statem_srvr.c 144 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351435243534354435543564357435843594360436143624363436443654366436743684369437043714372437343744375437643774378437943804381438243834384438543864387438843894390439143924393439443954396439743984399440044014402
  1. /*
  2. * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. * Copyright 2005 Nokia. All rights reserved.
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #include <stdio.h>
  12. #include "../ssl_local.h"
  13. #include "statem_local.h"
  14. #include "internal/constant_time.h"
  15. #include "internal/cryptlib.h"
  16. #include <openssl/buffer.h>
  17. #include <openssl/rand.h>
  18. #include <openssl/objects.h>
  19. #include <openssl/evp.h>
  20. #include <openssl/x509.h>
  21. #include <openssl/dh.h>
  22. #include <openssl/rsa.h>
  23. #include <openssl/bn.h>
  24. #include <openssl/md5.h>
  25. #include <openssl/trace.h>
  26. #include <openssl/core_names.h>
  27. #include <openssl/asn1t.h>
  28. #include <openssl/comp.h>
  29. #include "internal/comp.h"
  30. #define TICKET_NONCE_SIZE 8
  31. typedef struct {
  32. ASN1_TYPE *kxBlob;
  33. ASN1_TYPE *opaqueBlob;
  34. } GOST_KX_MESSAGE;
  35. DECLARE_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
  36. ASN1_SEQUENCE(GOST_KX_MESSAGE) = {
  37. ASN1_SIMPLE(GOST_KX_MESSAGE, kxBlob, ASN1_ANY),
  38. ASN1_OPT(GOST_KX_MESSAGE, opaqueBlob, ASN1_ANY),
  39. } ASN1_SEQUENCE_END(GOST_KX_MESSAGE)
  40. IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
  41. static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s,
  42. WPACKET *pkt);
  43. static ossl_inline int received_client_cert(const SSL_CONNECTION *sc)
  44. {
  45. return sc->session->peer_rpk != NULL || sc->session->peer != NULL;
  46. }
  47. /*
  48. * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
  49. * handshake state transitions when a TLSv1.3 server is reading messages from
  50. * the client. The message type that the client has sent is provided in |mt|.
  51. * The current state is in |s->statem.hand_state|.
  52. *
  53. * Return values are 1 for success (transition allowed) and 0 on error
  54. * (transition not allowed)
  55. */
  56. static int ossl_statem_server13_read_transition(SSL_CONNECTION *s, int mt)
  57. {
  58. OSSL_STATEM *st = &s->statem;
  59. /*
  60. * Note: There is no case for TLS_ST_BEFORE because at that stage we have
  61. * not negotiated TLSv1.3 yet, so that case is handled by
  62. * ossl_statem_server_read_transition()
  63. */
  64. switch (st->hand_state) {
  65. default:
  66. break;
  67. case TLS_ST_EARLY_DATA:
  68. if (s->hello_retry_request == SSL_HRR_PENDING) {
  69. if (mt == SSL3_MT_CLIENT_HELLO) {
  70. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  71. return 1;
  72. }
  73. break;
  74. } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
  75. if (mt == SSL3_MT_END_OF_EARLY_DATA) {
  76. st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
  77. return 1;
  78. }
  79. break;
  80. }
  81. /* Fall through */
  82. case TLS_ST_SR_END_OF_EARLY_DATA:
  83. case TLS_ST_SW_FINISHED:
  84. if (s->s3.tmp.cert_request) {
  85. if (mt == SSL3_MT_CERTIFICATE) {
  86. st->hand_state = TLS_ST_SR_CERT;
  87. return 1;
  88. }
  89. #ifndef OPENSSL_NO_COMP_ALG
  90. if (mt == SSL3_MT_COMPRESSED_CERTIFICATE
  91. && s->ext.compress_certificate_sent) {
  92. st->hand_state = TLS_ST_SR_COMP_CERT;
  93. return 1;
  94. }
  95. #endif
  96. } else {
  97. if (mt == SSL3_MT_FINISHED) {
  98. st->hand_state = TLS_ST_SR_FINISHED;
  99. return 1;
  100. }
  101. }
  102. break;
  103. case TLS_ST_SR_COMP_CERT:
  104. case TLS_ST_SR_CERT:
  105. if (!received_client_cert(s)) {
  106. if (mt == SSL3_MT_FINISHED) {
  107. st->hand_state = TLS_ST_SR_FINISHED;
  108. return 1;
  109. }
  110. } else {
  111. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  112. st->hand_state = TLS_ST_SR_CERT_VRFY;
  113. return 1;
  114. }
  115. }
  116. break;
  117. case TLS_ST_SR_CERT_VRFY:
  118. if (mt == SSL3_MT_FINISHED) {
  119. st->hand_state = TLS_ST_SR_FINISHED;
  120. return 1;
  121. }
  122. break;
  123. case TLS_ST_OK:
  124. /*
  125. * Its never ok to start processing handshake messages in the middle of
  126. * early data (i.e. before we've received the end of early data alert)
  127. */
  128. if (s->early_data_state == SSL_EARLY_DATA_READING)
  129. break;
  130. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  131. if (mt == SSL3_MT_CERTIFICATE) {
  132. st->hand_state = TLS_ST_SR_CERT;
  133. return 1;
  134. }
  135. #ifndef OPENSSL_NO_COMP_ALG
  136. if (mt == SSL3_MT_COMPRESSED_CERTIFICATE
  137. && s->ext.compress_certificate_sent) {
  138. st->hand_state = TLS_ST_SR_COMP_CERT;
  139. return 1;
  140. }
  141. #endif
  142. }
  143. if (mt == SSL3_MT_KEY_UPDATE && !SSL_IS_QUIC_HANDSHAKE(s)) {
  144. st->hand_state = TLS_ST_SR_KEY_UPDATE;
  145. return 1;
  146. }
  147. break;
  148. }
  149. /* No valid transition found */
  150. return 0;
  151. }
  152. /*
  153. * ossl_statem_server_read_transition() encapsulates the logic for the allowed
  154. * handshake state transitions when the server is reading messages from the
  155. * client. The message type that the client has sent is provided in |mt|. The
  156. * current state is in |s->statem.hand_state|.
  157. *
  158. * Return values are 1 for success (transition allowed) and 0 on error
  159. * (transition not allowed)
  160. */
  161. int ossl_statem_server_read_transition(SSL_CONNECTION *s, int mt)
  162. {
  163. OSSL_STATEM *st = &s->statem;
  164. if (SSL_CONNECTION_IS_TLS13(s)) {
  165. if (!ossl_statem_server13_read_transition(s, mt))
  166. goto err;
  167. return 1;
  168. }
  169. switch (st->hand_state) {
  170. default:
  171. break;
  172. case TLS_ST_BEFORE:
  173. case TLS_ST_OK:
  174. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  175. if (mt == SSL3_MT_CLIENT_HELLO) {
  176. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  177. return 1;
  178. }
  179. break;
  180. case TLS_ST_SW_SRVR_DONE:
  181. /*
  182. * If we get a CKE message after a ServerDone then either
  183. * 1) We didn't request a Certificate
  184. * OR
  185. * 2) If we did request one then
  186. * a) We allow no Certificate to be returned
  187. * AND
  188. * b) We are running SSL3 (in TLS1.0+ the client must return a 0
  189. * list if we requested a certificate)
  190. */
  191. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  192. if (s->s3.tmp.cert_request) {
  193. if (s->version == SSL3_VERSION) {
  194. if ((s->verify_mode & SSL_VERIFY_PEER)
  195. && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  196. /*
  197. * This isn't an unexpected message as such - we're just
  198. * not going to accept it because we require a client
  199. * cert.
  200. */
  201. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  202. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  203. return 0;
  204. }
  205. st->hand_state = TLS_ST_SR_KEY_EXCH;
  206. return 1;
  207. }
  208. } else {
  209. st->hand_state = TLS_ST_SR_KEY_EXCH;
  210. return 1;
  211. }
  212. } else if (s->s3.tmp.cert_request) {
  213. if (mt == SSL3_MT_CERTIFICATE) {
  214. st->hand_state = TLS_ST_SR_CERT;
  215. return 1;
  216. }
  217. }
  218. break;
  219. case TLS_ST_SR_CERT:
  220. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  221. st->hand_state = TLS_ST_SR_KEY_EXCH;
  222. return 1;
  223. }
  224. break;
  225. case TLS_ST_SR_KEY_EXCH:
  226. /*
  227. * We should only process a CertificateVerify message if we have
  228. * received a Certificate from the client. If so then |s->session->peer|
  229. * will be non NULL. In some instances a CertificateVerify message is
  230. * not required even if the peer has sent a Certificate (e.g. such as in
  231. * the case of static DH). In that case |st->no_cert_verify| should be
  232. * set.
  233. */
  234. if (!received_client_cert(s) || st->no_cert_verify) {
  235. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  236. /*
  237. * For the ECDH ciphersuites when the client sends its ECDH
  238. * pub key in a certificate, the CertificateVerify message is
  239. * not sent. Also for GOST ciphersuites when the client uses
  240. * its key from the certificate for key exchange.
  241. */
  242. st->hand_state = TLS_ST_SR_CHANGE;
  243. return 1;
  244. }
  245. } else {
  246. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  247. st->hand_state = TLS_ST_SR_CERT_VRFY;
  248. return 1;
  249. }
  250. }
  251. break;
  252. case TLS_ST_SR_CERT_VRFY:
  253. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  254. st->hand_state = TLS_ST_SR_CHANGE;
  255. return 1;
  256. }
  257. break;
  258. case TLS_ST_SR_CHANGE:
  259. #ifndef OPENSSL_NO_NEXTPROTONEG
  260. if (s->s3.npn_seen) {
  261. if (mt == SSL3_MT_NEXT_PROTO) {
  262. st->hand_state = TLS_ST_SR_NEXT_PROTO;
  263. return 1;
  264. }
  265. } else {
  266. #endif
  267. if (mt == SSL3_MT_FINISHED) {
  268. st->hand_state = TLS_ST_SR_FINISHED;
  269. return 1;
  270. }
  271. #ifndef OPENSSL_NO_NEXTPROTONEG
  272. }
  273. #endif
  274. break;
  275. #ifndef OPENSSL_NO_NEXTPROTONEG
  276. case TLS_ST_SR_NEXT_PROTO:
  277. if (mt == SSL3_MT_FINISHED) {
  278. st->hand_state = TLS_ST_SR_FINISHED;
  279. return 1;
  280. }
  281. break;
  282. #endif
  283. case TLS_ST_SW_FINISHED:
  284. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  285. st->hand_state = TLS_ST_SR_CHANGE;
  286. return 1;
  287. }
  288. break;
  289. }
  290. err:
  291. /* No valid transition found */
  292. if (SSL_CONNECTION_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  293. BIO *rbio;
  294. /*
  295. * CCS messages don't have a message sequence number so this is probably
  296. * because of an out-of-order CCS. We'll just drop it.
  297. */
  298. s->init_num = 0;
  299. s->rwstate = SSL_READING;
  300. rbio = SSL_get_rbio(SSL_CONNECTION_GET_SSL(s));
  301. BIO_clear_retry_flags(rbio);
  302. BIO_set_retry_read(rbio);
  303. return 0;
  304. }
  305. SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
  306. return 0;
  307. }
  308. /*
  309. * Should we send a ServerKeyExchange message?
  310. *
  311. * Valid return values are:
  312. * 1: Yes
  313. * 0: No
  314. */
  315. static int send_server_key_exchange(SSL_CONNECTION *s)
  316. {
  317. unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  318. /*
  319. * only send a ServerKeyExchange if DH or fortezza but we have a
  320. * sign only certificate PSK: may send PSK identity hints For
  321. * ECC ciphersuites, we send a serverKeyExchange message only if
  322. * the cipher suite is either ECDH-anon or ECDHE. In other cases,
  323. * the server certificate contains the server's public key for
  324. * key exchange.
  325. */
  326. if (alg_k & (SSL_kDHE | SSL_kECDHE)
  327. /*
  328. * PSK: send ServerKeyExchange if PSK identity hint if
  329. * provided
  330. */
  331. #ifndef OPENSSL_NO_PSK
  332. /* Only send SKE if we have identity hint for plain PSK */
  333. || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
  334. && s->cert->psk_identity_hint)
  335. /* For other PSK always send SKE */
  336. || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
  337. #endif
  338. #ifndef OPENSSL_NO_SRP
  339. /* SRP: send ServerKeyExchange */
  340. || (alg_k & SSL_kSRP)
  341. #endif
  342. ) {
  343. return 1;
  344. }
  345. return 0;
  346. }
  347. /*
  348. * Used to determine if we should send a CompressedCertificate message
  349. *
  350. * Returns the algorithm to use, TLSEXT_comp_cert_none means no compression
  351. */
  352. static int get_compressed_certificate_alg(SSL_CONNECTION *sc)
  353. {
  354. #ifndef OPENSSL_NO_COMP_ALG
  355. int *alg = sc->ext.compress_certificate_from_peer;
  356. if (sc->s3.tmp.cert == NULL)
  357. return TLSEXT_comp_cert_none;
  358. for (; *alg != TLSEXT_comp_cert_none; alg++) {
  359. if (sc->s3.tmp.cert->comp_cert[*alg] != NULL)
  360. return *alg;
  361. }
  362. #endif
  363. return TLSEXT_comp_cert_none;
  364. }
  365. /*
  366. * Should we send a CertificateRequest message?
  367. *
  368. * Valid return values are:
  369. * 1: Yes
  370. * 0: No
  371. */
  372. int send_certificate_request(SSL_CONNECTION *s)
  373. {
  374. if (
  375. /* don't request cert unless asked for it: */
  376. s->verify_mode & SSL_VERIFY_PEER
  377. /*
  378. * don't request if post-handshake-only unless doing
  379. * post-handshake in TLSv1.3:
  380. */
  381. && (!SSL_CONNECTION_IS_TLS13(s)
  382. || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE)
  383. || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING)
  384. /*
  385. * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
  386. * a second time:
  387. */
  388. && (s->certreqs_sent < 1 ||
  389. !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
  390. /*
  391. * never request cert in anonymous ciphersuites (see
  392. * section "Certificate request" in SSL 3 drafts and in
  393. * RFC 2246):
  394. */
  395. && (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL)
  396. /*
  397. * ... except when the application insists on
  398. * verification (against the specs, but statem_clnt.c accepts
  399. * this for SSL 3)
  400. */
  401. || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
  402. /* don't request certificate for SRP auth */
  403. && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aSRP)
  404. /*
  405. * With normal PSK Certificates and Certificate Requests
  406. * are omitted
  407. */
  408. && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
  409. return 1;
  410. }
  411. return 0;
  412. }
  413. static int do_compressed_cert(SSL_CONNECTION *sc)
  414. {
  415. /* If we negotiated RPK, we won't attempt to compress it */
  416. return sc->ext.server_cert_type == TLSEXT_cert_type_x509
  417. && get_compressed_certificate_alg(sc) != TLSEXT_comp_cert_none;
  418. }
  419. /*
  420. * ossl_statem_server13_write_transition() works out what handshake state to
  421. * move to next when a TLSv1.3 server is writing messages to be sent to the
  422. * client.
  423. */
  424. static WRITE_TRAN ossl_statem_server13_write_transition(SSL_CONNECTION *s)
  425. {
  426. OSSL_STATEM *st = &s->statem;
  427. /*
  428. * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
  429. * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
  430. */
  431. switch (st->hand_state) {
  432. default:
  433. /* Shouldn't happen */
  434. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  435. return WRITE_TRAN_ERROR;
  436. case TLS_ST_OK:
  437. if (s->key_update != SSL_KEY_UPDATE_NONE) {
  438. st->hand_state = TLS_ST_SW_KEY_UPDATE;
  439. return WRITE_TRAN_CONTINUE;
  440. }
  441. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  442. st->hand_state = TLS_ST_SW_CERT_REQ;
  443. return WRITE_TRAN_CONTINUE;
  444. }
  445. if (s->ext.extra_tickets_expected > 0) {
  446. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  447. return WRITE_TRAN_CONTINUE;
  448. }
  449. /* Try to read from the client instead */
  450. return WRITE_TRAN_FINISHED;
  451. case TLS_ST_SR_CLNT_HELLO:
  452. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  453. return WRITE_TRAN_CONTINUE;
  454. case TLS_ST_SW_SRVR_HELLO:
  455. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  456. && s->hello_retry_request != SSL_HRR_COMPLETE)
  457. st->hand_state = TLS_ST_SW_CHANGE;
  458. else if (s->hello_retry_request == SSL_HRR_PENDING)
  459. st->hand_state = TLS_ST_EARLY_DATA;
  460. else
  461. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  462. return WRITE_TRAN_CONTINUE;
  463. case TLS_ST_SW_CHANGE:
  464. if (s->hello_retry_request == SSL_HRR_PENDING)
  465. st->hand_state = TLS_ST_EARLY_DATA;
  466. else
  467. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  468. return WRITE_TRAN_CONTINUE;
  469. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  470. if (s->hit)
  471. st->hand_state = TLS_ST_SW_FINISHED;
  472. else if (send_certificate_request(s))
  473. st->hand_state = TLS_ST_SW_CERT_REQ;
  474. else if (do_compressed_cert(s))
  475. st->hand_state = TLS_ST_SW_COMP_CERT;
  476. else
  477. st->hand_state = TLS_ST_SW_CERT;
  478. return WRITE_TRAN_CONTINUE;
  479. case TLS_ST_SW_CERT_REQ:
  480. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  481. s->post_handshake_auth = SSL_PHA_REQUESTED;
  482. st->hand_state = TLS_ST_OK;
  483. } else if (do_compressed_cert(s)) {
  484. st->hand_state = TLS_ST_SW_COMP_CERT;
  485. } else {
  486. st->hand_state = TLS_ST_SW_CERT;
  487. }
  488. return WRITE_TRAN_CONTINUE;
  489. case TLS_ST_SW_COMP_CERT:
  490. case TLS_ST_SW_CERT:
  491. st->hand_state = TLS_ST_SW_CERT_VRFY;
  492. return WRITE_TRAN_CONTINUE;
  493. case TLS_ST_SW_CERT_VRFY:
  494. st->hand_state = TLS_ST_SW_FINISHED;
  495. return WRITE_TRAN_CONTINUE;
  496. case TLS_ST_SW_FINISHED:
  497. st->hand_state = TLS_ST_EARLY_DATA;
  498. s->ts_msg_write = ossl_time_now();
  499. return WRITE_TRAN_CONTINUE;
  500. case TLS_ST_EARLY_DATA:
  501. return WRITE_TRAN_FINISHED;
  502. case TLS_ST_SR_FINISHED:
  503. s->ts_msg_read = ossl_time_now();
  504. /*
  505. * Technically we have finished the handshake at this point, but we're
  506. * going to remain "in_init" for now and write out any session tickets
  507. * immediately.
