statem_clnt.c 128 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009
  1. /*
  2. * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. * Copyright 2005 Nokia. All rights reserved.
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #include <stdio.h>
  12. #include <time.h>
  13. #include <assert.h>
  14. #include "../ssl_local.h"
  15. #include "statem_local.h"
  16. #include <openssl/buffer.h>
  17. #include <openssl/rand.h>
  18. #include <openssl/objects.h>
  19. #include <openssl/evp.h>
  20. #include <openssl/md5.h>
  21. #include <openssl/dh.h>
  22. #include <openssl/rsa.h>
  23. #include <openssl/bn.h>
  24. #include <openssl/engine.h>
  25. #include <openssl/trace.h>
  26. #include <openssl/core_names.h>
  27. #include <openssl/param_build.h>
  28. #include "internal/cryptlib.h"
  29. static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s,
  30. PACKET *pkt);
  31. static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL_CONNECTION *s,
  32. PACKET *pkt);
  33. static ossl_inline int cert_req_allowed(SSL_CONNECTION *s);
  34. static int key_exchange_expected(SSL_CONNECTION *s);
  35. static int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk,
  36. WPACKET *pkt);
  37. /*
  38. * Is a CertificateRequest message allowed at the moment or not?
  39. *
  40. * Return values are:
  41. * 1: Yes
  42. * 0: No
  43. */
  44. static ossl_inline int cert_req_allowed(SSL_CONNECTION *s)
  45. {
  46. /* TLS does not like anon-DH with client cert */
  47. if ((s->version > SSL3_VERSION
  48. && (s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL))
  49. || (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
  50. return 0;
  51. return 1;
  52. }
  53. /*
  54. * Should we expect the ServerKeyExchange message or not?
  55. *
  56. * Return values are:
  57. * 1: Yes
  58. * 0: No
  59. */
  60. static int key_exchange_expected(SSL_CONNECTION *s)
  61. {
  62. long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  63. /*
  64. * Can't skip server key exchange if this is an ephemeral
  65. * ciphersuite or for SRP
  66. */
  67. if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK
  68. | SSL_kSRP)) {
  69. return 1;
  70. }
  71. return 0;
  72. }
  73. /*
  74. * ossl_statem_client_read_transition() encapsulates the logic for the allowed
  75. * handshake state transitions when a TLS1.3 client is reading messages from the
  76. * server. The message type that the server has sent is provided in |mt|. The
  77. * current state is in |s->statem.hand_state|.
  78. *
  79. * Return values are 1 for success (transition allowed) and 0 on error
  80. * (transition not allowed)
  81. */
  82. static int ossl_statem_client13_read_transition(SSL_CONNECTION *s, int mt)
  83. {
  84. OSSL_STATEM *st = &s->statem;
  85. /*
  86. * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't
  87. * yet negotiated TLSv1.3 at that point so that is handled by
  88. * ossl_statem_client_read_transition()
  89. */
  90. switch (st->hand_state) {
  91. default:
  92. break;
  93. case TLS_ST_CW_CLNT_HELLO:
  94. /*
  95. * This must a ClientHello following a HelloRetryRequest, so the only
  96. * thing we can get now is a ServerHello.
  97. */
  98. if (mt == SSL3_MT_SERVER_HELLO) {
  99. st->hand_state = TLS_ST_CR_SRVR_HELLO;
  100. return 1;
  101. }
  102. break;
  103. case TLS_ST_CR_SRVR_HELLO:
  104. if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) {
  105. st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS;
  106. return 1;
  107. }
  108. break;
  109. case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
  110. if (s->hit) {
  111. if (mt == SSL3_MT_FINISHED) {
  112. st->hand_state = TLS_ST_CR_FINISHED;
  113. return 1;
  114. }
  115. } else {
  116. if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
  117. st->hand_state = TLS_ST_CR_CERT_REQ;
  118. return 1;
  119. }
  120. if (mt == SSL3_MT_CERTIFICATE) {
  121. st->hand_state = TLS_ST_CR_CERT;
  122. return 1;
  123. }
  124. #ifndef OPENSSL_NO_COMP_ALG
  125. if (mt == SSL3_MT_COMPRESSED_CERTIFICATE
  126. && s->ext.compress_certificate_sent) {
  127. st->hand_state = TLS_ST_CR_COMP_CERT;
  128. return 1;
  129. }
  130. #endif
  131. }
  132. break;
  133. case TLS_ST_CR_CERT_REQ:
  134. if (mt == SSL3_MT_CERTIFICATE) {
  135. st->hand_state = TLS_ST_CR_CERT;
  136. return 1;
  137. }
  138. #ifndef OPENSSL_NO_COMP_ALG
  139. if (mt == SSL3_MT_COMPRESSED_CERTIFICATE
  140. && s->ext.compress_certificate_sent) {
  141. st->hand_state = TLS_ST_CR_COMP_CERT;
  142. return 1;
  143. }
  144. #endif
  145. break;
  146. case TLS_ST_CR_CERT:
  147. case TLS_ST_CR_COMP_CERT:
  148. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  149. st->hand_state = TLS_ST_CR_CERT_VRFY;
  150. return 1;
  151. }
  152. break;
  153. case TLS_ST_CR_CERT_VRFY:
  154. if (mt == SSL3_MT_FINISHED) {
  155. st->hand_state = TLS_ST_CR_FINISHED;
  156. return 1;
  157. }
  158. break;
  159. case TLS_ST_OK:
  160. if (mt == SSL3_MT_NEWSESSION_TICKET) {
  161. st->hand_state = TLS_ST_CR_SESSION_TICKET;
  162. return 1;
  163. }
  164. if (mt == SSL3_MT_KEY_UPDATE) {
  165. st->hand_state = TLS_ST_CR_KEY_UPDATE;
  166. return 1;
  167. }
  168. if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
  169. #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
  170. /* Restore digest for PHA before adding message.*/
  171. # error Internal DTLS version error
  172. #endif
  173. if (!SSL_CONNECTION_IS_DTLS(s)
  174. && s->post_handshake_auth == SSL_PHA_EXT_SENT) {
  175. s->post_handshake_auth = SSL_PHA_REQUESTED;
  176. /*
  177. * In TLS, this is called before the message is added to the
  178. * digest. In DTLS, this is expected to be called after adding
  179. * to the digest. Either move the digest restore, or add the
  180. * message here after the swap, or do it after the clientFinished?
  181. */
  182. if (!tls13_restore_handshake_digest_for_pha(s)) {
  183. /* SSLfatal() already called */
  184. return 0;
  185. }
  186. st->hand_state = TLS_ST_CR_CERT_REQ;
  187. return 1;
  188. }
  189. }
  190. break;
  191. }
  192. /* No valid transition found */
  193. return 0;
  194. }
  195. /*
  196. * ossl_statem_client_read_transition() encapsulates the logic for the allowed
  197. * handshake state transitions when the client is reading messages from the
  198. * server. The message type that the server has sent is provided in |mt|. The
  199. * current state is in |s->statem.hand_state|.
  200. *
  201. * Return values are 1 for success (transition allowed) and 0 on error
  202. * (transition not allowed)
  203. */
  204. int ossl_statem_client_read_transition(SSL_CONNECTION *s, int mt)
  205. {
  206. OSSL_STATEM *st = &s->statem;
  207. int ske_expected;
  208. /*
  209. * Note that after writing the first ClientHello we don't know what version
  210. * we are going to negotiate yet, so we don't take this branch until later.
  211. */
  212. if (SSL_CONNECTION_IS_TLS13(s)) {
  213. if (!ossl_statem_client13_read_transition(s, mt))
  214. goto err;
  215. return 1;
  216. }
  217. switch (st->hand_state) {
  218. default:
  219. break;
  220. case TLS_ST_CW_CLNT_HELLO:
  221. if (mt == SSL3_MT_SERVER_HELLO) {
  222. st->hand_state = TLS_ST_CR_SRVR_HELLO;
  223. return 1;
  224. }
  225. if (SSL_CONNECTION_IS_DTLS(s)) {
  226. if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
  227. st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
  228. return 1;
  229. }
  230. }
  231. break;
  232. case TLS_ST_EARLY_DATA:
  233. /*
  234. * We've not actually selected TLSv1.3 yet, but we have sent early
  235. * data. The only thing allowed now is a ServerHello or a
  236. * HelloRetryRequest.
  237. */
  238. if (mt == SSL3_MT_SERVER_HELLO) {
  239. st->hand_state = TLS_ST_CR_SRVR_HELLO;
  240. return 1;
  241. }
  242. break;
  243. case TLS_ST_CR_SRVR_HELLO:
  244. if (s->hit) {
  245. if (s->ext.ticket_expected) {
  246. if (mt == SSL3_MT_NEWSESSION_TICKET) {
  247. st->hand_state = TLS_ST_CR_SESSION_TICKET;
  248. return 1;
  249. }
  250. } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  251. st->hand_state = TLS_ST_CR_CHANGE;
  252. return 1;
  253. }
  254. } else {
  255. if (SSL_CONNECTION_IS_DTLS(s)
  256. && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
  257. st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
  258. return 1;
  259. } else if (s->version >= TLS1_VERSION
  260. && s->ext.session_secret_cb != NULL
  261. && s->session->ext.tick != NULL
  262. && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  263. /*
  264. * Normally, we can tell if the server is resuming the session
  265. * from the session ID. EAP-FAST (RFC 4851), however, relies on
  266. * the next server message after the ServerHello to determine if
  267. * the server is resuming.
  268. */
  269. s->hit = 1;
  270. st->hand_state = TLS_ST_CR_CHANGE;
  271. return 1;
  272. } else if (!(s->s3.tmp.new_cipher->algorithm_auth
  273. & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
  274. if (mt == SSL3_MT_CERTIFICATE) {
  275. st->hand_state = TLS_ST_CR_CERT;
  276. return 1;
  277. }
  278. } else {
  279. ske_expected = key_exchange_expected(s);
  280. /* SKE is optional for some PSK ciphersuites */
  281. if (ske_expected
  282. || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)
  283. && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
  284. if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
  285. st->hand_state = TLS_ST_CR_KEY_EXCH;
  286. return 1;
  287. }
  288. } else if (mt == SSL3_MT_CERTIFICATE_REQUEST
  289. && cert_req_allowed(s)) {
  290. st->hand_state = TLS_ST_CR_CERT_REQ;
  291. return 1;
  292. } else if (mt == SSL3_MT_SERVER_DONE) {
  293. st->hand_state = TLS_ST_CR_SRVR_DONE;
  294. return 1;
  295. }
  296. }
  297. }
  298. break;
  299. case TLS_ST_CR_CERT:
  300. case TLS_ST_CR_COMP_CERT:
  301. /*
  302. * The CertificateStatus message is optional even if
  303. * |ext.status_expected| is set
  304. */
  305. if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
  306. st->hand_state = TLS_ST_CR_CERT_STATUS;
  307. return 1;
  308. }
  309. /* Fall through */
  310. case TLS_ST_CR_CERT_STATUS:
  311. ske_expected = key_exchange_expected(s);
  312. /* SKE is optional for some PSK ciphersuites */
  313. if (ske_expected || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)
  314. && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
  315. if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
  316. st->hand_state = TLS_ST_CR_KEY_EXCH;
  317. return 1;
  318. }
  319. goto err;
  320. }
  321. /* Fall through */
  322. case TLS_ST_CR_KEY_EXCH:
  323. if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
  324. if (cert_req_allowed(s)) {
  325. st->hand_state = TLS_ST_CR_CERT_REQ;
  326. return 1;
  327. }
  328. goto err;
  329. }
  330. /* Fall through */
  331. case TLS_ST_CR_CERT_REQ:
  332. if (mt == SSL3_MT_SERVER_DONE) {
  333. st->hand_state = TLS_ST_CR_SRVR_DONE;
  334. return 1;
  335. }
  336. break;
  337. case TLS_ST_CW_FINISHED:
  338. if (s->ext.ticket_expected) {
  339. if (mt == SSL3_MT_NEWSESSION_TICKET) {
  340. st->hand_state = TLS_ST_CR_SESSION_TICKET;
  341. return 1;
  342. }
  343. } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  344. st->hand_state = TLS_ST_CR_CHANGE;
  345. return 1;
  346. }
  347. break;
  348. case TLS_ST_CR_SESSION_TICKET:
  349. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  350. st->hand_state = TLS_ST_CR_CHANGE;
  351. return 1;
  352. }
  353. break;
  354. case TLS_ST_CR_CHANGE:
  355. if (mt == SSL3_MT_FINISHED) {
  356. st->hand_state = TLS_ST_CR_FINISHED;
  357. return 1;
  358. }
  359. break;
  360. case TLS_ST_OK:
  361. if (mt == SSL3_MT_HELLO_REQUEST) {
  362. st->hand_state = TLS_ST_CR_HELLO_REQ;
  363. return 1;
  364. }
  365. break;
  366. }
  367. err:
  368. /* No valid transition found */
  369. if (SSL_CONNECTION_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  370. BIO *rbio;
  371. /*
  372. * CCS messages don't have a message sequence number so this is probably
  373. * because of an out-of-order CCS. We'll just drop it.
  374. */
  375. s->init_num = 0;
  376. s->rwstate = SSL_READING;
  377. rbio = SSL_get_rbio(SSL_CONNECTION_GET_SSL(s));
  378. BIO_clear_retry_flags(rbio);
  379. BIO_set_retry_read(rbio);
  380. return 0;
  381. }
  382. SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
  383. return 0;
  384. }
  385. /*
  386. * ossl_statem_client13_write_transition() works out what handshake state to
  387. * move to next when the TLSv1.3 client is writing messages to be sent to the
  388. * server.
  389. */
  390. static WRITE_TRAN ossl_statem_client13_write_transition(SSL_CONNECTION *s)
  391. {
  392. OSSL_STATEM *st = &s->statem;
  393. /*
  394. * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated
  395. * TLSv1.3 yet at that point. They are handled by
  396. * ossl_statem_client_write_transition().
  397. */
  398. switch (st->hand_state) {
  399. default:
  400. /* Shouldn't happen */
  401. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  402. return WRITE_TRAN_ERROR;
  403. case TLS_ST_CR_CERT_REQ:
  404. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  405. if (s->ext.compress_certificate_from_peer[0] != TLSEXT_comp_cert_none)
  406. st->hand_state = TLS_ST_CW_COMP_CERT;
  407. else
  408. st->hand_state = TLS_ST_CW_CERT;
  409. return WRITE_TRAN_CONTINUE;
  410. }
  411. /*
  412. * We should only get here if we received a CertificateRequest after
  413. * we already sent close_notify
  414. */
  415. if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) {
  416. /* Shouldn't happen - same as default case */
  417. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  418. return WRITE_TRAN_ERROR;
  419. }
  420. st->hand_state = TLS_ST_OK;
  421. return WRITE_TRAN_CONTINUE;
  422. case TLS_ST_CR_FINISHED:
  423. if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY
  424. || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING)
  425. st->hand_state = TLS_ST_PENDING_EARLY_DATA_END;
  426. else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  427. && s->hello_retry_request == SSL_HRR_NONE)
  428. st->hand_state = TLS_ST_CW_CHANGE;
  429. else if (s->s3.tmp.cert_req == 0)
  430. st->hand_state = TLS_ST_CW_FINISHED;
  431. else if (s->ext.compress_certificate_from_peer[0] != TLSEXT_comp_cert_none)
  432. st->hand_state = TLS_ST_CW_COMP_CERT;
  433. else
  434. st->hand_state = TLS_ST_CW_CERT;
  435. return WRITE_TRAN_CONTINUE;
  436. case TLS_ST_PENDING_EARLY_DATA_END:
  437. if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
  438. st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA;
  439. return WRITE_TRAN_CONTINUE;
  440. }
  441. /* Fall through */
  442. case TLS_ST_CW_END_OF_EARLY_DATA:
  443. case TLS_ST_CW_CHANGE:
  444. if (s->s3.tmp.cert_req == 0)
  445. st->hand_state = TLS_ST_CW_FINISHED;
  446. else if (s->ext.compress_certificate_from_peer[0] != TLSEXT_comp_cert_none)
  447. st->hand_state = TLS_ST_CW_COMP_CERT;
  448. else
  449. st->hand_state = TLS_ST_CW_CERT;
  450. return WRITE_TRAN_CONTINUE;
  451. case TLS_ST_CW_COMP_CERT:
  452. case TLS_ST_CW_CERT:
  453. /* If a non-empty Certificate we also send CertificateVerify */
  454. st->hand_state = (s->s3.tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY
  455. : TLS_ST_CW_FINISHED;
  456. return WRITE_TRAN_CONTINUE;
  457. case TLS_ST_CW_CERT_VRFY:
  458. st->hand_state = TLS_ST_CW_FINISHED;
  459. return WRITE_TRAN_CONTINUE;
  460. case TLS_ST_CR_KEY_UPDATE:
  461. case TLS_ST_CW_KEY_UPDATE:
  462. case TLS_ST_CR_SESSION_TICKET:
  463. case TLS_ST_CW_FINISHED:
  464. st->hand_state = TLS_ST_OK;
  465. return WRITE_TRAN_CONTINUE;
  466. case TLS_ST_OK:
  467. if (s->key_update != SSL_KEY_UPDATE_NONE) {
  468. st->hand_state = TLS_ST_CW_KEY_UPDATE;
  469. return WRITE_TRAN_CONTINUE;
  470. }
  471. /* Try to read from the server instead */
  472. return WRITE_TRAN_FINISHED;
  473. }
  474. }
  475. /*
  476. * ossl_statem_client_write_transition() works out what handshake state to
  477. * move to next when the client is writing messages to be sent to the server.
