statem_srvr.c 141 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  4. * Copyright 2005 Nokia. All rights reserved.
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #include <stdio.h>
  12. #include "../ssl_locl.h"
  13. #include "statem_locl.h"
  14. #include "internal/constant_time_locl.h"
  15. #include "internal/cryptlib.h"
  16. #include <openssl/buffer.h>
  17. #include <openssl/rand.h>
  18. #include <openssl/objects.h>
  19. #include <openssl/evp.h>
  20. #include <openssl/hmac.h>
  21. #include <openssl/x509.h>
  22. #include <openssl/dh.h>
  23. #include <openssl/bn.h>
  24. #include <openssl/md5.h>
  25. #include <openssl/trace.h>
  26. #define TICKET_NONCE_SIZE 8
  27. static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
  28. /*
  29. * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
  30. * handshake state transitions when a TLSv1.3 server is reading messages from
  31. * the client. The message type that the client has sent is provided in |mt|.
  32. * The current state is in |s->statem.hand_state|.
  33. *
  34. * Return values are 1 for success (transition allowed) and 0 on error
  35. * (transition not allowed)
  36. */
  37. static int ossl_statem_server13_read_transition(SSL *s, int mt)
  38. {
  39. OSSL_STATEM *st = &s->statem;
  40. /*
  41. * Note: There is no case for TLS_ST_BEFORE because at that stage we have
  42. * not negotiated TLSv1.3 yet, so that case is handled by
  43. * ossl_statem_server_read_transition()
  44. */
  45. switch (st->hand_state) {
  46. default:
  47. break;
  48. case TLS_ST_EARLY_DATA:
  49. if (s->hello_retry_request == SSL_HRR_PENDING) {
  50. if (mt == SSL3_MT_CLIENT_HELLO) {
  51. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  52. return 1;
  53. }
  54. break;
  55. } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
  56. if (mt == SSL3_MT_END_OF_EARLY_DATA) {
  57. st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
  58. return 1;
  59. }
  60. break;
  61. }
  62. /* Fall through */
  63. case TLS_ST_SR_END_OF_EARLY_DATA:
  64. case TLS_ST_SW_FINISHED:
  65. if (s->s3.tmp.cert_request) {
  66. if (mt == SSL3_MT_CERTIFICATE) {
  67. st->hand_state = TLS_ST_SR_CERT;
  68. return 1;
  69. }
  70. } else {
  71. if (mt == SSL3_MT_FINISHED) {
  72. st->hand_state = TLS_ST_SR_FINISHED;
  73. return 1;
  74. }
  75. }
  76. break;
  77. case TLS_ST_SR_CERT:
  78. if (s->session->peer == NULL) {
  79. if (mt == SSL3_MT_FINISHED) {
  80. st->hand_state = TLS_ST_SR_FINISHED;
  81. return 1;
  82. }
  83. } else {
  84. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  85. st->hand_state = TLS_ST_SR_CERT_VRFY;
  86. return 1;
  87. }
  88. }
  89. break;
  90. case TLS_ST_SR_CERT_VRFY:
  91. if (mt == SSL3_MT_FINISHED) {
  92. st->hand_state = TLS_ST_SR_FINISHED;
  93. return 1;
  94. }
  95. break;
  96. case TLS_ST_OK:
  97. /*
  98. * Its never ok to start processing handshake messages in the middle of
  99. * early data (i.e. before we've received the end of early data alert)
  100. */
  101. if (s->early_data_state == SSL_EARLY_DATA_READING)
  102. break;
  103. if (mt == SSL3_MT_CERTIFICATE
  104. && s->post_handshake_auth == SSL_PHA_REQUESTED) {
  105. st->hand_state = TLS_ST_SR_CERT;
  106. return 1;
  107. }
  108. if (mt == SSL3_MT_KEY_UPDATE) {
  109. st->hand_state = TLS_ST_SR_KEY_UPDATE;
  110. return 1;
  111. }
  112. break;
  113. }
  114. /* No valid transition found */
  115. return 0;
  116. }
  117. /*
  118. * ossl_statem_server_read_transition() encapsulates the logic for the allowed
  119. * handshake state transitions when the server is reading messages from the
  120. * client. The message type that the client has sent is provided in |mt|. The
  121. * current state is in |s->statem.hand_state|.
  122. *
  123. * Return values are 1 for success (transition allowed) and 0 on error
  124. * (transition not allowed)
  125. */
  126. int ossl_statem_server_read_transition(SSL *s, int mt)
  127. {
  128. OSSL_STATEM *st = &s->statem;
  129. if (SSL_IS_TLS13(s)) {
  130. if (!ossl_statem_server13_read_transition(s, mt))
  131. goto err;
  132. return 1;
  133. }
  134. switch (st->hand_state) {
  135. default:
  136. break;
  137. case TLS_ST_BEFORE:
  138. case TLS_ST_OK:
  139. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  140. if (mt == SSL3_MT_CLIENT_HELLO) {
  141. st->hand_state = TLS_ST_SR_CLNT_HELLO;
  142. return 1;
  143. }
  144. break;
  145. case TLS_ST_SW_SRVR_DONE:
  146. /*
  147. * If we get a CKE message after a ServerDone then either
  148. * 1) We didn't request a Certificate
  149. * OR
  150. * 2) If we did request one then
  151. * a) We allow no Certificate to be returned
  152. * AND
  153. * b) We are running SSL3 (in TLS1.0+ the client must return a 0
  154. * list if we requested a certificate)
  155. */
  156. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  157. if (s->s3.tmp.cert_request) {
  158. if (s->version == SSL3_VERSION) {
  159. if ((s->verify_mode & SSL_VERIFY_PEER)
  160. && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  161. /*
  162. * This isn't an unexpected message as such - we're just
  163. * not going to accept it because we require a client
  164. * cert.
  165. */
  166. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  167. SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
  168. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  169. return 0;
  170. }
  171. st->hand_state = TLS_ST_SR_KEY_EXCH;
  172. return 1;
  173. }
  174. } else {
  175. st->hand_state = TLS_ST_SR_KEY_EXCH;
  176. return 1;
  177. }
  178. } else if (s->s3.tmp.cert_request) {
  179. if (mt == SSL3_MT_CERTIFICATE) {
  180. st->hand_state = TLS_ST_SR_CERT;
  181. return 1;
  182. }
  183. }
  184. break;
  185. case TLS_ST_SR_CERT:
  186. if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
  187. st->hand_state = TLS_ST_SR_KEY_EXCH;
  188. return 1;
  189. }
  190. break;
  191. case TLS_ST_SR_KEY_EXCH:
  192. /*
  193. * We should only process a CertificateVerify message if we have
  194. * received a Certificate from the client. If so then |s->session->peer|
  195. * will be non NULL. In some instances a CertificateVerify message is
  196. * not required even if the peer has sent a Certificate (e.g. such as in
  197. * the case of static DH). In that case |st->no_cert_verify| should be
  198. * set.
  199. */
  200. if (s->session->peer == NULL || st->no_cert_verify) {
  201. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  202. /*
  203. * For the ECDH ciphersuites when the client sends its ECDH
  204. * pub key in a certificate, the CertificateVerify message is
  205. * not sent. Also for GOST ciphersuites when the client uses
  206. * its key from the certificate for key exchange.
  207. */
  208. st->hand_state = TLS_ST_SR_CHANGE;
  209. return 1;
  210. }
  211. } else {
  212. if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
  213. st->hand_state = TLS_ST_SR_CERT_VRFY;
  214. return 1;
  215. }
  216. }
  217. break;
  218. case TLS_ST_SR_CERT_VRFY:
  219. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  220. st->hand_state = TLS_ST_SR_CHANGE;
  221. return 1;
  222. }
  223. break;
  224. case TLS_ST_SR_CHANGE:
  225. #ifndef OPENSSL_NO_NEXTPROTONEG
  226. if (s->s3.npn_seen) {
  227. if (mt == SSL3_MT_NEXT_PROTO) {
  228. st->hand_state = TLS_ST_SR_NEXT_PROTO;
  229. return 1;
  230. }
  231. } else {
  232. #endif
  233. if (mt == SSL3_MT_FINISHED) {
  234. st->hand_state = TLS_ST_SR_FINISHED;
  235. return 1;
  236. }
  237. #ifndef OPENSSL_NO_NEXTPROTONEG
  238. }
  239. #endif
  240. break;
  241. #ifndef OPENSSL_NO_NEXTPROTONEG
  242. case TLS_ST_SR_NEXT_PROTO:
  243. if (mt == SSL3_MT_FINISHED) {
  244. st->hand_state = TLS_ST_SR_FINISHED;
  245. return 1;
  246. }
  247. break;
  248. #endif
  249. case TLS_ST_SW_FINISHED:
  250. if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  251. st->hand_state = TLS_ST_SR_CHANGE;
  252. return 1;
  253. }
  254. break;
  255. }
  256. err:
  257. /* No valid transition found */
  258. if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  259. BIO *rbio;
  260. /*
  261. * CCS messages don't have a message sequence number so this is probably
  262. * because of an out-of-order CCS. We'll just drop it.
  263. */
  264. s->init_num = 0;
  265. s->rwstate = SSL_READING;
  266. rbio = SSL_get_rbio(s);
  267. BIO_clear_retry_flags(rbio);
  268. BIO_set_retry_read(rbio);
  269. return 0;
  270. }
  271. SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE,
  272. SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
  273. SSL_R_UNEXPECTED_MESSAGE);
  274. return 0;
  275. }
  276. /*
  277. * Should we send a ServerKeyExchange message?
  278. *
  279. * Valid return values are:
  280. * 1: Yes
  281. * 0: No
  282. */
  283. static int send_server_key_exchange(SSL *s)
  284. {
  285. unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  286. /*
  287. * only send a ServerKeyExchange if DH or fortezza but we have a
  288. * sign only certificate PSK: may send PSK identity hints For
  289. * ECC ciphersuites, we send a serverKeyExchange message only if
  290. * the cipher suite is either ECDH-anon or ECDHE. In other cases,
  291. * the server certificate contains the server's public key for
  292. * key exchange.
  293. */
  294. if (alg_k & (SSL_kDHE | SSL_kECDHE)
  295. /*
  296. * PSK: send ServerKeyExchange if PSK identity hint if
  297. * provided
  298. */
  299. #ifndef OPENSSL_NO_PSK
  300. /* Only send SKE if we have identity hint for plain PSK */
  301. || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
  302. && s->cert->psk_identity_hint)
  303. /* For other PSK always send SKE */
  304. || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
  305. #endif
  306. #ifndef OPENSSL_NO_SRP
  307. /* SRP: send ServerKeyExchange */
  308. || (alg_k & SSL_kSRP)
  309. #endif
  310. ) {
  311. return 1;
  312. }
  313. return 0;
  314. }
  315. /*
  316. * Should we send a CertificateRequest message?
  317. *
  318. * Valid return values are:
  319. * 1: Yes
  320. * 0: No
  321. */
  322. int send_certificate_request(SSL *s)
  323. {
  324. if (
  325. /* don't request cert unless asked for it: */
  326. s->verify_mode & SSL_VERIFY_PEER
  327. /*
  328. * don't request if post-handshake-only unless doing
  329. * post-handshake in TLSv1.3:
  330. */
  331. && (!SSL_IS_TLS13(s) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE)
  332. || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING)
  333. /*
  334. * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
  335. * a second time:
  336. */
  337. && (s->certreqs_sent < 1 ||
  338. !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
  339. /*
  340. * never request cert in anonymous ciphersuites (see
  341. * section "Certificate request" in SSL 3 drafts and in
  342. * RFC 2246):
  343. */
  344. && (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL)
  345. /*
  346. * ... except when the application insists on
  347. * verification (against the specs, but statem_clnt.c accepts
  348. * this for SSL 3)
  349. */
  350. || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
  351. /* don't request certificate for SRP auth */
  352. && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aSRP)
  353. /*
  354. * With normal PSK Certificates and Certificate Requests
  355. * are omitted
  356. */
  357. && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
  358. return 1;
  359. }
  360. return 0;
  361. }
  362. /*
  363. * ossl_statem_server13_write_transition() works out what handshake state to
  364. * move to next when a TLSv1.3 server is writing messages to be sent to the
  365. * client.
  366. */
  367. static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
  368. {
  369. OSSL_STATEM *st = &s->statem;
  370. /*
  371. * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
  372. * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
  373. */
  374. switch (st->hand_state) {
  375. default:
  376. /* Shouldn't happen */
  377. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  378. SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION,
  379. ERR_R_INTERNAL_ERROR);
  380. return WRITE_TRAN_ERROR;
  381. case TLS_ST_OK:
  382. if (s->key_update != SSL_KEY_UPDATE_NONE) {
  383. st->hand_state = TLS_ST_SW_KEY_UPDATE;
  384. return WRITE_TRAN_CONTINUE;
  385. }
  386. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  387. st->hand_state = TLS_ST_SW_CERT_REQ;
  388. return WRITE_TRAN_CONTINUE;
  389. }
  390. /* Try to read from the client instead */
  391. return WRITE_TRAN_FINISHED;
  392. case TLS_ST_SR_CLNT_HELLO:
  393. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  394. return WRITE_TRAN_CONTINUE;
  395. case TLS_ST_SW_SRVR_HELLO:
  396. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  397. && s->hello_retry_request != SSL_HRR_COMPLETE)
  398. st->hand_state = TLS_ST_SW_CHANGE;
  399. else if (s->hello_retry_request == SSL_HRR_PENDING)
  400. st->hand_state = TLS_ST_EARLY_DATA;
  401. else
  402. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  403. return WRITE_TRAN_CONTINUE;
  404. case TLS_ST_SW_CHANGE:
  405. if (s->hello_retry_request == SSL_HRR_PENDING)
  406. st->hand_state = TLS_ST_EARLY_DATA;
  407. else
  408. st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
  409. return WRITE_TRAN_CONTINUE;
  410. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  411. if (s->hit)
  412. st->hand_state = TLS_ST_SW_FINISHED;
  413. else if (send_certificate_request(s))
  414. st->hand_state = TLS_ST_SW_CERT_REQ;
  415. else
  416. st->hand_state = TLS_ST_SW_CERT;
  417. return WRITE_TRAN_CONTINUE;
  418. case TLS_ST_SW_CERT_REQ:
  419. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  420. s->post_handshake_auth = SSL_PHA_REQUESTED;
  421. st->hand_state = TLS_ST_OK;
  422. } else {
  423. st->hand_state = TLS_ST_SW_CERT;
  424. }
  425. return WRITE_TRAN_CONTINUE;
  426. case TLS_ST_SW_CERT:
  427. st->hand_state = TLS_ST_SW_CERT_VRFY;
  428. return WRITE_TRAN_CONTINUE;
  429. case TLS_ST_SW_CERT_VRFY:
  430. st->hand_state = TLS_ST_SW_FINISHED;
  431. return WRITE_TRAN_CONTINUE;
  432. case TLS_ST_SW_FINISHED:
  433. st->hand_state = TLS_ST_EARLY_DATA;
  434. return WRITE_TRAN_CONTINUE;
  435. case TLS_ST_EARLY_DATA:
  436. return WRITE_TRAN_FINISHED;
  437. case TLS_ST_SR_FINISHED:
  438. /*
  439. * Technically we have finished the handshake at this point, but we're
  440. * going to remain "in_init" for now and write out any session tickets
  441. * immediately.
  442. */
  443. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  444. s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
  445. } else if (!s->ext.ticket_expected) {
  446. /*
  447. * If we're not going to renew the ticket then we just finish the
  448. * handshake at this point.
  449. */
  450. st->hand_state = TLS_ST_OK;
  451. return WRITE_TRAN_CONTINUE;
  452. }
  453. if (s->num_tickets > s->sent_tickets)
  454. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  455. else
  456. st->hand_state = TLS_ST_OK;
  457. return WRITE_TRAN_CONTINUE;
  458. case TLS_ST_SR_KEY_UPDATE:
  459. case TLS_ST_SW_KEY_UPDATE:
  460. st->hand_state = TLS_ST_OK;
  461. return WRITE_TRAN_CONTINUE;
  462. case TLS_ST_SW_SESSION_TICKET:
  463. /* In a resumption we only ever send a maximum of one new ticket.
  464. * Following an initial handshake we send the number of tickets we have
  465. * been configured for.
  466. */
  467. if (s->hit || s->num_tickets <= s->sent_tickets) {
  468. /* We've written enough tickets out. */
  469. st->hand_state = TLS_ST_OK;
  470. }
  471. return WRITE_TRAN_CONTINUE;
  472. }
  473. }
  474. /*
  475. * ossl_statem_server_write_transition() works out what handshake state to move
  476. * to next when the server is writing messages to be sent to the client.
