1 /* 2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * Copyright 2005 Nokia. All rights reserved. 5 * 6 * Licensed under the OpenSSL license (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12 #include <stdio.h> 13 #include "../ssl_locl.h" 14 #include "statem_locl.h" 15 #include "internal/constant_time_locl.h" 16 #include "internal/cryptlib.h" 17 #include <openssl/buffer.h> 18 #include <openssl/rand.h> 19 #include <openssl/objects.h> 20 #include <openssl/evp.h> 21 #include <openssl/hmac.h> 22 #include <openssl/x509.h> 23 #include <openssl/dh.h> 24 #include <openssl/bn.h> 25 #include <openssl/md5.h> 26 27 #define TICKET_NONCE_SIZE 8 28 29 static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt); 30 31 /* 32 * ossl_statem_server13_read_transition() encapsulates the logic for the allowed 33 * handshake state transitions when a TLSv1.3 server is reading messages from 34 * the client. The message type that the client has sent is provided in |mt|. 35 * The current state is in |s->statem.hand_state|. 36 * 37 * Return values are 1 for success (transition allowed) and 0 on error 38 * (transition not allowed) 39 */ 40 static int ossl_statem_server13_read_transition(SSL *s, int mt) 41 { 42 OSSL_STATEM *st = &s->statem; 43 44 /* 45 * Note: There is no case for TLS_ST_BEFORE because at that stage we have 46 * not negotiated TLSv1.3 yet, so that case is handled by 47 * ossl_statem_server_read_transition() 48 */ 49 switch (st->hand_state) { 50 default: 51 break; 52 53 case TLS_ST_EARLY_DATA: 54 if (s->hello_retry_request == SSL_HRR_PENDING) { 55 if (mt == SSL3_MT_CLIENT_HELLO) { 56 st->hand_state = TLS_ST_SR_CLNT_HELLO; 57 return 1; 58 } 59 break; 60 } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { 61 if (mt == SSL3_MT_END_OF_EARLY_DATA) { 62 st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA; 63 return 1; 64 } 65 break; 66 } 67 /* Fall through */ 68 69 case TLS_ST_SR_END_OF_EARLY_DATA: 70 case TLS_ST_SW_FINISHED: 71 if (s->s3->tmp.cert_request) { 72 if (mt == SSL3_MT_CERTIFICATE) { 73 st->hand_state = TLS_ST_SR_CERT; 74 return 1; 75 } 76 } else { 77 if (mt == SSL3_MT_FINISHED) { 78 st->hand_state = TLS_ST_SR_FINISHED; 79 return 1; 80 } 81 } 82 break; 83 84 case TLS_ST_SR_CERT: 85 if (s->session->peer == NULL) { 86 if (mt == SSL3_MT_FINISHED) { 87 st->hand_state = TLS_ST_SR_FINISHED; 88 return 1; 89 } 90 } else { 91 if (mt == SSL3_MT_CERTIFICATE_VERIFY) { 92 st->hand_state = TLS_ST_SR_CERT_VRFY; 93 return 1; 94 } 95 } 96 break; 97 98 case TLS_ST_SR_CERT_VRFY: 99 if (mt == SSL3_MT_FINISHED) { 100 st->hand_state = TLS_ST_SR_FINISHED; 101 return 1; 102 } 103 break; 104 105 case TLS_ST_OK: 106 /* 107 * Its never ok to start processing handshake messages in the middle of 108 * early data (i.e. before we've received the end of early data alert) 109 */ 110 if (s->early_data_state == SSL_EARLY_DATA_READING) 111 break; 112 113 if (mt == SSL3_MT_CERTIFICATE 114 && s->post_handshake_auth == SSL_PHA_REQUESTED) { 115 st->hand_state = TLS_ST_SR_CERT; 116 return 1; 117 } 118 119 if (mt == SSL3_MT_KEY_UPDATE) { 120 st->hand_state = TLS_ST_SR_KEY_UPDATE; 121 return 1; 122 } 123 break; 124 } 125 126 /* No valid transition found */ 127 return 0; 128 } 129 130 /* 131 * ossl_statem_server_read_transition() encapsulates the logic for the allowed 132 * handshake state transitions when the server is reading messages from the 133 * client. The message type that the client has sent is provided in |mt|. The 134 * current state is in |s->statem.hand_state|. 135 * 136 * Return values are 1 for success (transition allowed) and 0 on error 137 * (transition not allowed) 138 */ 139 int ossl_statem_server_read_transition(SSL *s, int mt) 140 { 141 OSSL_STATEM *st = &s->statem; 142 143 if (SSL_IS_TLS13(s)) { 144 if (!ossl_statem_server13_read_transition(s, mt)) 145 goto err; 146 return 1; 147 } 148 149 switch (st->hand_state) { 150 default: 151 break; 152 153 case TLS_ST_BEFORE: 154 case TLS_ST_OK: 155 case DTLS_ST_SW_HELLO_VERIFY_REQUEST: 156 if (mt == SSL3_MT_CLIENT_HELLO) { 157 st->hand_state = TLS_ST_SR_CLNT_HELLO; 158 return 1; 159 } 160 break; 161 162 case TLS_ST_SW_SRVR_DONE: 163 /* 164 * If we get a CKE message after a ServerDone then either 165 * 1) We didn't request a Certificate 166 * OR 167 * 2) If we did request one then 168 * a) We allow no Certificate to be returned 169 * AND 170 * b) We are running SSL3 (in TLS1.0+ the client must return a 0 171 * list if we requested a certificate) 172 */ 173 if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) { 174 if (s->s3->tmp.cert_request) { 175 if (s->version == SSL3_VERSION) { 176 if ((s->verify_mode & SSL_VERIFY_PEER) 177 && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { 178 /* 179 * This isn't an unexpected message as such - we're just 180 * not going to accept it because we require a client 181 * cert. 182 */ 183 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 184 SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, 185 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 186 return 0; 187 } 188 st->hand_state = TLS_ST_SR_KEY_EXCH; 189 return 1; 190 } 191 } else { 192 st->hand_state = TLS_ST_SR_KEY_EXCH; 193 return 1; 194 } 195 } else if (s->s3->tmp.cert_request) { 196 if (mt == SSL3_MT_CERTIFICATE) { 197 st->hand_state = TLS_ST_SR_CERT; 198 return 1; 199 } 200 } 201 break; 202 203 case TLS_ST_SR_CERT: 204 if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) { 205 st->hand_state = TLS_ST_SR_KEY_EXCH; 206 return 1; 207 } 208 break; 209 210 case TLS_ST_SR_KEY_EXCH: 211 /* 212 * We should only process a CertificateVerify message if we have 213 * received a Certificate from the client. If so then |s->session->peer| 214 * will be non NULL. In some instances a CertificateVerify message is 215 * not required even if the peer has sent a Certificate (e.g. such as in 216 * the case of static DH). In that case |st->no_cert_verify| should be 217 * set. 218 */ 219 if (s->session->peer == NULL || st->no_cert_verify) { 220 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 221 /* 222 * For the ECDH ciphersuites when the client sends its ECDH 223 * pub key in a certificate, the CertificateVerify message is 224 * not sent. Also for GOST ciphersuites when the client uses 225 * its key from the certificate for key exchange. 226 */ 227 st->hand_state = TLS_ST_SR_CHANGE; 228 return 1; 229 } 230 } else { 231 if (mt == SSL3_MT_CERTIFICATE_VERIFY) { 232 st->hand_state = TLS_ST_SR_CERT_VRFY; 233 return 1; 234 } 235 } 236 break; 237 238 case TLS_ST_SR_CERT_VRFY: 239 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 240 st->hand_state = TLS_ST_SR_CHANGE; 241 return 1; 242 } 243 break; 244 245 case TLS_ST_SR_CHANGE: 246 #ifndef OPENSSL_NO_NEXTPROTONEG 247 if (s->s3->npn_seen) { 248 if (mt == SSL3_MT_NEXT_PROTO) { 249 st->hand_state = TLS_ST_SR_NEXT_PROTO; 250 return 1; 251 } 252 } else { 253 #endif 254 if (mt == SSL3_MT_FINISHED) { 255 st->hand_state = TLS_ST_SR_FINISHED; 256 return 1; 257 } 258 #ifndef OPENSSL_NO_NEXTPROTONEG 259 } 260 #endif 261 break; 262 263 #ifndef OPENSSL_NO_NEXTPROTONEG 264 case TLS_ST_SR_NEXT_PROTO: 265 if (mt == SSL3_MT_FINISHED) { 266 st->hand_state = TLS_ST_SR_FINISHED; 267 return 1; 268 } 269 break; 270 #endif 271 272 case TLS_ST_SW_FINISHED: 273 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 274 st->hand_state = TLS_ST_SR_CHANGE; 275 return 1; 276 } 277 break; 278 } 279 280 err: 281 /* No valid transition found */ 282 if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 283 BIO *rbio; 284 285 /* 286 * CCS messages don't have a message sequence number so this is probably 287 * because of an out-of-order CCS. We'll just drop it. 288 */ 289 s->init_num = 0; 290 s->rwstate = SSL_READING; 291 rbio = SSL_get_rbio(s); 292 BIO_clear_retry_flags(rbio); 293 BIO_set_retry_read(rbio); 294 return 0; 295 } 296 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, 297 SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, 298 SSL_R_UNEXPECTED_MESSAGE); 299 return 0; 300 } 301 302 /* 303 * Should we send a ServerKeyExchange message? 304 * 305 * Valid return values are: 306 * 1: Yes 307 * 0: No 308 */ 309 static int send_server_key_exchange(SSL *s) 310 { 311 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 312 313 /* 314 * only send a ServerKeyExchange if DH or fortezza but we have a 315 * sign only certificate PSK: may send PSK identity hints For 316 * ECC ciphersuites, we send a serverKeyExchange message only if 317 * the cipher suite is either ECDH-anon or ECDHE. In other cases, 318 * the server certificate contains the server's public key for 319 * key exchange. 320 */ 321 if (alg_k & (SSL_kDHE | SSL_kECDHE) 322 /* 323 * PSK: send ServerKeyExchange if PSK identity hint if 324 * provided 325 */ 326 #ifndef OPENSSL_NO_PSK 327 /* Only send SKE if we have identity hint for plain PSK */ 328 || ((alg_k & (SSL_kPSK | SSL_kRSAPSK)) 329 && s->cert->psk_identity_hint) 330 /* For other PSK always send SKE */ 331 || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK))) 332 #endif 333 #ifndef OPENSSL_NO_SRP 334 /* SRP: send ServerKeyExchange */ 335 || (alg_k & SSL_kSRP) 336 #endif 337 ) { 338 return 1; 339 } 340 341 return 0; 342 } 343 344 /* 345 * Should we send a CertificateRequest message? 346 * 347 * Valid return values are: 348 * 1: Yes 349 * 0: No 350 */ 351 int send_certificate_request(SSL *s) 352 { 353 if ( 354 /* don't request cert unless asked for it: */ 355 s->verify_mode & SSL_VERIFY_PEER 356 /* 357 * don't request if post-handshake-only unless doing 358 * post-handshake in TLSv1.3: 359 */ 360 && (!SSL_IS_TLS13(s) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE) 361 || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) 362 /* 363 * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert 364 * a second time: 365 */ 366 && (s->certreqs_sent < 1 || 367 !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) 368 /* 369 * never request cert in anonymous ciphersuites (see 370 * section "Certificate request" in SSL 3 drafts and in 371 * RFC 2246): 372 */ 373 && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 374 /* 375 * ... except when the application insists on 376 * verification (against the specs, but statem_clnt.c accepts 377 * this for SSL 3) 378 */ 379 || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 380 /* don't request certificate for SRP auth */ 381 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP) 382 /* 383 * With normal PSK Certificates and Certificate Requests 384 * are omitted 385 */ 386 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) { 387 return 1; 388 } 389 390 return 0; 391 } 392 393 /* 394 * ossl_statem_server13_write_transition() works out what handshake state to 395 * move to next when a TLSv1.3 server is writing messages to be sent to the 396 * client. 397 */ 398 static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) 399 { 400 OSSL_STATEM *st = &s->statem; 401 402 /* 403 * No case for TLS_ST_BEFORE, because at that stage we have not negotiated 404 * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition() 405 */ 406 407 switch (st->hand_state) { 408 default: 409 /* Shouldn't happen */ 410 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 411 SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION, 412 ERR_R_INTERNAL_ERROR); 413 return WRITE_TRAN_ERROR; 414 415 case TLS_ST_OK: 416 if (s->key_update != SSL_KEY_UPDATE_NONE) { 417 st->hand_state = TLS_ST_SW_KEY_UPDATE; 418 return WRITE_TRAN_CONTINUE; 419 } 420 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { 421 st->hand_state = TLS_ST_SW_CERT_REQ; 422 return WRITE_TRAN_CONTINUE; 423 } 424 /* Try to read from the client instead */ 425 return WRITE_TRAN_FINISHED; 426 427 case TLS_ST_SR_CLNT_HELLO: 428 st->hand_state = TLS_ST_SW_SRVR_HELLO; 429 return WRITE_TRAN_CONTINUE; 430 431 case TLS_ST_SW_SRVR_HELLO: 432 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 433 && s->hello_retry_request != SSL_HRR_COMPLETE) 434 st->hand_state = TLS_ST_SW_CHANGE; 435 else if (s->hello_retry_request == SSL_HRR_PENDING) 436 st->hand_state = TLS_ST_EARLY_DATA; 437 else 438 st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; 439 return WRITE_TRAN_CONTINUE; 440 441 case TLS_ST_SW_CHANGE: 442 if (s->hello_retry_request == SSL_HRR_PENDING) 443 st->hand_state = TLS_ST_EARLY_DATA; 444 else 445 st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; 446 return WRITE_TRAN_CONTINUE; 447 448 case TLS_ST_SW_ENCRYPTED_EXTENSIONS: 449 if (s->hit) 450 st->hand_state = TLS_ST_SW_FINISHED; 451 else if (send_certificate_request(s)) 452 st->hand_state = TLS_ST_SW_CERT_REQ; 453 else 454 st->hand_state = TLS_ST_SW_CERT; 455 456 return WRITE_TRAN_CONTINUE; 457 458 case TLS_ST_SW_CERT_REQ: 459 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { 460 s->post_handshake_auth = SSL_PHA_REQUESTED; 461 st->hand_state = TLS_ST_OK; 462 } else { 463 st->hand_state = TLS_ST_SW_CERT; 464 } 465 return WRITE_TRAN_CONTINUE; 466 467 case TLS_ST_SW_CERT: 468 st->hand_state = TLS_ST_SW_CERT_VRFY; 469 return WRITE_TRAN_CONTINUE; 470 471 case TLS_ST_SW_CERT_VRFY: 472 st->hand_state = TLS_ST_SW_FINISHED; 473 return WRITE_TRAN_CONTINUE; 474 475 case TLS_ST_SW_FINISHED: 476 st->hand_state = TLS_ST_EARLY_DATA; 477 return WRITE_TRAN_CONTINUE; 478 479 case TLS_ST_EARLY_DATA: 480 return WRITE_TRAN_FINISHED; 481 482 case TLS_ST_SR_FINISHED: 483 /* 484 * Technically we have finished the handshake at this point, but we're 485 * going to remain "in_init" for now and write out any session tickets 486 * immediately. 487 */ 488 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 489 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED; 490 } else if (!s->ext.ticket_expected) { 491 /* 492 * If we're not going to renew the ticket then we just finish the 493 * handshake at this point. 494 */ 495 st->hand_state = TLS_ST_OK; 496 return WRITE_TRAN_CONTINUE; 497 } 498 if (s->num_tickets > s->sent_tickets) 499 st->hand_state = TLS_ST_SW_SESSION_TICKET; 500 else 501 st->hand_state = TLS_ST_OK; 502 return WRITE_TRAN_CONTINUE; 503 504 case TLS_ST_SR_KEY_UPDATE: 505 if (s->key_update != SSL_KEY_UPDATE_NONE) { 506 st->hand_state = TLS_ST_SW_KEY_UPDATE; 507 return WRITE_TRAN_CONTINUE; 508 } 509 /* Fall through */ 510 511 case TLS_ST_SW_KEY_UPDATE: 512 st->hand_state = TLS_ST_OK; 513 return WRITE_TRAN_CONTINUE; 514 515 case TLS_ST_SW_SESSION_TICKET: 516 /* In a resumption we only ever send a maximum of one new ticket. 517 * Following an initial handshake we send the number of tickets we have 518 * been configured for. 519 */ 520 if (s->hit || s->num_tickets <= s->sent_tickets) { 521 /* We've written enough tickets out. */ 522 st->hand_state = TLS_ST_OK; 523 } 524 return WRITE_TRAN_CONTINUE; 525 } 526 } 527 528 /* 529 * ossl_statem_server_write_transition() works out what handshake state to move 530 * to next when the server is writing messages to be sent to the client. 531 */ 532 WRITE_TRAN ossl_statem_server_write_transition(SSL *s) 533 { 534 OSSL_STATEM *st = &s->statem; 535 536 /* 537 * Note that before the ClientHello we don't know what version we are going 538 * to negotiate yet, so we don't take this branch until later 539 */ 540 541 if (SSL_IS_TLS13(s)) 542 return ossl_statem_server13_write_transition(s); 543 544 switch (st->hand_state) { 545 default: 546 /* Shouldn't happen */ 547 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 548 SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION, 549 ERR_R_INTERNAL_ERROR); 550 return WRITE_TRAN_ERROR; 551 552 case TLS_ST_OK: 553 if (st->request_state == TLS_ST_SW_HELLO_REQ) { 554 /* We must be trying to renegotiate */ 555 st->hand_state = TLS_ST_SW_HELLO_REQ; 556 st->request_state = TLS_ST_BEFORE; 557 return WRITE_TRAN_CONTINUE; 558 } 559 /* Must be an incoming ClientHello */ 560 if (!tls_setup_handshake(s)) { 561 /* SSLfatal() already called */ 562 return WRITE_TRAN_ERROR; 563 } 564 /* Fall through */ 565 566 case TLS_ST_BEFORE: 567 /* Just go straight to trying to read from the client */ 568 return WRITE_TRAN_FINISHED; 569 570 case TLS_ST_SW_HELLO_REQ: 571 st->hand_state = TLS_ST_OK; 572 return WRITE_TRAN_CONTINUE; 573 574 case TLS_ST_SR_CLNT_HELLO: 575 if (SSL_IS_DTLS(s) && !s->d1->cookie_verified 576 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) { 577 st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST; 578 } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { 579 /* We must have rejected the renegotiation */ 580 st->hand_state = TLS_ST_OK; 581 return WRITE_TRAN_CONTINUE; 582 } else { 583 st->hand_state = TLS_ST_SW_SRVR_HELLO; 584 } 585 return WRITE_TRAN_CONTINUE; 586 587 case DTLS_ST_SW_HELLO_VERIFY_REQUEST: 588 return WRITE_TRAN_FINISHED; 589 590 case TLS_ST_SW_SRVR_HELLO: 591 if (s->hit) { 592 if (s->ext.ticket_expected) 593 st->hand_state = TLS_ST_SW_SESSION_TICKET; 594 else 595 st->hand_state = TLS_ST_SW_CHANGE; 596 } else { 597 /* Check if it is anon DH or anon ECDH, */ 598 /* normal PSK or SRP */ 599 if (!