1 /* 2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * Copyright 2005 Nokia. All rights reserved. 5 * 6 * Licensed under the OpenSSL license (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12 #include <stdio.h> 13 #include <time.h> 14 #include <assert.h> 15 #include "../ssl_locl.h" 16 #include "statem_locl.h" 17 #include <openssl/buffer.h> 18 #include <openssl/rand.h> 19 #include <openssl/objects.h> 20 #include <openssl/evp.h> 21 #include <openssl/md5.h> 22 #include <openssl/dh.h> 23 #include <openssl/bn.h> 24 #include <openssl/engine.h> 25 #include <internal/cryptlib.h> 26 27 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt); 28 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt); 29 30 static ossl_inline int cert_req_allowed(SSL *s); 31 static int key_exchange_expected(SSL *s); 32 static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, 33 WPACKET *pkt); 34 35 /* 36 * Is a CertificateRequest message allowed at the moment or not? 37 * 38 * Return values are: 39 * 1: Yes 40 * 0: No 41 */ 42 static ossl_inline int cert_req_allowed(SSL *s) 43 { 44 /* TLS does not like anon-DH with client cert */ 45 if ((s->version > SSL3_VERSION 46 && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) 47 || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK))) 48 return 0; 49 50 return 1; 51 } 52 53 /* 54 * Should we expect the ServerKeyExchange message or not? 55 * 56 * Return values are: 57 * 1: Yes 58 * 0: No 59 */ 60 static int key_exchange_expected(SSL *s) 61 { 62 long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 63 64 /* 65 * Can't skip server key exchange if this is an ephemeral 66 * ciphersuite or for SRP 67 */ 68 if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK 69 | SSL_kSRP)) { 70 return 1; 71 } 72 73 return 0; 74 } 75 76 /* 77 * ossl_statem_client_read_transition() encapsulates the logic for the allowed 78 * handshake state transitions when a TLS1.3 client is reading messages from the 79 * server. The message type that the server has sent is provided in |mt|. The 80 * current state is in |s->statem.hand_state|. 81 * 82 * Return values are 1 for success (transition allowed) and 0 on error 83 * (transition not allowed) 84 */ 85 static int ossl_statem_client13_read_transition(SSL *s, int mt) 86 { 87 OSSL_STATEM *st = &s->statem; 88 89 /* 90 * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't 91 * yet negotiated TLSv1.3 at that point so that is handled by 92 * ossl_statem_client_read_transition() 93 */ 94 95 switch (st->hand_state) { 96 default: 97 break; 98 99 case TLS_ST_CW_CLNT_HELLO: 100 /* 101 * This must a ClientHello following a HelloRetryRequest, so the only 102 * thing we can get now is a ServerHello. 103 */ 104 if (mt == SSL3_MT_SERVER_HELLO) { 105 st->hand_state = TLS_ST_CR_SRVR_HELLO; 106 return 1; 107 } 108 break; 109 110 case TLS_ST_CR_SRVR_HELLO: 111 if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) { 112 st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS; 113 return 1; 114 } 115 break; 116 117 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 118 if (s->hit) { 119 if (mt == SSL3_MT_FINISHED) { 120 st->hand_state = TLS_ST_CR_FINISHED; 121 return 1; 122 } 123 } else { 124 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 125 st->hand_state = TLS_ST_CR_CERT_REQ; 126 return 1; 127 } 128 if (mt == SSL3_MT_CERTIFICATE) { 129 st->hand_state = TLS_ST_CR_CERT; 130 return 1; 131 } 132 } 133 break; 134 135 case TLS_ST_CR_CERT_REQ: 136 if (mt == SSL3_MT_CERTIFICATE) { 137 st->hand_state = TLS_ST_CR_CERT; 138 return 1; 139 } 140 break; 141 142 case TLS_ST_CR_CERT: 143 if (mt == SSL3_MT_CERTIFICATE_VERIFY) { 144 st->hand_state = TLS_ST_CR_CERT_VRFY; 145 return 1; 146 } 147 break; 148 149 case TLS_ST_CR_CERT_VRFY: 150 if (mt == SSL3_MT_FINISHED) { 151 st->hand_state = TLS_ST_CR_FINISHED; 152 return 1; 153 } 154 break; 155 156 case TLS_ST_OK: 157 if (mt == SSL3_MT_NEWSESSION_TICKET) { 158 st->hand_state = TLS_ST_CR_SESSION_TICKET; 159 return 1; 160 } 161 if (mt == SSL3_MT_KEY_UPDATE) { 162 st->hand_state = TLS_ST_CR_KEY_UPDATE; 163 return 1; 164 } 165 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 166 #if DTLS_MAX_VERSION != DTLS1_2_VERSION 167 # error TODO(DTLS1.3): Restore digest for PHA before adding message. 168 #endif 169 if (!SSL_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) { 170 s->post_handshake_auth = SSL_PHA_REQUESTED; 171 /* 172 * In TLS, this is called before the message is added to the 173 * digest. In DTLS, this is expected to be called after adding 174 * to the digest. Either move the digest restore, or add the 175 * message here after the swap, or do it after the clientFinished? 176 */ 177 if (!tls13_restore_handshake_digest_for_pha(s)) { 178 /* SSLfatal() already called */ 179 return 0; 180 } 181 st->hand_state = TLS_ST_CR_CERT_REQ; 182 return 1; 183 } 184 } 185 break; 186 } 187 188 /* No valid transition found */ 189 return 0; 190 } 191 192 /* 193 * ossl_statem_client_read_transition() encapsulates the logic for the allowed 194 * handshake state transitions when the client is reading messages from the 195 * server. The message type that the server has sent is provided in |mt|. The 196 * current state is in |s->statem.hand_state|. 197 * 198 * Return values are 1 for success (transition allowed) and 0 on error 199 * (transition not allowed) 200 */ 201 int ossl_statem_client_read_transition(SSL *s, int mt) 202 { 203 OSSL_STATEM *st = &s->statem; 204 int ske_expected; 205 206 /* 207 * Note that after writing the first ClientHello we don't know what version 208 * we are going to negotiate yet, so we don't take this branch until later. 209 */ 210 if (SSL_IS_TLS13(s)) { 211 if (!ossl_statem_client13_read_transition(s, mt)) 212 goto err; 213 return 1; 214 } 215 216 switch (st->hand_state) { 217 default: 218 break; 219 220 case TLS_ST_CW_CLNT_HELLO: 221 if (mt == SSL3_MT_SERVER_HELLO) { 222 st->hand_state = TLS_ST_CR_SRVR_HELLO; 223 return 1; 224 } 225 226 if (SSL_IS_DTLS(s)) { 227 if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { 228 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; 229 return 1; 230 } 231 } 232 break; 233 234 case TLS_ST_EARLY_DATA: 235 /* 236 * We've not actually selected TLSv1.3 yet, but we have sent early 237 * data. The only thing allowed now is a ServerHello or a 238 * HelloRetryRequest. 239 */ 240 if (mt == SSL3_MT_SERVER_HELLO) { 241 st->hand_state = TLS_ST_CR_SRVR_HELLO; 242 return 1; 243 } 244 break; 245 246 case TLS_ST_CR_SRVR_HELLO: 247 if (s->hit) { 248 if (s->ext.ticket_expected) { 249 if (mt == SSL3_MT_NEWSESSION_TICKET) { 250 st->hand_state = TLS_ST_CR_SESSION_TICKET; 251 return 1; 252 } 253 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 254 st->hand_state = TLS_ST_CR_CHANGE; 255 return 1; 256 } 257 } else { 258 if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { 259 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; 260 return 1; 261 } else if (s->version >= TLS1_VERSION 262 && s->ext.session_secret_cb != NULL 263 && s->session->ext.tick != NULL 264 && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 265 /* 266 * Normally, we can tell if the server is resuming the session 267 * from the session ID. EAP-FAST (RFC 4851), however, relies on 268 * the next server message after the ServerHello to determine if 269 * the server is resuming. 270 */ 271 s->hit = 1; 272 st->hand_state = TLS_ST_CR_CHANGE; 273 return 1; 274 } else if (!(s->s3->tmp.new_cipher->algorithm_auth 275 & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) { 276 if (mt == SSL3_MT_CERTIFICATE) { 277 st->hand_state = TLS_ST_CR_CERT; 278 return 1; 279 } 280 } else { 281 ske_expected = key_exchange_expected(s); 282 /* SKE is optional for some PSK ciphersuites */ 283 if (ske_expected 284 || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK) 285 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) { 286 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) { 287 st->hand_state = TLS_ST_CR_KEY_EXCH; 288 return 1; 289 } 290 } else if (mt == SSL3_MT_CERTIFICATE_REQUEST 291 && cert_req_allowed(s)) { 292 st->hand_state = TLS_ST_CR_CERT_REQ; 293 return 1; 294 } else if (mt == SSL3_MT_SERVER_DONE) { 295 st->hand_state = TLS_ST_CR_SRVR_DONE; 296 return 1; 297 } 298 } 299 } 300 break; 301 302 case TLS_ST_CR_CERT: 303 /* 304 * The CertificateStatus message is optional even if 305 * |ext.status_expected| is set 306 */ 307 if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) { 308 st->hand_state = TLS_ST_CR_CERT_STATUS; 309 return 1; 310 } 311 /* Fall through */ 312 313 case TLS_ST_CR_CERT_STATUS: 314 ske_expected = key_exchange_expected(s); 315 /* SKE is optional for some PSK ciphersuites */ 316 if (ske_expected || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK) 317 && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) { 318 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) { 319 st->hand_state = TLS_ST_CR_KEY_EXCH; 320 return 1; 321 } 322 goto err; 323 } 324 /* Fall through */ 325 326 case TLS_ST_CR_KEY_EXCH: 327 if (mt == SSL3_MT_CERTIFICATE_REQUEST) { 328 if (cert_req_allowed(s)) { 329 st->hand_state = TLS_ST_CR_CERT_REQ; 330 return 1; 331 } 332 goto err; 333 } 334 /* Fall through */ 335 336 case TLS_ST_CR_CERT_REQ: 337 if (mt == SSL3_MT_SERVER_DONE) { 338 st->hand_state = TLS_ST_CR_SRVR_DONE; 339 return 1; 340 } 341 break; 342 343 case TLS_ST_CW_FINISHED: 344 if (s->ext.ticket_expected) { 345 if (mt == SSL3_MT_NEWSESSION_TICKET) { 346 st->hand_state = TLS_ST_CR_SESSION_TICKET; 347 return 1; 348 } 349 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 350 st->hand_state = TLS_ST_CR_CHANGE; 351 return 1; 352 } 353 break; 354 355 case TLS_ST_CR_SESSION_TICKET: 356 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 357 st->hand_state = TLS_ST_CR_CHANGE; 358 return 1; 359 } 360 break; 361 362 case TLS_ST_CR_CHANGE: 363 if (mt == SSL3_MT_FINISHED) { 364 st->hand_state = TLS_ST_CR_FINISHED; 365 return 1; 366 } 367 break; 368 369 case TLS_ST_OK: 370 if (mt == SSL3_MT_HELLO_REQUEST) { 371 st->hand_state = TLS_ST_CR_HELLO_REQ; 372 return 1; 373 } 374 break; 375 } 376 377 err: 378 /* No valid transition found */ 379 if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 380 BIO *rbio; 381 382 /* 383 * CCS messages don't have a message sequence number so this is probably 384 * because of an out-of-order CCS. We'll just drop it. 385 */ 386 s->init_num = 0; 387 s->rwstate = SSL_READING; 388 rbio = SSL_get_rbio(s); 389 BIO_clear_retry_flags(rbio); 390 BIO_set_retry_read(rbio); 391 return 0; 392 } 393 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, 394 SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, 395 SSL_R_UNEXPECTED_MESSAGE); 396 return 0; 397 } 398 399 /* 400 * ossl_statem_client13_write_transition() works out what handshake state to 401 * move to next when the TLSv1.3 client is writing messages to be sent to the 402 * server. 403 */ 404 static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s) 405 { 406 OSSL_STATEM *st = &s->statem; 407 408 /* 409 * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated 410 * TLSv1.3 yet at that point. They are handled by 411 * ossl_statem_client_write_transition(). 412 */ 413 switch (st->hand_state) { 414 default: 415 /* Shouldn't happen */ 416 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 417 SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION, 418 ERR_R_INTERNAL_ERROR); 419 return WRITE_TRAN_ERROR; 420 421 case TLS_ST_CR_CERT_REQ: 422 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 423 st->hand_state = TLS_ST_CW_CERT; 424 return WRITE_TRAN_CONTINUE; 425 } 426 /* 427 * We should only get here if we received a CertificateRequest after 428 * we already sent close_notify 429 */ 430 if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) { 431 /* Shouldn't happen - same as default case */ 432 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 433 SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION, 434 ERR_R_INTERNAL_ERROR); 435 return WRITE_TRAN_ERROR; 436 } 437 st->hand_state = TLS_ST_OK; 438 return WRITE_TRAN_CONTINUE; 439 440 case TLS_ST_CR_FINISHED: 441 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY 442 || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING) 443 st->hand_state = TLS_ST_PENDING_EARLY_DATA_END; 444 else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 445 && s->hello_retry_request == SSL_HRR_NONE) 446 st->hand_state = TLS_ST_CW_CHANGE; 447 else 448 st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT 449 : TLS_ST_CW_FINISHED; 450 return WRITE_TRAN_CONTINUE; 451 452 case TLS_ST_PENDING_EARLY_DATA_END: 453 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { 454 st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA; 455 return WRITE_TRAN_CONTINUE; 456 } 457 /* Fall through */ 458 459 case TLS_ST_CW_END_OF_EARLY_DATA: 460 case TLS_ST_CW_CHANGE: 461 st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT 462 : TLS_ST_CW_FINISHED; 463 return WRITE_TRAN_CONTINUE; 464 465 case TLS_ST_CW_CERT: 466 /* If a non-empty Certificate we also send CertificateVerify */ 467 st->hand_state = (s->s3->tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY 468 : TLS_ST_CW_FINISHED; 469 return WRITE_TRAN_CONTINUE; 470 471 case TLS_ST_CW_CERT_VRFY: 472 st->hand_state = TLS_ST_CW_FINISHED; 473 return WRITE_TRAN_CONTINUE; 474 475 case TLS_ST_CR_KEY_UPDATE: 476 case TLS_ST_CW_KEY_UPDATE: 477 case TLS_ST_CR_SESSION_TICKET: 478 case TLS_ST_CW_FINISHED: 479 st->hand_state = TLS_ST_OK; 480 return WRITE_TRAN_CONTINUE; 481 482 case TLS_ST_OK: 483 if (s->key_update != SSL_KEY_UPDATE_NONE) { 484 st->hand_state = TLS_ST_CW_KEY_UPDATE; 485 return WRITE_TRAN_CONTINUE; 486 } 487 488 /* Try to read from the server instead */ 489 return WRITE_TRAN_FINISHED; 490 } 491 } 492 493 /* 494 * ossl_statem_client_write_transition() works out what handshake state to 495 * move to next when the client is writing messages to be sent to the server. 