1 /* 2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * Copyright 2005 Nokia. All rights reserved. 5 * 6 * Licensed under the Apache License 2.0 (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12 #include <stdio.h> 13 #include <time.h> 14 #include <assert.h> 15 #include "../ssl_local.h" 16 #include "statem_local.h" 17 #include <openssl/buffer.h> 18 #include <openssl/rand.h> 19 #include <openssl/objects.h> 20 #include <openssl/evp.h> 21 #include <openssl/md5.h> 22 #include <openssl/dh.h> 23 #include <openssl/rsa.h> 24 #include <openssl/bn.h> 25 #include <openssl/engine.h> 26 #include <openssl/trace.h> 27 #include <openssl/core_names.h> 28 #include <openssl/param_build.h> 29 #include "internal/cryptlib.h" 30 #include "internal/comp.h" 31 #include "internal/ssl_unwrap.h" 32 33 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s, 34 PACKET *pkt); 35 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL_CONNECTION *s, 36 PACKET *pkt); 37 38 static ossl_inline int cert_req_allowed(SSL_CONNECTION *s); 39 static int key_exchange_expected(SSL_CONNECTION *s); 40 static int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk, 41 WPACKET *pkt); 42 43 static ossl_inline int received_server_cert(SSL_CONNECTION *sc) 44 { 45 return sc->session->peer_rpk != NULL || sc->session->peer != NULL; 46 } 47 48 /* 49 * Is a CertificateRequest message allowed at the moment or not? 50 * 51 * Return values are: 52 * 1: Yes 53 * 0: No 54 */ 55 static ossl_inline int cert_req_allowed(SSL_CONNECTION *s) 56 { 57 /* TLS does not like anon-DH with client cert */ 58 if ((s->version > SSL3_VERSION 59 && (s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL)) 60 || (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK))) 61 return 0; 62 63 return 1; 64 } 65 66 /* 67 * Should we expect the ServerKeyExchange message or not? 68 * 69 * Return values are: 70 * 1: Yes 71 * 0: No 72 */ 73 static int key_exchange_expected(SSL_CONNECTION *s) 74 { 75 long alg_k = s->s3.tmp.new_cipher->algorithm_mkey; 76 77 /* 78 * Can't skip server key exchange if this is an ephemeral 79 * ciphersuite or for SRP 80 */ 81 if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK 82 | SSL_kSRP)) { 83 return 1; 84 } 85 86 return 0; 87 } 88 89 /* 90 * ossl_statem_client_read_transition() encapsulates the logic for the allowed 91 * handshake state transitions when a TLS1.3 client is reading messages from the 92 * server. The message type that the server has sent is provided in |mt|. The 93 * current state is in |s->statem.hand_state|. 94 * 95 * Return values are 1 for success (transition allowed) and 0 on error 96 * (transition not allowed) 97 */ 98 static int ossl_statem_client13_read_transition(SSL_CONNECTION *s, int mt) 99 { 100 OSSL_STATEM *st = &s->statem; 101 102 /* 103 * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't 104 * yet negotiated TLSv1.3 at that point so that is handled by 105 * ossl_statem_client_read_transition() 106 */ 107 108 switch (st->hand_state) { 109 default: 110 break; 111 112 case TLS_ST_CW_CLNT_HELLO: 113 /* 114 * This must a ClientHello following a HelloRetryRequest, so the only 115 * thing we can get now is a ServerHello. 116 */ 117 if (mt == SSL3_MT_SERVER_HELLO) { 118 st->hand_state = TLS_ST_CR_SRVR_HELLO; 119 return 1; 120 } 121 break; 122 123 case TLS_ST_CR_SRVR_HELLO: 124 if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) { 125 st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS; 126 return 1; 127 } 128 break; 129 130 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 131 if (s->hit) { 132 if (mt == SSL3_MT_FINISHED) { 133 st->hand_state = TLS_ST_CR_FINISHED; 134 return 1; 135 } 136 } else { 137 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 138 st->hand_state = TLS_ST_CR_CERT_REQ; 139 return 1; 140 } 141 if (mt == SSL3_MT_CERTIFICATE) { 142 st->hand_state = TLS_ST_CR_CERT; 143 return 1; 144 } 145 #ifndef OPENSSL_NO_COMP_ALG 146 if (mt == SSL3_MT_COMPRESSED_CERTIFICATE 147 && s->ext.compress_certificate_sent) { 148 st->hand_state = TLS_ST_CR_COMP_CERT; 149 return 1; 150 } 151 #endif 152 } 153 break; 154 155 case TLS_ST_CR_CERT_REQ: 156 if (mt == SSL3_MT_CERTIFICATE) { 157 st->hand_state = TLS_ST_CR_CERT; 158 return 1; 159 } 160 #ifndef OPENSSL_NO_COMP_ALG 161 if (mt == SSL3_MT_COMPRESSED_CERTIFICATE 162 && s->ext.compress_certificate_sent) { 163 st->hand_state = TLS_ST_CR_COMP_CERT; 164 return 1; 165 } 166 #endif 167 break; 168 169 case TLS_ST_CR_CERT: 170 case TLS_ST_CR_COMP_CERT: 171 if (mt == SSL3_MT_CERTIFICATE_VERIFY) { 172 st->hand_state = TLS_ST_CR_CERT_VRFY; 173 return 1; 174 } 175 break; 176 177 case TLS_ST_CR_CERT_VRFY: 178 if (mt == SSL3_MT_FINISHED) { 179 st->hand_state = TLS_ST_CR_FINISHED; 180 return 1; 181 } 182 break; 183 184 case TLS_ST_OK: 185 if (mt == SSL3_MT_NEWSESSION_TICKET) { 186 st->hand_state = TLS_ST_CR_SESSION_TICKET; 187 return 1; 188 } 189 if (mt == SSL3_MT_KEY_UPDATE && !SSL_IS_QUIC_HANDSHAKE(s)) { 190 st->hand_state = TLS_ST_CR_KEY_UPDATE; 191 return 1; 192 } 193 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 194 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION 195 /* Restore digest for PHA before adding message.*/ 196 # error Internal DTLS version error 197 #endif 198 if (!SSL_CONNECTION_IS_DTLS(s) 199 && s->post_handshake_auth == SSL_PHA_EXT_SENT) { 200 s->post_handshake_auth = SSL_PHA_REQUESTED; 201 /* 202 * In TLS, this is called before the message is added to the 203 * digest. In DTLS, this is expected to be called after adding 204 * to the digest. Either move the digest restore, or add the 205 * message here after the swap, or do it after the clientFinished? 206 */ 207 if (!tls13_restore_handshake_digest_for_pha(s)) { 208 /* SSLfatal() already called */ 209 return 0; 210 } 211 st->hand_state = TLS_ST_CR_CERT_REQ; 212 return 1; 213 } 214 } 215 break; 216 } 217 218 /* No valid transition found */ 219 return 0; 220 } 221 222 /* 223 * ossl_statem_client_read_transition() encapsulates the logic for the allowed 224 * handshake state transitions when the client is reading messages from the 225 * server. The message type that the server has sent is provided in |mt|. The 226 * current state is in |s->statem.hand_state|. 227 * 228 * Return values are 1 for success (transition allowed) and 0 on error 229 * (transition not allowed) 230 */ 231 int ossl_statem_client_read_transition(SSL_CONNECTION *s, int mt) 232 { 233 OSSL_STATEM *st = &s->statem; 234 int ske_expected; 235 236 /* 237 * Note that after writing the first ClientHello we don't know what version 238 * we are going to negotiate yet, so we don't take this branch until later. 239 */ 240 if (SSL_CONNECTION_IS_TLS13(s)) { 241 if (!ossl_statem_client13_read_transition(s, mt)) 242 goto err; 243 return 1; 244 } 245 246 switch (st->hand_state) { 247 default: 248 break; 249 250 case TLS_ST_CW_CLNT_HELLO: 251 if (mt == SSL3_MT_SERVER_HELLO) { 252 st->hand_state = TLS_ST_CR_SRVR_HELLO; 253 return 1; 254 } 255 256 if (SSL_CONNECTION_IS_DTLS(s)) { 257 if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { 258 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; 259 return 1; 260 } 261 } 262 break; 263 264 case TLS_ST_EARLY_DATA: 265 /* 266 * We've not actually selected TLSv1.3 yet, but we have sent early 267 * data. The only thing allowed now is a ServerHello or a 268 * HelloRetryRequest. 269 */ 270 if (mt == SSL3_MT_SERVER_HELLO) { 271 st->hand_state = TLS_ST_CR_SRVR_HELLO; 272 return 1; 273 } 274 break; 275 276 case TLS_ST_CR_SRVR_HELLO: 277 if (s->hit) { 278 if (s->ext.ticket_expected) { 279 if (mt == SSL3_MT_NEWSESSION_TICKET) { 280 st->hand_state = TLS_ST_CR_SESSION_TICKET; 281 return 1; 282 } 283 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 284 st->hand_state = TLS_ST_CR_CHANGE; 285 return 1; 286 } 287 } else { 288 if (SSL_CONNECTION_IS_DTLS(s) 289 && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { 290 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; 291 return 1; 292 } else if (s->version >= TLS1_VERSION 293 && s->ext.session_secret_cb != NULL 294 && s->session->ext.tick != NULL 295 && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 296 /* 297 * Normally, we can tell if the server is resuming the session 298 * from the session ID. EAP-FAST (RFC 4851), however, relies on 299 * the next server message after the ServerHello to determine if 300 * the server is resuming. 301 */ 302 s->hit = 1; 303 st->hand_state = TLS_ST_CR_CHANGE; 304 return 1; 305 } else if (!(s->s3.tmp.new_cipher->algorithm_auth 306 & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) { 307 if (mt == SSL3_MT_CERTIFICATE) { 308 st->hand_state = TLS_ST_CR_CERT; 309 return 1; 310 } 311 } else { 312 ske_expected = key_exchange_expected(s); 313 /* SKE is optional for some PSK ciphersuites */ 314 if (ske_expected 315 || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) 316 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) { 317 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) { 318 st->hand_state = TLS_ST_CR_KEY_EXCH; 319 return 1; 320 } 321 } else if (mt == SSL3_MT_CERTIFICATE_REQUEST 322 && cert_req_allowed(s)) { 323 st->hand_state = TLS_ST_CR_CERT_REQ; 324 return 1; 325 } else if (mt == SSL3_MT_SERVER_DONE) { 326 st->hand_state = TLS_ST_CR_SRVR_DONE; 327 return 1; 328 } 329 } 330 } 331 break; 332 333 case TLS_ST_CR_CERT: 334 case TLS_ST_CR_COMP_CERT: 335 /* 336 * The CertificateStatus message is optional even if 337 * |ext.status_expected| is set 338 */ 339 if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) { 340 st->hand_state = TLS_ST_CR_CERT_STATUS; 341 return 1; 342 } 343 /* Fall through */ 344 345 case TLS_ST_CR_CERT_STATUS: 346 ske_expected = key_exchange_expected(s); 347 /* SKE is optional for some PSK ciphersuites */ 348 if (ske_expected || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) 349 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) { 350 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) { 351 st->hand_state = TLS_ST_CR_KEY_EXCH; 352 return 1; 353 } 354 goto err; 355 } 356 /* Fall through */ 357 358 case TLS_ST_CR_KEY_EXCH: 359 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 360 if (cert_req_allowed(s)) { 361 st->hand_state = TLS_ST_CR_CERT_REQ; 362 return 1; 363 } 364 goto err; 365 } 366 /* Fall through */ 367 368 case TLS_ST_CR_CERT_REQ: 369 if (mt == SSL3_MT_SERVER_DONE) { 370 st->hand_state = TLS_ST_CR_SRVR_DONE; 371 return 1; 372 } 373 break; 374 375 case TLS_ST_CW_FINISHED: 376 if (s->ext.ticket_expected) { 377 if (mt == SSL3_MT_NEWSESSION_TICKET) { 378 st->hand_state = TLS_ST_CR_SESSION_TICKET; 379 return 1; 380 } 381 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 382 st->hand_state = TLS_ST_CR_CHANGE; 383 return 1; 384 } 385 break; 386 387 case TLS_ST_CR_SESSION_TICKET: 388 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 389 st->hand_state = TLS_ST_CR_CHANGE; 390 return 1; 391 } 392 break; 393 394 case TLS_ST_CR_CHANGE: 395 if (mt == SSL3_MT_FINISHED) { 396 st->hand_state = TLS_ST_CR_FINISHED; 397 return 1; 398 } 399 break; 400 401 case TLS_ST_OK: 402 if (mt == SSL3_MT_HELLO_REQUEST) { 403 st->hand_state = TLS_ST_CR_HELLO_REQ; 404 return 1; 405 } 406 break; 407 } 408 409 err: 410 /* No valid transition found */ 411 if (SSL_CONNECTION_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 412 BIO *rbio; 413 414 /* 415 * CCS messages don't have a message sequence number so this is probably 416 * because of an out-of-order CCS. We'll just drop it. 417 */ 418 s->init_num = 0; 419 s->rwstate = SSL_READING; 420 rbio = SSL_get_rbio(SSL_CONNECTION_GET_SSL(s)); 421 BIO_clear_retry_flags(rbio); 422 BIO_set_retry_read(rbio); 423 return 0; 424 } 425 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 426 return 0; 427 } 428 429 static int do_compressed_cert(SSL_CONNECTION *sc) 430 { 431 /* If we negotiated RPK, we won't try to compress it */ 432 return sc->ext.client_cert_type == TLSEXT_cert_type_x509 433 && sc->ext.compress_certificate_from_peer[0] != TLSEXT_comp_cert_none; 434 } 435 436 /* 437 * ossl_statem_client13_write_transition() works out what handshake state to 438 * move to next when the TLSv1.3 client is writing messages to be sent to the 439 * server. 440 */ 441 static WRITE_TRAN ossl_statem_client13_write_transition(SSL_CONNECTION *s) 442 { 443 OSSL_STATEM *st = &s->statem; 444 445 /* 446 * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated 447 * TLSv1.3 yet at that point. They are handled by 448 * ossl_statem_client_write_transition(). 449 */ 450 switch (st->hand_state) { 451 default: 452 /* Shouldn't happen */ 453 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 454 return WRITE_TRAN_ERROR; 455 456 case TLS_ST_CR_CERT_REQ: 457 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 458 if (do_compressed_cert(s)) 459 st->hand_state = TLS_ST_CW_COMP_CERT; 460 else 461 st->hand_state = TLS_ST_CW_CERT; 462 return WRITE_TRAN_CONTINUE; 463 } 464 /* 465 * We should only get here if we received a CertificateRequest after 466 * we already sent close_notify 467 */ 468 if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) { 469 /* Shouldn't happen - same as default case */ 470 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 471 return WRITE_TRAN_ERROR; 472 } 473 st->hand_state = TLS_ST_OK; 474 return WRITE_TRAN_CONTINUE; 475 476 case TLS_ST_CR_FINISHED: 477 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY 478 || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING) 479 st->hand_state = TLS_ST_PENDING_EARLY_DATA_END; 480 else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 481 && s->hello_retry_request == SSL_HRR_NONE) 482 st->hand_state = TLS_ST_CW_CHANGE; 483 else if (s->s3.tmp.cert_req == 0) 484 st->hand_state = TLS_ST_CW_FINISHED; 485 else if (do_compressed_cert(s)) 486 st->hand_state = TLS_ST_CW_COMP_CERT; 487 else 488 st->hand_state = TLS_ST_CW_CERT; 489 490 s->ts_msg_read = ossl_time_now(); 491 return WRITE_TRAN_CONTINUE; 492 493 case TLS_ST_PENDING_EARLY_DATA_END: 494 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED && !SSL_NO_EOED(s)) { 495 st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA; 496 return WRITE_TRAN_CONTINUE; 497 } 498 /* Fall through */ 499 500 case TLS_ST_CW_END_OF_EARLY_DATA: 501 case TLS_ST_CW_CHANGE: 502 if (s->s3.tmp.cert_req == 0) 503 st->hand_state = TLS_ST_CW_FINISHED; 504 else if (do_compressed_cert(s)) 505 st->hand_state = TLS_ST_CW_COMP_CERT; 506 else 507 st->hand_state = TLS_ST_CW_CERT; 508 return WRITE_TRAN_CONTINUE; 509 510 case TLS_ST_CW_COMP_CERT: 511 case TLS_ST_CW_CERT: 512 /* If a non-empty Certificate we also send CertificateVerify */ 513 st->hand_state = (s->s3.tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY 514 : TLS_ST_CW_FINISHED; 515 return WRITE_TRAN_CONTINUE; 516 517 case TLS_ST_CW_CERT_VRFY: 518 st->hand_state = TLS_ST_CW_FINISHED; 519 return WRITE_TRAN_CONTINUE; 520 521 case TLS_ST_CR_KEY_UPDATE: 522 case TLS_ST_CW_KEY_UPDATE: 523 case TLS_ST_CR_SESSION_TICKET: 524 case TLS_ST_CW_FINISHED: 525 st->hand_state = TLS_ST_OK; 526 return WRITE_TRAN_CONTINUE; 527 528 case TLS_ST_OK: 529 if (s->key_update != SSL_KEY_UPDATE_NONE) { 530 st->hand_state = TLS_ST_CW_KEY_UPDATE; 531 return WRITE_TRAN_CONTINUE; 532 } 533 534 /* Try to read from the server instead */ 535 return WRITE_TRAN_FINISHED; 536 } 537 } 538 539 /* 540 * ossl_statem_client_write_transition() works out what handshake state to 541 * move to next when the client is writing messages to be sent to the server. 