(s->s3->tmp.new_cipher->algorithm_auth & 600 (SSL_aNULL | SSL_aSRP | SSL_aPSK))) { 601 st->hand_state = TLS_ST_SW_CERT; 602 } else if (send_server_key_exchange(s)) { 603 st->hand_state = TLS_ST_SW_KEY_EXCH; 604 } else if (send_certificate_request(s)) { 605 st->hand_state = TLS_ST_SW_CERT_REQ; 606 } else { 607 st->hand_state = TLS_ST_SW_SRVR_DONE; 608 } 609 } 610 return WRITE_TRAN_CONTINUE; 611 612 case TLS_ST_SW_CERT: 613 if (s->ext.status_expected) { 614 st->hand_state = TLS_ST_SW_CERT_STATUS; 615 return WRITE_TRAN_CONTINUE; 616 } 617 /* Fall through */ 618 619 case TLS_ST_SW_CERT_STATUS: 620 if (send_server_key_exchange(s)) { 621 st->hand_state = TLS_ST_SW_KEY_EXCH; 622 return WRITE_TRAN_CONTINUE; 623 } 624 /* Fall through */ 625 626 case TLS_ST_SW_KEY_EXCH: 627 if (send_certificate_request(s)) { 628 st->hand_state = TLS_ST_SW_CERT_REQ; 629 return WRITE_TRAN_CONTINUE; 630 } 631 /* Fall through */ 632 633 case TLS_ST_SW_CERT_REQ: 634 st->hand_state = TLS_ST_SW_SRVR_DONE; 635 return WRITE_TRAN_CONTINUE; 636 637 case TLS_ST_SW_SRVR_DONE: 638 return WRITE_TRAN_FINISHED; 639 640 case TLS_ST_SR_FINISHED: 641 if (s->hit) { 642 st->hand_state = TLS_ST_OK; 643 return WRITE_TRAN_CONTINUE; 644 } else if (s->ext.ticket_expected) { 645 st->hand_state = TLS_ST_SW_SESSION_TICKET; 646 } else { 647 st->hand_state = TLS_ST_SW_CHANGE; 648 } 649 return WRITE_TRAN_CONTINUE; 650 651 case TLS_ST_SW_SESSION_TICKET: 652 st->hand_state = TLS_ST_SW_CHANGE; 653 return WRITE_TRAN_CONTINUE; 654 655 case TLS_ST_SW_CHANGE: 656 st->hand_state = TLS_ST_SW_FINISHED; 657 return WRITE_TRAN_CONTINUE; 658 659 case TLS_ST_SW_FINISHED: 660 if (s->hit) { 661 return WRITE_TRAN_FINISHED; 662 } 663 st->hand_state = TLS_ST_OK; 664 return WRITE_TRAN_CONTINUE; 665 } 666 } 667 668 /* 669 * Perform any pre work that needs to be done prior to sending a message from 670 * the server to the client. 671 */ 672 WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) 673 { 674 OSSL_STATEM *st = &s->statem; 675 676 switch (st->hand_state) { 677 default: 678 /* No pre work to be done */ 679 break; 680 681 case TLS_ST_SW_HELLO_REQ: 682 s->shutdown = 0; 683 if (SSL_IS_DTLS(s)) 684 dtls1_clear_sent_buffer(s); 685 break; 686 687 case DTLS_ST_SW_HELLO_VERIFY_REQUEST: 688 s->shutdown = 0; 689 if (SSL_IS_DTLS(s)) { 690 dtls1_clear_sent_buffer(s); 691 /* We don't buffer this message so don't use the timer */ 692 st->use_timer = 0; 693 } 694 break; 695 696 case TLS_ST_SW_SRVR_HELLO: 697 if (SSL_IS_DTLS(s)) { 698 /* 699 * Messages we write from now on should be buffered and 700 * retransmitted if necessary, so we need to use the timer now 701 */ 702 st->use_timer = 1; 703 } 704 break; 705 706 case TLS_ST_SW_SRVR_DONE: 707 #ifndef OPENSSL_NO_SCTP 708 if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) { 709 /* Calls SSLfatal() as required */ 710 return dtls_wait_for_dry(s); 711 } 712 #endif 713 return WORK_FINISHED_CONTINUE; 714 715 case TLS_ST_SW_SESSION_TICKET: 716 if (SSL_IS_TLS13(s) && s->sent_tickets == 0) { 717 /* 718 * Actually this is the end of the handshake, but we're going 719 * straight into writing the session ticket out. So we finish off 720 * the handshake, but keep the various buffers active. 721 * 722 * Calls SSLfatal as required. 723 */ 724 return tls_finish_handshake(s, wst, 0, 0); 725 } if (SSL_IS_DTLS(s)) { 726 /* 727 * We're into the last flight. We don't retransmit the last flight 728 * unless we need to, so we don't use the timer 729 */ 730 st->use_timer = 0; 731 } 732 break; 733 734 case TLS_ST_SW_CHANGE: 735 if (SSL_IS_TLS13(s)) 736 break; 737 s->session->cipher = s->s3->tmp.new_cipher; 738 if (!s->method->ssl3_enc->setup_key_block(s)) { 739 /* SSLfatal() already called */ 740 return WORK_ERROR; 741 } 742 if (SSL_IS_DTLS(s)) { 743 /* 744 * We're into the last flight. We don't retransmit the last flight 745 * unless we need to, so we don't use the timer. This might have 746 * already been set to 0 if we sent a NewSessionTicket message, 747 * but we'll set it again here in case we didn't. 748 */ 749 st->use_timer = 0; 750 } 751 return WORK_FINISHED_CONTINUE; 752 753 case TLS_ST_EARLY_DATA: 754 if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING 755 && (s->s3->flags & TLS1_FLAGS_STATELESS) == 0) 756 return WORK_FINISHED_CONTINUE; 757 /* Fall through */ 758 759 case TLS_ST_OK: 760 /* Calls SSLfatal() as required */ 761 return tls_finish_handshake(s, wst, 1, 1); 762 } 763 764 return WORK_FINISHED_CONTINUE; 765 } 766 767 static ossl_inline int conn_is_closed(void) 768 { 769 switch (get_last_sys_error()) { 770 #if defined(EPIPE) 771 case EPIPE: 772 return 1; 773 #endif 774 #if defined(ECONNRESET) 775 case ECONNRESET: 776 return 1; 777 #endif 778 default: 779 return 0; 780 } 781 } 782 783 /* 784 * Perform any work that needs to be done after sending a message from the 785 * server to the client. 786 */ 787 WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) 788 { 789 OSSL_STATEM *st = &s->statem; 790 791 s->init_num = 0; 792 793 switch (st->hand_state) { 794 default: 795 /* No post work to be done */ 796 break; 797 798 case TLS_ST_SW_HELLO_REQ: 799 if (statem_flush(s) != 1) 800 return WORK_MORE_A; 801 if (!ssl3_init_finished_mac(s)) { 802 /* SSLfatal() already called */ 803 return WORK_ERROR; 804 } 805 break; 806 807 case DTLS_ST_SW_HELLO_VERIFY_REQUEST: 808 if (statem_flush(s) != 1) 809 return WORK_MORE_A; 810 /* HelloVerifyRequest resets Finished MAC */ 811 if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) { 812 /* SSLfatal() already called */ 813 return WORK_ERROR; 814 } 815 /* 816 * The next message should be another ClientHello which we need to 817 * treat like it was the first packet 818 */ 819 s->first_packet = 1; 820 break; 821 822 case TLS_ST_SW_SRVR_HELLO: 823 if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) { 824 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0 825 && statem_flush(s) != 1) 826 return WORK_MORE_A; 827 break; 828 } 829 #ifndef OPENSSL_NO_SCTP 830 if (SSL_IS_DTLS(s) && s->hit) { 831 unsigned char sctpauthkey[64]; 832 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 833 834 /* 835 * Add new shared key for SCTP-Auth, will be ignored if no 836 * SCTP used. 837 */ 838 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 839 sizeof(DTLS1_SCTP_AUTH_LABEL)); 840 841 if (SSL_export_keying_material(s, sctpauthkey, 842 sizeof(sctpauthkey), labelbuffer, 843 sizeof(labelbuffer), NULL, 0, 844 0) <= 0) { 845 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 846 SSL_F_OSSL_STATEM_SERVER_POST_WORK, 847 ERR_R_INTERNAL_ERROR); 848 return WORK_ERROR; 849 } 850 851 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 852 sizeof(sctpauthkey), sctpauthkey); 853 } 854 #endif 855 if (!SSL_IS_TLS13(s) 856 || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 857 && s->hello_retry_request != SSL_HRR_COMPLETE)) 858 break; 859 /* Fall through */ 860 861 case TLS_ST_SW_CHANGE: 862 if (s->hello_retry_request == SSL_HRR_PENDING) { 863 if (!statem_flush(s)) 864 return WORK_MORE_A; 865 break; 866 } 867 868 if (SSL_IS_TLS13(s)) { 869 if (!s->method->ssl3_enc->setup_key_block(s) 870 || !s->method->ssl3_enc->change_cipher_state(s, 871 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) { 872 /* SSLfatal() already called */ 873 return WORK_ERROR; 874 } 875 876 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED 877 && !s->method->ssl3_enc->change_cipher_state(s, 878 SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) { 879 /* SSLfatal() already called */ 880 return WORK_ERROR; 881 } 882 /* 883 * We don't yet know whether the next record we are going to receive 884 * is an unencrypted alert, an encrypted alert, or an encrypted 885 * handshake message. We temporarily tolerate unencrypted alerts. 886 */ 887 s->statem.enc_read_state = ENC_READ_STATE_ALLOW_PLAIN_ALERTS; 888 break; 889 } 890 891 #ifndef OPENSSL_NO_SCTP 892 if (SSL_IS_DTLS(s) && !s->hit) { 893 /* 894 * Change to new shared key of SCTP-Auth, will be ignored if 895 * no SCTP used. 896 */ 897 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 898 0, NULL); 899 } 900 #endif 901 if (!s->method->ssl3_enc->change_cipher_state(s, 902 SSL3_CHANGE_CIPHER_SERVER_WRITE)) 903 { 904 /* SSLfatal() already called */ 905 return WORK_ERROR; 906 } 907 908 if (SSL_IS_DTLS(s)) 909 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 910 break; 911 912 case TLS_ST_SW_SRVR_DONE: 913 if (statem_flush(s) != 1) 914 return WORK_MORE_A; 915 break; 916 917 case TLS_ST_SW_FINISHED: 918 if (statem_flush(s) != 1) 919 return WORK_MORE_A; 920 #ifndef OPENSSL_NO_SCTP 921 if (SSL_IS_DTLS(s) && s->hit) { 922 /* 923 * Change to new shared key of SCTP-Auth, will be ignored if 924 * no SCTP used. 925 */ 926 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 927 0, NULL); 928 } 929 #endif 930 if (SSL_IS_TLS13(s)) { 931 if (!s->method->ssl3_enc->generate_master_secret(s, 932 s->master_secret, s->handshake_secret, 0, 933 &s->session->master_key_length) 934 || !s->method->ssl3_enc->change_cipher_state(s, 935 SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE)) 936 /* SSLfatal() already called */ 937 return WORK_ERROR; 938 } 939 break; 940 941 case TLS_ST_SW_CERT_REQ: 942 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { 943 if (statem_flush(s) != 1) 944 return WORK_MORE_A; 945 } 946 break; 947 948 case TLS_ST_SW_KEY_UPDATE: 949 if (statem_flush(s) != 1) 950 return WORK_MORE_A; 951 if (!tls13_update_key(s, 1)) { 952 /* SSLfatal() already called */ 953 return WORK_ERROR; 954 } 955 break; 956 957 case TLS_ST_SW_SESSION_TICKET: 958 clear_sys_error(); 959 if (SSL_IS_TLS13(s) && statem_flush(s) != 1) { 960 if (SSL_get_error(s, 0) == SSL_ERROR_SYSCALL 961 && conn_is_closed()) { 962 /* 963 * We ignore connection closed errors in TLSv1.3 when sending a 964 * NewSessionTicket and behave as if we were successful. This is 965 * so that we are still able to read data sent to us by a client 966 * that closes soon after the end of the handshake without 967 * waiting to read our post-handshake NewSessionTickets. 968 */ 969 s->rwstate = SSL_NOTHING; 970 break; 971 } 972 973 return WORK_MORE_A; 974 } 975 break; 976 } 977 978 return WORK_FINISHED_CONTINUE; 979 } 980 981 /* 982 * Get the message construction function and message type for sending from the 983 * server 984 * 985 * Valid return values are: 986 * 1: Success 987 * 0: Error 988 */ 989 int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, 990 confunc_f *confunc, int *mt) 991 { 992 OSSL_STATEM *st = &s->statem; 993 994 switch (st->hand_state) { 995 default: 996 /* Shouldn't happen */ 997 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 998 SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE, 999 SSL_R_BAD_HANDSHAKE_STATE); 1000 return 0; 1001 1002 case TLS_ST_SW_CHANGE: 1003 if (SSL_IS_DTLS(s)) 1004 *confunc = dtls_construct_change_cipher_spec; 1005 else 1006 *confunc = tls_construct_change_cipher_spec; 1007 *mt = SSL3_MT_CHANGE_CIPHER_SPEC; 1008 break; 1009 1010 case DTLS_ST_SW_HELLO_VERIFY_REQUEST: 1011 *confunc = dtls_construct_hello_verify_request; 1012 *mt = DTLS1_MT_HELLO_VERIFY_REQUEST; 1013 break; 1014 1015 case TLS_ST_SW_HELLO_REQ: 1016 /* No construction function needed */ 1017 *confunc = NULL; 1018 *mt = SSL3_MT_HELLO_REQUEST; 1019 break; 1020 1021 case TLS_ST_SW_SRVR_HELLO: 1022 *confunc = tls_construct_server_hello; 1023 *mt = SSL3_MT_SERVER_HELLO; 1024 break; 1025 1026 case TLS_ST_SW_CERT: 1027 *confunc = tls_construct_server_certificate; 1028 *mt = SSL3_MT_CERTIFICATE; 1029 break; 1030 1031 case TLS_ST_SW_CERT_VRFY: 1032 *confunc = tls_construct_cert_verify; 1033 *mt = SSL3_MT_CERTIFICATE_VERIFY; 1034 break; 1035 1036 1037 case TLS_ST_SW_KEY_EXCH: 1038 *confunc = tls_construct_server_key_exchange; 1039 *mt = SSL3_MT_SERVER_KEY_EXCHANGE; 1040 break; 1041 1042 case TLS_ST_SW_CERT_REQ: 1043 *confunc = tls_construct_certificate_request; 1044 *mt = SSL3_MT_CERTIFICATE_REQUEST; 1045 break; 1046 1047 case TLS_ST_SW_SRVR_DONE: 1048 *confunc = tls_construct_server_done; 1049 *mt = SSL3_MT_SERVER_DONE; 1050 break; 1051 1052 case TLS_ST_SW_SESSION_TICKET: 1053 *confunc = tls_construct_new_session_ticket; 1054 *mt = SSL3_MT_NEWSESSION_TICKET; 1055 break; 1056 1057 case TLS_ST_SW_CERT_STATUS: 1058 *confunc = tls_construct_cert_status; 1059 *mt = SSL3_MT_CERTIFICATE_STATUS; 1060 break; 1061 1062 case TLS_ST_SW_FINISHED: 1063 *confunc = tls_construct_finished; 1064 *mt = SSL3_MT_FINISHED; 1065 break; 1066 1067 case TLS_ST_EARLY_DATA: 1068 *confunc = NULL; 1069 *mt = SSL3_MT_DUMMY; 1070 break; 1071 1072 case TLS_ST_SW_ENCRYPTED_EXTENSIONS: 1073 *confunc = tls_construct_encrypted_extensions; 1074 *mt = SSL3_MT_ENCRYPTED_EXTENSIONS; 1075 break; 1076 1077 case TLS_ST_SW_KEY_UPDATE: 1078 *confunc = tls_construct_key_update; 1079 *mt = SSL3_MT_KEY_UPDATE; 1080 break; 1081 } 1082 1083 return 1; 1084 } 1085 1086 /* 1087 * Maximum size (excluding the Handshake header) of a ClientHello message, 1088 * calculated as follows: 1089 * 1090 * 2 + # client_version 1091 * 32 + # only valid length for random 1092 * 1 + # length of session_id 1093 * 32 + # maximum size for session_id 1094 * 2 + # length of cipher suites 1095 * 2^16-2 + # maximum length of cipher suites array 1096 * 1 + # length of compression_methods 1097 * 2^8-1 + # maximum length of compression methods 1098 * 2 + # length of extensions 1099 * 2^16-1 # maximum length of extensions 1100 */ 1101 #define CLIENT_HELLO_MAX_LENGTH 131396 1102 1103 #define CLIENT_KEY_EXCH_MAX_LENGTH 2048 1104 #define NEXT_PROTO_MAX_LENGTH 514 1105 1106 /* 1107 * Returns the maximum allowed length for the current message that we are 1108 * reading. Excludes the message header. 1109 */ 1110 size_t ossl_statem_server_max_message_size(SSL *s) 1111 { 1112 OSSL_STATEM *st = &s->statem; 1113 1114 switch (st->hand_state) { 1115 default: 1116 /* Shouldn't happen */ 1117 return 0; 1118 1119 case TLS_ST_SR_CLNT_HELLO: 1120 return CLIENT_HELLO_MAX_LENGTH; 1121 1122 case TLS_ST_SR_END_OF_EARLY_DATA: 1123 return END_OF_EARLY_DATA_MAX_LENGTH; 1124 1125 case TLS_ST_SR_CERT: 1126 return s->max_cert_list; 1127 1128 case TLS_ST_SR_KEY_EXCH: 1129 return CLIENT_KEY_EXCH_MAX_LENGTH; 1130 1131 case TLS_ST_SR_CERT_VRFY: 1132 return SSL3_RT_MAX_PLAIN_LENGTH; 1133 1134 #ifndef OPENSSL_NO_NEXTPROTONEG 1135 case TLS_ST_SR_NEXT_PROTO: 1136 return NEXT_PROTO_MAX_LENGTH; 1137 #endif 1138 1139 case TLS_ST_SR_CHANGE: 1140 return CCS_MAX_LENGTH; 1141 1142 case TLS_ST_SR_FINISHED: 1143 return FINISHED_MAX_LENGTH; 1144 1145 case TLS_ST_SR_KEY_UPDATE: 1146 return KEY_UPDATE_MAX_LENGTH; 1147 } 1148 } 1149 1150 /* 1151 * Process a message that the server has received from the client. 