  477. */
  478. WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
  479. {
  480. OSSL_STATEM *st = &s->statem;
  481. /*
  482. * Note that before the ClientHello we don't know what version we are going
  483. * to negotiate yet, so we don't take this branch until later
  484. */
  485. if (SSL_IS_TLS13(s))
  486. return ossl_statem_server13_write_transition(s);
  487. switch (st->hand_state) {
  488. default:
  489. /* Shouldn't happen */
  490. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  491. SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION,
  492. ERR_R_INTERNAL_ERROR);
  493. return WRITE_TRAN_ERROR;
  494. case TLS_ST_OK:
  495. if (st->request_state == TLS_ST_SW_HELLO_REQ) {
  496. /* We must be trying to renegotiate */
  497. st->hand_state = TLS_ST_SW_HELLO_REQ;
  498. st->request_state = TLS_ST_BEFORE;
  499. return WRITE_TRAN_CONTINUE;
  500. }
  501. /* Must be an incoming ClientHello */
  502. if (!tls_setup_handshake(s)) {
  503. /* SSLfatal() already called */
  504. return WRITE_TRAN_ERROR;
  505. }
  506. /* Fall through */
  507. case TLS_ST_BEFORE:
  508. /* Just go straight to trying to read from the client */
  509. return WRITE_TRAN_FINISHED;
  510. case TLS_ST_SW_HELLO_REQ:
  511. st->hand_state = TLS_ST_OK;
  512. return WRITE_TRAN_CONTINUE;
  513. case TLS_ST_SR_CLNT_HELLO:
  514. if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
  515. && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) {
  516. st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
  517. } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  518. /* We must have rejected the renegotiation */
  519. st->hand_state = TLS_ST_OK;
  520. return WRITE_TRAN_CONTINUE;
  521. } else {
  522. st->hand_state = TLS_ST_SW_SRVR_HELLO;
  523. }
  524. return WRITE_TRAN_CONTINUE;
  525. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  526. return WRITE_TRAN_FINISHED;
  527. case TLS_ST_SW_SRVR_HELLO:
  528. if (s->hit) {
  529. if (s->ext.ticket_expected)
  530. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  531. else
  532. st->hand_state = TLS_ST_SW_CHANGE;
  533. } else {
  534. /* Check if it is anon DH or anon ECDH, */
  535. /* normal PSK or SRP */
  536. if (!(s->s3.tmp.new_cipher->algorithm_auth &
  537. (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
  538. st->hand_state = TLS_ST_SW_CERT;
  539. } else if (send_server_key_exchange(s)) {
  540. st->hand_state = TLS_ST_SW_KEY_EXCH;
  541. } else if (send_certificate_request(s)) {
  542. st->hand_state = TLS_ST_SW_CERT_REQ;
  543. } else {
  544. st->hand_state = TLS_ST_SW_SRVR_DONE;
  545. }
  546. }
  547. return WRITE_TRAN_CONTINUE;
  548. case TLS_ST_SW_CERT:
  549. if (s->ext.status_expected) {
  550. st->hand_state = TLS_ST_SW_CERT_STATUS;
  551. return WRITE_TRAN_CONTINUE;
  552. }
  553. /* Fall through */
  554. case TLS_ST_SW_CERT_STATUS:
  555. if (send_server_key_exchange(s)) {
  556. st->hand_state = TLS_ST_SW_KEY_EXCH;
  557. return WRITE_TRAN_CONTINUE;
  558. }
  559. /* Fall through */
  560. case TLS_ST_SW_KEY_EXCH:
  561. if (send_certificate_request(s)) {
  562. st->hand_state = TLS_ST_SW_CERT_REQ;
  563. return WRITE_TRAN_CONTINUE;
  564. }
  565. /* Fall through */
  566. case TLS_ST_SW_CERT_REQ:
  567. st->hand_state = TLS_ST_SW_SRVR_DONE;
  568. return WRITE_TRAN_CONTINUE;
  569. case TLS_ST_SW_SRVR_DONE:
  570. return WRITE_TRAN_FINISHED;
  571. case TLS_ST_SR_FINISHED:
  572. if (s->hit) {
  573. st->hand_state = TLS_ST_OK;
  574. return WRITE_TRAN_CONTINUE;
  575. } else if (s->ext.ticket_expected) {
  576. st->hand_state = TLS_ST_SW_SESSION_TICKET;
  577. } else {
  578. st->hand_state = TLS_ST_SW_CHANGE;
  579. }
  580. return WRITE_TRAN_CONTINUE;
  581. case TLS_ST_SW_SESSION_TICKET:
  582. st->hand_state = TLS_ST_SW_CHANGE;
  583. return WRITE_TRAN_CONTINUE;
  584. case TLS_ST_SW_CHANGE:
  585. st->hand_state = TLS_ST_SW_FINISHED;
  586. return WRITE_TRAN_CONTINUE;
  587. case TLS_ST_SW_FINISHED:
  588. if (s->hit) {
  589. return WRITE_TRAN_FINISHED;
  590. }
  591. st->hand_state = TLS_ST_OK;
  592. return WRITE_TRAN_CONTINUE;
  593. }
  594. }
  595. /*
  596. * Perform any pre work that needs to be done prior to sending a message from
  597. * the server to the client.
  598. */
  599. WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
  600. {
  601. OSSL_STATEM *st = &s->statem;
  602. switch (st->hand_state) {
  603. default:
  604. /* No pre work to be done */
  605. break;
  606. case TLS_ST_SW_HELLO_REQ:
  607. s->shutdown = 0;
  608. if (SSL_IS_DTLS(s))
  609. dtls1_clear_sent_buffer(s);
  610. break;
  611. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  612. s->shutdown = 0;
  613. if (SSL_IS_DTLS(s)) {
  614. dtls1_clear_sent_buffer(s);
  615. /* We don't buffer this message so don't use the timer */
  616. st->use_timer = 0;
  617. }
  618. break;
  619. case TLS_ST_SW_SRVR_HELLO:
  620. if (SSL_IS_DTLS(s)) {
  621. /*
  622. * Messages we write from now on should be buffered and
  623. * retransmitted if necessary, so we need to use the timer now
  624. */
  625. st->use_timer = 1;
  626. }
  627. break;
  628. case TLS_ST_SW_SRVR_DONE:
  629. #ifndef OPENSSL_NO_SCTP
  630. if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  631. /* Calls SSLfatal() as required */
  632. return dtls_wait_for_dry(s);
  633. }
  634. #endif
  635. return WORK_FINISHED_CONTINUE;
  636. case TLS_ST_SW_SESSION_TICKET:
  637. if (SSL_IS_TLS13(s) && s->sent_tickets == 0) {
  638. /*
  639. * Actually this is the end of the handshake, but we're going
  640. * straight into writing the session ticket out. So we finish off
  641. * the handshake, but keep the various buffers active.
  642. *
  643. * Calls SSLfatal as required.
  644. */
  645. return tls_finish_handshake(s, wst, 0, 0);
  646. } if (SSL_IS_DTLS(s)) {
  647. /*
  648. * We're into the last flight. We don't retransmit the last flight
  649. * unless we need to, so we don't use the timer
  650. */
  651. st->use_timer = 0;
  652. }
  653. break;
  654. case TLS_ST_SW_CHANGE:
  655. if (SSL_IS_TLS13(s))
  656. break;
  657. s->session->cipher = s->s3.tmp.new_cipher;
  658. if (!s->method->ssl3_enc->setup_key_block(s)) {
  659. /* SSLfatal() already called */
  660. return WORK_ERROR;
  661. }
  662. if (SSL_IS_DTLS(s)) {
  663. /*
  664. * We're into the last flight. We don't retransmit the last flight
  665. * unless we need to, so we don't use the timer. This might have
  666. * already been set to 0 if we sent a NewSessionTicket message,
  667. * but we'll set it again here in case we didn't.
  668. */
  669. st->use_timer = 0;
  670. }
  671. return WORK_FINISHED_CONTINUE;
  672. case TLS_ST_EARLY_DATA:
  673. if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
  674. && (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
  675. return WORK_FINISHED_CONTINUE;
  676. /* Fall through */
  677. case TLS_ST_OK:
  678. /* Calls SSLfatal() as required */
  679. return tls_finish_handshake(s, wst, 1, 1);
  680. }
  681. return WORK_FINISHED_CONTINUE;
  682. }
  683. static ossl_inline int conn_is_closed(void)
  684. {
  685. switch (get_last_sys_error()) {
  686. #if defined(EPIPE)
  687. case EPIPE:
  688. return 1;
  689. #endif
  690. #if defined(ECONNRESET)
  691. case ECONNRESET:
  692. return 1;
  693. #endif
  694. #if defined(WSAECONNRESET)
  695. case WSAECONNRESET:
  696. return 1;
  697. #endif
  698. default:
  699. return 0;
  700. }
  701. }
  702. /*
  703. * Perform any work that needs to be done after sending a message from the
  704. * server to the client.
  705. */
  706. WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
  707. {
  708. OSSL_STATEM *st = &s->statem;
  709. s->init_num = 0;
  710. switch (st->hand_state) {
  711. default:
  712. /* No post work to be done */
  713. break;
  714. case TLS_ST_SW_HELLO_REQ:
  715. if (statem_flush(s) != 1)
  716. return WORK_MORE_A;
  717. if (!ssl3_init_finished_mac(s)) {
  718. /* SSLfatal() already called */
  719. return WORK_ERROR;
  720. }
  721. break;
  722. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  723. if (statem_flush(s) != 1)
  724. return WORK_MORE_A;
  725. /* HelloVerifyRequest resets Finished MAC */
  726. if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
  727. /* SSLfatal() already called */
  728. return WORK_ERROR;
  729. }
  730. /*
  731. * The next message should be another ClientHello which we need to
  732. * treat like it was the first packet
  733. */
  734. s->first_packet = 1;
  735. break;
  736. case TLS_ST_SW_SRVR_HELLO:
  737. if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) {
  738. if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
  739. && statem_flush(s) != 1)
  740. return WORK_MORE_A;
  741. break;
  742. }
  743. #ifndef OPENSSL_NO_SCTP
  744. if (SSL_IS_DTLS(s) && s->hit) {
  745. unsigned char sctpauthkey[64];
  746. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  747. size_t labellen;
  748. /*
  749. * Add new shared key for SCTP-Auth, will be ignored if no
  750. * SCTP used.
  751. */
  752. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  753. sizeof(DTLS1_SCTP_AUTH_LABEL));
  754. /* Don't include the terminating zero. */
  755. labellen = sizeof(labelbuffer) - 1;
  756. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  757. labellen += 1;
  758. if (SSL_export_keying_material(s, sctpauthkey,
  759. sizeof(sctpauthkey), labelbuffer,
  760. labellen, NULL, 0,
  761. 0) <= 0) {
  762. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  763. SSL_F_OSSL_STATEM_SERVER_POST_WORK,
  764. ERR_R_INTERNAL_ERROR);
  765. return WORK_ERROR;
  766. }
  767. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  768. sizeof(sctpauthkey), sctpauthkey);
  769. }
  770. #endif
  771. if (!SSL_IS_TLS13(s)
  772. || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
  773. && s->hello_retry_request != SSL_HRR_COMPLETE))
  774. break;
  775. /* Fall through */
  776. case TLS_ST_SW_CHANGE:
  777. if (s->hello_retry_request == SSL_HRR_PENDING) {
  778. if (!statem_flush(s))
  779. return WORK_MORE_A;
  780. break;
  781. }
  782. if (SSL_IS_TLS13(s)) {
  783. if (!s->method->ssl3_enc->setup_key_block(s)
  784. || !s->method->ssl3_enc->change_cipher_state(s,
  785. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
  786. /* SSLfatal() already called */
  787. return WORK_ERROR;
  788. }
  789. if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED
  790. && !s->method->ssl3_enc->change_cipher_state(s,
  791. SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) {
  792. /* SSLfatal() already called */
  793. return WORK_ERROR;
  794. }
  795. /*
  796. * We don't yet know whether the next record we are going to receive
  797. * is an unencrypted alert, an encrypted alert, or an encrypted
  798. * handshake message. We temporarily tolerate unencrypted alerts.
  799. */
  800. s->statem.enc_read_state = ENC_READ_STATE_ALLOW_PLAIN_ALERTS;
  801. break;
  802. }
  803. #ifndef OPENSSL_NO_SCTP
  804. if (SSL_IS_DTLS(s) && !s->hit) {
  805. /*
  806. * Change to new shared key of SCTP-Auth, will be ignored if
  807. * no SCTP used.
  808. */
  809. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  810. 0, NULL);
  811. }
  812. #endif
  813. if (!s->method->ssl3_enc->change_cipher_state(s,
  814. SSL3_CHANGE_CIPHER_SERVER_WRITE))
  815. {
  816. /* SSLfatal() already called */
  817. return WORK_ERROR;
  818. }
  819. if (SSL_IS_DTLS(s))
  820. dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
  821. break;
  822. case TLS_ST_SW_SRVR_DONE:
  823. if (statem_flush(s) != 1)
  824. return WORK_MORE_A;
  825. break;
  826. case TLS_ST_SW_FINISHED:
  827. if (statem_flush(s) != 1)
  828. return WORK_MORE_A;
  829. #ifndef OPENSSL_NO_SCTP
  830. if (SSL_IS_DTLS(s) && s->hit) {
  831. /*
  832. * Change to new shared key of SCTP-Auth, will be ignored if
  833. * no SCTP used.
  834. */
  835. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  836. 0, NULL);
  837. }
  838. #endif
  839. if (SSL_IS_TLS13(s)) {
  840. if (!s->method->ssl3_enc->generate_master_secret(s,
  841. s->master_secret, s->handshake_secret, 0,
  842. &s->session->master_key_length)
  843. || !s->method->ssl3_enc->change_cipher_state(s,
  844. SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
  845. /* SSLfatal() already called */
  846. return WORK_ERROR;
  847. }
  848. break;
  849. case TLS_ST_SW_CERT_REQ:
  850. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  851. if (statem_flush(s) != 1)
  852. return WORK_MORE_A;
  853. }
  854. break;
  855. case TLS_ST_SW_KEY_UPDATE:
  856. if (statem_flush(s) != 1)
  857. return WORK_MORE_A;
  858. if (!tls13_update_key(s, 1)) {
  859. /* SSLfatal() already called */
  860. return WORK_ERROR;
  861. }
  862. break;
  863. case TLS_ST_SW_SESSION_TICKET:
  864. clear_sys_error();
  865. if (SSL_IS_TLS13(s) && statem_flush(s) != 1) {
  866. if (SSL_get_error(s, 0) == SSL_ERROR_SYSCALL
  867. && conn_is_closed()) {
  868. /*
  869. * We ignore connection closed errors in TLSv1.3 when sending a
  870. * NewSessionTicket and behave as if we were successful. This is
  871. * so that we are still able to read data sent to us by a client
  872. * that closes soon after the end of the handshake without
  873. * waiting to read our post-handshake NewSessionTickets.
  874. */
  875. s->rwstate = SSL_NOTHING;
  876. break;
  877. }
  878. return WORK_MORE_A;
  879. }
  880. break;
  881. }
  882. return WORK_FINISHED_CONTINUE;
  883. }
  884. /*
  885. * Get the message construction function and message type for sending from the
  886. * server
  887. *
  888. * Valid return values are:
  889. * 1: Success
  890. * 0: Error
  891. */
  892. int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
  893. confunc_f *confunc, int *mt)
  894. {
  895. OSSL_STATEM *st = &s->statem;
  896. switch (st->hand_state) {
  897. default:
  898. /* Shouldn't happen */
  899. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  900. SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE,
  901. SSL_R_BAD_HANDSHAKE_STATE);
  902. return 0;
  903. case TLS_ST_SW_CHANGE:
  904. if (SSL_IS_DTLS(s))
  905. *confunc = dtls_construct_change_cipher_spec;
  906. else
  907. *confunc = tls_construct_change_cipher_spec;
  908. *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
  909. break;
  910. case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
  911. *confunc = dtls_construct_hello_verify_request;
  912. *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
  913. break;
  914. case TLS_ST_SW_HELLO_REQ:
  915. /* No construction function needed */
  916. *confunc = NULL;
  917. *mt = SSL3_MT_HELLO_REQUEST;
  918. break;
  919. case TLS_ST_SW_SRVR_HELLO:
  920. *confunc = tls_construct_server_hello;
  921. *mt = SSL3_MT_SERVER_HELLO;
  922. break;
  923. case TLS_ST_SW_CERT:
  924. *confunc = tls_construct_server_certificate;
  925. *mt = SSL3_MT_CERTIFICATE;
  926. break;
  927. case TLS_ST_SW_CERT_VRFY:
  928. *confunc = tls_construct_cert_verify;
  929. *mt = SSL3_MT_CERTIFICATE_VERIFY;
  930. break;
  931. case TLS_ST_SW_KEY_EXCH:
  932. *confunc = tls_construct_server_key_exchange;
  933. *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
  934. break;
  935. case TLS_ST_SW_CERT_REQ:
  936. *confunc = tls_construct_certificate_request;
  937. *mt = SSL3_MT_CERTIFICATE_REQUEST;
  938. break;
  939. case TLS_ST_SW_SRVR_DONE:
  940. *confunc = tls_construct_server_done;
  941. *mt = SSL3_MT_SERVER_DONE;
  942. break;
  943. case TLS_ST_SW_SESSION_TICKET:
  944. *confunc = tls_construct_new_session_ticket;
  945. *mt = SSL3_MT_NEWSESSION_TICKET;
  946. break;
  947. case TLS_ST_SW_CERT_STATUS:
  948. *confunc = tls_construct_cert_status;
  949. *mt = SSL3_MT_CERTIFICATE_STATUS;
  950. break;
  951. case TLS_ST_SW_FINISHED:
  952. *confunc = tls_construct_finished;
  953. *mt = SSL3_MT_FINISHED;
  954. break;
  955. case TLS_ST_EARLY_DATA:
  956. *confunc = NULL;
  957. *mt = SSL3_MT_DUMMY;
  958. break;
  959. case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
  960. *confunc = tls_construct_encrypted_extensions;
  961. *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
  962. break;
  963. case TLS_ST_SW_KEY_UPDATE:
  964. *confunc = tls_construct_key_update;
  965. *mt = SSL3_MT_KEY_UPDATE;
  966. break;
  967. }
  968. return 1;
  969. }
  970. /*
  971. * Maximum size (excluding the Handshake header) of a ClientHello message,
  972. * calculated as follows:
  973. *
  974. * 2 + # client_version
  975. * 32 + # only valid length for random
  976. * 1 + # length of session_id
  977. * 32 + # maximum size for session_id
  978. * 2 + # length of cipher suites
  979. * 2^16-2 + # maximum length of cipher suites array
  980. * 1 + # length of compression_methods
  981. * 2^8-1 + # maximum length of compression methods
  982. * 2 + # length of extensions
  983. * 2^16-1 # maximum length of extensions
  984. */
  985. #define CLIENT_HELLO_MAX_LENGTH 131396
  986. #define CLIENT_KEY_EXCH_MAX_LENGTH 2048
  987. #define NEXT_PROTO_MAX_LENGTH 514
  988. /*
  989. * Returns the maximum allowed length for the current message that we are
  990. * reading. Excludes the message header.