496 */ 497 WRITE_TRAN ossl_statem_client_write_transition(SSL *s) 498 { 499 OSSL_STATEM *st = &s->statem; 500 501 /* 502 * Note that immediately before/after a ClientHello we don't know what 503 * version we are going to negotiate yet, so we don't take this branch until 504 * later 505 */ 506 if (SSL_IS_TLS13(s)) 507 return ossl_statem_client13_write_transition(s); 508 509 switch (st->hand_state) { 510 default: 511 /* Shouldn't happen */ 512 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 513 SSL_F_OSSL_STATEM_CLIENT_WRITE_TRANSITION, 514 ERR_R_INTERNAL_ERROR); 515 return WRITE_TRAN_ERROR; 516 517 case TLS_ST_OK: 518 if (!s->renegotiate) { 519 /* 520 * We haven't requested a renegotiation ourselves so we must have 521 * received a message from the server. Better read it. 522 */ 523 return WRITE_TRAN_FINISHED; 524 } 525 /* Renegotiation */ 526 /* fall thru */ 527 case TLS_ST_BEFORE: 528 st->hand_state = TLS_ST_CW_CLNT_HELLO; 529 return WRITE_TRAN_CONTINUE; 530 531 case TLS_ST_CW_CLNT_HELLO: 532 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { 533 /* 534 * We are assuming this is a TLSv1.3 connection, although we haven't 535 * actually selected a version yet. 536 */ 537 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) 538 st->hand_state = TLS_ST_CW_CHANGE; 539 else 540 st->hand_state = TLS_ST_EARLY_DATA; 541 return WRITE_TRAN_CONTINUE; 542 } 543 /* 544 * No transition at the end of writing because we don't know what 545 * we will be sent 546 */ 547 return WRITE_TRAN_FINISHED; 548 549 case TLS_ST_CR_SRVR_HELLO: 550 /* 551 * We only get here in TLSv1.3. We just received an HRR, so issue a 552 * CCS unless middlebox compat mode is off, or we already issued one 553 * because we did early data. 554 */ 555 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 556 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) 557 st->hand_state = TLS_ST_CW_CHANGE; 558 else 559 st->hand_state = TLS_ST_CW_CLNT_HELLO; 560 return WRITE_TRAN_CONTINUE; 561 562 case TLS_ST_EARLY_DATA: 563 return WRITE_TRAN_FINISHED; 564 565 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 566 st->hand_state = TLS_ST_CW_CLNT_HELLO; 567 return WRITE_TRAN_CONTINUE; 568 569 case TLS_ST_CR_SRVR_DONE: 570 if (s->s3->tmp.cert_req) 571 st->hand_state = TLS_ST_CW_CERT; 572 else 573 st->hand_state = TLS_ST_CW_KEY_EXCH; 574 return WRITE_TRAN_CONTINUE; 575 576 case TLS_ST_CW_CERT: 577 st->hand_state = TLS_ST_CW_KEY_EXCH; 578 return WRITE_TRAN_CONTINUE; 579 580 case TLS_ST_CW_KEY_EXCH: 581 /* 582 * For TLS, cert_req is set to 2, so a cert chain of nothing is 583 * sent, but no verify packet is sent 584 */ 585 /* 586 * XXX: For now, we do not support client authentication in ECDH 587 * cipher suites with ECDH (rather than ECDSA) certificates. We 588 * need to skip the certificate verify message when client's 589 * ECDH public key is sent inside the client certificate. 590 */ 591 if (s->s3->tmp.cert_req == 1) { 592 st->hand_state = TLS_ST_CW_CERT_VRFY; 593 } else { 594 st->hand_state = TLS_ST_CW_CHANGE; 595 } 596 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { 597 st->hand_state = TLS_ST_CW_CHANGE; 598 } 599 return WRITE_TRAN_CONTINUE; 600 601 case TLS_ST_CW_CERT_VRFY: 602 st->hand_state = TLS_ST_CW_CHANGE; 603 return WRITE_TRAN_CONTINUE; 604 605 case TLS_ST_CW_CHANGE: 606 if (s->hello_retry_request == SSL_HRR_PENDING) { 607 st->hand_state = TLS_ST_CW_CLNT_HELLO; 608 } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { 609 st->hand_state = TLS_ST_EARLY_DATA; 610 } else { 611 #if defined(OPENSSL_NO_NEXTPROTONEG) 612 st->hand_state = TLS_ST_CW_FINISHED; 613 #else 614 if (!SSL_IS_DTLS(s) && s->s3->npn_seen) 615 st->hand_state = TLS_ST_CW_NEXT_PROTO; 616 else 617 st->hand_state = TLS_ST_CW_FINISHED; 618 #endif 619 } 620 return WRITE_TRAN_CONTINUE; 621 622 #if !defined(OPENSSL_NO_NEXTPROTONEG) 623 case TLS_ST_CW_NEXT_PROTO: 624 st->hand_state = TLS_ST_CW_FINISHED; 625 return WRITE_TRAN_CONTINUE; 626 #endif 627 628 case TLS_ST_CW_FINISHED: 629 if (s->hit) { 630 st->hand_state = TLS_ST_OK; 631 return WRITE_TRAN_CONTINUE; 632 } else { 633 return WRITE_TRAN_FINISHED; 634 } 635 636 case TLS_ST_CR_FINISHED: 637 if (s->hit) { 638 st->hand_state = TLS_ST_CW_CHANGE; 639 return WRITE_TRAN_CONTINUE; 640 } else { 641 st->hand_state = TLS_ST_OK; 642 return WRITE_TRAN_CONTINUE; 643 } 644 645 case TLS_ST_CR_HELLO_REQ: 646 /* 647 * If we can renegotiate now then do so, otherwise wait for a more 648 * convenient time. 649 */ 650 if (ssl3_renegotiate_check(s, 1)) { 651 if (!tls_setup_handshake(s)) { 652 /* SSLfatal() already called */ 653 return WRITE_TRAN_ERROR; 654 } 655 st->hand_state = TLS_ST_CW_CLNT_HELLO; 656 return WRITE_TRAN_CONTINUE; 657 } 658 st->hand_state = TLS_ST_OK; 659 return WRITE_TRAN_CONTINUE; 660 } 661 } 662 663 /* 664 * Perform any pre work that needs to be done prior to sending a message from 665 * the client to the server. 666 */ 667 WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst) 668 { 669 OSSL_STATEM *st = &s->statem; 670 671 switch (st->hand_state) { 672 default: 673 /* No pre work to be done */ 674 break; 675 676 case TLS_ST_CW_CLNT_HELLO: 677 s->shutdown = 0; 678 if (SSL_IS_DTLS(s)) { 679 /* every DTLS ClientHello resets Finished MAC */ 680 if (!ssl3_init_finished_mac(s)) { 681 /* SSLfatal() already called */ 682 return WORK_ERROR; 683 } 684 } 685 break; 686 687 case TLS_ST_CW_CHANGE: 688 if (SSL_IS_DTLS(s)) { 689 if (s->hit) { 690 /* 691 * We're into the last flight so we don't retransmit these 692 * messages unless we need to. 693 */ 694 st->use_timer = 0; 695 } 696 #ifndef OPENSSL_NO_SCTP 697 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 698 /* Calls SSLfatal() as required */ 699 return dtls_wait_for_dry(s); 700 } 701 #endif 702 } 703 break; 704 705 case TLS_ST_PENDING_EARLY_DATA_END: 706 /* 707 * If we've been called by SSL_do_handshake()/SSL_write(), or we did not 708 * attempt to write early data before calling SSL_read() then we press 709 * on with the handshake. Otherwise we pause here. 710 */ 711 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING 712 || s->early_data_state == SSL_EARLY_DATA_NONE) 713 return WORK_FINISHED_CONTINUE; 714 /* Fall through */ 715 716 case TLS_ST_EARLY_DATA: 717 return tls_finish_handshake(s, wst, 0, 1); 718 719 case TLS_ST_OK: 720 /* Calls SSLfatal() as required */ 721 return tls_finish_handshake(s, wst, 1, 1); 722 } 723 724 return WORK_FINISHED_CONTINUE; 725 } 726 727 /* 728 * Perform any work that needs to be done after sending a message from the 729 * client to the server. 730 */ 731 WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) 732 { 733 OSSL_STATEM *st = &s->statem; 734 735 s->init_num = 0; 736 737 switch (st->hand_state) { 738 default: 739 /* No post work to be done */ 740 break; 741 742 case TLS_ST_CW_CLNT_HELLO: 743 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 744 && s->max_early_data > 0) { 745 /* 746 * We haven't selected TLSv1.3 yet so we don't call the change 747 * cipher state function associated with the SSL_METHOD. Instead 748 * we call tls13_change_cipher_state() directly. 749 */ 750 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { 751 if (!tls13_change_cipher_state(s, 752 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 753 /* SSLfatal() already called */ 754 return WORK_ERROR; 755 } 756 } 757 /* else we're in compat mode so we delay flushing until after CCS */ 758 } else if (!statem_flush(s)) { 759 return WORK_MORE_A; 760 } 761 762 if (SSL_IS_DTLS(s)) { 763 /* Treat the next message as the first packet */ 764 s->first_packet = 1; 765 } 766 break; 767 768 case TLS_ST_CW_END_OF_EARLY_DATA: 769 /* 770 * We set the enc_write_ctx back to NULL because we may end up writing 771 * in cleartext again if we get a HelloRetryRequest from the server. 772 */ 773 EVP_CIPHER_CTX_free(s->enc_write_ctx); 774 s->enc_write_ctx = NULL; 775 break; 776 777 case TLS_ST_CW_KEY_EXCH: 778 if (tls_client_key_exchange_post_work(s) == 0) { 779 /* SSLfatal() already called */ 780 return WORK_ERROR; 781 } 782 break; 783 784 case TLS_ST_CW_CHANGE: 785 if (SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING) 786 break; 787 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 788 && s->max_early_data > 0) { 789 /* 790 * We haven't selected TLSv1.3 yet so we don't call the change 791 * cipher state function associated with the SSL_METHOD. Instead 792 * we call tls13_change_cipher_state() directly. 793 */ 794 if (!tls13_change_cipher_state(s, 795 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 796 return WORK_ERROR; 797 break; 798 } 799 s->session->cipher = s->s3->tmp.new_cipher; 800 #ifdef OPENSSL_NO_COMP 801 s->session->compress_meth = 0; 802 #else 803 if (s->s3->tmp.new_compression == NULL) 804 s->session->compress_meth = 0; 805 else 806 s->session->compress_meth = s->s3->tmp.new_compression->id; 807 #endif 808 if (!s->method->ssl3_enc->setup_key_block(s)) { 809 /* SSLfatal() already called */ 810 return WORK_ERROR; 811 } 812 813 if (!s->method->ssl3_enc->change_cipher_state(s, 814 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 815 /* SSLfatal() already called */ 816 return WORK_ERROR; 817 } 818 819 if (SSL_IS_DTLS(s)) { 820 #ifndef OPENSSL_NO_SCTP 821 if (s->hit) { 822 /* 823 * Change to new shared key of SCTP-Auth, will be ignored if 824 * no SCTP used. 825 */ 826 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 827 0, NULL); 828 } 829 #endif 830 831 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 832 } 833 break; 834 835 case TLS_ST_CW_FINISHED: 836 #ifndef OPENSSL_NO_SCTP 837 if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) { 838 /* 839 * Change to new shared key of SCTP-Auth, will be ignored if 840 * no SCTP used. 841 */ 842 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 843 0, NULL); 844 } 845 #endif 846 if (statem_flush(s) != 1) 847 return WORK_MORE_B; 848 849 if (SSL_IS_TLS13(s)) { 850 if (!tls13_save_handshake_digest_for_pha(s)) { 851 /* SSLfatal() already called */ 852 return WORK_ERROR; 853 } 854 if (s->post_handshake_auth != SSL_PHA_REQUESTED) { 855 if (!s->method->ssl3_enc->change_cipher_state(s, 856 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 857 /* SSLfatal() already called */ 858 return WORK_ERROR; 859 } 860 } 861 } 862 break; 863 864 case TLS_ST_CW_KEY_UPDATE: 865 if (statem_flush(s) != 1) 866 return WORK_MORE_A; 867 if (!tls13_update_key(s, 1)) { 868 /* SSLfatal() already called */ 869 return WORK_ERROR; 870 } 871 break; 872 } 873 874 return WORK_FINISHED_CONTINUE; 875 } 876 877 /* 878 * Get the message construction function and message type for sending from the 879 * client 880 * 881 * Valid return values are: 882 * 1: Success 883 * 0: Error 884 */ 885 int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt, 886 confunc_f *confunc, int *mt) 887 { 888 OSSL_STATEM *st = &s->statem; 889 890 switch (st->hand_state) { 891 default: 892 /* Shouldn't happen */ 893 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 894 SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE, 895 SSL_R_BAD_HANDSHAKE_STATE); 896 return 0; 897 898 case TLS_ST_CW_CHANGE: 899 if (SSL_IS_DTLS(s)) 900 *confunc = dtls_construct_change_cipher_spec; 901 else 902 *confunc = tls_construct_change_cipher_spec; 903 *mt = SSL3_MT_CHANGE_CIPHER_SPEC; 904 break; 905 906 case TLS_ST_CW_CLNT_HELLO: 907 *confunc = tls_construct_client_hello; 908 *mt = SSL3_MT_CLIENT_HELLO; 909 break; 910 911 case TLS_ST_CW_END_OF_EARLY_DATA: 912 *confunc = tls_construct_end_of_early_data; 913 *mt = SSL3_MT_END_OF_EARLY_DATA; 914 break; 915 916 case TLS_ST_PENDING_EARLY_DATA_END: 917 *confunc = NULL; 918 *mt = SSL3_MT_DUMMY; 919 break; 920 921 case TLS_ST_CW_CERT: 922 *confunc = tls_construct_client_certificate; 923 *mt = SSL3_MT_CERTIFICATE; 924 break; 925 926 case TLS_ST_CW_KEY_EXCH: 927 *confunc = tls_construct_client_key_exchange; 928 *mt = SSL3_MT_CLIENT_KEY_EXCHANGE; 929 break; 930 931 case TLS_ST_CW_CERT_VRFY: 932 *confunc = tls_construct_cert_verify; 933 *mt = SSL3_MT_CERTIFICATE_VERIFY; 934 break; 935 936 #if !defined(OPENSSL_NO_NEXTPROTONEG) 937 case TLS_ST_CW_NEXT_PROTO: 938 *confunc = tls_construct_next_proto; 939 *mt = SSL3_MT_NEXT_PROTO; 940 break; 941 #endif 942 case TLS_ST_CW_FINISHED: 943 *confunc = tls_construct_finished; 944 *mt = SSL3_MT_FINISHED; 945 break; 946 947 case TLS_ST_CW_KEY_UPDATE: 948 *confunc = tls_construct_key_update; 949 *mt = SSL3_MT_KEY_UPDATE; 950 break; 951 } 952 953 return 1; 954 } 955 956 /* 957 * Returns the maximum allowed length for the current message that we are 958 * reading. Excludes the message header. 959 */ 960 size_t ossl_statem_client_max_message_size(SSL *s) 961 { 962 OSSL_STATEM *st = &s->statem; 963 964 switch (st->hand_state) { 965 default: 966 /* Shouldn't happen */ 967 return 0; 968 969 case TLS_ST_CR_SRVR_HELLO: 970 return SERVER_HELLO_MAX_LENGTH; 971 972 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 973 return HELLO_VERIFY_REQUEST_MAX_LENGTH; 974 975 case TLS_ST_CR_CERT: 976 return s->max_cert_list; 977 978 case TLS_ST_CR_CERT_VRFY: 979 return SSL3_RT_MAX_PLAIN_LENGTH; 980 981 case TLS_ST_CR_CERT_STATUS: 982 return SSL3_RT_MAX_PLAIN_LENGTH; 983 984 case TLS_ST_CR_KEY_EXCH: 985 return SERVER_KEY_EXCH_MAX_LENGTH; 986 987 case TLS_ST_CR_CERT_REQ: 988 /* 989 * Set to s->max_cert_list for compatibility with previous releases. In 990 * practice these messages can get quite long if servers are configured 991 * to provide a long list of acceptable CAs 992 */ 993 return s->max_cert_list; 994 995 case TLS_ST_CR_SRVR_DONE: 996 return SERVER_HELLO_DONE_MAX_LENGTH; 997 998 case TLS_ST_CR_CHANGE: 999 if (s->version == DTLS1_BAD_VER) 1000 return 3; 1001 return CCS_MAX_LENGTH; 1002 1003 case TLS_ST_CR_SESSION_TICKET: 1004 return SSL3_RT_MAX_PLAIN_LENGTH; 1005 1006 case TLS_ST_CR_FINISHED: 1007 return FINISHED_MAX_LENGTH; 1008 1009 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 1010 return ENCRYPTED_EXTENSIONS_MAX_LENGTH; 1011 1012 case TLS_ST_CR_KEY_UPDATE: 1013 return KEY_UPDATE_MAX_LENGTH; 1014 } 1015 } 1016 1017 /* 1018 * Process a message that the client has been received from the server. 