statem_srvr.c 135 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. * Copyright 2005 Nokia. All rights reserved.
  5. *
  6. * Licensed under the OpenSSL license (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #include <stdio.h>
  12. #include "../ssl_locl.h"
  13. #include "statem_locl.h"
  14. #include "internal/constant_time_locl.h"
  15. #include "internal/cryptlib.h"
  16. #include <openssl/buffer.h>
  17. #include <openssl/rand.h>
  18. #include <openssl/objects.h>
  19. #include <openssl/evp.h>
  20. #include <openssl/hmac.h>
  21. #include <openssl/x509.h>
  22. #include <openssl/dh.h>
  23. #include <openssl/bn.h>
  24. #include <openssl/md5.h>
  25. static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
  26. /*
  27. * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
  28. * handshake state transitions when a TLSv1.3 server is reading messages from
  29. * the client. The message type that the client has sent is provided in |mt|.
  30. * The current state is in |s->statem.hand_state|.
  31. *
  32. * Return values are 1 for success (transition allowed) and 0 on error
  33. * (transition not allowed)
  34. */
  35. static int ossl_statem_server13_read_transition(SSL *s, int mt)
  36. {
  37. OSSL_STATEM *st = &s->statem;
  38. /*
  39. * Note: There is no case for TLS_ST_BEFORE because at that stage we have
  40. * not negotiated TLSv1.3 yet, so that case is handled by
  41. * ossl_statem_server_read_transition()
  42. */
  43. switch (st->hand_state) {
  44. default:
  45. break;
  46. case TLS_ST_EARLY_DATA:
  47. if (s->hello_retry_request == SSL_HRR_PENDING) {
  48. if (mt == SSL3_MT_CLIENT_HELLO) {
  49. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  50. return 1;
  51. }
  52. break;
  53. } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
  54. if (mt == SSL3_MT_END_OF_EARLY_DATA) {
  55. st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
  56. return 1;
  57. }
  58. break;
  59. }
  60. /* Fall through */
  61. case TLS_ST_SR_END_OF_EARLY_DATA:
  62. case TLS_ST_SW_FINISHED:
  63. if (s->s3->tmp.cert_request) {
  64. if (mt == SSL3_MT_CERTIFICATE) {
  65. st->hand_state = TLS_ST_SR_CERT;
  66. return 1;
  67. }
  68. } else {
  69. if (mt == SSL3_MT_FINISHED) {
  70. st->hand_state = TLS_ST_SR_FINISHED;
  71. return 1;
  72. }
  73. }
  74. break;
  75. case TLS_ST_SR_CERT:
  76. if (s->session->peer == NULL) {
  77. if (mt == SSL3_MT_FINISHED) {
  78. st->hand_state = TLS_ST_SR_FINISHED;
  79. return 1;
  80. }
  81. } else {
  82. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  83. st->hand_state = TLS_ST_SR_CERT_VRFY;
  84. return 1;
  85. }
  86. }
  87. break;
  88. case TLS_ST_SR_CERT_VRFY:
  89. if (mt == SSL3_MT_FINISHED) {
  90. st->hand_state = TLS_ST_SR_FINISHED;
  91. return 1;
  92. }
  93. break;
  94. case TLS_ST_OK:
  95. /*
  96. * Its never ok to start processing handshake messages in the middle of
  97. * early data (i.e. before we've received the end of early data alert)
  98. */
  99. if (s->early_data_state == SSL_EARLY_DATA_READING)
  100. break;
  101. if (mt == SSL3_MT_CERTIFICATE
  102. && s->post_handshake_auth == SSL_PHA_REQUESTED) {
  103. st->hand_state = TLS_ST_SR_CERT;
  104. return 1;
  105. }
  106. if (mt == SSL3_MT_KEY_UPDATE) {
  107. st->hand_state = TLS_ST_SR_KEY_UPDATE;
  108. return 1;
  109. }
  110. break;
  111. }
  112. /* No valid transition found */
  113. return 0;
  114. }
  115. /*
  116. * ossl_statem_server_read_transition() encapsulates the logic for the allowed
  117. * handshake state transitions when the server is reading messages from the
  118. * client. The message type that the client has sent is provided in |mt|. The
  119. * current state is in |s->statem.hand_state|.
  120. *
  121. * Return values are 1 for success (transition allowed) and 0 on error
  122. * (transition not allowed)
  123. */
  124. int ossl_statem_server_read_transition(SSL *s, int mt)
  125. {
  126. OSSL_STATEM *st = &s->statem;
  127. if (SSL_IS_TLS13(s)) {
  128. if (!ossl_statem_server13_read_transition(s, mt))
  129. goto err;
  130. return 1;
  131. }
  132. switch (st->hand_state) {
  133. default:
  134. break;
  135. case TLS_ST_BEFORE:
  136. case TLS_ST_OK:
  137. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  138. if (mt == SSL3_MT_CLIENT_HELLO) {
  139. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  140. return 1;
  141. }
  142. break;
  143. case TLS_ST_SW_SRVR_DONE:
  144. /*
  145. * If we get a CKE message after a ServerDone then either
  146. * 1) We didn't request a Certificate
  147. * OR
  148. * 2) If we did request one then
  149. * a) We allow no Certificate to be returned
  150. * AND
  151. * b) We are running SSL3 (in TLS1.0+ the client must return a 0
  152. * list if we requested a certificate)
  153. */
  154. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  155. if (s->s3->tmp.cert_request) {
  156. if (s->version == SSL3_VERSION) {
  157. if ((s->verify_mode & SSL_VERIFY_PEER)
  158. && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  159. /*
  160. * This isn't an unexpected message as such - we're just
  161. * not going to accept it because we require a client
  162. * cert.
  163. */
  164. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  165. SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
  166. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  167. return 0;
  168. }
  169. st->hand_state = TLS_ST_SR_KEY_EXCH;
  170. return 1;
  171. }
  172. } else {
  173. st->hand_state = TLS_ST_SR_KEY_EXCH;
  174. return 1;
  175. }
  176. } else if (s->s3->tmp.cert_request) {
  177. if (mt == SSL3_MT_CERTIFICATE) {
  178. st->hand_state = TLS_ST_SR_CERT;
  179. return 1;
  180. }
  181. }
  182. break;
  183. case TLS_ST_SR_CERT:
  184. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  185. st->hand_state = TLS_ST_SR_KEY_EXCH;
  186. return 1;
  187. }
  188. break;
  189. case TLS_ST_SR_KEY_EXCH:
  190. /*
  191. * We should only process a CertificateVerify message if we have
  192. * received a Certificate from the client. If so then |s->session->peer|
  193. * will be non NULL. In some instances a CertificateVerify message is
  194. * not required even if the peer has sent a Certificate (e.g. such as in
  195. * the case of static DH). In that case |st->no_cert_verify| should be
  196. * set.
  197. */
  198. if (s->session->peer == NULL || st->no_cert_verify) {
  199. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  200. /*
  201. * For the ECDH ciphersuites when the client sends its ECDH
  202. * pub key in a certificate, the CertificateVerify message is
  203. * not sent. Also for GOST ciphersuites when the client uses
  204. * its key from the certificate for key exchange.
  205. */
  206. st->hand_state = TLS_ST_SR_CHANGE;
  207. return 1;
  208. }
  209. } else {
  210. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  211. st->hand_state = TLS_ST_SR_CERT_VRFY;
  212. return 1;
  213. }
  214. }
  215. break;
  216. case TLS_ST_SR_CERT_VRFY:
  217. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  218. st->hand_state = TLS_ST_SR_CHANGE;
  219. return 1;
  220. }
  221. break;
  222. case TLS_ST_SR_CHANGE:
  223. #ifndef OPENSSL_NO_NEXTPROTONEG
  224. if (s->s3->npn_seen) {
  225. if (mt == SSL3_MT_NEXT_PROTO) {
  226. st->hand_state = TLS_ST_SR_NEXT_PROTO;
  227. return 1;
  228. }
  229. } else {
  230. #endif
  231. if (mt == SSL3_MT_FINISHED) {
  232. st->hand_state = TLS_ST_SR_FINISHED;
  233. return 1;
  234. }
  235. #ifndef OPENSSL_NO_NEXTPROTONEG
  236. }
  237. #endif
  238. break;
  239. #ifndef OPENSSL_NO_NEXTPROTONEG
  240. case TLS_ST_SR_NEXT_PROTO:
  241. if (mt == SSL3_MT_FINISHED) {
  242. st->hand_state = TLS_ST_SR_FINISHED;
  243. return 1;
  244. }
  245. break;
  246. #endif
  247. case TLS_ST_SW_FINISHED:
  248. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  249. st->hand_state = TLS_ST_SR_CHANGE;
  250. return 1;
  251. }
  252. break;
  253. }
  254. err:
  255. /* No valid transition found */
  256. SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE,
  257. SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
  258. SSL_R_UNEXPECTED_MESSAGE);
  259. return 0;
  260. }
  261. /*
  262. * Should we send a ServerKeyExchange message?
  263. *
  264. * Valid return values are:
  265. * 1: Yes
  266. * 0: No
  267. */
  268. static int send_server_key_exchange(SSL *s)
  269. {
  270. unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  271. /*
  272. * only send a ServerKeyExchange if DH or fortezza but we have a
  273. * sign only certificate PSK: may send PSK identity hints For
  274. * ECC ciphersuites, we send a serverKeyExchange message only if
  275. * the cipher suite is either ECDH-anon or ECDHE. In other cases,
  276. * the server certificate contains the server's public key for
  277. * key exchange.
  278. */
  279. if (alg_k & (SSL_kDHE | SSL_kECDHE)
  280. /*
  281. * PSK: send ServerKeyExchange if PSK identity hint if
  282. * provided
  283. */
  284. #ifndef OPENSSL_NO_PSK
  285. /* Only send SKE if we have identity hint for plain PSK */
  286. || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
  287. && s->cert->psk_identity_hint)
  288. /* For other PSK always send SKE */
  289. || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
  290. #endif
  291. #ifndef OPENSSL_NO_SRP
  292. /* SRP: send ServerKeyExchange */
  293. || (alg_k & SSL_kSRP)
  294. #endif
  295. ) {
  296. return 1;
  297. }
  298. return 0;
  299. }
  300. /*
  301. * Should we send a CertificateRequest message?
  302. *
  303. * Valid return values are:
  304. * 1: Yes
  305. * 0: No
  306. */
  307. int send_certificate_request(SSL *s)
  308. {
  309. if (
  310. /* don't request cert unless asked for it: */
  311. s->verify_mode & SSL_VERIFY_PEER
  312. /*
  313. * don't request if post-handshake-only unless doing
  314. * post-handshake in TLSv1.3:
  315. */
  316. && (!SSL_IS_TLS13(s) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE)
  317. || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING)
  318. /*
  319. * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
  320. * a second time:
  321. */
  322. && (s->certreqs_sent < 1 ||
  323. !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
  324. /*
  325. * never request cert in anonymous ciphersuites (see
  326. * section "Certificate request" in SSL 3 drafts and in
  327. * RFC 2246):
  328. */
  329. && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
  330. /*
  331. * ... except when the application insists on
  332. * verification (against the specs, but statem_clnt.c accepts
  333. * this for SSL 3)
  334. */
  335. || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
  336. /* don't request certificate for SRP auth */
  337. && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
  338. /*
  339. * With normal PSK Certificates and Certificate Requests
  340. * are omitted
  341. */
  342. && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
  343. return 1;
  344. }
  345. return 0;
  346. }
  347. /*
  348. * ossl_statem_server13_write_transition() works out what handshake state to
  349. * move to next when a TLSv1.3 server is writing messages to be sent to the
  350. * client.
  351. */
  352. static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
  353. {
  354. OSSL_STATEM *st = &s->statem;
  355. /*
  356. * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
  357. * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
  358. */
  359. switch (st->hand_state) {
  360. default:
  361. /* Shouldn't happen */
  362. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  363. SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION,
  364. ERR_R_INTERNAL_ERROR);
  365. return WRITE_TRAN_ERROR;
  366. case TLS_ST_OK:
  367. if (s->key_update != SSL_KEY_UPDATE_NONE) {
  368. st->hand_state = TLS_ST_SW_KEY_UPDATE;
  369. return WRITE_TRAN_CONTINUE;
  370. }
  371. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  372. st->hand_state = TLS_ST_SW_CERT_REQ;
  373. return WRITE_TRAN_CONTINUE;
  374. }
  375. /* Try to read from the client instead */
  376. return WRITE_TRAN_FINISHED;
  377. case TLS_ST_SR_CLNT_HELLO:
  378. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  379. return WRITE_TRAN_CONTINUE;
  380. case TLS_ST_SW_SRVR_HELLO:
  381. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  382. && s->hello_retry_request != SSL_HRR_COMPLETE)
  383. st->hand_state = TLS_ST_SW_CHANGE;
  384. else if (s->hello_retry_request == SSL_HRR_PENDING)
  385. st->hand_state = TLS_ST_EARLY_DATA;
  386. else
  387. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  388. return WRITE_TRAN_CONTINUE;
  389. case TLS_ST_SW_CHANGE:
  390. if (s->hello_retry_request == SSL_HRR_PENDING)
  391. st->hand_state = TLS_ST_EARLY_DATA;
  392. else
  393. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  394. return WRITE_TRAN_CONTINUE;
  395. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  396. if (s->hit)
  397. st->hand_state = TLS_ST_SW_FINISHED;
  398. else if (send_certificate_request(s))
  399. st->hand_state = TLS_ST_SW_CERT_REQ;
  400. else
  401. st->hand_state = TLS_ST_SW_CERT;
  402. return WRITE_TRAN_CONTINUE;
  403. case TLS_ST_SW_CERT_REQ:
  404. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  405. s->post_handshake_auth = SSL_PHA_REQUESTED;
  406. st->hand_state = TLS_ST_OK;
  407. } else {
  408. st->hand_state = TLS_ST_SW_CERT;
  409. }
  410. return WRITE_TRAN_CONTINUE;
  411. case TLS_ST_SW_CERT:
  412. st->hand_state = TLS_ST_SW_CERT_VRFY;
  413. return WRITE_TRAN_CONTINUE;
  414. case TLS_ST_SW_CERT_VRFY:
  415. st->hand_state = TLS_ST_SW_FINISHED;
  416. return WRITE_TRAN_CONTINUE;
  417. case TLS_ST_SW_FINISHED:
  418. st->hand_state = TLS_ST_EARLY_DATA;
  419. return WRITE_TRAN_CONTINUE;
  420. case TLS_ST_EARLY_DATA:
  421. return WRITE_TRAN_FINISHED;
  422. case TLS_ST_SR_FINISHED:
  423. /*
  424. * Technically we have finished the handshake at this point, but we're
  425. * going to remain "in_init" for now and write out the session ticket
  426. * immediately.
  427. * TODO(TLS1.3): Perhaps we need to be able to control this behaviour
  428. * and give the application the opportunity to delay sending the
  429. * session ticket?
  430. */
  431. if (s->post_handshake_auth == SSL_PHA_REQUESTED)
  432. s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
  433. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  434. return WRITE_TRAN_CONTINUE;
  435. case TLS_ST_SR_KEY_UPDATE:
  436. if (s->key_update != SSL_KEY_UPDATE_NONE) {
  437. st->hand_state = TLS_ST_SW_KEY_UPDATE;
  438. return WRITE_TRAN_CONTINUE;
  439. }
  440. /* Fall through */
  441. case TLS_ST_SW_KEY_UPDATE:
  442. case TLS_ST_SW_SESSION_TICKET:
  443. st->hand_state = TLS_ST_OK;
  444. return WRITE_TRAN_CONTINUE;
  445. }
  446. }
  447. /*
  448. * ossl_statem_server_write_transition() works out what handshake state to move
  449. * to next when the server is writing messages to be sent to the client.