542 */ 543 WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s) 544 { 545 OSSL_STATEM *st = &s->statem; 546 547 /* 548 * Note that immediately before/after a ClientHello we don't know what 549 * version we are going to negotiate yet, so we don't take this branch until 550 * later 551 */ 552 if (SSL_CONNECTION_IS_TLS13(s)) 553 return ossl_statem_client13_write_transition(s); 554 555 switch (st->hand_state) { 556 default: 557 /* Shouldn't happen */ 558 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 559 return WRITE_TRAN_ERROR; 560 561 case TLS_ST_OK: 562 if (!s->renegotiate) { 563 /* 564 * We haven't requested a renegotiation ourselves so we must have 565 * received a message from the server. Better read it. 566 */ 567 return WRITE_TRAN_FINISHED; 568 } 569 /* Renegotiation */ 570 /* fall thru */ 571 case TLS_ST_BEFORE: 572 st->hand_state = TLS_ST_CW_CLNT_HELLO; 573 return WRITE_TRAN_CONTINUE; 574 575 case TLS_ST_CW_CLNT_HELLO: 576 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 577 && !SSL_IS_QUIC_HANDSHAKE(s)) { 578 /* 579 * We are assuming this is a TLSv1.3 connection, although we haven't 580 * actually selected a version yet. 581 */ 582 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) 583 st->hand_state = TLS_ST_CW_CHANGE; 584 else 585 st->hand_state = TLS_ST_EARLY_DATA; 586 return WRITE_TRAN_CONTINUE; 587 } 588 /* 589 * No transition at the end of writing because we don't know what 590 * we will be sent 591 */ 592 s->ts_msg_write = ossl_time_now(); 593 return WRITE_TRAN_FINISHED; 594 595 case TLS_ST_CR_SRVR_HELLO: 596 /* 597 * We only get here in TLSv1.3. We just received an HRR, so issue a 598 * CCS unless middlebox compat mode is off, or we already issued one 599 * because we did early data. 600 */ 601 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 602 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) 603 st->hand_state = TLS_ST_CW_CHANGE; 604 else 605 st->hand_state = TLS_ST_CW_CLNT_HELLO; 606 return WRITE_TRAN_CONTINUE; 607 608 case TLS_ST_EARLY_DATA: 609 s->ts_msg_write = ossl_time_now(); 610 return WRITE_TRAN_FINISHED; 611 612 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 613 st->hand_state = TLS_ST_CW_CLNT_HELLO; 614 return WRITE_TRAN_CONTINUE; 615 616 case TLS_ST_CR_SRVR_DONE: 617 s->ts_msg_read = ossl_time_now(); 618 if (s->s3.tmp.cert_req) 619 st->hand_state = TLS_ST_CW_CERT; 620 else 621 st->hand_state = TLS_ST_CW_KEY_EXCH; 622 return WRITE_TRAN_CONTINUE; 623 624 case TLS_ST_CW_CERT: 625 st->hand_state = TLS_ST_CW_KEY_EXCH; 626 return WRITE_TRAN_CONTINUE; 627 628 case TLS_ST_CW_KEY_EXCH: 629 /* 630 * For TLS, cert_req is set to 2, so a cert chain of nothing is 631 * sent, but no verify packet is sent 632 */ 633 /* 634 * XXX: For now, we do not support client authentication in ECDH 635 * cipher suites with ECDH (rather than ECDSA) certificates. We 636 * need to skip the certificate verify message when client's 637 * ECDH public key is sent inside the client certificate. 638 */ 639 if (s->s3.tmp.cert_req == 1) { 640 st->hand_state = TLS_ST_CW_CERT_VRFY; 641 } else { 642 st->hand_state = TLS_ST_CW_CHANGE; 643 } 644 if (s->s3.flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { 645 st->hand_state = TLS_ST_CW_CHANGE; 646 } 647 return WRITE_TRAN_CONTINUE; 648 649 case TLS_ST_CW_CERT_VRFY: 650 st->hand_state = TLS_ST_CW_CHANGE; 651 return WRITE_TRAN_CONTINUE; 652 653 case TLS_ST_CW_CHANGE: 654 if (s->hello_retry_request == SSL_HRR_PENDING) { 655 st->hand_state = TLS_ST_CW_CLNT_HELLO; 656 } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { 657 st->hand_state = TLS_ST_EARLY_DATA; 658 } else { 659 #if defined(OPENSSL_NO_NEXTPROTONEG) 660 st->hand_state = TLS_ST_CW_FINISHED; 661 #else 662 if (!SSL_CONNECTION_IS_DTLS(s) && s->s3.npn_seen) 663 st->hand_state = TLS_ST_CW_NEXT_PROTO; 664 else 665 st->hand_state = TLS_ST_CW_FINISHED; 666 #endif 667 } 668 return WRITE_TRAN_CONTINUE; 669 670 #if !defined(OPENSSL_NO_NEXTPROTONEG) 671 case TLS_ST_CW_NEXT_PROTO: 672 st->hand_state = TLS_ST_CW_FINISHED; 673 return WRITE_TRAN_CONTINUE; 674 #endif 675 676 case TLS_ST_CW_FINISHED: 677 if (s->hit) { 678 st->hand_state = TLS_ST_OK; 679 return WRITE_TRAN_CONTINUE; 680 } else { 681 return WRITE_TRAN_FINISHED; 682 } 683 684 case TLS_ST_CR_FINISHED: 685 if (s->hit) { 686 st->hand_state = TLS_ST_CW_CHANGE; 687 return WRITE_TRAN_CONTINUE; 688 } else { 689 st->hand_state = TLS_ST_OK; 690 return WRITE_TRAN_CONTINUE; 691 } 692 693 case TLS_ST_CR_HELLO_REQ: 694 /* 695 * If we can renegotiate now then do so, otherwise wait for a more 696 * convenient time. 697 */ 698 if (ssl3_renegotiate_check(SSL_CONNECTION_GET_SSL(s), 1)) { 699 if (!tls_setup_handshake(s)) { 700 /* SSLfatal() already called */ 701 return WRITE_TRAN_ERROR; 702 } 703 st->hand_state = TLS_ST_CW_CLNT_HELLO; 704 return WRITE_TRAN_CONTINUE; 705 } 706 st->hand_state = TLS_ST_OK; 707 return WRITE_TRAN_CONTINUE; 708 } 709 } 710 711 /* 712 * Perform any pre work that needs to be done prior to sending a message from 713 * the client to the server. 714 */ 715 WORK_STATE ossl_statem_client_pre_work(SSL_CONNECTION *s, WORK_STATE wst) 716 { 717 OSSL_STATEM *st = &s->statem; 718 719 switch (st->hand_state) { 720 default: 721 /* No pre work to be done */ 722 break; 723 724 case TLS_ST_CW_CLNT_HELLO: 725 s->shutdown = 0; 726 if (SSL_CONNECTION_IS_DTLS(s)) { 727 /* every DTLS ClientHello resets Finished MAC */ 728 if (!ssl3_init_finished_mac(s)) { 729 /* SSLfatal() already called */ 730 return WORK_ERROR; 731 } 732 } else if (s->ext.early_data == SSL_EARLY_DATA_REJECTED) { 733 /* 734 * This must be a second ClientHello after an HRR following an 735 * earlier rejected attempt to send early data. Since we were 736 * previously encrypting the early data we now need to reset the 737 * write record layer in order to write in plaintext again. 738 */ 739 if (!ssl_set_new_record_layer(s, 740 TLS_ANY_VERSION, 741 OSSL_RECORD_DIRECTION_WRITE, 742 OSSL_RECORD_PROTECTION_LEVEL_NONE, 743 NULL, 0, NULL, 0, NULL, 0, NULL, 0, 744 NULL, 0, NID_undef, NULL, NULL, 745 NULL)) { 746 /* SSLfatal already called */ 747 return WORK_ERROR; 748 } 749 } 750 break; 751 752 case TLS_ST_CW_CHANGE: 753 if (SSL_CONNECTION_IS_DTLS(s)) { 754 if (s->hit) { 755 /* 756 * We're into the last flight so we don't retransmit these 757 * messages unless we need to. 758 */ 759 st->use_timer = 0; 760 } 761 #ifndef OPENSSL_NO_SCTP 762 if (BIO_dgram_is_sctp(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)))) { 763 /* Calls SSLfatal() as required */ 764 return dtls_wait_for_dry(s); 765 } 766 #endif 767 } 768 break; 769 770 case TLS_ST_PENDING_EARLY_DATA_END: 771 /* 772 * If we've been called by SSL_do_handshake()/SSL_write(), or we did not 773 * attempt to write early data before calling SSL_read() then we press 774 * on with the handshake. Otherwise we pause here. 775 */ 776 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING 777 || s->early_data_state == SSL_EARLY_DATA_NONE) 778 return WORK_FINISHED_CONTINUE; 779 /* Fall through */ 780 781 case TLS_ST_EARLY_DATA: 782 return tls_finish_handshake(s, wst, 0, 1); 783 784 case TLS_ST_OK: 785 /* Calls SSLfatal() as required */ 786 return tls_finish_handshake(s, wst, 1, 1); 787 } 788 789 return WORK_FINISHED_CONTINUE; 790 } 791 792 /* 793 * Perform any work that needs to be done after sending a message from the 794 * client to the server. 795 */ 796 WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst) 797 { 798 OSSL_STATEM *st = &s->statem; 799 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 800 801 s->init_num = 0; 802 803 switch (st->hand_state) { 804 default: 805 /* No post work to be done */ 806 break; 807 808 case TLS_ST_CW_CLNT_HELLO: 809 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 810 && s->max_early_data > 0) { 811 /* 812 * We haven't selected TLSv1.3 yet so we don't call the change 813 * cipher state function associated with the SSL_METHOD. Instead 814 * we call tls13_change_cipher_state() directly. 815 */ 816 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { 817 if (!tls13_change_cipher_state(s, 818 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 819 /* SSLfatal() already called */ 820 return WORK_ERROR; 821 } 822 } 823 /* else we're in compat mode so we delay flushing until after CCS */ 824 } else if (!statem_flush(s)) { 825 return WORK_MORE_A; 826 } 827 828 if (SSL_CONNECTION_IS_DTLS(s)) { 829 /* Treat the next message as the first packet */ 830 s->first_packet = 1; 831 } 832 break; 833 834 case TLS_ST_CW_KEY_EXCH: 835 if (tls_client_key_exchange_post_work(s) == 0) { 836 /* SSLfatal() already called */ 837 return WORK_ERROR; 838 } 839 break; 840 841 case TLS_ST_CW_CHANGE: 842 if (SSL_CONNECTION_IS_TLS13(s) 843 || s->hello_retry_request == SSL_HRR_PENDING) 844 break; 845 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 846 && s->max_early_data > 0) { 847 /* 848 * We haven't selected TLSv1.3 yet so we don't call the change 849 * cipher state function associated with the SSL_METHOD. Instead 850 * we call tls13_change_cipher_state() directly. 851 */ 852 if (!tls13_change_cipher_state(s, 853 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 854 return WORK_ERROR; 855 break; 856 } 857 s->session->cipher = s->s3.tmp.new_cipher; 858 #ifdef OPENSSL_NO_COMP 859 s->session->compress_meth = 0; 860 #else 861 if (s->s3.tmp.new_compression == NULL) 862 s->session->compress_meth = 0; 863 else 864 s->session->compress_meth = s->s3.tmp.new_compression->id; 865 #endif 866 if (!ssl->method->ssl3_enc->setup_key_block(s)) { 867 /* SSLfatal() already called */ 868 return WORK_ERROR; 869 } 870 871 if (!ssl->method->ssl3_enc->change_cipher_state(s, 872 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 873 /* SSLfatal() already called */ 874 return WORK_ERROR; 875 } 876 877 #ifndef OPENSSL_NO_SCTP 878 if (SSL_CONNECTION_IS_DTLS(s) && s->hit) { 879 /* 880 * Change to new shared key of SCTP-Auth, will be ignored if 881 * no SCTP used. 882 */ 883 BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 884 0, NULL); 885 } 886 #endif 887 break; 888 889 case TLS_ST_CW_FINISHED: 890 #ifndef OPENSSL_NO_SCTP 891 if (wst == WORK_MORE_A && SSL_CONNECTION_IS_DTLS(s) && s->hit == 0) { 892 /* 893 * Change to new shared key of SCTP-Auth, will be ignored if 894 * no SCTP used. 895 */ 896 BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 897 0, NULL); 898 } 899 #endif 900 if (statem_flush(s) != 1) 901 return WORK_MORE_B; 902 903 if (SSL_CONNECTION_IS_TLS13(s)) { 904 if (!tls13_save_handshake_digest_for_pha(s)) { 905 /* SSLfatal() already called */ 906 return WORK_ERROR; 907 } 908 if (s->post_handshake_auth != SSL_PHA_REQUESTED) { 909 if (!ssl->method->ssl3_enc->change_cipher_state(s, 910 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 911 /* SSLfatal() already called */ 912 return WORK_ERROR; 913 } 914 /* 915 * For QUIC we deferred setting up these keys until now so 916 * that we can ensure write keys are always set up before read 917 * keys. 918 */ 919 if (SSL_IS_QUIC_HANDSHAKE(s) 920 && !ssl->method->ssl3_enc->change_cipher_state(s, 921 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) { 922 /* SSLfatal() already called */ 923 return WORK_ERROR; 924 } 925 } 926 } 927 break; 928 929 case TLS_ST_CW_KEY_UPDATE: 930 if (statem_flush(s) != 1) 931 return WORK_MORE_A; 932 if (!tls13_update_key(s, 1)) { 933 /* SSLfatal() already called */ 934 return WORK_ERROR; 935 } 936 break; 937 } 938 939 return WORK_FINISHED_CONTINUE; 940 } 941 942 /* 943 * Get the message construction function and message type for sending from the 944 * client 945 * 946 * Valid return values are: 947 * 1: Success 948 * 0: Error 949 */ 950 int ossl_statem_client_construct_message(SSL_CONNECTION *s, 951 confunc_f *confunc, int *mt) 952 { 953 OSSL_STATEM *st = &s->statem; 954 955 switch (st->hand_state) { 956 default: 957 /* Shouldn't happen */ 958 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE); 959 return 0; 960 961 case TLS_ST_CW_CHANGE: 962 if (SSL_CONNECTION_IS_DTLS(s)) 963 *confunc = dtls_construct_change_cipher_spec; 964 else 965 *confunc = tls_construct_change_cipher_spec; 966 *mt = SSL3_MT_CHANGE_CIPHER_SPEC; 967 break; 968 969 case TLS_ST_CW_CLNT_HELLO: 970 *confunc = tls_construct_client_hello; 971 *mt = SSL3_MT_CLIENT_HELLO; 972 break; 973 974 case TLS_ST_CW_END_OF_EARLY_DATA: 975 *confunc = tls_construct_end_of_early_data; 976 *mt = SSL3_MT_END_OF_EARLY_DATA; 977 break; 978 979 case TLS_ST_PENDING_EARLY_DATA_END: 980 *confunc = NULL; 981 *mt = SSL3_MT_DUMMY; 982 break; 983 984 case TLS_ST_CW_CERT: 985 *confunc = tls_construct_client_certificate; 986 *mt = SSL3_MT_CERTIFICATE; 987 break; 988 989 #ifndef OPENSSL_NO_COMP_ALG 990 case TLS_ST_CW_COMP_CERT: 991 *confunc = tls_construct_client_compressed_certificate; 992 *mt = SSL3_MT_COMPRESSED_CERTIFICATE; 993 break; 994 #endif 995 996 case TLS_ST_CW_KEY_EXCH: 997 *confunc = tls_construct_client_key_exchange; 998 *mt = SSL3_MT_CLIENT_KEY_EXCHANGE; 999 break; 1000 1001 case TLS_ST_CW_CERT_VRFY: 1002 *confunc = tls_construct_cert_verify; 1003 *mt = SSL3_MT_CERTIFICATE_VERIFY; 1004 break; 1005 1006 #if !defined(OPENSSL_NO_NEXTPROTONEG) 1007 case TLS_ST_CW_NEXT_PROTO: 1008 *confunc = tls_construct_next_proto; 1009 *mt = SSL3_MT_NEXT_PROTO; 1010 break; 1011 #endif 1012 case TLS_ST_CW_FINISHED: 1013 *confunc = tls_construct_finished; 1014 *mt = SSL3_MT_FINISHED; 1015 break; 1016 1017 case TLS_ST_CW_KEY_UPDATE: 1018 *confunc = tls_construct_key_update; 1019 *mt = SSL3_MT_KEY_UPDATE; 1020 break; 1021 } 1022 1023 return 1; 1024 } 1025 1026 /* 1027 * Returns the maximum allowed length for the current message that we are 1028 * reading. Excludes the message header. 1029 */ 1030 size_t ossl_statem_client_max_message_size(SSL_CONNECTION *s) 1031 { 1032 OSSL_STATEM *st = &s->statem; 1033 1034 switch (st->hand_state) { 1035 default: 1036 /* Shouldn't happen */ 1037 return 0; 1038 1039 case TLS_ST_CR_SRVR_HELLO: 1040 return SERVER_HELLO_MAX_LENGTH; 1041 1042 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 1043 return HELLO_VERIFY_REQUEST_MAX_LENGTH; 1044 1045 case TLS_ST_CR_COMP_CERT: 1046 case TLS_ST_CR_CERT: 1047 return s->max_cert_list; 1048 1049 case TLS_ST_CR_CERT_VRFY: 1050 return CERTIFICATE_VERIFY_MAX_LENGTH; 1051 1052 case TLS_ST_CR_CERT_STATUS: 1053 return SSL3_RT_MAX_PLAIN_LENGTH; 1054 1055 case TLS_ST_CR_KEY_EXCH: 1056 return SERVER_KEY_EXCH_MAX_LENGTH; 1057 1058 case TLS_ST_CR_CERT_REQ: 1059 /* 1060 * Set to s->max_cert_list for compatibility with previous releases. In 1061 * practice these messages can get quite long if servers are configured 1062 * to provide a long list of acceptable CAs 1063 */ 1064 return s->max_cert_list; 1065 1066 case TLS_ST_CR_SRVR_DONE: 1067 return SERVER_HELLO_DONE_MAX_LENGTH; 1068 1069 case TLS_ST_CR_CHANGE: 1070 if (s->version == DTLS1_BAD_VER) 1071 return 3; 1072 return CCS_MAX_LENGTH; 1073 1074 case TLS_ST_CR_SESSION_TICKET: 1075 return (SSL_CONNECTION_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 1076 : SESSION_TICKET_MAX_LENGTH_TLS12; 1077 1078 case TLS_ST_CR_FINISHED: 1079 return FINISHED_MAX_LENGTH; 1080 1081 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 1082 return ENCRYPTED_EXTENSIONS_MAX_LENGTH; 1083 1084 case TLS_ST_CR_KEY_UPDATE: 1085 return KEY_UPDATE_MAX_LENGTH; 1086 } 1087 } 1088 1089 /* 1090 * Process a message that the client has received from the server. 