  478. */
  479. WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s)
  480. {
  481. OSSL_STATEM *st = &s->statem;
  482. /*
  483. * Note that immediately before/after a ClientHello we don't know what
  484. * version we are going to negotiate yet, so we don't take this branch until
  485. * later
  486. */
  487. if (SSL_CONNECTION_IS_TLS13(s))
  488. return ossl_statem_client13_write_transition(s);
  489. switch (st->hand_state) {
  490. default:
  491. /* Shouldn't happen */
  492. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  493. return WRITE_TRAN_ERROR;
  494. case TLS_ST_OK:
  495. if (!s->renegotiate) {
  496. /*
  497. * We haven't requested a renegotiation ourselves so we must have
  498. * received a message from the server. Better read it.
  499. */
  500. return WRITE_TRAN_FINISHED;
  501. }
  502. /* Renegotiation */
  503. /* fall thru */
  504. case TLS_ST_BEFORE:
  505. st->hand_state = TLS_ST_CW_CLNT_HELLO;
  506. return WRITE_TRAN_CONTINUE;
  507. case TLS_ST_CW_CLNT_HELLO:
  508. if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
  509. /*
  510. * We are assuming this is a TLSv1.3 connection, although we haven't
  511. * actually selected a version yet.
  512. */
  513. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
  514. st->hand_state = TLS_ST_CW_CHANGE;
  515. else
  516. st->hand_state = TLS_ST_EARLY_DATA;
  517. return WRITE_TRAN_CONTINUE;
  518. }
  519. /*
  520. * No transition at the end of writing because we don't know what
  521. * we will be sent
  522. */
  523. return WRITE_TRAN_FINISHED;
  524. case TLS_ST_CR_SRVR_HELLO:
  525. /*
  526. * We only get here in TLSv1.3. We just received an HRR, so issue a
  527. * CCS unless middlebox compat mode is off, or we already issued one
  528. * because we did early data.
  529. */
  530. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  531. && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
  532. st->hand_state = TLS_ST_CW_CHANGE;
  533. else
  534. st->hand_state = TLS_ST_CW_CLNT_HELLO;
  535. return WRITE_TRAN_CONTINUE;
  536. case TLS_ST_EARLY_DATA:
  537. return WRITE_TRAN_FINISHED;
  538. case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
  539. st->hand_state = TLS_ST_CW_CLNT_HELLO;
  540. return WRITE_TRAN_CONTINUE;
  541. case TLS_ST_CR_SRVR_DONE:
  542. if (s->s3.tmp.cert_req)
  543. st->hand_state = TLS_ST_CW_CERT;
  544. else
  545. st->hand_state = TLS_ST_CW_KEY_EXCH;
  546. return WRITE_TRAN_CONTINUE;
  547. case TLS_ST_CW_CERT:
  548. st->hand_state = TLS_ST_CW_KEY_EXCH;
  549. return WRITE_TRAN_CONTINUE;
  550. case TLS_ST_CW_KEY_EXCH:
  551. /*
  552. * For TLS, cert_req is set to 2, so a cert chain of nothing is
  553. * sent, but no verify packet is sent
  554. */
  555. /*
  556. * XXX: For now, we do not support client authentication in ECDH
  557. * cipher suites with ECDH (rather than ECDSA) certificates. We
  558. * need to skip the certificate verify message when client's
  559. * ECDH public key is sent inside the client certificate.
  560. */
  561. if (s->s3.tmp.cert_req == 1) {
  562. st->hand_state = TLS_ST_CW_CERT_VRFY;
  563. } else {
  564. st->hand_state = TLS_ST_CW_CHANGE;
  565. }
  566. if (s->s3.flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
  567. st->hand_state = TLS_ST_CW_CHANGE;
  568. }
  569. return WRITE_TRAN_CONTINUE;
  570. case TLS_ST_CW_CERT_VRFY:
  571. st->hand_state = TLS_ST_CW_CHANGE;
  572. return WRITE_TRAN_CONTINUE;
  573. case TLS_ST_CW_CHANGE:
  574. if (s->hello_retry_request == SSL_HRR_PENDING) {
  575. st->hand_state = TLS_ST_CW_CLNT_HELLO;
  576. } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
  577. st->hand_state = TLS_ST_EARLY_DATA;
  578. } else {
  579. #if defined(OPENSSL_NO_NEXTPROTONEG)
  580. st->hand_state = TLS_ST_CW_FINISHED;
  581. #else
  582. if (!SSL_CONNECTION_IS_DTLS(s) && s->s3.npn_seen)
  583. st->hand_state = TLS_ST_CW_NEXT_PROTO;
  584. else
  585. st->hand_state = TLS_ST_CW_FINISHED;
  586. #endif
  587. }
  588. return WRITE_TRAN_CONTINUE;
  589. #if !defined(OPENSSL_NO_NEXTPROTONEG)
  590. case TLS_ST_CW_NEXT_PROTO:
  591. st->hand_state = TLS_ST_CW_FINISHED;
  592. return WRITE_TRAN_CONTINUE;
  593. #endif
  594. case TLS_ST_CW_FINISHED:
  595. if (s->hit) {
  596. st->hand_state = TLS_ST_OK;
  597. return WRITE_TRAN_CONTINUE;
  598. } else {
  599. return WRITE_TRAN_FINISHED;
  600. }
  601. case TLS_ST_CR_FINISHED:
  602. if (s->hit) {
  603. st->hand_state = TLS_ST_CW_CHANGE;
  604. return WRITE_TRAN_CONTINUE;
  605. } else {
  606. st->hand_state = TLS_ST_OK;
  607. return WRITE_TRAN_CONTINUE;
  608. }
  609. case TLS_ST_CR_HELLO_REQ:
  610. /*
  611. * If we can renegotiate now then do so, otherwise wait for a more
  612. * convenient time.
  613. */
  614. if (ssl3_renegotiate_check(SSL_CONNECTION_GET_SSL(s), 1)) {
  615. if (!tls_setup_handshake(s)) {
  616. /* SSLfatal() already called */
  617. return WRITE_TRAN_ERROR;
  618. }
  619. st->hand_state = TLS_ST_CW_CLNT_HELLO;
  620. return WRITE_TRAN_CONTINUE;
  621. }
  622. st->hand_state = TLS_ST_OK;
  623. return WRITE_TRAN_CONTINUE;
  624. }
  625. }
  626. /*
  627. * Perform any pre work that needs to be done prior to sending a message from
  628. * the client to the server.
  629. */
  630. WORK_STATE ossl_statem_client_pre_work(SSL_CONNECTION *s, WORK_STATE wst)
  631. {
  632. OSSL_STATEM *st = &s->statem;
  633. switch (st->hand_state) {
  634. default:
  635. /* No pre work to be done */
  636. break;
  637. case TLS_ST_CW_CLNT_HELLO:
  638. s->shutdown = 0;
  639. if (SSL_CONNECTION_IS_DTLS(s)) {
  640. /* every DTLS ClientHello resets Finished MAC */
  641. if (!ssl3_init_finished_mac(s)) {
  642. /* SSLfatal() already called */
  643. return WORK_ERROR;
  644. }
  645. } else if (s->ext.early_data == SSL_EARLY_DATA_REJECTED) {
  646. /*
  647. * This must be a second ClientHello after an HRR following an
  648. * earlier rejected attempt to send early data. Since we were
  649. * previously encrypting the early data we now need to reset the
  650. * write record layer in order to write in plaintext again.
  651. */
  652. if (!ssl_set_new_record_layer(s,
  653. TLS_ANY_VERSION,
  654. OSSL_RECORD_DIRECTION_WRITE,
  655. OSSL_RECORD_PROTECTION_LEVEL_NONE,
  656. NULL, 0, NULL, 0, NULL, 0, NULL, 0,
  657. NID_undef, NULL, NULL)) {
  658. /* SSLfatal already called */
  659. return WORK_ERROR;
  660. }
  661. }
  662. break;
  663. case TLS_ST_CW_CHANGE:
  664. if (SSL_CONNECTION_IS_DTLS(s)) {
  665. if (s->hit) {
  666. /*
  667. * We're into the last flight so we don't retransmit these
  668. * messages unless we need to.
  669. */
  670. st->use_timer = 0;
  671. }
  672. #ifndef OPENSSL_NO_SCTP
  673. if (BIO_dgram_is_sctp(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)))) {
  674. /* Calls SSLfatal() as required */
  675. return dtls_wait_for_dry(s);
  676. }
  677. #endif
  678. }
  679. break;
  680. case TLS_ST_PENDING_EARLY_DATA_END:
  681. /*
  682. * If we've been called by SSL_do_handshake()/SSL_write(), or we did not
  683. * attempt to write early data before calling SSL_read() then we press
  684. * on with the handshake. Otherwise we pause here.
  685. */
  686. if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING
  687. || s->early_data_state == SSL_EARLY_DATA_NONE)
  688. return WORK_FINISHED_CONTINUE;
  689. /* Fall through */
  690. case TLS_ST_EARLY_DATA:
  691. return tls_finish_handshake(s, wst, 0, 1);
  692. case TLS_ST_OK:
  693. /* Calls SSLfatal() as required */
  694. return tls_finish_handshake(s, wst, 1, 1);
  695. }
  696. return WORK_FINISHED_CONTINUE;
  697. }
  698. /*
  699. * Perform any work that needs to be done after sending a message from the
  700. * client to the server.
  701. */
  702. WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst)
  703. {
  704. OSSL_STATEM *st = &s->statem;
  705. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  706. s->init_num = 0;
  707. switch (st->hand_state) {
  708. default:
  709. /* No post work to be done */
  710. break;
  711. case TLS_ST_CW_CLNT_HELLO:
  712. if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
  713. && s->max_early_data > 0) {
  714. /*
  715. * We haven't selected TLSv1.3 yet so we don't call the change
  716. * cipher state function associated with the SSL_METHOD. Instead
  717. * we call tls13_change_cipher_state() directly.
  718. */
  719. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) {
  720. if (!tls13_change_cipher_state(s,
  721. SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
  722. /* SSLfatal() already called */
  723. return WORK_ERROR;
  724. }
  725. }
  726. /* else we're in compat mode so we delay flushing until after CCS */
  727. } else if (!statem_flush(s)) {
  728. return WORK_MORE_A;
  729. }
  730. if (SSL_CONNECTION_IS_DTLS(s)) {
  731. /* Treat the next message as the first packet */
  732. s->first_packet = 1;
  733. }
  734. break;
  735. case TLS_ST_CW_KEY_EXCH:
  736. if (tls_client_key_exchange_post_work(s) == 0) {
  737. /* SSLfatal() already called */
  738. return WORK_ERROR;
  739. }
  740. break;
  741. case TLS_ST_CW_CHANGE:
  742. if (SSL_CONNECTION_IS_TLS13(s)
  743. || s->hello_retry_request == SSL_HRR_PENDING)
  744. break;
  745. if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
  746. && s->max_early_data > 0) {
  747. /*
  748. * We haven't selected TLSv1.3 yet so we don't call the change
  749. * cipher state function associated with the SSL_METHOD. Instead
  750. * we call tls13_change_cipher_state() directly.
  751. */
  752. if (!tls13_change_cipher_state(s,
  753. SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE))
  754. return WORK_ERROR;
  755. break;
  756. }
  757. s->session->cipher = s->s3.tmp.new_cipher;
  758. #ifdef OPENSSL_NO_COMP
  759. s->session->compress_meth = 0;
  760. #else
  761. if (s->s3.tmp.new_compression == NULL)
  762. s->session->compress_meth = 0;
  763. else
  764. s->session->compress_meth = s->s3.tmp.new_compression->id;
  765. #endif
  766. if (!ssl->method->ssl3_enc->setup_key_block(s)) {
  767. /* SSLfatal() already called */
  768. return WORK_ERROR;
  769. }
  770. if (!ssl->method->ssl3_enc->change_cipher_state(s,
  771. SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
  772. /* SSLfatal() already called */
  773. return WORK_ERROR;
  774. }
  775. if (SSL_CONNECTION_IS_DTLS(s)) {
  776. #ifndef OPENSSL_NO_SCTP
  777. if (s->hit) {
  778. /*
  779. * Change to new shared key of SCTP-Auth, will be ignored if
  780. * no SCTP used.
  781. */
  782. BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  783. 0, NULL);
  784. }
  785. #endif
  786. dtls1_increment_epoch(s, SSL3_CC_WRITE);
  787. }
  788. break;
  789. case TLS_ST_CW_FINISHED:
  790. #ifndef OPENSSL_NO_SCTP
  791. if (wst == WORK_MORE_A && SSL_CONNECTION_IS_DTLS(s) && s->hit == 0) {
  792. /*
  793. * Change to new shared key of SCTP-Auth, will be ignored if
  794. * no SCTP used.
  795. */
  796. BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  797. 0, NULL);
  798. }
  799. #endif
  800. if (statem_flush(s) != 1)
  801. return WORK_MORE_B;
  802. if (SSL_CONNECTION_IS_TLS13(s)) {
  803. if (!tls13_save_handshake_digest_for_pha(s)) {
  804. /* SSLfatal() already called */
  805. return WORK_ERROR;
  806. }
  807. if (s->post_handshake_auth != SSL_PHA_REQUESTED) {
  808. if (!ssl->method->ssl3_enc->change_cipher_state(s,
  809. SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
  810. /* SSLfatal() already called */
  811. return WORK_ERROR;
  812. }
  813. }
  814. }
  815. break;
  816. case TLS_ST_CW_KEY_UPDATE:
  817. if (statem_flush(s) != 1)
  818. return WORK_MORE_A;
  819. if (!tls13_update_key(s, 1)) {
  820. /* SSLfatal() already called */
  821. return WORK_ERROR;
  822. }
  823. break;
  824. }
  825. return WORK_FINISHED_CONTINUE;
  826. }
  827. /*
  828. * Get the message construction function and message type for sending from the
  829. * client
  830. *
  831. * Valid return values are:
  832. * 1: Success
  833. * 0: Error
  834. */
  835. int ossl_statem_client_construct_message(SSL_CONNECTION *s,
  836. confunc_f *confunc, int *mt)
  837. {
  838. OSSL_STATEM *st = &s->statem;
  839. switch (st->hand_state) {
  840. default:
  841. /* Shouldn't happen */
  842. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE);
  843. return 0;
  844. case TLS_ST_CW_CHANGE:
  845. if (SSL_CONNECTION_IS_DTLS(s))
  846. *confunc = dtls_construct_change_cipher_spec;
  847. else
  848. *confunc = tls_construct_change_cipher_spec;
  849. *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
  850. break;
  851. case TLS_ST_CW_CLNT_HELLO:
  852. *confunc = tls_construct_client_hello;
  853. *mt = SSL3_MT_CLIENT_HELLO;
  854. break;
  855. case TLS_ST_CW_END_OF_EARLY_DATA:
  856. *confunc = tls_construct_end_of_early_data;
  857. *mt = SSL3_MT_END_OF_EARLY_DATA;
  858. break;
  859. case TLS_ST_PENDING_EARLY_DATA_END:
  860. *confunc = NULL;
  861. *mt = SSL3_MT_DUMMY;
  862. break;
  863. case TLS_ST_CW_CERT:
  864. *confunc = tls_construct_client_certificate;
  865. *mt = SSL3_MT_CERTIFICATE;
  866. break;
  867. #ifndef OPENSSL_NO_COMP_ALG
  868. case TLS_ST_CW_COMP_CERT:
  869. *confunc = tls_construct_client_compressed_certificate;
  870. *mt = SSL3_MT_COMPRESSED_CERTIFICATE;
  871. break;
  872. #endif
  873. case TLS_ST_CW_KEY_EXCH:
  874. *confunc = tls_construct_client_key_exchange;
  875. *mt = SSL3_MT_CLIENT_KEY_EXCHANGE;
  876. break;
  877. case TLS_ST_CW_CERT_VRFY:
  878. *confunc = tls_construct_cert_verify;
  879. *mt = SSL3_MT_CERTIFICATE_VERIFY;
  880. break;
  881. #if !defined(OPENSSL_NO_NEXTPROTONEG)
  882. case TLS_ST_CW_NEXT_PROTO:
  883. *confunc = tls_construct_next_proto;
  884. *mt = SSL3_MT_NEXT_PROTO;
  885. break;
  886. #endif
  887. case TLS_ST_CW_FINISHED:
  888. *confunc = tls_construct_finished;
  889. *mt = SSL3_MT_FINISHED;
  890. break;
  891. case TLS_ST_CW_KEY_UPDATE:
  892. *confunc = tls_construct_key_update;
  893. *mt = SSL3_MT_KEY_UPDATE;
  894. break;
  895. }
  896. return 1;
  897. }
  898. /*
  899. * Returns the maximum allowed length for the current message that we are
  900. * reading. Excludes the message header.