  450. */
  451. WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
  452. {
  453. OSSL_STATEM *st = &s->statem;
  454. /*
  455. * Note that before the ClientHello we don't know what version we are going
  456. * to negotiate yet, so we don't take this branch until later
  457. */
  458. if (SSL_IS_TLS13(s))
  459. return ossl_statem_server13_write_transition(s);
  460. switch (st->hand_state) {
  461. default:
  462. /* Shouldn't happen */
  463. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  464. SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION,
  465. ERR_R_INTERNAL_ERROR);
  466. return WRITE_TRAN_ERROR;
  467. case TLS_ST_OK:
  468. if (st->request_state == TLS_ST_SW_HELLO_REQ) {
  469. /* We must be trying to renegotiate */
  470. st->hand_state = TLS_ST_SW_HELLO_REQ;
  471. st->request_state = TLS_ST_BEFORE;
  472. return WRITE_TRAN_CONTINUE;
  473. }
  474. /* Must be an incoming ClientHello */
  475. if (!tls_setup_handshake(s)) {
  476. /* SSLfatal() already called */
  477. return WRITE_TRAN_ERROR;
  478. }
  479. /* Fall through */
  480. case TLS_ST_BEFORE:
  481. /* Just go straight to trying to read from the client */
  482. return WRITE_TRAN_FINISHED;
  483. case TLS_ST_SW_HELLO_REQ:
  484. st->hand_state = TLS_ST_OK;
  485. return WRITE_TRAN_CONTINUE;
  486. case TLS_ST_SR_CLNT_HELLO:
  487. if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
  488. && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) {
  489. st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
  490. } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  491. /* We must have rejected the renegotiation */
  492. st->hand_state = TLS_ST_OK;
  493. return WRITE_TRAN_CONTINUE;
  494. } else {
  495. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  496. }
  497. return WRITE_TRAN_CONTINUE;
  498. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  499. return WRITE_TRAN_FINISHED;
  500. case TLS_ST_SW_SRVR_HELLO:
  501. if (s->hit) {
  502. if (s->ext.ticket_expected)
  503. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  504. else
  505. st->hand_state = TLS_ST_SW_CHANGE;
  506. } else {
  507. /* Check if it is anon DH or anon ECDH, */
  508. /* normal PSK or SRP */
  509. if (!(s->s3->tmp.new_cipher->algorithm_auth &
  510. (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
  511. st->hand_state = TLS_ST_SW_CERT;
  512. } else if (send_server_key_exchange(s)) {
  513. st->hand_state = TLS_ST_SW_KEY_EXCH;
  514. } else if (send_certificate_request(s)) {
  515. st->hand_state = TLS_ST_SW_CERT_REQ;
  516. } else {
  517. st->hand_state = TLS_ST_SW_SRVR_DONE;
  518. }
  519. }
  520. return WRITE_TRAN_CONTINUE;
  521. case TLS_ST_SW_CERT:
  522. if (s->ext.status_expected) {
  523. st->hand_state = TLS_ST_SW_CERT_STATUS;
  524. return WRITE_TRAN_CONTINUE;
  525. }
  526. /* Fall through */
  527. case TLS_ST_SW_CERT_STATUS:
  528. if (send_server_key_exchange(s)) {
  529. st->hand_state = TLS_ST_SW_KEY_EXCH;
  530. return WRITE_TRAN_CONTINUE;
  531. }
  532. /* Fall through */
  533. case TLS_ST_SW_KEY_EXCH:
  534. if (send_certificate_request(s)) {
  535. st->hand_state = TLS_ST_SW_CERT_REQ;
  536. return WRITE_TRAN_CONTINUE;
  537. }
  538. /* Fall through */
  539. case TLS_ST_SW_CERT_REQ:
  540. st->hand_state = TLS_ST_SW_SRVR_DONE;
  541. return WRITE_TRAN_CONTINUE;
  542. case TLS_ST_SW_SRVR_DONE:
  543. return WRITE_TRAN_FINISHED;
  544. case TLS_ST_SR_FINISHED:
  545. if (s->hit) {
  546. st->hand_state = TLS_ST_OK;
  547. return WRITE_TRAN_CONTINUE;
  548. } else if (s->ext.ticket_expected) {
  549. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  550. } else {
  551. st->hand_state = TLS_ST_SW_CHANGE;
  552. }
  553. return WRITE_TRAN_CONTINUE;
  554. case TLS_ST_SW_SESSION_TICKET:
  555. st->hand_state = TLS_ST_SW_CHANGE;
  556. return WRITE_TRAN_CONTINUE;
  557. case TLS_ST_SW_CHANGE:
  558. st->hand_state = TLS_ST_SW_FINISHED;
  559. return WRITE_TRAN_CONTINUE;
  560. case TLS_ST_SW_FINISHED:
  561. if (s->hit) {
  562. return WRITE_TRAN_FINISHED;
  563. }
  564. st->hand_state = TLS_ST_OK;
  565. return WRITE_TRAN_CONTINUE;
  566. }
  567. }
  568. /*
  569. * Perform any pre work that needs to be done prior to sending a message from
  570. * the server to the client.
  571. */
  572. WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
  573. {
  574. OSSL_STATEM *st = &s->statem;
  575. switch (st->hand_state) {
  576. default:
  577. /* No pre work to be done */
  578. break;
  579. case TLS_ST_SW_HELLO_REQ:
  580. s->shutdown = 0;
  581. if (SSL_IS_DTLS(s))
  582. dtls1_clear_sent_buffer(s);
  583. break;
  584. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  585. s->shutdown = 0;
  586. if (SSL_IS_DTLS(s)) {
  587. dtls1_clear_sent_buffer(s);
  588. /* We don't buffer this message so don't use the timer */
  589. st->use_timer = 0;
  590. }
  591. break;
  592. case TLS_ST_SW_SRVR_HELLO:
  593. if (SSL_IS_DTLS(s)) {
  594. /*
  595. * Messages we write from now on should be buffered and
  596. * retransmitted if necessary, so we need to use the timer now
  597. */
  598. st->use_timer = 1;
  599. }
  600. break;
  601. case TLS_ST_SW_SRVR_DONE:
  602. #ifndef OPENSSL_NO_SCTP
  603. if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  604. /* Calls SSLfatal() as required */
  605. return dtls_wait_for_dry(s);
  606. }
  607. #endif
  608. return WORK_FINISHED_CONTINUE;
  609. case TLS_ST_SW_SESSION_TICKET:
  610. if (SSL_IS_TLS13(s)) {
  611. /*
  612. * Actually this is the end of the handshake, but we're going
  613. * straight into writing the session ticket out. So we finish off
  614. * the handshake, but keep the various buffers active.
  615. *
  616. * Calls SSLfatal as required.
  617. */
  618. return tls_finish_handshake(s, wst, 0, 0);
  619. } if (SSL_IS_DTLS(s)) {
  620. /*
  621. * We're into the last flight. We don't retransmit the last flight
  622. * unless we need to, so we don't use the timer
  623. */
  624. st->use_timer = 0;
  625. }
  626. break;
  627. case TLS_ST_SW_CHANGE:
  628. if (SSL_IS_TLS13(s))
  629. break;
  630. s->session->cipher = s->s3->tmp.new_cipher;
  631. if (!s->method->ssl3_enc->setup_key_block(s)) {
  632. /* SSLfatal() already called */
  633. return WORK_ERROR;
  634. }
  635. if (SSL_IS_DTLS(s)) {
  636. /*
  637. * We're into the last flight. We don't retransmit the last flight
  638. * unless we need to, so we don't use the timer. This might have
  639. * already been set to 0 if we sent a NewSessionTicket message,
  640. * but we'll set it again here in case we didn't.
  641. */
  642. st->use_timer = 0;
  643. }
  644. return WORK_FINISHED_CONTINUE;
  645. case TLS_ST_EARLY_DATA:
  646. if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
  647. && (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
  648. return WORK_FINISHED_CONTINUE;
  649. /* Fall through */
  650. case TLS_ST_OK:
  651. /* Calls SSLfatal() as required */
  652. return tls_finish_handshake(s, wst, 1, 1);
  653. }
  654. return WORK_FINISHED_CONTINUE;
  655. }
  656. /*
  657. * Perform any work that needs to be done after sending a message from the
  658. * server to the client.
  659. */
  660. WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
  661. {
  662. OSSL_STATEM *st = &s->statem;
  663. s->init_num = 0;
  664. switch (st->hand_state) {
  665. default:
  666. /* No post work to be done */
  667. break;
  668. case TLS_ST_SW_HELLO_REQ:
  669. if (statem_flush(s) != 1)
  670. return WORK_MORE_A;
  671. if (!ssl3_init_finished_mac(s)) {
  672. /* SSLfatal() already called */
  673. return WORK_ERROR;
  674. }
  675. break;
  676. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  677. if (statem_flush(s) != 1)
  678. return WORK_MORE_A;
  679. /* HelloVerifyRequest resets Finished MAC */
  680. if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
  681. /* SSLfatal() already called */
  682. return WORK_ERROR;
  683. }
  684. /*
  685. * The next message should be another ClientHello which we need to
  686. * treat like it was the first packet
  687. */
  688. s->first_packet = 1;
  689. break;
  690. case TLS_ST_SW_SRVR_HELLO:
  691. if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) {
  692. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
  693. && statem_flush(s) != 1)
  694. return WORK_MORE_A;
  695. break;
  696. }
  697. #ifndef OPENSSL_NO_SCTP
  698. if (SSL_IS_DTLS(s) && s->hit) {
  699. unsigned char sctpauthkey[64];
  700. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  701. /*
  702. * Add new shared key for SCTP-Auth, will be ignored if no
  703. * SCTP used.
  704. */
  705. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  706. sizeof(DTLS1_SCTP_AUTH_LABEL));
  707. if (SSL_export_keying_material(s, sctpauthkey,
  708. sizeof(sctpauthkey), labelbuffer,
  709. sizeof(labelbuffer), NULL, 0,
  710. 0) <= 0) {
  711. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  712. SSL_F_OSSL_STATEM_SERVER_POST_WORK,
  713. ERR_R_INTERNAL_ERROR);
  714. return WORK_ERROR;
  715. }
  716. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  717. sizeof(sctpauthkey), sctpauthkey);
  718. }
  719. #endif
  720. if (!SSL_IS_TLS13(s)
  721. || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  722. && s->hello_retry_request != SSL_HRR_COMPLETE))
  723. break;
  724. /* Fall through */
  725. case TLS_ST_SW_CHANGE:
  726. if (s->hello_retry_request == SSL_HRR_PENDING) {
  727. if (!statem_flush(s))
  728. return WORK_MORE_A;
  729. break;
  730. }
  731. /*
  732. * TODO(TLS1.3): This actually causes a problem. We don't yet know
  733. * whether the next record we are going to receive is an unencrypted
  734. * alert, or an encrypted handshake message. We're going to need
  735. * something clever in the record layer for this.
  736. */
  737. if (SSL_IS_TLS13(s)) {
  738. if (!s->method->ssl3_enc->setup_key_block(s)
  739. || !s->method->ssl3_enc->change_cipher_state(s,
  740. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
  741. /* SSLfatal() already called */
  742. return WORK_ERROR;
  743. }
  744. if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED
  745. && !s->method->ssl3_enc->change_cipher_state(s,
  746. SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) {
  747. /* SSLfatal() already called */
  748. return WORK_ERROR;
  749. }
  750. break;
  751. }
  752. #ifndef OPENSSL_NO_SCTP
  753. if (SSL_IS_DTLS(s) && !s->hit) {
  754. /*
  755. * Change to new shared key of SCTP-Auth, will be ignored if
  756. * no SCTP used.
  757. */
  758. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  759. 0, NULL);
  760. }
  761. #endif
  762. if (!s->method->ssl3_enc->change_cipher_state(s,
  763. SSL3_CHANGE_CIPHER_SERVER_WRITE))
  764. {
  765. /* SSLfatal() already called */
  766. return WORK_ERROR;
  767. }
  768. if (SSL_IS_DTLS(s))
  769. dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
  770. break;
  771. case TLS_ST_SW_SRVR_DONE:
  772. if (statem_flush(s) != 1)
  773. return WORK_MORE_A;
  774. break;
  775. case TLS_ST_SW_FINISHED:
  776. if (statem_flush(s) != 1)
  777. return WORK_MORE_A;
  778. #ifndef OPENSSL_NO_SCTP
  779. if (SSL_IS_DTLS(s) && s->hit) {
  780. /*
  781. * Change to new shared key of SCTP-Auth, will be ignored if
  782. * no SCTP used.
  783. */
  784. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  785. 0, NULL);
  786. }
  787. #endif
  788. if (SSL_IS_TLS13(s)) {
  789. if (!s->method->ssl3_enc->generate_master_secret(s,
  790. s->master_secret, s->handshake_secret, 0,
  791. &s->session->master_key_length)
  792. || !s->method->ssl3_enc->change_cipher_state(s,
  793. SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
  794. /* SSLfatal() already called */
  795. return WORK_ERROR;
  796. }
  797. break;
  798. case TLS_ST_SW_CERT_REQ:
  799. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  800. if (statem_flush(s) != 1)
  801. return WORK_MORE_A;
  802. }
  803. break;
  804. case TLS_ST_SW_KEY_UPDATE:
  805. if (statem_flush(s) != 1)
  806. return WORK_MORE_A;
  807. if (!tls13_update_key(s, 1)) {
  808. /* SSLfatal() already called */
  809. return WORK_ERROR;
  810. }
  811. break;
  812. case TLS_ST_SW_SESSION_TICKET:
  813. if (SSL_IS_TLS13(s) && statem_flush(s) != 1)
  814. return WORK_MORE_A;
  815. break;
  816. }
  817. return WORK_FINISHED_CONTINUE;
  818. }
  819. /*
  820. * Get the message construction function and message type for sending from the
  821. * server
  822. *
  823. * Valid return values are:
  824. * 1: Success
  825. * 0: Error
  826. */
  827. int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
  828. confunc_f *confunc, int *mt)
  829. {
  830. OSSL_STATEM *st = &s->statem;
  831. switch (st->hand_state) {
  832. default:
  833. /* Shouldn't happen */
  834. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  835. SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE,
  836. SSL_R_BAD_HANDSHAKE_STATE);
  837. return 0;
  838. case TLS_ST_SW_CHANGE:
  839. if (SSL_IS_DTLS(s))
  840. *confunc = dtls_construct_change_cipher_spec;
  841. else
  842. *confunc = tls_construct_change_cipher_spec;
  843. *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
  844. break;
  845. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  846. *confunc = dtls_construct_hello_verify_request;
  847. *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
  848. break;
  849. case TLS_ST_SW_HELLO_REQ:
  850. /* No construction function needed */
  851. *confunc = NULL;
  852. *mt = SSL3_MT_HELLO_REQUEST;
  853. break;
  854. case TLS_ST_SW_SRVR_HELLO:
  855. *confunc = tls_construct_server_hello;
  856. *mt = SSL3_MT_SERVER_HELLO;
  857. break;
  858. case TLS_ST_SW_CERT:
  859. *confunc = tls_construct_server_certificate;
  860. *mt = SSL3_MT_CERTIFICATE;
  861. break;
  862. case TLS_ST_SW_CERT_VRFY:
  863. *confunc = tls_construct_cert_verify;
  864. *mt = SSL3_MT_CERTIFICATE_VERIFY;
  865. break;
  866. case TLS_ST_SW_KEY_EXCH:
  867. *confunc = tls_construct_server_key_exchange;
  868. *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
  869. break;
  870. case TLS_ST_SW_CERT_REQ:
  871. *confunc = tls_construct_certificate_request;
  872. *mt = SSL3_MT_CERTIFICATE_REQUEST;
  873. break;
  874. case TLS_ST_SW_SRVR_DONE:
  875. *confunc = tls_construct_server_done;
  876. *mt = SSL3_MT_SERVER_DONE;
  877. break;
  878. case TLS_ST_SW_SESSION_TICKET:
  879. *confunc = tls_construct_new_session_ticket;
  880. *mt = SSL3_MT_NEWSESSION_TICKET;
  881. break;
  882. case TLS_ST_SW_CERT_STATUS:
  883. *confunc = tls_construct_cert_status;
  884. *mt = SSL3_MT_CERTIFICATE_STATUS;
  885. break;
  886. case TLS_ST_SW_FINISHED:
  887. *confunc = tls_construct_finished;
  888. *mt = SSL3_MT_FINISHED;
  889. break;
  890. case TLS_ST_EARLY_DATA:
  891. *confunc = NULL;
  892. *mt = SSL3_MT_DUMMY;
  893. break;
  894. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  895. *confunc = tls_construct_encrypted_extensions;
  896. *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
  897. break;
  898. case TLS_ST_SW_KEY_UPDATE:
  899. *confunc = tls_construct_key_update;
  900. *mt = SSL3_MT_KEY_UPDATE;
  901. break;
  902. }
  903. return 1;
  904. }
  905. /*
  906. * Maximum size (excluding the Handshake header) of a ClientHello message,
  907. * calculated as follows:
  908. *
  909. * 2 + # client_version
  910. * 32 + # only valid length for random
  911. * 1 + # length of session_id
  912. * 32 + # maximum size for session_id
  913. * 2 + # length of cipher suites
  914. * 2^16-2 + # maximum length of cipher suites array
  915. * 1 + # length of compression_methods
  916. * 2^8-1 + # maximum length of compression methods
  917. * 2 + # length of extensions
  918. * 2^16-1 # maximum length of extensions
  919. */
  920. #define CLIENT_HELLO_MAX_LENGTH 131396
  921. #define CLIENT_KEY_EXCH_MAX_LENGTH 2048
  922. #define NEXT_PROTO_MAX_LENGTH 514
  923. /*
  924. * Returns the maximum allowed length for the current message that we are
  925. * reading. Excludes the message header.