1152 */ 1153 MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) 1154 { 1155 OSSL_STATEM *st = &s->statem; 1156 1157 switch (st->hand_state) { 1158 default: 1159 /* Shouldn't happen */ 1160 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1161 SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE, 1162 ERR_R_INTERNAL_ERROR); 1163 return MSG_PROCESS_ERROR; 1164 1165 case TLS_ST_SR_CLNT_HELLO: 1166 return tls_process_client_hello(s, pkt); 1167 1168 case TLS_ST_SR_END_OF_EARLY_DATA: 1169 return tls_process_end_of_early_data(s, pkt); 1170 1171 case TLS_ST_SR_CERT: 1172 return tls_process_client_certificate(s, pkt); 1173 1174 case TLS_ST_SR_KEY_EXCH: 1175 return tls_process_client_key_exchange(s, pkt); 1176 1177 case TLS_ST_SR_CERT_VRFY: 1178 return tls_process_cert_verify(s, pkt); 1179 1180 #ifndef OPENSSL_NO_NEXTPROTONEG 1181 case TLS_ST_SR_NEXT_PROTO: 1182 return tls_process_next_proto(s, pkt); 1183 #endif 1184 1185 case TLS_ST_SR_CHANGE: 1186 return tls_process_change_cipher_spec(s, pkt); 1187 1188 case TLS_ST_SR_FINISHED: 1189 return tls_process_finished(s, pkt); 1190 1191 case TLS_ST_SR_KEY_UPDATE: 1192 return tls_process_key_update(s, pkt); 1193 1194 } 1195 } 1196 1197 /* 1198 * Perform any further processing required following the receipt of a message 1199 * from the client 1200 */ 1201 WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) 1202 { 1203 OSSL_STATEM *st = &s->statem; 1204 1205 switch (st->hand_state) { 1206 default: 1207 /* Shouldn't happen */ 1208 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1209 SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE, 1210 ERR_R_INTERNAL_ERROR); 1211 return WORK_ERROR; 1212 1213 case TLS_ST_SR_CLNT_HELLO: 1214 return tls_post_process_client_hello(s, wst); 1215 1216 case TLS_ST_SR_KEY_EXCH: 1217 return tls_post_process_client_key_exchange(s, wst); 1218 } 1219 } 1220 1221 #ifndef OPENSSL_NO_SRP 1222 /* Returns 1 on success, 0 for retryable error, -1 for fatal error */ 1223 static int ssl_check_srp_ext_ClientHello(SSL *s) 1224 { 1225 int ret; 1226 int al = SSL_AD_UNRECOGNIZED_NAME; 1227 1228 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) && 1229 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) { 1230 if (s->srp_ctx.login == NULL) { 1231 /* 1232 * RFC 5054 says SHOULD reject, we do so if There is no srp 1233 * login name 1234 */ 1235 SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, 1236 SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO, 1237 SSL_R_PSK_IDENTITY_NOT_FOUND); 1238 return -1; 1239 } else { 1240 ret = SSL_srp_server_param_with_username(s, &al); 1241 if (ret < 0) 1242 return 0; 1243 if (ret == SSL3_AL_FATAL) { 1244 SSLfatal(s, al, SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO, 1245 al == SSL_AD_UNKNOWN_PSK_IDENTITY 1246 ? SSL_R_PSK_IDENTITY_NOT_FOUND 1247 : SSL_R_CLIENTHELLO_TLSEXT); 1248 return -1; 1249 } 1250 } 1251 } 1252 return 1; 1253 } 1254 #endif 1255 1256 int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, 1257 size_t cookie_len) 1258 { 1259 /* Always use DTLS 1.0 version: see RFC 6347 */ 1260 if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION) 1261 || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len)) 1262 return 0; 1263 1264 return 1; 1265 } 1266 1267 int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) 1268 { 1269 unsigned int cookie_leni; 1270 if (s->ctx->app_gen_cookie_cb == NULL || 1271 s->ctx->app_gen_cookie_cb(s, s->d1->cookie, 1272 &cookie_leni) == 0 || 1273 cookie_leni > 255) { 1274 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, 1275 SSL_R_COOKIE_GEN_CALLBACK_FAILURE); 1276 return 0; 1277 } 1278 s->d1->cookie_len = cookie_leni; 1279 1280 if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie, 1281 s->d1->cookie_len)) { 1282 SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, 1283 ERR_R_INTERNAL_ERROR); 1284 return 0; 1285 } 1286 1287 return 1; 1288 } 1289 1290 #ifndef OPENSSL_NO_EC 1291 /*- 1292 * ssl_check_for_safari attempts to fingerprint Safari using OS X 1293 * SecureTransport using the TLS extension block in |hello|. 1294 * Safari, since 10.6, sends exactly these extensions, in this order: 1295 * SNI, 1296 * elliptic_curves 1297 * ec_point_formats 1298 * signature_algorithms (for TLSv1.2 only) 1299 * 1300 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, 1301 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. 1302 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from 1303 * 10.8..10.8.3 (which don't work). 1304 */ 1305 static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) 1306 { 1307 static const unsigned char kSafariExtensionsBlock[] = { 1308 0x00, 0x0a, /* elliptic_curves extension */ 1309 0x00, 0x08, /* 8 bytes */ 1310 0x00, 0x06, /* 6 bytes of curve ids */ 1311 0x00, 0x17, /* P-256 */ 1312 0x00, 0x18, /* P-384 */ 1313 0x00, 0x19, /* P-521 */ 1314 1315 0x00, 0x0b, /* ec_point_formats */ 1316 0x00, 0x02, /* 2 bytes */ 1317 0x01, /* 1 point format */ 1318 0x00, /* uncompressed */ 1319 /* The following is only present in TLS 1.2 */ 1320 0x00, 0x0d, /* signature_algorithms */ 1321 0x00, 0x0c, /* 12 bytes */ 1322 0x00, 0x0a, /* 10 bytes */ 1323 0x05, 0x01, /* SHA-384/RSA */ 1324 0x04, 0x01, /* SHA-256/RSA */ 1325 0x02, 0x01, /* SHA-1/RSA */ 1326 0x04, 0x03, /* SHA-256/ECDSA */ 1327 0x02, 0x03, /* SHA-1/ECDSA */ 1328 }; 1329 /* Length of the common prefix (first two extensions). */ 1330 static const size_t kSafariCommonExtensionsLength = 18; 1331 unsigned int type; 1332 PACKET sni, tmppkt; 1333 size_t ext_len; 1334 1335 tmppkt = hello->extensions; 1336 1337 if (!PACKET_forward(&tmppkt, 2) 1338 || !PACKET_get_net_2(&tmppkt, &type) 1339 || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) { 1340 return; 1341 } 1342 1343 if (type != TLSEXT_TYPE_server_name) 1344 return; 1345 1346 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ? 1347 sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength; 1348 1349 s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock, 1350 ext_len); 1351 } 1352 #endif /* !OPENSSL_NO_EC */ 1353 1354 MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) 1355 { 1356 /* |cookie| will only be initialized for DTLS. */ 1357 PACKET session_id, compression, extensions, cookie; 1358 static const unsigned char null_compression = 0; 1359 CLIENTHELLO_MSG *clienthello = NULL; 1360 1361 /* Check if this is actually an unexpected renegotiation ClientHello */ 1362 if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { 1363 if (!ossl_assert(!SSL_IS_TLS13(s))) { 1364 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, 1365 ERR_R_INTERNAL_ERROR); 1366 goto err; 1367 } 1368 if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0 1369 || (!s->s3->send_connection_binding 1370 && (s->options 1371 & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) { 1372 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); 1373 return MSG_PROCESS_FINISHED_READING; 1374 } 1375 s->renegotiate = 1; 1376 s->new_session = 1; 1377 } 1378 1379 clienthello = OPENSSL_zalloc(sizeof(*clienthello)); 1380 if (clienthello == NULL) { 1381 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, 1382 ERR_R_INTERNAL_ERROR); 1383 goto err; 1384 } 1385 1386 /* 1387 * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure. 1388 */ 1389 clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer); 1390 PACKET_null_init(&cookie); 1391 1392 if (clienthello->isv2) { 1393 unsigned int mt; 1394 1395 if (!SSL_IS_FIRST_HANDSHAKE(s) 1396 || s->hello_retry_request != SSL_HRR_NONE) { 1397 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1398 SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE); 1399 goto err; 1400 } 1401 1402 /*- 1403 * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 1404 * header is sent directly on the wire, not wrapped as a TLS 1405 * record. Our record layer just processes the message length and passes 1406 * the rest right through. Its format is: 1407 * Byte Content 1408 * 0-1 msg_length - decoded by the record layer 1409 * 2 msg_type - s->init_msg points here 1410 * 3-4 version 1411 * 5-6 cipher_spec_length 1412 * 7-8 session_id_length 1413 * 9-10 challenge_length 1414 * ... ... 1415 */ 1416 1417 if (!PACKET_get_1(pkt, &mt) 1418 || mt != SSL2_MT_CLIENT_HELLO) { 1419 /* 1420 * Should never happen. We should have tested this in the record 1421 * layer in order to have determined that this is a SSLv2 record 1422 * in the first place 1423 */ 1424 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, 1425 ERR_R_INTERNAL_ERROR); 1426 goto err; 1427 } 1428 } 1429 1430 if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) { 1431 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, 1432 SSL_R_LENGTH_TOO_SHORT); 1433 goto err; 1434 } 1435 1436 /* Parse the message and load client random. */ 1437 if (clienthello->isv2) { 1438 /* 1439 * Handle an SSLv2 backwards compatible ClientHello 1440 * Note, this is only for SSLv3+ using the backward compatible format. 1441 * Real SSLv2 is not supported, and is rejected below. 1442 */ 1443 unsigned int ciphersuite_len, session_id_len, challenge_len; 1444 PACKET challenge; 1445 1446 if (!PACKET_get_net_2(pkt, &ciphersuite_len) 1447 || !PACKET_get_net_2(pkt, &session_id_len) 1448 || !PACKET_get_net_2(pkt, &challenge_len)) { 1449 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, 1450 SSL_R_RECORD_LENGTH_MISMATCH); 1451 goto err; 1452 } 1453 1454 if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) { 1455 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1456 SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); 1457 goto err; 1458 } 1459 1460 if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites, 1461 ciphersuite_len) 1462 || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len) 1463 || !PACKET_get_sub_packet(pkt, &challenge, challenge_len) 1464 /* No extensions. */ 1465 || PACKET_remaining(pkt) != 0) { 1466 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, 1467 SSL_R_RECORD_LENGTH_MISMATCH); 1468 goto err; 1469 } 1470 clienthello->session_id_len = session_id_len; 1471 1472 /* Load the client random and compression list. We use SSL3_RANDOM_SIZE 1473 * here rather than sizeof(clienthello->random) because that is the limit 1474 * for SSLv3 and it is fixed. It won't change even if 1475 * sizeof(clienthello->random) does. 1476 */ 1477 challenge_len = challenge_len > SSL3_RANDOM_SIZE 1478 ? SSL3_RANDOM_SIZE : challenge_len; 1479 memset(clienthello->random, 0, SSL3_RANDOM_SIZE); 1480 if (!PACKET_copy_bytes(&challenge, 1481 clienthello->random + SSL3_RANDOM_SIZE - 1482 challenge_len, challenge_len) 1483 /* Advertise only null compression. */ 1484 || !PACKET_buf_init(&compression, &null_compression, 1)) { 1485 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, 1486 ERR_R_INTERNAL_ERROR); 1487 goto err; 1488 } 1489 1490 PACKET_null_init(&clienthello->extensions); 1491 } else { 1492 /* Regular ClientHello. */ 1493 if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE) 1494 || !PACKET_get_length_prefixed_1(pkt, &session_id) 1495 || !PACKET_copy_all(&session_id, clienthello->session_id, 1496 SSL_MAX_SSL_SESSION_ID_LENGTH, 1497 &clienthello->session_id_len)) { 1498 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, 1499 SSL_R_LENGTH_MISMATCH); 1500 goto err; 1501 } 1502 1503 if (SSL_IS_DTLS(s)) { 1504 if (!PACKET_get_length_prefixed_1(pkt, &cookie)) { 1505 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, 1506 SSL_R_LENGTH_MISMATCH); 1507 goto err; 1508 } 1509 if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie, 1510 DTLS1_COOKIE_LENGTH, 1511 &clienthello->dtls_cookie_len)) { 1512 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1513 SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 1514 goto err; 1515 } 1516 /* 1517 * If we require cookies and this ClientHello doesn't contain one, 1518 * just return since we do not want to allocate any memory yet. 1519 * So check cookie length... 1520 */ 1521 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { 1522 if (clienthello->dtls_cookie_len == 0) 1523 return MSG_PROCESS_FINISHED_READING; 1524 } 1525 } 1526 1527 if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) { 1528 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, 1529 SSL_R_LENGTH_MISMATCH); 1530 goto err; 1531 } 1532 1533 if (!PACKET_get_length_prefixed_1(pkt, &compression)) { 1534 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, 1535 SSL_R_LENGTH_MISMATCH); 1536 goto err; 1537 } 1538 1539 /* Could be empty. */ 1540 if (PACKET_remaining(pkt) == 0) { 1541 PACKET_null_init(&clienthello->extensions); 1542 } else { 1543 if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions) 1544 || PACKET_remaining(pkt) != 0) { 1545 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, 1546 SSL_R_LENGTH_MISMATCH); 1547 goto err; 1548 } 1549 } 1550 } 1551 1552 if (!PACKET_copy_all(&compression, clienthello->compressions, 1553 MAX_COMPRESSIONS_SIZE, 1554 &clienthello->compressions_len)) { 1555 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO, 1556 ERR_R_INTERNAL_ERROR); 1557 goto err; 1558 } 1559 1560 /* Preserve the raw extensions PACKET for later use */ 1561 extensions = clienthello->extensions; 1562 if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO, 1563 &clienthello->pre_proc_exts, 1564 &clienthello->pre_proc_exts_len, 1)) { 1565 /* SSLfatal already been called */ 1566 goto err; 1567 } 1568 s->clienthello = clienthello; 1569 1570 return MSG_PROCESS_CONTINUE_PROCESSING; 1571 1572 err: 1573 if (clienthello != NULL) 1574 OPENSSL_free(clienthello->pre_proc_exts); 1575 OPENSSL_free(clienthello); 1576 1577 return MSG_PROCESS_ERROR; 1578 } 1579 1580 static int tls_early_post_process_client_hello(SSL *s) 1581 { 1582 unsigned int j; 1583 int i, al = SSL_AD_INTERNAL_ERROR; 1584 int protverr; 1585 size_t loop; 1586 unsigned long id; 1587 #ifndef OPENSSL_NO_COMP 1588 SSL_COMP *comp = NULL; 1589 #endif 1590 const SSL_CIPHER *c; 1591 STACK_OF(SSL_CIPHER) *ciphers = NULL; 1592 STACK_OF(SSL_CIPHER) *scsvs = NULL; 1593 CLIENTHELLO_MSG *clienthello = s->clienthello; 1594 DOWNGRADE dgrd = DOWNGRADE_NONE; 1595 1596 /* Finished parsing the ClientHello, now we can start processing it */ 1597 /* Give the ClientHello callback a crack at things */ 1598 if (s->ctx->client_hello_cb != NULL) { 1599 /* A failure in the ClientHello callback terminates the connection. */ 1600 switch (s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg)) { 1601 case SSL_CLIENT_HELLO_SUCCESS: 1602 break; 1603 case SSL_CLIENT_HELLO_RETRY: 1604 s->rwstate = SSL_CLIENT_HELLO_CB; 1605 return -1; 1606 case SSL_CLIENT_HELLO_ERROR: 1607 default: 1608 SSLfatal(s, al, 1609 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1610 SSL_R_CALLBACK_FAILED); 1611 goto err; 1612 } 1613 } 1614 1615 /* Set up the client_random */ 1616 memcpy(s->s3->client_random, clienthello->random, SSL3_RANDOM_SIZE); 1617 1618 /* Choose the version */ 1619 1620 if (clienthello->isv2) { 1621 if (clienthello->legacy_version == SSL2_VERSION 1622 || (clienthello->legacy_version & 0xff00) 1623 != (SSL3_VERSION_MAJOR << 8)) { 1624 /* 1625 * This is real SSLv2 or something completely unknown. We don't 1626 * support it. 1627 */ 1628 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1629 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1630 SSL_R_UNKNOWN_PROTOCOL); 1631 goto err; 1632 } 1633 /* SSLv3/TLS */ 1634 s->client_version = clienthello->legacy_version; 1635 } 1636 /* 1637 * Do SSL/TLS version negotiation if applicable. For DTLS we just check 1638 * versions are potentially compatible. Version negotiation comes later. 1639 */ 1640 if (!SSL_IS_DTLS(s)) { 1641 protverr = ssl_choose_server_version(s, clienthello, &dgrd); 1642 } else if (s->method->version != DTLS_ANY_VERSION && 1643 DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) { 1644 protverr = SSL_R_VERSION_TOO_LOW; 1645 } else { 1646 protverr = 0; 1647 } 1648 1649 if (protverr) { 1650 if (SSL_IS_FIRST_HANDSHAKE(s)) { 1651 /* like ssl3_get_record, send alert using remote version number */ 1652 s->version = s->client_version = clienthello->legacy_version; 1653 } 1654 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1655 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr); 1656 goto err; 1657 } 1658 1659 /* TLSv1.3 specifies that a ClientHello must end on a record boundary */ 1660 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { 1661 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 1662 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1663 SSL_R_NOT_ON_RECORD_BOUNDARY); 1664 goto err; 1665 } 1666 1667 if (SSL_IS_DTLS(s)) { 1668 /* Empty cookie was already handled above by returning early. */ 1669 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { 1670 if (s->ctx->app_verify_cookie_cb != NULL) { 1671 if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie, 1672 clienthello->dtls_cookie_len) == 0) { 1673 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1674 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1675 SSL_R_COOKIE_MISMATCH); 1676 goto err; 1677 /* else cookie verification succeeded */ 1678 } 1679 /* default verification */ 1680 } else if (s->d1->cookie_len != clienthello->dtls_cookie_len 1681 || memcmp(clienthello->dtls_cookie, s->d1->cookie, 1682 s->d1->cookie_len) != 0) { 1683 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1684 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1685 SSL_R_COOKIE_MISMATCH); 1686 goto err; 1687 } 1688 s->d1->cookie_verified = 1; 1689 } 1690 if (s->method->version == DTLS_ANY_VERSION) { 1691 protverr = ssl_choose_server_version(s, clienthello, &dgrd); 1692 if (protverr != 0) { 1693 s->version = s->client_version; 1694 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, 1695 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr); 1696 goto err; 1697 } 1698 } 1699 } 1700 1701 s->hit = 0; 1702 1703 if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites, 1704 clienthello->isv2) || 1705 !