  901. */
  902. size_t ossl_statem_client_max_message_size(SSL_CONNECTION *s)
  903. {
  904. OSSL_STATEM *st = &s->statem;
  905. switch (st->hand_state) {
  906. default:
  907. /* Shouldn't happen */
  908. return 0;
  909. case TLS_ST_CR_SRVR_HELLO:
  910. return SERVER_HELLO_MAX_LENGTH;
  911. case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
  912. return HELLO_VERIFY_REQUEST_MAX_LENGTH;
  913. case TLS_ST_CR_COMP_CERT:
  914. case TLS_ST_CR_CERT:
  915. return s->max_cert_list;
  916. case TLS_ST_CR_CERT_VRFY:
  917. return SSL3_RT_MAX_PLAIN_LENGTH;
  918. case TLS_ST_CR_CERT_STATUS:
  919. return SSL3_RT_MAX_PLAIN_LENGTH;
  920. case TLS_ST_CR_KEY_EXCH:
  921. return SERVER_KEY_EXCH_MAX_LENGTH;
  922. case TLS_ST_CR_CERT_REQ:
  923. /*
  924. * Set to s->max_cert_list for compatibility with previous releases. In
  925. * practice these messages can get quite long if servers are configured
  926. * to provide a long list of acceptable CAs
  927. */
  928. return s->max_cert_list;
  929. case TLS_ST_CR_SRVR_DONE:
  930. return SERVER_HELLO_DONE_MAX_LENGTH;
  931. case TLS_ST_CR_CHANGE:
  932. if (s->version == DTLS1_BAD_VER)
  933. return 3;
  934. return CCS_MAX_LENGTH;
  935. case TLS_ST_CR_SESSION_TICKET:
  936. return (SSL_CONNECTION_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13
  937. : SESSION_TICKET_MAX_LENGTH_TLS12;
  938. case TLS_ST_CR_FINISHED:
  939. return FINISHED_MAX_LENGTH;
  940. case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
  941. return ENCRYPTED_EXTENSIONS_MAX_LENGTH;
  942. case TLS_ST_CR_KEY_UPDATE:
  943. return KEY_UPDATE_MAX_LENGTH;
  944. }
  945. }
  946. /*
  947. * Process a message that the client has received from the server.
  948. */
  949. MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL_CONNECTION *s,
  950. PACKET *pkt)
  951. {
  952. OSSL_STATEM *st = &s->statem;
  953. switch (st->hand_state) {
  954. default:
  955. /* Shouldn't happen */
  956. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  957. return MSG_PROCESS_ERROR;
  958. case TLS_ST_CR_SRVR_HELLO:
  959. return tls_process_server_hello(s, pkt);
  960. case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
  961. return dtls_process_hello_verify(s, pkt);
  962. case TLS_ST_CR_CERT:
  963. return tls_process_server_certificate(s, pkt);
  964. #ifndef OPENSSL_NO_COMP_ALG
  965. case TLS_ST_CR_COMP_CERT:
  966. return tls_process_server_compressed_certificate(s, pkt);
  967. #endif
  968. case TLS_ST_CR_CERT_VRFY:
  969. return tls_process_cert_verify(s, pkt);
  970. case TLS_ST_CR_CERT_STATUS:
  971. return tls_process_cert_status(s, pkt);
  972. case TLS_ST_CR_KEY_EXCH:
  973. return tls_process_key_exchange(s, pkt);
  974. case TLS_ST_CR_CERT_REQ:
  975. return tls_process_certificate_request(s, pkt);
  976. case TLS_ST_CR_SRVR_DONE:
  977. return tls_process_server_done(s, pkt);
  978. case TLS_ST_CR_CHANGE:
  979. return tls_process_change_cipher_spec(s, pkt);
  980. case TLS_ST_CR_SESSION_TICKET:
  981. return tls_process_new_session_ticket(s, pkt);
  982. case TLS_ST_CR_FINISHED:
  983. return tls_process_finished(s, pkt);
  984. case TLS_ST_CR_HELLO_REQ:
  985. return tls_process_hello_req(s, pkt);
  986. case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
  987. return tls_process_encrypted_extensions(s, pkt);
  988. case TLS_ST_CR_KEY_UPDATE:
  989. return tls_process_key_update(s, pkt);
  990. }
  991. }
  992. /*
  993. * Perform any further processing required following the receipt of a message
  994. * from the server
  995. */
  996. WORK_STATE ossl_statem_client_post_process_message(SSL_CONNECTION *s,
  997. WORK_STATE wst)
  998. {
  999. OSSL_STATEM *st = &s->statem;
  1000. switch (st->hand_state) {
  1001. default:
  1002. /* Shouldn't happen */
  1003. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1004. return WORK_ERROR;
  1005. case TLS_ST_CR_CERT:
  1006. case TLS_ST_CR_COMP_CERT:
  1007. return tls_post_process_server_certificate(s, wst);
  1008. case TLS_ST_CR_CERT_VRFY:
  1009. case TLS_ST_CR_CERT_REQ:
  1010. return tls_prepare_client_certificate(s, wst);
  1011. }
  1012. }
  1013. CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
  1014. {
  1015. unsigned char *p;
  1016. size_t sess_id_len;
  1017. int i, protverr;
  1018. #ifndef OPENSSL_NO_COMP
  1019. SSL_COMP *comp;
  1020. #endif
  1021. SSL_SESSION *sess = s->session;
  1022. unsigned char *session_id;
  1023. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1024. /* Work out what SSL/TLS/DTLS version to use */
  1025. protverr = ssl_set_client_hello_version(s);
  1026. if (protverr != 0) {
  1027. SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr);
  1028. return CON_FUNC_ERROR;
  1029. }
  1030. if (sess == NULL
  1031. || !ssl_version_supported(s, sess->ssl_version, NULL)
  1032. || !SSL_SESSION_is_resumable(sess)) {
  1033. if (s->hello_retry_request == SSL_HRR_NONE
  1034. && !ssl_get_new_session(s, 0)) {
  1035. /* SSLfatal() already called */
  1036. return CON_FUNC_ERROR;
  1037. }
  1038. }
  1039. /* else use the pre-loaded session */
  1040. p = s->s3.client_random;
  1041. /*
  1042. * for DTLS if client_random is initialized, reuse it, we are
  1043. * required to use same upon reply to HelloVerify
  1044. */
  1045. if (SSL_CONNECTION_IS_DTLS(s)) {
  1046. size_t idx;
  1047. i = 1;
  1048. for (idx = 0; idx < sizeof(s->s3.client_random); idx++) {
  1049. if (p[idx]) {
  1050. i = 0;
  1051. break;
  1052. }
  1053. }
  1054. } else {
  1055. i = (s->hello_retry_request == SSL_HRR_NONE);
  1056. }
  1057. if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random),
  1058. DOWNGRADE_NONE) <= 0) {
  1059. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1060. return CON_FUNC_ERROR;
  1061. }
  1062. /*-
  1063. * version indicates the negotiated version: for example from
  1064. * an SSLv2/v3 compatible client hello). The client_version
  1065. * field is the maximum version we permit and it is also
  1066. * used in RSA encrypted premaster secrets. Some servers can
  1067. * choke if we initially report a higher version then
  1068. * renegotiate to a lower one in the premaster secret. This
  1069. * didn't happen with TLS 1.0 as most servers supported it
  1070. * but it can with TLS 1.1 or later if the server only supports
  1071. * 1.0.
  1072. *
  1073. * Possible scenario with previous logic:
  1074. * 1. Client hello indicates TLS 1.2
  1075. * 2. Server hello says TLS 1.0
  1076. * 3. RSA encrypted premaster secret uses 1.2.
  1077. * 4. Handshake proceeds using TLS 1.0.
  1078. * 5. Server sends hello request to renegotiate.
  1079. * 6. Client hello indicates TLS v1.0 as we now
  1080. * know that is maximum server supports.
  1081. * 7. Server chokes on RSA encrypted premaster secret
  1082. * containing version 1.0.
  1083. *
  1084. * For interoperability it should be OK to always use the
  1085. * maximum version we support in client hello and then rely
  1086. * on the checking of version to ensure the servers isn't
  1087. * being inconsistent: for example initially negotiating with
  1088. * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
  1089. * client_version in client hello and not resetting it to
  1090. * the negotiated version.
  1091. *
  1092. * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
  1093. * supported_versions extension for the real supported versions.
  1094. */
  1095. if (!WPACKET_put_bytes_u16(pkt, s->client_version)
  1096. || !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE)) {
  1097. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1098. return CON_FUNC_ERROR;
  1099. }
  1100. /* Session ID */
  1101. session_id = s->session->session_id;
  1102. if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) {
  1103. if (s->version == TLS1_3_VERSION
  1104. && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) {
  1105. sess_id_len = sizeof(s->tmp_session_id);
  1106. s->tmp_session_id_len = sess_id_len;
  1107. session_id = s->tmp_session_id;
  1108. if (s->hello_retry_request == SSL_HRR_NONE
  1109. && RAND_bytes_ex(sctx->libctx, s->tmp_session_id,
  1110. sess_id_len, 0) <= 0) {
  1111. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1112. return CON_FUNC_ERROR;
  1113. }
  1114. } else {
  1115. sess_id_len = 0;
  1116. }
  1117. } else {
  1118. assert(s->session->session_id_length <= sizeof(s->session->session_id));
  1119. sess_id_len = s->session->session_id_length;
  1120. if (s->version == TLS1_3_VERSION) {
  1121. s->tmp_session_id_len = sess_id_len;
  1122. memcpy(s->tmp_session_id, s->session->session_id, sess_id_len);
  1123. }
  1124. }
  1125. if (!WPACKET_start_sub_packet_u8(pkt)
  1126. || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id,
  1127. sess_id_len))
  1128. || !WPACKET_close(pkt)) {
  1129. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1130. return CON_FUNC_ERROR;
  1131. }
  1132. /* cookie stuff for DTLS */
  1133. if (SSL_CONNECTION_IS_DTLS(s)) {
  1134. if (s->d1->cookie_len > sizeof(s->d1->cookie)
  1135. || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,
  1136. s->d1->cookie_len)) {
  1137. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1138. return CON_FUNC_ERROR;
  1139. }
  1140. }
  1141. /* Ciphers supported */
  1142. if (!WPACKET_start_sub_packet_u16(pkt)) {
  1143. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1144. return CON_FUNC_ERROR;
  1145. }
  1146. if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s)),
  1147. pkt)) {
  1148. /* SSLfatal() already called */
  1149. return CON_FUNC_ERROR;
  1150. }
  1151. if (!WPACKET_close(pkt)) {
  1152. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1153. return CON_FUNC_ERROR;
  1154. }
  1155. /* COMPRESSION */
  1156. if (!WPACKET_start_sub_packet_u8(pkt)) {
  1157. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1158. return CON_FUNC_ERROR;
  1159. }
  1160. #ifndef OPENSSL_NO_COMP
  1161. if (ssl_allow_compression(s)
  1162. && sctx->comp_methods
  1163. && (SSL_CONNECTION_IS_DTLS(s)
  1164. || s->s3.tmp.max_ver < TLS1_3_VERSION)) {
  1165. int compnum = sk_SSL_COMP_num(sctx->comp_methods);
  1166. for (i = 0; i < compnum; i++) {
  1167. comp = sk_SSL_COMP_value(sctx->comp_methods, i);
  1168. if (!WPACKET_put_bytes_u8(pkt, comp->id)) {
  1169. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1170. return CON_FUNC_ERROR;
  1171. }
  1172. }
  1173. }
  1174. #endif
  1175. /* Add the NULL method */
  1176. if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) {
  1177. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1178. return CON_FUNC_ERROR;
  1179. }
  1180. /* TLS extensions */
  1181. if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) {
  1182. /* SSLfatal() already called */
  1183. return CON_FUNC_ERROR;
  1184. }
  1185. return CON_FUNC_SUCCESS;
  1186. }
  1187. MSG_PROCESS_RETURN dtls_process_hello_verify(SSL_CONNECTION *s, PACKET *pkt)
  1188. {
  1189. size_t cookie_len;
  1190. PACKET cookiepkt;
  1191. if (!PACKET_forward(pkt, 2)
  1192. || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
  1193. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1194. return MSG_PROCESS_ERROR;
  1195. }
  1196. cookie_len = PACKET_remaining(&cookiepkt);
  1197. if (cookie_len > sizeof(s->d1->cookie)) {
  1198. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_TOO_LONG);
  1199. return MSG_PROCESS_ERROR;
  1200. }
  1201. if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) {
  1202. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1203. return MSG_PROCESS_ERROR;
  1204. }
  1205. s->d1->cookie_len = cookie_len;
  1206. return MSG_PROCESS_FINISHED_READING;
  1207. }
  1208. static int set_client_ciphersuite(SSL_CONNECTION *s,
  1209. const unsigned char *cipherchars)
  1210. {
  1211. STACK_OF(SSL_CIPHER) *sk;
  1212. const SSL_CIPHER *c;
  1213. int i;
  1214. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1215. c = ssl_get_cipher_by_char(s, cipherchars, 0);
  1216. if (c == NULL) {
  1217. /* unknown cipher */
  1218. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CIPHER_RETURNED);
  1219. return 0;
  1220. }
  1221. /*
  1222. * If it is a disabled cipher we either didn't send it in client hello,
  1223. * or it's not allowed for the selected protocol. So we return an error.
  1224. */
  1225. if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) {
  1226. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
  1227. return 0;
  1228. }
  1229. sk = ssl_get_ciphers_by_id(s);
  1230. i = sk_SSL_CIPHER_find(sk, c);
  1231. if (i < 0) {
  1232. /* we did not say we would use this cipher */
  1233. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
  1234. return 0;
  1235. }
  1236. if (SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.new_cipher != NULL
  1237. && s->s3.tmp.new_cipher->id != c->id) {
  1238. /* ServerHello selected a different ciphersuite to that in the HRR */
  1239. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
  1240. return 0;
  1241. }
  1242. /*
  1243. * Depending on the session caching (internal/external), the cipher
  1244. * and/or cipher_id values may not be set. Make sure that cipher_id is
  1245. * set and use it for comparison.
  1246. */
  1247. if (s->session->cipher != NULL)
  1248. s->session->cipher_id = s->session->cipher->id;
  1249. if (s->hit && (s->session->cipher_id != c->id)) {
  1250. if (SSL_CONNECTION_IS_TLS13(s)) {
  1251. const EVP_MD *md = ssl_md(sctx, c->algorithm2);
  1252. /*
  1253. * In TLSv1.3 it is valid for the server to select a different
  1254. * ciphersuite as long as the hash is the same.
  1255. */
  1256. if (md == NULL
  1257. || md != ssl_md(sctx, s->session->cipher->algorithm2)) {
  1258. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1259. SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED);
  1260. return 0;
  1261. }
  1262. } else {
  1263. /*
  1264. * Prior to TLSv1.3 resuming a session always meant using the same
  1265. * ciphersuite.