  508. */
  509. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  510. s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
  511. } else if (!s->ext.ticket_expected) {
  512. /*
  513. * If we're not going to renew the ticket then we just finish the
  514. * handshake at this point.
  515. */
  516. st->hand_state = TLS_ST_OK;
  517. return WRITE_TRAN_CONTINUE;
  518. }
  519. if (s->num_tickets > s->sent_tickets)
  520. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  521. else
  522. st->hand_state = TLS_ST_OK;
  523. return WRITE_TRAN_CONTINUE;
  524. case TLS_ST_SR_KEY_UPDATE:
  525. case TLS_ST_SW_KEY_UPDATE:
  526. st->hand_state = TLS_ST_OK;
  527. return WRITE_TRAN_CONTINUE;
  528. case TLS_ST_SW_SESSION_TICKET:
  529. /* In a resumption we only ever send a maximum of one new ticket.
  530. * Following an initial handshake we send the number of tickets we have
  531. * been configured for.
  532. */
  533. if (!SSL_IS_FIRST_HANDSHAKE(s) && s->ext.extra_tickets_expected > 0) {
  534. return WRITE_TRAN_CONTINUE;
  535. } else if (s->hit || s->num_tickets <= s->sent_tickets) {
  536. /* We've written enough tickets out. */
  537. st->hand_state = TLS_ST_OK;
  538. }
  539. return WRITE_TRAN_CONTINUE;
  540. }
  541. }
  542. /*
  543. * ossl_statem_server_write_transition() works out what handshake state to move
  544. * to next when the server is writing messages to be sent to the client.
  545. */
  546. WRITE_TRAN ossl_statem_server_write_transition(SSL_CONNECTION *s)
  547. {
  548. OSSL_STATEM *st = &s->statem;
  549. /*
  550. * Note that before the ClientHello we don't know what version we are going
  551. * to negotiate yet, so we don't take this branch until later
  552. */
  553. if (SSL_CONNECTION_IS_TLS13(s))
  554. return ossl_statem_server13_write_transition(s);
  555. switch (st->hand_state) {
  556. default:
  557. /* Shouldn't happen */
  558. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  559. return WRITE_TRAN_ERROR;
  560. case TLS_ST_OK:
  561. if (st->request_state == TLS_ST_SW_HELLO_REQ) {
  562. /* We must be trying to renegotiate */
  563. st->hand_state = TLS_ST_SW_HELLO_REQ;
  564. st->request_state = TLS_ST_BEFORE;
  565. return WRITE_TRAN_CONTINUE;
  566. }
  567. /* Must be an incoming ClientHello */
  568. if (!tls_setup_handshake(s)) {
  569. /* SSLfatal() already called */
  570. return WRITE_TRAN_ERROR;
  571. }
  572. /* Fall through */
  573. case TLS_ST_BEFORE:
  574. /* Just go straight to trying to read from the client */
  575. return WRITE_TRAN_FINISHED;
  576. case TLS_ST_SW_HELLO_REQ:
  577. st->hand_state = TLS_ST_OK;
  578. return WRITE_TRAN_CONTINUE;
  579. case TLS_ST_SR_CLNT_HELLO:
  580. if (SSL_CONNECTION_IS_DTLS(s) && !s->d1->cookie_verified
  581. && (SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_COOKIE_EXCHANGE)) {
  582. st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
  583. } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  584. /* We must have rejected the renegotiation */
  585. st->hand_state = TLS_ST_OK;
  586. return WRITE_TRAN_CONTINUE;
  587. } else {
  588. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  589. }
  590. return WRITE_TRAN_CONTINUE;
  591. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  592. return WRITE_TRAN_FINISHED;
  593. case TLS_ST_SW_SRVR_HELLO:
  594. if (s->hit) {
  595. if (s->ext.ticket_expected)
  596. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  597. else
  598. st->hand_state = TLS_ST_SW_CHANGE;
  599. } else {
  600. /* Check if it is anon DH or anon ECDH, */
  601. /* normal PSK or SRP */
  602. if (!(s->s3.tmp.new_cipher->algorithm_auth &
  603. (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
  604. st->hand_state = TLS_ST_SW_CERT;
  605. } else if (send_server_key_exchange(s)) {
  606. st->hand_state = TLS_ST_SW_KEY_EXCH;
  607. } else if (send_certificate_request(s)) {
  608. st->hand_state = TLS_ST_SW_CERT_REQ;
  609. } else {
  610. st->hand_state = TLS_ST_SW_SRVR_DONE;
  611. }
  612. }
  613. return WRITE_TRAN_CONTINUE;
  614. case TLS_ST_SW_CERT:
  615. if (s->ext.status_expected) {
  616. st->hand_state = TLS_ST_SW_CERT_STATUS;
  617. return WRITE_TRAN_CONTINUE;
  618. }
  619. /* Fall through */
  620. case TLS_ST_SW_CERT_STATUS:
  621. if (send_server_key_exchange(s)) {
  622. st->hand_state = TLS_ST_SW_KEY_EXCH;
  623. return WRITE_TRAN_CONTINUE;
  624. }
  625. /* Fall through */
  626. case TLS_ST_SW_KEY_EXCH:
  627. if (send_certificate_request(s)) {
  628. st->hand_state = TLS_ST_SW_CERT_REQ;
  629. return WRITE_TRAN_CONTINUE;
  630. }
  631. /* Fall through */
  632. case TLS_ST_SW_CERT_REQ:
  633. st->hand_state = TLS_ST_SW_SRVR_DONE;
  634. return WRITE_TRAN_CONTINUE;
  635. case TLS_ST_SW_SRVR_DONE:
  636. s->ts_msg_write = ossl_time_now();
  637. return WRITE_TRAN_FINISHED;
  638. case TLS_ST_SR_FINISHED:
  639. s->ts_msg_read = ossl_time_now();
  640. if (s->hit) {
  641. st->hand_state = TLS_ST_OK;
  642. return WRITE_TRAN_CONTINUE;
  643. } else if (s->ext.ticket_expected) {
  644. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  645. } else {
  646. st->hand_state = TLS_ST_SW_CHANGE;
  647. }
  648. return WRITE_TRAN_CONTINUE;
  649. case TLS_ST_SW_SESSION_TICKET:
  650. st->hand_state = TLS_ST_SW_CHANGE;
  651. return WRITE_TRAN_CONTINUE;
  652. case TLS_ST_SW_CHANGE:
  653. st->hand_state = TLS_ST_SW_FINISHED;
  654. return WRITE_TRAN_CONTINUE;
  655. case TLS_ST_SW_FINISHED:
  656. if (s->hit) {
  657. return WRITE_TRAN_FINISHED;
  658. }
  659. st->hand_state = TLS_ST_OK;
  660. return WRITE_TRAN_CONTINUE;
  661. }
  662. }
  663. /*
  664. * Perform any pre work that needs to be done prior to sending a message from
  665. * the server to the client.
  666. */
  667. WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst)
  668. {
  669. OSSL_STATEM *st = &s->statem;
  670. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  671. switch (st->hand_state) {
  672. default:
  673. /* No pre work to be done */
  674. break;
  675. case TLS_ST_SW_HELLO_REQ:
  676. s->shutdown = 0;
  677. if (SSL_CONNECTION_IS_DTLS(s))
  678. dtls1_clear_sent_buffer(s);
  679. break;
  680. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  681. s->shutdown = 0;
  682. if (SSL_CONNECTION_IS_DTLS(s)) {
  683. dtls1_clear_sent_buffer(s);
  684. /* We don't buffer this message so don't use the timer */
  685. st->use_timer = 0;
  686. }
  687. break;
  688. case TLS_ST_SW_SRVR_HELLO:
  689. if (SSL_CONNECTION_IS_DTLS(s)) {
  690. /*
  691. * Messages we write from now on should be buffered and
  692. * retransmitted if necessary, so we need to use the timer now
  693. */
  694. st->use_timer = 1;
  695. }
  696. break;
  697. case TLS_ST_SW_SRVR_DONE:
  698. #ifndef OPENSSL_NO_SCTP
  699. if (SSL_CONNECTION_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(ssl))) {
  700. /* Calls SSLfatal() as required */
  701. return dtls_wait_for_dry(s);
  702. }
  703. #endif
  704. return WORK_FINISHED_CONTINUE;
  705. case TLS_ST_SW_SESSION_TICKET:
  706. if (SSL_CONNECTION_IS_TLS13(s) && s->sent_tickets == 0
  707. && s->ext.extra_tickets_expected == 0) {
  708. /*
  709. * Actually this is the end of the handshake, but we're going
  710. * straight into writing the session ticket out. So we finish off
  711. * the handshake, but keep the various buffers active.
  712. *
  713. * Calls SSLfatal as required.
  714. */
  715. return tls_finish_handshake(s, wst, 0, 0);
  716. }
  717. if (SSL_CONNECTION_IS_DTLS(s)) {
  718. /*
  719. * We're into the last flight. We don't retransmit the last flight
  720. * unless we need to, so we don't use the timer
  721. */
  722. st->use_timer = 0;
  723. }
  724. break;
  725. case TLS_ST_SW_CHANGE:
  726. if (SSL_CONNECTION_IS_TLS13(s))
  727. break;
  728. /* Writes to s->session are only safe for initial handshakes */
  729. if (s->session->cipher == NULL) {
  730. s->session->cipher = s->s3.tmp.new_cipher;
  731. } else if (s->session->cipher != s->s3.tmp.new_cipher) {
  732. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  733. return WORK_ERROR;
  734. }
  735. if (!ssl->method->ssl3_enc->setup_key_block(s)) {
  736. /* SSLfatal() already called */
  737. return WORK_ERROR;
  738. }
  739. if (SSL_CONNECTION_IS_DTLS(s)) {
  740. /*
  741. * We're into the last flight. We don't retransmit the last flight
  742. * unless we need to, so we don't use the timer. This might have
  743. * already been set to 0 if we sent a NewSessionTicket message,
  744. * but we'll set it again here in case we didn't.
  745. */
  746. st->use_timer = 0;
  747. }
  748. return WORK_FINISHED_CONTINUE;
  749. case TLS_ST_EARLY_DATA:
  750. if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
  751. && (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
  752. return WORK_FINISHED_CONTINUE;
  753. /* Fall through */
  754. case TLS_ST_OK:
  755. /* Calls SSLfatal() as required */
  756. return tls_finish_handshake(s, wst, 1, 1);
  757. }
  758. return WORK_FINISHED_CONTINUE;
  759. }
  760. static ossl_inline int conn_is_closed(void)
  761. {
  762. switch (get_last_sys_error()) {
  763. #if defined(EPIPE)
  764. case EPIPE:
  765. return 1;
  766. #endif
  767. #if defined(ECONNRESET)
  768. case ECONNRESET:
  769. return 1;
  770. #endif
  771. #if defined(WSAECONNRESET)
  772. case WSAECONNRESET:
  773. return 1;
  774. #endif
  775. default:
  776. return 0;
  777. }
  778. }
  779. /*
  780. * Perform any work that needs to be done after sending a message from the
  781. * server to the client.
  782. */
  783. WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst)
  784. {
  785. OSSL_STATEM *st = &s->statem;
  786. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  787. s->init_num = 0;
  788. switch (st->hand_state) {
  789. default:
  790. /* No post work to be done */
  791. break;
  792. case TLS_ST_SW_HELLO_REQ:
  793. if (statem_flush(s) != 1)
  794. return WORK_MORE_A;
  795. if (!ssl3_init_finished_mac(s)) {
  796. /* SSLfatal() already called */
  797. return WORK_ERROR;
  798. }
  799. break;
  800. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  801. if (statem_flush(s) != 1)
  802. return WORK_MORE_A;
  803. /* HelloVerifyRequest resets Finished MAC */
  804. if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
  805. /* SSLfatal() already called */
  806. return WORK_ERROR;
  807. }
  808. /*
  809. * The next message should be another ClientHello which we need to
  810. * treat like it was the first packet
  811. */
  812. s->first_packet = 1;
  813. break;
  814. case TLS_ST_SW_SRVR_HELLO:
  815. if (SSL_CONNECTION_IS_TLS13(s)
  816. && s->hello_retry_request == SSL_HRR_PENDING) {
  817. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
  818. && statem_flush(s) != 1)
  819. return WORK_MORE_A;
  820. break;
  821. }
  822. #ifndef OPENSSL_NO_SCTP
  823. if (SSL_CONNECTION_IS_DTLS(s) && s->hit) {
  824. unsigned char sctpauthkey[64];
  825. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  826. size_t labellen;
  827. /*
  828. * Add new shared key for SCTP-Auth, will be ignored if no
  829. * SCTP used.
  830. */
  831. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  832. sizeof(DTLS1_SCTP_AUTH_LABEL));
  833. /* Don't include the terminating zero. */
  834. labellen = sizeof(labelbuffer) - 1;
  835. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  836. labellen += 1;
  837. if (SSL_export_keying_material(ssl, sctpauthkey,
  838. sizeof(sctpauthkey), labelbuffer,
  839. labellen, NULL, 0,
  840. 0) <= 0) {
  841. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  842. return WORK_ERROR;
  843. }
  844. BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  845. sizeof(sctpauthkey), sctpauthkey);
  846. }
  847. #endif
  848. if (!SSL_CONNECTION_IS_TLS13(s)
  849. || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  850. && s->hello_retry_request != SSL_HRR_COMPLETE))
  851. break;
  852. /* Fall through */
  853. case TLS_ST_SW_CHANGE:
  854. if (s->hello_retry_request == SSL_HRR_PENDING) {
  855. if (!statem_flush(s))
  856. return WORK_MORE_A;
  857. break;
  858. }
  859. if (SSL_CONNECTION_IS_TLS13(s)) {
  860. if (!ssl->method->ssl3_enc->setup_key_block(s)
  861. || !ssl->method->ssl3_enc->change_cipher_state(s,
  862. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
  863. /* SSLfatal() already called */
  864. return WORK_ERROR;
  865. }
  866. if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED
  867. && !ssl->method->ssl3_enc->change_cipher_state(s,
  868. SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) {
  869. /* SSLfatal() already called */
  870. return WORK_ERROR;
  871. }
  872. /*
  873. * We don't yet know whether the next record we are going to receive
  874. * is an unencrypted alert, an encrypted alert, or an encrypted
  875. * handshake message. We temporarily tolerate unencrypted alerts.
  876. */
  877. if (s->rlayer.rrlmethod->set_plain_alerts != NULL)
  878. s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 1);
  879. break;
  880. }
  881. #ifndef OPENSSL_NO_SCTP
  882. if (SSL_CONNECTION_IS_DTLS(s) && !s->hit) {
  883. /*
  884. * Change to new shared key of SCTP-Auth, will be ignored if
  885. * no SCTP used.
  886. */
  887. BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  888. 0, NULL);
  889. }
  890. #endif
  891. if (!ssl->method->ssl3_enc->change_cipher_state(s,
  892. SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
  893. /* SSLfatal() already called */
  894. return WORK_ERROR;
  895. }
  896. break;
  897. case TLS_ST_SW_SRVR_DONE:
  898. if (statem_flush(s) != 1)
  899. return WORK_MORE_A;
  900. break;
  901. case TLS_ST_SW_FINISHED:
  902. if (statem_flush(s) != 1)
  903. return WORK_MORE_A;
  904. #ifndef OPENSSL_NO_SCTP
  905. if (SSL_CONNECTION_IS_DTLS(s) && s->hit) {
  906. /*
  907. * Change to new shared key of SCTP-Auth, will be ignored if
  908. * no SCTP used.
  909. */
  910. BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  911. 0, NULL);
  912. }
  913. #endif
  914. if (SSL_CONNECTION_IS_TLS13(s)) {
  915. /* TLS 1.3 gets the secret size from the handshake md */
  916. size_t dummy;
  917. if (!ssl->method->ssl3_enc->generate_master_secret(s,
  918. s->master_secret, s->handshake_secret, 0,
  919. &dummy)
  920. || !ssl->method->ssl3_enc->change_cipher_state(s,
  921. SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
  922. /* SSLfatal() already called */
  923. return WORK_ERROR;
  924. }
  925. break;
  926. case TLS_ST_SW_CERT_REQ:
  927. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  928. if (statem_flush(s) != 1)
  929. return WORK_MORE_A;
  930. } else {
  931. if (!SSL_CONNECTION_IS_TLS13(s)
  932. || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0)
  933. s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none;
  934. }
  935. break;
  936. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  937. if (!s->hit && !send_certificate_request(s)) {
  938. if (!SSL_CONNECTION_IS_TLS13(s)
  939. || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0)
  940. s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none;
  941. }
  942. break;
  943. case TLS_ST_SW_KEY_UPDATE:
  944. if (statem_flush(s) != 1)
  945. return WORK_MORE_A;
  946. if (!tls13_update_key(s, 1)) {
  947. /* SSLfatal() already called */
  948. return WORK_ERROR;
  949. }
  950. break;
  951. case TLS_ST_SW_SESSION_TICKET:
  952. clear_sys_error();
  953. if (SSL_CONNECTION_IS_TLS13(s) && statem_flush(s) != 1) {
  954. if (SSL_get_error(ssl, 0) == SSL_ERROR_SYSCALL
  955. && conn_is_closed()) {
  956. /*
  957. * We ignore connection closed errors in TLSv1.3 when sending a
  958. * NewSessionTicket and behave as if we were successful. This is
  959. * so that we are still able to read data sent to us by a client
  960. * that closes soon after the end of the handshake without
  961. * waiting to read our post-handshake NewSessionTickets.