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs, 1706 clienthello->isv2, 1)) { 1707 /* SSLfatal() already called */ 1708 goto err; 1709 } 1710 1711 s->s3->send_connection_binding = 0; 1712 /* Check what signalling cipher-suite values were received. */ 1713 if (scsvs != NULL) { 1714 for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) { 1715 c = sk_SSL_CIPHER_value(scsvs, i); 1716 if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) { 1717 if (s->renegotiate) { 1718 /* SCSV is fatal if renegotiating */ 1719 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1720 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1721 SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); 1722 goto err; 1723 } 1724 s->s3->send_connection_binding = 1; 1725 } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV && 1726 !ssl_check_version_downgrade(s)) { 1727 /* 1728 * This SCSV indicates that the client previously tried 1729 * a higher version. We should fail if the current version 1730 * is an unexpected downgrade, as that indicates that the first 1731 * connection may have been tampered with in order to trigger 1732 * an insecure downgrade. 1733 */ 1734 SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK, 1735 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1736 SSL_R_INAPPROPRIATE_FALLBACK); 1737 goto err; 1738 } 1739 } 1740 } 1741 1742 /* For TLSv1.3 we must select the ciphersuite *before* session resumption */ 1743 if (SSL_IS_TLS13(s)) { 1744 const SSL_CIPHER *cipher = 1745 ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 1746 1747 if (cipher == NULL) { 1748 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1749 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1750 SSL_R_NO_SHARED_CIPHER); 1751 goto err; 1752 } 1753 if (s->hello_retry_request == SSL_HRR_PENDING 1754 && (s->s3->tmp.new_cipher == NULL 1755 || s->s3->tmp.new_cipher->id != cipher->id)) { 1756 /* 1757 * A previous HRR picked a different ciphersuite to the one we 1758 * just selected. Something must have changed. 1759 */ 1760 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1761 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1762 SSL_R_BAD_CIPHER); 1763 goto err; 1764 } 1765 s->s3->tmp.new_cipher = cipher; 1766 } 1767 1768 /* We need to do this before getting the session */ 1769 if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret, 1770 SSL_EXT_CLIENT_HELLO, 1771 clienthello->pre_proc_exts, NULL, 0)) { 1772 /* SSLfatal() already called */ 1773 goto err; 1774 } 1775 1776 /* 1777 * We don't allow resumption in a backwards compatible ClientHello. 1778 * TODO(openssl-team): in TLS1.1+, session_id MUST be empty. 1779 * 1780 * Versions before 0.9.7 always allow clients to resume sessions in 1781 * renegotiation. 0.9.7 and later allow this by default, but optionally 1782 * ignore resumption requests with flag 1783 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather 1784 * than a change to default behavior so that applications relying on 1785 * this for security won't even compile against older library versions). 1786 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to 1787 * request renegotiation but not a new session (s->new_session remains 1788 * unset): for servers, this essentially just means that the 1789 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be 1790 * ignored. 1791 */ 1792 if (clienthello->isv2 || 1793 (s->new_session && 1794 (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { 1795 if (!ssl_get_new_session(s, 1)) { 1796 /* SSLfatal() already called */ 1797 goto err; 1798 } 1799 } else { 1800 i = ssl_get_prev_session(s, clienthello); 1801 if (i == 1) { 1802 /* previous session */ 1803 s->hit = 1; 1804 } else if (i == -1) { 1805 /* SSLfatal() already called */ 1806 goto err; 1807 } else { 1808 /* i == 0 */ 1809 if (!ssl_get_new_session(s, 1)) { 1810 /* SSLfatal() already called */ 1811 goto err; 1812 } 1813 } 1814 } 1815 1816 if (SSL_IS_TLS13(s)) { 1817 memcpy(s->tmp_session_id, s->clienthello->session_id, 1818 s->clienthello->session_id_len); 1819 s->tmp_session_id_len = s->clienthello->session_id_len; 1820 } 1821 1822 /* 1823 * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check 1824 * ciphersuite compatibility with the session as part of resumption. 1825 */ 1826 if (!SSL_IS_TLS13(s) && s->hit) { 1827 j = 0; 1828 id = s->session->cipher->id; 1829 1830 #ifdef CIPHER_DEBUG 1831 fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers)); 1832 #endif 1833 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 1834 c = sk_SSL_CIPHER_value(ciphers, i); 1835 #ifdef CIPHER_DEBUG 1836 fprintf(stderr, "client [%2d of %2d]:%s\n", 1837 i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c)); 1838 #endif 1839 if (c->id == id) { 1840 j = 1; 1841 break; 1842 } 1843 } 1844 if (j == 0) { 1845 /* 1846 * we need to have the cipher in the cipher list if we are asked 1847 * to reuse it 1848 */ 1849 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1850 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1851 SSL_R_REQUIRED_CIPHER_MISSING); 1852 goto err; 1853 } 1854 } 1855 1856 for (loop = 0; loop < clienthello->compressions_len; loop++) { 1857 if (clienthello->compressions[loop] == 0) 1858 break; 1859 } 1860 1861 if (loop >= clienthello->compressions_len) { 1862 /* no compress */ 1863 SSLfatal(s, SSL_AD_DECODE_ERROR, 1864 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1865 SSL_R_NO_COMPRESSION_SPECIFIED); 1866 goto err; 1867 } 1868 1869 #ifndef OPENSSL_NO_EC 1870 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) 1871 ssl_check_for_safari(s, clienthello); 1872 #endif /* !OPENSSL_NO_EC */ 1873 1874 /* TLS extensions */ 1875 if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO, 1876 clienthello->pre_proc_exts, NULL, 0, 1)) { 1877 /* SSLfatal() already called */ 1878 goto err; 1879 } 1880 1881 /* 1882 * Check if we want to use external pre-shared secret for this handshake 1883 * for not reused session only. We need to generate server_random before 1884 * calling tls_session_secret_cb in order to allow SessionTicket 1885 * processing to use it in key derivation. 1886 */ 1887 { 1888 unsigned char *pos; 1889 pos = s->s3->server_random; 1890 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) { 1891 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1892 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1893 ERR_R_INTERNAL_ERROR); 1894 goto err; 1895 } 1896 } 1897 1898 if (!s->hit 1899 && s->version >= TLS1_VERSION 1900 && !SSL_IS_TLS13(s) 1901 && !SSL_IS_DTLS(s) 1902 && s->ext.session_secret_cb) { 1903 const SSL_CIPHER *pref_cipher = NULL; 1904 /* 1905 * s->session->master_key_length is a size_t, but this is an int for 1906 * backwards compat reasons 1907 */ 1908 int master_key_length; 1909 1910 master_key_length = sizeof(s->session->master_key); 1911 if (s->ext.session_secret_cb(s, s->session->master_key, 1912 &master_key_length, ciphers, 1913 &pref_cipher, 1914 s->ext.session_secret_cb_arg) 1915 && master_key_length > 0) { 1916 s->session->master_key_length = master_key_length; 1917 s->hit = 1; 1918 s->session->ciphers = ciphers; 1919 s->session->verify_result = X509_V_OK; 1920 1921 ciphers = NULL; 1922 1923 /* check if some cipher was preferred by call back */ 1924 if (pref_cipher == NULL) 1925 pref_cipher = ssl3_choose_cipher(s, s->session->ciphers, 1926 SSL_get_ciphers(s)); 1927 if (pref_cipher == NULL) { 1928 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1929 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1930 SSL_R_NO_SHARED_CIPHER); 1931 goto err; 1932 } 1933 1934 s->session->cipher = pref_cipher; 1935 sk_SSL_CIPHER_free(s->cipher_list); 1936 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); 1937 sk_SSL_CIPHER_free(s->cipher_list_by_id); 1938 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); 1939 } 1940 } 1941 1942 /* 1943 * Worst case, we will use the NULL compression, but if we have other 1944 * options, we will now look for them. We have complen-1 compression 1945 * algorithms from the client, starting at q. 1946 */ 1947 s->s3->tmp.new_compression = NULL; 1948 if (SSL_IS_TLS13(s)) { 1949 /* 1950 * We already checked above that the NULL compression method appears in 1951 * the list. Now we check there aren't any others (which is illegal in 1952 * a TLSv1.3 ClientHello. 1953 */ 1954 if (clienthello->compressions_len != 1) { 1955 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1956 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1957 SSL_R_INVALID_COMPRESSION_ALGORITHM); 1958 goto err; 1959 } 1960 } 1961 #ifndef OPENSSL_NO_COMP 1962 /* This only happens if we have a cache hit */ 1963 else if (s->session->compress_meth != 0) { 1964 int m, comp_id = s->session->compress_meth; 1965 unsigned int k; 1966 /* Perform sanity checks on resumed compression algorithm */ 1967 /* Can't disable compression */ 1968 if (!ssl_allow_compression(s)) { 1969 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1970 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1971 SSL_R_INCONSISTENT_COMPRESSION); 1972 goto err; 1973 } 1974 /* Look for resumed compression method */ 1975 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) { 1976 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m); 1977 if (comp_id == comp->id) { 1978 s->s3->tmp.new_compression = comp; 1979 break; 1980 } 1981 } 1982 if (s->s3->tmp.new_compression == NULL) { 1983 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1984 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1985 SSL_R_INVALID_COMPRESSION_ALGORITHM); 1986 goto err; 1987 } 1988 /* Look for resumed method in compression list */ 1989 for (k = 0; k < clienthello->compressions_len; k++) { 1990 if (clienthello->compressions[k] == comp_id) 1991 break; 1992 } 1993 if (k >= clienthello->compressions_len) { 1994 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1995 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 1996 SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); 1997 goto err; 1998 } 1999 } else if (s->hit) { 2000 comp = NULL; 2001 } else if (ssl_allow_compression(s) && s->ctx->comp_methods) { 2002 /* See if we have a match */ 2003 int m, nn, v, done = 0; 2004 unsigned int o; 2005 2006 nn = sk_SSL_COMP_num(s->ctx->comp_methods); 2007 for (m = 0; m < nn; m++) { 2008 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m); 2009 v = comp->id; 2010 for (o = 0; o < clienthello->compressions_len; o++) { 2011 if (v == clienthello->compressions[o]) { 2012 done = 1; 2013 break; 2014 } 2015 } 2016 if (done) 2017 break; 2018 } 2019 if (done) 2020 s->s3->tmp.new_compression = comp; 2021 else 2022 comp = NULL; 2023 } 2024 #else 2025 /* 2026 * If compression is disabled we'd better not try to resume a session 2027 * using compression. 2028 */ 2029 if (s->session->compress_meth != 0) { 2030 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2031 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 2032 SSL_R_INCONSISTENT_COMPRESSION); 2033 goto err; 2034 } 2035 #endif 2036 2037 /* 2038 * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher 2039 */ 2040 2041 if (!s->hit || SSL_IS_TLS13(s)) { 2042 sk_SSL_CIPHER_free(s->session->ciphers); 2043 s->session->ciphers = ciphers; 2044 if (ciphers == NULL) { 2045 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2046 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 2047 ERR_R_INTERNAL_ERROR); 2048 goto err; 2049 } 2050 ciphers = NULL; 2051 } 2052 2053 if (!s->hit) { 2054 #ifdef OPENSSL_NO_COMP 2055 s->session->compress_meth = 0; 2056 #else 2057 s->session->compress_meth = (comp == NULL) ? 0 : comp->id; 2058 #endif 2059 if (!tls1_set_server_sigalgs(s)) { 2060 /* SSLfatal() already called */ 2061 goto err; 2062 } 2063 } 2064 2065 sk_SSL_CIPHER_free(ciphers); 2066 sk_SSL_CIPHER_free(scsvs); 2067 OPENSSL_free(clienthello->pre_proc_exts); 2068 OPENSSL_free(s->clienthello); 2069 s->clienthello = NULL; 2070 return 1; 2071 err: 2072 sk_SSL_CIPHER_free(ciphers); 2073 sk_SSL_CIPHER_free(scsvs); 2074 OPENSSL_free(clienthello->pre_proc_exts); 2075 OPENSSL_free(s->clienthello); 2076 s->clienthello = NULL; 2077 2078 return 0; 2079 } 2080 2081 /* 2082 * Call the status request callback if needed. Upon success, returns 1. 2083 * Upon failure, returns 0. 2084 */ 2085 static int tls_handle_status_request(SSL *s) 2086 { 2087 s->ext.status_expected = 0; 2088 2089 /* 2090 * If status request then ask callback what to do. Note: this must be 2091 * called after servername callbacks in case the certificate has changed, 2092 * and must be called after the cipher has been chosen because this may 2093 * influence which certificate is sent 2094 */ 2095 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL 2096 && s->ctx->ext.status_cb != NULL) { 2097 int ret; 2098 2099 /* If no certificate can't return certificate status */ 2100 if (s->s3->tmp.cert != NULL) { 2101 /* 2102 * Set current certificate to one we will use so SSL_get_certificate 2103 * et al can pick it up. 2104 */ 2105 s->cert->key = s->s3->tmp.cert; 2106 ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); 2107 switch (ret) { 2108 /* We don't want to send a status request response */ 2109 case SSL_TLSEXT_ERR_NOACK: 2110 s->ext.status_expected = 0; 2111 break; 2112 /* status request response should be sent */ 2113 case SSL_TLSEXT_ERR_OK: 2114 if (s->ext.ocsp.resp) 2115 s->ext.status_expected = 1; 2116 break; 2117 /* something bad happened */ 2118 case SSL_TLSEXT_ERR_ALERT_FATAL: 2119 default: 2120 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2121 SSL_F_TLS_HANDLE_STATUS_REQUEST, 2122 SSL_R_CLIENTHELLO_TLSEXT); 2123 return 0; 2124 } 2125 } 2126 } 2127 2128 return 1; 2129 } 2130 2131 /* 2132 * Call the alpn_select callback if needed. Upon success, returns 1. 2133 * Upon failure, returns 0. 2134 */ 2135 int tls_handle_alpn(SSL *s) 2136 { 2137 const unsigned char *selected = NULL; 2138 unsigned char selected_len = 0; 2139 2140 if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) { 2141 int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len, 2142 s->s3->alpn_proposed, 2143 (unsigned int)s->s3->alpn_proposed_len, 2144 s->ctx->ext.alpn_select_cb_arg); 2145 2146 if (r == SSL_TLSEXT_ERR_OK) { 2147 OPENSSL_free(s->s3->alpn_selected); 2148 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len); 2149 if (s->s3->alpn_selected == NULL) { 2150 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN, 2151 ERR_R_INTERNAL_ERROR); 2152 return 0; 2153 } 2154 s->s3->alpn_selected_len = selected_len; 2155 #ifndef OPENSSL_NO_NEXTPROTONEG 2156 /* ALPN takes precedence over NPN. */ 2157 s->s3->npn_seen = 0; 2158 #endif 2159 2160 /* Check ALPN is consistent with session */ 2161 if (s->session->ext.alpn_selected == NULL 2162 || selected_len != s->session->ext.alpn_selected_len 2163 || memcmp(selected, s->session->ext.alpn_selected, 2164 selected_len) != 0) { 2165 /* Not consistent so can't be used for early_data */ 2166 s->ext.early_data_ok = 0; 2167 2168 if (!s->hit) { 2169 /* 2170 * This is a new session and so alpn_selected should have 2171 * been initialised to NULL. We should update it with the 2172 * selected ALPN. 2173 */ 2174 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { 2175 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2176 SSL_F_TLS_HANDLE_ALPN, 2177 ERR_R_INTERNAL_ERROR); 2178 return 0; 2179 } 2180 s->session->ext.alpn_selected = OPENSSL_memdup(selected, 2181 selected_len); 2182 if (s->session->ext.alpn_selected == NULL) { 2183 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2184 SSL_F_TLS_HANDLE_ALPN, 2185 ERR_R_INTERNAL_ERROR); 2186 return 0; 2187 } 2188 s->session->ext.alpn_selected_len = selected_len; 2189 } 2190 } 2191 2192 return 1; 2193 } else if (r != SSL_TLSEXT_ERR_NOACK) { 2194 SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, SSL_F_TLS_HANDLE_ALPN, 2195 SSL_R_NO_APPLICATION_PROTOCOL); 2196 return 0; 2197 } 2198 /* 2199 * If r == SSL_TLSEXT_ERR_NOACK then behave as if no callback was 2200 * present. 