  1266. */
  1267. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1268. SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
  1269. return 0;
  1270. }
  1271. }
  1272. s->s3.tmp.new_cipher = c;
  1273. return 1;
  1274. }
  1275. MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt)
  1276. {
  1277. PACKET session_id, extpkt;
  1278. size_t session_id_len;
  1279. const unsigned char *cipherchars;
  1280. int hrr = 0;
  1281. unsigned int compression;
  1282. unsigned int sversion;
  1283. unsigned int context;
  1284. RAW_EXTENSION *extensions = NULL;
  1285. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  1286. #ifndef OPENSSL_NO_COMP
  1287. SSL_COMP *comp;
  1288. #endif
  1289. if (!PACKET_get_net_2(pkt, &sversion)) {
  1290. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1291. goto err;
  1292. }
  1293. /* load the server random */
  1294. if (s->version == TLS1_3_VERSION
  1295. && sversion == TLS1_2_VERSION
  1296. && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE
  1297. && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {
  1298. if (s->hello_retry_request != SSL_HRR_NONE) {
  1299. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
  1300. goto err;
  1301. }
  1302. s->hello_retry_request = SSL_HRR_PENDING;
  1303. /* Tell the record layer that we know we're going to get TLSv1.3 */
  1304. if (!ssl_set_record_protocol_version(s, s->version)) {
  1305. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1306. goto err;
  1307. }
  1308. hrr = 1;
  1309. if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) {
  1310. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1311. goto err;
  1312. }
  1313. } else {
  1314. if (!PACKET_copy_bytes(pkt, s->s3.server_random, SSL3_RANDOM_SIZE)) {
  1315. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1316. goto err;
  1317. }
  1318. }
  1319. /* Get the session-id. */
  1320. if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
  1321. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1322. goto err;
  1323. }
  1324. session_id_len = PACKET_remaining(&session_id);
  1325. if (session_id_len > sizeof(s->session->session_id)
  1326. || session_id_len > SSL3_SESSION_ID_SIZE) {
  1327. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_SSL3_SESSION_ID_TOO_LONG);
  1328. goto err;
  1329. }
  1330. if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
  1331. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1332. goto err;
  1333. }
  1334. if (!PACKET_get_1(pkt, &compression)) {
  1335. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1336. goto err;
  1337. }
  1338. /* TLS extensions */
  1339. if (PACKET_remaining(pkt) == 0 && !hrr) {
  1340. PACKET_null_init(&extpkt);
  1341. } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
  1342. || PACKET_remaining(pkt) != 0) {
  1343. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
  1344. goto err;
  1345. }
  1346. if (!hrr) {
  1347. if (!tls_collect_extensions(s, &extpkt,
  1348. SSL_EXT_TLS1_2_SERVER_HELLO
  1349. | SSL_EXT_TLS1_3_SERVER_HELLO,
  1350. &extensions, NULL, 1)) {
  1351. /* SSLfatal() already called */
  1352. goto err;
  1353. }
  1354. if (!ssl_choose_client_version(s, sversion, extensions)) {
  1355. /* SSLfatal() already called */
  1356. goto err;
  1357. }
  1358. }
  1359. if (SSL_CONNECTION_IS_TLS13(s) || hrr) {
  1360. if (compression != 0) {
  1361. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1362. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1363. goto err;
  1364. }
  1365. if (session_id_len != s->tmp_session_id_len
  1366. || memcmp(PACKET_data(&session_id), s->tmp_session_id,
  1367. session_id_len) != 0) {
  1368. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_SESSION_ID);
  1369. goto err;
  1370. }
  1371. }
  1372. if (hrr) {
  1373. if (!set_client_ciphersuite(s, cipherchars)) {
  1374. /* SSLfatal() already called */
  1375. goto err;
  1376. }
  1377. return tls_process_as_hello_retry_request(s, &extpkt);
  1378. }
  1379. /*
  1380. * Now we have chosen the version we need to check again that the extensions
  1381. * are appropriate for this version.
  1382. */
  1383. context = SSL_CONNECTION_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO
  1384. : SSL_EXT_TLS1_2_SERVER_HELLO;
  1385. if (!tls_validate_all_contexts(s, context, extensions)) {
  1386. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
  1387. goto err;
  1388. }
  1389. s->hit = 0;
  1390. if (SSL_CONNECTION_IS_TLS13(s)) {
  1391. /*
  1392. * In TLSv1.3 a ServerHello message signals a key change so the end of
  1393. * the message must be on a record boundary.
  1394. */
  1395. if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  1396. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1397. SSL_R_NOT_ON_RECORD_BOUNDARY);
  1398. goto err;
  1399. }
  1400. /* This will set s->hit if we are resuming */
  1401. if (!tls_parse_extension(s, TLSEXT_IDX_psk,
  1402. SSL_EXT_TLS1_3_SERVER_HELLO,
  1403. extensions, NULL, 0)) {
  1404. /* SSLfatal() already called */
  1405. goto err;
  1406. }
  1407. } else {
  1408. /*
  1409. * Check if we can resume the session based on external pre-shared
  1410. * secret. EAP-FAST (RFC 4851) supports two types of session resumption.
  1411. * Resumption based on server-side state works with session IDs.
  1412. * Resumption based on pre-shared Protected Access Credentials (PACs)
  1413. * works by overriding the SessionTicket extension at the application
  1414. * layer, and does not send a session ID. (We do not know whether
  1415. * EAP-FAST servers would honour the session ID.) Therefore, the session
  1416. * ID alone is not a reliable indicator of session resumption, so we
  1417. * first check if we can resume, and later peek at the next handshake
  1418. * message to see if the server wants to resume.
  1419. */
  1420. if (s->version >= TLS1_VERSION
  1421. && s->ext.session_secret_cb != NULL && s->session->ext.tick) {
  1422. const SSL_CIPHER *pref_cipher = NULL;
  1423. /*
  1424. * s->session->master_key_length is a size_t, but this is an int for
  1425. * backwards compat reasons
  1426. */
  1427. int master_key_length;
  1428. master_key_length = sizeof(s->session->master_key);
  1429. if (s->ext.session_secret_cb(ssl, s->session->master_key,
  1430. &master_key_length,
  1431. NULL, &pref_cipher,
  1432. s->ext.session_secret_cb_arg)
  1433. && master_key_length > 0) {
  1434. s->session->master_key_length = master_key_length;
  1435. s->session->cipher = pref_cipher ?
  1436. pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
  1437. } else {
  1438. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1439. goto err;
  1440. }
  1441. }
  1442. if (session_id_len != 0
  1443. && session_id_len == s->session->session_id_length
  1444. && memcmp(PACKET_data(&session_id), s->session->session_id,
  1445. session_id_len) == 0)
  1446. s->hit = 1;
  1447. }
  1448. if (s->hit) {
  1449. if (s->sid_ctx_length != s->session->sid_ctx_length
  1450. || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
  1451. /* actually a client application bug */
  1452. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1453. SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
  1454. goto err;
  1455. }
  1456. } else {
  1457. /*
  1458. * If we were trying for session-id reuse but the server
  1459. * didn't resume, make a new SSL_SESSION.
  1460. * In the case of EAP-FAST and PAC, we do not send a session ID,
  1461. * so the PAC-based session secret is always preserved. It'll be
  1462. * overwritten if the server refuses resumption.
  1463. */
  1464. if (s->session->session_id_length > 0) {
  1465. ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss);
  1466. if (!ssl_get_new_session(s, 0)) {
  1467. /* SSLfatal() already called */
  1468. goto err;
  1469. }
  1470. }
  1471. s->session->ssl_version = s->version;
  1472. /*
  1473. * In TLSv1.2 and below we save the session id we were sent so we can
  1474. * resume it later. In TLSv1.3 the session id we were sent is just an
  1475. * echo of what we originally sent in the ClientHello and should not be
  1476. * used for resumption.
  1477. */
  1478. if (!SSL_CONNECTION_IS_TLS13(s)) {
  1479. s->session->session_id_length = session_id_len;
  1480. /* session_id_len could be 0 */
  1481. if (session_id_len > 0)
  1482. memcpy(s->session->session_id, PACKET_data(&session_id),
  1483. session_id_len);
  1484. }
  1485. }
  1486. /* Session version and negotiated protocol version should match */
  1487. if (s->version != s->session->ssl_version) {
  1488. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1489. SSL_R_SSL_SESSION_VERSION_MISMATCH);
  1490. goto err;
  1491. }
  1492. /*
  1493. * Now that we know the version, update the check to see if it's an allowed
  1494. * version.
  1495. */
  1496. s->s3.tmp.min_ver = s->version;
  1497. s->s3.tmp.max_ver = s->version;
  1498. if (!set_client_ciphersuite(s, cipherchars)) {
  1499. /* SSLfatal() already called */
  1500. goto err;
  1501. }
  1502. #ifdef OPENSSL_NO_COMP
  1503. if (compression != 0) {
  1504. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1505. SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
  1506. goto err;
  1507. }
  1508. /*
  1509. * If compression is disabled we'd better not try to resume a session
  1510. * using compression.
  1511. */
  1512. if (s->session->compress_meth != 0) {
  1513. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION);
  1514. goto err;
  1515. }
  1516. #else
  1517. if (s->hit && compression != s->session->compress_meth) {
  1518. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1519. SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
  1520. goto err;
  1521. }
  1522. if (compression == 0)
  1523. comp = NULL;
  1524. else if (!ssl_allow_compression(s)) {
  1525. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COMPRESSION_DISABLED);
  1526. goto err;
  1527. } else {
  1528. comp = ssl3_comp_find(SSL_CONNECTION_GET_CTX(s)->comp_methods,
  1529. compression);
  1530. }
  1531. if (compression != 0 && comp == NULL) {
  1532. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1533. SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
  1534. goto err;
  1535. } else {
  1536. s->s3.tmp.new_compression = comp;
  1537. }
  1538. #endif
  1539. if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) {
  1540. /* SSLfatal() already called */
  1541. goto err;
  1542. }
  1543. #ifndef OPENSSL_NO_SCTP
  1544. if (SSL_CONNECTION_IS_DTLS(s) && s->hit) {
  1545. unsigned char sctpauthkey[64];
  1546. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  1547. size_t labellen;
  1548. /*
  1549. * Add new shared key for SCTP-Auth, will be ignored if
  1550. * no SCTP used.
  1551. */
  1552. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  1553. sizeof(DTLS1_SCTP_AUTH_LABEL));
  1554. /* Don't include the terminating zero. */
  1555. labellen = sizeof(labelbuffer) - 1;
  1556. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  1557. labellen += 1;
  1558. if (SSL_export_keying_material(ssl, sctpauthkey,
  1559. sizeof(sctpauthkey),
  1560. labelbuffer,
  1561. labellen, NULL, 0, 0) <= 0) {
  1562. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1563. goto err;
  1564. }
  1565. BIO_ctrl(SSL_get_wbio(ssl),
  1566. BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  1567. sizeof(sctpauthkey), sctpauthkey);
  1568. }
  1569. #endif
  1570. /*
  1571. * In TLSv1.3 we have some post-processing to change cipher state, otherwise
  1572. * we're done with this message
  1573. */
  1574. if (SSL_CONNECTION_IS_TLS13(s)
  1575. && (!ssl->method->ssl3_enc->setup_key_block(s)
  1576. || !ssl->method->ssl3_enc->change_cipher_state(s,
  1577. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) {
  1578. /* SSLfatal() already called */
  1579. goto err;
  1580. }
  1581. OPENSSL_free(extensions);
  1582. return MSG_PROCESS_CONTINUE_READING;
  1583. err:
  1584. OPENSSL_free(extensions);
  1585. return MSG_PROCESS_ERROR;
  1586. }
  1587. static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s,
  1588. PACKET *extpkt)
  1589. {
  1590. RAW_EXTENSION *extensions = NULL;
  1591. /*
  1592. * If we were sending early_data then any alerts should not be sent using
  1593. * the old wrlmethod.
  1594. */
  1595. if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING
  1596. && !ssl_set_new_record_layer(s,
  1597. TLS_ANY_VERSION,
  1598. OSSL_RECORD_DIRECTION_WRITE,
  1599. OSSL_RECORD_PROTECTION_LEVEL_NONE,
  1600. NULL, 0, NULL, 0, NULL, 0, NULL, 0,
  1601. NID_undef, NULL, NULL)) {
  1602. /* SSLfatal already called */
  1603. goto err;
  1604. }
  1605. /* We are definitely going to be using TLSv1.3 */
  1606. s->rlayer.wrlmethod->set_protocol_version(s->rlayer.wrl, TLS1_3_VERSION);
  1607. if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
  1608. &extensions, NULL, 1)
  1609. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
  1610. extensions, NULL, 0, 1)) {
  1611. /* SSLfatal() already called */
  1612. goto err;
  1613. }
  1614. OPENSSL_free(extensions);
  1615. extensions = NULL;
  1616. if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) {
  1617. /*
  1618. * We didn't receive a cookie or a new key_share so the next
  1619. * ClientHello will not change
  1620. */
  1621. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CHANGE_FOLLOWING_HRR);
  1622. goto err;
  1623. }
  1624. /*
  1625. * Re-initialise the Transcript Hash. We're going to prepopulate it with
  1626. * a synthetic message_hash in place of ClientHello1.
  1627. */
  1628. if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
  1629. /* SSLfatal() already called */
  1630. goto err;
  1631. }
  1632. /*
  1633. * Add this message to the Transcript Hash. Normally this is done
  1634. * automatically prior to the message processing stage. However due to the
  1635. * need to create the synthetic message hash, we defer that step until now
  1636. * for HRR messages.
  1637. */
  1638. if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
  1639. s->init_num + SSL3_HM_HEADER_LENGTH)) {
  1640. /* SSLfatal() already called */
  1641. goto err;
  1642. }
  1643. return MSG_PROCESS_FINISHED_READING;
  1644. err:
  1645. OPENSSL_free(extensions);
  1646. return MSG_PROCESS_ERROR;
  1647. }
  1648. /* prepare server cert verification by setting s->session->peer_chain from pkt */
  1649. MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s,
  1650. PACKET *pkt)
  1651. {
  1652. unsigned long cert_list_len, cert_len;
  1653. X509 *x = NULL;
  1654. const unsigned char *certstart, *certbytes;
  1655. size_t chainidx;
  1656. unsigned int context = 0;
  1657. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1658. if ((s->session->peer_chain = sk_X509_new_null()) == NULL) {
  1659. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  1660. goto err;
  1661. }
  1662. if ((SSL_CONNECTION_IS_TLS13(s) && !PACKET_get_1(pkt, &context))
  1663. || context != 0
  1664. || !PACKET_get_net_3(pkt, &cert_list_len)
  1665. || PACKET_remaining(pkt) != cert_list_len
  1666. || PACKET_remaining(pkt) == 0) {
  1667. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1668. goto err;
  1669. }
  1670. for (chainidx = 0; PACKET_remaining(pkt); chainidx++) {
  1671. if (!PACKET_get_net_3(pkt, &cert_len)
  1672. || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
  1673. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
  1674. goto err;
  1675. }
  1676. certstart = certbytes;
  1677. x = X509_new_ex(sctx->libctx, sctx->propq);
  1678. if (x == NULL) {
  1679. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
  1680. goto err;
  1681. }
  1682. if (d2i_X509(&x, (const unsigned char **)&certbytes,
  1683. cert_len) == NULL) {
  1684. SSLfatal(s, SSL_AD_BAD_CERTIFICATE, ERR_R_ASN1_LIB);
  1685. goto err;
  1686. }
  1687. if (certbytes != (certstart + cert_len)) {
  1688. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
  1689. goto err;
  1690. }
  1691. if (SSL_CONNECTION_IS_TLS13(s)) {
  1692. RAW_EXTENSION *rawexts = NULL;
  1693. PACKET extensions;
  1694. if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
  1695. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
  1696. goto err;
  1697. }
  1698. if (!tls_collect_extensions(s, &extensions,
  1699. SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
  1700. NULL, chainidx == 0)
  1701. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
  1702. rawexts, x, chainidx,
  1703. PACKET_remaining(pkt) == 0)) {
  1704. OPENSSL_free(rawexts);
  1705. /* SSLfatal already called */
  1706. goto err;
  1707. }
  1708. OPENSSL_free(rawexts);
  1709. }
  1710. if (!sk_X509_push(s->session->peer_chain, x)) {
  1711. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  1712. goto err;
  1713. }
  1714. x = NULL;
  1715. }
  1716. return MSG_PROCESS_CONTINUE_PROCESSING;
  1717. err:
  1718. X509_free(x);
  1719. OSSL_STACK_OF_X509_free(s->session->peer_chain);
  1720. s->session->peer_chain = NULL;
  1721. return MSG_PROCESS_ERROR;
  1722. }
  1723. /*
  1724. * Verify the s->session->peer_chain and check server cert type.
  1725. * On success set s->session->peer and s->session->verify_result.
  1726. * Else the peer certificate verification callback may request retry.
  1727. */
  1728. WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s,
  1729. WORK_STATE wst)
  1730. {
  1731. X509 *x;
  1732. EVP_PKEY *pkey = NULL;
  1733. const SSL_CERT_LOOKUP *clu;
  1734. size_t certidx;
  1735. int i;
  1736. if (s->rwstate == SSL_RETRY_VERIFY)
  1737. s->rwstate = SSL_NOTHING;
  1738. i = ssl_verify_cert_chain(s, s->session->peer_chain);
  1739. if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) {
  1740. return WORK_MORE_A;
  1741. }
  1742. /*
  1743. * The documented interface is that SSL_VERIFY_PEER should be set in order
  1744. * for client side verification of the server certificate to take place.
  1745. * However, historically the code has only checked that *any* flag is set
  1746. * to cause server verification to take place. Use of the other flags makes
  1747. * no sense in client mode. An attempt to clean up the semantics was
  1748. * reverted because at least one application *only* set
  1749. * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
  1750. * server verification to take place, after the clean up it silently did
  1751. * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
  1752. * sent to them because they are void functions. Therefore, we now use the
  1753. * (less clean) historic behaviour of performing validation if any flag is
  1754. * set. The *documented* interface remains the same.