1091 */ 1092 MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL_CONNECTION *s, 1093 PACKET *pkt) 1094 { 1095 OSSL_STATEM *st = &s->statem; 1096 1097 switch (st->hand_state) { 1098 default: 1099 /* Shouldn't happen */ 1100 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1101 return MSG_PROCESS_ERROR; 1102 1103 case TLS_ST_CR_SRVR_HELLO: 1104 return tls_process_server_hello(s, pkt); 1105 1106 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 1107 return dtls_process_hello_verify(s, pkt); 1108 1109 case TLS_ST_CR_CERT: 1110 return tls_process_server_certificate(s, pkt); 1111 1112 #ifndef OPENSSL_NO_COMP_ALG 1113 case TLS_ST_CR_COMP_CERT: 1114 return tls_process_server_compressed_certificate(s, pkt); 1115 #endif 1116 1117 case TLS_ST_CR_CERT_VRFY: 1118 return tls_process_cert_verify(s, pkt); 1119 1120 case TLS_ST_CR_CERT_STATUS: 1121 return tls_process_cert_status(s, pkt); 1122 1123 case TLS_ST_CR_KEY_EXCH: 1124 return tls_process_key_exchange(s, pkt); 1125 1126 case TLS_ST_CR_CERT_REQ: 1127 return tls_process_certificate_request(s, pkt); 1128 1129 case TLS_ST_CR_SRVR_DONE: 1130 return tls_process_server_done(s, pkt); 1131 1132 case TLS_ST_CR_CHANGE: 1133 return tls_process_change_cipher_spec(s, pkt); 1134 1135 case TLS_ST_CR_SESSION_TICKET: 1136 return tls_process_new_session_ticket(s, pkt); 1137 1138 case TLS_ST_CR_FINISHED: 1139 return tls_process_finished(s, pkt); 1140 1141 case TLS_ST_CR_HELLO_REQ: 1142 return tls_process_hello_req(s, pkt); 1143 1144 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 1145 return tls_process_encrypted_extensions(s, pkt); 1146 1147 case TLS_ST_CR_KEY_UPDATE: 1148 return tls_process_key_update(s, pkt); 1149 } 1150 } 1151 1152 /* 1153 * Perform any further processing required following the receipt of a message 1154 * from the server 1155 */ 1156 WORK_STATE ossl_statem_client_post_process_message(SSL_CONNECTION *s, 1157 WORK_STATE wst) 1158 { 1159 OSSL_STATEM *st = &s->statem; 1160 1161 switch (st->hand_state) { 1162 default: 1163 /* Shouldn't happen */ 1164 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1165 return WORK_ERROR; 1166 1167 case TLS_ST_CR_CERT: 1168 case TLS_ST_CR_COMP_CERT: 1169 return tls_post_process_server_certificate(s, wst); 1170 1171 case TLS_ST_CR_CERT_VRFY: 1172 case TLS_ST_CR_CERT_REQ: 1173 return tls_prepare_client_certificate(s, wst); 1174 } 1175 } 1176 1177 CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) 1178 { 1179 unsigned char *p; 1180 size_t sess_id_len; 1181 int i, protverr; 1182 #ifndef OPENSSL_NO_COMP 1183 SSL_COMP *comp; 1184 #endif 1185 SSL_SESSION *sess = s->session; 1186 unsigned char *session_id; 1187 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1188 1189 /* Work out what SSL/TLS/DTLS version to use */ 1190 protverr = ssl_set_client_hello_version(s); 1191 if (protverr != 0) { 1192 SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr); 1193 return CON_FUNC_ERROR; 1194 } 1195 1196 if (sess == NULL 1197 || !ssl_version_supported(s, sess->ssl_version, NULL) 1198 || !SSL_SESSION_is_resumable(sess)) { 1199 if (s->hello_retry_request == SSL_HRR_NONE 1200 && !ssl_get_new_session(s, 0)) { 1201 /* SSLfatal() already called */ 1202 return CON_FUNC_ERROR; 1203 } 1204 } 1205 /* else use the pre-loaded session */ 1206 1207 p = s->s3.client_random; 1208 1209 /* 1210 * for DTLS if client_random is initialized, reuse it, we are 1211 * required to use same upon reply to HelloVerify 1212 */ 1213 if (SSL_CONNECTION_IS_DTLS(s)) { 1214 size_t idx; 1215 i = 1; 1216 for (idx = 0; idx < sizeof(s->s3.client_random); idx++) { 1217 if (p[idx]) { 1218 i = 0; 1219 break; 1220 } 1221 } 1222 } else { 1223 i = (s->hello_retry_request == SSL_HRR_NONE); 1224 } 1225 1226 if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random), 1227 DOWNGRADE_NONE) <= 0) { 1228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1229 return CON_FUNC_ERROR; 1230 } 1231 1232 /*- 1233 * version indicates the negotiated version: for example from 1234 * an SSLv2/v3 compatible client hello). The client_version 1235 * field is the maximum version we permit and it is also 1236 * used in RSA encrypted premaster secrets. Some servers can 1237 * choke if we initially report a higher version then 1238 * renegotiate to a lower one in the premaster secret. This 1239 * didn't happen with TLS 1.0 as most servers supported it 1240 * but it can with TLS 1.1 or later if the server only supports 1241 * 1.0. 1242 * 1243 * Possible scenario with previous logic: 1244 * 1. Client hello indicates TLS 1.2 1245 * 2. Server hello says TLS 1.0 1246 * 3. RSA encrypted premaster secret uses 1.2. 1247 * 4. Handshake proceeds using TLS 1.0. 1248 * 5. Server sends hello request to renegotiate. 1249 * 6. Client hello indicates TLS v1.0 as we now 1250 * know that is maximum server supports. 1251 * 7. Server chokes on RSA encrypted premaster secret 1252 * containing version 1.0. 1253 * 1254 * For interoperability it should be OK to always use the 1255 * maximum version we support in client hello and then rely 1256 * on the checking of version to ensure the servers isn't 1257 * being inconsistent: for example initially negotiating with 1258 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using 1259 * client_version in client hello and not resetting it to 1260 * the negotiated version. 1261 * 1262 * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the 1263 * supported_versions extension for the real supported versions. 1264 */ 1265 if (!WPACKET_put_bytes_u16(pkt, s->client_version) 1266 || !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE)) { 1267 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1268 return CON_FUNC_ERROR; 1269 } 1270 1271 /* Session ID */ 1272 session_id = s->session->session_id; 1273 if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) { 1274 if (s->version == TLS1_3_VERSION 1275 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { 1276 sess_id_len = sizeof(s->tmp_session_id); 1277 s->tmp_session_id_len = sess_id_len; 1278 session_id = s->tmp_session_id; 1279 if (s->hello_retry_request == SSL_HRR_NONE 1280 && RAND_bytes_ex(sctx->libctx, s->tmp_session_id, 1281 sess_id_len, 0) <= 0) { 1282 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1283 return CON_FUNC_ERROR; 1284 } 1285 } else { 1286 sess_id_len = 0; 1287 } 1288 } else { 1289 assert(s->session->session_id_length <= sizeof(s->session->session_id)); 1290 sess_id_len = s->session->session_id_length; 1291 if (s->version == TLS1_3_VERSION) { 1292 s->tmp_session_id_len = sess_id_len; 1293 memcpy(s->tmp_session_id, s->session->session_id, sess_id_len); 1294 } 1295 } 1296 if (!WPACKET_start_sub_packet_u8(pkt) 1297 || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id, 1298 sess_id_len)) 1299 || !WPACKET_close(pkt)) { 1300 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1301 return CON_FUNC_ERROR; 1302 } 1303 1304 /* cookie stuff for DTLS */ 1305 if (SSL_CONNECTION_IS_DTLS(s)) { 1306 if (s->d1->cookie_len > sizeof(s->d1->cookie) 1307 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, 1308 s->d1->cookie_len)) { 1309 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1310 return CON_FUNC_ERROR; 1311 } 1312 } 1313 1314 /* Ciphers supported */ 1315 if (!WPACKET_start_sub_packet_u16(pkt)) { 1316 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1317 return CON_FUNC_ERROR; 1318 } 1319 1320 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s)), 1321 pkt)) { 1322 /* SSLfatal() already called */ 1323 return CON_FUNC_ERROR; 1324 } 1325 if (!WPACKET_close(pkt)) { 1326 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1327 return CON_FUNC_ERROR; 1328 } 1329 1330 /* COMPRESSION */ 1331 if (!WPACKET_start_sub_packet_u8(pkt)) { 1332 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1333 return CON_FUNC_ERROR; 1334 } 1335 #ifndef OPENSSL_NO_COMP 1336 if (ssl_allow_compression(s) 1337 && sctx->comp_methods 1338 && (SSL_CONNECTION_IS_DTLS(s) 1339 || s->s3.tmp.max_ver < TLS1_3_VERSION)) { 1340 int compnum = sk_SSL_COMP_num(sctx->comp_methods); 1341 for (i = 0; i < compnum; i++) { 1342 comp = sk_SSL_COMP_value(sctx->comp_methods, i); 1343 if (!WPACKET_put_bytes_u8(pkt, comp->id)) { 1344 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1345 return CON_FUNC_ERROR; 1346 } 1347 } 1348 } 1349 #endif 1350 /* Add the NULL method */ 1351 if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) { 1352 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1353 return CON_FUNC_ERROR; 1354 } 1355 1356 /* TLS extensions */ 1357 if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) { 1358 /* SSLfatal() already called */ 1359 return CON_FUNC_ERROR; 1360 } 1361 1362 return CON_FUNC_SUCCESS; 1363 } 1364 1365 MSG_PROCESS_RETURN dtls_process_hello_verify(SSL_CONNECTION *s, PACKET *pkt) 1366 { 1367 size_t cookie_len; 1368 PACKET cookiepkt; 1369 1370 if (!PACKET_forward(pkt, 2) 1371 || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) { 1372 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1373 return MSG_PROCESS_ERROR; 1374 } 1375 1376 cookie_len = PACKET_remaining(&cookiepkt); 1377 if (cookie_len > sizeof(s->d1->cookie)) { 1378 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_TOO_LONG); 1379 return MSG_PROCESS_ERROR; 1380 } 1381 1382 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) { 1383 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1384 return MSG_PROCESS_ERROR; 1385 } 1386 s->d1->cookie_len = cookie_len; 1387 1388 return MSG_PROCESS_FINISHED_READING; 1389 } 1390 1391 static int set_client_ciphersuite(SSL_CONNECTION *s, 1392 const unsigned char *cipherchars) 1393 { 1394 STACK_OF(SSL_CIPHER) *sk; 1395 const SSL_CIPHER *c; 1396 int i; 1397 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1398 1399 c = ssl_get_cipher_by_char(s, cipherchars, 0); 1400 if (c == NULL) { 1401 /* unknown cipher */ 1402 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CIPHER_RETURNED); 1403 return 0; 1404 } 1405 /* 1406 * If it is a disabled cipher we either didn't send it in client hello, 1407 * or it's not allowed for the selected protocol. So we return an error. 1408 */ 1409 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { 1410 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); 1411 return 0; 1412 } 1413 1414 sk = ssl_get_ciphers_by_id(s); 1415 i = sk_SSL_CIPHER_find(sk, c); 1416 if (i < 0) { 1417 /* we did not say we would use this cipher */ 1418 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); 1419 return 0; 1420 } 1421 1422 if (SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.new_cipher != NULL 1423 && s->s3.tmp.new_cipher->id != c->id) { 1424 /* ServerHello selected a different ciphersuite to that in the HRR */ 1425 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); 1426 return 0; 1427 } 1428 1429 /* 1430 * Depending on the session caching (internal/external), the cipher 1431 * and/or cipher_id values may not be set. Make sure that cipher_id is 1432 * set and use it for comparison. 1433 */ 1434 if (s->session->cipher != NULL) 1435 s->session->cipher_id = s->session->cipher->id; 1436 if (s->hit && (s->session->cipher_id != c->id)) { 1437 if (SSL_CONNECTION_IS_TLS13(s)) { 1438 const EVP_MD *md = ssl_md(sctx, c->algorithm2); 1439 1440 if (!ossl_assert(s->session->cipher != NULL)) { 1441 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1442 return 0; 1443 } 1444 /* 1445 * In TLSv1.3 it is valid for the server to select a different 1446 * ciphersuite as long as the hash is the same. 1447 */ 1448 if (md == NULL 1449 || md != ssl_md(sctx, s->session->cipher->algorithm2)) { 1450 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1451 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED); 1452 return 0; 1453 } 1454 } else { 1455 /* 1456 * Prior to TLSv1.3 resuming a session always meant using the same 1457 * ciphersuite. 1458 */ 1459 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1460 SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 1461 return 0; 1462 } 1463 } 1464 s->s3.tmp.new_cipher = c; 1465 1466 return 1; 1467 } 1468 1469 MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) 1470 { 1471 PACKET session_id, extpkt; 1472 size_t session_id_len; 1473 const unsigned char *cipherchars; 1474 int hrr = 0; 1475 unsigned int compression; 1476 unsigned int sversion; 1477 unsigned int context; 1478 RAW_EXTENSION *extensions = NULL; 1479 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 1480 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 1481 #ifndef OPENSSL_NO_COMP 1482 SSL_COMP *comp; 1483 #endif 1484 1485 if (!PACKET_get_net_2(pkt, &sversion)) { 1486 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1487 goto err; 1488 } 1489 1490 /* load the server random */ 1491 if (s->version == TLS1_3_VERSION 1492 && sversion == TLS1_2_VERSION 1493 && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE 1494 && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) { 1495 if (s->hello_retry_request != SSL_HRR_NONE) { 1496 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 1497 goto err; 1498 } 1499 s->hello_retry_request = SSL_HRR_PENDING; 1500 /* Tell the record layer that we know we're going to get TLSv1.3 */ 1501 if (!ssl_set_record_protocol_version(s, s->version)) { 1502 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1503 goto err; 1504 } 1505 hrr = 1; 1506 if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) { 1507 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1508 goto err; 1509 } 1510 } else { 1511 if (!PACKET_copy_bytes(pkt, s->s3.server_random, SSL3_RANDOM_SIZE)) { 1512 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1513 goto err; 1514 } 1515 } 1516 1517 /* Get the session-id. */ 1518 if (!PACKET_get_length_prefixed_1(pkt, &session_id)) { 1519 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1520 goto err; 1521 } 1522 session_id_len = PACKET_remaining(&session_id); 1523 if (session_id_len > sizeof(s->session->session_id) 1524 || session_id_len > SSL3_SESSION_ID_SIZE) { 1525 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_SSL3_SESSION_ID_TOO_LONG); 1526 goto err; 1527 } 1528 1529 if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { 1530 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1531 goto err; 1532 } 1533 1534 if (!PACKET_get_1(pkt, &compression)) { 1535 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1536 goto err; 1537 } 1538 1539 /* TLS extensions */ 1540 if (PACKET_remaining(pkt) == 0 && !hrr) { 1541 PACKET_null_init(&extpkt); 1542 } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt) 1543 || PACKET_remaining(pkt) != 0) { 1544 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 1545 goto err; 1546 } 1547 1548 if (!hrr) { 1549 if (!tls_collect_extensions(s, &extpkt, 1550 SSL_EXT_TLS1_2_SERVER_HELLO 1551 | SSL_EXT_TLS1_3_SERVER_HELLO, 1552 &extensions, NULL, 1)) { 1553 /* SSLfatal() already called */ 1554 goto err; 1555 } 1556 1557 if (!ssl_choose_client_version(s, sversion, extensions)) { 1558 /* SSLfatal() already called */ 1559 goto err; 1560 } 1561 } 1562 1563 if (SSL_CONNECTION_IS_TLS13(s) || hrr) { 1564 if (compression != 0) { 1565 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1566 SSL_R_INVALID_COMPRESSION_ALGORITHM); 1567 goto err; 1568 } 1569 1570 if (session_id_len != s->tmp_session_id_len 1571 || memcmp(PACKET_data(&session_id), s->tmp_session_id, 1572 session_id_len) != 0) { 1573 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_SESSION_ID); 1574 goto err; 1575 } 1576 } 1577 1578 if (hrr) { 1579 if (!set_client_ciphersuite(s, cipherchars)) { 1580 /* SSLfatal() already called */ 1581 goto err; 1582 } 1583 1584 return tls_process_as_hello_retry_request(s, &extpkt); 1585 } 1586 1587 /* 1588 * Now we have chosen the version we need to check again that the extensions 1589 * are appropriate for this version. 1590 */ 1591 context = SSL_CONNECTION_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO 1592 : SSL_EXT_TLS1_2_SERVER_HELLO; 1593 if (!tls_validate_all_contexts(s, context, extensions)) { 1594 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); 1595 goto err; 1596 } 1597 1598 s->hit = 0; 1599 1600 if (SSL_CONNECTION_IS_TLS13(s)) { 1601 /* 1602 * In TLSv1.3 a ServerHello message signals a key change so the end of 1603 * the message must be on a record boundary. 1604 */ 1605 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { 1606 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1607 SSL_R_NOT_ON_RECORD_BOUNDARY); 1608 goto err; 1609 } 1610 1611 /* This will set s->hit if we are resuming */ 1612 if (!tls_parse_extension(s, TLSEXT_IDX_psk, 1613 SSL_EXT_TLS1_3_SERVER_HELLO, 1614 extensions, NULL, 0)) { 1615 /* SSLfatal() already called */ 1616 goto err; 1617 } 1618 } else { 1619 /* 1620 * Check if we can resume the session based on external pre-shared 1621 * secret. EAP-FAST (RFC 4851) supports two types of session resumption. 1622 * Resumption based on server-side state works with session IDs. 1623 * Resumption based on pre-shared Protected Access Credentials (PACs) 1624 * works by overriding the SessionTicket extension at the application 1625 * layer, and does not send a session ID. (We do not know whether 1626 * EAP-FAST servers would honour the session ID.) Therefore, the session 1627 * ID alone is not a reliable indicator of session resumption, so we 1628 * first check if we can resume, and later peek at the next handshake 1629 * message to see if the server wants to resume. 