2201 */ 2202 } 2203 2204 /* Check ALPN is consistent with session */ 2205 if (s->session->ext.alpn_selected != NULL) { 2206 /* Not consistent so can't be used for early_data */ 2207 s->ext.early_data_ok = 0; 2208 } 2209 2210 return 1; 2211 } 2212 2213 WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) 2214 { 2215 const SSL_CIPHER *cipher; 2216 2217 if (wst == WORK_MORE_A) { 2218 int rv = tls_early_post_process_client_hello(s); 2219 if (rv == 0) { 2220 /* SSLfatal() was already called */ 2221 goto err; 2222 } 2223 if (rv < 0) 2224 return WORK_MORE_A; 2225 wst = WORK_MORE_B; 2226 } 2227 if (wst == WORK_MORE_B) { 2228 if (!s->hit || SSL_IS_TLS13(s)) { 2229 /* Let cert callback update server certificates if required */ 2230 if (!s->hit && s->cert->cert_cb != NULL) { 2231 int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg); 2232 if (rv == 0) { 2233 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2234 SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, 2235 SSL_R_CERT_CB_ERROR); 2236 goto err; 2237 } 2238 if (rv < 0) { 2239 s->rwstate = SSL_X509_LOOKUP; 2240 return WORK_MORE_B; 2241 } 2242 s->rwstate = SSL_NOTHING; 2243 } 2244 2245 /* In TLSv1.3 we selected the ciphersuite before resumption */ 2246 if (!SSL_IS_TLS13(s)) { 2247 cipher = 2248 ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); 2249 2250 if (cipher == NULL) { 2251 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2252 SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, 2253 SSL_R_NO_SHARED_CIPHER); 2254 goto err; 2255 } 2256 s->s3->tmp.new_cipher = cipher; 2257 } 2258 if (!s->hit) { 2259 if (!tls_choose_sigalg(s, 1)) { 2260 /* SSLfatal already called */ 2261 goto err; 2262 } 2263 /* check whether we should disable session resumption */ 2264 if (s->not_resumable_session_cb != NULL) 2265 s->session->not_resumable = 2266 s->not_resumable_session_cb(s, 2267 ((s->s3->tmp.new_cipher->algorithm_mkey 2268 & (SSL_kDHE | SSL_kECDHE)) != 0)); 2269 if (s->session->not_resumable) 2270 /* do not send a session ticket */ 2271 s->ext.ticket_expected = 0; 2272 } 2273 } else { 2274 /* Session-id reuse */ 2275 s->s3->tmp.new_cipher = s->session->cipher; 2276 } 2277 2278 /*- 2279 * we now have the following setup. 2280 * client_random 2281 * cipher_list - our preferred list of ciphers 2282 * ciphers - the clients preferred list of ciphers 2283 * compression - basically ignored right now 2284 * ssl version is set - sslv3 2285 * s->session - The ssl session has been setup. 2286 * s->hit - session reuse flag 2287 * s->s3->tmp.new_cipher- the new cipher to use. 2288 */ 2289 2290 /* 2291 * Call status_request callback if needed. Has to be done after the 2292 * certificate callbacks etc above. 2293 */ 2294 if (!tls_handle_status_request(s)) { 2295 /* SSLfatal() already called */ 2296 goto err; 2297 } 2298 /* 2299 * Call alpn_select callback if needed. Has to be done after SNI and 2300 * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3 2301 * we already did this because cipher negotiation happens earlier, and 2302 * we must handle ALPN before we decide whether to accept early_data. 2303 */ 2304 if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) { 2305 /* SSLfatal() already called */ 2306 goto err; 2307 } 2308 2309 wst = WORK_MORE_C; 2310 } 2311 #ifndef OPENSSL_NO_SRP 2312 if (wst == WORK_MORE_C) { 2313 int ret; 2314 if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) { 2315 /* 2316 * callback indicates further work to be done 2317 */ 2318 s->rwstate = SSL_X509_LOOKUP; 2319 return WORK_MORE_C; 2320 } 2321 if (ret < 0) { 2322 /* SSLfatal() already called */ 2323 goto err; 2324 } 2325 } 2326 #endif 2327 2328 return WORK_FINISHED_STOP; 2329 err: 2330 return WORK_ERROR; 2331 } 2332 2333 int tls_construct_server_hello(SSL *s, WPACKET *pkt) 2334 { 2335 int compm; 2336 size_t sl, len; 2337 int version; 2338 unsigned char *session_id; 2339 int usetls13 = SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING; 2340 2341 version = usetls13 ? TLS1_2_VERSION : s->version; 2342 if (!WPACKET_put_bytes_u16(pkt, version) 2343 /* 2344 * Random stuff. Filling of the server_random takes place in 2345 * tls_process_client_hello() 2346 */ 2347 || !WPACKET_memcpy(pkt, 2348 s->hello_retry_request == SSL_HRR_PENDING 2349 ? hrrrandom : s->s3->server_random, 2350 SSL3_RANDOM_SIZE)) { 2351 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO, 2352 ERR_R_INTERNAL_ERROR); 2353 return 0; 2354 } 2355 2356 /*- 2357 * There are several cases for the session ID to send 2358 * back in the server hello: 2359 * - For session reuse from the session cache, 2360 * we send back the old session ID. 2361 * - If stateless session reuse (using a session ticket) 2362 * is successful, we send back the client's "session ID" 2363 * (which doesn't actually identify the session). 2364 * - If it is a new session, we send back the new 2365 * session ID. 2366 * - However, if we want the new session to be single-use, 2367 * we send back a 0-length session ID. 2368 * - In TLSv1.3 we echo back the session id sent to us by the client 2369 * regardless 2370 * s->hit is non-zero in either case of session reuse, 2371 * so the following won't overwrite an ID that we're supposed 2372 * to send back. 2373 */ 2374 if (s->session->not_resumable || 2375 (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 2376 && !s->hit)) 2377 s->session->session_id_length = 0; 2378 2379 if (usetls13) { 2380 sl = s->tmp_session_id_len; 2381 session_id = s->tmp_session_id; 2382 } else { 2383 sl = s->session->session_id_length; 2384 session_id = s->session->session_id; 2385 } 2386 2387 if (sl > sizeof(s->session->session_id)) { 2388 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO, 2389 ERR_R_INTERNAL_ERROR); 2390 return 0; 2391 } 2392 2393 /* set up the compression method */ 2394 #ifdef OPENSSL_NO_COMP 2395 compm = 0; 2396 #else 2397 if (usetls13 || s->s3->tmp.new_compression == NULL) 2398 compm = 0; 2399 else 2400 compm = s->s3->tmp.new_compression->id; 2401 #endif 2402 2403 if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl) 2404 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len) 2405 || !WPACKET_put_bytes_u8(pkt, compm)) { 2406 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO, 2407 ERR_R_INTERNAL_ERROR); 2408 return 0; 2409 } 2410 2411 if (!tls_construct_extensions(s, pkt, 2412 s->hello_retry_request == SSL_HRR_PENDING 2413 ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST 2414 : (SSL_IS_TLS13(s) 2415 ? SSL_EXT_TLS1_3_SERVER_HELLO 2416 : SSL_EXT_TLS1_2_SERVER_HELLO), 2417 NULL, 0)) { 2418 /* SSLfatal() already called */ 2419 return 0; 2420 } 2421 2422 if (s->hello_retry_request == SSL_HRR_PENDING) { 2423 /* Ditch the session. We'll create a new one next time around */ 2424 SSL_SESSION_free(s->session); 2425 s->session = NULL; 2426 s->hit = 0; 2427 2428 /* 2429 * Re-initialise the Transcript Hash. We're going to prepopulate it with 2430 * a synthetic message_hash in place of ClientHello1. 2431 */ 2432 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { 2433 /* SSLfatal() already called */ 2434 return 0; 2435 } 2436 } else if (!(s->verify_mode & SSL_VERIFY_PEER) 2437 && !ssl3_digest_cached_records(s, 0)) { 2438 /* SSLfatal() already called */; 2439 return 0; 2440 } 2441 2442 return 1; 2443 } 2444 2445 int tls_construct_server_done(SSL *s, WPACKET *pkt) 2446 { 2447 if (!s->s3->tmp.cert_request) { 2448 if (!ssl3_digest_cached_records(s, 0)) { 2449 /* SSLfatal() already called */ 2450 return 0; 2451 } 2452 } 2453 return 1; 2454 } 2455 2456 int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) 2457 { 2458 #ifndef OPENSSL_NO_DH 2459 EVP_PKEY *pkdh = NULL; 2460 #endif 2461 #ifndef OPENSSL_NO_EC 2462 unsigned char *encodedPoint = NULL; 2463 size_t encodedlen = 0; 2464 int curve_id = 0; 2465 #endif 2466 const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg; 2467 int i; 2468 unsigned long type; 2469 const BIGNUM *r[4]; 2470 EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); 2471 EVP_PKEY_CTX *pctx = NULL; 2472 size_t paramlen, paramoffset; 2473 2474 if (!WPACKET_get_total_written(pkt, ¶moffset)) { 2475 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2476 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2477 goto err; 2478 } 2479 2480 if (md_ctx == NULL) { 2481 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2482 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 2483 goto err; 2484 } 2485 2486 type = s->s3->tmp.new_cipher->algorithm_mkey; 2487 2488 r[0] = r[1] = r[2] = r[3] = NULL; 2489 #ifndef OPENSSL_NO_PSK 2490 /* Plain PSK or RSAPSK nothing to do */ 2491 if (type & (SSL_kPSK | SSL_kRSAPSK)) { 2492 } else 2493 #endif /* !OPENSSL_NO_PSK */ 2494 #ifndef OPENSSL_NO_DH 2495 if (type & (SSL_kDHE | SSL_kDHEPSK)) { 2496 CERT *cert = s->cert; 2497 2498 EVP_PKEY *pkdhp = NULL; 2499 DH *dh; 2500 2501 if (s->cert->dh_tmp_auto) { 2502 DH *dhp = ssl_get_auto_dh(s); 2503 pkdh = EVP_PKEY_new(); 2504 if (pkdh == NULL || dhp == NULL) { 2505 DH_free(dhp); 2506 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2507 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2508 ERR_R_INTERNAL_ERROR); 2509 goto err; 2510 } 2511 EVP_PKEY_assign_DH(pkdh, dhp); 2512 pkdhp = pkdh; 2513 } else { 2514 pkdhp = cert->dh_tmp; 2515 } 2516 if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) { 2517 DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024); 2518 pkdh = ssl_dh_to_pkey(dhp); 2519 if (pkdh == NULL) { 2520 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2521 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2522 ERR_R_INTERNAL_ERROR); 2523 goto err; 2524 } 2525 pkdhp = pkdh; 2526 } 2527 if (pkdhp == NULL) { 2528 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2529 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2530 SSL_R_MISSING_TMP_DH_KEY); 2531 goto err; 2532 } 2533 if (!ssl_security(s, SSL_SECOP_TMP_DH, 2534 EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) { 2535 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2536 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2537 SSL_R_DH_KEY_TOO_SMALL); 2538 goto err; 2539 } 2540 if (s->s3->tmp.pkey != NULL) { 2541 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2542 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2543 ERR_R_INTERNAL_ERROR); 2544 goto err; 2545 } 2546 2547 s->s3->tmp.pkey = ssl_generate_pkey(pkdhp); 2548 if (s->s3->tmp.pkey == NULL) { 2549 /* SSLfatal() already called */ 2550 goto err; 2551 } 2552 2553 dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey); 2554 if (dh == NULL) { 2555 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2556 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2557 ERR_R_INTERNAL_ERROR); 2558 goto err; 2559 } 2560 2561 EVP_PKEY_free(pkdh); 2562 pkdh = NULL; 2563 2564 DH_get0_pqg(dh, &r[0], NULL, &r[1]); 2565 DH_get0_key(dh, &r[2], NULL); 2566 } else 2567 #endif 2568 #ifndef OPENSSL_NO_EC 2569 if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { 2570 2571 if (s->s3->tmp.pkey != NULL) { 2572 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2573 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2574 ERR_R_INTERNAL_ERROR); 2575 goto err; 2576 } 2577 2578 /* Get NID of appropriate shared curve */ 2579 curve_id = tls1_shared_group(s, -2); 2580 if (curve_id == 0) { 2581 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 2582 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2583 SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 2584 goto err; 2585 } 2586 s->s3->tmp.pkey = ssl_generate_pkey_group(s, curve_id); 2587 /* Generate a new key for this curve */ 2588 if (s->s3->tmp.pkey == NULL) { 2589 /* SSLfatal() already called */ 2590 goto err; 2591 } 2592 2593 /* Encode the public key. */ 2594 encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey, 2595 &encodedPoint); 2596 if (encodedlen == 0) { 2597 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2598 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB); 2599 goto err; 2600 } 2601 2602 /* 2603 * We'll generate the serverKeyExchange message explicitly so we 2604 * can set these to NULLs 2605 */ 2606 r[0] = NULL; 2607 r[1] = NULL; 2608 r[2] = NULL; 2609 r[3] = NULL; 2610 } else 2611 #endif /* !OPENSSL_NO_EC */ 2612 #ifndef OPENSSL_NO_SRP 2613 if (type & SSL_kSRP) { 2614 if ((s->srp_ctx.N == NULL) || 2615 (s->srp_ctx.g == NULL) || 2616 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) { 2617 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2618 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2619 SSL_R_MISSING_SRP_PARAM); 2620 goto err; 2621 } 2622 r[0] = s->srp_ctx.N; 2623 r[1] = s->srp_ctx.g; 2624 r[2] = s->srp_ctx.s; 2625 r[3] = s->srp_ctx.B; 2626 } else 2627 #endif 2628 { 2629 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2630 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2631 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 2632 goto err; 2633 } 2634 2635 if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0) 2636 || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) { 2637 lu = NULL; 2638 } else if (lu == NULL) { 2639 SSLfatal(s, SSL_AD_DECODE_ERROR, 2640 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2641 goto err; 2642 } 2643 2644 #ifndef OPENSSL_NO_PSK 2645 if (type & SSL_PSK) { 2646 size_t len = (s->cert->psk_identity_hint == NULL) 2647 ? 