  926. */
  927. size_t ossl_statem_server_max_message_size(SSL *s)
  928. {
  929. OSSL_STATEM *st = &s->statem;
  930. switch (st->hand_state) {
  931. default:
  932. /* Shouldn't happen */
  933. return 0;
  934. case TLS_ST_SR_CLNT_HELLO:
  935. return CLIENT_HELLO_MAX_LENGTH;
  936. case TLS_ST_SR_END_OF_EARLY_DATA:
  937. return END_OF_EARLY_DATA_MAX_LENGTH;
  938. case TLS_ST_SR_CERT:
  939. return s->max_cert_list;
  940. case TLS_ST_SR_KEY_EXCH:
  941. return CLIENT_KEY_EXCH_MAX_LENGTH;
  942. case TLS_ST_SR_CERT_VRFY:
  943. return SSL3_RT_MAX_PLAIN_LENGTH;
  944. #ifndef OPENSSL_NO_NEXTPROTONEG
  945. case TLS_ST_SR_NEXT_PROTO:
  946. return NEXT_PROTO_MAX_LENGTH;
  947. #endif
  948. case TLS_ST_SR_CHANGE:
  949. return CCS_MAX_LENGTH;
  950. case TLS_ST_SR_FINISHED:
  951. return FINISHED_MAX_LENGTH;
  952. case TLS_ST_SR_KEY_UPDATE:
  953. return KEY_UPDATE_MAX_LENGTH;
  954. }
  955. }
  956. /*
  957. * Process a message that the server has received from the client.
  958. */
  959. MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
  960. {
  961. OSSL_STATEM *st = &s->statem;
  962. switch (st->hand_state) {
  963. default:
  964. /* Shouldn't happen */
  965. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  966. SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE,
  967. ERR_R_INTERNAL_ERROR);
  968. return MSG_PROCESS_ERROR;
  969. case TLS_ST_SR_CLNT_HELLO:
  970. return tls_process_client_hello(s, pkt);
  971. case TLS_ST_SR_END_OF_EARLY_DATA:
  972. return tls_process_end_of_early_data(s, pkt);
  973. case TLS_ST_SR_CERT:
  974. return tls_process_client_certificate(s, pkt);
  975. case TLS_ST_SR_KEY_EXCH:
  976. return tls_process_client_key_exchange(s, pkt);
  977. case TLS_ST_SR_CERT_VRFY:
  978. return tls_process_cert_verify(s, pkt);
  979. #ifndef OPENSSL_NO_NEXTPROTONEG
  980. case TLS_ST_SR_NEXT_PROTO:
  981. return tls_process_next_proto(s, pkt);
  982. #endif
  983. case TLS_ST_SR_CHANGE:
  984. return tls_process_change_cipher_spec(s, pkt);
  985. case TLS_ST_SR_FINISHED:
  986. return tls_process_finished(s, pkt);
  987. case TLS_ST_SR_KEY_UPDATE:
  988. return tls_process_key_update(s, pkt);
  989. }
  990. }
  991. /*
  992. * Perform any further processing required following the receipt of a message
  993. * from the client
  994. */
  995. WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
  996. {
  997. OSSL_STATEM *st = &s->statem;
  998. switch (st->hand_state) {
  999. default:
  1000. /* Shouldn't happen */
  1001. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1002. SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE,
  1003. ERR_R_INTERNAL_ERROR);
  1004. return WORK_ERROR;
  1005. case TLS_ST_SR_CLNT_HELLO:
  1006. return tls_post_process_client_hello(s, wst);
  1007. case TLS_ST_SR_KEY_EXCH:
  1008. return tls_post_process_client_key_exchange(s, wst);
  1009. }
  1010. }
  1011. #ifndef OPENSSL_NO_SRP
  1012. /* Returns 1 on success, 0 for retryable error, -1 for fatal error */
  1013. static int ssl_check_srp_ext_ClientHello(SSL *s)
  1014. {
  1015. int ret;
  1016. int al = SSL_AD_UNRECOGNIZED_NAME;
  1017. if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
  1018. (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
  1019. if (s->srp_ctx.login == NULL) {
  1020. /*
  1021. * RFC 5054 says SHOULD reject, we do so if There is no srp
  1022. * login name
  1023. */
  1024. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
  1025. SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
  1026. SSL_R_PSK_IDENTITY_NOT_FOUND);
  1027. return -1;
  1028. } else {
  1029. ret = SSL_srp_server_param_with_username(s, &al);
  1030. if (ret < 0)
  1031. return 0;
  1032. if (ret == SSL3_AL_FATAL) {
  1033. SSLfatal(s, al, SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
  1034. al == SSL_AD_UNKNOWN_PSK_IDENTITY
  1035. ? SSL_R_PSK_IDENTITY_NOT_FOUND
  1036. : SSL_R_CLIENTHELLO_TLSEXT);
  1037. return -1;
  1038. }
  1039. }
  1040. }
  1041. return 1;
  1042. }
  1043. #endif
  1044. int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
  1045. size_t cookie_len)
  1046. {
  1047. /* Always use DTLS 1.0 version: see RFC 6347 */
  1048. if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
  1049. || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
  1050. return 0;
  1051. return 1;
  1052. }
  1053. int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
  1054. {
  1055. unsigned int cookie_leni;
  1056. if (s->ctx->app_gen_cookie_cb == NULL ||
  1057. s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
  1058. &cookie_leni) == 0 ||
  1059. cookie_leni > 255) {
  1060. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
  1061. SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
  1062. return 0;
  1063. }
  1064. s->d1->cookie_len = cookie_leni;
  1065. if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
  1066. s->d1->cookie_len)) {
  1067. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
  1068. ERR_R_INTERNAL_ERROR);
  1069. return 0;
  1070. }
  1071. return 1;
  1072. }
  1073. #ifndef OPENSSL_NO_EC
  1074. /*-
  1075. * ssl_check_for_safari attempts to fingerprint Safari using OS X
  1076. * SecureTransport using the TLS extension block in |hello|.
  1077. * Safari, since 10.6, sends exactly these extensions, in this order:
  1078. * SNI,
  1079. * elliptic_curves
  1080. * ec_point_formats
  1081. * signature_algorithms (for TLSv1.2 only)
  1082. *
  1083. * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
  1084. * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
  1085. * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
  1086. * 10.8..10.8.3 (which don't work).
  1087. */
  1088. static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
  1089. {
  1090. static const unsigned char kSafariExtensionsBlock[] = {
  1091. 0x00, 0x0a, /* elliptic_curves extension */
  1092. 0x00, 0x08, /* 8 bytes */
  1093. 0x00, 0x06, /* 6 bytes of curve ids */
  1094. 0x00, 0x17, /* P-256 */
  1095. 0x00, 0x18, /* P-384 */
  1096. 0x00, 0x19, /* P-521 */
  1097. 0x00, 0x0b, /* ec_point_formats */
  1098. 0x00, 0x02, /* 2 bytes */
  1099. 0x01, /* 1 point format */
  1100. 0x00, /* uncompressed */
  1101. /* The following is only present in TLS 1.2 */
  1102. 0x00, 0x0d, /* signature_algorithms */
  1103. 0x00, 0x0c, /* 12 bytes */
  1104. 0x00, 0x0a, /* 10 bytes */
  1105. 0x05, 0x01, /* SHA-384/RSA */
  1106. 0x04, 0x01, /* SHA-256/RSA */
  1107. 0x02, 0x01, /* SHA-1/RSA */
  1108. 0x04, 0x03, /* SHA-256/ECDSA */
  1109. 0x02, 0x03, /* SHA-1/ECDSA */
  1110. };
  1111. /* Length of the common prefix (first two extensions). */
  1112. static const size_t kSafariCommonExtensionsLength = 18;
  1113. unsigned int type;
  1114. PACKET sni, tmppkt;
  1115. size_t ext_len;
  1116. tmppkt = hello->extensions;
  1117. if (!PACKET_forward(&tmppkt, 2)
  1118. || !PACKET_get_net_2(&tmppkt, &type)
  1119. || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
  1120. return;
  1121. }
  1122. if (type != TLSEXT_TYPE_server_name)
  1123. return;
  1124. ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
  1125. sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
  1126. s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
  1127. ext_len);
  1128. }
  1129. #endif /* !OPENSSL_NO_EC */
  1130. MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
  1131. {
  1132. /* |cookie| will only be initialized for DTLS. */
  1133. PACKET session_id, compression, extensions, cookie;
  1134. static const unsigned char null_compression = 0;
  1135. CLIENTHELLO_MSG *clienthello = NULL;
  1136. /* Check if this is actually an unexpected renegotiation ClientHello */
  1137. if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  1138. if (!ossl_assert(!SSL_IS_TLS13(s))) {
  1139. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1140. ERR_R_INTERNAL_ERROR);
  1141. goto err;
  1142. }
  1143. if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0
  1144. || (!s->s3->send_connection_binding
  1145. && (s->options
  1146. & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) {
  1147. ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
  1148. return MSG_PROCESS_FINISHED_READING;
  1149. }
  1150. s->renegotiate = 1;
  1151. s->new_session = 1;
  1152. }
  1153. clienthello = OPENSSL_zalloc(sizeof(*clienthello));
  1154. if (clienthello == NULL) {
  1155. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1156. ERR_R_INTERNAL_ERROR);
  1157. goto err;
  1158. }
  1159. /*
  1160. * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
  1161. */
  1162. clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
  1163. PACKET_null_init(&cookie);
  1164. if (clienthello->isv2) {
  1165. unsigned int mt;
  1166. if (!SSL_IS_FIRST_HANDSHAKE(s)
  1167. || s->hello_retry_request != SSL_HRR_NONE) {
  1168. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1169. SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE);
  1170. goto err;
  1171. }
  1172. /*-
  1173. * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
  1174. * header is sent directly on the wire, not wrapped as a TLS
  1175. * record. Our record layer just processes the message length and passes
  1176. * the rest right through. Its format is:
  1177. * Byte Content
  1178. * 0-1 msg_length - decoded by the record layer
  1179. * 2 msg_type - s->init_msg points here
  1180. * 3-4 version
  1181. * 5-6 cipher_spec_length
  1182. * 7-8 session_id_length
  1183. * 9-10 challenge_length
  1184. * ... ...
  1185. */
  1186. if (!PACKET_get_1(pkt, &mt)
  1187. || mt != SSL2_MT_CLIENT_HELLO) {
  1188. /*
  1189. * Should never happen. We should have tested this in the record
  1190. * layer in order to have determined that this is a SSLv2 record
  1191. * in the first place
  1192. */
  1193. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1194. ERR_R_INTERNAL_ERROR);
  1195. goto err;
  1196. }
  1197. }
  1198. if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
  1199. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1200. SSL_R_LENGTH_TOO_SHORT);
  1201. goto err;
  1202. }
  1203. /* Parse the message and load client random. */
  1204. if (clienthello->isv2) {
  1205. /*
  1206. * Handle an SSLv2 backwards compatible ClientHello
  1207. * Note, this is only for SSLv3+ using the backward compatible format.
  1208. * Real SSLv2 is not supported, and is rejected below.
  1209. */
  1210. unsigned int ciphersuite_len, session_id_len, challenge_len;
  1211. PACKET challenge;
  1212. if (!PACKET_get_net_2(pkt, &ciphersuite_len)
  1213. || !PACKET_get_net_2(pkt, &session_id_len)
  1214. || !PACKET_get_net_2(pkt, &challenge_len)) {
  1215. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1216. SSL_R_RECORD_LENGTH_MISMATCH);
  1217. goto err;
  1218. }
  1219. if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
  1220. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1221. SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
  1222. goto err;
  1223. }
  1224. if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
  1225. ciphersuite_len)
  1226. || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
  1227. || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
  1228. /* No extensions. */
  1229. || PACKET_remaining(pkt) != 0) {
  1230. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1231. SSL_R_RECORD_LENGTH_MISMATCH);
  1232. goto err;
  1233. }
  1234. clienthello->session_id_len = session_id_len;
  1235. /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
  1236. * here rather than sizeof(clienthello->random) because that is the limit
  1237. * for SSLv3 and it is fixed. It won't change even if
  1238. * sizeof(clienthello->random) does.
  1239. */
  1240. challenge_len = challenge_len > SSL3_RANDOM_SIZE
  1241. ? SSL3_RANDOM_SIZE : challenge_len;
  1242. memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
  1243. if (!PACKET_copy_bytes(&challenge,
  1244. clienthello->random + SSL3_RANDOM_SIZE -
  1245. challenge_len, challenge_len)
  1246. /* Advertise only null compression. */
  1247. || !PACKET_buf_init(&compression, &null_compression, 1)) {
  1248. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1249. ERR_R_INTERNAL_ERROR);
  1250. goto err;
  1251. }
  1252. PACKET_null_init(&clienthello->extensions);
  1253. } else {
  1254. /* Regular ClientHello. */
  1255. if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
  1256. || !PACKET_get_length_prefixed_1(pkt, &session_id)
  1257. || !PACKET_copy_all(&session_id, clienthello->session_id,
  1258. SSL_MAX_SSL_SESSION_ID_LENGTH,
  1259. &clienthello->session_id_len)) {
  1260. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1261. SSL_R_LENGTH_MISMATCH);
  1262. goto err;
  1263. }
  1264. if (SSL_IS_DTLS(s)) {
  1265. if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
  1266. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1267. SSL_R_LENGTH_MISMATCH);
  1268. goto err;
  1269. }
  1270. if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
  1271. DTLS1_COOKIE_LENGTH,
  1272. &clienthello->dtls_cookie_len)) {
  1273. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1274. SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
  1275. goto err;
  1276. }
  1277. /*
  1278. * If we require cookies and this ClientHello doesn't contain one,
  1279. * just return since we do not want to allocate any memory yet.
  1280. * So check cookie length...