  962. */
  963. s->rwstate = SSL_NOTHING;
  964. break;
  965. }
  966. return WORK_MORE_A;
  967. }
  968. break;
  969. }
  970. return WORK_FINISHED_CONTINUE;
  971. }
  972. /*
  973. * Get the message construction function and message type for sending from the
  974. * server
  975. *
  976. * Valid return values are:
  977. * 1: Success
  978. * 0: Error
  979. */
  980. int ossl_statem_server_construct_message(SSL_CONNECTION *s,
  981. confunc_f *confunc, int *mt)
  982. {
  983. OSSL_STATEM *st = &s->statem;
  984. switch (st->hand_state) {
  985. default:
  986. /* Shouldn't happen */
  987. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE);
  988. return 0;
  989. case TLS_ST_SW_CHANGE:
  990. if (SSL_CONNECTION_IS_DTLS(s))
  991. *confunc = dtls_construct_change_cipher_spec;
  992. else
  993. *confunc = tls_construct_change_cipher_spec;
  994. *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
  995. break;
  996. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  997. *confunc = dtls_construct_hello_verify_request;
  998. *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
  999. break;
  1000. case TLS_ST_SW_HELLO_REQ:
  1001. /* No construction function needed */
  1002. *confunc = NULL;
  1003. *mt = SSL3_MT_HELLO_REQUEST;
  1004. break;
  1005. case TLS_ST_SW_SRVR_HELLO:
  1006. *confunc = tls_construct_server_hello;
  1007. *mt = SSL3_MT_SERVER_HELLO;
  1008. break;
  1009. case TLS_ST_SW_CERT:
  1010. *confunc = tls_construct_server_certificate;
  1011. *mt = SSL3_MT_CERTIFICATE;
  1012. break;
  1013. #ifndef OPENSSL_NO_COMP_ALG
  1014. case TLS_ST_SW_COMP_CERT:
  1015. *confunc = tls_construct_server_compressed_certificate;
  1016. *mt = SSL3_MT_COMPRESSED_CERTIFICATE;
  1017. break;
  1018. #endif
  1019. case TLS_ST_SW_CERT_VRFY:
  1020. *confunc = tls_construct_cert_verify;
  1021. *mt = SSL3_MT_CERTIFICATE_VERIFY;
  1022. break;
  1023. case TLS_ST_SW_KEY_EXCH:
  1024. *confunc = tls_construct_server_key_exchange;
  1025. *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
  1026. break;
  1027. case TLS_ST_SW_CERT_REQ:
  1028. *confunc = tls_construct_certificate_request;
  1029. *mt = SSL3_MT_CERTIFICATE_REQUEST;
  1030. break;
  1031. case TLS_ST_SW_SRVR_DONE:
  1032. *confunc = tls_construct_server_done;
  1033. *mt = SSL3_MT_SERVER_DONE;
  1034. break;
  1035. case TLS_ST_SW_SESSION_TICKET:
  1036. *confunc = tls_construct_new_session_ticket;
  1037. *mt = SSL3_MT_NEWSESSION_TICKET;
  1038. break;
  1039. case TLS_ST_SW_CERT_STATUS:
  1040. *confunc = tls_construct_cert_status;
  1041. *mt = SSL3_MT_CERTIFICATE_STATUS;
  1042. break;
  1043. case TLS_ST_SW_FINISHED:
  1044. *confunc = tls_construct_finished;
  1045. *mt = SSL3_MT_FINISHED;
  1046. break;
  1047. case TLS_ST_EARLY_DATA:
  1048. *confunc = NULL;
  1049. *mt = SSL3_MT_DUMMY;
  1050. break;
  1051. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  1052. *confunc = tls_construct_encrypted_extensions;
  1053. *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
  1054. break;
  1055. case TLS_ST_SW_KEY_UPDATE:
  1056. *confunc = tls_construct_key_update;
  1057. *mt = SSL3_MT_KEY_UPDATE;
  1058. break;
  1059. }
  1060. return 1;
  1061. }
  1062. /*
  1063. * Maximum size (excluding the Handshake header) of a ClientHello message,
  1064. * calculated as follows:
  1065. *
  1066. * 2 + # client_version
  1067. * 32 + # only valid length for random
  1068. * 1 + # length of session_id
  1069. * 32 + # maximum size for session_id
  1070. * 2 + # length of cipher suites
  1071. * 2^16-2 + # maximum length of cipher suites array
  1072. * 1 + # length of compression_methods
  1073. * 2^8-1 + # maximum length of compression methods
  1074. * 2 + # length of extensions
  1075. * 2^16-1 # maximum length of extensions
  1076. */
  1077. #define CLIENT_HELLO_MAX_LENGTH 131396
  1078. #define CLIENT_KEY_EXCH_MAX_LENGTH 2048
  1079. #define NEXT_PROTO_MAX_LENGTH 514
  1080. /*
  1081. * Returns the maximum allowed length for the current message that we are
  1082. * reading. Excludes the message header.
  1083. */
  1084. size_t ossl_statem_server_max_message_size(SSL_CONNECTION *s)
  1085. {
  1086. OSSL_STATEM *st = &s->statem;
  1087. switch (st->hand_state) {
  1088. default:
  1089. /* Shouldn't happen */
  1090. return 0;
  1091. case TLS_ST_SR_CLNT_HELLO:
  1092. return CLIENT_HELLO_MAX_LENGTH;
  1093. case TLS_ST_SR_END_OF_EARLY_DATA:
  1094. return END_OF_EARLY_DATA_MAX_LENGTH;
  1095. case TLS_ST_SR_COMP_CERT:
  1096. case TLS_ST_SR_CERT:
  1097. return s->max_cert_list;
  1098. case TLS_ST_SR_KEY_EXCH:
  1099. return CLIENT_KEY_EXCH_MAX_LENGTH;
  1100. case TLS_ST_SR_CERT_VRFY:
  1101. return CERTIFICATE_VERIFY_MAX_LENGTH;
  1102. #ifndef OPENSSL_NO_NEXTPROTONEG
  1103. case TLS_ST_SR_NEXT_PROTO:
  1104. return NEXT_PROTO_MAX_LENGTH;
  1105. #endif
  1106. case TLS_ST_SR_CHANGE:
  1107. return CCS_MAX_LENGTH;
  1108. case TLS_ST_SR_FINISHED:
  1109. return FINISHED_MAX_LENGTH;
  1110. case TLS_ST_SR_KEY_UPDATE:
  1111. return KEY_UPDATE_MAX_LENGTH;
  1112. }
  1113. }
  1114. /*
  1115. * Process a message that the server has received from the client.
  1116. */
  1117. MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL_CONNECTION *s,
  1118. PACKET *pkt)
  1119. {
  1120. OSSL_STATEM *st = &s->statem;
  1121. switch (st->hand_state) {
  1122. default:
  1123. /* Shouldn't happen */
  1124. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1125. return MSG_PROCESS_ERROR;
  1126. case TLS_ST_SR_CLNT_HELLO:
  1127. return tls_process_client_hello(s, pkt);
  1128. case TLS_ST_SR_END_OF_EARLY_DATA:
  1129. return tls_process_end_of_early_data(s, pkt);
  1130. case TLS_ST_SR_CERT:
  1131. return tls_process_client_certificate(s, pkt);
  1132. #ifndef OPENSSL_NO_COMP_ALG
  1133. case TLS_ST_SR_COMP_CERT:
  1134. return tls_process_client_compressed_certificate(s, pkt);
  1135. #endif
  1136. case TLS_ST_SR_KEY_EXCH:
  1137. return tls_process_client_key_exchange(s, pkt);
  1138. case TLS_ST_SR_CERT_VRFY:
  1139. return tls_process_cert_verify(s, pkt);
  1140. #ifndef OPENSSL_NO_NEXTPROTONEG
  1141. case TLS_ST_SR_NEXT_PROTO:
  1142. return tls_process_next_proto(s, pkt);
  1143. #endif
  1144. case TLS_ST_SR_CHANGE:
  1145. return tls_process_change_cipher_spec(s, pkt);
  1146. case TLS_ST_SR_FINISHED:
  1147. return tls_process_finished(s, pkt);
  1148. case TLS_ST_SR_KEY_UPDATE:
  1149. return tls_process_key_update(s, pkt);
  1150. }
  1151. }
  1152. /*
  1153. * Perform any further processing required following the receipt of a message
  1154. * from the client
  1155. */
  1156. WORK_STATE ossl_statem_server_post_process_message(SSL_CONNECTION *s,
  1157. WORK_STATE wst)
  1158. {
  1159. OSSL_STATEM *st = &s->statem;
  1160. switch (st->hand_state) {
  1161. default:
  1162. /* Shouldn't happen */
  1163. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1164. return WORK_ERROR;
  1165. case TLS_ST_SR_CLNT_HELLO:
  1166. return tls_post_process_client_hello(s, wst);
  1167. case TLS_ST_SR_KEY_EXCH:
  1168. return tls_post_process_client_key_exchange(s, wst);
  1169. }
  1170. }
  1171. #ifndef OPENSSL_NO_SRP
  1172. /* Returns 1 on success, 0 for retryable error, -1 for fatal error */
  1173. static int ssl_check_srp_ext_ClientHello(SSL_CONNECTION *s)
  1174. {
  1175. int ret;
  1176. int al = SSL_AD_UNRECOGNIZED_NAME;
  1177. if ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
  1178. (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
  1179. if (s->srp_ctx.login == NULL) {
  1180. /*
  1181. * RFC 5054 says SHOULD reject, we do so if There is no srp
  1182. * login name
  1183. */
  1184. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
  1185. SSL_R_PSK_IDENTITY_NOT_FOUND);
  1186. return -1;
  1187. } else {
  1188. ret = ssl_srp_server_param_with_username_intern(s, &al);
  1189. if (ret < 0)
  1190. return 0;
  1191. if (ret == SSL3_AL_FATAL) {
  1192. SSLfatal(s, al,
  1193. al == SSL_AD_UNKNOWN_PSK_IDENTITY
  1194. ? SSL_R_PSK_IDENTITY_NOT_FOUND
  1195. : SSL_R_CLIENTHELLO_TLSEXT);
  1196. return -1;
  1197. }
  1198. }
  1199. }
  1200. return 1;
  1201. }
  1202. #endif
  1203. int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
  1204. size_t cookie_len)
  1205. {
  1206. /* Always use DTLS 1.0 version: see RFC 6347 */
  1207. if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
  1208. || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
  1209. return 0;
  1210. return 1;
  1211. }
  1212. CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s,
  1213. WPACKET *pkt)
  1214. {
  1215. unsigned int cookie_leni;
  1216. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1217. if (sctx->app_gen_cookie_cb == NULL
  1218. || sctx->app_gen_cookie_cb(SSL_CONNECTION_GET_SSL(s), s->d1->cookie,
  1219. &cookie_leni) == 0
  1220. || cookie_leni > DTLS1_COOKIE_LENGTH) {
  1221. SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
  1222. return CON_FUNC_ERROR;
  1223. }
  1224. s->d1->cookie_len = cookie_leni;
  1225. if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
  1226. s->d1->cookie_len)) {
  1227. SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);
  1228. return CON_FUNC_ERROR;
  1229. }
  1230. return CON_FUNC_SUCCESS;
  1231. }
  1232. /*-
  1233. * ssl_check_for_safari attempts to fingerprint Safari using OS X
  1234. * SecureTransport using the TLS extension block in |hello|.
  1235. * Safari, since 10.6, sends exactly these extensions, in this order:
  1236. * SNI,
  1237. * elliptic_curves
  1238. * ec_point_formats
  1239. * signature_algorithms (for TLSv1.2 only)
  1240. *
  1241. * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
  1242. * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
  1243. * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
  1244. * 10.8..10.8.3 (which don't work).
  1245. */
  1246. static void ssl_check_for_safari(SSL_CONNECTION *s,
  1247. const CLIENTHELLO_MSG *hello)
  1248. {
  1249. static const unsigned char kSafariExtensionsBlock[] = {
  1250. 0x00, 0x0a, /* elliptic_curves extension */
  1251. 0x00, 0x08, /* 8 bytes */
  1252. 0x00, 0x06, /* 6 bytes of curve ids */
  1253. 0x00, 0x17, /* P-256 */
  1254. 0x00, 0x18, /* P-384 */
  1255. 0x00, 0x19, /* P-521 */
  1256. 0x00, 0x0b, /* ec_point_formats */
  1257. 0x00, 0x02, /* 2 bytes */
  1258. 0x01, /* 1 point format */
  1259. 0x00, /* uncompressed */
  1260. /* The following is only present in TLS 1.2 */
  1261. 0x00, 0x0d, /* signature_algorithms */
  1262. 0x00, 0x0c, /* 12 bytes */
  1263. 0x00, 0x0a, /* 10 bytes */
  1264. 0x05, 0x01, /* SHA-384/RSA */
  1265. 0x04, 0x01, /* SHA-256/RSA */
  1266. 0x02, 0x01, /* SHA-1/RSA */
  1267. 0x04, 0x03, /* SHA-256/ECDSA */
  1268. 0x02, 0x03, /* SHA-1/ECDSA */
  1269. };
  1270. /* Length of the common prefix (first two extensions). */
  1271. static const size_t kSafariCommonExtensionsLength = 18;
  1272. unsigned int type;
  1273. PACKET sni, tmppkt;
  1274. size_t ext_len;
  1275. tmppkt = hello->extensions;
  1276. if (!PACKET_forward(&tmppkt, 2)
  1277. || !PACKET_get_net_2(&tmppkt, &type)
  1278. || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
  1279. return;
  1280. }
  1281. if (type != TLSEXT_TYPE_server_name)
  1282. return;
  1283. ext_len = TLS1_get_client_version(
  1284. SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION ?
  1285. sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
  1286. s->s3.is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
  1287. ext_len);
  1288. }
  1289. #define RENEG_OPTIONS_OK(options) \
  1290. ((options & SSL_OP_NO_RENEGOTIATION) == 0 \
  1291. && (options & SSL_OP_ALLOW_CLIENT_RENEGOTIATION) != 0)
  1292. MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt)
  1293. {
  1294. /* |cookie| will only be initialized for DTLS. */
  1295. PACKET session_id, compression, extensions, cookie;
  1296. static const unsigned char null_compression = 0;
  1297. CLIENTHELLO_MSG *clienthello = NULL;
  1298. /* Check if this is actually an unexpected renegotiation ClientHello */
  1299. if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  1300. if (!ossl_assert(!SSL_CONNECTION_IS_TLS13(s))) {
  1301. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1302. goto err;
  1303. }
  1304. if (!RENEG_OPTIONS_OK(s->options)
  1305. || (!s->s3.send_connection_binding
  1306. && (s->options
  1307. & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) {
  1308. ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
  1309. return MSG_PROCESS_FINISHED_READING;
  1310. }
  1311. s->renegotiate = 1;
  1312. s->new_session = 1;
  1313. }
  1314. clienthello = OPENSSL_zalloc(sizeof(*clienthello));
  1315. if (clienthello == NULL) {
  1316. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1317. goto err;
  1318. }
  1319. /*
  1320. * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
  1321. */
  1322. clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
  1323. PACKET_null_init(&cookie);
  1324. if (clienthello->isv2) {
  1325. unsigned int mt;
  1326. if (!SSL_IS_FIRST_HANDSHAKE(s)
  1327. || s->hello_retry_request != SSL_HRR_NONE) {
  1328. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
  1329. goto err;
  1330. }
  1331. /*-
  1332. * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
  1333. * header is sent directly on the wire, not wrapped as a TLS
  1334. * record. Our record layer just processes the message length and passes
  1335. * the rest right through. Its format is:
  1336. * Byte Content
  1337. * 0-1 msg_length - decoded by the record layer
  1338. * 2 msg_type - s->init_msg points here
  1339. * 3-4 version
  1340. * 5-6 cipher_spec_length
  1341. * 7-8 session_id_length
  1342. * 9-10 challenge_length
  1343. * ... ...
  1344. */
  1345. if (!PACKET_get_1(pkt, &mt)
  1346. || mt != SSL2_MT_CLIENT_HELLO) {
  1347. /*
  1348. * Should never happen. We should have tested this in the record
  1349. * layer in order to have determined that this is a SSLv2 record
  1350. * in the first place
  1351. */
  1352. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1353. goto err;
  1354. }
  1355. }
  1356. if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
  1357. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
  1358. goto err;
  1359. }
  1360. /* Parse the message and load client random. */
  1361. if (clienthello->isv2) {
  1362. /*
  1363. * Handle an SSLv2 backwards compatible ClientHello
  1364. * Note, this is only for SSLv3+ using the backward compatible format.
  1365. * Real SSLv2 is not supported, and is rejected below.
  1366. */
  1367. unsigned int ciphersuite_len, session_id_len, challenge_len;
  1368. PACKET challenge;
  1369. if (!PACKET_get_net_2(pkt, &ciphersuite_len)
  1370. || !PACKET_get_net_2(pkt, &session_id_len)
  1371. || !PACKET_get_net_2(pkt, &challenge_len)) {
  1372. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RECORD_LENGTH_MISMATCH);
  1373. goto err;
  1374. }
  1375. if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
  1376. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_MISMATCH);
  1377. goto err;
  1378. }
  1379. if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
  1380. ciphersuite_len)
  1381. || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
  1382. || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
  1383. /* No extensions. */
  1384. || PACKET_remaining(pkt) != 0) {
  1385. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RECORD_LENGTH_MISMATCH);
  1386. goto err;
  1387. }
  1388. clienthello->session_id_len = session_id_len;
  1389. /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
  1390. * here rather than sizeof(clienthello->random) because that is the limit
  1391. * for SSLv3 and it is fixed. It won't change even if
  1392. * sizeof(clienthello->random) does.
  1393. */
  1394. challenge_len = challenge_len > SSL3_RANDOM_SIZE
  1395. ? SSL3_RANDOM_SIZE : challenge_len;
  1396. memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
  1397. if (!PACKET_copy_bytes(&challenge,
  1398. clienthello->random + SSL3_RANDOM_SIZE -
  1399. challenge_len, challenge_len)
  1400. /* Advertise only null compression. */
  1401. || !PACKET_buf_init(&compression, &null_compression, 1)) {
  1402. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1403. goto err;
  1404. }
  1405. PACKET_null_init(&clienthello->extensions);
  1406. } else {
  1407. /* Regular ClientHello. */
  1408. if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
  1409. || !PACKET_get_length_prefixed_1(pkt, &session_id)
  1410. || !PACKET_copy_all(&session_id, clienthello->session_id,
  1411. SSL_MAX_SSL_SESSION_ID_LENGTH,
  1412. &clienthello->session_id_len)) {
  1413. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1414. goto err;
  1415. }
  1416. if (SSL_CONNECTION_IS_DTLS(s)) {
  1417. if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
  1418. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1419. goto err;
  1420. }
  1421. if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
  1422. DTLS1_COOKIE_LENGTH,
  1423. &clienthello->dtls_cookie_len)) {
  1424. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1425. goto err;
  1426. }
  1427. /*
  1428. * If we require cookies and this ClientHello doesn't contain one,
  1429. * just return since we do not want to allocate any memory yet.
  1430. * So check cookie length...