1630 */ 1631 if (s->version >= TLS1_VERSION 1632 && s->ext.session_secret_cb != NULL && s->session->ext.tick) { 1633 const SSL_CIPHER *pref_cipher = NULL; 1634 /* 1635 * s->session->master_key_length is a size_t, but this is an int for 1636 * backwards compat reasons 1637 */ 1638 int master_key_length; 1639 1640 master_key_length = sizeof(s->session->master_key); 1641 if (s->ext.session_secret_cb(ussl, s->session->master_key, 1642 &master_key_length, 1643 NULL, &pref_cipher, 1644 s->ext.session_secret_cb_arg) 1645 && master_key_length > 0) { 1646 s->session->master_key_length = master_key_length; 1647 s->session->cipher = pref_cipher ? 1648 pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0); 1649 } else { 1650 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1651 goto err; 1652 } 1653 } 1654 1655 if (session_id_len != 0 1656 && session_id_len == s->session->session_id_length 1657 && memcmp(PACKET_data(&session_id), s->session->session_id, 1658 session_id_len) == 0) 1659 s->hit = 1; 1660 } 1661 1662 if (s->hit) { 1663 if (s->sid_ctx_length != s->session->sid_ctx_length 1664 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { 1665 /* actually a client application bug */ 1666 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1667 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 1668 goto err; 1669 } 1670 } else { 1671 /* 1672 * If we were trying for session-id reuse but the server 1673 * didn't resume, make a new SSL_SESSION. 1674 * In the case of EAP-FAST and PAC, we do not send a session ID, 1675 * so the PAC-based session secret is always preserved. It'll be 1676 * overwritten if the server refuses resumption. 1677 */ 1678 if (s->session->session_id_length > 0) { 1679 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss); 1680 if (!ssl_get_new_session(s, 0)) { 1681 /* SSLfatal() already called */ 1682 goto err; 1683 } 1684 } 1685 1686 s->session->ssl_version = s->version; 1687 /* 1688 * In TLSv1.2 and below we save the session id we were sent so we can 1689 * resume it later. In TLSv1.3 the session id we were sent is just an 1690 * echo of what we originally sent in the ClientHello and should not be 1691 * used for resumption. 1692 */ 1693 if (!SSL_CONNECTION_IS_TLS13(s)) { 1694 s->session->session_id_length = session_id_len; 1695 /* session_id_len could be 0 */ 1696 if (session_id_len > 0) 1697 memcpy(s->session->session_id, PACKET_data(&session_id), 1698 session_id_len); 1699 } 1700 } 1701 1702 /* Session version and negotiated protocol version should match */ 1703 if (s->version != s->session->ssl_version) { 1704 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1705 SSL_R_SSL_SESSION_VERSION_MISMATCH); 1706 goto err; 1707 } 1708 /* 1709 * Now that we know the version, update the check to see if it's an allowed 1710 * version. 1711 */ 1712 s->s3.tmp.min_ver = s->version; 1713 s->s3.tmp.max_ver = s->version; 1714 1715 if (!set_client_ciphersuite(s, cipherchars)) { 1716 /* SSLfatal() already called */ 1717 goto err; 1718 } 1719 1720 #ifdef OPENSSL_NO_COMP 1721 if (compression != 0) { 1722 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1723 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1724 goto err; 1725 } 1726 /* 1727 * If compression is disabled we'd better not try to resume a session 1728 * using compression. 1729 */ 1730 if (s->session->compress_meth != 0) { 1731 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION); 1732 goto err; 1733 } 1734 #else 1735 if (s->hit && compression != s->session->compress_meth) { 1736 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1737 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); 1738 goto err; 1739 } 1740 if (compression == 0) 1741 comp = NULL; 1742 else if (!ssl_allow_compression(s)) { 1743 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COMPRESSION_DISABLED); 1744 goto err; 1745 } else { 1746 comp = ssl3_comp_find(SSL_CONNECTION_GET_CTX(s)->comp_methods, 1747 compression); 1748 } 1749 1750 if (compression != 0 && comp == NULL) { 1751 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1752 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1753 goto err; 1754 } else { 1755 s->s3.tmp.new_compression = comp; 1756 } 1757 #endif 1758 1759 if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) { 1760 /* SSLfatal() already called */ 1761 goto err; 1762 } 1763 1764 #ifndef OPENSSL_NO_SCTP 1765 if (SSL_CONNECTION_IS_DTLS(s) && s->hit) { 1766 unsigned char sctpauthkey[64]; 1767 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 1768 size_t labellen; 1769 1770 /* 1771 * Add new shared key for SCTP-Auth, will be ignored if 1772 * no SCTP used. 1773 */ 1774 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 1775 sizeof(DTLS1_SCTP_AUTH_LABEL)); 1776 1777 /* Don't include the terminating zero. */ 1778 labellen = sizeof(labelbuffer) - 1; 1779 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) 1780 labellen += 1; 1781 1782 if (SSL_export_keying_material(ssl, sctpauthkey, 1783 sizeof(sctpauthkey), 1784 labelbuffer, 1785 labellen, NULL, 0, 0) <= 0) { 1786 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1787 goto err; 1788 } 1789 1790 BIO_ctrl(SSL_get_wbio(ssl), 1791 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 1792 sizeof(sctpauthkey), sctpauthkey); 1793 } 1794 #endif 1795 1796 /* 1797 * In TLSv1.3 we have some post-processing to change cipher state, otherwise 1798 * we're done with this message 1799 */ 1800 if (SSL_CONNECTION_IS_TLS13(s)) { 1801 if (!ssl->method->ssl3_enc->setup_key_block(s) 1802 || !tls13_store_handshake_traffic_hash(s)) { 1803 /* SSLfatal() already called */ 1804 goto err; 1805 } 1806 /* 1807 * If we're not doing early-data and we're not going to send a dummy CCS 1808 * (i.e. no middlebox compat mode) then we can change the write keys 1809 * immediately. Otherwise we have to defer this until after all possible 1810 * early data is written. We could just always defer until the last 1811 * moment except QUIC needs it done at the same time as the read keys 1812 * are changed. Since QUIC doesn't do TLS early data or need middlebox 1813 * compat this doesn't cause a problem. 1814 */ 1815 if (SSL_IS_QUIC_HANDSHAKE(s) 1816 || (s->early_data_state == SSL_EARLY_DATA_NONE 1817 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0)) { 1818 if (!ssl->method->ssl3_enc->change_cipher_state(s, 1819 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 1820 /* SSLfatal() already called */ 1821 goto err; 1822 } 1823 } 1824 if (!ssl->method->ssl3_enc->change_cipher_state(s, 1825 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ)) { 1826 /* SSLfatal() already called */ 1827 goto err; 1828 } 1829 } 1830 1831 OPENSSL_free(extensions); 1832 return MSG_PROCESS_CONTINUE_READING; 1833 err: 1834 OPENSSL_free(extensions); 1835 return MSG_PROCESS_ERROR; 1836 } 1837 1838 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s, 1839 PACKET *extpkt) 1840 { 1841 RAW_EXTENSION *extensions = NULL; 1842 1843 /* 1844 * If we were sending early_data then any alerts should not be sent using 1845 * the old wrlmethod. 1846 */ 1847 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING 1848 && !ssl_set_new_record_layer(s, 1849 TLS_ANY_VERSION, 1850 OSSL_RECORD_DIRECTION_WRITE, 1851 OSSL_RECORD_PROTECTION_LEVEL_NONE, 1852 NULL, 0, NULL, 0, NULL, 0, NULL, 0, 1853 NULL, 0, NID_undef, NULL, NULL, NULL)) { 1854 /* SSLfatal already called */ 1855 goto err; 1856 } 1857 /* We are definitely going to be using TLSv1.3 */ 1858 s->rlayer.wrlmethod->set_protocol_version(s->rlayer.wrl, TLS1_3_VERSION); 1859 1860 if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, 1861 &extensions, NULL, 1) 1862 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, 1863 extensions, NULL, 0, 1)) { 1864 /* SSLfatal() already called */ 1865 goto err; 1866 } 1867 1868 OPENSSL_free(extensions); 1869 extensions = NULL; 1870 1871 if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) { 1872 /* 1873 * We didn't receive a cookie or a new key_share so the next 1874 * ClientHello will not change 1875 */ 1876 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CHANGE_FOLLOWING_HRR); 1877 goto err; 1878 } 1879 1880 /* 1881 * Re-initialise the Transcript Hash. We're going to prepopulate it with 1882 * a synthetic message_hash in place of ClientHello1. 1883 */ 1884 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { 1885 /* SSLfatal() already called */ 1886 goto err; 1887 } 1888 1889 /* 1890 * Add this message to the Transcript Hash. Normally this is done 1891 * automatically prior to the message processing stage. However due to the 1892 * need to create the synthetic message hash, we defer that step until now 1893 * for HRR messages. 1894 */ 1895 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1896 s->init_num + SSL3_HM_HEADER_LENGTH)) { 1897 /* SSLfatal() already called */ 1898 goto err; 1899 } 1900 1901 return MSG_PROCESS_FINISHED_READING; 1902 err: 1903 OPENSSL_free(extensions); 1904 return MSG_PROCESS_ERROR; 1905 } 1906 1907 MSG_PROCESS_RETURN tls_process_server_rpk(SSL_CONNECTION *sc, PACKET *pkt) 1908 { 1909 EVP_PKEY *peer_rpk = NULL; 1910 1911 if (!tls_process_rpk(sc, pkt, &peer_rpk)) { 1912 /* SSLfatal() already called */ 1913 return MSG_PROCESS_ERROR; 1914 } 1915 1916 if (peer_rpk == NULL) { 1917 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_CERTIFICATE); 1918 return MSG_PROCESS_ERROR; 1919 } 1920 1921 EVP_PKEY_free(sc->session->peer_rpk); 1922 sc->session->peer_rpk = peer_rpk; 1923 1924 return MSG_PROCESS_CONTINUE_PROCESSING; 1925 } 1926 1927 static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, 1928 WORK_STATE wst) 1929 { 1930 size_t certidx; 1931 const SSL_CERT_LOOKUP *clu; 1932 int v_ok; 1933 1934 if (sc->session->peer_rpk == NULL) { 1935 SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, 1936 SSL_R_INVALID_RAW_PUBLIC_KEY); 1937 return WORK_ERROR; 1938 } 1939 1940 if (sc->rwstate == SSL_RETRY_VERIFY) 1941 sc->rwstate = SSL_NOTHING; 1942 1943 ERR_set_mark(); 1944 v_ok = ssl_verify_rpk(sc, sc->session->peer_rpk); 1945 if (v_ok <= 0 && sc->verify_mode != SSL_VERIFY_NONE) { 1946 ERR_clear_last_mark(); 1947 SSLfatal(sc, ssl_x509err2alert(sc->verify_result), 1948 SSL_R_CERTIFICATE_VERIFY_FAILED); 1949 return WORK_ERROR; 1950 } 1951 ERR_pop_to_mark(); /* but we keep s->verify_result */ 1952 if (v_ok > 0 && sc->rwstate == SSL_RETRY_VERIFY) { 1953 return WORK_MORE_A; 1954 } 1955 1956 if ((clu = ssl_cert_lookup_by_pkey(sc->session->peer_rpk, &certidx, 1957 SSL_CONNECTION_GET_CTX(sc))) == NULL) { 1958 SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1959 return WORK_ERROR; 1960 } 1961 1962 /* 1963 * Check certificate type is consistent with ciphersuite. For TLS 1.3 1964 * skip check since TLS 1.3 ciphersuites can be used with any certificate 1965 * type. 1966 */ 1967 if (!SSL_CONNECTION_IS_TLS13(sc)) { 1968 if ((clu->amask & sc->s3.tmp.new_cipher->algorithm_auth) == 0) { 1969 SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_RPK_TYPE); 1970 return WORK_ERROR; 1971 } 1972 } 1973 1974 /* Ensure there is no peer/peer_chain */ 1975 X509_free(sc->session->peer); 1976 sc->session->peer = NULL; 1977 sk_X509_pop_free(sc->session->peer_chain, X509_free); 1978 sc->session->peer_chain = NULL; 1979 sc->session->verify_result = sc->verify_result; 1980 1981 /* Save the current hash state for when we receive the CertificateVerify */ 1982 if (SSL_CONNECTION_IS_TLS13(sc) 1983 && !ssl_handshake_hash(sc, sc->cert_verify_hash, 1984 sizeof(sc->cert_verify_hash), 1985 &sc->cert_verify_hash_len)) { 1986 /* SSLfatal() already called */ 1987 return WORK_ERROR; 1988 } 1989 1990 return WORK_FINISHED_CONTINUE; 1991 } 1992 1993 /* prepare server cert verification by setting s->session->peer_chain from pkt */ 1994 MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s, 1995 PACKET *pkt) 1996 { 1997 unsigned long cert_list_len, cert_len; 1998 X509 *x = NULL; 1999 const unsigned char *certstart, *certbytes; 2000 size_t chainidx; 2001 unsigned int context = 0; 2002 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 2003 2004 if (s->ext.server_cert_type == TLSEXT_cert_type_rpk) 2005 return tls_process_server_rpk(s, pkt); 2006 if (s->ext.server_cert_type != TLSEXT_cert_type_x509) { 2007 SSLfatal(s, SSL_AD_UNSUPPORTED_CERTIFICATE, 2008 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 2009 goto err; 2010 } 2011 2012 if ((s->session->peer_chain = sk_X509_new_null()) == NULL) { 2013 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2014 goto err; 2015 } 2016 2017 if ((SSL_CONNECTION_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) 2018 || context != 0 2019 || !PACKET_get_net_3(pkt, &cert_list_len) 2020 || PACKET_remaining(pkt) != cert_list_len 2021 || PACKET_remaining(pkt) == 0) { 2022 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2023 goto err; 2024 } 2025 for (chainidx = 0; PACKET_remaining(pkt); chainidx++) { 2026 if (!PACKET_get_net_3(pkt, &cert_len) 2027 || !PACKET_get_bytes(pkt, &certbytes, cert_len)) { 2028 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); 2029 goto err; 2030 } 2031 2032 certstart = certbytes; 2033 x = X509_new_ex(sctx->libctx, sctx->propq); 2034 if (x == NULL) { 2035 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB); 2036 goto err; 2037 } 2038 if (d2i_X509(&x, (const unsigned char **)&certbytes, 2039 cert_len) == NULL) { 2040 SSLfatal(s, SSL_AD_BAD_CERTIFICATE, ERR_R_ASN1_LIB); 2041 goto err; 2042 } 2043 2044 if (certbytes != (certstart + cert_len)) { 2045 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); 2046 goto err; 2047 } 2048 2049 if (SSL_CONNECTION_IS_TLS13(s)) { 2050 RAW_EXTENSION *rawexts = NULL; 2051 PACKET extensions; 2052 2053 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { 2054 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 2055 goto err; 2056 } 2057 if (!tls_collect_extensions(s, &extensions, 2058 SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, 2059 NULL, chainidx == 0) 2060 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, 2061 rawexts, x, chainidx, 2062 PACKET_remaining(pkt) == 0)) { 2063 OPENSSL_free(rawexts); 2064 /* SSLfatal already called */ 2065 goto err; 2066 } 2067 OPENSSL_free(rawexts); 2068 } 2069 2070 if (!sk_X509_push(s->session->peer_chain, x)) { 2071 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2072 goto err; 2073 } 2074 x = NULL; 2075 } 2076 return MSG_PROCESS_CONTINUE_PROCESSING; 2077 2078 err: 2079 X509_free(x); 2080 OSSL_STACK_OF_X509_free(s->session->peer_chain); 2081 s->session->peer_chain = NULL; 2082 return MSG_PROCESS_ERROR; 2083 } 2084 2085 /* 2086 * Verify the s->session->peer_chain and check server cert type. 2087 * On success set s->session->peer and s->session->verify_result. 2088 * Else the peer certificate verification callback may request retry. 2089 */ 2090 WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, 2091 WORK_STATE wst) 2092 { 2093 X509 *x; 2094 EVP_PKEY *pkey = NULL; 2095 const SSL_CERT_LOOKUP *clu; 2096 size_t certidx; 2097 int i; 2098 2099 if (s->ext.server_cert_type == TLSEXT_cert_type_rpk) 2100 return tls_post_process_server_rpk(s, wst); 2101 2102 if (s->rwstate == SSL_RETRY_VERIFY) 2103 s->rwstate = SSL_NOTHING; 2104 2105 /* 2106 * The documented interface is that SSL_VERIFY_PEER should be set in order 2107 * for client side verification of the server certificate to take place. 