1019 */ 1020 MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt) 1021 { 1022 OSSL_STATEM *st = &s->statem; 1023 1024 switch (st->hand_state) { 1025 default: 1026 /* Shouldn't happen */ 1027 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1028 SSL_F_OSSL_STATEM_CLIENT_PROCESS_MESSAGE, 1029 ERR_R_INTERNAL_ERROR); 1030 return MSG_PROCESS_ERROR; 1031 1032 case TLS_ST_CR_SRVR_HELLO: 1033 return tls_process_server_hello(s, pkt); 1034 1035 case DTLS_ST_CR_HELLO_VERIFY_REQUEST: 1036 return dtls_process_hello_verify(s, pkt); 1037 1038 case TLS_ST_CR_CERT: 1039 return tls_process_server_certificate(s, pkt); 1040 1041 case TLS_ST_CR_CERT_VRFY: 1042 return tls_process_cert_verify(s, pkt); 1043 1044 case TLS_ST_CR_CERT_STATUS: 1045 return tls_process_cert_status(s, pkt); 1046 1047 case TLS_ST_CR_KEY_EXCH: 1048 return tls_process_key_exchange(s, pkt); 1049 1050 case TLS_ST_CR_CERT_REQ: 1051 return tls_process_certificate_request(s, pkt); 1052 1053 case TLS_ST_CR_SRVR_DONE: 1054 return tls_process_server_done(s, pkt); 1055 1056 case TLS_ST_CR_CHANGE: 1057 return tls_process_change_cipher_spec(s, pkt); 1058 1059 case TLS_ST_CR_SESSION_TICKET: 1060 return tls_process_new_session_ticket(s, pkt); 1061 1062 case TLS_ST_CR_FINISHED: 1063 return tls_process_finished(s, pkt); 1064 1065 case TLS_ST_CR_HELLO_REQ: 1066 return tls_process_hello_req(s, pkt); 1067 1068 case TLS_ST_CR_ENCRYPTED_EXTENSIONS: 1069 return tls_process_encrypted_extensions(s, pkt); 1070 1071 case TLS_ST_CR_KEY_UPDATE: 1072 return tls_process_key_update(s, pkt); 1073 } 1074 } 1075 1076 /* 1077 * Perform any further processing required following the receipt of a message 1078 * from the server 1079 */ 1080 WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst) 1081 { 1082 OSSL_STATEM *st = &s->statem; 1083 1084 switch (st->hand_state) { 1085 default: 1086 /* Shouldn't happen */ 1087 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1088 SSL_F_OSSL_STATEM_CLIENT_POST_PROCESS_MESSAGE, 1089 ERR_R_INTERNAL_ERROR); 1090 return WORK_ERROR; 1091 1092 case TLS_ST_CR_CERT_VRFY: 1093 case TLS_ST_CR_CERT_REQ: 1094 return tls_prepare_client_certificate(s, wst); 1095 } 1096 } 1097 1098 int tls_construct_client_hello(SSL *s, WPACKET *pkt) 1099 { 1100 unsigned char *p; 1101 size_t sess_id_len; 1102 int i, protverr; 1103 #ifndef OPENSSL_NO_COMP 1104 SSL_COMP *comp; 1105 #endif 1106 SSL_SESSION *sess = s->session; 1107 unsigned char *session_id; 1108 1109 /* Work out what SSL/TLS/DTLS version to use */ 1110 protverr = ssl_set_client_hello_version(s); 1111 if (protverr != 0) { 1112 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1113 protverr); 1114 return 0; 1115 } 1116 1117 if (sess == NULL 1118 || !ssl_version_supported(s, sess->ssl_version, NULL) 1119 || !SSL_SESSION_is_resumable(sess)) { 1120 if (s->hello_retry_request == SSL_HRR_NONE 1121 && !ssl_get_new_session(s, 0)) { 1122 /* SSLfatal() already called */ 1123 return 0; 1124 } 1125 } 1126 /* else use the pre-loaded session */ 1127 1128 p = s->s3->client_random; 1129 1130 /* 1131 * for DTLS if client_random is initialized, reuse it, we are 1132 * required to use same upon reply to HelloVerify 1133 */ 1134 if (SSL_IS_DTLS(s)) { 1135 size_t idx; 1136 i = 1; 1137 for (idx = 0; idx < sizeof(s->s3->client_random); idx++) { 1138 if (p[idx]) { 1139 i = 0; 1140 break; 1141 } 1142 } 1143 } else { 1144 i = (s->hello_retry_request == SSL_HRR_NONE); 1145 } 1146 1147 if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random), 1148 DOWNGRADE_NONE) <= 0) { 1149 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1150 ERR_R_INTERNAL_ERROR); 1151 return 0; 1152 } 1153 1154 /*- 1155 * version indicates the negotiated version: for example from 1156 * an SSLv2/v3 compatible client hello). The client_version 1157 * field is the maximum version we permit and it is also 1158 * used in RSA encrypted premaster secrets. Some servers can 1159 * choke if we initially report a higher version then 1160 * renegotiate to a lower one in the premaster secret. This 1161 * didn't happen with TLS 1.0 as most servers supported it 1162 * but it can with TLS 1.1 or later if the server only supports 1163 * 1.0. 1164 * 1165 * Possible scenario with previous logic: 1166 * 1. Client hello indicates TLS 1.2 1167 * 2. Server hello says TLS 1.0 1168 * 3. RSA encrypted premaster secret uses 1.2. 1169 * 4. Handshake proceeds using TLS 1.0. 1170 * 5. Server sends hello request to renegotiate. 1171 * 6. Client hello indicates TLS v1.0 as we now 1172 * know that is maximum server supports. 1173 * 7. Server chokes on RSA encrypted premaster secret 1174 * containing version 1.0. 1175 * 1176 * For interoperability it should be OK to always use the 1177 * maximum version we support in client hello and then rely 1178 * on the checking of version to ensure the servers isn't 1179 * being inconsistent: for example initially negotiating with 1180 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using 1181 * client_version in client hello and not resetting it to 1182 * the negotiated version. 1183 * 1184 * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the 1185 * supported_versions extension for the real supported versions. 1186 */ 1187 if (!WPACKET_put_bytes_u16(pkt, s->client_version) 1188 || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) { 1189 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1190 ERR_R_INTERNAL_ERROR); 1191 return 0; 1192 } 1193 1194 /* Session ID */ 1195 session_id = s->session->session_id; 1196 if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) { 1197 if (s->version == TLS1_3_VERSION 1198 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { 1199 sess_id_len = sizeof(s->tmp_session_id); 1200 s->tmp_session_id_len = sess_id_len; 1201 session_id = s->tmp_session_id; 1202 if (s->hello_retry_request == SSL_HRR_NONE 1203 && RAND_bytes(s->tmp_session_id, sess_id_len) <= 0) { 1204 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1205 SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1206 ERR_R_INTERNAL_ERROR); 1207 return 0; 1208 } 1209 } else { 1210 sess_id_len = 0; 1211 } 1212 } else { 1213 assert(s->session->session_id_length <= sizeof(s->session->session_id)); 1214 sess_id_len = s->session->session_id_length; 1215 if (s->version == TLS1_3_VERSION) { 1216 s->tmp_session_id_len = sess_id_len; 1217 memcpy(s->tmp_session_id, s->session->session_id, sess_id_len); 1218 } 1219 } 1220 if (!WPACKET_start_sub_packet_u8(pkt) 1221 || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id, 1222 sess_id_len)) 1223 || !WPACKET_close(pkt)) { 1224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1225 ERR_R_INTERNAL_ERROR); 1226 return 0; 1227 } 1228 1229 /* cookie stuff for DTLS */ 1230 if (SSL_IS_DTLS(s)) { 1231 if (s->d1->cookie_len > sizeof(s->d1->cookie) 1232 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, 1233 s->d1->cookie_len)) { 1234 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1235 ERR_R_INTERNAL_ERROR); 1236 return 0; 1237 } 1238 } 1239 1240 /* Ciphers supported */ 1241 if (!WPACKET_start_sub_packet_u16(pkt)) { 1242 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1243 ERR_R_INTERNAL_ERROR); 1244 return 0; 1245 } 1246 1247 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) { 1248 /* SSLfatal() already called */ 1249 return 0; 1250 } 1251 if (!WPACKET_close(pkt)) { 1252 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1253 ERR_R_INTERNAL_ERROR); 1254 return 0; 1255 } 1256 1257 /* COMPRESSION */ 1258 if (!WPACKET_start_sub_packet_u8(pkt)) { 1259 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1260 ERR_R_INTERNAL_ERROR); 1261 return 0; 1262 } 1263 #ifndef OPENSSL_NO_COMP 1264 if (ssl_allow_compression(s) 1265 && s->ctx->comp_methods 1266 && (SSL_IS_DTLS(s) || s->s3->tmp.max_ver < TLS1_3_VERSION)) { 1267 int compnum = sk_SSL_COMP_num(s->ctx->comp_methods); 1268 for (i = 0; i < compnum; i++) { 1269 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); 1270 if (!WPACKET_put_bytes_u8(pkt, comp->id)) { 1271 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1272 SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1273 ERR_R_INTERNAL_ERROR); 1274 return 0; 1275 } 1276 } 1277 } 1278 #endif 1279 /* Add the NULL method */ 1280 if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) { 1281 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, 1282 ERR_R_INTERNAL_ERROR); 1283 return 0; 1284 } 1285 1286 /* TLS extensions */ 1287 if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) { 1288 /* SSLfatal() already called */ 1289 return 0; 1290 } 1291 1292 return 1; 1293 } 1294 1295 MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt) 1296 { 1297 size_t cookie_len; 1298 PACKET cookiepkt; 1299 1300 if (!PACKET_forward(pkt, 2) 1301 || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) { 1302 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY, 1303 SSL_R_LENGTH_MISMATCH); 1304 return MSG_PROCESS_ERROR; 1305 } 1306 1307 cookie_len = PACKET_remaining(&cookiepkt); 1308 if (cookie_len > sizeof(s->d1->cookie)) { 1309 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS_PROCESS_HELLO_VERIFY, 1310 SSL_R_LENGTH_TOO_LONG); 1311 return MSG_PROCESS_ERROR; 1312 } 1313 1314 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) { 1315 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY, 1316 SSL_R_LENGTH_MISMATCH); 1317 return MSG_PROCESS_ERROR; 1318 } 1319 s->d1->cookie_len = cookie_len; 1320 1321 return MSG_PROCESS_FINISHED_READING; 1322 } 1323 1324 static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) 1325 { 1326 STACK_OF(SSL_CIPHER) *sk; 1327 const SSL_CIPHER *c; 1328 int i; 1329 1330 c = ssl_get_cipher_by_char(s, cipherchars, 0); 1331 if (c == NULL) { 1332 /* unknown cipher */ 1333 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1334 SSL_R_UNKNOWN_CIPHER_RETURNED); 1335 return 0; 1336 } 1337 /* 1338 * If it is a disabled cipher we either didn't send it in client hello, 1339 * or it's not allowed for the selected protocol. So we return an error. 1340 */ 1341 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { 1342 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1343 SSL_R_WRONG_CIPHER_RETURNED); 1344 return 0; 1345 } 1346 1347 sk = ssl_get_ciphers_by_id(s); 1348 i = sk_SSL_CIPHER_find(sk, c); 1349 if (i < 0) { 1350 /* we did not say we would use this cipher */ 1351 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1352 SSL_R_WRONG_CIPHER_RETURNED); 1353 return 0; 1354 } 1355 1356 if (SSL_IS_TLS13(s) && s->s3->tmp.new_cipher != NULL 1357 && s->s3->tmp.new_cipher->id != c->id) { 1358 /* ServerHello selected a different ciphersuite to that in the HRR */ 1359 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1360 SSL_R_WRONG_CIPHER_RETURNED); 1361 return 0; 1362 } 1363 1364 /* 1365 * Depending on the session caching (internal/external), the cipher 1366 * and/or cipher_id values may not be set. Make sure that cipher_id is 1367 * set and use it for comparison. 1368 */ 1369 if (s->session->cipher != NULL) 1370 s->session->cipher_id = s->session->cipher->id; 1371 if (s->hit && (s->session->cipher_id != c->id)) { 1372 if (SSL_IS_TLS13(s)) { 1373 /* 1374 * In TLSv1.3 it is valid for the server to select a different 1375 * ciphersuite as long as the hash is the same. 1376 */ 1377 if (ssl_md(c->algorithm2) 1378 != ssl_md(s->session->cipher->algorithm2)) { 1379 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1380 SSL_F_SET_CLIENT_CIPHERSUITE, 1381 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED); 1382 return 0; 1383 } 1384 } else { 1385 /* 1386 * Prior to TLSv1.3 resuming a session always meant using the same 1387 * ciphersuite. 1388 */ 1389 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, 1390 SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 1391 return 0; 1392 } 1393 } 1394 s->s3->tmp.new_cipher = c; 1395 1396 return 1; 1397 } 1398 1399 MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) 1400 { 1401 PACKET session_id, extpkt; 1402 size_t session_id_len; 1403 const unsigned char *cipherchars; 1404 int hrr = 0; 1405 unsigned int compression; 1406 unsigned int sversion; 1407 unsigned int context; 1408 RAW_EXTENSION *extensions = NULL; 1409 #ifndef OPENSSL_NO_COMP 1410 SSL_COMP *comp; 1411 #endif 1412 1413 if (!PACKET_get_net_2(pkt, &sversion)) { 1414 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1415 SSL_R_LENGTH_MISMATCH); 1416 goto err; 1417 } 1418 1419 /* load the server random */ 1420 if (s->version == TLS1_3_VERSION 1421 && sversion == TLS1_2_VERSION 1422 && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE 1423 && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) { 1424 s->hello_retry_request = SSL_HRR_PENDING; 1425 hrr = 1; 1426 if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) { 1427 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1428 SSL_R_LENGTH_MISMATCH); 1429 goto err; 1430 } 1431 } else { 1432 if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { 1433 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1434 SSL_R_LENGTH_MISMATCH); 1435 goto err; 1436 } 1437 } 1438 1439 /* Get the session-id. */ 1440 if (!PACKET_get_length_prefixed_1(pkt, &session_id)) { 1441 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1442 SSL_R_LENGTH_MISMATCH); 1443 goto err; 1444 } 1445 session_id_len = PACKET_remaining(&session_id); 1446 if (session_id_len > sizeof(s->session->session_id) 1447 || session_id_len > SSL3_SESSION_ID_SIZE) { 1448 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1449 SSL_R_SSL3_SESSION_ID_TOO_LONG); 1450 goto err; 1451 } 1452 1453 if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { 1454 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1455 SSL_R_LENGTH_MISMATCH); 1456 goto err; 1457 } 1458 1459 if (!PACKET_get_1(pkt, &compression)) { 1460 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1461 SSL_R_LENGTH_MISMATCH); 1462 goto err; 1463 } 1464 1465 /* TLS extensions */ 1466 if (PACKET_remaining(pkt) == 0 && !hrr) { 1467 PACKET_null_init(&extpkt); 1468 } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt) 1469 || PACKET_remaining(pkt) != 0) { 1470 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1471 SSL_R_BAD_LENGTH); 1472 goto err; 1473 } 1474 1475 if (!hrr) { 1476 if (!tls_collect_extensions(s, &extpkt, 1477 SSL_EXT_TLS1_2_SERVER_HELLO 1478 | SSL_EXT_TLS1_3_SERVER_HELLO, 1479 &extensions, NULL, 1)) { 1480 /* SSLfatal() already called */ 1481 goto err; 1482 } 1483 1484 if (!ssl_choose_client_version(s, sversion, extensions)) { 1485 /* SSLfatal() already called */ 1486 goto err; 1487 } 1488 } 1489 1490 if (SSL_IS_TLS13(s) || hrr) { 1491 if (compression != 0) { 1492 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1493 SSL_F_TLS_PROCESS_SERVER_HELLO, 1494 SSL_R_INVALID_COMPRESSION_ALGORITHM); 1495 goto err; 1496 } 1497 1498 if (session_id_len != s->tmp_session_id_len 1499 || memcmp(PACKET_data(&session_id), s->tmp_session_id, 1500 session_id_len) != 0) { 1501 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1502 SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INVALID_SESSION_ID); 1503 goto err; 1504 } 1505 } 1506 1507 if (hrr) { 1508 if (!set_client_ciphersuite(s, cipherchars)) { 1509 /* SSLfatal() already called */ 1510 goto err; 1511 } 1512 1513 return tls_process_as_hello_retry_request(s, &extpkt); 1514 } 1515 1516 /* 1517 * Now we have chosen the version we need to check again that the extensions 1518 * are appropriate for this version. 