  1281. */
  1282. if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
  1283. if (clienthello->dtls_cookie_len == 0)
  1284. return MSG_PROCESS_FINISHED_READING;
  1285. }
  1286. }
  1287. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
  1288. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1289. SSL_R_LENGTH_MISMATCH);
  1290. goto err;
  1291. }
  1292. if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
  1293. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1294. SSL_R_LENGTH_MISMATCH);
  1295. goto err;
  1296. }
  1297. /* Could be empty. */
  1298. if (PACKET_remaining(pkt) == 0) {
  1299. PACKET_null_init(&clienthello->extensions);
  1300. } else {
  1301. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
  1302. || PACKET_remaining(pkt) != 0) {
  1303. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1304. SSL_R_LENGTH_MISMATCH);
  1305. goto err;
  1306. }
  1307. }
  1308. }
  1309. if (!PACKET_copy_all(&compression, clienthello->compressions,
  1310. MAX_COMPRESSIONS_SIZE,
  1311. &clienthello->compressions_len)) {
  1312. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1313. ERR_R_INTERNAL_ERROR);
  1314. goto err;
  1315. }
  1316. /* Preserve the raw extensions PACKET for later use */
  1317. extensions = clienthello->extensions;
  1318. if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
  1319. &clienthello->pre_proc_exts,
  1320. &clienthello->pre_proc_exts_len, 1)) {
  1321. /* SSLfatal already been called */
  1322. goto err;
  1323. }
  1324. s->clienthello = clienthello;
  1325. return MSG_PROCESS_CONTINUE_PROCESSING;
  1326. err:
  1327. if (clienthello != NULL)
  1328. OPENSSL_free(clienthello->pre_proc_exts);
  1329. OPENSSL_free(clienthello);
  1330. return MSG_PROCESS_ERROR;
  1331. }
  1332. static int tls_early_post_process_client_hello(SSL *s)
  1333. {
  1334. unsigned int j;
  1335. int i, al = SSL_AD_INTERNAL_ERROR;
  1336. int protverr;
  1337. size_t loop;
  1338. unsigned long id;
  1339. #ifndef OPENSSL_NO_COMP
  1340. SSL_COMP *comp = NULL;
  1341. #endif
  1342. const SSL_CIPHER *c;
  1343. STACK_OF(SSL_CIPHER) *ciphers = NULL;
  1344. STACK_OF(SSL_CIPHER) *scsvs = NULL;
  1345. CLIENTHELLO_MSG *clienthello = s->clienthello;
  1346. DOWNGRADE dgrd = DOWNGRADE_NONE;
  1347. /* Finished parsing the ClientHello, now we can start processing it */
  1348. /* Give the ClientHello callback a crack at things */
  1349. if (s->ctx->client_hello_cb != NULL) {
  1350. /* A failure in the ClientHello callback terminates the connection. */
  1351. switch (s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg)) {
  1352. case SSL_CLIENT_HELLO_SUCCESS:
  1353. break;
  1354. case SSL_CLIENT_HELLO_RETRY:
  1355. s->rwstate = SSL_CLIENT_HELLO_CB;
  1356. return -1;
  1357. case SSL_CLIENT_HELLO_ERROR:
  1358. default:
  1359. SSLfatal(s, al,
  1360. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1361. SSL_R_CALLBACK_FAILED);
  1362. goto err;
  1363. }
  1364. }
  1365. /* Set up the client_random */
  1366. memcpy(s->s3->client_random, clienthello->random, SSL3_RANDOM_SIZE);
  1367. /* Choose the version */
  1368. if (clienthello->isv2) {
  1369. if (clienthello->legacy_version == SSL2_VERSION
  1370. || (clienthello->legacy_version & 0xff00)
  1371. != (SSL3_VERSION_MAJOR << 8)) {
  1372. /*
  1373. * This is real SSLv2 or something completely unknown. We don't
  1374. * support it.
  1375. */
  1376. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1377. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1378. SSL_R_UNKNOWN_PROTOCOL);
  1379. goto err;
  1380. }
  1381. /* SSLv3/TLS */
  1382. s->client_version = clienthello->legacy_version;
  1383. }
  1384. /*
  1385. * Do SSL/TLS version negotiation if applicable. For DTLS we just check
  1386. * versions are potentially compatible. Version negotiation comes later.
  1387. */
  1388. if (!SSL_IS_DTLS(s)) {
  1389. protverr = ssl_choose_server_version(s, clienthello, &dgrd);
  1390. } else if (s->method->version != DTLS_ANY_VERSION &&
  1391. DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
  1392. protverr = SSL_R_VERSION_TOO_LOW;
  1393. } else {
  1394. protverr = 0;
  1395. }
  1396. if (protverr) {
  1397. if (SSL_IS_FIRST_HANDSHAKE(s)) {
  1398. /* like ssl3_get_record, send alert using remote version number */
  1399. s->version = s->client_version = clienthello->legacy_version;
  1400. }
  1401. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1402. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
  1403. goto err;
  1404. }
  1405. /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
  1406. if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  1407. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1408. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1409. SSL_R_NOT_ON_RECORD_BOUNDARY);
  1410. goto err;
  1411. }
  1412. if (SSL_IS_DTLS(s)) {
  1413. /* Empty cookie was already handled above by returning early. */
  1414. if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
  1415. if (s->ctx->app_verify_cookie_cb != NULL) {
  1416. if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie,
  1417. clienthello->dtls_cookie_len) == 0) {
  1418. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1419. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1420. SSL_R_COOKIE_MISMATCH);
  1421. goto err;
  1422. /* else cookie verification succeeded */
  1423. }
  1424. /* default verification */
  1425. } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
  1426. || memcmp(clienthello->dtls_cookie, s->d1->cookie,
  1427. s->d1->cookie_len) != 0) {
  1428. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1429. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1430. SSL_R_COOKIE_MISMATCH);
  1431. goto err;
  1432. }
  1433. s->d1->cookie_verified = 1;
  1434. }
  1435. if (s->method->version == DTLS_ANY_VERSION) {
  1436. protverr = ssl_choose_server_version(s, clienthello, &dgrd);
  1437. if (protverr != 0) {
  1438. s->version = s->client_version;
  1439. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1440. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
  1441. goto err;
  1442. }
  1443. }
  1444. }
  1445. s->hit = 0;
  1446. if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
  1447. clienthello->isv2) ||
  1448. !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs,
  1449. clienthello->isv2, 1)) {
  1450. /* SSLfatal() already called */
  1451. goto err;
  1452. }
  1453. s->s3->send_connection_binding = 0;
  1454. /* Check what signalling cipher-suite values were received. */
  1455. if (scsvs != NULL) {
  1456. for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
  1457. c = sk_SSL_CIPHER_value(scsvs, i);
  1458. if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
  1459. if (s->renegotiate) {
  1460. /* SCSV is fatal if renegotiating */
  1461. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1462. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1463. SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
  1464. goto err;
  1465. }
  1466. s->s3->send_connection_binding = 1;
  1467. } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
  1468. !ssl_check_version_downgrade(s)) {
  1469. /*
  1470. * This SCSV indicates that the client previously tried
  1471. * a higher version. We should fail if the current version
  1472. * is an unexpected downgrade, as that indicates that the first
  1473. * connection may have been tampered with in order to trigger
  1474. * an insecure downgrade.
  1475. */
  1476. SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK,
  1477. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1478. SSL_R_INAPPROPRIATE_FALLBACK);
  1479. goto err;
  1480. }
  1481. }
  1482. }
  1483. /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
  1484. if (SSL_IS_TLS13(s)) {
  1485. const SSL_CIPHER *cipher =
  1486. ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
  1487. if (cipher == NULL) {
  1488. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1489. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1490. SSL_R_NO_SHARED_CIPHER);
  1491. goto err;
  1492. }
  1493. if (s->hello_retry_request == SSL_HRR_PENDING
  1494. && (s->s3->tmp.new_cipher == NULL
  1495. || s->s3->tmp.new_cipher->id != cipher->id)) {
  1496. /*
  1497. * A previous HRR picked a different ciphersuite to the one we
  1498. * just selected. Something must have changed.
  1499. */
  1500. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1501. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1502. SSL_R_BAD_CIPHER);
  1503. goto err;
  1504. }
  1505. s->s3->tmp.new_cipher = cipher;
  1506. }
  1507. /* We need to do this before getting the session */
  1508. if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
  1509. SSL_EXT_CLIENT_HELLO,
  1510. clienthello->pre_proc_exts, NULL, 0)) {
  1511. /* SSLfatal() already called */
  1512. goto err;
  1513. }
  1514. /*
  1515. * We don't allow resumption in a backwards compatible ClientHello.
  1516. * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
  1517. *
  1518. * Versions before 0.9.7 always allow clients to resume sessions in
  1519. * renegotiation. 0.9.7 and later allow this by default, but optionally
  1520. * ignore resumption requests with flag
  1521. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
  1522. * than a change to default behavior so that applications relying on
  1523. * this for security won't even compile against older library versions).
  1524. * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
  1525. * request renegotiation but not a new session (s->new_session remains
  1526. * unset): for servers, this essentially just means that the
  1527. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
  1528. * ignored.
  1529. */
  1530. if (clienthello->isv2 ||
  1531. (s->new_session &&
  1532. (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
  1533. if (!ssl_get_new_session(s, 1)) {
  1534. /* SSLfatal() already called */
  1535. goto err;
  1536. }
  1537. } else {
  1538. i = ssl_get_prev_session(s, clienthello);
  1539. if (i == 1) {
  1540. /* previous session */
  1541. s->hit = 1;
  1542. } else if (i == -1) {
  1543. /* SSLfatal() already called */
  1544. goto err;
  1545. } else {
  1546. /* i == 0 */
  1547. if (!ssl_get_new_session(s, 1)) {
  1548. /* SSLfatal() already called */
  1549. goto err;
  1550. }
  1551. }
  1552. }
  1553. if (SSL_IS_TLS13(s)) {
  1554. memcpy(s->tmp_session_id, s->clienthello->session_id,
  1555. s->clienthello->session_id_len);
  1556. s->tmp_session_id_len = s->clienthello->session_id_len;
  1557. }
  1558. /*
  1559. * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
  1560. * ciphersuite compatibility with the session as part of resumption.
  1561. */
  1562. if (!SSL_IS_TLS13(s) && s->hit) {
  1563. j = 0;
  1564. id = s->session->cipher->id;
  1565. #ifdef CIPHER_DEBUG
  1566. fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
  1567. #endif
  1568. for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
  1569. c = sk_SSL_CIPHER_value(ciphers, i);
  1570. #ifdef CIPHER_DEBUG
  1571. fprintf(stderr, "client [%2d of %2d]:%s\n",
  1572. i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
  1573. #endif
  1574. if (c->id == id) {
  1575. j = 1;
  1576. break;
  1577. }
  1578. }
  1579. if (j == 0) {
  1580. /*
  1581. * we need to have the cipher in the cipher list if we are asked
  1582. * to reuse it
  1583. */
  1584. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1585. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1586. SSL_R_REQUIRED_CIPHER_MISSING);
  1587. goto err;
  1588. }
  1589. }
  1590. for (loop = 0; loop < clienthello->compressions_len; loop++) {
  1591. if (clienthello->compressions[loop] == 0)
  1592. break;
  1593. }
  1594. if (loop >= clienthello->compressions_len) {
  1595. /* no compress */
  1596. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1597. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1598. SSL_R_NO_COMPRESSION_SPECIFIED);
  1599. goto err;
  1600. }
  1601. #ifndef OPENSSL_NO_EC
  1602. if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
  1603. ssl_check_for_safari(s, clienthello);
  1604. #endif /* !OPENSSL_NO_EC */
  1605. /* TLS extensions */
  1606. if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
  1607. clienthello->pre_proc_exts, NULL, 0, 1)) {
  1608. /* SSLfatal() already called */
  1609. goto err;
  1610. }
  1611. /*
  1612. * Check if we want to use external pre-shared secret for this handshake
  1613. * for not reused session only. We need to generate server_random before
  1614. * calling tls_session_secret_cb in order to allow SessionTicket
  1615. * processing to use it in key derivation.
  1616. */
  1617. {
  1618. unsigned char *pos;
  1619. pos = s->s3->server_random;
  1620. if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
  1621. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1622. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1623. ERR_R_INTERNAL_ERROR);
  1624. goto err;
  1625. }
  1626. }
  1627. if (!s->hit
  1628. && s->version >= TLS1_VERSION
  1629. && !SSL_IS_TLS13(s)
  1630. && !SSL_IS_DTLS(s)
  1631. && s->ext.session_secret_cb) {
  1632. const SSL_CIPHER *pref_cipher = NULL;
  1633. /*
  1634. * s->session->master_key_length is a size_t, but this is an int for
  1635. * backwards compat reasons
  1636. */
  1637. int master_key_length;
  1638. master_key_length = sizeof(s->session->master_key);
  1639. if (s->ext.session_secret_cb(s, s->session->master_key,
  1640. &master_key_length, ciphers,
  1641. &pref_cipher,
  1642. s->ext.session_secret_cb_arg)
  1643. && master_key_length > 0) {
  1644. s->session->master_key_length = master_key_length;
  1645. s->hit = 1;
  1646. s->session->ciphers = ciphers;
  1647. s->session->verify_result = X509_V_OK;
  1648. ciphers = NULL;
  1649. /* check if some cipher was preferred by call back */
  1650. if (pref_cipher == NULL)
  1651. pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
  1652. SSL_get_ciphers(s));
  1653. if (pref_cipher == NULL) {
  1654. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1655. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1656. SSL_R_NO_SHARED_CIPHER);
  1657. goto err;
  1658. }
  1659. s->session->cipher = pref_cipher;
  1660. sk_SSL_CIPHER_free(s->cipher_list);
  1661. s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
  1662. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  1663. s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
  1664. }
  1665. }
  1666. /*
  1667. * Worst case, we will use the NULL compression, but if we have other
  1668. * options, we will now look for them. We have complen-1 compression
  1669. * algorithms from the client, starting at q.
  1670. */
  1671. s->s3->tmp.new_compression = NULL;
  1672. if (SSL_IS_TLS13(s)) {
  1673. /*
  1674. * We already checked above that the NULL compression method appears in
  1675. * the list. Now we check there aren't any others (which is illegal in
  1676. * a TLSv1.3 ClientHello.
  1677. */
  1678. if (clienthello->compressions_len != 1) {
  1679. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1680. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1681. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1682. goto err;
  1683. }
  1684. }
  1685. #ifndef OPENSSL_NO_COMP
  1686. /* This only happens if we have a cache hit */
  1687. else if (s->session->compress_meth != 0) {
  1688. int m, comp_id = s->session->compress_meth;
  1689. unsigned int k;
  1690. /* Perform sanity checks on resumed compression algorithm */
  1691. /* Can't disable compression */
  1692. if (!ssl_allow_compression(s)) {
  1693. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1694. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1695. SSL_R_INCONSISTENT_COMPRESSION);
  1696. goto err;
  1697. }
  1698. /* Look for resumed compression method */
  1699. for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
  1700. comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
  1701. if (comp_id == comp->id) {
  1702. s->s3->tmp.new_compression = comp;
  1703. break;
  1704. }
  1705. }
  1706. if (s->s3->tmp.new_compression == NULL) {
  1707. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1708. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1709. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1710. goto err;
  1711. }
  1712. /* Look for resumed method in compression list */
  1713. for (k = 0; k < clienthello->compressions_len; k++) {
  1714. if (clienthello->compressions[k] == comp_id)
  1715. break;
  1716. }
  1717. if (k >= clienthello->compressions_len) {
  1718. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1719. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1720. SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
  1721. goto err;
  1722. }
  1723. } else if (s->hit) {
  1724. comp = NULL;
  1725. } else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
  1726. /* See if we have a match */
  1727. int m, nn, v, done = 0;
  1728. unsigned int o;
  1729. nn = sk_SSL_COMP_num(s->ctx->comp_methods);
  1730. for (m = 0; m < nn; m++) {
  1731. comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
  1732. v = comp->id;
  1733. for (o = 0; o < clienthello->compressions_len; o++) {
  1734. if (v == clienthello->compressions[o]) {
  1735. done = 1;
  1736. break;
  1737. }
  1738. }
  1739. if (done)
  1740. break;
  1741. }
  1742. if (done)
  1743. s->s3->tmp.new_compression = comp;
  1744. else
  1745. comp = NULL;
  1746. }
  1747. #else
  1748. /*
  1749. * If compression is disabled we'd better not try to resume a session
  1750. * using compression.
  1751. */
  1752. if (s->session->compress_meth != 0) {
  1753. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1754. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1755. SSL_R_INCONSISTENT_COMPRESSION);
  1756. goto err;
  1757. }
  1758. #endif
  1759. /*
  1760. * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
  1761. */
  1762. if (!s->hit || SSL_IS_TLS13(s)) {
  1763. sk_SSL_CIPHER_free(s->session->ciphers);
  1764. s->session->ciphers = ciphers;
  1765. if (ciphers == NULL) {
  1766. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1767. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1768. ERR_R_INTERNAL_ERROR);
  1769. goto err;
  1770. }
  1771. ciphers = NULL;
  1772. }
  1773. if (!s->hit) {
  1774. #ifdef OPENSSL_NO_COMP
  1775. s->session->compress_meth = 0;
  1776. #else
  1777. s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
  1778. #endif
  1779. if (!tls1_set_server_sigalgs(s)) {
  1780. /* SSLfatal() already called */
  1781. goto err;
  1782. }
  1783. }
  1784. sk_SSL_CIPHER_free(ciphers);
  1785. sk_SSL_CIPHER_free(scsvs);
  1786. OPENSSL_free(clienthello->pre_proc_exts);
  1787. OPENSSL_free(s->clienthello);
  1788. s->clienthello = NULL;
  1789. return 1;
  1790. err:
  1791. sk_SSL_CIPHER_free(ciphers);
  1792. sk_SSL_CIPHER_free(scsvs);
  1793. OPENSSL_free(clienthello->pre_proc_exts);
  1794. OPENSSL_free(s->clienthello);
  1795. s->clienthello = NULL;
  1796. return 0;
  1797. }
  1798. /*
  1799. * Call the status request callback if needed. Upon success, returns 1.