  1755. */
  1756. if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
  1757. SSLfatal(s, ssl_x509err2alert(s->verify_result),
  1758. SSL_R_CERTIFICATE_VERIFY_FAILED);
  1759. return WORK_ERROR;
  1760. }
  1761. ERR_clear_error(); /* but we keep s->verify_result */
  1762. /*
  1763. * Inconsistency alert: cert_chain does include the peer's certificate,
  1764. * which we don't include in statem_srvr.c
  1765. */
  1766. x = sk_X509_value(s->session->peer_chain, 0);
  1767. pkey = X509_get0_pubkey(x);
  1768. if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
  1769. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1770. SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
  1771. return WORK_ERROR;
  1772. }
  1773. if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) {
  1774. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  1775. return WORK_ERROR;
  1776. }
  1777. /*
  1778. * Check certificate type is consistent with ciphersuite. For TLS 1.3
  1779. * skip check since TLS 1.3 ciphersuites can be used with any certificate
  1780. * type.
  1781. */
  1782. if (!SSL_CONNECTION_IS_TLS13(s)) {
  1783. if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) {
  1784. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE);
  1785. return WORK_ERROR;
  1786. }
  1787. }
  1788. X509_free(s->session->peer);
  1789. X509_up_ref(x);
  1790. s->session->peer = x;
  1791. s->session->verify_result = s->verify_result;
  1792. /* Save the current hash state for when we receive the CertificateVerify */
  1793. if (SSL_CONNECTION_IS_TLS13(s)
  1794. && !ssl_handshake_hash(s, s->cert_verify_hash,
  1795. sizeof(s->cert_verify_hash),
  1796. &s->cert_verify_hash_len)) {
  1797. /* SSLfatal() already called */;
  1798. return WORK_ERROR;
  1799. }
  1800. return WORK_FINISHED_CONTINUE;
  1801. }
  1802. #ifndef OPENSSL_NO_COMP_ALG
  1803. MSG_PROCESS_RETURN tls_process_server_compressed_certificate(SSL_CONNECTION *sc, PACKET *pkt)
  1804. {
  1805. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  1806. PACKET tmppkt;
  1807. BUF_MEM *buf = BUF_MEM_new();
  1808. if (tls13_process_compressed_certificate(sc, pkt, &tmppkt, buf) != MSG_PROCESS_ERROR)
  1809. ret = tls_process_server_certificate(sc, &tmppkt);
  1810. BUF_MEM_free(buf);
  1811. return ret;
  1812. }
  1813. #endif
  1814. static int tls_process_ske_psk_preamble(SSL_CONNECTION *s, PACKET *pkt)
  1815. {
  1816. #ifndef OPENSSL_NO_PSK
  1817. PACKET psk_identity_hint;
  1818. /* PSK ciphersuites are preceded by an identity hint */
  1819. if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) {
  1820. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1821. return 0;
  1822. }
  1823. /*
  1824. * Store PSK identity hint for later use, hint is used in
  1825. * tls_construct_client_key_exchange. Assume that the maximum length of
  1826. * a PSK identity hint can be as long as the maximum length of a PSK
  1827. * identity.
  1828. */
  1829. if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) {
  1830. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DATA_LENGTH_TOO_LONG);
  1831. return 0;
  1832. }
  1833. if (PACKET_remaining(&psk_identity_hint) == 0) {
  1834. OPENSSL_free(s->session->psk_identity_hint);
  1835. s->session->psk_identity_hint = NULL;
  1836. } else if (!PACKET_strndup(&psk_identity_hint,
  1837. &s->session->psk_identity_hint)) {
  1838. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1839. return 0;
  1840. }
  1841. return 1;
  1842. #else
  1843. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1844. return 0;
  1845. #endif
  1846. }
  1847. static int tls_process_ske_srp(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey)
  1848. {
  1849. #ifndef OPENSSL_NO_SRP
  1850. PACKET prime, generator, salt, server_pub;
  1851. if (!PACKET_get_length_prefixed_2(pkt, &prime)
  1852. || !PACKET_get_length_prefixed_2(pkt, &generator)
  1853. || !PACKET_get_length_prefixed_1(pkt, &salt)
  1854. || !PACKET_get_length_prefixed_2(pkt, &server_pub)) {
  1855. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1856. return 0;
  1857. }
  1858. if ((s->srp_ctx.N =
  1859. BN_bin2bn(PACKET_data(&prime),
  1860. (int)PACKET_remaining(&prime), NULL)) == NULL
  1861. || (s->srp_ctx.g =
  1862. BN_bin2bn(PACKET_data(&generator),
  1863. (int)PACKET_remaining(&generator), NULL)) == NULL
  1864. || (s->srp_ctx.s =
  1865. BN_bin2bn(PACKET_data(&salt),
  1866. (int)PACKET_remaining(&salt), NULL)) == NULL
  1867. || (s->srp_ctx.B =
  1868. BN_bin2bn(PACKET_data(&server_pub),
  1869. (int)PACKET_remaining(&server_pub), NULL)) == NULL) {
  1870. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB);
  1871. return 0;
  1872. }
  1873. if (!srp_verify_server_param(s)) {
  1874. /* SSLfatal() already called */
  1875. return 0;
  1876. }
  1877. /* We must check if there is a certificate */
  1878. if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
  1879. *pkey = X509_get0_pubkey(s->session->peer);
  1880. return 1;
  1881. #else
  1882. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1883. return 0;
  1884. #endif
  1885. }
  1886. static int tls_process_ske_dhe(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey)
  1887. {
  1888. PACKET prime, generator, pub_key;
  1889. EVP_PKEY *peer_tmp = NULL;
  1890. BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL;
  1891. EVP_PKEY_CTX *pctx = NULL;
  1892. OSSL_PARAM *params = NULL;
  1893. OSSL_PARAM_BLD *tmpl = NULL;
  1894. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1895. int ret = 0;
  1896. if (!PACKET_get_length_prefixed_2(pkt, &prime)
  1897. || !PACKET_get_length_prefixed_2(pkt, &generator)
  1898. || !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
  1899. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1900. return 0;
  1901. }
  1902. p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL);
  1903. g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator),
  1904. NULL);
  1905. bnpub_key = BN_bin2bn(PACKET_data(&pub_key),
  1906. (int)PACKET_remaining(&pub_key), NULL);
  1907. if (p == NULL || g == NULL || bnpub_key == NULL) {
  1908. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB);
  1909. goto err;
  1910. }
  1911. tmpl = OSSL_PARAM_BLD_new();
  1912. if (tmpl == NULL
  1913. || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
  1914. || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G, g)
  1915. || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PUB_KEY,
  1916. bnpub_key)
  1917. || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
  1918. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1919. goto err;
  1920. }
  1921. pctx = EVP_PKEY_CTX_new_from_name(sctx->libctx, "DH", sctx->propq);
  1922. if (pctx == NULL) {
  1923. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1924. goto err;
  1925. }
  1926. if (EVP_PKEY_fromdata_init(pctx) <= 0
  1927. || EVP_PKEY_fromdata(pctx, &peer_tmp, EVP_PKEY_KEYPAIR, params) <= 0) {
  1928. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE);
  1929. goto err;
  1930. }
  1931. EVP_PKEY_CTX_free(pctx);
  1932. pctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, peer_tmp, sctx->propq);
  1933. if (pctx == NULL
  1934. /*
  1935. * EVP_PKEY_param_check() will verify that the DH params are using
  1936. * a safe prime. In this context, because we're using ephemeral DH,
  1937. * we're ok with it not being a safe prime.
  1938. * EVP_PKEY_param_check_quick() skips the safe prime check.
  1939. */
  1940. || EVP_PKEY_param_check_quick(pctx) != 1
  1941. || EVP_PKEY_public_check(pctx) != 1) {
  1942. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE);
  1943. goto err;
  1944. }
  1945. if (!ssl_security(s, SSL_SECOP_TMP_DH,
  1946. EVP_PKEY_get_security_bits(peer_tmp),
  1947. 0, peer_tmp)) {
  1948. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL);
  1949. goto err;
  1950. }
  1951. s->s3.peer_tmp = peer_tmp;
  1952. peer_tmp = NULL;
  1953. /*
  1954. * FIXME: This makes assumptions about which ciphersuites come with
  1955. * public keys. We should have a less ad-hoc way of doing this
  1956. */
  1957. if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
  1958. *pkey = X509_get0_pubkey(s->session->peer);
  1959. /* else anonymous DH, so no certificate or pkey. */
  1960. ret = 1;
  1961. err:
  1962. OSSL_PARAM_BLD_free(tmpl);
  1963. OSSL_PARAM_free(params);
  1964. EVP_PKEY_free(peer_tmp);
  1965. EVP_PKEY_CTX_free(pctx);
  1966. BN_free(p);
  1967. BN_free(g);
  1968. BN_free(bnpub_key);
  1969. return ret;
  1970. }
  1971. static int tls_process_ske_ecdhe(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey)
  1972. {
  1973. PACKET encoded_pt;
  1974. unsigned int curve_type, curve_id;
  1975. /*
  1976. * Extract elliptic curve parameters and the server's ephemeral ECDH
  1977. * public key. We only support named (not generic) curves and
  1978. * ECParameters in this case is just three bytes.
  1979. */
  1980. if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) {
  1981. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
  1982. return 0;
  1983. }
  1984. /*
  1985. * Check curve is named curve type and one of our preferences, if not
  1986. * server has sent an invalid curve.
  1987. */
  1988. if (curve_type != NAMED_CURVE_TYPE
  1989. || !tls1_check_group_id(s, curve_id, 1)) {
  1990. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE);
  1991. return 0;
  1992. }
  1993. if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL) {
  1994. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1995. SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
  1996. return 0;
  1997. }
  1998. if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) {
  1999. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2000. return 0;
  2001. }
  2002. if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp,
  2003. PACKET_data(&encoded_pt),
  2004. PACKET_remaining(&encoded_pt)) <= 0) {
  2005. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
  2006. return 0;
  2007. }
  2008. /*
  2009. * The ECC/TLS specification does not mention the use of DSA to sign
  2010. * ECParameters in the server key exchange message. We do support RSA
  2011. * and ECDSA.
  2012. */
  2013. if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA)
  2014. *pkey = X509_get0_pubkey(s->session->peer);
  2015. else if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aRSA)
  2016. *pkey = X509_get0_pubkey(s->session->peer);
  2017. /* else anonymous ECDH, so no certificate or pkey. */
  2018. /* Cache the agreed upon group in the SSL_SESSION */
  2019. s->session->kex_group = curve_id;
  2020. return 1;
  2021. }
  2022. MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s, PACKET *pkt)
  2023. {
  2024. long alg_k;
  2025. EVP_PKEY *pkey = NULL;
  2026. EVP_MD_CTX *md_ctx = NULL;
  2027. EVP_PKEY_CTX *pctx = NULL;
  2028. PACKET save_param_start, signature;
  2029. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2030. alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  2031. save_param_start = *pkt;
  2032. EVP_PKEY_free(s->s3.peer_tmp);
  2033. s->s3.peer_tmp = NULL;
  2034. if (alg_k & SSL_PSK) {
  2035. if (!tls_process_ske_psk_preamble(s, pkt)) {
  2036. /* SSLfatal() already called */
  2037. goto err;
  2038. }
  2039. }
  2040. /* Nothing else to do for plain PSK or RSAPSK */
  2041. if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) {
  2042. } else if (alg_k & SSL_kSRP) {
  2043. if (!tls_process_ske_srp(s, pkt, &pkey)) {
  2044. /* SSLfatal() already called */
  2045. goto err;
  2046. }
  2047. } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
  2048. if (!tls_process_ske_dhe(s, pkt, &pkey)) {
  2049. /* SSLfatal() already called */
  2050. goto err;
  2051. }
  2052. } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2053. if (!tls_process_ske_ecdhe(s, pkt, &pkey)) {
  2054. /* SSLfatal() already called */
  2055. goto err;
  2056. }
  2057. } else if (alg_k) {
  2058. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
  2059. goto err;
  2060. }
  2061. /* if it was signed, check the signature */
  2062. if (pkey != NULL) {
  2063. PACKET params;
  2064. const EVP_MD *md = NULL;
  2065. unsigned char *tbs;
  2066. size_t tbslen;
  2067. int rv;
  2068. /*
  2069. * |pkt| now points to the beginning of the signature, so the difference
  2070. * equals the length of the parameters.
  2071. */
  2072. if (!PACKET_get_sub_packet(&save_param_start, &params,
  2073. PACKET_remaining(&save_param_start) -
  2074. PACKET_remaining(pkt))) {
  2075. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
  2076. goto err;
  2077. }
  2078. if (SSL_USE_SIGALGS(s)) {
  2079. unsigned int sigalg;
  2080. if (!PACKET_get_net_2(pkt, &sigalg)) {
  2081. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
  2082. goto err;
  2083. }
  2084. if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) {
  2085. /* SSLfatal() already called */
  2086. goto err;
  2087. }
  2088. } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
  2089. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2090. goto err;
  2091. }
  2092. if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) {
  2093. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2094. SSL_R_NO_SUITABLE_DIGEST_ALGORITHM);
  2095. goto err;
  2096. }
  2097. if (SSL_USE_SIGALGS(s))
  2098. OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
  2099. md == NULL ? "n/a" : EVP_MD_get0_name(md));
  2100. if (!PACKET_get_length_prefixed_2(pkt, &signature)
  2101. || PACKET_remaining(pkt) != 0) {
  2102. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2103. goto err;
  2104. }
  2105. md_ctx = EVP_MD_CTX_new();
  2106. if (md_ctx == NULL) {
  2107. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2108. goto err;
  2109. }
  2110. if (EVP_DigestVerifyInit_ex(md_ctx, &pctx,
  2111. md == NULL ? NULL : EVP_MD_get0_name(md),
  2112. sctx->libctx, sctx->propq, pkey,
  2113. NULL) <= 0) {
  2114. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2115. goto err;
  2116. }
  2117. if (SSL_USE_PSS(s)) {
  2118. if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
  2119. || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
  2120. RSA_PSS_SALTLEN_DIGEST) <= 0) {
  2121. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2122. goto err;
  2123. }
  2124. }
  2125. tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params),
  2126. PACKET_remaining(&params));
  2127. if (tbslen == 0) {
  2128. /* SSLfatal() already called */
  2129. goto err;
  2130. }
  2131. rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature),
  2132. PACKET_remaining(&signature), tbs, tbslen);
  2133. OPENSSL_free(tbs);
  2134. if (rv <= 0) {
  2135. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
  2136. goto err;
  2137. }
  2138. EVP_MD_CTX_free(md_ctx);
  2139. md_ctx = NULL;
  2140. } else {
  2141. /* aNULL, aSRP or PSK do not need public keys */
  2142. if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
  2143. && !(alg_k & SSL_PSK)) {
  2144. /* Might be wrong key type, check it */
  2145. if (ssl3_check_cert_and_algorithm(s)) {
  2146. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DATA);
  2147. }
  2148. /* else this shouldn't happen, SSLfatal() already called */
  2149. goto err;
  2150. }
  2151. /* still data left over */
  2152. if (PACKET_remaining(pkt) != 0) {
  2153. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_EXTRA_DATA_IN_MESSAGE);
  2154. goto err;
  2155. }
  2156. }
  2157. return MSG_PROCESS_CONTINUE_READING;
  2158. err:
  2159. EVP_MD_CTX_free(md_ctx);
  2160. return MSG_PROCESS_ERROR;
  2161. }
  2162. MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s,
  2163. PACKET *pkt)
  2164. {
  2165. size_t i;
  2166. /* Clear certificate validity flags */
  2167. for (i = 0; i < SSL_PKEY_NUM; i++)
  2168. s->s3.tmp.valid_flags[i] = 0;
  2169. if (SSL_CONNECTION_IS_TLS13(s)) {
  2170. PACKET reqctx, extensions;
  2171. RAW_EXTENSION *rawexts = NULL;
  2172. if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) {
  2173. /*
  2174. * We already sent close_notify. This can only happen in TLSv1.3
  2175. * post-handshake messages. We can't reasonably respond to this, so
  2176. * we just ignore it
  2177. */
  2178. return MSG_PROCESS_FINISHED_READING;
  2179. }
  2180. /* Free and zero certificate types: it is not present in TLS 1.3 */
  2181. OPENSSL_free(s->s3.tmp.ctype);
  2182. s->s3.tmp.ctype = NULL;
  2183. s->s3.tmp.ctype_len = 0;
  2184. OPENSSL_free(s->pha_context);
  2185. s->pha_context = NULL;
  2186. s->pha_context_len = 0;
  2187. if (!PACKET_get_length_prefixed_1(pkt, &reqctx) ||
  2188. !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) {
  2189. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2190. return MSG_PROCESS_ERROR;
  2191. }
  2192. if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
  2193. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
  2194. return MSG_PROCESS_ERROR;
  2195. }
  2196. if (!tls_collect_extensions(s, &extensions,
  2197. SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  2198. &rawexts, NULL, 1)
  2199. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  2200. rawexts, NULL, 0, 1)) {
  2201. /* SSLfatal() already called */
  2202. OPENSSL_free(rawexts);
  2203. return MSG_PROCESS_ERROR;
  2204. }
  2205. OPENSSL_free(rawexts);
  2206. if (!tls1_process_sigalgs(s)) {
  2207. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH);
  2208. return MSG_PROCESS_ERROR;
  2209. }
  2210. } else {
  2211. PACKET ctypes;
  2212. /* get the certificate types */
  2213. if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) {
  2214. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2215. return MSG_PROCESS_ERROR;
  2216. }
  2217. if (!PACKET_memdup(&ctypes, &s->s3.tmp.ctype, &s->s3.tmp.ctype_len)) {
  2218. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2219. return MSG_PROCESS_ERROR;
  2220. }
  2221. if (SSL_USE_SIGALGS(s)) {
  2222. PACKET sigalgs;
  2223. if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) {
  2224. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2225. return MSG_PROCESS_ERROR;
  2226. }
  2227. /*
  2228. * Despite this being for certificates, preserve compatibility
  2229. * with pre-TLS 1.3 and use the regular sigalgs field.