  1431. */
  1432. if (SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_COOKIE_EXCHANGE) {
  1433. if (clienthello->dtls_cookie_len == 0) {
  1434. OPENSSL_free(clienthello);
  1435. return MSG_PROCESS_FINISHED_READING;
  1436. }
  1437. }
  1438. }
  1439. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
  1440. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1441. goto err;
  1442. }
  1443. if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
  1444. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1445. goto err;
  1446. }
  1447. /* Could be empty. */
  1448. if (PACKET_remaining(pkt) == 0) {
  1449. PACKET_null_init(&clienthello->extensions);
  1450. } else {
  1451. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
  1452. || PACKET_remaining(pkt) != 0) {
  1453. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1454. goto err;
  1455. }
  1456. }
  1457. }
  1458. if (!PACKET_copy_all(&compression, clienthello->compressions,
  1459. MAX_COMPRESSIONS_SIZE,
  1460. &clienthello->compressions_len)) {
  1461. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1462. goto err;
  1463. }
  1464. /* Preserve the raw extensions PACKET for later use */
  1465. extensions = clienthello->extensions;
  1466. if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
  1467. &clienthello->pre_proc_exts,
  1468. &clienthello->pre_proc_exts_len, 1)) {
  1469. /* SSLfatal already been called */
  1470. goto err;
  1471. }
  1472. s->clienthello = clienthello;
  1473. return MSG_PROCESS_CONTINUE_PROCESSING;
  1474. err:
  1475. if (clienthello != NULL)
  1476. OPENSSL_free(clienthello->pre_proc_exts);
  1477. OPENSSL_free(clienthello);
  1478. return MSG_PROCESS_ERROR;
  1479. }
  1480. static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
  1481. {
  1482. unsigned int j;
  1483. int i, al = SSL_AD_INTERNAL_ERROR;
  1484. int protverr;
  1485. size_t loop;
  1486. unsigned long id;
  1487. #ifndef OPENSSL_NO_COMP
  1488. SSL_COMP *comp = NULL;
  1489. #endif
  1490. const SSL_CIPHER *c;
  1491. STACK_OF(SSL_CIPHER) *ciphers = NULL;
  1492. STACK_OF(SSL_CIPHER) *scsvs = NULL;
  1493. CLIENTHELLO_MSG *clienthello = s->clienthello;
  1494. DOWNGRADE dgrd = DOWNGRADE_NONE;
  1495. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1496. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  1497. /* Finished parsing the ClientHello, now we can start processing it */
  1498. /* Give the ClientHello callback a crack at things */
  1499. if (sctx->client_hello_cb != NULL) {
  1500. /* A failure in the ClientHello callback terminates the connection. */
  1501. switch (sctx->client_hello_cb(ssl, &al, sctx->client_hello_cb_arg)) {
  1502. case SSL_CLIENT_HELLO_SUCCESS:
  1503. break;
  1504. case SSL_CLIENT_HELLO_RETRY:
  1505. s->rwstate = SSL_CLIENT_HELLO_CB;
  1506. return -1;
  1507. case SSL_CLIENT_HELLO_ERROR:
  1508. default:
  1509. SSLfatal(s, al, SSL_R_CALLBACK_FAILED);
  1510. goto err;
  1511. }
  1512. }
  1513. /* Set up the client_random */
  1514. memcpy(s->s3.client_random, clienthello->random, SSL3_RANDOM_SIZE);
  1515. /* Choose the version */
  1516. if (clienthello->isv2) {
  1517. if (clienthello->legacy_version == SSL2_VERSION
  1518. || (clienthello->legacy_version & 0xff00)
  1519. != (SSL3_VERSION_MAJOR << 8)) {
  1520. /*
  1521. * This is real SSLv2 or something completely unknown. We don't
  1522. * support it.
  1523. */
  1524. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNKNOWN_PROTOCOL);
  1525. goto err;
  1526. }
  1527. /* SSLv3/TLS */
  1528. s->client_version = clienthello->legacy_version;
  1529. }
  1530. /* Choose the server SSL/TLS/DTLS version. */
  1531. protverr = ssl_choose_server_version(s, clienthello, &dgrd);
  1532. if (protverr) {
  1533. if (SSL_IS_FIRST_HANDSHAKE(s)) {
  1534. /* like ssl3_get_record, send alert using remote version number */
  1535. s->version = s->client_version = clienthello->legacy_version;
  1536. }
  1537. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, protverr);
  1538. goto err;
  1539. }
  1540. /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
  1541. if (SSL_CONNECTION_IS_TLS13(s)
  1542. && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  1543. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
  1544. goto err;
  1545. }
  1546. if (SSL_CONNECTION_IS_DTLS(s)) {
  1547. /* Empty cookie was already handled above by returning early. */
  1548. if (SSL_get_options(ssl) & SSL_OP_COOKIE_EXCHANGE) {
  1549. if (sctx->app_verify_cookie_cb != NULL) {
  1550. if (sctx->app_verify_cookie_cb(ssl, clienthello->dtls_cookie,
  1551. clienthello->dtls_cookie_len) == 0) {
  1552. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1553. SSL_R_COOKIE_MISMATCH);
  1554. goto err;
  1555. /* else cookie verification succeeded */
  1556. }
  1557. /* default verification */
  1558. } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
  1559. || memcmp(clienthello->dtls_cookie, s->d1->cookie,
  1560. s->d1->cookie_len) != 0) {
  1561. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_COOKIE_MISMATCH);
  1562. goto err;
  1563. }
  1564. s->d1->cookie_verified = 1;
  1565. }
  1566. }
  1567. s->hit = 0;
  1568. if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
  1569. clienthello->isv2) ||
  1570. !ossl_bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers,
  1571. &scsvs, clienthello->isv2, 1)) {
  1572. /* SSLfatal() already called */
  1573. goto err;
  1574. }
  1575. s->s3.send_connection_binding = 0;
  1576. /* Check what signalling cipher-suite values were received. */
  1577. if (scsvs != NULL) {
  1578. for (i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
  1579. c = sk_SSL_CIPHER_value(scsvs, i);
  1580. if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
  1581. if (s->renegotiate) {
  1582. /* SCSV is fatal if renegotiating */
  1583. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1584. SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
  1585. goto err;
  1586. }
  1587. s->s3.send_connection_binding = 1;
  1588. } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
  1589. !ssl_check_version_downgrade(s)) {
  1590. /*
  1591. * This SCSV indicates that the client previously tried
  1592. * a higher version. We should fail if the current version
  1593. * is an unexpected downgrade, as that indicates that the first
  1594. * connection may have been tampered with in order to trigger
  1595. * an insecure downgrade.
  1596. */
  1597. SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK,
  1598. SSL_R_INAPPROPRIATE_FALLBACK);
  1599. goto err;
  1600. }
  1601. }
  1602. }
  1603. /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
  1604. if (SSL_CONNECTION_IS_TLS13(s)) {
  1605. const SSL_CIPHER *cipher =
  1606. ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(ssl));
  1607. if (cipher == NULL) {
  1608. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER);
  1609. goto err;
  1610. }
  1611. if (s->hello_retry_request == SSL_HRR_PENDING
  1612. && (s->s3.tmp.new_cipher == NULL
  1613. || s->s3.tmp.new_cipher->id != cipher->id)) {
  1614. /*
  1615. * A previous HRR picked a different ciphersuite to the one we
  1616. * just selected. Something must have changed.
  1617. */
  1618. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
  1619. goto err;
  1620. }
  1621. s->s3.tmp.new_cipher = cipher;
  1622. }
  1623. /* We need to do this before getting the session */
  1624. if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
  1625. SSL_EXT_CLIENT_HELLO,
  1626. clienthello->pre_proc_exts, NULL, 0)) {
  1627. /* SSLfatal() already called */
  1628. goto err;
  1629. }
  1630. /*
  1631. * We don't allow resumption in a backwards compatible ClientHello.
  1632. * In TLS1.1+, session_id MUST be empty.
  1633. *
  1634. * Versions before 0.9.7 always allow clients to resume sessions in
  1635. * renegotiation. 0.9.7 and later allow this by default, but optionally
  1636. * ignore resumption requests with flag
  1637. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
  1638. * than a change to default behavior so that applications relying on
  1639. * this for security won't even compile against older library versions).
  1640. * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
  1641. * request renegotiation but not a new session (s->new_session remains
  1642. * unset): for servers, this essentially just means that the
  1643. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
  1644. * ignored.
  1645. */
  1646. if (clienthello->isv2 ||
  1647. (s->new_session &&
  1648. (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
  1649. if (!ssl_get_new_session(s, 1)) {
  1650. /* SSLfatal() already called */
  1651. goto err;
  1652. }
  1653. } else {
  1654. i = ssl_get_prev_session(s, clienthello);
  1655. if (i == 1) {
  1656. /* previous session */
  1657. s->hit = 1;
  1658. } else if (i == -1) {
  1659. /* SSLfatal() already called */
  1660. goto err;
  1661. } else {
  1662. /* i == 0 */
  1663. if (!ssl_get_new_session(s, 1)) {
  1664. /* SSLfatal() already called */
  1665. goto err;
  1666. }
  1667. }
  1668. }
  1669. if (SSL_CONNECTION_IS_TLS13(s)) {
  1670. memcpy(s->tmp_session_id, s->clienthello->session_id,
  1671. s->clienthello->session_id_len);
  1672. s->tmp_session_id_len = s->clienthello->session_id_len;
  1673. }
  1674. /*
  1675. * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
  1676. * ciphersuite compatibility with the session as part of resumption.
  1677. */
  1678. if (!SSL_CONNECTION_IS_TLS13(s) && s->hit) {
  1679. j = 0;
  1680. id = s->session->cipher->id;
  1681. OSSL_TRACE_BEGIN(TLS_CIPHER) {
  1682. BIO_printf(trc_out, "client sent %d ciphers\n",
  1683. sk_SSL_CIPHER_num(ciphers));
  1684. }
  1685. for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
  1686. c = sk_SSL_CIPHER_value(ciphers, i);
  1687. if (trc_out != NULL)
  1688. BIO_printf(trc_out, "client [%2d of %2d]:%s\n", i,
  1689. sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
  1690. if (c->id == id) {
  1691. j = 1;
  1692. break;
  1693. }
  1694. }
  1695. if (j == 0) {
  1696. /*
  1697. * we need to have the cipher in the cipher list if we are asked
  1698. * to reuse it
  1699. */
  1700. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1701. SSL_R_REQUIRED_CIPHER_MISSING);
  1702. OSSL_TRACE_CANCEL(TLS_CIPHER);
  1703. goto err;
  1704. }
  1705. OSSL_TRACE_END(TLS_CIPHER);
  1706. }
  1707. for (loop = 0; loop < clienthello->compressions_len; loop++) {
  1708. if (clienthello->compressions[loop] == 0)
  1709. break;
  1710. }
  1711. if (loop >= clienthello->compressions_len) {
  1712. /* no compress */
  1713. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_COMPRESSION_SPECIFIED);
  1714. goto err;
  1715. }
  1716. if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
  1717. ssl_check_for_safari(s, clienthello);
  1718. /* TLS extensions */
  1719. if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
  1720. clienthello->pre_proc_exts, NULL, 0, 1)) {
  1721. /* SSLfatal() already called */
  1722. goto err;
  1723. }
  1724. /*
  1725. * Check if we want to use external pre-shared secret for this handshake
  1726. * for not reused session only. We need to generate server_random before
  1727. * calling tls_session_secret_cb in order to allow SessionTicket
  1728. * processing to use it in key derivation.
  1729. */
  1730. {
  1731. unsigned char *pos;
  1732. pos = s->s3.server_random;
  1733. if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
  1734. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1735. goto err;
  1736. }
  1737. }
  1738. if (!s->hit && !tls1_set_server_sigalgs(s)) {
  1739. /* SSLfatal() already called */
  1740. goto err;
  1741. }
  1742. if (!s->hit
  1743. && s->version >= TLS1_VERSION
  1744. && !SSL_CONNECTION_IS_TLS13(s)
  1745. && !SSL_CONNECTION_IS_DTLS(s)
  1746. && s->ext.session_secret_cb != NULL) {
  1747. const SSL_CIPHER *pref_cipher = NULL;
  1748. /*
  1749. * s->session->master_key_length is a size_t, but this is an int for
  1750. * backwards compat reasons
  1751. */
  1752. int master_key_length;
  1753. master_key_length = sizeof(s->session->master_key);
  1754. if (s->ext.session_secret_cb(ssl, s->session->master_key,
  1755. &master_key_length, ciphers,
  1756. &pref_cipher,
  1757. s->ext.session_secret_cb_arg)
  1758. && master_key_length > 0) {
  1759. s->session->master_key_length = master_key_length;
  1760. s->hit = 1;
  1761. s->peer_ciphers = ciphers;
  1762. s->session->verify_result = X509_V_OK;
  1763. ciphers = NULL;
  1764. /* check if some cipher was preferred by call back */
  1765. if (pref_cipher == NULL)
  1766. pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers,
  1767. SSL_get_ciphers(ssl));
  1768. if (pref_cipher == NULL) {
  1769. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER);
  1770. goto err;
  1771. }
  1772. s->session->cipher = pref_cipher;
  1773. sk_SSL_CIPHER_free(s->cipher_list);
  1774. s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers);
  1775. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  1776. s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
  1777. }
  1778. }
  1779. /*
  1780. * Worst case, we will use the NULL compression, but if we have other
  1781. * options, we will now look for them. We have complen-1 compression
  1782. * algorithms from the client, starting at q.
  1783. */
  1784. s->s3.tmp.new_compression = NULL;
  1785. if (SSL_CONNECTION_IS_TLS13(s)) {
  1786. /*
  1787. * We already checked above that the NULL compression method appears in
  1788. * the list. Now we check there aren't any others (which is illegal in
  1789. * a TLSv1.3 ClientHello.
  1790. */
  1791. if (clienthello->compressions_len != 1) {
  1792. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1793. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1794. goto err;
  1795. }
  1796. }
  1797. #ifndef OPENSSL_NO_COMP
  1798. /* This only happens if we have a cache hit */
  1799. else if (s->session->compress_meth != 0) {
  1800. int m, comp_id = s->session->compress_meth;
  1801. unsigned int k;
  1802. /* Perform sanity checks on resumed compression algorithm */
  1803. /* Can't disable compression */
  1804. if (!ssl_allow_compression(s)) {
  1805. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1806. SSL_R_INCONSISTENT_COMPRESSION);
  1807. goto err;
  1808. }
  1809. /* Look for resumed compression method */
  1810. for (m = 0; m < sk_SSL_COMP_num(sctx->comp_methods); m++) {
  1811. comp = sk_SSL_COMP_value(sctx->comp_methods, m);
  1812. if (comp_id == comp->id) {
  1813. s->s3.tmp.new_compression = comp;
  1814. break;
  1815. }
  1816. }
  1817. if (s->s3.tmp.new_compression == NULL) {
  1818. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1819. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1820. goto err;
  1821. }
  1822. /* Look for resumed method in compression list */
  1823. for (k = 0; k < clienthello->compressions_len; k++) {
  1824. if (clienthello->compressions[k] == comp_id)
  1825. break;
  1826. }
  1827. if (k >= clienthello->compressions_len) {
  1828. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1829. SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
  1830. goto err;
  1831. }
  1832. } else if (s->hit) {
  1833. comp = NULL;
  1834. } else if (ssl_allow_compression(s) && sctx->comp_methods) {
  1835. /* See if we have a match */
  1836. int m, nn, v, done = 0;
  1837. unsigned int o;
  1838. nn = sk_SSL_COMP_num(sctx->comp_methods);
  1839. for (m = 0; m < nn; m++) {
  1840. comp = sk_SSL_COMP_value(sctx->comp_methods, m);
  1841. v = comp->id;
  1842. for (o = 0; o < clienthello->compressions_len; o++) {
  1843. if (v == clienthello->compressions[o]) {
  1844. done = 1;
  1845. break;
  1846. }
  1847. }
  1848. if (done)
  1849. break;
  1850. }
  1851. if (done)
  1852. s->s3.tmp.new_compression = comp;
  1853. else
  1854. comp = NULL;
  1855. }
  1856. #else
  1857. /*
  1858. * If compression is disabled we'd better not try to resume a session
  1859. * using compression.
  1860. */
  1861. if (s->session->compress_meth != 0) {
  1862. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION);
  1863. goto err;
  1864. }
  1865. #endif
  1866. /*
  1867. * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher
  1868. */
  1869. if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
  1870. sk_SSL_CIPHER_free(s->peer_ciphers);
  1871. s->peer_ciphers = ciphers;
  1872. if (ciphers == NULL) {
  1873. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1874. goto err;
  1875. }
  1876. ciphers = NULL;
  1877. }
  1878. if (!s->hit) {
  1879. #ifdef OPENSSL_NO_COMP
  1880. s->session->compress_meth = 0;
  1881. #else
  1882. s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
  1883. #endif
  1884. }
  1885. sk_SSL_CIPHER_free(ciphers);
  1886. sk_SSL_CIPHER_free(scsvs);
  1887. OPENSSL_free(clienthello->pre_proc_exts);
  1888. OPENSSL_free(s->clienthello);
  1889. s->clienthello = NULL;
  1890. return 1;
  1891. err:
  1892. sk_SSL_CIPHER_free(ciphers);
  1893. sk_SSL_CIPHER_free(scsvs);
  1894. OPENSSL_free(clienthello->pre_proc_exts);
  1895. OPENSSL_free(s->clienthello);
  1896. s->clienthello = NULL;
  1897. return 0;
  1898. }
  1899. /*
  1900. * Call the status request callback if needed. Upon success, returns 1.
  1901. * Upon failure, returns 0.
  1902. */
  1903. static int tls_handle_status_request(SSL_CONNECTION *s)
  1904. {
  1905. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1906. s->ext.status_expected = 0;
  1907. /*
  1908. * If status request then ask callback what to do. Note: this must be
  1909. * called after servername callbacks in case the certificate has changed,
  1910. * and must be called after the cipher has been chosen because this may
  1911. * influence which certificate is sent
  1912. */
  1913. if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && sctx != NULL
  1914. && sctx->ext.status_cb != NULL) {
  1915. int ret;
  1916. /* If no certificate can't return certificate status */
  1917. if (s->s3.tmp.cert != NULL) {
  1918. /*
  1919. * Set current certificate to one we will use so SSL_get_certificate
  1920. * et al can pick it up.