2108 * However, historically the code has only checked that *any* flag is set 2109 * to cause server verification to take place. Use of the other flags makes 2110 * no sense in client mode. An attempt to clean up the semantics was 2111 * reverted because at least one application *only* set 2112 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused 2113 * server verification to take place, after the clean up it silently did 2114 * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags 2115 * sent to them because they are void functions. Therefore, we now use the 2116 * (less clean) historic behaviour of performing validation if any flag is 2117 * set. The *documented* interface remains the same. 2118 */ 2119 ERR_set_mark(); 2120 i = ssl_verify_cert_chain(s, s->session->peer_chain); 2121 if (i <= 0 && s->verify_mode != SSL_VERIFY_NONE) { 2122 ERR_clear_last_mark(); 2123 SSLfatal(s, ssl_x509err2alert(s->verify_result), 2124 SSL_R_CERTIFICATE_VERIFY_FAILED); 2125 return WORK_ERROR; 2126 } 2127 ERR_pop_to_mark(); /* but we keep s->verify_result */ 2128 if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) 2129 return WORK_MORE_A; 2130 2131 /* 2132 * Inconsistency alert: cert_chain does include the peer's certificate, 2133 * which we don't include in statem_srvr.c 2134 */ 2135 x = sk_X509_value(s->session->peer_chain, 0); 2136 2137 pkey = X509_get0_pubkey(x); 2138 2139 if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) { 2140 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2141 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 2142 return WORK_ERROR; 2143 } 2144 2145 if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx, 2146 SSL_CONNECTION_GET_CTX(s))) == NULL) { 2147 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 2148 return WORK_ERROR; 2149 } 2150 /* 2151 * Check certificate type is consistent with ciphersuite. For TLS 1.3 2152 * skip check since TLS 1.3 ciphersuites can be used with any certificate 2153 * type. 2154 */ 2155 if (!SSL_CONNECTION_IS_TLS13(s)) { 2156 if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) { 2157 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE); 2158 return WORK_ERROR; 2159 } 2160 } 2161 2162 if (!X509_up_ref(x)) { 2163 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2164 return WORK_ERROR; 2165 } 2166 2167 X509_free(s->session->peer); 2168 s->session->peer = x; 2169 s->session->verify_result = s->verify_result; 2170 /* Ensure there is no RPK */ 2171 EVP_PKEY_free(s->session->peer_rpk); 2172 s->session->peer_rpk = NULL; 2173 2174 /* Save the current hash state for when we receive the CertificateVerify */ 2175 if (SSL_CONNECTION_IS_TLS13(s) 2176 && !ssl_handshake_hash(s, s->cert_verify_hash, 2177 sizeof(s->cert_verify_hash), 2178 &s->cert_verify_hash_len)) { 2179 /* SSLfatal() already called */; 2180 return WORK_ERROR; 2181 } 2182 return WORK_FINISHED_CONTINUE; 2183 } 2184 2185 #ifndef OPENSSL_NO_COMP_ALG 2186 MSG_PROCESS_RETURN tls_process_server_compressed_certificate(SSL_CONNECTION *sc, PACKET *pkt) 2187 { 2188 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; 2189 PACKET tmppkt; 2190 BUF_MEM *buf = BUF_MEM_new(); 2191 2192 if (tls13_process_compressed_certificate(sc, pkt, &tmppkt, buf) != MSG_PROCESS_ERROR) 2193 ret = tls_process_server_certificate(sc, &tmppkt); 2194 2195 BUF_MEM_free(buf); 2196 return ret; 2197 } 2198 #endif 2199 2200 static int tls_process_ske_psk_preamble(SSL_CONNECTION *s, PACKET *pkt) 2201 { 2202 #ifndef OPENSSL_NO_PSK 2203 PACKET psk_identity_hint; 2204 2205 /* PSK ciphersuites are preceded by an identity hint */ 2206 2207 if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) { 2208 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2209 return 0; 2210 } 2211 2212 /* 2213 * Store PSK identity hint for later use, hint is used in 2214 * tls_construct_client_key_exchange. Assume that the maximum length of 2215 * a PSK identity hint can be as long as the maximum length of a PSK 2216 * identity. 2217 */ 2218 if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) { 2219 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DATA_LENGTH_TOO_LONG); 2220 return 0; 2221 } 2222 2223 if (PACKET_remaining(&psk_identity_hint) == 0) { 2224 OPENSSL_free(s->session->psk_identity_hint); 2225 s->session->psk_identity_hint = NULL; 2226 } else if (!PACKET_strndup(&psk_identity_hint, 2227 &s->session->psk_identity_hint)) { 2228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2229 return 0; 2230 } 2231 2232 return 1; 2233 #else 2234 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2235 return 0; 2236 #endif 2237 } 2238 2239 static int tls_process_ske_srp(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey) 2240 { 2241 #ifndef OPENSSL_NO_SRP 2242 PACKET prime, generator, salt, server_pub; 2243 2244 if (!PACKET_get_length_prefixed_2(pkt, &prime) 2245 || !PACKET_get_length_prefixed_2(pkt, &generator) 2246 || !PACKET_get_length_prefixed_1(pkt, &salt) 2247 || !PACKET_get_length_prefixed_2(pkt, &server_pub)) { 2248 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2249 return 0; 2250 } 2251 2252 if ((s->srp_ctx.N = 2253 BN_bin2bn(PACKET_data(&prime), 2254 (int)PACKET_remaining(&prime), NULL)) == NULL 2255 || (s->srp_ctx.g = 2256 BN_bin2bn(PACKET_data(&generator), 2257 (int)PACKET_remaining(&generator), NULL)) == NULL 2258 || (s->srp_ctx.s = 2259 BN_bin2bn(PACKET_data(&salt), 2260 (int)PACKET_remaining(&salt), NULL)) == NULL 2261 || (s->srp_ctx.B = 2262 BN_bin2bn(PACKET_data(&server_pub), 2263 (int)PACKET_remaining(&server_pub), NULL)) == NULL) { 2264 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); 2265 return 0; 2266 } 2267 2268 if (!srp_verify_server_param(s)) { 2269 /* SSLfatal() already called */ 2270 return 0; 2271 } 2272 2273 /* We must check if there is a certificate */ 2274 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) 2275 *pkey = tls_get_peer_pkey(s); 2276 2277 return 1; 2278 #else 2279 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2280 return 0; 2281 #endif 2282 } 2283 2284 static int tls_process_ske_dhe(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey) 2285 { 2286 PACKET prime, generator, pub_key; 2287 EVP_PKEY *peer_tmp = NULL; 2288 BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL; 2289 EVP_PKEY_CTX *pctx = NULL; 2290 OSSL_PARAM *params = NULL; 2291 OSSL_PARAM_BLD *tmpl = NULL; 2292 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 2293 int ret = 0; 2294 2295 if (!PACKET_get_length_prefixed_2(pkt, &prime) 2296 || !PACKET_get_length_prefixed_2(pkt, &generator) 2297 || !PACKET_get_length_prefixed_2(pkt, &pub_key)) { 2298 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2299 return 0; 2300 } 2301 2302 p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL); 2303 g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator), 2304 NULL); 2305 bnpub_key = BN_bin2bn(PACKET_data(&pub_key), 2306 (int)PACKET_remaining(&pub_key), NULL); 2307 if (p == NULL || g == NULL || bnpub_key == NULL) { 2308 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); 2309 goto err; 2310 } 2311 2312 tmpl = OSSL_PARAM_BLD_new(); 2313 if (tmpl == NULL 2314 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p) 2315 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G, g) 2316 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PUB_KEY, 2317 bnpub_key) 2318 || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) { 2319 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2320 goto err; 2321 } 2322 2323 pctx = EVP_PKEY_CTX_new_from_name(sctx->libctx, "DH", sctx->propq); 2324 if (pctx == NULL) { 2325 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2326 goto err; 2327 } 2328 if (EVP_PKEY_fromdata_init(pctx) <= 0 2329 || EVP_PKEY_fromdata(pctx, &peer_tmp, EVP_PKEY_KEYPAIR, params) <= 0) { 2330 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE); 2331 goto err; 2332 } 2333 2334 EVP_PKEY_CTX_free(pctx); 2335 pctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, peer_tmp, sctx->propq); 2336 if (pctx == NULL 2337 /* 2338 * EVP_PKEY_param_check() will verify that the DH params are using 2339 * a safe prime. In this context, because we're using ephemeral DH, 2340 * we're ok with it not being a safe prime. 2341 * EVP_PKEY_param_check_quick() skips the safe prime check. 2342 */ 2343 || EVP_PKEY_param_check_quick(pctx) != 1 2344 || EVP_PKEY_public_check(pctx) != 1) { 2345 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE); 2346 goto err; 2347 } 2348 2349 if (!ssl_security(s, SSL_SECOP_TMP_DH, 2350 EVP_PKEY_get_security_bits(peer_tmp), 2351 0, peer_tmp)) { 2352 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL); 2353 goto err; 2354 } 2355 2356 s->s3.peer_tmp = peer_tmp; 2357 peer_tmp = NULL; 2358 2359 /* 2360 * FIXME: This makes assumptions about which ciphersuites come with 2361 * public keys. We should have a less ad-hoc way of doing this 2362 */ 2363 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) 2364 *pkey = tls_get_peer_pkey(s); 2365 /* else anonymous DH, so no certificate or pkey. */ 2366 2367 ret = 1; 2368 2369 err: 2370 OSSL_PARAM_BLD_free(tmpl); 2371 OSSL_PARAM_free(params); 2372 EVP_PKEY_free(peer_tmp); 2373 EVP_PKEY_CTX_free(pctx); 2374 BN_free(p); 2375 BN_free(g); 2376 BN_free(bnpub_key); 2377 2378 return ret; 2379 } 2380 2381 static int tls_process_ske_ecdhe(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey) 2382 { 2383 PACKET encoded_pt; 2384 unsigned int curve_type, curve_id; 2385 2386 /* 2387 * Extract elliptic curve parameters and the server's ephemeral ECDH 2388 * public key. We only support named (not generic) curves and 2389 * ECParameters in this case is just three bytes. 2390 */ 2391 if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) { 2392 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); 2393 return 0; 2394 } 2395 /* 2396 * Check curve is named curve type and one of our preferences, if not 2397 * server has sent an invalid curve. 2398 */ 2399 if (curve_type != NAMED_CURVE_TYPE 2400 || !tls1_check_group_id(s, curve_id, 1)) { 2401 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 2402 return 0; 2403 } 2404 2405 if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL) { 2406 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2407 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 2408 return 0; 2409 } 2410 2411 if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) { 2412 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2413 return 0; 2414 } 2415 2416 if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp, 2417 PACKET_data(&encoded_pt), 2418 PACKET_remaining(&encoded_pt)) <= 0) { 2419 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); 2420 return 0; 2421 } 2422 2423 /* 2424 * The ECC/TLS specification does not mention the use of DSA to sign 2425 * ECParameters in the server key exchange message. We do support RSA 2426 * and ECDSA. 2427 */ 2428 if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) 2429 *pkey = tls_get_peer_pkey(s); 2430 else if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aRSA) 2431 *pkey = tls_get_peer_pkey(s); 2432 /* else anonymous ECDH, so no certificate or pkey. */ 2433 2434 /* Cache the agreed upon group in the SSL_SESSION */ 2435 s->session->kex_group = curve_id; 2436 return 1; 2437 } 2438 2439 MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s, PACKET *pkt) 2440 { 2441 long alg_k; 2442 EVP_PKEY *pkey = NULL; 2443 EVP_MD_CTX *md_ctx = NULL; 2444 EVP_PKEY_CTX *pctx = NULL; 2445 PACKET save_param_start, signature; 2446 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 2447 2448 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; 2449 2450 save_param_start = *pkt; 2451 2452 EVP_PKEY_free(s->s3.peer_tmp); 2453 s->s3.peer_tmp = NULL; 2454 2455 if (alg_k & SSL_PSK) { 2456 if (!tls_process_ske_psk_preamble(s, pkt)) { 2457 /* SSLfatal() already called */ 2458 goto err; 2459 } 2460 } 2461 2462 /* Nothing else to do for plain PSK or RSAPSK */ 2463 if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) { 2464 } else if (alg_k & SSL_kSRP) { 2465 if (!tls_process_ske_srp(s, pkt, &pkey)) { 2466 /* SSLfatal() already called */ 2467 goto err; 2468 } 2469 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { 2470 if (!tls_process_ske_dhe(s, pkt, &pkey)) { 2471 /* SSLfatal() already called */ 2472 goto err; 2473 } 2474 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { 2475 if (!tls_process_ske_ecdhe(s, pkt, &pkey)) { 2476 /* SSLfatal() already called */ 2477 goto err; 2478 } 2479 } else if (alg_k) { 2480 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 2481 goto err; 2482 } 2483 2484 /* if it was signed, check the signature */ 2485 if (pkey != NULL) { 2486 PACKET params; 2487 const EVP_MD *md = NULL; 2488 unsigned char *tbs; 2489 size_t tbslen; 2490 int rv; 2491 2492 /* 2493 * |pkt| now points to the beginning of the signature, so the difference 2494 * equals the length of the parameters. 2495 */ 2496 if (!PACKET_get_sub_packet(&save_param_start, ¶ms, 2497 PACKET_remaining(&save_param_start) - 2498 PACKET_remaining(pkt))) { 2499 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); 2500 goto err; 2501 } 2502 2503 if (SSL_USE_SIGALGS(s)) { 2504 unsigned int sigalg; 2505 2506 if (!PACKET_get_net_2(pkt, &sigalg)) { 2507 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); 2508 goto err; 2509 } 2510 if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) { 2511 /* SSLfatal() already called */ 2512 goto err; 2513 } 2514 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { 2515 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2516 SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED); 2517 goto err; 2518 } 2519 2520 if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) { 2521 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2522 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM); 2523 goto err; 2524 } 2525 if (SSL_USE_SIGALGS(s)) 2526 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n", 2527 md == NULL ? "n/a" : EVP_MD_get0_name(md)); 2528 2529 if (!PACKET_get_length_prefixed_2(pkt, &signature) 2530 || PACKET_remaining(pkt) != 0) { 2531 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2532 goto err; 2533 } 2534 2535 md_ctx = EVP_MD_CTX_new(); 2536 if (md_ctx == NULL) { 2537 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 2538 goto err; 2539 } 2540 2541 if (EVP_DigestVerifyInit_ex(md_ctx, &pctx, 2542 md == NULL ? NULL : EVP_MD_get0_name(md), 2543 sctx->libctx, sctx->propq, pkey, 2544 NULL) <= 0) { 2545 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 2546 goto err; 2547 } 2548 if (SSL_USE_PSS(s)) { 2549 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 2550 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 2551 RSA_PSS_SALTLEN_DIGEST) <= 0) { 2552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 2553 goto err; 2554 } 2555 } 2556 tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(¶ms), 2557 PACKET_remaining(¶ms)); 2558 if (tbslen == 0) { 2559 /* SSLfatal() already called */ 2560 goto err; 2561 } 2562 2563 rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature), 2564 PACKET_remaining(&signature), tbs, tbslen); 2565 OPENSSL_free(tbs); 2566 if (rv <= 0) { 2567 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); 2568 goto err; 2569 } 2570 EVP_MD_CTX_free(md_ctx); 2571 md_ctx = NULL; 2572 } else { 2573 /* aNULL, aSRP or PSK do not need public keys */ 2574 if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) 2575 && !(alg_k & SSL_PSK)) { 2576 /* Might be wrong key type, check it */ 2577 if (ssl3_check_cert_and_algorithm(s)) { 2578 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DATA); 2579 } 2580 /* else this shouldn't happen, SSLfatal() already called */ 2581 goto err; 2582 } 2583 /* still data left over */ 2584 if (PACKET_remaining(pkt) != 0) { 2585 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_EXTRA_DATA_IN_MESSAGE); 2586 goto err; 2587 } 2588 } 2589 2590 return MSG_PROCESS_CONTINUE_READING; 2591 err: 2592 EVP_MD_CTX_free(md_ctx); 2593 return MSG_PROCESS_ERROR; 2594 } 2595 2596 MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s, 2597 PACKET *pkt) 2598 { 2599 /* Clear certificate validity flags */ 2600 if (s->s3.tmp.valid_flags != NULL) 2601 memset(s->s3.tmp.valid_flags, 0, s->ssl_pkey_num * sizeof(uint32_t)); 2602 else 2603 s->s3.tmp.valid_flags = OPENSSL_zalloc(s->ssl_pkey_num * sizeof(uint32_t)); 2604 2605 /* Give up for good if allocation didn't work */ 2606 if (s->s3.tmp.valid_flags == NULL) 2607 return 0; 2608 2609 if (SSL_CONNECTION_IS_TLS13(s)) { 2610 PACKET reqctx, extensions; 2611 RAW_EXTENSION *rawexts = NULL; 2612 2613 if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { 2614 /* 2615 * We already sent close_notify. This can only happen in TLSv1.3 2616 * post-handshake messages. We can't reasonably respond to this, so 2617 * we just ignore it 2618 */ 2619 return MSG_PROCESS_FINISHED_READING; 2620 } 2621 2622 /* Free and zero certificate types: it is not present in TLS 1.3 */ 2623 OPENSSL_free(s->s3.tmp.ctype); 2624 s->s3.tmp.ctype = NULL; 2625 s->s3.tmp.ctype_len = 0; 2626 OPENSSL_free(s->pha_context); 2627 s->pha_context = NULL; 2628 s->pha_context_len = 0; 2629 2630 if (!PACKET_get_length_prefixed_1(pkt, &reqctx) || 2631 !