1519 */ 1520 context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO 1521 : SSL_EXT_TLS1_2_SERVER_HELLO; 1522 if (!tls_validate_all_contexts(s, context, extensions)) { 1523 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1524 SSL_R_BAD_EXTENSION); 1525 goto err; 1526 } 1527 1528 s->hit = 0; 1529 1530 if (SSL_IS_TLS13(s)) { 1531 /* 1532 * In TLSv1.3 a ServerHello message signals a key change so the end of 1533 * the message must be on a record boundary. 1534 */ 1535 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { 1536 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1537 SSL_F_TLS_PROCESS_SERVER_HELLO, 1538 SSL_R_NOT_ON_RECORD_BOUNDARY); 1539 goto err; 1540 } 1541 1542 /* This will set s->hit if we are resuming */ 1543 if (!tls_parse_extension(s, TLSEXT_IDX_psk, 1544 SSL_EXT_TLS1_3_SERVER_HELLO, 1545 extensions, NULL, 0)) { 1546 /* SSLfatal() already called */ 1547 goto err; 1548 } 1549 } else { 1550 /* 1551 * Check if we can resume the session based on external pre-shared 1552 * secret. EAP-FAST (RFC 4851) supports two types of session resumption. 1553 * Resumption based on server-side state works with session IDs. 1554 * Resumption based on pre-shared Protected Access Credentials (PACs) 1555 * works by overriding the SessionTicket extension at the application 1556 * layer, and does not send a session ID. (We do not know whether 1557 * EAP-FAST servers would honour the session ID.) Therefore, the session 1558 * ID alone is not a reliable indicator of session resumption, so we 1559 * first check if we can resume, and later peek at the next handshake 1560 * message to see if the server wants to resume. 1561 */ 1562 if (s->version >= TLS1_VERSION 1563 && s->ext.session_secret_cb != NULL && s->session->ext.tick) { 1564 const SSL_CIPHER *pref_cipher = NULL; 1565 /* 1566 * s->session->master_key_length is a size_t, but this is an int for 1567 * backwards compat reasons 1568 */ 1569 int master_key_length; 1570 master_key_length = sizeof(s->session->master_key); 1571 if (s->ext.session_secret_cb(s, s->session->master_key, 1572 &master_key_length, 1573 NULL, &pref_cipher, 1574 s->ext.session_secret_cb_arg) 1575 && master_key_length > 0) { 1576 s->session->master_key_length = master_key_length; 1577 s->session->cipher = pref_cipher ? 1578 pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0); 1579 } else { 1580 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1581 SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1582 goto err; 1583 } 1584 } 1585 1586 if (session_id_len != 0 1587 && session_id_len == s->session->session_id_length 1588 && memcmp(PACKET_data(&session_id), s->session->session_id, 1589 session_id_len) == 0) 1590 s->hit = 1; 1591 } 1592 1593 if (s->hit) { 1594 if (s->sid_ctx_length != s->session->sid_ctx_length 1595 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { 1596 /* actually a client application bug */ 1597 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1598 SSL_F_TLS_PROCESS_SERVER_HELLO, 1599 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 1600 goto err; 1601 } 1602 } else { 1603 /* 1604 * If we were trying for session-id reuse but the server 1605 * didn't resume, make a new SSL_SESSION. 1606 * In the case of EAP-FAST and PAC, we do not send a session ID, 1607 * so the PAC-based session secret is always preserved. It'll be 1608 * overwritten if the server refuses resumption. 1609 */ 1610 if (s->session->session_id_length > 0) { 1611 tsan_counter(&s->session_ctx->stats.sess_miss); 1612 if (!ssl_get_new_session(s, 0)) { 1613 /* SSLfatal() already called */ 1614 goto err; 1615 } 1616 } 1617 1618 s->session->ssl_version = s->version; 1619 /* 1620 * In TLSv1.2 and below we save the session id we were sent so we can 1621 * resume it later. In TLSv1.3 the session id we were sent is just an 1622 * echo of what we originally sent in the ClientHello and should not be 1623 * used for resumption. 1624 */ 1625 if (!SSL_IS_TLS13(s)) { 1626 s->session->session_id_length = session_id_len; 1627 /* session_id_len could be 0 */ 1628 if (session_id_len > 0) 1629 memcpy(s->session->session_id, PACKET_data(&session_id), 1630 session_id_len); 1631 } 1632 } 1633 1634 /* Session version and negotiated protocol version should match */ 1635 if (s->version != s->session->ssl_version) { 1636 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_TLS_PROCESS_SERVER_HELLO, 1637 SSL_R_SSL_SESSION_VERSION_MISMATCH); 1638 goto err; 1639 } 1640 /* 1641 * Now that we know the version, update the check to see if it's an allowed 1642 * version. 1643 */ 1644 s->s3->tmp.min_ver = s->version; 1645 s->s3->tmp.max_ver = s->version; 1646 1647 if (!set_client_ciphersuite(s, cipherchars)) { 1648 /* SSLfatal() already called */ 1649 goto err; 1650 } 1651 1652 #ifdef OPENSSL_NO_COMP 1653 if (compression != 0) { 1654 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1655 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1656 goto err; 1657 } 1658 /* 1659 * If compression is disabled we'd better not try to resume a session 1660 * using compression. 1661 */ 1662 if (s->session->compress_meth != 0) { 1663 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SERVER_HELLO, 1664 SSL_R_INCONSISTENT_COMPRESSION); 1665 goto err; 1666 } 1667 #else 1668 if (s->hit && compression != s->session->compress_meth) { 1669 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1670 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); 1671 goto err; 1672 } 1673 if (compression == 0) 1674 comp = NULL; 1675 else if (!ssl_allow_compression(s)) { 1676 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1677 SSL_R_COMPRESSION_DISABLED); 1678 goto err; 1679 } else { 1680 comp = ssl3_comp_find(s->ctx->comp_methods, compression); 1681 } 1682 1683 if (compression != 0 && comp == NULL) { 1684 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, 1685 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1686 goto err; 1687 } else { 1688 s->s3->tmp.new_compression = comp; 1689 } 1690 #endif 1691 1692 if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) { 1693 /* SSLfatal() already called */ 1694 goto err; 1695 } 1696 1697 #ifndef OPENSSL_NO_SCTP 1698 if (SSL_IS_DTLS(s) && s->hit) { 1699 unsigned char sctpauthkey[64]; 1700 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 1701 size_t labellen; 1702 1703 /* 1704 * Add new shared key for SCTP-Auth, will be ignored if 1705 * no SCTP used. 1706 */ 1707 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 1708 sizeof(DTLS1_SCTP_AUTH_LABEL)); 1709 1710 /* Don't include the terminating zero. */ 1711 labellen = sizeof(labelbuffer) - 1; 1712 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) 1713 labellen += 1; 1714 1715 if (SSL_export_keying_material(s, sctpauthkey, 1716 sizeof(sctpauthkey), 1717 labelbuffer, 1718 labellen, NULL, 0, 0) <= 0) { 1719 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, 1720 ERR_R_INTERNAL_ERROR); 1721 goto err; 1722 } 1723 1724 BIO_ctrl(SSL_get_wbio(s), 1725 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 1726 sizeof(sctpauthkey), sctpauthkey); 1727 } 1728 #endif 1729 1730 /* 1731 * In TLSv1.3 we have some post-processing to change cipher state, otherwise 1732 * we're done with this message 1733 */ 1734 if (SSL_IS_TLS13(s) 1735 && (!s->method->ssl3_enc->setup_key_block(s) 1736 || !s->method->ssl3_enc->change_cipher_state(s, 1737 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) { 1738 /* SSLfatal() already called */ 1739 goto err; 1740 } 1741 1742 OPENSSL_free(extensions); 1743 return MSG_PROCESS_CONTINUE_READING; 1744 err: 1745 OPENSSL_free(extensions); 1746 return MSG_PROCESS_ERROR; 1747 } 1748 1749 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, 1750 PACKET *extpkt) 1751 { 1752 RAW_EXTENSION *extensions = NULL; 1753 1754 /* 1755 * If we were sending early_data then the enc_write_ctx is now invalid and 1756 * should not be used. 1757 */ 1758 EVP_CIPHER_CTX_free(s->enc_write_ctx); 1759 s->enc_write_ctx = NULL; 1760 1761 if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, 1762 &extensions, NULL, 1) 1763 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, 1764 extensions, NULL, 0, 1)) { 1765 /* SSLfatal() already called */ 1766 goto err; 1767 } 1768 1769 OPENSSL_free(extensions); 1770 extensions = NULL; 1771 1772 if (s->ext.tls13_cookie_len == 0 1773 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) 1774 && s->s3->tmp.pkey != NULL 1775 #endif 1776 ) { 1777 /* 1778 * We didn't receive a cookie or a new key_share so the next 1779 * ClientHello will not change 1780 */ 1781 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1782 SSL_F_TLS_PROCESS_AS_HELLO_RETRY_REQUEST, 1783 SSL_R_NO_CHANGE_FOLLOWING_HRR); 1784 goto err; 1785 } 1786 1787 /* 1788 * Re-initialise the Transcript Hash. We're going to prepopulate it with 1789 * a synthetic message_hash in place of ClientHello1. 1790 */ 1791 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { 1792 /* SSLfatal() already called */ 1793 goto err; 1794 } 1795 1796 /* 1797 * Add this message to the Transcript Hash. Normally this is done 1798 * automatically prior to the message processing stage. However due to the 1799 * need to create the synthetic message hash, we defer that step until now 1800 * for HRR messages. 1801 */ 1802 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 1803 s->init_num + SSL3_HM_HEADER_LENGTH)) { 1804 /* SSLfatal() already called */ 1805 goto err; 1806 } 1807 1808 return MSG_PROCESS_FINISHED_READING; 1809 err: 1810 OPENSSL_free(extensions); 1811 return MSG_PROCESS_ERROR; 1812 } 1813 1814 MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) 1815 { 1816 int i; 1817 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; 1818 unsigned long cert_list_len, cert_len; 1819 X509 *x = NULL; 1820 const unsigned char *certstart, *certbytes; 1821 STACK_OF(X509) *sk = NULL; 1822 EVP_PKEY *pkey = NULL; 1823 size_t chainidx, certidx; 1824 unsigned int context = 0; 1825 const SSL_CERT_LOOKUP *clu; 1826 1827 if ((sk = sk_X509_new_null()) == NULL) { 1828 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1829 ERR_R_MALLOC_FAILURE); 1830 goto err; 1831 } 1832 1833 if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) 1834 || context != 0 1835 || !PACKET_get_net_3(pkt, &cert_list_len) 1836 || PACKET_remaining(pkt) != cert_list_len 1837 || PACKET_remaining(pkt) == 0) { 1838 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1839 SSL_R_LENGTH_MISMATCH); 1840 goto err; 1841 } 1842 for (chainidx = 0; PACKET_remaining(pkt); chainidx++) { 1843 if (!PACKET_get_net_3(pkt, &cert_len) 1844 || !PACKET_get_bytes(pkt, &certbytes, cert_len)) { 1845 SSLfatal(s, SSL_AD_DECODE_ERROR, 1846 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1847 SSL_R_CERT_LENGTH_MISMATCH); 1848 goto err; 1849 } 1850 1851 certstart = certbytes; 1852 x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len); 1853 if (x == NULL) { 1854 SSLfatal(s, SSL_AD_BAD_CERTIFICATE, 1855 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB); 1856 goto err; 1857 } 1858 if (certbytes != (certstart + cert_len)) { 1859 SSLfatal(s, SSL_AD_DECODE_ERROR, 1860 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1861 SSL_R_CERT_LENGTH_MISMATCH); 1862 goto err; 1863 } 1864 1865 if (SSL_IS_TLS13(s)) { 1866 RAW_EXTENSION *rawexts = NULL; 1867 PACKET extensions; 1868 1869 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { 1870 SSLfatal(s, SSL_AD_DECODE_ERROR, 1871 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1872 SSL_R_BAD_LENGTH); 1873 goto err; 1874 } 1875 if (!tls_collect_extensions(s, &extensions, 1876 SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, 1877 NULL, chainidx == 0) 1878 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, 1879 rawexts, x, chainidx, 1880 PACKET_remaining(pkt) == 0)) { 1881 OPENSSL_free(rawexts); 1882 /* SSLfatal already called */ 1883 goto err; 1884 } 1885 OPENSSL_free(rawexts); 1886 } 1887 1888 if (!sk_X509_push(sk, x)) { 1889 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1890 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1891 ERR_R_MALLOC_FAILURE); 1892 goto err; 1893 } 1894 x = NULL; 1895 } 1896 1897 i = ssl_verify_cert_chain(s, sk); 1898 /* 1899 * The documented interface is that SSL_VERIFY_PEER should be set in order 1900 * for client side verification of the server certificate to take place. 