/*
 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 * Copyright 2005 Nokia. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
11e71b7053SJung-uk Kim
12e71b7053SJung-uk Kim #include <stdio.h>
1317f01e99SJung-uk Kim #include "../ssl_local.h"
1417f01e99SJung-uk Kim #include "statem_local.h"
1517f01e99SJung-uk Kim #include "internal/constant_time.h"
16e71b7053SJung-uk Kim #include "internal/cryptlib.h"
17e71b7053SJung-uk Kim #include <openssl/buffer.h>
18e71b7053SJung-uk Kim #include <openssl/rand.h>
19e71b7053SJung-uk Kim #include <openssl/objects.h>
20e71b7053SJung-uk Kim #include <openssl/evp.h>
21e71b7053SJung-uk Kim #include <openssl/x509.h>
22e71b7053SJung-uk Kim #include <openssl/dh.h>
23b077aed3SPierre Pronchery #include <openssl/rsa.h>
24e71b7053SJung-uk Kim #include <openssl/bn.h>
25e71b7053SJung-uk Kim #include <openssl/md5.h>
26b077aed3SPierre Pronchery #include <openssl/trace.h>
27b077aed3SPierre Pronchery #include <openssl/core_names.h>
2817f01e99SJung-uk Kim #include <openssl/asn1t.h>
29e71b7053SJung-uk Kim
/*
 * Byte length of the session ticket nonce (presumably the TLSv1.3
 * NewSessionTicket nonce; the code that uses it is later in this file).
 */
#define TICKET_NONCE_SIZE 8

/*
 * ASN.1 wrapper for the GOST key exchange payload (judging by the name; the
 * code that parses it is further down this file): a mandatory kxBlob and an
 * optional opaqueBlob, both carried as ASN1_ANY.
 */
typedef struct {
    ASN1_TYPE *kxBlob;      /* mandatory (ASN1_SIMPLE below) */
    ASN1_TYPE *opaqueBlob;  /* optional (ASN1_OPT below) */
} GOST_KX_MESSAGE;

/* Declares GOST_KX_MESSAGE_new/_free/d2i_/i2d_ */
DECLARE_ASN1_FUNCTIONS(GOST_KX_MESSAGE)

/* Encoding template: SEQUENCE { kxBlob ANY, opaqueBlob ANY OPTIONAL } */
ASN1_SEQUENCE(GOST_KX_MESSAGE) = {
    ASN1_SIMPLE(GOST_KX_MESSAGE, kxBlob, ASN1_ANY),
    ASN1_OPT(GOST_KX_MESSAGE, opaqueBlob, ASN1_ANY),
} ASN1_SEQUENCE_END(GOST_KX_MESSAGE)

/* Generates the functions declared above from the template */
IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE)

/* Forward declaration: the definition is elsewhere in this translation unit */
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
47e71b7053SJung-uk Kim
/*
 * ossl_statem_server13_read_transition() decides whether a TLSv1.3 server may
 * accept an incoming handshake message of type |mt| given its current state
 * in |s->statem.hand_state| and, if so, moves to the next state.
 *
 * Every state accepts at most one message type, so each case records the
 * (expected message, next state) pair and the common tail at the bottom
 * applies it.
 *
 * TLS_ST_BEFORE is deliberately absent: TLSv1.3 has not been negotiated at
 * that stage, so ossl_statem_server_read_transition() handles it.
 *
 * Returns 1 if the transition is allowed (|hand_state| has been updated) and
 * 0 if the message is not acceptable in the current state.
 */
static int ossl_statem_server13_read_transition(SSL *s, int mt)
{
    OSSL_STATEM *st = &s->statem;
    /* Message type acceptable in the current state; -1 means "none" */
    int expected = -1;
    /* State entered when |expected| arrives; only meaningful if expected >= 0 */
    OSSL_HANDSHAKE_STATE next = TLS_ST_BEFORE;

    switch (st->hand_state) {
    default:
        break;

    case TLS_ST_EARLY_DATA:
        if (s->hello_retry_request == SSL_HRR_PENDING) {
            /* After a HelloRetryRequest the only acceptable message is ClientHello2 */
            expected = SSL3_MT_CLIENT_HELLO;
            next = TLS_ST_SR_CLNT_HELLO;
            break;
        }
        if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
            /* Accepted 0-RTT data has to be terminated by EndOfEarlyData */
            expected = SSL3_MT_END_OF_EARLY_DATA;
            next = TLS_ST_SR_END_OF_EARLY_DATA;
            break;
        }
        /* Fall through: no early data in play, same rules as after our Finished */

    case TLS_ST_SR_END_OF_EARLY_DATA:
    case TLS_ST_SW_FINISHED:
        if (s->s3.tmp.cert_request) {
            expected = SSL3_MT_CERTIFICATE;
            next = TLS_ST_SR_CERT;
        } else {
            expected = SSL3_MT_FINISHED;
            next = TLS_ST_SR_FINISHED;
        }
        break;

    case TLS_ST_SR_CERT:
        /*
         * |s->session->peer| stays NULL when the client returned no
         * certificate, and a CertificateVerify only follows a real one.
         */
        if (s->session->peer == NULL) {
            expected = SSL3_MT_FINISHED;
            next = TLS_ST_SR_FINISHED;
        } else {
            expected = SSL3_MT_CERTIFICATE_VERIFY;
            next = TLS_ST_SR_CERT_VRFY;
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        expected = SSL3_MT_FINISHED;
        next = TLS_ST_SR_FINISHED;
        break;

    case TLS_ST_OK:
        /*
         * Post-handshake messages are never processed while we are still in
         * the middle of reading early data (i.e. before EndOfEarlyData).
         */
        if (s->early_data_state == SSL_EARLY_DATA_READING)
            break;
        if (s->post_handshake_auth == SSL_PHA_REQUESTED
                && mt == SSL3_MT_CERTIFICATE) {
            /* Client is answering our post-handshake CertificateRequest */
            expected = SSL3_MT_CERTIFICATE;
            next = TLS_ST_SR_CERT;
        } else {
            expected = SSL3_MT_KEY_UPDATE;
            next = TLS_ST_SR_KEY_UPDATE;
        }
        break;
    }

    if (expected < 0 || mt != expected) {
        /* No valid transition found */
        return 0;
    }
    st->hand_state = next;
    return 1;
}
146e71b7053SJung-uk Kim
/*
 * ossl_statem_server_read_transition() decides whether the server may accept
 * an incoming handshake message of type |mt| in its current state
 * (|s->statem.hand_state|) and, if so, moves to the next state. TLSv1.3 is
 * delegated to ossl_statem_server13_read_transition(); the switch here
 * covers SSLv3/TLSv1.x/DTLS.
 *
 * Most states accept exactly one message type, so each case records the
 * (expected message, next state) pair and the common tail applies it. The
 * one situation that raises a fatal alert of its own (TLS_ST_SW_SRVR_DONE with
 * a mandatory client certificate missing) returns directly so that the
 * generic "unexpected message" alert is not also sent.
 *
 * Returns 1 if the transition is allowed (|hand_state| updated) and 0 on
 * error. On 0 SSLfatal() has been called, except for an out-of-order DTLS
 * ChangeCipherSpec, which is silently dropped and the caller told to read
 * again.
 */
int ossl_statem_server_read_transition(SSL *s, int mt)
{
    OSSL_STATEM *st = &s->statem;
    /* Message type acceptable in the current state; -1 means "none" */
    int expected = -1;
    /* State entered when |expected| arrives; only meaningful if expected >= 0 */
    OSSL_HANDSHAKE_STATE next = TLS_ST_BEFORE;

    if (SSL_IS_TLS13(s)) {
        if (ossl_statem_server13_read_transition(s, mt))
            return 1;
        goto unexpected;
    }

    switch (st->hand_state) {
    default:
        break;

    case TLS_ST_BEFORE:
    case TLS_ST_OK:
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        expected = SSL3_MT_CLIENT_HELLO;
        next = TLS_ST_SR_CLNT_HELLO;
        break;

    case TLS_ST_SW_SRVR_DONE:
        if (mt != SSL3_MT_CLIENT_KEY_EXCHANGE) {
            /* Not a CKE: the only other option is the Certificate we asked for */
            if (s->s3.tmp.cert_request) {
                expected = SSL3_MT_CERTIFICATE;
                next = TLS_ST_SR_CERT;
            }
            break;
        }
        /*
         * A ClientKeyExchange straight after ServerHelloDone is fine when we
         * did not request a certificate. If we did, the client may skip the
         * Certificate message only in SSL3 (TLS1.0+ must send an empty list
         * instead), and only if we tolerate a missing client cert.
         */
        if (s->s3.tmp.cert_request) {
            if (s->version != SSL3_VERSION)
                break;
            if ((s->verify_mode & SSL_VERIFY_PEER)
                && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
                /*
                 * Not an unexpected message as such - we simply refuse it
                 * because a client certificate is mandatory.
                 */
                SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                         SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
                return 0;
            }
        }
        expected = SSL3_MT_CLIENT_KEY_EXCHANGE;
        next = TLS_ST_SR_KEY_EXCH;
        break;

    case TLS_ST_SR_CERT:
        expected = SSL3_MT_CLIENT_KEY_EXCHANGE;
        next = TLS_ST_SR_KEY_EXCH;
        break;

    case TLS_ST_SR_KEY_EXCH:
        /*
         * A CertificateVerify is only expected if the client actually sent a
         * certificate (|s->session->peer| non-NULL) and the key exchange did
         * not already use the key from that certificate (static DH, ECDH key
         * in the cert, GOST key-from-cert), which |st->no_cert_verify|
         * signals. Otherwise the next message is the ChangeCipherSpec.
         */
        if (s->session->peer == NULL || st->no_cert_verify) {
            expected = SSL3_MT_CHANGE_CIPHER_SPEC;
            next = TLS_ST_SR_CHANGE;
        } else {
            expected = SSL3_MT_CERTIFICATE_VERIFY;
            next = TLS_ST_SR_CERT_VRFY;
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        expected = SSL3_MT_CHANGE_CIPHER_SPEC;
        next = TLS_ST_SR_CHANGE;
        break;

    case TLS_ST_SR_CHANGE:
#ifndef OPENSSL_NO_NEXTPROTONEG
        if (s->s3.npn_seen) {
            /* NPN negotiated: NextProtocol precedes the client's Finished */
            expected = SSL3_MT_NEXT_PROTO;
            next = TLS_ST_SR_NEXT_PROTO;
            break;
        }
#endif
        expected = SSL3_MT_FINISHED;
        next = TLS_ST_SR_FINISHED;
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        expected = SSL3_MT_FINISHED;
        next = TLS_ST_SR_FINISHED;
        break;
#endif

    case TLS_ST_SW_FINISHED:
        expected = SSL3_MT_CHANGE_CIPHER_SPEC;
        next = TLS_ST_SR_CHANGE;
        break;
    }

    if (expected >= 0 && mt == expected) {
        st->hand_state = next;
        return 1;
    }

 unexpected:
    /* No valid transition found */
    if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
        BIO *rbio;

        /*
         * CCS messages carry no message sequence number, so this is most
         * likely an out-of-order CCS. Drop it and ask for more input.
         */
        s->init_num = 0;
        s->rwstate = SSL_READING;
        rbio = SSL_get_rbio(s);
        BIO_clear_retry_flags(rbio);
        BIO_set_retry_read(rbio);
        return 0;
    }
    SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
    return 0;
}
315e71b7053SJung-uk Kim
/*
 * Should we send a ServerKeyExchange message?
 *
 * A ServerKeyExchange is only needed when the server's key exchange material
 * cannot come from its certificate: ephemeral (EC)DH, PSK suites that carry
 * an identity hint or an ephemeral share, and SRP.
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
static int send_server_key_exchange(SSL *s)
{
    unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;

    /* Ephemeral (EC)DH: the server's share only exists in the SKE message */
    if ((alg_k & (SSL_kDHE | SSL_kECDHE)) != 0)
        return 1;

#ifndef OPENSSL_NO_PSK
    /* Plain/RSA PSK: the SKE carries the identity hint, so only if we have one */
    if ((alg_k & (SSL_kPSK | SSL_kRSAPSK)) != 0
            && s->cert->psk_identity_hint != NULL)
        return 1;

    /* (EC)DHE PSK: the ephemeral share always needs an SKE */
    if ((alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK))) != 0)
        return 1;
#endif

#ifndef OPENSSL_NO_SRP
    /* SRP: the server's SRP parameters travel in the SKE */
    if ((alg_k & SSL_kSRP) != 0)
        return 1;
#endif

    /* Everything else (e.g. RSA key transport) uses the certificate's key */
    return 0;
}
357e71b7053SJung-uk Kim
/*
 * Should we send a CertificateRequest message?
 *
 * Each guard below is a reason not to ask; if none applies, a request is due.
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
int send_certificate_request(SSL *s)
{
    const SSL_CIPHER *cipher = s->s3.tmp.new_cipher;

    /* Don't request a cert unless the application asked for peer verification */
    if (!(s->verify_mode & SSL_VERIFY_PEER))
        return 0;

    /*
     * With SSL_VERIFY_POST_HANDSHAKE on TLSv1.3 the request is deferred until
     * the application explicitly triggers post-handshake authentication.
     */
    if (SSL_IS_TLS13(s)
            && (s->verify_mode & SSL_VERIFY_POST_HANDSHAKE)
            && s->post_handshake_auth != SSL_PHA_REQUEST_PENDING)
        return 0;

    /* SSL_VERIFY_CLIENT_ONCE: never ask a second time */
    if (s->certreqs_sent >= 1 && (s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
        return 0;

    /*
     * Anonymous ciphersuites never carry a CertificateRequest (see the
     * "Certificate request" section in the SSL 3 drafts and in RFC 2246)
     * ... unless the application insists on a peer certificate, which is
     * against the specs but accepted by statem_clnt.c for SSL 3.
     */
    if ((cipher->algorithm_auth & SSL_aNULL)
            && !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
        return 0;

    /* SRP authenticates by other means: no certificate request */
    if (cipher->algorithm_auth & SSL_aSRP)
        return 0;

    /* With normal PSK both Certificate and CertificateRequest are omitted */
    if (cipher->algorithm_auth & SSL_aPSK)
        return 0;

    return 1;
}
406e71b7053SJung-uk Kim
/*
 * ossl_statem_server13_write_transition() works out which handshake state a
 * TLSv1.3 server moves to next when it is writing messages to the client.
 *
 * Every case either computes |next| and falls out of the switch (the common
 * tail stores it and reports WRITE_TRAN_CONTINUE), or returns directly when
 * there is nothing to write (WRITE_TRAN_FINISHED) or the state is invalid
 * (WRITE_TRAN_ERROR, after SSLfatal()).
 *
 * TLS_ST_BEFORE has no case: TLSv1.3 has not been negotiated at that stage,
 * so ossl_statem_server_write_transition() handles it.
 */
static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
{
    OSSL_STATEM *st = &s->statem;
    /* Default is to stay in the current state; most cases overwrite this */
    OSSL_HANDSHAKE_STATE next = st->hand_state;

    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return WRITE_TRAN_ERROR;

    case TLS_ST_OK:
        /* Pending post-handshake messages, in priority order */
        if (s->key_update != SSL_KEY_UPDATE_NONE) {
            next = TLS_ST_SW_KEY_UPDATE;
        } else if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
            next = TLS_ST_SW_CERT_REQ;
        } else if (s->ext.extra_tickets_expected > 0) {
            next = TLS_ST_SW_SESSION_TICKET;
        } else {
            /* Nothing to write: try to read from the client instead */
            return WRITE_TRAN_FINISHED;
        }
        break;

    case TLS_ST_SR_CLNT_HELLO:
        next = TLS_ST_SW_SRVR_HELLO;
        break;

    case TLS_ST_SW_SRVR_HELLO:
        if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
                && s->hello_retry_request != SSL_HRR_COMPLETE) {
            /* Middlebox compat: a CCS follows the ServerHello (or the HRR) */
            next = TLS_ST_SW_CHANGE;
        } else if (s->hello_retry_request == SSL_HRR_PENDING) {
            /* We just wrote a HelloRetryRequest; now wait for ClientHello2 */
            next = TLS_ST_EARLY_DATA;
        } else {
            next = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
        }
        break;

    case TLS_ST_SW_CHANGE:
        next = (s->hello_retry_request == SSL_HRR_PENDING)
               ? TLS_ST_EARLY_DATA : TLS_ST_SW_ENCRYPTED_EXTENSIONS;
        break;

    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
        if (s->hit) {
            /* Resumption: no server Certificate/CertificateVerify */
            next = TLS_ST_SW_FINISHED;
        } else {
            next = send_certificate_request(s) ? TLS_ST_SW_CERT_REQ
                                               : TLS_ST_SW_CERT;
        }
        break;

    case TLS_ST_SW_CERT_REQ:
        if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
            /* Post-handshake request written; back to the idle state */
            s->post_handshake_auth = SSL_PHA_REQUESTED;
            next = TLS_ST_OK;
        } else {
            next = TLS_ST_SW_CERT;
        }
        break;

    case TLS_ST_SW_CERT:
        next = TLS_ST_SW_CERT_VRFY;
        break;

    case TLS_ST_SW_CERT_VRFY:
        next = TLS_ST_SW_FINISHED;
        break;

    case TLS_ST_SW_FINISHED:
        next = TLS_ST_EARLY_DATA;
        break;

    case TLS_ST_EARLY_DATA:
        return WRITE_TRAN_FINISHED;

    case TLS_ST_SR_FINISHED:
        /*
         * Technically the handshake is complete here, but we stay "in_init"
         * for now and write out any session tickets immediately.
         */
        if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
            s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
        } else if (!s->ext.ticket_expected) {
            /* Not renewing the ticket: the handshake finishes right here */
            next = TLS_ST_OK;
            break;
        }
        next = (s->num_tickets > s->sent_tickets) ? TLS_ST_SW_SESSION_TICKET
                                                  : TLS_ST_OK;
        break;

    case TLS_ST_SR_KEY_UPDATE:
    case TLS_ST_SW_KEY_UPDATE:
        next = TLS_ST_OK;
        break;

    case TLS_ST_SW_SESSION_TICKET:
        /*
         * In a resumption we only ever send at most one new ticket. After an
         * initial handshake we send the configured number. Extra tickets
         * requested by the application after the handshake keep us here.
         */
        if (SSL_IS_FIRST_HANDSHAKE(s) || s->ext.extra_tickets_expected <= 0) {
            if (s->hit || s->num_tickets <= s->sent_tickets) {
                /* We've written enough tickets out. */
                next = TLS_ST_OK;
            }
        }
        break;
    }

    st->hand_state = next;
    return WRITE_TRAN_CONTINUE;
}
539e71b7053SJung-uk Kim
/*
 * ossl_statem_server_write_transition() works out which handshake state the
 * server moves to next when it is writing messages to the client. TLSv1.3 is
 * delegated to ossl_statem_server13_write_transition(); the switch here
 * covers SSLv3/TLSv1.x/DTLS.
 *
 * Every case either computes |next| and falls out of the switch (the common
 * tail stores it and reports WRITE_TRAN_CONTINUE) or returns directly.
 */
WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
{
    OSSL_STATEM *st = &s->statem;
    /* Default is to stay in the current state; most cases overwrite this */
    OSSL_HANDSHAKE_STATE next = st->hand_state;

    /*
     * The protocol version is unknown until the ClientHello has been read,
     * so the TLSv1.3 branch is only ever taken after that.
     */
    if (SSL_IS_TLS13(s))
        return ossl_statem_server13_write_transition(s);

    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return WRITE_TRAN_ERROR;

    case TLS_ST_OK:
        if (st->request_state == TLS_ST_SW_HELLO_REQ) {
            /* We must be trying to renegotiate */
            st->request_state = TLS_ST_BEFORE;
            next = TLS_ST_SW_HELLO_REQ;
            break;
        }
        /* Otherwise a ClientHello must be on its way in */
        if (!tls_setup_handshake(s)) {
            /* SSLfatal() already called */
            return WRITE_TRAN_ERROR;
        }
        /* Fall through */

    case TLS_ST_BEFORE:
        /* Nothing to write yet: go straight to reading from the client */
        return WRITE_TRAN_FINISHED;

    case TLS_ST_SW_HELLO_REQ:
        next = TLS_ST_OK;
        break;

    case TLS_ST_SR_CLNT_HELLO:
        if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
                && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) {
            /* DTLS cookie exchange happens before any real handshake work */
            next = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
        } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
            /* We must have rejected the renegotiation */
            next = TLS_ST_OK;
        } else {
            next = TLS_ST_SW_SRVR_HELLO;
        }
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        return WRITE_TRAN_FINISHED;

    case TLS_ST_SW_SRVR_HELLO:
        if (s->hit) {
            /* Resumption: optionally a new ticket, then straight to CCS */
            next = s->ext.ticket_expected ? TLS_ST_SW_SESSION_TICKET
                                          : TLS_ST_SW_CHANGE;
        } else if (!(s->s3.tmp.new_cipher->algorithm_auth
                     & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
            /* Anything but anon (EC)DH, normal PSK or SRP sends a certificate */
            next = TLS_ST_SW_CERT;
        } else if (send_server_key_exchange(s)) {
            next = TLS_ST_SW_KEY_EXCH;
        } else if (send_certificate_request(s)) {
            next = TLS_ST_SW_CERT_REQ;
        } else {
            next = TLS_ST_SW_SRVR_DONE;
        }
        break;

    /*
     * Certificate -> [CertificateStatus] -> [ServerKeyExchange]
     * -> [CertificateRequest] -> ServerHelloDone. Each optional message is
     * skipped by falling through to the next check.
     */
    case TLS_ST_SW_CERT:
        if (s->ext.status_expected) {
            next = TLS_ST_SW_CERT_STATUS;
            break;
        }
        /* Fall through */

    case TLS_ST_SW_CERT_STATUS:
        if (send_server_key_exchange(s)) {
            next = TLS_ST_SW_KEY_EXCH;
            break;
        }
        /* Fall through */

    case TLS_ST_SW_KEY_EXCH:
        if (send_certificate_request(s)) {
            next = TLS_ST_SW_CERT_REQ;
            break;
        }
        /* Fall through */

    case TLS_ST_SW_CERT_REQ:
        next = TLS_ST_SW_SRVR_DONE;
        break;

    case TLS_ST_SW_SRVR_DONE:
        /* Our flight is complete; wait for the client's */
        return WRITE_TRAN_FINISHED;

    case TLS_ST_SR_FINISHED:
        if (s->hit) {
            /* Resumption: our CCS/Finished went out first, so we are done */
            next = TLS_ST_OK;
        } else {
            next = s->ext.ticket_expected ? TLS_ST_SW_SESSION_TICKET
                                          : TLS_ST_SW_CHANGE;
        }
        break;

    case TLS_ST_SW_SESSION_TICKET:
        next = TLS_ST_SW_CHANGE;
        break;

    case TLS_ST_SW_CHANGE:
        next = TLS_ST_SW_FINISHED;
        break;

    case TLS_ST_SW_FINISHED:
        if (s->hit) {
            /* Resumption: the client's CCS/Finished is still to come */
            return WRITE_TRAN_FINISHED;
        }
        next = TLS_ST_OK;
        break;
    }

    st->hand_state = next;
    return WRITE_TRAN_CONTINUE;
}
677e71b7053SJung-uk Kim
/*
 * Run the server-side preparation step for the handshake message that is
 * about to be written, selected by the current hand_state.
 *
 * |wst| is only forwarded to tls_finish_handshake(). Returns WORK_ERROR after
 * SSLfatal() has been raised, WORK_FINISHED_CONTINUE when the message may now
 * be constructed, or whatever dtls_wait_for_dry() / tls_finish_handshake()
 * report for the states that delegate to them.
 */
WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
{
    OSSL_STATEM *sm = &s->statem;

    switch (sm->hand_state) {
    case TLS_ST_SW_HELLO_REQ:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s))
            dtls1_clear_sent_buffer(s);
        return WORK_FINISHED_CONTINUE;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s)) {
            dtls1_clear_sent_buffer(s);
            /* HelloVerifyRequest is not buffered, so no retransmit timer */
            sm->use_timer = 0;
        }
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SRVR_HELLO:
        /*
         * From ServerHello onwards DTLS messages are buffered and may be
         * retransmitted, so the timer has to be armed.
         */
        if (SSL_IS_DTLS(s))
            sm->use_timer = 1;
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SRVR_DONE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
            /* Calls SSLfatal() as required */
            return dtls_wait_for_dry(s);
        }
#endif
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
        if (SSL_IS_TLS13(s) && s->sent_tickets == 0
                && s->ext.extra_tickets_expected == 0) {
            /*
             * The handshake is really over at this point, but we go straight
             * on to writing the NewSessionTicket. Finish the handshake while
             * keeping the various buffers alive. Calls SSLfatal() as required.
             */
            return tls_finish_handshake(s, wst, 0, 0);
        }
        /* Last flight: DTLS does not retransmit it unless it has to */
        if (SSL_IS_DTLS(s))
            sm->use_timer = 0;
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_CHANGE:
        if (SSL_IS_TLS13(s))
            return WORK_FINISHED_CONTINUE;
        /*
         * Writes to s->session are only safe for initial handshakes; a
         * session that already carries a *different* cipher is an internal
         * error rather than something to silently overwrite.
         */
        if (s->session->cipher == NULL) {
            s->session->cipher = s->s3.tmp.new_cipher;
        } else if (s->session->cipher != s->s3.tmp.new_cipher) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return WORK_ERROR;
        }
        if (!s->method->ssl3_enc->setup_key_block(s)) {
            /* SSLfatal() already called */
            return WORK_ERROR;
        }
        /*
         * Last flight again: the timer may already be off after a
         * NewSessionTicket, but clear it here in case no ticket was sent.
         */
        if (SSL_IS_DTLS(s))
            sm->use_timer = 0;
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_EARLY_DATA:
        if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
                && (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
            return WORK_FINISHED_CONTINUE;
        /* Otherwise this is handled exactly like TLS_ST_OK */
        return tls_finish_handshake(s, wst, 1, 1);

    case TLS_ST_OK:
        /* Calls SSLfatal() as required */
        return tls_finish_handshake(s, wst, 1, 1);

    default:
        /* Nothing to prepare for this state */
        return WORK_FINISHED_CONTINUE;
    }
}
784e71b7053SJung-uk Kim
/*
 * Report whether the last recorded system error means the peer closed the
 * connection: EPIPE or ECONNRESET, or the WinSock WSAECONNRESET where that
 * symbol exists. Each check is compiled only when the platform defines the
 * corresponding errno value. Returns 1 for a closed-connection error and 0
 * for anything else.
 */
static ossl_inline int conn_is_closed(void)
{
    int err = get_last_sys_error();

#if defined(EPIPE)
    if (err == EPIPE)
        return 1;
#endif
#if defined(ECONNRESET)
    if (err == ECONNRESET)
        return 1;
#endif
#if defined(WSAECONNRESET)
    if (err == WSAECONNRESET)
        return 1;
#endif
    return 0;
}
804e71b7053SJung-uk Kim
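/*
 * Perform any work that needs to be done after sending a message from the
 * server to the client, selected by the current hand_state.
 *
 * Several arms call statem_flush() and return WORK_MORE_A while the write BIO
 * is not drained yet, so the caller must re-enter this function. The
 * TLS_ST_SW_CHANGE and TLS_ST_SW_FINISHED arms install the new write (and,
 * for TLSv1.3, read) cipher states through the ssl3_enc method table.
 *
 * Returns WORK_FINISHED_CONTINUE on success, WORK_MORE_A when I/O has to be
 * retried, or WORK_ERROR after SSLfatal() has been raised.
 */
WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
{
    OSSL_STATEM *st = &s->statem;

    s->init_num = 0;

    switch (st->hand_state) {
    default:
        /* No post work to be done */
        break;

    case TLS_ST_SW_HELLO_REQ:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        if (!ssl3_init_finished_mac(s)) {
            /* SSLfatal() already called */
            return WORK_ERROR;
        }
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        /* HelloVerifyRequest resets Finished MAC */
        if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
            /* SSLfatal() already called */
            return WORK_ERROR;
        }
        /*
         * The next message should be another ClientHello which we need to
         * treat like it was the first packet
         */
        s->first_packet = 1;
        break;

    case TLS_ST_SW_SRVR_HELLO:
        if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) {
            if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
                    && statem_flush(s) != 1)
                return WORK_MORE_A;
            break;
        }
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
            size_t labellen;

            /*
             * Add new shared key for SCTP-Auth, will be ignored if no
             * SCTP used.
             */
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));

            /* Don't include the terminating zero. */
            labellen = sizeof(labelbuffer) - 1;
            if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
                labellen += 1;

            if (SSL_export_keying_material(s, sctpauthkey,
                                           sizeof(sctpauthkey), labelbuffer,
                                           labellen, NULL, 0,
                                           0) <= 0) {
                OPENSSL_cleanse(sctpauthkey, sizeof(sctpauthkey));
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                return WORK_ERROR;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
            /*
             * The exporter output is key material; once handed to the BIO
             * the stack copy must not be left behind for later frames to
             * read. Plain memset could be optimised away, hence cleanse.
             */
            OPENSSL_cleanse(sctpauthkey, sizeof(sctpauthkey));
        }
#endif
        if (!SSL_IS_TLS13(s)
                || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
                    && s->hello_retry_request != SSL_HRR_COMPLETE))
            break;
        /* Fall through */

    case TLS_ST_SW_CHANGE:
        if (s->hello_retry_request == SSL_HRR_PENDING) {
            if (!statem_flush(s))
                return WORK_MORE_A;
            break;
        }

        if (SSL_IS_TLS13(s)) {
            /* Derive the handshake keys and switch our write side to them */
            if (!s->method->ssl3_enc->setup_key_block(s)
                || !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
                /* SSLfatal() already called */
                return WORK_ERROR;
            }

            /*
             * If early data was accepted the read side stays on the early
             * traffic keys until EndOfEarlyData; otherwise switch it now.
             */
            if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED
                && !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) {
                /* SSLfatal() already called */
                return WORK_ERROR;
            }
            /*
             * We don't yet know whether the next record we are going to receive
             * is an unencrypted alert, an encrypted alert, or an encrypted
             * handshake message. We temporarily tolerate unencrypted alerts.
             */
            s->statem.enc_read_state = ENC_READ_STATE_ALLOW_PLAIN_ALERTS;
            break;
        }

#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && !s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        if (!s->method->ssl3_enc->change_cipher_state(s,
                SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
            /* SSLfatal() already called */
            return WORK_ERROR;
        }

        if (SSL_IS_DTLS(s))
            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
        break;

    case TLS_ST_SW_SRVR_DONE:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

    case TLS_ST_SW_FINISHED:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        if (SSL_IS_TLS13(s)) {
            /* TLS 1.3 gets the secret size from the handshake md */
            size_t dummy;

            /* Derive the master secret and move our write side to app keys */
            if (!s->method->ssl3_enc->generate_master_secret(s,
                    s->master_secret, s->handshake_secret, 0, &dummy)
                || !s->method->ssl3_enc->change_cipher_state(s,
                    SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
                /* SSLfatal() already called */
                return WORK_ERROR;
            }
        }
        break;

    case TLS_ST_SW_CERT_REQ:
        /* Only a post-handshake CertificateRequest is flushed on its own */
        if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
            if (statem_flush(s) != 1)
                return WORK_MORE_A;
        }
        break;

    case TLS_ST_SW_KEY_UPDATE:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        if (!tls13_update_key(s, 1)) {
            /* SSLfatal() already called */
            return WORK_ERROR;
        }
        break;

    case TLS_ST_SW_SESSION_TICKET:
        clear_sys_error();
        if (SSL_IS_TLS13(s) && statem_flush(s) != 1) {
            if (SSL_get_error(s, 0) == SSL_ERROR_SYSCALL
                    && conn_is_closed()) {
                /*
                 * We ignore connection closed errors in TLSv1.3 when sending a
                 * NewSessionTicket and behave as if we were successful. This is
                 * so that we are still able to read data sent to us by a client
                 * that closes soon after the end of the handshake without
                 * waiting to read our post-handshake NewSessionTickets.
                 */
                s->rwstate = SSL_NOTHING;
                break;
            }

            return WORK_MORE_A;
        }
        break;
    }

    return WORK_FINISHED_CONTINUE;
}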
1008e71b7053SJung-uk Kim
/*
 * Look up the construction function and handshake message type for the
 * message the server is about to send, based on the current hand_state.
 *
 * On success *confunc and *mt are set (confunc is NULL for messages that
 * have no body to construct) and 1 is returned. For a state that does not
 * send a message SSLfatal() is raised, the outputs are left untouched and 0
 * is returned. |pkt| is accepted for interface symmetry and not used here.
 */
int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
                                         confunc_f *confunc, int *mt)
{
    confunc_f fn = NULL;
    int type = 0;

    switch (s->statem.hand_state) {
    case TLS_ST_SW_HELLO_REQ:
        /* HelloRequest has an empty body: nothing to construct */
        type = SSL3_MT_HELLO_REQUEST;
        break;

    case TLS_ST_EARLY_DATA:
        /* Pseudo-state: no real message is written */
        type = SSL3_MT_DUMMY;
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        fn = dtls_construct_hello_verify_request;
        type = DTLS1_MT_HELLO_VERIFY_REQUEST;
        break;

    case TLS_ST_SW_SRVR_HELLO:
        fn = tls_construct_server_hello;
        type = SSL3_MT_SERVER_HELLO;
        break;

    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
        fn = tls_construct_encrypted_extensions;
        type = SSL3_MT_ENCRYPTED_EXTENSIONS;
        break;

    case TLS_ST_SW_CERT:
        fn = tls_construct_server_certificate;
        type = SSL3_MT_CERTIFICATE;
        break;

    case TLS_ST_SW_CERT_STATUS:
        fn = tls_construct_cert_status;
        type = SSL3_MT_CERTIFICATE_STATUS;
        break;

    case TLS_ST_SW_CERT_VRFY:
        fn = tls_construct_cert_verify;
        type = SSL3_MT_CERTIFICATE_VERIFY;
        break;

    case TLS_ST_SW_KEY_EXCH:
        fn = tls_construct_server_key_exchange;
        type = SSL3_MT_SERVER_KEY_EXCHANGE;
        break;

    case TLS_ST_SW_CERT_REQ:
        fn = tls_construct_certificate_request;
        type = SSL3_MT_CERTIFICATE_REQUEST;
        break;

    case TLS_ST_SW_SRVR_DONE:
        fn = tls_construct_server_done;
        type = SSL3_MT_SERVER_DONE;
        break;

    case TLS_ST_SW_CHANGE:
        /* DTLS and TLS use different ChangeCipherSpec builders */
        fn = SSL_IS_DTLS(s) ? dtls_construct_change_cipher_spec
                            : tls_construct_change_cipher_spec;
        type = SSL3_MT_CHANGE_CIPHER_SPEC;
        break;

    case TLS_ST_SW_FINISHED:
        fn = tls_construct_finished;
        type = SSL3_MT_FINISHED;
        break;

    case TLS_ST_SW_SESSION_TICKET:
        fn = tls_construct_new_session_ticket;
        type = SSL3_MT_NEWSESSION_TICKET;
        break;

    case TLS_ST_SW_KEY_UPDATE:
        fn = tls_construct_key_update;
        type = SSL3_MT_KEY_UPDATE;
        break;

    default:
        /* Shouldn't happen */
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE);
        return 0;
    }

    *confunc = fn;
    *mt = type;
    return 1;
}
1111e71b7053SJung-uk Kim
1112e71b7053SJung-uk Kim /*
1113e71b7053SJung-uk Kim * Maximum size (excluding the Handshake header) of a ClientHello message,
1114e71b7053SJung-uk Kim * calculated as follows:
1115e71b7053SJung-uk Kim *
1116e71b7053SJung-uk Kim * 2 + # client_version
1117e71b7053SJung-uk Kim * 32 + # only valid length for random
1118e71b7053SJung-uk Kim * 1 + # length of session_id
1119e71b7053SJung-uk Kim * 32 + # maximum size for session_id
1120e71b7053SJung-uk Kim * 2 + # length of cipher suites
1121e71b7053SJung-uk Kim * 2^16-2 + # maximum length of cipher suites array
1122e71b7053SJung-uk Kim * 1 + # length of compression_methods
1123e71b7053SJung-uk Kim * 2^8-1 + # maximum length of compression methods
1124e71b7053SJung-uk Kim * 2 + # length of extensions
1125e71b7053SJung-uk Kim * 2^16-1 # maximum length of extensions
1126e71b7053SJung-uk Kim */
1127e71b7053SJung-uk Kim #define CLIENT_HELLO_MAX_LENGTH 131396
1128e71b7053SJung-uk Kim
1129e71b7053SJung-uk Kim #define CLIENT_KEY_EXCH_MAX_LENGTH 2048
1130e71b7053SJung-uk Kim #define NEXT_PROTO_MAX_LENGTH 514
1131e71b7053SJung-uk Kim
/*
 * Upper bound (excluding the handshake header) on the body of the message the
 * server is currently expecting to read. These limits are what keeps a peer
 * from making us buffer arbitrarily large handshake messages. A bound of 0
 * means the state is not one in which a message is read at all.
 */
size_t ossl_statem_server_max_message_size(SSL *s)
{
    size_t limit = 0;

    switch (s->statem.hand_state) {
    case TLS_ST_SR_CLNT_HELLO:
        limit = CLIENT_HELLO_MAX_LENGTH;
        break;

    case TLS_ST_SR_END_OF_EARLY_DATA:
        limit = END_OF_EARLY_DATA_MAX_LENGTH;
        break;

    case TLS_ST_SR_CERT:
        /* Not a fixed constant: taken from the connection's max_cert_list */
        limit = s->max_cert_list;
        break;

    case TLS_ST_SR_KEY_EXCH:
        limit = CLIENT_KEY_EXCH_MAX_LENGTH;
        break;

    case TLS_ST_SR_CERT_VRFY:
        limit = SSL3_RT_MAX_PLAIN_LENGTH;
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        limit = NEXT_PROTO_MAX_LENGTH;
        break;
#endif

    case TLS_ST_SR_CHANGE:
        limit = CCS_MAX_LENGTH;
        break;

    case TLS_ST_SR_FINISHED:
        limit = FINISHED_MAX_LENGTH;
        break;

    case TLS_ST_SR_KEY_UPDATE:
        limit = KEY_UPDATE_MAX_LENGTH;
        break;

    default:
        /* Shouldn't happen: no message is read in this state */
        break;
    }

    return limit;
}
1175e71b7053SJung-uk Kim
/*
 * Dispatch a handshake message received from the client to the processing
 * routine for the state the server is in; the result is whatever that routine
 * reports. Being asked to process a message in a state that reads none is an
 * internal error.
 */
MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
{
    switch (s->statem.hand_state) {
    case TLS_ST_SR_CLNT_HELLO:
        return tls_process_client_hello(s, pkt);

    case TLS_ST_SR_END_OF_EARLY_DATA:
        return tls_process_end_of_early_data(s, pkt);

    case TLS_ST_SR_CERT:
        return tls_process_client_certificate(s, pkt);

    case TLS_ST_SR_KEY_EXCH:
        return tls_process_client_key_exchange(s, pkt);

    case TLS_ST_SR_CERT_VRFY:
        return tls_process_cert_verify(s, pkt);

    case TLS_ST_SR_CHANGE:
        return tls_process_change_cipher_spec(s, pkt);

    case TLS_ST_SR_FINISHED:
        return tls_process_finished(s, pkt);

    case TLS_ST_SR_KEY_UPDATE:
        return tls_process_key_update(s, pkt);

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return tls_process_next_proto(s, pkt);
#endif

    default:
        break;
    }

    /* Shouldn't happen */
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return MSG_PROCESS_ERROR;
}
1220e71b7053SJung-uk Kim
/*
 * Perform any further processing required following the receipt of a message
 * from the client. Only ClientHello and ClientKeyExchange have a
 * post-processing step; reaching here in any other state is an internal error.
 */
WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
{
    if (s->statem.hand_state == TLS_ST_SR_CLNT_HELLO)
        return tls_post_process_client_hello(s, wst);

    if (s->statem.hand_state == TLS_ST_SR_KEY_EXCH)
        return tls_post_process_client_key_exchange(s, wst);

    /* Shouldn't happen */
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return WORK_ERROR;
}
1242e71b7053SJung-uk Kim
1243e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SRP
/*
 * Validate the SRP part of a ClientHello once an SRP key exchange has been
 * selected and the application installed a username callback: a login name
 * must be present (RFC 5054 says a missing one SHOULD be rejected) and the
 * callback must accept it.
 *
 * Returns 1 on success (including when SRP is not in use or no callback is
 * set), 0 for a retryable error reported by the callback, and -1 for a fatal
 * error after SSLfatal() has been raised.
 */
static int ssl_check_srp_ext_ClientHello(SSL *s)
{
    int al = SSL_AD_UNRECOGNIZED_NAME;
    int ret;

    /* Nothing to verify unless SRP was negotiated and a callback exists */
    if ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) == 0
            || s->srp_ctx.TLS_ext_srp_username_callback == NULL)
        return 1;

    if (s->srp_ctx.login == NULL) {
        /* RFC 5054 says SHOULD reject: no SRP login name was supplied */
        SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
                 SSL_R_PSK_IDENTITY_NOT_FOUND);
        return -1;
    }

    ret = ssl_srp_server_param_with_username_intern(s, &al);
    if (ret < 0) {
        /* Callback wants to be asked again later */
        return 0;
    }
    if (ret == SSL3_AL_FATAL) {
        /* The callback chose the alert; map it to the matching reason code */
        SSLfatal(s, al,
                 al == SSL_AD_UNKNOWN_PSK_IDENTITY
                 ? SSL_R_PSK_IDENTITY_NOT_FOUND
                 : SSL_R_CLIENTHELLO_TLSEXT);
        return -1;
    }

    return 1;
}
1275e71b7053SJung-uk Kim #endif
1276e71b7053SJung-uk Kim
/*
 * Serialise the body of a DTLS HelloVerifyRequest into |pkt|: the protocol
 * version field, which is always DTLS 1.0 as RFC 6347 requires regardless of
 * the version being negotiated, followed by the cookie as a length-prefixed
 * vector (the _u8 WPACKET variant, i.e. a one-byte length). Returns 1 on
 * success and 0 if either write into the packet fails.
 */
int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
                                  size_t cookie_len)
{
    if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION))
        return 0;

    if (!WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
        return 0;

    return 1;
}
1287e71b7053SJung-uk Kim
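/*
 * Build a DTLS HelloVerifyRequest. The cookie is produced by the
 * application's cookie generation callback (s->ctx->app_gen_cookie_cb),
 * which writes into s->d1->cookie and reports the length through its
 * out-parameter; the reported length is then stored in s->d1->cookie_len.
 *
 * Security note: the callback is handed the buffer pointer but no buffer
 * size, so it is trusted not to overrun s->d1->cookie. The bound check below
 * can only reject an over-long *reported* length (> DTLS1_COOKIE_LENGTH),
 * not an overrun that already happened inside the callback.
 *
 * Returns 1 on success, or 0 after SSLfatal() when no callback is set, the
 * callback fails or reports an invalid length, or the message cannot be
 * written into |pkt|.
 */
int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
{
    /*
     * Initialised so that a callback which returns success without setting
     * the length cannot feed an indeterminate value into the bound check and
     * into s->d1->cookie_len.
     */
    unsigned int cookie_leni = 0;

    if (s->ctx->app_gen_cookie_cb == NULL
            || s->ctx->app_gen_cookie_cb(s, s->d1->cookie, &cookie_leni) == 0
            || cookie_leni > DTLS1_COOKIE_LENGTH) {
        SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
        return 0;
    }
    s->d1->cookie_len = cookie_leni;

    if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
                                       s->d1->cookie_len)) {
        SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}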
1308e71b7053SJung-uk Kim
1309e71b7053SJung-uk Kim /*-
1310e71b7053SJung-uk Kim * ssl_check_for_safari attempts to fingerprint Safari using OS X
1311e71b7053SJung-uk Kim * SecureTransport using the TLS extension block in |hello|.
1312e71b7053SJung-uk Kim * Safari, since 10.6, sends exactly these extensions, in this order:
1313e71b7053SJung-uk Kim * SNI,
1314e71b7053SJung-uk Kim * elliptic_curves
1315e71b7053SJung-uk Kim * ec_point_formats
1316e71b7053SJung-uk Kim * signature_algorithms (for TLSv1.2 only)
1317e71b7053SJung-uk Kim *
1318e71b7053SJung-uk Kim * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1319e71b7053SJung-uk Kim * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1320e71b7053SJung-uk Kim * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1321e71b7053SJung-uk Kim * 10.8..10.8.3 (which don't work).
1322e71b7053SJung-uk Kim */
ssl_check_for_safari(SSL * s,const CLIENTHELLO_MSG * hello)1323e71b7053SJung-uk Kim static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
1324e71b7053SJung-uk Kim {
1325e71b7053SJung-uk Kim static const unsigned char kSafariExtensionsBlock[] = {
1326e71b7053SJung-uk Kim 0x00, 0x0a, /* elliptic_curves extension */
1327e71b7053SJung-uk Kim 0x00, 0x08, /* 8 bytes */
1328e71b7053SJung-uk Kim 0x00, 0x06, /* 6 bytes of curve ids */
1329e71b7053SJung-uk Kim 0x00, 0x17, /* P-256 */
1330e71b7053SJung-uk Kim 0x00, 0x18, /* P-384 */
1331e71b7053SJung-uk Kim 0x00, 0x19, /* P-521 */
1332e71b7053SJung-uk Kim
1333e71b7053SJung-uk Kim 0x00, 0x0b, /* ec_point_formats */
1334e71b7053SJung-uk Kim 0x00, 0x02, /* 2 bytes */
1335e71b7053SJung-uk Kim 0x01, /* 1 point format */
1336e71b7053SJung-uk Kim 0x00, /* uncompressed */
1337e71b7053SJung-uk Kim /* The following is only present in TLS 1.2 */
1338e71b7053SJung-uk Kim 0x00, 0x0d, /* signature_algorithms */
1339e71b7053SJung-uk Kim 0x00, 0x0c, /* 12 bytes */
1340e71b7053SJung-uk Kim 0x00, 0x0a, /* 10 bytes */
1341e71b7053SJung-uk Kim 0x05, 0x01, /* SHA-384/RSA */
1342e71b7053SJung-uk Kim 0x04, 0x01, /* SHA-256/RSA */
1343e71b7053SJung-uk Kim 0x02, 0x01, /* SHA-1/RSA */
1344e71b7053SJung-uk Kim 0x04, 0x03, /* SHA-256/ECDSA */
1345e71b7053SJung-uk Kim 0x02, 0x03, /* SHA-1/ECDSA */
1346e71b7053SJung-uk Kim };
1347e71b7053SJung-uk Kim /* Length of the common prefix (first two extensions). */
1348e71b7053SJung-uk Kim static const size_t kSafariCommonExtensionsLength = 18;
1349e71b7053SJung-uk Kim unsigned int type;
1350e71b7053SJung-uk Kim PACKET sni, tmppkt;
1351e71b7053SJung-uk Kim size_t ext_len;
1352e71b7053SJung-uk Kim
1353e71b7053SJung-uk Kim tmppkt = hello->extensions;
1354e71b7053SJung-uk Kim
1355e71b7053SJung-uk Kim if (!PACKET_forward(&tmppkt, 2)
1356e71b7053SJung-uk Kim || !PACKET_get_net_2(&tmppkt, &type)
1357e71b7053SJung-uk Kim || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
1358e71b7053SJung-uk Kim return;
1359e71b7053SJung-uk Kim }
1360e71b7053SJung-uk Kim
1361e71b7053SJung-uk Kim if (type != TLSEXT_TYPE_server_name)
1362e71b7053SJung-uk Kim return;
1363e71b7053SJung-uk Kim
1364e71b7053SJung-uk Kim ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
1365e71b7053SJung-uk Kim sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
1366e71b7053SJung-uk Kim
1367b077aed3SPierre Pronchery s->s3.is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
1368e71b7053SJung-uk Kim ext_len);
1369e71b7053SJung-uk Kim }
1370b077aed3SPierre Pronchery
1371b077aed3SPierre Pronchery #define RENEG_OPTIONS_OK(options) \
1372b077aed3SPierre Pronchery ((options & SSL_OP_NO_RENEGOTIATION) == 0 \
1373b077aed3SPierre Pronchery && (options & SSL_OP_ALLOW_CLIENT_RENEGOTIATION) != 0)
1374e71b7053SJung-uk Kim
/*
 * Parse a ClientHello from |pkt| into a freshly allocated CLIENTHELLO_MSG.
 * Both the regular TLS/DTLS format and the SSLv2-format backwards-compatible
 * CLIENT-HELLO are handled.  On success the structure is stored in
 * s->clienthello (ownership passes to |s|) together with the collected raw
 * extensions, and MSG_PROCESS_CONTINUE_PROCESSING is returned.
 *
 * Returns MSG_PROCESS_FINISHED_READING, storing nothing, when an unexpected
 * renegotiation ClientHello is refused with a warning alert, or when DTLS
 * cookie exchange is required and the ClientHello carries no cookie.
 * Returns MSG_PROCESS_ERROR after SSLfatal() on any failure; everything
 * allocated here is released on that path.
 */
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
{
    /* |cookie| will only be initialized for DTLS. */
    PACKET session_id, compression, extensions, cookie;
    /* One-entry compression list used for the SSLv2-format hello. */
    static const unsigned char null_compression = 0;
    CLIENTHELLO_MSG *clienthello = NULL;

    /* Check if this is actually an unexpected renegotiation ClientHello */
    if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
        /* TLSv1.3 has no renegotiation; reaching here would be a bug. */
        if (!ossl_assert(!SSL_IS_TLS13(s))) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            goto err;
        }
        /*
         * Refuse unless the options permit renegotiation AND either the
         * peer signalled secure renegotiation (send_connection_binding) or
         * the application explicitly allows the legacy, unsafe form.
         * Refusal is a warning alert, not a fatal error.
         */
        if (!RENEG_OPTIONS_OK(s->options)
                || (!s->s3.send_connection_binding
                    && (s->options
                        & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) {
            ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
            return MSG_PROCESS_FINISHED_READING;
        }
        s->renegotiate = 1;
        s->new_session = 1;
    }

    /* Zero-initialised: pre_proc_exts starts out NULL (relied on by err:). */
    clienthello = OPENSSL_zalloc(sizeof(*clienthello));
    if (clienthello == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /*
     * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
     */
    clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
    PACKET_null_init(&cookie);

    if (clienthello->isv2) {
        unsigned int mt;

        /* The SSLv2-format hello is only valid as the very first message. */
        if (!SSL_IS_FIRST_HANDSHAKE(s)
                || s->hello_retry_request != SSL_HRR_NONE) {
            SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
            goto err;
        }

        /*-
         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
         * header is sent directly on the wire, not wrapped as a TLS
         * record. Our record layer just processes the message length and passes
         * the rest right through. Its format is:
         * Byte          Content
         * 0-1           msg_length - decoded by the record layer
         * 2             msg_type - s->init_msg points here
         * 3-4           version
         * 5-6           cipher_spec_length
         * 7-8           session_id_length
         * 9-10          challenge_length
         * ...           ...
         */

        if (!PACKET_get_1(pkt, &mt)
                || mt != SSL2_MT_CLIENT_HELLO) {
            /*
             * Should never happen. We should have tested this in the record
             * layer in order to have determined that this is a SSLv2 record
             * in the first place
             */
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            goto err;
        }
    }

    /* Both formats carry the 2-byte version next. */
    if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
        goto err;
    }

    /* Parse the message and load client random. */
    if (clienthello->isv2) {
        /*
         * Handle an SSLv2 backwards compatible ClientHello
         * Note, this is only for SSLv3+ using the backward compatible format.
         * Real SSLv2 is not supported, and is rejected below.
         */
        unsigned int ciphersuite_len, session_id_len, challenge_len;
        PACKET challenge;

        if (!PACKET_get_net_2(pkt, &ciphersuite_len)
                || !PACKET_get_net_2(pkt, &session_id_len)
                || !PACKET_get_net_2(pkt, &challenge_len)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RECORD_LENGTH_MISMATCH);
            goto err;
        }

        /*
         * The peer-supplied length is checked against the fixed-size
         * session_id buffer before PACKET_copy_bytes() writes into it.
         */
        if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_MISMATCH);
            goto err;
        }

        if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
                                   ciphersuite_len)
                || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
                || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
                /* No extensions. */
                || PACKET_remaining(pkt) != 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RECORD_LENGTH_MISMATCH);
            goto err;
        }
        clienthello->session_id_len = session_id_len;

        /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
         * here rather than sizeof(clienthello->random) because that is the limit
         * for SSLv3 and it is fixed. It won't change even if
         * sizeof(clienthello->random) does.
         */
        /*
         * The challenge is clamped to SSL3_RANDOM_SIZE and right-aligned in
         * the zeroed random field, so a shorter challenge is left-padded
         * with zeros.
         */
        challenge_len = challenge_len > SSL3_RANDOM_SIZE
                        ? SSL3_RANDOM_SIZE : challenge_len;
        memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
        if (!PACKET_copy_bytes(&challenge,
                               clienthello->random + SSL3_RANDOM_SIZE -
                               challenge_len, challenge_len)
                /* Advertise only null compression. */
                || !PACKET_buf_init(&compression, &null_compression, 1)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            goto err;
        }

        PACKET_null_init(&clienthello->extensions);
    } else {
        /* Regular ClientHello. */
        /* PACKET_copy_all() bounds the session id to the destination size. */
        if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
                || !PACKET_get_length_prefixed_1(pkt, &session_id)
                || !PACKET_copy_all(&session_id, clienthello->session_id,
                                    SSL_MAX_SSL_SESSION_ID_LENGTH,
                                    &clienthello->session_id_len)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
            goto err;
        }

        if (SSL_IS_DTLS(s)) {
            if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
                goto err;
            }
            /* Bounded to the DTLS1_COOKIE_LENGTH destination buffer. */
            if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
                                 DTLS1_COOKIE_LENGTH,
                                 &clienthello->dtls_cookie_len)) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                goto err;
            }
            /*
             * If we require cookies and this ClientHello doesn't contain one,
             * just return since we do not want to allocate any memory yet.
             * So check cookie length...
             */
            if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
                if (clienthello->dtls_cookie_len == 0) {
                    /*
                     * Nothing is retained: s->clienthello is not set and
                     * pre_proc_exts has not been allocated at this point.
                     */
                    OPENSSL_free(clienthello);
                    return MSG_PROCESS_FINISHED_READING;
                }
            }
        }

        if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
            goto err;
        }

        if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
            goto err;
        }

        /* Could be empty. */
        if (PACKET_remaining(pkt) == 0) {
            PACKET_null_init(&clienthello->extensions);
        } else {
            /* If present, the extensions block must consume the whole rest. */
            if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
                    || PACKET_remaining(pkt) != 0) {
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
                goto err;
            }
        }
    }

    /* Common to both formats; bounded to MAX_COMPRESSIONS_SIZE. */
    if (!PACKET_copy_all(&compression, clienthello->compressions,
                         MAX_COMPRESSIONS_SIZE,
                         &clienthello->compressions_len)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /* Preserve the raw extensions PACKET for later use */
    extensions = clienthello->extensions;
    /* Allocates clienthello->pre_proc_exts, released on the err: path. */
    if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
                                &clienthello->pre_proc_exts,
                                &clienthello->pre_proc_exts_len, 1)) {
        /* SSLfatal already been called */
        goto err;
    }
    /* Ownership of |clienthello| passes to |s| here. */
    s->clienthello = clienthello;

    return MSG_PROCESS_CONTINUE_PROCESSING;

 err:
    /*
     * pre_proc_exts may still be NULL; the unconditional free of
     * |clienthello| below likewise relies on OPENSSL_free accepting NULL.
     */
    if (clienthello != NULL)
        OPENSSL_free(clienthello->pre_proc_exts);
    OPENSSL_free(clienthello);

    return MSG_PROCESS_ERROR;
}
1586e71b7053SJung-uk Kim
tls_early_post_process_client_hello(SSL * s)1587e71b7053SJung-uk Kim static int tls_early_post_process_client_hello(SSL *s)
1588e71b7053SJung-uk Kim {
1589e71b7053SJung-uk Kim unsigned int j;
1590e71b7053SJung-uk Kim int i, al = SSL_AD_INTERNAL_ERROR;
1591e71b7053SJung-uk Kim int protverr;
1592e71b7053SJung-uk Kim size_t loop;
1593e71b7053SJung-uk Kim unsigned long id;
1594e71b7053SJung-uk Kim #ifndef OPENSSL_NO_COMP
1595e71b7053SJung-uk Kim SSL_COMP *comp = NULL;
1596e71b7053SJung-uk Kim #endif
1597e71b7053SJung-uk Kim const SSL_CIPHER *c;
1598e71b7053SJung-uk Kim STACK_OF(SSL_CIPHER) *ciphers = NULL;
1599e71b7053SJung-uk Kim STACK_OF(SSL_CIPHER) *scsvs = NULL;
1600e71b7053SJung-uk Kim CLIENTHELLO_MSG *clienthello = s->clienthello;
1601e71b7053SJung-uk Kim DOWNGRADE dgrd = DOWNGRADE_NONE;
1602e71b7053SJung-uk Kim
1603e71b7053SJung-uk Kim /* Finished parsing the ClientHello, now we can start processing it */
1604e71b7053SJung-uk Kim /* Give the ClientHello callback a crack at things */
1605e71b7053SJung-uk Kim if (s->ctx->client_hello_cb != NULL) {
1606e71b7053SJung-uk Kim /* A failure in the ClientHello callback terminates the connection. */
1607e71b7053SJung-uk Kim switch (s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg)) {
1608e71b7053SJung-uk Kim case SSL_CLIENT_HELLO_SUCCESS:
1609e71b7053SJung-uk Kim break;
1610e71b7053SJung-uk Kim case SSL_CLIENT_HELLO_RETRY:
1611e71b7053SJung-uk Kim s->rwstate = SSL_CLIENT_HELLO_CB;
1612e71b7053SJung-uk Kim return -1;
1613e71b7053SJung-uk Kim case SSL_CLIENT_HELLO_ERROR:
1614e71b7053SJung-uk Kim default:
1615b077aed3SPierre Pronchery SSLfatal(s, al, SSL_R_CALLBACK_FAILED);
1616e71b7053SJung-uk Kim goto err;
1617e71b7053SJung-uk Kim }
1618e71b7053SJung-uk Kim }
1619e71b7053SJung-uk Kim
1620e71b7053SJung-uk Kim /* Set up the client_random */
1621b077aed3SPierre Pronchery memcpy(s->s3.client_random, clienthello->random, SSL3_RANDOM_SIZE);
1622e71b7053SJung-uk Kim
1623e71b7053SJung-uk Kim /* Choose the version */
1624e71b7053SJung-uk Kim
1625e71b7053SJung-uk Kim if (clienthello->isv2) {
1626e71b7053SJung-uk Kim if (clienthello->legacy_version == SSL2_VERSION
1627e71b7053SJung-uk Kim || (clienthello->legacy_version & 0xff00)
1628e71b7053SJung-uk Kim != (SSL3_VERSION_MAJOR << 8)) {
1629e71b7053SJung-uk Kim /*
1630e71b7053SJung-uk Kim * This is real SSLv2 or something completely unknown. We don't
1631e71b7053SJung-uk Kim * support it.
1632e71b7053SJung-uk Kim */
1633b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNKNOWN_PROTOCOL);
1634e71b7053SJung-uk Kim goto err;
1635e71b7053SJung-uk Kim }
1636e71b7053SJung-uk Kim /* SSLv3/TLS */
1637e71b7053SJung-uk Kim s->client_version = clienthello->legacy_version;
1638e71b7053SJung-uk Kim }
1639e71b7053SJung-uk Kim /*
1640e71b7053SJung-uk Kim * Do SSL/TLS version negotiation if applicable. For DTLS we just check
1641e71b7053SJung-uk Kim * versions are potentially compatible. Version negotiation comes later.
1642e71b7053SJung-uk Kim */
1643e71b7053SJung-uk Kim if (!SSL_IS_DTLS(s)) {
1644e71b7053SJung-uk Kim protverr = ssl_choose_server_version(s, clienthello, &dgrd);
1645e71b7053SJung-uk Kim } else if (s->method->version != DTLS_ANY_VERSION &&
1646e71b7053SJung-uk Kim DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
1647e71b7053SJung-uk Kim protverr = SSL_R_VERSION_TOO_LOW;
1648e71b7053SJung-uk Kim } else {
1649e71b7053SJung-uk Kim protverr = 0;
1650e71b7053SJung-uk Kim }
1651e71b7053SJung-uk Kim
1652e71b7053SJung-uk Kim if (protverr) {
1653e71b7053SJung-uk Kim if (SSL_IS_FIRST_HANDSHAKE(s)) {
1654e71b7053SJung-uk Kim /* like ssl3_get_record, send alert using remote version number */
1655e71b7053SJung-uk Kim s->version = s->client_version = clienthello->legacy_version;
1656e71b7053SJung-uk Kim }
1657b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, protverr);
1658e71b7053SJung-uk Kim goto err;
1659e71b7053SJung-uk Kim }
1660e71b7053SJung-uk Kim
1661e71b7053SJung-uk Kim /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
1662e71b7053SJung-uk Kim if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
1663b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
1664e71b7053SJung-uk Kim goto err;
1665e71b7053SJung-uk Kim }
1666e71b7053SJung-uk Kim
1667e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) {
1668e71b7053SJung-uk Kim /* Empty cookie was already handled above by returning early. */
1669e71b7053SJung-uk Kim if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
1670e71b7053SJung-uk Kim if (s->ctx->app_verify_cookie_cb != NULL) {
1671e71b7053SJung-uk Kim if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie,
1672e71b7053SJung-uk Kim clienthello->dtls_cookie_len) == 0) {
1673e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1674e71b7053SJung-uk Kim SSL_R_COOKIE_MISMATCH);
1675e71b7053SJung-uk Kim goto err;
1676e71b7053SJung-uk Kim /* else cookie verification succeeded */
1677e71b7053SJung-uk Kim }
1678e71b7053SJung-uk Kim /* default verification */
1679e71b7053SJung-uk Kim } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
1680e71b7053SJung-uk Kim || memcmp(clienthello->dtls_cookie, s->d1->cookie,
1681e71b7053SJung-uk Kim s->d1->cookie_len) != 0) {
1682b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_COOKIE_MISMATCH);
1683e71b7053SJung-uk Kim goto err;
1684e71b7053SJung-uk Kim }
1685e71b7053SJung-uk Kim s->d1->cookie_verified = 1;
1686e71b7053SJung-uk Kim }
1687e71b7053SJung-uk Kim if (s->method->version == DTLS_ANY_VERSION) {
1688e71b7053SJung-uk Kim protverr = ssl_choose_server_version(s, clienthello, &dgrd);
1689e71b7053SJung-uk Kim if (protverr != 0) {
1690e71b7053SJung-uk Kim s->version = s->client_version;
1691b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_PROTOCOL_VERSION, protverr);
1692e71b7053SJung-uk Kim goto err;
1693e71b7053SJung-uk Kim }
1694e71b7053SJung-uk Kim }
1695e71b7053SJung-uk Kim }
1696e71b7053SJung-uk Kim
1697e71b7053SJung-uk Kim s->hit = 0;
1698e71b7053SJung-uk Kim
1699e71b7053SJung-uk Kim if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
1700e71b7053SJung-uk Kim clienthello->isv2) ||
1701e71b7053SJung-uk Kim !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs,
1702e71b7053SJung-uk Kim clienthello->isv2, 1)) {
1703e71b7053SJung-uk Kim /* SSLfatal() already called */
1704e71b7053SJung-uk Kim goto err;
1705e71b7053SJung-uk Kim }
1706e71b7053SJung-uk Kim
1707b077aed3SPierre Pronchery s->s3.send_connection_binding = 0;
1708e71b7053SJung-uk Kim /* Check what signalling cipher-suite values were received. */
1709e71b7053SJung-uk Kim if (scsvs != NULL) {
1710e71b7053SJung-uk Kim for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
1711e71b7053SJung-uk Kim c = sk_SSL_CIPHER_value(scsvs, i);
1712e71b7053SJung-uk Kim if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
1713e71b7053SJung-uk Kim if (s->renegotiate) {
1714e71b7053SJung-uk Kim /* SCSV is fatal if renegotiating */
1715e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1716e71b7053SJung-uk Kim SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1717e71b7053SJung-uk Kim goto err;
1718e71b7053SJung-uk Kim }
1719b077aed3SPierre Pronchery s->s3.send_connection_binding = 1;
1720e71b7053SJung-uk Kim } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
1721e71b7053SJung-uk Kim !ssl_check_version_downgrade(s)) {
1722e71b7053SJung-uk Kim /*
1723e71b7053SJung-uk Kim * This SCSV indicates that the client previously tried
1724e71b7053SJung-uk Kim * a higher version. We should fail if the current version
1725e71b7053SJung-uk Kim * is an unexpected downgrade, as that indicates that the first
1726e71b7053SJung-uk Kim * connection may have been tampered with in order to trigger
1727e71b7053SJung-uk Kim * an insecure downgrade.
1728e71b7053SJung-uk Kim */
1729e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK,
1730e71b7053SJung-uk Kim SSL_R_INAPPROPRIATE_FALLBACK);
1731e71b7053SJung-uk Kim goto err;
1732e71b7053SJung-uk Kim }
1733e71b7053SJung-uk Kim }
1734e71b7053SJung-uk Kim }
1735e71b7053SJung-uk Kim
1736e71b7053SJung-uk Kim /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
1737e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) {
1738e71b7053SJung-uk Kim const SSL_CIPHER *cipher =
1739e71b7053SJung-uk Kim ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
1740e71b7053SJung-uk Kim
1741e71b7053SJung-uk Kim if (cipher == NULL) {
1742b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER);
1743e71b7053SJung-uk Kim goto err;
1744e71b7053SJung-uk Kim }
1745e71b7053SJung-uk Kim if (s->hello_retry_request == SSL_HRR_PENDING
1746b077aed3SPierre Pronchery && (s->s3.tmp.new_cipher == NULL
1747b077aed3SPierre Pronchery || s->s3.tmp.new_cipher->id != cipher->id)) {
1748e71b7053SJung-uk Kim /*
1749e71b7053SJung-uk Kim * A previous HRR picked a different ciphersuite to the one we
1750e71b7053SJung-uk Kim * just selected. Something must have changed.
1751e71b7053SJung-uk Kim */
1752b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
1753e71b7053SJung-uk Kim goto err;
1754e71b7053SJung-uk Kim }
1755b077aed3SPierre Pronchery s->s3.tmp.new_cipher = cipher;
1756e71b7053SJung-uk Kim }
1757e71b7053SJung-uk Kim
1758e71b7053SJung-uk Kim /* We need to do this before getting the session */
1759e71b7053SJung-uk Kim if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
1760e71b7053SJung-uk Kim SSL_EXT_CLIENT_HELLO,
1761e71b7053SJung-uk Kim clienthello->pre_proc_exts, NULL, 0)) {
1762e71b7053SJung-uk Kim /* SSLfatal() already called */
1763e71b7053SJung-uk Kim goto err;
1764e71b7053SJung-uk Kim }
1765e71b7053SJung-uk Kim
1766e71b7053SJung-uk Kim /*
1767e71b7053SJung-uk Kim * We don't allow resumption in a backwards compatible ClientHello.
1768b077aed3SPierre Pronchery * In TLS1.1+, session_id MUST be empty.
1769e71b7053SJung-uk Kim *
1770e71b7053SJung-uk Kim * Versions before 0.9.7 always allow clients to resume sessions in
1771e71b7053SJung-uk Kim * renegotiation. 0.9.7 and later allow this by default, but optionally
1772e71b7053SJung-uk Kim * ignore resumption requests with flag
1773e71b7053SJung-uk Kim * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
1774e71b7053SJung-uk Kim * than a change to default behavior so that applications relying on
1775e71b7053SJung-uk Kim * this for security won't even compile against older library versions).
1776e71b7053SJung-uk Kim * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
1777e71b7053SJung-uk Kim * request renegotiation but not a new session (s->new_session remains
1778e71b7053SJung-uk Kim * unset): for servers, this essentially just means that the
1779e71b7053SJung-uk Kim * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
1780e71b7053SJung-uk Kim * ignored.
1781e71b7053SJung-uk Kim */
1782e71b7053SJung-uk Kim if (clienthello->isv2 ||
1783e71b7053SJung-uk Kim (s->new_session &&
1784e71b7053SJung-uk Kim (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
1785e71b7053SJung-uk Kim if (!ssl_get_new_session(s, 1)) {
1786e71b7053SJung-uk Kim /* SSLfatal() already called */
1787e71b7053SJung-uk Kim goto err;
1788e71b7053SJung-uk Kim }
1789e71b7053SJung-uk Kim } else {
1790e71b7053SJung-uk Kim i = ssl_get_prev_session(s, clienthello);
1791e71b7053SJung-uk Kim if (i == 1) {
1792e71b7053SJung-uk Kim /* previous session */
1793e71b7053SJung-uk Kim s->hit = 1;
1794e71b7053SJung-uk Kim } else if (i == -1) {
1795e71b7053SJung-uk Kim /* SSLfatal() already called */
1796e71b7053SJung-uk Kim goto err;
1797e71b7053SJung-uk Kim } else {
1798e71b7053SJung-uk Kim /* i == 0 */
1799e71b7053SJung-uk Kim if (!ssl_get_new_session(s, 1)) {
1800e71b7053SJung-uk Kim /* SSLfatal() already called */
1801e71b7053SJung-uk Kim goto err;
1802e71b7053SJung-uk Kim }
1803e71b7053SJung-uk Kim }
1804e71b7053SJung-uk Kim }
1805e71b7053SJung-uk Kim
1806e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) {
1807e71b7053SJung-uk Kim memcpy(s->tmp_session_id, s->clienthello->session_id,
1808e71b7053SJung-uk Kim s->clienthello->session_id_len);
1809e71b7053SJung-uk Kim s->tmp_session_id_len = s->clienthello->session_id_len;
1810e71b7053SJung-uk Kim }
1811e71b7053SJung-uk Kim
1812e71b7053SJung-uk Kim /*
1813e71b7053SJung-uk Kim * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
1814e71b7053SJung-uk Kim * ciphersuite compatibility with the session as part of resumption.
1815e71b7053SJung-uk Kim */
1816e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s) && s->hit) {
1817e71b7053SJung-uk Kim j = 0;
1818e71b7053SJung-uk Kim id = s->session->cipher->id;
1819e71b7053SJung-uk Kim
1820b077aed3SPierre Pronchery OSSL_TRACE_BEGIN(TLS_CIPHER) {
1821b077aed3SPierre Pronchery BIO_printf(trc_out, "client sent %d ciphers\n",
1822b077aed3SPierre Pronchery sk_SSL_CIPHER_num(ciphers));
1823b077aed3SPierre Pronchery }
1824e71b7053SJung-uk Kim for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1825e71b7053SJung-uk Kim c = sk_SSL_CIPHER_value(ciphers, i);
1826b077aed3SPierre Pronchery if (trc_out != NULL)
1827b077aed3SPierre Pronchery BIO_printf(trc_out, "client [%2d of %2d]:%s\n", i,
1828b077aed3SPierre Pronchery sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
1829e71b7053SJung-uk Kim if (c->id == id) {
1830e71b7053SJung-uk Kim j = 1;
1831e71b7053SJung-uk Kim break;
1832e71b7053SJung-uk Kim }
1833e71b7053SJung-uk Kim }
1834e71b7053SJung-uk Kim if (j == 0) {
1835e71b7053SJung-uk Kim /*
1836e71b7053SJung-uk Kim * we need to have the cipher in the cipher list if we are asked
1837e71b7053SJung-uk Kim * to reuse it
1838e71b7053SJung-uk Kim */
1839e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1840e71b7053SJung-uk Kim SSL_R_REQUIRED_CIPHER_MISSING);
1841b077aed3SPierre Pronchery OSSL_TRACE_CANCEL(TLS_CIPHER);
1842e71b7053SJung-uk Kim goto err;
1843e71b7053SJung-uk Kim }
1844b077aed3SPierre Pronchery OSSL_TRACE_END(TLS_CIPHER);
1845e71b7053SJung-uk Kim }
1846e71b7053SJung-uk Kim
1847e71b7053SJung-uk Kim for (loop = 0; loop < clienthello->compressions_len; loop++) {
1848e71b7053SJung-uk Kim if (clienthello->compressions[loop] == 0)
1849e71b7053SJung-uk Kim break;
1850e71b7053SJung-uk Kim }
1851e71b7053SJung-uk Kim
1852e71b7053SJung-uk Kim if (loop >= clienthello->compressions_len) {
1853e71b7053SJung-uk Kim /* no compress */
1854b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_COMPRESSION_SPECIFIED);
1855e71b7053SJung-uk Kim goto err;
1856e71b7053SJung-uk Kim }
1857e71b7053SJung-uk Kim
1858e71b7053SJung-uk Kim if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1859e71b7053SJung-uk Kim ssl_check_for_safari(s, clienthello);
1860e71b7053SJung-uk Kim
1861e71b7053SJung-uk Kim /* TLS extensions */
1862e71b7053SJung-uk Kim if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
1863e71b7053SJung-uk Kim clienthello->pre_proc_exts, NULL, 0, 1)) {
1864e71b7053SJung-uk Kim /* SSLfatal() already called */
1865e71b7053SJung-uk Kim goto err;
1866e71b7053SJung-uk Kim }
1867e71b7053SJung-uk Kim
1868e71b7053SJung-uk Kim /*
1869e71b7053SJung-uk Kim * Check if we want to use external pre-shared secret for this handshake
1870e71b7053SJung-uk Kim * for not reused session only. We need to generate server_random before
1871e71b7053SJung-uk Kim * calling tls_session_secret_cb in order to allow SessionTicket
1872e71b7053SJung-uk Kim * processing to use it in key derivation.
1873e71b7053SJung-uk Kim */
1874e71b7053SJung-uk Kim {
1875e71b7053SJung-uk Kim unsigned char *pos;
1876b077aed3SPierre Pronchery pos = s->s3.server_random;
1877e71b7053SJung-uk Kim if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
1878b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1879e71b7053SJung-uk Kim goto err;
1880e71b7053SJung-uk Kim }
1881e71b7053SJung-uk Kim }
1882e71b7053SJung-uk Kim
1883e71b7053SJung-uk Kim if (!s->hit
1884e71b7053SJung-uk Kim && s->version >= TLS1_VERSION
1885e71b7053SJung-uk Kim && !SSL_IS_TLS13(s)
1886e71b7053SJung-uk Kim && !SSL_IS_DTLS(s)
1887e71b7053SJung-uk Kim && s->ext.session_secret_cb) {
1888e71b7053SJung-uk Kim const SSL_CIPHER *pref_cipher = NULL;
1889e71b7053SJung-uk Kim /*
1890e71b7053SJung-uk Kim * s->session->master_key_length is a size_t, but this is an int for
1891e71b7053SJung-uk Kim * backwards compat reasons
1892e71b7053SJung-uk Kim */
1893e71b7053SJung-uk Kim int master_key_length;
1894e71b7053SJung-uk Kim
1895e71b7053SJung-uk Kim master_key_length = sizeof(s->session->master_key);
1896e71b7053SJung-uk Kim if (s->ext.session_secret_cb(s, s->session->master_key,
1897e71b7053SJung-uk Kim &master_key_length, ciphers,
1898e71b7053SJung-uk Kim &pref_cipher,
1899e71b7053SJung-uk Kim s->ext.session_secret_cb_arg)
1900e71b7053SJung-uk Kim && master_key_length > 0) {
1901e71b7053SJung-uk Kim s->session->master_key_length = master_key_length;
1902e71b7053SJung-uk Kim s->hit = 1;
1903da327cd2SJung-uk Kim s->peer_ciphers = ciphers;
1904e71b7053SJung-uk Kim s->session->verify_result = X509_V_OK;
1905e71b7053SJung-uk Kim
1906e71b7053SJung-uk Kim ciphers = NULL;
1907e71b7053SJung-uk Kim
1908e71b7053SJung-uk Kim /* check if some cipher was preferred by call back */
1909e71b7053SJung-uk Kim if (pref_cipher == NULL)
1910da327cd2SJung-uk Kim pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers,
1911e71b7053SJung-uk Kim SSL_get_ciphers(s));
1912e71b7053SJung-uk Kim if (pref_cipher == NULL) {
1913b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER);
1914e71b7053SJung-uk Kim goto err;
1915e71b7053SJung-uk Kim }
1916e71b7053SJung-uk Kim
1917e71b7053SJung-uk Kim s->session->cipher = pref_cipher;
1918e71b7053SJung-uk Kim sk_SSL_CIPHER_free(s->cipher_list);
1919da327cd2SJung-uk Kim s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers);
1920e71b7053SJung-uk Kim sk_SSL_CIPHER_free(s->cipher_list_by_id);
1921da327cd2SJung-uk Kim s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
1922e71b7053SJung-uk Kim }
1923e71b7053SJung-uk Kim }
1924e71b7053SJung-uk Kim
1925e71b7053SJung-uk Kim /*
1926e71b7053SJung-uk Kim * Worst case, we will use the NULL compression, but if we have other
1927e71b7053SJung-uk Kim * options, we will now look for them. We have complen-1 compression
1928e71b7053SJung-uk Kim * algorithms from the client, starting at q.
1929e71b7053SJung-uk Kim */
1930b077aed3SPierre Pronchery s->s3.tmp.new_compression = NULL;
1931e71b7053SJung-uk Kim if (SSL_IS_TLS13(s)) {
1932e71b7053SJung-uk Kim /*
1933e71b7053SJung-uk Kim * We already checked above that the NULL compression method appears in
1934e71b7053SJung-uk Kim * the list. Now we check there aren't any others (which is illegal in
1935e71b7053SJung-uk Kim * a TLSv1.3 ClientHello.
1936e71b7053SJung-uk Kim */
1937e71b7053SJung-uk Kim if (clienthello->compressions_len != 1) {
1938e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1939e71b7053SJung-uk Kim SSL_R_INVALID_COMPRESSION_ALGORITHM);
1940e71b7053SJung-uk Kim goto err;
1941e71b7053SJung-uk Kim }
1942e71b7053SJung-uk Kim }
1943e71b7053SJung-uk Kim #ifndef OPENSSL_NO_COMP
1944e71b7053SJung-uk Kim /* This only happens if we have a cache hit */
1945e71b7053SJung-uk Kim else if (s->session->compress_meth != 0) {
1946e71b7053SJung-uk Kim int m, comp_id = s->session->compress_meth;
1947e71b7053SJung-uk Kim unsigned int k;
1948e71b7053SJung-uk Kim /* Perform sanity checks on resumed compression algorithm */
1949e71b7053SJung-uk Kim /* Can't disable compression */
1950e71b7053SJung-uk Kim if (!ssl_allow_compression(s)) {
1951e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1952e71b7053SJung-uk Kim SSL_R_INCONSISTENT_COMPRESSION);
1953e71b7053SJung-uk Kim goto err;
1954e71b7053SJung-uk Kim }
1955e71b7053SJung-uk Kim /* Look for resumed compression method */
1956e71b7053SJung-uk Kim for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
1957e71b7053SJung-uk Kim comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1958e71b7053SJung-uk Kim if (comp_id == comp->id) {
1959b077aed3SPierre Pronchery s->s3.tmp.new_compression = comp;
1960e71b7053SJung-uk Kim break;
1961e71b7053SJung-uk Kim }
1962e71b7053SJung-uk Kim }
1963b077aed3SPierre Pronchery if (s->s3.tmp.new_compression == NULL) {
1964e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1965e71b7053SJung-uk Kim SSL_R_INVALID_COMPRESSION_ALGORITHM);
1966e71b7053SJung-uk Kim goto err;
1967e71b7053SJung-uk Kim }
1968e71b7053SJung-uk Kim /* Look for resumed method in compression list */
1969e71b7053SJung-uk Kim for (k = 0; k < clienthello->compressions_len; k++) {
1970e71b7053SJung-uk Kim if (clienthello->compressions[k] == comp_id)
1971e71b7053SJung-uk Kim break;
1972e71b7053SJung-uk Kim }
1973e71b7053SJung-uk Kim if (k >= clienthello->compressions_len) {
1974e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1975e71b7053SJung-uk Kim SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
1976e71b7053SJung-uk Kim goto err;
1977e71b7053SJung-uk Kim }
1978e71b7053SJung-uk Kim } else if (s->hit) {
1979e71b7053SJung-uk Kim comp = NULL;
1980e71b7053SJung-uk Kim } else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
1981e71b7053SJung-uk Kim /* See if we have a match */
1982e71b7053SJung-uk Kim int m, nn, v, done = 0;
1983e71b7053SJung-uk Kim unsigned int o;
1984e71b7053SJung-uk Kim
1985e71b7053SJung-uk Kim nn = sk_SSL_COMP_num(s->ctx->comp_methods);
1986e71b7053SJung-uk Kim for (m = 0; m < nn; m++) {
1987e71b7053SJung-uk Kim comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1988e71b7053SJung-uk Kim v = comp->id;
1989e71b7053SJung-uk Kim for (o = 0; o < clienthello->compressions_len; o++) {
1990e71b7053SJung-uk Kim if (v == clienthello->compressions[o]) {
1991e71b7053SJung-uk Kim done = 1;
1992e71b7053SJung-uk Kim break;
1993e71b7053SJung-uk Kim }
1994e71b7053SJung-uk Kim }
1995e71b7053SJung-uk Kim if (done)
1996e71b7053SJung-uk Kim break;
1997e71b7053SJung-uk Kim }
1998e71b7053SJung-uk Kim if (done)
1999b077aed3SPierre Pronchery s->s3.tmp.new_compression = comp;
2000e71b7053SJung-uk Kim else
2001e71b7053SJung-uk Kim comp = NULL;
2002e71b7053SJung-uk Kim }
2003e71b7053SJung-uk Kim #else
2004e71b7053SJung-uk Kim /*
2005e71b7053SJung-uk Kim * If compression is disabled we'd better not try to resume a session
2006e71b7053SJung-uk Kim * using compression.
2007e71b7053SJung-uk Kim */
2008e71b7053SJung-uk Kim if (s->session->compress_meth != 0) {
2009b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION);
2010e71b7053SJung-uk Kim goto err;
2011e71b7053SJung-uk Kim }
2012e71b7053SJung-uk Kim #endif
2013e71b7053SJung-uk Kim
2014e71b7053SJung-uk Kim /*
2015da327cd2SJung-uk Kim * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher
2016e71b7053SJung-uk Kim */
2017e71b7053SJung-uk Kim
2018e71b7053SJung-uk Kim if (!s->hit || SSL_IS_TLS13(s)) {
2019da327cd2SJung-uk Kim sk_SSL_CIPHER_free(s->peer_ciphers);
2020da327cd2SJung-uk Kim s->peer_ciphers = ciphers;
2021e71b7053SJung-uk Kim if (ciphers == NULL) {
2022b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2023e71b7053SJung-uk Kim goto err;
2024e71b7053SJung-uk Kim }
2025e71b7053SJung-uk Kim ciphers = NULL;
2026e71b7053SJung-uk Kim }
2027e71b7053SJung-uk Kim
2028e71b7053SJung-uk Kim if (!s->hit) {
2029e71b7053SJung-uk Kim #ifdef OPENSSL_NO_COMP
2030e71b7053SJung-uk Kim s->session->compress_meth = 0;
2031e71b7053SJung-uk Kim #else
2032e71b7053SJung-uk Kim s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
2033e71b7053SJung-uk Kim #endif
2034da327cd2SJung-uk Kim if (!tls1_set_server_sigalgs(s)) {
2035da327cd2SJung-uk Kim /* SSLfatal() already called */
2036da327cd2SJung-uk Kim goto err;
2037da327cd2SJung-uk Kim }
2038e71b7053SJung-uk Kim }
2039e71b7053SJung-uk Kim
2040e71b7053SJung-uk Kim sk_SSL_CIPHER_free(ciphers);
2041e71b7053SJung-uk Kim sk_SSL_CIPHER_free(scsvs);
2042e71b7053SJung-uk Kim OPENSSL_free(clienthello->pre_proc_exts);
2043e71b7053SJung-uk Kim OPENSSL_free(s->clienthello);
2044e71b7053SJung-uk Kim s->clienthello = NULL;
2045e71b7053SJung-uk Kim return 1;
2046e71b7053SJung-uk Kim err:
2047e71b7053SJung-uk Kim sk_SSL_CIPHER_free(ciphers);
2048e71b7053SJung-uk Kim sk_SSL_CIPHER_free(scsvs);
2049e71b7053SJung-uk Kim OPENSSL_free(clienthello->pre_proc_exts);
2050e71b7053SJung-uk Kim OPENSSL_free(s->clienthello);
2051e71b7053SJung-uk Kim s->clienthello = NULL;
2052e71b7053SJung-uk Kim
2053e71b7053SJung-uk Kim return 0;
2054e71b7053SJung-uk Kim }
2055e71b7053SJung-uk Kim
/*
 * Run the application's certificate-status callback when the client asked
 * for a certificate status and a callback is registered on the SSL_CTX.
 *
 * s->ext.status_expected is cleared on entry and only set to 1 when the
 * callback returns SSL_TLSEXT_ERR_OK and an OCSP response (s->ext.ocsp.resp)
 * is present.  It stays 0 when the client requested nothing, no callback is
 * set, the callback answers SSL_TLSEXT_ERR_NOACK, or no certificate has been
 * selected yet (there is no status to report without one).
 *
 * Ordering matters: this must run after the servername callbacks, because
 * the certificate may have changed, and after the cipher has been chosen,
 * because that can influence which certificate is sent.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
static int tls_handle_status_request(SSL *s)
{
    int cb_ret;

    s->ext.status_expected = 0;

    /* Nothing requested, or nobody to ask: nothing to do. */
    if (s->ext.status_type == TLSEXT_STATUSTYPE_nothing
        || s->ctx == NULL
        || s->ctx->ext.status_cb == NULL)
        return 1;

    /* If no certificate can't return certificate status */
    if (s->s3.tmp.cert == NULL)
        return 1;

    /*
     * Make the certificate we are about to use the current one so that
     * SSL_get_certificate() et al inside the callback pick it up.
     */
    s->cert->key = s->s3.tmp.cert;
    cb_ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);

    if (cb_ret == SSL_TLSEXT_ERR_NOACK) {
        /* Application does not want a status request response sent */
        s->ext.status_expected = 0;
        return 1;
    }
    if (cb_ret == SSL_TLSEXT_ERR_OK) {
        /* Only promise a response if we actually hold one */
        if (s->ext.ocsp.resp)
            s->ext.status_expected = 1;
        return 1;
    }

    /* SSL_TLSEXT_ERR_ALERT_FATAL, or an unexpected return value */
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CLIENTHELLO_TLSEXT);
    return 0;
}
2103e71b7053SJung-uk Kim
/*
 * Run the application's ALPN selection callback, if one is registered and
 * the client proposed any protocols, and record the outcome.
 *
 * On SSL_TLSEXT_ERR_OK the chosen protocol is copied into s->s3.alpn_selected
 * (replacing any earlier value) and, for a new session only, into
 * s->session->ext.alpn_selected as well.  A choice that differs from the one
 * stored in a resumed session marks early data as unusable.  On
 * SSL_TLSEXT_ERR_NOACK the callback is treated as if it were not present.
 * Any other return value is a handshake failure.
 *
 * When no protocol is selected here (no callback, nothing proposed, or NOACK)
 * but the session already carries one, the two are inconsistent and early
 * data is likewise disabled.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
int tls_handle_alpn(SSL *s)
{
    const unsigned char *chosen = NULL;
    unsigned char chosen_len = 0;
    int cb_ret;

    if (s->ctx->ext.alpn_select_cb == NULL || s->s3.alpn_proposed == NULL)
        goto no_selection;

    cb_ret = s->ctx->ext.alpn_select_cb(s, &chosen, &chosen_len,
                                        s->s3.alpn_proposed,
                                        (unsigned int)s->s3.alpn_proposed_len,
                                        s->ctx->ext.alpn_select_cb_arg);

    /* NOACK: behave exactly as if no callback had been registered. */
    if (cb_ret == SSL_TLSEXT_ERR_NOACK)
        goto no_selection;

    if (cb_ret != SSL_TLSEXT_ERR_OK) {
        SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL,
                 SSL_R_NO_APPLICATION_PROTOCOL);
        return 0;
    }

    /* The callback picked a protocol: keep our own copy of it. */
    OPENSSL_free(s->s3.alpn_selected);
    s->s3.alpn_selected = OPENSSL_memdup(chosen, chosen_len);
    if (s->s3.alpn_selected == NULL) {
        s->s3.alpn_selected_len = 0;
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    s->s3.alpn_selected_len = chosen_len;
#ifndef OPENSSL_NO_NEXTPROTONEG
    /* ALPN takes precedence over NPN. */
    s->s3.npn_seen = 0;
#endif

    /* Same protocol as the session already holds: nothing more to do. */
    if (s->session->ext.alpn_selected != NULL
        && chosen_len == s->session->ext.alpn_selected_len
        && memcmp(chosen, s->session->ext.alpn_selected, chosen_len) == 0)
        return 1;

    /* Not consistent with the session, so it can't be used for early_data */
    s->ext.early_data_ok = 0;

    /* For a resumed session the stored value is left untouched. */
    if (s->hit)
        return 1;

    /*
     * This is a new session, so alpn_selected should have been initialised
     * to NULL; record the negotiated protocol in it.
     */
    if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    s->session->ext.alpn_selected = OPENSSL_memdup(chosen, chosen_len);
    if (s->session->ext.alpn_selected == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    s->session->ext.alpn_selected_len = chosen_len;
    return 1;

 no_selection:
    /* Nothing selected now, but the session has a protocol: not consistent */
    if (s->session->ext.alpn_selected != NULL)
        s->ext.early_data_ok = 0;
    return 1;
}
2183e71b7053SJung-uk Kim
/*
 * Second stage of ClientHello processing, run after tls_process_client_hello.
 *
 * This is a resumable state machine: wst names the stage to (re)enter, and a
 * stage that has to wait on an application callback returns its own
 * WORK_MORE_* value so the caller can come back to it later.
 *
 *   WORK_MORE_A  early ClientHello processing (tls_early_post_process_client_hello)
 *   WORK_MORE_B  certificate callback, cipher and sigalg selection, then the
 *                status_request and ALPN callbacks
 *   WORK_MORE_C  SRP ClientHello extension check (only when SRP is compiled in)
 *
 * Returns WORK_FINISHED_STOP when all stages are done, WORK_MORE_A/B/C when
 * a stage must be re-entered, or WORK_ERROR on failure (SSLfatal() has been
 * called).
 */
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
{
    switch (wst) {
    case WORK_MORE_A: {
        int early_rv = tls_early_post_process_client_hello(s);

        if (early_rv == 0) {
            /* SSLfatal() was already called */
            goto err;
        }
        if (early_rv < 0)
            return WORK_MORE_A;
    }
    /* fall through */
    case WORK_MORE_B:
        if (s->hit && !SSL_IS_TLS13(s)) {
            /* Session-id reuse: the cipher comes from the resumed session */
            s->s3.tmp.new_cipher = s->session->cipher;
        } else {
            /* Let cert callback update server certificates if required */
            if (!s->hit && s->cert->cert_cb != NULL) {
                int cb_rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);

                if (cb_rv == 0) {
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CERT_CB_ERROR);
                    goto err;
                }
                if (cb_rv < 0) {
                    /* Callback wants to be retried later */
                    s->rwstate = SSL_X509_LOOKUP;
                    return WORK_MORE_B;
                }
                s->rwstate = SSL_NOTHING;
            }

            /* In TLSv1.3 we selected the ciphersuite before resumption */
            if (!SSL_IS_TLS13(s)) {
                const SSL_CIPHER *chosen =
                    ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(s));

                if (chosen == NULL) {
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_R_NO_SHARED_CIPHER);
                    goto err;
                }
                s->s3.tmp.new_cipher = chosen;
            }

            if (!s->hit) {
                if (!tls_choose_sigalg(s, 1)) {
                    /* SSLfatal already called */
                    goto err;
                }
                /* check whether we should disable session resumption */
                if (s->not_resumable_session_cb != NULL) {
                    int is_ephemeral_kex =
                        (s->s3.tmp.new_cipher->algorithm_mkey
                         & (SSL_kDHE | SSL_kECDHE)) != 0;

                    s->session->not_resumable =
                        s->not_resumable_session_cb(s, is_ephemeral_kex);
                }
                if (s->session->not_resumable) {
                    /* do not send a session ticket */
                    s->ext.ticket_expected = 0;
                }
            }
        }

        /*
         * At this point s->session, s->hit and s->s3.tmp.new_cipher are all
         * set up, so the remaining callbacks can look at them.
         */

        /*
         * Call status_request callback if needed. Has to be done after the
         * certificate callbacks etc above.
         */
        if (!tls_handle_status_request(s)) {
            /* SSLfatal() already called */
            goto err;
        }
        /*
         * Call alpn_select callback if needed. Has to be done after SNI and
         * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
         * we already did this because cipher negotiation happens earlier, and
         * we must handle ALPN before we decide whether to accept early_data.
         */
        if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) {
            /* SSLfatal() already called */
            goto err;
        }
#ifndef OPENSSL_NO_SRP
        /* fall through */
    case WORK_MORE_C: {
        int srp_rv = ssl_check_srp_ext_ClientHello(s);

        if (srp_rv == 0) {
            /* callback indicates further work to be done */
            s->rwstate = SSL_X509_LOOKUP;
            return WORK_MORE_C;
        }
        if (srp_rv < 0) {
            /* SSLfatal() already called */
            goto err;
        }
    }
#endif
        break;
    default:
        /* No stage left to run for this wst */
        break;
    }

    return WORK_FINISHED_STOP;
 err:
    return WORK_ERROR;
}
2300e71b7053SJung-uk Kim
/*
 * Compression method byte for the ServerHello: 0 (none) for TLSv1.3 and
 * HelloRetryRequest, or when no compression method was negotiated, otherwise
 * the id of the method selected while processing the ClientHello.
 */
static int server_hello_compression_id(const SSL *s, int usetls13)
{
#ifdef OPENSSL_NO_COMP
    (void)s;
    (void)usetls13;
    return 0;
#else
    if (usetls13 || s->s3.tmp.new_compression == NULL)
        return 0;
    return s->s3.tmp.new_compression->id;
#endif
}

/*
 * Extension context to build the ServerHello/HelloRetryRequest extensions in.
 */
static unsigned int server_hello_ext_context(const SSL *s)
{
    if (s->hello_retry_request == SSL_HRR_PENDING)
        return SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST;
    return SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO
                           : SSL_EXT_TLS1_2_SERVER_HELLO;
}

/*
 * Construct the ServerHello (or, when s->hello_retry_request is
 * SSL_HRR_PENDING, the HelloRetryRequest, which has the same wire shape).
 *
 * Writes version, random, session id, cipher, compression method and
 * extensions into pkt.  For a HelloRetryRequest the current session is
 * discarded and the transcript hash re-initialised with a synthetic
 * message_hash; otherwise, when peer verification is off, the cached
 * handshake records are digested now.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
int tls_construct_server_hello(SSL *s, WPACKET *pkt)
{
    const int hrr = (s->hello_retry_request == SSL_HRR_PENDING);
    const int usetls13 = SSL_IS_TLS13(s) || hrr;
    /*
     * The server_random was filled in tls_process_client_hello(); a
     * HelloRetryRequest carries the fixed hrrrandom value instead.
     */
    const unsigned char *server_random = hrr ? hrrrandom : s->s3.server_random;
    unsigned char *session_id;
    size_t session_id_len, cipher_len;

    /* The version field is fixed at TLS1_2_VERSION for TLSv1.3 and HRR */
    if (!WPACKET_put_bytes_u16(pkt, usetls13 ? TLS1_2_VERSION : s->version)
        || !WPACKET_memcpy(pkt, server_random, SSL3_RANDOM_SIZE)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /*-
     * There are several cases for the session ID to send
     * back in the server hello:
     * - For session reuse from the session cache,
     *   we send back the old session ID.
     * - If stateless session reuse (using a session ticket)
     *   is successful, we send back the client's "session ID"
     *   (which doesn't actually identify the session).
     * - If it is a new session, we send back the new
     *   session ID.
     * - However, if we want the new session to be single-use,
     *   we send back a 0-length session ID.
     * - In TLSv1.3 we echo back the session id sent to us by the client
     *   regardless
     * s->hit is non-zero in either case of session reuse,
     * so the following won't overwrite an ID that we're supposed
     * to send back.
     */
    if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) && !s->hit)
        s->session->session_id_length = 0;

    if (usetls13) {
        session_id = s->tmp_session_id;
        session_id_len = s->tmp_session_id_len;
    } else {
        session_id = s->session->session_id;
        session_id_len = s->session->session_id_length;
    }

    /* Guard against writing more than the session id buffer can hold */
    if (session_id_len > sizeof(s->session->session_id)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /* cipher_len is required by put_cipher_by_char but not needed here */
    if (!WPACKET_sub_memcpy_u8(pkt, session_id, session_id_len)
        || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
                                          &cipher_len)
        || !WPACKET_put_bytes_u8(pkt,
                                 server_hello_compression_id(s, usetls13))) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    if (!tls_construct_extensions(s, pkt, server_hello_ext_context(s),
                                  NULL, 0)) {
        /* SSLfatal() already called */
        return 0;
    }

    if (hrr) {
        /* Ditch the session. We'll create a new one next time around */
        SSL_SESSION_free(s->session);
        s->session = NULL;
        s->hit = 0;

        /*
         * Re-initialise the Transcript Hash. We're going to prepopulate it
         * with a synthetic message_hash in place of ClientHello1.
         */
        if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
            /* SSLfatal() already called */
            return 0;
        }
        return 1;
    }

    if ((s->verify_mode & SSL_VERIFY_PEER) == 0
        && !ssl3_digest_cached_records(s, 0)) {
        /* SSLfatal() already called */
        return 0;
    }

    return 1;
}
2408e71b7053SJung-uk Kim
/*
 * Construct the ServerHelloDone message.  Nothing is written to pkt (the
 * message has no body); the only work is to digest the cached handshake
 * records when no CertificateRequest was sent.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
int tls_construct_server_done(SSL *s, WPACKET *pkt)
{
    if (s->s3.tmp.cert_request)
        return 1;

    /* On failure SSLfatal() has already been called by the callee */
    return ssl3_digest_cached_records(s, 0) != 0;
}
2419e71b7053SJung-uk Kim
tls_construct_server_key_exchange(SSL * s,WPACKET * pkt)2420e71b7053SJung-uk Kim int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
2421e71b7053SJung-uk Kim {
2422e71b7053SJung-uk Kim EVP_PKEY *pkdh = NULL;
2423e71b7053SJung-uk Kim unsigned char *encodedPoint = NULL;
2424e71b7053SJung-uk Kim size_t encodedlen = 0;
2425e71b7053SJung-uk Kim int curve_id = 0;
2426b077aed3SPierre Pronchery const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
2427e71b7053SJung-uk Kim int i;
2428e71b7053SJung-uk Kim unsigned long type;
2429b077aed3SPierre Pronchery BIGNUM *r[4];
2430e71b7053SJung-uk Kim EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
2431e71b7053SJung-uk Kim EVP_PKEY_CTX *pctx = NULL;
2432e71b7053SJung-uk Kim size_t paramlen, paramoffset;
2433b077aed3SPierre Pronchery int freer = 0, ret = 0;
2434e71b7053SJung-uk Kim
2435e71b7053SJung-uk Kim if (!WPACKET_get_total_written(pkt, ¶moffset)) {
2436b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2437e71b7053SJung-uk Kim goto err;
2438e71b7053SJung-uk Kim }
2439e71b7053SJung-uk Kim
2440e71b7053SJung-uk Kim if (md_ctx == NULL) {
2441b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2442e71b7053SJung-uk Kim goto err;
2443e71b7053SJung-uk Kim }
2444e71b7053SJung-uk Kim
2445b077aed3SPierre Pronchery type = s->s3.tmp.new_cipher->algorithm_mkey;
2446e71b7053SJung-uk Kim
2447e71b7053SJung-uk Kim r[0] = r[1] = r[2] = r[3] = NULL;
2448e71b7053SJung-uk Kim #ifndef OPENSSL_NO_PSK
2449e71b7053SJung-uk Kim /* Plain PSK or RSAPSK nothing to do */
2450e71b7053SJung-uk Kim if (type & (SSL_kPSK | SSL_kRSAPSK)) {
2451e71b7053SJung-uk Kim } else
2452e71b7053SJung-uk Kim #endif /* !OPENSSL_NO_PSK */
2453e71b7053SJung-uk Kim if (type & (SSL_kDHE | SSL_kDHEPSK)) {
2454e71b7053SJung-uk Kim CERT *cert = s->cert;
2455e71b7053SJung-uk Kim EVP_PKEY *pkdhp = NULL;
2456e71b7053SJung-uk Kim
2457e71b7053SJung-uk Kim if (s->cert->dh_tmp_auto) {
2458b077aed3SPierre Pronchery pkdh = ssl_get_auto_dh(s);
2459b077aed3SPierre Pronchery if (pkdh == NULL) {
2460b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2461e71b7053SJung-uk Kim goto err;
2462e71b7053SJung-uk Kim }
2463e71b7053SJung-uk Kim pkdhp = pkdh;
2464e71b7053SJung-uk Kim } else {
2465e71b7053SJung-uk Kim pkdhp = cert->dh_tmp;
2466e71b7053SJung-uk Kim }
2467b077aed3SPierre Pronchery #if !defined(OPENSSL_NO_DEPRECATED_3_0)
2468e71b7053SJung-uk Kim if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
2469b077aed3SPierre Pronchery pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024));
2470e71b7053SJung-uk Kim if (pkdh == NULL) {
2471b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2472e71b7053SJung-uk Kim goto err;
2473e71b7053SJung-uk Kim }
2474e71b7053SJung-uk Kim pkdhp = pkdh;
2475e71b7053SJung-uk Kim }
2476b077aed3SPierre Pronchery #endif
2477e71b7053SJung-uk Kim if (pkdhp == NULL) {
2478b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY);
2479e71b7053SJung-uk Kim goto err;
2480e71b7053SJung-uk Kim }
2481e71b7053SJung-uk Kim if (!ssl_security(s, SSL_SECOP_TMP_DH,
2482b077aed3SPierre Pronchery EVP_PKEY_get_security_bits(pkdhp), 0, pkdhp)) {
2483b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL);
2484e71b7053SJung-uk Kim goto err;
2485e71b7053SJung-uk Kim }
2486b077aed3SPierre Pronchery if (s->s3.tmp.pkey != NULL) {
2487b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2488e71b7053SJung-uk Kim goto err;
2489e71b7053SJung-uk Kim }
2490e71b7053SJung-uk Kim
2491b077aed3SPierre Pronchery s->s3.tmp.pkey = ssl_generate_pkey(s, pkdhp);
2492b077aed3SPierre Pronchery if (s->s3.tmp.pkey == NULL) {
2493b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2494e71b7053SJung-uk Kim goto err;
2495e71b7053SJung-uk Kim }
2496e71b7053SJung-uk Kim
2497e71b7053SJung-uk Kim EVP_PKEY_free(pkdh);
2498e71b7053SJung-uk Kim pkdh = NULL;
2499e71b7053SJung-uk Kim
2500b077aed3SPierre Pronchery /* These BIGNUMs need to be freed when we're finished */
2501b077aed3SPierre Pronchery freer = 1;
2502b077aed3SPierre Pronchery if (!EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_P,
2503b077aed3SPierre Pronchery &r[0])
2504b077aed3SPierre Pronchery || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_G,
2505b077aed3SPierre Pronchery &r[1])
2506b077aed3SPierre Pronchery || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey,
2507b077aed3SPierre Pronchery OSSL_PKEY_PARAM_PUB_KEY, &r[2])) {
2508b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2509b077aed3SPierre Pronchery goto err;
2510b077aed3SPierre Pronchery }
2511b077aed3SPierre Pronchery } else if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
2512e71b7053SJung-uk Kim
2513b077aed3SPierre Pronchery if (s->s3.tmp.pkey != NULL) {
2514b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2515e71b7053SJung-uk Kim goto err;
2516e71b7053SJung-uk Kim }
2517e71b7053SJung-uk Kim
2518e71b7053SJung-uk Kim /* Get NID of appropriate shared curve */
2519e71b7053SJung-uk Kim curve_id = tls1_shared_group(s, -2);
2520e71b7053SJung-uk Kim if (curve_id == 0) {
2521e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
2522e71b7053SJung-uk Kim SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
2523e71b7053SJung-uk Kim goto err;
2524e71b7053SJung-uk Kim }
2525b077aed3SPierre Pronchery /* Cache the group used in the SSL_SESSION */
2526b077aed3SPierre Pronchery s->session->kex_group = curve_id;
2527e71b7053SJung-uk Kim /* Generate a new key for this curve */
2528b077aed3SPierre Pronchery s->s3.tmp.pkey = ssl_generate_pkey_group(s, curve_id);
2529b077aed3SPierre Pronchery if (s->s3.tmp.pkey == NULL) {
2530e71b7053SJung-uk Kim /* SSLfatal() already called */
2531e71b7053SJung-uk Kim goto err;
2532e71b7053SJung-uk Kim }
2533e71b7053SJung-uk Kim
2534e71b7053SJung-uk Kim /* Encode the public key. */
2535b077aed3SPierre Pronchery encodedlen = EVP_PKEY_get1_encoded_public_key(s->s3.tmp.pkey,
2536e71b7053SJung-uk Kim &encodedPoint);
2537e71b7053SJung-uk Kim if (encodedlen == 0) {
2538b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
2539e71b7053SJung-uk Kim goto err;
2540e71b7053SJung-uk Kim }
2541e71b7053SJung-uk Kim
2542e71b7053SJung-uk Kim /*
2543e71b7053SJung-uk Kim * We'll generate the serverKeyExchange message explicitly so we
2544e71b7053SJung-uk Kim * can set these to NULLs
2545e71b7053SJung-uk Kim */
2546e71b7053SJung-uk Kim r[0] = NULL;
2547e71b7053SJung-uk Kim r[1] = NULL;
2548e71b7053SJung-uk Kim r[2] = NULL;
2549e71b7053SJung-uk Kim r[3] = NULL;
2550e71b7053SJung-uk Kim } else
2551e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SRP
2552e71b7053SJung-uk Kim if (type & SSL_kSRP) {
2553e71b7053SJung-uk Kim if ((s->srp_ctx.N == NULL) ||
2554e71b7053SJung-uk Kim (s->srp_ctx.g == NULL) ||
2555e71b7053SJung-uk Kim (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
2556b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_SRP_PARAM);
2557e71b7053SJung-uk Kim goto err;
2558e71b7053SJung-uk Kim }
2559e71b7053SJung-uk Kim r[0] = s->srp_ctx.N;
2560e71b7053SJung-uk Kim r[1] = s->srp_ctx.g;
2561e71b7053SJung-uk Kim r[2] = s->srp_ctx.s;
2562e71b7053SJung-uk Kim r[3] = s->srp_ctx.B;
2563e71b7053SJung-uk Kim } else
2564e71b7053SJung-uk Kim #endif
2565e71b7053SJung-uk Kim {
2566b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
2567e71b7053SJung-uk Kim goto err;
2568e71b7053SJung-uk Kim }
2569e71b7053SJung-uk Kim
2570b077aed3SPierre Pronchery if (((s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
2571b077aed3SPierre Pronchery || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
2572e71b7053SJung-uk Kim lu = NULL;
2573e71b7053SJung-uk Kim } else if (lu == NULL) {
2574b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
2575e71b7053SJung-uk Kim goto err;
2576e71b7053SJung-uk Kim }
2577e71b7053SJung-uk Kim
2578e71b7053SJung-uk Kim #ifndef OPENSSL_NO_PSK
2579e71b7053SJung-uk Kim if (type & SSL_PSK) {
2580e71b7053SJung-uk Kim size_t len = (s->cert->psk_identity_hint == NULL)
2581e71b7053SJung-uk Kim ? 0 : strlen(s->cert->psk_identity_hint);
2582e71b7053SJung-uk Kim
2583e71b7053SJung-uk Kim /*
2584e71b7053SJung-uk Kim * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
2585e71b7053SJung-uk Kim * checked this when we set the identity hint - but just in case
2586e71b7053SJung-uk Kim */
2587e71b7053SJung-uk Kim if (len > PSK_MAX_IDENTITY_LEN
2588e71b7053SJung-uk Kim || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
2589e71b7053SJung-uk Kim len)) {
2590b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2591e71b7053SJung-uk Kim goto err;
2592e71b7053SJung-uk Kim }
2593e71b7053SJung-uk Kim }
2594e71b7053SJung-uk Kim #endif
2595e71b7053SJung-uk Kim
2596e71b7053SJung-uk Kim for (i = 0; i < 4 && r[i] != NULL; i++) {
2597e71b7053SJung-uk Kim unsigned char *binval;
2598e71b7053SJung-uk Kim int res;
2599e71b7053SJung-uk Kim
2600e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SRP
2601e71b7053SJung-uk Kim if ((i == 2) && (type & SSL_kSRP)) {
2602e71b7053SJung-uk Kim res = WPACKET_start_sub_packet_u8(pkt);
2603e71b7053SJung-uk Kim } else
2604e71b7053SJung-uk Kim #endif
2605e71b7053SJung-uk Kim res = WPACKET_start_sub_packet_u16(pkt);
2606e71b7053SJung-uk Kim
2607e71b7053SJung-uk Kim if (!res) {
2608b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2609e71b7053SJung-uk Kim goto err;
2610e71b7053SJung-uk Kim }
2611e71b7053SJung-uk Kim
2612e71b7053SJung-uk Kim /*-
2613e71b7053SJung-uk Kim * for interoperability with some versions of the Microsoft TLS
2614e71b7053SJung-uk Kim * stack, we need to zero pad the DHE pub key to the same length
2615e71b7053SJung-uk Kim * as the prime
2616e71b7053SJung-uk Kim */
2617e71b7053SJung-uk Kim if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
2618e71b7053SJung-uk Kim size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
2619e71b7053SJung-uk Kim
2620e71b7053SJung-uk Kim if (len > 0) {
2621e71b7053SJung-uk Kim if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
2622b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2623e71b7053SJung-uk Kim goto err;
2624e71b7053SJung-uk Kim }
2625e71b7053SJung-uk Kim memset(binval, 0, len);
2626e71b7053SJung-uk Kim }
2627e71b7053SJung-uk Kim }
2628b077aed3SPierre Pronchery
2629e71b7053SJung-uk Kim if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
2630e71b7053SJung-uk Kim || !WPACKET_close(pkt)) {
2631b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2632e71b7053SJung-uk Kim goto err;
2633e71b7053SJung-uk Kim }
2634e71b7053SJung-uk Kim
2635e71b7053SJung-uk Kim BN_bn2bin(r[i], binval);
2636e71b7053SJung-uk Kim }
2637e71b7053SJung-uk Kim
2638e71b7053SJung-uk Kim if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
2639e71b7053SJung-uk Kim /*
2640e71b7053SJung-uk Kim * We only support named (not generic) curves. In this situation, the
2641e71b7053SJung-uk Kim * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
2642e71b7053SJung-uk Kim * [1 byte length of encoded point], followed by the actual encoded
2643e71b7053SJung-uk Kim * point itself
2644e71b7053SJung-uk Kim */
2645e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
2646e71b7053SJung-uk Kim || !WPACKET_put_bytes_u8(pkt, 0)
2647e71b7053SJung-uk Kim || !WPACKET_put_bytes_u8(pkt, curve_id)
2648e71b7053SJung-uk Kim || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
2649b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2650e71b7053SJung-uk Kim goto err;
2651e71b7053SJung-uk Kim }
2652e71b7053SJung-uk Kim OPENSSL_free(encodedPoint);
2653e71b7053SJung-uk Kim encodedPoint = NULL;
2654e71b7053SJung-uk Kim }
2655e71b7053SJung-uk Kim
2656e71b7053SJung-uk Kim /* not anonymous */
2657e71b7053SJung-uk Kim if (lu != NULL) {
2658b077aed3SPierre Pronchery EVP_PKEY *pkey = s->s3.tmp.cert->privatekey;
2659e71b7053SJung-uk Kim const EVP_MD *md;
2660e71b7053SJung-uk Kim unsigned char *sigbytes1, *sigbytes2, *tbs;
2661b077aed3SPierre Pronchery size_t siglen = 0, tbslen;
2662e71b7053SJung-uk Kim
2663b077aed3SPierre Pronchery if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
2664e71b7053SJung-uk Kim /* Should never happen */
2665b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2666e71b7053SJung-uk Kim goto err;
2667e71b7053SJung-uk Kim }
2668e71b7053SJung-uk Kim /* Get length of the parameters we have written above */
2669e71b7053SJung-uk Kim if (!WPACKET_get_length(pkt, ¶mlen)) {
2670b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2671e71b7053SJung-uk Kim goto err;
2672e71b7053SJung-uk Kim }
2673e71b7053SJung-uk Kim /* send signature algorithm */
2674e71b7053SJung-uk Kim if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
2675b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2676e71b7053SJung-uk Kim goto err;
2677e71b7053SJung-uk Kim }
2678b077aed3SPierre Pronchery
2679b077aed3SPierre Pronchery if (EVP_DigestSignInit_ex(md_ctx, &pctx,
2680b077aed3SPierre Pronchery md == NULL ? NULL : EVP_MD_get0_name(md),
2681b077aed3SPierre Pronchery s->ctx->libctx, s->ctx->propq, pkey,
2682b077aed3SPierre Pronchery NULL) <= 0) {
2683b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2684e71b7053SJung-uk Kim goto err;
2685e71b7053SJung-uk Kim }
2686e71b7053SJung-uk Kim if (lu->sig == EVP_PKEY_RSA_PSS) {
2687e71b7053SJung-uk Kim if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
2688e71b7053SJung-uk Kim || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
2689b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
2690e71b7053SJung-uk Kim goto err;
2691e71b7053SJung-uk Kim }
2692e71b7053SJung-uk Kim }
2693e71b7053SJung-uk Kim tbslen = construct_key_exchange_tbs(s, &tbs,
2694e71b7053SJung-uk Kim s->init_buf->data + paramoffset,
2695e71b7053SJung-uk Kim paramlen);
2696e71b7053SJung-uk Kim if (tbslen == 0) {
2697e71b7053SJung-uk Kim /* SSLfatal() already called */
2698e71b7053SJung-uk Kim goto err;
2699e71b7053SJung-uk Kim }
2700b077aed3SPierre Pronchery
2701b077aed3SPierre Pronchery if (EVP_DigestSign(md_ctx, NULL, &siglen, tbs, tbslen) <=0
2702b077aed3SPierre Pronchery || !WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
2703b077aed3SPierre Pronchery || EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen) <= 0
2704b077aed3SPierre Pronchery || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
2705e71b7053SJung-uk Kim || sigbytes1 != sigbytes2) {
2706b077aed3SPierre Pronchery OPENSSL_free(tbs);
2707b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2708e71b7053SJung-uk Kim goto err;
2709e71b7053SJung-uk Kim }
2710b077aed3SPierre Pronchery OPENSSL_free(tbs);
2711e71b7053SJung-uk Kim }
2712e71b7053SJung-uk Kim
2713b077aed3SPierre Pronchery ret = 1;
2714e71b7053SJung-uk Kim err:
2715e71b7053SJung-uk Kim EVP_PKEY_free(pkdh);
2716e71b7053SJung-uk Kim OPENSSL_free(encodedPoint);
2717e71b7053SJung-uk Kim EVP_MD_CTX_free(md_ctx);
2718b077aed3SPierre Pronchery if (freer) {
2719b077aed3SPierre Pronchery BN_free(r[0]);
2720b077aed3SPierre Pronchery BN_free(r[1]);
2721b077aed3SPierre Pronchery BN_free(r[2]);
2722b077aed3SPierre Pronchery BN_free(r[3]);
2723b077aed3SPierre Pronchery }
2724b077aed3SPierre Pronchery return ret;
2725e71b7053SJung-uk Kim }
2726e71b7053SJung-uk Kim
/*
 * Write the body of a TLS 1.3 CertificateRequest: the
 * certificate_request_context followed by the extensions block.
 *
 * Returns 1 on success, 0 on failure with SSLfatal() already called.
 */
static int certreq_write_tls13_body(SSL *s, WPACKET *pkt)
{
    if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
        /*
         * Post-handshake authentication: the context is a fresh 32-byte
         * random value, kept in s->pha_context so the echoed copy in the
         * client's Certificate message can be matched later.
         */
        OPENSSL_free(s->pha_context);
        s->pha_context_len = 32;
        s->pha_context = OPENSSL_malloc(s->pha_context_len);
        if (s->pha_context == NULL) {
            s->pha_context_len = 0;
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
        if (RAND_bytes_ex(s->ctx->libctx, s->pha_context,
                          s->pha_context_len, 0) <= 0
                || !WPACKET_sub_memcpy_u8(pkt, s->pha_context,
                                          s->pha_context_len)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
        /* Rewind the handshake hash to the state just after ClientFinished */
        if (!tls13_restore_handshake_digest_for_pha(s)) {
            /* SSLfatal() already called */
            return 0;
        }
    } else if (!WPACKET_put_bytes_u8(pkt, 0)) {
        /* Request sent during the handshake: the context is empty */
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
                                  NULL, 0)) {
        /* SSLfatal() already called */
        return 0;
    }
    return 1;
}

/*
 * Write the body of a pre-TLS 1.3 CertificateRequest: certificate_types,
 * supported_signature_algorithms (only when sigalgs are in use) and
 * certificate_authorities.
 *
 * Returns 1 on success, 0 on failure with SSLfatal() already called.
 */
static int certreq_write_legacy_body(SSL *s, WPACKET *pkt)
{
    /* certificate_types: 1-byte length prefixed list */
    if (!WPACKET_start_sub_packet_u8(pkt)
            || !ssl3_get_req_cert_type(s, pkt)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    if (SSL_USE_SIGALGS(s)) {
        const uint16_t *sigalgs;
        size_t nsigalgs = tls12_get_psigalgs(s, 1, &sigalgs);

        /* The list is required to be non-empty on the wire */
        if (!WPACKET_start_sub_packet_u16(pkt)
                || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
                || !tls12_copy_sigalgs(s, pkt, sigalgs, nsigalgs)
                || !WPACKET_close(pkt)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
    }

    if (!construct_ca_names(s, get_ca_names(s), pkt)) {
        /* SSLfatal() already called */
        return 0;
    }
    return 1;
}

/*
 * Construct a CertificateRequest message for the negotiated protocol
 * version and record that a request has been sent.
 *
 * Returns 1 on success, 0 on failure with SSLfatal() already called.
 */
int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
{
    int written;

    if (SSL_IS_TLS13(s))
        written = certreq_write_tls13_body(s, pkt);
    else
        written = certreq_write_legacy_body(s, pkt);

    if (!written)
        return 0;

    s->certreqs_sent++;
    s->s3.tmp.cert_request = 1;
    return 1;
}
2797e71b7053SJung-uk Kim
/*
 * Parse the PSK identity that prefixes a PSK-based ClientKeyExchange and
 * look the pre-shared key up through the application's psk_server_callback.
 *
 * On success the identity is stored in s->session->psk_identity, the key in
 * s->s3.tmp.psk / s->s3.tmp.psklen for the following key derivation, and 1
 * is returned. On failure SSLfatal() has been called and 0 is returned.
 */
static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)
{
#ifndef OPENSSL_NO_PSK
    PACKET identity;
    unsigned char keybuf[PSK_MAX_PSK_LEN];
    size_t keylen;

    /* psk_identity is a 2-byte length prefixed opaque string */
    if (!PACKET_get_length_prefixed_2(pkt, &identity)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return 0;
    }
    /* Bound the attacker-controlled identity before it reaches the callback */
    if (PACKET_remaining(&identity) > PSK_MAX_IDENTITY_LEN) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DATA_LENGTH_TOO_LONG);
        return 0;
    }
    if (s->psk_server_callback == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_SERVER_CB);
        return 0;
    }
    /* Keep a NUL-terminated copy of the identity on the session */
    if (!PACKET_strndup(&identity, &s->session->psk_identity)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    keylen = s->psk_server_callback(s, s->session->psk_identity,
                                    keybuf, sizeof(keybuf));

    /* A callback claiming more than the buffer holds is an application bug */
    if (keylen > PSK_MAX_PSK_LEN) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    /* Zero means the callback knows no key for this identity */
    if (keylen == 0) {
        SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, SSL_R_PSK_IDENTITY_NOT_FOUND);
        return 0;
    }

    /* Replace any earlier key, then wipe the stack copy of the secret */
    OPENSSL_free(s->s3.tmp.psk);
    s->s3.tmp.psk = OPENSSL_memdup(keybuf, keylen);
    OPENSSL_cleanse(keybuf, keylen);
    if (s->s3.tmp.psk == NULL) {
        s->s3.tmp.psklen = 0;
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    s->s3.tmp.psklen = keylen;
    return 1;
#else
    /* Should never happen */
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return 0;
#endif
}
2856e71b7053SJung-uk Kim
/*
 * Process the RSA key transport form of ClientKeyExchange: decrypt the
 * encrypted premaster secret with the server's RSA private key and derive
 * the master secret from it.
 *
 * The decryption is arranged so that a bad padding or a bad client version
 * inside the plaintext is indistinguishable, from the client's point of
 * view, from a good one: the provider hands back a random premaster instead
 * of an error and the handshake fails later at the Finished check. Only
 * publicly visible problems (malformed message, ciphertext not matching the
 * key) produce an immediate alert here. See RFC 5246 section 7.4.7.1.
 *
 * Returns 1 on success, 0 on failure with SSLfatal() already called.
 */
static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
{
    size_t outlen;
    PACKET enc_premaster;
    EVP_PKEY *rsa = NULL;
    unsigned char *rsa_decrypt = NULL;
    int ret = 0;
    EVP_PKEY_CTX *ctx = NULL;
    /* client version, optional negotiated version, end marker */
    OSSL_PARAM params[3], *p = params;

    rsa = s->cert->pkeys[SSL_PKEY_RSA].privatekey;
    if (rsa == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_RSA_CERTIFICATE);
        return 0;
    }

    /* SSLv3 and pre-standard DTLS omit the length bytes. */
    if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
        enc_premaster = *pkt;
    } else {
        /* The encrypted blob must account for the whole rest of the message */
        if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
            || PACKET_remaining(pkt) != 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
            return 0;
        }
    }

    /* The plaintext is always exactly one premaster secret in size */
    outlen = SSL_MAX_MASTER_KEY_LENGTH;
    rsa_decrypt = OPENSSL_malloc(outlen);
    if (rsa_decrypt == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, rsa, s->ctx->propq);
    if (ctx == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    /*
     * We must not leak whether a decryption failure occurs because of
     * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
     * section 7.4.7.1). We use the special padding type
     * RSA_PKCS1_WITH_TLS_PADDING to do that. It will automatically decrypt
     * the RSA, check the padding and check that the client version is as
     * expected in the premaster secret. If any of that fails then the
     * function appears to return successfully but with a random result. The
     * call below could still fail if the input is publicly invalid.
     * See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
     */
    if (EVP_PKEY_decrypt_init(ctx) <= 0
        || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_WITH_TLS_PADDING) <= 0) {
        SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED);
        goto err;
    }

    /*
     * Tell the provider which version the client advertised so the version
     * check on the plaintext happens inside the padding check. With
     * SSL_OP_TLS_ROLLBACK_BUG the negotiated version is also accepted, as a
     * workaround for clients that put the wrong version in the premaster.
     * The casts adapt the SSL's integer fields to the unsigned param type.
     */
    *p++ = OSSL_PARAM_construct_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION,
                                     (unsigned int *)&s->client_version);
    if ((s->options & SSL_OP_TLS_ROLLBACK_BUG) != 0)
        *p++ = OSSL_PARAM_construct_uint(
                   OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION,
                   (unsigned int *)&s->version);
    *p++ = OSSL_PARAM_construct_end();

    if (!EVP_PKEY_CTX_set_params(ctx, params)
        || EVP_PKEY_decrypt(ctx, rsa_decrypt, &outlen,
                            PACKET_data(&enc_premaster),
                            PACKET_remaining(&enc_premaster)) <= 0) {
        SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED);
        goto err;
    }

    /*
     * This test should never fail (otherwise we should have failed above) but
     * we double check anyway. The buffer is wiped first because it may hold
     * (part of) a premaster secret.
     */
    if (outlen != SSL_MAX_MASTER_KEY_LENGTH) {
        OPENSSL_cleanse(rsa_decrypt, SSL_MAX_MASTER_KEY_LENGTH);
        SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED);
        goto err;
    }

    /* Also cleanses rsa_decrypt (on success or failure) */
    if (!ssl_generate_master_secret(s, rsa_decrypt,
                                    SSL_MAX_MASTER_KEY_LENGTH, 0)) {
        /* SSLfatal() already called */
        goto err;
    }

    ret = 1;
 err:
    OPENSSL_free(rsa_decrypt);
    EVP_PKEY_CTX_free(ctx);
    return ret;
}
2953e71b7053SJung-uk Kim
/*
 * Process a DHE / DHE-PSK ClientKeyExchange: read the client's public value
 * (dh_Yc, 2-byte length prefixed), import it against the group parameters
 * of the server's ephemeral key and derive the premaster secret.
 *
 * Returns 1 on success, 0 on failure with SSLfatal() already called. On
 * success the server's ephemeral key is released so it cannot be reused.
 */
static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
{
    unsigned int yclen;
    const unsigned char *yc;
    EVP_PKEY *server_key;
    EVP_PKEY *client_key = NULL;
    int ret = 0;

    /* dh_Yc must account for the whole remainder of the message */
    if (!PACKET_get_net_2(pkt, &yclen) || PACKET_remaining(pkt) != yclen) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
        return 0;
    }
    server_key = s->s3.tmp.pkey;
    if (server_key == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY);
        return 0;
    }
    /* An empty public value is rejected */
    if (PACKET_remaining(pkt) == 0L) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_MISSING_TMP_DH_KEY);
        return 0;
    }
    if (!PACKET_get_bytes(pkt, &yc, yclen)) {
        /* Cannot happen: the length was validated above */
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /* The peer key takes its group from our own ephemeral key */
    client_key = EVP_PKEY_new();
    if (client_key == NULL
            || EVP_PKEY_copy_parameters(client_key, server_key) == 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
        goto err;
    }
    /* A value the import rejects is the client's fault: illegal_parameter */
    if (!EVP_PKEY_set1_encoded_public_key(client_key, yc, yclen)) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
        goto err;
    }
    if (ssl_derive(s, server_key, client_key, 1) == 0) {
        /* SSLfatal() already called */
        goto err;
    }

    ret = 1;
    /* One-shot ephemeral key: drop it now that the secret is derived */
    EVP_PKEY_free(s->s3.tmp.pkey);
    s->s3.tmp.pkey = NULL;
 err:
    EVP_PKEY_free(client_key);
    return ret;
}
3004e71b7053SJung-uk Kim
/*
 * Process an ECDHE / ECDHE-PSK ClientKeyExchange: read the client's encoded
 * public point (1-byte length prefixed), import it against the curve of the
 * server's ephemeral key and derive the premaster secret.
 *
 * Returns 1 on success, 0 on failure with SSLfatal() already called. On
 * success the server's ephemeral key is released so it cannot be reused.
 */
static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
{
    EVP_PKEY *server_key = s->s3.tmp.pkey;
    EVP_PKEY *client_key = NULL;
    const unsigned char *point;
    unsigned int pointlen;
    int ret = 0;

    /* An empty body would mean ECDH client authentication: not supported */
    if (PACKET_remaining(pkt) == 0L) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_TMP_ECDH_KEY);
        return 0;
    }
    /* ECPoint: one length byte, the point, and nothing after it */
    if (!PACKET_get_1(pkt, &pointlen)
            || !PACKET_get_bytes(pkt, &point, pointlen)
            || PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return 0;
    }
    if (server_key == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_ECDH_KEY);
        return 0;
    }

    /* The peer key takes its curve from our own ephemeral key */
    client_key = EVP_PKEY_new();
    if (client_key == NULL
            || EVP_PKEY_copy_parameters(client_key, server_key) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
        goto err;
    }
    /* A point the import rejects is the client's fault: illegal_parameter */
    if (EVP_PKEY_set1_encoded_public_key(client_key, point, pointlen) <= 0) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
        goto err;
    }
    if (ssl_derive(s, server_key, client_key, 1) == 0) {
        /* SSLfatal() already called */
        goto err;
    }

    ret = 1;
    /* One-shot ephemeral key: drop it now that the secret is derived */
    EVP_PKEY_free(s->s3.tmp.pkey);
    s->s3.tmp.pkey = NULL;
 err:
    EVP_PKEY_free(client_key);
    return ret;
}
3060e71b7053SJung-uk Kim
/*
 * Process an SRP ClientKeyExchange: read the client's public value A, check
 * it is in range, record the SRP user name in the session and compute the
 * SRP master secret.
 *
 * Returns 1 on success, 0 on failure with SSLfatal() already called.
 */
static int tls_process_cke_srp(SSL *s, PACKET *pkt)
{
#ifndef OPENSSL_NO_SRP
    const unsigned char *abytes;
    unsigned int alen;
    BIGNUM *A;

    /* srp_A: 2-byte length prefixed big-endian integer */
    if (!PACKET_get_net_2(pkt, &alen)
            || !PACKET_get_bytes(pkt, &abytes, alen)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRP_A_LENGTH);
        return 0;
    }
    A = BN_bin2bn(abytes, alen, NULL);
    s->srp_ctx.A = A;
    if (A == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB);
        return 0;
    }
    /*
     * RFC 5054 2.5.4 requires aborting when A mod N == 0. Demanding
     * 0 < A < N covers that and also rejects values outside the group.
     */
    if (BN_ucmp(A, s->srp_ctx.N) >= 0 || BN_is_zero(A)) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRP_PARAMETERS);
        return 0;
    }

    /* Remember who authenticated; replaces any earlier name on the session */
    OPENSSL_free(s->session->srp_username);
    s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
    if (s->session->srp_username == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    if (!srp_generate_server_master_secret(s)) {
        /* SSLfatal() already called */
        return 0;
    }
    return 1;
#else
    /* Should never happen */
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return 0;
#endif
}
3099e71b7053SJung-uk Kim
/*
 * Process a GOST 2001 / 2012 ClientKeyExchange. The message is a DER
 * GOST_KX_MESSAGE whose kxBlob carries the wrapped 32-byte premaster
 * secret; it is unwrapped with the server's GOST certificate key and the
 * master secret derived from it.
 *
 * Returns 1 on success, 0 on failure with SSLfatal() already called.
 */
static int tls_process_cke_gost(SSL *s, PACKET *pkt)
{
#ifndef OPENSSL_NO_GOST
    EVP_PKEY_CTX *pkey_ctx;
    EVP_PKEY *client_pub_pkey, *pk = NULL;
    unsigned char premaster_secret[32];
    size_t outlen = sizeof(premaster_secret);
    size_t inlen;
    unsigned long alg_a;
    GOST_KX_MESSAGE *pKX = NULL;
    const unsigned char *ptr;
    ASN1_STRING *kx;
    int ret = 0;

    /* Pick the certificate private key matching the suite's auth type */
    alg_a = s->s3.tmp.new_cipher->algorithm_auth;
    if (alg_a & SSL_aGOST12) {
        /* 2012 suites: prefer a 2012 key, falling back to a 2001 key */
        static const int prefs[] = {
            SSL_PKEY_GOST12_512, SSL_PKEY_GOST12_256, SSL_PKEY_GOST01
        };
        size_t k;

        for (k = 0; k < sizeof(prefs) / sizeof(prefs[0]) && pk == NULL; k++)
            pk = s->cert->pkeys[prefs[k]].privatekey;
    } else if (alg_a & SSL_aGOST01) {
        pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
    }

    pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pk, s->ctx->propq);
    if (pkey_ctx == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /*
     * If a client certificate is present and of the same type, it may be
     * used for the key exchange. Errors from EVP_PKEY_derive_set_peer are
     * ignored: using the client certificate for authentication only is
     * perfectly valid.
     */
    client_pub_pkey = X509_get0_pubkey(s->session->peer);
    if (client_pub_pkey != NULL
            && EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
        ERR_clear_error();

    /*
     * Decode the ASN.1 envelope. Some implementations put extra data in the
     * opaqueBlob; it is of no use to us and simply skipped.
     */
    ptr = PACKET_data(pkt);
    pKX = d2i_GOST_KX_MESSAGE(NULL, &ptr, PACKET_remaining(pkt));
    if (pKX == NULL
            || pKX->kxBlob == NULL
            || ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED);
        goto err;
    }
    /* The DER must consume the message exactly: no trailing bytes allowed */
    if (!PACKET_forward(pkt, ptr - PACKET_data(pkt))) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_DECRYPTION_FAILED);
        goto err;
    }
    if (PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_DECRYPTION_FAILED);
        goto err;
    }

    /* Unwrap the premaster secret from the kxBlob contents */
    kx = pKX->kxBlob->value.sequence;
    inlen = kx->length;
    if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, kx->data,
                         inlen) <= 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED);
        goto err;
    }
    /* Generate master secret */
    if (!ssl_generate_master_secret(s, premaster_secret,
                                    sizeof(premaster_secret), 0)) {
        /* SSLfatal() already called */
        goto err;
    }
    /*
     * If the provider actually used the client certificate's key as the
     * peer, the client has already proven possession of it and the separate
     * CertificateVerify is not needed.
     */
    if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
                          NULL) > 0)
        s->statem.no_cert_verify = 1;

    ret = 1;
 err:
    EVP_PKEY_CTX_free(pkey_ctx);
    GOST_KX_MESSAGE_free(pKX);
    return ret;
#else
    /* Should never happen */
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return 0;
#endif
}
3202b077aed3SPierre Pronchery
/*
 * Process a ClientKeyExchange for the GOST 2012 ("GOST18") key exchange.
 *
 * The encrypted premaster secret is the entire remaining body of |pkt|; no
 * length check is applied here beyond what the key's provider/engine
 * enforces during EVP_PKEY_decrypt(). It is decrypted with the configured
 * GOST12 private key (512-bit preferred, 256-bit otherwise), using the UKM
 * derived from the handshake randoms as IV and the suite's cipher. The
 * 32-byte result feeds ssl_generate_master_secret().
 *
 * Returns 1 on success, 0 on failure; SSLfatal() has been called on every
 * failure path. In builds without GOST this is unreachable and fails with
 * an internal error.
 */
static int tls_process_cke_gost18(SSL *s, PACKET *pkt)
{
#ifndef OPENSSL_NO_GOST
    unsigned char ukm[32];
    unsigned char premaster_secret[32];
    EVP_PKEY_CTX *pkey_ctx = NULL;
    EVP_PKEY *pk;
    size_t outlen = sizeof(premaster_secret);
    int ret = 0;
    int cipher_nid = ossl_gost18_cke_cipher_nid(s);

    if (cipher_nid == NID_undef) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /* UKM: 32-byte value bound to this handshake, used below as the IV */
    if (ossl_gost_ukm(s, ukm) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /* Our certificate private key: prefer GOST12-512, else GOST12-256 */
    pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
    if (pk == NULL)
        pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
    if (pk == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE);
        goto err;
    }

    pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pk, s->ctx->propq);
    if (pkey_ctx == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /*
     * Reuse EVP_PKEY_CTRL_SET_IV to pass the UKM (the engine code chooses by
     * size), then select the suite's cipher. Both failures are reported the
     * same way, so they share one check; short-circuit keeps the order.
     */
    if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
                          EVP_PKEY_CTRL_SET_IV, 32, ukm) <= 0
        || EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
                             EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
        goto err;
    }

    /* The whole remaining message body is the encrypted premaster secret */
    if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
                         PACKET_data(pkt), PACKET_remaining(pkt)) <= 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED);
        goto err;
    }

    /*
     * Generate master secret; on failure SSLfatal() has already been called.
     * NOTE(review): premaster_secret is a stack buffer; clearing it is left
     * to ssl_generate_master_secret(), which is not visible here - confirm.
     */
    if (ssl_generate_master_secret(s, premaster_secret,
                                   sizeof(premaster_secret), 0))
        ret = 1;

 err:
    EVP_PKEY_CTX_free(pkey_ctx);
    return ret;
#else
    /* Should never happen */
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return 0;
#endif
}
3280e71b7053SJung-uk Kim
/*
 * Process the ClientKeyExchange message by dispatching on the key exchange
 * algorithm of the negotiated cipher (s->s3.tmp.new_cipher->algorithm_mkey).
 *
 * Any PSK-flavoured suite first consumes the PSK identity preamble. Plain
 * PSK then has nothing left to parse and derives the master secret directly;
 * RSA, (EC)DHE, SRP and the two GOST variants each have their own processor.
 * Every processor calls SSLfatal() itself before reporting failure.
 *
 * Returns MSG_PROCESS_CONTINUE_PROCESSING on success. On any failure the PSK
 * material already stored in s->s3.tmp is wiped and MSG_PROCESS_ERROR is
 * returned.
 */
MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
{
    unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
    int ok;

    /* For PSK parse and retrieve identity, obtain PSK key */
    if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) {
        /* SSLfatal() already called */
        goto err;
    }

    if (alg_k & SSL_kPSK) {
        /* Identity extracted earlier: should be nothing left */
        if (PACKET_remaining(pkt) != 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
            goto err;
        }
        /* PSK handled by ssl_generate_master_secret */
        ok = ssl_generate_master_secret(s, NULL, 0, 0);
    } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
        ok = tls_process_cke_rsa(s, pkt);
    } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
        ok = tls_process_cke_dhe(s, pkt);
    } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
        ok = tls_process_cke_ecdhe(s, pkt);
    } else if (alg_k & SSL_kSRP) {
        ok = tls_process_cke_srp(s, pkt);
    } else if (alg_k & SSL_kGOST) {
        ok = tls_process_cke_gost(s, pkt);
    } else if (alg_k & SSL_kGOST18) {
        ok = tls_process_cke_gost18(s, pkt);
    } else {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
        goto err;
    }

    if (!ok) {
        /* SSLfatal() already called by the processor */
        goto err;
    }

    return MSG_PROCESS_CONTINUE_PROCESSING;

 err:
#ifndef OPENSSL_NO_PSK
    /* Never leave the PSK lying around after a failed handshake step */
    OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen);
    s->s3.tmp.psk = NULL;
    s->s3.tmp.psklen = 0;
#endif
    return MSG_PROCESS_ERROR;
}
3348e71b7053SJung-uk Kim
/*
 * Post-processing once the ClientKeyExchange has been handled.
 *
 * In DTLS builds with SCTP support, the first pass (WORK_MORE_A) exports a
 * fresh SCTP-AUTH shared key from the new master secret and hands it to the
 * write BIO; the BIO ignores it when SCTP is not in use.
 *
 * Then decide the fate of the handshake transcript buffer: when no
 * CertificateVerify is expected (s->statem.no_cert_verify, or the client
 * presented no certificate) the cached records are digested and the buffer
 * released; otherwise the buffer is frozen so the transcript remains
 * available for checking the client's signature.
 *
 * Returns WORK_FINISHED_CONTINUE on success, WORK_ERROR after SSLfatal().
 */
WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
{
#ifndef OPENSSL_NO_SCTP
    if (wst == WORK_MORE_A && SSL_IS_DTLS(s)) {
        unsigned char sctpauthkey[64];
        char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
        /* Don't include the terminating zero. */
        size_t labellen = sizeof(labelbuffer) - 1;

        /*
         * Add new shared key for SCTP-Auth, will be ignored if no SCTP
         * used.
         */
        memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
               sizeof(DTLS1_SCTP_AUTH_LABEL));

        /*
         * Interop knob: with SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG the
         * terminating NUL is counted as part of the exporter label.
         */
        if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
            labellen++;

        if (SSL_export_keying_material(s, sctpauthkey, sizeof(sctpauthkey),
                                       labelbuffer, labellen,
                                       NULL, 0, 0) <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return WORK_ERROR;
        }

        BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                 sizeof(sctpauthkey), sctpauthkey);
    }
#endif

    if (s->statem.no_cert_verify || !s->session->peer) {
        /*
         * No certificate verify or no peer certificate so we no longer need
         * the handshake_buffer
         */
        if (!ssl3_digest_cached_records(s, 0)) {
            /* SSLfatal() already called */
            return WORK_ERROR;
        }
        return WORK_FINISHED_CONTINUE;
    }

    /* A CertificateVerify is coming: the transcript must still exist */
    if (!s->s3.handshake_buffer) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return WORK_ERROR;
    }

    /*
     * For sigalgs freeze the handshake buffer. If we support
     * extms we've done this already so this is a no-op
     */
    if (!ssl3_digest_cached_records(s, 1)) {
        /* SSLfatal() already called */
        return WORK_ERROR;
    }

    return WORK_FINISHED_CONTINUE;
}
3410e71b7053SJung-uk Kim
/*
 * Process a Certificate message from the client.
 *
 * Wire format handled here:
 *   - TLSv1.3 only: a 1-byte length-prefixed certificate_request_context,
 *     which must be empty unless post-handshake authentication is in
 *     progress, in which case it must equal s->pha_context exactly.
 *   - A 3-byte length-prefixed list of entries; each entry is a 3-byte
 *     length-prefixed DER certificate followed (TLSv1.3 only) by a 2-byte
 *     length-prefixed extensions block, collected and parsed per entry.
 *   Nothing may follow the list.
 *
 * An empty chain is fatal for SSLv3, and for TLS only when both
 * SSL_VERIFY_PEER and SSL_VERIFY_FAIL_IF_NO_PEER_CERT are set; otherwise
 * the client simply proceeds unauthenticated. A non-empty chain is checked
 * with ssl_verify_cert_chain(), and on failure s->verify_result is mapped
 * to the alert sent. On success the leaf and the remaining chain are moved
 * into s->session (which is first duplicated during post-handshake auth,
 * see the comment below); for TLSv1.3 the transcript is frozen and its hash
 * saved for the upcoming CertificateVerify.
 *
 * Returns MSG_PROCESS_CONTINUE_READING on success, MSG_PROCESS_ERROR after
 * SSLfatal() on failure.
 */
MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
{
    int i;
    MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
    /* certificate currently being decoded; owned here until pushed onto sk */
    X509 *x = NULL;
    unsigned long l;
    const unsigned char *certstart, *certbytes;
    /* decoded chain; ownership passes to the session on success */
    STACK_OF(X509) *sk = NULL;
    PACKET spkt, context;
    size_t chainidx;
    SSL_SESSION *new_sess = NULL;

    /*
     * To get this far we must have read encrypted data from the client. We no
     * longer tolerate unencrypted alerts. This value is ignored if less than
     * TLSv1.3
     */
    s->statem.enc_read_state = ENC_READ_STATE_VALID;

    if ((sk = sk_X509_new_null()) == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    /*
     * TLSv1.3 certificate_request_context: empty for the initial handshake,
     * otherwise it must match the context we issued for post-handshake auth.
     */
    if (SSL_IS_TLS13(s) && (!PACKET_get_length_prefixed_1(pkt, &context)
            || (s->pha_context == NULL && PACKET_remaining(&context) != 0)
            || (s->pha_context != NULL &&
                !PACKET_equal(&context, s->pha_context, s->pha_context_len)))) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
        goto err;
    }

    /* The certificate list must be the last thing in the message */
    if (!PACKET_get_length_prefixed_3(pkt, &spkt)
            || PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        goto err;
    }

    for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
        if (!PACKET_get_net_3(&spkt, &l)
            || !PACKET_get_bytes(&spkt, &certbytes, l)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
            goto err;
        }

        certstart = certbytes;
        x = X509_new_ex(s->ctx->libctx, s->ctx->propq);
        if (x == NULL) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_MALLOC_FAILURE);
            goto err;
        }
        if (d2i_X509(&x, (const unsigned char **)&certbytes, l) == NULL) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
            goto err;
        }

        /* The DER must consume exactly the declared length: no trailing bytes */
        if (certbytes != (certstart + l)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
            goto err;
        }

        if (SSL_IS_TLS13(s)) {
            RAW_EXTENSION *rawexts = NULL;
            PACKET extensions;

            if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
                goto err;
            }
            /*
             * Per-certificate extensions; the helpers are expected to have
             * called SSLfatal() themselves on failure (not visible here).
             */
            if (!tls_collect_extensions(s, &extensions,
                                        SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
                                        NULL, chainidx == 0)
                || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
                                             rawexts, x, chainidx,
                                             PACKET_remaining(&spkt) == 0)) {
                OPENSSL_free(rawexts);
                goto err;
            }
            OPENSSL_free(rawexts);
        }

        if (!sk_X509_push(sk, x)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
            goto err;
        }
        /* sk now owns the certificate; don't free it twice at err */
        x = NULL;
    }

    if (sk_X509_num(sk) <= 0) {
        /* TLS does not mind 0 certs returned */
        if (s->version == SSL3_VERSION) {
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_R_NO_CERTIFICATES_RETURNED);
            goto err;
        }
        /* Fail for TLS only if we required a certificate */
        else if ((s->verify_mode & SSL_VERIFY_PEER) &&
                 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
            SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED,
                     SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
            goto err;
        }
        /* No client certificate so digest cached records */
        if (s->s3.handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
            /* SSLfatal() already called */
            goto err;
        }
    } else {
        EVP_PKEY *pkey;
        /* Chain verification; s->verify_result is presumably set by it */
        i = ssl_verify_cert_chain(s, sk);
        if (i <= 0) {
            SSLfatal(s, ssl_x509err2alert(s->verify_result),
                     SSL_R_CERTIFICATE_VERIFY_FAILED);
            goto err;
        }
        /* The leaf must carry a public key we can use for CertificateVerify */
        pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
        if (pkey == NULL) {
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_R_UNKNOWN_CERTIFICATE_TYPE);
            goto err;
        }
    }

    /*
     * Sessions must be immutable once they go into the session cache. Otherwise
     * we can get multi-thread problems. Therefore we don't "update" sessions,
     * we replace them with a duplicate. Here, we need to do this every time
     * a new certificate is received via post-handshake authentication, as the
     * session may have already gone into the session cache.
     */

    if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
        if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
            goto err;
        }

        SSL_SESSION_free(s->session);
        s->session = new_sess;
    }

    /* Leaf becomes the session's peer; the rest of sk becomes peer_chain */
    X509_free(s->session->peer);
    s->session->peer = sk_X509_shift(sk);
    s->session->verify_result = s->verify_result;

    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
    /* Ownership transferred to the session; don't free it at err */
    sk = NULL;

    /*
     * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
     * message
     */
    if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
        /* SSLfatal() already called */
        goto err;
    }

    /*
     * Inconsistency alert: cert_chain does *not* include the peer's own
     * certificate, while we do include it in statem_clnt.c
     */

    /* Save the current hash state for when we receive the CertificateVerify */
    if (SSL_IS_TLS13(s)) {
        if (!ssl_handshake_hash(s, s->cert_verify_hash,
                                sizeof(s->cert_verify_hash),
                                &s->cert_verify_hash_len)) {
            /* SSLfatal() already called */
            goto err;
        }

        /* Resend session tickets */
        s->sent_tickets = 0;
    }

    ret = MSG_PROCESS_CONTINUE_READING;

 err:
    /* Both are NULL on the success path, so these only clean up after errors */
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
    return ret;
}
3594e71b7053SJung-uk Kim
/*
 * Construct the server Certificate message from the certificate selected
 * for this connection (s->s3.tmp.cert).
 *
 * For TLSv1.3 the chain is preceded by a zero-length
 * certificate_request_context byte. The chain itself is written by
 * ssl3_output_cert_chain(), which reports its own failures via SSLfatal().
 *
 * Returns 1 on success, 0 on failure (SSLfatal() already called).
 */
int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
{
    CERT_PKEY *cpk = s->s3.tmp.cert;

    /*
     * Having no selected certificate is a state error, and so is failing to
     * write the TLSv1.3 empty context; both are reported identically, and
     * short-circuit keeps the NULL check ahead of the write.
     */
    if (cpk == NULL || (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0))) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /* SSLfatal() already called on failure */
    return ssl3_output_cert_chain(s, pkt, cpk) != 0;
}
3619e71b7053SJung-uk Kim
/*
 * Write the fixed leading fields of a NewSessionTicket message and open the
 * 2-byte length-prefixed sub-packet that will hold the ticket itself.
 *
 * The first field is the ticket lifetime hint in seconds. For TLSv1.3 it is
 * the session timeout capped at one week, the maximum RFC 8446 allows; for
 * earlier versions it is advisory only and left unspecified (0) for a
 * resumed session (s->hit). TLSv1.3 additionally carries |age_add| and the
 * TICKET_NONCE_SIZE-byte |tick_nonce|.
 *
 * Returns 1 on success, 0 after calling SSLfatal() on a WPACKET failure.
 */
static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add,
                                 unsigned char *tick_nonce)
{
#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
    uint32_t lifetime_hint;

    if (SSL_IS_TLS13(s)) {
        /* RFC 8446 limits ticket_lifetime to 604800 seconds (one week) */
        lifetime_hint = s->session->timeout > ONE_WEEK_SEC
            ? ONE_WEEK_SEC : (uint32_t)s->session->timeout;
    } else {
        /* TLSv1.2: advisory only, and unspecified for a resumed session */
        lifetime_hint = s->hit ? 0 : (uint32_t)s->session->timeout;
    }

    /*
     * Every WPACKET failure here is reported the same way, so one check
     * covers them all; short-circuit evaluation preserves the write order:
     * lifetime, then (TLSv1.3 only) age_add and nonce, then the sub-packet
     * for the actual ticket data.
     */
    if (!WPACKET_put_bytes_u32(pkt, lifetime_hint)
        || (SSL_IS_TLS13(s)
            && (!WPACKET_put_bytes_u32(pkt, age_add)
                || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)))
        || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}
3661e71b7053SJung-uk Kim
3662b077aed3SPierre Pronchery /*
3663b077aed3SPierre Pronchery * Returns 1 on success, 0 to abort construction of the ticket (non-fatal), or
3664b077aed3SPierre Pronchery * -1 on fatal error
3665b077aed3SPierre Pronchery */
construct_stateless_ticket(SSL * s,WPACKET * pkt,uint32_t age_add,unsigned char * tick_nonce)3666e71b7053SJung-uk Kim static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
3667e71b7053SJung-uk Kim unsigned char *tick_nonce)
3668e71b7053SJung-uk Kim {
3669e71b7053SJung-uk Kim unsigned char *senc = NULL;
3670e71b7053SJung-uk Kim EVP_CIPHER_CTX *ctx = NULL;
3671b077aed3SPierre Pronchery SSL_HMAC *hctx = NULL;
3672e71b7053SJung-uk Kim unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
3673e71b7053SJung-uk Kim const unsigned char *const_p;
3674e71b7053SJung-uk Kim int len, slen_full, slen, lenfinal;
3675e71b7053SJung-uk Kim SSL_SESSION *sess;
3676b077aed3SPierre Pronchery size_t hlen;
3677e71b7053SJung-uk Kim SSL_CTX *tctx = s->session_ctx;
3678e71b7053SJung-uk Kim unsigned char iv[EVP_MAX_IV_LENGTH];
3679e71b7053SJung-uk Kim unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
3680b077aed3SPierre Pronchery int iv_len, ok = -1;
3681e71b7053SJung-uk Kim size_t macoffset, macendoffset;
3682e71b7053SJung-uk Kim
3683e71b7053SJung-uk Kim /* get session encoding length */
3684e71b7053SJung-uk Kim slen_full = i2d_SSL_SESSION(s->session, NULL);
3685e71b7053SJung-uk Kim /*
3686e71b7053SJung-uk Kim * Some length values are 16 bits, so forget it if session is too
3687e71b7053SJung-uk Kim * long
3688e71b7053SJung-uk Kim */
3689e71b7053SJung-uk Kim if (slen_full == 0 || slen_full > 0xFF00) {
3690b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3691e71b7053SJung-uk Kim goto err;
3692e71b7053SJung-uk Kim }
3693e71b7053SJung-uk Kim senc = OPENSSL_malloc(slen_full);
3694e71b7053SJung-uk Kim if (senc == NULL) {
3695b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
3696e71b7053SJung-uk Kim goto err;
3697e71b7053SJung-uk Kim }
3698e71b7053SJung-uk Kim
3699e71b7053SJung-uk Kim ctx = EVP_CIPHER_CTX_new();
3700b077aed3SPierre Pronchery hctx = ssl_hmac_new(tctx);
3701e71b7053SJung-uk Kim if (ctx == NULL || hctx == NULL) {
3702b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
3703e71b7053SJung-uk Kim goto err;
3704e71b7053SJung-uk Kim }
3705e71b7053SJung-uk Kim
3706e71b7053SJung-uk Kim p = senc;
3707e71b7053SJung-uk Kim if (!i2d_SSL_SESSION(s->session, &p)) {
3708b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3709e71b7053SJung-uk Kim goto err;
3710e71b7053SJung-uk Kim }
3711e71b7053SJung-uk Kim
3712e71b7053SJung-uk Kim /*
3713e71b7053SJung-uk Kim * create a fresh copy (not shared with other threads) to clean up
3714e71b7053SJung-uk Kim */
3715e71b7053SJung-uk Kim const_p = senc;
3716e71b7053SJung-uk Kim sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3717e71b7053SJung-uk Kim if (sess == NULL) {
3718b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3719e71b7053SJung-uk Kim goto err;
3720e71b7053SJung-uk Kim }
3721e71b7053SJung-uk Kim
3722e71b7053SJung-uk Kim slen = i2d_SSL_SESSION(sess, NULL);
3723e71b7053SJung-uk Kim if (slen == 0 || slen > slen_full) {
3724e71b7053SJung-uk Kim /* shouldn't ever happen */
3725b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3726e71b7053SJung-uk Kim SSL_SESSION_free(sess);
3727e71b7053SJung-uk Kim goto err;
3728e71b7053SJung-uk Kim }
3729e71b7053SJung-uk Kim p = senc;
3730e71b7053SJung-uk Kim if (!i2d_SSL_SESSION(sess, &p)) {
3731b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3732e71b7053SJung-uk Kim SSL_SESSION_free(sess);
3733e71b7053SJung-uk Kim goto err;
3734e71b7053SJung-uk Kim }
3735e71b7053SJung-uk Kim SSL_SESSION_free(sess);
3736e71b7053SJung-uk Kim
3737e71b7053SJung-uk Kim /*
3738e71b7053SJung-uk Kim * Initialize HMAC and cipher contexts. If callback present it does
3739e71b7053SJung-uk Kim * all the work otherwise use generated values from parent ctx.
3740e71b7053SJung-uk Kim */
3741b077aed3SPierre Pronchery #ifndef OPENSSL_NO_DEPRECATED_3_0
3742b077aed3SPierre Pronchery if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL)
3743b077aed3SPierre Pronchery #else
3744b077aed3SPierre Pronchery if (tctx->ext.ticket_key_evp_cb != NULL)
3745b077aed3SPierre Pronchery #endif
3746b077aed3SPierre Pronchery {
3747b077aed3SPierre Pronchery int ret = 0;
3748b077aed3SPierre Pronchery
3749b077aed3SPierre Pronchery if (tctx->ext.ticket_key_evp_cb != NULL)
3750b077aed3SPierre Pronchery ret = tctx->ext.ticket_key_evp_cb(s, key_name, iv, ctx,
3751b077aed3SPierre Pronchery ssl_hmac_get0_EVP_MAC_CTX(hctx),
3752b077aed3SPierre Pronchery 1);
3753b077aed3SPierre Pronchery #ifndef OPENSSL_NO_DEPRECATED_3_0
3754b077aed3SPierre Pronchery else if (tctx->ext.ticket_key_cb != NULL)
3755e71b7053SJung-uk Kim /* if 0 is returned, write an empty ticket */
3756b077aed3SPierre Pronchery ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
3757b077aed3SPierre Pronchery ssl_hmac_get0_HMAC_CTX(hctx), 1);
3758b077aed3SPierre Pronchery #endif
3759e71b7053SJung-uk Kim
3760e71b7053SJung-uk Kim if (ret == 0) {
3761b077aed3SPierre Pronchery /*
3762b077aed3SPierre Pronchery * In TLSv1.2 we construct a 0 length ticket. In TLSv1.3 a 0
3763b077aed3SPierre Pronchery * length ticket is not allowed so we abort construction of the
3764b077aed3SPierre Pronchery * ticket
3765b077aed3SPierre Pronchery */
3766b077aed3SPierre Pronchery if (SSL_IS_TLS13(s)) {
3767b077aed3SPierre Pronchery ok = 0;
3768b077aed3SPierre Pronchery goto err;
3769b077aed3SPierre Pronchery }
3770e71b7053SJung-uk Kim /* Put timeout and length */
3771e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u32(pkt, 0)
3772e71b7053SJung-uk Kim || !WPACKET_put_bytes_u16(pkt, 0)) {
3773b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3774e71b7053SJung-uk Kim goto err;
3775e71b7053SJung-uk Kim }
3776e71b7053SJung-uk Kim OPENSSL_free(senc);
3777e71b7053SJung-uk Kim EVP_CIPHER_CTX_free(ctx);
3778b077aed3SPierre Pronchery ssl_hmac_free(hctx);
3779e71b7053SJung-uk Kim return 1;
3780e71b7053SJung-uk Kim }
3781e71b7053SJung-uk Kim if (ret < 0) {
3782b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
3783e71b7053SJung-uk Kim goto err;
3784e71b7053SJung-uk Kim }
3785b077aed3SPierre Pronchery iv_len = EVP_CIPHER_CTX_get_iv_length(ctx);
3786b077aed3SPierre Pronchery if (iv_len < 0) {
3787b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3788b077aed3SPierre Pronchery goto err;
3789b077aed3SPierre Pronchery }
3790e71b7053SJung-uk Kim } else {
3791b077aed3SPierre Pronchery EVP_CIPHER *cipher = EVP_CIPHER_fetch(s->ctx->libctx, "AES-256-CBC",
3792b077aed3SPierre Pronchery s->ctx->propq);
3793e71b7053SJung-uk Kim
3794b077aed3SPierre Pronchery if (cipher == NULL) {
3795b077aed3SPierre Pronchery /* Error is already recorded */
3796b077aed3SPierre Pronchery SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
3797b077aed3SPierre Pronchery goto err;
3798b077aed3SPierre Pronchery }
3799b077aed3SPierre Pronchery
3800b077aed3SPierre Pronchery iv_len = EVP_CIPHER_get_iv_length(cipher);
3801b077aed3SPierre Pronchery if (iv_len < 0
3802b077aed3SPierre Pronchery || RAND_bytes_ex(s->ctx->libctx, iv, iv_len, 0) <= 0
3803e71b7053SJung-uk Kim || !EVP_EncryptInit_ex(ctx, cipher, NULL,
3804e71b7053SJung-uk Kim tctx->ext.secure->tick_aes_key, iv)
3805b077aed3SPierre Pronchery || !ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key,
3806e71b7053SJung-uk Kim sizeof(tctx->ext.secure->tick_hmac_key),
3807b077aed3SPierre Pronchery "SHA256")) {
3808b077aed3SPierre Pronchery EVP_CIPHER_free(cipher);
3809b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3810e71b7053SJung-uk Kim goto err;
3811e71b7053SJung-uk Kim }
3812b077aed3SPierre Pronchery EVP_CIPHER_free(cipher);
3813e71b7053SJung-uk Kim memcpy(key_name, tctx->ext.tick_key_name,
3814e71b7053SJung-uk Kim sizeof(tctx->ext.tick_key_name));
3815e71b7053SJung-uk Kim }
3816e71b7053SJung-uk Kim
3817e71b7053SJung-uk Kim if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
3818e71b7053SJung-uk Kim /* SSLfatal() already called */
3819e71b7053SJung-uk Kim goto err;
3820e71b7053SJung-uk Kim }
3821e71b7053SJung-uk Kim
3822e71b7053SJung-uk Kim if (!WPACKET_get_total_written(pkt, &macoffset)
3823e71b7053SJung-uk Kim /* Output key name */
3824e71b7053SJung-uk Kim || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
3825e71b7053SJung-uk Kim /* output IV */
3826e71b7053SJung-uk Kim || !WPACKET_memcpy(pkt, iv, iv_len)
3827e71b7053SJung-uk Kim || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
3828e71b7053SJung-uk Kim &encdata1)
3829e71b7053SJung-uk Kim /* Encrypt session data */
3830e71b7053SJung-uk Kim || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
3831e71b7053SJung-uk Kim || !WPACKET_allocate_bytes(pkt, len, &encdata2)
3832e71b7053SJung-uk Kim || encdata1 != encdata2
3833e71b7053SJung-uk Kim || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
3834e71b7053SJung-uk Kim || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
3835e71b7053SJung-uk Kim || encdata1 + len != encdata2
3836e71b7053SJung-uk Kim || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
3837e71b7053SJung-uk Kim || !WPACKET_get_total_written(pkt, &macendoffset)
3838b077aed3SPierre Pronchery || !ssl_hmac_update(hctx,
3839e71b7053SJung-uk Kim (unsigned char *)s->init_buf->data + macoffset,
3840e71b7053SJung-uk Kim macendoffset - macoffset)
3841e71b7053SJung-uk Kim || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
3842b077aed3SPierre Pronchery || !ssl_hmac_final(hctx, macdata1, &hlen, EVP_MAX_MD_SIZE)
3843e71b7053SJung-uk Kim || hlen > EVP_MAX_MD_SIZE
3844e71b7053SJung-uk Kim || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
3845e71b7053SJung-uk Kim || macdata1 != macdata2) {
3846b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3847e71b7053SJung-uk Kim goto err;
3848e71b7053SJung-uk Kim }
3849e71b7053SJung-uk Kim
3850e71b7053SJung-uk Kim /* Close the sub-packet created by create_ticket_prequel() */
3851e71b7053SJung-uk Kim if (!WPACKET_close(pkt)) {
3852b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3853e71b7053SJung-uk Kim goto err;
3854e71b7053SJung-uk Kim }
3855e71b7053SJung-uk Kim
3856e71b7053SJung-uk Kim ok = 1;
3857e71b7053SJung-uk Kim err:
3858e71b7053SJung-uk Kim OPENSSL_free(senc);
3859e71b7053SJung-uk Kim EVP_CIPHER_CTX_free(ctx);
3860b077aed3SPierre Pronchery ssl_hmac_free(hctx);
3861e71b7053SJung-uk Kim return ok;
3862e71b7053SJung-uk Kim }
/*
 * Build the body of a "stateful" NewSessionTicket: the common ticket prefix
 * written by create_ticket_prequel() followed by the session ID. Unlike the
 * stateless variant no encrypted session data is embedded; the server relies
 * on its own session cache to resume.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
static int construct_stateful_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
                                     unsigned char *tick_nonce)
{
    int written;

    /* Writes the common ticket prefix and opens the ticket sub-packet. */
    if (!create_ticket_prequel(s, pkt, age_add, tick_nonce))
        return 0; /* SSLfatal() already called */

    /* The session ID is the entire ticket payload; then close the sub-packet. */
    written = WPACKET_memcpy(pkt, s->session->session_id,
                             s->session->session_id_length)
              && WPACKET_close(pkt);
    if (!written) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}
/*
 * Bookkeeping after a NewSessionTicket has been (or counts as having been)
 * sent.
 *
 * |next_ticket_nonce| only ever increases for the lifetime of the connection,
 * whereas |sent_tickets| is reset to 0 when further tickets are sent after a
 * post-handshake authentication. If extra tickets were requested, one pending
 * extra ticket is consumed.
 */
static void tls_update_ticket_counts(SSL *s)
{
    if (s->ext.extra_tickets_expected > 0)
        s->ext.extra_tickets_expected--;
    s->next_ticket_nonce++;
    s->sent_tickets++;
}
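/*
 * Refresh the TLSv1.3 session state that a new ticket will carry: give the
 * (possibly copied) session a fresh session ID, a random ticket_age_add, a
 * per-ticket master key derived from the resumption master secret, updated
 * timing information and the negotiated ALPN / early-data parameters.
 *
 * |tick_nonce| receives the big-endian encoding of |s->next_ticket_nonce|
 * (TICKET_NONCE_SIZE bytes) and |*age_add| the freshly generated
 * ticket_age_add value; both are only written on success.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
static int tls13_prepare_ticket_session(SSL *s, unsigned char *tick_nonce,
                                        uint32_t *age_add)
{
    size_t i, hashlen;
    uint64_t nonce;
    static const unsigned char nonce_label[] = "resumption";
    const EVP_MD *md = ssl_handshake_md(s);
    int hashleni = EVP_MD_get_size(md);
    union {
        unsigned char age_add_c[sizeof(uint32_t)];
        uint32_t age_add;
    } age_add_u;

    /* Ensure cast to size_t is safe */
    if (!ossl_assert(hashleni >= 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    hashlen = (size_t)hashleni;

    /*
     * If we already sent one NewSessionTicket, or we resumed then
     * s->session may already be in a cache and so we must not modify it.
     * Instead we need to take a copy of it and modify that.
     */
    if (s->sent_tickets != 0 || s->hit) {
        SSL_SESSION *new_sess = ssl_session_dup(s->session, 0);

        if (new_sess == NULL)
            return 0; /* SSLfatal already called */

        SSL_SESSION_free(s->session);
        s->session = new_sess;
    }

    if (!ssl_generate_session_id(s, s->session))
        return 0; /* SSLfatal() already called */

    /* ticket_age_add is a random 32-bit mask; read it through the union */
    if (RAND_bytes_ex(s->ctx->libctx, age_add_u.age_add_c,
                      sizeof(age_add_u), 0) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    s->session->ext.tick_age_add = age_add_u.age_add;

    /* Network (big-endian) encoding of the 64-bit ticket nonce */
    nonce = s->next_ticket_nonce;
    for (i = TICKET_NONCE_SIZE; i > 0; i--) {
        tick_nonce[i - 1] = (unsigned char)(nonce & 0xff);
        nonce >>= 8;
    }

    /*
     * Derive this ticket's PSK from the resumption master secret and the
     * ticket nonce (RFC 8446, section 4.6.1), so every ticket issued on the
     * connection carries a distinct secret.
     */
    if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
                           nonce_label, sizeof(nonce_label) - 1,
                           tick_nonce, TICKET_NONCE_SIZE,
                           s->session->master_key, hashlen, 1)) {
        return 0; /* SSLfatal() already called */
    }
    s->session->master_key_length = hashlen;

    s->session->time = time(NULL);
    ssl_session_calculate_timeout(s->session);
    if (s->s3.alpn_selected != NULL) {
        OPENSSL_free(s->session->ext.alpn_selected);
        s->session->ext.alpn_selected =
            OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
        if (s->session->ext.alpn_selected == NULL) {
            /* Keep the length consistent with the NULL pointer */
            s->session->ext.alpn_selected_len = 0;
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
            return 0;
        }
        s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
    }
    s->session->ext.max_early_data = s->max_early_data;

    *age_add = age_add_u.age_add;
    return 1;
}

/*
 * Construct a NewSessionTicket message.
 *
 * For TLSv1.3 the session is first refreshed (new ID, age_add, per-ticket
 * key) and the ticket nonce encoded. Then either a stateful ticket (session
 * ID only) or a stateless one (encrypted session data) is written, depending
 * on SSL_OP_NO_TICKET and whether anti-replay protection is in use. In
 * TLSv1.3 the NewSessionTicket extensions follow and the session is added to
 * the server cache.
 *
 * Returns 1 on success, 0 on a fatal error (SSLfatal() has been called), or 2
 * when construct_stateless_ticket() returned 0 because the ticket key
 * callback asked for no ticket: construction of this message is abandoned
 * but the connection continues.
 */
int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
{
    SSL_CTX *tctx = s->session_ctx;
    unsigned char tick_nonce[TICKET_NONCE_SIZE];
    uint32_t age_add = 0;
    int ret = 0;

    if (SSL_IS_TLS13(s)
        && !tls13_prepare_ticket_session(s, tick_nonce, &age_add))
        goto err; /* SSLfatal() already called */

    if (tctx->generate_ticket_cb != NULL
        && tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /*
     * If we are using anti-replay protection then we behave as if
     * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
     * is no point in using full stateless tickets.
     */
    if (SSL_IS_TLS13(s)
        && ((s->options & SSL_OP_NO_TICKET) != 0
            || (s->max_early_data > 0
                && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) {
        if (!construct_stateful_ticket(s, pkt, age_add, tick_nonce))
            goto err; /* SSLfatal() already called */
    } else {
        int tmpret = construct_stateless_ticket(s, pkt, age_add, tick_nonce);

        if (tmpret != 1) {
            if (tmpret == 0) {
                /*
                 * Non-fatal: abort construction but continue. We count this
                 * as a success so update the counts anyway.
                 */
                ret = 2;
                tls_update_ticket_counts(s);
            }
            /* else SSLfatal() already called */
            goto err;
        }
    }

    if (SSL_IS_TLS13(s)) {
        if (!tls_construct_extensions(s, pkt,
                                      SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
                                      NULL, 0))
            goto err; /* SSLfatal() already called */
        tls_update_ticket_counts(s);
        ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
    }

    ret = 1;
 err:
    return ret;
}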
/*
 * Write the body of a CertificateStatus message: the status_type byte
 * followed by the 24-bit length-prefixed OCSP response in s->ext.ocsp.resp.
 *
 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
 * create a separate message. Returns 1 on success or 0 on failure (SSLfatal()
 * has been called).
 */
int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
{
    int ok = WPACKET_put_bytes_u8(pkt, s->ext.status_type)
             && WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
                                       s->ext.ocsp.resp_len);

    if (ok)
        return 1;

    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return 0;
}
/*
 * Construct CertificateStatus as a separate handshake message (the form used
 * outside TLSv1.3). Returns 1 on success, 0 on failure; the body constructor
 * has already raised SSLfatal() in that case.
 */
int tls_construct_cert_status(SSL *s, WPACKET *pkt)
{
    /* tls_construct_cert_status_body() reports failures via SSLfatal() */
    return tls_construct_cert_status_body(s, pkt) != 0;
}
4060e71b7053SJung-uk Kim #ifndef OPENSSL_NO_NEXTPROTONEG
/*
 * tls_process_next_proto reads a Next Protocol Negotiation handshake message
 * and stores the selected protocol in s->ext.npn / s->ext.npn_len.
 *
 * Wire format (each length is a single byte):
 *     uint8 proto_len;
 *     uint8 proto[proto_len];
 *     uint8 padding_len;
 *     uint8 padding[padding_len];
 * The padding is parsed for framing only and otherwise ignored.
 */
MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
{
    PACKET proto_pkt, pad_pkt;
    size_t proto_len;
    int well_formed;

    /* Both fields must be present and nothing may trail them. */
    well_formed = PACKET_get_length_prefixed_1(pkt, &proto_pkt)
                  && PACKET_get_length_prefixed_1(pkt, &pad_pkt)
                  && PACKET_remaining(pkt) == 0;
    if (!well_formed) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return MSG_PROCESS_ERROR;
    }

    if (!PACKET_memdup(&proto_pkt, &s->ext.npn, &proto_len)) {
        /* Don't leave a stale length behind after a failed copy */
        s->ext.npn_len = 0;
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return MSG_PROCESS_ERROR;
    }

    /* A one-byte length prefix bounds proto_len to 255, so the cast is lossless */
    s->ext.npn_len = (unsigned char)proto_len;

    return MSG_PROCESS_CONTINUE_READING;
}
4094e71b7053SJung-uk Kim #endif
/*
 * Construct the TLSv1.3 EncryptedExtensions message; its body consists solely
 * of the extension block for that context. Returns 1 on success, 0 on failure
 * (SSLfatal() has been called by tls_construct_extensions()).
 */
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
{
    int ok = tls_construct_extensions(s, pkt,
                                      SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
                                      NULL, 0);

    /* On failure SSLfatal() has already been raised by the callee */
    return ok ? 1 : 0;
}
/*
 * Process an EndOfEarlyData message from the client.
 *
 * The message has an empty body, must arrive while we are still reading early
 * data, and must end on a record boundary because it signals a key change.
 * On success our read side is switched to the handshake traffic keys.
 *
 * Returns MSG_PROCESS_CONTINUE_READING on success, or MSG_PROCESS_ERROR after
 * SSLfatal() has been called.
 */
MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
{
    int reading_early_data;

    /* Empty body: anything left over is a decode error. */
    if (PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return MSG_PROCESS_ERROR;
    }

    reading_early_data = s->early_data_state == SSL_EARLY_DATA_READING
                         || s->early_data_state == SSL_EARLY_DATA_READ_RETRY;
    if (!reading_early_data) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return MSG_PROCESS_ERROR;
    }

    /*
     * EndOfEarlyData signals a key change so the end of the message must be on
     * a record boundary.
     */
    if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
        return MSG_PROCESS_ERROR;
    }

    s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;

    /* Switch our read side over to the handshake traffic keys. */
    if (!s->method->ssl3_enc->change_cipher_state(s,
                SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ))
        return MSG_PROCESS_ERROR; /* SSLfatal() already called */

    return MSG_PROCESS_CONTINUE_READING;
}