  991. */
  992. size_t ossl_statem_server_max_message_size(SSL *s)
  993. {
  994. OSSL_STATEM *st = &s->statem;
  995. switch (st->hand_state) {
  996. default:
  997. /* Shouldn't happen */
  998. return 0;
  999. case TLS_ST_SR_CLNT_HELLO:
  1000. return CLIENT_HELLO_MAX_LENGTH;
  1001. case TLS_ST_SR_END_OF_EARLY_DATA:
  1002. return END_OF_EARLY_DATA_MAX_LENGTH;
  1003. case TLS_ST_SR_CERT:
  1004. return s->max_cert_list;
  1005. case TLS_ST_SR_KEY_EXCH:
  1006. return CLIENT_KEY_EXCH_MAX_LENGTH;
  1007. case TLS_ST_SR_CERT_VRFY:
  1008. return SSL3_RT_MAX_PLAIN_LENGTH;
  1009. #ifndef OPENSSL_NO_NEXTPROTONEG
  1010. case TLS_ST_SR_NEXT_PROTO:
  1011. return NEXT_PROTO_MAX_LENGTH;
  1012. #endif
  1013. case TLS_ST_SR_CHANGE:
  1014. return CCS_MAX_LENGTH;
  1015. case TLS_ST_SR_FINISHED:
  1016. return FINISHED_MAX_LENGTH;
  1017. case TLS_ST_SR_KEY_UPDATE:
  1018. return KEY_UPDATE_MAX_LENGTH;
  1019. }
  1020. }
  1021. /*
  1022. * Process a message that the server has received from the client.
  1023. */
  1024. MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
  1025. {
  1026. OSSL_STATEM *st = &s->statem;
  1027. switch (st->hand_state) {
  1028. default:
  1029. /* Shouldn't happen */
  1030. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1031. SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE,
  1032. ERR_R_INTERNAL_ERROR);
  1033. return MSG_PROCESS_ERROR;
  1034. case TLS_ST_SR_CLNT_HELLO:
  1035. return tls_process_client_hello(s, pkt);
  1036. case TLS_ST_SR_END_OF_EARLY_DATA:
  1037. return tls_process_end_of_early_data(s, pkt);
  1038. case TLS_ST_SR_CERT:
  1039. return tls_process_client_certificate(s, pkt);
  1040. case TLS_ST_SR_KEY_EXCH:
  1041. return tls_process_client_key_exchange(s, pkt);
  1042. case TLS_ST_SR_CERT_VRFY:
  1043. return tls_process_cert_verify(s, pkt);
  1044. #ifndef OPENSSL_NO_NEXTPROTONEG
  1045. case TLS_ST_SR_NEXT_PROTO:
  1046. return tls_process_next_proto(s, pkt);
  1047. #endif
  1048. case TLS_ST_SR_CHANGE:
  1049. return tls_process_change_cipher_spec(s, pkt);
  1050. case TLS_ST_SR_FINISHED:
  1051. return tls_process_finished(s, pkt);
  1052. case TLS_ST_SR_KEY_UPDATE:
  1053. return tls_process_key_update(s, pkt);
  1054. }
  1055. }
  1056. /*
  1057. * Perform any further processing required following the receipt of a message
  1058. * from the client
  1059. */
  1060. WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
  1061. {
  1062. OSSL_STATEM *st = &s->statem;
  1063. switch (st->hand_state) {
  1064. default:
  1065. /* Shouldn't happen */
  1066. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1067. SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE,
  1068. ERR_R_INTERNAL_ERROR);
  1069. return WORK_ERROR;
  1070. case TLS_ST_SR_CLNT_HELLO:
  1071. return tls_post_process_client_hello(s, wst);
  1072. case TLS_ST_SR_KEY_EXCH:
  1073. return tls_post_process_client_key_exchange(s, wst);
  1074. }
  1075. }
  1076. #ifndef OPENSSL_NO_SRP
  1077. /* Returns 1 on success, 0 for retryable error, -1 for fatal error */
  1078. static int ssl_check_srp_ext_ClientHello(SSL *s)
  1079. {
  1080. int ret;
  1081. int al = SSL_AD_UNRECOGNIZED_NAME;
  1082. if ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
  1083. (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
  1084. if (s->srp_ctx.login == NULL) {
  1085. /*
  1086. * RFC 5054 says SHOULD reject, we do so if There is no srp
  1087. * login name
  1088. */
  1089. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
  1090. SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
  1091. SSL_R_PSK_IDENTITY_NOT_FOUND);
  1092. return -1;
  1093. } else {
  1094. ret = SSL_srp_server_param_with_username(s, &al);
  1095. if (ret < 0)
  1096. return 0;
  1097. if (ret == SSL3_AL_FATAL) {
  1098. SSLfatal(s, al, SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
  1099. al == SSL_AD_UNKNOWN_PSK_IDENTITY
  1100. ? SSL_R_PSK_IDENTITY_NOT_FOUND
  1101. : SSL_R_CLIENTHELLO_TLSEXT);
  1102. return -1;
  1103. }
  1104. }
  1105. }
  1106. return 1;
  1107. }
  1108. #endif
  1109. int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
  1110. size_t cookie_len)
  1111. {
  1112. /* Always use DTLS 1.0 version: see RFC 6347 */
  1113. if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
  1114. || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
  1115. return 0;
  1116. return 1;
  1117. }
  1118. int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
  1119. {
  1120. unsigned int cookie_leni;
  1121. if (s->ctx->app_gen_cookie_cb == NULL ||
  1122. s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
  1123. &cookie_leni) == 0 ||
  1124. cookie_leni > 255) {
  1125. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
  1126. SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
  1127. return 0;
  1128. }
  1129. s->d1->cookie_len = cookie_leni;
  1130. if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
  1131. s->d1->cookie_len)) {
  1132. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
  1133. ERR_R_INTERNAL_ERROR);
  1134. return 0;
  1135. }
  1136. return 1;
  1137. }
  1138. #ifndef OPENSSL_NO_EC
  1139. /*-
  1140. * ssl_check_for_safari attempts to fingerprint Safari using OS X
  1141. * SecureTransport using the TLS extension block in |hello|.
  1142. * Safari, since 10.6, sends exactly these extensions, in this order:
  1143. * SNI,
  1144. * elliptic_curves
  1145. * ec_point_formats
  1146. * signature_algorithms (for TLSv1.2 only)
  1147. *
  1148. * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
  1149. * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
  1150. * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
  1151. * 10.8..10.8.3 (which don't work).
  1152. */
  1153. static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
  1154. {
  1155. static const unsigned char kSafariExtensionsBlock[] = {
  1156. 0x00, 0x0a, /* elliptic_curves extension */
  1157. 0x00, 0x08, /* 8 bytes */
  1158. 0x00, 0x06, /* 6 bytes of curve ids */
  1159. 0x00, 0x17, /* P-256 */
  1160. 0x00, 0x18, /* P-384 */
  1161. 0x00, 0x19, /* P-521 */
  1162. 0x00, 0x0b, /* ec_point_formats */
  1163. 0x00, 0x02, /* 2 bytes */
  1164. 0x01, /* 1 point format */
  1165. 0x00, /* uncompressed */
  1166. /* The following is only present in TLS 1.2 */
  1167. 0x00, 0x0d, /* signature_algorithms */
  1168. 0x00, 0x0c, /* 12 bytes */
  1169. 0x00, 0x0a, /* 10 bytes */
  1170. 0x05, 0x01, /* SHA-384/RSA */
  1171. 0x04, 0x01, /* SHA-256/RSA */
  1172. 0x02, 0x01, /* SHA-1/RSA */
  1173. 0x04, 0x03, /* SHA-256/ECDSA */
  1174. 0x02, 0x03, /* SHA-1/ECDSA */
  1175. };
  1176. /* Length of the common prefix (first two extensions). */
  1177. static const size_t kSafariCommonExtensionsLength = 18;
  1178. unsigned int type;
  1179. PACKET sni, tmppkt;
  1180. size_t ext_len;
  1181. tmppkt = hello->extensions;
  1182. if (!PACKET_forward(&tmppkt, 2)
  1183. || !PACKET_get_net_2(&tmppkt, &type)
  1184. || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
  1185. return;
  1186. }
  1187. if (type != TLSEXT_TYPE_server_name)
  1188. return;
  1189. ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
  1190. sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;
  1191. s->s3.is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
  1192. ext_len);
  1193. }
  1194. #endif /* !OPENSSL_NO_EC */
  1195. MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
  1196. {
  1197. /* |cookie| will only be initialized for DTLS. */
  1198. PACKET session_id, compression, extensions, cookie;
  1199. static const unsigned char null_compression = 0;
  1200. CLIENTHELLO_MSG *clienthello = NULL;
  1201. /* Check if this is actually an unexpected renegotiation ClientHello */
  1202. if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
  1203. if (!ossl_assert(!SSL_IS_TLS13(s))) {
  1204. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1205. ERR_R_INTERNAL_ERROR);
  1206. goto err;
  1207. }
  1208. if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0
  1209. || (!s->s3.send_connection_binding
  1210. && (s->options
  1211. & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) {
  1212. ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
  1213. return MSG_PROCESS_FINISHED_READING;
  1214. }
  1215. s->renegotiate = 1;
  1216. s->new_session = 1;
  1217. }
  1218. clienthello = OPENSSL_zalloc(sizeof(*clienthello));
  1219. if (clienthello == NULL) {
  1220. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1221. ERR_R_INTERNAL_ERROR);
  1222. goto err;
  1223. }
  1224. /*
  1225. * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
  1226. */
  1227. clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
  1228. PACKET_null_init(&cookie);
  1229. if (clienthello->isv2) {
  1230. unsigned int mt;
  1231. if (!SSL_IS_FIRST_HANDSHAKE(s)
  1232. || s->hello_retry_request != SSL_HRR_NONE) {
  1233. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1234. SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE);
  1235. goto err;
  1236. }
  1237. /*-
  1238. * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
  1239. * header is sent directly on the wire, not wrapped as a TLS
  1240. * record. Our record layer just processes the message length and passes
  1241. * the rest right through. Its format is:
  1242. * Byte Content
  1243. * 0-1 msg_length - decoded by the record layer
  1244. * 2 msg_type - s->init_msg points here
  1245. * 3-4 version
  1246. * 5-6 cipher_spec_length
  1247. * 7-8 session_id_length
  1248. * 9-10 challenge_length
  1249. * ... ...
  1250. */
  1251. if (!PACKET_get_1(pkt, &mt)
  1252. || mt != SSL2_MT_CLIENT_HELLO) {
  1253. /*
  1254. * Should never happen. We should have tested this in the record
  1255. * layer in order to have determined that this is a SSLv2 record
  1256. * in the first place
  1257. */
  1258. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1259. ERR_R_INTERNAL_ERROR);
  1260. goto err;
  1261. }
  1262. }
  1263. if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
  1264. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1265. SSL_R_LENGTH_TOO_SHORT);
  1266. goto err;
  1267. }
  1268. /* Parse the message and load client random. */
  1269. if (clienthello->isv2) {
  1270. /*
  1271. * Handle an SSLv2 backwards compatible ClientHello
  1272. * Note, this is only for SSLv3+ using the backward compatible format.
  1273. * Real SSLv2 is not supported, and is rejected below.
  1274. */
  1275. unsigned int ciphersuite_len, session_id_len, challenge_len;
  1276. PACKET challenge;
  1277. if (!PACKET_get_net_2(pkt, &ciphersuite_len)
  1278. || !PACKET_get_net_2(pkt, &session_id_len)
  1279. || !PACKET_get_net_2(pkt, &challenge_len)) {
  1280. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1281. SSL_R_RECORD_LENGTH_MISMATCH);
  1282. goto err;
  1283. }
  1284. if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
  1285. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1286. SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
  1287. goto err;
  1288. }
  1289. if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
  1290. ciphersuite_len)
  1291. || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
  1292. || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
  1293. /* No extensions. */
  1294. || PACKET_remaining(pkt) != 0) {
  1295. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1296. SSL_R_RECORD_LENGTH_MISMATCH);
  1297. goto err;
  1298. }
  1299. clienthello->session_id_len = session_id_len;
  1300. /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
  1301. * here rather than sizeof(clienthello->random) because that is the limit
  1302. * for SSLv3 and it is fixed. It won't change even if
  1303. * sizeof(clienthello->random) does.
  1304. */
  1305. challenge_len = challenge_len > SSL3_RANDOM_SIZE
  1306. ? SSL3_RANDOM_SIZE : challenge_len;
  1307. memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
  1308. if (!PACKET_copy_bytes(&challenge,
  1309. clienthello->random + SSL3_RANDOM_SIZE -
  1310. challenge_len, challenge_len)
  1311. /* Advertise only null compression. */
  1312. || !PACKET_buf_init(&compression, &null_compression, 1)) {
  1313. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1314. ERR_R_INTERNAL_ERROR);
  1315. goto err;
  1316. }
  1317. PACKET_null_init(&clienthello->extensions);
  1318. } else {
  1319. /* Regular ClientHello. */
  1320. if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
  1321. || !PACKET_get_length_prefixed_1(pkt, &session_id)
  1322. || !PACKET_copy_all(&session_id, clienthello->session_id,
  1323. SSL_MAX_SSL_SESSION_ID_LENGTH,
  1324. &clienthello->session_id_len)) {
  1325. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1326. SSL_R_LENGTH_MISMATCH);
  1327. goto err;
  1328. }
  1329. if (SSL_IS_DTLS(s)) {
  1330. if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
  1331. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1332. SSL_R_LENGTH_MISMATCH);
  1333. goto err;
  1334. }
  1335. if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
  1336. DTLS1_COOKIE_LENGTH,
  1337. &clienthello->dtls_cookie_len)) {
  1338. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1339. SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
  1340. goto err;
  1341. }
  1342. /*
  1343. * If we require cookies and this ClientHello doesn't contain one,
  1344. * just return since we do not want to allocate any memory yet.
  1345. * So check cookie length...