1901 * However, historically the code has only checked that *any* flag is set 1902 * to cause server verification to take place. Use of the other flags makes 1903 * no sense in client mode. An attempt to clean up the semantics was 1904 * reverted because at least one application *only* set 1905 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused 1906 * server verification to take place, after the clean up it silently did 1907 * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags 1908 * sent to them because they are void functions. Therefore, we now use the 1909 * (less clean) historic behaviour of performing validation if any flag is 1910 * set. The *documented* interface remains the same. 1911 */ 1912 if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { 1913 SSLfatal(s, ssl_x509err2alert(s->verify_result), 1914 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1915 SSL_R_CERTIFICATE_VERIFY_FAILED); 1916 goto err; 1917 } 1918 ERR_clear_error(); /* but we keep s->verify_result */ 1919 if (i > 1) { 1920 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1921 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i); 1922 goto err; 1923 } 1924 1925 s->session->peer_chain = sk; 1926 /* 1927 * Inconsistency alert: cert_chain does include the peer's certificate, 1928 * which we don't include in statem_srvr.c 1929 */ 1930 x = sk_X509_value(sk, 0); 1931 sk = NULL; 1932 1933 pkey = X509_get0_pubkey(x); 1934 1935 if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) { 1936 x = NULL; 1937 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1938 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1939 goto err; 1940 } 1941 1942 if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) { 1943 x = NULL; 1944 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1945 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1946 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1947 goto err; 1948 } 1949 /* 1950 * Check certificate type is consistent with ciphersuite. For TLS 1.3 1951 * skip check since TLS 1.3 ciphersuites can be used with any certificate 1952 * type. 1953 */ 1954 if (!SSL_IS_TLS13(s)) { 1955 if ((clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0) { 1956 x = NULL; 1957 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1958 SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, 1959 SSL_R_WRONG_CERTIFICATE_TYPE); 1960 goto err; 1961 } 1962 } 1963 s->session->peer_type = certidx; 1964 1965 X509_free(s->session->peer); 1966 X509_up_ref(x); 1967 s->session->peer = x; 1968 s->session->verify_result = s->verify_result; 1969 x = NULL; 1970 1971 /* Save the current hash state for when we receive the CertificateVerify */ 1972 if (SSL_IS_TLS13(s) 1973 && !ssl_handshake_hash(s, s->cert_verify_hash, 1974 sizeof(s->cert_verify_hash), 1975 &s->cert_verify_hash_len)) { 1976 /* SSLfatal() already called */; 1977 goto err; 1978 } 1979 1980 ret = MSG_PROCESS_CONTINUE_READING; 1981 1982 err: 1983 X509_free(x); 1984 sk_X509_pop_free(sk, X509_free); 1985 return ret; 1986 } 1987 1988 static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt) 1989 { 1990 #ifndef OPENSSL_NO_PSK 1991 PACKET psk_identity_hint; 1992 1993 /* PSK ciphersuites are preceded by an identity hint */ 1994 1995 if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) { 1996 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, 1997 SSL_R_LENGTH_MISMATCH); 1998 return 0; 1999 } 2000 2001 /* 2002 * Store PSK identity hint for later use, hint is used in 2003 * tls_construct_client_key_exchange. Assume that the maximum length of 2004 * a PSK identity hint can be as long as the maximum length of a PSK 2005 * identity. 2006 */ 2007 if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) { 2008 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2009 SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, 2010 SSL_R_DATA_LENGTH_TOO_LONG); 2011 return 0; 2012 } 2013 2014 if (PACKET_remaining(&psk_identity_hint) == 0) { 2015 OPENSSL_free(s->session->psk_identity_hint); 2016 s->session->psk_identity_hint = NULL; 2017 } else if (!PACKET_strndup(&psk_identity_hint, 2018 &s->session->psk_identity_hint)) { 2019 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, 2020 ERR_R_INTERNAL_ERROR); 2021 return 0; 2022 } 2023 2024 return 1; 2025 #else 2026 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, 2027 ERR_R_INTERNAL_ERROR); 2028 return 0; 2029 #endif 2030 } 2031 2032 static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey) 2033 { 2034 #ifndef OPENSSL_NO_SRP 2035 PACKET prime, generator, salt, server_pub; 2036 2037 if (!PACKET_get_length_prefixed_2(pkt, &prime) 2038 || !PACKET_get_length_prefixed_2(pkt, &generator) 2039 || !PACKET_get_length_prefixed_1(pkt, &salt) 2040 || !PACKET_get_length_prefixed_2(pkt, &server_pub)) { 2041 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_SRP, 2042 SSL_R_LENGTH_MISMATCH); 2043 return 0; 2044 } 2045 2046 /* TODO(size_t): Convert BN_bin2bn() calls */ 2047 if ((s->srp_ctx.N = 2048 BN_bin2bn(PACKET_data(&prime), 2049 (int)PACKET_remaining(&prime), NULL)) == NULL 2050 || (s->srp_ctx.g = 2051 BN_bin2bn(PACKET_data(&generator), 2052 (int)PACKET_remaining(&generator), NULL)) == NULL 2053 || (s->srp_ctx.s = 2054 BN_bin2bn(PACKET_data(&salt), 2055 (int)PACKET_remaining(&salt), NULL)) == NULL 2056 || (s->srp_ctx.B = 2057 BN_bin2bn(PACKET_data(&server_pub), 2058 (int)PACKET_remaining(&server_pub), NULL)) == NULL) { 2059 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_SRP, 2060 ERR_R_BN_LIB); 2061 return 0; 2062 } 2063 2064 if (!srp_verify_server_param(s)) { 2065 /* SSLfatal() already called */ 2066 return 0; 2067 } 2068 2069 /* We must check if there is a certificate */ 2070 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) 2071 *pkey = X509_get0_pubkey(s->session->peer); 2072 2073 return 1; 2074 #else 2075 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_SRP, 2076 ERR_R_INTERNAL_ERROR); 2077 return 0; 2078 #endif 2079 } 2080 2081 static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) 2082 { 2083 #ifndef OPENSSL_NO_DH 2084 PACKET prime, generator, pub_key; 2085 EVP_PKEY *peer_tmp = NULL; 2086 2087 DH *dh = NULL; 2088 BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL; 2089 2090 int check_bits = 0; 2091 2092 if (!PACKET_get_length_prefixed_2(pkt, &prime) 2093 || !PACKET_get_length_prefixed_2(pkt, &generator) 2094 || !PACKET_get_length_prefixed_2(pkt, &pub_key)) { 2095 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2096 SSL_R_LENGTH_MISMATCH); 2097 return 0; 2098 } 2099 2100 peer_tmp = EVP_PKEY_new(); 2101 dh = DH_new(); 2102 2103 if (peer_tmp == NULL || dh == NULL) { 2104 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2105 ERR_R_MALLOC_FAILURE); 2106 goto err; 2107 } 2108 2109 /* TODO(size_t): Convert these calls */ 2110 p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL); 2111 g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator), 2112 NULL); 2113 bnpub_key = BN_bin2bn(PACKET_data(&pub_key), 2114 (int)PACKET_remaining(&pub_key), NULL); 2115 if (p == NULL || g == NULL || bnpub_key == NULL) { 2116 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2117 ERR_R_BN_LIB); 2118 goto err; 2119 } 2120 2121 /* test non-zero pubkey */ 2122 if (BN_is_zero(bnpub_key)) { 2123 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_DHE, 2124 SSL_R_BAD_DH_VALUE); 2125 goto err; 2126 } 2127 2128 if (!DH_set0_pqg(dh, p, NULL, g)) { 2129 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2130 ERR_R_BN_LIB); 2131 goto err; 2132 } 2133 p = g = NULL; 2134 2135 if (DH_check_params(dh, &check_bits) == 0 || check_bits != 0) { 2136 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_DHE, 2137 SSL_R_BAD_DH_VALUE); 2138 goto err; 2139 } 2140 2141 if (!DH_set0_key(dh, bnpub_key, NULL)) { 2142 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2143 ERR_R_BN_LIB); 2144 goto err; 2145 } 2146 bnpub_key = NULL; 2147 2148 if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) { 2149 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE, 2150 SSL_R_DH_KEY_TOO_SMALL); 2151 goto err; 2152 } 2153 2154 if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) { 2155 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2156 ERR_R_EVP_LIB); 2157 goto err; 2158 } 2159 2160 s->s3->peer_tmp = peer_tmp; 2161 2162 /* 2163 * FIXME: This makes assumptions about which ciphersuites come with 2164 * public keys. We should have a less ad-hoc way of doing this 2165 */ 2166 if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) 2167 *pkey = X509_get0_pubkey(s->session->peer); 2168 /* else anonymous DH, so no certificate or pkey. */ 2169 2170 return 1; 2171 2172 err: 2173 BN_free(p); 2174 BN_free(g); 2175 BN_free(bnpub_key); 2176 DH_free(dh); 2177 EVP_PKEY_free(peer_tmp); 2178 2179 return 0; 2180 #else 2181 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, 2182 ERR_R_INTERNAL_ERROR); 2183 return 0; 2184 #endif 2185 } 2186 2187 static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) 2188 { 2189 #ifndef OPENSSL_NO_EC 2190 PACKET encoded_pt; 2191 unsigned int curve_type, curve_id; 2192 2193 /* 2194 * Extract elliptic curve parameters and the server's ephemeral ECDH 2195 * public key. We only support named (not generic) curves and 2196 * ECParameters in this case is just three bytes. 2197 */ 2198 if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) { 2199 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, 2200 SSL_R_LENGTH_TOO_SHORT); 2201 return 0; 2202 } 2203 /* 2204 * Check curve is named curve type and one of our preferences, if not 2205 * server has sent an invalid curve. 2206 */ 2207 if (curve_type != NAMED_CURVE_TYPE 2208 || !tls1_check_group_id(s, curve_id, 1)) { 2209 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE, 2210 SSL_R_WRONG_CURVE); 2211 return 0; 2212 } 2213 2214 if ((s->s3->peer_tmp = ssl_generate_param_group(curve_id)) == NULL) { 2215 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, 2216 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 2217 return 0; 2218 } 2219 2220 if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) { 2221 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, 2222 SSL_R_LENGTH_MISMATCH); 2223 return 0; 2224 } 2225 2226 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp, 2227 PACKET_data(&encoded_pt), 2228 PACKET_remaining(&encoded_pt))) { 2229 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE, 2230 SSL_R_BAD_ECPOINT); 2231 return 0; 2232 } 2233 2234 /* 2235 * The ECC/TLS specification does not mention the use of DSA to sign 2236 * ECParameters in the server key exchange message. We do support RSA 2237 * and ECDSA. 2238 */ 2239 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA) 2240 *pkey = X509_get0_pubkey(s->session->peer); 2241 else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aRSA) 2242 *pkey = X509_get0_pubkey(s->session->peer); 2243 /* else anonymous ECDH, so no certificate or pkey. */ 2244 2245 return 1; 2246 #else 2247 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, 2248 ERR_R_INTERNAL_ERROR); 2249 return 0; 2250 #endif 2251 } 2252 2253 MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) 2254 { 2255 long alg_k; 2256 EVP_PKEY *pkey = NULL; 2257 EVP_MD_CTX *md_ctx = NULL; 2258 EVP_PKEY_CTX *pctx = NULL; 2259 PACKET save_param_start, signature; 2260 2261 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 2262 2263 save_param_start = *pkt; 2264 2265 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) 2266 EVP_PKEY_free(s->s3->peer_tmp); 2267 s->s3->peer_tmp = NULL; 2268 #endif 2269 2270 if (alg_k & SSL_PSK) { 2271 if (!tls_process_ske_psk_preamble(s, pkt)) { 2272 /* SSLfatal() already called */ 2273 goto err; 2274 } 2275 } 2276 2277 /* Nothing else to do for plain PSK or RSAPSK */ 2278 if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) { 2279 } else if (alg_k & SSL_kSRP) { 2280 if (!tls_process_ske_srp(s, pkt, &pkey)) { 2281 /* SSLfatal() already called */ 2282 goto err; 2283 } 2284 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { 2285 if (!tls_process_ske_dhe(s, pkt, &pkey)) { 2286 /* SSLfatal() already called */ 2287 goto err; 2288 } 2289 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { 2290 if (!tls_process_ske_ecdhe(s, pkt, &pkey)) { 2291 /* SSLfatal() already called */ 2292 goto err; 2293 } 2294 } else if (alg_k) { 2295 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2296 SSL_R_UNEXPECTED_MESSAGE); 2297 goto err; 2298 } 2299 2300 /* if it was signed, check the signature */ 2301 if (pkey != NULL) { 2302 PACKET params; 2303 int maxsig; 2304 const EVP_MD *md = NULL; 2305 unsigned char *tbs; 2306 size_t tbslen; 2307 int rv; 2308 2309 /* 2310 * |pkt| now points to the beginning of the signature, so the difference 2311 * equals the length of the parameters. 2312 */ 2313 if (!PACKET_get_sub_packet(&save_param_start, ¶ms, 2314 PACKET_remaining(&save_param_start) - 2315 PACKET_remaining(pkt))) { 2316 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2317 ERR_R_INTERNAL_ERROR); 2318 goto err; 2319 } 2320 2321 if (SSL_USE_SIGALGS(s)) { 2322 unsigned int sigalg; 2323 2324 if (!PACKET_get_net_2(pkt, &sigalg)) { 2325 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2326 SSL_R_LENGTH_TOO_SHORT); 2327 goto err; 2328 } 2329 if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) { 2330 /* SSLfatal() already called */ 2331 goto err; 2332 } 2333 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { 2334 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2335 ERR_R_INTERNAL_ERROR); 2336 goto err; 2337 } 2338 2339 if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) { 2340 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2341 ERR_R_INTERNAL_ERROR); 2342 goto err; 2343 } 2344 #ifdef SSL_DEBUG 2345 if (SSL_USE_SIGALGS(s)) 2346 fprintf(stderr, "USING TLSv1.2 HASH %s\n", 2347 md == NULL ? "n/a" : EVP_MD_name(md)); 2348 #endif 2349 2350 if (!PACKET_get_length_prefixed_2(pkt, &signature) 2351 || PACKET_remaining(pkt) != 0) { 2352 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2353 SSL_R_LENGTH_MISMATCH); 2354 goto err; 2355 } 2356 maxsig = EVP_PKEY_size(pkey); 2357 if (maxsig < 0) { 2358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2359 ERR_R_INTERNAL_ERROR); 2360 goto err; 2361 } 2362 2363 /* 2364 * Check signature length 2365 */ 2366 if (PACKET_remaining(&signature) > (size_t)maxsig) { 2367 /* wrong packet length */ 2368 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2369 SSL_R_WRONG_SIGNATURE_LENGTH); 2370 goto err; 2371 } 2372 2373 md_ctx = EVP_MD_CTX_new(); 2374 if (md_ctx == NULL) { 2375 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2376 ERR_R_MALLOC_FAILURE); 2377 goto err; 2378 } 2379 2380 if (EVP_DigestVerifyInit(md_ctx, &pctx, md, NULL, pkey) <= 0) { 2381 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2382 ERR_R_EVP_LIB); 2383 goto err; 2384 } 2385 if (SSL_USE_PSS(s)) { 2386 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 2387 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 2388 RSA_PSS_SALTLEN_DIGEST) <= 0) { 2389 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2390 SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB); 2391 goto err; 2392 } 2393 } 2394 tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(¶ms), 2395 PACKET_remaining(¶ms)); 2396 if (tbslen == 0) { 2397 /* SSLfatal() already called */ 2398 goto err; 2399 } 2400 2401 rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature), 2402 PACKET_remaining(&signature), tbs, tbslen); 2403 OPENSSL_free(tbs); 2404 if (rv <= 0) { 2405 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2406 SSL_R_BAD_SIGNATURE); 2407 goto err; 2408 } 2409 EVP_MD_CTX_free(md_ctx); 2410 md_ctx = NULL; 2411 } else { 2412 /* aNULL, aSRP or PSK do not need public keys */ 2413 if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) 2414 && !