 if (!maxverok) 3800 ERR_add_error_data(1, "No ciphers enabled for max supported " 3801 "SSL/TLS version"); 3802 3803 return 0; 3804 } 3805 3806 if (totlen != 0) { 3807 if (empty_reneg_info_scsv) { 3808 static SSL_CIPHER scsv = { 3809 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 3810 }; 3811 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { 3812 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3813 SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR); 3814 return 0; 3815 } 3816 } 3817 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { 3818 static SSL_CIPHER scsv = { 3819 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 3820 }; 3821 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { 3822 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3823 SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR); 3824 return 0; 3825 } 3826 } 3827 } 3828 3829 return 1; 3830 } 3831 3832 int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt) 3833 { 3834 if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY 3835 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) { 3836 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3837 SSL_F_TLS_CONSTRUCT_END_OF_EARLY_DATA, 3838 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 3839 return 0; 3840 } 3841 3842 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 3843 return 1; 3844 } 3845