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) { 2632 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2633 return MSG_PROCESS_ERROR; 2634 } 2635 2636 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { 2637 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 2638 return MSG_PROCESS_ERROR; 2639 } 2640 if (!tls_collect_extensions(s, &extensions, 2641 SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 2642 &rawexts, NULL, 1) 2643 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 2644 rawexts, NULL, 0, 1)) { 2645 /* SSLfatal() already called */ 2646 OPENSSL_free(rawexts); 2647 return MSG_PROCESS_ERROR; 2648 } 2649 OPENSSL_free(rawexts); 2650 if (!tls1_process_sigalgs(s)) { 2651 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH); 2652 return MSG_PROCESS_ERROR; 2653 } 2654 } else { 2655 PACKET ctypes; 2656 2657 /* get the certificate types */ 2658 if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) { 2659 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2660 return MSG_PROCESS_ERROR; 2661 } 2662 2663 if (!PACKET_memdup(&ctypes, &s->s3.tmp.ctype, &s->s3.tmp.ctype_len)) { 2664 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2665 return MSG_PROCESS_ERROR; 2666 } 2667 2668 if (SSL_USE_SIGALGS(s)) { 2669 PACKET sigalgs; 2670 2671 if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) { 2672 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2673 return MSG_PROCESS_ERROR; 2674 } 2675 2676 /* 2677 * Despite this being for certificates, preserve compatibility 2678 * with pre-TLS 1.3 and use the regular sigalgs field. 2679 */ 2680 if (!tls1_save_sigalgs(s, &sigalgs, 0)) { 2681 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2682 SSL_R_SIGNATURE_ALGORITHMS_ERROR); 2683 return MSG_PROCESS_ERROR; 2684 } 2685 if (!tls1_process_sigalgs(s)) { 2686 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); 2687 return MSG_PROCESS_ERROR; 2688 } 2689 } 2690 2691 /* get the CA RDNs */ 2692 if (!parse_ca_names(s, pkt)) { 2693 /* SSLfatal() already called */ 2694 return MSG_PROCESS_ERROR; 2695 } 2696 } 2697 2698 if (PACKET_remaining(pkt) != 0) { 2699 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2700 return MSG_PROCESS_ERROR; 2701 } 2702 2703 /* we should setup a certificate to return.... */ 2704 s->s3.tmp.cert_req = 1; 2705 2706 /* 2707 * In TLSv1.3 we don't prepare the client certificate yet. We wait until 2708 * after the CertificateVerify message has been received. This is because 2709 * in TLSv1.3 the CertificateRequest arrives before the Certificate message 2710 * but in TLSv1.2 it is the other way around. We want to make sure that 2711 * SSL_get1_peer_certificate() returns something sensible in 2712 * client_cert_cb. 2713 */ 2714 if (SSL_CONNECTION_IS_TLS13(s) 2715 && s->post_handshake_auth != SSL_PHA_REQUESTED) 2716 return MSG_PROCESS_CONTINUE_READING; 2717 2718 return MSG_PROCESS_CONTINUE_PROCESSING; 2719 } 2720 2721 MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, 2722 PACKET *pkt) 2723 { 2724 unsigned int ticklen; 2725 unsigned long ticket_lifetime_hint, age_add = 0; 2726 unsigned int sess_len; 2727 RAW_EXTENSION *exts = NULL; 2728 PACKET nonce; 2729 EVP_MD *sha256 = NULL; 2730 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 2731 2732 PACKET_null_init(&nonce); 2733 2734 if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint) 2735 || (SSL_CONNECTION_IS_TLS13(s) 2736 && (!PACKET_get_net_4(pkt, &age_add) 2737 || !PACKET_get_length_prefixed_1(pkt, &nonce))) 2738 || !PACKET_get_net_2(pkt, &ticklen) 2739 || (SSL_CONNECTION_IS_TLS13(s) ? (ticklen == 0 2740 || PACKET_remaining(pkt) < ticklen) 2741 : PACKET_remaining(pkt) != ticklen)) { 2742 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2743 goto err; 2744 } 2745 2746 /* 2747 * Server is allowed to change its mind (in <=TLSv1.2) and send an empty 2748 * ticket. We already checked this TLSv1.3 case above, so it should never 2749 * be 0 here in that instance 2750 */ 2751 if (ticklen == 0) 2752 return MSG_PROCESS_CONTINUE_READING; 2753 2754 /* 2755 * Sessions must be immutable once they go into the session cache. Otherwise 2756 * we can get multi-thread problems. Therefore we don't "update" sessions, 2757 * we replace them with a duplicate. In TLSv1.3 we need to do this every 2758 * time a NewSessionTicket arrives because those messages arrive 2759 * post-handshake and the session may have already gone into the session 2760 * cache. 2761 */ 2762 if (SSL_CONNECTION_IS_TLS13(s) || s->session->session_id_length > 0) { 2763 SSL_SESSION *new_sess; 2764 2765 /* 2766 * We reused an existing session, so we need to replace it with a new 2767 * one 2768 */ 2769 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { 2770 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); 2771 goto err; 2772 } 2773 2774 if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 2775 && !SSL_CONNECTION_IS_TLS13(s)) { 2776 /* 2777 * In TLSv1.2 and below the arrival of a new tickets signals that 2778 * any old ticket we were using is now out of date, so we remove the 2779 * old session from the cache. We carry on if this fails 2780 */ 2781 SSL_CTX_remove_session(s->session_ctx, s->session); 2782 } 2783 2784 SSL_SESSION_free(s->session); 2785 s->session = new_sess; 2786 } 2787 2788 s->session->time = ossl_time_now(); 2789 ssl_session_calculate_timeout(s->session); 2790 2791 OPENSSL_free(s->session->ext.tick); 2792 s->session->ext.tick = NULL; 2793 s->session->ext.ticklen = 0; 2794 2795 s->session->ext.tick = OPENSSL_malloc(ticklen); 2796 if (s->session->ext.tick == NULL) { 2797 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2798 goto err; 2799 } 2800 if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) { 2801 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2802 goto err; 2803 } 2804 2805 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint; 2806 s->session->ext.tick_age_add = age_add; 2807 s->session->ext.ticklen = ticklen; 2808 2809 if (SSL_CONNECTION_IS_TLS13(s)) { 2810 PACKET extpkt; 2811 2812 if (!PACKET_as_length_prefixed_2(pkt, &extpkt) 2813 || PACKET_remaining(pkt) != 0) { 2814 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2815 goto err; 2816 } 2817 2818 if (!tls_collect_extensions(s, &extpkt, 2819 SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts, 2820 NULL, 1) 2821 || !tls_parse_all_extensions(s, 2822 SSL_EXT_TLS1_3_NEW_SESSION_TICKET, 2823 exts, NULL, 0, 1)) { 2824 /* SSLfatal() already called */ 2825 goto err; 2826 } 2827 } 2828 2829 /* 2830 * There are two ways to detect a resumed ticket session. One is to set 2831 * an appropriate session ID and then the server must return a match in 2832 * ServerHello. This allows the normal client session ID matching to work 2833 * and we know much earlier that the ticket has been accepted. The 2834 * other way is to set zero length session ID when the ticket is 2835 * presented and rely on the handshake to determine session resumption. 2836 * We choose the former approach because this fits in with assumptions 2837 * elsewhere in OpenSSL. The session ID is set to the SHA256 hash of the 2838 * ticket. 2839 */ 2840 sha256 = EVP_MD_fetch(sctx->libctx, "SHA2-256", sctx->propq); 2841 if (sha256 == NULL) { 2842 /* Error is already recorded */ 2843 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 2844 goto err; 2845 } 2846 /* 2847 * We use sess_len here because EVP_Digest expects an int 2848 * but s->session->session_id_length is a size_t 2849 */ 2850 if (!EVP_Digest(s->session->ext.tick, ticklen, 2851 s->session->session_id, &sess_len, 2852 sha256, NULL)) { 2853 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 2854 goto err; 2855 } 2856 EVP_MD_free(sha256); 2857 sha256 = NULL; 2858 s->session->session_id_length = sess_len; 2859 s->session->not_resumable = 0; 2860 2861 /* This is a standalone message in TLSv1.3, so there is no more to read */ 2862 if (SSL_CONNECTION_IS_TLS13(s)) { 2863 const EVP_MD *md = ssl_handshake_md(s); 2864 int hashleni = EVP_MD_get_size(md); 2865 size_t hashlen; 2866 static const unsigned char nonce_label[] = "resumption"; 2867 2868 /* Ensure cast to size_t is safe */ 2869 if (!ossl_assert(hashleni > 0)) { 2870 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2871 goto err; 2872 } 2873 hashlen = (size_t)hashleni; 2874 2875 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, 2876 nonce_label, 2877 sizeof(nonce_label) - 1, 2878 PACKET_data(&nonce), 2879 PACKET_remaining(&nonce), 2880 s->session->master_key, 2881 hashlen, 1)) { 2882 /* SSLfatal() already called */ 2883 goto err; 2884 } 2885 s->session->master_key_length = hashlen; 2886 2887 OPENSSL_free(exts); 2888 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 2889 return MSG_PROCESS_FINISHED_READING; 2890 } 2891 2892 return MSG_PROCESS_CONTINUE_READING; 2893 err: 2894 EVP_MD_free(sha256); 2895 OPENSSL_free(exts); 2896 return MSG_PROCESS_ERROR; 2897 } 2898 2899 /* 2900 * In TLSv1.3 this is called from the extensions code, otherwise it is used to 2901 * parse a separate message. Returns 1 on success or 0 on failure 2902 */ 2903 int tls_process_cert_status_body(SSL_CONNECTION *s, PACKET *pkt) 2904 { 2905 size_t resplen; 2906 unsigned int type; 2907 2908 if (!PACKET_get_1(pkt, &type) 2909 || type != TLSEXT_STATUSTYPE_ocsp) { 2910 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE); 2911 return 0; 2912 } 2913 if (!PACKET_get_net_3_len(pkt, &resplen) 2914 || PACKET_remaining(pkt) != resplen) { 2915 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2916 return 0; 2917 } 2918 s->ext.ocsp.resp = OPENSSL_malloc(resplen); 2919 if (s->ext.ocsp.resp == NULL) { 2920 s->ext.ocsp.resp_len = 0; 2921 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 2922 return 0; 2923 } 2924 s->ext.ocsp.resp_len = resplen; 2925 if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { 2926 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2927 return 0; 2928 } 2929 2930 return 1; 2931 } 2932 2933 2934 MSG_PROCESS_RETURN tls_process_cert_status(SSL_CONNECTION *s, PACKET *pkt) 2935 { 2936 if (!tls_process_cert_status_body(s, pkt)) { 2937 /* SSLfatal() already called */ 2938 return MSG_PROCESS_ERROR; 2939 } 2940 2941 return MSG_PROCESS_CONTINUE_READING; 2942 } 2943 2944 /* 2945 * Perform miscellaneous checks and processing after we have received the 2946 * server's initial flight. In TLS1.3 this is after the Server Finished message. 2947 * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0 2948 * on failure. 2949 */ 2950 int tls_process_initial_server_flight(SSL_CONNECTION *s) 2951 { 2952 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 2953 2954 /* 2955 * at this point we check that we have the required stuff from 2956 * the server 2957 */ 2958 if (!ssl3_check_cert_and_algorithm(s)) { 2959 /* SSLfatal() already called */ 2960 return 0; 2961 } 2962 2963 /* 2964 * Call the ocsp status callback if needed. The |ext.ocsp.resp| and 2965 * |ext.ocsp.resp_len| values will be set if we actually received a status 2966 * message, or NULL and -1 otherwise 2967 */ 2968 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing 2969 && sctx->ext.status_cb != NULL) { 2970 int ret = sctx->ext.status_cb(SSL_CONNECTION_GET_USER_SSL(s), 2971 sctx->ext.status_arg); 2972 2973 if (ret == 0) { 2974 SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE, 2975 SSL_R_INVALID_STATUS_RESPONSE); 2976 return 0; 2977 } 2978 if (ret < 0) { 2979 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2980 SSL_R_OCSP_CALLBACK_FAILURE); 2981 return 0; 2982 } 2983 } 2984 #ifndef OPENSSL_NO_CT 2985 if (s->ct_validation_callback != NULL) { 2986 /* Note we validate the SCTs whether or not we abort on error */ 2987 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) { 2988 /* SSLfatal() already called */ 2989 return 0; 2990 } 2991 } 2992 #endif 2993 2994 return 1; 2995 } 2996 2997 MSG_PROCESS_RETURN tls_process_server_done(SSL_CONNECTION *s, PACKET *pkt) 2998 { 2999 if (PACKET_remaining(pkt) > 0) { 3000 /* should contain no data */ 3001 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 3002 return MSG_PROCESS_ERROR; 3003 } 3004 #ifndef OPENSSL_NO_SRP 3005 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { 3006 if (ssl_srp_calc_a_param_intern(s) <= 0) { 3007 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC); 3008 return MSG_PROCESS_ERROR; 3009 } 3010 } 3011 #endif 3012 3013 if (!tls_process_initial_server_flight(s)) { 3014 /* SSLfatal() already called */ 3015 return MSG_PROCESS_ERROR; 3016 } 3017 3018 return MSG_PROCESS_FINISHED_READING; 3019 } 3020 3021 static int tls_construct_cke_psk_preamble(SSL_CONNECTION *s, WPACKET *pkt) 3022 { 3023 #ifndef OPENSSL_NO_PSK 3024 int ret = 0; 3025 /* 3026 * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a 3027 * \0-terminated identity. The last byte is for us for simulating 3028 * strnlen. 3029 */ 3030 char identity[PSK_MAX_IDENTITY_LEN + 1]; 3031 size_t identitylen = 0; 3032 unsigned char psk[PSK_MAX_PSK_LEN]; 3033 unsigned char *tmppsk = NULL; 3034 char *tmpidentity = NULL; 3035 size_t psklen = 0; 3036 3037 if (s->psk_client_callback == NULL) { 3038 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_CLIENT_CB); 3039 goto err; 3040 } 3041 3042 memset(identity, 0, sizeof(identity)); 3043 3044 psklen = s->psk_client_callback(SSL_CONNECTION_GET_USER_SSL(s), 3045 s->session->psk_identity_hint, 3046 identity, sizeof(identity) - 1, 3047 psk, sizeof(psk)); 3048 3049 if (psklen > PSK_MAX_PSK_LEN) { 3050 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); 3051 psklen = PSK_MAX_PSK_LEN; /* Avoid overrunning the array on cleanse */ 3052 goto err; 3053 } else if (psklen == 0) { 3054 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND); 3055 goto err; 3056 } 3057 3058 identitylen = strlen(identity); 3059 if (identitylen > PSK_MAX_IDENTITY_LEN) { 3060 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3061 goto err; 3062 } 3063 3064 tmppsk = OPENSSL_memdup(psk, psklen); 3065 tmpidentity = OPENSSL_strdup(identity); 3066 if (tmppsk == NULL || tmpidentity == NULL) { 3067 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 3068 goto err; 3069 } 3070 3071 OPENSSL_free(s->s3.tmp.psk); 3072 s->s3.tmp.psk = tmppsk; 3073 s->s3.tmp.psklen = psklen; 3074 tmppsk = NULL; 3075 OPENSSL_free(s->session->psk_identity); 3076 s->session->psk_identity = tmpidentity; 3077 tmpidentity = NULL; 3078 3079 if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)) { 3080 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3081 goto err; 3082 } 3083 3084 ret = 1; 3085 3086 err: 3087 OPENSSL_cleanse(psk, psklen); 3088 OPENSSL_cleanse(identity, sizeof(identity)); 3089 OPENSSL_clear_free(tmppsk, psklen); 3090 OPENSSL_clear_free(tmpidentity, identitylen); 3091 3092 return ret; 3093 #else 3094 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3095 return 0; 3096 #endif 3097 } 3098 3099 static int tls_construct_cke_rsa(SSL_CONNECTION *s, WPACKET *pkt) 3100 { 3101 unsigned char *encdata = NULL; 3102 EVP_PKEY *pkey = NULL; 3103 EVP_PKEY_CTX *pctx = NULL; 3104 size_t enclen; 3105 unsigned char *pms = NULL; 3106 size_t pmslen = 0; 3107 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 3108 3109 if (!received_server_cert(s)) { 3110 /* 3111 * We should always have a server certificate with SSL_kRSA. 3112 */ 3113 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3114 return 0; 3115 } 3116 3117 if ((pkey = tls_get_peer_pkey(s)) == NULL) { 3118 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3119 return 0; 3120 } 3121 3122 if (!EVP_PKEY_is_a(pkey, "RSA")) { 3123 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3124 return 0; 3125 } 3126 3127 pmslen = SSL_MAX_MASTER_KEY_LENGTH; 3128 pms = OPENSSL_malloc(pmslen); 3129 if (pms == NULL) { 3130 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 3131 return 0; 3132 } 3133 3134 pms[0] = s->client_version >> 8; 3135 pms[1] = s->client_version & 0xff; 3136 if (RAND_bytes_ex(sctx->libctx, pms + 2, pmslen - 2, 0) <= 0) { 3137 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_RAND_LIB); 3138 goto