  1800. * Upon failure, returns 0.
  1801. */
  1802. static int tls_handle_status_request(SSL *s)
  1803. {
  1804. s->ext.status_expected = 0;
  1805. /*
  1806. * If status request then ask callback what to do. Note: this must be
  1807. * called after servername callbacks in case the certificate has changed,
  1808. * and must be called after the cipher has been chosen because this may
  1809. * influence which certificate is sent
  1810. */
  1811. if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
  1812. && s->ctx->ext.status_cb != NULL) {
  1813. int ret;
  1814. /* If no certificate can't return certificate status */
  1815. if (s->s3->tmp.cert != NULL) {
  1816. /*
  1817. * Set current certificate to one we will use so SSL_get_certificate
  1818. * et al can pick it up.
  1819. */
  1820. s->cert->key = s->s3->tmp.cert;
  1821. ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
  1822. switch (ret) {
  1823. /* We don't want to send a status request response */
  1824. case SSL_TLSEXT_ERR_NOACK:
  1825. s->ext.status_expected = 0;
  1826. break;
  1827. /* status request response should be sent */
  1828. case SSL_TLSEXT_ERR_OK:
  1829. if (s->ext.ocsp.resp)
  1830. s->ext.status_expected = 1;
  1831. break;
  1832. /* something bad happened */
  1833. case SSL_TLSEXT_ERR_ALERT_FATAL:
  1834. default:
  1835. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1836. SSL_F_TLS_HANDLE_STATUS_REQUEST,
  1837. SSL_R_CLIENTHELLO_TLSEXT);
  1838. return 0;
  1839. }
  1840. }
  1841. }
  1842. return 1;
  1843. }
  1844. /*
  1845. * Call the alpn_select callback if needed. Upon success, returns 1.
  1846. * Upon failure, returns 0.
  1847. */
  1848. int tls_handle_alpn(SSL *s)
  1849. {
  1850. const unsigned char *selected = NULL;
  1851. unsigned char selected_len = 0;
  1852. if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
  1853. int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len,
  1854. s->s3->alpn_proposed,
  1855. (unsigned int)s->s3->alpn_proposed_len,
  1856. s->ctx->ext.alpn_select_cb_arg);
  1857. if (r == SSL_TLSEXT_ERR_OK) {
  1858. OPENSSL_free(s->s3->alpn_selected);
  1859. s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
  1860. if (s->s3->alpn_selected == NULL) {
  1861. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN,
  1862. ERR_R_INTERNAL_ERROR);
  1863. return 0;
  1864. }
  1865. s->s3->alpn_selected_len = selected_len;
  1866. #ifndef OPENSSL_NO_NEXTPROTONEG
  1867. /* ALPN takes precedence over NPN. */
  1868. s->s3->npn_seen = 0;
  1869. #endif
  1870. /* Check ALPN is consistent with session */
  1871. if (s->session->ext.alpn_selected == NULL
  1872. || selected_len != s->session->ext.alpn_selected_len
  1873. || memcmp(selected, s->session->ext.alpn_selected,
  1874. selected_len) != 0) {
  1875. /* Not consistent so can't be used for early_data */
  1876. s->ext.early_data_ok = 0;
  1877. if (!s->hit) {
  1878. /*
  1879. * This is a new session and so alpn_selected should have
  1880. * been initialised to NULL. We should update it with the
  1881. * selected ALPN.
  1882. */
  1883. if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
  1884. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1885. SSL_F_TLS_HANDLE_ALPN,
  1886. ERR_R_INTERNAL_ERROR);
  1887. return 0;
  1888. }
  1889. s->session->ext.alpn_selected = OPENSSL_memdup(selected,
  1890. selected_len);
  1891. if (s->session->ext.alpn_selected == NULL) {
  1892. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1893. SSL_F_TLS_HANDLE_ALPN,
  1894. ERR_R_INTERNAL_ERROR);
  1895. return 0;
  1896. }
  1897. s->session->ext.alpn_selected_len = selected_len;
  1898. }
  1899. }
  1900. return 1;
  1901. } else if (r != SSL_TLSEXT_ERR_NOACK) {
  1902. SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, SSL_F_TLS_HANDLE_ALPN,
  1903. SSL_R_NO_APPLICATION_PROTOCOL);
  1904. return 0;
  1905. }
  1906. /*
  1907. * If r == SSL_TLSEXT_ERR_NOACK then behave as if no callback was
  1908. * present.
  1909. */
  1910. }
  1911. /* Check ALPN is consistent with session */
  1912. if (s->session->ext.alpn_selected != NULL) {
  1913. /* Not consistent so can't be used for early_data */
  1914. s->ext.early_data_ok = 0;
  1915. }
  1916. return 1;
  1917. }
  1918. WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
  1919. {
  1920. const SSL_CIPHER *cipher;
  1921. if (wst == WORK_MORE_A) {
  1922. int rv = tls_early_post_process_client_hello(s);
  1923. if (rv == 0) {
  1924. /* SSLfatal() was already called */
  1925. goto err;
  1926. }
  1927. if (rv < 0)
  1928. return WORK_MORE_A;
  1929. wst = WORK_MORE_B;
  1930. }
  1931. if (wst == WORK_MORE_B) {
  1932. if (!s->hit || SSL_IS_TLS13(s)) {
  1933. /* Let cert callback update server certificates if required */
  1934. if (!s->hit && s->cert->cert_cb != NULL) {
  1935. int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
  1936. if (rv == 0) {
  1937. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1938. SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
  1939. SSL_R_CERT_CB_ERROR);
  1940. goto err;
  1941. }
  1942. if (rv < 0) {
  1943. s->rwstate = SSL_X509_LOOKUP;
  1944. return WORK_MORE_B;
  1945. }
  1946. s->rwstate = SSL_NOTHING;
  1947. }
  1948. /* In TLSv1.3 we selected the ciphersuite before resumption */
  1949. if (!SSL_IS_TLS13(s)) {
  1950. cipher =
  1951. ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
  1952. if (cipher == NULL) {
  1953. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1954. SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
  1955. SSL_R_NO_SHARED_CIPHER);
  1956. goto err;
  1957. }
  1958. s->s3->tmp.new_cipher = cipher;
  1959. }
  1960. if (!s->hit) {
  1961. if (!tls_choose_sigalg(s, 1)) {
  1962. /* SSLfatal already called */
  1963. goto err;
  1964. }
  1965. /* check whether we should disable session resumption */
  1966. if (s->not_resumable_session_cb != NULL)
  1967. s->session->not_resumable =
  1968. s->not_resumable_session_cb(s,
  1969. ((s->s3->tmp.new_cipher->algorithm_mkey
  1970. & (SSL_kDHE | SSL_kECDHE)) != 0));
  1971. if (s->session->not_resumable)
  1972. /* do not send a session ticket */
  1973. s->ext.ticket_expected = 0;
  1974. }
  1975. } else {
  1976. /* Session-id reuse */
  1977. s->s3->tmp.new_cipher = s->session->cipher;
  1978. }
  1979. /*-
  1980. * we now have the following setup.
  1981. * client_random
  1982. * cipher_list - our preferred list of ciphers
  1983. * ciphers - the clients preferred list of ciphers
  1984. * compression - basically ignored right now
  1985. * ssl version is set - sslv3
  1986. * s->session - The ssl session has been setup.
  1987. * s->hit - session reuse flag
  1988. * s->s3->tmp.new_cipher- the new cipher to use.
  1989. */
  1990. /*
  1991. * Call status_request callback if needed. Has to be done after the
  1992. * certificate callbacks etc above.
  1993. */
  1994. if (!tls_handle_status_request(s)) {
  1995. /* SSLfatal() already called */
  1996. goto err;
  1997. }
  1998. /*
  1999. * Call alpn_select callback if needed. Has to be done after SNI and
  2000. * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
  2001. * we already did this because cipher negotiation happens earlier, and
  2002. * we must handle ALPN before we decide whether to accept early_data.
  2003. */
  2004. if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) {
  2005. /* SSLfatal() already called */
  2006. goto err;
  2007. }
  2008. wst = WORK_MORE_C;
  2009. }
  2010. #ifndef OPENSSL_NO_SRP
  2011. if (wst == WORK_MORE_C) {
  2012. int ret;
  2013. if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) {
  2014. /*
  2015. * callback indicates further work to be done
  2016. */
  2017. s->rwstate = SSL_X509_LOOKUP;
  2018. return WORK_MORE_C;
  2019. }
  2020. if (ret < 0) {
  2021. /* SSLfatal() already called */
  2022. goto err;
  2023. }
  2024. }
  2025. #endif
  2026. return WORK_FINISHED_STOP;
  2027. err:
  2028. return WORK_ERROR;
  2029. }
  2030. int tls_construct_server_hello(SSL *s, WPACKET *pkt)
  2031. {
  2032. int compm;
  2033. size_t sl, len;
  2034. int version;
  2035. unsigned char *session_id;
  2036. int usetls13 = SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING;
  2037. version = usetls13 ? TLS1_2_VERSION : s->version;
  2038. if (!WPACKET_put_bytes_u16(pkt, version)
  2039. /*
  2040. * Random stuff. Filling of the server_random takes place in
  2041. * tls_process_client_hello()
  2042. */
  2043. || !WPACKET_memcpy(pkt,
  2044. s->hello_retry_request == SSL_HRR_PENDING
  2045. ? hrrrandom : s->s3->server_random,
  2046. SSL3_RANDOM_SIZE)) {
  2047. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
  2048. ERR_R_INTERNAL_ERROR);
  2049. return 0;
  2050. }
  2051. /*-
  2052. * There are several cases for the session ID to send
  2053. * back in the server hello:
  2054. * - For session reuse from the session cache,
  2055. * we send back the old session ID.
  2056. * - If stateless session reuse (using a session ticket)
  2057. * is successful, we send back the client's "session ID"
  2058. * (which doesn't actually identify the session).
  2059. * - If it is a new session, we send back the new
  2060. * session ID.
  2061. * - However, if we want the new session to be single-use,
  2062. * we send back a 0-length session ID.
  2063. * - In TLSv1.3 we echo back the session id sent to us by the client
  2064. * regardless
  2065. * s->hit is non-zero in either case of session reuse,
  2066. * so the following won't overwrite an ID that we're supposed
  2067. * to send back.
  2068. */
  2069. if (s->session->not_resumable ||
  2070. (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
  2071. && !s->hit))
  2072. s->session->session_id_length = 0;
  2073. if (usetls13) {
  2074. sl = s->tmp_session_id_len;
  2075. session_id = s->tmp_session_id;
  2076. } else {
  2077. sl = s->session->session_id_length;
  2078. session_id = s->session->session_id;
  2079. }
  2080. if (sl > sizeof(s->session->session_id)) {
  2081. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
  2082. ERR_R_INTERNAL_ERROR);
  2083. return 0;
  2084. }
  2085. /* set up the compression method */
  2086. #ifdef OPENSSL_NO_COMP
  2087. compm = 0;
  2088. #else
  2089. if (usetls13 || s->s3->tmp.new_compression == NULL)
  2090. compm = 0;
  2091. else
  2092. compm = s->s3->tmp.new_compression->id;
  2093. #endif
  2094. if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl)
  2095. || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
  2096. || !WPACKET_put_bytes_u8(pkt, compm)
  2097. || !tls_construct_extensions(s, pkt,
  2098. s->hello_retry_request
  2099. == SSL_HRR_PENDING
  2100. ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
  2101. : (SSL_IS_TLS13(s)
  2102. ? SSL_EXT_TLS1_3_SERVER_HELLO
  2103. : SSL_EXT_TLS1_2_SERVER_HELLO),
  2104. NULL, 0)) {
  2105. /* SSLfatal() already called */
  2106. return 0;
  2107. }
  2108. if (s->hello_retry_request == SSL_HRR_PENDING) {
  2109. /* Ditch the session. We'll create a new one next time around */
  2110. SSL_SESSION_free(s->session);
  2111. s->session = NULL;
  2112. s->hit = 0;
  2113. /*
  2114. * Re-initialise the Transcript Hash. We're going to prepopulate it with
  2115. * a synthetic message_hash in place of ClientHello1.