  1346. */
  1347. if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
  1348. if (clienthello->dtls_cookie_len == 0) {
  1349. OPENSSL_free(clienthello);
  1350. return MSG_PROCESS_FINISHED_READING;
  1351. }
  1352. }
  1353. }
  1354. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
  1355. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1356. SSL_R_LENGTH_MISMATCH);
  1357. goto err;
  1358. }
  1359. if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
  1360. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1361. SSL_R_LENGTH_MISMATCH);
  1362. goto err;
  1363. }
  1364. /* Could be empty. */
  1365. if (PACKET_remaining(pkt) == 0) {
  1366. PACKET_null_init(&clienthello->extensions);
  1367. } else {
  1368. if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
  1369. || PACKET_remaining(pkt) != 0) {
  1370. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1371. SSL_R_LENGTH_MISMATCH);
  1372. goto err;
  1373. }
  1374. }
  1375. }
  1376. if (!PACKET_copy_all(&compression, clienthello->compressions,
  1377. MAX_COMPRESSIONS_SIZE,
  1378. &clienthello->compressions_len)) {
  1379. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
  1380. ERR_R_INTERNAL_ERROR);
  1381. goto err;
  1382. }
  1383. /* Preserve the raw extensions PACKET for later use */
  1384. extensions = clienthello->extensions;
  1385. if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
  1386. &clienthello->pre_proc_exts,
  1387. &clienthello->pre_proc_exts_len, 1)) {
  1388. /* SSLfatal already been called */
  1389. goto err;
  1390. }
  1391. s->clienthello = clienthello;
  1392. return MSG_PROCESS_CONTINUE_PROCESSING;
  1393. err:
  1394. if (clienthello != NULL)
  1395. OPENSSL_free(clienthello->pre_proc_exts);
  1396. OPENSSL_free(clienthello);
  1397. return MSG_PROCESS_ERROR;
  1398. }
  1399. static int tls_early_post_process_client_hello(SSL *s)
  1400. {
  1401. unsigned int j;
  1402. int i, al = SSL_AD_INTERNAL_ERROR;
  1403. int protverr;
  1404. size_t loop;
  1405. unsigned long id;
  1406. #ifndef OPENSSL_NO_COMP
  1407. SSL_COMP *comp = NULL;
  1408. #endif
  1409. const SSL_CIPHER *c;
  1410. STACK_OF(SSL_CIPHER) *ciphers = NULL;
  1411. STACK_OF(SSL_CIPHER) *scsvs = NULL;
  1412. CLIENTHELLO_MSG *clienthello = s->clienthello;
  1413. DOWNGRADE dgrd = DOWNGRADE_NONE;
  1414. /* Finished parsing the ClientHello, now we can start processing it */
  1415. /* Give the ClientHello callback a crack at things */
  1416. if (s->ctx->client_hello_cb != NULL) {
  1417. /* A failure in the ClientHello callback terminates the connection. */
  1418. switch (s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg)) {
  1419. case SSL_CLIENT_HELLO_SUCCESS:
  1420. break;
  1421. case SSL_CLIENT_HELLO_RETRY:
  1422. s->rwstate = SSL_CLIENT_HELLO_CB;
  1423. return -1;
  1424. case SSL_CLIENT_HELLO_ERROR:
  1425. default:
  1426. SSLfatal(s, al,
  1427. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1428. SSL_R_CALLBACK_FAILED);
  1429. goto err;
  1430. }
  1431. }
  1432. /* Set up the client_random */
  1433. memcpy(s->s3.client_random, clienthello->random, SSL3_RANDOM_SIZE);
  1434. /* Choose the version */
  1435. if (clienthello->isv2) {
  1436. if (clienthello->legacy_version == SSL2_VERSION
  1437. || (clienthello->legacy_version & 0xff00)
  1438. != (SSL3_VERSION_MAJOR << 8)) {
  1439. /*
  1440. * This is real SSLv2 or something completely unknown. We don't
  1441. * support it.
  1442. */
  1443. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1444. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1445. SSL_R_UNKNOWN_PROTOCOL);
  1446. goto err;
  1447. }
  1448. /* SSLv3/TLS */
  1449. s->client_version = clienthello->legacy_version;
  1450. }
  1451. /*
  1452. * Do SSL/TLS version negotiation if applicable. For DTLS we just check
  1453. * versions are potentially compatible. Version negotiation comes later.
  1454. */
  1455. if (!SSL_IS_DTLS(s)) {
  1456. protverr = ssl_choose_server_version(s, clienthello, &dgrd);
  1457. } else if (s->method->version != DTLS_ANY_VERSION &&
  1458. DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
  1459. protverr = SSL_R_VERSION_TOO_LOW;
  1460. } else {
  1461. protverr = 0;
  1462. }
  1463. if (protverr) {
  1464. if (SSL_IS_FIRST_HANDSHAKE(s)) {
  1465. /* like ssl3_get_record, send alert using remote version number */
  1466. s->version = s->client_version = clienthello->legacy_version;
  1467. }
  1468. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1469. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
  1470. goto err;
  1471. }
  1472. /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
  1473. if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  1474. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  1475. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1476. SSL_R_NOT_ON_RECORD_BOUNDARY);
  1477. goto err;
  1478. }
  1479. if (SSL_IS_DTLS(s)) {
  1480. /* Empty cookie was already handled above by returning early. */
  1481. if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
  1482. if (s->ctx->app_verify_cookie_cb != NULL) {
  1483. if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie,
  1484. clienthello->dtls_cookie_len) == 0) {
  1485. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1486. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1487. SSL_R_COOKIE_MISMATCH);
  1488. goto err;
  1489. /* else cookie verification succeeded */
  1490. }
  1491. /* default verification */
  1492. } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
  1493. || memcmp(clienthello->dtls_cookie, s->d1->cookie,
  1494. s->d1->cookie_len) != 0) {
  1495. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1496. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1497. SSL_R_COOKIE_MISMATCH);
  1498. goto err;
  1499. }
  1500. s->d1->cookie_verified = 1;
  1501. }
  1502. if (s->method->version == DTLS_ANY_VERSION) {
  1503. protverr = ssl_choose_server_version(s, clienthello, &dgrd);
  1504. if (protverr != 0) {
  1505. s->version = s->client_version;
  1506. SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
  1507. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
  1508. goto err;
  1509. }
  1510. }
  1511. }
  1512. s->hit = 0;
  1513. if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
  1514. clienthello->isv2) ||
  1515. !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs,
  1516. clienthello->isv2, 1)) {
  1517. /* SSLfatal() already called */
  1518. goto err;
  1519. }
  1520. s->s3.send_connection_binding = 0;
  1521. /* Check what signalling cipher-suite values were received. */
  1522. if (scsvs != NULL) {
  1523. for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
  1524. c = sk_SSL_CIPHER_value(scsvs, i);
  1525. if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
  1526. if (s->renegotiate) {
  1527. /* SCSV is fatal if renegotiating */
  1528. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1529. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1530. SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
  1531. goto err;
  1532. }
  1533. s->s3.send_connection_binding = 1;
  1534. } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
  1535. !ssl_check_version_downgrade(s)) {
  1536. /*
  1537. * This SCSV indicates that the client previously tried
  1538. * a higher version. We should fail if the current version
  1539. * is an unexpected downgrade, as that indicates that the first
  1540. * connection may have been tampered with in order to trigger
  1541. * an insecure downgrade.
  1542. */
  1543. SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK,
  1544. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1545. SSL_R_INAPPROPRIATE_FALLBACK);
  1546. goto err;
  1547. }
  1548. }
  1549. }
  1550. /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
  1551. if (SSL_IS_TLS13(s)) {
  1552. const SSL_CIPHER *cipher =
  1553. ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
  1554. if (cipher == NULL) {
  1555. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1556. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1557. SSL_R_NO_SHARED_CIPHER);
  1558. goto err;
  1559. }
  1560. if (s->hello_retry_request == SSL_HRR_PENDING
  1561. && (s->s3.tmp.new_cipher == NULL
  1562. || s->s3.tmp.new_cipher->id != cipher->id)) {
  1563. /*
  1564. * A previous HRR picked a different ciphersuite to the one we
  1565. * just selected. Something must have changed.
  1566. */
  1567. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1568. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1569. SSL_R_BAD_CIPHER);
  1570. goto err;
  1571. }
  1572. s->s3.tmp.new_cipher = cipher;
  1573. }
  1574. /* We need to do this before getting the session */
  1575. if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
  1576. SSL_EXT_CLIENT_HELLO,
  1577. clienthello->pre_proc_exts, NULL, 0)) {
  1578. /* SSLfatal() already called */
  1579. goto err;
  1580. }
  1581. /*
  1582. * We don't allow resumption in a backwards compatible ClientHello.
  1583. * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
  1584. *
  1585. * Versions before 0.9.7 always allow clients to resume sessions in
  1586. * renegotiation. 0.9.7 and later allow this by default, but optionally
  1587. * ignore resumption requests with flag
  1588. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
  1589. * than a change to default behavior so that applications relying on
  1590. * this for security won't even compile against older library versions).
  1591. * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
  1592. * request renegotiation but not a new session (s->new_session remains
  1593. * unset): for servers, this essentially just means that the
  1594. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
  1595. * ignored.
  1596. */
  1597. if (clienthello->isv2 ||
  1598. (s->new_session &&
  1599. (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
  1600. if (!ssl_get_new_session(s, 1)) {
  1601. /* SSLfatal() already called */
  1602. goto err;
  1603. }
  1604. } else {
  1605. i = ssl_get_prev_session(s, clienthello);
  1606. if (i == 1) {
  1607. /* previous session */
  1608. s->hit = 1;
  1609. } else if (i == -1) {
  1610. /* SSLfatal() already called */
  1611. goto err;
  1612. } else {
  1613. /* i == 0 */
  1614. if (!ssl_get_new_session(s, 1)) {
  1615. /* SSLfatal() already called */
  1616. goto err;
  1617. }
  1618. }
  1619. }
  1620. if (SSL_IS_TLS13(s)) {
  1621. memcpy(s->tmp_session_id, s->clienthello->session_id,
  1622. s->clienthello->session_id_len);
  1623. s->tmp_session_id_len = s->clienthello->session_id_len;
  1624. }
  1625. /*
  1626. * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
  1627. * ciphersuite compatibility with the session as part of resumption.
  1628. */
  1629. if (!SSL_IS_TLS13(s) && s->hit) {
  1630. j = 0;
  1631. id = s->session->cipher->id;
  1632. OSSL_TRACE_BEGIN(TLS_CIPHER) {
  1633. BIO_printf(trc_out, "client sent %d ciphers\n",
  1634. sk_SSL_CIPHER_num(ciphers));
  1635. }
  1636. for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
  1637. c = sk_SSL_CIPHER_value(ciphers, i);
  1638. if (trc_out != NULL)
  1639. BIO_printf(trc_out, "client [%2d of %2d]:%s\n", i,
  1640. sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
  1641. if (c->id == id) {
  1642. j = 1;
  1643. break;
  1644. }
  1645. }
  1646. if (j == 0) {
  1647. /*
  1648. * we need to have the cipher in the cipher list if we are asked
  1649. * to reuse it
  1650. */
  1651. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1652. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1653. SSL_R_REQUIRED_CIPHER_MISSING);
  1654. OSSL_TRACE_CANCEL(TLS_CIPHER);
  1655. goto err;
  1656. }
  1657. OSSL_TRACE_END(TLS_CIPHER);
  1658. }
  1659. for (loop = 0; loop < clienthello->compressions_len; loop++) {
  1660. if (clienthello->compressions[loop] == 0)
  1661. break;
  1662. }
  1663. if (loop >= clienthello->compressions_len) {
  1664. /* no compress */
  1665. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1666. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1667. SSL_R_NO_COMPRESSION_SPECIFIED);
  1668. goto err;
  1669. }
  1670. #ifndef OPENSSL_NO_EC
  1671. if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
  1672. ssl_check_for_safari(s, clienthello);
  1673. #endif /* !OPENSSL_NO_EC */
  1674. /* TLS extensions */
  1675. if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
  1676. clienthello->pre_proc_exts, NULL, 0, 1)) {
  1677. /* SSLfatal() already called */
  1678. goto err;
  1679. }
  1680. /*
  1681. * Check if we want to use external pre-shared secret for this handshake
  1682. * for not reused session only. We need to generate server_random before
  1683. * calling tls_session_secret_cb in order to allow SessionTicket
  1684. * processing to use it in key derivation.
  1685. */
  1686. {
  1687. unsigned char *pos;
  1688. pos = s->s3.server_random;
  1689. if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
  1690. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1691. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1692. ERR_R_INTERNAL_ERROR);
  1693. goto err;
  1694. }
  1695. }
  1696. if (!s->hit
  1697. && s->version >= TLS1_VERSION
  1698. && !SSL_IS_TLS13(s)
  1699. && !SSL_IS_DTLS(s)
  1700. && s->ext.session_secret_cb) {
  1701. const SSL_CIPHER *pref_cipher = NULL;
  1702. /*
  1703. * s->session->master_key_length is a size_t, but this is an int for
  1704. * backwards compat reasons
  1705. */
  1706. int master_key_length;
  1707. master_key_length = sizeof(s->session->master_key);
  1708. if (s->ext.session_secret_cb(s, s->session->master_key,
  1709. &master_key_length, ciphers,
  1710. &pref_cipher,
  1711. s->ext.session_secret_cb_arg)
  1712. && master_key_length > 0) {
  1713. s->session->master_key_length = master_key_length;
  1714. s->hit = 1;
  1715. s->peer_ciphers = ciphers;
  1716. s->session->verify_result = X509_V_OK;
  1717. ciphers = NULL;
  1718. /* check if some cipher was preferred by call back */
  1719. if (pref_cipher == NULL)
  1720. pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers,
  1721. SSL_get_ciphers(s));
  1722. if (pref_cipher == NULL) {
  1723. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1724. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1725. SSL_R_NO_SHARED_CIPHER);
  1726. goto err;
  1727. }
  1728. s->session->cipher = pref_cipher;
  1729. sk_SSL_CIPHER_free(s->cipher_list);
  1730. s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers);
  1731. sk_SSL_CIPHER_free(s->cipher_list_by_id);
  1732. s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
  1733. }
  1734. }
  1735. /*
  1736. * Worst case, we will use the NULL compression, but if we have other
  1737. * options, we will now look for them. We have complen-1 compression
  1738. * algorithms from the client, starting at q.
  1739. */
  1740. s->s3.tmp.new_compression = NULL;
  1741. if (SSL_IS_TLS13(s)) {
  1742. /*
  1743. * We already checked above that the NULL compression method appears in
  1744. * the list. Now we check there aren't any others (which is illegal in
  1745. * a TLSv1.3 ClientHello.
  1746. */
  1747. if (clienthello->compressions_len != 1) {
  1748. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1749. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1750. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1751. goto err;
  1752. }
  1753. }
  1754. #ifndef OPENSSL_NO_COMP
  1755. /* This only happens if we have a cache hit */
  1756. else if (s->session->compress_meth != 0) {
  1757. int m, comp_id = s->session->compress_meth;
  1758. unsigned int k;
  1759. /* Perform sanity checks on resumed compression algorithm */
  1760. /* Can't disable compression */
  1761. if (!ssl_allow_compression(s)) {
  1762. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1763. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1764. SSL_R_INCONSISTENT_COMPRESSION);
  1765. goto err;
  1766. }
  1767. /* Look for resumed compression method */
  1768. for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
  1769. comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
  1770. if (comp_id == comp->id) {
  1771. s->s3.tmp.new_compression = comp;
  1772. break;
  1773. }
  1774. }
  1775. if (s->s3.tmp.new_compression == NULL) {
  1776. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1777. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1778. SSL_R_INVALID_COMPRESSION_ALGORITHM);
  1779. goto err;
  1780. }
  1781. /* Look for resumed method in compression list */
  1782. for (k = 0; k < clienthello->compressions_len; k++) {
  1783. if (clienthello->compressions[k] == comp_id)
  1784. break;
  1785. }
  1786. if (k >= clienthello->compressions_len) {
  1787. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1788. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1789. SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
  1790. goto err;
  1791. }
  1792. } else if (s->hit) {
  1793. comp = NULL;
  1794. } else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
  1795. /* See if we have a match */
  1796. int m, nn, v, done = 0;
  1797. unsigned int o;
  1798. nn = sk_SSL_COMP_num(s->ctx->comp_methods);
  1799. for (m = 0; m < nn; m++) {
  1800. comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
  1801. v = comp->id;
  1802. for (o = 0; o < clienthello->compressions_len; o++) {
  1803. if (v == clienthello->compressions[o]) {
  1804. done = 1;
  1805. break;
  1806. }
  1807. }
  1808. if (done)
  1809. break;
  1810. }
  1811. if (done)
  1812. s->s3.tmp.new_compression = comp;
  1813. else
  1814. comp = NULL;
  1815. }
  1816. #else
  1817. /*
  1818. * If compression is disabled we'd better not try to resume a session
  1819. * using compression.
  1820. */
  1821. if (s->session->compress_meth != 0) {
  1822. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1823. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1824. SSL_R_INCONSISTENT_COMPRESSION);
  1825. goto err;
  1826. }
  1827. #endif
  1828. /*
  1829. * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher
  1830. */
  1831. if (!s->hit || SSL_IS_TLS13(s)) {
  1832. sk_SSL_CIPHER_free(s->peer_ciphers);
  1833. s->peer_ciphers = ciphers;
  1834. if (ciphers == NULL) {
  1835. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1836. SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
  1837. ERR_R_INTERNAL_ERROR);
  1838. goto err;
  1839. }
  1840. ciphers = NULL;
  1841. }
  1842. if (!s->hit) {
  1843. #ifdef OPENSSL_NO_COMP
  1844. s->session->compress_meth = 0;
  1845. #else
  1846. s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
  1847. #endif
  1848. if (!tls1_set_server_sigalgs(s)) {
  1849. /* SSLfatal() already called */
  1850. goto err;
  1851. }
  1852. }
  1853. sk_SSL_CIPHER_free(ciphers);
  1854. sk_SSL_CIPHER_free(scsvs);
  1855. OPENSSL_free(clienthello->pre_proc_exts);
  1856. OPENSSL_free(s->clienthello);
  1857. s->clienthello = NULL;
  1858. return 1;
  1859. err:
  1860. sk_SSL_CIPHER_free(ciphers);
  1861. sk_SSL_CIPHER_free(scsvs);
  1862. OPENSSL_free(clienthello->pre_proc_exts);
  1863. OPENSSL_free(s->clienthello);
  1864. s->clienthello = NULL;
  1865. return 0;
  1866. }
  1867. /*
  1868. * Call the status request callback if needed. Upon success, returns 1.
  1869. * Upon failure, returns 0.
  1870. */
  1871. static int tls_handle_status_request(SSL *s)
  1872. {
  1873. s->ext.status_expected = 0;
  1874. /*
  1875. * If status request then ask callback what to do. Note: this must be
  1876. * called after servername callbacks in case the certificate has changed,
  1877. * and must be called after the cipher has been chosen because this may
  1878. * influence which certificate is sent
  1879. */
  1880. if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
  1881. && s->ctx->ext.status_cb != NULL) {
  1882. int ret;
  1883. /* If no certificate can't return certificate status */
  1884. if (s->s3.tmp.cert != NULL) {
  1885. /*
  1886. * Set current certificate to one we will use so SSL_get_certificate
  1887. * et al can pick it up.