(alg_k & SSL_PSK)) { 2415 /* Might be wrong key type, check it */ 2416 if (ssl3_check_cert_and_algorithm(s)) { 2417 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2418 SSL_R_BAD_DATA); 2419 } 2420 /* else this shouldn't happen, SSLfatal() already called */ 2421 goto err; 2422 } 2423 /* still data left over */ 2424 if (PACKET_remaining(pkt) != 0) { 2425 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE, 2426 SSL_R_EXTRA_DATA_IN_MESSAGE); 2427 goto err; 2428 } 2429 } 2430 2431 return MSG_PROCESS_CONTINUE_READING; 2432 err: 2433 EVP_MD_CTX_free(md_ctx); 2434 return MSG_PROCESS_ERROR; 2435 } 2436 2437 MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) 2438 { 2439 size_t i; 2440 2441 /* Clear certificate validity flags */ 2442 for (i = 0; i < SSL_PKEY_NUM; i++) 2443 s->s3->tmp.valid_flags[i] = 0; 2444 2445 if (SSL_IS_TLS13(s)) { 2446 PACKET reqctx, extensions; 2447 RAW_EXTENSION *rawexts = NULL; 2448 2449 if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { 2450 /* 2451 * We already sent close_notify. This can only happen in TLSv1.3 2452 * post-handshake messages. We can't reasonably respond to this, so 2453 * we just ignore it 2454 */ 2455 return MSG_PROCESS_FINISHED_READING; 2456 } 2457 2458 /* Free and zero certificate types: it is not present in TLS 1.3 */ 2459 OPENSSL_free(s->s3->tmp.ctype); 2460 s->s3->tmp.ctype = NULL; 2461 s->s3->tmp.ctype_len = 0; 2462 OPENSSL_free(s->pha_context); 2463 s->pha_context = NULL; 2464 2465 if (!PACKET_get_length_prefixed_1(pkt, &reqctx) || 2466 !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) { 2467 SSLfatal(s, SSL_AD_DECODE_ERROR, 2468 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2469 SSL_R_LENGTH_MISMATCH); 2470 return MSG_PROCESS_ERROR; 2471 } 2472 2473 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { 2474 SSLfatal(s, SSL_AD_DECODE_ERROR, 2475 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2476 SSL_R_BAD_LENGTH); 2477 return MSG_PROCESS_ERROR; 2478 } 2479 if (!tls_collect_extensions(s, &extensions, 2480 SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 2481 &rawexts, NULL, 1) 2482 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 2483 rawexts, NULL, 0, 1)) { 2484 /* SSLfatal() already called */ 2485 OPENSSL_free(rawexts); 2486 return MSG_PROCESS_ERROR; 2487 } 2488 OPENSSL_free(rawexts); 2489 if (!tls1_process_sigalgs(s)) { 2490 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2491 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2492 SSL_R_BAD_LENGTH); 2493 return MSG_PROCESS_ERROR; 2494 } 2495 } else { 2496 PACKET ctypes; 2497 2498 /* get the certificate types */ 2499 if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) { 2500 SSLfatal(s, SSL_AD_DECODE_ERROR, 2501 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2502 SSL_R_LENGTH_MISMATCH); 2503 return MSG_PROCESS_ERROR; 2504 } 2505 2506 if (!PACKET_memdup(&ctypes, &s->s3->tmp.ctype, &s->s3->tmp.ctype_len)) { 2507 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2508 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2509 ERR_R_INTERNAL_ERROR); 2510 return MSG_PROCESS_ERROR; 2511 } 2512 2513 if (SSL_USE_SIGALGS(s)) { 2514 PACKET sigalgs; 2515 2516 if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) { 2517 SSLfatal(s, SSL_AD_DECODE_ERROR, 2518 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2519 SSL_R_LENGTH_MISMATCH); 2520 return MSG_PROCESS_ERROR; 2521 } 2522 2523 /* 2524 * Despite this being for certificates, preserve compatibility 2525 * with pre-TLS 1.3 and use the regular sigalgs field. 2526 */ 2527 if (!tls1_save_sigalgs(s, &sigalgs, 0)) { 2528 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2529 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2530 SSL_R_SIGNATURE_ALGORITHMS_ERROR); 2531 return MSG_PROCESS_ERROR; 2532 } 2533 if (!tls1_process_sigalgs(s)) { 2534 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2535 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2536 ERR_R_MALLOC_FAILURE); 2537 return MSG_PROCESS_ERROR; 2538 } 2539 } 2540 2541 /* get the CA RDNs */ 2542 if (!parse_ca_names(s, pkt)) { 2543 /* SSLfatal() already called */ 2544 return MSG_PROCESS_ERROR; 2545 } 2546 } 2547 2548 if (PACKET_remaining(pkt) != 0) { 2549 SSLfatal(s, SSL_AD_DECODE_ERROR, 2550 SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, 2551 SSL_R_LENGTH_MISMATCH); 2552 return MSG_PROCESS_ERROR; 2553 } 2554 2555 /* we should setup a certificate to return.... */ 2556 s->s3->tmp.cert_req = 1; 2557 2558 /* 2559 * In TLSv1.3 we don't prepare the client certificate yet. We wait until 2560 * after the CertificateVerify message has been received. This is because 2561 * in TLSv1.3 the CertificateRequest arrives before the Certificate message 2562 * but in TLSv1.2 it is the other way around. We want to make sure that 2563 * SSL_get_peer_certificate() returns something sensible in 2564 * client_cert_cb. 2565 */ 2566 if (SSL_IS_TLS13(s) && s->post_handshake_auth != SSL_PHA_REQUESTED) 2567 return MSG_PROCESS_CONTINUE_READING; 2568 2569 return MSG_PROCESS_CONTINUE_PROCESSING; 2570 } 2571 2572 MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) 2573 { 2574 unsigned int ticklen; 2575 unsigned long ticket_lifetime_hint, age_add = 0; 2576 unsigned int sess_len; 2577 RAW_EXTENSION *exts = NULL; 2578 PACKET nonce; 2579 2580 PACKET_null_init(&nonce); 2581 2582 if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint) 2583 || (SSL_IS_TLS13(s) 2584 && (!PACKET_get_net_4(pkt, &age_add) 2585 || !PACKET_get_length_prefixed_1(pkt, &nonce))) 2586 || !PACKET_get_net_2(pkt, &ticklen) 2587 || (SSL_IS_TLS13(s) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen) 2588 : PACKET_remaining(pkt) != ticklen)) { 2589 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2590 SSL_R_LENGTH_MISMATCH); 2591 goto err; 2592 } 2593 2594 /* 2595 * Server is allowed to change its mind (in <=TLSv1.2) and send an empty 2596 * ticket. We already checked this TLSv1.3 case above, so it should never 2597 * be 0 here in that instance 2598 */ 2599 if (ticklen == 0) 2600 return MSG_PROCESS_CONTINUE_READING; 2601 2602 /* 2603 * Sessions must be immutable once they go into the session cache. Otherwise 2604 * we can get multi-thread problems. Therefore we don't "update" sessions, 2605 * we replace them with a duplicate. In TLSv1.3 we need to do this every 2606 * time a NewSessionTicket arrives because those messages arrive 2607 * post-handshake and the session may have already gone into the session 2608 * cache. 2609 */ 2610 if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) { 2611 SSL_SESSION *new_sess; 2612 2613 /* 2614 * We reused an existing session, so we need to replace it with a new 2615 * one 2616 */ 2617 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { 2618 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2619 SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2620 ERR_R_MALLOC_FAILURE); 2621 goto err; 2622 } 2623 2624 if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 2625 && !SSL_IS_TLS13(s)) { 2626 /* 2627 * In TLSv1.2 and below the arrival of a new tickets signals that 2628 * any old ticket we were using is now out of date, so we remove the 2629 * old session from the cache. We carry on if this fails 2630 */ 2631 SSL_CTX_remove_session(s->session_ctx, s->session); 2632 } 2633 2634 SSL_SESSION_free(s->session); 2635 s->session = new_sess; 2636 } 2637 2638 /* 2639 * Technically the cast to long here is not guaranteed by the C standard - 2640 * but we use it elsewhere, so this should be ok. 2641 */ 2642 s->session->time = (long)time(NULL); 2643 2644 OPENSSL_free(s->session->ext.tick); 2645 s->session->ext.tick = NULL; 2646 s->session->ext.ticklen = 0; 2647 2648 s->session->ext.tick = OPENSSL_malloc(ticklen); 2649 if (s->session->ext.tick == NULL) { 2650 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2651 ERR_R_MALLOC_FAILURE); 2652 goto err; 2653 } 2654 if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) { 2655 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2656 SSL_R_LENGTH_MISMATCH); 2657 goto err; 2658 } 2659 2660 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint; 2661 s->session->ext.tick_age_add = age_add; 2662 s->session->ext.ticklen = ticklen; 2663 2664 if (SSL_IS_TLS13(s)) { 2665 PACKET extpkt; 2666 2667 if (!PACKET_as_length_prefixed_2(pkt, &extpkt) 2668 || PACKET_remaining(pkt) != 0) { 2669 SSLfatal(s, SSL_AD_DECODE_ERROR, 2670 SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2671 SSL_R_LENGTH_MISMATCH); 2672 goto err; 2673 } 2674 2675 if (!tls_collect_extensions(s, &extpkt, 2676 SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts, 2677 NULL, 1) 2678 || !tls_parse_all_extensions(s, 2679 SSL_EXT_TLS1_3_NEW_SESSION_TICKET, 2680 exts, NULL, 0, 1)) { 2681 /* SSLfatal() already called */ 2682 goto err; 2683 } 2684 } 2685 2686 /* 2687 * There are two ways to detect a resumed ticket session. One is to set 2688 * an appropriate session ID and then the server must return a match in 2689 * ServerHello. This allows the normal client session ID matching to work 2690 * and we know much earlier that the ticket has been accepted. The 2691 * other way is to set zero length session ID when the ticket is 2692 * presented and rely on the handshake to determine session resumption. 2693 * We choose the former approach because this fits in with assumptions 2694 * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is 2695 * SHA256 is disabled) hash of the ticket. 2696 */ 2697 /* 2698 * TODO(size_t): we use sess_len here because EVP_Digest expects an int 2699 * but s->session->session_id_length is a size_t 2700 */ 2701 if (!EVP_Digest(s->session->ext.tick, ticklen, 2702 s->session->session_id, &sess_len, 2703 EVP_sha256(), NULL)) { 2704 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2705 ERR_R_EVP_LIB); 2706 goto err; 2707 } 2708 s->session->session_id_length = sess_len; 2709 s->session->not_resumable = 0; 2710 2711 /* This is a standalone message in TLSv1.3, so there is no more to read */ 2712 if (SSL_IS_TLS13(s)) { 2713 const EVP_MD *md = ssl_handshake_md(s); 2714 int hashleni = EVP_MD_size(md); 2715 size_t hashlen; 2716 static const unsigned char nonce_label[] = "resumption"; 2717 2718 /* Ensure cast to size_t is safe */ 2719 if (!ossl_assert(hashleni >= 0)) { 2720 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2721 SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, 2722 ERR_R_INTERNAL_ERROR); 2723 goto err; 2724 } 2725 hashlen = (size_t)hashleni; 2726 2727 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, 2728 nonce_label, 2729 sizeof(nonce_label) - 1, 2730 PACKET_data(&nonce), 2731 PACKET_remaining(&nonce), 2732 s->session->master_key, 2733 hashlen, 1)) { 2734 /* SSLfatal() already called */ 2735 goto err; 2736 } 2737 s->session->master_key_length = hashlen; 2738 2739 OPENSSL_free(exts); 2740 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 2741 return MSG_PROCESS_FINISHED_READING; 2742 } 2743 2744 return MSG_PROCESS_CONTINUE_READING; 2745 err: 2746 OPENSSL_free(exts); 2747 return MSG_PROCESS_ERROR; 2748 } 2749 2750 /* 2751 * In TLSv1.3 this is called from the extensions code, otherwise it is used to 2752 * parse a separate message. Returns 1 on success or 0 on failure 2753 */ 2754 int tls_process_cert_status_body(SSL *s, PACKET *pkt) 2755 { 2756 size_t resplen; 2757 unsigned int type; 2758 2759 if (!PACKET_get_1(pkt, &type) 2760 || type != TLSEXT_STATUSTYPE_ocsp) { 2761 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, 2762 SSL_R_UNSUPPORTED_STATUS_TYPE); 2763 return 0; 2764 } 2765 if (!PACKET_get_net_3_len(pkt, &resplen) 2766 || PACKET_remaining(pkt) != resplen) { 2767 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, 2768 SSL_R_LENGTH_MISMATCH); 2769 return 0; 2770 } 2771 s->ext.ocsp.resp = OPENSSL_malloc(resplen); 2772 if (s->ext.ocsp.resp == NULL) { 2773 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, 2774 ERR_R_MALLOC_FAILURE); 2775 return 0; 2776 } 2777 if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { 2778 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY, 2779 SSL_R_LENGTH_MISMATCH); 2780 return 0; 2781 } 2782 s->ext.ocsp.resp_len = resplen; 2783 2784 return 1; 2785 } 2786 2787 2788 MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt) 2789 { 2790 if (!tls_process_cert_status_body(s, pkt)) { 2791 /* SSLfatal() already called */ 2792 return MSG_PROCESS_ERROR; 2793 } 2794 2795 return MSG_PROCESS_CONTINUE_READING; 2796 } 2797 2798 /* 2799 * Perform miscellaneous checks and processing after we have received the 2800 * server's initial flight. In TLS1.3 this is after the Server Finished message. 2801 * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0 2802 * on failure. 2803 */ 2804 int tls_process_initial_server_flight(SSL *s) 2805 { 2806 /* 2807 * at this point we check that we have the required stuff from 2808 * the server 2809 */ 2810 if (!ssl3_check_cert_and_algorithm(s)) { 2811 /* SSLfatal() already called */ 2812 return 0; 2813 } 2814 2815 /* 2816 * Call the ocsp status callback if needed. The |ext.ocsp.resp| and 2817 * |ext.ocsp.resp_len| values will be set if we actually received a status 2818 * message, or NULL and -1 otherwise 2819 */ 2820 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing 2821 && s->ctx->ext.status_cb != NULL) { 2822 int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); 2823 2824 if (ret == 0) { 2825 SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE, 2826 SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT, 2827 SSL_R_INVALID_STATUS_RESPONSE); 2828 return 0; 2829 } 2830 if (ret < 0) { 2831 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2832 SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT, 2833 ERR_R_MALLOC_FAILURE); 2834 return 0; 2835 } 2836 } 2837 #ifndef OPENSSL_NO_CT 2838 if (s->ct_validation_callback != NULL) { 2839 /* Note we validate the SCTs whether or not we abort on error */ 2840 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) { 2841 /* SSLfatal() already called */ 2842 return 0; 2843 } 2844 } 2845 #endif 2846 2847 return 1; 2848 } 2849 2850 MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt) 2851 { 2852 if (PACKET_remaining(pkt) > 0) { 2853 /* should contain no data */ 2854 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE, 2855 SSL_R_LENGTH_MISMATCH); 2856 return MSG_PROCESS_ERROR; 2857 } 2858 #ifndef OPENSSL_NO_SRP 2859 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) { 2860 if (SRP_Calc_A_param(s) <= 0) { 2861 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE, 2862 SSL_R_SRP_A_CALC); 2863 return MSG_PROCESS_ERROR; 2864 } 2865 } 2866 #endif 2867 2868 if (!tls_process_initial_server_flight(s)) { 2869 /* SSLfatal() already called */ 2870 return MSG_PROCESS_ERROR; 2871 } 2872 2873 return MSG_PROCESS_FINISHED_READING; 2874 } 2875 2876 static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt) 2877 { 2878 #ifndef OPENSSL_NO_PSK 2879 int ret = 0; 2880 /* 2881 * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a 2882 * \0-terminated identity. The last byte is for us for simulating 2883 * strnlen. 