  1921. */
  1922. s->cert->key = s->s3.tmp.cert;
  1923. ret = sctx->ext.status_cb(SSL_CONNECTION_GET_SSL(s),
  1924. sctx->ext.status_arg);
  1925. switch (ret) {
  1926. /* We don't want to send a status request response */
  1927. case SSL_TLSEXT_ERR_NOACK:
  1928. s->ext.status_expected = 0;
  1929. break;
  1930. /* status request response should be sent */
  1931. case SSL_TLSEXT_ERR_OK:
  1932. if (s->ext.ocsp.resp)
  1933. s->ext.status_expected = 1;
  1934. break;
  1935. /* something bad happened */
  1936. case SSL_TLSEXT_ERR_ALERT_FATAL:
  1937. default:
  1938. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CLIENTHELLO_TLSEXT);
  1939. return 0;
  1940. }
  1941. }
  1942. }
  1943. return 1;
  1944. }
  1945. /*
  1946. * Call the alpn_select callback if needed. Upon success, returns 1.
  1947. * Upon failure, returns 0.
  1948. */
  1949. int tls_handle_alpn(SSL_CONNECTION *s)
  1950. {
  1951. const unsigned char *selected = NULL;
  1952. unsigned char selected_len = 0;
  1953. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1954. if (sctx->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) {
  1955. int r = sctx->ext.alpn_select_cb(SSL_CONNECTION_GET_SSL(s),
  1956. &selected, &selected_len,
  1957. s->s3.alpn_proposed,
  1958. (unsigned int)s->s3.alpn_proposed_len,
  1959. sctx->ext.alpn_select_cb_arg);
  1960. if (r == SSL_TLSEXT_ERR_OK) {
  1961. OPENSSL_free(s->s3.alpn_selected);
  1962. s->s3.alpn_selected = OPENSSL_memdup(selected, selected_len);
  1963. if (s->s3.alpn_selected == NULL) {
  1964. s->s3.alpn_selected_len = 0;
  1965. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1966. return 0;
  1967. }
  1968. s->s3.alpn_selected_len = selected_len;
  1969. #ifndef OPENSSL_NO_NEXTPROTONEG
  1970. /* ALPN takes precedence over NPN. */
  1971. s->s3.npn_seen = 0;
  1972. #endif
  1973. /* Check ALPN is consistent with session */
  1974. if (s->session->ext.alpn_selected == NULL
  1975. || selected_len != s->session->ext.alpn_selected_len
  1976. || memcmp(selected, s->session->ext.alpn_selected,
  1977. selected_len) != 0) {
  1978. /* Not consistent so can't be used for early_data */
  1979. s->ext.early_data_ok = 0;
  1980. if (!s->hit) {
  1981. /*
  1982. * This is a new session and so alpn_selected should have
  1983. * been initialised to NULL. We should update it with the
  1984. * selected ALPN.
  1985. */
  1986. if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
  1987. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1988. ERR_R_INTERNAL_ERROR);
  1989. return 0;
  1990. }
  1991. s->session->ext.alpn_selected = OPENSSL_memdup(selected,
  1992. selected_len);
  1993. if (s->session->ext.alpn_selected == NULL) {
  1994. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1995. ERR_R_INTERNAL_ERROR);
  1996. return 0;
  1997. }
  1998. s->session->ext.alpn_selected_len = selected_len;
  1999. }
  2000. }
  2001. return 1;
  2002. } else if (r != SSL_TLSEXT_ERR_NOACK) {
  2003. SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL,
  2004. SSL_R_NO_APPLICATION_PROTOCOL);
  2005. return 0;
  2006. }
  2007. /*
  2008. * If r == SSL_TLSEXT_ERR_NOACK then behave as if no callback was
  2009. * present.
  2010. */
  2011. }
  2012. /* Check ALPN is consistent with session */
  2013. if (s->session->ext.alpn_selected != NULL) {
  2014. /* Not consistent so can't be used for early_data */
  2015. s->ext.early_data_ok = 0;
  2016. }
  2017. return 1;
  2018. }
  2019. WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst)
  2020. {
  2021. const SSL_CIPHER *cipher;
  2022. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  2023. if (wst == WORK_MORE_A) {
  2024. int rv = tls_early_post_process_client_hello(s);
  2025. if (rv == 0) {
  2026. /* SSLfatal() was already called */
  2027. goto err;
  2028. }
  2029. if (rv < 0)
  2030. return WORK_MORE_A;
  2031. wst = WORK_MORE_B;
  2032. }
  2033. if (wst == WORK_MORE_B) {
  2034. if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
  2035. /* Let cert callback update server certificates if required */
  2036. if (!s->hit && s->cert->cert_cb != NULL) {
  2037. int rv = s->cert->cert_cb(ssl, s->cert->cert_cb_arg);
  2038. if (rv == 0) {
  2039. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CERT_CB_ERROR);
  2040. goto err;
  2041. }
  2042. if (rv < 0) {
  2043. s->rwstate = SSL_X509_LOOKUP;
  2044. return WORK_MORE_B;
  2045. }
  2046. s->rwstate = SSL_NOTHING;
  2047. }
  2048. /* In TLSv1.3 we selected the ciphersuite before resumption */
  2049. if (!SSL_CONNECTION_IS_TLS13(s)) {
  2050. cipher =
  2051. ssl3_choose_cipher(s, s->peer_ciphers,
  2052. SSL_get_ciphers(ssl));
  2053. if (cipher == NULL) {
  2054. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2055. SSL_R_NO_SHARED_CIPHER);
  2056. goto err;
  2057. }
  2058. s->s3.tmp.new_cipher = cipher;
  2059. }
  2060. if (!s->hit) {
  2061. if (!tls_choose_sigalg(s, 1)) {
  2062. /* SSLfatal already called */
  2063. goto err;
  2064. }
  2065. /* check whether we should disable session resumption */
  2066. if (s->not_resumable_session_cb != NULL)
  2067. s->session->not_resumable =
  2068. s->not_resumable_session_cb(ssl,
  2069. ((s->s3.tmp.new_cipher->algorithm_mkey
  2070. & (SSL_kDHE | SSL_kECDHE)) != 0));
  2071. if (s->session->not_resumable)
  2072. /* do not send a session ticket */
  2073. s->ext.ticket_expected = 0;
  2074. }
  2075. } else {
  2076. /* Session-id reuse */
  2077. s->s3.tmp.new_cipher = s->session->cipher;
  2078. }
  2079. /*-
  2080. * we now have the following setup.
  2081. * client_random
  2082. * cipher_list - our preferred list of ciphers
  2083. * ciphers - the client's preferred list of ciphers
  2084. * compression - basically ignored right now
  2085. * ssl version is set - sslv3
  2086. * s->session - The ssl session has been setup.
  2087. * s->hit - session reuse flag
  2088. * s->s3.tmp.new_cipher - the new cipher to use.
  2089. */
  2090. /*
  2091. * Call status_request callback if needed. Has to be done after the
  2092. * certificate callbacks etc above.
  2093. */
  2094. if (!tls_handle_status_request(s)) {
  2095. /* SSLfatal() already called */
  2096. goto err;
  2097. }
  2098. /*
  2099. * Call alpn_select callback if needed. Has to be done after SNI and
  2100. * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
  2101. * we already did this because cipher negotiation happens earlier, and
  2102. * we must handle ALPN before we decide whether to accept early_data.
  2103. */
  2104. if (!SSL_CONNECTION_IS_TLS13(s) && !tls_handle_alpn(s)) {
  2105. /* SSLfatal() already called */
  2106. goto err;
  2107. }
  2108. wst = WORK_MORE_C;
  2109. }
  2110. #ifndef OPENSSL_NO_SRP
  2111. if (wst == WORK_MORE_C) {
  2112. int ret;
  2113. if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) {
  2114. /*
  2115. * callback indicates further work to be done
  2116. */
  2117. s->rwstate = SSL_X509_LOOKUP;
  2118. return WORK_MORE_C;
  2119. }
  2120. if (ret < 0) {
  2121. /* SSLfatal() already called */
  2122. goto err;
  2123. }
  2124. }
  2125. #endif
  2126. return WORK_FINISHED_STOP;
  2127. err:
  2128. return WORK_ERROR;
  2129. }
  2130. CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
  2131. {
  2132. int compm;
  2133. size_t sl, len;
  2134. int version;
  2135. unsigned char *session_id;
  2136. int usetls13 = SSL_CONNECTION_IS_TLS13(s)
  2137. || s->hello_retry_request == SSL_HRR_PENDING;
  2138. version = usetls13 ? TLS1_2_VERSION : s->version;
  2139. if (!WPACKET_put_bytes_u16(pkt, version)
  2140. /*
  2141. * Random stuff. Filling of the server_random takes place in
  2142. * tls_process_client_hello()
  2143. */
  2144. || !WPACKET_memcpy(pkt,
  2145. s->hello_retry_request == SSL_HRR_PENDING
  2146. ? hrrrandom : s->s3.server_random,
  2147. SSL3_RANDOM_SIZE)) {
  2148. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2149. return CON_FUNC_ERROR;
  2150. }
  2151. /*-
  2152. * There are several cases for the session ID to send
  2153. * back in the server hello:
  2154. * - For session reuse from the session cache,
  2155. * we send back the old session ID.
  2156. * - If stateless session reuse (using a session ticket)
  2157. * is successful, we send back the client's "session ID"
  2158. * (which doesn't actually identify the session).
  2159. * - If it is a new session, we send back the new
  2160. * session ID.
  2161. * - However, if we want the new session to be single-use,
  2162. * we send back a 0-length session ID.
  2163. * - In TLSv1.3 we echo back the session id sent to us by the client
  2164. * regardless
  2165. * s->hit is non-zero in either case of session reuse,
  2166. * so the following won't overwrite an ID that we're supposed
  2167. * to send back.
  2168. */
  2169. if (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
  2170. && !s->hit)
  2171. s->session->session_id_length = 0;
  2172. if (usetls13) {
  2173. sl = s->tmp_session_id_len;
  2174. session_id = s->tmp_session_id;
  2175. } else {
  2176. sl = s->session->session_id_length;
  2177. session_id = s->session->session_id;
  2178. }
  2179. if (sl > sizeof(s->session->session_id)) {
  2180. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2181. return CON_FUNC_ERROR;
  2182. }
  2183. /* set up the compression method */
  2184. #ifdef OPENSSL_NO_COMP
  2185. compm = 0;
  2186. #else
  2187. if (usetls13 || s->s3.tmp.new_compression == NULL)
  2188. compm = 0;
  2189. else
  2190. compm = s->s3.tmp.new_compression->id;
  2191. #endif
  2192. if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl)
  2193. || !SSL_CONNECTION_GET_SSL(s)->method->put_cipher_by_char(s->s3.tmp.new_cipher,
  2194. pkt, &len)
  2195. || !WPACKET_put_bytes_u8(pkt, compm)) {
  2196. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2197. return CON_FUNC_ERROR;
  2198. }
  2199. if (!tls_construct_extensions(s, pkt,
  2200. s->hello_retry_request == SSL_HRR_PENDING
  2201. ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
  2202. : (SSL_CONNECTION_IS_TLS13(s)
  2203. ? SSL_EXT_TLS1_3_SERVER_HELLO
  2204. : SSL_EXT_TLS1_2_SERVER_HELLO),
  2205. NULL, 0)) {
  2206. /* SSLfatal() already called */
  2207. return CON_FUNC_ERROR;
  2208. }
  2209. if (s->hello_retry_request == SSL_HRR_PENDING) {
  2210. /* Ditch the session. We'll create a new one next time around */
  2211. SSL_SESSION_free(s->session);
  2212. s->session = NULL;
  2213. s->hit = 0;
  2214. /*
  2215. * Re-initialise the Transcript Hash. We're going to prepopulate it with
  2216. * a synthetic message_hash in place of ClientHello1.
  2217. */
  2218. if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
  2219. /* SSLfatal() already called */
  2220. return CON_FUNC_ERROR;
  2221. }
  2222. } else if (!(s->verify_mode & SSL_VERIFY_PEER)
  2223. && !ssl3_digest_cached_records(s, 0)) {
  2224. /* SSLfatal() already called */;
  2225. return CON_FUNC_ERROR;
  2226. }
  2227. return CON_FUNC_SUCCESS;
  2228. }
  2229. CON_FUNC_RETURN tls_construct_server_done(SSL_CONNECTION *s, WPACKET *pkt)
  2230. {
  2231. if (!s->s3.tmp.cert_request) {
  2232. if (!ssl3_digest_cached_records(s, 0)) {
  2233. /* SSLfatal() already called */
  2234. return CON_FUNC_ERROR;
  2235. }
  2236. }
  2237. return CON_FUNC_SUCCESS;
  2238. }
  2239. CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s,
  2240. WPACKET *pkt)
  2241. {
  2242. EVP_PKEY *pkdh = NULL;
  2243. unsigned char *encodedPoint = NULL;
  2244. size_t encodedlen = 0;
  2245. int curve_id = 0;
  2246. const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
  2247. int i;
  2248. unsigned long type;
  2249. BIGNUM *r[4];
  2250. EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
  2251. EVP_PKEY_CTX *pctx = NULL;
  2252. size_t paramlen, paramoffset;
  2253. int freer = 0;
  2254. CON_FUNC_RETURN ret = CON_FUNC_ERROR;
  2255. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2256. if (!WPACKET_get_total_written(pkt, &paramoffset)) {
  2257. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2258. goto err;
  2259. }
  2260. if (md_ctx == NULL) {
  2261. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2262. goto err;
  2263. }
  2264. type = s->s3.tmp.new_cipher->algorithm_mkey;
  2265. r[0] = r[1] = r[2] = r[3] = NULL;
  2266. #ifndef OPENSSL_NO_PSK
  2267. /* Plain PSK or RSAPSK nothing to do */
  2268. if (type & (SSL_kPSK | SSL_kRSAPSK)) {
  2269. } else
  2270. #endif /* !OPENSSL_NO_PSK */
  2271. if (type & (SSL_kDHE | SSL_kDHEPSK)) {
  2272. CERT *cert = s->cert;
  2273. EVP_PKEY *pkdhp = NULL;
  2274. if (s->cert->dh_tmp_auto) {
  2275. pkdh = ssl_get_auto_dh(s);
  2276. if (pkdh == NULL) {
  2277. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2278. goto err;
  2279. }
  2280. pkdhp = pkdh;
  2281. } else {
  2282. pkdhp = cert->dh_tmp;
  2283. }
  2284. #if !defined(OPENSSL_NO_DEPRECATED_3_0)
  2285. if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
  2286. pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(SSL_CONNECTION_GET_SSL(s),
  2287. 0, 1024));
  2288. if (pkdh == NULL) {
  2289. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2290. goto err;
  2291. }
  2292. pkdhp = pkdh;
  2293. }
  2294. #endif
  2295. if (pkdhp == NULL) {
  2296. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY);
  2297. goto err;
  2298. }
  2299. if (!ssl_security(s, SSL_SECOP_TMP_DH,
  2300. EVP_PKEY_get_security_bits(pkdhp), 0, pkdhp)) {
  2301. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL);
  2302. goto err;
  2303. }
  2304. if (s->s3.tmp.pkey != NULL) {
  2305. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2306. goto err;
  2307. }
  2308. s->s3.tmp.pkey = ssl_generate_pkey(s, pkdhp);
  2309. if (s->s3.tmp.pkey == NULL) {
  2310. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2311. goto err;
  2312. }
  2313. EVP_PKEY_free(pkdh);
  2314. pkdh = NULL;
  2315. /* These BIGNUMs need to be freed when we're finished */
  2316. freer = 1;
  2317. if (!EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_P,
  2318. &r[0])
  2319. || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_G,
  2320. &r[1])
  2321. || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey,
  2322. OSSL_PKEY_PARAM_PUB_KEY, &r[2])) {
  2323. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2324. goto err;
  2325. }
  2326. } else if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2327. if (s->s3.tmp.pkey != NULL) {
  2328. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2329. goto err;
  2330. }
  2331. /* Get NID of appropriate shared curve */
  2332. curve_id = tls1_shared_group(s, -2);
  2333. if (curve_id == 0) {
  2334. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2335. SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
  2336. goto err;
  2337. }
  2338. /* Cache the group used in the SSL_SESSION */
  2339. s->session->kex_group = curve_id;
  2340. /* Generate a new key for this curve */
  2341. s->s3.tmp.pkey = ssl_generate_pkey_group(s, curve_id);
  2342. if (s->s3.tmp.pkey == NULL) {
  2343. /* SSLfatal() already called */
  2344. goto err;
  2345. }
  2346. /* Encode the public key. */
  2347. encodedlen = EVP_PKEY_get1_encoded_public_key(s->s3.tmp.pkey,
  2348. &encodedPoint);
  2349. if (encodedlen == 0) {
  2350. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
  2351. goto err;
  2352. }
  2353. /*
  2354. * We'll generate the serverKeyExchange message explicitly so we
  2355. * can set these to NULLs
  2356. */
  2357. r[0] = NULL;
  2358. r[1] = NULL;
  2359. r[2] = NULL;
  2360. r[3] = NULL;
  2361. } else
  2362. #ifndef OPENSSL_NO_SRP
  2363. if (type & SSL_kSRP) {
  2364. if ((s->srp_ctx.N == NULL) ||
  2365. (s->srp_ctx.g == NULL) ||
  2366. (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
  2367. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_SRP_PARAM);
  2368. goto err;
  2369. }
  2370. r[0] = s->srp_ctx.N;
  2371. r[1] = s->srp_ctx.g;
  2372. r[2] = s->srp_ctx.s;
  2373. r[3] = s->srp_ctx.B;
  2374. } else
  2375. #endif
  2376. {
  2377. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
  2378. goto err;
  2379. }
  2380. if (((s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
  2381. || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
  2382. lu = NULL;
  2383. } else if (lu == NULL) {
  2384. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
  2385. goto err;
  2386. }
  2387. #ifndef OPENSSL_NO_PSK
  2388. if (type & SSL_PSK) {
  2389. size_t len = (s->cert->psk_identity_hint == NULL)
  2390. ? 0 : strlen(s->cert->psk_identity_hint);
  2391. /*
  2392. * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
  2393. * checked this when we set the identity hint - but just in case
  2394. */
  2395. if (len > PSK_MAX_IDENTITY_LEN
  2396. || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
  2397. len)) {
  2398. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2399. goto err;
  2400. }
  2401. }
  2402. #endif
  2403. for (i = 0; i < 4 && r[i] != NULL; i++) {
  2404. unsigned char *binval;
  2405. int res;
  2406. #ifndef OPENSSL_NO_SRP
  2407. if ((i == 2) && (type & SSL_kSRP)) {
  2408. res = WPACKET_start_sub_packet_u8(pkt);
  2409. } else
  2410. #endif
  2411. res = WPACKET_start_sub_packet_u16(pkt);
  2412. if (!res) {
  2413. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2414. goto err;
  2415. }
  2416. /*-
  2417. * for interoperability with some versions of the Microsoft TLS
  2418. * stack, we need to zero pad the DHE pub key to the same length
  2419. * as the prime
  2420. */
  2421. if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
  2422. size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
  2423. if (len > 0) {
  2424. if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
  2425. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2426. goto err;
  2427. }
  2428. memset(binval, 0, len);
  2429. }
  2430. }
  2431. if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
  2432. || !WPACKET_close(pkt)) {
  2433. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2434. goto err;
  2435. }
  2436. BN_bn2bin(r[i], binval);
  2437. }
  2438. if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2439. /*
  2440. * We only support named (not generic) curves. In this situation, the
  2441. * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
  2442. * [1 byte length of encoded point], followed by the actual encoded
  2443. * point itself
  2444. */
  2445. if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
  2446. || !WPACKET_put_bytes_u8(pkt, 0)
  2447. || !WPACKET_put_bytes_u8(pkt, curve_id)
  2448. || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
  2449. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2450. goto err;
  2451. }
  2452. OPENSSL_free(encodedPoint);