  1888. */
  1889. s->cert->key = s->s3.tmp.cert;
  1890. ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
  1891. switch (ret) {
  1892. /* We don't want to send a status request response */
  1893. case SSL_TLSEXT_ERR_NOACK:
  1894. s->ext.status_expected = 0;
  1895. break;
  1896. /* status request response should be sent */
  1897. case SSL_TLSEXT_ERR_OK:
  1898. if (s->ext.ocsp.resp)
  1899. s->ext.status_expected = 1;
  1900. break;
  1901. /* something bad happened */
  1902. case SSL_TLSEXT_ERR_ALERT_FATAL:
  1903. default:
  1904. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1905. SSL_F_TLS_HANDLE_STATUS_REQUEST,
  1906. SSL_R_CLIENTHELLO_TLSEXT);
  1907. return 0;
  1908. }
  1909. }
  1910. }
  1911. return 1;
  1912. }
  1913. /*
  1914. * Call the alpn_select callback if needed. Upon success, returns 1.
  1915. * Upon failure, returns 0.
  1916. */
  1917. int tls_handle_alpn(SSL *s)
  1918. {
  1919. const unsigned char *selected = NULL;
  1920. unsigned char selected_len = 0;
  1921. if (s->ctx->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) {
  1922. int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len,
  1923. s->s3.alpn_proposed,
  1924. (unsigned int)s->s3.alpn_proposed_len,
  1925. s->ctx->ext.alpn_select_cb_arg);
  1926. if (r == SSL_TLSEXT_ERR_OK) {
  1927. OPENSSL_free(s->s3.alpn_selected);
  1928. s->s3.alpn_selected = OPENSSL_memdup(selected, selected_len);
  1929. if (s->s3.alpn_selected == NULL) {
  1930. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN,
  1931. ERR_R_INTERNAL_ERROR);
  1932. return 0;
  1933. }
  1934. s->s3.alpn_selected_len = selected_len;
  1935. #ifndef OPENSSL_NO_NEXTPROTONEG
  1936. /* ALPN takes precedence over NPN. */
  1937. s->s3.npn_seen = 0;
  1938. #endif
  1939. /* Check ALPN is consistent with session */
  1940. if (s->session->ext.alpn_selected == NULL
  1941. || selected_len != s->session->ext.alpn_selected_len
  1942. || memcmp(selected, s->session->ext.alpn_selected,
  1943. selected_len) != 0) {
  1944. /* Not consistent so can't be used for early_data */
  1945. s->ext.early_data_ok = 0;
  1946. if (!s->hit) {
  1947. /*
  1948. * This is a new session and so alpn_selected should have
  1949. * been initialised to NULL. We should update it with the
  1950. * selected ALPN.
  1951. */
  1952. if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
  1953. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1954. SSL_F_TLS_HANDLE_ALPN,
  1955. ERR_R_INTERNAL_ERROR);
  1956. return 0;
  1957. }
  1958. s->session->ext.alpn_selected = OPENSSL_memdup(selected,
  1959. selected_len);
  1960. if (s->session->ext.alpn_selected == NULL) {
  1961. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1962. SSL_F_TLS_HANDLE_ALPN,
  1963. ERR_R_INTERNAL_ERROR);
  1964. return 0;
  1965. }
  1966. s->session->ext.alpn_selected_len = selected_len;
  1967. }
  1968. }
  1969. return 1;
  1970. } else if (r != SSL_TLSEXT_ERR_NOACK) {
  1971. SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, SSL_F_TLS_HANDLE_ALPN,
  1972. SSL_R_NO_APPLICATION_PROTOCOL);
  1973. return 0;
  1974. }
  1975. /*
  1976. * If r == SSL_TLSEXT_ERR_NOACK then behave as if no callback was
  1977. * present.
  1978. */
  1979. }
  1980. /* Check ALPN is consistent with session */
  1981. if (s->session->ext.alpn_selected != NULL) {
  1982. /* Not consistent so can't be used for early_data */
  1983. s->ext.early_data_ok = 0;
  1984. }
  1985. return 1;
  1986. }
  1987. WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
  1988. {
  1989. const SSL_CIPHER *cipher;
  1990. if (wst == WORK_MORE_A) {
  1991. int rv = tls_early_post_process_client_hello(s);
  1992. if (rv == 0) {
  1993. /* SSLfatal() was already called */
  1994. goto err;
  1995. }
  1996. if (rv < 0)
  1997. return WORK_MORE_A;
  1998. wst = WORK_MORE_B;
  1999. }
  2000. if (wst == WORK_MORE_B) {
  2001. if (!s->hit || SSL_IS_TLS13(s)) {
  2002. /* Let cert callback update server certificates if required */
  2003. if (!s->hit && s->cert->cert_cb != NULL) {
  2004. int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
  2005. if (rv == 0) {
  2006. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2007. SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
  2008. SSL_R_CERT_CB_ERROR);
  2009. goto err;
  2010. }
  2011. if (rv < 0) {
  2012. s->rwstate = SSL_X509_LOOKUP;
  2013. return WORK_MORE_B;
  2014. }
  2015. s->rwstate = SSL_NOTHING;
  2016. }
  2017. /* In TLSv1.3 we selected the ciphersuite before resumption */
  2018. if (!SSL_IS_TLS13(s)) {
  2019. cipher =
  2020. ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(s));
  2021. if (cipher == NULL) {
  2022. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2023. SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
  2024. SSL_R_NO_SHARED_CIPHER);
  2025. goto err;
  2026. }
  2027. s->s3.tmp.new_cipher = cipher;
  2028. }
  2029. if (!s->hit) {
  2030. if (!tls_choose_sigalg(s, 1)) {
  2031. /* SSLfatal already called */
  2032. goto err;
  2033. }
  2034. /* check whether we should disable session resumption */
  2035. if (s->not_resumable_session_cb != NULL)
  2036. s->session->not_resumable =
  2037. s->not_resumable_session_cb(s,
  2038. ((s->s3.tmp.new_cipher->algorithm_mkey
  2039. & (SSL_kDHE | SSL_kECDHE)) != 0));
  2040. if (s->session->not_resumable)
  2041. /* do not send a session ticket */
  2042. s->ext.ticket_expected = 0;
  2043. }
  2044. } else {
  2045. /* Session-id reuse */
  2046. s->s3.tmp.new_cipher = s->session->cipher;
  2047. }
  2048. /*-
  2049. * we now have the following setup.
  2050. * client_random
  2051. * cipher_list - our preferred list of ciphers
  2052. * ciphers - the clients preferred list of ciphers
  2053. * compression - basically ignored right now
  2054. * ssl version is set - sslv3
  2055. * s->session - The ssl session has been setup.
  2056. * s->hit - session reuse flag
  2057. * s->s3.tmp.new_cipher - the new cipher to use.
  2058. */
  2059. /*
  2060. * Call status_request callback if needed. Has to be done after the
  2061. * certificate callbacks etc above.
  2062. */
  2063. if (!tls_handle_status_request(s)) {
  2064. /* SSLfatal() already called */
  2065. goto err;
  2066. }
  2067. /*
  2068. * Call alpn_select callback if needed. Has to be done after SNI and
  2069. * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
  2070. * we already did this because cipher negotiation happens earlier, and
  2071. * we must handle ALPN before we decide whether to accept early_data.
  2072. */
  2073. if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) {
  2074. /* SSLfatal() already called */
  2075. goto err;
  2076. }
  2077. wst = WORK_MORE_C;
  2078. }
  2079. #ifndef OPENSSL_NO_SRP
  2080. if (wst == WORK_MORE_C) {
  2081. int ret;
  2082. if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) {
  2083. /*
  2084. * callback indicates further work to be done
  2085. */
  2086. s->rwstate = SSL_X509_LOOKUP;
  2087. return WORK_MORE_C;
  2088. }
  2089. if (ret < 0) {
  2090. /* SSLfatal() already called */
  2091. goto err;
  2092. }
  2093. }
  2094. #endif
  2095. return WORK_FINISHED_STOP;
  2096. err:
  2097. return WORK_ERROR;
  2098. }
  2099. int tls_construct_server_hello(SSL *s, WPACKET *pkt)
  2100. {
  2101. int compm;
  2102. size_t sl, len;
  2103. int version;
  2104. unsigned char *session_id;
  2105. int usetls13 = SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING;
  2106. version = usetls13 ? TLS1_2_VERSION : s->version;
  2107. if (!WPACKET_put_bytes_u16(pkt, version)
  2108. /*
  2109. * Random stuff. Filling of the server_random takes place in
  2110. * tls_process_client_hello()
  2111. */
  2112. || !WPACKET_memcpy(pkt,
  2113. s->hello_retry_request == SSL_HRR_PENDING
  2114. ? hrrrandom : s->s3.server_random,
  2115. SSL3_RANDOM_SIZE)) {
  2116. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
  2117. ERR_R_INTERNAL_ERROR);
  2118. return 0;
  2119. }
  2120. /*-
  2121. * There are several cases for the session ID to send
  2122. * back in the server hello:
  2123. * - For session reuse from the session cache,
  2124. * we send back the old session ID.
  2125. * - If stateless session reuse (using a session ticket)
  2126. * is successful, we send back the client's "session ID"
  2127. * (which doesn't actually identify the session).
  2128. * - If it is a new session, we send back the new
  2129. * session ID.
  2130. * - However, if we want the new session to be single-use,
  2131. * we send back a 0-length session ID.
  2132. * - In TLSv1.3 we echo back the session id sent to us by the client
  2133. * regardless
  2134. * s->hit is non-zero in either case of session reuse,
  2135. * so the following won't overwrite an ID that we're supposed
  2136. * to send back.
  2137. */
  2138. if (s->session->not_resumable ||
  2139. (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
  2140. && !s->hit))
  2141. s->session->session_id_length = 0;
  2142. if (usetls13) {
  2143. sl = s->tmp_session_id_len;
  2144. session_id = s->tmp_session_id;
  2145. } else {
  2146. sl = s->session->session_id_length;
  2147. session_id = s->session->session_id;
  2148. }
  2149. if (sl > sizeof(s->session->session_id)) {
  2150. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
  2151. ERR_R_INTERNAL_ERROR);
  2152. return 0;
  2153. }
  2154. /* set up the compression method */
  2155. #ifdef OPENSSL_NO_COMP
  2156. compm = 0;
  2157. #else
  2158. if (usetls13 || s->s3.tmp.new_compression == NULL)
  2159. compm = 0;
  2160. else
  2161. compm = s->s3.tmp.new_compression->id;
  2162. #endif
  2163. if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl)
  2164. || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt, &len)
  2165. || !WPACKET_put_bytes_u8(pkt, compm)) {
  2166. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
  2167. ERR_R_INTERNAL_ERROR);
  2168. return 0;
  2169. }
  2170. if (!tls_construct_extensions(s, pkt,
  2171. s->hello_retry_request == SSL_HRR_PENDING
  2172. ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
  2173. : (SSL_IS_TLS13(s)
  2174. ? SSL_EXT_TLS1_3_SERVER_HELLO
  2175. : SSL_EXT_TLS1_2_SERVER_HELLO),
  2176. NULL, 0)) {
  2177. /* SSLfatal() already called */
  2178. return 0;
  2179. }
  2180. if (s->hello_retry_request == SSL_HRR_PENDING) {
  2181. /* Ditch the session. We'll create a new one next time around */
  2182. SSL_SESSION_free(s->session);
  2183. s->session = NULL;
  2184. s->hit = 0;
  2185. /*
  2186. * Re-initialise the Transcript Hash. We're going to prepopulate it with
  2187. * a synthetic message_hash in place of ClientHello1.
  2188. */
  2189. if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
  2190. /* SSLfatal() already called */
  2191. return 0;
  2192. }
  2193. } else if (!(s->verify_mode & SSL_VERIFY_PEER)
  2194. && !ssl3_digest_cached_records(s, 0)) {
  2195. /* SSLfatal() already called */;
  2196. return 0;
  2197. }
  2198. return 1;
  2199. }
  2200. int tls_construct_server_done(SSL *s, WPACKET *pkt)
  2201. {
  2202. if (!s->s3.tmp.cert_request) {
  2203. if (!ssl3_digest_cached_records(s, 0)) {
  2204. /* SSLfatal() already called */
  2205. return 0;
  2206. }
  2207. }
  2208. return 1;
  2209. }
  2210. int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
  2211. {
  2212. #ifndef OPENSSL_NO_DH
  2213. EVP_PKEY *pkdh = NULL;
  2214. #endif
  2215. #ifndef OPENSSL_NO_EC
  2216. unsigned char *encodedPoint = NULL;
  2217. size_t encodedlen = 0;
  2218. int curve_id = 0;
  2219. #endif
  2220. const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
  2221. int i;
  2222. unsigned long type;
  2223. const BIGNUM *r[4];
  2224. EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
  2225. EVP_PKEY_CTX *pctx = NULL;
  2226. size_t paramlen, paramoffset;
  2227. if (!WPACKET_get_total_written(pkt, &paramoffset)) {
  2228. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2229. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  2230. goto err;
  2231. }
  2232. if (md_ctx == NULL) {
  2233. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2234. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
  2235. goto err;
  2236. }
  2237. type = s->s3.tmp.new_cipher->algorithm_mkey;
  2238. r[0] = r[1] = r[2] = r[3] = NULL;
  2239. #ifndef OPENSSL_NO_PSK
  2240. /* Plain PSK or RSAPSK nothing to do */
  2241. if (type & (SSL_kPSK | SSL_kRSAPSK)) {
  2242. } else
  2243. #endif /* !OPENSSL_NO_PSK */
  2244. #ifndef OPENSSL_NO_DH
  2245. if (type & (SSL_kDHE | SSL_kDHEPSK)) {
  2246. CERT *cert = s->cert;
  2247. EVP_PKEY *pkdhp = NULL;
  2248. DH *dh;
  2249. if (s->cert->dh_tmp_auto) {
  2250. DH *dhp = ssl_get_auto_dh(s);
  2251. pkdh = EVP_PKEY_new();
  2252. if (pkdh == NULL || dhp == NULL) {
  2253. DH_free(dhp);
  2254. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2255. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2256. ERR_R_INTERNAL_ERROR);
  2257. goto err;
  2258. }
  2259. EVP_PKEY_assign_DH(pkdh, dhp);
  2260. pkdhp = pkdh;
  2261. } else {
  2262. pkdhp = cert->dh_tmp;
  2263. }
  2264. if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
  2265. DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
  2266. pkdh = ssl_dh_to_pkey(dhp);
  2267. if (pkdh == NULL) {
  2268. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2269. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2270. ERR_R_INTERNAL_ERROR);
  2271. goto err;
  2272. }
  2273. pkdhp = pkdh;
  2274. }
  2275. if (pkdhp == NULL) {
  2276. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2277. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2278. SSL_R_MISSING_TMP_DH_KEY);
  2279. goto err;
  2280. }
  2281. if (!ssl_security(s, SSL_SECOP_TMP_DH,
  2282. EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
  2283. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2284. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2285. SSL_R_DH_KEY_TOO_SMALL);
  2286. goto err;
  2287. }
  2288. if (s->s3.tmp.pkey != NULL) {
  2289. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2290. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2291. ERR_R_INTERNAL_ERROR);
  2292. goto err;
  2293. }
  2294. s->s3.tmp.pkey = ssl_generate_pkey(pkdhp);
  2295. if (s->s3.tmp.pkey == NULL) {
  2296. /* SSLfatal() already called */
  2297. goto err;
  2298. }
  2299. dh = EVP_PKEY_get0_DH(s->s3.tmp.pkey);
  2300. if (dh == NULL) {
  2301. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2302. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2303. ERR_R_INTERNAL_ERROR);
  2304. goto err;
  2305. }
  2306. EVP_PKEY_free(pkdh);
  2307. pkdh = NULL;
  2308. DH_get0_pqg(dh, &r[0], NULL, &r[1]);
  2309. DH_get0_key(dh, &r[2], NULL);
  2310. } else
  2311. #endif
  2312. #ifndef OPENSSL_NO_EC
  2313. if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2314. if (s->s3.tmp.pkey != NULL) {
  2315. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2316. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2317. ERR_R_INTERNAL_ERROR);
  2318. goto err;
  2319. }
  2320. /* Get NID of appropriate shared curve */
  2321. curve_id = tls1_shared_group(s, -2);
  2322. if (curve_id == 0) {
  2323. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  2324. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2325. SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
  2326. goto err;
  2327. }
  2328. s->s3.tmp.pkey = ssl_generate_pkey_group(s, curve_id);
  2329. /* Generate a new key for this curve */
  2330. if (s->s3.tmp.pkey == NULL) {
  2331. /* SSLfatal() already called */
  2332. goto err;
  2333. }
  2334. /* Encode the public key. */
  2335. encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3.tmp.pkey,
  2336. &encodedPoint);
  2337. if (encodedlen == 0) {
  2338. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2339. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
  2340. goto err;
  2341. }
  2342. /*
  2343. * We'll generate the serverKeyExchange message explicitly so we
  2344. * can set these to NULLs
  2345. */
  2346. r[0] = NULL;
  2347. r[1] = NULL;
  2348. r[2] = NULL;
  2349. r[3] = NULL;
  2350. } else
  2351. #endif /* !OPENSSL_NO_EC */
  2352. #ifndef OPENSSL_NO_SRP
  2353. if (type & SSL_kSRP) {
  2354. if ((s->srp_ctx.N == NULL) ||
  2355. (s->srp_ctx.g == NULL) ||
  2356. (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
  2357. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2358. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2359. SSL_R_MISSING_SRP_PARAM);
  2360. goto err;
  2361. }
  2362. r[0] = s->srp_ctx.N;
  2363. r[1] = s->srp_ctx.g;
  2364. r[2] = s->srp_ctx.s;
  2365. r[3] = s->srp_ctx.B;
  2366. } else
  2367. #endif
  2368. {
  2369. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2370. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2371. SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
  2372. goto err;
  2373. }
  2374. if (((s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
  2375. || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
  2376. lu = NULL;
  2377. } else if (lu == NULL) {
  2378. SSLfatal(s, SSL_AD_DECODE_ERROR,
  2379. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  2380. goto err;
  2381. }
  2382. #ifndef OPENSSL_NO_PSK
  2383. if (type & SSL_PSK) {
  2384. size_t len = (s->cert->psk_identity_hint == NULL)
  2385. ? 0 : strlen(s->cert->psk_identity_hint);
  2386. /*
  2387. * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
  2388. * checked this when we set the identity hint - but just in case
  2389. */
  2390. if (len > PSK_MAX_IDENTITY_LEN
  2391. || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
  2392. len)) {
  2393. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2394. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2395. ERR_R_INTERNAL_ERROR);
  2396. goto err;
  2397. }
  2398. }
  2399. #endif
  2400. for (i = 0; i < 4 && r[i] != NULL; i++) {
  2401. unsigned char *binval;
  2402. int res;
  2403. #ifndef OPENSSL_NO_SRP
  2404. if ((i == 2) && (type & SSL_kSRP)) {
  2405. res = WPACKET_start_sub_packet_u8(pkt);
  2406. } else
  2407. #endif
  2408. res = WPACKET_start_sub_packet_u16(pkt);
  2409. if (!res) {
  2410. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2411. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2412. ERR_R_INTERNAL_ERROR);
  2413. goto err;
  2414. }
  2415. #ifndef OPENSSL_NO_DH
  2416. /*-
  2417. * for interoperability with some versions of the Microsoft TLS
  2418. * stack, we need to zero pad the DHE pub key to the same length
  2419. * as the prime
  2420. */
  2421. if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
  2422. size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
  2423. if (len > 0) {
  2424. if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
  2425. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2426. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2427. ERR_R_INTERNAL_ERROR);
  2428. goto err;
  2429. }
  2430. memset(binval, 0, len);
  2431. }
  2432. }
  2433. #endif
  2434. if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
  2435. || !WPACKET_close(pkt)) {
  2436. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2437. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2438. ERR_R_INTERNAL_ERROR);
  2439. goto err;
  2440. }
  2441. BN_bn2bin(r[i], binval);
  2442. }
  2443. #ifndef OPENSSL_NO_EC
  2444. if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
  2445. /*
  2446. * We only support named (not generic) curves. In this situation, the
  2447. * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
  2448. * [1 byte length of encoded point], followed by the actual encoded
  2449. * point itself
  2450. */
  2451. if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
  2452. || !WPACKET_put_bytes_u8(pkt, 0)
  2453. || !WPACKET_put_bytes_u8(pkt, curve_id)
  2454. || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
  2455. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2456. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2457. ERR_R_INTERNAL_ERROR);
  2458. goto err;
  2459. }
  2460. OPENSSL_free(encodedPoint);
  2461. encodedPoint = NULL;
  2462. }
  2463. #endif
  2464. /* not anonymous */
  2465. if (lu != NULL) {
  2466. EVP_PKEY *pkey = s->s3.tmp.cert->privatekey;
  2467. const EVP_MD *md;
  2468. unsigned char *sigbytes1, *sigbytes2, *tbs;
  2469. size_t siglen, tbslen;
  2470. int rv;
  2471. if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
  2472. /* Should never happen */
  2473. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2474. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2475. ERR_R_INTERNAL_ERROR);
  2476. goto err;
  2477. }
  2478. /* Get length of the parameters we have written above */
  2479. if (!WPACKET_get_length(pkt, &paramlen)) {
  2480. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2481. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2482. ERR_R_INTERNAL_ERROR);
  2483. goto err;
  2484. }
  2485. /* send signature algorithm */
  2486. if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
  2487. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2488. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2489. ERR_R_INTERNAL_ERROR);
  2490. goto err;
  2491. }
  2492. /*
  2493. * Create the signature. We don't know the actual length of the sig
  2494. * until after we've created it, so we reserve enough bytes for it
  2495. * up front, and then properly allocate them in the WPACKET
  2496. * afterwards.