  2230. */
  2231. if (!tls1_save_sigalgs(s, &sigalgs, 0)) {
  2232. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2233. SSL_R_SIGNATURE_ALGORITHMS_ERROR);
  2234. return MSG_PROCESS_ERROR;
  2235. }
  2236. if (!tls1_process_sigalgs(s)) {
  2237. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
  2238. return MSG_PROCESS_ERROR;
  2239. }
  2240. }
  2241. /* get the CA RDNs */
  2242. if (!parse_ca_names(s, pkt)) {
  2243. /* SSLfatal() already called */
  2244. return MSG_PROCESS_ERROR;
  2245. }
  2246. }
  2247. if (PACKET_remaining(pkt) != 0) {
  2248. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2249. return MSG_PROCESS_ERROR;
  2250. }
  2251. /* we should setup a certificate to return.... */
  2252. s->s3.tmp.cert_req = 1;
  2253. /*
  2254. * In TLSv1.3 we don't prepare the client certificate yet. We wait until
  2255. * after the CertificateVerify message has been received. This is because
  2256. * in TLSv1.3 the CertificateRequest arrives before the Certificate message
  2257. * but in TLSv1.2 it is the other way around. We want to make sure that
  2258. * SSL_get1_peer_certificate() returns something sensible in
  2259. * client_cert_cb.
  2260. */
  2261. if (SSL_CONNECTION_IS_TLS13(s)
  2262. && s->post_handshake_auth != SSL_PHA_REQUESTED)
  2263. return MSG_PROCESS_CONTINUE_READING;
  2264. return MSG_PROCESS_CONTINUE_PROCESSING;
  2265. }
  2266. MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s,
  2267. PACKET *pkt)
  2268. {
  2269. unsigned int ticklen;
  2270. unsigned long ticket_lifetime_hint, age_add = 0;
  2271. unsigned int sess_len;
  2272. RAW_EXTENSION *exts = NULL;
  2273. PACKET nonce;
  2274. EVP_MD *sha256 = NULL;
  2275. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2276. PACKET_null_init(&nonce);
  2277. if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
  2278. || (SSL_CONNECTION_IS_TLS13(s)
  2279. && (!PACKET_get_net_4(pkt, &age_add)
  2280. || !PACKET_get_length_prefixed_1(pkt, &nonce)))
  2281. || !PACKET_get_net_2(pkt, &ticklen)
  2282. || (SSL_CONNECTION_IS_TLS13(s) ? (ticklen == 0
  2283. || PACKET_remaining(pkt) < ticklen)
  2284. : PACKET_remaining(pkt) != ticklen)) {
  2285. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2286. goto err;
  2287. }
  2288. /*
  2289. * Server is allowed to change its mind (in <=TLSv1.2) and send an empty
  2290. * ticket. We already checked this TLSv1.3 case above, so it should never
  2291. * be 0 here in that instance
  2292. */
  2293. if (ticklen == 0)
  2294. return MSG_PROCESS_CONTINUE_READING;
  2295. /*
  2296. * Sessions must be immutable once they go into the session cache. Otherwise
  2297. * we can get multi-thread problems. Therefore we don't "update" sessions,
  2298. * we replace them with a duplicate. In TLSv1.3 we need to do this every
  2299. * time a NewSessionTicket arrives because those messages arrive
  2300. * post-handshake and the session may have already gone into the session
  2301. * cache.
  2302. */
  2303. if (SSL_CONNECTION_IS_TLS13(s) || s->session->session_id_length > 0) {
  2304. SSL_SESSION *new_sess;
  2305. /*
  2306. * We reused an existing session, so we need to replace it with a new
  2307. * one
  2308. */
  2309. if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
  2310. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
  2311. goto err;
  2312. }
  2313. if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0
  2314. && !SSL_CONNECTION_IS_TLS13(s)) {
  2315. /*
  2316. * In TLSv1.2 and below the arrival of a new tickets signals that
  2317. * any old ticket we were using is now out of date, so we remove the
  2318. * old session from the cache. We carry on if this fails
  2319. */
  2320. SSL_CTX_remove_session(s->session_ctx, s->session);
  2321. }
  2322. SSL_SESSION_free(s->session);
  2323. s->session = new_sess;
  2324. }
  2325. s->session->time = ossl_time_now();
  2326. ssl_session_calculate_timeout(s->session);
  2327. OPENSSL_free(s->session->ext.tick);
  2328. s->session->ext.tick = NULL;
  2329. s->session->ext.ticklen = 0;
  2330. s->session->ext.tick = OPENSSL_malloc(ticklen);
  2331. if (s->session->ext.tick == NULL) {
  2332. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  2333. goto err;
  2334. }
  2335. if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
  2336. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2337. goto err;
  2338. }
  2339. s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
  2340. s->session->ext.tick_age_add = age_add;
  2341. s->session->ext.ticklen = ticklen;
  2342. if (SSL_CONNECTION_IS_TLS13(s)) {
  2343. PACKET extpkt;
  2344. if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
  2345. || PACKET_remaining(pkt) != 0) {
  2346. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2347. goto err;
  2348. }
  2349. if (!tls_collect_extensions(s, &extpkt,
  2350. SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts,
  2351. NULL, 1)
  2352. || !tls_parse_all_extensions(s,
  2353. SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
  2354. exts, NULL, 0, 1)) {
  2355. /* SSLfatal() already called */
  2356. goto err;
  2357. }
  2358. }
  2359. /*
  2360. * There are two ways to detect a resumed ticket session. One is to set
  2361. * an appropriate session ID and then the server must return a match in
  2362. * ServerHello. This allows the normal client session ID matching to work
  2363. * and we know much earlier that the ticket has been accepted. The
  2364. * other way is to set zero length session ID when the ticket is
  2365. * presented and rely on the handshake to determine session resumption.
  2366. * We choose the former approach because this fits in with assumptions
  2367. * elsewhere in OpenSSL. The session ID is set to the SHA256 hash of the
  2368. * ticket.
  2369. */
  2370. sha256 = EVP_MD_fetch(sctx->libctx, "SHA2-256", sctx->propq);
  2371. if (sha256 == NULL) {
  2372. /* Error is already recorded */
  2373. SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
  2374. goto err;
  2375. }
  2376. /*
  2377. * We use sess_len here because EVP_Digest expects an int
  2378. * but s->session->session_id_length is a size_t
  2379. */
  2380. if (!EVP_Digest(s->session->ext.tick, ticklen,
  2381. s->session->session_id, &sess_len,
  2382. sha256, NULL)) {
  2383. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2384. goto err;
  2385. }
  2386. EVP_MD_free(sha256);
  2387. sha256 = NULL;
  2388. s->session->session_id_length = sess_len;
  2389. s->session->not_resumable = 0;
  2390. /* This is a standalone message in TLSv1.3, so there is no more to read */
  2391. if (SSL_CONNECTION_IS_TLS13(s)) {
  2392. const EVP_MD *md = ssl_handshake_md(s);
  2393. int hashleni = EVP_MD_get_size(md);
  2394. size_t hashlen;
  2395. static const unsigned char nonce_label[] = "resumption";
  2396. /* Ensure cast to size_t is safe */
  2397. if (!ossl_assert(hashleni >= 0)) {
  2398. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2399. goto err;
  2400. }
  2401. hashlen = (size_t)hashleni;
  2402. if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
  2403. nonce_label,
  2404. sizeof(nonce_label) - 1,
  2405. PACKET_data(&nonce),
  2406. PACKET_remaining(&nonce),
  2407. s->session->master_key,
  2408. hashlen, 1)) {
  2409. /* SSLfatal() already called */
  2410. goto err;
  2411. }
  2412. s->session->master_key_length = hashlen;
  2413. OPENSSL_free(exts);
  2414. ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
  2415. return MSG_PROCESS_FINISHED_READING;
  2416. }
  2417. return MSG_PROCESS_CONTINUE_READING;
  2418. err:
  2419. EVP_MD_free(sha256);
  2420. OPENSSL_free(exts);
  2421. return MSG_PROCESS_ERROR;
  2422. }
  2423. /*
  2424. * In TLSv1.3 this is called from the extensions code, otherwise it is used to
  2425. * parse a separate message. Returns 1 on success or 0 on failure
  2426. */
  2427. int tls_process_cert_status_body(SSL_CONNECTION *s, PACKET *pkt)
  2428. {
  2429. size_t resplen;
  2430. unsigned int type;
  2431. if (!PACKET_get_1(pkt, &type)
  2432. || type != TLSEXT_STATUSTYPE_ocsp) {
  2433. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE);
  2434. return 0;
  2435. }
  2436. if (!PACKET_get_net_3_len(pkt, &resplen)
  2437. || PACKET_remaining(pkt) != resplen) {
  2438. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2439. return 0;
  2440. }
  2441. s->ext.ocsp.resp = OPENSSL_malloc(resplen);
  2442. if (s->ext.ocsp.resp == NULL) {
  2443. s->ext.ocsp.resp_len = 0;
  2444. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  2445. return 0;
  2446. }
  2447. s->ext.ocsp.resp_len = resplen;
  2448. if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
  2449. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2450. return 0;
  2451. }
  2452. return 1;
  2453. }
  2454. MSG_PROCESS_RETURN tls_process_cert_status(SSL_CONNECTION *s, PACKET *pkt)
  2455. {
  2456. if (!tls_process_cert_status_body(s, pkt)) {
  2457. /* SSLfatal() already called */
  2458. return MSG_PROCESS_ERROR;
  2459. }
  2460. return MSG_PROCESS_CONTINUE_READING;
  2461. }
  2462. /*
  2463. * Perform miscellaneous checks and processing after we have received the
  2464. * server's initial flight. In TLS1.3 this is after the Server Finished message.
  2465. * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0
  2466. * on failure.
  2467. */
  2468. int tls_process_initial_server_flight(SSL_CONNECTION *s)
  2469. {
  2470. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2471. /*
  2472. * at this point we check that we have the required stuff from
  2473. * the server
  2474. */
  2475. if (!ssl3_check_cert_and_algorithm(s)) {
  2476. /* SSLfatal() already called */
  2477. return 0;
  2478. }
  2479. /*
  2480. * Call the ocsp status callback if needed. The |ext.ocsp.resp| and
  2481. * |ext.ocsp.resp_len| values will be set if we actually received a status
  2482. * message, or NULL and -1 otherwise
  2483. */
  2484. if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing
  2485. && sctx->ext.status_cb != NULL) {
  2486. int ret = sctx->ext.status_cb(SSL_CONNECTION_GET_SSL(s),
  2487. sctx->ext.status_arg);
  2488. if (ret == 0) {
  2489. SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE,
  2490. SSL_R_INVALID_STATUS_RESPONSE);
  2491. return 0;
  2492. }
  2493. if (ret < 0) {
  2494. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2495. SSL_R_OCSP_CALLBACK_FAILURE);
  2496. return 0;
  2497. }
  2498. }
  2499. #ifndef OPENSSL_NO_CT
  2500. if (s->ct_validation_callback != NULL) {
  2501. /* Note we validate the SCTs whether or not we abort on error */
  2502. if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
  2503. /* SSLfatal() already called */
  2504. return 0;
  2505. }
  2506. }
  2507. #endif
  2508. return 1;
  2509. }
  2510. MSG_PROCESS_RETURN tls_process_server_done(SSL_CONNECTION *s, PACKET *pkt)
  2511. {
  2512. if (PACKET_remaining(pkt) > 0) {
  2513. /* should contain no data */
  2514. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2515. return MSG_PROCESS_ERROR;
  2516. }
  2517. #ifndef OPENSSL_NO_SRP
  2518. if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
  2519. if (ssl_srp_calc_a_param_intern(s) <= 0) {
  2520. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC);
  2521. return MSG_PROCESS_ERROR;
  2522. }
  2523. }
  2524. #endif
  2525. if (!tls_process_initial_server_flight(s)) {
  2526. /* SSLfatal() already called */
  2527. return MSG_PROCESS_ERROR;
  2528. }
  2529. return MSG_PROCESS_FINISHED_READING;
  2530. }
  2531. static int tls_construct_cke_psk_preamble(SSL_CONNECTION *s, WPACKET *pkt)
  2532. {
  2533. #ifndef OPENSSL_NO_PSK
  2534. int ret = 0;
  2535. /*
  2536. * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
  2537. * \0-terminated identity. The last byte is for us for simulating
  2538. * strnlen.
  2539. */
  2540. char identity[PSK_MAX_IDENTITY_LEN + 1];
  2541. size_t identitylen = 0;
  2542. unsigned char psk[PSK_MAX_PSK_LEN];
  2543. unsigned char *tmppsk = NULL;
  2544. char *tmpidentity = NULL;
  2545. size_t psklen = 0;
  2546. if (s->psk_client_callback == NULL) {
  2547. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_CLIENT_CB);
  2548. goto err;
  2549. }
  2550. memset(identity, 0, sizeof(identity));
  2551. psklen = s->psk_client_callback(SSL_CONNECTION_GET_SSL(s),
  2552. s->session->psk_identity_hint,
  2553. identity, sizeof(identity) - 1,
  2554. psk, sizeof(psk));
  2555. if (psklen > PSK_MAX_PSK_LEN) {
  2556. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
  2557. psklen = PSK_MAX_PSK_LEN; /* Avoid overrunning the array on cleanse */
  2558. goto err;
  2559. } else if (psklen == 0) {
  2560. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND);
  2561. goto err;
  2562. }
  2563. identitylen = strlen(identity);
  2564. if (identitylen > PSK_MAX_IDENTITY_LEN) {
  2565. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2566. goto err;
  2567. }
  2568. tmppsk = OPENSSL_memdup(psk, psklen);
  2569. tmpidentity = OPENSSL_strdup(identity);
  2570. if (tmppsk == NULL || tmpidentity == NULL) {
  2571. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  2572. goto err;
  2573. }
  2574. OPENSSL_free(s->s3.tmp.psk);
  2575. s->s3.tmp.psk = tmppsk;
  2576. s->s3.tmp.psklen = psklen;
  2577. tmppsk = NULL;
  2578. OPENSSL_free(s->session->psk_identity);
  2579. s->session->psk_identity = tmpidentity;
  2580. tmpidentity = NULL;
  2581. if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)) {
  2582. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2583. goto err;
  2584. }
  2585. ret = 1;
  2586. err:
  2587. OPENSSL_cleanse(psk, psklen);
  2588. OPENSSL_cleanse(identity, sizeof(identity));
  2589. OPENSSL_clear_free(tmppsk, psklen);
  2590. OPENSSL_clear_free(tmpidentity, identitylen);
  2591. return ret;
  2592. #else
  2593. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2594. return 0;
  2595. #endif
  2596. }
  2597. static int tls_construct_cke_rsa(SSL_CONNECTION *s, WPACKET *pkt)
  2598. {
  2599. unsigned char *encdata = NULL;
  2600. EVP_PKEY *pkey = NULL;
  2601. EVP_PKEY_CTX *pctx = NULL;
  2602. size_t enclen;
  2603. unsigned char *pms = NULL;
  2604. size_t pmslen = 0;
  2605. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2606. if (s->session->peer == NULL) {
  2607. /*
  2608. * We should always have a server certificate with SSL_kRSA.
