statem_srvr.c 145 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421
  1. /*
  2. * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. * Copyright 2005 Nokia. All rights reserved.
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #include <stdio.h>
  12. #include "../ssl_local.h"
  13. #include "statem_local.h"
  14. #include "internal/constant_time.h"
  15. #include "internal/cryptlib.h"
  16. #include <openssl/buffer.h>
  17. #include <openssl/rand.h>
  18. #include <openssl/objects.h>
  19. #include <openssl/evp.h>
  20. #include <openssl/x509.h>
  21. #include <openssl/dh.h>
  22. #include <openssl/rsa.h>
  23. #include <openssl/bn.h>
  24. #include <openssl/md5.h>
  25. #include <openssl/trace.h>
  26. #include <openssl/core_names.h>
  27. #include <openssl/asn1t.h>
  28. #include <openssl/comp.h>
  29. #define TICKET_NONCE_SIZE 8
  30. typedef struct {
  31. ASN1_TYPE *kxBlob;
  32. ASN1_TYPE *opaqueBlob;
  33. } GOST_KX_MESSAGE;
  34. DECLARE_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
  35. ASN1_SEQUENCE(GOST_KX_MESSAGE) = {
  36. ASN1_SIMPLE(GOST_KX_MESSAGE, kxBlob, ASN1_ANY),
  37. ASN1_OPT(GOST_KX_MESSAGE, opaqueBlob, ASN1_ANY),
  38. } ASN1_SEQUENCE_END(GOST_KX_MESSAGE)
  39. IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE)
  40. static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s,
  41. WPACKET *pkt);
  42. static ossl_inline int received_client_cert(const SSL_CONNECTION *sc)
  43. {
  44. return sc->session->peer_rpk != NULL || sc->session->peer != NULL;
  45. }
  46. /*
  47. * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
  48. * handshake state transitions when a TLSv1.3 server is reading messages from
  49. * the client. The message type that the client has sent is provided in |mt|.
  50. * The current state is in |s->statem.hand_state|.
  51. *
  52. * Return values are 1 for success (transition allowed) and 0 on error
  53. * (transition not allowed)
  54. */
  55. static int ossl_statem_server13_read_transition(SSL_CONNECTION *s, int mt)
  56. {
  57. OSSL_STATEM *st = &s->statem;
  58. /*
  59. * Note: There is no case for TLS_ST_BEFORE because at that stage we have
  60. * not negotiated TLSv1.3 yet, so that case is handled by
  61. * ossl_statem_server_read_transition()
  62. */
  63. switch (st->hand_state) {
  64. default:
  65. break;
  66. case TLS_ST_EARLY_DATA:
  67. if (s->hello_retry_request == SSL_HRR_PENDING) {
  68. if (mt == SSL3_MT_CLIENT_HELLO) {
  69. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  70. return 1;
  71. }
  72. break;
  73. } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
  74. if (mt == SSL3_MT_END_OF_EARLY_DATA) {
  75. st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
  76. return 1;
  77. }
  78. break;
  79. }
  80. /* Fall through */
  81. case TLS_ST_SR_END_OF_EARLY_DATA:
  82. case TLS_ST_SW_FINISHED:
  83. if (s->s3.tmp.cert_request) {
  84. if (mt == SSL3_MT_CERTIFICATE) {
  85. st->hand_state = TLS_ST_SR_CERT;
  86. return 1;
  87. }
  88. #ifndef OPENSSL_NO_COMP_ALG
  89. if (mt == SSL3_MT_COMPRESSED_CERTIFICATE
  90. && s->ext.compress_certificate_sent) {
  91. st->hand_state = TLS_ST_SR_COMP_CERT;
  92. return 1;
  93. }
  94. #endif
  95. } else {
  96. if (mt == SSL3_MT_FINISHED) {
  97. st->hand_state = TLS_ST_SR_FINISHED;
  98. return 1;
  99. }
  100. }
  101. break;
  102. case TLS_ST_SR_COMP_CERT:
  103. case TLS_ST_SR_CERT:
  104. if (!received_client_cert(s)) {
  105. if (mt == SSL3_MT_FINISHED) {
  106. st->hand_state = TLS_ST_SR_FINISHED;
  107. return 1;
  108. }
  109. } else {
  110. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  111. st->hand_state = TLS_ST_SR_CERT_VRFY;
  112. return 1;
  113. }
  114. }
  115. break;
  116. case TLS_ST_SR_CERT_VRFY:
  117. if (mt == SSL3_MT_FINISHED) {
  118. st->hand_state = TLS_ST_SR_FINISHED;
  119. return 1;
  120. }
  121. break;
  122. case TLS_ST_OK:
  123. /*
  124. * Its never ok to start processing handshake messages in the middle of
  125. * early data (i.e. before we've received the end of early data alert)
  126. */
  127. if (s->early_data_state == SSL_EARLY_DATA_READING)
  128. break;
  129. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  130. if (mt == SSL3_MT_CERTIFICATE) {
  131. st->hand_state = TLS_ST_SR_CERT;
  132. return 1;
  133. }
  134. #ifndef OPENSSL_NO_COMP_ALG
  135. if (mt == SSL3_MT_COMPRESSED_CERTIFICATE
  136. && s->ext.compress_certificate_sent) {
  137. st->hand_state = TLS_ST_SR_COMP_CERT;
  138. return 1;
  139. }
  140. #endif
  141. }
  142. if (mt == SSL3_MT_KEY_UPDATE && !SSL_IS_QUIC_HANDSHAKE(s)) {
  143. st->hand_state = TLS_ST_SR_KEY_UPDATE;
  144. return 1;
  145. }
  146. break;
  147. }
  148. /* No valid transition found */
  149. return 0;
  150. }
  151. /*
  152. * ossl_statem_server_read_transition() encapsulates the logic for the allowed
  153. * handshake state transitions when the server is reading messages from the
  154. * client. The message type that the client has sent is provided in |mt|. The
  155. * current state is in |s->statem.hand_state|.
  156. *
  157. * Return values are 1 for success (transition allowed) and 0 on error
  158. * (transition not allowed)
  159. */
  160. int ossl_statem_server_read_transition(SSL_CONNECTION *s, int mt)
  161. {
  162. OSSL_STATEM *st = &s->statem;
  163. if (SSL_CONNECTION_IS_TLS13(s)) {
  164. if (!ossl_statem_server13_read_transition(s, mt))
  165. goto err;
  166. return 1;
  167. }
  168. switch (st->hand_state) {
  169. default:
  170. break;
  171. case TLS_ST_BEFORE:
  172. case TLS_ST_OK:
  173. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  174. if (mt == SSL3_MT_CLIENT_HELLO) {
  175. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  176. return 1;
  177. }
  178. break;
  179. case TLS_ST_SW_SRVR_DONE:
  180. /*
  181. * If we get a CKE message after a ServerDone then either
  182. * 1) We didn't request a Certificate
  183. * OR
  184. * 2) If we did request one then
  185. * a) We allow no Certificate to be returned
  186. * AND
  187. * b) We are running SSL3 (in TLS1.0+ the client must return a 0
  188. * list if we requested a certificate)
  189. */
  190. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  191. if (s->s3.tmp.cert_request) {
  192. if (s->version == SSL3_VERSION) {
  193. if ((s->verify_mode & SSL_VERIFY_PEER)
  194. && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  195. /*
  196. * This isn't an unexpected message as such - we're just
  197. * not going to accept it because we require a client
  198. * cert.
  199. */
  200. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  201. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  202. return 0;
  203. }
  204. st->hand_state = TLS_ST_SR_KEY_EXCH;
  205. return 1;
  206. }
  207. } else {
  208. st->hand_state = TLS_ST_SR_KEY_EXCH;
  209. return 1;
  210. }
  211. } else if (s->s3.tmp.cert_request) {
  212. if (mt == SSL3_MT_CERTIFICATE) {
  213. st->hand_state = TLS_ST_SR_CERT;
  214. return 1;
  215. }
  216. }
  217. break;
  218. case TLS_ST_SR_CERT:
  219. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  220. st->hand_state = TLS_ST_SR_KEY_EXCH;
  221. return 1;
  222. }
  223. break;
  224. case TLS_ST_SR_KEY_EXCH:
  225. /*
  226. * We should only process a CertificateVerify message if we have
  227. * received a Certificate from the client. If so then |s->session->peer|
  228. * will be non NULL. In some instances a CertificateVerify message is
  229. * not required even if the peer has sent a Certificate (e.g. such as in
  230. * the case of static DH). In that case |st->no_cert_verify| should be
  231. * set.
  232. */
  233. if (!received_client_cert(s) || st->no_cert_verify) {
  234. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  235. /*
  236. * For the ECDH ciphersuites when the client sends its ECDH
  237. * pub key in a certificate, the CertificateVerify message is
  238. * not sent. Also for GOST ciphersuites when the client uses
  239. * its key from the certificate for key exchange.
  240. */
  241. st->hand_state = TLS_ST_SR_CHANGE;
  242. return 1;
  243. }
  244. } else {
  245. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  246. st->hand_state = TLS_ST_SR_CERT_VRFY;
  247. return 1;
  248. }
  249. }
  250. break;
  251. case TLS_ST_SR_CERT_VRFY:
  252. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  253. st->hand_state = TLS_ST_SR_CHANGE;
  254. return 1;
  255. }
  256. break;
  257. case TLS_ST_SR_CHANGE:
  258. #ifndef OPENSSL_NO_NEXTPROTONEG
  259. if (s->s3.npn_seen) {
  260. if (mt == SSL3_MT_NEXT_PROTO) {
  261. st->hand_state = TLS_ST_SR_NEXT_PROTO;
  262. return 1;
  263. }
  264. } else {
  265. #endif
  266. if (mt == SSL3_MT_FINISHED) {
  267. st->hand_state = TLS_ST_SR_FINISHED;
  268. return 1;
  269. }
  270. #ifndef OPENSSL_NO_NEXTPROTONEG
  271. }
  272. #endif
  273. break;
  274. #ifndef OPENSSL_NO_NEXTPROTONEG
  275. case TLS_ST_SR_NEXT_PROTO:
  276. if (mt == SSL3_MT_FINISHED) {
  277. st->hand_state = TLS_ST_SR_FINISHED;
  278. return 1;
  279. }
  280. break;
  281. #endif
  282. case TLS_ST_SW_FINISHED:
  283. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  284. st->hand_state = TLS_ST_SR_CHANGE;
  285. return 1;
  286. }
  287. break;
  288. }
  289. err:
  290. /* No valid transition found */
  291. if (SSL_CONNECTION_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  292. BIO *rbio;
  293. /*
  294. * CCS messages don't have a message sequence number so this is probably
  295. * because of an out-of-order CCS. We'll just drop it.
  296. */
  297. s->init_num = 0;
  298. s->rwstate = SSL_READING;
  299. rbio = SSL_get_rbio(SSL_CONNECTION_GET_SSL(s));
  300. BIO_clear_retry_flags(rbio);
  301. BIO_set_retry_read(rbio);
  302. return 0;
  303. }
  304. SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
  305. return 0;
  306. }
  307. /*
  308. * Should we send a ServerKeyExchange message?
  309. *
  310. * Valid return values are:
  311. * 1: Yes
  312. * 0: No
  313. */
  314. static int send_server_key_exchange(SSL_CONNECTION *s)
  315. {
  316. unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  317. /*
  318. * only send a ServerKeyExchange if DH or fortezza but we have a
  319. * sign only certificate PSK: may send PSK identity hints For
  320. * ECC ciphersuites, we send a serverKeyExchange message only if
  321. * the cipher suite is either ECDH-anon or ECDHE. In other cases,
  322. * the server certificate contains the server's public key for
  323. * key exchange.
  324. */
  325. if (alg_k & (SSL_kDHE | SSL_kECDHE)
  326. /*
  327. * PSK: send ServerKeyExchange if PSK identity hint if
  328. * provided
  329. */
  330. #ifndef OPENSSL_NO_PSK
  331. /* Only send SKE if we have identity hint for plain PSK */
  332. || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
  333. && s->cert->psk_identity_hint)
  334. /* For other PSK always send SKE */
  335. || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
  336. #endif
  337. #ifndef OPENSSL_NO_SRP
  338. /* SRP: send ServerKeyExchange */
  339. || (alg_k & SSL_kSRP)
  340. #endif
  341. ) {
  342. return 1;
  343. }
  344. return 0;
  345. }
  346. /*
  347. * Used to determine if we should send a CompressedCertificate message
  348. *
  349. * Returns the algorithm to use, TLSEXT_comp_cert_none means no compression
  350. */
  351. static int get_compressed_certificate_alg(SSL_CONNECTION *sc)
  352. {
  353. #ifndef OPENSSL_NO_COMP_ALG
  354. int *alg = sc->ext.compress_certificate_from_peer;
  355. if (sc->s3.tmp.cert == NULL)
  356. return TLSEXT_comp_cert_none;
  357. for (; *alg != TLSEXT_comp_cert_none; alg++) {
  358. if (sc->s3.tmp.cert->comp_cert[*alg] != NULL)
  359. return *alg;
  360. }
  361. #endif
  362. return TLSEXT_comp_cert_none;
  363. }
  364. /*
  365. * Should we send a CertificateRequest message?
  366. *
  367. * Valid return values are:
  368. * 1: Yes
  369. * 0: No
  370. */
  371. int send_certificate_request(SSL_CONNECTION *s)
  372. {
  373. if (
  374. /* don't request cert unless asked for it: */
  375. s->verify_mode & SSL_VERIFY_PEER
  376. /*
  377. * don't request if post-handshake-only unless doing
  378. * post-handshake in TLSv1.3:
  379. */
  380. && (!SSL_CONNECTION_IS_TLS13(s)
  381. || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE)
  382. || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING)
  383. /*
  384. * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
  385. * a second time:
  386. */
  387. && (s->certreqs_sent < 1 ||
  388. !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
  389. /*
  390. * never request cert in anonymous ciphersuites (see
  391. * section "Certificate request" in SSL 3 drafts and in
  392. * RFC 2246):
  393. */
  394. && (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL)
  395. /*
  396. * ... except when the application insists on
  397. * verification (against the specs, but statem_clnt.c accepts
  398. * this for SSL 3)
  399. */
  400. || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
  401. /* don't request certificate for SRP auth */
  402. && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aSRP)
  403. /*
  404. * With normal PSK Certificates and Certificate Requests
  405. * are omitted
  406. */
  407. && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
  408. return 1;
  409. }
  410. return 0;
  411. }
  412. static int do_compressed_cert(SSL_CONNECTION *sc)
  413. {
  414. /* If we negotiated RPK, we won't attempt to compress it */
  415. return sc->ext.server_cert_type == TLSEXT_cert_type_x509
  416. && get_compressed_certificate_alg(sc) != TLSEXT_comp_cert_none;
  417. }
  418. /*
  419. * ossl_statem_server13_write_transition() works out what handshake state to
  420. * move to next when a TLSv1.3 server is writing messages to be sent to the
  421. * client.
  422. */
  423. static WRITE_TRAN ossl_statem_server13_write_transition(SSL_CONNECTION *s)
  424. {
  425. OSSL_STATEM *st = &s->statem;
  426. /*
  427. * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
  428. * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
  429. */
  430. switch (st->hand_state) {
  431. default:
  432. /* Shouldn't happen */
  433. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  434. return WRITE_TRAN_ERROR;
  435. case TLS_ST_OK:
  436. if (s->key_update != SSL_KEY_UPDATE_NONE) {
  437. st->hand_state = TLS_ST_SW_KEY_UPDATE;
  438. return WRITE_TRAN_CONTINUE;
  439. }
  440. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  441. st->hand_state = TLS_ST_SW_CERT_REQ;
  442. return WRITE_TRAN_CONTINUE;
  443. }
  444. if (s->ext.extra_tickets_expected > 0) {
  445. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  446. return WRITE_TRAN_CONTINUE;
  447. }
  448. /* Try to read from the client instead */
  449. return WRITE_TRAN_FINISHED;
  450. case TLS_ST_SR_CLNT_HELLO:
  451. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  452. return WRITE_TRAN_CONTINUE;
  453. case TLS_ST_SW_SRVR_HELLO:
  454. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  455. && s->hello_retry_request != SSL_HRR_COMPLETE)
  456. st->hand_state = TLS_ST_SW_CHANGE;
  457. else if (s->hello_retry_request == SSL_HRR_PENDING)
  458. st->hand_state = TLS_ST_EARLY_DATA;
  459. else
  460. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  461. return WRITE_TRAN_CONTINUE;
  462. case TLS_ST_SW_CHANGE:
  463. if (s->hello_retry_request == SSL_HRR_PENDING)
  464. st->hand_state = TLS_ST_EARLY_DATA;
  465. else
  466. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  467. return WRITE_TRAN_CONTINUE;
  468. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  469. if (s->hit)
  470. st->hand_state = TLS_ST_SW_FINISHED;
  471. else if (send_certificate_request(s))
  472. st->hand_state = TLS_ST_SW_CERT_REQ;
  473. else if (do_compressed_cert(s))
  474. st->hand_state = TLS_ST_SW_COMP_CERT;
  475. else
  476. st->hand_state = TLS_ST_SW_CERT;
  477. return WRITE_TRAN_CONTINUE;
  478. case TLS_ST_SW_CERT_REQ:
  479. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  480. s->post_handshake_auth = SSL_PHA_REQUESTED;
  481. st->hand_state = TLS_ST_OK;
  482. } else if (do_compressed_cert(s)) {
  483. st->hand_state = TLS_ST_SW_COMP_CERT;
  484. } else {
  485. st->hand_state = TLS_ST_SW_CERT;
  486. }
  487. return WRITE_TRAN_CONTINUE;
  488. case TLS_ST_SW_COMP_CERT:
  489. case TLS_ST_SW_CERT:
  490. st->hand_state = TLS_ST_SW_CERT_VRFY;
  491. return WRITE_TRAN_CONTINUE;
  492. case TLS_ST_SW_CERT_VRFY:
  493. st->hand_state = TLS_ST_SW_FINISHED;
  494. return WRITE_TRAN_CONTINUE;
  495. case TLS_ST_SW_FINISHED:
  496. st->hand_state = TLS_ST_EARLY_DATA;
  497. s->ts_msg_write = ossl_time_now();
  498. return WRITE_TRAN_CONTINUE;
  499. case TLS_ST_EARLY_DATA:
  500. return WRITE_TRAN_FINISHED;
  501. case TLS_ST_SR_FINISHED:
  502. s->ts_msg_read = ossl_time_now();
  503. /*
  504. * Technically we have finished the handshake at this point, but we're
  505. * going to remain "in_init" for now and write out any session tickets
  506. * immediately.