0 : strlen(s->cert->psk_identity_hint); 2648 2649 /* 2650 * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already 2651 * checked this when we set the identity hint - but just in case 2652 */ 2653 if (len > PSK_MAX_IDENTITY_LEN 2654 || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint, 2655 len)) { 2656 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2657 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2658 ERR_R_INTERNAL_ERROR); 2659 goto err; 2660 } 2661 } 2662 #endif 2663 2664 for (i = 0; i < 4 && r[i] != NULL; i++) { 2665 unsigned char *binval; 2666 int res; 2667 2668 #ifndef OPENSSL_NO_SRP 2669 if ((i == 2) && (type & SSL_kSRP)) { 2670 res = WPACKET_start_sub_packet_u8(pkt); 2671 } else 2672 #endif 2673 res = WPACKET_start_sub_packet_u16(pkt); 2674 2675 if (!res) { 2676 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2677 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2678 ERR_R_INTERNAL_ERROR); 2679 goto err; 2680 } 2681 2682 #ifndef OPENSSL_NO_DH 2683 /*- 2684 * for interoperability with some versions of the Microsoft TLS 2685 * stack, we need to zero pad the DHE pub key to the same length 2686 * as the prime 2687 */ 2688 if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) { 2689 size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]); 2690 2691 if (len > 0) { 2692 if (!WPACKET_allocate_bytes(pkt, len, &binval)) { 2693 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2694 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2695 ERR_R_INTERNAL_ERROR); 2696 goto err; 2697 } 2698 memset(binval, 0, len); 2699 } 2700 } 2701 #endif 2702 if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval) 2703 || !WPACKET_close(pkt)) { 2704 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2705 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2706 ERR_R_INTERNAL_ERROR); 2707 goto err; 2708 } 2709 2710 BN_bn2bin(r[i], binval); 2711 } 2712 2713 #ifndef OPENSSL_NO_EC 2714 if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { 2715 /* 2716 * We only support named (not generic) curves. In this situation, the 2717 * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName] 2718 * [1 byte length of encoded point], followed by the actual encoded 2719 * point itself 2720 */ 2721 if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE) 2722 || !WPACKET_put_bytes_u8(pkt, 0) 2723 || !WPACKET_put_bytes_u8(pkt, curve_id) 2724 || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) { 2725 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2726 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2727 ERR_R_INTERNAL_ERROR); 2728 goto err; 2729 } 2730 OPENSSL_free(encodedPoint); 2731 encodedPoint = NULL; 2732 } 2733 #endif 2734 2735 /* not anonymous */ 2736 if (lu != NULL) { 2737 EVP_PKEY *pkey = s->s3->tmp.cert->privatekey; 2738 const EVP_MD *md; 2739 unsigned char *sigbytes1, *sigbytes2, *tbs; 2740 size_t siglen, tbslen; 2741 int rv; 2742 2743 if (pkey == NULL || !tls1_lookup_md(lu, &md)) { 2744 /* Should never happen */ 2745 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2746 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2747 ERR_R_INTERNAL_ERROR); 2748 goto err; 2749 } 2750 /* Get length of the parameters we have written above */ 2751 if (!WPACKET_get_length(pkt, ¶mlen)) { 2752 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2753 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2754 ERR_R_INTERNAL_ERROR); 2755 goto err; 2756 } 2757 /* send signature algorithm */ 2758 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { 2759 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2760 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2761 ERR_R_INTERNAL_ERROR); 2762 goto err; 2763 } 2764 /* 2765 * Create the signature. We don't know the actual length of the sig 2766 * until after we've created it, so we reserve enough bytes for it 2767 * up front, and then properly allocate them in the WPACKET 2768 * afterwards. 2769 */ 2770 siglen = EVP_PKEY_size(pkey); 2771 if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1) 2772 || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) { 2773 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2774 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2775 ERR_R_INTERNAL_ERROR); 2776 goto err; 2777 } 2778 if (lu->sig == EVP_PKEY_RSA_PSS) { 2779 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 2780 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) { 2781 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2782 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2783 ERR_R_EVP_LIB); 2784 goto err; 2785 } 2786 } 2787 tbslen = construct_key_exchange_tbs(s, &tbs, 2788 s->init_buf->data + paramoffset, 2789 paramlen); 2790 if (tbslen == 0) { 2791 /* SSLfatal() already called */ 2792 goto err; 2793 } 2794 rv = EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen); 2795 OPENSSL_free(tbs); 2796 if (rv <= 0 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2) 2797 || sigbytes1 != sigbytes2) { 2798 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2799 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, 2800 ERR_R_INTERNAL_ERROR); 2801 goto err; 2802 } 2803 } 2804 2805 EVP_MD_CTX_free(md_ctx); 2806 return 1; 2807 err: 2808 #ifndef OPENSSL_NO_DH 2809 EVP_PKEY_free(pkdh); 2810 #endif 2811 #ifndef OPENSSL_NO_EC 2812 OPENSSL_free(encodedPoint); 2813 #endif 2814 EVP_MD_CTX_free(md_ctx); 2815 return 0; 2816 } 2817 2818 int tls_construct_certificate_request(SSL *s, WPACKET *pkt) 2819 { 2820 if (SSL_IS_TLS13(s)) { 2821 /* Send random context when doing post-handshake auth */ 2822 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { 2823 OPENSSL_free(s->pha_context); 2824 s->pha_context_len = 32; 2825 if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL 2826 || RAND_bytes(s->pha_context, s->pha_context_len) <= 0 2827 || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { 2828 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2829 SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, 2830 ERR_R_INTERNAL_ERROR); 2831 return 0; 2832 } 2833 /* reset the handshake hash back to just after the ClientFinished */ 2834 if (!tls13_restore_handshake_digest_for_pha(s)) { 2835 /* SSLfatal() already called */ 2836 return 0; 2837 } 2838 } else { 2839 if (!WPACKET_put_bytes_u8(pkt, 0)) { 2840 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2841 SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, 2842 ERR_R_INTERNAL_ERROR); 2843 return 0; 2844 } 2845 } 2846 2847 if (!tls_construct_extensions(s, pkt, 2848 SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL, 2849 0)) { 2850 /* SSLfatal() already called */ 2851 return 0; 2852 } 2853 goto done; 2854 } 2855 2856 /* get the list of acceptable cert types */ 2857 if (!WPACKET_start_sub_packet_u8(pkt) 2858 || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) { 2859 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2860 SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); 2861 return 0; 2862 } 2863 2864 if (SSL_USE_SIGALGS(s)) { 2865 const uint16_t *psigs; 2866 size_t nl = tls12_get_psigalgs(s, 1, &psigs); 2867 2868 if (!WPACKET_start_sub_packet_u16(pkt) 2869 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) 2870 || !tls12_copy_sigalgs(s, pkt, psigs, nl) 2871 || !WPACKET_close(pkt)) { 2872 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2873 SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, 2874 ERR_R_INTERNAL_ERROR); 2875 return 0; 2876 } 2877 } 2878 2879 if (!construct_ca_names(s, pkt)) { 2880 /* SSLfatal() already called */ 2881 return 0; 2882 } 2883 2884 done: 2885 s->certreqs_sent++; 2886 s->s3->tmp.cert_request = 1; 2887 return 1; 2888 } 2889 2890 static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt) 2891 { 2892 #ifndef OPENSSL_NO_PSK 2893 unsigned char psk[PSK_MAX_PSK_LEN]; 2894 size_t psklen; 2895 PACKET psk_identity; 2896 2897 if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) { 2898 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, 2899 SSL_R_LENGTH_MISMATCH); 2900 return 0; 2901 } 2902 if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) { 2903 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, 2904 SSL_R_DATA_LENGTH_TOO_LONG); 2905 return 0; 2906 } 2907 if (s->psk_server_callback == NULL) { 2908 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, 2909 SSL_R_PSK_NO_SERVER_CB); 2910 return 0; 2911 } 2912 2913 if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) { 2914 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, 2915 ERR_R_INTERNAL_ERROR); 2916 return 0; 2917 } 2918 2919 psklen = s->psk_server_callback(s, s->session->psk_identity, 2920 psk, sizeof(psk)); 2921 2922 if (psklen > PSK_MAX_PSK_LEN) { 2923 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, 2924 ERR_R_INTERNAL_ERROR); 2925 return 0; 2926 } else if (psklen == 0) { 2927 /* 2928 * PSK related to the given identity not found 2929 */ 2930 SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, 2931 SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, 2932 SSL_R_PSK_IDENTITY_NOT_FOUND); 2933 return 0; 2934 } 2935 2936 OPENSSL_free(s->s3->tmp.psk); 2937 s->s3->tmp.psk = OPENSSL_memdup(psk, psklen); 2938 OPENSSL_cleanse(psk, psklen); 2939 2940 if (s->s3->tmp.psk == NULL) { 2941 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 2942 SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE); 2943 return 0; 2944 } 2945 2946 s->s3->tmp.psklen = psklen; 2947 2948 return 1; 2949 #else 2950 /* Should never happen */ 2951 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, 2952 ERR_R_INTERNAL_ERROR); 2953 return 0; 2954 #endif 2955 } 2956 2957 static int tls_process_cke_rsa(SSL *s, PACKET *pkt) 2958 { 2959 #ifndef OPENSSL_NO_RSA 2960 unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; 2961 int decrypt_len; 2962 unsigned char decrypt_good, version_good; 2963 size_t j, padding_len; 2964 PACKET enc_premaster; 2965 RSA *rsa = NULL; 2966 unsigned char *rsa_decrypt = NULL; 2967 int ret = 0; 2968 2969 rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey); 2970 if (rsa == NULL) { 2971 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, 2972 SSL_R_MISSING_RSA_CERTIFICATE); 2973 return 0; 2974 } 2975 2976 /* SSLv3 and pre-standard DTLS omit the length bytes. */ 2977 if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) { 2978 enc_premaster = *pkt; 2979 } else { 2980 if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster) 2981 || PACKET_remaining(pkt) != 0) { 2982 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, 2983 SSL_R_LENGTH_MISMATCH); 2984 return 0; 2985 } 2986 } 2987 2988 /* 2989 * We want to be sure that the plaintext buffer size makes it safe to 2990 * iterate over the entire size of a premaster secret 2991 * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because 2992 * their ciphertext cannot accommodate a premaster secret anyway. 2993 */ 2994 if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) { 2995 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, 2996 RSA_R_KEY_SIZE_TOO_SMALL); 2997 return 0; 2998 } 2999 3000 rsa_decrypt = OPENSSL_malloc(RSA_size(rsa)); 3001 if (rsa_decrypt == NULL) { 3002 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, 3003 ERR_R_MALLOC_FAILURE); 3004 return 0; 3005 } 3006 3007 /* 3008 * We must not leak whether a decryption failure occurs because of 3009 * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, 3010 * section 7.4.7.1). The code follows that advice of the TLS RFC and 3011 * generates a random premaster secret for the case that the decrypt 3012 * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 3013 */ 3014 3015 if (RAND_priv_bytes(rand_premaster_secret, 3016 sizeof(rand_premaster_secret)) <= 0) { 3017 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, 3018 ERR_R_INTERNAL_ERROR); 3019 goto err; 3020 } 3021 3022 /* 3023 * Decrypt with no padding. PKCS#1 padding will be removed as part of 3024 * the timing-sensitive code below. 3025 */ 3026 /* TODO(size_t): Convert this function */ 3027 decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster), 3028 PACKET_data(&enc_premaster), 3029 rsa_decrypt, rsa, RSA_NO_PADDING); 3030 if (decrypt_len < 0) { 3031 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, 3032 ERR_R_INTERNAL_ERROR); 3033 goto err; 3034 } 3035 3036 /* Check the padding. See RFC 3447, section 7.2.2. */ 3037 3038 /* 3039 * The smallest padded premaster is 11 bytes of overhead. Small keys 3040 * are publicly invalid, so this may return immediately. This ensures 3041 * PS is at least 8 bytes. 3042 */ 3043 if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) { 3044 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, 3045 SSL_R_DECRYPTION_FAILED); 3046 goto err; 3047 } 3048 3049 padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH; 3050 decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) & 3051 constant_time_eq_int_8(rsa_decrypt[1], 2); 3052 for (j = 2; j < padding_len - 1; j++) { 3053 decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]); 3054 } 3055 decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]); 3056 3057 /* 3058 * If the version in the decrypted pre-master secret is correct then 3059 * version_good will be 0xff, otherwise it'll be zero. The 3060 * Klima-Pokorny-Rosa extension of Bleichenbacher's attack 3061 * (http://eprint.iacr.org/2003/052/) exploits the version number 3062 * check as a "bad version oracle". Thus version checks are done in 3063 * constant time and are treated like any other decryption error. 3064 */ 3065 version_good = 3066 constant_time_eq_8(rsa_decrypt[padding_len], 3067 (unsigned)(s->client_version >> 8)); 3068 version_good &= 3069 constant_time_eq_8(rsa_decrypt[padding_len + 1], 3070 (unsigned)(s->client_version & 0xff)); 3071 3072 /* 3073 * The premaster secret must contain the same version number as the 3074 * ClientHello to detect version rollback attacks (strangely, the 3075 * protocol does not offer such protection for DH ciphersuites). 3076 * However, buggy clients exist that send the negotiated protocol 3077 * version instead if the server does not support the requested 3078 * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such 3079 * clients. 3080 */ 3081 if (s->options & SSL_OP_TLS_ROLLBACK_BUG) { 3082 unsigned char workaround_good; 3083 workaround_good = constant_time_eq_8(rsa_decrypt[padding_len], 3084 (unsigned)(s->version >> 8)); 3085 workaround_good &= 3086 constant_time_eq_8(rsa_decrypt[padding_len + 1], 3087 (unsigned)(s->version & 0xff)); 3088 version_good |= workaround_good; 3089 } 3090 3091 /* 3092 * Both decryption and version must be good for decrypt_good to 3093 * remain non-zero (0xff). 3094 */ 3095 decrypt_good &= version_good; 3096 3097 /* 3098 * Now copy rand_premaster_secret over from p using 3099 * decrypt_good_mask. If decryption failed, then p does not 3100 * contain valid plaintext, however, a check above guarantees 3101 * it is still sufficiently large to read from. 3102 */ 3103 for (j = 0; j < sizeof(rand_premaster_secret); j++) { 3104 rsa_decrypt[padding_len + j] = 3105 constant_time_select_8(decrypt_good, 3106 rsa_decrypt[padding_len + j], 3107 rand_premaster_secret[j]); 3108 } 3109 3110 if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len, 3111 sizeof(rand_premaster_secret), 0)) { 3112 /* SSLfatal() already called */ 3113 goto err; 3114 } 3115 3116 ret = 1; 3117 err: 3118 OPENSSL_free(rsa_decrypt); 3119 return ret; 3120 #else 3121 /* Should never happen */ 3122 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, 3123 ERR_R_INTERNAL_ERROR); 3124 return 0; 3125 #endif 3126 } 3127 3128 static int tls_process_cke_dhe(SSL *s, PACKET *pkt) 3129 { 3130 #ifndef OPENSSL_NO_DH 3131 EVP_PKEY *skey = NULL; 3132 DH *cdh; 3133 unsigned int i; 3134 BIGNUM *pub_key; 3135 const unsigned char *data; 3136 EVP_PKEY *ckey = NULL; 3137 int ret = 0; 3138 3139 if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) { 3140 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, 3141 SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); 3142 goto err; 3143 } 3144 skey = s->s3->tmp.pkey; 3145 if (skey == NULL) { 3146 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, 3147 SSL_R_MISSING_TMP_DH_KEY); 3148 goto err; 3149 } 3150 3151 if (PACKET_remaining(pkt) == 0L) { 3152 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, 3153 SSL_R_MISSING_TMP_DH_KEY); 3154 goto err; 3155 } 3156 if (!PACKET_get_bytes(pkt, &data, i)) { 3157 /* We already checked we have enough data */ 3158 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, 3159 ERR_R_INTERNAL_ERROR); 3160 goto err; 3161 } 3162 ckey = EVP_PKEY_new(); 3163 if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) { 3164 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, 3165 SSL_R_BN_LIB); 3166 goto err; 3167 } 3168 3169 cdh = EVP_PKEY_get0_DH(ckey); 3170 pub_key = BN_bin2bn(data, i, NULL); 3171 if (pub_key == NULL || cdh == NULL || !DH_set0_key(cdh, pub_key, NULL)) { 3172 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, 3173 ERR_R_INTERNAL_ERROR); 3174 BN_free(pub_key); 3175 goto err; 3176 } 3177 3178 if (ssl_derive(s, skey, ckey, 1) == 0) { 3179 /* SSLfatal() already called */ 3180 goto err; 3181 } 3182 3183 ret = 1; 3184 EVP_PKEY_free(s->s3->tmp.pkey); 3185 s->s3->tmp.pkey = NULL; 3186 err: 3187 EVP_PKEY_free(ckey); 3188 return ret; 3189 #else 3190 /* Should never happen */ 3191 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE, 3192 ERR_R_INTERNAL_ERROR); 3193 return 0; 3194 #endif 3195 } 3196 3197 static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt) 3198 { 3199 #ifndef OPENSSL_NO_EC 3200 EVP_PKEY *skey = s->s3->tmp.pkey; 3201 EVP_PKEY *ckey = NULL; 3202 int ret = 0; 3203 3204 if (PACKET_remaining(pkt) == 0L) { 3205 /* We don't support ECDH client auth */ 3206 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_CKE_ECDHE, 3207 SSL_R_MISSING_TMP_ECDH_KEY); 3208 goto err; 3209 } else { 3210 unsigned int i; 3211 const unsigned char *data; 3212 3213 /* 3214 * Get client's public key from encoded point in the 3215 * ClientKeyExchange message. 