  2609. */
  2610. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2611. return 0;
  2612. }
  2613. pkey = X509_get0_pubkey(s->session->peer);
  2614. if (!EVP_PKEY_is_a(pkey, "RSA")) {
  2615. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2616. return 0;
  2617. }
  2618. pmslen = SSL_MAX_MASTER_KEY_LENGTH;
  2619. pms = OPENSSL_malloc(pmslen);
  2620. if (pms == NULL) {
  2621. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  2622. return 0;
  2623. }
  2624. pms[0] = s->client_version >> 8;
  2625. pms[1] = s->client_version & 0xff;
  2626. if (RAND_bytes_ex(sctx->libctx, pms + 2, pmslen - 2, 0) <= 0) {
  2627. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_RAND_LIB);
  2628. goto err;
  2629. }
  2630. /* Fix buf for TLS and beyond */
  2631. if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) {
  2632. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2633. goto err;
  2634. }
  2635. pctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pkey, sctx->propq);
  2636. if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0
  2637. || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) {
  2638. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2639. goto err;
  2640. }
  2641. if (!WPACKET_allocate_bytes(pkt, enclen, &encdata)
  2642. || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) {
  2643. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_RSA_ENCRYPT);
  2644. goto err;
  2645. }
  2646. EVP_PKEY_CTX_free(pctx);
  2647. pctx = NULL;
  2648. /* Fix buf for TLS and beyond */
  2649. if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) {
  2650. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2651. goto err;
  2652. }
  2653. /* Log the premaster secret, if logging is enabled. */
  2654. if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) {
  2655. /* SSLfatal() already called */
  2656. goto err;
  2657. }
  2658. s->s3.tmp.pms = pms;
  2659. s->s3.tmp.pmslen = pmslen;
  2660. return 1;
  2661. err:
  2662. OPENSSL_clear_free(pms, pmslen);
  2663. EVP_PKEY_CTX_free(pctx);
  2664. return 0;
  2665. }
  2666. static int tls_construct_cke_dhe(SSL_CONNECTION *s, WPACKET *pkt)
  2667. {
  2668. EVP_PKEY *ckey = NULL, *skey = NULL;
  2669. unsigned char *keybytes = NULL;
  2670. int prime_len;
  2671. unsigned char *encoded_pub = NULL;
  2672. size_t encoded_pub_len, pad_len;
  2673. int ret = 0;
  2674. skey = s->s3.peer_tmp;
  2675. if (skey == NULL) {
  2676. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2677. goto err;
  2678. }
  2679. ckey = ssl_generate_pkey(s, skey);
  2680. if (ckey == NULL) {
  2681. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2682. goto err;
  2683. }
  2684. if (ssl_derive(s, ckey, skey, 0) == 0) {
  2685. /* SSLfatal() already called */
  2686. goto err;
  2687. }
  2688. /* send off the data */
  2689. /* Generate encoding of server key */
  2690. encoded_pub_len = EVP_PKEY_get1_encoded_public_key(ckey, &encoded_pub);
  2691. if (encoded_pub_len == 0) {
  2692. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2693. EVP_PKEY_free(ckey);
  2694. return EXT_RETURN_FAIL;
  2695. }
  2696. /*
  2697. * For interoperability with some versions of the Microsoft TLS
  2698. * stack, we need to zero pad the DHE pub key to the same length
  2699. * as the prime.
  2700. */
  2701. prime_len = EVP_PKEY_get_size(ckey);
  2702. pad_len = prime_len - encoded_pub_len;
  2703. if (pad_len > 0) {
  2704. if (!WPACKET_sub_allocate_bytes_u16(pkt, pad_len, &keybytes)) {
  2705. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2706. goto err;
  2707. }
  2708. memset(keybytes, 0, pad_len);
  2709. }
  2710. if (!WPACKET_sub_memcpy_u16(pkt, encoded_pub, encoded_pub_len)) {
  2711. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2712. goto err;
  2713. }
  2714. ret = 1;
  2715. err:
  2716. OPENSSL_free(encoded_pub);
  2717. EVP_PKEY_free(ckey);
  2718. return ret;
  2719. }
  2720. static int tls_construct_cke_ecdhe(SSL_CONNECTION *s, WPACKET *pkt)
  2721. {
  2722. unsigned char *encodedPoint = NULL;
  2723. size_t encoded_pt_len = 0;
  2724. EVP_PKEY *ckey = NULL, *skey = NULL;
  2725. int ret = 0;
  2726. skey = s->s3.peer_tmp;
  2727. if (skey == NULL) {
  2728. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2729. return 0;
  2730. }
  2731. ckey = ssl_generate_pkey(s, skey);
  2732. if (ckey == NULL) {
  2733. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
  2734. goto err;
  2735. }
  2736. if (ssl_derive(s, ckey, skey, 0) == 0) {
  2737. /* SSLfatal() already called */
  2738. goto err;
  2739. }
  2740. /* Generate encoding of client key */
  2741. encoded_pt_len = EVP_PKEY_get1_encoded_public_key(ckey, &encodedPoint);
  2742. if (encoded_pt_len == 0) {
  2743. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
  2744. goto err;
  2745. }
  2746. if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) {
  2747. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2748. goto err;
  2749. }
  2750. ret = 1;
  2751. err:
  2752. OPENSSL_free(encodedPoint);
  2753. EVP_PKEY_free(ckey);
  2754. return ret;
  2755. }
  2756. static int tls_construct_cke_gost(SSL_CONNECTION *s, WPACKET *pkt)
  2757. {
  2758. #ifndef OPENSSL_NO_GOST
  2759. /* GOST key exchange message creation */
  2760. EVP_PKEY_CTX *pkey_ctx = NULL;
  2761. X509 *peer_cert;
  2762. size_t msglen;
  2763. unsigned int md_len;
  2764. unsigned char shared_ukm[32], tmp[256];
  2765. EVP_MD_CTX *ukm_hash = NULL;
  2766. int dgst_nid = NID_id_GostR3411_94;
  2767. unsigned char *pms = NULL;
  2768. size_t pmslen = 0;
  2769. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2770. if ((s->s3.tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
  2771. dgst_nid = NID_id_GostR3411_2012_256;
  2772. /*
  2773. * Get server certificate PKEY and create ctx from it
  2774. */
  2775. peer_cert = s->session->peer;
  2776. if (peer_cert == NULL) {
  2777. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2778. SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
  2779. return 0;
  2780. }
  2781. pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx,
  2782. X509_get0_pubkey(peer_cert),
  2783. sctx->propq);
  2784. if (pkey_ctx == NULL) {
  2785. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2786. return 0;
  2787. }
  2788. /*
  2789. * If we have send a certificate, and certificate key
  2790. * parameters match those of server certificate, use
  2791. * certificate key for key exchange
  2792. */
  2793. /* Otherwise, generate ephemeral key pair */
  2794. pmslen = 32;
  2795. pms = OPENSSL_malloc(pmslen);
  2796. if (pms == NULL) {
  2797. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  2798. goto err;
  2799. }
  2800. if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
  2801. /* Generate session key
  2802. */
  2803. || RAND_bytes_ex(sctx->libctx, pms, pmslen, 0) <= 0) {
  2804. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2805. goto err;
  2806. };
  2807. /*
  2808. * Compute shared IV and store it in algorithm-specific context
  2809. * data
  2810. */
  2811. ukm_hash = EVP_MD_CTX_new();
  2812. if (ukm_hash == NULL
  2813. || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0
  2814. || EVP_DigestUpdate(ukm_hash, s->s3.client_random,
  2815. SSL3_RANDOM_SIZE) <= 0
  2816. || EVP_DigestUpdate(ukm_hash, s->s3.server_random,
  2817. SSL3_RANDOM_SIZE) <= 0
  2818. || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
  2819. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2820. goto err;
  2821. }
  2822. EVP_MD_CTX_free(ukm_hash);
  2823. ukm_hash = NULL;
  2824. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
  2825. EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) <= 0) {
  2826. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  2827. goto err;
  2828. }
  2829. /* Make GOST keytransport blob message */
  2830. /*
  2831. * Encapsulate it into sequence
  2832. */
  2833. msglen = 255;
  2834. if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
  2835. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  2836. goto err;
  2837. }
  2838. if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
  2839. || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81))
  2840. || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) {
  2841. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2842. goto err;
  2843. }
  2844. EVP_PKEY_CTX_free(pkey_ctx);
  2845. s->s3.tmp.pms = pms;
  2846. s->s3.tmp.pmslen = pmslen;
  2847. return 1;
  2848. err:
  2849. EVP_PKEY_CTX_free(pkey_ctx);
  2850. OPENSSL_clear_free(pms, pmslen);
  2851. EVP_MD_CTX_free(ukm_hash);
  2852. return 0;
  2853. #else
  2854. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2855. return 0;
  2856. #endif
  2857. }
  2858. #ifndef OPENSSL_NO_GOST
  2859. int ossl_gost18_cke_cipher_nid(const SSL_CONNECTION *s)
  2860. {
  2861. if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0)
  2862. return NID_magma_ctr;
  2863. else if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0)
  2864. return NID_kuznyechik_ctr;
  2865. return NID_undef;
  2866. }
  2867. int ossl_gost_ukm(const SSL_CONNECTION *s, unsigned char *dgst_buf)
  2868. {
  2869. EVP_MD_CTX * hash = NULL;
  2870. unsigned int md_len;
  2871. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2872. const EVP_MD *md = ssl_evp_md_fetch(sctx->libctx, NID_id_GostR3411_2012_256,
  2873. sctx->propq);
  2874. if (md == NULL)
  2875. return 0;
  2876. if ((hash = EVP_MD_CTX_new()) == NULL
  2877. || EVP_DigestInit(hash, md) <= 0
  2878. || EVP_DigestUpdate(hash, s->s3.client_random, SSL3_RANDOM_SIZE) <= 0
  2879. || EVP_DigestUpdate(hash, s->s3.server_random, SSL3_RANDOM_SIZE) <= 0
  2880. || EVP_DigestFinal_ex(hash, dgst_buf, &md_len) <= 0) {
  2881. EVP_MD_CTX_free(hash);
  2882. ssl_evp_md_free(md);
  2883. return 0;
  2884. }
  2885. EVP_MD_CTX_free(hash);
  2886. ssl_evp_md_free(md);
  2887. return 1;
  2888. }
  2889. #endif
  2890. static int tls_construct_cke_gost18(SSL_CONNECTION *s, WPACKET *pkt)
  2891. {
  2892. #ifndef OPENSSL_NO_GOST
  2893. /* GOST 2018 key exchange message creation */
  2894. unsigned char rnd_dgst[32];
  2895. unsigned char *encdata = NULL;
  2896. EVP_PKEY_CTX *pkey_ctx = NULL;
  2897. X509 *peer_cert;
  2898. unsigned char *pms = NULL;
  2899. size_t pmslen = 0;
  2900. size_t msglen;
  2901. int cipher_nid = ossl_gost18_cke_cipher_nid(s);
  2902. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2903. if (cipher_nid == NID_undef) {
  2904. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2905. return 0;
  2906. }
  2907. if (ossl_gost_ukm(s, rnd_dgst) <= 0) {
  2908. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2909. goto err;
  2910. }
  2911. /* Pre-master secret - random bytes */
  2912. pmslen = 32;
  2913. pms = OPENSSL_malloc(pmslen);
  2914. if (pms == NULL) {
  2915. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  2916. goto err;
  2917. }
  2918. if (RAND_bytes_ex(sctx->libctx, pms, pmslen, 0) <= 0) {
  2919. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2920. goto err;
  2921. }
  2922. /* Get server certificate PKEY and create ctx from it */
  2923. peer_cert = s->session->peer;
  2924. if (peer_cert == NULL) {
  2925. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2926. SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
  2927. goto err;
  2928. }
  2929. pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx,
  2930. X509_get0_pubkey(peer_cert),
  2931. sctx->propq);
  2932. if (pkey_ctx == NULL) {
  2933. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2934. goto err;
  2935. }
  2936. if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0) {
  2937. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2938. goto err;
  2939. };
  2940. /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code */
  2941. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
  2942. EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) {
  2943. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  2944. goto err;
  2945. }
  2946. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
  2947. EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) <= 0) {
  2948. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  2949. goto err;
  2950. }
  2951. if (EVP_PKEY_encrypt(pkey_ctx, NULL, &msglen, pms, pmslen) <= 0) {
  2952. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2953. goto err;
  2954. }
  2955. if (!WPACKET_allocate_bytes(pkt, msglen, &encdata)
  2956. || EVP_PKEY_encrypt(pkey_ctx, encdata, &msglen, pms, pmslen) <= 0) {
  2957. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2958. goto err;
  2959. }
  2960. EVP_PKEY_CTX_free(pkey_ctx);
  2961. pkey_ctx = NULL;
  2962. s->s3.tmp.pms = pms;
  2963. s->s3.tmp.pmslen = pmslen;
  2964. return 1;
  2965. err:
  2966. EVP_PKEY_CTX_free(pkey_ctx);
  2967. OPENSSL_clear_free(pms, pmslen);
  2968. return 0;
  2969. #else
  2970. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2971. return 0;
  2972. #endif
  2973. }
  2974. static int tls_construct_cke_srp(SSL_CONNECTION *s, WPACKET *pkt)
  2975. {
  2976. #ifndef OPENSSL_NO_SRP
  2977. unsigned char *abytes = NULL;
  2978. if (s->srp_ctx.A == NULL
  2979. || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A),
  2980. &abytes)) {
  2981. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2982. return 0;
  2983. }
  2984. BN_bn2bin(s->srp_ctx.A, abytes);
  2985. OPENSSL_free(s->session->srp_username);
  2986. s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
  2987. if (s->session->srp_username == NULL) {
  2988. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  2989. return 0;
  2990. }
  2991. return 1;
  2992. #else
  2993. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2994. return 0;
  2995. #endif
  2996. }
  2997. CON_FUNC_RETURN tls_construct_client_key_exchange(SSL_CONNECTION *s,
  2998. WPACKET *pkt)
  2999. {
  3000. unsigned long alg_k;
  3001. alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  3002. /*
  3003. * All of the construct functions below call SSLfatal() if necessary so
  3004. * no need to do so here.
  3005. */
  3006. if ((alg_k & SSL_PSK)
  3007. && !tls_construct_cke_psk_preamble(s, pkt))
  3008. goto err;
  3009. if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
  3010. if (!tls_construct_cke_rsa(s, pkt))
  3011. goto err;
  3012. } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
  3013. if (!tls_construct_cke_dhe(s, pkt))
  3014. goto err;
  3015. } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
  3016. if (!tls_construct_cke_ecdhe(s, pkt))
  3017. goto err;
  3018. } else if (alg_k & SSL_kGOST) {
  3019. if (!tls_construct_cke_gost(s, pkt))
  3020. goto err;
  3021. } else if (alg_k & SSL_kGOST18) {
  3022. if (!tls_construct_cke_gost18(s, pkt))
  3023. goto err;
  3024. } else if (alg_k & SSL_kSRP) {
  3025. if (!tls_construct_cke_srp(s, pkt))
  3026. goto err;
  3027. } else if (!(alg_k & SSL_kPSK)) {
  3028. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3029. goto err;
  3030. }
  3031. return CON_FUNC_SUCCESS;
  3032. err:
  3033. OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen);
  3034. s->s3.tmp.pms = NULL;
  3035. s->s3.tmp.pmslen = 0;
  3036. #ifndef OPENSSL_NO_PSK
  3037. OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen);
  3038. s->s3.tmp.psk = NULL;
  3039. s->s3.tmp.psklen = 0;
  3040. #endif
  3041. return CON_FUNC_ERROR;
  3042. }
  3043. int tls_client_key_exchange_post_work(SSL_CONNECTION *s)
  3044. {
  3045. unsigned char *pms = NULL;
  3046. size_t pmslen = 0;
  3047. pms = s->s3.tmp.pms;
  3048. pmslen = s->s3.tmp.pmslen;
  3049. #ifndef OPENSSL_NO_SRP
  3050. /* Check for SRP */
  3051. if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
  3052. if (!srp_generate_client_master_secret(s)) {
  3053. /* SSLfatal() already called */
  3054. goto err;
  3055. }
  3056. return 1;
  3057. }
  3058. #endif
  3059. if (pms == NULL && !(s->s3.tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
  3060. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_PASSED_INVALID_ARGUMENT);
  3061. goto err;
  3062. }
  3063. if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
  3064. /* SSLfatal() already called */
  3065. /* ssl_generate_master_secret frees the pms even on error */
  3066. pms = NULL;
  3067. pmslen = 0;
  3068. goto err;
  3069. }
  3070. pms = NULL;
  3071. pmslen = 0;
  3072. #ifndef OPENSSL_NO_SCTP
  3073. if (SSL_CONNECTION_IS_DTLS(s)) {
  3074. unsigned char sctpauthkey[64];
  3075. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  3076. size_t labellen;
  3077. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  3078. /*
  3079. * Add new shared key for SCTP-Auth, will be ignored if no SCTP
  3080. * used.
  3081. */
  3082. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  3083. sizeof(DTLS1_SCTP_AUTH_LABEL));
  3084. /* Don't include the terminating zero. */
  3085. labellen = sizeof(labelbuffer) - 1;
  3086. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  3087. labellen += 1;
  3088. if (SSL_export_keying_material(ssl, sctpauthkey,
  3089. sizeof(sctpauthkey), labelbuffer,
  3090. labellen, NULL, 0, 0) <= 0) {
  3091. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3092. goto err;
  3093. }
  3094. BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  3095. sizeof(sctpauthkey), sctpauthkey);
  3096. }
  3097. #endif
  3098. return 1;
  3099. err:
  3100. OPENSSL_clear_free(pms, pmslen);
  3101. s->s3.tmp.pms = NULL;
  3102. s->s3.tmp.pmslen = 0;
  3103. return 0;
  3104. }
  3105. /*
  3106. * Check a certificate can be used for client authentication. Currently check
  3107. * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
  3108. * certificates can be used and optionally checks suitability for Suite B.