  507. */
  508. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  509. s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
  510. } else if (!s->ext.ticket_expected) {
  511. /*
  512. * If we're not going to renew the ticket then we just finish the
  513. * handshake at this point.
  514. */
  515. st->hand_state = TLS_ST_OK;
  516. return WRITE_TRAN_CONTINUE;
  517. }
  518. if (s->num_tickets > s->sent_tickets)
  519. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  520. else
  521. st->hand_state = TLS_ST_OK;
  522. return WRITE_TRAN_CONTINUE;
  523. case TLS_ST_SR_KEY_UPDATE:
  524. case TLS_ST_SW_KEY_UPDATE:
  525. st->hand_state = TLS_ST_OK;
  526. return WRITE_TRAN_CONTINUE;
  527. case TLS_ST_SW_SESSION_TICKET:
  528. /* In a resumption we only ever send a maximum of one new ticket.
  529. * Following an initial handshake we send the number of tickets we have
  530. * been configured for.
  531. */
  532. if (!SSL_IS_FIRST_HANDSHAKE(s) && s->ext.extra_tickets_expected > 0) {
  533. return WRITE_TRAN_CONTINUE;
  534. } else if (s->hit || s->num_tickets <= s->sent_tickets) {
  535. /* We've written enough tickets out. */
  536. st->hand_state = TLS_ST_OK;
  537. }
  538. return WRITE_TRAN_CONTINUE;
  539. }
  540. }
  541. /*
  542. * ossl_statem_server_write_transition() works out what handshake state to move
  543. * to next when the server is writing messages to be sent to the client.
  544. */
  545. WRITE_TRAN ossl_statem_server_write_transition(SSL_CONNECTION *s)
  546. {
  547. OSSL_STATEM *st = &s->statem;
  548. /*
  549. * Note that before the ClientHello we don't know what version we are going
  550. * to negotiate yet, so we don't take this branch until later
  551. */
  552. if (SSL_CONNECTION_IS_TLS13(s))
  553. return ossl_statem_server13_write_transition(s);
  554. switch (st->hand_state) {
  555. default:
  556. /* Shouldn't happen */
  557. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  558. return WRITE_TRAN_ERROR;
  559. case TLS_ST_OK:
  560. if (st->request_state == TLS_ST_SW_HELLO_REQ) {
  561. /* We must be trying to renegotiate */
  562. st->hand_state = TLS_ST_SW_HELLO_REQ;
  563. st->request_state = TLS_ST_BEFORE;
  564. return WRITE_TRAN_CONTINUE;
  565. }
  566. /* Must be an incoming ClientHello */
  567. if (!tls_setup_handshake(s)) {
  568. /* SSLfatal() already called */
  569. return WRITE_TRAN_ERROR;
  570. }
  571. /* Fall through */
  572. case TLS_ST_BEFORE:
  573. /* Just go straight to trying to read from the client */
  574. return WRITE_TRAN_FINISHED;
  575. case TLS_ST_SW_HELLO_REQ:
  576. st->hand_state = TLS_ST_OK;
  577. return WRITE_TRAN_CONTINUE;
  578. case TLS_ST_SR_CLNT_HELLO:
  579. if (SSL_CONNECTION_IS_DTLS(s) && !s->d1->cookie_verified
  580. && (SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_COOKIE_EXCHANGE)) {
  581. st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
  582. } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  583. /* We must have rejected the renegotiation */
  584. st->hand_state = TLS_ST_OK;
  585. return WRITE_TRAN_CONTINUE;
  586. } else {
  587. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  588. }
  589. return WRITE_TRAN_CONTINUE;
  590. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  591. return WRITE_TRAN_FINISHED;
  592. case TLS_ST_SW_SRVR_HELLO:
  593. if (s->hit) {
  594. if (s->ext.ticket_expected)
  595. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  596. else
  597. st->hand_state = TLS_ST_SW_CHANGE;
  598. } else {
  599. /* Check if it is anon DH or anon ECDH, */
  600. /* normal PSK or SRP */
  601. if (!(s->s3.tmp.new_cipher->algorithm_auth &
  602. (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
  603. st->hand_state = TLS_ST_SW_CERT;
  604. } else if (send_server_key_exchange(s)) {
  605. st->hand_state = TLS_ST_SW_KEY_EXCH;
  606. } else if (send_certificate_request(s)) {
  607. st->hand_state = TLS_ST_SW_CERT_REQ;
  608. } else {
  609. st->hand_state = TLS_ST_SW_SRVR_DONE;
  610. }
  611. }
  612. return WRITE_TRAN_CONTINUE;
  613. case TLS_ST_SW_CERT:
  614. if (s->ext.status_expected) {
  615. st->hand_state = TLS_ST_SW_CERT_STATUS;
  616. return WRITE_TRAN_CONTINUE;
  617. }
  618. /* Fall through */
  619. case TLS_ST_SW_CERT_STATUS:
  620. if (send_server_key_exchange(s)) {
  621. st->hand_state = TLS_ST_SW_KEY_EXCH;
  622. return WRITE_TRAN_CONTINUE;
  623. }
  624. /* Fall through */
  625. case TLS_ST_SW_KEY_EXCH:
  626. if (send_certificate_request(s)) {
  627. st->hand_state = TLS_ST_SW_CERT_REQ;
  628. return WRITE_TRAN_CONTINUE;
  629. }
  630. /* Fall through */
  631. case TLS_ST_SW_CERT_REQ:
  632. st->hand_state = TLS_ST_SW_SRVR_DONE;
  633. return WRITE_TRAN_CONTINUE;
  634. case TLS_ST_SW_SRVR_DONE:
  635. s->ts_msg_write = ossl_time_now();
  636. return WRITE_TRAN_FINISHED;
  637. case TLS_ST_SR_FINISHED:
  638. s->ts_msg_read = ossl_time_now();
  639. if (s->hit) {
  640. st->hand_state = TLS_ST_OK;
  641. return WRITE_TRAN_CONTINUE;
  642. } else if (s->ext.ticket_expected) {
  643. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  644. } else {
  645. st->hand_state = TLS_ST_SW_CHANGE;
  646. }
  647. return WRITE_TRAN_CONTINUE;
  648. case TLS_ST_SW_SESSION_TICKET:
  649. st->hand_state = TLS_ST_SW_CHANGE;
  650. return WRITE_TRAN_CONTINUE;
  651. case TLS_ST_SW_CHANGE:
  652. st->hand_state = TLS_ST_SW_FINISHED;
  653. return WRITE_TRAN_CONTINUE;
  654. case TLS_ST_SW_FINISHED:
  655. if (s->hit) {
  656. return WRITE_TRAN_FINISHED;
  657. }
  658. st->hand_state = TLS_ST_OK;
  659. return WRITE_TRAN_CONTINUE;
  660. }
  661. }
  662. /*
  663. * Perform any pre work that needs to be done prior to sending a message from
  664. * the server to the client.
  665. */
  666. WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst)
  667. {
  668. OSSL_STATEM *st = &s->statem;
  669. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  670. switch (st->hand_state) {
  671. default:
  672. /* No pre work to be done */
  673. break;
  674. case TLS_ST_SW_HELLO_REQ:
  675. s->shutdown = 0;
  676. if (SSL_CONNECTION_IS_DTLS(s))
  677. dtls1_clear_sent_buffer(s);
  678. break;
  679. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  680. s->shutdown = 0;
  681. if (SSL_CONNECTION_IS_DTLS(s)) {
  682. dtls1_clear_sent_buffer(s);
  683. /* We don't buffer this message so don't use the timer */
  684. st->use_timer = 0;
  685. }
  686. break;
  687. case TLS_ST_SW_SRVR_HELLO:
  688. if (SSL_CONNECTION_IS_DTLS(s)) {
  689. /*
  690. * Messages we write from now on should be buffered and
  691. * retransmitted if necessary, so we need to use the timer now
  692. */
  693. st->use_timer = 1;
  694. }
  695. break;
  696. case TLS_ST_SW_SRVR_DONE:
  697. #ifndef OPENSSL_NO_SCTP
  698. if (SSL_CONNECTION_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(ssl))) {
  699. /* Calls SSLfatal() as required */
  700. return dtls_wait_for_dry(s);
  701. }
  702. #endif
  703. return WORK_FINISHED_CONTINUE;
  704. case TLS_ST_SW_SESSION_TICKET:
  705. if (SSL_CONNECTION_IS_TLS13(s) && s->sent_tickets == 0
  706. && s->ext.extra_tickets_expected == 0) {
  707. /*
  708. * Actually this is the end of the handshake, but we're going
  709. * straight into writing the session ticket out. So we finish off
  710. * the handshake, but keep the various buffers active.
  711. *
  712. * Calls SSLfatal as required.
  713. */
  714. return tls_finish_handshake(s, wst, 0, 0);
  715. }
  716. if (SSL_CONNECTION_IS_DTLS(s)) {
  717. /*
  718. * We're into the last flight. We don't retransmit the last flight
  719. * unless we need to, so we don't use the timer
  720. */
  721. st->use_timer = 0;
  722. }
  723. break;
  724. case TLS_ST_SW_CHANGE:
  725. if (SSL_CONNECTION_IS_TLS13(s))
  726. break;
  727. /* Writes to s->session are only safe for initial handshakes */
  728. if (s->session->cipher == NULL) {
  729. s->session->cipher = s->s3.tmp.new_cipher;
  730. } else if (s->session->cipher != s->s3.tmp.new_cipher) {
  731. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  732. return WORK_ERROR;
  733. }
  734. if (!ssl->method->ssl3_enc->setup_key_block(s)) {
  735. /* SSLfatal() already called */
  736. return WORK_ERROR;
  737. }
  738. if (SSL_CONNECTION_IS_DTLS(s)) {
  739. /*
  740. * We're into the last flight. We don't retransmit the last flight
  741. * unless we need to, so we don't use the timer. This might have
  742. * already been set to 0 if we sent a NewSessionTicket message,
  743. * but we'll set it again here in case we didn't.
  744. */
  745. st->use_timer = 0;
  746. }
  747. return WORK_FINISHED_CONTINUE;
  748. case TLS_ST_EARLY_DATA:
  749. if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
  750. && (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
  751. return WORK_FINISHED_CONTINUE;
  752. /* Fall through */
  753. case TLS_ST_OK:
  754. /* Calls SSLfatal() as required */
  755. return tls_finish_handshake(s, wst, 1, 1);
  756. }
  757. return WORK_FINISHED_CONTINUE;
  758. }
  759. static ossl_inline int conn_is_closed(void)
  760. {
  761. switch (get_last_sys_error()) {
  762. #if defined(EPIPE)
  763. case EPIPE:
  764. return 1;
  765. #endif
  766. #if defined(ECONNRESET)
  767. case ECONNRESET:
  768. return 1;
  769. #endif
  770. #if defined(WSAECONNRESET)
  771. case WSAECONNRESET:
  772. return 1;
  773. #endif
  774. default:
  775. return 0;
  776. }
  777. }
  778. /*
  779. * Perform any work that needs to be done after sending a message from the
  780. * server to the client.
  781. */
  782. WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst)
  783. {
  784. OSSL_STATEM *st = &s->statem;
  785. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  786. s->init_num = 0;
  787. switch (st->hand_state) {
  788. default:
  789. /* No post work to be done */
  790. break;
  791. case TLS_ST_SW_HELLO_REQ:
  792. if (statem_flush(s) != 1)
  793. return WORK_MORE_A;
  794. if (!ssl3_init_finished_mac(s)) {
  795. /* SSLfatal() already called */
  796. return WORK_ERROR;
  797. }
  798. break;
  799. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  800. if (statem_flush(s) != 1)
  801. return WORK_MORE_A;
  802. /* HelloVerifyRequest resets Finished MAC */
  803. if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
  804. /* SSLfatal() already called */
  805. return WORK_ERROR;
  806. }
  807. /*
  808. * The next message should be another ClientHello which we need to
  809. * treat like it was the first packet
  810. */
  811. s->first_packet = 1;
  812. break;
  813. case TLS_ST_SW_SRVR_HELLO:
  814. if (SSL_CONNECTION_IS_TLS13(s)
  815. && s->hello_retry_request == SSL_HRR_PENDING) {
  816. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
  817. && statem_flush(s) != 1)
  818. return WORK_MORE_A;
  819. break;
  820. }
  821. #ifndef OPENSSL_NO_SCTP
  822. if (SSL_CONNECTION_IS_DTLS(s) && s->hit) {
  823. unsigned char sctpauthkey[64];
  824. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  825. size_t labellen;
  826. /*
  827. * Add new shared key for SCTP-Auth, will be ignored if no
  828. * SCTP used.
  829. */
  830. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  831. sizeof(DTLS1_SCTP_AUTH_LABEL));
  832. /* Don't include the terminating zero. */
  833. labellen = sizeof(labelbuffer) - 1;
  834. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  835. labellen += 1;
  836. if (SSL_export_keying_material(ssl, sctpauthkey,
  837. sizeof(sctpauthkey), labelbuffer,
  838. labellen, NULL, 0,
  839. 0) <= 0) {
  840. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  841. return WORK_ERROR;
  842. }
  843. BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  844. sizeof(sctpauthkey), sctpauthkey);
  845. }
  846. #endif
  847. if (!SSL_CONNECTION_IS_TLS13(s)
  848. || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  849. && s->hello_retry_request != SSL_HRR_COMPLETE))
  850. break;
  851. /* Fall through */
  852. case TLS_ST_SW_CHANGE:
  853. if (s->hello_retry_request == SSL_HRR_PENDING) {
  854. if (!statem_flush(s))
  855. return WORK_MORE_A;
  856. break;
  857. }
  858. if (SSL_CONNECTION_IS_TLS13(s)) {
  859. if (!ssl->method->ssl3_enc->setup_key_block(s)
  860. || !ssl->method->ssl3_enc->change_cipher_state(s,
  861. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
  862. /* SSLfatal() already called */
  863. return WORK_ERROR;
  864. }
  865. if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED
  866. && !ssl->method->ssl3_enc->change_cipher_state(s,
  867. SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) {
  868. /* SSLfatal() already called */
  869. return WORK_ERROR;
  870. }
  871. /*
  872. * We don't yet know whether the next record we are going to receive
  873. * is an unencrypted alert, an encrypted alert, or an encrypted
  874. * handshake message. We temporarily tolerate unencrypted alerts.
  875. */
  876. if (s->rlayer.rrlmethod->set_plain_alerts != NULL)
  877. s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 1);
  878. break;
  879. }
  880. #ifndef OPENSSL_NO_SCTP
  881. if (SSL_CONNECTION_IS_DTLS(s) && !s->hit) {
  882. /*
  883. * Change to new shared key of SCTP-Auth, will be ignored if
  884. * no SCTP used.
  885. */
  886. BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  887. 0, NULL);
  888. }
  889. #endif
  890. if (!ssl->method->ssl3_enc->change_cipher_state(s,
  891. SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
  892. /* SSLfatal() already called */
  893. return WORK_ERROR;
  894. }
  895. if (SSL_CONNECTION_IS_DTLS(s))
  896. dtls1_increment_epoch(s, SSL3_CC_WRITE);
  897. break;
  898. case TLS_ST_SW_SRVR_DONE:
  899. if (statem_flush(s) != 1)
  900. return WORK_MORE_A;
  901. break;
  902. case TLS_ST_SW_FINISHED:
  903. if (statem_flush(s) != 1)
  904. return WORK_MORE_A;
  905. #ifndef OPENSSL_NO_SCTP
  906. if (SSL_CONNECTION_IS_DTLS(s) && s->hit) {
  907. /*
  908. * Change to new shared key of SCTP-Auth, will be ignored if
  909. * no SCTP used.
  910. */
  911. BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  912. 0, NULL);
  913. }
  914. #endif
  915. if (SSL_CONNECTION_IS_TLS13(s)) {
  916. /* TLS 1.3 gets the secret size from the handshake md */
  917. size_t dummy;
  918. if (!ssl->method->ssl3_enc->generate_master_secret(s,
  919. s->master_secret, s->handshake_secret, 0,
  920. &dummy)
  921. || !ssl->method->ssl3_enc->change_cipher_state(s,
  922. SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
  923. /* SSLfatal() already called */
  924. return WORK_ERROR;
  925. }
  926. break;
  927. case TLS_ST_SW_CERT_REQ:
  928. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  929. if (statem_flush(s) != 1)
  930. return WORK_MORE_A;
  931. } else {
  932. if (!SSL_CONNECTION_IS_TLS13(s)
  933. || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0)
  934. s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none;
  935. }
  936. break;
  937. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  938. if (!s->hit && !send_certificate_request(s)) {
  939. if (!SSL_CONNECTION_IS_TLS13(s)
  940. || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0)
  941. s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none;
  942. }
  943. break;
  944. case TLS_ST_SW_KEY_UPDATE:
  945. if (statem_flush(s) != 1)
  946. return WORK_MORE_A;
  947. if (!tls13_update_key(s, 1)) {
  948. /* SSLfatal() already called */
  949. return WORK_ERROR;
  950. }
  951. break;
  952. case TLS_ST_SW_SESSION_TICKET:
  953. clear_sys_error();
  954. if (SSL_CONNECTION_IS_TLS13(s) && statem_flush(s) != 1) {
  955. if (SSL_get_error(ssl, 0) == SSL_ERROR_SYSCALL
  956. && conn_is_closed()) {
  957. /*
  958. * We ignore connection closed errors in TLSv1.3 when sending a
  959. * NewSessionTicket and behave as if we were successful. This is
  960. * so that we are still able to read data sent to us by a client
  961. * that closes soon after the end of the handshake without
  962. * waiting to read our post-handshake NewSessionTickets.