  2116. */
  2117. if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
  2118. /* SSLfatal() already called */
  2119. return 0;
  2120. }
  2121. } else if (!(s->verify_mode & SSL_VERIFY_PEER)
  2122. && !ssl3_digest_cached_records(s, 0)) {
  2123. /* SSLfatal() already called */;
  2124. return 0;
  2125. }
  2126. return 1;
  2127. }
  2128. int tls_construct_server_done(SSL *s, WPACKET *pkt)
  2129. {
  2130. if (!s->s3->tmp.cert_request) {
  2131. if (!ssl3_digest_cached_records(s, 0)) {
  2132. /* SSLfatal() already called */
  2133. return 0;
  2134. }
  2135. }
  2136. return 1;
  2137. }
  2138. int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
  2139. {
  2140. #ifndef OPENSSL_NO_DH
  2141. EVP_PKEY *pkdh = NULL;
  2142. #endif
  2143. #ifndef OPENSSL_NO_EC
  2144. unsigned char *encodedPoint = NULL;
  2145. size_t encodedlen = 0;
  2146. int curve_id = 0;
  2147. #endif
  2148. const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
  2149. int i;
  2150. unsigned long type;
  2151. const BIGNUM *r[4];
  2152. EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
  2153. EVP_PKEY_CTX *pctx = NULL;
  2154. size_t paramlen, paramoffset;
  2155. if (!WPACKET_get_total_written(pkt, &paramoffset)) {
  2156. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2157. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  2158. goto err;
  2159. }
  2160. if (md_ctx == NULL) {
  2161. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2162. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
  2163. goto err;
  2164. }
  2165. type = s->s3->tmp.new_cipher->algorithm_mkey;
  2166. r[0] = r[1] = r[2] = r[3] = NULL;
  2167. #ifndef OPENSSL_NO_PSK
  2168. /* Plain PSK or RSAPSK nothing to do */
  2169. if (type & (SSL_kPSK | SSL_kRSAPSK)) {
  2170. } else
  2171. #endif /* !OPENSSL_NO_PSK */
  2172. #ifndef OPENSSL_NO_DH
  2173. if (type & (SSL_kDHE | SSL_kDHEPSK)) {
  2174. CERT *cert = s->cert;
  2175. EVP_PKEY *pkdhp = NULL;
  2176. DH *dh;
  2177. if (s->cert->dh_tmp_auto) {
  2178. DH *dhp = ssl_get_auto_dh(s);
  2179. pkdh = EVP_PKEY_new();
  2180. if (pkdh == NULL || dhp == NULL) {
  2181. DH_free(dhp);
  2182. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2183. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2184. ERR_R_INTERNAL_ERROR);
  2185. goto err;
  2186. }
  2187. EVP_PKEY_assign_DH(pkdh, dhp);
  2188. pkdhp = pkdh;
  2189. } else {
  2190. pkdhp = cert->dh_tmp;
  2191. }
  2192. if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
  2193. DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
  2194. pkdh = ssl_dh_to_pkey(dhp);
  2195. if (pkdh == NULL) {
  2196. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2197. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2198. ERR_R_INTERNAL_ERROR);
  2199. goto err;
  2200. }
  2201. pkdhp = pkdh;
  2202. }
  2203. if (pkdhp == NULL) {
  2204. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2205. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2206. SSL_R_MISSING_TMP_DH_KEY);
  2207. goto err;
  2208. }
  2209. if (!ssl_security(s, SSL_SECOP_TMP_DH,
  2210. EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
  2211. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2212. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2213. SSL_R_DH_KEY_TOO_SMALL);
  2214. goto err;
  2215. }
  2216. if (s->s3->tmp.pkey != NULL) {
  2217. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2218. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2219. ERR_R_INTERNAL_ERROR);
  2220. goto err;
  2221. }
  2222. s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
  2223. if (s->s3->tmp.pkey == NULL) {
  2224. /* SSLfatal() already called */
  2225. goto err;
  2226. }
  2227. dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);
  2228. if (dh == NULL) {
  2229. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2230. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2231. ERR_R_INTERNAL_ERROR);
  2232. goto err;
  2233. }
  2234. EVP_PKEY_free(pkdh);
  2235. pkdh = NULL;
  2236. DH_get0_pqg(dh, &r[0], NULL, &r[1]);
  2237. DH_get0_key(dh, &r[2], NULL);
  2238. } else
  2239. #endif
  2240. #ifndef OPENSSL_NO_EC
  2241. if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2242. if (s->s3->tmp.pkey != NULL) {
  2243. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2244. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2245. ERR_R_INTERNAL_ERROR);
  2246. goto err;
  2247. }
  2248. /* Get NID of appropriate shared curve */
  2249. curve_id = tls1_shared_group(s, -2);
  2250. if (curve_id == 0) {
  2251. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2252. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2253. SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
  2254. goto err;
  2255. }
  2256. s->s3->tmp.pkey = ssl_generate_pkey_group(s, curve_id);
  2257. /* Generate a new key for this curve */
  2258. if (s->s3->tmp.pkey == NULL) {
  2259. /* SSLfatal() already called */
  2260. goto err;
  2261. }
  2262. /* Encode the public key. */
  2263. encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey,
  2264. &encodedPoint);
  2265. if (encodedlen == 0) {
  2266. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2267. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
  2268. goto err;
  2269. }
  2270. /*
  2271. * We'll generate the serverKeyExchange message explicitly so we
  2272. * can set these to NULLs
  2273. */
  2274. r[0] = NULL;
  2275. r[1] = NULL;
  2276. r[2] = NULL;
  2277. r[3] = NULL;
  2278. } else
  2279. #endif /* !OPENSSL_NO_EC */
  2280. #ifndef OPENSSL_NO_SRP
  2281. if (type & SSL_kSRP) {
  2282. if ((s->srp_ctx.N == NULL) ||
  2283. (s->srp_ctx.g == NULL) ||
  2284. (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
  2285. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2286. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2287. SSL_R_MISSING_SRP_PARAM);
  2288. goto err;
  2289. }
  2290. r[0] = s->srp_ctx.N;
  2291. r[1] = s->srp_ctx.g;
  2292. r[2] = s->srp_ctx.s;
  2293. r[3] = s->srp_ctx.B;
  2294. } else
  2295. #endif
  2296. {
  2297. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2298. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2299. SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
  2300. goto err;
  2301. }
  2302. if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
  2303. || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
  2304. lu = NULL;
  2305. } else if (lu == NULL) {
  2306. SSLfatal(s, SSL_AD_DECODE_ERROR,
  2307. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  2308. goto err;
  2309. }
  2310. #ifndef OPENSSL_NO_PSK
  2311. if (type & SSL_PSK) {
  2312. size_t len = (s->cert->psk_identity_hint == NULL)
  2313. ? 0 : strlen(s->cert->psk_identity_hint);
  2314. /*
  2315. * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
  2316. * checked this when we set the identity hint - but just in case
  2317. */
  2318. if (len > PSK_MAX_IDENTITY_LEN
  2319. || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
  2320. len)) {
  2321. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2322. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2323. ERR_R_INTERNAL_ERROR);
  2324. goto err;
  2325. }
  2326. }
  2327. #endif
  2328. for (i = 0; i < 4 && r[i] != NULL; i++) {
  2329. unsigned char *binval;
  2330. int res;
  2331. #ifndef OPENSSL_NO_SRP
  2332. if ((i == 2) && (type & SSL_kSRP)) {
  2333. res = WPACKET_start_sub_packet_u8(pkt);
  2334. } else
  2335. #endif
  2336. res = WPACKET_start_sub_packet_u16(pkt);
  2337. if (!res) {
  2338. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2339. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2340. ERR_R_INTERNAL_ERROR);
  2341. goto err;
  2342. }
  2343. #ifndef OPENSSL_NO_DH
  2344. /*-
  2345. * for interoperability with some versions of the Microsoft TLS
  2346. * stack, we need to zero pad the DHE pub key to the same length
  2347. * as the prime
  2348. */
  2349. if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
  2350. size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
  2351. if (len > 0) {
  2352. if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
  2353. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2354. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2355. ERR_R_INTERNAL_ERROR);
  2356. goto err;
  2357. }
  2358. memset(binval, 0, len);
  2359. }
  2360. }
  2361. #endif
  2362. if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
  2363. || !WPACKET_close(pkt)) {
  2364. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2365. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2366. ERR_R_INTERNAL_ERROR);
  2367. goto err;
  2368. }
  2369. BN_bn2bin(r[i], binval);
  2370. }
  2371. #ifndef OPENSSL_NO_EC
  2372. if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2373. /*
  2374. * We only support named (not generic) curves. In this situation, the
  2375. * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
  2376. * [1 byte length of encoded point], followed by the actual encoded
  2377. * point itself
  2378. */
  2379. if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
  2380. || !WPACKET_put_bytes_u8(pkt, 0)
  2381. || !WPACKET_put_bytes_u8(pkt, curve_id)
  2382. || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
  2383. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2384. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2385. ERR_R_INTERNAL_ERROR);
  2386. goto err;
  2387. }
  2388. OPENSSL_free(encodedPoint);
  2389. encodedPoint = NULL;
  2390. }
  2391. #endif
  2392. /* not anonymous */
  2393. if (lu != NULL) {
  2394. EVP_PKEY *pkey = s->s3->tmp.cert->privatekey;
  2395. const EVP_MD *md;
  2396. unsigned char *sigbytes1, *sigbytes2, *tbs;
  2397. size_t siglen, tbslen;
  2398. int rv;
  2399. if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
  2400. /* Should never happen */
  2401. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2402. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2403. ERR_R_INTERNAL_ERROR);
  2404. goto err;
  2405. }
  2406. /* Get length of the parameters we have written above */
  2407. if (!WPACKET_get_length(pkt, &paramlen)) {
  2408. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2409. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2410. ERR_R_INTERNAL_ERROR);
  2411. goto err;
  2412. }
  2413. /* send signature algorithm */
  2414. if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
  2415. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2416. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2417. ERR_R_INTERNAL_ERROR);
  2418. goto err;
  2419. }
  2420. /*
  2421. * Create the signature. We don't know the actual length of the sig
  2422. * until after we've created it, so we reserve enough bytes for it
  2423. * up front, and then properly allocate them in the WPACKET
  2424. * afterwards.
  2425. */
  2426. siglen = EVP_PKEY_size(pkey);
  2427. if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
  2428. || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
  2429. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2430. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2431. ERR_R_INTERNAL_ERROR);
  2432. goto err;
  2433. }
  2434. if (lu->sig == EVP_PKEY_RSA_PSS) {
  2435. if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
  2436. || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
  2437. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2438. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2439. ERR_R_EVP_LIB);
  2440. goto err;
  2441. }
  2442. }
  2443. tbslen = construct_key_exchange_tbs(s, &tbs,
  2444. s->init_buf->data + paramoffset,
  2445. paramlen);
  2446. if (tbslen == 0) {
  2447. /* SSLfatal() already called */
  2448. goto err;
  2449. }
  2450. rv = EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen);
  2451. OPENSSL_free(tbs);
  2452. if (rv <= 0 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
  2453. || sigbytes1 != sigbytes2) {
  2454. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2455. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2456. ERR_R_INTERNAL_ERROR);
  2457. goto err;
  2458. }
  2459. }
  2460. EVP_MD_CTX_free(md_ctx);
  2461. return 1;
  2462. err:
  2463. #ifndef OPENSSL_NO_DH
  2464. EVP_PKEY_free(pkdh);
  2465. #endif
  2466. #ifndef OPENSSL_NO_EC
  2467. OPENSSL_free(encodedPoint);
  2468. #endif
  2469. EVP_MD_CTX_free(md_ctx);
  2470. return 0;
  2471. }
  2472. int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
  2473. {
  2474. if (SSL_IS_TLS13(s)) {
  2475. /* Send random context when doing post-handshake auth */
  2476. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  2477. OPENSSL_free(s->pha_context);
  2478. s->pha_context_len = 32;
  2479. if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL
  2480. || RAND_bytes(s->pha_context, s->pha_context_len) <= 0
  2481. || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
  2482. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2483. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
  2484. ERR_R_INTERNAL_ERROR);
  2485. return 0;
  2486. }
  2487. /* reset the handshake hash back to just after the ClientFinished */
  2488. if (!tls13_restore_handshake_digest_for_pha(s)) {
  2489. /* SSLfatal() already called */
  2490. return 0;
  2491. }
  2492. } else {
  2493. if (!WPACKET_put_bytes_u8(pkt, 0)) {
  2494. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2495. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
  2496. ERR_R_INTERNAL_ERROR);
  2497. return 0;
  2498. }
  2499. }
  2500. if (!tls_construct_extensions(s, pkt,
  2501. SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
  2502. 0)) {
  2503. /* SSLfatal() already called */
  2504. return 0;
  2505. }
  2506. goto done;
  2507. }
  2508. /* get the list of acceptable cert types */
  2509. if (!WPACKET_start_sub_packet_u8(pkt)
  2510. || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
  2511. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2512. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
  2513. return 0;
  2514. }
  2515. if (SSL_USE_SIGALGS(s)) {
  2516. const uint16_t *psigs;
  2517. size_t nl = tls12_get_psigalgs(s, 1, &psigs);
  2518. if (!WPACKET_start_sub_packet_u16(pkt)
  2519. || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
  2520. || !tls12_copy_sigalgs(s, pkt, psigs, nl)
  2521. || !WPACKET_close(pkt)) {
  2522. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2523. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
  2524. ERR_R_INTERNAL_ERROR);
  2525. return 0;
  2526. }
  2527. }
  2528. if (!construct_ca_names(s, pkt)) {
  2529. /* SSLfatal() already called */
  2530. return 0;
  2531. }
  2532. done:
  2533. s->certreqs_sent++;
  2534. s->s3->tmp.cert_request = 1;
  2535. return 1;
  2536. }
  2537. static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)
  2538. {
  2539. #ifndef OPENSSL_NO_PSK
  2540. unsigned char psk[PSK_MAX_PSK_LEN];
  2541. size_t psklen;
  2542. PACKET psk_identity;
  2543. if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
  2544. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2545. SSL_R_LENGTH_MISMATCH);
  2546. return 0;
  2547. }
  2548. if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
  2549. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2550. SSL_R_DATA_LENGTH_TOO_LONG);
  2551. return 0;
  2552. }
  2553. if (s->psk_server_callback == NULL) {
  2554. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2555. SSL_R_PSK_NO_SERVER_CB);
  2556. return 0;
  2557. }
  2558. if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
  2559. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2560. ERR_R_INTERNAL_ERROR);
  2561. return 0;
  2562. }
  2563. psklen = s->psk_server_callback(s, s->session->psk_identity,
  2564. psk, sizeof(psk));
  2565. if (psklen > PSK_MAX_PSK_LEN) {
  2566. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2567. ERR_R_INTERNAL_ERROR);
  2568. return 0;
  2569. } else if (psklen == 0) {
  2570. /*
  2571. * PSK related to the given identity not found
  2572. */
  2573. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
  2574. SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2575. SSL_R_PSK_IDENTITY_NOT_FOUND);
  2576. return 0;
  2577. }
  2578. OPENSSL_free(s->s3->tmp.psk);
  2579. s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
  2580. OPENSSL_cleanse(psk, psklen);
  2581. if (s->s3->tmp.psk == NULL) {
  2582. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2583. SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
  2584. return 0;
  2585. }
  2586. s->s3->tmp.psklen = psklen;
  2587. return 1;
  2588. #else
  2589. /* Should never happen */
  2590. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2591. ERR_R_INTERNAL_ERROR);
  2592. return 0;
  2593. #endif
  2594. }
  2595. static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
  2596. {
  2597. #ifndef OPENSSL_NO_RSA
  2598. unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
  2599. int decrypt_len;
  2600. unsigned char decrypt_good, version_good;
  2601. size_t j, padding_len;
  2602. PACKET enc_premaster;
  2603. RSA *rsa = NULL;
  2604. unsigned char *rsa_decrypt = NULL;
  2605. int ret = 0;
  2606. rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey);
  2607. if (rsa == NULL) {
  2608. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2609. SSL_R_MISSING_RSA_CERTIFICATE);
  2610. return 0;
  2611. }
  2612. /* SSLv3 and pre-standard DTLS omit the length bytes. */
  2613. if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
  2614. enc_premaster = *pkt;
  2615. } else {
  2616. if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
  2617. || PACKET_remaining(pkt) != 0) {
  2618. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2619. SSL_R_LENGTH_MISMATCH);
  2620. return 0;
  2621. }
  2622. }
  2623. /*
  2624. * We want to be sure that the plaintext buffer size makes it safe to
  2625. * iterate over the entire size of a premaster secret
  2626. * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
  2627. * their ciphertext cannot accommodate a premaster secret anyway.
  2628. */
  2629. if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
  2630. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2631. RSA_R_KEY_SIZE_TOO_SMALL);
  2632. return 0;
  2633. }
  2634. rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
  2635. if (rsa_decrypt == NULL) {
  2636. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2637. ERR_R_MALLOC_FAILURE);
  2638. return 0;
  2639. }
  2640. /*
  2641. * We must not leak whether a decryption failure occurs because of
  2642. * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
  2643. * section 7.4.7.1). The code follows that advice of the TLS RFC and
  2644. * generates a random premaster secret for the case that the decrypt
  2645. * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
  2646. */
  2647. if (RAND_priv_bytes(rand_premaster_secret,
  2648. sizeof(rand_premaster_secret)) <= 0) {
  2649. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2650. ERR_R_INTERNAL_ERROR);
  2651. goto err;
  2652. }
  2653. /*
  2654. * Decrypt with no padding. PKCS#1 padding will be removed as part of
  2655. * the timing-sensitive code below.
  2656. */
  2657. /* TODO(size_t): Convert this function */
  2658. decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
  2659. PACKET_data(&enc_premaster),
  2660. rsa_decrypt, rsa, RSA_NO_PADDING);
  2661. if (decrypt_len < 0) {
  2662. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2663. ERR_R_INTERNAL_ERROR);
  2664. goto err;
  2665. }
  2666. /* Check the padding. See RFC 3447, section 7.2.2. */
  2667. /*
  2668. * The smallest padded premaster is 11 bytes of overhead. Small keys
  2669. * are publicly invalid, so this may return immediately. This ensures
  2670. * PS is at least 8 bytes.
  2671. */
  2672. if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
  2673. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2674. SSL_R_DECRYPTION_FAILED);
  2675. goto err;
  2676. }
  2677. padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
  2678. decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
  2679. constant_time_eq_int_8(rsa_decrypt[1], 2);
  2680. for (j = 2; j < padding_len - 1; j++) {
  2681. decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
  2682. }
  2683. decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]);
  2684. /*
  2685. * If the version in the decrypted pre-master secret is correct then
  2686. * version_good will be 0xff, otherwise it'll be zero. The
  2687. * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
  2688. * (http://eprint.iacr.org/2003/052/) exploits the version number
  2689. * check as a "bad version oracle". Thus version checks are done in
  2690. * constant time and are treated like any other decryption error.
  2691. */
  2692. version_good =
  2693. constant_time_eq_8(rsa_decrypt[padding_len],
  2694. (unsigned)(s->client_version >> 8));
  2695. version_good &=
  2696. constant_time_eq_8(rsa_decrypt[padding_len + 1],
  2697. (unsigned)(s->client_version & 0xff));
  2698. /*
  2699. * The premaster secret must contain the same version number as the
  2700. * ClientHello to detect version rollback attacks (strangely, the
  2701. * protocol does not offer such protection for DH ciphersuites).
  2702. * However, buggy clients exist that send the negotiated protocol
  2703. * version instead if the server does not support the requested
  2704. * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
  2705. * clients.
  2706. */
  2707. if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
  2708. unsigned char workaround_good;
  2709. workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
  2710. (unsigned)(s->version >> 8));
  2711. workaround_good &=
  2712. constant_time_eq_8(rsa_decrypt[padding_len + 1],
  2713. (unsigned)(s->version & 0xff));
  2714. version_good |= workaround_good;
  2715. }
  2716. /*
  2717. * Both decryption and version must be good for decrypt_good to
  2718. * remain non-zero (0xff).
  2719. */
  2720. decrypt_good &= version_good;
  2721. /*
  2722. * Now copy rand_premaster_secret over from p using
  2723. * decrypt_good_mask. If decryption failed, then p does not
  2724. * contain valid plaintext, however, a check above guarantees
  2725. * it is still sufficiently large to read from.