  2497. */
  2498. siglen = EVP_PKEY_size(pkey);
  2499. if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
  2500. || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
  2501. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2502. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2503. ERR_R_INTERNAL_ERROR);
  2504. goto err;
  2505. }
  2506. if (lu->sig == EVP_PKEY_RSA_PSS) {
  2507. if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
  2508. || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
  2509. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2510. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2511. ERR_R_EVP_LIB);
  2512. goto err;
  2513. }
  2514. }
  2515. tbslen = construct_key_exchange_tbs(s, &tbs,
  2516. s->init_buf->data + paramoffset,
  2517. paramlen);
  2518. if (tbslen == 0) {
  2519. /* SSLfatal() already called */
  2520. goto err;
  2521. }
  2522. rv = EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen);
  2523. OPENSSL_free(tbs);
  2524. if (rv <= 0 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
  2525. || sigbytes1 != sigbytes2) {
  2526. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2527. SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
  2528. ERR_R_INTERNAL_ERROR);
  2529. goto err;
  2530. }
  2531. }
  2532. EVP_MD_CTX_free(md_ctx);
  2533. return 1;
  2534. err:
  2535. #ifndef OPENSSL_NO_DH
  2536. EVP_PKEY_free(pkdh);
  2537. #endif
  2538. #ifndef OPENSSL_NO_EC
  2539. OPENSSL_free(encodedPoint);
  2540. #endif
  2541. EVP_MD_CTX_free(md_ctx);
  2542. return 0;
  2543. }
  2544. int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
  2545. {
  2546. if (SSL_IS_TLS13(s)) {
  2547. /* Send random context when doing post-handshake auth */
  2548. if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
  2549. OPENSSL_free(s->pha_context);
  2550. s->pha_context_len = 32;
  2551. if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL
  2552. || RAND_bytes(s->pha_context, s->pha_context_len) <= 0
  2553. || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
  2554. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2555. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
  2556. ERR_R_INTERNAL_ERROR);
  2557. return 0;
  2558. }
  2559. /* reset the handshake hash back to just after the ClientFinished */
  2560. if (!tls13_restore_handshake_digest_for_pha(s)) {
  2561. /* SSLfatal() already called */
  2562. return 0;
  2563. }
  2564. } else {
  2565. if (!WPACKET_put_bytes_u8(pkt, 0)) {
  2566. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2567. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
  2568. ERR_R_INTERNAL_ERROR);
  2569. return 0;
  2570. }
  2571. }
  2572. if (!tls_construct_extensions(s, pkt,
  2573. SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
  2574. 0)) {
  2575. /* SSLfatal() already called */
  2576. return 0;
  2577. }
  2578. goto done;
  2579. }
  2580. /* get the list of acceptable cert types */
  2581. if (!WPACKET_start_sub_packet_u8(pkt)
  2582. || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
  2583. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2584. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
  2585. return 0;
  2586. }
  2587. if (SSL_USE_SIGALGS(s)) {
  2588. const uint16_t *psigs;
  2589. size_t nl = tls12_get_psigalgs(s, 1, &psigs);
  2590. if (!WPACKET_start_sub_packet_u16(pkt)
  2591. || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
  2592. || !tls12_copy_sigalgs(s, pkt, psigs, nl)
  2593. || !WPACKET_close(pkt)) {
  2594. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2595. SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
  2596. ERR_R_INTERNAL_ERROR);
  2597. return 0;
  2598. }
  2599. }
  2600. if (!construct_ca_names(s, get_ca_names(s), pkt)) {
  2601. /* SSLfatal() already called */
  2602. return 0;
  2603. }
  2604. done:
  2605. s->certreqs_sent++;
  2606. s->s3.tmp.cert_request = 1;
  2607. return 1;
  2608. }
  2609. static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)
  2610. {
  2611. #ifndef OPENSSL_NO_PSK
  2612. unsigned char psk[PSK_MAX_PSK_LEN];
  2613. size_t psklen;
  2614. PACKET psk_identity;
  2615. if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
  2616. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2617. SSL_R_LENGTH_MISMATCH);
  2618. return 0;
  2619. }
  2620. if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
  2621. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2622. SSL_R_DATA_LENGTH_TOO_LONG);
  2623. return 0;
  2624. }
  2625. if (s->psk_server_callback == NULL) {
  2626. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2627. SSL_R_PSK_NO_SERVER_CB);
  2628. return 0;
  2629. }
  2630. if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
  2631. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2632. ERR_R_INTERNAL_ERROR);
  2633. return 0;
  2634. }
  2635. psklen = s->psk_server_callback(s, s->session->psk_identity,
  2636. psk, sizeof(psk));
  2637. if (psklen > PSK_MAX_PSK_LEN) {
  2638. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2639. ERR_R_INTERNAL_ERROR);
  2640. return 0;
  2641. } else if (psklen == 0) {
  2642. /*
  2643. * PSK related to the given identity not found
  2644. */
  2645. SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
  2646. SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2647. SSL_R_PSK_IDENTITY_NOT_FOUND);
  2648. return 0;
  2649. }
  2650. OPENSSL_free(s->s3.tmp.psk);
  2651. s->s3.tmp.psk = OPENSSL_memdup(psk, psklen);
  2652. OPENSSL_cleanse(psk, psklen);
  2653. if (s->s3.tmp.psk == NULL) {
  2654. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  2655. SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
  2656. return 0;
  2657. }
  2658. s->s3.tmp.psklen = psklen;
  2659. return 1;
  2660. #else
  2661. /* Should never happen */
  2662. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
  2663. ERR_R_INTERNAL_ERROR);
  2664. return 0;
  2665. #endif
  2666. }
  2667. static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
  2668. {
  2669. #ifndef OPENSSL_NO_RSA
  2670. unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
  2671. int decrypt_len;
  2672. unsigned char decrypt_good, version_good;
  2673. size_t j, padding_len;
  2674. PACKET enc_premaster;
  2675. RSA *rsa = NULL;
  2676. unsigned char *rsa_decrypt = NULL;
  2677. int ret = 0;
  2678. rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey);
  2679. if (rsa == NULL) {
  2680. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2681. SSL_R_MISSING_RSA_CERTIFICATE);
  2682. return 0;
  2683. }
  2684. /* SSLv3 and pre-standard DTLS omit the length bytes. */
  2685. if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
  2686. enc_premaster = *pkt;
  2687. } else {
  2688. if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
  2689. || PACKET_remaining(pkt) != 0) {
  2690. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2691. SSL_R_LENGTH_MISMATCH);
  2692. return 0;
  2693. }
  2694. }
  2695. /*
  2696. * We want to be sure that the plaintext buffer size makes it safe to
  2697. * iterate over the entire size of a premaster secret
  2698. * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
  2699. * their ciphertext cannot accommodate a premaster secret anyway.
  2700. */
  2701. if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
  2702. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2703. RSA_R_KEY_SIZE_TOO_SMALL);
  2704. return 0;
  2705. }
  2706. rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
  2707. if (rsa_decrypt == NULL) {
  2708. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2709. ERR_R_MALLOC_FAILURE);
  2710. return 0;
  2711. }
  2712. /*
  2713. * We must not leak whether a decryption failure occurs because of
  2714. * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
  2715. * section 7.4.7.1). The code follows that advice of the TLS RFC and
  2716. * generates a random premaster secret for the case that the decrypt
  2717. * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
  2718. */
  2719. if (RAND_priv_bytes(rand_premaster_secret,
  2720. sizeof(rand_premaster_secret)) <= 0) {
  2721. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2722. ERR_R_INTERNAL_ERROR);
  2723. goto err;
  2724. }
  2725. /*
  2726. * Decrypt with no padding. PKCS#1 padding will be removed as part of
  2727. * the timing-sensitive code below.
  2728. */
  2729. /* TODO(size_t): Convert this function */
  2730. decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
  2731. PACKET_data(&enc_premaster),
  2732. rsa_decrypt, rsa, RSA_NO_PADDING);
  2733. if (decrypt_len < 0) {
  2734. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2735. ERR_R_INTERNAL_ERROR);
  2736. goto err;
  2737. }
  2738. /* Check the padding. See RFC 3447, section 7.2.2. */
  2739. /*
  2740. * The smallest padded premaster is 11 bytes of overhead. Small keys
  2741. * are publicly invalid, so this may return immediately. This ensures
  2742. * PS is at least 8 bytes.
  2743. */
  2744. if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
  2745. SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2746. SSL_R_DECRYPTION_FAILED);
  2747. goto err;
  2748. }
  2749. padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
  2750. decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
  2751. constant_time_eq_int_8(rsa_decrypt[1], 2);
  2752. for (j = 2; j < padding_len - 1; j++) {
  2753. decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
  2754. }
  2755. decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]);
  2756. /*
  2757. * If the version in the decrypted pre-master secret is correct then
  2758. * version_good will be 0xff, otherwise it'll be zero. The
  2759. * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
  2760. * (http://eprint.iacr.org/2003/052/) exploits the version number
  2761. * check as a "bad version oracle". Thus version checks are done in
  2762. * constant time and are treated like any other decryption error.
  2763. */
  2764. version_good =
  2765. constant_time_eq_8(rsa_decrypt[padding_len],
  2766. (unsigned)(s->client_version >> 8));
  2767. version_good &=
  2768. constant_time_eq_8(rsa_decrypt[padding_len + 1],
  2769. (unsigned)(s->client_version & 0xff));
  2770. /*
  2771. * The premaster secret must contain the same version number as the
  2772. * ClientHello to detect version rollback attacks (strangely, the
  2773. * protocol does not offer such protection for DH ciphersuites).
  2774. * However, buggy clients exist that send the negotiated protocol
  2775. * version instead if the server does not support the requested
  2776. * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
  2777. * clients.
  2778. */
  2779. if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
  2780. unsigned char workaround_good;
  2781. workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
  2782. (unsigned)(s->version >> 8));
  2783. workaround_good &=
  2784. constant_time_eq_8(rsa_decrypt[padding_len + 1],
  2785. (unsigned)(s->version & 0xff));
  2786. version_good |= workaround_good;
  2787. }
  2788. /*
  2789. * Both decryption and version must be good for decrypt_good to
  2790. * remain non-zero (0xff).
  2791. */
  2792. decrypt_good &= version_good;
  2793. /*
  2794. * Now copy rand_premaster_secret over from p using
  2795. * decrypt_good_mask. If decryption failed, then p does not
  2796. * contain valid plaintext, however, a check above guarantees
  2797. * it is still sufficiently large to read from.
  2798. */
  2799. for (j = 0; j < sizeof(rand_premaster_secret); j++) {
  2800. rsa_decrypt[padding_len + j] =
  2801. constant_time_select_8(decrypt_good,
  2802. rsa_decrypt[padding_len + j],
  2803. rand_premaster_secret[j]);
  2804. }
  2805. if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
  2806. sizeof(rand_premaster_secret), 0)) {
  2807. /* SSLfatal() already called */
  2808. goto err;
  2809. }
  2810. ret = 1;
  2811. err:
  2812. OPENSSL_free(rsa_decrypt);
  2813. return ret;
  2814. #else
  2815. /* Should never happen */
  2816. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
  2817. ERR_R_INTERNAL_ERROR);
  2818. return 0;
  2819. #endif
  2820. }
  2821. static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
  2822. {
  2823. #ifndef OPENSSL_NO_DH
  2824. EVP_PKEY *skey = NULL;
  2825. DH *cdh;
  2826. unsigned int i;
  2827. BIGNUM *pub_key;
  2828. const unsigned char *data;
  2829. EVP_PKEY *ckey = NULL;
  2830. int ret = 0;
  2831. if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
  2832. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2833. SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
  2834. goto err;
  2835. }
  2836. skey = s->s3.tmp.pkey;
  2837. if (skey == NULL) {
  2838. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2839. SSL_R_MISSING_TMP_DH_KEY);
  2840. goto err;
  2841. }
  2842. if (PACKET_remaining(pkt) == 0L) {
  2843. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2844. SSL_R_MISSING_TMP_DH_KEY);
  2845. goto err;
  2846. }
  2847. if (!PACKET_get_bytes(pkt, &data, i)) {
  2848. /* We already checked we have enough data */
  2849. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2850. ERR_R_INTERNAL_ERROR);
  2851. goto err;
  2852. }
  2853. ckey = EVP_PKEY_new();
  2854. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
  2855. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2856. SSL_R_BN_LIB);
  2857. goto err;
  2858. }
  2859. cdh = EVP_PKEY_get0_DH(ckey);
  2860. pub_key = BN_bin2bn(data, i, NULL);
  2861. if (pub_key == NULL || cdh == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
  2862. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2863. ERR_R_INTERNAL_ERROR);
  2864. BN_free(pub_key);
  2865. goto err;
  2866. }
  2867. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2868. /* SSLfatal() already called */
  2869. goto err;
  2870. }
  2871. ret = 1;
  2872. EVP_PKEY_free(s->s3.tmp.pkey);
  2873. s->s3.tmp.pkey = NULL;
  2874. err:
  2875. EVP_PKEY_free(ckey);
  2876. return ret;
  2877. #else
  2878. /* Should never happen */
  2879. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
  2880. ERR_R_INTERNAL_ERROR);
  2881. return 0;
  2882. #endif
  2883. }
  2884. static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
  2885. {
  2886. #ifndef OPENSSL_NO_EC
  2887. EVP_PKEY *skey = s->s3.tmp.pkey;
  2888. EVP_PKEY *ckey = NULL;
  2889. int ret = 0;
  2890. if (PACKET_remaining(pkt) == 0L) {
  2891. /* We don't support ECDH client auth */
  2892. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2893. SSL_R_MISSING_TMP_ECDH_KEY);
  2894. goto err;
  2895. } else {
  2896. unsigned int i;
  2897. const unsigned char *data;
  2898. /*
  2899. * Get client's public key from encoded point in the
  2900. * ClientKeyExchange message.