  963. */
  964. s->rwstate = SSL_NOTHING;
  965. break;
  966. }
  967. return WORK_MORE_A;
  968. }
  969. break;
  970. }
  971. return WORK_FINISHED_CONTINUE;
  972. }
  973. /*
  974. * Get the message construction function and message type for sending from the
  975. * server
  976. *
  977. * Valid return values are:
  978. * 1: Success
  979. * 0: Error
  980. */
  981. int ossl_statem_server_construct_message(SSL_CONNECTION *s,
  982. confunc_f *confunc, int *mt)
  983. {
  984. OSSL_STATEM *st = &s->statem;
  985. switch (st->hand_state) {
  986. default:
  987. /* Shouldn't happen */
  988. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE);
  989. return 0;
  990. case TLS_ST_SW_CHANGE:
  991. if (SSL_CONNECTION_IS_DTLS(s))
  992. *confunc = dtls_construct_change_cipher_spec;
  993. else
  994. *confunc = tls_construct_change_cipher_spec;
  995. *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
  996. break;
  997. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  998. *confunc = dtls_construct_hello_verify_request;
  999. *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
  1000. break;
  1001. case TLS_ST_SW_HELLO_REQ:
  1002. /* No construction function needed */
  1003. *confunc = NULL;
  1004. *mt = SSL3_MT_HELLO_REQUEST;
  1005. break;
  1006. case TLS_ST_SW_SRVR_HELLO:
  1007. *confunc = tls_construct_server_hello;
  1008. *mt = SSL3_MT_SERVER_HELLO;
  1009. break;
  1010. case TLS_ST_SW_CERT:
  1011. *confunc = tls_construct_server_certificate;
  1012. *mt = SSL3_MT_CERTIFICATE;
  1013. break;
  1014. #ifndef OPENSSL_NO_COMP_ALG
  1015. case TLS_ST_SW_COMP_CERT:
  1016. *confunc = tls_construct_server_compressed_certificate;
  1017. *mt = SSL3_MT_COMPRESSED_CERTIFICATE;
  1018. break;
  1019. #endif
  1020. case TLS_ST_SW_CERT_VRFY:
  1021. *confunc = tls_construct_cert_verify;
  1022. *mt = SSL3_MT_CERTIFICATE_VERIFY;
  1023. break;
  1024. case TLS_ST_SW_KEY_EXCH:
  1025. *confunc = tls_construct_server_key_exchange;
  1026. *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
  1027. break;
  1028. case TLS_ST_SW_CERT_REQ:
  1029. *confunc = tls_construct_certificate_request;
  1030. *mt = SSL3_MT_CERTIFICATE_REQUEST;
  1031. break;
  1032. case TLS_ST_SW_SRVR_DONE:
  1033. *confunc = tls_construct_server_done;
  1034. *mt = SSL3_MT_SERVER_DONE;
  1035. break;
  1036. case TLS_ST_SW_SESSION_TICKET:
  1037. *confunc = tls_construct_new_session_ticket;
  1038. *mt = SSL3_MT_NEWSESSION_TICKET;
  1039. break;
  1040. case TLS_ST_SW_CERT_STATUS:
  1041. *confunc = tls_construct_cert_status;
  1042. *mt = SSL3_MT_CERTIFICATE_STATUS;
  1043. break;
  1044. case TLS_ST_SW_FINISHED:
  1045. *confunc = tls_construct_finished;
  1046. *mt = SSL3_MT_FINISHED;
  1047. break;
  1048. case TLS_ST_EARLY_DATA:
  1049. *confunc = NULL;
  1050. *mt = SSL3_MT_DUMMY;
  1051. break;
  1052. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  1053. *confunc = tls_construct_encrypted_extensions;
  1054. *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
  1055. break;
  1056. case TLS_ST_SW_KEY_UPDATE:
  1057. *confunc = tls_construct_key_update;
  1058. *mt = SSL3_MT_KEY_UPDATE;
  1059. break;
  1060. }
  1061. return 1;
  1062. }
  1063. /*
  1064. * Maximum size (excluding the Handshake header) of a ClientHello message,
  1065. * calculated as follows:
  1066. *
  1067. * 2 + # client_version
  1068. * 32 + # only valid length for random
  1069. * 1 + # length of session_id
  1070. * 32 + # maximum size for session_id
  1071. * 2 + # length of cipher suites
  1072. * 2^16-2 + # maximum length of cipher suites array
  1073. * 1 + # length of compression_methods
  1074. * 2^8-1 + # maximum length of compression methods
  1075. * 2 + # length of extensions
  1076. * 2^16-1 # maximum length of extensions
  1077. */
  1078. #define CLIENT_HELLO_MAX_LENGTH 131396
  1079. #define CLIENT_KEY_EXCH_MAX_LENGTH 2048
  1080. #define NEXT_PROTO_MAX_LENGTH 514
  1081. /*
  1082. * Returns the maximum allowed length for the current message that we are
  1083. * reading. Excludes the message header.
  1084. */
  1085. size_t ossl_statem_server_max_message_size(SSL_CONNECTION *s)
  1086. {
  1087. OSSL_STATEM *st = &s->statem;
  1088. switch (st->hand_state) {
  1089. default:
  1090. /* Shouldn't happen */
  1091. return 0;
  1092. case TLS_ST_SR_CLNT_HELLO:
  1093. return CLIENT_HELLO_MAX_LENGTH;
  1094. case TLS_ST_SR_END_OF_EARLY_DATA:
  1095. return END_OF_EARLY_DATA_MAX_LENGTH;
  1096. case TLS_ST_SR_COMP_CERT:
  1097. case TLS_ST_SR_CERT:
  1098. return s->max_cert_list;
  1099. case TLS_ST_SR_KEY_EXCH:
  1100. return CLIENT_KEY_EXCH_MAX_LENGTH;
  1101. case TLS_ST_SR_CERT_VRFY:
  1102. return CERTIFICATE_VERIFY_MAX_LENGTH;
  1103. #ifndef OPENSSL_NO_NEXTPROTONEG
  1104. case TLS_ST_SR_NEXT_PROTO:
  1105. return NEXT_PROTO_MAX_LENGTH;
  1106. #endif
  1107. case TLS_ST_SR_CHANGE:
  1108. return CCS_MAX_LENGTH;
  1109. case TLS_ST_SR_FINISHED:
  1110. return FINISHED_MAX_LENGTH;
  1111. case TLS_ST_SR_KEY_UPDATE:
  1112. return KEY_UPDATE_MAX_LENGTH;
  1113. }
  1114. }
  1115. /*
  1116. * Process a message that the server has received from the client.
  1117. */
  1118. MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL_CONNECTION *s,
  1119. PACKET *pkt)
  1120. {
  1121. OSSL_STATEM *st = &s->statem;
  1122. switch (st->hand_state) {
  1123. default:
  1124. /* Shouldn't happen */
  1125. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1126. return MSG_PROCESS_ERROR;
  1127. case TLS_ST_SR_CLNT_HELLO:
  1128. return tls_process_client_hello(s, pkt);
  1129. case TLS_ST_SR_END_OF_EARLY_DATA:
  1130. return tls_process_end_of_early_data(s, pkt);
  1131. case TLS_ST_SR_CERT:
  1132. return tls_process_client_certificate(s, pkt);
  1133. #ifndef OPENSSL_NO_COMP_ALG
  1134. case TLS_ST_SR_COMP_CERT:
  1135. return tls_process_client_compressed_certificate(s, pkt);
  1136. #endif
  1137. case TLS_ST_SR_KEY_EXCH:
  1138. return tls_process_client_key_exchange(s, pkt);
  1139. case TLS_ST_SR_CERT_VRFY:
  1140. return tls_process_cert_verify(s, pkt);
  1141. #ifndef OPENSSL_NO_NEXTPROTONEG
  1142. case TLS_ST_SR_NEXT_PROTO:
  1143. return tls_process_next_proto(s, pkt);
  1144. #endif
  1145. case TLS_ST_SR_CHANGE:
  1146. return tls_process_change_cipher_spec(s, pkt);
  1147. case TLS_ST_SR_FINISHED:
  1148. return tls_process_finished(s, pkt);
  1149. case TLS_ST_SR_KEY_UPDATE:
  1150. return tls_process_key_update(s, pkt);
  1151. }
  1152. }
  1153. /*
  1154. * Perform any further processing required following the receipt of a message
  1155. * from the client
  1156. */
  1157. WORK_STATE ossl_statem_server_post_process_message(SSL_CONNECTION *s,
  1158. WORK_STATE wst)
  1159. {
  1160. OSSL_STATEM *st = &s->statem;
  1161. switch (st->hand_state) {
  1162. default:
  1163. /* Shouldn't happen */
  1164. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1165. return WORK_ERROR;
  1166. case TLS_ST_SR_CLNT_HELLO:
  1167. return tls_post_process_client_hello(s, wst);
  1168. case TLS_ST_SR_KEY_EXCH:
  1169. return tls_post_process_client_key_exchange(s, wst);
  1170. }
  1171. }
  1172. #ifndef OPENSSL_NO_SRP
  1173. /* Returns 1 on success, 0 for retryable error, -1 for fatal error */
  1174. static int ssl_check_srp_ext_ClientHello(SSL_CONNECTION *s)
  1175. {
  1176. int ret;
  1177. int al = SSL_AD_UNRECOGNIZED_NAME;
  1178. if ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
  1179. (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
  1180. if (s->srp_ctx.login == NULL) {
  1181. /*
  1182. * RFC 5054 says SHOULD reject, we do so if There is no srp
  1183. * login name
  1184. */
  1185. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
  1186. SSL_R_PSK_IDENTITY_NOT_FOUND);
  1187. return -1;
  1188. } else {
  1189. ret = ssl_srp_server_param_with_username_intern(s, &al);
  1190. if (ret < 0)
  1191. return 0;
  1192. if (ret == SSL3_AL_FATAL) {
  1193. SSLfatal(s, al,
  1194. al == SSL_AD_UNKNOWN_PSK_IDENTITY
  1195. ? SSL_R_PSK_IDENTITY_NOT_FOUND
  1196. : SSL_R_CLIENTHELLO_TLSEXT);
  1197. return -1;
  1198. }
  1199. }
  1200. }
  1201. return 1;
  1202. }
  1203. #endif
  1204. int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
  1205. size_t cookie_len)
  1206. {
  1207. /* Always use DTLS 1.0 version: see RFC 6347 */
  1208. if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
  1209. || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
  1210. return 0;
  1211. return 1;
  1212. }
  1213. CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s,
  1214. WPACKET *pkt)
  1215. {
  1216. unsigned int cookie_leni;
  1217. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1218. if (sctx->app_gen_cookie_cb == NULL
  1219. || sctx->app_gen_cookie_cb(SSL_CONNECTION_GET_SSL(s), s->d1->cookie,
  1220. &cookie_leni) == 0
  1221. || cookie_leni > DTLS1_COOKIE_LENGTH) {
  1222. SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
  1223. return CON_FUNC_ERROR;
  1224. }
  1225. s->d1->cookie_len = cookie_leni;
  1226. if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
  1227. s->d1->cookie_len)) {
  1228. SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);
  1229. return CON_FUNC_ERROR;
  1230. }
  1231. return CON_FUNC_SUCCESS;
  1232. }
  1233. /*-
  1234. * ssl_check_for_safari attempts to fingerprint Safari using OS X
  1235. * SecureTransport using the TLS extension block in |hello|.
  1236. * Safari, since 10.6, sends exactly these extensions, in this order:
  1237. * SNI,
  1238. * elliptic_curves
  1239. * ec_point_formats
  1240. * signature_algorithms (for TLSv1.2 only)
  1241. *
  1242. * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
  1243. * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
  1244. * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
  1245. * 10.8..10.8.3 (which don't work).
  1246. */
  1247. static void ssl_check_for_safari(SSL_CONNECTION *s,
  1248. const CLIENTHELLO_MSG *hello)
  1249. {
  1250. static const unsigned char kSafariExtensionsBlock[] = {
  1251. 0x00, 0x0a, /* elliptic_curves extension */
  1252. 0x00, 0x08, /* 8 bytes */
  1253. 0x00, 0x06, /* 6 bytes of curve ids */
  1254. 0x00, 0x17, /* P-256 */
  1255. 0x00, 0x18, /* P-384 */
  1256. 0x00, 0x19, /* P-521 */
  1257. 0x00, 0x0b, /* ec_point_formats */
  1258. 0x00, 0x02, /* 2 bytes */
  1259. 0x01, /* 1 point format */
  1260. 0x00, /* uncompressed */
  1261. /* The following is only present in TLS 1.2 */
  1262. 0x00, 0x0d, /* signature_algorithms */
  1263. 0x00, 0x0c, /* 12 bytes */
  1264. 0x00, 0x0a, /* 10 bytes */
  1265. 0x05, 0x01, /* SHA-384/RSA */
  1266. 0x04, 0x01, /* SHA-256/RSA */
  1267. 0x02, 0x01, /* SHA-1/RSA */
  1268. 0x04, 0x03, /* SHA-256/ECDSA */
  1269. 0x02, 0x03, /* SHA-1/ECDSA */
  1270. };
  1271. /* Length of the common prefix (first two extensions). */
  1272. static const size_t kSafariCommonExtensionsLength = 18;
  1273. unsigned int type;
  1274. PACKET sni, tmppkt;
  1275. size_t ext_len;
  1276. tmppkt = hello->extensions;
  1277. if (!PACKET_forward(&tmppkt, 2)
  1278. || !PACKET_get_net_2(&tmppkt, &type)
  1279. || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
  1280. return;
  1281. }
  1282. if (type != TLSEXT_TYPE_server_name)
  1283. return;
  1284. ext_len = TLS1_get_client_version(
  1285. SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION ?
  1286. sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
  1287. s->s3.is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
  1288. ext_len);
  1289. }
  1290. #define RENEG_OPTIONS_OK(options) \
  1291. ((options & SSL_OP_NO_RENEGOTIATION) == 0 \
  1292. && (options & SSL_OP_ALLOW_CLIENT_RENEGOTIATION) != 0)
  1293. MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt)
  1294. {
  1295. /* |cookie| will only be initialized for DTLS. */
  1296. PACKET session_id, compression, extensions, cookie;
  1297. static const unsigned char null_compression = 0;
  1298. CLIENTHELLO_MSG *clienthello = NULL;
  1299. /* Check if this is actually an unexpected renegotiation ClientHello */
  1300. if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  1301. if (!ossl_assert(!SSL_CONNECTION_IS_TLS13(s))) {
  1302. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1303. goto err;
  1304. }
  1305. if (!RENEG_OPTIONS_OK(s->options)
  1306. || (!s->s3.send_connection_binding
  1307. && (s->options
  1308. & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) {
  1309. ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
  1310. return MSG_PROCESS_FINISHED_READING;
  1311. }
  1312. s->renegotiate = 1;
  1313. s->new_session = 1;
  1314. }
  1315. clienthello = OPENSSL_zalloc(sizeof(*clienthello));
  1316. if (clienthello == NULL) {
  1317. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1318. goto err;
  1319. }
  1320. /*
  1321. * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
  1322. */
  1323. clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
  1324. PACKET_null_init(&cookie);
  1325. if (clienthello->isv2) {
  1326. unsigned int mt;
  1327. if (!SSL_IS_FIRST_HANDSHAKE(s)
  1328. || s->hello_retry_request != SSL_HRR_NONE) {
  1329. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
  1330. goto err;
  1331. }
  1332. /*-
  1333. * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
  1334. * header is sent directly on the wire, not wrapped as a TLS
  1335. * record. Our record layer just processes the message length and passes
  1336. * the rest right through. Its format is:
  1337. * Byte Content
  1338. * 0-1 msg_length - decoded by the record layer
  1339. * 2 msg_type - s->init_msg points here
  1340. * 3-4 version
  1341. * 5-6 cipher_spec_length
  1342. * 7-8 session_id_length
  1343. * 9-10 challenge_length
  1344. * ... ...
  1345. */
  1346. if (!PACKET_get_1(pkt, &mt)
  1347. || mt != SSL2_MT_CLIENT_HELLO) {
  1348. /*
  1349. * Should never happen. We should have tested this in the record
  1350. * layer in order to have determined that this is a SSLv2 record
  1351. * in the first place
  1352. */
  1353. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1354. goto err;
  1355. }
  1356. }
  1357. if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
  1358. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
  1359. goto err;
  1360. }
  1361. /* Parse the message and load client random. */
  1362. if (clienthello->isv2) {
  1363. /*
  1364. * Handle an SSLv2 backwards compatible ClientHello
  1365. * Note, this is only for SSLv3+ using the backward compatible format.
  1366. * Real SSLv2 is not supported, and is rejected below.
  1367. */
  1368. unsigned int ciphersuite_len, session_id_len, challenge_len;
  1369. PACKET challenge;
  1370. if (!PACKET_get_net_2(pkt, &ciphersuite_len)
  1371. || !PACKET_get_net_2(pkt, &session_id_len)
  1372. || !PACKET_get_net_2(pkt, &challenge_len)) {
  1373. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RECORD_LENGTH_MISMATCH);
  1374. goto err;
  1375. }
  1376. if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
  1377. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_MISMATCH);
  1378. goto err;
  1379. }
  1380. if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
  1381. ciphersuite_len)
  1382. || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
  1383. || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
  1384. /* No extensions. */
  1385. || PACKET_remaining(pkt) != 0) {
  1386. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RECORD_LENGTH_MISMATCH);
  1387. goto err;
  1388. }
  1389. clienthello->session_id_len = session_id_len;
  1390. /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
  1391. * here rather than sizeof(clienthello->random) because that is the limit
  1392. * for SSLv3 and it is fixed. It won't change even if
  1393. * sizeof(clienthello->random) does.
  1394. */
  1395. challenge_len = challenge_len > SSL3_RANDOM_SIZE
  1396. ? SSL3_RANDOM_SIZE : challenge_len;
  1397. memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
  1398. if (!PACKET_copy_bytes(&challenge,
  1399. clienthello->random + SSL3_RANDOM_SIZE -
  1400. challenge_len, challenge_len)
  1401. /* Advertise only null compression. */
  1402. || !PACKET_buf_init(&compression, &null_compression, 1)) {
  1403. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1404. goto err;
  1405. }
  1406. PACKET_null_init(&clienthello->extensions);
  1407. } else {
  1408. /* Regular ClientHello. */
  1409. if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
  1410. || !PACKET_get_length_prefixed_1(pkt, &session_id)
  1411. || !PACKET_copy_all(&session_id, clienthello->session_id,
  1412. SSL_MAX_SSL_SESSION_ID_LENGTH,
  1413. &clienthello->session_id_len)) {
  1414. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1415. goto err;
  1416. }
  1417. if (SSL_CONNECTION_IS_DTLS(s)) {
  1418. if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
  1419. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1420. goto err;
  1421. }
  1422. if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
  1423. DTLS1_COOKIE_LENGTH,
  1424. &clienthello->dtls_cookie_len)) {
  1425. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1426. goto err;
  1427. }
  1428. /*
  1429. * If we require cookies and this ClientHello doesn't contain one,
  1430. * just return since we do not want to allocate any memory yet.
  1431. * So check cookie length...