  2453. encodedPoint = NULL;
  2454. }
  2455. /* not anonymous */
  2456. if (lu != NULL) {
  2457. EVP_PKEY *pkey = s->s3.tmp.cert->privatekey;
  2458. const EVP_MD *md;
  2459. unsigned char *sigbytes1, *sigbytes2, *tbs;
  2460. size_t siglen = 0, tbslen;
  2461. if (pkey == NULL || !tls1_lookup_md(sctx, lu, &md)) {
  2462. /* Should never happen */
  2463. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2464. goto err;
  2465. }
  2466. /* Get length of the parameters we have written above */
  2467. if (!WPACKET_get_length(pkt, &paramlen)) {
  2468. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2469. goto err;
  2470. }
  2471. /* send signature algorithm */
  2472. if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
  2473. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2474. goto err;
  2475. }
  2476. if (EVP_DigestSignInit_ex(md_ctx, &pctx,
  2477. md == NULL ? NULL : EVP_MD_get0_name(md),
  2478. sctx->libctx, sctx->propq, pkey,
  2479. NULL) <= 0) {
  2480. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2481. goto err;
  2482. }
  2483. if (lu->sig == EVP_PKEY_RSA_PSS) {
  2484. if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
  2485. || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
  2486. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2487. goto err;
  2488. }
  2489. }
  2490. tbslen = construct_key_exchange_tbs(s, &tbs,
  2491. s->init_buf->data + paramoffset,
  2492. paramlen);
  2493. if (tbslen == 0) {
  2494. /* SSLfatal() already called */
  2495. goto err;
  2496. }
  2497. if (EVP_DigestSign(md_ctx, NULL, &siglen, tbs, tbslen) <=0
  2498. || !WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
  2499. || EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen) <= 0
  2500. || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
  2501. || sigbytes1 != sigbytes2) {
  2502. OPENSSL_free(tbs);
  2503. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2504. goto err;
  2505. }
  2506. OPENSSL_free(tbs);
  2507. }
  2508. ret = CON_FUNC_SUCCESS;
  2509. err:
  2510. EVP_PKEY_free(pkdh);
  2511. OPENSSL_free(encodedPoint);
  2512. EVP_MD_CTX_free(md_ctx);
  2513. if (freer) {
  2514. BN_free(r[0]);
  2515. BN_free(r[1]);
  2516. BN_free(r[2]);
  2517. BN_free(r[3]);
  2518. }
  2519. return ret;
  2520. }
  2521. CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s,
  2522. WPACKET *pkt)
  2523. {
  2524. if (SSL_CONNECTION_IS_TLS13(s)) {
  2525. /* Send random context when doing post-handshake auth */
  2526. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  2527. OPENSSL_free(s->pha_context);
  2528. s->pha_context_len = 32;
  2529. if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) {
  2530. s->pha_context_len = 0;
  2531. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2532. return CON_FUNC_ERROR;
  2533. }
  2534. if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
  2535. s->pha_context, s->pha_context_len, 0) <= 0
  2536. || !WPACKET_sub_memcpy_u8(pkt, s->pha_context,
  2537. s->pha_context_len)) {
  2538. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2539. return CON_FUNC_ERROR;
  2540. }
  2541. /* reset the handshake hash back to just after the ClientFinished */
  2542. if (!tls13_restore_handshake_digest_for_pha(s)) {
  2543. /* SSLfatal() already called */
  2544. return CON_FUNC_ERROR;
  2545. }
  2546. } else {
  2547. if (!WPACKET_put_bytes_u8(pkt, 0)) {
  2548. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2549. return CON_FUNC_ERROR;
  2550. }
  2551. }
  2552. if (!tls_construct_extensions(s, pkt,
  2553. SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
  2554. 0)) {
  2555. /* SSLfatal() already called */
  2556. return CON_FUNC_ERROR;
  2557. }
  2558. goto done;
  2559. }
  2560. /* get the list of acceptable cert types */
  2561. if (!WPACKET_start_sub_packet_u8(pkt)
  2562. || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
  2563. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2564. return CON_FUNC_ERROR;
  2565. }
  2566. if (SSL_USE_SIGALGS(s)) {
  2567. const uint16_t *psigs;
  2568. size_t nl = tls12_get_psigalgs(s, 1, &psigs);
  2569. if (!WPACKET_start_sub_packet_u16(pkt)
  2570. || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
  2571. || !tls12_copy_sigalgs(s, pkt, psigs, nl)
  2572. || !WPACKET_close(pkt)) {
  2573. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2574. return CON_FUNC_ERROR;
  2575. }
  2576. }
  2577. if (!construct_ca_names(s, get_ca_names(s), pkt)) {
  2578. /* SSLfatal() already called */
  2579. return CON_FUNC_ERROR;
  2580. }
  2581. done:
  2582. s->certreqs_sent++;
  2583. s->s3.tmp.cert_request = 1;
  2584. return CON_FUNC_SUCCESS;
  2585. }
  2586. static int tls_process_cke_psk_preamble(SSL_CONNECTION *s, PACKET *pkt)
  2587. {
  2588. #ifndef OPENSSL_NO_PSK
  2589. unsigned char psk[PSK_MAX_PSK_LEN];
  2590. size_t psklen;
  2591. PACKET psk_identity;
  2592. if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
  2593. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2594. return 0;
  2595. }
  2596. if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
  2597. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DATA_LENGTH_TOO_LONG);
  2598. return 0;
  2599. }
  2600. if (s->psk_server_callback == NULL) {
  2601. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_SERVER_CB);
  2602. return 0;
  2603. }
  2604. if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
  2605. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2606. return 0;
  2607. }
  2608. psklen = s->psk_server_callback(SSL_CONNECTION_GET_SSL(s),
  2609. s->session->psk_identity,
  2610. psk, sizeof(psk));
  2611. if (psklen > PSK_MAX_PSK_LEN) {
  2612. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2613. return 0;
  2614. } else if (psklen == 0) {
  2615. /*
  2616. * PSK related to the given identity not found
  2617. */
  2618. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, SSL_R_PSK_IDENTITY_NOT_FOUND);
  2619. return 0;
  2620. }
  2621. OPENSSL_free(s->s3.tmp.psk);
  2622. s->s3.tmp.psk = OPENSSL_memdup(psk, psklen);
  2623. OPENSSL_cleanse(psk, psklen);
  2624. if (s->s3.tmp.psk == NULL) {
  2625. s->s3.tmp.psklen = 0;
  2626. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  2627. return 0;
  2628. }
  2629. s->s3.tmp.psklen = psklen;
  2630. return 1;
  2631. #else
  2632. /* Should never happen */
  2633. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2634. return 0;
  2635. #endif
  2636. }
  2637. static int tls_process_cke_rsa(SSL_CONNECTION *s, PACKET *pkt)
  2638. {
  2639. size_t outlen;
  2640. PACKET enc_premaster;
  2641. EVP_PKEY *rsa = NULL;
  2642. unsigned char *rsa_decrypt = NULL;
  2643. int ret = 0;
  2644. EVP_PKEY_CTX *ctx = NULL;
  2645. OSSL_PARAM params[3], *p = params;
  2646. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2647. rsa = s->cert->pkeys[SSL_PKEY_RSA].privatekey;
  2648. if (rsa == NULL) {
  2649. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_RSA_CERTIFICATE);
  2650. return 0;
  2651. }
  2652. /* SSLv3 and pre-standard DTLS omit the length bytes. */
  2653. if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
  2654. enc_premaster = *pkt;
  2655. } else {
  2656. if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
  2657. || PACKET_remaining(pkt) != 0) {
  2658. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2659. return 0;
  2660. }
  2661. }
  2662. outlen = SSL_MAX_MASTER_KEY_LENGTH;
  2663. rsa_decrypt = OPENSSL_malloc(outlen);
  2664. if (rsa_decrypt == NULL) {
  2665. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  2666. return 0;
  2667. }
  2668. ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, rsa, sctx->propq);
  2669. if (ctx == NULL) {
  2670. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2671. goto err;
  2672. }
  2673. /*
  2674. * We must not leak whether a decryption failure occurs because of
  2675. * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
  2676. * section 7.4.7.1). We use the special padding type
  2677. * RSA_PKCS1_WITH_TLS_PADDING to do that. It will automatically decrypt the
  2678. * RSA, check the padding and check that the client version is as expected
  2679. * in the premaster secret. If any of that fails then the function appears
  2680. * to return successfully but with a random result. The call below could
  2681. * still fail if the input is publicly invalid.
  2682. * See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
  2683. */
  2684. if (EVP_PKEY_decrypt_init(ctx) <= 0
  2685. || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_WITH_TLS_PADDING) <= 0) {
  2686. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED);
  2687. goto err;
  2688. }
  2689. *p++ = OSSL_PARAM_construct_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION,
  2690. (unsigned int *)&s->client_version);
  2691. if ((s->options & SSL_OP_TLS_ROLLBACK_BUG) != 0)
  2692. *p++ = OSSL_PARAM_construct_uint(
  2693. OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION,
  2694. (unsigned int *)&s->version);
  2695. *p++ = OSSL_PARAM_construct_end();
  2696. if (!EVP_PKEY_CTX_set_params(ctx, params)
  2697. || EVP_PKEY_decrypt(ctx, rsa_decrypt, &outlen,
  2698. PACKET_data(&enc_premaster),
  2699. PACKET_remaining(&enc_premaster)) <= 0) {
  2700. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED);
  2701. goto err;
  2702. }
  2703. /*
  2704. * This test should never fail (otherwise we should have failed above) but
  2705. * we double check anyway.
  2706. */
  2707. if (outlen != SSL_MAX_MASTER_KEY_LENGTH) {
  2708. OPENSSL_cleanse(rsa_decrypt, SSL_MAX_MASTER_KEY_LENGTH);
  2709. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED);
  2710. goto err;
  2711. }
  2712. /* Also cleanses rsa_decrypt (on success or failure) */
  2713. if (!ssl_generate_master_secret(s, rsa_decrypt, outlen, 0)) {
  2714. /* SSLfatal() already called */
  2715. goto err;
  2716. }
  2717. ret = 1;
  2718. err:
  2719. OPENSSL_free(rsa_decrypt);
  2720. EVP_PKEY_CTX_free(ctx);
  2721. return ret;
  2722. }
  2723. static int tls_process_cke_dhe(SSL_CONNECTION *s, PACKET *pkt)
  2724. {
  2725. EVP_PKEY *skey = NULL;
  2726. unsigned int i;
  2727. const unsigned char *data;
  2728. EVP_PKEY *ckey = NULL;
  2729. int ret = 0;
  2730. if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
  2731. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
  2732. goto err;
  2733. }
  2734. skey = s->s3.tmp.pkey;
  2735. if (skey == NULL) {
  2736. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY);
  2737. goto err;
  2738. }
  2739. if (PACKET_remaining(pkt) == 0L) {
  2740. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_MISSING_TMP_DH_KEY);
  2741. goto err;
  2742. }
  2743. if (!PACKET_get_bytes(pkt, &data, i)) {
  2744. /* We already checked we have enough data */
  2745. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2746. goto err;
  2747. }
  2748. ckey = EVP_PKEY_new();
  2749. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
  2750. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
  2751. goto err;
  2752. }
  2753. if (!EVP_PKEY_set1_encoded_public_key(ckey, data, i)) {
  2754. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2755. goto err;
  2756. }
  2757. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2758. /* SSLfatal() already called */
  2759. goto err;
  2760. }
  2761. ret = 1;
  2762. EVP_PKEY_free(s->s3.tmp.pkey);
  2763. s->s3.tmp.pkey = NULL;
  2764. err:
  2765. EVP_PKEY_free(ckey);
  2766. return ret;
  2767. }
  2768. static int tls_process_cke_ecdhe(SSL_CONNECTION *s, PACKET *pkt)
  2769. {
  2770. EVP_PKEY *skey = s->s3.tmp.pkey;
  2771. EVP_PKEY *ckey = NULL;
  2772. int ret = 0;
  2773. if (PACKET_remaining(pkt) == 0L) {
  2774. /* We don't support ECDH client auth */
  2775. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_TMP_ECDH_KEY);
  2776. goto err;
  2777. } else {
  2778. unsigned int i;
  2779. const unsigned char *data;
  2780. /*
  2781. * Get client's public key from encoded point in the
  2782. * ClientKeyExchange message.
  2783. */
  2784. /* Get encoded point length */
  2785. if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
  2786. || PACKET_remaining(pkt) != 0) {
  2787. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2788. goto err;
  2789. }
  2790. if (skey == NULL) {
  2791. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_ECDH_KEY);
  2792. goto err;
  2793. }
  2794. ckey = EVP_PKEY_new();
  2795. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
  2796. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
  2797. goto err;
  2798. }
  2799. if (EVP_PKEY_set1_encoded_public_key(ckey, data, i) <= 0) {
  2800. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
  2801. goto err;
  2802. }
  2803. }
  2804. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2805. /* SSLfatal() already called */
  2806. goto err;
  2807. }
  2808. ret = 1;
  2809. EVP_PKEY_free(s->s3.tmp.pkey);
  2810. s->s3.tmp.pkey = NULL;
  2811. err:
  2812. EVP_PKEY_free(ckey);
  2813. return ret;
  2814. }
  2815. static int tls_process_cke_srp(SSL_CONNECTION *s, PACKET *pkt)
  2816. {
  2817. #ifndef OPENSSL_NO_SRP
  2818. unsigned int i;
  2819. const unsigned char *data;
  2820. if (!PACKET_get_net_2(pkt, &i)
  2821. || !PACKET_get_bytes(pkt, &data, i)) {
  2822. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRP_A_LENGTH);
  2823. return 0;
  2824. }
  2825. if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
  2826. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB);
  2827. return 0;
  2828. }
  2829. if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
  2830. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRP_PARAMETERS);
  2831. return 0;
  2832. }
  2833. OPENSSL_free(s->session->srp_username);
  2834. s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
  2835. if (s->session->srp_username == NULL) {
  2836. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  2837. return 0;
  2838. }
  2839. if (!srp_generate_server_master_secret(s)) {
  2840. /* SSLfatal() already called */
  2841. return 0;
  2842. }
  2843. return 1;
  2844. #else
  2845. /* Should never happen */
  2846. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2847. return 0;
  2848. #endif
  2849. }
  2850. static int tls_process_cke_gost(SSL_CONNECTION *s, PACKET *pkt)
  2851. {
  2852. #ifndef OPENSSL_NO_GOST
  2853. EVP_PKEY_CTX *pkey_ctx;
  2854. EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
  2855. unsigned char premaster_secret[32];
  2856. const unsigned char *start;
  2857. size_t outlen = sizeof(premaster_secret), inlen;
  2858. unsigned long alg_a;
  2859. GOST_KX_MESSAGE *pKX = NULL;
  2860. const unsigned char *ptr;
  2861. int ret = 0;
  2862. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2863. /* Get our certificate private key */
  2864. alg_a = s->s3.tmp.new_cipher->algorithm_auth;
  2865. if (alg_a & SSL_aGOST12) {
  2866. /*
  2867. * New GOST ciphersuites have SSL_aGOST01 bit too
  2868. */
  2869. pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
  2870. if (pk == NULL) {
  2871. pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
  2872. }
  2873. if (pk == NULL) {
  2874. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  2875. }
  2876. } else if (alg_a & SSL_aGOST01) {
  2877. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  2878. }
  2879. pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pk, sctx->propq);
  2880. if (pkey_ctx == NULL) {
  2881. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2882. return 0;
  2883. }
  2884. if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
  2885. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2886. goto err;
  2887. }
  2888. /*
  2889. * If client certificate is present and is of the same type, maybe
  2890. * use it for key exchange. Don't mind errors from
  2891. * EVP_PKEY_derive_set_peer, because it is completely valid to use a
  2892. * client certificate for authorization only.
  2893. */
  2894. client_pub_pkey = tls_get_peer_pkey(s);
  2895. if (client_pub_pkey) {
  2896. if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
  2897. ERR_clear_error();
  2898. }
  2899. ptr = PACKET_data(pkt);
  2900. /* Some implementations provide extra data in the opaqueBlob
  2901. * We have nothing to do with this blob so we just skip it */
  2902. pKX = d2i_GOST_KX_MESSAGE(NULL, &ptr, PACKET_remaining(pkt));
  2903. if (pKX == NULL
  2904. || pKX->kxBlob == NULL
  2905. || ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) {
  2906. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED);
  2907. goto err;
  2908. }
  2909. if (!PACKET_forward(pkt, ptr - PACKET_data(pkt))) {
  2910. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_DECRYPTION_FAILED);
  2911. goto err;
  2912. }
  2913. if (PACKET_remaining(pkt) != 0) {
  2914. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_DECRYPTION_FAILED);
  2915. goto err;
  2916. }
  2917. inlen = pKX->kxBlob->value.sequence->length;
  2918. start = pKX->kxBlob->value.sequence->data;
  2919. if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
  2920. inlen) <= 0) {
  2921. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED);
  2922. goto err;
  2923. }
  2924. /* Generate master secret */
  2925. if (!ssl_generate_master_secret(s, premaster_secret, outlen, 0)) {
  2926. /* SSLfatal() already called */
  2927. goto err;
  2928. }
  2929. /* Check if pubkey from client certificate was used */
  2930. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
  2931. NULL) > 0)
  2932. s->statem.no_cert_verify = 1;
  2933. ret = 1;
  2934. err:
  2935. EVP_PKEY_CTX_free(pkey_ctx);
  2936. GOST_KX_MESSAGE_free(pKX);
  2937. return ret;
  2938. #else
  2939. /* Should never happen */
  2940. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2941. return 0;
  2942. #endif
  2943. }
  2944. static int tls_process_cke_gost18(SSL_CONNECTION *s, PACKET *pkt)
  2945. {
  2946. #ifndef OPENSSL_NO_GOST
  2947. unsigned char rnd_dgst[32];
  2948. EVP_PKEY_CTX *pkey_ctx = NULL;
  2949. EVP_PKEY *pk = NULL;
  2950. unsigned char premaster_secret[32];
  2951. const unsigned char *start = NULL;
  2952. size_t outlen = sizeof(premaster_secret), inlen = 0;
  2953. int ret = 0;
  2954. int cipher_nid = ossl_gost18_cke_cipher_nid(s);
  2955. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2956. if (cipher_nid == NID_undef) {
  2957. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2958. return 0;
  2959. }
  2960. if (ossl_gost_ukm(s, rnd_dgst) <= 0) {
  2961. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2962. goto err;
  2963. }
  2964. /* Get our certificate private key */
  2965. pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey != NULL ?