err; 3139 } 3140 3141 /* Fix buf for TLS and beyond */ 3142 if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) { 3143 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3144 goto err; 3145 } 3146 3147 pctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pkey, sctx->propq); 3148 if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0 3149 || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) { 3150 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 3151 goto err; 3152 } 3153 if (!WPACKET_allocate_bytes(pkt, enclen, &encdata) 3154 || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) { 3155 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_RSA_ENCRYPT); 3156 goto err; 3157 } 3158 EVP_PKEY_CTX_free(pctx); 3159 pctx = NULL; 3160 3161 /* Fix buf for TLS and beyond */ 3162 if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) { 3163 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3164 goto err; 3165 } 3166 3167 /* Log the premaster secret, if logging is enabled. */ 3168 if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) { 3169 /* SSLfatal() already called */ 3170 goto err; 3171 } 3172 3173 s->s3.tmp.pms = pms; 3174 s->s3.tmp.pmslen = pmslen; 3175 3176 return 1; 3177 err: 3178 OPENSSL_clear_free(pms, pmslen); 3179 EVP_PKEY_CTX_free(pctx); 3180 3181 return 0; 3182 } 3183 3184 static int tls_construct_cke_dhe(SSL_CONNECTION *s, WPACKET *pkt) 3185 { 3186 EVP_PKEY *ckey = NULL, *skey = NULL; 3187 unsigned char *keybytes = NULL; 3188 int prime_len; 3189 unsigned char *encoded_pub = NULL; 3190 size_t encoded_pub_len, pad_len; 3191 int ret = 0; 3192 3193 skey = s->s3.peer_tmp; 3194 if (skey == NULL) { 3195 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3196 goto err; 3197 } 3198 3199 ckey = ssl_generate_pkey(s, skey); 3200 if (ckey == NULL) { 3201 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3202 goto err; 3203 } 3204 3205 if (ssl_derive(s, ckey, skey, 0) == 0) { 3206 /* SSLfatal() already called */ 3207 goto err; 3208 } 3209 3210 /* send off the data */ 3211 3212 /* Generate encoding of server key */ 3213 encoded_pub_len = EVP_PKEY_get1_encoded_public_key(ckey, &encoded_pub); 3214 if (encoded_pub_len == 0) { 3215 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3216 EVP_PKEY_free(ckey); 3217 return EXT_RETURN_FAIL; 3218 } 3219 3220 /* 3221 * For interoperability with some versions of the Microsoft TLS 3222 * stack, we need to zero pad the DHE pub key to the same length 3223 * as the prime. 3224 */ 3225 prime_len = EVP_PKEY_get_size(ckey); 3226 pad_len = prime_len - encoded_pub_len; 3227 if (pad_len > 0) { 3228 if (!WPACKET_sub_allocate_bytes_u16(pkt, pad_len, &keybytes)) { 3229 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3230 goto err; 3231 } 3232 memset(keybytes, 0, pad_len); 3233 } 3234 3235 if (!WPACKET_sub_memcpy_u16(pkt, encoded_pub, encoded_pub_len)) { 3236 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3237 goto err; 3238 } 3239 3240 ret = 1; 3241 err: 3242 OPENSSL_free(encoded_pub); 3243 EVP_PKEY_free(ckey); 3244 return ret; 3245 } 3246 3247 static int tls_construct_cke_ecdhe(SSL_CONNECTION *s, WPACKET *pkt) 3248 { 3249 unsigned char *encodedPoint = NULL; 3250 size_t encoded_pt_len = 0; 3251 EVP_PKEY *ckey = NULL, *skey = NULL; 3252 int ret = 0; 3253 3254 skey = s->s3.peer_tmp; 3255 if (skey == NULL) { 3256 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3257 return 0; 3258 } 3259 3260 ckey = ssl_generate_pkey(s, skey); 3261 if (ckey == NULL) { 3262 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); 3263 goto err; 3264 } 3265 3266 if (ssl_derive(s, ckey, skey, 0) == 0) { 3267 /* SSLfatal() already called */ 3268 goto err; 3269 } 3270 3271 /* Generate encoding of client key */ 3272 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(ckey, &encodedPoint); 3273 3274 if (encoded_pt_len == 0) { 3275 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); 3276 goto err; 3277 } 3278 3279 if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) { 3280 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3281 goto err; 3282 } 3283 3284 ret = 1; 3285 err: 3286 OPENSSL_free(encodedPoint); 3287 EVP_PKEY_free(ckey); 3288 return ret; 3289 } 3290 3291 static int tls_construct_cke_gost(SSL_CONNECTION *s, WPACKET *pkt) 3292 { 3293 #ifndef OPENSSL_NO_GOST 3294 /* GOST key exchange message creation */ 3295 EVP_PKEY_CTX *pkey_ctx = NULL; 3296 EVP_PKEY *pkey = NULL; 3297 size_t msglen; 3298 unsigned int md_len; 3299 unsigned char shared_ukm[32], tmp[256]; 3300 EVP_MD_CTX *ukm_hash = NULL; 3301 int dgst_nid = NID_id_GostR3411_94; 3302 unsigned char *pms = NULL; 3303 size_t pmslen = 0; 3304 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 3305 3306 if ((s->s3.tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0) 3307 dgst_nid = NID_id_GostR3411_2012_256; 3308 3309 /* 3310 * Get server certificate PKEY and create ctx from it 3311 */ 3312 if ((pkey = tls_get_peer_pkey(s)) == NULL) { 3313 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3314 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 3315 return 0; 3316 } 3317 3318 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, 3319 pkey, 3320 sctx->propq); 3321 if (pkey_ctx == NULL) { 3322 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 3323 return 0; 3324 } 3325 /* 3326 * If we have send a certificate, and certificate key 3327 * parameters match those of server certificate, use 3328 * certificate key for key exchange 3329 */ 3330 3331 /* Otherwise, generate ephemeral key pair */ 3332 pmslen = 32; 3333 pms = OPENSSL_malloc(pmslen); 3334 if (pms == NULL) { 3335 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 3336 goto err; 3337 } 3338 3339 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 3340 /* Generate session key 3341 */ 3342 || RAND_bytes_ex(sctx->libctx, pms, pmslen, 0) <= 0) { 3343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3344 goto err; 3345 }; 3346 /* 3347 * Compute shared IV and store it in algorithm-specific context 3348 * data 3349 */ 3350 ukm_hash = EVP_MD_CTX_new(); 3351 if (ukm_hash == NULL 3352 || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0 3353 || EVP_DigestUpdate(ukm_hash, s->s3.client_random, 3354 SSL3_RANDOM_SIZE) <= 0 3355 || EVP_DigestUpdate(ukm_hash, s->s3.server_random, 3356 SSL3_RANDOM_SIZE) <= 0 3357 || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) { 3358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3359 goto err; 3360 } 3361 EVP_MD_CTX_free(ukm_hash); 3362 ukm_hash = NULL; 3363 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 3364 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) <= 0) { 3365 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); 3366 goto err; 3367 } 3368 /* Make GOST keytransport blob message */ 3369 /* 3370 * Encapsulate it into sequence 3371 */ 3372 msglen = 255; 3373 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) { 3374 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); 3375 goto err; 3376 } 3377 3378 if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED) 3379 || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81)) 3380 || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) { 3381 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3382 goto err; 3383 } 3384 3385 EVP_PKEY_CTX_free(pkey_ctx); 3386 s->s3.tmp.pms = pms; 3387 s->s3.tmp.pmslen = pmslen; 3388 3389 return 1; 3390 err: 3391 EVP_PKEY_CTX_free(pkey_ctx); 3392 OPENSSL_clear_free(pms, pmslen); 3393 EVP_MD_CTX_free(ukm_hash); 3394 return 0; 3395 #else 3396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3397 return 0; 3398 #endif 3399 } 3400 3401 #ifndef OPENSSL_NO_GOST 3402 int ossl_gost18_cke_cipher_nid(const SSL_CONNECTION *s) 3403 { 3404 if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0) 3405 return NID_magma_ctr; 3406 else if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0) 3407 return NID_kuznyechik_ctr; 3408 3409 return NID_undef; 3410 } 3411 3412 int ossl_gost_ukm(const SSL_CONNECTION *s, unsigned char *dgst_buf) 3413 { 3414 EVP_MD_CTX *hash = NULL; 3415 unsigned int md_len; 3416 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 3417 const EVP_MD *md = ssl_evp_md_fetch(sctx->libctx, NID_id_GostR3411_2012_256, 3418 sctx->propq); 3419 3420 if (md == NULL) 3421 return 0; 3422 3423 if ((hash = EVP_MD_CTX_new()) == NULL 3424 || EVP_DigestInit(hash, md) <= 0 3425 || EVP_DigestUpdate(hash, s->s3.client_random, SSL3_RANDOM_SIZE) <= 0 3426 || EVP_DigestUpdate(hash, s->s3.server_random, SSL3_RANDOM_SIZE) <= 0 3427 || EVP_DigestFinal_ex(hash, dgst_buf, &md_len) <= 0) { 3428 EVP_MD_CTX_free(hash); 3429 ssl_evp_md_free(md); 3430 return 0; 3431 } 3432 3433 EVP_MD_CTX_free(hash); 3434 ssl_evp_md_free(md); 3435 return 1; 3436 } 3437 #endif 3438 3439 static int tls_construct_cke_gost18(SSL_CONNECTION *s, WPACKET *pkt) 3440 { 3441 #ifndef OPENSSL_NO_GOST 3442 /* GOST 2018 key exchange message creation */ 3443 unsigned char rnd_dgst[32]; 3444 unsigned char *encdata = NULL; 3445 EVP_PKEY_CTX *pkey_ctx = NULL; 3446 EVP_PKEY *pkey; 3447 unsigned char *pms = NULL; 3448 size_t pmslen = 0; 3449 size_t msglen; 3450 int cipher_nid = ossl_gost18_cke_cipher_nid(s); 3451 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 3452 3453 if (cipher_nid == NID_undef) { 3454 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3455 return 0; 3456 } 3457 3458 if (ossl_gost_ukm(s, rnd_dgst) <= 0) { 3459 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3460 goto err; 3461 } 3462 3463 /* Pre-master secret - random bytes */ 3464 pmslen = 32; 3465 pms = OPENSSL_malloc(pmslen); 3466 if (pms == NULL) { 3467 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 3468 goto err; 3469 } 3470 3471 if (RAND_bytes_ex(sctx->libctx, pms, pmslen, 0) <= 0) { 3472 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3473 goto err; 3474 } 3475 3476 /* Get server certificate PKEY and create ctx from it */ 3477 if ((pkey = tls_get_peer_pkey(s)) == NULL) { 3478 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3479 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 3480 goto err; 3481 } 3482 3483 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, 3484 pkey, 3485 sctx->propq); 3486 if (pkey_ctx == NULL) { 3487 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 3488 goto err; 3489 } 3490 3491 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0) { 3492 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3493 goto err; 3494 }; 3495 3496 /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code */ 3497 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 3498 EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) { 3499 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); 3500 goto err; 3501 } 3502 3503 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 3504 EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) <= 0) { 3505 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); 3506 goto err; 3507 } 3508 3509 if (EVP_PKEY_encrypt(pkey_ctx, NULL, &msglen, pms, pmslen) <= 0) { 3510 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 3511 goto err; 3512 } 3513 3514 if (!WPACKET_allocate_bytes(pkt, msglen, &encdata) 3515 || EVP_PKEY_encrypt(pkey_ctx, encdata, &msglen, pms, pmslen) <= 0) { 3516 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 3517 goto err; 3518 } 3519 3520 EVP_PKEY_CTX_free(pkey_ctx); 3521 pkey_ctx = NULL; 3522 s->s3.tmp.pms = pms; 3523 s->s3.tmp.pmslen = pmslen; 3524 3525 return 1; 3526 err: 3527 EVP_PKEY_CTX_free(pkey_ctx); 3528 OPENSSL_clear_free(pms, pmslen); 3529 return 0; 3530 #else 3531 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3532 return 0; 3533 #endif 3534 } 3535 3536 static int tls_construct_cke_srp(SSL_CONNECTION *s, WPACKET *pkt) 3537 { 3538 #ifndef OPENSSL_NO_SRP 3539 unsigned char *abytes = NULL; 3540 3541 if (s->srp_ctx.A == NULL 3542 || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A), 3543 &abytes)) { 3544 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3545 return 0; 3546 } 3547 BN_bn2bin(s->srp_ctx.A, abytes); 3548 3549 OPENSSL_free(s->session->srp_username); 3550 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); 3551 if (s->session->srp_username == NULL) { 3552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 3553 return 0; 3554 } 3555 3556 return 1; 3557 #else 3558 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3559 return 0; 3560 #endif 3561 } 3562 3563 CON_FUNC_RETURN tls_construct_client_key_exchange(SSL_CONNECTION *s, 3564 WPACKET *pkt) 3565 { 3566 unsigned long alg_k; 3567 3568 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; 3569 3570 /* 3571 * All of the construct functions below call SSLfatal() if necessary so 3572 * no need to do so here. 3573 */ 3574 if ((alg_k & SSL_PSK) 3575 && !tls_construct_cke_psk_preamble(s, pkt)) 3576 goto err; 3577 3578 if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) { 3579 if (!tls_construct_cke_rsa(s, pkt)) 3580 goto err; 3581 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { 3582 if (!tls_construct_cke_dhe(s, pkt)) 3583 goto err; 3584 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { 3585 if (!tls_construct_cke_ecdhe(s, pkt)) 3586 goto err; 3587 } else if (alg_k & SSL_kGOST) { 3588 if (!tls_construct_cke_gost(s, pkt)) 3589 goto err; 3590 } else if (alg_k & SSL_kGOST18) { 3591 if (!tls_construct_cke_gost18(s, pkt)) 3592 goto err; 3593 } else if (alg_k & SSL_kSRP) { 3594 if (!tls_construct_cke_srp(s, pkt)) 3595 goto err; 3596 } else if (!(alg_k & SSL_kPSK)) { 3597 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3598 goto err; 3599 } 3600 3601 return CON_FUNC_SUCCESS; 3602 err: 3603 OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen); 3604 s->s3.tmp.pms = NULL; 3605 s->s3.tmp.pmslen = 0; 3606 #ifndef OPENSSL_NO_PSK 3607 OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen); 3608 s->s3.tmp.psk = NULL; 3609 s->s3.tmp.psklen = 0; 3610 #endif 3611 return CON_FUNC_ERROR; 3612 } 3613 3614 int tls_client_key_exchange_post_work(SSL_CONNECTION *s) 3615 { 3616 unsigned char *pms = NULL; 3617 size_t pmslen = 0; 3618 3619 pms = s->s3.tmp.pms; 3620 pmslen = s->s3.tmp.pmslen; 3621 3622 #ifndef OPENSSL_NO_SRP 3623 /* Check for SRP */ 3624 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { 3625 if (!srp_generate_client_master_secret(s)) { 3626 /* SSLfatal() already called */ 3627 goto err; 3628 } 3629 return 1; 3630 } 3631 #endif 3632 3633 if (pms == NULL && !(s->s3.tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 3634 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_PASSED_INVALID_ARGUMENT); 3635 goto err; 3636 } 3637 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) { 3638 /* SSLfatal() already called */ 3639 /* ssl_generate_master_secret frees the pms even on error */ 3640 pms = NULL; 3641 pmslen = 0; 3642 goto err; 3643 } 3644 pms = NULL; 3645 pmslen = 0; 3646 3647 #ifndef OPENSSL_NO_SCTP 3648 if (SSL_CONNECTION_IS_DTLS(s)) { 3649 unsigned char sctpauthkey[64]; 3650 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 3651 size_t labellen; 3652 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 3653 3654 /* 3655 * Add new shared key for SCTP-Auth, will be ignored if no SCTP 3656 * used. 3657 */ 3658 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 3659 sizeof(DTLS1_SCTP_AUTH_LABEL)); 3660 3661 /* Don't include the terminating zero. */ 3662 labellen = sizeof(labelbuffer) - 1; 3663 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) 3664 labellen += 1; 3665 3666 if (SSL_export_keying_material(ssl, sctpauthkey, 3667 sizeof(sctpauthkey), labelbuffer, 3668 labellen, NULL, 0, 0) <= 0) { 3669 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3670 goto err; 3671 } 3672 3673 BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 3674 sizeof(sctpauthkey), sctpauthkey); 3675 } 3676 #endif 3677 3678 return 1; 3679 err: 3680 OPENSSL_clear_free(pms, pmslen); 3681 s->s3.tmp.pms = NULL; 3682 s->s3.tmp.pmslen = 0; 3683 return 0; 3684 } 3685 3686 /* 3687 * Check a certificate can be used for client authentication. Currently check 3688 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client 3689 * certificates can be used and optionally checks suitability for Suite B. 3690 */ 3691 static int ssl3_check_client_certificate(SSL_CONNECTION *s) 3692 { 3693 /* If no suitable signature algorithm can't use certificate */ 3694 if (!tls_choose_sigalg(s, 0) || s->s3.tmp.sigalg == NULL) 3695 return 0; 3696 /* 3697 * If strict mode check suitability of chain before using it. This also 3698 * adjusts suite B digest if necessary. 