  1432. */
  1433. if (SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_COOKIE_EXCHANGE) {
  1434. if (clienthello->dtls_cookie_len == 0) {
  1435. OPENSSL_free(clienthello);
  1436. return MSG_PROCESS_FINISHED_READING;
  1437. }
  1438. }
  1439. }
  1440. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
  1441. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1442. goto err;
  1443. }
  1444. if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
  1445. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1446. goto err;
  1447. }
  1448. /* Could be empty. */
  1449. if (PACKET_remaining(pkt) == 0) {
  1450. PACKET_null_init(&clienthello->extensions);
  1451. } else {
  1452. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
  1453. || PACKET_remaining(pkt) != 0) {
  1454. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1455. goto err;
  1456. }
  1457. }
  1458. }
  1459. if (!PACKET_copy_all(&compression, clienthello->compressions,
  1460. MAX_COMPRESSIONS_SIZE,
  1461. &clienthello->compressions_len)) {
  1462. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1463. goto err;
  1464. }
  1465. /* Preserve the raw extensions PACKET for later use */
  1466. extensions = clienthello->extensions;
  1467. if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
  1468. &clienthello->pre_proc_exts,
  1469. &clienthello->pre_proc_exts_len, 1)) {
  1470. /* SSLfatal already been called */
  1471. goto err;
  1472. }
  1473. s->clienthello = clienthello;
  1474. return MSG_PROCESS_CONTINUE_PROCESSING;
  1475. err:
  1476. if (clienthello != NULL)
  1477. OPENSSL_free(clienthello->pre_proc_exts);
  1478. OPENSSL_free(clienthello);
  1479. return MSG_PROCESS_ERROR;
  1480. }
  1481. static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
  1482. {
  1483. unsigned int j;
  1484. int i, al = SSL_AD_INTERNAL_ERROR;
  1485. int protverr;
  1486. size_t loop;
  1487. unsigned long id;
  1488. #ifndef OPENSSL_NO_COMP
  1489. SSL_COMP *comp = NULL;
  1490. #endif
  1491. const SSL_CIPHER *c;
  1492. STACK_OF(SSL_CIPHER) *ciphers = NULL;
  1493. STACK_OF(SSL_CIPHER) *scsvs = NULL;
  1494. CLIENTHELLO_MSG *clienthello = s->clienthello;
  1495. DOWNGRADE dgrd = DOWNGRADE_NONE;
  1496. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1497. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  1498. /* Finished parsing the ClientHello, now we can start processing it */
  1499. /* Give the ClientHello callback a crack at things */
  1500. if (sctx->client_hello_cb != NULL) {
  1501. /* A failure in the ClientHello callback terminates the connection. */
  1502. switch (sctx->client_hello_cb(ssl, &al, sctx->client_hello_cb_arg)) {
  1503. case SSL_CLIENT_HELLO_SUCCESS:
  1504. break;
  1505. case SSL_CLIENT_HELLO_RETRY:
  1506. s->rwstate = SSL_CLIENT_HELLO_CB;
  1507. return -1;
  1508. case SSL_CLIENT_HELLO_ERROR:
  1509. default:
  1510. SSLfatal(s, al, SSL_R_CALLBACK_FAILED);
  1511. goto err;
  1512. }
  1513. }
  1514. /* Set up the client_random */
  1515. memcpy(s->s3.client_random, clienthello->random, SSL3_RANDOM_SIZE);
  1516. /* Choose the version */
  1517. if (clienthello->isv2) {
  1518. if (clienthello->legacy_version == SSL2_VERSION
  1519. || (clienthello->legacy_version & 0xff00)
  1520. != (SSL3_VERSION_MAJOR << 8)) {
  1521. /*
  1522. * This is real SSLv2 or something completely unknown. We don't
  1523. * support it.
  1524. */
  1525. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNKNOWN_PROTOCOL);
  1526. goto err;
  1527. }
  1528. /* SSLv3/TLS */
  1529. s->client_version = clienthello->legacy_version;
  1530. }
  1531. /*
  1532. * Do SSL/TLS version negotiation if applicable. For DTLS we just check
  1533. * versions are potentially compatible. Version negotiation comes later.
  1534. */
  1535. if (!SSL_CONNECTION_IS_DTLS(s)) {
  1536. protverr = ssl_choose_server_version(s, clienthello, &dgrd);
  1537. } else if (ssl->method->version != DTLS_ANY_VERSION &&
  1538. DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
  1539. protverr = SSL_R_VERSION_TOO_LOW;
  1540. } else {
  1541. protverr = 0;
  1542. }
  1543. if (protverr) {
  1544. if (SSL_IS_FIRST_HANDSHAKE(s)) {
  1545. /* like ssl3_get_record, send alert using remote version number */
  1546. s->version = s->client_version = clienthello->legacy_version;
  1547. }
  1548. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, protverr);
  1549. goto err;
  1550. }
  1551. /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
  1552. if (SSL_CONNECTION_IS_TLS13(s)
  1553. && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  1554. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
  1555. goto err;
  1556. }
  1557. if (SSL_CONNECTION_IS_DTLS(s)) {
  1558. /* Empty cookie was already handled above by returning early. */
  1559. if (SSL_get_options(ssl) & SSL_OP_COOKIE_EXCHANGE) {
  1560. if (sctx->app_verify_cookie_cb != NULL) {
  1561. if (sctx->app_verify_cookie_cb(ssl, clienthello->dtls_cookie,
  1562. clienthello->dtls_cookie_len) == 0) {
  1563. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1564. SSL_R_COOKIE_MISMATCH);
  1565. goto err;
  1566. /* else cookie verification succeeded */
  1567. }
  1568. /* default verification */
  1569. } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
  1570. || memcmp(clienthello->dtls_cookie, s->d1->cookie,
  1571. s->d1->cookie_len) != 0) {
  1572. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_COOKIE_MISMATCH);
  1573. goto err;
  1574. }
  1575. s->d1->cookie_verified = 1;
  1576. }
  1577. if (ssl->method->version == DTLS_ANY_VERSION) {
  1578. protverr = ssl_choose_server_version(s, clienthello, &dgrd);
  1579. if (protverr != 0) {
  1580. s->version = s->client_version;
  1581. SSLfatal(s, SSL_AD_PROTOCOL_VERSION, protverr);
  1582. goto err;
  1583. }
  1584. }
  1585. }
  1586. s->hit = 0;
  1587. if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
  1588. clienthello->isv2) ||
  1589. !ossl_bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers,
  1590. &scsvs, clienthello->isv2, 1)) {
  1591. /* SSLfatal() already called */
  1592. goto err;
  1593. }
  1594. s->s3.send_connection_binding = 0;
  1595. /* Check what signalling cipher-suite values were received. */
  1596. if (scsvs != NULL) {
  1597. for (i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
  1598. c = sk_SSL_CIPHER_value(scsvs, i);
  1599. if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
  1600. if (s->renegotiate) {
  1601. /* SCSV is fatal if renegotiating */
  1602. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1603. SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
  1604. goto err;
  1605. }
  1606. s->s3.send_connection_binding = 1;
  1607. } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
  1608. !ssl_check_version_downgrade(s)) {
  1609. /*
  1610. * This SCSV indicates that the client previously tried
  1611. * a higher version. We should fail if the current version
  1612. * is an unexpected downgrade, as that indicates that the first
  1613. * connection may have been tampered with in order to trigger
  1614. * an insecure downgrade.
  1615. */
  1616. SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK,
  1617. SSL_R_INAPPROPRIATE_FALLBACK);
  1618. goto err;
  1619. }
  1620. }
  1621. }
  1622. /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
  1623. if (SSL_CONNECTION_IS_TLS13(s)) {
  1624. const SSL_CIPHER *cipher =
  1625. ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(ssl));
  1626. if (cipher == NULL) {
  1627. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER);
  1628. goto err;
  1629. }
  1630. if (s->hello_retry_request == SSL_HRR_PENDING
  1631. && (s->s3.tmp.new_cipher == NULL
  1632. || s->s3.tmp.new_cipher->id != cipher->id)) {
  1633. /*
  1634. * A previous HRR picked a different ciphersuite to the one we
  1635. * just selected. Something must have changed.
  1636. */
  1637. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
  1638. goto err;
  1639. }
  1640. s->s3.tmp.new_cipher = cipher;
  1641. }
  1642. /* We need to do this before getting the session */
  1643. if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
  1644. SSL_EXT_CLIENT_HELLO,
  1645. clienthello->pre_proc_exts, NULL, 0)) {
  1646. /* SSLfatal() already called */
  1647. goto err;
  1648. }
  1649. /*
  1650. * We don't allow resumption in a backwards compatible ClientHello.
  1651. * In TLS1.1+, session_id MUST be empty.
  1652. *
  1653. * Versions before 0.9.7 always allow clients to resume sessions in
  1654. * renegotiation. 0.9.7 and later allow this by default, but optionally
  1655. * ignore resumption requests with flag
  1656. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
  1657. * than a change to default behavior so that applications relying on
  1658. * this for security won't even compile against older library versions).
  1659. * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
  1660. * request renegotiation but not a new session (s->new_session remains
  1661. * unset): for servers, this essentially just means that the
  1662. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
  1663. * ignored.
  1664. */
  1665. if (clienthello->isv2 ||
  1666. (s->new_session &&
  1667. (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
  1668. if (!ssl_get_new_session(s, 1)) {
  1669. /* SSLfatal() already called */
  1670. goto err;
  1671. }
  1672. } else {
  1673. i = ssl_get_prev_session(s, clienthello);
  1674. if (i == 1) {
  1675. /* previous session */
  1676. s->hit = 1;
  1677. } else if (i == -1) {
  1678. /* SSLfatal() already called */
  1679. goto err;
  1680. } else {
  1681. /* i == 0 */
  1682. if (!ssl_get_new_session(s, 1)) {
  1683. /* SSLfatal() already called */
  1684. goto err;
  1685. }
  1686. }
  1687. }
  1688. if (SSL_CONNECTION_IS_TLS13(s)) {
  1689. memcpy(s->tmp_session_id, s->clienthello->session_id,
  1690. s->clienthello->session_id_len);
  1691. s->tmp_session_id_len = s->clienthello->session_id_len;
  1692. }
  1693. /*
  1694. * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
  1695. * ciphersuite compatibility with the session as part of resumption.
  1696. */
  1697. if (!SSL_CONNECTION_IS_TLS13(s) && s->hit) {
  1698. j = 0;
  1699. id = s->session->cipher->id;
  1700. OSSL_TRACE_BEGIN(TLS_CIPHER) {
  1701. BIO_printf(trc_out, "client sent %d ciphers\n",
  1702. sk_SSL_CIPHER_num(ciphers));
  1703. }
  1704. for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
  1705. c = sk_SSL_CIPHER_value(ciphers, i);
  1706. if (trc_out != NULL)
  1707. BIO_printf(trc_out, "client [%2d of %2d]:%s\n", i,
  1708. sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
  1709. if (c->id == id) {
  1710. j = 1;
  1711. break;
  1712. }
  1713. }
  1714. if (j == 0) {
  1715. /*
  1716. * we need to have the cipher in the cipher list if we are asked
  1717. * to reuse it
  1718. */
  1719. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1720. SSL_R_REQUIRED_CIPHER_MISSING);
  1721. OSSL_TRACE_CANCEL(TLS_CIPHER);
  1722. goto err;
  1723. }
  1724. OSSL_TRACE_END(TLS_CIPHER);
  1725. }
  1726. for (loop = 0; loop < clienthello->compressions_len; loop++) {
  1727. if (clienthello->compressions[loop] == 0)
  1728. break;
  1729. }
  1730. if (loop >= clienthello->compressions_len) {
  1731. /* no compress */
  1732. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_COMPRESSION_SPECIFIED);
  1733. goto err;
  1734. }
  1735. if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
  1736. ssl_check_for_safari(s, clienthello);
  1737. /* TLS extensions */
  1738. if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
  1739. clienthello->pre_proc_exts, NULL, 0, 1)) {
  1740. /* SSLfatal() already called */
  1741. goto err;
  1742. }
  1743. /*
  1744. * Check if we want to use external pre-shared secret for this handshake
  1745. * for not reused session only. We need to generate server_random before
  1746. * calling tls_session_secret_cb in order to allow SessionTicket
  1747. * processing to use it in key derivation.
  1748. */
  1749. {
  1750. unsigned char *pos;
  1751. pos = s->s3.server_random;
  1752. if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
  1753. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1754. goto err;
  1755. }
  1756. }
  1757. if (!s->hit
  1758. && s->version >= TLS1_VERSION
  1759. && !SSL_CONNECTION_IS_TLS13(s)
  1760. && !SSL_CONNECTION_IS_DTLS(s)
  1761. && s->ext.session_secret_cb != NULL) {
  1762. const SSL_CIPHER *pref_cipher = NULL;
  1763. /*
  1764. * s->session->master_key_length is a size_t, but this is an int for
  1765. * backwards compat reasons
  1766. */
  1767. int master_key_length;
  1768. master_key_length = sizeof(s->session->master_key);
  1769. if (s->ext.session_secret_cb(ssl, s->session->master_key,
  1770. &master_key_length, ciphers,
  1771. &pref_cipher,
  1772. s->ext.session_secret_cb_arg)
  1773. && master_key_length > 0) {
  1774. s->session->master_key_length = master_key_length;
  1775. s->hit = 1;
  1776. s->peer_ciphers = ciphers;
  1777. s->session->verify_result = X509_V_OK;
  1778. ciphers = NULL;
  1779. /* check if some cipher was preferred by call back */
  1780. if (pref_cipher == NULL)
  1781. pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers,
  1782. SSL_get_ciphers(ssl));
  1783. if (pref_cipher == NULL) {
  1784. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER);
  1785. goto err;
  1786. }
  1787. s->session->cipher = pref_cipher;
  1788. sk_SSL_CIPHER_free(s->cipher_list);
  1789. s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers);
  1790. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  1791. s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
  1792. }
  1793. }
  1794. /*
  1795. * Worst case, we will use the NULL compression, but if we have other
  1796. * options, we will now look for them. We have complen-1 compression
  1797. * algorithms from the client, starting at q.
  1798. */
  1799. s->s3.tmp.new_compression = NULL;
  1800. if (SSL_CONNECTION_IS_TLS13(s)) {
  1801. /*
  1802. * We already checked above that the NULL compression method appears in
  1803. * the list. Now we check there aren't any others (which is illegal in
  1804. * a TLSv1.3 ClientHello.
  1805. */
  1806. if (clienthello->compressions_len != 1) {
  1807. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1808. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1809. goto err;
  1810. }
  1811. }
  1812. #ifndef OPENSSL_NO_COMP
  1813. /* This only happens if we have a cache hit */
  1814. else if (s->session->compress_meth != 0) {
  1815. int m, comp_id = s->session->compress_meth;
  1816. unsigned int k;
  1817. /* Perform sanity checks on resumed compression algorithm */
  1818. /* Can't disable compression */
  1819. if (!ssl_allow_compression(s)) {
  1820. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1821. SSL_R_INCONSISTENT_COMPRESSION);
  1822. goto err;
  1823. }
  1824. /* Look for resumed compression method */
  1825. for (m = 0; m < sk_SSL_COMP_num(sctx->comp_methods); m++) {
  1826. comp = sk_SSL_COMP_value(sctx->comp_methods, m);
  1827. if (comp_id == comp->id) {
  1828. s->s3.tmp.new_compression = comp;
  1829. break;
  1830. }
  1831. }
  1832. if (s->s3.tmp.new_compression == NULL) {
  1833. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1834. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1835. goto err;
  1836. }
  1837. /* Look for resumed method in compression list */
  1838. for (k = 0; k < clienthello->compressions_len; k++) {
  1839. if (clienthello->compressions[k] == comp_id)
  1840. break;
  1841. }
  1842. if (k >= clienthello->compressions_len) {
  1843. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1844. SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
  1845. goto err;
  1846. }
  1847. } else if (s->hit) {
  1848. comp = NULL;
  1849. } else if (ssl_allow_compression(s) && sctx->comp_methods) {
  1850. /* See if we have a match */
  1851. int m, nn, v, done = 0;
  1852. unsigned int o;
  1853. nn = sk_SSL_COMP_num(sctx->comp_methods);
  1854. for (m = 0; m < nn; m++) {
  1855. comp = sk_SSL_COMP_value(sctx->comp_methods, m);
  1856. v = comp->id;
  1857. for (o = 0; o < clienthello->compressions_len; o++) {
  1858. if (v == clienthello->compressions[o]) {
  1859. done = 1;
  1860. break;
  1861. }
  1862. }
  1863. if (done)
  1864. break;
  1865. }
  1866. if (done)
  1867. s->s3.tmp.new_compression = comp;
  1868. else
  1869. comp = NULL;
  1870. }
  1871. #else
  1872. /*
  1873. * If compression is disabled we'd better not try to resume a session
  1874. * using compression.
  1875. */
  1876. if (s->session->compress_meth != 0) {
  1877. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION);
  1878. goto err;
  1879. }
  1880. #endif
  1881. /*
  1882. * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher
  1883. */
  1884. if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
  1885. sk_SSL_CIPHER_free(s->peer_ciphers);
  1886. s->peer_ciphers = ciphers;
  1887. if (ciphers == NULL) {
  1888. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1889. goto err;
  1890. }
  1891. ciphers = NULL;
  1892. }
  1893. if (!s->hit) {
  1894. #ifdef OPENSSL_NO_COMP
  1895. s->session->compress_meth = 0;
  1896. #else
  1897. s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
  1898. #endif
  1899. if (!tls1_set_server_sigalgs(s)) {
  1900. /* SSLfatal() already called */
  1901. goto err;
  1902. }
  1903. }
  1904. sk_SSL_CIPHER_free(ciphers);
  1905. sk_SSL_CIPHER_free(scsvs);
  1906. OPENSSL_free(clienthello->pre_proc_exts);
  1907. OPENSSL_free(s->clienthello);
  1908. s->clienthello = NULL;
  1909. return 1;
  1910. err:
  1911. sk_SSL_CIPHER_free(ciphers);
  1912. sk_SSL_CIPHER_free(scsvs);
  1913. OPENSSL_free(clienthello->pre_proc_exts);
  1914. OPENSSL_free(s->clienthello);
  1915. s->clienthello = NULL;
  1916. return 0;
  1917. }
  1918. /*
  1919. * Call the status request callback if needed. Upon success, returns 1.
  1920. * Upon failure, returns 0.
  1921. */
  1922. static int tls_handle_status_request(SSL_CONNECTION *s)
  1923. {
  1924. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1925. s->ext.status_expected = 0;
  1926. /*
  1927. * If status request then ask callback what to do. Note: this must be
  1928. * called after servername callbacks in case the certificate has changed,
  1929. * and must be called after the cipher has been chosen because this may
  1930. * influence which certificate is sent
  1931. */
  1932. if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && sctx != NULL
  1933. && sctx->ext.status_cb != NULL) {
  1934. int ret;
  1935. /* If no certificate can't return certificate status */
  1936. if (s->s3.tmp.cert != NULL) {
  1937. /*
  1938. * Set current certificate to one we will use so SSL_get_certificate
  1939. * et al can pick it up.