  2726. */
  2727. for (j = 0; j < sizeof(rand_premaster_secret); j++) {
  2728. rsa_decrypt[padding_len + j] =
  2729. constant_time_select_8(decrypt_good,
  2730. rsa_decrypt[padding_len + j],
  2731. rand_premaster_secret[j]);
  2732. }
  2733. if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
  2734. sizeof(rand_premaster_secret), 0)) {
  2735. /* SSLfatal() already called */
  2736. goto err;
  2737. }
  2738. ret = 1;
  2739. err:
  2740. OPENSSL_free(rsa_decrypt);
  2741. return ret;
  2742. #else
  2743. /* Should never happen */
  2744. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2745. ERR_R_INTERNAL_ERROR);
  2746. return 0;
  2747. #endif
  2748. }
  2749. static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
  2750. {
  2751. #ifndef OPENSSL_NO_DH
  2752. EVP_PKEY *skey = NULL;
  2753. DH *cdh;
  2754. unsigned int i;
  2755. BIGNUM *pub_key;
  2756. const unsigned char *data;
  2757. EVP_PKEY *ckey = NULL;
  2758. int ret = 0;
  2759. if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
  2760. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2761. SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
  2762. goto err;
  2763. }
  2764. skey = s->s3->tmp.pkey;
  2765. if (skey == NULL) {
  2766. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2767. SSL_R_MISSING_TMP_DH_KEY);
  2768. goto err;
  2769. }
  2770. if (PACKET_remaining(pkt) == 0L) {
  2771. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2772. SSL_R_MISSING_TMP_DH_KEY);
  2773. goto err;
  2774. }
  2775. if (!PACKET_get_bytes(pkt, &data, i)) {
  2776. /* We already checked we have enough data */
  2777. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2778. ERR_R_INTERNAL_ERROR);
  2779. goto err;
  2780. }
  2781. ckey = EVP_PKEY_new();
  2782. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
  2783. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2784. SSL_R_BN_LIB);
  2785. goto err;
  2786. }
  2787. cdh = EVP_PKEY_get0_DH(ckey);
  2788. pub_key = BN_bin2bn(data, i, NULL);
  2789. if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
  2790. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2791. ERR_R_INTERNAL_ERROR);
  2792. if (pub_key != NULL)
  2793. BN_free(pub_key);
  2794. goto err;
  2795. }
  2796. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2797. /* SSLfatal() already called */
  2798. goto err;
  2799. }
  2800. ret = 1;
  2801. EVP_PKEY_free(s->s3->tmp.pkey);
  2802. s->s3->tmp.pkey = NULL;
  2803. err:
  2804. EVP_PKEY_free(ckey);
  2805. return ret;
  2806. #else
  2807. /* Should never happen */
  2808. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2809. ERR_R_INTERNAL_ERROR);
  2810. return 0;
  2811. #endif
  2812. }
  2813. static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
  2814. {
  2815. #ifndef OPENSSL_NO_EC
  2816. EVP_PKEY *skey = s->s3->tmp.pkey;
  2817. EVP_PKEY *ckey = NULL;
  2818. int ret = 0;
  2819. if (PACKET_remaining(pkt) == 0L) {
  2820. /* We don't support ECDH client auth */
  2821. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2822. SSL_R_MISSING_TMP_ECDH_KEY);
  2823. goto err;
  2824. } else {
  2825. unsigned int i;
  2826. const unsigned char *data;
  2827. /*
  2828. * Get client's public key from encoded point in the
  2829. * ClientKeyExchange message.
  2830. */
  2831. /* Get encoded point length */
  2832. if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
  2833. || PACKET_remaining(pkt) != 0) {
  2834. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2835. SSL_R_LENGTH_MISMATCH);
  2836. goto err;
  2837. }
  2838. ckey = EVP_PKEY_new();
  2839. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
  2840. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2841. ERR_R_EVP_LIB);
  2842. goto err;
  2843. }
  2844. if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
  2845. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2846. ERR_R_EC_LIB);
  2847. goto err;
  2848. }
  2849. }
  2850. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2851. /* SSLfatal() already called */
  2852. goto err;
  2853. }
  2854. ret = 1;
  2855. EVP_PKEY_free(s->s3->tmp.pkey);
  2856. s->s3->tmp.pkey = NULL;
  2857. err:
  2858. EVP_PKEY_free(ckey);
  2859. return ret;
  2860. #else
  2861. /* Should never happen */
  2862. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2863. ERR_R_INTERNAL_ERROR);
  2864. return 0;
  2865. #endif
  2866. }
  2867. static int tls_process_cke_srp(SSL *s, PACKET *pkt)
  2868. {
  2869. #ifndef OPENSSL_NO_SRP
  2870. unsigned int i;
  2871. const unsigned char *data;
  2872. if (!PACKET_get_net_2(pkt, &i)
  2873. || !PACKET_get_bytes(pkt, &data, i)) {
  2874. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2875. SSL_R_BAD_SRP_A_LENGTH);
  2876. return 0;
  2877. }
  2878. if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
  2879. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2880. ERR_R_BN_LIB);
  2881. return 0;
  2882. }
  2883. if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
  2884. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CKE_SRP,
  2885. SSL_R_BAD_SRP_PARAMETERS);
  2886. return 0;
  2887. }
  2888. OPENSSL_free(s->session->srp_username);
  2889. s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
  2890. if (s->session->srp_username == NULL) {
  2891. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2892. ERR_R_MALLOC_FAILURE);
  2893. return 0;
  2894. }
  2895. if (!srp_generate_server_master_secret(s)) {
  2896. /* SSLfatal() already called */
  2897. return 0;
  2898. }
  2899. return 1;
  2900. #else
  2901. /* Should never happen */
  2902. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2903. ERR_R_INTERNAL_ERROR);
  2904. return 0;
  2905. #endif
  2906. }
  2907. static int tls_process_cke_gost(SSL *s, PACKET *pkt)
  2908. {
  2909. #ifndef OPENSSL_NO_GOST
  2910. EVP_PKEY_CTX *pkey_ctx;
  2911. EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
  2912. unsigned char premaster_secret[32];
  2913. const unsigned char *start;
  2914. size_t outlen = 32, inlen;
  2915. unsigned long alg_a;
  2916. unsigned int asn1id, asn1len;
  2917. int ret = 0;
  2918. PACKET encdata;
  2919. /* Get our certificate private key */
  2920. alg_a = s->s3->tmp.new_cipher->algorithm_auth;
  2921. if (alg_a & SSL_aGOST12) {
  2922. /*
  2923. * New GOST ciphersuites have SSL_aGOST01 bit too
  2924. */
  2925. pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
  2926. if (pk == NULL) {
  2927. pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
  2928. }
  2929. if (pk == NULL) {
  2930. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  2931. }
  2932. } else if (alg_a & SSL_aGOST01) {
  2933. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  2934. }
  2935. pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
  2936. if (pkey_ctx == NULL) {
  2937. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  2938. ERR_R_MALLOC_FAILURE);
  2939. return 0;
  2940. }
  2941. if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
  2942. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  2943. ERR_R_INTERNAL_ERROR);
  2944. return 0;
  2945. }
  2946. /*
  2947. * If client certificate is present and is of the same type, maybe
  2948. * use it for key exchange. Don't mind errors from
  2949. * EVP_PKEY_derive_set_peer, because it is completely valid to use a
  2950. * client certificate for authorization only.
  2951. */
  2952. client_pub_pkey = X509_get0_pubkey(s->session->peer);
  2953. if (client_pub_pkey) {
  2954. if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
  2955. ERR_clear_error();
  2956. }
  2957. /* Decrypt session key */
  2958. if (!PACKET_get_1(pkt, &asn1id)
  2959. || asn1id != (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
  2960. || !PACKET_peek_1(pkt, &asn1len)) {
  2961. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  2962. SSL_R_DECRYPTION_FAILED);
  2963. goto err;
  2964. }
  2965. if (asn1len == 0x81) {
  2966. /*
  2967. * Long form length. Should only be one byte of length. Anything else
  2968. * isn't supported.
  2969. * We did a successful peek before so this shouldn't fail
  2970. */
  2971. if (!PACKET_forward(pkt, 1)) {
  2972. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  2973. SSL_R_DECRYPTION_FAILED);
  2974. goto err;
  2975. }
  2976. } else if (asn1len >= 0x80) {
  2977. /*
  2978. * Indefinite length, or more than one long form length bytes. We don't
  2979. * support it
  2980. */
  2981. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  2982. SSL_R_DECRYPTION_FAILED);
  2983. goto err;
  2984. } /* else short form length */
  2985. if (!PACKET_as_length_prefixed_1(pkt, &encdata)) {
  2986. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  2987. SSL_R_DECRYPTION_FAILED);
  2988. goto err;
  2989. }
  2990. inlen = PACKET_remaining(&encdata);
  2991. start = PACKET_data(&encdata);
  2992. if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
  2993. inlen) <= 0) {
  2994. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  2995. SSL_R_DECRYPTION_FAILED);
  2996. goto err;
  2997. }
  2998. /* Generate master secret */
  2999. if (!ssl_generate_master_secret(s, premaster_secret,
  3000. sizeof(premaster_secret), 0)) {
  3001. /* SSLfatal() already called */
  3002. goto err;
  3003. }
  3004. /* Check if pubkey from client certificate was used */
  3005. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
  3006. NULL) > 0)
  3007. s->statem.no_cert_verify = 1;
  3008. ret = 1;
  3009. err:
  3010. EVP_PKEY_CTX_free(pkey_ctx);
  3011. return ret;
  3012. #else
  3013. /* Should never happen */
  3014. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3015. ERR_R_INTERNAL_ERROR);
  3016. return 0;
  3017. #endif
  3018. }
  3019. MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
  3020. {
  3021. unsigned long alg_k;
  3022. alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  3023. /* For PSK parse and retrieve identity, obtain PSK key */
  3024. if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) {
  3025. /* SSLfatal() already called */
  3026. goto err;
  3027. }
  3028. if (alg_k & SSL_kPSK) {
  3029. /* Identity extracted earlier: should be nothing left */
  3030. if (PACKET_remaining(pkt) != 0) {
  3031. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3032. SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
  3033. SSL_R_LENGTH_MISMATCH);
  3034. goto err;
  3035. }
  3036. /* PSK handled by ssl_generate_master_secret */
  3037. if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
  3038. /* SSLfatal() already called */
  3039. goto err;
  3040. }
  3041. } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
  3042. if (!tls_process_cke_rsa(s, pkt)) {
  3043. /* SSLfatal() already called */
  3044. goto err;
  3045. }
  3046. } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
  3047. if (!tls_process_cke_dhe(s, pkt)) {
  3048. /* SSLfatal() already called */
  3049. goto err;
  3050. }
  3051. } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
  3052. if (!tls_process_cke_ecdhe(s, pkt)) {
  3053. /* SSLfatal() already called */
  3054. goto err;
  3055. }
  3056. } else if (alg_k & SSL_kSRP) {
  3057. if (!tls_process_cke_srp(s, pkt)) {
  3058. /* SSLfatal() already called */
  3059. goto err;
  3060. }
  3061. } else if (alg_k & SSL_kGOST) {
  3062. if (!tls_process_cke_gost(s, pkt)) {
  3063. /* SSLfatal() already called */
  3064. goto err;
  3065. }
  3066. } else {
  3067. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3068. SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
  3069. SSL_R_UNKNOWN_CIPHER_TYPE);
  3070. goto err;
  3071. }
  3072. return MSG_PROCESS_CONTINUE_PROCESSING;
  3073. err:
  3074. #ifndef OPENSSL_NO_PSK
  3075. OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
  3076. s->s3->tmp.psk = NULL;
  3077. #endif
  3078. return MSG_PROCESS_ERROR;
  3079. }
  3080. WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
  3081. {
  3082. #ifndef OPENSSL_NO_SCTP
  3083. if (wst == WORK_MORE_A) {
  3084. if (SSL_IS_DTLS(s)) {
  3085. unsigned char sctpauthkey[64];
  3086. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  3087. /*
  3088. * Add new shared key for SCTP-Auth, will be ignored if no SCTP
  3089. * used.
  3090. */
  3091. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  3092. sizeof(DTLS1_SCTP_AUTH_LABEL));
  3093. if (SSL_export_keying_material(s, sctpauthkey,
  3094. sizeof(sctpauthkey), labelbuffer,
  3095. sizeof(labelbuffer), NULL, 0,
  3096. 0) <= 0) {
  3097. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3098. SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
  3099. ERR_R_INTERNAL_ERROR);
  3100. return WORK_ERROR;
  3101. }
  3102. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  3103. sizeof(sctpauthkey), sctpauthkey);
  3104. }
  3105. }
  3106. #endif
  3107. if (s->statem.no_cert_verify || !s->session->peer) {
  3108. /*
  3109. * No certificate verify or no peer certificate so we no longer need
  3110. * the handshake_buffer
  3111. */
  3112. if (!ssl3_digest_cached_records(s, 0)) {
  3113. /* SSLfatal() already called */
  3114. return WORK_ERROR;
  3115. }
  3116. return WORK_FINISHED_CONTINUE;
  3117. } else {
  3118. if (!s->s3->handshake_buffer) {
  3119. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3120. SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
  3121. ERR_R_INTERNAL_ERROR);
  3122. return WORK_ERROR;
  3123. }
  3124. /*
  3125. * For sigalgs freeze the handshake buffer. If we support
  3126. * extms we've done this already so this is a no-op
  3127. */
  3128. if (!ssl3_digest_cached_records(s, 1)) {
  3129. /* SSLfatal() already called */
  3130. return WORK_ERROR;
  3131. }
  3132. }
  3133. return WORK_FINISHED_CONTINUE;
  3134. }
  3135. MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
  3136. {
  3137. int i;
  3138. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  3139. X509 *x = NULL;
  3140. unsigned long l;
  3141. const unsigned char *certstart, *certbytes;
  3142. STACK_OF(X509) *sk = NULL;
  3143. PACKET spkt, context;
  3144. size_t chainidx;
  3145. SSL_SESSION *new_sess = NULL;
  3146. if ((sk = sk_X509_new_null()) == NULL) {
  3147. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3148. ERR_R_MALLOC_FAILURE);
  3149. goto err;
  3150. }
  3151. if (SSL_IS_TLS13(s) && (!PACKET_get_length_prefixed_1(pkt, &context)
  3152. || (s->pha_context == NULL && PACKET_remaining(&context) != 0)
  3153. || (s->pha_context != NULL &&
  3154. !PACKET_equal(&context, s->pha_context, s->pha_context_len)))) {
  3155. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3156. SSL_R_INVALID_CONTEXT);
  3157. goto err;
  3158. }
  3159. if (!PACKET_get_length_prefixed_3(pkt, &spkt)
  3160. || PACKET_remaining(pkt) != 0) {
  3161. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3162. SSL_R_LENGTH_MISMATCH);
  3163. goto err;
  3164. }
  3165. for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
  3166. if (!PACKET_get_net_3(&spkt, &l)
  3167. || !PACKET_get_bytes(&spkt, &certbytes, l)) {
  3168. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3169. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3170. SSL_R_CERT_LENGTH_MISMATCH);
  3171. goto err;
  3172. }
  3173. certstart = certbytes;
  3174. x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
  3175. if (x == NULL) {
  3176. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3177. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
  3178. goto err;
  3179. }
  3180. if (certbytes != (certstart + l)) {
  3181. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3182. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3183. SSL_R_CERT_LENGTH_MISMATCH);
  3184. goto err;
  3185. }
  3186. if (SSL_IS_TLS13(s)) {
  3187. RAW_EXTENSION *rawexts = NULL;
  3188. PACKET extensions;
  3189. if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
  3190. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3191. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3192. SSL_R_BAD_LENGTH);
  3193. goto err;
  3194. }
  3195. if (!tls_collect_extensions(s, &extensions,
  3196. SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
  3197. NULL, chainidx == 0)
  3198. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
  3199. rawexts, x, chainidx,
  3200. PACKET_remaining(&spkt) == 0)) {
  3201. OPENSSL_free(rawexts);
  3202. goto err;
  3203. }
  3204. OPENSSL_free(rawexts);
  3205. }
  3206. if (!sk_X509_push(sk, x)) {
  3207. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3208. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3209. ERR_R_MALLOC_FAILURE);
  3210. goto err;
  3211. }
  3212. x = NULL;
  3213. }
  3214. if (sk_X509_num(sk) <= 0) {
  3215. /* TLS does not mind 0 certs returned */
  3216. if (s->version == SSL3_VERSION) {
  3217. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3218. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3219. SSL_R_NO_CERTIFICATES_RETURNED);
  3220. goto err;
  3221. }
  3222. /* Fail for TLS only if we required a certificate */
  3223. else if ((s->verify_mode & SSL_VERIFY_PEER) &&
  3224. (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  3225. SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED,
  3226. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3227. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  3228. goto err;
  3229. }
  3230. /* No client certificate so digest cached records */
  3231. if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
  3232. /* SSLfatal() already called */
  3233. goto err;
  3234. }
  3235. } else {
  3236. EVP_PKEY *pkey;
  3237. i = ssl_verify_cert_chain(s, sk);
  3238. if (i <= 0) {
  3239. SSLfatal(s, ssl_x509err2alert(s->verify_result),
  3240. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3241. SSL_R_CERTIFICATE_VERIFY_FAILED);
  3242. goto err;
  3243. }
  3244. if (i > 1) {
  3245. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3246. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
  3247. goto err;
  3248. }
  3249. pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
  3250. if (pkey == NULL) {
  3251. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3252. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3253. SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  3254. goto err;
  3255. }
  3256. }
  3257. /*
  3258. * Sessions must be immutable once they go into the session cache. Otherwise
  3259. * we can get multi-thread problems. Therefore we don't "update" sessions,
  3260. * we replace them with a duplicate. Here, we need to do this every time
  3261. * a new certificate is received via post-handshake authentication, as the
  3262. * session may have already gone into the session cache.