  2901. */
  2902. /* Get encoded point length */
  2903. if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
  2904. || PACKET_remaining(pkt) != 0) {
  2905. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2906. SSL_R_LENGTH_MISMATCH);
  2907. goto err;
  2908. }
  2909. if (skey == NULL) {
  2910. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2911. SSL_R_MISSING_TMP_ECDH_KEY);
  2912. goto err;
  2913. }
  2914. ckey = EVP_PKEY_new();
  2915. if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
  2916. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2917. ERR_R_EVP_LIB);
  2918. goto err;
  2919. }
  2920. if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
  2921. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2922. ERR_R_EC_LIB);
  2923. goto err;
  2924. }
  2925. }
  2926. if (ssl_derive(s, skey, ckey, 1) == 0) {
  2927. /* SSLfatal() already called */
  2928. goto err;
  2929. }
  2930. ret = 1;
  2931. EVP_PKEY_free(s->s3.tmp.pkey);
  2932. s->s3.tmp.pkey = NULL;
  2933. err:
  2934. EVP_PKEY_free(ckey);
  2935. return ret;
  2936. #else
  2937. /* Should never happen */
  2938. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
  2939. ERR_R_INTERNAL_ERROR);
  2940. return 0;
  2941. #endif
  2942. }
  2943. static int tls_process_cke_srp(SSL *s, PACKET *pkt)
  2944. {
  2945. #ifndef OPENSSL_NO_SRP
  2946. unsigned int i;
  2947. const unsigned char *data;
  2948. if (!PACKET_get_net_2(pkt, &i)
  2949. || !PACKET_get_bytes(pkt, &data, i)) {
  2950. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2951. SSL_R_BAD_SRP_A_LENGTH);
  2952. return 0;
  2953. }
  2954. if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
  2955. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2956. ERR_R_BN_LIB);
  2957. return 0;
  2958. }
  2959. if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
  2960. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CKE_SRP,
  2961. SSL_R_BAD_SRP_PARAMETERS);
  2962. return 0;
  2963. }
  2964. OPENSSL_free(s->session->srp_username);
  2965. s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
  2966. if (s->session->srp_username == NULL) {
  2967. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2968. ERR_R_MALLOC_FAILURE);
  2969. return 0;
  2970. }
  2971. if (!srp_generate_server_master_secret(s)) {
  2972. /* SSLfatal() already called */
  2973. return 0;
  2974. }
  2975. return 1;
  2976. #else
  2977. /* Should never happen */
  2978. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
  2979. ERR_R_INTERNAL_ERROR);
  2980. return 0;
  2981. #endif
  2982. }
  2983. static int tls_process_cke_gost(SSL *s, PACKET *pkt)
  2984. {
  2985. #ifndef OPENSSL_NO_GOST
  2986. EVP_PKEY_CTX *pkey_ctx;
  2987. EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
  2988. unsigned char premaster_secret[32];
  2989. const unsigned char *start;
  2990. size_t outlen = 32, inlen;
  2991. unsigned long alg_a;
  2992. unsigned int asn1id, asn1len;
  2993. int ret = 0;
  2994. PACKET encdata;
  2995. /* Get our certificate private key */
  2996. alg_a = s->s3.tmp.new_cipher->algorithm_auth;
  2997. if (alg_a & SSL_aGOST12) {
  2998. /*
  2999. * New GOST ciphersuites have SSL_aGOST01 bit too
  3000. */
  3001. pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
  3002. if (pk == NULL) {
  3003. pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
  3004. }
  3005. if (pk == NULL) {
  3006. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  3007. }
  3008. } else if (alg_a & SSL_aGOST01) {
  3009. pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
  3010. }
  3011. pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
  3012. if (pkey_ctx == NULL) {
  3013. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3014. ERR_R_MALLOC_FAILURE);
  3015. return 0;
  3016. }
  3017. if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
  3018. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3019. ERR_R_INTERNAL_ERROR);
  3020. return 0;
  3021. }
  3022. /*
  3023. * If client certificate is present and is of the same type, maybe
  3024. * use it for key exchange. Don't mind errors from
  3025. * EVP_PKEY_derive_set_peer, because it is completely valid to use a
  3026. * client certificate for authorization only.
  3027. */
  3028. client_pub_pkey = X509_get0_pubkey(s->session->peer);
  3029. if (client_pub_pkey) {
  3030. if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
  3031. ERR_clear_error();
  3032. }
  3033. /* Decrypt session key */
  3034. if (!PACKET_get_1(pkt, &asn1id)
  3035. || asn1id != (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
  3036. || !PACKET_peek_1(pkt, &asn1len)) {
  3037. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3038. SSL_R_DECRYPTION_FAILED);
  3039. goto err;
  3040. }
  3041. if (asn1len == 0x81) {
  3042. /*
  3043. * Long form length. Should only be one byte of length. Anything else
  3044. * isn't supported.
  3045. * We did a successful peek before so this shouldn't fail
  3046. */
  3047. if (!PACKET_forward(pkt, 1)) {
  3048. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3049. SSL_R_DECRYPTION_FAILED);
  3050. goto err;
  3051. }
  3052. } else if (asn1len >= 0x80) {
  3053. /*
  3054. * Indefinite length, or more than one long form length bytes. We don't
  3055. * support it
  3056. */
  3057. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3058. SSL_R_DECRYPTION_FAILED);
  3059. goto err;
  3060. } /* else short form length */
  3061. if (!PACKET_as_length_prefixed_1(pkt, &encdata)) {
  3062. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3063. SSL_R_DECRYPTION_FAILED);
  3064. goto err;
  3065. }
  3066. inlen = PACKET_remaining(&encdata);
  3067. start = PACKET_data(&encdata);
  3068. if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
  3069. inlen) <= 0) {
  3070. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3071. SSL_R_DECRYPTION_FAILED);
  3072. goto err;
  3073. }
  3074. /* Generate master secret */
  3075. if (!ssl_generate_master_secret(s, premaster_secret,
  3076. sizeof(premaster_secret), 0)) {
  3077. /* SSLfatal() already called */
  3078. goto err;
  3079. }
  3080. /* Check if pubkey from client certificate was used */
  3081. if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
  3082. NULL) > 0)
  3083. s->statem.no_cert_verify = 1;
  3084. ret = 1;
  3085. err:
  3086. EVP_PKEY_CTX_free(pkey_ctx);
  3087. return ret;
  3088. #else
  3089. /* Should never happen */
  3090. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
  3091. ERR_R_INTERNAL_ERROR);
  3092. return 0;
  3093. #endif
  3094. }
  3095. MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
  3096. {
  3097. unsigned long alg_k;
  3098. alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  3099. /* For PSK parse and retrieve identity, obtain PSK key */
  3100. if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) {
  3101. /* SSLfatal() already called */
  3102. goto err;
  3103. }
  3104. if (alg_k & SSL_kPSK) {
  3105. /* Identity extracted earlier: should be nothing left */
  3106. if (PACKET_remaining(pkt) != 0) {
  3107. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3108. SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
  3109. SSL_R_LENGTH_MISMATCH);
  3110. goto err;
  3111. }
  3112. /* PSK handled by ssl_generate_master_secret */
  3113. if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
  3114. /* SSLfatal() already called */
  3115. goto err;
  3116. }
  3117. } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
  3118. if (!tls_process_cke_rsa(s, pkt)) {
  3119. /* SSLfatal() already called */
  3120. goto err;
  3121. }
  3122. } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
  3123. if (!tls_process_cke_dhe(s, pkt)) {
  3124. /* SSLfatal() already called */
  3125. goto err;
  3126. }
  3127. } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
  3128. if (!tls_process_cke_ecdhe(s, pkt)) {
  3129. /* SSLfatal() already called */
  3130. goto err;
  3131. }
  3132. } else if (alg_k & SSL_kSRP) {
  3133. if (!tls_process_cke_srp(s, pkt)) {
  3134. /* SSLfatal() already called */
  3135. goto err;
  3136. }
  3137. } else if (alg_k & SSL_kGOST) {
  3138. if (!tls_process_cke_gost(s, pkt)) {
  3139. /* SSLfatal() already called */
  3140. goto err;
  3141. }
  3142. } else {
  3143. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3144. SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
  3145. SSL_R_UNKNOWN_CIPHER_TYPE);
  3146. goto err;
  3147. }
  3148. return MSG_PROCESS_CONTINUE_PROCESSING;
  3149. err:
  3150. #ifndef OPENSSL_NO_PSK
  3151. OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen);
  3152. s->s3.tmp.psk = NULL;
  3153. #endif
  3154. return MSG_PROCESS_ERROR;
  3155. }
  3156. WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
  3157. {
  3158. #ifndef OPENSSL_NO_SCTP
  3159. if (wst == WORK_MORE_A) {
  3160. if (SSL_IS_DTLS(s)) {
  3161. unsigned char sctpauthkey[64];
  3162. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  3163. size_t labellen;
  3164. /*
  3165. * Add new shared key for SCTP-Auth, will be ignored if no SCTP
  3166. * used.
  3167. */
  3168. memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
  3169. sizeof(DTLS1_SCTP_AUTH_LABEL));
  3170. /* Don't include the terminating zero. */
  3171. labellen = sizeof(labelbuffer) - 1;
  3172. if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
  3173. labellen += 1;
  3174. if (SSL_export_keying_material(s, sctpauthkey,
  3175. sizeof(sctpauthkey), labelbuffer,
  3176. labellen, NULL, 0,
  3177. 0) <= 0) {
  3178. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3179. SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
  3180. ERR_R_INTERNAL_ERROR);
  3181. return WORK_ERROR;
  3182. }
  3183. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  3184. sizeof(sctpauthkey), sctpauthkey);
  3185. }
  3186. }
  3187. #endif
  3188. if (s->statem.no_cert_verify || !s->session->peer) {
  3189. /*
  3190. * No certificate verify or no peer certificate so we no longer need
  3191. * the handshake_buffer
  3192. */
  3193. if (!ssl3_digest_cached_records(s, 0)) {
  3194. /* SSLfatal() already called */
  3195. return WORK_ERROR;
  3196. }
  3197. return WORK_FINISHED_CONTINUE;
  3198. } else {
  3199. if (!s->s3.handshake_buffer) {
  3200. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3201. SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
  3202. ERR_R_INTERNAL_ERROR);
  3203. return WORK_ERROR;
  3204. }
  3205. /*
  3206. * For sigalgs freeze the handshake buffer. If we support
  3207. * extms we've done this already so this is a no-op
  3208. */
  3209. if (!ssl3_digest_cached_records(s, 1)) {
  3210. /* SSLfatal() already called */
  3211. return WORK_ERROR;
  3212. }
  3213. }
  3214. return WORK_FINISHED_CONTINUE;
  3215. }
  3216. MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
  3217. {
  3218. int i;
  3219. MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
  3220. X509 *x = NULL;
  3221. unsigned long l;
  3222. const unsigned char *certstart, *certbytes;
  3223. STACK_OF(X509) *sk = NULL;
  3224. PACKET spkt, context;
  3225. size_t chainidx;
  3226. SSL_SESSION *new_sess = NULL;
  3227. /*
  3228. * To get this far we must have read encrypted data from the client. We no
  3229. * longer tolerate unencrypted alerts. This value is ignored if less than
  3230. * TLSv1.3
  3231. */
  3232. s->statem.enc_read_state = ENC_READ_STATE_VALID;
  3233. if ((sk = sk_X509_new_null()) == NULL) {
  3234. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3235. ERR_R_MALLOC_FAILURE);
  3236. goto err;
  3237. }
  3238. if (SSL_IS_TLS13(s) && (!PACKET_get_length_prefixed_1(pkt, &context)
  3239. || (s->pha_context == NULL && PACKET_remaining(&context) != 0)
  3240. || (s->pha_context != NULL &&
  3241. !PACKET_equal(&context, s->pha_context, s->pha_context_len)))) {
  3242. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3243. SSL_R_INVALID_CONTEXT);
  3244. goto err;
  3245. }
  3246. if (!PACKET_get_length_prefixed_3(pkt, &spkt)
  3247. || PACKET_remaining(pkt) != 0) {
  3248. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3249. SSL_R_LENGTH_MISMATCH);
  3250. goto err;
  3251. }
  3252. for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
  3253. if (!PACKET_get_net_3(&spkt, &l)
  3254. || !PACKET_get_bytes(&spkt, &certbytes, l)) {
  3255. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3256. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3257. SSL_R_CERT_LENGTH_MISMATCH);
  3258. goto err;
  3259. }
  3260. certstart = certbytes;
  3261. x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
  3262. if (x == NULL) {
  3263. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3264. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
  3265. goto err;
  3266. }
  3267. if (certbytes != (certstart + l)) {
  3268. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3269. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3270. SSL_R_CERT_LENGTH_MISMATCH);
  3271. goto err;
  3272. }
  3273. if (SSL_IS_TLS13(s)) {
  3274. RAW_EXTENSION *rawexts = NULL;
  3275. PACKET extensions;
  3276. if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
  3277. SSLfatal(s, SSL_AD_DECODE_ERROR,
  3278. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3279. SSL_R_BAD_LENGTH);
  3280. goto err;
  3281. }
  3282. if (!tls_collect_extensions(s, &extensions,
  3283. SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
  3284. NULL, chainidx == 0)
  3285. || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
  3286. rawexts, x, chainidx,
  3287. PACKET_remaining(&spkt) == 0)) {
  3288. OPENSSL_free(rawexts);
  3289. goto err;
  3290. }
  3291. OPENSSL_free(rawexts);
  3292. }
  3293. if (!sk_X509_push(sk, x)) {
  3294. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3295. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3296. ERR_R_MALLOC_FAILURE);
  3297. goto err;
  3298. }
  3299. x = NULL;
  3300. }
  3301. if (sk_X509_num(sk) <= 0) {
  3302. /* TLS does not mind 0 certs returned */
  3303. if (s->version == SSL3_VERSION) {
  3304. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3305. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3306. SSL_R_NO_CERTIFICATES_RETURNED);
  3307. goto err;
  3308. }
  3309. /* Fail for TLS only if we required a certificate */
  3310. else if ((s->verify_mode & SSL_VERIFY_PEER) &&
  3311. (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
  3312. SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED,
  3313. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3314. SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
  3315. goto err;
  3316. }
  3317. /* No client certificate so digest cached records */
  3318. if (s->s3.handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
  3319. /* SSLfatal() already called */
  3320. goto err;
  3321. }
  3322. } else {
  3323. EVP_PKEY *pkey;
  3324. i = ssl_verify_cert_chain(s, sk);
  3325. if (i <= 0) {
  3326. SSLfatal(s, ssl_x509err2alert(s->verify_result),
  3327. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3328. SSL_R_CERTIFICATE_VERIFY_FAILED);
  3329. goto err;
  3330. }
  3331. if (i > 1) {
  3332. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3333. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
  3334. goto err;
  3335. }
  3336. pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
  3337. if (pkey == NULL) {
  3338. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  3339. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3340. SSL_R_UNKNOWN_CERTIFICATE_TYPE);
  3341. goto err;
  3342. }
  3343. }
  3344. /*
  3345. * Sessions must be immutable once they go into the session cache. Otherwise
  3346. * we can get multi-thread problems. Therefore we don't "update" sessions,
  3347. * we replace them with a duplicate. Here, we need to do this every time
  3348. * a new certificate is received via post-handshake authentication, as the
  3349. * session may have already gone into the session cache.