  1940. */
  1941. s->cert->key = s->s3.tmp.cert;
  1942. ret = sctx->ext.status_cb(SSL_CONNECTION_GET_SSL(s),
  1943. sctx->ext.status_arg);
  1944. switch (ret) {
  1945. /* We don't want to send a status request response */
  1946. case SSL_TLSEXT_ERR_NOACK:
  1947. s->ext.status_expected = 0;
  1948. break;
  1949. /* status request response should be sent */
  1950. case SSL_TLSEXT_ERR_OK:
  1951. if (s->ext.ocsp.resp)
  1952. s->ext.status_expected = 1;
  1953. break;
  1954. /* something bad happened */
  1955. case SSL_TLSEXT_ERR_ALERT_FATAL:
  1956. default:
  1957. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CLIENTHELLO_TLSEXT);
  1958. return 0;
  1959. }
  1960. }
  1961. }
  1962. return 1;
  1963. }
  1964. /*
  1965. * Call the alpn_select callback if needed. Upon success, returns 1.
  1966. * Upon failure, returns 0.
  1967. */
  1968. int tls_handle_alpn(SSL_CONNECTION *s)
  1969. {
  1970. const unsigned char *selected = NULL;
  1971. unsigned char selected_len = 0;
  1972. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1973. if (sctx->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) {
  1974. int r = sctx->ext.alpn_select_cb(SSL_CONNECTION_GET_SSL(s),
  1975. &selected, &selected_len,
  1976. s->s3.alpn_proposed,
  1977. (unsigned int)s->s3.alpn_proposed_len,
  1978. sctx->ext.alpn_select_cb_arg);
  1979. if (r == SSL_TLSEXT_ERR_OK) {
  1980. OPENSSL_free(s->s3.alpn_selected);
  1981. s->s3.alpn_selected = OPENSSL_memdup(selected, selected_len);
  1982. if (s->s3.alpn_selected == NULL) {
  1983. s->s3.alpn_selected_len = 0;
  1984. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1985. return 0;
  1986. }
  1987. s->s3.alpn_selected_len = selected_len;
  1988. #ifndef OPENSSL_NO_NEXTPROTONEG
  1989. /* ALPN takes precedence over NPN. */
  1990. s->s3.npn_seen = 0;
  1991. #endif
  1992. /* Check ALPN is consistent with session */
  1993. if (s->session->ext.alpn_selected == NULL
  1994. || selected_len != s->session->ext.alpn_selected_len
  1995. || memcmp(selected, s->session->ext.alpn_selected,
  1996. selected_len) != 0) {
  1997. /* Not consistent so can't be used for early_data */
  1998. s->ext.early_data_ok = 0;
  1999. if (!s->hit) {
  2000. /*
  2001. * This is a new session and so alpn_selected should have
  2002. * been initialised to NULL. We should update it with the
  2003. * selected ALPN.
  2004. */
  2005. if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
  2006. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2007. ERR_R_INTERNAL_ERROR);
  2008. return 0;
  2009. }
  2010. s->session->ext.alpn_selected = OPENSSL_memdup(selected,
  2011. selected_len);
  2012. if (s->session->ext.alpn_selected == NULL) {
  2013. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2014. ERR_R_INTERNAL_ERROR);
  2015. return 0;
  2016. }
  2017. s->session->ext.alpn_selected_len = selected_len;
  2018. }
  2019. }
  2020. return 1;
  2021. } else if (r != SSL_TLSEXT_ERR_NOACK) {
  2022. SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL,
  2023. SSL_R_NO_APPLICATION_PROTOCOL);
  2024. return 0;
  2025. }
  2026. /*
  2027. * If r == SSL_TLSEXT_ERR_NOACK then behave as if no callback was
  2028. * present.
  2029. */
  2030. }
  2031. /* Check ALPN is consistent with session */
  2032. if (s->session->ext.alpn_selected != NULL) {
  2033. /* Not consistent so can't be used for early_data */
  2034. s->ext.early_data_ok = 0;
  2035. }
  2036. return 1;
  2037. }
  2038. WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst)
  2039. {
  2040. const SSL_CIPHER *cipher;
  2041. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  2042. if (wst == WORK_MORE_A) {
  2043. int rv = tls_early_post_process_client_hello(s);
  2044. if (rv == 0) {
  2045. /* SSLfatal() was already called */
  2046. goto err;
  2047. }
  2048. if (rv < 0)
  2049. return WORK_MORE_A;
  2050. wst = WORK_MORE_B;
  2051. }
  2052. if (wst == WORK_MORE_B) {
  2053. if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
  2054. /* Let cert callback update server certificates if required */
  2055. if (!s->hit && s->cert->cert_cb != NULL) {
  2056. int rv = s->cert->cert_cb(ssl, s->cert->cert_cb_arg);
  2057. if (rv == 0) {
  2058. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CERT_CB_ERROR);
  2059. goto err;
  2060. }
  2061. if (rv < 0) {
  2062. s->rwstate = SSL_X509_LOOKUP;
  2063. return WORK_MORE_B;
  2064. }
  2065. s->rwstate = SSL_NOTHING;
  2066. }
  2067. /* In TLSv1.3 we selected the ciphersuite before resumption */
  2068. if (!SSL_CONNECTION_IS_TLS13(s)) {
  2069. cipher =
  2070. ssl3_choose_cipher(s, s->peer_ciphers,
  2071. SSL_get_ciphers(ssl));
  2072. if (cipher == NULL) {
  2073. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2074. SSL_R_NO_SHARED_CIPHER);
  2075. goto err;
  2076. }
  2077. s->s3.tmp.new_cipher = cipher;
  2078. }
  2079. if (!s->hit) {
  2080. if (!tls_choose_sigalg(s, 1)) {
  2081. /* SSLfatal already called */
  2082. goto err;
  2083. }
  2084. /* check whether we should disable session resumption */
  2085. if (s->not_resumable_session_cb != NULL)
  2086. s->session->not_resumable =
  2087. s->not_resumable_session_cb(ssl,
  2088. ((s->s3.tmp.new_cipher->algorithm_mkey
  2089. & (SSL_kDHE | SSL_kECDHE)) != 0));
  2090. if (s->session->not_resumable)
  2091. /* do not send a session ticket */
  2092. s->ext.ticket_expected = 0;
  2093. }
  2094. } else {
  2095. /* Session-id reuse */
  2096. s->s3.tmp.new_cipher = s->session->cipher;
  2097. }
  2098. /*-
  2099. * we now have the following setup.
  2100. * client_random
  2101. * cipher_list - our preferred list of ciphers
  2102. * ciphers - the client's preferred list of ciphers
  2103. * compression - basically ignored right now
  2104. * ssl version is set - sslv3
  2105. * s->session - The ssl session has been setup.
  2106. * s->hit - session reuse flag
  2107. * s->s3.tmp.new_cipher - the new cipher to use.
  2108. */
  2109. /*
  2110. * Call status_request callback if needed. Has to be done after the
  2111. * certificate callbacks etc above.
  2112. */
  2113. if (!tls_handle_status_request(s)) {
  2114. /* SSLfatal() already called */
  2115. goto err;
  2116. }
  2117. /*
  2118. * Call alpn_select callback if needed. Has to be done after SNI and
  2119. * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
  2120. * we already did this because cipher negotiation happens earlier, and
  2121. * we must handle ALPN before we decide whether to accept early_data.
  2122. */
  2123. if (!SSL_CONNECTION_IS_TLS13(s) && !tls_handle_alpn(s)) {
  2124. /* SSLfatal() already called */
  2125. goto err;
  2126. }
  2127. wst = WORK_MORE_C;
  2128. }
  2129. #ifndef OPENSSL_NO_SRP
  2130. if (wst == WORK_MORE_C) {
  2131. int ret;
  2132. if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) {
  2133. /*
  2134. * callback indicates further work to be done
  2135. */
  2136. s->rwstate = SSL_X509_LOOKUP;
  2137. return WORK_MORE_C;
  2138. }
  2139. if (ret < 0) {
  2140. /* SSLfatal() already called */
  2141. goto err;
  2142. }
  2143. }
  2144. #endif
  2145. return WORK_FINISHED_STOP;
  2146. err:
  2147. return WORK_ERROR;
  2148. }
  2149. CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
  2150. {
  2151. int compm;
  2152. size_t sl, len;
  2153. int version;
  2154. unsigned char *session_id;
  2155. int usetls13 = SSL_CONNECTION_IS_TLS13(s)
  2156. || s->hello_retry_request == SSL_HRR_PENDING;
  2157. version = usetls13 ? TLS1_2_VERSION : s->version;
  2158. if (!WPACKET_put_bytes_u16(pkt, version)
  2159. /*
  2160. * Random stuff. Filling of the server_random takes place in
  2161. * tls_process_client_hello()
  2162. */
  2163. || !WPACKET_memcpy(pkt,
  2164. s->hello_retry_request == SSL_HRR_PENDING
  2165. ? hrrrandom : s->s3.server_random,
  2166. SSL3_RANDOM_SIZE)) {
  2167. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2168. return CON_FUNC_ERROR;
  2169. }
  2170. /*-
  2171. * There are several cases for the session ID to send
  2172. * back in the server hello:
  2173. * - For session reuse from the session cache,
  2174. * we send back the old session ID.
  2175. * - If stateless session reuse (using a session ticket)
  2176. * is successful, we send back the client's "session ID"
  2177. * (which doesn't actually identify the session).
  2178. * - If it is a new session, we send back the new
  2179. * session ID.
  2180. * - However, if we want the new session to be single-use,
  2181. * we send back a 0-length session ID.
  2182. * - In TLSv1.3 we echo back the session id sent to us by the client
  2183. * regardless
  2184. * s->hit is non-zero in either case of session reuse,
  2185. * so the following won't overwrite an ID that we're supposed
  2186. * to send back.
  2187. */
  2188. if (s->session->not_resumable ||
  2189. (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
  2190. && !s->hit))
  2191. s->session->session_id_length = 0;
  2192. if (usetls13) {
  2193. sl = s->tmp_session_id_len;
  2194. session_id = s->tmp_session_id;
  2195. } else {
  2196. sl = s->session->session_id_length;
  2197. session_id = s->session->session_id;
  2198. }
  2199. if (sl > sizeof(s->session->session_id)) {
  2200. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2201. return CON_FUNC_ERROR;
  2202. }
  2203. /* set up the compression method */
  2204. #ifdef OPENSSL_NO_COMP
  2205. compm = 0;
  2206. #else
  2207. if (usetls13 || s->s3.tmp.new_compression == NULL)
  2208. compm = 0;
  2209. else
  2210. compm = s->s3.tmp.new_compression->id;
  2211. #endif
  2212. if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl)
  2213. || !SSL_CONNECTION_GET_SSL(s)->method->put_cipher_by_char(s->s3.tmp.new_cipher,
  2214. pkt, &len)
  2215. || !WPACKET_put_bytes_u8(pkt, compm)) {
  2216. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2217. return CON_FUNC_ERROR;
  2218. }
  2219. if (!tls_construct_extensions(s, pkt,
  2220. s->hello_retry_request == SSL_HRR_PENDING
  2221. ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
  2222. : (SSL_CONNECTION_IS_TLS13(s)
  2223. ? SSL_EXT_TLS1_3_SERVER_HELLO
  2224. : SSL_EXT_TLS1_2_SERVER_HELLO),
  2225. NULL, 0)) {
  2226. /* SSLfatal() already called */
  2227. return CON_FUNC_ERROR;
  2228. }
  2229. if (s->hello_retry_request == SSL_HRR_PENDING) {
  2230. /* Ditch the session. We'll create a new one next time around */
  2231. SSL_SESSION_free(s->session);
  2232. s->session = NULL;
  2233. s->hit = 0;
  2234. /*
  2235. * Re-initialise the Transcript Hash. We're going to prepopulate it with
  2236. * a synthetic message_hash in place of ClientHello1.
  2237. */
  2238. if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
  2239. /* SSLfatal() already called */
  2240. return CON_FUNC_ERROR;
  2241. }
  2242. } else if (!(s->verify_mode & SSL_VERIFY_PEER)
  2243. && !ssl3_digest_cached_records(s, 0)) {
  2244. /* SSLfatal() already called */;
  2245. return CON_FUNC_ERROR;
  2246. }
  2247. return CON_FUNC_SUCCESS;
  2248. }
  2249. CON_FUNC_RETURN tls_construct_server_done(SSL_CONNECTION *s, WPACKET *pkt)
  2250. {
  2251. if (!s->s3.tmp.cert_request) {
  2252. if (!ssl3_digest_cached_records(s, 0)) {
  2253. /* SSLfatal() already called */
  2254. return CON_FUNC_ERROR;
  2255. }
  2256. }
  2257. return CON_FUNC_SUCCESS;
  2258. }
  2259. CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s,
  2260. WPACKET *pkt)
  2261. {
  2262. EVP_PKEY *pkdh = NULL;
  2263. unsigned char *encodedPoint = NULL;
  2264. size_t encodedlen = 0;
  2265. int curve_id = 0;
  2266. const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
  2267. int i;
  2268. unsigned long type;
  2269. BIGNUM *r[4];
  2270. EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
  2271. EVP_PKEY_CTX *pctx = NULL;
  2272. size_t paramlen, paramoffset;
  2273. int freer = 0;
  2274. CON_FUNC_RETURN ret = CON_FUNC_ERROR;
  2275. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2276. if (!WPACKET_get_total_written(pkt, &paramoffset)) {
  2277. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2278. goto err;
  2279. }
  2280. if (md_ctx == NULL) {
  2281. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2282. goto err;
  2283. }
  2284. type = s->s3.tmp.new_cipher->algorithm_mkey;
  2285. r[0] = r[1] = r[2] = r[3] = NULL;
  2286. #ifndef OPENSSL_NO_PSK
  2287. /* Plain PSK or RSAPSK nothing to do */
  2288. if (type & (SSL_kPSK | SSL_kRSAPSK)) {
  2289. } else
  2290. #endif /* !OPENSSL_NO_PSK */
  2291. if (type & (SSL_kDHE | SSL_kDHEPSK)) {
  2292. CERT *cert = s->cert;
  2293. EVP_PKEY *pkdhp = NULL;
  2294. if (s->cert->dh_tmp_auto) {
  2295. pkdh = ssl_get_auto_dh(s);
  2296. if (pkdh == NULL) {
  2297. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2298. goto err;
  2299. }
  2300. pkdhp = pkdh;
  2301. } else {
  2302. pkdhp = cert->dh_tmp;
  2303. }
  2304. #if !defined(OPENSSL_NO_DEPRECATED_3_0)
  2305. if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
  2306. pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(SSL_CONNECTION_GET_SSL(s),
  2307. 0, 1024));
  2308. if (pkdh == NULL) {
  2309. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2310. goto err;
  2311. }
  2312. pkdhp = pkdh;
  2313. }
  2314. #endif
  2315. if (pkdhp == NULL) {
  2316. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY);
  2317. goto err;
  2318. }
  2319. if (!ssl_security(s, SSL_SECOP_TMP_DH,
  2320. EVP_PKEY_get_security_bits(pkdhp), 0, pkdhp)) {
  2321. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL);
  2322. goto err;
  2323. }
  2324. if (s->s3.tmp.pkey != NULL) {
  2325. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2326. goto err;
  2327. }
  2328. s->s3.tmp.pkey = ssl_generate_pkey(s, pkdhp);
  2329. if (s->s3.tmp.pkey == NULL) {
  2330. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2331. goto err;
  2332. }
  2333. EVP_PKEY_free(pkdh);
  2334. pkdh = NULL;
  2335. /* These BIGNUMs need to be freed when we're finished */
  2336. freer = 1;
  2337. if (!EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_P,
  2338. &r[0])
  2339. || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_G,
  2340. &r[1])
  2341. || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey,
  2342. OSSL_PKEY_PARAM_PUB_KEY, &r[2])) {
  2343. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2344. goto err;
  2345. }
  2346. } else if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2347. if (s->s3.tmp.pkey != NULL) {
  2348. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2349. goto err;
  2350. }
  2351. /* Get NID of appropriate shared curve */
  2352. curve_id = tls1_shared_group(s, -2);
  2353. if (curve_id == 0) {
  2354. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2355. SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
  2356. goto err;
  2357. }
  2358. /* Cache the group used in the SSL_SESSION */
  2359. s->session->kex_group = curve_id;
  2360. /* Generate a new key for this curve */
  2361. s->s3.tmp.pkey = ssl_generate_pkey_group(s, curve_id);
  2362. if (s->s3.tmp.pkey == NULL) {
  2363. /* SSLfatal() already called */
  2364. goto err;
  2365. }
  2366. /* Encode the public key. */
  2367. encodedlen = EVP_PKEY_get1_encoded_public_key(s->s3.tmp.pkey,
  2368. &encodedPoint);
  2369. if (encodedlen == 0) {
  2370. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
  2371. goto err;
  2372. }
  2373. /*
  2374. * We'll generate the serverKeyExchange message explicitly so we
  2375. * can set these to NULLs
  2376. */
  2377. r[0] = NULL;
  2378. r[1] = NULL;
  2379. r[2] = NULL;
  2380. r[3] = NULL;
  2381. } else
  2382. #ifndef OPENSSL_NO_SRP
  2383. if (type & SSL_kSRP) {
  2384. if ((s->srp_ctx.N == NULL) ||
  2385. (s->srp_ctx.g == NULL) ||
  2386. (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
  2387. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_SRP_PARAM);
  2388. goto err;
  2389. }
  2390. r[0] = s->srp_ctx.N;
  2391. r[1] = s->srp_ctx.g;
  2392. r[2] = s->srp_ctx.s;
  2393. r[3] = s->srp_ctx.B;
  2394. } else
  2395. #endif
  2396. {
  2397. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
  2398. goto err;
  2399. }
  2400. if (((s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
  2401. || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
  2402. lu = NULL;
  2403. } else if (lu == NULL) {
  2404. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
  2405. goto err;
  2406. }
  2407. #ifndef OPENSSL_NO_PSK
  2408. if (type & SSL_PSK) {
  2409. size_t len = (s->cert->psk_identity_hint == NULL)
  2410. ? 0 : strlen(s->cert->psk_identity_hint);
  2411. /*
  2412. * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
  2413. * checked this when we set the identity hint - but just in case
  2414. */
  2415. if (len > PSK_MAX_IDENTITY_LEN
  2416. || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
  2417. len)) {
  2418. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2419. goto err;
  2420. }
  2421. }
  2422. #endif
  2423. for (i = 0; i < 4 && r[i] != NULL; i++) {
  2424. unsigned char *binval;
  2425. int res;
  2426. #ifndef OPENSSL_NO_SRP
  2427. if ((i == 2) && (type & SSL_kSRP)) {
  2428. res = WPACKET_start_sub_packet_u8(pkt);
  2429. } else
  2430. #endif
  2431. res = WPACKET_start_sub_packet_u16(pkt);
  2432. if (!res) {
  2433. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2434. goto err;
  2435. }
  2436. /*-
  2437. * for interoperability with some versions of the Microsoft TLS
  2438. * stack, we need to zero pad the DHE pub key to the same length
  2439. * as the prime
  2440. */
  2441. if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
  2442. size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
  2443. if (len > 0) {
  2444. if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
  2445. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2446. goto err;
  2447. }
  2448. memset(binval, 0, len);
  2449. }
  2450. }
  2451. if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
  2452. || !WPACKET_close(pkt)) {
  2453. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2454. goto err;
  2455. }
  2456. BN_bn2bin(r[i], binval);
  2457. }
  2458. if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2459. /*
  2460. * We only support named (not generic) curves. In this situation, the
  2461. * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
  2462. * [1 byte length of encoded point], followed by the actual encoded
  2463. * point itself
  2464. */
  2465. if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
  2466. || !WPACKET_put_bytes_u8(pkt, 0)
  2467. || !WPACKET_put_bytes_u8(pkt, curve_id)
  2468. || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
  2469. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2470. goto err;
  2471. }
  2472. OPENSSL_free(encodedPoint);