2884 */ 2885 char identity[PSK_MAX_IDENTITY_LEN + 1]; 2886 size_t identitylen = 0; 2887 unsigned char psk[PSK_MAX_PSK_LEN]; 2888 unsigned char *tmppsk = NULL; 2889 char *tmpidentity = NULL; 2890 size_t psklen = 0; 2891 2892 if (s->psk_client_callback == NULL) { 2893 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2894 SSL_R_PSK_NO_CLIENT_CB); 2895 goto err; 2896 } 2897 2898 memset(identity, 0, sizeof(identity)); 2899 2900 psklen = s->psk_client_callback(s, s->session->psk_identity_hint, 2901 identity, sizeof(identity) - 1, 2902 psk, sizeof(psk)); 2903 2904 if (psklen > PSK_MAX_PSK_LEN) { 2905 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2906 SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); 2907 goto err; 2908 } else if (psklen == 0) { 2909 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2910 SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2911 SSL_R_PSK_IDENTITY_NOT_FOUND); 2912 goto err; 2913 } 2914 2915 identitylen = strlen(identity); 2916 if (identitylen > PSK_MAX_IDENTITY_LEN) { 2917 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2918 ERR_R_INTERNAL_ERROR); 2919 goto err; 2920 } 2921 2922 tmppsk = OPENSSL_memdup(psk, psklen); 2923 tmpidentity = OPENSSL_strdup(identity); 2924 if (tmppsk == NULL || tmpidentity == NULL) { 2925 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2926 ERR_R_MALLOC_FAILURE); 2927 goto err; 2928 } 2929 2930 OPENSSL_free(s->s3->tmp.psk); 2931 s->s3->tmp.psk = tmppsk; 2932 s->s3->tmp.psklen = psklen; 2933 tmppsk = NULL; 2934 OPENSSL_free(s->session->psk_identity); 2935 s->session->psk_identity = tmpidentity; 2936 tmpidentity = NULL; 2937 2938 if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)) { 2939 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2940 ERR_R_INTERNAL_ERROR); 2941 goto err; 2942 } 2943 2944 ret = 1; 2945 2946 err: 2947 OPENSSL_cleanse(psk, psklen); 2948 OPENSSL_cleanse(identity, sizeof(identity)); 2949 OPENSSL_clear_free(tmppsk, psklen); 2950 OPENSSL_clear_free(tmpidentity, identitylen); 2951 2952 return ret; 2953 #else 2954 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, 2955 ERR_R_INTERNAL_ERROR); 2956 return 0; 2957 #endif 2958 } 2959 2960 static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt) 2961 { 2962 #ifndef OPENSSL_NO_RSA 2963 unsigned char *encdata = NULL; 2964 EVP_PKEY *pkey = NULL; 2965 EVP_PKEY_CTX *pctx = NULL; 2966 size_t enclen; 2967 unsigned char *pms = NULL; 2968 size_t pmslen = 0; 2969 2970 if (s->session->peer == NULL) { 2971 /* 2972 * We should always have a server certificate with SSL_kRSA. 2973 */ 2974 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 2975 ERR_R_INTERNAL_ERROR); 2976 return 0; 2977 } 2978 2979 pkey = X509_get0_pubkey(s->session->peer); 2980 if (EVP_PKEY_get0_RSA(pkey) == NULL) { 2981 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 2982 ERR_R_INTERNAL_ERROR); 2983 return 0; 2984 } 2985 2986 pmslen = SSL_MAX_MASTER_KEY_LENGTH; 2987 pms = OPENSSL_malloc(pmslen); 2988 if (pms == NULL) { 2989 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 2990 ERR_R_MALLOC_FAILURE); 2991 return 0; 2992 } 2993 2994 pms[0] = s->client_version >> 8; 2995 pms[1] = s->client_version & 0xff; 2996 /* TODO(size_t): Convert this function */ 2997 if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) { 2998 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 2999 ERR_R_MALLOC_FAILURE); 3000 goto err; 3001 } 3002 3003 /* Fix buf for TLS and beyond */ 3004 if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) { 3005 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3006 ERR_R_INTERNAL_ERROR); 3007 goto err; 3008 } 3009 pctx = EVP_PKEY_CTX_new(pkey, NULL); 3010 if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0 3011 || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) { 3012 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3013 ERR_R_EVP_LIB); 3014 goto err; 3015 } 3016 if (!WPACKET_allocate_bytes(pkt, enclen, &encdata) 3017 || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) { 3018 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3019 SSL_R_BAD_RSA_ENCRYPT); 3020 goto err; 3021 } 3022 EVP_PKEY_CTX_free(pctx); 3023 pctx = NULL; 3024 3025 /* Fix buf for TLS and beyond */ 3026 if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) { 3027 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3028 ERR_R_INTERNAL_ERROR); 3029 goto err; 3030 } 3031 3032 /* Log the premaster secret, if logging is enabled. */ 3033 if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) { 3034 /* SSLfatal() already called */ 3035 goto err; 3036 } 3037 3038 s->s3->tmp.pms = pms; 3039 s->s3->tmp.pmslen = pmslen; 3040 3041 return 1; 3042 err: 3043 OPENSSL_clear_free(pms, pmslen); 3044 EVP_PKEY_CTX_free(pctx); 3045 3046 return 0; 3047 #else 3048 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, 3049 ERR_R_INTERNAL_ERROR); 3050 return 0; 3051 #endif 3052 } 3053 3054 static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) 3055 { 3056 #ifndef OPENSSL_NO_DH 3057 DH *dh_clnt = NULL; 3058 const BIGNUM *pub_key; 3059 EVP_PKEY *ckey = NULL, *skey = NULL; 3060 unsigned char *keybytes = NULL; 3061 3062 skey = s->s3->peer_tmp; 3063 if (skey == NULL) { 3064 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3065 ERR_R_INTERNAL_ERROR); 3066 goto err; 3067 } 3068 3069 ckey = ssl_generate_pkey(skey); 3070 if (ckey == NULL) { 3071 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3072 ERR_R_INTERNAL_ERROR); 3073 goto err; 3074 } 3075 3076 dh_clnt = EVP_PKEY_get0_DH(ckey); 3077 3078 if (dh_clnt == NULL) { 3079 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3080 ERR_R_INTERNAL_ERROR); 3081 goto err; 3082 } 3083 3084 if (ssl_derive(s, ckey, skey, 0) == 0) { 3085 /* SSLfatal() already called */ 3086 goto err; 3087 } 3088 3089 /* send off the data */ 3090 DH_get0_key(dh_clnt, &pub_key, NULL); 3091 if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key), 3092 &keybytes)) { 3093 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3094 ERR_R_INTERNAL_ERROR); 3095 goto err; 3096 } 3097 3098 BN_bn2bin(pub_key, keybytes); 3099 EVP_PKEY_free(ckey); 3100 3101 return 1; 3102 err: 3103 EVP_PKEY_free(ckey); 3104 return 0; 3105 #else 3106 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE, 3107 ERR_R_INTERNAL_ERROR); 3108 return 0; 3109 #endif 3110 } 3111 3112 static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt) 3113 { 3114 #ifndef OPENSSL_NO_EC 3115 unsigned char *encodedPoint = NULL; 3116 size_t encoded_pt_len = 0; 3117 EVP_PKEY *ckey = NULL, *skey = NULL; 3118 int ret = 0; 3119 3120 skey = s->s3->peer_tmp; 3121 if (skey == NULL) { 3122 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3123 ERR_R_INTERNAL_ERROR); 3124 return 0; 3125 } 3126 3127 ckey = ssl_generate_pkey(skey); 3128 if (ckey == NULL) { 3129 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3130 ERR_R_MALLOC_FAILURE); 3131 goto err; 3132 } 3133 3134 if (ssl_derive(s, ckey, skey, 0) == 0) { 3135 /* SSLfatal() already called */ 3136 goto err; 3137 } 3138 3139 /* Generate encoding of client key */ 3140 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(ckey, &encodedPoint); 3141 3142 if (encoded_pt_len == 0) { 3143 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3144 ERR_R_EC_LIB); 3145 goto err; 3146 } 3147 3148 if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) { 3149 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3150 ERR_R_INTERNAL_ERROR); 3151 goto err; 3152 } 3153 3154 ret = 1; 3155 err: 3156 OPENSSL_free(encodedPoint); 3157 EVP_PKEY_free(ckey); 3158 return ret; 3159 #else 3160 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE, 3161 ERR_R_INTERNAL_ERROR); 3162 return 0; 3163 #endif 3164 } 3165 3166 static int tls_construct_cke_gost(SSL *s, WPACKET *pkt) 3167 { 3168 #ifndef OPENSSL_NO_GOST 3169 /* GOST key exchange message creation */ 3170 EVP_PKEY_CTX *pkey_ctx = NULL; 3171 X509 *peer_cert; 3172 size_t msglen; 3173 unsigned int md_len; 3174 unsigned char shared_ukm[32], tmp[256]; 3175 EVP_MD_CTX *ukm_hash = NULL; 3176 int dgst_nid = NID_id_GostR3411_94; 3177 unsigned char *pms = NULL; 3178 size_t pmslen = 0; 3179 3180 if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0) 3181 dgst_nid = NID_id_GostR3411_2012_256; 3182 3183 /* 3184 * Get server certificate PKEY and create ctx from it 3185 */ 3186 peer_cert = s->session->peer; 3187 if (!peer_cert) { 3188 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3189 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 3190 return 0; 3191 } 3192 3193 pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL); 3194 if (pkey_ctx == NULL) { 3195 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3196 ERR_R_MALLOC_FAILURE); 3197 return 0; 3198 } 3199 /* 3200 * If we have send a certificate, and certificate key 3201 * parameters match those of server certificate, use 3202 * certificate key for key exchange 3203 */ 3204 3205 /* Otherwise, generate ephemeral key pair */ 3206 pmslen = 32; 3207 pms = OPENSSL_malloc(pmslen); 3208 if (pms == NULL) { 3209 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3210 ERR_R_MALLOC_FAILURE); 3211 goto err; 3212 } 3213 3214 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 3215 /* Generate session key 3216 * TODO(size_t): Convert this function 3217 */ 3218 || RAND_bytes(pms, (int)pmslen) <= 0) { 3219 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3220 ERR_R_INTERNAL_ERROR); 3221 goto err; 3222 }; 3223 /* 3224 * Compute shared IV and store it in algorithm-specific context 3225 * data 3226 */ 3227 ukm_hash = EVP_MD_CTX_new(); 3228 if (ukm_hash == NULL 3229 || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0 3230 || EVP_DigestUpdate(ukm_hash, s->s3->client_random, 3231 SSL3_RANDOM_SIZE) <= 0 3232 || EVP_DigestUpdate(ukm_hash, s->s3->server_random, 3233 SSL3_RANDOM_SIZE) <= 0 3234 || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) { 3235 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3236 ERR_R_INTERNAL_ERROR); 3237 goto err; 3238 } 3239 EVP_MD_CTX_free(ukm_hash); 3240 ukm_hash = NULL; 3241 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, 3242 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) { 3243 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3244 SSL_R_LIBRARY_BUG); 3245 goto err; 3246 } 3247 /* Make GOST keytransport blob message */ 3248 /* 3249 * Encapsulate it into sequence 3250 */ 3251 msglen = 255; 3252 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) { 3253 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3254 SSL_R_LIBRARY_BUG); 3255 goto err; 3256 } 3257 3258 if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED) 3259 || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81)) 3260 || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) { 3261 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3262 ERR_R_INTERNAL_ERROR); 3263 goto err; 3264 } 3265 3266 EVP_PKEY_CTX_free(pkey_ctx); 3267 s->s3->tmp.pms = pms; 3268 s->s3->tmp.pmslen = pmslen; 3269 3270 return 1; 3271 err: 3272 EVP_PKEY_CTX_free(pkey_ctx); 3273 OPENSSL_clear_free(pms, pmslen); 3274 EVP_MD_CTX_free(ukm_hash); 3275 return 0; 3276 #else 3277 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, 3278 ERR_R_INTERNAL_ERROR); 3279 return 0; 3280 #endif 3281 } 3282 3283 static int tls_construct_cke_srp(SSL *s, WPACKET *pkt) 3284 { 3285 #ifndef OPENSSL_NO_SRP 3286 unsigned char *abytes = NULL; 3287 3288 if (s->srp_ctx.A == NULL 3289 || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A), 3290 &abytes)) { 3291 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP, 3292 ERR_R_INTERNAL_ERROR); 3293 return 0; 3294 } 3295 BN_bn2bin(s->srp_ctx.A, abytes); 3296 3297 OPENSSL_free(s->session->srp_username); 3298 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); 3299 if (s->session->srp_username == NULL) { 3300 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP, 3301 ERR_R_MALLOC_FAILURE); 3302 return 0; 3303 } 3304 3305 return 1; 3306 #else 3307 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP, 3308 ERR_R_INTERNAL_ERROR); 3309 return 0; 3310 #endif 3311 } 3312 3313 int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt) 3314 { 3315 unsigned long alg_k; 3316 3317 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 3318 3319 /* 3320 * All of the construct functions below call SSLfatal() if necessary so 3321 * no need to do so here. 3322 */ 3323 if ((alg_k & SSL_PSK) 3324 && !tls_construct_cke_psk_preamble(s, pkt)) 3325 goto err; 3326 3327 if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) { 3328 if (!tls_construct_cke_rsa(s, pkt)) 3329 goto err; 3330 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { 3331 if (!tls_construct_cke_dhe(s, pkt)) 3332 goto err; 3333 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { 3334 if (!tls_construct_cke_ecdhe(s, pkt)) 3335 goto err; 3336 } else if (alg_k & SSL_kGOST) { 3337 if (!tls_construct_cke_gost(s, pkt)) 3338 goto err; 3339 } else if (alg_k & SSL_kSRP) { 3340 if (!tls_construct_cke_srp(s, pkt)) 3341 goto err; 3342 } else if (!