  3263. */
  3264. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  3265. int m = s->session_ctx->session_cache_mode;
  3266. if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
  3267. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3268. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3269. ERR_R_MALLOC_FAILURE);
  3270. goto err;
  3271. }
  3272. if (m & SSL_SESS_CACHE_SERVER) {
  3273. /*
  3274. * Remove the old session from the cache. We carry on if this fails
  3275. */
  3276. SSL_CTX_remove_session(s->session_ctx, s->session);
  3277. }
  3278. SSL_SESSION_free(s->session);
  3279. s->session = new_sess;
  3280. }
  3281. X509_free(s->session->peer);
  3282. s->session->peer = sk_X509_shift(sk);
  3283. s->session->verify_result = s->verify_result;
  3284. sk_X509_pop_free(s->session->peer_chain, X509_free);
  3285. s->session->peer_chain = sk;
  3286. /*
  3287. * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
  3288. * message
  3289. */
  3290. if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
  3291. /* SSLfatal() already called */
  3292. goto err;
  3293. }
  3294. /*
  3295. * Inconsistency alert: cert_chain does *not* include the peer's own
  3296. * certificate, while we do include it in statem_clnt.c
  3297. */
  3298. sk = NULL;
  3299. /* Save the current hash state for when we receive the CertificateVerify */
  3300. if (SSL_IS_TLS13(s)
  3301. && !ssl_handshake_hash(s, s->cert_verify_hash,
  3302. sizeof(s->cert_verify_hash),
  3303. &s->cert_verify_hash_len)) {
  3304. /* SSLfatal() already called */
  3305. goto err;
  3306. }
  3307. ret = MSG_PROCESS_CONTINUE_READING;
  3308. err:
  3309. X509_free(x);
  3310. sk_X509_pop_free(sk, X509_free);
  3311. return ret;
  3312. }
  3313. int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
  3314. {
  3315. CERT_PKEY *cpk = s->s3->tmp.cert;
  3316. if (cpk == NULL) {
  3317. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3318. SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
  3319. return 0;
  3320. }
  3321. /*
  3322. * In TLSv1.3 the certificate chain is always preceded by a 0 length context
  3323. * for the server Certificate message
  3324. */
  3325. if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
  3326. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3327. SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
  3328. return 0;
  3329. }
  3330. if (!ssl3_output_cert_chain(s, pkt, cpk)) {
  3331. /* SSLfatal() already called */
  3332. return 0;
  3333. }
  3334. return 1;
  3335. }
  3336. int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
  3337. {
  3338. unsigned char *senc = NULL;
  3339. EVP_CIPHER_CTX *ctx = NULL;
  3340. HMAC_CTX *hctx = NULL;
  3341. unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
  3342. const unsigned char *const_p;
  3343. int len, slen_full, slen, lenfinal;
  3344. SSL_SESSION *sess;
  3345. unsigned int hlen;
  3346. SSL_CTX *tctx = s->session_ctx;
  3347. unsigned char iv[EVP_MAX_IV_LENGTH];
  3348. unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
  3349. int iv_len;
  3350. size_t macoffset, macendoffset;
  3351. union {
  3352. unsigned char age_add_c[sizeof(uint32_t)];
  3353. uint32_t age_add;
  3354. } age_add_u;
  3355. if (SSL_IS_TLS13(s)) {
  3356. if (s->post_handshake_auth != SSL_PHA_EXT_RECEIVED) {
  3357. void (*cb) (const SSL *ssl, int type, int val) = NULL;
  3358. /*
  3359. * This is the first session ticket we've sent. In the state
  3360. * machine we "cheated" and tacked this onto the end of the first
  3361. * handshake. From an info callback perspective this should appear
  3362. * like the start of a new handshake.
  3363. */
  3364. if (s->info_callback != NULL)
  3365. cb = s->info_callback;
  3366. else if (s->ctx->info_callback != NULL)
  3367. cb = s->ctx->info_callback;
  3368. if (cb != NULL)
  3369. cb(s, SSL_CB_HANDSHAKE_START, 1);
  3370. }
  3371. if (!ssl_generate_session_id(s, s->session)) {
  3372. /* SSLfatal() already called */
  3373. goto err;
  3374. }
  3375. if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) {
  3376. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3377. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3378. ERR_R_INTERNAL_ERROR);
  3379. goto err;
  3380. }
  3381. s->session->ext.tick_age_add = age_add_u.age_add;
  3382. /*
  3383. * ticket_nonce is set to a single 0 byte because we only ever send a
  3384. * single ticket per connection. IMPORTANT: If we ever support multiple
  3385. * tickets per connection then this will need to be changed.
  3386. */
  3387. OPENSSL_free(s->session->ext.tick_nonce);
  3388. s->session->ext.tick_nonce = OPENSSL_zalloc(sizeof(char));
  3389. if (s->session->ext.tick_nonce == NULL) {
  3390. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3391. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3392. ERR_R_MALLOC_FAILURE);
  3393. goto err;
  3394. }
  3395. s->session->ext.tick_nonce_len = 1;
  3396. s->session->time = (long)time(NULL);
  3397. if (s->s3->alpn_selected != NULL) {
  3398. OPENSSL_free(s->session->ext.alpn_selected);
  3399. s->session->ext.alpn_selected =
  3400. OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
  3401. if (s->session->ext.alpn_selected == NULL) {
  3402. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3403. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3404. ERR_R_MALLOC_FAILURE);
  3405. goto err;
  3406. }
  3407. s->session->ext.alpn_selected_len = s->s3->alpn_selected_len;
  3408. }
  3409. s->session->ext.max_early_data = s->max_early_data;
  3410. }
  3411. if (tctx->generate_ticket_cb != NULL &&
  3412. tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0)
  3413. goto err;
  3414. /* get session encoding length */
  3415. slen_full = i2d_SSL_SESSION(s->session, NULL);
  3416. /*
  3417. * Some length values are 16 bits, so forget it if session is too
  3418. * long
  3419. */
  3420. if (slen_full == 0 || slen_full > 0xFF00) {
  3421. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3422. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
  3423. goto err;
  3424. }
  3425. senc = OPENSSL_malloc(slen_full);
  3426. if (senc == NULL) {
  3427. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3428. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
  3429. goto err;
  3430. }
  3431. ctx = EVP_CIPHER_CTX_new();
  3432. hctx = HMAC_CTX_new();
  3433. if (ctx == NULL || hctx == NULL) {
  3434. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3435. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
  3436. goto err;
  3437. }
  3438. p = senc;
  3439. if (!i2d_SSL_SESSION(s->session, &p)) {
  3440. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3441. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
  3442. goto err;
  3443. }
  3444. /*
  3445. * create a fresh copy (not shared with other threads) to clean up
  3446. */
  3447. const_p = senc;
  3448. sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
  3449. if (sess == NULL) {
  3450. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3451. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
  3452. goto err;
  3453. }
  3454. slen = i2d_SSL_SESSION(sess, NULL);
  3455. if (slen == 0 || slen > slen_full) {
  3456. /* shouldn't ever happen */
  3457. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3458. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
  3459. SSL_SESSION_free(sess);
  3460. goto err;
  3461. }
  3462. p = senc;
  3463. if (!i2d_SSL_SESSION(sess, &p)) {
  3464. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3465. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
  3466. SSL_SESSION_free(sess);
  3467. goto err;
  3468. }
  3469. SSL_SESSION_free(sess);
  3470. /*
  3471. * Initialize HMAC and cipher contexts. If callback present it does
  3472. * all the work otherwise use generated values from parent ctx.
  3473. */
  3474. if (tctx->ext.ticket_key_cb) {
  3475. /* if 0 is returned, write an empty ticket */
  3476. int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
  3477. hctx, 1);
  3478. if (ret == 0) {
  3479. /* Put timeout and length */
  3480. if (!WPACKET_put_bytes_u32(pkt, 0)
  3481. || !WPACKET_put_bytes_u16(pkt, 0)) {
  3482. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3483. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3484. ERR_R_INTERNAL_ERROR);
  3485. goto err;
  3486. }
  3487. OPENSSL_free(senc);
  3488. EVP_CIPHER_CTX_free(ctx);
  3489. HMAC_CTX_free(hctx);
  3490. return 1;
  3491. }
  3492. if (ret < 0) {
  3493. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3494. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3495. SSL_R_CALLBACK_FAILED);
  3496. goto err;
  3497. }
  3498. iv_len = EVP_CIPHER_CTX_iv_length(ctx);
  3499. } else {
  3500. const EVP_CIPHER *cipher = EVP_aes_256_cbc();
  3501. iv_len = EVP_CIPHER_iv_length(cipher);
  3502. if (RAND_bytes(iv, iv_len) <= 0
  3503. || !EVP_EncryptInit_ex(ctx, cipher, NULL,
  3504. tctx->ext.secure->tick_aes_key, iv)
  3505. || !HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
  3506. sizeof(tctx->ext.secure->tick_hmac_key),
  3507. EVP_sha256(), NULL)) {
  3508. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3509. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3510. ERR_R_INTERNAL_ERROR);
  3511. goto err;
  3512. }
  3513. memcpy(key_name, tctx->ext.tick_key_name,
  3514. sizeof(tctx->ext.tick_key_name));
  3515. }
  3516. /*
  3517. * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
  3518. * unspecified for resumed session (for simplicity).
  3519. * In TLSv1.3 we reset the "time" field above, and always specify the
  3520. * timeout.
  3521. */
  3522. if (!WPACKET_put_bytes_u32(pkt,
  3523. (s->hit && !SSL_IS_TLS13(s))
  3524. ? 0 : s->session->timeout)
  3525. || (SSL_IS_TLS13(s)
  3526. && (!WPACKET_put_bytes_u32(pkt, age_add_u.age_add)
  3527. || !WPACKET_sub_memcpy_u8(pkt, s->session->ext.tick_nonce,
  3528. s->session->ext.tick_nonce_len)))
  3529. /* Now the actual ticket data */
  3530. || !WPACKET_start_sub_packet_u16(pkt)
  3531. || !WPACKET_get_total_written(pkt, &macoffset)
  3532. /* Output key name */
  3533. || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
  3534. /* output IV */
  3535. || !WPACKET_memcpy(pkt, iv, iv_len)
  3536. || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
  3537. &encdata1)
  3538. /* Encrypt session data */
  3539. || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
  3540. || !WPACKET_allocate_bytes(pkt, len, &encdata2)
  3541. || encdata1 != encdata2
  3542. || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
  3543. || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
  3544. || encdata1 + len != encdata2
  3545. || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
  3546. || !WPACKET_get_total_written(pkt, &macendoffset)
  3547. || !HMAC_Update(hctx,
  3548. (unsigned char *)s->init_buf->data + macoffset,
  3549. macendoffset - macoffset)
  3550. || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
  3551. || !HMAC_Final(hctx, macdata1, &hlen)
  3552. || hlen > EVP_MAX_MD_SIZE
  3553. || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
  3554. || macdata1 != macdata2
  3555. || !WPACKET_close(pkt)) {
  3556. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3557. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
  3558. goto err;
  3559. }
  3560. if (SSL_IS_TLS13(s)) {
  3561. ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
  3562. if (!tls_construct_extensions(s, pkt,
  3563. SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
  3564. NULL, 0)) {
  3565. /* SSLfatal() already called */
  3566. goto err;
  3567. }
  3568. }
  3569. EVP_CIPHER_CTX_free(ctx);
  3570. HMAC_CTX_free(hctx);
  3571. OPENSSL_free(senc);
  3572. return 1;
  3573. err:
  3574. OPENSSL_free(senc);
  3575. EVP_CIPHER_CTX_free(ctx);
  3576. HMAC_CTX_free(hctx);
  3577. return 0;
  3578. }
  3579. /*
  3580. * In TLSv1.3 this is called from the extensions code, otherwise it is used to
  3581. * create a separate message. Returns 1 on success or 0 on failure.
  3582. */
  3583. int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
  3584. {
  3585. if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
  3586. || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
  3587. s->ext.ocsp.resp_len)) {
  3588. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY,
  3589. ERR_R_INTERNAL_ERROR);
  3590. return 0;
  3591. }
  3592. return 1;
  3593. }
  3594. int tls_construct_cert_status(SSL *s, WPACKET *pkt)
  3595. {
  3596. if (!tls_construct_cert_status_body(s, pkt)) {
  3597. /* SSLfatal() already called */
  3598. return 0;
  3599. }
  3600. return 1;
  3601. }
  3602. #ifndef OPENSSL_NO_NEXTPROTONEG
  3603. /*
  3604. * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
  3605. * It sets the next_proto member in s if found
  3606. */
  3607. MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
  3608. {
  3609. PACKET next_proto, padding;
  3610. size_t next_proto_len;
  3611. /*-
  3612. * The payload looks like:
  3613. * uint8 proto_len;
  3614. * uint8 proto[proto_len];
  3615. * uint8 padding_len;
  3616. * uint8 padding[padding_len];
  3617. */
  3618. if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
  3619. || !PACKET_get_length_prefixed_1(pkt, &padding)
  3620. || PACKET_remaining(pkt) > 0) {
  3621. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
  3622. SSL_R_LENGTH_MISMATCH);
  3623. return MSG_PROCESS_ERROR;
  3624. }
  3625. if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
  3626. s->ext.npn_len = 0;
  3627. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
  3628. ERR_R_INTERNAL_ERROR);
  3629. return MSG_PROCESS_ERROR;
  3630. }
  3631. s->ext.npn_len = (unsigned char)next_proto_len;
  3632. return MSG_PROCESS_CONTINUE_READING;
  3633. }
  3634. #endif
  3635. static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
  3636. {
  3637. if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  3638. NULL, 0)) {
  3639. /* SSLfatal() already called */
  3640. return 0;
  3641. }
  3642. return 1;
  3643. }
  3644. MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
  3645. {
  3646. if (PACKET_remaining(pkt) != 0) {
  3647. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
  3648. SSL_R_LENGTH_MISMATCH);
  3649. return MSG_PROCESS_ERROR;
  3650. }
  3651. if (s->early_data_state != SSL_EARLY_DATA_READING
  3652. && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) {
  3653. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
  3654. ERR_R_INTERNAL_ERROR);
  3655. return MSG_PROCESS_ERROR;
  3656. }
  3657. /*
  3658. * EndOfEarlyData signals a key change so the end of the message must be on
  3659. * a record boundary.
  3660. */
  3661. if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  3662. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  3663. SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
  3664. SSL_R_NOT_ON_RECORD_BOUNDARY);
  3665. return MSG_PROCESS_ERROR;
  3666. }
  3667. s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
  3668. if (!s->method->ssl3_enc->change_cipher_state(s,
  3669. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) {
  3670. /* SSLfatal() already called */
  3671. return MSG_PROCESS_ERROR;
  3672. }
  3673. return MSG_PROCESS_CONTINUE_READING;
  3674. }