  2473. encodedPoint = NULL;
  2474. }
  2475. /* not anonymous */
  2476. if (lu != NULL) {
  2477. EVP_PKEY *pkey = s->s3.tmp.cert->privatekey;
  2478. const EVP_MD *md;
  2479. unsigned char *sigbytes1, *sigbytes2, *tbs;
  2480. size_t siglen = 0, tbslen;
  2481. if (pkey == NULL || !tls1_lookup_md(sctx, lu, &md)) {
  2482. /* Should never happen */
  2483. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2484. goto err;
  2485. }
  2486. /* Get length of the parameters we have written above */
  2487. if (!WPACKET_get_length(pkt, &paramlen)) {
  2488. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2489. goto err;
  2490. }
  2491. /* send signature algorithm */
  2492. if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
  2493. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2494. goto err;
  2495. }
  2496. if (EVP_DigestSignInit_ex(md_ctx, &pctx,
  2497. md == NULL ? NULL : EVP_MD_get0_name(md),
  2498. sctx->libctx, sctx->propq, pkey,
  2499. NULL) <= 0) {
  2500. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2501. goto err;
  2502. }
  2503. if (lu->sig == EVP_PKEY_RSA_PSS) {
  2504. if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
  2505. || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
  2506. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2507. goto err;
  2508. }
  2509. }
  2510. tbslen = construct_key_exchange_tbs(s, &tbs,
  2511. s->init_buf->data + paramoffset,
  2512. paramlen);
  2513. if (tbslen == 0) {
  2514. /* SSLfatal() already called */
  2515. goto err;
  2516. }
  2517. if (EVP_DigestSign(md_ctx, NULL, &siglen, tbs, tbslen) <=0
  2518. || !WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
  2519. || EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen) <= 0
  2520. || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
  2521. || sigbytes1 != sigbytes2) {
  2522. OPENSSL_free(tbs);
  2523. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2524. goto err;
  2525. }
  2526. OPENSSL_free(tbs);
  2527. }
  2528. ret = CON_FUNC_SUCCESS;
  2529. err:
  2530. EVP_PKEY_free(pkdh);
  2531. OPENSSL_free(encodedPoint);
  2532. EVP_MD_CTX_free(md_ctx);
  2533. if (freer) {
  2534. BN_free(r[0]);
  2535. BN_free(r[1]);
  2536. BN_free(r[2]);
  2537. BN_free(r[3]);
  2538. }
  2539. return ret;
  2540. }
  2541. CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s,
  2542. WPACKET *pkt)
  2543. {
  2544. if (SSL_CONNECTION_IS_TLS13(s)) {
  2545. /* Send random context when doing post-handshake auth */
  2546. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  2547. OPENSSL_free(s->pha_context);
  2548. s->pha_context_len = 32;
  2549. if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) {
  2550. s->pha_context_len = 0;
  2551. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2552. return CON_FUNC_ERROR;
  2553. }
  2554. if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
  2555. s->pha_context, s->pha_context_len, 0) <= 0
  2556. || !WPACKET_sub_memcpy_u8(pkt, s->pha_context,
  2557. s->pha_context_len)) {
  2558. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2559. return CON_FUNC_ERROR;
  2560. }
  2561. /* reset the handshake hash back to just after the ClientFinished */
  2562. if (!tls13_restore_handshake_digest_for_pha(s)) {
  2563. /* SSLfatal() already called */
  2564. return CON_FUNC_ERROR;
  2565. }
  2566. } else {
  2567. if (!WPACKET_put_bytes_u8(pkt, 0)) {
  2568. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2569. return CON_FUNC_ERROR;
  2570. }
  2571. }
  2572. if (!tls_construct_extensions(s, pkt,
  2573. SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
  2574. 0)) {
  2575. /* SSLfatal() already called */
  2576. return CON_FUNC_ERROR;
  2577. }
  2578. goto done;
  2579. }
  2580. /* get the list of acceptable cert types */
  2581. if (!WPACKET_start_sub_packet_u8(pkt)
  2582. || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
  2583. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2584. return CON_FUNC_ERROR;
  2585. }
  2586. if (SSL_USE_SIGALGS(s)) {
  2587. const uint16_t *psigs;
  2588. size_t nl = tls12_get_psigalgs(s, 1, &psigs);
  2589. if (!WPACKET_start_sub_packet_u16(pkt)
  2590. || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
  2591. || !tls12_copy_sigalgs(s, pkt, psigs, nl)
  2592. || !WPACKET_close(pkt)) {
  2593. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2594. return CON_FUNC_ERROR;
  2595. }
  2596. }
  2597. if (!construct_ca_names(s, get_ca_names(s), pkt)) {
  2598. /* SSLfatal() already called */
  2599. return CON_FUNC_ERROR;
  2600. }
  2601. done:
  2602. s->certreqs_sent++;
  2603. s->s3.tmp.cert_request = 1;
  2604. return CON_FUNC_SUCCESS;
  2605. }
  2606. static int tls_process_cke_psk_preamble(SSL_CONNECTION *s, PACKET *pkt)
  2607. {
  2608. #ifndef OPENSSL_NO_PSK
  2609. unsigned char psk[PSK_MAX_PSK_LEN];
  2610. size_t psklen;
  2611. PACKET psk_identity;
  2612. if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
  2613. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2614. return 0;
  2615. }
  2616. if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
  2617. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DATA_LENGTH_TOO_LONG);
  2618. return 0;
  2619. }
  2620. if (s->psk_server_callback == NULL) {
  2621. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_SERVER_CB);
  2622. return 0;
  2623. }
  2624. if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
  2625. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2626. return 0;
  2627. }
  2628. psklen = s->psk_server_callback(SSL_CONNECTION_GET_SSL(s),
  2629. s->session->psk_identity,
  2630. psk, sizeof(psk));
  2631. if (psklen > PSK_MAX_PSK_LEN) {
  2632. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2633. return 0;
  2634. } else if (psklen == 0) {
  2635. /*
  2636. * PSK related to the given identity not found
  2637. */
  2638. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, SSL_R_PSK_IDENTITY_NOT_FOUND);
  2639. return 0;
  2640. }
  2641. OPENSSL_free(s->s3.tmp.psk);
  2642. s->s3.tmp.psk = OPENSSL_memdup(psk, psklen);
  2643. OPENSSL_cleanse(psk, psklen);
  2644. if (s->s3.tmp.psk == NULL) {
  2645. s->s3.tmp.psklen = 0;
  2646. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  2647. return 0;
  2648. }
  2649. s->s3.tmp.psklen = psklen;
  2650. return 1;
  2651. #else
  2652. /* Should never happen */
  2653. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2654. return 0;
  2655. #endif
  2656. }
  2657. static int tls_process_cke_rsa(SSL_CONNECTION *s, PACKET *pkt)
  2658. {
  2659. size_t outlen;
  2660. PACKET enc_premaster;
  2661. EVP_PKEY *rsa = NULL;
  2662. unsigned char *rsa_decrypt = NULL;
  2663. int ret = 0;
  2664. EVP_PKEY_CTX *ctx = NULL;
  2665. OSSL_PARAM params[3], *p = params;
  2666. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2667. rsa = s->cert->pkeys[SSL_PKEY_RSA].privatekey;
  2668. if (rsa == NULL) {
  2669. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_RSA_CERTIFICATE);
  2670. return 0;
  2671. }
  2672. /* SSLv3 and pre-standard DTLS omit the length bytes. */
  2673. if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
  2674. enc_premaster = *pkt;
  2675. } else {
  2676. if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
  2677. || PACKET_remaining(pkt) != 0) {
  2678. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2679. return 0;
  2680. }
  2681. }
  2682. outlen = SSL_MAX_MASTER_KEY_LENGTH;
  2683. rsa_decrypt = OPENSSL_malloc(outlen);
  2684. if (rsa_decrypt == NULL) {
  2685. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  2686. return 0;
  2687. }
  2688. ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, rsa, sctx->propq);
  2689. if (ctx == NULL) {
  2690. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2691. goto err;
  2692. }
  2693. /*
  2694. * We must not leak whether a decryption failure occurs because of
  2695. * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
  2696. * section 7.4.7.1). We use the special padding type
  2697. * RSA_PKCS1_WITH_TLS_PADDING to do that. It will automatically decrypt the
  2698. * RSA, check the padding and check that the client version is as expected
  2699. * in the premaster secret. If any of that fails then the function appears
  2700. * to return successfully but with a random result. The call below could
  2701. * still fail if the input is publicly invalid.
  2702. * See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
  2703. */
  2704. if (EVP_PKEY_decrypt_init(ctx) <= 0
  2705. || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_WITH_TLS_PADDING) <= 0) {
  2706. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED);
  2707. goto err;
  2708. }
  2709. *p++ = OSSL_PARAM_construct_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION,
  2710. (unsigned int *)&s->client_version);
  2711. if ((s->options & SSL_OP_TLS_ROLLBACK_BUG) != 0)
  2712. *p++ = OSSL_PARAM_construct_uint(
  2713. OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION,
  2714. (unsigned int *)&s->version);
  2715. *p++ = OSSL_PARAM_construct_end();
  2716. if (!EVP_PKEY_CTX_set_params(ctx, params)
  2717. || EVP_PKEY_decrypt(ctx, rsa_decrypt, &outlen,
  2718. PACKET_data(&enc_premaster),
  2719. PACKET_remaining(&enc_premaster)) <= 0) {
  2720. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED);
  2721. goto err;
  2722. }
  2723. /*
  2724. * This test should never fail (otherwise we should have failed above) but
  2725. * we double check anyway.
  2726. */
  2727. if (outlen != SSL_MAX_MASTER_KEY_LENGTH) {
  2728. OPENSSL_cleanse(rsa_decrypt, SSL_MAX_MASTER_KEY_LENGTH);
  2729. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED);
  2730. goto err;
  2731. }
  2732. /* Also cleanses rsa_decrypt (on success or failure) */
  2733. if (!ssl_generate_master_secret(s, rsa_decrypt, outlen, 0)) {
  2734. /* SSLfatal() already called */
  2735. goto err;
  2736. }
  2737. ret = 1;
  2738. err:
  2739. OPENSSL_free(rsa_decrypt);
  2740. EVP_PKEY_CTX_free(ctx);
  2741. return ret;
  2742. }
  2743. static int tls_process_cke_dhe(SSL_CONNECTION *s, PACKET *pkt)
  2744. {
  2745. EVP_PKEY *skey = NULL;
  2746. unsigned int i;
  2747. const unsigned char *data;
  2748. EVP_PKEY *ckey = NULL;
  2749. int ret = 0;
  2750. if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
  2751. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
  2752. goto err;
  2753. }
  2754. skey = s->s3.tmp.pkey;
  2755. if (skey == NULL) {
  2756. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY);
  2757. goto err;
  2758. }
  2759. if (PACKET_remaining(pkt) == 0L) {
  2760. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_MISSING_TMP_DH_KEY);
  2761. goto err;
  2762. }
  2763. if (!PACKET_get_bytes(pkt, &data, i)) {
  2764. /* We already checked we have enough data */
  2765. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2766. goto err;
  2767. }
  2768. ckey = EVP_PKEY_new();
  2769. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
  2770. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
  2771. goto err;
  2772. }
  2773. if (!EVP_PKEY_set1_encoded_public_key(ckey, data, i)) {
  2774. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2775. goto err;
  2776. }
  2777. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2778. /* SSLfatal() already called */
  2779. goto err;
  2780. }
  2781. ret = 1;
  2782. EVP_PKEY_free(s->s3.tmp.pkey);
  2783. s->s3.tmp.pkey = NULL;
  2784. err:
  2785. EVP_PKEY_free(ckey);
  2786. return ret;
  2787. }
  2788. static int tls_process_cke_ecdhe(SSL_CONNECTION *s, PACKET *pkt)
  2789. {
  2790. EVP_PKEY *skey = s->s3.tmp.pkey;
  2791. EVP_PKEY *ckey = NULL;
  2792. int ret = 0;
  2793. if (PACKET_remaining(pkt) == 0L) {
  2794. /* We don't support ECDH client auth */
  2795. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_TMP_ECDH_KEY);
  2796. goto err;
  2797. } else {
  2798. unsigned int i;
  2799. const unsigned char *data;
  2800. /*
  2801. * Get client's public key from encoded point in the
  2802. * ClientKeyExchange message.
  2803. */
  2804. /* Get encoded point length */
  2805. if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
  2806. || PACKET_remaining(pkt) != 0) {
  2807. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  2808. goto err;
  2809. }
  2810. if (skey == NULL) {
  2811. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_ECDH_KEY);
  2812. goto err;
  2813. }
  2814. ckey = EVP_PKEY_new();
  2815. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
  2816. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
  2817. goto err;
  2818. }
  2819. if (EVP_PKEY_set1_encoded_public_key(ckey, data, i) <= 0) {
  2820. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
  2821. goto err;
  2822. }
  2823. }
  2824. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2825. /* SSLfatal() already called */
  2826. goto err;
  2827. }
  2828. ret = 1;
  2829. EVP_PKEY_free(s->s3.tmp.pkey);
  2830. s->s3.tmp.pkey = NULL;
  2831. err:
  2832. EVP_PKEY_free(ckey);
  2833. return ret;
  2834. }
  2835. static int tls_process_cke_srp(SSL_CONNECTION *s, PACKET *pkt)
  2836. {
  2837. #ifndef OPENSSL_NO_SRP
  2838. unsigned int i;
  2839. const unsigned char *data;
  2840. if (!PACKET_get_net_2(pkt, &i)
  2841. || !PACKET_get_bytes(pkt, &data, i)) {
  2842. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRP_A_LENGTH);
  2843. return 0;
  2844. }
  2845. if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
  2846. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB);
  2847. return 0;
  2848. }
  2849. if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
  2850. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRP_PARAMETERS);
  2851. return 0;
  2852. }
  2853. OPENSSL_free(s->session->srp_username);
  2854. s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
  2855. if (s->session->srp_username == NULL) {
  2856. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  2857. return 0;
  2858. }
  2859. if (!srp_generate_server_master_secret(s)) {
  2860. /* SSLfatal() already called */
  2861. return 0;
  2862. }
  2863. return 1;
  2864. #else
  2865. /* Should never happen */
  2866. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2867. return 0;
  2868. #endif
  2869. }
  2870. static int tls_process_cke_gost(SSL_CONNECTION *s, PACKET *pkt)
  2871. {
  2872. #ifndef OPENSSL_NO_GOST
  2873. EVP_PKEY_CTX *pkey_ctx;
  2874. EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
  2875. unsigned char premaster_secret[32];
  2876. const unsigned char *start;
  2877. size_t outlen = sizeof(premaster_secret), inlen;
  2878. unsigned long alg_a;
  2879. GOST_KX_MESSAGE *pKX = NULL;
  2880. const unsigned char *ptr;
  2881. int ret = 0;
  2882. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2883. /* Get our certificate private key */
  2884. alg_a = s->s3.tmp.new_cipher->algorithm_auth;
  2885. if (alg_a & SSL_aGOST12) {
  2886. /*
  2887. * New GOST ciphersuites have SSL_aGOST01 bit too
  2888. */
  2889. pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
  2890. if (pk == NULL) {
  2891. pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
  2892. }
  2893. if (pk == NULL) {
  2894. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  2895. }
  2896. } else if (alg_a & SSL_aGOST01) {
  2897. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  2898. }
  2899. pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pk, sctx->propq);
  2900. if (pkey_ctx == NULL) {
  2901. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2902. return 0;
  2903. }
  2904. if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
  2905. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2906. return 0;
  2907. }
  2908. /*
  2909. * If client certificate is present and is of the same type, maybe
  2910. * use it for key exchange. Don't mind errors from
  2911. * EVP_PKEY_derive_set_peer, because it is completely valid to use a
  2912. * client certificate for authorization only.
  2913. */
  2914. client_pub_pkey = tls_get_peer_pkey(s);
  2915. if (client_pub_pkey) {
  2916. if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
  2917. ERR_clear_error();
  2918. }
  2919. ptr = PACKET_data(pkt);
  2920. /* Some implementations provide extra data in the opaqueBlob
  2921. * We have nothing to do with this blob so we just skip it */
  2922. pKX = d2i_GOST_KX_MESSAGE(NULL, &ptr, PACKET_remaining(pkt));
  2923. if (pKX == NULL
  2924. || pKX->kxBlob == NULL
  2925. || ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) {
  2926. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED);
  2927. goto err;
  2928. }
  2929. if (!PACKET_forward(pkt, ptr - PACKET_data(pkt))) {
  2930. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_DECRYPTION_FAILED);
  2931. goto err;
  2932. }
  2933. if (PACKET_remaining(pkt) != 0) {
  2934. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_DECRYPTION_FAILED);
  2935. goto err;
  2936. }
  2937. inlen = pKX->kxBlob->value.sequence->length;
  2938. start = pKX->kxBlob->value.sequence->data;
  2939. if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
  2940. inlen) <= 0) {
  2941. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED);
  2942. goto err;
  2943. }
  2944. /* Generate master secret */
  2945. if (!ssl_generate_master_secret(s, premaster_secret, outlen, 0)) {
  2946. /* SSLfatal() already called */
  2947. goto err;
  2948. }
  2949. /* Check if pubkey from client certificate was used */
  2950. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
  2951. NULL) > 0)
  2952. s->statem.no_cert_verify = 1;
  2953. ret = 1;
  2954. err:
  2955. EVP_PKEY_CTX_free(pkey_ctx);
  2956. GOST_KX_MESSAGE_free(pKX);
  2957. return ret;
  2958. #else
  2959. /* Should never happen */
  2960. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2961. return 0;
  2962. #endif
  2963. }
  2964. static int tls_process_cke_gost18(SSL_CONNECTION *s, PACKET *pkt)
  2965. {
  2966. #ifndef OPENSSL_NO_GOST
  2967. unsigned char rnd_dgst[32];
  2968. EVP_PKEY_CTX *pkey_ctx = NULL;
  2969. EVP_PKEY *pk = NULL;
  2970. unsigned char premaster_secret[32];
  2971. const unsigned char *start = NULL;
  2972. size_t outlen = sizeof(premaster_secret), inlen = 0;
  2973. int ret = 0;
  2974. int cipher_nid = ossl_gost18_cke_cipher_nid(s);
  2975. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  2976. if (cipher_nid == NID_undef) {
  2977. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2978. return 0;
  2979. }
  2980. if (ossl_gost_ukm(s, rnd_dgst) <= 0) {
  2981. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2982. goto err;
  2983. }
  2984. /* Get our certificate private key */
  2985. pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey != NULL ?