  3350. */
  3351. if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
  3352. if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
  3353. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3354. SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
  3355. ERR_R_MALLOC_FAILURE);
  3356. goto err;
  3357. }
  3358. SSL_SESSION_free(s->session);
  3359. s->session = new_sess;
  3360. }
  3361. X509_free(s->session->peer);
  3362. s->session->peer = sk_X509_shift(sk);
  3363. s->session->verify_result = s->verify_result;
  3364. sk_X509_pop_free(s->session->peer_chain, X509_free);
  3365. s->session->peer_chain = sk;
  3366. /*
  3367. * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
  3368. * message
  3369. */
  3370. if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
  3371. /* SSLfatal() already called */
  3372. goto err;
  3373. }
  3374. /*
  3375. * Inconsistency alert: cert_chain does *not* include the peer's own
  3376. * certificate, while we do include it in statem_clnt.c
  3377. */
  3378. sk = NULL;
  3379. /* Save the current hash state for when we receive the CertificateVerify */
  3380. if (SSL_IS_TLS13(s)) {
  3381. if (!ssl_handshake_hash(s, s->cert_verify_hash,
  3382. sizeof(s->cert_verify_hash),
  3383. &s->cert_verify_hash_len)) {
  3384. /* SSLfatal() already called */
  3385. goto err;
  3386. }
  3387. /* Resend session tickets */
  3388. s->sent_tickets = 0;
  3389. }
  3390. ret = MSG_PROCESS_CONTINUE_READING;
  3391. err:
  3392. X509_free(x);
  3393. sk_X509_pop_free(sk, X509_free);
  3394. return ret;
  3395. }
  3396. int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
  3397. {
  3398. CERT_PKEY *cpk = s->s3.tmp.cert;
  3399. if (cpk == NULL) {
  3400. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3401. SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
  3402. return 0;
  3403. }
  3404. /*
  3405. * In TLSv1.3 the certificate chain is always preceded by a 0 length context
  3406. * for the server Certificate message
  3407. */
  3408. if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
  3409. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3410. SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
  3411. return 0;
  3412. }
  3413. if (!ssl3_output_cert_chain(s, pkt, cpk)) {
  3414. /* SSLfatal() already called */
  3415. return 0;
  3416. }
  3417. return 1;
  3418. }
  3419. static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add,
  3420. unsigned char *tick_nonce)
  3421. {
  3422. /*
  3423. * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
  3424. * unspecified for resumed session (for simplicity).
  3425. * In TLSv1.3 we reset the "time" field above, and always specify the
  3426. * timeout.
  3427. */
  3428. if (!WPACKET_put_bytes_u32(pkt,
  3429. (s->hit && !SSL_IS_TLS13(s))
  3430. ? 0 : s->session->timeout)) {
  3431. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
  3432. ERR_R_INTERNAL_ERROR);
  3433. return 0;
  3434. }
  3435. if (SSL_IS_TLS13(s)) {
  3436. if (!WPACKET_put_bytes_u32(pkt, age_add)
  3437. || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) {
  3438. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
  3439. ERR_R_INTERNAL_ERROR);
  3440. return 0;
  3441. }
  3442. }
  3443. /* Start the sub-packet for the actual ticket data */
  3444. if (!WPACKET_start_sub_packet_u16(pkt)) {
  3445. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
  3446. ERR_R_INTERNAL_ERROR);
  3447. return 0;
  3448. }
  3449. return 1;
  3450. }
  3451. static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
  3452. unsigned char *tick_nonce)
  3453. {
  3454. unsigned char *senc = NULL;
  3455. EVP_CIPHER_CTX *ctx = NULL;
  3456. HMAC_CTX *hctx = NULL;
  3457. unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
  3458. const unsigned char *const_p;
  3459. int len, slen_full, slen, lenfinal;
  3460. SSL_SESSION *sess;
  3461. unsigned int hlen;
  3462. SSL_CTX *tctx = s->session_ctx;
  3463. unsigned char iv[EVP_MAX_IV_LENGTH];
  3464. unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
  3465. int iv_len, ok = 0;
  3466. size_t macoffset, macendoffset;
  3467. /* get session encoding length */
  3468. slen_full = i2d_SSL_SESSION(s->session, NULL);
  3469. /*
  3470. * Some length values are 16 bits, so forget it if session is too
  3471. * long
  3472. */
  3473. if (slen_full == 0 || slen_full > 0xFF00) {
  3474. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3475. ERR_R_INTERNAL_ERROR);
  3476. goto err;
  3477. }
  3478. senc = OPENSSL_malloc(slen_full);
  3479. if (senc == NULL) {
  3480. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3481. SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_MALLOC_FAILURE);
  3482. goto err;
  3483. }
  3484. ctx = EVP_CIPHER_CTX_new();
  3485. hctx = HMAC_CTX_new();
  3486. if (ctx == NULL || hctx == NULL) {
  3487. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3488. ERR_R_MALLOC_FAILURE);
  3489. goto err;
  3490. }
  3491. p = senc;
  3492. if (!i2d_SSL_SESSION(s->session, &p)) {
  3493. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3494. ERR_R_INTERNAL_ERROR);
  3495. goto err;
  3496. }
  3497. /*
  3498. * create a fresh copy (not shared with other threads) to clean up
  3499. */
  3500. const_p = senc;
  3501. sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
  3502. if (sess == NULL) {
  3503. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3504. ERR_R_INTERNAL_ERROR);
  3505. goto err;
  3506. }
  3507. slen = i2d_SSL_SESSION(sess, NULL);
  3508. if (slen == 0 || slen > slen_full) {
  3509. /* shouldn't ever happen */
  3510. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3511. ERR_R_INTERNAL_ERROR);
  3512. SSL_SESSION_free(sess);
  3513. goto err;
  3514. }
  3515. p = senc;
  3516. if (!i2d_SSL_SESSION(sess, &p)) {
  3517. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3518. ERR_R_INTERNAL_ERROR);
  3519. SSL_SESSION_free(sess);
  3520. goto err;
  3521. }
  3522. SSL_SESSION_free(sess);
  3523. /*
  3524. * Initialize HMAC and cipher contexts. If callback present it does
  3525. * all the work otherwise use generated values from parent ctx.
  3526. */
  3527. if (tctx->ext.ticket_key_cb) {
  3528. /* if 0 is returned, write an empty ticket */
  3529. int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
  3530. hctx, 1);
  3531. if (ret == 0) {
  3532. /* Put timeout and length */
  3533. if (!WPACKET_put_bytes_u32(pkt, 0)
  3534. || !WPACKET_put_bytes_u16(pkt, 0)) {
  3535. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3536. SSL_F_CONSTRUCT_STATELESS_TICKET,
  3537. ERR_R_INTERNAL_ERROR);
  3538. goto err;
  3539. }
  3540. OPENSSL_free(senc);
  3541. EVP_CIPHER_CTX_free(ctx);
  3542. HMAC_CTX_free(hctx);
  3543. return 1;
  3544. }
  3545. if (ret < 0) {
  3546. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3547. SSL_R_CALLBACK_FAILED);
  3548. goto err;
  3549. }
  3550. iv_len = EVP_CIPHER_CTX_iv_length(ctx);
  3551. } else {
  3552. const EVP_CIPHER *cipher = EVP_aes_256_cbc();
  3553. iv_len = EVP_CIPHER_iv_length(cipher);
  3554. if (RAND_bytes(iv, iv_len) <= 0
  3555. || !EVP_EncryptInit_ex(ctx, cipher, NULL,
  3556. tctx->ext.secure->tick_aes_key, iv)
  3557. || !HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
  3558. sizeof(tctx->ext.secure->tick_hmac_key),
  3559. EVP_sha256(), NULL)) {
  3560. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3561. ERR_R_INTERNAL_ERROR);
  3562. goto err;
  3563. }
  3564. memcpy(key_name, tctx->ext.tick_key_name,
  3565. sizeof(tctx->ext.tick_key_name));
  3566. }
  3567. if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
  3568. /* SSLfatal() already called */
  3569. goto err;
  3570. }
  3571. if (!WPACKET_get_total_written(pkt, &macoffset)
  3572. /* Output key name */
  3573. || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
  3574. /* output IV */
  3575. || !WPACKET_memcpy(pkt, iv, iv_len)
  3576. || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
  3577. &encdata1)
  3578. /* Encrypt session data */
  3579. || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
  3580. || !WPACKET_allocate_bytes(pkt, len, &encdata2)
  3581. || encdata1 != encdata2
  3582. || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
  3583. || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
  3584. || encdata1 + len != encdata2
  3585. || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
  3586. || !WPACKET_get_total_written(pkt, &macendoffset)
  3587. || !HMAC_Update(hctx,
  3588. (unsigned char *)s->init_buf->data + macoffset,
  3589. macendoffset - macoffset)
  3590. || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
  3591. || !HMAC_Final(hctx, macdata1, &hlen)
  3592. || hlen > EVP_MAX_MD_SIZE
  3593. || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
  3594. || macdata1 != macdata2) {
  3595. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3596. SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_INTERNAL_ERROR);
  3597. goto err;
  3598. }
  3599. /* Close the sub-packet created by create_ticket_prequel() */
  3600. if (!WPACKET_close(pkt)) {
  3601. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
  3602. ERR_R_INTERNAL_ERROR);
  3603. goto err;
  3604. }
  3605. ok = 1;
  3606. err:
  3607. OPENSSL_free(senc);
  3608. EVP_CIPHER_CTX_free(ctx);
  3609. HMAC_CTX_free(hctx);
  3610. return ok;
  3611. }
  3612. static int construct_stateful_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
  3613. unsigned char *tick_nonce)
  3614. {
  3615. if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
  3616. /* SSLfatal() already called */
  3617. return 0;
  3618. }
  3619. if (!WPACKET_memcpy(pkt, s->session->session_id,
  3620. s->session->session_id_length)
  3621. || !WPACKET_close(pkt)) {
  3622. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATEFUL_TICKET,
  3623. ERR_R_INTERNAL_ERROR);
  3624. return 0;
  3625. }
  3626. return 1;
  3627. }
  3628. int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
  3629. {
  3630. SSL_CTX *tctx = s->session_ctx;
  3631. unsigned char tick_nonce[TICKET_NONCE_SIZE];
  3632. union {
  3633. unsigned char age_add_c[sizeof(uint32_t)];
  3634. uint32_t age_add;
  3635. } age_add_u;
  3636. age_add_u.age_add = 0;
  3637. if (SSL_IS_TLS13(s)) {
  3638. size_t i, hashlen;
  3639. uint64_t nonce;
  3640. static const unsigned char nonce_label[] = "resumption";
  3641. const EVP_MD *md = ssl_handshake_md(s);
  3642. int hashleni = EVP_MD_size(md);
  3643. /* Ensure cast to size_t is safe */
  3644. if (!ossl_assert(hashleni >= 0)) {
  3645. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3646. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3647. ERR_R_INTERNAL_ERROR);
  3648. goto err;
  3649. }
  3650. hashlen = (size_t)hashleni;
  3651. /*
  3652. * If we already sent one NewSessionTicket, or we resumed then
  3653. * s->session may already be in a cache and so we must not modify it.
  3654. * Instead we need to take a copy of it and modify that.
  3655. */
  3656. if (s->sent_tickets != 0 || s->hit) {
  3657. SSL_SESSION *new_sess = ssl_session_dup(s->session, 0);
  3658. if (new_sess == NULL) {
  3659. /* SSLfatal already called */
  3660. goto err;
  3661. }
  3662. SSL_SESSION_free(s->session);
  3663. s->session = new_sess;
  3664. }
  3665. if (!ssl_generate_session_id(s, s->session)) {
  3666. /* SSLfatal() already called */
  3667. goto err;
  3668. }
  3669. if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) {
  3670. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3671. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3672. ERR_R_INTERNAL_ERROR);
  3673. goto err;
  3674. }
  3675. s->session->ext.tick_age_add = age_add_u.age_add;
  3676. nonce = s->next_ticket_nonce;
  3677. for (i = TICKET_NONCE_SIZE; i > 0; i--) {
  3678. tick_nonce[i - 1] = (unsigned char)(nonce & 0xff);
  3679. nonce >>= 8;
  3680. }
  3681. if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
  3682. nonce_label,
  3683. sizeof(nonce_label) - 1,
  3684. tick_nonce,
  3685. TICKET_NONCE_SIZE,
  3686. s->session->master_key,
  3687. hashlen, 1)) {
  3688. /* SSLfatal() already called */
  3689. goto err;
  3690. }
  3691. s->session->master_key_length = hashlen;
  3692. s->session->time = (long)time(NULL);
  3693. if (s->s3.alpn_selected != NULL) {
  3694. OPENSSL_free(s->session->ext.alpn_selected);
  3695. s->session->ext.alpn_selected =
  3696. OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
  3697. if (s->session->ext.alpn_selected == NULL) {
  3698. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  3699. SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
  3700. ERR_R_MALLOC_FAILURE);
  3701. goto err;
  3702. }
  3703. s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
  3704. }
  3705. s->session->ext.max_early_data = s->max_early_data;
  3706. }
  3707. if (tctx->generate_ticket_cb != NULL &&
  3708. tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0)
  3709. goto err;
  3710. /*
  3711. * If we are using anti-replay protection then we behave as if
  3712. * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
  3713. * is no point in using full stateless tickets.
  3714. */
  3715. if (SSL_IS_TLS13(s)
  3716. && ((s->options & SSL_OP_NO_TICKET) != 0
  3717. || (s->max_early_data > 0
  3718. && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) {
  3719. if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) {
  3720. /* SSLfatal() already called */
  3721. goto err;
  3722. }
  3723. } else if (!construct_stateless_ticket(s, pkt, age_add_u.age_add,
  3724. tick_nonce)) {
  3725. /* SSLfatal() already called */
  3726. goto err;
  3727. }
  3728. if (SSL_IS_TLS13(s)) {
  3729. if (!tls_construct_extensions(s, pkt,
  3730. SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
  3731. NULL, 0)) {
  3732. /* SSLfatal() already called */
  3733. goto err;
  3734. }
  3735. /*
  3736. * Increment both |sent_tickets| and |next_ticket_nonce|. |sent_tickets|
  3737. * gets reset to 0 if we send more tickets following a post-handshake
  3738. * auth, but |next_ticket_nonce| does not.
  3739. */
  3740. s->sent_tickets++;
  3741. s->next_ticket_nonce++;
  3742. ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
  3743. }
  3744. return 1;
  3745. err:
  3746. return 0;
  3747. }
  3748. /*
  3749. * In TLSv1.3 this is called from the extensions code, otherwise it is used to
  3750. * create a separate message. Returns 1 on success or 0 on failure.
  3751. */
  3752. int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
  3753. {
  3754. if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
  3755. || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
  3756. s->ext.ocsp.resp_len)) {
  3757. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY,
  3758. ERR_R_INTERNAL_ERROR);
  3759. return 0;
  3760. }
  3761. return 1;
  3762. }
  3763. int tls_construct_cert_status(SSL *s, WPACKET *pkt)
  3764. {
  3765. if (!tls_construct_cert_status_body(s, pkt)) {
  3766. /* SSLfatal() already called */
  3767. return 0;
  3768. }
  3769. return 1;
  3770. }
  3771. #ifndef OPENSSL_NO_NEXTPROTONEG
  3772. /*
  3773. * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
  3774. * It sets the next_proto member in s if found
  3775. */
  3776. MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
  3777. {
  3778. PACKET next_proto, padding;
  3779. size_t next_proto_len;
  3780. /*-
  3781. * The payload looks like:
  3782. * uint8 proto_len;
  3783. * uint8 proto[proto_len];
  3784. * uint8 padding_len;
  3785. * uint8 padding[padding_len];
  3786. */
  3787. if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
  3788. || !PACKET_get_length_prefixed_1(pkt, &padding)
  3789. || PACKET_remaining(pkt) > 0) {
  3790. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
  3791. SSL_R_LENGTH_MISMATCH);
  3792. return MSG_PROCESS_ERROR;
  3793. }
  3794. if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
  3795. s->ext.npn_len = 0;
  3796. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
  3797. ERR_R_INTERNAL_ERROR);
  3798. return MSG_PROCESS_ERROR;
  3799. }
  3800. s->ext.npn_len = (unsigned char)next_proto_len;
  3801. return MSG_PROCESS_CONTINUE_READING;
  3802. }
  3803. #endif
  3804. static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
  3805. {
  3806. if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  3807. NULL, 0)) {
  3808. /* SSLfatal() already called */
  3809. return 0;
  3810. }
  3811. return 1;
  3812. }
  3813. MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
  3814. {
  3815. if (PACKET_remaining(pkt) != 0) {
  3816. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
  3817. SSL_R_LENGTH_MISMATCH);
  3818. return MSG_PROCESS_ERROR;
  3819. }
  3820. if (s->early_data_state != SSL_EARLY_DATA_READING
  3821. && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) {
  3822. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
  3823. ERR_R_INTERNAL_ERROR);
  3824. return MSG_PROCESS_ERROR;
  3825. }
  3826. /*
  3827. * EndOfEarlyData signals a key change so the end of the message must be on
  3828. * a record boundary.
  3829. */
  3830. if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
  3831. SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
  3832. SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
  3833. SSL_R_NOT_ON_RECORD_BOUNDARY);
  3834. return MSG_PROCESS_ERROR;
  3835. }
  3836. s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
  3837. if (!s->method->ssl3_enc->change_cipher_state(s,
  3838. SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) {
  3839. /* SSLfatal() already called */
  3840. return MSG_PROCESS_ERROR;
  3841. }
  3842. return MSG_PROCESS_CONTINUE_READING;
  3843. }