  2966. s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey :
  2967. s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
  2968. if (pk == NULL) {
  2969. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE);
  2970. goto err;
  2971. }
  2972. pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pk, sctx->propq);
  2973. if (pkey_ctx == NULL) {
  2974. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2975. goto err;
  2976. }
  2977. if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
  2978. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2979. goto err;
  2980. }
  2981. /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code depending on size */
  2982. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
  2983. EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) {
  2984. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  2985. goto err;
  2986. }
  2987. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
  2988. EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) <= 0) {
  2989. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  2990. goto err;
  2991. }
  2992. inlen = PACKET_remaining(pkt);
  2993. start = PACKET_data(pkt);
  2994. if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
  2995. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED);
  2996. goto err;
  2997. }
  2998. /* Generate master secret */
  2999. if (!ssl_generate_master_secret(s, premaster_secret, outlen, 0)) {
  3000. /* SSLfatal() already called */
  3001. goto err;
  3002. }
  3003. ret = 1;
  3004. err:
  3005. EVP_PKEY_CTX_free(pkey_ctx);
  3006. return ret;
  3007. #else
  3008. /* Should never happen */
  3009. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3010. return 0;
  3011. #endif
  3012. }
  3013. MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL_CONNECTION *s,
  3014. PACKET *pkt)
  3015. {
  3016. unsigned long alg_k;
  3017. alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  3018. /* For PSK parse and retrieve identity, obtain PSK key */
  3019. if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) {
  3020. /* SSLfatal() already called */
  3021. goto err;
  3022. }
  3023. if (alg_k & SSL_kPSK) {
  3024. /* Identity extracted earlier: should be nothing left */
  3025. if (PACKET_remaining(pkt) != 0) {
  3026. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3027. goto err;
  3028. }
  3029. /* PSK handled by ssl_generate_master_secret */
  3030. if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
  3031. /* SSLfatal() already called */
  3032. goto err;
  3033. }
  3034. } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
  3035. if (!tls_process_cke_rsa(s, pkt)) {
  3036. /* SSLfatal() already called */
  3037. goto err;
  3038. }
  3039. } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
  3040. if (!tls_process_cke_dhe(s, pkt)) {
  3041. /* SSLfatal() already called */
  3042. goto err;
  3043. }
  3044. } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
  3045. if (!tls_process_cke_ecdhe(s, pkt)) {
  3046. /* SSLfatal() already called */
  3047. goto err;
  3048. }
  3049. } else if (alg_k & SSL_kSRP) {
  3050. if (!tls_process_cke_srp(s, pkt)) {
  3051. /* SSLfatal() already called */
  3052. goto err;
  3053. }
  3054. } else if (alg_k & SSL_kGOST) {
  3055. if (!tls_process_cke_gost(s, pkt)) {
  3056. /* SSLfatal() already called */
  3057. goto err;
  3058. }
  3059. } else if (alg_k & SSL_kGOST18) {
  3060. if (!tls_process_cke_gost18(s, pkt)) {
  3061. /* SSLfatal() already called */
  3062. goto err;
  3063. }
  3064. } else {
  3065. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
  3066. goto err;
  3067. }
  3068. return MSG_PROCESS_CONTINUE_PROCESSING;
  3069. err:
  3070. #ifndef OPENSSL_NO_PSK
  3071. OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen);
  3072. s->s3.tmp.psk = NULL;
  3073. s->s3.tmp.psklen = 0;
  3074. #endif
  3075. return MSG_PROCESS_ERROR;
  3076. }
  3077. WORK_STATE tls_post_process_client_key_exchange(SSL_CONNECTION *s,
  3078. WORK_STATE wst)
  3079. {
  3080. #ifndef OPENSSL_NO_SCTP
  3081. if (wst == WORK_MORE_A) {
  3082. if (SSL_CONNECTION_IS_DTLS(s)) {
  3083. unsigned char sctpauthkey[64];
  3084. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  3085. size_t labellen;
  3086. /*
  3087. * Add new shared key for SCTP-Auth, will be ignored if no SCTP
  3088. * used.
  3089. */
  3090. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  3091. sizeof(DTLS1_SCTP_AUTH_LABEL));
  3092. /* Don't include the terminating zero. */
  3093. labellen = sizeof(labelbuffer) - 1;
  3094. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  3095. labellen += 1;
  3096. if (SSL_export_keying_material(SSL_CONNECTION_GET_SSL(s),
  3097. sctpauthkey,
  3098. sizeof(sctpauthkey), labelbuffer,
  3099. labellen, NULL, 0,
  3100. 0) <= 0) {
  3101. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3102. return WORK_ERROR;
  3103. }
  3104. BIO_ctrl(s->wbio, BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  3105. sizeof(sctpauthkey), sctpauthkey);
  3106. }
  3107. }
  3108. #endif
  3109. if (s->statem.no_cert_verify || !received_client_cert(s)) {
  3110. /*
  3111. * No certificate verify or no peer certificate so we no longer need
  3112. * the handshake_buffer
  3113. */
  3114. if (!ssl3_digest_cached_records(s, 0)) {
  3115. /* SSLfatal() already called */
  3116. return WORK_ERROR;
  3117. }
  3118. return WORK_FINISHED_CONTINUE;
  3119. } else {
  3120. if (!s->s3.handshake_buffer) {
  3121. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3122. return WORK_ERROR;
  3123. }
  3124. /*
  3125. * For sigalgs freeze the handshake buffer. If we support
  3126. * extms we've done this already so this is a no-op
  3127. */
  3128. if (!ssl3_digest_cached_records(s, 1)) {
  3129. /* SSLfatal() already called */
  3130. return WORK_ERROR;
  3131. }
  3132. }
  3133. return WORK_FINISHED_CONTINUE;
  3134. }
  3135. MSG_PROCESS_RETURN tls_process_client_rpk(SSL_CONNECTION *sc, PACKET *pkt)
  3136. {
  3137. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  3138. SSL_SESSION *new_sess = NULL;
  3139. EVP_PKEY *peer_rpk = NULL;
  3140. if (!tls_process_rpk(sc, pkt, &peer_rpk)) {
  3141. /* SSLfatal already called */
  3142. goto err;
  3143. }
  3144. if (peer_rpk == NULL) {
  3145. if ((sc->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
  3146. && (sc->verify_mode & SSL_VERIFY_PEER)) {
  3147. SSLfatal(sc, SSL_AD_CERTIFICATE_REQUIRED,
  3148. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  3149. goto err;
  3150. }
  3151. } else {
  3152. if (ssl_verify_rpk(sc, peer_rpk) <= 0) {
  3153. SSLfatal(sc, ssl_x509err2alert(sc->verify_result),
  3154. SSL_R_CERTIFICATE_VERIFY_FAILED);
  3155. goto err;
  3156. }
  3157. }
  3158. /*
  3159. * Sessions must be immutable once they go into the session cache. Otherwise
  3160. * we can get multi-thread problems. Therefore we don't "update" sessions,
  3161. * we replace them with a duplicate. Here, we need to do this every time
  3162. * a new RPK (or certificate) is received via post-handshake authentication,
  3163. * as the session may have already gone into the session cache.
  3164. */
  3165. if (sc->post_handshake_auth == SSL_PHA_REQUESTED) {
  3166. if ((new_sess = ssl_session_dup(sc->session, 0)) == NULL) {
  3167. SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  3168. goto err;
  3169. }
  3170. SSL_SESSION_free(sc->session);
  3171. sc->session = new_sess;
  3172. }
  3173. /* Ensure there is no peer/peer_chain */
  3174. X509_free(sc->session->peer);
  3175. sc->session->peer = NULL;
  3176. sk_X509_pop_free(sc->session->peer_chain, X509_free);
  3177. sc->session->peer_chain = NULL;
  3178. /* Save RPK */
  3179. EVP_PKEY_free(sc->session->peer_rpk);
  3180. sc->session->peer_rpk = peer_rpk;
  3181. peer_rpk = NULL;
  3182. sc->session->verify_result = sc->verify_result;
  3183. /*
  3184. * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
  3185. * message
  3186. */
  3187. if (SSL_CONNECTION_IS_TLS13(sc)) {
  3188. if (!ssl3_digest_cached_records(sc, 1)) {
  3189. /* SSLfatal() already called */
  3190. goto err;
  3191. }
  3192. /* Save the current hash state for when we receive the CertificateVerify */
  3193. if (!ssl_handshake_hash(sc, sc->cert_verify_hash,
  3194. sizeof(sc->cert_verify_hash),
  3195. &sc->cert_verify_hash_len)) {
  3196. /* SSLfatal() already called */;
  3197. goto err;
  3198. }
  3199. /* resend session tickets */
  3200. sc->sent_tickets = 0;
  3201. }
  3202. ret = MSG_PROCESS_CONTINUE_READING;
  3203. err:
  3204. EVP_PKEY_free(peer_rpk);
  3205. return ret;
  3206. }
  3207. MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s,
  3208. PACKET *pkt)
  3209. {
  3210. int i;
  3211. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  3212. X509 *x = NULL;
  3213. unsigned long l;
  3214. const unsigned char *certstart, *certbytes;
  3215. STACK_OF(X509) *sk = NULL;
  3216. PACKET spkt, context;
  3217. size_t chainidx;
  3218. SSL_SESSION *new_sess = NULL;
  3219. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  3220. /*
  3221. * To get this far we must have read encrypted data from the client. We no
  3222. * longer tolerate unencrypted alerts. This is ignored if less than TLSv1.3
  3223. */
  3224. if (s->rlayer.rrlmethod->set_plain_alerts != NULL)
  3225. s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0);
  3226. if (s->ext.client_cert_type == TLSEXT_cert_type_rpk)
  3227. return tls_process_client_rpk(s, pkt);
  3228. if (s->ext.client_cert_type != TLSEXT_cert_type_x509) {
  3229. SSLfatal(s, SSL_AD_UNSUPPORTED_CERTIFICATE,
  3230. SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  3231. goto err;
  3232. }
  3233. if ((sk = sk_X509_new_null()) == NULL) {
  3234. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  3235. goto err;
  3236. }
  3237. if (SSL_CONNECTION_IS_TLS13(s)
  3238. && (!PACKET_get_length_prefixed_1(pkt, &context)
  3239. || (s->pha_context == NULL && PACKET_remaining(&context) != 0)
  3240. || (s->pha_context != NULL
  3241. && !PACKET_equal(&context, s->pha_context,
  3242. s->pha_context_len)))) {
  3243. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
  3244. goto err;
  3245. }
  3246. if (!PACKET_get_length_prefixed_3(pkt, &spkt)
  3247. || PACKET_remaining(pkt) != 0) {
  3248. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3249. goto err;
  3250. }
  3251. for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
  3252. if (!PACKET_get_net_3(&spkt, &l)
  3253. || !PACKET_get_bytes(&spkt, &certbytes, l)) {
  3254. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
  3255. goto err;
  3256. }
  3257. certstart = certbytes;
  3258. x = X509_new_ex(sctx->libctx, sctx->propq);
  3259. if (x == NULL) {
  3260. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_X509_LIB);
  3261. goto err;
  3262. }
  3263. if (d2i_X509(&x, (const unsigned char **)&certbytes, l) == NULL) {
  3264. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
  3265. goto err;
  3266. }
  3267. if (certbytes != (certstart + l)) {
  3268. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
  3269. goto err;
  3270. }
  3271. if (SSL_CONNECTION_IS_TLS13(s)) {
  3272. RAW_EXTENSION *rawexts = NULL;
  3273. PACKET extensions;
  3274. if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
  3275. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
  3276. goto err;
  3277. }
  3278. if (!tls_collect_extensions(s, &extensions,
  3279. SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
  3280. NULL, chainidx == 0)
  3281. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
  3282. rawexts, x, chainidx,
  3283. PACKET_remaining(&spkt) == 0)) {
  3284. OPENSSL_free(rawexts);
  3285. goto err;
  3286. }
  3287. OPENSSL_free(rawexts);
  3288. }
  3289. if (!sk_X509_push(sk, x)) {
  3290. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  3291. goto err;
  3292. }
  3293. x = NULL;
  3294. }
  3295. if (sk_X509_num(sk) <= 0) {
  3296. /* TLS does not mind 0 certs returned */
  3297. if (s->version == SSL3_VERSION) {
  3298. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3299. SSL_R_NO_CERTIFICATES_RETURNED);
  3300. goto err;
  3301. }
  3302. /* Fail for TLS only if we required a certificate */
  3303. else if ((s->verify_mode & SSL_VERIFY_PEER) &&
  3304. (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  3305. SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED,
  3306. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  3307. goto err;
  3308. }
  3309. /* No client certificate so digest cached records */
  3310. if (s->s3.handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
  3311. /* SSLfatal() already called */
  3312. goto err;
  3313. }
  3314. } else {
  3315. EVP_PKEY *pkey;
  3316. i = ssl_verify_cert_chain(s, sk);
  3317. if (i <= 0) {
  3318. SSLfatal(s, ssl_x509err2alert(s->verify_result),
  3319. SSL_R_CERTIFICATE_VERIFY_FAILED);
  3320. goto err;
  3321. }
  3322. pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
  3323. if (pkey == NULL) {
  3324. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3325. SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  3326. goto err;
  3327. }
  3328. }
  3329. /*
  3330. * Sessions must be immutable once they go into the session cache. Otherwise
  3331. * we can get multi-thread problems. Therefore we don't "update" sessions,
  3332. * we replace them with a duplicate. Here, we need to do this every time
  3333. * a new certificate is received via post-handshake authentication, as the
  3334. * session may have already gone into the session cache.
  3335. */
  3336. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  3337. if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
  3338. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
  3339. goto err;
  3340. }
  3341. SSL_SESSION_free(s->session);
  3342. s->session = new_sess;
  3343. }
  3344. X509_free(s->session->peer);
  3345. s->session->peer = sk_X509_shift(sk);
  3346. s->session->verify_result = s->verify_result;
  3347. OSSL_STACK_OF_X509_free(s->session->peer_chain);
  3348. s->session->peer_chain = sk;
  3349. sk = NULL;
  3350. /* Ensure there is no RPK */
  3351. EVP_PKEY_free(s->session->peer_rpk);
  3352. s->session->peer_rpk = NULL;
  3353. /*
  3354. * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
  3355. * message
  3356. */
  3357. if (SSL_CONNECTION_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
  3358. /* SSLfatal() already called */
  3359. goto err;
  3360. }
  3361. /*
  3362. * Inconsistency alert: cert_chain does *not* include the peer's own
  3363. * certificate, while we do include it in statem_clnt.c
  3364. */
  3365. /* Save the current hash state for when we receive the CertificateVerify */
  3366. if (SSL_CONNECTION_IS_TLS13(s)) {
  3367. if (!ssl_handshake_hash(s, s->cert_verify_hash,
  3368. sizeof(s->cert_verify_hash),
  3369. &s->cert_verify_hash_len)) {
  3370. /* SSLfatal() already called */
  3371. goto err;
  3372. }
  3373. /* Resend session tickets */
  3374. s->sent_tickets = 0;
  3375. }
  3376. ret = MSG_PROCESS_CONTINUE_READING;
  3377. err:
  3378. X509_free(x);
  3379. OSSL_STACK_OF_X509_free(sk);
  3380. return ret;
  3381. }
  3382. #ifndef OPENSSL_NO_COMP_ALG
  3383. MSG_PROCESS_RETURN tls_process_client_compressed_certificate(SSL_CONNECTION *sc, PACKET *pkt)
  3384. {
  3385. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  3386. PACKET tmppkt;
  3387. BUF_MEM *buf = BUF_MEM_new();
  3388. if (tls13_process_compressed_certificate(sc, pkt, &tmppkt, buf) != MSG_PROCESS_ERROR)
  3389. ret = tls_process_client_certificate(sc, &tmppkt);
  3390. BUF_MEM_free(buf);
  3391. return ret;
  3392. }
  3393. #endif
  3394. CON_FUNC_RETURN tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt)
  3395. {
  3396. CERT_PKEY *cpk = s->s3.tmp.cert;
  3397. if (cpk == NULL) {
  3398. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3399. return CON_FUNC_ERROR;
  3400. }
  3401. /*
  3402. * In TLSv1.3 the certificate chain is always preceded by a 0 length context
  3403. * for the server Certificate message
  3404. */
  3405. if (SSL_CONNECTION_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
  3406. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3407. return CON_FUNC_ERROR;
  3408. }
  3409. switch (s->ext.server_cert_type) {
  3410. case TLSEXT_cert_type_rpk:
  3411. if (!tls_output_rpk(s, pkt, cpk)) {
  3412. /* SSLfatal() already called */
  3413. return 0;
  3414. }
  3415. break;
  3416. case TLSEXT_cert_type_x509:
  3417. if (!ssl3_output_cert_chain(s, pkt, cpk, 0)) {
  3418. /* SSLfatal() already called */
  3419. return 0;
  3420. }
  3421. break;
  3422. default:
  3423. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3424. return 0;
  3425. }
  3426. return CON_FUNC_SUCCESS;
  3427. }
  3428. #ifndef OPENSSL_NO_COMP_ALG
  3429. CON_FUNC_RETURN tls_construct_server_compressed_certificate(SSL_CONNECTION *sc, WPACKET *pkt)
  3430. {
  3431. int alg = get_compressed_certificate_alg(sc);
  3432. OSSL_COMP_CERT *cc = sc->s3.tmp.cert->comp_cert[alg];
  3433. if (!ossl_assert(cc != NULL)) {
  3434. SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3435. return 0;
  3436. }
  3437. /*
  3438. * Server can't compress on-demand
  3439. * Use pre-compressed certificate
  3440. */
  3441. if (!WPACKET_put_bytes_u16(pkt, alg)
  3442. || !WPACKET_put_bytes_u24(pkt, cc->orig_len)
  3443. || !WPACKET_start_sub_packet_u24(pkt)
  3444. || !WPACKET_memcpy(pkt, cc->data, cc->len)
  3445. || !WPACKET_close(pkt))
  3446. return 0;
  3447. sc->s3.tmp.cert->cert_comp_used++;
  3448. return 1;
  3449. }
  3450. #endif
  3451. static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt,
  3452. uint32_t age_add, unsigned char *tick_nonce)
  3453. {
  3454. uint32_t timeout = (uint32_t)ossl_time2seconds(s->session->timeout);
  3455. /*
  3456. * Ticket lifetime hint:
  3457. * In TLSv1.3 we reset the "time" field above, and always specify the
  3458. * timeout, limited to a 1 week period per RFC8446.