  2986. s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey :
  2987. s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
  2988. if (pk == NULL) {
  2989. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE);
  2990. goto err;
  2991. }
  2992. pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pk, sctx->propq);
  2993. if (pkey_ctx == NULL) {
  2994. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  2995. goto err;
  2996. }
  2997. if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
  2998. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  2999. goto err;
  3000. }
  3001. /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code depending on size */
  3002. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
  3003. EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) {
  3004. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  3005. goto err;
  3006. }
  3007. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT,
  3008. EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) <= 0) {
  3009. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
  3010. goto err;
  3011. }
  3012. inlen = PACKET_remaining(pkt);
  3013. start = PACKET_data(pkt);
  3014. if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
  3015. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED);
  3016. goto err;
  3017. }
  3018. /* Generate master secret */
  3019. if (!ssl_generate_master_secret(s, premaster_secret, outlen, 0)) {
  3020. /* SSLfatal() already called */
  3021. goto err;
  3022. }
  3023. ret = 1;
  3024. err:
  3025. EVP_PKEY_CTX_free(pkey_ctx);
  3026. return ret;
  3027. #else
  3028. /* Should never happen */
  3029. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3030. return 0;
  3031. #endif
  3032. }
  3033. MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL_CONNECTION *s,
  3034. PACKET *pkt)
  3035. {
  3036. unsigned long alg_k;
  3037. alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  3038. /* For PSK parse and retrieve identity, obtain PSK key */
  3039. if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) {
  3040. /* SSLfatal() already called */
  3041. goto err;
  3042. }
  3043. if (alg_k & SSL_kPSK) {
  3044. /* Identity extracted earlier: should be nothing left */
  3045. if (PACKET_remaining(pkt) != 0) {
  3046. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3047. goto err;
  3048. }
  3049. /* PSK handled by ssl_generate_master_secret */
  3050. if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
  3051. /* SSLfatal() already called */
  3052. goto err;
  3053. }
  3054. } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
  3055. if (!tls_process_cke_rsa(s, pkt)) {
  3056. /* SSLfatal() already called */
  3057. goto err;
  3058. }
  3059. } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
  3060. if (!tls_process_cke_dhe(s, pkt)) {
  3061. /* SSLfatal() already called */
  3062. goto err;
  3063. }
  3064. } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
  3065. if (!tls_process_cke_ecdhe(s, pkt)) {
  3066. /* SSLfatal() already called */
  3067. goto err;
  3068. }
  3069. } else if (alg_k & SSL_kSRP) {
  3070. if (!tls_process_cke_srp(s, pkt)) {
  3071. /* SSLfatal() already called */
  3072. goto err;
  3073. }
  3074. } else if (alg_k & SSL_kGOST) {
  3075. if (!tls_process_cke_gost(s, pkt)) {
  3076. /* SSLfatal() already called */
  3077. goto err;
  3078. }
  3079. } else if (alg_k & SSL_kGOST18) {
  3080. if (!tls_process_cke_gost18(s, pkt)) {
  3081. /* SSLfatal() already called */
  3082. goto err;
  3083. }
  3084. } else {
  3085. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
  3086. goto err;
  3087. }
  3088. return MSG_PROCESS_CONTINUE_PROCESSING;
  3089. err:
  3090. #ifndef OPENSSL_NO_PSK
  3091. OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen);
  3092. s->s3.tmp.psk = NULL;
  3093. s->s3.tmp.psklen = 0;
  3094. #endif
  3095. return MSG_PROCESS_ERROR;
  3096. }
  3097. WORK_STATE tls_post_process_client_key_exchange(SSL_CONNECTION *s,
  3098. WORK_STATE wst)
  3099. {
  3100. #ifndef OPENSSL_NO_SCTP
  3101. if (wst == WORK_MORE_A) {
  3102. if (SSL_CONNECTION_IS_DTLS(s)) {
  3103. unsigned char sctpauthkey[64];
  3104. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  3105. size_t labellen;
  3106. /*
  3107. * Add new shared key for SCTP-Auth, will be ignored if no SCTP
  3108. * used.
  3109. */
  3110. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  3111. sizeof(DTLS1_SCTP_AUTH_LABEL));
  3112. /* Don't include the terminating zero. */
  3113. labellen = sizeof(labelbuffer) - 1;
  3114. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  3115. labellen += 1;
  3116. if (SSL_export_keying_material(SSL_CONNECTION_GET_SSL(s),
  3117. sctpauthkey,
  3118. sizeof(sctpauthkey), labelbuffer,
  3119. labellen, NULL, 0,
  3120. 0) <= 0) {
  3121. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3122. return WORK_ERROR;
  3123. }
  3124. BIO_ctrl(s->wbio, BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  3125. sizeof(sctpauthkey), sctpauthkey);
  3126. }
  3127. }
  3128. #endif
  3129. if (s->statem.no_cert_verify || !received_client_cert(s)) {
  3130. /*
  3131. * No certificate verify or no peer certificate so we no longer need
  3132. * the handshake_buffer
  3133. */
  3134. if (!ssl3_digest_cached_records(s, 0)) {
  3135. /* SSLfatal() already called */
  3136. return WORK_ERROR;
  3137. }
  3138. return WORK_FINISHED_CONTINUE;
  3139. } else {
  3140. if (!s->s3.handshake_buffer) {
  3141. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3142. return WORK_ERROR;
  3143. }
  3144. /*
  3145. * For sigalgs freeze the handshake buffer. If we support
  3146. * extms we've done this already so this is a no-op
  3147. */
  3148. if (!ssl3_digest_cached_records(s, 1)) {
  3149. /* SSLfatal() already called */
  3150. return WORK_ERROR;
  3151. }
  3152. }
  3153. return WORK_FINISHED_CONTINUE;
  3154. }
  3155. MSG_PROCESS_RETURN tls_process_client_rpk(SSL_CONNECTION *sc, PACKET *pkt)
  3156. {
  3157. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  3158. SSL_SESSION *new_sess = NULL;
  3159. EVP_PKEY *peer_rpk = NULL;
  3160. if (!tls_process_rpk(sc, pkt, &peer_rpk)) {
  3161. /* SSLfatal already called */
  3162. goto err;
  3163. }
  3164. if (peer_rpk == NULL) {
  3165. if ((sc->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
  3166. && (sc->verify_mode & SSL_VERIFY_PEER)) {
  3167. SSLfatal(sc, SSL_AD_CERTIFICATE_REQUIRED,
  3168. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  3169. goto err;
  3170. }
  3171. } else {
  3172. if (ssl_verify_rpk(sc, peer_rpk) <= 0) {
  3173. SSLfatal(sc, ssl_x509err2alert(sc->verify_result),
  3174. SSL_R_CERTIFICATE_VERIFY_FAILED);
  3175. goto err;
  3176. }
  3177. }
  3178. /*
  3179. * Sessions must be immutable once they go into the session cache. Otherwise
  3180. * we can get multi-thread problems. Therefore we don't "update" sessions,
  3181. * we replace them with a duplicate. Here, we need to do this every time
  3182. * a new RPK (or certificate) is received via post-handshake authentication,
  3183. * as the session may have already gone into the session cache.
  3184. */
  3185. if (sc->post_handshake_auth == SSL_PHA_REQUESTED) {
  3186. if ((new_sess = ssl_session_dup(sc->session, 0)) == NULL) {
  3187. SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  3188. goto err;
  3189. }
  3190. SSL_SESSION_free(sc->session);
  3191. sc->session = new_sess;
  3192. }
  3193. /* Ensure there is no peer/peer_chain */
  3194. X509_free(sc->session->peer);
  3195. sc->session->peer = NULL;
  3196. sk_X509_pop_free(sc->session->peer_chain, X509_free);
  3197. sc->session->peer_chain = NULL;
  3198. /* Save RPK */
  3199. EVP_PKEY_free(sc->session->peer_rpk);
  3200. sc->session->peer_rpk = peer_rpk;
  3201. peer_rpk = NULL;
  3202. sc->session->verify_result = sc->verify_result;
  3203. /*
  3204. * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
  3205. * message
  3206. */
  3207. if (SSL_CONNECTION_IS_TLS13(sc)) {
  3208. if (!ssl3_digest_cached_records(sc, 1)) {
  3209. /* SSLfatal() already called */
  3210. goto err;
  3211. }
  3212. /* Save the current hash state for when we receive the CertificateVerify */
  3213. if (!ssl_handshake_hash(sc, sc->cert_verify_hash,
  3214. sizeof(sc->cert_verify_hash),
  3215. &sc->cert_verify_hash_len)) {
  3216. /* SSLfatal() already called */;
  3217. goto err;
  3218. }
  3219. /* resend session tickets */
  3220. sc->sent_tickets = 0;
  3221. }
  3222. ret = MSG_PROCESS_CONTINUE_READING;
  3223. err:
  3224. EVP_PKEY_free(peer_rpk);
  3225. return ret;
  3226. }
  3227. MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s,
  3228. PACKET *pkt)
  3229. {
  3230. int i;
  3231. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  3232. X509 *x = NULL;
  3233. unsigned long l;
  3234. const unsigned char *certstart, *certbytes;
  3235. STACK_OF(X509) *sk = NULL;
  3236. PACKET spkt, context;
  3237. size_t chainidx;
  3238. SSL_SESSION *new_sess = NULL;
  3239. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  3240. /*
  3241. * To get this far we must have read encrypted data from the client. We no
  3242. * longer tolerate unencrypted alerts. This is ignored if less than TLSv1.3
  3243. */
  3244. if (s->rlayer.rrlmethod->set_plain_alerts != NULL)
  3245. s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0);
  3246. if (s->ext.client_cert_type == TLSEXT_cert_type_rpk)
  3247. return tls_process_client_rpk(s, pkt);
  3248. if (s->ext.client_cert_type != TLSEXT_cert_type_x509) {
  3249. SSLfatal(s, SSL_AD_UNSUPPORTED_CERTIFICATE,
  3250. SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  3251. goto err;
  3252. }
  3253. if ((sk = sk_X509_new_null()) == NULL) {
  3254. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  3255. goto err;
  3256. }
  3257. if (SSL_CONNECTION_IS_TLS13(s)
  3258. && (!PACKET_get_length_prefixed_1(pkt, &context)
  3259. || (s->pha_context == NULL && PACKET_remaining(&context) != 0)
  3260. || (s->pha_context != NULL
  3261. && !PACKET_equal(&context, s->pha_context,
  3262. s->pha_context_len)))) {
  3263. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
  3264. goto err;
  3265. }
  3266. if (!PACKET_get_length_prefixed_3(pkt, &spkt)
  3267. || PACKET_remaining(pkt) != 0) {
  3268. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3269. goto err;
  3270. }
  3271. for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
  3272. if (!PACKET_get_net_3(&spkt, &l)
  3273. || !PACKET_get_bytes(&spkt, &certbytes, l)) {
  3274. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
  3275. goto err;
  3276. }
  3277. certstart = certbytes;
  3278. x = X509_new_ex(sctx->libctx, sctx->propq);
  3279. if (x == NULL) {
  3280. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_X509_LIB);
  3281. goto err;
  3282. }
  3283. if (d2i_X509(&x, (const unsigned char **)&certbytes, l) == NULL) {
  3284. SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
  3285. goto err;
  3286. }
  3287. if (certbytes != (certstart + l)) {
  3288. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
  3289. goto err;
  3290. }
  3291. if (SSL_CONNECTION_IS_TLS13(s)) {
  3292. RAW_EXTENSION *rawexts = NULL;
  3293. PACKET extensions;
  3294. if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
  3295. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
  3296. goto err;
  3297. }
  3298. if (!tls_collect_extensions(s, &extensions,
  3299. SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
  3300. NULL, chainidx == 0)
  3301. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
  3302. rawexts, x, chainidx,
  3303. PACKET_remaining(&spkt) == 0)) {
  3304. OPENSSL_free(rawexts);
  3305. goto err;
  3306. }
  3307. OPENSSL_free(rawexts);
  3308. }
  3309. if (!sk_X509_push(sk, x)) {
  3310. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  3311. goto err;
  3312. }
  3313. x = NULL;
  3314. }
  3315. if (sk_X509_num(sk) <= 0) {
  3316. /* TLS does not mind 0 certs returned */
  3317. if (s->version == SSL3_VERSION) {
  3318. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3319. SSL_R_NO_CERTIFICATES_RETURNED);
  3320. goto err;
  3321. }
  3322. /* Fail for TLS only if we required a certificate */
  3323. else if ((s->verify_mode & SSL_VERIFY_PEER) &&
  3324. (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  3325. SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED,
  3326. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  3327. goto err;
  3328. }
  3329. /* No client certificate so digest cached records */
  3330. if (s->s3.handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
  3331. /* SSLfatal() already called */
  3332. goto err;
  3333. }
  3334. } else {
  3335. EVP_PKEY *pkey;
  3336. i = ssl_verify_cert_chain(s, sk);
  3337. if (i <= 0) {
  3338. SSLfatal(s, ssl_x509err2alert(s->verify_result),
  3339. SSL_R_CERTIFICATE_VERIFY_FAILED);
  3340. goto err;
  3341. }
  3342. pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
  3343. if (pkey == NULL) {
  3344. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3345. SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  3346. goto err;
  3347. }
  3348. }
  3349. /*
  3350. * Sessions must be immutable once they go into the session cache. Otherwise
  3351. * we can get multi-thread problems. Therefore we don't "update" sessions,
  3352. * we replace them with a duplicate. Here, we need to do this every time
  3353. * a new certificate is received via post-handshake authentication, as the
  3354. * session may have already gone into the session cache.
  3355. */
  3356. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  3357. if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
  3358. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
  3359. goto err;
  3360. }
  3361. SSL_SESSION_free(s->session);
  3362. s->session = new_sess;
  3363. }
  3364. X509_free(s->session->peer);
  3365. s->session->peer = sk_X509_shift(sk);
  3366. s->session->verify_result = s->verify_result;
  3367. OSSL_STACK_OF_X509_free(s->session->peer_chain);
  3368. s->session->peer_chain = sk;
  3369. sk = NULL;
  3370. /* Ensure there is no RPK */
  3371. EVP_PKEY_free(s->session->peer_rpk);
  3372. s->session->peer_rpk = NULL;
  3373. /*
  3374. * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
  3375. * message
  3376. */
  3377. if (SSL_CONNECTION_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
  3378. /* SSLfatal() already called */
  3379. goto err;
  3380. }
  3381. /*
  3382. * Inconsistency alert: cert_chain does *not* include the peer's own
  3383. * certificate, while we do include it in statem_clnt.c
  3384. */
  3385. /* Save the current hash state for when we receive the CertificateVerify */
  3386. if (SSL_CONNECTION_IS_TLS13(s)) {
  3387. if (!ssl_handshake_hash(s, s->cert_verify_hash,
  3388. sizeof(s->cert_verify_hash),
  3389. &s->cert_verify_hash_len)) {
  3390. /* SSLfatal() already called */
  3391. goto err;
  3392. }
  3393. /* Resend session tickets */
  3394. s->sent_tickets = 0;
  3395. }
  3396. ret = MSG_PROCESS_CONTINUE_READING;
  3397. err:
  3398. X509_free(x);
  3399. OSSL_STACK_OF_X509_free(sk);
  3400. return ret;
  3401. }
  3402. #ifndef OPENSSL_NO_COMP_ALG
  3403. MSG_PROCESS_RETURN tls_process_client_compressed_certificate(SSL_CONNECTION *sc, PACKET *pkt)
  3404. {
  3405. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  3406. PACKET tmppkt;
  3407. BUF_MEM *buf = BUF_MEM_new();
  3408. if (tls13_process_compressed_certificate(sc, pkt, &tmppkt, buf) != MSG_PROCESS_ERROR)
  3409. ret = tls_process_client_certificate(sc, &tmppkt);
  3410. BUF_MEM_free(buf);
  3411. return ret;
  3412. }
  3413. #endif
  3414. CON_FUNC_RETURN tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt)
  3415. {
  3416. CERT_PKEY *cpk = s->s3.tmp.cert;
  3417. if (cpk == NULL) {
  3418. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3419. return CON_FUNC_ERROR;
  3420. }
  3421. /*
  3422. * In TLSv1.3 the certificate chain is always preceded by a 0 length context
  3423. * for the server Certificate message
  3424. */
  3425. if (SSL_CONNECTION_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
  3426. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3427. return CON_FUNC_ERROR;
  3428. }
  3429. switch (s->ext.server_cert_type) {
  3430. case TLSEXT_cert_type_rpk:
  3431. if (!tls_output_rpk(s, pkt, cpk)) {
  3432. /* SSLfatal() already called */
  3433. return 0;
  3434. }
  3435. break;
  3436. case TLSEXT_cert_type_x509:
  3437. if (!ssl3_output_cert_chain(s, pkt, cpk, 0)) {
  3438. /* SSLfatal() already called */
  3439. return 0;
  3440. }
  3441. break;
  3442. default:
  3443. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3444. return 0;
  3445. }
  3446. return CON_FUNC_SUCCESS;
  3447. }
  3448. #ifndef OPENSSL_NO_COMP_ALG
  3449. CON_FUNC_RETURN tls_construct_server_compressed_certificate(SSL_CONNECTION *sc, WPACKET *pkt)
  3450. {
  3451. int alg = get_compressed_certificate_alg(sc);
  3452. OSSL_COMP_CERT *cc = sc->s3.tmp.cert->comp_cert[alg];
  3453. if (!ossl_assert(cc != NULL)) {
  3454. SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3455. return 0;
  3456. }
  3457. /*
  3458. * Server can't compress on-demand
  3459. * Use pre-compressed certificate
  3460. */
  3461. if (!WPACKET_put_bytes_u16(pkt, alg)
  3462. || !WPACKET_put_bytes_u24(pkt, cc->orig_len)
  3463. || !WPACKET_start_sub_packet_u24(pkt)
  3464. || !WPACKET_memcpy(pkt, cc->data, cc->len)
  3465. || !WPACKET_close(pkt))
  3466. return 0;
  3467. sc->s3.tmp.cert->cert_comp_used++;
  3468. return 1;
  3469. }
  3470. #endif
  3471. static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt,
  3472. uint32_t age_add, unsigned char *tick_nonce)
  3473. {
  3474. uint32_t timeout = (uint32_t)ossl_time2seconds(s->session->timeout);
  3475. /*
  3476. * Ticket lifetime hint:
  3477. * In TLSv1.3 we reset the "time" field above, and always specify the
  3478. * timeout, limited to a 1 week period per RFC8446.