(alg_k & SSL_kPSK)) { 3343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3344 SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 3345 goto err; 3346 } 3347 3348 return 1; 3349 err: 3350 OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen); 3351 s->s3->tmp.pms = NULL; 3352 #ifndef OPENSSL_NO_PSK 3353 OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen); 3354 s->s3->tmp.psk = NULL; 3355 #endif 3356 return 0; 3357 } 3358 3359 int tls_client_key_exchange_post_work(SSL *s) 3360 { 3361 unsigned char *pms = NULL; 3362 size_t pmslen = 0; 3363 3364 pms = s->s3->tmp.pms; 3365 pmslen = s->s3->tmp.pmslen; 3366 3367 #ifndef OPENSSL_NO_SRP 3368 /* Check for SRP */ 3369 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) { 3370 if (!srp_generate_client_master_secret(s)) { 3371 /* SSLfatal() already called */ 3372 goto err; 3373 } 3374 return 1; 3375 } 3376 #endif 3377 3378 if (pms == NULL && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 3379 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3380 SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_MALLOC_FAILURE); 3381 goto err; 3382 } 3383 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) { 3384 /* SSLfatal() already called */ 3385 /* ssl_generate_master_secret frees the pms even on error */ 3386 pms = NULL; 3387 pmslen = 0; 3388 goto err; 3389 } 3390 pms = NULL; 3391 pmslen = 0; 3392 3393 #ifndef OPENSSL_NO_SCTP 3394 if (SSL_IS_DTLS(s)) { 3395 unsigned char sctpauthkey[64]; 3396 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 3397 size_t labellen; 3398 3399 /* 3400 * Add new shared key for SCTP-Auth, will be ignored if no SCTP 3401 * used. 3402 */ 3403 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 3404 sizeof(DTLS1_SCTP_AUTH_LABEL)); 3405 3406 /* Don't include the terminating zero. */ 3407 labellen = sizeof(labelbuffer) - 1; 3408 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) 3409 labellen += 1; 3410 3411 if (SSL_export_keying_material(s, sctpauthkey, 3412 sizeof(sctpauthkey), labelbuffer, 3413 labellen, NULL, 0, 0) <= 0) { 3414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3415 SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, 3416 ERR_R_INTERNAL_ERROR); 3417 goto err; 3418 } 3419 3420 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 3421 sizeof(sctpauthkey), sctpauthkey); 3422 } 3423 #endif 3424 3425 return 1; 3426 err: 3427 OPENSSL_clear_free(pms, pmslen); 3428 s->s3->tmp.pms = NULL; 3429 return 0; 3430 } 3431 3432 /* 3433 * Check a certificate can be used for client authentication. Currently check 3434 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client 3435 * certificates can be used and optionally checks suitability for Suite B. 3436 */ 3437 static int ssl3_check_client_certificate(SSL *s) 3438 { 3439 /* If no suitable signature algorithm can't use certificate */ 3440 if (!tls_choose_sigalg(s, 0) || s->s3->tmp.sigalg == NULL) 3441 return 0; 3442 /* 3443 * If strict mode check suitability of chain before using it. This also 3444 * adjusts suite B digest if necessary. 3445 */ 3446 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT && 3447 !tls1_check_chain(s, NULL, NULL, NULL, -2)) 3448 return 0; 3449 return 1; 3450 } 3451 3452 WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst) 3453 { 3454 X509 *x509 = NULL; 3455 EVP_PKEY *pkey = NULL; 3456 int i; 3457 3458 if (wst == WORK_MORE_A) { 3459 /* Let cert callback update client certificates if required */ 3460 if (s->cert->cert_cb) { 3461 i = s->cert->cert_cb(s, s->cert->cert_cb_arg); 3462 if (i < 0) { 3463 s->rwstate = SSL_X509_LOOKUP; 3464 return WORK_MORE_A; 3465 } 3466 if (i == 0) { 3467 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3468 SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE, 3469 SSL_R_CALLBACK_FAILED); 3470 return WORK_ERROR; 3471 } 3472 s->rwstate = SSL_NOTHING; 3473 } 3474 if (ssl3_check_client_certificate(s)) { 3475 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 3476 return WORK_FINISHED_STOP; 3477 } 3478 return WORK_FINISHED_CONTINUE; 3479 } 3480 3481 /* Fall through to WORK_MORE_B */ 3482 wst = WORK_MORE_B; 3483 } 3484 3485 /* We need to get a client cert */ 3486 if (wst == WORK_MORE_B) { 3487 /* 3488 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP; 3489 * return(-1); We then get retied later 3490 */ 3491 i = ssl_do_client_cert_cb(s, &x509, &pkey); 3492 if (i < 0) { 3493 s->rwstate = SSL_X509_LOOKUP; 3494 return WORK_MORE_B; 3495 } 3496 s->rwstate = SSL_NOTHING; 3497 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { 3498 if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey)) 3499 i = 0; 3500 } else if (i == 1) { 3501 i = 0; 3502 SSLerr(SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE, 3503 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 3504 } 3505 3506 X509_free(x509); 3507 EVP_PKEY_free(pkey); 3508 if (i && !ssl3_check_client_certificate(s)) 3509 i = 0; 3510 if (i == 0) { 3511 if (s->version == SSL3_VERSION) { 3512 s->s3->tmp.cert_req = 0; 3513 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); 3514 return WORK_FINISHED_CONTINUE; 3515 } else { 3516 s->s3->tmp.cert_req = 2; 3517 if (!ssl3_digest_cached_records(s, 0)) { 3518 /* SSLfatal() already called */ 3519 return WORK_ERROR; 3520 } 3521 } 3522 } 3523 3524 if (s->post_handshake_auth == SSL_PHA_REQUESTED) 3525 return WORK_FINISHED_STOP; 3526 return WORK_FINISHED_CONTINUE; 3527 } 3528 3529 /* Shouldn't ever get here */ 3530 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE, 3531 ERR_R_INTERNAL_ERROR); 3532 return WORK_ERROR; 3533 } 3534 3535 int tls_construct_client_certificate(SSL *s, WPACKET *pkt) 3536 { 3537 if (SSL_IS_TLS13(s)) { 3538 if (s->pha_context == NULL) { 3539 /* no context available, add 0-length context */ 3540 if (!WPACKET_put_bytes_u8(pkt, 0)) { 3541 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3542 SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); 3543 return 0; 3544 } 3545 } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { 3546 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3547 SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); 3548 return 0; 3549 } 3550 } 3551 if (!ssl3_output_cert_chain(s, pkt, 3552 (s->s3->tmp.cert_req == 2) ? NULL 3553 : s->cert->key)) { 3554 /* SSLfatal() already called */ 3555 return 0; 3556 } 3557 3558 if (SSL_IS_TLS13(s) 3559 && SSL_IS_FIRST_HANDSHAKE(s) 3560 && (!s->method->ssl3_enc->change_cipher_state(s, 3561 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { 3562 /* 3563 * This is a fatal error, which leaves enc_write_ctx in an inconsistent 3564 * state and thus ssl3_send_alert may crash. 3565 */ 3566 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, 3567 SSL_R_CANNOT_CHANGE_CIPHER); 3568 return 0; 3569 } 3570 3571 return 1; 3572 } 3573 3574 int ssl3_check_cert_and_algorithm(SSL *s) 3575 { 3576 const SSL_CERT_LOOKUP *clu; 3577 size_t idx; 3578 long alg_k, alg_a; 3579 3580 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 3581 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 3582 3583 /* we don't have a certificate */ 3584 if (!(alg_a & SSL_aCERT)) 3585 return 1; 3586 3587 /* This is the passed certificate */ 3588 clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx); 3589 3590 /* Check certificate is recognised and suitable for cipher */ 3591 if (clu == NULL || (alg_a & clu->amask) == 0) { 3592 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3593 SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 3594 SSL_R_MISSING_SIGNING_CERT); 3595 return 0; 3596 } 3597 3598 #ifndef OPENSSL_NO_EC 3599 if (clu->amask & SSL_aECDSA) { 3600 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) 3601 return 1; 3602 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3603 SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT); 3604 return 0; 3605 } 3606 #endif 3607 #ifndef OPENSSL_NO_RSA 3608 if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) { 3609 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3610 SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 3611 SSL_R_MISSING_RSA_ENCRYPTING_CERT); 3612 return 0; 3613 } 3614 #endif 3615 #ifndef OPENSSL_NO_DH 3616 if ((alg_k & SSL_kDHE) && (s->s3->peer_tmp == NULL)) { 3617 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 3618 ERR_R_INTERNAL_ERROR); 3619 return 0; 3620 } 3621 #endif 3622 3623 return 1; 3624 } 3625 3626 #ifndef OPENSSL_NO_NEXTPROTONEG 3627 int tls_construct_next_proto(SSL *s, WPACKET *pkt) 3628 { 3629 size_t len, padding_len; 3630 unsigned char *padding = NULL; 3631 3632 len = s->ext.npn_len; 3633 padding_len = 32 - ((len + 2) % 32); 3634 3635 if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len) 3636 || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) { 3637 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_NEXT_PROTO, 3638 ERR_R_INTERNAL_ERROR); 3639 return 0; 3640 } 3641 3642 memset(padding, 0, padding_len); 3643 3644 return 1; 3645 } 3646 #endif 3647 3648 MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt) 3649 { 3650 if (PACKET_remaining(pkt) > 0) { 3651 /* should contain no data */ 3652 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_REQ, 3653 SSL_R_LENGTH_MISMATCH); 3654 return MSG_PROCESS_ERROR; 3655 } 3656 3657 if ((s->options & SSL_OP_NO_RENEGOTIATION)) { 3658 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); 3659 return MSG_PROCESS_FINISHED_READING; 3660 } 3661 3662 /* 3663 * This is a historical discrepancy (not in the RFC) maintained for 3664 * compatibility reasons. If a TLS client receives a HelloRequest it will 3665 * attempt an abbreviated handshake. However if a DTLS client receives a 3666 * HelloRequest it will do a full handshake. Either behaviour is reasonable 3667 * but doing one for TLS and another for DTLS is odd. 3668 */ 3669 if (SSL_IS_DTLS(s)) 3670 SSL_renegotiate(s); 3671 else 3672 SSL_renegotiate_abbreviated(s); 3673 3674 return MSG_PROCESS_FINISHED_READING; 3675 } 3676 3677 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt) 3678 { 3679 PACKET extensions; 3680 RAW_EXTENSION *rawexts = NULL; 3681 3682 if (!PACKET_as_length_prefixed_2(pkt, &extensions) 3683 || PACKET_remaining(pkt) != 0) { 3684 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS, 3685 SSL_R_LENGTH_MISMATCH); 3686 goto err; 3687 } 3688 3689 if (!tls_collect_extensions(s, &extensions, 3690 SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts, 3691 NULL, 1) 3692 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, 3693 rawexts, NULL, 0, 1)) { 3694 /* SSLfatal() already called */ 3695 goto err; 3696 } 3697 3698 OPENSSL_free(rawexts); 3699 return MSG_PROCESS_CONTINUE_READING; 3700 3701 err: 3702 OPENSSL_free(rawexts); 3703 return MSG_PROCESS_ERROR; 3704 } 3705 3706 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3707 { 3708 int i = 0; 3709 #ifndef OPENSSL_NO_ENGINE 3710 if (s->ctx->client_cert_engine) { 3711 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 3712 SSL_get_client_CA_list(s), 3713 px509, ppkey, NULL, NULL, NULL); 3714 if (i != 0) 3715 return i; 3716 } 3717 #endif 3718 if (s->ctx->client_cert_cb) 3719 i = s->ctx->client_cert_cb(s, px509, ppkey); 3720 return i; 3721 } 3722 3723 int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) 3724 { 3725 int i; 3726 size_t totlen = 0, len, maxlen, maxverok = 0; 3727 int empty_reneg_info_scsv = !s->renegotiate; 3728 3729 /* Set disabled masks for this session */ 3730 if (!ssl_set_client_disabled(s)) { 3731 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, 3732 SSL_R_NO_PROTOCOLS_AVAILABLE); 3733 return 0; 3734 } 3735 3736 if (sk == NULL) { 3737 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, 3738 ERR_R_INTERNAL_ERROR); 3739 return 0; 3740 } 3741 3742 #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 3743 # if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6 3744 # error Max cipher length too short 3745 # endif 3746 /* 3747 * Some servers hang if client hello > 256 bytes as hack workaround 3748 * chop number of supported ciphers to keep it well below this if we 3749 * use TLS v1.2 3750 */ 3751 if (TLS1_get_version(s) >= TLS1_2_VERSION) 3752 maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 3753 else 3754 #endif 3755 /* Maximum length that can be stored in 2 bytes. Length must be even */ 3756 maxlen = 0xfffe; 3757 3758 if (empty_reneg_info_scsv) 3759 maxlen -= 2; 3760 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) 3761 maxlen -= 2; 3762 3763 for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) { 3764 const SSL_CIPHER *c; 3765 3766 c = sk_SSL_CIPHER_value(sk, i); 3767 /* Skip disabled ciphers */ 3768 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) 3769 continue; 3770 3771 if (!s->method->put_cipher_by_char(c, pkt, &len)) { 3772 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, 3773 ERR_R_INTERNAL_ERROR); 3774 return 0; 3775 } 3776 3777 /* Sanity check that the maximum version we offer has ciphers enabled */ 3778 if (!maxverok) { 3779 if (SSL_IS_DTLS(s)) { 3780 if (DTLS_VERSION_GE(c->max_dtls, s->s3->tmp.max_ver) 3781 && DTLS_VERSION_LE(c->min_dtls, s->s3->tmp.max_ver)) 3782 maxverok = 1; 3783 } else { 3784 if (c->max_tls >= s->s3->tmp.max_ver 3785 && c->min_tls <= s->s3->tmp.max_ver) 3786 maxverok = 1; 3787 } 3788 } 3789 3790 totlen += len; 3791 } 3792 3793 if (totlen == 0 || !maxverok) { 3794 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES, 3795 SSL_R_NO_CIPHERS_AVAILABLE); 3796 3797 if (!maxverok) 3798 ERR_add_error_data(1, "No ciphers enabled for max supported " 3799 "SSL/TLS version"); 3800 3801 return 0; 3802 } 3803 3804 if (totlen != 0) { 3805 if (empty_reneg_info_scsv) { 3806 static SSL_CIPHER scsv = { 3807 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 3808 }; 3809 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { 3810 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3811 SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR); 3812 return 0; 3813 } 3814 } 3815 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { 3816 static SSL_CIPHER scsv = { 3817 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 3818 }; 3819 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { 3820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3821 SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR); 3822 return 0; 3823 } 3824 } 3825 } 3826 3827 return 1; 3828 } 3829 3830 int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt) 3831 { 3832 if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY 3833 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) { 3834 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3835 SSL_F_TLS_CONSTRUCT_END_OF_EARLY_DATA, 3836 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 3837 return 0; 3838 } 3839 3840 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 3841 return 1; 3842 } 3843