  3459. * For TLSv1.2 this is advisory only and we leave this unspecified for
  3460. * resumed session (for simplicity).
  3461. */
  3462. #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
  3463. if (SSL_CONNECTION_IS_TLS13(s)) {
  3464. if (ossl_time_compare(s->session->timeout,
  3465. ossl_seconds2time(ONE_WEEK_SEC)) > 0)
  3466. timeout = ONE_WEEK_SEC;
  3467. } else if (s->hit)
  3468. timeout = 0;
  3469. if (!WPACKET_put_bytes_u32(pkt, timeout)) {
  3470. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3471. return 0;
  3472. }
  3473. if (SSL_CONNECTION_IS_TLS13(s)) {
  3474. if (!WPACKET_put_bytes_u32(pkt, age_add)
  3475. || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) {
  3476. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3477. return 0;
  3478. }
  3479. }
  3480. /* Start the sub-packet for the actual ticket data */
  3481. if (!WPACKET_start_sub_packet_u16(pkt)) {
  3482. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3483. return 0;
  3484. }
  3485. return 1;
  3486. }
  3487. static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s,
  3488. WPACKET *pkt,
  3489. uint32_t age_add,
  3490. unsigned char *tick_nonce)
  3491. {
  3492. unsigned char *senc = NULL;
  3493. EVP_CIPHER_CTX *ctx = NULL;
  3494. SSL_HMAC *hctx = NULL;
  3495. unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
  3496. const unsigned char *const_p;
  3497. int len, slen_full, slen, lenfinal;
  3498. SSL_SESSION *sess;
  3499. size_t hlen;
  3500. SSL_CTX *tctx = s->session_ctx;
  3501. unsigned char iv[EVP_MAX_IV_LENGTH];
  3502. unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
  3503. int iv_len;
  3504. CON_FUNC_RETURN ok = CON_FUNC_ERROR;
  3505. size_t macoffset, macendoffset;
  3506. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  3507. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  3508. /* get session encoding length */
  3509. slen_full = i2d_SSL_SESSION(s->session, NULL);
  3510. /*
  3511. * Some length values are 16 bits, so forget it if session is too
  3512. * long
  3513. */
  3514. if (slen_full == 0 || slen_full > 0xFF00) {
  3515. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3516. goto err;
  3517. }
  3518. senc = OPENSSL_malloc(slen_full);
  3519. if (senc == NULL) {
  3520. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  3521. goto err;
  3522. }
  3523. ctx = EVP_CIPHER_CTX_new();
  3524. if (ctx == NULL) {
  3525. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  3526. goto err;
  3527. }
  3528. hctx = ssl_hmac_new(tctx);
  3529. if (hctx == NULL) {
  3530. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
  3531. goto err;
  3532. }
  3533. p = senc;
  3534. if (!i2d_SSL_SESSION(s->session, &p)) {
  3535. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3536. goto err;
  3537. }
  3538. /*
  3539. * create a fresh copy (not shared with other threads) to clean up
  3540. */
  3541. const_p = senc;
  3542. sess = d2i_SSL_SESSION_ex(NULL, &const_p, slen_full, sctx->libctx,
  3543. sctx->propq);
  3544. if (sess == NULL) {
  3545. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3546. goto err;
  3547. }
  3548. slen = i2d_SSL_SESSION(sess, NULL);
  3549. if (slen == 0 || slen > slen_full) {
  3550. /* shouldn't ever happen */
  3551. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3552. SSL_SESSION_free(sess);
  3553. goto err;
  3554. }
  3555. p = senc;
  3556. if (!i2d_SSL_SESSION(sess, &p)) {
  3557. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3558. SSL_SESSION_free(sess);
  3559. goto err;
  3560. }
  3561. SSL_SESSION_free(sess);
  3562. /*
  3563. * Initialize HMAC and cipher contexts. If callback present it does
  3564. * all the work otherwise use generated values from parent ctx.
  3565. */
  3566. #ifndef OPENSSL_NO_DEPRECATED_3_0
  3567. if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL)
  3568. #else
  3569. if (tctx->ext.ticket_key_evp_cb != NULL)
  3570. #endif
  3571. {
  3572. int ret = 0;
  3573. if (tctx->ext.ticket_key_evp_cb != NULL)
  3574. ret = tctx->ext.ticket_key_evp_cb(ssl, key_name, iv, ctx,
  3575. ssl_hmac_get0_EVP_MAC_CTX(hctx),
  3576. 1);
  3577. #ifndef OPENSSL_NO_DEPRECATED_3_0
  3578. else if (tctx->ext.ticket_key_cb != NULL)
  3579. /* if 0 is returned, write an empty ticket */
  3580. ret = tctx->ext.ticket_key_cb(ssl, key_name, iv, ctx,
  3581. ssl_hmac_get0_HMAC_CTX(hctx), 1);
  3582. #endif
  3583. if (ret == 0) {
  3584. /*
  3585. * In TLSv1.2 we construct a 0 length ticket. In TLSv1.3 a 0
  3586. * length ticket is not allowed so we abort construction of the
  3587. * ticket
  3588. */
  3589. if (SSL_CONNECTION_IS_TLS13(s)) {
  3590. ok = CON_FUNC_DONT_SEND;
  3591. goto err;
  3592. }
  3593. /* Put timeout and length */
  3594. if (!WPACKET_put_bytes_u32(pkt, 0)
  3595. || !WPACKET_put_bytes_u16(pkt, 0)) {
  3596. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3597. goto err;
  3598. }
  3599. OPENSSL_free(senc);
  3600. EVP_CIPHER_CTX_free(ctx);
  3601. ssl_hmac_free(hctx);
  3602. return CON_FUNC_SUCCESS;
  3603. }
  3604. if (ret < 0) {
  3605. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
  3606. goto err;
  3607. }
  3608. iv_len = EVP_CIPHER_CTX_get_iv_length(ctx);
  3609. if (iv_len < 0) {
  3610. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3611. goto err;
  3612. }
  3613. } else {
  3614. EVP_CIPHER *cipher = EVP_CIPHER_fetch(sctx->libctx, "AES-256-CBC",
  3615. sctx->propq);
  3616. if (cipher == NULL) {
  3617. /* Error is already recorded */
  3618. SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
  3619. goto err;
  3620. }
  3621. iv_len = EVP_CIPHER_get_iv_length(cipher);
  3622. if (iv_len < 0
  3623. || RAND_bytes_ex(sctx->libctx, iv, iv_len, 0) <= 0
  3624. || !EVP_EncryptInit_ex(ctx, cipher, NULL,
  3625. tctx->ext.secure->tick_aes_key, iv)
  3626. || !ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key,
  3627. sizeof(tctx->ext.secure->tick_hmac_key),
  3628. "SHA256")) {
  3629. EVP_CIPHER_free(cipher);
  3630. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3631. goto err;
  3632. }
  3633. EVP_CIPHER_free(cipher);
  3634. memcpy(key_name, tctx->ext.tick_key_name,
  3635. sizeof(tctx->ext.tick_key_name));
  3636. }
  3637. if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
  3638. /* SSLfatal() already called */
  3639. goto err;
  3640. }
  3641. if (!WPACKET_get_total_written(pkt, &macoffset)
  3642. /* Output key name */
  3643. || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
  3644. /* output IV */
  3645. || !WPACKET_memcpy(pkt, iv, iv_len)
  3646. || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
  3647. &encdata1)
  3648. /* Encrypt session data */
  3649. || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
  3650. || !WPACKET_allocate_bytes(pkt, len, &encdata2)
  3651. || encdata1 != encdata2
  3652. || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
  3653. || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
  3654. || encdata1 + len != encdata2
  3655. || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
  3656. || !WPACKET_get_total_written(pkt, &macendoffset)
  3657. || !ssl_hmac_update(hctx,
  3658. (unsigned char *)s->init_buf->data + macoffset,
  3659. macendoffset - macoffset)
  3660. || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
  3661. || !ssl_hmac_final(hctx, macdata1, &hlen, EVP_MAX_MD_SIZE)
  3662. || hlen > EVP_MAX_MD_SIZE
  3663. || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
  3664. || macdata1 != macdata2) {
  3665. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3666. goto err;
  3667. }
  3668. /* Close the sub-packet created by create_ticket_prequel() */
  3669. if (!WPACKET_close(pkt)) {
  3670. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3671. goto err;
  3672. }
  3673. ok = CON_FUNC_SUCCESS;
  3674. err:
  3675. OPENSSL_free(senc);
  3676. EVP_CIPHER_CTX_free(ctx);
  3677. ssl_hmac_free(hctx);
  3678. return ok;
  3679. }
  3680. static int construct_stateful_ticket(SSL_CONNECTION *s, WPACKET *pkt,
  3681. uint32_t age_add,
  3682. unsigned char *tick_nonce)
  3683. {
  3684. if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
  3685. /* SSLfatal() already called */
  3686. return 0;
  3687. }
  3688. if (!WPACKET_memcpy(pkt, s->session->session_id,
  3689. s->session->session_id_length)
  3690. || !WPACKET_close(pkt)) {
  3691. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3692. return 0;
  3693. }
  3694. return 1;
  3695. }
  3696. static void tls_update_ticket_counts(SSL_CONNECTION *s)
  3697. {
  3698. /*
  3699. * Increment both |sent_tickets| and |next_ticket_nonce|. |sent_tickets|
  3700. * gets reset to 0 if we send more tickets following a post-handshake
  3701. * auth, but |next_ticket_nonce| does not. If we're sending extra
  3702. * tickets, decrement the count of pending extra tickets.
  3703. */
  3704. s->sent_tickets++;
  3705. s->next_ticket_nonce++;
  3706. if (s->ext.extra_tickets_expected > 0)
  3707. s->ext.extra_tickets_expected--;
  3708. }
  3709. CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt)
  3710. {
  3711. SSL_CTX *tctx = s->session_ctx;
  3712. unsigned char tick_nonce[TICKET_NONCE_SIZE];
  3713. union {
  3714. unsigned char age_add_c[sizeof(uint32_t)];
  3715. uint32_t age_add;
  3716. } age_add_u;
  3717. CON_FUNC_RETURN ret = CON_FUNC_ERROR;
  3718. age_add_u.age_add = 0;
  3719. if (SSL_CONNECTION_IS_TLS13(s)) {
  3720. size_t i, hashlen;
  3721. uint64_t nonce;
  3722. static const unsigned char nonce_label[] = "resumption";
  3723. const EVP_MD *md = ssl_handshake_md(s);
  3724. int hashleni = EVP_MD_get_size(md);
  3725. /* Ensure cast to size_t is safe */
  3726. if (!ossl_assert(hashleni >= 0)) {
  3727. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3728. goto err;
  3729. }
  3730. hashlen = (size_t)hashleni;
  3731. /*
  3732. * If we already sent one NewSessionTicket, or we resumed then
  3733. * s->session may already be in a cache and so we must not modify it.
  3734. * Instead we need to take a copy of it and modify that.
  3735. */
  3736. if (s->sent_tickets != 0 || s->hit) {
  3737. SSL_SESSION *new_sess = ssl_session_dup(s->session, 0);
  3738. if (new_sess == NULL) {
  3739. /* SSLfatal already called */
  3740. goto err;
  3741. }
  3742. SSL_SESSION_free(s->session);
  3743. s->session = new_sess;
  3744. }
  3745. if (!ssl_generate_session_id(s, s->session)) {
  3746. /* SSLfatal() already called */
  3747. goto err;
  3748. }
  3749. if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
  3750. age_add_u.age_add_c, sizeof(age_add_u), 0) <= 0) {
  3751. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3752. goto err;
  3753. }
  3754. s->session->ext.tick_age_add = age_add_u.age_add;
  3755. nonce = s->next_ticket_nonce;
  3756. for (i = TICKET_NONCE_SIZE; i > 0; i--) {
  3757. tick_nonce[i - 1] = (unsigned char)(nonce & 0xff);
  3758. nonce >>= 8;
  3759. }
  3760. if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
  3761. nonce_label,
  3762. sizeof(nonce_label) - 1,
  3763. tick_nonce,
  3764. TICKET_NONCE_SIZE,
  3765. s->session->master_key,
  3766. hashlen, 1)) {
  3767. /* SSLfatal() already called */
  3768. goto err;
  3769. }
  3770. s->session->master_key_length = hashlen;
  3771. s->session->time = ossl_time_now();
  3772. ssl_session_calculate_timeout(s->session);
  3773. if (s->s3.alpn_selected != NULL) {
  3774. OPENSSL_free(s->session->ext.alpn_selected);
  3775. s->session->ext.alpn_selected =
  3776. OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
  3777. if (s->session->ext.alpn_selected == NULL) {
  3778. s->session->ext.alpn_selected_len = 0;
  3779. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  3780. goto err;
  3781. }
  3782. s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
  3783. }
  3784. s->session->ext.max_early_data = s->max_early_data;
  3785. }
  3786. if (tctx->generate_ticket_cb != NULL &&
  3787. tctx->generate_ticket_cb(SSL_CONNECTION_GET_SSL(s),
  3788. tctx->ticket_cb_data) == 0) {
  3789. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3790. goto err;
  3791. }
  3792. /*
  3793. * If we are using anti-replay protection then we behave as if
  3794. * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
  3795. * is no point in using full stateless tickets.
  3796. */
  3797. if (SSL_CONNECTION_IS_TLS13(s)
  3798. && ((s->options & SSL_OP_NO_TICKET) != 0
  3799. || (s->max_early_data > 0
  3800. && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) {
  3801. if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) {
  3802. /* SSLfatal() already called */
  3803. goto err;
  3804. }
  3805. } else {
  3806. CON_FUNC_RETURN tmpret;
  3807. tmpret = construct_stateless_ticket(s, pkt, age_add_u.age_add,
  3808. tick_nonce);
  3809. if (tmpret != CON_FUNC_SUCCESS) {
  3810. if (tmpret == CON_FUNC_DONT_SEND) {
  3811. /* Non-fatal. Abort construction but continue */
  3812. ret = CON_FUNC_DONT_SEND;
  3813. /* We count this as a success so update the counts anwyay */
  3814. tls_update_ticket_counts(s);
  3815. }
  3816. /* else SSLfatal() already called */
  3817. goto err;
  3818. }
  3819. }
  3820. if (SSL_CONNECTION_IS_TLS13(s)) {
  3821. if (!tls_construct_extensions(s, pkt,
  3822. SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
  3823. NULL, 0)) {
  3824. /* SSLfatal() already called */
  3825. goto err;
  3826. }
  3827. tls_update_ticket_counts(s);
  3828. ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
  3829. }
  3830. ret = CON_FUNC_SUCCESS;
  3831. err:
  3832. return ret;
  3833. }
  3834. /*
  3835. * In TLSv1.3 this is called from the extensions code, otherwise it is used to
  3836. * create a separate message. Returns 1 on success or 0 on failure.
  3837. */
  3838. int tls_construct_cert_status_body(SSL_CONNECTION *s, WPACKET *pkt)
  3839. {
  3840. if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
  3841. || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
  3842. s->ext.ocsp.resp_len)) {
  3843. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3844. return 0;
  3845. }
  3846. return 1;
  3847. }
  3848. CON_FUNC_RETURN tls_construct_cert_status(SSL_CONNECTION *s, WPACKET *pkt)
  3849. {
  3850. if (!tls_construct_cert_status_body(s, pkt)) {
  3851. /* SSLfatal() already called */
  3852. return CON_FUNC_ERROR;
  3853. }
  3854. return CON_FUNC_SUCCESS;
  3855. }
  3856. #ifndef OPENSSL_NO_NEXTPROTONEG
  3857. /*
  3858. * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
  3859. * It sets the next_proto member in s if found
  3860. */
  3861. MSG_PROCESS_RETURN tls_process_next_proto(SSL_CONNECTION *s, PACKET *pkt)
  3862. {
  3863. PACKET next_proto, padding;
  3864. size_t next_proto_len;
  3865. /*-
  3866. * The payload looks like:
  3867. * uint8 proto_len;
  3868. * uint8 proto[proto_len];
  3869. * uint8 padding_len;
  3870. * uint8 padding[padding_len];
  3871. */
  3872. if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
  3873. || !PACKET_get_length_prefixed_1(pkt, &padding)
  3874. || PACKET_remaining(pkt) > 0) {
  3875. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3876. return MSG_PROCESS_ERROR;
  3877. }
  3878. if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
  3879. s->ext.npn_len = 0;
  3880. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3881. return MSG_PROCESS_ERROR;
  3882. }
  3883. s->ext.npn_len = (unsigned char)next_proto_len;
  3884. return MSG_PROCESS_CONTINUE_READING;
  3885. }
  3886. #endif
  3887. static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s,
  3888. WPACKET *pkt)
  3889. {
  3890. if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  3891. NULL, 0)) {
  3892. /* SSLfatal() already called */
  3893. return CON_FUNC_ERROR;
  3894. }
  3895. return CON_FUNC_SUCCESS;
  3896. }
  3897. MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL_CONNECTION *s, PACKET *pkt)
  3898. {
  3899. if (PACKET_remaining(pkt) != 0) {
  3900. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3901. return MSG_PROCESS_ERROR;
  3902. }
  3903. if (s->early_data_state != SSL_EARLY_DATA_READING
  3904. && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) {
  3905. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3906. return MSG_PROCESS_ERROR;
  3907. }
  3908. /*
  3909. * EndOfEarlyData signals a key change so the end of the message must be on
  3910. * a record boundary.
  3911. */
  3912. if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  3913. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
  3914. return MSG_PROCESS_ERROR;
  3915. }
  3916. s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
  3917. if (!SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->change_cipher_state(s,
  3918. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) {
  3919. /* SSLfatal() already called */
  3920. return MSG_PROCESS_ERROR;
  3921. }
  3922. return MSG_PROCESS_CONTINUE_READING;
  3923. }