  3109. */
  3110. static int ssl3_check_client_certificate(SSL_CONNECTION *s)
  3111. {
  3112. /* If no suitable signature algorithm can't use certificate */
  3113. if (!tls_choose_sigalg(s, 0) || s->s3.tmp.sigalg == NULL)
  3114. return 0;
  3115. /*
  3116. * If strict mode check suitability of chain before using it. This also
  3117. * adjusts suite B digest if necessary.
  3118. */
  3119. if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
  3120. !tls1_check_chain(s, NULL, NULL, NULL, -2))
  3121. return 0;
  3122. return 1;
  3123. }
  3124. WORK_STATE tls_prepare_client_certificate(SSL_CONNECTION *s, WORK_STATE wst)
  3125. {
  3126. X509 *x509 = NULL;
  3127. EVP_PKEY *pkey = NULL;
  3128. int i;
  3129. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  3130. if (wst == WORK_MORE_A) {
  3131. /* Let cert callback update client certificates if required */
  3132. if (s->cert->cert_cb) {
  3133. i = s->cert->cert_cb(ssl, s->cert->cert_cb_arg);
  3134. if (i < 0) {
  3135. s->rwstate = SSL_X509_LOOKUP;
  3136. return WORK_MORE_A;
  3137. }
  3138. if (i == 0) {
  3139. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
  3140. return WORK_ERROR;
  3141. }
  3142. s->rwstate = SSL_NOTHING;
  3143. }
  3144. if (ssl3_check_client_certificate(s)) {
  3145. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  3146. return WORK_FINISHED_STOP;
  3147. }
  3148. return WORK_FINISHED_CONTINUE;
  3149. }
  3150. /* Fall through to WORK_MORE_B */
  3151. wst = WORK_MORE_B;
  3152. }
  3153. /* We need to get a client cert */
  3154. if (wst == WORK_MORE_B) {
  3155. /*
  3156. * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
  3157. * return(-1); We then get retied later
  3158. */
  3159. i = ssl_do_client_cert_cb(s, &x509, &pkey);
  3160. if (i < 0) {
  3161. s->rwstate = SSL_X509_LOOKUP;
  3162. return WORK_MORE_B;
  3163. }
  3164. s->rwstate = SSL_NOTHING;
  3165. if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
  3166. if (!SSL_use_certificate(ssl, x509)
  3167. || !SSL_use_PrivateKey(ssl, pkey))
  3168. i = 0;
  3169. } else if (i == 1) {
  3170. i = 0;
  3171. ERR_raise(ERR_LIB_SSL, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
  3172. }
  3173. X509_free(x509);
  3174. EVP_PKEY_free(pkey);
  3175. if (i && !ssl3_check_client_certificate(s))
  3176. i = 0;
  3177. if (i == 0) {
  3178. if (s->version == SSL3_VERSION) {
  3179. s->s3.tmp.cert_req = 0;
  3180. ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
  3181. return WORK_FINISHED_CONTINUE;
  3182. } else {
  3183. s->s3.tmp.cert_req = 2;
  3184. s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none;
  3185. if (!ssl3_digest_cached_records(s, 0)) {
  3186. /* SSLfatal() already called */
  3187. return WORK_ERROR;
  3188. }
  3189. }
  3190. }
  3191. if (!SSL_CONNECTION_IS_TLS13(s)
  3192. || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0)
  3193. s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none;
  3194. if (s->post_handshake_auth == SSL_PHA_REQUESTED)
  3195. return WORK_FINISHED_STOP;
  3196. return WORK_FINISHED_CONTINUE;
  3197. }
  3198. /* Shouldn't ever get here */
  3199. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3200. return WORK_ERROR;
  3201. }
  3202. CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s,
  3203. WPACKET *pkt)
  3204. {
  3205. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  3206. if (SSL_CONNECTION_IS_TLS13(s)) {
  3207. if (s->pha_context == NULL) {
  3208. /* no context available, add 0-length context */
  3209. if (!WPACKET_put_bytes_u8(pkt, 0)) {
  3210. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3211. return CON_FUNC_ERROR;
  3212. }
  3213. } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
  3214. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3215. return CON_FUNC_ERROR;
  3216. }
  3217. }
  3218. if (!ssl3_output_cert_chain(s, pkt,
  3219. (s->s3.tmp.cert_req == 2) ? NULL
  3220. : s->cert->key, 0)) {
  3221. /* SSLfatal() already called */
  3222. return CON_FUNC_ERROR;
  3223. }
  3224. if (SSL_CONNECTION_IS_TLS13(s)
  3225. && SSL_IS_FIRST_HANDSHAKE(s)
  3226. && (!ssl->method->ssl3_enc->change_cipher_state(s,
  3227. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
  3228. /*
  3229. * This is a fatal error, which leaves enc_write_ctx in an inconsistent
  3230. * state and thus ssl3_send_alert may crash.
  3231. */
  3232. SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER);
  3233. return CON_FUNC_ERROR;
  3234. }
  3235. return CON_FUNC_SUCCESS;
  3236. }
  3237. #ifndef OPENSSL_NO_COMP_ALG
  3238. CON_FUNC_RETURN tls_construct_client_compressed_certificate(SSL_CONNECTION *sc,
  3239. WPACKET *pkt)
  3240. {
  3241. SSL *ssl = SSL_CONNECTION_GET_SSL(sc);
  3242. WPACKET tmppkt;
  3243. BUF_MEM *buf = NULL;
  3244. size_t length;
  3245. size_t max_length;
  3246. COMP_METHOD *method;
  3247. COMP_CTX *comp = NULL;
  3248. int comp_len;
  3249. int ret = 0;
  3250. int alg = sc->ext.compress_certificate_from_peer[0];
  3251. /* Note that sc->s3.tmp.cert_req == 2 is checked in write transition */
  3252. if ((buf = BUF_MEM_new()) == NULL || !WPACKET_init(&tmppkt, buf))
  3253. goto err;
  3254. /* Use the |tmppkt| for the to-be-compressed data */
  3255. if (sc->pha_context == NULL) {
  3256. /* no context available, add 0-length context */
  3257. if (!WPACKET_put_bytes_u8(&tmppkt, 0))
  3258. goto err;
  3259. } else if (!WPACKET_sub_memcpy_u8(&tmppkt, sc->pha_context, sc->pha_context_len))
  3260. goto err;
  3261. if (!ssl3_output_cert_chain(sc, &tmppkt, sc->cert->key, 0)) {
  3262. /* SSLfatal() already called */
  3263. goto out;
  3264. }
  3265. /* continue with the real |pkt| */
  3266. if (!WPACKET_put_bytes_u16(pkt, alg)
  3267. || !WPACKET_get_total_written(&tmppkt, &length)
  3268. || !WPACKET_put_bytes_u24(pkt, length))
  3269. goto err;
  3270. switch (alg) {
  3271. case TLSEXT_comp_cert_zlib:
  3272. method = COMP_zlib_oneshot();
  3273. break;
  3274. case TLSEXT_comp_cert_brotli:
  3275. method = COMP_brotli_oneshot();
  3276. break;
  3277. case TLSEXT_comp_cert_zstd:
  3278. method = COMP_zstd_oneshot();
  3279. break;
  3280. default:
  3281. goto err;
  3282. }
  3283. max_length = ossl_calculate_comp_expansion(alg, length);
  3284. if ((comp = COMP_CTX_new(method)) == NULL
  3285. || !WPACKET_start_sub_packet_u24(pkt)
  3286. || !WPACKET_reserve_bytes(pkt, max_length, NULL))
  3287. goto err;
  3288. comp_len = COMP_compress_block(comp, WPACKET_get_curr(pkt), max_length,
  3289. (unsigned char *)buf->data, length);
  3290. if (comp_len <= 0)
  3291. goto err;
  3292. if (!WPACKET_allocate_bytes(pkt, comp_len, NULL)
  3293. || !WPACKET_close(pkt))
  3294. goto err;
  3295. if (SSL_IS_FIRST_HANDSHAKE(sc)
  3296. && (!ssl->method->ssl3_enc->change_cipher_state(sc,
  3297. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
  3298. /*
  3299. * This is a fatal error, which leaves sc->enc_write_ctx in an
  3300. * inconsistent state and thus ssl3_send_alert may crash.
  3301. */
  3302. SSLfatal(sc, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER);
  3303. goto out;
  3304. }
  3305. ret = 1;
  3306. goto out;
  3307. err:
  3308. SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3309. out:
  3310. if (buf != NULL) {
  3311. /* If |buf| is NULL, then |tmppkt| could not have been initialized */
  3312. WPACKET_cleanup(&tmppkt);
  3313. }
  3314. BUF_MEM_free(buf);
  3315. COMP_CTX_free(comp);
  3316. return ret;
  3317. }
  3318. #endif
  3319. int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s)
  3320. {
  3321. const SSL_CERT_LOOKUP *clu;
  3322. size_t idx;
  3323. long alg_k, alg_a;
  3324. alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  3325. alg_a = s->s3.tmp.new_cipher->algorithm_auth;
  3326. /* we don't have a certificate */
  3327. if (!(alg_a & SSL_aCERT))
  3328. return 1;
  3329. /* This is the passed certificate */
  3330. clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx);
  3331. /* Check certificate is recognised and suitable for cipher */
  3332. if (clu == NULL || (alg_a & clu->amask) == 0) {
  3333. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_SIGNING_CERT);
  3334. return 0;
  3335. }
  3336. if (clu->amask & SSL_aECDSA) {
  3337. if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s))
  3338. return 1;
  3339. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT);
  3340. return 0;
  3341. }
  3342. if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) {
  3343. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3344. SSL_R_MISSING_RSA_ENCRYPTING_CERT);
  3345. return 0;
  3346. }
  3347. if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) {
  3348. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3349. return 0;
  3350. }
  3351. return 1;
  3352. }
  3353. #ifndef OPENSSL_NO_NEXTPROTONEG
  3354. CON_FUNC_RETURN tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt)
  3355. {
  3356. size_t len, padding_len;
  3357. unsigned char *padding = NULL;
  3358. len = s->ext.npn_len;
  3359. padding_len = 32 - ((len + 2) % 32);
  3360. if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)
  3361. || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
  3362. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3363. return CON_FUNC_ERROR;
  3364. }
  3365. memset(padding, 0, padding_len);
  3366. return CON_FUNC_SUCCESS;
  3367. }
  3368. #endif
  3369. MSG_PROCESS_RETURN tls_process_hello_req(SSL_CONNECTION *s, PACKET *pkt)
  3370. {
  3371. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  3372. if (PACKET_remaining(pkt) > 0) {
  3373. /* should contain no data */
  3374. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3375. return MSG_PROCESS_ERROR;
  3376. }
  3377. if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
  3378. ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
  3379. return MSG_PROCESS_FINISHED_READING;
  3380. }
  3381. /*
  3382. * This is a historical discrepancy (not in the RFC) maintained for
  3383. * compatibility reasons. If a TLS client receives a HelloRequest it will
  3384. * attempt an abbreviated handshake. However if a DTLS client receives a
  3385. * HelloRequest it will do a full handshake. Either behaviour is reasonable
  3386. * but doing one for TLS and another for DTLS is odd.
  3387. */
  3388. if (SSL_CONNECTION_IS_DTLS(s))
  3389. SSL_renegotiate(ssl);
  3390. else
  3391. SSL_renegotiate_abbreviated(ssl);
  3392. return MSG_PROCESS_FINISHED_READING;
  3393. }
  3394. static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL_CONNECTION *s,
  3395. PACKET *pkt)
  3396. {
  3397. PACKET extensions;
  3398. RAW_EXTENSION *rawexts = NULL;
  3399. if (!PACKET_as_length_prefixed_2(pkt, &extensions)
  3400. || PACKET_remaining(pkt) != 0) {
  3401. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3402. goto err;
  3403. }
  3404. if (!tls_collect_extensions(s, &extensions,
  3405. SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts,
  3406. NULL, 1)
  3407. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  3408. rawexts, NULL, 0, 1)) {
  3409. /* SSLfatal() already called */
  3410. goto err;
  3411. }
  3412. OPENSSL_free(rawexts);
  3413. return MSG_PROCESS_CONTINUE_READING;
  3414. err:
  3415. OPENSSL_free(rawexts);
  3416. return MSG_PROCESS_ERROR;
  3417. }
  3418. int ssl_do_client_cert_cb(SSL_CONNECTION *s, X509 **px509, EVP_PKEY **ppkey)
  3419. {
  3420. int i = 0;
  3421. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  3422. #ifndef OPENSSL_NO_ENGINE
  3423. if (sctx->client_cert_engine) {
  3424. i = tls_engine_load_ssl_client_cert(s, px509, ppkey);
  3425. if (i != 0)
  3426. return i;
  3427. }
  3428. #endif
  3429. if (sctx->client_cert_cb)
  3430. i = sctx->client_cert_cb(SSL_CONNECTION_GET_SSL(s), px509, ppkey);
  3431. return i;
  3432. }
  3433. int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk,
  3434. WPACKET *pkt)
  3435. {
  3436. int i;
  3437. size_t totlen = 0, len, maxlen, maxverok = 0;
  3438. int empty_reneg_info_scsv = !s->renegotiate;
  3439. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  3440. /* Set disabled masks for this session */
  3441. if (!ssl_set_client_disabled(s)) {
  3442. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_PROTOCOLS_AVAILABLE);
  3443. return 0;
  3444. }
  3445. if (sk == NULL) {
  3446. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3447. return 0;
  3448. }
  3449. #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
  3450. # if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
  3451. # error Max cipher length too short
  3452. # endif
  3453. /*
  3454. * Some servers hang if client hello > 256 bytes as hack workaround
  3455. * chop number of supported ciphers to keep it well below this if we
  3456. * use TLS v1.2
  3457. */
  3458. if (TLS1_get_version(ssl) >= TLS1_2_VERSION)
  3459. maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
  3460. else
  3461. #endif
  3462. /* Maximum length that can be stored in 2 bytes. Length must be even */
  3463. maxlen = 0xfffe;
  3464. if (empty_reneg_info_scsv)
  3465. maxlen -= 2;
  3466. if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
  3467. maxlen -= 2;
  3468. for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) {
  3469. const SSL_CIPHER *c;
  3470. c = sk_SSL_CIPHER_value(sk, i);
  3471. /* Skip disabled ciphers */
  3472. if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
  3473. continue;
  3474. if (!ssl->method->put_cipher_by_char(c, pkt, &len)) {
  3475. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3476. return 0;
  3477. }
  3478. /* Sanity check that the maximum version we offer has ciphers enabled */
  3479. if (!maxverok) {
  3480. if (SSL_CONNECTION_IS_DTLS(s)) {
  3481. if (DTLS_VERSION_GE(c->max_dtls, s->s3.tmp.max_ver)
  3482. && DTLS_VERSION_LE(c->min_dtls, s->s3.tmp.max_ver))
  3483. maxverok = 1;
  3484. } else {
  3485. if (c->max_tls >= s->s3.tmp.max_ver
  3486. && c->min_tls <= s->s3.tmp.max_ver)
  3487. maxverok = 1;
  3488. }
  3489. }
  3490. totlen += len;
  3491. }
  3492. if (totlen == 0 || !maxverok) {
  3493. const char *maxvertext =
  3494. !maxverok
  3495. ? "No ciphers enabled for max supported SSL/TLS version"
  3496. : NULL;
  3497. SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_CIPHERS_AVAILABLE,
  3498. maxvertext);
  3499. return 0;
  3500. }
  3501. if (totlen != 0) {
  3502. if (empty_reneg_info_scsv) {
  3503. static SSL_CIPHER scsv = {
  3504. 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
  3505. };
  3506. if (!ssl->method->put_cipher_by_char(&scsv, pkt, &len)) {
  3507. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3508. return 0;
  3509. }
  3510. }
  3511. if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
  3512. static SSL_CIPHER scsv = {
  3513. 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
  3514. };
  3515. if (!ssl->method->put_cipher_by_char(&scsv, pkt, &len)) {
  3516. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3517. return 0;
  3518. }
  3519. }
  3520. }
  3521. return 1;
  3522. }
  3523. CON_FUNC_RETURN tls_construct_end_of_early_data(SSL_CONNECTION *s, WPACKET *pkt)
  3524. {
  3525. if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
  3526. && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) {
  3527. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  3528. return CON_FUNC_ERROR;
  3529. }
  3530. s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;
  3531. return CON_FUNC_SUCCESS;
  3532. }