  3479. * For TLSv1.2 this is advisory only and we leave this unspecified for
  3480. * resumed session (for simplicity).
  3481. */
  3482. #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
  3483. if (SSL_CONNECTION_IS_TLS13(s)) {
  3484. if (ossl_time_compare(s->session->timeout,
  3485. ossl_seconds2time(ONE_WEEK_SEC)) > 0)
  3486. timeout = ONE_WEEK_SEC;
  3487. } else if (s->hit)
  3488. timeout = 0;
  3489. if (!WPACKET_put_bytes_u32(pkt, timeout)) {
  3490. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3491. return 0;
  3492. }
  3493. if (SSL_CONNECTION_IS_TLS13(s)) {
  3494. if (!WPACKET_put_bytes_u32(pkt, age_add)
  3495. || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) {
  3496. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3497. return 0;
  3498. }
  3499. }
  3500. /* Start the sub-packet for the actual ticket data */
  3501. if (!WPACKET_start_sub_packet_u16(pkt)) {
  3502. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3503. return 0;
  3504. }
  3505. return 1;
  3506. }
  3507. static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s,
  3508. WPACKET *pkt,
  3509. uint32_t age_add,
  3510. unsigned char *tick_nonce)
  3511. {
  3512. unsigned char *senc = NULL;
  3513. EVP_CIPHER_CTX *ctx = NULL;
  3514. SSL_HMAC *hctx = NULL;
  3515. unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
  3516. const unsigned char *const_p;
  3517. int len, slen_full, slen, lenfinal;
  3518. SSL_SESSION *sess;
  3519. size_t hlen;
  3520. SSL_CTX *tctx = s->session_ctx;
  3521. unsigned char iv[EVP_MAX_IV_LENGTH];
  3522. unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
  3523. int iv_len;
  3524. CON_FUNC_RETURN ok = CON_FUNC_ERROR;
  3525. size_t macoffset, macendoffset;
  3526. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  3527. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  3528. /* get session encoding length */
  3529. slen_full = i2d_SSL_SESSION(s->session, NULL);
  3530. /*
  3531. * Some length values are 16 bits, so forget it if session is too
  3532. * long
  3533. */
  3534. if (slen_full == 0 || slen_full > 0xFF00) {
  3535. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3536. goto err;
  3537. }
  3538. senc = OPENSSL_malloc(slen_full);
  3539. if (senc == NULL) {
  3540. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  3541. goto err;
  3542. }
  3543. ctx = EVP_CIPHER_CTX_new();
  3544. if (ctx == NULL) {
  3545. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  3546. goto err;
  3547. }
  3548. hctx = ssl_hmac_new(tctx);
  3549. if (hctx == NULL) {
  3550. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
  3551. goto err;
  3552. }
  3553. p = senc;
  3554. if (!i2d_SSL_SESSION(s->session, &p)) {
  3555. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3556. goto err;
  3557. }
  3558. /*
  3559. * create a fresh copy (not shared with other threads) to clean up
  3560. */
  3561. const_p = senc;
  3562. sess = d2i_SSL_SESSION_ex(NULL, &const_p, slen_full, sctx->libctx,
  3563. sctx->propq);
  3564. if (sess == NULL) {
  3565. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3566. goto err;
  3567. }
  3568. slen = i2d_SSL_SESSION(sess, NULL);
  3569. if (slen == 0 || slen > slen_full) {
  3570. /* shouldn't ever happen */
  3571. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3572. SSL_SESSION_free(sess);
  3573. goto err;
  3574. }
  3575. p = senc;
  3576. if (!i2d_SSL_SESSION(sess, &p)) {
  3577. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3578. SSL_SESSION_free(sess);
  3579. goto err;
  3580. }
  3581. SSL_SESSION_free(sess);
  3582. /*
  3583. * Initialize HMAC and cipher contexts. If callback present it does
  3584. * all the work otherwise use generated values from parent ctx.
  3585. */
  3586. #ifndef OPENSSL_NO_DEPRECATED_3_0
  3587. if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL)
  3588. #else
  3589. if (tctx->ext.ticket_key_evp_cb != NULL)
  3590. #endif
  3591. {
  3592. int ret = 0;
  3593. if (tctx->ext.ticket_key_evp_cb != NULL)
  3594. ret = tctx->ext.ticket_key_evp_cb(ssl, key_name, iv, ctx,
  3595. ssl_hmac_get0_EVP_MAC_CTX(hctx),
  3596. 1);
  3597. #ifndef OPENSSL_NO_DEPRECATED_3_0
  3598. else if (tctx->ext.ticket_key_cb != NULL)
  3599. /* if 0 is returned, write an empty ticket */
  3600. ret = tctx->ext.ticket_key_cb(ssl, key_name, iv, ctx,
  3601. ssl_hmac_get0_HMAC_CTX(hctx), 1);
  3602. #endif
  3603. if (ret == 0) {
  3604. /*
  3605. * In TLSv1.2 we construct a 0 length ticket. In TLSv1.3 a 0
  3606. * length ticket is not allowed so we abort construction of the
  3607. * ticket
  3608. */
  3609. if (SSL_CONNECTION_IS_TLS13(s)) {
  3610. ok = CON_FUNC_DONT_SEND;
  3611. goto err;
  3612. }
  3613. /* Put timeout and length */
  3614. if (!WPACKET_put_bytes_u32(pkt, 0)
  3615. || !WPACKET_put_bytes_u16(pkt, 0)) {
  3616. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3617. goto err;
  3618. }
  3619. OPENSSL_free(senc);
  3620. EVP_CIPHER_CTX_free(ctx);
  3621. ssl_hmac_free(hctx);
  3622. return CON_FUNC_SUCCESS;
  3623. }
  3624. if (ret < 0) {
  3625. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
  3626. goto err;
  3627. }
  3628. iv_len = EVP_CIPHER_CTX_get_iv_length(ctx);
  3629. if (iv_len < 0) {
  3630. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3631. goto err;
  3632. }
  3633. } else {
  3634. EVP_CIPHER *cipher = EVP_CIPHER_fetch(sctx->libctx, "AES-256-CBC",
  3635. sctx->propq);
  3636. if (cipher == NULL) {
  3637. /* Error is already recorded */
  3638. SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
  3639. goto err;
  3640. }
  3641. iv_len = EVP_CIPHER_get_iv_length(cipher);
  3642. if (iv_len < 0
  3643. || RAND_bytes_ex(sctx->libctx, iv, iv_len, 0) <= 0
  3644. || !EVP_EncryptInit_ex(ctx, cipher, NULL,
  3645. tctx->ext.secure->tick_aes_key, iv)
  3646. || !ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key,
  3647. sizeof(tctx->ext.secure->tick_hmac_key),
  3648. "SHA256")) {
  3649. EVP_CIPHER_free(cipher);
  3650. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3651. goto err;
  3652. }
  3653. EVP_CIPHER_free(cipher);
  3654. memcpy(key_name, tctx->ext.tick_key_name,
  3655. sizeof(tctx->ext.tick_key_name));
  3656. }
  3657. if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
  3658. /* SSLfatal() already called */
  3659. goto err;
  3660. }
  3661. if (!WPACKET_get_total_written(pkt, &macoffset)
  3662. /* Output key name */
  3663. || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
  3664. /* output IV */
  3665. || !WPACKET_memcpy(pkt, iv, iv_len)
  3666. || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
  3667. &encdata1)
  3668. /* Encrypt session data */
  3669. || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
  3670. || !WPACKET_allocate_bytes(pkt, len, &encdata2)
  3671. || encdata1 != encdata2
  3672. || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
  3673. || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
  3674. || encdata1 + len != encdata2
  3675. || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
  3676. || !WPACKET_get_total_written(pkt, &macendoffset)
  3677. || !ssl_hmac_update(hctx,
  3678. (unsigned char *)s->init_buf->data + macoffset,
  3679. macendoffset - macoffset)
  3680. || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
  3681. || !ssl_hmac_final(hctx, macdata1, &hlen, EVP_MAX_MD_SIZE)
  3682. || hlen > EVP_MAX_MD_SIZE
  3683. || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
  3684. || macdata1 != macdata2) {
  3685. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3686. goto err;
  3687. }
  3688. /* Close the sub-packet created by create_ticket_prequel() */
  3689. if (!WPACKET_close(pkt)) {
  3690. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3691. goto err;
  3692. }
  3693. ok = CON_FUNC_SUCCESS;
  3694. err:
  3695. OPENSSL_free(senc);
  3696. EVP_CIPHER_CTX_free(ctx);
  3697. ssl_hmac_free(hctx);
  3698. return ok;
  3699. }
  3700. static int construct_stateful_ticket(SSL_CONNECTION *s, WPACKET *pkt,
  3701. uint32_t age_add,
  3702. unsigned char *tick_nonce)
  3703. {
  3704. if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
  3705. /* SSLfatal() already called */
  3706. return 0;
  3707. }
  3708. if (!WPACKET_memcpy(pkt, s->session->session_id,
  3709. s->session->session_id_length)
  3710. || !WPACKET_close(pkt)) {
  3711. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3712. return 0;
  3713. }
  3714. return 1;
  3715. }
  3716. static void tls_update_ticket_counts(SSL_CONNECTION *s)
  3717. {
  3718. /*
  3719. * Increment both |sent_tickets| and |next_ticket_nonce|. |sent_tickets|
  3720. * gets reset to 0 if we send more tickets following a post-handshake
  3721. * auth, but |next_ticket_nonce| does not. If we're sending extra
  3722. * tickets, decrement the count of pending extra tickets.
  3723. */
  3724. s->sent_tickets++;
  3725. s->next_ticket_nonce++;
  3726. if (s->ext.extra_tickets_expected > 0)
  3727. s->ext.extra_tickets_expected--;
  3728. }
  3729. CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt)
  3730. {
  3731. SSL_CTX *tctx = s->session_ctx;
  3732. unsigned char tick_nonce[TICKET_NONCE_SIZE];
  3733. union {
  3734. unsigned char age_add_c[sizeof(uint32_t)];
  3735. uint32_t age_add;
  3736. } age_add_u;
  3737. CON_FUNC_RETURN ret = CON_FUNC_ERROR;
  3738. age_add_u.age_add = 0;
  3739. if (SSL_CONNECTION_IS_TLS13(s)) {
  3740. size_t i, hashlen;
  3741. uint64_t nonce;
  3742. static const unsigned char nonce_label[] = "resumption";
  3743. const EVP_MD *md = ssl_handshake_md(s);
  3744. int hashleni = EVP_MD_get_size(md);
  3745. /* Ensure cast to size_t is safe */
  3746. if (!ossl_assert(hashleni >= 0)) {
  3747. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3748. goto err;
  3749. }
  3750. hashlen = (size_t)hashleni;
  3751. /*
  3752. * If we already sent one NewSessionTicket, or we resumed then
  3753. * s->session may already be in a cache and so we must not modify it.
  3754. * Instead we need to take a copy of it and modify that.
  3755. */
  3756. if (s->sent_tickets != 0 || s->hit) {
  3757. SSL_SESSION *new_sess = ssl_session_dup(s->session, 0);
  3758. if (new_sess == NULL) {
  3759. /* SSLfatal already called */
  3760. goto err;
  3761. }
  3762. SSL_SESSION_free(s->session);
  3763. s->session = new_sess;
  3764. }
  3765. if (!ssl_generate_session_id(s, s->session)) {
  3766. /* SSLfatal() already called */
  3767. goto err;
  3768. }
  3769. if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
  3770. age_add_u.age_add_c, sizeof(age_add_u), 0) <= 0) {
  3771. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3772. goto err;
  3773. }
  3774. s->session->ext.tick_age_add = age_add_u.age_add;
  3775. nonce = s->next_ticket_nonce;
  3776. for (i = TICKET_NONCE_SIZE; i > 0; i--) {
  3777. tick_nonce[i - 1] = (unsigned char)(nonce & 0xff);
  3778. nonce >>= 8;
  3779. }
  3780. if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
  3781. nonce_label,
  3782. sizeof(nonce_label) - 1,
  3783. tick_nonce,
  3784. TICKET_NONCE_SIZE,
  3785. s->session->master_key,
  3786. hashlen, 1)) {
  3787. /* SSLfatal() already called */
  3788. goto err;
  3789. }
  3790. s->session->master_key_length = hashlen;
  3791. s->session->time = ossl_time_now();
  3792. ssl_session_calculate_timeout(s->session);
  3793. if (s->s3.alpn_selected != NULL) {
  3794. OPENSSL_free(s->session->ext.alpn_selected);
  3795. s->session->ext.alpn_selected =
  3796. OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
  3797. if (s->session->ext.alpn_selected == NULL) {
  3798. s->session->ext.alpn_selected_len = 0;
  3799. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  3800. goto err;
  3801. }
  3802. s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
  3803. }
  3804. s->session->ext.max_early_data = s->max_early_data;
  3805. }
  3806. if (tctx->generate_ticket_cb != NULL &&
  3807. tctx->generate_ticket_cb(SSL_CONNECTION_GET_SSL(s),
  3808. tctx->ticket_cb_data) == 0) {
  3809. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3810. goto err;
  3811. }
  3812. /*
  3813. * If we are using anti-replay protection then we behave as if
  3814. * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
  3815. * is no point in using full stateless tickets.
  3816. */
  3817. if (SSL_CONNECTION_IS_TLS13(s)
  3818. && ((s->options & SSL_OP_NO_TICKET) != 0
  3819. || (s->max_early_data > 0
  3820. && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) {
  3821. if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) {
  3822. /* SSLfatal() already called */
  3823. goto err;
  3824. }
  3825. } else {
  3826. CON_FUNC_RETURN tmpret;
  3827. tmpret = construct_stateless_ticket(s, pkt, age_add_u.age_add,
  3828. tick_nonce);
  3829. if (tmpret != CON_FUNC_SUCCESS) {
  3830. if (tmpret == CON_FUNC_DONT_SEND) {
  3831. /* Non-fatal. Abort construction but continue */
  3832. ret = CON_FUNC_DONT_SEND;
  3833. /* We count this as a success so update the counts anwyay */
  3834. tls_update_ticket_counts(s);
  3835. }
  3836. /* else SSLfatal() already called */
  3837. goto err;
  3838. }
  3839. }
  3840. if (SSL_CONNECTION_IS_TLS13(s)) {
  3841. if (!tls_construct_extensions(s, pkt,
  3842. SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
  3843. NULL, 0)) {
  3844. /* SSLfatal() already called */
  3845. goto err;
  3846. }
  3847. tls_update_ticket_counts(s);
  3848. ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
  3849. }
  3850. ret = CON_FUNC_SUCCESS;
  3851. err:
  3852. return ret;
  3853. }
  3854. /*
  3855. * In TLSv1.3 this is called from the extensions code, otherwise it is used to
  3856. * create a separate message. Returns 1 on success or 0 on failure.
  3857. */
  3858. int tls_construct_cert_status_body(SSL_CONNECTION *s, WPACKET *pkt)
  3859. {
  3860. if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
  3861. || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
  3862. s->ext.ocsp.resp_len)) {
  3863. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3864. return 0;
  3865. }
  3866. return 1;
  3867. }
  3868. CON_FUNC_RETURN tls_construct_cert_status(SSL_CONNECTION *s, WPACKET *pkt)
  3869. {
  3870. if (!tls_construct_cert_status_body(s, pkt)) {
  3871. /* SSLfatal() already called */
  3872. return CON_FUNC_ERROR;
  3873. }
  3874. return CON_FUNC_SUCCESS;
  3875. }
  3876. #ifndef OPENSSL_NO_NEXTPROTONEG
  3877. /*
  3878. * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
  3879. * It sets the next_proto member in s if found
  3880. */
  3881. MSG_PROCESS_RETURN tls_process_next_proto(SSL_CONNECTION *s, PACKET *pkt)
  3882. {
  3883. PACKET next_proto, padding;
  3884. size_t next_proto_len;
  3885. /*-
  3886. * The payload looks like:
  3887. * uint8 proto_len;
  3888. * uint8 proto[proto_len];
  3889. * uint8 padding_len;
  3890. * uint8 padding[padding_len];
  3891. */
  3892. if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
  3893. || !PACKET_get_length_prefixed_1(pkt, &padding)
  3894. || PACKET_remaining(pkt) > 0) {
  3895. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3896. return MSG_PROCESS_ERROR;
  3897. }
  3898. if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
  3899. s->ext.npn_len = 0;
  3900. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3901. return MSG_PROCESS_ERROR;
  3902. }
  3903. s->ext.npn_len = (unsigned char)next_proto_len;
  3904. return MSG_PROCESS_CONTINUE_READING;
  3905. }
  3906. #endif
  3907. static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s,
  3908. WPACKET *pkt)
  3909. {
  3910. if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  3911. NULL, 0)) {
  3912. /* SSLfatal() already called */
  3913. return CON_FUNC_ERROR;
  3914. }
  3915. return CON_FUNC_SUCCESS;
  3916. }
  3917. MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL_CONNECTION *s, PACKET *pkt)
  3918. {
  3919. if (PACKET_remaining(pkt) != 0) {
  3920. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  3921. return MSG_PROCESS_ERROR;
  3922. }
  3923. if (s->early_data_state != SSL_EARLY_DATA_READING
  3924. && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) {
  3925. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  3926. return MSG_PROCESS_ERROR;
  3927. }
  3928. /*
  3929. * EndOfEarlyData signals a key change so the end of the message must be on
  3930. * a record boundary.
  3931. */
  3932. if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  3933. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
  3934. return MSG_PROCESS_ERROR;
  3935. }
  3936. s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
  3937. if (!SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->change_cipher_state(s,
  3938. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) {
  3939. /* SSLfatal() already called */
  3940. return MSG_PROCESS_ERROR;
  3941. }
  3942. return MSG_PROCESS_CONTINUE_READING;
  3943. }