3216 */ 3217 3218 /* Get encoded point length */ 3219 if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i) 3220 || PACKET_remaining(pkt) != 0) { 3221 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE, 3222 SSL_R_LENGTH_MISMATCH); 3223 goto err; 3224 } 3225 ckey = EVP_PKEY_new(); 3226 if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) { 3227 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE, 3228 ERR_R_EVP_LIB); 3229 goto err; 3230 } 3231 if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) { 3232 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE, 3233 ERR_R_EC_LIB); 3234 goto err; 3235 } 3236 } 3237 3238 if (ssl_derive(s, skey, ckey, 1) == 0) { 3239 /* SSLfatal() already called */ 3240 goto err; 3241 } 3242 3243 ret = 1; 3244 EVP_PKEY_free(s->s3->tmp.pkey); 3245 s->s3->tmp.pkey = NULL; 3246 err: 3247 EVP_PKEY_free(ckey); 3248 3249 return ret; 3250 #else 3251 /* Should never happen */ 3252 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE, 3253 ERR_R_INTERNAL_ERROR); 3254 return 0; 3255 #endif 3256 } 3257 3258 static int tls_process_cke_srp(SSL *s, PACKET *pkt) 3259 { 3260 #ifndef OPENSSL_NO_SRP 3261 unsigned int i; 3262 const unsigned char *data; 3263 3264 if (!PACKET_get_net_2(pkt, &i) 3265 || !PACKET_get_bytes(pkt, &data, i)) { 3266 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_SRP, 3267 SSL_R_BAD_SRP_A_LENGTH); 3268 return 0; 3269 } 3270 if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) { 3271 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP, 3272 ERR_R_BN_LIB); 3273 return 0; 3274 } 3275 if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) { 3276 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CKE_SRP, 3277 SSL_R_BAD_SRP_PARAMETERS); 3278 return 0; 3279 } 3280 OPENSSL_free(s->session->srp_username); 3281 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); 3282 if (s->session->srp_username == NULL) { 3283 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP, 3284 ERR_R_MALLOC_FAILURE); 3285 return 0; 3286 } 3287 3288 if (!srp_generate_server_master_secret(s)) { 3289 /* SSLfatal() already called */ 3290 return 0; 3291 } 3292 3293 return 1; 3294 #else 3295 /* Should never happen */ 3296 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP, 3297 ERR_R_INTERNAL_ERROR); 3298 return 0; 3299 #endif 3300 } 3301 3302 static int tls_process_cke_gost(SSL *s, PACKET *pkt) 3303 { 3304 #ifndef OPENSSL_NO_GOST 3305 EVP_PKEY_CTX *pkey_ctx; 3306 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; 3307 unsigned char premaster_secret[32]; 3308 const unsigned char *start; 3309 size_t outlen = 32, inlen; 3310 unsigned long alg_a; 3311 unsigned int asn1id, asn1len; 3312 int ret = 0; 3313 PACKET encdata; 3314 3315 /* Get our certificate private key */ 3316 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 3317 if (alg_a & SSL_aGOST12) { 3318 /* 3319 * New GOST ciphersuites have SSL_aGOST01 bit too 3320 */ 3321 pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey; 3322 if (pk == NULL) { 3323 pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey; 3324 } 3325 if (pk == NULL) { 3326 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; 3327 } 3328 } else if (alg_a & SSL_aGOST01) { 3329 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; 3330 } 3331 3332 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL); 3333 if (pkey_ctx == NULL) { 3334 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, 3335 ERR_R_MALLOC_FAILURE); 3336 return 0; 3337 } 3338 if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) { 3339 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, 3340 ERR_R_INTERNAL_ERROR); 3341 return 0; 3342 } 3343 /* 3344 * If client certificate is present and is of the same type, maybe 3345 * use it for key exchange. Don't mind errors from 3346 * EVP_PKEY_derive_set_peer, because it is completely valid to use a 3347 * client certificate for authorization only. 3348 */ 3349 client_pub_pkey = X509_get0_pubkey(s->session->peer); 3350 if (client_pub_pkey) { 3351 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) 3352 ERR_clear_error(); 3353 } 3354 /* Decrypt session key */ 3355 if (!PACKET_get_1(pkt, &asn1id) 3356 || asn1id != (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED) 3357 || !PACKET_peek_1(pkt, &asn1len)) { 3358 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, 3359 SSL_R_DECRYPTION_FAILED); 3360 goto err; 3361 } 3362 if (asn1len == 0x81) { 3363 /* 3364 * Long form length. Should only be one byte of length. Anything else 3365 * isn't supported. 3366 * We did a successful peek before so this shouldn't fail 3367 */ 3368 if (!PACKET_forward(pkt, 1)) { 3369 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, 3370 SSL_R_DECRYPTION_FAILED); 3371 goto err; 3372 } 3373 } else if (asn1len >= 0x80) { 3374 /* 3375 * Indefinite length, or more than one long form length bytes. We don't 3376 * support it 3377 */ 3378 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, 3379 SSL_R_DECRYPTION_FAILED); 3380 goto err; 3381 } /* else short form length */ 3382 3383 if (!PACKET_as_length_prefixed_1(pkt, &encdata)) { 3384 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, 3385 SSL_R_DECRYPTION_FAILED); 3386 goto err; 3387 } 3388 inlen = PACKET_remaining(&encdata); 3389 start = PACKET_data(&encdata); 3390 3391 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, 3392 inlen) <= 0) { 3393 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, 3394 SSL_R_DECRYPTION_FAILED); 3395 goto err; 3396 } 3397 /* Generate master secret */ 3398 if (!ssl_generate_master_secret(s, premaster_secret, 3399 sizeof(premaster_secret), 0)) { 3400 /* SSLfatal() already called */ 3401 goto err; 3402 } 3403 /* Check if pubkey from client certificate was used */ 3404 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, 3405 NULL) > 0) 3406 s->statem.no_cert_verify = 1; 3407 3408 ret = 1; 3409 err: 3410 EVP_PKEY_CTX_free(pkey_ctx); 3411 return ret; 3412 #else 3413 /* Should never happen */ 3414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST, 3415 ERR_R_INTERNAL_ERROR); 3416 return 0; 3417 #endif 3418 } 3419 3420 MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) 3421 { 3422 unsigned long alg_k; 3423 3424 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 3425 3426 /* For PSK parse and retrieve identity, obtain PSK key */ 3427 if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) { 3428 /* SSLfatal() already called */ 3429 goto err; 3430 } 3431 3432 if (alg_k & SSL_kPSK) { 3433 /* Identity extracted earlier: should be nothing left */ 3434 if (PACKET_remaining(pkt) != 0) { 3435 SSLfatal(s, SSL_AD_DECODE_ERROR, 3436 SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, 3437 SSL_R_LENGTH_MISMATCH); 3438 goto err; 3439 } 3440 /* PSK handled by ssl_generate_master_secret */ 3441 if (!ssl_generate_master_secret(s, NULL, 0, 0)) { 3442 /* SSLfatal() already called */ 3443 goto err; 3444 } 3445 } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) { 3446 if (!tls_process_cke_rsa(s, pkt)) { 3447 /* SSLfatal() already called */ 3448 goto err; 3449 } 3450 } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { 3451 if (!tls_process_cke_dhe(s, pkt)) { 3452 /* SSLfatal() already called */ 3453 goto err; 3454 } 3455 } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { 3456 if (!tls_process_cke_ecdhe(s, pkt)) { 3457 /* SSLfatal() already called */ 3458 goto err; 3459 } 3460 } else if (alg_k & SSL_kSRP) { 3461 if (!tls_process_cke_srp(s, pkt)) { 3462 /* SSLfatal() already called */ 3463 goto err; 3464 } 3465 } else if (alg_k & SSL_kGOST) { 3466 if (!tls_process_cke_gost(s, pkt)) { 3467 /* SSLfatal() already called */ 3468 goto err; 3469 } 3470 } else { 3471 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3472 SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, 3473 SSL_R_UNKNOWN_CIPHER_TYPE); 3474 goto err; 3475 } 3476 3477 return MSG_PROCESS_CONTINUE_PROCESSING; 3478 err: 3479 #ifndef OPENSSL_NO_PSK 3480 OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen); 3481 s->s3->tmp.psk = NULL; 3482 #endif 3483 return MSG_PROCESS_ERROR; 3484 } 3485 3486 WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) 3487 { 3488 #ifndef OPENSSL_NO_SCTP 3489 if (wst == WORK_MORE_A) { 3490 if (SSL_IS_DTLS(s)) { 3491 unsigned char sctpauthkey[64]; 3492 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 3493 /* 3494 * Add new shared key for SCTP-Auth, will be ignored if no SCTP 3495 * used. 3496 */ 3497 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, 3498 sizeof(DTLS1_SCTP_AUTH_LABEL)); 3499 3500 if (SSL_export_keying_material(s, sctpauthkey, 3501 sizeof(sctpauthkey), labelbuffer, 3502 sizeof(labelbuffer), NULL, 0, 3503 0) <= 0) { 3504 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3505 SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE, 3506 ERR_R_INTERNAL_ERROR); 3507 return WORK_ERROR; 3508 } 3509 3510 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 3511 sizeof(sctpauthkey), sctpauthkey); 3512 } 3513 } 3514 #endif 3515 3516 if (s->statem.no_cert_verify || !s->session->peer) { 3517 /* 3518 * No certificate verify or no peer certificate so we no longer need 3519 * the handshake_buffer 3520 */ 3521 if (!ssl3_digest_cached_records(s, 0)) { 3522 /* SSLfatal() already called */ 3523 return WORK_ERROR; 3524 } 3525 return WORK_FINISHED_CONTINUE; 3526 } else { 3527 if (!s->s3->handshake_buffer) { 3528 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3529 SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE, 3530 ERR_R_INTERNAL_ERROR); 3531 return WORK_ERROR; 3532 } 3533 /* 3534 * For sigalgs freeze the handshake buffer. If we support 3535 * extms we've done this already so this is a no-op 3536 */ 3537 if (!ssl3_digest_cached_records(s, 1)) { 3538 /* SSLfatal() already called */ 3539 return WORK_ERROR; 3540 } 3541 } 3542 3543 return WORK_FINISHED_CONTINUE; 3544 } 3545 3546 MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) 3547 { 3548 int i; 3549 MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; 3550 X509 *x = NULL; 3551 unsigned long l; 3552 const unsigned char *certstart, *certbytes; 3553 STACK_OF(X509) *sk = NULL; 3554 PACKET spkt, context; 3555 size_t chainidx; 3556 SSL_SESSION *new_sess = NULL; 3557 3558 /* 3559 * To get this far we must have read encrypted data from the client. We no 3560 * longer tolerate unencrypted alerts. This value is ignored if less than 3561 * TLSv1.3 3562 */ 3563 s->statem.enc_read_state = ENC_READ_STATE_VALID; 3564 3565 if ((sk = sk_X509_new_null()) == NULL) { 3566 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, 3567 ERR_R_MALLOC_FAILURE); 3568 goto err; 3569 } 3570 3571 if (SSL_IS_TLS13(s) && (!PACKET_get_length_prefixed_1(pkt, &context) 3572 || (s->pha_context == NULL && PACKET_remaining(&context) != 0) 3573 || (s->pha_context != NULL && 3574 !PACKET_equal(&context, s->pha_context, s->pha_context_len)))) { 3575 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, 3576 SSL_R_INVALID_CONTEXT); 3577 goto err; 3578 } 3579 3580 if (!PACKET_get_length_prefixed_3(pkt, &spkt) 3581 || PACKET_remaining(pkt) != 0) { 3582 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, 3583 SSL_R_LENGTH_MISMATCH); 3584 goto err; 3585 } 3586 3587 for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) { 3588 if (!PACKET_get_net_3(&spkt, &l) 3589 || !PACKET_get_bytes(&spkt, &certbytes, l)) { 3590 SSLfatal(s, SSL_AD_DECODE_ERROR, 3591 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, 3592 SSL_R_CERT_LENGTH_MISMATCH); 3593 goto err; 3594 } 3595 3596 certstart = certbytes; 3597 x = d2i_X509(NULL, (const unsigned char **)&certbytes, l); 3598 if (x == NULL) { 3599 SSLfatal(s, SSL_AD_DECODE_ERROR, 3600 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB); 3601 goto err; 3602 } 3603 if (certbytes != (certstart + l)) { 3604 SSLfatal(s, SSL_AD_DECODE_ERROR, 3605 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, 3606 SSL_R_CERT_LENGTH_MISMATCH); 3607 goto err; 3608 } 3609 3610 if (SSL_IS_TLS13(s)) { 3611 RAW_EXTENSION *rawexts = NULL; 3612 PACKET extensions; 3613 3614 if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) { 3615 SSLfatal(s, SSL_AD_DECODE_ERROR, 3616 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, 3617 SSL_R_BAD_LENGTH); 3618 goto err; 3619 } 3620 if (!tls_collect_extensions(s, &extensions, 3621 SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, 3622 NULL, chainidx == 0) 3623 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, 3624 rawexts, x, chainidx, 3625 PACKET_remaining(&spkt) == 0)) { 3626 OPENSSL_free(rawexts); 3627 goto err; 3628 } 3629 OPENSSL_free(rawexts); 3630 } 3631 3632 if (!sk_X509_push(sk, x)) { 3633 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3634 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, 3635 ERR_R_MALLOC_FAILURE); 3636 goto err; 3637 } 3638 x = NULL; 3639 } 3640 3641 if (sk_X509_num(sk) <= 0) { 3642 /* TLS does not mind 0 certs returned */ 3643 if (s->version == SSL3_VERSION) { 3644 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3645 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, 3646 SSL_R_NO_CERTIFICATES_RETURNED); 3647 goto err; 3648 } 3649 /* Fail for TLS only if we required a certificate */ 3650 else if ((s->verify_mode & SSL_VERIFY_PEER) && 3651 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { 3652 SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED, 3653 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, 3654 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 3655 goto err; 3656 } 3657 /* No client certificate so digest cached records */ 3658 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) { 3659 /* SSLfatal() already called */ 3660 goto err; 3661 } 3662 } else { 3663 EVP_PKEY *pkey; 3664 i = ssl_verify_cert_chain(s, sk); 3665 if (i <= 0) { 3666 SSLfatal(s, ssl_x509err2alert(s->verify_result), 3667 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, 3668 SSL_R_CERTIFICATE_VERIFY_FAILED); 3669 goto err; 3670 } 3671 if (i > 1) { 3672 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3673 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i); 3674 goto err; 3675 } 3676 pkey = X509_get0_pubkey(sk_X509_value(sk, 0)); 3677 if (pkey == NULL) { 3678 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 3679 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, 3680 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 3681 goto err; 3682 } 3683 } 3684 3685 /* 3686 * Sessions must be immutable once they go into the session cache. Otherwise 3687 * we can get multi-thread problems. Therefore we don't "update" sessions, 3688 * we replace them with a duplicate. Here, we need to do this every time 3689 * a new certificate is received via post-handshake authentication, as the 3690 * session may have already gone into the session cache. 3691 */ 3692 3693 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { 3694 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { 3695 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3696 SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, 3697 ERR_R_MALLOC_FAILURE); 3698 goto err; 3699 } 3700 3701 SSL_SESSION_free(s->session); 3702 s->session = new_sess; 3703 } 3704 3705 X509_free(s->session->peer); 3706 s->session->peer = sk_X509_shift(sk); 3707 s->session->verify_result = s->verify_result; 3708 3709 sk_X509_pop_free(s->session->peer_chain, X509_free); 3710 s->session->peer_chain = sk; 3711 3712 /* 3713 * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE 3714 * message 3715 */ 3716 if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) { 3717 /* SSLfatal() already called */ 3718 goto err; 3719 } 3720 3721 /* 3722 * Inconsistency alert: cert_chain does *not* include the peer's own 3723 * certificate, while we do include it in statem_clnt.c 3724 */ 3725 sk = NULL; 3726 3727 /* Save the current hash state for when we receive the CertificateVerify */ 3728 if (SSL_IS_TLS13(s)) { 3729 if (!ssl_handshake_hash(s, s->cert_verify_hash, 3730 sizeof(s->cert_verify_hash), 3731 &s->cert_verify_hash_len)) { 3732 /* SSLfatal() already called */ 3733 goto err; 3734 } 3735 3736 /* Resend session tickets */ 3737 s->sent_tickets = 0; 3738 } 3739 3740 ret = MSG_PROCESS_CONTINUE_READING; 3741 3742 err: 3743 X509_free(x); 3744 sk_X509_pop_free(sk, X509_free); 3745 return ret; 3746 } 3747 3748 int tls_construct_server_certificate(SSL *s, WPACKET *pkt) 3749 { 3750 CERT_PKEY *cpk = s->s3->tmp.cert; 3751 3752 if (cpk == NULL) { 3753 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3754 SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); 3755 return 0; 3756 } 3757 3758 /* 3759 * In TLSv1.3 the certificate chain is always preceded by a 0 length context 3760 * for the server Certificate message 3761 */ 3762 if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) { 3763 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3764 SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); 3765 return 0; 3766 } 3767 if (!ssl3_output_cert_chain(s, pkt, cpk)) { 3768 /* SSLfatal() already called */ 3769 return 0; 3770 } 3771 3772 return 1; 3773 } 3774 3775 static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add, 3776 unsigned char *tick_nonce) 3777 { 3778 /* 3779 * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this 3780 * unspecified for resumed session (for simplicity). 