3699 */ 3700 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT && 3701 !tls1_check_chain(s, NULL, NULL, NULL, -2)) 3702 return 0; 3703 return 1; 3704 } 3705 3706 WORK_STATE tls_prepare_client_certificate(SSL_CONNECTION *s, WORK_STATE wst) 3707 { 3708 X509 *x509 = NULL; 3709 EVP_PKEY *pkey = NULL; 3710 int i; 3711 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 3712 3713 if (wst == WORK_MORE_A) { 3714 /* Let cert callback update client certificates if required */ 3715 if (s->cert->cert_cb) { 3716 i = s->cert->cert_cb(ssl, s->cert->cert_cb_arg); 3717 if (i < 0) { 3718 s->rwstate = SSL_X509_LOOKUP; 3719 return WORK_MORE_A; 3720 } 3721 if (i == 0) { 3722 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); 3723 return WORK_ERROR; 3724 } 3725 s->rwstate = SSL_NOTHING; 3726 } 3727 if (ssl3_check_client_certificate(s)) { 3728 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 3729 return WORK_FINISHED_STOP; 3730 } 3731 return WORK_FINISHED_CONTINUE; 3732 } 3733 3734 /* Fall through to WORK_MORE_B */ 3735 wst = WORK_MORE_B; 3736 } 3737 3738 /* We need to get a client cert */ 3739 if (wst == WORK_MORE_B) { 3740 /* 3741 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP; 3742 * return(-1); We then get retied later 3743 */ 3744 i = ssl_do_client_cert_cb(s, &x509, &pkey); 3745 if (i < 0) { 3746 s->rwstate = SSL_X509_LOOKUP; 3747 return WORK_MORE_B; 3748 } 3749 s->rwstate = SSL_NOTHING; 3750 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { 3751 if (!SSL_use_certificate(ssl, x509) 3752 || !SSL_use_PrivateKey(ssl, pkey)) 3753 i = 0; 3754 } else if (i == 1) { 3755 i = 0; 3756 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 3757 } 3758 3759 X509_free(x509); 3760 EVP_PKEY_free(pkey); 3761 if (i && !ssl3_check_client_certificate(s)) 3762 i = 0; 3763 if (i == 0) { 3764 if (s->version == SSL3_VERSION) { 3765 s->s3.tmp.cert_req = 0; 3766 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); 3767 return WORK_FINISHED_CONTINUE; 3768 } else { 3769 s->s3.tmp.cert_req = 2; 3770 s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; 3771 if (!ssl3_digest_cached_records(s, 0)) { 3772 /* SSLfatal() already called */ 3773 return WORK_ERROR; 3774 } 3775 } 3776 } 3777 3778 if (!SSL_CONNECTION_IS_TLS13(s) 3779 || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) 3780 s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; 3781 3782 if (s->post_handshake_auth == SSL_PHA_REQUESTED) 3783 return WORK_FINISHED_STOP; 3784 return WORK_FINISHED_CONTINUE; 3785 } 3786 3787 /* Shouldn't ever get here */ 3788 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3789 return WORK_ERROR; 3790 } 3791 3792 CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s, 3793 WPACKET *pkt) 3794 { 3795 CERT_PKEY *cpk = NULL; 3796 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 3797 3798 if (SSL_CONNECTION_IS_TLS13(s)) { 3799 if (s->pha_context == NULL) { 3800 /* no context available, add 0-length context */ 3801 if (!WPACKET_put_bytes_u8(pkt, 0)) { 3802 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3803 return CON_FUNC_ERROR; 3804 } 3805 } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { 3806 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3807 return CON_FUNC_ERROR; 3808 } 3809 } 3810 if (s->s3.tmp.cert_req != 2) 3811 cpk = s->cert->key; 3812 switch (s->ext.client_cert_type) { 3813 case TLSEXT_cert_type_rpk: 3814 if (!tls_output_rpk(s, pkt, cpk)) { 3815 /* SSLfatal() already called */ 3816 return CON_FUNC_ERROR; 3817 } 3818 break; 3819 case TLSEXT_cert_type_x509: 3820 if (!ssl3_output_cert_chain(s, pkt, cpk, 0)) { 3821 /* SSLfatal() already called */ 3822 return CON_FUNC_ERROR; 3823 } 3824 break; 3825 default: 3826 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3827 return CON_FUNC_ERROR; 3828 } 3829 3830 /* 3831 * If we attempted to write early data or we're in middlebox compat mode 3832 * then we deferred changing the handshake write keys to the last possible 3833 * moment. We need to do it now. 3834 */ 3835 if (SSL_CONNECTION_IS_TLS13(s) 3836 && !SSL_IS_QUIC_HANDSHAKE(s) 3837 && SSL_IS_FIRST_HANDSHAKE(s) 3838 && (s->early_data_state != SSL_EARLY_DATA_NONE 3839 || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) 3840 && (!ssl->method->ssl3_enc->change_cipher_state(s, 3841 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { 3842 /* 3843 * This is a fatal error, which leaves enc_write_ctx in an inconsistent 3844 * state and thus ssl3_send_alert may crash. 3845 */ 3846 SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER); 3847 return CON_FUNC_ERROR; 3848 } 3849 3850 return CON_FUNC_SUCCESS; 3851 } 3852 3853 #ifndef OPENSSL_NO_COMP_ALG 3854 CON_FUNC_RETURN tls_construct_client_compressed_certificate(SSL_CONNECTION *sc, 3855 WPACKET *pkt) 3856 { 3857 SSL *ssl = SSL_CONNECTION_GET_SSL(sc); 3858 WPACKET tmppkt; 3859 BUF_MEM *buf = NULL; 3860 size_t length; 3861 size_t max_length; 3862 COMP_METHOD *method; 3863 COMP_CTX *comp = NULL; 3864 int comp_len; 3865 int ret = 0; 3866 int alg = sc->ext.compress_certificate_from_peer[0]; 3867 3868 /* Note that sc->s3.tmp.cert_req == 2 is checked in write transition */ 3869 3870 if ((buf = BUF_MEM_new()) == NULL || !WPACKET_init(&tmppkt, buf)) 3871 goto err; 3872 3873 /* Use the |tmppkt| for the to-be-compressed data */ 3874 if (sc->pha_context == NULL) { 3875 /* no context available, add 0-length context */ 3876 if (!WPACKET_put_bytes_u8(&tmppkt, 0)) 3877 goto err; 3878 } else if (!WPACKET_sub_memcpy_u8(&tmppkt, sc->pha_context, sc->pha_context_len)) 3879 goto err; 3880 3881 if (!ssl3_output_cert_chain(sc, &tmppkt, sc->cert->key, 0)) { 3882 /* SSLfatal() already called */ 3883 goto out; 3884 } 3885 3886 /* continue with the real |pkt| */ 3887 if (!WPACKET_put_bytes_u16(pkt, alg) 3888 || !WPACKET_get_total_written(&tmppkt, &length) 3889 || !WPACKET_put_bytes_u24(pkt, length)) 3890 goto err; 3891 3892 switch (alg) { 3893 case TLSEXT_comp_cert_zlib: 3894 method = COMP_zlib_oneshot(); 3895 break; 3896 case TLSEXT_comp_cert_brotli: 3897 method = COMP_brotli_oneshot(); 3898 break; 3899 case TLSEXT_comp_cert_zstd: 3900 method = COMP_zstd_oneshot(); 3901 break; 3902 default: 3903 goto err; 3904 } 3905 max_length = ossl_calculate_comp_expansion(alg, length); 3906 3907 if ((comp = COMP_CTX_new(method)) == NULL 3908 || !WPACKET_start_sub_packet_u24(pkt) 3909 || !WPACKET_reserve_bytes(pkt, max_length, NULL)) 3910 goto err; 3911 3912 comp_len = COMP_compress_block(comp, WPACKET_get_curr(pkt), max_length, 3913 (unsigned char *)buf->data, length); 3914 if (comp_len <= 0) 3915 goto err; 3916 3917 if (!WPACKET_allocate_bytes(pkt, comp_len, NULL) 3918 || !WPACKET_close(pkt)) 3919 goto err; 3920 3921 /* 3922 * If we attempted to write early data or we're in middlebox compat mode 3923 * then we deferred changing the handshake write keys to the last possible 3924 * moment. We need to do it now. 3925 */ 3926 if (SSL_IS_FIRST_HANDSHAKE(sc) 3927 && !SSL_IS_QUIC_HANDSHAKE(sc) 3928 && (sc->early_data_state != SSL_EARLY_DATA_NONE 3929 || (sc->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) 3930 && (!ssl->method->ssl3_enc->change_cipher_state(sc, 3931 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { 3932 /* 3933 * This is a fatal error, which leaves sc->enc_write_ctx in an 3934 * inconsistent state and thus ssl3_send_alert may crash. 3935 */ 3936 SSLfatal(sc, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER); 3937 goto out; 3938 } 3939 ret = 1; 3940 goto out; 3941 3942 err: 3943 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3944 out: 3945 if (buf != NULL) { 3946 /* If |buf| is NULL, then |tmppkt| could not have been initialized */ 3947 WPACKET_cleanup(&tmppkt); 3948 } 3949 BUF_MEM_free(buf); 3950 COMP_CTX_free(comp); 3951 return ret; 3952 } 3953 #endif 3954 3955 int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s) 3956 { 3957 const SSL_CERT_LOOKUP *clu; 3958 size_t idx; 3959 long alg_k, alg_a; 3960 EVP_PKEY *pkey; 3961 3962 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; 3963 alg_a = s->s3.tmp.new_cipher->algorithm_auth; 3964 3965 /* we don't have a certificate */ 3966 if (!(alg_a & SSL_aCERT)) 3967 return 1; 3968 3969 /* This is the passed certificate */ 3970 pkey = tls_get_peer_pkey(s); 3971 clu = ssl_cert_lookup_by_pkey(pkey, &idx, SSL_CONNECTION_GET_CTX(s)); 3972 3973 /* Check certificate is recognised and suitable for cipher */ 3974 if (clu == NULL || (alg_a & clu->amask) == 0) { 3975 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_SIGNING_CERT); 3976 return 0; 3977 } 3978 3979 if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) { 3980 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3981 SSL_R_MISSING_RSA_ENCRYPTING_CERT); 3982 return 0; 3983 } 3984 3985 if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) { 3986 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 3987 return 0; 3988 } 3989 3990 /* Early out to skip the checks below */ 3991 if (s->session->peer_rpk != NULL) 3992 return 1; 3993 3994 if (clu->amask & SSL_aECDSA) { 3995 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) 3996 return 1; 3997 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT); 3998 return 0; 3999 } 4000 4001 return 1; 4002 } 4003 4004 #ifndef OPENSSL_NO_NEXTPROTONEG 4005 CON_FUNC_RETURN tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt) 4006 { 4007 size_t len, padding_len; 4008 unsigned char *padding = NULL; 4009 4010 len = s->ext.npn_len; 4011 padding_len = 32 - ((len + 2) % 32); 4012 4013 if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len) 4014 || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) { 4015 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 4016 return CON_FUNC_ERROR; 4017 } 4018 4019 memset(padding, 0, padding_len); 4020 4021 return CON_FUNC_SUCCESS; 4022 } 4023 #endif 4024 4025 MSG_PROCESS_RETURN tls_process_hello_req(SSL_CONNECTION *s, PACKET *pkt) 4026 { 4027 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 4028 4029 if (PACKET_remaining(pkt) > 0) { 4030 /* should contain no data */ 4031 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 4032 return MSG_PROCESS_ERROR; 4033 } 4034 4035 if ((s->options & SSL_OP_NO_RENEGOTIATION)) { 4036 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); 4037 return MSG_PROCESS_FINISHED_READING; 4038 } 4039 4040 /* 4041 * This is a historical discrepancy (not in the RFC) maintained for 4042 * compatibility reasons. If a TLS client receives a HelloRequest it will 4043 * attempt an abbreviated handshake. However if a DTLS client receives a 4044 * HelloRequest it will do a full handshake. Either behaviour is reasonable 4045 * but doing one for TLS and another for DTLS is odd. 4046 */ 4047 if (SSL_CONNECTION_IS_DTLS(s)) 4048 SSL_renegotiate(ssl); 4049 else 4050 SSL_renegotiate_abbreviated(ssl); 4051 4052 return MSG_PROCESS_FINISHED_READING; 4053 } 4054 4055 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL_CONNECTION *s, 4056 PACKET *pkt) 4057 { 4058 PACKET extensions; 4059 RAW_EXTENSION *rawexts = NULL; 4060 4061 if (!PACKET_as_length_prefixed_2(pkt, &extensions) 4062 || PACKET_remaining(pkt) != 0) { 4063 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 4064 goto err; 4065 } 4066 4067 if (!tls_collect_extensions(s, &extensions, 4068 SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts, 4069 NULL, 1) 4070 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, 4071 rawexts, NULL, 0, 1)) { 4072 /* SSLfatal() already called */ 4073 goto err; 4074 } 4075 4076 OPENSSL_free(rawexts); 4077 return MSG_PROCESS_CONTINUE_READING; 4078 4079 err: 4080 OPENSSL_free(rawexts); 4081 return MSG_PROCESS_ERROR; 4082 } 4083 4084 int ssl_do_client_cert_cb(SSL_CONNECTION *s, X509 **px509, EVP_PKEY **ppkey) 4085 { 4086 int i = 0; 4087 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 4088 4089 #ifndef OPENSSL_NO_ENGINE 4090 if (sctx->client_cert_engine) { 4091 i = tls_engine_load_ssl_client_cert(s, px509, ppkey); 4092 if (i != 0) 4093 return i; 4094 } 4095 #endif 4096 if (sctx->client_cert_cb) 4097 i = sctx->client_cert_cb(SSL_CONNECTION_GET_USER_SSL(s), px509, ppkey); 4098 return i; 4099 } 4100 4101 int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk, 4102 WPACKET *pkt) 4103 { 4104 int i; 4105 size_t totlen = 0, len, maxlen, maxverok = 0; 4106 int empty_reneg_info_scsv = !s->renegotiate 4107 && !SSL_CONNECTION_IS_DTLS(s) 4108 && ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL) 4109 && s->min_proto_version <= TLS1_VERSION; 4110 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 4111 4112 /* Set disabled masks for this session */ 4113 if (!ssl_set_client_disabled(s)) { 4114 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_PROTOCOLS_AVAILABLE); 4115 return 0; 4116 } 4117 4118 if (sk == NULL) { 4119 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 4120 return 0; 4121 } 4122 4123 #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 4124 # if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6 4125 # error Max cipher length too short 4126 # endif 4127 /* 4128 * Some servers hang if client hello > 256 bytes as hack workaround 4129 * chop number of supported ciphers to keep it well below this if we 4130 * use TLS v1.2 4131 */ 4132 if (TLS1_get_version(ssl) >= TLS1_2_VERSION) 4133 maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 4134 else 4135 #endif 4136 /* Maximum length that can be stored in 2 bytes. Length must be even */ 4137 maxlen = 0xfffe; 4138 4139 if (empty_reneg_info_scsv) 4140 maxlen -= 2; 4141 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) 4142 maxlen -= 2; 4143 4144 for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) { 4145 const SSL_CIPHER *c; 4146 4147 c = sk_SSL_CIPHER_value(sk, i); 4148 /* Skip disabled ciphers */ 4149 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) 4150 continue; 4151 4152 if (!ssl->method->put_cipher_by_char(c, pkt, &len)) { 4153 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 4154 return 0; 4155 } 4156 4157 /* Sanity check that the maximum version we offer has ciphers enabled */ 4158 if (!maxverok) { 4159 int minproto = SSL_CONNECTION_IS_DTLS(s) ? c->min_dtls : c->min_tls; 4160 int maxproto = SSL_CONNECTION_IS_DTLS(s) ? c->max_dtls : c->max_tls; 4161 4162 if (ssl_version_cmp(s, maxproto, s->s3.tmp.max_ver) >= 0 4163 && ssl_version_cmp(s, minproto, s->s3.tmp.max_ver) <= 0) 4164 maxverok = 1; 4165 } 4166 4167 totlen += len; 4168 } 4169 4170 if (totlen == 0 || !maxverok) { 4171 const char *maxvertext = 4172 !maxverok 4173 ? "No ciphers enabled for max supported SSL/TLS version" 4174 : NULL; 4175 4176 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_CIPHERS_AVAILABLE, 4177 maxvertext); 4178 return 0; 4179 } 4180 4181 if (totlen != 0) { 4182 if (empty_reneg_info_scsv) { 4183 static const SSL_CIPHER scsv = { 4184 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 4185 }; 4186 if (!ssl->method->put_cipher_by_char(&scsv, pkt, &len)) { 4187 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 4188 return 0; 4189 } 4190 } 4191 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { 4192 static const SSL_CIPHER scsv = { 4193 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 4194 }; 4195 if (!ssl->method->put_cipher_by_char(&scsv, pkt, &len)) { 4196 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 4197 return 0; 4198 } 4199 } 4200 } 4201 4202 return 1; 4203 } 4204 4205 CON_FUNC_RETURN tls_construct_end_of_early_data(SSL_CONNECTION *s, WPACKET *pkt) 4206 { 4207 if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY 4208 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) { 4209 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 4210 return CON_FUNC_ERROR; 4211 } 4212 4213 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 4214 return CON_FUNC_SUCCESS; 4215 } 4216