3781 * In TLSv1.3 we reset the "time" field above, and always specify the 3782 * timeout. 3783 */ 3784 if (!WPACKET_put_bytes_u32(pkt, 3785 (s->hit && !SSL_IS_TLS13(s)) 3786 ? 0 : s->session->timeout)) { 3787 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL, 3788 ERR_R_INTERNAL_ERROR); 3789 return 0; 3790 } 3791 3792 if (SSL_IS_TLS13(s)) { 3793 if (!WPACKET_put_bytes_u32(pkt, age_add) 3794 || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) { 3795 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL, 3796 ERR_R_INTERNAL_ERROR); 3797 return 0; 3798 } 3799 } 3800 3801 /* Start the sub-packet for the actual ticket data */ 3802 if (!WPACKET_start_sub_packet_u16(pkt)) { 3803 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL, 3804 ERR_R_INTERNAL_ERROR); 3805 return 0; 3806 } 3807 3808 return 1; 3809 } 3810 3811 static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, 3812 unsigned char *tick_nonce) 3813 { 3814 unsigned char *senc = NULL; 3815 EVP_CIPHER_CTX *ctx = NULL; 3816 HMAC_CTX *hctx = NULL; 3817 unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2; 3818 const unsigned char *const_p; 3819 int len, slen_full, slen, lenfinal; 3820 SSL_SESSION *sess; 3821 unsigned int hlen; 3822 SSL_CTX *tctx = s->session_ctx; 3823 unsigned char iv[EVP_MAX_IV_LENGTH]; 3824 unsigned char key_name[TLSEXT_KEYNAME_LENGTH]; 3825 int iv_len, ok = 0; 3826 size_t macoffset, macendoffset; 3827 3828 /* get session encoding length */ 3829 slen_full = i2d_SSL_SESSION(s->session, NULL); 3830 /* 3831 * Some length values are 16 bits, so forget it if session is too 3832 * long 3833 */ 3834 if (slen_full == 0 || slen_full > 0xFF00) { 3835 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, 3836 ERR_R_INTERNAL_ERROR); 3837 goto err; 3838 } 3839 senc = OPENSSL_malloc(slen_full); 3840 if (senc == NULL) { 3841 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3842 SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_MALLOC_FAILURE); 3843 goto err; 3844 } 3845 3846 ctx = EVP_CIPHER_CTX_new(); 3847 hctx = HMAC_CTX_new(); 3848 if (ctx == NULL || hctx == NULL) { 3849 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, 3850 ERR_R_MALLOC_FAILURE); 3851 goto err; 3852 } 3853 3854 p = senc; 3855 if (!i2d_SSL_SESSION(s->session, &p)) { 3856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, 3857 ERR_R_INTERNAL_ERROR); 3858 goto err; 3859 } 3860 3861 /* 3862 * create a fresh copy (not shared with other threads) to clean up 3863 */ 3864 const_p = senc; 3865 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); 3866 if (sess == NULL) { 3867 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, 3868 ERR_R_INTERNAL_ERROR); 3869 goto err; 3870 } 3871 3872 slen = i2d_SSL_SESSION(sess, NULL); 3873 if (slen == 0 || slen > slen_full) { 3874 /* shouldn't ever happen */ 3875 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, 3876 ERR_R_INTERNAL_ERROR); 3877 SSL_SESSION_free(sess); 3878 goto err; 3879 } 3880 p = senc; 3881 if (!i2d_SSL_SESSION(sess, &p)) { 3882 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, 3883 ERR_R_INTERNAL_ERROR); 3884 SSL_SESSION_free(sess); 3885 goto err; 3886 } 3887 SSL_SESSION_free(sess); 3888 3889 /* 3890 * Initialize HMAC and cipher contexts. If callback present it does 3891 * all the work otherwise use generated values from parent ctx. 3892 */ 3893 if (tctx->ext.ticket_key_cb) { 3894 /* if 0 is returned, write an empty ticket */ 3895 int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx, 3896 hctx, 1); 3897 3898 if (ret == 0) { 3899 3900 /* Put timeout and length */ 3901 if (!WPACKET_put_bytes_u32(pkt, 0) 3902 || !WPACKET_put_bytes_u16(pkt, 0)) { 3903 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3904 SSL_F_CONSTRUCT_STATELESS_TICKET, 3905 ERR_R_INTERNAL_ERROR); 3906 goto err; 3907 } 3908 OPENSSL_free(senc); 3909 EVP_CIPHER_CTX_free(ctx); 3910 HMAC_CTX_free(hctx); 3911 return 1; 3912 } 3913 if (ret < 0) { 3914 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, 3915 SSL_R_CALLBACK_FAILED); 3916 goto err; 3917 } 3918 iv_len = EVP_CIPHER_CTX_iv_length(ctx); 3919 } else { 3920 const EVP_CIPHER *cipher = EVP_aes_256_cbc(); 3921 3922 iv_len = EVP_CIPHER_iv_length(cipher); 3923 if (RAND_bytes(iv, iv_len) <= 0 3924 || !EVP_EncryptInit_ex(ctx, cipher, NULL, 3925 tctx->ext.secure->tick_aes_key, iv) 3926 || !HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key, 3927 sizeof(tctx->ext.secure->tick_hmac_key), 3928 EVP_sha256(), NULL)) { 3929 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, 3930 ERR_R_INTERNAL_ERROR); 3931 goto err; 3932 } 3933 memcpy(key_name, tctx->ext.tick_key_name, 3934 sizeof(tctx->ext.tick_key_name)); 3935 } 3936 3937 if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) { 3938 /* SSLfatal() already called */ 3939 goto err; 3940 } 3941 3942 if (!WPACKET_get_total_written(pkt, &macoffset) 3943 /* Output key name */ 3944 || !WPACKET_memcpy(pkt, key_name, sizeof(key_name)) 3945 /* output IV */ 3946 || !WPACKET_memcpy(pkt, iv, iv_len) 3947 || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH, 3948 &encdata1) 3949 /* Encrypt session data */ 3950 || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen) 3951 || !WPACKET_allocate_bytes(pkt, len, &encdata2) 3952 || encdata1 != encdata2 3953 || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal) 3954 || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2) 3955 || encdata1 + len != encdata2 3956 || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH 3957 || !WPACKET_get_total_written(pkt, &macendoffset) 3958 || !HMAC_Update(hctx, 3959 (unsigned char *)s->init_buf->data + macoffset, 3960 macendoffset - macoffset) 3961 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1) 3962 || !HMAC_Final(hctx, macdata1, &hlen) 3963 || hlen > EVP_MAX_MD_SIZE 3964 || !WPACKET_allocate_bytes(pkt, hlen, &macdata2) 3965 || macdata1 != macdata2) { 3966 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 3967 SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_INTERNAL_ERROR); 3968 goto err; 3969 } 3970 3971 /* Close the sub-packet created by create_ticket_prequel() */ 3972 if (!WPACKET_close(pkt)) { 3973 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET, 3974 ERR_R_INTERNAL_ERROR); 3975 goto err; 3976 } 3977 3978 ok = 1; 3979 err: 3980 OPENSSL_free(senc); 3981 EVP_CIPHER_CTX_free(ctx); 3982 HMAC_CTX_free(hctx); 3983 return ok; 3984 } 3985 3986 static int construct_stateful_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, 3987 unsigned char *tick_nonce) 3988 { 3989 if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) { 3990 /* SSLfatal() already called */ 3991 return 0; 3992 } 3993 3994 if (!WPACKET_memcpy(pkt, s->session->session_id, 3995 s->session->session_id_length) 3996 || !WPACKET_close(pkt)) { 3997 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATEFUL_TICKET, 3998 ERR_R_INTERNAL_ERROR); 3999 return 0; 4000 } 4001 4002 return 1; 4003 } 4004 4005 int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) 4006 { 4007 SSL_CTX *tctx = s->session_ctx; 4008 unsigned char tick_nonce[TICKET_NONCE_SIZE]; 4009 union { 4010 unsigned char age_add_c[sizeof(uint32_t)]; 4011 uint32_t age_add; 4012 } age_add_u; 4013 4014 age_add_u.age_add = 0; 4015 4016 if (SSL_IS_TLS13(s)) { 4017 size_t i, hashlen; 4018 uint64_t nonce; 4019 static const unsigned char nonce_label[] = "resumption"; 4020 const EVP_MD *md = ssl_handshake_md(s); 4021 void (*cb) (const SSL *ssl, int type, int val) = NULL; 4022 int hashleni = EVP_MD_size(md); 4023 4024 /* Ensure cast to size_t is safe */ 4025 if (!ossl_assert(hashleni >= 0)) { 4026 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 4027 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, 4028 ERR_R_INTERNAL_ERROR); 4029 goto err; 4030 } 4031 hashlen = (size_t)hashleni; 4032 4033 if (s->info_callback != NULL) 4034 cb = s->info_callback; 4035 else if (s->ctx->info_callback != NULL) 4036 cb = s->ctx->info_callback; 4037 4038 if (cb != NULL) { 4039 /* 4040 * We don't start and stop the handshake in between each ticket when 4041 * sending more than one - but it should appear that way to the info 4042 * callback. 4043 */ 4044 if (s->sent_tickets != 0) { 4045 ossl_statem_set_in_init(s, 0); 4046 cb(s, SSL_CB_HANDSHAKE_DONE, 1); 4047 ossl_statem_set_in_init(s, 1); 4048 } 4049 cb(s, SSL_CB_HANDSHAKE_START, 1); 4050 } 4051 /* 4052 * If we already sent one NewSessionTicket, or we resumed then 4053 * s->session may already be in a cache and so we must not modify it. 4054 * Instead we need to take a copy of it and modify that. 4055 */ 4056 if (s->sent_tickets != 0 || s->hit) { 4057 SSL_SESSION *new_sess = ssl_session_dup(s->session, 0); 4058 4059 if (new_sess == NULL) { 4060 /* SSLfatal already called */ 4061 goto err; 4062 } 4063 4064 SSL_SESSION_free(s->session); 4065 s->session = new_sess; 4066 } 4067 4068 if (!ssl_generate_session_id(s, s->session)) { 4069 /* SSLfatal() already called */ 4070 goto err; 4071 } 4072 if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) { 4073 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 4074 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, 4075 ERR_R_INTERNAL_ERROR); 4076 goto err; 4077 } 4078 s->session->ext.tick_age_add = age_add_u.age_add; 4079 4080 nonce = s->next_ticket_nonce; 4081 for (i = TICKET_NONCE_SIZE; i > 0; i--) { 4082 tick_nonce[i - 1] = (unsigned char)(nonce & 0xff); 4083 nonce >>= 8; 4084 } 4085 4086 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, 4087 nonce_label, 4088 sizeof(nonce_label) - 1, 4089 tick_nonce, 4090 TICKET_NONCE_SIZE, 4091 s->session->master_key, 4092 hashlen)) { 4093 /* SSLfatal() already called */ 4094 goto err; 4095 } 4096 s->session->master_key_length = hashlen; 4097 4098 s->session->time = (long)time(NULL); 4099 if (s->s3->alpn_selected != NULL) { 4100 OPENSSL_free(s->session->ext.alpn_selected); 4101 s->session->ext.alpn_selected = 4102 OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len); 4103 if (s->session->ext.alpn_selected == NULL) { 4104 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 4105 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, 4106 ERR_R_MALLOC_FAILURE); 4107 goto err; 4108 } 4109 s->session->ext.alpn_selected_len = s->s3->alpn_selected_len; 4110 } 4111 s->session->ext.max_early_data = s->max_early_data; 4112 } 4113 4114 if (tctx->generate_ticket_cb != NULL && 4115 tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) 4116 goto err; 4117 4118 /* 4119 * If we are using anti-replay protection then we behave as if 4120 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there 4121 * is no point in using full stateless tickets. 4122 */ 4123 if (SSL_IS_TLS13(s) 4124 && ((s->options & SSL_OP_NO_TICKET) != 0 4125 || (s->max_early_data > 0 4126 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) { 4127 if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) { 4128 /* SSLfatal() already called */ 4129 goto err; 4130 } 4131 } else if (!construct_stateless_ticket(s, pkt, age_add_u.age_add, 4132 tick_nonce)) { 4133 /* SSLfatal() already called */ 4134 goto err; 4135 } 4136 4137 if (SSL_IS_TLS13(s)) { 4138 if (!tls_construct_extensions(s, pkt, 4139 SSL_EXT_TLS1_3_NEW_SESSION_TICKET, 4140 NULL, 0)) { 4141 /* SSLfatal() already called */ 4142 goto err; 4143 } 4144 /* 4145 * Increment both |sent_tickets| and |next_ticket_nonce|. |sent_tickets| 4146 * gets reset to 0 if we send more tickets following a post-handshake 4147 * auth, but |next_ticket_nonce| does not. 4148 */ 4149 s->sent_tickets++; 4150 s->next_ticket_nonce++; 4151 ssl_update_cache(s, SSL_SESS_CACHE_SERVER); 4152 } 4153 4154 return 1; 4155 err: 4156 return 0; 4157 } 4158 4159 /* 4160 * In TLSv1.3 this is called from the extensions code, otherwise it is used to 4161 * create a separate message. Returns 1 on success or 0 on failure. 4162 */ 4163 int tls_construct_cert_status_body(SSL *s, WPACKET *pkt) 4164 { 4165 if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type) 4166 || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp, 4167 s->ext.ocsp.resp_len)) { 4168 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY, 4169 ERR_R_INTERNAL_ERROR); 4170 return 0; 4171 } 4172 4173 return 1; 4174 } 4175 4176 int tls_construct_cert_status(SSL *s, WPACKET *pkt) 4177 { 4178 if (!tls_construct_cert_status_body(s, pkt)) { 4179 /* SSLfatal() already called */ 4180 return 0; 4181 } 4182 4183 return 1; 4184 } 4185 4186 #ifndef OPENSSL_NO_NEXTPROTONEG 4187 /* 4188 * tls_process_next_proto reads a Next Protocol Negotiation handshake message. 4189 * It sets the next_proto member in s if found 4190 */ 4191 MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) 4192 { 4193 PACKET next_proto, padding; 4194 size_t next_proto_len; 4195 4196 /*- 4197 * The payload looks like: 4198 * uint8 proto_len; 4199 * uint8 proto[proto_len]; 4200 * uint8 padding_len; 4201 * uint8 padding[padding_len]; 4202 */ 4203 if (!PACKET_get_length_prefixed_1(pkt, &next_proto) 4204 || !PACKET_get_length_prefixed_1(pkt, &padding) 4205 || PACKET_remaining(pkt) > 0) { 4206 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO, 4207 SSL_R_LENGTH_MISMATCH); 4208 return MSG_PROCESS_ERROR; 4209 } 4210 4211 if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) { 4212 s->ext.npn_len = 0; 4213 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO, 4214 ERR_R_INTERNAL_ERROR); 4215 return MSG_PROCESS_ERROR; 4216 } 4217 4218 s->ext.npn_len = (unsigned char)next_proto_len; 4219 4220 return MSG_PROCESS_CONTINUE_READING; 4221 } 4222 #endif 4223 4224 static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt) 4225 { 4226 if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, 4227 NULL, 0)) { 4228 /* SSLfatal() already called */ 4229 return 0; 4230 } 4231 4232 return 1; 4233 } 4234 4235 MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt) 4236 { 4237 if (PACKET_remaining(pkt) != 0) { 4238 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, 4239 SSL_R_LENGTH_MISMATCH); 4240 return MSG_PROCESS_ERROR; 4241 } 4242 4243 if (s->early_data_state != SSL_EARLY_DATA_READING 4244 && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) { 4245 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, 4246 ERR_R_INTERNAL_ERROR); 4247 return MSG_PROCESS_ERROR; 4248 } 4249 4250 /* 4251 * EndOfEarlyData signals a key change so the end of the message must be on 4252 * a record boundary. 4253 */ 4254 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { 4255 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 4256 SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, 4257 SSL_R_NOT_ON_RECORD_BOUNDARY); 4258 return MSG_PROCESS_ERROR; 4259 } 4260 4261 s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; 4262 if (!s->method->ssl3_enc->change_cipher_state(s, 4263 SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) { 4264 /* SSLfatal() already called */ 4265 return MSG_PROCESS_ERROR; 4266 } 4267 4268 return MSG_PROCESS_CONTINUE_READING; 4269 } 4270